Cisco CCNA mock exam questions sample test – Question 313

A new security policy has been adopted by your company. One of its requirements is that only one host is permitted to attach dynamically to each switch port. The security settings on all of the ports have been altered from the default settings.
You execute the following command on all switch ports of Switch A:
SwitchA(config-if)# switchport port-security maximum 1
After executing the command, you discover that users in the Sales department are still successfully plugging a hub into a port and then plugging two or three laptops into the hub.
What did you do wrong?

A. The command should be executed at the global prompt.
B. The command should be executed as switchport port-security maximum 0.
C. You also need to execute the switchport port-security violation shutdown command at the global prompt.
D. You also need to execute the switchport port-security violation shutdown command on each switch port.

Correct Answer: D

Explanation:
When configuring switch port security to enforce the policy described in the scenario, two commands are required. One command specifies how many addresses are allowed per switch port and the other tells the switch what to do when a violation occurs. Configuring the first without the second is like creating a rule without enforcing the rule. Both commands must be executed on each switch port, as shown in the following example:
switchA(config)# interface fa0/22
switchA(config-if)# switchport port-security maximum 1
switchA(config-if)# switchport port-security violation shutdown
By default, ports are configured to shut down on a violation, but the scenario states the default settings have been altered.
The switchport port-security violation command can be set to shutdown, restrict, or protect. The shutdown option shuts down the port if there is a security violation, but does not send an SNMP trap logging the violation. The restrict option drops all packets from insecure hosts at the port-security process level and increments the security-violation count, and can send an SNMP trap. The protect option drops all the packets from the insecure hosts at the port-security process level, but does not increment the security-violation count or send an SNMP trap.
You should not execute either the switchport port-security violation command or the switchport port-security maximum command at the global prompt. Both commands must be executed on each switch port.
You should not execute the command switchport port-security maximum 0. This would tell the switch to not allow any addresses at all per switch port.
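As an added example that is not part of the original question or explanation, the following Python script audits a saved running-config for the two per-port commands the explanation requires, and also checks for the interface-level switchport port-security enable command, which the example above does not show. The sample config, interface names and function names are constructed for this illustration.

```python
# Constructed sample 'show running-config' excerpt (not from the original page).
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/22
 switchport mode access
 switchport port-security maximum 1
!
interface FastEthernet0/23
 switchport mode access
 switchport port-security maximum 3
 switchport port-security violation protect
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config: str) -> dict:
    """Split an IOS running-config into {interface name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces

def audit_port_security(config: str, violation: str = "shutdown") -> dict:
    """Return {interface: [findings]} for access ports not enforcing one host per port."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and SVIs are out of scope for this policy
        problems = []
        if "switchport port-security" not in cmds:
            problems.append("port-security not enabled on the interface")
        if [c.split()[-1] for c in cmds if c.startswith("switchport port-security maximum ")] != ["1"]:
            problems.append("maximum is not 1")
        vm = [c.split()[-1] for c in cmds if c.startswith("switchport port-security violation ")]
        if vm[:1] != [violation]:
            problems.append(f"violation mode is {vm[0] if vm else 'unset'}, policy requires {violation}")
        if problems:
            findings[name] = problems
    return findings
```

Only FastEthernet0/21 passes; the other two access ports are reported with the specific command they are missing or have set wrong.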
Objective:
Infrastructure Security
Sub-Objective:
Configure, verify, and troubleshoot port security
References:
Cisco > Cisco IOS Interface and Hardware Component Command Reference > squelch through system jumbomtu > switchport port-security maximum
Cisco > Cisco IOS Interface and Hardware Component Command Reference > squelch through system jumbomtu > switchport port-security violation