CCNA VLAN Questions

75 of 278 questions · Page 2/4 · VLAN topic · Answers revealed

76
PBQhard

You are troubleshooting a PC connected to switch SW1. The PC cannot access the internet. SW1 is connected to router R1 via port G0/1. R1 provides default gateway and DHCP services. Analyze the provided show output and fix the connectivity issue so that the PC can ping 8.8.8.8. === Show output from R1 === <pre> R1# show ip interface brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 unassigned YES manual administratively down down GigabitEthernet0/1 10.0.0.1 YES NVRAM up up </pre> === Show output from PC === <pre> C:\> ipconfig Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . : 169.254.123.45 Subnet Mask . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . : </pre> === Show output from SW1 === <pre> SW1# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1, Gi0/2, Gi0/3 </pre>

Network Topology
G0/1G0/2G0/1G0/0SW1PC1R1

Hints

  • Check if R1's interface connected to SW1 has an IP address.
  • The DHCP pool expects the default gateway to be on the same subnet as the clients.
  • APIPA address means the PC did not receive a DHCP offer.
A.Configure R1's interface G0/0 with IP address 192.168.1.1/24 and ensure the interface is not administratively down.
B.Change the VLAN on SW1's port G0/2 to VLAN 10 and configure R1's subinterface G0/0.10 with IP 192.168.1.1/24.
C.Enable DHCP snooping on SW1 and configure the port G0/2 as a trusted port.
D.Configure a static IP address of 192.168.1.10/24 on the PC with default gateway 192.168.1.1.
AnswerA
solution
! R1
interface gigabitethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown

Why this answer

The PC's APIPA address (169.254.x.x) indicates DHCP failure. The router's DHCP pool is correctly configured and has a lease, but the show output reveals that R1's interface G0/0 is administratively down and has no IP address. Without a working IP on G0/0, the router cannot serve DHCP or route traffic for VLAN 1, even though both the PC and the router are in the same VLAN.

Option A fixes the root cause by assigning the correct subnet IP and bringing the interface up. Option B is incorrect because moving the PC to a different VLAN or creating subinterfaces does nothing to enable the router's physical interface where DHCP and routing must run. Option C is wrong because DHCP snooping or trust configurations are irrelevant when the router's own interface is down/unaddressed.

Option D is a workaround that only masks the problem; the scenario requires a working DHCP service, and a static IP would not restore the intended design.

Exam trap

This question tests your ability to identify that a router interface must have an IP address in the client subnet for DHCP to work, even if the DHCP pool is correctly configured. Many candidates focus on VLANs or DHCP server settings but overlook the basic requirement of an IP address on the router interface.

Why the other options are wrong

B

Changing VLANs or using subinterfaces does not solve the problem because the router's physical interface must be up and have an IP address to serve the VLAN.

C

Enabling DHCP snooping or trust settings on the switch cannot fix a router interface that is administratively down and unassigned.

D

Assigning a static IP to the PC circumvents but does not resolve the root issue of the router's interface being down, and the scenario requires DHCP.

77
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a router-on-a-stick topology for inter-VLAN routing between VLANs 10 and 20, using 802.1Q trunking with native VLAN 99 for management traffic.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
6Step 6

Why this order

The sequence follows Cisco's best practices: VLANs are created first, then access ports are assigned to them. The switch trunk is configured with 802.1Q encapsulation and the native VLAN set to 99 before the router end. On the router, the physical interface must be enabled before subinterfaces can operate.

The native VLAN subinterface is created first to handle untagged frames, then the data VLAN subinterfaces are configured. This order avoids errors such as missing VLANs, incorrect encapsulation, and physical link down state.

78
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). Port G0/1 is connected to a sales PC, and port G0/2 is connected to an engineering PC. You need to ensure that each PC is in the correct VLAN. However, the sales PC is currently unable to ping the engineering PC because they are in different VLANs. You have a router R1 connected to SW1 via port G0/3. Configure inter-VLAN routing using Router-on-a-Stick on R1, and ensure SW1's port G0/3 is properly configured as a trunk.

Network Topology
G0/1G0/1G0/3G0/3G0/0G0/2SW1PC1VLAN 10R1PC2VLAN 20

Hints

  • Router-on-a-Stick uses subinterfaces on the router with 802.1Q encapsulation.
  • The switch port connected to the router must be configured as a trunk to carry multiple VLANs.
  • Each subinterface must have an IP address in the respective VLAN's subnet.
A.Configure subinterfaces on R1 with encapsulation dot1Q and assign IP addresses in VLAN 10 and VLAN 20. Configure SW1 interface G0/3 as a trunk port.
B.Configure a routed port on SW1 G0/3 and assign an IP address. Then configure static routes on R1 to reach each VLAN.
C.Configure SW1 interface G0/3 as an access port in VLAN 10. Then configure R1 with a single IP address in VLAN 10 and enable proxy ARP.
D.Configure SW1 interface G0/3 as a trunk port. Then configure R1 with a single IP address on the physical interface and enable VLAN routing using the 'vlan' command.
AnswerA
solution
! R1
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0
no shutdown

! SW1
interface GigabitEthernet0/3
switchport mode trunk

Why this answer

Router-on-a-Stick allows a single router interface to route between VLANs by using subinterfaces with 802.1Q encapsulation. The switch port must be a trunk to carry the tagged frames. This configuration enables communication between VLAN 10 and VLAN 20.

Exam trap

The key trap is that candidates often forget to configure the switch port as a trunk, or they try to use a routed port on a Layer 2 switch. Also, some may think that a single IP address on the router's physical interface is sufficient, but subinterfaces are mandatory for Router-on-a-Stick.

Why the other options are wrong

B

Layer 2 switches do not support routed ports; they only support switchport mode access or trunk.

C

An access port cannot carry multiple VLANs; a trunk is required for Router-on-a-Stick.

D

Router-on-a-Stick requires subinterfaces; a single IP address on the physical interface only handles one VLAN. The 'vlan' command is not used on routers for inter-VLAN routing.

79
PBQmedium

You are connected to SW1 via the console. SW1 is a multilayer switch with SVIs for VLANs 10 (192.168.10.1/24) and 20 (192.168.20.1/24). Hosts in VLAN 10 can ping their default gateway (192.168.10.1), but cannot ping hosts in VLAN 20. You suspect IP routing is not enabled or the SVIs are not up.

Hints

  • Check if IP routing is enabled globally.
  • Verify that the SVIs are up/up.
  • Use ping with source to test connectivity between VLANs.
A.Enable IP routing on SW1 with the 'ip routing' global configuration command.
B.Configure a trunk port between SW1 and an external router, then enable routing on the router.
C.Ensure the SVIs are not shut down and have the 'no shutdown' command applied.
D.Add a static route on SW1 pointing to the VLAN 20 subnet via the VLAN 10 SVI.
AnswerA
solution
! SW1
ip routing

Why this answer

A multilayer switch requires 'ip routing' to forward packets between VLANs. Without it, the switch acts as a Layer 2 device. Enabling IP routing allows the SVIs to route traffic between VLANs.

The verification commands confirm routing is active and SVIs are operational.

Exam trap

The trap is that candidates may focus on interface status or static routes, overlooking the fundamental requirement of 'ip routing' on a multilayer switch. Remember that SVIs can be up and pingable, but without IP routing enabled, the switch cannot forward packets between VLANs.

Why the other options are wrong

B

The specific factual error is that the question states SW1 is a multilayer switch with SVIs, so it can route internally without an external router. The issue is that IP routing is not enabled on the switch itself.

C

The specific factual error is that the SVIs are already up (hosts can ping the gateway), so 'no shutdown' is not the missing step. The problem is at Layer 3 routing, not Layer 2/3 interface status.

D

The specific factual error is that directly connected networks do not require static routes; the switch automatically installs them when the SVI is up. The problem is that 'ip routing' is not enabled, so the switch does not use these routes for forwarding.

80
MCQhard

In a network running STP, SW2 became the root bridge for VLAN 10. Both SW1 and SW2 have the same bridge priority. Why did SW2 become the root?

A.Because SW2 has the lower bridge ID due to the lower MAC address.
B.Because SW2 has the higher VLAN number configured.
C.Because SW2 has more trunk ports than SW1.
D.Because SW2 has the highest bridge priority.
AnswerA

This is correct because the priorities are equal, so the lower MAC address wins the root election.

Why this answer

SW2 became the root bridge because its bridge ID is lower. In practical terms, spanning tree elects the root bridge by comparing bridge IDs, which are based on priority plus MAC address. The device with the lowest bridge ID wins. In the exhibit, both switches use the same priority, so the tie is broken by the lower MAC address.

This is a classic STP interpretation question. Many learners focus only on priority, but if priorities match, the MAC address becomes decisive.

Exam trap

Remember, in STP, lower values are preferred. If priorities match, the MAC address decides the root bridge.

Why the other options are wrong

B

The VLAN number is not a factor in the STP root bridge election. The election is based solely on bridge ID, which consists of bridge priority and MAC address.

C

The number of trunk ports does not affect the root bridge election. STP uses bridge ID (priority and MAC address) to determine the root bridge, not port count or type.

D

The root bridge is elected based on the lowest bridge ID, not the highest. A higher bridge priority (numerically larger) makes a switch less likely to become root.

81
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a VLAN 10 subnet and enable DHCP relay for a remote client on VLAN 20.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence is to globally exclude IP addresses first, preventing the DHCP server from assigning reserved addresses. Then define the DHCP pool for VLAN 10 with network parameters, enable DHCP relay on the VLAN 20 interface so it forwards requests to the server, and finally verify the service is functioning. Options that place relay before pool or exclusions after pool misorder these essential configuration steps and deviate from recommended practice.

Exam trap

Many learners mistakenly think DHCP relay must be enabled before pool creation or that exclusions are a sub‑mode command inside the pool; in fact, exclusions are configured globally and should be defined before the pool to avoid accidental assignment of excluded IPs.

82
MCQhard

A network engineer has enabled DHCP snooping on a Catalyst switch to prevent rogue DHCP servers. All access ports in VLAN 10 are untrusted. A router attached to a trunk port on the switch acts as the default gateway for VLAN 10 and is configured with the ip helper-address 10.1.2.5, which points to a remote DHCP server. After enabling DHCP snooping, hosts in VLAN 10 cannot obtain IP addresses; packet captures show DHCPDISCOVER messages are sent, but no DHCPOFFER is received. What is the most likely cause?

A.The router's ip helper-address command is pointing to an incorrect DHCP server IP address.
B.The switch port connecting to the router is not configured as a trusted port for DHCP snooping.
C.The DHCP server is on a different subnet, so the switch needs a switched virtual interface (SVI) in VLAN 10 with an IP address for Layer 3 connectivity.
D.DHCP snooping is dropping DHCPDISCOVER messages because the client access ports are untrusted.
AnswerB

DHCP snooping trusts only designated ports to forward DHCP server messages. Since the router relays the DHCPOFFER onto the trunk port, an untrusted port will cause the switch to discard the offer, resulting in DHCP failure.

Why this answer

DHCP snooping treats all ports as untrusted by default. When a router acting as a DHCP relay is connected to an untrusted trunk port, the switch drops DHCPOFFER messages received from the router because they originate from an untrusted interface. Configuring the trunk port as trusted allows DHCP server responses (OFFER, ACK) to pass through to clients.

Exam trap

Cisco often tests the distinction that DHCP snooping blocks DHCP server messages (OFFER/ACK/NAK) on untrusted ports, not client messages (DISCOVER/REQUEST), leading candidates to incorrectly assume client messages are dropped.

Why the other options are wrong

A

This distractor exploits the common tendency to blame the helper address configuration first, overlooking the security feature that silently drops the returning DHCPOFFER.

C

This plays on the misconception that a switch requires an IP address on the client VLAN to facilitate DHCP, when in fact the router acting as the relay agent provides Layer 3 connectivity.

D

This misinterprets DHCP snooping behavior: it assumes all DHCP traffic is filtered on untrusted ports, overlooking the critical distinction that only server-side messages are blocked, not client requests.

83
PBQhard

You are troubleshooting a PC (PC-A) connected to switch SW1, which is connected to router R1. PC-A has an APIPA address (169.254.23.45) and cannot reach the internet (203.0.113.1). You confirm that R1 has a correctly configured DHCP pool for the 192.168.10.0/24 subnet, but the DHCP service is not enabled. The network uses VLAN 10 with subnet 192.168.10.0/24. Verify and correct the configuration on PC-A, SW1, and R1 to restore full connectivity.

Network Topology
G0/0/0192.168.10.1/24G0/0/0192.168.10.1/24203.0.113.1PC-ASW1R1Internet

Hints

  • Check if the DHCP server process is running on R1.
  • APIPA addresses (169.254.x.x) indicate DHCP failure.
  • The DHCP pool is configured but not yet active.
A.Enable the DHCP service on R1 with the 'service dhcp' command.
B.Configure a default gateway on PC-A with the IP address 192.168.10.1.
C.Change the VLAN on SW1's interface connected to PC-A from VLAN 10 to VLAN 1.
D.Add the 'ip helper-address' command on R1's interface connected to SW1.
AnswerA
solution
! R1
service dhcp

! SW1


! PC-A

Why this answer

The APIPA address (169.254.x.x) indicates that PC-A failed to obtain a DHCP lease. The correct solution is to enable the DHCP service on R1 with 'service dhcp', which is not running despite the configured pool. Option B is incorrect because setting a default gateway on PC-A with a static IP would still require a valid address in the subnet; the APIPA address cannot communicate with 192.168.10.1.

Option C is wrong because the PC-A interface on SW1 is correctly assigned to VLAN 10. Option D is unnecessary since R1 is directly connected to the same subnet, so 'ip helper-address' is only used to forward DHCP broadcasts across router boundaries.

Exam trap

Do not assume that configuring a DHCP pool is sufficient; the DHCP service must be explicitly enabled with 'service dhcp'. Also, remember that APIPA addresses indicate DHCP failure, not just a missing gateway.

Why the other options are wrong

B

The PC's APIPA address cannot reach the 192.168.10.1 gateway because it is not in the same subnet, so configuring a default gateway alone does not restore connectivity.

C

Changing the VLAN to VLAN 1 would isolate PC-A from the correct subnet (VLAN 10), breaking connectivity instead of fixing it.

D

The 'ip helper-address' command is used on interfaces that need to forward DHCP broadcasts to a remote DHCP server; here R1 itself is the DHCP server and is directly attached, so the command is not needed.

84
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on the designated port facing a downstream switch to prevent a rogue switch from becoming root. Also, enable Loop Guard on the uplink port to prevent STP loops, and configure BPDU Guard on a PortFast-enabled access port. Ensure that if a superior BPDU is received on the Root Guard port, it is blocked, and if a BPDU is received on the BPDU Guard port, it goes err-disabled.

Network Topology
G0/010.0.0.1/30G0/010.0.0.2/30trunkG0/1192.168.10.1/24R2R1access vlan 10SW2PC

Hints

  • Root Guard is applied on designated ports to block superior BPDUs.
  • Loop Guard is applied on root or alternate ports to prevent loops if BPDUs stop.
  • BPDU Guard with PortFast err-disables the port upon receiving any BPDU.
A.The configuration is correct; no changes are needed.
B.Root Guard should be applied on G0/0 instead of G0/1, and Loop Guard on G0/1 instead of G0/0.
C.BPDU Guard should be configured on G0/1 instead of G0/2, and Loop Guard should be removed from G0/0.
D.Root Guard should be applied on G0/2 instead of G0/1, and BPDU Guard should be removed from G0/2.
AnswerA
solution
! R1

Why this answer

R1 is the STP root for VLAN 10. The downstream port (G0/1) is a designated port, so Root Guard is correctly applied to prevent a superior BPDU from being accepted. The uplink port (G0/0) is a root port, so Loop Guard should be applied there to prevent an STP loop if BPDUs stop arriving.

The access port (G0/2) has PortFast and BPDU Guard enabled, which will err-disable the port if a BPDU is received. The current configuration is correct; no changes are needed. If a superior BPDU arrives on G0/1, Root Guard will block the port.

If a BPDU arrives on G0/2, BPDU Guard will err-disable it.

Exam trap

The trap is that candidates may think changes are needed because they misapply STP protections to the wrong port types. Remember: Root Guard on designated ports, Loop Guard on root/alternate ports, BPDU Guard on PortFast access ports.

Why the other options are wrong

B

Root Guard is only effective on designated ports; applying it to a root port would not prevent a rogue switch from becoming root. Loop Guard on a designated port is unnecessary and could cause false positives.

C

BPDU Guard on a trunk port would err-disable it upon receiving a BPDU, which is normal for trunk ports. Loop Guard on the root port is essential for loop prevention; removing it would leave the network vulnerable.

D

Root Guard on an access port would block the port if a superior BPDU is received, but access ports should not receive BPDUs if PortFast is enabled. BPDU Guard already handles that by err-disabling the port.

85
PBQhard

You are connected to a multilayer switch MLS1 via the console. Configure MLS1 so that IP phones connected to interface GigabitEthernet0/1 receive power via PoE, use VLAN 10 for data traffic, and use VLAN 20 for voice traffic, while the access port for an AP on GigabitEthernet0/2 should be placed in VLAN 30 and have PoE disabled. Verify your configuration using appropriate show commands.

