The correct answer is the combination of `switchport port-security maximum 1` and `switchport port-security violation shutdown`. These two settings work together because the maximum command limits the port to learning a single MAC address, while the violation shutdown command forces the port into an error-disabled state if any additional device attempts to communicate, perfectly matching the requirement to block a second unauthorized device. On the CCNA 200-301 v2 exam, this scenario tests your understanding of how port security enforces both the count of allowed MAC addresses and the action upon a violation, often appearing in configuration or troubleshooting questions where the default violation mode is protect or restrict—a common trap is forgetting that shutdown is the only mode that physically disables the port. A solid memory tip is to think of the phrase “Max One, Shut the Gun,” linking the limit of one MAC to the shutdown action that stops the threat immediately.
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Desired behavior:
- one known endpoint per port
- violation causes interface shutdown
A switch should learn one MAC address on an access port and shut the port down if a second unauthorized device appears. Which two port-security settings support that requirement?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
switchport port-security maximum 1
Port security enforces how many MAC addresses may be learned on a port and what happens when a violation occurs. 'switchport port-security maximum 1' limits the port to one MAC address, and 'switchport port-security violation shutdown' disables the port if a violation occurs, matching the requirement. 'switchport protected' isolates ports within a switch but does not limit MAC addresses or cause a shutdown. 'switchport nonegotiate' disables DTP negotiation, which is unrelated to port security.
Key principle: Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
switchport port-security maximum 1
Why this is correct
This limits the number of learned secure MAC addresses to one.
Related concept
Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
✓
switchport port-security violation shutdown
Why this is correct
This forces the interface into the shutdown/err-disabled state on violation.
Related concept
Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
✗
switchport protected
Why it's wrong here
Protected ports affect forwarding behavior, not MAC learning limits.
✗
switchport nonegotiate
Why it's wrong here
This disables DTP negotiation and is unrelated to port-security violations.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Be careful not to confuse the different port security violation modes. Only the shutdown mode will disable the port.
Detailed technical explanation
How to think about this question
Port security is a Cisco switch feature that restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. It enhances network security by preventing unauthorized devices from connecting to the network through that port. When enabled, the switch learns MAC addresses dynamically or can be configured with static addresses, and it enforces limits on how many addresses can be learned or allowed.
The command 'switchport port-security maximum 1' configures the port to learn and allow only one MAC address, which is ideal for access ports connected to a single device. The 'switchport port-security violation shutdown' command specifies that if a violation occurs—such as a second unauthorized MAC address appearing—the port will be put into an error-disabled state, effectively shutting it down to prevent unauthorized access. This combination ensures strict control over device connections on access ports.
A common exam trap is confusing port-security violation modes. Besides 'shutdown', other violation modes like 'restrict' or 'protect' exist, which do not disable the port but only limit traffic or log violations. Candidates might incorrectly select these modes, thinking they enforce strict security. Understanding that 'shutdown' is the only mode that disables the port on violation is critical for correctly answering questions about strict port-security enforcement in CCNA exams.
KKey Concepts to Remember
Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
The 'switchport port-security maximum 1' command restricts the port to learn and allow only one MAC address, suitable for access ports with a single device.
The 'switchport port-security violation shutdown' command causes the port to enter an error-disabled state when a security violation occurs, effectively shutting down the port.
When a second unauthorized MAC address is detected on a port with port security enabled, the configured violation action determines how the switch responds to the breach.
Port-security violation modes include 'shutdown', 'restrict', and 'protect', but only 'shutdown' disables the port, which is essential for strict security enforcement.
Access ports are typically configured with port security to prevent unauthorized devices from connecting and potentially compromising the network.
Switches learn MAC addresses dynamically on ports unless static secure MAC addresses are configured, and port security enforces limits on these learned addresses.
The error-disabled state caused by a port-security violation requires manual intervention or configured recovery to re-enable the port.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security., then practise related 200-301 questions on the same topic to reinforce the concept.
Switching and Network Access — This question tests Switching and Network Access — Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security..
What is the correct answer to this question?
The correct answer is: switchport port-security maximum 1 — Port security enforces how many MAC addresses may be learned on a port and what happens when a violation occurs. 'switchport port-security maximum 1' limits the port to one MAC address, and 'switchport port-security violation shutdown' disables the port if a violation occurs, matching the requirement. 'switchport protected' isolates ports within a switch but does not limit MAC addresses or cause a shutdown. 'switchport nonegotiate' disables DTP negotiation, which is unrelated to port security.
What should I do if I get this 200-301 question wrong?
Review port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security., then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Port security on Cisco switches limits the number of MAC addresses learned on a port to control device access and enhance network security.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.