CCNA Switching Network Access Questions

75 of 392 questions · Page 1/6 · Switching Network Access topic · Answers revealed

1
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a switch access port, and then recover after a BPDU Guard error-disable event.


Why this order

The correct order starts with entering global configuration mode and then interface configuration mode, then enabling PortFast, followed by BPDU Guard. After an error-disable event caused by BPDU Guard, the proper manual recovery is to issue 'shutdown' on the interface first and then 'no shutdown'; issuing 'no shutdown' alone will not clear the errdisable state.

Exam trap

Remember that PortFast must be configured before BPDU Guard on an interface. Also, after an error-disable event due to BPDU Guard, the default recovery is manual: you must issue both 'shutdown' and then 'no shutdown' on the interface, not just 'no shutdown'. Do not confuse global default commands with recovery steps.

2
MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting a trunk link between SW1 and SW2. The trunk on interface GigabitEthernet0/0 on SW1 is not passing traffic, and all VLANs are isolated. The administrator issues the command 'show interfaces GigabitEthernet0/0 trunk' on SW1. What is the most likely cause of the issue?

A. The native VLAN is mismatched between SW1 and SW2.
B. The interface is configured as an access port instead of a trunk.
C. The interface is administratively shut down.
D. The trunk encapsulation is set to ISL on SW1, but the peer switch only supports 802.1Q.
Answer: D

The Encapsulation column shows 'isl', and the Status is 'not-trunking'. This confirms that SW1 is using ISL, which is incompatible with the peer's 802.1Q-only support, preventing trunk establishment.

Why this answer

The 'show interfaces GigabitEthernet0/0 trunk' output explicitly displays encapsulation 'isl' and status 'not-trunking'. This indicates that the port is configured for ISL encapsulation, but the trunk is not operational. Since the peer switch only supports 802.1Q, the encapsulation mismatch prevents the trunk from forming, causing the traffic isolation.

Exam trap

Option A is commonly chosen because candidates often suspect a native VLAN mismatch when trunk issues arise. However, the exhibit shows the native VLAN is 1 (default) and does not indicate any mismatch; the real cause is the ISL encapsulation setting.

Why the other options are wrong

A

Native VLAN mismatches can cause traffic to leak between VLANs, but they do not prevent a trunk from becoming operational. The output clearly shows the encapsulation type as ISL, not a native VLAN problem.

B

Candidates might assume a misconfigured mode causes the issue, but the exhibit confirms the port is in trunk mode ('on' mode).

C

New learners might equate 'not-trunking' with a shutdown state, but 'admin down' is a distinct status. The port is operationally unable to trunk, not manually disabled.

3
Multi-Select · medium

An engineer wants rapid transition to forwarding on end-user switchports while still protecting the topology from accidental switch connections. Which two STP-related features fit that design?

Select 2 answers
A. PortFast on user-facing access ports
B. BPDU Guard on those same access ports
C. Root Guard on every user-facing port instead of PortFast
D. Loop Guard on hosts to accelerate DHCP
Answers: A, B

PortFast skips the usual listening/learning delay for edge endpoints.

Why this answer

PortFast improves the user experience on edge ports, and BPDU Guard keeps those ports from becoming unintended switch uplinks.

Exam trap

Beware of confusing STP features that secure or optimize ports with those that manage root bridge roles or loop prevention.

Why the other options are wrong

C

Root Guard is designed to prevent a port from becoming a root port, not to accelerate forwarding. It does not skip the STP listening/learning states, so it cannot provide rapid transition for end-user ports.

D

Loop Guard is used to prevent alternate or root ports from transitioning to forwarding in the absence of BPDUs, which helps avoid loops. It has no effect on host startup or DHCP acceleration.

4
MCQ · medium

Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?

A. Blocking
B. Listening
C. Learning
D. Forwarding
Answer: B

Correct. Listening occurs before learning and forwarding.

Why this answer

In the classic 802.1D sequence, the listening state processes BPDUs and prepares for forwarding decisions, but it does not populate the MAC address table yet.

Exam trap

Be careful not to confuse the listening state with learning, as both involve BPDU processing but differ in MAC address table updates.

Why the other options are wrong

A

In the blocking state, the port does not participate in STP actively; it only receives BPDUs but does not send them or transition toward forwarding. The question specifies a state that listens for BPDUs and participates in STP, which is the listening state, not blocking.

C

The learning state populates the MAC address table by learning source MAC addresses from incoming frames, which directly contradicts the question's requirement that the state does not learn MAC addresses. Learning occurs after listening and before forwarding.

D

The forwarding state both learns MAC addresses and forwards traffic, which violates the condition that the state does not learn MAC addresses. Forwarding is the final state where the port is fully operational.

5
MCQ · hard

Exhibit: After a new switch was connected, the access-layer port went into err-disabled state immediately. Which feature most likely caused this?

B. UDLD aggressive
D. Storm control
Answer: C

Correct choice.

Why this answer

BPDU Guard is the most likely cause because it immediately places a PortFast-enabled port into the err-disabled state upon receiving any BPDU, which is exactly what happens when a new switch is connected to an access port meant for end devices. Root Guard does not err-disable a port; instead, it puts the port into a root-inconsistent state when a superior BPDU is received, preventing the port from becoming a root port but still allowing traffic. UDLD aggressive can cause err-disabled states, but it is specifically designed to detect unidirectional links on fiber connections and requires a delay or misconfiguration, making it less immediate than BPDU Guard in this scenario.

Storm control can err-disable a port if traffic exceeds thresholds, but this is not immediate upon connection unless a broadcast storm is already occurring, which is not indicated in the scenario.

Exam trap

Be cautious not to confuse BPDU Guard with other features that cause err-disabled states, like Port Security or UDLD, which are unrelated to BPDU receipt.

Why the other options are wrong

A

Root Guard does not cause a port to go into err-disabled state; instead, it places the port into a root-inconsistent state if a superior BPDU is received, blocking traffic but not disabling the port. The question describes an immediate err-disabled state, which is characteristic of BPDU Guard, not Root Guard.

B

UDLD aggressive mode does not immediately cause an err-disabled state upon connecting a new switch; it detects unidirectional links by sending probes and can put the port into err-disabled state only after a failure is detected, which takes time. The immediate err-disabled state suggests a feature that reacts instantly to BPDUs.

D

Storm control does not cause a port to go into err-disabled state by default; it typically drops traffic exceeding a threshold or can be configured to shut down the port, but the immediate err-disabled state upon connecting a new switch is not typical for storm control. The scenario points to a feature that reacts to BPDUs, not broadcast storms.

6
MCQ · hard

A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?

A. BPDU Guard disabled the PortFast-enabled access port after it received a BPDU.
B. Port security shut down the port because the VLAN was wrong.
C. DHCP snooping disabled the interface because a host requested an address.
D. EtherChannel suspended the interface because the bundle was incomplete.
Answer: A

This is correct because the event message explicitly identifies a BPDU Guard violation.

Why this answer

The strongest reason is a BPDU Guard violation on a PortFast-enabled access port. In practical terms, the port was expected to face an end host, not a switching device that emits BPDUs. When BPDUs appeared, the switch treated that as a topology-policy violation and error-disabled the interface to protect the network.

This is one of the most classic access-layer protection patterns on the CCNA exam.

Exam trap

Be careful not to confuse BPDU Guard with other port security features or network issues like duplex mismatches.

Why the other options are wrong

B

Port security restricts access based on MAC addresses, not VLANs, and the event message explicitly mentions BPDU Guard, not port security. The exhibit shows a spanning-tree BPDU Guard error, not a port security violation.

C

DHCP snooping does not cause err-disabled state due to BPDU reception; it filters DHCP messages and can disable ports for DHCP attacks, but the exhibit clearly shows a spanning-tree BPDU Guard event.

D

EtherChannel suspension occurs due to configuration mismatches or link failures, not BPDU reception. The exhibit's syslog message explicitly identifies BPDU Guard, not EtherChannel issues.

7
PBQ · hard

You are connected to the console of a Catalyst 2960+ switch named SW2. Configure the switch so that the IP phone connected to interface FastEthernet0/5 receives power via PoE and uses VLAN 150 for voice traffic, while the PC connected through the phone uses VLAN 50 for data. Additionally, the access point connected to interface FastEthernet0/10 must receive PoE and be placed in VLAN 100. Assume the interfaces are already correctly configured as access ports in VLAN 50 and VLAN 100, respectively. Verify your configuration using the appropriate show commands.

Network Topology
SW2 with an IP Phone on Fa0/5 and an Access Point on Fa0/10 (topology diagram not reproduced).

Hints

  • Use 'switchport voice vlan' to define the voice VLAN on an access port.
  • Enable PoE on a port with 'power inline auto'.
  • Verify voice VLAN with 'show interfaces switchport' and PoE with 'show power inline'.
A. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces switchport and show power inline.
B. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: switchport access vlan 100, power inline auto. Verify with show interfaces switchport and show power inline.
C. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show vlan and show power inline.
D. On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces trunk and show power inline.
Answer: A
Solution
! SW2
configure terminal
interface FastEthernet0/5
switchport voice vlan 150
power inline auto
interface FastEthernet0/10
power inline auto
end

Why this answer

The switch had no voice VLAN or PoE configured on the ports. On FastEthernet0/5, you need to add 'switchport voice vlan 150' to separate voice traffic from data, and 'power inline auto' to enable PoE for the IP phone. On FastEthernet0/10, you only need to enable PoE with 'power inline auto' because the AP already has its access VLAN set.

After configuration, 'show interfaces switchport' will confirm the voice VLAN, and 'show power inline' will verify PoE status.

Exam trap

Avoid adding unnecessary commands like setting the access VLAN on a port that already has it configured. Also, use the correct show command: show interfaces switchport for voice VLAN, not show vlan or show interfaces trunk.

Why the other options are wrong

B

The error is adding an unnecessary access VLAN command for the AP port, which is not required and could conflict with existing configuration.

C

The error is using show vlan instead of show interfaces switchport to verify voice VLAN on a port.

D

The error is using show interfaces trunk, which is for trunk ports, not for verifying voice VLAN on an access port.

8
MCQ · hard

A switch port connected to an edge host immediately transitions to forwarding and then later goes err-disabled after a BPDU is received. Which feature combination most likely produced this behavior?

B. NetFlow with SNMP traps
C. OSPF passive-interface with EUI-64
D. WPA3 with CAPWAP
Answer: A

This is correct because PortFast speeds forwarding and BPDU Guard disables the edge port if a BPDU appears.

Why this answer

The most likely combination is PortFast with BPDU Guard. In practical terms, PortFast explains why the port moved quickly into forwarding when the host connected. BPDU Guard explains why the same port later shut down after seeing a BPDU that should not normally appear on an edge port.

This is a very common enterprise edge-port design pattern and a classic exam scenario.

Exam trap

Beware of confusing BPDU Guard with other protection mechanisms like Root Guard or Loop Guard; each serves a different purpose.

Why the other options are wrong

B

NetFlow is used for traffic monitoring and analysis, while SNMP traps are used for network management notifications. Neither feature affects STP behavior or port state transitions; they do not cause a port to go err-disabled upon receiving a BPDU.

C

OSPF passive-interface prevents OSPF from sending routing updates on an interface but does not affect STP or port security. EUI-64 is used for IPv6 address generation. Neither feature relates to BPDU handling or err-disable behavior.

D

WPA3 is a wireless security protocol, and CAPWAP is a control and provisioning protocol for wireless access points. These are entirely unrelated to wired switch port STP behavior and cannot cause a port to go err-disabled due to BPDU reception.

9
MCQ · medium

Two switches are connected by an 802.1Q trunk. Hosts in VLAN 30 cannot communicate across the link, but VLAN 10 works. What is the most likely cause?

A. VLAN 30 is missing from the allowed VLAN list on SW2
B. VLAN 10 must be removed for VLAN 30 to pass
C. The trunk should use ISL instead of 802.1Q
D. The port on SW1 should be changed to access mode
Answer: A

SW2 is only allowing VLANs 10 and 20.

Why this answer

When one VLAN works across a trunk but another does not, the most likely cause is that the failing VLAN is missing from the allowed VLAN list on one or both switches. This is often confirmed by a 'show interfaces trunk' command. Option B is incorrect because removing VLAN 10 would break an already working VLAN and does not address VLAN 30.

Option C is incorrect because both ISL and 802.1Q carry multiple VLANs; the issue is not the encapsulation protocol. Option D is incorrect because changing a trunk port to access mode would disable the trunk entirely, preventing all VLAN traffic.

Exam trap

Beware of confusing native VLAN issues with allowed VLAN list configurations. Native VLAN problems affect untagged traffic, not specific VLANs.

Why the other options are wrong

B

Removing VLAN 10 from the allowed list would break an already functioning VLAN and would not fix VLAN 30.

C

Both ISL and 802.1Q support multiple VLANs; the problem is not the trunking protocol but the allowed VLAN list.

D

Changing a trunk port to access mode would terminate the trunk, preventing all VLAN traffic across the link.

10
MCQ · hard

A switchport connected to another switch should carry VLANs 10, 20, and 30. The interface is operational, but only VLAN 10 works. VLANs 20 and 30 fail. Which explanation is most likely if the port was accidentally configured as an access port in VLAN 10?

A. The interface is carrying only VLAN 10 because an access port does not transport multiple VLANs like a trunk.
B. VLAN 20 and 30 require different IP subnet masks on the switches.
C. Every inter-switch link must use a routed port instead of a trunk.
D. STP blocks all VLANs except VLAN 10 by design.
Answer: A

This is correct because an access-port misconfiguration explains why only the configured VLAN works.

Why this answer

The correct answer is A because an access port is limited to a single VLAN, so only VLAN 10 traverses the link. Option B is incorrect: IP subnet masks are irrelevant on switchports that operate at Layer 2. Option C is incorrect: inter-switch links typically use trunk ports, not routed ports.

Option D is incorrect: STP does not block based on VLAN IDs; it blocks redundant paths, not specific VLANs.

Exam trap

Be careful not to confuse access port limitations with trunk configuration issues. Always verify the port mode when troubleshooting VLAN connectivity.

Why the other options are wrong

B

IP subnet masks are Layer 3 concepts and do not affect Layer 2 VLAN propagation across a switchport. The issue here is purely Layer 2, related to the switchport mode (access vs. trunk), not IP addressing. VLANs 20 and 30 would still fail regardless of subnet mask configuration.

C

Routed ports are Layer 3 interfaces used for routing between networks, not for carrying multiple VLANs. The standard method for carrying multiple VLANs between switches is to use a trunk port, which tags frames with VLAN IDs. A routed port would not solve the issue and would break Layer 2 connectivity.

D

STP (Spanning Tree Protocol) prevents loops by blocking redundant paths, but it does not selectively block specific VLANs based on their VLAN ID. If STP were blocking VLANs 20 and 30, it would be due to a misconfiguration like PVST+ inconsistencies, not by design. The scenario describes a simple access port misconfiguration, not an STP issue.

11
MCQ · medium

Two switches form an EtherChannel. One side is configured with LACP active. Which setting on the other side will successfully negotiate the bundle?

A. PAgP desirable
B. on
C. LACP passive
D. PAgP auto
Answer: C

Correct. Active plus passive will negotiate LACP.

Why this answer

LACP forms when at least one side is active and the other side is active or passive.

Exam trap

Remember that 'on' mode forces the channel without negotiation, and LACP cannot form a channel with PAgP.

Why the other options are wrong

A

PAgP is a Cisco proprietary protocol and cannot negotiate with LACP. Even if one side is set to PAgP desirable, the LACP active side will not respond, resulting in no EtherChannel formation.

B

The 'on' mode creates a static EtherChannel without any negotiation. Since the LACP active side expects LACP PDUs to form the bundle, the static 'on' side will not send or respond to LACP messages, causing a mismatch.

D

PAgP auto is a passive PAgP mode that waits for a PAgP desirable partner. It cannot negotiate with LACP active because the protocols are incompatible.

12
MCQ · hard

Two switches should form an LACP EtherChannel. One side is configured passive, and the other side is also passive. What is the most likely result?

A. The EtherChannel is unlikely to form because neither side initiates LACP negotiation.
B. The EtherChannel always forms because passive mode is stronger than active mode.
C. The link becomes a routed port automatically.
D. Both switches delete the port-channel configuration.
Answer: A

This is correct because passive/passive normally does not start the LACP exchange.

Why this answer

If both sides are passive, the EtherChannel is unlikely to form because passive mode waits for the other side to initiate LACP negotiation. In plain language, both switches are listening, but neither is actively starting the conversation. Because neither side takes the active role, the bundle normally stays down or unformed unless one side is changed to active.

This is a classic LACP negotiation question. It reinforces the difference between valid pairings such as active/active or active/passive and the passive/passive pairing that usually fails to initiate negotiation.

Exam trap

Remember, passive mode waits for the other side to initiate. Ensure at least one side is active to form an EtherChannel.

Why the other options are wrong

B

Passive mode does not initiate LACP negotiation; it only responds to incoming LACP packets. Active mode is the one that actively sends LACP packets. Therefore, passive mode is not stronger than active mode.

C

LACP configuration does not change the interface type; it only bundles multiple physical links into a logical EtherChannel. The interface remains a Layer 2 or Layer 3 port based on its configuration, not a routed port automatically.

D

Passive mode does not cause the switch to delete the port-channel configuration. The configuration remains, but the EtherChannel will not come up because no LACP negotiation occurs.

13
Multi-Select · medium

Which TWO statements correctly describe the behavior of Root Guard, Loop Guard, and BPDU Guard in a Rapid PVST+ environment?

Select 2 answers
A. Root Guard is applied to a port that should never become a root port; if a superior BPDU is received, the port is placed into a root-inconsistent state.
B. Loop Guard is used on root ports to monitor BPDU reception; if BPDUs stop, the port is immediately placed into forwarding mode to maintain connectivity.
C. BPDU Guard is typically configured on access ports and error-disables the port if a BPDU is received, protecting against unauthorized switch connections.
D. Root Guard and BPDU Guard can be enabled simultaneously on the same port to provide both root protection and BPDU filtering.
E. Loop Guard is only effective when configured on ports that are in a blocking state; it prevents them from transitioning to forwarding if BPDUs are not received.
Answers: A, C

Root Guard forces a port to be a designated port. When a superior BPDU is received, the port enters a root-inconsistent (blocked) state to prevent it from becoming a root port.

Why this answer

Option A is correct because Root Guard, applied to a port that should never become a root port, places that port into a root-inconsistent state upon receiving a superior BPDU, blocking traffic to prevent an unauthorized root bridge. Option C is correct because BPDU Guard is typically configured on access ports and error-disables the port if any BPDU is received, protecting against rogue switch connections. Option B is incorrect: when BPDUs stop on a port with Loop Guard, the port is placed into a loop-inconsistent state (blocked), not immediately forwarded, to prevent loops.

Option D is incorrect because Root Guard and BPDU Guard are mutually exclusive and cannot be enabled simultaneously on the same port due to conflicting protective behaviors. Option E is incorrect because Loop Guard is effective on any port that is expected to receive BPDUs, including root ports and alternate/backup ports; it is not limited to ports already in a blocking state, and the statement's use of 'only' makes it false.

Exam trap

Cisco often tests two misconceptions: that Loop Guard immediately forwards traffic when BPDUs stop (in reality it blocks the port to prevent loops), and that Root Guard and BPDU Guard can coexist on the same port (which they cannot, due to conflicting behaviors).

Why the other options are wrong

B

Loop Guard is applied to non-designated ports (alternate or backup ports), not root ports. When BPDUs stop arriving, the port is placed into a loop-inconsistent state (blocked) to prevent loops, not into forwarding mode.

D

Root Guard and BPDU Guard have conflicting behaviors: Root Guard allows BPDU processing to detect superior BPDUs, while BPDU Guard disables the port upon receiving any BPDU. They cannot be enabled simultaneously on the same port because their actions are mutually exclusive.

E

Loop Guard is effective on ports that are in a blocking state (alternate or backup ports), but it does not prevent them from transitioning to forwarding; instead, if BPDUs stop, the port remains in a loop-inconsistent state (blocked) to prevent loops. The statement incorrectly implies that Loop Guard prevents transition, but it actually causes the port to stay blocked.

14
MCQ · hard

A switchport is configured as an access port in VLAN 10, but a user plugs in a small unmanaged switch and connects multiple devices behind it. Which security feature most directly limits that behavior at the switchport?

B. OSPF authentication
C. NetFlow
D. NTP
Answer: A

This is correct because port security can limit MAC addresses learned on the port.

Why this answer

Port security most directly limits that behavior because it can restrict how many MAC addresses are learned on the switchport. In practical terms, if the interface is supposed to support one endpoint but suddenly begins presenting multiple MAC addresses from a downstream mini-switch, port security can detect and react to that change.

This is a classic access-layer control question. VLAN assignment alone does not limit how many devices appear behind the port.

Exam trap

A frequent exam trap is assuming that VLAN assignment alone restricts the number of devices behind a switchport. VLANs only segregate traffic logically and do not prevent multiple MAC addresses from appearing on a port. Another common mistake is selecting unrelated options like OSPF authentication, which secures routing protocol exchanges but does not control Layer 2 access.

NetFlow and NTP are also unrelated to limiting connected devices. The key is recognizing that only port security directly limits how many MAC addresses can be learned on a port, thus controlling the number of connected devices.

Why the other options are wrong

B

OSPF authentication is unrelated to switchport security; it protects routing protocol exchanges but does not control physical or MAC-level access on a switchport.

C

NetFlow is a traffic monitoring tool that provides visibility into network flows but does not enforce any limits on the number of devices connected to a switchport.

D

NTP is used for time synchronization across network devices and does not provide any mechanism to restrict or control devices connected to a switchport.

15
MCQ · medium

An administrator wants a switchport connected to an end device to move to forwarding quickly but does not want that setting used on inter-switch links. Which feature is intended for that edge-port behavior?

D. UDLD aggressive
Answer: A

This is correct because PortFast is intended for host-facing edge ports to speed their transition to forwarding.

Why this answer

PortFast is intended for that exact edge-port behavior: it allows a host-facing access port to skip the usual listening and learning delays and transition directly to forwarding, enabling end devices to come online quickly. Root guard is used to protect the root bridge election by restricting which ports can become root ports; it is not designed for edge ports. Loop guard prevents alternate or root ports from becoming designated in the absence of BPDUs, which is a different STP protection mechanism.

UDLD aggressive mode detects and disables unidirectional links on point-to-point links, typically between switches, not for end-device connections. Therefore, only PortFast meets the requirement for fast forwarding on an edge port without affecting inter-switch links.

Exam trap

Be careful not to confuse PortFast with other STP-related features like BPDU Guard or Root Guard, which serve different purposes.

Why the other options are wrong

B

Root guard is used to protect the root bridge election by restricting ports that could become root ports, not to speed up edge-port forwarding.

C

Loop guard prevents alternate or root ports from becoming designated in the absence of BPDUs, which is unrelated to fast forwarding on host-facing ports.

D

UDLD aggressive mode detects and disables unidirectional links on point-to-point switch links, not for end-device connections.

16
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure inter-VLAN routing between VLANs 10 and 20, using a router-on-a-stick with VLAN 99 as the native VLAN on the trunk link.


Why this order

The correct order is: first create VLANs on the switch to define the VLAN database. Second, assign switch ports to the appropriate VLANs so that end hosts are placed in their correct broadcast domains. Third, configure the switch port facing the router as an 802.1Q trunk and set the native VLAN to 99 – this allows tagged traffic from multiple VLANs to traverse a single link while matching the native VLAN on both sides.

Fourth, enable the router's physical interface (no shutdown) so that subinterfaces can pass traffic. Next, create subinterfaces for each data VLAN, specifying the correct 802.1Q encapsulation and IP address for each VLAN's default gateway. Finally, configure the native VLAN subinterface with the native keyword to ensure that untagged frames from the trunk are handled correctly and that the native VLAN is explicitly defined on the router.

17
MCQ · hard

Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?

A. VLAN 30 is pruned or missing from the allowed VLAN list
B. The native VLAN is set to 1 on both switches
C. The trunk uses 802.1Q encapsulation
D. SW1 is the STP root bridge
Answer: A

Native VLAN settings can matter, but they do not best explain why other VLANs still work while VLAN 30 alone fails.

Why this answer

If only one VLAN fails across an otherwise healthy trunk, a missing or filtered VLAN in the allowed list is a common cause. Native VLAN matching and encapsulation would affect broader trunk behavior, not usually just one VLAN in this way.

Exam trap

Beware of assuming that common trunk issues like native VLAN mismatches affect only one VLAN; they typically affect all VLANs.

Why the other options are wrong

B

The native VLAN mismatch or setting does not cause a single VLAN to fail while others work. Native VLAN issues typically cause all traffic to be mis-tagged or dropped, not just one specific VLAN. Here, other VLANs work fine, so native VLAN is not the problem.

C

802.1Q is the standard trunking encapsulation used in modern networks. Using 802.1Q is correct and does not cause a single VLAN to fail. Both switches must use the same encapsulation, but that is not the issue here.

D

STP root bridge status does not affect which VLANs are allowed on a trunk. STP prevents loops but does not block specific VLANs unless configured with VLAN-based STP (like PVST+). Even then, being the root does not block a VLAN; it only influences port roles.

18
PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two redundant links to SW2 (G0/1 and G0/2). The network administrator wants to use both links for load balancing and redundancy by configuring EtherChannel. You need to configure a Layer 2 EtherChannel using LACP on both switches. The port-channel should be in VLAN 1.

Network Topology
SW1 and SW2 connected by an EtherChannel over their redundant links (topology diagram not reproduced).

Hints

  • LACP uses modes active or passive; both sides must be active or one active and one passive.
  • The physical interfaces must have the same configuration before being added to the port-channel.
  • Apply the switchport settings to the port-channel interface, not to the individual physical interfaces.
A.
  interface port-channel 1
  switchport mode access
  switchport access vlan 1
  interface range GigabitEthernet0/1-2
  channel-group 1 mode active
B.
  interface port-channel 1
  switchport mode trunk
  switchport trunk allowed vlan 1
  interface range g0/1-2
  channel-group 1 mode desirable
C.
  interface port-channel 1
  switchport mode access
  switchport access vlan 1
  interface range g0/1-2
  channel-group 1 mode passive
D.
  interface port-channel 1
  switchport mode access
  switchport access vlan 1
  interface g0/1
  channel-group 1 mode active
  interface g0/2
  channel-group 2 mode active
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

! SW2
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

Why this answer

EtherChannel bundles multiple physical links into a single logical link for load balancing and redundancy. LACP (mode active) negotiates the bundle automatically. The port-channel interface must be configured with the desired switchport settings.

Exam trap

Be careful to distinguish between LACP modes (active/passive) and PAgP modes (desirable/auto). Also, remember that all interfaces in an EtherChannel must use the same channel-group number and have consistent switchport settings. A common mistake is to configure trunk when an access port is needed, or to use passive on both sides, which prevents the bundle from forming.

Why the other options are wrong

B

Uses PAgP mode 'desirable' instead of LACP mode 'active'. Additionally, configuring trunk is unnecessary for a single VLAN access port.

C

Using 'passive' on both sides would prevent the EtherChannel from forming because neither side sends LACP packets.

D

Using different channel-group numbers creates separate EtherChannels, not a single bundle. Both interfaces must be in the same channel-group to form one logical link.

19
Multi-Select (medium)

Which four of the following are characteristics of 802.1Q trunking? (Choose four.)

Select 4 answers
A.The native VLAN frames are transmitted untagged on the trunk.
B.The 802.1Q tag is inserted after the Source MAC address and before the EtherType/Length field.
C.VLANs can be pruned from a trunk to restrict unnecessary traffic.
D.802.1Q encapsulates the entire Ethernet frame with a new header.
E.The 802.1Q tag increases the maximum frame size to 1522 bytes.
F.Dynamic Trunking Protocol (DTP) is required for 802.1Q to function.

Why this answer

802.1Q trunking uses a single native VLAN per trunk, and frames belonging to that VLAN are transmitted without an 802.1Q tag, allowing interoperability with devices that do not understand trunking. The 802.1Q tag is inserted between the Source MAC address and the EtherType/Length field, adding a 4-byte tag that includes the VLAN ID and priority information. VLAN pruning, such as via VTP pruning or manual configuration, allows a switch to restrict unnecessary VLAN traffic from being sent over a trunk, reducing bandwidth waste.

Additionally, the 802.1Q tag increases the maximum Ethernet frame size from 1518 bytes to 1522 bytes, due to the extra 4 bytes inserted.

Exam trap

Candidates often forget that the 802.1Q tag adds 4 bytes to the frame, increasing the maximum Ethernet frame size to 1522 bytes (including the FCS), and may confuse this with the standard 1518-byte limit or think the tag is part of the payload.

Why the other options are wrong

D

802.1Q does not encapsulate the entire Ethernet frame; it inserts a 4-byte tag into the existing frame header, not around it.

F

Dynamic Trunking Protocol (DTP) is not required for 802.1Q to function; trunks can be configured manually without using DTP.
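The 802.1Q behaviour question 19 tests, as an added Python example that is not part of this question bank: it builds and parses tagged frames (tag between source MAC and EtherType, 3-bit PCP, 12-bit VID), shows the 1518/1522-byte maximum sizes, and models a trunk that sends the native VLAN untagged and drops a VLAN missing from its allowed list. MAC addresses use the 00:00:5e:00:53:xx documentation range and every frame is constructed.

```python
"""Build, parse and trunk-forward 802.1Q-tagged Ethernet frames.

Added example (not from the question bank). MAC addresses use the
00:00:5e:00:53:xx documentation range; every frame here is constructed.
"""
import struct

TPID_8021Q = 0x8100    # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4            # frame check sequence the NIC appends
MAX_PAYLOAD = 1500     # standard Ethernet MTU


def mac_bytes(mac: str) -> bytes:
    """'00:00:5e:00:53:01' -> six raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Ethernet II frame without FCS; a 4-byte 802.1Q tag is inserted
    between the source MAC and the EtherType when vlan_id is given."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        if not (0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        tci = (pcp << 13) | (dei << 12) | vlan_id   # TCI = PCP | DEI | VID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def max_frame_size(tagged: bool) -> int:
    """On-the-wire maximum including FCS: 1518 untagged, 1522 tagged."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", ETHERTYPE_IPV4,
                        b"\x00" * MAX_PAYLOAD, vlan_id=10 if tagged else None)
    return len(frame) + FCS_LEN


def trunk_egress(untagged: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Send a frame that belongs to vlan_id out an 802.1Q trunk:
    the native VLAN leaves untagged, every other VLAN gets a tag."""
    p = parse_frame(untagged)
    if p["vlan"] is not None:
        raise ValueError("the forwarding path hands over untagged frames")
    if vlan_id == native_vlan:
        return untagged
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vlan_id=vlan_id)


def trunk_ingress(frame: bytes, native_vlan: int, allowed: set):
    """Classify a frame received on a trunk. Returns (vlan_id, untagged_frame),
    or None when the VLAN is not in the trunk's allowed list (frame dropped)."""
    p = parse_frame(frame)
    vlan_id = native_vlan if p["vlan"] is None else p["vlan"]["vlan_id"]
    if vlan_id not in allowed:
        return None
    return vlan_id, build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
```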

20
MCQ (medium)

What is a common requirement for interfaces to successfully bundle into an EtherChannel?

A.All member interfaces must use matching speed, duplex, and trunk/access settings
B.Each interface must belong to a different VLAN
C.Only odd-numbered switch ports can be bundled
D.Each interface must have a different STP path cost
Answer: A

Correct. Mismatched settings commonly prevent bundling.

Why this answer

EtherChannel members must have compatible operational and administrative settings, including speed, duplex, and switchport mode.

Exam trap

Remember that EtherChannel is concerned with Layer 2 settings like speed and duplex, not Layer 3 settings like IP addresses.

Why the other options are wrong

B

EtherChannel does not require interfaces to be in different VLANs; in fact, all member interfaces must have the same VLAN configuration (either all access ports in the same VLAN or all trunk ports with the same allowed VLAN list). Placing interfaces in different VLANs would violate the consistency requirement and prevent bundling.

C

Port numbering (odd or even) has no bearing on EtherChannel eligibility; any physical ports on a switch can be bundled as long as they meet the configuration consistency requirements. The restriction is based on hardware capabilities, not port numbers.

D

STP path cost is a per-interface value used by Spanning Tree Protocol to determine the best path to the root bridge; it is not a requirement for EtherChannel bundling. In fact, when interfaces are bundled, STP treats the EtherChannel as a single logical link, and all member interfaces share the same STP state.

21
Multi-Select (medium)

Which TWO statements correctly describe the configuration and behavior of a router-on-a-stick setup for inter-VLAN routing?

Select 2 answers
A.Each subinterface on the router must be configured with an IP address that belongs to the corresponding VLAN's subnet.
B.The switch port connecting to the router must be configured as an access port in VLAN 1.
C.The native VLAN on the trunk must be the same VLAN as the one used for management traffic.
D.The router's physical interface must be in 'no shutdown' state, but subinterfaces do not require a separate 'no shutdown' command.
E.The router's subinterface for the native VLAN must use the 'encapsulation dot1q <vlan-id> native' command.
Answers: A, D

For the router to route traffic for a VLAN, the subinterface must have an IP address in the same subnet as that VLAN. This allows the router to act as the default gateway for hosts in that VLAN.

Why this answer

Option A is correct because each subinterface is assigned an IP address in the subnet of its corresponding VLAN, enabling the router to act as the default gateway and route between VLANs using 802.1Q tags. Option D is correct because the physical interface must be 'no shutdown' to pass traffic, and subinterfaces inherit this state; they do not have their own shutdown command. Option B is incorrect because the switch port connecting to the router must be configured as a trunk port, not an access port, to carry multiple VLANs.

Option C is incorrect because the native VLAN on the trunk does not have to be the same as the management VLAN; they are separate concepts. Option E is incorrect because the 'encapsulation dot1q <vlan-id> native' command is only needed on the subinterface for the native VLAN to tag or untag frames appropriately; it is not required for all native VLAN configurations (e.g., if the native VLAN is left at default 1, the command may be optional).

Exam trap

The trap here is that candidates often think subinterfaces need a separate 'no shutdown' command, but Cisco tests that the physical interface must be 'no shutdown' and subinterfaces inherit that state, making option D correct.

Why the other options are wrong

B

The switch port must be a trunk port to carry multiple VLANs, not an access port assigned to VLAN 1.

C

The native VLAN on the trunk is used for untagged traffic and does not have to match the management VLAN.

E

The 'encapsulation dot1q <vlan-id> native' command is not always required for the native VLAN; it depends on whether the native VLAN is used for a subinterface.

22
Matching (medium)

Drag and drop the items on the left to match the descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Sets the switch port to permanent access mode

Configures the port as an 802.1Q trunk

Assigns VLAN 10 to the access port for data traffic

Specifies VLAN 20 for voice traffic on the port

Restricts the trunk to carry only VLANs 10 and 20

Why these pairings

Access ports carry traffic for a single VLAN and are configured with switchport mode access. Voice VLANs are added to an access port with switchport voice vlan to separate voice and data traffic. Trunk ports carry multiple VLANs and are set with switchport mode trunk; allowed VLANs can be restricted with switchport trunk allowed vlan.

23
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

VLAN creation precedes port assignment; trunking configuration follows access port assignment; verification is last.

Exam trap

The exam trap is that candidates may confuse the order of VLAN creation and port assignment, or think trunking should be configured before access ports. Remember: VLANs must exist first, then assign ports, then configure trunking, then verify.

24
PBQ (hard)

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The port-channel interface must be configured as a trunk allowing VLANs 10, 20, and 30. Currently, the channel is not forming due to a mismatch in speed/duplex and VLAN configuration on SW2. Troubleshoot and resolve the issue so that the EtherChannel comes up as a Layer 2 trunk.

Network Topology
[Topology diagram: SW1 Gi0/1 to SW2 Gi0/1, LACP EtherChannel]

Hints

  • Check the speed and duplex settings on SW2's physical interfaces.
  • Compare the allowed VLAN list on SW2's physical interfaces to the port-channel trunk.
  • Use 'show etherchannel summary' to see if ports are bundled or down.
A.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20,30.
B.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 100, duplex half, and on the port-channel interface, set allowed VLANs to 10,20,30.
C.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20.
D.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 1-4094.
Answer: A
Solution
! SW2
interface GigabitEthernet0/1
speed 1000
duplex full
interface GigabitEthernet0/2
speed 1000
duplex full
! the allowed VLAN list belongs on the port-channel interface, which pushes it to the members
interface Port-channel1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Why this answer

The EtherChannel is not forming because SW2's interfaces have speed 100 and duplex half, while SW1's interfaces have speed 1000 and duplex full. Additionally, the allowed VLANs on SW2's trunk must include VLAN 30, and this should be configured on the port-channel interface, not the physical interfaces. To fix, on SW2, set the speed to 1000 and duplex to full on Gi0/1 and Gi0/2, then on the port-channel interface, configure allowed VLANs 10,20,30.

After these changes, the channel will come up as a Layer 2 trunk.

Exam trap

The exam trap is that candidates may focus solely on the speed/duplex mismatch and forget to verify the VLAN allowed list on the trunk. Also, they might incorrectly try to match by lowering SW1's settings instead of raising SW2's.

Why the other options are wrong

B

The specific factual error is that LACP requires all member interfaces to have identical speed and duplex settings; changing SW2 to 100/half does not match SW1's 1000/full.

C

The specific factual error is that the trunk must allow all required VLANs; omitting VLAN 30 violates the requirement.

D

The specific factual error is that the configuration does not match the requirement to allow only VLANs 10, 20, and 30; it allows all VLANs instead.

25
Drag & Drop (medium)

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order for embedded packet capture on IOS-XE is: configure the capture point first (to define the traffic filter), then define the capture buffer, start the capture, stop the capture, and finally export the capture. Starting the capture after configuring both the point and buffer ensures that traffic is captured correctly. Exporting before stopping may result in incomplete data.

Exam trap

Do not confuse the order of configuring the capture point and defining the buffer. The capture point must be configured first because it defines the traffic filter, and the buffer is associated with that capture point. Also, always stop the capture before exporting to avoid incomplete data.

26
MCQ (hard)

A switch trunk must carry VLANs 10, 20, and 30, but traffic for VLAN 20 is failing. The trunk allowed list on one side is `10,30`. What is the most likely cause?

A.VLAN 20 is missing from the allowed VLAN list on one side of the trunk.
B.The trunk must be converted to an access port for VLAN 20 to work.
C.VLAN 20 must always be the native VLAN.
D.The switches must both use ISL instead of 802.1Q.
Answer: A

This is correct because the trunk is explicitly not permitting VLAN 20 on that side.

Why this answer

The most likely cause is that VLAN 20 is not in the allowed VLAN list on one side of the trunk. Option B is incorrect because converting the trunk to an access port would block all other VLANs, not just fix VLAN 20. Option C is incorrect because there is no requirement that VLAN 20 must be the native VLAN; native VLAN is unrelated to allowed list filtration.

Option D is incorrect because ISL vs 802.1Q does not affect per-VLAN filtering; the allowed list is a separate configuration independent of the encapsulation type.

Exam trap

Focus on the allowed list configuration, not on VLAN existence or trunk mode. Misconfigurations in allowed lists are a common trap.

Why the other options are wrong

B

Converting the trunk to an access port would remove all other VLANs, not solve the selective failure for VLAN 20.

C

There is no requirement that VLAN 20 must be the native VLAN; the native VLAN is used for untagged traffic and is unrelated to the allowed VLAN list.

D

The encapsulation type (ISL vs 802.1Q) does not affect per-VLAN allowed lists; the issue is purely about the allowed list configuration.

27
MCQ (hard)

Two switches are bundled with LACP, but only one physical link is forwarding traffic in the port-channel. What is the most likely reason?

A.One member interface has a trunk configuration mismatch
B.LACP requires exactly one active and one passive side only
C.STP blocks all but one interface inside every EtherChannel
D.EtherChannel cannot be used on trunk ports
Answer: A

A mismatch in Layer 2 settings is a classic reason a link is suspended or left out of the channel.

Why this answer

For an EtherChannel to form correctly, the member interfaces must match on key settings such as speed, duplex, trunking, and allowed VLAN list. A mismatch keeps one link from bundling even if LACP is enabled on both sides.

Exam trap

Be careful not to confuse individual link issues with overall port-channel configuration problems. Ensure all settings match across member interfaces.

Why the other options are wrong

B

LACP supports active-active mode where both sides are configured as active, which is a common and valid configuration. The statement that LACP requires exactly one active and one passive side is incorrect; active-passive is just one possible combination.

C

STP treats the entire EtherChannel as a single logical interface, so it does not block individual member links. STP will only block the port-channel itself if there is a loop, but it does not block all but one interface inside the channel.

D

EtherChannel is commonly used on trunk ports to increase bandwidth and provide redundancy between switches. There is no restriction that prevents EtherChannel from being used on trunk ports; in fact, it is a best practice for inter-switch links.

28
Multi-Select (medium)

Which TWO of the following statements about Spanning Tree Protocol (STP) and Rapid PVST+ are true?

Select 2 answers
A.The root bridge in STP is elected based on the lowest bridge ID.
B.The root bridge in STP is elected based on the highest bridge ID.
C.PortFast automatically enables BPDU Guard on an interface.
D.BPDU Guard places a PortFast-enabled port into an error-disabled state if a BPDU is received.
E.Rapid PVST+ uses a different root bridge election process than traditional STP.
Answers: A, D

The bridge ID consists of priority and MAC address; the switch with the lowest bridge ID becomes the root bridge.

Why this answer

Option A is correct because the root bridge in STP is elected based on the numerically smallest bridge ID (priority + MAC address). Option D is correct because BPDU Guard, when enabled on a PortFast-enabled port, immediately error-disables the port if a BPDU is received, protecting against accidental loops. Option B is incorrect because the root bridge is chosen by the lowest bridge ID, not the highest.

Option C is incorrect because PortFast and BPDU Guard are independent features; PortFast does not automatically enable BPDU Guard. Option E is incorrect because both traditional STP (802.1D) and Rapid PVST+ (RSTP-based) use the same root bridge election process—lowest bridge ID.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are automatically linked, when in fact they are separate features that must be configured independently, and the trap is that candidates assume enabling PortFast also enables BPDU Guard.

Why the other options are wrong

B

The root bridge is elected based on the lowest bridge ID, not the highest.

C

PortFast does not automatically enable BPDU Guard; they must be configured separately.

E

Rapid PVST+ uses the same root bridge election process (lowest bridge ID) as traditional STP.

29
Multi-Select (medium)

Which four of the following are considered best practices for securing switch ports and preventing Layer 2 attacks? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.Disable unused ports and place them in a shutdown state.
B.Enable PortFast and BPDU guard on all ports that connect to end devices.
C.Use MAC address filtering as the sole security measure to prevent unauthorized access.
D.Implement DHCP snooping to prevent rogue DHCP server attacks.
E.Configure dynamic ARP inspection (DAI) to prevent ARP spoofing.
F.Set the native VLAN to a higher number than the default VLAN 1 on trunk links.

Why this answer

Disabling unused ports and placing them in a shutdown state (A) prevents unauthorized physical access and stops Layer 2 attacks like rogue device connections or VLAN hopping. Enabling PortFast and BPDU guard on ports connecting to end devices (B) speeds up STP convergence and protects against rogue switch loops. DHCP snooping (D) prevents rogue DHCP server attacks by filtering untrusted DHCP messages.

Dynamic ARP inspection (E) uses DHCP snooping bindings to validate ARP packets and prevent ARP spoofing. Setting the native VLAN to a higher number (F) is not a best practice; the recommended approach is to change the native VLAN to an unused VLAN on both ends of the trunk and explicitly tag it. MAC address filtering as the sole measure (C) is easily bypassed and must be combined with port security or 802.1X.

Exam trap

Cisco often tests the misconception that MAC address filtering is a strong standalone security measure, when in reality it is trivial to bypass and must be combined with other features like 802.1X or port security with sticky MAC addresses to be effective.

30
MCQ (hard)

A trunk link between two switches is up, but voice phones connected through one access switch no longer receive the correct voice VLAN treatment. Data users still pass traffic. Which area should be checked first?

A.Whether the voice VLAN is being carried and handled correctly across the switching path.
B.Whether OSPFv3 neighbors are fully adjacent on the phone switch ports.
C.Whether the wireless controller has the correct guest SSID.
D.Whether BGP uses a lower metric than the static route.
Answer: A

This is correct because selective failure affecting phones points to voice-VLAN handling rather than complete link failure.

Why this answer

The first area to check is the end-to-end handling of the voice VLAN across the switching path. In practical terms, the data VLAN can still work while the voice VLAN experiences a forwarding, configuration, or policy problem. Because the phones depend on the correct voice VLAN behavior, that VLAN path should be examined first rather than assuming the whole trunk is broken.

This is a selective-services troubleshooting question. One class of traffic can fail even when ordinary user data still works.

Exam trap

Be cautious not to assume that a general network issue is the cause when only specific traffic types are affected. Focus on the specific VLAN configuration first.

Why the other options are wrong

B

OSPFv3 is an IPv6 routing protocol and has no role in Layer 2 voice VLAN handling on access ports. The issue is about VLAN assignment and trunking, not routing protocol adjacency.

C

The scenario involves wired switches and IP phones, not wireless LAN. Guest SSID configuration on a wireless controller is unrelated to voice VLAN treatment on a wired trunk link.

D

BGP is an exterior routing protocol used for interdomain routing, not for Layer 2 VLAN handling. The symptom is about voice VLAN treatment on a trunk, which is unrelated to BGP metrics or static routes.

31
MCQ (hard)

A switch port configured with PortFast and BPDU Guard receives a BPDU and transitions to an error-disabled state. Which statement best explains why this is considered useful protection?

A.It prevents a port expected to be an edge port from accidentally becoming part of the switching topology and causing loops.
B.It increases the port's bandwidth by combining multiple links.
C.It automatically enables VLAN trunking on the port.
D.It forces the port to use Rapid Spanning Tree Protocol for faster convergence.
Answer: A

This matches the purpose of PortFast combined with BPDU Guard: to protect the network when an edge port unexpectedly receives BPDUs, indicating a potential loop condition.

Why this answer

PortFast is used on edge ports to bypass STP listening/learning, but if a BPDU is received, the assumption that the port is an edge port is violated. BPDU Guard then error-disables the port to prevent potential loops or topology disruptions. This protects the network when an edge port unexpectedly connects to another switch, which could cause a bridging loop.

The other options describe unrelated features or incorrect mechanisms.

Exam trap

Remember that BPDU Guard disables the port, not just logs or adjusts its role. It's a protective measure, not a monitoring tool.

Why the other options are wrong

B

Increasing port bandwidth by combining links is done via EtherChannel, not related to BPDU Guard or loop prevention.

C

VLAN trunking is automatically negotiated via DTP or manually configured, not triggered by BPDU Guard or PortFast.

D

Forcing Rapid Spanning Tree Protocol is not a function of PortFast or BPDU Guard; they are separate STP optimizations.

32
Matching (medium)

Match each VLAN-related term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The VLAN assigned to a normal end-device access port

The VLAN used to carry phone voice traffic separately

A link carrying traffic for multiple VLANs

The VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Each term serves a specific purpose: the access VLAN for end devices, a trunk link for carrying multiple VLANs over one link, the native VLAN for untagged frames, the voice VLAN for phones, the management VLAN for admin access, and the data VLAN for user traffic.

Exam trap

Be careful not to confuse the function of a trunk link with a VLAN type. Also, remember that native VLAN and voice VLAN are not separate VLAN types; they are specific uses of data VLANs.

33
MCQ (hard)

A network engineer is configuring an EtherChannel between two switches. After applying the configuration, the port-channel fails to form. What is the most likely reason?

A.The member links use different switchport modes, so the channel cannot form correctly.
B.LACP requires both interfaces to use different channel-group numbers.
C.The interfaces must both be configured for PPP.
D.The bundle fails because BGP is not enabled on the switch.
Answer: A

This is correct because trunk/access inconsistency breaks EtherChannel compatibility.

Why this answer

The port-channel is not forming because the two member interfaces are not configured consistently. In practical terms, EtherChannel requires important characteristics to align across candidate member links. Here, one interface is a trunk and the other is configured as an access port, so the channel cannot be built cleanly.

This is a classic EtherChannel consistency problem. The protocol alone is not enough if the member-link settings disagree.

Exam trap

Always verify interface configurations for consistency when troubleshooting EtherChannel issues.

Why the other options are wrong

B

LACP requires that all member interfaces in the same port-channel use the same channel-group number. Using different numbers would place them in separate bundles, preventing the intended aggregation.

C

PPP is a Layer 2 encapsulation used on serial links, not on Ethernet switch ports. EtherChannel on Cisco switches uses Ethernet frames, and PPP is irrelevant to the configuration of port-channels.

D

BGP is a routing protocol that operates at Layer 3 and is not required for EtherChannel formation. EtherChannel is a Layer 2 technology that bundles physical links into a single logical link, independent of any routing protocol.
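The member-consistency requirement that questions 20, 24, 27 and 33 all turn on, as an added Python checker that is not part of this question bank: it parses an IOS-style running-config excerpt, finds the interfaces in a channel-group, and reports any speed, duplex, switchport-mode or allowed-VLAN disagreement between members or against the Port-channel interface. The config excerpt is constructed after the SW2 scenario in question 24; treating an unset command as the string 'default' is this script's own convention.

```python
"""Check EtherChannel member interfaces for the consistency the page requires.

Added example (not from the question bank). SAMPLE_CONFIG is constructed
to resemble the SW2 scenario in question 24, not taken from a real device.
"""
import re
from collections import defaultdict

# Per-interface settings that must agree across members (speed, duplex,
# switchport mode, VLAN configuration), as the page's explanations state.
COMPARED = (
    "speed", "duplex", "switchport mode",
    "switchport access vlan", "switchport trunk allowed vlan",
)
CHANNEL_RE = re.compile(r"^channel-group (\d+) mode (\S+)$")
LACP_MODES, PAGP_MODES = {"active", "passive"}, {"desirable", "auto"}

SAMPLE_CONFIG = """\
! constructed sample modelled on SW2 in question 24
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 speed 100
 duplex half
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 switchport mode access
"""


def parse_interfaces(config: str) -> dict:
    """Split an IOS-style config into {interface name: [indented commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif current is not None and line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = None          # back at global configuration
    return sections


def settings_of(cmds: list) -> dict:
    """Extract the compared settings; a command never issued reads 'default'."""
    settings = {key: "default" for key in COMPARED}
    for cmd in cmds:
        for key in COMPARED:
            if cmd.startswith(key + " "):
                settings[key] = cmd[len(key) + 1:]
    return settings


def check_channel(config: str, group: int) -> list:
    """Return findings (dicts with 'check' and 'detail') for one channel-group."""
    ifaces = parse_interfaces(config)
    members, modes = {}, {}
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = CHANNEL_RE.match(cmd)
            if m and int(m.group(1)) == group:
                members[name], modes[name] = settings_of(cmds), m.group(2)
    findings = []
    if len(members) < 2:
        findings.append({"check": "members",
                         "detail": f"only {len(members)} member(s) in channel-group {group}"})
    used = set(modes.values())
    if used & LACP_MODES and used & PAGP_MODES:   # LACP and PAgP keywords mixed
        findings.append({"check": "protocol", "detail": f"LACP/PAgP modes mixed: {modes}"})
    for key in COMPARED:                          # members must agree with each other
        by_value = defaultdict(list)
        for name, s in members.items():
            by_value[s[key]].append(name)
        if len(by_value) > 1:
            findings.append({"check": key, "detail": f"{key} differs: {dict(by_value)}"})
    pc = ifaces.get(f"Port-channel{group}")       # and with the logical interface
    if pc is not None:
        pc_settings = settings_of(pc)
        for name, s in members.items():
            for key in COMPARED:
                if pc_settings[key] != "default" and s[key] != pc_settings[key]:
                    findings.append({"check": "port-channel",
                                     "detail": f"{name}: {key} '{s[key]}' vs "
                                               f"Port-channel{group} '{pc_settings[key]}'"})
    return findings


if __name__ == "__main__":
    for finding in check_channel(SAMPLE_CONFIG, 1):
        print(f"[{finding['check']}] {finding['detail']}")
```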

34
PBQ (hard)

You are connected to R1. Configure R1 and SW1 so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate via the router-on-a-stick setup. The current configuration has errors: the trunk port between SW1 and R1 has a native VLAN mismatch, VLAN 30 is not allowed on the trunk, and the subinterface encapsulation is incorrect. Correct these issues and enable inter-VLAN routing.

Network Topology
[Topology diagram: SW1 G0/1 connected by a trunk to R1]

Hints

  • Check the native VLAN on both ends of the trunk: R1's subinterface .30 should use the native keyword.
  • Ensure VLAN 30 is allowed on the SW1 trunk; you may need to add it to the allowed list.
  • Enable ip routing globally on R1 to route between VLANs.
A.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 99 native; on SW1, allow VLAN 30 on the trunk interface.
B.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, remove VLAN 30 from the trunk allowed list.
C.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, set the native VLAN to 1 on the trunk.
D.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, configure the trunk to allow only VLANs 10 and 20.
Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/0.30
! the native VLAN ID must match SW1's native VLAN 99, not 30
encapsulation dot1Q 99 native
exit
interface GigabitEthernet0/0
no shutdown
exit
ip routing
exit
copy running-config startup-config

! SW1 (trunk interface name taken from the topology)
configure terminal
interface GigabitEthernet0/1
switchport trunk allowed vlan add 30
end

Why this answer

The native VLAN on SW1 is 99 but R1's physical interface defaults to VLAN 1, causing a mismatch. To fix this, R1's subinterface Gi0/0.30 must be set with encapsulation dot1Q 99 native, making R1's native VLAN 99 and matching SW1. VLAN 30 is not allowed on the trunk, preventing any traffic in that VLAN; it must be added to the trunk's allowed list on SW1.

After these corrections, inter-VLAN routing for VLANs 10 and 20 will function correctly.

Exam trap

Candidates often assume that setting a subinterface's encapsulation to 'dot1Q 30 native' will fix any mismatch, but the native VLAN ID must be explicitly aligned with the switch's native VLAN configuration.

Why the other options are wrong

B

The specific factual error: VLAN 30 must be allowed on the trunk for the router to receive and forward traffic for that VLAN.

C

The specific factual error: The native VLAN must match on both ends of the trunk; changing SW1 to VLAN 1 would not resolve the mismatch with R1's native VLAN 30.

D

The specific factual error: The trunk must allow all VLANs that need to be routed, including the native VLAN (30), otherwise the router cannot communicate with hosts in VLAN 30.

35
PBQ (hard)

You are connected to a multilayer switch MLS1. Configure FastEthernet0/1 as an access port for an IP phone and a PC, with voice VLAN 20 and data VLAN 10. Also enable PoE on the port. Then verify the configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • The interface currently has 'no switchport' — remove that to make it a Layer 2 port.
  • You need to set both access VLAN and voice VLAN using the switchport command.
  • PoE is currently disabled globally or per interface — enable it with 'power inline auto'.
A.
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20
  power inline auto
  no shutdown
B.
  interface FastEthernet0/1
  no switchport
  ip address 192.168.1.1 255.255.255.0
  power inline auto
  no shutdown
C.
  interface FastEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  power inline auto
  no shutdown
D.
  interface FastEthernet0/1
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20
  power inline never
  no shutdown
Answer: A
Solution
! MLS1
configure terminal
interface FastEthernet0/1
! return the port to Layer 2 (it currently has 'no switchport')
switchport
switchport mode access
switchport access vlan 10
switchport voice vlan 20
power inline auto
no shutdown
end

Why this answer

Option A is correct because it configures FastEthernet0/1 as an access port with data VLAN 10, voice VLAN 20, and PoE enabled, which is the required setup for an IP phone and PC. Option B is incorrect because 'no switchport' makes the interface a routed port (Layer 3), but it needs to be a Layer 2 access port to support an IP phone and PC. Option C is incorrect because trunk mode is used for switch-to-switch links, not for connecting end devices like an IP phone and PC.

Option D is incorrect because 'power inline never' disables PoE, but the IP phone requires power; it should use 'power inline auto'.

Exam trap

The trap is that candidates may incorrectly use 'no switchport' to make the interface a routed port, or use trunk mode instead of access mode with voice VLAN. Remember that for end devices, the port must be an access port; the voice VLAN is configured separately. Also, ensure PoE is enabled with 'auto', not 'never'.

Why the other options are wrong

B

'no switchport' creates a routed port, which cannot handle VLANs for an IP phone and PC.

C

Trunk mode is for inter-switch links, not for end devices; access mode is required.

D

'power inline never' disables PoE, but the IP phone needs power from the switch.

36
MCQ (hard)

A phone and PC share one switchport. The phone registers successfully, but the workstation receives an address from the wrong subnet. Which explanation is strongest?

A.The workstation is likely in the wrong data VLAN even though the phone is in the correct voice VLAN.
B.If the phone works, the data VLAN must also be correct automatically.
C.The problem must be CAPWAP because phones require AP controllers.
D.The phone registration proves that DHCP cannot be the issue for the PC.
AnswerA

This is correct because the voice VLAN and the data (access) VLAN are two separate assignments on the same physical port, so one can be right while the other is wrong.

Why this answer

Option A is correct because the phone and PC share a single switchport configured with separate voice and data VLANs. The phone successfully registers in the voice VLAN, but the workstation receives an IP address from the wrong subnet, indicating it is placed in an incorrect data VLAN. This typically occurs when the switchport's access VLAN (data VLAN) is misconfigured or mismatched with the workstation's expected subnet, while the voice VLAN (often using 802.1Q tagging) is correctly set for the phone.

Exam trap

Cisco often tests the misconception that if the phone works, the entire port configuration is correct, but the trap here is that the voice and data VLANs are independent, so a misconfigured access VLAN can still cause the PC to receive an incorrect IP address.

Why the other options are wrong

B

This statement is incorrect because voice and data VLANs are independent on a switchport configured with separate VLANs. The phone successfully registering on the voice VLAN does not guarantee that the data VLAN is correctly configured; the PC could still be assigned to a different VLAN or subnet due to misconfiguration.

C

CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for wired switchport configuration. The scenario describes a wired phone and PC sharing a switchport, which is unrelated to wireless controllers.

D

The phone's successful registration does not rule out DHCP issues for the PC. The PC could be receiving an IP address from a DHCP server that is on the wrong subnet or VLAN, or the DHCP relay might be misconfigured for the data VLAN. The phone's DHCP success is independent of the PC's DHCP process.

37
MCQhard

After configuring a trunk port to allow VLAN 40, a technician finds that VLAN 40 is not listed among the VLANs in spanning tree forwarding state in the show interfaces trunk output. What is the most likely cause?

A.The trunk port is using ISL encapsulation, which does not support VLAN 40.
B.The technician omitted the 'add' keyword when adding VLAN 40 to the allowed list, so the trunk no longer permits VLAN 40.
C.VLAN 40 has not been created in the VLAN database on the switch.
D.VTP pruning is enabled, and VLAN 40 is not needed by any downstream neighbor, so it is pruned from this trunk.
AnswerC

A VLAN must exist in the local VLAN database before the switch can run a spanning-tree instance for it and forward its frames. A VLAN that is permitted on the trunk but has never been created still appears in the 'Vlans allowed on trunk' section of show interfaces trunk, but it is absent from 'Vlans allowed and active in management domain' and therefore also from 'Vlans in spanning tree forwarding state and not pruned'. That is the exact symptom presented.

Why this answer

Even if a VLAN is included in the trunk's allowed list, the switch cannot forward frames for that VLAN unless it exists in the local VLAN database. A non-existent VLAN is listed as allowed but never becomes active, so it will not show as forwarding in show interfaces trunk. The allowed-list command worked; the missing VLAN definition is what keeps the VLAN off the trunk. A quick 'show vlan brief' confirms whether VLAN 40 exists.

Exam trap

Option B: the classic mistake of omitting the 'add' keyword when modifying the allowed list is tempting because it is a very common trunk configuration error. However, that error would result in the VLAN not even appearing in the allowed list column, not simply missing from the forwarding state. The question states the VLAN was added to the allowed list, so the missing VLAN database entry is the correct culprit.

Why the other options are wrong

A

Candidates might associate VLAN support with trunk encapsulation types, but ISL fully supports VLAN 40. This is a distractor.

B

This is a common operational mistake, but the resulting output would show VLAN 40 missing from the 'Vlans allowed' column, not from the forwarding list.

D

Candidates might confuse local pruning (due to non-existent VLAN) with VTP pruning. VTP pruning would also require a multi-switch VTP domain and is less likely in a standalone troubleshooting scenario.

38
MCQmedium

In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?

A.One IP address for every VLAN on the physical interface itself only
B.No subinterfaces; the switch handles all inter-VLAN routing internally
C.Subinterfaces with 802.1Q encapsulation for each routed VLAN
D.A serial encapsulation setting for each VLAN
AnswerC

Correct. Subinterfaces with dot1q encapsulation are the key configuration element.

Why this answer

Router-on-a-stick uses one physical router interface with multiple logical subinterfaces. Each subinterface is bound to a VLAN with `encapsulation dot1Q <vlan-id>` (the one subinterface that serves the trunk's native VLAN adds the `native` keyword, so its frames arrive untagged) and gets an IP address in that VLAN's subnet. Option A is wrong because IP addresses are configured on subinterfaces, not directly on the physical interface for all VLANs.

Option B is wrong because inter-VLAN routing requires a router; the switch alone does not perform inter-VLAN routing in this design. Option D is wrong because serial encapsulation is used for WAN connections, not for VLAN tagging on Ethernet interfaces.

Exam trap

Avoid confusing switch VLAN configurations with router subinterface configurations. Remember that routers require subinterfaces for VLAN handling.

Why the other options are wrong

A

IP addresses for multiple VLANs are configured on subinterfaces, not directly on the physical interface.

B

Inter-VLAN routing requires a router; the switch does not route between VLANs internally in a router-on-a-stick design.

D

Serial encapsulation is used for WAN serial links, not for VLAN tagging on Ethernet interfaces.

39
Multi-Selectmedium

Which three options correctly describe the behavior or configuration of EtherChannel? (Choose three.)

Select 3 answers
A.EtherChannel can bundle up to 8 active physical links of the same type.
B.All interfaces in the EtherChannel must have the same VLAN allowed list or trunk mode.
C.Load balancing is based on a hash algorithm that can use source MAC, destination MAC, IP, or port numbers.
D.EtherChannel provides redundancy by forwarding traffic out all active links simultaneously.
E.PAgP is an industry-standard protocol for forming EtherChannels.
F.EtherChannel interfaces are configured as individual switch ports in the running-config.
AnswersA, B, C

Why this answer

EtherChannel allows bundling up to 8 active physical links of the same type (e.g., all FastEthernet or all GigabitEthernet) to increase bandwidth and provide redundancy. All interfaces in the bundle must have consistent VLAN allowed lists and trunk mode configurations (or, for access ports, the same access VLAN) to avoid traffic misdirection or loops. Load balancing uses a hash algorithm that can be based on source MAC, destination MAC, source/destination IP, or TCP/UDP port numbers; the default varies by platform (source MAC on many older Catalyst models), and 'show etherchannel load-balance' shows what is in effect. The remaining statements are wrong: each frame is hashed onto one link of the bundle rather than sent out every link, PAgP is Cisco-proprietary (LACP is the IEEE standard), and the bundle is configured and displayed as a port-channel interface, not as unrelated individual ports.

Exam trap

Cisco often tests that EtherChannel can bundle up to 8 active links (not 16, which includes standby in LACP), and that all interfaces must have matching VLAN and trunk settings, but candidates may mistakenly think load balancing is round-robin or that different link types can be mixed.

40
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, then export to Wireshark to isolate a Layer 2 or Layer 3 fault.

Why this order

First enter privileged mode, then define the capture buffer, specify the interface and direction, start the capture, stop it after collecting data, export to a .pcap file, then transfer and analyze in Wireshark.

Exam trap

Be careful with the order of operations: the buffer must be defined before the capture point, and the capture must be stopped before exporting. Also, remember that these commands are executed in privileged EXEC mode, not global configuration mode.

41
MCQhard

A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?

A.Port security
B.EtherChannel
C.OSPF passive-interface
D.Native VLAN
AnswerA

This is correct because port security can enforce a maximum number of MAC addresses on the switchport.

Why this answer

The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. On Cisco IOS that is `switchport port-security` together with `switchport port-security maximum 1` (1 is already the default maximum, but pinning it makes the intent explicit) and a violation action; the interface must be a static access port (`switchport mode access`) before port security can be enabled. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not.

This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.

Exam trap

Don't confuse VLAN assignment or ACLs with port security; they serve different functions.

Why the other options are wrong

B

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, not to limit MAC address learning on a single port. It does not provide any mechanism to restrict the number of MAC addresses learned on a switchport.

C

OSPF passive-interface is a routing protocol feature used to prevent OSPF from sending hello messages on an interface, typically used on interfaces that do not have OSPF neighbors. It has no effect on MAC address learning or switchport security.

D

Native VLAN is a concept used on trunk ports to specify the VLAN that carries untagged traffic. It does not control MAC address learning or limit the number of MAC addresses on a switchport.

42
MCQmedium

In a controller-based WLAN, what is the main job of the access point?

A.To provide the radio connection between wireless clients and the network
B.To replace the wireless LAN controller entirely
C.To act as the default gateway for every wired VLAN
D.To perform OSPF route summarization for wireless users
AnswerA

This is correct because the AP handles the local wireless connectivity.

Why this answer

The main job of the access point is to provide the actual radio connection between wireless clients and the network. In practical terms, the controller may centralize policy and management, but the AP is still the device that transmits and receives the wireless frames in the local area.

This distinction matters because CCNA wireless questions often separate the controller’s management role from the AP’s RF and client-connectivity role.

Exam trap

Remember that access points handle RF communication, while controllers manage policies and configurations. Don't confuse these roles.

Why the other options are wrong

B

In a controller-based WLAN, the access point is a lightweight device that relies on the wireless LAN controller (WLC) for management, control, and data forwarding decisions. The AP cannot replace the controller because it lacks the necessary intelligence and processing power to perform controller functions such as RF management, client authentication, and mobility services.

C

The access point does not act as a default gateway for wired VLANs. Default gateway functionality is provided by routers or Layer 3 switches that route traffic between different subnets. The AP's role is limited to wireless access and forwarding client traffic to the wired network, typically through the controller or directly to the switch.

D

OSPF route summarization is a routing protocol function performed by routers or Layer 3 switches, not by access points. APs are not involved in routing protocol operations; they focus on wireless connectivity and may forward traffic to the controller or wired network without participating in dynamic routing.

43
PBQhard

You are connected to SW1. The current configuration on SW1 is: interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are set to channel-group mode passive; Gi0/1 has speed 100, duplex half, and access VLAN 10; Gi0/2 has speed 1000, duplex full, and access VLAN 20. You need to form an LACP EtherChannel between SW1 and SW2. Ensure the channel forms by setting the channel-group mode to active on SW1's member ports. Also correct the speed/duplex mismatch and VLAN mismatch so that the port-channel interface is in the up/up state. Finally, verify the EtherChannel summary shows the channel as a Layer 2 bundle in use.

Network Topology
SW1 Gi0/1 to SW2 Gi0/1, LACP EtherChannel (diagram not reproduced in text)

Hints

  • LACP requires at least one side to be in active mode to initiate negotiation.
  • All member ports must have identical speed, duplex, and VLAN configuration.
  • Use the 'channel-group 1 mode active' command to set LACP active mode.
A.Change channel-group mode to active on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
B.Change channel-group mode to passive on both ports, set speed 100 and duplex half on Gi0/2, set access VLAN 20 on Gi0/1.
C.Change channel-group mode to desirable on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
D.Change channel-group mode to active on both ports, set speed 100 and duplex half on Gi0/1, set access VLAN 20 on Gi0/2.
AnswerA
solution
! SW1
configure terminal
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/2
switchport access vlan 10
channel-group 1 mode active
end

Why this answer

The EtherChannel fails because both member ports are set to mode passive, preventing LACP negotiation. Additionally, Gi0/1 has speed 100/duplex half while Gi0/2 has speed 1000/duplex full—a mismatch that causes one port to be suspended. Finally, the VLANs differ (10 vs 20), which also prevents bundling.

The solution: change the channel-group mode to active on both ports, set consistent speed (1000) and duplex (full) on Gi0/1, and set the same access VLAN (10) on Gi0/2. After these corrections, the port-channel should form and show as (SU) in the summary.

Exam trap

The exam often tests that LACP requires at least one side to be active, and that speed, duplex, and VLAN must match across all member ports. Do not confuse PAgP and LACP modes.

Why the other options are wrong

B

Passive mode requires the other side to be active; both passive means no negotiation. Speed/duplex mismatch (100/half vs 1000/full) and VLAN mismatch (20 vs 10) prevent bundling.

C

The mode 'desirable' is used with Cisco's proprietary PAgP protocol, not with the IEEE standard LACP. Using it would not form an LACP EtherChannel.

D

Speed/duplex mismatch causes one port to be suspended in the EtherChannel. VLAN mismatch prevents the port-channel from being in up/up state as a Layer 2 bundle.

44
PBQhard

You are connected to R1, a multilayer switch running Rapid PVST+. The current root bridge for VLAN 10 has priority 24586 and for VLAN 20 has priority 24676. Configure R1 so that it becomes the root bridge for VLAN 10 and VLAN 20. Then enable PortFast and BPDU Guard on interface FastEthernet0/1, which connects to an access switch. Finally, diagnose why interface FastEthernet0/2 has entered an err-disabled state and recover it.

Network Topology
R1 (multilayer switch) Fa0/1 to Access Switch; R1 Fa0/2 to Another Switch (diagram not reproduced in text)

Hints

  • Set root priority to a value lower than 24586 for VLAN 10 and 24676 for VLAN 20.
  • PortFast and BPDU Guard must be configured under the interface.
  • An interface in err-disabled state due to BPDU Guard requires a manual shutdown/no shutdown to recover.
A.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown then no shutdown.
B.Configure spanning-tree vlan 10,20 root primary; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
C.Configure spanning-tree vlan 10,20 priority 8192; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
D.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown.
AnswerA
solution
! R1
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface FastEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable
interface FastEthernet0/2
shutdown
no shutdown
end

Why this answer

To become the root bridge, R1's bridge ID must be lower than the current root's, and priority is compared first. Setting the priority to 4096 (any multiple of 4096 that puts R1 below the current root) accomplishes this. `spanning-tree vlan 10,20 priority 4096` is valid IOS syntax: the vlan argument accepts a single VLAN, a comma-separated list, or a range, so it is equivalent to the two per-VLAN commands in the solution. Note that the priority shown by 'show spanning-tree' includes the VLAN ID as the extended system ID, which is why the configured value must be a multiple of 4096.

It also enables PortFast and BPDU Guard on Fa0/1, so a BPDU arriving on that edge port err-disables it instead of being accepted into the topology, and recovers the err-disabled Fa0/2 by cycling `shutdown` then `no shutdown`. Options B and C fail because they do not enable BPDU Guard, leaving the interface vulnerable. Option D fails because it only shuts down Fa0/2 without the `no shutdown` command, so the interface remains administratively down.

Exam trap

Candidates often mistakenly believe that the priority must be set to the absolute lowest (e.g., 0) or that `root primary` always works, but the real requirement is simply a priority lower than the current root. Also, they may forget that an err-disabled interface requires both `shutdown` and `no shutdown` to recover.

Why the other options are wrong

B

'spanning-tree vlan 10,20 root primary' is a macro, not a fixed value: the switch looks at the root it currently sees for each VLAN and picks a priority it expects to beat it (24576 when that is enough, otherwise 4096 below the current root's priority). Against the roots in this scenario the macro would therefore choose a priority low enough for R1 to take over, so the priority step is not what disqualifies option B. What does disqualify it is that it never enables BPDU Guard on Fa0/1, and that issuing only 'no shutdown' on Fa0/2 does not clear the err-disabled state; the interface must be shut down first.

Keep in mind that the macro computes its value once, from the root seen at that moment, so it offers no protection against a switch that later advertises a lower priority. That is why the accepted answer sets an explicit value.

C

BPDU Guard is not configured on Fa0/1, leaving the port vulnerable to BPDU attacks. Also, the err-disabled recovery requires a shutdown command before no shutdown.

D

Simply shutting down the interface does not recover it from err-disable; you must also re-enable it with 'no shutdown'.
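
As an added example that is not part of this question bank, the following Python models the election described above: bridge IDs compared priority-first with the base MAC as tie-breaker, the VLAN ID folded into the priority that 'show spanning-tree' displays, and the 'root primary' macro. Bridge names, MAC addresses and the VLAN 20 values are constructed; how the macro behaves when 24576 would only tie the current root is an assumption and is marked as such in the code.

```python
"""Rapid PVST+ root election and the 'root primary' macro, modelled in Python.

Added example (not from the question bank). Bridge names, MACs and the
priorities below are constructed for illustration.
"""
from dataclasses import dataclass, field

PRIORITY_STEP = 4096          # configurable priority is a multiple of 4096 (0..61440)
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576   # value the 'root primary' macro tries first


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                                      # base MAC, dotted hex as IOS prints it
    priority: dict = field(default_factory=dict)  # configured priority per VLAN

    def shown_priority(self, vlan: int) -> int:
        """Priority as 'show spanning-tree' prints it: configured + VLAN ID (extended system ID)."""
        return self.priority.get(vlan, DEFAULT_PRIORITY) + vlan

    def bridge_id(self, vlan: int) -> tuple:
        """Bridge ID comparison: priority first, then the MAC breaks ties."""
        return (self.shown_priority(vlan), int(self.mac.replace(".", ""), 16))


def elect_root(bridges: list, vlan: int) -> Bridge:
    """The lowest bridge ID wins the election for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def root_primary(current_root_shown: int, vlan: int) -> int:
    """Priority that 'spanning-tree vlan <vlan> root primary' would configure.

    Cisco's macro uses 24576 when that beats the root it currently sees; if the
    current root is already at or below 24576 it goes 4096 below that root's
    configured priority. Assumption made here: an equal priority is not treated
    as a win, because the MAC tie-break is outside the macro's control.
    """
    current_cfg = current_root_shown - vlan          # strip the extended system ID
    if current_cfg < 0 or current_cfg % PRIORITY_STEP:
        raise ValueError(f"{current_root_shown} is not a priority plus VLAN {vlan}")
    if current_cfg > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    if current_cfg == 0:
        raise ValueError("current root already at priority 0; nothing lower exists")
    return current_cfg - PRIORITY_STEP


def demo() -> dict:
    """Question 44's VLAN 10 case: the root shows 24586, i.e. 24576 + VLAN 10."""
    existing_root = Bridge("SW-CORE", "0011.2233.4455", {10: 24576, 20: 24576})
    other = Bridge("SW-ACCESS", "0011.2233.aabb")
    r1 = Bridge("R1", "0011.2233.0001")                       # still at the default 32768
    before = elect_root([existing_root, other, r1], 10).name

    r1_fixed = Bridge("R1", "0011.2233.0001", {10: 4096, 20: 4096})   # option A
    after = elect_root([existing_root, other, r1_fixed], 10).name

    macro = root_primary(existing_root.shown_priority(10), 10)        # what option B would pick
    r1_macro = Bridge("R1", "0011.2233.0001", {10: macro})
    after_macro = elect_root([existing_root, other, r1_macro], 10).name
    return {"before": before, "after": after, "macro_priority": macro, "after_macro": after_macro}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the existing root winning until R1 drops to 4096, and shows that the macro would also have produced a winning value here; the difference is that 4096 is a value you chose and can reason about later, while the macro's choice depends on what the switch happened to see when the command was entered.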

45
MCQhard

A multilayer switch has SVIs for VLAN 10 and VLAN 20. Hosts in both VLANs can reach their local SVI, but they cannot reach each other. Which additional configuration is most likely required?

A.Enable `ip routing` on the multilayer switch.
B.Convert all access ports into trunks.
C.Make both VLANs use the same IP subnet.
D.Disable spanning tree on both VLANs.
AnswerA

This is correct because the switch needs Layer 3 routing enabled to forward traffic between SVIs.

Why this answer

The most likely missing configuration is `ip routing`. In practical terms, the switch already has Layer 3 gateway interfaces for the VLANs, which is why hosts can reach their local SVI. But inter-VLAN communication still requires the switch to actually route between those VLAN interfaces. Without IP routing enabled, the SVIs can exist and respond locally without forwarding traffic between them.

This is a classic multilayer-switch question because many learners assume that creating SVIs automatically enables inter-VLAN routing. It does not. The device must also be told to behave as a Layer 3 forwarding device across those VLAN interfaces.

Exam trap

Don't assume SVIs automatically enable inter-VLAN routing; IP routing must be explicitly enabled.

Why the other options are wrong

B

Converting all access ports to trunks is unnecessary and incorrect because host-facing ports should remain access ports assigned to a single VLAN. Trunks are used to carry multiple VLANs between switches, not to connect end hosts. This change would not enable inter-VLAN routing.

C

Making both VLANs use the same IP subnet would break the fundamental purpose of VLANs, which is to separate broadcast domains and logically segment the network. Hosts in different VLANs must be in different subnets for proper routing; otherwise, they would expect to communicate directly at Layer 2, which is not possible across VLANs.

D

Disabling Spanning Tree Protocol (STP) on both VLANs would not enable inter-VLAN routing; it would only risk creating Layer 2 loops and broadcast storms. STP is a loop-prevention mechanism and has no role in Layer 3 routing between VLANs.

46
MCQhard

An EtherChannel between SW1 and SW2 is not forming. The technician runs the show etherchannel summary command on both switches and sees that all configured interfaces are in the 'I' (stand-alone) state. Both switches have their interfaces configured with channel-group 1 mode active. What should the technician check next?

A.Verify that both switches are using the same EtherChannel protocol (LACP or PAgP).
B.Check that the speed and duplex settings match on all member interfaces.
C.Check for a VLAN mismatch on the member interfaces (e.g., mismatched native VLAN or allowed VLAN list).
D.Determine whether Spanning Tree Protocol is blocking one of the ports.
AnswerC

LACP requires that all member ports bundle with identical Layer 2 settings (switchport mode, allowed VLANs, native VLAN). With the protocol already confirmed as LACP on both ends, comparing those settings across the member ports on both switches is the most appropriate next step. One caveat from the CLI itself: on Catalyst IOS a member whose settings differ from the first port in the group is normally marked 's' (suspended) with a %EC-5-CANNOT_BUNDLE2 message, so if every port on both switches shows 'I', also confirm with 'show lacp neighbor' that LACP PDUs are actually arriving from the peer.

Why this answer

Option C is correct because when both switches are configured with channel-group 1 mode active, they are using LACP and would negotiate if they could. The 'I' (stand-alone) state shows the ports are operating as individual links rather than as a bundle. A Layer 2 inconsistency, such as differing native VLANs or allowed VLAN lists, is the usual reason a correctly addressed LACP configuration still fails to bundle, so it is the next thing to verify.

Exam trap

Cisco often tests the misconception that the 'I' (stand-alone) state always indicates a physical or protocol mismatch, when in fact it frequently points to Layer 2 configuration inconsistencies like VLAN mismatches that prevent LACP from completing negotiation.

Why the other options are wrong

A

Both switches are already confirmed to use 'channel-group 1 mode active', so the protocol is LACP on both ends; checking for a protocol mismatch would only repeat a fact the question has already established.

B

Speed and duplex must also match across members, but nothing in the scenario points to a Layer 1 problem; the Layer 2 parameters that must be identical for bundling are the more likely culprit, so they are checked first.

D

STP port states (blocking, forwarding) describe what happens to a link after the bundle exists; they do not explain why LACP leaves the ports stand-alone in the first place.
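
Added example, not from the question bank, covering the two EtherChannel scenarios in questions 43 and 46: a Python model of which negotiation modes bundle with which, and of the per-member consistency check that suspends a mismatched port. The port attributes are taken from the text of question 43; SW2's passive mode and the mapping to 'show etherchannel summary' flags (P, s, I) are assumptions modelled on Catalyst IOS behaviour and are marked in the code.

```python
"""EtherChannel negotiation modes and member consistency, modelled in Python.

Added example (not from the question bank). SW2's mode and the summary-flag
mapping are assumptions modelled on Catalyst IOS behaviour.
"""

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}

# Attributes every member must share with the first port in the group.
MUST_MATCH = ("speed", "duplex", "switchport_mode", "access_vlan",
              "allowed_vlans", "native_vlan")


def channel_forms(local_mode: str, peer_mode: str) -> bool:
    """Whether the two ends of a link agree to bundle.

    'on' pairs only with 'on' (no protocol at all); LACP needs at least one
    'active'; PAgP needs at least one 'desirable'; LACP and PAgP never mix.
    """
    if "on" in (local_mode, peer_mode):
        return local_mode == peer_mode
    if local_mode in LACP_MODES and peer_mode in LACP_MODES:
        return "active" in (local_mode, peer_mode)
    if local_mode in PAGP_MODES and peer_mode in PAGP_MODES:
        return "desirable" in (local_mode, peer_mode)
    return False


def member_mismatches(members: dict) -> dict:
    """Compare each member with the first one; {port: [attribute, ...]} for the odd ones out.

    IOS reports such a port with %EC-5-CANNOT_BUNDLE2 and suspends it.
    """
    first = next(iter(members.values()))
    return {
        name: [k for k in MUST_MATCH if attrs.get(k) != first.get(k)]
        for name, attrs in members.items()
        if any(attrs.get(k) != first.get(k) for k in MUST_MATCH)
    }


def port_flags(local_mode: str, peer_mode: str, members: dict) -> dict:
    """Approximate per-port flag from 'show etherchannel summary' (assumption):
    'P' bundled, 's' suspended because incompatible with the first member,
    'I' stand-alone because negotiation with the peer never completed."""
    mismatched = member_mismatches(members)
    negotiates = channel_forms(local_mode, peer_mode)
    return {name: "s" if name in mismatched else ("P" if negotiates else "I")
            for name in members}


def question_43() -> dict:
    """SW1 as described in question 43, before and after option A's fix."""
    sw1 = {  # constructed from the question text
        "Gi0/1": {"speed": 100, "duplex": "half", "switchport_mode": "access", "access_vlan": 10},
        "Gi0/2": {"speed": 1000, "duplex": "full", "switchport_mode": "access", "access_vlan": 20},
    }
    peer_mode = "passive"   # assumption: SW2 is passive, which is why SW1 must be the active side
    mismatches_before = member_mismatches(sw1)
    before = port_flags("passive", peer_mode, sw1)
    sw1["Gi0/1"].update(speed=1000, duplex="full")   # match Gi0/2's speed and duplex
    sw1["Gi0/2"]["access_vlan"] = 10                  # match Gi0/1's access VLAN
    after = port_flags("active", peer_mode, sw1)
    return {"before": before, "after": after, "mismatches_before": mismatches_before}


if __name__ == "__main__":
    print(question_43())
```

In this model a member that differs from the first port is suspended ('s') and 'I' appears only when negotiation itself fails. That is the practical reason why, in the question 46 scenario, comparing the VLAN settings should be followed by 'show lacp neighbor' if every port on both switches still reads 'I'.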

47
MCQhard

A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?

A.channel-group 1 mode active
B.switchport trunk allowed vlan 1,10,20
C.lacp rate fast
D.switchport mode trunk
AnswerB

The allowed VLAN list on the EtherChannel must include every VLAN the hosts use and must match on both ends. Apply the command under the port-channel interface (interface Port-channel 1) so the member ports inherit it; a member whose allowed list differs from the rest is suspended from the bundle, which is one way the intermittent drops arise.

Why this answer

The output shows the EtherChannel is up but only VLAN 1 is allowed on the trunk, while the hosts on SW1 and SW2 communicate across VLANs 10 and 20. Applying 'switchport trunk allowed vlan 1,10,20' under the port-channel interface on both switches ensures all necessary VLANs are permitted over the EtherChannel, resolving the connectivity loss caused by dropped traffic for VLANs 10 and 20. 'show interfaces port-channel 1 trunk' on each side confirms the lists match.

Exam trap

The trap here is that candidates assume the EtherChannel is fully functional once it shows as up/up, overlooking that the trunk's VLAN allowed list must match on both sides to pass traffic for all required VLANs.

Why the other options are wrong

A

The ports are already configured with LACP active mode, as indicated by the protocol being LACP and the ports being bundled. Reapplying this command does not address the root cause of intermittent connectivity, which is likely due to VLAN mismatch.

C

The 'lacp rate fast' command changes the LACP packet transmission rate to every second, which is used for faster failure detection. It does not affect VLAN consistency or cause intermittent connectivity; the issue is likely due to VLAN mismatch, not LACP rate.

D

The ports are already configured as trunk ports (the Po1 is Layer2 and trunking is implied). Reapplying 'switchport mode trunk' does not address the VLAN inconsistency that causes intermittent connectivity.

48
Drag & Dropmedium

Drag and drop the following steps into the correct order to capture and analyze traffic on IOS-XE using the embedded packet capture feature, then export the capture for analysis in Wireshark to isolate a Layer 2 or Layer 3 fault.

Why this order

Embedded Packet Capture (EPC) on IOS-XE uses exec-mode monitor capture commands without needing global configuration mode. First, define the capture point specifying the interface and direction. Then start the capture to collect packets.

Stop the capture after gathering sufficient data, and finally export the file to a TFTP server for analysis in Wireshark.

Exam trap

A common mistake is attempting to start the capture before defining the capture point, or exporting before stopping the capture. Remember the logical order: define, start, stop, export.

49
MCQmedium

A switch port connected to an end host should forward traffic for one VLAN only and should not negotiate trunking. Which configuration approach best fits that requirement?

A.Configure the interface with `switchport mode access`
B.Configure the interface with `switchport mode trunk`
C.Configure the interface with `switchport mode dynamic desirable`
D.Configure the interface with `no switchport`
AnswerA

This is correct because access mode is the normal one-VLAN configuration for an end-host port.

Why this answer

The best approach is to configure the interface as an access port. In plain language, this tells the switch that the interface is for a normal endpoint and should belong to one VLAN rather than carry multiple VLANs like a trunk. It also avoids reliance on dynamic trunk negotiation, which is usually unnecessary and potentially confusing for a user-facing connection. One practical caveat: a port in access mode still transmits DTP frames to tell the neighbour it will not trunk, so pair `switchport mode access` with `switchport nonegotiate` to stop DTP on the port entirely.

This is a standard access-layer design principle. End hosts such as PCs and printers usually connect to access ports, not trunks. That is why the correct answer is the one centered on explicit access-port behavior.

Exam trap

Avoid confusing trunking features with access port requirements. Remember, end devices typically connect via access ports.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs between switches, not for a single end host. Using switchport mode trunk on an access port would allow multiple VLANs and enable trunk negotiation, violating the requirement.

C

The dynamic desirable mode actively attempts to form a trunk with the connected device using DTP. This allows trunk negotiation, which contradicts the requirement to not negotiate trunking and to forward traffic for only one VLAN.

D

The no switchport command converts the Layer 2 switch port into a Layer 3 routed port, which does not operate as a switch port and cannot be assigned to a VLAN. This is used for routing between VLANs, not for connecting an end host to a single VLAN.
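
Added example, not from the question bank: a small Python audit that reads a Catalyst-style running-config and flags user-facing ports that miss the controls discussed in questions 41 and 49 (an explicitly pinned access mode, `switchport nonegotiate`, port security, and BPDU Guard). The configuration text is constructed; the assumption that a port without an explicit mode sits in DTP 'dynamic auto' reflects common Catalyst defaults and is noted in the code.

```python
"""Audit a Catalyst-style running-config for unhardened user-facing ports.

Added example (not from the question bank). The config below is constructed;
interface names and VLANs are not from any real device.
"""
import re
from collections import OrderedDict

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 description user port - hardened
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description user port - mode never pinned
 switchport access vlan 30
!
interface GigabitEthernet0/3
 description user port - access but no limits
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_interfaces(config: str) -> "OrderedDict[str, list]":
    """Map interface name -> list of its indented sub-commands, in config order."""
    interfaces, current = OrderedDict(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the interface block
    return interfaces


def audit(config: str) -> dict:
    """Return {interface: [findings]} for non-trunk ports; an empty list means the port passed."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config.splitlines()
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = []
        mode = next((line.split()[2] for line in lines if re.match(r"switchport mode \S+", line)), None)
        if mode == "trunk":
            continue                # uplinks are out of scope for this check
        if mode != "access":
            # Assumption: with no explicit mode the port is left in its DTP default
            # (dynamic auto on the platforms assumed here) and will trunk if the peer asks.
            findings.append("switchport mode access missing: port can negotiate a trunk")
        if "switchport nonegotiate" not in lines:
            findings.append("switchport nonegotiate missing: DTP frames still sent")
        if "switchport port-security" not in lines:
            findings.append("port-security missing: no limit on learned MAC addresses")
        elif not any(line.startswith("switchport port-security maximum") for line in lines):
            findings.append("port-security maximum not pinned (default is 1)")
        portfast = "spanning-tree portfast" in lines
        bpduguard = "spanning-tree bpduguard enable" in lines or (portfast and global_bpduguard)
        if not bpduguard:
            findings.append("BPDU Guard not in effect on an edge port")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, findings or "OK")
```

Feed it the output of 'show running-config' saved to a file and it lists, per access port, exactly which of the four controls is absent; the global `spanning-tree portfast bpduguard default` line is honoured only for ports that also have PortFast, which mirrors how the switch applies it.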

50
Multi-Selectmedium

Which TWO statements about 802.1Q trunking, native VLANs, and inter-VLAN routing are correct? (Choose two.)

Select 2 answers
A.802.1Q trunking is a Cisco-proprietary protocol that uses a 4-byte tag to identify VLAN membership.
B.By default, frames belonging to the native VLAN are sent untagged across an 802.1Q trunk.
C.Inter-VLAN routing can be accomplished using a Layer 2 switch configured with VLAN access maps.
D.The native VLAN must be identical on both ends of an 802.1Q trunk to avoid native VLAN mismatch errors.
E.Switches strip the 802.1Q tag from all frames before forwarding them out of a trunk port.
AnswersB, D

By default 802.1Q sends native-VLAN frames without a tag; the receiving switch places any untagged frame arriving on the trunk into whatever native VLAN it has configured, which is why both ends must agree (option D).

Why this answer

Option B is correct because, by default, 802.1Q trunking treats the native VLAN (typically VLAN 1) as untagged. Frames in the native VLAN are sent without an 802.1Q tag, allowing interoperability with devices that do not understand trunking. This behavior is defined in IEEE 802.1Q and is essential for backward compatibility.

Option D is correct because the receiving switch cannot tell which VLAN an untagged frame belonged to; it simply assigns it to its own native VLAN. If SW1 uses native VLAN 10 and SW2 uses native VLAN 20, frames from VLAN 10 arrive untagged and are delivered into VLAN 20, merging the two. Cisco switches report this through CDP (%CDP-4-NATIVE_VLAN_MISMATCH), and PVST+ puts the affected VLANs on that port into a 'Port VLAN ID Mismatch' inconsistent state, which blocks them.

Exam trap

Cisco often tests the misconception that all frames on a trunk are tagged, but the trap here is that the native VLAN is sent untagged by default, and candidates may incorrectly assume that inter-VLAN routing can be done with a Layer 2 switch alone.

Why the other options are wrong

A

802.1Q is an open IEEE standard. Cisco-proprietary trunking is Inter-Switch Link (ISL).

C

Layer 2 switches cannot route between VLANs. Inter-VLAN routing requires a Layer 3 device such as a router or a Layer 3 switch with SVIs.

E

Trunk ports forward tagged frames so the receiving switch can distinguish VLANs. Removing tags from all frames would defeat the purpose of trunking.
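
The following Python, added here and not part of the question bank, builds and parses 802.1Q frames to show the two correct statements in action: native-VLAN frames leave a trunk untagged, and an untagged frame is placed into whatever native VLAN the receiving switch has configured. It goes one step beyond the question by also showing the double-tag case that a host-reachable native VLAN enables, and the usual containment (moving the native VLAN to an unused VLAN). MAC addresses, VLAN numbers and payloads are constructed; the FCS, MAC learning and the `vlan dot1q tag native` option are deliberately left out of the model.

```python
"""802.1Q tags on a trunk: build, parse, and see what native-VLAN handling does.

Added example (not from the question bank). MACs, VLAN numbers and payloads are
constructed; the FCS, MAC learning and 'vlan dot1q tag native' are not modelled.
"""
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100       # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged Ethernet frame, or one carrying a single 802.1Q tag."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan            # TCI = PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """(VLAN IDs outermost first, real EtherType, payload) for a frame with 0..n tags."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def trunk_egress(vlan: int, frame: bytes, native_vlan: int) -> bytes:
    """Sending switch: frames in the native VLAN leave untagged (802.1Q default);
    every other VLAN gets a tag pushed in front of the EtherType."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Receiving switch: the outer tag, if any, names the VLAN and is popped;
    an untagged frame goes into whatever native VLAN *this* switch has configured."""
    if struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q:
        vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return native_vlan, frame


HOST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"constructed")


def native_mismatch_demo() -> Tuple[int, int]:
    """SW1 (native 10) sends a VLAN 10 frame untagged; SW2 with native 20 files it under VLAN 20."""
    on_wire = trunk_egress(10, HOST_FRAME, native_vlan=10)
    at_sw2_mismatched, _ = trunk_ingress(on_wire, native_vlan=20)
    at_sw2_matched, _ = trunk_ingress(on_wire, native_vlan=10)
    return at_sw2_mismatched, at_sw2_matched


def double_tag_demo() -> Tuple[int, int]:
    """A host in SW1's access VLAN 10 sends a double-tagged frame. After the access port
    strips the outer VLAN 10 tag, the inner VLAN 30 tag is what SW1 forwards (modelled
    as 'crafted'). With native VLAN 10 on the trunk SW1 adds nothing, so SW2 reads the
    inner tag and delivers into VLAN 30. With the native VLAN moved to an unused VLAN,
    SW1 tags the frame with 10 and SW2 keeps it in VLAN 10."""
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"constructed", vlan=30)
    hopped, _ = trunk_ingress(trunk_egress(10, crafted, native_vlan=10), native_vlan=10)
    contained, _ = trunk_ingress(trunk_egress(10, crafted, native_vlan=999), native_vlan=999)
    return hopped, contained


if __name__ == "__main__":
    print("native mismatch (SW2 VLAN, matched VLAN):", native_mismatch_demo())
    print("double tag (hopped VLAN, contained VLAN):", double_tag_demo())
```

The mismatch case is the concrete reason behind option D: nothing on the wire says "this was VLAN 10", so the receiver's configuration decides, and two different native VLANs silently merge. The double-tag case is why an unused native VLAN on trunks is standard hardening even when both ends already match.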

51
MCQhard

A client can join a corporate SSID and authenticate successfully, but it consistently loses connectivity when moving between floors. Which area is most strongly suggested for deeper investigation?

A.Roaming and RF behavior between AP coverage areas
B.Whether the SSID is visible at all
C.Whether the host has a BGP autonomous system number
D.Whether the switch uses a smaller wildcard mask
AnswerA

This is correct because the failure occurs during movement rather than initial join.

Why this answer

The strongest area for deeper investigation is wireless mobility and RF behavior between the AP coverage areas involved. In practical terms, the client can already authenticate and use the WLAN initially, so the issue is more likely tied to movement, signal transition, channel behavior, or roaming-related operation rather than basic SSID existence or initial authentication alone.

This is a mobility-troubleshooting question, not a simple association problem.

Exam trap

A common exam trap is assuming that connectivity loss during movement is caused by SSID visibility or initial authentication failure. Since the client can join and authenticate successfully, the problem is not with the SSID broadcast or basic network access. Another tempting mistake is to consider unrelated network configurations such as BGP autonomous system numbers or ACL wildcard masks, which do not affect wireless roaming.

The key is to focus on roaming and RF behavior between AP coverage areas, as these directly impact client mobility and session continuity in a wireless environment.

Why the other options are wrong

B

Incorrect because the client already successfully joins and authenticates to the SSID, so SSID visibility is not the issue.

C

Incorrect because BGP autonomous system numbers relate to routing protocols and have no impact on wireless client roaming or connectivity.

D

Incorrect because ACL wildcard masks affect packet filtering rules and do not influence wireless roaming or client mobility between access points.

52
Multi-Select · medium

Which two functions are commonly handled by a wireless LAN controller in a controller-based deployment? (Choose two.)

Select 2 answers
A. Centralized management of lightweight APs
B. Per-host DHCP address assignment on every WLAN
C. Policy enforcement for SSIDs and WLAN settings
D. Providing STP root bridge election for the campus
E. Replacing all Layer 2 switching functions in the access layer
Answers: A, C

Correct. Centralized AP management is a core controller role.

Why this answer

Wireless LAN controllers commonly centralize AP management and apply WLAN policies consistently across access points. They do not replace every switching or DHCP function in the network.

Exam trap

Don't confuse the roles of network devices; WLAN controllers manage APs and policies, not routing or DHCP.

Why the other options are wrong

B

DHCP address assignment is typically handled by dedicated DHCP servers or routers, not by the WLC. While the WLC can act as a DHCP relay or integrate with DHCP, it does not assign per-host addresses as a core function for every WLAN.

D

STP root bridge election is a Layer 2 switching function performed by switches in the campus network, not by a WLC. The WLC operates at higher layers and does not participate in STP processes.

E

The WLC does not replace Layer 2 switching functions; it focuses on wireless control and management. Switches still handle VLANs, STP, and forwarding in the access layer, while the WLC manages APs and wireless traffic.

53
Matching · medium

Drag and drop the EtherChannel commands and concepts on the left to the correct descriptions on the right.

Matches

Enables LACP active negotiation to form EtherChannel

Enables LACP passive negotiation (waits for active side)

Enables PAgP desirable mode to actively negotiate EtherChannel

Displays port-channel interface status and member ports

Creates and enters the logical EtherChannel interface

Sets LACP heartbeat interval to 1 second instead of default 30 seconds

Why these pairings

EtherChannel modes: active/passive for LACP, desirable/auto for PAgP, on for static, and interface port-channel creates the logical interface.

Exam trap

Do not confuse LACP modes (active/passive) with PAgP modes (desirable/auto) or static mode (on).

54
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure RSTP and enable PortFast with BPDU Guard on a switch port, then verify the state transitions.


Why this order

Correct order: First configure RSTP globally because interface commands like PortFast and BPDU Guard depend on the spanning-tree mode being set. Next enable PortFast on the interface to immediately transition to forwarding. Then enable BPDU Guard as a protective feature for PortFast ports.

Finally verify state transitions. Other orders are incorrect: enabling PortFast or BPDU Guard before setting RSTP mode may cause the commands to be rejected or not take effect; enabling BPDU Guard before PortFast is not typical because BPDU Guard is designed to protect PortFast ports.

Exam trap

The exam trap is that candidates often confuse the order of configuration steps. They may enable PortFast or BPDU Guard before setting the global spanning-tree mode, or they may enable BPDU Guard before PortFast. Remember that global configurations come first, then interface-specific features, and BPDU Guard is typically enabled after PortFast.

55
MCQ · medium

A switchport is configured as an access port for VLAN 20, but users connected to it cannot reach the default gateway. The switch shows the interface as up/up. Which switch misconfiguration is the most likely cause?

A. The access port is missing a speed command
B. VLAN 20 has not been created on the switch
C. The switch has not enabled VTP transparent mode
D. The port should use DTP desirable mode
Answer: B

Correct choice.

Why this answer

If the access port is assigned to VLAN 20 but VLAN 20 does not exist in the VLAN database, traffic is not placed into a usable VLAN and hosts lose connectivity. The port can still appear physically up while forwarding fails at Layer 2.

Exam trap

A common exam trap is assuming that an interface showing up/up means the port is fully functional and correctly forwarding traffic. Candidates may overlook the necessity of creating the VLAN in the switch’s VLAN database. Without VLAN 20 existing, the switch cannot forward traffic for that VLAN, even though the physical link is active.

This leads to confusion because the interface status does not reflect VLAN misconfiguration, causing users to lose connectivity to the default gateway despite the port appearing operational.

Why the other options are wrong

A

The absence of a speed command on the access port does not prevent VLAN forwarding or connectivity to the default gateway. Speed settings affect physical link parameters but not VLAN membership or Layer 2 forwarding.

C

VTP transparent mode controls VLAN propagation between switches but does not affect whether a VLAN exists locally. Missing VLANs must be created manually regardless of VTP mode.

D

DTP desirable mode is used to negotiate trunk links and is irrelevant for access ports, which do not trunk and only carry untagged frames for a single VLAN.

56
MCQ · medium

A switch interface connects to a user PC and should belong only to VLAN 30. Which command assigns that VLAN after the interface is in access mode?

A. switchport access vlan 30
B. switchport trunk allowed vlan 30
C. encapsulation dot1Q 30
D. ip helper-address 30
Answer: A

This is correct because it assigns VLAN 30 to the access port.

Why this answer

After an interface is placed into access mode, the command used to assign its VLAN is `switchport access vlan 30`. In plain language, this tells the switch which VLAN the endpoint traffic on that access port belongs to. Access mode defines the role of the interface, and the access VLAN command defines the specific VLAN membership for that role.

This distinction matters because some commands change the port’s behavior while others set the VLAN it uses. The correct answer is the one that directly assigns VLAN 30 to the access port rather than modifying a trunk or a native VLAN setting.

Exam trap

Be careful not to confuse commands for trunk ports with those for access ports. Ensure you understand the difference between setting a port mode and assigning a VLAN.

Why the other options are wrong

B

The command 'switchport trunk allowed vlan 30' is used on trunk ports to specify which VLANs are allowed to traverse the trunk link. It does not assign a VLAN to an access port; instead, it filters VLANs on a trunk, which is not appropriate for a port connected to a single PC.

C

The command 'encapsulation dot1Q 30' is used on a router subinterface to enable 802.1Q trunking and specify the VLAN for that subinterface. It is not a valid command on a switch access port, and switch ports do not use encapsulation commands for VLAN assignment.

D

The command 'ip helper-address 30' is used to configure DHCP relay on a router or Layer 3 switch interface, forwarding DHCP broadcasts to a DHCP server. It has nothing to do with VLAN assignment on a switch port.

57
MCQ · hard

PCs in VLAN 30 on SwitchA cannot reach PCs in VLAN 30 on SwitchB. VLAN 30 exists on both switches and all other VLANs work across the same link. Based on the exhibit, what is the most likely cause?

A. VLAN 30 is not allowed on the trunk from SwitchA.
B. The native VLAN is mismatched.
C. The trunk must use ISL instead of 802.1Q.
D. VLAN 30 must be configured as the native VLAN.
Answer: A

This is correct because VLAN 30 is missing from SwitchA’s allowed list.

Why this answer

The trunk is up, but VLAN 30 is missing from the allowed list on SwitchA. In plain language, the hallway between the switches is open, but one side is refusing to carry that specific VLAN through the hallway. Since the other VLANs are working, the failure is selective rather than total. That strongly points to an allowed-VLAN problem rather than a broader trunk outage.

This is a classic CCNA switching scenario because it tests whether you can separate trunk health from per-VLAN forwarding. A trunk can be operational and still block one VLAN if that VLAN is not permitted on one side. The native VLAN and encapsulation are not the issue shown here — the mismatch in the allowed list is.

Exam trap

Be careful not to confuse general trunk issues with specific VLAN forwarding problems. Always check the allowed VLAN list when specific VLANs fail to pass.

Why the other options are wrong

B

The exhibit shows both switches have native VLAN 1 configured, so there is no mismatch. A native VLAN mismatch would cause all VLAN traffic to fail or be misdirected, not just a single VLAN.

C

Since other VLANs are working across the same trunk, the trunk encapsulation (802.1Q) is functioning correctly. Changing to ISL would not fix the issue and would break connectivity for all VLANs.

D

A VLAN does not need to be the native VLAN to traverse a trunk; native VLAN is only for untagged traffic. Making VLAN 30 the native VLAN would not solve the problem and could introduce other issues.

58
PBQ · hard

You are connected to SW1 via the console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/1, which connects to a workstation. After configuration, the workstation is moved and the port goes err-disabled. Diagnose the cause and recover the port without reloading the switch.

Network Topology
[Topology diagram: SW1 Gi0/1 connects to the workstation; SW1 Gi0/2 connects to another switch]

Hints

  • Use 'spanning-tree vlan <vlan> priority <value>' to set root bridge priority (lower values are preferred).
  • A port in err-disabled due to BPDU Guard must be manually recovered with 'shutdown' and 'no shutdown' after removing the BPDU source.
  • Check which VLANs the switch is currently root for using 'show spanning-tree'.
A. Configure spanning-tree vlan 10 priority 4096 and spanning-tree vlan 20 priority 4096. Then on interface GigabitEthernet0/1, configure spanning-tree portfast and spanning-tree bpduguard enable. After removing the BPDU source, use 'shutdown' and 'no shutdown' to recover the port.
B. Configure spanning-tree vlan 10,20 root primary and spanning-tree portfast on Gi0/1; then use 'errdisable recovery cause bpduguard' to automatically recover the port.
C. Configure spanning-tree vlan 10,20 priority 0 and spanning-tree bpduguard enable on Gi0/1; then use 'no spanning-tree bpduguard' to recover the port.
D. Configure spanning-tree vlan 10,20 priority 4096 and spanning-tree portfast on Gi0/1; then use 'clear spanning-tree detected-protocols' to recover the port.
Answer: A
Solution
! SW1
! Lower the bridge priority for both VLANs so SW1 wins the root election
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface GigabitEthernet0/1
! Edge-port features from answer A: PortFast first, then BPDU Guard
spanning-tree portfast
spanning-tree bpduguard enable
! Manual recovery from the err-disabled state, after the BPDU source is removed
shutdown
no shutdown

Why this answer

SW1 is currently the root for VLAN 10 but not for VLAN 20. To become root for both VLANs, set the spanning-tree priority to a lower value (e.g., 4096) for each VLAN. The port Gi0/1 went err-disabled because it received a BPDU, which is unexpected on a PortFast edge port with BPDU Guard enabled.

To recover, first identify and remove the BPDU source (likely another switch connected to that port), then use 'shutdown' followed by 'no shutdown' on the interface to bring it back up.

Exam trap

Do not confuse 'root primary' with a guaranteed root election; always check for lower priorities. Also, remember that err-disabled ports require manual intervention (shutdown/no shutdown) unless you configure errdisable recovery. BPDU Guard err-disables the port; simply disabling BPDU Guard does not recover it.

Why the other options are wrong

B

The 'root primary' command does not guarantee root status if another switch has a priority lower than 24576. The question expects manual recovery, not automatic.

C

Priority 0 is not incorrect but is not the standard recommendation. The recovery method is wrong: disabling BPDU Guard does not clear the err-disabled state.

D

The command 'clear spanning-tree detected-protocols' does not clear the err-disabled state; it only resets the port's protocol state.

59
Multi-Select · medium

Which TWO statements correctly describe EtherChannel configuration and verification with LACP?

Select 2 answers
A. LACP uses the modes 'active' and 'passive' to negotiate an EtherChannel.
B. LACP uses the modes 'desirable' and 'auto' to negotiate an EtherChannel.
C. The command 'show etherchannel summary' displays the status of each port-channel as SU (in use) or SD (shutdown).
D. The command 'show etherchannel summary' displays the status of each port-channel as UP or DOWN.
E. LACP 'active' mode can only form an EtherChannel with another interface in 'active' mode.
Answers: A, C

LACP defines 'active' (initiates negotiation) and 'passive' (responds to negotiation) modes. At least one side must be active to form a channel.

Why this answer

Option A is correct because LACP (IEEE 802.3ad) defines two negotiation modes: 'active' (sends LACP frames and initiates negotiation) and 'passive' (responds only to received LACP frames). An EtherChannel forms only when at least one side is in 'active' mode; two 'passive' sides will never negotiate. Option C is correct because the 'show etherchannel summary' command displays the port-channel status as 'SU' (in use, Layer 2) or 'SD' (administratively down/shutdown), not simply 'UP' or 'DOWN'.

Exam trap

Cisco often tests the distinction between LACP modes ('active'/'passive') and PAgP modes ('desirable'/'auto'), and the trap here is that candidates confuse the proprietary PAgP terms with the standards-based LACP terms, or assume 'show etherchannel summary' shows simple UP/DOWN like interface status.

Why the other options are wrong

B

The modes 'desirable' and 'auto' are used by PAgP (Cisco proprietary), not LACP. LACP uses 'active' and 'passive' modes for negotiation.

D

The 'show etherchannel summary' command does not display 'UP' or 'DOWN' in plain text; it uses two-letter codes like SU (Layer 2 up), SD (shutdown), etc. This is a common misinterpretation of the output format.

E

LACP 'active' mode can form an EtherChannel with either 'active' or 'passive' mode. If both sides are passive, the channel will not form because neither initiates negotiation.

60
Drag & Drop · medium

Drag and drop the steps into the recommended configuration order for setting up VLANs, assigning access ports, configuring 802.1Q trunking with a non-default native VLAN, and verifying the setup on a Cisco IOS-XE switch.


Why this order

After creating VLANs, the recommended order is to configure trunking with a non-default native VLAN before assigning access ports. This ensures the trunk is ready with the correct native VLAN, preventing mismatches and allowing the switch to carry traffic for the new VLANs. Options B and D fail because VLANs must exist first.

Option A places trunking last, which is not the best practice.

Exam trap

Candidates often assume that access ports must be assigned before trunking, but in a recommended workflow, configuring trunking early helps avoid native VLAN mismatches and aligns with common Cisco configuration guides.

61
PBQ · hard

You are connected to a Multilayer Switch MLS1. Configure the switch so that interface GigabitEthernet1/0/1 is an access port for VLAN 10, with voice VLAN 110 for an IP phone, and enable PoE. Additionally, interface GigabitEthernet1/0/2 must be an access port for VLAN 20 to connect an AP. Verify the configuration using 'show interfaces switchport' and 'show power inline'.

Network Topology
[Topology diagram: MLS1 G1/0/1 connects to the IP Phone; MLS1 G1/0/2 connects to the AP]

Hints

  • Use 'switchport mode access' to set the port as an access port.
  • For the IP phone port, apply both 'switchport access vlan' and 'switchport voice vlan' commands.
  • PoE is enabled by default but ensure 'power inline auto' is configured.
A. interface GigabitEthernet1/0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline auto; interface GigabitEthernet1/0/2; switchport mode access; switchport access vlan 20
B. interface GigabitEthernet1/0/1; switchport mode trunk; switchport trunk allowed vlan 10,110; power inline auto; interface GigabitEthernet1/0/2; switchport mode access; switchport access vlan 20
C. interface GigabitEthernet1/0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline never; interface GigabitEthernet1/0/2; switchport mode access; switchport access vlan 20
D. interface GigabitEthernet1/0/1; switchport mode access; switchport access vlan 110; switchport voice vlan 10; power inline auto; interface GigabitEthernet1/0/2; switchport mode access; switchport access vlan 20
Answer: A
Solution
! MLS1
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 110
power inline auto
exit
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 20
exit

Why this answer

Option A is correct. It configures Gi1/0/1 as an access port in VLAN 10 with voice VLAN 110 and PoE enabled, and Gi1/0/2 as an access port in VLAN 20. Option B is wrong because it uses 'switchport mode trunk' instead of 'switchport mode access'.

For a voice VLAN, the port should be an access port, not a trunk. Option C is wrong because it disables PoE with 'power inline never', but the IP phone requires power. Option D is wrong because it assigns the access VLAN as 110 and voice VLAN as 10, reversing the intended roles.

Verify with 'show interfaces switchport' and 'show power inline'.

Exam trap

Watch out for the difference between access and trunk ports when a voice VLAN is involved. The voice VLAN is configured on an access port, not a trunk. Also, ensure PoE is enabled (auto) and not disabled (never).

Finally, do not confuse the access VLAN with the voice VLAN.

Why the other options are wrong

B

The specific factual error is using 'switchport mode trunk' instead of 'switchport mode access'. Access ports are used for end devices like IP phones and APs, not trunks.

C

The specific factual error is using 'power inline never' which disables PoE. The correct command to enable PoE is 'power inline auto'.

D

The specific factual error is reversing the VLAN assignments: 'switchport access vlan 110' and 'switchport voice vlan 10' instead of the correct order.

62
Drag & Drop · medium

Which of the following sequences correctly configures and verifies PortFast and BPDU Guard on a Cisco IOS-XE switch interface, and then recovers after a BPDU guard violation?


Why this order

First enter global config, then the specific interface, enable PortFast, then BPDU Guard; verification confirms settings; recovery after error-disable requires administrative shutdown and no shutdown.

Exam trap

The exam trap is that candidates may confuse the order of PortFast and BPDU Guard, or think that recovery requires a switch reload or a special clear command. Remember: PortFast first, then BPDU Guard; recovery is always 'shutdown/no shutdown' on the interface.

63
MCQ · hard

A network technician notices CDP native VLAN mismatch warnings between switches SW1 and SW2 on their trunk link. The technician runs 'show interfaces trunk' on SW1 and sees native VLAN 1, then on SW2 and sees native VLAN 99. Data traffic is currently passing, but the mismatch can cause broadcast loops. What should the technician do next?

A. Add VLAN 99 to the allowed VLAN list on the trunk interface of SW1.
B. Remove the trunk configuration and set both interfaces as access ports in VLAN 1.
C. Enable spanning-tree PortFast on the trunk ports.
D. Configure the native VLAN to match on both ends of the trunk.
Answer: D

The root cause is a configured native VLAN mismatch (1 vs 99). Changing one switch’s native VLAN to match the other (or setting both to a common VLAN) immediately resolves the CDP warning and eliminates the potential for broadcast loops caused by the mismatch. This is the most direct and least disruptive next step.

Why this answer

The correct action is to configure the native VLAN to match on both ends of the trunk. CDP reports a native VLAN mismatch when the native VLANs differ on the two sides of a trunk link. Although data traffic may still pass because 802.1Q does not tag frames on the native VLAN, the mismatch can cause broadcast loops and security risks, as frames from one native VLAN may be misinterpreted on the other side.

Setting both sides to the same native VLAN (e.g., VLAN 1 or VLAN 99) resolves the mismatch and ensures proper Layer 2 behavior.

Exam trap

Cisco often tests the misconception that data traffic passing means the configuration is fine, but the trap here is that the native VLAN mismatch can still cause serious issues like broadcast loops and security vulnerabilities, even if user data appears to work.

Why the other options are wrong

A

Common misconception: the warning message implies a VLAN is not allowed, but native VLAN mismatch means the trunk ports disagree on the native VLAN, not that a VLAN is missing from the allowed list.

B

Over-reaction: candidates might think a trunk problem requires eliminating the trunk, but the correct approach is to correct the native VLAN parameter on the existing trunk.

C

Wrong feature: PortFast addresses access port convergence, not VLAN mismatches. Candidates may reach for any familiar command, but it targets the wrong layer and port type.

64
Multi-Select · medium

Which TWO statements accurately describe the use of packet capture tools for troubleshooting Layer 2/3 issues?

Select 2 answers
A. A packet capture that shows ARP requests with no ARP replies indicates a Layer 3 routing issue.
B. A packet capture that shows frames with the same source and destination MAC addresses but different 802.1Q VLAN tags indicates a possible trunk misconfiguration.
C. A packet capture that shows ICMP echo requests but no echo replies confirms a Layer 2 switching loop.
D. A packet capture that shows ICMP echo requests leaving a router but no echo replies returning suggests a Layer 3 routing problem.
E. A packet capture that shows TCP SYN packets with no SYN-ACK replies indicates a Layer 1 physical issue.
Answers: B, D

Frames traversing a trunk should have consistent VLAN tags. Inconsistent tags suggest a mismatch in allowed VLANs or native VLAN on the trunk.

Why this answer

Option B is correct because frames with identical source and destination MAC addresses but different 802.1Q VLAN tags indicate the same device is reachable on multiple VLANs, which commonly results from a misconfigured trunk (e.g., native VLAN mismatch or inconsistent allowed VLAN lists). Option D is correct because seeing ICMP echo requests leave a router but no echo replies return suggests the reply is blocked or dropped at some intermediate Layer 3 hop, pointing to a routing problem rather than a Layer 2 issue. Option A is wrong: ARP requests without replies point to a Layer 2 problem (e.g., unreachable destination or filtering), not a Layer 3 routing issue.

Option C is wrong: ICMP echo requests without replies could have many causes (ACLs, firewalls, routing) – a switching loop would typically generate excessive broadcasts, not just missing replies. Option E is wrong: TCP SYN without SYN-ACK typically indicates a Layer 4 filtering or unreachable server issue, or possibly a Layer 3 routing problem, not a pure Layer 1 physical fault.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 troubleshooting by making candidates incorrectly attribute ARP failures to Layer 3 routing issues, when ARP is strictly a Layer 2 protocol used for MAC address resolution within the same subnet.

Why the other options are wrong

A

ARP operates at Layer 2 (Data Link layer) and is used to resolve IP addresses to MAC addresses. A lack of ARP replies indicates a Layer 2 connectivity issue, such as a misconfigured VLAN, incorrect cabling, or a switch port problem, not a Layer 3 routing issue.

C

ICMP echo requests without replies typically indicate a Layer 3 issue, such as no route back to the source, or a firewall blocking the replies. Layer 2 loops cause broadcast storms, duplicate frames, and MAC address flapping, not a simple lack of ICMP replies.

E

TCP SYN packets without SYN-ACK replies often indicate a firewall blocking the connection, a service not listening on the destination port, or a Layer 4-7 issue. Layer 1 physical issues would typically result in no packets being received at all, not just missing SYN-ACKs.

65
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches using active mode.


Why this order

First create the logical port-channel interface and configure its properties, then assign physical interfaces to it using channel-group with active mode to initiate LACP negotiation.

Exam trap

Cisco exams often test the correct order of EtherChannel configuration: always create the port-channel interface first. Also, distinguish between LACP modes (active/passive) and PAgP modes (desirable/auto).

66
Matching · medium

Match each switching feature to its most accurate purpose.

Matches

Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Limits and controls MAC address use on a switch port

Helps block rogue DHCP behavior and build trusted bindings

Why these pairings

PortFast allows an edge port (connected to an end device) to bypass the listening and learning states and transition directly to forwarding, speeding up convergence. BPDU Guard disables a port if it receives a BPDU, protecting against accidental bridge connections on edge ports. Port security restricts which MAC addresses can communicate on a switch port, preventing unauthorized devices.

DHCP Snooping filters DHCP messages and builds a binding table of trusted clients, helping to block rogue DHCP servers and attacks.

Exam trap

Cisco exams often test the specific purpose of each switching feature; avoid confusing PortFast with BPDU Guard, or mixing up DHCP Snooping with Dynamic ARP Inspection.

67
MCQ · medium

Exhibit: A switch port connected to an end host is stuck in a blocking state much longer than expected after a reboot. Which configuration change most directly speeds host access while still keeping loop protection elsewhere?

A. Enable PortFast on the access port
B. Disable STP globally
C. Change the trunk native VLAN
D. Set the port to half-duplex
Answer: A

PortFast is the standard fix for host-facing access ports.

Why this answer

PortFast should be enabled on access ports that connect to end devices. It lets the port move to forwarding quickly without waiting through normal STP listening and learning delays. Disabling STP globally removes all loop protection, which contradicts the requirement to keep loop protection elsewhere.

Changing the trunk native VLAN is irrelevant to an access port's STP state transition. Adjusting duplex has no effect on STP timers and would not speed up host access.

Exam trap

Avoid confusing STP parameters like hello time with features like PortFast that directly affect port state transitions.

Why the other options are wrong

B

Disabling STP globally removes all loop protection, which is not desired because loop protection elsewhere is still needed.

C

Changing the trunk native VLAN does not affect STP port state transitions and is irrelevant for an access port.

D

Setting the port to half-duplex has no impact on STP listening/learning timers and would not speed up host access.

68
MCQ · hard

A trunk link between two switches is operational, but one side shows a native VLAN mismatch warning. What is the main concern with that condition?

A. Untagged traffic may be associated with different VLANs on each end of the trunk
B. All tagged VLAN traffic is automatically converted to routed traffic
C. The mismatch forces OSPF adjacency reset on all routers
D. The trunk can carry only one VLAN until the mismatch is cleared
Answer: A

This is correct because that is the direct risk of a native VLAN mismatch.

Why this answer

A native VLAN mismatch can cause untagged traffic to be interpreted as belonging to different VLANs on each end of the trunk. In plain language, the two switches disagree about where untagged frames belong. That can lead to confusing traffic behavior, reachability problems for certain flows, and operational warnings. It is not always a total outage, but it is a design inconsistency that should be corrected.

This matters because trunks carry multiple VLANs, and the native VLAN defines how untagged traffic is handled. If both ends do not agree, the logical treatment of those frames becomes inconsistent. The correct answer is the one that focuses on misclassification of untagged traffic, not on unrelated routing behavior.

Exam trap

Be careful not to confuse native VLAN mismatches with general trunk failures or issues affecting tagged traffic.

Why the other options are wrong

B

A native VLAN mismatch does not convert tagged traffic into routed traffic. Tagged frames continue to be switched based on their VLAN tags, and the trunk remains a Layer 2 link. The mismatch only affects untagged frames on the native VLAN.

C

A native VLAN mismatch is a Layer 2 trunking issue and does not directly affect OSPF or any routing protocol. OSPF adjacency is a Layer 3 process and would only be impacted if the mismatch caused connectivity loss for the router interfaces, but the mismatch itself does not force OSPF adjacency resets.

D

A native VLAN mismatch does not prevent the trunk from carrying other tagged VLANs. Tagged frames for other VLANs are still forwarded correctly because they are not affected by the native VLAN configuration. The trunk can carry multiple VLANs, but the native VLAN traffic is misdirected.

69
Multi-Select · medium

Which four of the following are characteristics of Dynamic Trunking Protocol (DTP) and VLAN Trunking Protocol (VTP) used in Cisco switching? (Choose four.)

Select 4 answers
  • DTP is a Cisco proprietary protocol used to negotiate trunking between two switches.
  • VTP allows synchronization of VLAN information across switches in the same VTP domain.
  • A switch configured with 'switchport mode dynamic desirable' actively attempts to form a trunk using DTP.
  • VTP pruning helps reduce unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN.
  • VTP transparent mode stores and forwards VTP advertisements but also modifies the VLAN database based on received updates.
  • DTP can form a trunk regardless of whether both ends are configured with 'switchport nonegotiate'.

Why this answer

The four correct statements are: (1) DTP is a Cisco proprietary protocol for negotiating trunk links; (2) VTP synchronizes VLAN information across switches in the same VTP domain; (3) 'switchport mode dynamic desirable' actively sends DTP frames to form a trunk; (4) VTP pruning reduces unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN. The two incorrect statements: VTP transparent mode forwards VTP advertisements but does **not** modify its VLAN database based on received updates—it only passes them through. DTP **cannot** form a trunk when both ends are configured with 'switchport nonegotiate' because that command disables DTP frame transmission entirely, preventing trunk negotiation.

Exam trap

Cisco often tests the distinction between DTP modes (dynamic desirable vs. dynamic auto) and the fact that VTP can cause catastrophic VLAN propagation errors if revision numbers are not reset before adding a switch to a production network.

70
PBQ · hard

You are connected to R1. Configure router-on-a-stick inter-VLAN routing so that hosts in VLAN 10 and VLAN 20 can communicate through R1. The switch (not shown) is already configured with the correct VLANs and trunk. Troubleshoot and fix any issues in the current R1 configuration.

Network Topology (diagram): R1 G0/0 --- 802.1Q trunk --- Switch

Hints

  • Check if the main physical interface is administratively down.
  • The subinterfaces require the parent interface to be up.
  • Verify that ip routing is enabled (it is already).
A.Enable IP routing globally and bring up the main interface GigabitEthernet0/0 with 'no shutdown'.
B.Change the encapsulation on the subinterfaces to 'encapsulation dot1Q 10 native' and 'encapsulation dot1Q 20 native'.
C.Remove the subinterfaces and configure IP addresses directly on GigabitEthernet0/0.
D.Add 'ip routing' on each subinterface individually.
Answer: A
solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
end

Why this answer

The R1 configuration has two subinterfaces (G0/0.10 and G0/0.20) with correct VLAN encapsulation and IP addresses, but inter-VLAN routing fails because the parent interface G0/0 is administratively down; subinterfaces cannot come up while their parent interface is shut down. Ensure IP routing is enabled globally with 'ip routing' and bring GigabitEthernet0/0 up with 'no shutdown'. The subinterfaces will then route between VLANs.

Exam trap

Do not assume that configuring subinterfaces with encapsulation and IP addresses is sufficient. Always verify that 'ip routing' is enabled globally and that the main physical interface is not shut down. These are common oversights that cause inter-VLAN routing to fail.

Why the other options are wrong

B

The specific factual error: The 'native' keyword should only be applied to the subinterface that matches the native VLAN (usually VLAN 1 by default), not to all subinterfaces.

C

The specific factual error: Router-on-a-stick requires subinterfaces with VLAN encapsulation to handle multiple VLANs over a single trunk link. Assigning an IP to the physical interface only works for a single VLAN (usually the native VLAN).

D

The specific factual error: 'ip routing' is a global configuration command that enables Layer 3 forwarding on the entire router. It is not available under interface configuration mode.

71
MCQ · hard

A switch displays the following output:

Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/24    on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30

Port        Vlans active in management domain
Gi1/0/24    10,20,30,40

Users in VLAN 40 cannot reach resources across this trunk. What is the most likely reason?

A.VLAN 40 is active, so spanning tree must be blocking it
B.VLAN 40 is not in the native VLAN, so it cannot cross the trunk
C.VLAN 40 is not permitted on the trunk
D.802.1Q trunks can carry only three VLANs at a time
Answer: C

This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

Why this answer

The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted.

Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.

Exam trap

Ensure you differentiate between VLANs configured on the switch and those allowed on the trunk. Just because a VLAN is active doesn't mean it's allowed on a trunk.

Why the other options are wrong

A

Spanning Tree Protocol (STP) can block a VLAN if there is a loop, but the output shows VLAN 40 is active in the management domain and not listed as blocked. The explicit absence of VLAN 40 from the allowed VLAN list is the direct cause, not STP.

B

The native VLAN is only for untagged traffic on an 802.1Q trunk. All other VLANs are tagged and can cross the trunk regardless of the native VLAN. VLAN 40 is not the native VLAN, but that does not prevent it from being carried if permitted.

D

802.1Q has no limit of three VLANs per trunk; it can support up to 4094 VLANs. The output shows only three VLANs allowed because of configuration, not a protocol limitation.

72
MCQ · hard

A multilayer switch has SVIs for VLAN 10 and VLAN 20, but hosts in those VLANs still cannot reach each other. The SVIs are up/up. Which additional condition is most likely required?

A.IP routing must be enabled on the multilayer switch
B.Every access port must be converted to a trunk
C.DHCP snooping must be disabled globally
D.The switch must remove all VLAN assignments
Answer: A

This is correct because the switch needs Layer 3 routing enabled to route between active SVIs.

Why this answer

If the SVIs are up but inter-VLAN traffic still fails, the most likely missing condition is that IP routing is not enabled on the multilayer switch. In plain language, the switch has the VLAN gateway interfaces present, but it has not been told to behave as a Layer 3 router between them. Without IP routing enabled, the SVIs can exist and still not actually route traffic between VLANs.

This is a classic multilayer-switch design issue because many learners assume the presence of SVIs alone automatically creates routing. In reality, routed forwarding between VLANs still requires the switch to operate as a Layer 3 device. That is why enabling routing is the best answer.

Exam trap

Don't assume SVIs automatically enable routing; IP routing must be explicitly configured.

Why the other options are wrong

B

Converting all access ports to trunk ports is unnecessary and incorrect for inter-VLAN routing. Access ports belong to a single VLAN, and hosts connect via access ports. Trunk ports are used to carry multiple VLANs between switches, not to connect end hosts.

Changing all ports to trunks would break connectivity for hosts.

C

DHCP snooping is a security feature that filters DHCP messages and does not affect Layer 3 routing between VLANs. Disabling it would not enable inter-VLAN communication. The issue is routing, not DHCP.

D

Removing all VLAN assignments would break the network entirely, as hosts would lose their VLAN membership and connectivity. VLANs are essential for segmenting the network; removing them would not solve the routing issue.

73
PBQ · hard

You are connected to R1, a multilayer switch acting as the root bridge for VLAN 10. The network has experienced a loop, and interface GigabitEthernet0/1 on R1 is currently in err-disabled state due to a BPDU guard violation. Configure the switch to recover automatically from err-disable state after 300 seconds, then verify that the interface comes back up.

Hints

  • The errdisable recovery command is in global configuration mode.
  • Use the 'show errdisable recovery' command to check the current causes and timers.
  • The interface will not recover immediately; you can use 'clear errdisable interface Gi0/1' to test manually.
A.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' globally, then verify with 'show interfaces status'.
B.Configure 'spanning-tree portfast bpduguard default' and 'errdisable recovery interval 300' globally, then verify with 'show spanning-tree'.
C.Configure 'errdisable recovery cause all' and 'errdisable recovery interval 300' globally, then verify with 'show errdisable recovery'.
D.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' on interface GigabitEthernet0/1, then verify with 'show interfaces GigabitEthernet0/1'.
Answer: A
solution
! R1
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The interface Gi0/1 is in err-disabled state because BPDU Guard detected an unexpected BPDU on a PortFast-enabled access port. To recover automatically, configure errdisable recovery cause bpduguard and set the recovery interval to 300 seconds with errdisable recovery interval 300. After applying these commands, the interface will automatically come out of err-disable state after 300 seconds.

The blocking port on Gi0/2 is expected because R1 is the root bridge and Gi0/2 is an alternate port providing redundancy; no action is needed for that blocking state.

Exam trap

The trap is that candidates may confuse enabling BPDU guard with configuring recovery, or they may think recovery commands are applied per-interface. Remember that errdisable recovery is a global setting, and you must specify the exact cause unless you want to recover from all causes.

Why the other options are wrong

B

The specific factual error: 'spanning-tree portfast bpduguard default' enables BPDU guard, not recovery. Recovery requires 'errdisable recovery cause bpduguard'.

C

The specific factual error: Using 'cause all' is not the best practice; the question implies a specific cause. Also, the verification command is correct but the configuration is not precise.

D

The specific factual error: errdisable recovery is a global configuration command, not interface-specific.

74
Multi-Select · medium

Which TWO statements correctly describe the behavior of PortFast and BPDU Guard on a Cisco switch?

Select 2 answers
A.PortFast immediately transitions a port from blocking to forwarding state, bypassing listening and learning.
B.BPDU Guard disables a PortFast-enabled port if it receives any BPDU.
C.PortFast allows BPDUs to pass through the port normally, but the port remains in forwarding state.
D.BPDU Guard prevents the port from becoming a root port or designated port by ignoring superior BPDUs.
E.BPDU Guard is typically configured on trunk ports to prevent loops between switches.
Answers: A, B

This is correct. PortFast allows a port to go directly to forwarding, reducing the time a host takes to start sending traffic.

Why this answer

PortFast immediately transitions an access port from blocking to forwarding, bypassing listening and learning (Option A). BPDU Guard errdisables a PortFast-enabled port if any BPDU is received, protecting against accidental loops (Option B). Option C is incorrect because PortFast does not alter BPDU handling; the port still processes BPDUs and reverts to normal STP if one is received.

Option D is false because BPDU Guard disables the port entirely rather than ignoring BPDUs. Option E is incorrect because BPDU Guard is typically configured on access ports connected to end devices, not on trunk ports.

Exam trap

Cisco often tests the misconception that PortFast itself blocks or filters BPDUs, when in fact it only accelerates the transition to forwarding; BPDU Guard is a separate feature that must be explicitly enabled to disable the port upon BPDU reception.

Why the other options are wrong

C

PortFast does not filter BPDUs; it still processes them normally. If a BPDU is received on a PortFast port, the port will still participate in STP and may transition to a blocking state, defeating the purpose of PortFast. The statement incorrectly claims BPDUs pass through while the port remains forwarding, which is not true.

D

BPDU Guard does not affect STP election processes; it simply err-disables the port upon receiving any BPDU. It does not ignore superior BPDUs or prevent the port from becoming a root or designated port. That behavior is associated with Root Guard, not BPDU Guard.

E

BPDU Guard is intended for access ports with PortFast, not for trunk ports. Trunk ports between switches are expected to exchange BPDUs for normal STP operation; applying BPDU Guard on a trunk would cause the port to err-disable upon receiving legitimate BPDUs, disrupting the network.

75
MCQ · hard

A switch port should allow an IP phone and attached PC to operate correctly. The phone should place voice traffic in VLAN 200 while the PC remains in VLAN 20. Which configuration approach best supports that design?

A.Configure the port with an access VLAN for data and a voice VLAN for the phone
B.Configure the port as a routed port with no switchport
C.Configure the port as an EtherChannel member
D.Use a native VLAN only and disable all tagging
Answer: A

This is correct because Cisco voice-VLAN design allows user data and tagged voice traffic to coexist correctly on one edge port.

Why this answer

The best approach is to configure the access VLAN for user data and the voice VLAN separately. In plain language, the PC should remain a normal untagged data endpoint in VLAN 20, while the phone can tag its own voice traffic for VLAN 200. Cisco access-port designs support this exact use case and allow the switch to keep voice and user traffic logically separated without requiring two physical ports.

This is a classic CCNA edge-port design. It is not a general trunking problem, and it does not require EtherChannel or router subinterfaces. The important idea is that one switchport can support an access VLAN and a voice VLAN together in a way designed specifically for IP phones with downstream PCs.

Exam trap

Avoid assuming trunk mode is needed for VLANs; understand access vs. voice VLANs for edge ports.

Why the other options are wrong

B

A routed port (no switchport) is used for Layer 3 routing between switches or routers, not for connecting end devices like IP phones and PCs. It does not support VLAN assignment or the coexistence of multiple VLANs on a single port, making it unsuitable for this scenario.

C

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy. It does not provide any mechanism to separate voice and data traffic into different VLANs on a single port, and it is not relevant to the requirement of connecting an IP phone and PC.

D

Using a native VLAN only and disabling all tagging would place all traffic (voice and data) in the same VLAN, which contradicts the requirement to separate voice into VLAN 200 and data into VLAN 20. The native VLAN is used for untagged traffic on a trunk, but this design requires distinct VLANs with tagging for voice.