Hints

  • Voice VLAN is configured with a separate command from the access VLAN.
  • PoE can be disabled per interface using 'power inline never'.
  • Use 'show interfaces switchport' to see both voice and access VLAN assignments.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 20 switchport voice vlan 10 power inline auto ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline never
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never ! interface GigabitEthernet0/2 switchport mode access switchport access vlan 30 power inline auto
AnswerA
solution
! MLS1
interface GigabitEthernet0/1
switchport voice vlan 20
power inline auto
interface GigabitEthernet0/2
switchport access vlan 30
power inline never

Why this answer

For the IP phone port (G0/1), you need to enable PoE (power inline auto) and configure the voice VLAN (switchport voice vlan 20) so that the phone uses VLAN 20 for voice and the access VLAN 10 for data. For the AP port (G0/2), you must change the access VLAN to 30 and disable PoE (power inline never) to prevent powering the AP through the switch. Verify with 'show interfaces switchport' to confirm voice VLAN and access VLAN settings, and 'show power inline' to check PoE status.

Exam trap

A common trap is confusing the voice VLAN command with trunking or swapping the access and voice VLANs. Also, remember that IP phones require PoE, while the AP in this scenario does not. Always verify with show commands.

Why the other options are wrong

B

The specific factual error is that IP phones typically use an access port with a voice VLAN, not a trunk port. Trunking is unnecessary and can cause compatibility issues.

C

The specific factual error is confusing the access VLAN and voice VLAN assignments. The voice VLAN is configured with 'switchport voice vlan', and the access VLAN with 'switchport access vlan'.

D

The specific factual error is reversing the PoE settings: 'power inline never' on the phone port and 'power inline auto' on the AP port.

86
MCQhard

A network engineer has implemented DHCP snooping on a Cisco switch to prevent unauthorized DHCP servers. The switch's VLAN 100 SVI is configured with ip helper-address to relay DHCP requests to a legitimate server in VLAN 200. Clients in VLAN 100 cannot obtain IP leases, even though the DHCP server is reachable from the switch and has available addresses.

A.The ip helper-address command has been incorrectly applied to VLAN 100 instead of VLAN 200.
B.The switch port that connects to the DHCP server's VLAN is not configured as a trusted DHCP snooping port.
C.DHCP snooping must be disabled globally because it conflicts with the configured DHCP relay agent.
D.The DHCP server lacks a valid default gateway, preventing replies from reaching the relay agent's SVI subnet.
AnswerB

DHCP snooping classifies ports as trusted or untrusted. Server-originated DHCP messages (Offer/ACK) are only allowed on trusted ports. The server's response comes from VLAN 200, so the interface facing that server must be trusted.

Why this answer

DHCP snooping treats all switch ports as untrusted by default, which blocks DHCP server messages (OFFER, ACK) from entering the switch. Even though the switch itself can reach the DHCP server, the relayed reply from the server arrives on a port that is not trusted, so DHCP snooping drops the packet before it can be forwarded to the client. Configuring the port connecting to the DHCP server as a trusted port allows the server's responses to pass through the switch, resolving the issue.

Exam trap

Cisco often tests the interaction between DHCP snooping and DHCP relay, where candidates mistakenly think the relay bypasses snooping or that the issue is with the helper-address configuration, rather than the untrusted port blocking the server's unicast reply.

Why the other options are wrong

A

Many engineers mistakenly think the helper should reside on the server VLAN; however, it must reside on the client-facing L3 interface.

C

A common misconception is that DHCP relay bypasses snooping, but snooping still inspects the server's unicast response and drops it unless the ingress port is trusted.

D

Candidates often suspect routing issues, but verified reachability eliminates this. The problem lies in the snooping policy, not IP connectivity.

87
MCQmedium

A switch stack is running PVST+. Users on VLAN 40 lose connectivity for roughly 30 seconds every time the uplink on SW2 flaps. Based on the exhibit, which change would most directly improve convergence for this VLAN?

A.Configure spanning-tree mode rapid-pvst.
B.Increase the bridge priority on SW2 for VLAN 40.
C.Disable PortFast on all access ports.
D.Convert the uplink to a routed port.
AnswerA

Rapid PVST+ is the direct fix for slow STP convergence in this case.

Why this answer

The output shows VLAN 40 is still using the legacy IEEE STP process, which converges much more slowly than Rapid PVST+. Moving the switch to rapid-pvst mode gives VLAN 40 the faster proposal/agreement behavior that typically cuts convergence time from tens of seconds to a few seconds.

Exam trap

A frequent exam trap is selecting options that change the root bridge election or port roles, such as increasing bridge priority, assuming this will speed up convergence. While root bridge placement affects path selection, it does not reduce the inherent delay caused by legacy STP timers. Another trap is disabling PortFast on access ports, which only affects edge port transitions and does not influence uplink link flap recovery times.

Additionally, converting uplinks to routed ports changes the network design and removes STP from those ports, which is not the intended solution for VLAN-specific STP convergence delays. The key mistake is confusing topology optimization with protocol speed improvements.

Why the other options are wrong

B

Increasing bridge priority changes root bridge election but does not speed up the STP convergence process, so it does not resolve the 30-second connectivity loss.

C

Disabling PortFast affects only edge ports and does not influence the convergence time of uplink ports or VLANs experiencing link flaps.

D

Converting the uplink to a routed port removes it from STP but alters network design and does not specifically improve VLAN 40’s STP convergence speed.

88
MCQhard

A network engineer receives a call that users in VLAN 10 on Switch B cannot ping the default gateway, which is a router on a stick connected to Switch A. The engineer checks the Spanning Tree Protocol state on the interface connecting Switch A to Switch B (GigabitEthernet0/1) and finds it is in a root-inconsistent state. Which command output best explains the cause of the issue?

A.The interface is in err-disable state due to BPDU guard.
B.Root guard is enabled and the port received a superior BPDU, causing it to become root-inconsistent.
C.Loop guard is enabled and the port is in a blocking state due to missing BPDUs.
D.The port is in a forwarding state but the VLAN is misconfigured.
AnswerB

Root guard on the interface caused the port to be placed in root-inconsistent state when a superior BPDU was received, blocking the port.

Why this answer

Root guard, when enabled on a port, places that port into a root-inconsistent blocking state if it receives a superior BPDU, preventing the switch from becoming the root bridge. This root-inconsistent state stops forwarding traffic, which explains why users in VLAN 10 cannot reach the default gateway. The port remains physically up but is blocked by spanning tree, so normal interface status would not show a down state, making the root-inconsistent state the key indicator.

Exam trap

Candidates often confuse root guard with BPDU guard: BPDU guard err-disables a port upon receiving any BPDU on a PortFast port, while root guard responds to superior BPDUs by placing the port in root-inconsistent state, not err-disable.

Why the other options are wrong

A

BPDU guard causes an err-disable state, which would show the interface as down or err-disabled, not as root-inconsistent.

C

Loop guard places a port into loop-inconsistent blocking state when BPDUs stop being received, not when a superior BPDU is received.

D

A forwarding state would allow traffic; the problem here is that the port is in a blocked state due to root guard, not a misconfigured VLAN.

89
PBQhard

You are connected to R1. Configure HSRP so that R1 becomes the active router for VLAN 10, with a virtual IP of 192.168.10.1. Ensure that R1 preempts if it comes back online after a failure. Also, configure R1 to decrement its HSRP priority by 20 if its GigabitEthernet0/1 interface goes down. The current configuration shows both routers as active — identify and fix the issues.

Network Topology
Gi0/0.10192.168.10.3/24Gi0/0.10192.168.10.2/24switchR1R2

Hints

  • Both routers show Active because they have equal priority and no preempt.
  • The virtual IP configured is 192.168.10.254 but the task requires 192.168.10.1.
  • To ensure R1 is active, set its priority higher than R2's default (100) and enable preempt.
A.Change the virtual IP to 192.168.10.1, set priority to 110, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
B.Change the virtual IP to 192.168.10.1, set priority to 100, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
C.Change the virtual IP to 192.168.10.254, set priority to 110, enable preempt, and track interface GigabitEthernet0/1 with decrement 20.
D.Change the virtual IP to 192.168.10.1, set priority to 110, enable preempt, but do not track any interface.
AnswerA
solution
! R1
interface GigabitEthernet0/0.10
standby 10 ip 192.168.10.1
standby 10 priority 110
standby 10 preempt
standby 10 track GigabitEthernet0/1 20

Why this answer

The scenario indicates both routers appear as Active, which is abnormal. This could result from a misconfigured virtual IP or group number mismatch. The required fix is to set the virtual IP to 192.168.10.1, assign R1 a higher priority (110 vs R2's default 100), enable preempt so R1 reclaims active role after failure, and track GigabitEthernet0/1 with a decrement of 20 to lower priority if that interface goes down.

Exam trap

Watch for three common mistakes: (1) forgetting to set a higher priority to win the election, (2) using the wrong virtual IP address, and (3) omitting the track command when required. Also note that preempt alone does not guarantee active status if priorities are equal.

Why the other options are wrong

B

HSRP election uses priority as the primary tie-breaker; equal priority leads to comparison of primary IP addresses, which may not favor R1.

C

The virtual IP address must be consistent across all HSRP routers and match the configured gateway; a mismatch prevents proper operation.

D

Without tracking, R1's priority remains unchanged even if the uplink fails, so R1 would remain active despite losing connectivity, causing traffic black-holing.

90
Drag & Dropmedium

Drag and drop the following steps into the correct order (recommended best-practice workflow) to configure VLANs, assign access ports, enable 802.1Q trunking, set the native VLAN, and verify the configuration on a Cisco switch running IOS-XE.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First, create VLANs globally so they exist in the VLAN database. Next, assign access ports to the desired VLANs, ensuring end‑device connectivity is established locally. Then configure trunking on the appropriate interfaces, including setting the native VLAN; doing trunking after access port assignment prevents accidental VLAN propagation across the trunk before all access ports are correctly placed.

Verification is always the final step to confirm the entire configuration. Option D (VLAN creation → trunking → access ports → verify) is technically functional but violates the best‑practice order because trunking should be configured only after access ports are assigned to avoid potential topology issues.

Exam trap

Do not confuse the order of operations: VLANs must exist before ports can be assigned. Also, trunking is configured on specific interfaces, not globally, and should be done after access ports are set. Verification is always the final step.

91
Drag & Dropmedium

Drag and drop the following steps into the correct order to create VLANs, assign access ports, configure 802.1Q trunks, set the native VLAN, and verify with 'show vlan brief' and 'show interfaces trunk'.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

VLANs must be created before assigning ports; trunking is configured after access ports; verification is the final step.

Exam trap

Do not confuse the order of VLAN creation and port assignment. VLANs must be created before ports can be assigned to them. Also, native VLAN configuration is part of trunk configuration and should be done after trunk mode is set.

92
MCQmedium

A switch displays the following output: Interface Status VLAN Gi1/0/5 connected 20 Gi1/0/6 notconnect 1 Gi1/0/24 trunk trunk Which interface is operating as an access port in VLAN 20?

A.Gi1/0/5
B.Gi1/0/6
C.Gi1/0/24
D.None of the interfaces
AnswerA

Correct. It is connected and assigned to VLAN 20.

Why this answer

The output explicitly shows Gi1/0/5 in VLAN 20 and not operating as a trunk.

Exam trap

Be careful not to confuse trunk ports with access ports or assume interfaces not shown in the output are relevant.

Why the other options are wrong

B

Gi1/0/6 is an access port in VLAN 1 (the default VLAN), not VLAN 20. The question specifically asks for an interface operating as an access port in VLAN 20, so this option is incorrect.

C

Gi1/0/24 is configured as a trunk port, which carries traffic for multiple VLANs and is not an access port. Access ports belong to a single VLAN, so this option is incorrect.

D

Gi1/0/5 is clearly an access port in VLAN 20, so there is an interface that matches the description. Therefore, 'None of the interfaces' is incorrect.

93
MCQhard

A network engineer notices that users on VLAN 100 are experiencing intermittent connectivity to the server farm. The switch connecting these users shows no errors on the uplink interface, but the server farm switch reports a high number of input errors on its connected interface. The engineer runs 'show controllers' on the server farm switch. What is the most likely cause of the issue?

A.The interface is configured with the wrong duplex setting.
B.The SFP module is faulty or incompatible with the cable type.
C.The cable is too long, causing attenuation.
D.Auto-negotiation is disabled, causing a speed mismatch.
AnswerB

The 'show controllers' output shows the media type as 1000BaseSX SFP with auto-negotiation off, but the interface is reporting no errors. However, the other switch sees input errors. This points to a hardware issue with the SFP, such as a faulty module or a mismatch between the SFP and the fiber cable (e.g., using a single-mode SFP with multi-mode fiber).

Why this answer

The 'show controllers' command on the server farm switch reveals physical-layer issues such as framing errors, CRC errors, or alignment errors, which are often caused by faulty or incompatible SFP modules. Since the uplink interface on the user switch shows no errors, the problem is isolated to the server farm switch's interface, and a faulty SFP can introduce signal degradation or electrical issues without necessarily causing complete link failure. Option B is correct because SFP incompatibility or defects commonly produce input errors at the physical layer, even when the link appears up.

Exam trap

Cisco often tests the distinction between 'show interfaces' (which shows input errors but not the specific physical-layer cause) and 'show controllers' (which reveals the exact physical-layer errors), leading candidates to mistakenly choose duplex mismatch or cable length issues without recognizing that the command output points to SFP or transceiver problems.

Why the other options are wrong

A

The 'show controllers' output confirms Full-duplex on both ends, so a duplex mismatch is not the cause. Duplex mismatch would typically cause collisions or CRC errors, which are not indicated here.

C

While excessive cable length can cause attenuation and errors, the 'show controllers' output does not show specific error counters like symbol errors or FCS errors that would indicate attenuation. The link is up and no errors are reported on this switch, making cable length an unlikely cause.

D

Speed is set to 1000 Mbps on both ends, and auto-negotiation is off, which is normal for fiber connections. A speed mismatch would prevent the link from coming up or cause constant errors, but the link is up and no errors are reported on this switch.

94
Multi-Selectmedium

Which three of the following are required to implement inter-VLAN routing on a Cisco switch using a router-on-a-stick configuration? (Choose three.)

Select 3 answers
.A trunk link between the switch and the router, carrying multiple VLANs.
.Subinterfaces on the router, each configured with an IP address in the respective VLAN subnet.
.The switchport mode trunk command on the switch port connecting to the router.
.A separate physical router interface for each VLAN.
.IP routing enabled on the switch.
.A Layer 3 switch with routed ports.

Why this answer

In a router-on-a-stick configuration, inter-VLAN routing is achieved by connecting a single router to a switch via a trunk link. The trunk carries multiple VLANs (using 802.1Q tagging), and the router uses subinterfaces—each configured with an IP address in the respective VLAN subnet—to route traffic between VLANs. The switch port connecting to the router must be configured as a trunk (e.g., with the `switchport mode trunk` command) to allow all VLAN traffic to reach the router.

Exam trap

Cisco often tests the distinction between router-on-a-stick (which requires a trunk and subinterfaces on an external router) and inter-VLAN routing using a Layer 3 switch (which requires IP routing enabled on the switch and SVIs), leading candidates to incorrectly select options that apply to the Layer 3 switch method.

95
Multi-Selecthard

A trunk link between two switches is up, but hosts in VLAN 30 on opposite switches cannot communicate. VLAN 10 works across the same trunk. Which two causes are the most likely?

Select 2 answers
A.VLAN 30 is not allowed on the trunk on one side
B.VLAN 30 may not exist in the VLAN database on the affected switch
C.The trunk native VLAN should always be 30
D.PortFast must be disabled on the access ports in VLAN 30
AnswersA, B

If the VLAN is missing from the allowed list on one side, traffic for that VLAN will not traverse the link.

Why this answer

When one VLAN fails but others work across the same trunk, the problem is likely VLAN-specific. VLAN 30 may not exist on one switch or may not be allowed on the trunk. Option C is incorrect because the native VLAN does not need to be 30; a native VLAN mismatch would typically cause connectivity issues on all VLANs, not just VLAN 30.

Option D is incorrect because PortFast only affects the speed at which an access port enters the forwarding state and does not impact communication across an already-up trunk.

Exam trap

Don't assume trunk issues affect all VLANs equally; check for VLAN-specific settings.

Why the other options are wrong

C

The native VLAN is used for untagged traffic on a trunk and is typically VLAN 1 by default. It has no bearing on whether a specific tagged VLAN like VLAN 30 is carried; the allowed VLAN list controls that.

D

PortFast is a feature that speeds up the transition of an access port to the forwarding state, bypassing STP listening/learning. It does not affect trunk operation or whether a VLAN is carried on a trunk.

96
Multi-Selectmedium

Which three options are valid steps for configuring a router-on-a-stick inter-VLAN routing setup? (Choose three.)

Select 3 answers
.Create subinterfaces on the router for each VLAN.
.Assign an IP address to each subinterface that matches the VLAN’s default gateway.
.Enable IP routing on the router with the 'ip routing' command.
.Configure the switch ports that connect to the router as access ports in a single VLAN.
.Set the native VLAN on the trunk to match the management VLAN on the switch.
.Use the 'switchport mode access' command on the router-facing switch port.

