Packet Tracer Troubleshooting Switch Port Security

Posted on  by 



Overview:

Packet Tracer Activity 2.2.1.4: Configuring SSH. Packet Tracer Activity 2.2.4.9: Configuring Switch Port Security. Packet Tracer Activity 2.2.4.10: Troubleshooting. Switch(config)#interface fa0/1 Switch(config-if)#switchport port-security Switch(config-if)#switchport port-security maximum 1 Use the switchport port-security command to enable port-security. I have configured port-security so only one MAC address is allowed. Once the switch sees another MAC address on the interface it will be in violation and something will happen. Switch(config-if)#switchport port-security maxi Switch(config-if)#switchport port-security maximum 1 Switch(config-if)#switchport port-security viol Switch(config-if)#switchport port-security violation sh Switch(config-if)#^Z Switch#%SYS-5-CONFIGI: Configured from console by console Switch#sh por Switch#sh port-security interfa Switch#sh port. Packet Tracer - Troubleshooting Switch Port Security Scenario The employee who normally uses PC1 brought his laptop from home, disconnected PC1 and connected the laptop to the telecommunication outlet. After reminding him of the security policy that does not allow personal devices on the network, you now must reconnect PC1 and re-enable the port.

Packet Tracer - Configuring Switch Port Security

Port security can be used on an interface to identify and limit the MAC addresses of clients that are allowed to access that port.

Study Notes:

  • Port security identifies the MAC addresses of clients allowed to forward traffic through an interface
  • Port security is applied to access ports
  • Port security cannot be applied to a trunk port
  • Port security cannot be applied to the destination port for a SPAN port
  • Port security cannot be applied to an EtherChannel/Port-Channel interface
  • Port security and static MAC configuration are mutually exclusive
  • By default
    • Port security is turned off
    • The maximum number of secure MAC addresses is 1
    • When a violation occurs the port gets shutdown
    • Aging is disabled
    • Aging type is absolute
    • Static aging is disabled
    • Sticky is disabled
  • If the number of MAC addresses configured on a port is less than the maximum then the remaining MAC addresses are able to be learned dynamically
  • If a port shuts down, all dynamically learned MAC addresses are removed
  • A sticky MAC lets an interface retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online
  • To recover a port from err-disabled, you must shut and no shut it
  • Port-security violation modes:
protectDrops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count
restrictDrops all the packets from the insecure hosts at the port-security process level and increments the security-violation count
shutdownShuts down the port if there is a security violation

Required

Packet Tracer - Troubleshooting Switch Port Security

Optional
6.1.a Static/6.1.b Dynamic
Set the MAC addresses that are allowed to use the port. If less than the maximum are set than the remaining are learned dynamically.

6.1.c Sticky
Enable sticky learning on the interface

6.1.d Maximum MAC Addresses
Set the number of MAC addresses allowed to use this port

6.1.e Violation Actions
Set the action to be taken when port-security is violated

6.1.f Err-disabled recovery
Once port security is violated on an interface, the interface will go to err-disabled. To return it to normal, do the following:

Packet Tracer Troubleshooting Switch Port Security

Verification commands

PacketTracer Lab:CCNA-6.1-Configure-verify-and-troubleshoot-port-security.pkt

CCNA2 v6.0 Chapter 5 Exam Answers 2018 2019

From year to year, Cisco has updated many versions with difference questions. The latest version is version 6.0 in 2018. What is your version? It depends on your instructor creating your class. We recommend you to go thought all version if you are not clear. While you take online test with netacad.com, You may get random questions from all version. Each version have 1 to 10 different questions or more. After you review all questions, You should practice with our online test system by go to 'Online Test' link below.

Version 5.02Version 5.03Version 6.0Online Assessment
Chapter 5 ExamChapter 5 ExamChapter 5 ExamOnline Test
Next Chapter
Chapter 6 ExamChapter 6 ExamChapter 6 ExamOnline Test
Lab Activities
5.2.1.4 Packet Tracer – Configuring SSH
5.2.2.7 Packet Tracer – Configuring Switch Port Security
5.2.2.8 Packet Tracer – Troubleshooting Switch Port Security
5.3.1.2 Packet Tracer – Skills Integration Challenge
  1. What is a function of the switch boot loader?

    • to speed up the boot process
    • to provide security for the vulnerable state when the switch is booting
    • to control how much RAM is available to the switch during the boot process
    • to provide an environment to operate in when the switch operating system cannot be found
      Explanation:

      The switch boot loader environment is presented when the switch cannot locate a valid operating system. The boot loader environment provides a few basic commands that allows a network administrator to reload the operating system or provide an alternate location of the operating system.

