
Port Security 3

November 16th, 2018 in SWITCH 300-115

Question 1

Question 2

Question 3

Question 4

Explanation

When a violation occurs, a port can be put into the error-disabled state. Although this state behaves the same as the shutdown state, it is not the shutdown state (so answer B is not correct). Also, in this state all traffic through the port is dropped and an SNMP trap (not a log message) is sent.

Question 5 (same as Q.2 of https://www.certprepare.com/port-security but the answers are different)

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

For more information about configuring port-security on trunk port please visit this link: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf

We cannot configure port security on a dynamic interface. For example, the command is rejected when we try it:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 6

Explanation

Note: The show errdisable detect command only lists which err-disable causes are detected; it does not show which interface was shut down as a result of a port security violation.

2960G# show errdisable detect

ErrDisable Reason Detection Mode
----------------- --------- ----
bpduguard Enabled port
channel-misconfig Enabled port
community-limit Enabled port
dhcp-rate-limit Enabled port
dtp-flap Enabled port
gbic-invalid Enabled port
inline-power Enabled port
invalid-policy Enabled port
link-flap Enabled port
loopback Enabled port
lsgroup Enabled port
mac-limit Enabled port
pagp-flap Enabled port
port-mode-failure Enabled port
secure-violation Enabled port/vlan
security-violation Enabled port
sfp-config-mismatch Enabled port
small-frame Enabled port
storm-control Enabled port
udld Enabled port
vmps Enabled port

With the “show interface status err-disabled” command we can find out the err-disabled ports and the reason for each:

switch# show interface status err-disabled

-----------------------------------------------------------------------
Port Name Status Reason
-----------------------------------------------------------------------
Eth114/1/27 -- down BPDUGuard errDisable
Eth114/1/28 -- down BPDUGuard errDisable
Eth114/1/29 -- down BPDUGuard errDisable
Eth114/1/30 -- down BPDUGuard errDisable
Eth114/1/31 -- down BPDUGuard errDisable
Eth114/1/32 -- down BPDUGuard errDisable
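As an added example (not from the original page or from Cisco), a small Python parser over the output of this command that maps each err-disabled port to its reason and picks out the ports that were err-disabled by a port-security violation. The sample output is constructed in the same layout as the transcript above; the psecure-violation reason string is the one IOS uses for port security and is assumed here alongside the BPDUGuard errDisable form shown on the page.

```python
import re
from typing import Dict, List

# Constructed sample of "show interface status err-disabled" output.
# Layout follows the transcript above; the ports and reasons are made up.
SAMPLE_OUTPUT = """\
switch# show interface status err-disabled

-----------------------------------------------------------------------
Port          Name               Status   Reason
-----------------------------------------------------------------------
Eth114/1/27   --                 down     BPDUGuard errDisable
Eth114/1/28   --                 down     BPDUGuard errDisable
Eth114/1/29   server-01          down     psecure-violation
Eth114/1/30   --                 down     link-flap
"""

# One table row: port, name (single token, "--" when unset), status,
# then the reason, which may contain spaces.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

# Reason substrings that indicate a port-security violation (assumed set).
PSEC_MARKERS = ("psecure", "security-violation", "secure-violation")


def parse_errdisabled(output: str) -> Dict[str, str]:
    """Return {port: reason} for every row whose status column is 'down'.

    Header, separator and prompt lines do not have 'down' in the third
    column, so they are skipped without special-casing them.
    """
    ports: Dict[str, str] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        port, _name, status, reason = m.groups()
        if status.lower() != "down":
            continue
        ports[port] = reason
    return ports


def port_security_violations(output: str) -> List[str]:
    """Ports that are err-disabled specifically because of port security."""
    return sorted(
        port for port, reason in parse_errdisabled(output).items()
        if any(marker in reason.lower() for marker in PSEC_MARKERS)
    )


if __name__ == "__main__":
    for port, reason in parse_errdisabled(SAMPLE_OUTPUT).items():
        print(f"{port}: {reason}")
    print("port-security violations:", port_security_violations(SAMPLE_OUTPUT))
```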

Comments
  1. An Nonymouse
    February 17th, 2019

    Question 4
    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself

    A & C

  2. Michael
    February 25th, 2019

    I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.

    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself.

    I believe the answer is A&C. Not A&B.

    The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.

    D is not correct because Port Security restrict can generate SNMP traps but the switch will generate the log (as user above said).

  3. Network_Monkey
    March 23rd, 2019

    Dear @certprepare

    Please update the Q4.

    Answer should be A and C

  4. yavor
    April 11th, 2019

    “I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.

    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled > Correct
    B. Port will be shutdown > Incorrect
    C. Port will drop traffic > Correct
    D. Port will send logs > Switch sends logs, not the port itself.

    I believe the answer is A&C. Not A&B.

    The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.”

    Not quite true. There is a specific mode for port security violation named shutdown, in which, if the security violation is met, the port effectively is shut down with the err-disable condition in () next to the protocol status.
    But the question is not so accurately asked, as the port also drops traffic from violating mac addresses in restrict and protect modes.
    But in general the question is badly written. Maybe this is from someone’s memory of the actual exam and something is missing. I honestly have issues with understanding the question. I presume it asks what two actions the port will undertake after it has been configured for port security…(some mode) and a violation occurred.

    Here https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
    somewhere in the end it is written:
    –To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.

    So maybe indeed A and B are correct.
    If someone has some other thoughts he is welcome to write them here.

  5. lark
    July 15th, 2019

    I also believe Q4 is A and C, as the two configurations you can do for violation is shutdown or restrict, which will err-disable or just drop the traffic. I’ve seen it regularly on switches.

  6. jzrla
    July 30th, 2019

    Q6 asks “a device was shutdown”. I believe A show port-security suits better since according to cisco it sees “the number of security violations that have occurred, and the violation mode.”

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

  7. Anonymous
    August 4th, 2019

    Q 4
    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf

    The command that sets the violation mode and the action to be taken when a security violation is detected:
    Router(config-if)# switchport port-security violation {protect | restrict | shutdown}

    Shutdown is the default mode, when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs.

    The answer is B C.

  8. Q4
    August 17th, 2019

    I found this in some notes:

    Port-Security Actions (Violation Modes)

    Mode | Port Action | Administrative Action
    Protect | Traffic from violating hosts is dropped. No record of the violation is kept. | Port will automatically resume after violations stop.
    Restrict | Traffic from violating hosts is dropped. Record of the violation is kept. Switch can send a SNMP trap and/or syslog message. | Port will automatically resume after violations stop.
    Shutdown (default) | Port is error-disabled (shutdown). Optionally error-disable the entire VLAN with the vlan keyword. | Port must be re-enabled manually (shut / no shut). Port will automatically resume if err-disable recovery is configured.

    Based on this, Answer C. Port will drop traffic could be correct.

    Then the decision is either Port will be shutdown or error disabled:
    A. Port Action = Error-Disabled
    B. Mode = Shutdown

    If question is about actions, then answers A & C could work.

  9. Burìk
    November 1st, 2019

    Q4

    Switch(config-if)# switchport port-security violation {restrict | shutdown}
    – restrict – A port security violation RESTRICTS DATA and causes the SecurityViolation counter to increment and send an SNMP trap notification.
    – shutdown – The interface is ERROR-DISABLED when a security violation occurs.

    To me it’s A and C. Then again, as many other questions this one is poorly written.

  10. Anonymous
    December 4th, 2019

    I don’t think it’s poorly written. It is deliberate to confuse so that you fail and come again; that is how I see it.
