CCNA Switching Network Access Questions

75 of 392 questions · Page 2/6 · Switching Network Access topic · Answers revealed

76 · MCQ · hard

A network engineer notices that a root port on a switch has transitioned to a loop-inconsistent state. The port was previously receiving BPDUs normally, but after a suspected unidirectional fiber cut, it no longer receives BPDUs. What is the most likely cause?

A. BPDU Guard is enabled on the port, causing it to be placed in error-disabled state.
B. Loop Guard is active on the root port and transitioned it to loop-inconsistent state upon BPDU loss.
C. UDLD has detected a unidirectional link and has shut down the port.
D. Root Guard is preventing the port from transitioning to designated forwarding after losing BPDUs.

Answer: B

Loop Guard is precisely designed to monitor BPDU reception on blocked or alternate ports. When a unidirectional link failure occurs and BPDUs are no longer received, Loop Guard places the port into the loop-inconsistent state, blocking all traffic to prevent a potential loop. The 'loop-inconsistent' state is a clear indicator of this feature.

Why this answer

Loop Guard is an STP enhancement that monitors the reception of BPDUs on a blocked port. When BPDUs stop arriving (due to a unidirectional link failure), Loop Guard moves the port to loop-inconsistent state, preventing it from transitioning to the forwarding state and thus avoiding a switching loop.

Exam trap

UDLD is tempting because it also detects unidirectional links, but UDLD would place the port in err-disable or shut down state, not the STP loop-inconsistent state. The appearance of 'loop-inconsistent' specifically indicates Loop Guard is active.

Why the other options are wrong

A

BPDU Guard is a protective feature that disables a port upon receiving a BPDU, not upon losing BPDUs. The symptom here is a loss of BPDUs, not a reception of unexpected BPDUs.

C

UDLD acts by shutting down the port or putting it in errdisable state, while the scenario explicitly shows the port in a loop-inconsistent state, indicating an STP-based protection mechanism.

D

Root Guard would block a port if it received a BPDU with better root information, not when BPDUs stop arriving. It also does not produce a loop-inconsistent state.

77 · PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Port GigabitEthernet0/1 connects to a PC in VLAN 10, and port GigabitEthernet0/2 connects to a server in VLAN 20. Both ports are currently in VLAN 1. Configure SW1 to assign GigabitEthernet0/1 to VLAN 10 and GigabitEthernet0/2 to VLAN 20, and verify the configuration.

Network Topology
PC <-> G0/1 SW1 G0/2 <-> Server

Hints

  • Use switchport mode access to configure the port as an access port.
  • Use switchport access vlan to assign the VLAN.
A. interface GigabitEthernet0/1 ; switchport mode access ; switchport access vlan 10 ; interface GigabitEthernet0/2 ; switchport mode access ; switchport access vlan 20 ; end ; show vlan brief
B. interface GigabitEthernet0/1 ; switchport mode trunk ; switchport trunk allowed vlan 10 ; interface GigabitEthernet0/2 ; switchport mode trunk ; switchport trunk allowed vlan 20 ; end ; show interfaces trunk
C. vlan 10 ; name PC_VLAN ; vlan 20 ; name Server_VLAN ; interface GigabitEthernet0/1 ; switchport mode access ; switchport access vlan 10 ; interface GigabitEthernet0/2 ; switchport mode access ; switchport access vlan 20 ; end ; show vlan brief
D. interface GigabitEthernet0/1 ; switchport access vlan 10 ; interface GigabitEthernet0/2 ; switchport access vlan 20 ; end ; show vlan brief

Answer: A

Solution
! SW1
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Why this answer

Access ports carry traffic for a single VLAN. By assigning G0/1 to VLAN 10 and G0/2 to VLAN 20, the PC and server are placed in their respective VLANs.

Exam trap

Do not confuse access ports with trunk ports. Access ports are for end devices; trunk ports are for switch-to-switch connections. Also, remember that 'switchport mode access' is required before assigning a VLAN; otherwise, the port may not behave as expected.

Why the other options are wrong

B

Trunk ports are not appropriate for end devices; they are designed for inter-switch links.

C

The question does not require creating or naming VLANs; it only asks to assign ports to existing VLANs.

D

The 'switchport mode access' command is required to explicitly set the port as an access port; otherwise, the port might negotiate trunking.

78 · Matching · medium

Match each STP or switch protection feature to the problem it is mainly designed to prevent.


  • Reduces delay for an end-host access port to reach forwarding
  • Err-disables a PortFast port that unexpectedly receives a BPDU
  • Prevents an access or designated port from becoming a new root port because of superior BPDUs
  • Helps stop a non-designated port from transitioning to forwarding when BPDUs stop arriving

Why these pairings

STP protection features prevent specific problems: Root Guard protects root bridge election, BPDU Guard prevents loops on access ports, Loop Guard handles BPDU loss, UDLD detects unidirectional links, and PortFast speeds up port transition.

Exam trap

The exam trap is confusing BPDU Guard with Root Guard or Loop Guard. Remember that BPDU Guard specifically protects against rogue switches by shutting down the port if a BPDU is received on a PortFast port.

79 · MCQ · hard

A technician connects a PC to a switch port that has port security enabled with the default maximum of one MAC address and violation mode shutdown. Immediately after connecting, the port goes into the err-disabled state. The technician runs the show interfaces command and sees the port status as err-disabled. What should the technician do next?

A. Configure the port security violation mode to restrict, increase the maximum number of MAC addresses, and then recover the port.
B. Disable port security on the interface.
C. Enter the shutdown and no shutdown commands to recover the port, then enable port security with sticky MAC learning.
D. Verify the spanning-tree portfast configuration on the interface.

Answer: A

This directly addresses the symptom (err-disabled due to a port security violation) by making the policy more permissive while still retaining security. Increasing max MACs prevents the violation, and switching to restrict mode avoids future shutdowns. The err-disable state is cleared so the port becomes operational again.

Why this answer

Option A is correct because the port went into err-disabled state due to a port security violation (default maximum of one MAC address was exceeded). To resolve this, the technician must first recover the port (shutdown/no shutdown) or use the 'errdisable recovery cause psecure-violation' command, but the question asks what to do next. The best next step is to configure the violation mode to 'restrict' (which allows traffic from violating MACs but logs them) and increase the maximum MAC addresses to accommodate the PC, then recover the port.

This prevents immediate err-disable on future violations while maintaining security.

Exam trap

Cisco often tests the misconception that simply recovering the port (shutdown/no shutdown) is sufficient, but candidates must realize that the underlying violation condition must be corrected first to prevent immediate reoccurrence.

Why the other options are wrong

B

Assumes port security is the problem itself rather than its configuration, leading to a full removal of the feature.

C

Focuses on clearing the error state without addressing why the violation occurred, leading to a loop of repeated err-disabled events.

D

Mistakenly attributes the err-disabled condition to a Layer 2 loop-prevention feature instead of the explicitly configured Layer 2 security feature.

80 · PBQ · hard

You are connected to R1, a multilayer switch acting as the STP root bridge. Configure Root Guard on the designated port toward R2 (G0/1), Loop Guard on the uplink port G0/2, and BPDU Guard on PortFast-enabled access port G0/3. After configuration, a superior BPDU is received on G0/1, causing it to be blocked by Root Guard; later, an unauthorized BPDU on G0/3 triggers err-disable. Troubleshoot and verify the expected port states.

Hints

  • Root Guard only blocks a port when it receives a superior BPDU; it does not affect normal operation.
  • Loop Guard prevents alternate or root ports from becoming designated in case of BPDU loss.
  • BPDU Guard err-disables a PortFast port immediately upon BPDU reception.
A. G0/1 is in blocking state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
B. G0/1 is in forwarding state (Root Guard), G0/2 is in blocking state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).
C. G0/1 is in err-disable state (Root Guard), G0/2 is in forwarding state (Loop Guard), G0/3 is in blocking state (BPDU Guard).
D. G0/1 is in blocking state (Root Guard), G0/2 is in loop-inconsistent state (Loop Guard), G0/3 is in err-disable state (BPDU Guard).

Answer: A

Solution
! R1
! G0/1: re-apply Root Guard; blocking on receipt of a superior BPDU is the expected result
interface GigabitEthernet0/1
no spanning-tree guard root
spanning-tree guard root
end
! G0/3: err-disabled by BPDU Guard; bounce the port to recover after removing the offending device
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

The root guard on G0/1 correctly blocked the port when a superior BPDU was received, preventing an unauthorized root bridge. Loop Guard was applied specifically to the uplink port G0/2 to prevent forwarding loops in case of uni-directional link failure. BPDU Guard on G0/3 placed the port into err-disable state upon receiving an unexpected BPDU, which protects the PortFast edge port.

To restore G0/3, you must manually shut/no shut the interface after removing the offending device.

Exam trap

Do not confuse the actions of Root Guard (blocking) with BPDU Guard (err-disable). Root Guard blocks the port temporarily; BPDU Guard err-disables the port until manual intervention. Also, Loop Guard does not block immediately; it only reacts when BPDUs stop.

Why the other options are wrong

B

Root Guard blocks the port upon receiving a superior BPDU, not forwards. Loop Guard transitions to blocking only after BPDU loss, not while BPDUs are still received.

C

Root Guard results in a blocking state, not err-disable. BPDU Guard results in err-disable, not blocking.

D

Loop Guard does not immediately place the port in loop-inconsistent state; it only does so after BPDU loss. Here, BPDUs are still being received.

81 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled due to BPDU Guard.


Why this order

The correct order begins with Root Guard on designated ports to prevent them from becoming root ports upon receiving superior BPDUs. Next, Loop Guard is applied to non-designated ports (alternate/backup) to protect against unidirectional link failures. Then, BPDU Guard is placed on PortFast-enabled ports to shut them down if a BPDU is received, preventing rogue switch connections.

Finally, recovery from BPDU Guard err-disable requires a manual interface reset (shutdown/no shutdown) because the errdisable cause 'bpduguard' has no automatic timeout.

Exam trap

Cisco exams often test the specific port roles for each STP protection feature. Remember: Root Guard is for designated ports, Loop Guard is for non-designated ports (alternate/backup), and BPDU Guard is for PortFast ports. Also, recovery from err-disabled due to BPDU Guard requires manual interface reset, not just waiting or removing the configuration.

82 · Matching · medium

Match each switch protection feature to its most accurate purpose.


  • Limits and controls MAC address use on a switch port
  • Disables an edge port if a BPDU is received
  • Helps block rogue DHCP behavior and build trusted bindings
  • Validates ARP traffic using trusted information

Why these pairings

Port security directly controls MAC address usage on a switch port, limiting the number and types of MACs allowed. BPDU Guard disables an edge port if it receives a BPDU, preventing potential loop or rogue switch issues. DHCP Snooping filters untrusted DHCP messages and builds a binding table of valid IP-MAC pairs.

Dynamic ARP Inspection validates ARP packets against the DHCP Snooping binding table, ensuring they are legitimate.

Exam trap

Do not confuse the purposes of BPDU Guard and Root Guard. BPDU Guard error-disables a port upon receiving any BPDU, while Root Guard only reacts to superior BPDUs and does not disable the port. Also, Loop Guard and UDLD both address loop issues but in different ways: Loop Guard handles BPDU loss, UDLD handles unidirectional links.

83 · Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ on SW1, make it the root bridge, and enable PortFast with BPDU Guard on all access ports.


Why this order

The correct order begins by entering global configuration mode, then enabling Rapid PVST+ so that subsequent spanning-tree commands operate under that mode. Next, the switch is designated as the root bridge for VLAN 1 using 'spanning-tree vlan 1 root primary', which sets a superior bridge priority. After the root election is influenced, PortFast is applied to all access interfaces to transition them directly into forwarding state.

Finally, BPDU Guard is enabled globally to protect all PortFast-enabled ports; if a BPDU is received on such a port, it is immediately put into err-disabled state, preventing potential loops. Each step builds on the previous one: enabling Rapid PVST+ must precede root setup, root selection should be completed before any access-port optimization, and BPDU Guard is applied last to secure the already-accelerated ports.

84 · PBQ · hard

You are connected to SW1. Configure LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel forms and passes traffic for VLAN 10. Troubleshoot and fix any issues preventing the channel from coming up.

Network Topology
SW1 Gi0/1 <-> Gi0/1 SW2 (LACP)

Hints

  • Check the speed and duplex settings on both member interfaces.
  • Verify that the port-channel interface and member ports are both Layer2 or both Layer3.
  • Ensure LACP mode is active on at least one side to initiate negotiation.
A. Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
B. Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to no switchport, and set both Gi0/1 and Gi0/2 to channel-group 1 mode passive.
C. Configure speed 100 and duplex half on Gi0/1 to match Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
D. Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode access with access vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode desirable.

Answer: A

Solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/1
channel-group 1 mode active
exit
interface Port-channel1
switchport
switchport mode trunk
switchport trunk allowed vlan 10
no ip address
end

Why this answer

The EtherChannel is not forming because of multiple mismatches: speed (1000 vs 100), duplex (full vs half), and the port-channel interface is configured as Layer3 (no switchport) while the member ports are Layer2 (switchport mode trunk). First, correct the speed and duplex on Gi0/2 to match Gi0/1 (speed 1000, duplex full). Then change the port-channel to switchport mode trunk and set the allowed VLAN.

Finally, change the LACP mode on both interfaces to 'active' to initiate negotiation. After these changes, the channel should come up.

Exam trap

Watch for mismatches in speed, duplex, and Layer2/Layer3 configuration between member ports and the port-channel interface. Also, ensure LACP mode is active on at least one side to initiate negotiation.

Why the other options are wrong

B

The specific factual error: The port-channel interface must match the Layer2 configuration of member ports; using no switchport creates a Layer3 interface that cannot trunk VLANs. Additionally, passive mode requires an active partner to form the channel.

C

The specific factual error: Speed and duplex should be consistent across all member links, but the correct resolution is to correct the misconfigured interface (Gi0/2) to match the working one (Gi0/1), not vice versa.

D

The specific factual error: Access mode cannot carry multiple VLANs; trunk mode is required for VLAN 10. Additionally, desirable is a PAgP keyword, not LACP. LACP uses active or passive.

85 · Multi-Select · medium

Which THREE statements correctly describe the behavior of LACP modes in an EtherChannel configuration?

Select 3 answers
A. Active mode will not send LACP packets unless the peer is also in active mode.
B. Passive mode will only respond to LACP packets and will not initiate negotiation.
C. Passive mode cannot form an EtherChannel with another passive mode interface.
D. Active mode will initiate LACP negotiation by sending LACP packets.
E. Both active and passive modes are supported in PAgP.

Answers: B, C, D

Passive mode waits for LACP packets from the peer and does not initiate the negotiation.

Why this answer

B is correct because passive mode interfaces only respond to LACP packets and never initiate negotiation. C is correct because two passive interfaces will both wait for the other to initiate, so no LACP packets are sent and the EtherChannel never forms. D is correct because active mode interfaces actively send LACP packets to initiate negotiation with either an active or passive peer.

A is incorrect: active mode sends LACP packets regardless of the peer’s mode; it can form a channel with passive just as well as with active. E is incorrect because PAgP supports only desirable and auto modes, not LACP’s active/passive modes; PAgP and LACP are separate protocols.

Exam trap

A common mistake is thinking active mode requires the peer to also be active, but active can form with either active or passive, while passive–passive pairs never negotiate.

Why the other options are wrong

A

Active mode sends LACP packets unconditionally; it does not require the peer to be active and will negotiate with a passive peer.

E

PAgP uses desirable and auto modes, not the LACP active/passive modes; these modes are specific to LACP.

86 · MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting a connectivity issue on switch SW1. Users connected to port Gi0/3 are unable to reach resources in VLAN 30. The administrator issues the show vlan brief command and receives the output shown. What is the most likely cause of the problem?

A. The Gi0/3 port is in an error-disabled state due to port security violations.
B. The VLAN 30 SVI is administratively down.
C. VLAN 30 is administratively shut down.
D. Spanning Tree Protocol has placed Gi0/3 into a blocking state for VLAN 30.

Answer: C

The Status field for VLAN 30 clearly displays 'act/lshut', which is Cisco’s notation for an administratively shut-down VLAN. This prevents any data plane forwarding on ports assigned to that VLAN.

Why this answer

The 'show vlan brief' output lists VLAN 30 with a status of 'act/lshut' rather than 'active'. This indicates that VLAN 30 has been administratively shut down (the shutdown command applied under VLAN configuration mode), which prevents any traffic from being forwarded through that VLAN, even if switch port Gi0/3 is configured as an access port in VLAN 30. The correct answer is C because the VLAN is still defined but administratively disabled, so all ports assigned to it are unable to communicate within that VLAN.

Exam trap

Cisco often tests the distinction between a VLAN being 'shutdown' versus a VLAN being 'active' but with no ports assigned, and candidates mistakenly think that a missing VLAN in 'show vlan brief' means it doesn't exist, rather than recognizing it could be administratively disabled.

Why the other options are wrong

A

Candidates often confuse port-level issues with VLAN-level states. Port security violations would result in an err-disable status, which is not reflected in the VLAN status column; the VLAN would still show 'active' if it were enabled.

B

Candidates may mistake the VLAN shutdown for an SVI shutdown because both involve the 'shutdown' keyword. However, the SVI state would appear in 'show ip interface brief' or 'show interface vlan 30', not here.

D

Candidates often attribute connectivity loss to STP blocking, which is a common cause of forwarding issues. However, this exhibit’s specific clue is the 'act/lshut' flag, directing attention to the VLAN administrative state.

87 · MCQ · hard

A technician is troubleshooting a network-wide broadcast storm that has caused severe performance issues. The technician notices that BPDU guard is globally enabled on the access layer switch, but no ports are in an err-disabled state. All access ports have PortFast enabled. What is the most likely cause?

A. Spanning tree is disabled globally, allowing the rogue switch to create a loop.
B. BPDU guard is misconfigured on the wrong ports, so it failed to block the rogue switch.
C. Root guard is incorrectly enabled on the access ports, causing the rogue switch to become the root bridge.
D. BPDU filter is globally enabled, causing the switch to suppress BPDUs on PortFast ports and preventing BPDU guard from triggering.

Answer: D

Global BPDU filter on a switch sets PortFast on all access ports and disables BPDU transmission and reception on those ports. The rogue switch’s BPDUs are never processed, so BPDU guard—which depends on receiving a BPDU—never err-disables the port, allowing a loop and broadcast storm.

Why this answer

When BPDU filter is enabled globally on a switch, it enables PortFast on all access ports and also prevents those ports from sending or receiving BPDUs. If a rogue switch is then connected to such a port, the switch does not detect any BPDU from it, so BPDU guard never triggers despite being enabled globally. This allows the rogue switch to create a bridging loop without STP intervention, leading to a broadcast storm.

Exam trap

Many candidates see that BPDU guard is globally enabled but no ports are err-disabled, and conclude that BPDU guard is misconfigured or not applied correctly. However, the true reason is that BPDU filter suppresses BPDUs on PortFast ports, rendering BPDU guard ineffective because no BPDU is ever received to trigger it.

Why the other options are wrong

A

This answer assumes STP is off entirely, but the presence of BPDU guard configuration indicates spanning tree is operational.

B

Candidates often assume that BPDU guard simply failed, overlooking the interaction with BPDU filter, which can neutralize guard by suppressing BPDUs.

C

Root guard is a different feature and not related to the suppression of BPDUs that would allow a loop to form undetected.

88 · Multi-Select · medium

Which two statements accurately describe CAPWAP in a controller-based WLAN context?

Select 2 answers
A. It is associated with communication between lightweight APs and the wireless LAN controller.
B. It is relevant in controller-based WLAN designs.
C. It is the same thing as a client SSID.
D. It is a replacement for WPA2 and WPA3.
E. It is used only for IPv4 ACL filtering.

Answers: A, B

This is correct because CAPWAP is part of the AP-controller architecture.

Why this answer

CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol used between lightweight access points (LAPs) and the wireless LAN controller (WLC) in controller-based WLAN architectures. Options C, D, and E are incorrect: CAPWAP is not an SSID; it is a control and data tunneling protocol, not a security standard like WPA2/WPA3; and it supports both IPv4 and IPv6, not just IPv4 ACL filtering.

Exam trap

Be careful not to confuse encapsulation with encryption or assume CAPWAP is limited to a specific IP version.

Why the other options are wrong

C

CAPWAP is a control protocol for AP-WLC communication, not a client SSID—an SSID is the network name that clients see and associate with.

D

CAPWAP is not a security replacement; WPA2 and WPA3 are wireless security standards, whereas CAPWAP tunnels traffic between AP and WLC.

E

CAPWAP supports both IPv4 and IPv6 transport; it is not limited to IPv4 ACL filtering.

89 · Multi-Select · medium

Which TWO statements accurately describe 802.1Q trunking and inter-VLAN routing on Cisco switches?

Select 2 answers
A. The native VLAN on a trunk port sends frames with an 802.1Q tag containing VLAN ID 1.
B. 802.1Q trunking adds a 4-byte tag that includes a 12-bit VLAN ID field, increasing the maximum frame size.
C. A router-on-a-stick configuration uses subinterfaces, each mapped to a VLAN with 802.1Q encapsulation and an IP address in a unique subnet.
D. A trunk port can only forward traffic for one VLAN at a time.
E. The native VLAN on a trunk cannot be changed from VLAN 1.

Answers: B, C

The 802.1Q tag is 4 bytes, consisting of TPID and TCI, where the TCI contains a 12-bit VLAN ID.

Why this answer

Option B is correct because 802.1Q trunking inserts a 4-byte tag into the Ethernet frame, which includes a 12-bit VLAN ID field (supporting up to 4094 VLANs). This tag increases the maximum frame size from 1518 bytes to 1522 bytes, which is a key characteristic of 802.1Q encapsulation.

Exam trap

Cisco often tests the misconception that the native VLAN is always VLAN 1 and that it is tagged, when in fact the native VLAN is untagged and can be changed to any VLAN number.

Why the other options are wrong

A

By default, frames belonging to the native VLAN (VLAN 1) traverse a trunk link without an 802.1Q tag.

D

Trunk ports differentiate frames from multiple VLANs using VLAN tags, permitting concurrent forwarding for all allowed VLANs.

E

Cisco switches allow administrators to assign any active VLAN as the native VLAN for a trunk port.

90 · PBQ · hard

You are securing the spanning-tree topology on R1, the root bridge for VLAN 10. Intended configurations: Root Guard on GigabitEthernet1/0/3, Loop Guard on gigabit interfaces 1/0/1 and 1/0/2, and BPDU Guard on all PortFast-enabled interfaces. After initial configuration, a superior BPDU on G1/0/3 blocks the port (expected), and a host on G1/0/5 triggers BPDU Guard, causing err-disable (expected). However, you realize Loop Guard was not applied to the uplinks. Troubleshoot and apply the missing configuration.

Hints

  • Root Guard on the root bridge may cause blocking if a superior BPDU is received; this is correct behavior unless the port should be a root port.
  • Loop Guard prevents alternate or root ports from becoming designated in case of unidirectional link failure; it is safe on trunk uplinks.
  • BPDU Guard err-disables a PortFast port when a BPDU is received; re-enable with 'no shutdown' after fixing the cause.
A. Remove Root Guard from G1/0/3 and configure it with 'spanning-tree guard loop' to prevent the blockage.
B. Re-enable G1/0/5 with 'no shutdown' and apply 'spanning-tree bpduguard enable' on all PortFast-enabled interfaces to prevent future err-disable.
C. Configure Loop Guard on G1/0/1 and G1/0/2 with 'spanning-tree guard loop' and recover G1/0/5 from err-disable by issuing 'shutdown' followed by 'no shutdown'.
D. Remove BPDU Guard from all PortFast interfaces and configure 'spanning-tree portfast bpdufilter default' to prevent err-disable.

Answer: C

Solution
! R1
interface GigabitEthernet1/0/1
spanning-tree guard loop
interface GigabitEthernet1/0/2
spanning-tree guard loop
interface GigabitEthernet1/0/5
shutdown
no shutdown

Why this answer

The candidate must first identify that Root Guard is correctly configured on G1/0/3, causing it to block (BKN*ROOT_Guard) upon receiving a superior BPDU, which is correct behavior. However, the task states to protect the root bridge role; since R1 is already root, Root Guard is appropriate. The err-disabled port G1/0/5 indicates BPDU Guard triggered; this is expected because a host connected to a PortFast port sent a BPDU.

To resolve, the candidate should re-enable the port with 'no shutdown' and ensure BPDU Guard is properly applied. Additionally, Loop Guard is missing on uplinks G1/0/1 and G1/0/2; it must be configured with 'spanning-tree guard loop' under each interface. No changes to Root Guard are needed; the blockage is intentional.

Exam trap

Do not assume that a blocked port due to Root Guard is a problem; it is intentional. Also, do not confuse BPDU Guard with BPDU Filter; BPDU Guard err-disables, while BPDU Filter suppresses BPDUs. Remember that err-disabled ports must be manually re-enabled with 'no shutdown'.

Why the other options are wrong

A

Root Guard is designed to block a port that receives superior BPDUs, which is exactly what happened. The configuration is correct and should not be removed.

B

BPDU Guard is correctly configured; the err-disable is expected behavior when a BPDU is received on a PortFast port. The solution is to re-enable the port and ensure the host is not a switch.

D

BPDU Filter is not a substitute for BPDU Guard; it prevents the port from sending or receiving BPDUs, which can cause bridging loops. The correct action is to re-enable the port, not change the protection mechanism.

91 · PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two links to SW2: G0/1 and G0/2. The administrator wants to combine these two links into an EtherChannel using LACP. Configure an EtherChannel on SW1 for these ports and verify.

Hints

  • EtherChannel requires a port-channel interface and channel-group configuration on member ports.
  • Use mode active for LACP.
A. interface range g0/1-2 ; channel-group 1 mode active
B. interface range g0/1-2 ; channel-group 1 mode desirable
C. interface g0/1 ; channel-group 1 mode active ; interface g0/2 ; channel-group 1 mode passive
D. interface port-channel 1 ; channel-group 1 mode active

Answer: A

Solution
! SW1
interface port-channel 1
interface range GigabitEthernet0/1-2
channel-group 1 mode active

Why this answer

The correct answer is A because it applies the LACP 'active' mode to both interfaces in the range, which will dynamically negotiate an EtherChannel with the peer. Option B uses PAgP 'desirable' mode, which is Cisco proprietary and not LACP, failing the requirement for LACP. Option C mixes LACP modes (active on one interface and passive on the other); both member ports must use the same mode (either active/active or passive/passive) to form a channel.

Option D attempts to configure the 'channel-group' command on the port-channel interface itself, but this command must be applied to the physical interfaces, not the logical port-channel.

Exam trap

Remember that LACP uses 'active' and 'passive' modes, while PAgP uses 'desirable' and 'auto'. Also, the 'channel-group' command is applied on physical interfaces, not on the port-channel interface. Both ports in the channel must use the same mode on the same switch.

Why the other options are wrong

B

The specific factual error is that 'desirable' is a PAgP mode, not LACP. LACP uses 'active' or 'passive'.

C

The specific factual error is that LACP requires both ends to be in compatible modes (active-active or active-passive), but on the same switch, both ports should use the same mode for the same channel group.

D

The specific factual error is that 'channel-group' is a physical interface command, not a port-channel interface command. The port-channel interface is used for logical configuration (e.g., trunking) after the channel is formed.

92
PBQ · hard

You are connected to SW1. An EtherChannel between SW1 and SW2 using LACP must be established on interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Currently, the channel is not forming. Inspect the provided configuration and output, then apply the necessary commands on SW1 to resolve the issue and bring up the Port-Channel interface.

Network Topology (diagram not reproduced): SW1 Gi0/1 to SW2 Gi0/1, EtherChannel

Hints

  • Check the duplex and speed settings on both member interfaces on SW1.
  • Verify that the native VLAN (or access VLAN if not trunking) is identical on all bundled ports.
  • Ensure both sides use compatible LACP modes (active/active or active/passive).
A. Configure both interfaces with speed 1000, duplex full, and switchport access vlan 1.
B. Change the LACP mode on SW1's Gi0/2 from active to passive.
C. Configure both interfaces with speed 100, duplex half, and switchport access vlan 10.
D. Remove the switchport access vlan command from both interfaces and configure them as trunk ports with native vlan 1.
Answer: A
Solution
! SW1
interface gigabitEthernet 0/2
speed 1000
duplex full
switchport access vlan 1
end

Why this answer

The EtherChannel failed because the two member interfaces on SW1 have mismatched speed (Gi0/1: 1000 Mbps, Gi0/2: 100 Mbps) and duplex (Gi0/1: full, Gi0/2: half), and their native VLANs differ (Gi0/1: VLAN 1, Gi0/2: VLAN 10). LACP requires all bundled ports to have identical speed, duplex, and VLAN configuration. To fix, on SW1 configure both interfaces with consistent settings: set speed 1000, duplex full, and switchport access vlan 1 (or a common trunk native VLAN).

Also ensure both sides use the same LACP mode (both active or active/passive); here SW2's Gi0/2 is passive, which is acceptable with SW1's active, so the primary issue is the mismatched physical and VLAN parameters. After correction, the channel will form.

Exam trap

Do not focus solely on LACP mode mismatches; always check physical parameters (speed, duplex) and VLAN consistency first. Mismatched native VLANs are a common cause of EtherChannel failures.

Why the other options are wrong

B

The specific factual error is assuming that LACP mode must match on both sides; active/passive is acceptable.

C

The specific factual error is that the solution should aim for optimal performance, not just consistency; using 100/half is technically possible but not the best practice.

D

The specific factual error is that trunking does not fix speed/duplex mismatches, and the native VLAN must be consistent.

93
MCQ · hard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on SW3. A host connected to the same segment as SW3's GigabitEthernet0/0 interface cannot reach any network resources. The engineer issues the show spanning-tree vlan 10 command and receives the output shown. Based on the output, what is the most likely cause?

A. GigabitEthernet0/0 is administratively down, which prevents the host from communicating.
B. The port is in the Blocking state because the switch detected a loop and moved the port to error-disabled state.
C. The port is blocked because SW3 has a lower bridge priority than the root bridge and should be the designated port for that segment.
D. The interface GigabitEthernet0/0 is in the Blocking state because it received a superior BPDU, making it an alternate port to the root bridge.
Answer: D

The output explicitly shows role 'Altn' and state 'BLK' for Gi0/0. An alternate port is blocked because it receives better BPDUs on that interface than it can send, providing an alternate path to the root bridge. This is correct STP behavior, and the blocking state prevents the host from communicating.

Why this answer

The output shows that GigabitEthernet0/0 is in the Blocking state for VLAN 10. In Rapid PVST+ or classic STP, a port enters the Blocking state when it receives a superior BPDU (i.e., a BPDU with a lower bridge ID or lower path cost to the root), causing it to become an alternate (or backup) port rather than a designated or root port. This prevents the host from reaching network resources because the port does not forward traffic.

Exam trap

Cisco often tests the distinction between a port being blocked due to normal STP operation (receiving a superior BPDU) versus being error-disabled or administratively down, leading candidates to incorrectly assume a physical or administrative issue.

Why the other options are wrong

A

Candidates may incorrectly associate the blocked state with an administratively disabled interface.

B

Candidates often confuse error-disabled state (caused by features like BPDU guard) with the standard STP blocking state.

C

Candidates may misunderstand the root election process and assume a lower priority switch always becomes designated for all segments, ignoring the Altn role.

94
PBQ · hard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with three redundant links to SW2: G0/1, G0/2, and G0/3. The network is experiencing loops, and STP is not configured. You need to enable STP and ensure that SW1 becomes the root bridge for VLAN 1. Configure STP on SW1 and set its priority to 4096 for VLAN 1.

Network Topology (diagram not reproduced): SW1 G0/1 to SW2 G0/1

Hints

  • STP uses bridge priority to determine root bridge; lower priority wins.
  • The default priority is 32768; setting it to 4096 ensures SW1 becomes root.
A. spanning-tree vlan 1 priority 4096
B. spanning-tree vlan 1 root primary
C. spanning-tree vlan 1 priority 32768
D. spanning-tree vlan 1 priority 8192
Answer: A
Solution
! SW1
spanning-tree vlan 1 priority 4096

Why this answer

By setting the STP priority to 4096 for VLAN 1, SW1 has a lower priority than the default, making it the root bridge for that VLAN.

Exam trap

The exam may test your ability to recall the exact command syntax for setting STP priority. Remember that 'spanning-tree vlan <vlan> priority <value>' sets the priority directly, while 'root primary' is a macro that sets it to 24576. Always check the exact value required.

Why the other options are wrong

B

The 'root primary' macro sets priority to 24576, not 4096.

C

A priority of 32768 is the default, so it does not guarantee root bridge status.

D

The requirement is to set priority to exactly 4096, not 8192.

95
PBQ · hard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both switches. Verify that the port-channel interface is configured with VLAN 100 as an access port. Then, troubleshoot and fix the issue that prevents the EtherChannel from forming due to a mismatched speed on one of the member links. After correction, verify the EtherChannel is up with 'show etherchannel summary'.

Hints

  • Check the speed and duplex settings on all member interfaces.
  • LACP requires identical speed and duplex on all ports in the channel.
  • Use the 'speed' and 'duplex' commands under the interface to match the working member.
A. Set speed 1000 and duplex full on interface GigabitEthernet0/2 of SW1, ensuring the corresponding interface on SW2 has matching settings, then verify with 'show etherchannel summary'.
B. Change the channel-group mode to desirable on both switches and verify with 'show etherchannel summary'.
C. Remove the access VLAN configuration from the port-channel interface and configure it as a trunk port instead.
D. Configure the channel-group mode to passive on SW1 and active on SW2, then verify with 'show etherchannel summary'.
Answer: A
Solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full

Why this answer

The EtherChannel fails because interface GigabitEthernet0/2 on SW1 has a mismatched speed (likely 100 Mbps) compared to the other member link (1000 Mbps). LACP requires all member ports to have identical speed and duplex. The solution is to set the speed on Gi0/2 to 1000 and duplex to full.

After correction, the port will bundle, and the port-channel will come up. Verification with 'show etherchannel summary' should show both ports as 'P' (bundled) and the port-channel as 'SU' (in use, Layer2).

Exam trap

Do not confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Also, remember that physical parameters like speed and duplex must match across all member ports; logical configurations like VLAN or trunking are separate but must also be consistent. Always verify the root cause before changing unrelated settings.

Why the other options are wrong

B

The specific factual error is that 'desirable' is a PAgP mode, not LACP. LACP uses 'active' and 'passive' modes.

C

The specific factual error is that the problem is physical (speed mismatch), not logical (VLAN/trunking). Changing the port type does not address the root cause.

D

The specific factual error is that the speed mismatch is the root cause, not the LACP mode. Even with correct modes, the EtherChannel will not form if speeds differ.

96
MCQ · medium

A two-switch EtherChannel bundle is configured with LACP. One side uses active mode on both member links, while the other side uses passive mode on both member links. What is the result?

A. The bundle forms successfully
B. The links remain individual because both sides must use active
C. The bundle forms only if PAgP is also enabled
D. The channel comes up but forwards only one VLAN
Answer: A

Correct choice.

Why this answer

LACP forms a channel when at least one side actively sends negotiation frames. Active-to-passive works. Passive-to-passive would fail, but that is not the case here.

Exam trap

Ensure you know that LACP only needs one side in active mode to form a channel; both sides in passive mode would fail.

Why the other options are wrong

B

LACP does not require both sides to be in active mode; active/passive is a valid combination. The passive side will respond to LACP packets from the active side, forming the bundle.

C

PAgP is a Cisco proprietary protocol and is not required for LACP. LACP and PAgP are independent; enabling PAgP does not affect LACP negotiation.

D

EtherChannel, once formed, forwards all VLANs allowed on the trunk or access ports. There is no mechanism in LACP that restricts the bundle to a single VLAN.

97
MCQ · medium

A switch receives a unicast frame for a destination MAC address that is not yet in its MAC address table. What does the switch do?

A. Drops the frame immediately
B. Floods the frame out all ports in the same VLAN except the incoming port
C. Sends the frame to the default gateway first
D. Converts the frame to a broadcast packet
Answer: B

Correct. Unknown unicast is flooded within the VLAN.

Why this answer

An unknown unicast frame is flooded within the VLAN because the switch does not yet know which port leads to the destination MAC. The frame is not sent back out the receiving port.

Exam trap

Do not confuse switch flooding behavior for unknown unicast frames with dropping or routing behaviors.

Why the other options are wrong

A

Switches are designed to forward unknown unicast frames by flooding, not dropping them. Dropping would occur only if the frame is malformed or security features like port security are violated.

C

A Layer 2 switch operates at the data link layer and does not involve the default gateway for forwarding decisions. The default gateway is used for routing between VLANs or subnets, not for unknown unicast flooding within a VLAN.

D

Switches flood the original unicast frame unchanged; they do not modify the frame type to broadcast. Broadcasting would change the destination MAC to FF:FF:FF:FF:FF:FF, which is not the case for unknown unicast flooding.

98
Multi-Select · medium

Which four of the following are correct statements about VLAN configuration and verification on a Cisco switch? (Choose four.)

A. The 'switchport mode access' command places the interface into a non-trunking mode.
B. By default, all ports on a Cisco switch are in VLAN 1.
C. The 'show vlan brief' command displays VLANs that are active on the switch.
D. VLANs 1002–1005 are reserved for user-created VLANs.
E. A VLAN must be manually created before its name can be assigned.
F. The 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames.

Why this answer

The 'switchport mode access' command configures the interface as an access port, operating in non-trunking mode and carrying traffic for a single VLAN. By default, all ports on a Cisco switch are assigned to VLAN 1, which is the default and management VLAN. The 'show vlan brief' command displays all active VLANs along with their names and assigned ports.

A VLAN does not need to be manually created before its name can be assigned; you can assign a port to a new VLAN, which automatically creates it, and then enter VLAN configuration mode to set its name. The false statements are that VLANs 1002–1005 are reserved for user-created VLANs (they are legacy FDDI/Token Ring VLANs) and that the 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames (native VLAN traffic is sent untagged).

Exam trap

Candidates often confuse the native VLAN as carrying tagged frames, and mistakenly believe VLANs 1002–1005 are user-configurable, when in fact they are reserved for legacy technologies.

Why the other options are wrong

D

VLANs 1002–1005 are reserved for legacy FDDI and Token Ring, not user-created VLANs.

F

The native VLAN on a trunk sends frames untagged; this command sets the native VLAN, not a tagging restriction.

99
MCQ · medium

When spanning tree elects a root bridge, which value is considered first?

A. Lowest MAC address only
B. Lowest bridge priority only
C. Lowest bridge ID, which begins with priority
D. Highest interface bandwidth
Answer: C

Correct. STP compares the bridge ID, and priority is the leading field in that comparison.

Why this answer

The root bridge is the switch with the lowest bridge ID. The bridge ID is made up of priority and MAC address, so priority is considered first, then MAC address if priorities tie.

Exam trap

Remember that the bridge priority is evaluated before the MAC address in the root bridge election process.

Why the other options are wrong

A

The MAC address is only used as a tiebreaker when bridge priorities are equal. It is not the first value considered in root bridge election.

B

The bridge priority is only the first part of the bridge ID; the full bridge ID (priority + MAC address) is compared. If priorities are equal, the MAC address is used as a tiebreaker.

D

Interface bandwidth is used to calculate path cost, which influences port roles (root port, designated port) but does not affect root bridge election. Root bridge election is based solely on bridge ID.

100
PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Ports G0/1 and G0/2 are connected to two PCs that should be in VLAN 10 (Sales). Port G0/3 is a trunk link to another switch. The PCs are currently unable to communicate because the ports are in VLAN 1. Configure the switch to place the ports in the correct VLAN and ensure the trunk is properly configured with 802.1Q encapsulation and native VLAN 99.

Network Topology (diagram not reproduced): PC1 on SW1 G0/1, a second PC on SW1 G0/2, trunk from SW1 to OtherSwitch

Hints

  • Check the current VLAN assignment on access ports.
  • The trunk encapsulation must be set to dot1q for 802.1Q support.
  • Native VLAN should match on both ends of the trunk.
A. Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
B. Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation isl and native VLAN 99.
C. Create VLAN 10, assign G0/1 and G0/2 as trunk ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
D. Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 1.
Answer: A
Solution
! SW1
vlan 10
name Sales
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk

Why this answer

VLAN 10 must be created and the access ports must be explicitly set to access mode with 'switchport mode access' before assigning them to VLAN 10. Assigning the access ports to VLAN 10 places the PCs in the correct broadcast domain. The trunk needed explicit 802.1Q encapsulation and a native VLAN change to 99 for security and consistency.

Exam trap

Be careful to distinguish between access and trunk ports: access ports belong to a single VLAN for end devices, while trunk ports carry multiple VLANs between switches. Also, remember that 802.1Q is the standard trunking protocol, and native VLAN should be changed from default 1 for security.

Why the other options are wrong

B

The specific factual error is that ISL is a legacy Cisco proprietary trunking protocol, and modern switches default to 802.1Q. The question specifies 802.1Q encapsulation.

C

The specific factual error is that ports connected to end devices (PCs) should be access ports, not trunk ports. Trunk ports are used for inter-switch links.

D

The specific factual error is that the native VLAN must be explicitly set to 99. Native VLAN 1 is the default and is often targeted in VLAN hopping attacks.

101
MCQ · hard

A technician is troubleshooting a network issue where hosts in VLAN 20 on SW1 cannot communicate with hosts in VLAN 20 on SW2. Both switches are connected by an Ethernet trunk link that is up/up and configured as a trunk. The VLAN databases on both switches include VLAN 20, and the spanning tree for VLAN 20 is in a forwarding state on all ports. Hosts within VLAN 20 on each switch can communicate with each other locally. What is the most likely cause?

A. The native VLAN is mismatched on the two ends of the trunk.
B. VLAN 20 has not been created in the VLAN database on SW2.
C. The trunk encapsulation is mismatched between SW1 and SW2.
D. VLAN 20 is not in the switchport trunk allowed VLAN list on the trunk port between SW1 and SW2.
Answer: D

When a trunk port’s allowed VLAN list explicitly excludes a VLAN, the switch drops all frames tagged for that VLAN, even though the VLAN exists locally and the trunk is active. This results in the described symptom of local intra-VLAN communication working but no cross-switch communication for VLAN 20.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk port between SW1 and SW2. Even though the trunk is up/up and VLAN 20 exists in the VLAN database, the switchport trunk allowed vlan command restricts which VLANs can traverse the trunk. If VLAN 20 is omitted from this list, frames from VLAN 20 will be dropped at the trunk, preventing inter-switch communication for that VLAN.

Exam trap

Cisco often tests the distinction between VLAN existence in the database and VLAN permission on a trunk; candidates mistakenly think that if a VLAN is created and spanning tree is forwarding, it must work, but the trunk allowed list is an independent filter that can block traffic.

Why the other options are wrong

A

A native VLAN mismatch affects only the untagged (native) VLAN traffic on the trunk, not every VLAN carried by it; candidates may think that a native VLAN mismatch breaks all trunk functions.

B

Candidates may assume that a missing VLAN on one switch explains inter-switch failures, ignoring that local communication would also fail.

C

Candidates might overlook that the trunk link is operational, which implies matching encapsulation.

102
Matching · medium

Drag and drop the switch port configuration commands on the left to the correct descriptions on the right.

Descriptions

  • Statically configures the port as an access port
  • Sets the data VLAN for an access port
  • Assigns the VLAN for IP phone voice traffic
  • Permanently sets the interface as a trunk port
  • Restricts which VLANs traverse the trunk

Why these pairings

The command 'switchport mode access' statically sets the port as an access port. 'switchport access vlan 10' assigns VLAN 10 as the data VLAN for connected devices. 'switchport voice vlan 20' defines the VLAN used by a Cisco IP phone for voice traffic. 'switchport mode trunk' forces the port into permanent trunking mode. 'switchport trunk allowed vlan 100,200' restricts the trunk to carry only VLANs 100 and 200.

103
MCQ · hard

A user connects a small unmanaged switch to an access port, and the port immediately transitions to err-disabled. Which feature most likely caused this behavior?

A. UDLD aggressive
Answer: B

This is correct because BPDU Guard disables a PortFast-enabled interface if a BPDU is received.

Why this answer

BPDU Guard is the correct answer because it is specifically designed to protect access ports configured with PortFast. When an unauthorized switch is connected to such a port, BPDU Guard detects the incoming BPDU and immediately places the port into err-disabled state, preventing potential loops or topology changes. UDLD aggressive detects unidirectional links but does not cause err-disabled due to BPDU reception.

Root guard blocks ports that attempt to become the root bridge by placing them in root-inconsistent state (not err-disabled). Loop guard prevents alternate/root ports from becoming designated in the absence of BPDUs, putting the port into loop-inconsistent state, again not err-disabled.

Exam trap

Remember that BPDU Guard specifically targets BPDUs on PortFast ports, not general security or loop prevention.

Why the other options are wrong

A

UDLD aggressive detects unidirectional links but does not cause err-disabled on receiving BPDUs; it operates at Layer 1/2 for fiber links.

C

Root guard prevents a port from becoming the root bridge by moving it to root-inconsistent state, not err-disabled.

D

Loop guard prevents alternate/root ports from becoming designated when BPDUs stop, putting the port in loop-inconsistent state, not err-disabled.

104
Multi-Select · medium

Which TWO statements are true regarding switch port configuration for access, voice, and trunk ports?

A. A switch port configured as a trunk port can simultaneously carry untagged traffic for the native VLAN and tagged traffic for multiple other VLANs.
B. When a port is configured with both an access VLAN and a voice VLAN, the switchport must be set to trunk mode.
C. The switchport mode dynamic auto command sets the port to actively attempt to form a trunk if the neighbor initiates negotiation.
D. An access port with a voice VLAN configured sends CDP or LLDP information to the IP phone to identify the voice VLAN.
E. Issuing the switchport trunk allowed vlan command automatically includes the native VLAN in the allowed list, so it never needs to be explicitly added.
Answers: A, D

Trunk ports support one native VLAN (untagged) and allow tagged traffic for additional VLANs listed in the allowed VLAN list.

Why this answer

Option A is correct because a trunk port, by definition, carries untagged frames for the native VLAN (typically VLAN 1 unless changed) and simultaneously carries tagged frames for all other VLANs allowed on the trunk. This behavior is fundamental to IEEE 802.1Q trunking, where the native VLAN is the only VLAN whose frames are sent untagged to maintain backward compatibility with devices that do not understand VLAN tagging.

Exam trap

Cisco often tests the distinction between 'dynamic auto' and 'dynamic desirable' DTP modes, where candidates mistakenly think 'auto' actively initiates trunk negotiation, when in fact it only responds to incoming DTP messages.

Why the other options are wrong

B

Multi-VLAN access ports (access + voice) stay in access mode; trunk mode is not required and would incorrectly pass all VLANs.

C

Dynamic desirable actively initiates, but dynamic auto is passive.

E

When you prune the allowed VLANs, any omitted VLANs (including the native VLAN) are blocked unless added back.

105
Matching · easy

Match each STP-related feature or term to its most accurate description.

Descriptions

  • Speeds an edge port into forwarding state
  • Disables an edge port if a BPDU is received
  • Prevents a port from becoming a root path under superior BPDU conditions
  • Protects certain non-designated ports when expected BPDUs stop arriving

Why these pairings

PortFast moves an access port immediately to forwarding state, skipping listening/learning to speed host connectivity. BPDU Guard protects edge ports by disabling a PortFast port if any BPDU is received, preventing accidental loops. Root Guard ensures a port never becomes a root port: when a superior BPDU arrives on that port, the port is blocked in the root-inconsistent state, maintaining the intended root bridge placement.

Loop Guard keeps non-designated ports in blocking when expected BPDUs are lost, avoiding loops from unidirectional links. The given matches correctly pair each feature to its precise STP behavior, and other descriptions would apply to different features like Root Bridge or Alternate Port, not to these terms.

Exam trap

Be careful to match each term to its specific description. The distractors are accurate descriptions of other STP features, so you must know the exact definition of the term in the stem. Do not assume that any correct STP description is the answer; it must match the given term.

106
MCQ · hard

A network technician is troubleshooting an inter-VLAN routing issue on a multilayer switch. Hosts on VLAN 10 can reach the SVI for VLAN 10 (10.0.10.1) but cannot reach hosts on VLAN 20. The technician has verified that 'ip routing' is enabled and that the 'show ip route' command displays directly connected routes for both VLANs. No static routes are configured. What should the technician do next?

A. Check the ARP table for entries on VLAN 20.
B. Issue the 'show ip routing' command again to confirm routing is enabled.
C. Configure a default route pointing to the next-hop gateway.
D. Verify the VLAN membership of the destination host on VLAN 20.
Answer: A

The Layer 3 routing table is correct; the problem is likely that the switch lacks a Layer 2 MAC address for the destination host on VLAN 20. Examining the ARP cache will confirm whether the switch can map the destination IP to a MAC address, and if not, will show that ARP resolution is failing, which explains the connectivity break.

Why this answer

Because the switch has directly connected routes for both VLANs and routing is enabled, the Layer 3 forwarding logic is intact. The failure from VLAN 10 hosts to VLAN 20 hosts suggests that the switch cannot resolve the destination host's MAC address on VLAN 20, preventing Layer 2 frame encapsulation. Checking the ARP table with 'show ip arp' or similar will reveal whether the destination IPv4 address has a valid MAC entry on the correct VLAN interface.

This targets Layer 2—the most likely remaining failure point after Layer 3 has been verified.

Exam trap

Verifying the VLAN membership of the destination host (Option D) — candidates may assume the destination host is simply on the wrong VLAN, but the scenario explicitly states that the unreachable hosts are on VLAN 20, and Layer 3 connectivity is confirmed up to the SVI. The more efficient and targeted next step is to check the ARP resolution on that VLAN, which directly addresses the encapsulation failure.

Why the other options are wrong

B

This option revisits a step already completed and verified, making it redundant. Candidates might think double-checking routing is safe, but the scenario explicitly states routing is working as expected.

C

Some candidates might believe inter-VLAN communication requires a default route, but directly connected routes already provide full reachability without static routing. This action is overly drastic and misdirected.

D

Candidates often jump to VLAN misconfigurations when inter-VLAN communication fails, even when routing is confirmed. The scenario already establishes the VLAN 20 host's location; the next logical layer to inspect is ARP resolution.

107
MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting connectivity to devices in VLAN 10 on a Layer 3 switch. The administrator issues the show ip interface brief command on SW1 and sees the output displayed. What is the most likely reason that the VLAN 10 SVI is not functioning?

A. No active ports are assigned to VLAN 10.
B. The VLAN 10 SVI has been administratively shut down.
C. The IP address configured on the VLAN 10 SVI is incorrect for the subnet.
D. The switch ports assigned to VLAN 10 are all configured as trunk ports.
Answer: A

The SVI Status and Protocol are both 'down'. This occurs when the VLAN has no active member ports, which prevents the SVI from transitioning to up/up.

Why this answer

The exhibit shows the VLAN 10 SVI with Status 'down' and Protocol 'down'. In a Cisco Layer 3 switch, an SVI will only be up/up if the VLAN exists in the VLAN database and at least one active port (access or trunk) belongs to that VLAN and is in the Spanning Tree forwarding state. Since other SVIs (Vlan1, Vlan20) and physical interfaces are up/up, the most likely cause is that no ports are actively assigned to VLAN 10, leaving the VLAN inactive.

Exam trap

Many candidates mistakenly associate a 'down/down' status with an administratively shut down interface, but that condition would display 'administratively down' in the Status field, not simply 'down'.

Why the other options are wrong

B

Candidates often confuse 'down' with 'administratively down', assuming any disabled interface will show 'down'. They need to distinguish the two statuses.

C

Some candidates think a misconfigured IP address can cause an interface to be down, but status does not reflect IP configuration.

D

A common misunderstanding is that trunk ports do not make a VLAN active; in reality, a trunk carrying VLAN 10 can activate the SVI as long as the trunk is up/up and the VLAN is not pruned.

108
MCQ · medium

A wireless client can see two SSIDs from the same company: Corp and Guest. Which statement best explains what an SSID represents in this situation?

A. It is the wireless network name presented to clients for a specific WLAN.
B. It is the encryption algorithm securing the WLAN.
C. It is the radio antenna inside the AP.
D. It is the management IP address of the controller.
Answer: A

This is correct because an SSID identifies the WLAN to users and devices.

Why this answer

An SSID is the name that identifies a specific wireless LAN to clients. In practical terms, Corp and Guest are two different WLAN identifiers presented to users, even if they are broadcast by the same physical access point infrastructure. The SSID tells the client which wireless network it is trying to join.

This matters because people often confuse SSIDs with the access point itself or with the security protocol. The SSID is the network identifier, not the hardware or the encryption standard.

Exam trap

Do not confuse SSIDs with physical devices or security protocols; they are identifiers for networks.

Why the other options are wrong

B

The SSID is simply the network name broadcast by the access point; encryption algorithms like WPA2 or WPA3 are configured separately on the WLAN and are not part of the SSID itself.

C

An SSID is a logical identifier, not a physical component. The radio antenna is hardware that transmits and receives wireless signals, but it does not define the network name.

D

The management IP address of a wireless controller is used for administrative access to the controller, not for client connectivity. Clients use the SSID to identify and connect to a WLAN, not the controller's IP.

109
MCQ · hard

A network administrator implements a set of spanning-tree enhancements to secure the switching infrastructure. Later, a help desk ticket reports that a user in a remote office cannot connect to any network resources. While investigating, the administrator notices that the switch port connecting the remote office switch to the distribution switch is in a 'root-inconsistent' state and is blocking traffic. Which protection feature, if misapplied, most likely caused this issue?

AnswerB

Root Guard ensures that a port cannot become a root port. When a superior BPDU is received on a Root Guard-enabled port, the port transitions to a root-inconsistent state and blocks traffic, exactly as described in the scenario.

Why this answer

Root Guard is the correct answer because it forces an interface to be a designated port. If a switch receives a superior BPDU (indicating a root bridge with a lower bridge ID) on a Root Guard-enabled port, the port is placed into a 'root-inconsistent' state and blocks traffic to prevent the attached switch from becoming the root bridge. This matches the symptom described: a port in 'root-inconsistent' state blocking traffic after spanning-tree enhancements were applied.

Exam trap

Cisco often tests the distinction between 'root-inconsistent' (Root Guard) and 'loop-inconsistent' (Loop Guard) states, and the trap here is that candidates confuse the two or assume BPDU Guard is responsible for any BPDU-related blocking.

Why the other options are wrong

A

A loop-inconsistent state is different from the root-inconsistent state observed. Loop Guard acts when BPDUs stop arriving, not when they appear with a superior root claim.

C

While BPDU Guard also reacts to incoming BPDUs, it puts the port in err-disabled (shutdown) state, not a blocking state named 'root-inconsistent'. The symptom described is not error-disabled.

D

BPDU Filter would not cause the port to show a root-inconsistent state. The symptom is a protective blocking state, which BPDU Filter does not provide.

110
MCQ · hard

Two switches are configured for LACP EtherChannel. One side is set to passive and the other side is also set to passive. What is the most likely outcome?

A.The EtherChannel will not form because neither side initiates LACP negotiation.
B.The EtherChannel always forms because passive mode is preferred.
C.The links automatically become a routed interface.
D.The switches delete the bundle configuration automatically.
AnswerA

This is correct because LACP passive mode listens for negotiation but does not initiate it. With both sides passive, no LACP packets are sent, so the EtherChannel never forms.

Why this answer

The EtherChannel will not form because LACP passive mode only listens for negotiation; it does not initiate it. When both sides are set to passive, neither side sends LACP packets, so the bundle cannot be established. This is a deterministic outcome, not merely unlikely.

Exam trap

Ensure at least one side is set to active in LACP configurations to avoid non-formation of the channel.

Why the other options are wrong

B

Passive mode does not initiate LACP negotiation; it only responds to incoming LACPDUs. Therefore, with both sides passive, no LACPDUs are exchanged, and the EtherChannel will not form. The statement that passive mode is preferred is incorrect; active mode is typically used on at least one side to initiate the channel.

C

LACP operates at Layer 2 and does not change the interface type. The ports remain switchports (Layer 2) unless explicitly configured with 'no switchport'. LACP mode has no effect on Layer 3 routing functionality.

D

LACP configuration is not automatically deleted when negotiation fails. The configuration remains in the running-config, and the ports will simply not form an EtherChannel. The administrator must manually remove the configuration if desired.

111
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, and then recover a port that enters err-disabled state.


Why this order

The correct sequence applies STP protections to their proper port roles: Root Guard on designated ports to prevent unexpected superior BPDUs, Loop Guard on non-designated ports to prevent unidirectional link failure from causing loops, and BPDU Guard on PortFast ports to block rogue switches. Distractors B and D are wrong because they mismatch the guard types to port roles (e.g., B puts Loop Guard on designated, Root Guard on non-designated; D does the opposite). Distractor C incorrectly reverses the recovery steps by re-enabling the port before enabling errdisable recovery globally, and it also reorders protection configuration without logical benefit.

Exam trap

The exam trap is confusing which protection goes on which port role. Remember: Root Guard protects designated ports from becoming root; Loop Guard protects non-designated ports from becoming forwarding; BPDU Guard protects PortFast ports. Also, recovery order: global first, then interface re-enable.

112
Matching · medium

Match each wireless term to its most accurate meaning.

Matches

Centralized platform used to manage access points

Name that identifies the wireless network to clients

Wireless security standard

Protocol associated with AP-to-controller communication

Why these pairings

Taking the descriptions in order: the wireless LAN controller (WLC) is the centralized platform that manages lightweight access points; the SSID is the human-readable name that identifies the WLAN to clients; WPA2/WPA3 is the wireless security standard; and CAPWAP is the protocol that carries control and data traffic between a lightweight AP and its controller.

Related terms that are not in this set are easy to confuse with the SSID: the BSSID is the MAC address of one AP radio, the ESSID is the same SSID shared across several APs, beacons are management frames that advertise the network, probe requests are how clients look for APs, and association is the step that attaches a client to an AP.

Exam trap

Do not confuse SSID with BSSID, Beacon frames, or Association. SSID is simply the network name; the other terms refer to different concepts.

113
MCQ · medium

A switch interface connected to another switch must carry VLANs 10, 20, and 30 only. Which command best enforces that requirement on the trunk?

A.switchport trunk allowed vlan 10,20,30
B.switchport access vlan 10,20,30
C.switchport mode dynamic auto
D.switchport trunk native vlan 10,20,30
AnswerA

This is correct because it explicitly restricts the trunk to VLANs 10, 20, and 30.

Why this answer

The correct command is the one that explicitly sets the allowed VLAN list on the trunk. In plain language, the administrator wants the inter-switch link to carry only the named VLANs instead of every VLAN by default. Cisco trunks can transport multiple VLANs, but that does not mean every VLAN should always be permitted. Restricting the allowed list supports cleaner design and helps reduce unnecessary VLAN transport.

This is a common CCNA switching task because it distinguishes between creating a trunk and controlling what the trunk actually carries. Simply enabling trunking is not enough when the requirement names exact VLANs. The answer must directly restrict the allowed list rather than change the native VLAN or apply an unrelated access-port command.

Exam trap

A common exam trap is selecting commands that do not correctly restrict VLANs on a trunk. For example, using 'switchport access vlan 10,20,30' is invalid because access ports support only one VLAN. Another trap is confusing the native VLAN setting with allowed VLANs; 'switchport trunk native vlan' only defines the untagged VLAN and does not filter VLANs.

Also, relying on dynamic trunk negotiation commands like 'switchport mode dynamic auto' does not restrict VLANs and can lead to trunks carrying all VLANs by default. These mistakes cause VLAN traffic to flow where it shouldn’t, violating design requirements.

Why the other options are wrong

B

Incorrect because 'switchport access vlan' applies only to access ports and cannot specify multiple VLANs; it does not configure trunk VLANs.

C

Incorrect because 'switchport mode dynamic auto' controls trunk negotiation but does not limit which VLANs are allowed on the trunk.

D

Incorrect because 'switchport trunk native vlan' sets only one native VLAN for untagged traffic and does not restrict the allowed VLAN list.

114
MCQ · hard

An EtherChannel should form using LACP between two switches. One side is configured for LACP active, and the other side is configured for LACP active. What is the expected result if the other link settings also match?

A.The EtherChannel should form if the other interface settings are compatible.
B.The channel fails because both sides must be passive.
C.The channel becomes a routed interface automatically.
D.All VLAN tags are removed from the bundle by default.
AnswerA

This is correct because active/active is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully if the underlying link settings are compatible. LACP active/active is a valid combination, as both switches actively negotiate the bundle. However, the channel does not automatically become a routed interface (option C is incorrect because EtherChannel can operate as Layer 2 or Layer 3 depending on configuration, not automatically due to LACP mode).

Additionally, VLAN tags are not removed by default from the bundle (option D is incorrect; VLAN tagging is preserved based on the switchport mode and allowed VLAN settings). The key troubleshooting point is to ensure that other interface parameters such as speed, duplex, and VLAN settings match across the member ports.

Exam trap

Don't confuse LACP active/active with incompatible settings; they are designed to negotiate successfully.

Why the other options are wrong

B

LACP passive/passive is the pairing that fails to form an EtherChannel because both sides wait for the other to initiate negotiation, resulting in no LACP PDUs being sent. Active/active is a valid and functional combination.

C

LACP operates at Layer 2 and does not change the interface type; the EtherChannel remains a Layer 2 port-channel unless explicitly configured with 'no switchport' or an IP address. The question does not mention any Layer 3 configuration.

D

EtherChannel formation does not alter VLAN tagging; if the interfaces are trunk ports, VLAN tags remain intact. The bundle simply aggregates bandwidth while preserving existing VLAN configurations.

115
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure and recover from a BPDU Guard violation on a PortFast-enabled access port using Cisco IOS-XE CLI commands.


Why this order

The correct sequence (A) enables PortFast, then enables BPDU Guard on the interface, and recovers the port manually with 'shutdown' followed by 'no shutdown'. Option B attempts recovery with 'clear spanning-tree bpduguard', which does not exist. Option C enters 'spanning-tree portfast bpduguard default' in interface configuration mode; that is a global configuration command, so the switch rejects it with a syntax error.

Option D uses 'errdisable recovery cause bpduguard' in privileged EXEC mode, but this command is a global configuration command and does not manually recover the port; it enables automatic recovery after a timer.

Exam trap

Be careful not to confuse manual recovery (shutdown/no shutdown) with automatic recovery (errdisable recovery). Also, remember that BPDU Guard is configured per interface with 'spanning-tree bpduguard enable', not globally with 'default' in interface mode.

116
MCQ · hard

A network administrator is troubleshooting connectivity issues in a switched network. Hosts on VLAN 10 connected to SwitchC cannot reach the VLAN 10 gateway, which is connected to SwitchA. The administrator checks the STP status on SwitchC and sees that the port connecting to the root bridge is in a blocking state. The administrator also notices that the VLAN 10 gateway is reachable from SwitchA, but not from SwitchC. What is the most likely cause of this issue?

A.Configure PortFast on interface Gi0/2 to bring it up immediately.
B.Change the STP priority on SwitchC to a lower value (e.g., 24576) to ensure it is not the root bridge.
C.Enable BPDU Guard on interface Gi0/2 to prevent BPDU attacks.
D.Configure the spanning-tree mode to PVST+ instead of Rapid PVST+.
AnswerB

Bridge priority is the value that decides the VLAN 10 root election, and option B is the only choice that changes it. With priority 24576, SwitchC's VLAN 10 bridge ID becomes 24586 (24576 plus the extended system ID, which is the VLAN number 10), lower than the 32778 (32768 + 10) of the switch currently winning the election; the exhibit the question refers to (not reproduced here) shows SwitchC at priority 40960. A numerically lower priority is more preferred, so 24576 would make SwitchC the root rather than keep it from becoming root as the option's wording suggests, and in a real design you would normally set the lowest priority on the intended root (SwitchA) instead. Either way, the fix is to correct the priority so that the election produces the intended root and the blocked path toward the gateway is recomputed; among the four options only B does that.

Why this answer

The root bridge for VLAN 10 is SwitchA, and SwitchC's port toward it is blocking. Because the VLAN 10 gateway is reachable from SwitchA but not from SwitchC, that blocked port is the break in the path. Changing SwitchC's VLAN 10 priority to 24576 makes it the root for that VLAN, so all of its ports become designated and forward, which restores the path to the gateway.

Exam trap

Cisco often tests the misconception that a blocked port is always a problem to be fixed with PortFast or BPDU Guard, when the real issue is STP root bridge election and the need to adjust priority to ensure the correct switch becomes root for that VLAN.

Why the other options are wrong

A

PortFast skips the listening and learning states on edge ports; it does not change which port STP blocks. The port is blocking because of the VLAN 10 root election and port-role computation, not because of slow convergence.

C

BPDU Guard is used to protect against unauthorized switches by disabling a port if a BPDU is received, but it does not fix the root bridge election issue. The port is blocking due to STP, not due to BPDU violations.

D

Both PVST+ and Rapid PVST+ use the same bridge ID election process. Changing the mode would not resolve the priority misconfiguration; the root bridge election is based on bridge priority and MAC address, not the STP variant.

117
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover from a BPDU guard violation.


Why this order

The correct configuration sequence applies PortFast and BPDU Guard directly in interface configuration mode with 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After a BPDU guard violation disables the port, manual recovery requires re-enabling the interface with 'shutdown' followed by 'no shutdown' (or configuring errdisable recovery). The other options incorrectly use global defaults, Root Guard, or false automatic recovery intervals.

Exam trap

Do not confuse BPDU Guard with Root Guard. BPDU Guard errdisables the port upon receiving any BPDU; Root Guard only prevents the port from becoming a root port. Also, remember that errdisable recovery is not automatic by default; you must configure it if you want automatic recovery.

118
MCQ · hard

A wireless client can associate to the correct corporate SSID and authenticate successfully, but receives an address from the guest network instead of the employee network. Which troubleshooting area is strongest?

A.Incorrect WLAN-to-role or VLAN mapping after successful authentication.
B.The client must be using the wrong subnet mask manually.
C.The AP must be missing PPP encapsulation.
D.The issue is that STP root election failed.
AnswerA

This is correct because the client is landing in the wrong logical segment after joining successfully.

Why this answer

The client successfully authenticates to the corporate SSID but receives an IP address from the guest network, indicating that the authentication phase is working correctly. The issue lies in the post-authentication mapping: the WLAN is likely mapped to the wrong VLAN or role (e.g., a RADIUS server attribute or local VLAN assignment is misconfigured), causing the client to be placed in the guest VLAN instead of the employee VLAN. This is a common misconfiguration in WLAN-to-VLAN or WLAN-to-role mapping after successful 802.1X authentication.

Exam trap

Cisco often tests the distinction between authentication success and post-authentication authorization (VLAN/role mapping), tricking candidates into focusing on DHCP or IP configuration issues when the real problem is the VLAN assignment after authentication.

Why the other options are wrong

B

The client receives an address from the guest network, indicating that the DHCP server or VLAN assignment is incorrect. A manually configured wrong subnet mask would not cause the client to obtain an IP from a different network; it would simply prevent proper communication within the assigned subnet. The issue is at the network assignment level, not a host configuration error.

C

PPP encapsulation is used on serial WAN links, not in wireless LAN environments. Wireless clients connect over 802.11, APs connect to the wired network over Ethernet, and lightweight APs tunnel to the controller with CAPWAP. PPP has no role in VLAN assignment or DHCP for wireless clients.

D

STP root election determines the root bridge in a switched network to prevent loops, but it does not affect VLAN assignment for wireless clients. Even if STP root election failed, it would not cause a client to receive an IP from the wrong network; it would more likely cause network instability or loops.

119
Matching · medium

Drag and drop the PortFast and BPDU protection commands on the left to the correct descriptions on the right.

Matches

Immediately transitions port to forwarding state

Err-disables port upon receiving a BPDU

Prevents port from becoming root port

Prevents port from becoming designated if BPDUs stop arriving

Drops all BPDUs sent and received on the port

Reverts port to normal STP listening/learning

Why these pairings

Read from the descriptions, the pairings are the standard Cisco interface-level commands: 'spanning-tree portfast' moves the port straight to forwarding; 'spanning-tree bpduguard enable' err-disables it when any BPDU arrives; 'spanning-tree guard root' keeps it from becoming a root port (root-inconsistent on a superior BPDU); 'spanning-tree guard loop' keeps a non-designated port from becoming designated when BPDUs stop (loop-inconsistent); 'spanning-tree bpdufilter enable' stops BPDUs from being sent or processed on the port; and 'no spanning-tree portfast' returns the port to normal listening and learning.

Exam trap

Be careful to distinguish between interface-level and global commands. The 'default' keyword applies globally, not per interface.

120
MCQ · hard

A network administrator recently configured BPDU Guard on all access ports of a switch to protect against rogue switches. After the change, users in VLAN 10 report intermittent connectivity issues and frequent link flaps. The administrator checks the switch and notices that several ports are in an err-disabled state. What is the most likely cause of the problem?

A.Root Guard is preventing the port from becoming a root port.
B.BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.
C.Loop Guard has detected a unidirectional link and placed the port into err-disabled state.
D.BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.
AnswerB

Interface-level BPDU Guard err-disables a port as soon as any BPDU arrives, whether or not PortFast is configured. If some of those access ports are attached to devices that send BPDUs, they will be err-disabled every time one arrives.

Why this answer

BPDU Guard protects against rogue switches by placing a port into the err-disabled state when it receives a BPDU. In this scenario, BPDU Guard is enabled on access ports that are receiving BPDUs (from a rogue switch, an IP phone or a miscabled port), so those ports are err-disabled and appear to flap. PortFast is not required for interface-level BPDU Guard to act; the real problem is that BPDUs are arriving on ports that were not expected to receive them.

The intermittent connectivity occurs as ports cycle into err-disabled and are re-enabled.

Exam trap

A common mistake is believing BPDU Guard requires PortFast to function; in reality, BPDU Guard can be enabled per-interface without PortFast and will err-disable the port when a BPDU is received.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent state, not err-disabled. It does not cause link flaps or err-disable ports.

C

Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports. It places ports in a loop-inconsistent state, which is not err-disabled.

D

The global 'spanning-tree portfast bpduguard default' command only applies BPDU Guard to PortFast-enabled ports. If a port receives a BPDU and is not PortFast, it will not be err-disabled by this global command. The scenario states BPDU Guard was configured on all access ports, implying interface-level configuration.
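The questions above (109, 111, 115, 117, 119 and 120) all turn on which guard reacts to which BPDU event, and on how an err-disabled port comes back. The following Python model is an added example, not part of this question bank or any Cisco code; it encodes the IOS behaviour described in those questions (interface-level versus global BPDU Guard, Root Guard on a superior BPDU, Loop Guard on BPDU loss, manual versus timed errdisable recovery). Port names, roles and the simulated clock are constructed for illustration.

```python
"""Added example (not from the page): how Cisco STP guard features react to BPDU events."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class GlobalConfig:
    """Global settings; the defaults below are the IOS defaults."""
    portfast_bpduguard_default: bool = False  # spanning-tree portfast bpduguard default
    errdisable_recovery: bool = False         # errdisable recovery cause bpduguard
    recovery_interval: int = 300              # errdisable recovery interval <seconds>


@dataclass
class Port:
    name: str                        # constructed port names, e.g. "Gi1/0/5"
    role: str                        # "designated", "root" or "alternate"
    portfast: bool = False           # spanning-tree portfast
    bpduguard: bool = False          # spanning-tree bpduguard enable
    rootguard: bool = False          # spanning-tree guard root
    loopguard: bool = False          # spanning-tree guard loop
    bpdufilter: bool = False         # spanning-tree bpdufilter enable
    state: str = ""
    down_since: Optional[int] = None  # simulated clock value when err-disabled

    def normal_state(self) -> str:
        # Root and designated ports forward; alternate ports block (discarding in RSTP).
        return "forwarding" if self.role in ("designated", "root") else "blocking"

    def __post_init__(self) -> None:
        self.state = self.normal_state()


def bpdu_guard_active(port: Port, cfg: GlobalConfig) -> bool:
    """Interface-level BPDU Guard works on any port; the global default only
    covers ports that are also PortFast."""
    return port.bpduguard or (port.portfast and cfg.portfast_bpduguard_default)


def on_event(port: Port, event: str, cfg: GlobalConfig, now: int = 0) -> str:
    """Apply one event ('bpdu', 'superior_bpdu' or 'bpdu_loss'); return the new state."""
    if event not in ("bpdu", "superior_bpdu", "bpdu_loss"):
        raise ValueError(f"unknown event {event!r}")
    if port.state == "err-disabled":              # nothing changes until the port is recovered
        return port.state
    if event in ("bpdu", "superior_bpdu"):
        if port.bpdufilter:                       # interface-level filter discards BPDUs outright
            return port.state
        if bpdu_guard_active(port, cfg):          # any BPDU at all -> err-disabled
            port.state, port.down_since = "err-disabled", now
        elif event == "superior_bpdu" and port.rootguard:
            port.state = "root-inconsistent"      # refuse to let this become a root port
        elif port.state == "loop-inconsistent":   # BPDUs are back: Loop Guard releases the port
            port.state = port.normal_state()
    else:  # bpdu_loss
        if port.state == "root-inconsistent":     # superior BPDUs stopped: Root Guard releases
            port.state = port.normal_state()
        elif port.role in ("root", "alternate"):
            # A non-designated port that stops hearing BPDUs ages out the stored
            # information and would move to designated/forwarding; on a
            # unidirectional link that is the loop Loop Guard exists to stop.
            port.state = "loop-inconsistent" if port.loopguard else "forwarding"
    return port.state


def tick(port: Port, cfg: GlobalConfig, now: int) -> str:
    """Timed errdisable recovery: only if enabled for the cause, and only after the interval."""
    if (port.state == "err-disabled" and cfg.errdisable_recovery
            and port.down_since is not None
            and now - port.down_since >= cfg.recovery_interval):
        port.state, port.down_since = port.normal_state(), None
    return port.state


def manual_recover(port: Port) -> str:
    """'shutdown' then 'no shutdown' on the interface clears err-disabled regardless of timers."""
    if port.state == "err-disabled":
        port.state, port.down_since = port.normal_state(), None
    return port.state


if __name__ == "__main__":
    cfg = GlobalConfig(errdisable_recovery=True, recovery_interval=300)
    access = Port("Gi1/0/5", "designated", portfast=True, bpduguard=True)
    print(on_event(access, "bpdu", cfg, now=0), tick(access, cfg, 299), tick(access, cfg, 300))
    uplink = Port("Gi1/0/24", "root", rootguard=True)   # Root Guard misapplied to a root port
    print(on_event(uplink, "superior_bpdu", cfg), on_event(uplink, "bpdu_loss", cfg))
    alt = Port("Gi1/0/23", "alternate", loopguard=True)
    print(on_event(alt, "bpdu_loss", cfg), on_event(alt, "bpdu", cfg))
```

With recovery enabled and the BPDU source still attached, the access port cycles between err-disabled and forwarding every interval, which is the intermittent connectivity described in question 120; without recovery it stays down until someone issues shutdown/no shutdown.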

121
MCQ · hard

A wireless client joins the correct SSID and gets an address in the correct employee subnet, but cannot reach only one internal application while everything else works. Which troubleshooting area is the strongest first target?

A.The path or policy specific to that application, since general employee connectivity already works.
B.The SSID broadcast setting, because the client must not be joined correctly.
C.The voice VLAN on the wired access port connected to the AP uplink.
D.The OSPF router ID on the client device.
AnswerA

This is correct because the symptoms isolate the problem to one application rather than general WLAN access.

Why this answer

The strongest first target is the application path or policy specific to that application because the client already has general connectivity: it joined the correct SSID, authenticated, and obtained an IP address in the employee subnet. A failure limited to one internal application indicates that basic WLAN join, DHCP, and overall routing are working; therefore, ACLs, firewall rules, DNS resolution for that service, or application-specific policies are the likely cause. Option B (SSID broadcast setting) is irrelevant because the client successfully joined the SSID and has connectivity.

Option C (voice VLAN on the wired access port) is not a first target because the symptom involves a single data application, not voice, and the client is on the employee subnet, not a voice VLAN. Option D (OSPF router ID on the client) is invalid because client devices do not typically run OSPF; OSPF runs on routers, not wireless clients.

Exam trap

Avoid restarting troubleshooting from basic connectivity steps when the problem is isolated to a specific application.

Why the other options are wrong

B

The client has already joined the correct SSID, authenticated, and received an IP address in the correct subnet, so the SSID broadcast setting is not the issue. The problem is specific to one application, not general connectivity.

C

The voice VLAN on the AP uplink is used for VoIP traffic, not for general data applications. Since the client can access other internal resources, the issue is not related to the AP uplink configuration.

D

OSPF router IDs are used by routers in OSPF routing, not by end-client devices. Clients do not run OSPF, so this is irrelevant to the problem.

122
PBQ · medium

You are connected to SW1 via console. SW1 is a Layer 2 switch with two ports (G0/1 and G0/2) connected to a host. The host should be able to send and receive traffic on VLAN 10 and VLAN 20. Configure the two ports as a trunk link to the host, but ensure that the trunk only carries VLANs 10 and 20, and set the native VLAN to VLAN 99.

Network Topology
SW1 G0/1, G0/2 -- Host

Hints

  • Use the 'switchport trunk allowed vlan' command to restrict which VLANs are carried.
  • The native VLAN must match on both ends of the trunk.
A.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 99
B.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10-20 switchport trunk native vlan 99
C.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport native vlan 99
D.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 1
AnswerA
solution
! SW1
interface gigabitethernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99
interface gigabitethernet0/2
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99

Why this answer

Configuring the ports as trunks allows multiple VLANs. The 'allowed vlan' command restricts the trunk to only VLANs 10 and 20, while 'native vlan 99' sets the untagged VLAN to 99, ensuring proper tagging and avoiding VLAN mismatch.

Exam trap

Watch out for the difference between 'switchport trunk allowed vlan 10,20' (list) and 'switchport trunk allowed vlan 10-20' (range). Also, remember that on a trunk port, the native VLAN command must include the 'trunk' keyword: 'switchport trunk native vlan'. Finally, always verify that the native VLAN is set to the required value, not left at the default.

Why the other options are wrong

B

Option B uses a range (10-20) instead of a list (10,20), so VLANs 11 through 19 are also permitted on the trunk.

C

Option C omits the 'trunk' keyword; 'switchport native vlan' is not a valid command, the native VLAN of a trunk is set with 'switchport trunk native vlan'.

D

Option D leaves the native VLAN at the default of 1 instead of setting it to 99, so it does not meet the requirement.
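The difference between '10,20' and '10-20' in questions 113 and 122 is a parsing question, so here is the 'switchport trunk allowed vlan' list syntax as a small parser. This is an added example, not code from this question bank or from Cisco; it implements the list, range, add, remove, except, all and none forms as IOS documents them, plus the reverse compression that 'show interfaces trunk' prints. The sample inputs are constructed.

```python
"""Added example (not from the page): parse and apply 'switchport trunk allowed vlan' arguments."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))   # IOS default allowed list


def parse_vlan_list(text: str) -> set:
    """Parse the VLAN list IOS accepts: 'all', 'none', or comma-separated numbers and ranges."""
    text = text.strip().lower()
    if text == "all":
        return set(ALL_VLANS)
    if text == "none":
        return set()
    vlans = set()
    for item in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad VLAN list element: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(lo, hi + 1))          # '10-20' really is eleven VLANs
    return vlans


def apply_allowed_vlan(current: set, args: str) -> set:
    """Apply one 'switchport trunk allowed vlan <args>' command to the current allowed set.

    A bare list replaces the whole set; add/remove edit it; except allows
    everything but the list; all/none reset it.
    """
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)                  # list, 'all' or 'none'


def format_vlan_list(vlans) -> str:
    """Compress a set into the 'show interfaces trunk' style, e.g. 10,20,30-32."""
    pieces, run = [], []

    def flush():
        if run:
            pieces.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))

    for v in sorted(vlans):
        if run and v == run[-1] + 1:
            run.append(v)
        else:
            flush()
            run = [v]
    flush()
    return ",".join(pieces)


def unintended_vlans(wanted: str, typed: str) -> set:
    """VLANs a mistyped list lets onto the trunk that the requirement did not name."""
    return parse_vlan_list(typed) - parse_vlan_list(wanted)


if __name__ == "__main__":
    allowed = set(ALL_VLANS)                                  # fresh trunk: everything allowed
    allowed = apply_allowed_vlan(allowed, "10,20,30")
    allowed = apply_allowed_vlan(allowed, "add 40")
    allowed = apply_allowed_vlan(allowed, "remove 20")
    print("allowed:", format_vlan_list(allowed))              # 10,30,40
    print("extra VLANs from '10-20':", format_vlan_list(unintended_vlans("10,20", "10-20")))
```

One caveat worth checking on the PBQ in question 122: with 'allowed vlan 10,20' the native VLAN 99 is not in the allowed list, so untagged frames on that trunk are dropped. On a trunk to a host that is usually the safer outcome, but it is worth knowing it is what the configuration does.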

123
MCQ · hard

An engineer lowers the spanning-tree path cost on one uplink of a nonroot switch. What is the expected result if all else stays equal?

A.The switch becomes the root bridge immediately.
B.That uplink becomes more likely to be the root port.
C.All designated ports on downstream switches immediately recalculate their port roles.
D.The switch will stop transmitting BPDUs on that port until convergence is complete.
AnswerB

Correct. Lower root-path cost is preferred.

Why this answer

Lowering the port cost on a nonroot switch's uplink lowers the root path cost reachable through that port, so the port is more likely to be chosen as the root port. Option A is wrong because root bridge election depends only on bridge priority and MAC address, not on local path cost. Option C overstates the effect: downstream switches re-evaluate their roles only if the root path cost this switch advertises in its BPDUs actually changes, and even then it is an ordinary STP recalculation, not an immediate wholesale reset of every designated port.

Option D is incorrect because BPDU transmission is governed by STP timers and port roles, not by adjusting path cost.

Exam trap

Remember, path cost adjustments influence root port selection, not root bridge election or port blocking.

Why the other options are wrong

A

Reducing path cost on a nonroot switch does not affect the root bridge election, which is determined by lowest bridge ID.

C

Changing the cost on one uplink of a nonroot switch does not force an immediate recalculation of every designated port downstream. Downstream switches only react if the root path cost advertised to them changes, and then through the normal STP process rather than all at once.

D

Path cost adjustment does not stop BPDUs; BPDUs continue to be sent from all ports in the spanning tree.
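Questions 116 and 123 both come down to arithmetic STP does for you: building the per-VLAN bridge ID from priority plus extended system ID, electing the root, and choosing each nonroot switch's root port by root path cost. The following Python model is an added example, not code from this question bank or from Cisco; the switch names, MAC addresses, priorities (SwitchC at 40960, as the question 116 exhibit is described) and the three-switch topology are constructed, and port-name tie-breaks are done by string comparison, which is an assumption that holds for the names used here.

```python
"""Added example (not from the page): per-VLAN bridge IDs, root election and root-port choice."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # dotted hex as IOS prints it, e.g. "0011.2233.4455"
    priority: int = 32768    # IOS default; must be a multiple of 4096


def bridge_id(bridge: Bridge, vlan: int) -> tuple:
    """PVST+/Rapid PVST+ bridge ID for one VLAN.

    The 16-bit priority field is the configured priority (high 4 bits) plus the
    12-bit extended system ID, which carries the VLAN number; the MAC address
    breaks ties. The lowest ID wins the root election.
    """
    if bridge.priority % 4096 or not 0 <= bridge.priority <= 61440:
        raise ValueError(f"{bridge.name}: priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return (bridge.priority + vlan, int(bridge.mac.replace(".", ""), 16))


def elect_root(bridges, vlan: int) -> Bridge:
    return min(bridges, key=lambda b: bridge_id(b, vlan))


def link(sw1: str, p1: str, sw2: str, p2: str, cost: int) -> dict:
    """Both directions of one link; cost is the STP port cost configured on each end."""
    return {(sw1, p1): (sw2, p2, cost), (sw2, p2): (sw1, p1, cost)}


def root_ports(bridges, ports: dict, vlan: int) -> dict:
    """Root path cost and root port for every nonroot switch.

    ports maps (switch, port) -> (neighbor, neighbor_port, cost), where cost is
    the local port's cost, i.e. what the switch adds to the cost carried in a
    BPDU received on that port. Ties: lowest sender bridge ID, then lowest
    sender port, then lowest local port, as in 802.1D.
    """
    root = elect_root(bridges, vlan)
    by_name = {b.name: b for b in bridges}
    best = {root.name: (0, (), None)}     # switch -> (root path cost, tie-break key, root port)
    changed = True
    while changed:                        # relax until stable; fine for LAN-sized topologies
        changed = False
        for (sw, port), (nbr, nbr_port, cost) in ports.items():
            if sw == root.name or nbr not in best:
                continue
            rpc = best[nbr][0] + cost
            key = (rpc, bridge_id(by_name[nbr], vlan), nbr_port, port)
            cur = best.get(sw)
            if cur is None or key < (cur[0],) + cur[1]:
                best[sw] = (rpc, key[1:], port)
                changed = True
    return {sw: (rpc, port) for sw, (rpc, _, port) in best.items() if sw != root.name}


def with_port_cost(ports: dict, sw: str, port: str, cost: int) -> dict:
    """Copy of the topology with 'spanning-tree cost <cost>' applied to one local port."""
    nbr, nbr_port, _ = ports[(sw, port)]
    return {**ports, (sw, port): (nbr, nbr_port, cost)}


# Constructed topology. SwitchB has two uplinks to SwitchA; SwitchC hangs off
# SwitchB. Gigabit ports use the 802.1D short-method cost of 4.
BRIDGES = [Bridge("SwitchA", "0000.0000.aaaa"),
           Bridge("SwitchB", "0000.0000.bbbb"),
           Bridge("SwitchC", "0000.0000.cccc", priority=40960)]
PORTS = {**link("SwitchB", "g0/1", "SwitchA", "g0/1", 4),
         **link("SwitchB", "g0/2", "SwitchA", "g0/2", 4),
         **link("SwitchC", "g0/1", "SwitchB", "g0/3", 4)}


if __name__ == "__main__":
    for b in BRIDGES:
        print(b.name, "VLAN 10 bridge ID:", bridge_id(b, 10))
    print("root:", elect_root(BRIDGES, 10).name)
    print("root ports:", root_ports(BRIDGES, PORTS, 10))
    lowered = with_port_cost(PORTS, "SwitchB", "g0/2", 3)     # question 123's change
    print("after lowering SwitchB g0/2 cost:", root_ports(BRIDGES, lowered, 10))
    fixed = [Bridge("SwitchC", "0000.0000.cccc", priority=24576)] + BRIDGES[:2]
    print("root after 'spanning-tree vlan 10 priority 24576' on SwitchC:", elect_root(fixed, 10).name)
```

Two things the output makes concrete: SwitchB's two equal-cost uplinks are split by the sender port ID (g0/1 wins), and lowering g0/2's cost to 3 moves the root port there and also lowers the root path cost SwitchB advertises to SwitchC, which is the only way a cost change on one switch ever reaches switches below it.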

124
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure a router-on-a-stick topology for inter-VLAN routing between VLANs 10 and 20, using 802.1Q trunking with native VLAN 99 for management traffic.


Why this order

The sequence follows Cisco's best practices: VLANs are created first, then access ports are assigned to them. The switch trunk is configured with 802.1Q encapsulation and the native VLAN set to 99 before the router end. On the router, the physical interface must be enabled before subinterfaces can operate.

The native VLAN subinterface is created first to handle untagged frames, then the data VLAN subinterfaces are configured. This order avoids errors such as missing VLANs, incorrect encapsulation, and physical link down state.

125
MCQ · hard

Two switches should form an EtherChannel using LACP. One side is configured active and the other passive. If the port settings otherwise match, what is the expected result?

A.The EtherChannel should form if the other interface settings are compatible.
B.The EtherChannel fails because both sides must be active.
C.the bundle forms but only in PAgP mode
D.only the active side attempts to bundle
AnswerA

This is correct because active/passive is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully. In plain language, active mode initiates LACP negotiation and passive mode listens and responds. Because one side is active, the negotiation can begin and the bundle can come up as long as the underlying interface settings are compatible.

This is a standard LACP pairing. The important lesson is that active/passive works, while passive/passive usually does not. The correct answer is the one that recognizes active/passive as a valid combination.

Exam trap

Remember that active/passive works for LACP, but passive/passive does not initiate negotiation.

Why the other options are wrong

C

LACP and PAgP are incompatible, so the bundle cannot form in PAgP mode when one side uses LACP.

D

The passive side will respond to LACP negotiations, so both sides participate and the bundle forms.
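Questions 110, 114 and 125 are three cells of one negotiation table, and question 114 adds the second condition, that the member ports' own settings agree. The following Python model is an added example, not code from this question bank or from Cisco; it encodes the LACP, PAgP and static ('on') pairings as IOS behaves, and the member-consistency check uses constructed field names for the settings an engineer compares. The sample port configurations are constructed.

```python
"""Added example (not from the page): will two EtherChannel configurations bundle?"""

LACP = {"active", "passive"}
PAGP = {"desirable", "auto"}
STATIC = {"on"}

# Per-member settings that must match before the bundle is usable; IOS suspends
# or refuses a member that differs. Field names are constructed for this model.
MUST_MATCH = ("speed", "duplex", "switchport_mode", "allowed_vlans", "native_vlan")


def bundle_forms(mode_a: str, mode_b: str) -> bool:
    """Outcome of 'channel-group N mode <mode_a>' facing 'channel-group N mode <mode_b>'.

    - on/on: static bundle, nothing is negotiated (and nothing is verified).
    - LACP needs at least one 'active' end; passive only answers LACPDUs, so
      passive/passive sends nothing and never bundles.
    - PAgP needs at least one 'desirable' end; auto/auto fails the same way.
    - Different protocols, or 'on' facing any negotiating mode, never bundle.
    """
    modes = {mode_a.lower(), mode_b.lower()}
    if not modes <= LACP | PAGP | STATIC:
        raise ValueError(f"unknown channel-group mode in {sorted(modes)}")
    if modes <= STATIC:
        return True
    if modes <= LACP:
        return "active" in modes
    if modes <= PAGP:
        return "desirable" in modes
    return False


def member_mismatches(members: dict) -> dict:
    """Compare candidate member ports on one switch.

    members maps port name -> {setting: value}. Returns {setting: {port: value}}
    for every setting whose value differs between ports (empty dict = consistent).
    """
    out = {}
    for setting in MUST_MATCH:
        values = {port: cfg.get(setting) for port, cfg in members.items()}
        first = next(iter(values.values()), None)
        if any(v != first for v in values.values()):
            out[setting] = values
    return out


def etherchannel_status(local_mode: str, remote_mode: str, local_members: dict) -> str:
    """What 'show etherchannel summary' would boil down to for this configuration."""
    bad = member_mismatches(local_members)
    if bad:
        return "suspended: member settings differ on " + ", ".join(sorted(bad))
    if not bundle_forms(local_mode, remote_mode):
        return f"not bundled: no negotiation between {local_mode} and {remote_mode}"
    protocol = "static" if local_mode == "on" else ("LACP" if local_mode in LACP else "PAgP")
    return f"bundled ({protocol})"


# Constructed member configurations for one switch.
TRUNK = {"speed": 1000, "duplex": "full", "switchport_mode": "trunk",
         "allowed_vlans": frozenset({10, 20}), "native_vlan": 99}
CONSISTENT = {"Gi0/1": dict(TRUNK), "Gi0/2": dict(TRUNK)}
INCONSISTENT = {"Gi0/1": dict(TRUNK), "Gi0/2": {**TRUNK, "allowed_vlans": frozenset({10})}}


if __name__ == "__main__":
    for a, b in [("active", "active"), ("active", "passive"), ("passive", "passive"),
                 ("desirable", "auto"), ("auto", "auto"), ("on", "on"),
                 ("on", "active"), ("active", "desirable")]:
        print(f"{a:9s} <-> {b:9s}: {'bundles' if bundle_forms(a, b) else 'no bundle'}")
    print(etherchannel_status("active", "passive", CONSISTENT))
    print(etherchannel_status("active", "passive", INCONSISTENT))
    print(etherchannel_status("passive", "passive", CONSISTENT))
```

The 'on' row is the one to remember from a security and stability standpoint: it bundles without any protocol, so a miscabled member is not detected the way LACP or PAgP would detect it.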

126
PBQ · medium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). Port G0/1 is connected to a sales PC, and port G0/2 is connected to an engineering PC. You need to ensure that each PC is in the correct VLAN. However, the sales PC is currently unable to ping the engineering PC because they are in different VLANs. You have a router R1 connected to SW1 via port G0/3. Configure inter-VLAN routing using Router-on-a-Stick on R1, and ensure SW1's port G0/3 is properly configured as a trunk.

Network Topology
PC1 (VLAN 10) -- SW1 G0/1; PC2 (VLAN 20) -- SW1 G0/2; SW1 G0/3 -- R1 G0/0

Hints

  • Router-on-a-Stick uses subinterfaces on the router with 802.1Q encapsulation.
  • The switch port connected to the router must be configured as a trunk to carry multiple VLANs.
  • Each subinterface must have an IP address in the respective VLAN's subnet.
A.Configure subinterfaces on R1 with encapsulation dot1Q and assign IP addresses in VLAN 10 and VLAN 20. Configure SW1 interface G0/3 as a trunk port.
B.Configure a routed port on SW1 G0/3 and assign an IP address. Then configure static routes on R1 to reach each VLAN.
C.Configure SW1 interface G0/3 as an access port in VLAN 10. Then configure R1 with a single IP address in VLAN 10 and enable proxy ARP.
D.Configure SW1 interface G0/3 as a trunk port. Then configure R1 with a single IP address on the physical interface and enable VLAN routing using the 'vlan' command.
AnswerA
solution
! R1
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0
no shutdown

! SW1
interface GigabitEthernet0/3
switchport mode trunk

Why this answer

Router-on-a-Stick allows a single router interface to route between VLANs by using subinterfaces with 802.1Q encapsulation. The switch port must be a trunk to carry the tagged frames. This configuration enables communication between VLAN 10 and VLAN 20.

Exam trap

The key trap is that candidates often forget to configure the switch port as a trunk, or they try to use a routed port on a Layer 2 switch. Also, some may think that a single IP address on the router's physical interface is sufficient, but subinterfaces are mandatory for Router-on-a-Stick.

Why the other options are wrong

B

Layer 2 switches do not support routed ports; they only support switchport mode access or trunk.

C

An access port cannot carry multiple VLANs; a trunk is required for Router-on-a-Stick.

D

Router-on-a-Stick requires subinterfaces; a single IP address on the physical interface only handles one VLAN. The 'vlan' command is not used on routers for inter-VLAN routing.

127
Multi-Selectmedium

Which three of the following are true regarding the operation of Rapid Spanning Tree Protocol (RSTP) compared to classic STP (802.1D)? (Choose three.)

Select 3 answers
.RSTP uses proposal/agreement to achieve faster convergence.
.RSTP reduces the number of port states from five to three.
.RSTP introduces the concept of alternate and backup ports.
.RSTP requires the use of the UplinkFast feature to speed up convergence.
.RSTP uses timer-based convergence identical to 802.1D.
.RSTP eliminates the blocking state entirely.

Why this answer

RSTP (802.1w) uses a proposal/agreement handshake process to rapidly transition ports to the forwarding state without relying on timers, achieving convergence in under a second in most switched networks. This is a fundamental improvement over classic STP (802.1D), which depends on slow timer-based convergence. Additionally, RSTP reduces the classic five port states (blocking, listening, learning, forwarding, disabled) to three (discarding, learning, forwarding) and introduces new port roles—alternate and backup—to provide faster failover by maintaining a ready alternative path to the root.

Exam trap

Cisco often tests the misconception that RSTP eliminates the blocking state entirely, when in fact it renames it to discarding and still uses it for alternate and backup ports.

128
Matchingmedium

Drag and drop the port configuration commands/technologies on the left to their corresponding descriptions on the right.


Matches

Configures the port as a non-trunking access port

Limits the number of MAC addresses on a desktop access port

Separates VoIP traffic into a dedicated VLAN

Assigns the data VLAN for desktop or AP devices

Immediately transitions an end-device port to forwarding state

Macro that sets portfast, mode access, and port-security for IoT/virtual hosts

Why these pairings

These are common Cisco IOS commands used for port configuration, each with a specific function.

Exam trap

Candidates often confuse commands that set port mode (access/trunk) with commands that assign VLANs or set encapsulation. Remember that 'switchport mode access' is the specific command to make a port an access port; other commands like 'switchport access vlan' or 'switchport trunk encapsulation' serve different purposes and do not change the port mode.

129
PBQmedium

You are connected to SW1 via the console. SW1 is a multilayer switch with SVIs for VLANs 10 (192.168.10.1/24) and 20 (192.168.20.1/24). Hosts in VLAN 10 can ping their default gateway (192.168.10.1), but cannot ping hosts in VLAN 20. You suspect IP routing is not enabled or the SVIs are not up.

Hints

  • Check if IP routing is enabled globally.
  • Verify that the SVIs are up/up.
  • Use ping with source to test connectivity between VLANs.
A.Enable IP routing on SW1 with the 'ip routing' global configuration command.
B.Configure a trunk port between SW1 and an external router, then enable routing on the router.
C.Ensure the SVIs are not shut down and have the 'no shutdown' command applied.
D.Add a static route on SW1 pointing to the VLAN 20 subnet via the VLAN 10 SVI.
AnswerA
solution
! SW1
ip routing

Why this answer

A multilayer switch requires 'ip routing' to forward packets between VLANs. Without it, the switch acts as a Layer 2 device. Enabling IP routing allows the SVIs to route traffic between VLANs.

The verification commands confirm routing is active and SVIs are operational.

Exam trap

The trap is that candidates may focus on interface status or static routes, overlooking the fundamental requirement of 'ip routing' on a multilayer switch. Remember that SVIs can be up and pingable, but without IP routing enabled, the switch cannot forward packets between VLANs.

Why the other options are wrong

B

The question states that SW1 is a multilayer switch with SVIs, so it can route between the VLANs internally without an external router. The actual problem is that IP routing is not enabled on the switch itself.

C

The SVIs are already up (hosts can ping the gateway), so 'no shutdown' is not the missing step. The problem is at Layer 3 (routing), not the Layer 2/3 interface status.

D

Directly connected networks do not require static routes; the switch installs them automatically when the SVI is up. The problem is that 'ip routing' is not enabled, so the switch does not use these routes to forward between VLANs.
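The full SVI setup this scenario assumes, with the verification steps the hints describe, as an added example that is not the question bank's solution. VLAN numbers and gateway addresses are the question's; the VLAN names are assumed.

```cisco
! Added example (not the question bank's solution): SVI inter-VLAN routing on a
! multilayer switch. VLAN IDs and addresses come from the question; names are assumed.
ip routing
!
vlan 10
 name SALES
vlan 20
 name ENGINEERING
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Verification (privileged EXEC):
! SW1# show ip interface brief         -> Vlan10 and Vlan20 should be up/up
! SW1# show ip route                   -> both /24s listed as C (connected)
! SW1# ping 192.168.20.1 source 192.168.10.1
```

An SVI only reports up/up when its VLAN exists in the VLAN database and at least one port in that VLAN is up, so 'show ip interface brief' also catches a VLAN that was assigned to an SVI but never created. The sourced ping exercises the same path a VLAN 10 host would take, so a success there while the host still fails points at the host's gateway setting rather than the switch.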

130
Matchingmedium

Match each wireless concept to its most accurate description.


Matches

The WLAN name shown to clients

Device that provides wireless connectivity

Design in which centralized devices manage APs

Wireless security standard

Why these pairings

SSID is the WLAN name broadcasted to clients, making it synonymous with 'The WLAN name shown to clients.' An access point is the device that bridges wireless clients to the wired network, directly matching 'Device that provides wireless connectivity.' A controller-based WLAN uses a central controller to manage multiple APs, which aligns with 'Design in which centralized devices manage APs.' WPA2 is a security protocol for wireless networks, fitting 'Wireless security standard.' The other concepts (BSSID, beacon frames, etc.) are related but not part of this matching exercise.

Exam trap

Watch out for common confusions: SSID vs BSSID (name vs MAC), the roles of beacon frames (advertisement) vs probe requests (discovery), and the correct order of authentication (before association). Cisco exams often test these distinctions.

131
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to a PC on port G0/1. The network administrator wants to secure the port by allowing only two MAC addresses and enabling sticky MAC learning. Additionally, if a violation occurs, the port should be put into error-disabled state. Configure port security on G0/1 with maximum MAC addresses of 2, sticky learning, and shutdown violation mode.

Network Topology (diagram): PC -- SW1 G0/1

Hints

  • Port security must first be enabled with switchport port-security.
  • Sticky MAC dynamically learns and saves MAC addresses to running-config.
A.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation shutdown
B.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation restrict
C.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address sticky SW1(config-if)# switchport port-security violation protect
D.SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 2 SW1(config-if)# switchport port-security mac-address 0000.1111.2222 SW1(config-if)# switchport port-security violation shutdown
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown

Why this answer

Port security restricts access based on MAC addresses. The first command, `switchport port-security`, enables port security on the interface. With sticky, learned MACs are saved to the running config; `shutdown` violation mode places the port in error-disable state, requiring manual recovery.

Option A includes all required commands in the correct order. Option B uses `restrict`, which drops traffic but does not errdisable. Option C uses `protect`, which drops silently without logging.

Option D manually configures a specific MAC instead of enabling sticky learning, so it does not meet the requirement for sticky.

Exam trap

Do not confuse the three violation modes: shutdown (error-disable), restrict (drop + log), and protect (drop silently). Also, remember that sticky MAC learning is enabled with the 'mac-address sticky' command, not by manually configuring a MAC address.

Why the other options are wrong

B

The violation mode 'restrict' does not place the port in error-disabled state; it only drops traffic from unauthorized MACs and increments a counter.

C

The 'protect' mode drops violating frames but does not disable the port or generate syslog messages; it is the least restrictive violation mode.

D

The command 'switchport port-security mac-address' manually assigns a MAC address, whereas 'switchport port-security mac-address sticky' enables dynamic learning and storage of MAC addresses.

132
MCQhard

An EtherChannel uses LACP. One side is configured correctly, but the peer side has a different switchport mode on one of the member links. What is the most likely result?

A.The bundle may fail to form correctly because the member-link settings are inconsistent.
B.The switch automatically rewrites the peer configuration to match.
C.LACP converts the mismatched link into a routed interface automatically.
D.The mismatched link is placed in a spanning-tree blocking state.
AnswerA

This is correct because EtherChannel depends on compatible member settings.

Why this answer

The most likely result is that the bundle will not form cleanly because EtherChannel requires member links to agree on important operational settings. In practical terms, LACP negotiation alone is not enough. The links also need compatible characteristics such as switchport mode, VLAN handling, speed, and duplex where relevant.

This is a common troubleshooting pattern. It tests whether you know that bundle membership depends on configuration consistency, not just on enabling LACP.

Exam trap

Do not assume LACP can resolve all configuration mismatches. Ensure all settings are consistent across member links.

Why the other options are wrong

B

Switches do not automatically rewrite peer configurations; configuration changes must be made manually or via network automation tools. LACP only negotiates parameters like speed and duplex, not switchport mode or VLAN settings.

C

LACP operates at Layer 2 and does not change the interface type; a mismatched link remains a Layer 2 interface. Converting to a routed interface requires manual configuration with the 'no switchport' command.

D

This is incorrect because a switchport mode mismatch in an EtherChannel typically causes the link to be suspended or placed into an errdisable state, not into a spanning-tree blocking state. Spanning tree deals with loops, not port-channel parameter mismatches.

133
MCQhard

A client connects to an employee WLAN using 802.1X authentication. The authentication process completes successfully, but the client fails to obtain an IP address via DHCP. What is the most likely cause?

A.The client is being placed into the wrong policy or VLAN after successful authentication.
B.The WLAN is configured with the wrong SSID, which prevents DHCP packets from being forwarded.
C.The client has a static IP address manually configured, causing a DHCP conflict.
D.The access point is configured with an incorrect default gateway, preventing DHCP relay.
AnswerA

Post-authentication VLAN assignment via RADIUS attributes can override the default interface VLAN. If the assigned VLAN has no DHCP server, the client cannot obtain an address.

Why this answer

Even after successful 802.1X authentication, the client may be assigned to the wrong VLAN or policy through RADIUS attributes (such as Tunnel-Type or Cisco AV-pair). If that VLAN lacks a DHCP server or correct subnet, the client will not receive an IP address. The other options describe issues that either prevent association entirely (wrong SSID) or are not typical causes in controller-based WLANs (static IP, AP gateway misconfiguration).

Exam trap

Cisco often tests the distinction between authentication success and post-authentication network access, leading candidates to focus on pre-authentication issues (like wrong PSK or RADIUS timeout) when the real problem is VLAN assignment or DHCP relay misconfiguration.

Why the other options are wrong

B

An incorrect SSID would prevent the client from associating to the WLAN at all, not allow authentication followed by DHCP failure.

C

A statically configured IP address is a weaker explanation: a client with a static address would not use DHCP at all, or at most would fall back to an APIPA address, whereas the issue here is specifically that DHCP fails to provide a correct address.

D

The access point’s default gateway does not impact DHCP forwarding for client traffic; in controller-based deployments, DHCP packets are handled by the controller or bridged directly to the wired network.

134
Drag & Drophard

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including recovery steps when a port enters err-disabled.

Why this order

Root Guard must be applied first on designated ports to prevent unwanted root bridge changes, then Loop Guard on non-designated ports to prevent loops, followed by BPDU Guard on PortFast ports. Recovery steps are last because they apply after a violation occurs.

Exam trap

The trap is that candidates may confuse the order of applying STP protections. Remember: Root Guard first (designated ports), then Loop Guard (non-designated), then BPDU Guard (PortFast), and recovery last. Do not place recovery first or mix up the sequence.

135
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on the designated port facing a downstream switch to prevent a rogue switch from becoming root. Also, enable Loop Guard on the uplink port to prevent STP loops, and configure BPDU Guard on a PortFast-enabled access port. Ensure that if a superior BPDU is received on the Root Guard port, it is blocked, and if a BPDU is received on the BPDU Guard port, it goes err-disabled.

Network Topology (diagram): R2 -- G0/0 (10.0.0.1/30, 10.0.0.2/30) -- R1; R1 G0/1 (192.168.10.1/24, trunk) -- SW2; SW2 (access vlan 10) -- PC

Hints

  • Root Guard is applied on designated ports to block superior BPDUs.
  • Loop Guard is applied on root or alternate ports to prevent loops if BPDUs stop.
  • BPDU Guard with PortFast err-disables the port upon receiving any BPDU.
A.The configuration is correct; no changes are needed.
B.Root Guard should be applied on G0/0 instead of G0/1, and Loop Guard on G0/1 instead of G0/0.
C.BPDU Guard should be configured on G0/1 instead of G0/2, and Loop Guard should be removed from G0/0.
D.Root Guard should be applied on G0/2 instead of G0/1, and BPDU Guard should be removed from G0/2.
AnswerA
solution
! R1

Why this answer

R1 is the STP root for VLAN 10. The downstream port (G0/1) is a designated port, so Root Guard is correctly applied to prevent a superior BPDU from being accepted. The uplink port (G0/0) is a root port, so Loop Guard should be applied there to prevent an STP loop if BPDUs stop arriving.

The access port (G0/2) has PortFast and BPDU Guard enabled, which will err-disable the port if a BPDU is received. The current configuration is correct; no changes are needed. If a superior BPDU arrives on G0/1, Root Guard will block the port.

If a BPDU arrives on G0/2, BPDU Guard will err-disable it.

Exam trap

The trap is that candidates may think changes are needed because they misapply STP protections to the wrong port types. Remember: Root Guard on designated ports, Loop Guard on root/alternate ports, BPDU Guard on PortFast access ports.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to a root port would not prevent a rogue switch from becoming root. Loop Guard on a designated port is unnecessary and could cause false positives.

C

BPDU Guard on a trunk port would err-disable it as soon as it received a BPDU, and receiving BPDUs is normal on a trunk port. Loop Guard on the root port is essential for loop prevention; removing it would leave the network vulnerable.

D

Root Guard on an access port would block the port if a superior BPDU is received, but access ports should not receive BPDUs if PortFast is enabled. BPDU Guard already handles that by err-disabling the port.
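The guard placement this scenario describes, written out as configuration, together with the err-disabled recovery steps that question 134 asks for. This is an added example, not the question bank's (empty) solution: interface roles follow the question text, the VLAN 10 priority value and the trunk/access settings on the guarded ports are assumed.

```cisco
! Added example (not the question bank's solution). Port roles follow the Q135
! scenario; the priority value and the switchport settings are assumptions.
spanning-tree mode rapid-pvst
spanning-tree vlan 10 priority 4096
!
! Designated port toward the downstream switch: Root Guard discards superior
! BPDUs and puts the port into root-inconsistent state while they arrive.
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root
!
! Uplink port on which BPDUs are expected: Loop Guard moves the port to
! loop-inconsistent state if those BPDUs stop arriving.
interface GigabitEthernet0/0
 spanning-tree guard loop
!
! End-host access port: PortFast plus BPDU Guard err-disables the port on any BPDU.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global alternative for every PortFast port instead of per-interface enable:
! spanning-tree portfast bpduguard default
!
! Recovery after BPDU Guard err-disables G0/2 (remove the offending device first):
! R1(config)# interface GigabitEthernet0/2
! R1(config-if)# shutdown
! R1(config-if)# no shutdown
! Or let the switch retry on its own after a timer:
errdisable recovery cause bpduguard
errdisable recovery interval 60
!
! Verification:
! R1# show spanning-tree vlan 10              (port roles and states)
! R1# show spanning-tree inconsistentports    (root- or loop-inconsistent ports)
! R1# show interfaces status err-disabled     (BPDU Guard victims)
```

Root Guard and Loop Guard are mutually exclusive on the same interface, which matches the exam rule that one belongs on designated ports and the other on root/alternate ports. Root- and loop-inconsistent ports clear themselves when the condition ends (superior BPDUs stop, or BPDUs resume), whereas a BPDU Guard err-disable stays until the manual bounce or the 'errdisable recovery' timer above.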

136
Multi-Selectmedium

Which three of the following correctly describe how a Layer 2 switch handles frames? (Choose three.)

Select 3 answers
.If the destination MAC address is a known unicast, the switch forwards the frame only out of the port associated with that MAC address.
.If the destination MAC address is broadcast (FFFF.FFFF.FFFF), the switch floods the frame out all ports except the incoming port.
.If the destination MAC address is unknown (not in the MAC address table), the switch drops the frame to prevent loops.
.The switch dynamically learns MAC addresses by examining the source MAC address of incoming frames on each port.
.The switch updates the MAC address table every 30 seconds by default using CDP advertisements.
.If the source MAC address in a frame matches the destination MAC address, the switch forwards the frame to all ports.

Why this answer

A Layer 2 switch forwards known unicasts only to the associated port (A), floods broadcasts out all ports except the incoming port (B), and dynamically learns MAC addresses from source MACs of frames (D). Unknown unicasts are flooded, not dropped (C is wrong). MAC address table learning relies on source MAC inspection, not CDP (E is wrong).

If source and destination MAC are identical, the frame is not forwarded; it is typically dropped (F is wrong).

Exam trap

Cisco often tests the misconception that an unknown unicast is dropped, but the correct behavior is flooding; the trap is that candidates confuse 'unknown unicast' with 'unicast not in the table' and incorrectly assume it is treated like a loop-prevention drop.

137
PBQhard

You are connected to a multilayer switch MLS1 via the console. Configure MLS1 so that IP phones connected to interface GigabitEthernet0/1 receive power via PoE, use VLAN 10 for data traffic, and use VLAN 20 for voice traffic, while the access port for an AP on GigabitEthernet0/2 should be placed in VLAN 30 and have PoE disabled. Verify your configuration using appropriate show commands.

Hints

  • Voice VLAN is configured with a separate command from the access VLAN.
  • PoE can be disabled per interface using 'power inline never'.
  • Use 'show interfaces switchport' to see both voice and access VLAN assignments.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 20 switchport voice vlan 10 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline auto
AnswerA
solution
! MLS1
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20
power inline auto
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 30
power inline never

Why this answer

For the IP phone port (G0/1), you need to enable PoE (power inline auto) and configure the voice VLAN (switchport voice vlan 20) so that the phone uses VLAN 20 for voice and the access VLAN 10 for data. For the AP port (G0/2), you must change the access VLAN to 30 and disable PoE (power inline never) to prevent powering the AP through the switch. Verify with 'show interfaces switchport' to confirm voice VLAN and access VLAN settings, and 'show power inline' to check PoE status.

Exam trap

A common trap is confusing the voice VLAN command with trunking or swapping the access and voice VLANs. Also, remember that IP phones require PoE, while the AP in this scenario does not. Always verify with show commands.

Why the other options are wrong

B

IP phones typically use an access port with a voice VLAN, not a trunk port. Trunking is unnecessary here and can cause compatibility issues.

C

This option swaps the access VLAN and voice VLAN assignments. The voice VLAN is configured with 'switchport voice vlan', and the access (data) VLAN with 'switchport access vlan'.

D

This option reverses the PoE settings: 'power inline never' on the phone port and 'power inline auto' on the AP port, the opposite of what the task requires.

138
MCQmedium

Which command places a switch interface into trunking mode directly instead of relying on negotiation?

A.switchport mode trunk
B.switchport access vlan 10
C.switchport mode dynamic auto
D.spanning-tree portfast
AnswerA

This is correct because it directly forces the interface into trunk mode.

Why this answer

The direct command is `switchport mode trunk`. In plain language, this tells the switch to behave as a trunk port rather than waiting to negotiate that role through DTP. That makes the administrative intent clear and avoids ambiguity. In many production environments, explicit configuration is preferred because it is easier to understand and troubleshoot than relying on negotiation behavior.

This is a core CCNA switching idea because trunks and access ports serve very different purposes. The wrong answers either describe negotiation states or commands that relate to other aspects of VLAN behavior. The best answer is the one that directly forces the interface into trunk mode instead of merely suggesting or passively waiting for trunking.

Exam trap

Be careful not to confuse commands that involve negotiation or specify encapsulation with those that directly set the mode.

Why the other options are wrong

B

The command 'switchport access vlan 10' assigns the interface to a specific access VLAN, placing it in access mode, not trunk mode. Trunk mode is required to carry multiple VLANs, and this command does not enable trunking.

C

The command 'switchport mode dynamic auto' places the interface in a mode that waits for the neighboring switch to initiate trunking via DTP. It does not directly force trunking; the interface will only become a trunk if the neighbor is set to 'dynamic desirable' or 'trunk'.

D

The command 'spanning-tree portfast' is used to speed up the transition of an access port to the forwarding state, bypassing the listening and learning phases. It has no effect on trunking mode and is unrelated to VLAN trunk configuration.

139
MCQhard

A network engineer receives a call that users in VLAN 10 on Switch B cannot ping the default gateway, which is a router on a stick connected to Switch A. The engineer checks the Spanning Tree Protocol state on the interface connecting Switch A to Switch B (GigabitEthernet0/1) and finds it is in a root-inconsistent state. Which command output best explains the cause of the issue?

A.The interface is in err-disable state due to BPDU guard.
B.Root guard is enabled and the port received a superior BPDU, causing it to become root-inconsistent.
C.Loop guard is enabled and the port is in a blocking state due to missing BPDUs.
D.The port is in a forwarding state but the VLAN is misconfigured.
AnswerB

Root guard on the interface caused the port to be placed in root-inconsistent state when a superior BPDU was received, blocking the port.

Why this answer

Root guard, when enabled on a port, places that port into a root-inconsistent blocking state if it receives a superior BPDU, preventing the switch from becoming the root bridge. This root-inconsistent state stops forwarding traffic, which explains why users in VLAN 10 cannot reach the default gateway. The port remains physically up but is blocked by spanning tree, so normal interface status would not show a down state, making the root-inconsistent state the key indicator.

Exam trap

Candidates often confuse root guard with BPDU guard: BPDU guard err-disables a port upon receiving any BPDU on a PortFast port, while root guard responds to superior BPDUs by placing the port in root-inconsistent state, not err-disable.

Why the other options are wrong

A

BPDU guard causes an err-disable state, which would show the interface as down or err-disabled, not as root-inconsistent.

C

Loop guard places a port into loop-inconsistent blocking state when BPDUs stop being received, not when a superior BPDU is received.

D

A forwarding state would allow traffic; the problem here is that the port is in a blocked state due to root guard, not a misconfigured VLAN.

140
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch. Port G0/1 connects to a PC that should be allowed only one MAC address. Currently, the port is configured with default settings. You need to enable port security on G0/1, set the maximum MAC addresses to 1, configure the port to shut down if a violation occurs, and ensure that the first learned MAC address is sticky (i.e., saved to the running config).

Network Topology (diagram): PC -- SW1 G0/1

Hints

  • Port security must be enabled on an access port or trunk port.
  • The 'sticky' keyword makes the MAC address sticky and adds it to the running config.
A.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown switchport port-security mac-address sticky
B.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation protect switchport port-security mac-address sticky
C.interface G0/1 switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky
D.interface G0/1 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown switchport port-security mac-address 0000.1111.2222
AnswerA
solution
! SW1
interface gigabitethernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky

Why this answer

Enabling port security and setting maximum MAC addresses to 1 limits the port to one device. The violation shutdown mode disables the port if another MAC attempts to use it. Sticky MAC learning dynamically learns the first MAC and saves it to the running configuration.

Exam trap

Be careful to distinguish between the different violation modes: shutdown (disables port), protect (drops packets without notification), and restrict (drops packets and sends SNMP trap). Also, note that sticky MAC learning is different from statically configuring a MAC address; sticky learning automatically saves the learned MAC to the running config.

Why the other options are wrong

B

The violation mode 'protect' does not shut down the port; it only drops offending traffic. The question explicitly requires the port to shut down.

C

The maximum MAC addresses must be set to 1 to restrict the port to a single device. Setting it to 2 allows an additional device.

D

The command 'switchport port-security mac-address 0000.1111.2222' statically assigns a MAC address, which does not allow dynamic learning. Sticky learning is enabled with the 'sticky' keyword.
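What comes after the four port-security commands in questions 131 and 140: verifying the port, making the sticky addresses survive a reload, and recovering from a shutdown-mode violation. This is an added example, not the question bank's solution; the sample sticky MAC address is a constructed value and the recovery interval is assumed.

```cisco
! Added example (not the question bank's solution). Interface and limits follow
! Q140; the MAC address below is constructed and the timer value is assumed.
interface GigabitEthernet0/1
 switchport mode access              ! port security is rejected on a dynamic (DTP) port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Once the PC sends a frame, the learned address appears in the running config as:
!  switchport port-security mac-address sticky 0000.1111.2222   (constructed value)
! It is lost on reload unless the running config is saved:
! SW1# copy running-config startup-config
!
! Verification:
! SW1# show port-security interface GigabitEthernet0/1
!   Port Status, Violation Mode, Maximum MAC Addresses, Security Violation Count
! SW1# show port-security address
!
! Manual recovery after a shutdown-mode violation (disconnect the extra device first):
! SW1(config)# interface GigabitEthernet0/1
! SW1(config-if)# shutdown
! SW1(config-if)# no shutdown
!
! Optional automatic recovery after a timer:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The saved sticky entry is what makes the restriction persistent: after a reload without 'copy running-config startup-config', the port simply learns whichever device is connected first. 'show port-security interface' is also the quickest way to tell a port-security err-disable (Port Status Secure-shutdown) from a BPDU Guard one.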

141
MCQhard

A network administrator is troubleshooting connectivity loss in a switched network. All switches run Rapid PVST+. A host connected to an access port on SwitchC can no longer reach the default gateway. The access port is configured with PortFast and BPDU Guard. The administrator checks the interface status and finds it in an err-disabled state. What is the most likely cause of this issue?

A.The root bridge election failed, causing a loop.
B.BPDU Guard detected a BPDU on a PortFast-enabled port and disabled it.
C.Rapid PVST+ is not compatible with PortFast.
D.The port is configured as a trunk but should be an access port.
AnswerB

BPDU Guard is enabled on Gi0/1, and a BPDU was received, causing the port to go err-disabled.

Why this answer

B is correct because BPDU Guard is designed to protect the spanning-tree topology by disabling a PortFast-enabled port if it receives a BPDU, placing the port in err-disabled state. Option A is incorrect: a root bridge election failure would not cause a port to err-disable; loops do not directly trigger this state without BPDU Guard. Option C is incorrect because PortFast and BPDU Guard work with all spanning-tree variants including Rapid PVST+.

Option D is incorrect: a trunk misconfiguration alone would not cause err-disable unless BPDU Guard detects a BPDU on a PortFast port.

Exam trap

Cisco often tests the misconception that PortFast and BPDU Guard are incompatible with Rapid PVST+, but in reality, PortFast is a port-level feature that works identically across all spanning-tree variants, and BPDU Guard is the mechanism that causes the err-disabled state when a BPDU is received.

Why the other options are wrong

A

A root bridge election failure would not place the port in err-disabled state; it would cause loops but not trigger BPDU Guard directly.

C

PortFast and BPDU Guard are fully compatible with Rapid PVST+; this option implies incompatibility, which is incorrect.

D

A trunk misconfiguration alone would not cause the port to go err-disable unless a BPDU is received on a PortFast-enabled port, and BPDU Guard is the specific mechanism for that.

142
Multi-Selectmedium

Which three statements accurately describe the operation of the Spanning Tree Protocol (STP) root bridge election? (Choose three.)

Select 3 answers
.The switch with the lowest bridge ID (priority + MAC address) becomes the root bridge.
.If two switches have the same priority, the one with the lowest MAC address is chosen.
.All ports on the root bridge are placed in the designated role.
.The root bridge is always the switch with the highest MAC address.
.The root bridge priority can be modified using the 'spanning-tree vlan vlan-id root secondary' command to force it to become root.
.The root bridge election occurs every 30 seconds by default.

Why this answer

The Spanning Tree Protocol (STP) root bridge election is based on the bridge ID, which combines a configurable priority (default 32768) and the switch's MAC address. The switch with the lowest bridge ID wins the election, making option 1 correct. If priorities are equal, the MAC address serves as the tiebreaker, so the switch with the lowest MAC address is chosen, confirming option 2.

Once elected, all ports on the root bridge become designated ports (forwarding), as they are the most efficient paths to the root, making option 3 correct.

Exam trap

Cisco often tests the misconception that the root bridge is elected periodically (e.g., every 30 seconds) or that the 'root secondary' command forces a switch to become root, when in fact the election is event-driven and the command only sets a specific priority for backup purposes.
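The two ways of influencing the VLAN 10 election, and what the 'root primary' and 'root secondary' macros actually set, as an added example that is not from the question bank. VLAN number and the priority value are assumed.

```cisco
! Added example (not from the question bank). VLAN and priority values are assumed.
!
! On the switch intended as root: explicit priority (a multiple of 4096; lowest wins).
spanning-tree vlan 10 priority 24576
!
! Macro alternative on the intended root. 'root primary' sets 24576, or 4096 less than
! the current root's priority if that one is already lower than 24576.
spanning-tree vlan 10 root primary
!
! On the intended backup: 'root secondary' always sets 28672. It does not look at the
! current root, so it only makes this switch a likely second choice; it cannot force
! the election, which is the exam trap above.
spanning-tree vlan 10 root secondary
!
! Verification: the bridge ID shown is priority + VLAN (extended system ID) + MAC,
! so the VLAN 10 root shows Priority 24586 (24576 + 10).
! SW1# show spanning-tree vlan 10
```

Because both macros are one-shot calculations that write a plain 'priority' line into the configuration, a switch added later with a lower priority still wins; the election is triggered by that switch's BPDUs, not by any timer.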

143
Drag & Drop · medium

Drag and drop the following steps into the correct order (recommended best-practice workflow) to configure VLANs, assign access ports, enable 802.1Q trunking, set the native VLAN, and verify the configuration on a Cisco switch running IOS-XE.


Why this order

First, create VLANs globally so they exist in the VLAN database. Next, assign access ports to the desired VLANs, ensuring end‑device connectivity is established locally. Then configure trunking on the appropriate interfaces, including setting the native VLAN; doing trunking after access port assignment prevents accidental VLAN propagation across the trunk before all access ports are correctly placed.

Verification is always the final step to confirm the entire configuration. Option D (VLAN creation → trunking → access ports → verify) is technically functional but violates the best‑practice order because trunking should be configured only after access ports are assigned to avoid potential topology issues.

Exam trap

Do not confuse the order of operations: VLANs must exist before ports can be assigned. Also, trunking is configured on specific interfaces, not globally, and should be done after access ports are set. Verification is always the final step.

144
Drag & Drop · medium

Drag and drop the following steps into the correct order to create VLANs, assign access ports, configure 802.1Q trunks, set the native VLAN, and verify with 'show vlan brief' and 'show interfaces trunk'.


Why this order

VLANs must be created before assigning ports; trunking is configured after access ports; verification is the final step.

Exam trap

Do not confuse the order of VLAN creation and port assignment. VLANs must be created before ports can be assigned to them. Also, native VLAN configuration is part of trunk configuration and should be done after trunk mode is set.
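The workflow that questions 143 and 144 describe, written out as an added example for a Catalyst switch running IOS-XE. This is not configuration from the original page; the interface numbers, VLAN numbers and names, and the choice of VLAN 99 as an otherwise unused native VLAN are assumptions made for illustration.

```cisco
! Added example, not from the original page. Names and numbers are assumed.
configure terminal
!
! Step 1: create the VLANs so they exist in the VLAN database
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name NATIVE_UNUSED
exit
!
! Step 2: assign access ports. Create the VLAN first: some platforms
! silently create a VLAN typed here, which hides a typo until
! "show vlan brief" shows a VLAN0030 nobody named.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
exit
!
! Step 3: 802.1Q trunk toward the neighbouring switch. DTP is disabled,
! the native VLAN is moved off VLAN 1 to a VLAN no host sits in, and the
! allowed list is explicit. The encapsulation line is needed only on
! platforms that also support ISL; IOS-XE Catalyst 9000 rejects it.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
exit
end
!
! Step 4: verify, then save
show vlan brief
show interfaces GigabitEthernet1/0/48 switchport
show interfaces trunk
write memory
```

Check the native VLAN on both ends of the trunk before moving on: a mismatch produces CDP and STP PVID-inconsistency warnings and blocks the mismatched VLANs, and leaving the native VLAN on VLAN 1 with hosts in it is what makes double-tagging VLAN hopping possible.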

145
Matching · medium

Match each access-layer feature to its most accurate function.


Speeds an edge port into forwarding state

Disables an edge port if a BPDU is received

Separates phone voice traffic from normal user data

Limits and controls MAC address use on a switch port

Why these pairings

PortFast speeds up STP convergence by moving an edge port (connected to an end host) straight to the forwarding state, bypassing listening and learning. BPDU Guard err-disables an edge port if a BPDU is received, protecting against an unauthorized switch, or a looped hub, being plugged into a port that should only ever see a host. Voice VLAN separates voice traffic from data by assigning a dedicated VLAN to IP phones, enabling QoS and traffic prioritization.

Port Security limits the number of allowed MAC addresses on a switch port and can disable the port or alert if unauthorized MACs are detected, controlling access.

Exam trap

Candidates often confuse PortFast with BPDU Guard, thinking both speed convergence, or mix up voice VLAN with port security. Remember: PortFast is for fast STP transitions, BPDU Guard is for loop protection, voice VLAN isolates phone traffic, and port security controls MAC addresses.

146
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure Rapid PVST+ with a designated root bridge, PortFast, and BPDU Guard on access ports.


Why this order

1. Set the spanning-tree mode to Rapid PVST+ ('spanning-tree mode rapid-pvst'): enables Rapid PVST+ globally. The later commands are accepted under plain PVST+ as well, but the fast convergence the question asks for requires this mode.
2. Configure the switch as the root bridge for VLAN 1 ('spanning-tree vlan 1 root primary'): lowers the bridge priority (to 24576, or 4096 below the current root if that is already lower) so this switch wins the election and defines the STP topology.
3. Enter interface configuration mode for the access ports: selects the specific ports where PortFast and BPDU Guard are applied.
4. Enable PortFast on the interfaces ('spanning-tree portfast'): moves the port straight to forwarding, skipping listening and learning, so it belongs only on ports facing end hosts.
5. Enable BPDU Guard on the interfaces ('spanning-tree bpduguard enable'): err-disables the port if a BPDU arrives. It comes last because it is the safety net for PortFast: a BPDU on a PortFast port means a switch was plugged in where a host was expected. The global form, 'spanning-tree portfast bpduguard default', applies only to PortFast-enabled ports, which is another reason PortFast is enabled first.
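The five steps above, together with the priority arithmetic behind question 142, as an added example that is not configuration from the original page. The switch roles (SW1 as primary root, SW2 as secondary), the VLAN list, the interface ranges and the err-disable recovery timer are assumptions.

```cisco
! Added example, not from the original page. Names and numbers are assumed.
! --- SW1: intended root bridge ---
configure terminal
spanning-tree mode rapid-pvst
! "root primary" sets priority 24576, or 4096 below the current root if
! that is already lower. With the extended system ID the bridge priority
! shown for VLAN 1 is 24577 (24576 + VLAN 1); MAC address breaks ties.
spanning-tree vlan 1,10,20 root primary
! Deterministic alternative: an explicit value is not recomputed later and
! still wins against a default-priority switch added afterwards.
! spanning-tree vlan 1,10,20 priority 4096
!
! Access ports: PortFast first, then BPDU Guard as its safety net
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
exit
! Let a BPDU-Guard err-disabled port recover after 5 minutes instead of
! needing a manual shutdown / no shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
! --- SW2: backup root ---
! "root secondary" sets priority 28672: below the 32768 default, above
! SW1, so SW2 becomes root only if SW1 disappears.
configure terminal
spanning-tree mode rapid-pvst
spanning-tree vlan 1,10,20 root secondary
end
!
! --- Verify on SW1 ---
show spanning-tree vlan 1
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/1 detail
show errdisable recovery
```

In 'show spanning-tree vlan 1' on SW1 the Root ID and Bridge ID lines should carry the same priority and MAC address and the text "This bridge is the root"; every port listed should be Desg/FWD. On SW2 the Root ID should be SW1's and exactly one port should be Root/FWD.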

147
Multi-Select · hard

A trunk link between two switches is up, but hosts in VLAN 30 on opposite switches cannot communicate. VLAN 10 works across the same trunk. Which two causes are the most likely?

Select 2 answers
A.VLAN 30 is not allowed on the trunk on one side
B.VLAN 30 may not exist in the VLAN database on the affected switch
C.The trunk native VLAN should always be 30
D.PortFast must be disabled on the access ports in VLAN 30
AnswersA, B

If the VLAN is missing from the allowed list on one side, traffic for that VLAN will not traverse the link.

Why this answer

When one VLAN fails but others work across the same trunk, the problem is VLAN-specific. VLAN 30 may not exist on one switch (a trunk forwards only VLANs present in its VLAN database) or may be excluded from the allowed list on one side. Option C is incorrect because the native VLAN does not need to be 30; a native VLAN mismatch affects untagged traffic and raises CDP and STP PVID-inconsistency warnings, but it does not stop a tagged VLAN such as 30 from being carried.

Option D is incorrect because PortFast only affects the speed at which an access port enters the forwarding state and does not impact communication across an already-up trunk.

Exam trap

Don't assume trunk issues affect all VLANs equally; check for VLAN-specific settings.

Why the other options are wrong

C

The native VLAN is used for untagged traffic on a trunk and is typically VLAN 1 by default. It has no bearing on whether a specific tagged VLAN like VLAN 30 is carried; the allowed VLAN list controls that.

D

PortFast is a feature that speeds up the transition of an access port to the forwarding state, bypassing STP listening/learning. It does not affect trunk operation or whether a VLAN is carried on a trunk.
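How a practitioner isolates the single-VLAN failure in question 147 at the CLI, as an added example rather than anything from the original page. The interface number and VLAN name are assumptions; the column headings quoted in the comments are the ones 'show interfaces trunk' prints.

```cisco
! Added example, not from the original page. Interface and name are assumed.
! 1. The trunk is up, but which VLANs does it actually carry? Read the
!    three VLAN lists in this order:
!      "Vlans allowed on trunk"                         - is 30 listed?
!      "Vlans allowed and active in management domain" - 30 drops out
!                                                        here if it is
!                                                        not in the VLAN
!                                                        database
!      "Vlans in spanning tree forwarding state and not pruned"
!                                                      - 30 drops out here
!                                                        if STP blocks it
show interfaces trunk
!
! 2. Does VLAN 30 exist locally at all?
show vlan brief | include 30
!
! 3a. Missing from the database: create it
configure terminal
vlan 30
 name GUEST
exit
!
! 3b. Missing from the allowed list: use the "add" keyword. A bare
!     "switchport trunk allowed vlan 30" REPLACES the whole list and
!     would cut off VLAN 10, which currently works.
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan add 30
end
!
! 4. Repeat steps 1 and 2 on the other switch, then confirm both sides
show interfaces trunk
show spanning-tree vlan 30
```

If VLAN 30 appears in all three lists on both switches and hosts still cannot talk, the fault is off the trunk: check the access-port VLAN assignment on each host port with 'show vlan brief' and 'show interfaces switchport'.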

148
Matching · medium

Drag and drop the items on the left to match the descriptions on the right.


Enables a port as an 802.1Q trunk port

The VLAN that carries untagged frames on a trunk link

Open standard for VLAN tagging on Ethernet frames

Process of forwarding traffic between different VLANs

Displays a summary of VLANs and their assigned ports

Why these pairings

VLANs segment a switch into multiple broadcast domains. 802.1Q trunking encapsulates frames with a VLAN tag, while the native VLAN carries untagged traffic. 'switchport mode trunk' configures a trunk port, 'show vlan brief' lists VLAN assignments, and inter-VLAN routing enables communication between VLANs typically using a router or Layer 3 switch.

149
MCQ · hard

A switch port is configured with `switchport voice vlan 150` and `switchport access vlan 20`. Which statement best explains the design purpose?

A.It separates voice and data traffic on the same edge port by assigning them to different VLANs.
B.It turns the port into a routed WAN interface.
C.It forces the phone to use CAPWAP before receiving power.
D.It makes VLAN 150 the native VLAN on all trunks automatically.
AnswerA

This is correct because it is the standard voice-VLAN access-port design: one physical port carries the phone's VLAN and the PC's VLAN without being configured as a trunk.

Why this answer

The design purpose is to let the switch support a phone and an attached workstation on the same physical access port while placing their traffic into different VLANs. In practical terms, the phone can use the voice VLAN while the user's data traffic uses the access VLAN. This is a common enterprise edge design for IP telephony.

The key idea is role separation on one port, not trunking the port as a normal inter-switch link.

Exam trap

Avoid confusing voice VLAN configurations with trunking or prioritization settings.

Why the other options are wrong

B

The commands `switchport voice vlan 150` and `switchport access vlan 20` are used on a Layer 2 switch port, not a routed interface. A routed WAN interface would require `no switchport` and an IP address configuration, which is not present here.

C

CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for voice VLAN configuration. The voice VLAN feature is unrelated to CAPWAP.

D

The `switchport voice vlan` command only affects the specific access port where it is configured, not all trunk ports. The native VLAN on trunks is configured separately with `switchport trunk native vlan`.
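An IP-phone edge port that combines the question 149 voice/data split with the port-security feature from question 145, as an added example that is not configuration from the original page. The interface number is an assumption, and the port-security maximum is a design choice explained in the comments.

```cisco
! Added example, not from the original page. Interface number is assumed.
configure terminal
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 150
 ! Port security must count both the phone (voice VLAN) and the PC
 ! daisy-chained behind it (data VLAN). "maximum 1" would trip a
 ! violation as soon as the PC sends its first frame. Some phones also
 ! source untagged frames on the data VLAN, so 3 is a safe value if
 ! "show port-security address" shows the phone MAC in both VLANs.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! "restrict" drops offending frames and logs them; the default
 ! "shutdown" err-disables the port and takes the phone down with it.
 switchport port-security violation restrict
end
!
! Verify: operational mode must be "static access" (not trunk), the
! voice VLAN must show 150, and the secure MAC list should hold the
! phone's and the PC's addresses
show interfaces GigabitEthernet1/0/5 switchport
show port-security interface GigabitEthernet1/0/5
show port-security address
```

'show interfaces GigabitEthernet1/0/5 switchport' is the quickest way to settle the trunk confusion the exam trap mentions: a voice-VLAN port reports "Operational Mode: static access" while still listing "Voice VLAN: 150".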

150
PBQ · hard

You are connected to R1. The network consists of R1, a router, and SW1, a Layer 2 switch. VLANs 10 (192.168.10.0/24) and 20 (192.168.20.0/24) are configured on SW1 with hosts in each VLAN. R1 must perform inter-VLAN routing using a router-on-a-stick configuration on interface G0/0. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20. Configure R1 and identify and resolve the issue.

Hints

  • Check if IP routing is enabled globally on the router.
  • Ensure the physical interface is not administratively down.
  • Verify that the subinterface encapsulation matches the VLANs on the switch.
A.Enable IP routing on R1 with the 'ip routing' global configuration command.
B.Configure the physical interface G0/0 with an IP address and enable trunking with 'switchport mode trunk'.
C.Ensure the trunk between R1 and SW1 is configured with 'switchport trunk allowed vlan 10,20' on SW1.
D.Add the 'no shutdown' command on R1's subinterfaces G0/0.10 and G0/0.20.
AnswerA
solution
! R1
configure terminal
ip routing
interface GigabitEthernet0/0
no shutdown

Why this answer

The problem is that IP routing is disabled on R1; the 'ip routing' command re-enables it. Without it, R1 cannot forward packets between the subinterfaces. The physical interface G0/0 needs neither an IP address nor a trunk command: the subinterfaces' 'encapsulation dot1Q' statements handle the tagging on the router side, and the trunk itself is configured on SW1's port. G0/0 does have to be up, because every subinterface inherits its link state.

The solution is to enable IP routing globally and ensure the physical interface is up (no shutdown).

Exam trap

Cisco routers route IP by default, but 'no ip routing' can switch it off (and many Layer 3 switches ship with it off), so confirm with 'show ip route' instead of assuming: the message "IP routing not enabled" means the command is missing. Also remember that a shut-down physical interface takes all of its subinterfaces down with it.

Why the other options are wrong

B

Assigning an IP to the physical interface would prevent subinterfaces from working, and 'switchport mode trunk' is invalid on a router interface.

C

The problem is specifically that R1 cannot route between VLANs due to missing 'ip routing', not a trunk pruning issue.

D

Subinterfaces accept 'shutdown' individually on IOS, but nothing in the scenario says they were shut down, and the hints point at global routing and the physical interface. If G0/0 itself is down, every subinterface on it is down regardless of its own state, so 'no shutdown' belongs on the physical interface.
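The complete router-on-a-stick build for the question 150 topology, both sides, as an added example that goes beyond the page's own two-line solution. The 192.168.10.0/24 and 192.168.20.0/24 prefixes come from the question; the gateway addresses, the SW1 uplink port number and the use of VLAN 99 as native are assumptions.

```cisco
! Added example, not the page's solution. Gateway IPs, SW1 port number
! and native VLAN are assumed.
! --- R1 ---
configure terminal
! Routers route by default; needed only if "no ip routing" was entered.
! Check first: "show ip route" prints "IP routing not enabled" when it is off.
ip routing
interface GigabitEthernet0/0
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 description VLAN 10 gateway
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 description VLAN 20 gateway
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
end
! The VLAN number in "encapsulation dot1Q" must match SW1 exactly. If SW1
! used VLAN 10 as the trunk's native VLAN, its frames would arrive
! untagged and G0/0.10 would need "encapsulation dot1Q 10 native" instead.
!
! --- SW1 (Layer 2) ---
configure terminal
vlan 10
vlan 20
vlan 99
 name NATIVE_UNUSED
interface GigabitEthernet1/0/24
 description uplink to R1 G0/0
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
end
!
! --- Verify ---
! R1: both subinterfaces up/up, both connected routes installed
show ip interface brief
show ip route connected
! SW1: status "trunking", VLANs 10 and 20 allowed and forwarding
show interfaces GigabitEthernet1/0/24 trunk
! Then from a VLAN 10 host: ping 192.168.10.1 first, then a VLAN 20 host
```

'switchport nonegotiate' matters on this port in particular: a router interface never speaks DTP, so a switch port left in 'dynamic auto' would stay in access mode and only the native VLAN would ever reach R1.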
