DHCP questions cover server configuration, relay agents (ip helper-address), DHCP snooping, and the four-step DORA handshake. Common exam scenarios: a host isn't getting an IP, a relay agent isn't forwarding requests, or a rogue DHCP server is handing out wrong addresses.
Start Scenario PracticeYour company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?
Explanation: The DHCP snooping feature treats all ports as untrusted by default, which means DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) are dropped on untrusted ports. Since the DHCP server is connected to a trunk port and DHCPACK messages are being dropped, that trunk port must be explicitly configured as a trusted port for DHCP snooping using the 'ip dhcp snooping trust' interface command. This allows legitimate DHCP server responses to reach clients, resolving the duplicate IP address issue caused by clients not receiving their assigned addresses.
A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?
Explanation: Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.
Refer to the exhibit. A network administrator notices that some DHCP packets are being dropped due to 'MAC Address Mismatch'. What is the most likely cause of this drop?
Explanation: The DHCP snooping feature on a switch compares the source MAC address in the Ethernet frame with the chaddr (client hardware address) field inside the DHCP packet. When a DHCP client sends a packet with a different MAC in the frame than in the chaddr field, the switch considers it a 'MAC Address Mismatch' and drops the packet. This security mechanism prevents a rogue client from spoofing another device's MAC address to obtain a lease.
A network engineer is configuring a Cisco router as a DHCP relay agent to forward DHCP requests from a client VLAN to a centralized DHCP server located in a different subnet. The engineer configures the ip helper-address command on the VLAN interface. However, clients in the VLAN are not receiving IP addresses. The DHCP server is reachable from the router. What is the most likely cause?
Explanation: The ip helper-address command forwards DHCP broadcasts as unicasts to the specified server. If the DHCP server receives the request but the reply cannot be routed back to the client, the client will not get an address. This often happens when the router does not have a route back to the client subnet.
A network engineer is troubleshooting a DHCP issue on a Cisco router configured as a DHCP server for a VLAN. Clients in the VLAN are able to obtain IP addresses from the DHCP server, but they are not receiving the correct DNS server address. The engineer checks the DHCP pool configuration and sees the dns-server command is configured with the correct IP address. What is the most likely cause of the problem?
Explanation: The DHCP server configuration appears correct, but the clients are not receiving the DNS server address. This often happens when the DHCP server is not the default gateway and DHCP relay is involved, or when the DHCP pool is not bound to the correct interface.
+10 more scenario questions available
Practice all DHCP Troubleshooting ScenariosDHCP questions cover server configuration, relay agents (ip helper-address), DHCP snooping, and the four-step DORA handshake. Common exam scenarios: a host isn't getting an IP, a relay agent isn't forwarding requests, or a rogue DHCP server is handing out wrong addresses. These appear throughout the 350-401 and require you to apply your knowledge, not just recall facts.
Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the 350-401. Practicing each scenario type ensures you're ready for any format.
Yes. Courseiva provides free 350-401 scenario practice across all official exam domains. The platform includes scenario-based questions, command-output interpretation, topic-based practice, mock exams, and readiness tracking — no account required.
Launch a full DHCP Troubleshooting Scenarios session with instant scoring and detailed explanations.
Start Scenario Practice →