The answer is that the switch access port connecting the host is configured in the wrong VLAN, such as VLAN 20 instead of VLAN 10. This is the root cause because when a host on VLAN 10 sends a ping to its default gateway at 192.168.10.1, the frames must be tagged or associated with VLAN 10 as they traverse the trunk to the router. If the access port is assigned to VLAN 20, the switch will place those frames into VLAN 20, meaning the router’s SVI for VLAN 10 never receives them, and the ping fails. On the CCNA 200-301 v2 exam, this scenario tests your understanding of VLAN assignment on access ports and how mismatched VLANs break Layer 3 connectivity, even when the router and switch trunk are correctly configured. A common trap is to suspect the router’s SVI or the trunk itself, but the captured traffic on the trunk reveals the absence of VLAN 10 frames, pointing directly to the access port. Remember: if the host can’t reach the gateway, check the access VLAN first—it’s the most common misconfiguration.
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
R1# show monitor capture CAP1 buffer brief
# size timestamp source destination protocol
1 64 00:01:23.456 192.168.10.10 192.168.10.1 ICMP
2 64 00:01:23.789 192.168.10.10 192.168.10.1 ICMP
3 60 00:01:24.123 192.168.10.1 192.168.10.10 ARP
4 60 00:01:24.456 192.168.10.10 192.168.10.1 ICMP
5 60 00:01:24.789 192.168.10.1 192.168.10.10 ARP
6 60 00:01:25.123 192.168.10.10 192.168.10.1 ICMP
R1# show ip interface vlan 10
Vlan10 is up, line protocol is up
Internet address is 192.168.10.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP CEF switching is enabled
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: None
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
A network administrator is troubleshooting an issue where hosts on VLAN 10 cannot ping the default gateway at 192.168.10.1. The router (R1) has an SVI for VLAN 10 with IP 192.168.10.1/24. The administrator captures traffic on the router's G0/0/0 interface (trunk to the switch) and reviews the embedded packet capture output. What is the root cause of the problem?
R1# show monitor capture CAP1 buffer brief
# size timestamp source destination protocol
1 64 00:01:23.456 192.168.10.10 192.168.10.1 ICMP
2 64 00:01:23.789 192.168.10.10 192.168.10.1 ICMP
3 60 00:01:24.123 192.168.10.1 192.168.10.10 ARP
4 60 00:01:24.456 192.168.10.10 192.168.10.1 ICMP
5 60 00:01:24.789 192.168.10.1 192.168.10.10 ARP
6 60 00:01:25.123 192.168.10.10 192.168.10.1 ICMP
R1# show ip interface vlan 10
Vlan10 is up, line protocol is up
Internet address is 192.168.10.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP CEF switching is enabled
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: None
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
A
The router's SVI for VLAN 10 is administratively down.
Why wrong: The 'show ip interface vlan 10' output clearly shows the interface is up and line protocol is up.
B
The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
The router is sending ARP requests, but the host never receives them because the switch port is in a different VLAN. This prevents the router from learning the host's MAC address, causing the ping to fail.
C
An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.
Why wrong: The packet capture shows the router is receiving ICMP echo requests from the host, so there is no ACL blocking inbound traffic.
D
The router has ICMP redirects enabled, causing it to ignore the pings.
Why wrong: ICMP redirects are used to inform hosts of a better path, not to block traffic. The router is actively sending ARP replies, so redirects are not the issue.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
The captured traffic on the trunk shows that the router is not receiving any frames tagged with VLAN 10 from the host. If the switch port connecting the host is configured in VLAN 20 instead of VLAN 10, the host's frames will be tagged with VLAN 20 (or remain untagged in the access VLAN 20) and will not reach the router's SVI for VLAN 10, causing the ping to fail. This is the most direct cause given the symptom that the host cannot ping the default gateway.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The router's SVI for VLAN 10 is administratively down.
Why it's wrong here
The 'show ip interface vlan 10' output clearly shows the interface is up and line protocol is up.
