The correct answer involves reconfiguring R1 with two separate DHCP exclusion statements—`ip dhcp excluded-address 192.168.10.1 192.168.10.10` and `ip dhcp excluded-address 192.168.10.254`—while on SW1 you must correct the `ip helper-address` to point to R1’s G0/0 IP (10.0.0.1) and set G0/1 as a DHCP snooping trusted port. This is correct because the original oversized exclusion (1–254) blocked all address assignments, and the misdirected helper-address prevented relay of VLAN 10 broadcasts to the DHCP server. On the CCNA 200-301 v2 exam, this scenario tests your ability to combine DHCP configuration with exclusion ranges, DHCP snooping trust, and IP helper-address relay—a common troubleshooting topic where candidates overlook the need to remove a bad exclusion before adding correct ones. A frequent trap is forgetting that the default gateway (192.168.10.1) must also be excluded, and that the helper-address must be the router’s interface IP, not a random subnet address. Memory tip: “Exclude the gate and the top, then point the helper to the router’s drop.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Network Topology
You are connected to R1 (a router acting as DHCP server) via the console. Configure R1 to provide DHCP addresses for VLAN 10 (192.168.10.0/24) on the switch SW1, which is connected via R1's G0/0. Exclude the first 10 addresses (192.168.10.1-10) and the last address (192.168.10.254). Set the default gateway to 192.168.10.1 and DNS server to 203.0.113.10. On SW1, enable DHCP snooping globally and for VLAN 10, configure G0/1 as trusted toward R1, and ensure the ip helper-address on the switch's VLAN 10 SVI points to R1's G0/0 IP. The current config has a wrong helper-address and an oversized excluded range; identify and fix all issues.
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "first"
Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
SW1#show running-config | section interface vlan 10
interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.20.1
!
SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is disabled
Interface Trusted Rate limit (pps)
----------------------- ------- -----------------
GigabitEthernet0/1 no unlimited
GigabitEthernet0/2 no unlimited
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.10.1 192.168.10.254
!
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 203.0.113.10
!
A
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
This option correctly configures the new exclusions but omits the critical step of removing the existing oversized excluded range (192.168.10.1 192.168.10.254). Without removing that original exclusion, the entire subnet remains excluded and no addresses can be assigned. The solution commands explicitly include `no ip dhcp excluded-address 192.168.10.1 192.168.10.254` before adding the new ones, so this option is incomplete and would not achieve the intended fix.
B
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.
Why wrong: This is incorrect because the helper-address on SW1 points to 192.168.10.1, which is the default gateway address, not R1's G0/0 IP. The helper-address must be the IP of the DHCP server interface that receives the relayed requests, which is 10.0.0.1. Also, the excluded range does not include 192.168.10.254, so that address could be assigned to a host, which is not desired.
C
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.
Why wrong: This is incorrect because it does not exclude the last address (192.168.10.254) on R1, and it fails to configure the trusted interface on SW1's G0/1. Without the trust setting, DHCP snooping will treat DHCP server messages from R1 as untrusted and may drop them, preventing DHCP from working.
D
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
Why wrong: This is incorrect because the excluded range on R1 covers the entire subnet (192.168.10.1 through 192.168.10.254), which prevents any addresses from being assigned to clients. The correct exclusion should only exclude the first 10 addresses and the last address, not the whole range.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
The DHCP server R1 had an excluded range that covered the entire subnet (192.168.10.1 through 192.168.10.254), preventing any addresses from being assigned. This was corrected by first removing that oversized exclusion, then setting the excluded range to 192.168.10.1 192.168.10.10 and adding 192.168.10.254 as a separate excluded address. On SW1, the ip helper-address pointed to 192.168.20.1 (wrong), which should be R1's G0/0 IP 10.0.0.1. Also, DHCP snooping was enabled globally and for VLAN 10, but G0/1 (link to R1) was not trusted; it was set to trusted. These changes allow DHCP requests from VLAN 10 to be relayed to R1 and trusted from the correct interface. Option A is technically incomplete because it fails to include the removal of the original oversized exclusion.
Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
Why this is correct
This option correctly configures the new exclusions but omits the critical step of removing the existing oversized excluded range (192.168.10.1 192.168.10.254). Without removing that original exclusion, the entire subnet remains excluded and no addresses can be assigned. The solution commands explicitly include `no ip dhcp excluded-address 192.168.10.1 192.168.10.254` before adding the new ones, so this option is incomplete and would not achieve the intended fix.
