CCENT Answer 104 and 105: Troubleshooting

By certskills March 5, 2013 09:05

Today’s post gives the letter answer(s) to the last two #CCENT questions and combines the discussion of both answers, in part because much of the background information applies to both. Don’t read on until you try question 104 and question 105! The post then looks at the toughest distractors (wrong answers) in both questions: the answers that mention port security.

Literal Answer(s):

Question 104: C

Question 105: D

Figure Reference

The figure is just a repeat of the figure from the questions, for handy reference.

Figure 104: Network Used for Question 104 (and 105)

The rest of today’s post discusses the nuances of why both answers about port security happen to be wrong in this case. And to understand port security, you have to understand both the MAC addresses used in each frame, and what port security examines in a frame.

General Discussion 1: The MAC Addresses Stay in the Local Subnet

Answering this question starts with a firm knowledge of encapsulation. Packets in this example leave one subnet and enter a second subnet when the router routes them. As a result, the router discards the old data link header/trailer that had encapsulated the packet, and builds a new one. For instance, when PC2 pings PC4:

  1. The frame leaves PC2 with source MAC PC2-MAC, destination MAC R1-G0/0-MAC
  2. R2 discards the data link header/trailer
  3. R2 builds a new Ethernet frame w/ source MAC R1-G0/1-MAC and destination MAC PC4-MAC

General Discussion 2: Port Security Acts on Incoming Frames, Based on Source MAC Address

Cisco happens to include a little port security in ICND1, and a little in ICND2, with the current breakdown in these exams. However, even the ICND1 coverage defines the basics about what port security considers when watching traffic on a switch port. Specifically, port security:

  • Watches incoming frames only
  • Decides whether the frame breaks a rule based on the source MAC address

Question 104’s Answer with Port Security

Now look at question 104’s answer that mentions port security. It asks about SW4, port F0/5. Assuming port security was enabled on that interface, what would the frames look like for the ping issued from PC1? And for PC2? And how are they different?

First, note that port security only considers the incoming frames, and those would be the frames sent by each ping command towards PC4.

Next, note that in the figure, the IP packets would have arrived at R1, and been routed into subnet So, the source MAC at that point would be R1-G0/1-MAC, both for packets sent for PC1’s ping and packets sent for PC2’s ping.

In short, the only thing port security can examine on SW4’s G0/2 interface (the source MAC of frames entering that interface) is identical for frames holding PC1’s packets and frames holding PC2’s packets. So port security can either cause both pings to fail or allow both to work, but it cannot be configured to make PC1’s ping work and PC2’s ping fail.

Question 105’s Port Security Answer

Question 105’s answer has similar, but not identical logic. The big difference is that it asks about an event in subnet, on the left side of the figure. So, PC1’s and PC2’s MAC addresses might be in play.

Question 105 has an answer that asks about SW2’s F0/5 interface. That interface connects to router R1, namely R1’s G0/0 interface. Looking at the figure, and thinking about the ICMP messages generated by the ping commands, the ICMP Echo Reply messages will enter the SW2 F0/5 interface. That is, when PC4 sends back the replies, R1 will forward them back to the left.

Next, note that in the figure, the IP packets would have arrived from PC4 to R1, and been routed into subnet on the left. So, the source MAC at that point would be R1-G0/0-MAC, both for packets sent from PC4 to PC1 (for PC1’s ping), and for packets sent from PC4 to PC2 (for PC2’s ping).

In short, port security cannot distinguish between these two frames, because they have the same source MAC address. Again, port security can either cause both pings to fail or allow both to work, but it cannot be configured to make PC1’s ping work and PC2’s ping fail.
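The argument in both sections can be checked by exhaustion. The Python sketch below is an added example, not part of the original post: it models port security as a plain allow-list of source MACs (a simplification of the real feature), and PC1-MAC plus the `-IP` labels are assumed names that follow the figure's naming pattern. It shows the Echo Request direction; the Echo Reply case from question 105 is symmetric, with R1-G0/0-MAC as the shared source MAC.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str  # IP header fields survive routing unchanged
    dst_ip: str

def route(frame, out_if_mac, next_hop_mac):
    """Model R1: drop the old data link header, build a new one."""
    return Frame(out_if_mac, next_hop_mac, frame.src_ip, frame.dst_ip)

def port_security_permits(frame, allowed_src_macs):
    """Port security judges an incoming frame by its source MAC only."""
    return frame.src_mac in allowed_src_macs

MACS = ["PC1-MAC", "PC2-MAC", "R1-G0/0-MAC", "R1-G0/1-MAC", "PC4-MAC"]

# Echo requests as they leave the PCs (constructed sample frames).
before = {
    pc: Frame(f"{pc}-MAC", "R1-G0/0-MAC", f"{pc}-IP", "PC4-IP")
    for pc in ("PC1", "PC2")
}
# The same packets after R1 routes them toward PC4.
after = {pc: route(f, "R1-G0/1-MAC", "PC4-MAC") for pc, f in before.items()}

def splitting_configs(frames):
    """Return every allowed-MAC set that permits PC1 but blocks PC2."""
    found = []
    for n in range(len(MACS) + 1):
        for allowed in combinations(MACS, n):
            if (port_security_permits(frames["PC1"], allowed)
                    and not port_security_permits(frames["PC2"], allowed)):
                found.append(set(allowed))
    return found

if __name__ == "__main__":
    print("after routing :", len(splitting_configs(after)), "configs split the pings")
    print("before routing:", len(splitting_configs(before)), "configs split the pings")
```

No allow-list separates the two pings once R1 has rebuilt the frames, while several do on a port that sees the frames before routing, where the source MACs still differ.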

Next post, I’ll wrap up the discussion of the other answers.

  1. Robbie March 17, 04:37

    Keep the questions coming, Wendell!

    There don’t seem to be many comments, so I hope this doesn’t put you off posting more. I for one am finding your explanations helpful and reassuring to know I’m thinking in the right way.

    • CCENTSkills March 18, 16:01

      Thank you Robbie! Nice to get some encouragement over here in the blog. It does seem to be a little quiet sometimes. But I do see the hit counters, so I know people at least have the page up in their browser!
      I’ll get the rest of the explanation posted for these two questions by tomorrow. Sorry for the delay.

      • Ruben November 27, 14:02

        I am also here checking everything from all chapters and I know more people check this blog as well from talking to people also taking ICND1 along with me!

        In a personal note, I’m glad that every single chapter in the book is backed up with more exercises and comments that make me “think correctly” when coming up with an answer!

  2. Rickosic July 7, 19:21

    Great Questions and explanations! thanks

  3. Em3xus October 2, 22:35

    This was a tricky one, thanks again for these posts.

    Always good reminders to read the question thoroughly and remember the basics. I actually mistook answer B on question 105 as possible as I was thinking of ACL and not port security!

  4. adrikayak November 28, 02:55

    Hello Wendell

    There seems to be a typo under section “General Discussion 1: The MAC Addresses Stay in the Local Subnet”: points 2 and 3 refer to a nonexistent R2 in the schema. Should not it be R1?

  5. Bav October 28, 08:54

    Another great question.

  6. Tobias November 29, 11:24

    I think the answer of 104 is a tad in the gray zone, and requires you to assume a little too much.

    I believe there is no mentioning of duplex in the question, meaning that IEEE autosense for speed/duplex is still active for duplex.

    Remember even if either duplex or speed is manually configured and the other one is left at auto, the autosense should be active.

    This means that the duplex should match.

    However if one assumes that one end is using a 10Mbps speed configuration and the other 100Mbps, one side would consider the link half and the other full, meaning that there would be a problem with traffic forwarding.

    The question works but hinges a little too much on assumptions.

    • Tobias November 29, 11:36

      Following myself with another question.

      A: Misconfiguration of R1’s G0/0 IP address/mask to this seems to be the obvious answer.

      Seeing that PC2 is at the lower end of the subnet the router cannot return traffic to that host since the host would be outside of the subnet which would be the subnet the router interface is in if configured with what the answer states.

      This seems the more obvious correct answer over C. However since PC1 is in the same subnet as PC2 (assumed) is then answer A does not work.

      This once again however shows that to answer correctly, one has to selectively assume correct on various parts with no way of actually being able to tell which facts are correct. Referring to “Also, note that the information in the figure may be incorrect” which is in the question.

      The question works, but again I think it is quite gray regarding if it should be used.

      Maybe I’m misunderstanding the question somehow though.
