The answer is that frames from the unknown MAC are dropped and the violation counter is incremented. In port security restrict mode, when a violation occurs—such as a third device connecting through a hub to a port configured with a maximum of two MAC addresses—the switch immediately discards any frames sourced from the unauthorized MAC while keeping the port fully operational. This behavior contrasts with shutdown mode, which disables the port entirely, making restrict mode a less disruptive option for monitoring unauthorized access without breaking connectivity. On the CCNA 200-301 v2 exam, this question tests your understanding of the three port security violation modes—protect, restrict, and shutdown—and a common trap is confusing restrict with protect, which silently drops frames without incrementing the counter. Remember the memory tip: “Restrict reports, protect is quiet, shutdown shuts the port.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
SW1# show port-security interface gi1/0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 2
Current MAC Addresses : 2
Port security is enabled with a maximum of 2 MAC addresses, but a third device connected through a small hub causes a violation. Which result is expected in restrict mode?
A
The port goes immediately to err-disabled state
Why wrong: That behavior is associated with shutdown mode.
B
Frames from the unknown MAC are dropped and the violation is counted
That is the purpose of restrict mode.
C
The switch learns the third MAC after 30 seconds automatically
Why wrong: That would defeat the configured maximum.
D
STP blocks the port until the MAC table ages out
Why wrong: STP is not what enforces port security.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Frames from the unknown MAC are dropped and the violation is counted
In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.
Key principle: Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ Frames from the unknown MAC are dropped and the violation is counted (correct answer)
Why this is correct
That is the purpose of restrict mode.
✗ The port goes immediately to err-disabled state (wrong answer)
Why this is wrong here
In restrict mode, the port does not go to err-disabled state; that behavior is specific to shutdown mode. Shutdown mode disables the port upon a violation, whereas restrict mode only drops traffic from unknown MACs and increments the violation counter.
★ When this WOULD be the correct answer
This option would be correct in a scenario where the port security is configured to place the port in err-disabled state upon a violation, such as when the violation mode is set to shutdown instead of restrict. In that case, the immediate response to a third MAC address would indeed be to disable the port.
Why candidates choose this
Students often confuse restrict mode with shutdown mode because both are violation actions for port security. The term 'restrict' might be misinterpreted as a more severe action, leading to the assumption that the port is disabled.
✗ The switch learns the third MAC after 30 seconds automatically (wrong answer)
Why this is wrong here
Port security does not automatically learn additional MAC addresses after a delay; it strictly enforces the configured maximum number of MAC addresses. If the maximum is set to 2, any new MAC address beyond that triggers a violation action (restrict, shutdown, or protect) immediately, not after 30 seconds.
★ When this WOULD be the correct answer
In a different exam scenario where the port security is set to 'sticky' learning mode, a question could state that the switch is configured to learn new MAC addresses automatically. In this case, if a third device connects, the switch would learn the MAC after the aging time expires.
Why candidates choose this
Some students might think there is a learning period or aging mechanism that allows temporary learning of extra MACs, confusing port security with MAC address table aging or dynamic learning. However, port security violations are immediate and not delayed.
✗ STP blocks the port until the MAC table ages out (wrong answer)
Why this is wrong here
STP (Spanning Tree Protocol) is used to prevent loops in redundant topologies and does not enforce port security. Port security violations are handled by the port security feature itself, independent of STP. STP blocking a port would be unrelated to MAC address limits.
★ When this WOULD be the correct answer
If the question specified that the port was operating in a mode where security violations lead to the port being disabled, such as protect or shutdown mode, then this option could be correct. For example, if the question stated that the port was configured to err-disable on a violation, then this answer would apply.
Why candidates choose this
Students might associate STP with blocking ports and think that a violation could trigger STP to block the port. However, STP and port security are separate features; port security violations do not involve STP.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Be careful not to confuse restrict mode with shutdown mode, which disables the port entirely.
Detailed technical explanation
How to think about this question
Port security is a Layer 2 security feature on Cisco switches that restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. This feature is essential in preventing unauthorized devices from connecting to the network through physical access points. When enabled, the switch learns MAC addresses up to a configured maximum and enforces policies when violations occur, such as when an unknown MAC address attempts to send frames through the port.
The behavior of port security upon a violation depends on the configured violation mode. In restrict mode, the switch drops frames from any MAC address that exceeds the maximum allowed and increments a violation counter, but the port remains active and forwarding. This mode allows network administrators to monitor violations without disrupting network connectivity. In contrast, shutdown mode immediately disables the port by placing it into an err-disabled state, requiring manual recovery. The protect mode silently drops violating frames without incrementing counters or disabling the port.
A common exam trap is confusing restrict mode with shutdown mode. Restrict mode does not disable the port but only drops unauthorized frames and counts violations, which is less disruptive in environments where uptime is critical. Additionally, when multiple devices connect through a hub to a single port, each device's MAC address counts toward the port security maximum, potentially causing violations if the limit is exceeded. Understanding these behaviors helps in designing secure and resilient network access policies aligned with Cisco CCNA security fundamentals.
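To make the difference between the three violation modes concrete, here is an added Python model of the page's scenario (maximum of 2, three hosts behind a hub on gi1/0/5). It is not code from the original page or from Cisco; the MAC addresses and frame order are constructed sample data, and the model approximates IOS behaviour without the syslog/SNMP notifications restrict mode also generates.

```python
# Added example, not from the original page: a minimal model of Cisco port-security
# violation handling. MAC addresses and frame order are constructed sample data.
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"

@dataclass
class SecurePort:
    violation_mode: str
    maximum: int = 2                                 # "Maximum MAC Addresses : 2"
    secure_macs: list = field(default_factory=list)  # dynamically learned MACs
    violation_count: int = 0
    err_disabled: bool = False
    forwarded: list = field(default_factory=list)    # source MACs that got through

    def ingress(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if the switch forwards it."""
        if self.err_disabled:
            return False                      # port already err-disabled
        if src_mac in self.secure_macs:
            self.forwarded.append(src_mac)
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # learn until the maximum is reached
            self.forwarded.append(src_mac)
            return True
        # Violation: unknown source MAC while the secure table is full.
        if self.violation_mode == PROTECT:
            return False                      # silent drop: no counter, no log
        if self.violation_mode == RESTRICT:
            self.violation_count += 1         # drop and count; port stays Secure-up
            return False
        self.violation_count += 1             # shutdown: count once, then err-disable
        self.err_disabled = True
        return False

    def status(self) -> str:
        return "Secure-shutdown" if self.err_disabled else "Secure-up"

def run_hub_scenario(mode: str) -> SecurePort:
    """Hosts A, B and C share a hub on gi1/0/5; C is the third MAC."""
    port = SecurePort(violation_mode=mode)
    for mac in ("0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc",
                "0000.1111.aaaa", "0000.1111.cccc"):
        port.ingress(mac)
    return port

for mode in (PROTECT, RESTRICT, SHUTDOWN):
    p = run_hub_scenario(mode)
    print(f"{mode:9} {p.status():16} violations={p.violation_count} forwarded={len(p.forwarded)}")
```

Running it shows restrict keeping the port Secure-up with a non-zero violation count, protect staying at zero, and shutdown err-disabling the port on the first frame from host C.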
Key Concepts to Remember
Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
In restrict mode, port security drops frames from unknown MAC addresses exceeding the maximum limit and increments the violation counter without disabling the port.
Shutdown mode causes the port to enter an err-disabled state immediately upon a security violation, requiring manual intervention to re-enable.
Port security violation counters help network administrators monitor unauthorized access attempts and enforce security policies effectively.
Spanning Tree Protocol (STP) does not enforce port security violations; it manages loop prevention and port states independently.
When multiple devices connect through a hub to a port with port security, all MAC addresses count toward the maximum allowed, potentially causing violations.
Port security does not automatically learn new MAC addresses beyond the configured maximum, preventing unauthorized devices from gaining access.
Restrict mode provides a balance between security enforcement and network availability by dropping unauthorized frames but keeping the port operational.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
Real-world example
How this comes up in practice
A practitioner preparing for the 200-301 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access), then practise related 200-301 questions on the same topic to reinforce the concept.
Network Services and Security — This question tests Network Services and Security: port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
What is the correct answer to this question?
The correct answer is: Frames from the unknown MAC are dropped and the violation is counted — In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.
What should I do if I get this 200-301 question wrong?
Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access), then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.