300-430 · Question #276
After the rogue reports from Cisco Prime Infrastructure are reviewed, it is determined that the automatic rogue mitigation is not working as planned. Which security measure must be taken to help preve
The correct answer is A. Apply port security to the switch.. Port security on a switch port restricts which devices can connect based on MAC address, blocking unauthorized rogue APs from establishing a network connection.
Question
After the rogue reports from Cisco Prime Infrastructure are reviewed, it is determined that the automatic rogue mitigation is not working as planned. Which security measure must be taken to help prevent rogue APs from being plugged into the network?
Options
- AApply port security to the switch.
- BAdd a MAC filter to the switch.
- CApply a different version of spanning tree.
- DApply an IP access list to ports.
How the community answered
(52 responses)- A90% (47)
- B2% (1)
- C2% (1)
- D6% (3)
Why each option
Port security on a switch port restricts which devices can connect based on MAC address, blocking unauthorized rogue APs from establishing a network connection.
Port security allows an administrator to limit the number of valid MAC addresses on a switchport, and can shut down or restrict a port when an unknown device such as a rogue AP is plugged in. This directly prevents rogue APs from gaining network access at the physical layer. It is the most effective mitigation because it acts before the rogue AP can pass any traffic.
A MAC filter on a switch requires pre-knowing the rogue device's MAC address, making it reactive rather than preventive against unknown rogue APs.
Spanning Tree Protocol prevents Layer 2 loops in a switched network and has no mechanism to block unauthorized devices from connecting to a port.
IP access lists filter traffic based on IP addresses at Layer 3 but cannot prevent a rogue AP from physically connecting and operating on the network.
Concept tested: Switch port security to prevent rogue AP access
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_port_security.html
Topics
Community Discussion
No community discussion yet for this question.