Why this answer

In a router-on-a-stick configuration, the router uses subinterfaces to connect to multiple VLANs over a single physical interface. Each subinterface must be assigned an IP address that serves as the default gateway for its respective VLAN, and the router must have IP routing enabled (via the 'ip routing' command) to forward traffic between these subinterfaces. The three incorrect options fail because: configuring switch ports as access ports in a single VLAN would restrict connectivity to only that VLAN, breaking inter-VLAN routing; setting the native VLAN on the trunk to match the management VLAN is not required and is unrelated to router-on-a-stick functionality; and using 'switchport mode access' on the router-facing switch port would turn the link into a non-trunk access link, preventing multiple VLANs from reaching the router.

Exam trap

Cisco often tests the requirement to explicitly enable IP routing with the 'ip routing' command, as it is disabled by default on some router platforms, leading candidates to assume routing is automatically active.

97
MCQhard

A switch port is configured with `switchport voice vlan 150` and `switchport access vlan 20`. Which statement best explains the design purpose?

A.It separates voice and data traffic on the same edge port by assigning them to different VLANs.
B.It turns the port into a routed WAN interface.
C.It forces the phone to use CAPWAP before receiving power.
D.It makes VLAN 150 the native VLAN on all trunks automatically.
AnswerA

This is correct because that is the classic voice-VLAN access-port design.

Why this answer

The design purpose is to let the switch support a phone and an attached workstation on the same physical access port while placing their traffic into different VLANs. In practical terms, the phone can use the voice VLAN while the user's data traffic uses the access VLAN. This is a common enterprise edge design for IP telephony.

The key idea is role separation on one port, not trunking the port as a normal inter-switch link.

Exam trap

Avoid confusing voice VLAN configurations with trunking or prioritization settings.

Why the other options are wrong

B

The commands `switchport voice vlan 150` and `switchport access vlan 20` are used on a Layer 2 switch port, not a routed interface. A routed WAN interface would require `no switchport` and an IP address configuration, which is not present here.

C

CAPWAP (Control and Provisioning of Wireless Access Points) is a protocol used for wireless LAN controller and access point communication, not for voice VLAN configuration. The voice VLAN feature is unrelated to CAPWAP.

D

The `switchport voice vlan` command only affects the specific access port where it is configured, not all trunk ports. The native VLAN on trunks is configured separately with `switchport trunk native vlan`.

98
PBQhard

You are connected to R1. The network consists of R1, a router, and SW1, a Layer 2 switch. VLANs 10 (192.168.10.0/24) and 20 (192.168.20.0/24) are configured on SW1 with hosts in each VLAN. R1 must perform inter-VLAN routing using a router-on-a-stick configuration on interface G0/0. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20. Configure R1 and identify and resolve the issue.

Hints

  • Check if IP routing is enabled globally on the router.
  • Ensure the physical interface is not administratively down.
  • Verify that the subinterface encapsulation matches the VLANs on the switch.
A.Enable IP routing on R1 with the 'ip routing' global configuration command.
B.Configure the physical interface G0/0 with an IP address and enable trunking with 'switchport mode trunk'.
C.Ensure the trunk between R1 and SW1 is configured with 'switchport trunk allowed vlan 10,20' on SW1.
D.Add the 'no shutdown' command on R1's subinterfaces G0/0.10 and G0/0.20.
AnswerA
solution
! R1
configure terminal
ip routing
interface GigabitEthernet0/0
no shutdown

Why this answer

The problem is that R1 is missing the 'ip routing' command, which is required to enable IP routing on a router. Without it, R1 cannot forward packets between the subinterfaces. Additionally, the trunk between R1 and SW1 may not be operational because R1's physical interface G0/0 has no IP address and is not set to trunk mode (though subinterfaces handle encapsulation).

The solution is to enable IP routing globally and ensure the physical interface is up (no shutdown).

Exam trap

Do not assume that a router automatically routes between its interfaces; the 'ip routing' command must be explicitly enabled. Also, remember that subinterfaces do not have their own shutdown state.

Why the other options are wrong

B

Assigning an IP to the physical interface would prevent subinterfaces from working, and 'switchport mode trunk' is invalid on a router interface.

C

The problem is specifically that R1 cannot route between VLANs due to missing 'ip routing', not a trunk pruning issue.

D

Subinterfaces cannot be individually shut down; the physical interface controls the link state.

99
PBQhard

You are connected to R1. The network uses OSPF between R1 and R2. Configure an extended ACL on R1 so that hosts in VLAN 10 (192.168.10.0/24) can reach the web server at 203.0.113.100 only via HTTP/HTTPS, and hosts in VLAN 20 (192.168.20.0/24) can reach it via any TCP service except HTTP/HTTPS. All other traffic to the server must be denied. Apply the ACL outbound on the interface facing the server. Currently, the ACL is missing the permit for VLAN 20 traffic, causing connectivity loss.

Network Topology
G0/0192.0.2.1/30G0/0192.0.2.2/30linkG0/1203.0.113.1/24203.0.113.100/24linkR2R1Web Server

Hints

  • The current ACL blocks HTTP/HTTPS from all sources, but VLAN 20 should be allowed to use those ports.
  • Use the 'range' keyword to permit a contiguous set of ports for VLAN 20, excluding ports 80 and 443.
  • Remember to deny all other traffic to the server after the permits.
A.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 79, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 81 442, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 444 65535, then deny ip any any
B.Add a permit statement for VLAN 20 before the deny statements: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
C.Remove the two deny statements and add: permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443
D.Add a deny statement for VLAN 20 HTTP/HTTPS before the existing permit statements: deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq www, deny tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 eq 443, then add a permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.100 range 1 65535
AnswerA
solution
! R1
configure terminal
no ip access-list extended BLOCK_HTTP
ip access-list extended BLOCK_HTTP
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 80
permit tcp 192.168.10.0 0.0.0.255 203.0.113.100 0.0.0.0 eq 443
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 1 79
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 81 442
permit tcp 192.168.20.0 0.0.0.255 203.0.113.100 0.0.0.0 range 444 65535
deny ip any 203.0.113.100 0.0.0.0
end
clear access-list counters BLOCK_HTTP

Why this answer

The ACL BLOCK_HTTP is applied inbound on G0/0, which is the interface toward the server. The first two deny statements incorrectly block HTTP/HTTPS from any source, including VLAN 20 which should be allowed. The correct approach is to permit HTTP/HTTPS only for VLAN 10, and permit all other TCP services (except HTTP/HTTPS) for VLAN 20, then deny all other traffic.

The solution removes the overly broad deny statements and adds specific permits for VLAN 20 to reach the server on any TCP port except 80 and 443, followed by an explicit deny ip any any to enforce the implicit deny.

Exam trap

The trap is that the existing deny statements for HTTP/HTTPS are too broad; they block VLAN 20's required access. Candidates might think they need to add permits before the denies, but they must also ensure the permits for VLAN 20 exclude HTTP/HTTPS. Another trap is forgetting to add an explicit deny at the end, though the implicit deny exists, the question explicitly states 'All other traffic to the server must be denied' so an explicit deny is good practice.

Why the other options are wrong

B

The specific factual error is that the permit statement does not exclude ports 80 and 443. It allows all TCP ports, which is too permissive.

C

The specific factual error is that the permit statements allow the very ports that should be denied for VLAN 20. This misinterprets the requirement.

D

The specific factual error is that the permit statement is too broad and overrides the deny statements. The correct approach is to permit only non-HTTP/HTTPS ports, not all ports.

100
PBQhard

You are connected to the console of switch SW1. A user on VLAN 10 reports they cannot reach the internet (203.0.113.1). The switch is configured as a Layer 3 switch with SVIs. Identify and correct the misconfiguration that prevents the user's default gateway from functioning. The user's PC has IP address 192.168.10.50/24 and uses 192.168.10.1 as its default gateway.

Network Topology
192.168.10.50/24198.51.100.1198.51.100.1203.0.113.1PCSW1R1Internet

Hints

  • Check the SVI configuration for any 'no' commands that might affect ARP behavior.
  • The switch has a default route, but the client may not be able to resolve the gateway MAC address.
  • Proxy ARP is disabled on the SVI; re-enable it.
A.The SVI for VLAN 10 has 'no ip proxy-arp' configured, and there is no default route on the switch.
B.The SVI for VLAN 10 has the wrong IP address configured; it should be 192.168.10.254 instead of 192.168.10.1.
C.The switch has a default route pointing to 203.0.113.1, but the SVI for VLAN 10 is missing the 'ip helper-address' command.
D.The VLAN 10 interface is administratively down, and the switch needs to be reloaded to apply the configuration.
AnswerA
solution
! SW1
interface Vlan10
ip proxy-arp

Why this answer

The switch's SVI for VLAN 10 has the correct IP address (192.168.10.1) and will always respond to ARP requests for that address regardless of the proxy‑arp setting. The real problem is the absence of a default route, so the switch cannot forward traffic destined for the Internet (203.0.113.1). Option A correctly points to the missing default route as the root cause; the 'no ip proxy-arp' line is present but irrelevant to the SVI's own ARP behavior.

The solution is to configure a default route toward the next‑hop router (198.51.100.1).

Exam trap

Candidates often assume that an SVI needs proxy ARP enabled to answer ARP for its own IP address, overlooking that a Layer 3 switch always responds to ARP requests for its interface addresses. The more critical oversight is forgetting that a Layer 3 switch, like a router, requires a default route to reach external networks.

Why the other options are wrong

B

The specific factual error is that the SVI IP must match the default gateway configured on the client; changing it to a different address would not fix the issue.

C

The specific factual error is confusing DHCP relay with routing; 'ip helper-address' does not affect the default gateway's ability to forward traffic.

D

The specific factual error is that an administratively down interface would cause complete loss of connectivity, not just internet access, and reloading is not a standard troubleshooting step for configuration issues.

101
Matchingmedium

Match each wireless or edge-switch concept on the left to the description on the right that best fits it. Not all descriptions will be used. Concepts: • SSID • CAPWAP • Voice VLANPortFast Descriptions: A. Name of the wireless LAN shown to clients B. Communication relationship between lightweight APs and controller C. Separates phone traffic from ordinary data on an edge port D. Allows an endpoint-facing switchport to move quickly toward forwarding E. Delivers power to devices over Ethernet (PoE) F. Authenticates users before granting network access (802.1X) G. Aggregates multiple physical links for increased bandwidth (LACP/EtherChannel)

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Name of the wireless LAN shown to clients

Communication relationship between lightweight APs and controller

Separates phone traffic from ordinary data on an edge port

Allows an endpoint-facing switchport to move quickly toward forwarding

Why these pairings

SSID is the service set identifier, the human-readable name broadcast by access points so clients can identify the WLAN. CAPWAP (Control and Provisioning of Wireless Access Points) defines the split-MAC architecture and communication between lightweight APs and a wireless LAN controller. Voice VLAN is an access port feature that dynamically assigns IP phone traffic to a separate VLAN, isolating it from data traffic.

PortFast is a spanning-tree enhancement that bypasses listening and learning states on access ports to allow immediate forwarding, preventing connectivity delays for endpoints. Distractor E refers to Power over Ethernet, not a wireless or edge-switch naming concept; F describes 802.1X authentication, not a WLAN name or AP-controller protocol; G refers to link aggregation, not a VLAN or spanning-tree feature.

Exam trap

Do not confuse Voice VLAN with a trunk port that carries multiple VLANs — Voice VLAN actually uses the access port in conjunction with a voice VLAN ID, and PortFast is often mistaken for disabling spanning tree entirely rather than accelerating convergence.

102
MCQhard

A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, which are connected via four GigabitEthernet links configured as an LACP EtherChannel. Hosts on VLAN 10 connected to SW1 can ping the management IP of SW2, but cannot reach hosts on VLAN 10 connected to SW2. The engineer runs a show command on SW1. What is the most likely cause of the problem?

A.The interface Gi0/0/3 is in err-disabled state due to a spanning-tree BPDU guard violation.
B.The interface Gi0/0/3 has a different LACP port priority or is configured with 'channel-group 1 mode passive' while the other ports use 'active'.
C.The port-channel interface is down (not in use), causing all member ports to be stand-alone.
D.The switch is running out of MAC addresses for the EtherChannel, so one port cannot be added.
AnswerB

A mismatch in LACP mode (active vs. passive) or port priority can cause a port to remain in stand-alone mode. The 'I' flag indicates the port is not negotiating LACP successfully.

Why this answer

The issue is that hosts on VLAN 10 can ping the management IP of SW2 but cannot reach other hosts on the same VLAN. This indicates Layer 2 connectivity is broken for data traffic, while Layer 3 (management) traffic works. Since the EtherChannel uses LACP, if one member port (Gi0/0/3) has a different LACP port priority or is in 'passive' mode while others are 'active', LACP negotiation will fail on that link, causing it to be excluded from the channel.

The remaining three ports may still form the EtherChannel, but the missing link can cause load-balancing issues or, more critically, if the channel requires all four links for STP to forward traffic on VLAN 10, the VLAN may be blocked or the port-channel may not pass data correctly for that VLAN.

Exam trap

Cisco often tests the distinction between Layer 3 reachability (management IP) and Layer 2 data-plane issues, leading candidates to focus on STP or err-disabled states instead of LACP negotiation mismatches that cause partial channel membership.

Why the other options are wrong

A

The 'I' flag in the show command output indicates the port is in stand-alone mode, not err-disabled. An err-disabled interface would show as 'err-disabled' or have a 'D' flag, and BPDU guard violation would cause the port to be in err-disabled state, not stand-alone.

C

The show command output shows the port-channel interface as 'SU' (Layer2, in use), meaning it is operational. If the port-channel were down, all member ports would be affected, not just one. The issue is isolated to a single member port.

D

EtherChannel does not have a MAC address limit; each physical port retains its own MAC address. LACP can bundle up to 16 ports (8 active) without any MAC address exhaustion issue. This is not a realistic failure scenario.

103
PBQhard

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to SW2 via three links (G0/1, G0/2, G0/3) that should form an EtherChannel using LACP. Currently, the interfaces are configured as access ports in VLAN 1. Configure the three interfaces as a LACP EtherChannel trunk that carries VLANs 1-100, and ensure the port-channel interface is operational.

Network Topology
G0/1G0/1linksSW1SW2

Hints

  • Create the port-channel interface first, then assign physical ports with 'channel-group'.
  • Use 'mode active' for LACP.
A.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode active switchport mode trunk
B.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode passive switchport mode trunk
C.interface port-channel 1 switchport mode access switchport access vlan 1 interface range g0/1-3 channel-group 1 mode active switchport mode trunk
D.interface port-channel 1 switchport mode trunk switchport trunk allowed vlan 1-100 interface range g0/1-3 channel-group 1 mode on switchport mode trunk
AnswerA
solution
! SW1
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1-100
interface gigabitethernet0/1
channel-group 1 mode active
interface gigabitethernet0/2
channel-group 1 mode active
interface gigabitethernet0/3
channel-group 1 mode active

Why this answer

The port-channel interface is created and configured as a trunk with allowed VLANs. Physical interfaces are assigned to the channel-group with LACP active mode, which negotiates the EtherChannel with the peer. The trunk is then operational for VLANs 1-100.

Exam trap

Remember that LACP requires at least one side to be in active mode to initiate negotiation. Also, the port-channel interface configuration must match the physical interfaces' switchport mode. Do not confuse 'mode on' (static) with LACP modes.

Why the other options are wrong

B

The specific factual error: LACP passive mode does not initiate negotiation; it only responds. For the EtherChannel to form, at least one side must be active.

C

The specific factual error: The port-channel interface and physical interfaces must have consistent switchport mode configuration. Here, the port-channel is access while physical are trunk, causing a mismatch.

D

The specific factual error: 'channel-group mode on' creates a static EtherChannel without LACP. The question requires LACP, so this does not meet the requirement.

104
PBQhard

You are connected to WLC-1 via the management interface (192.168.1.100/24). The wireless network 'CustomerNet' uses WPA3-Personal, but clients are failing to associate. The SSID is hidden and the correct VLAN is 30. Configure the WLAN and SSID parameters to allow successful client associations and verify the configuration.

Network Topology
Cisco APWLC-1Clients

Hints

  • Remember to create the interface before assigning it to the WLAN.
  • WPA3-Personal uses a pre-shared key (PSK) but the command is 'security wpa3'.
  • The SSID broadcast must be enabled ('broadcast-ssid enable') for clients to discover it.
A.Create a new interface 'vlan30' with VLAN 30, then create a new WLAN with SSID 'CustomerNet', set security to WPA3-Personal, enable SSID broadcast, and assign the 'vlan30' interface.
B.Modify the existing GuestNet WLAN: change security to WPA3-Personal, enable SSID broadcast, and change the interface to 'guest' (VLAN 20).
C.Create a new WLAN with SSID 'CustomerNet', set security to WPA2-PSK, enable SSID broadcast, and assign the 'guest' interface (VLAN 20).
D.Modify the GuestNet WLAN: change security to WPA3-Personal, keep SSID broadcast disabled, and change the interface to a new interface mapped to VLAN 30.
AnswerA
solution
! WLC-1
config terminal
interface customer
vlan 30
ip address 192.168.30.1 255.255.255.0
exit
wlan 3
ssid CustomerNet
broadcast-ssid enable
security wpa3
security wpa akm psk set-key ascii 0 CiscoSecure123
interface customer
no shutdown
end

Why this answer

The GuestNet WLAN (ID 2) currently uses WPA2 with PSK, but clients expect WPA3-Personal. Additionally, the SSID is hidden (broadcast disabled) and the interface is set to guest (VLAN 20) instead of the required VLAN 30. To fix, create a new WLAN (or modify WLAN 2) to use WPA3-Personal, enable SSID broadcast, and assign it to a new interface mapped to VLAN 30.

