#CCENT and #CCNA Fast Start: a Port Security Question

By certskills May 24, 2013 09:05


No muss, no #CCENT or #CCNA fuss: a straightforward Port Security question. At least it’s straightforward if you have a clear and confident concept of how IPv4 works inside the same LAN subnet. Enjoy!

The Question

(Wendell’s note to self: internal question number 113.)

In the figure, Host A and Host B are new hosts in this small LAN, sitting in the same IPv4 subnet. A network engineer has just connected the devices to switch SW1. The engineer then issues the following commands on interface Fa0/2 as the first and only port security commands:


The user of host A then issues a ping command, which first requires host A to use ARP to learn host B’s MAC address (because host A did not have an ARP table entry for host B). Which of the following answers identifies the first message (if any) that port security filters?

a)     The ARP Request sent from host A to host B

b)     The ARP Reply sent from host B to host A

c)     The ICMP Echo Request from host A to host B

d)     The ICMP Echo Reply from host B to host A

e)     None of the messages in the other answers are filtered

Figure 2: Figure Used with Port Security Question

Answers next post. Enjoy!

Related Posts

Introduction to this topic as it exists in the new CCENT and CCNA exams:

More Practice Questions:

This question is like those you get if when you buy the ICND1 100-101 Official Cert Guide. This blog also lists various practice questions as well. For more questions on a large variety of topics:


#CCENT and #CCNA Fast Start: Port Security
Answer to the Port Security Question
By certskills May 24, 2013 09:05
Write a comment


  1. ASU May 24, 09:47

    My answer is B. The ARP request is sent to all ports except the source, and port security filters the ARP response from host B sent on F0/2.

    Reply to this comment
    • Charmand May 26, 02:10

      Wow, a switch here is a L2 device, it has not ability to control a Ping which runs at L3. Also switch port security command by itself has not effects what so ever.

      Reply to this comment
      • CCENTSkills May 26, 06:43

        To flow over a LAN, those packets must be encapsulated in an Ethernet frame. To answer the question, you have to think about what layer 3 does, what the Ethernet headers that are added to those packets look like, and then what port security does when looking at those Ethernet headers. FYI.

        Reply to this comment
    • firdous June 27, 04:05

      i didnt think it that way. since port security enable on a port only activates security on the port and by default have a maximum of 1 address and voilation of shutdown. so arp request request gets replied by the host b and the switches figures out which mac address is associated to host b. and stores it in port security and nothing stops communication to happen no filters work unless we add new device to that port.

      Reply to this comment
      • firdous June 27, 04:07

        and none of communication get affected. Probally E is the best answer in this case becoz none of the communication get filtered

        Reply to this comment
  2. CCENTSkills May 24, 16:54

    …And two votes for E so far on Facebook. Stay tuned – answer will post Monday or Tuesday.

    Reply to this comment
    • Davin June 3, 12:00

      My bet is, since the ping is destined for, it will use icmp to request communication. will send an echo reply. im open for correction thou. thanks DAVIN

      Reply to this comment
      • CCENTSkills June 20, 14:36

        Hi Davin,
        Well, I agree with your analysis. But which answer is correct? If you want to follow it through to a specific answer, note that there’s a link below to the answer post. Thanks…

        Reply to this comment
  3. Ramses June 8, 04:50

    I think of E. Here Port Security has only been activated, with no policy set in case of violation. So I think that nothing is going to be filtered.

    Reply to this comment
    • CCENTSkills June 20, 14:37

      Well, I like the direction you are thinking, but the Port Security defaults matter a lot. See the link below for the answer details…

      Reply to this comment
  4. Punya Athma April 29, 01:43

    Answer is: a)

    Port security enabled on Fa0/2 as part of the initial configurations by the engineer. Therefore Port Fa0/2 was err-disabled. i.e, error, not functioning. Arp request from host A enters the port Fa0/1 but, it can’t go beyond the port Fa0/2, as the request was filtered, i.e, discarded by the disabled port Fa0/2.

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email