Practise 200-301 DHCP questions covering DORA flow, scopes, excluded addresses, default gateway options, helper addresses, and troubleshooting clients that receive APIPA or cannot get an IP address.
DHCP questions cover server configuration, relay agents (ip helper-address), DHCP snooping, and the four-step DORA handshake. Common exam scenarios: a host isn't getting an IP, a relay agent isn't forwarding requests, or a rogue DHCP server is handing out wrong addresses.
Quick answer
DHCP questions usually test address assignment, scopes, relay agents, excluded addresses and why a client cannot obtain an IP address.
DHCP discovery, offer, request and acknowledgement flow.
DHCP scopes, excluded addresses and default gateway options.
DHCP relay using helper addresses.
Troubleshooting clients that receive APIPA or no address.
Related practice questions
Drag and drop the following steps into the correct order to configure an SSID on a WLC and complete a WPA3-Personal client association with DHCP address assignment.
A
Create an SSID profile, enable the SSID, configure WPA3-Personal security, configure DHCP scope, client associates and obtains IP address.
Why wrong: This is the correct sequence. First, you create the SSID profile on the WLC. Then you enable it. Next, you configure WPA3-Personal security settings. After that, you configure DHCP (either on the WLC or external server) to assign IP addresses. Finally, the client associates and obtains an IP address via DHCP.
B
Configure DHCP scope, create an SSID profile, enable the SSID, configure WPA3-Personal security, client associates and obtains IP address.
This is incorrect because DHCP configuration should come after the SSID is enabled and security is set, not before creating the SSID. The DHCP scope is part of the network infrastructure that supports the WLAN, but the logical order on the WLC starts with the SSID profile.
C
Create an SSID profile, configure WPA3-Personal security, enable the SSID, configure DHCP scope, client associates and obtains IP address.
This correct order first creates the WLAN, then secures it with WPA3 before enabling it, preventing any open-air gap. After security, the SSID is activated, DHCP is configured, and the client can associate and obtain an IP.
D
Create an SSID profile, enable the SSID, configure DHCP scope, configure WPA3-Personal security, client associates and obtains IP address.
This is incorrect because DHCP configuration should come after security configuration, not before. The DHCP scope is part of the network services that support the WLAN, but the security settings must be in place before the client can associate and request an IP.
Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.
A
Enter global configuration mode, create the DHCP pool, configure the network and default gateway, exclude addresses, enable DHCP relay on the required interface, and verify.
Why wrong: This is the correct sequence: first enter global configuration mode, then create the DHCP pool with network and default gateway, exclude addresses to prevent conflicts, enable DHCP relay on the interface that needs to forward requests, and finally verify the configuration.
B
Enter global configuration mode, enable DHCP relay on the required interface, create the DHCP pool, configure the network and default gateway, exclude addresses, and verify.
This is incorrect because DHCP relay should be configured after the DHCP pool is created and addresses are excluded, not before. The relay configuration depends on the interface and the DHCP server address, which is independent of the pool, but the logical order is to set up the server first.
C
Enter global configuration mode, create the DHCP pool, enable DHCP relay on the required interface, configure the network and default gateway, exclude addresses, and verify.
This is incorrect because the network and default gateway must be configured within the DHCP pool before excluding addresses. The pool configuration includes the network and default gateway, and excluding addresses is part of the pool configuration.
D
Enter global configuration mode, exclude addresses, create the DHCP pool, configure the network and default gateway, enable DHCP relay on the required interface, and verify.
Correct order: exclusions first to protect reserved addresses, then pool configuration, relay agent, and verification.
A switch is configured with DHCP snooping and Dynamic ARP Inspection. Hosts suddenly lose connectivity after changing IP settings manually. Which explanation is strongest?
A
DAI is rejecting ARP traffic because the manual IP change does not match trusted snooping bindings.
This is correct because DAI validates ARP against trusted information, often sourced from DHCP snooping.
B
STP is blocking the host because its MAC address changed.
Why wrong: This is wrong because STP does not block hosts for changing IP settings.
C
OSPF authentication failed on the access port.
Why wrong: This is wrong because OSPF is not the issue in a host ARP validation scenario.
D
The switch requires PPP authentication before allowing ARP traffic.
Why wrong: This is wrong because PPP authentication is unrelated to switched ARP inspection.
Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a different subnet.
A
Configure the 'ip helper-address' command on the interface facing the client subnet.
This is correct because the 'ip helper-address' command enables DHCP relay on the router interface, forwarding DHCP broadcasts to the DHCP server.
B
Verify DHCP relay operation using 'show ip interface' and 'show ip dhcp relay'.
Passive show commands that confirm the relay configuration and operation after the DORA process completes.
C
Trigger the DORA process on the client by releasing and renewing the IP address.
This is incorrect because triggering the DORA process should occur after the relay is configured and verified, not before. The order should be: configure relay, verify, then trigger DORA.
D
Use 'debug ip dhcp relay' to observe the DORA packets being forwarded.
This is incorrect because debugging should be the last step after triggering DORA, not before. The correct order is: configure, verify, trigger, then debug.
A client connects to an employee WLAN using 802.1X authentication. The authentication process completes successfully, but the client fails to obtain an IP address via DHCP. What is the most likely cause?
A
The client is being placed into the wrong policy or VLAN after successful authentication.
Post‑authentication VLAN assignment via RADIUS attributes can override the default interface VLAN. If the assigned VLAN has no DHCP server, the client cannot obtain an address.
B
The WLAN is configured with the wrong SSID, which prevents DHCP packets from being forwarded.
Why wrong: This is wrong because the symptom is wrong network placement after successful assignment, not just a mask typo.
C
The client has a static IP address manually configured, causing a DHCP conflict.
Why wrong: This is wrong because STP root guard is not the primary clue in WLAN client-to-subnet placement.
D
The access point is configured with an incorrect default gateway, preventing DHCP relay.
Why wrong: This is wrong because client WLAN access does not depend on host-side BGP configuration.
A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?
Exhibit
interface vlan 30
 ip address 10.30.30.1 255.255.255.0
 no shutdown
DHCP server: 10.99.99.20
A
ip directed-broadcast
Why wrong: That is unrelated and not used for DHCP relay.
B
ip helper-address 10.99.99.20
The helper address forwards DHCP broadcasts as unicast to the server.
C
service dhcp-server 10.99.99.20
Why wrong: That is not the Cisco IOS interface command for relay.
D
default-router 10.99.99.20
Why wrong: That is a DHCP pool parameter, not an SVI relay command.
You are connected to R1 via the console. R1 is the DHCP server for the 192.168.50.0/24 LAN. Configure DHCP on R1 to assign addresses from 192.168.50.10 to 192.168.50.200, with default gateway 192.168.50.1 and DNS server 8.8.8.8. Also, configure R1 to act as a DHCP relay agent for the 10.0.0.0/30 link to reach a remote DHCP server at 203.0.113.10. Then, troubleshoot and fix a misconfiguration that causes clients on VLAN 50 to not receive IP addresses.
Exhibit
R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp pool LAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 203.0.113.10
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
A
[CORRECT] The DHCP pool is misconfigured: the excluded-address range covers most of the pool (192.168.50.1 through 192.168.50.200), but leaves 192.168.50.201-254 assignable, violating the requirement. The correct configuration should exclude 192.168.50.1-9 (gateway) and 192.168.50.201-254 (upper end). The 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed. The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1.
In the DHCP pool, nearly all addresses are excluded, but the upper range .201-.254 remains available and must be explicitly excluded to meet the assignment requirement. The helper-address on G0/0 is redundant because R1 is the server for that subnet, and G0/1 lacks the required helper-address to forward requests from the 10.0.0.0/30 link.
B
The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9, but the helper-address on GigabitEthernet0/0 is correct because it forwards DHCP requests to the remote server. The relay agent configuration is missing on GigabitEthernet0/1.
Why wrong: This is incorrect because the helper-address on GigabitEthernet0/0 is not needed; R1 is the DHCP server for that subnet, so broadcasts should not be forwarded elsewhere. Adding a helper-address would cause DHCP requests to be forwarded to the remote server unnecessarily.
C
The DHCP pool is correctly configured with excluded-address 192.168.50.1 192.168.50.9. The issue is that the 'ip helper-address' on GigabitEthernet0/1 is missing; it should be added to forward requests to the remote server. Additionally, the 'ip helper-address' on GigabitEthernet0/0 is correct because it forwards requests from VLAN 50 to the remote server.
Why wrong: This is incorrect because the excluded-address range is correct, but the helper-address on GigabitEthernet0/0 is still unnecessary and should be removed. The problem statement says clients on VLAN 50 are not receiving addresses, which is due to the excluded-address covering the entire pool, not the helper-address on G0/0.
D
The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9. The 'ip helper-address' on GigabitEthernet0/0 should be removed. The relay agent configuration is correct because 'ip helper-address 203.0.113.10' is already configured on GigabitEthernet0/1.
Why wrong: This is incorrect because the relay agent configuration is missing; the helper-address on GigabitEthernet0/1 is not present. The option claims it is already configured, but the problem states that the relay agent configuration is missing.
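The exclusion problem in this exhibit can be checked mechanically. The following is an added example, not part of the original question bank: it models a pool as the usable hosts of the `network` statement minus the `ip dhcp excluded-address` ranges (an assumption of the model) and reports what leaks outside or is blocked inside the required range. The function names are illustrative.

```python
from ipaddress import ip_address, ip_network


def to_ranges(addrs):
    """Collapse an ordered address list into contiguous (first, last) pairs."""
    ranges = []
    for a in addrs:
        if ranges and int(a) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = a
        else:
            ranges.append([a, a])
    return [(str(first), str(last)) for first, last in ranges]


def leasable(network, exclusions):
    """Usable hosts of the pool network that no exclusion range covers."""
    excluded = set()
    for first, last in exclusions:
        excluded.update(range(int(ip_address(first)), int(ip_address(last)) + 1))
    return [h for h in ip_network(network).hosts() if int(h) not in excluded]


def audit(network, exclusions, want_first, want_last):
    """Compare what the pool can lease with the range it is required to lease."""
    lo, hi = int(ip_address(want_first)), int(ip_address(want_last))
    hosts = list(ip_network(network).hosts())
    pool = leasable(network, exclusions)
    pool_set = set(pool)
    return {
        # Addresses the server would hand out although they are outside the requirement.
        "leaked": to_ranges([h for h in pool if not lo <= int(h) <= hi]),
        # Required addresses that can never be leased because they are excluded.
        "blocked": to_ranges([h for h in hosts if lo <= int(h) <= hi and h not in pool_set]),
        # Exclusion statements that would make the pool match the requirement exactly.
        "required_exclusions": to_ranges([h for h in hosts if not lo <= int(h) <= hi]),
    }


# Values taken from the exhibit and the task statement above.
EXHIBIT = audit(
    "192.168.50.0/24",
    [("192.168.50.1", "192.168.50.200")],
    "192.168.50.10",
    "192.168.50.200",
)

if __name__ == "__main__":
    for key, value in EXHIBIT.items():
        print(key, value)
```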
A network administrator has configured a switch port to support a VoIP phone and a desktop PC. Users report that the desktop PC cannot obtain an IP address via DHCP, while the VoIP phone registers successfully. The switch port is up/up, and the desktop is connected to the phone's PC port. What is the most likely cause of the issue?
Exhibit
interface GigabitEthernet1/0/24
 description VoIP and Desktop
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
A
The switchport mode access should be changed to switchport mode trunk to allow both vlans.
Why wrong: Changing to trunk mode would require the phone to tag traffic, which might not be supported and could cause further issues.
B
The switchport access vlan should be changed to the data VLAN to match the subnet expected by the desktop.
With the phone's PC port forwarding the switch's access VLAN, correcting the access VLAN to the data VLAN ensures the desktop receives a DHCP offer from the data subnet.
C
The switchport voice vlan should be removed because the desktop cannot use it.
Why wrong: Removing the voice vlan would prevent the VoIP phone from registering, as it needs a dedicated voice vlan.
D
The spanning-tree portfast should be disabled to prevent DHCP delays.
Why wrong: Portfast actually helps speed up DHCP by immediately transitioning the port to forwarding state. Disabling it would cause delays, not resolve the IP assignment failure.
Drag and drop the following steps into the correct order to configure a new WLAN on a Cisco WLC using IOS-XE CLI, including WPA3-Personal security, and to complete a wireless client association with DHCP.
A
Enter global configuration mode, create WLAN profile, configure WPA3-Personal (SAE) security, enable WLAN, client associates, client obtains IP via DHCP.
This is the correct order per Cisco IOS-XE WLC CLI: first enter global config, create the WLAN profile, set security (WPA3-Personal/SAE), enable the WLAN, then the client associates and gets an IP via DHCP.
B
Enter global configuration mode, create WLAN profile, enable WLAN, configure WPA3-Personal (SAE) security, client associates, client obtains IP via DHCP.
Why wrong: This is incorrect because security must be configured before enabling the WLAN; enabling a WLAN without security first can leave it open temporarily.
C
Enter global configuration mode, configure WPA3-Personal (SAE) security, create WLAN profile, enable WLAN, client associates, client obtains IP via DHCP.
Why wrong: This is incorrect because the WLAN profile must be created before security can be applied to it; security parameters are part of the WLAN profile configuration.
D
Enter global configuration mode, create WLAN profile, configure WPA3-Personal (SAE) security, enable WLAN, client obtains IP via DHCP, client associates.
Why wrong: This is incorrect because the client must associate with the WLAN before obtaining an IP via DHCP; DHCP occurs after association.
You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.
Exhibit
R1# show running-config | section dhcp
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
SW1# show running-config | section interface
interface GigabitEthernet0/1
 description uplink to R1
 ip address 10.0.0.2 255.255.255.252
 ip helper-address 10.0.0.1
!
interface VLAN50
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/5
 description rogue server
 switchport mode access
 switchport access vlan 50
!
SW1# show ip dhcp snooping
Switch DHCP snooping is disabled
DHCP snooping is configured on the following VLANs:
none
DHCP snooping trust/untrusted ports:
Trusted ports:
Untrusted ports:
A
Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, correct the excluded range on R1 to 192.168.50.1-192.168.50.20, and change the helper-address on SW1's G0/1 to 192.168.50.1.
This option correctly addresses all issues: DHCP snooping blocks rogue DHCP servers, trusting the uplink allows legitimate DHCP offers, fixing the excluded range ensures hosts get addresses, and correcting the helper-address ensures DHCP requests reach the correct server.
B
Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 10.0.0.1.
Why wrong: This is incorrect because the helper-address should point to the DHCP server's IP (192.168.50.1), not the point-to-point link address (10.0.0.1). Also, it does not fix the excluded range issue.
C
Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and correct the excluded range on R1 to 192.168.50.1-192.168.50.20.
Why wrong: This is incorrect because it does not address the wrong helper-address on SW1. Without correcting the helper-address, DHCP requests from hosts will not reach the correct server.
D
Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 192.168.50.1.
Why wrong: This is incorrect because it does not fix the excluded range on R1. The excluded range is too large (excluding all addresses), so hosts cannot obtain any IP address from the legitimate server.
Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.
Drag and drop the following steps into the correct order to configure a Layer 3 switch to perform DHCP relay agent and DHCP snooping for a remote DHCP server.
Drag and drop the following steps into the correct order to configure a Cisco switch as a DHCP relay agent with DHCP snooping, where the DHCP server is located on a remote router.
Which TWO actions does DHCP snooping perform by default on a Cisco switch?
A
It blocks DHCP server messages received on untrusted ports.
DHCP snooping classifies ports as trusted or untrusted. Untrusted ports are not permitted to send DHCP server-side messages (e.g., DHCPOFFER, DHCPACK), thereby preventing rogue DHCP servers.
B
It generates a Cisco Discovery Protocol packet for each DHCP request.
Why wrong: DHCP snooping does not generate CDP packets. CDP is a separate Cisco-proprietary neighbor discovery protocol unrelated to DHCP.
C
It builds a DHCP binding table.
DHCP snooping dynamically creates a binding table that records the IP address, MAC address, VLAN, and interface associated with each successful DHCP lease.
D
It relays DHCP requests across VLANs.
Why wrong: Relaying DHCP requests across different subnets is the role of a DHCP relay agent, typically configured using the `ip helper-address` command on the gateway interface.
E
It converts DHCP broadcasts into unicasts.
Why wrong: The conversion of DHCP client broadcast messages (DISCOVER, REQUEST) into unicast packets is performed by a DHCP relay agent, not by DHCP snooping.
After configuring DHCP snooping on VLAN 10 to prevent rogue DHCP servers, all clients in the VLAN stop receiving DHCP offers from the legitimate DHCP server that is connected to port Gi0/1. The administrator verifies the DHCP server is operational and reachable. What should the technician do next?
A
Enable Dynamic ARP Inspection on VLAN 10.
Why wrong: Enabling DAI will not permit DHCP server replies because DAI validates ARP packets against the DHCP snooping binding table; it does not change the trust state of the DHCP server port. DHCP offers will still be blocked.
B
Configure interface Gi0/1 as a DHCP snooping trusted port.
DHCP snooping blocks DHCP server messages on untrusted ports. Since the legitimate server is on Gi0/1, trusting the port allows the switch to forward DHCP offers from that port, resolving the issue.
C
Add an ip helper-address on the VLAN 10 SVI pointing to the DHCP server.
Why wrong: An ip helper-address is used to forward DHCP broadcasts across IP subnets. Here, clients and server are in the same VLAN, so no forwarding is needed; the server's replies are simply being blocked by snooping.
D
Reconfigure the DHCP server scope to include DHCP Option 82.
Why wrong: DHCP Option 82 is inserted by relay agents, not by the server itself. Modifying the scope does not affect whether the switch drops DHCP offers due to snooping port trust.
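The snooping questions above (untrusted ports, the binding table, the trusted server port) and the earlier Dynamic ARP Inspection question all rest on the same decision logic. The following is an added example, not part of the original question bank and not Cisco code: a simplified model in which one trusted-port set serves both snooping and DAI (an assumption; on a real switch they are configured separately), with constructed port names, MAC and addresses.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass
class Switch:
    snooping_vlans: set
    trusted_ports: set = field(default_factory=set)
    client_port: dict = field(default_factory=dict)  # (vlan, mac) -> ingress port
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> (ip, port)

    def dhcp(self, port, vlan, msg, mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message arriving on `port`."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if msg in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                return "drop"  # server-side message on an untrusted port
            if msg == "ACK" and (vlan, mac) in self.client_port:
                # A completed lease becomes a binding: MAC, IP, VLAN, interface.
                self.bindings[(vlan, mac)] = (ip, self.client_port[(vlan, mac)])
            return "forward"
        self.client_port[(vlan, mac)] = port  # DISCOVER/REQUEST from a client
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP on an untrusted port must match a snooping binding."""
        if vlan not in self.snooping_vlans or port in self.trusted_ports:
            return "forward"
        match = self.bindings.get((vlan, sender_mac)) == (sender_ip, port)
        return "forward" if match else "drop"


def run_scenarios():
    """Constructed walk-through: host on Gi0/2, server on Gi0/1, rogue on Gi0/5."""
    sw = Switch(snooping_vlans={10})
    host = "aa:aa:aa:00:00:01"
    out = {}
    sw.dhcp("Gi0/2", 10, "DISCOVER", host)
    out["rogue_offer"] = sw.dhcp("Gi0/5", 10, "OFFER", host, "10.66.66.50")
    # Snooping enabled but the legitimate server port not yet trusted.
    out["server_offer_before_trust"] = sw.dhcp("Gi0/1", 10, "OFFER", host, "192.0.2.50")
    sw.trusted_ports.add("Gi0/1")
    out["server_offer_after_trust"] = sw.dhcp("Gi0/1", 10, "OFFER", host, "192.0.2.50")
    sw.dhcp("Gi0/2", 10, "REQUEST", host)
    sw.dhcp("Gi0/1", 10, "ACK", host, "192.0.2.50")
    out["binding"] = sw.bindings.get((10, host))
    out["arp_leased_ip"] = sw.arp("Gi0/2", 10, host, "192.0.2.50")
    # Host changes its IP manually: no binding matches, so DAI drops the ARP.
    out["arp_manual_ip"] = sw.arp("Gi0/2", 10, host, "192.0.2.99")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```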
These 200-301 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-301 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.