200-101 · Question #167
A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to
The correct answer is C. Configure the MAC address of the server as a static entry associated with port Fa0/1. E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.. Port security on a Catalyst switch can restrict a port to a specific MAC address either by manually configuring a static secure MAC address or by enabling port security with a violation action.
Question
Options
- AConfigure port Fa0/1 to accept connections only from the static IP address of the server.
- BEmploy a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
- CConfigure the MAC address of the server as a static entry associated with port Fa0/1.
- DBind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
- EConfigure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.
- FConfigure an access list on the switch to deny server traffic from entering any port other than Fa0/1.
How the community answered
(34 responses)- A3% (1)
- B6% (2)
- C74% (25)
- D3% (1)
- F15% (5)
Why each option
Port security on a Catalyst switch can restrict a port to a specific MAC address either by manually configuring a static secure MAC address or by enabling port security with a violation action.
Switches operate at Layer 2 and do not natively filter based on IP addresses on access ports; IP-based filtering requires Layer 3 ACLs and would not prevent a different device from using the same IP.
Using a proprietary connector type is a physical/hardware measure outside the scope of switch configuration and is not a valid network administration technique.
Configuring the server's MAC address as a static entry on port Fa0/1 permanently binds that MAC to the port in the switch's MAC address table, so frames sourced from any other MAC on that port are treated as a violation and dropped.
Binding an IP address to a MAC (static ARP) prevents IP spoofing in the ARP table but does not prevent a different device with a different MAC from connecting to the switch port.
Enabling port security on Fa0/1 with the server's MAC address as the allowed address instructs the switch to monitor source MAC addresses on that port and take a configured violation action (shutdown, restrict, or protect) if any other MAC is detected, enforcing Layer 2 access control.
A switch access list filtering server traffic from entering other ports does not prevent unauthorized devices from connecting to Fa0/1 itself; it addresses the wrong direction of the security requirement.
Concept tested: Switch port security with static and dynamic MAC restriction
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swtrafc.html
Topics
Community Discussion
No community discussion yet for this question.