CCNA DHCP Questions

75 of 89 questions · Page 1/2 · DHCP topic · Answers revealed

1
Multi-Selectmedium

A router is configured as a DHCP server for VLAN 20. Clients on the VLAN can reach the default gateway, but they do not receive leases. Which two configuration issues on the router would directly prevent successful address assignment?

Select 2 answers
A.The excluded-address range removes the entire usable subnet
B.The DHCP pool is missing a dns-server statement
C.The subinterface lacks an ip helper-address
D.There are no available addresses left in the defined pool
AnswersA, D

Excluding 10.20.20.1 through 10.20.20.254 leaves nothing assignable for clients.

Why this answer

The router can serve DHCP locally without an ip helper-address. The real problem is that the excluded-address range consumes every usable host address, leaving the pool with no assignable leases.

Exam trap

A common exam trap is to incorrectly assume that missing optional DHCP parameters, such as the dns-server statement, or the absence of an ip helper-address on the subinterface, will prevent clients from receiving leases. Candidates may also overlook the impact of the excluded-address command consuming the entire subnet range, mistakenly thinking the router’s DHCP service is functioning correctly because clients can ping the gateway. The real issue is that no IP addresses remain available to assign, which is a subtle but critical configuration error that directly causes DHCP lease failures.

Why the other options are wrong

B

Incorrect because the dns-server statement is optional; its absence does not prevent the DHCP server from assigning IP addresses to clients.

C

Incorrect because the ip helper-address command is only necessary when forwarding DHCP requests across subnets, not when the router itself is the DHCP server on the VLAN.

2
Drag & Dropmedium

Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order requires the DHCP server to be configured first so it can respond to requests. Then the IP helper-address is configured on the default gateway interface for VLAN 10 to forward client broadcasts to the server. Next, DHCP snooping is enabled globally, followed by identifying the trusted port to the server (to allow DHCP replies), and then snooping is enabled on the client VLAN.

Finally, a client connection triggers a DHCP transaction that you can verify with the snooping binding table.

3
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an SSID on a WLC and complete a WPA3-Personal client association with DHCP address assignment.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is to first create the SSID profile, then configure WPA3-Personal security to ensure the WLAN is protected before it becomes active, then enable the SSID, set up the DHCP scope for address assignment, and finally allow the client to associate and obtain an IP address. Option A enables the SSID before setting security, exposing the network to unauthorized access during that window. Option B incorrectly starts with DHCP configuration before the SSID even exists.

Option D also enables the SSID before security, leading to the same vulnerability as option A. Only option C follows the secure configuration order recommended by Cisco.

Exam trap

A common mistake is enabling the WLAN before applying WPA3 security, but the recommended practice is to configure security first to prevent a temporary open SSID.

4
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to first exclude addresses to prevent the DHCP server from leasing reserved or gateway IPs, then create and configure the DHCP pool (network, default gateway), next enable DHCP relay on the required interface, and finally verify. Option D follows this Cisco best practice. Option A risks assigning excluded addresses because the pool is created before exclusions.

Options B and C place relay setup before the pool is fully configured, which is incorrect.

Exam trap

Candidates often mistakenly create the DHCP pool before excluding addresses, which can lead to the server leasing addresses intended to be reserved. Always configure exclusions first, then the pool, then relay, then verify.

5
MCQmedium

A junior network engineer is configuring a new Windows 10 workstation to connect to the corporate network. The network uses a /24 subnet mask and has a default gateway of 192.168.1.1. The workstation obtains its IP address automatically from a DHCP server, but the engineer needs to manually set a static IPv4 address of 192.168.1.50 and ensure the workstation can reach the internet. Which configuration step must the engineer take to satisfy these requirements?

A.Set the subnet mask to 255.255.0.0 and the default gateway to 192.168.1.1
B.Set the subnet mask to 255.255.255.0 and the default gateway to 192.168.1.1
C.Set the subnet mask to 255.255.255.0 and leave the default gateway blank
D.Set the subnet mask to 255.255.255.0 and the default gateway to 192.168.1.50
AnswerB

This is the correct configuration. The subnet mask 255.255.255.0 corresponds to a /24 prefix, which matches the network. The default gateway 192.168.1.1 is the router's IP on the same subnet, allowing the workstation to reach the internet.

Why this answer

Option B is correct because a /24 subnet mask (255.255.255.0) matches the network prefix of the default gateway 192.168.1.1, ensuring the workstation can route traffic to the internet via that gateway. Option A fails because a /16 mask (255.255.0.0) does not match the corporate /24 network, causing incorrect network identification and potential routing issues. Option C fails because leaving the default gateway blank means the host cannot reach any network beyond its local subnet, so internet access is impossible.

Option D fails because using the host's own IP (192.168.1.50) as the default gateway would cause the host to attempt to route traffic to itself, never reaching the actual gateway.

Exam trap

Cisco often tests the requirement that the default gateway must be on the same subnet as the host's IP address, and a common trap is to confuse the gateway address with the host's own IP or to use an incorrect subnet mask that still allows local communication but breaks routing.

Why the other options are wrong

A

Using a /16 subnet mask (255.255.0.0) does not match the corporate /24 network, leading to incorrect network identification and potential routing issues.

C

Leaving the default gateway blank prevents the host from reaching any network beyond its own subnet, so internet access is impossible.

D

Setting the default gateway to the host's own IP address (192.168.1.50) would cause traffic to be sent to itself, never reaching the actual gateway.

6
MCQhard

A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?

AnswerB

Correct. DAI directly targets ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets against trusted binding information learned through DHCP snooping, directly preventing IP-to-MAC spoofing. PortFast is used to speed up STP convergence and does not provide ARP security. EtherChannel aggregates multiple links for bandwidth and redundancy but does not inspect ARP traffic.

NetFlow is a traffic accounting and monitoring tool, not a security control for ARP spoofing. Therefore, DAI is the correct additional feature to address IP-to-MAC spoofing.

Exam trap

Don't confuse general security features with those specifically designed to prevent ARP spoofing.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions a port to forwarding state, bypassing listening and learning states. It does not perform any validation of ARP packets or prevent IP-to-MAC spoofing attacks.

C

EtherChannel is a link aggregation technology that combines multiple physical links into a single logical link to increase bandwidth and provide redundancy. It does not inspect or validate ARP packets, so it cannot prevent IP-to-MAC spoofing.

D

NetFlow is a network monitoring protocol that collects IP traffic statistics for analysis and troubleshooting. It provides visibility into traffic patterns but does not actively block or validate ARP packets, so it cannot prevent spoofing attacks.

7
MCQhard

A client PC is receiving an APIPA address (169.254.x.x) instead of a valid IP from the DHCP server. The DHCP server is on the same subnet as the client. The technician runs the command 'show ip dhcp binding' and confirms that the correct scope is configured. The command 'show ip dhcp pool' shows that there are plenty of addresses remaining in the pool. The client's NIC status shows 'connected'. What should the technician do next?

A.Check the DHCP snooping configuration on the access switch.
B.Verify that no firewall is blocking UDP ports 67 and 68 on the local network.
C.Run the ipconfig /release and /renew commands on the client.
D.Check for a rogue DHCP server on the network.
AnswerD

Given that the legitimate DHCP server is reachable, has a correct scope, and addresses are available, the most probable reason for persistent APIPA assignment is interference from an unauthorized DHCP server. A rogue server could be responding to DHCP Discover messages, preventing the client from obtaining a proper lease. The technician should use tools like packet captures or DHCP logs to detect any other DHCP Offer messages.

Why this answer

When a client on the same subnet as the DHCP server still receives an APIPA address, the problem is often that the client's DHCP Discover broadcasts are not reaching the legitimate DHCP server or the server's offers are not reaching the client. Since the technician has already verified the DHCP server configuration (scope exists, addresses available) and the client's physical connectivity (NIC connected), the most logical next step is to check for a rogue DHCP server. A rogue server can intercept DHCP Discover messages and respond with invalid or malicious offers, causing the client to disregard legitimate offers, or it might respond with offers that conflict and confuse the client.

This addresses the DHCP application layer (Layer 7) and ensures that only the authorized server is responding. Identifying a rogue server can be done via packet capture or by inspecting DHCP lease database inconsistencies.

Exam trap

Many candidates choose to run 'ipconfig /release' and 'ipconfig /renew' (Option C) as a first step, but doing so does not identify the root cause and can waste time if a rogue server is present. The APIPA assignment is a symptom, not a lease renewal issue, and the DHCP server has already been confirmed operational.

Why the other options are wrong

A

Candidates often jump to switch security features when they see DHCP issues, but without evidence of a switch misconfiguration, it is not the most direct next action.

B

Test-takers often consider firewalls as universal blockers, forgetting that in a flat Layer 2 domain, broadcast traffic such as DHCP Discover is not filtered by a firewall.

C

Candidates prefer simple client-side fixes, but CCNA troubleshooting emphasises identifying root causes before applying band-aid solutions.

8
Multi-Selectmedium

Which TWO commands would a network administrator use to verify that a client has received a valid IP address from a DHCP server and can resolve domain names to IP addresses?

Select 2 answers
A.ipconfig /all
B.ping 127.0.0.1
C.tracert 8.8.8.8
D.nslookup www.courseiva.com
E.arp -a
AnswersA, D

Displays full TCP/IP configuration, confirming DHCP-assigned IP address, subnet mask, gateway, and DNS servers.

Why this answer

Option A (ipconfig /all) is correct because it displays the full TCP/IP configuration for all network adapters, including whether DHCP is enabled, the assigned IP address, subnet mask, default gateway, and the DHCP server address. This allows the administrator to confirm that the client received a valid IP address from the DHCP server. Option D (nslookup www.courseiva.com) is correct because it queries the configured DNS server to resolve the domain name to an IP address, verifying that name resolution is working.

Option B (ping 127.0.0.1) only tests the local TCP/IP stack and does not verify DHCP assignment or DNS resolution. Option C (tracert 8.8.8.8) uses an IP address directly and does not test domain-name resolution. Option E (arp -a) displays the ARP cache, which is unrelated to DHCP or DNS.

Exam trap

Cisco often tests the distinction between verifying local IP stack functionality (ping 127.0.0.1) versus verifying DHCP address assignment and DNS resolution, leading candidates to mistakenly choose loopback or traceroute commands that do not validate the specific requirements.

Why the other options are wrong

B

ping 127.0.0.1 only tests the local TCP/IP stack and does not verify DHCP address assignment or DNS resolution.

C

tracert 8.8.8.8 uses an IP address directly and does not test domain-name resolution.

E

arp -a displays the ARP cache, which is unrelated to DHCP or DNS.

9
PBQhard

You are troubleshooting a connectivity issue for a remote worker who reports being unable to access the internet. The worker's PC is connected to switch S1, which is connected to router R1. You have console access to R1. The router's interface G0/0 is configured with IP 192.168.1.1/24, and the DHCP pool 'LAN' currently has network 192.168.1.0 255.255.255.0 and default-router 192.168.1.254. The PC has obtained an IP address of 192.168.1.100 from DHCP and a subnet mask of 255.255.255.0, but cannot ping 8.8.8.8. Identify the fault and configure R1 to restore internet access for the PC.

Network Topology
G0/0192.168.1.1/24G0/0192.168.1.1/24PCS1R1internet

Hints

  • Check the default-router value in the DHCP pool against the router's interface IP.
  • The PC's APIPA address indicates DHCP failure — review the DHCP configuration.
  • Ensure the router's interface IP matches the gateway offered by DHCP.
A.Change the default-router in the DHCP pool 'LAN' to 192.168.1.1
B.Change the network statement in the DHCP pool 'LAN' to 192.168.1.0 255.255.255.0
C.Add the command 'ip helper-address 192.168.1.254' on interface G0/0
D.Change the IP address of interface G0/0 to 192.168.1.254/24
AnswerA
solution
! R1
conf t
ip dhcp pool LAN
default-router 192.168.1.1
end

Why this answer

The PC received a valid IP address from DHCP, proving the DHCP server is reachable and the network statement is correct. However, the pool’s default-router is set to 192.168.1.254, while the actual interface IP (the real gateway) is 192.168.1.1. The PC therefore uses an incorrect default gateway, blocking internet access.

Changing the default-router to 192.168.1.1 fixes the gateway mismatch. Option B is wrong because the network statement already matches the subnet. Option C is unnecessary since no helper address is needed for a DHCP server on the same subnet.

Option D would change the router’s IP to 192.168.1.254, creating further misalignment and breaking connectivity.

Exam trap

Do not assume that any connectivity issue is caused by a DHCP server failure; always compare the default-router entry in the DHCP pool with the actual interface IP before altering network statements or adding helper addresses.

Why the other options are wrong

B

The network statement is already correct; changing it does not resolve the incorrect default gateway.

C

No helper address is needed because the DHCP server (the router itself) is on the same subnet as the PC.

D

Setting the interface IP to 192.168.1.254 would create an address mismatch with the DHCP pool’s gateway and break the subnet.

10
PBQmedium

You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.

Network Topology
G0/0.10192.168.10.1/24trunkR1SW1

Hints

  • Use 'ip dhcp excluded-address' to reserve addresses.
  • Create DHCP pools with 'network', 'default-router', and 'dns-server'.
  • Lease time is in days; use 'lease 1' for 1 day.
A.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1
B.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 /24 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 0 0 ip dhcp pool VLAN20 network 192.168.20.0 /24 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1 0 0
C.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
D.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
lease 1
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
lease 1

Why this answer

Option A correctly uses `lease 1` for a 1-day lease, dotted decimal subnet masks, and proper DHCP pool settings. Option B incorrectly uses CIDR notation `/24` in the network command, which IOS does not accept. Option C uses `lease 24`, which is interpreted as 24 days, not 1 day.

Option D also incorrectly uses `lease 24`, resulting in a 24-day lease instead of the required 1-day lease.

Exam trap

Be careful with the lease command: the default unit is days, not hours. Also, remember that the network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR prefix length. Excluded addresses are configured globally, not within the pool.

Why the other options are wrong

B

The network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR notation like /24.

C

The lease command uses days as its unit; `lease 24` sets a 24-day lease, not the required 1 day.

D

The lease command sets duration in days, so `lease 24` gives a 24-day lease instead of a 1-day lease.

