CCNA VLAN Questions

75 of 278 questions · Page 3/4 · VLAN topic · Answers revealed

151
MCQhard

SW2 receives the following STP details for VLAN 10: The root bridge ID is 32768:0001.0001.0001 (SW1), and SW2's bridge ID is 32768:0002.0002.0002. Its interface Gi0/1 has a path cost of 4 to the root, while Gi0/2 has a path cost of 19. Based on this information, which statement is correct?

A.SW2 is the root bridge for VLAN 10.
B.Gi0/1 on SW2 is the root port.
C.All SW2 ports in VLAN 10 must be designated ports.
D.STP is disabled because the priorities are equal.
AnswerB

The output states that the root is reached through Port 1, which maps to Gi0/1.

Why this answer

The root bridge has the lowest bridge ID. SW1 is the root because its bridge ID is lower than SW2's local bridge ID. On a non-root switch, the port with the best path toward the root becomes the root port, so Gi0/1 is the root port here.

Exam trap

A common exam trap is to incorrectly conclude that STP is disabled when bridge priorities are equal. Candidates may mistakenly believe that equal priorities cause STP to fail or not elect a root bridge. However, STP always elects a root bridge by comparing the MAC addresses as a tiebreaker when priorities match.

Another trap is assuming all ports on a non-root switch must be designated ports, ignoring the existence of a root port that leads toward the root bridge. Misreading the root port can lead to incorrect answers about port roles and network topology.

Why the other options are wrong

A

This option is incorrect because the root bridge ID shown in the STP details differs from SW2's local bridge ID, indicating SW2 is not the root bridge for VLAN 10.

C

This option is wrong since a non-root switch does not have all ports as designated ports; it must have one root port and may have other ports as designated or blocked.

D

This is incorrect because equal priorities do not disable STP; the protocol uses the MAC address portion of the bridge ID to break ties and continue operation.

152
PBQhard

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via redundant links. All switches run IEEE 802.1D Spanning Tree Protocol. The network administrator wants SW1 to become the root bridge for VLAN 1. Currently, the root bridge is SW2. Configure SW1 to achieve this and ensure that port G0/1, which connects to an end device, immediately transitions to forwarding state upon link up and is protected from BPDU attacks.

Network Topology
G0/1 to PCSW2SW1SW3

Hints

  • The 'root primary' macro sets the priority lower than any other switch.
  • PortFast allows a port to skip listening/learning states.
  • BPDU Guard err-disables the port if a BPDU is received.
A.Configure 'spanning-tree vlan 1 root primary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
B.Configure 'spanning-tree vlan 1 priority 4096' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree guard root'.
C.Configure 'spanning-tree vlan 1 root secondary' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable'.
D.Configure 'spanning-tree vlan 1 priority 32768' globally, and on interface G0/1 configure 'spanning-tree portfast' and 'spanning-tree bpdufilter enable'.
AnswerA
solution
! SW1
spanning-tree vlan 1 root primary
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The 'spanning-tree vlan 1 root primary' command reduces the bridge priority to 24576 (or lower) to ensure SW1 becomes root for VLAN 1. PortFast on G0/1 speeds up access port convergence, and BPDU Guard protects against rogue switches by disabling the port upon BPDU reception.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. Also, remember that BPDU Guard is for access port security, while Root Guard protects the root bridge position. BPDU Filter suppresses BPDUs and is not a security feature.

Why the other options are wrong

B

The specific factual error: 'spanning-tree guard root' is a root guard feature, not BPDU guard. Also, manually setting priority to 4096 may not guarantee root if another switch has lower priority.

C

The specific factual error: 'root secondary' is for backup root, not primary. It sets priority to 28672, which is higher than the default priority of 32768 but not low enough to become root if another switch has a lower priority.

D

The specific factual error: priority 32768 is default and does not change root status. BPDU filter is not a security feature against BPDU attacks; it suppresses BPDUs entirely.

153
Multi-Selectmedium

Which of the following statements about VLAN configuration and trunking on a Cisco switch are correct? (Choose all that apply.)

Select 4 answers
.The native VLAN on a trunk link is used for untagged traffic and should match on both ends of the link.
.The default VLAN 1 cannot be deleted or removed from a switch.
.A switchport configured as an access port can carry multiple VLANs.
.Dynamic Trunking Protocol (DTP) can automatically negotiate trunking between two Cisco switches.
.The 'switchport trunk allowed vlan' command can be used to restrict which VLANs are permitted on a trunk.
.A trunk link can only carry VLANs that are globally created on the switch.

Why this answer

The native VLAN on a trunk carries untagged traffic, and mismatched native VLANs can cause spanning-tree issues, VLAN hopping, and misdirected control traffic, so both ends must match. VLAN 1 is a system-defined VLAN that cannot be deleted or shut down, making it always available. Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that can automatically negotiate trunk links when interfaces are set to desirable or auto.

The 'switchport trunk allowed vlan' command prunes VLANs on a trunk, restricting which VLANs are permitted. A trunk link forwards traffic only for VLANs that exist in the local VLAN database, so the statement that it can only carry globally created VLANs is correct. The incorrect option is that an access port can carry multiple VLANs; in reality, an access port is assigned to a single VLAN and cannot carry traffic for multiple VLANs like a trunk.

Exam trap

A common mistake is thinking an access port can carry multiple VLANs like a trunk, or that a trunk automatically forwards all VLANs without requiring them to be locally defined.

154
MCQmedium

Exhibit: PCs in VLAN 20 are not receiving addresses from a DHCP server in another subnet. The switch SVI for VLAN 20 is up, and routing is working. Which configuration is most likely missing on the gateway for VLAN 20?

A.ip default-gateway 10.20.20.1
B.ip helper-address 10.99.99.10
C.switchport trunk allowed vlan 20
D.spanning-tree portfast default
AnswerB

That forwards DHCP broadcasts to the remote server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. An ip helper-address on the client gateway interface relays those requests to a remote DHCP server.

Exam trap

A frequent exam trap is selecting the ip default-gateway command as the solution for DHCP relay issues. This command only applies to Layer 2 switches for their own management traffic and does not forward DHCP broadcasts across routed interfaces. Candidates may also mistakenly focus on VLAN trunking or spanning-tree settings, which do not affect DHCP relay functionality.

The key is to recognize that DHCP broadcasts must be explicitly forwarded by the router or Layer 3 switch interface using ip helper-address to reach a DHCP server in another subnet.

Why the other options are wrong

A

The ip default-gateway command configures the default gateway for a Layer 2 switch’s management interface and does not forward DHCP broadcasts. Since the question involves DHCP relay across routed VLANs, this command is irrelevant.

C

The switchport trunk allowed vlan 20 command controls VLAN traffic allowed on a trunk link but does not influence DHCP relay or routing between VLANs. The issue is DHCP relay, not VLAN trunk configuration.

D

The spanning-tree portfast default command enables PortFast on switch ports to speed up STP convergence and does not affect DHCP relay or routing. It is unrelated to the problem of clients not receiving DHCP addresses.

155
MCQmedium

A phone and a PC are attached to the same switchport. The intended data VLAN is VLAN 10, and the phone uses voice VLAN 20. The switchport currently has `switchport voice vlan 20` configured. The phone works, but the PC cannot reach the data network. Which command is most likely missing?

A.switchport mode dynamic auto
B.switchport voice vlan 20
C.switchport access vlan 10
D.spanning-tree guard root
AnswerC

The PC needs the correct data VLAN assignment on the access side.

Why this answer

When a Cisco IP phone and a PC share one port, the switchport often needs both a data VLAN and a voice VLAN. If the voice VLAN exists but the data access VLAN is wrong or missing, the phone can work while the PC fails.

Exam trap

Ensure both data and voice VLANs are configured when devices share a port. Don't confuse duplex or trunk settings with VLAN issues.

Why the other options are wrong

A

The phone works but the PC cannot reach the data network, indicating the PC is not in the correct VLAN. 'switchport mode dynamic auto' sets the port to negotiate trunking via DTP, which does not assign a data VLAN to the PC.

B

The PC cannot reach the data network because the switchport is likely configured as a voice VLAN only, but the data VLAN (access VLAN) is missing. Option B configures the voice VLAN, which is correct for the phone, but does not set the access VLAN for the PC.

D

The issue is that the PC cannot reach the data network, which is typically configured via the access VLAN. Spanning-tree guard root is unrelated to VLAN assignment; it prevents a switch from becoming the root bridge, not connectivity issues on a specific VLAN.

156
PBQhard

You are connected to R1, a multilayer switch acting as a DNS forwarder for two VLANs. Users on VLAN 10 report that they cannot resolve 'files.example.com' while VLAN 20 works fine. The DNS server 198.51.100.53 is reachable but returns SERVFAIL for queries from subnet 192.168.10.0/24, while server 203.0.113.53 responds correctly for both VLANs. Diagnose and fix the DNS resolution issue using nslookup and dig, then adjust the IOS-XE configuration to ensure proper name resolution. Choose the best fix that permanently resolves the problem.

Network Topology
G0/0/010.0.0.1/30198.51.100.53linkG0/0/1.10192.168.10.1/24G0/0/1.20192.168.20.1/24R1DNS ServersVLAN 10VLAN 20

Hints

  • The first DNS server returns SERVFAIL for the A record query.
  • The second DNS server resolves the name correctly.
  • Use 'no ip name-server <ip>' to remove a faulty server.
A.Remove the faulty primary DNS server using 'no ip name-server 198.51.100.53' and keep the working secondary server 203.0.113.53.
B.Add a static DNS entry for 'files.example.com' using 'ip host files.example.com 10.0.0.1' on R1.
C.Change the DNS server order so that the working server is primary using 'ip name-server 203.0.113.53 198.51.100.53'.
D.Configure the router to use only the faulty server by removing the working server with 'no ip name-server 203.0.113.53'.
AnswerA
solution
! R1
configure terminal
no ip name-server 198.51.100.53
end

Why this answer

The faulty DNS server 198.51.100.53 returns SERVFAIL for the A record query, indicating a misconfiguration or missing record on that server. Although reordering (Option C) would allow resolution to work by querying the functional server first, it is not the optimal fix because the broken server remains in the list and could still be used if the primary times out or for future queries. The best practice is to completely remove the faulty server using 'no ip name-server 198.51.100.53'.

Option B adds a static entry that only helps one domain and does not address the root cause. Option D would make the router use only the broken server, worsening the problem.

Exam trap

Do not confuse a reachable DNS server with a functional one. SERVFAIL means the server is responding but cannot resolve the query. The solution is to remove the faulty server, not reorder or add static entries.

Why the other options are wrong

C

Reordering the name servers works around the issue temporarily but leaves the faulty server in the configuration, which is not a permanent solution and violates best practice of removing misconfigured DNS servers.

157
MCQhard

Two switches are connected using four Gigabit Ethernet interfaces configured as an EtherChannel with LACP. The network administrator notices that only two of the four interfaces are active in the port-channel, and the other two are in a suspended state. Upon further investigation, the administrator finds that the two inactive interfaces correspond to remote interfaces that are configured with the 'on' mode, while the active ones correspond to remote interfaces configured with LACP active/passive. The administrator also verifies that all local interfaces have the same speed, duplex, and VLAN. What is the most likely cause of the suspended interfaces?

A.The interfaces are in err-disabled state due to a spanning-tree loop.
B.The remote switch interfaces corresponding to the suspended local interfaces are configured with the 'on' mode instead of 'active' or 'passive' for LACP.
C.The port-channel interface is shutdown.
D.There is a mismatch in the allowed VLANs on the member interfaces.
AnswerB

When one switch has LACP active/passive and the other has 'on' (static), LACP negotiation fails, and the ports become suspended. Changing the remote switch to 'active' or 'passive' allows LACP to negotiate and bundle the ports.

Why this answer

LACP requires both ends of a link to be configured in either 'active' or 'passive' mode to negotiate an EtherChannel. If some remote interfaces are set to 'on' mode (static EtherChannel), LACP negotiation fails on those links, causing the corresponding local LACP-enabled interfaces to remain in a suspended state. The local switch detects that LACP PDUs are not received on those interfaces and suspends them to prevent misconfiguration.

The other two interfaces with correctly configured remote peers form the EtherChannel successfully.