Configure the interface first, then apply to the WLAN.

Exam trap

A common trap is to assume that modifying the existing WLAN is sufficient, but you must also ensure the correct VLAN interface exists and is assigned. Additionally, candidates often forget that a hidden SSID must be broadcast for clients to discover it, especially when clients are failing to associate.

Why the other options are wrong

B

The specific factual error is that the interface remains set to 'guest' (VLAN 20) instead of being changed to VLAN 30 as required.

C

The specific factual errors are using WPA2-PSK (clients expect WPA3-Personal) and assigning the wrong VLAN (20 instead of 30).

D

The specific factual error is that the SSID broadcast remains disabled, which means clients cannot see the SSID and will not attempt to associate.

105
PBQhard

You are connected to R1. Configure DHCP services so that hosts on VLAN 10 (192.168.10.0/24) can obtain IP addresses from R1. Additionally, configure the switch SW1 to prevent rogue DHCP server attacks on that VLAN. The current configuration has a misconfigured helper-address and an excluded-address range that is too broad.

Network Topology
G0/0.10192.168.10.1/24SW1R1Hosts

Hints

  • The helper-address should point to the DHCP server itself, not an external address.
  • The excluded-address range is too wide; leave room for hosts to get IPs.
  • On the switch, only the port connecting to the legitimate DHCP server should be trusted.
A.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as trusted.
B.On R1, change the helper-address to 192.168.10.255 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set all ports as trusted.
C.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.254. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
D.On R1, change the helper-address to 192.168.10.1 and the excluded-address range to 192.168.10.1 192.168.10.10. On SW1, enable DHCP snooping globally and for VLAN 10, and set interface G0/1 as untrusted.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
interface GigabitEthernet0/0.10
no ip helper-address 10.0.0.2
ip helper-address 192.168.10.1
end

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
ip dhcp snooping trust
interface GigabitEthernet0/2
no ip dhcp snooping limit rate 10
ip dhcp snooping limit rate 15
end

Why this answer

The helper-address on R1's subinterface points to 10.0.0.2 instead of the DHCP server's IP (R1 itself, which is the server). The excluded-address range excludes all addresses in the subnet, preventing any host from getting an IP. The fix: change helper-address to 192.168.10.1 (loopback or interface IP of R1), and narrow the excluded range to the first 10 addresses (or just the gateway).

On SW1, enable DHCP snooping globally and for VLAN 10, and mark the port facing R1 (G0/1) as trusted; other ports should be untrusted to block rogue servers.

Exam trap

Watch out for two common traps: (1) The helper-address must be the DHCP server's unicast IP, not a broadcast address. (2) DHCP snooping trusted ports are for server connections; untrusted ports are for clients. Misplacing these will break DHCP or security.

Why the other options are wrong

B

The helper-address must be a unicast IP address of the DHCP server, not a broadcast address. Additionally, only ports connected to legitimate DHCP servers should be trusted; all other ports must be untrusted to block rogue servers.

C

The excluded-address range should only reserve a few addresses (e.g., for the gateway and static assignments), not the entire subnet. The port connected to the DHCP server must be trusted to allow DHCP server messages; untrusted ports block such messages.

D

DHCP snooping requires that ports connected to legitimate DHCP servers be configured as trusted. Untrusted ports are for client-facing ports where rogue servers might appear; they drop DHCP server messages.

106
PBQhard

You are managing a Cisco WLC (WLC-1) with IP 10.10.10.10. A wireless client reports it can see the SSID 'CorpNet' but fails to associate. The SSID is configured for WPA3, but the client only supports WPA2. Additionally, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a mismatch. Your task: reconfigure the WLAN to use WPA2-PSK with AES encryption, correct the VLAN assignment to 10, and ensure the SSID is hidden. Also, verify that management access via the WLC web UI is restricted to the 192.168.1.0/24 subnet.

Network Topology
APWLC-1Client

Hints

  • The client cannot join because WPA3 is required but the client only supports WPA2.
  • The WLAN is on VLAN 100, but the AP is on VLAN 10 — this mismatch prevents client traffic from being properly bridged.
  • Management access is open to all; restrict it to the subnet that contains your admin workstation.
A.Change security to WPA2-PSK with AES, disable PMF, map WLAN to management interface (VLAN 10), disable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
B.Change security to WPA2-PSK with TKIP, enable PMF, map WLAN to VLAN 100, enable SSID broadcast, restrict HTTP access to 192.168.1.0/24.
C.Change security to WPA3-PSK with AES, disable PMF, map WLAN to VLAN 10, disable SSID broadcast, restrict HTTP/HTTPS access to 10.10.10.0/24.
D.Change security to WPA2-PSK with AES, enable PMF, map WLAN to VLAN 10, enable SSID broadcast, restrict HTTP/HTTPS access to 192.168.1.0/24.
AnswerA
solution
! WLC-1
config wlan 1
no security wpa3
security wpa2
security wpa2 akm psk
security wpa2 encryption aes
no security wpa3 pmf
interface VLAN10
no broadcast-ssid
end
config management
management http subnet 192.168.1.0 255.255.255.0
management https subnet 192.168.1.0 255.255.255.0
end

Why this answer

The client cannot associate because the WLAN requires WPA3 (PMF required) but the client only supports WPA2. Also, the WLAN is mapped to VLAN 100, but the AP is on VLAN 10, causing a VLAN mismatch that prevents client traffic from reaching the correct subnet. The SSID is broadcast (visible), and management access is open to all subnets.

To fix: change the WLAN security to WPA2-PSK with AES, disable PMF, map the WLAN to the management interface (VLAN 10), disable SSID broadcast, and restrict HTTP/HTTPS access to subnet 192.168.1.0/24.

Exam trap

The exam trap is that candidates may overlook the VLAN mismatch or the requirement to disable PMF when switching from WPA3 to WPA2. Also, they might forget to restrict both HTTP and HTTPS, or confuse the management subnet with the WLC IP address. Always verify client capabilities and VLAN assignments.

Why the other options are wrong

B

The specific factual error: TKIP is deprecated and not used with WPA2-PSK; PMF must be disabled for WPA2-only clients; VLAN 100 is incorrect; SSID broadcast should be disabled; HTTPS access must also be restricted.

C

The specific factual error: WPA3-PSK requires PMF and is incompatible with WPA2-only clients; the allowed subnet for management is 192.168.1.0/24, not 10.10.10.0/24.

D

The specific factual error: PMF is not supported by all WPA2 clients and can cause association issues; SSID broadcast should be disabled to hide the SSID.

107
MCQhard

A network technician is troubleshooting a router-on-a-stick configuration. R1 has sub-interface G0/0.10 with encapsulation dot1q 10 and IP 192.168.10.1/24, and sub-interface G0/0.20 with encapsulation dot1q 20 and IP 192.168.20.1/24. Hosts in VLAN 10 cannot reach hosts in VLAN 20. The physical interface G0/0 is up and no shutdown. Both sub-interfaces show up/up. What should the technician do next?

A.Verify the switch port connected to R1 is configured as a trunk and allows VLANs 10 and 20.
B.Verify the encapsulation dot1Q numbers on the sub-interfaces match the VLAN assignments.
C.Verify the default gateway settings on hosts in VLANs 10 and 20.
D.Check the physical interface G0/0 for interface errors or duplex mismatches.
AnswerA

This directly addresses the most probable cause: a missing or misconfigured trunk on the switch side. Even with router sub-interfaces up/up, the link must be a trunk carrying the correct VLANs for inter-VLAN routing to function.

Why this answer

The router's sub-interfaces being 'up/up' only confirms the physical link and Layer 2 protocol (using the native VLAN untagged, often VLAN 1) are active. It does not prove that the switch port is a trunk, nor that VLANs 10 and 20 are allowed across the link. Without a properly configured trunk, tagged frames for those VLANs will not traverse.

Verifying the switch port trunk configuration and allowed VLANs is the most logical next step to resolve inter-VLAN communication at Layer 2 before investigating Layer 3 settings.

Exam trap

Verifying the default gateway on hosts (option C) – candidates often skip the trunk verification and assume the router's config is correct because the sub-interfaces are up. However, 'up/up' status does not guarantee VLAN-tagged traffic can pass; it only indicates a working physical link and protocol on the native VLAN.

Why the other options are wrong

B

Candidates may think the encapsulation numbers might be swapped, but the stem confirms they are correctly assigned to the respective VLAN IDs.

C

Many candidates jump to end-host configuration, assuming the router is fully reachable because interfaces are up/up, but the trunk is the prerequisite for any communication between VLANs.

D

Candidates might think any communication loss warrants a physical layer check, but here the symptoms point strongly toward a Layer 2 trunking issue.

108
MCQhard

An IP phone connected to switch port Gi0/4 is working and receiving calls, but the PC connected to the phone's data port cannot obtain an IP address. The technician confirms that interface Gi0/4 has switchport mode access and shows switchport access vlan 10 and switchport voice vlan 100. What should the technician do next?

A.Verify the DHCP scope for VLAN 10 on the DHCP server.
B.Verify that CDP is enabled on the IP phone.
C.Verify the QoS trust state on the switch port.
D.Verify the IP phone's passthrough mode for the PC port.
AnswerD

The IP phone acts as a switch; if the phone's PC port is not configured to pass traffic untagged on the correct VLAN (passthrough mode), the PC's frames will be dropped or placed in the wrong VLAN. Checking this setting directly addresses the path from PC to switch.

Why this answer

The switch port is correctly configured with the appropriate access VLAN (10) for data and voice VLAN (100). Since the phone itself is functional, the issue is likely in how the phone tags or forwards the PC's untagged frames. The phone's internal switch must be set to passthrough mode to bridge the PC traffic onto the access VLAN.

Verifying this setting will identify if the phone is misconfigured, causing the PC to be placed in the wrong VLAN or isolated.

Exam trap

Many candidates would verify the DHCP scope for VLAN 10, mistakenly assuming the switch configuration is sufficient and the problem is a server-side issue. However, the phone itself is a layer-2 device that must be configured to pass the PC traffic correctly, making the phone's passthrough mode the most direct next step.

Why the other options are wrong

A

Assumes the switch port configuration alone guarantees proper VLAN delivery to the PC, ignoring the phone's role as a transparent bridge.

B

Confuses the mechanism for voice VLAN assignment with the requirement for data passthrough; CDP's role is only for the phone's own voice VLAN, not for the PC's data VLAN.

C

Misapplies QoS as a potential cause for a connectivity issue; it is a quality-of-service feature and does not block DHCP or initial network access.

109
PBQhard

You are troubleshooting inter-VLAN routing on a router-on-a-stick setup. R1 is connected to SW1 via trunk port G0/0. VLANs 10, 20, and 30 exist on SW1, and R1 should route between them. Currently, hosts in VLAN 10 can communicate with VLAN 20 but cannot reach VLAN 30. Review the provided configuration and fix the issue.

Network Topology
G0/0trunkR1SW1

Hints

  • Check the VLAN ID used in the encapsulation on each subinterface.
  • Compare the subinterface VLAN ID with the actual VLAN number for that subnet.
  • Use 'show interfaces trunk' on the switch to confirm which VLANs are active.
A.Change the encapsulation on subinterface G0/0.30 to dot1Q 30 and reapply the IP address.
B.Add a subinterface for native VLAN 1 on R1 and assign an IP address.
C.Enable IP routing on R1 with the 'ip routing' command.
D.Change the allowed VLAN list on the trunk to include VLAN 30.
AnswerA
solution
! R1
interface GigabitEthernet0/0.30
no encapsulation dot1Q 100
encapsulation dot1Q 30
no ip address 192.168.30.1 255.255.255.0
ip address 192.168.30.1 255.255.255.0
end

Why this answer

The subinterface for VLAN 30 (G0/0.30) is misconfigured with encapsulation dot1Q 100 instead of dot1Q 30, so R1 cannot forward packets to VLAN 30. VLAN 20 is correctly set up, which is why VLAN 10-to-VLAN 20 pings succeed. Changing the encapsulation to dot1Q 30 and reapplying the IP address restores full inter-VLAN routing.

IP routing is enabled by default, so no additional command is needed; the native VLAN does not require a subinterface because no hosts are in that VLAN.

Exam trap

Do not confuse the subinterface number with the VLAN ID; they can be different, but the encapsulation must match the actual VLAN. Also, remember that IP routing is enabled by default on routers, and the native VLAN does not require a subinterface unless routing for that VLAN is needed.

Why the other options are wrong

B

The native VLAN is untagged on the trunk, and R1 can handle it via the physical interface if needed, but a missing subinterface for native VLAN 1 is not the cause of the issue.

C

IP routing is already enabled; the issue is a configuration error on the subinterface, not a missing global command.

D

The trunk configuration is correct; the problem is the encapsulation mismatch on the router subinterface.

110
PBQhard

You are connected via the console to SW1, a Cisco Catalyst 2960 switch. The network administrator reports that users in VLAN 10 (Sales) cannot ping the default gateway 192.168.10.1, which is on R1's GigabitEthernet0/1 interface. SW1's interface GigabitEthernet0/1 connects to R1 and is configured as an access port in VLAN 10. R1's interface GigabitEthernet0/1 is configured with IP 192.168.10.1/24 and no shutdown. However, the link between them is up but the line protocol is down on both sides.

Network Topology
G0/1G0/1linkR1SW1

Hints

  • Check the interface status on both sides for speed/duplex mismatch.
  • Use 'show interfaces' to see if there are CRC errors or runts.
  • Manually set speed and duplex to the same values on both ends.
A.Configure the switchport to use the same speed and duplex settings as the router interface.
B.Change the switchport mode to trunk to allow VLAN 10 traffic to pass to the router.
C.Assign the IP address 192.168.10.1 to the switch's VLAN 10 interface.
D.Enable CDP on both devices to verify neighbor information.
AnswerA
solution
! R1
interface GigabitEthernet0/1
duplex full
speed 100

! SW1
interface GigabitEthernet0/1
duplex full
speed 100

Why this answer

The line protocol down indicates a Layer 1 or Layer 2 issue. The switch was likely set to auto-negotiate while the router defaulted to auto, but mismatch can occur. Setting both sides to 100 Mbps full duplex resolves the issue.

Exam trap

Do not confuse 'line protocol down' with IP addressing or VLAN issues. The line protocol down is a Layer 1/2 problem, often caused by speed/duplex mismatch. Always check physical and data link layer first.

Why the other options are wrong

B

The problem is Layer 1/2, not VLAN tagging. A trunk is used when multiple VLANs need to traverse the link, but the line protocol down indicates a physical or data link issue.

C

The switch's SVI (VLAN interface) is used for management, not for routing user traffic. The problem is at Layer 1/2, not Layer 3.

D

CDP requires the line protocol to be up to exchange information. Enabling CDP does not resolve speed/duplex mismatches.

111
MCQhard

A switchport on one side of a link is configured as a trunk, but the peer side is configured as an access port. The physical link is up, but VLAN traffic behaves unexpectedly. What is the most likely cause?

A.The two ends disagree on whether the link is a trunk or an access port.
B.The switches must both use the same hostname.
C.The native VLAN must be set to 1 on both sides first.
D.The ports need OSPF enabled.
AnswerA

This is correct because trunk/access mismatch causes VLAN handling problems.

Why this answer

The most likely cause is a switchport mode mismatch. In practical terms, one side expects the link to carry multiple VLANs with tagging behavior, while the other side treats it as a normal one-VLAN endpoint-style access connection. The physical interface can still come up, but the two ends do not agree on how the traffic should be handled.

This is a classic Layer 2 troubleshooting pattern. The link may not be fully down, but the configuration disagreement causes logical forwarding problems.

Exam trap

Be cautious of assuming all VLAN issues are due to allowed lists or STP. Consider mode mismatches when the link is physically up but traffic is disrupted.

Why the other options are wrong

B

OSPF is a Layer 3 routing protocol used for exchanging routes between routers, not for resolving Layer 2 switchport mismatches. This issue is purely about trunk/access configuration, which is unrelated to OSPF.

C

While native VLAN mismatch can cause issues on a trunk link, the primary problem here is that one side is configured as access, not trunk. Even if native VLAN is set to 1 on both sides, the access port will still not process tagged frames correctly.

D

Hostnames are purely for identification and have no impact on switchport operation or VLAN tagging. The trunk/access mismatch is a Layer 2 configuration issue independent of hostnames.

112
PBQhard

You are connected to SW1. A LACP EtherChannel between SW1 and SW2 has already been configured using interfaces GigabitEthernet0/1 and GigabitEthernet0/2 with channel-group 1 mode active on both sides and assigned to VLAN 100. However, the channel is not forming because of a speed/duplex mismatch. The correct interface settings for this network are speed 1000 and duplex full. Interface GigabitEthernet0/1 is already configured with these settings. Only interface GigabitEthernet0/2 needs to be corrected. Identify the configuration change needed to resolve the mismatch and verify the EtherChannel is up with 'show etherchannel summary'.

