Cisco Catalyst port security policy: You must permit exactly one host to learn dynamically on each access interface and shut the port on any violation. Which two interface-level commands meet this requirement?

Introduction / Context:
Catalyst switches can limit the number of MAC addresses learned per access port to mitigate MAC flooding and unauthorized device attachment. Enforcing “exactly one host” per interface and shutting the port on violations is a classic use of port security.

Given Data / Assumptions:

• The goal is one dynamically learned MAC per access port.
• On violation, the port must transition to an error-disabled state (shutdown).
• Configuration is at the interface level for port security behavior.

Concept / Approach:
Port security is configured under the interface with switchport port-security options. Two key knobs are the maximum number of MACs and the violation action. To actually enable port security, you also use switchport port-security (base command). Among the options provided, only the maximum limiter and violation action are relevant interface-level commands.

Step-by-Step Solution:

Verification / Alternative check:
Use show port-security interface to confirm the maximum and violation mode, and test with a second host to see the port error-disable.

Why Other Options Are Wrong:

• ip access-group 10: Applies an ACL at Layer 3/4; not port security.
• access-list 10 permit ip host 1: Irrelevant and syntactically incomplete.
• mac-address-table secure: Not a valid global configuration command for this purpose.

Common Pitfalls:
Forgetting the base switchport port-security command; using sticky without understanding persistence; applying ACLs instead of port security.

Final Answer:
Switch(config-if)# switchport port-security maximum 1 and Switch(config-if)# switchport port-security violation shutdown