PrepAway - Latest Free Exam Questions & Answers

Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy?

The network security policy requires that only one host be permitted to attach dynamically to each
switch interface. If that policy is violated, the interface should shut down. Which two commands
must the network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose
two.)

A.
Switch1(config-if)# switchport port-security violation shutdown

B.
Switch1(config)# mac-address-table secure

C.
Switch1(config-if)# switchport port-security maximum 1

D.
Switch1(config)# access-list 10 permit ip host

E.
Switch1(config-if)# ip access-group 10

Explanation:
Catalyst switches offer the port security feature to control port access based on MAC addresses.
To configure port security on an access layer switch port, begin by enabling it with the following
interface configuration command:
Switch(config-if)# switchport port-security
Next, you must identify a set of allowed MAC addresses so that the port can grant them access.
You can explicitly configure addresses or they can be dynamically learned from port traffic. On
each interface that uses port security, specify the maximum number of MAC addresses that will be
allowed access using the following interface configuration command:
Switch(config-if)# switchport port-security maximum max-addr
Finally, you must define how each interface using port security should react if a MAC address is in
violation by using the following interface configuration command:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
A violation occurs if more than the maximum number of MAC addresses are learned, or if an
unknown (not statically defined) MAC address attempts to transmit on the port. The switch port
takes one of the following configured actions when a violation is detected:
shutdown—The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again.

restrict—The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

protect—The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.
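
Added example (not part of the original page and not Cisco tooling): a Python check that reads interface configuration text and reports ports that miss the one-host, shutdown-on-violation policy built from the three commands above. The sample configuration is constructed, and treating absent maximum/violation lines as the IOS defaults (1, shutdown) is an assumption.

```python
import re

# Constructed sample interface configuration (not from the page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport port-security maximum 1
 switchport port-security violation shutdown
"""

def parse_interfaces(config):
    """Group indented sub-commands under their 'interface' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any global command ends the block
    return blocks

def audit_port_security(config, want_max=1, want_violation="shutdown"):
    """Return {interface: [findings]} for ports that miss the policy."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        # Assumption: lines left at the IOS defaults (maximum 1, violation shutdown) are absent.
        settings = {"maximum": "1", "violation": "shutdown"}
        for cmd in cmds:
            m = re.fullmatch(r"switchport port-security (maximum|violation) (\S+)", cmd)
            if m:
                settings[m.group(1)] = m.group(2)
        issues = []
        # The sub-options have no effect until the bare enabling command is present.
        if "switchport port-security" not in cmds:
            issues.append("port security not enabled")
        if settings["maximum"] != str(want_max):
            issues.append(f"maximum is {settings['maximum']}, want {want_max}")
        if settings["violation"] != want_violation:
            issues.append(f"violation is {settings['violation']}, want {want_violation}")
        if issues:
            report[name] = issues
    return report
```

On the constructed sample, FastEthernet0/3 is flagged even though its maximum and violation lines match the policy, because the enabling command is missing.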

