- A. Firewall: Filters traffic based on security rules
  Firewalls inspect packets and apply rules to permit or deny traffic, forming the first line of defense in network security.
- B. Intrusion Prevention System: Detects and blocks malicious activity
  Firewalls do not encrypt data; encryption is performed by VPNs or encryption protocols like IPsec.
- C. VPN: Encrypts data between remote sites
  Endpoint malware detection is the role of antivirus software, not a firewall.
- D. Access Control List: Permits or denies traffic based on IP/port
  Centralized log analysis is the function of a SIEM system, not a firewall.
Quick Answer
The correct match pairs each security feature with its main purpose: Access Control Lists permit or deny traffic based on IP and port, DHCP Snooping identifies trusted ports and builds a binding table to block rogue DHCP servers, Dynamic ARP Inspection (DAI) uses that binding table to validate ARP packets and prevent ARP spoofing, and Port Security restricts MAC addresses learned on a switch port to mitigate MAC flooding. These features are correct because they each enforce a specific layer of defense—ACLs filter at Layer 3/4, DHCP Snooping secures Layer 2 addressing, DAI validates Layer 2-to-Layer 3 mappings, and Port Security controls physical access. On the CCNA 200-301 v2 exam, this topic appears in the Network Access section, often as a drag-and-drop or multiple-choice question testing your ability to distinguish between these overlapping security tools. A common trap is confusing DAI with DHCP Snooping, but remember DAI depends on the DHCP Snooping binding table to work. Memory tip: "ACLs filter, DHCP blocks, DAI validates, Port Security locks."
CCNA Network Infrastructure and Connectivity Practice Question
This 200-301 practice question tests your understanding of network infrastructure and connectivity. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Match the security feature to its main purpose.
Answer choices
Why each option matters
Correct answer & explanation
Firewall: Filters traffic based on security rules
ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks. Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.
Key principle: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Firewall: Filters traffic based on security rules
Why this is correct
Firewalls inspect packets and apply rules to permit or deny traffic, forming the first line of defense in network security.
Related concept
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
- ✓
Intrusion Prevention System: Detects and blocks malicious activity
Why this is correct
Firewalls do not encrypt data; encryption is performed by VPNs or encryption protocols like IPsec.
Related concept
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
- ✓
VPN: Encrypts data between remote sites
Why this is correct
Endpoint malware detection is the role of antivirus software, not a firewall.
Related concept
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
- ✓
Access Control List: Permits or denies traffic based on IP/port
Why this is correct
Centralized log analysis is the function of a SIEM system, not a firewall.
Related concept
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Avoid confusing the general term 'security' with specific functions. Firewalls filter traffic; they do not encrypt, detect endpoint malware, or provide centralized log analysis. Each security tool has a defined purpose.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are fundamental Cisco security tools that filter network traffic by permitting or denying packets based on defined criteria such as source/destination IP addresses, protocols, or ports. ACLs operate at Layer 3 and Layer 4 to enforce security policies and control access to network resources. They are widely used to restrict unauthorized traffic but do not inherently protect against DHCP or ARP spoofing attacks.

DHCP Snooping is a Layer 2 security feature that prevents rogue DHCP servers from distributing invalid IP addresses. It works by filtering DHCP messages and building a DHCP binding table that records legitimate IP-to-MAC address mappings. This binding table is critical because other features, like Dynamic ARP Inspection (DAI), rely on it to validate ARP packets.

DAI intercepts ARP requests and replies, comparing them against the DHCP Snooping binding table to prevent ARP spoofing and man-in-the-middle attacks.

Port Security is another Layer 2 feature that limits the number of MAC addresses allowed on a switch port. It helps prevent unauthorized devices from connecting to the network by restricting port access based on MAC addresses. Unlike DHCP Snooping and DAI, Port Security does not validate DHCP or ARP traffic but focuses on controlling physical access to the network.

Understanding these distinct roles is essential for correctly matching security features to their purposes in Cisco network environments.
Key Concepts to Remember
- ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
- DHCP Snooping protects the network from unauthorized DHCP servers by filtering DHCP messages and creating a binding table of legitimate IP-to-MAC mappings.
- Dynamic ARP Inspection uses the DHCP Snooping binding table to validate ARP packets and prevent ARP spoofing attacks on the network.
- Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized device connections.
- ACLs do not protect against DHCP or ARP spoofing; their primary role is traffic filtering based on IP and protocol rules.
- DHCP Snooping and DAI work together to secure Layer 2 address resolution processes by validating DHCP and ARP traffic respectively.
- Port Security enforces physical access control on switch ports but does not inspect or filter DHCP or ARP packets.
- Correctly matching Cisco security features requires understanding their specific functions within Layer 2 and Layer 3 security contexts.
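The four features from the detailed explanation and the key concepts above, shown together as one added configuration for a hypothetical Cisco IOS access switch (example added here, not from this page or from Cisco documentation). VLAN 10, the interface names, the ACL name USERS-OUT and the 192.168.1.0/24 addressing are assumptions; the ACL is applied on a Layer 3 switch SVI, or equivalently on the router's LAN interface.

```cisco
! Added example: VLAN 10, interface names, ACL name and subnet are constructed.
!
! 1. DHCP Snooping: builds the IP-to-MAC binding table and drops DHCP server
!    replies that arrive on untrusted (access) ports.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is disabled unless the upstream relay expects it.
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection: validates ARP on VLAN 10 against the binding table.
ip arp inspection vlan 10
!
! 3. Extended ACL (Layer 3/4): permit HTTPS and DNS from the user subnet,
!    log whatever the explicit final entry denies.
ip access-list extended USERS-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 deny   ip any any log
!
! Uplink towards the router/DHCP server: trusted for DHCP snooping and DAI.
interface GigabitEthernet1/0/24
 description UPLINK-TO-DIST
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User access port: untrusted (default), DHCP rate-limited, and
! 4. Port Security limiting the MAC addresses learned on the port.
interface GigabitEthernet1/0/1
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! The ACL filters traffic entering the VLAN 10 SVI from the user subnet.
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group USERS-OUT in
!
! Verification (exec mode):
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show port-security interface GigabitEthernet1/0/1
```

Order matters on a live VLAN: DAI drops ARP from any host that has no entry in the binding table, so enable DHCP Snooping and let clients renew before turning on DAI, and give statically addressed hosts an ARP ACL or a trusted port.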
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Review how ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria, then practise related 200-301 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this 200-301 question test?
This question tests Network Infrastructure and Connectivity: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
What is the correct answer to this question?
The correct answer is: Firewall: Filters traffic based on security rules — ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks. Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.
What should I do if I get this 200-301 question wrong?
Review how ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria, then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Apr 12, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.