nerdexam
Cisco

300-430 · Question #276

After the rogue reports from Cisco Prime Infrastructure are reviewed, it is determined that the automatic rogue mitigation is not working as planned. Which security measure must be taken to help preve

The correct answer is A. Apply port security to the switch.. Port security on a switch port restricts which devices can connect based on MAC address, blocking unauthorized rogue APs from establishing a network connection.

Wireless Security and Mobility

Question

After the rogue reports from Cisco Prime Infrastructure are reviewed, it is determined that the automatic rogue mitigation is not working as planned. Which security measure must be taken to help prevent rogue APs from being plugged into the network?

Options

  • AApply port security to the switch.
  • BAdd a MAC filter to the switch.
  • CApply a different version of spanning tree.
  • DApply an IP access list to ports.

How the community answered

(52 responses)
  • A
    90% (47)
  • B
    2% (1)
  • C
    2% (1)
  • D
    6% (3)

Why each option

Port security on a switch port restricts which devices can connect based on MAC address, blocking unauthorized rogue APs from establishing a network connection.

AApply port security to the switch.Correct

Port security allows an administrator to limit the number of valid MAC addresses on a switchport, and can shut down or restrict a port when an unknown device such as a rogue AP is plugged in. This directly prevents rogue APs from gaining network access at the physical layer. It is the most effective mitigation because it acts before the rogue AP can pass any traffic.

BAdd a MAC filter to the switch.

A MAC filter on a switch requires pre-knowing the rogue device's MAC address, making it reactive rather than preventive against unknown rogue APs.

CApply a different version of spanning tree.

Spanning Tree Protocol prevents Layer 2 loops in a switched network and has no mechanism to block unauthorized devices from connecting to a port.

DApply an IP access list to ports.

IP access lists filter traffic based on IP addresses at Layer 3 but cannot prevent a rogue AP from physically connecting and operating on the network.

Concept tested: Switch port security to prevent rogue AP access

Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_port_security.html

Topics

#rogue AP mitigation#port security#switch security#rogue prevention

Community Discussion

No community discussion yet for this question.

Full 300-430 Practice