The answer is to reconfigure the WLAN to use WPA2-PSK with AES encryption, disable PMF, map it to the management interface on VLAN 10, hide the SSID, and restrict HTTP/HTTPS access to the 192.168.1.0/24 subnet. This resolves the client connectivity troubleshooting association and IP issues because the client cannot associate when the WLAN requires WPA3 with PMF, and the VLAN mismatch between the AP (VLAN 10) and the WLAN (VLAN 100) prevents proper IP assignment and traffic flow. On the CCNA 200-301 v2 exam, this scenario tests your ability to align WLAN security settings with client capabilities and correct interface mappings—a common trap is forgetting to disable PMF when switching from WPA3 to WPA2, or leaving the VLAN mismatched. Remember the mnemonic "S.A.V.E.": Security (WPA2-PSK/AES), Association (disable PMF), VLAN (match to management), and Exposure (hide SSID and restrict management access).
CCNA Network Infrastructure and Connectivity Practice Question
This 200-301 practice question tests your understanding of network infrastructure and connectivity. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Network Topology
You are managing a Cisco WLC (WLC-1) with IP 10.10.10.10. A wireless client reports it can see the SSID 'CorpNet' but fails to associate. The SSID is configured for WPA3, but the client only supports WPA2. Additionally, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a mismatch. Your task: reconfigure the WLAN to use WPA2-PSK with AES encryption, correct the VLAN assignment to 10, and ensure the SSID is hidden. Also, verify that management access via the WLC web UI is restricted to the 192.168.1.0/24 subnet.
WLC-1# show wlan summary
Number of WLANs...................... 1
WLAN ID WLAN Profile Name / SSID Status Interface
------- ---------------------------- ------- ----------
1 CorpNet / CorpNet Enabled VLAN100
WLC-1# show wlan 1
WLAN Profile Name............. CorpNet
SSID........................... CorpNet
Status......................... Enabled
Security
WPA3......................... Enabled
WPA2......................... Disabled
AES........................... Enabled
PSK........................... (configured)
PMF.......................... Required
Interface...................... VLAN100
Broadcast SSID................. Enabled
WLC-1# show interface summary
Interface Name Port VLAN IP Address Type
--------------- ------ ------ -------------- ----
management LAG 10 10.10.10.10 Static
ap-manager LAG 10 10.10.10.10 Static
virtual N/A N/A 1.1.1.1 Static
WLC-1# show management summary
HTTP Access............. Enabled
HTTPS Access............ Enabled
Allowed Subnets......... 0.0.0.0/0
A
Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
This option correctly addresses all issues: WPA2-PSK with AES matches client capability, disabling PMF removes WPA3 requirement, mapping to management interface (VLAN 10) resolves VLAN mismatch, disabling SSID broadcast hides the SSID, and restricting HTTP/HTTPS access to 192.168.1.0/24 secures management access.
B
Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
Why wrong: This is incorrect because TKIP is not recommended and not supported for WPA2-PSK on modern Cisco WLCs (AES is required). PMF should be disabled for WPA2-only clients. VLAN 100 is the original mismatch; it should be VLAN 10. Enabling SSID broadcast does not hide the SSID. Restricting only HTTP leaves HTTPS open.
C
Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
Why wrong: This is incorrect because WPA3-PSK is not supported by the client (only WPA2). Disabling PMF on WPA3 is not possible as PMF is mandatory. The management access should be restricted to 192.168.1.0/24, not 10.10.10.0/24.
D
Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
Why wrong: This is incorrect because enabling PMF (Protected Management Frames) requires WPA3 or WPA2 with PMF capability; the client may not support PMF, causing association failure. Also, enabling SSID broadcast does not hide the SSID.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets. To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.
Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
Why this is correct
This option correctly addresses all issues: WPA2-PSK with AES matches client capability, disabling PMF removes WPA3 requirement, mapping to management interface (VLAN 10) resolves VLAN mismatch, disabling SSID broadcast hides the SSID, and restricting HTTP/HTTPS access to 192.168.1.0/24 secures management access.
Related concept
Access ports place end devices into a single VLAN.
✗
Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
Why it's wrong here
This is incorrect because TKIP is not recommended and not supported for WPA2-PSK on modern Cisco WLCs (AES is required). PMF should be disabled for WPA2-only clients. VLAN 100 is the original mismatch; it should be VLAN 10. Enabling SSID broadcast does not hide the SSID. Restricting only HTTP leaves HTTPS open.
✗
Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
Why it's wrong here
This is incorrect because WPA3-PSK is not supported by the client (only WPA2). Disabling PMF on WPA3 is not possible as PMF is mandatory. The management access should be restricted to 192.168.1.0/24, not 10.10.10.0/24.