Network Topology
Gi0/1Gi0/1EtherChannelSW1SW2

Hints

  • Check the speed and duplex settings on both member interfaces.
  • LACP requires all ports in the channel to have identical configuration.
  • Use the 'show interfaces status' command to quickly see speed/duplex mismatches.
A.Configure interface GigabitEthernet0/2 with 'speed 1000' and 'duplex full', then verify the EtherChannel is up.
B.Configure interface GigabitEthernet0/1 with 'speed 100' and 'duplex half', then verify the EtherChannel is up.
C.Configure interface GigabitEthernet0/2 with 'speed auto' and 'duplex auto', then verify the EtherChannel is up.
D.Configure interface GigabitEthernet0/2 with 'channel-group 1 mode active' and 'switchport access vlan 100', then verify the EtherChannel is up.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full
end
show etherchannel summary

Why this answer

The EtherChannel is not forming because GigabitEthernet0/2 is configured with speed 100 and duplex half, while GigabitEthernet0/1 is speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To fix this, configure GigabitEthernet0/2 with speed 1000 and duplex full, matching GigabitEthernet0/1.

After correction, the ports should bundle in Port-channel1 and show as bundled (P) in 'show etherchannel summary'.

Exam trap

The trap is that candidates may overlook the speed/duplex mismatch and focus only on the LACP mode or VLAN configuration. Always verify that all physical parameters match before troubleshooting EtherChannel formation.

Why the other options are wrong

B

The specific factual error is that the question implies the correct configuration should use speed 1000 and duplex full, not downgrade to 100/half. Also, LACP requires identical settings, but the goal is to match the higher speed.

C

The specific factual error is that auto-negotiation does not guarantee matching settings when one side is manually configured. The mismatch would persist.

D

The specific factual error is that the question explicitly states a speed/duplex mismatch prevents the channel from forming, and this option does not correct that mismatch.

113
PBQhard

You are connected to a multilayer switch SW1 via console. SW1 has an IP phone and an access point connected to interfaces GigabitEthernet0/1 and GigabitEthernet0/2 respectively. Configure the access ports so that the IP phone receives a voice VLAN (VLAN 110) and PoE priority critical, and the access point receives PoE priority high. Verify your configuration using show interfaces switchport and show power inline.

Network Topology
G0/1G0/2SW1IP PhoneAccess Point

Hints

  • Voice VLAN is configured under the access port interface with the 'switchport voice vlan' command.
  • PoE priority is set per interface using 'power inline priority'.
  • Use 'show interfaces switchport' to verify voice VLAN assignment.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline priority critical ! interface GigabitEthernet0/2 switchport mode access power inline priority high
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,110 power inline priority critical ! interface GigabitEthernet0/2 switchport mode access power inline priority high
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 110 switchport voice vlan 10 power inline priority critical ! interface GigabitEthernet0/2 switchport mode access power inline priority high
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 110 power inline priority high ! interface GigabitEthernet0/2 switchport mode access power inline priority critical
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport voice vlan 110
power inline priority critical
exit
interface GigabitEthernet0/2
power inline priority high
end

Why this answer

The IP phone requires a voice VLAN configured with the switchport voice vlan command. PoE priority is set per interface using power inline priority. For the phone, the priority is critical; for the AP, it is high.

Verification with show interfaces switchport confirms voice VLAN, and show power inline shows priority settings.

Exam trap

The exam trap is mixing up the voice VLAN and access VLAN assignments, or confusing PoE priority levels. Remember that the voice VLAN is configured with switchport voice vlan, not as the access VLAN. Also, note that IP phones typically use access ports with voice VLAN, not trunks.

PoE priority critical is reserved for critical devices like phones, while high is for other important devices like APs.

Why the other options are wrong

B

The specific factual error is using trunk mode for an IP phone port instead of access mode with voice VLAN.

C

The specific factual error is reversing the VLAN assignments: the access VLAN should be data, and the voice VLAN should be voice.

D

The specific factual error is swapping the PoE priority values: the phone should be critical, the AP high.

114
MCQhard

Refer to the exhibit. A network engineer expects SW1 to be the root bridge for VLAN 1, but the show spanning-tree vlan 1 output on SW2 shows that SW2 is the root. What is the most likely cause of this issue?

A.SW1 is configured with a priority of 32769 but has a higher MAC address than SW2.
B.Spanning tree is disabled on SW1 for VLAN 1.
C.SW1 has a bridge priority of 4096, but BPDU guard is configured on SW2's port to SW1, causing the port to be err-disabled.
D.The trunk link between SW1 and SW2 is down.
AnswerD

The missing root port and the fact that SW2 sees itself as root confirm that SW2 is not receiving any BPDUs from SW1. This is exactly the behavior when the inter-switch trunk is physically down, breaking the spanning-tree topology.

Why this answer

SW2 shows itself as the root (Root ID and Bridge ID are identical, and the text 'This bridge is the root'), and there is no root port listed. In a stable spanning-tree topology, a non-root switch must have a root port to reach the root. The absence of any root port indicates that SW2 is not receiving superior BPDUs from SW1.

The most likely cause is that the trunk link between SW1 and SW2 is down, preventing BPDU exchange.

Exam trap

Many candidates select option A because they notice both priority values are 32769 and assume a MAC-address tiebreaker makes SW2 root, but they fail to see that SW2 has no root port, which would exist if the link to SW1 were operational.

Why the other options are wrong

A

Candidates focus on the matching priority numbers and overlook the missing root port that indicates a complete loss of BPDUs.

B

Candidates may assume no BPDUs means STP is off, but the intended root designation suggests STP is on and a physical disconnect is the primary suspect.

C

Candidates recall that BPDU guard can block ports, but they fail to differentiate between a missing port due to err-disable and a missing port due to a physically down link, which looks identical in this output.

115
Drag & Dropmedium

Drag and drop the following steps into the recommended order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

Although the switch does not enforce a strict sequence for these commands, the recommended workflow for clarity and consistency is to first enter global configuration mode, then interface configuration mode, then set trunking to support multiple VLANs, assign the voice VLAN, and finally configure PoE. Option D incorrectly omits global configuration mode. Option B places PoE before trunking and voice VLAN, which is less logical.

Option C configures the voice VLAN before setting the trunk mode, which can be confusing.

Exam trap

A common trap is to think that the switch enforces a rigid order (e.g., voice VLAN requires trunk mode). In reality, all command sequences except D produce a working config, but the exam expects the most logical and recommended order: trunk, voice VLAN, then PoE.

116
PBQhard

You are connected to SW1. Two switches, SW1 and SW2, are connected via four GigabitEthernet links. Configure LACP EtherChannel between them using interfaces GigabitEthernet0/1 through GigabitEthernet0/4 on SW1. Set the channel-group mode to active on SW1. The port-channel interface must be configured as a trunk, allowing VLANs 10, 20, 30. However, the EtherChannel is not forming. The current configuration is shown below. Identify and fix the issue, then verify the EtherChannel is operational.

Network Topology
Gi0/1-4Gi0/1-44x linksSW1SW2

Hints

  • Compare the Layer 2/Layer 3 status of the port-channel interface with the member interfaces.
  • Check the 'show etherchannel summary' flags: 'SD' means Layer 3 and down; 'SU' means Layer 2 and up.
  • The port-channel interface must match the operational mode (Layer 2) of the member switchports.
A.Remove 'no switchport' and IP address from Port-channel1, then configure 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'.
B.Change the channel-group mode on the member interfaces from active to passive.
C.Add the 'switchport nonegotiate' command to the member interfaces.
D.Configure the member interfaces with 'channel-group 1 mode on' instead of active.
AnswerA
solution
! SW1
interface Port-channel1
no ip address 192.168.1.1 255.255.255.0
no no switchport
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Why this answer

The EtherChannel is not forming because the Port-channel1 interface is configured as a Layer 3 interface (no switchport, IP address), while the member interfaces are Layer 2 switchports (switchport mode trunk). This mismatch prevents the channel from bundling. To fix this, configure Port-channel1 as a Layer 2 trunk interface with the same allowed VLANs.

The solution: remove the no switchport command and the IP address, then apply switchport mode trunk and switchport trunk allowed vlan 10,20,30. After correction, the ports should bundle and the show etherchannel summary will show the ports as bundled (P) and the port-channel as Layer 2 (S).

Exam trap

The exam trap is that candidates often focus on LACP modes or trunk negotiation but overlook the Layer 2/Layer 3 mismatch between the port-channel interface and member interfaces. Always ensure the port-channel interface is configured as either Layer 2 or Layer 3 to match the member ports.

Why the other options are wrong

B

The specific factual error: The problem is a Layer 2/Layer 3 mismatch, not the LACP mode. Active mode is valid and commonly used.

C

The specific factual error: 'switchport nonegotiate' affects trunk negotiation, not EtherChannel bundling.

D

The specific factual error: The mode change does not fix the interface type mismatch; the port-channel must be Layer 2 to match the member ports.

117
MCQhard

A user on VLAN 10 reports that they cannot ping the default gateway at 192.168.10.1 from their PC with IP 192.168.10.50/24. The switch interface connecting to the PC is up/up, and the PC shows a valid IP configuration. What is the most likely cause of this connectivity failure?

A.Change the switchport mode to trunk to allow VLAN 10 traffic.
B.Configure an SVI for VLAN 10 with an IP address in the 192.168.10.0/24 subnet.
C.Change the PC's IP address to a different subnet, such as 192.168.20.0/24.
D.Recreate VLAN 10 and reassign the port to it.
AnswerB

This creates a Layer 3 interface on the switch that can serve as the default gateway for hosts in VLAN 10.

Why this answer

The PC and default gateway are on the same subnet (192.168.10.0/24), but the switch lacks a Layer 3 interface for VLAN 10. Without an SVI (Switch Virtual Interface) configured with an IP address in that subnet, the switch cannot route traffic to the gateway or respond to ARP requests from the PC, breaking connectivity even though the access port is up/up.

Exam trap

Cisco often tests the misconception that a VLAN alone provides Layer 3 connectivity, when in fact an SVI or a separate router-on-a-stick configuration is required for inter-VLAN routing and default gateway functionality.

Why the other options are wrong

A

A trunk port is used to carry multiple VLANs between switches, not to connect an end device like a PC. Configuring the switchport as trunk would break connectivity because the PC expects an access port.

C

Changing the PC's IP subnet would not resolve the issue because the PC would still need a default gateway on its new subnet. The root cause is the missing SVI on the switch, not the PC's IP address.

D

Recreating VLAN 10 and reassigning the port does not address the missing SVI. The VLAN already exists and the port is correctly assigned; the issue is at Layer 3, not Layer 2.

118
MCQmedium

A network engineer is troubleshooting a connectivity issue between two hosts on different VLANs. The engineer captures traffic on an IOS-XE router's GigabitEthernet0/1 interface using embedded packet capture (EPC). The output shows ARP requests from Host A (192.168.1.10) but no ARP replies from Host B (192.168.2.20). What is the most likely cause of this issue?

A.The router's interface is configured as an access port instead of a trunk.
B.The router's interface does not have an IP address configured in the VLAN 2 subnet.
C.Host A is in a different VLAN than the router's interface.
D.The router's interface has a duplex mismatch with the switch.
AnswerB

For inter-VLAN routing, the router must have an IP address in each VLAN's subnet to act as the default gateway and respond to ARP requests. Without an IP in VLAN 2, it cannot reply to ARP requests for 192.168.2.20.

Why this answer

The router's GigabitEthernet0/1 interface must have an IP address in the same subnet as Host B (192.168.2.20) to act as the default gateway for VLAN 2. Without an IP address in the VLAN 2 subnet, the router cannot respond to ARP requests for that subnet, so Host A's ARP requests for Host B go unanswered. This is the most likely cause because the router performs inter-VLAN routing only when it has an interface (or subinterface) with an IP address in the destination VLAN's subnet.

Exam trap

Cisco often tests the misconception that a router automatically routes between VLANs if it is connected to a switch via a trunk, but the router must have an IP address in each VLAN's subnet to respond to ARP and forward traffic.

Why the other options are wrong

A

The router's interface is a routed port, not a switchport; access/trunk concepts apply to switch interfaces. Even if it were a switch interface, the issue is about ARP replies, which require Layer 3 addressing, not trunking.

C

ARP requests are Layer 2 broadcasts; if the router's interface is in the same VLAN as Host A, it will receive the request. The problem is that the router does not reply, indicating it lacks an IP in the destination subnet.

D

Duplex mismatch causes CRC errors and collisions, but ARP requests would still be received and could be replied to. The capture shows clean ARP requests with no replies, pointing to a Layer 3 issue, not physical layer.

119
MCQhard

A switch port connected to a user PC should be placed in VLAN 20 and must not negotiate trunking. Which configuration is the most appropriate?

A.switchport mode access switchport access vlan 20
B.switchport mode trunk switchport trunk native vlan 20
C.switchport mode dynamic desirable switchport trunk allowed vlan 20
D.no switchport ip address 192.168.20.1 255.255.255.0
AnswerA

This is correct because it explicitly makes the port an access port in VLAN 20.

Why this answer

The most appropriate configuration is to force the interface into access mode and assign it to VLAN 20. In practical terms, a normal user-facing switch port is supposed to carry one VLAN only. There is no reason to rely on dynamic trunk negotiation for a desktop or laptop connection. Explicit access-port configuration is cleaner, more predictable, and safer.

This is a common switching best-practice question. The wrong answers usually leave room for unwanted trunking behavior or move the interface into a completely different role. The right answer combines the correct port role with the correct VLAN membership.

Exam trap

Avoid assuming 'auto' mode is always safe; it can lead to unintended trunking.

Why the other options are wrong

B

This configuration makes the port a trunk port, which is used to carry multiple VLANs between switches, not for a single user PC. The 'switchport trunk native vlan 20' command sets the native VLAN for untagged traffic on the trunk, but the port still actively negotiates trunking via DTP, violating the requirement to not negotiate trunking.

C

The 'switchport mode dynamic desirable' command actively attempts to form a trunk with the connected device via DTP, which contradicts the requirement to not negotiate trunking. Additionally, 'switchport trunk allowed vlan 20' only restricts which VLANs are allowed on the trunk, but the port is still in trunking mode, not an access port.

D

The 'no switchport' command converts the Layer 2 switch port into a Layer 3 routed interface, which cannot be assigned to a VLAN. This configuration is used for routing between VLANs or connecting to routers, not for connecting a user PC to a specific VLAN.

120
Drag & Dropmedium

A network engineer is configuring a new access switch that will connect to a distribution switch. The engineer must ensure that local hosts are placed in the correct VLANs before enabling trunking to the distribution switch to prevent VLAN mismatches and broadcast issues. Drag and drop the steps into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to create VLANs first, then assign access ports to those VLANs so local hosts are properly placed and operational. Only then should 802.1Q trunks be configured to extend VLANs to other switches, because trunking before access port assignment could lead to operational inconsistencies. Options B and D would require access ports before VLANs exist, and Option C configures trunks prematurely in this scenario.

Exam trap

The exam trap is that candidates may confuse the order of creating VLANs and assigning ports. Always remember that VLANs must exist before they can be used. Also, trunk configuration typically comes after access port assignment in a logical workflow, though it is not strictly required.

121
PBQhard

You are connected to the Cisco WLC (WLC-1) via its management IP 192.168.1.10. The wireless network 'CorpNet' is configured but clients cannot associate. Troubleshoot and resolve the issue: clients report 'Association failed' and the SSID is not visible in site surveys. Ensure that after your fix, the SSID is broadcast, WPA3 is used, and the WLAN is mapped to VLAN 20. Also, verify the WLC management interface is accessible over HTTPS.

Network Topology
switchWLC-1clients

Hints

  • Check if the WLAN is enabled and broadcasting the SSID.
  • Verify that the WLAN is mapped to a user VLAN, not the management interface.
  • Ensure HTTPS is enabled for web management access.
A.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
B.Enable the WLAN, set Broadcast SSID to Enabled, change the interface to the management interface, and enable the HTTPS server.
C.Enable the WLAN, keep Broadcast SSID Disabled for security, create a dynamic interface for VLAN 20 and map the WLAN to it, and enable the HTTPS server.
D.Enable the WLAN, set Broadcast SSID to Enabled, create a dynamic interface for VLAN 20 and map the WLAN to it, but leave HTTPS disabled for security.
AnswerA
solution
! WLC-1
config wlan 1 enable
config wlan 1 broadcast-ssid enable
config wlan 1 interface vlan20
config interface create vlan20 20
config interface address vlan20 192.168.20.1 255.255.255.0
config wlan 1 interface vlan20
ip http secure-server

Why this answer

The WLAN was disabled, the SSID was hidden (Broadcast SSID Disabled), and it was incorrectly mapped to the management interface instead of a user VLAN. Additionally, HTTPS access was disabled. The solution: enable the WLAN, enable SSID broadcast, change the interface to a VLAN 20 interface (e.g., create a dynamic interface 'vlan20' with VLAN 20), and enable the HTTPS server for management access.

Note: On an AireOS WLC, the correct commands use `config wlan enable <wlan_id>`, `config wlan broadcast-ssid enable <wlan_id>`, and `config network secureweb enable` for HTTPS.

