14 - Security Services II - Port Security

Question 1

How does Port security work?

Answer 1

Identifying devices based on their source MAC from Ethernet frames to restrict which devices can be connected either statically or dynamically

Question 2

What are Sticky secure MAC addresses?

Answer 2

Port security feature that learns the MAC addresses off each port and adds them to the running-config file so that you do not have to pre-configure them

Question 3

What command is used to enable port security on an interface?

Answer 3

Interface subcommand:

switchport port-security

Question 4

What switchport configuration command is used to set the maximum number of allowed MACs?

Answer 4

switchport port-security maximum 10

Question 5

What switchport configuration command is used to override the default action to take upon violation?

Answer 5

switchport port-security violation {protect | restrict | shutdown}

Question 6

How do you predefine an allowed source MAC for an interface?

Answer 6

switchport port-security mac-address 0200.1111.1111

Question 7

How do you make an interface ‘sticky learn’ MACs for port security?

Answer 7

switchport port-security mac-address sticky

Question 8

What is the difference between dynamic and sticky Port security?

Answer 8

Sticky saves Port security commands in the running config whereas dynamic does not

Question 9

What do you need to make sure you do if you are configuring port security on voice ports?

Answer 9

Make sure you configure it to allow at least 2 MACs

Question 10

Where would you configure Port security for Ether-channels?

Answer 10

On the port-channel interface, not the individual interfaces that make up the channel

Question 11

How do you verify Port security?

Answer 11

show port-security interface Ge0/1

Question 12

How do you show all MAC addresses that are associated with ports using Port security?

Answer 12

show mac address-table secure

Question 13

How do you show all MAC addresses that are associated with ports using Port security, and any other statically defined MACs?

Answer 13

show mac address-table static

Question 14

True/False: Sticky learned MACs for Port security show in the output of dynamic MAC addresses (show mac address-table dynamic)

Answer 14

False.

Sticky learned addresses are considered to be static entries

Question 15

How do you show MAC address table entries just for a specific interface?

Answer 15

show mac address-table {secure} interface Ge0/1

Question 16

How would you define a Port security violation?

Answer 16

Any frame received on a given interface that violates the Port security rules configured for that interface

Question 17

What state would a port be put into after Port security violation and Shutdown mode is configured?

Answer 17

Err-disabled state

Question 18

What commands would show err-disabled for an interface state (not port security interface state) that has had a Port security violation Shutdown?

Answer 18

show interfaces

show interfaces status

Question 19

How do you recover a port from the err-disabled state?

Answer 19

You must shutdown the port then re enable it

shutdown
no shutdown

Question 20

How can you configure a switch to automatically recover interfaces placed into the err-disabled state by Port Security?

Answer 20

errdisable recovery cause psecure-violation

Question 21

How can you adjust the time to wait before automatically recovering ports shutdown by Port security (if enabled)?

Answer 21

errdisable recovery interval {seconds}

Question 22

How can you show a quick summary of interfaces and Port security?

Answer 22

show port-security

Question 23

What does the Last Source Address:Vlan field show in the output of show port-security interface?

Answer 23

The MAC and VLAN of the device that caused the violation

Question 24

What do the Protect and Restrict violation modes do differently to Shutdown?

Answer 24

• Interface remains connected in secure-up state

- Only discards offending traffic

Question 25

What does Protect violation mode do when an offending frame arrives?

Answer 25

It only discards the frame, but does not increment the violations counter

Question 26

What does Restrict violation mode when an offending frame arrives?

Answer 26

It discards the frame, and increments the violation counter and generates syslog messages

Question 27

What will the interface state and interface port security states show for an interface on which a Port security violation has occurred and Shutdown violation mode is configured?

Answer 27

Interface state: err-disabled

Port security interface state: secure-down

Question 28

True/False: show mac address-table dynamic lists MAC entries for MAC addresses configured by Port security

Answer 28

False

Question 29

Which two show mac address-table commands list MACs for entries configured by port security?

Answer 29

show mac address-table

show mac address-table static