CCNA 200-301, Chapter 119 of 260

CCNA Exam Traps Mega Review

The CCNA 200-301 exam is notorious for its trap questions—questions designed to test not just whether you know a concept, but whether you can spot the subtle twist that makes an otherwise correct-looking answer wrong. This chapter is a dedicated trap-busting session covering the most frequent exam pitfalls across IOS operations, switching, routing, and troubleshooting. Mastering these traps separates a borderline pass from a confident pass. Exam objective: General CCNA knowledge—applied across all domains.

25 min read
Intermediate
Updated May 31, 2026

The Airport Security Checkpoint

Imagine you are a TSA agent at a busy airport. Your job is to check passengers' boarding passes and IDs before they enter the secure zone. The boarding pass has the flight number, gate, and time. The ID has the passenger's name and photo. You must verify that the name on the boarding pass matches the name on the ID. This is exactly how a router processes an IP packet: it checks the destination IP address (the flight number) against the routing table (the gate assignments). But here's the trap: sometimes a passenger shows up with a boarding pass that says 'Gate C7', and the gate sign also says 'C7', yet the flight is actually departing from C8 because the gate was changed. In networking terms, the routing table may have an entry for a network, but the next-hop router might be unreachable, or the exit interface might be down. The TSA agent (the router) does not re-check the actual flight status; it just trusts the boarding pass. Similarly, a router does not verify that the next hop is actually reachable before forwarding—it relies on the routing protocol's convergence. Another trap: the passenger has a valid ID but the boarding pass is for a flight that already departed. That's like a packet with a TTL of 1 arriving at a router—it gets dropped, even if the route is perfect. The TSA agent must also check the time. So, in both cases, multiple fields must be valid simultaneously: destination, next-hop reachability, and TTL. The exam loves to present a scenario where one field is bad but the others are good, and asks what happens.

How It Actually Works

What Are Exam Traps and Why Do They Exist?

Cisco exam writers deliberately include questions that test your depth of understanding, not just surface-level memorization. A trap question presents a scenario where an obvious answer is wrong because of a subtle detail—a default timer, a specific IOS behavior, a protocol state, or a command nuance. The goal is to separate candidates who truly understand the technology from those who crammed facts without context.

Common trap categories include:

- Default values: Candidates assume a non-default value (e.g., the OSPF reference bandwidth default is 100 Mbps, but modern exam scenarios often use 1000 Mbps).
- State confusion: Forgetting that a protocol must be in a specific state before it can do something (e.g., OSPF must reach FULL before exchanging LSAs).
- Order of operations: The sequence in which IOS processes features (e.g., for inside-to-outside traffic the routing lookup happens before NAT, and an inbound ACL is checked before NAT).
- Layer mismatch: Applying a Layer 2 concept to Layer 3 or vice versa (e.g., thinking a switch's MAC address table works like a router's routing table).
- Command syntax: Using the wrong keyword or forgetting a mandatory parameter (e.g., ip nat inside source list 1 interface GigabitEthernet0/1 overload — leaving off overload is a common mistake).

How Traps Work at the Packet/Frame Level

Consider a classic trap: "A router receives an IP packet with destination 10.1.1.1. The routing table has a route to 10.1.1.0/24 via GigabitEthernet0/0. What does the router do?" The obvious answer is "forward out G0/0." But the trap: the packet's TTL is 1. The router decrements TTL to 0 and drops the packet, sending an ICMP Time Exceeded message. The question might not mention TTL—you must infer it from the context (e.g., the packet came from a traceroute).
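The forwarding decision behind that trap, as an added Python simulation that is not part of the original chapter: a constructed routing table, a longest-prefix-match lookup, and the TTL check that drops the packet even though a matching route exists. The prefixes and interface names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table (not from a real device): prefix -> exit interface.
ROUTES = [
    ("0.0.0.0/0",   "GigabitEthernet0/1"),  # default route, shortest prefix
    ("10.1.0.0/16", "GigabitEthernet0/2"),
    ("10.1.1.0/24", "GigabitEthernet0/0"),  # most specific match for 10.1.1.x
]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str


@dataclass(frozen=True)
class Verdict:
    action: str             # "forward" or "drop"
    egress: Optional[str]   # exit interface when forwarding
    ttl_out: Optional[int]  # TTL written into the forwarded packet
    icmp: Optional[str]     # ICMP message returned to the source, if any


class Router:
    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: among routes covering dst, the longest mask wins."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def forward(self, dst: str, ttl: int) -> Verdict:
        """Decide what happens to a packet with destination dst and incoming TTL ttl.

        Simplified model: route lookup, then TTL check. A real forwarding plane
        runs more checks (ACLs, NAT, ...), but these two are the trap in question.
        """
        route = self.lookup(dst)
        if route is None:
            return Verdict("drop", None, None, "Destination Unreachable (no route)")
        # The trap: the route is perfect, yet TTL 1 decrements to 0 and the packet dies.
        if ttl <= 1:
            return Verdict("drop", None, None, "Time Exceeded (TTL expired in transit)")
        return Verdict("forward", route.egress, ttl - 1, None)


if __name__ == "__main__":
    r = Router(ROUTES)
    print(r.forward("10.1.1.1", 64))  # forwarded out Gi0/0 with TTL 63
    print(r.forward("10.1.1.1", 1))   # dropped: Time Exceeded despite the /24 route
```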

Another trap: "A switch receives a frame with destination MAC 0000.1111.2222. The MAC address table shows this MAC on port Fa0/1. What does the switch do?" The obvious answer: "forward out Fa0/1." But if the frame arrived on Fa0/1 itself, the switch does nothing—it drops the frame because the source and destination are on the same port. This is called "same-interface forwarding" and is a common exam trap.
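The switch side of the same kind of trap, as an added Python model that is not from the original chapter; it also covers the unknown-unicast flooding rule revisited later under Easy to Mix Up. The MAC addresses and port names are constructed.

```python
from typing import Dict, List

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet is set (true for broadcast too)."""
    return int(mac[:2], 16) & 1 == 1


class Switch:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}  # MAC -> port it was learned on

    def _flood(self, in_port: str) -> List[str]:
        """Send out every port except the one the frame arrived on."""
        return [p for p in self.ports if p != in_port]

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the ports the frame is transmitted on; an empty list means dropped."""
        # 1. Learn (or refresh) the source MAC against the ingress port.
        self.mac_table[src_mac] = in_port
        # 2. Broadcast and multicast frames are always flooded.
        if is_multicast(dst_mac):
            return self._flood(in_port)
        # 3. Unknown unicast: destination not in the table, so flood it.
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            return self._flood(in_port)
        # 4. The trap: destination is known but lives on the ingress port, so filter it.
        if out_port == in_port:
            return []
        # 5. Known unicast on another port: forward only there.
        return [out_port]


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "0000.1111.2222", "0000.3333.4444"))  # unknown -> flood
    print(sw.receive("Fa0/2", "0000.3333.4444", "0000.1111.2222"))  # known -> ['Fa0/1']
    sw.receive("Fa0/1", "0000.5555.6666", BROADCAST)                # second host on Fa0/1 (hub)
    print(sw.receive("Fa0/1", "0000.1111.2222", "0000.5555.6666"))  # same port -> []
```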

Key States, Timers, and Defaults

Memorize these exact values—they are trap magnets:

- OSPF dead interval: 4x hello interval (default hello 10s, dead 40s for broadcast; hello 30s, dead 120s for non-broadcast).
- EIGRP hold time: 3x hello interval (default hello 5s, hold 15s for high-speed links; hello 60s, hold 180s for low-speed).
- STP timers: Hello 2s, Max Age 20s, Forward Delay 15s. These are defaults and can be changed with spanning-tree vlan vlan-id hello-time seconds.
- VLAN 1: Default VLAN and native VLAN on trunk ports. Cannot be deleted, but can be renamed.
- CDP timer: Default 60 seconds, holdtime 180 seconds.
- LLDP timer: Default 30 seconds, holdtime 120 seconds.
- MAC address table aging: Default 300 seconds (5 minutes) for dynamic entries.
- ARP cache timeout: Default 4 hours for entries learned via ARP (but may vary by platform).
- NAT translation timeout: Default 24 hours for static, 300 seconds (5 min) for dynamic with overload.

IOS CLI Verification Commands

Use these commands to verify and troubleshoot—exam questions often ask what output a specific command produces:

show ip route [connected | static | ospf | eigrp]
show ip interface brief
show interfaces [interface]
show mac address-table
show spanning-tree [vlan vlan-id]
show vlan brief
show cdp neighbors [detail]
show lldp neighbors [detail]
show ip nat translations
show ip arp
show running-config | section [feature]
show ip protocols
show ip ospf neighbor
show ip eigrp neighbors
show ip bgp summary

How Traps Interact with Related Protocols

Traps often combine multiple protocols. For example: "PC1 sends a ping to PC2 across two routers. The ping fails. What could be the issue?" The answer might be that an ACL on the first router blocks ICMP, or that the second router has no route back. But a subtle trap: the first router has a default route, but the second router does not have a route for the source network—so the return packet is dropped. This is an asymmetric routing trap. Another common combo: an OSPF neighbor not forming because of an MTU mismatch (OSPF sends DBD packets; if the MTUs mismatch, the neighbor stays in EXSTART/EXCHANGE).

Trap Patterns for Specific Topics

VLAN trunking: The native VLAN must match on both ends, or CDP/VTP/STP BPDUs will be misdirected. Exam trap: "Trunk is up, but no traffic passes." Check native VLAN mismatch.

Port security: Violation modes (shutdown, restrict, protect). Trap: "shutdown" error-disables the port; "restrict" drops offending frames but keeps port up; "protect" drops but does not log.

EtherChannel: All ports must have same config (speed, duplex, VLAN, trunk mode). Trap: one port is in a different VLAN—bundle fails.

HSRP/VRRP/GLBP: Virtual IP must be in the same subnet as the physical interfaces. Trap: virtual IP is on a different subnet—no standby.

NTP: Stratum levels; client-server vs. symmetric active. Trap: NTP server not reachable—clock not synchronized.

Syslog: Severity levels (0-7). Trap: "logging trap 4" means send messages with severity 0-4.

SNMP: Versions (v1, v2c, v3) and security. Trap: v2c uses community strings in clear text; v3 has authentication and encryption.

QoS: Classification vs. marking; trust boundaries. Trap: trusting DSCP on an access port from an untrusted device.

Common Exam Traps Summary Table

| Trap Topic | The Trap | The Truth |
|---|---|---|
| OSPF network type | Default is broadcast on Ethernet | Non-broadcast on Frame Relay (legacy) |
| EIGRP stub | Stub router does not advertise routes | Stub router only advertises connected and summary |
| STP port roles | Root port vs. designated port | Root port is closest to root; designated port is best on segment |
| VLAN 1 | Can be deleted | Cannot be deleted |
| Native VLAN | Must match on both ends | Mismatch causes BPDU misplacement |
| Access port | Trunking disabled | Still sends CDP/LLDP/DTP frames |
| DTP | Dynamic desirable vs. dynamic auto | Dynamic desirable actively sends DTP; dynamic auto passively waits |
| Autonegotiation | Speed and duplex | If one side is fixed, the other side may mismatch (half/full duplex) |
| TTL | Starts at 255 | Actually starts at 255 for most OS, but some use 128 or 64 |
| NAT order | NAT before routing | Actually: routing first, then NAT (for inside-to-outside) |

Conclusion

To beat exam traps, you must go beyond memorization. Understand the why behind each default, the order of operations, and the exact state machines. When you see a question that looks too easy, pause—there is likely a twist. Check for TTL, MTU, native VLAN, duplex mismatch, and protocol states. Use the process of elimination: if two answers seem plausible, look for the one that matches IOS behavior exactly, not what you think should happen.

Walk-Through

1. Apply the Process of Elimination

When you are stuck between two answers, use elimination. Cross out answers that are clearly wrong: those that contradict IOS behavior, use incorrect terminology, or reference non-existent features. Then, among the remaining, pick the one that matches the specific detail in the question. For example, if the question says 'the router receives a packet with TTL 1', the answer must mention that the router decrements TTL to 0 and drops the packet. If one answer says 'forwards the packet', eliminate it. Another elimination rule: if an answer says 'the switch floods the frame' but the destination MAC is known, that is wrong. Also, watch for answers that are partially correct but miss a key detail, like 'OSPF neighbor is stuck in ExStart because of MTU mismatch'. That is correct on its own, but if the question says 'hello timer mismatch', that is not a cause for ExStart; a hello mismatch causes the neighbor relationship not to form at all.

What This Looks Like on the Job

In enterprise networks, exam traps often become real-world outages. Consider a network engineer who configured a new VLAN 100 on a trunk. They added it to the allowed list on both switches, but forgot to create VLAN 100 on one switch. The result: hosts in VLAN 100 can't communicate, and the engineer spends hours troubleshooting. The exam trap: 'which command verifies VLAN creation?' The answer is 'show vlan brief'. If the VLAN is missing, it won't appear.

Another real-world scenario: a company uses HSRP with a virtual IP of 10.1.1.1. The engineer configures the physical interface addresses as 10.1.1.2 on one router and 10.1.1.3 on the other, so both physical interfaces and the virtual IP 10.1.1.1 sit in subnet 10.1.1.0/24 and the group forms. The trap: the virtual IP must be in the same subnet as the physical interfaces. If the engineer mistakenly uses 10.1.2.1 as the virtual IP, the routers will never form a standby group. In production, this leaves a single point of failure. The exam question: 'why is the HSRP group not forming?' Answer: the virtual IP is not in the same subnet.

A third scenario: a network admin sets up OSPF between two routers over a serial link. The default network type for serial is point-to-point, but the admin configures it as broadcast. The trap: a DR election occurs, but since there are only two routers, one becomes DR and the other BDR. This wastes resources and can cause adjacency issues if the DR goes down. In real life, this might cause intermittent routing issues. The exam trap: 'what is the OSPF network type on a serial interface?' The default is point-to-point.

Knowing these traps prevents production outages and saves troubleshooting time. The key is to always verify defaults and not assume that a configuration that works in a lab will work in production without checking the specific interface type.

How CCNA 200-301 Actually Tests This

The 200-301 exam tests your ability to identify and avoid traps across all domains. Approximately 30-40% of questions have a trap element. The exam objectives that most often feature traps are: 1.0 Network Fundamentals (VLANs, STP, IPv4/IPv6 addressing), 2.0 Network Access (EtherChannel, port security, DTP), 3.0 IP Connectivity (routing protocol states, administrative distance, route selection), 4.0 IP Services (NAT, ACLs, NTP, syslog, SNMP), and 5.0 Security Fundamentals (port security, DHCP snooping, dynamic ARP inspection).

The most common wrong answers candidates choose are:

1. Assuming default values are always correct: Candidates choose an answer that uses a non-default value without checking the scenario. For example, a question says 'OSPF dead timer expires after 40 seconds', but the scenario uses a non-broadcast network (default dead 120s). The correct answer might be 'the dead timer should be 120 seconds'. Candidates pick '40 seconds' because they memorized the broadcast default.
2. Confusing protocol states: For OSPF, candidates often think '2-Way' means full adjacency, but it only means two-way communication. They might choose 'the routers are forming adjacency' when they are just neighbors. The correct answer: 'the routers have exchanged hello packets but not yet synchronized databases'.
3. Misapplying Layer 2 vs Layer 3: In a question about a switch forwarding a frame, candidates might say 'the switch checks the destination IP address'. The correct answer is 'the switch checks the destination MAC address'. This is a basic trap that catches many.
4. Forgetting the order of operations: For NAT, candidates might think 'NAT is applied before routing', but actually the routing decision is made first, then NAT translates. In a question about a packet from inside to outside, the router first looks up the route, then translates the source IP. If the route is missing, NAT never happens.

Specific values that appear on the exam: OSPF dead interval 40s (broadcast), EIGRP hold time 15s, STP forward delay 15s, MAC aging 300s, NAT timeout 300s (dynamic with overload), ARP timeout 4 hours. Commands: 'show ip ospf neighbor', 'show ip eigrp neighbors', 'show spanning-tree', 'show mac address-table', 'show ip nat translations'. Calculation traps: subnetting questions where the network address is given, but the host address is a broadcast address — candidates choose it as a valid host. Decision rule: always check if the address is a network or broadcast address before selecting. For scenario questions, use the 'STOP' method: S - State the problem, T - Think of the protocol state/machine, O - Observe the output, P - Pick the answer that matches the expected behavior. If two answers seem correct, choose the one that is more specific to the scenario.

Key Takeaways

OSPF dead interval default is 40s on broadcast networks (4x hello of 10s).

EIGRP hold time default is 15s on high-speed links (3x hello of 5s).

STP forward delay default is 15s, max age 20s, hello 2s.

MAC address table aging default is 300 seconds.

NAT dynamic translation timeout default is 300 seconds (5 minutes) with overload.

Switch drops a frame if source and destination MAC are on the same port.

OSPF neighbor stuck in ExStart usually indicates MTU mismatch.

HSRP virtual IP must be in the same subnet as the physical interfaces.

Port security 'shutdown' error-disables the port; 'restrict' drops but keeps up; 'protect' drops without log.

Native VLAN must match on both ends of a trunk.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

OSPF Default Dead Interval (Broadcast)

Hello interval: 10 seconds

Dead interval: 40 seconds (4x hello)

Network type: broadcast (Ethernet)

Default on: Ethernet, FastEthernet, GigabitEthernet

DR/BDR election occurs

OSPF Default Dead Interval (Non-Broadcast)

Hello interval: 30 seconds

Dead interval: 120 seconds (4x hello)

Network type: non-broadcast (Frame Relay, ATM)

Default on: Serial interfaces with Frame Relay encapsulation

No DR/BDR election (point-to-point or point-to-multipoint)

Watch Out for These

Mistake

OSPF dead interval is always 40 seconds.

Correct

The default dead interval is 40 seconds only on broadcast and point-to-point networks. On non-broadcast networks, the default is 120 seconds (4x hello of 30s). The dead interval is always 4x the hello interval, but the hello interval itself varies by network type.

Candidates often memorize the broadcast default and forget that other network types have different defaults.

Mistake

A switch floods all unknown unicast frames.

Correct

A switch floods unknown unicast frames (destination MAC not in MAC address table) out all ports except the incoming port. However, if the destination MAC is known, it forwards only to that port. Flooding is not all frames, only those with unknown destination MAC.

Candidates confuse 'flooding' with 'broadcasting' or think that all frames are flooded.

Mistake

The 'ip nat inside source list 1 interface GigabitEthernet0/1' command enables PAT.

Correct

This command enables dynamic NAT (one-to-one translation) without port address translation. To enable PAT, you must add the keyword 'overload' at the end: 'ip nat inside source list 1 interface GigabitEthernet0/1 overload'. Without 'overload', only one inside host can use the outside interface at a time.

Candidates see 'source list' and think it implies PAT, but PAT explicitly requires 'overload'.

Mistake

A router forwards a packet based on the destination MAC address.

Correct

A router forwards a packet based on the destination IP address. The router uses the routing table to find the next-hop IP, then uses ARP to find the next-hop MAC address. The destination MAC address changes at each hop, but the destination IP remains the same.

Candidates confuse the roles of MAC and IP addresses at different layers.


Frequently Asked Questions

What is the default OSPF dead interval on a serial interface with default encapsulation?

On a serial interface with HDLC or PPP encapsulation (default for Cisco serial), the default OSPF network type is point-to-point. The hello interval is 10 seconds, and the dead interval is 40 seconds (4x hello). However, if the serial interface uses Frame Relay encapsulation (legacy), the default network type is non-broadcast, with hello 30s and dead 120s. For the CCNA exam, assume serial interfaces are point-to-point unless told otherwise. Exam tip: always check the encapsulation type – if it's Frame Relay, the dead interval is 120s.

Why does 'show ip ospf neighbor' show a neighbor state of '2-WAY'? Is that a problem?

The 2-WAY state means that the routers have exchanged hello packets and see each other, but a full adjacency has not been formed. On multi-access networks (like Ethernet), routers that are not the DR or BDR will stay in 2-WAY with each other. This is normal. They only form full adjacency with the DR and BDR. If you see 2-WAY between two routers that are both DR-eligible, it means they are not DR/BDR. If you expect full adjacency (e.g., on a point-to-point link), then 2-WAY indicates a problem – likely the routers are not forming adjacency due to mismatched parameters (area, authentication, subnet mask, etc.).

What does the 'overload' keyword do in the 'ip nat inside source' command?

The 'overload' keyword enables Port Address Translation (PAT), allowing multiple inside hosts to share a single public IP address. Without 'overload', NAT performs one-to-one translation, meaning each inside host requires a unique public IP. With 'overload', the router uses the source port number to differentiate between sessions. For example, if you have 100 inside hosts and one public IP, you must use 'overload' to allow all 100 hosts to communicate simultaneously. The exam often tests this: if you see 'ip nat inside source list 1 interface G0/1' without 'overload', only one host can go out at a time.

Can you delete VLAN 1 on a Cisco switch?

No, VLAN 1 is the default VLAN and cannot be deleted. It is also the native VLAN by default. You can rename it, but you cannot remove it. This is a common exam trap: a question might say 'the network engineer wants to remove VLAN 1 for security reasons' – the correct answer is that VLAN 1 cannot be deleted. Instead, you can change the native VLAN to another VLAN and prune VLAN 1 from trunk allowed lists, but the VLAN itself remains in the VLAN database.

What is the difference between 'switchport trunk allowed vlan 10' and 'switchport trunk allowed vlan add 10'?

The first command 'switchport trunk allowed vlan 10' replaces the list of allowed VLANs with only VLAN 10. Any other VLANs that were previously allowed are removed. The second command 'switchport trunk allowed vlan add 10' adds VLAN 10 to the existing allowed list without removing other VLANs. This is a classic exam trap: if you want to add a VLAN to a trunk, you must use the 'add' keyword; otherwise, you will remove all other VLANs. Always check the command syntax in the question.

What does 'spanning-tree portfast' do globally?

The command 'spanning-tree portfast' is not a valid global command. The correct global command is 'spanning-tree portfast default', which enables PortFast on all access ports. PortFast bypasses the listening and learning states, moving directly to forwarding, which is useful for end-user devices to avoid waiting for STP convergence. The trap: candidates might think 'spanning-tree portfast' is the global command, but it must be followed by 'default'. Alternatively, you can enable PortFast per interface with 'spanning-tree portfast' in interface configuration mode.

Why does a switch drop a frame when the source and destination MAC are on the same port?

When a switch receives a frame, it learns the source MAC and associates it with the incoming port. If the destination MAC is already in the MAC address table and is associated with the same incoming port, the switch knows that the destination is on the same segment. Forwarding the frame back out the same port would be pointless and could cause a loop. Therefore, the switch drops the frame. This is called 'same-interface forwarding' and is a common exam trap: a question might show a scenario where a frame arrives on a port and the destination MAC is on that same port, and ask what the switch does. The correct answer is 'drops the frame'.
