#CCENT and #CCNA Fast Start: a Port Security Question

By certskills May 24, 2013 09:05

 

No muss, no #CCENT or #CCNA fuss: a straightforward Port Security question. At least it’s straightforward if you have a clear and confident concept of how IPv4 works inside the same LAN subnet. Enjoy!

The Question

(Wendell’s note to self: internal question number 113.)

In the figure, Host A and Host B are new hosts in this small LAN, sitting in the same IPv4 subnet. A network engineer has just connected the devices to switch SW1. The engineer then issues the following commands on interface Fa0/2 as the first and only port security commands:

shutdown
switchport mode access
switchport port-security
no shutdown

 

The user of host A then issues a ping 10.1.1.2 command, which first requires host A to use ARP to learn host B’s MAC address (because host A did not have an ARP table entry for host B). Which of the following answers identifies the first message (if any) that port security filters?

a)     The ARP Request sent from host A to host B

b)     The ARP Reply sent from host B to host A

c)     The ICMP Echo Request from host A to host B

d)     The ICMP Echo Reply from host B to host A

e)     None of the messages in the other answers are filtered

Figure 2: Figure Used with Port Security Question

Answers next post. Enjoy!

Related Posts

Introduction to this topic as it exists in the new CCENT and CCNA exams:

More Practice Questions:

This question is like those you get when you buy the ICND1 100-101 Official Cert Guide. This blog also lists various practice questions. For more questions on a large variety of topics:

 

12 Comments
ASU
May 24, 2013 9:47 am

My answer is B. The ARP request is sent to all ports except the source, and port security filters the ARP response from host B sent on F0/2.

Charmand
Reply to  ASU
May 26, 2013 2:10 am

Wow, a switch here is an L2 device; it has no ability to control a ping, which runs at L3. Also, the switch port security command by itself has no effect whatsoever.

lyjo
Admin
Reply to  Charmand
May 26, 2013 6:43 am

Charmand,
To flow over a LAN, those packets must be encapsulated in an Ethernet frame. To answer the question, you have to think about what layer 3 does, what the Ethernet headers that are added to those packets look like, and then what port security does when looking at those Ethernet headers. FYI.
Wendell

firdous
Reply to  ASU
June 27, 2013 4:05 am

I didn't think of it that way. Since enabling port security on a port only activates security on the port, and by default it has a maximum of 1 address and a violation mode of shutdown, the ARP request gets replied to by host B, and the switch figures out which MAC address is associated with host B and stores it in port security. Nothing stops the communication from happening; no filters work unless we add a new device to that port.

firdous
Reply to  firdous
June 27, 2013 4:07 am

And none of the communication gets affected. Probably E is the best answer in this case because none of the communication gets filtered.

lyjo
Admin
May 24, 2013 4:54 pm

…And two votes for E so far on Facebook. Stay tuned – answer will post Monday or Tuesday.
W

Davin
Reply to  lyjo
June 3, 2013 12:00 pm

My bet is, since the ping is destined for 10.1.1.2, it will use ICMP to request communication. 10.1.1.2 will send 10.1.1.1 an echo reply. I'm open to correction though. Thanks, DAVIN

lyjo
Admin
Reply to  Davin
June 20, 2013 2:36 pm

Hi Davin,
Well, I agree with your analysis. But which answer is correct? If you want to follow it through to a specific answer, note that there’s a link below to the answer post. Thanks…
Wendell

Ramses
June 8, 2013 4:50 am

I think of E. Here Port Security has only been activated, with no policy set in case of violation. So I think that nothing is going to be filtered.

lyjo
Admin
Reply to  Ramses
June 20, 2013 2:37 pm

Ramses,
Well, I like the direction you are thinking, but the Port Security defaults matter a lot. See the link below for the answer details…
Wendell

Punya Athma
April 29, 2020 1:43 am

Answer is: a)

Port security was enabled on Fa0/2 as part of the initial configuration by the engineer. Therefore port Fa0/2 was err-disabled, i.e., in error, not functioning. The ARP request from host A enters port Fa0/1, but it can’t go beyond port Fa0/2, as the request was filtered, i.e., discarded by the disabled port Fa0/2.
