Question 1,893 of 1,819
Switching and Network AccessmediumMultiple SelectObjective-mapped

Quick Answer

The correct answer is the combination of `switchport port-security maximum 1` and `switchport port-security violation shutdown`. These two settings work together because the maximum command limits the port to learning a single MAC address, while the violation shutdown command forces the port into an error-disabled state if any additional device attempts to communicate, perfectly matching the requirement to block a second unauthorized device. On the CCNA 200-301 v2 exam, this scenario tests your understanding of how port security enforces both the count of allowed MAC addresses and the action upon a violation, often appearing in configuration or troubleshooting questions where the default violation mode is protect or restrict—a common trap is forgetting that shutdown is the only mode that physically disables the port. A solid memory tip is to think of the phrase “Max One, Shut the Gun,” linking the limit of one MAC to the shutdown action that stops the threat immediately.

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Desired behavior:
- one known endpoint per port
- violation causes interface shutdown

A switch should learn one MAC address on an access port and shut the port down if a second unauthorized device appears. Which two port-security settings support that requirement?

Question 1mediummulti select
Full question →

Exhibit

Desired behavior:
- one known endpoint per port
- violation causes interface shutdown

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

switchport port-security maximum 1

Port security enforces how many MAC addresses may be learned on a port and what happens when a violation occurs. 'switchport port-security maximum 1' limits the port to one MAC address, and 'switchport port-security violation shutdown' disables the port if a violation occurs, matching the requirement. 'switchport protected' isolates ports within a switch but does not limit MAC addresses or cause a shutdown. 'switchport nonegotiate' disables DTP negotiation, which is unrelated to port security.

Key principle: Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • switchport port-security maximum 1

    Why this is correct

    This limits the number of learned secure MAC addresses to one.

    Related concept

    Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.

  • switchport port-security violation shutdown

    Why this is correct

    This forces the interface into the shutdown/err-disabled state on violation.

    Related concept

    Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.

  • switchport protected

    Why it's wrong here

    Protected ports affect forwarding behavior, not MAC learning limits.

  • switchport nonegotiate

    Why it's wrong here

    This disables DTP negotiation and is unrelated to port-security violations.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Be careful not to confuse the different port security violation modes. Only the shutdown mode will disable the port.

Detailed technical explanation

How to think about this question

Port security is a Cisco switch feature that restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. It enhances network security by preventing unauthorized devices from connecting to the network through that port. When enabled, the switch learns MAC addresses dynamically or can be configured with static addresses, and it enforces limits on how many addresses can be learned or allowed. The command 'switchport port-security maximum 1' configures the port to learn and allow only one MAC address, which is ideal for access ports connected to a single device. The 'switchport port-security violation shutdown' command specifies that if a violation occurs—such as a second unauthorized MAC address appearing—the port will be put into an error-disabled state, effectively shutting it down to prevent unauthorized access. This combination ensures strict control over device connections on access ports. A common exam trap is confusing port-security violation modes. Besides 'shutdown', other violation modes like 'restrict' or 'protect' exist, which do not disable the port but only limit traffic or log violations. Candidates might incorrectly select these modes, thinking they enforce strict security. Understanding that 'shutdown' is the only mode that disables the port on violation is critical for correctly answering questions about strict port-security enforcement in CCNA exams.

KKey Concepts to Remember

  • Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
  • The 'switchport port-security maximum 1' command restricts the port to learn and allow only one MAC address, suitable for access ports with a single device.
  • The 'switchport port-security violation shutdown' command causes the port to enter an error-disabled state when a security violation occurs, effectively shutting down the port.
  • When a second unauthorized MAC address is detected on a port with port security enabled, the configured violation action determines how the switch responds to the breach.
  • Port-security violation modes include 'shutdown', 'restrict', and 'protect', but only 'shutdown' disables the port, which is essential for strict security enforcement.
  • Access ports are typically configured with port security to prevent unauthorized devices from connecting and potentially compromising the network.
  • Switches learn MAC addresses dynamically on ports unless static secure MAC addresses are configured, and port security enforces limits on these learned addresses.
  • The error-disabled state caused by a port-security violation requires manual intervention or configured recovery to re-enable the port.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security., then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security..

What is the correct answer to this question?

The correct answer is: switchport port-security maximum 1 — Port security enforces how many MAC addresses may be learned on a port and what happens when a violation occurs. 'switchport port-security maximum 1' limits the port to one MAC address, and 'switchport port-security violation shutdown' disables the port if a violation occurs, matching the requirement. 'switchport protected' isolates ports within a switch but does not limit MAC addresses or cause a shutdown. 'switchport nonegotiate' disables DTP negotiation, which is unrelated to port security.

What should I do if I get this 200-301 question wrong?

Review port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security., then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 200-301 practice questions

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.