Question 1,610 of 1,819
Network Services and SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is a trunk allowed VLAN misconfiguration, specifically that the AP trunk is not allowing VLAN 300. This is the most likely cause because the Guest SSID is mapped to VLAN 300, but the switch trunk port toward the access point only permits VLANs 10, 20, and 30. When a guest WLAN DHCP failure occurs, it is often due to client traffic being dropped at the trunk; the DHCP discover broadcast never reaches the correct VLAN upstream where the DHCP server scope exists, even though authentication can succeed if it is handled locally or on a different VLAN. On the CCNA 200-301 v2 exam, this scenario tests your understanding of how trunk allowed VLANs directly impact wireless client services, and it is a common trap to assume authentication success means full connectivity. Remember the tip: “Auth works, DHCP fails? Check the trunk allowed list, not the server.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: a VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

WLAN: Guest
Mapped VLAN: 300

Switch interface Gi1/0/24 toward AP:
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Clients can join the Guest SSID and authenticate successfully, but they never receive an IP address. The DHCP scope for the guest network exists on the server. Based on the exhibit, what is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

  • Clue: "never"

    Why it matters: Absolute qualifier. True only if the statement has zero exceptions — be cautious of options that seem obvious but break down in edge cases.

Question 1hardmultiple choice
Read the full DHCP explanation →

Exhibit

WLAN: Guest
Mapped VLAN: 300

Switch interface Gi1/0/24 toward AP:
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The AP trunk is not allowing VLAN 300.

The Guest SSID is mapped to VLAN 300, but the switch trunk toward the AP allows only VLANs 10,20,30. Client traffic for the guest WLAN never reaches the correct VLAN upstream, so DHCP requests for that WLAN fail. Authentication can still succeed depending on how the WLAN is designed.

Key principle: A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The AP trunk is not allowing VLAN 300.

    Why this is correct

    That prevents guest client traffic from reaching the proper VLAN.

    Clue confirmation

    The clue words "most likely", "never" in the question point toward this answer.

    Related concept

    A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.

  • The DHCP server must use TCP instead of UDP.

    Why it's wrong here

    DHCP uses UDP.

    When this WOULD be correct

    In a different scenario where the question states that the DHCP server is incorrectly configured to use TCP instead of UDP for its operations, this option would be correct. It would highlight a fundamental misconfiguration in the DHCP server setup that prevents clients from obtaining IP addresses.

  • The SSID name must match the DHCP pool name.

    Why it's wrong here

    DHCP scopes do not depend on SSID naming.

    When this WOULD be correct

    In a different scenario where the question specifies that the DHCP server is configured to only serve IP addresses to clients with SSIDs that match the DHCP pool name, this option would be correct. For example, if the network policy enforces strict naming conventions for security reasons, a mismatch could prevent IP assignment.

  • The AP should be configured as an access port for VLAN 1.

    Why it's wrong here

    Multiple SSIDs mapped to VLANs commonly require a trunk.

    When this WOULD be correct

    In a different scenario where the question involves a network setup where the AP is incorrectly set to access port mode for a specific VLAN that should be serving clients, such as VLAN 1, and clients are expected to connect to that VLAN, this option would be correct as it would prevent proper communication with the DHCP server.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The AP trunk is not allowing VLAN 300.Correct answer

Why this is correct

That prevents guest client traffic from reaching the proper VLAN.

The DHCP server must use TCP instead of UDP.Wrong answer — click to see why

Why this is wrong here

This option is wrong because DHCP relies on UDP for communication, not TCP. The DHCP server will not function correctly if it were to use TCP, as it would not be able to send or receive DHCP packets properly.

★ When this WOULD be the correct answer

In a different scenario where the question states that the DHCP server is incorrectly configured to use TCP instead of UDP for its operations, this option would be correct. It would highlight a fundamental misconfiguration in the DHCP server setup that prevents clients from obtaining IP addresses.

Why candidates choose this

Candidates may choose this option due to a misunderstanding of the protocols involved in DHCP, mistakenly believing that TCP could be a viable alternative for DHCP communications, especially if they are not familiar with the specifics of how DHCP operates.

The SSID name must match the DHCP pool name.Wrong answer — click to see why

Why this is wrong here

This option is wrong because the SSID name does not need to match the DHCP pool name for clients to receive an IP address; DHCP operates independently of SSID naming conventions.

★ When this WOULD be the correct answer

In a different scenario where the question specifies that the DHCP server is configured to only serve IP addresses to clients with SSIDs that match the DHCP pool name, this option would be correct. For example, if the network policy enforces strict naming conventions for security reasons, a mismatch could prevent IP assignment.

