Ticket 7 – Port Security
Client 1 is getting a 169.x.x.x IP address and is unable to ping Client 2 or DSW1. The command ‘sh interfaces fa1/0/1’ shows the following message in its first line:
‘FastEthernet1/0/1 is down, line protocol is down (err-disabled)’
On ASW1, port security is configured with MAC address 0000.0000.0001 and the interface is in the err-disabled state.
Configuration of ASW1
interface fa1/0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
Answer: on ASW1, delete port security and do shutdown, no shutdown on the interfaces
Ans1) ASW1
Ans2) Port security
Ans3) Issue the “no switchport port-security mac-address 0000.0000.0001” command, followed by the shutdown and no shutdown commands, on port fa1/0/1 on ASW1
Symptoms for this ticket:
1- Client 1 is getting a 169.x.x.x IP address.
2- Client 1 is unable to ping Client 2 as well as DSW1.
3- ‘sh interfaces fa1/0/1’ shows the following message in the first line:
‘FastEthernet1/0/1 is down, line protocol is down (err-disabled)’
4- In ‘sh running-config’, you will see ‘switchport port-security mac-address 0000.0000.0001’ configured under fa1/0/1.
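Added example, not part of the original post: a short Python script that applies the check from symptoms 3 and 4 to a constructed running-config and constructed ‘show interfaces’ first lines, and lists the Ans3 commands only for ports that have port security enabled and are err-disabled. The function names and sample data are assumptions made for this illustration.

```python
import re

# Constructed sample input modelled on the ticket; not captured from a real switch.
RUNNING_CONFIG = """\
interface fa1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0001
!
interface fa1/0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0002
!
"""
SHOW_INTERFACES = """\
FastEthernet1/0/1 is down, line protocol is down (err-disabled)
FastEthernet1/0/2 is up, line protocol is up (connected)
"""

_PREFIXES = {"fa": "FastEthernet", "gi": "GigabitEthernet"}


def canonical(name):
    """Expand 'fa1/0/1' or 'fa 1/0/1' to the long form used by show output."""
    m = re.match(r"\s*([A-Za-z]+)\s*([\d/]+)\s*$", name)
    if not m:
        return name.strip()
    word, unit = m.groups()
    return _PREFIXES.get(word[:2].lower(), word) + unit


def parse_port_security(config):
    """Return {interface: {'enabled': bool, 'macs': [...]}} from a running-config."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = canonical(line.split(None, 1)[1])
            ports[current] = {"enabled": False, "macs": []}
        elif line == "!":
            current = None
        elif current and line == "switchport port-security":
            ports[current]["enabled"] = True
        elif current:
            m = re.match(r"switchport port-security mac-address ([0-9a-fA-F.]+)$", line)
            if m:
                ports[current]["macs"].append(m.group(1).lower())
    return ports


def err_disabled(show_output):
    """Interfaces whose 'show interfaces' first line reports (err-disabled)."""
    pat = re.compile(r"^(\S+) is down, line protocol is down \(err-disabled\)", re.M)
    return {canonical(n) for n in pat.findall(show_output)}


def recovery_plan(config, show_output):
    """Ans3 commands, limited to ports that are actually err-disabled."""
    down = err_disabled(show_output)
    plan = {}
    for name, ps in parse_port_security(config).items():
        if name in down and ps["enabled"]:
            cmds = ["interface " + name]
            cmds += ["no switchport port-security mac-address " + m for m in ps["macs"]]
            plan[name] = cmds + ["shutdown", "no shutdown"]
    return plan


if __name__ == "__main__":
    for cmds in recovery_plan(RUNNING_CONFIG, SHOW_INTERFACES).values():
        print("\n".join(cmds))
```

With the sample data only fa1/0/1 is listed; fa1/0/2 has port security configured but is up, so it is left alone.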
@Naveed
confused bout d switch port-security…can u explain more pls?
@el
To understand port security, refer to the below article.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html
why also f1/0/2, maybe the goal is to deny client2, and to allow client1,
if i find 2 options
1- disable switchport @ f1/0/1
2- disable switchport @ f1/0/1 and f1/0/2
which one correct?
thanks
sorry, i mean disable switchport port-security
@sara
In exam configuration port-security is applied only to f1/0/1 and the solution is to disable it on the same. I don’t know why it is mentioned above for both. You’ll see the correct option something like this:-
Issue no switchport port-security mac-address 0000.0000.0001 command followed
by shutdown and no shutdown command on port fa1/0/1 on ASW1
Note: Just cross check during exam, In case you found in the running config that the switch port-security is configured for both the interfaces and fa1/0/2 interface is also in err-disabled state (by using sh interface fa1/0/2 command) then only you require to select the option with both interfaces. But the simple idea is that we’ll disable port-security on the interface(s) which is in err-disabled state, either only fa1/0/1 or both.
Hope it is clear.
Naveed,, thank u very much.
take it with all this god willing shit , half you lot are cheating Muslims.. read the Koran brother and you will see that the profit said ” at the point of stealing, cheating the Muslim is no longer a believer”
you have just become a infidel for the sake of a cert. well done
@CCIE interested people
This is an open invitation for the serious people about CCIE. You are advised to send an email to the below mentioned address for enrolling your willingness. We’ll be utilizing the concept of 1+1 = 11 by putting our minds together to study/practice the right thing. Here it doesn’t require a mention for a CCIE candidate but let me clear one thing, ‘THERE IS NO SHORTCUT TO CCIE’, so any body looking for shortcuts, please accept my advance excuse. However, we’ll try to do our best to find out the fastest way and most effective material of practice/study.
Kindly, enroll your willingness at following email address. Also if you have any question, send to the same address.
ask_ccie@yahoo.com
In client ipconfig - 10.2.1.3, then ping 10.2.1.254 not success.
so problem is in asw1 or dsw1
check asw1
1. int fa 1/0/1- switchport access vlan 10-if yes
2.int fa 1/0/1-port condition-error disabled-if no
3.int fa 1/0/13 and 23 allowed vlan 10-if yes
HERE THE PROBLEM IS PORT IS IN ERROR DISABLED STATE
asw1#show run
int fa 1/0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
which all commands supports here to find the problem
show run,show int fa 1/0/1??or any other command
@networktut
Take TSHOOT with 1000/1000 in November.
TT is different in exam.
Configuration of ASW1
interface fa1/0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
!
interface fa1/0/2
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0002
!
Ans3)on “interface range fa1/0/1 – 2″ do “no switchport port-security” and “shutdown” and “no shutdown”
“no switchport port-security mac-address 0000.0000.0001″ is no election in exam.
To all who take exams,
Is the option available for adding mac-address of client 1 and 2 to port-security config. of int. fa1/0/1 and fa1/0/2? I think it will be better option to choose as it will enable port security and only client 1 and client 2 will be able to connect.
In practice exam, I checked the mac-address of client 1 and added that one to int fa1/0/1 as switchport port-security mac-address 0003.e4e1.c5c6 and then shut and no shut…
@matrix
From what I have seen in TSHOOT demo ipconfig command on PC1 and PC2 only gives ip address , subnet mask and default gateway information. MAC address is not being listed therefore to solve this TT it would be best to remove port security all together.
@ Naveed ,George and noname
thank u very much for the info
Here is something I don’t understand … if ASW1 had put the port Fa1/0/1 in err-disable state due to port security violation then the client network card shouldn’t receive signal at all (line is down) so it won’t take 169.x.x.x IP address because it should see the network disconnect ! is that right …
hi guys somebody help i am trying to do the demo but there is only 4 tt qu and all related to l3 topology plz help is there more or just this is it
and how i know this q related to which topology my cordial thanks to u guys
@networktut
pls consider to update noname answer. his answer seems more accurate.
Hi
is there a Packet Tracer lab available for just this TT, I don’t seem to have any Packet Tracer Labs that will give a IP address of 169.x.x.x at client 1.
If it would not be too much trouble could you please give me a link to download the correct file to practice this TT.
thank you very much
@noname
I configured the following on a Gigabit interface on a Cisco 2960 L2 switch:
interface gi0/1
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security mac-address 0000.0000.0001
After I entered ‘no switchport port-security’, the statement ‘switchport port-security mac-address 0000.0000.0001’ still exists on int gi0/1.
I believe the rightful way is to execute ‘no switchport port-security mac-address 0000.0000.0001’.
However, in the context of Tshoot, it really depends on what are the solution available to choose.
@Admin— either u remove cisco guru’s all post or else accept abusive language from diff users…
Hi everyone! I’m going to take the exam next week. Guys please let me know if there is anything changed or updated.
Are these questions still valid?
Please help me……!
Thank you
Thanks, friends !
Today i passed TSHOOT with 964 and became CCNP :)
All tickets from this site are valid. There is a bug in exam engine in Port Security Ticket – hosts Client1 and Client 2 obtain correct IP addresses, but do not ping DSW1 and others.
Here is my lab in GNS3 – 10 tickets (without port security and vlan filter – not implemented in GNS3) and fully working topology
http://dl.dropbox.com/u/2749921/GNS_Tshoot.tar.gz
Thanks Scoch…..
I did the exam yesterday and got 1000……………..!
Thanks for everybody here supporting me for this achievement.
All the questions in the exam are the things appear here. Nothing has been changed.
But i would like to give an important advice for the people who wish to take the exam soon.
Please read the comments in following link by Geno and Lisa. Those instructions were really
helpful to me…!
http://www.networktut.com/tshoot-ticket-1
In my exam, the option for
- delete the port-security settings, then “shutdown”, then “no shutdown interface”
is incorrect (note the extra word “interface” in the command “no shutdown interface”!)
The correct answer in my exam is
delete the port-security settings, and execute “clear errdisable interface int fa1/0/1″ and “clear errdisable interface int fa1/0/2″
@anonymous: “clear errdisable” does not exist.
hi, new to the site, thanks.
Dear All;
just passed Tshoot,& um CCNP.Got 1000 ;i ve got the following:
4 MCQ
NO Drag & Drop.
12 TT (1 new TT,the old TT with wrong ip 209.56.200.241 has been removed)all other TT are VALID.
Thanks Networktut for sharing knowledge.
Hey Guys… I will be appearing for my CCNP exam tomorrow.
I am confused abt this question. What is the right answer… “shut/no shut ” or the one having “errdisable” command
Pls suggest the same.
Hi CCNP Aspirant,
You will need to shut the port down and bring it back up again in order to bring it out of the errdisable state
Hi Friends,
I am planning to sit for the exam on friday but i am bit confused about the port security question. Which answer is the right “errdisable” or “shut no shut” command ?
Please help me.
Thanks
Hey Haren…
I cleared my exam today with 1000/1000 score.
Choose the option which has ” shut/no shut” command in it.
3 of my friends gave tshoot exam in the last week…. out of 12 tickets 1 ticket was from outside for each and different for each.. ie altogether 3 tickets are added …but each got only 1 of the newly added questions.. so it was 11 old tickets + 1 new one….
the new questions is changing for each person..So we have to figure the 3 newly added question..
For 1 friend ,he was getting 4 tickets with client 1′s ip address s 169.x.x.x
so there r new questions .. pls post them if anyone hears abt them..
Thanks
Hi Scich,
I tried importing the GNS3 TT files that you provided in previous message & link above but had no luck opening them with GNS3 program, are your files for windows or linux or other?
Does anyone else have GNS3 TT labs that they could share I am using windows XP.
Thanks for the help.
The answer for this ticket in pass4sure 8.2 46q (gb) is that using int range fa 1/0/1-2 , then no switchport port security interface config commands. then in execution mode clear err-dissabled on fa 1/0/1 , then clear err-dissabled int fa 1/0/2 commands..
I know this answer is completely wrong still this is what written in the dumps of pass4sure…
there is mistake in the ticket of switch-port trunk and also access-vlan and Eigrp + the 13th new ticket is not mentioned…. so do not rely on the latest pass4sure dumps.
@ishanX
Thanks man, I am supposed to take my test tomorrow and I too noticed this error. I was sure that it was incorrect, but wanted to hear somebody else say it. Thanks for the input man! It seems that I can’t trust pass4sure right now.
i need the images for gns mls
anyone can help ?
hi scoch i downloaded the gns3 lab but i am missing some images for your lab
can we find any dumps to practice ticket questions…TT are really confusing me
The dump sold Testinside has no trouble ticket. What are they thinking?
The 642-832 TSHOOT Topology made available by cisco on the PDF is not the same as their online Topology demo. Could someone please confirm the actually topology used in the real exam?
Can anybody give me an example of exactly how the TT Questions are asked in the exam?
If the problem is in port security only why ‘switchport access vlan 10′ missing in ASW1′s configuration?
http://www.scribd.com/doc/50816068/81/clear-errdisable-interface
vs
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
My 3500XL series does not have the clear errdisable command (my IOS 12.0 vs Cisco IOS Release 12.2(55)SE found on 3560 command reference) .. and Cisco article does not mention this command also. My conclusion is that maybe some IOS-es had this.
From what I remember the 3560 it’s a L3 switch …my oldie it’s just an L2 but maybe I can boost it a little with a 3560′s IOS :)
Does the CCNP 642-832 TSHOOT exam ROUTERS and SWITCHES resetS themselves, or do we have logout of all DEVICES after every Trouble Ticket?
How does the routers refreshes themselves between trouble tickets
Hello everybody, I did the test today with 930/1000 – there is a tt of bgp and drag drop a question that is not available on the site that went into my exam, the rest are equal.
Thank you!
I have completed my CCNP certification today by passing my last exam TSHOOT.
The exam itself was kind of straightforward with almost all of the TT well known
as stated on this site. I had 2 DD, 2 MCQ & 13 TT
One of the issues with this TSHOOT exam is that you have to constantly move windows around while you are trying to keep your concentration. I was also working on small screen. (Frustrating)
TIP
Have a strategy with your PING command
Make sure you properly exit all devices after each ticket.
Abort and move to the next TT if you can’t find the problem. (You can always come back)
I think cisco should have offered a PRINT OUT OF THE TOPOLOGY to all candidates on exam day and collect them afterwards. Anyway! I have a good dump. Interested? Drop me a line donald.bart-williams@stjohns.surrey.sch.uk
I am now going to be focus on ASA5510 firewall
To all you CCNP Candidates on this forum including SWITCH & ROUTE, Good Luck and have a nice summer. It has been fun
hi every one i am planing to give my exam on 18 may 2011 any one can please post which one is the right answer.
shut no shut
or
clear err disable
@anonymlus
Have you ever tried to issue the command ‘clear err disable’ on a real switch??
Let me know how that works for you!!!
correct answer is shut, no shut.
@ Dirty Sanches
Catalyst 3550
ASW1#clear e?
% Unrecognized command
Hello Guys,
Need CBT Nuggets TSHOOT .Pls call if anybody has got it. Happy to share Route and Switch study and P4S Q&A plus all Sims for route and switch. Routes in GNS3 and Switch in Packet Tracer.
Thanks
email:kripa.jyoti@gmail.com
@Naveed
I would like to start studying for CCIE, is this a email from a group?
How does it work?
I would like really good advices and material for a serious study plan.
Thanks for sharing ask_ccie@yahoo.com
Regards.
I changed the IOS on the 3550 from 12.1 to 12.2 and now I am able to do the clear errdisable command.
ASW1#clear e?
eap eigrp eou errdisable
I am not saying that is the right answer, but the command is available in my 12.2 version IOS.
update?
hi guys…..1 doubt…if i click done in d 5th qn,thn can i chck d 1st 4 qns..plz reply..thankx in advance….
by the way, where is possible to connect to access switches? used to study exam environment official demo configuration from cisco site, but unable to connect to CLI ASW. On layer 3 topology it’s simply absent (coz it’s layer 2 device actually), and on layer 2/3 topology ASW was not clickable there… For those who passed exam – how to access ASW devices?
anyone done the exam pls correct the confusion here… (anyone who got 1000/1000 is preferred) despite the real practice we just want to know which worked in the exam
to answer the port security question…
no shut or clear error disable..
thanks in advance…will be appreciated
@sha
You need to issue the command shut/no shut in order to get back the interface up.
Regards,
@shikima,
did u selected the same in exam and got 1000?
that’s correct, you can check my review in http://www.networktut.com/tshoot-share-your-experience
Regards,
The correct answer would be to do a shut down and no sh on the interface. This will clear the err-disable status.
the only time i would do this command is if the pc that is connected to that interface does not as the same mac-address and the conf.
no switchport port-security mac-address 0000.0000.0001
to check the interface status do command sh int fa1/0/1 status err-disable this will give you the reason why its in err-disable also. Comes in handy in the real world besides the exams.
how to check client is getting 169.x.x.x
James. How would you check your computer’s IP @ from the command line..??..IPCONFIG..
well funnily enough its the same here..!!
Thanx 9tut.com , we are always grateful…..
Are there any social site like 9tut for CCNP Security?
Today, I have passed TSHOOT with full mark Alhamdulleah (thanks for GOD). All the dumps are valid.
13 TT (EIGRP AS ticket is not in the exam).
All 13 TT is the same.
@ Naveed,
Thank you very much for your help, at the beginning every ticket seemed to me very confusing until i read your comments :) Thanks for all the explanation .
i have two questions, first as you mentioned there won’t be much info in the exam’s questions then how would i know which topology to use??
- DSW AND ASW , are they layer 2 or 3 switches? and i don’t see their ip addresses mentioned in the topology . and in this ticket you mentioned to write sh interfaces fa1/0/1, do you mean in ASW1? thank you very much
I passed my exam last week and completed my CCNP certification. Thanks to all who share their knowledge on this site.
In my exam there were 13 tickets, it was easy and my approach was to keep OSI model in my mind and start troubleshooting the Ticket from layer 1 to layer 7.
Alhumdullilah I have passed my exam with score 945. Thanks to Allah and network tut.
aleemyousuf@gmail.com
Passed my TShoot Exam on 5th January, 2012 with 1000/1000, Allhamdulilah.
“Networktut” website and my brother Sohaib Fouzi helped me to prepare this exam, thanks for both of you.
All TTs are still valid and same as mentioned under “networktut”. I got multiple choices and 13 TTs. Except EIGRP AS all TTs came. In All TTS Client1 will have valid IPs (except 4 TTs of 169.x.x.x).
I did my complete exam using only “ipconfig”, “ping” and “show run” commands and never felt to use any other command. One thing is very important that you should have complete understandings of TTs otherwise you will not able to understand 2 or 3 TTs because Cisco made very minor changes in multiple choices or in configuration. The IP scheme between R4, DSW1 and DSW2 is 10.1.4.x.
When i entered in LAB, before starting my exam i wrote the below lines on the provided sheet and then it became very easy to solve the TTs. To solve the TTs i followed the following scheme and order: (remember to use “ipconfig” and “ping” always in Client1 for all TTs)
->> If it is 169.x.x.x there are 4-TTs
1.ASW1 – port security (show-run ASW1 if 1/0/1 and 1/0/2 are in Vlan10, apply sh int for both)
2.ASW1 – access vlan 10 (show-run and check ASW1 if 1/0/1 and 1/0/2 are in Vlan1, if they are… stop!)
3.ASW1 – switch-to-switch (show-run ASW1)
4.R4 – DHCP excluded (show-run R4)
——————————————————————-
->> If client got IP address then 2 options:
-First, if client1 can ping 10.1.1.1 not to server 209.65.200.241 (3TT) ALL IN R1
1.R1 – NAT (10.2.0.0) (show-run R1)(sh ip BGP summary)
2.R1 – BGP (56-65) (show-run R1)(sh ip BGP summary)
3.R1 – ACL (show-run R1)(sh ip BGP summary)
-Second , Client can’t ping 10.1.1.1 but it can ping to 10.1.1.2) then: (1TT)
4-R1 – OSPF authentication (show-run R1 + R2)
-Thirdly, if client1 cannot ping 10.1.1.1, then (4 TTs)
1. DSW1(ASW1) – vlan access map(vlan acl port) *** this one cannot ping even gateway (Check vlan-filter command, which contain vlan access-map, this contain access-list no., now check access-list no. It can drop the packet for PC connected to ASW1.)
2. R4 – Route redistribution: (show-run R4)(EIGRP->OSPF is created and EIGRP-TO-OSPF is used)
3. R4 – EIGRP Passive Interface: passive interface (show-run R4)(sh IP protocols )
4-R4-EIGRP AS: AS number of EIGRP is different is used To verify – show IP protocols.
——————————————————————-
->> Finally, there are 2 distinct TTs,
- HSRP on DSW1: Check DSW1 Use track 10 instead of track 1 (show run) and this is the only question you will see tracking.
- OSPF IPv6 on R2: On serial interface use area 0, not area 12 (show run), you will recognize this TT by reading ticket because it is the only TT which says about IPv6.
Note: The above scheme i copied from one comment under “networktut”, i dont remember the name. Sorry to mention under my comments but it was just to help others. Please feel free for any query, my email address belal_fouzi@yahoo.com
Q of port security
on P4S said the is the answer is { in configuration mode using the interface range fa1/0/1-2, then no switch-port port-security interface configuration commands.Then in exec mode clear err-disable interface fa1/0/2 commands }
Ans3)issue “no switchport port-security mac-address 0000.0000.0001 command followed by shutdown & no shutdown commands on port fa1/0/1 on ASW1
so which one is the correct answer I’m confused
pls some1 explain
Here is the option, but which one is correct? Anyone pass it with full mark? Belal, can you help us?
A),issue no switchport port-security mac-address 0000.0000.0001 command followed by shutdown & no shutdown commands on port fa1/0/1 on ASW1
B),issue no switchport port-security mac-address 0000.0000.0001 command followed by shutdown & no shutdown commands on port fa1/0/1-2 on ASW1
C),issue no switchport port-security mac-address 0000.0000.0001 command followed by shutdown & no shutdown commands on port fa1/0/1 on ASW1 and issue no switchport port-security mac-address 0000.0000.0002 command followed by shutdown & no shutdown commands on port fa1/0/2 on ASW1
D), in configuration mode using the interface range fa1/0/1-2, then no switch-port port-security interface configuration commands.Then in exec mode clear err-disable interface fa1/0/2 commands
for me this is the correct answer:
A),issue no switchport port-security mac-address 0000.0000.0001 command followed by shutdown & no shutdown commands on port fa1/0/1 on ASW1
there is a slight change in the q i got..it was to issue no switchport port-security on both the interfaces..and there was also a slight change in the switchport vlan and trunk..!
i passed with 1000 marks though..the errors are the same..anyways thanks to networktut
A big congratulations to everyone who just passed TSHOOT paper, if possible please share the Dump of TSHOOT to this mail please and thanks a lot ! kkk278@hotmail.co.uk also if you have any packet tracer software 5.3+ pls send me one and really appreciated ! (Urgent)
Answer has been changed to
“In configuration mode, using the interface range F1/0/1-2, then no switchport port-security,followed by shutdown,no shutdown interface configuration commands”
this is the answer now,
Cool:) I would say it exploded my brain..!!