Question 1,150 of 1,819
Network Services and SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the management workstation’s static IP-to-MAC binding is missing from the DHCP snooping binding table, causing Dynamic ARP Inspection (DAI) to drop its ARP traffic. DAI validates all ARP packets on a VLAN against the DHCP snooping database, which only contains entries for dynamically leased addresses. Since the workstation uses a static IP, its binding is absent, so DAI treats its ARP replies as invalid and drops them, preventing the switch from learning the workstation’s MAC address and resulting in SSH timeouts. This scenario tests your understanding of how DAI and DHCP snooping interact on the CCNA 200-301 v2 exam, often appearing as a tricky integration question where a static host on a secured VLAN loses connectivity. A common trap is assuming port security or ACLs are the culprit, but the real issue is DAI’s reliance on the snooping table. Memory tip: “Static IPs need a static entry—DAI won’t learn what DHCP didn’t lease.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.

The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database. DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The SSH ACL is misconfigured and denies port 22 from the management subnet.

    Why it's wrong here

    The ACL was explicitly set to permit 10.1.10.0/24, and no indication of misconfiguration is given. It would block SSH for the entire subnet, not just one host, but other management hosts would also be affected.

  • The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.

    Why this is correct

    DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.

    Why it's wrong here

    The administrator’s workstation typically uses a single MAC address, and even with a second device like a VoIP phone, the maximum is set to 2. No violation would occur unless more than two MACs are seen, which is unlikely from a single admin PC.

  • RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.

    Why it's wrong here

    A missing RADIUS secret would cause authentication to fail for all SSH attempts, not just from one workstation. The symptom shows only one specific host failing, while others might succeed, indicating network-level blockage rather than global AAA misconfiguration.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.Correct answer

Why this is correct

DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

The SSH ACL is misconfigured and denies port 22 from the management subnet.Wrong answer — click to see why

Why this is wrong here

Misunderstanding ACL processing—assumes a simple subnet permit ACL would block port 22 by default, but the ACL entry permits all traffic from the subnet, not just specific ports.

Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.Wrong answer — click to see why

Why this is wrong here

Assumes port security is the first cause of connectivity failure when MAC limits are configured, but the symptom does not indicate a port security violation; the port would need to go into err-disabled, which is not mentioned.

RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.Wrong answer — click to see why

Why this is wrong here

AAA failures manifest as authentication errors or prompts that time out after attempting RADIUS, but they typically affect all attempts, not a single source, unless combined with ACLs that permit other hosts but block this one.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the interaction between security features like DAI and static IP hosts, where candidates overlook that DAI requires explicit static bindings for non-DHCP clients, leading to connectivity failures that appear as timeouts rather than explicit denials.

Trap categories for this question

  • Command / output trap

    A missing RADIUS secret would cause authentication to fail for all SSH attempts, not just from one workstation. The symptom shows only one specific host failing, while others might succeed, indicating network-level blockage rather than global AAA misconfiguration.

Detailed technical explanation

How to think about this question

DAI (Dynamic ARP Inspection) intercepts all ARP packets on untrusted ports and verifies that the sender IP and MAC match an entry in the DHCP snooping binding table. For static hosts, an administrator must manually add a static DHCP snooping binding using 'ip dhcp snooping binding <mac> vlan <vlan> <ip> interface <int>'. Without this, DAI drops the ARP reply from the management workstation, preventing the switch from resolving its IP to MAC, which is required for Layer 2 forwarding of SSH packets. The SSH timeout occurs because the TCP SYN from the workstation reaches the switch, but the switch cannot send back a SYN-ACK without the workstation's MAC address in its ARP cache.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic. — The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database. DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

What should I do if I get this 200-301 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 200-301 practice questions

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.