  2. Which interface is the default location that would contain the IP address used to manage a 24-port Ethernet switch?

    • VLAN 1
    • Fa0/0
    • Fa0/1
    • interface connected to the default gateway
    • VLAN 99
  3. A production switch is reloaded and finishes with a Switch> prompt. What two facts can be determined? (Choose two.)

    • POST occurred normally.
    • The boot process was interrupted.
    • There is not enough RAM or flash on this router.
    • A full version of the Cisco IOS was located and loaded.
    • The switch did not locate the Cisco IOS in flash, so it defaulted to ROM.
  4. Which two statements are true about using full-duplex Fast Ethernet? (Choose two.)

    • Performance is improved with bidirectional data flow.
    • Latency is reduced because the NIC processes frames faster.
    • Nodes operate in full-duplex with unidirectional data flow.
    • Performance is improved because the NIC is able to detect collisions.
    • Full-duplex Fast Ethernet offers 100 percent efficiency in both directions.
  5. Which statement describes the port speed LED on the Cisco Catalyst 2960 switch?

    • If the LED is green, the port is operating at 100 Mb/s.
    • If the LED is off, the port is not operating.
    • If the LED is blinking green, the port is operating at 10 Mb/s.
    • If the LED is amber, the port is operating at 1000 Mb/s.
      Explanation:

      The port speed LED indicates that the port speed mode is selected. When selected, the port LEDs will display colors with different meanings. If the LED is off, the port is operating at 10 Mb/s. If the LED is green, the port is operating at 100 Mb/s. If the LED is blinking green, the port is operating at 1000 Mb/s.

  6. Which command is used to set the BOOT environment variable that defines where to find the IOS image file on a switch?

    • config-register
    • boot system
    • boot loader
    • confreg
      Explanation:

      The boot system command is used to set the BOOT environment variable. The config-register and confreg commands are used to set the configuration register. The boot loader command supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password.

  7. In which situation would a technician use the show interfaces switch command?

    • to determine if remote access is enabled
    • when packets are being dropped from a particular directly attached host
    • when an end device can reach local devices, but not remote devices
    • to determine the MAC address of a directly attached network device on a particular interface
      Explanation:

      The show interfaces command is useful to detect media errors, to see if packets are being sent and received, and to determine if any runts, giants, CRCs, interface resets, or other errors have occurred. Problems with reachability to a remote network would likely be caused by a misconfigured default gateway or other routing issue, not a switch issue. The show mac address-table command shows the MAC address of a directly attached device.

  8. Refer to the exhibit. A network technician is troubleshooting connectivity issues in an Ethernet network with the command show interfaces fastEthernet 0/0. What conclusion can be drawn based on the partial output in the exhibit?

    CCNA 2 RSE 6.0 Chapter 5 Exam Answers 2018 2019 04

    • All hosts on this network communicate in full-duplex mode.
    • Some workstations might use an incorrect cabling type to connect to the network.
    • There are collisions in the network that cause frames to occur that are less than 64 bytes in length.
    • A malfunctioning NIC can cause frames to be transmitted that are longer than the allowed maximum length.
      Explanation:

      The partial output shows that there are 50 giants (frames longer than the allowed maximum) that were injected into the network, possibly by a malfunctioning NIC. This conclusion can be drawn because there are only 25 collisions, so not all the 50 giants are the result of a collision. Also, because there 25 collisions, it is most likely that not all hosts are using full-duplex mode (otherwise there would not be any collisions). There should be no cabling issues since the CRC error value is 0. There are 0 runts, so the collisions have not caused malformed frames to occur that are shorter than 64 bytes in length .

  9. Refer to the exhibit. What media issue might exist on the link connected to Fa0/1 based on the show interface command?

    CCNA 2 RSE 6.0 Chapter 5 Exam Answers 2018 2019 02

    • The bandwidth parameter on the interface might be too high.
    • There could be an issue with a faulty NIC.
    • There could be too much electrical interference and noise on the link.
    • The cable attaching the host to port Fa0/1 might be too long.
    • The interface might be configured as half-duplex.
      Explanation:

      Escalating CRC errors usually means that the data is being modified during transmission from the host to the switch. This is often caused by high levels of electromagnetic interference on the link.

  10. If one end of an Ethernet connection is configured for full duplex and the other end of the connection is configured for half duplex, where would late collisions be observed?

