Port Security
Question 1
Explanation
The “sticky” keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.
Question 2
Explanation
Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
For more information about configuring port security on a trunk port, please visit this link: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf
We cannot configure port security on a dynamic interface. For example, we will see an error when we try it:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Question 3
Explanation
When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state. The “errdisable recovery cause psecure-violation” command brings a secure port out of error-disabled state.
Note: There is a similar command: “errdisable recovery cause security-violation” but it recovers a port from 802.1x violation disable state.
Question 4
Explanation
When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state.
Question 5
Explanation
If any one of the errdisable recovery conditions is enabled, the ports with this condition are reenabled after 300 seconds. You can also change this default of 300 seconds if you issue this command:
Switch(config)# errdisable recovery interval timer_interval_in_seconds
Question 6
Explanation
A sticky MAC address can be learned automatically or configured manually. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if we want to keep the MAC address after a reboot, we need to save the running config (with the command copy running-config startup-config).
To turn on the sticky feature on a switch, use the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky MAC addresses.
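The following is an added example, not part of the original page: a small Python check that compares saved copies of running-config and startup-config and reports sticky secure MAC addresses that would be lost on reboot because the running config was not saved. The sample configs, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not captured from a real device).
RUNNING = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00AA.BBCC.DDEE
!
"""
# Startup copy as it would look if saved before Fa0/2 learned its address.
STARTUP = RUNNING.replace(
    " switchport port-security mac-address sticky 00AA.BBCC.DDEE\n", "")

STICKY = re.compile(r"^\s+switchport port-security mac-address sticky "
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def sticky_macs(config):
    """Map interface name -> set of sticky secure MACs found under it."""
    found, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            found[current] = set()
        elif not line.startswith(" "):
            current = None          # left the interface block
        elif current:
            m = STICKY.match(line)
            if m:
                found[current].add(m.group(1).lower())
    return found

def unsaved_sticky(running, startup):
    """Sticky MACs present in running-config but absent from startup-config."""
    saved = sticky_macs(startup)
    diff = {i: sorted(m - saved.get(i, set()))
            for i, m in sticky_macs(running).items()}
    return {i: macs for i, macs in diff.items() if macs}

if __name__ == "__main__":
    for intf, macs in unsaved_sticky(RUNNING, STARTUP).items():
        print(f"{intf}: lost on reboot unless saved: {', '.join(macs)}")
```

An empty result means every sticky address in the running config is also in the startup config.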
Question 7
Question 8
Question 9
Question 10
who has the latest dump
Was able to pass;
Few questions new: what steps to take if you want to configure port security on a port: chose – access port; make sure it’s not span destination;
How to see vlan database: choose 2 – Sh vlan/sh vlan database/sh run/etc forgot
Vspan question – what traffic it allows I think
Hsrp hotspot/vtp lacp sim/new switch addition vtp sim
Drag – tacacs radius/stp modes