Exam trap

This question tests your ability to identify multiple misconfigurations simultaneously. Common traps: confusing management interface with user VLANs, thinking hidden SSID is acceptable when broadcast is required, and overlooking the HTTPS requirement. Also, ensure you use AireOS-specific commands, not IOS commands like `ip http secure-server`.

Always verify all requirements in the question.

Why the other options are wrong

B

The specific factual error: The management interface is for WLC management traffic, not client data. Client traffic should be on a separate user VLAN.

C

The specific factual error: Broadcast SSID must be enabled for the SSID to be visible. Disabling it hides the SSID, which contradicts the requirement to make it visible.

D

The specific factual error: HTTPS must be enabled for management access. Disabling it would block HTTPS connections to the WLC.

122
MCQhard

Users in VLAN 60 on switch SW2 cannot reach the default gateway located on switch SW1. The trunk between SW1 and SW2 is operational and allows VLAN 60. What is the most likely reason for this issue?

A.VLAN 60 does not exist locally on SW2.
B.The native VLAN must be changed to 60 on both switches.
C.VLAN 60 is not allowed on the trunk link.
D.The default gateway must be configured as a loopback on SW2.
AnswerA

This is correct because trunk allowance alone is not enough if the VLAN is missing from the local switch.

Why this answer

VLAN 60 has not been created locally on SW2, even though the trunk can carry its traffic. A switch never processes VLAN traffic for a VLAN it doesn't know about; it discards tagged frames from the trunk destined for that VLAN and prevents access ports from assigning frames to it. (A) is correct. (B) is incorrect because native VLAN configuration only affects untagged frames—changing it to 60 is unnecessary for tagged VLAN 60 traffic. (C) is incorrect because the trunk is already configured to allow VLAN 60, so trunk filtering isn't the problem. (D) is incorrect because a default gateway is simply an IP address on a router or Layer 3 switch interface (like SVIs) and does not require a loopback on SW2.

Exam trap

Don't assume trunk configuration alone resolves VLAN issues; ensure VLANs exist on all relevant switches.

Why the other options are wrong

B

Native VLAN configuration does not affect tagged VLAN 60 traffic—native VLAN only matters for untagged frames.

C

The trunk is stated to allow VLAN 60, so VLAN filtering is not the problem; a student might misread the premise.

D

The default gateway resides on SW1, not SW2; configuring a loopback on SW2 does not create a gateway for VLAN 60.

123
PBQhard

You are connected to the multilayer switch MLS1 in a branch network. The DHCP server on router R1 is supposed to serve the 192.168.20.0/24 VLAN 20, but clients in VLAN 20 are not receiving IP addresses. Additionally, a rogue DHCP server has been detected on VLAN 20. Configure MLS1 to enable DHCP snooping on VLAN 20, set the trust state on the uplink port to R1, and limit the rate of DHCP packets on access ports. Then, on R1, correct the DHCP configuration so that the pool for VLAN 20 uses the correct default-router (192.168.20.1) and DNS server (8.8.8.8), and ensure that the excluded-address range is not too large (exclude only the first 10 addresses). Verify the solution.

Network Topology
G0/010.0.0.2/30G0/010.0.0.1/30linkG0/1 access VLAN 20192.168.20.0/24linkSiMLS1R1Clients

Hints

  • On MLS1, DHCP snooping must be globally enabled and then applied to VLAN 20.
  • The uplink to R1 must be trusted; access ports should have rate limiting to prevent DHCP starvation.
  • On R1, the excluded-address range was too broad; only exclude the first 10 addresses. The default-router and DNS server were incorrect.
A.On MLS1: ip dhcp snooping, ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
B.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.254, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8
C.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.10.1 dns-server 4.4.4.4
D.On MLS1: ip dhcp snooping vlan 20, interface Gig0/0 ip dhcp snooping trust, interface Gig0/1 ip dhcp snooping limit rate 10. On R1: ip dhcp excluded-address 192.168.20.1 192.168.20.10, ip dhcp pool VLAN20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 8.8.8.8, but no ip dhcp snooping enabled globally on MLS1
AnswerA
solution
! R1
configure terminal
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VLAN20_POOL
default-router 192.168.20.1
dns-server 8.8.8.8
end

! MLS1
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet0/0
ip dhcp snooping trust
exit
interface GigabitEthernet0/1
ip dhcp snooping limit rate 10
end

Why this answer

The problem had three faults: First, the DHCP pool on R1 had a wrong default-router (192.168.10.1 instead of 192.168.20.1) and an incorrect DNS server (4.4.4.4 instead of 8.8.8.8). Second, the excluded-address range was too large (excluding all addresses from .1 to .254 effectively blocked all dynamic assignments; corrected to exclude only .1 through .10). Third, DHCP snooping was disabled on MLS1, allowing a rogue DHCP server.

To enable DHCP snooping, both the global `ip dhcp snooping` command and the VLAN-specific `ip dhcp snooping vlan 20` command are required. With snooping enabled, the uplink port Gig0/0 was set as trusted and the access port Gig0/1 was configured with rate limiting to prevent DHCP starvation attacks.

Exam trap

Watch for three separate issues: DHCP pool misconfiguration (default-router, DNS, excluded range), DHCP snooping not enabled globally, and the need to set trust on the uplink. Candidates often forget the global 'ip dhcp snooping' command or misconfigure the excluded range.

Why the other options are wrong

B

The excluded-address range is too large; it should only exclude the first 10 addresses (1-10) to allow dynamic allocation from .11 onward.

C

The default-router must be the gateway for VLAN 20 (192.168.20.1), and the DNS server should be 8.8.8.8 as specified.

D

The global 'ip dhcp snooping' command is required to activate the feature; omitting it leaves DHCP snooping disabled entirely.

124
MCQhard

Two routers, R1 and R2, have been configured with HSRP for VLAN 10 to provide default gateway redundancy to hosts. The virtual IP address is 192.168.10.1. After configuration, end hosts report inconsistent connectivity to the gateway, and a failover test reveals that when the active router is shut down, connectivity is lost. The network administrator checks the HSRP status on both routers. Based on the output shown, what is the most likely cause of the redundancy failure?

A.R2 has a lower HSRP priority than R1, so it cannot become standby.
B.The HSRP group number is mismatched between R1 and R2.
C.The HSRP authentication strings do not match.
D.HSRP version 1 is used on R1 while version 2 is used on R2.
AnswerB

R1 uses group 10, while R2 uses group 20. This creates two isolated HSRP processes with no shared virtual MAC or failover capability, which directly explains the redundancy failure.

Why this answer

HSRP uses the group number to identify the virtual router instance. If the group numbers on R1 and R2 do not match, they will not form a neighbor relationship or exchange HSRP messages, so neither router will know the other exists. This prevents failover: when the active router goes down, the standby router does not take over because it never learned about the active router's state.

The output would show that each router believes it is the active router (or that no standby exists), confirming the mismatch.

Exam trap

Cisco often tests the HSRP group number mismatch as a subtle cause of redundancy failure because candidates focus on priority or authentication and overlook the fundamental requirement that the group number must be identical on all routers in the same virtual router group.

Why the other options are wrong

A

The output shows R2 is Active in its own group (20); priority only affects role election within the same group. The real problem is separate group numbers.

C

With mismatched authentication, the state would not be Active. The exhibit clearly shows Active on both routers, so authentication is not the cause.

D

Version mismatch would not change the displayed group number; the group number discrepancy is the direct evidence shown in the exhibit.

125
MCQmedium

A port connected to an end-user PC should not send or expect VLAN tags from the endpoint. Which interface type is appropriate on the switch?

C.Routed port
D.Port-channel interface
AnswerA

This is correct because an access port is the normal single-VLAN switchport type for end devices such as PCs.

Why this answer

The appropriate interface type is an access port. In plain language, a normal user PC is expected to connect to one VLAN and send ordinary untagged Ethernet frames. The switch associates that traffic with the configured access VLAN.

This is different from a trunk, which is designed to carry multiple VLANs and commonly uses tagging to preserve VLAN identity across the link. Routed ports are Layer 3 interfaces used for routing between VLANs, not for attaching a single end-user PC. Port-channel interfaces aggregate multiple physical links for redundancy and bandwidth, but they do not determine whether VLAN tagging is used; the underlying port mode (access or trunk) still applies.

Therefore, access port is the only correct choice for an untagged, single-VLAN end-device connection.

Exam trap

Don't confuse the need for VLANs with the need for VLAN tagging. Access ports handle untagged traffic for single VLANs.

Why the other options are wrong

B

A trunk port is designed to carry traffic for multiple VLANs using 802.1Q tagging, which is not expected from a standard PC. Using a trunk port for a PC would cause the switch to expect tagged frames, leading to communication failures.

C

A routed port is a Layer 3 interface used for routing between VLANs or connecting to routers, not for connecting end-user PCs. It does not operate as a Layer 2 switchport and would not handle VLAN tagging as required.

D

A port-channel interface is a logical bundling of multiple physical links for increased bandwidth and redundancy, not a single connection to an end-user PC. It is used between switches or to servers, not for typical PC access.

126
PBQhard

You are connected to R1. Configure inter-VLAN routing on R1 using router-on-a-stick so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can communicate. The switch SW1 is already configured with VLANs and trunking, but R1's current configuration prevents traffic. Identify and fix the issues.

Network Topology
G0/0trunkR1SW1

Hints

  • Check if the physical interface is administratively down.
  • Verify that the trunk is allowing VLANs 10 and 20.
  • Ensure 'ip routing' is enabled (it is by default).
A.Enable the physical interface with the 'no shutdown' command on R1.
B.Change the encapsulation on the subinterfaces to use dot1Q with native VLAN 10 and 20 respectively.
C.Enable IP routing globally with the 'ip routing' command on R1.
D.Remove the 'no shutdown' from the subinterfaces and apply it only to the physical interface.
AnswerA
solution
! R1
interface GigabitEthernet0/0
no shutdown
exit
show interfaces trunk

Why this answer

The issue was that the physical interface GigabitEthernet0/0 on R1 was administratively down, causing all subinterfaces for VLANs 10 and 20 to be in a down state. Enabling it with 'no shutdown' brings the trunk up, allowing inter-VLAN routing because the switch already has trunking configured. The other options are incorrect because they suggest steps that are either already in place (IP routing) or not needed (changing encapsulation or moving no shutdown to subinterfaces).

Exam trap

A common mistake is overlooking that router-on-a-stick requires the physical interface to be administratively up, as subinterfaces cannot function independently.

Why the other options are wrong

B

Changing encapsulation is unnecessary because the subinterfaces already use the correct dot1Q encapsulation for VLANs 10 and 20.

C

The 'ip routing' command is already enabled by default on routers, and global routing is not the problem here.

D

Subinterfaces do not support a 'no shutdown' command; their operational state is determined solely by the physical interface.

127
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure inter-VLAN routing using a router-on-a-stick topology.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Inter-VLAN routing via router-on-a-stick requires creating VLANs on the switch, placing access ports in those VLANs, configuring a trunk to the router with the correct native VLAN to avoid mismatch, enabling the physical router interface, and then defining subinterfaces per VLAN with 802.1Q encapsulation and IP addresses. This ensures traffic from different VLANs can be routed.

128
MCQhard

A trunk link has a native VLAN mismatch between two switches. What is the most likely result?

A.All VLANs except the native VLAN stop forwarding immediately.
B.Untagged frames can be interpreted as belonging to different VLANs on each switch.
C.The trunk automatically converts to an access port.
D.STP is disabled on the trunk until the mismatch is corrected.
AnswerB

Correct. That is the classic native VLAN mismatch issue.

Why this answer

Untagged traffic may be placed into different VLANs on each side of the trunk, causing traffic leakage or connectivity problems.

Exam trap

Be careful not to confuse native VLAN mismatches with issues that affect tagged traffic or automatic switch behavior.

Why the other options are wrong

A

A native VLAN mismatch does not cause all other VLANs to stop forwarding. The trunk continues to forward frames for all VLANs, but untagged frames (native VLAN) are miscommunicated.

C

A trunk port does not automatically convert to an access port due to a native VLAN mismatch. The trunk remains operational, but the native VLAN mismatch causes problems for untagged traffic.

D

STP continues to run normally on the trunk link despite a native VLAN mismatch. The mismatch does not disable STP; it only affects the handling of untagged frames.

129
MCQmedium

After a switch replacement, users in VLAN 30 cannot reach devices in other VLANs. The replacement switch has a trunk link to the distribution switch that shows as up/up. What is the most likely cause?

A.The native VLAN must be changed to 30
B.VLAN 30 is not permitted on the trunk link
C.The uplink should be configured as an access port
D.STP must be disabled on VLAN 30
AnswerB

The trunk allowed list does not include VLAN 30.

Why this answer

The trunk is up, but VLAN 30 is not allowed on it. Traffic from that VLAN never crosses the uplink, so inter-VLAN reachability fails for users in VLAN 30 even though the local access ports may still look fine.

Exam trap

Ensure you distinguish between management settings and VLAN configuration. Focus on trunk settings when inter-VLAN issues arise.

Why the other options are wrong

A

Changing the native VLAN to 30 would not resolve the issue because the native VLAN is used for untagged traffic on a trunk, and the problem is that VLAN 30 traffic is not being allowed at all. Additionally, native VLAN mismatch can cause connectivity issues, but it does not specifically prevent only VLAN 30 from reaching other VLANs.

C

Configuring the uplink as an access port would place it in a single VLAN, preventing traffic from multiple VLANs (including VLAN 30) from traversing the link. Since the switch needs to carry traffic for multiple VLANs, the uplink must remain a trunk port.

D

Disabling STP on VLAN 30 would be dangerous as it could cause bridging loops and network instability. Moreover, STP does not control whether a VLAN is allowed on a trunk; it only prevents loops. The issue is a missing VLAN in the trunk allowed list, not a spanning-tree problem.

130
MCQhard

Based on the exhibit, which configuration should be added to restore DHCP service for clients in VLAN 30?

A.ip helper-address 10.99.99.20 under interface Vlan30
B.switchport mode trunk under interface Vlan30
C.ip default-gateway 10.99.99.20 under interface Vlan30
D.spanning-tree portfast under interface Vlan30
AnswerA

This is correct because the VLAN 30 SVI must relay DHCP requests toward the remote server.

Why this answer

The correct fix is to add an IP helper address pointing to the remote DHCP server on the Layer 3 interface for VLAN 30. In practical terms, the clients are sending DHCP discovery as a broadcast, and the server is on another subnet. The SVI for VLAN 30 is the local gateway that must relay those requests toward the server.

This is one of the most exam-realistic campus troubleshooting scenarios because it tests both subnet boundaries and the role of the local gateway interface.

Exam trap

A common exam trap is confusing the ip helper-address command with ip default-gateway or Layer 2 commands like switchport mode trunk. Candidates might incorrectly apply switchport commands to an SVI, which is a Layer 3 interface, or think setting ip default-gateway will relay DHCP requests. These mistakes cause DHCP broadcasts to fail reaching the remote server, leading to no IP address assignment for clients.

Understanding that ip helper-address is the DHCP relay mechanism on Layer 3 interfaces is critical to avoid this trap.

Why the other options are wrong

B

Incorrect. The command switchport mode trunk is a Layer 2 switchport configuration and cannot be applied to an SVI, which is a Layer 3 interface. This does not affect DHCP relay.

C

Incorrect. The ip default-gateway command sets the default gateway for management traffic on a Layer 2 device and does not relay DHCP broadcasts. It does not restore DHCP service for clients.

D

Incorrect. The spanning-tree portfast command is used on physical Layer 2 switchports to speed up port transitions and has no effect on DHCP relay or SVIs.

131
MCQmedium

A switch administrator enters the following commands on interface GigabitEthernet1/0/10: interface g1/0/10 switchport mode access switchport access vlan 30 spanning-tree portfast spanning-tree bpduguard enable A user connects a small managed switch to this port, and the access port immediately changes to an err-disabled state. Which feature caused the port to shut down?

C.Access VLAN 30 assignment
D.The interface being in access mode
AnswerB

Correct. BPDU Guard is correct because it is specifically designed to shut down an edge port that should not receive BPDUs. In plain terms, the switch sees evidence that another switch was attached and decides to protect the topology by disabling the port instead of allowing a possible loop or unexpected spanning-tree participation.

Why this answer

BPDU Guard is the feature that caused the shutdown. This question is really about separating two features that are often configured together on user-facing ports: PortFast and BPDU Guard. PortFast helps an edge port come up quickly, which is useful for PCs and phones.

BPDU Guard adds protection by watching for BPDUs on that same port. If a switch is connected where only an end device should exist, the newly connected switch may send BPDUs. The local switch interprets that as a topology risk and disables the port to protect the Layer 2 network.

The clues are the err-disabled state and the fact that another switch was connected. VLAN assignment and access mode are normal here and do not explain the shutdown.

Exam trap

Remember that BPDU Guard, not PortFast, causes a port to shut down when BPDUs are received. PortFast only affects port transition speed.

Why the other options are wrong

A

PortFast is a feature that allows a port to transition immediately to the forwarding state, bypassing the usual spanning-tree listening and learning phases. It does not cause a port to shut down or enter an err-disabled state; it only speeds up convergence for end-user devices.

C

Assigning an access VLAN (VLAN 30) simply places the port into a specific broadcast domain for user traffic. It has no mechanism to detect or react to BPDUs, and it does not cause a port to enter an err-disabled state. The port would remain operational regardless of the VLAN assignment.

