Q: A Port Security Question

By certskills September 3, 2015 09:05

The lobby has a live Ethernet port: it’s time to lock that port down with port security. As usual, this post poses the question, and the next post (which will be linked at the bottom of this one once it’s there) will list the answers. Enjoy! Question is below the fold.


The figure shows a small enterprise network. The switches all have default configuration, other than some unrelated administrative settings that have no impact on this question.

Although these questions mostly ignore the routers and PCs, note that all PCs can ping each other. On the left side of the figure, all switch interfaces default to be in the same VLAN (VLAN 1). Similarly, on the right, all devices sit in the same VLAN (VLAN 2).

The switches are layer 2 only switches, like most typical Cisco access layer switches.


The question:

Host A, whose MAC address is 0200.AAAA.AAAA, happens to be a PC in the company lobby. The engineer wants to add some port security configuration to switch SW1. In this case, the engineer wants to ensure that host A, and only host A, can send traffic into the company network through this switch port. If someone walks up and disconnects that PC, and plugs in their own laptop, the port should be disabled immediately. Which of the following commands would be useful for the configuration of port security to achieve that setting? Also, do not choose answers where the command simply configures a default setting.

A. switchport port-security violation shutdown

B. switchport port-security

C. switchport mode access

D. switchport port-security mac-address 0200.AAAA.AAAA

E. switchport post-security mac-address sticky

F. switchport port-security maximum 1






  1. Auone September 3, 12:52

    B, C and D. E can also be used if Host A is connected to the switch by default.

  2. Darek September 3, 14:00


  3. Dexter September 3, 14:52

    Hey Guys (Darek and Auone).
    You probably overlooked the recommendations and jumped into the answers. Please, the last sentence reads “Also, do not choose answers where the command simply configures a default setting.”
    The defaults in Port Security are: maximum = 1 and violation is shutdown. Therefore, we can rule out A and F. We can also rule out E because “sticky” means that the Switch will learn and save the first MAC that is plugged. But we want a specific MAC to be learned. So we are left with B, C, and D. We can also rule out C because that command is not necessary for Switchport Security (C is used for VLAN configuration). So answers are B and D. B because you have to enable port security first. Then D to configure the desired MAC.
    I will pass CCNA R&S on Sept 30. Please, if it is as easy as this question, Mr Wendell just give me the certificate right now !!! (just kidding Sir).

  4. Travis September 4, 00:06

    C, B, then D. My 2950’s won’t let me add port security without making the port an access port first.

  5. Bob September 4, 07:05

    I came to the answer on my own, but for the same reasons as Dexter.

  6. CCENTSkills September 4, 18:26

    Hi all – thanks for all the answers! Answers post with explanation to follow in a couple of days. Thanks for playing!

    Reply to this comment
  7. mawatta December 5, 11:51

    Dexter is right

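For readers who want to check a lobby-port configuration against the requirement in the question, here is an added example (not from the post or from any commenter) that audits one interface stanza. It assumes the defaults given in the comments (maximum 1, violation shutdown) and the static access/trunk requirement reported there for 2950s; `audit`, `norm_mac` and the sample stanza are hypothetical names and data.

```python
import re

# Assumed defaults, as stated in the comments: maximum 1, violation shutdown.
DEFAULTS = {"maximum": "1", "violation": "shutdown"}
PREFIX = "switchport port-security"

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit(stanza, allowed_mac):
    """Audit one interface stanza; return (findings, redundant_lines)."""
    mode, enabled, sticky, redundant = None, False, False, []
    opts, static = dict(DEFAULTS), set()
    for raw in stanza.splitlines():
        line = " ".join(raw.lower().split())
        if line.startswith("switchport mode "):
            mode = line.split()[-1]
        elif line == PREFIX:
            enabled = True  # the bare command is what turns the feature on
        elif line.startswith(PREFIX + " "):
            words = line[len(PREFIX):].split()
            if words[0] in DEFAULTS and len(words) == 2:
                opts[words[0]] = words[1]
                if DEFAULTS[words[0]] == words[1]:
                    redundant.append(line)  # only restates a default
            elif words[:2] == ["mac-address", "sticky"]:
                sticky = True
            elif words[0] == "mac-address" and len(words) == 2:
                static.add(norm_mac(words[1]))
    limit = int(opts["maximum"])
    checks = [
        (mode not in ("access", "trunk"), "port mode is not static access/trunk"),
        (not enabled, "port security is not enabled on the interface"),
        (limit > 1, "more than one MAC address is allowed"),
        (opts["violation"] != "shutdown", "violation does not disable the port"),
        (norm_mac(allowed_mac) not in static, "allowed MAC is not static"),
        (sticky and len(static) < limit, "a free slot will sticky-learn any MAC"),
    ]
    return [msg for bad, msg in checks if bad], redundant

# Constructed sample stanza, not taken from the page.
SAMPLE = """interface FastEthernet0/1
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "0200.AAAA.AAAA"))
```

The second element of the result lists lines that only restate an assumed default, which is the distinction the question's last sentence asks about.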