CCNA VLAN Questions

75 of 278 questions · Page 1/4 · VLAN topic · Answers revealed

1
Multi-Selectmedium

A router is configured as a DHCP server for VLAN 20. Clients on the VLAN can reach the default gateway, but they do not receive leases. Which two configuration issues on the router would directly prevent successful address assignment?

Select 2 answers
A.The excluded-address range removes the entire usable subnet
B.The DHCP pool is missing a dns-server statement
C.The subinterface lacks an ip helper-address
D.There are no available addresses left in the defined pool
AnswersA, D

Excluding 10.20.20.1 through 10.20.20.254 leaves nothing assignable for clients.

Why this answer

The router can serve DHCP locally without an ip helper-address. The real problem is that the excluded-address range consumes every usable host address, leaving the pool with no assignable leases.

Exam trap

A common exam trap is to incorrectly assume that missing optional DHCP parameters, such as the dns-server statement, or the absence of an ip helper-address on the subinterface, will prevent clients from receiving leases. Candidates may also overlook the impact of the excluded-address command consuming the entire subnet range, mistakenly thinking the router’s DHCP service is functioning correctly because clients can ping the gateway. The real issue is that no IP addresses remain available to assign, which is a subtle but critical configuration error that directly causes DHCP lease failures.

Why the other options are wrong

B

Incorrect because the dns-server statement is optional; its absence does not prevent the DHCP server from assigning IP addresses to clients.

C

Incorrect because the ip helper-address command is only necessary when forwarding DHCP requests across subnets, not when the router itself is the DHCP server on the VLAN.

2
MCQhard

Refer to the exhibit. A network administrator is troubleshooting a trunk link between SW1 and SW2. The trunk on interface GigabitEthernet0/0 on SW1 is not passing traffic, and all VLANs are isolated. The administrator issues the command 'show interfaces GigabitEthernet0/0 trunk' on SW1. What is the most likely cause of the issue?

A.The native VLAN is mismatched between SW1 and SW2.
B.The interface is configured as an access port instead of a trunk.
C.The interface is administratively shut down.
D.The trunk encapsulation is set to ISL on SW1, but the peer switch only supports 802.1Q.
AnswerD

The Encapsulation column shows 'isl', and the Status is 'not-trunking'. This confirms that SW1 is using ISL, which is incompatible with the peer's 802.1Q-only support, preventing trunk establishment.

Why this answer

The 'show interfaces GigabitEthernet0/0 trunk' output explicitly displays encapsulation 'isl' and status 'not-trunking'. This indicates that the port is configured for ISL encapsulation, but the trunk is not operational. Since the peer switch only supports 802.1Q, the encapsulation mismatch prevents the trunk from forming, causing the traffic isolation.

Exam trap

Option A is commonly chosen because candidates often suspect a native VLAN mismatch when trunk issues arise. However, the exhibit shows the native VLAN is 1 (default) and does not indicate any mismatch; the real cause is the ISL encapsulation setting.

Why the other options are wrong

A

Native VLAN mismatches can cause traffic to leak between VLANs, but they do not prevent a trunk from becoming operational. The output clearly shows the encapsulation type as ISL, not a native VLAN problem.

B

Candidates might assume a misconfigured mode causes the issue, but the exhibit confirms the port is in trunk mode ('on' mode).

C

New learners might equate 'not-trunking' with a shutdown state, but 'admin down' is a distinct status. The port is operationally unable to trunk, not manually disabled.

3
Drag & Dropmedium

Drag and drop the following steps into the correct order to implement DHCP services for clients in VLAN 10 using a centralized DHCP server in VLAN 20 and to protect the network with DHCP snooping.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The correct order requires the DHCP server to be configured first so it can respond to requests. Then the IP helper-address is configured on the default gateway interface for VLAN 10 to forward client broadcasts to the server. Next, DHCP snooping is enabled globally, followed by identifying the trusted port to the server (to allow DHCP replies), and then snooping is enabled on the client VLAN.

Finally, a client connection triggers a DHCP transaction that you can verify with the snooping binding table.

4
MCQhard

An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. What is the most likely cause of the failure?

A.Re-authenticate the phone using 'dot1x reauthenticate interface Gi1/0/1'
B.Configure 'authentication host-mode multi-domain' on the interface
C.Add 'switchport voice vlan 10' under the interface
D.Change the port to 'authentication port-control force-authorized'
AnswerB

This command allows the switch to authorize both data and voice domains separately on the same port, enabling the phone to receive the voice VLAN.

Why this answer

The correct answer is B because in a voice VLAN deployment with 802.1X, the switchport must be configured with 'authentication host-mode multi-domain' to allow both a data device (phone) and a voice device (PC behind the phone) to authenticate separately. Without this mode, the port defaults to single-host mode, which prevents the phone from receiving the voice VLAN and keeps it in an unauthenticated state.

Exam trap

The trap here is that candidates often assume the issue is a missing voice VLAN command or an authentication failure, but Cisco specifically tests the requirement for multi-domain host mode when voice VLAN is used with 802.1X.

Why the other options are wrong

A

Re-authentication forces the phone to re-authenticate, but the port remains in single-host mode, which only allows one authenticated device. The phone's data and voice domains are not separated, so the voice VLAN assignment still fails.

C

The voice VLAN is already configured with 'switchport voice vlan 10' as stated in the scenario. The issue is not the VLAN definition but the authentication domain separation; the phone remains unauthenticated because the port cannot assign the voice VLAN without proper multi-domain support.

D

Setting 'authentication port-control force-authorized' bypasses 802.1X authentication entirely, which defeats the purpose of port-based security. It would allow the phone to connect without authentication, but the voice VLAN assignment still requires proper domain handling; moreover, this is not a secure solution.

5
MCQmedium

Two switches are connected by an 802.1Q trunk. CDP reports a native VLAN mismatch. Which issue is most likely to appear because of this?

A.Untagged traffic may be placed into different VLANs on each switch.
B.All tagged traffic on the trunk is dropped immediately.
C.STP is disabled on the trunk link.
D.The trunk automatically converts to an access port.
AnswerA

That is the classic symptom of a native VLAN mismatch.

Why this answer

A native VLAN mismatch can cause untagged traffic sent on one side to be placed into a different VLAN on the other side. That leads to confusing connectivity issues and can also create security concerns. It does not automatically disable the trunk.

Exam trap

A common exam trap is to believe that a native VLAN mismatch causes the trunk link to shut down or block all traffic. In reality, only untagged traffic is affected, and tagged VLAN traffic continues to pass normally if allowed VLANs match. Another mistake is thinking the trunk automatically converts to an access port, which Cisco switches do not do.

Candidates may also overlook that STP remains enabled and functional despite the mismatch. Focusing only on trunk status without considering untagged traffic behavior leads to incorrect answers.

Why the other options are wrong

B

This is incorrect because tagged traffic on the trunk is not dropped due to a native VLAN mismatch; tagged frames continue to be forwarded normally if VLANs are allowed on both sides.

C

This option is wrong since a native VLAN mismatch does not disable Spanning Tree Protocol; STP continues to operate normally on the trunk link.

D

This is incorrect because Cisco switches do not automatically convert a trunk port to an access port due to a native VLAN mismatch; the trunk remains active.

6
PBQhard

You are connected to the console of a Catalyst 2960+ switch named SW2. Configure the switch so that the IP phone connected to interface FastEthernet0/5 receives power via PoE and uses VLAN 150 for voice traffic, while the PC connected through the phone uses VLAN 50 for data. Additionally, the access point connected to interface FastEthernet0/10 must receive PoE and be placed in VLAN 100. Assume the interfaces are already correctly configured as access ports in VLAN 50 and VLAN 100, respectively. Verify your configuration using the appropriate show commands.

Network Topology
Fa0/5Fa0/10SW2IP PhoneAccess Point

Hints

  • Use 'switchport voice vlan' to define the voice VLAN on an access port.
  • Enable PoE on a port with 'power inline auto'.
  • Verify voice VLAN with 'show interfaces switchport' and PoE with 'show power inline'.
A.On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces switchport and show power inline.
B.On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: switchport access vlan 100, power inline auto. Verify with show interfaces switchport and show power inline.
C.On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show vlan and show power inline.
D.On interface FastEthernet0/5: switchport voice vlan 150, power inline auto. On interface FastEthernet0/10: power inline auto. Verify with show interfaces trunk and show power inline.
AnswerA
solution
! SW2
configure terminal
interface FastEthernet0/5
switchport voice vlan 150
power inline auto
interface FastEthernet0/10
power inline auto
end

Why this answer

The switch had no voice VLAN or PoE configured on the ports. On FastEthernet0/5, you need to add 'switchport voice vlan 150' to separate voice traffic from data, and 'power inline auto' to enable PoE for the IP phone. On FastEthernet0/10, you only need to enable PoE with 'power inline auto' because the AP already has its access VLAN set.

After configuration, 'show interfaces switchport' will confirm the voice VLAN, and 'show power inline' will verify PoE status.

Exam trap

Avoid adding unnecessary commands like setting the access VLAN on a port that already has it configured. Also, use the correct show command: show interfaces switchport for voice VLAN, not show vlan or show interfaces trunk.

Why the other options are wrong

B

The error is adding an unnecessary access VLAN command for the AP port, which is not required and could conflict with existing configuration.

C

The error is using show vlan instead of show interfaces switchport to verify voice VLAN on a port.

D

The error is using show interfaces trunk, which is for trunk ports, not for verifying voice VLAN on an access port.

7
MCQmedium

Two switches are connected by an 802.1Q trunk. Hosts in VLAN 30 cannot communicate across the link, but VLAN 10 works. What is the most likely cause?

A.VLAN 30 is missing from the allowed VLAN list on SW2
B.VLAN 10 must be removed for VLAN 30 to pass
C.The trunk should use ISL instead of 802.1Q
D.The port on SW1 should be changed to access mode
AnswerA

SW2 is only allowing VLANs 10 and 20.

Why this answer

When one VLAN works across a trunk but another does not, the most likely cause is that the failing VLAN is missing from the allowed VLAN list on one or both switches. This is often confirmed by a 'show interfaces trunk' command. Option B is incorrect because removing VLAN 10 would break an already working VLAN and does not address VLAN 30.

Option C is incorrect because both ISL and 802.1Q carry multiple VLANs; the issue is not the encapsulation protocol. Option D is incorrect because changing a trunk port to access mode would disable the trunk entirely, preventing all VLAN traffic.

Exam trap

Beware of confusing native VLAN issues with allowed VLAN list configurations. Native VLAN problems affect untagged traffic, not specific VLANs.

Why the other options are wrong

B

Removing VLAN 10 from the allowed list would break an already functioning VLAN and would not fix VLAN 30.

C

Both ISL and 802.1Q support multiple VLANs; the problem is not the trunking protocol but the allowed VLAN list.

D

Changing a trunk port to access mode would terminate the trunk, preventing all VLAN traffic across the link.

8
MCQhard

A switchport connected to another switch should carry VLANs 10, 20, and 30. The interface is operational, but only VLAN 10 works. VLANs 20 and 30 fail. Which explanation is most likely if the port was accidentally configured as an access port in VLAN 10?

A.The interface is carrying only VLAN 10 because an access port does not transport multiple VLANs like a trunk.
B.VLAN 20 and 30 require different IP subnet masks on the switches.
C.Every inter-switch link must use a routed port instead of a trunk.
D.STP blocks all VLANs except VLAN 10 by design.
AnswerA

This is correct because an access-port misconfiguration explains why only the configured VLAN works.

Why this answer

The correct answer is A because an access port is limited to a single VLAN, so only VLAN 10 traverses the link. Option B is incorrect: IP subnet masks are irrelevant on switchports that operate at Layer 2. Option C is incorrect: inter-switch links typically use trunk ports, not routed ports.

Option D is incorrect: STP does not block based on VLAN IDs; it blocks redundant paths, not specific VLANs.

Exam trap

Be careful not to confuse access port limitations with trunk configuration issues. Always verify the port mode when troubleshooting VLAN connectivity.

Why the other options are wrong

B

IP subnet masks are Layer 3 concepts and do not affect Layer 2 VLAN propagation across a switchport. The issue here is purely Layer 2, related to the switchport mode (access vs. trunk), not IP addressing. VLANs 20 and 30 would still fail regardless of subnet mask configuration.

C

Routed ports are Layer 3 interfaces used for routing between networks, not for carrying multiple VLANs. The standard method for carrying multiple VLANs between switches is to use a trunk port, which tags frames with VLAN IDs. A routed port would not solve the issue and would break Layer 2 connectivity.

D

STP (Spanning Tree Protocol) prevents loops by blocking redundant paths, but it does not selectively block specific VLANs based on their VLAN ID. If STP were blocking VLANs 20 and 30, it would be due to a misconfiguration like PVST+ inconsistencies, not by design. The scenario describes a simple access port misconfiguration, not an STP issue.

9
Drag & Drophard

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to first exclude addresses to prevent the DHCP server from leasing reserved or gateway IPs, then create and configure the DHCP pool (network, default gateway), next enable DHCP relay on the required interface, and finally verify. Option D follows this Cisco best practice. Option A risks assigning excluded addresses because the pool is created before exclusions.

Options B and C place relay setup before the pool is fully configured, which is incorrect.

Exam trap

Candidates often mistakenly create the DHCP pool before excluding addresses, which can lead to the server leasing addresses intended to be reserved. Always configure exclusions first, then the pool, then relay, then verify.

10
MCQhard

A switchport is configured as an access port in VLAN 10, but a user plugs in a small unmanaged switch and connects multiple devices behind it. Which security feature most directly limits that behavior at the switchport?

B.OSPF authentication
C.NetFlow
D.NTP
AnswerA

This is correct because port security can limit MAC addresses learned on the port.

Why this answer

Port security most directly limits that behavior because it can restrict how many MAC addresses are learned on the switchport. In practical terms, if the interface is supposed to support one endpoint but suddenly begins presenting multiple MAC addresses from a downstream mini-switch, port security can detect and react to that change.

This is a classic access-layer control question. VLAN assignment alone does not limit how many devices appear behind the port.

Exam trap

A frequent exam trap is assuming that VLAN assignment alone restricts the number of devices behind a switchport. VLANs only segregate traffic logically and do not prevent multiple MAC addresses from appearing on a port. Another common mistake is selecting unrelated options like OSPF authentication, which secures routing protocol exchanges but does not control Layer 2 access.

NetFlow and NTP are also unrelated to limiting connected devices. The key is recognizing that only port security directly limits how many MAC addresses can be learned on a port, thus controlling the number of connected devices.

Why the other options are wrong

B

OSPF authentication is unrelated to switchport security; it protects routing protocol exchanges but does not control physical or MAC-level access on a switchport.

C

NetFlow is a traffic monitoring tool that provides visibility into network flows but does not enforce any limits on the number of devices connected to a switchport.

D

NTP is used for time synchronization across network devices and does not provide any mechanism to restrict or control devices connected to a switchport.

11
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure inter‑VLAN routing between VLANs 10 and 20, using a router‑on‑a‑stick with VLAN 99 as the native VLAN on the trunk link.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6
7Step 7

Why this order

The correct order is: first create VLANs on the switch to define the VLAN database. Second, assign switch ports to the appropriate VLANs so that end hosts are placed in their correct broadcast domains. Third, configure the switch port facing the router as an 802.1Q trunk and set the native VLAN to 99 – this allows tagged traffic from multiple VLANs to traverse a single link while matching the native VLAN on both sides.

Fourth, enable the router's physical interface (no shutdown) so that subinterfaces can pass traffic. Next, create subinterfaces for each data VLAN, specifying the correct 802.1Q encapsulation and IP address for each VLAN's default gateway. Finally, configure the native VLAN subinterface with the native keyword to ensure that untagged frames from the trunk are handled correctly and that the native VLAN is explicitly defined on the router.

12
MCQhard

Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?

A.VLAN 30 is pruned or missing from the allowed VLAN list
B.The native VLAN is set to 1 on both switches
C.The trunk uses 802.1Q encapsulation
D.SW1 is the STP root bridge
AnswerA

Native VLAN settings can matter, but they do not best explain why other VLANs still work while VLAN 30 alone fails.

Why this answer

If only one VLAN fails across an otherwise healthy trunk, a missing or filtered VLAN in the allowed list is a common cause. Native VLAN matching and encapsulation would affect broader trunk behavior, not usually just one VLAN in this way.

Exam trap

Beware of assuming that common trunk issues like native VLAN mismatches affect only one VLAN; they typically affect all VLANs.

Why the other options are wrong

B

The native VLAN mismatch or setting does not cause a single VLAN to fail while others work. Native VLAN issues typically cause all traffic to be mis-tagged or dropped, not just one specific VLAN. Here, other VLANs work fine, so native VLAN is not the problem.

C

802.1Q is the standard trunking encapsulation used in modern networks. Using 802.1Q is correct and does not cause a single VLAN to fail. Both switches must use the same encapsulation, but that is not the issue here.

