
Port Security 2

November 16th, 2019

Question 1

Question 2

Explanation

The new switch port keeps going back into err-disabled mode, so we can deduce that port security is still enabled on this port -> A is correct and B is not correct.

In this question we know that all access ports have port security sticky enabled, so port security is still enabled on the older switch port (we only removed the PC and cleared the port security on the new one). The old port still holds the PC's MAC address as a sticky secure address, so when the same MAC shows up on the new port it is treated as a violation -> E is correct (D is also correct, but E is the better answer).

Answer C is not correct as other access ports do not have any effect on these two ports.

Question 3

Explanation

There are three port security violation modes:
+ protect – Once the maximum has been reached, drops frames with unknown source MAC addresses until you remove enough secure MAC addresses to drop below the maximum. Nothing is logged and no counter is incremented, so this mode is easy to miss operationally.
+ restrict – Same dropping behaviour as protect, but the SecurityViolation counter is incremented and an SNMP trap and a syslog message are generated. The port itself stays up.
+ shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default violation mode is shutdown. The port then stays err-disabled (no traffic at all, including from the legitimate host) until an administrator issues shutdown followed by no shutdown on the interface, or errdisable recovery is enabled for the psecure-violation cause.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 4

Explanation

Enabling “sticky” converts all dynamic secure MAC addresses already learned on the port into sticky secure addresses, including those that were dynamically learned before sticky learning was enabled, and keeps learning new ones up to the configured maximum. It does not keep only the first MAC address, so answer B is not correct.

Question 5a

Explanation

Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security:
+ A secure port cannot be a trunk port.
+ A secure port cannot be a destination port for Switch Port Analyzer (SPAN) -> Answer E is not correct.
+ A secure port cannot belong to an EtherChannel port-channel interface -> Answer C is correct.
+ A secure port and static MAC address configuration are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

+ Port security supports private VLAN (PVLAN) ports -> Answer B is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf

Sticky MAC addresses can be dynamically learned or manually configured; they are stored in the address table and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to relearn them when the switch restarts. No document gives a fixed maximum of sticky MAC addresses per device; the limit is the per-port maximum you configure, which can certainly be greater than three -> D is not correct.

Answer A is also not correct: port security does support “static secure MAC addresses”, configured with the “switchport port-security mac-address mac_address” interface configuration command. The “mutually exclusive” guideline above refers to ordinary static entries in the MAC address table on a port that is also a secure port, not to this port-security command.

Question 5b

Question 6

Explanation

A port security violation occurs in either of two situations:
+ The maximum number of secure MAC addresses on the port has already been reached (by default, the maximum number of secure MAC addresses per switchport is 1) and a frame with a new, unknown source MAC address arrives on that port
+ A MAC address learned or configured as a secure address on one secure interface is seen on another secure interface in the same VLAN

Reference: http://www.ciscopress.com/articles/article.asp?p=1722561

We have to admit that we have never tested the second violation rule stated above ^^.
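To make the behaviour behind Questions 2, 3, 4 and 6 concrete, here is a small Python model of port security added for this page; it is not Cisco code and not part of the original explanation. It models one switch with secure access ports: the per-port maximum, sticky learning, the protect/restrict/shutdown violation modes and the two violation triggers listed above. The port names (Gi0/1 and so on), VLAN numbers and MAC addresses are constructed sample data, and the method names (receive, bounce, clear_port_security, enable_sticky) are the model's own, not IOS commands.

```python
"""Toy model of Cisco port-security semantics on one switch (added example, not Cisco code):
per-port maximum, sticky learning, the protect/restrict/shutdown violation modes and the
two violation triggers under Question 6. Port names, VLANs and MACs are constructed data."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"

@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                # IOS default: one secure MAC per port
    violation: str = SHUTDOWN       # IOS default violation mode
    sticky: bool = False
    secure_macs: set = field(default_factory=set)       # address-table entries
    sticky_in_config: set = field(default_factory=set)  # would land in running-config
    violation_count: int = 0
    err_disabled: bool = False

class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, mac):
        """Source 'mac' seen on 'port_name'; returns 'forwarded', 'dropped' or 'err-disabled'."""
        p = self.ports[port_name]
        if p.err_disabled:
            return "err-disabled"
        if mac in p.secure_macs:
            return "forwarded"
        # Trigger 2: MAC already secured on another secure port in the same VLAN.
        elsewhere = any(o is not p and o.vlan == p.vlan and mac in o.secure_macs
                        for o in self.ports.values())
        # Trigger 1: the table already holds the maximum and a new MAC shows up.
        if elsewhere or len(p.secure_macs) >= p.maximum:
            return self._violate(p)
        p.secure_macs.add(mac)
        if p.sticky:
            p.sticky_in_config.add(mac)
        return "forwarded"

    def _violate(self, p):
        if p.violation == PROTECT:
            return "dropped"          # silent: no counter, no trap, no syslog
        p.violation_count += 1        # restrict and shutdown both count and notify
        if p.violation == RESTRICT:
            return "dropped"          # offending frames dropped, port stays up
        p.err_disabled = True         # shutdown: the whole port goes err-disabled
        return "err-disabled"

    def enable_sticky(self, port_name):
        """Like 'switchport port-security mac-address sticky': converts every dynamic MAC already learned."""
        p = self.ports[port_name]
        p.sticky = True
        p.sticky_in_config |= p.secure_macs

    def clear_port_security(self, port_name):  # like 'clear port-security all interface ...'
        self.ports[port_name].secure_macs.clear()

    def bounce(self, port_name):               # like 'shutdown' then 'no shutdown'
        self.ports[port_name].err_disabled = False

def moved_pc_scenario():
    """Question 2: a PC moves from Gi0/1 to Gi0/2; both ports are sticky-secured."""
    sw = Switch()
    for name in ("Gi0/1", "Gi0/2"):
        sw.add_port(SecurePort(name, vlan=10, sticky=True))
    pc = "0011.2233.4455"
    out = [sw.receive("Gi0/1", pc)]       # learned on the old port
    out.append(sw.receive("Gi0/2", pc))   # same MAC on the new port: violation
    sw.bounce("Gi0/2")
    sw.clear_port_security("Gi0/2")       # clearing only the new port does not help...
    out.append(sw.receive("Gi0/2", pc))
    sw.bounce("Gi0/2")
    sw.clear_port_security("Gi0/1")       # ...the old port still owned the sticky entry
    out.append(sw.receive("Gi0/2", pc))
    return out

def violation_mode_scenario(mode):
    """Question 3: max 1, a second MAC arrives, then the legitimate MAC again."""
    sw = Switch()
    sw.add_port(SecurePort("Gi0/3", vlan=20, violation=mode))
    sw.receive("Gi0/3", "aaaa.bbbb.0001")
    intruder = sw.receive("Gi0/3", "aaaa.bbbb.0002")
    legit = sw.receive("Gi0/3", "aaaa.bbbb.0001")
    p = sw.ports["Gi0/3"]
    return intruder, legit, p.violation_count, p.err_disabled

def sticky_conversion_scenario():
    """Question 4: two MACs learned dynamically, then sticky is enabled."""
    sw = Switch()
    sw.add_port(SecurePort("Gi0/4", vlan=30, maximum=3))
    for mac in ("aaaa.bbbb.0010", "aaaa.bbbb.0011"):
        sw.receive("Gi0/4", mac)
    sw.enable_sticky("Gi0/4")
    return sorted(sw.ports["Gi0/4"].sticky_in_config)
```

moved_pc_scenario() returns ['forwarded', 'err-disabled', 'err-disabled', 'forwarded']: the moved PC keeps tripping the new port until the old port's sticky entry is cleared, which is exactly the Question 2 situation. violation_mode_scenario(SHUTDOWN) also shows the operational cost of the default mode: after the violation the legitimate host on that port is cut off as well, whereas protect and restrict keep forwarding its frames and differ only in whether the violation is counted and reported.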

Question 7

Question 8

Explanation

When port security is violated in shutdown mode (the default), the port is put into the errdisable state -> B is correct.

When the maximum number of hosts per port has been reached, a frame from a new MAC address triggers a violation and can put that port into the errdisable state -> D is correct.

Comments
  1. polleke
    January 18th, 2020

    Q5a+b: Really conflicting information on Cisco.
    1.) A secure port and static MAC address configuration are mutually exclusive. But what about: “switchport port-security mac-address mac_address”-interface-command?
    2.) A secure port cannot belong to an EtherChannel port-channel interface. But what about: static-mode (trunk=ON) etherchannel/portchannel can be configured with port security.
    3.) A secure port cannot be a trunk port. But what about: L2 nonegotiating-mode trunk ports can be configured with port security.

  2. FB
    January 28th, 2020

    @Polleke – Totally agree with you.

    Question 5a
    Which two restrictions of the port security feature are true? (Choose two)
    A. Static port MAC address assignments are not supported.
    B. It is not supported on PVLAN ports.
    C. It is not supported on EtherChannel port-channel interfaces.
    D. A single device can learn a maximum of three sticky MAC addresses.
    E. It is supported on destination SPAN ports

    Only B is correct here.

    Question 5b
    Which three restrictions of port security features are true? (Choose three)
    A. It is not supported on EtherChannel port-channel interfaces.
    B. Static MAC address assignments are not supported.
    C. It is not supported on destination SPAN ports.
    D. It is not supported on PVLAN ports.
    E. A single device supports up to two sticky MAC addresses.

    C & D are correct

    See the latest SW config guide for 3750’s, specifically table 3.
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/152_4_e/configurationguide/b_1524e_consolidated_3750x_3560x_cg/b_1524e_consolidated_3750x_3560x_cg_chapter_0100110.html#ID550

    I think older config guides need to be discounted as Cisco are clearly changing tack on their approach to some technologies. If these questions come up I will be logging a comment as they are clearly incorrect.

  3. FB
    January 28th, 2020

    @Certprepare – You need to look into some of these answers as they are clearly incorrect. On numerous occasions you have referenced both 4500 & 6500 old software config guides which are at odds with current documentation.

  4. suntzu
    February 13th, 2020

    The current CCNA and CCNP tests are based on 2960 and 3700 series switches. They are the only ones they use to ask questions about.

    If the answers are not found in THOSE documentations then the answers are questionable.

    For instance, in a 4500 series or 4600, you cannot add switchport port security to a static configured trunk port but you can in a 2960 and 3750.

  5. suntzu
    February 13th, 2020

    @FB

    In the 3750 guide that you posted, it states that a secure port cannot belong to an Etherchannel Group

    Hence:

    Cosw1(config)#interface port-channel 1
    Cosw1(config-if)#switchport trunk encap dot1q
    Cosw1(config-if)#switchport mode trunk
    Cosw1(config-if)#switchport port-security
    %Unrecognized command

    Answers are B and C

  6. suntzu
    February 14th, 2020

    Actually depending on the platform, port-security is supported on PVLAN.

    At the very least, Cisco needs to start saying which platforms they are testing on or at least gives us 3 possible platforms/software versions.

    These are the restrictions from 2 different possible testing platforms. It’s all the different possibilities of port-security from two platforms. Obviously, there could be others from other platforms.

    •A secure port cannot be a trunk port.

    •A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

    •A secure port cannot belong to an EtherChannel port-channel interface.

    •A secure port and static MAC address configuration are mutually exclusive.

    •Port security supports private VLAN (PVLAN) ports.

    •Port security supports IEEE 802.1Q tunnel ports.

    •Port security does not support Switch Port Analyzer (SPAN) destination ports.

    •Port security does not support EtherChannel port-channel interfaces or groups

    •Port security and 802.1X port-based authentication cannot both be configured on the same port:

    •Port security supports nonnegotiating trunks.
