Network Services and Security · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is that frames from the unknown MAC are dropped and the violation counter is incremented. In port security restrict mode, when a violation occurs—such as a third device connecting through a hub to a port configured with a maximum of two MAC addresses—the switch immediately discards any frames sourced from the unauthorized MAC while keeping the port fully operational. This behavior contrasts with shutdown mode, which disables the port entirely, making restrict mode a less disruptive option for monitoring unauthorized access without breaking connectivity. On the CCNA 200-301 v2 exam, this question tests your understanding of the three port security violation modes—protect, restrict, and shutdown—and a common trap is confusing restrict with protect, which silently drops frames without incrementing the counter. Remember the memory tip: “Restrict reports, protect is quiet, shutdown shuts the port.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

SW1# show port-security interface gi1/0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 2
Current MAC Addresses      : 2

Port security is enabled with a maximum of 2 MAC addresses, but a third device connected through a small hub causes a violation. Which result is expected in restrict mode?

Answer choices

  • The port goes immediately to err-disabled state
  • Frames from the unknown MAC are dropped and the violation is counted
  • The switch learns the third MAC after 30 seconds automatically
  • STP blocks the port until the MAC table ages out

Answer the question above first, then read the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Frames from the unknown MAC are dropped and the violation is counted

In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.

Key principle: Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Frames from the unknown MAC are dropped and the violation is counted (correct answer)

Why this is correct

That is the purpose of restrict mode.

The port goes immediately to err-disabled state (wrong answer)

Why this is wrong here

In restrict mode, the port does not go to err-disabled state; that behavior is specific to shutdown mode. Shutdown mode disables the port upon a violation, whereas restrict mode only drops traffic from unknown MACs and increments the violation counter.

★ When this WOULD be the correct answer

This option would be correct in a scenario where the port security is configured to place the port in err-disabled state upon a violation, such as when the violation mode is set to shutdown instead of restrict. In that case, the immediate response to a third MAC address would indeed be to disable the port.

Why candidates choose this

Students often confuse restrict mode with shutdown mode because both are violation actions for port security. The term 'restrict' might be misinterpreted as a more severe action, leading to the assumption that the port is disabled.

The switch learns the third MAC after 30 seconds automatically (wrong answer)

Why this is wrong here

Port security does not automatically learn additional MAC addresses after a delay; it strictly enforces the configured maximum number of MAC addresses. If the maximum is set to 2, any new MAC address beyond that triggers a violation action (restrict, shutdown, or protect) immediately, not after 30 seconds.

★ When this WOULD be the correct answer

In a different exam scenario where the port security is set to 'sticky' learning mode, a question could state that the switch is configured to learn new MAC addresses automatically. In this case, if a third device connects, the switch would learn the MAC after the aging time expires.

Why candidates choose this

Some students might think there is a learning period or aging mechanism that allows temporary learning of extra MACs, confusing port security with MAC address table aging or dynamic learning. However, port security violations are immediate and not delayed.

STP blocks the port until the MAC table ages out (wrong answer)

Why this is wrong here

STP (Spanning Tree Protocol) is used to prevent loops in redundant topologies and does not enforce port security. Port security violations are handled by the port security feature itself, independent of STP. STP blocking a port would be unrelated to MAC address limits.

★ When this WOULD be the correct answer

If the question specified that the port was operating in a mode where security violations lead to the port being disabled, such as protect or shutdown mode, then this option could be correct. For example, if the question stated that the port was configured to err-disable on a violation, then this answer would apply.

Why candidates choose this

Students might associate STP with blocking ports and think that a violation could trigger STP to block the port. However, STP and port security are separate features; port security violations do not involve STP.

Analysis generated from the official 200-301 blueprint and verified against question context. The "when correct" sections are what AI assistants cite when candidates ask "what's the difference between these options?"

Common exam traps

Common exam trap: answer the scenario, not the keyword

Be careful not to confuse restrict mode with shutdown mode, which disables the port entirely.

Detailed technical explanation

How to think about this question

Port security is a Layer 2 security feature on Cisco switches that restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. This feature is essential in preventing unauthorized devices from connecting to the network through physical access points. When enabled, the switch learns MAC addresses up to a configured maximum and enforces policies when violations occur, such as when an unknown MAC address attempts to send frames through the port.

The behavior of port security upon a violation depends on the configured violation mode. In restrict mode, the switch drops frames from any MAC address that exceeds the maximum allowed and increments a violation counter, but the port remains active and forwarding. This mode allows network administrators to monitor violations without disrupting network connectivity. In contrast, shutdown mode immediately disables the port by placing it into an err-disabled state, requiring manual recovery. Protect mode silently drops violating frames without incrementing counters or disabling the port.

A common exam trap is confusing restrict mode with shutdown mode. Restrict mode does not disable the port but only drops unauthorized frames and counts violations, which is less disruptive in environments where uptime is critical. Additionally, when multiple devices connect through a hub to a single port, each device's MAC address counts toward the port security maximum, potentially causing violations if the limit is exceeded. Understanding these behaviors helps in designing secure and resilient network access policies aligned with Cisco CCNA security fundamentals.
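To make the three violation modes concrete, here is an added simulator (not Cisco code and not part of the original question) that applies the rules above to a constructed hub scenario: three hosts behind a hub on a port with a maximum of two secure MACs. The port name, MAC addresses and log message text are constructed for illustration.

```python
"""Model of Cisco port-security violation modes: protect, restrict, shutdown.

Added illustration, not Cisco code. Log message text below is illustrative,
not the real IOS syslog format.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """One switch port with port security enabled."""
    name: str
    maximum: int = 1
    violation_mode: str = SHUTDOWN          # Cisco's default violation mode
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Apply port security to one ingress frame and report what happened."""
        if self.err_disabled:
            return "dropped:err-disabled"       # port is down; nothing passes
        if src_mac in self.secure_macs:
            return "forwarded"                  # already a secure MAC
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # dynamic learning up to the maximum
            return "forwarded:learned"
        # A new source MAC beyond the maximum is a violation.
        if self.violation_mode == PROTECT:
            return "dropped"                    # silent: no counter, no log
        if self.violation_mode == RESTRICT:
            self.violation_count += 1           # counted and logged; port stays up
            self.log.append(f"violation on {self.name} by {src_mac}")
            return "dropped:counted"
        self.err_disabled = True                # shutdown: whole port goes err-disabled
        self.violation_count += 1
        self.log.append(f"{self.name} err-disabled by {src_mac}")
        return "dropped:err-disabled"


def hub_scenario(mode: str) -> dict:
    """Three hosts behind a hub on a max-2 port (constructed MACs), in the given mode."""
    port = SecurePort("Gi1/0/5", maximum=2, violation_mode=mode)
    frames = ["0000.1111.aaaa", "0000.2222.bbbb", "0000.3333.cccc", "0000.1111.aaaa"]
    results = [port.receive(mac) for mac in frames]
    return {"results": results, "violations": port.violation_count,
            "err_disabled": port.err_disabled, "log_lines": len(port.log)}
```

The fourth frame shows the practical difference: in restrict and protect mode the authorized host keeps working after the violation, while in shutdown mode the err-disabled port drops it too.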

Key Concepts to Remember

  • Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.
  • In restrict mode, port security drops frames from unknown MAC addresses exceeding the maximum limit and increments the violation counter without disabling the port.
  • Shutdown mode causes the port to enter an err-disabled state immediately upon a security violation, requiring manual intervention to re-enable.
  • Port security violation counters help network administrators monitor unauthorized access attempts and enforce security policies effectively.
  • Spanning Tree Protocol (STP) does not enforce port security violations; it manages loop prevention and port states independently.
  • When multiple devices connect through a hub to a port with port security, all MAC addresses count toward the maximum allowed, potentially causing violations.
  • Port security does not automatically learn new MAC addresses beyond the configured maximum, preventing unauthorized devices from gaining access.
  • Restrict mode provides a balance between security enforcement and network availability by dropping unauthorized frames but keeping the port operational.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.

Real-world example

How this comes up in practice

A practitioner preparing for the 200-301 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access), then practise related 200-301 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security. This question tests the principle that port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.

What is the correct answer to this question?

The correct answer is: Frames from the unknown MAC are dropped and the violation is counted — In restrict mode, the switch drops frames from unknown source MAC addresses and increments the violation counter, but the port stays up. That is less disruptive than shutdown mode.

What should I do if I get this 200-301 question wrong?

Review the key principle (port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access), then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Port security on Cisco switches limits the number of MAC addresses learned on a switch port to prevent unauthorized device access.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: May 17, 2026


This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.