Exam 350-601
Question 381

An engineer deploys a new Cisco Nexus 5000 Series Switch in an existing environment with strict security policies. The new device should meet these requirements:

• Secure end-user ports with minimum configuration effort.

• Log security breaches and require manual recovery.

• Retain the switch configuration if the device restarts.

Which configuration must be used?

    Correct Answer: D

    The correct configuration must secure end-user ports with minimum configuration effort, log security breaches, require manual recovery, and retain the switch configuration if the device restarts. The sticky MAC address method retains the learned MAC addresses even after a restart. Moreover, to log security breaches and require manual recovery, the violation mode should be set to 'shutdown', which disables the port and generates a syslog message. Therefore, the configuration switchport port-security, switchport port-security max 1, and switchport port-security violation shutdown best meets the specified requirements.

Discussion
JGBARRIO Option: A

It's A

Ronny2202 Option: A

A. If port security is enabled, the default settings on a Nexus 5000 switch are: The maximum number of MAC addresses allowed per port is 1. The violation action is set to "shutdown", which means that the port will be disabled if a violation occurs. The violation mode is set to "restrict", which means that traffic from the violating MAC address is dropped and a syslog message is generated, but the port remains enabled. Sticky secure MAC addresses – like Dynamic secure MAC addresses, MACs are learned dynamically but are saved in the running configuration.

Hubertheman Option: B

B....violation shutdown does not syslog, violation restrict does

Scheldon Option: A

it's A

paradigm88 Option: A

is A by elimination

marriot33 Option: B

• Retain the switch configuration if the device restarts. Sticky Method If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface

paradigm88 Option: C

Shutdown - In this (default) violation mode Also 1 mac is the default number of macs allowed before a violation occurs

0ed2da0 Option: C

Here is the configuration that meets these requirements: C. switchport port-security switchport port-security violation shutdown switchport port-security mac-address dynamic

crooks_1988 Option: A

It is A!!! Default option is "shutdown" if no option is configured (from cisco 5000 guide) Security violation action Shutdown

oasc Option: D

D. violation shutdown is the only one that requires manual recovery.

Gayan84 Option: B

The answer is <<<< B >>>> Sticky Method If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface. You explicitly remove the address You configure the interface to act as a Layer 3 interface Dynamic Method By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs: The device restarts The interface restarts The address reaches the age limit that you configured for the interface You explicitly remove the address You configure the interface to act as a Layer 3 interface

Gayan84

Sorry guys! answer << A >> seems correct due to the default violation is shutdown ( No need to configure if it does not want to change explicitly)

Rocky_Truth Option: C

C. To meet the requirements of securing end-user ports with minimum configuration effort, logging security breaches, and retaining the switch configuration in case of a device restart, the following configuration should be used: this configuration will enable port security with sticky MAC addresses, which will allow the switch to dynamically learn the MAC addresses of connected devices and save them to the running configuration. If a security breach occurs, the switch will automatically shut down the port and log the event. The spanning-tree portfast and bpduguard commands are added to minimize the risk of a rogue device connecting to the port and disrupting the network.