Exam trap

Cisco often tests the misconception that all interfaces must match in speed, duplex, and VLAN to form an EtherChannel, but the trap here is that the LACP mode mismatch (active/passive vs. on) is the specific cause of suspended interfaces even when other parameters are consistent.

Why the other options are wrong

A

The exhibit shows the ports as suspended, not err-disabled. Spanning-tree loops typically cause err-disable, not suspension.

C

The port-channel is up (U), so it is not shutdown.

D

The scenario explicitly states that all interfaces are configured with the same VLAN, so this is not the cause.

158
PBQmedium

You are connected to SW1 via console. SW1 is a Layer 2 switch connected to two other switches (SW2 and SW3) via trunk links. The network administrator wants to ensure that SW1 becomes the root bridge for VLAN 10 and VLAN 20. Currently, SW2 is the root for both VLANs. Configure SW1 to become the root bridge for these VLANs using the Cisco-recommended macro STP commands.

Network Topology
trunktrunkSW2SW1SW3

Hints

  • Use the 'root primary' macro to set the bridge priority to 24576.
  • Ensure VLANs 10 and 20 exist on SW1.
A.spanning-tree vlan 10 root primary; spanning-tree vlan 20 root primary
B.spanning-tree vlan 10 root secondary; spanning-tree vlan 20 root secondary
C.spanning-tree vlan 10 priority 4096; spanning-tree vlan 20 priority 4096
D.spanning-tree vlan 10 root; spanning-tree vlan 20 root
AnswerA
solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The 'spanning-tree vlan <vlan> root primary' command is the Cisco-recommended macro that sets the bridge priority to 24576, which is lower than the default 32768, making SW1 the root bridge for those VLANs. Option A correctly uses this macro. Option C, while it could achieve the same goal by setting priority to 4096, is not the macro command and would be considered a static configuration; the question specifically asks for the appropriate macro commands.

Option B sets priority to 28672 as a secondary root, and Option D is invalid syntax.

Exam trap

Do not confuse 'root primary' with 'root secondary'. 'root primary' sets priority to 24576 to become root; 'root secondary' sets priority to 28672 to act as backup. Also, remember that the 'root' keyword must be followed by 'primary' or 'secondary'.

Why the other options are wrong

B

Option B uses 'root secondary', which sets the priority to 28672, making SW1 a backup root, not the primary root bridge.

C

Option C uses a static priority assignment of 4096, which would also make SW1 root, but the question expects the Cisco-recommended macro command 'root primary'.

D

Option D uses incomplete syntax 'spanning-tree vlan 10 root' without 'primary' or 'secondary', which is invalid.

159
PBQhard

You are connected to Switch1. Configure an LACP EtherChannel between Switch1 and Switch2 using interfaces GigabitEthernet0/1 and GigabitEthernet0/2. The channel must be in active mode on both sides, and the port-channel interface must have VLAN 10 as the access VLAN. The current configuration has a speed/duplex mismatch and inconsistent VLAN assignments preventing the channel from forming. Verify the channel is up using 'show etherchannel summary'.

Network Topology
Gi0/1Gi0/1EtherChannelSwitch1Switch2

Hints

  • Check that all member interfaces have the same speed and duplex settings.
  • Ensure all interfaces (including the port-channel) are in the same VLAN.
  • Both sides must use LACP active mode for the channel to form.
A.Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/2 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on both interfaces.
B.Set speed 1000 on Gi0/1, set duplex full on Gi0/1, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode passive on both interfaces.
C.Set speed 100 on Gi0/2, set duplex half on Gi0/2, change access VLAN on Gi0/1 to 20, change access VLAN on Port-channel1 to 20, and set channel-group mode desirable on both interfaces.
D.Set speed auto on Gi0/1 and Gi0/2, set duplex auto on both, change access VLAN on Gi0/1 to 10, change access VLAN on Port-channel1 to 10, and set channel-group mode active on Gi0/1 and passive on Gi0/2.
AnswerA
solution
! Switch1
interface gigabitethernet0/1
speed auto
duplex auto
channel-group 1 mode active
exit
interface gigabitethernet0/2
speed auto
duplex auto
switchport access vlan 10
channel-group 1 mode active
exit
interface port-channel 1
switchport access vlan 10
end

Why this answer

The EtherChannel is not forming due to three issues: (1) Speed mismatch: Gi0/1 is set to 100 Mbps while Gi0/2 is 1000 Mbps; both must match (e.g., auto). (2) Duplex mismatch: Gi0/1 is half-duplex, Gi0/2 is full-duplex; both must be the same (e.g., full). (3) VLAN mismatch: Gi0/1 is in VLAN 10, Gi0/2 in VLAN 20, and Port-channel1 is in VLAN 1; all access VLANs must be consistent (set to VLAN 10). Additionally, the channel-group mode should be 'active' on both interfaces for LACP. The solution involves setting speed and duplex to auto, changing the access VLAN on Gi0/2 and the port-channel to VLAN 10, and setting channel-group mode to active.

Exam trap

The exam trap here is that candidates may focus only on resolving the speed/duplex and VLAN mismatches but forget to check the LACP mode requirement. Also, they might confuse LACP modes (active/passive) with PAgP modes (desirable/auto). Always verify that the mode matches the protocol and the requirement.

Why the other options are wrong

B

The specific factual error: passive mode on both sides will not form an LACP EtherChannel because neither side initiates negotiation; at least one side must be active.

C

The specific factual error: 'desirable' is a PAgP mode; LACP uses 'active' or 'passive'. Using 'desirable' would not form an LACP EtherChannel.

D

The specific factual error: the requirement explicitly states 'active mode on both sides', so setting one side to passive violates the requirement, even though the channel might still form.

160
PBQhard

You are managing a Cisco WLC (192.168.1.10) via its web UI. The wireless network 'CorpSecure' has been configured but clients cannot associate. Some report 'wrong password' errors; others see the SSID but fail to connect. Additionally, management access to the WLC web UI is intermittent. Identify and resolve the issues so that wireless clients can successfully associate with 'CorpSecure' using WPA3-Personal and the WLC web UI is reliably accessible from the management VLAN (VLAN 10).

Hints

  • Check the security settings on the WLAN; clients expecting WPA3 will fail with WPA2 configured.
  • An SSID that is hidden (Broadcast disabled) may not appear in client scans unless manually entered.
  • Management access issues might be unrelated to the WLAN config; verify the management interface IP and default gateway are correct.
A.Configure the SSID with WPA3-Personal; verify management interface is on VLAN 10 with correct gateway.
B.Change the SSID security to WPA2-PSK and disable SSID broadcast; reset the WLC to factory defaults.
C.Update the WLC firmware to the latest version and change the management VLAN to VLAN 1.
D.Reconfigure the SSID with WPA3-Enterprise and enable SSID broadcast; set the management interface to use DHCP.
AnswerA
solution
! WLC
Navigate to WLANs > Edit CorpSecure > Security > Layer 2 > Select WPA3-Personal (AES) > Apply
Navigate to WLANs > Edit CorpSecure > SSID > Enable Broadcast SSID > Apply

Why this answer

The primary issue is a security mismatch: the SSID is set to WPA2-PSK while clients expect WPA3, causing 'wrong password' errors. Since clients can see the SSID, broadcast is already enabled; the secondary connection failures may be due to incompatible devices, but the correct fix is to change the security to WPA3-Personal (AES). Additionally, verify that the management interface is on VLAN 10 with the correct gateway to ensure reliable WLC web UI access.

Exam trap

Candidates might mistakenly conclude the SSID broadcast is disabled and enable it unnecessarily, overlooking that the visible SSID indicates broadcast is already on, or they might ignore the management VLAN configuration.

Why the other options are wrong

B

The specific factual error: WPA2-PSK is not compatible with clients expecting WPA3-Personal, and hiding the SSID prevents clients from seeing it.

C

The specific factual error: VLAN 1 is the default and often discouraged for management; the issue is not firmware-related but configuration-based.

D

The specific factual error: WPA3-Enterprise is not appropriate without a RADIUS server, and DHCP for management can lead to unreliable access.

161
PBQhard

You are connected to WLC-1 via SSH. A new SSID 'CorpSecure' must be configured for 5 GHz clients using WPA3-Personal. However, after creation, clients can see the SSID but fail to associate. Review the WLC configuration and fix the issue so that clients can successfully associate and obtain an IP address from VLAN 100 (subnet 10.0.100.0/24).

Network Topology
G0/0192.168.1.10/24G0/110.0.0.1/30G0/210.0.100.1/24SwitchManagementWLC-1Upstream RouterClient VLAN 100

Hints

  • Check the current security settings on the WLAN; they are using WPA2, not WPA3.
  • The radio policy is not set — clients may try to connect on 2.4 GHz, but the SSID should be 5 GHz only.
  • Ensure the WLAN is enabled after changes.
A.Change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, set the radio policy to 5 GHz, and ensure the WLAN is mapped to the dynamic interface for VLAN 100.
B.Change the WLAN security to WPA2-Personal, enable TKIP encryption, and set the radio policy to 5 GHz.
C.Change the WLAN security to WPA3-Personal, enable AES-CCMP, but leave the radio policy as 'All' (both 2.4 GHz and 5 GHz).
D.Change the WLAN security to WPA3-Personal, enable AES-CCMP, set the radio policy to 5 GHz, but do not enable the WLAN after changes.
AnswerA
solution
! WLC-1
config wlan security wpa3 1 enable
config wlan security wpa3 psk 1 set ascii CorpSecurePass123
config wlan radio-policy 1 5ghz
config wlan enable 1
config wlan security wpa3 ciphers 1 aes-ccmp

Why this answer

The SSID was configured with WPA2 instead of WPA3. The WLC also had no radio policy set for 5 GHz only. To fix, change the WLAN security to WPA3-Personal, enable AES-CCMP for WPA3, and set the radio policy to 5 GHz.

Additionally, ensure the WLAN is mapped to the appropriate dynamic interface for VLAN 100, not the management interface, and that client VLAN 100 is reachable. The commands to modify the WLAN are: config wlan security wpa3 1 enable, config wlan security wpa3 psk ascii CorpSecurePass123 1, config wlan radio policy 802.11a-only 1, and config wlan enable 1.

Exam trap

Students often forget to change the radio policy from 'All' to a specific band, or they confuse WPA2 with WPA3. Also, they may overlook enabling the WLAN after configuration. Ensure you understand the specific requirements for WPA3 and the need to match the radio policy to the client band.

Why the other options are wrong

B

The specific factual error is that WPA2-Personal with TKIP does not meet the WPA3-Personal requirement; WPA3 mandates AES-CCMP.

C

The specific factual error is that the radio policy must be set to 5 GHz only, not 'All', to restrict access to 5 GHz clients.

D

The specific factual error is that the WLAN remains disabled, so clients cannot associate even if other settings are correct.

162
PBQhard

You are connected to a multilayer switch MLS1. Configure it so that IP phones connected to FastEthernet 0/1 and FastEthernet 0/2 use voice VLAN 20 and receive power via PoE. Additionally, FastEthernet 0/3 must be configured as an access port for a wireless access point (AP) on VLAN 30, with PoE enabled. Verify your configuration using 'show interfaces switchport' and 'show power inline'.

Hints

  • Voice VLAN is configured on the access port interface, not globally.
  • The command 'switchport voice vlan <vlan-id>' does not change the access VLAN; it adds a separate VLAN for voice traffic.
  • PoE is already enabled by default with 'power inline auto' — verify it is not disabled.
A.Configure 'switchport voice vlan 20' on Fa0/1 and Fa0/2; ensure PoE is enabled (auto) on all three ports.
B.Configure 'switchport mode trunk' on Fa0/1 and Fa0/2, and set the native VLAN to 20; enable PoE on Fa0/3.
C.Configure 'switchport access vlan 20' on Fa0/1 and Fa0/2, and 'switchport voice vlan 30' on Fa0/3; enable PoE globally.
D.Configure 'power inline never' on Fa0/1 and Fa0/2, and 'switchport voice vlan 20' on Fa0/3; ensure Fa0/3 is in trunk mode.
AnswerA
solution
! MLS1
interface FastEthernet0/1
switchport voice vlan 20
exit
interface FastEthernet0/2
switchport voice vlan 20
exit

Why this answer

The switch ports Fa0/1 and Fa0/2 are currently configured as access ports on VLAN 10, with no voice VLAN. To support IP phones, you must configure a voice VLAN (VLAN 20) on these interfaces. Additionally, PoE is already enabled (auto) but needs to remain active.

