Exam 200-301 topic 1 question 665 discussion

1.#switchport mode access 2.#switchport port-security 3.#switchport port-security maximum 2 4.#switch port-security sticky

It says: only two random MAC addresses at a time, not the first two macs. So the sticky command is incorrect, as are the static MACs, leaving only 4 options

WRONG switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown keyword is randomly, not fixed, so we don´t need for sticky.

To configure port security in this scenario, you need to permit only two random MAC addresses at a time. The correct sequence of commands to achieve this is: switchport mode access This command sets the port to access mode, where port security can be applied. switchport port-security This enables port security on the port. switchport port-security maximum 2 This restricts the port to allow only two MAC addresses at a time. switchport port-security violation shutdown This command sets the violation mode to "shutdown," meaning if more than two MAC addresses are detected, the port will be shut down. Why not Sticky command is used:- The sticky command in port security is used to dynamically learn and retain the MAC addresses that are allowed on the port. If the requirement is to permit only two random MAC addresses at a time, the sticky command would not be necessary because it is primarily used for static environments where you want the port to remember and restrict the learned MAC addresses for future connections.

1. switchport mode access This is a must. The port must be in access mode for port security to work 2. switchport port-security Apparently a must. It enables the function. 3. switchport port-security maximum 2 This is a must as well, because the question specifically requires two addresses. 4. switchport port-security violation shutdown This is optional, but have to put here to make four answers. Why STICKY is wrong: The question requires "two random addresses at a time". If you use the sticky option, the first two address learned by the port will become permanent, and the port cannot accept new addresses. This is against "random". By contrast, without sticky, you can let old addresses age out, or re-enable the err-disabled port, and then the port can accept new addresses again, but still two maximum at any given time.

given answers are incorrect switchport mode access switchport port-security switchport port-security maximum 2 switch port-security sticky permit only two (random) MAC addresses at a time means that we shouldn´t use static MAC addresses. "switchport port-security violation shutdown" command is not needed here because the violation mode is shutdown by default.

Believe me) 1. #swithport mode access 2. #swithport port-security 3. #switchport port-security maximum 2 4. #switchport port-security violation shutdown Here we shouldn't use sticky mac addresses, as it's said that we need to use RANDOMLY addresses AT A TIME, so we don't any STATIC mac address, that we'll keep in our device(Sticky address keep the mac addresses in static form, we can check it with command #show mac-address table secure, and it will disapear if only we reload our device). Hence I'll be good with this 4 commands. Also the violation type is deffault shutdown, so it's definetly not the best command that Cisco can provide us, but the ones is false, so wee have not other choice.

1st. Obviously the commands to configure static MAC addresses are discarded by condiition of the question. 2nd. And the "default" violation mode of a switch port with port security enabled = Shutdown (hence this option is not necessary). Finally, the correct order is: 1.#switchport mode access 2.#switchport port-security 3.#switchport port-security maximum 2 4.#switch port-security sticky

1.switchport mode access 2.switchport port-security 3.switchport port-security maximum 2 4.switchport port-security violation shutdown "Dynamic secure MAC addresses" are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. https://www.ciscopress.com/articles/article.asp?p=1722561 Adding: By default, Cisco IOS sets the aging time (aging time) of port security table entry to 0 (zero), which means that the entry will be removed immediately when a device disconnects. Therefore, by disconnecting the MAC device currently connected to the port, you can immediately connect another device without causing a violation.

I checked packet tracert 1.#switchport mode access 2.#switchport port-security 3.#switch port-security sticky 4.#switchport port-security maximum 2

I think "shutdown" is incorrect as it will cause the first two devices cannot use as well. It said we should "permit" them to use.

Agreed with Peter_panda & HeinyHo. I've seen a few places mentioning that port security was usually configured on access ports(including pkt labs and other sites that explain how to implement port security concept for ccna) so my answer as follows. 1.switchport mode access 2.switchport port-security 3.switchport port-security maximum 2 4.switchport port-security violation shutdown Based on my experience with going over alot of questions here, Cisco takes everything literally so if the question says permit only two random MAC addresses at a time indicates it can be always changed to something else. Sticky will be a permanent mark on the MAC table thus not allowing any other device to associate with it.

Port security will only work on access ports. Therefore, in order to enable port security, the user must first make the port an access port. Source: https://cowbell.insure/blog/port-security-2/

don t understand, why shutdown..?

don t understand, why shutdown..?

switchport mode access command is essential Switch>enable Switch#conf t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#int f0/1 Switch(config-if)#switchport port-security Command rejected: FastEthernet0/1 is a dynamic port. Shutdown is default setting so no need to specify

The answers are correct. sticky is not an option . Due that it will saved the first 2 MAC addresses to the running configuration. IF any other device " randomly" connects to the same port then the connection will be refused till we cleared the sticky mac addresses