#CCENT and #CCNA Fast Start: a Port Security Question

No muss, no #CCENT or #CCNA fuss: a straightforward Port Security question. At least it’s straightforward if you have a clear and confident concept of how IPv4 works inside the same LAN subnet. Enjoy!
The Question
(Wendell’s note to self: internal question number 113.)
In the figure, Host A and Host B are new hosts in this small LAN, sitting in the same IPv4 subnet. A network engineer has just connected the devices to switch SW1. The engineer then issues the following commands on interface Fa0/2 as the first and only port security commands:
```
shutdown
switchport mode access
switchport port-security
no shutdown
```
The user of host A then issues a ping 10.1.1.2 command, which first requires host A to use ARP to learn host B’s MAC address (because host A did not have an ARP table entry for host B). Which of the following answers identifies the first message (if any) that port security filters?
a) The ARP Request sent from host A to host B
b) The ARP Reply sent from host B to host A
c) The ICMP Echo Request from host A to host B
d) The ICMP Echo Reply from host B to host A
e) None of the messages in the other answers are filtered
Figure 2: Figure Used with Port Security Question
Answers next post. Enjoy!
Related Posts
More Practice Questions:
This question is like those you get when you buy the ICND1 100-101 Official Cert Guide. This blog also lists various practice questions. For more questions on a large variety of topics:
- Look at the Questions tab in the www.ccentskills.com blog
- Look at the Questions tab in the www.ccnaskills.com blog
- Use the practice tests that come with the printed version of the book
- Get additional exam banks, even more than the print book, with the Premium Edition of the Book, available only from the publisher
My answer is B. The ARP request is sent to all ports except the source, and port security filters the ARP response from host B sent on F0/2.
Wow, a switch here is an L2 device; it has no ability to control a ping, which runs at L3. Also, the switch port security command by itself has no effect whatsoever.
Charmand,
To flow over a LAN, those packets must be encapsulated in an Ethernet frame. To answer the question, you have to think about what layer 3 does, what the Ethernet headers that are added to those packets look like, and then what port security does when looking at those Ethernet headers. FYI.
Wendell
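Wendell's hint above, traced as an added example (not code from the original post or its comments): each message of the ping exchange with its Ethernet source MAC, checked against port security's defaults of one allowed MAC address and violation mode shutdown. The MAC addresses and the port placement (host A on Fa0/1, host B on the secured Fa0/2) are assumptions, because the figure is not reproduced here.

```python
from dataclasses import dataclass, field

# Constructed sample values: the figure is not reproduced on the page, so the
# MAC addresses and the port placement (host A on Fa0/1, host B on the
# secured Fa0/2) are assumptions.
MAC_A, MAC_B, BCAST = "0200.aaaa.aaaa", "0200.bbbb.bbbb", "ffff.ffff.ffff"

@dataclass
class SecurePort:
    """Port security with IOS defaults: maximum 1 MAC, violation shutdown."""
    maximum: int = 1
    learned: set = field(default_factory=set)
    err_disabled: bool = False

    def ingress(self, src_mac):
        """Check the source MAC of a frame arriving on this port."""
        if self.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)          # dynamically learn a secure MAC
            return "forwarded (MAC learned)"
        self.err_disabled = True               # violation: shutdown mode
        return "dropped (violation)"

# (message, ingress port, source MAC, destination MAC)
PING_FRAMES = [
    ("ARP Request", "Fa0/1", MAC_A, BCAST),
    ("ARP Reply", "Fa0/2", MAC_B, MAC_A),
    ("ICMP Echo Request", "Fa0/1", MAC_A, MAC_B),
    ("ICMP Echo Reply", "Fa0/2", MAC_B, MAC_A),
]

def trace(frames, secured="Fa0/2"):
    """Return (message, verdict); only ingress on the secured port is checked."""
    port = SecurePort()
    out = []
    for name, in_port, src, _dst in frames:
        verdict = port.ingress(src) if in_port == secured else "not checked"
        out.append((name, verdict))
    return out

if __name__ == "__main__":
    for row in trace(PING_FRAMES):
        print(row)
    # Contrast: a second source MAC (constructed) showing up on Fa0/2.
    extra = PING_FRAMES + [("Frame from a third host", "Fa0/2", "0200.cccc.cccc", MAC_A)]
    print(trace(extra)[-1])
```

Running it prints the verdict for each of the four messages in the question, then the contrasting case of a second source MAC arriving on the secured port.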
I didn't think of it that way. Since port security enabled on a port only activates security on the port, and by default has a maximum of 1 address and a violation mode of shutdown, the ARP request gets replied to by host B, and the switch figures out which MAC address is associated with host B and stores it in port security. Nothing stops communication from happening; no filters work unless we add a new device to that port.
And none of the communication gets affected. Probably E is the best answer in this case, because none of the communication gets filtered.
…And two votes for E so far on Facebook. Stay tuned – answer will post Monday or Tuesday.
W
My bet is, since the ping is destined for 10.1.1.2, it will use ICMP to request communication. 10.1.1.2 will send 10.1.1.1 an echo reply. I'm open to correction, though. Thanks, DAVIN
Hi Davin,
Well, I agree with your analysis. But which answer is correct? If you want to follow it through to a specific answer, note that there’s a link below to the answer post. Thanks…
Wendell
I think of E. Here Port Security has only been activated, with no policy set in case of violation. So I think that nothing is going to be filtered.
Ramses,
Well, I like the direction you are thinking, but the Port Security defaults matter a lot. See the link below for the answer details…
Wendell
Answer is: a)
Port security was enabled on Fa0/2 as part of the initial configuration by the engineer. Therefore port Fa0/2 was err-disabled, i.e., in error, not functioning. The ARP request from host A enters port Fa0/1, but it can't go beyond port Fa0/2, as the request was filtered, i.e., discarded by the disabled port Fa0/2.