    • on both ends of the connection
    • on the full-duplex end of the connection
    • only on serial interfaces
    • on the half-duplex end of the connection
      Explanation:

      Full-duplex communications do not produce collisions. However, collisions often occur in half-duplex operations. When a connection has two different duplex configurations, the half-duplex end will experience late collisions. Collisions are found on Ethernet networks. Serial interfaces use technologies other than Ethernet.

  11. What is one difference between using Telnet or SSH to connect to a network device for management purposes?

    • Telnet uses UDP as the transport protocol whereas SSH uses TCP.
    • Telnet does not provide authentication whereas SSH provides authentication.
    • Telnet supports a host GUI whereas SSH only supports a host CLI.
    • Telnet sends a username and password in plain text, whereas SSH encrypts the username and password.
      Explanation:

      SSH provides security for remote management connections to a network device. SSH does so through encryption for session authentication (username and password) as well as for data transmission. Telnet sends a username and password in plain text, which can be targeted to obtain the username and password through data capture. Both Telnet and SSH use TCP, support authentication, and connect to hosts in CLI.

  12. Refer to the exhibit. The network administrator wants to configure Switch1 to allow SSH connections and prohibit Telnet connections. How should the network administrator change the displayed configuration to satisfy the requirement?

    CCNA 2 RSE 6.0 Chapter 5 Exam Answers 2018 2019 01

    • Use SSH version 1.
    • Reconfigure the RSA key.
    • Configure SSH on a different line.
    • Modify the transport input command.
  13. What is the effect of using the switchport port-security command?

    • enables port security on an interface
    • enables port security globally on the switch
    • automatically shuts an interface down if applied to a trunk port
    • detects the first MAC address in a frame that comes into a port and places that MAC address in the MAC address table
      Explanation:

      Port security cannot be enabled globally. All active switch ports should be manually secured using the switchport port-security command, which allows the administrator to control the number of valid MAC addresses allowed to access the port. This command does not specify what action will be taken if a violation occurs, nor does it change the process of populating the MAC address table.

  14. Where are dynamically learned MAC addresses stored when sticky learning is enabled with the switchport port-security mac-address sticky command?

    • ROM
    • RAM
    • NVRAM
    • flash
      Explanation:

      When MAC addresses are automatically learned by using the sticky command option, the learned MAC addresses are added to the running configuration, which is stored in RAM.

  15. A network administrator configures the port security feature on a switch. The security policy specifies that each access port should allow up to two MAC addresses. When the maximum number of MAC addresses is reached, a frame with the unknown source MAC address is dropped and a notification is sent to the syslog server. Which security violation mode should be configured for each access port?

    • restrict
    • protect
    • warning
    • shutdown
      Explanation:

      In port security implementation, an interface can be configured for one of three violation modes:
      Protect – a port security violation causes the interface to drop packets with unknown source addresses and no notification is sent that a security violation has occurred.
      Restrict – a port security violation causes the interface to drop packets with unknown source addresses and to send a notification that a security violation has occurred.
      Shutdown – a port security violation causes the interface to immediately become error-disabled and turns off the port LED. No notification is sent that a security violation has occurred.

  16. Which two statements are true regarding switch port security? (Choose two.)

    • The three configurable violation modes all log violations via SNMP.
    • Dynamically learned secure MAC addresses are lost when the switch reboots.
    • The three configurable violation modes all require user intervention to re-enable ports.
    • After entering the sticky parameter, only MAC addresses subsequently learned are converted to secure MAC addresses.
    • If fewer than the maximum number of MAC addresses for a port are configured statically, dynamically learned addresses are added to CAM until the maximum number is reached.
  17. Which action will bring an error-disabled switch port back to an operational state?

    • Remove and reconfigure port security on the interface.
    • Issue the switchport mode access command on the interface.
    • Clear the MAC address table on the switch.
    • Issue the shutdown and then no shutdown interface commands.
      Explanation:

      When a violation occurs on a switch port that is configured for port security with the shutdown violation action, it is put into the err-disabled state. It can be brought back up by shutting down the interface and then issuing the no shutdown command.

  18. Refer to the exhibit. Port Fa0/2 has already been configured appropriately. The IP phone and PC work properly. Which switch configuration would be most appropriate for port Fa0/2 if the network administrator has the following goals?

    No one is allowed to disconnect the IP phone or the PC and connect some other wired device.
    If a different device is connected, port Fa0/2 is shut down.
    The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration.

