Question 231 of 1,819
Switching and Network Access · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is port security, the feature designed to limit MAC addresses on a switchport. Port security enforces a maximum number of allowed source MAC addresses per interface, and when that limit is exceeded, such as by connecting an unmanaged switch, it can either shut down the port, restrict the offending traffic, or send a notification. On the CCNA 200-301 v2 exam, this question tests your understanding of access-layer hardening: VLAN assignment controls broadcast domains, but port security is the second layer that prevents unauthorized devices from joining the network through the port. A common trap is confusing this with DHCP snooping or 802.1X, but port security is the straightforward answer for simply capping MAC learning. Remember the mnemonic “Ports Protect Permits” to recall that port security permits you to protect the port by defining a permitted number of MAC addresses.

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences, like 'secret' vs 'password' or 'transport input ssh' vs 'all', change whether the answer is correct. A key principle to apply: port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?


Correct answer & explanation

Port security

The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not. This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.

Key principle: Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Port security

    Why this is correct

    This is correct because port security can enforce a maximum number of MAC addresses on the switchport.

    Related concept

    Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.

  • EtherChannel

    Why it's wrong here

    This is wrong because EtherChannel bundles links and is unrelated to limiting MAC learning on one user port.

    When this WOULD be correct

    If the question asked about configuring a link aggregation to increase bandwidth between switches while ensuring redundancy, then EtherChannel would be the correct answer, as it directly addresses the need for combining multiple links.

  • OSPF passive-interface

    Why it's wrong here

    This is wrong because OSPF passive-interface is a routing concept, not a switchport access-control feature.

    When this WOULD be correct

    If the question asked about configuring OSPF on a router and required the administrator to stop OSPF updates on a specific interface while still allowing other interfaces to participate in OSPF, then selecting OSPF passive-interface would be correct.

  • Native VLAN

    Why it's wrong here

    This is wrong because native VLAN is a trunking concept and does not limit MAC address learning.

    When this WOULD be correct

    In a scenario where a question asks about configuring VLANs for trunk links and managing untagged traffic, selecting 'Native VLAN' could be correct if the question specifically addresses the need to define which VLAN untagged frames should be assigned to on a trunk port.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Port security (correct answer)

Why this is correct

This is correct because port security can enforce a maximum number of MAC addresses on the switchport.

EtherChannel (wrong answer)

Why this is wrong here

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, not to limit MAC address learning on a single port. It does not provide any mechanism to restrict the number of MAC addresses learned on a switchport.

Why candidates choose this

Students might confuse EtherChannel with port security because both involve controlling traffic on switchports, but EtherChannel focuses on link aggregation rather than MAC address control.

OSPF passive-interface (wrong answer)

Why this is wrong here

OSPF passive-interface is a routing protocol feature used to prevent OSPF from sending hello messages on an interface, typically used on interfaces that do not have OSPF neighbors. It has no effect on MAC address learning or switchport security.

Why candidates choose this

The term 'passive' might be misinterpreted as a security feature that limits activity on the port, leading students to incorrectly associate it with restricting MAC addresses.

Native VLAN (wrong answer)

Why this is wrong here

Native VLAN is a concept used on trunk ports to specify the VLAN that carries untagged traffic. It does not control MAC address learning or limit the number of MAC addresses on a switchport.

Why candidates choose this

Students might think that native VLAN, being a VLAN-related feature, could affect MAC address learning, but it is unrelated to port security mechanisms.

Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Don't confuse VLAN assignment or ACLs with port security; they serve different functions.

Detailed technical explanation

How to think about this question

Port security is a Cisco Catalyst switch feature that restricts the number of MAC addresses learned on a single switchport. It is primarily used on access ports connected to end devices like workstations, printers, or IP phones to enhance security by preventing unauthorized devices from connecting. When enabled, port security can limit the maximum number of MAC addresses learned dynamically or allow static MAC addresses to be configured. If the limit is exceeded, the switch can take predefined actions such as shutting down the port, dropping packets from unknown MAC addresses, or generating alerts.

The decision to use port security involves configuring the maximum allowed MAC addresses on a port, typically set to one for user workstations to prevent multiple devices from sharing the same port. This feature complements VLAN assignment by controlling not only traffic segregation but also device access at Layer 2. Port security enforces a strict policy that helps mitigate risks like MAC flooding attacks or unauthorized device connections, which VLANs alone cannot prevent. The switch monitors MAC addresses learned on the port and enforces the configured limits accordingly.

A common exam trap is confusing port security with other Layer 2 or routing features such as EtherChannel, native VLAN, or OSPF passive-interface. EtherChannel aggregates links and does not limit MAC addresses. Native VLAN relates to trunk ports and does not restrict MAC learning. OSPF passive-interface is a routing protocol setting unrelated to switchport security. Understanding that port security specifically controls MAC address learning on access ports is critical for correctly answering questions about limiting MAC addresses on a switchport.
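The difference between the violation actions described above, as an added example that is not part of the original page: a simplified Python model of one access port limited to one MAC address. The class, function names and MAC addresses are constructed for illustration; protect, restrict and shutdown are the IOS violation mode names.

```python
# Added example (simplified model, not Cisco code): one access port with port security.
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    maximum: int = 1              # IOS default once port security is enabled
    violation: str = "shutdown"   # IOS default; alternatives: "restrict", "protect"
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Handle one frame by source MAC and return what happens to it."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # dynamic learning up to the limit
            return "forwarded"
        if self.violation == "protect":
            return "dropped"                       # silent: no counter, no log entry
        self.violation_count += 1                  # restrict and shutdown both count
        self.log.append(f"security violation by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True
            return "dropped: port err-disabled"
        return "dropped"                           # restrict: port stays up

def replay(violation: str, frames: list) -> tuple:
    """Feed constructed frames through a maximum-1 port; return (outcomes, port)."""
    port = SecurePort(maximum=1, violation=violation)
    return [port.receive(mac) for mac in frames], port

# Constructed traffic: the workstation, a second device behind an unmanaged
# switch, then the workstation again.
WORKSTATION, EXTRA = "0000.1111.2222", "0000.aaaa.bbbb"
FRAMES = [WORKSTATION, EXTRA, WORKSTATION]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        outcomes, port = replay(mode, FRAMES)
        print(f"{mode:9} {outcomes} violations={port.violation_count} "
              f"err_disabled={port.err_disabled}")
```

In shutdown mode the legitimate workstation loses connectivity as well, because the whole port is err-disabled; in protect and restrict modes only the extra device's frames are dropped.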

Key Concepts to Remember

  • Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.
  • VLAN assignment controls traffic segregation but does not restrict how many devices or MAC addresses can appear on a switchport.
  • When the maximum MAC address limit is exceeded, port security can shut down the port, drop packets, or generate alerts based on the configured violation mode.
  • EtherChannel bundles multiple physical links into one logical link and does not limit MAC address learning on individual switchports.
  • Native VLAN applies only to trunk ports and defines untagged traffic VLAN but does not restrict MAC address learning on access ports.
  • OSPF passive-interface is a routing protocol feature that prevents OSPF updates on an interface and is unrelated to Layer 2 MAC address control.
  • Port security is commonly used on access-layer switchports connected to user devices to enhance network security by limiting MAC addresses.
  • Limiting MAC addresses with port security helps prevent MAC flooding attacks and unauthorized devices from gaining network access.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.

Real-world example

How this comes up in practice

A network engineer at a university connects two campus buildings via a fibre link. Both routers run OSPF, but no adjacency forms — even though both routers can ping each other. The engineer finds one router is in area 0 and the other in area 1. OSPF adjacency requires matching area numbers, hello/dead timers, and network type. IP reachability alone is not enough.

What to study next

Got this wrong? Here's your next step.

Review how port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections, then practise related 200-301 questions on the same topic to reinforce the concept.

FAQ

Questions learners often ask

What does this 200-301 question test?

This question tests Switching and Network Access: port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.

What is the correct answer to this question?

The correct answer is: Port security — The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not. This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.

What should I do if I get this 200-301 question wrong?

Review how port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections, then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Port security on Cisco switches enforces a maximum number of MAC addresses learned on a single access port to prevent unauthorized device connections.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to multiple PCs. The network administrator wants to implement port security on port G0/1 to allow only one MAC address and to shut down the port if a violation occurs. Additionally, the administrator wants the MAC address to be learned dynamically and added to the running configuration as sticky. Configure port security on G0/1 accordingly.

easy
  • A.
      SW1(config)# interface G0/1
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 1
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation shutdown
  • B.
      SW1(config)# interface G0/1
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 1
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation protect
  • C.
      SW1(config)# interface G0/1
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 1
      SW1(config-if)# switchport port-security mac-address 0000.1111.2222
      SW1(config-if)# switchport port-security violation shutdown
  • D.
      SW1(config)# interface G0/1
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 1
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation restrict

Why A: Port security restricts access by limiting MAC addresses. With sticky learning, the first dynamically learned MAC is saved to the config. If another MAC attempts to connect, the port shuts down, preventing unauthorized access.

Variation 2. You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to a PC on port G0/1. The network administrator wants to secure the port by allowing only two MAC addresses and enabling sticky MAC learning. Additionally, if a violation occurs, the port should be put into error-disabled state. Configure port security on G0/1 with maximum MAC addresses of 2, sticky learning, and shutdown violation mode.

hard
  • A.
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 2
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation shutdown
  • B.
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 2
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation restrict
  • C.
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 2
      SW1(config-if)# switchport port-security mac-address sticky
      SW1(config-if)# switchport port-security violation protect
  • D.
      SW1(config-if)# switchport port-security
      SW1(config-if)# switchport port-security maximum 2
      SW1(config-if)# switchport port-security mac-address 0000.1111.2222
      SW1(config-if)# switchport port-security violation shutdown

Why A: Port security restricts access based on MAC addresses. The first command, `switchport port-security`, enables port security on the interface. With sticky, learned MACs are saved to the running config; `shutdown` violation mode places the port in error-disable state, requiring manual recovery. Option A includes all required commands in the correct order. Option B uses `restrict`, which drops traffic but does not errdisable. Option C uses `protect`, which drops silently without logging. Option D manually configures a specific MAC instead of enabling sticky learning, so it does not meet the requirement for sticky.
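One way to check a saved configuration for the points these variations turn on, as an added example (not Courseiva's or Cisco's code): a Python audit of access ports that applies the IOS defaults (maximum 1, violation shutdown) when a setting is absent and flags ports that carry port-security sub-commands without the bare `switchport port-security` line that enables the feature. The sample configuration, the function names and the policy values are assumptions.

```python
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation protect
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def setting(cmds: list, keyword: str, default: str) -> str:
    """Value of 'switchport port-security <keyword> <value>', else the IOS default."""
    prefix = f"switchport port-security {keyword} "
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), default)

def audit(config: str, max_allowed: int = 1, required_mode: str = "shutdown") -> dict:
    """Return {access port: [issues]} checked against a hypothetical site policy."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" in cmds:  # trunks and other ports are out of scope
            maximum = int(setting(cmds, "maximum", "1").split()[0])  # default is 1
            mode = setting(cmds, "violation", "shutdown")            # default is shutdown
            checks = [  # the bare command enables the feature; sub-commands alone do not
                ("switchport port-security" in cmds, "port security not enabled"),
                (maximum <= max_allowed, f"maximum {maximum} exceeds {max_allowed}"),
                (mode == required_mode, f"violation mode is {mode}, not {required_mode}"),
            ]
            findings[name] = [msg for ok, msg in checks if not ok]
    return findings
```

GigabitEthernet0/1 passes with no explicit maximum or violation line because the defaults already satisfy the policy, while GigabitEthernet0/2 is flagged as unprotected even though a violation mode is configured.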

Last reviewed: May 17, 2026
