A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Port security
This is correct because port security can enforce a maximum number of MAC addresses on the switchport.
Distractor review
EtherChannel
This is wrong because EtherChannel bundles links and is unrelated to limiting MAC learning on one user port.
Distractor review
OSPF passive-interface
This is wrong because OSPF passive-interface is a routing concept, not a switchport access-control feature.
Distractor review
Native VLAN
This is wrong because native VLAN is a trunking concept and does not limit MAC address learning.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting EtherChannel or native VLAN as the solution to limiting MAC addresses on a switchport. EtherChannel bundles multiple physical links into one logical link and does not control MAC address learning per port. Native VLAN is a trunking concept that defines untagged VLAN traffic on trunk ports but does not restrict MAC addresses. Another trap is choosing OSPF passive-interface, which is a routing protocol feature unrelated to Layer 2 port security. Candidates must recognize that only port security directly limits the number of MAC addresses learned on a switchport, making it the correct choice.
Technical deep dive
How to think about this question
Port security is a Cisco Catalyst switch feature that restricts the number of MAC addresses learned on a single switchport. It is primarily used on access ports connected to end devices like workstations, printers, or IP phones to enhance security by preventing unauthorized devices from connecting. When enabled, port security can limit the maximum number of MAC addresses learned dynamically or allow static MAC addresses to be configured. If the limit is exceeded, the switch can take predefined actions such as shutting down the port, dropping packets from unknown MAC addresses, or generating alerts.
The decision to use port security involves configuring the maximum allowed MAC addresses on a port, typically set to one for user workstations to prevent multiple devices from sharing the same port. This feature complements VLAN assignment by controlling not only traffic segregation but also device access at Layer 2. Port security enforces a strict policy that helps mitigate risks like MAC flooding attacks or unauthorized device connections, which VLANs alone cannot prevent. The switch monitors MAC addresses learned on the port and enforces the configured limits accordingly.
A common exam trap is confusing port security with other Layer 2 or routing features such as EtherChannel, native VLAN, or OSPF passive-interface. EtherChannel aggregates links and does not limit MAC addresses. Native VLAN relates to trunk ports and does not restrict MAC learning. OSPF passive-interface is a routing protocol setting unrelated to switchport security. Understanding that port security specifically controls MAC address learning on access ports is critical for correctly answering questions about limiting MAC addresses on a switchport.
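The scenario's port, written out as an IOS configuration with its verification commands. This is an added example, not part of the original question page; the interface name GigabitEthernet0/1 and the description are assumptions, while VLAN 30 and the limit of one MAC address come from the question.

```cisco
! Constructed example: interface name and description are assumptions.
interface GigabitEthernet0/1
 description User workstation
 ! Port security is rejected on a dynamic port, so force access mode first.
 switchport mode access
 switchport access vlan 30
 ! Enable the feature; the lines below only take effect once this is set.
 switchport port-security
 ! One MAC address allowed (also the default, stated here for clarity).
 switchport port-security maximum 1
 ! Violation modes:
 !   shutdown - err-disable the port (default)
 !   restrict - drop offending frames, count the violation, log it
 !   protect  - drop offending frames silently
 switchport port-security violation shutdown
end
!
! Verification: port status, violation count, last source MAC seen
show port-security interface GigabitEthernet0/1
! Secure MAC addresses currently learned or configured
show port-security address
```

With the shutdown mode, a port that trips the limit stays err-disabled until an administrator re-enables it, so the violation count in the first show command is the place to confirm what happened.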
Key Concepts to Remember
- Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.
- VLAN assignment controls traffic segregation but does not restrict how many devices or MAC addresses can appear on a switchport.
- When the maximum MAC address limit is exceeded, port security can shut down the port, drop packets, or generate alerts based on the configured violation mode.
- EtherChannel bundles multiple physical links into one logical link and does not limit MAC address learning on individual switchports.
- Native VLAN applies only to trunk ports and defines untagged traffic VLAN but does not restrict MAC address learning on access ports.
- OSPF passive-interface is a routing protocol feature that prevents OSPF updates on an interface and is unrelated to Layer 2 MAC address control.
- Port security is commonly used on access-layer switchports connected to user devices to enhance network security by limiting MAC addresses.
- Limiting MAC addresses with port security helps prevent MAC flooding attacks and unauthorized devices from gaining network access.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.
What is the correct answer to this question?
The correct answer is: Port security — The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not. This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.