Home > Port Security 2

Port Security 2

August 29th, 2017 in SWITCH 300-115 Go to comments

Question 1

Question 2


The new network switch port keeps going back into err-disabled mode so we can deduce port security is still enabled on this port -> A is correct but B is not correct.

In this questions we know that all access ports have port security sticky enabled so port security is still enabled on the older switch port (as we only removed the PC and clear the port security on the new one) -> E is correct (although D is also correct but E is better).

Answer C is not correct as other access ports do not have any effect on these two ports.

Question 3


There are three port security violation modes:
+ protect – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default behavior for a security violation is to shut down that port permanently.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 4


This is the paragraph which describes about the “show errdisable recovery” command on Cisco website:

“If you have enabled errdisable recovery, you can determine the reason for the errdisable status if you issue the “show errdisable recovery” command. An example of the output of this command is shown below:

Switch#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------    ---------------------    --------------
  Fa2/4                bpduguard          273

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html

So answer A seems to be correct but the above quote is very misleading. In fact, this command is used to verify which services/features were enabled for err-disable recovery (notice that the err-disable recovery feature is disabled by default for all services and features and we have to manually turn them on if we want to use via the command “errdisable recovery cause …”). If we allows all above services/features to automatically recover then we will not know the reason a port was error-disabled.

In fact, the best way to determine why a port is in the err-disabled state is to view the Syslog messages. For example:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

This means Fa0/1 is put in err-disabled state because of a port security violation.

Note: The command “show errdisable detect” is used to identify which services are enabled for Errdisable only (for example, services like “arp-inspection”, bpduguard, UDLD,…)

Question 5

Question 6


Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security:
+ A secure port cannot be a trunk port.
+ A secure port cannot be a destination port for Switch Port Analyzer (SPAN) -> Answer E is not correct.
+ A secure port cannot belong to an EtherChannel port-channel interface -> Answer C is correct.
+ A secure port and static MAC address configuration are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

+ Port security supports private VLAN (PVLAN) ports -> Answer B is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf

Sticky MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. There is no document mentioning about the maximum of sticky MAC addresses can be configured on a device but surely it can be greater than three -> D is not correct.

We are not sure about answer A but port security does support “static secure MAC addresses” (by using the “switchport port-security mac-address mac_address” interface configuration command).

Question 7


A switchport violation occurs in one of two situations:
+ When the maximum number of secure MAC addresses has been reached (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
+ An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

Reference: http://www.ciscopress.com/articles/article.asp?p=1722561

We have to admit that we have never tested the second violation rule stated above ^^.

Question 8


You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone -> Therefore we can configure two VLANs in total.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swvoip.pdf

Question 9

  1. Anonymous
    July 11th, 2017

    are these new questions ?

  2. BoZZ
    September 2nd, 2017

    Q2 – explanation – see second reason.

    A security violation occurs in either of these situations:

    •When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.

    •If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.

  3. Hank
    October 6th, 2017

    To Certprepare:
    the explanation for Q6 is partly correct. Trunk ports CAN do port security. You even state this in Q2 on the first set of Port Security questions on this site. The link you posted is out of date. Cisco has many docs stating it does support trunk port security.

  4. mike_peerawat
    October 17th, 2017

    @kl Can you provide document from IT-Libraries to me mike_peerawat at icloud dot com
    or you just a saleman

  5. Nick
    November 29th, 2017

    DO NOT USE http://www.myexamcollection.com/ ITS A FAKE

  6. ciptech
    December 5th, 2017

    Question 8

    How many VLANs can be assigned to a user access port configured for VoIP?
    A. 1
    B. 2
    C. 3
    D. unlimited

    Answer: B

    “a user access port configured for VoIP” has already a VLAN configure for VoIP, so you can only one more vlan for data. => Answer A. 1 [please correct me if I am wrong]

  7. Anon6
    December 23rd, 2017

    Interesting info from a Cisco document: https://webcache.googleusercontent.com/search?q=cache:Ml3m2-kqiMYJ:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf+&cd=5&hl=en&ct=clnk&gl=us&client=opera

    • Port security supports private VLAN (PVLAN) ports.
    • Port security supports IEEE 802.1Q tunnel ports.
    • Port security does not support Switch Port Analyzer (SPAN) destination ports.
    • Port security supports access and trunking EtherChannel port-channel interfaces.
    • You can configure port security and 802.1X port-based authentication on the same port.
    • Port security supports nonnegotiating trunks.
    – Port security only supports trunks configured with these commands:
    switchport trunk encapsulation
    switchport mode trunk
    switchport nonegotiate
    – If you reconfigure a secure access port as a trunk, port security converts all the sticky and static
    secure addresses on that port that were dynamically learned in the access VLAN to sticky or
    static secure addresses on the native VLAN of the trunk. Port security removes all secure
    addresses on the voice VLAN of the access port.

  1. No trackbacks yet.