350-601 Question #435: Real Exam Question with Answer & Explanation
The correct answer is D: switchport port-security violation restrict. To prevent newly learned MAC addresses from forwarding traffic while ensuring already learned MACs are unaffected on a Cisco Nexus 9000 Series Switch, the engineer should configure port security with the restrict violation mode.
Question
Refer to the exhibit. An engineer configures port security on a Cisco Nexus 9000 Series Switch. The requirement is to prevent any newly learned MAC addresses from forwarding traffic on the interface. Also, the already learned MAC addresses must not be affected by the changes. Which configuration meets these requirements?
Options
- A. switchport port-security violation shutdown
- B. switchport port-security violation isolate
- C. switchport port-security violation protect
- D. switchport port-security violation restrict
Explanation
To prevent newly learned MAC addresses from forwarding traffic while ensuring already learned MACs are unaffected on a Cisco Nexus 9000 Series Switch, the engineer should configure port security with the restrict violation mode.
Common mistakes.
- A. The shutdown violation mode disables the interface when a security violation occurs, which would affect already learned MAC addresses by taking the port down.
- B. The isolate violation mode is not a standard port security violation mode on Cisco Nexus switches.
- C. The protect violation mode silently drops packets from new, unauthorized MAC addresses but does not increment a violation counter or send an SNMP trap, which might not provide sufficient visibility compared to restrict.
Concept tested. Cisco Nexus port security violation modes.