    • SWA(config-if)# switchport port-security
      SWA(config-if)# switchport port-security mac-address sticky
    • SWA(config-if)# switchport port-security mac-address sticky
      SWA(config-if)# switchport port-security maximum 2
    • SWA(config-if)# switchport port-security
      SWA(config-if)# switchport port-security maximum 2
      SWA(config-if)# switchport port-security mac-address sticky
    • SWA(config-if)# switchport port-security
      SWA(config-if)# switchport port-security maximum 2
      SWA(config-if)# switchport port-security mac-address sticky
      SWA(config-if)# switchport port-security violation restrict
      Explanation:

      The default mode for a port security violation is to shut down the port so the switchport port-security violation command is not necessary. The switchport port-security command must be entered with no additional options to enable port security for the port. Then, additional port security options can be added.

  19. Refer to the exhibit. What can be determined about port security from the information that is shown?

    CCNA 2 RSE 6.0 Chapter 5 Exam Answers 2018 2019 05

    • The port has been shut down.
    • The port has two attached devices.
    • The port violation mode is the default for any port that has port security enabled.
    • The port has the maximum number of MAC addresses that is supported by a Layer 2 switch port which is configured for port security.
      Explanation:

      he Port Security line simply shows a state of Enabled if the switchport port-security command (with no options) has been entered for a particular switch port. If a port security violation had occurred, a different error message appears such as Secure-shutdown. The maximum number of MAC addresses supported is 50. The Maximum MAC Addresses line is used to show how many MAC addresses can be learned (2 in this case). The Sticky MAC Addresses line shows that only one device has been attached and learned automatically by the switch. This configuration could be used when a port is shared by two cubicle-sharing personnel who bring in separate laptops.

  20. Refer to the exhibit. Which event will take place if there is a port security violation on switch S1 interface Fa0/1?

    • A notification is sent.
    • A syslog message is logged.
    • Packets with unknown source addresses will be dropped.
    • The interface will go into error-disabled state.
      Explanation:

      The Port Security line simply shows a state of Enabled if the switchport port-security command (with no options) has been entered for a particular switch port. If a port security violation had occurred, a different error message appears such as Secure-shutdown. The maximum number of MAC addresses supported is 50. The Maximum MAC Addresses line is used to show how many MAC addresses can be learned (2 in this case). The Sticky MAC Addresses line shows that only one device has been attached and learned automatically by the switch. This configuration could be used when a port is shared by two cubicle-sharing personnel who bring in separate laptops.

  21. Open the PT Activity. Perform the tasks in the activity instructions and then answer the question.

    Which event will take place if there is a port security violation on switch S1 interface Fa0/1?

    • A notification is sent.
    • A syslog message is logged.
    • Packets with unknown source addresses will be dropped.
    • The interface will go into error-disabled state.
  22. Match the step to each switch boot sequence description. (Not all options are used.)

    • Question
    • Answer

      CCNA2 v6.0 Chapter 5 Exam A001

      Explanation:

      The violation mode can be viewed by issuing the show port-security interface <int> command. Interface FastEthernet 0/1 is configured with the violation mode of protect. If there is a violation, interface FastEthernet 0/1 will drop packets with unknown MAC addresses.

  23. Identify the steps needed to configure a switch for SSH. The answer order does not matter. (Not all options are used.)

    • Question
    • Answer

      CCNA2 v6.0 Chapter 5 Exam A002

      Explanation:

      The steps are:
      1. execute POST
      2. load the boot loader from ROM
      3. CPU register initializations
      4. flash file system initialization
      5. load the IOS
      6. transfer switch control to the IOS

  24. Match the link state to the interface and protocol status. (Not all options are used.)

    • Question
    • Answer

      CCNA2 v6.0 Chapter 5 Exam A003

      Explanation:

      The login and password cisco commands are used with Telnet switch configuration, not SSH configuration.

From year to year, Cisco has updated many versions with difference questions. The latest version is version 6.0 in 2018. What is your version? It depends on your instructor creating your class. We recommend you to go thought all version if you are not clear. While you take online test with netacad.com, You may get random questions from all version. Each version have 1 to 10 different questions or more. After you review all questions, You should practice with our online test system by go to 'Online Test' link below.

Version 5.02Version 5.03Version 6.0Online Assessment
Chapter 5 ExamChapter 5 ExamChapter 5 ExamOnline Test
Next Chapter
Chapter 6 ExamChapter 6 ExamChapter 6 ExamOnline Test
Lab Activities
5.2.1.4 Packet Tracer – Configuring SSH
5.2.2.7 Packet Tracer – Configuring Switch Port Security
5.2.2.8 Packet Tracer – Troubleshooting Switch Port Security
5.3.1.2 Packet Tracer – Skills Integration Challenge




Coments are closed