Exam 350-601 topic 1 question 381 discussion

It´s A

It is A because shutdown violation mode is the default and sticky keep the MAC address after the reboot

Here is the configuration that meets these requirements: C. switchport port-security switchport port-security violation shutdown switchport port-security mac-address dynamic

It is A!!! Default option is "shutdown" if no option is configured (from cisco 5000 guide) Security violation action Shutdown

D. violation shutdown is the only one that requires manual recovery.

B....violation shutdown does not syslog, violation restrict does

it's A

The answer is <<<< B >>>> Sticky Method If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface. You explicitly remove the address You configure the interface to act as a Layer 3 interface Dynamic Method By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs: The device restarts The interface restarts The address reaches the age limit that you configured for the interface You explicitly remove the address You configure the interface to act as a Layer 3 interface

is A by elimination

Shutdown - In this (default) violation mode Also 1 mac is the default number of macs allowed before a violation occurs

• Retain the switch configuration if the device restarts. Sticky Method If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface

A. If port security is enabled, the default settings on a Nexus 5000 switch are: The maximum number of MAC addresses allowed per port is 1. The violation action is set to "shutdown", which means that the port will be disabled if a violation occurs. The violation mode is set to "restrict", which means that traffic from the violating MAC address is dropped and a syslog message is generated, but the port remains enabled. Sticky secure MAC addresses – like Dynamic secure MAC addresses, MACs are learned dynamically but are saved in the running configuration.

C. To meet the requirements of securing end-user ports with minimum configuration effort, logging security breaches, and retaining the switch configuration in case of a device restart, the following configuration should be used: this configuration will enable port security with sticky MAC addresses, which will allow the switch to dynamically learn the MAC addresses of connected devices and save them to the running configuration. If a security breach occurs, the switch will automatically shut down the port and log the event. The spanning-tree portfast and bpduguard commands are added to minimize the risk of a rogue device connecting to the port and disrupting the network.