D

STP root bridge status does not affect which VLANs are allowed on a trunk. STP prevents loops but does not block specific VLANs unless configured with VLAN-based STP (like PVST+). Even then, being the root does not block a VLAN; it only influences port roles.

13
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two redundant links to SW2 (G0/1 and G0/2). The network administrator wants to use both links for load balancing and redundancy by configuring EtherChannel. You need to configure a Layer 2 EtherChannel using LACP on both switches. The port-channel should be in VLAN 1.

Network Topology
G0/1G0/1EtherChannelSW1SW2

Hints

  • LACP uses modes active or passive; both sides must be active or one active and one passive.
  • The physical interfaces must have the same configuration before being added to the port-channel.
  • The port-channel interface inherits the configuration applied to it, not the physical interfaces.
A.interface port-channel 1 switchport mode access switchport access vlan 1 interface range GigabitEthernet0/1-2 channel-group 1 mode active
B.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1 interface range g0/1-2 channel-group 1 mode desirable
C.interface port-channel 1 switchport mode access switchport access vlan 1 interface range g0/1-2 channel-group 1 mode passive
D.interface port-channel 1 switchport mode access switchport access vlan 1 interface g0/1 channel-group 1 mode active interface g0/2 channel-group 2 mode active
AnswerA
solution
! SW1
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

! SW2
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
channel-group 1 mode active
interface Port-channel1
switchport mode access
switchport access vlan 1

Why this answer

EtherChannel bundles multiple physical links into a single logical link for load balancing and redundancy. LACP (mode active) negotiates the bundle automatically. The port-channel interface must be configured with the desired switchport settings.

Exam trap

Be careful to distinguish between LACP modes (active/passive) and PAgP modes (desirable/auto). Also, remember that all interfaces in an EtherChannel must use the same channel-group number and have consistent switchport settings. A common mistake is to configure trunk when an access port is needed, or to use passive on both sides, which prevents the bundle from forming.

Why the other options are wrong

B

Uses PAgP mode 'desirable' instead of LACP mode 'active'. Additionally, configuring trunk is unnecessary for a single VLAN access port.

C

Using 'passive' on both sides would prevent the EtherChannel from forming because neither side sends LACP packets.

D

Using different channel-group numbers creates separate EtherChannels, not a single bundle. Both interfaces must be in the same channel-group to form one logical link.

14
Multi-Selectmedium

Which TWO statements correctly describe the configuration and behavior of a router-on-a-stick setup for inter-VLAN routing?

Select 2 answers
A.Each subinterface on the router must be configured with an IP address that belongs to the corresponding VLAN's subnet.
B.The switch port connecting to the router must be configured as an access port in VLAN 1.
C.The native VLAN on the trunk must be the same VLAN as the one used for management traffic.
D.The router's physical interface must be in 'no shutdown' state, but subinterfaces do not require a separate 'no shutdown' command.
E.The router's subinterface for the native VLAN must use the 'encapsulation dot1q <vlan-id> native' command.
AnswersA, D

For the router to route traffic for a VLAN, the subinterface must have an IP address in the same subnet as that VLAN. This allows the router to act as the default gateway for hosts in that VLAN.

Why this answer

Option A is correct because each subinterface is assigned an IP address in the subnet of its corresponding VLAN, enabling the router to act as the default gateway and route between VLANs using 802.1Q tags. Option D is correct because the physical interface must be 'no shutdown' to pass traffic, and subinterfaces inherit this state; they do not have their own shutdown command. Option B is incorrect because the switch port connecting to the router must be configured as a trunk port, not an access port, to carry multiple VLANs.

Option C is incorrect because the native VLAN on the trunk does not have to be the same as the management VLAN; they are separate concepts. Option E is incorrect because the 'encapsulation dot1q <vlan-id> native' command is only needed on the subinterface for the native VLAN to tag or untag frames appropriately; it is not required for all native VLAN configurations (e.g., if the native VLAN is left at default 1, the command may be optional).

Exam trap

The trap here is that candidates often think subinterfaces need a separate 'no shutdown' command, but Cisco tests that the physical interface must be 'no shutdown' and subinterfaces inherit that state, making option D correct.

Why the other options are wrong

B

The switch port must be a trunk port to carry multiple VLANs, not an access port assigned to VLAN 1.

C

The native VLAN on the trunk is used for untagged traffic and does not have to match the management VLAN.

E

The 'encapsulation dot1q <vlan-id> native' command is not always required for the native VLAN; it depends on whether the native VLAN is used for a subinterface.

15
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

VLAN creation precedes port assignment; trunking configuration follows access port assignment; verification is last.

Exam trap

The exam trap is that candidates may confuse the order of VLAN creation and port assignment, or think trunking should be configured before access ports. Remember: VLANs must exist first, then assign ports, then configure trunking, then verify.

16
PBQhard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The port-channel interface must be configured as a trunk allowing VLANs 10, 20, and 30. Currently, the channel is not forming due to a mismatch in speed/duplex and VLAN configuration on SW2. Troubleshoot and resolve the issue so that the EtherChannel comes up as a Layer 2 trunk.

Network Topology
Gi0/1Gi0/1LACP EtherChannelSW1SW2

Hints

  • Check the speed and duplex settings on SW2's physical interfaces.
  • Compare the allowed VLAN list on SW2's physical interfaces to the port-channel trunk.
  • Use 'show etherchannel summary' to see if ports are bundled or down.
A.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20,30.
B.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 100, duplex half, and on the port-channel interface, set allowed VLANs to 10,20,30.
C.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 10,20.
D.On SW2, configure interfaces GigabitEthernet0/1 and 0/2 with speed 1000, duplex full, and on the port-channel interface, set allowed VLANs to 1-4094.
AnswerA
solution
! SW2
interface gigabitEthernet0/1
speed 1000
duplex full
switchport trunk allowed vlan 10,20,30
interface gigabitEthernet0/2
speed 1000
duplex full
switchport trunk allowed vlan 10,20,30

Why this answer

The EtherChannel is not forming because SW2's interfaces have speed 100 and duplex half, while SW1's interfaces have speed 1000 and duplex full. Additionally, the allowed VLANs on SW2's trunk must include VLAN 30, and this should be configured on the port-channel interface, not the physical interfaces. To fix, on SW2, set the speed to 1000 and duplex to full on Gi0/1 and Gi0/2, then on the port-channel interface, configure allowed VLANs 10,20,30.

After these changes, the channel will come up as a Layer 2 trunk.

Exam trap

The exam trap is that candidates may focus solely on the speed/duplex mismatch and forget to verify the VLAN allowed list on the trunk. Also, they might incorrectly try to match by lowering SW1's settings instead of raising SW2's.

Why the other options are wrong

B

The specific factual error is that LACP requires all member interfaces to have identical speed and duplex settings; changing SW2 to 100/half does not match SW1's 1000/full.

C

The specific factual error is that the trunk must allow all required VLANs; omitting VLAN 30 violates the requirement.

D

The specific factual error is that the configuration does not match the requirement to allow only VLANs 10, 20, and 30; it allows all VLANs instead.

17
MCQhard

A switch trunk must carry VLANs 10, 20, and 30, but traffic for VLAN 20 is failing. The trunk allowed list on one side is `10,30`. What is the most likely cause?

A.VLAN 20 is missing from the allowed VLAN list on one side of the trunk.
B.The trunk must be converted to an access port for VLAN 20 to work.
C.VLAN 20 must always be the native VLAN.
D.The switches must both use ISL instead of 802.1Q.
AnswerA

This is correct because the trunk is explicitly not permitting VLAN 20 on that side.

Why this answer

The most likely cause is that VLAN 20 is not in the allowed VLAN list on one side of the trunk. Option B is incorrect because converting the trunk to an access port would block all other VLANs, not just fix VLAN 20. Option C is incorrect because there is no requirement that VLAN 20 must be the native VLAN; native VLAN is unrelated to allowed list filtration.

Option D is incorrect because ISL vs 802.1Q does not affect per-VLAN filtering; the allowed list is a separate configuration independent of the encapsulation type.

Exam trap

Focus on the allowed list configuration, not on VLAN existence or trunk mode. Misconfigurations in allowed lists are a common trap.

Why the other options are wrong

B

Converting the trunk to an access port would remove all other VLANs, not solve the selective failure for VLAN 20.

C

There is no requirement that VLAN 20 must be the native VLAN; the native VLAN is used for untagged traffic and is unrelated to the allowed VLAN list.

D

The encapsulation type (ISL vs 802.1Q) does not affect per-VLAN allowed lists; the issue is purely about the allowed list configuration.

18
MCQhard

A network administrator has configured HSRP between RouterA and RouterB for VLAN 10. End hosts using the virtual IP 192.168.1.1 as their default gateway experience intermittent connectivity losses, and pings to 192.168.1.1 often fail. The output of 'show standby brief' on both routers shows the state as Active. What is the most likely cause?

A.The virtual IP address is configured on only one router.
B.The routers are configured with mismatched HSRP authentication methods.
C.The HSRP group number on one router is set to 0.
D.The priority on both routers is configured to the same value.
AnswerB

Mismatched authentication (e.g., MD5 vs. text) causes each router to disregard the other's HSRP hellos. Each then assumes no peers exist and becomes Active, leading to both routers claiming the virtual IP and MAC, which results in ARP table flapping and intermittent connectivity.

Why this answer

When both routers show the HSRP state as Active, a 'dual-active' scenario exists, which causes intermittent connectivity because both routers forward traffic for the virtual IP. Mismatched HSRP authentication methods (e.g., one router using plain-text authentication and the other using MD5) prevent the routers from exchanging proper Hello messages, so they fail to negotiate a single Active router. This is the most likely cause because authentication mismatches break the HSRP adjacency, leading to both routers assuming the Active role.

Exam trap

Cisco often tests the concept that HSRP authentication mismatches cause a dual-active failure, while candidates may incorrectly assume that equal priorities or group number 0 are the root cause.

Why the other options are wrong

A

A missing virtual IP on one router does not cause both to be Active; the router without the virtual IP cannot claim the Active role for that address.

C

A group number mismatch does not cause both routers to appear as Active for the same virtual IP; they would be in separate groups.

D

Equal priority does not lead to multiple Active routers; HSRP uses the interface IP address as a tiebreaker to elect a single Active router.

19
MCQhard

A trunk link between two switches is up, but voice phones connected through one access switch no longer receive the correct voice VLAN treatment. Data users still pass traffic. Which area should be checked first?

A.Whether the voice VLAN is being carried and handled correctly across the switching path.
B.Whether OSPFv3 neighbors are fully adjacent on the phone switch ports.
C.Whether the wireless controller has the correct guest SSID.
D.Whether BGP uses a lower metric than the static route.
AnswerA

This is correct because selective failure affecting phones points to voice-VLAN handling rather than complete link failure.

Why this answer

The first area to check is the end-to-end handling of the voice VLAN across the switching path. In practical terms, the data VLAN can still work while the voice VLAN experiences a forwarding, configuration, or policy problem. Because the phones depend on the correct voice VLAN behavior, that VLAN path should be examined first rather than assuming the whole trunk is broken.

This is a selective-services troubleshooting question. One class of traffic can fail even when ordinary user data still works.

Exam trap

Be cautious not to assume that a general network issue is the cause when only specific traffic types are affected. Focus on the specific VLAN configuration first.

Why the other options are wrong

B

OSPFv3 is an IPv6 routing protocol and has no role in Layer 2 voice VLAN handling on access ports. The issue is about VLAN assignment and trunking, not routing protocol adjacency.

C

The scenario involves wired switches and IP phones, not wireless LAN. Guest SSID configuration on a wireless controller is unrelated to voice VLAN treatment on a wired trunk link.

D

BGP is an exterior routing protocol used for interdomain routing, not for Layer 2 VLAN handling. The symptom is about voice VLAN treatment on a trunk, which is unrelated to BGP metrics or static routes.

20
Matchingmedium

Match each VLAN-related term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The VLAN assigned to a normal end-device access port

The VLAN used to carry phone voice traffic separately

A link carrying traffic for multiple VLANs

The VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Each VLAN type serves a specific purpose: Access VLAN for end devices, Trunk VLAN for multiple VLANs over a link, Native VLAN for untagged frames, Voice VLAN for phones, Management VLAN for admin access, and Data VLAN for user traffic.

Exam trap

Be careful not to confuse the function of a trunk link with a VLAN type. Also, remember that native VLAN and voice VLAN are not separate VLAN types; they are specific uses of data VLANs.

21
PBQhard

You are connected to R1. Configure HSRP on R1 and R2 so that R1 is the active gateway for VLAN 100 with a virtual IP of 192.0.2.254. R1 should preempt and track its G0/1 interface to decrement priority by 20 if it goes down. Currently, both routers show active for the group, and the virtual IP is incorrectly set. Troubleshoot and fix the configuration on R1 only.

Hints

  • Check the virtual IP address in the standby configuration.
  • Ensure R1's priority is higher than R2's to become active.
  • Preempt must be configured to re-elect after a priority change.
A.Change the virtual IP to 192.0.2.254 and set priority to 110.
B.Change the virtual IP to 192.0.2.254 and remove the track command.
C.Change the virtual IP to 192.0.2.254 and configure preempt on R2.
D.Change the virtual IP to 192.0.2.254 and set priority to 100.
AnswerA
solution
! R1
interface GigabitEthernet0/0.100
standby 1 ip 192.168.100.254
standby 1 priority 110
standby 1 preempt

Why this answer

The issue is that both routers are active because the virtual IP on R1 was 192.168.100.254, which is not in the same subnet as the interface IP (192.0.2.1/24), so HSRP couldn't form a common group. Changing the virtual IP to 192.0.2.254 fixes the subnet mismatch. Additionally, setting R1's priority to 110 ensures it becomes the active router because it has preempt configured, and the higher priority overrides R2's default 100.

The track command remains correct as it reduces priority if G0/1 fails.

Exam trap

Trap: Candidates may focus on the track command or preempt, but the primary issue is the virtual IP mismatch and default priority. Always verify the virtual IP belongs to the same subnet as the interface and adjust priority to ensure the desired active router.

Why the other options are wrong

B

Removing the track command would prevent R1 from decrementing priority when G0/1 fails, violating the requirement to track the interface.

C

Configuring preempt on R2 might allow it to take over, but the task only asks to fix R1; the primary issue is the virtual IP mismatch on R1.

D

Setting priority to 100 (the default) without preempt? Actually, R1 already has preempt, but with equal priority, the highest IP wins, which might be R2, so R1 might not become active. Increasing priority to 110 is required.

22
PBQhard

You are connected to R1. Configure R1 and SW1 so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate via the router-on-a-stick setup. The current configuration has errors: the trunk port between SW1 and R1 has a native VLAN mismatch, VLAN 30 is not allowed on the trunk, and the subinterface encapsulation is incorrect. Correct these issues and enable inter-VLAN routing.

Network Topology
G0/1trunkSW1R1

Hints

  • Check the native VLAN on both ends of the trunk: R1's subinterface .30 should use the native keyword.
  • Ensure VLAN 30 is allowed on the SW1 trunk; you may need to add it to the allowed list.
  • Enable ip routing globally on R1 to route between VLANs.
A.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 99 native; on SW1, allow VLAN 30 on the trunk interface.
B.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, remove VLAN 30 from the trunk allowed list.
C.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, set the native VLAN to 1 on the trunk.
D.On R1, configure interface GigabitEthernet0/0.30 with encapsulation dot1Q 30; on SW1, configure the trunk to allow only VLANs 10 and 20.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0.30
encapsulation dot1Q 30 native
exit
interface GigabitEthernet0/0
no shutdown
exit
ip routing
exit
copy running-config startup-config

Why this answer

The native VLAN on SW1 is 99 but R1's physical interface defaults to VLAN 1, causing a mismatch. To fix this, R1's subinterface Gi0/0.30 must be set with encapsulation dot1Q 99 native, making R1's native VLAN 99 and matching SW1. VLAN 30 is not allowed on the trunk, preventing any traffic in that VLAN; it must be added to the trunk's allowed list on SW1.

After these corrections, inter-VLAN routing for VLANs 10 and 20 will function correctly.

Exam trap

Candidates often assume that setting a subinterface's encapsulation to 'dot1Q 30 native' will fix any mismatch, but the native VLAN ID must be explicitly aligned with the switch's native VLAN configuration.

Why the other options are wrong

B

The specific factual error: VLAN 30 must be allowed on the trunk for the router to receive and forward traffic for that VLAN.

C

The specific factual error: The native VLAN must match on both ends of the trunk; changing SW1 to VLAN 1 would not resolve the mismatch with R1's native VLAN 30.

D

The specific factual error: The trunk must allow all VLANs that need to be routed, including the native VLAN (30), otherwise the router cannot communicate with hosts in VLAN 30.

