- A
It reduces the attack surface by removing unnecessary network entry points.
This is correct because an unused enabled port is an unnecessary risk that can be eliminated by shutting it down.
- B
It increases available bandwidth on the switch backplane.
Why wrong: This is wrong because disabling ports does not change backplane bandwidth.
- C
It enables 802.1Q trunking on all remaining ports.
Why wrong: This is wrong because shutting down a port has no effect on trunk configuration of other ports.
- D
It forces port security to activate automatically.
Why wrong: This is wrong because port security must be configured explicitly and does not activate from a shutdown.
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Why is administratively shutting down unused switch ports considered a useful hardening measure?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
It reduces the attack surface by removing unnecessary network entry points.
Unused active ports create unnecessary opportunity for unauthorized connection. Disabling them reduces the attack surface and makes opportunistic access much harder. Option B is incorrect because administratively shutting down a port does not increase backplane bandwidth; bandwidth is a fixed hardware characteristic. Option C is incorrect because shutting down ports does not enable 802.1Q trunking; trunking is configured separately. Option D is incorrect because port security must be explicitly enabled; it is not activated automatically by shutting down ports.
Key principle: Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
It reduces the attack surface by removing unnecessary network entry points.
Why this is correct
This is correct because an unused enabled port is an unnecessary risk that can be eliminated by shutting it down.
Related concept
Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.
- ✗
It increases available bandwidth on the switch backplane.
Why it's wrong here
This is wrong because disabling ports does not change backplane bandwidth.
When this WOULD be correct
In a question focused on optimizing network performance, such as 'What actions can improve the overall bandwidth efficiency of a switch?', this option could be correct if it specifies that shutting down unused ports can help allocate resources more effectively by reducing unnecessary traffic on the switch.
- ✗
It enables 802.1Q trunking on all remaining ports.
Why it's wrong here
This is wrong because shutting down a port has no effect on trunk configuration of other ports.
When this WOULD be correct
In a question focused on VLAN configuration, where the context is about optimizing trunking capabilities across a switch, stating that enabling 802.1Q trunking on all remaining ports is correct could be valid. For example, if the question asks how to ensure that all active ports can handle multiple VLANs efficiently, this option could be correct.
- ✗
It forces port security to activate automatically.
Why it's wrong here
This is wrong because port security must be configured explicitly and does not activate from a shutdown.
When this WOULD be correct
In a question asking about the benefits of enabling port security on a switch, one might state that shutting down unused ports can help ensure that port security is enforced on active ports, as it reduces the risk of unauthorized access through unused ports.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓It reduces the attack surface by removing unnecessary network entry points.Correct answer▾
Why this is correct
This is correct because an unused enabled port is an unnecessary risk that can be eliminated by shutting it down.
✗It increases available bandwidth on the switch backplane.Wrong answer — click to see why▾
Why this is wrong here
This option is incorrect because shutting down unused switch ports does not directly increase available bandwidth; rather, it is a security measure to minimize potential vulnerabilities. Bandwidth on the switch backplane is determined by the overall switch architecture and the active ports' configurations, not by disabling unused ports.
★ When this WOULD be the correct answer
In a question focused on optimizing network performance, such as 'What actions can improve the overall bandwidth efficiency of a switch?', this option could be correct if it specifies that shutting down unused ports can help allocate resources more effectively by reducing unnecessary traffic on the switch.
Why candidates choose this
Candidates may be tempted by this option because they associate port management with performance improvements, leading them to believe that disabling ports could somehow enhance bandwidth availability.
✗It enables 802.1Q trunking on all remaining ports.Wrong answer — click to see why▾
Why this is wrong here
This option is wrong because administratively shutting down unused switch ports does not enable 802.1Q trunking; trunking is a configuration that allows multiple VLANs to traverse a single physical link, which is unrelated to the status of unused ports.
★ When this WOULD be the correct answer
In a question focused on VLAN configuration, where the context is about optimizing trunking capabilities across a switch, stating that enabling 802.1Q trunking on all remaining ports is correct could be valid. For example, if the question asks how to ensure that all active ports can handle multiple VLANs efficiently, this option could be correct.