11
MCQmedium

A client on VLAN 20 must obtain an IPv4 lease from a DHCP server located on VLAN 100. Which feature is required on the Layer 3 interface for VLAN 20?

A.NAT overload
B.DHCP relay
D.Private VLAN
AnswerB

Correct. The SVI or routed interface needs DHCP relay.

Why this answer

A DHCP relay agent forwards client broadcasts as unicast to the remote server, typically using ip helper-address.

Exam trap

A common exam trap is selecting NAT overload or port security as the required feature for DHCP communication across VLANs. NAT overload is used for IP address translation and does not forward DHCP broadcasts, while port security restricts MAC addresses on switch ports but does not relay DHCP messages. Another trap is confusing private VLANs with DHCP relay; private VLANs isolate Layer 2 domains but do not forward DHCP requests between VLANs.

The key is understanding that DHCP relay is the only feature that forwards DHCP broadcasts as unicast messages across Layer 3 boundaries, enabling clients on VLAN 20 to obtain leases from a DHCP server on VLAN 100.

Why the other options are wrong

A

NAT overload translates private IP addresses to a public IP for outbound traffic but does not forward DHCP broadcasts between VLANs. It is unrelated to DHCP relay functionality required for inter-VLAN DHCP communication.

C

Port security restricts which MAC addresses can connect to a switch port but does not forward DHCP broadcasts or relay DHCP messages between VLANs, so it cannot enable DHCP communication across VLANs.

D

Private VLANs isolate devices within a VLAN for security purposes but do not provide DHCP relay capabilities or forward DHCP requests between VLANs, making this option incorrect.

12
MCQhard

PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?

A.ip dhcp excluded-address 10.40.40.1 10.40.40.10
B.ip helper-address 172.16.1.10
C.service dhcp
D.ip default-gateway 172.16.1.10
AnswerB

Correct choice.

Why this answer

When DHCP clients and the DHCP server are on different subnets, the router interface serving the client subnet must relay broadcasts to the server with the ip helper-address command.

Exam trap

Ensure you understand the difference between DHCP relay and DHCP security features like snooping, as well as local DHCP server configuration.

Why the other options are wrong

A

The 'ip dhcp excluded-address' command is used on a DHCP server to prevent certain addresses from being assigned, not on a router interface to forward DHCP requests. This command would not help clients in VLAN 40 reach the centralized DHCP server.

C

The 'service dhcp' command globally enables the DHCP server or relay agent on a Cisco device, but it does not specify where to forward requests. Without the 'ip helper-address' command, DHCP broadcasts will not be forwarded to the server.

D

The 'ip default-gateway' command is used on a switch to set a default gateway for management purposes, not to forward DHCP broadcasts. It does not provide DHCP relay functionality.

13
MCQhard

A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped. What is the best fix?

A.Disable DAI on all VLANs globally.
B.Configure a static ARP inspection entry or ARP ACL for the printer.
C.Trust the user-facing printer access port for DHCP snooping and DAI.
D.Change the printer to use a larger MTU.
AnswerB

Correct. Static devices need a trusted binding source.

Why this answer

DAI relies on trusted bindings. Static-IP devices that are not learned through DHCP often require a static ARP ACL or equivalent trusted binding mechanism.

Exam trap

A common exam trap is to disable Dynamic ARP Inspection entirely or trust the user-facing access port to fix ARP packet drops from static IP devices. Disabling DAI weakens the network’s ARP spoofing protection, which is against best practices and exam expectations. Trusting access ports is too broad and can allow malicious ARP traffic, defeating the purpose of DAI.

The trap is that these options seem easier but compromise security, whereas the correct approach is to configure static ARP inspection entries or ARP ACLs for static IP devices to maintain security and functionality.

Why the other options are wrong

A

Disabling DAI on all VLANs globally removes ARP spoofing protection network-wide, which is excessive and reduces security unnecessarily. The question requires a targeted fix, so this option is incorrect.

C

Trusting the user-facing printer access port for DHCP snooping and DAI is too permissive and can allow malicious ARP packets, weakening security. It is not recommended as a best practice or exam answer.

D

Changing the printer to use a larger MTU does not affect ARP packet validation or DAI behavior. MTU size is unrelated to ARP inspection, so this option is irrelevant and incorrect.

14
Multi-Selectmedium

Which three of the following are characteristics of DHCP snooping? (Choose three.)

Select 3 answers
.It filters untrusted DHCP messages on trusted ports.
.It builds and maintains a DHCP snooping binding database.
.It prevents DHCP starvation attacks by rate-limiting DHCP messages.
.It allows DHCP server messages from untrusted ports if the source MAC matches.
.It can validate DHCP client MAC addresses against the source MAC in the Ethernet frame.
.It automatically enables IP source guard when configured globally.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database to track valid IP-to-MAC address assignments. It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, and it validates DHCP client MAC addresses against the source MAC in the Ethernet frame to prevent MAC spoofing. These three functions directly correspond to the correct answer options.

Exam trap

Cisco often tests the distinction between trusted and untrusted ports, leading candidates to incorrectly assume that DHCP snooping filters messages on trusted ports or allows server messages from untrusted ports under certain conditions.

15
Multi-Selectmedium

Which three statements are true about the operation of Dynamic Host Configuration Protocol (DHCP) in an enterprise network? (Choose three.)

Select 3 answers
.A DHCP client sends a DHCPDISCOVER message as a broadcast to locate a DHCP server.
.A DHCP server uses the client's MAC address to uniquely identify and assign an IP address.
.DHCP options, such as default gateway and DNS server, are included in DHCPOFFER and DHCPACK messages.
.A DHCP relay agent is required only if the client and server are on the same subnet.
.The DHCPREQUEST message is always sent as a unicast directly to the DHCP server.
.DHCP ensures that IP addresses are permanently assigned and never expire.

Why this answer

The DHCP client sends a DHCPDISCOVER message as a broadcast (destination IP 255.255.255.255) because it does not yet know the IP address of any DHCP server. The server uses the client's MAC address (from the CHADDR field) to uniquely identify the client and assign an IP address. DHCP options like default gateway and DNS server are carried in the DHCPOFFER and DHCPACK messages as part of the Options field, allowing the server to provide essential network configuration parameters.

Exam trap

Cisco often tests the misconception that DHCPREQUEST is always unicast, but in the initial DORA exchange, it is broadcast until the client receives an ACK and configures its IP; the trap here is confusing the renewal process with the initial lease acquisition.

16
Multi-Selectmedium

Which two statements accurately compare SLAAC and DHCPv6?

Select 2 answers
A.SLAAC allows a host to form its own address using information from router advertisements.
B.DHCPv6 can be used to provide host configuration in a more server-driven way.
C.SLAAC requires NAT to function.
D.DHCPv6 replaces the need for router advertisements completely.
E.Neither SLAAC nor DHCPv6 can provide any addressing information to hosts.
AnswersA, B

This is correct because SLAAC relies on router advertisements and local address formation.

Why this answer

SLAAC and DHCPv6 are both IPv6 host-configuration approaches, but they are not the same. In practical terms, SLAAC lets a host build its own address using router advertisements and the advertised prefix, while DHCPv6 can be used to provide addressing information or other configuration in a more server-driven way. Depending on design, IPv6 networks can use one, the other, or a mixture of behaviors.

The key is not to oversimplify. SLAAC is not “IPv6 DHCP,” and DHCPv6 is not the only way IPv6 hosts learn how to operate. Router advertisements remain very important.

Exam trap

Do not assume DHCPv6 is the only way to configure IPv6 addresses or settings; SLAAC also plays a crucial role.

Why the other options are wrong

C

SLAAC does not require NAT because IPv6 has a vast address space, eliminating the need for address translation. NAT is a workaround for IPv4 address exhaustion and is not used in native IPv6 networks. SLAAC relies on router advertisements to provide prefix information, and hosts generate their own addresses without any translation.

D

DHCPv6 does not replace router advertisements; in fact, router advertisements are still required for hosts to determine the default gateway and other network parameters. Even when DHCPv6 is used, hosts rely on RAs to learn the on-link prefix and to decide whether to use stateful or stateless configuration.

E

Both SLAAC and DHCPv6 can provide addressing information to hosts. SLAAC allows hosts to form their own addresses from prefix information in RAs, while DHCPv6 can assign addresses and other configuration parameters. Therefore, the statement that neither can provide addressing information is false.

17
Matchingeasy

Match each DHCPv4 message in the DORA process to its role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Client looks for DHCP servers

Server proposes an address and lease details

Client asks to use the offered address

Server confirms the lease

Why these pairings

The DORA process includes Discover (client broadcast), Offer (server response), Request (client accepts), and Ack (server confirms). Additional messages like NAK and Decline handle errors.

Exam trap

Do not confuse the order or roles of DHCP messages. Remember that the client initiates with Discover, then the server Offers, the client Requests, and the server Acknowledges. The mnemonic DORA helps: Discover, Offer, Request, Ack.

18
MCQhard

A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?

A.The DHCP server is on a different subnet and the relay address is incorrect.
B.DHCP snooping is blocking the relay agent because the relay interface is not trusted.
C.The DHCP server is unreachable from the router.
D.The ip helper-address command is missing from the VLAN 200 interface.
AnswerB

The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.

Why this answer

The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped.

Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place.

Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.

Exam trap

Cisco often tests the misconception that a correctly configured DHCP relay alone guarantees DHCP operation, ignoring that DHCP snooping can silently drop relayed messages if the relay interface is not trusted.

Why the other options are wrong

A

The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100. The issue is not with the relay address being incorrect.

C

The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct. The server is not unreachable.

D

The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface. The command is present.

19
PBQmedium

You are connected to R1 via the console. R1 is a router that needs to provide DHCP services for hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The DHCP server is located on VLAN 10 at 192.168.10.100, but hosts on VLAN 20 cannot reach it directly. Configure R1 to forward DHCP broadcasts from VLAN 20 to the DHCP server.

Network Topology
G0/0.10192.168.10.1/24G0/0.20192.168.20.1/24DHCP ServerVLAN 10R1VLAN 20Hosts

Hints

  • The helper address should be placed on the interface that receives the DHCP broadcast.
  • The helper address is the server's IP address.
  • Only one command is needed.
A.interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip helper-address 192.168.10.100
B.interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip helper-address 192.168.10.100
C.interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip dhcp relay information option
D.ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1
AnswerA
solution
! R1
interface GigabitEthernet0/0.20
ip helper-address 192.168.10.100

Why this answer

The ip helper-address command enables the router to forward UDP broadcasts (including DHCP) to a specific server. Placing it on the VLAN 20 subinterface ensures that DHCP requests from VLAN 20 are unicast to the server on VLAN 10.

Exam trap

The key trap is placing the ip helper-address on the wrong interface. Remember: the helper-address must be on the interface that receives the client's broadcast, not on the server's interface. Also, do not confuse ip helper-address with DHCP server configuration or relay option commands.

Why the other options are wrong

B

The ip helper-address must be configured on the interface that receives the client broadcasts (VLAN 20), not the server's VLAN.

C

This command enables relay agent information insertion, not the actual forwarding of DHCP packets to a server.

D

The question states the DHCP server is at 192.168.10.100, so R1 should relay, not serve.

20
Multi-Selectmedium

Which three of the following are functions of the Dynamic Host Configuration Protocol (DHCP) in a network? (Choose three.)

Select 3 answers
.Assigning IP addresses to hosts automatically from a defined pool.
.Providing the default gateway and DNS server information to clients.
.Leasing IP addresses for a configurable period of time.
.Resolving domain names to IP addresses for client devices.
.Authenticating users before granting network access.
.Translating private IP addresses to public IP addresses for internet access.

Why this answer

DHCP automates IP address assignment from a defined pool, eliminating manual configuration. It also provides essential network parameters like the default gateway and DNS server via DHCP options (e.g., Option 3 for router, Option 6 for DNS). Additionally, DHCP leases IP addresses for a configurable period, after which the client must renew the lease to continue using the address.

Exam trap

Cisco often tests the distinction between DHCP providing DNS server information (correct) and DHCP performing DNS resolution (incorrect), as candidates confuse the roles of DHCP and DNS.

21
Multi-Selectmedium

Which TWO statements correctly describe the operation of the ip helper-address command in a DHCP relay agent configuration?

Select 2 answers
A.It forwards DHCPDISCOVER broadcasts from a client to a DHCP server on a different subnet.
B.It is configured on the DHCP server interface to allow replies to reach clients on remote subnets.
C.It automatically forwards all UDP broadcasts by default.
D.It sets the gateway IP address (giaddr) field in the DHCP packet to the relay agent's IP address.
E.It prevents DHCP spoofing by validating the source MAC address of DHCP packets.
AnswersA, D

The relay agent listens for DHCP broadcasts on one interface and forwards them as unicasts to the configured server IP.

Why this answer

Option A is correct because the `ip helper-address` command is configured on the router interface facing the client, and it converts the client's DHCPDISCOVER broadcast into a unicast directed to the specified DHCP server, allowing the client to obtain an IP address from a server on a different subnet. Option D is also correct because the relay agent sets the giaddr (gateway IP address) field in the DHCP packet to its own interface IP address. This is how the DHCP server knows which subnet the client is on and can assign an appropriate IP address and return the reply.

Option B is incorrect because the command is configured on the interface facing the DHCP clients, not on the server-facing interface. Option C is incorrect because `ip helper-address` does not forward all UDP broadcasts; it only forwards broadcasts for specific UDP ports (DHCP, DNS, TFTP, etc.) by default, and this list can be modified. Option E is incorrect because the command does not perform any MAC address validation or spoofing protection; it simply relays DHCP messages.

Exam trap

Cisco often tests the misconception that `ip helper-address` forwards all UDP broadcasts, when in reality it only forwards specific UDP ports (default: 67, 68, 53, 69, 37, 137, 138, 161, 162) and can be customized with the `ip forward-protocol` command.

Why the other options are wrong

B

The `ip helper-address` command is configured on the client-facing interface, not the server-facing interface.

C

The command does not forward all UDP broadcasts; it only forwards specific UDP ports (DHCP, DNS, TFTP, etc.) by default.

E

The command does not validate source MAC addresses or prevent DHCP spoofing; it only relays DHCP messages.

22
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a different subnet.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First configure the ip helper-address on the client-facing interface (A). Then enable 'debug ip dhcp relay' (D) so forwarded packets are captured. Next trigger the DORA process by releasing/renewing the client IP address (C).