23
PBQhard

You are connected to a multilayer switch MLS1. Configure FastEthernet0/1 as an access port for an IP phone and a PC, with voice VLAN 20 and data VLAN 10. Also enable PoE on the port. Then verify the configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • The interface currently has 'no switchport' — remove that to make it a Layer 2 port.
  • You need to set both access VLAN and voice VLAN using the switchport command.
  • PoE is currently disabled globally or per interface — enable it with 'power inline auto'.
A.interface FastEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto no shutdown
B.interface FastEthernet0/1 no switchport ip address 192.168.1.1 255.255.255.0 power inline auto no shutdown
C.interface FastEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto no shutdown
D.interface FastEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never no shutdown
AnswerA
solution
! MLS1
configure terminal
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20
power inline auto
end

Why this answer

Option A is correct because it configures FastEthernet0/1 as an access port with data VLAN 10, voice VLAN 20, and PoE enabled, which is the required setup for an IP phone and PC. Option B is incorrect because 'no switchport' makes the interface a routed port (Layer 3), but it needs to be a Layer 2 access port to support an IP phone and PC. Option C is incorrect because trunk mode is used for switch-to-switch links, not for connecting end devices like an IP phone and PC.

Option D is incorrect because 'power inline never' disables PoE, but the IP phone requires power; it should use 'power inline auto'.

Exam trap

The trap is that candidates may incorrectly use 'no switchport' to make the interface a routed port, or use trunk mode instead of access mode with voice VLAN. Remember that for end devices, the port must be an access port; the voice VLAN is configured separately. Also, ensure PoE is enabled with 'auto', not 'never'.

Why the other options are wrong

B

'no switchport' creates a routed port, which cannot handle VLANs for an IP phone and PC.

C

Trunk mode is for inter-switch links, not for end devices; access mode is required.

D

'power inline never' disables PoE, but the IP phone needs power from the switch.

24
PBQmedium

You are connected to R1 via console. R1 is a router that needs to provide DHCP services to hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router has two subinterfaces on GigabitEthernet0/0: G0/0.10 (192.168.10.1/24) and G0/0.20 (192.168.20.1/24) with 802.1Q encapsulation. Configure R1 as a DHCP server for both VLANs, excluding addresses 192.168.10.1-10 and 192.168.20.1-10, with a lease of 1 day. Ensure DNS server 8.8.8.8 is provided.

Network Topology
G0/0.10192.168.10.1/24trunkR1SW1

Hints

  • Use 'ip dhcp excluded-address' to reserve addresses.
  • Create DHCP pools with 'network', 'default-router', and 'dns-server'.
  • Lease time is in days; use 'lease 1' for 1 day.
A.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1
B.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 /24 default-router 192.168.10.1 dns-server 8.8.8.8 lease 1 0 0 ip dhcp pool VLAN20 network 192.168.20.0 /24 default-router 192.168.20.1 dns-server 8.8.8.8 lease 1 0 0
C.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
D.ip dhcp excluded-address 192.168.10.1 192.168.10.10 ip dhcp excluded-address 192.168.20.1 192.168.20.10 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 lease 24 ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8 lease 24
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
lease 1
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
lease 1

Why this answer

Option A correctly uses `lease 1` for a 1-day lease, dotted decimal subnet masks, and proper DHCP pool settings. Option B incorrectly uses CIDR notation `/24` in the network command, which IOS does not accept. Option C uses `lease 24`, which is interpreted as 24 days, not 1 day.

Option D also incorrectly uses `lease 24`, resulting in a 24-day lease instead of the required 1-day lease.

Exam trap

Be careful with the lease command: the default unit is days, not hours. Also, remember that the network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR prefix length. Excluded addresses are configured globally, not within the pool.

Why the other options are wrong

B

The network command in DHCP pool configuration requires a subnet mask in dotted decimal format, not CIDR notation like /24.

C

The lease command uses days as its unit; `lease 24` sets a 24-day lease, not the required 1 day.

D

The lease command sets duration in days, so `lease 24` gives a 24-day lease instead of a 1-day lease.

25
MCQhard

After configuring a trunk port to allow VLAN 40, a technician finds that VLAN 40 is not listed among the VLANs in spanning tree forwarding state in the show interfaces trunk output. What is the most likely cause?

A.The trunk port is using ISL encapsulation, which does not support VLAN 40.
B.The technician omitted the 'add' keyword when adding VLAN 40 to the allowed list, so the trunk no longer permits VLAN 40.
C.VLAN 40 has not been created in the VLAN database on the switch.
D.VTP pruning is enabled, and VLAN 40 is not needed by any downstream neighbor, so it is pruned from this trunk.
AnswerC

A VLAN must be defined in the local VLAN database for the switch to build a spanning-tree instance and forward frames for that VLAN. If it is permitted on the trunk but does not exist, the switch marks it as pruned and it will not appear in the 'VLANs in spanning tree forwarding state' list. This is the exact symptom presented.

Why this answer

Even if a VLAN is included in the trunk's allowed list, the switch cannot forward frames for that VLAN unless it exists in the local VLAN database. A non-existent VLAN is placed in a pruned state and will not appear as forwarding in show interfaces trunk. The allowed-list command worked, but the missing VLAN definition prevents the VLAN from being active on the trunk.

Exam trap

Option B: the classic mistake of omitting the 'add' keyword when modifying the allowed list is tempting because it is a very common trunk configuration error. However, that error would result in the VLAN not even appearing in the allowed list column, not simply missing from the forwarding state. The question states the VLAN was added to the allowed list, so the missing VLAN database entry is the correct culprit.

Why the other options are wrong

A

Candidates might associate VLAN support with trunk encapsulation types, but ISL fully supports VLAN 40. This is a distractor.

B

This is a common operational mistake, but the resulting output would show VLAN 40 missing from the 'Vlans allowed' column, not from the forwarding list.

D

Candidates might confuse local pruning (due to non-existent VLAN) with VTP pruning. VTP pruning would also require a multi-switch VTP domain and is less likely in a standalone troubleshooting scenario.

26
MCQmedium

A client on VLAN 20 must obtain an IPv4 lease from a DHCP server located on VLAN 100. Which feature is required on the Layer 3 interface for VLAN 20?

A.NAT overload
B.DHCP relay
D.Private VLAN
AnswerB

Correct. The SVI or routed interface needs DHCP relay.

Why this answer

A DHCP relay agent forwards client broadcasts as unicast to the remote server, typically using ip helper-address.

Exam trap

A common exam trap is selecting NAT overload or port security as the required feature for DHCP communication across VLANs. NAT overload is used for IP address translation and does not forward DHCP broadcasts, while port security restricts MAC addresses on switch ports but does not relay DHCP messages. Another trap is confusing private VLANs with DHCP relay; private VLANs isolate Layer 2 domains but do not forward DHCP requests between VLANs.

The key is understanding that DHCP relay is the only feature that forwards DHCP broadcasts as unicast messages across Layer 3 boundaries, enabling clients on VLAN 20 to obtain leases from a DHCP server on VLAN 100.

Why the other options are wrong

A

NAT overload translates private IP addresses to a public IP for outbound traffic but does not forward DHCP broadcasts between VLANs. It is unrelated to DHCP relay functionality required for inter-VLAN DHCP communication.

C

Port security restricts which MAC addresses can connect to a switch port but does not forward DHCP broadcasts or relay DHCP messages between VLANs, so it cannot enable DHCP communication across VLANs.

D

Private VLANs isolate devices within a VLAN for security purposes but do not provide DHCP relay capabilities or forward DHCP requests between VLANs, making this option incorrect.

27
MCQhard

A switchport connected to a user workstation is placed in VLAN 30. The administrator also wants to prevent that port from learning more than one MAC address. Which feature should be configured?

AnswerA

This is correct because port security can enforce a maximum number of MAC addresses on the switchport.

Why this answer

The correct feature is port security. In practical terms, port security lets the administrator control how many MAC addresses can be learned on a switchport and what happens if that limit is exceeded. That makes it a very natural fit for a user-facing access port where one endpoint is expected and unmanaged extra devices are not.

This is a common access-layer hardening technique. VLAN assignment controls where the traffic belongs, but it does not limit who or what can appear on the port. Port security adds that second layer of control.

Exam trap

Don't confuse VLAN assignment or ACLs with port security; they serve different functions.

Why the other options are wrong

B

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, not to limit MAC address learning on a single port. It does not provide any mechanism to restrict the number of MAC addresses learned on a switchport.

C

OSPF passive-interface is a routing protocol feature used to prevent OSPF from sending hello messages on an interface, typically used on interfaces that do not have OSPF neighbors. It has no effect on MAC address learning or switchport security.

D

Native VLAN is a concept used on trunk ports to specify the VLAN that carries untagged traffic. It does not control MAC address learning or limit the number of MAC addresses on a switchport.

28
MCQhard

PCs in VLAN 40 are not receiving addresses from the centralized DHCP server at 172.16.1.10. What should be configured on the VLAN 40 default gateway interface?

A.ip dhcp excluded-address 10.40.40.1 10.40.40.10
B.ip helper-address 172.16.1.10
C.service dhcp
D.ip default-gateway 172.16.1.10
AnswerB

Correct choice.

Why this answer

When DHCP clients and the DHCP server are on different subnets, the router interface serving the client subnet must relay broadcasts to the server with the ip helper-address command.

Exam trap

Ensure you understand the difference between DHCP relay and DHCP security features like snooping, as well as local DHCP server configuration.

Why the other options are wrong

A

The 'ip dhcp excluded-address' command is used on a DHCP server to prevent certain addresses from being assigned, not on a router interface to forward DHCP requests. This command would not help clients in VLAN 40 reach the centralized DHCP server.

C

The 'service dhcp' command globally enables the DHCP server or relay agent on a Cisco device, but it does not specify where to forward requests. Without the 'ip helper-address' command, DHCP broadcasts will not be forwarded to the server.

D

The 'ip default-gateway' command is used on a switch to set a default gateway for management purposes, not to forward DHCP broadcasts. It does not provide DHCP relay functionality.

29
PBQhard

You are connected to SW1. The current configuration on SW1 is: interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are set to channel-group mode passive; Gi0/1 has speed 100, duplex half, and access VLAN 20; Gi0/2 has speed 1000, duplex full, and access VLAN 10. You need to form an LACP EtherChannel between SW1 and SW2. Ensure the channel forms by setting the channel-group mode to active on SW1's member ports. Also correct the speed/duplex mismatch and VLAN mismatch so that the port-channel interface is in the up/up state. Finally, verify the EtherChannel summary shows the channel as a Layer 2 bundle in use.

Network Topology
Gi0/1Gi0/1LACP EtherChannelSW1SW2

Hints

  • LACP requires at least one side to be in active mode to initiate negotiation.
  • All member ports must have identical speed, duplex, and VLAN configuration.
  • Use the 'channel-group 1 mode active' command to set LACP active mode.
A.Change channel-group mode to active on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
B.Change channel-group mode to passive on both ports, set speed 100 and duplex half on Gi0/2, set access VLAN 20 on Gi0/1.
C.Change channel-group mode to desirable on both ports, set speed 1000 and duplex full on Gi0/1, set access VLAN 10 on Gi0/2.
D.Change channel-group mode to active on both ports, set speed 100 and duplex half on Gi0/1, set access VLAN 20 on Gi0/2.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/2
switchport access vlan 10
channel-group 1 mode active
end

Why this answer

The EtherChannel fails because both member ports are set to mode passive, preventing LACP negotiation. Additionally, Gi0/1 has speed 100/duplex half while Gi0/2 has speed 1000/duplex full—a mismatch that causes one port to be suspended. Finally, the VLANs differ (10 vs 20), which also prevents bundling.

The solution: change the channel-group mode to active on both ports, set consistent speed (1000) and duplex (full) on Gi0/1, and set the same access VLAN (10) on Gi0/2. After these corrections, the port-channel should form and show as (SU) in the summary.

Exam trap

The exam often tests that LACP requires at least one side to be active, and that speed, duplex, and VLAN must match across all member ports. Do not confuse PAgP and LACP modes.

Why the other options are wrong

B

Passive mode requires the other side to be active; both passive means no negotiation. Speed/duplex mismatch (100/half vs 1000/full) and VLAN mismatch (20 vs 10) prevent bundling.

C

The mode 'desirable' is used with Cisco's proprietary PAgP protocol, not with the IEEE standard LACP. Using it would not form an LACP EtherChannel.

D

Speed/duplex mismatch causes one port to be suspended in the EtherChannel. VLAN mismatch prevents the port-channel from being in up/up state as a Layer 2 bundle.

30
PBQhard

You are connected to R1, a multilayer switch running Rapid PVST+. The current root bridge for VLAN 10 has priority 24586 and for VLAN 20 has priority 24676. Configure R1 so that it becomes the root bridge for VLAN 10 and VLAN 20. Then enable PortFast and BPDU Guard on interface FastEthernet0/1, which connects to an access switch. Finally, diagnose why interface FastEthernet0/2 has entered an err-disabled state and recover it.

Network Topology
Fa0/1Fa0/2Access SwitchSiR1Another Switch

Hints

  • Set root priority to a value lower than 24586 for VLAN 10 and 24676 for VLAN 20.
  • PortFast and BPDU Guard must be configured under the interface.
  • An interface in err-disabled state due to BPDU Guard requires a manual shutdown/no shutdown to recover.
A.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown then no shutdown.
B.Configure spanning-tree vlan 10,20 root primary; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
C.Configure spanning-tree vlan 10,20 priority 8192; on Fa0/1: spanning-tree portfast; on Fa0/2: no shutdown.
D.Configure spanning-tree vlan 10,20 priority 4096; on Fa0/1: spanning-tree portfast and spanning-tree bpduguard enable; on Fa0/2: shutdown.
AnswerA
solution
! R1
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface FastEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable
interface FastEthernet0/2
shutdown
no shutdown
end

Why this answer

To become the root bridge, R1’s priority must be lower than the current root’s priority. Setting the priority to 4096 (or any value lower than 24586/24676) accomplishes this. Option A correctly uses `spanning-tree vlan 10,20 priority 4096` (though the actual command per VLAN is `spanning-tree vlan 10 priority 4096` and `spanning-tree vlan 20 priority 4096`).

It also enables PortFast and BPDU Guard on Fa0/1 to prevent BPDU reception on an edge port, and recovers the err-disabled Fa0/2 by cycling `shutdown` then `no shutdown`. Options B and C fail because they do not enable BPDU Guard, leaving the interface vulnerable. Option D fails because it only shuts down Fa0/2 without the `no shutdown` command, so the interface remains administratively down.

Exam trap

Candidates often mistakenly believe that the priority must be set to the absolute lowest (e.g., 0) or that `root primary` always works, but the real requirement is simply a priority lower than the current root. Also, they may forget that an err-disabled interface requires both `shutdown` and `no shutdown` to recover.

Why the other options are wrong

B

The 'root primary' command sets priority to 24576, which is higher than the current root priority for VLAN 10 (24586) and VLAN 20 (24676) — actually 24576 is lower than 24586 and 24676, so it would become root. Wait, check: 24576 < 24586, so it would become root. But the command 'root primary' sets priority to 24576 only if the current root priority is above 24576; if the current root priority is 24586, it sets to 24576, which is lower, so R1 would become root.

However, the question states the current root has priority 24586 and 24676, so 'root primary' would set to 24576, which is lower than 24586 but not lower than 24676? Actually 24576 < 24676, so it would become root for both. But the correct answer uses 4096, which is even lower. The key is that 'root primary' might not guarantee becoming root if another switch has a lower priority.

Also, BPDU Guard is missing, and recovery requires shutdown first.

C

BPDU Guard is not configured on Fa0/1, leaving the port vulnerable to BPDU attacks. Also, the err-disabled recovery requires a shutdown command before no shutdown.

D

Simply shutting down the interface does not recover it from err-disable; you must also re-enable it with 'no shutdown'.

31
MCQhard

A multilayer switch has SVIs for VLAN 10 and VLAN 20. Hosts in both VLANs can reach their local SVI, but they cannot reach each other. Which additional configuration is most likely required?

A.Enable `ip routing` on the multilayer switch.
B.Convert all access ports into trunks.
C.Make both VLANs use the same IP subnet.
D.Disable spanning tree on both VLANs.
AnswerA

This is correct because the switch needs Layer 3 routing enabled to forward traffic between SVIs.

Why this answer

The most likely missing configuration is `ip routing`. In practical terms, the switch already has Layer 3 gateway interfaces for the VLANs, which is why hosts can reach their local SVI. But inter-VLAN communication still requires the switch to actually route between those VLAN interfaces. Without IP routing enabled, the SVIs can exist and respond locally without forwarding traffic between them.

This is a classic multilayer-switch question because many learners assume that creating SVIs automatically enables inter-VLAN routing. It does not. The device must also be told to behave as a Layer 3 forwarding device across those VLAN interfaces.

Exam trap

Don't assume SVIs automatically enable inter-VLAN routing; IP routing must be explicitly enabled.

Why the other options are wrong

B

Converting all access ports to trunks is unnecessary and incorrect because host-facing ports should remain access ports assigned to a single VLAN. Trunks are used to carry multiple VLANs between switches, not to connect end hosts. This change would not enable inter-VLAN routing.

C

Making both VLANs use the same IP subnet would break the fundamental purpose of VLANs, which is to separate broadcast domains and logically segment the network. Hosts in different VLANs must be in different subnets for proper routing; otherwise, they would expect to communicate directly at Layer 2, which is not possible across VLANs.

