A new security policy has been adopted by your company. One of its requirements is that only one host is
permitted to attach dynamically to each switch port. The security settings on all of the ports have been altered
from the default settings.
You execute the following command on all switch ports of Switch A:
SwitchA(config-if)# switchport port-security maximum 1
After executing the command, you discover that users in the Sales department are still successfully plugging a
hub into a port and then plugging two or three laptops into the hub.
What did you do wrong?
A. The command should be executed at the global prompt.
B. The command should be executed as switchport port-security maximum 0.
C. You also need to execute the switchport port-security violation shutdown command at the global prompt.
D. You also need to execute the switchport port-security violation shutdown command on each switch port.
Explanation:
When configuring switch port security to enforce the policy described in the scenario, two commands are
required. One command specifies how many addresses are allowed per switch port and the other tells the
switch what to do when a violation occurs. Configuring the first without the second is like creating a rule without
enforcing it. Both commands must be executed on each switch port, as shown in the following example:
switchA(config)# interface fa0/22
switchA(config-if)# switchport port-security maximum 1
switchA(config-if)# switchport port-security violation shutdown
By default, ports are configured to shut down on a violation, but the scenario states the default settings have
been altered.
The switchport port-security violation command can be set to shutdown, restrict, or protect. The shutdown
option shuts down the port if there is a security violation, but does not send an SNMP trap logging the violation.
The restrict option drops all packets from insecure hosts at the port-security process level and increments the
security-violation count, and can send an SNMP trap. The protect option drops all the packets from the insecure
hosts at the port-security process level, but does not increment the security-violation count or send an SNMP
trap.
You should not execute either the switchport port-security violation command or the switchport port-security
maximum command at the global prompt. Both commands must be executed on each switch port.
You should not execute the command switchport port-security maximum 0. This would tell the switch to not
allow any addresses at all per switch port.
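As an added example (not part of the original explanation), the complete per-port configuration together with the show commands used to verify that the policy is actually enforced; it assumes interface fa0/22 and also enables port security on the interface with switchport port-security, a step the snippet above does not show.

```text
! Added example: full per-port configuration on SwitchA (interface name assumed)
SwitchA(config)# interface fa0/22
SwitchA(config-if)# switchport mode access
! Port security must be enabled on the interface before maximum/violation take effect
SwitchA(config-if)# switchport port-security
SwitchA(config-if)# switchport port-security maximum 1
SwitchA(config-if)# switchport port-security violation shutdown
SwitchA(config-if)# end
! Verify the non-default settings on the port: look for
!   Port Security : Enabled, Violation Mode : Shutdown, Maximum MAC Addresses : 1
SwitchA# show port-security interface fa0/22
! If a hub with two laptops is attached, the second MAC address triggers a violation
! and the port goes err-disabled; these commands show which ports were shut down
SwitchA# show port-security
SwitchA# show interfaces status err-disabled
! Recover the port once the hub has been removed
SwitchA(config)# interface fa0/22
SwitchA(config-if)# shutdown
SwitchA(config-if)# no shutdown
```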
Objective:
Infrastructure Security
Sub-Objective:
Configure, verify, and troubleshoot port security
References:
Cisco > Cisco IOS Interface and Hardware Component Command Reference > squelch through system jumbomtu > switchport port-security maximum
Cisco > Cisco IOS Interface and Hardware Component Command Reference > squelch through system jumbomtu > switchport port-security violation