✗
Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
Why it's wrong here
This is incorrect because enabling PMF (Protected Management Frames) requires WPA3 or WPA2 with PMF capability; the client may not support PMF, causing association failure. Also, enabling SSID broadcast does not hide the SSID.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.Correct answer▾
Why this is correct
This option correctly addresses all issues: WPA2-PSK with AES matches client capability, disabling PMF removes WPA3 requirement, mapping to management interface (VLAN 10) resolves VLAN mismatch, disabling SSID broadcast hides the SSID, and restricting HTTP/HTTPS access to 192.168.1.0/24 secures management access.
✗Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.Wrong answer — click to see why▾
Why this is wrong here
The specific factual error: TKIP is deprecated and not used with WPA2-PSK; PMF must be disabled for WPA2-only clients; VLAN 100 is incorrect; SSID broadcast should be disabled; HTTPS access must also be restricted.
Why candidates choose this
Candidates pick this because they may confuse TKIP with AES, think PMF is optional, forget to change VLAN, or assume only HTTP needs restriction.
✗Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.Wrong answer — click to see why▾
Why this is wrong here
The specific factual error: WPA3-PSK requires PMF and is incompatible with WPA2-only clients; the allowed subnet for management is 192.168.1.0/24, not 10.10.10.0/24.
Why candidates choose this
Candidates pick this because they might think WPA3 is backward compatible or confuse the WLC management IP with the allowed subnet.
✗Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.Wrong answer — click to see why▾
Why this is wrong here
The specific factual error: PMF is not supported by all WPA2 clients and can cause association issues; SSID broadcast should be disabled to hide the SSID.
Why candidates choose this
Candidates pick this because they may think PMF is optional and always safe to enable, or they forget to disable SSID broadcast.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: an active trunk can still block the VLAN you need
A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.
Detailed technical explanation
How to think about this question
VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.
KKey Concepts to Remember
Access ports place end devices into a single VLAN.
Trunk ports carry multiple VLANs between switches.
Allowed VLAN lists decide which VLANs can cross a trunk.
Native VLAN mismatch can create confusing symptoms.
TExam Day Tips
→Use show vlan brief to verify access VLANs.
→Use show interfaces trunk to verify trunk state and allowed VLANs.
→Do not treat every same-VLAN issue as a routing problem.
Key takeaway
A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
Network Infrastructure and Connectivity — This question tests Network Infrastructure and Connectivity — Access ports place end devices into a single VLAN..
What is the correct answer to this question?
The correct answer is: Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24. — The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets. To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.
What should I do if I get this 200-301 question wrong?
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
What is the key concept behind this question?
Access ports place end devices into a single VLAN.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. You are troubleshooting a wireless client connectivity issue on the Cisco WLC at 192.168.1.100. The client reports it can see the SSID 'CorpNet' and successfully associates, but cannot obtain an IP address or reach network resources. The WLAN is already configured with WPA3 security, and the SSID should remain hidden. Identify and correct the configuration issue.
hard
✓ A.The WLAN is mapped to the management interface. Use 'config wlan interface 1 CorpNet_VLAN' to assign the correct interface.
B.The SSID is not hidden. Use 'config wlan disable-broadcast-ssid 1 enable' to hide the SSID.
C.WPA3 is not enabled on the WLAN. Use 'config wlan security wpa akm 6 enable' to enable WPA3.
D.The WLAN is disabled. Use 'config wlan enable 1' to enable the WLAN.
Why A: The WLAN is incorrectly mapped to the management interface, which places client traffic in the management VLAN instead of the correct CorpNet_VLAN. As a result, clients cannot obtain IP addresses or communicate beyond the WLC. Reassigning the WLAN to the CorpNet_VLAN interface with 'config wlan interface 1 CorpNet_VLAN' resolves the issue by placing client data in the proper VLAN.
Variation 2. You are connected to the Cisco WLC (WLC-1) via its management IP 192.168.1.10. The wireless network 'CorpNet' is configured but clients cannot associate. Troubleshoot and resolve the issue: clients report 'Association failed' and the SSID is not visible in site surveys. Ensure that after your fix, the SSID is broadcast, WPA3 is used, and the WLAN is mapped to VLAN 20. Also, verify the WLC management interface is accessible over HTTPS.
hard
✓ A.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
B.Enable the WLAN, set Broadcast SSID to Enabled, change the interface to the management interface, and enable the HTTPS server.
C.Enable the WLAN, keep Broadcast SSID Disabled for security, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
D.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, but leave HTTPS disabled for security.
Why A: The WLAN was disabled, the SSID was hidden (Broadcast SSID Disabled), and it was incorrectly mapped to the management interface instead of a user VLAN. Additionally, HTTPS access was disabled. The solution: enable the WLAN, enable SSID broadcast, change the interface to a VLAN 20 interface (e.g., create a dynamic interface 'vlan20' with VLAN 20), and enable the HTTPS server for management access. Note: On an AireOS WLC, the correct commands use `config wlan enable <wlan_id>`, `config wlan broadcast-ssid enable <wlan_id>`, and `config network secureweb enable` for HTTPS.
Last reviewed: Jun 6, 2026
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.