CCNA Switching Questions

75 of 392 questions · Page 4/6 · Switching topic · Answers revealed

226 (MCQ, hard)

Refer to the exhibit. A network engineer notices packet loss and sluggish application performance on a branch-office uplink. While troubleshooting, the engineer executes the show interfaces GigabitEthernet0/1 command on the router. Based on the output, what is the most likely cause of the performance issue?

A. The interface is experiencing excessive collisions due to a duplex mismatch.
B. An upstream device is sending traffic at a rate higher than this interface can transmit, causing the output queue to overflow.
C. The interface is receiving corrupted frames, indicated by the zero input errors on the interface.
D. The output queue is full because its size is too small, and increasing the queue depth will resolve the packet loss.
Answer: B

The output queue is maxed (40/40) and output drops are very high (12450). The 5-minute output rate of 10 Mbps is far below the interface bandwidth of 100 Mbps, yet the queue is overflowing, which indicates microbursts from a faster upstream link overwhelming the slower interface. This is the classic signature of a speed mismatch.

Why this answer

The exhibit shows 12,450 output drops and an output queue that is completely full (40/40). The interface is up, operating at 100 Mb/s full-duplex, and shows zero input errors or CRC errors, ruling out physical layer corruption. The high output drops with a maxed-out output queue typically indicate that an upstream device is transmitting at a rate that exceeds the interface’s egress capacity, causing tail drops.

This is a classic symptom of a speed mismatch where, for example, a distribution switch is forwarding traffic at 1 Gbps toward a 100 Mbps uplink.

Exam trap

Candidates often try to increase the output queue size or enable QoS queuing (option D) to absorb bursts, but increasing the queue does not fix the underlying speed mismatch and can introduce excessive bufferbloat, worsening latency. The correct root cause is a mismatch in forwarding rates between the upstream device and the local interface.

Why the other options are wrong

A

Candidates sometimes associate packet loss with duplex mismatches, but a duplex mismatch would also show collisions and typically input errors, both of which are zero here.

C

Zero input errors means there are no physical-layer receive problems. Option C treats the absence of input errors as evidence of corrupted frames, which is self-contradictory: corrupted frames would increment the input error or CRC counters.

D

Increasing the queue size is a common workaround that masks the real problem, but the underlying mismatch in forwarding rates remains. CCNA candidates may incorrectly focus on the queue size rather than the relationship between the 100 Mb/s interface speed and a faster upstream sender.

227 (MCQ, medium)

A switchport should automatically disable itself if too many MAC addresses are learned beyond the configured secure limit. Which port-security violation mode causes that behavior?

A. shutdown
B. protect
C. restrict
D. dynamic
Answer: A

This is correct because shutdown mode places the port into an error-disabled state when a violation occurs.

Why this answer

Shutdown is the violation mode that error-disables the port. In plain language, when the switch sees a port-security violation under shutdown mode, it reacts by taking the interface out of service rather than simply dropping frames quietly. That behavior is useful when the administrator wants a clear and strong response to unauthorized devices.

This matters because port security has several violation modes and they do not behave the same way. Restrict and protect can keep the interface up, while shutdown is the mode associated with the most visible response.

Exam trap

Be aware that not all port-security violation modes disable the port. Only shutdown mode does this; protect and restrict keep the port up and drop the offending frames.

Why the other options are wrong

B

The 'protect' mode does not disable the port when the secure MAC address limit is exceeded; instead, it drops packets from unknown MAC addresses without generating a notification. This behavior does not match the requirement of the question.

C

The 'restrict' mode allows traffic to pass but drops packets from unknown MAC addresses, without disabling the port. This does not meet the requirement of automatically disabling the port when the MAC address limit is exceeded.

D

The 'dynamic' option is incorrect because it does not refer to a specific port-security violation mode that disables the port when the MAC address limit is exceeded. Instead, it implies the dynamic learning of MAC addresses without enforcing a security limit.

228 (MCQ, hard)

A user can connect to the employee SSID and receive the correct employee IP subnet, but access to one internal application fails only for that WLAN while wired users succeed. Which troubleshooting area is the strongest first focus?

A. A WLAN-specific policy or filtering rule affecting access to that application
B. The SSID broadcast setting
C. Whether the access point has a valid hostname
D. Whether the client is using PPP instead of Ethernet
Answer: A

This is correct because the failure is selective by WLAN and application, not a total connectivity problem.

Why this answer

The strongest first focus is the policy or filtering path specific to that WLAN or traffic class. In practical terms, the user has already shown that the correct WLAN join, authentication, and subnet assignment are working. Because wired users succeed and only one application fails from that WLAN, the most likely issue is a WLAN-specific policy, ACL, firewall rule, or path treatment affecting that application.

This is a realistic selective-access troubleshooting scenario and tests whether the candidate narrows the fault domain correctly.

Exam trap

Avoid assuming the problem is with the user's device or general network settings when the issue is isolated to a specific WLAN.

Why the other options are wrong

B

The SSID broadcast setting does not directly impact the ability of users to connect to an internal application once they are authenticated and assigned an IP address. Since wired users can access the application, the issue is likely related to WLAN-specific configurations rather than SSID visibility.

C

The access point's hostname does not directly impact application access; it primarily affects network identification and management. Since the issue is specific to WLAN access and not present for wired users, the hostname is unlikely to be the cause.

D

This option is wrong because the issue pertains to application access over a specific WLAN, not the type of connection (PPP vs. Ethernet). The problem likely lies in WLAN configuration rather than the protocol used by the client device.

229 (MCQ, medium)

A phone and a PC are attached to the same switchport. The intended data VLAN is VLAN 10, and the phone uses voice VLAN 20. The switchport currently has `switchport voice vlan 20` configured. The phone works, but the PC cannot reach the data network. Which command is most likely missing?

A. switchport mode dynamic auto
B. switchport voice vlan 20
C. switchport access vlan 10
D. spanning-tree guard root
Answer: C

The PC needs the correct data VLAN assignment on the access side.

Why this answer

When a Cisco IP phone and a PC share one port, the switchport often needs both a data VLAN and a voice VLAN. If the voice VLAN exists but the data access VLAN is wrong or missing, the phone can work while the PC fails.

Exam trap

Ensure both data and voice VLANs are configured when devices share a port. Don't confuse duplex or trunk settings with VLAN issues.

Why the other options are wrong

A

The phone works but the PC cannot reach the data network, indicating the PC is not in the correct VLAN. 'switchport mode dynamic auto' sets the port to negotiate trunking via DTP, which does not assign a data VLAN to the PC.

B

The PC cannot reach the data network because the switchport is likely configured as a voice VLAN only, but the data VLAN (access VLAN) is missing. Option B configures the voice VLAN, which is correct for the phone, but does not set the access VLAN for the PC.

D

The issue is that the PC cannot reach the data network, which is typically configured via the access VLAN. Spanning-tree guard root is unrelated to VLAN assignment; it prevents a switch from becoming the root bridge, not connectivity issues on a specific VLAN.

230 (MCQ, medium)

Two switches are connected with EtherChannel using LACP. One side is configured with mode active and the other side with mode passive. What happens?

A. The channel forms successfully
B. The channel stays down because both sides must be active
C. The channel forms only if PAgP is also enabled
D. The channel becomes a static Port-Channel
Answer: A

Active initiates and passive responds.

Why this answer

LACP forms an EtherChannel when at least one side actively negotiates. Active plus passive is a valid combination, so the bundle comes up if the physical settings match.

Exam trap

A frequent exam trap is believing that both sides of an LACP EtherChannel must be configured in active mode for the channel to form. This misconception leads to the incorrect assumption that active-passive combinations will fail. In reality, LACP requires only one side to be active to initiate negotiation, while the other side can be passive and respond.

Another trap is confusing LACP with PAgP, expecting that enabling PAgP alongside LACP will help form the channel, which is false because these protocols are incompatible. Understanding these nuances prevents misinterpretation of EtherChannel negotiation behavior on the exam.

Why the other options are wrong

B

This option is incorrect because both sides do not need to be active. One side active and the other passive is sufficient for LACP negotiation and channel formation.

C

This option is incorrect because PAgP is a different, Cisco proprietary protocol and does not work alongside LACP. Enabling PAgP does not affect LACP negotiation.

D

This option is incorrect because configuring one side as active and the other as passive uses LACP negotiation, not a static Port-Channel. Static Port-Channels require manual configuration on both ends without negotiation.

231 (MCQ, hard)

Two switches are connected using four Gigabit Ethernet interfaces configured as an EtherChannel with LACP. The network administrator notices that only two of the four interfaces are active in the port-channel, and the other two are in a suspended state. Upon further investigation, the administrator finds that the two inactive interfaces correspond to remote interfaces that are configured with the 'on' mode, while the active ones correspond to remote interfaces configured with LACP active/passive. The administrator also verifies that all local interfaces have the same speed, duplex, and VLAN. What is the most likely cause of the suspended interfaces?

A. The interfaces are in err-disabled state due to a spanning-tree loop.
B. The remote switch interfaces corresponding to the suspended local interfaces are configured with the 'on' mode instead of 'active' or 'passive' for LACP.
C. The port-channel interface is shutdown.
D. There is a mismatch in the allowed VLANs on the member interfaces.
Answer: B

When one switch has LACP active/passive and the other has 'on' (static), LACP negotiation fails, and the ports become suspended. Changing the remote switch to 'active' or 'passive' allows LACP to negotiate and bundle the ports.

Why this answer

LACP requires both ends of a link to be configured in either 'active' or 'passive' mode to negotiate an EtherChannel. If some remote interfaces are set to 'on' mode (static EtherChannel), LACP negotiation fails on those links, causing the corresponding local LACP-enabled interfaces to remain in a suspended state. The local switch detects that LACP PDUs are not received on those interfaces and suspends them to prevent misconfiguration.

The other two interfaces with correctly configured remote peers form the EtherChannel successfully.

Exam trap

Cisco often tests the misconception that all interfaces must match in speed, duplex, and VLAN to form an EtherChannel, but the trap here is that the LACP mode mismatch (active/passive vs. on) is the specific cause of suspended interfaces even when other parameters are consistent.

Why the other options are wrong

A

The exhibit shows the ports as suspended, not err-disabled. Spanning-tree loops typically cause err-disable, not suspension.

C

The port-channel is shown as up (the U flag in 'show etherchannel summary'), so it has not been shut down.

D

The scenario explicitly states that all interfaces are configured with the same VLAN, so this is not the cause.

232 (PBQ, medium)

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via trunk links. The network administrator wants to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Currently, SW2 is the root for both VLANs. Configure SW1 to become the root bridge for these VLANs using the Cisco-recommended macro STP commands.

Network Topology
SW2 <-trunk-> SW1 <-trunk-> SW3

Hints

  • Use the 'root primary' macro to set the bridge priority to 24576.
  • Ensure VLANs 10 and 20 exist on SW1.
A. spanning-tree vlan 10 root primary; spanning-tree vlan 20 root primary
B. spanning-tree vlan 10 root secondary; spanning-tree vlan 20 root secondary
C. spanning-tree vlan 10 priority 4096; spanning-tree vlan 20 priority 4096
D. spanning-tree vlan 10 root; spanning-tree vlan 20 root
Answer: A
Solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The 'spanning-tree vlan <vlan> root primary' command is the Cisco-recommended macro that sets the bridge priority to 24576, which is lower than the default 32768, making SW1 the root bridge for those VLANs. Option A correctly uses this macro. Option C, while it could achieve the same goal by setting priority to 4096, is not the macro command and would be considered a static configuration; the question specifically asks for the appropriate macro commands.

Option B sets priority to 28672 as a secondary root, and Option D is invalid syntax.

Exam trap

Do not confuse 'root primary' with 'root secondary'. 'root primary' sets priority to 24576 to become root; 'root secondary' sets priority to 28672 to act as backup. Also, remember that the 'root' keyword must be followed by 'primary' or 'secondary'.

Why the other options are wrong

B

Option B uses 'root secondary', which sets the priority to 28672, making SW1 a backup root, not the primary root bridge.

C

Option C uses a static priority assignment of 4096, which would also make SW1 root, but the question expects the Cisco-recommended macro command 'root primary'.

D

Option D uses incomplete syntax 'spanning-tree vlan 10 root' without 'primary' or 'secondary', which is invalid.

233 (PBQ, hard)

You are connected to a multilayer switch MLS1. Configure Root Guard on switchport GigabitEthernet 0/1 (connected to an unauthorized switch) so that if a superior BPDU is received, the port is blocked instead of causing a topology change. Also enable Loop Guard on uplink GigabitEthernet 0/2 (connected to the root bridge) to prevent unidirectional link issues. Finally, enable BPDU Guard on PortFast-enabled access port GigabitEthernet 0/3 (connected to a host) so that if a BPDU is received, the port goes err-disabled. After configuration, a superior BPDU is received on G0/1 and the port is blocked; a BPDU is received on G0/3 and the port goes err-disabled. Verify these protections are active.

Hints

  • Root Guard is configured per interface under interface configuration mode using 'spanning-tree guard root'.
  • Loop Guard is configured per interface using 'spanning-tree guard loop'.
  • BPDU Guard is enabled on PortFast ports with 'spanning-tree bpduguard enable'.
A. Root Guard on G0/1, Loop Guard on G0/2, BPDU Guard on G0/3
B. Root Guard on G0/1, UplinkFast on G0/2, BPDU Guard on G0/3
C. BPDU Guard on G0/1, Loop Guard on G0/2, Root Guard on G0/3
D. Root Guard on G0/1, Loop Guard on G0/2, PortFast on G0/3
Answer: A
Solution
! MLS1
interface GigabitEthernet0/1
 spanning-tree guard root
interface GigabitEthernet0/2
 spanning-tree guard loop
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard enable

Why this answer

Root Guard was correctly configured on G0/1, so when a superior BPDU arrived, the port entered the root-inconsistent state instead of becoming the root port. Loop Guard on G0/2 prevents the alternate port from becoming the root port if BPDUs stop arriving. BPDU Guard on G0/3 correctly triggered err-disable upon receiving a BPDU on a PortFast port.

To restore G0/3, use 'shutdown' then 'no shutdown' after removing the BPDU source. Verification commands confirm the protections are working.

Exam trap

Trap: Mixing up which protection goes where. Root Guard is for ports that should never become root (e.g., facing unauthorized switches). Loop Guard is for ports that are alternate or root ports (uplinks).

BPDU Guard is for PortFast-enabled access ports. Also, remember that BPDU Guard triggers err-disable, while Root Guard triggers root-inconsistent (blocking) state.

Why the other options are wrong

B

UplinkFast is not designed to detect or prevent unidirectional links; it only accelerates failover.

C

The protections are applied to the wrong ports: BPDU Guard should be on access ports, Root Guard on ports facing potential rogue switches, and Loop Guard on uplinks.

D

PortFast does not prevent BPDU reception; it only skips the listening and learning states. Without BPDU Guard, the port would still process BPDUs and could become a root port.

234 (PBQ, easy)

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to multiple PCs. The network administrator wants to implement port security on port G0/1 to allow only one MAC address and to shut down the port if a violation occurs. Additionally, the administrator wants the MAC address to be learned dynamically and added to the running configuration as sticky. Configure port security on G0/1 accordingly.

Network Topology
PC1 <-> G0/1 SW1

Hints

  • Port security must be enabled on the interface first.
  • Sticky MAC automatically adds learned MAC addresses to the running config.
  • The violation mode 'shutdown' places the port in err-disabled state.
A. SW1(config)# interface G0/1; SW1(config-if)# switchport port-security; SW1(config-if)# switchport port-security maximum 1; SW1(config-if)# switchport port-security mac-address sticky; SW1(config-if)# switchport port-security violation shutdown
B. SW1(config)# interface G0/1; SW1(config-if)# switchport port-security; SW1(config-if)# switchport port-security maximum 1; SW1(config-if)# switchport port-security mac-address sticky; SW1(config-if)# switchport port-security violation protect
C. SW1(config)# interface G0/1; SW1(config-if)# switchport port-security; SW1(config-if)# switchport port-security maximum 1; SW1(config-if)# switchport port-security mac-address 0000.1111.2222; SW1(config-if)# switchport port-security violation shutdown
D. SW1(config)# interface G0/1; SW1(config-if)# switchport port-security; SW1(config-if)# switchport port-security maximum 1; SW1(config-if)# switchport port-security mac-address sticky; SW1(config-if)# switchport port-security violation restrict
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky

Why this answer

Port security restricts access by limiting MAC addresses. With sticky learning, the first dynamically learned MAC is saved to the config. If another MAC attempts to connect, the port shuts down, preventing unauthorized access.

Exam trap

Pay close attention to the specific violation modes: 'shutdown' disables the port, 'restrict' drops frames and logs, 'protect' drops frames silently. Also, distinguish between static MAC assignment and sticky learning: sticky uses the 'mac-address sticky' command, not a manual MAC address.

Why the other options are wrong

B

The violation mode 'protect' silently drops frames from unknown MACs without disabling the port, which contradicts the requirement to shut down the port.

C

The 'mac-address' command with a specific address statically assigns that MAC, which is not dynamic. Sticky learning uses the 'mac-address sticky' command to dynamically learn and save the first MAC.

D

The 'restrict' mode does not disable the port; it only drops offending frames and logs the violation. The requirement explicitly states to shut down the port, which requires the 'shutdown' violation mode.

235 (PBQ, hard)

You are connected to Switch1. Configure an LACP EtherChannel between Switch1 and Switch2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The channel must be in active mode on both sides, and the port-channel interface must have VLAN 10 as the access VLAN. The current configuration has a speed/duplex mismatch and inconsistent VLAN assignments preventing the channel from forming. Verify the channel is up using 'show etherchannel summary'.

Network Topology
Switch1 Gi0/1 <-EtherChannel-> Gi0/1 Switch2

Hints

  • Check that all member interfaces have the same speed and duplex settings.
  • Ensure all interfaces (including the port-channel) are in the same VLAN.
  • Both sides must use LACP active mode for the channel to form.
A. Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/2 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on both interfaces.
B. Set speed 1000 on Gi0/1, set duplex full on Gi0/1, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode passive on both interfaces.
C. Set speed 100 on Gi0/2, set duplex half on Gi0/2, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode desirable on both interfaces.
D. Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/1 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on Gi0/1 and passive on Gi0/2.
Answer: A
Solution
! Switch1
interface gigabitethernet0/1
 speed auto
 duplex auto
 channel-group 1 mode active
 exit
interface gigabitethernet0/2
 speed auto
 duplex auto
 switchport access vlan 10
 channel-group 1 mode active
 exit
interface port-channel 1
 switchport access vlan 10
end

Why this answer

The EtherChannel is not forming due to three issues: (1) Speed mismatch: Gi0/1 is set to 100 Mbps while Gi0/2 is 1000 Mbps; both must match (e.g., auto). (2) Duplex mismatch: Gi0/1 is half-duplex, Gi0/2 is full-duplex; both must be the same (e.g., full). (3) VLAN mismatch: Gi0/1 is in VLAN 10, Gi0/2 in VLAN 20, and Port-channel1 is in VLAN 1; all access VLANs must be consistent (set to VLAN 10). Additionally, the channel-group mode should be 'active' on both interfaces for LACP. The solution involves setting speed and duplex to auto, changing the access VLAN on Gi0/2 and the port-channel to VLAN 10, and setting channel-group mode to active.

Exam trap

The exam trap here is that candidates may focus only on resolving the speed/duplex and VLAN mismatches but forget to check the LACP mode requirement. Also, they might confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Always verify that the mode matches the protocol and the requirement.

Why the other options are wrong

B

Passive mode on both sides will not form an LACP EtherChannel because neither side initiates negotiation; at least one side must be active.

C

'desirable' is a PAgP mode; LACP uses 'active' or 'passive'. Using 'desirable' would not form an LACP EtherChannel.

D

The requirement explicitly states 'active mode on both sides', so setting one side to passive violates the requirement, even though the channel might still form.

236 (MCQ, hard)

An EtherChannel between two switches is configured for LACP. One switch shows the member interfaces as bundled, while the other shows them as individual interfaces. Which explanation is most likely if both sides are using LACP?

A. The member interface settings do not match closely enough for bundling, even though both sides use LACP.
B. LACP always requires one side to use PAgP as a backup.
C. EtherChannel cannot operate on switch trunks.
D. One switch must disable STP before EtherChannel can form.
Answer: A

This is correct because EtherChannel depends on compatible member settings as well as the protocol.

Why this answer

The most likely explanation is that some other interface settings do not match, even though both sides are using the same EtherChannel protocol. In practical terms, LACP alone is not enough. The candidate member interfaces also need to agree on characteristics such as speed, duplex, switchport mode, allowed VLANs where relevant, and other channel-related settings. If they do not, one side may treat the links as separate instead of bundling them.

This is a common troubleshooting pattern because it tests whether you know that EtherChannel success depends on more than just the negotiation protocol name.

Exam trap

Don't assume LACP alone ensures bundling; check all interface settings for consistency.

Why the other options are wrong

B

This option is incorrect because LACP (Link Aggregation Control Protocol) does not require PAgP (Port Aggregation Protocol) as a backup; they are separate protocols. LACP can operate independently without needing PAgP on either side of the EtherChannel.

C

This option is incorrect because EtherChannel can indeed operate on switch trunks, allowing multiple VLANs to be carried over a single logical link. The issue in the question pertains to LACP configuration mismatches, not trunking capabilities.

D

This option is incorrect because Spanning Tree Protocol (STP) does not need to be disabled for EtherChannel to form; EtherChannel can operate alongside STP. Disabling STP can lead to network loops and is not a requirement for EtherChannel functionality.

237 (MCQ, hard)

Exhibit: SW2 receives superior BPDUs on both uplinks. One uplink becomes the root port and the other becomes alternate. Which factor is considered first when SW2 chooses the root port?

A. Lowest local interface MAC address
B. Lowest root path cost
C. Highest duplex setting
D. Lowest configured VLAN number
Answer: B

That is the first major comparison.

Why this answer

STP chooses the best path to the root bridge based first on the lowest root path cost. If the cost ties, it then checks the sender bridge ID and sender port ID as tie-breakers.

Exam trap

Remember that STP prioritizes root path cost first, not bridge or port IDs. Misunderstanding the order of evaluation can lead to incorrect answers.

Why the other options are wrong

A

This option is wrong because the selection of the root port is based on the lowest root path cost, not the local interface MAC address. The MAC address is not a factor in determining the root port in the Spanning Tree Protocol (STP) process.

C

This option is wrong because the selection of the root port in Spanning Tree Protocol (STP) is based on the lowest root path cost, not the duplex settings of the interfaces. Duplex settings do not influence the port selection process in STP.

D

The lowest configured VLAN number is not a factor in determining the root port in Spanning Tree Protocol (STP). The selection process prioritizes path cost, not VLAN configuration.

238 (Drag & Drop, medium)

Drag and drop the following steps into the correct order to configure and recover from a BPDU guard violation on a PortFast-enabled access port.


Why this order

PortFast and BPDU guard are configured first; violation is induced; recovery requires an interface shutdown/no shutdown; verification confirms the fix.

Exam trap

The trap is that candidates may confuse the order of configuration, violation, recovery, and verification. Remember that configuration always comes first, then the event, then recovery, then verification.

239 (PBQ, hard)

You are connected to a multilayer switch MLS1. Configure it so that IP phones connected to FastEthernet 0/1 and FastEthernet 0/2 use voice VLAN 20 and receive power via PoE. Additionally, FastEthernet 0/3 must be configured as an access port for a wireless access point (AP) on VLAN 30, with PoE enabled. Verify your configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • Voice VLAN is configured on the access port interface, not globally.
  • The command 'switchport voice vlan <vlan-id>' does not change the access VLAN; it adds a separate VLAN for voice traffic.
  • PoE is already enabled by default with 'power inline auto' — verify it is not disabled.
A. Configure 'switchport voice vlan 20' on Fa0/1 and Fa0/2; ensure PoE is enabled (auto) on all three ports.
B. Configure 'switchport mode trunk' on Fa0/1 and Fa0/2, and set the native VLAN to 20; enable PoE on Fa0/3.
C. Configure 'switchport access vlan 20' on Fa0/1 and Fa0/2, and 'switchport voice vlan 30' on Fa0/3; enable PoE globally.
D. Configure 'power inline never' on Fa0/1 and Fa0/2, and 'switchport voice vlan 20' on Fa0/3; ensure Fa0/3 is in trunk mode.
Answer: A
Solution
! MLS1
interface FastEthernet0/1
 switchport voice vlan 20
 exit
interface FastEthernet0/2
 switchport voice vlan 20
 exit

Why this answer

The switch ports Fa0/1 and Fa0/2 are currently configured as access ports on VLAN 10, with no voice VLAN. To support IP phones, you must configure a voice VLAN (VLAN 20) on these interfaces. Additionally, PoE is already enabled (auto) but needs to remain active.

For Fa0/3, it is already an access port on VLAN 30, which is correct for an AP, but you must ensure PoE is enabled (it is). The missing configuration for Fa0/1 and Fa0/2 is the 'switchport voice vlan 20' command. After applying, verify using 'show interfaces switchport' to see the voice VLAN set, and 'show power inline' to confirm PoE delivery.

Exam trap

The exam trap is that candidates may think they need to change the access VLAN to the voice VLAN, or that they need to configure trunk ports for IP phones. Remember that IP phones use a special access port configuration with a separate voice VLAN. Also, PoE is enabled by default; do not disable it.

Why the other options are wrong

B

IP phones connect to access ports with a voice VLAN, not trunk ports. The native VLAN concept is misapplied here.

C

Changing the access VLAN to 20 would place the PC on the voice VLAN, which is wrong. The AP does not need a voice VLAN. PoE is configured per interface, not globally.

D

Disabling PoE on IP phone ports prevents them from powering on. The voice VLAN is applied to the wrong interface. Trunk mode is unnecessary for an AP.

240 (MCQ, medium)

Which spanning-tree port role receives the best BPDU toward the root bridge on a nonroot switch?

A. Designated port
B. Alternate port
C. Root port
D. Disabled port
Answer: C

Correct. The root port points toward the root bridge.

Why this answer

The root port is the port on a nonroot switch with the lowest path cost to the root bridge.

Exam trap

Be careful not to confuse port roles. Remember, the root port is specifically for receiving the best BPDU toward the root bridge, not for forwarding or redundancy.

Why the other options are wrong

A

The designated port is responsible for forwarding traffic to and from a network segment and does not receive the best BPDU toward the root bridge; instead, it sends BPDUs to other ports. Therefore, it cannot be the correct answer for identifying the port role that receives the best BPDU on a nonroot switch.

B

The alternate port does not receive the best BPDU toward the root bridge; instead, it serves as a backup path to the root bridge when the primary path fails. It is in a blocking state and does not forward traffic.

D

A Disabled port does not participate in the Spanning Tree Protocol (STP) and does not receive any BPDUs, making it incapable of receiving the best BPDU toward the root bridge.

241
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk link G0/1. R1 performs inter-VLAN routing using subinterfaces. VLANs 10, 20, and 30 exist on SW1. Hosts in VLAN 10 (192.168.10.0/24) can ping R1's subinterface, but cannot communicate with hosts in VLAN 20. You suspect the trunk is not allowing VLAN 20 traffic.

Network Topology (diagram): R1 G0/0.10 (192.168.10.1) connected over a trunk to SW1 G0/1.

Hints

  • Check which VLANs are allowed on the trunk.
  • The 'allowed vlan' command can be used to add or remove VLANs.
  • Verify that VLAN 20 exists on the switch.

A. Configure 'switchport trunk allowed vlan add 20' on SW1's G0/1 interface.
B. Configure 'switchport mode access' on SW1's G0/1 interface.
C. Configure 'switchport trunk native vlan 20' on SW1's G0/1 interface.
D. Configure 'switchport trunk allowed vlan except 20' on SW1's G0/1 interface.
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport trunk allowed vlan add 20

Why this answer

Trunks carry traffic for multiple VLANs. The 'switchport trunk allowed vlan' command restricts which VLANs are permitted. Initially, VLAN 20 was not in the allowed list, so traffic was dropped.

Adding VLAN 20 to the allowed list resolves the issue.

Exam trap

Be careful with the syntax of 'switchport trunk allowed vlan'. The 'add' keyword is necessary to include a VLAN without removing others; omitting 'add' replaces the entire list. Also, 'except' excludes the specified VLAN, which is the opposite of what you want.

Why the other options are wrong

B

Access mode carries only a single VLAN, so it would stop inter-VLAN routing entirely.

C

The native VLAN is for untagged frames; changing it does not add VLAN 20 to the allowed list.

D

The 'except' keyword excludes the specified VLAN, so it would prevent VLAN 20 from being carried.

242
PBQ (medium)

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). A router R1 is connected to port G0/1 on SW1 for inter-VLAN routing. Currently, the router is not routing between VLANs because the trunk is not configured correctly. Configure the switch port as a trunk and ensure the router can route between VLANs using subinterfaces (Router-on-a-Stick).

Network Topology (diagram): R1 G0/0 connected to SW1 G0/1.

Hints

  • The router expects a trunk link to carry multiple VLANs.
  • Allowed VLAN list must include only the VLANs that need routing.
  • The switch port must be in trunk mode, not access.

A. Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 10 and 20.
B. Configure the switch port as an access port in VLAN 10 and add VLAN 20 as a secondary VLAN.
C. Configure the switch port as a trunk with ISL encapsulation and allow all VLANs.
D. Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 1, 10, and 20.
Answer: A
Solution
! SW1
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

Why this answer

The switch port was in access mode, which only carries one VLAN. Changing it to trunk with 802.1Q encapsulation allows multiple VLANs to traverse to the router. The allowed VLAN list restricts to VLANs 10 and 20 for security.

Exam trap

The trap is that candidates may confuse trunking with access ports, use outdated encapsulation (ISL), or include unnecessary VLANs like VLAN 1. Always remember that for Router-on-a-Stick, the switch port must be a trunk with 802.1Q and only allow the required VLANs.

Why the other options are wrong

B

Access ports cannot carry multiple VLANs; they are assigned to a single VLAN. The concept of secondary VLAN does not exist for access ports.

C

ISL encapsulation is deprecated in favor of 802.1Q, which is the industry standard. Allowing all VLANs violates the principle of least privilege.

D

Including VLAN 1 is unnecessary and can be a security concern. The allowed VLAN list should be restricted to only the VLANs that need to be routed.

243
Drag & Drop (medium)

Drag and drop the following steps into the correct order to configure spanning-tree protection features including BPDU Guard, Root Guard, and Loop Guard on a Cisco switch.


Why this order

The correct order is:
  1. Identify edge ports connected to end devices.
  2. Configure spanning-tree portfast on those interfaces.
  3. Enable BPDU Guard using the spanning-tree portfast bpduguard default global command.
  4. Identify ports connected to other switches that should never become the root bridge.
  5. Enable Root Guard on those interfaces with spanning-tree guard root.
  6. Identify point-to-point non-edge ports susceptible to unidirectional link failures.
  7. Enable Loop Guard on those interfaces with spanning-tree guard loop.

This sequence first secures edge ports with PortFast and BPDU Guard to prevent accidental network loops and BPDU-based attacks, then applies Root Guard on ports where a superior BPDU should never be received to protect the root bridge placement, and finally implements Loop Guard on non-edge point-to-point links to guard against unidirectional link failures that could cause bridging loops. Identifying the ports before applying configurations ensures proper placement of each protection mechanism.

244
Multi-Select (medium)

Which TWO of the following statements accurately describe the configuration and behavior of Root Guard, Loop Guard, and BPDU Guard in Rapid PVST+ environments?

Select 2 answers
A. Root Guard, when enabled on a port, prevents that port from becoming the root port by placing it in a root-inconsistent state if a superior BPDU is received.
B. Root Guard automatically shuts down the port when a superior BPDU is received, similar to BPDU Guard.
C. Loop Guard, when enabled, disables a port if BPDUs are no longer received on it, preventing a unidirectional link failure.
D. BPDU Guard, when enabled, puts the port in an errdisable state if a BPDU is received, which is typically used on access ports to prevent unauthorized switches from connecting.
E. BPDU Guard places the port in a blocking state (loop-inconsistent) when a BPDU is received, similar to Loop Guard.
Answers: A, D

Root Guard ensures the designated port does not become a root port. Upon receiving a superior BPDU, the port enters a root-inconsistent state, blocking traffic until the superior BPDUs stop.

Why this answer

Option A is correct because Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent (blocking) state upon receiving a superior BPDU, protecting the root bridge placement. Option D is correct because BPDU Guard errdisables a port upon receiving a BPDU, a feature typically applied to access ports to block unauthorized switches. Option B is wrong: Root Guard does not shut down the port; it places it in a blocked state, unlike BPDU Guard's errdisable action.

Option C is wrong: Loop Guard does not disable a port when BPDUs stop being received; instead, it moves the port to a loop-inconsistent (blocking) state to guard against unidirectional link failures. Option E is wrong: BPDU Guard errdisables ports, whereas the loop-inconsistent blocking state is used by Loop Guard or Root Guard, not BPDU Guard.

Exam trap

Cisco often tests the distinction between 'shutdown' (errdisable) and 'blocking' (inconsistent state) — candidates confuse BPDU Guard's errdisable behavior with Root Guard's or Loop Guard's blocking behavior, leading them to incorrectly select Option B.

Why the other options are wrong

B

Root Guard does not shut down the port; it places the port in a root-inconsistent state, which effectively blocks traffic but does not disable the port. BPDU Guard, on the other hand, errdisables the port.

C

Loop Guard does not disable the port; it places the port into a loop-inconsistent state, blocking traffic on that port until BPDUs are received again. The port remains administratively up.

E

BPDU Guard errdisables the port, not just blocks it. Loop Guard uses a loop-inconsistent state, which is different from errdisable. BPDU Guard is a more severe reaction.

245
MCQ (hard)

Exhibit: SW1 is configured for EtherChannel with LACP, but the bundle does not form. What is the most likely cause?

A. The interfaces should use PAgP instead of LACP on both ends
B. One side is using LACP and the other side is using a static EtherChannel mode
C. The links must be routed ports before EtherChannel can form
D. EtherChannel requires three or more member links
Answer: B

Mode active expects LACP, while mode on does not negotiate.

Why this answer

For an LACP EtherChannel to form, both sides must negotiate with LACP using active or passive mode. One side here is set to channel-group mode on, which creates a static channel and does not speak LACP. That mismatch prevents the bundle from forming.

Exam trap

Ensure both sides of the EtherChannel are set to negotiate with LACP; avoid static channel settings.

Why the other options are wrong

A

This option is incorrect because the question specifies that LACP is being used, which is incompatible with PAgP. EtherChannel can operate with either LACP or PAgP, but not both simultaneously.

C

This option is wrong because EtherChannel can form with access ports or trunk ports, and there is no requirement for the interfaces to be routed ports for EtherChannel to function.

D

EtherChannel can function with as few as two member links; therefore, requiring three or more member links is not a valid reason for the bundle not forming in this scenario.

246
PBQ (hard)

You are connected to a multilayer switch MLS1. The network has two other switches: SW2 and SW3. The interface GigabitEthernet0/1 already has PortFast and BPDU Guard enabled. Configure MLS1 as the root bridge for VLAN 10 and VLAN 20 using the root primary command. After configuration, verify that the interface is not in err-disabled state and that the root bridge role is correctly assigned.

Network Topology (diagram): MLS1 (multilayer switch) with interfaces Gi0/1, Gi0/2 and Gi0/3; attached devices PC, SW2 and SW3.

Hints

  • Use spanning-tree vlan root primary to set the switch as root for specified VLANs.
  • Verify with show spanning-tree vlan <vlan> to confirm root bridge priority is 24576.
  • Check interface status with show interfaces gigabitethernet 0/1 status to ensure it is not err-disabled.

A. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
B. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root secondary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
C. Configure 'spanning-tree vlan 10 priority 4096' and 'spanning-tree vlan 20 priority 4096' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
D. Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Then configure 'spanning-tree portfast default' and 'spanning-tree bpduguard default' globally. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
Answer: A
Solution
! MLS1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The interface Gi0/1 already has PortFast and BPDU Guard configured, so no additional configuration is needed for that step. Using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' sets the priority to 24576, ensuring MLS1 becomes root for both VLANs. Verify with 'show spanning-tree vlan 10' to see the priority changed and 'show interfaces gigabitEthernet0/1 status' to confirm the port is not err-disabled.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. The 'root primary' command automatically sets the priority to 24576, which is the recommended value. Also, avoid adding unnecessary global commands when the interface already has the required features configured.

Why the other options are wrong

B

Using 'root secondary' for VLAN 20 sets the priority to 28672, leaving MLS1 as the backup root, not the primary root.

C

Manually setting the priority to 4096 is valid but not the recommended method; 'root primary' is simpler and ensures the proper value.

D

Global portfast and bpduguard are not required because the interface is already configured with those features; this adds unnecessary commands.

247
PBQ (hard)

You are connected to R1, a multilayer switch with three directly connected switches. Configure Root Guard on the designated port to prevent an unauthorized switch from becoming root. Configure Loop Guard on the uplink to protect against unidirectional links. Configure BPDU Guard on all PortFast-enabled ports. Troubleshoot the scenario where a port receives a superior BPDU and is blocked by Root Guard, and another port goes err-disabled after BPDU Guard triggers.

Network Topology (diagram): R1 with interfaces Gi0/0 (10.0.0.0/30), Gi0/1, Gi0/2 and Gi0/3; neighbors R2, SwitchA, SwitchB and SwitchC.

Hints

  • Root Guard is configured per interface with 'spanning-tree guard root'.
  • Loop Guard is configured per interface with 'spanning-tree guard loop'.
  • BPDU Guard can be enabled per PortFast port with 'spanning-tree bpduguard enable'.

A. Configure Root Guard on Gi0/2, Loop Guard on Gi0/2, and BPDU Guard on Gi0/1 and Gi0/3.
B. Configure Root Guard on Gi0/1 and Gi0/3, Loop Guard on Gi0/2, and BPDU Guard on Gi0/2.
C. Configure Root Guard on Gi0/1, Loop Guard on Gi0/3, and BPDU Guard on Gi0/2.
D. Configure Root Guard on Gi0/3, Loop Guard on Gi0/1, and BPDU Guard on Gi0/2.
Answer: A
Solution
! R1
interface GigabitEthernet0/2
spanning-tree guard root
spanning-tree guard loop
exit
interface GigabitEthernet0/1
spanning-tree bpduguard enable
exit
interface GigabitEthernet0/3
spanning-tree bpduguard enable
exit

Why this answer

The scenario requires three STP protection features. Root Guard should be applied on designated port Gi0/2 (uplink) to prevent an external switch from becoming root if it sends superior BPDUs. Loop Guard should be applied on the same uplink to protect against unidirectional link failure.

BPDU Guard must be enabled on all PortFast ports (Gi0/1 and Gi0/3) to immediately err-disable them if a BPDU is received. After configuration, if a superior BPDU arrives on Gi0/2, Root Guard will block it (root-inconsistent state). If a BPDU arrives on Gi0/1 or Gi0/3, BPDU Guard will put the port in err-disable state, requiring manual or automatic recovery.

Exam trap

Candidates often confuse where to apply each STP feature. Remember: Root Guard on designated ports (uplinks), Loop Guard on root or alternate ports (uplinks), BPDU Guard on PortFast ports (access ports). Also, Root Guard and Loop Guard can be applied on the same port, but BPDU Guard is exclusive to PortFast.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to access ports does not prevent an external switch from becoming root via the uplink. BPDU Guard on an uplink would err-disable it unnecessarily.

C

Root Guard on an access port does not protect against superior BPDUs from an external switch on the uplink. Loop Guard on an access port is unnecessary as unidirectional links typically affect trunk links.

D

Root Guard on an access port does not prevent an external switch from becoming root via the uplink. Loop Guard on an access port is not standard practice. BPDU Guard on the uplink would cause unnecessary err-disable.

248
MCQ (hard)

A switchport on one side of a link is configured as a trunk, but the peer side is configured as an access port. What is the most likely result?

A. The link roles are mismatched, so VLAN traffic will not be handled as intended.
B. The access side automatically becomes a routed port.
C. Both switches automatically synchronize their switchport settings.
D. The mismatch forces OSPF to change router IDs.
Answer: A

This is correct because trunk/access disagreement creates a logical mismatch.

Why this answer

The most likely result is a logical mismatch that prevents VLAN traffic from crossing the link as intended. In practical terms, one side is trying to carry multiple VLANs with tagging behavior, while the other side is treating the connection as a normal one-VLAN endpoint port. That disagreement usually leads to unexpected or failed traffic behavior.

This is a classic switching mismatch scenario. The link may still be physically up, but the two sides do not agree on how the traffic should be handled.

Exam trap

Don't assume mismatches always result in physical link failure; focus on logical traffic handling issues.

Why the other options are wrong

B

This option is incorrect because an access port does not automatically convert to a routed port when connected to a trunk port; it remains an access port and will not participate in Layer 3 routing.

C

This option is wrong because switchport settings do not automatically synchronize between devices; each port retains its configuration independently, leading to a mismatch in link roles.

D

This option is incorrect because the configuration mismatch between a trunk and an access port does not directly affect OSPF router IDs, which are determined by the OSPF process itself and not by switchport configurations.

249
MCQ (hard)

A switchport is configured as a trunk on one side and access on the other side of the same physical link. What is the most likely result?

A. The link roles are mismatched, so VLAN traffic will not be handled as intended across the link.
B. The access side automatically becomes a routed port.
C. The switches automatically synchronize their configurations.
D. The mismatch forces OSPF to choose a new router ID.
Answer: A

This is correct because trunk/access disagreement causes a logical mismatch on the connection.

Why this answer

A trunk/access mismatch prevents the link from carrying VLAN traffic as intended. Option A correctly identifies this mismatch. Option B is wrong because access ports remain Layer 2 switchports; there is no automatic conversion to a routed port.

Option C fails because switch configurations are never auto-synchronized due to a port role mismatch. Option D is incorrect: OSPF router ID is chosen based on loopback or highest IP address and is unaffected by a Layer 2 port mismatch.

Exam trap

Beware of assuming automatic negotiation fixes all mismatches; DTP cannot resolve a trunk/access mismatch.

Why the other options are wrong

B

Access ports do not automatically become routed ports; they remain Layer 2 switchports unless explicitly configured with 'no switchport'.

C

Switches do not automatically synchronize configurations; this is not a feature supported on Cisco switches to resolve mismatches.

D

OSPF router ID is determined by the highest loopback or IP address, not by Layer 2 port configuration mismatches.

250
Multi-Select (medium)

Which TWO statements are true regarding VLAN configuration, 802.1Q trunking, and the native VLAN?

Select 2 answers
A. On an 802.1Q trunk, frames in the native VLAN are always tagged with a VLAN ID.
B. The native VLAN should be changed from the default VLAN 1 to an unused VLAN for security reasons.
C. 802.1Q is a Cisco proprietary trunking protocol.
D. 802.1Q supports up to 4094 VLANs (VLAN IDs 1–4094).
E. The native VLAN must be the same on both ends of an 802.1Q trunk for the trunk to operate.
Answers: B, D

Changing the native VLAN away from VLAN 1 is a security best practice to prevent VLAN hopping and reduce the risk of attacks that exploit the default native VLAN.

Why this answer

Option B is correct because changing the native VLAN from the default VLAN 1 to an unused VLAN is a recommended security best practice to prevent VLAN hopping attacks. Option D is correct because 802.1Q uses a 12-bit VLAN ID field, allowing VLAN IDs from 1 to 4094 (0 and 4095 are reserved). Option A is false: on an 802.1Q trunk, frames in the native VLAN are typically sent untagged.

Option C is false: 802.1Q is an IEEE standard, not Cisco proprietary (ISL is Cisco proprietary). Option E is false: the native VLAN does not have to match on both ends; mismatched native VLANs can cause traffic to be misclassified but the trunk will still operate.

Exam trap

Cisco often tests the misconception that 802.1Q is proprietary (it is not) and that native VLAN frames are always tagged (they are untagged by default), leading candidates to incorrectly select options A or C.

Why the other options are wrong

A

The native VLAN is specifically the VLAN that does not get a tag; all other VLANs are tagged.

C

802.1Q is an open standard, whereas ISL was Cisco proprietary.

E

Mismatched native VLANs can lead to security vulnerabilities and misrouting, but the trunk itself may still come up.

251
Matching (medium)

Match each VLAN or trunk term to its most accurate purpose.


Descriptions
  • Link carrying multiple VLANs
  • VLAN assigned to a normal endpoint-facing port
  • VLAN associated with untagged traffic on an 802.1Q trunk
  • Setting that limits which VLANs may traverse a trunk

Why these pairings

Trunks enable multiple VLANs on one link; VLANs logically segment networks. 802.1Q is the tagging standard; native VLAN is untagged. VTP distributes VLAN database; inter-VLAN routing uses a router or Layer 3 switch to communicate between VLANs.

Exam trap

Do not confuse the purpose of a VLAN (segmentation) with trunk tagging (802.1Q) or VLAN distribution (VTP). Also, remember that the native VLAN is not used for routing; it is for untagged traffic on a trunk.

252
PBQ (hard)

You are connected to a multilayer switch MLS1. Configure Root Guard on the designated port facing another switch SW2 to prevent it from becoming root, configure Loop Guard on the uplink port to the core, and configure BPDU Guard on a PortFast-enabled access port. After configuration, a superior BPDU arrives on the designated port—confirm it is blocked by Root Guard. Then, simulate a BPDU on the access port to verify it goes err-disabled due to BPDU Guard.

Hints

  • Root Guard is configured per interface under the interface configuration mode.
  • Loop Guard uses the same command but with the 'loop' keyword.
  • BPDU Guard on PortFast ports can be enabled globally or per interface; use per-interface for this task.

A. Root Guard on Gi0/2, Loop Guard on Gi0/1, BPDU Guard on Gi0/0
B. Root Guard on Gi0/1, Loop Guard on Gi0/2, BPDU Guard on Gi0/0
C. Root Guard on Gi0/0, Loop Guard on Gi0/1, BPDU Guard on Gi0/2
D. Root Guard on Gi0/2, Loop Guard on Gi0/0, BPDU Guard on Gi0/1
Answer: A
Solution
! MLS1
interface GigabitEthernet0/2
spanning-tree guard root
exit
interface GigabitEthernet0/1
spanning-tree guard loop
exit
interface GigabitEthernet0/0
spanning-tree bpduguard enable
exit

Why this answer

First, Root Guard was applied on Gi0/2 (the designated port) with 'spanning-tree guard root' to prevent SW2 from becoming root. Second, Loop Guard was applied on the uplink Gi0/1 with 'spanning-tree guard loop' to protect against unidirectional links. Third, BPDU Guard was applied on the PortFast-enabled access port Gi0/0 with 'spanning-tree bpduguard enable'.

When a superior BPDU arrives on Gi0/2, Root Guard transitions it to a root-inconsistent (blocked) state. If a BPDU is received on Gi0/0, BPDU Guard err-disables the port. Verification shows the blocked state on Gi0/2 and err-disabled on Gi0/0.

Exam trap

Do not confuse the purposes of Root Guard, Loop Guard, and BPDU Guard. Root Guard blocks superior BPDUs on designated ports; Loop Guard prevents loops on root/alternate ports; BPDU Guard err-disables PortFast ports upon BPDU reception. Pay attention to port roles: designated, root, and access.

Why the other options are wrong

B

Root Guard is intended for ports that should not become root; applying it on the uplink would block legitimate superior BPDUs from the core. Loop Guard on the designated port would not protect against unidirectional links on the uplink.

C

Root Guard on an access port is unnecessary and would not prevent the switch from becoming root via other ports. BPDU Guard on the designated port would disable it instead of blocking the BPDU.

D

Loop Guard on an access port does not protect against unidirectional links on the uplink. BPDU Guard on the uplink would err-disable the core connection if a BPDU is received, which is undesirable.

253
MCQ (hard)

An administrator notices that hosts in VLAN 30 on SW1 cannot communicate with hosts in VLAN 30 on SW2, even though both switches are connected via an 802.1Q trunk. Traffic for VLANs 10 and 20 passes without issues across the same trunk. The trunk is configured to allow all VLANs, and the allowed VLAN list explicitly includes VLAN 30. What is the most likely cause of the problem?

A. The native VLAN is mismatched between SW1 and SW2, and VLAN 30 is the native VLAN on one side.
B. The trunk encapsulation is set to ISL on one switch and 802.1Q on the other.
C. Spanning Tree Protocol has placed VLAN 30 in a blocking state on the trunk link.
D. The switched virtual interface (SVI) for VLAN 30 on SW1 is administratively down.
Answer: A

A native VLAN mismatch causes one switch to send untagged frames for VLAN 30 while the other expects tagged frames, so the receiving switch cannot associate the untagged traffic with VLAN 30, leading to a communication failure only for that VLAN.

Why this answer

The most likely cause is a native VLAN mismatch. When the native VLAN is mismatched on an 802.1Q trunk, traffic for the native VLAN is not tagged, so frames from VLAN 30 on one switch are received as untagged frames on the other switch and placed into the switch's configured native VLAN. If the native VLAN on one side is VLAN 30 and on the other side is a different VLAN (e.g., VLAN 1), the hosts in VLAN 30 cannot communicate because the frames are interpreted as belonging to different VLANs.

Traffic for VLANs 10 and 20 passes because they are not the native VLAN and are properly tagged.

Exam trap

Cisco often tests the native VLAN mismatch scenario by describing a trunk that works for most VLANs but fails for one specific VLAN, leading candidates to incorrectly suspect STP blocking or SVI issues instead of recognizing the native VLAN mismatch.

Why the other options are wrong

B

This would cause a complete trunk failure, not a failure limited to a single VLAN.

C

STP would not randomly block one VLAN on a point-to-point trunk while the rest are forwarding; this is not a typical behavior.

D

Layer 2 switching within the same VLAN does not require an SVI; an SVI is only needed for routing between VLANs or management.

254
MCQ (hard)

Exhibit: A switch interface connected to an IP phone and PC is configured as an access port in VLAN 10. The PC works, but the phone does not register. What additional configuration is most likely needed?

A. switchport trunk encapsulation dot1q
B. switchport voice vlan <voice-vlan-id>
C. channel-group 1 mode active
D. ip helper-address on the switchport
Answer: B

Correct choice.

Why this answer

An IP phone commonly requires a voice VLAN so tagged voice traffic is separated from the data VLAN used by the attached PC. Without a voice VLAN, the PC can still work on the access VLAN while the phone fails to register properly.

Exam trap

Don't confuse portfast or trunk mode with the need for a voice VLAN. Focus on the specific requirements of IP phones.

Why the other options are wrong

A

This option is incorrect because the question specifies an access port configuration, which does not require trunk encapsulation. Access ports do not use trunking protocols like dot1q, as they are meant for single VLAN traffic only.

C

This option is wrong because the channel-group command is used for configuring EtherChannel, which is not relevant to the issue of the IP phone not registering on an access port. The problem lies in the VLAN configuration for voice traffic, not in link aggregation.

D

The 'ip helper-address' command is used to forward DHCP requests from clients to a DHCP server, but it does not address the registration issue of the IP phone in this scenario, which is related to VLAN configuration.

255
PBQ (hard)

You are connected to R1 via console. R1 is a router-on-a-stick connecting VLAN 10 and VLAN 20 on a single link to switch SW1. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and some VLAN 10 hosts report intermittent connectivity. Examine the provided configuration and output, then fix all issues to restore full inter-VLAN routing and stable trunk operation.

Network Topology (diagram): R1 G0/0 (trunk) connected to SW1 G0/1 (trunk).

Hints

  • Check the physical interface configuration on R1 for trunking and native VLAN.
  • Examine R1's global configuration for the 'ip routing' command.
  • Compare the native VLAN on SW1 (99) with R1's subinterface encapsulation.

A. On R1, configure 'ip routing', add subinterface G0/0.99 with 'encapsulation dot1Q 99 native' and an IP address, and ensure G0/0 is not shutdown.
B. On R1, configure 'ip routing' and change the encapsulation on the VLAN 10 subinterface to 'encapsulation dot1Q 10 native'.
C. On R1, configure 'ip routing' and add an IP address to the physical interface GigabitEthernet0/0.
D. On R1, configure 'ip routing' and change the encapsulation on the VLAN 20 subinterface to 'encapsulation dot1Q 20 native'.
Answer: A
Solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.99
encapsulation dot1Q 99 native
ip address 10.0.0.1 255.255.255.252
exit
ip routing

Why this answer

Three issues prevent inter-VLAN routing and cause intermittent connectivity. First, R1 lacks a subinterface configured for the native VLAN (VLAN 99) with the 'encapsulation dot1Q 99 native' command; this subinterface is needed because SW1 expects the native VLAN to be tagged on the router side for consistency. Second, the global command 'ip routing' is missing, which disables routing between VLANs.

Third, the physical interface GigabitEthernet0/0 might be administratively down; ensure 'no shutdown' is applied. Option A correctly fixes all issues: it adds the native VLAN subinterface, enables routing, and ensures the interface is up. The other options fail because they either misconfigure the native VLAN encapsulation on the wrong subinterface or apply an IP address to the physical interface (which does not support routing on a router-on-a-stick).

Exam trap

Watch for missing 'ip routing' command in router-on-a-stick scenarios; without it, inter-VLAN routing fails. Also, ensure native VLANs match on both ends of a trunk; a mismatch can cause intermittent connectivity or complete failure for the native VLAN.

Why the other options are wrong

B

The native VLAN must match on both ends; SW1 uses VLAN 99 as native, so R1 must use VLAN 99 as native, not VLAN 10.

C

Router-on-a-stick uses subinterfaces, not the physical interface IP. The physical interface only needs to be up and trunking.

D

The native VLAN must be consistent across the trunk; SW1 uses VLAN 99, so R1 must use VLAN 99 as native.

256
MCQ (hard)

A host is physically connected to switch port Gi0/3. The technician runs 'show mac address-table' but does not find the host's MAC address for Gi0/3. The port status shows 'up/up', and the host was connected only a few minutes ago. What should the technician do next?

A. Clear the MAC address table with 'clear mac address-table dynamic' to force immediate relearning.
B. Verify the VLAN assignment on Gi0/3 using 'show vlan brief' or 'show interfaces Gi0/3 switchport'.
C. Check the STP state of Gi0/3 with 'show spanning-tree interface Gi0/3' to ensure it is not blocking.
D. Inspect the ARP cache with 'show ip arp' to check for duplicate IP addresses.
Answer: B

The switch learns MAC addresses per VLAN. If Gi0/3 is in an unexpected VLAN, the MAC address will be learned in that VLAN's table and not visible in the default or expected VLAN view. Checking the VLAN membership directly confirms whether the host is in the correct Layer 2 broadcast domain.

Why this answer

The MAC address table is learned per VLAN. If the port is assigned to a VLAN different from the one the technician expects, the host's MAC will be learned in that different VLAN and may not appear in the output shown. Checking the VLAN membership with 'show vlan' or 'show interfaces switchport' verifies the Layer 2 broadcast domain, which is the most likely reason the MAC is missing from the expected view.

Exam trap

Many candidates think the table entry aged out prematurely and try to clear the MAC address table, but the default aging timer is 300 seconds and the host was just connected. This skips the basic Layer 2 configuration check. Remember too that a MAC address is learned only from frames the host actually transmits; a silent host will not appear in any VLAN, so generate traffic (for example, ping from the host) before drawing conclusions.

Why the other options are wrong

A

Clearing dynamic entries only forces a brief period of unknown-unicast flooding until addresses are relearned; it does nothing about a VLAN mismatch, so the same symptom would recur.

C

Jumping to STP before confirming basic Layer 2 VLAN membership is not the most efficient next step.

D

This option confuses Layer 2 MAC learning with Layer 3 ARP resolution, and does not help locate the MAC entry in the address table.

257
MCQmedium

Hosts in VLAN 10 need to communicate with hosts in VLAN 20. What is required for that communication to work?

A.A DHCP server
B.A DNS server
C.A Layer 3 routing function
D.A second access switch
AnswerC

Correct. Layer 3 routing is required.

Why this answer

Traffic between VLANs must be routed. A router or multilayer switch provides the Layer 3 function needed for inter-VLAN communication.

Exam trap

Do not confuse trunk links or access ports with routing functions; they serve different purposes in VLAN configurations.

Why the other options are wrong

A

A DHCP server is not required for communication between VLANs; it only assigns IP addresses to devices within a network. VLAN communication requires routing, which a DHCP server does not provide.

B

A DNS server is not required for VLAN communication, as DNS resolves domain names to IP addresses, which does not facilitate inter-VLAN routing. Communication between VLANs requires Layer 3 routing, not name resolution.

D

A second access switch is not required for VLAN communication; VLANs can communicate through a Layer 3 device such as a router or a Layer 3 switch. The existing switch infrastructure can handle VLANs without needing additional switches.

258
MCQhard

A multilayer switch must route traffic between VLAN 10 and VLAN 20. Which condition is required for that to happen?

A.SVIs for the VLANs plus Layer 3 routing enabled on the switch
B.All ports in both VLANs configured as trunks
C.A separate OSPF process on every access port
D.Port security disabled on every edge port
AnswerA

This is correct because inter-VLAN routing on a multilayer switch requires routed VLAN interfaces and IP routing capability.

Why this answer

Inter-VLAN routing on a multilayer switch depends on two things: a Layer 3 gateway interface for each VLAN, normally an SVI ('interface vlan 10' with an IP address), and IP routing enabled so the switch actually operates as a Layer 3 device rather than a pure Layer 2 switch. Without both, traffic is switched inside a VLAN but cannot be routed between VLANs.

This is a core CCNA design idea because people often assume creating VLANs alone automatically gives them inter-VLAN communication. In reality, VLANs create separation, and routing is what reconnects them under controlled conditions. A trunk between switches can carry VLAN traffic, but it does not itself perform Layer 3 routing between the VLANs. The correct answer is the requirement that makes the switch act as the gateway between VLANs.

Exam trap

Don't confuse trunking with routing; trunk ports carry VLAN traffic but don't route it.

Why the other options are wrong

B

This option is wrong because configuring all ports as trunks does not facilitate inter-VLAN routing; SVIs and Layer 3 routing are necessary for that functionality.

C

This option is wrong because OSPF is a routing protocol used for dynamic routing, and access ports do not participate in routing processes. Routing between VLANs requires SVIs and Layer 3 capabilities, not OSPF on access ports.

D

Port security being disabled on every edge port is not a requirement for routing traffic between VLANs; it pertains to security configurations rather than routing functionality. VLAN routing can occur regardless of port security settings.

259
PBQhard

You are connected to switch SW1. The network uses Rapid-PVST+ and SW1 has been accidentally configured with a low spanning-tree priority, causing it to become the root bridge for VLAN 10 even though it should not be. Additionally, an edge port connected to a server is repeatedly receiving BPDUs, causing it to go into err-disabled state. Configure SW1 so that it is never the root bridge for VLAN 10, and configure the edge port so that it automatically recovers from err-disabled state after 300 seconds. Finally, verify that SW1 is not the root bridge for VLAN 10.

Network Topology
(diagram) SW1 Gi0/0 to SW2 Gi0/0; SW1 Gi0/1 to Server (edge port)

Hints

  • To prevent a switch from becoming root, set its priority to a value higher than every other switch's priority. The 32768 default is only a tie with other default switches, which the lowest MAC address wins, so step above it (e.g., 36864).
  • The errdisable recovery cause command enables automatic recovery; the interval command sets the timeout.
  • After configuration, verify with 'show spanning-tree vlan 10' that the bridge ID priority is not the lowest.
A.spanning-tree vlan 10 priority 36864; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
B.spanning-tree vlan 10 priority 4096; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
C.spanning-tree vlan 10 root secondary; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
D.spanning-tree vlan 10 priority 32768; errdisable recovery cause all; errdisable recovery interval 300; show spanning-tree vlan 10
AnswerA
solution
! SW1
no spanning-tree vlan 10 priority 4096
! one step above the 32768 default; use 61440 if SW1 must lose to any future switch
spanning-tree vlan 10 priority 36864
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The issue is that SW1 has the spanning-tree priority for VLAN 10 set to 4096, which makes it the root bridge. To prevent this, set its priority higher than every other switch's priority in VLAN 10. Option A uses 36864, one step above the 32768 default: a switch left at 32768 still ties the default switches and becomes root if its MAC address is the lowest. Additionally, the edge port (Gi0/1) is in err-disabled state because it received a BPDU while BPDU Guard was enabled on it (typical for a PortFast edge port).

To automatically recover from err-disabled, you need to configure errdisable recovery cause bpduguard and set the interval to 300 seconds. After configuration, verify with 'show spanning-tree vlan 10' that SW1 is no longer the root and 'show errdisable recovery' to confirm the recovery settings.

Exam trap

Students often confuse the priority values: a lower bridge priority wins the root election, so to prevent a switch from becoming root, set its priority higher than everyone else's. Also remember that 'root secondary' sets a low priority (28672), lower than the 32768 default, so it does not prevent root election.

For errdisable recovery, use the specific cause (bpduguard) rather than 'all'.

Why the other options are wrong

B

The priority 4096 is too low and would still result in SW1 being the root bridge.

C

'root secondary' sets priority 28672, which beats the 32768 default; SW1 would become root as soon as the primary root failed, or immediately if every other switch is at default. It makes SW1 the backup root, the opposite of the requirement.

D

Using 'cause all' is not the best practice; the requirement is to recover from bpduguard specifically.
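To see why option A steps SW1 up to 36864 rather than back to the 32768 default, and why 'root secondary' does not prevent root election, here is an added Python model of the Rapid-PVST+ root election for one VLAN. It is an illustration written for this page, not Cisco code or IOS output: the three switches and their MAC addresses are constructed, while the comparison rule (lower priority wins, lowest MAC breaks ties), the extended-system-ID arithmetic and the values chosen by 'root primary' and 'root secondary' follow IOS behaviour. The 'root primary' rule is the one question 271's hint relies on.

```python
"""Rapid-PVST+ root election for one VLAN (added illustration, not IOS output)."""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # IOS default bridge priority
ROOT_PRIMARY_BASE = 24576  # 'root primary' uses this unless the current root is already lower
ROOT_SECONDARY = 28672     # fixed value set by 'root secondary'
PRIORITY_STEP = 4096       # configurable priorities are multiples of 4096 (0..61440)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                          # base MAC, e.g. "0000.0c11.0001" (constructed)
    priority: int = DEFAULT_PRIORITY  # value given to 'spanning-tree vlan X priority'


def bridge_id(bridge: Bridge, vlan: int) -> tuple[int, int]:
    """Bridge ID as PVST+ compares it: (priority + extended system ID, base MAC).

    The extended system ID is the VLAN number, which is why 'show spanning-tree vlan 10'
    on a default switch prints 'Priority 32778 (priority 32768 sys-id-ext 10)'.
    """
    if bridge.priority % PRIORITY_STEP or not 0 <= bridge.priority <= 61440:
        raise ValueError(f"{bridge.name}: priority must be a multiple of 4096 in 0..61440")
    mac_int = int(bridge.mac.replace(".", "").replace(":", ""), 16)
    return (bridge.priority + vlan, mac_int)


def elect_root(bridges: list[Bridge], vlan: int) -> Bridge:
    """The bridge with the numerically lowest Bridge ID becomes root for this VLAN."""
    return min(bridges, key=lambda b: bridge_id(b, vlan))


def root_primary_priority(current_root_priority: int) -> int:
    """Priority IOS picks for 'spanning-tree vlan X root primary'.

    24576 if that beats the current root, otherwise 4096 below the current root.
    """
    if current_root_priority > ROOT_PRIMARY_BASE:
        return ROOT_PRIMARY_BASE
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root is already at priority 0; 'root primary' fails")
    return current_root_priority - PRIORITY_STEP


def root_for_vlan10(sw1_priority: int) -> str:
    """Constructed three-switch VLAN 10 topology for this question.

    SW1 has the lowest MAC address, so it wins every tie on priority.
    """
    sw1 = Bridge("SW1", "0000.0c11.0001", sw1_priority)
    sw2 = Bridge("SW2", "0000.0c11.0002")   # default 32768
    sw3 = Bridge("SW3", "0000.0c11.0003")   # default 32768
    return elect_root([sw1, sw2, sw3], 10).name


if __name__ == "__main__":
    for prio in (4096, ROOT_SECONDARY, DEFAULT_PRIORITY, 36864):
        print(f"SW1 priority {prio:5d}: root for VLAN 10 is {root_for_vlan10(prio)}")
```

Run stand-alone, the script shows that returning SW1 to 32768 is not enough in this topology: it ties SW2 and SW3 on priority and wins on MAC address. 36864 makes SW2 root (61440 would guarantee SW1 loses to any switch at a configurable priority), while 28672 from 'root secondary' makes SW1 root outright, the trap the explanation warns about.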

260
MCQhard

Refer to the exhibit. A network administrator runs the show vlan brief command on SW2. Interface GigabitEthernet0/2 is intended to be an access port in VLAN 10, but it does not appear in the output. What is the most likely cause?

A.The interface is configured with switchport mode dynamic auto and no trunk has been negotiated, causing it to be hidden.
B.The interface is administratively shut down, and down ports are excluded from the show vlan brief output.
C.The interface is configured as a trunk port and therefore does not appear under any VLAN in show vlan brief.
D.VLAN 10 is not active, so the port assigned to it is not displayed in the listing.
AnswerC

show vlan brief only displays ports that are in access mode. Trunk ports are not included because they belong to all VLANs allowed on the trunk. The output shows VLAN 10 with members Gi0/9–Gi0/11 but not Gi0/2, confirming it is not an access port.

Why this answer

The show vlan brief command lists only access ports that are statically or dynamically assigned to a VLAN. Trunk ports carry traffic for multiple VLANs and are not displayed in this table. The absence of GigabitEthernet0/2, despite VLAN 10 being active and containing other ports, indicates that the interface is likely operating as a trunk port.

Exam trap

Candidates often mistakenly believe that a shutdown interface will not appear in show vlan brief. In reality, an access port assigned to a VLAN appears in the output regardless of its administrative or operational state; the Ports column reflects configuration, not link status.

Why the other options are wrong

A

A port in dynamic auto that has not negotiated a trunk operates as an access port and is listed under its access VLAN; the DTP mode does not hide it.

B

An access port is listed under its VLAN whether it is up, down or administratively shut down; the table reflects configuration, not link state.

D

The exhibit shows VLAN 10 as active with Gi0/9–Gi0/11 as members, so the VLAN's state cannot explain the missing port.

261
MCQhard

A network engineer is troubleshooting connectivity between two hosts in different VLANs on the same switch. Host A in VLAN 10 (10.10.10.5/24) cannot ping Host B in VLAN 20 (10.10.20.5/24). The switch is configured as a router-on-a-stick with a trunk port to an external router. The trunk port is up/up, but inter-VLAN routing fails. What is the most likely cause?

A.The trunk port is not in trunking mode; it is in dynamic desirable mode.
B.The native VLAN on the switch trunk is VLAN 1, but the router subinterface for VLAN 1 is not configured with the 'native' keyword or is missing.
C.The VLANs are not allowed on the trunk; the allowed VLAN list is missing VLAN 10 and 20.
D.The switch ports Gi0/4 and Gi0/5 are in access mode but not assigned to the correct VLANs.
AnswerC

When an allowed VLAN list on a trunk is configured and does not include VLAN 10 and VLAN 20, all tagged frames from those VLANs are dropped, causing inter-VLAN routing failure even though the trunk is up/up.

Why this answer

The most likely cause is that the allowed VLAN list on the trunk is missing VLAN 10 and 20. Even though the trunk port is up/up, if the switch's allowed VLAN list has been restricted (for example, using the switchport trunk allowed vlan command) and does not include those VLANs, all frames tagged with VLAN 10 or 20 will be discarded at the trunk. This directly prevents inter-VLAN routing despite the trunk being operational, whereas a native VLAN mismatch only affects untagged traffic and would not impact the tagged frames between the two hosts.

Exam trap

A common trap is assuming an up/up trunk automatically passes traffic for all VLANs, overlooking that the allowed VLAN list can be manually pruned and must include every VLAN that needs to traverse the trunk.

Why the other options are wrong

A

Dynamic desirable mode can still form a trunk if the other side is willing; the trunk is already up/up, so the port mode is not the issue.

B

A native VLAN mismatch or missing native subinterface only affects untagged frames. The switch tags VLAN 10 and VLAN 20 frames on the trunk, so that traffic is unaffected and routing between the two hosts would still work.

D

The hosts' access port configurations would prevent intra-VLAN communication if misassigned, but the question describes an inter-VLAN routing failure through the trunk, not a problem with the access ports themselves.

262
MCQhard

A user on a wireless guest network can associate successfully, obtains an IP address, but cannot reach the Internet. Which troubleshooting area should be examined first if the WLAN itself is working?

A.The post-association forwarding or policy path, such as guest routing or Internet access policy
B.The SSID broadcast name, because it must be wrong
C.The AP radio antenna type only
D.OSPFv3 area configuration on the laptop
AnswerA

This is correct because WLAN join and IP assignment have already succeeded.

Why this answer

If association and addressing are already successful, the first area to examine is the forwarding or policy path beyond simple WLAN join behavior. In practical terms, the client has passed the discovery, authentication, and addressing stages. The problem is now more likely to involve routing, gateway reachability, NAT, firewall policy, or guest-access restrictions rather than the SSID itself.

This question is about understanding which stage of the workflow has already succeeded.

Exam trap

Avoid assuming issues with association or IP assignment when these steps have already succeeded.

Why the other options are wrong

B

The SSID broadcast name is not relevant in this scenario because the user has already associated successfully and obtained an IP address, indicating that the SSID is correct and functioning.

C

The AP radio antenna type does not directly impact a user's ability to obtain an IP address or reach the Internet after successful association. This option is irrelevant since the user is already connected to the network.

D

OSPFv3 area configuration is related to routing protocols and is not directly relevant to a user's inability to access the Internet on a guest network after successfully associating. The issue is likely related to network policies or forwarding paths rather than routing configurations on the user's device.

263
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PortFast and BPDU Guard on a Cisco switch interface, then recover after a BPDU violation.


Why this order

First enable PortFast to allow immediate transition to forwarding, then enable BPDU Guard to protect against BPDU reception. Recovery steps are configured last to automatically restore the port after a violation.

Exam trap

Do not confuse the order: PortFast is enabled first, then BPDU Guard, and recovery is configured last, not first. Note that the interface command 'spanning-tree bpduguard enable' works on any port, while the global 'spanning-tree portfast bpduguard default' applies only to ports with PortFast enabled, which is why PortFast comes first in this sequence.

264
MCQmedium

On an 802.1Q trunk, which VLAN is sent untagged by default on many Cisco switches unless changed?

A.VLAN 10
B.VLAN 20
C.VLAN 1
D.The highest configured VLAN
AnswerC

Correct. VLAN 1 is the default native VLAN on many platforms.

Why this answer

On many Cisco platforms, VLAN 1 is the default native VLAN. Native VLAN traffic is sent untagged unless the native VLAN is changed.

Exam trap

Be cautious not to confuse commonly used VLANs in practice with the default native VLAN set by Cisco.

Why the other options are wrong

A

VLAN 10 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically used for this purpose unless configured otherwise. Therefore, selecting VLAN 10 would be incorrect in the context of the question.

B

VLAN 20 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically sent untagged on 802.1Q trunks unless configured otherwise. Therefore, selecting VLAN 20 does not align with the standard behavior of Cisco switch configurations.

D

This option is incorrect because the default untagged VLAN on many Cisco switches is VLAN 1, not the highest configured VLAN. The highest configured VLAN can vary based on the network setup and does not have a default status in this context.

265
MCQhard

A multilayer switch has working SVIs for VLAN 10 and VLAN 20, but traffic between the VLANs fails. Hosts can ping their own gateway interfaces. Which misconfiguration is most strongly suggested if the SVIs themselves are correct?

A.IP routing is not enabled on the multilayer switch.
B.Both VLANs need to use the same IP subnet.
C.All access ports must be converted into trunks.
D.The wireless controller must provide the default gateway.
AnswerA

This is correct because the switch needs Layer 3 forwarding enabled to route between VLAN interfaces.

Why this answer

The correct answer is A: IP routing is not enabled. Hosts can ping their own gateway because that only requires Layer 2 adjacency to the SVI and the switch answering for its own address; forwarding a packet from one SVI to another is Layer 3 forwarding, which does not happen until `ip routing` is configured. Different subnets per VLAN, access ports and the wireless controller are all unrelated to that missing step.

Exam trap

Remember that SVIs alone do not enable inter-VLAN routing; IP routing must be explicitly enabled on the switch.

Why the other options are wrong

B

Different VLANs must use different IP subnets for routing; using the same subnet would break Layer 3 separation.

C

Access ports remain as access ports; inter-VLAN routing requires SVIs with routing enabled, not trunk conversion of access ports.

D

The default gateway for each VLAN is the SVI IP address; a wireless controller is irrelevant to Layer 3 forwarding between wired VLANs.

266
MCQmedium

Exhibit: Users report that they can see the corporate SSID but fail authentication immediately after entering credentials. Guest wireless works on the same access point. Which issue is most likely?

A.The AP is using the wrong channel width
B.The RADIUS or AAA server is unreachable for the enterprise WLAN
C.The corporate SSID has a mismatched RADIUS shared secret
D.The SSID must be configured as hidden
AnswerB

WPA2-Enterprise depends on AAA communication for user authentication.

Why this answer

When clients can see the SSID and associate at Layer 2 but fail right after entering credentials, a broken 802.1X or RADIUS path is a common cause. RF coverage is clearly not the main problem because the SSID is visible and guest service works.

Exam trap

Be careful not to confuse visibility and connectivity issues with authentication problems. The SSID is visible, so focus on authentication-related configurations.

Why the other options are wrong

A

The AP using the wrong channel width would not cause immediate authentication failures; it typically affects connectivity or performance rather than authentication processes. Since the guest wireless works, the channel width is likely not the issue.

C

A mismatched shared secret would also cause immediate authentication failures, and from the client's side it is indistinguishable from an unreachable server; both are faults in the AAA path, which is the area option B names. Guest wireless working only proves the AP and its uplink are fine, not the enterprise WLAN's RADIUS path. The exhibit and the controller's AAA logs are what separate "server unreachable" from "secret rejected"; option B is the broader condition and the first to verify.

D

Configuring the SSID as hidden would not cause immediate authentication failures; users would simply not see the SSID unless they manually entered it. The issue described involves users seeing the SSID but failing authentication, indicating a problem beyond SSID visibility.

267
MCQhard

Two switches are connected by a trunk. VLAN 50 exists on both switches, but traffic still fails across the link. The allowed VLAN list is correct. Which additional item should be checked next?

A.Check for a trunk mismatch such as native VLAN inconsistency or other trunk-parameter problems.
B.Reset OSPF process IDs on both switches.
C.Add ip helper-address under every access interface.
D.Disable the MAC address table.
AnswerA

This is correct because VLAN permission alone does not guarantee the trunk is healthy end to end.

Why this answer

After confirming that the VLAN exists on both switches and is allowed on the trunk, another important item to verify is whether the trunk itself is actually operational with the expected encapsulation and whether there is a native VLAN or other trunk inconsistency. In plain language, just because the VLAN is listed does not guarantee the trunk is healthy in every relevant way. Trunking problems can still occur because of broader configuration mismatches.

This question is about disciplined troubleshooting. Once the obvious allowed-list issue is ruled out, the next step is to keep checking other trunk-related characteristics rather than jumping immediately to unrelated routing or service features. The correct answer is the one that stays grounded in trunk-specific verification.

Exam trap

Don't jump to unrelated features such as routing protocols or DHCP relay when the symptom is trunk-related. Verify the trunk's own parameters first: operational mode and encapsulation ('show interfaces trunk'), native VLAN on both ends, the allowed and active VLAN lists, and the per-VLAN spanning-tree state of the trunk port, since a VLAN blocked by STP on that port also fails to cross it.

Why the other options are wrong

B

Resetting OSPF process IDs does not address VLAN traffic issues over a trunk link, as OSPF is a routing protocol and unrelated to Layer 2 VLAN configurations.

C

Adding an ip helper-address is irrelevant to VLAN traffic issues across a trunk link, as this command is used for forwarding DHCP requests, not for resolving VLAN connectivity problems.

D

Disabling the MAC address table would not resolve VLAN traffic issues across a trunk link, as it pertains to Layer 2 forwarding and would disrupt normal switch operations, leading to further connectivity problems.
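The allowed-list failure in question 261 and the native-VLAN check in this question are two halves of one trunk audit. The Python below is an added illustration written for this page, not Cisco code or IOS output: it expands an IOS-style allowed-VLAN list, applies the DTP negotiation rules to decide whether a trunk forms at all, and then reports native-VLAN mismatches, VLANs allowed but defined on only one switch, and VLANs that exist on both ends yet are pruned by the allowed list. The switch names, VLAN numbers and lists are constructed to match the two questions; 'active_vlans' stands for the VLAN database (on a router, the set of dot1Q subinterfaces).

```python
"""Trunk consistency audit for one 802.1Q link (added illustration, not IOS output)."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS allowed-VLAN list such as '1,10-20,99' ('all'/'none' accepted)."""
    spec = spec.strip().lower()
    if spec in ("all", ""):
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


@dataclass
class TrunkPort:
    switch: str
    mode: str                  # "trunk" | "dynamic desirable" | "dynamic auto" | "access"
    native_vlan: int = 1
    allowed: str = "all"       # text of 'switchport trunk allowed vlan'
    active_vlans: set[int] = field(default_factory=set)  # VLAN database (constructed)
    nonegotiate: bool = False  # 'switchport nonegotiate' (DTP off)


TRUNK_REQUESTERS = {"trunk", "dynamic desirable"}  # modes that ask the peer to trunk


def trunk_forms(a: TrunkPort, b: TrunkPort) -> bool:
    """DTP outcome: an access port never trunks; without DTP both ends must be static
    'trunk'; with DTP at least one end must request (auto + auto stays access)."""
    if "access" in (a.mode, b.mode):
        return False
    if a.nonegotiate or b.nonegotiate:
        return a.mode == "trunk" and b.mode == "trunk"
    return bool(TRUNK_REQUESTERS & {a.mode, b.mode})


def trunk_audit(a: TrunkPort, b: TrunkPort) -> tuple[list[str], set[int]]:
    """Return (findings, VLANs whose traffic will actually cross the link)."""
    findings: list[str] = []
    if not trunk_forms(a, b):
        findings.append(f"no trunk: {a.switch} is '{a.mode}', {b.switch} is '{b.mode}'")
        return findings, set()
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN mismatch: {a.switch}={a.native_vlan}, "
                        f"{b.switch}={b.native_vlan} (untagged frames change VLAN)")
    both_allowed = parse_vlan_list(a.allowed) & parse_vlan_list(b.allowed)
    one_sided = (a.active_vlans ^ b.active_vlans) & both_allowed
    if one_sided:
        findings.append(f"allowed but defined on only one switch: {sorted(one_sided)}")
    on_both = a.active_vlans & b.active_vlans
    for vlan in sorted(on_both - both_allowed):
        findings.append(f"VLAN {vlan} exists on both ends but is pruned by the allowed list")
    return findings, on_both & both_allowed


def q261_scenario() -> tuple[list[str], set[int]]:
    """Constructed: trunk up/up, SW1 allowed list restricted and missing 10 and 20."""
    sw1 = TrunkPort("SW1", "trunk", allowed="1,30-40", active_vlans={1, 10, 20, 30})
    r1 = TrunkPort("R1", "trunk", allowed="all", active_vlans={1, 10, 20, 30})
    return trunk_audit(sw1, r1)


def q267_scenario() -> tuple[list[str], set[int]]:
    """Constructed: VLAN 50 allowed and present on both ends, native VLANs differ."""
    sw1 = TrunkPort("SW1", "trunk", native_vlan=1, active_vlans={1, 50})
    sw2 = TrunkPort("SW2", "trunk", native_vlan=99, active_vlans={1, 50, 99})
    return trunk_audit(sw1, sw2)


if __name__ == "__main__":
    for scenario in (q261_scenario, q267_scenario):
        findings, passing = scenario()
        print(scenario.__name__, "passing:", sorted(passing))
        for line in findings:
            print("  -", line)
```

The audit reports the question 261 case as VLANs 10 and 20 "pruned by the allowed list" with only VLANs 1 and 30 passing, and the question 267 case as a native mismatch plus VLAN 99 defined on one side only, while VLAN 50 itself still passes; that second result is the reason the native-VLAN check is a consistency check rather than a guaranteed root cause, and why the trunk port's per-VLAN STP state should be checked alongside it.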

268
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure an LACP EtherChannel on two Cisco switches using active mode.


Why this order

To configure an LACP EtherChannel in active mode, you must first enter interface configuration mode on the physical interfaces (e.g., using interface range). Next, assign those interfaces to a channel group using the channel-group command with the mode active keyword; this enables LACP negotiation and ensures the switch actively attempts to form a bundle. After the member ports are configured, you can optionally set parameters on the Port-Channel interface (such as switchport mode trunk).

Finally, verify the EtherChannel is operational with show etherchannel summary. Using mode passive, on, or desirable would not enable LACP active negotiation or would use a different protocol (PAgP), which does not meet the requirement.

Exam trap

Remember that LACP uses active and passive modes, while PAgP uses desirable and auto. Do not confuse the protocols or their modes.

269
MCQhard

A network administrator is troubleshooting an issue where hosts on VLAN 10 cannot ping the default gateway at 192.168.10.1. The router (R1) has an SVI for VLAN 10 with IP 192.168.10.1/24. The administrator captures traffic on the router's G0/0/0 interface (trunk to the switch) and reviews the embedded packet capture output. What is the root cause of the problem?

A.The router's SVI for VLAN 10 is administratively down.
B.The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
C.An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.
D.The router has ICMP redirects enabled, causing it to ignore the pings.
AnswerB

The capture on the trunk shows no frames tagged VLAN 10 arriving from the host, only R1's own traffic for that VLAN. Because the switch placed the host's port in a different VLAN, the host's frames leave the switch carrying that VLAN's tag and never reach the VLAN 10 gateway, so the ping fails.

Why this answer

The captured traffic on the trunk shows that the router is not receiving any frames tagged with VLAN 10 from the host. If the switch port connecting the host is configured in VLAN 20 instead of VLAN 10, the host's untagged frames are tagged VLAN 20 by the switch when they cross the trunk and are delivered to the VLAN 20 gateway, not the VLAN 10 one; the host's ARP request for 192.168.10.1 is never answered. This is the most direct cause given the symptom that the host cannot ping its default gateway.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, and the trap here is that candidates assume the problem is on the router (e.g., ACL or interface state) when the packet capture reveals that the traffic never reaches the router's SVI due to a VLAN mismatch on the switch access port.

Why the other options are wrong

A

The SVI is operational, so this cannot be the root cause.

C

The capture shows no echo requests from the host arriving at all. An ACL can only drop traffic that reaches the router, so it cannot explain frames that never arrive.

D

ICMP redirects do not prevent the router from responding to pings; they only send redirect messages when appropriate.

270
PBQhard

You are connected to Multilayer Switch SW1. Configure LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel is formed and active. The current configuration has mismatched VLAN assignments and speed/duplex settings preventing the channel from coming up. Verify the channel state using 'show etherchannel summary'.

Network Topology
(diagram) SW1 Gi0/1 to SW2 Gi0/1, LACP EtherChannel

Hints

  • Check that both physical ports have identical speed and duplex settings.
  • Ensure the allowed VLAN list on each member port matches the Port-channel interface.
  • Use 'show etherchannel summary' to see whether each member is bundled (P), suspended (s) because its attributes differ from the Port-channel, or down (D).
A.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20,30.
B.Configure both Gi0/1 and Gi0/2 with speed 100, duplex half, and switchport trunk allowed vlan 30.
C.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20.
D.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport mode access.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk allowed vlan 10,20,30
exit
interface GigabitEthernet0/2
speed 1000
duplex full
switchport trunk allowed vlan 10,20,30
exit

Why this answer

The EtherChannel is down because the two member ports on SW1 have inconsistent configurations. GigabitEthernet0/1 is set to speed 1000 and duplex full with allowed VLANs 10,20, while GigabitEthernet0/2 is set to speed 100 and duplex half with allowed VLAN 30. EtherChannel bundling, with LACP or any other mode, requires every member port to match the Port-channel in speed, duplex, switchport mode, and allowed and native VLANs; a member that differs is suspended rather than bundled.

To fix, on SW1 configure both Gi0/1 and Gi0/2 with the same speed (1000), duplex (full), and trunk allowed VLANs (10,20,30). The Port-channel interface already has the correct allowed VLANs. After correction, 'show etherchannel summary' should show both ports as bundled (P).

Exam trap

The exam trap is that candidates often focus only on speed/duplex mismatches and forget that VLAN allowed lists must also match. Additionally, they may assume that the Port-channel interface inherits settings from member ports, but in fact, the member ports must match the Port-channel configuration.

Why the other options are wrong

B

Option B sets speed 100 and half duplex on gigabit ports and allows only VLAN 30, so the members would match each other but not the Port-channel interface, whose allowed list is 10,20,30; members must match the Port-channel, not just one another.

C

The specific factual error is that the VLAN allowed list must match across all member ports and the Port-channel interface; omitting VLAN 30 will cause inconsistency.

D

Option D makes the members access ports while the Port-channel interface is a trunk; switchport mode must be consistent across all member ports and the Port-channel interface, and as access ports they would not carry VLANs 10, 20 and 30 anyway.
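Question 268 (which mode pairs form a channel) and this PBQ (which member attributes must match the Port-channel) are modelled together below in Python. It is an added illustration written for this page, not Cisco code or 'show etherchannel summary' output: the negotiation table follows the LACP and PAgP rules as IOS applies them, the attribute list is the one this PBQ exercises (speed, duplex, switchport mode, allowed and native VLANs, plus the access VLAN for Layer 2 access bundles), and the Po1, Gi0/1 and Gi0/2 values are constructed from the question text.

```python
"""EtherChannel negotiation and member-consistency check (added illustration)."""
from __future__ import annotations

from dataclasses import dataclass, replace

LACP_MODES = {"active", "passive"}
PAGP_MODES = {"desirable", "auto"}


def channel_forms(mode_a: str, mode_b: str) -> str | None:
    """Protocol the bundle negotiates, or None when the two modes never form a channel."""
    modes = {mode_a, mode_b}
    if modes == {"on"}:
        return "static"   # no protocol at all; 'on' works only against 'on'
    if modes <= LACP_MODES and "active" in modes:
        return "LACP"     # active/active or active/passive; passive/passive waits forever
    if modes <= PAGP_MODES and "desirable" in modes:
        return "PAgP"     # desirable/desirable or desirable/auto; auto/auto waits forever
    return None           # mixed protocols, 'on' against a negotiating mode, or two listeners


@dataclass(frozen=True)
class PortAttrs:
    name: str
    speed: int                              # Mb/s
    duplex: str                             # "full" | "half"
    mode: str                               # "trunk" | "access"
    allowed: frozenset[int] = frozenset()   # trunk allowed VLANs, already expanded
    native_vlan: int = 1
    access_vlan: int = 1


BUNDLE_ATTRS = ("speed", "duplex", "mode", "allowed", "native_vlan", "access_vlan")


def bundle_check(po: PortAttrs, members: list[PortAttrs]) -> dict[str, list[str]]:
    """For each member, the attributes that differ from the Port-channel.

    A member with any difference is put in the suspended state ('s' in
    'show etherchannel summary'); an empty list means it can bundle ('P').
    """
    return {
        m.name: [f"{attr}: {getattr(m, attr)!r} != Po {getattr(po, attr)!r}"
                 for attr in BUNDLE_ATTRS if getattr(m, attr) != getattr(po, attr)]
        for m in members
    }


def bundled_members(report: dict[str, list[str]]) -> list[str]:
    """Names of members that would show as bundled ('P')."""
    return [name for name, diffs in report.items() if not diffs]


def q270_scenario(fixed: bool) -> dict[str, list[str]]:
    """Constructed SW1 state before and after the PBQ's fix (option A)."""
    po1 = PortAttrs("Po1", 1000, "full", "trunk", frozenset({10, 20, 30}))
    gi1 = PortAttrs("Gi0/1", 1000, "full", "trunk", frozenset({10, 20}))
    gi2 = PortAttrs("Gi0/2", 100, "half", "trunk", frozenset({30}))
    if fixed:  # same speed/duplex and the Port-channel's allowed list on both members
        gi1 = replace(gi1, allowed=po1.allowed)
        gi2 = replace(gi2, speed=1000, duplex="full", allowed=po1.allowed)
    return bundle_check(po1, [gi1, gi2])


if __name__ == "__main__":
    print("active/passive ->", channel_forms("active", "passive"))
    print("on/active      ->", channel_forms("on", "active"))
    for state in (False, True):
        rep = q270_scenario(state)
        print("fixed" if state else "broken", "bundled:", bundled_members(rep), rep)
```

Before the fix, Gi0/1 differs from Po1 in one attribute (the allowed list) and Gi0/2 in three, so neither bundles; after option A is applied both members match and bundle. The negotiation table also makes the question 268 trap concrete: 'on' pairs only with 'on', and an LACP mode never forms a channel with a PAgP mode.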

271
PBQhard

You are connected to switch SW1. Configure Rapid-PVST+ so that SW1 becomes the root bridge for VLAN 10 and VLAN 20. On interface GigabitEthernet0/2, enable PortFast and BPDUGuard. Then, a BPDU is received on that port, causing err-disable. Diagnose the issue and recover the interface without rebooting the switch.

Hints

  • Use 'spanning-tree vlan <vlan> root primary', which sets the priority to 24576, or to 4096 less than the current root's priority if that is already 24576 or lower.
  • BPDUGuard will err-disable the port if a BPDU is received; use 'errdisable recovery cause bpduguard' to auto-recover.
  • After recovery, the port may need a manual shutdown/no shutdown to clear the err-disable state.
A.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'errdisable recovery cause bpduguard' to enable automatic recovery, or manually do 'shutdown' followed by 'no shutdown' on the interface.
B.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'clear spanning-tree detected-protocols' on the interface.
C.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'no spanning-tree bpduguard enable' on the interface, then re-enable it.
D.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'reload' on the switch to reset all interfaces.
AnswerA
solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
exit
! global command: automatic recovery after the errdisable interval (300 s by default)
errdisable recovery cause bpduguard
! immediate manual recovery of the err-disabled port
interface GigabitEthernet0/2
shutdown
no shutdown
exit

Why this answer

First, configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. Then, on interface Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard defaults to shutting down a port when a BPDU is received.

To recover, configure 'errdisable recovery cause bpduguard' so the port returns to service automatically after the errdisable interval (300 seconds by default), or issue 'shutdown' followed by 'no shutdown' on the interface to clear it immediately. Once SW1 is root, all of its ports are designated ports; Gi0/2 is an edge port that should never see a BPDU, so one arriving means a switch or bridging device was attached to a port meant for a host, and that device should be found before the port is brought back.

Exam trap

The exam trap is that candidates may confuse the recovery method for BPDUGuard err-disable with other STP commands. Remember: BPDUGuard err-disables the port; to recover, use 'errdisable recovery cause bpduguard' or manual shutdown/no shutdown. Do not use 'clear spanning-tree detected-protocols' or remove BPDUGuard alone.

Why the other options are wrong

B

'clear spanning-tree detected-protocols' does not recover err-disabled ports; it only restarts the protocol migration process so a port that fell back to legacy 802.1D BPDUs can return to rapid mode.

C

Removing and re-adding BPDU Guard does not bring the port back; the err-disable state must be cleared separately, by shutdown/no shutdown or by errdisable recovery.

D

The specific factual error is that reloading is overkill and not the recommended recovery method; it disrupts all traffic unnecessarily.

272
MCQhard

A user reports that the corporate SSID is visible and accepts the correct password, but the client always lands in a quarantined remediation network. Which troubleshooting area is strongest?

A.Post-authentication policy, role, or VLAN assignment logic
B.Whether the SSID is hidden instead of broadcast
C.Whether the AP uplink uses PPP encapsulation
D.Whether OSPF designated routers are elected correctly
AnswerA

This is correct because the symptom points to how the authenticated client is being classified after joining.

Why this answer

The strongest troubleshooting area is post-authentication policy or role assignment. The client already sees the SSID and successfully authenticates, so the problem is not RF visibility or password failure. Landing in a remediation network indicates a policy decision after authentication, such as a mismatched VLAN assignment or client role.

Option B (hidden SSID) is irrelevant because the SSID is visible. Option C (PPP encapsulation) does not affect post-authentication network placement. Option D (OSPF DR election) is unrelated to client VLAN assignment.

Exam trap

Don't confuse initial connectivity problems with post-authentication issues. Focus on what happens after the connection is established.

Why the other options are wrong

B

A hidden SSID would prevent the SSID from appearing, but the user reports the SSID is visible, so this does not match the symptom.

C

PPP encapsulation on an AP uplink concerns Layer 2 framing, not the post-authentication VLAN or policy assignment that causes quarantine.

D

OSPF designated router election occurs at Layer 3 within routing, while the issue is about client VLAN placement after authentication, which is a Layer 2 access-control function.

273
PBQhard

You are connected to R1. The network consists of R1, SW1, and two VLANs (10 and 20). SW1 has hosts in VLAN 10 and VLAN 20 connected to its access ports. Configure R1 for router-on-a-stick inter-VLAN routing using subinterfaces on G0/0. The physical interface G0/0 is administratively up (no shutdown). The current configuration is incomplete and has errors preventing communication between the VLANs. Fix the configuration so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can ping each other through R1.

Hints

  • Check the global configuration for the 'ip routing' command.
  • Verify that the subinterfaces have correct encapsulation and IP addresses.
  • Ensure the trunk between R1 and SW1 allows VLANs 10 and 20, and native VLAN matches.

A.Enable IP routing with the 'ip routing' global configuration command.
B.Change the encapsulation on subinterface G0/0.10 to dot1Q 20 and on G0/0.20 to dot1Q 10.
C.Add the 'no shutdown' command on the physical interface G0/0.
D.Configure the native VLAN on the trunk to match the subinterface for VLAN 1.
AnswerA
solution
! R1
configure terminal
ip routing
end

Why this answer

The primary fault is that IP routing is disabled globally on R1 (missing 'ip routing' command), so even though subinterfaces are correctly configured, the router cannot route between VLANs. The physical interface G0/0 is already administratively up, so issuing 'no shutdown' would not fix the problem. Thus, enabling 'ip routing' resolves the inter-VLAN communication issue.

The other options either incorrectly swap encapsulation or address a native VLAN scenario not indicated in the exhibit.

Exam trap

Do not assume that configuring subinterfaces and IP addresses is sufficient for inter-VLAN routing. The 'ip routing' command is required to enable the router's forwarding capability. Many candidates forget this global command and waste time troubleshooting other aspects.

Why the other options are wrong

B

Swapping the encapsulation would map VLAN 10 to the wrong VLAN ID, breaking connectivity.

C

The physical interface is already up; adding 'no shutdown' is redundant and does not resolve the missing routing capability.

D

The native VLAN on the trunk is not the cause of the problem, and the subinterface for VLAN 1 is not required for inter-VLAN routing.

274
Multi-Selecthard

Which two conditions must match on two switch ports before they can successfully form a Layer 2 EtherChannel? (Choose two.)

Select 2 answers
A.The switchport mode and VLAN settings
B.The STP root bridge ID on both switches
C.The speed and duplex settings
D.The interface description
E.The ARP timeout value
AnswersA, C

Correct. Access/trunk mode and related VLAN settings must match across the member links.

Why this answer

Layer 2 EtherChannel members must have compatible Layer 2 configuration. Port mode, VLAN-related settings, speed, and duplex all need to align for the bundle to form correctly.

Exam trap

Remember that EtherChannel requires consistent speed and duplex settings, and also consistent switchport mode (access or trunk) and allowed VLANs.

Why the other options are wrong

B

This option is wrong because the STP root bridge ID does not directly affect the formation of an EtherChannel; EtherChannel requires matching port configurations, not spanning tree parameters.

D

The interface description does not affect the formation of an EtherChannel, as it is merely a label for identification purposes and does not influence Layer 2 connectivity or protocol negotiation.

E

The ARP timeout value does not affect the formation of a Layer 2 EtherChannel, as EtherChannel operates at Layer 2 and is concerned with port configurations, not Layer 3 settings like ARP.

275
MCQmedium

A user says the phone connected to a switch port works, but the attached PC does not get network access. What is the most likely switch-side issue?

A.The access VLAN for the PC is misconfigured
B.The voice VLAN should always match the access VLAN
C.PortFast blocks the PC from sending traffic
D.The phone requires the switch to be in trunk mode
AnswerA

The PC uses the access VLAN, not the voice VLAN.

Why this answer

An IP phone can use a voice VLAN while the attached PC uses the access VLAN. If the access VLAN is missing or wrong, the phone may still work while the PC fails.

Exam trap

Ensure you understand the difference between voice and access VLANs and how they affect different devices on the same port.

How to eliminate wrong answers

Eliminate B because a trunk port should allow both devices access. Eliminate C because an administratively down port would disable both devices. Eliminate D because the phone is working, indicating the voice VLAN is configured.

A is correct because it explains why the PC lacks connectivity while the phone works.

276
MCQhard

A switch has a root port and an alternate port for the same VLAN. Which statement best explains the operational role of the alternate port?

A.It is a backup path toward the root bridge and normally does not forward while the active root path is healthy.
B.It always forwards traffic at the same time as the root port for load balancing.
C.It is the port that elects the root bridge for the VLAN.
D.It is a special routed port used for inter-VLAN communication.
AnswerA

This is correct because an alternate port is a standby path in STP.

Why this answer

The alternate port acts as a backup path toward the root bridge and stays in a non-forwarding state under normal conditions. In practical terms, STP keeps it ready in case the active path fails, but it does not allow it to forward frames while the primary root path is healthy. That is how STP preserves redundancy without creating loops.

This question is useful because many learners understand root ports and designated ports but do not clearly understand what the alternate role represents.

Exam trap

Don't confuse STP's redundancy roles with load balancing or congestion management. Remember, alternate ports are for backup, not active traffic routing.

Why the other options are wrong

B

Option B is incorrect because an alternate port does not forward traffic while the root port is active; it serves as a backup path and only becomes active if the root port fails.

C

This option is wrong because the alternate port does not participate in the election process for the root bridge; it only serves as a backup path to the root bridge once it is established.

D

Option D is incorrect because an alternate port is not a routed port; it operates at Layer 2 and is part of the Spanning Tree Protocol, which does not involve routing functionalities for inter-VLAN communication.

277
Drag & Dropmedium

You need to configure a new switch. According to Cisco’s recommended workflow, you should assign access ports to their VLANs before configuring trunk links to ensure that end devices are functional before inter-switch connectivity is tested. Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco switch running IOS-XE.

Why this order

The correct order is to first create VLANs so they exist, then assign access ports to those VLANs to make end devices operational, then configure the trunk link with a native VLAN to connect to another switch, and finally verify with show commands. This sequence follows Cisco best practices by getting access ports functional before establishing trunking. Option C is incorrect because configuring the trunk before assigning access ports could leave end devices in the wrong VLAN while the trunk is already active, potentially causing unexpected broadcast domain behavior.

Options B and D are wrong because they attempt to assign ports or configure a trunk before the VLANs are created, which would fail.

Exam trap

The exam trap is that candidates may try to assign ports to VLANs before creating them, or configure trunk native VLAN before the VLAN exists. Always create VLANs first, then assign ports, then configure trunking.

278
MCQhard

A trunk between two switches is up, but users in VLAN 40 cannot communicate across it. The output shows both sides allow VLAN 40. What is another likely trunk-related cause to check next?

A.Native VLAN mismatch between the two trunk ends
B.Missing router ID in OSPF
C.Incorrect NTP source interface
D.Lack of PAT overload on the WAN router
AnswerA

This is correct because a native VLAN mismatch is a common trunk-related issue worth checking after allowed VLANs have been verified.

Why this answer

If VLAN 40 is allowed on both ends and the trunk is up, a native VLAN mismatch is still worth checking because trunk problems are not limited to the allowed VLAN list. In plain language, the link may be carrying traffic, but if the two switches disagree on how untagged traffic should be treated, behavior can still become unpredictable. Native VLAN mismatches are a well-known source of warnings and unexpected traffic handling on 802.1Q trunks.

That does not mean every VLAN problem is caused by the native VLAN, but once the obvious allowed-list issue has been ruled out, it becomes a logical next trunk-specific item to verify.

Exam trap

Don't assume that allowed VLANs are the only trunk-related issue; native VLAN mismatches can also disrupt communication.

Why the other options are wrong

B

This option is wrong because the question specifically addresses VLAN communication issues over a trunk link, which are unrelated to OSPF router ID configuration. OSPF router ID affects routing protocols, not VLAN traffic directly.

C

NTP source interface is unrelated to VLAN communication issues over a trunk link; it primarily affects time synchronization across devices. Since the question focuses on VLAN connectivity, this option does not address the core problem.

D

Lack of PAT overload on the WAN router is unrelated to VLAN communication issues between switches. This option pertains to address translation for outbound traffic, not VLAN trunking problems.

279
PBQhard

You are connected to a multilayer switch MLS1. The network has two other switches SW1 and SW2 forming a triangle topology. Currently, SW1 is the root bridge but it should be SW2. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2 of MLS1, which connects to a host. Simulate a BPDU violation on that port and then recover the port from err-disabled state.

Network Topology
(Diagram: MLS1, SW1 and SW2 interconnected in a triangle using interfaces Gi0/0, Gi0/1 and Gi0/2; Host attached to MLS1 Gi0/2.)

Hints

  • Check which switch is currently root and change the priority on MLS1 to allow SW2 to become root.
  • The err-disabled port needs to be re-enabled with 'no shutdown' after the cause is removed.
  • Ensure PortFast and BPDU Guard are configured on the edge port.

A.On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'shutdown' then 'no shutdown'.
B.On MLS1, set priority to 0 to make it root; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by removing BPDU Guard.
C.On MLS1, remove 'spanning-tree vlan 1 root primary' and set priority to 4096; on SW2, set priority to 0. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover by reloading MLS1.
D.On MLS1, set priority to 0; on SW2, set priority to 4096. On MLS1 Gi0/2, configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'. After BPDU violation, recover with 'no shutdown'.
AnswerA
solution
! MLS1
configure terminal
no spanning-tree vlan 1 root primary
spanning-tree vlan 1 priority 4096
interface gigabitEthernet 0/2
spanning-tree portfast
spanning-tree bpduguard enable
! after the simulated BPDU violation err-disables the port and the BPDU source is removed:
shutdown
no shutdown
end

Why this answer

Currently, SW1 is the root bridge per the topology, but the goal is to make SW2 the root. On MLS1, removing the 'spanning-tree vlan 1 root primary' command and setting a higher priority (4096) ensures it does not interfere. On SW2, set priority to 0 to make it root.

On MLS1 Gi0/2, configure PortFast and BPDU Guard. If a BPDU is received, the port goes err-disabled; to recover, issue 'shutdown' then 'no shutdown' after resolving the BPDU source.

Exam trap

Trap: Candidates may forget that the root bridge is determined by lowest priority. They might set the wrong switch to lower priority or use incorrect recovery methods like reloading or removing BPDU Guard.

Why the other options are wrong

B

The specific factual error: Setting MLS1 priority to 0 makes it root, opposite of the requirement. Removing BPDU Guard does not recover the port; 'no shutdown' is needed.

C

The specific factual error: Reloading the switch is not the standard recovery for an err-disabled port; 'no shutdown' is the proper command.

D

The specific factual error: MLS1 should have a higher priority (e.g., 4096) and SW2 a lower priority (e.g., 0) to make SW2 root. The option does the opposite.

280
MCQhard

Exhibit: Users on SW2 in VLAN 30 can reach local devices but not hosts in VLAN 30 on SW1. What is the most likely reason?

A.The trunk native VLAN is 1 on both sides
B.VLAN 30 is not allowed on the trunk
C.SW2 must run VTP server mode
D.Spanning tree blocks all user VLANs by default
AnswerB

Correct choice.

Why this answer

The trunk is allowing only VLANs 10 and 20. Even though both switches have VLAN 30 defined locally, VLAN 30 traffic cannot cross the trunk unless that VLAN is allowed on the link. Option A is incorrect because the native VLAN (default 1) does not affect tagged VLAN 30 traffic, and native VLAN mismatch causes different issues.

Option C is incorrect because VTP is used for VLAN database synchronization, not for forwarding traffic over a trunk; switches do not need to be VTP servers to pass VLAN traffic. Option D is incorrect because spanning tree only blocks redundant paths to prevent loops, not all user VLANs by default.

Exam trap

Ensure you verify trunk configurations when VLAN traffic is not passing between switches, even if VLANs are correctly configured locally.

Why the other options are wrong

A

This option is incorrect because the native VLAN being set to 1 does not prevent VLAN 30 traffic from being transmitted across the trunk link. The issue lies in VLAN 30 not being allowed on the trunk, which is not addressed by the native VLAN setting.

C

This option is incorrect because VTP server mode is not required for VLANs to communicate across switches; VLAN configuration can be done independently on each switch. The issue in the question is related to trunking and VLAN allowance, not VTP mode.

D

Spanning Tree Protocol (STP) does not block all user VLANs by default; it only blocks specific ports to prevent loops. In this case, the issue is related to VLAN 30 not being allowed on the trunk, not STP blocking the VLAN.

281
MCQhard

A network administrator has several access points. All APs except one have successfully joined the wireless controller. The administrator verifies the failing AP’s IP address, subnet mask, and controller IP address are correctly configured. What is the most likely reason the AP cannot join the controller?

A.The AP has an incorrect default gateway for its subnet.
B.CAPWAP can be used only if the AP has no IP address.
C.The AP must use PPP instead of Ethernet to reach the controller.
D.The controller can support only 14 APs maximum.
AnswerA

If the AP's default gateway is wrong, it cannot send packets to the controller that resides on a different subnet, even if the IP address and controller discovery settings are correct.

Why this answer

The most likely cause is that the AP has an incorrect default gateway. For the AP to reach the controller (which may be on a different subnet), it needs a correct default gateway to route traffic. The other APs joined successfully, eliminating a controller-wide issue.

Option B is incorrect because CAPWAP requires an IP address; it does not work without one. Option C is incorrect because CAPWAP uses IP/UDP, not PPP. Option D is unlikely because there is no indication that the controller is at its AP limit; the problem affects only one AP, suggesting an individual misconfiguration.

Exam trap

Avoid assuming global issues when only one AP is affected; focus on individual AP configuration and connectivity.

Why the other options are wrong

B

CAPWAP tunnels require the AP to have an IP address; the statement is false.

C

CAPWAP operates over IP using UDP ports, not PPP.

D

The controller may have an AP capacity limit, but with only one AP failing and no evidence that the limit is 14, this is not the strongest explanation.

282
Matchingmedium

Match each trunking term to its most accurate meaning.

Matches

  • Link carrying multiple VLANs
  • Setting that restricts which VLANs may cross the trunk
  • VLAN associated with untagged traffic on the trunk
  • VLAN assigned to a normal endpoint-facing port

Why these pairings

These pairings match common trunking terms with their accurate definitions in networking.

Exam trap

Be careful not to confuse the native VLAN with tagged VLANs: native VLAN frames are untagged on a trunk. Also, remember that DTP is used for negotiation, not for configuration of native VLAN or allowed VLANs.

283
MCQhard

Refer to the exhibit. A network engineer notices that a user connected to GigabitEthernet0/5 cannot access the network. The engineer issues the show port-security interface GigabitEthernet0/5 command. Based on the output, what is the most likely cause of the issue?

A.The interface is administratively shut down.
B.An unauthorized device with a different MAC address was connected, triggering a port-security violation and placing the port in an error-disabled state.
C.The sticky MAC address feature is disabled, allowing any MAC address to cause a violation.
D.The maximum number of secure MAC addresses has been exceeded, causing the port to err-disable.
AnswerB

The output shows 'Port Status: Secure-shutdown' after a violation, a violation count of 3, and the 'Last Source Address' (aaaa.bbbb.cccc) differing from the sticky MAC. This confirms an unauthorized MAC triggered the violation and shut down the port.

Why this answer

The exhibit shows the port status as 'Secure-shutdown', which indicates the port has been error-disabled due to a port-security violation. The 'Last Source Address' (aaaa.bbbb.cccc) is different from the sticky MAC address, and the violation count is 3, proving an unauthorized device attempted to connect, causing the shutdown.

Exam trap

Many candidates incorrectly assume that the violation occurred because the maximum number of MAC addresses was exceeded, but the output shows Maximum MAC Addresses set to 1 and Total MAC Addresses also at 1, meaning the limit was not exceeded. The real trigger is the mismatched source MAC address.

Why the other options are wrong

A

A common misconception is that any down state is an admin shutdown, but Cisco IOS distinguishes 'Secure-shutdown' for port-security errdisable from 'administratively down'.

C

Some candidates misread the output and assume sticky is off, but the presence of a sticky MAC count proves it is active.

D

It is tempting to assume any violation with maximum 1 is due to exceeding the limit, but in this case the secure MAC is the original sticky address, and the violation is from a different unauthorized MAC, which still respects the limit count but fails the authorization check.
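
The reading of the exhibit above, turned into a small checker as an added example (not code from the original page): it parses constructed 'show port-security interface' output, decides whether the port is in Secure-shutdown, and compares the last source address against a constructed secure-address set to separate an unauthorized MAC from an exceeded limit.

```python
import re

# Constructed 'show port-security interface' output for this added example; it is
# modelled on the exhibit described above, not copied from it.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : aaaa.bbbb.cccc:10
Security Violation Count   : 3
"""

# Constructed secure-address table for the same port (what 'show port-security
# address' would list); the sticky MAC value is made up.
SECURE_MACS = {"0011.2233.4455"}

# 'key : value' rows; the key may itself contain a colon (Last Source Address:Vlan).
_ROW = re.compile(r"^\s*(?P<key>.+?)\s*:\s(?P<value>.*?)\s*$")


def parse_port_security(text):
    """Turn the show output into a dict of field name -> value string."""
    fields = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            fields[m["key"]] = m["value"]
    return fields


def diagnose(fields, secure_macs):
    """Classify the port the way the explanation above does: an err-disabled port
    whose last source address is not a secure address points at an unauthorized
    device, not at an exceeded address limit (max 1, total 1 is not 'exceeded')."""
    status = fields.get("Port Status", "")
    max_macs = int(fields.get("Maximum MAC Addresses", "0"))
    total_macs = int(fields.get("Total MAC Addresses", "0"))
    violations = int(fields.get("Security Violation Count", "0"))
    last_src = fields.get("Last Source Address:Vlan", "").split(":")[0]

    result = {
        "err_disabled": status == "Secure-shutdown",
        "sticky_enabled": int(fields.get("Sticky MAC Addresses", "0")) > 0,
        "violations": violations,
        "last_source": last_src,
        "limit_reached": total_macs >= max_macs,
    }
    if status == "Secure-shutdown" and violations > 0:
        result["cause"] = ("unauthorized-mac" if last_src not in secure_macs
                           else "other-violation")  # e.g. MAC secured on another port
    elif status == "Secure-down":
        result["cause"] = "link-down"      # no violation; the port simply has no link
    else:
        result["cause"] = "none"
    return result


def recovery_commands(interface, result):
    """Operator steps once the offending device is removed: the port has to be
    bounced (or errdisable recovery enabled); disabling port security alone does
    not clear Secure-shutdown."""
    if not result["err_disabled"]:
        return []
    return [f"interface {interface}", "shutdown", "no shutdown"]
```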

284
Drag & Dropmedium

Arrange the following steps in a valid configuration order. Note: VLANs must be created first, verification last. The access-port assignment and trunk configuration (steps B and C) can be performed in any order after VLAN creation.

Why this order

The only mandatory ordering is to create VLANs first (step A) and verify last (step D). Steps B (assign access ports) and C (configure trunking with native VLAN) have no technical dependency on each other: both require the VLANs to exist, but either can be done before the other. No fixed B→C sequence is implied, because that order is arbitrary.

Exam trap

Candidates often confuse the order of VLAN creation and port assignment. Remember: VLANs must exist before they can be assigned to any port. Also, verification is always the last step.

285
Matchingmedium

Match each switch security or protection feature to its most accurate purpose.

Matches

  • Limits and controls MAC address use on a switch port
  • Disables an edge port if a BPDU is received
  • Helps block rogue DHCP behavior and build trusted bindings
  • Validates ARP traffic using trusted information

Why these pairings

Each security feature protects against specific threats: port security limits MAC addresses, DHCP snooping blocks rogue DHCP servers, DAI validates ARP, storm control limits traffic storms, root guard enforces STP root placement, and BPDU guard protects against rogue BPDUs on access ports.

Exam trap

Do not confuse Port Security with other security features. Port Security limits MAC addresses; it does not inspect DHCP, ARP, or BPDU packets. Each feature has a distinct purpose.

286
MCQhard

Which command output would be the best next step to verify whether the port-channel is operational after configuration changes?

A.show etherchannel summary
B.show ip ospf neighbor
C.show ip route
D.show access-lists
AnswerA

This is correct because it directly verifies bundle status and member participation.

Why this answer

The best next step is to check EtherChannel status directly. In practical terms, after fixing the member-link configuration, the quickest verification is to inspect the summary output that shows whether the bundle exists and whether the member ports are actively participating. That is more direct than checking unrelated switching or routing tables.

This is a simulation-style 'what do you verify next' question, which is important for realistic CCNA prep.

Exam trap

Avoid confusing general interface or trunk status with specific EtherChannel status. Always use the command that directly addresses the feature in question.

Why the other options are wrong

B

The command 'show ip ospf neighbor' is used to display OSPF neighbor relationships, which is not directly related to verifying the operational status of a port-channel. This command would not provide information about the port-channel configuration or status.

C

The command 'show ip route' is used to display the routing table of a device, which does not provide information about the operational status of a port-channel after configuration changes.

D

The command 'show access-lists' is not relevant for verifying the operational status of a port-channel; it focuses on access control lists rather than link aggregation status.

287
PBQhard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both sides. The port-channel interface should be configured as a trunk allowing VLANs 10, 20, and 30. Initially, the EtherChannel fails to form due to mismatched speed/duplex on one link. Identify and correct the issue, then verify the channel is up and operational.

Network Topology
(Diagram: SW1 Gi0/1-Gi0/2 bundled as an EtherChannel to SW2 Gi0/1-Gi0/2.)

Hints

  • Check the speed and duplex settings on each member interface.
  • LACP requires all ports in the channel to have identical speed and duplex.
  • Use 'show interfaces status' to quickly see speed/duplex mismatches.

A.Change speed and duplex on Gi0/2 to 1000 and full, then verify with 'show etherchannel summary'.
B.Change the channel-group mode on Gi0/2 to passive, then verify with 'show etherchannel summary'.
C.Change the allowed VLANs on the port-channel to include only VLAN 1, then verify with 'show etherchannel summary'.
D.Change the port-channel interface to access mode, then verify with 'show etherchannel summary'.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full

Why this answer

The EtherChannel fails because GigabitEthernet0/2 has speed 100 and duplex half, while GigabitEthernet0/1 has speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To resolve, change the speed and duplex on Gi0/2 to match Gi0/1: 'speed 1000' and 'duplex full'.

After correction, the channel will bundle. Verify with 'show etherchannel summary' to see both ports in the 'P' (bundled) state.

Exam trap

Do not confuse Layer 1 issues (speed/duplex) with Layer 2 configuration (VLANs, trunking) or LACP mode settings. Always check physical parameters first when an EtherChannel fails to form.

Why the other options are wrong

B

The specific factual error is that LACP modes must be compatible (active-active or active-passive), but the question states both sides are active, so mode is not the issue.

C

The specific factual error is that VLAN settings are irrelevant to the physical bundling of ports in an EtherChannel.

D

The specific factual error is that interface mode is a Layer 2 property unrelated to the physical bundling process.
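
The member-port consistency rule from question 274 (mode, VLAN settings, speed, duplex) and the 'show interfaces status' hint from this question, as an added example that is not part of the original page: it parses constructed status rows, reports every attribute that differs between member ports, and encodes the LACP mode-pairing rule mentioned under option B.

```python
import re
from dataclasses import dataclass

# Constructed 'show interfaces status' rows for the two member ports in the
# scenario above (example data, not output from the original page).
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    trunk      full    1000  10/100/1000BaseTX
Gi0/2                        connected    trunk      half     100  10/100/1000BaseTX
"""

# The Name column may be empty, so the row is anchored on the Status keyword.
_ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)


@dataclass(frozen=True)
class MemberPort:
    port: str
    status: str
    vlan: str      # 'trunk', 'routed' or the access VLAN number
    duplex: str    # 'full' / 'half' (auto-negotiated 'a-' prefix stripped)
    speed: str     # '100', '1000', ... ('a-' prefix stripped)


def parse_interfaces_status(text):
    """Parse the table rows; the header and blank lines do not match _ROW."""
    ports = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        ports.append(MemberPort(
            port=m["port"], status=m["status"], vlan=m["vlan"],
            duplex=m["duplex"].removeprefix("a-"),
            speed=m["speed"].removeprefix("a-")))
    return ports


def bundle_mismatches(ports):
    """Attributes that must be identical on every member before the bundle
    forms: speed, duplex and the port mode / VLAN column. [] means consistent."""
    problems = []
    ref = ports[0]
    for p in ports[1:]:
        for attr in ("speed", "duplex", "vlan"):
            mine, theirs = getattr(p, attr), getattr(ref, attr)
            if mine != theirs:
                problems.append(f"{p.port} {attr}={mine} differs from {ref.port} {attr}={theirs}")
    return problems


def lacp_forms(local_mode, remote_mode):
    """LACP channel-group pairing: at least one end must be 'active';
    'on' is a static bundle with no protocol and only pairs with 'on'."""
    if "on" in (local_mode, remote_mode):
        return local_mode == remote_mode
    return "active" in (local_mode, remote_mode)
```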

288
MCQeasy

An AP broadcasts the correct SSID, but many clients on one floor experience poor performance while the same SSID works well on another floor. Which category of issue is most strongly suggested first?

A.A radio-frequency or local wireless environment issue on that floor
B.The SSID name must be misspelled only on that floor
C.BGP autonomous system mismatch
D.IPv6 loopback addressing on the clients
AnswerA

This is correct because the problem is location-specific while the SSID itself works elsewhere.

Why this answer

The issue is location-specific, with performance problems only on one floor. This strongly suggests a local radio frequency (RF) or wireless environment issue such as interference, signal attenuation, or channel congestion on that floor. The SSID is correctly broadcast because clients on other floors connect successfully, so option B (misspelling) is not plausible.

Options C and D are unrelated to wireless performance: BGP is a routing protocol not used in basic WLAN deployments, and IPv6 loopback addressing does not affect client connectivity or throughput. Therefore, the most direct and likely first suspect is an RF or environmental issue on that specific floor.

Exam trap

Avoid assuming that SSID issues are always configuration-related; consider environmental factors when performance issues are location-specific.

Why the other options are wrong

B

An SSID misspelling would prevent all clients from seeing the SSID, but since clients on other floors connect successfully, this cannot be the issue.

C

BGP autonomous system mismatch is a routing protocol concept unrelated to wireless LAN performance issues and would not cause performance problems on a single floor.

D

IPv6 loopback addressing is a configuration detail that does not impact wireless client performance or connectivity in a local-area network context.

289
MCQhard

A trunk is up between two switches, but traffic for VLAN 40 fails while other VLANs work. Which output item should be checked first?

A.Whether VLAN 40 is included in the allowed VLAN list on the trunk
B.Whether the router ID matches on both switches
C.Whether NetFlow is enabled on the VLAN
D.Whether NTP is synchronized on the switches
AnswerA

This is correct because a missing VLAN in the allowed list is a common cause of one-VLAN failure on an otherwise working trunk.

Why this answer

The first thing to check is whether VLAN 40 appears in the trunk’s allowed VLAN list. In practical terms, this is a selective failure, not a total trunk failure. Since other VLANs are crossing successfully, the link is operational. That strongly suggests one VLAN is being excluded rather than the trunk being generally broken.

This is one of the most common VLAN troubleshooting patterns in switching.

Exam trap

Avoid assuming a total trunk failure when only one VLAN is affected. Focus on VLAN-specific configurations.

Why the other options are wrong

B

This option is wrong because the router ID is relevant for routing protocols, not for VLAN traffic issues on a trunk link. The problem specifically pertains to VLAN 40 traffic, which is not influenced by router IDs.

C

NetFlow is a network protocol used for collecting IP traffic information, but it does not directly affect VLAN traffic flow on a trunk link. Therefore, checking if NetFlow is enabled does not address the issue of VLAN 40 traffic failure.

D

NTP synchronization is not directly related to VLAN traffic issues on a trunk link; it primarily affects time-sensitive protocols. Therefore, checking NTP synchronization would not help diagnose why VLAN 40 traffic is failing.

290
MCQhard

A switchport connected to another switch is configured with `switchport mode dynamic auto` on both ends. What is the most likely outcome if neither side actively negotiates trunking?

A.The link is likely to remain non-trunking because both sides are waiting passively.
B.The link always becomes a trunk immediately.
C.The link becomes a routed Layer 3 link.
D.All VLANs are deleted from both switches.
AnswerA

This is correct because dynamic auto on both ends does not normally force trunk formation.

Why this answer

If both ends are set to dynamic auto, the most likely outcome is that the link does not become a trunk automatically. In plain language, both interfaces are waiting passively for the other side to initiate the negotiation. Since neither side is actively trying to form the trunk, the link typically remains non-trunking unless one side is changed to a more active mode or trunk is configured directly.

This is a classic DTP behavior question because it tests whether you understand the difference between active and passive negotiation roles. The correct answer is the one that reflects the passive nature of dynamic auto on both sides.

Exam trap

Be careful not to confuse dynamic auto with dynamic desirable. Only dynamic desirable actively negotiates trunking.

Why the other options are wrong

B

This option is wrong because `switchport mode dynamic auto` does not force immediate trunking; it relies on negotiation, and if neither side actively negotiates, the link remains non-trunking.

C

This option is wrong because a switchport configured with `switchport mode dynamic auto` does not automatically convert to a routed Layer 3 link unless explicitly configured to do so. The default behavior is to remain in access mode unless trunking is negotiated.

D

Option D is incorrect because configuring `switchport mode dynamic auto` does not delete VLANs; it merely affects trunk negotiation. VLANs remain configured on the switches regardless of trunking status.

291
MCQ · hard

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

A. Alternate port
B. Root port
C. Designated port
D. Disabled port
Answer: B

Correct. Lowest-cost path to the root becomes the root port.

Why this answer

On a non-root switch, the port with the lowest path cost toward the root bridge becomes the root port. The higher-cost uplink would become an alternate (blocked) port. A designated port is found on the upstream switch toward this switch, not on the non-root switch itself.

A disabled port is administratively shut down, which does not apply here.

Exam trap

Remember, the root port is determined by the lowest path cost to the root bridge, not by any other criteria.

Why the other options are wrong

A

The higher-cost uplink becomes an alternate (blocked) port, not the lower-cost one.

C

A designated port exists on the upstream switch toward this switch, not on the non-root switch.

D

A disabled port is administratively shut down, not a port with a lower STP cost.

292
MCQ · hard

Clients in VLAN 30 are not receiving addresses from the DHCP server located in VLAN 99. Which configuration change should be made on the Layer 3 interface for VLAN 30?

A. Add `ip dhcp snooping trust` under interface Vlan30.
B. Add `switchport mode trunk` under interface Vlan30.
C. Add `ip default-gateway 10.99.99.20` under interface Vlan30.
D. Add `ip helper-address 10.99.99.20` under interface Vlan30.
Answer: D

This is correct because the SVI for VLAN 30 is the interface that receives the client DHCP broadcasts. By adding `ip helper-address 10.99.99.20`, the Layer 3 device forwards the request as a unicast packet to the DHCP server in VLAN 99.

Why this answer

The DHCP server is on a different subnet, so the client broadcast messages from VLAN 30 will not naturally cross the Layer 3 boundary. In simple terms, the clients are asking for an address by shouting on their own floor of the building, but the server lives on another floor and cannot hear that broadcast directly. The router or Layer 3 switch must relay the request for them. On Cisco devices, that relay function is usually configured with `ip helper-address` on the interface that receives the client broadcasts.

Here, that receiving interface is Vlan30, because that is the default gateway for the clients in VLAN 30. Pointing `ip helper-address` to 10.99.99.20 tells the Layer 3 device to forward DHCP requests to the remote server. DHCP snooping trust is a separate security feature, trunk mode is unrelated to an SVI, and `ip default-gateway` is not the correct solution for relaying DHCP across subnets.

Exam trap

Remember that DHCP snooping and trunk mode do not facilitate DHCP relay. Focus on the purpose of `ip helper-address` for relaying requests across VLANs.

Why the other options are wrong

A

This option is wrong because enabling DHCP snooping trust on VLAN 30 does not facilitate communication with the DHCP server in VLAN 99; it only protects against rogue DHCP servers.

B

Adding `switchport mode trunk` under interface Vlan30 is incorrect because VLAN 30 is already configured as a Layer 3 interface, and trunking is not applicable to Layer 3 interfaces. This command is used on Layer 2 interfaces to allow multiple VLANs over a single link.

C

This option is wrong because the command `ip default-gateway` is used to set a default gateway for a Layer 2 device, not to enable DHCP relay on a Layer 3 interface. Clients in VLAN 30 need a helper address to reach the DHCP server in VLAN 99.

293
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure BPDU Guard, Loop Guard, and Root Guard on a Cisco switch.

Why this order

The correct order starts by entering global configuration mode, then globally enabling PortFast on all access ports to allow immediate transition to forwarding state. BPDU Guard is then enabled globally on all PortFast-enabled ports to protect against unauthorized switches. Next, Loop Guard is enabled globally to prevent loops from unidirectional links.

Afterwards, the specific uplink interface is selected and Root Guard is applied to prevent a rogue switch from becoming the root bridge. This sequence follows Cisco best practices: apply fast convergence first, then protect the edge with BPDU Guard, apply loop prevention globally, and finally secure core links with Root Guard.

294
MCQ · hard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues for hosts on VLAN 50 on SW1. The hosts on VLAN 50 cannot reach any devices outside SW1, even though the trunk link between SW1 and SW2 is up. The administrator issues the `show interfaces GigabitEthernet0/1 trunk` command on SW1. Based on the output, what is the most likely cause of the issue?

A. The native VLAN on the trunk is misconfigured, causing VLAN 50 traffic to be dropped.
B. The trunk is operating in access mode instead of trunk mode, preventing VLAN 50 traffic.
C. VLAN 50 is not in the allowed VLAN list on the trunk.
D. Spanning tree protocol has blocked the trunk port for VLAN 50, isolating the hosts.
Answer: C

The exhibit explicitly shows the allowed VLANs as '1-49,60-4094', which omits VLAN 50. This prevents traffic for VLAN 50 from traversing the trunk.

Why this answer

The `show interfaces GigabitEthernet0/1 trunk` output lists the allowed VLANs on the trunk. If VLAN 50 is not included in the allowed VLAN list, traffic from VLAN 50 will be dropped at the trunk, preventing hosts on SW1 from reaching devices outside SW1. This is the most likely cause because the trunk is up but VLAN 50 traffic is not forwarded.

Exam trap

Cisco often tests the distinction between native VLAN misconfiguration and allowed VLAN list misconfiguration, where candidates mistakenly attribute all trunk issues to native VLAN mismatches rather than checking the allowed VLAN list.

Why the other options are wrong

A

This option rests on the common misunderstanding that a native VLAN mismatch drops tagged VLAN traffic.

B

This option results from misreading the output; the trunk is up and operating in trunking mode, so access mode is not the problem.

D

This option confuses spanning tree blocking with allowed-VLAN filtering; the output shows no blocking state, only the absence of VLAN 50 from the allowed list.

295
MCQ · hard

A switch port connected to an end host is configured with both PortFast and BPDU Guard. What is the most likely outcome if a small switch is connected there and starts sending BPDUs?

A. The port is error-disabled by BPDU Guard.
B. The port automatically becomes the root port.
C. The port converts into a trunk for the attached switch.
D. The port ignores the BPDU because PortFast disables STP entirely.
Answer: A

This is correct because BPDU Guard disables the edge port when a BPDU is received.

Why this answer

BPDU Guard places the port into an error-disabled state upon receiving a BPDU, because PortFast defines the port as an edge port that should never receive BPDUs. Option B is incorrect because receiving a BPDU does not automatically make a port a root port; root port selection depends on bridge ID and path cost, and BPDU Guard prevents further STP processing by disabling the port. Option C is incorrect because a port cannot convert to a trunk solely by receiving a BPDU; trunking requires manual configuration or Dynamic Trunking Protocol (DTP).

Option D is incorrect because PortFast does not disable STP entirely; it only speeds up initial convergence, and BPDU Guard actively responds to BPDUs by error-disabling the port.

Exam trap

Remember, BPDU Guard is about protection, not ignoring or processing BPDUs. It disables the port to prevent loops.

Why the other options are wrong

B

This option is wrong because a port configured with PortFast and BPDU Guard will not automatically become the root port when it receives BPDUs; instead, it will be error-disabled due to BPDU Guard's protective mechanism.

C

This option is incorrect because a port configured with PortFast and BPDU Guard does not convert to a trunk when receiving BPDUs; instead, BPDU Guard will disable the port to prevent potential loops.

D

This option is incorrect because PortFast does not disable Spanning Tree Protocol (STP) entirely; it only allows the port to transition to the forwarding state immediately without waiting for STP convergence. BPDU Guard will still take effect if BPDUs are received on a PortFast-enabled port.

296
Matching · medium

Match each trunking or switchport term to its most accurate description.

A switch link that can carry multiple VLANs

A switchport that normally belongs to one VLAN for endpoint traffic

The VLAN associated with untagged traffic on an 802.1Q trunk

The setting that restricts which VLANs a trunk may carry

Why these pairings

These terms define how switchports handle VLAN traffic in trunking environments.

Exam trap

Candidates often confuse terms like 'access port' and 'trunk port' or mistake protocols (802.1Q) and properties (native VLAN) for port types. Focus on the function: trunk ports carry multiple VLANs; access ports carry one; 802.1Q is the tagging method; native VLAN is the untagged VLAN on a trunk.

297
Multi-Select · medium

Which three of the following are functions of the Spanning Tree Protocol (STP) in a switched network? (Choose three.)

A. STP prevents loops by placing redundant ports into a blocking state, leaving only one active path between any two network segments.
B. STP elects a root bridge based on the lowest bridge ID (priority + MAC address).
C. STP ensures that all ports on a non-root bridge eventually become root ports.
D. STP uses BPDUs to exchange topology information between switches.
E. STP automatically load-balances traffic across all redundant links equally.
F. STP transitions a port from blocking to forwarding immediately after the Max Age timer expires.
Answer: A, B, D

Why this answer

STP prevents loops by placing redundant ports into a blocking state, ensuring only one active logical path exists between any two network segments (option A). It elects a root bridge based on the lowest bridge ID (priority + MAC address) to serve as the reference for all path calculations (option B). STP uses Bridge Protocol Data Units (BPDUs) to exchange topology information between switches (option D).

Option C is false because only one port per non-root bridge becomes the root port; the others are designated or alternate/blocking ports. Option E is false because STP does not load-balance; it blocks redundant links to prevent loops, and load-balancing requires techniques like EtherChannel or Multiple Spanning Tree. Option F is false because after Max Age expires, a port transitions from blocking to listening, then learning, and finally forwarding (each with its own timer); it does not transition immediately to forwarding.

Exam trap

Cisco often tests the misconception that STP makes all ports on a non-root bridge become root ports, when in fact only one port per bridge is elected as the root port, and the rest become designated or alternate/blocking ports.

298
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunks with a native VLAN, and verify the configuration using show commands.

Why this order

The correct sequence ensures VLANs exist before any port assignment or trunk configuration. Creating VLANs first is essential because both access and trunk ports depend on VLANs being present. Access port assignment and trunk configuration are independent steps that can occur in either order after VLANs are created.

Verification using `show vlan brief`, `show interfaces trunk`, and `show interfaces switchport` is always the final step to confirm the setup.

Exam trap

A common mistake is to attempt assigning ports to VLANs before the VLANs exist, which will be rejected. Additionally, some learners mistakenly think trunk configuration must follow access port assignment, but the order between these two steps is interchangeable as long as VLANs are created first.

299
MCQ · hard

Refer to the exhibit. A network administrator connects an IP phone to interface GigabitEthernet1/0/1 on a Cisco Catalyst switch. The PC connected through the phone works normally on the data VLAN, but the phone cannot obtain an IP address and fails to register with the call server. Which action will resolve the problem?

A. Configure `switchport trunk allowed vlan 10,20` on interface Gi1/0/1 and change the switchport mode to trunk.
B. Add `switchport voice vlan 20` on interface GigabitEthernet1/0/1.
C. Issue `switchport access vlan 20` and `switchport voice vlan 10` on interface Gi1/0/1.
D. Enable `switchport port-security mac-address sticky` on the interface and manually add the phone's MAC address to the access VLAN.
Answer: B

This command enables the access port to support a voice VLAN, telling the phone to tag voice frames with VLAN 20 while leaving data in VLAN 10.

Why this answer

The PC works on the data VLAN, but the phone cannot obtain an IP address, indicating the phone is not receiving the correct VLAN assignment. The phone should be placed in the voice VLAN (VLAN 20) using the `switchport voice vlan 20` command, which makes the switch advertise VLAN 20 to the phone via CDP/LLDP so the phone tags its voice traffic with VLAN 20 and can obtain an IP address from the voice VLAN DHCP server.

Exam trap

Cisco often tests the distinction between `switchport access vlan` (for data) and `switchport voice vlan` (for voice), and the trap here is that candidates may confuse which VLAN is assigned to which device, or incorrectly think trunking is required for a phone connection.

Why the other options are wrong

A

A trunk port does not provide the voice VLAN advertisement mechanism to the phone; the PC would need to send tagged frames, which typical endpoint NICs do not do.

C

The phone requires access to VLAN 20 for voice services, and the PC must remain in VLAN 10 for data; this configuration does the opposite, failing to meet the requirement.

D

The phone still cannot learn the voice VLAN; port security does not provide a DHCP address or make the switch advertise VLAN 20 to the phone.

300
MCQ · hard

A network engineer notices that an uplink port on a distribution switch has moved to a root-inconsistent state and is blocking traffic. The port is configured with Root Guard and is connected to a new access switch. The new access switch has a lower bridge priority than the current root bridge. What is the most likely cause?

A. BPDU Guard has errdisabled the port because a BPDU was received on an access port.
B. BPDU Filter is blocking inbound BPDUs, causing the switch to fail to detect the topology change and isolate the port.
C. Root Guard has placed the port into root-inconsistent state because the new switch advertised a superior BPDU.
D. Loop Guard has detected a unidirectional link and placed the port in a blocking state to prevent a loop.
Answer: C

Root Guard is designed to prevent the port from becoming a root port. Upon receiving a superior BPDU (lower bridge ID), it places the port in root-inconsistent state, effectively blocking traffic. This directly matches the symptom described.

Why this answer

The port moved to root-inconsistent because Root Guard is enabled. Root Guard detects superior BPDUs (lower bridge ID) and immediately places the port in a broken state (root-inconsistent) to prevent the new switch from becoming the root bridge, thereby blocking traffic. This matches the symptom perfectly.

Other features would manifest differently.

Exam trap

Option A (BPDU Guard) is the most common trap because both BPDU Guard and Root Guard react to BPDUs, but BPDU Guard errdisables the port when any BPDU is received, not specifically causing a root-inconsistent state. Candidates often confuse these two features.

Why the other options are wrong

A

Candidates mistakenly equate BPDU Guard with any BPDU-induced blocking, but the state 'root-inconsistent' is specific to Root Guard.

B

Candidates may think that filtering BPDUs leads to port isolation, but BPDU Filter would not trigger a protective state like root-inconsistent.

D

Candidates often confuse Loop Guard and Root Guard because both can cause inconsistent states, but Loop Guard triggers loop-inconsistent, not root-inconsistent, and is triggered by BPDU loss, not receipt of superior BPDUs.