Why candidates choose this
Candidates may choose this option due to a misunderstanding of the relationship between port status and VLAN configurations, mistakenly believing that shutting down ports directly facilitates trunking capabilities.
✗It forces port security to activate automatically.Wrong answer — click to see why▾
Why this is wrong here
This option is wrong because administratively shutting down unused switch ports does not automatically activate port security; it is a separate configuration that must be enabled explicitly on the switch.
★ When this WOULD be the correct answer
In a question asking about the benefits of enabling port security on a switch, one might state that shutting down unused ports can help ensure that port security is enforced on active ports, as it reduces the risk of unauthorized access through unused ports.
Why candidates choose this
Candidates may choose this option because they associate port security with overall network security and might mistakenly believe that shutting down ports triggers security features automatically, reflecting a misunderstanding of how these configurations interact.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Do not confuse port shutdown with network performance improvements or IP address management. Focus on security implications.
Detailed technical explanation
How to think about this question
Administratively shutting down unused switch ports is a fundamental security hardening technique in Cisco networking. Switch ports that are enabled but unused represent potential entry points for unauthorized devices, which can lead to network breaches or attacks. By disabling these ports, network administrators effectively reduce the attack surface, limiting opportunities for rogue devices to connect and exploit the network. This practice aligns with the principle of least privilege, ensuring only necessary network access is available. The decision to administratively shut down unused ports is based on the understanding that an active port, even if unused, can be exploited by attackers to gain physical access to the network. Cisco switches allow administrators to disable ports using the "shutdown" command in interface configuration mode, which prevents any traffic from passing through. This measure does not affect the switch’s backplane bandwidth or trunking configurations but strictly controls physical access points. It complements other security features like port security but does not replace them. A common exam trap is confusing the effect of shutting down ports with enabling other features such as automatic port security activation or bandwidth improvements. Disabling a port simply prevents any device from connecting through it; it does not automatically configure security policies or enhance switch performance. Understanding this distinction helps avoid selecting incorrect answers that imply additional functionality beyond the scope of administrative shutdown. Practically, this control is a straightforward, effective way to reduce unauthorized access risks without impacting legitimate network operations.
KKey Concepts to Remember
- Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.
- Cisco switches use the shutdown command in interface configuration mode to disable ports, stopping all traffic and access through those ports.
- Disabling unused ports does not affect switch backplane bandwidth or enable features like 802.1Q trunking on other ports.
- Port security features must be explicitly configured and do not activate automatically when a port is administratively shut down.
- Reducing the attack surface by disabling unused ports aligns with the principle of least privilege in network security.
- Leaving unused ports enabled increases risk without providing any operational benefit, making the network more vulnerable to opportunistic attacks.
- Administratively shutting down ports is a simple but effective hardening control that complements other security mechanisms like ACLs and port security.
- Understanding the difference between physical port state and security feature activation is critical to correctly answering CCNA exam questions on switch hardening.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
What to study next
Got this wrong? Here's your next step.
Review administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Network Services and Security — study guide chapter
Learn the concepts, then practise the questions
- →
Network Services and Security practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Services and Security — This question tests Network Services and Security — Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors..
What is the correct answer to this question?
The correct answer is: It reduces the attack surface by removing unnecessary network entry points. — Unused active ports create unnecessary opportunity for unauthorized connection. Disabling them reduces the attack surface and makes opportunistic access much harder. Option B is incorrect because administratively shutting down a port does not increase backplane bandwidth; bandwidth is a fixed hardware characteristic. Option C is incorrect because shutting down ports does not enable 802.1Q trunking; trunking is configured separately. Option D is incorrect because port security must be explicitly enabled; it is not activated automatically by shutting down ports.
What should I do if I get this 200-301 question wrong?
Review administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors., then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Administratively shutting down unused switch ports prevents unauthorized devices from physically connecting to the network, reducing potential attack vectors.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.