Finally verify with passive show commands (B). Debug must be active before the DORA exchange; enabling it afterward misses the output.

Exam trap

Candidates often enable debugging after triggering the DORA process, causing the debug output to show nothing. Always enable debug before the client action.

23
Multi-Selectmedium

Which TWO actions does DHCP snooping perform by default on a Cisco switch?

Select 2 answers
A.It blocks DHCP server messages received on untrusted ports.
B.It generates a Cisco Discovery Protocol packet for each DHCP request.
C.It builds a DHCP binding table.
D.It relays DHCP requests across VLANs.
E.It converts DHCP broadcasts into unicasts.
AnswersA, C

DHCP snooping classifies ports as trusted or untrusted. Untrusted ports are not permitted to send DHCP server-side messages (e.g., DHCPOFFER, DHCPACK), thereby preventing rogue DHCP servers.

Why this answer

DHCP snooping is a Layer 2 security feature that filters DHCP messages and builds a binding table. By default, it blocks DHCP server messages on untrusted ports and dynamically creates a binding table mapping IP addresses to MAC addresses. It does not relay requests across VLANs or convert broadcasts to unicasts (those are relay agent functions).

Why the other options are wrong

B

This statement incorrectly associates two separate features; DHCP snooping operates at Layer 2 for DHCP security, not for CDP.

D

This function belongs to the relay agent, not to DHCP snooping, which operates within a single VLAN to enforce security policies.

E

This is a relay agent feature; DHCP snooping does not alter the broadcast nature of DHCP packets, it only filters them.

24
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a DHCP issue where DHCP clients on the LAN subnet are sending DHCPDISCOVER messages but the DHCP server does not receive them. The output of the show ip dhcp binding command on R1 is shown. What is the most likely cause of the problem?

A.DHCP service is disabled on R1.
B.The ip helper-address command is configured on the WAN interface instead of the LAN interface facing the DHCP clients.
C.The DHCP pool is configured with a network address that does not match the client subnet.
D.The default-router option is missing from the DHCP pool configuration.
AnswerB

The show ip dhcp binding output shows zero bindings because the router is not relaying DHCP broadcasts. For a DHCP relay agent to work, the ip helper-address must be placed on the interface that receives client broadcasts (the LAN interface). Configuring it on the WAN interface sends relay messages toward the server in the wrong direction, so client DISCOVERs never reach the DHCP server.

Why this answer

The show ip dhcp binding output explicitly displays 'Total number of bindings = 0', confirming that no DHCP leases have been issued. Because the router is acting as a DHCP relay agent, this indicates it is not receiving any DHCPDISCOVER broadcasts from the clients. The most plausible reason is that the ip helper-address command is mistakenly placed on the WAN interface, which faces away from the client subnet, rather than on the LAN interface where the clients reside.

Without the helper address on the correct interface, broadcast DHCP messages are not forwarded to the DHCP server, resulting in zero bindings.

Exam trap

Many candidates select option C (incorrect network statement in the DHCP pool) because they assume a pool configuration error prevents any IP address assignment. However, even with a mismatched network statement, if the DHCP server received the DISCOVER messages it would still attempt to offer an address (and the binding table would show some activity or error). The true issue here is that the server never sees the requests because the relay agent is misconfigured.

Why the other options are wrong

A

Candidates may think that an empty binding table means the service is off, but the command itself would fail or show a service status if DHCP were truly disabled.

C

Candidates often associate 'no addresses assigned' with a pool misconfiguration, but a pool mismatch would not prevent the server from seeing DISCOVER messages and possibly creating failed or erroneous bindings.

D

Candidates may confuse a missing option with a complete failure of DHCP operation, but IP address leasing is independent of options like default-router.

25
MCQmedium

Which feature helps prevent a rogue DHCP server from handing out addresses on a campus switch network?

AnswerB

Correct. DHCP snooping is designed for this threat.

Why this answer

DHCP snooping classifies interfaces as trusted or untrusted and can block unauthorized DHCP server replies arriving on untrusted ports.

Exam trap

Avoid confusing PortFast (which skips STP convergence) with DHCP-specific features like DHCP Snooping.

Why the other options are wrong

A

PortFast is a Spanning Tree Protocol feature that immediately transitions an access port to the forwarding state, bypassing the listening and learning states. It does not inspect or validate DHCP messages, so it cannot prevent a rogue DHCP server from handing out addresses.

C

HSRP (Hot Standby Router Protocol) provides first-hop redundancy by allowing multiple routers to share a virtual IP address, ensuring gateway availability. It does not inspect DHCP traffic or provide any mechanism to block unauthorized DHCP servers.

D

LLDP (Link Layer Discovery Protocol) is a vendor-neutral protocol used for discovering neighboring devices and their capabilities by exchanging information such as device type, management addresses, and VLAN IDs. It has no role in DHCP security or filtering DHCP messages.

26
PBQhard

You are troubleshooting a PC connected to switch SW1. The PC cannot access the internet. SW1 is connected to router R1 via port G0/1. R1 provides default gateway and DHCP services. Analyze the provided show output and fix the connectivity issue so that the PC can ping 8.8.8.8. === Show output from R1 === <pre> R1# show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 unassigned YES manual administratively down down GigabitEthernet0/1 10.0.0.1 YES NVRAM up up </pre> === Show output from PC === <pre> C:\> ipconfig Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . : 169.254.123.45 Subnet Mask . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . : </pre> === Show output from SW1 === <pre> SW1# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1, Gi0/2, Gi0/3 </pre>

Network Topology
G0/1G0/2G0/1G0/0SW1PC1R1

Hints

  • Check if R1's interface connected to SW1 has an IP address.
  • The DHCP pool expects the default gateway to be on the same subnet as the clients.
  • APIPA address means the PC did not receive a DHCP offer.
A.Configure R1's interface G0/0 with IP address 192.168.1.1/24 and ensure the interface is not administratively down.
B.Change the VLAN on SW1's port G0/2 to VLAN 10 and configure R1's subinterface G0/0.10 with IP 192.168.1.1/24.
C.Enable DHCP snooping on SW1 and configure the port G0/2 as a trusted port.
D.Configure a static IP address of 192.168.1.10/24 on the PC with default gateway 192.168.1.1.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

Why this answer

The PC's APIPA address (169.254.x.x) indicates DHCP failure. The router's DHCP pool is correctly configured and has a lease, but the show output reveals that R1's interface G0/0 is administratively down and has no IP address. Without a working IP on G0/0, the router cannot serve DHCP or route traffic for VLAN 1, even though both the PC and the router are in the same VLAN.

Option A fixes the root cause by assigning the correct subnet IP and bringing the interface up. Option B is incorrect because moving the PC to a different VLAN or creating subinterfaces does nothing to enable the router's physical interface where DHCP and routing must run. Option C is wrong because DHCP snooping or trust configurations are irrelevant when the router's own interface is down/unaddressed.

Option D is a workaround that only masks the problem; the scenario requires a working DHCP service, and a static IP would not restore the intended design.

Exam trap

This question tests your ability to identify that a router interface must have an IP address in the client subnet for DHCP to work, even if the DHCP pool is correctly configured. Many candidates focus on VLANs or DHCP server settings but overlook the basic requirement of an IP address on the router interface.

Why the other options are wrong

B

Changing VLANs or using subinterfaces does not solve the problem because the router's physical interface must be up and have an IP address to serve the VLAN.

C

Enabling DHCP snooping or trust settings on the switch cannot fix a router interface that is administratively down and unassigned.

D

Assigning a static IP to the PC circumvents but does not resolve the root issue of the router's interface being down, and the scenario requires DHCP.

27
MCQhard

A switch is configured with DHCP snooping and Dynamic ARP Inspection. Hosts suddenly lose connectivity after changing IP settings manually. Which explanation is strongest?

A.DAI is rejecting ARP traffic because the manual IP change does not match trusted snooping bindings.
B.STP is blocking the host because its MAC address changed.
C.OSPF authentication failed on the access port.
D.The switch requires PPP authentication before allowing ARP traffic.
AnswerA

This is correct because DAI validates ARP against trusted information, often sourced from DHCP snooping.

Why this answer

The correct answer is A because DAI uses DHCP snooping binding to validate ARP messages; a manual IP change creates a mismatch, causing DAI to block ARP. Option B is incorrect because STP prevents loops and does not block based on MAC address changes. Option C is incorrect because OSPF authentication is a routing protocol feature irrelevant on an access port.

Option D is incorrect because PPP authentication applies to serial links, not Ethernet ARP.

Exam trap

Be cautious not to confuse DHCP snooping's role with DHCP server functionality or ARP cache operations.

Why the other options are wrong

B

STP (Spanning Tree Protocol) prevents loops in redundant topologies and does not block hosts based on IP or MAC address changes. It operates at Layer 2 and is unrelated to IP address configuration.

C

OSPF is a Layer 3 routing protocol used between routers, not on access ports connecting hosts. OSPF authentication is configured on router interfaces and does not apply to host ARP traffic on a switch.

D

PPP (Point-to-Point Protocol) authentication is used on serial links or PPPoE connections, not on Ethernet switch ports. It is unrelated to ARP inspection or DHCP snooping in a switched network.

28
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a VLAN 10 subnet and enable DHCP relay for a remote client on VLAN 20.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is to globally exclude IP addresses first, preventing the DHCP server from assigning reserved addresses. Then define the DHCP pool for VLAN 10 with network parameters, enable DHCP relay on the VLAN 20 interface so it forwards requests to the server, and finally verify the service is functioning. Options that place relay before pool or exclusions after pool misorder these essential configuration steps and deviate from recommended practice.

Exam trap

Many learners mistakenly think DHCP relay must be enabled before pool creation or that exclusions are a sub‑mode command inside the pool; in fact, exclusions are configured globally and should be defined before the pool to avoid accidental assignment of excluded IPs.

29
MCQhard

A network engineer has enabled DHCP snooping on a Catalyst switch to prevent rogue DHCP servers. All access ports in VLAN 10 are untrusted. A router attached to a trunk port on the switch acts as the default gateway for VLAN 10 and is configured with the ip helper-address 10.1.2.5, which points to a remote DHCP server. After enabling DHCP snooping, hosts in VLAN 10 cannot obtain IP addresses; packet captures show DHCPDISCOVER messages are sent, but no DHCPOFFER is received. What is the most likely cause?

A.The router's ip helper-address command is pointing to an incorrect DHCP server IP address.
B.The switch port connecting to the router is not configured as a trusted port for DHCP snooping.
C.The DHCP server is on a different subnet, so the switch needs a switched virtual interface (SVI) in VLAN 10 with an IP address for Layer 3 connectivity.
D.DHCP snooping is dropping DHCPDISCOVER messages because the client access ports are untrusted.
AnswerB

DHCP snooping trusts only designated ports to forward DHCP server messages. Since the router relays the DHCPOFFER onto the trunk port, an untrusted port will cause the switch to discard the offer, resulting in DHCP failure.

Why this answer

DHCP snooping treats all ports as untrusted by default. When a router acting as a DHCP relay is connected to an untrusted trunk port, the switch drops DHCPOFFER messages received from the router because they originate from an untrusted interface. Configuring the trunk port as trusted allows DHCP server responses (OFFER, ACK) to pass through to clients.

Exam trap

Cisco often tests the distinction that DHCP snooping blocks DHCP server messages (OFFER/ACK/NAK) on untrusted ports, not client messages (DISCOVER/REQUEST), leading candidates to incorrectly assume client messages are dropped.

Why the other options are wrong

A

This distractor exploits the common tendency to blame the helper address configuration first, overlooking the security feature that silently drops the returning DHCPOFFER.

C

This plays on the misconception that a switch requires an IP address on the client VLAN to facilitate DHCP, when in fact the router acting as the relay agent provides Layer 3 connectivity.

D

This misinterprets DHCP snooping behavior: it assumes all DHCP traffic is filtered on untrusted ports, overlooking the critical distinction that only server-side messages are blocked, not client requests.

30
PBQhard

You are troubleshooting a PC (PC-A) connected to switch SW1, which is connected to router R1. PC-A has an APIPA address (169.254.23.45) and cannot reach the internet (203.0.113.1). You confirm that R1 has a correctly configured DHCP pool for the 192.168.10.0/24 subnet, but the DHCP service is not enabled. The network uses VLAN 10 with subnet 192.168.10.0/24. Verify and correct the configuration on PC-A, SW1, and R1 to restore full connectivity.

Network Topology
G0/0/0192.168.10.1/24G0/0/0192.168.10.1/24203.0.113.1PC-ASW1R1Internet

Hints

  • Check if the DHCP server process is running on R1.
  • APIPA addresses (169.254.x.x) indicate DHCP failure.
  • The DHCP pool is configured but not yet active.
A.Enable the DHCP service on R1 with the 'service dhcp' command.
B.Configure a default gateway on PC-A with the IP address 192.168.10.1.
C.Change the VLAN on SW1's interface connected to PC-A from VLAN 10 to VLAN 1.
D.Add the 'ip helper-address' command on R1's interface connected to SW1.
AnswerA
solution
! R1
service dhcp

! SW1


! PC-A

Why this answer

The APIPA address (169.254.x.x) indicates that PC-A failed to obtain a DHCP lease. The correct solution is to enable the DHCP service on R1 with 'service dhcp', which is not running despite the configured pool. Option B is incorrect because setting a default gateway on PC-A with a static IP would still require a valid address in the subnet; the APIPA address cannot communicate with 192.168.10.1.

Option C is wrong because the PC-A interface on SW1 is correctly assigned to VLAN 10. Option D is unnecessary since R1 is directly connected to the same subnet, so 'ip helper-address' is only used to forward DHCP broadcasts across router boundaries.

Exam trap

Do not assume that configuring a DHCP pool is sufficient; the DHCP service must be explicitly enabled with 'service dhcp'. Also, remember that APIPA addresses indicate DHCP failure, not just a missing gateway.

Why the other options are wrong

B

The PC's APIPA address cannot reach the 192.168.10.1 gateway because it is not in the same subnet, so configuring a default gateway alone does not restore connectivity.

C

Changing the VLAN to VLAN 1 would isolate PC-A from the correct subnet (VLAN 10), breaking connectivity instead of fixing it.

D

The 'ip helper-address' command is used on interfaces that need to forward DHCP broadcasts to a remote DHCP server; here R1 itself is the DHCP server and is directly attached, so the command is not needed.

