- A
Storm Control: Limits excessive broadcast, multicast, or unicast traffic to prevent network storms.
Storm Control monitors traffic levels and drops frames when a configured threshold is exceeded, preventing broadcast storms from overwhelming the network.
- B
Storm Control: Authenticates devices before granting network access.
Why wrong: This is incorrect because device authentication is the purpose of 802.1X, not Storm Control.
- C
Storm Control: Validates ARP packets to prevent ARP spoofing attacks.
Why wrong: This is incorrect because ARP validation is the function of Dynamic ARP Inspection (DAI), not Storm Control.
- D
Storm Control: Filters IP traffic based on DHCP snooping bindings.
Why wrong: This is incorrect because IP traffic filtering based on DHCP snooping is the role of IP Source Guard, not Storm Control.
Quick Answer
The answer is Storm Control, as its purpose is to limit excessive broadcast, multicast, or unicast traffic to prevent network storms. This feature works by setting a threshold—either as a percentage of bandwidth or a rate of packets per second—on a switch interface; when the incoming traffic of a specified frame type exceeds that threshold, the interface either drops the excess traffic or shuts down the port to stop the storm from propagating. On the CCNA 200-301 v2 exam, this concept often appears in a matching question where you must distinguish Storm Control from other Layer 2 protections like Port Security or DHCP Snooping—a common trap is confusing it with broadcast suppression alone, but remember Storm Control also applies to multicast and unicast floods. To lock it in, use the mnemonic: “Storm Control Stops Storms by Setting a Stop Sign on the Switchport.”
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Match each Layer 2 protection feature to its most accurate purpose.
Answer choices
Correct answer & explanation
Storm Control: Limits excessive broadcast, multicast, or unicast traffic to prevent network storms.
Storm Control limits excessive traffic. Port Security limits MAC addresses. DHCP Snooping blocks unauthorized DHCP servers. DAI validates ARP packets. IP Source Guard filters IP traffic based on DHCP snooping. 802.1X authenticates devices before granting access.
Key principle: Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ Storm Control: Limits excessive broadcast, multicast, or unicast traffic to prevent network storms. (Correct answer)
Why this is correct
Storm Control monitors traffic levels and drops frames when a configured threshold is exceeded, preventing broadcast storms from overwhelming the network.
✗ Storm Control: Authenticates devices before granting network access. (Wrong answer)
Why this is wrong here
Storm Control is a traffic rate-limiting feature, not an authentication mechanism.
Why candidates choose this
Candidates may confuse 'control' with access control, thinking it involves authentication.
✗ Storm Control: Validates ARP packets to prevent ARP spoofing attacks. (Wrong answer)
Why this is wrong here
Storm Control does not inspect packet contents; it only monitors traffic volume.
Why candidates choose this
Candidates might associate 'storm' with ARP storms and incorrectly think Storm Control handles ARP validation.
✗ Storm Control: Filters IP traffic based on DHCP snooping bindings. (Wrong answer)
Why this is wrong here
Storm Control operates at Layer 2 and does not use DHCP snooping bindings.
Why candidates choose this
Candidates may confuse Storm Control with IP Source Guard because both are security features that filter traffic.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.
Detailed technical explanation
How to think about this question
Layer 2 protection features are essential mechanisms in Cisco switching environments designed to secure the data link layer from common attacks and misconfigurations. Port Security restricts the number of MAC addresses learned on a switch port, preventing unauthorized devices from flooding the MAC address table and causing denial of service. BPDU Guard protects the Spanning Tree Protocol topology by shutting down ports that receive unexpected BPDUs, which are typically sent by switches and can cause topology loops if introduced on edge ports. DHCP Snooping monitors DHCP traffic to block rogue DHCP servers and builds a trusted binding table that maps IP addresses to MAC addresses and switch ports. Dynamic ARP Inspection (DAI) leverages this binding table to validate ARP packets, preventing ARP spoofing attacks that can redirect traffic or cause man-in-the-middle scenarios.
Each Layer 2 protection feature addresses a specific security concern. Port Security enforces MAC address limits per port, effectively blocking unauthorized devices. BPDU Guard disables ports that receive BPDUs unexpectedly, protecting the STP topology from accidental or malicious loops. DHCP Snooping filters DHCP messages, allowing only trusted DHCP servers to assign IP addresses and preventing rogue servers from disrupting network IP configuration. DAI uses the DHCP Snooping binding table to verify ARP requests and replies, ensuring that only valid ARP traffic is forwarded. This layered approach ensures that different attack vectors at Layer 2 are mitigated by the appropriate feature.
A common exam trap is confusing the purposes of these features or assuming they overlap in functionality. For example, some candidates mistakenly believe DHCP Snooping prevents MAC flooding or that BPDU Guard protects against ARP spoofing. In practice, each feature targets a distinct threat: Port Security controls MAC address usage, BPDU Guard protects STP topology, DHCP Snooping secures DHCP assignments, and DAI validates ARP traffic. Understanding these distinctions is critical for correctly matching features to their purposes and for designing secure Cisco switched networks that resist Layer 2 attacks.
Key Concepts to Remember
- Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks.
- BPDU Guard disables a port configured as an edge port if it receives a Bridge Protocol Data Unit (BPDU), preventing potential Spanning Tree Protocol (STP) topology loops.
- DHCP Snooping filters DHCP messages to block rogue DHCP servers and builds a trusted binding table of IP-to-MAC address mappings for security.
- Dynamic ARP Inspection (DAI) uses the DHCP Snooping binding table to validate ARP packets and prevent ARP spoofing or poisoning attacks on Layer 2.
- Layer 2 protection features address different security threats: Port Security controls MAC access, BPDU Guard protects STP topology, DHCP Snooping secures IP assignment, and DAI validates ARP traffic.
- Cisco switches implement these Layer 2 protections to maintain network integrity by preventing common Layer 2 attacks and misconfigurations that can disrupt connectivity.
- Understanding the distinct purpose of each Layer 2 protection feature is critical for troubleshooting and designing secure Cisco switched networks.
- Layer 2 protections are often combined in enterprise networks to provide comprehensive defense against MAC flooding, rogue DHCP servers, STP manipulation, and ARP attacks.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks.
Real-world example
How this comes up in practice
A network engineer segments a warehouse floor into three subnets: 20 scanners, 5 printers, and 2 management hosts. Picking the wrong mask wastes addresses or leaves too few usable hosts. Exam questions test whether you can apply CIDR notation, calculate block size, and identify the correct usable-host range for a given prefix.
FAQ
Questions learners often ask
What does this 200-301 question test?
This question tests Switching and Network Access. Key principle: Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks.
What is the correct answer to this question?
The correct answer is: Storm Control: Limits excessive broadcast, multicast, or unicast traffic to prevent network storms. — Storm Control limits excessive traffic. Port Security limits MAC addresses. DHCP Snooping blocks unauthorized DHCP servers. DAI validates ARP packets. IP Source Guard filters IP traffic based on DHCP snooping. 802.1X authenticates devices before granting access.
What should I do if I get this 200-301 question wrong?
Review the key principle that Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks, then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized devices from connecting and causing MAC flooding attacks.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.