Which of the following methods will ensure that only one specific host can connect to port F0/1 on a switch? (Choose two. Each correct answer is a separate solution.)
A. Configure port security on F0/1 to forward traffic to a destination other than that of the MAC address of the host.
B. Configure the MAC address of the host as a static entry associated with port F0/1.
C. Configure port security on F0/1 to accept traffic only from the MAC address of the host.
D. Configure an inbound access control list on port F0/1 limiting traffic to the IP address of the host.
E. Configure port security on F0/1 to accept traffic other than that of the MAC address of the host.
Explanation:
To limit connections to a specific host, you should configure the MAC address of the host as a static entry associated with the port. Another solution would be to
configure port security to accept traffic only from the MAC address of the host. By default, an unlimited number of MAC addresses can be learned on a single switch
port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed
to connect, and by defining violation policies (such as disabling the port) to be enacted if additional hosts try to gain a connection.
The following example secures a switch port by manually defining the MAC address of allowed connections:
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
The first command activates port security on the interface, while the second command statically defines the MAC address 00C0.35F0.8301 as an allowed host on
the switch port.
Another approach to restricting a port to a single MAC address is to use the mac-address-table static command to assign a permanent MAC address to the port.
The command below would assign the MAC address 0050.3e8d.62bb to port 15 on the switch:
switch(config)# mac-address-table static 0050.3e8d.62bb interface fastethernet0/15
In review, you can ensure that only a single MAC address can use a port by either of these two strategies:
– Configuring the MAC address as a static entry associated with the port
– Configuring port security to reject traffic with a source address other than the desired MAC address
You should not configure port security on F0/1 to forward traffic to a destination other than that of the MAC address of the host. Traffic from other hosts should be
rejected, not forwarded or accepted. For the same reason, you should not configure port security on F0/1 to accept traffic other than that of the MAC address of the
host.
You cannot configure an inbound access control list on port F0/1 limiting traffic to the IP address of the host. It is impossible to filter traffic based on IP addresses on
a Layer 2 switch.
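The check below is an added example, not part of the original explanation: it audits a saved running-config and reports which interfaces are actually pinned to one statically defined MAC address by port security. The function name audit_port_security and the sample config are assumptions made for illustration, and the check relies on the IOS default of one secure MAC address per port when no maximum is configured.

```python
import re

MAC_LINE = re.compile(r"switchport port-security mac-address ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

# Constructed sample config; Fa0/1 mirrors the page's two commands, the rest are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address 00C0.35F0.8301
!
interface FastEthernet0/2
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4466
"""

def audit_port_security(config_text):
    """Map each interface to its findings; an empty list means one pinned MAC (hypothetical helper)."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface (\S+)", raw)):
            current = ports.setdefault(m.group(1), {"on": False, "max": 1, "macs": []})
        elif not raw.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current is not None:
            if line == "switchport port-security":
                current["on"] = True  # MAC lines are not enforced without this command
            elif (m := re.match(r"switchport port-security maximum (\d+)", line)):
                current["max"] = int(m.group(1))  # stays at the default of 1 when absent
            elif (m := MAC_LINE.match(line)):
                current["macs"].append(m.group(1).lower())
    report = {}
    for name, p in ports.items():
        checks = [(not p["on"], "port security not enabled"),
                  (p["max"] != 1, f"maximum is {p['max']}, not 1"),
                  (len(p["macs"]) != 1, f"{len(p['macs'])} static secure MACs configured")]
        report[name] = [msg for failed, msg in checks if failed]
    return report

if __name__ == "__main__":
    for port, findings in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Fa0/2 shows the common mistake of defining the MAC address without the bare switchport port-security command, and Fa0/3 shows a maximum that leaves room for a second host.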
Objective:
LAN Switching Fundamentals
Sub-Objective:
Configure, verify, and troubleshoot port security
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html#wp1070356