CCNA Switching and Network Access Questions

75 of 392 questions · Page 5/6 · Switching and Network Access

301 (MCQ, medium)

A PC connected to switch port Gi0/10 should be in VLAN 20 but receives broadcasts only from VLAN 1. Which switchport setting is most likely wrong?

A. switchport mode trunk
B. switchport access vlan 20 missing or incorrect
C. speed 1000
D. duplex full

Answer: B

Correct. The access VLAN setting most directly controls this behavior.

Why this answer

The PC is receiving broadcasts only from VLAN 1, which indicates the switchport is not correctly assigned to VLAN 20. The most likely cause is that the 'switchport access vlan 20' command is missing or incorrect, leaving the port in its default VLAN (VLAN 1). This prevents the PC from participating in VLAN 20 and receiving its broadcasts.

Exam trap

Cisco often tests the misconception that a trunk port is needed for VLAN membership, but for a single end device, an access port with the correct VLAN assignment is required.

Why the other options are wrong

A

The switchport mode trunk setting is incorrect because a trunk port allows multiple VLANs to pass, while the question indicates that the PC should only receive broadcasts from VLAN 20. Therefore, the issue lies with the access VLAN configuration.

C

The speed setting of 1000 Mbps (1 Gbps) does not influence VLAN membership or broadcast traffic; it only affects the data transfer rate. Therefore, this option does not address the issue of the PC receiving broadcasts only from VLAN 1.

D

The duplex setting of the switch port does not influence VLAN membership or broadcast traffic. Therefore, a duplex configuration of 'full' does not affect the ability of a PC to receive broadcasts from VLAN 20.

302 (MCQ, hard)

After connecting a new switch to interface GigabitEthernet1/0/1 on a distribution switch, a network engineer notices that the interface is in err-disable state. The engineer checks the configuration and finds that spanning-tree portfast and spanning-tree bpduguard enable are applied to the interface. What is the most likely cause of the err-disable state?

A. BPDU Guard was incorrectly enabled on a port that should be a trunk link.
B. The connected switch is sending BPDUs with a lower bridge priority.
C. Spanning-tree PortFast is enabled on a port that connects to another switch.
D. The port is configured as an access port, but should be a trunk.

Answer: C

PortFast skips the listening and learning STP states and is designed for end hosts. When combined with BPDU Guard, the switch was instructed to disable the port upon receiving any BPDU. The downstream switch naturally sends BPDUs, causing BPDU Guard to react and place the port in err-disable. Removing PortFast (and leaving BPDU Guard alone, or disabling BPDU Guard on that link) would resolve the issue.

Why this answer

Option C is correct because PortFast is designed for end-host ports that should not receive BPDUs. When PortFast is enabled on a port connecting to another switch, the switch will immediately transition the port to forwarding state, but if it then receives a BPDU from the connected switch, BPDU Guard will error-disable the port. This is the most common cause of err-disable state when both PortFast and BPDU Guard are configured on an inter-switch link.

Exam trap

Cisco often tests the misconception that BPDU Guard alone causes err-disable, but the trap here is that PortFast must be enabled for BPDU Guard to trigger err-disable on a port receiving BPDUs from another switch.

Why the other options are wrong

A

Candidates often associate BPDU Guard exclusively with access ports and assume configuring it on a trunk is itself a misconfiguration, overlooking that PortFast is the real culprit.

B

Students may confuse root bridge placement with BPDU Guard operation, thinking that a BPDU from a superior switch might cause a port to be disabled, when in fact BPDU Guard is content-agnostic.

D

Candidates may think that because a link between switches should be a trunk, the access mode misconfiguration is the root cause. However, they miss the fact that BPDU Guard acts on the BPDU regardless of the port mode, and the real misconfiguration is PortFast.

303 (MCQ, medium)

A switch displays this output:

Port    Name   Status      Vlan
Fa0/1          connected   10
Fa0/2          connected   10
Fa0/24         connected   trunk

Which port should be checked first if a user in VLAN 20 cannot reach the distribution switch over the uplink?

A. Fa0/1
B. Fa0/2
C. Fa0/24
D. Any access port in VLAN 1

Answer: C

Correct. The trunk carries inter-switch VLAN traffic.

Why this answer

If users in VLAN 20 must cross the uplink, the trunk port is the first place to verify allowed VLANs and tagging.

Exam trap

Don't confuse access ports with trunk ports; only trunk ports can carry multiple VLANs.

Why the other options are wrong

A

Fa0/1 is connected to VLAN 10, and since the user in VLAN 20 cannot reach the distribution switch, checking this port would not address the issue, as it is not part of the user's VLAN.

B

Fa0/2 is connected to VLAN 10, which means it cannot facilitate communication for a user in VLAN 20. The issue lies with the trunk port, which is responsible for carrying multiple VLANs, including VLAN 20.

D

Option D is incorrect because it suggests checking any access port in VLAN 1, which is not relevant to the user's issue in VLAN 20. The problem lies with the trunk port not allowing VLAN 20 traffic, not with access ports in VLAN 1.

304 (MCQ, hard)

A switch trunk is carrying several VLANs, but VLAN 99 traffic is failing. The trunk allowed list includes VLAN 99 on both sides. Which statement best explains why a VLAN can still fail even when it is allowed?

A. Because the VLAN may still be absent, inactive, or otherwise not operational locally even if it is allowed on the trunk
B. Because allowing a VLAN on a trunk automatically disables it
C. Because VLANs can cross trunks only when PAT is enabled
D. Because VLAN 99 must always be the native VLAN

Answer: A

This is correct because an allowed-list entry alone does not guarantee that the VLAN exists and operates correctly end to end.

Why this answer

A VLAN can still fail across a trunk even when it is allowed because the allowed list is only one part of the overall design. In plain language, a switch may permit the VLAN on the link, but if the VLAN does not actually exist locally, is not active, or if some other trunk characteristic is inconsistent, traffic can still fail. This is an important CCNA troubleshooting principle: one correct line of configuration does not guarantee the full end-to-end condition is correct.

Candidates often stop at the allowed VLAN list because it is visible in common show commands. However, VLAN presence, local status, and other trunk parameters still matter. The best answer is the one recognizing that permission on the trunk does not automatically prove the entire VLAN path is healthy.

Exam trap

A common exam trap is assuming that simply including VLAN 99 in the trunk allowed list guarantees that VLAN 99 traffic will pass. Many candidates stop troubleshooting once they see the VLAN is allowed on the trunk, neglecting to verify if VLAN 99 is actually created and active on each switch. This mistake leads to incorrect conclusions, as the allowed list only controls trunk forwarding permissions, not VLAN existence or operational status.

The exam tests your understanding that VLAN configuration and status are equally critical for successful VLAN traffic flow.

Why the other options are wrong

B

Incorrect. Allowing a VLAN on a trunk does not disable it; this option contradicts how VLANs and trunks operate in Cisco switches.

C

Incorrect. Port Address Translation (PAT) is unrelated to VLAN trunking. VLANs do not require PAT to cross trunks.

D

Incorrect. VLAN 99 does not have to be the native VLAN to function on a trunk. The native VLAN is independent of VLAN allowance and operation.

305 (PBQ, hard)

You are connected to SW1. The network has three switches (SW1, SW2, SW3) running Rapid-PVST+. SW1 should be the root bridge for VLAN 10. PortFast and BPDU Guard must be enabled on all edge ports connected to end hosts. An err-disabled port (G0/1) has occurred due to a BPDU violation on an edge port. Recover the port and ensure it is configured correctly to prevent recurrence.

Network Topology
(Diagram not reproduced. Devices: SW1, SW2, SW3, Host. Interface labels shown: Gi0/0, Gi0/1, Gi0/2.)

Hints

  • The port is in err-disabled state. You need to manually recover it by cycling the interface.
  • After recovery, verify the port is forwarding and still has PortFast and BPDU Guard enabled.
  • If the err-disabled condition recurs, the connected device may be sending BPDUs; consider removing BPDU Guard from that port if it is not truly an edge port.

A. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree bpduguard disable' on the interface.
B. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable' on the interface.
C. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree guard root' on the interface.
D. Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then verify that the connected device is not a switch or remove it from the network.

Answer: D

Solution:
! SW1
configure terminal
interface gigabitEthernet 0/1
shutdown
no shutdown
end

Why this answer

The port Gi0/1 is in err-disabled state because BPDU Guard disabled it after receiving a BPDU on a PortFast edge port. First, shut down the interface and then re-enable it with 'no shutdown' to recover from err-disabled. However, to prevent recurrence, the root cause must be addressed: the connected device (likely another switch) should not be sending BPDUs on an edge port.

BPDU Guard could be disabled on that specific port if it were not truly an edge port, but the task requires PortFast and BPDU Guard on edge ports. The correct fix is therefore to ensure that no BPDUs are sent from the downstream device; 'spanning-tree bpduguard disable' is appropriate only when the port is not an edge port, which the task rules out. Since the scenario requires BPDU Guard, the candidate should recover the port and then verify that the connected device is not a switch (or remove it from the topology).

Exam trap

The exam trap is that candidates may focus on recovering the port (shutdown/no shutdown) but forget to address why the BPDU was received. Simply re-enabling BPDU Guard or reapplying PortFast will not prevent recurrence. The key is to ensure the connected device is not sending BPDUs, either by removing it or reclassifying the port.

Why the other options are wrong

A

The specific factual error is that BPDU Guard should not be disabled on a port that is supposed to be an edge port with BPDU Guard enabled.

B

The specific factual error is that simply re-enabling the same features does not prevent recurrence; the source of BPDUs must be removed or the port must be reconfigured as a non-edge port.

C

The specific factual error is that Root Guard and BPDU Guard serve different purposes; Root Guard does not stop BPDU Guard from disabling the port.

306 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to interpret packet capture output for L2/L3 troubleshooting.

Six steps to be placed in order (the step text is not reproduced on this page).

Why this order

The correct sequence follows a bottom-up troubleshooting approach, starting at the data link layer and progressing to the transport layer. Verifying MAC addresses first confirms that Layer 2 framing and delivery are working. Checking ARP ensures that IP-to-MAC resolution is successful, which is a prerequisite for Layer 3 communication.

Analyzing IP headers validates network-layer addressing and routing. ICMP error messages often indicate specific routing or reachability problems. Finally, inspecting transport-layer details (ports, flags, and session states) provides insight into application connectivity without being misled by lower-layer issues.

307 (MCQ, hard)

A switch port connected to a user PC is configured as a trunk. The PC cannot communicate normally. What is the best explanation?

A. The port role is wrong because a normal PC-facing switchport should usually be an access port, not a trunk
B. A user PC requires EtherChannel to function
C. Trunk mode disables MAC address learning automatically
D. Trunk mode forces the switch to stop using IP addressing

Answer: A

This is correct because a standard PC is normally connected to an access port in one VLAN.

Why this answer

The best explanation is that the port role is wrong: a PC-facing port should be an access port, not a trunk, because PCs normally send untagged frames and cannot process VLAN tags. Option B is incorrect because EtherChannel is used for link aggregation, not required for a single PC. Option C is wrong because trunk mode does not disable MAC address learning.

Option D is irrelevant, as switches do not stop using IP addressing in trunk mode.

Exam trap

Be careful not to confuse physical link issues with logical configuration mismatches. A trunk port on a user PC is a logical mismatch, not a hardware failure.

Why the other options are wrong

B

A user PC does not require EtherChannel to function; EtherChannel is a method for bundling multiple physical links into a single logical link, which is not necessary for standard PC connectivity.

C

Trunk mode does not disable MAC address learning; it actually allows the switch to learn MAC addresses from multiple VLANs. Therefore, a switch port configured as a trunk can still learn MAC addresses normally.

D

Trunk mode does not disable IP addressing; it allows multiple VLANs to be carried over a single link, and IP addressing is still applicable to the switch interfaces. Therefore, the user PC's inability to communicate is not due to trunk mode disabling IP addressing.

308 (Multi-Select, medium)

Which two STP facts are correct? Choose two.

Select 2 answers
A. The root bridge is elected using the lowest bridge ID
B. STP is designed to prevent Layer 2 switching loops
C. A lower path cost makes a port less likely to become root port
D. All blocked ports are designated ports

Answers: A, B

That is how the root bridge is selected.

Why this answer

STP prevents Layer 2 loops by placing some ports into a non-forwarding role. The root bridge is chosen by the lowest bridge ID, and all ports on the root bridge itself are designated ports for their segments.

Exam trap

Be careful not to confuse root ports with designated ports, and remember that STP uses path cost, not hop count.

Why the other options are wrong

C

STP uses path cost to determine the root port, where a lower path cost is more desirable and makes a port more likely to become the root port, not less.

D

In STP, blocked ports are alternate or backup ports, not designated ports. Designated ports are in forwarding state on each segment, while blocked ports are non-designated.

309 (PBQ, hard)

You are connected to SW1 via the console. The network has three switches connected in a triangle: SW1 (G0/1 to SW2 G0/1), SW1 (G0/2 to SW3 G0/1), and SW2 (G0/2 to SW3 G0/2). SW1 is the root bridge. A PC is connected to SW3's G0/3 port, which should be an edge port. However, the PC has been sending BPDUs, causing the port to go err-disabled. Configure SW3 to prevent this in the future: enable PortFast and BPDU Guard on G0/3. Then, verify that the port recovers from err-disabled state and that a specific blocked port on SW2 is identified. Use the provided show output to determine the current state and necessary commands.

Network Topology
(Diagram not reproduced. Devices: SW1, SW2, SW3, PC. Link labels shown: "G0/1 to SW2 G0/1", "G0/2 to SW3 G0/2", "G0/2 to SW3 G0/2", "G0/3 to PC".)

Hints

  • The err-disabled port must be manually recovered with shutdown/no shutdown.
  • PortFast is configured at the interface level.
  • BPDU Guard is also configured at the interface level using 'spanning-tree bpduguard enable'.

A. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; shutdown; no shutdown
B. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; no shutdown
C. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; end; copy running-config startup-config
D. interface g0/3; spanning-tree portfast; spanning-tree bpduguard enable; shutdown

Answer: A

Solution:
! SW3
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
shutdown
no shutdown

Why this answer

The PC connected to SW3's G0/3 was sending BPDUs, causing the port to go err-disabled due to BPDU Guard. To prevent this, enable PortFast and BPDU Guard on that interface. First, move to interface configuration mode for G0/3, then issue 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.

After configuration, the port will remain err-disabled until manually recovered by issuing 'shutdown' followed by 'no shutdown'. The blocked port on SW2 is G0/2, as shown by the 'Altn BLK' role/status in its spanning-tree output.

Exam trap

A common trap is forgetting that err-disabled ports require a manual shutdown/no shutdown cycle to recover. Simply enabling BPDU Guard or saving the configuration does not restore the port. Always remember to reset the interface after correcting the cause.

Why the other options are wrong

B

The err-disabled state requires a manual interface reset (shutdown followed by no shutdown) to recover; a single 'no shutdown' command is insufficient.

C

Saving the configuration preserves the settings but does not affect the current operational state of the interface; the port stays err-disabled.

D

The shutdown command disables the interface but does not automatically re-enable it; the err-disabled state is cleared only after a shutdown/no shutdown cycle.

310 (MCQ, medium)

A controller-based WLAN is deployed across multiple floors. Users can associate to the SSID on both floors, but their experience improves when moving between APs compared with a poorly designed standalone deployment. Which wireless concept is most closely related to that client movement experience?

A. Roaming between access points
B. NetFlow export
C. DHCP snooping
D. Route summarization

Answer: A

This is correct because the question is about client movement between AP coverage areas.

Why this answer

The concept most closely related is roaming between access points. In practical terms, client mobility experience depends on how smoothly a device can move from one AP coverage area to another while staying on the WLAN. Controller-based designs often help manage this more consistently than fragmented independent configurations.

The key point is that the question is about movement between APs while remaining on the wireless network, not about VLAN trunks or routing protocol neighbors.

Exam trap

Be careful not to confuse network performance improvements like channel bonding with client mobility improvements like roaming.

Why the other options are wrong

B

NetFlow export is related to network traffic analysis and monitoring, not directly to client movement or experience between access points in a WLAN. It does not address the seamless connectivity aspect of roaming.

C

DHCP snooping is a security feature that helps prevent unauthorized DHCP servers from distributing IP addresses on a network. It does not directly relate to the user experience of roaming between access points in a WLAN deployment.

D

Route summarization is a technique used in routing protocols to reduce the size of routing tables by aggregating multiple routes into a single route. It does not pertain to client movement or wireless connectivity between access points.

311 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Four steps to be placed in order (the step text is not reproduced on this page).

Why this order

After entering privileged EXEC mode, enable capture on the interface, define buffer/filter, start capture, then export for Wireshark analysis; starting before configuring buffer would fail.

Exam trap

The exam trap is that candidates may confuse the order of steps, especially thinking that defining the buffer/filter should come before enabling the capture on the interface, or that starting the capture can be done early. Remember: enable the capture on the interface first, then configure buffer/filter, then start.

312 (MCQ, easy)

Which VLAN is used by default for most switch ports on a new Cisco switch?

A. VLAN 1
B. VLAN 99
C. VLAN 1002
D. No VLAN until the port is manually assigned

Answer: A

That is the default VLAN on most Cisco switches.

Why this answer

On a default Cisco switch, access ports belong to VLAN 1 until changed. Best practice is usually to move user ports away from VLAN 1, but the default is still VLAN 1.

Exam trap

Remember that VLAN 1 is the default VLAN on Cisco switches, despite being discouraged for use in production environments.

Why the other options are wrong

B

VLAN 99 is not the default VLAN for switch ports on a new Cisco switch; the default is VLAN 1. VLAN 99 is often used in specific configurations but is not the factory default setting.

C

VLAN 1002 is a reserved VLAN for Token Ring and FDDI, and it is not the default VLAN for switch ports on a new Cisco switch. Most switch ports default to VLAN 1 unless configured otherwise.

D

This option is incorrect because, by default, Cisco switches assign all ports to VLAN 1, not leaving them unassigned. Every port is part of VLAN 1 unless configured otherwise.

313 (MCQ, hard)

A switch port connected to a workstation is configured with sticky MAC learning and a maximum secure MAC count of 1. What is the main operational benefit of sticky learning in this case?

A. It dynamically learns a secure MAC address and can preserve it if the configuration is saved.
B. It disables the maximum secure MAC limit on the interface.
C. It automatically saves the running configuration to the startup configuration after learning the MAC address.
D. It prevents the port from ever generating a security violation.

Answer: A

This is correct because sticky MAC learning records the observed address as a secure port-security entry.

Why this answer

Sticky learning gives the convenience of dynamic discovery while still treating the learned address as a secure port-security entry. In practical terms, the switch can observe the first legitimate MAC address on the port and record it as a secure address without the administrator having to type that address manually. If the running configuration is later saved, that sticky entry can persist after a reload.

This is useful because it balances ease of deployment with access control. The maximum secure MAC count still matters, and port security is still active. Sticky learning does not replace port security; it works within it.

Exam trap

Be careful not to confuse sticky learning with allowing multiple MAC addresses or automatic removal of unauthorized addresses.

Why the other options are wrong

B

Option B is incorrect because sticky MAC learning does not disable the maximum secure MAC limit; it simply allows the switch to learn and retain the MAC address within that limit. The maximum secure MAC count remains enforced regardless of sticky learning.

C

Sticky learning does not automatically save the running configuration; it only adds the learned MAC to the running configuration, which must be explicitly saved to the startup configuration to persist across reboots.

D

This option is incorrect because sticky MAC learning does not prevent security violations; it only allows the learned MAC address to be retained across reboots if saved. A security violation can still occur if an unauthorized MAC address is detected on the port.

314 (Multi-Select, medium)

Which TWO commands are required to configure a switch port to support both a desktop PC and a VoIP phone using voice VLAN?

Select 2 answers
A. switchport mode access
B. switchport mode trunk
C. switchport voice vlan <vlan-id>
D. switchport access vlan <vlan-id>
E. switchport port-security maximum 1

Answers: A, C

This command configures the port as an access port, which is required for connecting a desktop PC and a VoIP phone (the phone typically uses the access port for data and a separate voice VLAN).

Why this answer

Option A, 'switchport mode access,' is required because voice VLAN only operates on an access port. Option C, 'switchport voice vlan <vlan-id>,' is the command that actually assigns the voice VLAN ID. Option B is incorrect because a trunk port would not properly separate voice and data traffic as the phone expects an access port.

Option D is a common data VLAN configuration but is not strictly necessary for voice VLAN operation; the access VLAN can be left as the default or configured separately. Option E is wrong because 'switchport port-security maximum 1' would allow only a single MAC address, while the port must support two devices (the phone and the PC), the second MAC address belonging to the phone's internal switch.

Exam trap

Candidates often mistakenly include 'switchport access vlan' as one of the two required commands, but the question specifically asks for voice VLAN configuration, not the full port setup.

Why the other options are wrong

B

Trunk mode is incompatible because the phone expects an access port, and the voice VLAN is tagged internally by the phone, not by switch port trunking.

D

Configuring an access VLAN is not mandatory for voice VLAN; the question targets only the commands unique to enabling the voice feature.

E

Limiting the port to one MAC address would block the PC's MAC, breaking dual-device support provided by the phone's internal switch.

315 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches.

Four steps to be placed in order (the step text is not reproduced on this page).

Why this order

Start in global config, select interfaces, set channel-group mode to active on each interface (at least one side must be active; the other can be active or passive), then verify. This order ensures consistent negotiation and correct channel formation.

Exam trap

The exam trap is that candidates often confuse the order of steps or try to set channel-group mode globally. Remember: you must first enter global config, then select interfaces, then set the mode per interface. Also, LACP can form with one side active and the other passive; both active is not strictly required.

316 (Matching, medium)

Match each switchport or trunking concept to its most accurate role.

Descriptions to match (the concept list is not reproduced on this page):

  • Endpoint-facing port that normally belongs to one VLAN
  • Link that carries multiple VLANs
  • Restriction controlling which VLANs traverse the trunk
  • VLAN associated with untagged traffic on the trunk

Why these pairings

Access port: carries traffic for a single VLAN (usually to an endpoint).

Trunk: carries traffic for multiple VLANs between switches.

Allowed VLAN list: controls which VLANs are permitted to traverse the trunk.

Native VLAN: carries untagged frames on the trunk (typically VLAN 1).

The other terms (Dynamic Desirable, Dynamic Auto, Trunking, DTP) are related to trunk negotiation or generic concepts, not directly matched to these roles.

Exam trap

Do not confuse DTP negotiation modes (Dynamic Desirable, Dynamic Auto) with port roles (access, trunk). Access ports are statically assigned to one VLAN, while trunk ports carry multiple VLANs.

317 (MCQ, easy)

Which wireless design objective is achieved by using nonoverlapping channels in adjacent cells?

A. It increases PoE budget for the access points
B. It reduces interference between nearby APs
C. It removes the need for authentication
D. It forces all clients to use 5 GHz only

Answer: B

That is the main reason for careful channel planning.

Why this answer

The correct answer is B because using nonoverlapping channels minimizes interference between adjacent APs, improving wireless performance in dense environments. Option A is wrong because nonoverlapping channels have no effect on PoE budget, which is determined by the switch and cable specifications. Option C is wrong because authentication mechanisms operate independently of channel assignment and are still required.

Option D is wrong because nonoverlapping channels are used in both the 2.4 GHz and 5 GHz bands, and they do not mandate client use of a specific frequency.

Exam trap

Avoid confusing interference reduction with bandwidth or range improvements.

Why the other options are wrong

A

This option is incorrect because using nonoverlapping channels does not impact the Power over Ethernet (PoE) budget for access points; PoE budget is determined by the power supply and the devices connected, not by channel selection.

C

This option is incorrect because using nonoverlapping channels does not eliminate the need for authentication in wireless networks; authentication is a separate security measure that ensures only authorized users can connect.

D

This option is wrong because using nonoverlapping channels does not force clients to operate exclusively on the 5 GHz band; it simply allows for better channel management to reduce interference. Clients can still connect on both 2.4 GHz and 5 GHz bands based on their capabilities and network configuration.

318 (PBQ, hard)

You are connected to SW1. The current configurations of interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are as follows:

Gi0/1: speed 100, duplex half, switchport access vlan 10
Gi0/2: speed 1000, duplex full, switchport access vlan 20

The port-channel interface 1 does not exist. Configure a LACP EtherChannel between SW1 and SW2 using these two interfaces, with port-channel 1 and mode active on both sides. Ensure the channel forms by resolving any speed/duplex or VLAN mismatches. After configuration, verify with 'show etherchannel summary'.

Network Topology
(Diagram not reproduced. Devices: SW1, SW2, joined by an LACP bundle; interface labels shown: Gi0/1, Gi0/1.)

Hints

  • Check speed and duplex consistency between member interfaces.
  • All member interfaces must be in the same VLAN.
  • The port-channel interface VLAN must match the physical interfaces.

A. The EtherChannel will not form because the physical interfaces have mismatched speed/duplex and VLAN assignments. You must configure both interfaces with the same speed (1000), duplex (full), and access VLAN (10), then apply channel-group 1 mode active on each.
B. The EtherChannel will form successfully because LACP active mode negotiates the channel regardless of speed/duplex or VLAN differences.
C. The EtherChannel will not form because the port-channel interface must be configured with the same VLAN as the physical interfaces, but the physical interfaces can have different speeds.
D. The EtherChannel will form successfully because the port-channel interface inherits the VLAN from the first physical interface added, so no additional configuration is needed.

Answer: A

Solution:
! SW1
interface GigabitEthernet0/1
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface GigabitEthernet0/2
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface Port-channel1
switchport access vlan 10

Why this answer

The EtherChannel fails because member interfaces have mismatched speed/duplex (Gi0/1 is 100/half, Gi0/2 is 1000/full) and different VLANs (VLAN 10 vs 20). Additionally, the port-channel interface and physical interfaces must have matching VLAN assignments. To fix, unify both physical interfaces to the same speed (1000), duplex (full), and access VLAN (10).

Then set channel-group mode active on each physical interface. Finally, ensure the port-channel interface also uses VLAN 10. Verify with 'show etherchannel summary' which should show the port-channel as SU (in use).

Exam trap

Cisco exam traps often test the requirement for identical speed, duplex, and VLAN on all EtherChannel member interfaces. Do not assume LACP can negotiate mismatches; it only handles aggregation, not physical or VLAN parameters.

Why the other options are wrong

B

LACP active mode only enables negotiation, but it does not resolve underlying parameter mismatches. The interfaces must still have consistent speed, duplex, and VLAN configuration.

C

All member interfaces must have identical speed and duplex settings. Even if VLANs match, speed mismatch will cause the channel to fail.

D

When IOS creates the Port-channel interface it copies the configuration of the first member added, so the premise of D is partly true, but that does not fix anything: Gi0/2 is still in VLAN 20 at a different speed and duplex, and IOS will not bundle a member whose settings differ from the channel. The members must be made identical first, and the port-channel VLAN then kept consistent with them.

319
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic for L2/L3 troubleshooting.

Correct order:
1. Identify the traffic source to capture
2. Configure a SPAN session to mirror it
3. Connect the capture device to the SPAN destination port
4. Start the capture
5. Reproduce the issue
6. Stop the capture
7. Analyze the output

Why this order

The steps follow the logical sequence of a packet capture: first identify the traffic source, then configure a SPAN session to mirror it, connect the capture device, start capture, reproduce the issue, stop capture, and finally analyze the output. Each step must be completed before the next can succeed.

320
PBQhard

You are connected to a multilayer switch MLSW1. PortFast and BPDU Guard have already been enabled on interface GigabitEthernet0/1, which connects to an end device, and a BPDU received on that interface placed it in the err-disabled state. Configure Rapid PVST+ so that MLSW1 becomes the root bridge for VLAN 10 with a priority of 4096. Recover the interface by re-enabling it. Finally, verify which port is blocking on VLAN 10 by connecting to MLSW2 and executing the appropriate show command.

Network Topology
[Topology diagram: three multilayer switches MLSW1, MLSW2 and MLSW3; labels recovered from the figure: G0/1 to PC, G0/2 to MLSW3 G0/1, G0/2 to MLSW3 G0/1, G0/2 to MLSW1 G0/3]

Hints

  • Check the current root priority and adjust with 'spanning-tree vlan <vlan> priority <value>'.
  • An err-disabled interface is recovered with 'shutdown' followed by 'no shutdown' (or automatically if 'errdisable recovery cause bpduguard' is configured); remove or fix the device that sent the BPDU first, or the port will be err-disabled again.
  • Look at the spanning-tree topology to find which port is blocking; it will be in 'ALT' role with 'BLK' state.
A.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show spanning-tree vlan 10
B.spanning-tree vlan 10 root primary; interface GigabitEthernet0/1; no shutdown; show spanning-tree vlan 10
C.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; no shutdown; show interfaces status
D.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show running-config
AnswerA
solution
! MLSW1
spanning-tree vlan 10 priority 4096
interface gigabitEthernet 0/1
shutdown
no shutdown

Why this answer

The correct solution sets the spanning-tree priority for VLAN 10 to 4096 on MLSW1, ensuring it becomes the root bridge. PortFast and BPDU Guard are already configured on G0/1, which caused the interface to go err-disabled when a BPDU was received. To recover, you must issue the 'shutdown' followed by 'no shutdown' commands on the interface.

Because MLSW1 is the root bridge, it has no blocking ports; the blocking port (alternate) will be seen on a downstream switch like MLSW2. Therefore, verification must be done on MLSW2 using 'show spanning-tree vlan 10' to view the alternate blocking port. Option A correctly includes all required steps.

Option B uses 'root primary', which sets the priority to 24576 (or to 4096 below the current root if 24576 is not enough), not the specified 4096, and it lacks the 'shutdown' that must precede 'no shutdown' on an err-disabled port. Option C omits the err-disabled recovery and uses the wrong verification command. Option D verifies with 'show running-config', which does not display STP port roles.

Exam trap

Remember that 'spanning-tree vlan <vlan> root primary' is a macro that picks 24576 (or a value 4096 below the current root), not a custom value; use 'spanning-tree vlan <vlan> priority <value>' for an exact priority, which must be a multiple of 4096. Also note that 'show spanning-tree' displays the priority plus the VLAN ID (4106 for VLAN 10) because of the extended system ID; that is not a misconfiguration. Err-disabled recovery requires a shutdown followed by no shutdown. Always use 'show spanning-tree vlan <vlan>' to verify port roles, not 'show interfaces status' or 'show running-config'.

Why the other options are wrong

B

The specific factual error: 'root primary' sets priority to 24576 (or 4096 below the current root), not 4096. Also, err-disabled recovery requires a shutdown followed by no shutdown.

C

The specific factual error: err-disabled recovery requires a shutdown before no shutdown. 'show interfaces status' does not display STP port roles.

D

The specific factual error: 'show running-config' does not display STP port roles or blocking status.
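The verification step above is easier to get right when you know exactly which columns of 'show spanning-tree vlan 10' to read. The following is an added example, not part of the original question set: a small Python parser over a constructed sample of what a non-root switch (a hypothetical MLSW2, with made-up MAC addresses) would print after MLSW1 takes the root role for VLAN 10 with priority 4096. It identifies the blocking port from the Role/Sts columns and recovers the configured priority from the displayed value, which includes the VLAN ID as the extended system ID.

```python
"""Parse 'show spanning-tree vlan <n>' output and report the blocking port.

Added example, not Cisco code. The output below is constructed to resemble
what a non-root switch shows once MLSW1 is root for VLAN 10 with priority
4096; addresses and costs are made up.
"""
import re

SHOW_SPANNING_TREE_VLAN_10 = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0011.2233.4455
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0066.7788.99aa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p Edge
"""

# One port row: interface, role, state, cost, priority.portnumber, link type.
PORT_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+"
    r"(?P<state>FWD|BLK|LRN|LIS|BKN\*?)\s+(?P<cost>\d+)\s+"
    r"(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>.*)$"
)


def parse_stp(output):
    """Return VLAN id, root/bridge identity and per-port role/state."""
    info = {"ports": []}
    section = None
    for line in output.splitlines():
        m = re.match(r"^VLAN0*(\d+)", line)
        if m:
            info["vlan"] = int(m.group(1))
        if "Root ID" in line:
            section = "root"
        elif "Bridge ID" in line:
            section = "bridge"
        m = re.search(r"Priority\s+(\d+)", line)
        if m and section:
            info[section + "_priority"] = int(m.group(1))
        m = re.search(r"Address\s+([0-9a-f.]+)", line)
        if m and section:
            info[section + "_address"] = m.group(1)
        m = PORT_RE.match(line)
        if m:
            info["ports"].append(m.groupdict())
    # The root switch shows its own address as the Root ID.
    info["is_root"] = info.get("root_address") == info.get("bridge_address")
    # Displayed priority = configured priority + VLAN id (extended system ID).
    info["root_configured_priority"] = info["root_priority"] - info["vlan"]
    return info


def blocking_ports(info):
    """Interfaces in the blocking (BLK) or broken (BKN) state on this VLAN."""
    return [p["intf"] for p in info["ports"]
            if p["state"].startswith(("BLK", "BKN"))]


if __name__ == "__main__":
    info = parse_stp(SHOW_SPANNING_TREE_VLAN_10)
    print("this switch is root:", info["is_root"])
    print("root priority as configured:", info["root_configured_priority"])
    print("blocking ports:", blocking_ports(info))
```

Run against a real capture of the command output, the same parser also catches the root guard case: a port held in the root-inconsistent state shows BKN* in the Sts column and is reported alongside ordinary alternate ports.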

321
PBQmedium

You are connected to SW1 via console. SW1 is a multilayer switch with SVIs for VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24). Hosts in VLAN 10 and VLAN 20 need to communicate with each other. Currently, inter-VLAN routing is not working. You need to enable routing on SW1 and verify that the SVIs are operational.

Network Topology
[Topology diagram: HostA on SW1 G0/1 and HostB on SW1 G0/2]

Hints

  • Check if 'ip routing' is already enabled.
  • Verify that the SVIs are up with 'no shutdown'.
A.Enable IP routing using the 'ip routing' global configuration command.
B.Configure a routing protocol such as OSPF or EIGRP on the SVIs.
C.Assign IP addresses to the physical interfaces connected to the hosts.
D.Create a trunk port and connect a router to perform router-on-a-stick.
AnswerA
solution
! SW1
ip routing

Why this answer

The 'ip routing' command enables Layer 3 routing on the multilayer switch, allowing SVIs to route between VLAN 10 and VLAN 20. Option B is unnecessary because directly connected SVIs do not require a routing protocol; routing protocols are only needed for routes learned from other routers, and 'ip routing' must still be enabled. Option C would require converting the physical interfaces to routed ports, which would break the existing Layer 2 VLAN topology and is not the intended solution.

Option D provides an external router-on-a-stick solution but does not enable routing on SW1 itself, which is the required task. Therefore, only option A correctly enables inter-VLAN routing on SW1.

Exam trap

The trap is that many candidates assume SVIs automatically route traffic once they have IP addresses. However, on a multilayer switch, you must explicitly enable IP routing with the 'ip routing' command. Without it, the switch remains a Layer 2 device and SVIs only serve as management interfaces.

Why the other options are wrong

B

Routing protocols like OSPF or EIGRP are not required for directly connected SVIs; only 'ip routing' is needed to enable Layer 3 routing.

C

Assigning IP addresses to physical interfaces would convert them to routed ports, breaking the existing Layer 2 VLAN configuration and is not the correct approach.

D

Using an external router with router-on-a-stick would enable inter-VLAN routing but does not enable routing on SW1 as required.

322
MCQhard

Refer to the exhibit. A network engineer notices that on a four-link EtherChannel bundle between two switches, all traffic from a particular VLAN is being forwarded over only one physical link, while the other three links remain idle. The engineer suspects a load-balancing issue and issues the show etherchannel load-balance command, the output of which is shown. What is the most likely cause of the uneven traffic distribution?

A.The switch is using source‑MAC‑address load balancing, and multiple end hosts are appearing with the same source MAC address.
B.The EtherChannel is misconfigured with an LACP active/passive mode mismatch, forcing only one link to bundle.
C.VLAN pruning on the trunk has removed the VLAN from three of the four member interfaces.
D.Spanning Tree Protocol has blocked three of the four links in the EtherChannel because they form a loop.
AnswerA

The show etherchannel load-balance output confirms the global load‑balancing method is src‑mac. With this method, frames with an identical source MAC always hash to the same physical member link, causing all traffic from hosts sharing that MAC to use only one link.

Why this answer

The exhibit shows the load-balancing method is 'src-mac'. When source-MAC-based hashing is used, all frames with the same source MAC address egress the same physical member link. If multiple end hosts are behind a router or proxy and appear with identical source MAC, the hash algorithm always selects the same link, leaving the other links in the bundle idle.

Exam trap

Many candidates choose LACP misconfiguration because they recall that mode mismatches can limit the number of active links. However, the exhibit explicitly displays the load‑balancing method, not the LACP negotiation state. A mode mismatch would prevent the EtherChannel from forming, not leave it forming but with only one link carrying traffic.

Why the other options are wrong

B

Candidates may think that an LACP problem explains a single active link, but a mismatch would cause the entire EtherChannel to fail, not selectively use one member.

C

Candidates might mistake an idle member for a pruned VLAN, but the trunk's allowed and pruned VLAN lists are configured on the logical port-channel and apply identically to every member; a VLAN cannot be pruned from three members and allowed on the fourth. The exhibit shows the load-balance method, which is what actually decides the member link.

D

Candidates may associate an idle link with STP blocking, but an EtherChannel bundle presents one logical link to STP. A blocking state on some members only would indicate a serious configuration error, not the load‑balance method shown.
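The polarisation described above is easy to reproduce on paper. The following is an added example, not Cisco code: a small Python model of member-link selection. Cisco documents that the member is chosen from the low-order bits of the selected address field(s) (1 bit for two links, 2 bits for four, 3 bits for eight); the exact bit mapping is platform-specific, so this is a simplification. The flows are constructed: eight hosts behind one router (so every frame carries the router's MAC as source) talking to one server, which also shows that switching to src-dst-mac does not help for routed traffic while src-dst-ip does.

```python
"""Model EtherChannel member selection for src-mac, src-dst-mac and src-dst-ip.

Added example, not Cisco code. Member choice is modelled as the low-order
bits of the hashed field(s), per Cisco's documentation; real hardware hash
functions differ by platform. Traffic below is constructed.
"""
from collections import Counter


def low_bits(value, nlinks):
    """Select a member index from the low-order bits of a hash value."""
    bits = nlinks.bit_length() - 1      # 2 links -> 1 bit, 4 -> 2, 8 -> 3
    return value & ((1 << bits) - 1)


def mac_int(mac):
    """'0000.0c07.ac0a' or '00:00:0c:07:ac:0a' -> int."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def ip_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def pick_link(flow, method, nlinks=4):
    """Return the member index (0..nlinks-1) a frame of this flow hashes to."""
    if method == "src-mac":
        h = mac_int(flow["src_mac"])
    elif method == "src-dst-mac":
        h = mac_int(flow["src_mac"]) ^ mac_int(flow["dst_mac"])
    elif method == "src-dst-ip":
        h = ip_int(flow["src_ip"]) ^ ip_int(flow["dst_ip"])
    else:
        raise ValueError(f"unsupported load-balance method: {method}")
    return low_bits(h, nlinks)


def distribution(flows, method, nlinks=4):
    """How many flows land on each member link under the given method."""
    counts = Counter(pick_link(f, method, nlinks) for f in flows)
    return [counts.get(i, 0) for i in range(nlinks)]


# Constructed: hosts 10.1.1.1-8 sit behind a router (HSRP-style virtual MAC
# assumed) and all talk to one server, so L2 addresses are identical per frame.
ROUTER_MAC = "0000.0c07.ac0a"
SERVER_MAC = "0050.56aa.0001"
SERVER_IP = "10.2.2.10"
FLOWS = [
    {"src_mac": ROUTER_MAC, "dst_mac": SERVER_MAC,
     "src_ip": f"10.1.1.{i}", "dst_ip": SERVER_IP}
    for i in range(1, 9)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{method:12s} {distribution(FLOWS, method)}")
```

The practical fix is therefore 'port-channel load-balance src-dst-ip' (or a Layer 4 method where the platform offers one), not more member links.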

323
MCQhard

A switchport connected to another switch is configured as an access port by mistake. Which symptom is most likely in a multi-VLAN design?

A.Only one VLAN is likely to pass correctly, while other VLAN traffic across the link fails
B.The link negotiates as a trunk but drops all VLAN traffic
C.The switch generates excessive broadcasts on all VLANs
D.The switch stops learning MAC addresses entirely
AnswerA

This is correct because an access port normally carries one VLAN rather than multiple VLANs.

Why this answer

The most likely symptom is that only one VLAN’s traffic works correctly across the link while traffic for other VLANs fails. In plain language, an access port belongs to one VLAN in normal switching behavior. If an inter-switch link that should carry multiple VLANs is accidentally configured as an access port, the network loses the ability to transport the other VLANs.

The physical link may stay up, which can make the problem seem subtle, but the logical role of the port is wrong.

Exam trap

Be cautious not to confuse physical link status with logical configuration issues. An access port will not drop the link but will restrict traffic to a single VLAN.

Why the other options are wrong

B

An access port cannot negotiate trunking; it simply forwards only one VLAN's traffic.

C

Broadcast storms are not caused by an access port misconfiguration.

324
Multi-Selectmedium

Which TWO statements are true about configuring and verifying VLANs, 802.1Q trunking, native VLAN, and inter-VLAN routing with router-on-a-stick?

Select 2 answers
A.On a router-on-a-stick configuration, each subinterface must be configured with an IP address and the encapsulation dot1Q command to specify the VLAN ID.
B.The native VLAN is always tagged on an 802.1Q trunk link.
C.The command switchport trunk native vlan 10 is used to restrict which VLANs are allowed on a trunk.
D.When configuring a router-on-a-stick, the native VLAN must match on both the switch and the router subinterface to avoid miscommunication.
E.The command show interfaces trunk displays the IP addresses configured on router subinterfaces.
AnswersA, D

This is correct because the router needs a subinterface per VLAN, each with an IP address and the dot1Q encapsulation to identify the VLAN.

Why this answer

Option A is correct because in a router-on-a-stick configuration, each subinterface must be assigned an IP address and use the encapsulation dot1Q command to associate it with a specific VLAN ID; this enables the router to process tagged frames from multiple VLANs over a single physical link. Option D is also correct because the native VLAN configured on the switchport trunk must match the native VLAN used on the router (the subinterface configured with 'encapsulation dot1Q <id> native', or the untagged physical interface if no subinterface is used); a mismatch causes the router to mishandle untagged frames because it expects them to belong to the configured native VLAN, leading to communication failures. Option B is wrong because on an 802.1Q trunk, the native VLAN frames are sent untagged, not tagged.

Option C is wrong because the command 'switchport trunk native vlan 10' only changes the native VLAN; it does not restrict which VLANs are allowed—that requires 'switchport trunk allowed vlan'. Option E is wrong because 'show interfaces trunk' shows trunking status, native VLAN, and allowed VLAN lists on switch ports, not IP addresses of router subinterfaces.

Exam trap

Cisco often tests the misconception that the native VLAN is tagged on a trunk, or that the switchport trunk native vlan command controls allowed VLANs, when in fact it only changes which VLAN is untagged.

Why the other options are wrong

B

The native VLAN is sent untagged to maintain backward compatibility with devices that do not understand 802.1Q tagging.

C

The command to restrict allowed VLANs is switchport trunk allowed vlan, not the native VLAN command.

E

To see IP addresses on subinterfaces, use show ip interface brief or show running-config on the router.

325
MCQhard

A user joins the employee SSID successfully and can browse internal resources, but VoIP over Wi-Fi calls fail only while roaming between floors. Which troubleshooting area is the strongest first focus?

A.Roaming behavior and RF transition quality between AP coverage areas
B.Whether the SSID name is spelled correctly
C.Whether the branch router has PPP enabled
D.Whether the user has a static default route on the phone
AnswerA

This is correct because the symptom appears specifically during movement between coverage zones.

Why this answer

The strongest first focus is roaming and RF transition behavior between AP coverage areas. In practical terms, the user already proved that general WLAN access and internal reachability are working. The failure happens during movement and affects a time-sensitive application. That points to mobility-related behavior rather than basic SSID visibility or simple IP addressing.

This is a realistic wireless troubleshooting item because it narrows the fault domain from the symptom pattern instead of restarting from the basics.

Exam trap

Avoid assuming basic connectivity issues when the problem is specific to roaming and affects a time-sensitive application.

Why the other options are wrong

B

This option is wrong because the spelling of the SSID does not affect the ability to roam between access points; the user is already connected to the SSID and can access internal resources.

C

This option is wrong because PPP (Point-to-Point Protocol) is not directly related to VoIP performance or roaming issues; it primarily pertains to WAN connections rather than local Wi-Fi network transitions.

D

This option is wrong because the issue described pertains to roaming and VoIP call quality, which is unrelated to static routing configurations on the user's phone. A static default route would not directly impact the ability to maintain VoIP calls while transitioning between access points.

326
MCQmedium

Why is PortFast typically enabled on switch ports connected to end devices?

A.To let end-device ports reach forwarding state more quickly
B.To make access ports participate in OSPF
C.To convert all access ports into trunks
D.To disable Ethernet addressing on PCs
AnswerA

This is correct because PortFast speeds transition to forwarding on suitable edge ports.

Why this answer

PortFast is enabled so access ports connected to end devices can move to forwarding more quickly instead of waiting through the normal spanning-tree listening and learning transitions. In plain language, it helps a user’s PC, printer, or similar endpoint start communicating sooner after the link comes up. That can reduce delays at startup and prevent certain device timeout problems.

PortFast is not intended as a loop-prevention mechanism by itself, and it should not normally be used carelessly on links to other switches. That is why it is commonly paired with BPDU Guard on edge ports. The correct answer is the one focused on faster transition for end-device access links rather than on unrelated routing or VLAN functions.

Exam trap

Do not confuse PortFast with disabling spanning-tree or improving routing; it specifically speeds up access port transitions.

Why the other options are wrong

B

This option is incorrect because PortFast does not enable access ports to participate in OSPF; OSPF is a routing protocol that requires Layer 3 interfaces, while PortFast is a feature for Layer 2 switch ports.

C

This option is wrong because PortFast does not convert access ports into trunk ports; it is designed to bypass the Spanning Tree Protocol (STP) listening and learning states to allow end devices to connect more quickly.

D

Disabling Ethernet addressing on PCs is not related to the function of PortFast, which is designed to expedite the transition of switch ports to the forwarding state. PortFast does not alter how Ethernet addressing operates on connected devices.

327
MCQhard

A network administrator connects an IP phone to interface Gi0/1 and a PC to the phone's PC port. Users report that the phone cannot register with the call manager and the PC does not obtain an IP address. The administrator verifies the configuration shown in the exhibit. What is the most likely cause of the problem?

A.The switchport mode should be changed to trunk to allow tagged voice traffic.
B.The voice VLAN is not configured on the interface.
C.The spanning-tree portfast command is blocking the port from forwarding.
D.The access VLAN 10 is incorrect for the data subnet.
AnswerB

The exhibit lacks the 'switchport voice vlan <vlan-id>' command. That command makes the switch advertise the voice VLAN ID to the phone through CDP (or LLDP-MED), so the phone tags its own traffic with that VLAN while the PC's untagged frames stay in the access VLAN.

Why this answer

The correct answer is B because the voice VLAN is not configured on the interface. For an IP phone to communicate with the call manager, the switchport must be configured with a voice VLAN (e.g., 'switchport voice vlan 20') to separate voice traffic from data traffic. Without this command, the phone cannot tag its frames with the appropriate VLAN ID, preventing registration.

Additionally, the PC behind the phone depends on the phone passing its untagged frames through to the access VLAN; in the exhibit scenario the phone never completes its VLAN negotiation with the switch, and the PC's DHCP requests are not forwarded either, so it fails to obtain an address.

Exam trap

Cisco often tests the distinction between access VLAN and voice VLAN, and the trap here is that candidates assume the access VLAN alone is sufficient for both voice and data, overlooking the mandatory 'switchport voice vlan' command required for IP phone operation.

Why the other options are wrong

A

Cisco best practice for an IP phone plus PC is an access port with 'switchport voice vlan', not trunk mode. A trunk toward the phone would expose every allowed VLAN to the PC behind the phone, which could then tag frames into any of them (a VLAN hopping risk), and it is unnecessary because an access port with a voice VLAN already accepts the phone's tagged voice frames.

C

PortFast only lets the port skip the listening and learning states and forward immediately; it never blocks a port. An STP-blocked port would still show link up but appear as BLK in 'show spanning-tree', which is not what this scenario describes.

D

Even if VLAN 10 were wrong, the phone’s registration issue would persist because the voice VLAN is still missing. The problem has two symptoms; the voice VLAN omission explains both.

328
Matchingmedium

Match each WLAN term to its correct description.

Pairings:
  • SSID: Name of the wireless network shown to clients
  • WPA3: Wireless security standard
  • CAPWAP: Protocol associated with AP-controller communication
  • Roaming: Client movement between AP coverage areas

Why these pairings

SSID is the service set identifier, the human-readable name that identifies a wireless network. WPA3 is the latest Wi-Fi security standard providing stronger encryption and authentication. CAPWAP is the Control and Provisioning of Wireless Access Points protocol, used for communication between lightweight APs and wireless LAN controllers.

Roaming is the process of a wireless client moving between different access points or coverage areas while maintaining its network session.

Exam trap

Candidates often mistake CAPWAP for a security feature or confuse roaming with a security mechanism; remember CAPWAP handles AP-controller communication and roaming simply refers to client mobility between coverage areas.

329
Matchingmedium

Drag and drop the VLAN and trunking commands/concepts on the left to their correct descriptions on the right.

Pairings:
  • switchport mode trunk: Configures an interface to operate as a trunk link
  • switchport trunk native vlan 999: Sets the native VLAN on a trunk to VLAN 999
  • switchport mode access / switchport access vlan 10: Assigns a port to VLAN 10 as an access port
  • Native VLAN: VLAN that carries untagged traffic on a trunk
  • Router subinterface (for example interface GigabitEthernet0/0.10): Creates a subinterface for router-on-a-stick
  • encapsulation dot1Q 10: Configures 802.1Q tagging for VLAN 10 on a subinterface

Why these pairings

Each description maps to the IOS command or term that implements it: 'switchport mode trunk' forces trunking on the port, 'switchport trunk native vlan 999' moves the untagged VLAN off the default VLAN 1, 'switchport access vlan 10' (with 'switchport mode access') binds a single VLAN to an access port, the native VLAN is the one VLAN a trunk carries untagged, a router subinterface such as 'interface GigabitEthernet0/0.10' is the per-VLAN Layer 3 interface for router-on-a-stick, and 'encapsulation dot1Q 10' tells that subinterface which 802.1Q tag to send and expect.

Exam trap

Be careful not to confuse access ports with trunk ports. Access ports are for single VLANs, while trunk ports carry multiple VLANs. Also, native VLAN and allowed VLAN list are trunk-related concepts, not port modes.

330
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Correct order:
1. Define the capture interface
2. Apply a filter
3. Start the capture
4. Stop the capture
5. Export the capture file for analysis in Wireshark

Why this order

First define the capture interface, then apply a filter, start capture, stop it, and finally export for analysis in Wireshark.

Exam trap

A common trap is confusing the order of steps, especially applying the filter before defining the interface or starting the capture before applying the filter. Remember that the interface must be defined first, then the filter, then start, then stop, then export.

331
MCQhard

A switch port connected to an IP phone and a PC should separate voice traffic from data traffic while still using one physical edge connection. Which feature best supports that design?

A.Voice VLAN
B.EtherChannel
C.Native VLAN
D.Loop guard
AnswerA

This is correct because a voice VLAN separates phone traffic from user data on a shared edge port.

Why this answer

A voice VLAN best supports that design. In practical terms, a Cisco-style voice VLAN allows the switch to carry voice traffic separately from user data even though the phone and PC share the same physical access connection. This is a common enterprise edge design because it lets the phone use one VLAN while the downstream PC uses another.

The key point is separation of traffic types over one edge port, not trunking between switches or link aggregation.

Exam trap

Avoid confusing the purpose of trunk ports and link aggregation with traffic separation on a single edge port.

Why the other options are wrong

B

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not inherently separate voice and data traffic on a single port. It does not address the requirement of managing different traffic types on the same physical connection.

C

The Native VLAN is used for untagged traffic on a trunk link and does not separate voice and data traffic effectively; it simply allows untagged frames to pass through without any differentiation.

D

Loop guard protects against unidirectional-link failures: if a non-designated (root or alternate) port stops receiving BPDUs, loop guard holds it in the loop-inconsistent blocking state instead of letting it transition to forwarding. It does not facilitate the separation of voice and data traffic on a single physical connection, which is the requirement of the question.

332
Multi-Selecthard

Which two conditions must match for a Layer 2 EtherChannel bundle to form correctly? (Choose two.)

Select 2 answers
A.The member interfaces must use the same speed and duplex settings.
B.Each member interface must be assigned a different native VLAN.
C.The member interfaces must have compatible switchport mode and VLAN settings.
D.One side must use LACP and the other must use PAgP.
AnswersA, C

Correct. Inconsistent physical settings can prevent bundling.

Why this answer

Member interfaces must have consistent Layer 2 parameters such as speed/duplex and trunk/access characteristics.

Exam trap

Don't confuse MAC addresses or the physical cabling of the members with the EtherChannel bundling parameters. What must match on every member is the Layer 2 configuration: speed, duplex, switchport mode, access VLAN, and on trunks the native VLAN and allowed VLAN list.

Why the other options are wrong

B

This option is wrong because all member interfaces in an EtherChannel must be configured with the same native VLAN for the bundle to form correctly, not different native VLANs.

D

This option is wrong because EtherChannel can only form if both ends of the link use the same protocol, either LACP or PAgP, not a mix of both. Mixing protocols will prevent the EtherChannel from establishing.

333
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Correct order:
1. Enter privileged EXEC mode
2. Create a capture buffer
3. Create a capture point and associate it with the buffer
4. Start the capture
5. Stop the capture
6. Export the capture
7. Analyze in Wireshark

Why this order

For the classic IOS embedded packet capture syntax (monitor capture buffer / monitor capture point), the correct order is: 1) enter privileged EXEC mode (required for all monitor commands), 2) create a capture buffer, 3) create a capture point and associate it with the buffer, 4) start the capture, 5) stop the capture, 6) export the capture, 7) analyze in Wireshark. Each step depends on the previous one: a point cannot be associated with a buffer that does not exist, and an export before 'start' produces an empty file. Current IOS-XE releases collapse buffer and point into a single 'monitor capture <name>' object (interface, match filter, start, stop, export), but the order of operations is the same.

Exam trap

A common mistake is to forget to start the capture, making the exported file empty; with the classic syntax issue 'monitor capture point start <name>' after the association (on IOS-XE, 'monitor capture <name> start').
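Once the capture is in Wireshark, isolating a Layer 2 fault usually comes down to reading the Ethernet and 802.1Q headers correctly: is the frame untagged (so it lands in the native VLAN), tagged with a VLAN the trunk does not allow, or double-tagged? The following is an added example, not part of the original question set and not the embedded-capture tool itself: a Python decoder that walks the Ethernet II header and any stacked 802.1Q/802.1ad tags of a raw frame and classifies it against an assumed allowed-VLAN set and native VLAN. The three frames are constructed by hand with made-up MAC addresses; a practitioner would feed in the bytes of frames read from the exported pcap instead.

```python
"""Decode Ethernet II / 802.1Q headers from raw frame bytes to spot L2 faults.

Added example, not part of the question set and not a Cisco tool. The sample
frames are constructed by hand (made-up MACs, no real capture).
"""
import struct

ETH_P_8021Q = 0x8100    # 802.1Q customer tag
ETH_P_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)
ETH_P_IPV4 = 0x0800


def fmt_mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def decode_frame(frame):
    """Return dst/src MAC, list of VLAN tags (outer first) and the final EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tags = 14, []
    # Each 802.1Q/802.1ad tag is 4 bytes: TPID (already read as ethertype) + TCI.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(decoded, allowed_vids, native_vid):
    """One-line verdict: untagged, unexpected VID, double tag, or ok."""
    tags = decoded["tags"]
    if not tags:
        return f"untagged -> native VLAN {native_vid}"
    if len(tags) > 1:
        outer, inner = tags[0]["vid"], tags[1]["vid"]
        return f"double-tagged (outer {outer}, inner {inner}): possible VLAN hopping"
    vid = tags[0]["vid"]
    if vid not in allowed_vids:
        return f"VLAN {vid} not in allowed list"
    return f"VLAN {vid} ok"


def build_frame(dst, src, vids, ethertype=ETH_P_IPV4, payload=b"\x45" + b"\x00" * 19):
    """Constructed helper: assemble a frame with zero or more 802.1Q tags (PCP 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames: untagged, tagged VLAN 50, and double-tagged 99/20.
SAMPLES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", []),
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [50]),
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [99, 20]),
]

if __name__ == "__main__":
    for frame in SAMPLES:
        d = decode_frame(frame)
        vids = [t["vid"] for t in d["tags"]]
        print(d["src"], "->", d["dst"], vids, classify(d, {10, 20, 99}, 99))
```

The double-tag case is the one worth knowing for the security side of trunk design: a frame whose outer tag equals the trunk's native VLAN has that tag stripped on the first hop and is then forwarded by the inner tag, which is why the native VLAN should be an unused VLAN or tagged explicitly.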

334
MCQmedium

An administrator configures an EtherChannel between SW1 and SW2. The member interfaces are physically up (up/up), but the EtherChannel bundle fails to come up. On SW1, the channel-group is set to mode active; on SW2, it is set to mode on. What is the most likely cause?

A.The switch priority values are mismatched
B.One side is using LACP active while the other side is set to on
C.The native VLAN must be VLAN 1 for EtherChannel to form
D.Gi1/0/2 cannot be bundled because interfaces must be in different VLANs
AnswerB

Mode on does not negotiate LACP.

Why this answer

EtherChannel requires compatible modes: LACP active mode sends negotiation packets, while 'on' mode disables all negotiation, so the two sides cannot agree and the bundle stays down. Option A is wrong because switch priority values are used in STP root election, not EtherChannel formation. Option C is wrong because the native VLAN does not need to be VLAN 1; it only needs to match on both ends.

Option D is wrong because all member interfaces in an EtherChannel must be in the same VLAN, not different ones.

Exam trap

Ensure both sides of an EtherChannel use compatible modes: 'on' neither sends nor processes LACPDUs, so it can only pair with 'on'. Note that the 'on' side will still bring up its port-channel unilaterally, which is why Catalyst switches enable EtherChannel misconfiguration guard ('spanning-tree etherchannel guard misconfig') by default to err-disable such a one-sided bundle.

How to eliminate wrong answers

Option A can be eliminated because switch (bridge) priority is an STP root-election parameter and plays no part in EtherChannel negotiation. Option C is eliminated because no particular native VLAN is required; it only has to match on both ends. Option D is eliminated because member interfaces must be in the same VLAN, not different ones.

Option B remains: LACP active on SW1 sends LACPDUs that SW2's 'on' mode neither sends nor processes, so the LACP side never bundles and the channel stays down.
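The three EtherChannel items on this page (the SW1/SW2 LACP lab at the top, item 332 and item 334) all reduce to two checks: are the members of a channel group identical, and are the two ends' channel-group modes able to negotiate with each other? The following is an added example, not Cisco code: a Python checker that parses interface blocks out of two IOS running-config excerpts and applies both checks. The excerpts are constructed from the scenarios above (SW1 with Gi0/1 at 100/half in VLAN 10 and Gi0/2 at 1000/full in VLAN 20, SW2 using mode on); interface names, the 'default' placeholder used for unset speed/duplex/mode, and the compatibility table are assumptions of this example.

```python
"""Check EtherChannel member consistency and channel-group mode compatibility.

Added example, not Cisco code. Running-config excerpts below are constructed
from the SW1/SW2 scenarios; settings not present in the excerpt are shown as
'default' (assumed placeholder) rather than the platform's real default.
"""
import re

# Pairs of channel-group modes that bundle with each other (IOS semantics).
COMPATIBLE = {
    ("on", "on"),
    ("active", "active"), ("active", "passive"), ("passive", "active"),
    ("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable"),
}

# Settings that must be identical on every member of one channel group.
MEMBER_KEYS = ("speed", "duplex", "mode", "access_vlan", "native_vlan", "allowed_vlans")

SW1_CONFIG = """\
interface GigabitEthernet0/1
 speed 100
 duplex half
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 switchport mode access
 switchport access vlan 20
 channel-group 1 mode active
"""

SW2_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
"""


def parse_interfaces(config):
    """Return {interface name: settings dict} from an IOS running-config excerpt."""
    intfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"interface (\S+)", line)
        if head and not raw.startswith(" "):
            cur = intfs.setdefault(head.group(1), {
                "speed": "default", "duplex": "default", "mode": "default",
                "access_vlan": 1, "native_vlan": 1, "allowed_vlans": "all"})
            continue
        if cur is None or line in ("", "!"):
            continue
        if m := re.match(r"speed (\S+)$", line):
            cur["speed"] = m.group(1)
        elif m := re.match(r"duplex (\S+)$", line):
            cur["duplex"] = m.group(1)
        elif m := re.match(r"switchport mode (\S+)$", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur["access_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur["native_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)$", line):
            cur["allowed_vlans"] = m.group(1)
        elif m := re.match(r"channel-group (\d+) mode (\S+)$", line):
            cur["group"], cur["cg_mode"] = int(m.group(1)), m.group(2)
    return intfs


def member_problems(intfs, group):
    """Settings that differ across the members of one channel group on one switch."""
    members = {n: s for n, s in intfs.items() if s.get("group") == group}
    problems = []
    for key in MEMBER_KEYS:
        values = {str(s[key]) for s in members.values()}
        if len(values) > 1:
            problems.append(f"{key} differs across members: {sorted(values)}")
    modes = {s["cg_mode"] for s in members.values()}
    if len(modes) > 1:
        problems.append(f"channel-group mode differs across members: {sorted(modes)}")
    return problems


def negotiation_problem(local_mode, remote_mode):
    """Explain why the two ends' channel-group modes will not bundle, or None."""
    if (local_mode, remote_mode) in COMPATIBLE:
        return None
    return f"{local_mode} and {remote_mode} will not bundle"


if __name__ == "__main__":
    for name, cfg in (("SW1", SW1_CONFIG), ("SW2", SW2_CONFIG)):
        print(name, member_problems(parse_interfaces(cfg), 1) or "members consistent")
    sw1_mode = parse_interfaces(SW1_CONFIG)["GigabitEthernet0/1"]["cg_mode"]
    sw2_mode = parse_interfaces(SW2_CONFIG)["GigabitEthernet0/1"]["cg_mode"]
    print("SW1<->SW2:", negotiation_problem(sw1_mode, sw2_mode) or "modes compatible")
```

IOS checks more than these fields before bundling (trunk allowed list, STP port cost, storm control and a few others), so treat this as the first pass a reviewer runs before reading 'show etherchannel summary' for the D (down) and s (suspended) flags.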

335
MCQhard

Two switches are connected by a trunk. VLAN 50 exists on both switches, but hosts in VLAN 50 cannot communicate across the link. All other VLANs work. Based on the exhibit, what is the most likely cause?

A.VLAN 50 is not allowed on the trunk from SwitchA.
B.The native VLAN is mismatched.
C.802.1Q cannot carry VLAN 50.
D.VLAN 50 must be configured as the native VLAN first.
AnswerA

This is correct because VLAN 50 is missing from SwitchA’s allowed list.

Why this answer

Option A is correct because VLAN 50 is missing from the allowed VLAN list on the trunk, which blocks only that VLAN while allowing others. Option B is incorrect: a native VLAN mismatch would affect the native VLAN (usually VLAN 1) or cause STP issues, not specifically VLAN 50. Option C is incorrect: 802.1Q encapsulation supports all VLANs from 1 to 4094, including VLAN 50.

Option D is incorrect: VLANs do not need to be the native VLAN to be transported over a trunk; any VLAN can traverse a trunk if it is allowed.

Exam trap

Ensure you differentiate between general trunk issues and VLAN-specific configurations. Don't confuse access port settings with trunk link issues.

Why the other options are wrong

B

This option is wrong because a native VLAN mismatch affects only untagged traffic: the two native VLANs end up bridged together (or, with PVST+, the port is blocked as PVID-inconsistent for those VLANs) and CDP logs a mismatch. Tagged VLAN 50 frames are unaffected, so with all other VLANs working the symptom points to the allowed list instead.

C

802.1Q uses a 12-bit VLAN ID, so a trunk can carry VLAN IDs 1 through 4094, including VLAN 50. The issue of VLAN 50 not communicating is not due to the protocol's inability to carry it.

D

This option is wrong because VLAN 50 can exist on a trunk without being the native VLAN; it does not need to be configured as such to communicate across the trunk link.

336
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk port G0/1. The trunk is currently using VLAN 1 as native VLAN, but the network administrator wants to change the native VLAN to VLAN 99 for security. Configure the trunk on G0/1 to use native VLAN 99 and verify.

Hints

  • The native VLAN is configured per trunk interface.
  • Use show interfaces trunk to see allowed VLANs and native VLAN.
A.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show interfaces trunk
B.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk allowed vlan 99 SW1(config-if)# end SW1# show vlan brief
C.SW1(config)# vlan 99 SW1(config-vlan)# name Native SW1(config-vlan)# exit SW1(config)# interface g0/1 SW1(config-if)# switchport mode trunk SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show interfaces trunk
D.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show vlan id 99
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk native vlan 99

Why this answer

The native VLAN is the VLAN whose frames travel untagged on the trunk; here it is moved from the default VLAN 1 to VLAN 99. That mitigates 802.1Q double-tagging (VLAN hopping) only if VLAN 99 is an otherwise unused VLAN with no access ports, and the change must be mirrored on R1 ('encapsulation dot1Q 99 native' on the matching subinterface), otherwise CDP reports a native VLAN mismatch and untagged traffic is misdelivered. Where the platform supports it, 'vlan dot1q tag native' closes the gap entirely by tagging the native VLAN as well.

Exam trap

The exam trap is confusing the 'switchport trunk native vlan' command with 'switchport trunk allowed vlan' or thinking that you need to create the VLAN or re-enter trunk mode. Also, ensure you use the correct verification command: 'show interfaces trunk' shows native VLAN, not 'show vlan'.

Why the other options are wrong

B

The specific factual error is confusing the allowed VLAN list with the native VLAN configuration. The native VLAN is set with 'switchport trunk native vlan', not 'switchport trunk allowed vlan'.

C

The specific factual error is including steps the task does not need. The trunk already exists, so 'switchport mode trunk' is redundant. Creating VLAN 99 is not required for the native VLAN command to be accepted; it only matters if untagged traffic on the trunk should actually be forwarded, and for a dedicated native VLAN chosen for security that VLAN is deliberately left without access ports.

D

This option uses the wrong verification command. 'show interfaces trunk' is needed to see trunk parameters including the native VLAN; 'show vlan id 99' does not display them.

337
PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent forwarding loops on unidirectional links, and BPDU Guard on PortFast-enabled GigabitEthernet0/3 to shut down the port if a BPDU is received. After configuration, troubleshoot the scenario: a superior BPDU is received on G0/1, causing it to be blocked by Root Guard, and an unauthorized switch sends a BPDU to G0/3, placing it in err-disable state. Verify the final configuration and state.

Network Topology (diagram): R1 (multilayer switch) with ports G0/1, G0/2 and G0/3; neighboring devices AccessSwitch, CoreSwitch and Server.

Hints

  • Root Guard is configured with 'spanning-tree guard root' on the interface that should never become a non-designated port. It will block the port if a superior BPDU is received.
  • Loop Guard is enabled with 'spanning-tree guard loop' on interfaces where BPDU loss could cause a loop. It prevents the port from transitioning to forwarding if BPDUs stop.
  • BPDU Guard is configured with 'spanning-tree bpduguard enable' on PortFast ports. Any BPDU received will error-disable the port, requiring manual recovery with 'shutdown' followed by 'no shutdown'.
A.[CORRECT] Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link. BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.
B.Root Guard on G0/1 is incorrectly configured; it should be configured on the root port, not the designated port. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is correctly configured, but the port should automatically recover from err-disable state after a timeout.
C.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is incorrectly configured because Loop Guard should be applied to root ports, not uplink ports. BPDU Guard on G0/3 is correctly configured, but the port should be in a blocking state, not err-disabled.
D.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is incorrectly configured because BPDU Guard should be applied to trunk ports, not access ports, and the port should be placed in a root-inconsistent state.
Answer: A
solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The scenario demonstrates three STP protection mechanisms. Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link.

BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.

Exam trap

Watch out for confusion between Root Guard and BPDU Guard states: Root Guard causes root-inconsistent (BKN*), while BPDU Guard causes err-disable. Also, remember Root Guard is for designated ports, not root ports. Loop Guard can be applied to any port expecting BPDUs, not just root ports.

Why the other options are wrong

B

Root Guard is applied to designated ports, not root ports, and a port err-disabled by BPDU Guard does not recover automatically by default.

C

Loop Guard is not restricted to root ports; it can be used on any port where BPDUs are expected. BPDU Guard results in err-disable, not blocking.

D

BPDU Guard is not limited to access ports; it works on any PortFast-enabled port. The resulting state is err-disable, not root-inconsistent.

338
MCQ · hard

A host on a guest WLAN can browse the Internet but cannot reach internal corporate resources, while employees on another SSID can. Which statement best explains why that can be a correct design outcome?

A.Because guest and employee WLANs can intentionally have different trust levels and access policies.
B.Because guest WLANs cannot use IP routing at all.
C.Because the guest WLAN is assigned to a different VLAN that uses a different IP subnet, and inter-VLAN routing is inherently disabled for security reasons.
D.Because the guest WLAN uses a different SSID that automatically triggers firewall rules that only permit HTTP/HTTPS traffic.
Answer: A

This is correct because guest isolation is often an intentional design goal.

Why this answer

The correct answer is A because guest wireless networks are intentionally isolated from corporate resources through separate trust levels and access policies. Option B is incorrect because guest WLANs can use IP routing, but routing policies restrict which destinations are reachable. Option C is incorrect because inter-VLAN routing is not inherently disabled; it is a design choice to restrict routing between VLANs.

Option D is incorrect because SSIDs themselves do not trigger firewall rules; it is the VLAN or group assignment that determines the applied policy.

Exam trap

A frequent exam trap is to interpret guest WLAN isolation as a misconfiguration, rather than an intentional policy enforcement. Candidates may also incorrectly attribute the restriction to technical limitations like routing being inherently disabled or SSIDs triggering firewall rules.

Why the other options are wrong

B

Guest WLANs can use IP routing; they are just restricted by policy.

C

Inter-VLAN routing is not inherently disabled; it is a configurable policy.

D

SSIDs do not automatically trigger firewall rules; the assigned VLAN determines the policy.

339
Matching · medium

Drag and drop the STP port roles on the left to their descriptions on the right.

Port on a non-root switch with the best path to the root bridge

Port on a segment that forwards traffic and has the best path to the root bridge

Blocked port that provides a backup path to the root bridge

Blocked port that provides a redundant connection to the same segment

Port that is administratively shut down or not participating in STP

Why these pairings

In STP/RSTP, root ports provide best path to root; designated ports are the forwarding ports per segment; alternate ports back up root ports; backup ports back up designated ports; blocking ports prevent loops; disabled ports are shut down.

Exam trap

Be careful not to confuse alternate ports (backup for root port) with backup ports (backup for designated port). Also, remember that designated ports are the only forwarding ports on a segment, not backup ports.

340
PBQ · hard

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs: VLAN 10 (10.0.10.0/24) and VLAN 20 (10.0.20.0/24). The current configuration has connectivity issues: PCs in VLAN 20 cannot ping the router interface or each other, and there is a native VLAN mismatch on the trunk. Configure R1 to correct the native VLAN mismatch, ensure the trunk allows both VLANs, enable inter-VLAN routing, and fix any subinterface encapsulation errors so that all PCs can reach the router and each other across VLANs.

Hints

  • Check the native VLAN on both sides of the trunk
  • Ensure the trunk allows all required VLANs
  • Router-on-a-stick requires ip routing to be enabled
A.interface gig0/0 no shutdown switchport trunk native vlan 99 switchport trunk allowed vlan 10,20 ip routing
B.interface gig0/0.10 encapsulation dot1Q 10 ip address 10.0.10.1 255.255.255.0 interface gig0/0.20 encapsulation dot1Q 20 ip address 10.0.20.1 255.255.255.0
C.interface gig0/0 no shutdown switchport trunk native vlan 1 switchport trunk allowed vlan 10,20 ip routing
D.interface gig0/0 no shutdown switchport trunk native vlan 99 switchport trunk allowed vlan 10,20 no ip routing
Answer: A
solution
! R1
configure terminal
interface GigabitEthernet0/0
no switchport
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20
exit
ip routing

Why this answer

The issue is a native VLAN mismatch: R1 subinterface .99 uses native VLAN 99, but the switch expects native VLAN 1 (the default). In addition, VLAN 20 traffic may be blocked if the switch trunk does not allow VLAN 20, and 'ip routing' appears to be missing on R1 (the router seems to have routes, but the command may not be present). The fix on R1: set the native VLAN on the physical interface to 99 (or whatever matches the switch), ensure the trunk allows VLANs 10 and 20, and enable IP routing.

Also verify that the subinterface encapsulation is correct. Here the candidate must issue 'interface gig0/0', 'no shutdown', 'switchport trunk native vlan 99', 'switchport trunk allowed vlan 10,20', and 'ip routing'.

Exam trap

Cisco exams often test the concept that native VLAN must match on both ends of a trunk. Also, remember that 'ip routing' is required for inter-VLAN routing on a router, even with subinterfaces configured.

Why the other options are wrong

B

Missing commands to set native VLAN on the physical interface and enable ip routing.

C

The native VLAN should match the switch's native VLAN (99), not default to 1.

D

IP routing must be enabled for the router to route between subinterfaces.

341
PBQ · hard

You are connected to R1, a Catalyst 3650 multilayer switch running IOS-XE. Configure Root Guard on all designated ports, Loop Guard on uplink interfaces, and BPDU Guard on all PortFast-enabled ports. Troubleshoot the current issue: one port is receiving a superior BPDU and is being blocked by Root Guard, and a different PortFast port has gone err-disabled after BPDU Guard triggered. Verify that Root Guard is active on port Gi1/0/1, Loop Guard is active on Gi1/0/2, and BPDU Guard is enabled on Gi1/0/3.

Network Topology (diagram): R1 with ports Gi1/0/1, Gi1/0/2 and Gi1/0/3; neighboring devices R2, Core Switch and Host.

Hints

  • Root Guard should be on the port that is designated, not receiving superior BPDUs.
  • Loop Guard should be on the port that is a root port or alternate root port.
  • An err-disabled port must be manually recovered with shutdown/no shutdown.
A.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
B.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, BPDU Guard on Gi1/0/3.
C.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/1, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
D.Remove Root Guard from Gi1/0/1 and apply it to Gi1/0/2; remove Loop Guard from Gi1/0/2 and apply it to Gi1/0/1; on Gi1/0/3, issue shutdown then no shutdown; verify Root Guard on Gi1/0/2, Loop Guard on Gi1/0/2, BPDU Guard on Gi1/0/3.
Answer: A
solution
! R1
interface GigabitEthernet1/0/1
no spanning-tree guard root
spanning-tree guard loop
interface GigabitEthernet1/0/2
no spanning-tree guard loop
spanning-tree guard root
interface GigabitEthernet1/0/3
shutdown
no shutdown

Why this answer

The network requires Root Guard on designated ports, Loop Guard on uplink (root/alternate) ports, and BPDU Guard on PortFast ports. Gi1/0/1 is receiving a superior BPDU and being blocked by Root Guard, indicating Root Guard is misapplied to a non-designated port; it should be moved to the designated port Gi1/0/2. Loop Guard belongs on the uplink port Gi1/0/1, not Gi1/0/2, so the configuration is swapped.

The PortFast port Gi1/0/3 experienced a BPDU Guard violation and is err-disabled; recovering it requires a shutdown followed by a no shutdown command, not just no shutdown. Finally, verification must confirm the correct new placement: Root Guard on Gi1/0/2, Loop Guard on Gi1/0/1, and BPDU Guard on Gi1/0/3.

Exam trap

Be careful not to confuse the purpose of Root Guard and Loop Guard. Root Guard is for designated ports, Loop Guard is for root/alternate ports. Also, remember that an err-disabled port requires a shutdown/no shutdown sequence to recover, not just no shutdown.

Why the other options are wrong

B

Issuing only 'no shutdown' will not recover an interface from the err-disabled state caused by BPDU Guard; it must be administratively shut down first with 'shutdown', then re-enabled with 'no shutdown'.

C

The verification step checks Root Guard on Gi1/0/1 and Loop Guard on Gi1/0/2, which is the original incorrect configuration before the swap; after the fix, Root Guard should be on Gi1/0/2 and Loop Guard on Gi1/0/1.

D

The verification step incorrectly states that Loop Guard is active on Gi1/0/2. After swapping the configurations, Loop Guard is now on Gi1/0/1, not Gi1/0/2, so this option validates the wrong port.

342
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.

Why this order

First create VLANs, then assign data and voice VLANs to the phone port, configure the AP trunk, and lastly enable PoE on the IoT port.

Exam trap

The trap is that candidates may enable PoE too early or configure trunks before VLANs exist. Remember: VLANs must be created first, then assigned to ports, and PoE is typically enabled last.

343
MCQ · medium

A switch shows this output from the "show interfaces trunk" command:

Port   Mode   Encapsulation   Status         Native vlan
Gi0/1  on     802.1q          trunking       1
Gi0/2  auto   802.1q          not-trunking   1

Which statement is correct?

A.Gi0/1 is an access port in VLAN 1
B.Gi0/1 is trunking, and Gi0/2 is waiting for DTP negotiation
C.Gi0/2 is forced to trunk mode
D.Neither interface can carry tagged traffic
Answer: B

Correct. Gi0/1 is trunking now; Gi0/2 is in a passive DTP negotiation state.

Why this answer

Gi0/1 is already operating as an 802.1Q trunk. Gi0/2 is in dynamic auto mode, which waits for the other side to actively negotiate trunking.

Exam trap

Do not confuse the 'on' mode with access mode, and remember that a port in dynamic auto can still become a trunk if the neighbor actively negotiates.

Why the other options are wrong

A

This option is incorrect because Gi0/1 is configured as a trunk port, not an access port, and it is actively trunking VLANs. Access ports do not participate in VLAN tagging and would not show trunking status.

C

This option is incorrect because Gi0/2 is set to 'auto' for trunking, meaning it is not forced into trunk mode but is instead waiting for Dynamic Trunking Protocol (DTP) negotiation to determine if it should become a trunk port.

D

This option is incorrect because Gi0/1 is configured as a trunk port and can carry tagged traffic, while Gi0/2 is in a state waiting for DTP negotiation, which means it can potentially become a trunk port as well.

344
MCQ · hard

A network engineer notices that a new switch, SW3, was connected to port GigabitEthernet0/1 on SW1, but the port immediately went into an err-disabled state. The network uses Rapid PVST+ with BPDU Guard enabled globally on all access ports. The engineer checks the logs and sees 'bpduguard error detected' messages. What is the most likely cause of the err-disabled state?

A.The port is configured as an access port, but BPDU Guard should be disabled on all access ports.
B.A BPDU was received on port GigabitEthernet0/1, triggering BPDU Guard.
C.Configure Root Guard on the interface to prevent the err-disabled state.
D.Enable Loop Guard on the interface to prevent the err-disabled state.
Answer: B

BPDU Guard err-disables a port immediately when a BPDU is received on an access port where it is enabled, which is exactly the scenario described.

Why this answer

The err-disabled state is caused by BPDU Guard triggering when a BPDU is received on an access port. Option A is incorrect because BPDU Guard is intentionally enabled on access ports to prevent unauthorized switches from joining the network. Option C is wrong because Root Guard prevents a port from becoming the root, not from receiving BPDUs.

Option D is wrong because Loop Guard prevents loops on blocked ports when a link becomes unidirectional; it is not related to BPDU reception.

Exam trap

Cisco often tests the confusion between BPDU Guard, Root Guard, and Loop Guard; candidates may incorrectly attribute the err-disable to Root Guard or Loop Guard, but the true cause is receiving a BPDU on a BPDU-Guard-enabled port.

Why the other options are wrong

A

BPDU Guard is designed to be enabled on access ports to protect against unauthorized switches, so disabling it on all access ports would defeat its purpose.

C

Root Guard prevents a port from becoming the root bridge, but does not block BPDU reception that causes err-disable with BPDU Guard.

D

Loop Guard detects and prevents loops on blocked ports due to unidirectional links, not related to the BPDU Guard err-disable mechanism.

345
MCQ · medium

PCs in VLAN 30 on SwitchA cannot reach servers in VLAN 30 on SwitchB. All other VLANs work across the trunk. What is the most likely cause?

A.The native VLAN is mismatched between the switches.
B.VLAN 30 should be configured as the native VLAN on both ends.
C.SwitchB must use ISL instead of 802.1Q.
D.VLAN 30 is not allowed on the trunk from SwitchA.
Answer: D

This is correct because the exhibit clearly shows VLAN 30 missing from the allowed list on SwitchA. A VLAN must be permitted across the trunk on both sides for end-to-end communication.

Why this answer

The trunk is up and carrying multiple VLANs, but VLAN 30 is missing from the allowed list on one side. Since SwitchA and SwitchB both need to permit VLAN 30 on the trunk, if SwitchA's allowed VLAN list does not include VLAN 30, traffic for that VLAN cannot cross. Native VLAN mismatch or ISL vs 802.1Q issues would affect all VLANs, not just VLAN 30.

Thus, the most likely cause is that VLAN 30 is not allowed on the trunk from SwitchA.

Exam trap

Be cautious of assuming native VLAN mismatches or protocol issues when the problem is specific to the allowed VLAN list.

Why the other options are wrong

A

This option is wrong because a native VLAN mismatch would typically affect all VLANs across the trunk, not just VLAN 30. In this scenario, only VLAN 30 is experiencing connectivity issues, indicating a different problem.

B

This option is wrong because configuring VLAN 30 as the native VLAN does not directly affect the ability of PCs in VLAN 30 on SwitchA to communicate with servers in VLAN 30 on SwitchB, especially if VLAN 30 is already properly configured on both switches.

C

SwitchB using ISL instead of 802.1Q is not relevant to the connectivity issue between VLAN 30 on SwitchA and SwitchB. The problem is likely due to VLAN 30 not being allowed on the trunk, not the encapsulation method used.
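As an added example that is not part of the question bank, the following Python script parses 'show interfaces trunk' output from both ends of a trunk and flags the trunk problems these questions describe: a native VLAN still at the default of 1 (question 336), a native VLAN mismatch between the two ends, and a VLAN allowed on one side only (this question). The two command outputs are constructed to resemble Cisco IOS output; the switch names, ports and VLAN numbers are assumptions.

```python
"""Audit both ends of an 802.1Q trunk from 'show interfaces trunk' output.

Added example, not part of the question bank. SWITCH_A and SWITCH_B are
constructed sample outputs; their ports and VLAN numbers are assumptions.
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interfaces_trunk(text):
    """Return {port: {"mode", "encap", "status", "native", "allowed"}}.

    Reads the first table (Mode/Encapsulation/Status/Native vlan) and the
    'Vlans allowed on trunk' table; the remaining tables are skipped.
    """
    ports = {}
    section = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a table header line selects the section
            if "Native" in fields:
                section = "status"
            elif "allowed" in fields and "active" not in fields:
                section = "allowed"
            else:
                section = None
            continue
        if section == "status" and len(fields) == 5:
            port, mode, encap, status, native = fields
            ports[port] = {"mode": mode, "encap": encap, "status": status,
                           "native": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports


def audit_trunk(side_a, port_a, side_b, port_b):
    """Compare the two ends of one trunk and return a list of findings."""
    a = parse_show_interfaces_trunk(side_a)[port_a]
    b = parse_show_interfaces_trunk(side_b)[port_b]
    findings = []
    for name, end in (("A", a), ("B", b)):
        if end["native"] == 1:  # default native VLAN left in place
            findings.append(f"{name}: native VLAN is the default (1)")
        if end["status"] != "trunking":
            findings.append(f"{name}: port is {end['status']}")
    if a["native"] != b["native"]:  # untagged frames land in different VLANs
        findings.append(f"native VLAN mismatch: A={a['native']} B={b['native']}")
    only_a = sorted(a["allowed"] - b["allowed"])
    only_b = sorted(b["allowed"] - a["allowed"])
    if only_a:  # a VLAN permitted on one end only cannot cross the trunk
        findings.append(f"VLANs allowed on A but not B: {only_a}")
    if only_b:
        findings.append(f"VLANs allowed on B but not A: {only_b}")
    return findings


# Constructed sample: SwitchA keeps native VLAN 1 and omits VLAN 30.
SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,10,20

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20
"""

# Constructed sample: SwitchB uses native VLAN 99 and allows VLAN 30.
SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/2       1,10,20,30,99

Port        Vlans allowed and active in management domain
Gi0/2       1,10,20,30,99
"""

if __name__ == "__main__":
    for finding in audit_trunk(SWITCH_A, "Gi0/1", SWITCH_B, "Gi0/2"):
        print(finding)
```

Paste the real output of 'show interfaces trunk' from each switch in place of the samples to audit a production link.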

346
Multi-Select · medium

Which two statements accurately describe good design thinking for wireless guest access?

Select 2 answers
A.Guest access should normally be isolated from internal corporate resources.
B.Guest access policies should usually reflect lower trust than employee access.
C.Guest WLANs should avoid all security to make access easier.
D.Guest WLANs should automatically use the same permissions as internal employee WLANs.
E.Guest access means the AP no longer needs controller coordination.
Answers: A, B

This is correct because guest segmentation is a core design principle.

Why this answer

Good guest-access design is based on isolation and appropriate policy. In practical terms, guest users should normally be separated from internal corporate resources, and their access should align with the limited purpose of guest connectivity. The goal is not to give them the same trust level as managed internal users.

This is about segmentation and policy, not about disabling the WLAN or eliminating security.

Exam trap

Don't assume guest access should mirror internal access policies; guests should have more restricted access.

Why the other options are wrong

C

This option is wrong because good design thinking for guest access requires implementing security measures to protect the network and its resources, even for guests. Completely avoiding security compromises the network's integrity and exposes it to potential threats.

D

This option is wrong because guest WLANs should have distinct permissions to ensure that guests do not have access to sensitive internal resources, which could lead to security breaches.

E

This option is wrong because guest access typically requires controller coordination to manage policies, monitoring, and security effectively, ensuring that guest traffic is properly segmented and controlled.

347
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and to recover a port that enters err-disabled due to a BPDU guard violation.

Why this order

Root Guard on designated, Loop Guard on non-designated, then BPDU Guard on PortFast; recovery requires interface reset after violation.

Exam trap

Candidates often confuse the port roles for Root Guard and Loop Guard, or think that disabling the protection feature will recover an err-disabled port. Remember: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Err-disabled recovery requires manual reset or global errdisable recovery configuration.

348
MCQ · hard

A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port. What is the most likely operational result?

A.The link will not carry multiple VLANs as intended because an access port handles one VLAN only.
B.The switch automatically converts the access port into a proper trunk.
C.The port becomes a routed Layer 3 interface.
D.The VLANs are summarized into one prefix automatically.
Answer: A

This is correct because access mode is the wrong role for a multi-VLAN inter-switch link.

Why this answer

An access port is designed to carry only a single VLAN. If the link is intended to carry multiple VLANs, it must be configured as a trunk. The switch will not automatically convert the port to a trunk (B).

The port remains a Layer 2 access port, not a routed Layer 3 interface (C). VLANs are not automatically summarized into a single prefix (D). The most likely result is that the link will not carry multiple VLANs as intended.

Exam trap

Beware of confusing automatic port mode changes with manual configurations. Access ports do not auto-convert to trunk mode.

Why the other options are wrong

B

Switches do not automatically convert an access port to a trunk; manual configuration is required.

C

An access port remains a Layer 2 interface; it does not become a routed Layer 3 interface.

D

VLANs operate at Layer 2 and are not automatically summarized into a single prefix; that would be a routing function.

349
MCQ · hard

A port connected to an end host is configured with PortFast and BPDU Guard. What is the most likely result if a small unmanaged switch is connected and starts sending BPDUs?

A.The port is error-disabled by BPDU Guard.
B.The port automatically becomes the root port.
C.The port is converted into a trunk.
D.The port ignores the BPDU because PortFast disables STP entirely.
Answer: A

This is correct because BPDU Guard disables an edge port when it receives a BPDU.

Why this answer

The most likely result is that the port is placed into an err-disabled state by BPDU Guard. In practical terms, PortFast tells the switch to treat the interface like an edge port for a normal endpoint, which is why it starts forwarding quickly. BPDU Guard protects that assumption. If the port suddenly receives a spanning-tree BPDU, the switch treats that as a sign that the port is no longer connected to a simple end device.

This combination is common in enterprise access-layer design because it improves user startup time while still protecting the topology. The correct answer is the one that describes the port being shut down automatically when BPDUs appear unexpectedly.

Exam trap

Remember that BPDU Guard error-disables the port; it does not use spanning-tree states such as blocking or learning.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protection mechanism.

C

This option is wrong because a port configured with PortFast does not automatically convert to a trunk port when it receives BPDUs; instead, it remains in access mode. BPDU Guard will cause the port to be error-disabled upon receiving BPDUs, preventing any trunking behavior.

D

This option is wrong because PortFast does not disable Spanning Tree Protocol (STP) entirely; it merely allows the port to transition to the forwarding state immediately without participating in STP calculations. BPDUs are still processed, and BPDU Guard will take action if they are received.

350
MCQ · hard

A network engineer notices that Host A in VLAN 10 (10.10.10.50/24) can successfully ping its default gateway 10.10.10.1, but cannot ping the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. The SVIs for both VLAN 10 and VLAN 20 are in an up/up state, and the switch's trunk ports are correctly allowing both VLANs. What is the most likely cause?

A.The ip routing global configuration command is missing.
B.The VLAN 20 SVI is administratively shut down.
C.The trunk between the access switch and the Layer 3 switch is misconfigured as an access port.
D.The default gateway on Host A is configured incorrectly.
Answer: A

The missing 'ip routing' command prevents the Layer 3 switch from performing routing between VLANs, even though the SVIs are up and hosts can reach their own gateways.

Why this answer

Host A can reach its default gateway (10.10.10.1), which is the VLAN 10 SVI, but cannot reach the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. This indicates that Layer 2 connectivity is working (trunk allows both VLANs, SVIs are up/up), but inter-VLAN routing is failing. On a multilayer switch, inter-VLAN routing requires the global command 'ip routing' to enable the switch's IP routing engine; without it, the switch acts as a Layer 2 device only and cannot forward packets between different VLANs.

Exam trap

Cisco often tests the distinction between a switch operating as a Layer 2 device versus a Layer 3 device, and the trap here is that candidates assume SVIs in an up/up state automatically provide inter-VLAN routing, forgetting the mandatory 'ip routing' command.

Why the other options are wrong

B

Candidates may overlook the explicit mention that the SVIs are up/up, mistakenly thinking a shut SVI could be the problem.

C

Trunk misconfiguration is a common inter-VLAN issue, but the scenario explicitly says the trunks are working properly, making this answer invalid.

D

The successful ping to the default gateway proves the gateway is correct. Without 'ip routing', the switch can't forward packets from VLAN 10 to VLAN 20, but it can respond to local VLAN requests.

351
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on a designated port, Loop Guard on a non-designated port, and BPDU Guard on a PortFast port, along with the recovery steps when a port enters err-disabled state.

Why this order

The order follows the logical sequence: enter config mode, then configure each guard feature on its respective port, and finally set the errdisable recovery to automatically re-enable ports after a BPDU Guard violation.

Exam trap

The trap is that candidates may think the order of configuring the guards is arbitrary, but the question explicitly requires a specific sequence. Pay close attention to the order in which features are listed in the stem.

352
PBQ · hard

You are connected to R1. The network consists of R1, SW1, and two hosts (Host-A on VLAN 10, Host-B on VLAN 20). SW1 has two access ports (one per VLAN) and a trunk to R1. Configure R1 for router-on-a-stick inter-VLAN routing. The current configuration has a native VLAN mismatch and a missing subinterface for VLAN 20. Fix these issues so that Host-A and Host-B can ping each other.

Hints

  • Check if all required subinterfaces are present.
  • Examine the native VLAN on the trunk.
  • Verify that IP routing is enabled globally.
A.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, and enable ip routing.
B.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and enable ip routing.
C.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, but do not enable ip routing.
D.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and do not enable ip routing.
Answer: A
solution
! R1
configure terminal
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
exit
interface GigabitEthernet0/0
no encapsulation dot1Q 99
exit
ip routing
end

Why this answer

The native VLAN mismatch exists: R1 expects native VLAN 99, but SW1 most likely uses the default native VLAN 1. A mismatch causes CDP/STP problems rather than directly breaking inter-VLAN routing, but for proper operation the native VLAN on R1 should be set to 1. In addition, the subinterface for VLAN 20 is missing, so VLAN 20 traffic cannot be routed.

Finally, 'ip routing' is disabled, preventing any inter-VLAN routing. Solution: change native VLAN on trunk to 1, create subinterface G0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24, and enable ip routing.

Exam trap

Be careful to identify all issues in the scenario. Candidates often focus only on the missing subinterface and forget to check the native VLAN mismatch and the global 'ip routing' command. Always verify that routing is enabled and that native VLANs match on both ends of the trunk.

Why the other options are wrong

B

The native VLAN mismatch is not resolved; the switch likely uses native VLAN 1, so R1 should also use 1 or both sides must be configured consistently.

C

IP routing is disabled by default on Cisco routers; it must be explicitly enabled for the router to perform routing functions.

D

Two errors: native VLAN mismatch persists and IP routing is disabled, so packets cannot be routed between VLANs.

353
PBQhard

You are connected to R1. The network has two VLANs (10 and 20) on SW1, connected to R1 via a trunk. Currently, hosts in VLAN 10 cannot reach the router or each other across VLANs. Configure R1 with the correct subinterface encapsulation and IP addressing, and ensure the trunk on SW1 allows both VLANs. Also, fix any native VLAN mismatch on the trunk link. Which configuration steps will resolve the issues?

Network Topology
SW1 Gi0/1 --- trunk --- Gi0/0 R1

Hints

  • Check the native VLAN on the trunk; it's currently 1 but not configured on R1.
  • R1 needs a subinterface for the native VLAN with the 'native' keyword.
  • IP routing must be enabled for inter-VLAN routing to work.
A.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 native and IP 192.168.1.1/24, and enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
B.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, change native VLAN to 10 on trunk Gi0/1.
C.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 (without native keyword) and IP 192.168.1.1/24. Enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
D.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 native and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, set native VLAN to 10 on trunk Gi0/1.
AnswerA
solution
! R1
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
ip routing

Why this answer

The current issue is a native VLAN mismatch and missing IP routing. SW1's trunk port Gi0/1 uses native VLAN 1, sending untagged frames for VLAN 1. R1 has subinterfaces for VLANs 10 and 20 but no subinterface handling untagged native traffic, causing VLAN 10 traffic (if it were tagged) to reach R1 but native traffic to be dropped.

Additionally, IP routing is not enabled, preventing inter-VLAN forwarding even if subinterfaces are correctly addressed. Option A resolves both problems by adding a subinterface dot1Q 1 native with an IP address, enabling IP routing, and ensuring the trunk allows VLANs 10 and 20 with native VLAN 1. Option B creates subinterfaces for VLANs 10 and 20 but changes the switch native VLAN to 10 without a matching native subinterface on R1, so untagged VLAN 10 traffic still fails.

Option C incorrectly uses 'encapsulation dot1Q 1' without the native keyword, so it expects tagged VLAN 1 frames, which do not match the switch's untagged native traffic. Option D changes the native VLAN to 10 on both sides, but this requires modifying the existing VLAN design; moreover, it does not guarantee that hosts in VLAN 10 will be able to reach the router if they are using IP 192.168.1.1 as their default gateway, and the trunk may still be missing allowed VLANs—making A the simplest, design-coherent solution.

Exam trap

Watch out for native VLAN mismatches: the router must have a subinterface with 'encapsulation dot1Q <vlan> native' to match the switch's native VLAN. Also, remember that 'ip routing' is required for router-on-a-stick to forward between VLANs.

Why the other options are wrong

B

Changing the native VLAN to 10 on the switch without a matching 'encapsulation dot1Q 10 native' subinterface on R1 causes native VLAN traffic to be dropped.

C

Using 'encapsulation dot1Q 1' (without native) tells the router to expect tagged VLAN 1 frames, which will never arrive because the switch sends native VLAN 1 untagged.

D

Altering the network to make VLAN 10 the native VLAN is unnecessary and can break existing connectivity; the correct fix is to accommodate the existing native VLAN 1 design.

354
MCQhard

A network engineer has configured an LACP EtherChannel between Switch1 and Switch2 by assigning interfaces to channel-group 1 with the mode passive on both switches. The engineer issues the show etherchannel summary command on Switch1 and sees the output below. The Port-channel interface remains down. Which action resolves the issue?

A.Configure the switchport mode as trunk on both sides.
B.Change the mode on one switch to active.
C.Verify that the native VLAN matches on both sides of the trunk.
D.Correct the speed and duplex settings on the member ports.
AnswerB

With both sides passive, no LACP PDUs are exchanged. Configuring one side as active starts the negotiation, allowing the ports to bundle and the Port-channel to come up.

Why this answer

When both switches are configured with LACP mode passive, neither switch initiates the negotiation process because passive mode only responds to incoming LACP packets. By changing one side to active mode, that switch will actively send LACP packets, allowing the EtherChannel to form. The Port-channel interface remains down due to this negotiation failure, not because of VLAN or physical mismatch issues.

Exam trap

Cisco often tests the LACP mode interaction by setting both sides to passive, leading candidates to incorrectly focus on trunking, VLAN, or physical layer issues instead of recognizing that LACP requires at least one side to be active.

Why the other options are wrong

A

The show output indicates Layer 2 mode is already active, and trunking isn’t required for bundling. The issue is LACP protocol negotiation, not interface mode.

C

The Port-channel would still form even with a native VLAN mismatch; it would not be down (SD) and ports would not be stand-alone (I) solely because of VLAN mismatch.

D

The flags in the output (I, SD) are not consistent with a speed/duplex problem, and the explicit configuration of passive mode on both sides is the known root cause.

355
MCQhard

A PC connected to SW1 cannot reach the default gateway. The access port is assigned to VLAN 20, and the switch output shows that VLAN 20 is inactive. What is the most likely cause?

A.Port security has shut down the interface
B.VLAN 20 does not exist or is not active on the switch
C.The port must be converted to a trunk
D.The default gateway must be configured on the physical switch port
AnswerB

That is exactly what the inactive VLAN status is telling you.

Why this answer

The port is operationally up, but VLAN 20 is listed as inactive because that VLAN does not exist in the VLAN database. An access port assigned to a missing VLAN will not carry normal user traffic for that VLAN.

Exam trap

Ensure the VLAN is created and active in the VLAN database when troubleshooting connectivity issues.

Why the other options are wrong

A

This option is wrong because the question specifies that the PC cannot reach the default gateway due to VLAN issues, not because of port security settings. Port security would typically result in the interface being in an error-disabled state, which is not indicated here.

C

This option is incorrect because converting the port to a trunk would not resolve the issue of the PC not reaching the default gateway if VLAN 20 is not configured or active. The problem lies in the VLAN configuration, not the port type.

D

This option is incorrect because the default gateway is typically configured on the device (e.g., a router or PC) rather than on the switch port itself. The issue in the question pertains to VLAN configuration, not gateway settings.

356
PBQmedium

You are connected to SW1, a Layer 2 switch. Port G0/1 connects to a PC in VLAN 10. Management requires that only one MAC address is allowed on this port, and if a violation occurs, the port should shut down and a log message should be generated. Additionally, you need to ensure that the port enables rapidly and does not wait for STP convergence. Currently, the PC has MAC address aaaa.bbbb.cccc.

Network Topology
SW1 G0/1 --- PC

Hints

  • Port security must be enabled first.
  • Use the 'mac-address' command to specify the allowed MAC.
  • PortFast bypasses STP listening/learning for access ports.
A.switchport port-security; switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; spanning-tree portfast
B.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation restrict; spanning-tree portfast
C.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation protect; spanning-tree portfast
D.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; no spanning-tree portfast
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address aaaa.bbbb.cccc
switchport port-security violation shutdown
spanning-tree portfast

Why this answer

Port security limits access to a port based on MAC addresses. The correct sequence must first enable port security with the `switchport port-security` command. Then setting maximum to 1 with a specific MAC ensures only that device can connect.

Violation shutdown disables the port if an unauthorized MAC appears. PortFast allows the port to transition to forwarding immediately, which is appropriate for end-user devices. Options B and C use wrong violation modes (restrict or protect) that do not shut the port and may not log.

Option D uses correct violation mode but omits PortFast, causing STP delays.

Exam trap

The key trap is confusing the three port security violation modes: shutdown (disables port + logs), restrict (drops traffic + logs but port stays up), and protect (drops traffic silently, no log). Also, remember that PortFast is needed for immediate forwarding on access ports.

Why the other options are wrong

B

The specific factual error: 'restrict' does not disable the port; it only filters traffic and logs the violation, but the port remains operational.

C

The specific factual error: 'protect' silently drops unauthorized traffic without logging or disabling the port.

D

The specific factual error: PortFast is required to bypass STP convergence; without it, the port will wait for STP to transition, causing delay.

357
MCQhard

After configuring DHCP snooping on VLAN 10 to prevent rogue DHCP servers, all clients in the VLAN stop receiving DHCP offers from the legitimate DHCP server that is connected to port Gi0/1. The administrator verifies the DHCP server is operational and reachable. What should the technician do next?

A.Enable Dynamic ARP Inspection on VLAN 10.
B.Configure interface Gi0/1 as a DHCP snooping trusted port.
C.Add an ip helper-address on the VLAN 10 SVI pointing to the DHCP server.
D.Reconfigure the DHCP server scope to include DHCP Option 82.
AnswerB

DHCP snooping blocks DHCP server messages on untrusted ports. Since the legitimate server is on Gi0/1, trusting the port allows the switch to forward DHCP offers from that port, resolving the issue.

Why this answer

By default, DHCP snooping marks all ports as untrusted, which blocks DHCP server replies (including offers) from those ports. Since the legitimate server is connected to Gi0/1, the port must be explicitly trusted to allow DHCP offers through. This step directly addresses the Layer 2 access control mechanism.

Exam trap

The most common mistake is to enable Dynamic ARP Inspection on VLAN 10, assuming it is required for DHCP snooping to work, but DAI only uses the DHCP snooping binding table and does not control DHCP traffic.

Why the other options are wrong

A

Misunderstanding that DAI controls DHCP traffic rather than ARP packets.

C

Assuming DHCP snooping introduces routing changes or that the server is on a different subnet.

D

Confusing DHCP snooping with DHCP relay agent functionality and option 82 insertion.

358
Multi-Selectmedium

Which TWO switch port configurations are required when connecting a Cisco IP phone and a desktop PC to a single access port?

Select 2 answers
A.Configure the port as a trunk and allow both VLANs.
B.Use the 'switchport voice vlan' command to assign a dedicated voice VLAN.
C.Disable spanning tree on the port to prevent voice delays.
D.Apply 'mls qos trust cos' on the interface to preserve voice packet markings.
E.Configure the port as a routed port with an IP address for management.
AnswersB, D

This command separates voice traffic from data traffic by placing the phone in a specific VLAN, typically VLAN 10 or similar, while the PC remains in the native access VLAN.

Why this answer

Option B is correct because the 'switchport voice vlan' command assigns a dedicated VLAN for voice traffic, allowing the IP phone to tag its packets with the voice VLAN ID while the PC remains in the native (data) VLAN. Option D is correct because 'mls qos trust cos' preserves the Layer 2 Class of Service (CoS) markings from the IP phone, ensuring voice packets receive appropriate QoS treatment across the network. Option A is incorrect because a trunk port is not required—the access port with the voice VLAN command handles both VLANs without trunking.

Option C is incorrect because disabling Spanning Tree Protocol (STP) is not a recommended practice and does not prevent voice delays; STP is essential for loop prevention and can be tuned with PortFast instead. Option E is incorrect because the port must remain a Layer 2 access port, not a routed port, to support both the PC and IP phone.

Exam trap

Cisco often tests the misconception that a trunk port is needed to carry both voice and data VLANs, but the correct approach uses a single access port with the 'switchport voice vlan' command to handle both VLANs without trunking.

Why the other options are wrong

A

Using a trunk port for a single device connection is unnecessary and violates standard access port design; it would also require the phone to support trunking, which is not the typical Cisco IP phone configuration.

C

STP does not introduce significant delays in normal operation, and disabling it risks broadcast storms and network loops.

E

Access ports operate at Layer 2; converting to a routed port would prevent the phone and PC from communicating within their respective VLANs.

359
MCQhard

A network engineer notices that after adding a new switch to the network, a different switch unexpectedly becomes the STP root bridge, disrupting all VLANs. The new switch has the default priority (32768) but has a lower MAC address than all existing switches. What is the most likely cause?

A.The new switch is running PVST+ while the existing switches use Rapid PVST+
B.Root Guard is enabled on the new switch’s uplink ports facing the existing root
C.The existing root bridge has a bridge priority lower than the default value of 32768
D.The new switch was added with a bridge priority of 4096
AnswerC

If the existing root bridge’s priority is less than 32768 (e.g., 4096 or 0), its Bridge ID is lower than the new switch’s default 32768 + lower MAC. STP always elects the switch with the lowest Bridge ID as the root bridge. Thus, despite the new switch’s lower MAC, the manually lowered priority keeps the existing switch as root.

Why this answer

In STP, bridge priority is the primary parameter for root election. If the existing root bridge has a bridge priority lower than the default 32768, it will have a lower Bridge ID regardless of its MAC address, so it remains the root. The new switch’s lower MAC would only win if all bridge priorities are equal (default).

This explains why a different switch becomes root even though the new one has a lower MAC.

Exam trap

Many candidates focus solely on the MAC address tie-breaker and forget that bridge priority is compared first. They may also confuse root guard functionality—root guard prevents a port from becoming a root port, but does not cause another switch to become the root.

Why the other options are wrong

A

Candidates may think that STP version incompatibility disrupts root election, but both versions use the same BPDU format and root election rules.

B

Candidates often associate Root Guard with preventing a switch from becoming the root. However, it does not cause another switch to become root; it just protects the network from unexpected superior BPDUs.

D

Candidates may confuse the symptom and think that a low priority on the new switch causes the problem, but this would make the new switch the root, not another switch.
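The Bridge ID comparison behind this question, as an added example that is not part of the original page: a per-VLAN root election in which the 16-bit priority field (configured priority plus the VLAN number as extended system ID) is compared before the MAC address. Switch names and MAC addresses are constructed sample values.

```python
"""Per-VLAN STP root election modelled on the Bridge ID comparison.

Added example, not from the original page. Switch names and MAC addresses
are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                # base MAC in Cisco notation "aaaa.bbbb.cccc"
    priority: int = 32768   # configured bridge priority (IOS default 32768)

    def priority_field(self, vlan: int) -> int:
        """16-bit priority field of the PVST+/Rapid PVST+ Bridge ID:
        4-bit configured priority (a multiple of 4096) plus the 12-bit
        extended system ID, which carries the VLAN number."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 in 0..61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN must be 1..4094")
        return self.priority + vlan

    def bridge_id(self, vlan: int) -> int:
        """64-bit Bridge ID: priority field (high 16 bits) then MAC (low 48 bits).
        Because the priority field is the high-order part it is compared first;
        the MAC address only breaks ties between equal priority fields."""
        mac_int = int(self.mac.replace(".", "").replace(":", ""), 16)
        return (self.priority_field(vlan) << 48) | mac_int

    def show_priority(self, vlan: int) -> str:
        """Render the priority the way `show spanning-tree` prints it."""
        return f"{self.priority_field(vlan)} (priority {self.priority} sys-id-ext {vlan})"


def elect_root(bridges, vlan: int) -> Bridge:
    """The bridge with the numerically lowest Bridge ID becomes the root."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


# Constructed scenario: an existing root with a lowered priority, an access
# switch at default priority, and a new switch with the lowest MAC of all.
EXISTING_ROOT = Bridge("SW-Core", "00d0.ba12.3456", priority=4096)
ACCESS_SW = Bridge("SW-Access", "5c5e.ab00.0001")
NEW_SW = Bridge("SW-New", "0000.0c11.2233")


def scenario_with_lowered_priority() -> str:
    """Priority is compared before MAC: the new switch's lower MAC loses."""
    return elect_root([EXISTING_ROOT, ACCESS_SW, NEW_SW], vlan=10).name


def scenario_all_defaults() -> str:
    """Only when every priority field is equal does the lowest MAC win."""
    all_default = [Bridge(b.name, b.mac) for b in (EXISTING_ROOT, ACCESS_SW, NEW_SW)]
    return elect_root(all_default, vlan=10).name


if __name__ == "__main__":
    for b in (EXISTING_ROOT, ACCESS_SW, NEW_SW):
        print(f"{b.name:10} {b.show_priority(10)}")
    print("root with SW-Core priority 4096:", scenario_with_lowered_priority())
    print("root with all defaults:         ", scenario_all_defaults())
```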

360
MCQhard

A network administrator notices that hosts in VLAN 10 cannot ping the default gateway (192.168.10.1). The switch's SVI for VLAN 10 is configured and the output of the show ip interface brief command shows its status as up/up. An embedded packet capture is configured. The exhibit shows ARP requests from a host to 192.168.10.1 but no ARP reply. Based on the exhibit, what is the most likely cause of the connectivity issue?

A.The default gateway is configured incorrectly on the host.
B.The switchport connecting the host is not assigned to VLAN 10.
C.An ACL is applied to the SVI blocking ICMP.
D.The SVI is administratively down.
AnswerB

The SVI for VLAN 10 is configured and responding to pings, but the host cannot ping the gateway because it is in a different VLAN. The access port must be in VLAN 10 for the host to communicate with the SVI.

Why this answer

The correct answer is B because the packet capture shows ARP requests from the host but no reply, indicating the switch's VLAN 10 SVI is not receiving the ARP frames. Since the SVI is confirmed up/up, the most likely cause is that the switchport connecting the host is not assigned to VLAN 10, causing the frames to be on a different VLAN. Option A is incorrect because the host's default gateway is correctly set to 192.168.10.1 (the SVI's IP); ARP requests are being sent but not answered.

Option C is wrong because an ACL on the SVI would not block ARP (ARP is a Layer 2 protocol not filtered by IP ACLs), and the capture would show a reply if the SVI received the request. Option D is incorrect because the exhibit shows the SVI is up/up, ruling out an administratively down condition.

Exam trap

Cisco often tests the distinction between Layer 2 connectivity (VLAN assignment) and Layer 3 issues (ACL, SVI state), where candidates mistakenly blame IP configuration or ACLs when the root cause is a VLAN mismatch preventing ARP resolution.

Why the other options are wrong

A

The host's default gateway is correctly configured as 192.168.10.1, evident from the ARP requests being sent to that address.

C

An IP ACL on the SVI does not block ARP (it operates at Layer 2), so it would not prevent ARP replies.

D

The exhibit's show ip interface brief output confirms the SVI is in up/up state, proving it is not administratively down.

361
MCQhard

A client can join a secure employee SSID, but traffic is consistently placed into a guest-style restricted path. Which area should be investigated first?

A.The policy, role, or VLAN mapping applied after successful authentication.
B.Whether the client can see the SSID at all.
C.Whether the RADIUS server is returning a guest VLAN attribute.
D.Whether OSPF area 0 is configured on the client.
AnswerA

This is correct because the symptom points to wrong post-authentication placement.

Why this answer

The strongest first area to investigate is the mapping between the authenticated user or WLAN and the policy or VLAN that is applied afterward. In practical terms, the client is joining successfully, so the issue is not basic RF visibility or initial authentication. The clue is that the wrong access policy is being applied after the join process.

This is a highly realistic wireless policy troubleshooting scenario because the failure happens after successful connectivity setup.

Exam trap

Avoid assuming connectivity issues are always RF-related; consider post-authentication processes like VLAN assignment.

Why the other options are wrong

B

This option is wrong because the question already states that the client can join the secure SSID, indicating that the SSID is visible and accessible. Therefore, checking visibility is unnecessary.

C

While a misconfigured RADIUS server could cause this symptom, the question asks which area should be investigated first; checking the policy mapping applied after authentication is a more direct and likely cause.

D

This option is wrong because OSPF area 0 configuration pertains to routing protocols and network topology, which does not directly affect the client's access to the SSID or its traffic path after authentication.

362
MCQhard

Two switches are connected via an IEEE 802.1Q trunk. Hosts in VLAN 30 on opposite sides cannot communicate, yet hosts in VLAN 10 communicate normally. Both switches have VLAN 30 in their VLAN database, and the trunk link is operational. What is the most likely cause?

A.VLAN 30 is pruned or not allowed on one side of the trunk
B.The native VLAN must be set to 30
C.STP blocks all VLANs on the trunk when one VLAN fails
D.The trunk must be changed to access mode for VLAN 30
AnswerA

That directly explains why VLAN 10 works and VLAN 30 does not.

Why this answer

If a VLAN is not allowed on one side of the trunk, frames for that VLAN are dropped even though other VLANs continue to work. Option A correctly identifies that VLAN 30 is either pruned or missing from the allowed list on one end. Option B is wrong because the native VLAN only affects untagged frames and would not cause the filtering of a tagged VLAN like VLAN 30.

Option C is incorrect because STP can block individual VLANs per port, but it does not block all VLANs on a trunk due to a single VLAN’s issue—only the affected VLAN would be blocked. Option D is invalid because converting the trunk to access mode would break all VLAN trunking, including the working VLAN 10.

Exam trap

Ensure you check the trunk configuration for allowed VLANs, not just VLAN existence or port assignments.

Why the other options are wrong

B

The native VLAN setting only governs untagged traffic on the trunk, not the tagged frames of VLAN 30, so it cannot fix a missing allowed VLAN.

C

STP does not globally block all VLANs on a trunk; per-VLAN spanning tree can block individual VLANs, but a single VLAN failure would not cause the trunk to block all traffic.

D

Changing the trunk to access mode would restrict the link to a single VLAN, breaking VLAN 10 connectivity as well, which contradicts the working state of VLAN 10.
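The trunk behaviour behind this question and question 353 above, as an added example that is not part of the original page: frames in the native VLAN leave a trunk untagged, every other VLAN is tagged, the receiving trunk classifies untagged frames into its own native VLAN and drops VLANs missing from its allowed list, and a router subinterface only takes untagged frames when configured with the `native` keyword. MAC addresses and payloads are constructed; the classes model the behaviour the explanations describe, not any vendor implementation.

```python
"""802.1Q trunk model: tagging on transmit, classification and allowed-list
filtering on receive, and how a router subinterface with or without `native`
sees the same frames.

Added example, not from the original page. MAC addresses and payloads are
constructed sample values."""
import struct

TPID = 0x8100            # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, vlan: int, payload: bytes,
                native_vlan: int, pcp: int = 0) -> bytes:
    """Encode a frame as a trunk port transmits it: frames in the native VLAN
    leave untagged, every other VLAN carries a 4-byte 802.1Q tag."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    header = _mac(dst) + _mac(src)
    if vlan == native_vlan:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
    return header + struct.pack("!HHH", TPID, tci, ETHERTYPE_IPV4) + payload


def classify(frame: bytes, native_vlan: int) -> tuple[int, bool]:
    """Return (vlan, was_tagged) for a frame arriving on a trunk. Untagged and
    priority-tagged (VID 0) frames are placed in the receiver's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return native_vlan, False
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    return (native_vlan, False) if vid == 0 else (vid, True)


class TrunkPort:
    """Receive side of a switch trunk with a native VLAN and an allowed list."""

    def __init__(self, native_vlan: int, allowed: set[int]):
        self.native_vlan = native_vlan
        self.allowed = set(allowed)

    def receive(self, frame: bytes):
        """VLAN the frame is forwarded in, or None if the trunk drops it."""
        vlan, _ = classify(frame, self.native_vlan)
        return vlan if vlan in self.allowed else None


class Subinterface:
    """Router-on-a-stick subinterface, `encapsulation dot1Q <vlan> [native]`.
    Without `native` only tagged frames for that VLAN match; with `native`
    the subinterface takes the untagged frames instead."""

    def __init__(self, vlan: int, native: bool = False):
        self.vlan, self.native = vlan, native

    def matches(self, frame: bytes) -> bool:
        vlan, tagged = classify(frame, native_vlan=self.vlan)
        if self.native:
            return not tagged
        return tagged and vlan == self.vlan


def demo() -> dict:
    """Walk through the failure modes described on the page. SW1 transmits
    with native VLAN 1 (constructed addresses)."""
    def from_sw1(vlan: int) -> bytes:
        return build_frame("ffff.ffff.ffff", "aaaa.bbbb.0001", vlan, b"ARP", native_vlan=1)

    sw2 = TrunkPort(native_vlan=1, allowed={1, 10})          # VLAN 30 not allowed
    mismatched = TrunkPort(native_vlan=99, allowed={1, 10, 30, 99})
    return {
        "vlan10_forwarded_in": sw2.receive(from_sw1(10)),
        "vlan30_forwarded_in": sw2.receive(from_sw1(30)),   # dropped: None
        "untagged_lands_in_on_mismatch": mismatched.receive(from_sw1(1)),
        "dot1q_1_without_native": Subinterface(1).matches(from_sw1(1)),
        "dot1q_1_native": Subinterface(1, native=True).matches(from_sw1(1)),
        "dot1q_10_tagged": Subinterface(10).matches(from_sw1(10)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```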

363
Multi-Selectmedium

Which three of the following statements about VLAN Trunking Protocol (VTP) are correct? (Choose three.)

Select 3 answers
A.VTP pruning helps reduce unnecessary broadcast traffic on trunk links by pruning VLANs that are not active on any downstream switch.
B.A VTP server can create, modify, and delete VLANs, and these changes are propagated to all other switches in the same VTP domain.
C.VTP transparent mode switches forward VTP advertisements but do not synchronize their VLAN database from the server.
D.VTP version 3 supports extended VLANs (1006-4094) and is backward compatible with VTP version 1 and 2.
E.A switch in VTP client mode can create local VLANs that are not advertised to the rest of the domain.
F.VTP advertisements are sent as multicast frames using the destination MAC address 0180.c200.0000.
AnswersA, B, C

Why this answer

All three selected statements are correct: VTP pruning reduces unnecessary broadcast traffic by pruning inactive VLANs from trunk links; a VTP server can create, modify, and delete VLANs and propagates the changes; transparent mode forwards advertisements but does not synchronize. The three distractors are incorrect. D: VTP version 3 is not backward compatible with versions 1 and 2; it requires compatible versions.

E: A VTP client cannot create local VLANs; it only synchronizes from the server. F: VTP uses multicast MAC address 0100.0CCC.CCCC for advertisements, not 0180.c200.0000 which is used by other protocols like STP.

Exam trap

Cisco often tests the distinction between VTP modes, especially that transparent mode forwards advertisements but does not synchronize, and that VTP pruning is a separate feature that must be enabled on the VTP server to take effect.

Why the other options are wrong

D

VTP version 3 is not backward compatible with versions 1 and 2; it uses a different format and does not interoperate with them.

E

A VTP client switch cannot create local VLANs; it synchronizes its VLAN database from the VTP server.

F

VTP advertisements use the multicast MAC address 0100.0CCC.CCCC, not 0180.c200.0000 which is used for protocols like STP.

364
Multi-Selectmedium

Which TWO statements correctly describe the configuration and use of a voice VLAN on a Cisco switch port?

Select 2 answers
A.The voice VLAN is configured using the 'switchport mode trunk' command.
B.When a voice VLAN is configured, the switch port operates in two VLANs: one for data and one for voice traffic.
C.The voice VLAN must be the same as the native VLAN on the trunk link.
D.The IP phone uses CDP or LLDP to learn the voice VLAN ID from the switch.
E.The data VLAN and voice VLAN must be in the same IP subnet.
AnswersB, D

With voice VLAN, the port is an access port for the data VLAN and also accepts tagged traffic on the voice VLAN, effectively operating in two VLANs.

Why this answer

Option B is correct because when a voice VLAN is configured on a Cisco switch port, the port operates in two separate VLANs simultaneously: one for data traffic (the access VLAN) and one for voice traffic (the voice VLAN). This is achieved using the 'switchport voice vlan' command, which allows the switch to tag voice frames with the voice VLAN ID while leaving data frames untagged (or tagged with the access VLAN). This separation ensures that voice traffic receives appropriate QoS treatment and is isolated from data traffic.

Exam trap

Cisco often tests the misconception that a voice VLAN requires trunking or that the voice VLAN must match the native VLAN, but in reality, a voice VLAN is configured on an access port using the 'switchport voice vlan' command, and the native VLAN concept applies only to trunk ports.

Why the other options are wrong

A

Trunk mode is used to carry multiple VLANs, but for a single access port with voice, the port remains in access mode and uses the voice VLAN feature.

C

The native VLAN is used for untagged traffic on a trunk, while the voice VLAN is a specific VLAN that carries tagged voice traffic from the phone.

E

They are separate VLANs and usually belong to different subnets for logical separation and management.

365
PBQeasy

You are connected to SW1, a Layer 2 switch. The network administrator wants to prevent unauthorized switches from being connected to access ports. Port G0/1 is an access port in VLAN 10. You need to configure BPDU Guard on this port to protect against STP loops caused by rogue switches. Additionally, enable PortFast for immediate transition to forwarding.

Hints

  • PortFast should be applied to access ports to reduce STP convergence time.
  • BPDU Guard disables the port if a BPDU is received.
  • Both commands are under the interface configuration.
A.SW1(config-if)# spanning-tree portfast; SW1(config-if)# spanning-tree bpduguard enable
B.SW1(config)# spanning-tree portfast default; SW1(config)# spanning-tree bpduguard default
C.SW1(config-if)# spanning-tree portfast; SW1(config-if)# spanning-tree guard root
D.SW1(config-if)# spanning-tree portfast; SW1(config-if)# spanning-tree bpduguard disable
AnswerA
solution
! SW1
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to skip STP listening/learning and transition immediately to forwarding. BPDU Guard protects against STP loops by error-disabling the port if a BPDU is received, which would indicate an unauthorized switch connection.

Exam trap

Be careful to distinguish between interface-level and global commands for PortFast and BPDU Guard. Also, remember that BPDU Guard uses 'bpduguard enable' (not 'disable') and is different from Root Guard ('guard root').

Why the other options are wrong

B

The specific factual error is that global commands affect all ports, not a single interface.

C

The specific factual error is confusing Root Guard with BPDU Guard; they serve different purposes.

D

The specific factual error is using the 'disable' keyword instead of 'enable' to activate BPDU Guard.

366
MCQeasy

Which STP port state on a classic 802.1D switch listens for BPDUs and prepares to participate in the topology, but does not yet learn MAC addresses?

A.Listening
B.Learning
C.Forwarding
D.Disabled
AnswerA

Listening comes before learning and does not yet learn MACs.

Why this answer

In classic STP, the listening state processes BPDUs and waits before learning begins. The learning state is when the switch starts populating the MAC table.

Exam trap

Do not confuse the listening state with the learning state; remember that listening involves BPDU processing without MAC address learning.

How to eliminate wrong answers

Eliminate 'Learning' because it involves MAC address table updates. 'Blocking' can be ruled out as it does not prepare to forward traffic. 'Forwarding' is incorrect because it involves active data transmission and MAC learning. 'Listening' is correct as it processes BPDUs without learning MAC addresses.

367
MCQhard

A switch interface is configured as `dynamic desirable`, and the peer interface is configured as `dynamic auto`. What is the most likely result?

A.The link is likely to become a trunk.
B.The link becomes a routed port.
C.All VLANs are deleted from both switches.
D.The port is immediately error-disabled.
AnswerA

This is correct because dynamic desirable can initiate trunk negotiation with a dynamic auto peer.

Why this answer

The most likely result is that the link becomes a trunk. In simple terms, `dynamic desirable` actively tries to negotiate a trunk, while `dynamic auto` listens and responds. Because one side is willing to initiate the process, trunking can be established if the rest of the configuration is compatible.

This question tests whether you know the difference between passive and active DTP behavior. The classic failure pairing is auto/auto. Desirable/auto, by contrast, is a normal path to trunk formation.

Exam trap

Be careful not to confuse DTP modes with Spanning Tree Protocol states or assume passive modes prevent trunking.

Why the other options are wrong

B

This option is wrong because a switch interface configured as `dynamic desirable` and its peer as `dynamic auto` will negotiate a trunk link, not a routed port. Routed ports are typically configured explicitly and not through dynamic negotiation.

C

This option is wrong because configuring a switch interface as `dynamic desirable` and `dynamic auto` does not lead to the deletion of VLANs; it instead allows for trunk negotiation between the switches.

D

This option is wrong because a switch interface configured as `dynamic desirable` and its peer as `dynamic auto` will negotiate a trunk link; DTP negotiation does not place a port in the error-disabled state. Error-disable is triggered by features such as BPDU Guard or port security violations, not by trunk negotiation.

368
PBQhard

You are connected to the multilayer switch SW1. Configure Root Guard on the designated port towards the access switch SW2, Loop Guard on the uplink port towards the distribution switch SW3, and BPDU Guard on the PortFast-enabled port connected to a workstation. After configuration, a superior BPDU is received on the designated port, causing it to be blocked by Root Guard. Later, a BPDU is received on the PortFast port, triggering err-disable state. Identify and resolve these issues.

Network Topology
SW1 Gi0/0 (192.168.1.1/24) --- Gi0/0 (192.168.1.2/24) SW2
SW1 Gi0/1 (10.10.10.1/30) --- Gi0/1 (10.10.10.2/30) SW3
SW1 Gi0/2 (172.16.1.1/24) --- Workstation

Hints

  • Root Guard should only be placed on ports that are not expected to receive superior BPDUs — check if Gi0/0 is a designated port.
  • A port err-disabled by BPDU Guard requires manual intervention: shutdown/no shutdown.
  • Loop Guard is correctly applied to the trunk uplink; no changes needed there.
A.Remove Root Guard from interface Gi0/0 and re-enable interface Gi0/2 with a shutdown/no shutdown sequence.
B.Disable BPDU Guard on interface Gi0/2 and increase the root bridge priority on SW1 to prevent superior BPDUs.
C.Apply Root Guard to interface Gi0/2 instead of Gi0/0 and configure Loop Guard on Gi0/0.
D.Remove Loop Guard from interface Gi0/1 and configure it on Gi0/0 instead, then re-enable Gi0/2 using the 'errdisable recovery cause bpduguard' command.
AnswerA
solution
! SW1
configure terminal
! Root Guard does not belong on the designated port towards SW2
interface GigabitEthernet0/0
no spanning-tree guard root
! Clear the BPDU Guard err-disable on the PortFast port
interface GigabitEthernet0/2
shutdown
no shutdown
end

Why this answer

The issue is that Root Guard was incorrectly applied to the designated port (Gi0/0), which should normally become the root port if a superior BPDU is received. Root Guard blocks the port when a superior BPDU arrives, but here that BPDU is expected on the designated port; Root Guard should instead be applied only to ports that should never become root ports. In this scenario the superior BPDU is legitimate (from a root bridge with a lower priority), so Root Guard should be removed from Gi0/0.

For the PortFast port (Gi0/2), BPDU Guard correctly err-disabled the port upon receiving a BPDU, indicating an unauthorized switch connection. To restore the port, you must shut/no shut the interface and then investigate why a BPDU was received. The solution involves removing Root Guard from Gi0/0 and re-enabling Gi0/2 after verifying the connecting device.

Exam trap

Do not confuse the purpose of Root Guard (to prevent a port from becoming root port) with BPDU Guard (to protect PortFast ports). Root Guard should be applied to ports that should never be root ports, not to designated ports that may legitimately receive superior BPDUs. Also, remember that err-disable ports require manual intervention or errdisable recovery configuration.

Why the other options are wrong

B

The specific factual error is that BPDU Guard should remain enabled on PortFast ports, and changing root bridge priority does not address the Root Guard misapplication.

C

The specific factual error is that Root Guard is not appropriate for PortFast ports, and Loop Guard is already correctly placed on the uplink port.

D

The specific factual error is that Loop Guard is already correctly placed, and automatic recovery does not replace the need to investigate the unauthorized BPDU on Gi0/2.

369
MCQhard

Refer to the exhibit. An engineer configured PortFast on interface GigabitEthernet0/1, which connects to a server that does not participate in spanning tree. However, the port remains in the listening state for the full forward delay period before transitioning to forwarding. The engineer issues the show spanning-tree vlan 10 detail command. Based on the output, what is the most likely cause?

A.The port is configured as a trunk, so PortFast is not active.
B.BPDU Guard is enabled on the port, causing it to block.
C.The forward delay timer is set too high, and PortFast cannot override it.
D.The server is sending BPDUs, causing the port to lose its PortFast state.
AnswerA

PortFast is only effective on access ports. The exhibit shows ‘Edge port: no (default) portfast: no (default)’ despite the engineer enabling PortFast, indicating the port is operating as a trunk (or not an access port). Therefore, PortFast has no effect and the normal STP listening/learning states apply.

Why this answer

The exhibit shows that GigabitEthernet0/1 is in ‘listening’ state with a forward delay timer of 12 seconds, and the lines ‘Edge port: no (default) portfast: no (default)’ indicate that PortFast is disabled. PortFast only takes effect on access ports; since the port is configured as a trunk (implied by PortFast showing as inactive despite the engineer’s configuration), it does not skip the listening and learning states. The port is not in err-disabled state (no BPDU Guard block), and no BPDUs have been received (BPDU: received 0), ruling out the other options.

Exam trap

Candidates often assume that the forward delay timer always causes slow convergence, but PortFast bypasses that timer entirely on access ports. Here, PortFast is disabled, so the timer runs normally, but the root cause is that PortFast is not active due to the port being a trunk.

Why the other options are wrong

B

The port is not in an err-disabled state; BPDU Guard causes the port to be shut down, not to stay in listening.

C

This option misunderstands that PortFast bypasses the timers completely on access ports; the high forward delay would be irrelevant if PortFast were active.

D

The assumption that the server is sending BPDUs is contradicted by the output showing zero BPDUs received.

370
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port in RSTP.


Why this order

Configure PortFast and BPDU guard on the access port. Then trigger a violation by connecting an unauthorized switch, which causes the port to error-disable. Diagnose by checking the error-disabled status.

To recover, first remove the offending device, then cycle the port with shutdown and no shutdown; otherwise the port will immediately go error-disabled again.

Exam trap

Do not confuse the order: configuration must precede the violation. Also, recovery requires removing the rogue switch before bouncing the interface; failing to do so will cause the port to trip again.

371
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent loops, and BPDU Guard on PortFast-enabled GigabitEthernet0/3. After configuration, a superior BPDU arrives on G0/1, blocking the port; verify the Root Guard state and ensure BPDU Guard triggers err-disable on G0/3.

Network Topology
Diagram labels (image not recoverable): G0/1: designated port, G0/2: uplink, G0/3: PortFast; nodes: R1, Access Switch, Core Switch, End Device.

Hints

  • Root Guard is applied on ports that should never become root; use 'spanning-tree guard root'.
  • Loop Guard prevents alternate or root ports from becoming designated when BPDUs stop; use 'spanning-tree guard loop' on uplinks.
  • BPDU Guard combined with PortFast err-disables a port upon BPDU reception; enable with 'spanning-tree bpduguard enable' under the interface.
A.G0/1 is in root-inconsistent state; G0/3 is in err-disabled state.
B.G0/1 is in blocking state; G0/3 is in err-disabled state.
C.G0/1 is in root-inconsistent state; G0/3 is in blocking state.
D.G0/1 is in err-disabled state; G0/3 is in root-inconsistent state.
AnswerA
solution
! R1
configure terminal
! Root Guard on the designated port towards the access switch
interface GigabitEthernet0/1
spanning-tree guard root
! Loop Guard on the uplink towards the core switch
interface GigabitEthernet0/2
spanning-tree guard loop
! BPDU Guard on the PortFast port towards the end device
interface GigabitEthernet0/3
spanning-tree bpduguard enable
end

Why this answer

Root Guard is needed on the designated port (G0/1) to prevent an unauthorized switch from becoming root by sending superior BPDUs. Loop Guard on the uplink (G0/2) prevents loops if BPDUs stop arriving. BPDU Guard on PortFast ports (G0/3) immediately err-disables them upon BPDU reception.

The configuration uses 'spanning-tree guard root' on G0/1, 'spanning-tree guard loop' on G0/2, and 'spanning-tree bpduguard enable' on G0/3. Verification shows G0/1 blocked by root-inconsistent state and G0/3 in err-disabled state.

Exam trap

Do not confuse the states caused by Root Guard (root-inconsistent) and BPDU Guard (err-disable). Also, remember that Root Guard is applied to designated ports, not root or alternate ports.

Why the other options are wrong

B

Root Guard uses a specific 'root-inconsistent' state, not the generic 'blocking' state.

C

BPDU Guard triggers err-disable, not blocking. Blocking is an STP state, not an error state.

D

Root Guard and BPDU Guard have different effects: root-inconsistent vs. err-disable. Mixing them up is a common error.

372
PBQhard

You are connected to switch SW1 via console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLANs 10 and 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2, which connects to an end host. Finally, diagnose why interface GigabitEthernet0/3 is in err-disabled state and bring it back operational.

Hints

  • PortFast and BPDU Guard are configured under the interface.
  • Err-disabled recovery often requires a manual shutdown/no shutdown.
  • Check the errdisable cause with 'show interfaces Gi0/3' to understand the specific issue.
A.Configure SW1 with spanning-tree vlan 10,20 priority 4096, enable PortFast and BPDU Guard on Gi0/2, and recover Gi0/3 by identifying the cause and using shutdown/no shutdown.
B.Set SW1's priority to 0 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by reloading the switch.
C.Configure SW1 with spanning-tree vlan 10,20 root primary, enable PortFast and BPDU Guard globally, and recover Gi0/3 by using the 'errdisable recovery cause all' command.
D.Set SW1's priority to 8192 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by removing and reinserting the cable.
AnswerA
solution
! SW1
configure terminal
! Make SW1 the root bridge for VLANs 10 and 20
spanning-tree vlan 10,20 priority 4096
! Edge port towards the end host
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
exit
! Recover the err-disabled port after identifying the cause
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

To make SW1 the root bridge for VLANs 10 and 20, configure 'spanning-tree vlan 10,20 priority 4096' (a valid multiple of 4096). Interface Gi0/2 connects to an end host, so enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable' under the interface to protect against accidental BPDU reception. Gi0/3 is in err-disabled state.

Common causes include a port-security violation, a UDLD misconfiguration, or loopback detection. To recover, identify the cause with 'show interfaces status err-disabled', then administratively shut and no shut the interface. Option A correctly accomplishes these tasks.

Option B uses an invalid priority value (0) and reloading the switch is unnecessary. Option C configures 'root primary', which sets priority to 24576 but not 4096, and globally enabling PortFast and BPDU Guard is not recommended; also 'errdisable recovery cause all' might recover the port automatically but does not address the root cause. Option D uses priority 8192 (too high) and physical cable manipulation is not a valid recovery method.

Exam trap

Watch out for common mistakes: using invalid priority values (like 0), relying on 'root primary' which dynamically adjusts priority, forgetting BPDU Guard on edge ports, and attempting physical recovery instead of CLI commands. Always verify priority is a multiple of 4096 and that err-disable recovery uses administrative actions.

Why the other options are wrong

B

The specific factual error: Priority 0 is not a valid STP priority value; valid values are 0-61440 in increments of 4096, but 0 is reserved and not used in Cisco IOS. Also, reloading is not the recommended recovery for err-disable.

C

The specific factual error: 'root primary' does not set a fixed priority; it adjusts dynamically. Global PortFast and BPDU Guard can cause issues on trunk ports. 'errdisable recovery cause all' only enables automatic recovery after a timeout, not immediate recovery.

D

The specific factual error: Priority 8192 does not guarantee root bridge status if another switch has a lower priority. BPDU Guard is required on edge ports. Cable reseating does not clear err-disable state.

373
MCQhard

A user connects a Cisco IP Phone with a PC attached to the phone's PC port to switch interface GigabitEthernet0/5. The PC obtains an IP address and can reach the network, but the phone displays "Configuring IP" and never registers. Based on the exhibit outputs, what is the most likely cause?

A.The switchport must be configured as a trunk to support voice VLANs.
B.VLAN 20 has not been created in the switch's VLAN database.
C.The native VLAN on the trunk ports between the switch and the DHCP server is incorrectly set to VLAN 10.
D.The phone is manually configured to use VLAN 10 for voice traffic instead of VLAN 20.
AnswerB

The 'show vlan brief' output lists only VLANs 1 and 10. VLAN 20 does not exist, so the switch discards any tagged frames arriving on the port with VLAN ID 20, causing the phone's DHCP/TFTP communication to fail.

Why this answer

The PC obtains an IP address and can reach the network, indicating that the access VLAN (likely VLAN 1 or the native VLAN) is functioning. However, the phone displays 'Configuring IP' and never registers, which means it cannot obtain an IP address on its voice VLAN. The most likely cause is that VLAN 20, which is configured as the voice VLAN on the switchport, has not been created in the switch's VLAN database.

Without the VLAN existing, the switch cannot forward traffic or DHCP requests for that VLAN, leaving the phone stuck in the IP configuration phase.

Exam trap

Cisco often tests the distinction between configuring a voice VLAN on an interface and actually creating that VLAN in the global VLAN database; candidates mistakenly assume that referencing a VLAN in interface configuration automatically creates it.

Why the other options are wrong

A

Voice VLANs operate on access ports by tagging voice traffic while keeping PC traffic untagged in the data VLAN. A trunk is not required.

C

Native VLAN mismatches on trunks would affect both data and voice VLANs if both were allowed. The PC works, ruling out a general trunk issue.

D

The phone would work if it were sending voice traffic on the data VLAN (10), because VLAN 10 exists. The phone failing indicates a missing voice VLAN, not a misconfiguration on the phone.

374
PBQhard

You are connected to R1. The network has three departments: Sales (VLAN 10, 192.168.1.0/24), Engineering (VLAN 20, 192.168.2.0/24), and Management (VLAN 99, 192.168.99.0/24). A single switch SW1 connects to R1 via trunk interface G0/0. Subinterfaces for VLANs 10, 20, and 99 are already configured on R1 with correct encapsulation and IP addresses. However, inter-VLAN communication is failing. Troubleshoot and fix the configuration issue on R1 to enable routing between all VLANs.

Network Topology
Diagram labels (image not recoverable): G0/0 trunk; nodes: R1, SW1.

Hints

  • Check the global routing status on R1.
  • The subinterfaces are correctly configured but the router cannot forward packets between them.
  • A single global command enables inter-VLAN routing on a router.
A.Enable 'ip routing' globally on R1.
B.Configure a subinterface for VLAN 1 and assign it an IP address.
C.Change the encapsulation on the subinterfaces from dot1Q to ISL.
D.Add a static route on R1 pointing to each VLAN subnet.
AnswerA
solution
! R1
configure terminal
ip routing

Why this answer

The router has correctly configured subinterfaces with 802.1Q encapsulation and IP addresses for VLANs 10, 20, and 99. However, 'ip routing' is disabled globally, so the router cannot forward packets between subinterfaces. Additionally, the native VLAN on the trunk is VLAN 1 and no subinterface for VLAN 1 is configured; a native VLAN mismatch could cause issues, but the main problem is the lack of IP routing.

Enable 'ip routing' globally and optionally configure a subinterface for the native VLAN if needed. The solution requires only 'ip routing' to enable inter-VLAN routing.

Exam trap

The trap is that candidates often focus on trunking issues or missing subinterfaces, but the most common misconfiguration in router-on-a-stick is forgetting to enable 'ip routing' globally. Always check the running-config for 'ip routing' before troubleshooting other aspects.

Why the other options are wrong

B

The specific factual error: The native VLAN does not need a subinterface; the router can still route traffic for other VLANs without it.

C

The specific factual error: ISL is not commonly used and would not fix the routing issue; the problem is IP routing disabled.

D

The specific factual error: Directly connected routes are automatically added; no static routes are required.

375
MCQmedium

Exhibit: Users complain of slow wireless performance in a dense office even though signal strength is strong. Multiple APs are using channels 1, 2, and 3 on 2.4 GHz. Which change is most appropriate?

A.Reduce all AP transmit power to zero
B.Move to non-overlapping channels such as 1, 6, and 11
C.Change every AP to the same channel for consistency
D.Disable WPA2 security
AnswerB

That is the standard corrective action on 2.4 GHz.

Why this answer

In 2.4 GHz, overlapping channels cause co-channel and adjacent-channel interference. The common non-overlapping choices are 1, 6, and 11. Moving away from overlapping channels usually improves performance in a dense deployment.

Exam trap

Avoid assuming that increasing power or adding more APs will solve interference issues without considering channel overlap.

Why the other options are wrong

A

Reducing all AP transmit power to zero would completely disable the wireless network, making it impossible for users to connect or experience any performance, which does not address the issue of slow performance in a dense office environment.

C

Changing every AP to the same channel would lead to co-channel interference, exacerbating the slow wireless performance issue rather than resolving it. In a dense office environment, this configuration would reduce overall throughput and increase contention among devices.

D

Disabling WPA2 security would not address the issue of slow wireless performance in a dense office environment; instead, it would compromise network security and potentially allow unauthorized access, worsening the situation.
