Which feature would prevent guest users from gaining network access by unplugging an IP phone
and connecting a laptop computer?
A.
IPSec VPN
B.
SSL VPN
C.
port security
D.
port security with statically configured MAC addresses
E.
private VLANs
Explanation:
Port Security with Dynamically Learned and Static MAC Addresses
You can use port security with dynamically learned and static MAC addresses to restrict a port’s
ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When
you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that
has source addresses outside the group of defined addresses. If you limit the number of secure
MAC addresses to one and assign a single secure MAC address, the device attached to that port
has the full bandwidth of the port.
A security violation occurs in either of these situations:
When the maximum number of secure MAC addresses is reached on a secure port and the
source MAC address of the ingress traffic is different from any of the identified secure MAC
addresses, port security applies the configured violation mode.
If traffic with a secure MAC address that is configured or learned on one secure port attempts to
access another secure port in the same VLAN, applies the configured violation mode.
Note After a secure MAC address is configured or learned on one secure port, the sequence of
events that occurs when port security detects that secure MAC address on a different port in the
same VLAN is known as a MAC move violation.
See the “Configuring the Port Security Violation Mode on a Port” section for more information
about the violation modes.
After you have set the maximum number of secure MAC addresses on a port, port security
includes the secure addresses in the address table in one of these ways:
You can statically configure all secure MAC addresses by using the switchport port-security macaddress
mac_address interface configuration command.
You can allow the port to dynamically configure secure MAC addresses with the MAC addresses
of connected devices.
You can statically configure a number of addresses and allow the rest to be dynamically
configured.
If the port has a link-down condition, all dynamically learned addresses are removed.Following bootup, a reload, or a link-down condition, port security does not populate the address
table with dynamically learned MAC addresses until the port receives ingress traffic.
A security violation occurs if the maximum number of secure MAC addresses have been added to
the address table and the port receives traffic from a MAC address that is not in the address table.
You can configure the port for one of three violation modes: protect, restrict, or shutdown. See the
“Configuring Port Security” section.
To ensure that an attached device has the full bandwidth of the port, set the maximum number of
addresses to one and configure the MAC address of the attached device.http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_s
ec.html#wp1061587