- A
Administratively shut down unused switch ports
This is correct because disabling unused ports reduces exposure and is a common hardening practice.
- B
Convert all unused ports into trunk ports
Why wrong: This is wrong because trunking unused ports would increase complexity and exposure.
- C
Enable Telnet on all unused ports
Why wrong: This is wrong because Telnet is insecure and unrelated to physical port hardening.
- D
Advertise every unused port into OSPF
Why wrong: This is wrong because routing protocol advertisement has nothing to do with switch-port exploitation risk.
Quick Answer
The answer is to administratively shut down unused switch ports. An active but unmonitored port remains a viable entry point for unauthorized devices, which violates the principle of minimizing attack surface; the `shutdown` interface configuration command removes that entry point by keeping the interface administratively down so it never brings up link or forwards frames. On the CCNA 200-301 v2 exam this concept tests Layer 2 security fundamentals, and it often appears in questions that contrast administrative shutdown with related measures such as port security or VLAN assignment. A common trap is to confuse disabling a port with merely assigning it to an unused VLAN, which still leaves the interface up and able to negotiate a link. Unused switch port hardening is a baseline step in secure network design; in practice the shutdown is paired with `switchport mode access`, an unused "parking" VLAN and `switchport nonegotiate`, so that a later `no shutdown` does not expose a DTP-negotiable port in VLAN 1. The exam expects you to recognize that an administratively disabled port is far more secure than one left in the up state. Remember the mnemonic: "If it’s not in use, pull the plug—shut it down, don’t just VLAN it out."
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: administratively shutting down unused switch ports prevents unauthorized access through those ports and reduces the attack surface on a Cisco switch. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company wants to reduce the chance that unused switch ports can be exploited. Which action best aligns with that goal?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer choices
Why each option matters
Correct answer & explanation
Administratively shut down unused switch ports
The best action is to administratively disable unused ports and apply hardening where appropriate. In plain language, an unused port is still a possible entry point if it remains active and unmonitored. Shutting it down reduces exposure and aligns with the broader principle of minimizing unnecessary attack surface. This is a simple but effective part of switch hardening. Leaving unused ports active may feel convenient, but it creates opportunities for unauthorized connections. The correct answer is the one focused on disabling resources that are not needed rather than on unrelated technologies.
Key principle: Administratively shutting down unused switch ports prevents unauthorized physical access and reduces the attack surface on a Cisco switch.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Administratively shut down unused switch ports
Why this is correct
This is correct because disabling unused ports reduces exposure and is a common hardening practice.
Clue confirmation
The clue word "best" in the question points toward this answer: of the four options, it is the only one that directly reduces the exposure of an unused port.
Related concept
Administratively shutting down unused switch ports prevents unauthorized physical access and reduces the attack surface on a Cisco switch.
- ✗
Convert all unused ports into trunk ports
Why it's wrong here
This is wrong because trunking unused ports would increase complexity and exposure.
When this WOULD be correct
A trunk is the right configuration when a port connects to another switch, a router-on-a-stick or a hypervisor host that must carry several VLANs over one link. That applies to a port that is in use for that purpose, never to one that is unused; the question here is about reducing exposure, not about carrying traffic.
- ✗
Enable Telnet on all unused ports
Why it's wrong here
This is wrong because Telnet is insecure and unrelated to physical port hardening.
When this WOULD be correct
Telnet is a management-plane setting applied to the vty lines, not to individual switch ports, so it is not something you enable "on a port" at all. On the 200-301 it is the right answer only when a question asks you to identify the legacy or insecure remote-management protocol, or explicitly states that SSH cannot be used; otherwise SSH is the expected choice.
- ✗
Advertise every unused port into OSPF
Why it's wrong here
This is wrong because routing protocol advertisement has nothing to do with switch-port exploitation risk.
When this WOULD be correct
OSPF advertises the subnets of Layer 3 interfaces (routed ports, SVIs, loopbacks) so that other routers can reach them. Advertising a network is correct when a question asks how to make a connected subnet reachable across the routing domain. A Layer 2 access port has no IP address to advertise, and OSPF never changes whether a device can plug in and obtain link, so it is not a port-hardening measure.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ Administratively shut down unused switch ports (correct answer)
Why this is correct
This is correct because disabling unused ports reduces exposure and is a common hardening practice.
✗ Convert all unused ports into trunk ports (wrong answer)
Why this is wrong here
Configuring unused ports as trunk ports would allow multiple VLANs and potentially expose the network to VLAN hopping attacks, increasing security risk rather than reducing it.
★ When this WOULD be the correct answer
A trunk is the right configuration when a port connects to another switch, a router-on-a-stick or a hypervisor host that must carry several VLANs over one link. That applies to a port that is in use for that purpose, never to one that is unused; the question here is about reducing exposure, not about carrying traffic.
Why candidates choose this
Students might think trunking is a way to 'secure' ports by limiting them to a specific role, but trunk ports are actually more complex and vulnerable if not properly secured.
✗ Enable Telnet on all unused ports (wrong answer)
Why this is wrong here
Telnet is an unencrypted protocol that transmits credentials in plaintext, making it highly insecure; SSH is the expected management protocol. Telnet is also configured on the vty lines, not on individual ports, so enabling it does nothing to stop a device from connecting to an unused access port and instead adds an exposed remote-access service.
★ When this WOULD be the correct answer
Telnet is a management-plane setting applied to the vty lines, not to individual switch ports, so it is not something you enable "on a port" at all. On the 200-301 it is the right answer only when a question asks you to identify the legacy or insecure remote-management protocol, or explicitly states that SSH cannot be used; otherwise SSH is the expected choice.
Why candidates choose this
Some might confuse Telnet with SSH or think that enabling a management protocol on ports provides some form of control, but Telnet is outdated and insecure.
✗ Advertise every unused port into OSPF (wrong answer)
Why this is wrong here
OSPF runs on Layer 3 interfaces and advertises their subnets; a Layer 2 access port has no address to advertise. Putting unused interfaces into the routing domain adds nothing to Layer 2 hardening and does nothing to prevent a device plugged into an open port from obtaining link and sending frames.
★ When this WOULD be the correct answer
OSPF advertises the subnets of Layer 3 interfaces (routed ports, SVIs, loopbacks) so that other routers can reach them. Advertising a network is correct when a question asks how to make a connected subnet reachable across the routing domain. A Layer 2 access port has no IP address to advertise, and OSPF never changes whether a device can plug in and obtain link, so it is not a port-hardening measure.
Why candidates choose this
Students may associate OSPF with network security features like authentication, but OSPF advertisement is unrelated to switch port hardening.
Analysis generated from the official 200-301 blueprint and verified against question context.
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting options that involve enabling protocols or configurations unrelated to physical port security, such as enabling Telnet or advertising ports in OSPF. These options may seem to increase control or visibility but do not reduce the risk of unauthorized access through unused switch ports. Another trap is converting unused ports into trunk ports, which actually increases exposure by allowing multiple VLANs to traverse ports that should be inactive. The key mistake is confusing Layer 2 port hardening with Layer 3 routing or management protocol configurations, which do not address the fundamental risk of an active but unused physical port.
Detailed technical explanation
How to think about this question
Switch ports on Cisco devices operate at Layer 2 and are the physical access points through which devices join the network. Each active port is a potential entry point for an unauthorized user or device if it is left unsecured. By default a Catalyst access port is administratively up, in VLAN 1 and in DTP dynamic mode, so a port that nobody uses still forwards traffic for whatever is plugged into it.

Administratively shutting down an unused port (the `shutdown` interface command) keeps it administratively down: it will not bring up link, learn MAC addresses or forward frames, which removes that interface from the attack surface and blocks attacks that start with plugging in, such as MAC flooding or VLAN hopping. This follows Cisco's switch-hardening best practice. It is a logical control rather than a physical one: it does not stop someone plugging in a cable, it stops the cable from doing anything. Additional measures, such as assigning the port to an unused VLAN, forcing `switchport mode access` with `switchport nonegotiate`, enabling port security and applying ACLs, add defense in depth; the VLAN and DTP settings in particular make a later `no shutdown` safer.

In contrast, converting unused ports to trunk mode or advertising them into a routing protocol such as OSPF does not mitigate Layer 2 port exploitation and can increase complexity or exposure. A common exam trap is confusing Layer 2 port security with Layer 3 routing protocols or management protocols such as Telnet: enabling Telnet (a vty-line setting) or advertising interfaces into OSPF does not secure the port itself, and trunking an unused port unnecessarily exposes multiple VLANs. The practical behaviour on a Cisco switch is that an administratively shut port immediately stops passing traffic (`show interfaces status` lists it as `disabled`), which makes shutdown the most effective first step in securing unused ports and the one the CCNA security fundamentals expect.
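To make the hardening concrete, here is an added audit script (not code from the original page or from Cisco) that parses a constructed `show running-config` excerpt, flags every port not on the in-use list that is still administratively up or missing the companion settings (access mode, parking VLAN, DTP disabled), and emits the IOS commands to fix it. The running-config text, the in-use port list and the parking VLAN 999 are assumptions made for the example.

```python
"""Audit unused Cisco IOS access ports for administrative shutdown.
Added example, not from the original page or from Cisco; the config excerpt,
in-use list and parking VLAN are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed `show running-config` excerpt (not captured from a real switch).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to CORE-SW1
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 description UNUSED - shut per policy
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/5
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/6
!
"""
# Ports known to be patched and in use (assumed; normally taken from inventory).
IN_USE_PORTS = {"GigabitEthernet1/0/1"}
PARKING_VLAN = "999"  # assumed unused VLAN with no SVI and no other members


@dataclass
class Port:
    name: str
    lines: List[str] = field(default_factory=list)  # interface sub-commands, stripped

    @property
    def is_shut(self) -> bool:
        return "shutdown" in self.lines

    @property
    def access_vlan(self) -> str:
        for line in self.lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                return m.group(1)
        return "1"  # IOS default when no access VLAN is configured


def parse_interfaces(config: str) -> List[Port]:
    """Split a running-config into interface blocks; '!' or any unindented line ends a block."""
    ports: List[Port] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(maxsplit=1)[1].strip())
            ports.append(current)
        elif current is not None and raw.startswith(" "):
            current.lines.append(raw.strip())
        else:
            current = None
    return ports


def audit(config: str, in_use: set, parking_vlan: str = PARKING_VLAN) -> Dict[str, List[str]]:
    """Return {port: [issues]} for every port not in `in_use` that is not fully hardened.
    "not shut down" is the finding the exam question is about; the other checks are the
    companion settings that keep a later `no shutdown` from exposing a DTP-negotiable
    port in VLAN 1."""
    findings: Dict[str, List[str]] = {}
    for port in parse_interfaces(config):
        if port.name in in_use:
            continue
        issues = []
        if not port.is_shut:
            issues.append("not shut down")
        if "switchport mode access" not in port.lines:
            issues.append("no 'switchport mode access' (DTP may negotiate a trunk)")
        if "switchport nonegotiate" not in port.lines:
            issues.append("DTP not disabled")
        if port.access_vlan != parking_vlan:
            issues.append(f"in VLAN {port.access_vlan}, expected parking VLAN {parking_vlan}")
        if issues:
            findings[port.name] = issues
    return findings


def remediation(findings: Dict[str, List[str]], parking_vlan: str = PARKING_VLAN) -> List[str]:
    """Build the IOS commands that bring every flagged port to the hardened state."""
    cmds = ["configure terminal"]
    for name in findings:
        cmds += [f"interface {name}", " description UNUSED - shut per policy",
                 " switchport mode access", f" switchport access vlan {parking_vlan}",
                 " switchport nonegotiate", " shutdown"]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG, IN_USE_PORTS)
    for name, issues in result.items():
        print(f"{name}: {'; '.join(issues)}")
    print("\n".join(remediation(result)))
```

On the constructed config the audit flags Gi1/0/3 (up, in VLAN 10), Gi1/0/6 (completely default: up, VLAN 1, DTP dynamic) and Gi1/0/5 (shut, but a later `no shutdown` would leave it DTP-negotiable), while Gi1/0/4 passes. A running-config alone cannot tell you which ports are genuinely unused, which is why the in-use list comes from inventory rather than from the switch; `show interfaces status` showing `notconnect` for weeks is corroborating evidence, not proof.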
Key Concepts to Remember
- Administratively shutting down unused switch ports prevents unauthorized physical access and reduces the attack surface on a Cisco switch.
- Unused switch ports that remain active can be exploited by attackers to gain unauthorized network access or launch attacks such as VLAN hopping.
- Cisco best practices recommend disabling unused ports and applying port security features to harden switch infrastructure against unauthorized devices.
- Converting unused ports into trunk ports increases network complexity and exposure by allowing multiple VLANs to traverse ports that should remain inactive.
- Enabling Telnet on unused ports is insecure because Telnet transmits data in clear text and does not address physical port security.
- Advertising unused switch ports in OSPF is irrelevant because OSPF operates at Layer 3 and does not manage Layer 2 switch port states or security.
- Port security and administrative shutdown are fundamental Layer 2 security controls that complement Layer 3 controls such as ACLs and OSPF authentication; none of those higher-layer controls replace hardening the port itself.
- Disabling unused ports aligns with the principle of minimizing unnecessary network resources to reduce potential vulnerabilities and attack vectors.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Administratively shutting down unused switch ports prevents unauthorized physical access and reduces the attack surface on a Cisco switch.
Real-world example
How this comes up in practice
A network engineer audits an access switch in a branch office and finds that a dozen ports with nothing patched to them are still administratively up, in VLAN 1 and in the default DTP mode. Anyone who can reach a wall jack in the lobby or a meeting room could connect a laptop and obtain link. The engineer uses `interface range` to give those ports a description, set them to access mode in an unused VLAN, disable DTP negotiation and shut them down, then confirms with `show interfaces status` that they show as disabled. When a new device is provisioned later, the port is re-enabled deliberately rather than found already open.
What to study next
Got this wrong? Here's your next step.
Review why administratively shutting down unused switch ports prevents unauthorized access and reduces the attack surface on a Cisco switch, then practise related 200-301 questions on the same topic to reinforce the concept.
- Network Services and Security study guide chapter: learn the concepts, then practise the questions
- Network Services and Security practice questions: targeted practice on this topic area only
- All 200-301 questions: 1,819 questions across all exam domains
- CCNA 200-301 v2 study guide: full concept coverage aligned to exam objectives
- 200-301 practice test guide: how to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Services and Security. This question tests whether you know that administratively shutting down unused switch ports prevents unauthorized access and reduces the attack surface on a Cisco switch.
What is the correct answer to this question?
The correct answer is: Administratively shut down unused switch ports — The best action is to administratively disable unused ports and apply hardening where appropriate. In plain language, an unused port is still a possible entry point if it remains active and unmonitored. Shutting it down reduces exposure and aligns with the broader principle of minimizing unnecessary attack surface. This is a simple but effective part of switch hardening. Leaving unused ports active may feel convenient, but it creates opportunities for unauthorized connections. The correct answer is the one focused on disabling resources that are not needed rather than on unrelated technologies.
What should I do if I get this 200-301 question wrong?
Review why administratively shutting down unused switch ports prevents unauthorized access and reduces the attack surface on a Cisco switch, then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Administratively shutting down unused switch ports prevents unauthorized physical access and reduces the attack surface on a Cisco switch.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.