31
MCQhard

A client connects to an employee WLAN using 802.1X authentication. The authentication process completes successfully, but the client fails to obtain an IP address via DHCP. What is the most likely cause?

A.The client is being placed into the wrong policy or VLAN after successful authentication.
B.The WLAN is configured with the wrong SSID, which prevents DHCP packets from being forwarded.
C.The client has a static IP address manually configured, causing a DHCP conflict.
D.The access point is configured with an incorrect default gateway, preventing DHCP relay.
AnswerA

Post‑authentication VLAN assignment via RADIUS attributes can override the default interface VLAN. If the assigned VLAN has no DHCP server, the client cannot obtain an address.

Why this answer

Even after successful 802.1X authentication, the client may be assigned to the wrong VLAN or policy through RADIUS attributes (such as Tunnel-Type or Cisco AV-pair). If that VLAN lacks a DHCP server or correct subnet, the client will not receive an IP address. The other options describe issues that either prevent association entirely (wrong SSID) or are not typical causes in controller-based WLANs (static IP, AP gateway misconfiguration).

Exam trap

Cisco often tests the distinction between authentication success and post-authentication network access, leading candidates to focus on pre-authentication issues (like wrong PSK or RADIUS timeout) when the real problem is VLAN assignment or DHCP relay misconfiguration.

Why the other options are wrong

B

An incorrect SSID would prevent the client from associating to the WLAN at all, not allow authentication followed by DHCP failure.

C

A statically configured IP is less likely the strongest cause because the client would either not use DHCP or would obtain an APIPA address, and the issue is specifically about failing to obtain a correct address via DHCP.

D

The access point’s default gateway does not impact DHCP forwarding for client traffic; in controller-based deployments, DHCP packets are handled by the controller or bridged directly to the wired network.

32
MCQhard

A network technician is troubleshooting a DHCP relay issue. The router at the branch office is supposed to forward DHCP requests from local clients to a central DHCP server. Clients connected to Gi0/1 are not receiving IP addresses. The technician verifies that the DHCP server is reachable from the router, that no ACLs are blocking DHCP traffic, and that the DHCP scope on the server has available leases. Upon checking the running configuration, the technician notices that the ip helper-address command is applied to interface Gi0/0 (the WAN link toward the server) instead of Gi0/1. What should the technician do next?

A.Check the DHCP server logs for any error or warning messages related to the clients' requests.
B.Move the ip helper-address command from interface Gi0/0 to interface Gi0/1.
C.Issue the show ip interface brief command to ensure that interface Gi0/1 is in an up/up state.
D.Remove the ip helper-address from Gi0/0 and then reapply it to the same interface to ensure the command is active.
AnswerB

DHCP relay requires the helper address to be configured on the interface that faces the DHCP clients (the broadcast domain where clients send their DHCPDISCOVER messages). By moving the command to Gi0/1, the router will correctly intercept and forward client requests to the DHCP server.

Why this answer

The ip helper-address command must be configured on the interface that receives DHCP broadcasts from clients—in this case, Gi0/1, the LAN-facing interface. Placing it on the WAN interface (Gi0/0) means the router never sees the client broadcasts and therefore never relays them. Moving the command to Gi0/1 enables the router to intercept DHCP discoveries and forward them as unicast packets to the DHCP server.

This action directly addresses a common DHCP relay misconfiguration at the network services layer.

Exam trap

The most common incorrect next step is checking DHCP server logs (Option A). Candidates often assume the problem lies on the server side when clients fail to obtain addresses, overlooking the relay placement configuration on the router. Another trap is to reapply the helper address on the same WAN interface, hoping it will take effect.

Why the other options are wrong

A

This skips the obvious configuration mismatch and targets the wrong component. It assumes the issue is on the server side rather than the router's DHCP relay placement.

C

This action investigates Layer 1/2 status when the problem is already identified as a Layer 3 (DHCP relay) configuration error. It skips applying the fix and delays resolution.

D

Candidates might think the command simply didn't take effect and that reapplying it solves the problem, misunderstanding the directional requirement of DHCP relay placement.

33
MCQhard

A network engineer has implemented DHCP snooping on a Cisco switch to prevent unauthorized DHCP servers. The switch's VLAN 100 SVI is configured with ip helper-address to relay DHCP requests to a legitimate server in VLAN 200. Clients in VLAN 100 cannot obtain IP leases, even though the DHCP server is reachable from the switch and has available addresses.

A.The ip helper-address command has been incorrectly applied to VLAN 100 instead of VLAN 200.
B.The switch port that connects to the DHCP server's VLAN is not configured as a trusted DHCP snooping port.
C.DHCP snooping must be disabled globally because it conflicts with the configured DHCP relay agent.
D.The DHCP server lacks a valid default gateway, preventing replies from reaching the relay agent's SVI subnet.
AnswerB

DHCP snooping classifies ports as trusted or untrusted. Server-originated DHCP messages (Offer/ACK) are only allowed on trusted ports. The server's response comes from VLAN 200, so the interface facing that server must be trusted.

Why this answer

DHCP snooping treats all switch ports as untrusted by default, which blocks DHCP server messages (OFFER, ACK) from entering the switch. Even though the switch itself can reach the DHCP server, the relayed reply from the server arrives on a port that is not trusted, so DHCP snooping drops the packet before it can be forwarded to the client. Configuring the port connecting to the DHCP server as a trusted port allows the server's responses to pass through the switch, resolving the issue.

Exam trap

Cisco often tests the interaction between DHCP snooping and DHCP relay, where candidates mistakenly think the relay bypasses snooping or that the issue is with the helper-address configuration, rather than the untrusted port blocking the server's unicast reply.

Why the other options are wrong

A

Many engineers mistakenly think the helper should reside on the server VLAN; however, it must reside on the client-facing L3 interface.

C

A common misconception is that DHCP relay bypasses snooping, but snooping still inspects the server's unicast response and drops it unless the ingress port is trusted.

D

Candidates often suspect routing issues, but verified reachability eliminates this. The problem lies in the snooping policy, not IP connectivity.

34
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a local subnet and enable a DHCP relay agent on a different interface to forward client requests to that server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The DHCP server must be configured first on the local subnet, then the relay agent on the remote interface to forward requests; verification ensures both server and relay function correctly.

Exam trap

Do not confuse the order of configuration: the DHCP server must be configured first, then the relay agent. Verification should be performed after both are configured to test end-to-end functionality.

35
MCQhard

Refer to the exhibit. A network administrator notices that newly connected devices on the 192.168.1.0/24 subnet are failing to obtain IP addresses via DHCP and are instead assigning themselves APIPA addresses. The administrator issues the show ip dhcp pool command on the router and receives the output shown. What is the most likely cause of this issue?

A.DHCP snooping is blocking DHCP Offer messages on the VLAN.
B.The DHCP pool has an address conflict, causing all addresses to be marked as ineligible.
C.The lease time is set to 7 days, causing old devices to hold IP addresses long after disconnecting.
D.The pool's subnet mask is incorrectly configured as /24 instead of /25, limiting available addresses.
AnswerC

The 'Lease expiration' of 7 days combined with 'Current bindings: 253' reveals that the pool stays exhausted because leases take a week to expire, starving new clients of addresses.

Why this answer

The exhibit shows 'Current bindings: 253' out of 'Total addresses: 254', meaning only one free IP remains. 'Lease expiration' is 7 days, indicating that devices that have disconnected still hold their bindings for up to a week, preventing new clients from obtaining addresses. This explains the APIPA fallback.

Exam trap

Many candidates choose option A, suspecting DHCP snooping blocks Offer messages, but the exhibit contains no reference to snooping or blocked traffic—the straightforward cause is pool exhaustion due to a long lease time.

Why the other options are wrong

A

Candidates often prematurely blame security features when DHCP fails, ignoring the pool statistics right in front of them.

B

A common mistake is assuming that conflicts always fill up a pool, but the zero value directly disproves this.

D

Misunderstanding subnet sizing often leads candidates to blame the mask, but the exhibit confirms the mask is appropriate for the pool size.

36
MCQmedium

A router is configured as follows: interface g0/1 ip address 172.16.1.1 255.255.255.0 ip helper-address 10.20.20.10 Hosts on 172.16.1.0/24 are not receiving addresses from the DHCP server at 10.20.20.10. The server is reachable by ping from the router. What is the purpose of the ip helper-address command in this scenario?

A.It converts DHCP unicast replies into broadcasts on the client segment
B.It forwards certain UDP broadcasts, including DHCP requests, to a remote server
C.It provides DNS resolution for DHCP clients before they receive an address
D.It creates a static route to the DHCP server
AnswerB

Correct. This is correct. The command relays certain UDP broadcasts, including DHCP client requests, to a server on another subnet. That is why DHCP can work even when the server is not local to the client VLAN.

Why this answer

The ip helper-address command exists to solve a broadcast-boundary problem. DHCP clients begin by sending broadcast traffic because they do not yet have a valid IP configuration. Routers normally do not forward broadcasts between subnets, so if the DHCP server lives on a different network, the client request would stop at the router.

The helper-address function listens for that local broadcast and relays it as unicast traffic to the remote DHCP server. In plain language, it lets a client on one VLAN ask a DHCP server on another VLAN for an address. The command is not a routing statement and it is not a DNS feature.

It is a relay mechanism for broadcast-based UDP services such as DHCP.

Exam trap

A frequent exam trap is confusing the ip helper-address command as a feature that converts DHCP unicast replies into broadcasts on the client segment. In reality, the router forwards DHCP client broadcasts as unicast to the server, not the other way around. Another mistake is assuming the command creates static routes or provides DNS resolution, which it does not.

Misunderstanding these functions leads to incorrect troubleshooting and answer choices, especially when the DHCP server is reachable by ping but clients still fail to get addresses due to missing broadcast relay.

Why the other options are wrong

A

Option A incorrectly states that the ip helper-address converts DHCP unicast replies into broadcasts. The command actually relays client broadcast requests as unicast to the server, not the reverse. This reverses the direction of the relay function and misunderstands the broadcast boundary issue.

C

Option C incorrectly claims the command provides DNS resolution for DHCP clients before they receive an address. DNS resolution is unrelated to the ip helper-address function, which only relays UDP broadcasts like DHCP requests and does not perform name resolution.

D

Option D mistakenly suggests that the command creates a static route to the DHCP server. Routing and static routes are separate functions; the ip helper-address does not affect routing tables but only relays broadcast traffic as unicast.

37
MCQmedium

Which DHCP message does the client send to formally accept an offered address?

A.DISCOVER
B.OFFER
C.REQUEST
D.ACK
AnswerC

Correct. REQUEST is the client's acceptance step.

Why this answer

In the DORA process, the client sends DHCPREQUEST after receiving an offer. The server then responds with DHCPACK if the lease is granted.

Exam trap

Be careful not to confuse the direction of messages in the DHCP process. Remember which messages are client-initiated and which are server responses.

Why the other options are wrong

A

The DISCOVER message is used by the client to locate available DHCP servers, not to accept an offered address. It is the first step in the DORA process.

B

The OFFER message is sent by the DHCP server to propose an IP address to the client, not by the client to accept it. The client cannot send an OFFER.

D

The ACK message is sent by the DHCP server to confirm the lease after receiving the REQUEST, not by the client. The client does not send ACK.

38
PBQhard

You are connected to R1. Configure DHCP services so that hosts on VLAN 10 (192.168.10.0/24) can obtain IP addresses from R1. Additionally, configure the switch SW1 to prevent rogue DHCP server attacks on that VLAN. The current configuration has a misconfigured helper-address and an excluded-address range that is too broad.

Network Topology
G0/0.10192.168.10.1/24SW1R1Hosts

Hints

  • The helper-address should point to the DHCP server itself, not an external address.
  • The excluded-address range is too wide; leave room for hosts to get IPs.
  • On the switch, only the port connecting to the legitimate DHCP server should be trusted.
A.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as trusted.
B.On R1, change the helper-address to 192.168.10.255 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set all ports as trusted.
C.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.254. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
D.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
interface GigabitEthernet0/0.10
no ip helper-address 10.0.0.2
ip helper-address 192.168.10.1
end

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
ip dhcp snooping trust
interface GigabitEthernet0/2
no ip dhcp snooping limit rate 10
ip dhcp snooping limit rate 15
end

Why this answer

The helper-address on R1's subinterface points to 10.0.0.2 instead of the DHCP server's IP (R1 itself, which is the server). The excluded-address range excludes all addresses in the subnet, preventing any host from getting an IP. The fix: change helper-address to 192.168.10.1 (loopback or interface IP of R1), and narrow the excluded range to the first 10 addresses (or just the gateway).

On SW1, enable DHCP snooping globally and for VLAN 10, and mark the port facing R1 (G0/1) as trusted; other ports should be untrusted to block rogue servers.

Exam trap

Watch out for two common traps: (1) The helper-address must be the DHCP server's unicast IP, not a broadcast address. (2) DHCP snooping trusted ports are for server connections; untrusted ports are for clients. Misplacing these will break DHCP or security.

Why the other options are wrong

B

The helper-address must be a unicast IP address of the DHCP server, not a broadcast address. Additionally, only ports connected to legitimate DHCP servers should be trusted; all other ports must be untrusted to block rogue servers.

C

The excluded-address range should only reserve a few addresses (e.g., for the gateway and static assignments), not the entire subnet. The port connected to the DHCP server must be trusted to allow DHCP server messages; untrusted ports block such messages.

D

DHCP snooping requires that ports connected to legitimate DHCP servers be configured as trusted. Untrusted ports are for client-facing ports where rogue servers might appear; they drop DHCP server messages.

39
MCQhard

Which switch security feature uses DHCP snooping bindings to validate ARP packets and help stop ARP spoofing?

C.UDLD
D.HSRP preemption
AnswerB

Correct. DAI is designed to mitigate ARP spoofing.

Why this answer

Dynamic ARP Inspection compares ARP information to trusted bindings, often learned through DHCP snooping, to block forged ARP packets.

Exam trap

A common exam trap is selecting PortFast, UDLD, or HSRP preemption as the answer because these features are well-known switch security or stability mechanisms. However, PortFast only speeds up STP port transitions and does not inspect ARP packets. UDLD focuses on detecting unidirectional links and does not validate ARP traffic.