For Fa0/3, it is already an access port on VLAN 30, which is correct for an AP, but you must ensure PoE is enabled (it is). The missing configuration for Fa0/1 and Fa0/2 is the 'switchport voice vlan 20' command. After applying, verify using 'show interfaces switchport' to see the voice VLAN set, and 'show power inline' to confirm PoE delivery.

Exam trap

The exam trap is that candidates may think they need to change the access VLAN to the voice VLAN, or that they need to configure trunk ports for IP phones. Remember that IP phones use a special access port configuration with a separate voice VLAN. Also, PoE is enabled by default; do not disable it.

Why the other options are wrong

B

The specific factual error: IP phones connect to access ports with a voice VLAN, not trunk ports. The native VLAN concept is misapplied here.

C

The specific factual error: Changing the access VLAN to 20 would place the PC on the voice VLAN, which is wrong. The AP does not need a voice VLAN. PoE is per-interface.

D

The specific factual error: Disabling PoE on IP phone ports prevents them from powering on. The voice VLAN is applied to the wrong interfaces. Trunk mode is unnecessary for an AP.

163
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk link G0/1. R1 performs inter-VLAN routing using subinterfaces. VLANs 10, 20, and 30 exist on SW1. Hosts in VLAN 10 (192.168.10.0/24) can ping R1's subinterface, but cannot communicate with hosts in VLAN 20. You suspect the trunk is not allowing VLAN 20 traffic.

Network Topology
G0/0.10192.168.10.1G0/1trunkR1SW1

Hints

  • Check which VLANs are allowed on the trunk.
  • The 'allowed vlan' command can be used to add or remove VLANs.
  • Verify that VLAN 20 exists on the switch.
A.Configure 'switchport trunk allowed vlan add 20' on SW1's G0/1 interface.
B.Configure 'switchport mode access' on SW1's G0/1 interface.
C.Configure 'switchport trunk native vlan 20' on SW1's G0/1 interface.
D.Configure 'switchport trunk allowed vlan except 20' on SW1's G0/1 interface.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk allowed vlan add 20

Why this answer

Trunks carry traffic for multiple VLANs. The 'switchport trunk allowed vlan' command restricts which VLANs are permitted. Initially, VLAN 20 was not in the allowed list, so traffic was dropped.

Adding VLAN 20 to the allowed list resolves the issue.

Exam trap

Be careful with the syntax of 'switchport trunk allowed vlan'. The 'add' keyword is necessary to include a VLAN without removing others; omitting 'add' replaces the entire list. Also, 'except' excludes the specified VLAN, which is the opposite of what you want.

Why the other options are wrong

B

Access mode carries only a single VLAN, so it would stop inter-VLAN routing entirely.

C

The native VLAN is for untagged frames; changing it does not add VLAN 20 to the allowed list.

D

The 'except' keyword excludes the specified VLAN, so it would prevent VLAN 20 from being carried.

164
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). A router R1 is connected to port G0/1 on SW1 for inter-VLAN routing. Currently, the router is not routing between VLANs because the trunk is not configured correctly. Configure the switch port as a trunk and ensure the router can route between VLANs using subinterfaces (Router-on-a-Stick).

Network Topology
G0/0R1SW1 G0/1

Hints

  • The router expects a trunk link to carry multiple VLANs.
  • Allowed VLAN list must include only the VLANs that need routing.
  • The switch port must be in trunk mode, not access.
A.Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 10 and 20.
B.Configure the switch port as an access port in VLAN 10 and add VLAN 20 as a secondary VLAN.
C.Configure the switch port as a trunk with ISL encapsulation and allow all VLANs.
D.Configure the switch port as a trunk with 802.1Q encapsulation and allow VLANs 1, 10, and 20.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20

Why this answer

The switch port was in access mode, which only carries one VLAN. Changing it to trunk with 802.1Q encapsulation allows multiple VLANs to traverse to the router. The allowed VLAN list restricts to VLANs 10 and 20 for security.

Exam trap

The trap is that candidates may confuse trunking with access ports, use outdated encapsulation (ISL), or include unnecessary VLANs like VLAN 1. Always remember that for Router-on-a-Stick, the switch port must be a trunk with 802.1Q and only allow the required VLANs.

Why the other options are wrong

B

Access ports cannot carry multiple VLANs; they are assigned to a single VLAN. The concept of secondary VLAN does not exist for access ports.

C

ISL encapsulation is deprecated in favor of 802.1Q, which is the industry standard. Allowing all VLANs violates the principle of least privilege.

D

Including VLAN 1 is unnecessary and can be a security concern. The allowed VLAN list should be restricted to only the VLANs that need to be routed.

165
MCQhard

The SVI for VLAN 20 has `ip nat outside` and the WAN interface has `ip nat inside`. Hosts in VLAN 20 must reach the internet through PAT, but users report no external connectivity. Which configuration issue best explains the problem?

A.The ACL should deny 192.168.20.0/24 instead of permit it
B.The interfaces are marked with inside and outside in the wrong places
C.PAT cannot be used with a /30 WAN link
D.NAT overload requires a route-map instead of an ACL
AnswerB

Reversed NAT roles stop the expected translations.

Why this answer

NAT overload works only when the inside and outside interfaces are identified correctly. Here the roles are reversed, so translations are not built in the right direction.

Exam trap

A frequent exam trap is assuming that the ACL or the subnet mask is the cause of NAT failure when the real issue is reversed inside and outside interface roles. Candidates often overlook the importance of interface designation commands (ip nat inside and ip nat outside), which are crucial for NAT operation. Without correct interface roles, the router cannot translate addresses properly, causing hosts to lose external connectivity even if ACLs and routing are correct.

This trap is tempting because ACLs and subnetting are more familiar concepts, but interface roles are equally critical for NAT to function.

Why the other options are wrong

A

Option A is incorrect because the ACL used for NAT must permit the inside local subnet (192.168.20.0/24) to allow translation. Denying this subnet would block NAT translation, but the question states the ACL permits it, so this is not the cause.

C

Option C is incorrect because a /30 WAN link is commonly used in point-to-point connections and does not prevent PAT from functioning. PAT works independently of the WAN subnet size.

D

Option D is incorrect because NAT overload can be configured using a standard ACL; a route-map is optional and not required. The absence of a route-map does not cause the connectivity issue described.

166
MCQhard

After hardening SSH by disabling password authentication and restricting access to an ACL permitting only the management subnet 10.1.10.0/24, configuring RADIUS AAA authentication, enabling port security with a maximum of two MAC addresses on all access ports, and implementing DHCP snooping and DAI on VLAN 10, the administrator finds that users in VLAN 10 obtain DHCP addresses and access the network normally, but SSH from the management workstation (10.1.10.20) to the switch fails with timeouts.

A.The SSH ACL is misconfigured and denies port 22 from the management subnet.
B.The management workstation’s IP-to-MAC binding is missing from the DHCP snooping binding table, causing DAI to drop its ARP traffic.
C.Port security on the switch interface connected to the management workstation has learned two MAC addresses and shut down the port.
D.RADIUS AAA authentication is missing the shared secret on the switch, causing SSH login timeouts.
AnswerB

DAI relies on DHCP snooping bindings to validate ARP packets. The static IP of the workstation means no binding was learned, so DAI considers the ARP reply invalid and drops it, breaking L2 reachability.

Why this answer

The management workstation (10.1.10.20) is on the same VLAN 10 where DHCP snooping and DAI are enabled. DAI validates ARP packets against the DHCP snooping binding table. Since the workstation uses a static IP address, its IP-to-MAC binding is not automatically added to the DHCP snooping database.

DAI will drop the workstation's ARP replies, preventing the switch from learning its MAC address and causing SSH timeouts.

Exam trap

Cisco often tests the interaction between security features like DAI and static IP hosts, where candidates overlook that DAI requires explicit static bindings for non-DHCP clients, leading to connectivity failures that appear as timeouts rather than explicit denials.

Why the other options are wrong

A

Misunderstanding ACL processing—assumes a simple subnet permit ACL would block port 22 by default, but the ACL entry permits all traffic from the subnet, not just specific ports.

C

Assumes port security is the first cause of connectivity failure when MAC limits are configured, but the symptom does not indicate a port security violation; the port would need to go into err-disabled, which is not mentioned.

D

AAA failures manifest as authentication errors or prompts that time out after attempting RADIUS, but they typically affect all attempts, not a single source, unless combined with ACLs that permit other hosts but block this one.

167
PBQhard

You are connected to a multilayer switch MLS1. The network has two other switches: SW2 and SW3. The interface GigabitEthernet0/1 already has PortFast and BPDU Guard enabled. Configure MLS1 as the root bridge for VLAN 10 and VLAN 20 using the root primary command. After configuration, verify that the interface is not in err-disabled state and that the root bridge role is correctly assigned.

Network Topology
Gi0/1Gi0/2Gi0/3SiMLS1PCSW2SW3

Hints

  • Use spanning-tree vlan root primary to set the switch as root for specified VLANs.
  • Verify with show spanning-tree vlan <vlan> to confirm root bridge priority is 24576.
  • Check interface status with show interfaces gigabitethernet 0/1 status to ensure it is not err-disabled.
A.Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
B.Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root secondary' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
C.Configure 'spanning-tree vlan 10 priority 4096' and 'spanning-tree vlan 20 priority 4096' on MLS1. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
D.Configure 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' on MLS1. Then configure 'spanning-tree portfast default' and 'spanning-tree bpduguard default' globally. Verify with 'show spanning-tree vlan 10' and 'show interfaces gigabitEthernet0/1 status'.
AnswerA
solution
! MLS1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary

Why this answer

The interface Gi0/1 already has PortFast and BPDU Guard configured, so no additional configuration is needed for that step. Using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary' sets the priority to 24576, ensuring MLS1 becomes root for both VLANs. Verify with 'show spanning-tree vlan 10' to see the priority changed and 'show interfaces gigabitEthernet0/1 status' to confirm the port is not err-disabled.

Exam trap

Do not confuse 'root primary' with 'root secondary' or manual priority settings. The 'root primary' command automatically sets the priority to 24576, which is the recommended value. Also, avoid adding unnecessary global commands when the interface already has the required features configured.

Why the other options are wrong

B

Using 'root secondary' for VLAN 20 sets priority to 28672, leaving MLS1 as backup root, not the primary root.

C

Manually setting priority to 4096 is valid but not the recommended method; 'root primary' is simpler and ensures proper value.

D

Global portfast and bpduguard are not required because the interface is already configured with those features; this adds unnecessary commands.

168
MCQhard

A network engineer is troubleshooting a workstation that cannot access the internet. The workstation is connected to a switch port configured for access VLAN 10. The switch is a Cisco 2960-X running IOS-XE. The engineer runs 'ipconfig /all' on the workstation and sees an IPv4 address of 169.254.123.45 with a subnet mask of 255.255.0.0. The engineer then connects to the switch and issues 'show interfaces vlan 10'. What is the most likely cause of the issue?

A.The workstation is not configured to use DHCP.
B.The switch's VLAN 10 SVI is administratively down.
C.The switch port connecting the workstation is in a different VLAN.
D.The DHCP server is not configured on the network.
AnswerB

The 'administratively down' state on the SVI indicates it was manually disabled with the 'shutdown' command. This prevents the switch from routing or providing DHCP services for that VLAN, causing the workstation to get an APIPA address.

Why this answer

The workstation has an APIPA address (169.254.x.x), which indicates it failed to obtain a DHCP lease. Since the switch's VLAN 10 SVI is administratively down, the workstation cannot reach the DHCP server (which may be on a different subnet or the SVI itself), causing the DHCP request to time out and the workstation to self-assign an APIPA address. Option B is correct because an administratively down SVI breaks Layer 3 connectivity for that VLAN, preventing DHCP traffic from being routed.

Exam trap

Cisco often tests the distinction between a Layer 2 connectivity issue (like VLAN mismatch) and a Layer 3 issue (like an SVI being down), where candidates incorrectly assume a VLAN mismatch because the workstation gets an APIPA address, but the APIPA address actually points to a DHCP failure, not a VLAN mismatch.

Why the other options are wrong

A

The workstation likely has DHCP enabled, but the switch's SVI being down prevents DHCP discovery from reaching a server.

