#CCENT and #CCNA Fast Start: a Port Security Question


 

No muss, no #CCENT or #CCNA fuss: a straightforward Port Security question. At least it’s straightforward if you have a clear and confident concept of how IPv4 works inside the same LAN subnet. Enjoy!

The Question

(Wendell’s note to self: internal question number 113.)

In the figure, Host A and Host B are new hosts in this small LAN, sitting in the same IPv4 subnet. A network engineer has just connected the devices to switch SW1. The engineer then issues the following commands on interface Fa0/2 as the first and only port security commands:

shutdown
switchport mode access
switchport port-security
no shutdown

 

The user of host A then issues a ping 10.1.1.2 command, which first requires host A to use ARP to learn host B’s MAC address (because host A did not have an ARP table entry for host B). Which of the following answers identifies the first message (if any) that port security filters?

a)     The ARP Request sent from host A to host B

b)     The ARP Reply sent from host B to host A

c)     The ICMP Echo Request from host A to host B

d)     The ICMP Echo Reply from host B to host A

e)     None of the messages in the other answers are filtered

Figure 2: Figure Used with Port Security Question

Answers next post. Enjoy!

Related Posts

Introduction to this topic as it exists in the new CCENT and CCNA exams:

More Practice Questions:

This question is like those you get when you buy the ICND1 100-101 Official Cert Guide. This blog also lists various practice questions. For more questions on a large variety of topics:

 

ASU

My answer is B. The ARP request is sent to all ports except the source, and port security filters the ARP response from host B sent on F0/2.

Charmand

Wow, a switch here is an L2 device; it has no ability to control a ping, which runs at L3. Also, the switch port security command by itself has no effect whatsoever.

lyjo

Charmand,
To flow over a LAN, those packets must be encapsulated in an Ethernet frame. To answer the question, you have to think about what layer 3 does, what the Ethernet headers that are added to those packets look like, and then what port security does when looking at those Ethernet headers. FYI.
Wendell

firdous

I didn't think of it that way, since port security enabled on a port only activates security on the port and by default has a maximum of 1 address and a violation of shutdown. So the ARP request gets replied to by host B, and the switch figures out which MAC address is associated with host B and stores it in port security, and nothing stops communication from happening; no filters work unless we add a new device to that port.

firdous

And none of the communication gets affected. Probably E is the best answer in this case because none of the communication gets filtered.

lyjo

…And two votes for E so far on Facebook. Stay tuned – answer will post Monday or Tuesday.
W

Davin

My bet is, since the ping is destined for 10.1.1.2, it will use ICMP to request communication. 10.1.1.2 will send 10.1.1.1 an echo reply. I'm open to correction, though. Thanks, Davin

lyjo

Hi Davin,
Well, I agree with your analysis. But which answer is correct? If you want to follow it through to a specific answer, note that there’s a link below to the answer post. Thanks…
Wendell


Ramses

I think of E. Here Port Security has only been activated, with no policy set in case of violation. So I think that nothing is going to be filtered.

lyjo

Ramses,
Well, I like the direction you are thinking, but the Port Security defaults matter a lot. See the link below for the answer details…
Wendell

Punya Athma

Answer is: a)

Port security was enabled on Fa0/2 as part of the initial configuration by the engineer. Therefore port Fa0/2 was err-disabled, i.e., in error, not functioning. The ARP request from host A enters port Fa0/1, but it can't go beyond port Fa0/2, as the request was filtered, i.e., discarded by the disabled port Fa0/2.