HSRP preemption deals with gateway redundancy and has no role in ARP security. The key to avoiding this trap is recognizing that only Dynamic ARP Inspection uses DHCP snooping bindings to validate ARP packets and stop ARP spoofing.

Why the other options are wrong

A

PortFast is a feature that allows switch ports to bypass the usual STP listening and learning states to quickly transition to forwarding. It does not perform any ARP packet validation or security checks, so it cannot prevent ARP spoofing.

C

UDLD (Unidirectional Link Detection) is designed to detect and disable unidirectional links between switches to prevent network loops or blackholes. It does not inspect or validate ARP packets and thus does not stop ARP spoofing.

D

HSRP preemption is a feature related to first-hop redundancy protocols that allows a higher priority router to take over as the active gateway. It does not provide any ARP packet validation or protection against ARP spoofing.

40
Multi-Selectmedium

Which three of the following are characteristics of DHCP snooping on a Cisco switch? (Choose three.)

Select 3 answers
.It differentiates trusted and untrusted ports to filter DHCP messages.
.It builds and maintains a DHCP snooping binding database.
.It prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports.
.It encrypts DHCP traffic between the client and the server.
.It replaces the DHCP server's IP address with a static route.
.It requires all DHCP servers to be connected to untrusted ports.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages by differentiating trusted and untrusted ports. It builds and maintains a DHCP snooping binding database to track valid IP-to-MAC address assignments. Additionally, it prevents DHCP starvation attacks by rate-limiting DHCP messages on untrusted ports, typically using the 'ip dhcp snooping limit rate' command.

Exam trap

Cisco often tests that DHCP snooping's rate-limiting feature specifically targets DHCP starvation attacks, not rogue server attacks, and that the binding database is used for both IP source guard and dynamic ARP inspection integration.

41
PBQhard

You are connected to the multilayer switch MLS1 in a branch network. The DHCP server on router R1 is supposed to serve the 192.168.20.0/24 VLAN 20, but clients in VLAN 20 are not receiving IP addresses. Additionally, a rogue DHCP server has been detected on VLAN 20. Configure MLS1 to enable DHCP snooping on VLAN 20, set the trust state on the uplink port to R1, and limit the rate of DHCP packets on access ports. Then, on R1, correct the DHCP configuration so that the pool for VLAN 20 uses the correct default-router (192.168.20.1) and DNS server (8.8.8.8), and ensure that the excluded-address range is not too large (exclude only the first 10 addresses). Verify the solution.

Network Topology
G0/010.0.0.2/30G0/010.0.0.1/30linkG0/1 access VLAN 20192.168.20.0/24linkSiMLS1R1Clients

Hints

  • On MLS1, DHCP snooping must be globally enabled and then applied to VLAN 20.
  • The uplink to R1 must be trusted; access ports should have rate limiting to prevent DHCP starvation.
  • On R1, the excluded-address range was too broad; only exclude the first 10 addresses. The default-router and DNS server were incorrect.
A.On MLS1: ip dhcp snooping, ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
B.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.254, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
C.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.10.1 dns-server 4.4.4.4
D.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8, but no ip dhcp snooping enabled globally on MLS1
AnswerA
solution
! R1
configure terminal
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN20_POOL
default-router 192.168.20.1
dns-server 8.8.8.8
end

! MLS1
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet0/0
ip dhcp snooping trust
exit
interface GigabitEthernet0/1
ip dhcp snooping limit rate 10
end

Why this answer

The problem had three faults: First, the DHCP pool on R1 had a wrong default-router (192.168.10.1 instead of 192.168.20.1) and an incorrect DNS server (4.4.4.4 instead of 8.8.8.8). Second, the excluded-address range was too large (excluding all addresses from .1 to .254 effectively blocked all dynamic assignments; corrected to exclude only .1 through .10). Third, DHCP snooping was disabled on MLS1, allowing a rogue DHCP server.

To enable DHCP snooping, both the global `ip dhcp snooping` command and the VLAN-specific `ip dhcp snooping vlan 20` command are required. With snooping enabled, the uplink port Gig0/0 was set as trusted and the access port Gig0/1 was configured with rate limiting to prevent DHCP starvation attacks.

Exam trap

Watch for three separate issues: DHCP pool misconfiguration (default-router, DNS, excluded range), DHCP snooping not enabled globally, and the need to set trust on the uplink. Candidates often forget the global 'ip dhcp snooping' command or misconfigure the excluded range.

Why the other options are wrong

B

The excluded-address range is too large; it should only exclude the first 10 addresses (1-10) to allow dynamic allocation from .11 onward.

C

The default-router must be the gateway for VLAN 20 (192.168.20.1), and the DNS server should be 8.8.8.8 as specified.

D

The global 'ip dhcp snooping' command is required to activate the feature; omitting it leaves DHCP snooping disabled entirely.

42
MCQmedium

A network administrator is troubleshooting a Windows 10 workstation that cannot access the internet. The workstation receives an IPv4 address starting with 169.254.x.x. The network uses DHCP, and other workstations on the same subnet are working correctly. What is the most likely cause of this issue?

A.The workstation's DNS server settings are incorrect.
B.The workstation's network cable is unplugged or faulty, preventing DHCP communication.
C.The DHCP server has exhausted its address pool.
D.The workstation's default gateway is misconfigured.
AnswerB

A physical connectivity issue (e.g., unplugged or faulty cable) prevents the workstation from reaching the DHCP server, causing it to fall back to APIPA. This is the most common cause when only one workstation is affected.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address assigned by Windows when DHCP fails. Since other workstations on the same subnet work correctly, the DHCP server and network are functional, isolating the issue to the specific workstation. A faulty or unplugged network cable would prevent the workstation from sending DHCP Discover messages, causing it to fall back to APIPA.

Exam trap

Cisco often tests the distinction between DHCP failure symptoms (APIPA) and other connectivity issues, trapping candidates who confuse DNS or gateway misconfigurations with the inability to obtain an IP lease.

Why the other options are wrong

A

Incorrect DNS settings prevent name resolution but do not affect IP address assignment. The workstation would still receive a valid IP from DHCP, not an APIPA address.

C

If the DHCP pool were exhausted, all workstations would fail to obtain addresses and use APIPA. The scenario states other workstations are working correctly, so pool exhaustion is not the cause.

D

A misconfigured default gateway would prevent internet access but the workstation would still receive a valid IP from DHCP. APIPA addresses are only assigned when DHCP fails entirely.

43
Multi-Selectmedium

Which two statements accurately describe DNS and DHCP?

Select 2 answers
A.DNS resolves names to IP information, while DHCP dynamically assigns addressing information to clients.
B.DHCP is used primarily to translate private addresses into public addresses.
C.DNS can help users reach services by hostname instead of remembering numeric IP addresses.
D.DHCP replaces the need for subnet masks and default gateways.
E.DNS and DHCP are both Layer 1 technologies.
AnswersA, C

This is correct because it states the core job of each service accurately.

Why this answer

DNS and DHCP solve very different problems, even though both are common infrastructure services. DNS helps devices and users find systems by name. In simple terms, it means people can type a hostname rather than memorizing numeric IP addresses. DHCP automatically gives clients important IP settings such as an address, subnet mask, default gateway, and often DNS server information.

The trick in comparison questions is not to blend their roles together. DHCP does not perform NAT, and it does not eliminate the need for addressing details; it actually supplies them.

Exam trap

A frequent exam trap is confusing DHCP with NAT or assuming DHCP replaces the need for subnet masks and default gateways. Some candidates mistakenly believe DHCP translates private IP addresses to public ones, but this is the role of NAT, not DHCP. Additionally, DHCP does not remove the need for subnet masks or default gateways; instead, it provides these parameters automatically to clients.

Misunderstanding these distinctions can lead to incorrect answers, especially when questions ask about the functions of IP services. Carefully distinguishing DHCP’s role in dynamic addressing from NAT’s role in address translation is essential to avoid this trap.

Why the other options are wrong

B

DHCP does not translate private addresses to public; that is the function of NAT.

D

DHCP does not replace the need for subnet masks and default gateways; it actually provides them automatically.

E

DNS and DHCP operate at the Application Layer (Layer 7), not Layer 1.

44
MCQhard

Based on the exhibit, which configuration should be added to restore DHCP service for clients in VLAN 30?

A.ip helper-address 10.99.99.20 under interface Vlan30
B.switchport mode trunk under interface Vlan30
C.ip default-gateway 10.99.99.20 under interface Vlan30
D.spanning-tree portfast under interface Vlan30
AnswerA

This is correct because the VLAN 30 SVI must relay DHCP requests toward the remote server.

Why this answer

The correct fix is to add an IP helper address pointing to the remote DHCP server on the Layer 3 interface for VLAN 30. In practical terms, the clients are sending DHCP discovery as a broadcast, and the server is on another subnet. The SVI for VLAN 30 is the local gateway that must relay those requests toward the server.

This is one of the most exam-realistic campus troubleshooting scenarios because it tests both subnet boundaries and the role of the local gateway interface.

Exam trap

A common exam trap is confusing the ip helper-address command with ip default-gateway or Layer 2 commands like switchport mode trunk. Candidates might incorrectly apply switchport commands to an SVI, which is a Layer 3 interface, or think setting ip default-gateway will relay DHCP requests. These mistakes cause DHCP broadcasts to fail reaching the remote server, leading to no IP address assignment for clients.

Understanding that ip helper-address is the DHCP relay mechanism on Layer 3 interfaces is critical to avoid this trap.

Why the other options are wrong

B

Incorrect. The command switchport mode trunk is a Layer 2 switchport configuration and cannot be applied to an SVI, which is a Layer 3 interface. This does not affect DHCP relay.

C

Incorrect. The ip default-gateway command sets the default gateway for management traffic on a Layer 2 device and does not relay DHCP broadcasts. It does not restore DHCP service for clients.

D

Incorrect. The spanning-tree portfast command is used on physical Layer 2 switchports to speed up port transitions and has no effect on DHCP relay or SVIs.

45
Multi-Selectmedium

Which two actions help protect access-layer switch ports from rogue DHCP servers?

Select 2 answers
A.Enable DHCP snooping globally and for the needed VLANs
B.Trust the uplink toward the legitimate DHCP server path
C.Enable PortFast on all trunks to block rogue servers
D.Disable ARP on access ports
E.Set every access port as trusted
AnswersA, B

That turns on the feature and applies it to selected VLANs.

Why this answer

DHCP snooping marks trusted and untrusted interfaces and filters server-type DHCP messages on untrusted ports. Uplink ports toward the real DHCP server or relay are typically trusted, while user-facing ports stay untrusted. Option C is incorrect because PortFast does not filter DHCP messages; it only speeds up spanning tree convergence.

Option D is incorrect because disabling ARP breaks normal communication and does not block DHCP. Option E is incorrect because marking all access ports as trusted would permit rogue DHCP servers on those ports.

Exam trap

Do not confuse port security with DHCP snooping; they address different security concerns.

Why the other options are wrong

C

PortFast is used to speed up the transition of a port to forwarding state in spanning tree, typically for end-user devices. It does not filter DHCP messages or prevent rogue DHCP servers; DHCP snooping is the correct mechanism.

D

ARP is essential for IP communication and disabling it would break network connectivity. DHCP snooping does not involve ARP; it operates at the DHCP protocol level to validate messages.

E

Setting every access port as trusted would allow any device connected to those ports to act as a DHCP server, defeating the purpose of DHCP snooping. Only ports connected to legitimate DHCP servers should be trusted.

46
MCQhard

A network engineer notices that clients in the 192.168.10.0/24 subnet are receiving the IP address 192.168.10.1 from the DHCP server, causing a duplicate IP conflict with the router’s own interface. What is the most likely cause?

A.The DHCP pool does not exclude the router’s own interface IP address.
B.The DHCP conflict logging feature is disabled on the router.
C.The DHCP lease time is set too low, causing frequent re-issuing of addresses.
D.The DHCP pool’s default-router address is misconfigured, so the client uses the router’s IP as its own.
AnswerA

When no excluded-address is configured for the router’s IP, the DHCP server treats it as available from the pool and can offer it to clients, creating a conflict. Adding 'ip dhcp excluded-address 192.168.10.1' prevents the server from offering that address.

Why this answer

The DHCP server is handing out 192.168.10.1, which is the router’s interface IP, because the pool includes the entire subnet without excluding that address. The correct fix is to configure 'ip dhcp excluded-address 192.168.10.1'. The other options describe features that do not control whether the server offers a specific address: conflict logging, lease time, and default-router settings do not prevent assignment of a duplicate address.

Exam trap

Candidates often assume that enabling DHCP conflict detection ('ip dhcp conflict logging' or 'ip address dhcp conflict') will prevent the server from assigning an address that is already in use. In reality, the server offers the address regardless; conflict detection only helps log or send notifications after the fact.

Why the other options are wrong

B

Many candidates confuse conflict detection with a preventive mechanism, thinking that enabling it would stop the assignment of an already-used address.

C

Candidates may associate short leases with instability, but the root cause is the missing exclusion, not the lease timer.

D

Beginners often conflate the default gateway with the assigned IP address, believing a mistake in the default-router setting could cause an address conflict.

47
Multi-Selectmedium

Which three of the following are true about the operation of DHCP snooping? (Choose three.)

Select 3 answers
.DHCP snooping builds a binding database of trusted DHCP clients.
.Interfaces connected to DHCP servers are configured as trusted ports.
.DHCP snooping can prevent DHCP starvation attacks.
.DHCP snooping is enabled globally and requires no per-VLAN configuration.
.DHCP snooping automatically blocks all BOOTP traffic.
.DHCP snooping only works with DHCPv6.

Why this answer

DHCP snooping is a security feature that builds and maintains a DHCP snooping binding database by monitoring DHCP messages exchanged on trusted and untrusted ports. It prevents rogue DHCP servers and DHCP starvation attacks by filtering DHCP messages based on the trust state of the interface. The binding database records the IP address, MAC address, VLAN, and port information for each DHCP client that successfully obtains a lease through a trusted DHCP server.

Exam trap

Cisco often tests the misconception that DHCP snooping is automatically applied to all VLANs once enabled globally, but in reality you must explicitly enable it on each VLAN with the 'ip dhcp snooping vlan' command.

