nerdexam
Cisco

200-101 · Question #167

A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to

The correct answer is C. Configure the MAC address of the server as a static entry associated with port Fa0/1. E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.. Port security on a Catalyst switch can restrict a port to a specific MAC address either by manually configuring a static secure MAC address or by enabling port security with a violation action.

Operate a Medium-Sized Switched Network

Question

A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of the server is allowed by switch port Fa0/1? (Choose two.)

Options

  • AConfigure port Fa0/1 to accept connections only from the static IP address of the server.
  • BEmploy a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
  • CConfigure the MAC address of the server as a static entry associated with port Fa0/1.
  • DBind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
  • EConfigure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.
  • FConfigure an access list on the switch to deny server traffic from entering any port other than Fa0/1.

How the community answered

(34 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    74% (25)
  • D
    3% (1)
  • F
    15% (5)

Why each option

Port security on a Catalyst switch can restrict a port to a specific MAC address either by manually configuring a static secure MAC address or by enabling port security with a violation action.

AConfigure port Fa0/1 to accept connections only from the static IP address of the server.

Switches operate at Layer 2 and do not natively filter based on IP addresses on access ports; IP-based filtering requires Layer 3 ACLs and would not prevent a different device from using the same IP.

BEmploy a proprietary connector type on Fa0/1 that is incompatible with other host connectors.

Using a proprietary connector type is a physical/hardware measure outside the scope of switch configuration and is not a valid network administration technique.

CConfigure the MAC address of the server as a static entry associated with port Fa0/1.Correct

Configuring the server's MAC address as a static entry on port Fa0/1 permanently binds that MAC to the port in the switch's MAC address table, so frames sourced from any other MAC on that port are treated as a violation and dropped.

DBind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.

Binding an IP address to a MAC (static ARP) prevents IP spoofing in the ARP table but does not prevent a different device with a different MAC from connecting to the switch port.

EConfigure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.Correct

Enabling port security on Fa0/1 with the server's MAC address as the allowed address instructs the switch to monitor source MAC addresses on that port and take a configured violation action (shutdown, restrict, or protect) if any other MAC is detected, enforcing Layer 2 access control.

FConfigure an access list on the switch to deny server traffic from entering any port other than Fa0/1.

A switch access list filtering server traffic from entering other ports does not prevent unauthorized devices from connecting to Fa0/1 itself; it addresses the wrong direction of the security requirement.

Concept tested: Switch port security with static and dynamic MAC restriction

Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swtrafc.html

Topics

#port security#MAC address filtering#static MAC entry#switch security

Community Discussion

No community discussion yet for this question.

Full 200-101 Practice