Refer to the exhibit. The “show port-security interface fa0/1” command was issued on switch SW1.
Given the output that was generated, which two security statements are true? (Choose two.)
A. Interface FastEthernet 0/1 was configured with the switchport port-security aging command.
B. Interface FastEthernet 0/1 was configured with the switchport port-security protect command.
C. Interface FastEthernet 0/1 was configured with the switchport port-security violation restrict command.
D. When the number of secure IP addresses reaches 10, the interface will immediately shut down.
E. When the number of secure MAC addresses reaches 10, the interface will immediately shut down and an SNMP trap notification will be sent.
Explanation:
Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port will then provide access to frames from only those addresses. If, however, the number of addresses is limited to four but no specific MAC addresses are configured, the port will allow any four MAC addresses to be learned dynamically, and port access will be limited to those four dynamically learned addresses.
Port Security Implementation: when a frame arrives from a MAC address that the port-security rules do not allow, one of three violation actions is applied, depending on the configured violation mode:
1. Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.
2. Restrict: Frames from the nonallowed address are dropped, a log message is created, and a Simple Network Management Protocol (SNMP) trap is sent.
3. Shutdown: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be used to make the interface usable. In this exhibit the port will not be shut down, because its violation mode is protect, not shutdown.
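As an added example (not part of the original question or its explanation), the script below parses the text of a "show port-security interface" output, reports what the configured violation mode will do (drop only, drop plus log and SNMP trap, or errdisable), reads the aging setting, and lists the findings an auditor would want flagged. The sample output is constructed to follow the IOS field layout discussed in this thread; it is not the exhibit from the question, and its values (Protect, 10 addresses, aging 0) are assumptions.

```python
import re

# Constructed sample (assumption: modelled on the IOS "show port-security
# interface" layout; the question's exhibit is not reproduced on the page).
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# What each violation mode does when a frame from a nonallowed MAC arrives,
# as listed in the explanation above (protect / restrict / shutdown).
VIOLATION_BEHAVIOUR = {
    "protect":  {"drops_frames": True, "logs": False, "snmp_trap": False, "errdisable": False},
    "restrict": {"drops_frames": True, "logs": True,  "snmp_trap": True,  "errdisable": False},
    "shutdown": {"drops_frames": True, "logs": True,  "snmp_trap": True,  "errdisable": True},
}

# The key is everything before the padded " : " separator, so a key that
# itself contains a colon ("Last Source Address:Vlan") is still read correctly.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.+)$")


def parse_port_security(text):
    """Turn the show output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


def aging_summary(fields):
    """An Aging Time of 0 mins means address aging is disabled (the default)."""
    m = re.match(r"(\d+)", fields.get("Aging Time", "0"))
    minutes = int(m.group(1)) if m else 0
    return {"aging_minutes": minutes, "aging_enabled": minutes > 0}


def violation_summary(fields):
    """Describe what a violation on this port will do, based on Violation Mode."""
    mode = fields.get("Violation Mode", "").strip().lower()
    if mode not in VIOLATION_BEHAVIOUR:
        raise ValueError(f"unknown violation mode: {mode!r}")
    return dict(VIOLATION_BEHAVIOUR[mode], mode=mode)


def audit_findings(fields):
    """Checks an auditor would run over the output: silent drops,
    err-disabled or admin-down ports, and recorded violations."""
    findings = []
    if not violation_summary(fields)["logs"]:
        findings.append("violation mode 'protect' drops offending frames silently; "
                        "use 'restrict' if violations must be logged and trapped")
    status = fields.get("Port Status", "").lower()
    if status == "secure-shutdown":
        findings.append("port is err-disabled after a port-security violation")
    elif status == "secure-down":
        findings.append("port is administratively down (line protocol down)")
    count = int(fields.get("Security Violation Count", "0") or 0)
    if count:
        findings.append(f"{count} violation(s) recorded on this port")
    return findings


if __name__ == "__main__":
    f = parse_port_security(SAMPLE_OUTPUT)
    print(violation_summary(f))
    print(aging_summary(f))
    for finding in audit_findings(f):
        print("-", finding)
```

Run against real output pasted from a switch, the "silently" finding is the one worth acting on: a port in protect mode gives no log line and no trap, so a violation is only visible by looking at the counters.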
How come the answer is E? It is in protect mode. How come it will send an SNMP trap?
When the MAC addresses reach 10, the interface will be shut down and a Simple Network Management Protocol (SNMP) trap is sent.
The port won't shut down. It won't accept frames from the violating MAC address. Your explanation says: “Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.”
Either the exhibit is wrong or the answers are wrong.
Interface FastEthernet 0/1 was configured with the switchport port-security violation protect command, not what is in B – “Interface FastEthernet 0/1 was configured with the switchport port-security protect command”.
But in this case only answers A and B are true (overlooking both mistakes).
I agree with Yerlan,
Answer B has a mistake: the word -violation- is missing.
Cisco command is:
SW1(config-if)# switchport port-security violation protect
Answer A has a mistake also: the word -time- is missing.
You can use the command with 0 min; it disables aging.
SW1(config-if)# switchport port-security aging time 0
In this case You can see
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
—
Why C is wrong:
The violation restrict command -> would show on the exhibit as
Violation Mode : Restrict
—
Why D and E are wrong:
Protect mode won’t shut down the port; it only drops packets.
—
FYI
There is
Port Status : Secure-down
It means the port is administratively down and the line protocol is down (disabled).
But
Port Status : Secure-shutdown
It means the port is in err-disabled status due to a port-security violation shutdown.
@juri
Default aging time is 0 – no aging by default. That means A cannot be correct no matter the command syntax.
The images of all the questions for this exam aren’t showing.