✓
The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
Why this is correct
The router is sending ARP requests, but the host never receives them because the switch port is in a different VLAN. This prevents the router from learning the host's MAC address, causing the ping to fail.
Related concept
Read the scenario before looking for a memorised answer.
✗
An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.
Why it's wrong here
The packet capture shows the router is receiving ICMP echo requests from the host, so there is no ACL blocking inbound traffic.
✗
The router has ICMP redirects enabled, causing it to ignore the pings.
Why it's wrong here
ICMP redirects are used to inform hosts of a better path, not to block traffic. The router is actively sending ARP replies, so redirects are not the issue.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).Correct answer▾
Why this is correct
The router is sending ARP requests, but the host never receives them because the switch port is in a different VLAN. This prevents the router from learning the host's MAC address, causing the ping to fail.
✗The router's SVI for VLAN 10 is administratively down.Wrong answer — click to see why▾
Why this is wrong here
The SVI is operational, so this cannot be the root cause.
✗An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.Wrong answer — click to see why▾
Why this is wrong here
The router receives the ICMP requests, so an inbound ACL would have dropped them before they reached the capture buffer.
✗The router has ICMP redirects enabled, causing it to ignore the pings.Wrong answer — click to see why▾
Why this is wrong here
ICMP redirects do not prevent the router from responding to pings; they only send redirect messages when appropriate.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the distinction between Layer 2 and Layer 3 issues, and the trap here is that candidates assume the problem is on the router (e.g., ACL or interface state) when the packet capture reveals that the traffic never reaches the router's SVI due to a VLAN mismatch on the switch access port.
Trap categories for this question
Command / output trap
The 'show ip interface vlan 10' output clearly shows the interface is up and line protocol is up.
Detailed technical explanation
How to think about this question
On a trunk link, the switch tags frames with the appropriate VLAN ID using IEEE 802.1Q. If the host's access port is in VLAN 20, the switch will forward the host's frames with VLAN 20 tag over the trunk, and the router's G0/0/0 interface, which expects VLAN 10 frames on its subinterface or SVI, will not process them. This is a common misconfiguration where the access VLAN on the switch does not match the VLAN configured on the router's SVI, leading to a Layer 2 connectivity failure despite correct IP addressing.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Switching and Network Access — This question tests Switching and Network Access — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10). — The captured traffic on the trunk shows that the router is not receiving any frames tagged with VLAN 10 from the host. If the switch port connecting the host is configured in VLAN 20 instead of VLAN 10, the host's frames will be tagged with VLAN 20 (or remain untagged in the access VLAN 20) and will not reach the router's SVI for VLAN 10, causing the ping to fail. This is the most direct cause given the symptom that the host cannot ping the default gateway.
What should I do if I get this 200-301 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A network administrator notices that hosts in VLAN 10 cannot ping the default gateway (192.168.10.1). The switch's SVI for VLAN 10 is configured and the output of the show ip interface brief command shows its status as up/up. An embedded packet capture is configured. The exhibit shows ARP requests from a host to 192.168.10.1 but no ARP reply. Based on the exhibit, what is the most likely cause of the connectivity issue?
hard
A.The default gateway is configured incorrectly on the host.
✓ B.The switchport connecting the host is not assigned to VLAN 10.
C.An ACL is applied to the SVI blocking ICMP.
D.The SVI is administratively down.
Why B: The correct answer is B because the packet capture shows ARP requests from the host but no reply, indicating the switch's VLAN 10 SVI is not receiving the ARP frames. Since the SVI is confirmed up/up, the most likely cause is that the switchport connecting the host is not assigned to VLAN 10, causing the frames to be on a different VLAN. Option A is incorrect because the host's default gateway is correctly set to 192.168.10.1 (the SVI's IP); ARP requests are being sent but not answered. Option C is wrong because an ACL on the SVI would not block ARP (ARP is a Layer 2 protocol not filtered by IP ACLs), and the capture would show a reply if the SVI received the request. Option D is incorrect because the exhibit shows the SVI is up/up, ruling out an administratively down condition.
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.