
Ticket 7 – Port Security

April 30th, 2018 in TSHOOT v2

Client 1 is unable to ping Client 2 or DSW1. The command 'sh interfaces fa1/0/1' shows the following message in its first line:
'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'

On ASW1, port security is configured with the static MAC address 0000.0000.0001, and the interface is in the err-disabled state.

Configuration of ASW1
interface fa1/0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0001


Answer: on ASW1, delete port-security, then issue shutdown followed by no shutdown on the interfaces.

Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-security, followed by shutdown, no shutdown interface configuration commands.

Note: There is another ticket (ticket 13) in which port security is also configured but it is not the fault. In that ticket when we “show interfaces fa1/0/1” we see the interface is in ‘up/up’ state so be careful to identify the two tickets.
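
The distinction drawn in the note above, as an added example (not part of the original post or the exam material): a port with port security configured is the fault only when the first line of 'show interfaces' reports err-disabled. The configuration text, the status lines, interface Fa1/0/3 and the function names are constructed or hypothetical.

```python
import re

# Constructed inputs modelled on this ticket; not captured from a real switch.
RUNNING_CONFIG = """\
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0001
!
interface FastEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0001
!
interface FastEthernet1/0/3
 switchport mode access
 switchport port-security
!
"""
FIRST_LINES = [
    "FastEthernet1/0/1 is down, line protocol is down (err-disabled)",
    "FastEthernet1/0/2 is down, line protocol is down (err-disabled)",
    "FastEthernet1/0/3 is up, line protocol is up (connected)",
]

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def secured_ports(config):
    """Return {interface: [static secure MACs]} for ports with port security enabled."""
    enabled, macs, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split()[1]
        elif current and line == "switchport port-security":
            enabled.add(current)
        elif current and (m := re.fullmatch(rf"switchport port-security mac-address ({MAC})", line, re.I)):
            macs.setdefault(current, []).append(m.group(1).lower())
    return {port: macs.get(port, []) for port in sorted(enabled)}

def triage(config, first_lines):
    """Split port-security ports into err-disabled (the fault) and up/up (not the fault)."""
    down = {l.split()[0] for l in first_lines if l.endswith("(err-disabled)")}
    ports = secured_ports(config)
    fault = [p for p in ports if p in down]
    return {"fault": fault, "not_fault": [p for p in ports if p not in down]}

if __name__ == "__main__":
    print(triage(RUNNING_CONFIG, FIRST_LINES))
```
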

Comments (43)
  1. Adventure life
    January 17th, 2018

    I passed exam yesterday with the score 958/1000.
    9tut cleared lots of doubt.

  2. Abc
    January 19th, 2018

    Congratulations @Adventure life

  3. Please don’t use real name.
    January 30th, 2018

    got this question in 30th january exam.

  4. chuposeupau
    February 1st, 2018

    This ticket is back

  5. chuposeupau
    February 1st, 2018

    I took the exam today and this port-security ticket was there

  6. p9p9
    February 16th, 2018

    Can anyone clarify the correct answer for this Q? Should I simply disable port-security (plus shut/no shut) or should I enter the correct port-security config using the right MAC addresses of Client 1 and 2?

  7. colonel.exe
    February 17th, 2018

    Default setting means 1 MAC address is allowed to connect. If you remove the configured address ending .0001, you free up that space. By shutting & unshutting the interface it will then dynamically learn the MAC address of the connected client.
    You can configure the MAC address like you mention, but it’s not necessary.

  8. The_Boss
    February 19th, 2018

    Which commands will work here?

    From DSW1 can you do a sh run.

  9. p9p9
    February 19th, 2018

    @colonel.exe — yah, i agree. But the suggested answer is “no switchport security” which will disable port security altogether on Fa1/0/1.

    Your answer makes way more sense.

    could you confirm whether port security has to be disabled or just to delete the mac address configured in this ticket?

  10. NickMenza
    April 10th, 2018

    Does the command “show port-security interface fa1/0/1” work in exam sim?

  12. anonymous
    May 25th, 2018

    1. sim 2 : I had both bgp and hsrp, no issues
    2. 11 tickets
    * all good except 2
    * Ticket 6 : no vlan filter option was not available on dsw1, it was on ASW1, strange. I think I got it wrong
    * Ticket 4 : ip nat outside or inside all looked good. client was not able to ping the server but R1,2,3,4 all were able to ping to the server.
    3. MCQ all new
    – IPv6 ACLs (pick 2): standard, extended, name, tag..
    – Time based ACLs (requirement pick 2) : standard, extended, time source from router, NTP sync and so on
    – GRE tunnel IPv6 over IPv4 (pick 2) : SRC must be IPv4, IPv6 over IPv4 .. I do not remember much
    – uRPF (it was not the same as the ones I’ve seen here)
    – to avoid fragmentation via gre tunnel, 3 command lines in order (choices were like ip mtu 1400, gre mtu discovery, mss..).
    – GRE tunnel is up but the server or host cannot pass through traffic what are the 2 things need to be fixed (move R1 to global routing, put R3 on vrf, run heartbeat on gre tunnel, and so on)
    – ping and traceroute : ping uses UDP and ICMP, traceroute uses TCP and ICMP, ping uses ICMP, only ping uses TTL, to check source IP reachability use traceroute and so on
    – server learns routes via ospf and 2 eigrp, what’s the best way to see the path to the destination
    (choices were show ip ospf database, show eigrp topology, traceroute to the destination, show ip route)
    – management plane security (choices were DNS, ARP, TFP, HTTPS…)

  13. X
    June 6th, 2018

    Thank you for the feedback anonymous.
    I am wondering if in ticket 6 you found VLAN ACL/ Port ACL in question 2 (Did you choose DSW1 in question?). Not sure if you saw the option ‘no vlan access-map test1 10’

  14. $foo
    July 6th, 2018

    I took the TSHOOT Exam yesterday – Port Security-Ticket still exists …

  15. lanman
    July 7th, 2018

    If there were no vlan acl commands, then you could have used just a regular acl
    ip access-list standard ACL_NAME

  16. Some Dude
    July 30th, 2018

    In the network tut lab, when you do ‘show ip int brief’ on ASW1 for this ticket, it shows the interfaces as down/down. However, in the actual exam, they are up/up. You won’t know it is a port security issue unless you do ‘show port-security’

  17. josh
    August 29th, 2018

    @ Some dude, did you pass the exam?

  18. Someone in London
    September 9th, 2018

    @SomeDude Thank you so much for your tip!

  19. bono
    September 24th, 2018

    Hi all,

    I had two questions last week which look new or same issue on different device.

    1- passive interface configured under eigrp router on DSW1 instead of R4
    2- there was no OSPF neighbor relationship between R1 and R2 but the issue was not auth under sub-int on R1

    Could you please kindly assist if anyone has any idea what these issues are regarding to as I booked another exam in two days? This is the last chance I have as my CCNA will be expired by 1st of October.

    I am also wondering if anyone knows how many score each TT and MCQ has?

    Your guidance is much appreciated.


  20. Anonymous
    September 24th, 2018

    Hi bono,

    Same here , I failed by 13 points.

    all my certifications will be expired by 1st of October as well. I have exam tomorrow, I shall update you.

  21. Anonymous
    October 4th, 2018

    Packet tracer labs. Both interfaces are shut down to act like err-disabled ports. Less than one min. Client does not have an IP address. Checked connected switch ASW1 issue found via show interfaces status. Removed port-security but client cannot ping the server. Had to wait a long time for DHCP. Then it worked.

  22. Lang
    December 20th, 2018

    Just failed an exam. Needed 30 points more. I answered this ticket with the answer that this site offers, but I have doubts, because there were 2 solutions that can resolve the problem, for example removing the MAC address bind from port-security. I am not sure at all how Cisco expects us to answer

  23. Anonymous
    February 3rd, 2019

    Please, I want to know if 9tu premium account allows you to practice in a simulated environment for TSHOOT ticket

  24. Anonymous
    February 4th, 2019

    Yes you can practice in simulated environments for TSHOOT tickets

  25. Dany1
    February 18th, 2019

    One unreal configuration in Ticket 7 Simulation Ticket:
    -int fa1/0/1 and int fa1/0/2 have the same port-security mac-address 0000.000.0001.

    It is not possible to define the same port-security mac-address on different ports on the same switch. Otherwise, the simulator is just fine. In addition, I noticed it is allowed to run the command 'show port-security', which shows in the blink of an eye whether port-security is on, on which interfaces, and whether the interfaces are err-disabled. Good work, networktut

  26. @networktut
    March 17th, 2019

    kindly check client 1. It is able to get an IP address, should be APIPA since it is not connected with an err-disabled interface!

  27. @networktut
    March 17th, 2019

    kindly check client 1. It is able to get an IP address, should be APIPA since it is connected with an err-disabled interface!

  28. ASJ Network
    April 8th, 2019

    Can someone please provide me the latest dumps of CCNP TSHOOT exam ?

  29. ASJ Network
    April 8th, 2019

    Can someone please provide me the latest dumps of CCNP TSHOOT exam ?
    ardhirocks at gmail dot com

  30. deep
    April 19th, 2019

    My ccna is about to expire, I need to write CCNP exam and prefer route if someone has material to study and can lend that is appreciated. My address is despannu at gmail dot com thanks

  31. Ipv6
    June 18th, 2019

    This ticket is still present or no ?

  32. Raspasoti
    August 3rd, 2019

    Hello everyone, the “show port-security” command is not supported in this simulation. How do you get to the answer without the show run command in this case?

  33. yy
    August 4th, 2019

    You can use show interface status as well, but that command is not permitted in the exam, so you have to use sh run or show port commands to see if the port is in err-disable status

  35. ciscoTech
    November 23rd, 2019

    Hi Guys,

    I have a question regarding the SAM’s strategy.

    Client 1 (ping > R1 (show run and check), there are 4 possibilities of tickets:

    1. (T04) Missing command under the outside ACL NAT_Traffic Add network

    2. (T03) Wrong IP of BGP Neighbor (.56 should be .65)

    3. ip nat outside should be replaced with ip nat inside

    4. (T05) WAN ACL Missing command under the outside edge security ACL Add network

    The item number 1 which points to the ticket 4 doesn’t exist. I’m saying that because the answer for the Ticket 4 from the networktut website is the item number 3 (ip nat outside should be replaced with ip nat inside which actually is the other way around, the ip nat outside will need to be added on the interface S/0/0/1)
    Moreover I haven’t seen the answer from the item 1 on any other ticket.

    Can anyone clarify that pls?


  36. Anonymous
    December 12th, 2019

    guys , where should i find the topology ?

  37. Clarity
    January 4th, 2020

    Port security for fa1/0/1 – 2
    switchport port-security mac-address 0000.0000.0001
    Mac Address is same for each interface ?

    The Premium Tut & practice, piece of cake

  38. Chesta
    January 7th, 2020

    Hi guys, new to the site. Out of curiosity, how are the labs provided? Is this via GNS3? Renewing my CCNP in a couple of weeks so just want to confirm before parting with any cash. Cheers all

  39. Chesta
    January 7th, 2020

    Sorry, this is for the premium membership. Would like to ensure my ducks are in a row before taking the exam. Thanks.

  40. Juggy
    January 7th, 2020

    Just passed test. This site is correct. The only problem I saw on this ticket was the macs didn’t match.

  41. Anonymous
    January 12th, 2020

    If you see the ports fa1/0/1 and fa1/0/2 are down remove the port security and bounce the ports.

  42. maria
    January 23rd, 2020

    Hi Guys,

    I have a question regarding the SAM’s strategy.

    Client 1 (ping > R1 (show run and check), there are 4 possibilities of tickets:

    hey all don't worry about all bullshit stigmata u will spend more time trying to memorize them and forget them in the sweaty moment

    just ping from C1 and move upstream or downstream with your pings to determine the faulty device

  43. maria
    January 23rd, 2020

    1- passive interface configured under eigrp router on DSW1 instead of R4–not true
    2- there was no OSPF neighbor relationship between R1 and R2 but the issue was not auth under sub-int on R1- no its not written on the ospf 1 process
