The answer is that the port security maximum is too low for the connected devices. When an IP phone and a workstation share the same access port via a wall jack, the switch legitimately learns two MAC addresses—one for the phone and one for the PC. If the port security maximum is set to 1, the second MAC address triggers a security violation, causing the switch to err-disable the interface. This scenario is a classic CCNA 200-301 v2 trap: it tests your understanding that a single access port can host multiple devices, especially with Cisco IP phones that pass through PC traffic. Many candidates mistakenly blame a duplex mismatch or a loop, but the core issue is the violation threshold. Remember the mnemonic “Two MACs, one max, port goes lax” to recall that a maximum of 1 cannot accommodate both devices, leading to the err-disabled state.
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
show port-security interface gi1/0/10
Port Status : secure-shutdown
Violation Mode : shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 2
Exhibit: An access switch shows Gi1/0/10 as err-disabled shortly after an IP phone and a workstation are connected through the same wall jack. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The port security maximum is too low for the connected devices
With a phone and a PC on the same access port, the switch may legitimately see two MAC addresses. Port security set to a maximum of 1 causes a violation and can place the interface into err-disabled state.
Key principle: Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The port security maximum is too low for the connected devices
Why this is correct
A phone plus a PC commonly requires more than one secure MAC address.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
✗
BPDU Guard blocked the port because a workstation was attached
Why it's wrong here
A workstation does not send BPDUs in a normal case.
When this WOULD be correct
If the question specified that a switch port was err-disabled due to receiving BPDUs from a connected device, and the context involved a misconfigured spanning tree, then option C would be correct. For example, if a switch was connected to another switch instead of an endpoint device, BPDU Guard could trigger.
✗
DHCP snooping denied the voice VLAN
Why it's wrong here
That would not match the err-disabled symptom shown.
When this WOULD be correct
If the question described a scenario where a switch port was configured with DHCP snooping and the voice VLAN was not properly trusted, leading to the IP phone being unable to obtain an IP address, this option would be correct. In that case, the port could go err-disabled due to DHCP snooping violations.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ The port security maximum is too low for the connected devices (correct answer)
Why this is correct
A phone plus a PC commonly requires more than one secure MAC address.
✗ The native VLAN is missing (wrong answer)
Why this is wrong here
The native VLAN being missing would not directly cause a port to go err-disabled when connecting an IP phone and workstation; it typically results in VLAN mismatches or communication issues rather than disabling the port.
★ When this WOULD be the correct answer
In a scenario where a switch is configured to require a native VLAN for trunking and a device attempts to connect without it, a question could ask about the impact of a missing native VLAN on trunk ports, making this option correct.
Why candidates choose this
Candidates may confuse the concept of native VLANs with port security issues, leading them to believe that a missing native VLAN could cause err-disabled states due to VLAN-related misconfigurations.
✗ BPDU Guard blocked the port because a workstation was attached (wrong answer)
Why this is wrong here
BPDU Guard is designed to protect against loops by disabling ports that receive Bridge Protocol Data Units (BPDUs). In this scenario, the port is err-disabled due to port security violations, not because of BPDU Guard activation.
★ When this WOULD be the correct answer
If the question specified that a switch port was err-disabled due to receiving BPDUs from a connected device, and the context involved a misconfigured spanning tree, then option C would be correct. For example, if a switch was connected to another switch instead of an endpoint device, BPDU Guard could trigger.
Why candidates choose this
Candidates may confuse the err-disabled state with security features like BPDU Guard, especially if they have encountered similar scenarios where misconfigurations lead to port shutdowns, leading them to select this option without fully analyzing the context.
✗ DHCP snooping denied the voice VLAN (wrong answer)
Why this is wrong here
DHCP snooping denying the voice VLAN would typically result in the IP phone failing to receive an IP address, rather than causing the port to go err-disabled. The err-disabled state is more likely due to port security violations when multiple devices are connected.
★ When this WOULD be the correct answer
If the question described a scenario where a switch port was configured with DHCP snooping and the voice VLAN was not properly trusted, leading to the IP phone being unable to obtain an IP address, this option would be correct. In that case, the port could go err-disabled due to DHCP snooping violations.
Why candidates choose this
Candidates may be tempted by this option because they recognize that DHCP snooping can impact device connectivity, and they may confuse the symptoms of connectivity issues with the err-disabled state caused by port security violations.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Be cautious of assuming all err-disabled states are due to STP or VLAN issues; port security is a frequent cause.
Trap categories for this question
Command / output trap
That would not match the err-disabled symptom shown.
Detailed technical explanation
How to think about this question
Port security is a fundamental Cisco switch feature designed to enhance network security by limiting the number of MAC addresses that can be learned on a single switch port. This is especially important in access layer switches where end devices connect. When an IP phone and a workstation connect through the same physical port, the switch sees two MAC addresses: one from the phone and one from the PC. This is a common deployment scenario because IP phones often have an integrated switch to connect a PC through the phone.
The port security configuration must accommodate multiple MAC addresses on such a port. If the port security maximum is set to one, the switch detects a violation when it learns the second MAC address. This violation triggers the port to enter an err-disabled state, effectively shutting down the port to prevent potential security risks. The err-disabled state requires manual intervention or automatic recovery mechanisms to re-enable the port.
A common exam trap is to confuse err-disable causes with other features like BPDU Guard or DHCP snooping. BPDU Guard disables ports that receive unexpected BPDUs, but workstations do not send BPDUs, so this is unlikely. DHCP snooping protects IP address assignment but does not cause err-disable due to multiple MAC addresses. Understanding the interaction between port security and multi-device connections on a single port is critical for correct troubleshooting and exam success.
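The check described above, written as a small triage script. This is an added example, not part of the original question: it parses `show port-security interface` output and decides whether the configured maximum is the cause of the shutdown. The `HEALTHY` sample, the verdict names and the `expected_devices` parameter are assumptions made for illustration.

```python
import re

# Exhibit from the question, reproduced as sample input.
EXHIBIT = """\
show port-security interface gi1/0/10
Port Status : secure-shutdown
Violation Mode : shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 2
"""

# Constructed sample (not from the page): same port after the maximum is raised.
HEALTHY = """\
Port Status : secure-up
Violation Mode : shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 2
"""

def parse_port_security(text):
    """Parse 'Key : value' lines into a dict (lowercase keys, ints where numeric)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # command echo or blank line: no 'Key : value' pair
        key, value = m.group(1).lower(), m.group(2)
        fields[key] = int(value) if value.isdigit() else value.lower()
    return fields

def diagnose(text, expected_devices):
    """Return a verdict string for one interface's port-security output."""
    f = parse_port_security(text)
    if "port status" not in f or "maximum mac addresses" not in f:
        return "incomplete"
    maximum = f["maximum mac addresses"]
    # Devices the port must hold: the planned count or what the switch already saw.
    needed = max(expected_devices, f.get("total mac addresses", 0))
    if f["port status"] == "secure-shutdown":
        # Err-disabled by port security; decide whether the limit itself is the cause.
        return "maximum-too-low" if maximum < needed else "unexpected-mac"
    # Port is up: flag a limit that will trip once every expected device connects.
    return "at-risk" if maximum < expected_devices else "ok"

if __name__ == "__main__":
    print(diagnose(EXHIBIT, expected_devices=2))
    print(diagnose(HEALTHY, expected_devices=2))
```

For a phone-plus-PC port, pass `expected_devices=2`; the `at-risk` verdict catches a port that is still up but will err-disable once the second device connects.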
Key Concepts to Remember
Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
When an IP phone and a workstation share the same access port, the switch sees two distinct MAC addresses, one from each device.
If port security is configured with a maximum of one MAC address, the presence of two MAC addresses triggers a security violation.
A port security violation typically causes the switch to place the interface into an err-disabled state to protect the network.
The native VLAN mismatch does not cause err-disable due to port security but can cause other connectivity issues.
BPDU Guard disables ports that receive Bridge Protocol Data Units (BPDUs) unexpectedly, but workstations normally do not send BPDUs.
DHCP snooping protects against rogue DHCP servers but does not directly cause err-disable states related to multiple MAC addresses on a port.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting), then practise related 200-301 questions on the same topic to reinforce the concept.
Switching and Network Access: this question tests Switching and Network Access. Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
What is the correct answer to this question?
The correct answer is: The port security maximum is too low for the connected devices — With a phone and a PC on the same access port, the switch may legitimately see two MAC addresses. Port security set to a maximum of 1 causes a violation and can place the interface into err-disabled state.
What should I do if I get this 200-301 question wrong?
Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Port security on Cisco switches limits the number of MAC addresses learned on a single access port to prevent unauthorized devices from connecting.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.