Why candidates choose this

Candidates might choose this option due to a misunderstanding of DHCP operations and the belief that naming conventions are critical for network configurations, leading them to overlook the actual mechanics of DHCP communication.

The AP should be configured as an access port for VLAN 1.Wrong answer — click to see why

Why this is wrong here

This option is wrong because configuring the AP as an access port for VLAN 1 does not address the issue of clients not receiving an IP address from the DHCP server on the guest network, which is likely related to VLAN configuration or DHCP relay settings.

★ When this WOULD be the correct answer

In a different scenario where the question involves a network setup where the AP is incorrectly set to access port mode for a specific VLAN that should be serving clients, such as VLAN 1, and clients are expected to connect to that VLAN, this option would be correct as it would prevent proper communication with the DHCP server.

Why candidates choose this

Candidates may find this option tempting because they might associate access port configurations with basic connectivity issues, leading them to believe that changing the port type could resolve IP assignment problems.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is to incorrectly assume that DHCP issues stem from the DHCP server configuration or protocol errors, such as believing DHCP must use TCP instead of UDP. Another tempting mistake is thinking the SSID name must match the DHCP pool name, which is false because DHCP scopes are based on VLAN subnets, not SSID naming. Additionally, some candidates mistakenly configure the access point port as an access port on VLAN 1, which prevents multiple VLANs from passing and breaks guest VLAN connectivity. These traps distract from the core issue of VLAN trunk misconfiguration preventing DHCP traffic.

Detailed technical explanation

How to think about this question

VLAN trunks are essential in wireless network deployments where multiple SSIDs are mapped to different VLANs. Each SSID corresponds to a VLAN that segregates traffic for security and management purposes. When a client connects to a guest SSID mapped to VLAN 300, the access point tags the client’s traffic with VLAN 300. This tagged traffic must traverse the trunk link between the access point and the switch, which must allow VLAN 300 to pass through. If VLAN 300 is not allowed on the trunk, the switch will drop the traffic, preventing it from reaching the DHCP server and other network resources. The decision process for troubleshooting DHCP issues in a wireless environment involves verifying VLAN trunk configurations. Since DHCP requests are broadcast packets tagged with the client’s VLAN, the trunk must carry the VLAN associated with the SSID. The DHCP server’s scope must match the VLAN subnet to assign IP addresses correctly. If the trunk does not allow the VLAN, DHCP requests never reach the server, resulting in clients authenticating successfully but failing to obtain IP addresses. This is a common misconfiguration in wireless VLAN deployments. A frequent exam trap is assuming that DHCP failure is due to server misconfiguration or protocol issues, such as using TCP instead of UDP, or that SSID names must match DHCP pool names. Another pitfall is configuring the access point port as an access port on VLAN 1, which restricts traffic to a single VLAN and breaks multi-SSID deployments. In practice, ensuring the trunk allows all necessary VLANs, including the guest VLAN, is critical for seamless wireless client connectivity and DHCP functionality.

KKey Concepts to Remember

  • A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.
  • DHCP requests from wireless clients are tagged with the VLAN ID assigned to the SSID and must traverse the trunk link to reach the DHCP server on the correct VLAN.
  • If a VLAN is not allowed on a trunk port, traffic tagged with that VLAN is dropped, preventing clients from obtaining IP addresses via DHCP.
  • Multiple SSIDs on a wireless LAN controller or access point are typically mapped to different VLANs to separate traffic and apply distinct policies.
  • DHCP uses UDP as its transport protocol, and changing it to TCP is not valid or supported in standard network configurations.
  • The SSID name is independent of DHCP scope names; DHCP scopes are defined by IP subnet and VLAN, not by SSID naming conventions.
  • Configuring an access point port as an access port on VLAN 1 restricts it to a single VLAN and prevents multiple SSIDs mapped to different VLANs from functioning properly.
  • Wireless client authentication can succeed without DHCP if the VLAN tagging and trunk configuration are incorrect, but clients will lack IP connectivity.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review a VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity., then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity..

What is the correct answer to this question?

The correct answer is: The AP trunk is not allowing VLAN 300. — The Guest SSID is mapped to VLAN 300, but the switch trunk toward the AP allows only VLANs 10,20,30. Client traffic for the guest WLAN never reaches the correct VLAN upstream, so DHCP requests for that WLAN fail. Authentication can still succeed depending on how the WLAN is designed.

What should I do if I get this 200-301 question wrong?

Review a VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity., then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely", "never". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

A VLAN trunk link between a switch and an access point must allow all VLANs that carry wireless client traffic to ensure proper network segmentation and connectivity.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 200-301 practice questions

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.