Question 23

Which of the following statements about port security on Cisco switches are correct? (Select all that apply.)

CCNA Question 23 - Answer and Explanation

Correct Answer: A,B,C,E

Detailed Explanation:

A. Limiting the Number of MAC Addresses: One of the primary functions of port security is to limit the number of MAC addresses that can be dynamically learned on a port. This setting prevents a single port from being flooded with traffic from too many devices, which could be an indication of a security breach or an attempt at a MAC flooding attack. Administrators can configure a maximum number of secure MAC addresses on each port, thereby reducing the risk of unauthorized access and network congestion.

B. Dynamic Learning of MAC Addresses: Port security supports dynamic learning, which means that a switch port can automatically learn the MAC addresses of devices connected to it. Once learned, these addresses become "secure" entries in the switch's secure MAC address table. This dynamic feature is useful in environments where devices might change over time. The learned addresses are then used to enforce the security policy on that port.

C. Preventing Unauthorized Devices: By restricting the MAC addresses that can appear on a port, port security effectively prevents unauthorized devices from accessing the network. If an unauthorized device (with a MAC address not previously learned or explicitly configured) attempts to send traffic through the secured port, the switch can take predefined actions (such as dropping the frames or shutting down the port) to block the connection. This protects the network against both accidental and malicious intrusions.

D. Traffic Encryption: Port security does not encrypt traffic on a port. While it is very effective at controlling which devices can send or receive data, it does not provide any encryption mechanism. Encryption is typically provided by other features and protocols (such as WPA2/WPA3 for wireless networks or IPsec for secure data transmission). Hence, option D is incorrect.

E. Violations and Port Shutdown: Port security can be configured to take action when a security violation occurs. One common reaction is to shut down the port for a specified time (or until an administrator intervenes) when an unauthorized MAC address is detected. This feature, referred to as the "violation mode," is designed to immediately cut off access if an unexpected device appears on the port. There are different violation modes available (protect, restrict, and shutdown), but the shutdown mode is frequently used as a strong deterrent against potential security breaches.

Additional Considerations: Port security is typically configured on access ports (those assigned to end-user devices) rather than trunk ports (which carry multiple VLANs), because the latter are used for inter-switch communication and are less exposed to direct end-user attacks. Additionally, port security can be combined with other security features like DHCP snooping, dynamic ARP inspection, and 802.1X authentication to create a layered security strategy.

For network professionals preparing for the CCNA exam, understanding port security is essential because it is a practical tool used to secure the network at the switch level. You should be familiar with how to configure port security, understand its various options and modes, and be able to troubleshoot issues related to unauthorized MAC addresses. In lab environments, you might practice configuring port security on a Cisco switch and observing its behavior when a violation occurs.

In summary, port security is a valuable mechanism that limits the number of MAC addresses (A), learns addresses dynamically (B), prevents unauthorized access (C), and can shut down a port upon violation (E). It does not, however, encrypt traffic (D).
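The configuration the explanation describes, written out as an added example (it is not part of the original question page): one access port with a limit of two secure MAC addresses, dynamic (sticky) learning, one statically pinned address, violation mode shutdown, and automatic err-disable recovery. The interface name, VLAN, MAC address and timer values are assumed for illustration.

```cisco
! Added example - not from the original page. Interface, VLAN, MAC and
! timer values below are assumed/constructed for illustration only.
configure terminal
!
! Port security is applied on a static access port, not a trunk
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Enable the feature; defaults are maximum 1 and violation shutdown
 switchport port-security
 ! (A) Cap the number of secure MAC addresses learned on this port
 switchport port-security maximum 2
 ! (B) Learn addresses dynamically and keep them ("sticky") so they
 !     survive a reload; plain dynamic entries are lost on reboot
 switchport port-security mac-address sticky
 ! (C) A known device can also be pinned statically; it counts toward
 !     the maximum (1 static + 1 sticky = 2 here). Constructed MAC.
 switchport port-security mac-address 0000.1111.2222
 ! (E) Violation handling. Alternatives to shutdown:
 !     protect  - silently drop frames from unknown MACs
 !     restrict - drop frames, raise the violation counter, log/SNMP trap
 !     shutdown - drop frames and put the port in err-disabled state
 switchport port-security violation shutdown
exit
!
! Optional: bring err-disabled ports back automatically after 300 s
! instead of waiting for an administrator to bounce the port
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! Verification (privileged EXEC):
!   show port-security interface GigabitEthernet0/1
!     -> Port Status, Violation Mode, Maximum MAC Addresses,
!        Sticky MAC Addresses, Last Source Address, Violation Count
!   show port-security address
!     -> the secure MAC address table (static, sticky, dynamic)
!   show interfaces status err-disabled
!     -> ports shut down by a psecure-violation
!
! Manual recovery after a shutdown-mode violation:
!   configure terminal
!   interface GigabitEthernet0/1
!    shutdown
!    no shutdown
```

After a violation in shutdown mode the first show command reports "Port Status: Secure-shutdown" until the port is bounced or the recovery timer expires.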

This CCNA practice question helps students prepare for Cisco networking certification exams by testing knowledge of network fundamentals, routing, switching, and network security concepts.
