Question 1,040 of 1,819
Network Infrastructure and ConnectivityhardTroubleshootingObjective-mapped

Quick Answer

The answer is to change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN. This resolves the wireless client association failure because the client only supports WPA2, not WPA3, and the hidden SSID prevents client discovery, while the missing DHCP scope on VLAN 100 blocks IP address assignment. On the CCNA 200-301 v2 exam, this scenario tests your ability to troubleshoot client association by correlating authentication mismatches, broadcast settings, and VLAN mapping—a common trap is assuming the management interface VLAN (1) handles client DHCP, but client traffic must use the designated WLAN VLAN. Remember the three-step fix: match security, reveal the SSID, and pair the VLAN with a DHCP scope. A useful memory tip is “AID” for Authentication (WPA2), Interface (broadcast on), and DHCP (VLAN scope).

CCNA Network Infrastructure and Connectivity Practice Question

This 200-301 practice question tests your understanding of network infrastructure and connectivity. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

WLC Configuration (partial)

interface Management
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!
wlan CorpNet 1 CorpNet
 ssid CorpNet
 security wpa3-sae
 security wpa akm sae
 security wpa psk ascii 7 1234567890abcdef
 no security wpa2
 no security wpa
 no security wpa3-sae
!
interface wlan 1
 vlan 100
!
wlan enable 1
!
wlan ssid CorpNet
 broadcast-ssid disable
!
! End of configuration

You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.

Question 1hardTroubleshooting
Open the full VLAN trunking answer →

Exhibit

WLC Configuration (partial)

interface Management
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!
wlan CorpNet 1 CorpNet
 ssid CorpNet
 security wpa3-sae
 security wpa akm sae
 security wpa psk ascii 7 1234567890abcdef
 no security wpa2
 no security wpa
 no security wpa3-sae
!
interface wlan 1
 vlan 100
!
wlan enable 1
!
wlan ssid CorpNet
 broadcast-ssid disable
!
! End of configuration

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.

The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.

    Why this is correct

    This option correctly addresses all three issues: WPA3 is not backward compatible with WPA2 clients, so switching to WPA2 (or enabling WPA2/WPA3 mixed mode) allows the client to authenticate. Enabling SSID broadcast lets the client discover the network. Configuring the WLAN interface for VLAN 100 and ensuring a DHCP scope exists on that VLAN provides IP addressing.

    Related concept

    Access ports place end devices into a single VLAN.

  • Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.

    Why it's wrong here

    This is incorrect because WPA3 only would still not work if the client does not support WPA3. Changing the management interface IP is unnecessary and does not fix the VLAN mismatch for client traffic; the WLAN interface should be mapped to VLAN 100, not the management interface.

  • Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.

    Why it's wrong here

    This is incorrect because keeping WPA3 may still cause authentication failure if the client does not support it. Disabling SSID broadcast prevents the client from seeing the SSID. Configuring the WLAN interface for VLAN 100 but placing the DHCP scope on VLAN 1 means clients on VLAN 100 cannot obtain an IP address.

  • Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.

    Why it's wrong here

    This is incorrect because while changing to WPA2 fixes the authentication issue, keeping SSID broadcast disabled prevents the client from seeing the SSID. Configuring the WLAN interface to use VLAN 1 would place clients on the management VLAN, not VLAN 100 as required.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.Correct answer

Why this is correct

This option correctly addresses all three issues: WPA3 is not backward compatible with WPA2 clients, so switching to WPA2 (or enabling WPA2/WPA3 mixed mode) allows the client to authenticate. Enabling SSID broadcast lets the client discover the network. Configuring the WLAN interface for VLAN 100 and ensuring a DHCP scope exists on that VLAN provides IP addressing.

Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.Wrong answer — click to see why

Why this is wrong here

The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.

Why candidates choose this

Candidates might think that since the management IP is on VLAN 1, changing it to a different subnet could help, but the management interface is separate from the WLAN interface used for client data.

Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.Wrong answer — click to see why

Why this is wrong here

The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).

Why candidates choose this

Candidates might believe that disabling SSID broadcast improves security and that DHCP can be served from a different VLAN, but in this scenario the client cannot get an IP from a different subnet.

Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.Wrong answer — click to see why

Why this is wrong here

The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.

Why candidates choose this

Candidates might think that since the management interface is on VLAN 1, using VLAN 1 for clients is simpler, but the requirement specifies VLAN 100 for client traffic.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: an active trunk can still block the VLAN you need

A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.

Detailed technical explanation

How to think about this question

VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.

KKey Concepts to Remember

  • Access ports place end devices into a single VLAN.
  • Trunk ports carry multiple VLANs between switches.
  • Allowed VLAN lists decide which VLANs can cross a trunk.
  • Native VLAN mismatch can create confusing symptoms.

TExam Day Tips

  • Use show vlan brief to verify access VLANs.
  • Use show interfaces trunk to verify trunk state and allowed VLANs.
  • Do not treat every same-VLAN issue as a routing problem.

Key takeaway

A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Infrastructure and Connectivity — This question tests Network Infrastructure and Connectivity — Access ports place end devices into a single VLAN..

What is the correct answer to this question?

The correct answer is: Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN. — The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

What should I do if I get this 200-301 question wrong?

Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.

What is the key concept behind this question?

Access ports place end devices into a single VLAN.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A wireless client associates to an AP and successfully authenticates to the correct SSID, but it does not obtain an IP address. The WLC is running in local mode. What should the technician do next?

hard
  • A.Check the DHCP server to ensure it has available leases.
  • B.Verify the AP’s operating channel for interference.
  • C.Verify the VLAN mapping on the WLC for the client’s WLAN.
  • D.Verify the WPA3 PSK on the client.

Why C: Option C is correct because when a wireless client authenticates to the SSID but fails to obtain an IP address, the most likely cause is a VLAN mapping mismatch on the WLC. In local mode, the WLC maps the WLAN to a specific VLAN (via the interface or VLAN tag), and if that VLAN does not have a DHCP relay or is not trunked to the correct switch, the client's DHCP requests will never reach the DHCP server. This is a common Layer 2 connectivity issue that prevents IP address assignment even though authentication succeeds.

Variation 2. You are troubleshooting a wireless client association failure on a Cisco WLC. A client reports it can see the SSID 'GuestNet' but fails to connect, while another client using the same SSID connects fine. You must check the WLC configuration, identify the cause, and fix it so that both clients can associate successfully.

hard
  • A.Change the WLAN security to WPA2-PSK only and disable PMF.
  • B.Enable WPA3 Transition Mode and set PMF to Optional.
  • C.Disable PMF on the WLAN and keep WPA3 enabled.
  • D.Change the WLAN to use WPA2-PSK with PMF Required.

Why B: The client that cannot associate is likely a legacy client that does not support WPA3. The WLAN 'GuestNet' has WPA3 enabled with 'PMF Required', which forces all clients to support WPA3 and PMF. To fix this, enable WPA3 Transition Mode (which allows both WPA2 and WPA3 clients) and set PMF to Optional. This will allow the older client to associate using WPA2 while newer clients can use WPA3.

Keep practising

More 200-301 practice questions

Last reviewed: Jun 6, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.