Cisco 350-401 ENCOR Exam Materials: Which Of The Following Is Required When Configuring Port Security With Sticky Learning?

Study4Pass delivers exceptional Cisco CCNP Enterprise (350-401 ENCOR) exam materials, providing clear and focused resources to master concepts like "Which Of The Following Is Required When Configuring Port Security With Sticky Learning?" With expertly crafted practice questions and current content, Study4Pass ensures candidates confidently grasp port security configurations, paving the way for efficient preparation and success in achieving CCNP certification.

Tech Professionals

12 June 2025

In the intricate architecture of enterprise networks, Layer 2 (Data Link Layer) security often represents the first line of defense against unauthorized access, MAC address spoofing, and various forms of denial-of-service (DoS) attacks. While firewalls and intrusion prevention systems guard the perimeter and higher layers, securing the access layer—where end-user devices connect to the network—is paramount for maintaining network integrity and data confidentiality. Among the most effective tools for this purpose is Cisco's Port Security feature.

For network engineers aspiring to achieve the prestigious Cisco CCNP Enterprise (350-401 ENCOR) Certification, a deep understanding of Layer 2 security mechanisms, including advanced Port Security configurations like "sticky learning," is not merely a theoretical exercise; it's a practical necessity for designing, implementing, and troubleshooting robust enterprise networks. This article will meticulously dissect the core question: "Which of the following is required when configuring port security with sticky learning?" We will explore the fundamentals of port security, highlight the specific requirement for sticky learning, delve into its advantages, examine its configuration context, and emphasize its vital relevance to the Cisco CCNP ENCOR exam, providing a comprehensive guide for aspiring enterprise network professionals.

Introduction: The Criticality of Layer 2 Security

The access layer of a network is the most vulnerable entry point. It's where employees connect their laptops, IP phones, printers, and sometimes, even unauthorized devices. While network devices like routers and firewalls protect against external threats and control traffic flow between different network segments, the Layer 2 (Ethernet) switching infrastructure is often overlooked until a security incident occurs.

A compromised access layer can lead to a cascade of problems:

  • Unauthorized Access: An attacker plugging into an available wall jack gains direct access to the network segment.
  • MAC Address Spoofing: An attacker can mimic a legitimate device's MAC address to bypass security controls or intercept traffic.
  • CAM Table Overflow Attacks: Flooding a switch with frames from thousands of bogus source addresses fills its MAC address table (CAM table); once the table is full, the switch floods frames for unknown destinations out every port in the VLAN, as a hub would, enabling eavesdropping.
  • Denial of Service (DoS): Malicious devices can flood the network, disrupting legitimate user traffic.

Traditional security measures like strong authentication (e.g., 802.1X) are excellent for user and device identity. However, Port Security provides an essential supplementary layer, acting as a gatekeeper at the physical port level. It controls which MAC addresses are allowed to communicate on a specific switch port, effectively locking down access.

For a Cisco CCNP Enterprise candidate, this is not just theoretical knowledge. The 350-401 ENCOR exam focuses on core enterprise network technologies, including network design, virtualization, infrastructure, network assurance, security, and automation. A significant portion of the security domain covers switch security features, making Port Security, and specifically its advanced configurations like "sticky learning," a critical topic. Understanding how to implement these features is crucial for securing enterprise networks, ensuring business continuity, and protecting sensitive data. This article will delve into the specific requirements for deploying Port Security with sticky learning, emphasizing its practical benefits and its importance for your CCNP certification journey.

Understanding Port Security Fundamentals

Before diving into "sticky learning," it's essential to grasp the core concepts of Cisco Port Security. Port Security is a Layer 2 security feature available on Cisco Catalyst switches that allows network administrators to restrict input traffic on a port by limiting the number of valid MAC addresses allowed on that port. If the number of MAC addresses learned or configured on a port exceeds the configured limit, or if an unauthorized MAC address attempts to access the port, Port Security can take various actions.

Key Concepts of Port Security:

1. Secure MAC Addresses: These are the MAC addresses that are explicitly permitted to send traffic on a port. They can be configured in two main ways:

  • Statically Configured: The administrator manually enters the MAC address using the switchport port-security mac-address command. This provides the highest level of control but requires manual updates if devices change.
  • Dynamically Learned: The switch automatically learns MAC addresses from incoming traffic. This is more flexible, but the learned addresses live only in the MAC address table and are lost when the switch reboots or the port goes down.

2. Maximum MAC Addresses: Each port configured with Port Security has a limit on the number of MAC addresses it can learn or be configured with. This is set using the switchport port-security maximum command. The default is usually 1, meaning only one MAC address is allowed per port.

3. Violation Modes: When a Port Security violation occurs (e.g., too many MAC addresses or an unauthorized MAC address tries to connect), the switch can be configured to take one of three actions:

  • shutdown (Default): The port is immediately placed in the error-disabled (err-disabled) state, a syslog message and SNMP trap are generated, and the violation counter increments. The port stays down until an administrator intervenes (shutdown then no shutdown on the interface) or an errdisable recovery timer brings it back up. This is the most secure but also the most disruptive option.
  • restrict: Traffic from the unauthorized MAC address is dropped, and a syslog message is generated, an SNMP trap is sent, and the violation counter increments. The port remains operational for authorized MAC addresses. This is less disruptive but still provides alerts.
  • protect: Traffic from the unauthorized MAC address is dropped. No syslog message or SNMP trap is generated, and no violation counter is incremented. This is the least disruptive but provides minimal visibility.
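The restrict and shutdown modes only pay off if somebody reads the syslog they produce. The following Python script is an added example (not code from the article or from Cisco) that parses exported IOS syslog text for the port-security messages, counts violations and offending addresses per port, tracks which ports are currently err-disabled, and infers the violation mode from what was logged. The log lines are constructed to follow the documented IOS message formats; the interface-name table and the summarize and report function names are this example's own.

```python
"""Summarise Cisco IOS port-security syslog messages per port.

Added example, not code from the original article. The log lines below are
constructed to follow the documented IOS message formats
(%PORT_SECURITY-2-PSECURE_VIOLATION, %PM-4-ERR_DISABLE, %PM-4-ERR_RECOVER);
nothing here talks to a switch, so it runs offline on exported logs.
"""
import re
from collections import defaultdict

# Constructed sample log (what a syslog collector would receive from the switch).
SAMPLE_LOG = """\
*Jun 12 09:14:02.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56ff.bbbb on port GigabitEthernet0/1.
*Jun 12 09:14:02.115: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
*Jun 12 09:14:02.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Jun 12 09:20:31.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56ff.cccc on port GigabitEthernet0/7.
*Jun 12 09:20:33.010: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56ff.dddd on port GigabitEthernet0/7.
*Jun 12 09:25:00.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56ff.eeee on port GigabitEthernet0/3.
*Jun 12 09:25:00.003: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 09:30:00.500: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/3
*Jun 12 09:31:10.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),")
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<reason>\S+) err-disable state on (?P<port>\S+)")

# IOS subsystems abbreviate interface names differently (GigabitEthernet0/1 vs
# Gi0/1); map both onto one key so events for the same port are counted together.
_LONG_NAMES = ("GigabitEthernet", "FastEthernet", "TenGigabitEthernet",
               "TwentyFiveGigE", "Ethernet", "Port-channel")

def normalize_port(name):
    """Expand an abbreviated IOS interface name; unknown prefixes are returned unchanged."""
    m = re.match(r"^([A-Za-z-]+?)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    for long in _LONG_NAMES:
        if long.lower().startswith(prefix.lower()):
            return long + rest
    return name

def summarize(log_text):
    """Return {port: {violations, macs, state, inferred_mode}} from raw syslog text."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(),
                                 "state": "up", "inferred_mode": None})
    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            p = ports[normalize_port(m["port"])]
            p["violations"] += 1
            p["macs"].add(m["mac"])
            # restrict and shutdown both log violations; protect logs nothing,
            # so a port in protect mode never shows up here at all.
            p["inferred_mode"] = p["inferred_mode"] or "restrict"
        elif (m := ERRDISABLE_RE.search(line)) and m["reason"] == "psecure-violation":
            p = ports[normalize_port(m["port"])]
            p["state"], p["inferred_mode"] = "err-disabled", "shutdown"
        elif (m := RECOVER_RE.search(line)) and m["reason"] == "psecure-violation":
            ports[normalize_port(m["port"])]["state"] = "recovering"
    return dict(ports)

def report(summary):
    """Render the summary as text, err-disabled ports first."""
    order = {"err-disabled": 0, "recovering": 1, "up": 2}
    lines = []
    for port, p in sorted(summary.items(), key=lambda kv: (order[kv[1]["state"]], kv[0])):
        lines.append(f"{port:<22} {p['state']:<13} mode~{str(p['inferred_mode']):<9} "
                     f"violations={p['violations']} macs={','.join(sorted(p['macs']))}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The mode inference is deliberately conservative: a port that only ever produced PSECURE_VIOLATION messages is reported as restrict, and the first ERR_DISABLE for psecure-violation upgrades it to shutdown. Ports in protect mode are invisible to this kind of monitoring, which is the practical argument against that mode.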

Configuring Basic Port Security (Example):

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

This basic configuration enables Port Security on G0/1, limits it to one MAC address, and shuts down the port on violation. The MAC address would be dynamically learned.

For a CCNP Enterprise candidate, this foundational understanding is critical. The 350-401 ENCOR exam expects you to know not just how to enable Port Security but also how to choose the appropriate violation mode and understand the implications of each. However, managing dynamically learned MAC addresses can be problematic, especially after a power cycle or port reset, which leads us to the specific requirement of "sticky learning."

The Specific Requirement: Enabling "Sticky Learning"

When configuring Port Security to retain dynamically learned MAC addresses across switch reboots or interface resets, the specific requirement is to enable "sticky learning."

The command to enable sticky learning is:

switchport port-security mac-address sticky

Let's break down what "sticky learning" does and why it's required:

  • Problem with Pure Dynamic Learning: In a standard Port Security configuration with dynamic learning, the secure MAC addresses a port learns are held only in the switch's MAC address table; they never appear in the running configuration. If the switch reboots, or the interface goes down and comes back up (a cable pull, or shutdown then no shutdown), those addresses are gone and the port starts learning from scratch. Besides the brief interruption while devices re-register, this opens a window: if the first device to send a frame after the reset is an unauthorized one, it is learned as the secure address, because the maximum has not yet been reached.
  • Solution: "Sticky Learning": When switchport port-security mac-address sticky is configured on a port, the switch dynamically learns MAC addresses from incoming traffic, just as it would with standard dynamic learning. However, instead of keeping these learned addresses only in RAM, the switch converts these dynamically learned MAC addresses into "sticky secure MAC addresses." These sticky MAC addresses are then automatically added to the running configuration of the switch interface.
  • Persistence: The crucial aspect of sticky learning is persistence. Because the sticky MAC addresses are now part of the running configuration, they are retained across interface resets or switch reboots (if the running configuration is saved to startup configuration). This means that once a legitimate device connects and its MAC address is learned as sticky, that MAC address will be remembered by the switch even after a power cycle, preventing the need for re-learning and ensuring consistent security.

How it works (in steps):

  1. An administrator enables Port Security and then switchport port-security mac-address sticky on a port.
  2. The first legitimate device (e.g., a user's laptop) connects to the port.
  3. The switch dynamically learns the MAC address of the laptop.
  4. Because sticky learning is enabled, the switch immediately converts this dynamically learned MAC address into a "sticky secure MAC address."
  5. This sticky MAC address is then added directly to the running configuration of that interface: show running-config for that interface now shows a line of the form switchport port-security mac-address sticky <mac-address> (for example switchport port-security mac-address sticky 0050.56ff.aaaa) beneath the switchport port-security mac-address sticky command that enabled the feature.
  6. If the running configuration is saved to the startup configuration (copy running-config startup-config or wr mem), the sticky MAC address will be preserved even if the switch reboots.
  7. If a new, unauthorized device tries to connect to the port after the legitimate MAC address has been learned (and the maximum limit is 1), a Port Security violation will occur based on the configured violation mode.

The switchport port-security mac-address sticky command is a fundamental requirement for deploying Port Security in a way that balances the flexibility of dynamic learning with the persistence of static configuration, making it a highly practical and commonly used approach in enterprise networks. For a Cisco CCNP ENCOR (350-401) candidate, knowing this command and its purpose is absolutely essential for both configuration and troubleshooting scenarios.
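To make the rules above concrete, here is an added Python model (not switch code and not from the article) that encodes the behaviour this section describes: dynamic addresses live only in the address table, sticky addresses are written to the running configuration and survive a reboot only once saved, a secure address appearing on another secure port in the same VLAN is a violation, and the three violation modes react differently. The Port and Switch classes, the scenario names and the MAC addresses are all constructed for the example. Running it replays the reboot gap, the saved-configuration recovery, and one case worth noticing: a frame carrying the sticky address on the same port is forwarded whether or not the real device sent it.

```python
"""A small model of Cisco port-security behaviour on one switch.

Added example, not code from the article and not switch code: it encodes the
rules the text describes (dynamic vs sticky secure addresses, running vs
startup configuration, the three violation modes, and the cross-port check)
so the reboot and spoofing scenarios can be replayed offline. All MAC
addresses used in the scenarios are constructed.
"""

class Port:
    def __init__(self, name, vlan=10, maximum=1, mode="shutdown", sticky=False):
        self.name, self.vlan, self.maximum, self.mode, self.sticky = name, vlan, maximum, mode, sticky
        self.secure = {}        # address table: mac -> "dynamic" | "sticky"
        self.running = set()    # sticky macs written into running-config
        self.startup = set()    # sticky macs present in startup-config
        self.err_disabled = False
        self.violations = 0

class Switch:
    def __init__(self):
        self.ports, self.log = {}, []

    def add_port(self, port):
        self.ports[port.name] = port

    def _violation(self, port, mac):
        if port.mode == "protect":        # silent drop: no counter, no syslog
            return "dropped"
        port.violations += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by {mac} on port {port.name}")
        if port.mode == "shutdown":
            port.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {port.name}")
            return "err-disabled"
        return "dropped"                  # restrict: drop the offender, keep the port up

    def frame(self, port_name, src_mac):
        """Outcome for a frame with source src_mac arriving on port_name."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        if src_mac in port.secure:        # an expected address is accepted as-is,
            return "forwarded"            # whether the real device or a clone sent it
        for other in self.ports.values():  # secure address of another port, same VLAN
            if other is not port and other.vlan == port.vlan and src_mac in other.secure:
                return self._violation(port, src_mac)
        if len(port.secure) >= port.maximum:
            return self._violation(port, src_mac)
        if port.sticky:
            port.secure[src_mac] = "sticky"
            port.running.add(src_mac)     # goes to running-config, not startup-config
        else:
            port.secure[src_mac] = "dynamic"
        return "learned"

    def save(self):                       # copy running-config startup-config
        for p in self.ports.values():
            p.startup = set(p.running)

    def reboot(self):
        """Dynamic addresses vanish; sticky ones come back only from startup-config.
        The err-disabled state and the violation counters are not saved either."""
        for p in self.ports.values():
            p.running = set(p.startup)
            p.secure = {mac: "sticky" for mac in p.running}
            p.err_disabled, p.violations = False, 0

def run_scenarios():
    """Replay the article's scenarios; returns the outcomes keyed by scenario."""
    sw = Switch()
    sw.add_port(Port("Gi0/1"))                          # dynamic learning only
    sw.add_port(Port("Gi0/2", sticky=True))             # sticky, violation shutdown
    sw.add_port(Port("Gi0/3", sticky=True, mode="restrict"))
    sw.add_port(Port("Gi0/4", sticky=True, mode="protect"))
    A, B, C = "0050.56ff.aaaa", "0050.56ff.bbbb", "0050.56ff.cccc"   # legitimate devices
    ATT1, ATT2 = "0050.56ff.ee01", "0050.56ff.ee02"                   # rogue devices
    r = {}
    r["dyn_learn"] = sw.frame("Gi0/1", A)
    r["sticky_learn"] = sw.frame("Gi0/2", B)
    r["sticky_in_running"] = B in sw.ports["Gi0/2"].running
    sw.reboot()                                         # nobody ran copy run start
    r["sticky_after_unsaved_reboot"] = sorted(sw.ports["Gi0/2"].secure)
    sw.frame("Gi0/2", B); sw.save(); sw.reboot()        # learn again, save, reboot
    r["sticky_after_saved_reboot"] = sorted(sw.ports["Gi0/2"].secure)
    r["dyn_after_reboot"] = sorted(sw.ports["Gi0/1"].secure)
    r["rogue_first_on_dynamic_port"] = sw.frame("Gi0/1", ATT1)   # the gap the text describes
    r["rogue_on_sticky_port"] = sw.frame("Gi0/2", ATT2)
    sw.reboot()                                         # clears err-disable; sticky B survives
    r["clone_of_sticky_mac_same_port"] = sw.frame("Gi0/2", B)   # indistinguishable from the real device
    r["sticky_mac_seen_on_other_port"] = sw.frame("Gi0/3", B)
    r["restrict_counter"] = sw.ports["Gi0/3"].violations
    sw.frame("Gi0/4", C)
    r["protect_drop"] = sw.frame("Gi0/4", ATT2)
    r["protect_counter"] = sw.ports["Gi0/4"].violations
    r["syslog_lines"] = len(sw.log)
    return r

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:<34} {v}")
```

The model is intentionally minimal (no aging, no voice VLAN, no link-flap handling), but the two results that matter for design decisions fall straight out of it: a sticky address that was never saved is as ephemeral as a dynamic one, and a cloned address on the same port passes.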

Advantages of Deploying Port Security with Sticky Learning (CCNP Benefits)

Implementing Port Security with sticky learning offers significant advantages for network administrators, directly contributing to more robust and manageable enterprise network security. These benefits are precisely why this configuration is emphasized in certifications like Cisco CCNP Enterprise (350-401 ENCOR).

1. Automation and Reduced Administrative Overhead:

  • No Manual Static Configuration: Unlike manually configuring static MAC addresses, sticky learning automates the process of associating a MAC address with a port. This is invaluable in large networks where devices frequently move or are replaced. Imagine manually updating MAC addresses for thousands of user desktops or IP phones!
  • Self-Healing (to an extent): When a legitimate device connects, its MAC address is automatically learned and secured. If the device is later replaced, the old sticky address must first be removed (no switchport port-security mac-address sticky <mac-address> on the interface, or clear port-security sticky interface <interface-id>); the replacement's address is then learned automatically.
  • CCNP Relevance: As a CCNP-level engineer, you're expected to design scalable and efficient solutions. Sticky learning contributes significantly to automating Layer 2 security, reducing the ongoing workload for network operations teams.

2. Persistence Across Reboots and Interface Resets:

  • Reliable Security: Without sticky learning, dynamically learned MAC addresses are lost on a switch reboot. This creates a security gap in which an unauthorized device that connects first is learned as the secure address before the legitimate device's address can be re-learned. Sticky learning closes the gap by making the learned addresses persistent.
  • Consistent Policy: Ensures that security policies remain enforced consistently, even after planned maintenance or unexpected power outages.
  • CCNP Relevance: This directly addresses network resilience and reliability, critical aspects of CCNP exam objectives. Understanding how configurations persist is key to troubleshooting and designing stable networks.

3. Enhanced Security Posture:

  • Binding to the First Device: Sticky learning effectively binds a port to the first device that sends a frame after the feature is enabled, preventing other devices from using the port later. Note that nothing authenticates that device: the switch trusts whichever MAC address arrives first, so enable sticky learning only when the port is in a known-good state, and rely on 802.1X or MAB where real device identity is required.
  • Mitigation of MAC Spoofing (partial): A secure address learned on one port that shows up on another secure port in the same VLAN triggers a violation on the second port, so a legitimate address cannot simply be reused from a different wall jack. On the same port, however, Port Security only compares source addresses: an attacker who unplugs the legitimate device and clones its MAC address looks identical to it and is forwarded. Port Security limits which addresses a port accepts; it does not verify that the device presenting them is genuine.
  • Defense Against CAM Table Flooding (Limited): While not its primary function, by limiting the number of MAC addresses per port, Port Security also indirectly helps mitigate simple CAM table overflow attacks, making it harder for an attacker to flood the table.
  • CCNP Relevance: This directly ties into the "Network Security" domain of the ENCOR exam, focusing on implementing robust access layer security.

4. Reduced Troubleshooting Complexity (for specific scenarios):

  • Known Good State: Once sticky MACs are learned and saved, the switch has a "known good" state for its ports. If a device has connectivity issues, you can quickly verify if its MAC address is correctly registered as sticky.
  • Faster Recovery: After an interface reset or a reboot (with the configuration saved), the switch already holds the sticky addresses, so it does not need to re-learn them and the legitimate device's traffic is forwarded immediately.
  • CCNP Relevance: Troubleshooting is a major part of the CCNP role. Understanding how sticky learning impacts device connectivity and state is crucial for efficient problem resolution.

5. Flexibility of Dynamic Learning with Control of Static Configuration:

  • Sticky learning offers a hybrid approach: the convenience of dynamic learning without losing the learned addresses on a reboot.
  • It fits best where a port serves a fixed device, such as a desk PC, a printer or a wall-mounted IP phone. It is a poor fit for hot-desking: the first user's MAC address is locked to the port and must be cleared before anyone else can use that desk, so for moving users 802.1X or port-security aging is the better tool. Where an IP phone and a PC share one port, the maximum must be raised to cover both addresses (check the platform documentation for the value required on a voice VLAN port), otherwise the second device triggers a violation.
  • CCNP Relevance: This demonstrates a nuanced understanding of trade-offs and of choosing the right security feature for a given scenario, a key skill for a network engineer at this level.

In essence, sticky learning transforms Port Security from a good feature into a great one, balancing automation with persistence and significantly enhancing the security and manageability of the access layer. For a CCNP Enterprise certified professional, mastering this configuration is indicative of their ability to implement practical and effective network security solutions. For a comprehensive review of these critical topics, including detailed configuration examples and practical scenarios, Study4Pass provides excellent Practice Exam Materials. A Study4Pass practice test PDF costs just 19.99 USD, offering a cost-effective way to ensure you're fully prepared for the intricacies of network security within the ENCOR exam. Study4Pass helps you internalize these vital security concepts.

Configuration Context (Simplified Example):

Let's put the requirement for sticky learning into a practical configuration context. Assume we have a Cisco Catalyst switch and we want to secure GigabitEthernet0/1 for a user's laptop, allowing only one MAC address, learning it automatically, and making it sticky.

Scenario: A user's laptop connects to GigabitEthernet0/1. We want to ensure only this laptop can use the port, even after a switch reboot, and we don't want to manually configure its MAC address.

Configuration Steps:

1. Enter Global Configuration Mode:

Switch# configure terminal
Switch(config)#

2. Enter Interface Configuration Mode for the target port:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)#

3. Set the port to Access Mode: Port Security can only be enabled on a static access port or a trunk port. On a port left in dynamic (DTP negotiation) mode the switch rejects the switchport port-security command, so setting the mode explicitly is itself a prerequisite.

Switch(config-if)# switchport mode access

4. Enable Port Security on the interface:

Switch(config-if)# switchport port-security

5. Set the Maximum Number of MAC Addresses: We want to allow only one device.

Switch(config-if)# switchport port-security maximum 1

6. Configure the Violation Mode (Optional, but highly recommended for security): We choose shutdown for maximum security.

Switch(config-if)# switchport port-security violation shutdown

7. Enable Sticky Learning (THE REQUIRED PART): This is the crucial command that tells the switch to convert dynamically learned MAC addresses into sticky secure MAC addresses and add them to the running configuration.

Switch(config-if)# switchport port-security mac-address sticky

Full Configuration Block:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end

Verification Steps (After a device connects):

1. Show Running-Config:

Switch# show running-config interface GigabitEthernet0/1

You should now see, in addition to the switchport port-security mac-address sticky line that enabled the feature, an entry of the form switchport port-security mac-address sticky 0050.56ff.aaaa (the learned address). This confirms the MAC address was learned and converted to sticky.

2. Show Port Security Interface:

Switch# show port-security interface GigabitEthernet0/1

This command shows output along the following lines (the address and counters are illustrative):

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.56ff.aaaa:1
Security Violation Count   : 0

Sticky MAC Addresses : 1 confirms that the learned address has been converted to a sticky secure address; it is counted separately from Configured MAC Addresses, which counts only statically entered addresses and stays at 0 here. To list the addresses themselves with their type (SecureSticky, SecureDynamic or SecureConfigured), use show port-security address.

3. Save Configuration:

Switch# copy running-config startup-config

This step is vital. If you don't save, the sticky MAC addresses will be lost upon the next switch reboot, even if they were added to the running config.

This example clearly illustrates that the switchport port-security mac-address sticky command is the specific requirement to achieve persistence for dynamically learned MAC addresses when configuring Port Security. For the CCNP ENCOR exam, not only knowing this command but also understanding its placement within the overall configuration process and its interaction with copy running-config startup-config is paramount.
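Because sticky addresses land in the running configuration only, "did anyone save?" is the question to ask during an audit. The Python script below is an added example (not from the article or from Cisco) that diffs constructed running-config and startup-config excerpts and reports, per access port, the gaps a reviewer looks for: no port security at all, dynamic learning only, learning slots still open on a sticky port, unsaved sticky addresses, and protect mode hiding violations. The configuration excerpts and MAC addresses are constructed, and the parse_interfaces, port_security_state and audit function names are this example's own; on a real switch you would feed it the output of show running-config and show startup-config.

```python
"""Audit port-security on access ports from saved IOS configuration text.

Added example, not code from the article. It parses constructed running-config
and startup-config excerpts (syntax as shown in the article) and flags access
ports without port-security, ports relying on dynamic learning, sticky ports
with learning slots still open, and sticky addresses never saved to startup.
"""
import re

# Constructed "show running-config" excerpt; MAC addresses are invented.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.56ff.aaaa
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.56ff.cccc
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.56ff.dddd
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""
# Constructed startup-config: identical, except that Gi0/4's address was
# learned after the last "copy running-config startup-config".
STARTUP_CONFIG = RUNNING_CONFIG.replace(
    " switchport port-security mac-address sticky 0050.56ff.cccc\n", "")
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            current, blocks[m.group(1)] = m.group(1), []
        elif current and line.startswith(" "):
            blocks[current].append(line.rstrip())
        else:
            current = None                    # "!" or a global command ends the block
    return blocks

def port_security_state(lines):
    """Port-security settings of one interface (IOS defaults: maximum 1, shutdown)."""
    st = {"access": " switchport mode access" in lines,
          "enabled": " switchport port-security" in lines,
          "sticky": " switchport port-security mac-address sticky" in lines,
          "maximum": 1, "violation": "shutdown", "sticky_macs": set(), "static_macs": set()}
    for l in lines:
        if m := re.match(r"^ switchport port-security maximum (\d+)$", l):
            st["maximum"] = int(m.group(1))
        elif m := re.match(r"^ switchport port-security violation (\S+)$", l):
            st["violation"] = m.group(1)
        elif m := re.match(r"^ switchport port-security mac-address sticky " + MAC + "$", l):
            st["sticky_macs"].add(m.group(1))
        elif m := re.match(r"^ switchport port-security mac-address " + MAC + "$", l):
            st["static_macs"].add(m.group(1))
    return st

def audit(running, startup):
    """Return {interface: settings + findings} for every access port in running-config."""
    saved, report = parse_interfaces(startup), {}
    for name, lines in parse_interfaces(running).items():
        st = port_security_state(lines)
        if not st["access"]:
            continue                          # trunks and uplinks are out of scope here
        findings = []
        if not st["enabled"]:
            findings.append("no port-security on access port")
        else:
            if not st["sticky"] and not st["static_macs"]:
                findings.append("dynamic learning only: secure addresses are lost on reboot")
            if st["sticky"]:
                open_slots = st["maximum"] - len(st["sticky_macs"]) - len(st["static_macs"])
                if open_slots > 0:
                    findings.append(f"{open_slots} learning slot(s) open: next MAC to arrive becomes sticky")
                unsaved = st["sticky_macs"] - port_security_state(saved.get(name, []))["sticky_macs"]
                if unsaved:
                    findings.append(f"sticky addresses not in startup-config: {sorted(unsaved)}")
            if st["violation"] == "protect":
                findings.append("violation mode protect: violations are neither logged nor counted")
        report[name] = {**st, "findings": findings}
    return report

if __name__ == "__main__":
    for name, r in audit(RUNNING_CONFIG, STARTUP_CONFIG).items():
        print(f"{name}: max={r['maximum']} violation={r['violation']} "
              f"sticky={sorted(r['sticky_macs'])} -> {r['findings'] or 'OK'}")
```

The "open slots" finding is the one most often missed in reviews: a sticky port with maximum 2 and one learned address is still in first-come learning mode for the second slot, so the persistence that sticky learning buys only applies once every slot is filled with an address you recognise.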

Cisco CCNP ENCOR (350-401) Exam Relevance:

The Cisco CCNP Enterprise (350-401 ENCOR) exam is the foundational core exam for the CCNP Enterprise certification, covering a broad spectrum of enterprise network technologies. Network security, particularly at Layer 2, is a significant domain within ENCOR. Understanding Port Security, and specifically its configuration with sticky learning, is directly relevant to several exam objectives:

1. Security domain:

  • Layer 2 and infrastructure security features: the Security domain covers protecting the network infrastructure and the access layer. Port Security is the basic Layer 2 access control the exam assumes you can configure, verify and troubleshoot, and sticky learning is the form most often deployed in production.
  • Understanding Violation Modes: The exam will expect you to know the difference between shutdown, restrict, and protect, and their implications. Sticky learning strengthens their enforcement by ensuring learned addresses persist.
  • Mitigation of Layer 2 Attacks: Port Security is a primary defense against unauthorized devices plugging into the access layer and against a legitimate address being reused on a different port. The exam will test your knowledge of how these features mitigate such attacks.

2. Infrastructure domain:

  • While primarily a security feature, port security also affects the overall infrastructure configuration and operational state. Understanding how it impacts device connectivity and how to verify its state is relevant to network operations.

3. Network Assurance domain:

  • Monitoring and Troubleshooting: Knowing how to use show commands (show port-security interface, show port-security address) to verify sticky MAC addresses and troubleshoot port security violations is crucial. A CCNP-level engineer needs to be able to diagnose why a port might be in an err-disabled state or why a device isn't getting connectivity due to port security.

Typical Exam Scenario Questions:

You can expect various question formats in the ENCOR exam related to Port Security with sticky learning:

  • Multiple Choice: Direct questions asking about the command to enable sticky learning or its primary benefit.
  • Drag and Drop: Matching configuration commands to their effects or linking violation modes to their outcomes.
  • Configuration Analysis: ENCOR is a written exam, but you may be shown a configuration or show command output and asked to identify what is missing or misconfigured. Hands-on practice with sticky learning is what makes such output readable at a glance, and it carries over directly to the lab-based exams and to real-world work.
  • Troubleshooting Scenarios: "A user reports intermittent connectivity after a switch reboot. You suspect port security. What steps would you take, and what configuration is most likely missing if the user's MAC address was previously learned dynamically?" (This points directly to the need for sticky learning).

For any aspiring CCNP Enterprise professional, a deep dive into these configuration and verification aspects is critical. Study4Pass provides Cisco CCNP Enterprise (350-401 ENCOR) Exam Materials that are specifically tailored to meet these rigorous demands. Their practice tests offer realistic scenarios and detailed explanations, helping you internalize complex configurations like port security with sticky learning. Remember, a Study4Pass practice test PDF costs just 19.99 USD, offering an accessible and effective way to ensure you're fully prepared for the security challenges posed by the ENCOR exam. Study4Pass is committed to helping you solidify your knowledge and pass the exam.

Conclusion: A Smart Approach to Access Layer Control

The question "Which of the following is required when configuring port security with sticky learning?" highlights a fundamental and highly practical aspect of Layer 2 security in Cisco enterprise networks. The answer, specifically, is the command switchport port-security mac-address sticky. This command is the crucial enabler that transforms temporary, dynamically learned MAC addresses into persistent, "sticky" secure MAC addresses, automatically incorporating them into the switch's running configuration.

The implementation of Port Security with sticky learning offers a compelling balance: it provides the automation and flexibility of dynamic learning, eliminating the tedious manual configuration of static MAC addresses, while simultaneously ensuring the critical persistence required for robust security across switch reboots and interface resets. This hybrid approach significantly enhances the security posture of the access layer, mitigating risks such as unauthorized device access, the reuse of a legitimate MAC address on another port, and certain types of DoS attacks.

For network engineers pursuing the Cisco CCNP Enterprise (350-401 ENCOR) certification, mastering Port Security, including its sticky learning capability and various violation modes, is indispensable. It's not just about memorizing commands; it's about understanding how these features contribute to designing, implementing, and troubleshooting secure, resilient, and manageable enterprise networks. As the digital landscape evolves, securing the access layer remains a primary concern, and technologies like Port Security with sticky learning stand as effective, intelligent approaches to controlling who connects to your network.

Special Discount: Offer Valid For Limited Time "Cisco CCNP Enterprise (350-401 ENCOR) Exam Materials"

Sample Questions from Cisco CCNP Enterprise (350-401 ENCOR) Certification Exam

A network administrator is configuring port security on a Cisco Catalyst switch port GigabitEthernet0/5. The goal is to allow only the first device that connects to the port to communicate, automatically learn its MAC address, and ensure that this MAC address is retained even after the switch reboots. Which command is REQUIRED to ensure the learned MAC address persists across reboots without manual static configuration?

A. switchport port-security aging time 0

B. switchport port-security mac-address sticky

C. switchport port-security dynamic

D. switchport port-security mac-address permanent

Refer to the following partial output from a Cisco switch:

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky 0050.56FF.AAAA

If a device with MAC address 0050.56FF.BBBB attempts to connect to GigabitEthernet0/1, what will be the immediate action taken by the switch?

A. The MAC address 0050.56FF.BBBB will be added as a second secure MAC address.

B. The port GigabitEthernet0/1 will be placed in an err-disabled state.

C. Traffic from 0050.56FF.BBBB will be dropped, but the port will remain up for 0050.56FF.AAAA.

D. The switch will send an SNMP trap and a syslog message but continue forwarding traffic.

Which of the following is a primary advantage of using port security with sticky learning compared to pure dynamic port security?

A. It increases the maximum number of MAC addresses allowed per port.

B. It encrypts the MAC address table for enhanced security.

C. It ensures that dynamically learned MAC addresses persist in the running configuration, even after an interface reset.

D. It allows the port to operate in trunk mode while still enforcing port security.

A network engineer needs to implement port security on an access port. They want the switch to learn the MAC address of the connected device automatically, save it to the running configuration, and prevent any other MAC address from sending traffic on that port. If an unauthorized MAC address attempts to connect, the port should drop its traffic but remain operational for the authorized device. Which set of commands would achieve this objective?

A. switchport port-security; switchport port-security mac-address sticky; switchport port-security violation shutdown

B. switchport port-security; switchport port-security mac-address sticky; switchport port-security violation restrict

C. switchport port-security; switchport port-security maximum 1; switchport port-security violation protect

D. switchport port-security; switchport port-security mac-address static; switchport port-security violation restrict

A technician is troubleshooting a port GigabitEthernet0/2 that is showing a status of "err-disabled." The show interfaces status err-disabled command confirms Reason: psecure-violation. Which port security violation mode is MOST likely configured on GigabitEthernet0/2?

A. protect

B. restrict

C. shutdown

D. no action