D

Disabling Spanning Tree Protocol (STP) on both VLANs would not enable inter-VLAN routing; it would only risk creating Layer 2 loops and broadcast storms. STP is a loop-prevention mechanism and has no role in Layer 3 routing between VLANs.

32
MCQhard

A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?

A.channel-group 1 mode active
B.switchport trunk allowed vlan 1,10,20
C.lacp rate fast
D.switchport mode trunk
AnswerB

This command ensures that all member ports of the EtherChannel have the same VLAN list. Inconsistent allowed VLANs across member ports can cause traffic to be dropped intermittently. Applying this to all member interfaces on both switches resolves the issue.

Why this answer

The output shows the EtherChannel is up but only VLAN 1 is allowed on the trunk, while the hosts on SW1 and SW2 communicate across VLANs 10 and 20. Applying 'switchport trunk allowed vlan 1,10,20' on both switches ensures all necessary VLANs are permitted over the EtherChannel, resolving the intermittent connectivity caused by dropped traffic for VLANs 10 and 20.

Exam trap

The trap here is that candidates assume the EtherChannel is fully functional once it shows as up/up, overlooking that the trunk's VLAN allowed list must match on both sides to pass traffic for all required VLANs.

Why the other options are wrong

A

The ports are already configured with LACP active mode, as indicated by the protocol being LACP and the ports being bundled. Reapplying this command does not address the root cause of intermittent connectivity, which is likely due to VLAN mismatch.

C

The 'lacp rate fast' command changes the LACP packet transmission rate to every second, which is used for faster failure detection. It does not affect VLAN consistency or cause intermittent connectivity; the issue is likely due to VLAN mismatch, not LACP rate.

D

The ports are already configured as trunk ports (the Po1 is Layer2 and trunking is implied). Reapplying 'switchport mode trunk' does not address the VLAN inconsistency that causes intermittent connectivity.

33
MCQmedium

A switch port connected to an end host should forward traffic for one VLAN only and should not negotiate trunking. Which configuration approach best fits that requirement?

A.Configure the interface with `switchport mode access`
B.Configure the interface with `switchport mode trunk`
C.Configure the interface with `switchport mode dynamic desirable`
D.Configure the interface with `no switchport`
AnswerA

This is correct because access mode is the normal one-VLAN configuration for an end-host port.

Why this answer

The best approach is to configure the interface as an access port. In plain language, this tells the switch that the interface is for a normal endpoint and should belong to one VLAN rather than carry multiple VLANs like a trunk. It also avoids reliance on dynamic trunk negotiation, which is usually unnecessary and potentially confusing for a user-facing connection.

This is a standard access-layer design principle. End hosts such as PCs and printers usually connect to access ports, not trunks. That is why the correct answer is the one centered on explicit access-port behavior.

Exam trap

Avoid confusing trunking features with access port requirements. Remember, end devices typically connect via access ports.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs between switches, not for a single end host. Using switchport mode trunk on an access port would allow multiple VLANs and enable trunk negotiation, violating the requirement.

C

The dynamic desirable mode actively attempts to form a trunk with the connected device using DTP. This allows trunk negotiation, which contradicts the requirement to not negotiate trunking and to forward traffic for only one VLAN.

D

The no switchport command converts the Layer 2 switch port into a Layer 3 routed port, which does not operate as a switch port and cannot be assigned to a VLAN. This is used for routing between VLANs, not for connecting an end host to a single VLAN.

34
MCQhard

A switch has DHCP snooping enabled and Dynamic ARP Inspection enabled on VLAN 30. A printer with a static IP on VLAN 30 cannot communicate because its ARP packets are being dropped. What is the best fix?

A.Disable DAI on all VLANs globally.
B.Configure a static ARP inspection entry or ARP ACL for the printer.
C.Trust the user-facing printer access port for DHCP snooping and DAI.
D.Change the printer to use a larger MTU.
AnswerB

Correct. Static devices need a trusted binding source.

Why this answer

DAI relies on trusted bindings. Static-IP devices that are not learned through DHCP often require a static ARP ACL or equivalent trusted binding mechanism.

Exam trap

A common exam trap is to disable Dynamic ARP Inspection entirely or trust the user-facing access port to fix ARP packet drops from static IP devices. Disabling DAI weakens the network’s ARP spoofing protection, which is against best practices and exam expectations. Trusting access ports is too broad and can allow malicious ARP traffic, defeating the purpose of DAI.

The trap is that these options seem easier but compromise security, whereas the correct approach is to configure static ARP inspection entries or ARP ACLs for static IP devices to maintain security and functionality.

Why the other options are wrong

A

Disabling DAI on all VLANs globally removes ARP spoofing protection network-wide, which is excessive and reduces security unnecessarily. The question requires a targeted fix, so this option is incorrect.

C

Trusting the user-facing printer access port for DHCP snooping and DAI is too permissive and can allow malicious ARP packets, weakening security. It is not recommended as a best practice or exam answer.

D

Changing the printer to use a larger MTU does not affect ARP packet validation or DAI behavior. MTU size is unrelated to ARP inspection, so this option is irrelevant and incorrect.

35
Multi-Selectmedium

Which TWO statements about 802.1Q trunking, native VLANs, and inter-VLAN routing are correct? (Choose two.)

Select 2 answers
A.802.1Q trunking is a Cisco-proprietary protocol that uses a 4-byte tag to identify VLAN membership.
B.By default, frames belonging to the native VLAN are sent untagged across an 802.1Q trunk.
C.Inter-VLAN routing can be accomplished using a Layer 2 switch configured with VLAN access maps.
D.The native VLAN must be identical on both ends of an 802.1Q trunk to avoid native VLAN mismatch errors.
E.Switches strip the 802.1Q tag from all frames before forwarding them out of a trunk port.
AnswersB, D

The 802.1Q specification sends native VLAN traffic without a tag, allowing the receiving switch to identify the native VLAN.

Why this answer

Option B is correct because, by default, 802.1Q trunking treats the native VLAN (typically VLAN 1) as untagged. Frames in the native VLAN are sent without an 802.1Q tag, allowing interoperability with devices that do not understand trunking. This behavior is defined in IEEE 802.1Q and is essential for backward compatibility.

Exam trap

Cisco often tests the misconception that all frames on a trunk are tagged, but the trap here is that the native VLAN is sent untagged by default, and candidates may incorrectly assume that inter-VLAN routing can be done with a Layer 2 switch alone.

Why the other options are wrong

A

802.1Q is an open IEEE standard. Cisco-proprietary trunking is Inter-Switch Link (ISL).

C

Layer 2 switches cannot route between VLANs. Inter-VLAN routing requires a Layer 3 device such as a router or a Layer 3 switch with SVIs.

E

Trunk ports forward tagged frames so the receiving switch can distinguish VLANs. Removing tags from all frames would defeat the purpose of trunking.

36
PBQhard

You are connected to R1 via the console. The network operations center (NOC) has asked you to configure R1 as an NTP client of the NTP server at 192.0.2.10 (reachable via VLAN 100, SVI 192.168.1.1/24). They also need all system messages of level 'debug' (level 7) and higher forwarded to the syslog server at 203.0.113.50. The current configuration shows that NTP is not working (stratum 16) and syslog is only sending critical and higher messages. Fix both issues.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30linkR2R1switchNTP serverSyslog server

Hints

  • Check the source IP of NTP packets; the server may require a specific source address.
  • NTP synchronization fails if the router does not have a route to the NTP server; verify connectivity.
  • The logging trap level controls which severity messages are sent; 'critical' only sends levels 0-2.
A.Configure 'ntp source Vlan100' and 'logging trap debugging'.
B.Configure 'ntp server 192.0.2.10' and 'logging trap 7'.
C.Configure 'ntp source Vlan100' and 'logging trap warnings'.
D.Configure 'ntp update-calendar' and 'logging trap informational'.
AnswerA
solution
! R1
ntp source Vlan100
logging trap debugging

Why this answer

The NTP client is not synchronizing because there is no source interface specified; the NTP packets may be sourced from an unexpected interface and the server may ignore them. The solution is to configure 'ntp source Vlan100' to ensure NTP packets use the correct source IP. Additionally, the syslog trap level is set to 'critical', which filters out messages with severity lower than critical (like warnings, errors, etc.).

The NOC requires all messages up to debug level; therefore, change the logging trap level to 'debugging' with 'logging trap debugging'.

Exam trap

Do not confuse the NTP server command with the source interface command. The server command specifies the server, but the source interface ensures the correct source IP. For syslog, remember that 'debugging' is the keyword for the lowest severity level; using 'warnings' or 'informational' will exclude debug messages.

Why the other options are wrong

B

The specific factual error: 'logging trap 7' is not a valid Cisco IOS command; the correct command uses the keyword 'debugging'. Also, the NTP server command alone does not fix the source interface issue.

C

The specific factual error: 'logging trap warnings' only sends messages with severity 0-4, missing severity 5-7 (notifications, informational, debug).

D

The specific factual error: 'ntp update-calendar' is not needed for NTP synchronization; the source interface is the key missing piece. 'logging trap informational' does not include debug messages.

37
MCQmedium

A switchport is configured as an access port for VLAN 20, but users connected to it cannot reach the default gateway. The switch shows the interface as up/up. Which switch misconfiguration is the most likely cause?

A.The access port is missing a speed command
B.VLAN 20 has not been created on the switch
C.The switch has not enabled VTP transparent mode
D.The port should use DTP desirable mode
AnswerB

Correct choice.

Why this answer

If the access port is assigned to VLAN 20 but VLAN 20 does not exist in the VLAN database, traffic is not placed into a usable VLAN and hosts lose connectivity. The port can still appear physically up while forwarding fails at Layer 2.

Exam trap

A common exam trap is assuming that an interface showing up/up means the port is fully functional and correctly forwarding traffic. Candidates may overlook the necessity of creating the VLAN in the switch’s VLAN database. Without VLAN 20 existing, the switch cannot forward traffic for that VLAN, even though the physical link is active.

This leads to confusion because the interface status does not reflect VLAN misconfiguration, causing users to lose connectivity to the default gateway despite the port appearing operational.

Why the other options are wrong

A

The absence of a speed command on the access port does not prevent VLAN forwarding or connectivity to the default gateway. Speed settings affect physical link parameters but not VLAN membership or Layer 2 forwarding.

C

VTP transparent mode controls VLAN propagation between switches but does not affect whether a VLAN exists locally. Missing VLANs must be created manually regardless of VTP mode.

D

DTP desirable mode is used to negotiate trunk links and is irrelevant for access ports, which do not trunk and only carry untagged frames for a single VLAN.

38
MCQmedium

A switch interface connects to a user PC and should belong only to VLAN 30. Which command assigns that VLAN after the interface is in access mode?

A.switchport access vlan 30
B.switchport trunk allowed vlan 30
C.encapsulation dot1Q 30
D.ip helper-address 30
AnswerA

This is correct because it assigns VLAN 30 to the access port.

Why this answer

After an interface is placed into access mode, the command used to assign its VLAN is `switchport access vlan 30`. In plain language, this tells the switch which VLAN the endpoint traffic on that access port belongs to. Access mode defines the role of the interface, and the access VLAN command defines the specific VLAN membership for that role.

This distinction matters because some commands change the port’s behavior while others set the VLAN it uses. The correct answer is the one that directly assigns VLAN 30 to the access port rather than modifying a trunk or a native VLAN setting.

Exam trap

Be careful not to confuse commands for trunk ports with those for access ports. Ensure you understand the difference between setting a port mode and assigning a VLAN.

Why the other options are wrong

B

The command 'switchport trunk allowed vlan 30' is used on trunk ports to specify which VLANs are allowed to traverse the trunk link. It does not assign a VLAN to an access port; instead, it filters VLANs on a trunk, which is not appropriate for a port connected to a single PC.

C

The command 'encapsulation dot1Q 30' is used on a router subinterface to enable 802.1Q trunking and specify the VLAN for that subinterface. It is not a valid command on a switch access port, and switch ports do not use encapsulation commands for VLAN assignment.

D

The command 'ip helper-address 30' is used to configure DHCP relay on a router or Layer 3 switch interface, forwarding DHCP broadcasts to a DHCP server. It has nothing to do with VLAN assignment on a switch port.

39
MCQhard

PCs in VLAN 30 on SwitchA cannot reach PCs in VLAN 30 on SwitchB. VLAN 30 exists on both switches and all other VLANs work across the same link. Based on the exhibit, what is the most likely cause?

A.VLAN 30 is not allowed on the trunk from SwitchA.
B.The native VLAN is mismatched.
C.The trunk must use ISL instead of 802.1Q.
D.VLAN 30 must be configured as the native VLAN.
AnswerA

This is correct because VLAN 30 is missing from SwitchA’s allowed list.

Why this answer

The trunk is up, but VLAN 30 is missing from the allowed list on SwitchA. In plain language, the hallway between the switches is open, but one side is refusing to carry that specific VLAN through the hallway. Since the other VLANs are working, the failure is selective rather than total. That strongly points to an allowed-VLAN problem rather than a broader trunk outage.

This is a classic CCNA switching scenario because it tests whether you can separate trunk health from per-VLAN forwarding. A trunk can be operational and still block one VLAN if that VLAN is not permitted on one side. The native VLAN and encapsulation are not the issue shown here — the mismatch in the allowed list is.

Exam trap

Be careful not to confuse general trunk issues with specific VLAN forwarding problems. Always check the allowed VLAN list when specific VLANs fail to pass.

Why the other options are wrong

B

The exhibit shows both switches have native VLAN 1 configured, so there is no mismatch. A native VLAN mismatch would cause all VLAN traffic to fail or be misdirected, not just a single VLAN.

C

Since other VLANs are working across the same trunk, the trunk encapsulation (802.1Q) is functioning correctly. Changing to ISL would not fix the issue and would break connectivity for all VLANs.

D

A VLAN does not need to be the native VLAN to traverse a trunk; native VLAN is only for untagged traffic. Making VLAN 30 the native VLAN would not solve the problem and could introduce other issues.

40
PBQhard

You are troubleshooting a client connectivity issue on PC1, which is connected to switch SW1. PC1 reports that it cannot access the internet, but it can ping its default gateway (192.168.1.1). The network uses VLAN 10 for the client subnet. Examine the following show outputs: On PC1, ipconfig shows IP 192.168.1.10, default gateway 192.168.1.1, DNS server 192.168.1.1. On SW1, show running-config includes 'interface Vlan10' with IP 192.168.1.1 255.255.255.0, but no 'ip dns server' and no 'ip name-server' commands. SW1's show ip route displays a default route via 203.0.113.1. Identify the root cause. Configure the necessary fix on the appropriate device to restore full connectivity.

Network Topology
G0/1G0/1203.0.113.1/30203.0.113.1/30PC1SW1RouterInternet

Hints

  • Check DNS configuration on the switch.
  • The PC's DNS server is likely the default gateway (switch).
  • The switch needs to be configured to forward DNS queries.
A.Configure 'ip dns server' and 'ip name-server 8.8.8.8' on SW1.
B.Configure 'ip default-gateway 192.168.1.1' on SW1.
C.Configure 'ip route 0.0.0.0 0.0.0.0 203.0.113.1' on SW1.
D.Configure 'ip domain-lookup' on SW1.
AnswerA
solution
! SW1
ip name-server 8.8.8.8

Why this answer

PC1 is configured with DNS server 192.168.1.1, which is the switch SW1. However, SW1 lacks DNS forwarding capability. To enable DNS relay on the switch, both the 'ip dns server' command (to activate the DNS forwarder) and 'ip name-server 8.8.8.8' (to point to an upstream resolver) are required.

Option A provides the necessary configuration to restore DNS resolution and internet connectivity.

Exam trap

Do not assume that internet connectivity issues are always routing problems. When a client can ping the gateway but cannot access websites, the issue is often DNS. Also, remember that 'ip name-server' configures DNS servers, while 'ip domain-lookup' only enables the DNS client feature.

Why the other options are wrong

B

A default gateway is needed only for management traffic from the switch itself, not for DNS forwarding; the switch already communicates with the router via its default route.

C

A static default route is already present and unrelated to DNS resolution; adding another route would not solve the name resolution failure.

D

The 'ip domain-lookup' command only enables the DNS client on the switch itself, not DNS forwarding for clients like PC1.

41
PBQhard

You are connected to SW1 via the console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/1, which connects to a workstation. After configuration, the workstation is moved and the port goes err-disabled. Diagnose the cause and recover the port without reloading the switch.

