CCNA Port Security Questions and Answers with Explanation

February 4, 2018

These are updated CCNA exam questions (October 2017). You might see different IP addressing, VLAN configuration and switchport security configurations.
As usual, take time to read through each question so as to clearly understand what it is about.
Note: These Port Security Questions and Answers are used for demonstration only; you might see different IP addressing, configuration and port allocation in the real CCNA exam.
But it all works the same way, so try to understand the technique.

I suggest you use Packet Tracer for practice.

Read Switchport Security and Configuration

Question 1

Refer to the following exhibit. As the network administrator, you find that a port is no longer active.
The port has port security configured on it. What is the problem?

A. The port has been administratively shut down.
B. The port has an access violation on it.
C. The port has bad wiring.
D. The port on the switch is configured as a trunk.

Answers with Explanation
B. The default port-security violation mode is shutdown. When a port-security violation occurs, the port is shut down and placed in the err-disabled state.

Question 2.

Refer to the following exhibit. A port on a switch is showing as inactive. You determine that a port-security violation has occurred. Once the violation has been discovered, how do you reset the port so that it functions again?

A. SwitchA(config-if)#no port-security
B. SwitchA(config-if)#no shutdown
C. SwitchA(config-if)#no switchport port-security
D. SwitchA(config-if)#shutdown
SwitchA(config-if)#no shutdown

Answers with Explanation
D. One way to clear the err-disabled state is to issue the shutdown command and then the no shutdown command on the port. This resets the port so that traffic can flow again. However, if the condition that caused the violation still exists, the port will enter the err-disabled state again.
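The recovery sequence from Question 2, written out as an added example that is not part of the original page. The switch name, interface FastEthernet0/1 and the recovery interval are assumptions; the first step verifies that the port really is in Secure-shutdown before anything is changed.

```cisco
! Added example, not from the original page. Interface and timer are assumptions.
! 1. Confirm why the port is down before touching it: a port err-disabled by
!    port security shows Port Status "Secure-shutdown" and a violation count > 0.
SwitchA# show port-security interface FastEthernet0/1
SwitchA# show interfaces status err-disabled
! 2. Clear the err-disabled state by bouncing the port (Question 2, option D).
!    Remove or relocate the offending device first; otherwise the port is
!    err-disabled again as soon as the next violating frame arrives.
SwitchA# configure terminal
SwitchA(config)# interface FastEthernet0/1
SwitchA(config-if)# shutdown
SwitchA(config-if)# no shutdown
SwitchA(config-if)# exit
! 3. Optional: let the switch re-enable ports err-disabled by port security
!    on its own after 300 seconds (the interval value is an assumption).
SwitchA(config)# errdisable recovery cause psecure-violation
SwitchA(config)# errdisable recovery interval 300
SwitchA(config)# end
SwitchA# show errdisable recovery
```

Automatic recovery saves a manual bounce, but a device that keeps violating will simply cycle the port through err-disable every interval, so the violation counter in show port-security is still worth watching.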

Question 3.

Which command can be used to see the output in the following exhibit?

A. Switch#show port-security details
B. Switch#show mac address-table secure
C. Switch#show port-security address
D. Switch#show port-security

Answers with Explanation
D. The show port-security command displays all ports that are actively participating in port security. It also displays the maximum number of addresses configured, the current address count, the security violation count, and the security action for each port.



Question 4.

Which is a correct statement about sticky MAC addresses learned on a switchport?
A. Sticky MAC addresses are removed by performing a shutdown on the port.
B. Sticky MAC addresses become part of the running-configuration.
C. Sticky MAC addresses can be explicitly configured manually.
D. Sticky MAC addresses automatically become part of the startup-configuration.

Answers with Explanation
B. Sticky MAC addresses become part of the running-configuration. If the running configuration is saved to NVRAM, the sticky MAC addresses then become part of the startup configuration.

Question 5.

Refer to the following exhibit. Which statement is correct about the status of port security configured on the switch?

A. Only one MAC address is learned on the interface.
B. The port is currently in an access violation status.
C. The port is currently up and normal.
D. The MAC addresses have been seen 0 minutes ago.

Answers with Explanation
C. It shows that the port is up and operational in a normal status. The port is configured for a maximum of two MAC addresses, both of which are sticky MAC addresses.

Question 6.

Refer to the following exhibit. Which statement is correct about the status of port security?

A. Two MAC addresses are allowed on the interface.
B. The port is currently in an access violation status.
C. The port is currently up and normal.
D. The MAC addresses have been seen 0 minutes ago.

Answers with Explanation
B. The port is currently in an access violation status. The current access violation mode is secure-shutdown, and therefore, the interface will require a shutdown and no shutdown to reset the port.

Question 7.

Which command is used to verify the output in the following exhibit?

A. Switch#show port-security details
B. Switch#show mac address-table secure
C. Switch#show port-security address
D. Switch#show port-security

Answers with Explanation

C. The show port-security address command will enable you to see all the MAC addresses and the ports they are assigned to for port security. It also will show you the time left before the MAC addresses expire, if they have been obtained dynamically.

Question 8.

Which statement is correct about the configuration in the following exhibit?

A. The port will restrict the MAC address of 782b.cb9f.6431.
B. The port will be in an err-disable state when the maximum threshold is exceeded.
C. The maximum number of MAC addresses is one.
D. The port should be set to shutdown to stop unauthorized access.

Answers with Explanation

C. The maximum number of MAC addresses is one, which is the default. The configured violation mode of restrict will restrict frames from any other MAC address by dropping those frames.



Question 9.

Which command is used to see the output in the following exhibit?

A. Switch#show port-security details
B. Switch#show mac address-table gi 2/3
C. Switch#show port-security gi 2/3
D. Switch#show port-security interface gi 2/3

Answers with Explanation
D. The command show port-security interface gi 2/3 displays detailed information about the interface on which port security is configured.

Question 10.

Which term describes the area outside of the corporate firewall?
A. DMZ area
B. Perimeter area
C. Internal area
D. Trusted area

Answers with Explanation
B. The perimeter area, or perimeter network, is outside of the corporate firewall. The perimeter area generally holds equipment necessary for routing to the ISP.

Question 11.

How does DHCP snooping track DHCP messages and mitigate attacks?
A. DHCP filtering
B. DHCP binding table
C. Untrusted ports
D. IOS ACLs

Answers with Explanation
B. The DHCP binding table tracks the interface, MAC address, VLAN and IP address information for each lease. This database is critical for detecting and blocking other ports that try to use identical information.



Question 12.

Which term describes the area accessible to the Internet yet protected by the corporate firewall?
A. DMZ
B. Perimeter
C. Internal
D. Trusted

Answers with Explanation
A. The demilitarized zone (DMZ) is an area that is protected by the corporate firewall. However, it allows servers such as web servers, email servers, and application servers to be accessible via the Internet.

Question 13.

Which method can restrict a user from plugging a wireless access point into a corporate network?
A. Access control lists
B. Port security
C. Wired Equivalent Privacy
D. Static MAC addresses

Answers with Explanation

B. Port security can restrict a port to a single device by MAC address. This effectively blocks a wireless access point plugged into the port, so it never becomes part of the corporate network.

Question 14.

What does port security use to block unauthorized access?
A. Source MAC addresses
B. Destination MAC addresses
C. Source IP addresses
D. Destination IP addresses

Answers with Explanation
A. Port security blocks unauthorized access by examining the source MAC address of the network device attached to the port.

Question 15.

Which command will enable port security?
A. Switch(config)#switchport port-security
B. Switch(config)#port-security enable
C. Switch(config-if)#switchport port-security
D. Switch(config-if)#port-security enable

Answers with Explanation
C. Port security is enabled by configuring the command switchport port-security. This command must be configured on the interface on which you want to enable port security.

Question 16.

If port security is enabled on an interface, what is the maximum number of MAC addresses allowed by default?
A. 1 MAC address
B. 2 MAC addresses
C. 0 MAC addresses
D. 10 MAC addresses

Answers with Explanation

A. By default, only a single MAC address is allowed on an interface when port security is enabled.
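Putting Questions 3, 4, 7, 8, 9, 15 and 16 together, here is an added configuration example that is not the page's own: it secures a hypothetical access port FastEthernet0/2 in VLAN 10 for a single workstation and then verifies the result with the show commands the questions ask about. Switch name, interface and VLAN are assumptions.

```cisco
! Added example, not from the original page. Switch name, interface and VLAN are assumptions.
SwitchA# configure terminal
SwitchA(config)# interface FastEthernet0/2
! Port security is only accepted on a static access (or trunk) port,
! not on a port still negotiating its mode dynamically.
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# switchport access vlan 10
! Enable port security on the interface (Question 15). With no further
! options this already means: maximum 1 MAC address (Question 16) and
! violation mode shutdown, i.e. err-disable on violation (Question 1).
SwitchA(config-if)# switchport port-security
! Be explicit about the maximum instead of relying on the default.
SwitchA(config-if)# switchport port-security maximum 1
! Learn the first MAC address seen and write it into the running-config
! (Question 4). It only survives a reload once the config is saved.
SwitchA(config-if)# switchport port-security mac-address sticky
! Choose what a violation does: restrict drops offending frames and counts
! them (Question 8); protect drops silently; shutdown err-disables the port.
SwitchA(config-if)# switchport port-security violation restrict
SwitchA(config-if)# end
! Per-interface detail (Question 9): expect Port Status Secure-up,
! Violation Mode Restrict and Maximum MAC Addresses 1.
SwitchA# show port-security interface FastEthernet0/2
! Summary table of every secured port (Question 3), then the learned
! addresses with their type, which is SecureSticky here (Question 7).
SwitchA# show port-security
SwitchA# show port-security address
! After the workstation sends its first frame, the sticky entry appears in
! the running-config; save it so it also becomes part of the startup-config.
SwitchA# show running-config interface FastEthernet0/2
SwitchA# copy running-config startup-config
```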