A host on a guest WLAN can browse the Internet but cannot reach internal corporate resources, while employees on another SSID can. Which statement best explains why that can be a correct design outcome?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Because guest and employee WLANs can intentionally have different trust levels and access policies.
This is correct because guest isolation is often an intentional design goal.
Distractor review
Because guest WLANs cannot use IP routing at all.
This is wrong because guest WLANs can absolutely use routing to reach the Internet.
Distractor review
Because employees do not need DHCP or DNS.
This is wrong because employees still depend on common IP services.
Distractor review
Because SSIDs automatically determine BGP policy.
This is wrong because SSIDs do not directly define BGP behavior.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is to interpret guest WLAN isolation as a misconfiguration or network failure. Candidates may incorrectly believe that all WLANs should have identical access or that routing must be unrestricted. This misunderstanding overlooks the security principle of trust boundaries, where guest networks are purposefully restricted to prevent access to internal corporate resources. Misreading this design intent can lead to selecting incorrect answers that imply technical faults rather than intentional policy enforcement.
Technical deep dive
How to think about this question
Guest WLANs and employee WLANs are typically segmented using VLANs and distinct SSIDs to enforce different security and access policies. This segmentation ensures that guest users can access the Internet but are isolated from sensitive internal corporate resources. Network Access Control (NAC) and Access Control Lists (ACLs) are commonly applied to restrict traffic between these VLANs, maintaining separation and protecting enterprise assets.
The design decision to allow guest WLAN users only Internet access while permitting employees broader network access is intentional and aligns with best practices for network security. Routing between VLANs or SSIDs is controlled by Layer 3 devices, which enforce policies based on trust levels. This approach prevents unauthorized lateral movement within the network and limits exposure of internal services to untrusted users.
A common exam trap is to assume that inability to reach internal resources from a guest WLAN indicates a network failure. In reality, this isolation is a deliberate security measure. Understanding this design principle helps candidates distinguish between misconfiguration and intentional policy enforcement, which is critical for Cisco CCNA exam scenarios and real-world network design.
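The segmentation described above can be modelled as a first-match ACL applied at each VLAN's Layer 3 gateway. The following is an added example, not part of the original question page; the SSID names, VLAN IDs, DNS server address and rule set are constructed assumptions.

```python
import ipaddress

# Constructed SSID names, VLAN IDs and addressing (assumptions, not from the page).
SSID_TO_VLAN = {"CORP-GUEST": 30, "CORP-EMPLOYEE": 10}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
DNS_SERVER = ipaddress.ip_network("10.0.0.53/32")

# Inbound ACL per VLAN gateway: (action, protocol, destination network, destination port).
# Rules are checked top-down; the first match wins, then an implicit deny applies.
ACLS = {
    30: [("permit", "udp", ANY, 67),            # DHCP requests
         ("permit", "udp", DNS_SERVER, 53),     # single DNS pinhole
         *[("deny", "ip", net, None) for net in INTERNAL],
         ("permit", "ip", ANY, None)],          # everything else: Internet
    10: [("permit", "ip", ANY, None)],          # employees: broader access
}

def evaluate(ssid, proto, dst_ip, dst_port=None):
    """Return (action, index of matched rule) for a flow entering from an SSID."""
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, r_proto, net, r_port) in enumerate(ACLS[SSID_TO_VLAN[ssid]]):
        if r_proto not in ("ip", proto):
            continue
        if dst not in net:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action, i
    return "deny", None  # implicit deny: no rule matched

def diagnose(ssid, proto, dst_ip, dst_port=None):
    """Separate intended isolation from a possible fault or ACL gap."""
    action, idx = evaluate(ssid, proto, dst_ip, dst_port)
    if action == "permit":
        return "permitted by policy; a failure here points to a fault elsewhere"
    if idx is not None:
        return "blocked by explicit deny: intended isolation"
    return "blocked by implicit deny: review the ACL"
```

A guest flow to an internal address matches an explicit deny, which is the signature of design intent rather than malfunction.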
Key Concepts to Remember
- A guest WLAN typically uses VLAN segmentation and ACLs to isolate guest traffic from internal corporate resources for security purposes.
- Different SSIDs can be mapped to separate VLANs, allowing distinct access policies and trust levels within the same physical wireless infrastructure.
- Routing between VLANs or SSIDs is controlled by Layer 3 devices, which enforce access restrictions based on network policies.
- Access Control Lists (ACLs) are commonly applied to restrict guest WLAN users to Internet access only, preventing access to sensitive internal networks.
- Network Access Control (NAC) mechanisms help enforce security policies by limiting guest user privileges compared to employee users.
- Guest WLAN isolation is an intentional design choice to reduce attack surfaces and protect enterprise resources from untrusted devices.
- Misinterpreting guest WLAN restrictions as network failures is a common exam trap that overlooks security best practices.
- Understanding the role of VLANs, ACLs, and trust boundaries is essential for correctly analyzing WLAN access scenarios on the CCNA exam.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
A guest WLAN typically uses VLAN segmentation and ACLs to isolate guest traffic from internal corporate resources for security purposes.
What is the correct answer to this question?
The correct answer is: Because guest and employee WLANs can intentionally have different trust levels and access policies. — That can be a correct design outcome because guest access is usually meant to be isolated and limited, while employee access is tied to a different trust level and policy set. In practical terms, one WLAN can provide Internet-only or restricted service while another WLAN permits broader enterprise access. This is not necessarily a failure; it may be intentional policy. This is a useful exam-style question because it tests whether the candidate can distinguish design intent from malfunction.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.