Network Topology
Gi0/1Gi0/2SW1workstationother switch

Hints

  • Use 'spanning-tree vlan <vlan> priority <value>' to set root bridge priority (lower values are preferred).
  • A port in err-disabled due to BPDU Guard must be manually recovered with 'shutdown' and 'no shutdown' after removing the BPDU source.
  • Check which VLANs the switch is currently root for using 'show spanning-tree'.
A.Configure spanning-tree vlan 10 priority 4096 and spanning-tree vlan 20 priority 4096. Then on interface GigabitEthernet0/1, configure spanning-tree portfast and spanning-tree bpduguard enable. After removing the BPDU source, use 'shutdown' and 'no shutdown' to recover the port.
B.Configure spanning-tree vlan 10,20 root primary and spanning-tree portfast on Gi0/1; then use 'errdisable recovery cause bpduguard' to automatically recover the port.
C.Configure spanning-tree vlan 10,20 priority 0 and spanning-tree bpduguard enable on Gi0/1; then use 'no spanning-tree bpduguard' to recover the port.
D.Configure spanning-tree vlan 10,20 priority 4096 and spanning-tree portfast on Gi0/1; then use 'clear spanning-tree detected-protocols' to recover the port.
AnswerA
solution
! SW1
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface GigabitEthernet0/1
shutdown
no shutdown

Why this answer

SW1 is currently the root for VLAN 10 but not for VLAN 20. To become root for both VLANs, set the spanning-tree priority to a lower value (e.g., 4096) for each VLAN. The port Gi0/1 went err-disabled because it received a BPDU, which is unexpected on a PortFast edge port with BPDU Guard enabled.

To recover, first identify and remove the BPDU source (likely another switch connected to that port), then use 'shutdown' followed by 'no shutdown' on the interface to bring it back up.

Exam trap

Do not confuse 'root primary' with a guaranteed root election; always check for lower priorities. Also, remember that err-disabled ports require manual intervention (shutdown/no shutdown) unless you configure errdisable recovery. BPDU Guard err-disables the port; simply disabling BPDU Guard does not recover it.

Why the other options are wrong

B

The 'root primary' command does not guarantee root status if another switch has a priority lower than 24576. The question expects manual recovery, not automatic.

C

Priority 0 is not incorrect but is not the standard recommendation. The recovery method is wrong: disabling BPDU Guard does not clear the err-disabled state.

D

The command 'clear spanning-tree detected-protocols' does not clear the err-disabled state; it only resets the port's protocol state.

42
MCQhard

A network technician is troubleshooting a connectivity issue for a PC connected to switch port Gi1/0/12. The PC can ping its default gateway (192.168.10.1) but cannot ping a server at 192.168.20.10. The switch is configured with VLAN 10 for the access port and is connected to a router-on-a-stick. The technician runs 'show vlan brief' and 'show interfaces trunk' on the switch. What is the most likely cause of the problem?

A.The trunk port Gi1/0/24 is not in trunking mode.
B.The router is missing a subinterface for VLAN 20.
C.The switch port Gi1/0/12 is not assigned to VLAN 10.
D.The PC has a duplicate IP address with the server.
AnswerB

The PC in VLAN 10 can ping its gateway, but VLAN 20 traffic cannot be routed because the router lacks a subinterface for VLAN 20.

Why this answer

The PC can ping its default gateway (192.168.10.1) but not the server at 192.168.20.10, indicating Layer 3 routing is failing between VLANs. Since the switch is configured with VLAN 10 for the access port and uses a router-on-a-stick, the router must have a subinterface for VLAN 20 to route traffic to the server's subnet. The absence of a subinterface for VLAN 20 prevents the router from forwarding packets from VLAN 10 to VLAN 20, making option B correct.

Exam trap

Cisco often tests the misconception that a trunk misconfiguration (option A) is the cause, but the PC's ability to ping the gateway confirms the trunk is working for VLAN 10, so the real issue is the missing subinterface for the destination VLAN.

Why the other options are wrong

A

The trunk port Gi1/0/24 is in 'on' mode and trunking, as shown in 'show interfaces trunk'. Therefore, the trunk is operational and not the cause of the issue.

C

The 'show vlan brief' output shows that port Gi1/0/12 is assigned to VLAN 10, so the PC is in the correct VLAN. This is not the issue.

D

A duplicate IP address would cause connectivity issues to the gateway as well, but the PC can ping the gateway successfully. Therefore, duplicate IP is not the problem.

43
Drag & Dropmedium

Drag and drop the steps into the recommended configuration order for setting up VLANs, assigning access ports, configuring 802.1Q trunking with a non-default native VLAN, and verifying the setup on a Cisco IOS-XE switch.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

After creating VLANs, the recommended order is to configure trunking with a non-default native VLAN before assigning access ports. This ensures the trunk is ready with the correct native VLAN, preventing mismatches and allowing the switch to carry traffic for the new VLANs. Options B and D fail because VLANs must exist first.

Option A places trunking last, which is not the best practice.

Exam trap

Candidates often assume that access ports must be assigned before trunking, but in a recommended workflow, configuring trunking early helps avoid native VLAN mismatches and aligns with common Cisco configuration guides.

44
MCQhard

A network administrator is troubleshooting a connectivity issue between two remote sites connected via a WAN link. Hosts on VLAN 10 at Site A (192.168.10.0/24) cannot ping the server at Site B (10.10.20.100). The router at Site A has a default route configured with the next-hop IP address 10.10.10.2. The administrator checks the routing table on Router A and notices that the default route is not installed. What is the most likely cause of the problem?

A.The static route for 10.10.20.0/24 is missing from the routing table.
B.The GigabitEthernet0/0 interface is administratively down.
C.The default route is not configured; the gateway of last resort is missing.
D.The next-hop router 10.10.10.2 is unreachable.
AnswerD

A static route with a next-hop IP is only installed in the routing table when that next-hop is reachable. Since the default route is missing from the routing table, the next-hop 10.10.10.2 must be unreachable, making option D the correct diagnosis.

Why this answer

Option D is correct because the default route uses a next-hop IP (10.10.10.2) and will only be installed in the routing table if that next-hop is reachable. Since the router’s routing table shows no default route, the most likely cause is that the next-hop 10.10.10.2 is unreachable, preventing the static route from being used. This explains why traffic fails despite the configuration.

Exam trap

Cisco often tests the misconception that a default route alone guarantees connectivity, when in reality the next-hop must be reachable; candidates may overlook verifying the next-hop's availability.

Why the other options are wrong

A

The routing table shows a static route to 10.10.20.0/24 via 10.10.10.2, so the route is present. The issue is not a missing route.

B

The interface is shown as directly connected with a local address, indicating it is up and operational. An administratively down interface would show 'administratively down' in the status.

C

The output shows 'Gateway of last resort is 10.10.10.2 to network 0.0.0.0', confirming the default route is configured.

45
PBQhard

You are connected to a Multilayer Switch MLS1. Configure the switch so that interface GigabitEthernet1/0/1 is an access port for VLAN 10, with voice VLAN 110 for an IP phone, and enable PoE. Additionally, interface GigabitEthernet1/0/2 must be an access port for VLAN 20 to connect an AP. Verify the configuration using 'show interfaces switchport' and 'show power inline'.

Network Topology
G1/0/1G1/0/2SiMLS1IP PhoneAP

Hints

  • Use 'switchport mode access' to set the port as an access port.
  • For the IP phone port, apply both 'switchport access vlan' and 'switchport voice vlan' commands.
  • PoE is enabled by default but ensure 'power inline auto' is configured.
A.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
B.interface GigabitEthernet1/0/1 switchport mode trunk switchport trunk allowed vlan 10,110 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
C.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline never interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
D.interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 110 switchport voice vlan 10 power inline auto interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20
AnswerA
solution
! MLS1
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 110
power inline auto
exit
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 20
exit

Why this answer

Option A is correct. It configures Gi1/0/1 as an access port in VLAN 10 with voice VLAN 110 and PoE enabled, and Gi1/0/2 as an access port in VLAN 20. Option B is wrong because it uses 'switchport mode trunk' instead of 'switchport mode access'.

For a voice VLAN, the port should be an access port, not a trunk. Option C is wrong because it disables PoE with 'power inline never', but the IP phone requires power. Option D is wrong because it assigns the access VLAN as 110 and voice VLAN as 10, reversing the intended roles.

Verify with 'show interfaces switchport' and 'show power inline'.

Exam trap

Watch out for the difference between access and trunk ports when a voice VLAN is involved. The voice VLAN is configured on an access port, not a trunk. Also, ensure PoE is enabled (auto) and not disabled (never).

Finally, do not confuse the access VLAN with the voice VLAN.

Why the other options are wrong

B

The specific factual error is using 'switchport mode trunk' instead of 'switchport mode access'. Access ports are used for end devices like IP phones and APs, not trunks.

C

The specific factual error is using 'power inline never' which disables PoE. The correct command to enable PoE is 'power inline auto'.

D

The specific factual error is reversing the VLAN assignments: 'switchport access vlan 110' and 'switchport voice vlan 10' instead of the correct order.

46
MCQhard

A network technician notices CDP native VLAN mismatch warnings between switches SW1 and SW2 on their trunk link. The technician runs 'show interfaces trunk' on SW1 and sees native VLAN 1, then on SW2 and sees native VLAN 99. Data traffic is currently passing, but the mismatch can cause broadcast loops. What should the technician do next?

A.Add VLAN 99 to the allowed VLAN list on the trunk interface of SW1.
B.Remove the trunk configuration and set both interfaces as access ports in VLAN 1.
C.Enable spanning‑tree PortFast on the trunk ports.
D.Configure the native VLAN to match on both ends of the trunk.
AnswerD

The root cause is a configured native VLAN mismatch (1 vs 99). Changing one switch’s native VLAN to match the other (or setting both to a common VLAN) immediately resolves the CDP warning and eliminates the potential for broadcast loops caused by the mismatch. This is the most direct and least disruptive next step.

Why this answer

The correct action is to configure the native VLAN to match on both ends of the trunk. CDP reports a native VLAN mismatch when the native VLANs differ on the two sides of a trunk link. Although data traffic may still pass because 802.1Q does not tag frames on the native VLAN, the mismatch can cause broadcast loops and security risks, as frames from one native VLAN may be misinterpreted on the other side.

Setting both sides to the same native VLAN (e.g., VLAN 1 or VLAN 99) resolves the mismatch and ensures proper Layer 2 behavior.

Exam trap

Cisco often tests the misconception that data traffic passing means the configuration is fine, but the trap here is that the native VLAN mismatch can still cause serious issues like broadcast loops and security vulnerabilities, even if user data appears to work.

Why the other options are wrong

A

Common misconception: the warning message implies a VLAN is not allowed, but native VLAN mismatch means the trunk ports disagree on the native VLAN, not that a VLAN is missing from the allowed list.

B

Over‑reaction: candidates might think a trunk problem requires eliminating the trunk, but the correct approach is to correct the native VLAN parameter on the existing trunk.

C

Wrong feature: PortFast addresses access port convergence, not VLAN mismatches. Candidates may reach for any familiar command, but it targets the wrong layer and port type.

47
MCQhard

A trunk link between two switches is operational, but one side shows a native VLAN mismatch warning. What is the main concern with that condition?

A.Untagged traffic may be associated with different VLANs on each end of the trunk
B.All tagged VLAN traffic is automatically converted to routed traffic
C.The mismatch forces OSPF adjacency reset on all routers
D.The trunk can carry only one VLAN until the mismatch is cleared
AnswerA

This is correct because that is the direct risk of a native VLAN mismatch.

Why this answer

A native VLAN mismatch can cause untagged traffic to be interpreted as belonging to different VLANs on each end of the trunk. In plain language, the two switches disagree about where untagged frames belong. That can lead to confusing traffic behavior, reachability problems for certain flows, and operational warnings. It is not always a total outage, but it is a design inconsistency that should be corrected.

This matters because trunks carry multiple VLANs, and the native VLAN defines how untagged traffic is handled. If both ends do not agree, the logical treatment of those frames becomes inconsistent. The correct answer is the one that focuses on misclassification of untagged traffic, not on unrelated routing behavior.

Exam trap

Be careful not to confuse native VLAN mismatches with general trunk failures or issues affecting tagged traffic.

Why the other options are wrong

B

A native VLAN mismatch does not convert tagged traffic into routed traffic. Tagged frames continue to be switched based on their VLAN tags, and the trunk remains a Layer 2 link. The mismatch only affects untagged frames on the native VLAN.

C

A native VLAN mismatch is a Layer 2 trunking issue and does not directly affect OSPF or any routing protocol. OSPF adjacency is a Layer 3 process and would only be impacted if the mismatch caused connectivity loss for the router interfaces, but the mismatch itself does not force OSPF adjacency resets.

D

A native VLAN mismatch does not prevent the trunk from carrying other tagged VLANs. Tagged frames for other VLANs are still forwarded correctly because they are not affected by the native VLAN configuration. The trunk can carry multiple VLANs, but the native VLAN traffic is misdirected.

48
Multi-Selectmedium

Which four of the following are characteristics of Dynamic Trunking Protocol (DTP) and VLAN Trunking Protocol (VTP) used in Cisco switching? (Choose four.)

Select 4 answers
.DTP is a Cisco proprietary protocol used to negotiate trunking between two switches.
.VTP allows synchronization of VLAN information across switches in the same VTP domain.
.A switch configured with 'switchport mode dynamic desirable' actively attempts to form a trunk using DTP.
.VTP pruning helps reduce unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN.
.VTP transparent mode stores and forwards VTP advertisements but also modifies the VLAN database based on received updates.
.DTP can form a trunk regardless of whether both ends are configured with 'switchport nonegotiate'.

Why this answer

The four correct statements are: (1) DTP is a Cisco proprietary protocol for negotiating trunk links; (2) VTP synchronizes VLAN information across switches in the same VTP domain; (3) 'switchport mode dynamic desirable' actively sends DTP frames to form a trunk; (4) VTP pruning reduces unnecessary broadcast traffic by limiting flooded traffic to only switches that need the VLAN. The two incorrect statements: VTP transparent mode forwards VTP advertisements but does **not** modify its VLAN database based on received updates—it only passes them through. DTP **cannot** form a trunk when both ends are configured with 'switchport nonegotiate' because that command disables DTP frame transmission entirely, preventing trunk negotiation.

Exam trap

Cisco often tests the distinction between DTP modes (dynamic desirable vs. dynamic auto) and the fact that VTP can cause catastrophic VLAN propagation errors if revision numbers are not reset before adding a switch to a production network.

49
PBQhard

You are connected to R1. Configure router-on-a-stick inter-VLAN routing so that hosts in VLAN 10 and VLAN 20 can communicate through R1. The switch (not shown) is already configured with the correct VLANs and trunk. Troubleshoot and fix any issues in the current R1 configuration.

Network Topology
G0/0 802.1Q trunk to switchtrunkR1Switch

Hints

  • Check if the main physical interface is administratively down.
  • The subinterfaces require the parent interface to be up.
  • Verify that ip routing is enabled (it is already).
A.Enable IP routing globally and bring up the main interface GigabitEthernet0/0 with 'no shutdown'.
B.Change the encapsulation on the subinterfaces to 'encapsulation dot1Q 10 native' and 'encapsulation dot1Q 20 native'.
C.Remove the subinterfaces and configure IP addresses directly on GigabitEthernet0/0.
D.Add 'ip routing' on each subinterface individually.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
end

Why this answer

The R1 configuration has two subinterfaces (G0/0.10 and G0/0.20) with correct VLAN encapsulation and IP addresses, but inter-VLAN routing fails because the main interface G0/0 is not configured as a trunk (no 'no shutdown' and no 'ip routing' globally). Enable IP routing globally with 'ip routing' and ensure GigabitEthernet0/0 is administratively up with 'no shutdown'. The subinterfaces will then route between VLANs.

Exam trap

Do not assume that configuring subinterfaces with encapsulation and IP addresses is sufficient. Always verify that 'ip routing' is enabled globally and that the main physical interface is not shut down. These are common oversights that cause inter-VLAN routing to fail.

Why the other options are wrong

B

The specific factual error: The 'native' keyword should only be applied to the subinterface that matches the native VLAN (usually VLAN 1 by default), not to all subinterfaces.

C

The specific factual error: Router-on-a-stick requires subinterfaces with VLAN encapsulation to handle multiple VLANs over a single trunk link. Assigning an IP to the physical interface only works for a single VLAN (usually the native VLAN).

D

The specific factual error: 'ip routing' is a global configuration command that enables Layer 3 forwarding on the entire router. It is not available under interface configuration mode.

50
MCQhard

A switch displays the following output: Switch# show interfaces trunk Port Mode Encapsulation Status Native vlan Gi1/0/24 on 802.1q trunking 99 Port Vlans allowed on trunk Gi1/0/24 10,20,30 Port Vlans active in management domain Gi1/0/24 10,20,30,40 Users in VLAN 40 cannot reach resources across this trunk. What is the most likely reason?

A.VLAN 40 is active, so spanning tree must be blocking it
B.VLAN 40 is not in the native VLAN, so it cannot cross the trunk
C.VLAN 40 is not permitted on the trunk
D.802.1Q trunks can carry only three VLANs at a time
AnswerC

Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

Why this answer

The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted.

Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.

Exam trap

Ensure you differentiate between VLANs configured on the switch and those allowed on the trunk. Just because a VLAN is active doesn't mean it's allowed on a trunk.

