Q: A Port Security Question

 In 200-301 V2 Ch06: Port Security, 200-301 V2 Part 2: Security Services, CCENT-OLD, Q&A

The  lobby has a live Ethernet port: it’s time to lock that port down with port security. As usual, this post poses the question, and the next post (which will be linked at the bottom of this one once it’s there) will list the answers. Enjoy! Question is below the fold.


The figure shows a small enterprise network. The switches all have default configuration, other than some unrelated administrative settings that have no impact on this question.

Although these questions mostly ignore the routers and PCs, note that all PCs can ping each other. On the left side of the figure, all switch interfaces default to be in the same VLAN (VLAN 1). Similarly, on the right, all devices sit in the same VLAN (VLAN 2).

The switches are layer 2 only switches, like most typical Cisco access layer switches.


The question:

Host A, whose MAC address is 0200.AAAA.AAAA, happens to be a PC in the company lobby. The engineer wants to add some port security configuration to switch SW1. In this case, the engineer wants to ensure that host A, and only host A, can send traffic into the company network through this switch port. If someone walks up and disconnects that PC, and plugs in their own laptop, the port should be disabled immediately. Which of the following commands would be useful for the configuration of port security to achieve that setting? Also, do not choose answers where the command simply configures a default setting.

A. switchport port-security violation shutdown

B. switchport port-security

C. switchport mode access

D. switchport port-security mac-address 0200.AAAA.AAAA

E. switchport post-security mac-address sticky

F. switchport port-security maximum 1




A: LAN Switching Logic
Housekeeping Notice: No Config Labs for this Book Part
Notify of

Newest Most Voted
Inline Feedbacks
View all comments

B, C and D. E can also be used if Host A is connected to the switch by default.




Hey Guys (Darek and Auone).
You probably overlooked the recommendations and jumped into the answers. Please, the last sentence reads “Also, do not choose answers where the command simply configures a default setting.”
The default in Port Sceurity are : maximum =1 and violation is shutdown. Therefore, we can rule out A and F. We can also rule out E because “sticky” means that the Swicth will learn and save the first MAC that is plugged. But we want a speicifc MAC to be learned. So we are left with B, C, and D.We can also rule out C because that command is not necessary for Switchport Security (C is used for VLAN configuration). So answers are B and D. B because you have to enable port security first. Then D to configure the desire MAC.
I will pass CCNA R&S on Sept 30, Please if it is as easy as this question, Mr Wendell just give me the certicate right now !!! (just kidding Sir).


Thanks for your input, well, by default, all switch ports are in dynamic-auto, so you have to configure switchport mode in access to configure port security?


U r 100% right!


And just to clarify, I did read the part about default settings, that’s why i ruled out A and F


Hey Dexter, love that confidence! Visualize yourself leaving the testing center with passing grade receipt in hand! 🙂


C, B, then D. My 2950’s won’t let me ad port security without making the port an access port first.


I came to the answer on my own, but for the same reasons as Dexter.


Hi all – thanks for all the answers! answers post with explanation to follow in a couple of days. Thanks for playing!


Dexter is right

Would love your thoughts, please comment.x