C

A VLAN mismatch would likely result in a different IP address or no connectivity, but the SVI being down is a more direct cause.

D

The absence of a DHCP server is a possible cause, but the exhibit clearly shows the SVI is administratively down, which is a more specific and immediate issue.

169
MCQhard

A network engineer is troubleshooting connectivity issues for hosts in VLAN 10. Hosts in VLAN 10 are unable to ping the default gateway at 192.168.10.1. The engineer checks the switch configuration and notices that the SVI for VLAN 10 is configured with an IP address, but the interface is in a down/down state. What is the most likely cause of this issue?

A.The interface is administratively shut down.
B.VLAN 10 does not exist in the VLAN database.
C.The IP address is not in the correct subnet for VLAN 10.
D.The switch does not have a default gateway configured.
AnswerB

The SVI for VLAN 10 is down/down because the VLAN is not created. Once VLAN 10 is created with the 'vlan 10' command in global configuration mode, the SVI will come up if there is at least one active port in that VLAN.

Why this answer

An SVI (Switch Virtual Interface) will remain in a down/down state if the corresponding VLAN does not exist in the switch's VLAN database. Even if the SVI is configured with an IP address, the interface cannot come up because there is no Layer 2 VLAN to associate with it. This is a common cause of SVI down/down issues when the VLAN has not been created or has been deleted.

Exam trap

Cisco often tests the distinction between an SVI being down due to a missing VLAN versus an administratively shutdown interface, leading candidates to mistakenly choose the administrative shutdown option when the interface status shows 'down/down' instead of 'administratively down'.

Why the other options are wrong

A

The running-config shows 'no shutdown', so this is not the cause.

C

The IP address and subnet mask are correctly configured for the VLAN.

D

The SVI status is not affected by the presence or absence of a default gateway.

170
Multi-Selectmedium

Which TWO statements are true regarding VLAN configuration, 802.1Q trunking, and the native VLAN?

Select 2 answers
A.On an 802.1Q trunk, frames in the native VLAN are always tagged with a VLAN ID.
B.The native VLAN should be changed from the default VLAN 1 to an unused VLAN for security reasons.
C.802.1Q is a Cisco proprietary trunking protocol.
D.802.1Q supports up to 4094 VLANs (VLAN IDs 1–4094).
E.The native VLAN must be the same on both ends of an 802.1Q trunk for the trunk to operate.
AnswersB, D

Changing the native VLAN away from VLAN 1 is a security best practice to prevent VLAN hopping and reduce the risk of attacks that exploit the default native VLAN.

Why this answer

Option B is correct because changing the native VLAN from the default VLAN 1 to an unused VLAN is a recommended security best practice to prevent VLAN hopping attacks. Option D is correct because 802.1Q uses a 12-bit VLAN ID field, allowing VLAN IDs from 1 to 4094 (0 and 4095 are reserved). Option A is false: on an 802.1Q trunk, frames in the native VLAN are typically sent untagged.

Option C is false: 802.1Q is an IEEE standard, not Cisco proprietary (ISL is Cisco proprietary). Option E is false: the native VLAN does not have to match on both ends; mismatched native VLANs can cause traffic to be misclassified but the trunk will still operate.

Exam trap

Cisco often tests the misconception that 802.1Q is proprietary (it is not) and that native VLAN frames are always tagged (they are untagged by default), leading candidates to incorrectly select options A or C.

Why the other options are wrong

A

The native VLAN is specifically the VLAN that does not get a tag; all other VLANs are tagged.

C

802.1Q is an open standard, whereas ISL was Cisco proprietary.

E

Mismatched native VLANs can lead to security vulnerabilities and misrouting, but the trunk itself may still come up.

171
Matchingmedium

Match each VLAN or trunk term to its most accurate purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Link carrying multiple VLANs

VLAN assigned to a normal endpoint-facing port

VLAN associated with untagged traffic on an 802.1Q trunk

Setting that limits which VLANs may traverse a trunk

Why these pairings

Trunks enable multiple VLANs on one link; VLANs logically segment networks. 802.1Q is the tagging standard; native VLAN is untagged. VTP distributes VLAN database; inter-VLAN routing uses a router or Layer 3 switch to communicate between VLANs.

Exam trap

Do not confuse the purpose of a VLAN (segmentation) with trunk tagging (802.1Q) or VLAN distribution (VTP). Also, remember that the native VLAN is not used for routing; it is for untagged traffic on a trunk.

172
MCQhard

After enabling Dynamic ARP Inspection on VLAN 20, a network engineer notices that some hosts lose connectivity. The affected hosts have correct IP addresses and MAC addresses, but they cannot ping the default gateway. All other hosts on the same VLAN work fine. Further investigation reveals that the non-functioning hosts are using static IP configurations, while the working hosts are DHCP clients. What is the most likely cause?

A.The DHCP snooping binding table is exhausted and cannot accept new bindings for the static hosts.
B.IP Source Guard is also enabled on VLAN 20 and is blocking traffic from hosts that have no DHCP snooping binding.
C.DAI is dropping ARP packets from the static hosts because they do not have a corresponding entry in the DHCP snooping binding table.
D.The switch is detecting ARP spoofing from the static hosts and has shut down their switchport interfaces for security.
AnswerC

When DAI is enabled, it checks every ARP packet on untrusted ports against the DHCP snooping binding table. Since the static hosts have no DHCP lease, no binding exists, and DAI drops their ARP packets, preventing them from learning the gateway MAC address and causing loss of connectivity.

Why this answer

Dynamic ARP Inspection (DAI) uses the DHCP snooping binding table to validate ARP packets. Hosts with statically assigned IP addresses have no DHCP binding entry, so DAI considers their ARP packets invalid and drops them, preventing these hosts from resolving MAC addresses and thus causing loss of connectivity.

Exam trap

Option B (IP Source Guard) is tempting because both features rely on the DHCP snooping binding table, but IP Source Guard filters IP data traffic, not ARP packets. The specific symptom of failed ARP resolution after enabling DAI points directly to DAI's ARP validation, not IP traffic filtering.

Why the other options are wrong

A

Candidates may think that a large number of untrusted hosts could overwhelm the binding table, but static hosts do not interact with DHCP and would not fill the table or be rejected.

B

Candidates often confuse DAI and IP Source Guard since both use DHCP snooping; however, DAI specifically validates ARP packets, which matches the symptom of connectivity loss due to ARP resolution failure.

D

Some candidates might associate ARP security features with port shutdown, but standard DAI operation does not disable ports, and the symptom does not indicate interface down events.

173
MCQhard

An administrator notices that hosts in VLAN 30 on SW1 cannot communicate with hosts in VLAN 30 on SW2, even though both switches are connected via an 802.1Q trunk. Traffic for VLANs 10 and 20 passes without issues across the same trunk. The trunk is configured to allow all VLANs, and the allowed VLAN list explicitly includes VLAN 30. What is the most likely cause of the problem?

A.The native VLAN is mismatched between SW1 and SW2, and VLAN 30 is the native VLAN on one side.
B.The trunk encapsulation is set to ISL on one switch and 802.1Q on the other.
C.Spanning Tree Protocol has placed VLAN 30 in a blocking state on the trunk link.
D.The switched virtual interface (SVI) for VLAN 30 on SW1 is administratively down.
AnswerA

A native VLAN mismatch causes one switch to send untagged frames for VLAN 30 while the other expects tagged frames, so the receiving switch cannot associate the untagged traffic with VLAN 30, leading to a communication failure only for that VLAN.

Why this answer

The most likely cause is a native VLAN mismatch. When the native VLAN is mismatched on an 802.1Q trunk, traffic for the native VLAN is not tagged, so frames from VLAN 30 on one switch are received as untagged frames on the other switch and placed into the switch's configured native VLAN. If the native VLAN on one side is VLAN 30 and on the other side is a different VLAN (e.g., VLAN 1), the hosts in VLAN 30 cannot communicate because the frames are interpreted as belonging to different VLANs.

Traffic for VLANs 10 and 20 passes because they are not the native VLAN and are properly tagged.

Exam trap

Cisco often tests the native VLAN mismatch scenario by describing a trunk that works for most VLANs but fails for one specific VLAN, leading candidates to incorrectly suspect STP blocking or SVI issues instead of recognizing the native VLAN mismatch.

Why the other options are wrong

B

This would cause a complete trunk failure, not a failure limited to a single VLAN.

C

STP would not randomly block one VLAN on a point-to-point trunk while the rest are forwarding; this is not a typical behavior.

D

Layer 2 switching within the same VLAN does not require an SVI; an SVI is only needed for routing between VLANs or management.

174
MCQhard

Exhibit: A switch interface connected to an IP phone and PC is configured as an access port in VLAN 10. The PC works, but the phone does not register. What additional configuration is most likely needed?

A.switchport trunk encapsulation dot1q
B.switchport voice vlan <voice-vlan-id>
C.channel-group 1 mode active
D.ip helper-address on the switchport
AnswerB

Correct choice.

Why this answer

An IP phone commonly requires a voice VLAN so tagged voice traffic is separated from the data VLAN used by the attached PC. Without a voice VLAN, the PC can still work on the access VLAN while the phone fails to register properly.

Exam trap

Don't confuse portfast or trunk mode with the need for a voice VLAN. Focus on the specific requirements of IP phones.

Why the other options are wrong

A

This option is incorrect because the question specifies an access port configuration, which does not require trunk encapsulation. Access ports do not use trunking protocols like dot1q, as they are meant for single VLAN traffic only.

C

This option is wrong because the channel-group command is used for configuring EtherChannel, which is not relevant to the issue of the IP phone not registering on an access port. The problem lies in the VLAN configuration for voice traffic, not in link aggregation.

D

The 'ip helper-address' command is used to forward DHCP requests from clients to a DHCP server, but it does not address the registration issue of the IP phone in this scenario, which is related to VLAN configuration.

175
PBQhard

You are connected to R1 via console. R1 is a router-on-a-stick connecting VLAN 10 and VLAN 20 on a single link to switch SW1. Currently, hosts in VLAN 10 cannot ping hosts in VLAN 20, and some VLAN 10 hosts report intermittent connectivity. Examine the provided configuration and output, then fix all issues to restore full inter-VLAN routing and stable trunk operation.

Network Topology
G0/0 trunkG0/1 trunkR1SW1

Hints

  • Check the physical interface configuration on R1 for trunking and native VLAN.
  • Examine R1's global configuration for the 'ip routing' command.
  • Compare the native VLAN on SW1 (99) with R1's subinterface encapsulation.
A.On R1, configure 'ip routing', add subinterface G0/0.99 with 'encapsulation dot1Q 99 native' and an IP address, and ensure G0/0 is not shutdown.
B.On R1, configure 'ip routing' and change the encapsulation on the VLAN 10 subinterface to 'encapsulation dot1Q 10 native'.
C.On R1, configure 'ip routing' and add an IP address to the physical interface GigabitEthernet0/0.
D.On R1, configure 'ip routing' and change the encapsulation on the VLAN 20 subinterface to 'encapsulation dot1Q 20 native'.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.99
encapsulation dot1Q 99 native
ip address 10.0.0.1 255.255.255.252
exit
ip routing

Why this answer

Three issues prevent inter-VLAN routing and cause intermittent connectivity. First, R1 lacks a subinterface configured for the native VLAN (VLAN 99) with the 'encapsulation dot1Q 99 native' command; this subinterface is needed because SW1 expects the native VLAN to be tagged on the router side for consistency. Second, the global command 'ip routing' is missing, which disables routing between VLANs.

Third, the physical interface GigabitEthernet0/0 might be administratively down; ensure 'no shutdown' is applied. Option A correctly fixes all issues: it adds the native VLAN subinterface, enables routing, and ensures the interface is up. The other options fail because they either misconfigure the native VLAN encapsulation on the wrong subinterface or apply an IP address to the physical interface (which does not support routing on a router-on-a-stick).

Exam trap

Watch for missing 'ip routing' command in router-on-a-stick scenarios; without it, inter-VLAN routing fails. Also, ensure native VLANs match on both ends of a trunk; a mismatch can cause intermittent connectivity or complete failure for the native VLAN.

Why the other options are wrong

B

The native VLAN must match on both ends; SW1 uses VLAN 99 as native, so R1 must use VLAN 99 as native, not VLAN 10.

C

Router-on-a-stick uses subinterfaces, not the physical interface IP. The physical interface only needs to be up and trunking.