48
MCQhard

A host receives a correct IP address and subnet mask from DHCP but still cannot reach remote networks. Local subnet communication works. Which missing DHCP option is the strongest suspect?

A.Default gateway information
B.An STP root bridge ID
C.A voice VLAN value
AnswerA

This is correct because the host needs a default gateway for off-subnet traffic.

Why this answer

The strongest suspect is the default gateway option. In practical terms, the host can already identify local destinations because the subnet mask is present. That is why local communication still works. What it does not have is the next hop needed for off-subnet traffic. Without a default gateway, remote communication usually fails.

This is a very common host-troubleshooting scenario. It separates basic local addressing from the additional information required for off-subnet reachability.

Exam trap

A common exam trap is selecting options like STP root bridge ID or voice VLAN as the cause of remote connectivity failure. These options relate to Layer 2 switching or voice VLAN segmentation and do not affect IP routing or host reachability to remote networks. Candidates might confuse DHCP options that influence Layer 2 behavior with those critical for Layer 3 routing.

The key mistake is overlooking the default gateway option, which is essential for off-subnet traffic forwarding. This trap tests the candidate’s understanding of DHCP’s role in providing routing information, not just IP addressing.

Why the other options are wrong

B

An STP root bridge ID is irrelevant to host IP reachability because it pertains to Layer 2 spanning tree topology and does not affect IP routing or DHCP configuration for hosts.

C

A voice VLAN value is specific to voice traffic segmentation on switches and does not influence a host’s ability to route IP packets to remote networks, making it unrelated to the connectivity issue.

D

A router ID is a concept used in routing protocols like OSPF and does not apply to DHCP or host IP configuration, so it cannot cause the described connectivity problem.

49
MCQhard

Refer to the exhibit. A network engineer is troubleshooting DHCP issues on a branch office network. Several users report that new devices are unable to obtain IP addresses, even though the DHCP pool configured on R1 appears to have sufficient free addresses. The engineer executes the show ip dhcp conflict command and observes the output. Based on the output, what is the most likely cause of the problem?

A.The DHCP scope is misconfigured with an exclusion range that includes 192.168.1.50 to 192.168.1.59.
B.The ping timeout on the DHCP server is set too low, causing it to falsely detect conflicts.
C.Several hosts on the network are using static IP addresses from the DHCP pool range, causing the DHCP server to mark those addresses as conflicts and depleting the available pool.
D.The DHCP server is not properly releasing expired leases, causing the conflict table to fill up.
AnswerC

Each conflict entry with detection method 'Ping' indicates the server attempted to verify the address and received a reply, meaning a device is already using that IP statically or from another source. The server then marks it as a conflict and withdraws it from the pool, shrinking the pool until no addresses remain free.

Why this answer

The exhibit lists ten IP addresses (192.168.1.50 through .59) that have been detected as conflicts via Ping. This means the DHCP server sent ICMP echo requests to these addresses before offering them and received replies, confirming that hosts with those IPs already exist on the network—likely devices with static IP configurations. The server then marks them as conflicts and excludes them from the pool, reducing the number of available addresses.

With multiple static hosts consuming the address space, the DHCP pool becomes effectively exhausted, preventing new devices from obtaining IPs.

Exam trap

Candidates often mistakenly believe the ping timeout on the server is too short, causing false conflict detections. However, the output explicitly shows successful detection via Ping, meaning the server received a reply, so the conflicts are real and the addresses are genuinely in use.

Why the other options are wrong

A

Candidates may confuse administratively excluded addresses with dynamically detected conflicts.

B

The misconception is that aggressive ping settings create false conflicts, when in fact a conflict entry proves a reply was received.

D

Candidates might think that conflicts represent stale entries, but a conflict is a permanent record of a detected collision, not a lease state.

50
MCQmedium

Exhibit: PCs in VLAN 20 are not receiving addresses from a DHCP server in another subnet. The switch SVI for VLAN 20 is up, and routing is working. Which configuration is most likely missing on the gateway for VLAN 20?

A.ip default-gateway 10.20.20.1
B.ip helper-address 10.99.99.10
C.switchport trunk allowed vlan 20
D.spanning-tree portfast default
AnswerB

That forwards DHCP broadcasts to the remote server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. An ip helper-address on the client gateway interface relays those requests to a remote DHCP server.

Exam trap

A frequent exam trap is selecting the ip default-gateway command as the solution for DHCP relay issues. This command only applies to Layer 2 switches for their own management traffic and does not forward DHCP broadcasts across routed interfaces. Candidates may also mistakenly focus on VLAN trunking or spanning-tree settings, which do not affect DHCP relay functionality.

The key is to recognize that DHCP broadcasts must be explicitly forwarded by the router or Layer 3 switch interface using ip helper-address to reach a DHCP server in another subnet.

Why the other options are wrong

A

The ip default-gateway command configures the default gateway for a Layer 2 switch’s management interface and does not forward DHCP broadcasts. Since the question involves DHCP relay across routed VLANs, this command is irrelevant.

C

The switchport trunk allowed vlan 20 command controls VLAN traffic allowed on a trunk link but does not influence DHCP relay or routing between VLANs. The issue is DHCP relay, not VLAN trunk configuration.

D

The spanning-tree portfast default command enables PortFast on switch ports to speed up STP convergence and does not affect DHCP relay or routing. It is unrelated to the problem of clients not receiving DHCP addresses.

51
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a DHCP server on a Cisco IOS-XE router and enable DHCP relay on a remote subnet, following Cisco's recommended configuration sequence.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The recommended order is to first create the DHCP pool with network and default-router, then exclude addresses, and finally enable DHCP relay on the remote interface. While the 'ip dhcp excluded-address' command can technically be issued before or after the pool definition, Cisco documentation typically shows the pool created first. The critical requirement is that DHCP relay is configured last, after the DHCP server is fully configured.

Options B and D place relay first, which is incorrect.

Exam trap

A common mistake is to configure DHCP relay before the DHCP server, or to think the order of pool and exclusion is irrelevant for the exam. While both orders are technically valid, the question expects the standard order of pool first, then exclusion.

52
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP relay agent and verify the DHCP DORA process for a client on a remote subnet.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The relay agent must be configured first by setting the ip helper-address on the client-facing interface, then verifying connectivity to the DHCP server. The DORA process should be observed using a relay-specific debug command such as debug ip dhcp relay; the originally listed debug ip dhcp server packet would show no output on a pure relay agent, making it incorrect for verification.

Exam trap

A common trap is placing the ip helper-address on the wrong interface or using the wrong debug command. Always place the helper address on the client-facing interface, and verify relay operation with debug ip dhcp relay, not debug ip dhcp server packet.

53
MCQhard

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

A.The SSH ACL is misconfigured and denies port 22 from the management subnet.
B.The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.
C.Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.
D.RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.
AnswerB

DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

Why this answer

The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database.

DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

Exam trap

Cisco often tests the interaction between security features like DAI and static IP hosts, where candidates overlook that DAI requires explicit static bindings for non-DHCP clients, leading to connectivity failures that appear as timeouts rather than explicit denials.

Why the other options are wrong

A

Misunderstanding ACL processing—assumes a simple subnet permit ACL would block port 22 by default, but the ACL entry permits all traffic from the subnet, not just specific ports.

C

Assumes port security is the first cause of connectivity failure when MAC limits are configured, but the symptom does not indicate a port security violation; the port would need to go into err-disabled, which is not mentioned.

D

AAA failures manifest as authentication errors or prompts that time out after attempting RADIUS, but they typically affect all attempts, not a single source, unless combined with ACLs that permit other hosts but block this one.

54
MCQhard

After enabling Dynamic ARP Inspection on VLAN 20, a network engineer notices that some hosts lose connectivity. The affected hosts have correct IP addresses and MAC addresses, but they cannot ping the default gateway. All other hosts on the same VLAN work fine. Further investigation reveals that the non-functioning hosts are using static IP configurations, while the working hosts are DHCP clients. What is the most likely cause?

A.The DHCP snooping binding table is exhausted and cannot accept new bindings for the static hosts.
B.IP Source Guard is also enabled on VLAN 20 and is blocking traffic from hosts that have no DHCP snooping binding.
C.DAI is dropping ARP packets from the static hosts because they do not have a corresponding entry in the DHCP snooping binding table.
D.The switch is detecting ARP spoofing from the static hosts and has shut down their switchport interfaces for security.
AnswerC

When DAI is enabled, it checks every ARP packet on untrusted ports against the DHCP snooping binding table. Since the static hosts have no DHCP lease, no binding exists, and DAI drops their ARP packets, preventing them from learning the gateway MAC address and causing loss of connectivity.

Why this answer

Dynamic ARP Inspection (DAI) uses the DHCP snooping binding table to validate ARP packets. Hosts with statically assigned IP addresses have no DHCP binding entry, so DAI considers their ARP packets invalid and drops them, preventing these hosts from resolving MAC addresses and thus causing loss of connectivity.

Exam trap

Option B (IP Source Guard) is tempting because both features rely on the DHCP snooping binding table, but IP Source Guard filters IP data traffic, not ARP packets. The specific symptom of failed ARP resolution after enabling DAI points directly to DAI's ARP validation, not IP traffic filtering.

Why the other options are wrong

A

Candidates may think that a large number of untrusted hosts could overwhelm the binding table, but static hosts do not interact with DHCP and would not fill the table or be rejected.

B

Candidates often confuse DAI and IP Source Guard since both use DHCP snooping; however, DAI specifically validates ARP packets, which matches the symptom of connectivity loss due to ARP resolution failure.

D

Some candidates might associate ARP security features with port shutdown, but standard DAI operation does not disable ports, and the symptom does not indicate interface down events.

55
Multi-Selectmedium

Which TWO DHCP snooping trust states are valid on a Cisco switch? (Choose two.)

Select 2 answers
A.Trusted
B.Untrusted
C.Secure
D.Authorized
E.Relay
AnswersA, B

A trusted port is configured using 'ip dhcp snooping trust' and is allowed to forward all DHCP messages, including server responses. This is typically applied to ports connecting to DHCP servers or upstream relay agents.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages on a switch. The only two valid trust states are 'trusted' and 'untrusted'. A trusted port is typically an uplink to a legitimate DHCP server, while an untrusted port is a downstream port where DHCP client messages are expected and server-originated messages are blocked.

Exam trap

Cisco often tests the exact terminology of DHCP snooping trust states, and the trap here is that candidates confuse 'trusted' and 'untrusted' with other security terms like 'secure' or 'authorized' from different features (e.g., port security or 802.1X).

Why the other options are wrong

C

This is a distractor term that does not exist in the DHCP snooping configuration. The correct states are trusted and untrusted.

D

This term is borrowed from other security contexts and is not applicable to DHCP snooping trust states.

E

This confuses the DHCP relay agent feature with DHCP snooping trust states. They are different mechanisms.

56
MCQmedium

What problem does DHCP snooping help prevent?

A.Unauthorized DHCP server responses from user-facing ports
B.Layer 3 route loops
C.Trunk encapsulation mismatch
D.Weak SSH ciphers
AnswerA

Correct. This is the main value of DHCP snooping.

Why this answer

DHCP snooping marks interfaces as trusted or untrusted and blocks rogue DHCP server messages arriving on untrusted ports.

Exam trap

A frequent exam trap is selecting options related to Layer 3 routing issues or encryption weaknesses, such as route loops or weak SSH ciphers, when asked about DHCP snooping. Candidates may mistakenly think DHCP snooping prevents routing problems or secures SSH sessions. However, DHCP snooping specifically targets unauthorized DHCP server messages at Layer 2 and does not affect routing protocols or encryption.

Misunderstanding this scope leads to incorrect answers. Remember, DHCP snooping’s primary function is to block rogue DHCP servers on untrusted ports, not to solve routing or encryption problems.

Why the other options are wrong

B

Incorrect. Layer 3 route loops are routing protocol issues and are not addressed by DHCP snooping, which operates at Layer 2 for DHCP message validation.

C

Incorrect. Trunk encapsulation mismatches relate to VLAN tagging and trunk negotiation, which DHCP snooping does not influence or prevent.

D

Incorrect. Weak SSH ciphers pertain to encryption security and have no connection to DHCP snooping, which focuses solely on DHCP message filtering.

57
MCQhard

A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?

A.ip directed-broadcast
B.ip helper-address 10.99.99.20
C.service dhcp-server 10.99.99.20
D.default-router 10.99.99.20
AnswerB

The helper address forwards DHCP broadcasts as unicast to the server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. On an SVI or routed interface facing the clients, an ip helper-address relays those broadcasts to the DHCP server on another subnet.

Exam trap

A frequent exam trap is selecting ip directed-broadcast or default-router as the solution for DHCP relay issues. ip directed-broadcast only enables forwarding of directed broadcasts but does not relay DHCP requests to servers on other subnets. default-router is a DHCP pool parameter that assigns a gateway to clients but does not affect how DHCP broadcasts are forwarded. Another trap is assuming service dhcp-server is an interface command for relay, which it is not. These distractors test your understanding of DHCP relay mechanisms and Cisco IOS command usage.

Why the other options are wrong

A

The ip directed-broadcast command enables forwarding of directed broadcasts but does not relay DHCP requests. It is unrelated to DHCP relay and will not solve the problem of clients not receiving addresses from a remote DHCP server.

C

service dhcp-server is not a valid Cisco IOS interface command for DHCP relay. It does not configure the router to forward DHCP broadcasts and thus will not resolve the issue.

D

default-router is a DHCP pool parameter used to assign the default gateway IP address to clients. It does not configure the interface to relay DHCP broadcasts and is not relevant to the relay configuration.

58
MCQhard

A network administrator has configured a Cisco switch as a DHCP server for the 192.168.1.0/24 subnet. Hosts in VLAN 10 are unable to obtain IP addresses via DHCP. The switch's SVI for VLAN 10 is up/up. What is the most likely cause of the problem?

A.The VLAN 10 SVI is not configured with an IP address in the 192.168.1.0/24 subnet.
B.The DHCP server is including the network and broadcast addresses in the pool, causing conflicts. Use the 'ip dhcp excluded-address' command to exclude them.
C.DHCP snooping is blocking DHCP messages on the switch port connected to the hosts.
D.The DHCP pool is not bound to VLAN 10. Use the 'vlan' command under the pool configuration.
AnswerB

The conflict detection shows that addresses 192.168.1.1 (network) and 192.168.1.254 (broadcast) are in conflict. These should be excluded to prevent the DHCP server from leasing them.