Why the other options are wrong

A

Spanning Tree Protocol (STP) can block a VLAN if there is a loop, but the output shows VLAN 40 is active in the management domain and not listed as blocked. The explicit absence of VLAN 40 from the allowed VLAN list is the direct cause, not STP.

B

The native VLAN is only for untagged traffic on an 802.1Q trunk. All other VLANs are tagged and can cross the trunk regardless of the native VLAN. VLAN 40 is not the native VLAN, but that does not prevent it from being carried if permitted.

D

802.1Q has no limit of three VLANs per trunk; it can support up to 4094 VLANs. The output shows only three VLANs allowed because of configuration, not a protocol limitation.

51
MCQhard

A network administrator has configured a DHCP server on VLAN 100 with an IP address of 192.168.100.10/24. Clients on VLAN 200 (192.168.200.0/24) report that they cannot obtain an IP address via DHCP. The router is configured with a DHCP relay on the VLAN 200 interface. The administrator checks the router configuration and verifies that the relay is in place, but clients still fail to get an address. The switch that the router and clients connect to has DHCP snooping enabled. What is the most likely cause of this issue?

A.The DHCP server is on a different subnet and the relay address is incorrect.
B.DHCP snooping is blocking the relay agent because the relay interface is not trusted.
C.The DHCP server is unreachable from the router.
D.The ip helper-address command is missing from the VLAN 200 interface.
AnswerB

The 'show ip dhcp relay information trusted' output shows 'Not configured', which means the relay agent is not trusting the DHCP server's responses. This causes the switch to drop DHCP server responses when DHCP snooping is enabled. The fix is to configure 'ip dhcp relay information trusted' on the interface facing the DHCP server.

Why this answer

The scenario states that DHCP snooping is enabled on the switch. When DHCP snooping is active, it discards DHCP messages received on untrusted ports. The router's VLAN 200 interface, which is configured as a DHCP relay agent, must be configured as a trusted port for DHCP snooping; otherwise, the relayed messages are silently dropped.

Option A is incorrect because the relay address is correctly pointing to the DHCP server's subnet. Option C is too generic and unlikely since the router and switch are directly connected. Option D is incorrect because the relay is verified to be in place.

Therefore, the most likely cause is DHCP snooping blocking the relay agent due to the relay interface not being trusted.

Exam trap

Cisco often tests the misconception that a correctly configured DHCP relay alone guarantees DHCP operation, ignoring that DHCP snooping can silently drop relayed messages if the relay interface is not trusted.

Why the other options are wrong

A

The relay address 192.168.100.10 is correctly configured to point to the DHCP server on VLAN 100. The issue is not with the relay address being incorrect.

C

The DHCP server is on the same router (VLAN 100 interface) and is reachable; the relay configuration is correct. The server is not unreachable.

D

The exhibit shows 'ip helper-address 192.168.100.10' is configured on GigabitEthernet0/1, which is the VLAN 200 interface. The command is present.

52
MCQhard

A multilayer switch has SVIs for VLAN 10 and VLAN 20, but hosts in those VLANs still cannot reach each other. The SVIs are up/up. Which additional condition is most likely required?

A.IP routing must be enabled on the multilayer switch
B.Every access port must be converted to a trunk
C.DHCP snooping must be disabled globally
D.The switch must remove all VLAN assignments
AnswerA

This is correct because the switch needs Layer 3 routing enabled to route between active SVIs.

Why this answer

If the SVIs are up but inter-VLAN traffic still fails, the most likely missing condition is that IP routing is not enabled on the multilayer switch. In plain language, the switch has the VLAN gateway interfaces present, but it has not been told to behave as a Layer 3 router between them. Without IP routing enabled, the SVIs can exist and still not actually route traffic between VLANs.

This is a classic multilayer-switch design issue because many learners assume the presence of SVIs alone automatically creates routing. In reality, routed forwarding between VLANs still requires the switch to operate as a Layer 3 device. That is why enabling routing is the best answer.

Exam trap

Don't assume SVIs automatically enable routing; IP routing must be explicitly configured.

Why the other options are wrong

B

Converting all access ports to trunk ports is unnecessary and incorrect for inter-VLAN routing. Access ports belong to a single VLAN, and hosts connect via access ports. Trunk ports are used to carry multiple VLANs between switches, not to connect end hosts.

Changing all ports to trunks would break connectivity for hosts.

C

DHCP snooping is a security feature that filters DHCP messages and does not affect Layer 3 routing between VLANs. Disabling it would not enable inter-VLAN communication. The issue is routing, not DHCP.

D

Removing all VLAN assignments would break the network entirely, as hosts would lose their VLAN membership and connectivity. VLANs are essential for segmenting the network; removing them would not solve the routing issue.

53
PBQhard

You are connected to R1, a multilayer switch acting as the root bridge for VLAN 10. The network has experienced a loop, and interface GigabitEthernet0/1 on R1 is currently in err-disabled state due to a BPDU guard violation. Configure the switch to recover automatically from err-disable state after 300 seconds, then verify that the interface comes back up.

Hints

  • The errdisable recovery command is in global configuration mode.
  • Use the 'show errdisable recovery' command to check the current causes and timers.
  • The interface will not recover immediately; you can use 'clear errdisable interface Gi0/1' to test manually.
A.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' globally, then verify with 'show interfaces status'.
B.Configure 'spanning-tree portfast bpduguard default' and 'errdisable recovery interval 300' globally, then verify with 'show spanning-tree'.
C.Configure 'errdisable recovery cause all' and 'errdisable recovery interval 300' globally, then verify with 'show errdisable recovery'.
D.Configure 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300' on interface GigabitEthernet0/1, then verify with 'show interfaces GigabitEthernet0/1'.
AnswerA
solution
! R1
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The interface Gi0/1 is in err-disabled state because BPDU Guard detected an unexpected BPDU on a PortFast-enabled access port. To recover automatically, configure errdisable recovery cause bpduguard and set the recovery interval to 300 seconds with errdisable recovery interval 300. After applying these commands, the interface will automatically come out of err-disable state after 300 seconds.

The blocking port on Gi0/2 is expected because R1 is the root bridge and Gi0/2 is an alternate port providing redundancy; no action is needed for that blocking state.

Exam trap

The trap is that candidates may confuse enabling BPDU guard with configuring recovery, or they may think recovery commands are applied per-interface. Remember that errdisable recovery is a global setting, and you must specify the exact cause unless you want to recover from all causes.

Why the other options are wrong

B

The specific factual error: 'spanning-tree portfast bpduguard default' enables BPDU guard, not recovery. Recovery requires 'errdisable recovery cause bpduguard'.

C

The specific factual error: Using 'cause all' is not the best practice; the question implies a specific cause. Also, the verification command is correct but the configuration is not precise.

D

The specific factual error: errdisable recovery is a global configuration command, not interface-specific.

54
MCQhard

A switch port should allow an IP phone and attached PC to operate correctly. The phone should place voice traffic in VLAN 200 while the PC remains in VLAN 20. Which configuration approach best supports that design?

A.Configure the port with an access VLAN for data and a voice VLAN for the phone
B.Configure the port as a routed port with no switchport
C.Configure the port as an EtherChannel member
D.Use a native VLAN only and disable all tagging
AnswerA

This is correct because Cisco voice-VLAN design allows user data and tagged voice traffic to coexist correctly on one edge port.

Why this answer

The best approach is to configure the access VLAN for user data and the voice VLAN separately. In plain language, the PC should remain a normal untagged data endpoint in VLAN 20, while the phone can tag its own voice traffic for VLAN 200. Cisco access-port designs support this exact use case and allow the switch to keep voice and user traffic logically separated without requiring two physical ports.

This is a classic CCNA edge-port design. It is not a general trunking problem, and it does not require EtherChannel or router subinterfaces. The important idea is that one switchport can support an access VLAN and a voice VLAN together in a way designed specifically for IP phones with downstream PCs.

Exam trap

Avoid assuming trunk mode is needed for VLANs; understand access vs. voice VLANs for edge ports.

Why the other options are wrong

B

A routed port (no switchport) is used for Layer 3 routing between switches or routers, not for connecting end devices like IP phones and PCs. It does not support VLAN assignment or the coexistence of multiple VLANs on a single port, making it unsuitable for this scenario.

C

EtherChannel is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy. It does not provide any mechanism to separate voice and data traffic into different VLANs on a single port, and it is not relevant to the requirement of connecting an IP phone and PC.

D

Using a native VLAN only and disabling all tagging would place all traffic (voice and data) in the same VLAN, which contradicts the requirement to separate voice into VLAN 200 and data into VLAN 20. The native VLAN is used for untagged traffic on a trunk, but this design requires distinct VLANs with tagging for voice.

55
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Port GigabitEthernet0/1 connects to a PC in VLAN 10, and port GigabitEthernet0/2 connects to a server in VLAN 20. Both ports are currently in VLAN 1. Configure SW1 to assign GigabitEthernet0/1 to VLAN 10 and GigabitEthernet0/2 to VLAN 20, and verify the configuration.

Network Topology
G0/1G0/2SW1PCServer

Hints

  • Use switchport mode access to configure the port as an access port.
  • Use switchport access vlan to assign the VLAN.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 interface GigabitEthernet0/2 switchport mode access switchport access vlan 20 end show vlan brief
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10 interface GigabitEthernet0/2 switchport mode trunk switchport trunk allowed vlan 20 end show interfaces trunk
C.vlan 10 name PC_VLAN vlan 20 name Server_VLAN interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 interface GigabitEthernet0/2 switchport mode access switchport access vlan 20 end show vlan brief
D.interface GigabitEthernet0/1 switchport access vlan 10 interface GigabitEthernet0/2 switchport access vlan 20 end show vlan brief
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Why this answer

Access ports carry traffic for a single VLAN. By assigning G0/1 to VLAN 10 and G0/2 to VLAN 20, the PC and server are placed in their respective VLANs.

Exam trap

Do not confuse access ports with trunk ports. Access ports are for end devices; trunk ports are for switch-to-switch connections. Also, remember that 'switchport mode access' is required before assigning a VLAN; otherwise, the port may not behave as expected.

Why the other options are wrong

B

Trunk ports are not appropriate for end devices; they are designed for inter-switch links.

C

The question does not require creating or naming VLANs; it only asks to assign ports to existing VLANs.

D

The 'switchport mode access' command is required to explicitly set the port as an access port; otherwise, the port might negotiate trunking.

56
PBQhard

You are connected to the WLC via its management IP 192.168.10.10. A new corporate SSID 'SecureCorp' must be configured for WPA3-Personal with PSK 'Cisco123' on the 5 GHz radio only. The SSID should be broadcast. The WLAN must be mapped to interface 'corp_vlan' (VLAN 100). After configuration, a wireless client reports it cannot see or connect to the SSID. Troubleshoot and resolve the client's association failure.

Network Topology
192.168.10.50192.168.10.50APWLCClient

Hints

  • The client cannot see the SSID in its Wi-Fi list — check broadcast setting.
  • All other WLAN parameters are correct; only one setting prevents discovery.
  • Use the 'broadcast-ssid' command under the WLAN configuration.
A.Enable SSID broadcast for the SecureCorp WLAN.
B.Change the security mode to WPA2-Personal with the same PSK.
C.Reconfigure the WLAN to use interface 'management' instead of 'corp_vlan'.
D.Disable the 5 GHz radio and enable the 2.4 GHz radio for the SecureCorp WLAN.
AnswerA
solution
! WLC
config wlan 1
broadcast-ssid
end

Why this answer

The client cannot see the SSID because SSID broadcast is disabled. The SSID is configured to be broadcast, but the actual setting is off. To resolve, enable SSID broadcast on the WLAN.

The security and VLAN settings are correct. Enabling broadcast allows the client to discover the network without manual entry.

Exam trap

Do not confuse SSID visibility issues with security or VLAN misconfigurations. A hidden SSID prevents discovery; the client must either manually configure the SSID or the administrator must enable broadcast. Always check the broadcast setting first when a client cannot see a WLAN.

Why the other options are wrong

B

The specific factual error is that the security mode does not affect SSID visibility; the problem is the broadcast setting.

C

The specific factual error is that interface mapping controls VLAN assignment for traffic, not SSID broadcast.

D

The specific factual error is that radio band selection does not affect SSID broadcast; the hidden SSID prevents discovery on any band.

57
MCQhard

A network engineer notices that users in VLAN 10 report intermittent connectivity and slow file transfers to a server on the same switch. The engineer issues the show interfaces fa0/1 command on the switch port connected to the server and observes a high number of runts, input errors, and CRC errors, while output errors are minimal. The interface configuration shows speed 100 and duplex full.

A.The server NIC is set to 10 Mbps half-duplex, causing a speed mismatch.
B.The server NIC is auto-negotiating to 100 Mbps half-duplex, resulting in a duplex mismatch.
C.The cable connecting the server to the switch is faulty, introducing excessive noise.
D.The switch port is configured with an incorrect native VLAN, causing duplex negotiation issues.
AnswerB

With the switch forced to full-duplex and the server using auto-negotiation, the server defaults to half-duplex. The duplex mismatch leads to collisions on the half-duplex side, generating runts, CRC errors, and input errors on the switch port.

Why this answer

Option B is correct because the symptoms—high runts, input errors, and CRC errors with minimal output errors—are classic indicators of a duplex mismatch. When the switch port is hardcoded to 100 Mbps full-duplex and the server NIC auto-negotiates to 100 Mbps half-duplex (a common fallback when one side is manually set), collisions occur on the full-duplex side, corrupting frames and causing input errors. The speed matches (both 100 Mbps), so the issue is purely duplex-related.

Exam trap

Cisco often tests the misconception that speed and duplex mismatches always occur together; the trap here is that a duplex mismatch can exist even when speed matches, and the error pattern (high input errors, low output errors) specifically points to duplex, not cabling or VLAN issues.

Why the other options are wrong

A

Misconception that speed mismatch produces specific error counters; in reality, incompatible speeds cause link failure, not runts and CRC errors.

C

Misconception that CRC errors alone point to a bad cable; duplex mismatch is one of the most common causes of runts and CRC errors on forced-full interfaces.

D

Misconception that a VLAN mismatch can trigger interface errors; these errors are purely physical/data-link layer phenomena unrelated to VLAN settings.

58
PBQmedium

You are connected to R1 via the console. R1 is a router that needs to provide DHCP services for hosts on VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The DHCP server is located on VLAN 10 at 192.168.10.100, but hosts on VLAN 20 cannot reach it directly. Configure R1 to forward DHCP broadcasts from VLAN 20 to the DHCP server.

Network Topology
G0/0.10192.168.10.1/24G0/0.20192.168.20.1/24DHCP ServerVLAN 10R1VLAN 20Hosts

Hints

  • The helper address should be placed on the interface that receives the DHCP broadcast.
  • The helper address is the server's IP address.
  • Only one command is needed.
A.interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip helper-address 192.168.10.100
B.interface GigabitEthernet0/0.10 encapsulation dot1Q 10 ip helper-address 192.168.10.100
C.interface GigabitEthernet0/0.20 encapsulation dot1Q 20 ip dhcp relay information option
D.ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1
AnswerA
solution
! R1
interface GigabitEthernet0/0.20
ip helper-address 192.168.10.100

Why this answer

The ip helper-address command enables the router to forward UDP broadcasts (including DHCP) to a specific server. Placing it on the VLAN 20 subinterface ensures that DHCP requests from VLAN 20 are unicast to the server on VLAN 10.

Exam trap

The key trap is placing the ip helper-address on the wrong interface. Remember: the helper-address must be on the interface that receives the client's broadcast, not on the server's interface. Also, do not confuse ip helper-address with DHCP server configuration or relay option commands.

Why the other options are wrong

B

The ip helper-address must be configured on the interface that receives the client broadcasts (VLAN 20), not the server's VLAN.

C

This command enables relay agent information insertion, not the actual forwarding of DHCP packets to a server.

D

The question states the DHCP server is at 192.168.10.100, so R1 should relay, not serve.

59
PBQhard

You are connected to SW1. Configure LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel forms and passes traffic for VLAN 10. Troubleshoot and fix any issues preventing the channel from coming up.

Network Topology
Gi0/1Gi0/1LACPSW1SW2

Hints

  • Check the speed and duplex settings on both member interfaces.
  • Verify that the port-channel interface and member ports are both Layer2 or both Layer3.
  • Ensure LACP mode is active on at least one side to initiate negotiation.
A.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
B.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to no switchport, and set both Gi0/1 and Gi0/2 to channel-group 1 mode passive.
C.Configure speed 100 and duplex half on Gi0/1 to match Gi0/2, change port-channel 1 to switchport mode trunk with allowed vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode active.
D.Configure speed 1000 and duplex full on Gi0/2, change port-channel 1 to switchport mode access with access vlan 10, and set both Gi0/1 and Gi0/2 to channel-group 1 mode desirable.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode active
exit
interface GigabitEthernet0/1
channel-group 1 mode active
exit
interface Port-channel1
switchport
switchport mode trunk
switchport trunk allowed vlan 10
no ip address
end

Why this answer

The EtherChannel is not forming because of multiple mismatches: speed (1000 vs 100), duplex (full vs half), and the port-channel interface is configured as Layer3 (no switchport) while the member ports are Layer2 (switchport mode trunk). First, correct the speed and duplex on Gi0/2 to match Gi0/1 (speed 1000, duplex full). Then change the port-channel to switchport mode trunk and set the allowed VLAN.