D

The native VLAN must be consistent across the trunk; SW1 uses VLAN 99, so R1 must use VLAN 99 as native.

176
MCQmedium

Hosts in VLAN 10 need to communicate with hosts in VLAN 20. What is required for that communication to work?

A.A DHCP server
B.A DNS server
C.A Layer 3 routing function
D.A second access switch
AnswerC

Correct. Layer 3 routing is required.

Why this answer

Traffic between VLANs must be routed. A router or multilayer switch provides the Layer 3 function needed for inter-VLAN communication.

Exam trap

Do not confuse trunk links or access ports with routing functions; they serve different purposes in VLAN configurations.

Why the other options are wrong

A

A DHCP server is not required for communication between VLANs; it only assigns IP addresses to devices within a network. VLAN communication requires routing, which a DHCP server does not provide.

B

A DNS server is not required for VLAN communication, as DNS resolves domain names to IP addresses, which does not facilitate inter-VLAN routing. Communication between VLANs requires Layer 3 routing, not name resolution.

D

A second access switch is not required for VLAN communication; VLANs can communicate through a Layer 3 device such as a router or a Layer 3 switch. The existing switch infrastructure can handle VLANs without needing additional switches.

177
MCQhard

A multilayer switch must route traffic between VLAN 10 and VLAN 20. Which condition is required for that to happen?

A.SVIs for the VLANs plus Layer 3 routing enabled on the switch
B.All ports in both VLANs configured as trunks
C.A separate OSPF process on every access port
D.Port security disabled on every edge port
AnswerA

This is correct because inter-VLAN routing on a multilayer switch requires routed VLAN interfaces and IP routing capability.

Why this answer

Inter-VLAN routing on a multilayer switch depends on having functional Layer 3 gateway interfaces for the VLANs and routing enabled on the switch. In plain language, the switch needs a routed brain for each VLAN, usually in the form of SVIs, and it must actually be operating as a Layer 3 device rather than only as a pure Layer 2 switch. Without those conditions, traffic may switch inside a VLAN but cannot be routed between different VLANs.

This is a core CCNA design idea because people often assume creating VLANs alone automatically gives them inter-VLAN communication. In reality, VLANs create separation, and routing is what reconnects them under controlled conditions. A trunk between switches can carry VLAN traffic, but it does not itself perform Layer 3 routing between the VLANs. The correct answer is the requirement that makes the switch act as the gateway between VLANs.

Exam trap

Don't confuse trunking with routing; trunk ports carry VLAN traffic but don't route it.

Why the other options are wrong

B

This option is wrong because configuring all ports as trunks does not facilitate inter-VLAN routing; SVIs and Layer 3 routing are necessary for that functionality.

C

This option is wrong because OSPF is a routing protocol used for dynamic routing, and access ports do not participate in routing processes. Routing between VLANs requires SVIs and Layer 3 capabilities, not OSPF on access ports.

D

Port security being disabled on every edge port is not a requirement for routing traffic between VLANs; it pertains to security configurations rather than routing functionality. VLAN routing can occur regardless of port security settings.

178
PBQhard

You are connected to R1 via console. The network consists of R1, R2, and a multilayer switch MLS1. R1's GigabitEthernet0/0 connects to MLS1's GigabitEthernet1/0/1 (VLAN 10), and MLS1's GigabitEthernet1/0/2 connects to R2's GigabitEthernet0/0. The goal is to enable IPv6 communication between R1 and R2 across the layer-3 switch. Currently, R1 and R2 cannot ping each other's IPv6 addresses. Configure R1's G0/0 with the IPv6 prefix 2001:db8:1:10::/64 using EUI-64, and R2's G0/0 with static IPv6 address 2001:db8:1:10::2/64. Also ensure MLS1 has IPv6 routing enabled and an IPv6 address on VLAN 10 (2001:db8:1:10::3/64). Troubleshoot and fix any layer-2 or layer-3 issues preventing connectivity.

Network Topology
G0/0G1/0/1G1/0/1G0/0SiMLS1R1R2

Hints

  • R1's G0/0 has no IPv6 address configured.
  • The correct command uses the 'eui-64' keyword to generate the interface ID from the MAC.
  • After configuration, R1 should be able to ping the other IPv6 addresses.
A.Configure 'ipv6 address 2001:db8:1:10::/64 eui-64' on R1's G0/0 interface.
B.Enable IPv6 routing on R1 with 'ipv6 unicast-routing'.
C.Configure 'ipv6 address 2001:db8:1:10::1/64' on R1's G0/0 interface (without EUI-64).
D.Change the VLAN on MLS1's G1/0/1 to match R1's VLAN.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ipv6 address 2001:db8:1:10::1/64 eui-64
end

Why this answer

R1 has no IPv6 address configured on G0/0. The required prefix is 2001:db8:1:10::/64 using EUI-64, which generates the interface ID from the MAC address. The command 'ipv6 address 2001:db8:1:10::/64 eui-64' must be entered in interface configuration mode.

Additionally, MLS1 has IPv6 routing enabled (as seen by the connected route), but R1's interface is missing the IPv6 address. After configuration, R1 will be able to ping R2 and MLS1. No other changes are needed because R2 and MLS1 are correctly configured.

Exam trap

Do not confuse global IPv6 routing enablement with interface address configuration. The presence of a connected route indicates routing is enabled; the missing piece is the interface address. Also, pay attention to specific requirements like EUI-64.

Why the other options are wrong

B

IPv6 unicast-routing is already enabled; the problem is at the interface level.

C

The requirement specifies EUI-64; omitting it results in a static address that does not match the intended configuration.

D

The VLAN configuration is correct; no change is needed.

179
PBQhard

You are connected to switch SW1. The network uses Rapid-PVST+ and SW1 has been accidentally configured with a low spanning-tree priority, causing it to become the root bridge for VLAN 10 even though it should not be. Additionally, an edge port connected to a server is repeatedly receiving BPDUs, causing it to go into err-disabled state. Configure SW1 so that it is never the root bridge for VLAN 10, and configure the edge port so that it automatically recovers from err-disabled state after 300 seconds. Finally, verify that SW1 is not the root bridge for VLAN 10.

Network Topology
Gi0/0Gi0/0Gi0/1SW1SW2Server

Hints

  • To prevent a switch from becoming root, set its priority to a value higher than the current root's priority (e.g., 32768).
  • The errdisable recovery cause command enables automatic recovery; the interval command sets the timeout.
  • After configuration, verify with 'show spanning-tree vlan 10' that the bridge ID priority is not the lowest.
A.spanning-tree vlan 10 priority 36864; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
B.spanning-tree vlan 10 priority 4096; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
C.spanning-tree vlan 10 root secondary; errdisable recovery cause bpduguard; errdisable recovery interval 300; show spanning-tree vlan 10
D.spanning-tree vlan 10 priority 32768; errdisable recovery cause all; errdisable recovery interval 300; show spanning-tree vlan 10
AnswerA
solution
! SW1
no spanning-tree vlan 10 priority 4096
spanning-tree vlan 10 priority 32768
errdisable recovery cause bpduguard
errdisable recovery interval 300

Why this answer

The issue is that SW1 has the spanning-tree priority for VLAN 10 set to 4096, which makes it the root bridge. To prevent this, you must set the priority higher than the current root bridge's priority (e.g., 32768 or higher). Additionally, the edge port (G0/1) is in err-disabled state because it received a BPDU while PortFast was enabled (BPDU Guard triggered).

To automatically recover from err-disabled, you need to configure errdisable recovery cause bpduguard and set the interval to 300 seconds. After configuration, verify with 'show spanning-tree vlan 10' that SW1 is no longer the root and 'show errdisable recovery' to confirm the recovery settings.

Exam trap

Students often confuse the priority values: lower priority is better to become root. To prevent a switch from becoming root, set its priority higher than the current root's. Also, remember that 'root secondary' sets a low priority (28672) and does not prevent root election.

For errdisable recovery, use the specific cause (bpduguard) rather than 'all'.

Why the other options are wrong

B

The priority 4096 is too low and would still result in SW1 being the root bridge.

C

The 'root secondary' command does not prevent the switch from becoming root; it only makes it the backup root.

D

Using 'cause all' is not the best practice; the requirement is to recover from bpduguard specifically.

180
MCQhard

Refer to the exhibit. A network administrator runs the show vlan brief command on SW2. Interface GigabitEthernet0/2 is intended to be an access port in VLAN 10, but it does not appear in the output. What is the most likely cause?

A.The interface is configured with switchport mode dynamic auto and no trunk has been negotiated, causing it to be hidden.
B.The interface is administratively shut down, and down ports are excluded from the show vlan brief output.
C.The interface is configured as a trunk port and therefore does not appear under any VLAN in show vlan brief.
D.VLAN 10 is not active, so the port assigned to it is not displayed in the listing.
AnswerC

show vlan brief only displays ports that are in access mode. Trunk ports are not included because they belong to all VLANs allowed on the trunk. The output shows VLAN 10 with members Gi0/9–Gi0/11 but not Gi0/2, confirming it is not an access port.

Why this answer

The show vlan brief command lists only access ports that are statically or dynamically assigned to a VLAN. Trunk ports carry traffic for multiple VLANs and are not displayed in this table. The absence of GigabitEthernet0/2, despite VLAN 10 being active and containing other ports, indicates that the interface is likely operating as a trunk port.

Exam trap

Candidates often mistakenly believe that a shutdown interface will not appear in show vlan brief. In reality, an access port assigned to a VLAN appears in the output regardless of its administrative or operational state.

Why the other options are wrong

A

Confusion about how dynamic trunking protocol (DTP) modes interact with VLAN membership display.

B

Misconception that only operational interfaces are shown in VLAN membership tables.

D

Overlooking the explicit 'active' status and port list for VLAN 10 in the output.

181
PBQhard

You are connected to the console of R1. The network administrator reports that hosts in VLAN 10 cannot reach the server at 192.168.1.100. R1 is the default gateway for VLAN 10 via subinterface G0/0.10. The link between R1 and the switch SW1 appears to be up, but pings fail. Your task is to identify and resolve the issue.

Network Topology
G0/0.10192.168.10.1/24G0/1trunkG0/1R1SW1access port VLAN10PC1

Hints

  • Check the interface status and error counters on the link.
  • Auto-negotiation might have failed; try manually setting speed and duplex.
  • The trunk link must be operational for inter-VLAN routing.
A.Check the interface status on R1's G0/0.10 subinterface; it may be administratively down.
B.Verify that the VLAN 10 SVI on SW1 has an IP address in the correct subnet.
C.Check the duplex and speed settings on the physical interface G0/0 of R1 and the corresponding switchport on SW1; they may be mismatched.
D.Ensure that the native VLAN on the trunk between R1 and SW1 is VLAN 1.
AnswerC
solution
! R1
interface GigabitEthernet0/0
duplex full
speed 100
no shutdown

! SW1
interface GigabitEthernet0/1
duplex full
speed 100
no shutdown

Why this answer

The link between R1 and SW1 had mismatched duplex/speed settings because auto-negotiation failed, causing excessive CRC errors and packet loss. Manually setting both sides to 100/full resolves the issue.

Exam trap

Do not assume that a link showing 'up/up' means error-free communication. Always check for CRC errors and duplex mismatches when pings fail despite the interface being up. Subinterfaces depend on the physical interface; troubleshoot the physical layer first.

Why the other options are wrong

A

The specific factual error is that subinterfaces do not have an independent line protocol state; they depend on the physical interface. The problem is likely a physical layer issue like duplex mismatch.

B

The specific factual error is that the SVI is not involved in this scenario; the router's subinterface handles routing for VLAN 10. The link between R1 and SW1 is the bottleneck.

D

The specific factual error is that native VLAN mismatch causes different symptoms (e.g., CDP/STP issues) and does not cause line protocol down or CRC errors.

182
MCQhard

A network engineer is troubleshooting connectivity between two hosts in different VLANs on the same switch. Host A in VLAN 10 (10.10.10.5/24) cannot ping Host B in VLAN 20 (10.10.20.5/24). The switch is configured as a router-on-a-stick with a trunk port to an external router. The trunk port is up/up, but inter-VLAN routing fails. What is the most likely cause?