Why this answer

Option B is correct. The most likely cause is that the DHCP server pool includes the network (192.168.1.0) and broadcast (192.168.1.255) addresses, which are reserved and cannot be leased. When a host requests an IP, the server may attempt to assign one of these addresses, causing a conflict and preventing successful DHCP lease completion.

Using the 'ip dhcp excluded-address' command to exclude these addresses from the pool resolves the issue. Option A is not the best answer because the SVI for VLAN 10 is up/up and must already have an IP address in the 192.168.1.0/24 subnet for the DHCP server to offer addresses to that subnet; if it were missing, DHCP would fail completely, but the symptom would likely be no offers at all, not address conflicts. The problem described is consistent with the pool including reserved addresses, which is a common misconfiguration.

Exam trap

Learners often overlook that the DHCP pool's range must exclude network and broadcast addresses; they may incorrectly suspect DHCP snooping, an SVI misconfiguration, or a missing VLAN binding instead.

Why the other options are wrong

A

The SVI must have an IP address for routing, but the DHCP server can serve addresses from any pool regardless of the SVI's subnet. The issue is with the pool itself.

C

If DHCP snooping were blocking messages, the 'Malformed messages' counter might increase, but the server would still receive some messages. The zero count indicates no messages are reaching the server.

D

There is no 'vlan' command under a DHCP pool. The pool serves all hosts in the subnet regardless of VLAN association.

59
Drag & Drophard

Drag and drop the following steps into the correct order to configure a new WLAN on a Cisco WLC using IOS-XE CLI, including WPA3-Personal security, and to complete a wireless client association with DHCP.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The configuration order follows the Cisco IOS-XE WLC CLI: first enter global config, create the WLAN profile, set security (WPA3-Personal/SAE), enable the WLAN, then the client associates and gets an IP via DHCP.

Exam trap

Be careful with the order of operations: you must create the WLAN profile first, then configure security, then enable the WLAN. Also, remember that DHCP IP assignment occurs after the client associates, not before.

60
MCQmedium

Why is DHCP often preferred over manual addressing on larger user networks?

A.It automates host IP configuration and reduces manual effort and mistakes.
B.It replaces DNS completely.
C.It removes the need for default gateways.
D.It is required by all routing protocols.
AnswerA

This is correct because DHCP improves consistency and reduces administrative overhead.

Why this answer

DHCP is often preferred because it automates host configuration and reduces both manual work and configuration mistakes. In practical terms, it is far easier to let endpoints receive addresses, masks, gateways, and DNS settings automatically than to configure each device by hand.

This improves scale, consistency, and operational efficiency. That is why DHCP is such a common service in enterprise access networks.

Exam trap

A common exam trap is selecting options that confuse DHCP with DNS or routing protocols. Some candidates mistakenly believe DHCP replaces DNS or removes the need for default gateways. However, DHCP only automates IP configuration; it does not perform name resolution like DNS, nor does it eliminate the requirement for a default gateway.

Another trap is assuming routing protocols depend on DHCP, which is incorrect because routing protocols operate independently of IP address assignment methods. Understanding these distinctions is essential to avoid incorrect answers related to IP services in the CCNA exam.

Why the other options are wrong

B

This option is incorrect because DHCP does not replace DNS. DNS is a separate service responsible for name resolution, while DHCP only provides IP configuration parameters including DNS server addresses.

C

This option is wrong because DHCP does not remove the need for default gateways. Hosts still require gateway information to communicate outside their subnet, and DHCP typically provides this information during configuration.

D

This option is incorrect because routing protocols do not depend on DHCP. Routing protocols function independently of IP address assignment methods and do not require DHCP to operate on user networks.

61
MCQhard

A host has a valid IP address and subnet mask from DHCP but cannot reach remote networks because no gateway was provided. What is the best explanation?

A.The host has no next-hop gateway for traffic destined outside its local subnet.
B.The host cannot use ARP on the local network anymore.
C.The host automatically becomes part of every remote subnet.
D.The host must convert its access port into a trunk.
AnswerA

This is correct because a default gateway is needed for off-subnet traffic.

Why this answer

The best explanation is that the host has no next-hop path for off-subnet traffic. In plain language, the device knows what its own local network looks like, but it does not know where to send packets when the destination is outside that local range. Without a default gateway, remote communication usually fails even though local communication can still work.

This is a core host-configuration concept. The correct answer is the one focused on the absence of a next hop for remote destinations.

Exam trap

A common exam trap is assuming that a host without a default gateway cannot communicate at all. Many candidates mistakenly believe that missing a gateway disables all network communication, but in reality, the host can still communicate with devices on its local subnet using ARP. The trap lies in confusing local subnet communication with remote network access.

The question specifically tests understanding that the lack of a gateway prevents forwarding to remote networks, not local connectivity. Misreading this can lead to selecting incorrect options that focus on ARP or subnet expansion rather than the gateway role.

Why the other options are wrong

B

This option is incorrect because ARP is used for local subnet communication and does not depend on the presence of a default gateway. The host can still use ARP to communicate locally.

C

This option is wrong because a host does not automatically become part of every remote subnet without a gateway. The subnet mask defines the local subnet boundaries, and gateway absence does not change this.

D

This option is unrelated to the problem. Converting an access port to a trunk port affects VLAN tagging on switches but does not impact a host’s ability to have or use a default gateway.

62
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco switch as a DHCP relay agent with DHCP snooping, where the DHCP server is located on a remote router.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, the DHCP server must be properly configured on the router. Next, DHCP snooping is enabled globally on the switch to protect against rogue servers. Then, the specific client VLANs must be added to the snooping database.

After that, the uplink interface to the DHCP server must be trusted to allow legitimate server responses. Finally, the ip helper-address command is placed on the client's SVI to forward DHCP broadcasts to the remote server.

63
MCQmedium

A network administrator is configuring a new Windows 10 workstation on a network that uses DHCP. The workstation receives an IPv4 address of 169.254.10.20 with a subnet mask of 255.255.0.0 and no default gateway. The user cannot access the internet or other subnets. What is the most likely cause of this issue?

A.The workstation has a duplicate IP address conflict.
B.The workstation's DNS server configuration is incorrect.
C.The workstation's subnet mask is misconfigured.
D.The DHCP server is unreachable or not responding.
AnswerD

When a DHCP client fails to receive an IP address from a DHCP server, it self-assigns an APIPA address from the 169.254.0.0/16 range. This explains the observed address and the absence of a default gateway.

Why this answer

The IP address 169.254.10.20 with a /16 subnet mask is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP discovery broadcast (DHCPDISCOVER) fails to receive a response from a DHCP server. Without a valid DHCP lease, the workstation has no default gateway, so it cannot communicate outside its local subnet, explaining the lack of internet or inter-subnet access. The most likely cause is that the DHCP server is unreachable or not responding, forcing the client to self-assign an APIPA address.

Exam trap

Cisco often tests the misconception that a 169.254.x.x address indicates a duplicate IP or a subnet mask issue, but the real trap is that APIPA is a direct symptom of DHCP server unavailability, not a configuration error on the client.

Why the other options are wrong

A

Duplicate IP conflicts typically result in a warning but do not cause the system to assign a 169.254.x.x address.

B

DNS issues do not affect IP address assignment via DHCP.

C

The subnet mask is correct for the APIPA range; the problem is the lack of a DHCP server response.

64
PBQhard

You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.

Hints

  • Check the DHCP snooping configuration first — is it enabled and on the correct VLAN?
  • Look at the helper-address: the DHCP server is on the SVI, not on the point-to-point link.
  • The excluded range on R1 is too large; it should only exclude the first 20 addresses.
A.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, correct the excluded range on R1 to 192.168.50.1-192.168.50.20, and change the helper-address on SW1's G0/1 to 192.168.50.1.
B.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 10.0.0.1.
C.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and correct the excluded range on R1 to 192.168.50.1-192.168.50.20.
D.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 192.168.50.1.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp excluded-address 192.168.50.1 192.168.50.20
end
write memory

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 50
interface GigabitEthernet0/1
ip dhcp snooping trust
no ip helper-address 10.0.0.1
ip helper-address 192.168.50.1
interface FastEthernet0/5
shutdown
end
write memory

Why this answer

The host received a wrong IP because a rogue DHCP server on Fa0/5 was responding. First, enable DHCP snooping globally with 'ip dhcp snooping' and on VLAN 50 with 'ip dhcp snooping vlan 50'. Then, trust the uplink port to R1 (G0/1) with 'ip dhcp snooping trust'.

Next, fix the excluded range on R1: change it to exclude only the first 20 addresses (192.168.50.1-192.168.50.20) so that hosts can obtain other addresses. Finally, correct the helper-address on SW1's G0/1: change 'ip helper-address 10.0.0.1' to 'ip helper-address 192.168.50.1' because the DHCP server is on the VLAN 50 SVI, not on the point-to-point link.

Exam trap

This question tests your ability to troubleshoot a multi-faceted DHCP issue. Common traps include: (1) forgetting that DHCP snooping must be enabled both globally and per VLAN, (2) assuming the helper-address should be the router's link IP instead of the server's SVI IP, (3) overlooking the excluded range configuration, and (4) thinking that only one of the issues needs to be fixed. Always verify all components: snooping, trust, helper-address, and pool configuration.

Why the other options are wrong

B

The helper-address must be the IP of the DHCP server, which is the SVI address 192.168.50.1, not the link address 10.0.0.1.

C

The helper-address misconfiguration prevents DHCP requests from being forwarded to the correct server, so fixing only the excluded range is insufficient.

D

The excluded range must be corrected to allow hosts to receive addresses from the pool; otherwise, the DHCP server will not assign addresses.

65
MCQmedium

A client receives an IP address but cannot reach remote networks. Which DHCP option is most likely missing or incorrect?

A.DNS server option
B.Lease time option
D.TFTP server option
AnswerC

Without the correct gateway, off-subnet traffic fails.

Why this answer

The client can obtain an IP address but cannot reach remote networks, which indicates that the DHCP server is not providing the default gateway (option 3). Without a default gateway, the client has no route to destinations outside its local subnet, so traffic to remote networks is dropped. The DHCP server must be configured to supply the router's IP address as the default gateway for clients to forward inter-network traffic.

Exam trap

Cisco often tests the distinction between DHCP options by presenting a symptom like 'can't reach the internet' and expecting candidates to recognize that the default gateway (option 3) is the critical missing piece, not DNS or lease time.

Why the other options are wrong

A

The DNS server option is not critical for basic connectivity to remote networks; it primarily affects name resolution. If a client can obtain an IP address but cannot reach remote networks, the issue is more likely related to the default gateway configuration.

B

The lease time option specifies how long a DHCP lease is valid, but it does not affect the ability to reach remote networks. Therefore, a missing or incorrect lease time would not directly cause connectivity issues.

D

The TFTP server option is not necessary for a client to reach remote networks, as it primarily facilitates file transfers and does not impact routing or network accessibility. Therefore, its absence would not directly cause connectivity issues to remote networks.

66
MCQhard

Clients in VLAN 30 are not receiving addresses from the DHCP server located in VLAN 99. Which configuration change should be made on the Layer 3 interface for VLAN 30?

A.Add ip dhcp snooping trust under interface Vlan30.
B.Add switchport mode trunk under interface Vlan30.
C.Add ip default-gateway 10.99.99.20 under interface Vlan30.
D.Add ip helper-address 10.99.99.20 under interface Vlan30.
AnswerD

This is correct because the SVI for VLAN 30 is the interface that receives the client DHCP broadcasts. By adding `ip helper-address 10.99.99.20`, the Layer 3 device forwards the request as a unicast packet to the DHCP server in VLAN 99.

Why this answer

The DHCP server is on a different subnet, so the client broadcast messages from VLAN 30 will not naturally cross the Layer 3 boundary. In simple terms, the clients are asking for an address by shouting on their own floor of the building, but the server lives on another floor and cannot hear that broadcast directly. The router or Layer 3 switch must relay the request for them. On Cisco devices, that relay function is usually configured with `ip helper-address` on the interface that receives the client broadcasts.

Here, that receiving interface is Vlan30, because that is the default gateway for the clients in VLAN 30. Pointing `ip helper-address` to 10.99.99.20 tells the Layer 3 device to forward DHCP requests to the remote server. DHCP snooping trust is a separate security feature, trunk mode is unrelated to an SVI, and `ip default-gateway` is not the correct solution for relaying DHCP across subnets.

Exam trap

Remember that DHCP snooping and trunk mode do not facilitate DHCP relay. Focus on the purpose of `ip helper-address` for relaying requests across VLANs.

Why the other options are wrong

A

This option is wrong because enabling DHCP snooping trust on VLAN 30 does not facilitate communication with the DHCP server in VLAN 99; it only protects against rogue DHCP servers.

B

Adding 'switchport mode trunk' under interface Vlan30 is incorrect because VLAN 30 is already configured as a Layer 3 interface, and trunking is not applicable to Layer 3 interfaces. This command is used for Layer 2 interfaces to allow multiple VLANs over a single link.

C

This option is wrong because the command 'ip default-gateway' is used to set a default gateway for a Layer 2 device, not for enabling DHCP relay on a Layer 3 interface. Clients in VLAN 30 need a helper address to reach the DHCP server in VLAN 99.

67
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure WPA3-Personal on a WLC, associate a wireless client, and complete the 802.11 authentication and DHCP process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to first configure the WLAN with WPA3-Personal on the WLC, then the client completes 802.11 authentication (open system authentication followed by the SAE handshake), next the client associates with the AP, and finally the client obtains an IP address via DHCP. Option B correctly follows this sequence, while option A incorrectly reverses authentication and association, option C places WLAN configuration after client association, and option D erroneously performs DHCP before any wireless steps.

Exam trap

Watch out for the order of 802.11 authentication and DHCP. Many candidates mistakenly place DHCP before authentication, but authentication is a layer 2 process that must complete before the client can obtain an IP address.

68
PBQhard

You are connected to R1. Configure R1 as a DHCP server for VLAN 20 clients (192.168.20.0/24) with DNS server 203.0.113.10 and default gateway 192.168.20.1. On switch SW1, enable DHCP snooping globally and on VLAN 20, configure the uplink to R1 as trusted, and ensure that the DHCP server is reachable via ip helper-address on the VLAN 20 SVI. Currently, clients are not receiving IP addresses because of misconfigurations: the excluded-address range on R1 is too large (excluding the entire subnet), the helper-address on SW1 points to a wrong IP (192.0.2.99), and a rogue DHCP server is connected to port Fa0/3 on SW1. Fix all issues so that clients can get addresses securely.

