The network security policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should shut down. Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy? (Choose two.)

A.
Switch1 (config-if)# switchport port-security violation shutdown.

B.
Switch1(config)# mac-address-table secure

C.
Switch1 (config-if)# switchpoit port-security maximum 1

D.
Switch1 (config)# access-list 10 permit ip host

E.
Switch1 (config-if)# ip access-group 10

Explanation:
Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it with the following interface configuration command:
Switch(config-if)# switchport port-security
Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be dynamically learned from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface configuration command:
Switch(config-if)# switchport port-security maximum max-addr

Finally, you must define how each interface using port security should react if a MAC address is in violation by using the following interface configuration command: Switch(config-if)# switchport port-security violation {shutdown | restrict | protect)

A violation occurs if more than the maximum number of MAC addresses are learned, or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:
shutdownThe port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again.
restrictThe port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can
send an SNMP trap and a syslog message as an alert of the violation.
protectThe port is allowed to stay up, as in the restrict mode. Although packets from
violating addresses are dropped, no record of the violation is kept.