A.The trunk port is not in trunking mode; it is in dynamic desirable mode.
B.The native VLAN on the switch trunk is VLAN 1, but the router subinterface for VLAN 1 is not configured with the 'native' keyword or is missing.
C.The VLANs are not allowed on the trunk; the allowed VLAN list is missing VLAN 10 and 20.
D.The switch ports Gi0/4 and Gi0/5 are in access mode but not assigned to the correct VLANs.
AnswerC

When an allowed VLAN list on a trunk is configured and does not include VLAN 10 and VLAN 20, all tagged frames from those VLANs are dropped, causing inter-VLAN routing failure even though the trunk is up/up.

Why this answer

The most likely cause is that the allowed VLAN list on the trunk is missing VLAN 10 and 20. Even though the trunk port is up/up, if the switch's allowed VLAN list has been restricted (for example, using the switchport trunk allowed vlan command) and does not include those VLANs, all frames tagged with VLAN 10 or 20 will be discarded at the trunk. This directly prevents inter-VLAN routing despite the trunk being operational, whereas a native VLAN mismatch only affects untagged traffic and would not impact the tagged frames between the two hosts.

Exam trap

A common trap is assuming an up/up trunk automatically passes traffic for all VLANs, overlooking that the allowed VLAN list can be manually pruned and must include every VLAN that needs to traverse the trunk.

Why the other options are wrong

A

Dynamic desirable mode can still form a trunk if the other side is willing; the trunk is already up/up, so the port mode is not the issue.

B

A native VLAN mismatch or missing native subinterface only affects untagged frames; the hosts in VLAN 10 and VLAN 20 send tagged traffic, so this would not break their routing.

D

The hosts' access port configurations would prevent intra-VLAN communication if misassigned, but the question describes an inter-VLAN routing failure through the trunk, not a problem with the access ports themselves.

183
MCQhard

A DHCP client on VLAN 30 is not receiving an IP address from a DHCP server (10.99.99.20) on another subnet. The SVI for VLAN 30 is configured with an IP address and is up, but the DHCP relay command is missing. Which command should be added to the SVI configuration?

A.ip directed-broadcast
B.ip helper-address 10.99.99.20
C.service dhcp-server 10.99.99.20
D.default-router 10.99.99.20
AnswerB

The helper address forwards DHCP broadcasts as unicast to the server.

Why this answer

DHCP Discover messages are broadcasts and do not cross routers by default. On an SVI or routed interface facing the clients, an ip helper-address relays those broadcasts to the DHCP server on another subnet.

Exam trap

A frequent exam trap is selecting ip directed-broadcast or default-router as the solution for DHCP relay issues. ip directed-broadcast only enables forwarding of directed broadcasts but does not relay DHCP requests to servers on other subnets. default-router is a DHCP pool parameter that assigns a gateway to clients but does not affect how DHCP broadcasts are forwarded. Another trap is assuming service dhcp-server is an interface command for relay, which it is not. These distractors test your understanding of DHCP relay mechanisms and Cisco IOS command usage.

Why the other options are wrong

A

The ip directed-broadcast command enables forwarding of directed broadcasts but does not relay DHCP requests. It is unrelated to DHCP relay and will not solve the problem of clients not receiving addresses from a remote DHCP server.

C

service dhcp-server is not a valid Cisco IOS interface command for DHCP relay. It does not configure the router to forward DHCP broadcasts and thus will not resolve the issue.

D

default-router is a DHCP pool parameter used to assign the default gateway IP address to clients. It does not configure the interface to relay DHCP broadcasts and is not relevant to the relay configuration.

184
MCQmedium

On an 802.1Q trunk, which VLAN is sent untagged by default on many Cisco switches unless changed?

A.VLAN 10
B.VLAN 20
C.VLAN 1
D.The highest configured VLAN
AnswerC

Correct. VLAN 1 is the default native VLAN on many platforms.

Why this answer

On many Cisco platforms, VLAN 1 is the default native VLAN. Native VLAN traffic is sent untagged unless the native VLAN is changed.

Exam trap

Be cautious not to confuse commonly used VLANs in practice with the default native VLAN set by Cisco.

Why the other options are wrong

A

VLAN 10 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically used for this purpose unless configured otherwise. Therefore, selecting VLAN 10 would be incorrect in the context of the question.

B

VLAN 20 is not the default untagged VLAN on Cisco switches; instead, VLAN 1 is typically sent untagged on 802.1Q trunks unless configured otherwise. Therefore, selecting VLAN 20 does not align with the standard behavior of Cisco switch configurations.

D

This option is incorrect because the default untagged VLAN on many Cisco switches is VLAN 1, not the highest configured VLAN. The highest configured VLAN can vary based on the network setup and does not have a default status in this context.

185
MCQhard

A multilayer switch has working SVIs for VLAN 10 and VLAN 20, but traffic between the VLANs fails. Hosts can ping their own gateway interfaces. Which misconfiguration is most strongly suggested if the SVIs themselves are correct?

A.IP routing is not enabled on the multilayer switch.
B.Both VLANs need to use the same IP subnet.
C.All access ports must be converted into trunks.
D.The wireless controller must provide the default gateway.
AnswerA

This is correct because the switch needs Layer 3 forwarding enabled to route between VLAN interfaces.

Why this answer

The correct answer is A: IP routing is not enabled. The switch can ping SVIs locally because they are directly connected, but without `ip routing`, it cannot forward packets between VLANs. Option B is wrong because different VLANs require different subnets for routing.

Option C is wrong because access ports do not need to be trunks; SVIs handle routing at Layer 3. Option D is wrong because the wireless controller does not provide the default gateway for wired VLAN routing; the SVI does.

Exam trap

Remember that SVIs alone do not enable inter-VLAN routing; IP routing must be explicitly enabled on the switch.

Why the other options are wrong

B

Different VLANs must use different IP subnets for routing; using the same subnet would break Layer 3 separation.

C

Access ports remain as access ports; inter-VLAN routing requires SVIs with routing enabled, not trunk conversion of access ports.

D

The default gateway for each VLAN is the SVI IP address; a wireless controller is irrelevant to Layer 3 forwarding between wired VLANs.

186
PBQhard

You are connected to R1 via the console. The routers R1 and R2 are directly connected using their GigabitEthernet0/0 interfaces, which are in VLAN 100 and use subnet 192.168.1.0/24. Both routers are currently showing as active for HSRP group 10. Configure HSRP on R1's GigabitEthernet0/0 to become the active router (priority 150, preempt enabled, virtual IP 192.168.1.254). Ensure that if R1's GigabitEthernet0/1 WAN interface goes down, its HSRP priority decrements by 30 so that R2 can take over. Also, correct any existing misconfiguration in the HSRP setup.

Hints

  • Check if preempt is actually enabled by looking for the 'P' flag in show standby brief.
  • Both routers being active often indicates a duplicate virtual IP or missing preempt.
  • Use 'standby 10 preempt' to enable preemption, and 'standby 10 priority 150' to set priority.
A.Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, ensure preempt is enabled on R1 (currently missing) and correct any duplicate virtual IP.
B.Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. No other changes needed because preempt is already enabled.
C.Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, change the virtual IP to 192.168.1.1 because the current one is wrong.
D.Configure: interface GigabitEthernet0/0, standby 10 ip 192.168.1.254, standby 10 priority 150, standby 10 preempt, standby 10 track GigabitEthernet0/1 decrement 30. Also, remove the standby 10 track command from R2 to prevent conflicts.
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 10 priority 150
standby 10 preempt
standby 10 track GigabitEthernet0/1 decrement 30
end

Why this answer

Both routers showing as active means either R2 has an equal or higher priority or preempt is missing, preventing a single active election. To fix this, on R1's GigabitEthernet0/0 interface, set standby priority 150 with preempt enabled. Add tracking of GigabitEthernet0/1 with decrement 30 so the priority drops to 120 if the WAN link fails, allowing R2 to become active.

The existing misconfiguration is that preempt is either absent or disabled, causing a split-brain scenario; this solution makes R1 the active router and provides correct failover.

Exam trap

Always verify HSRP preempt with 'show standby' to see the 'P' flag; configuration alone does not guarantee it is active. Also, remember that both routers showing as active is a symptom of missing preempt or duplicate virtual IP, not necessarily a tracking issue.

Why the other options are wrong

B

Preempt is not already enabled—otherwise both routers would not show as active. Failing to enable preempt leaves the split‑brain condition unresolved.

C

The virtual IP 192.168.1.254 is correctly assigned to the HSRP group; changing it would replace the default gateway for all hosts, breaking connectivity.

D

Removing tracking from R2 is irrelevant; the problem is R1's missing preempt and low priority, not R2's configuration. Both routers showing active is not caused by tracking on R2.

187
MCQhard

Two switches are connected by a trunk. VLAN 50 exists on both switches, but traffic still fails across the link. The allowed VLAN list is correct. Which additional item should be checked next?

A.Check for a trunk mismatch such as native VLAN inconsistency or other trunk-parameter problems.
B.Reset OSPF process IDs on both switches.
C.Add ip helper-address under every access interface.
D.Disable the MAC address table.
AnswerA

This is correct because VLAN permission alone does not guarantee the trunk is healthy end to end.

Why this answer

After confirming that the VLAN exists on both switches and is allowed on the trunk, another important item to verify is whether the trunk itself is actually operational with the expected encapsulation and whether there is a native VLAN or other trunk inconsistency. In plain language, just because the VLAN is listed does not guarantee the trunk is healthy in every relevant way. Trunking problems can still occur because of broader configuration mismatches.

This question is about disciplined troubleshooting. Once the obvious allowed-list issue is ruled out, the next step is to keep checking other trunk-related characteristics rather than jumping immediately to unrelated routing or service features. The correct answer is the one that stays grounded in trunk-specific verification.

Exam trap

Don't jump to unrelated issues like spanning tree or IP configuration when the problem is clearly trunk-related.

Why the other options are wrong

B

Resetting OSPF process IDs does not address VLAN traffic issues over a trunk link, as OSPF is a routing protocol and unrelated to Layer 2 VLAN configurations.

C

Adding an ip helper-address is irrelevant to VLAN traffic issues across a trunk link, as this command is used for forwarding DHCP requests, not for resolving VLAN connectivity problems.

D

Disabling the MAC address table would not resolve VLAN traffic issues across a trunk link, as it pertains to Layer 2 forwarding and would disrupt normal switch operations, leading to further connectivity problems.

188
MCQhard

A network administrator is troubleshooting an issue where hosts on VLAN 10 cannot ping the default gateway at 192.168.10.1. The router (R1) has an SVI for VLAN 10 with IP 192.168.10.1/24. The administrator captures traffic on the router's G0/0/0 interface (trunk to the switch) and reviews the embedded packet capture output. What is the root cause of the problem?

A.The router's SVI for VLAN 10 is administratively down.
B.The switch port connecting the host is configured in the wrong VLAN (e.g., VLAN 20 instead of VLAN 10).
C.An inbound ACL on the router's SVI is blocking ICMP echo requests from the host.
D.The router has ICMP redirects enabled, causing it to ignore the pings.
AnswerB

The router is sending ARP requests, but the host never receives them because the switch port is in a different VLAN. This prevents the router from learning the host's MAC address, causing the ping to fail.

Why this answer

The captured traffic on the trunk shows that the router is not receiving any frames tagged with VLAN 10 from the host. If the switch port connecting the host is configured in VLAN 20 instead of VLAN 10, the host's frames will be tagged with VLAN 20 (or remain untagged in the access VLAN 20) and will not reach the router's SVI for VLAN 10, causing the ping to fail. This is the most direct cause given the symptom that the host cannot ping the default gateway.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, and the trap here is that candidates assume the problem is on the router (e.g., ACL or interface state) when the packet capture reveals that the traffic never reaches the router's SVI due to a VLAN mismatch on the switch access port.

Why the other options are wrong

A

The SVI is operational, so this cannot be the root cause.

C

The router receives the ICMP requests, so an inbound ACL would have dropped them before they reached the capture buffer.

D

ICMP redirects do not prevent the router from responding to pings; they only send redirect messages when appropriate.

189
PBQhard

You are connected to Multilayer Switch SW1. Configure LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Ensure the channel is formed and active. The current configuration has mismatched VLAN assignments and speed/duplex settings preventing the channel from coming up. Verify the channel state using 'show etherchannel summary'.

