Refer to the exhibit. Port security has been configured on the switch port Fa0/5. What would
happen if another device is connected to the port after the maximum number of devices has
been reached, even if one or more of the original MAC addresses are inactive?
A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.
Explanation:
In this example the switch is configured for Port Security with the maximum number of
allowed devices set to 11. When configuring port security, note the following syntax
information about port security violation modes:
• protect—Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value.
• restrict—Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value and causes the
SecurityViolation counter to increment.
• shutdown—Puts the interface into the error-disabled state immediately and sends an
SNMP trap notification.
Normally, since the security violation mode has been set to protect, the switch would indeed allow a new
device to be added after an original MAC address becomes inactive. However, the key to this
question is the "aging time 0" command, which has also been configured. This command
disables aging, so the original MAC addresses remain in the secure address table even after their devices are removed.
Therefore the switch will not permit any new MAC addresses.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html#wp1036736