Finally, change the LACP mode on both interfaces to 'active' to initiate negotiation. After these changes, the channel should come up.

Exam trap

Watch for mismatches in speed, duplex, and Layer2/Layer3 configuration between member ports and the port-channel interface. Also, ensure LACP mode is active on at least one side to initiate negotiation.

Why the other options are wrong

B

The specific factual error: The port-channel interface must match the Layer2 configuration of member ports; using no switchport creates a Layer3 interface that cannot trunk VLANs. Additionally, passive mode requires an active partner to form the channel.

C

The specific factual error: Speed and duplex should be consistent across all member links, but the correct resolution is to correct the misconfigured interface (Gi0/2) to match the working one (Gi0/1), not vice versa.

D

The specific factual error: Access mode cannot carry multiple VLANs; trunk mode is required for VLAN 10. Additionally, desirable is a PAgP keyword, not LACP. LACP uses active or passive.

60
MCQhard

Refer to the exhibit. A network administrator is troubleshooting a connectivity issue on switch SW1. Users connected to port Gi0/3 are unable to reach resources in VLAN 30. The administrator issues the show vlan brief command and receives the output shown. What is the most likely cause of the problem?

A.The Gi0/3 port is in an error-disabled state due to port security violations.
B.The VLAN 30 SVI is administratively down.
C.VLAN 30 is administratively shut down.
D.Spanning Tree Protocol has placed Gi0/3 into a blocking state for VLAN 30.
AnswerC

The Status field for VLAN 30 clearly displays 'act/lshut', which is Cisco’s notation for an administratively shut-down VLAN. This prevents any data plane forwarding on ports assigned to that VLAN.

Why this answer

The 'show vlan brief' output shows VLAN 30 as 'active' but the ports assigned to it are not listed, and the VLAN is not present in the output at all. This indicates that VLAN 30 has been administratively shut down (shutdown command applied under the VLAN configuration mode), which prevents any traffic from being forwarded through that VLAN, even if the switch port Gi0/3 is configured as an access port in VLAN 30. The correct answer is C because an administratively shutdown VLAN will not appear in the 'show vlan brief' output, and all ports assigned to it will be unable to communicate within that VLAN.

Exam trap

Cisco often tests the distinction between a VLAN being 'shutdown' versus a VLAN being 'active' but with no ports assigned, and candidates mistakenly think that a missing VLAN in 'show vlan brief' means it doesn't exist, rather than recognizing it could be administratively disabled.

Why the other options are wrong

A

Candidates often confuse port-level issues with VLAN-level states. Port security violations would result in an err-disable status, which is not reflected in the VLAN status column; the VLAN would still show 'active' if it were enabled.

B

Candidates may mistake the VLAN shutdown for an SVI shutdown because both involve the 'shutdown' keyword. However, the SVI state would appear in 'show ip interface brief' or 'show interface vlan 30', not here.

D

Candidates often attribute connectivity loss to STP blocking, which is a common cause of forwarding issues. However, this exhibit’s specific clue is the 'act/lshut' flag, directing attention to the VLAN administrative state.

61
Multi-Selectmedium

Which TWO statements accurately describe 802.1Q trunking and inter-VLAN routing on Cisco switches?

Select 2 answers
A.The native VLAN on a trunk port sends frames with an 802.1Q tag containing VLAN ID 1.
B.802.1Q trunking adds a 4-byte tag that includes a 12-bit VLAN ID field, increasing the maximum frame size.
C.A router-on-a-stick configuration uses subinterfaces, each mapped to a VLAN with 802.1Q encapsulation and an IP address in a unique subnet.
D.A trunk port can only forward traffic for one VLAN at a time.
E.The native VLAN on a trunk cannot be changed from VLAN 1.
AnswersB, C

The 802.1Q tag is 4 bytes, consisting of TPID and TCI, where the TCI contains a 12-bit VLAN ID.

Why this answer

Option B is correct because 802.1Q trunking inserts a 4-byte tag into the Ethernet frame, which includes a 12-bit VLAN ID field (supporting up to 4094 VLANs). This tag increases the maximum frame size from 1518 bytes to 1522 bytes, which is a key characteristic of 802.1Q encapsulation.

Exam trap

Cisco often tests the misconception that the native VLAN is always VLAN 1 and that it is tagged, when in fact the native VLAN is untagged and can be changed to any VLAN number.

Why the other options are wrong

A

By default, frames belonging to the native VLAN (VLAN 1) traverse a trunk link without an 802.1Q tag.

D

Trunk ports differentiate frames from multiple VLANs using VLAN tags, permitting concurrent forwarding for all allowed VLANs.

E

Cisco switches allow administrators to assign any active VLAN as the native VLAN for a trunk port.

62
PBQhard

You are securing the spanning-tree topology on R1, the root bridge for VLAN 10. Intended configurations: Root Guard on GigabitEthernet1/0/3, Loop Guard on gigabit interfaces 1/0/1 and 1/0/2, and BPDU Guard on all PortFast-enabled interfaces. After initial configuration, a superior BPDU on G1/0/3 blocks the port (expected), and a host on G1/0/5 triggers BPDU Guard, causing err-disable (expected). However, you realize Loop Guard was not applied to the uplinks. Troubleshoot and apply the missing configuration.

Hints

  • Root Guard on the root bridge may cause blocking if a superior BPDU is received; this is correct behavior unless the port should be a root port.
  • Loop Guard prevents alternate or root ports from becoming designated in case of unidirectional link failure; it is safe on trunk uplinks.
  • BPDU Guard err-disables a PortFast port when a BPDU is received; re-enable with 'no shutdown' after fixing the cause.
A.Remove Root Guard from G1/0/3 and configure it with 'spanning-tree guard loop' to prevent the blockage.
B.Re-enable G1/0/5 with 'no shutdown' and apply 'spanning-tree bpduguard enable' on all PortFast-enabled interfaces to prevent future err-disable.
C.Configure Loop Guard on G1/0/1 and G1/0/2 with 'spanning-tree guard loop' and recover G1/0/5 from err-disable by issuing 'shutdown' followed by 'no shutdown'.
D.Remove BPDU Guard from all PortFast interfaces and configure 'spanning-tree portfast bpdufilter default' to prevent err-disable.
AnswerC
solution
! R1
interface GigabitEthernet1/0/1
spanning-tree guard loop
interface GigabitEthernet1/0/2
spanning-tree guard loop
interface GigabitEthernet1/0/5
shutdown
no shutdown

Why this answer

The candidate must first identify that Root Guard is correctly configured on G1/0/3, causing it to block (BKN*ROOT_Guard) upon receiving a superior BPDU, which is correct behavior. However, the task states to protect the root bridge role; since R1 is already root, Root Guard is appropriate. The err-disabled port G1/0/5 indicates BPDU Guard triggered; this is expected because a host connected to a PortFast port sent a BPDU.

To resolve, the candidate should re-enable the port with 'no shutdown' and ensure BPDU Guard is properly applied. Additionally, Loop Guard is missing on uplinks G1/0/1 and G1/0/2; it must be configured with 'spanning-tree guard loop' under each interface. No changes to Root Guard are needed; the blockage is intentional.

Exam trap

Do not assume that a blocked port due to Root Guard is a problem; it is intentional. Also, do not confuse BPDU Guard with BPDU Filter; BPDU Guard err-disables, while BPDU Filter suppresses BPDUs. Remember that err-disabled ports must be manually re-enabled with 'no shutdown'.

Why the other options are wrong

A

Root Guard is designed to block a port that receives superior BPDUs, which is exactly what happened. The configuration is correct and should not be removed.

B

BPDU Guard is correctly configured; the err-disable is expected behavior when a BPDU is received on a PortFast port. The solution is to re-enable the port and ensure the host is not a switch.

D

BPDU Filter is not a substitute for BPDU Guard; it prevents the port from sending or receiving BPDUs, which can cause bridging loops. The correct action is to re-enable the port, not change the protection mechanism.

63
MCQhard

Refer to the exhibit. A network engineer is troubleshooting a connectivity issue on SW3. A host connected to the same segment as SW3's GigabitEthernet0/0 interface cannot reach any network resources. The engineer issues the show spanning-tree vlan 10 command and receives the output shown. Based on the output, what is the most likely cause?

A.GigabitEthernet0/0 is administratively down, which prevents the host from communicating.
B.The port is in the Blocking state because the switch detected a loop and moved the port to error-disabled state.
C.The port is blocked because SW3 has a lower bridge priority than the root bridge and should be the designated port for that segment.
D.The interface GigabitEthernet0/0 is in the Blocking state because it received a superior BPDU, making it an alternate port to the root bridge.
AnswerD

The output explicitly shows role 'Altn' and state 'BLK' for Gi0/0. An alternate port is blocked because it receives better BPDUs on that interface than it can send, providing an alternate path to the root bridge. This is correct STP behavior, and the blocking state prevents the host from communicating.

Why this answer

The output shows that GigabitEthernet0/0 is in the Blocking state for VLAN 10. In Rapid PVST+ or classic STP, a port enters the Blocking state when it receives a superior BPDU (i.e., a BPDU with a lower bridge ID or lower path cost to the root), causing it to become an alternate (or backup) port rather than a designated or root port. This prevents the host from reaching network resources because the port does not forward traffic.

Exam trap

Cisco often tests the distinction between a port being blocked due to normal STP operation (receiving a superior BPDU) versus being error-disabled or administratively down, leading candidates to incorrectly assume a physical or administrative issue.

Why the other options are wrong

A

Candidates may incorrectly associate the blocked state with an administratively disabled interface.

B

Candidates often confuse error-disabled state (caused by features like BPDU guard) with the standard STP blocking state.

C

Candidates may misunderstand the root election process and assume a lower priority switch always becomes designated for all segments, ignoring the Altn role.

64
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with three redundant links to SW2: G0/1, G0/2, and G0/3. The network is experiencing loops, and STP is not configured. You need to enable STP and ensure that SW1 becomes the root bridge for VLAN 1. Configure STP on SW1 and set its priority to 4096 for VLAN 1.

Network Topology
G0/1G0/1SW1SW2

Hints

  • STP uses bridge priority to determine root bridge; lower priority wins.
  • The default priority is 32768; setting it to 4096 ensures SW1 becomes root.
A.spanning-tree vlan 1 priority 4096
B.spanning-tree vlan 1 root primary
C.spanning-tree vlan 1 priority 32768
D.spanning-tree vlan 1 priority 8192
AnswerA
solution
! SW1
spanning-tree vlan 1 priority 4096

Why this answer

By setting the STP priority to 4096 for VLAN 1, SW1 has a lower priority than the default, making it the root bridge for that VLAN.

Exam trap

The exam may test your ability to recall the exact command syntax for setting STP priority. Remember that 'spanning-tree vlan <vlan> priority <value>' sets the priority directly, while 'root primary' is a macro that sets it to 24576. Always check the exact value required.

Why the other options are wrong

B

The 'root primary' macro sets priority to 24576, not 4096.

C

A priority of 32768 is the default, so it does not guarantee root bridge status.

D

The requirement is to set priority to exactly 4096, not 8192.

65
PBQhard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both switches. Verify that the port-channel interface is configured with VLAN 100 as an access port. Then, troubleshoot and fix the issue that prevents the EtherChannel from forming due to a mismatched speed on one of the member links. After correction, verify the EtherChannel is up with 'show etherchannel summary'.

Hints

  • Check the speed and duplex settings on all member interfaces.
  • LACP requires identical speed and duplex on all ports in the channel.
  • Use the 'speed' and 'duplex' commands under the interface to match the working member.
A.Set speed 1000 and duplex full on interface GigabitEthernet0/2 of SW1, ensuring the corresponding interface on SW2 has matching settings, then verify with 'show etherchannel summary'.
B.Change the channel-group mode to desirable on both switches and verify with 'show etherchannel summary'.
C.Remove the access VLAN configuration from the port-channel interface and configure it as a trunk port instead.
D.Configure the channel-group mode to passive on SW1 and active on SW2, then verify with 'show etherchannel summary'.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full

Why this answer

The EtherChannel fails because interface GigabitEthernet0/2 on SW1 has a mismatched speed (likely 100 Mbps) compared to the other member link (1000 Mbps). LACP requires all member ports to have identical speed and duplex. The solution is to set the speed on Gi0/2 to 1000 and duplex to full.

After correction, the port will bundle, and the port-channel will come up. Verification with 'show etherchannel summary' should show both ports as 'P' (bundled) and the port-channel as 'SU' (in use, Layer2).

Exam trap

Do not confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Also, remember that physical parameters like speed and duplex must match across all member ports; logical configurations like VLAN or trunking are separate but must also be consistent. Always verify the root cause before changing unrelated settings.

Why the other options are wrong

B

The specific factual error is that 'desirable' is a PAgP mode, not LACP. LACP uses 'active' and 'passive' modes.

C

The specific factual error is that the problem is physical (speed mismatch), not logical (VLAN/trunking). Changing the port type does not address the root cause.

D

The specific factual error is that the speed mismatch is the root cause, not the LACP mode. Even with correct modes, the EtherChannel will not form if speeds differ.

66
MCQhard

A network engineer notices that hosts on VLAN 100 (192.168.10.0/24) cannot ping the loopback interface (10.0.0.1/32) of a directly connected router R2. The engineer checks R1's routing table and sees an entry for 10.0.0.0/24 via a different next-hop, but no entry for 10.0.0.1/32. What is the most likely reason for the connectivity failure?

A.The loopback interface on R2 is administratively down.
B.R2 is advertising the loopback as a /24 network, not a /32 host route.
C.R1 has a route for 10.0.0.0/24 via a different next-hop, causing a routing loop.
D.The EIGRP metric for the /24 route is too high, so R1 prefers the connected route.
AnswerB

The loopback address 10.0.0.1/32 is typically advertised as a /32. If R2's loopback is configured with a /24 mask, it advertises 10.0.0.0/24. R1 then has a /24 route but no /32 route, so when trying to reach 10.0.0.1, the longest-prefix match fails, and the router drops the packet.

Why this answer

The issue is that R2 is advertising its loopback interface (10.0.0.1/32) as a /24 network (10.0.0.0/24) into the routing protocol. R1 receives this /24 route and installs it in its routing table, but when it tries to reach 10.0.0.1, it performs a longest-prefix match. Since R1 has a more specific /32 route for 10.0.0.1 via a different next-hop (or no /32 route at all), it does not use the /24 route to reach the loopback, causing the ping to fail.

Exam trap

Cisco often tests the concept that a routing protocol may advertise a loopback interface with a different prefix length than configured, and candidates mistakenly think the issue is a routing loop or metric problem rather than a prefix-length mismatch.

Why the other options are wrong

A

If the loopback interface were administratively down, R2 would not advertise any route for 10.0.0.0/24 via EIGRP. However, R1's routing table shows a /24 route via EIGRP, indicating the interface is up and the route is being advertised.

C

A routing loop would require packets to be forwarded back and forth between routers. In this scenario, R1 has a connected route for 10.0.0.0/24 and an EIGRP route for the same prefix, but it will use the connected route due to lower administrative distance. There is no loop because the next-hop for the connected route is directly connected, and packets are not sent to another router.

D

The EIGRP metric of 30720 is normal for a loopback route, and the connected route is preferred due to its lower administrative distance (0 vs 90), not because of a high metric. Even if the metric were lower, the connected route would still be preferred. The core issue is the missing /32 route, not the metric.

67
Multi-Selectmedium

Which four of the following are correct statements about VLAN configuration and verification on a Cisco switch? (Choose four.)

Select 3 answers
.The 'switchport mode access' command places the interface into a non-trunking mode.
.By default, all ports on a Cisco switch are in VLAN 1.
.The 'show vlan brief' command displays VLANs that are active on the switch.
.VLANs 1002–1005 are reserved for user-created VLANs.
.A VLAN must be manually created before its name can be assigned.
.The 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames.

Why this answer

The 'switchport mode access' command configures the interface as an access port, operating in non-trunking mode and carrying traffic for a single VLAN. By default, all ports on a Cisco switch are assigned to VLAN 1, which is the default and management VLAN. The 'show vlan brief' command displays all active VLANs along with their names and assigned ports.

A VLAN does not need to be manually created before its name can be assigned; you can assign a port to a new VLAN, which automatically creates it, and then enter VLAN configuration mode to set its name. The false statements are that VLANs 1002–1005 are reserved for user-created VLANs (they are legacy FDDI/Token Ring VLANs) and that the 'switchport trunk native vlan' command restricts the native VLAN to only tagged frames (native VLAN traffic is sent untagged).

Exam trap

Candidates often confuse the native VLAN as carrying tagged frames, and mistakenly believe VLANs 1002–1005 are user-configurable, when in fact they are reserved for legacy technologies.

