
Port Security 3

November 16th, 2019

Question 1

Question 2

Question 3

Question 4

Explanation

When a violation occurs in shutdown mode, the port is put into the error-disabled (err-disabled) state. This state looks and behaves like an administratively shut down port (link down, all traffic through the port dropped), but it is not the shutdown state: no shutdown command is applied to the interface, and the port only comes back after a manual shutdown / no shutdown or through errdisable recovery (so answer B is not correct). In shutdown and restrict modes the switch also sends an SNMP trap, logs a syslog message and increments the violation counter; protect mode silently drops frames from unknown MAC addresses and sends no notification at all.

Question 5 (same as Q.2 of https://www.certprepare.com/port-security but answers are different)

Explanation

Port security can be enabled on both access ports and static trunk ports (ports whose mode is fixed with switchport mode trunk, not negotiated by DTP). An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

On platforms that support more than one trunk encapsulation (for example the Catalyst 3560 and 3750) the command switchport trunk encapsulation dot1q must be entered before switchport mode trunk is accepted.

For more information about configuring port security on trunk ports see: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf

Port security cannot be configured on a dynamic interface, that is, one whose operating mode (access or trunk) is still negotiated by DTP. The command is rejected:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 6

Explanation

Note: show errdisable detect only lists the possible err-disable causes and whether detection is enabled for each of them; it does not show which interface was err-disabled, or why. Port-security violations appear in this list as secure-violation and security-violation (the same cause is named psecure-violation in the errdisable recovery commands and in the Reason column of show interfaces status err-disabled).

2960G# show errdisable detect

ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
bpduguard                    Enabled      port
channel-misconfig            Enabled      port
community-limit              Enabled      port
dhcp-rate-limit              Enabled      port
dtp-flap                     Enabled      port
gbic-invalid                 Enabled      port
inline-power                 Enabled      port
invalid-policy               Enabled      port
link-flap                    Enabled      port
loopback                     Enabled      port
lsgroup                      Enabled      port
mac-limit                    Enabled      port
pagp-flap                    Enabled      port
port-mode-failure            Enabled      port
secure-violation             Enabled      port/vlan
security-violation           Enabled      port
sfp-config-mismatch          Enabled      port
small-frame                  Enabled      port
storm-control                Enabled      port
udld                         Enabled      port
vmps                         Enabled      port

With the "show interfaces status err-disabled" command (show interface status err-disabled on NX-OS, which is where the output below, with its Eth114/1/x FEX port names, comes from) we can list the err-disabled ports together with the reason each one was disabled:

switch# show interface status err-disabled

--------------------------------------------------------------------------------
Port          Name               Status     Reason
--------------------------------------------------------------------------------
Eth114/1/27   --                 down       BPDUGuard errDisable
Eth114/1/28   --                 down       BPDUGuard errDisable
Eth114/1/29   --                 down       BPDUGuard errDisable
Eth114/1/30   --                 down       BPDUGuard errDisable
Eth114/1/31   --                 down       BPDUGuard errDisable
Eth114/1/32   --                 down       BPDUGuard errDisable
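In practice the next step after listing err-disabled ports is to filter out the ones that port security caused and recover them. The script below is an added example and not code from the original page: it parses a constructed sample of IOS "show interfaces status err-disabled" output (the interface names and descriptions are made up for this example), keeps only the ports whose Reason is psecure-violation, and emits the shutdown / no shutdown sequence that clears the err-disabled state on each of them.

```python
import re
from dataclasses import dataclass

# Constructed sample of IOS "show interfaces status err-disabled" output.
# The ports and descriptions are invented for this example; the column
# layout (Port, Name, Status, Reason, Err-disabled Vlans) follows IOS.
SAMPLE_OUTPUT = """\
Port      Name               Status       Reason               Err-disabled Vlans
Gi1/0/5   user-desk-12       err-disabled psecure-violation
Gi1/0/7                      err-disabled bpduguard
Gi1/0/9   printer-3rd-floor  err-disabled psecure-violation
"""

# Cause name IOS uses for port-security violations (the same name appears
# in "errdisable recovery cause psecure-violation").
PORT_SECURITY_CAUSES = {"psecure-violation"}


@dataclass(frozen=True)
class ErrDisabledPort:
    port: str
    name: str
    status: str
    reason: str


# Port token, optional free-text Name, the literal status, then the Reason.
# Name is matched lazily so an empty description column still parses; the
# match is case-sensitive, so the header's "Err-disabled Vlans" never matches.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*(?P<status>err-disabled)\s+(?P<reason>\S+)"
)


def parse_err_disabled(output):
    """Return one ErrDisabledPort per data line; header/separator lines are skipped."""
    ports = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports.append(ErrDisabledPort(m["port"], m["name"], m["status"], m["reason"]))
    return ports


def port_security_victims(ports):
    """Keep only the ports that port security (not BPDU guard, UDLD, ...) disabled."""
    return [p for p in ports if p.reason in PORT_SECURITY_CAUSES]


def recovery_commands(ports):
    """IOS configuration that re-enables each port by bouncing it.

    This only clears the err-disabled state. If the offending MAC address is
    still attached, the next frame triggers the violation again, so check
    "show port-security interface <port>" before applying these lines.
    """
    cmds = []
    for p in ports:
        cmds += [f"interface {p.port}", " shutdown", " no shutdown"]
    return cmds


if __name__ == "__main__":
    victims = port_security_victims(parse_err_disabled(SAMPLE_OUTPUT))
    for p in victims:
        print(f"{p.port:<10} {p.name or '-':<20} {p.reason}")
    print("\n".join(recovery_commands(victims)))
```

Bouncing the interface is the manual recovery; for unattended recovery configure errdisable recovery cause psecure-violation together with errdisable recovery interval <seconds> globally, and the switch re-enables the port itself after the interval (again, only usefully if the offending device is gone).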

Comments
  1. FB
    January 28th, 2020

    Question 4

    Which two actions are possible when you are configuring port-security? (Choose two)
    A. Port will be error disabled
    B. Port will be shutdown
    C. Port will drop traffic
    D. Port will send logs

    Answers: A & C

    Protect, restrict & shutdown are the 3x violation modes.

    Both protect & restrict will drop traffic until such time that you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. < Answer C

    Shutdown mode – Error-disables the port if a violation occurs. < Answer A

    Tricky wording….
