The correct answer is that the third device’s traffic will be dropped and a syslog message will be generated. This occurs because port security with a VoIP phone MAC limit enforces a maximum number of allowed MAC addresses on the access port, which already includes the phone’s MAC and the connected PC’s MAC. When a third device connects to the phone’s passthrough port, it introduces an additional MAC, exceeding the configured limit, and the switch’s default violation mode (typically ‘restrict’) discards the offending frames while logging the event via syslog, without error-disabling the port. On the Systems Security Certified Practitioner SSCP exam, this scenario tests your understanding of how port security interacts with VoIP daisy-chaining—a common trap is assuming the violation mode always shuts down the port, but ‘restrict’ or ‘protect’ silently drops traffic and logs it. Remember the memory tip: “Three’s a crowd—restrict logs, protect drops, shutdown locks.”
SSCP Network and Communications Security Practice Question
This SSCP practice question tests your understanding of network and communications security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
A network administrator configured the above port security on an access port connected to a VoIP phone and a PC. A third device is connected to the phone's passthrough port. What will happen when the third device attempts to communicate?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The third device's traffic will be dropped, and a syslog message will be generated.
The port security configuration on the access port has a maximum MAC address count that includes the VoIP phone's MAC address. When a third device connects to the phone's passthrough port, it introduces an additional MAC address, exceeding the configured limit. The switch will then drop traffic from the third device and generate a syslog message, as the default violation mode is 'restrict' (or 'protect' depending on the configuration), which does not error-disable the port but discards offending frames and logs the event.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The third device will be allowed to communicate because the phone's MAC is not counted.
Why it's wrong here
The phone's MAC is counted; the limit is 2, so the third is denied.
✓
The third device's traffic will be dropped, and a syslog message will be generated.
Why this is correct
'Restrict' drops excess traffic and logs the violation.
Related concept
Read the scenario before looking for a memorised answer.
✗
The port will be error-disabled.
Why it's wrong here
Only 'shutdown' violation mode causes error-disable.
✗
The port will remain up but all traffic will be dropped.
Why it's wrong here
Only the third device's traffic is dropped, not all.
Common exam traps
Common exam trap: answer the scenario, not the keyword
ISC2 often tests the misconception that the VoIP phone's MAC address is not counted toward port security limits, leading candidates to incorrectly choose that the third device is allowed, when in fact the phone's MAC is always counted unless a specific 'voice VLAN' exception is configured (which is not the case here).
Detailed technical explanation
How to think about this question
Port security uses the 'switchport port-security' command with a maximum MAC address count (e.g., 2) and a violation mode (default is 'shutdown' on many Cisco switches, but 'restrict' or 'protect' can be configured). In 'restrict' mode, the switch drops frames from unknown MAC addresses and sends a syslog message, while 'protect' drops silently. The VoIP phone's MAC is learned on the port and counts toward the limit, and the PC's MAC is also learned; a third device's MAC violates the limit, triggering the configured action. In real-world scenarios, this prevents unauthorized devices from using the network via a phone's passthrough port.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Network and Communications Security — This question tests Network and Communications Security — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The third device's traffic will be dropped, and a syslog message will be generated. — The port security configuration on the access port has a maximum MAC address count that includes the VoIP phone's MAC address. When a third device connects to the phone's passthrough port, it introduces an additional MAC address, exceeding the configured limit. The switch will then drop traffic from the third device and generate a syslog message, as the default violation mode is 'restrict' (or 'protect' depending on the configuration), which does not error-disable the port but discards offending frames and logs the event.
What should I do if I get this SSCP question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This SSCP practice question is part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SSCP exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.