What does switchport port-security primarily protect against on an access port?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Unauthorized MAC addresses appearing on the port
Correct. That is the main purpose of port security.
Distractor review
OSPF route flapping
OSPF behavior is unrelated to host-facing switch port security.
Distractor review
DNS spoofing across the enterprise
Port security does not solve network-wide DNS threats.
Distractor review
Wireless rogue APs on every VLAN
Rogue AP detection is a different security control.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is mistaking switchport port-security for a solution to routing protocol instability or enterprise-wide threats like DNS spoofing or rogue wireless access points. Candidates might incorrectly associate port-security with OSPF route flapping or wireless rogue AP detection because these are common network security concerns. However, port-security strictly limits MAC addresses on a Layer 2 access port and does not interact with Layer 3 routing protocols or wireless security controls. Misunderstanding this scope leads to selecting incorrect answers that describe unrelated network issues, so it is critical to focus on port-security’s role in controlling physical device access via MAC addresses.
Technical deep dive
How to think about this question
Switchport port-security is a Layer 2 security feature on Cisco switches that restricts input to an access port by limiting and identifying the MAC addresses of the devices allowed to connect. It primarily protects against unauthorized devices connecting to the network through that port by controlling which MAC addresses are permitted. This helps prevent MAC flooding attacks and unauthorized endpoint access, which can compromise network integrity and security.

When port-security is enabled on an access port, the switch can be configured to allow a specific number of MAC addresses, either learned dynamically or statically assigned. If a device with an unauthorized MAC address attempts to connect, the switch can take predefined actions such as shutting down the port, restricting traffic, or generating alerts. This mechanism enforces strict control over endpoint access at the switch port level, effectively mitigating risks from rogue devices.

A common exam trap is confusing port-security with protections against routing protocol issues or broader network threats like DNS spoofing or rogue wireless APs. Port-security only controls MAC address access on a physical switch port and does not influence Layer 3 routing protocols like OSPF or enterprise-wide DNS security. Understanding this scope helps avoid selecting incorrect answers related to routing or wireless threats, which are outside port-security’s function.
Key Concepts to Remember
- Switchport port-security limits the number of MAC addresses allowed on a Layer 2 access port to prevent unauthorized device connections.
- Port-security can be configured to learn MAC addresses dynamically or use statically assigned addresses for stricter control.
- When an unauthorized MAC address is detected, port-security can shut down the port, restrict traffic, or generate alerts based on the configured violation mode.
- Port-security protects against MAC flooding attacks that attempt to overwhelm the switch’s CAM table and disrupt network traffic.
- Port-security operates only on Layer 2 access ports and does not affect Layer 3 routing protocols such as OSPF or EIGRP.
- Port-security does not provide protection against enterprise-wide threats like DNS spoofing or wireless rogue access points.
- Understanding the scope of port-security helps avoid confusing it with other security controls that manage routing stability or wireless security.
- Port-security is a fundamental control to enforce endpoint device authentication at the switch port level in Cisco networks.
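The deep dive and the key concepts above describe three behaviours: a per-port limit on secure MAC addresses, dynamic or static learning up to that limit, and a configured violation mode. The toy model below is an added example, not code from the original page or from Cisco; it simulates those behaviours in Python so you can see how protect, restrict and shutdown differ when a third MAC appears on a port whose maximum is 2, and why a MAC flooding attempt only ever fills the secure address table up to the maximum. The IOS commands quoted in the docstring are the standard port-security syntax this model mirrors; the port name, MAC addresses and frame counts are constructed sample values.

```python
"""Toy model of switchport port-security on a Cisco access port.

Added example, not the page's or Cisco's code. It mirrors an access port
configured like this (standard IOS syntax, assumed as the reference setup):

    interface GigabitEthernet0/1
     switchport mode access
     switchport port-security
     switchport port-security maximum 2
     switchport port-security violation restrict
     switchport port-security mac-address sticky
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port-security enabled (simplified model)."""
    name: str
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Statically configured secure MAC; it counts toward the maximum."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address limit already reached")
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac: str) -> bool:
        """Process one frame from src_mac. True = forwarded, False = dropped."""
        if self.err_disabled:
            return False                      # err-disabled port passes nothing
        mac = src_mac.lower()
        if mac in self.secure_macs:
            return True                       # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)         # dynamic (sticky-style) learning
            return True
        # A new MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return False                      # silently dropped: no counter, no log
        self.violation_count += 1             # restrict and shutdown both count and log
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac} on port {self.name}."  # modelled on IOS wording
        )
        if self.violation == "shutdown":
            self.err_disabled = True          # port goes err-disabled until reset by an admin
        return False


def run_scenario(mode: str) -> dict:
    """Two authorised hosts connect, then a third MAC shows up; report what happened."""
    port = SecurePort("GigabitEthernet0/1", maximum=2, violation=mode)
    authorised = ["0011.2233.4455", "0011.2233.4466"]   # constructed sample MACs
    rogue = "dead.beef.0001"                              # constructed sample MAC
    first = [port.ingress(m) for m in authorised]
    rogue_forwarded = port.ingress(rogue)
    # Does an already-authorised host still get through after the violation?
    authorised_after = port.ingress(authorised[0])
    return {
        "authorised_forwarded": all(first),
        "rogue_forwarded": rogue_forwarded,
        "authorised_after": authorised_after,
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
        "learned": sorted(port.secure_macs),
    }


def mac_flood(port: SecurePort, frames: int) -> int:
    """Send `frames` frames, each with a fresh source MAC; return how many were learned."""
    for i in range(frames):
        port.ingress(f"0000.{i >> 16:04x}.{i & 0xFFFF:04x}")  # constructed unique MACs
    return len(port.secure_macs)


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
    flooded = SecurePort("GigabitEthernet0/2", maximum=2, violation="restrict")
    print("learned after flood:", mac_flood(flooded, 1000), "violations:", flooded.violation_count)
```

Running the scenario shows the distinction the exam cares about: in protect mode the rogue frame is dropped with no trace, in restrict mode it is dropped and counted and logged while the authorised hosts keep working, and in shutdown mode the whole port goes err-disabled so even the authorised hosts lose connectivity until an administrator resets it. The flood run shows that however many source MACs arrive, only `maximum` of them ever reach the CAM table through that port.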
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Switchport port-security limits the number of MAC addresses allowed on a Layer 2 access port to prevent unauthorized device connections.
What is the correct answer to this question?
The correct answer is: Unauthorized MAC addresses appearing on the port — Port security limits which MAC addresses can use an access port, helping prevent rogue endpoint attachment and simple CAM table abuse.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.