Why the other options are wrong

D

VLANs 1002–1005 are reserved for legacy FDDI and Token Ring, not user-created VLANs.

F

The native VLAN on a trunk sends frames untagged; this command sets the native VLAN, not a tagging restriction.

68
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch. Ports G0/1 and G0/2 are connected to two PCs that should be in VLAN 10 (Sales). Port G0/3 is a trunk link to another switch. The PCs are currently unable to communicate because the ports are in VLAN 1. Configure the switch to place the ports in the correct VLAN and ensure the trunk is properly configured with 802.1Q encapsulation and native VLAN 99.

Network Topology
trunkPC1SW1 G0/1SW1 G0/2OtherSwitch

Hints

  • Check the current VLAN assignment on access ports.
  • The trunk encapsulation must be set to dot1q for 802.1Q support.
  • Native VLAN should match on both ends of the trunk.
A.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
B.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation isl and native VLAN 99.
C.Create VLAN 10, assign G0/1 and G0/2 as trunk ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 99.
D.Create VLAN 10, assign G0/1 and G0/2 as access ports in VLAN 10, configure G0/3 as trunk with encapsulation dot1q and native VLAN 1.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport access vlan 10
interface GigabitEthernet0/2
switchport access vlan 10
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 99

Why this answer

VLAN 10 must be created and the access ports must be explicitly set to access mode with 'switchport mode access' before assigning them to VLAN 10. Assigning the access ports to VLAN 10 places the PCs in the correct broadcast domain. The trunk needed explicit 802.1Q encapsulation and a native VLAN change to 99 for security and consistency.

Exam trap

Be careful to distinguish between access and trunk ports: access ports belong to a single VLAN for end devices, while trunk ports carry multiple VLANs between switches. Also, remember that 802.1Q is the standard trunking protocol, and native VLAN should be changed from default 1 for security.

Why the other options are wrong

B

The specific factual error is that ISL is a legacy Cisco proprietary trunking protocol, and modern switches default to 802.1Q. The question specifies 802.1Q encapsulation.

C

The specific factual error is that ports connected to end devices (PCs) should be access ports, not trunk ports. Trunk ports are used for inter-switch links.

D

The specific factual error is that the native VLAN must be explicitly set to 99. Native VLAN 1 is the default and is often targeted in VLAN hopping attacks.

69
MCQhard

A technician is troubleshooting a network issue where hosts in VLAN 20 on SW1 cannot communicate with hosts in VLAN 20 on SW2. Both switches are connected by an Ethernet trunk link that is up/up and configured as a trunk. The VLAN databases on both switches include VLAN 20, and the spanning tree for VLAN 20 is in a forwarding state on all ports. Hosts within VLAN 20 on each switch can communicate with each other locally. What is the most likely cause?

A.The native VLAN is mismatched on the two ends of the trunk.
B.VLAN 20 has not been created in the VLAN database on SW2.
C.The trunk encapsulation is mismatched between SW1 and SW2.
D.VLAN 20 is not in the switchport trunk allowed VLAN list on the trunk port between SW1 and SW2.
AnswerD

When a trunk port’s allowed VLAN list explicitly excludes a VLAN, the switch drops all frames tagged for that VLAN, even though the VLAN exists locally and the trunk is active. This results in the described symptom of local intra-VLAN communication working but no cross-switch communication for VLAN 20.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk port between SW1 and SW2. Even though the trunk is up/up and VLAN 20 exists in the VLAN database, the switchport trunk allowed vlan command restricts which VLANs can traverse the trunk. If VLAN 20 is omitted from this list, frames from VLAN 20 will be dropped at the trunk, preventing inter-switch communication for that VLAN.

Exam trap

Cisco often tests the distinction between VLAN existence in the database and VLAN permission on a trunk; candidates mistakenly think that if a VLAN is created and spanning tree is forwarding, it must work, but the trunk allowed list is an independent filter that can block traffic.

Why the other options are wrong

A

Candidates may think that a native VLAN mismatch breaks all trunk functions.

B

Candidates may assume that a missing VLAN on one switch explains inter-switch failures, ignoring that local communication would also fail.

C

Candidates might overlook that the trunk link is operational, which implies matching encapsulation.

70
MCQhard

A network technician is troubleshooting an inter-VLAN routing issue on a multilayer switch. Hosts on VLAN 10 can reach the SVI for VLAN 10 (10.0.10.1) but cannot reach hosts on VLAN 20. The technician has verified that 'ip routing' is enabled and that the 'show ip route' command displays directly connected routes for both VLANs. No static routes are configured. What should the technician do next?

A.Check the ARP table for entries on VLAN 20.
B.Issue the 'show ip routing' command again to confirm routing is enabled.
C.Configure a default route pointing to the next-hop gateway.
D.Verify the VLAN membership of the destination host on VLAN 20.
AnswerA

The Layer 3 routing table is correct; the problem is likely that the switch lacks a Layer 2 MAC address for the destination host on VLAN 20. Examining the ARP cache will confirm whether the switch can map the destination IP to a MAC address, and if not, will show that ARP resolution is failing, which explains the connectivity break.

Why this answer

Because the switch has directly connected routes for both VLANs and routing is enabled, the Layer 3 forwarding logic is intact. The failure from VLAN 10 hosts to VLAN 20 hosts suggests that the switch cannot resolve the destination host's MAC address on VLAN 20, preventing Layer 2 frame encapsulation. Checking the ARP table with 'show ip arp' or similar will reveal whether the destination IPv4 address has a valid MAC entry on the correct VLAN interface.

This targets Layer 2—the most likely remaining failure point after Layer 3 has been verified.

Exam trap

Verifying the VLAN membership of the destination host (Option D) — candidates may assume the destination host is simply on the wrong VLAN, but the scenario explicitly states that the unreachable hosts are on VLAN 20, and Layer 3 connectivity is confirmed up to the SVI. The more efficient and targeted next step is to check the ARP resolution on that VLAN, which directly addresses the encapsulation failure.

Why the other options are wrong

B

This option revisits a step already completed and verified, making it redundant. Candidates might think double-checking routing is safe, but the scenario explicitly states routing is working as expected.

C

Some candidates might believe inter-VLAN communication requires a default route, but directly connected routes already provide full reachability without static routing. This action is overly drastic and misdirected.

D

Candidates often jump to VLAN misconfigurations when inter-VLAN communication fails, even when routing is confirmed. The scenario already establishes the VLAN 20 host's location; the next logical layer to inspect is ARP resolution.

71
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity to devices in VLAN 10 on a Layer 3 switch. The administrator issues the show ip interface brief command on SW1 and sees the output displayed. What is the most likely reason that the VLAN 10 SVI is not functioning?

A.No active ports are assigned to VLAN 10.
B.The VLAN 10 SVI has been administratively shut down.
C.The IP address configured on the VLAN 10 SVI is incorrect for the subnet.
D.The switch ports assigned to VLAN 10 are all configured as trunk ports.
AnswerA

The SVI Status and Protocol are both 'down'. This occurs when the VLAN has no active member ports, which prevents the SVI from transitioning to up/up.

Why this answer

The exhibit shows the VLAN 10 SVI with Status 'down' and Protocol 'down'. In a Cisco Layer 3 switch, an SVI will only be up/up if the VLAN exists in the VLAN database and at least one active port (access or trunk) belongs to that VLAN and is in the Spanning Tree forwarding state. Since other SVIs (Vlan1, Vlan20) and physical interfaces are up/up, the most likely cause is that no ports are actively assigned to VLAN 10, leaving the VLAN inactive.

Exam trap

Many candidates mistakenly associate a 'down/down' status with an administratively shut down interface, but that condition would display 'administratively down' in the Status field, not simply 'down'.

Why the other options are wrong

B

Candidates often confuse 'down' with 'administratively down', assuming any disabled interface will show 'down'. They need to distinguish the two statuses.

C

Some candidates think a misconfigured IP address can cause an interface to be down, but status does not reflect IP configuration.

D

A common misunderstanding is that trunk ports do not make a VLAN active; in reality, a trunk carrying VLAN 10 can activate the SVI as long as the trunk is up/up and the VLAN is not pruned.

72
MCQmedium

A switch interface connected to another switch must carry VLANs 10, 20, and 30 only. Which command best enforces that requirement on the trunk?

A.switchport trunk allowed vlan 10,20,30
B.switchport access vlan 10,20,30
C.switchport mode dynamic auto
D.switchport trunk native vlan 10,20,30
AnswerA

This is correct because it explicitly restricts the trunk to VLANs 10, 20, and 30.

Why this answer

The correct command is the one that explicitly sets the allowed VLAN list on the trunk. In plain language, the administrator wants the inter-switch link to carry only the named VLANs instead of every VLAN by default. Cisco trunks can transport multiple VLANs, but that does not mean every VLAN should always be permitted. Restricting the allowed list supports cleaner design and helps reduce unnecessary VLAN transport.

This is a common CCNA switching task because it distinguishes between creating a trunk and controlling what the trunk actually carries. Simply enabling trunking is not enough when the requirement names exact VLANs. The answer must directly restrict the allowed list rather than change the native VLAN or apply an unrelated access-port command.

Exam trap

A common exam trap is selecting commands that do not correctly restrict VLANs on a trunk. For example, using 'switchport access vlan 10,20,30' is invalid because access ports support only one VLAN. Another trap is confusing the native VLAN setting with allowed VLANs; 'switchport trunk native vlan' only defines the untagged VLAN and does not filter VLANs.

Also, relying on dynamic trunk negotiation commands like 'switchport mode dynamic auto' does not restrict VLANs and can lead to trunks carrying all VLANs by default. These mistakes cause VLAN traffic to flow where it shouldn’t, violating design requirements.

Why the other options are wrong

B

Incorrect because 'switchport access vlan' applies only to access ports and cannot specify multiple VLANs; it does not configure trunk VLANs.

C

Incorrect because 'switchport mode dynamic auto' controls trunk negotiation but does not limit which VLANs are allowed on the trunk.

D

Incorrect because 'switchport trunk native vlan' sets only one native VLAN for untagged traffic and does not restrict the allowed VLAN list.

73
MCQhard

A network administrator is troubleshooting connectivity issues in a switched network. Hosts on VLAN 10 connected to SwitchC cannot reach the VLAN 10 gateway, which is connected to SwitchA. The administrator checks the STP status on SwitchC and sees that the port connecting to the root bridge is in a blocking state. The administrator also notices that the VLAN 10 gateway is reachable from SwitchA, but not from SwitchC. What is the most likely cause of this issue?

A.Configure PortFast on interface Gi0/2 to bring it up immediately.
B.Change the STP priority on SwitchC to a lower value (e.g., 24576) to ensure it is not the root bridge.
C.Enable BPDU Guard on interface Gi0/2 to prevent BPDU attacks.
D.Configure the spanning-tree mode to PVST+ instead of Rapid PVST+.
AnswerB

By setting the priority to 24576, SwitchC's bridge ID becomes 24586 (24576+10), which is lower than the current root's 32778. This will cause SwitchC to become the root bridge if that is the intent, or by setting it to a higher priority (like 40960) it would lose the election. However, the correct action is to make SwitchC's priority higher (numerically lower) to correct the misconfiguration. In this case, the intended root (SwitchA) should have a lower priority, or SwitchC should have a higher priority (e.g., 32768) to not be root. Actually, the correct answer is to adjust the priority so that SwitchC is not root. Setting it to 24576 would make it root, which might be the desired outcome if SwitchA is misconfigured. But given the symptom, the most direct fix is to ensure the correct root bridge has the lowest priority. The exhibit shows SwitchC's priority is 40960, which is too high, so lowering it to a value less than the current root (32768) would make it root, but that might not be the intended design. The typical fix is to set the priority on the desired root switch to a lower value. However, since the question asks for the most likely cause, the answer is to correct the priority on SwitchC to match the intended root. Given the options, B is correct because it addresses the priority misconfiguration.

Why this answer

The root bridge for VLAN 10 is SwitchA, and SwitchC's port to the root bridge is in a blocking state due to STP. Since the VLAN 10 gateway is reachable from SwitchA but not from SwitchC, the issue is that SwitchC is not the root bridge and its path to the root is blocked, preventing traffic from reaching the gateway. Lowering the STP priority on SwitchC to 24576 would make it the root bridge for VLAN 10, ensuring its port to the gateway is in a forwarding state and restoring connectivity.

Exam trap

Cisco often tests the misconception that a blocked port is always a problem to be fixed with PortFast or BPDU Guard, when the real issue is STP root bridge election and the need to adjust priority to ensure the correct switch becomes root for that VLAN.

Why the other options are wrong

A

PortFast is used to bypass the listening and learning states on access ports, but it does not resolve the root bridge election issue. The port is blocking due to STP topology inconsistency, not because of slow convergence.

C

BPDU Guard is used to protect against unauthorized switches by disabling a port if a BPDU is received, but it does not fix the root bridge election issue. The port is blocking due to STP, not due to BPDU violations.

D

Both PVST+ and Rapid PVST+ use the same bridge ID election process. Changing the mode would not resolve the priority misconfiguration; the root bridge election is based on bridge priority and MAC address, not the STP variant.

74
MCQhard

A network administrator recently configured BPDU Guard on all access ports of a switch to protect against rogue switches. After the change, users in VLAN 10 report intermittent connectivity issues and frequent link flaps. The administrator checks the switch and notices that several ports are in an err-disabled state. What is the most likely cause of the problem?

A.Root Guard is preventing the port from becoming a root port.
B.BPDU Guard is enabled on access ports that are receiving BPDUs, causing the ports to go into err-disabled state.
C.Loop Guard has detected a unidirectional link and placed the port into err-disabled state.
D.BPDU Guard is globally enabled but not configured on the interface, so the port is err-disabled due to a BPDU received.
AnswerB

BPDU Guard is designed to work with PortFast; if enabled on non-PortFast ports, any BPDU received will err-disable the port.

Why this answer

BPDU Guard is configured to protect against rogue switches by placing a port into an err-disabled state upon receiving a BPDU. In this scenario, BPDU Guard is enabled on access ports that are receiving BPDUs (possibly from a rogue switch or misconfiguration), causing the ports to err-disable and flap. PortFast is not required for BPDU Guard to function; the issue is that BPDUs are being received on ports that are not expected to receive them.

The intermittent connectivity occurs as ports cycle into err-disabled and are re-enabled.

Exam trap

A common mistake is believing BPDU Guard requires PortFast to function; in reality, BPDU Guard can be enabled per-interface without PortFast and will err-disable the port when a BPDU is received.

Why the other options are wrong

A

Root Guard prevents a port from becoming a root port by placing it in a root-inconsistent state, not err-disabled. It does not cause link flaps or err-disable ports.

C

Loop Guard prevents alternate or root ports from becoming designated in the absence of BPDUs, but it does not err-disable ports. It places ports in a loop-inconsistent state, which is not err-disabled.

D

The global 'spanning-tree portfast bpduguard default' command only applies BPDU Guard to PortFast-enabled ports. If a port receives a BPDU and is not PortFast, it will not be err-disabled by this global command. The scenario states BPDU Guard was configured on all access ports, implying interface-level configuration.

75
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch with two ports (G0/1 and G0/2) connected to a host. The host should be able to send and receive traffic on VLAN 10 and VLAN 20. Configure the two ports as a trunk link to the host, but ensure that the trunk only carries VLANs 10 and 20, and set the native VLAN to VLAN 99.

Network Topology
G0/1, G0/2HostSW1

Hints

  • Use the 'switchport trunk allowed vlan' command to restrict which VLANs are carried.
  • The native VLAN must match on both ends of the trunk.
A.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 99
B.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10-20 switchport trunk native vlan 99
C.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport native vlan 99
D.interface range gigabitethernet0/1-2 switchport mode trunk switchport trunk allowed vlan 10,20 switchport trunk native vlan 1
AnswerA
solution
! SW1
interface gigabitethernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99
interface gigabitethernet0/2
switchport mode trunk
switchport trunk allowed vlan 10,20
switchport trunk native vlan 99

Why this answer

Configuring the ports as trunks allows multiple VLANs. The 'allowed vlan' command restricts the trunk to only VLANs 10 and 20, while 'native vlan 99' sets the untagged VLAN to 99, ensuring proper tagging and avoiding VLAN mismatch.

Exam trap

Watch out for the difference between 'switchport trunk allowed vlan 10,20' (list) and 'switchport trunk allowed vlan 10-20' (range). Also, remember that on a trunk port, the native VLAN command must include the 'trunk' keyword: 'switchport trunk native vlan'. Finally, always verify that the native VLAN is set to the required value, not left at the default.

Why the other options are wrong

B

The specific factual error is using a range (10-20) instead of a list (10,20), which includes unintended VLANs.

C

The specific factual error is omitting the 'trunk' keyword in the native VLAN command, which is required for trunk ports.

D

The specific factual error is setting the native VLAN to 1 instead of 99, which does not meet the requirement.

Page 1 of 4 · 278 questions totalNext →

Ready to test yourself?

Try a timed practice session using only VLAN questions.