nerdexam
Cisco

352-001 · Question #325

Acme Corporation wants to minimize the risk of users plugging unauthorized switches and hubs into the network. Which two features can be used on the LAN access ports to support this design requirement

The correct answer is A. BPDU Guard D. Port Security. BPDU Guard detects unauthorized switches via their BPDUs and err-disables the port, while Port Security limits MAC addresses to block hubs and switches introducing multiple hosts.

Designing Security

Question

Acme Corporation wants to minimize the risk of users plugging unauthorized switches and hubs into the network. Which two features can be used on the LAN access ports to support this design requirement? (Choose two.)

Options

  • ABPDU Guard
  • BPortFast
  • CLoop Guard
  • DPort Security
  • EUDLD

How the community answered

(31 responses)
  • A
    90% (28)
  • C
    3% (1)
  • E
    6% (2)

Why each option

BPDU Guard detects unauthorized switches via their BPDUs and err-disables the port, while Port Security limits MAC addresses to block hubs and switches introducing multiple hosts.

ABPDU GuardCorrect

BPDU Guard shuts down an access port the moment a BPDU is received, immediately detecting when an unauthorized switch or bridge has been plugged in and isolating it from the STP domain.

BPortFast

PortFast only accelerates STP port state transitions so end devices come online faster; it provides no mechanism to detect or block unauthorized switches or hubs.

CLoop Guard

Loop Guard protects against unidirectional link failures that could create STP forwarding loops by monitoring BPDU receipt; it has no capability to detect or block unauthorized device connections.

DPort SecurityCorrect

Port Security restricts the number of learned MAC addresses on a port, triggering a violation action when a hub or unmanaged switch introduces multiple source MAC addresses beyond the configured maximum.

EUDLD

UDLD detects physical-layer unidirectional link failures by monitoring echo replies between neighbors; it does not identify or restrict unauthorized switches or hubs connected to access ports.

Concept tested: LAN access port security against unauthorized switches and hubs

Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html

Topics

#BPDU guard#port security#access ports#Layer 2 security

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice