CCNA Switching Questions

75 of 392 questions · Page 3/6 · Switching topic · Answers revealed

151 · PBQ · hard

You are connected to SW1. The network has experienced a spanning-tree topology change, and the new root bridge is not the intended core switch. Configure SW1 with a root primary priority, enable PortFast and BPDU Guard on interface GigabitEthernet0/3 (an edge port connected to a server), and verify that a specific port in the topology is blocking. Then, after a BPDU violation occurs on G0/3, recover the interface from err-disable state without reloading the switch.

Network Topology
[Topology diagram: SW1, SW2, SW3, SW4 and a Server; inter-switch links on G0/0–G0/2, server on SW1 G0/3]

Hints

  • Use 'spanning-tree vlan 1 root primary' to set priority to 24576.
  • PortFast and BPDU Guard are configured under the interface.
  • To recover from err-disable, you can use 'shutdown' and 'no shutdown' on the interface.
A. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; shutdown; no shutdown
B. spanning-tree vlan 1 priority 4096; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; errdisable recovery cause bpduguard
C. spanning-tree vlan 1 root secondary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpduguard enable; interface GigabitEthernet0/3; no shutdown
D. spanning-tree vlan 1 root primary; interface GigabitEthernet0/3; spanning-tree portfast; spanning-tree bpdufilter enable; interface GigabitEthernet0/3; shutdown; no shutdown
Answer: A
Solution
! SW1
configure terminal
spanning-tree vlan 1 root primary
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable
end
configure terminal
interface GigabitEthernet0/3
shutdown
no shutdown
end

Why this answer

The current root bridge has priority 32769, but the intended root should be SW1 with a lower priority. First, configure SW1 as root primary using 'spanning-tree vlan 1 root primary' or manually set priority to 24576. For edge port Gi0/3, enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable'.

After the BPDU violation, the port is err-disabled. To recover, first shut down and then no shut the interface, or use 'errdisable recovery cause bpduguard' and wait for the recovery interval, but the most direct method is to manually bounce the interface.

Exam trap

Watch out for confusing root primary vs root secondary, BPDU Guard vs BPDU filter, and the correct method to recover an err-disabled port. Manual shutdown/no shutdown is immediate, while errdisable recovery relies on a timer.

Why the other options are wrong

B

The priority value 4096 is not used by the root primary command; it sets priority to 24576. Additionally, errdisable recovery does not immediately recover the port; it requires a timer.

C

Root secondary makes the switch a secondary root, not primary. An err-disabled port requires a shutdown before no shutdown to clear the error state.

D

BPDU filter does not trigger err-disable on BPDU reception; it silently drops BPDUs. BPDU Guard is needed to protect edge ports.

152 · Matching · medium

Match each Layer 2 protection feature to its most accurate purpose.

Matches

Limits and controls MAC address use on a switch port

Disables an edge port if a BPDU is received

Helps block rogue DHCP activity and build trusted bindings

Validates ARP traffic using trusted information

Why these pairings

Storm Control limits excessive traffic. Port Security limits MAC addresses. DHCP Snooping blocks unauthorized DHCP servers.

DAI validates ARP packets. IP Source Guard filters IP traffic based on DHCP snooping. 802.1X authenticates devices before granting access.

153 · Matching · medium

Match each wireless or edge-switch concept on the left to the description on the right that best fits it. Not all descriptions will be used.

Concepts:
  • SSID
  • CAPWAP
  • Voice VLAN
  • PortFast

Descriptions:
  A. Name of the wireless LAN shown to clients
  B. Communication relationship between lightweight APs and controller
  C. Separates phone traffic from ordinary data on an edge port
  D. Allows an endpoint-facing switchport to move quickly toward forwarding
  E. Delivers power to devices over Ethernet (PoE)
  F. Authenticates users before granting network access (802.1X)
  G. Aggregates multiple physical links for increased bandwidth (LACP/EtherChannel)

Matches

Name of the wireless LAN shown to clients

Communication relationship between lightweight APs and controller

Separates phone traffic from ordinary data on an edge port

Allows an endpoint-facing switchport to move quickly toward forwarding

Why these pairings

SSID is the service set identifier, the human-readable name broadcast by access points so clients can identify the WLAN. CAPWAP (Control and Provisioning of Wireless Access Points) defines the split-MAC architecture and communication between lightweight APs and a wireless LAN controller. Voice VLAN is an access port feature that dynamically assigns IP phone traffic to a separate VLAN, isolating it from data traffic.

PortFast is a spanning-tree enhancement that bypasses listening and learning states on access ports to allow immediate forwarding, preventing connectivity delays for endpoints. Distractor E refers to Power over Ethernet, not a wireless or edge-switch naming concept; F describes 802.1X authentication, not a WLAN name or AP-controller protocol; G refers to link aggregation, not a VLAN or spanning-tree feature.

Exam trap

Do not confuse Voice VLAN with a trunk port that carries multiple VLANs — Voice VLAN actually uses the access port in conjunction with a voice VLAN ID, and PortFast is often mistaken for disabling spanning tree entirely rather than accelerating convergence.

154 · MCQ · hard

A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, which are connected via four GigabitEthernet links configured as an LACP EtherChannel. Hosts on VLAN 10 connected to SW1 can ping the management IP of SW2, but cannot reach hosts on VLAN 10 connected to SW2. The engineer runs a show command on SW1. What is the most likely cause of the problem?

A. The interface Gi0/0/3 is in err-disabled state due to a spanning-tree BPDU guard violation.
B. The interface Gi0/0/3 has a different LACP port priority or is configured with 'channel-group 1 mode passive' while the other ports use 'active'.
C. The port-channel interface is down (not in use), causing all member ports to be stand-alone.
D. The switch is running out of MAC addresses for the EtherChannel, so one port cannot be added.
Answer: B

A mismatch in LACP mode (active vs. passive) or port priority can cause a port to remain in stand-alone mode. The 'I' flag indicates the port is not negotiating LACP successfully.

Why this answer

The issue is that hosts on VLAN 10 can ping the management IP of SW2 but cannot reach other hosts on the same VLAN. This indicates Layer 2 connectivity is broken for data traffic, while Layer 3 (management) traffic works. Since the EtherChannel uses LACP, if one member port (Gi0/0/3) has a different LACP port priority or is in 'passive' mode while others are 'active', LACP negotiation will fail on that link, causing it to be excluded from the channel.

The remaining three ports may still form the EtherChannel, but the missing link can cause load-balancing issues or, more critically, if the channel requires all four links for STP to forward traffic on VLAN 10, the VLAN may be blocked or the port-channel may not pass data correctly for that VLAN.

Exam trap

Cisco often tests the distinction between Layer 3 reachability (management IP) and Layer 2 data-plane issues, leading candidates to focus on STP or err-disabled states instead of LACP negotiation mismatches that cause partial channel membership.

Why the other options are wrong

A

The 'I' flag in the show command output indicates the port is in stand-alone mode, not err-disabled. An err-disabled interface would show as 'err-disabled' or have a 'D' flag, and BPDU guard violation would cause the port to be in err-disabled state, not stand-alone.

C

The show command output shows the port-channel interface as 'SU' (Layer2, in use), meaning it is operational. If the port-channel were down, all member ports would be affected, not just one. The issue is isolated to a single member port.

D

EtherChannel does not have a MAC address limit; each physical port retains its own MAC address. LACP can bundle up to 16 ports (8 active) without any MAC address exhaustion issue. This is not a realistic failure scenario.

155 · MCQ · hard

A network engineer configures an EtherChannel between two switches. Switch A's interface is set with channel-group 1 mode active, while Switch B's identical interface is set with channel-group 1 mode auto. When verifying with show etherchannel summary, the engineer observes that the port-channel interface is down and the physical interfaces are not bundled. What is the most likely cause of the problem?

A. The LACP system priority on the active side must be lower than the auto side.
B. The mode 'auto' is a PAgP negotiation mode that is incompatible with the LACP active mode.
C. LACP requires one side to be active and the other passive; two active interfaces will not bundle.
D. The physical interfaces must be shut down and then re-enabled after configuring LACP for the bundle to form.
Answer: B

Mode auto is part of Cisco's PAgP, not LACP. It cannot negotiate with an interface using LACP active mode, so the bundle fails.

Why this answer

Option B is correct because 'active' is an LACP mode that initiates negotiations, while 'auto' is a PAgP mode that passively waits for PAgP packets. Since LACP and PAgP are incompatible protocols, the interfaces will never negotiate a bundle, leaving the port-channel down. The engineer must use matching protocol modes (e.g., both LACP active/passive or both PAgP desirable/auto) for EtherChannel to form.

Exam trap

Cisco often tests the confusion between LACP and PAgP mode keywords, especially the similarity between 'active' (LACP) and 'auto' (PAgP), leading candidates to assume they are compatible or to focus on priority or interface state rather than protocol mismatch.

Why the other options are wrong

A

LACP priority is not required for basic negotiation and does not cause a failure to bundle.

C

Active/active LACP successfully negotiates, so this is not the cause.

D

Bouncing interfaces is not required to trigger LACP negotiation.

156 · PBQ · hard

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to SW2 via three links (G0/1, G0/2, G0/3) that should form an EtherChannel using LACP. Currently, the interfaces are configured as access ports in VLAN 1. Configure the three interfaces as a LACP EtherChannel trunk that carries VLANs 1-100, and ensure the port-channel interface is operational.

Network Topology
[Topology diagram: SW1 and SW2 connected by links G0/1–G0/3]

Hints

  • Create the port-channel interface first, then assign physical ports with 'channel-group'.
  • Use 'mode active' for LACP.
A. interface port-channel 1; switchport mode trunk; switchport trunk allowed vlan 1-100; interface range g0/1-3; channel-group 1 mode active; switchport mode trunk
B. interface port-channel 1; switchport mode trunk; switchport trunk allowed vlan 1-100; interface range g0/1-3; channel-group 1 mode passive; switchport mode trunk
C. interface port-channel 1; switchport mode access; switchport access vlan 1; interface range g0/1-3; channel-group 1 mode active; switchport mode trunk
D. interface port-channel 1; switchport mode trunk; switchport trunk allowed vlan 1-100; interface range g0/1-3; channel-group 1 mode on; switchport mode trunk
Answer: A
Solution
! SW1
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1-100
interface gigabitethernet0/1
channel-group 1 mode active
interface gigabitethernet0/2
channel-group 1 mode active
interface gigabitethernet0/3
channel-group 1 mode active

Why this answer

The port-channel interface is created and configured as a trunk with allowed VLANs. Physical interfaces are assigned to the channel-group with LACP active mode, which negotiates the EtherChannel with the peer. The trunk is then operational for VLANs 1-100.

Exam trap

Remember that LACP requires at least one side to be in active mode to initiate negotiation. Also, the port-channel interface configuration must match the physical interfaces' switchport mode. Do not confuse 'mode on' (static) with LACP modes.

Why the other options are wrong

B

The specific factual error: LACP passive mode does not initiate negotiation; it only responds. For the EtherChannel to form, at least one side must be active.

C

The specific factual error: The port-channel interface and physical interfaces must have consistent switchport mode configuration. Here, the port-channel is access while physical are trunk, causing a mismatch.

D

The specific factual error: 'channel-group mode on' creates a static EtherChannel without LACP. The question requires LACP, so this does not meet the requirement.

157 · Matching · medium

Drag and drop the STP-related terms on the left to their correct descriptions on the right.

Matches

Switch with the lowest bridge ID in the topology

Port that is in forwarding state on each LAN segment

Port that provides an alternative path to the root bridge and is in blocking state

Feature that brings a port directly into forwarding state for access ports

Feature that disables a port if a BPDU is received on a PortFast-enabled port

Why these pairings

These pairings correctly match STP terms with their standard definitions as used in networking certifications.

Exam trap

Be careful not to confuse the roles: the root bridge has no root port; root ports are only on non-root switches. Also, designated ports are per segment, not per switch. Alternate ports are blocking, not forwarding.

158 · MCQ · hard

An IP phone connected to switch port Gi0/4 is working and receiving calls, but the PC connected to the phone's data port cannot obtain an IP address. The technician confirms that interface Gi0/4 has switchport mode access and shows switchport access vlan 10 and switchport voice vlan 100. What should the technician do next?

A. Verify the DHCP scope for VLAN 10 on the DHCP server.
B. Verify that CDP is enabled on the IP phone.
C. Verify the QoS trust state on the switch port.
D. Verify the IP phone's passthrough mode for the PC port.
Answer: D

The IP phone acts as a switch; if the phone's PC port is not configured to pass traffic untagged on the correct VLAN (passthrough mode), the PC's frames will be dropped or placed in the wrong VLAN. Checking this setting directly addresses the path from PC to switch.

Why this answer

The switch port is correctly configured with the appropriate access VLAN (10) for data and voice VLAN (100). Since the phone itself is functional, the issue is likely in how the phone tags or forwards the PC's untagged frames. The phone's internal switch must be set to passthrough mode to bridge the PC traffic onto the access VLAN.

Verifying this setting will identify if the phone is misconfigured, causing the PC to be placed in the wrong VLAN or isolated.

Exam trap

Many candidates would verify the DHCP scope for VLAN 10, mistakenly assuming the switch configuration is sufficient and the problem is a server-side issue. However, the phone itself is a layer-2 device that must be configured to pass the PC traffic correctly, making the phone's passthrough mode the most direct next step.

Why the other options are wrong

A

Assumes the switch port configuration alone guarantees proper VLAN delivery to the PC, ignoring the phone's role as a transparent bridge.

B

Confuses the mechanism for voice VLAN assignment with the requirement for data passthrough; CDP's role is only for the phone's own voice VLAN, not for the PC's data VLAN.

C

Misapplies QoS as a potential cause for a connectivity issue; it is a quality-of-service feature and does not block DHCP or initial network access.

159 · PBQ · hard

You are troubleshooting inter-VLAN routing on a router-on-a-stick setup. R1 is connected to SW1 via trunk port G0/0. VLANs 10, 20, and 30 exist on SW1, and R1 should route between them. Currently, hosts in VLAN 10 can communicate with VLAN 20 but cannot reach VLAN 30. Review the provided configuration and fix the issue.

Network Topology
[Topology diagram: R1 G0/0 trunk to SW1]

Hints

  • Check the VLAN ID used in the encapsulation on each subinterface.
  • Compare the subinterface VLAN ID with the actual VLAN number for that subnet.
  • Use 'show interfaces trunk' on the switch to confirm which VLANs are active.
A. Change the encapsulation on subinterface G0/0.30 to dot1Q 30 and reapply the IP address.
B. Add a subinterface for native VLAN 1 on R1 and assign an IP address.
C. Enable IP routing on R1 with the 'ip routing' command.
D. Change the allowed VLAN list on the trunk to include VLAN 30.
Answer: A
Solution
! R1
interface GigabitEthernet0/0.30
no encapsulation dot1Q 100
encapsulation dot1Q 30
no ip address 192.168.30.1 255.255.255.0
ip address 192.168.30.1 255.255.255.0
end

Why this answer

The subinterface for VLAN 30 (G0/0.30) is misconfigured with encapsulation dot1Q 100 instead of dot1Q 30, so R1 cannot forward packets to VLAN 30. VLAN 20 is correctly set up, which is why VLAN 10-to-VLAN 20 pings succeed. Changing the encapsulation to dot1Q 30 and reapplying the IP address restores full inter-VLAN routing.

IP routing is enabled by default, so no additional command is needed; the native VLAN does not require a subinterface because no hosts are in that VLAN.

Exam trap

Do not confuse the subinterface number with the VLAN ID; they can be different, but the encapsulation must match the actual VLAN. Also, remember that IP routing is enabled by default on routers, and the native VLAN does not require a subinterface unless routing for that VLAN is needed.

Why the other options are wrong

B

The native VLAN is untagged on the trunk, and R1 can handle it via the physical interface if needed, but a missing subinterface for native VLAN 1 is not the cause of the issue.

C

IP routing is already enabled; the issue is a configuration error on the subinterface, not a missing global command.

D

The trunk configuration is correct; the problem is the encapsulation mismatch on the router subinterface.

160 · Multi-Select · medium

Which three of the following are unique characteristics of RSTP (802.1w) compared to traditional STP (802.1D)? (Choose three.)

Select 3 answers
A. RSTP provides faster convergence by actively negotiating port roles using proposal/agreement handshakes.
B. RSTP introduces new port roles: alternate port and backup port, which are discarding but ready to transition.
C. RSTP requires the use of a root bridge with a lower bridge priority than any other switch in the network.
D. RSTP edge ports transition directly to the forwarding state with no delay.
E. RSTP uses only three timer values (Hello, Max Age, Forward Delay) that must be identical across all switches.
F. RSTP eliminates the need for BPDU messages by using link-local multicast for topology changes.

Why this answer

RSTP (802.1w) differs from traditional STP (802.1D) in three key ways:

It uses a proposal/agreement handshake to achieve rapid convergence without waiting for timers.

It introduces alternate and backup port roles—alternate ports provide a path to the root bridge via another switch, and backup ports provide a redundant path on the same segment; both are discarding but ready to transition.

Edge ports (connected only to end hosts) move directly to the forwarding state, bypassing listening and learning.

The incorrect options fail as differences:

Option C (root bridge with lower priority) is true for both STP and RSTP, so it is not a distinguishing characteristic.

Option E (only three timers) is also true for both; RSTP uses the same three timers (Hello, Max Age, Forward Delay).

Option F (eliminates BPDUs) is false—RSTP still uses BPDUs but with the Type field set to 2 and includes a flags byte for proposal/agreement.

Exam trap

Cisco often tests the misconception that RSTP eliminates the root bridge election or changes the bridge priority requirement, when in fact the root bridge selection process is identical to 802.1D.

Why the other options are wrong

C

This is not a difference; both RSTP and STP require a root bridge with a lower bridge priority than all other switches.

E

Both RSTP and STP use the same three timers (Hello, Max Age, Forward Delay); RSTP does not reduce or eliminate them.

F

RSTP still uses BPDUs—it does not eliminate them; it enhances BPDUs with new flags for faster convergence.

161 · Matching · medium

Drag and drop the STP/Rapid PVST+ terms on the left to the correct descriptions on the right.

Matches

Used to elect the root bridge; consists of priority and MAC address

Port on a non-root bridge with the best path to the root bridge

Port that is in forwarding state on a given LAN segment

Feature that immediately transitions an access port to forwarding state

Feature that err-disables a PortFast port upon receiving a BPDU

Command to force a switch to become the root bridge for VLAN 1

Why these pairings

These definitions match standard STP/Rapid PVST+ terminology.

Exam trap

Do not confuse the root bridge with other STP roles like designated port or alternate port. The root bridge is a switch, not a port. Also, Rapid PVST+ is a protocol, not a role.

162 · MCQ · hard

A switchport on one side of a link is configured as a trunk, but the peer side is configured as an access port. The physical link is up, but VLAN traffic behaves unexpectedly. What is the most likely cause?

A. The two ends disagree on whether the link is a trunk or an access port.
B. The switches must both use the same hostname.
C. The native VLAN must be set to 1 on both sides first.
D. The ports need OSPF enabled.
Answer: A

This is correct because trunk/access mismatch causes VLAN handling problems.

Why this answer

The most likely cause is a switchport mode mismatch. In practical terms, one side expects the link to carry multiple VLANs with tagging behavior, while the other side treats it as a normal one-VLAN endpoint-style access connection. The physical interface can still come up, but the two ends do not agree on how the traffic should be handled.

This is a classic Layer 2 troubleshooting pattern. The link may not be fully down, but the configuration disagreement causes logical forwarding problems.

Exam trap

Be cautious of assuming all VLAN issues are due to allowed lists or STP. Consider mode mismatches when the link is physically up but traffic is disrupted.

Why the other options are wrong

B

Hostnames are purely for identification and have no impact on switchport operation or VLAN tagging. The trunk/access mismatch is a Layer 2 configuration issue independent of hostnames.

C

While native VLAN mismatch can cause issues on a trunk link, the primary problem here is that one side is configured as access, not trunk. Even if native VLAN is set to 1 on both sides, the access port will still not process tagged frames correctly.

D

OSPF is a Layer 3 routing protocol used for exchanging routes between routers, not for resolving Layer 2 switchport mismatches. This issue is purely about trunk/access configuration, which is unrelated to OSPF.

163 · Multi-Select · medium

Which TWO statements correctly describe the configuration and effect of Root Guard and BPDU Guard on a Cisco switch?

Select 2 answers
A. Root Guard is configured on a per-port basis and causes the port to become root-inconsistent if a superior BPDU is received.
B. BPDU Guard prevents loops by disabling a trunk port that receives a BPDU from an unauthorized switch.
C. Root Guard places a port in errdisable state when a superior BPDU is received.
D. BPDU Guard is commonly enabled on ports where PortFast is configured to prevent unexpected BPDUs from causing a bridging loop.
E. Both Root Guard and BPDU Guard filter BPDUs to prevent them from being processed by the switch CPU.
Answers: A, D

Root Guard is applied to a port (usually a designated port) and if a better BPDU arrives, the port enters a root-inconsistent state, blocking traffic and preventing the switch from becoming root.

Why this answer

Option A is correct because Root Guard is configured per interface using the 'spanning-tree guard root' command. When a port with Root Guard enabled receives a superior BPDU (one that would cause the switch to become a non-root bridge), the port is placed into a root-inconsistent state, effectively blocking traffic on that port and preventing the switch from accepting a new root bridge from that direction. This protects the spanning-tree topology from unauthorized or misconfigured switches attempting to become the root bridge.

Option D is correct because BPDU Guard is commonly enabled on ports with PortFast (typically access ports connected to end devices). When a BPDU is received on such a port, BPDU Guard places the port into errdisable state, preventing potential bridging loops that could result from an unauthorized switch connecting to the network. Option B is incorrect because BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports (often with PortFast) and disables the port upon receiving any BPDU, not just on trunk ports.

Option C is incorrect because Root Guard places the port into root-inconsistent state (not errdisable) when a superior BPDU is received; BPDU Guard uses errdisable. Option E is incorrect because neither Root Guard nor BPDU Guard filters BPDUs; Root Guard reacts to superior BPDUs by blocking the port, and BPDU Guard reacts to any BPDU by disabling the port. Both features allow BPDUs to be processed but then take action based on the received BPDUs.

Exam trap

Cisco often tests the distinction between the states triggered by Root Guard (root-inconsistent) versus BPDU Guard (errdisable), and candidates frequently confuse the two, assuming both place the port into errdisable or that Root Guard uses errdisable.

Why the other options are wrong

B

BPDU Guard does not prevent loops by disabling a trunk port; it is typically used on access ports with PortFast and disables the port upon receiving any BPDU.

C

Root Guard places the port into root-inconsistent state, not errdisable; errdisable is the state used by BPDU Guard.

E

Neither Root Guard nor BPDU Guard filters BPDUs; they both process received BPDUs and then take action (root-inconsistent for Root Guard, errdisable for BPDU Guard).

164 · PBQ · hard

You are connected to SW1. A LACP EtherChannel between SW1 and SW2 has already been configured using interfaces GigabitEthernet0/1 and GigabitEthernet0/2 with channel-group 1 mode active on both sides and assigned to VLAN 100. However, the channel is not forming because of a speed/duplex mismatch. The correct interface settings for this network are speed 1000 and duplex full. Interface GigabitEthernet0/1 is already configured with these settings. Only interface GigabitEthernet0/2 needs to be corrected. Identify the configuration change needed to resolve the mismatch and verify the EtherChannel is up with 'show etherchannel summary'.

Network Topology
[Topology diagram: SW1 Gi0/1 EtherChannel to SW2 Gi0/1]

Hints

  • Check the speed and duplex settings on both member interfaces.
  • LACP requires all ports in the channel to have identical configuration.
  • Use the 'show interfaces status' command to quickly see speed/duplex mismatches.
A. Configure interface GigabitEthernet0/2 with 'speed 1000' and 'duplex full', then verify the EtherChannel is up.
B. Configure interface GigabitEthernet0/1 with 'speed 100' and 'duplex half', then verify the EtherChannel is up.
C. Configure interface GigabitEthernet0/2 with 'speed auto' and 'duplex auto', then verify the EtherChannel is up.
D. Configure interface GigabitEthernet0/2 with 'channel-group 1 mode active' and 'switchport access vlan 100', then verify the EtherChannel is up.
Answer: A
Solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
end
show etherchannel summary

Why this answer

The EtherChannel is not forming because GigabitEthernet0/2 is configured with speed 100 and duplex half, while GigabitEthernet0/1 is speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To fix this, configure GigabitEthernet0/2 with speed 1000 and duplex full, matching GigabitEthernet0/1.

After correction, the ports should bundle in Port-channel1 and show as bundled (P) in 'show etherchannel summary'.

Exam trap

The trap is that candidates may overlook the speed/duplex mismatch and focus only on the LACP mode or VLAN configuration. Always verify that all physical parameters match before troubleshooting EtherChannel formation.

Why the other options are wrong

B

The specific factual error is that the question implies the correct configuration should use speed 1000 and duplex full, not downgrade to 100/half. Also, LACP requires identical settings, but the goal is to match the higher speed.

C

The specific factual error is that auto-negotiation does not guarantee matching settings when one side is manually configured. The mismatch would persist.

D

The specific factual error is that the question explicitly states a speed/duplex mismatch prevents the channel from forming, and this option does not correct that mismatch.

165 · PBQ · hard

You are connected to a multilayer switch SW1 via console. SW1 has an IP phone and an access point connected to interfaces GigabitEthernet0/1 and GigabitEthernet0/2 respectively. Configure the access ports so that the IP phone receives a voice VLAN (VLAN 110) and PoE priority critical, and the access point receives PoE priority high. Verify your configuration using show interfaces switchport and show power inline.

Network Topology
[Topology diagram: SW1 G0/1 to IP Phone, SW1 G0/2 to Access Point]

Hints

  • Voice VLAN is configured under the access port interface with the 'switchport voice vlan' command.
  • PoE priority is set per interface using 'power inline priority'.
  • Use 'show interfaces switchport' to verify voice VLAN assignment.
A. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
B. interface GigabitEthernet0/1; switchport mode trunk; switchport trunk allowed vlan 10,110; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
C. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 110; switchport voice vlan 10; power inline priority critical; interface GigabitEthernet0/2; switchport mode access; power inline priority high
D. interface GigabitEthernet0/1; switchport mode access; switchport access vlan 10; switchport voice vlan 110; power inline priority high; interface GigabitEthernet0/2; switchport mode access; power inline priority critical
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport voice vlan 110
power inline priority critical
exit
interface GigabitEthernet0/2
power inline priority high
end

Why this answer

The IP phone requires a voice VLAN configured with the switchport voice vlan command. PoE priority is set per interface using power inline priority. For the phone, the priority is critical; for the AP, it is high.

Verification with show interfaces switchport confirms voice VLAN, and show power inline shows priority settings.

Exam trap

The exam trap is mixing up the voice VLAN and access VLAN assignments, or confusing PoE priority levels. Remember that the voice VLAN is configured with switchport voice vlan, not as the access VLAN. Also, note that IP phones typically use access ports with voice VLAN, not trunks.

PoE priority critical is reserved for critical devices like phones, while high is for other important devices like APs.

Why the other options are wrong

B

The specific factual error is using trunk mode for an IP phone port instead of access mode with voice VLAN.

C

The specific factual error is reversing the VLAN assignments: the access VLAN should be data, and the voice VLAN should be voice.

D

The specific factual error is swapping the PoE priority values: the phone should be critical, the AP high.

166
MCQ (hard)

Refer to the exhibit. A network engineer expects SW1 to be the root bridge for VLAN 1, but the show spanning-tree vlan 1 output on SW2 shows that SW2 is the root. What is the most likely cause of this issue?

A. SW1 is configured with a priority of 32769 but has a higher MAC address than SW2.
B. Spanning tree is disabled on SW1 for VLAN 1.
C. SW1 has a bridge priority of 4096, but BPDU guard is configured on SW2's port to SW1, causing the port to be err-disabled.
D. The trunk link between SW1 and SW2 is down.
Answer: D

The missing root port and the fact that SW2 sees itself as root confirm that SW2 is not receiving any BPDUs from SW1. This is exactly the behavior when the inter-switch trunk is physically down, breaking the spanning-tree topology.

Why this answer

SW2 shows itself as the root (Root ID and Bridge ID are identical, and the text 'This bridge is the root'), and there is no root port listed. In a stable spanning-tree topology, a non-root switch must have a root port to reach the root. The absence of any root port indicates that SW2 is not receiving superior BPDUs from SW1.

The most likely cause is that the trunk link between SW1 and SW2 is down, preventing BPDU exchange.

Exam trap

Many candidates select option A because they notice both priority values are 32769 and assume a MAC-address tiebreaker makes SW2 root, but they fail to see that SW2 has no root port, which would exist if the link to SW1 were operational.

Why the other options are wrong

A

Candidates focus on the matching priority numbers and overlook the missing root port that indicates a complete loss of BPDUs.

B

Candidates may assume no BPDUs means STP is off, but the intended root designation suggests STP is on and a physical disconnect is the primary suspect.

C

Candidates recall that BPDU guard can block ports, but they fail to differentiate between a missing port due to err-disable and a missing port due to a physically down link, which looks identical in this output.

167
Multi-Select (medium)

Which two statements accurately describe a controller-based WLAN compared with a set of independently managed APs?

Select 2 answers
A. It centralizes management and policy across multiple access points.
B. It can improve consistency when deploying WLAN settings across many APs.
C. It removes the need for access points entirely.
D. It replaces the need for DHCP on all client devices.
E. It is the same thing as WPA3.
Answers: A, B

This is correct because centralized management is a main architectural benefit.

Why this answer

A controller-based WLAN centralizes operational control and helps apply policies more consistently across many APs. In practical terms, this improves scalability and reduces the burden of touching each AP individually when changes are needed. The APs still provide the radio service, but they are coordinated under a shared management model.

This question is about architecture, not about claiming that a controller replaces APs or that it removes all other network services.

Exam trap

A common exam trap is assuming that a controller-based WLAN eliminates the need for access points or other network services like DHCP. Some candidates mistakenly believe the controller replaces APs entirely, but APs remain essential for providing wireless connectivity. Others confuse controller-based management with wireless security protocols such as WPA3, which are unrelated concepts.

Misunderstanding these distinctions can lead to incorrect answers by conflating architecture roles with security features or network services.

Why the other options are wrong

C

Option C is incorrect because access points are still required to provide the actual wireless radio connectivity; the controller does not replace APs.

D

Option D is incorrect since DHCP or other IP configuration methods are still needed for client devices; the controller does not replace these network services.

E

Option E is incorrect because WPA3 is a wireless security standard and does not relate to the architectural concept of controller-based WLAN management.

168
Drag & Drop (medium)

Drag and drop the following steps into the recommended order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.

Why this order

Although the switch does not enforce a strict sequence for these commands, the recommended workflow for clarity and consistency is to first enter global configuration mode, then interface configuration mode, then set trunking to support multiple VLANs, assign the voice VLAN, and finally configure PoE. Option D incorrectly omits global configuration mode. Option B places PoE before trunking and voice VLAN, which is less logical.

Option C configures the voice VLAN before setting the trunk mode, which can be confusing.

Exam trap

A common trap is to think that the switch enforces a rigid order (e.g., voice VLAN requires trunk mode). In reality, all command sequences except D produce a working config, but the exam expects the most logical and recommended order: trunk, voice VLAN, then PoE.

169
PBQ (hard)

You are connected to SW1. Two switches, SW1 and SW2, are connected via four GigabitEthernet links. Configure LACP EtherChannel between them using interfaces GigabitEthernet0/1 through GigabitEthernet0/4 on SW1. Set the channel-group mode to active on SW1. The port-channel interface must be configured as a trunk, allowing VLANs 10, 20, 30. However, the EtherChannel is not forming. The current configuration is shown below. Identify and fix the issue, then verify the EtherChannel is operational.

Network Topology (diagram): SW1 Gi0/1-4 to SW2 Gi0/1-4 (4 links).

Hints

  • Compare the Layer 2/Layer 3 status of the port-channel interface with the member interfaces.
  • Check the 'show etherchannel summary' flags: 'SD' means Layer 3 and down; 'SU' means Layer 2 and up.
  • The port-channel interface must match the operational mode (Layer 2) of the member switchports.
A. Remove 'no switchport' and IP address from Port-channel1, then configure 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'.
B. Change the channel-group mode on the member interfaces from active to passive.
C. Add the 'switchport nonegotiate' command to the member interfaces.
D. Configure the member interfaces with 'channel-group 1 mode on' instead of active.
Answer: A
solution
! SW1
configure terminal
interface Port-channel1
! Remove the Layer 3 configuration so the port-channel matches its Layer 2 member ports
no ip address
switchport
! Match the trunk configuration of the member ports
switchport mode trunk
switchport trunk allowed vlan 10,20,30
end
! Verify: members should show (P) bundled and Port-channel1 SU (Layer 2, in use)
show etherchannel summary

Why this answer

The EtherChannel is not forming because the Port-channel1 interface is configured as a Layer 3 interface (no switchport, IP address), while the member interfaces are Layer 2 switchports (switchport mode trunk). This mismatch prevents the channel from bundling. To fix this, configure Port-channel1 as a Layer 2 trunk interface with the same allowed VLANs.

The solution: remove the no switchport command and the IP address, then apply switchport mode trunk and switchport trunk allowed vlan 10,20,30. After correction, the ports should bundle and the show etherchannel summary will show the ports as bundled (P) and the port-channel as Layer 2 (S).

Exam trap

The exam trap is that candidates often focus on LACP modes or trunk negotiation but overlook the Layer 2/Layer 3 mismatch between the port-channel interface and member interfaces. Always ensure the port-channel interface is configured as either Layer 2 or Layer 3 to match the member ports.

Why the other options are wrong

B

The specific factual error: The problem is a Layer 2/Layer 3 mismatch, not the LACP mode. Active mode is valid and commonly used.

C

The specific factual error: 'switchport nonegotiate' affects trunk negotiation, not EtherChannel bundling.

D

The specific factual error: The mode change does not fix the interface type mismatch; the port-channel must be Layer 2 to match the member ports.

170
MCQ (medium)

A network engineer is troubleshooting a connectivity issue between two hosts on different VLANs. The engineer captures traffic on an IOS-XE router's GigabitEthernet0/1 interface using embedded packet capture (EPC). The output shows ARP requests from Host A (192.168.1.10) but no ARP replies from Host B (192.168.2.20). What is the most likely cause of this issue?

A. The router's interface is configured as an access port instead of a trunk.
B. The router's interface does not have an IP address configured in the VLAN 2 subnet.
C. Host A is in a different VLAN than the router's interface.
D. The router's interface has a duplex mismatch with the switch.
Answer: B

For inter-VLAN routing, the router must have an IP address in each VLAN's subnet to act as the default gateway and respond to ARP requests. Without an IP in VLAN 2, it cannot reply to ARP requests for 192.168.2.20.

Why this answer

The router's GigabitEthernet0/1 interface must have an IP address in the same subnet as Host B (192.168.2.20) to act as the default gateway for VLAN 2. Without an IP address in the VLAN 2 subnet, the router cannot respond to ARP requests for that subnet, so Host A's ARP requests for Host B go unanswered. This is the most likely cause because the router performs inter-VLAN routing only when it has an interface (or subinterface) with an IP address in the destination VLAN's subnet.

Exam trap

Cisco often tests the misconception that a router automatically routes between VLANs if it is connected to a switch via a trunk, but the router must have an IP address in each VLAN's subnet to respond to ARP and forward traffic.

Why the other options are wrong

A

The router's interface is a routed port, not a switchport; access/trunk concepts apply to switch interfaces. Even if it were a switch interface, the issue is about ARP replies, which require Layer 3 addressing, not trunking.

C

ARP requests are Layer 2 broadcasts; if the router's interface is in the same VLAN as Host A, it will receive the request. The problem is that the router does not reply, indicating it lacks an IP in the destination subnet.

D

Duplex mismatch causes CRC errors and collisions, but ARP requests would still be received and could be replied to. The capture shows clean ARP requests with no replies, pointing to a Layer 3 issue, not physical layer.

171
MCQ (hard)

A switch port connected to a user PC should be placed in VLAN 20 and must not negotiate trunking. Which configuration is the most appropriate?

A. switchport mode access; switchport access vlan 20
B. switchport mode trunk; switchport trunk native vlan 20
C. switchport mode dynamic desirable; switchport trunk allowed vlan 20
D. no switchport; ip address 192.168.20.1 255.255.255.0
Answer: A

This is correct because it explicitly makes the port an access port in VLAN 20.

Why this answer

The most appropriate configuration is to force the interface into access mode and assign it to VLAN 20. In practical terms, a normal user-facing switch port is supposed to carry one VLAN only. There is no reason to rely on dynamic trunk negotiation for a desktop or laptop connection. Explicit access-port configuration is cleaner, more predictable, and safer.

This is a common switching best-practice question. The wrong answers usually leave room for unwanted trunking behavior or move the interface into a completely different role. The right answer combines the correct port role with the correct VLAN membership.

Exam trap

Avoid assuming 'auto' mode is always safe; it can lead to unintended trunking.

Why the other options are wrong

B

This configuration makes the port a trunk port, which is used to carry multiple VLANs between switches, not for a single user PC. The 'switchport trunk native vlan 20' command sets the native VLAN for untagged traffic on the trunk, but the port still actively negotiates trunking via DTP, violating the requirement to not negotiate trunking.

C

The 'switchport mode dynamic desirable' command actively attempts to form a trunk with the connected device via DTP, which contradicts the requirement to not negotiate trunking. Additionally, 'switchport trunk allowed vlan 20' only restricts which VLANs are allowed on the trunk, but the port is still in trunking mode, not an access port.

D

The 'no switchport' command converts the Layer 2 switch port into a Layer 3 routed interface, which cannot be assigned to a VLAN. This configuration is used for routing between VLANs or connecting to routers, not for connecting a user PC to a specific VLAN.

172
Drag & Drop (medium)

A network engineer is configuring a new access switch that will connect to a distribution switch. The engineer must ensure that local hosts are placed in the correct VLANs before enabling trunking to the distribution switch to prevent VLAN mismatches and broadcast issues. Drag and drop the steps into the correct order.

Why this order

The correct order is to create VLANs first, then assign access ports to those VLANs so local hosts are properly placed and operational. Only then should 802.1Q trunks be configured to extend VLANs to other switches, because trunking before access port assignment could lead to operational inconsistencies. Options B and D would require access ports before VLANs exist, and Option C configures trunks prematurely in this scenario.

Exam trap

The exam trap is that candidates may confuse the order of creating VLANs and assigning ports. Always remember that VLANs must exist before they can be used. Also, trunk configuration typically comes after access port assignment in a logical workflow, though it is not strictly required.

173
Multi-Select (medium)

Which THREE statements about STP and Rapid PVST+ are correct?

Select 3 answers
A. Rapid PVST+ creates a separate spanning-tree instance for each VLAN, enabling per-VLAN load balancing.
B. PortFast should be configured on trunk ports to quickly transition them to forwarding state.
C. Rapid PVST+ uses a proposal/agreement process to quickly transition ports to forwarding.
D. BPDU Guard places a port in the error-disabled state if a BPDU is received, protecting against unexpected switches.
E. To make a switch the root bridge, you should assign it the highest bridge priority value among all switches.
Answers: A, C, D

Rapid PVST+ is Cisco's implementation of RSTP that runs one STP instance per VLAN. This allows the network to use different root bridges and forwarding paths per VLAN, distributing traffic across redundant links.

Why this answer

Rapid PVST+ is Cisco's per-VLAN implementation of the Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w). It creates a separate spanning-tree instance for each VLAN, which allows each instance to converge independently and enables per-VLAN load balancing by blocking different ports in different VLANs. This is a key advantage over classic STP (802.1D), which runs a single instance for all VLANs.

Exam trap

Cisco often tests the misconception that PortFast can be applied to trunk ports or that it accelerates STP convergence on trunks, but PortFast is only for edge ports and does not participate in the spanning-tree algorithm.

Why the other options are wrong

B

PortFast is unsafe on trunk ports; it is intended only for edge access ports.

E

The root bridge is determined by the lowest bridge priority, not the highest.

174
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure Root Guard on designated ports, Loop Guard on non-designated ports, and BPDU Guard on PortFast ports, including the recovery steps when a port enters err-disabled.

Why this order

The correct order is Option A because: 1) Root Guard is applied to designated ports to protect the root bridge election; 2) Loop Guard is applied to non-designated ports to prevent loops caused by unidirectional links; 3) BPDU Guard is applied to PortFast-enabled ports to shut down ports that receive BPDUs unexpectedly. Options B, C, and D incorrectly assign these guards to the wrong port roles (e.g., Option B places BPDU Guard on designated ports and Root Guard on non-designated ports, which violates the intended protection). Steps 4 and 5 apply only to BPDU Guard, as it transitions the port to err-disabled state upon BPDU reception; Root Guard and Loop Guard cause blocking states (root-inconsistent or loop-inconsistent), not err-disabled.

Therefore, the recovery steps (errdisable recovery and manual re-enable) are only relevant for ports configured with BPDU Guard.

Exam trap

Do not confuse the port roles: Root Guard is for designated ports, Loop Guard for non-designated, and BPDU Guard for PortFast. Also remember that errdisable recovery requires both global configuration and manual interface re-enablement.

175
MCQ (hard)

Two switches should form an EtherChannel with LACP. One side is set to active and the other is set to passive. If the remaining interface settings match, what is the expected result?

A. The EtherChannel should form successfully.
B. The EtherChannel fails because both sides must be active.
C. The interfaces automatically become routed ports.
D. The switches delete the port-channel automatically.
Answer: A

This is correct because active/passive is a valid LACP negotiation pairing.

Why this answer

The EtherChannel should form successfully. In practical terms, active mode initiates LACP negotiation and passive mode listens and responds. Because one side is actively starting the negotiation, the bundle can come up if the interfaces also match in operational settings such as speed, duplex, switchport mode, and VLAN characteristics.

This is a classic LACP pairing question. Active/passive works. Passive/passive is the combination that usually fails to start the bundle.

Exam trap

Remember, LACP requires only one side to be active; passive mode will still respond.

Why the other options are wrong

B

LACP allows an active port to form a bundle with a passive port; the passive side simply waits for LACP packets from the active side. Therefore, both sides do not need to be active.

C

LACP mode does not change the Layer 2 or Layer 3 status of interfaces; it only controls the negotiation of EtherChannel bundling. Interfaces remain as switchports unless explicitly configured as routed ports.

D

LACP negotiation failure does not automatically delete the port-channel interface or its configuration. The port-channel remains, but the member ports will not bundle and will operate as individual ports.

176
MCQ (hard)

A switch receives BPDUs on a user-facing port configured as an edge port, but instead of merely changing the port's spanning-tree role it fully error-disables the port. Which protection feature most likely explains that behavior?

Answer: A

This is correct because BPDU Guard typically error-disables an edge port that receives BPDUs.

Why this answer

BPDU Guard most likely explains that behavior. In practical terms, BPDU Guard is used to protect ports that are expected to face ordinary endpoints, not other switches. If BPDUs appear on such a port, the device treats that as a serious topology-policy violation and shuts the port down.

This is different from features that merely influence spanning-tree role choice without fully error-disabling the interface.

Exam trap

Be careful not to confuse BPDU Guard with other spanning tree protection features that do not disable ports upon receiving BPDUs.

Why the other options are wrong

B

Root guard does not error-disable a port; instead, it places the port into a root-inconsistent state if a superior BPDU is received, preventing the port from becoming a root port. It is used to enforce the root bridge location, not to disable ports upon BPDU reception.

C

Port security restricts the number of MAC addresses learned on a port and can error-disable the port if a violation occurs (e.g., too many MAC addresses). It does not react to BPDUs; its focus is on MAC address learning, not spanning-tree BPDUs.

D

DHCP snooping is a security feature that filters DHCP messages and can error-disable a port if a DHCP violation occurs (e.g., rogue DHCP server). It does not inspect or react to BPDUs, which are layer 2 spanning-tree frames.

177
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure a switch port for data and voice traffic.

Why this order

The correct order is: 1) Enter interface configuration mode, because all port-specific commands must be applied under the interface. 2) Set the port as an access port with 'switchport mode access'—a voice VLAN can only be assigned on an access port. 3) Assign the data VLAN with 'switchport access vlan' to ensure proper Layer 2 forwarding for data traffic. 4) Assign the voice VLAN with 'switchport voice vlan' so the IP phone's voice frames are tagged with the voice VLAN. 5) Enable PortFast with 'spanning-tree portfast' to immediately transition the port to forwarding, preventing DHCP timeouts for the phone and host.

178
MCQ (easy)

A switchport should allow only one learned MAC address and shut down if a different device is connected later. Which port security violation mode and limit combination best fits that goal?

A. maximum 1 with violation shutdown
B. maximum 10 with violation protect
C. maximum 1 with violation restrict and no logging
D. maximum unlimited with violation shutdown
Answer: A

This is the strict option that disables the port after a violation.

Why this answer

The usual setup is maximum 1 MAC address with violation mode shutdown. That way the port is disabled when an unauthorized device appears.

Exam trap

Be careful not to confuse the different port security violation modes. Only shutdown mode disables the port upon a violation.

Why the other options are wrong

B

The maximum limit of 10 MAC addresses is too high for the requirement of allowing only one learned MAC address. Additionally, protect mode drops frames from unknown MACs but does not shut down the port, so the port remains active even after a violation.

C

Restrict mode does not shut down the port; it only logs and drops frames from unknown MACs. The requirement explicitly states the port should shut down, which restrict does not achieve.

D

Setting the maximum to unlimited defeats the purpose of limiting MAC addresses to one. Even though violation mode is shutdown, the port will never trigger a violation because there is no limit, so it will never shut down due to port security.

179
MCQ (hard)

A network administrator has configured Rapid PVST+ on all switches and globally enabled BPDU Guard. After connecting a new access switch to an existing distribution switch, the distribution switch interface goes into err-disabled state. The new switch is configured with PortFast on its uplink port. What is the most likely cause of the err-disabled state?

A. Disable Root Guard on the distribution switch interface
B. Disable BPDU Guard on the distribution switch interface
C. Remove PortFast from the new access switch uplink interface
D. Configure the interface as an access port instead of trunk
Answer: B

BPDU Guard err-disables a PortFast-enabled port upon receiving any BPDU. Since this is a trunk port expecting BPDUs, BPDU Guard should not be enabled. Removing it allows the port to stay up while Root Guard still protects against an unwanted root bridge.

Why this answer

The distribution switch interface entered err-disabled because it received a BPDU while BPDU Guard was enabled. BPDU Guard is not automatically enabled with PortFast; it must be explicitly turned on, and the scenario assumes it is active. When a BPDU arrives on a BPDU Guard–enabled port, the switch err-disables it to prevent loops.

Disabling BPDU Guard on that interface resolves the condition. Disabling Root Guard (option A) would not stop the BPDU Guard trigger; removing PortFast (option C) would not disable the already-enabled BPDU Guard; and changing the port to access mode (option D) is irrelevant to BPDU Guard behavior.

Exam trap

Many learners incorrectly assume BPDU Guard is enabled by default on PortFast ports; in reality, it requires explicit configuration, so the exam may present a scenario where BPDU Guard is already enabled to test this distinction.

Why the other options are wrong

A

Root Guard does not cause err-disable; it only prevents the port from becoming a root port. The err-disabled state is triggered by BPDU Guard, not Root Guard.

C

PortFast on the access switch's uplink does not cause err-disable on the distribution switch. PortFast only affects the access switch's port state, not the distribution switch's interface.

D

The err-disable is caused by BPDU Guard, not by trunking misconfiguration. Changing the port mode to access would not resolve the BPDU Guard issue and could disrupt connectivity.

180
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on Cisco IOS-XE switches.

Why this order

First, enter global config mode. Then create the port-channel interface. Next, configure the channel-group mode on each physical interface to active for LACP.

Finally, verify the configuration.

Exam trap

A common trap is to configure the channel-group mode on physical interfaces before creating the port-channel interface, or to forget that global configuration mode is the first step. Always remember the sequence: global config -> port-channel interface -> physical interface channel-group -> verification.

181
MCQ (hard)

Users in VLAN 60 on switch SW2 cannot reach the default gateway located on switch SW1. The trunk between SW1 and SW2 is operational and allows VLAN 60. What is the most likely reason for this issue?

A. VLAN 60 does not exist locally on SW2.
B. The native VLAN must be changed to 60 on both switches.
C. VLAN 60 is not allowed on the trunk link.
D. The default gateway must be configured as a loopback on SW2.
Answer: A

This is correct because trunk allowance alone is not enough if the VLAN is missing from the local switch.

Why this answer

VLAN 60 has not been created locally on SW2, even though the trunk can carry its traffic. A switch never processes VLAN traffic for a VLAN it doesn't know about; it discards tagged frames from the trunk destined for that VLAN and prevents access ports from assigning frames to it. (A) is correct. (B) is incorrect because native VLAN configuration only affects untagged frames—changing it to 60 is unnecessary for tagged VLAN 60 traffic. (C) is incorrect because the trunk is already configured to allow VLAN 60, so trunk filtering isn't the problem. (D) is incorrect because a default gateway is simply an IP address on a router or Layer 3 switch interface (like SVIs) and does not require a loopback on SW2.

Exam trap

Don't assume trunk configuration alone resolves VLAN issues; ensure VLANs exist on all relevant switches.

Why the other options are wrong

B

Native VLAN configuration does not affect tagged VLAN 60 traffic—native VLAN only matters for untagged frames.

C

The trunk is stated to allow VLAN 60, so VLAN filtering is not the problem; a student might misread the premise.

D

The default gateway resides on SW1, not SW2; configuring a loopback on SW2 does not create a gateway for VLAN 60.

182
MCQ (hard)

After a hub was connected to interface Gi0/10, the interface immediately entered errdisable state. The following syslog message was generated: '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred on interface Gi0/10.' What is the strongest explanation for why Gi0/10 shut down?

A. Port security detected more MAC addresses than allowed on the interface.
B. The interface received a superior BPDU and became the root port.
C. The hub forced the interface to become a routed port.
D. DHCP snooping always shuts a port when a hub is attached.
Answer: A

This is correct because the configuration allows only one secure MAC and the violation message confirms the policy breach.

Why this answer

The strongest explanation is a port-security violation caused by the switch seeing more secure MAC addresses than the interface allows. In practical terms, a hub or unmanaged device can cause multiple end hosts to appear behind one access port. If the interface is configured with a maximum of one secure MAC address, additional learned MACs trigger the violation action.

This is a realistic access-layer security scenario because the port does not fail randomly. It fails because the observed behavior violates the configured policy.

Exam trap

Remember that port security specifically deals with MAC address limits, not broadcast storms or spanning-tree issues.

Why the other options are wrong

B

The exhibit shows a port-security violation message, not an STP topology change. A superior BPDU would cause a root port election, not a port shutdown due to security policy.

C

Connecting a hub does not change the interface type; a switchport remains a Layer 2 interface unless explicitly configured with 'no switchport'. The exhibit shows a Layer 2 security violation, not a routed port conversion.

D

DHCP snooping does not automatically shut down a port when a hub is attached; it filters DHCP messages and can disable ports only if a DHCP server is detected on an untrusted port. The exhibit clearly shows a port-security violation message.

183
Drag & Drop (medium)

What is the correct order of steps to capture and analyze traffic on IOS-XE using the embedded packet capture feature, and in Wireshark to isolate a Layer 2 or Layer 3 fault?

Why this order

The correct order for embedded packet capture on IOS-XE is to first define the capture point with the desired interface and optional filter, then start the capture, stop it after capturing the needed traffic, and finally export the file for analysis in Wireshark. Option A accurately reflects this sequence. Option B fails because the capture must be defined before starting.

Option C fails because exporting should occur after stopping the capture. Option D fails because analysis is performed externally, not on the router.

Exam trap

Do not confuse the order of operations: you must define the capture point before starting, and you must stop the capture before exporting. Also, remember that analysis is done externally, not on the router itself.

184
MCQ (hard)

Exhibit: Clients can see the corporate SSID but fail authentication after entering valid usernames and passwords. Which issue is the best explanation?

A. The AP is using the wrong RF channel
B. The RADIUS path or shared secret is failing
C. The SSID must be hidden for enterprise authentication
D. The clients need a voice VLAN assignment first
Answer: B

WPA2-Enterprise depends on successful RADIUS authentication.

Why this answer

WPA2-Enterprise relies on 802.1X with a RADIUS server. If the RADIUS server is unreachable or the shared secret is wrong, users can see the SSID and attempt to authenticate, but the login process fails. Option A is incorrect because RF channel issues would cause connectivity problems, not authentication failures after association.

Option C is incorrect because hiding the SSID is irrelevant to enterprise authentication; the issue is server-side. Option D is incorrect because a voice VLAN is not required for standard client authentication and would not cause login failure.

Exam trap

Remember that WPA2-Enterprise relies on a RADIUS server. Authentication issues often stem from server communication problems, not client-side settings.

Why the other options are wrong

A

RF channel issues cause connectivity or performance problems, not authentication failures after a successful association.

C

Hiding the SSID does not affect the 802.1X authentication process; the failure is likely due to RADIUS communication.

D

Voice VLAN assignment is unrelated to client authentication; clients do not need a voice VLAN to authenticate.

185
MCQ · medium

A port connected to an end-user PC should not send or expect VLAN tags from the endpoint. Which interface type is appropriate on the switch?

C. Routed port
D. Port-channel interface
Answer: A

This is correct because an access port is the normal single-VLAN switchport type for end devices such as PCs.

Why this answer

The appropriate interface type is an access port. In plain language, a normal user PC is expected to connect to one VLAN and send ordinary untagged Ethernet frames. The switch associates that traffic with the configured access VLAN.

This is different from a trunk, which is designed to carry multiple VLANs and commonly uses tagging to preserve VLAN identity across the link. Routed ports are Layer 3 interfaces used for routing between VLANs, not for attaching a single end-user PC. Port-channel interfaces aggregate multiple physical links for redundancy and bandwidth, but they do not determine whether VLAN tagging is used; the underlying port mode (access or trunk) still applies.

Therefore, access port is the only correct choice for an untagged, single-VLAN end-device connection.

Exam trap

Don't confuse the need for VLANs with the need for VLAN tagging. Access ports handle untagged traffic for single VLANs.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs using 802.1Q tagging, which is not expected from a standard PC. Using a trunk port for a PC would cause the switch to expect tagged frames, leading to communication failures.

C

A routed port is a Layer 3 interface used for routing between VLANs or connecting to routers, not for connecting end-user PCs. It does not operate as a Layer 2 switchport and would not handle VLAN tagging as required.

D

A port-channel interface is a logical bundling of multiple physical links for increased bandwidth and redundancy, not a single connection to an end-user PC. It is used between switches or to servers, not for typical PC access.

186
PBQ · easy

You are connected to SW1 via the console. SW1 is a Layer 2 switch with an access port G0/1 connected to a server. The network administrator has noticed that the server is sending BPDUs, which could cause network instability. You need to configure PortFast and BPDU Guard on port G0/1 to prevent BPDU-related issues and ensure the port transitions to forwarding state immediately.

Network Topology (diagram): SW1 G0/1 connected to Server.

Hints

  • PortFast enables immediate transition from blocking to forwarding state.
  • BPDU Guard disables the port if a BPDU is received.
  • These features are typically applied to access ports connected to end devices.
A. interface G0/1; spanning-tree portfast; spanning-tree bpduguard enable
B. interface G0/1; spanning-tree portfast; spanning-tree guard root
C. interface G0/1; spanning-tree portfast; spanning-tree bpdufilter enable
D. interface G0/1; spanning-tree portfast; spanning-tree bpduguard default
Answer: A
solution
! SW1
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to bypass STP listening/learning states, providing immediate connectivity. BPDU Guard protects the network by shutting down the port if a BPDU is received, preventing potential loops from unauthorized switches.

Exam trap

Cisco exams often test the exact syntax for STP features. Remember that both BPDU Guard and BPDU Filter use the 'enable' keyword at the interface level ('spanning-tree bpduguard enable', 'spanning-tree bpdufilter enable'), while Root Guard uses 'spanning-tree guard root'.

Do not confuse these or use global commands on interfaces.

Why the other options are wrong

B

The specific factual error is confusing Root Guard with BPDU Guard. Root Guard is used to enforce the root bridge position, not to protect against BPDUs.

C

The specific factual error is that BPDU Filter silently drops BPDUs instead of taking action, which can allow loops to form if an unauthorized switch is connected.

D

The specific factual error is using the global configuration command on an interface. The global command enables BPDU Guard on all PortFast-enabled ports, but the question asks to configure it on a specific port.

187
Matching · easy

Match each STP-related term or feature to its most accurate function.


The central reference switch for STP path calculation

The best path on a non-root switch toward the root bridge

Feature that speeds an edge port into forwarding

Feature that disables an edge port if a BPDU is received

Why these pairings

In STP, the root bridge is elected as the central reference switch for path calculation. The root port on a non-root switch is the port with the lowest cost path toward the root bridge. PortFast allows an edge port to immediately transition to the forwarding state, bypassing listening and learning.

BPDU Guard protects the network by placing an edge port into errdisable state if a BPDU is received, preventing accidental loops.

Exam trap

Be careful not to confuse the roles of root port and designated port. The root port is the port on a non-root bridge with the lowest cost to the root bridge, while the designated port is the port on a segment with the lowest cost to the root bridge. Also, remember that the Bridge ID is priority + MAC, not just priority.

188
PBQ · hard

You are connected to R1. Configure inter-VLAN routing on R1 using router-on-a-stick so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate. The switch SW1 is already configured with VLANs and trunking, but R1's current configuration prevents traffic. Identify and fix the issues.

Network Topology (diagram): R1 G0/0 trunk to SW1.

Hints

  • Check if the physical interface is administratively down.
  • Verify that the trunk is allowing VLANs 10 and 20.
  • Ensure 'ip routing' is enabled (it is by default).
A. Enable the physical interface with the 'no shutdown' command on R1.
B. Change the encapsulation on the subinterfaces to use dot1Q with native VLAN 10 and 20 respectively.
C. Enable IP routing globally with the 'ip routing' command on R1.
D. Remove the 'no shutdown' from the subinterfaces and apply it only to the physical interface.
Answer: A
solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
end
! Verification on SW1: confirm the trunk is up and allows VLANs 10 and 20
show interfaces trunk

Why this answer

The issue was that the physical interface GigabitEthernet0/0 on R1 was administratively down, causing all subinterfaces for VLANs 10 and 20 to be in a down state. Enabling it with 'no shutdown' brings the trunk up, allowing inter-VLAN routing because the switch already has trunking configured. The other options are incorrect because they suggest steps that are either already in place (IP routing) or not needed (changing encapsulation or moving no shutdown to subinterfaces).

Exam trap

A common mistake is overlooking that router-on-a-stick requires the physical interface to be administratively up, as subinterfaces cannot function independently.

Why the other options are wrong

B

Changing encapsulation is unnecessary because the subinterfaces already use the correct dot1Q encapsulation for VLANs 10 and 20.

C

The 'ip routing' command is already enabled by default on routers, and global routing is not the problem here.

D

Subinterfaces do not support a 'no shutdown' command; their operational state is determined solely by the physical interface.

189
MCQ · medium

Why is BPDU Guard commonly enabled on PortFast-enabled access ports?

A. To make STP root election happen faster
B. To disable STP permanently on access ports
C. To err-disable a port if it receives unexpected BPDUs
D. To allow only one MAC address on the access port
Answer: C

That is the core purpose of BPDU Guard.

Why this answer

PortFast ports are meant for end devices, not for switches. BPDU Guard protects the LAN by shutting down a PortFast port that unexpectedly starts receiving BPDUs, which usually means an unauthorized switch was connected.

Exam trap

Don't confuse BPDU Guard with PortFast or BPDU filtering; each has distinct roles.

Why the other options are wrong

A

BPDU Guard is a security feature that err-disables a port upon receiving BPDUs; it does not accelerate root election. Root election speed is influenced by STP timers and bridge priorities, not BPDU Guard.

B

BPDU Guard does not disable STP permanently; it only reacts to BPDU reception by err-disabling the port. STP remains active on other ports, and the port can be re-enabled after the violation is resolved.

D

Limiting MAC addresses on a port is the function of port security, not BPDU Guard. BPDU Guard specifically monitors for BPDU frames and takes action if any are received.

190
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure inter-VLAN routing using a router-on-a-stick topology.


Why this order

Inter-VLAN routing via router-on-a-stick requires creating VLANs on the switch, placing access ports in those VLANs, configuring a trunk to the router with the correct native VLAN to avoid mismatch, enabling the physical router interface, and then defining subinterfaces per VLAN with 802.1Q encapsulation and IP addresses. This ensures traffic from different VLANs can be routed.

191
MCQ · hard

A trunk link has a native VLAN mismatch between two switches. What is the most likely result?

A. All VLANs except the native VLAN stop forwarding immediately.
B. Untagged frames can be interpreted as belonging to different VLANs on each switch.
C. The trunk automatically converts to an access port.
D. STP is disabled on the trunk until the mismatch is corrected.
Answer: B

Correct. That is the classic native VLAN mismatch issue.

Why this answer

Untagged traffic may be placed into different VLANs on each side of the trunk, causing traffic leakage or connectivity problems.

Exam trap

Be careful not to confuse native VLAN mismatches with issues that affect tagged traffic or automatic switch behavior.

Why the other options are wrong

A

A native VLAN mismatch does not cause all other VLANs to stop forwarding. The trunk continues to forward frames for all VLANs, but untagged frames (native VLAN) are miscommunicated.

C

A trunk port does not automatically convert to an access port due to a native VLAN mismatch. The trunk remains operational, but the native VLAN mismatch causes problems for untagged traffic.

D

STP continues to run normally on the trunk link despite a native VLAN mismatch. The mismatch does not disable STP; it only affects the handling of untagged frames.

192
Drag & Drop · medium

A network troubleshooter is using Cisco IOS-XE's embedded packet capture feature to capture traffic on an interface and then analyze it in Wireshark to isolate a Layer 2 or Layer 3 fault. Which of the following sequences represents the correct order of steps?


Why this order

The correct workflow is to first define the capture point (interface and any filters), then start the capture, stop it when sufficient data is collected, export the captured packets to a file, and finally open that file in Wireshark for analysis. Starting the capture before defining the point, exporting before stopping, or defining the point after stopping all result in an invalid or incomplete capture process.

Exam trap

Remember that the capture point must be defined before starting the capture, and the capture must be stopped before exporting. Do not confuse the order of these steps.
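The four-step workflow described here (and in question 183), as an added IOS-XE CLI example that is not part of the original question bank: the capture name CAP, interface GigabitEthernet0/0, the filter and the file name are constructed for illustration, and the exact export syntax varies slightly between IOS-XE releases.

```cisco
! Step 1: define the capture point: interface, direction and a filter (constructed example values)
monitor capture CAP interface GigabitEthernet0/0 both
monitor capture CAP match ipv4 any any
monitor capture CAP buffer size 10
! Step 2: start the capture (runs until stopped or until the buffer fills)
monitor capture CAP start
! Step 3: stop once enough traffic has been collected, then sanity-check the buffer on-box
monitor capture CAP stop
show monitor capture CAP buffer brief
! Step 4: export the buffer as a pcap and open it in Wireshark; the analysis itself is done off-box
monitor capture CAP export bootflash:CAP.pcap
```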

193
Multi-Select · medium

Which two statements accurately describe why organizations use separate employee and guest WLANs?

Select 2 answers
A. They allow different access policies and trust boundaries for different user groups.
B. They help isolate guest access from internal corporate resources.
C. They eliminate the need for wireless security.
D. They make all roaming problems disappear automatically.
E. They replace the need for VLANs or policy controls behind the scenes.
Answers: A, B

This is correct because policy separation is a key reason for distinct WLANs.

Why this answer

Organizations use separate WLANs because different user groups usually require different trust levels, policies, and access rights. In practical terms, employees may need access to internal business systems, while guests usually need a more limited and isolated experience. Separate WLANs make that segmentation and policy enforcement easier.

This is a design and security decision, not just a naming preference.

Exam trap

Avoid assuming that separate WLANs are used for performance improvements or marketing purposes; focus on security and access control.

Why the other options are wrong

C

Separate WLANs do not eliminate the need for wireless security; both employee and guest WLANs require encryption (e.g., WPA2/WPA3) and authentication mechanisms to protect data in transit and prevent unauthorized access.

D

Roaming problems, such as handoff delays or authentication re-requirements, are not automatically resolved by having separate WLANs; they depend on factors like controller configuration, AP placement, and roaming protocols (e.g., 802.11r).

E

Separate WLANs do not replace the need for VLANs or policy controls; in fact, they often rely on VLANs to segregate traffic and on additional policies (e.g., ACLs, firewall rules) to enforce access restrictions between the WLANs and the network.

194
MCQ · hard

An administrator connects a new access-layer switch to a distribution switch. The link comes up but remains in a blocking state and does not forward frames. The administrator issues the show command shown in the exhibit. What is the most likely reason the link is blocked?

A. BPDU Guard is enabled on the port, and the new switch's BPDUs caused the port to enter err-disable state.
B. Loop Guard is enabled, and the port has stopped receiving BPDUs, leading to a loop-inconsistent state.
C. Root Guard is configured on the port, and the new access switch is sending superior BPDUs, triggering a root-inconsistent state.
D. The port is configured with PortFast, and the new switch's BPDU triggered a loop, causing the port to err-disable.
Answer: C

Root Guard intentionally places a port into root-inconsistent (blocking) state when it receives a superior BPDU, preventing an unwanted switch from becoming the root bridge. The show spanning-tree inconsistentports output confirms a root-inconsistent condition.

Why this answer

The link is blocked because Root Guard is configured on the distribution switch port. When the new access-layer switch sends superior BPDUs (with a lower bridge priority), Root Guard transitions the port to a root-inconsistent (blocking) state to protect the current root bridge from being usurped. This prevents the new switch from becoming the root bridge, which would disrupt the spanning-tree topology.

Exam trap

Cisco often tests the distinction between err-disable states (BPDU Guard) and blocking states (Root Guard, Loop Guard), so the trap here is assuming any BPDU-related protection causes err-disable, when Root Guard specifically causes a blocking state without err-disable.

Why the other options are wrong

A

BPDU Guard results in err-disable, which is not reflected in the show spanning-tree inconsistentports output. The exhibit clearly shows Root Inconsistent, indicating Root Guard, not BPDU Guard.

B

Loop Guard creates a loop-inconsistent listing, not root-inconsistent. The command output explicitly indicates Root Inconsistent, ruling out Loop Guard.

D

Without BPDU Guard, PortFast does not react to BPDUs with a blocking state. The exhibit's root-inconsistent inconsistency is specific to Root Guard, not PortFast or BPDU Guard.

195
MCQ · medium

After a switch replacement, users in VLAN 30 cannot reach devices in other VLANs. The replacement switch has a trunk link to the distribution switch that shows as up/up. What is the most likely cause?

A. The native VLAN must be changed to 30
B. VLAN 30 is not permitted on the trunk link
C. The uplink should be configured as an access port
D. STP must be disabled on VLAN 30
Answer: B

The trunk allowed list does not include VLAN 30.

Why this answer

The trunk is up, but VLAN 30 is not allowed on it. Traffic from that VLAN never crosses the uplink, so inter-VLAN reachability fails for users in VLAN 30 even though the local access ports may still look fine.

Exam trap

Ensure you distinguish between management settings and VLAN configuration. Focus on trunk settings when inter-VLAN issues arise.

Why the other options are wrong

A

Changing the native VLAN to 30 would not resolve the issue because the native VLAN is used for untagged traffic on a trunk, and the problem is that VLAN 30 traffic is not being allowed at all. Additionally, native VLAN mismatch can cause connectivity issues, but it does not specifically prevent only VLAN 30 from reaching other VLANs.

C

Configuring the uplink as an access port would place it in a single VLAN, preventing traffic from multiple VLANs (including VLAN 30) from traversing the link. Since the switch needs to carry traffic for multiple VLANs, the uplink must remain a trunk port.

D

Disabling STP on VLAN 30 would be dangerous as it could cause bridging loops and network instability. Moreover, STP does not control whether a VLAN is allowed on a trunk; it only prevents loops. The issue is a missing VLAN in the trunk allowed list, not a spanning-tree problem.

196
MCQ · medium

A switch administrator enters the following commands on interface GigabitEthernet1/0/10:

interface g1/0/10
switchport mode access
switchport access vlan 30
spanning-tree portfast
spanning-tree bpduguard enable

A user connects a small managed switch to this port, and the access port immediately changes to an err-disabled state. Which feature caused the port to shut down?

C. Access VLAN 30 assignment
D. The interface being in access mode
Answer: B

Correct. BPDU Guard is correct because it is specifically designed to shut down an edge port that should not receive BPDUs. In plain terms, the switch sees evidence that another switch was attached and decides to protect the topology by disabling the port instead of allowing a possible loop or unexpected spanning-tree participation.

Why this answer

BPDU Guard is the feature that caused the shutdown. This question is really about separating two features that are often configured together on user-facing ports: PortFast and BPDU Guard. PortFast helps an edge port come up quickly, which is useful for PCs and phones.

BPDU Guard adds protection by watching for BPDUs on that same port. If a switch is connected where only an end device should exist, the newly connected switch may send BPDUs. The local switch interprets that as a topology risk and disables the port to protect the Layer 2 network.

The clues are the err-disabled state and the fact that another switch was connected. VLAN assignment and access mode are normal here and do not explain the shutdown.

Exam trap

Remember that BPDU Guard, not PortFast, causes a port to shut down when BPDUs are received. PortFast only affects port transition speed.

Why the other options are wrong

A

PortFast is a feature that allows a port to transition immediately to the forwarding state, bypassing the usual spanning-tree listening and learning phases. It does not cause a port to shut down or enter an err-disabled state; it only speeds up convergence for end-user devices.

C

Assigning an access VLAN (VLAN 30) simply places the port into a specific broadcast domain for user traffic. It has no mechanism to detect or react to BPDUs, and it does not cause a port to enter an err-disabled state. The port would remain operational regardless of the VLAN assignment.

D

Configuring a port as an access port is a standard practice for connecting end devices. It does not inherently cause any shutdown or err-disabled condition. The port remains up and forwarding traffic unless another feature, such as BPDU Guard, triggers a protective action.

197
Multi-Select · medium

Which TWO statements correctly describe the configuration and verification of EtherChannel with LACP?

Select 2 answers
A. LACP uses the 'active' and 'passive' modes to negotiate an EtherChannel.
B. The 'show etherchannel summary' command displays the channel group number, port-channel interface, member ports, and their status.
C. LACP uses the 'auto' and 'desirable' modes to negotiate an EtherChannel.
D. The 'show etherchannel summary' command shows the LACP system priority for each channel.
E. An EtherChannel can be formed only if all member ports use the same LACP mode.
Answers: A, B

LACP defines two modes: 'active' (initiates negotiation) and 'passive' (responds to negotiation). At least one side must be active for the channel to form.

Why this answer

Option A is correct because LACP (IEEE 802.3ad) uses 'active' and 'passive' modes to negotiate an EtherChannel. Option B is correct because the 'show etherchannel summary' command displays the channel group number, port-channel interface, member ports, and their status flags (e.g., P for in port-channel, S for suspended). Option C is incorrect because 'auto' and 'desirable' are PAgP modes, not LACP modes.

Option D is incorrect because 'show etherchannel summary' does not show LACP system priority; that is displayed with 'show lacp sys-id' or 'show etherchannel detail'. Option E is incorrect because an EtherChannel can be formed with mismatched LACP modes as long as at least one side is 'active'; for example, 'active' + 'passive' works.

Exam trap

Cisco often tests the distinction between LACP modes ('active'/'passive') and PAgP modes ('auto'/'desirable'), and candidates frequently confuse which protocol uses which set of modes.

Why the other options are wrong

C

LACP does not use 'auto' and 'desirable' modes; those are PAgP modes.

D

The 'show etherchannel summary' command does not display LACP system priority; that is shown via 'show lacp sys-id' or 'show etherchannel detail'.

E

An EtherChannel can be formed even if member ports use different LACP modes (e.g., active and passive), as long as at least one side is active.

198
MCQ · hard

A network engineer connects a new switch to an existing Rapid PVST+ campus network. The new switch is intended to serve as an additional access-layer switch, but after connecting its uplinks, the engineer discovers that the root bridge for VLAN 10 has changed to this new switch, and several access ports on other switches with PortFast and BPDU Guard enabled are now in err-disabled state. Some users report intermittent connectivity loss.

A. The new switch was connected to a port configured as a trunk with a native VLAN mismatch.
B. The new switch's bridge priority is lower than the existing root bridge, and it was connected to a port with BPDU Guard enabled.
C. The new switch has PortFast enabled on its uplinks.
D. The BPDU Guard feature was globally enabled on all ports, including trunk ports.
Answer: B

A lower bridge priority causes the new switch to become the root for VLAN 10. Plugging it into a BPDU Guard-enabled port (which is normally an edge port with PortFast) results in the port receiving BPDUs and going err-disabled. This perfectly explains both symptoms.

Why this answer

The new switch's bridge priority is lower (numerically smaller) than the existing root bridge, so it becomes the new root for VLAN 10. When it sends superior BPDUs out its uplinks, the neighboring switch's access ports with PortFast and BPDU Guard enabled receive these BPDUs, triggering err-disable state on those ports, causing connectivity loss.

Exam trap

Cisco often tests the misconception that BPDU Guard only applies to access ports or that it prevents root bridge changes, when in fact it reacts to any BPDU received on a PortFast port, regardless of the BPDU's source or priority.

Why the other options are wrong

A

Attributing the issue to a native VLAN mismatch overlooks the root election change and the BPDU Guard-triggered err-disable state.

C

This answer ignores the root election shift and the BPDU Guard events; PortFast misconfiguration alone would not cause these symptoms.

D

This fails to account for the selective err-disable of only access ports and the concurrent root bridge change, which points to a targeted misconfiguration rather than a blanket global setting.

199
Multi-Select · medium

Which two statements accurately describe WPA2 and WPA3 in wireless security?

Select 2 answers
A. Both are wireless security standards used to help protect WLAN access and traffic.
B. WPA3 is the newer standard relative to WPA2.
C. Both are names for specific 802.11 radio frequencies.
D. WPA2 and WPA3 are types of trunk ports.
E. WPA3 eliminates the need for SSIDs.
Answers: A, B

This is correct because WPA2 and WPA3 are both WLAN security standards.

Why this answer

WPA2 and WPA3 are wireless security standards used to protect WLAN access and traffic. In practical terms, both are associated with securing wireless communication, but WPA3 is generally positioned as the newer standard with security improvements over WPA2. The key idea at CCNA level is recognizing them as WLAN security standards rather than confusing them with SSIDs, controllers, or radio bands.

You do not need deep protocol internals here. You need the role and relative positioning right.

Exam trap

Avoid assuming WPA3 is limited to specific frequency bands or that WPA2 offers superior security features.

Why the other options are wrong

C

WPA2 and WPA3 are security protocols, not radio frequencies. 802.11 radio frequencies refer to bands like 2.4 GHz and 5 GHz, which are unrelated to security standards.

D

Trunk ports are a concept in switched networks for carrying multiple VLANs, typically using 802.1Q tagging. WPA2 and WPA3 have nothing to do with switch port configuration.

E

WPA3 does not eliminate the need for SSIDs; SSIDs are still required to identify and differentiate wireless networks. WPA3 focuses on authentication and encryption, not network identification.

200
PBQ · hard

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs (10 and 20). Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and the trunk between R1 and SW1 shows a native VLAN mismatch. Examine the provided configuration and output, then apply the necessary corrections to R1 so that inter-VLAN routing works correctly.

Hints

  • Check the native VLAN on the trunk — it might not match the switch.
  • Examine each subinterface's encapsulation — one may have the wrong VLAN ID.
  • Is IP routing enabled? The router needs to forward between VLANs.
A. Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
B. Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, but do not enable IP routing because it is enabled by default.
C. Change the native VLAN on R1's trunk interface to 1, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
D. Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.10 to dot1Q 10, and enable IP routing globally.
Answer: A
solution
! R1
interface GigabitEthernet0/0
! Router interfaces have no 'switchport' commands; the native VLAN is set with dot1Q encapsulation
encapsulation dot1Q 99 native
exit
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
exit
ip routing

Why this answer

The configuration has three issues: 1) The native VLAN on the trunk is VLAN 1, but the switch expects VLAN 99 (common mismatch scenario). 2) Subinterface G0/0.20 uses encapsulation dot1Q 10 instead of 20, causing VLAN 20 traffic to be mis-tagged. 3) The 'ip routing' command is missing globally, so R1 cannot route between subinterfaces. To fix, configure the main interface G0/0 with 'encapsulation dot1Q 99 native' to set the native VLAN to 99, correct the encapsulation on G0/0.20 to 'dot1Q 20', and enable IP routing with 'ip routing'.

Exam trap

Candidates often forget to enable 'ip routing' globally, assuming it is on by default. They may also overlook the native VLAN mismatch or incorrectly use a Layer 2 switchport command instead of 'encapsulation dot1Q 99 native' on the router interface.

Why the other options are wrong

B

The specific factual error is that IP routing is not enabled by default; it requires the 'ip routing' global command.

C

The specific factual error is that the native VLAN must match on both sides; changing R1's native VLAN to 1 does not match the switch's native VLAN 99.

D

The specific factual error is that the subinterface G0/0.20 is associated with VLAN 20, so its encapsulation must be dot1Q 20, not 10.

201
MCQ · hard

A network engineer notices that a newly connected switch-to-switch link is up, but traffic from multiple VLANs is not passing. When issuing the show interfaces trunk command, no trunk ports are listed. Both switch ports are configured with switchport mode dynamic auto. What is the most likely cause?

A.There is a native VLAN mismatch between the two switches.
B.The connecting cable is a straight-through Ethernet cable rather than a crossover cable.
C.One switch lacks a VLAN that exists on the other switch.
D.Both ports are set to dynamic auto, so neither switch initiates DTP negotiation.
AnswerD

In dynamic auto mode, a switch port passively waits for DTP negotiation requests. When both ends are dynamic auto, no side initiates the negotiation, so the ports default to access mode. This perfectly matches the symptom: the link is up, but no trunk appears under show interfaces trunk, and multi-VLAN traffic is not passing.

Why this answer

When both ends of a link are set to switchport mode dynamic auto, neither switch will initiate DTP negotiation. Dynamic auto responds only to DTP requests; it never sends them. Therefore, no DTP messages are exchanged, and both ports silently remain in access mode.

This explains why the link is up and passing traffic only for the access VLAN, and no trunk ports appear in the output. Other issues (native VLAN mismatch, straight-through cable, missing VLANs) do not prevent trunk formation—they affect operational behavior or management reporting but would still show a trunk interface if DTP negotiation succeeded.

Exam trap

Many candidates incorrectly believe a native VLAN mismatch prevents trunk formation because they confuse DTP negotiation failure with CDP/STP native VLAN mismatch errors. In reality, DTP does not check native VLAN compatibility; a trunk will still form and then generate log messages about the mismatch.

Why the other options are wrong

A

Confusing DTP trunk negotiation with the operational consequences of a native VLAN mismatch.

B

Assuming that a crossover cable is mandatory for switch-to-switch connections, ignoring auto-MDIX.

C

Mistaking the ability to forward traffic for a specific VLAN with the ability to negotiate a trunk.

202
MCQ · hard

Two switches, SW1 and SW2, are connected via a trunk link. Hosts in VLAN 50 on SW1 cannot communicate with hosts in VLAN 50 on SW2, while hosts in other VLANs communicate normally. What is the most likely cause?

A.VLAN 50 is not allowed on the trunk from SW1.
B.The native VLAN must be changed to 50 on both switches.
C.The trunk must be changed to an access port.
D.The switches must run PPP on the uplink.
AnswerA

This is correct because VLAN 50 is missing from the allowed list on SW1.

Why this answer

The strongest explanation is that VLAN 50 is missing from the allowed VLAN list on one side of the trunk. In practical terms, the trunk is up and carrying other VLANs, so the problem is selective rather than total. When one VLAN is omitted from the allowed list, only that VLAN fails while others continue to work normally.

This is a high-value switching troubleshooting pattern because it rewards careful reading of operational output rather than generic trunk theory.

Exam trap

Be careful to distinguish between total trunk failures and selective VLAN issues. Check the allowed VLAN list on trunk links when only one VLAN is affected.

Why the other options are wrong

B

The native VLAN is used for untagged traffic on a trunk and does not affect the forwarding of tagged frames for other VLANs. Changing the native VLAN to 50 would not resolve the issue because VLAN 50 frames are still tagged and require inclusion in the allowed VLAN list.

C

An access port can only carry a single VLAN, so changing the trunk to an access port would prevent the link from carrying multiple VLANs, including VLAN 50. The link is intended to carry multiple VLANs, so a trunk is required.

D

PPP (Point-to-Point Protocol) is a WAN protocol used on serial links, not on Ethernet trunks. Ethernet trunks use 802.1Q or ISL encapsulation, and PPP has no relevance to VLAN trunking issues.

203
MCQ · hard

Users report that their PCs take over 30 seconds to obtain IP addresses and reach the network after being powered on. A network technician checks a switch port connected to a PC and observes that the port transitions through blocking, listening, learning, and then forwarding states, taking about 30 seconds to complete. The switch is running standard 802.1D STP. The technician confirms the port is an access port and only connects to a PC. What should the technician do next?

A.Reduce the STP forward delay timer globally on the switch.
B.Enable PortFast on the access port.
C.Disable STP on the access VLAN assigned to the port.
D.Enable Rapid PVST+ on the switch.
AnswerB

PortFast is designed for ports that connect to end hosts. It forces the port to transition directly to the forwarding state, skipping the normal STP listening and learning phases, which is exactly what is needed to eliminate the 30-second boot-time delay.

Why this answer

The correct next action is to enable PortFast on the access port. PortFast allows a port to immediately transition to the forwarding state, bypassing the listening and learning phases, which is safe because the port connects only to an end device and cannot create a bridging loop. This directly resolves the 30-second boot-time delay without making network-wide changes.

Exam trap

Many candidates select 'Enable Rapid PVST+' under the mistaken belief that upgrading the STP protocol eliminates the 30-second forwarding delay. However, even with Rapid PVST+, an edge port must be explicitly configured with PortFast (or edge port) to skip the learning/listening phases; otherwise, it still undergoes a similar convergence process.

Why the other options are wrong

A

This action is too drastic and impacts all ports, whereas the issue is specific to access ports connected to end devices. PortFast is the standard, safe method for eliminating delay on edge ports.

C

Candidates might think that turning off STP on a single VLAN is a quick fix, but it removes the safety net against loops and is not a recommended network practice. PortFast provides the immediate-forwarding benefit while preserving STP loop protection.

D

Candidates often assume that Rapid PVST+ immediately forwards on all access ports, but the edge port behavior must be configured. The scenario explicitly mentions the port is an access port connected only to a PC; the immediate fix is to enable PortFast, not change the entire STP mode.

204
MCQ · hard

A phone and PC share one switchport. The phone works, but the PC cannot reach its normal data resources. The switchport voice VLAN is configured, and the access VLAN is incorrect. Which explanation is strongest?

A.The PC is likely in the wrong data VLAN even though the phone still uses the correct voice VLAN.
B.If the phone works, the PC must also work because both use the same VLAN always.
C.The issue must be BGP because phones cannot use VLANs.
D.The access VLAN becomes irrelevant whenever a voice VLAN is configured.
AnswerA

This is correct because voice and data use different VLAN roles on the same physical port.

Why this answer

Option A is correct because the switchport is configured with a voice VLAN for the phone and an access VLAN for the PC. If the access VLAN is incorrect, the PC will be placed in the wrong data VLAN, preventing it from reaching its normal data resources, while the phone continues to operate correctly on its designated voice VLAN. This is a common misconfiguration where the data VLAN ID does not match the network segment the PC expects.

Exam trap

Cisco often tests the misconception that a working phone implies the PC is also correctly configured, but the trap here is that voice and data VLANs are independent, so a misconfigured access VLAN only affects the PC.

Why the other options are wrong

B

This statement is incorrect because the phone and PC can operate on different VLANs on the same port. The phone uses the voice VLAN, while the PC uses the access (data) VLAN. They are not required to use the same VLAN, and misconfiguration of the access VLAN can cause the PC to fail while the phone works.

C

BGP (Border Gateway Protocol) is a routing protocol used between autonomous systems, not related to VLAN configuration on a switchport. The issue described is about Layer 2 VLAN assignment, not Layer 3 routing. BGP has no role in this scenario.

D

The access VLAN remains relevant even when a voice VLAN is configured. The access VLAN is used for the PC's data traffic, while the voice VLAN is used for the phone's traffic. If the access VLAN is incorrect, the PC will not be able to communicate on the correct data network.

205
Multi-Select · medium

Which TWO statements correctly describe the behavior of Rapid PVST+ in a Layer 2 network?

Select 2 answers
A.Rapid PVST+ runs a separate instance of RSTP for each VLAN.
B.Rapid PVST+ is an enhancement of PVST+ and uses the same timer-based convergence as standard 802.1D.
C.Rapid PVST+ uses the 802.1D standard to compute the spanning tree for each VLAN.
D.PortFast and BPDU Guard are commonly configured on access ports to prevent loops and speed up convergence.
E.Rapid PVST+ uses the 802.1Q trunking protocol to reduce the number of spanning-tree instances.
AnswersA, D

Rapid PVST+ is a per-VLAN implementation of RSTP (802.1w). Each VLAN runs its own RSTP instance, allowing independent root bridge election and port roles per VLAN. This enables load balancing across VLANs.

Why this answer

Rapid PVST+ runs a separate instance of RSTP (802.1w) for each VLAN, enabling per-VLAN rapid convergence and load balancing. Option D is correct because PortFast allows access ports to transition to forwarding immediately, while BPDU Guard prevents loops by disabling a port that receives a BPDU. Option B is incorrect because Rapid PVST+ uses RSTP's handshake mechanism, not timer-based convergence like 802.1D.

Option C is wrong: Rapid PVST+ is based on 802.1w, not 802.1D. Option E is false because Rapid PVST+ does not use 802.1Q to reduce instances; it maintains a separate spanning-tree instance per VLAN.

Exam trap

Cisco often tests the distinction between PVST+ (802.1D-based) and Rapid PVST+ (802.1w-based), and the trap here is assuming Rapid PVST+ still relies on timer-based convergence like standard 802.1D, when in fact it uses the faster RSTP handshake mechanism.

Why the other options are wrong

B

Rapid PVST+ uses RSTP's rapid handshake process, not timer-based convergence like standard 802.1D.

C

Rapid PVST+ is based on the 802.1w standard (RSTP), not 802.1D.

E

Rapid PVST+ runs a separate instance per VLAN and does not use 802.1Q to consolidate instances.

206
MCQ · hard

A network administrator is troubleshooting connectivity issues in a switched network. Users on VLAN 10 report intermittent connectivity to the server farm. The network uses Rapid PVST+ as the spanning-tree protocol. The administrator examines the switch that is the root bridge for VLAN 10 and notices that one of the uplink interfaces to an access switch is in a blocking state. What is the most likely cause of this issue?

A.Change the port type of Gi0/3 to trunk to allow multiple VLANs.
B.Configure spanning-tree portfast on Gi0/3 to speed up convergence.
C.Check the spanning-tree priority on other switches to ensure the intended root bridge has the lowest priority for VLAN 10.
D.Enable BPDU guard on Gi0/3 to prevent unauthorized switches from affecting the network.
AnswerC

The root bridge is elected based on the lowest bridge priority. If another switch has a lower priority, it becomes the root, causing ports on the current root to block. Verifying and adjusting priorities will ensure the correct root bridge election.

Why this answer

In Rapid PVST+, the root bridge for a VLAN should have all its ports in a forwarding state. If an uplink interface on the root bridge is blocking, it indicates that another switch is being elected as the root bridge for VLAN 10, likely because it has a lower spanning-tree priority. By checking and adjusting the priority on other switches, the administrator can ensure the intended switch becomes the root bridge, resolving the intermittent connectivity caused by suboptimal path selection.

Exam trap

Cisco often tests the misconception that a blocking port on a root bridge indicates a physical or configuration issue with that specific port, when in fact it signals that the switch is not the root bridge due to a lower priority on another switch.

Why the other options are wrong

A

Changing the port type to trunk does not affect spanning-tree root bridge election or port roles. The blocking state is determined by spanning-tree topology, not by trunk configuration.

B

Portfast is intended for access ports connected to end devices to bypass listening/learning states; it is not used on uplinks and does not resolve a blocking state caused by spanning-tree topology.

D

BPDU guard is used on access ports to protect against rogue switches by disabling the port if a BPDU is received. It does not affect root bridge election or port roles on uplinks.

207
Matching · medium

Match each switchport or VLAN term to its most accurate meaning.

Switchport that normally carries one VLAN for an endpoint

Link that carries multiple VLANs

Setting that restricts which VLANs may traverse the trunk

VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Access ports are in one VLAN; trunk ports carry multiple VLANs with tags. Switchport mode commands set the port type. VLANs create separate broadcast domains; SVIs provide Layer 3 routing for VLANs.

Exam trap

The exam trap here is confusing the definitions of access ports and trunk ports, or associating an access port with the concept of a VLAN or SVI. Remember that an access port is a Layer 2 port that belongs to exactly one VLAN and does not tag frames.

208
Matching · medium

Match each EtherChannel term or state to its most accurate meaning.

Standards-based protocol used to negotiate an EtherChannel bundle

Indicates a port is bundled in the channel

Indicates a port is operating individually and not bundled

Indicates the port-channel is Layer 2 and in use

Why these pairings

LACP is a standards-based protocol (IEEE 802.3ad) that dynamically negotiates an EtherChannel bundle. In the port state output, 'P' (Port is in Active Port Mode) means the port is bundled into the channel. 'I' (Port is in Individual Mode) indicates the port is operating alone and not part of any bundle. 'SU' (Layer 2, In-Use) shown in the port-channel interface status confirms the logical bundle is Layer 2 and administratively up. These terms directly map to the given meanings.

Exam trap

Be careful not to confuse PAgP and LACP modes. PAgP uses Desirable and Auto; LACP uses Active and Passive. Also, remember that 'On' is not a negotiation protocol but a static configuration.

209
MCQ · medium

Which command places a switch port into access mode directly?

A.switchport mode access
B.switchport trunk allowed vlan 10
C.switchport mode dynamic desirable
D.no switchport
AnswerA

This is correct because it directly forces the interface into access mode.

Why this answer

A switch port is placed into access mode with the `switchport mode access` command. In plain language, this tells the switch that the interface should behave as a single-VLAN user-facing access port rather than as a trunk or a negotiation-based port. This is the normal choice for an endpoint such as a PC, printer, or IP camera that should belong to one VLAN.

This command matters because it makes the intended role of the interface explicit. That clarity is useful operationally and helps avoid accidental trunking behavior. The correct answer is the command that directly defines the switchport as access rather than assigning a VLAN without setting the role or relying on negotiation.

Exam trap

Be careful not to confuse VLAN assignment or negotiation commands with those that explicitly set port modes.

Why the other options are wrong

B

The command 'switchport trunk allowed vlan 10' is used on a trunk port to specify which VLANs are allowed to traverse the trunk link. It does not change the port mode to access; instead, it assumes the port is already a trunk. Therefore, it is incorrect for placing a switch port into access mode.

C

The command 'switchport mode dynamic desirable' enables Dynamic Trunking Protocol (DTP) to actively negotiate trunking with the connected device. This does not directly place the port into access mode; instead, it allows the port to become a trunk if the neighbor agrees. The port remains in a dynamic state until negotiation completes.

D

The command 'no switchport' converts a Layer 2 switch port into a Layer 3 routed port, which is used for routing between VLANs or connecting to routers. This removes all Layer 2 switching functionality, including VLAN assignment, and is the opposite of placing the port into access mode.

210
Multi-Select · hard

Two switches are connected with an EtherChannel using LACP. The bundle stays down and the physical interfaces show individual links, not a port-channel member state. Which two conditions must match on both sides for the channel to form successfully?

Select 2 answers
A.The member interfaces must have compatible speed and duplex settings
B.The trunk native VLAN must always be VLAN 1
C.The interfaces must use the same channel protocol and compatible LACP settings
D.The STP priority values on both switches must be identical
AnswersA, C

Mismatched operational characteristics can prevent EtherChannel formation.

Why this answer

LACP active/passive is valid, but the interfaces still have to match operationally and be configured compatibly for the same bundle. Speed, duplex, trunking, and channel protocol consistency all matter.

Exam trap

Remember that VLAN and trunking settings are important for trunk links but not specifically required for EtherChannel formation.

Why the other options are wrong

B

The native VLAN does not have to be VLAN 1; it can be any VLAN as long as both sides of the trunk agree. The requirement for EtherChannel is that the native VLAN must match on both sides, but it does not have to be VLAN 1.

D

STP priority values do not affect EtherChannel formation; STP operates on the logical port-channel interface after the bundle is formed. EtherChannel requirements focus on physical and protocol compatibility, not spanning-tree parameters.

211
Multi-Select · medium

Which three of the following are true about the operation of DHCP snooping? (Choose three.)

Select 3 answers
1. DHCP snooping builds a binding database of trusted DHCP clients.
2. Interfaces connected to DHCP servers are configured as trusted ports.
3. DHCP snooping can prevent DHCP starvation attacks.
4. DHCP snooping is enabled globally and requires no per-VLAN configuration.
5. DHCP snooping automatically blocks all BOOTP traffic.
6. DHCP snooping only works with DHCPv6.

Why this answer

DHCP snooping is a security feature that builds and maintains a DHCP snooping binding database by monitoring DHCP messages exchanged on trusted and untrusted ports. It prevents rogue DHCP servers and DHCP starvation attacks by filtering DHCP messages based on the trust state of the interface. The binding database records the IP address, MAC address, VLAN, and port information for each DHCP client that successfully obtains a lease through a trusted DHCP server.

Exam trap

Cisco often tests the misconception that DHCP snooping is automatically applied to all VLANs once enabled globally, but in reality you must explicitly enable it on each VLAN with the 'ip dhcp snooping vlan' command.
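An added configuration example, not taken from the question bank, that puts the points above into a working IOS configuration on a hypothetical access switch (VLANs 10 and 20, server-facing uplink Gi0/24, user ports Gi0/1 to Gi0/20 are all assumed values). It shows the per-VLAN enable that the exam trap refers to, the trust boundary, and a rate limit on untrusted ports that blunts a starvation attempt.

```cisco
! Added example, hypothetical switch; not from the original page.
! Gi0/24 faces the DHCP server / upstream; Gi0/1-20 face user PCs.
configure terminal
 ip dhcp snooping
 ! The global command alone does nothing; each VLAN must be listed.
 ip dhcp snooping vlan 10,20
 ! Trusted port: server-originated messages (OFFER, ACK, NAK)
 ! are accepted only here.
 interface GigabitEthernet0/24
  ip dhcp snooping trust
 ! Untrusted ports (the default): clients may only send DISCOVER/REQUEST.
 ! The rate limit (packets per second) err-disables a host that floods
 ! requests, which is how a starvation attack looks on the wire.
 interface range GigabitEthernet0/1 - 20
  ip dhcp snooping limit rate 10
 ! Option 82 insertion is on by default; disable it if the upstream
 ! relay or server drops packets carrying it.
 no ip dhcp snooping information option
end
! Verify the trust state, per-VLAN status, and the binding table
show ip dhcp snooping
show ip dhcp snooping binding
```

The binding table produced here is what IP Source Guard and Dynamic ARP Inspection consume, so getting the trusted/untrusted boundary right is the prerequisite for both.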

212
MCQ · easy

What problem does Spanning Tree Protocol solve in a switched network?

A.IP address exhaustion
B.Layer 2 switching loops
C.Slow DNS lookups
D.Weak wireless encryption
AnswerB

Correct. Loop prevention is the core purpose of STP.

Why this answer

STP prevents Layer 2 loops by blocking redundant paths when necessary, which avoids broadcast storms and MAC table instability.

Exam trap

Avoid confusing STP with technologies like EtherChannel, IPsec, or QoS, which address different network concerns.

Why the other options are wrong

A

Spanning Tree Protocol (STP) operates at Layer 2 and has no mechanism to manage or allocate IP addresses; IP address exhaustion is addressed by protocols like DHCP or IPv6 transition technologies.

C

DNS lookups are application-layer processes that rely on IP connectivity and name resolution servers; STP does not influence DNS performance or resolution speed.

D

Wireless encryption is a security feature implemented at the data link layer (e.g., WPA2/3) and is unrelated to STP, which deals with physical topology loop prevention.

213
Matching · medium

Match each trunk or VLAN term to its most accurate function.

Link carrying traffic for multiple VLANs

VLAN assigned to a normal endpoint-facing port

VLAN associated with untagged traffic on an 802.1Q trunk

Setting that restricts which VLANs may cross a trunk

Why these pairings

Access ports carry traffic for one VLAN only; trunk ports carry multiple VLANs using tagging. The native VLAN is untagged on a trunk; VLAN 1 is the default. 802.1Q is the standard for tagging, and voice VLAN separates voice traffic.

Exam trap

Be careful not to confuse the native VLAN (untagged) with other VLANs (tagged) on a trunk. Also, remember that VLAN 1 is the default data VLAN, not the voice VLAN.

214
MCQ · medium

SW1 is the root bridge for VLAN 10. A user switch receives a BPDU on an access port connected to a desk-side unmanaged switch. What should happen if BPDU Guard is enabled on that port?

A.The port transitions to forwarding more quickly
B.The port is moved to err-disabled state
C.The switch elects a new root bridge
D.The port becomes a trunk automatically
AnswerB

BPDU Guard shuts the port down when a BPDU is seen on an edge port.

Why this answer

BPDU Guard is designed to protect edge ports. If a BPDU is received on a PortFast access port, the switch places the interface into the err-disabled state to stop a potential Layer 2 loop or rogue switch.

Exam trap

Remember that BPDU Guard actively disables ports; it does not just log or ignore BPDUs.

Why the other options are wrong

A

PortFast allows a port to transition to forwarding immediately upon link up, but it does not react to BPDU reception. BPDU Guard is a separate feature that disables the port upon receiving a BPDU; it does not accelerate forwarding.

C

Receiving a BPDU on a single edge port does not trigger a root bridge election. Root bridge election is based on bridge ID comparison across the entire spanning-tree domain, not on a single BPDU on a port.

D

BPDU Guard does not change the port mode; it only reacts to BPDU reception by disabling the port. Port mode (access or trunk) is configured separately and is not affected by STP protection features.
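An added configuration example, not part of the original question, that ties together the PortFast behaviour from question 203 and the BPDU Guard behaviour from this question on a hypothetical access switch (port Gi0/5 and VLAN 10 are assumed). It shows both the per-port and the global form, and adds errdisable recovery so that a single stray BPDU does not require a manual shutdown/no shutdown.

```cisco
! Added example, hypothetical access switch; not from the original page.
configure terminal
 ! Per-port form: edge port to a PC; skip listening/learning,
 ! and err-disable the port if a BPDU ever arrives on it.
 interface GigabitEthernet0/5
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
  spanning-tree bpduguard enable
 ! Global form: every non-trunking port becomes PortFast, and every
 ! PortFast port gets BPDU Guard, so new access ports are covered by default.
 spanning-tree portfast default
 spanning-tree portfast bpduguard default
 ! Automatic recovery: the port is re-enabled after the interval (seconds).
 ! If the BPDU source is still attached, the port simply err-disables again,
 ! which leaves a clear log trail for the operator.
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
end
! Verify the port settings, the recovery timer, and any disabled ports
show spanning-tree interface gi0/5 detail
show errdisable recovery
show interfaces status err-disabled
```

Do not apply the global PortFast default on a switch whose uplinks are access-mode ports; PortFast on a link to another switch defeats the loop protection BPDU Guard is meant to preserve.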

215
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches.

Why this order

To configure LACP EtherChannel, start by entering global configuration mode on both switches. Then create the port-channel interface using 'interface port-channel' (optional but good practice). Finally, assign physical interfaces to the port-channel with LACP active mode using the 'channel-group' command, which handles both port binding and mode setting in one step.

Verify with 'show etherchannel summary'.

Exam trap

A common mistake is to treat enabling LACP active as a separate configuration step after assigning interfaces; in reality, the mode is set as part of the 'channel-group' command itself.

216
Matching · medium

Drag and drop the VLAN/trunking commands and terms on the left to their correct descriptions or functions on the right.

Enables 802.1Q trunking on a switch interface

Assigns an access port to VLAN 10

VLAN that carries untagged traffic on a trunk link; default is VLAN 1

Changes the native VLAN on a trunk to VLAN 99

Uses subinterfaces on a single router interface to route between VLANs

Why these pairings

These pairings match common VLAN/trunking commands and terms to their correct descriptions.

Exam trap

Do not confuse the commands for access and trunk ports. Remember that 'switchport mode access' places the port in access mode, while 'switchport mode trunk' places it in trunk mode. Also, the native VLAN and VLAN 1 are related to trunking and default settings, not to the configuration of an access port.

217
MCQ · medium

Exhibit: A wireless client can see the SSID and associates successfully, but it never gets network access. Other users on the same SSID work. Which issue is the best fit?

A.The AP is advertising the wrong channel width
B.The client failed to obtain a valid IP address from DHCP
C.The SSID must be changed from broadcast to hidden
D.WPA2 automatically blocks clients until NTP is configured
AnswerB

Association without a working IP configuration is a classic symptom.

Why this answer

Successful association means the radio connection is up. If only one client fails to get network access while others work, the most likely issue is a client-specific addressing problem such as not obtaining a valid DHCP lease. Option A is incorrect because channel width affects all clients, not just one.

Option C is incorrect because hiding the SSID does not affect network access after association. Option D is incorrect because WPA2 does not block clients due to NTP; NTP is unrelated to client authentication.

Exam trap

Don't confuse association issues with post-association network access problems. Ensure you understand the difference between connecting to the SSID and obtaining network access.

Why the other options are wrong

A

Channel width affects all clients on the AP, not just a single client.

C

Hiding the SSID only prevents the SSID from being broadcast; it does not impact network access after association.

D

WPA2 does not require NTP for client authentication; NTP is for time synchronization, not client access control.

218
PBQ · hard

You are connected to SW1. This is a Layer 2 switch that connects multiple IP phones and an AP. The AP is on Gi0/3 and must receive PoE and be placed in VLAN 100 (native VLAN). IP phones on Gi0/1 and Gi0/2 must use VLAN 20 for voice and VLAN 10 for data, and must receive PoE. Currently, the AP cannot get an IP address and the phones have no voice connectivity. Configure SW1 to fix these issues.

Network Topology
(figure) SW1: Gi0/0 trunk to the upstream switch; Gi0/1 to the IP phones; Gi0/3 to the AP

Hints

  • IP phones need a separate voice VLAN configured under the access interface.
  • PoE must be explicitly enabled on each interface that needs to supply power.
  • Check the AP interface for PoE status using 'show power inline Gi0/3'.
A.interface Gi0/1; switchport voice vlan 20; power inline auto; interface Gi0/2; switchport voice vlan 20; power inline auto; interface Gi0/3; power inline auto
B.interface Gi0/1; switchport voice vlan 10; power inline auto; interface Gi0/2; switchport voice vlan 10; power inline auto; interface Gi0/3; switchport access vlan 100; power inline auto
C.interface Gi0/1; switchport voice vlan 20; interface Gi0/2; switchport voice vlan 20; interface Gi0/3; switchport access vlan 100
D.interface Gi0/1; power inline auto; interface Gi0/2; power inline auto; interface Gi0/3; power inline auto; switchport trunk native vlan 100
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/2
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/3
power inline auto
exit

Why this answer

The AP on Gi0/3 requires PoE (power inline auto) and must be on a trunk port with native VLAN 100. The current configuration likely lacks PoE, and the port may be set as an access port instead of a trunk. For the IP phones on Gi0/1 and Gi0/2, the missing 'switchport voice vlan 20' command prevents voice traffic from using VLAN 20, and PoE must also be enabled.

The provided solution adds the necessary voice VLAN and PoE commands. Option A is correct because it applies voice VLAN 20 and PoE to the phone ports, and PoE to the AP port. Option B incorrectly assigns voice VLAN 10; Option C omits PoE on the AP port; Option D applies PoE globally but fails to set voice VLANs and incorrectly configures trunk native VLAN on all ports.

Exam trap

Candidates often forget to enable PoE on ports that need it, or they confuse the voice VLAN with the data VLAN. Always verify that both power and VLAN assignments are correct for IP phones and PoE devices.

Why the other options are wrong

B

The specific factual error is that the voice VLAN is set to VLAN 10 instead of VLAN 20, which contradicts the requirement that voice traffic uses VLAN 20.

C

The specific factual error is the failure to enable PoE on the interfaces, which is required for both the AP and IP phones to operate.

D

The specific factual error is the omission of the 'switchport voice vlan 20' command on the phone ports, leaving them without voice VLAN assignment.

219
MCQ · medium

A network engineer checks EtherChannel status on a switch and sees the following output:

Group  Port-channel  Protocol    Ports
------+-------------+---------+-----------------------------
1      Po1(SD)       LACP      Gi1/0/1(s)   Gi1/0/2(I)

What is the most likely reason the EtherChannel is not forwarding traffic?

A.The member interfaces have mismatched speed or duplex settings
B.The port channel is Layer 3 instead of Layer 2
C.At least one member interface is not bundled correctly, so the logical channel is down
D.LACP requires exactly four links to form a bundle
AnswerC

Correct. The logical EtherChannel is down because the physical members are not properly bundled. The status display is telling you that the switch did not build a working aggregated link, so the port-channel cannot carry traffic as intended.

Why this answer

The safest conclusion from this output is that the member interfaces are not successfully participating in the bundle, so the logical port-channel is down. Cisco exam questions often test whether you can read the status flags without overcommitting to a very specific root cause that the exhibit does not explicitly prove. One member is suspended and another is not bundled into the channel correctly, so the EtherChannel never reaches a healthy forwarding state.

In the real world, that can happen because of trunk mismatches, allowed VLAN mismatches, native VLAN problems, inconsistent channel-group settings, or negotiation issues. The key exam skill is recognizing that the bundle itself failed, not guessing one hidden configuration line that is not shown.

Exam trap

Avoid assuming the problem is due to physical layer issues like speed or duplex when the output suggests a configuration mismatch.

Why the other options are wrong

A

The output shows individual port statuses (s) and (I), which indicate LACP negotiation states, not speed/duplex mismatches. While speed/duplex mismatches can cause EtherChannel issues, the specific flags in the exhibit point to a bundling problem, not a mismatch.

B

A Layer 3 port-channel can function correctly if configured properly. The output does not indicate any Layer 2 vs Layer 3 mismatch; the problem is that the member interfaces are not successfully bundling into the logical channel, as shown by the (s) and (I) status flags.

D

LACP does not require exactly four links; it can form bundles with 2 to 8 active links (and up to 16 total with standby). The exhibit shows only two member ports, which is perfectly valid for an EtherChannel.

220
PBQ · hard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two links to SW2 configured as an EtherChannel using LACP. The EtherChannel is not coming up. Interface G0/2 was accidentally configured as an access port in VLAN 10, while G0/1 is configured as a trunk. The administrator wants to use LACP to bundle the links. Troubleshoot and fix the configuration to bring up the EtherChannel.

Hints

  • All interfaces in an EtherChannel must have identical configuration.
  • Check if the interfaces are in the same VLAN or trunk mode.
  • LACP active mode requires matching configurations on both ends.
A.Change interface G0/2 to trunk mode and ensure both interfaces have the same allowed VLAN list.
B.Change interface G0/1 to access VLAN 10 to match G0/2.
C.Remove the access VLAN configuration from G0/2 and leave it as a default switchport (dynamic desirable).
D.Change the EtherChannel mode from LACP to PAgP on both switches.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
no switchport access vlan 10
switchport mode trunk

Why this answer

The EtherChannel was down because interface G0/2 was an access port in VLAN 10, while G0/1 was a trunk. For LACP to bundle the links, all member interfaces must have the same configuration, including VLAN and trunk settings. Changing G0/2 to trunk mode resolved the issue.

Exam trap

Do not confuse the requirement for consistent interface configurations with the negotiation protocol. The most common cause of EtherChannel failure is mismatched VLAN or trunk settings, not the protocol (LACP vs PAgP). Always verify that all member ports have identical configurations.

Why the other options are wrong

B

The specific factual error is that changing G0/1 to access VLAN 10 would not resolve the mismatch when the intended configuration is trunking; it would only replace one mismatch with another, since the other side expects a trunk.

C

The specific factual error is that dynamic desirable mode does not ensure trunking; it relies on DTP negotiation, which may fail if the other side is set to trunk. Additionally, the VLAN mismatch (access vs trunk) would still prevent EtherChannel formation.

D

The specific factual error is that the protocol does not affect the requirement for consistent interface configurations. Both LACP and PAgP require identical VLAN and trunk settings on all member ports.

221
Multi-Select · medium

Which three of the following are true regarding the configuration and operation of a Cisco switch port in access mode? (Choose three.)

Select 3 answers
1. An access port belongs to a single VLAN and carries traffic for that VLAN only.
2. By default, all switch ports are in VLAN 1 unless explicitly changed.
3. The 'switchport mode access' command is required before assigning a VLAN to the port.
4. Voice VLAN can be configured on an access port to carry both data (native VLAN) and voice (voice VLAN) traffic.
5. An access port will drop any frames that are received with an 802.1Q tag.
6. The 'switchport access vlan' command automatically creates the VLAN if it does not already exist in the VLAN database.

Why this answer

An access port is configured to belong to a single VLAN and carries traffic for that VLAN only. By default, all switch ports are placed in VLAN 1. The 'switchport mode access' command is not strictly required before assigning a VLAN; however, for a port to operate as a dedicated access port, the command is necessary to prevent it from forming a trunk via DTP.

Option 5 is incorrect because an access port with a voice VLAN does accept tagged frames for the voice VLAN; it does not drop all tagged frames. Option 6 is incorrect because the 'switchport access vlan' command does not automatically create the VLAN; the VLAN must already exist in the VLAN database or be created manually.

Exam trap

Cisco often tests the misconception that assigning a VLAN to a port automatically puts it in access mode, but in reality, the port's mode must be explicitly set with 'switchport mode access' to prevent it from becoming a trunk via DTP.

222
Multi-Select · medium

Which TWO statements correctly describe aspects of interpreting packet capture output for Layer 2/3 troubleshooting using Wireshark or embedded packet capture on IOS-XE?

Select 2 answers
A. A DHCP Discover packet in a Wireshark capture shows a unicast destination MAC address to the DHCP server.
B. A large number of ARP requests for the same IP address in a packet capture suggests a possible Layer 3 connectivity issue, such as a missing default gateway.
C. A TCP SYN-ACK packet in a capture indicates that the three-way handshake failed and the destination is unreachable.
D. When using embedded packet capture on IOS-XE, you can capture packets on both ingress and egress directions to see if a router is dropping or modifying packets.
E. The TTL value in a captured IP packet always shows the original TTL set by the source host.
Answers: B, D

Repeated ARP requests for the same IP indicate that the device cannot resolve the MAC address, often because the destination is unreachable or the gateway is misconfigured.

Why this answer

Option B is correct because a large number of ARP requests for the same IP address indicates that the device is repeatedly trying to resolve the Layer 3 address to a Layer 2 MAC address, but no device is responding. This often happens when the target IP (e.g., the default gateway) is unreachable or misconfigured, pointing to a Layer 3 connectivity issue. Option D is correct because IOS-XE embedded packet capture supports both ingress and egress capture directions, allowing you to verify whether a router is dropping or modifying packets as they transit.

Option A is incorrect: DHCP Discover is broadcast, not unicast, because the client does not yet know the server’s MAC address. Option C is incorrect: a SYN-ACK is part of a successful three-way handshake (SYN, SYN-ACK, ACK) and indicates the server is reachable; if the handshake failed, you would see only SYN packets or RST packets. Option E is incorrect: the TTL value in a captured packet shows the current TTL after decrementing by each hop; the original TTL is not preserved in the packet.

Exam trap

Cisco often tests the distinction between broadcast and unicast in DHCP and ARP operations, and the trap here is that candidates may assume DHCP Discover is unicast to the server or that a SYN-ACK indicates failure, when in fact it confirms reachability.

Why the other options are wrong

A

DHCP Discover is always broadcast (destination FF:FF:FF:FF:FF:FF), not unicast, because the client does not know the DHCP server's MAC address.

C

A TCP SYN-ACK indicates the server received the SYN and is willing to establish the connection; it is part of a successful three-way handshake, not a failure.

E

The TTL in a captured packet is the value after decrementing at each hop; the original TTL is set by the source but is not preserved in the packet header.

223
PBQ · hard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via redundant links. All switches run IEEE 802.1D Spanning Tree Protocol. The network administrator wants SW1 to become the root bridge for VLAN 1. Currently, the root bridge is SW2. Configure SW1 to achieve this and ensure that port G0/1, which connects to an end device, immediately transitions to forwarding state upon link up and is protected from BPDU attacks.

Network Topology (diagram not reproduced): SW1 connected to SW2 and SW3 via redundant links; SW1 G0/1 to PC.

Hints

  • The 'root primary' macro sets the priority lower than any other switch.
  • PortFast allows a port to skip listening/learning states.
  • BPDU Guard err-disables the port if a BPDU is received.
A. Configure 'spanning-tree vlan 1 root primary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
B. Configure 'spanning-tree vlan 1 priority 4096' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree guard root'.
C. Configure 'spanning-tree vlan 1 root secondary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
D. Configure 'spanning-tree vlan 1 priority 32768' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpdufilter enable'.
Answer: A
Solution
! SW1
spanning-tree vlan 1 root primary
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The 'spanning-tree vlan 1 root primary' command reduces the bridge priority to 24576 (or lower) to ensure SW1 becomes root for VLAN 1. PortFast on G0/1 speeds up access port convergence, and BPDU Guard protects against rogue switches by disabling the port upon BPDU reception.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. Also, remember that BPDU Guard is for access port security, while Root Guard protects the root bridge position. BPDU Filter suppresses BPDUs and is not a security feature.

Why the other options are wrong

B

The specific factual error: 'spanning-tree guard root' is a root guard feature, not BPDU guard. Also, manually setting priority to 4096 may not guarantee root if another switch has lower priority.

C

The specific factual error: 'root secondary' is for a backup root, not the primary root. It sets the priority to 28672, which is lower than the default of 32768 but not low enough to become root if another switch has a lower priority.

D

The specific factual error: priority 32768 is default and does not change root status. BPDU filter is not a security feature against BPDU attacks; it suppresses BPDUs entirely.

224
Multi-Select · medium

Which of the following statements about VLAN configuration and trunking on a Cisco switch are correct? (Choose all that apply.)

Select 4 answers
1. The native VLAN on a trunk link is used for untagged traffic and should match on both ends of the link.
2. The default VLAN 1 cannot be deleted or removed from a switch.
3. A switchport configured as an access port can carry multiple VLANs.
4. Dynamic Trunking Protocol (DTP) can automatically negotiate trunking between two Cisco switches.
5. The 'switchport trunk allowed vlan' command can be used to restrict which VLANs are permitted on a trunk.
6. A trunk link can only carry VLANs that are globally created on the switch.

Why this answer

The native VLAN on a trunk carries untagged traffic, and mismatched native VLANs can cause spanning-tree issues, VLAN hopping, and misdirected control traffic, so both ends must match. VLAN 1 is a system-defined VLAN that cannot be deleted or shut down, making it always available. Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that can automatically negotiate trunk links when interfaces are set to desirable or auto.

The 'switchport trunk allowed vlan' command prunes VLANs on a trunk, restricting which VLANs are permitted. A trunk link forwards traffic only for VLANs that exist in the local VLAN database, so the statement that it can only carry globally created VLANs is correct. The incorrect option is that an access port can carry multiple VLANs; in reality, an access port is assigned to a single VLAN and cannot carry traffic for multiple VLANs like a trunk.

Exam trap

A common mistake is thinking an access port can carry multiple VLANs like a trunk, or that a trunk automatically forwards all VLANs without requiring them to be locally defined.

225
MCQ · hard

A switch receives superior BPDUs on a port where the design requires that no downstream device ever become the root path for that segment. Which feature is the best fit for that requirement?

A. Root guard
B. BPDU guard
C. Port security
D. DHCP snooping
Answer: A

This is correct because root guard prevents the port from becoming a root path when superior BPDUs appear.

Why this answer

Root guard is the best fit because it is designed to prevent a port from becoming the path toward a new root bridge when superior BPDUs are received. In practical terms, it protects the intended STP topology by keeping that port from taking on a root-related forwarding role when the design says it should not.

This is different from BPDU Guard, which is more commonly used on edge ports to disable them entirely if BPDUs appear. Root guard is about protecting topology roles, not just edge-port assumptions.

Exam trap

A common exam trap is selecting BPDU guard instead of root guard because both involve BPDU handling. BPDU guard disables a port immediately upon receiving any BPDU, which is suitable for edge ports but not for ports where topology control is required. Root guard, on the other hand, only blocks ports that receive superior BPDUs, allowing normal BPDUs from the current root bridge.

Confusing these features can lead to incorrect answers, as BPDU guard does not protect the root path role but rather protects against unauthorized devices on edge ports.

Why the other options are wrong

B

BPDU guard is incorrect because it disables a port upon receiving any BPDU, which is suitable for edge ports but does not control root path roles or topology changes.

C

Port security is unrelated to STP root path control; it manages MAC address access on a port and does not affect BPDU processing or root bridge election.

D

DHCP snooping protects against rogue DHCP servers by filtering DHCP messages and does not interact with STP or root bridge election mechanisms.
