Port Security 3
Question 1
Question 2
Question 3
Question 4
Explanation
When a violation occurs in the default violation mode, the port is put into the error-disabled (err-disabled) state. This state looks like a shutdown, because the port stops forwarding, but it is not the shutdown state produced by the shutdown command (so answer B is not correct). In this state all traffic through the port is dropped, the SecurityViolation counter increments and the switch sends an SNMP trap (on platforms such as the Catalyst 2960/3560 a syslog message is logged as well; in either case the notification is an action of the switch, not of the port, which is why "port will send logs" is not chosen). The port stays err-disabled until it is re-enabled with shutdown / no shutdown or by errdisable recovery.
Question 5 (same as Q.2 of https://www.certprepare.com/port-security but answers are different)
Explanation
Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
For more information about configuring port security on trunk ports, see: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf
We cannot configure port security on a dynamic interface. For example, trying it on a port in dynamic desirable mode is rejected:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Question 6
Explanation
Note: show errdisable detect does not tell you which interface was shut down as a result of a port-security violation; it only lists which error conditions the switch detects:
2960G# show errdisable detect
ErrDisable Reason    Detection Mode
With the show interface status err-disabled command we can find the err-disabled ports:
switch# show interface status err-disabled
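The violation modes discussed under Question 4, the static-trunk case from Question 5 and the verification commands from Question 6, put together as one IOS configuration. This is an added example, not configuration from the original page or from certprepare; the interface numbers, MAC limits and the 300-second recovery interval are assumptions.

```ios
! Added example (not from the page). Interface numbers and limits are assumed.
!
! Default violation mode (shutdown): on a violation the port is err-disabled,
! all traffic is dropped, the SecurityViolation counter increments and the
! switch sends an SNMP trap / syslog message. The port stays down until a
! manual shutdown / no shutdown, or until errdisable recovery (below) fires.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! restrict: frames from unknown source MACs are dropped, the counter
! increments and a trap / syslog message is sent, but the port stays up.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! protect: frames from unknown source MACs are silently dropped; no counter,
! no trap, no syslog, so you will not know a violation happened.
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
!
! Port security on a static trunk (a dynamic-mode port would be rejected).
interface FastEthernet0/4
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 10
!
! Let ports err-disabled by port security recover on their own after 300 s
! (assumed interval) instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: which ports are err-disabled and why, and per-port counters.
! show interfaces status err-disabled
! show errdisable recovery
! show port-security
! show port-security interface FastEthernet0/1
! show port-security address
```

show port-security interface is the command that answers "how many violations, in which mode" for a single port, while show interfaces status err-disabled is the quickest way to list every port the switch has taken down, whatever the cause.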
Question 4
Which two actions are possible when you are configuring port-security? (Choose two)
A. Port will be error disabled > Correct
B. Port will be shutdown > Incorrect
C. Port will drop traffic > Correct
D. Port will send logs > Switch sends logs, not the port itself
A & C
I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.
Which two actions are possible when you are configuring port-security? (Choose two)
A. Port will be error disabled > Correct
B. Port will be shutdown > Incorrect
C. Port will drop traffic > Correct
D. Port will send logs > Switch sends logs, not the port itself.
I believe the answer is A&C. Not A&B.
The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.
D is not correct because Port Security restrict can generate SNMP traps but the switch will generate the log (as user above said).
Dear @certprepare
Please update the Q4.
Answer should be A and C
“I have an issue with Question 4. I’ll copy and paste the guy above me who also has a problem with this question.
Which two actions are possible when you are configuring port-security? (Choose two)
A. Port will be error disabled > Correct
B. Port will be shutdown > Incorrect
C. Port will drop traffic > Correct
D. Port will send logs > Switch sends logs, not the port itself.
I believe the answer is A&C. Not A&B.
The reason for not B is that shutdown = shutdown command. Port security will never “shutdown” a port. It will err-disable a port, which is option “A.” The Port WILL drop unknown source traffic in Protect and Restrict modes, which lends to “C” being a correct answer.”
Not quite true. There is a specific mode for port security violation named shutdown. In this mode, if a security violation occurs, the port is effectively shut down, with the err-disabled condition shown in parentheses next to the protocol status.
But the question is not so accurately asked, as the port also drops traffic from violating MAC addresses in restrict and protect modes.
But in general the question is badly written. Maybe this is from someone’s memory of the actual exam and something is missing. I honestly have issues understanding the question. I presume it asks what two actions the port will undertake after it has been configured for port security (some mode) and a violation has occurred.
Here https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
somewhere in the end it is written:
–To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.
So maybe indeed A and B are correct.
If someone has some other thoughts he is welcome to write them here.
I also believe Q4 is A and C, as the two configurations you can do for violation is shutdown or restrict, which will err-disable or just drop the traffic. I’ve seen it regularly on switches.
Q6 asks “a device was shutdown”. I believe A show port-security suits better since according to cisco it sees “the number of security violations that have occurred, and the violation mode.”
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
Q 4
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf
The command that sets the violation mode and the action to be taken when a security violation is detected:
Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
Shutdown is the default mode, when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs.
The answer is B C.
I found this in some notes:
Port-Security Actions (Violation Modes)

Mode: Protect
Port action: Traffic from violating hosts is dropped. No record of the violation is kept.
Administrative action: Port will automatically resume after violations stop.

Mode: Restrict
Port action: Traffic from violating hosts is dropped. Record of the violation is kept. Switch can send an SNMP trap and/or syslog message.
Administrative action: Port will automatically resume after violations stop.

Mode: Shutdown (default)
Port action: Port is error-disabled (shutdown). Optionally error-disable the entire VLAN with the vlan keyword.
Administrative action: Port must be re-enabled manually (shut / no shut). Port will automatically resume if err-disable recovery is configured.
Based on this, Answer C. Port will drop traffic could be correct.
Then the decision is either Port will be shutdown or error disabled:
A. Port Action = Error-Disabled
B. Mode = Shutdown
If question is about actions, then answers A & C could work.
Q4
Switch(config-if)# switchport port-security violation {restrict | shutdown}
– restrict – A port security violation RESTRICTS DATA and causes the SecurityViolation counter to increment and send an SNMP trap notification.
– shutdown – The interface is ERROR-DISABLED when a security violation occurs.
To me it’s A and C. Then again, as many other questions this one is poorly written.
I don’t think it’s poorly written; it is deliberate, to confuse you so that you fail and come again. That is how I see it.