Hints

  • The excluded-address range is too broad; narrow it to only the gateway and a small reserved range.
  • The helper-address must point to the DHCP server's IP, which is on a different subnet.
  • DHCP snooping must be enabled globally and per VLAN, and the port connecting to the legitimate DHCP server must be trusted.
A.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
B.On R1, remove the excluded-address range entirely; on SW1, configure ip helper-address 192.168.20.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
C.On R1, change the excluded-address range to 192.168.20.1 192.168.20.254; on SW1, configure ip helper-address 192.0.2.99 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
D.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, but do not configure any trusted ports.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.2 192.168.20.10

! SW1
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/1
ip dhcp snooping trust
exit
interface Vlan20
no ip helper-address 192.0.2.99
ip helper-address 10.0.0.1

Why this answer

The DHCP server had an excluded-address range covering the entire subnet (192.168.20.0–255), which prevented any IP from being assigned. Fix: change the excluded range to only include the gateway (192.168.20.1) and optionally other reserved addresses. The helper-address on SW1 pointed to 192.0.2.99 (nonexistent) instead of the DHCP server at 10.0.0.1; correct it.

DHCP snooping was disabled; enable it globally and on VLAN 20, then configure the uplink to R1 (port connecting to R1) as trusted and the port connecting the rogue server (Fa0/3) as untrusted (or simply leave it untrusted by default, but the rogue server will be blocked).

Exam trap

A common trap is forgetting that the excluded-address range should only reserve specific addresses, not the whole subnet. Another trap is confusing the helper-address with the default gateway or leaving the incorrect IP. Also, many candidates enable DHCP snooping but forget to configure the trusted port, which breaks legitimate DHCP traffic.

Why the other options are wrong

B

The helper-address must point to the DHCP server, not the default gateway. The excluded-address range should include the gateway to prevent conflicts.

C

The excluded-address range must be limited to reserved addresses only, not the entire usable range. The helper-address must be corrected to 10.0.0.1.

D

DHCP snooping requires the port connected to the legitimate DHCP server to be explicitly trusted; otherwise, all DHCP server messages are discarded.

69
PBQmedium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to R2 (10.0.0.2/30). Hosts on the LAN (192.168.1.0/24) need DHCP services. The DHCP server is located at 172.16.1.100 on a different subnet reachable via R2. Configure R1 to forward DHCP broadcasts to the DHCP server.

Network Topology
G0/1192.168.1.1/24G0/010.0.0.1/3010.0.0.2/30link10.0.0.2/30PCsLANR1R2DHCP server

Hints

  • The ip helper-address command is used to forward DHCP broadcasts.
  • Apply it on the interface facing the DHCP clients.
A.ip helper-address 172.16.1.100
B.ip dhcp relay information option
C.ip forward-protocol udp 67
D.ip dhcp-server 172.16.1.100
AnswerA
solution
! R1
interface GigabitEthernet0/1
ip helper-address 172.16.1.100

Why this answer

The ip helper-address command on the LAN interface forwards DHCP broadcast requests to the DHCP server at 172.16.1.100, allowing clients to obtain IP addresses across subnets.

Exam trap

Do not confuse the ip helper-address command with other DHCP-related commands like ip dhcp relay information option or ip forward-protocol. The key is to remember that ip helper-address is the command that actually forwards broadcasts to a specific server.

Why the other options are wrong

B

It is a supporting feature for relay agents, not the primary command to forward DHCP broadcasts.

C

It is a prerequisite but not sufficient; the ip helper-address is still needed to direct the traffic.

D

The command does not exist; it is a fabrication.

70
PBQhard

You are troubleshooting connectivity for a wireless client connected to the home network shown below. The client has obtained an APIPA address (169.254.x.x), indicating DHCP failure. Verify the DHCP server configuration on R1 and correct the issue so that the client receives a valid IP address from the 192.168.1.0/24 subnet.

Network Topology
G0/0192.168.1.1/24switchR1Wireless Client

Hints

  • Check if the DHCP service is enabled globally on R1.
  • APIPA addresses indicate that the client did not receive a DHCP offer.
  • The DHCP pool and interface configuration are correct; the missing piece is the global DHCP service.
A.Enable the DHCP service globally using the 'service dhcp' command on R1.
B.Remove the 'ip dhcp excluded-address 192.168.1.1 192.168.1.10' command because it excludes too many addresses.
C.Change the DHCP pool network to 192.168.1.0/24 and add the default-router 192.168.1.1 command.
D.Configure the 'ip helper-address' command on the client's VLAN interface to forward DHCP requests to the server.
AnswerA
solution
! R1
configure terminal
service dhcp
end

Why this answer

The client obtained an APIPA address (169.254.x.x) because DHCP was not assigning addresses. The DHCP pool is correctly configured, but the global DHCP service must be enabled with the 'service dhcp' command on R1. The excluded-address range (192.168.1.1–192.168.1.10) uses only a small fraction of the /24 subnet, so it is not the issue.

Enabling 'service dhcp' allows the router to process DHCP requests and assign addresses from the pool.

Exam trap

Trap: Candidates often focus on pool configuration (network, default-router, excluded-address) when troubleshooting DHCP failures, but they forget that the DHCP service must be enabled globally with 'service dhcp'. Always check if the service is running before modifying pool parameters.

Why the other options are wrong

B

The specific factual error: Excluding 10 addresses does not exhaust the pool; the pool still has 244 addresses available.

C

The specific factual error: The pool configuration is already correct; modifying it does not address the disabled DHCP service.

D

The specific factual error: 'ip helper-address' is for DHCP relay across subnets; it is not needed when the server is local.

71
Multi-Selectmedium

Which four of the following are true statements regarding the operation of DHCP snooping on a Cisco switch? (Choose all that apply. There are four correct answers.)

Select 4 answers
.DHCP snooping distinguishes trusted and untrusted ports.
.By default, all ports are considered untrusted for DHCP snooping.
.DHCP snooping can rate-limit DHCP messages to prevent denial-of-service attacks.
.DHCP snooping builds and maintains a DHCP snooping binding database (also called a binding table).
.DHCP snooping prevents rogue DHCP servers by allowing only authorized servers on any port.
.DHCP snooping requires an external DHCP server to be configured on the switch.

Why this answer

The four correct statements are true because DHCP snooping is a security feature that operates by classifying switch ports as trusted or untrusted. By default, all ports are untrusted, meaning they cannot send DHCP server messages (OFFER, ACK, NAK) unless explicitly configured as trusted. Rate-limiting DHCP messages on untrusted ports mitigates DHCP starvation attacks, and the binding database (MAC-to-IP mapping) is built from DHCP ACK messages to prevent IP spoofing.

The incorrect statement "DHCP snooping requires an external DHCP server to be configured on the switch" is false because DHCP snooping itself does not require the switch to act as a DHCP server; it simply relies on DHCP messages from a legitimate server reachable through a trusted port.

Exam trap

Cisco often tests the misconception that DHCP snooping can be configured to allow authorized servers on any port, but the feature strictly enforces that only trusted ports can source DHCP server messages, regardless of the server's IP or MAC address.

72
MCQhard

After enabling DHCP snooping on VLAN 10, a technician finds that clients in that VLAN are no longer receiving IP addresses from the DHCP server. The server is connected to port Gi0/24. What is the most likely cause?

A.The port Gi0/24 has not been configured as a trusted port for DHCP snooping.
B.The DHCP server is on a different subnet, and the VLAN 10 SVI does not have an ip helper-address configured.
C.The DHCP snooping database location was not configured, causing the switch to discard all DHCP server messages.
D.The DHCP snooping binding table does not contain an entry for the DHCP server’s MAC address, so offers are being discarded.
AnswerA

DHCP snooping immediately blocks all DHCP server messages on untrusted ports. Because Gi0/24 is the uplink to the DHCP server, it must be explicitly set as trusted (ip dhcp snooping trust), otherwise the switch will drop the DHCP offers sent by the server.

Why this answer

DHCP snooping classifies all ports as untrusted by default, and an untrusted port drops DHCP server messages (OFFER/ACK) to prevent rogue servers. Because the uplink Gi0/24 was not explicitly configured as a trusted port with ip dhcp snooping trust, the legitimate DHCP offers from the server are being discarded, so clients never receive addresses. The other options are not the cause: an ip helper-address would still be needed if the server were remote and was working before snooping (so it is already in place); the DHCP snooping database is not required for traffic forwarding; and the binding table does not need to contain the server’s MAC to permit server traffic.

Exam trap

D. Candidates often misunderstand the role of the DHCP snooping binding table and think the switch must have learned the server’s MAC to allow DHCP traffic, but the binding table is used to filter client traffic, not to authorize servers.

Why the other options are wrong

B

This option assumes that the loss of DHCP service is due to a missing relay agent, but the symptom started only after enabling snooping, not after an infrastructure change that would affect the relay path.

C

The idea that a missing database causes immediate traffic blocking is a common misinterpretation of the database’s role—it is purely for persistency, not for runtime filtering.

D

Many candidates assume that DHCP snooping uses a reverse-check against the binding table for any DHCP server messages, but the filtering is based solely on the trusted/untrusted port state, not on a learned server entry.

73
PBQhard

You are connected to SW1, a multilayer switch. Configure DHCP snooping and an IP helper-address so that clients in VLAN 20 receive IP addresses from the DHCP server at 10.0.0.2. The DHCP server is already configured with a pool for 192.168.20.0/24, but clients are not getting addresses. Identify and correct the issues in the current configuration.

Network Topology
G0/010.0.0.1/30G0/1SW1DHCP ServerClient

Hints

  • Check the helper-address on VLAN 20 — is it pointing to the correct server IP?
  • DHCP snooping must be enabled globally and for the specific VLAN.
  • The port towards the DHCP server must be configured as trusted.
A.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
B.Enable DHCP snooping globally and on VLAN 20, configure interface G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
C.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and keep the ip helper-address as 10.0.0.3 because that is the correct server address.
D.Enable DHCP snooping globally and on VLAN 20, configure both interfaces G0/0 and G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
AnswerA
solution
! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 20
interface gigabitethernet0/0
ip dhcp snooping trust
interface vlan20
no ip helper-address 10.0.0.3
ip helper-address 10.0.0.2
end
write memory

Why this answer

The DHCP relay helper-address was pointing to 10.0.0.3 instead of the actual server at 10.0.0.2. Also, DHCP snooping was not enabled. After enabling DHCP snooping globally and on VLAN 20, configure the uplink to the DHCP server as a trusted port (G0/0) and the access port (G0/1) as untrusted (default).

Finally, correct the helper-address to 10.0.0.2. These steps allow DHCP broadcasts from VLAN 20 to be relayed to the server and prevent rogue DHCP attacks.

Exam trap

A common trap is to trust all ports or to forget that the ip helper-address must match the actual DHCP server IP. Also, candidates may confuse which port should be trusted: only the port facing the legitimate DHCP server should be trusted, not client-facing ports.

Why the other options are wrong

B

The specific factual error is that the access port (G0/1) should be untrusted, not trusted. Only the uplink port to the legitimate DHCP server should be trusted.

C

The specific factual error is that the ip helper-address must be set to the actual DHCP server IP (10.0.0.2), not 10.0.0.3.

D

The specific factual error is that only the uplink port (G0/0) should be trusted; trusting the access port (G0/1) allows any device connected to that port to act as a DHCP server.

74
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Layer 3 switch to perform DHCP relay agent and DHCP snooping for a remote DHCP server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

Correct order: 1) Create DHCP pool on the server to have valid lease parameters; 2) Assign IP address to the SVI so it can act as the gateway and relay agent for the subnet; 3) Globally enable DHCP snooping to activate the feature; 4) Enable snooping on the client VLAN so that only that VLAN’s DHCP traffic is filtered; 5) Set the interface facing the server as trusted to allow DHCP replies; 6) Configure ip helper-address on the SVI to forward client DHCP broadcasts to the server. Each step depends on the previous: the server must be ready; the SVI needs an IP before the helper can be applied; snooping must be globally on before per-VLAN settings; trusted port must be defined before relayed replies are accepted; finally, the helper address enables the actual relay.

75
MCQmedium

A network administrator is troubleshooting a new branch office where hosts in VLAN 20 on switch SW1 cannot obtain IP addresses from the DHCP server located at 192.168.10.5 in the main data center. The router R1 is configured as the default gateway for VLAN 20 with interface GigabitEthernet0/1.20. The administrator verifies that the DHCP server is reachable and has available addresses. What configuration change should the administrator make to resolve the issue?

A.Configure a static IP address on the DHCP server to ensure it is always reachable.
B.Configure the 'ip helper-address 192.168.10.5' command on the router interface GigabitEthernet0/1.20.
C.Enable DHCP snooping globally on the switch SW1.
D.Increase the DHCP lease time on the server to 30 days.
AnswerB

The ip helper-address command enables the router to forward DHCP broadcasts as unicasts to the specified DHCP server, allowing clients in VLAN 20 to obtain IP addresses from the remote server.

Why this answer

The correct answer is B because the DHCP server is on a different subnet than the hosts in VLAN 20. By default, DHCP broadcasts are not forwarded across routers. The 'ip helper-address 192.168.10.5' command on the router's subinterface GigabitEthernet0/1.20 converts the broadcast DHCP request into a unicast and forwards it to the DHCP server, allowing the hosts to obtain IP addresses.

Exam trap

Cisco often tests the misconception that DHCP issues across subnets are caused by server availability or switch security features, when the real problem is the lack of a DHCP relay agent (ip helper-address) on the router interface facing the client VLAN.

Why the other options are wrong

A

A static IP on the server does not forward broadcasts across subnets; the server's reachability is not the issue.

C

Enabling DHCP snooping without proper configuration could block legitimate DHCP traffic, and it does not solve the broadcast forwarding issue.

D

The problem is not about lease duration; clients cannot receive any DHCP offers because broadcasts are not forwarded.

Page 1 of 2 · 89 questions totalNext →

Ready to test yourself?

Try a timed practice session using only DHCP questions.