Network Topology
Gi0/1Gi0/1LACP EtherChannelSW1SW2

Hints

  • Check that both physical ports have identical speed and duplex settings.
  • Ensure the allowed VLAN list on each member port matches the Port-channel interface.
  • Use 'show etherchannel summary' to see if ports are in a suspended (D) or bundled (P) state.
A.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20,30.
B.Configure both Gi0/1 and Gi0/2 with speed 100, duplex half, and switchport trunk allowed vlan 30.
C.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport trunk allowed vlan 10,20.
D.Configure both Gi0/1 and Gi0/2 with speed 1000, duplex full, and switchport mode access.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk allowed vlan 10,20,30
exit
interface GigabitEthernet0/2
speed 1000
duplex full
switchport trunk allowed vlan 10,20,30
exit

Why this answer

The EtherChannel is down because the two member ports on SW1 have inconsistent configurations. GigabitEthernet0/1 is set to speed 1000 and duplex full with allowed VLANs 10,20, while GigabitEthernet0/2 is set to speed 100 and duplex half with allowed VLAN 30. LACP requires all member ports to have identical speed, duplex, and VLAN allowed lists.

To fix, on SW1 configure both Gi0/1 and Gi0/2 with the same speed (1000), duplex (full), and trunk allowed VLANs (10,20,30). The Port-channel interface already has the correct allowed VLANs. After correction, 'show etherchannel summary' should show both ports as bundled (P).

Exam trap

The exam trap is that candidates often focus only on speed/duplex mismatches and forget that VLAN allowed lists must also match. Additionally, they may assume that the Port-channel interface inherits settings from member ports, but in fact, the member ports must match the Port-channel configuration.

Why the other options are wrong

B

The specific factual error is that LACP requires all member ports to have identical configurations, and this option does not align with the existing Port-channel configuration.

C

The specific factual error is that the VLAN allowed list must match across all member ports and the Port-channel interface; omitting VLAN 30 will cause inconsistency.

D

The specific factual error is that LACP requires consistent switchport mode (access or trunk) across all member ports and the Port-channel interface.

190
PBQhard

You are connected to switch SW1. Configure Rapid-PVST+ so that SW1 becomes the root bridge for VLAN 10 and VLAN 20. On interface GigabitEthernet0/2, enable PortFast and BPDUGuard. Then, a BPDU is received on that port, causing err-disable. Diagnose the issue and recover the interface without rebooting the switch.

Hints

  • Use 'spanning-tree vlan <vlan> root primary' to set priority to 24576 or 24596.
  • BPDUGuard will err-disable the port if a BPDU is received; use 'errdisable recovery cause bpduguard' to auto-recover.
  • After recovery, the port may need a manual shutdown/no shutdown to clear the err-disable state.
A.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'errdisable recovery cause bpduguard' to enable automatic recovery, or manually do 'shutdown' followed by 'no shutdown' on the interface.
B.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'clear spanning-tree detected-protocols' on the interface.
C.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'no spanning-tree bpduguard enable' on the interface, then re-enable it.
D.Configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. On Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard shuts down the port when a BPDU is received. To recover, use 'reload' on the switch to reset all interfaces.
AnswerA
solution
! SW1
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root primary
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
errdisable recovery cause bpduguard
interface GigabitEthernet0/2
shutdown
no shutdown

Why this answer

First, configure SW1 as root for VLAN 10 and 20 using 'spanning-tree vlan 10 root primary' and 'spanning-tree vlan 20 root primary'. Then, on interface Gi0/2, enable PortFast with 'spanning-tree portfast' and BPDUGuard with 'spanning-tree bpduguard enable'. The err-disable state occurs because BPDUGuard defaults to shutting down a port when a BPDU is received.

To recover, use 'errdisable recovery cause bpduguard' to allow automatic recovery or 'shutdown' followed by 'no shutdown' on the interface. The blocking port is Gi0/2 in VLAN 20 because the current root has a higher priority than SW1's configured priority, but since SW1 becomes root, all ports are designated.

Exam trap

The exam trap is that candidates may confuse the recovery method for BPDUGuard err-disable with other STP commands. Remember: BPDUGuard err-disables the port; to recover, use 'errdisable recovery cause bpduguard' or manual shutdown/no shutdown. Do not use 'clear spanning-tree detected-protocols' or remove BPDUGuard alone.

Why the other options are wrong

B

The specific factual error is that 'clear spanning-tree detected-protocols' does not recover err-disabled ports; it only re-initiates STP negotiations.

C

The specific factual error is that disabling BPDUGuard does not automatically bring the port back up; the err-disable state must be cleared separately.

D

The specific factual error is that reloading is overkill and not the recommended recovery method; it disrupts all traffic unnecessarily.

191
MCQhard

A network administrator has configured a Cisco switch as a DHCP server for the 192.168.1.0/24 subnet. Hosts in VLAN 10 are unable to obtain IP addresses via DHCP. The switch's SVI for VLAN 10 is up/up. What is the most likely cause of the problem?

A.The VLAN 10 SVI is not configured with an IP address in the 192.168.1.0/24 subnet.
B.The DHCP server is including the network and broadcast addresses in the pool, causing conflicts. Use the 'ip dhcp excluded-address' command to exclude them.
C.DHCP snooping is blocking DHCP messages on the switch port connected to the hosts.
D.The DHCP pool is not bound to VLAN 10. Use the 'vlan' command under the pool configuration.
AnswerB

The conflict detection shows that addresses 192.168.1.1 (network) and 192.168.1.254 (broadcast) are in conflict. These should be excluded to prevent the DHCP server from leasing them.

Why this answer

Option B is correct. The most likely cause is that the DHCP server pool includes the network (192.168.1.0) and broadcast (192.168.1.255) addresses, which are reserved and cannot be leased. When a host requests an IP, the server may attempt to assign one of these addresses, causing a conflict and preventing successful DHCP lease completion.

Using the 'ip dhcp excluded-address' command to exclude these addresses from the pool resolves the issue. Option A is not the best answer because the SVI for VLAN 10 is up/up and must already have an IP address in the 192.168.1.0/24 subnet for the DHCP server to offer addresses to that subnet; if it were missing, DHCP would fail completely, but the symptom would likely be no offers at all, not address conflicts. The problem described is consistent with the pool including reserved addresses, which is a common misconfiguration.

Exam trap

Learners often overlook that the DHCP pool's range must exclude network and broadcast addresses; they may incorrectly suspect DHCP snooping, an SVI misconfiguration, or a missing VLAN binding instead.

Why the other options are wrong

A

The SVI must have an IP address for routing, but the DHCP server can serve addresses from any pool regardless of the SVI's subnet. The issue is with the pool itself.

C

If DHCP snooping were blocking messages, the 'Malformed messages' counter might increase, but the server would still receive some messages. The zero count indicates no messages are reaching the server.

D

There is no 'vlan' command under a DHCP pool. The pool serves all hosts in the subnet regardless of VLAN association.

192
MCQmedium

A network administrator needs to configure VLANs and access ports on 200 managed switches across multiple locations. The administrator requires a solution that uses a push‑based deployment model, does not require any agent software to be installed on the switches, and can be executed from a central control node. Which automation tool is most suitable for this task?

A.Puppet
B.Chef
C.Ansible
D.Python scripts
AnswerC

Ansible operates in a push mode over SSH, requiring no agents on managed devices.

Why this answer

Ansible is the most suitable tool because it uses a push-based model (SSH) to apply configurations directly to network devices without requiring any agent software. It operates from a central control node, making it ideal for managing 200 switches across multiple locations with a single playbook execution.

Exam trap

Cisco often tests the distinction between push-based (Ansible) and pull-based (Puppet, Chef) models, and the trap here is assuming that any scripting language like Python is a complete automation tool rather than a component that requires additional orchestration.

Why the other options are wrong

A

Requires agents and is pull‑based, failing both the agentless and push requirements.

B

Agents are mandatory, and the pull mechanism contradicts the push requirement.

D

Lacks built‑in push‑based orchestration, idempotency, and agentless design without significant custom development, making it less suitable than a purpose‑built tool.

193
PBQhard

You are connected to R1. The network consists of R1, SW1, and two VLANs (10 and 20). SW1 has hosts in VLAN 10 and VLAN 20 connected to its access ports. Configure R1 for router-on-a-stick inter-VLAN routing using subinterfaces on G0/0. The physical interface G0/0 is administratively up (no shutdown). The current configuration is incomplete and has errors preventing communication between the VLANs. Fix the configuration so that hosts in VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24) can ping each other through R1.

Hints

  • Check the global configuration for the 'ip routing' command.
  • Verify that the subinterfaces have correct encapsulation and IP addresses.
  • Ensure the trunk between R1 and SW1 allows VLANs 10 and 20, and native VLAN matches.
A.Enable IP routing with the 'ip routing' global configuration command.
B.Change the encapsulation on subinterface G0/0.10 to dot1Q 20 and on G0/0.20 to dot1Q 10.
C.Add the 'no shutdown' command on the physical interface G0/0.
D.Configure the native VLAN on the trunk to match the subinterface for VLAN 1.
AnswerA
solution
! R1
configure terminal
ip routing
end

Why this answer

The primary fault is that IP routing is disabled globally on R1 (missing 'ip routing' command), so even though subinterfaces are correctly configured, the router cannot route between VLANs. The physical interface G0/0 is already administratively up, so issuing 'no shutdown' would not fix the problem. Thus, enabling 'ip routing' resolves the inter-VLAN communication issue.

The other options either incorrectly swap encapsulation or address a native VLAN scenario not indicated in the exhibit.

Exam trap

Do not assume that configuring subinterfaces and IP addresses is sufficient for inter-VLAN routing. The 'ip routing' command is required to enable the router's forwarding capability. Many candidates forget this global command and waste time troubleshooting other aspects.

Why the other options are wrong

B

Swapping the encapsulation would map VLAN 10 to the wrong VLAN ID, breaking connectivity.

C

The physical interface is already up; adding 'no shutdown' is redundant and does not resolve the missing routing capability.

D

The native VLAN on the trunk is not the cause of the problem, and the subinterface for VLAN 1 is not required for inter-VLAN routing.

194
MCQhard

A switch has a root port and an alternate port for the same VLAN. Which statement best explains the operational role of the alternate port?

A.It is a backup path toward the root bridge and normally does not forward while the active root path is healthy.
B.It always forwards traffic at the same time as the root port for load balancing.
C.It is the port that elects the root bridge for the VLAN.
D.It is a special routed port used for inter-VLAN communication.
AnswerA

This is correct because an alternate port is a standby path in STP.

Why this answer

The alternate port acts as a backup path toward the root bridge and stays in a non-forwarding state under normal conditions. In practical terms, STP keeps it ready in case the active path fails, but it does not allow it to forward frames while the primary root path is healthy. That is how STP preserves redundancy without creating loops.

This question is useful because many learners understand root ports and designated ports but do not clearly understand what the alternate role represents.

Exam trap

Don't confuse STP's redundancy roles with load balancing or congestion management. Remember, alternate ports are for backup, not active traffic routing.

Why the other options are wrong

B

Option B is incorrect because an alternate port does not forward traffic while the root port is active; it serves as a backup path and only becomes active if the root port fails.

C

This option is wrong because the alternate port does not participate in the election process for the root bridge; it only serves as a backup path to the root bridge once it is established.

D

Option D is incorrect because an alternate port is not a routed port; it operates at Layer 2 and is part of the Spanning Tree Protocol, which does not involve routing functionalities for inter-VLAN communication.

195
Drag & Dropmedium

You need to configure a new switch. According to Cisco’s recommended workflow, you should assign access ports to their VLANs before configuring trunk links to ensure that end devices are functional before inter-switch connectivity is tested. Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunking with a native VLAN, and verify the configuration on a Cisco switch running IOS-XE.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct order is to first create VLANs so they exist, then assign access ports to those VLANs to make end devices operational, then configure the trunk link with a native VLAN to connect to another switch, and finally verify with show commands. This sequence follows Cisco best practices by getting access ports functional before establishing trunking. Option C is incorrect because configuring the trunk before assigning access ports could leave end devices in the wrong VLAN while the trunk is already active, potentially causing unexpected broadcast domain behavior.

Options B and D are wrong because they attempt to assign ports or configure a trunk before the VLANs are created, which would fail.

Exam trap

The exam trap is that candidates may try to assign ports to VLANs before creating them, or configure trunk native VLAN before the VLAN exists. Always create VLANs first, then assign ports, then configure trunking.