Clue confirmation
The clue word "first" in the question point toward this answer.
Related concept
Access ports place end devices into a single VLAN.
✗
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.
Why it's wrong here
This is incorrect because the helper-address on SW1 points to 192.168.10.1, which is the default gateway address, not R1's G0/0 IP. The helper-address must be the IP of the DHCP server interface that receives the relayed requests, which is 10.0.0.1. Also, the excluded range does not include 192.168.10.254, so that address could be assigned to a host, which is not desired.
✗
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.
Why it's wrong here
This is incorrect because it does not exclude the last address (192.168.10.254) on R1, and it fails to configure the trusted interface on SW1's G0/1. Without the trust setting, DHCP snooping will treat DHCP server messages from R1 as untrusted and may drop them, preventing DHCP from working.
✗
On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
Why it's wrong here
This is incorrect because the excluded range on R1 covers the entire subnet (192.168.10.1 through 192.168.10.254), which prevents any addresses from being assigned to clients. The correct exclusion should only exclude the first 10 addresses and the last address, not the whole range.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.Correct answer▾
Why this is correct
This option correctly configures the new exclusions but omits the critical step of removing the existing oversized excluded range (192.168.10.1 192.168.10.254). Without removing that original exclusion, the entire subnet remains excluded and no addresses can be assigned. The solution commands explicitly include `no ip dhcp excluded-address 192.168.10.1 192.168.10.254` before adding the new ones, so this option is incomplete and would not achieve the intended fix.
✗On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.Wrong answer — click to see why▾
Why this is wrong here
The helper-address should be the DHCP server's IP (10.0.0.1), not the default gateway. Additionally, the last address (192.168.10.254) is not excluded.
Why candidates choose this
Candidates might think the helper-address should be the default gateway since it is the router's address, but the helper-address must be the actual server interface IP.
✗On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.Wrong answer — click to see why▾
Why this is wrong here
Missing exclusion of 192.168.10.254 and missing the ip dhcp snooping trust command on the interface connecting to R1.
Why candidates choose this
Candidates might forget to exclude the broadcast address or the last usable address, and they might overlook the need to trust the uplink interface when DHCP snooping is enabled.
✗On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.Wrong answer — click to see why▾
Why this is wrong here
The excluded range is too broad; it excludes all usable addresses, leaving no addresses for DHCP clients.
Why candidates choose this
Candidates might misinterpret the requirement to exclude the first 10 and last address and instead exclude the entire range, thinking it is a shortcut, but this breaks DHCP functionality.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: an active trunk can still block the VLAN you need
A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.
Detailed technical explanation
How to think about this question
VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.
KKey Concepts to Remember
Access ports place end devices into a single VLAN.
Trunk ports carry multiple VLANs between switches.
Allowed VLAN lists decide which VLANs can cross a trunk.
Native VLAN mismatch can create confusing symptoms.
TExam Day Tips
→Use show vlan brief to verify access VLANs.
→Use show interfaces trunk to verify trunk state and allowed VLANs.
→Do not treat every same-VLAN issue as a routing problem.
Key takeaway
A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
Network Services and Security — This question tests Network Services and Security — Access ports place end devices into a single VLAN..
What is the correct answer to this question?
The correct answer is: On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1. — The DHCP server R1 had an excluded range that covered the entire subnet (192.168.10.1 through 192.168.10.254), preventing any addresses from being assigned. This was corrected by first removing that oversized exclusion, then setting the excluded range to 192.168.10.1 192.168.10.10 and adding 192.168.10.254 as a separate excluded address. On SW1, the ip helper-address pointed to 192.168.20.1 (wrong), which should be R1's G0/0 IP 10.0.0.1. Also, DHCP snooping was enabled globally and for VLAN 10, but G0/1 (link to R1) was not trusted; it was set to trusted. These changes allow DHCP requests from VLAN 10 to be relayed to R1 and trusted from the correct interface. Option A is technically incomplete because it fails to include the removal of the original oversized exclusion.
What should I do if I get this 200-301 question wrong?
Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related 200-301 questions on switching, trunking, and access-port configuration.
Are there clue words in this question I should notice?
Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.
What is the key concept behind this question?
Access ports place end devices into a single VLAN.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.