D

Configuring a port as an access port is a standard practice for connecting end devices. It does not inherently cause any shutdown or err-disabled condition. The port remains up and forwarding traffic unless another feature, such as BPDU Guard, triggers a protective action.

132
MCQhard

A network engineer connects a new switch to an existing Rapid PVST+ campus network. The new switch is intended to serve as an additional access-layer switch, but after connecting its uplinks, the engineer discovers that the root bridge for VLAN 10 has changed to this new switch, and several access ports on other switches with PortFast and BPDU Guard enabled are now in err-disabled state. Some users report intermittent connectivity loss.

A.The new switch was connected to a port configured as a trunk with a native VLAN mismatch.
B.The new switch’s bridge priority is lower than the existing root bridge, and it was connected to a port with BPDU Guard enabled.
C.The new switch has PortFast enabled on its uplinks.
D.The BPDU Guard feature was globally enabled on all ports, including trunk ports.
AnswerB

A lower bridge priority causes the new switch to become the root for VLAN 10. Plugging it into a BPDU Guard-enabled port (which is normally an edge port with PortFast) results in the port receiving BPDUs and going err-disabled. This perfectly explains both symptoms.

Why this answer

The new switch's bridge priority is lower (numerically smaller) than the existing root bridge, so it becomes the new root for VLAN 10. When it sends superior BPDUs out its uplinks, the neighboring switch's access ports with PortFast and BPDU Guard enabled receive these BPDUs, triggering err-disable state on those ports, causing connectivity loss.

Exam trap

Cisco often tests the misconception that BPDU Guard only applies to access ports or that it prevents root bridge changes, when in fact it reacts to any BPDU received on a PortFast port, regardless of the BPDU's source or priority.

Why the other options are wrong

A

Attributing the issue to a native VLAN mismatch overlooks the root election change and the BPDU Guard-triggered err-disable state.

C

This answer ignores the root election shift and the BPDU Guard events; PortFast misconfiguration alone would not cause these symptoms.

D

This fails to account for the selective err-disable of only access ports and the concurrent root bridge change, which points to a targeted misconfiguration rather than a blanket global setting.

133
MCQhard

A network technician is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to SwitchA cannot ping the default gateway on SwitchB. The interface on SwitchB shows up/up, but the interface on SwitchA shows up/down. The technician examines the interface configuration and status on SwitchA. What is the most likely cause of this issue?

A.Replace the Ethernet cable because it is faulty.
B.Configure both interfaces with the same duplex and speed settings, either both auto or both manually set to full-duplex and 1000 Mbps.
C.Issue the 'shutdown' and 'no shutdown' commands on the interface to recover from err-disabled state.
D.Check the VLAN configuration on SwitchA because the interface is administratively down.
AnswerB

The line protocol being down with up/up on the remote suggests a duplex mismatch, which can occur when one side is manually set and the other is auto-negotiating. Setting both sides consistently resolves the issue.

Why this answer

The interface on SwitchA shows up/down, meaning Layer 1 is active but the line protocol is down. This is commonly caused by a speed mismatch between the two ends. A duplex mismatch, in contrast, typically results in both interfaces showing up/up with CRC errors.

Therefore, the most likely cause is that the speed settings differ—for example, one interface is set to auto-negotiate while the other is hard-coded to a specific speed. Configuring both interfaces with identical speed and duplex settings, either both auto or both manually configured, resolves the issue.

Exam trap

The trap is that up/down is often misinterpreted as a faulty cable or an err-disabled state, but it actually points to a speed mismatch or auto-negotiation failure, not a duplex mismatch.

Why the other options are wrong

A

The interface status shows 'up, line protocol is down', which indicates a Layer 2 issue, not a physical cable fault. Additionally, no CRC, runts, giants, or collisions are reported, so the cable is likely not faulty.

C

The interface status is 'up, line protocol is down', not 'err-disabled'. The err-disabled state would show 'err-disabled' in the interface status, and a shutdown/no shutdown would be appropriate only for err-disabled recovery.

D

The interface status is 'up', not 'administratively down'. An administratively down interface would show 'administratively down, line protocol is down'. VLAN configuration issues typically cause the interface to be up/up but unable to forward traffic, not up/down.

134
PBQmedium

You are connected to the console of R1. The network administrator reports that hosts on VLAN 10 cannot ping the default gateway (192.168.10.1). R1's GigabitEthernet0/1 is connected to a switch with trunk port allowing VLAN 10 and 20. The interface configuration on R1 appears correct, but the VLAN 10 interface is not operational.

Network Topology
G0/1 .1trunkR1SW1

Hints

  • Check the status of the subinterface.
  • Verify that the physical interface is not administratively down.
  • Confirm that the encapsulation command is correct.
A.The physical interface GigabitEthernet0/1 was administratively down.
B.The VLAN 10 subinterface was configured with the wrong encapsulation dot1q VLAN ID.
C.The switch port connected to R1 was not configured as a trunk.
D.The VLAN 10 subinterface was missing the 'no shutdown' command.
AnswerA
solution
! R1
interface GigabitEthernet0/1
no shutdown
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0

Why this answer

The GigabitEthernet0/1 interface was administratively down (missing 'no shutdown' in the initial config). Although the subinterface had 'no shutdown', the physical interface must also be up. Bringing up the physical interface resolved the issue.

Exam trap

Do not assume that subinterfaces can be independently brought up; always check the physical interface state first. A common trap is to focus on subinterface configuration while ignoring the parent interface.

Why the other options are wrong

B

The specific factual error is that the subinterface would still show as up/up (though traffic would not be forwarded) if the encapsulation were wrong; the problem is the physical interface being down.

C

The specific factual error is that the switch trunk configuration is given as correct; the problem is on the router side, not the switch.

D

The specific factual error is that subinterfaces do not have an independent administrative state; they rely on the physical interface being up.

135
PBQhard

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs (10 and 20). Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and the trunk between R1 and SW1 shows a native VLAN mismatch. Examine the provided configuration and output, then apply the necessary corrections to R1 so that inter-VLAN routing works correctly.

Hints

  • Check the native VLAN on the trunk — it might not match the switch.
  • Examine each subinterface's encapsulation — one may have the wrong VLAN ID.
  • Is IP routing enabled? The router needs to forward between VLANs.
A.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
B.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.20 to dot1Q 20, but do not enable IP routing because it is enabled by default.
C.Change the native VLAN on R1's trunk interface to 1, correct the encapsulation on G0/0.20 to dot1Q 20, and enable IP routing globally.
D.Change the native VLAN on R1's trunk interface to 99, correct the encapsulation on G0/0.10 to dot1Q 10, and enable IP routing globally.
AnswerA
solution
! R1
interface GigabitEthernet0/0
switchport trunk native vlan 99
exit
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
exit
ip routing

Why this answer

The configuration has three issues: 1) The native VLAN on the trunk is VLAN 1, but the switch expects VLAN 99 (common mismatch scenario). 2) Subinterface G0/0.20 uses encapsulation dot1Q 10 instead of 20, causing VLAN 20 traffic to be mis-tagged. 3) The 'ip routing' command is missing globally, so R1 cannot route between subinterfaces. To fix, configure the main interface G0/0 with 'encapsulation dot1Q 99 native' to set the native VLAN to 99, correct the encapsulation on G0/0.20 to 'dot1Q 20', and enable IP routing with 'ip routing'.

Exam trap

Candidates often forget to enable 'ip routing' globally, assuming it is on by default. They may also overlook the native VLAN mismatch or incorrectly use a Layer 2 switchport command instead of 'encapsulation dot1Q 99 native' on the router interface.

Why the other options are wrong

B

The specific factual error is that IP routing is not enabled by default; it requires the 'ip routing' global command.

C

The specific factual error is that the native VLAN must match on both sides; changing R1's native VLAN to 1 does not match the switch's native VLAN 99.

D

The specific factual error is that the subinterface G0/0.20 is associated with VLAN 20, so its encapsulation must be dot1Q 20, not 10.

136
MCQhard

A network engineer notices that a newly connected switch-to-switch link is up, but traffic from multiple VLANs is not passing. When issuing the show interfaces trunk command, no trunk ports are listed. Both switch ports are configured with switchport mode dynamic auto. What is the most likely cause?

A.There is a native VLAN mismatch between the two switches.
B.The connecting cable is a straight-through Ethernet cable rather than a crossover cable.
C.One switch lacks a VLAN that exists on the other switch.
D.Both ports are set to dynamic auto, so neither switch initiates DTP negotiation.
AnswerD

In dynamic auto mode, a switch port passively waits for DTP negotiation requests. When both ends are dynamic auto, no side initiates the negotiation, so the ports default to access mode. This perfectly matches the symptom: the link is up, but no trunk appears under show interfaces trunk, and multi-VLAN traffic is not passing.

Why this answer

When both ends of a link are set to switchport mode dynamic auto, neither switch will initiate DTP negotiation. Dynamic auto responds only to DTP requests; it never sends them. Therefore, no DTP messages are exchanged, and both ports silently remain in access mode.

This explains why the link is up and passing traffic only for the access VLAN, and no trunk ports appear in the output. Other issues (native VLAN mismatch, straight-through cable, missing VLANs) do not prevent trunk formation—they affect operational behavior or management reporting but would still show a trunk interface if DTP negotiation succeeded.

Exam trap

Many candidates incorrectly believe a native VLAN mismatch prevents trunk formation because they confuse DTP negotiation failure with CDP/STP native VLAN mismatch errors. In reality, DTP does not check native VLAN compatibility; a trunk will still form and then generate log messages about the mismatch.

Why the other options are wrong

A

Confusing DTP trunk negotiation with the operational consequences of a native VLAN mismatch.

B

Assuming that a crossover cable is mandatory for switch-to-switch connections, ignoring auto-MDIX.

C

Mistaking the ability to forward traffic for a specific VLAN with the ability to negotiate a trunk.

137
MCQhard

Two switches, SW1 and SW2, are connected via a trunk link. Hosts in VLAN 50 on SW1 cannot communicate with hosts in VLAN 50 on SW2, while hosts in other VLANs communicate normally. What is the most likely cause?

A.VLAN 50 is not allowed on the trunk from SW1.
B.The native VLAN must be changed to 50 on both switches.
C.The trunk must be changed to an access port.
D.The switches must run PPP on the uplink.
AnswerA

This is correct because VLAN 50 is missing from the allowed list on SW1.

Why this answer

The strongest explanation is that VLAN 50 is missing from the allowed VLAN list on one side of the trunk. In practical terms, the trunk is up and carrying other VLANs, so the problem is selective rather than total. When one VLAN is omitted from the allowed list, only that VLAN fails while others continue to work normally.

This is a high-value switching troubleshooting pattern because it rewards careful reading of operational output rather than generic trunk theory.

Exam trap

Be careful to distinguish between total trunk failures and selective VLAN issues. Check the allowed VLAN list on trunk links when only one VLAN is affected.

Why the other options are wrong

B

The native VLAN is used for untagged traffic on a trunk and does not affect the forwarding of tagged frames for other VLANs. Changing the native VLAN to 50 would not resolve the issue because VLAN 50 frames are still tagged and require inclusion in the allowed VLAN list.

C

An access port can only carry a single VLAN, so changing the trunk to an access port would prevent the link from carrying multiple VLANs, including VLAN 50. The link is intended to carry multiple VLANs, so a trunk is required.

D

PPP (Point-to-Point Protocol) is a WAN protocol used on serial links, not on Ethernet trunks. Ethernet trunks use 802.1Q or ISL encapsulation, and PPP has no relevance to VLAN trunking issues.

138
MCQhard

A phone and PC share one switchport. The phone works, but the PC cannot reach its normal data resources. The switchport voice VLAN is configured, and the access VLAN is incorrect. Which explanation is strongest?

A.The PC is likely in the wrong data VLAN even though the phone still uses the correct voice VLAN.
B.If the phone works, the PC must also work because both use the same VLAN always.
C.The issue must be BGP because phones cannot use VLANs.
D.The access VLAN becomes irrelevant whenever a voice VLAN is configured.
AnswerA

This is correct because voice and data use different VLAN roles on the same physical port.

Why this answer

Option A is correct because the switchport is configured with a voice VLAN for the phone and an access VLAN for the PC. If the access VLAN is incorrect, the PC will be placed in the wrong data VLAN, preventing it from reaching its normal data resources, while the phone continues to operate correctly on its designated voice VLAN. This is a common misconfiguration where the data VLAN ID does not match the network segment the PC expects.

Exam trap

Cisco often tests the misconception that a working phone implies the PC is also correctly configured, but the trap here is that voice and data VLANs are independent, so a misconfigured access VLAN only affects the PC.

Why the other options are wrong

B

This statement is incorrect because the phone and PC can operate on different VLANs on the same port. The phone uses the voice VLAN, while the PC uses the access (data) VLAN. They are not required to use the same VLAN, and misconfiguration of the access VLAN can cause the PC to fail while the phone works.

C

BGP (Border Gateway Protocol) is a routing protocol used between autonomous systems, not related to VLAN configuration on a switchport. The issue described is about Layer 2 VLAN assignment, not Layer 3 routing. BGP has no role in this scenario.

D

The access VLAN remains relevant even when a voice VLAN is configured. The access VLAN is used for the PC's data traffic, while the voice VLAN is used for the phone's traffic. If the access VLAN is incorrect, the PC will not be able to communicate on the correct data network.

139
MCQhard

A network administrator is troubleshooting connectivity issues in a switched network. Users on VLAN 10 report intermittent connectivity to the server farm. The network uses Rapid PVST+ as the spanning-tree protocol. The administrator examines the switch that is the root bridge for VLAN 10 and notices that one of the uplink interfaces to an access switch is in a blocking state. What is the most likely cause of this issue?

A.Change the port type of Gi0/3 to trunk to allow multiple VLANs.
B.Configure spanning-tree portfast on Gi0/3 to speed up convergence.
C.Check the spanning-tree priority on other switches to ensure the intended root bridge has the lowest priority for VLAN 10.
D.Enable BPDU guard on Gi0/3 to prevent unauthorized switches from affecting the network.
AnswerC

The root bridge is elected based on the lowest bridge priority. If another switch has a lower priority, it becomes the root, causing ports on the current root to block. Verifying and adjusting priorities will ensure the correct root bridge election.

Why this answer

In Rapid PVST+, the root bridge for a VLAN should have all its ports in a forwarding state. If an uplink interface on the root bridge is blocking, it indicates that another switch is being elected as the root bridge for VLAN 10, likely because it has a lower spanning-tree priority. By checking and adjusting the priority on other switches, the administrator can ensure the intended switch becomes the root bridge, resolving the intermittent connectivity caused by suboptimal path selection.

Exam trap

Cisco often tests the misconception that a blocking port on a root bridge indicates a physical or configuration issue with that specific port, when in fact it signals that the switch is not the root bridge due to a lower priority on another switch.

Why the other options are wrong

A

Changing the port type to trunk does not affect spanning-tree root bridge election or port roles. The blocking state is determined by spanning-tree topology, not by trunk configuration.

B

Portfast is intended for access ports connected to end devices to bypass listening/learning states; it is not used on uplinks and does not resolve a blocking state caused by spanning-tree topology.

D

BPDU guard is used on access ports to protect against rogue switches by disabling the port if a BPDU is received. It does not affect root bridge election or port roles on uplinks.

140
Matchingmedium

Match each switchport or VLAN term to its most accurate meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Switchport that normally carries one VLAN for an endpoint

Link that carries multiple VLANs

Setting that restricts which VLANs may traverse the trunk

VLAN associated with untagged traffic on an 802.1Q trunk

Why these pairings

Access ports are in one VLAN; trunk ports carry multiple VLANs with tags. Switchport mode commands set the port type. VLANs create separate broadcast domains; SVIs provide Layer 3 routing for VLANs.

Exam trap

The exam trap here is confusing the definitions of access ports and trunk ports, or associating an access port with the concept of a VLAN or SVI. Remember that an access port is a Layer 2 port that belongs to exactly one VLAN and does not tag frames.

141
PBQmedium

You are connected to R1 via the console. R1 is a Cisco ISR 4321 router running IOS-XE 17.3. The network team has reported intermittent connectivity issues between VLAN 10 hosts and the server at 10.0.0.100. You suspect a routing problem and need to analyze the IP routing table, ARP cache, and interface status to identify the cause. Use the provided outputs to diagnose the issue.

Network Topology
G0/0192.168.10.1/24G0/110.0.0.1/30G0/010.0.0.2/30linkG0/010.0.0.2/3010.0.0.100linkHostsVLAN 10R1R2Server

Hints

  • Check the IP routing table for a default route or specific route to 10.0.0.100.
  • Examine the ARP cache to see if the MAC address of the next hop (10.0.0.2) is present.
  • Verify that both interfaces are up/up and have correct IP addresses.
A.The routing table shows a default route via 192.168.1.1, but the ARP cache has an incomplete entry for that next-hop IP, indicating a Layer 2 connectivity issue.
B.The routing table has a static route to 10.0.0.0/24 via 192.168.1.2, but the interface GigabitEthernet0/0/0 is administratively down.
C.The routing table shows a route to 10.0.0.0/16 via 192.168.1.1, but the ARP cache has a complete entry for 192.168.1.1, indicating the issue is at Layer 3.
D.The routing table has no route to 10.0.0.100, and the ARP cache is empty for all entries, indicating a complete routing failure.
AnswerA
solution
! R1
show ip route
show ip arp
show interfaces GigabitEthernet0/0
show interfaces GigabitEthernet0/1

Why this answer

The issue is likely a missing or incorrect route, an incomplete ARP entry, or an interface problem. By checking the routing table, you can confirm if a route to 10.0.0.100 exists. The ARP cache shows whether the next-hop MAC is learned.

