A company wants unauthorized devices plugged into unused wall ports to have as little chance of gaining access as possible. Which action most directly supports that goal?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Administratively disable unused switch ports.
This is correct because unused active ports are unnecessary exposure points.
Distractor review
Convert every unused port into a trunk.
This is wrong because trunking unused ports increases exposure and complexity.
Distractor review
Enable Telnet on unused ports for monitoring.
This is wrong because Telnet is insecure and unrelated to this hardening goal.
Distractor review
Remove all VLAN assignments from active user ports.
This is wrong because the question is about unused-port exposure, not breaking active production access.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is assuming that assigning unused ports to an unused VLAN or enabling monitoring protocols like Telnet on those ports provides sufficient security. Candidates may mistakenly believe that VLAN segmentation alone prevents unauthorized access, but VLAN hopping attacks or misconfigurations can bypass this. Similarly, enabling Telnet on unused ports is irrelevant and insecure, as Telnet is a plaintext protocol and does not restrict physical access. The trap is to overlook the fundamental step of administratively disabling unused ports, which completely cuts off any unauthorized device from network access at Layer 2.
Technical deep dive
How to think about this question
Unused switch ports represent a significant security risk because they provide potential entry points for unauthorized devices. In Cisco networking, each switch port can be administratively enabled or disabled. When a port is administratively disabled (shutdown), it stops forwarding any traffic and does not participate in VLAN or spanning-tree operations. This effectively removes the port from the network, preventing any device connected to it from gaining access or causing network disruptions.

The best practice to secure unused ports is to administratively disable them. This action is a proactive security measure that reduces the attack surface by eliminating unnecessary active ports. Unlike relying on monitoring or VLAN segmentation alone, disabling ports ensures that no traffic can pass through, which is a fundamental step in port security. Cisco switches allow network administrators to quickly disable ports via the CLI using the "shutdown" command under the interface configuration mode.

A common exam trap is confusing port security features like port-based authentication or VLAN assignments with the fundamental step of disabling unused ports. While features like 802.1X or VLAN segmentation add layers of security, they do not replace the need to shut down unused ports. Practically, leaving unused ports enabled—even if assigned to an unused VLAN—still risks unauthorized access if VLAN hopping or misconfigurations occur. Disabling ports is the simplest and most effective baseline security control in Cisco environments.
Key Concepts to Remember
- Administratively disabling unused switch ports prevents any Layer 2 traffic from passing through, effectively removing the port from the network.
- Unused active switch ports create unnecessary exposure points that attackers can exploit to gain unauthorized network access.
- Assigning unused ports to unused VLANs does not guarantee security because VLAN hopping or misconfigurations can allow access.
- Enabling insecure protocols like Telnet on unused ports increases security risks and does not prevent unauthorized physical connections.
- Cisco switches use the "shutdown" command in interface configuration mode to administratively disable ports.
- Disabling unused ports reduces the attack surface by eliminating potential entry points rather than relying on monitoring or detection.
- Port security features complement but do not replace the fundamental security measure of disabling unused ports.
- Effective network hardening starts with eliminating unnecessary active ports to prevent casual or opportunistic unauthorized access.
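To turn the deep dive and the key concepts above into a repeatable check, here is an added example (not from the original page or from Cisco): a small Python audit that parses a constructed "show interfaces status" listing, picks out ports that are up but have nothing connected, and generates the interface-mode "shutdown" commands the text describes. The sample output, the description string and the port names are all made up for illustration.

```python
import re

# Constructed sample of "show interfaces status" output (not captured from a real switch).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Uplink to Core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   Reception PC       connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1          auto    auto   10/100/1000BaseTX
Gi1/0/4                      disabled     1          auto    auto   10/100/1000BaseTX
Gi1/0/5                      notconnect   1          auto    auto   10/100/1000BaseTX
Gi1/0/6   Printer            err-disabled 10         auto    auto   10/100/1000BaseTX
"""

# The Name column may be blank or contain spaces, so anchor on the status keyword instead
# of on column positions.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def parse_status(output):
    """Return one dict per interface row; the header line does not match and is skipped."""
    return [m.groupdict() for m in map(STATUS_RE.match, output.splitlines()) if m]


def find_unused_ports(rows):
    """Ports that are enabled but have nothing plugged in: live Layer 2 exposure.

    'disabled' ports are already administratively shut. 'err-disabled' ports are
    already blocked and need investigation rather than a blind shutdown.
    Cross-check 'notconnect' ports against inventory before shutting them: a
    powered-off user device looks the same as an empty wall port.
    """
    return [r["port"] for r in rows if r["status"] == "notconnect"]


def hardening_config(ports):
    """Emit the IOS interface-mode commands that administratively disable each port."""
    lines = []
    for port in ports:
        lines += [f"interface {port}",
                  " description UNUSED - administratively disabled",
                  " shutdown"]
    return lines


if __name__ == "__main__":
    unused = find_unused_ports(parse_status(SAMPLE_STATUS))
    print("\n".join(hardening_config(unused)))
```

Parking the same ports in an unused access VLAN is a reasonable complement, but as the text notes it does not replace the shutdown.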
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output:
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0
Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound:
10 deny tcp any any eq 80
20 permit ip any any
A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Administratively disabling unused switch ports prevents any Layer 2 traffic from passing through, effectively removing the port from the network.
What is the correct answer to this question?
The correct answer is: Administratively disable unused switch ports. — Administratively shutting down unused switch ports most directly supports that goal. In practical terms, if the business has no reason to keep a port active, leaving it enabled creates an unnecessary access point. Disabling it reduces attack surface and makes casual or opportunistic unauthorized connection attempts much harder. This is a simple hardening measure, but it is one of the most effective because it removes exposure entirely instead of trying to monitor a risk that does not need to exist.
What should I do if I get this 200-301 question wrong?
Try more questions from the same exam bank and focus on understanding why the wrong options are tempting.