
Port Security 3

November 16th, 2018 in SWITCH 300-115

Question 1

Question 2

Question 3

Question 4

Question 5 (same as Q.2 of https://www.certprepare.com/port-security but answers are different)

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

For more information about configuring port security on a trunk port, see the Catalyst 4500 configuration guide: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf

We cannot configure port security on a dynamic (DTP-negotiated) interface; the port must first be placed in static access or static trunk mode. If we try it anyway, the switch rejects the command:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
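As an added worked example (not from the original page or from Cisco's documentation), the configuration below builds out port security on a static trunk port with a per-port and per-VLAN address limit, a violation mode and sticky learning, and shows the same dynamic-port attempt fixed by forcing the port into a static mode first. The interface names, VLAN numbers and address limits are assumed values for illustration; lines starting with "!" are comments, and the "switchport trunk encapsulation dot1q" line is only needed on platforms such as the Catalyst 3560 that also support ISL (a 2960 rejects it).

```cisco
! Static trunk carrying VLANs 10 and 20, secured with port security.
! Assumed values: interface, VLAN IDs and MAC limits.
interface FastEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport port-security
 ! Port-wide limit; the per-VLAN limits below must not exceed it.
 switchport port-security maximum 5
 switchport port-security maximum 3 vlan 10
 switchport port-security maximum 2 vlan 20
 ! Violation modes:
 !   protect  - frames from unknown source MACs are dropped silently,
 !              no syslog/SNMP trap, violation counter not incremented
 !   restrict - frames dropped, syslog/SNMP trap sent, counter incremented
 !   shutdown - port is placed in err-disabled state (default mode)
 switchport port-security violation restrict
 ! Learn the first addresses seen and write them into running-config.
 switchport port-security mac-address sticky
!
! A DTP port cannot carry port security; make it static first.
interface FastEthernet0/2
 switchport mode dynamic desirable
 ! switchport port-security is rejected here:
 !   Command rejected: FastEthernet0/2 is a dynamic port.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Verify: Port Status, Violation Mode, Maximum/Sticky MAC Addresses,
! Last Source Address:Vlan and Security Violation Count.
do show port-security interface FastEthernet0/1
do show port-security address
```

Use "restrict" where you want the port to stay up but still get a syslog message and a trap to act on; "shutdown" is the safer default where an unexpected MAC should isolate the port until someone looks at it.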

Question 6

Explanation

Note: The show errdisable detect command only lists the error conditions the switch can detect and whether detection is enabled for each; it does not tell us which interface was shut down as a result of a port security violation.

2960G# show errdisable detect

ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
bpduguard                    Enabled      port
channel-misconfig            Enabled      port
community-limit              Enabled      port
dhcp-rate-limit              Enabled      port
dtp-flap                     Enabled      port
gbic-invalid                 Enabled      port
inline-power                 Enabled      port
invalid-policy               Enabled      port
link-flap                    Enabled      port
loopback                     Enabled      port
lsgroup                      Enabled      port
mac-limit                    Enabled      port
pagp-flap                    Enabled      port
port-mode-failure            Enabled      port
secure-violation             Enabled      port/vlan
security-violation           Enabled      port
sfp-config-mismatch          Enabled      port
small-frame                  Enabled      port
storm-control                Enabled      port
udld                         Enabled      port
vmps                         Enabled      port

With the “show interface status err-disabled” command we can find out which ports are err-disabled and why. The sample output below is from a Nexus switch; on a Catalyst IOS switch the same command lists a port-security hit with the reason psecure-violation:

switch# show interface status err-disabled

-----------------------------------------------------------------------
Port          Name               Status    Reason
-----------------------------------------------------------------------
Eth114/1/27   --                 down      BPDUGuard errDisable
Eth114/1/28   --                 down      BPDUGuard errDisable
Eth114/1/29   --                 down      BPDUGuard errDisable
Eth114/1/30   --                 down      BPDUGuard errDisable
Eth114/1/31   --                 down      BPDUGuard errDisable
Eth114/1/32   --                 down      BPDUGuard errDisable
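As an added example (not from the original page), here is the sequence a Catalyst IOS operator would use to locate a port that port security has err-disabled, confirm the offending address, and bring the port back either by hand or through automatic recovery. The interface name is assumed; lines starting with "!" are comments.

```cisco
! 1. Which ports are err-disabled and why. A port-security hit shows
!    the reason psecure-violation (BPDU guard shows bpduguard, and so on).
Switch# show interfaces status err-disabled
!
! 2. Port-security view of the same event: the summary lists the
!    SecurityViolation count and action per secure port; the per-interface
!    view shows Port Status Secure-shutdown and Last Source Address:Vlan,
!    which is the MAC that triggered the violation.
Switch# show port-security
Switch# show port-security interface FastEthernet0/1
!
! 3. Manual recovery: bounce the interface. Sticky and static secure
!    addresses survive; only the err-disabled state is cleared, so the
!    port will be disabled again if the same MAC shows up.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# exit
!
! 4. Automatic recovery (global): re-enable ports err-disabled by port
!    security after 300 seconds. Recovery is per cause, so enabling it for
!    psecure-violation does not touch ports disabled by BPDU guard.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
Switch# show errdisable recovery
```

Automatic recovery keeps a flapping host from needing a ticket every time, but pair it with the syslog or SNMP trap from the violation so the repeated disables are still noticed.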

Comments
  1. An Nonymouse
    February 17th, 2019

    Question 4
    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself

    A & C

  2. Michael
    February 25th, 2019

    I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.

    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself.

    I believe the answer is A&C. Not A&B.

    The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.

    D is not correct because Port Security restrict can generate SNMP traps but the switch will generate the log (as user above said).

  3. Network_Monkey
    March 23rd, 2019

    Dear @certprepare

    Please update the Q4.

    Answer should be A and C

  4. yavor
    April 11th, 2019

    “I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.

    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself.

    I believe the answer is A&C. Not A&B.

    The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.”

    Not quite true. There is a specific mode for port security violation named shutdown. In which if the security violation is met the port effectively is shutdown with err-disable condition in () next to the protocol status.
    But the question is not so accurately asked as the port also drops traffic from violating mac addresses in restrict and protect modes.
    But in general the question is badly written. Maybe this is from someone’s memory from the actual exam and something is missing. I honestly have issues with understanding the question. I presume it asks what two actions the port will undertake after it has been configured for port security…(some mode) and a violation occurred.

    Here https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
    somewhere in the end it is written:
    –To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.

    So maybe indeed A and B are correct.
    If someone has some other thoughts he is welcome to write them here.