Interface status indicates if the link is operational. The solution commands reveal these details, allowing you to pinpoint the cause (e.g., default route missing, ARP timeout, or interface down).

Exam trap

The exam trap is that candidates often jump to routing table issues first, but the question emphasizes 'intermittent' connectivity, which typically indicates Layer 2 problems like ARP failures or flapping interfaces. Always correlate routing table, ARP cache, and interface status together.

Why the other options are wrong

B

The specific factual error is that an administratively down interface results in a hard failure, not intermittent connectivity.

C

The specific factual error is that a complete ARP entry indicates no Layer 2 problem, contradicting the symptom of intermittent connectivity.

D

The specific factual error is that a missing route results in consistent unreachability, not intermittent problems.

142
Matchingmedium

Match each trunk or VLAN term to its most accurate function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Link carrying traffic for multiple VLANs

VLAN assigned to a normal endpoint-facing port

VLAN associated with untagged traffic on an 802.1Q trunk

Setting that restricts which VLANs may cross a trunk

Why these pairings

Access ports carry traffic for one VLAN only; trunk ports carry multiple VLANs using tagging. The native VLAN is untagged on a trunk; VLAN 1 is the default. 802.1Q is the standard for tagging, and voice VLAN separates voice traffic.

Exam trap

Be careful not to confuse the native VLAN (untagged) with other VLANs (tagged) on a trunk. Also, remember that VLAN 1 is the default data VLAN, not the voice VLAN.

143
MCQmedium

SW1 is the root bridge for VLAN 10. A user switch receives a BPDU on an access port connected to a desk-side unmanaged switch. What should happen if BPDU Guard is enabled on that port?

A.The port transitions to forwarding more quickly
B.The port is moved to err-disabled state
C.The switch elects a new root bridge
D.The port becomes a trunk automatically
AnswerB

BPDU Guard shuts the port down when a BPDU is seen on an edge port.

Why this answer

BPDU Guard is designed to protect edge ports. If a BPDU is received on a PortFast access port, the switch places the interface into the err-disabled state to stop a potential Layer 2 loop or rogue switch.

Exam trap

Remember that BPDU Guard actively disables ports, it doesn't just log or ignore BPDUs.

Why the other options are wrong

A

PortFast allows a port to transition to forwarding immediately upon link up, but it does not react to BPDU reception. BPDU Guard is a separate feature that disables the port upon receiving a BPDU, not accelerate forwarding.

C

Receiving a BPDU on a single edge port does not trigger a root bridge election. Root bridge election is based on bridge ID comparison across the entire spanning-tree domain, not on a single BPDU on a port.

D

BPDU Guard does not change the port mode; it only reacts to BPDU reception by disabling the port. Port mode (access or trunk) is configured separately and is not affected by STP protection features.

144
PBQhard

You are connected to R1. The network administrator reports that hosts on VLAN 10 cannot communicate with the server attached to R2's GigabitEthernet0/1 interface. Troubleshoot and resolve the issue. Identify the root cause and apply the necessary fix on R1.

Network Topology
G0/0192.168.1.1/30linkG0/1192.168.1.5/30G0/1192.168.1.6/30linklinkR2R1Switch1Hosts in VLAN10

Hints

  • The high input error count on G0/0 suggests a Layer 1 issue, possibly duplex mismatch.
  • Compare the configured duplex on R1's G0/0 with the typical auto-negotiation settings on a switch.
  • Reverting to auto-negotiation on both speed and duplex is often the solution for such mismatches.
A.Configure 'no duplex' and 'no speed' under interface GigabitEthernet0/0 to enable auto-negotiation.
B.Change the duplex setting on GigabitEthernet0/0 to half-duplex using 'duplex half'.
C.Apply 'speed 100' and 'duplex full' on GigabitEthernet0/0 to match a common switch configuration.
D.Clear the interface counters on GigabitEthernet0/0 with 'clear counters gigabitethernet0/0' without changing any configuration.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no duplex
no speed
end
clear counters GigabitEthernet0/0

Why this answer

The issue is a duplex mismatch on GigabitEthernet0/0. R1 is configured with 'duplex full' and 'speed 1000', but the connected switch port is likely set to auto-negotiate or is set to half-duplex. This causes high input errors (1500) and degraded performance.

The fix is to set R1's G0/0 to auto-negotiate both speed and duplex, matching the switch's configuration. Enter interface configuration mode for G0/0, issue 'no duplex' and 'no speed' to revert to auto, then clear the interface counters with 'clear counters gigabitethernet0/0'.

Exam trap

The exam trap is that candidates often focus on speed mismatches or clearing counters, but the real issue is duplex mismatch. Remember that on GigabitEthernet interfaces, auto-negotiation is the default and recommended setting; static duplex/speed settings can cause mismatches and errors.

Why the other options are wrong

B

The specific factual error is that manually setting half-duplex does not resolve a mismatch; it may create a new mismatch or degrade performance further.

C

The specific factual error is that GigabitEthernet interfaces usually operate at 1000 Mbps; setting speed to 100 may cause the interface to not come up or to underperform.

D

The specific factual error is that clearing counters is a diagnostic step, not a fix. The root cause (duplex mismatch) remains unaddressed.

145
MCQhard

Based on the exhibit, why are clients in VLAN 70 failing to resolve hostnames even though they can reach remote IP addresses?

A.The clients are missing valid DNS server information.
B.The default gateway must be removed from the DHCP scope.
C.The clients must use PPP before DNS works.
D.The VLAN must be converted to the native VLAN on all trunks.
AnswerA

This is correct because hostname-based access fails while direct IP access works, and the scope shown does not provide a DNS server option.

Why this answer

The strongest explanation is that the clients are missing valid DNS server information. In practical terms, successful reachability to remote IP addresses proves that Layer 3 forwarding is working. The failure occurs only when a hostname is used, which points to a naming service problem rather than a general connectivity problem. The DHCP scope shown provides an address and default gateway, but no DNS server option is defined.

This is a very realistic IP-services troubleshooting pattern because the network path works while application usability still fails.

Exam trap

A frequent exam trap is to mistake the inability to resolve hostnames as a routing or VLAN trunking problem. Candidates might incorrectly believe that removing the default gateway or converting the VLAN to the native VLAN on trunks will resolve the issue. However, these options do not address DNS resolution, which is an application-layer service independent of Layer 3 forwarding.

The trap arises because clients can reach remote IP addresses, misleading candidates to focus on routing or VLAN configuration rather than missing DNS server information in the DHCP scope.

Why the other options are wrong

B

Removing the default gateway from the DHCP scope is incorrect because the default gateway is essential for routing traffic outside the local VLAN. Its presence does not cause hostname resolution failures.

C

The suggestion that clients must use PPP before DNS works is incorrect because PPP is unrelated to DNS resolution in a typical VLAN and DHCP environment. DNS operates independently of PPP.

D

Converting the VLAN to the native VLAN on all trunks does not affect DNS resolution. This option addresses Layer 2 trunking issues, which are unrelated to the hostname resolution problem described.

146
PBQhard

You are troubleshooting a client connectivity issue on VLAN 10. The client PC1 is connected to switch SW1, which is connected to router R1 acting as the default gateway. PC1 can ping its own IP and the default gateway (10.1.10.1) but cannot reach the internet. From the provided router outputs, identify the fault and apply the necessary fix on R1.

Network Topology
G0/0.1010.1.10.1/24G0/0.1010.1.10.1/24PC1SW1R1ISP

Hints

  • Check if R1 has a default route
  • Look at the Gateway of last resort in the routing table
  • The missing command is under global configuration mode
A.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.254
B.Configure a static route on R1: ip route 8.8.8.8 255.255.255.255 10.1.10.254
C.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 10.1.10.1
D.Configure a default route on R1: ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
AnswerA
solution
! R1
configure terminal
ip route 0.0.0.0 0.0.0.0 10.1.10.254
end

Why this answer

PC1 can ping its own IP and the gateway (10.1.10.1) but not the internet (8.8.8.8). The router R1 has no default route to forward traffic to the internet. The fix is to configure a default route on R1 pointing to the next-hop IP address of the upstream router (e.g., 10.1.10.254) or an exit interface.

After adding the default route, R1 will be able to forward traffic outside the local subnet.

Exam trap

Trap: Candidates often confuse the client's default gateway with the router's next-hop for internet traffic. They may also think a host route to the specific destination is sufficient, or that using an exit interface alone is always valid. Remember: for internet access, a default route (0.0.0.0/0) is needed, and on Ethernet, always specify a next-hop IP.

Why the other options are wrong

B

The specific factual error is that a host route does not provide general internet access; it only covers the specified destination.

C

The specific factual error is that the next-hop must be a different device (upstream router), not the router's own interface IP.

D

The specific factual error is that on Ethernet interfaces, a next-hop IP is required to avoid potential ARP resolution problems; using only the exit interface is not the standard practice.

147
Matchingmedium

Drag and drop the VLAN/trunking commands and terms on the left to their correct descriptions or functions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Enables 802.1Q trunking on a switch interface

Assigns an access port to VLAN 10

VLAN that carries untagged traffic on a trunk link; default is VLAN 1

Changes the native VLAN on a trunk to VLAN 99

Uses subinterfaces on a single router interface to route between VLANs

Why these pairings

These pairings match common VLAN/trunking commands and terms to their correct descriptions.

Exam trap

Do not confuse the commands for access and trunk ports. Remember that 'switchport mode access' places the port in access mode, while 'switchport mode trunk' places it in trunk mode. Also, the native VLAN and VLAN 1 are related to trunking and default settings, not to the configuration of an access port.

148
PBQhard

You are connected to SW1. This is a Layer 2 switch that connects multiple IP phones and an AP. The AP is on Gi0/3 and must receive PoE and be placed in VLAN 100 (native VLAN). IP phones on Gi0/1 and Gi0/2 must use VLAN 20 for voice and VLAN 10 for data, and must receive PoE. Currently, the AP cannot get an IP address and the phones have no voice connectivity. Configure SW1 to fix these issues.

Network Topology
Gi0/0trunkGi0/1Gi0/3SW1upstream switchIP phonesAP

Hints

  • IP phones need a separate voice VLAN configured under the access interface.
  • PoE must be explicitly enabled on each interface that needs to supply power.
  • Check the AP interface for PoE status using 'show power inline Gi0/3'.
A.interface Gi0/1; switchport voice vlan 20; power inline auto; interface Gi0/2; switchport voice vlan 20; power inline auto; interface Gi0/3; power inline auto
B.interface Gi0/1; switchport voice vlan 10; power inline auto; interface Gi0/2; switchport voice vlan 10; power inline auto; interface Gi0/3; switchport access vlan 100; power inline auto
C.interface Gi0/1; switchport voice vlan 20; interface Gi0/2; switchport voice vlan 20; interface Gi0/3; switchport access vlan 100
D.interface Gi0/1; power inline auto; interface Gi0/2; power inline auto; interface Gi0/3; power inline auto; switchport trunk native vlan 100
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/2
switchport voice vlan 20
power inline auto
exit
interface GigabitEthernet0/3
power inline auto
exit

Why this answer

The AP on Gi0/3 requires PoE (power inline auto) and must be on a trunk port with native VLAN 100. The current configuration likely lacks PoE, and the port may be set as an access port instead of a trunk. For the IP phones on Gi0/1 and Gi0/2, the missing 'switchport voice vlan 20' command prevents voice traffic from using VLAN 20, and PoE must also be enabled.

The provided solution adds the necessary voice VLAN and PoE commands. Option A is correct because it applies voice VLAN 20 and PoE to the phone ports, and PoE to the AP port. Option B incorrectly assigns voice VLAN 10; Option C omits PoE on the AP port; Option D applies PoE globally but fails to set voice VLANs and incorrectly configures trunk native VLAN on all ports.

Exam trap

Trap: Candidates often forget to enable PoE on ports that need it, or they confuse the voice VLAN with the data VLAN. Always verify that both power and VLAN assignments are correct for IP phones and PoE devices.

Why the other options are wrong

B

The specific factual error is that the voice VLAN is set to VLAN 10 instead of VLAN 20, which contradicts the requirement that voice traffic uses VLAN 20.

C

The specific factual error is the failure to enable PoE on the interfaces, which is required for both the AP and IP phones to operate.

D

The specific factual error is the omission of the 'switchport voice vlan 20' command on the phone ports, leaving them without voice VLAN assignment.

149
PBQhard

You are troubleshooting a wireless client association failure on a Cisco WLC. The client is unable to connect to the corporate SSID 'CorpNet' and reports an authentication error. Review the WLC configuration and fix the issue so that the client can associate and obtain an IP address from VLAN 100. The WLC management IP is 192.168.1.10/24.

Hints

  • Check the security settings — the client may not support WPA3.
  • Verify if the SSID is hidden — the client cannot scan for it.
  • Ensure the VLAN assigned to the WLAN matches the client's subnet.
A.Change the WLAN security to WPA2, enable SSID broadcast, and configure the WLAN interface to use VLAN 100 with a DHCP scope on that VLAN.
B.Change the WLAN security to WPA3 only, enable SSID broadcast, and change the management interface IP to 192.168.100.10/24.
C.Keep WPA3, disable SSID broadcast for security, and configure the WLAN interface to use VLAN 100 with a DHCP scope on VLAN 1.
D.Change the WLAN security to WPA2, keep SSID broadcast disabled, and configure the WLAN interface to use VLAN 1.
AnswerA
solution
! WLC
configure terminal
wlan CorpNet 1 CorpNet
security wpa2
security wpa akm psk
security wpa psk ascii 7 1234567890abcdef
no security wpa3-sae
broadcast-ssid enable
interface wlan 1
vlan 100
end

Why this answer

The client authentication and DHCP issues are caused by: (1) WPA3 being configured while the client only supports WPA2, (2) SSID broadcast disabled, preventing client discovery, and (3) the WLAN's client VLAN (100) lacking a DHCP server or scope. The management interface VLAN (1) does not interfere with client DHCP. To resolve, change security to WPA2, enable SSID broadcast, and ensure the WLAN is associated with the correct VLAN (100) and a DHCP scope exists on that VLAN.

Exam trap

Be careful not to confuse the management interface VLAN with the client data VLAN. Also, remember that SSID broadcast must be enabled for clients to discover the network, and security settings must match client capabilities. Always verify DHCP scope placement matches the client VLAN.

Why the other options are wrong

B

The specific factual error is that WPA3-only security may not be supported by the client, and changing the management interface IP does not resolve the client VLAN assignment issue.

C

The specific factual errors are: WPA3 may not be compatible, disabling SSID broadcast hides the network, and DHCP scope must be on the same VLAN as the client (VLAN 100).

D

The specific factual errors are: SSID broadcast must be enabled for client discovery, and the WLAN interface must be mapped to VLAN 100, not VLAN 1.

150
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two links to SW2 configured as an EtherChannel using LACP. The EtherChannel is not coming up. Interface G0/2 was accidentally configured as an access port in VLAN 10, while G0/1 is configured as a trunk. The administrator wants to use LACP to bundle the links. Troubleshoot and fix the configuration to bring up the EtherChannel.

Hints

  • All interfaces in an EtherChannel must have identical configuration.
  • Check if the interfaces are in the same VLAN or trunk mode.
  • LACP active mode requires matching configurations on both ends.
A.Change interface G0/2 to trunk mode and ensure both interfaces have the same allowed VLAN list.
B.Change interface G0/1 to access VLAN 10 to match G0/2.
C.Remove the access VLAN configuration from G0/2 and leave it as a default switchport (dynamic desirable).
D.Change the EtherChannel mode from LACP to PAgP on both switches.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
no switchport access vlan 10
switchport mode trunk

Why this answer

The EtherChannel was down because interface G0/2 was an access port in VLAN 10, while G0/1 was a trunk. For LACP to bundle the links, all member interfaces must have the same configuration, including VLAN and trunk settings. Changing G0/2 to trunk mode resolved the issue.

Exam trap

Do not confuse the requirement for consistent interface configurations with the negotiation protocol. The most common cause of EtherChannel failure is mismatched VLAN or trunk settings, not the protocol (LACP vs PAgP). Always verify that all member ports have identical configurations.

Why the other options are wrong

B

The specific factual error is that changing G0/1 to access VLAN 10 would not resolve the mismatch if the intended configuration is trunking. It would only create a different mismatch if the other side expects trunking.

C

The specific factual error is that dynamic desirable mode does not ensure trunking; it relies on DTP negotiation, which may fail if the other side is set to trunk. Additionally, the VLAN mismatch (access vs trunk) would still prevent EtherChannel formation.

D

The specific factual error is that the protocol does not affect the requirement for consistent interface configurations. Both LACP and PAgP require identical VLAN and trunk settings on all member ports.

← PreviousPage 2 of 4 · 278 questions totalNext →

Ready to test yourself?

Try a timed practice session using only VLAN questions.