196
MCQhard

A trunk between two switches is up, but users in VLAN 40 cannot communicate across it. The output shows both sides allow VLAN 40. What is another likely trunk-related cause to check next?

A.Native VLAN mismatch between the two trunk ends
B.Missing router ID in OSPF
C.Incorrect NTP source interface
D.Lack of PAT overload on the WAN router
AnswerA

This is correct because a native VLAN mismatch is a common trunk-related issue worth checking after allowed VLANs have been verified.

Why this answer

If VLAN 40 is allowed on both ends and the trunk is up, a native VLAN mismatch is still worth checking because trunk problems are not limited to the allowed VLAN list. In plain language, the link may be carrying traffic, but if the two switches disagree on how untagged traffic should be treated, behavior can still become unpredictable. Native VLAN mismatches are a well-known source of warnings and unexpected traffic handling on 802.1Q trunks.

That does not mean every VLAN problem is caused by the native VLAN, but once the obvious allowed-list issue has been ruled out, it becomes a logical next trunk-specific item to verify.

Exam trap

Don't assume that allowed VLANs are the only trunk-related issue; native VLAN mismatches can also disrupt communication.

Why the other options are wrong

B

This option is wrong because the question specifically addresses VLAN communication issues over a trunk link, which are unrelated to OSPF router ID configuration. OSPF router ID affects routing protocols, not VLAN traffic directly.

C

NTP source interface is unrelated to VLAN communication issues over a trunk link; it primarily affects time synchronization across devices. Since the question focuses on VLAN connectivity, this option does not address the core problem.

D

Lack of PAT overload on the WAN router is unrelated to VLAN communication issues between switches. This option pertains to address translation for outbound traffic, not VLAN trunking problems.

197
MCQhard

Exhibit: Users on SW2 in VLAN 30 can reach local devices but not hosts in VLAN 30 on SW1. What is the most likely reason?

A.The trunk native VLAN is 1 on both sides
B.VLAN 30 is not allowed on the trunk
C.SW2 must run VTP server mode
D.Spanning tree blocks all user VLANs by default
AnswerB

Correct choice.

Why this answer

The trunk is allowing only VLANs 10 and 20. Even though both switches have VLAN 30 defined locally, VLAN 30 traffic cannot cross the trunk unless that VLAN is allowed on the link. Option A is incorrect because the native VLAN (default 1) does not affect tagged VLAN 30 traffic, and native VLAN mismatch causes different issues.

Option C is incorrect because VTP is used for VLAN database synchronization, not for forwarding traffic over a trunk; switches do not need to be VTP servers to pass VLAN traffic. Option D is incorrect because spanning tree only blocks redundant paths to prevent loops, not all user VLANs by default.

Exam trap

Ensure you verify trunk configurations when VLAN traffic is not passing between switches, even if VLANs are correctly configured locally.

Why the other options are wrong

A

This option is incorrect because the native VLAN being set to 1 does not prevent VLAN 30 traffic from being transmitted across the trunk link. The issue lies in VLAN 30 not being allowed on the trunk, which is not addressed by the native VLAN setting.

C

This option is incorrect because VTP server mode is not required for VLANs to communicate across switches; VLAN configuration can be done independently on each switch. The issue in the question is related to trunking and VLAN allowance, not VTP mode.

D

Spanning Tree Protocol (STP) does not block all user VLANs by default; it only blocks specific ports to prevent loops. In this case, the issue is related to VLAN 30 not being allowed on the trunk, not STP blocking the VLAN.

198
Drag & Dropmedium

Arrange the following steps in a valid configuration order. Note: VLANs must be created first, verification last. The access-port assignment and trunk configuration (steps B and C) can be performed in any order after VLAN creation.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The only mandatory ordering is to create VLANs first (step A) and verify last (step D). Steps B (assign access ports) and C (configure trunking with native VLAN) have no technical dependency on each other—both require VLANs to exist, but either can be done before the other. The explanation must not imply a fixed B→C sequence, as it is arbitrary and could mislead candidates.

Exam trap

Candidates often confuse the order of VLAN creation and port assignment. Remember: VLANs must exist before they can be assigned to any port. Also, verification is always the last step.

199
Multi-Selectmedium

Which four of the following correctly describe characteristics or best practices for VLAN trunking and Layer 2 switch configuration? (Choose four.)

Select 4 answers
.802.1Q trunking uses a native VLAN that carries untagged traffic; both ends of the trunk must agree on the native VLAN.
.Dynamic Trunking Protocol (DTP) can be used to negotiate trunking between Cisco switches if both ports are set to dynamic desirable or trunk mode.
.VLAN 1 is the default native VLAN on Cisco switches and is considered a best practice to use for all user traffic to simplify management.
.A switchport configured as an access port can belong to multiple VLANs simultaneously if using VLAN pruning.
.VLAN Trunking Protocol (VTP) in transparent mode allows a switch to forward VTP advertisements but does not synchronize its VLAN database.
.When connecting two switches, it is recommended to manually set the trunk mode to avoid DTP negotiation errors and security risks.

Why this answer

802.1Q trunking defines a native VLAN that carries untagged traffic; both ends must agree on the native VLAN to prevent misdirection and security issues. DTP can negotiate trunking between Cisco switches when ports are set to dynamic desirable or trunk mode, allowing automatic trunk establishment. VTP in transparent mode forwards VTP advertisements to other switches but does not synchronize its VLAN database, making it safe for maintaining local VLAN control.

Manually setting trunk mode is a best practice to avoid DTP negotiation errors and security risks, as DTP can be exploited. Option 3 is incorrect because using VLAN 1 for user traffic is a security vulnerability; it is recommended to change the native VLAN and prune VLAN 1. Option 4 is incorrect because an access port belongs to only one VLAN; VLAN pruning is used on trunk links to restrict VLAN traffic, not to allow an access port to carry multiple VLANs.

Exam trap

Cisco often tests the misconception that VLAN 1 is a best practice for user traffic, when in fact it is a well-known security vulnerability and should be changed or pruned.

200
PBQhard

You are connected to SW1. Configure an LACP EtherChannel between SW1 and SW2 using ports GigabitEthernet0/1 and GigabitEthernet0/2. Set the channel-group mode to active on both sides. The port-channel interface should be configured as a trunk allowing VLANs 10, 20, and 30. Initially, the EtherChannel fails to form due to mismatched speed/duplex on one link. Identify and correct the issue, then verify the channel is up and operational.

Network Topology
Gi0/1-Gi0/2Gi0/1-Gi0/2EtherChannelSW1SW2

Hints

  • Check the speed and duplex settings on each member interface.
  • LACP requires all ports in the channel to have identical speed and duplex.
  • Use 'show interfaces status' to quickly see speed/duplex mismatches.
A.Change speed and duplex on Gi0/2 to 1000 and full, then verify with 'show etherchannel summary'.
B.Change the channel-group mode on Gi0/2 to passive, then verify with 'show etherchannel summary'.
C.Change the allowed VLANs on the port-channel to include only VLAN 1, then verify with 'show etherchannel summary'.
D.Change the port-channel interface to access mode, then verify with 'show etherchannel summary'.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
speed 1000
duplex full

Why this answer

The EtherChannel fails because GigabitEthernet0/2 has speed 100 and duplex half, while GigabitEthernet0/1 has speed 1000 and duplex full. LACP requires all member ports to have identical speed and duplex settings. To resolve, change the speed and duplex on Gi0/2 to match Gi0/1: 'speed 1000' and 'duplex full'.

After correction, the channel will bundle. Verify with 'show etherchannel summary' to see both ports in the 'P' (bundled) state.

Exam trap

Do not confuse Layer 1 issues (speed/duplex) with Layer 2 configuration (VLANs, trunking) or LACP mode settings. Always check physical parameters first when an EtherChannel fails to form.

Why the other options are wrong

B

The specific factual error is that LACP modes must be compatible (active-active or active-passive), but the question states both sides are active, so mode is not the issue.

C

The specific factual error is that VLAN settings are irrelevant to the physical bundling of ports in an EtherChannel.

D

The specific factual error is that interface mode is a Layer 2 property unrelated to the physical bundling process.

201
PBQhard

You are connected to R1. Configure DHCP server on R1 to assign addresses from 192.168.50.0/24 to hosts on VLAN 50, excluding 192.168.50.1-192.168.50.20, with default-router 192.168.50.1 and DNS server 8.8.8.8. On switch SW1, configure DHCP snooping globally and on VLAN 50, and enable trusted ports on the uplink to R1. Then, a host on VLAN 50 reports it received an incorrect IP address; troubleshoot and fix the issue: the wrong helper-address is configured on SW1, the excluded range is too large, and a rogue DHCP server is present on port Fa0/5.

Hints

  • Check the DHCP snooping configuration first — is it enabled and on the correct VLAN?
  • Look at the helper-address: the DHCP server is on the SVI, not on the point-to-point link.
  • The excluded range on R1 is too large; it should only exclude the first 20 addresses.
A.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, correct the excluded range on R1 to 192.168.50.1-192.168.50.20, and change the helper-address on SW1's G0/1 to 192.168.50.1.
B.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 10.0.0.1.
C.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and correct the excluded range on R1 to 192.168.50.1-192.168.50.20.
D.Enable DHCP snooping globally and on VLAN 50, trust the uplink port to R1, and change the helper-address on SW1's G0/1 to 192.168.50.1.
AnswerA
solution
! R1
configure terminal
no ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp excluded-address 192.168.50.1 192.168.50.20
end
write memory

! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 50
interface GigabitEthernet0/1
ip dhcp snooping trust
no ip helper-address 10.0.0.1
ip helper-address 192.168.50.1
interface FastEthernet0/5
shutdown
end
write memory

Why this answer

The host received a wrong IP because a rogue DHCP server on Fa0/5 was responding. First, enable DHCP snooping globally with 'ip dhcp snooping' and on VLAN 50 with 'ip dhcp snooping vlan 50'. Then, trust the uplink port to R1 (G0/1) with 'ip dhcp snooping trust'.

Next, fix the excluded range on R1: change it to exclude only the first 20 addresses (192.168.50.1-192.168.50.20) so that hosts can obtain other addresses. Finally, correct the helper-address on SW1's G0/1: change 'ip helper-address 10.0.0.1' to 'ip helper-address 192.168.50.1' because the DHCP server is on the VLAN 50 SVI, not on the point-to-point link.

Exam trap

This question tests your ability to troubleshoot a multi-faceted DHCP issue. Common traps include: (1) forgetting that DHCP snooping must be enabled both globally and per VLAN, (2) assuming the helper-address should be the router's link IP instead of the server's SVI IP, (3) overlooking the excluded range configuration, and (4) thinking that only one of the issues needs to be fixed. Always verify all components: snooping, trust, helper-address, and pool configuration.

Why the other options are wrong

B

The helper-address must be the IP of the DHCP server, which is the SVI address 192.168.50.1, not the link address 10.0.0.1.

C

The helper-address misconfiguration prevents DHCP requests from being forwarded to the correct server, so fixing only the excluded range is insufficient.

D

The excluded range must be corrected to allow hosts to receive addresses from the pool; otherwise, the DHCP server will not assign addresses.

202
MCQhard

A trunk is up between two switches, but traffic for VLAN 40 fails while other VLANs work. Which output item should be checked first?

A.Whether VLAN 40 is included in the allowed VLAN list on the trunk
B.Whether the router ID matches on both switches
C.Whether NetFlow is enabled on the VLAN
D.Whether NTP is synchronized on the switches
AnswerA

This is correct because a missing VLAN in the allowed list is a common cause of one-VLAN failure on an otherwise working trunk.

Why this answer

The first thing to check is whether VLAN 40 appears in the trunk’s allowed VLAN list. In practical terms, this is a selective failure, not a total trunk failure. Since other VLANs are crossing successfully, the link is operational. That strongly suggests one VLAN is being excluded rather than the trunk being generally broken.

This is one of the most common VLAN troubleshooting patterns in switching.

Exam trap

Avoid assuming a total trunk failure when only one VLAN is affected. Focus on VLAN-specific configurations.

Why the other options are wrong

B

This option is wrong because the router ID is relevant for routing protocols, not for VLAN traffic issues on a trunk link. The problem specifically pertains to VLAN 40 traffic, which is not influenced by router IDs.

C

NetFlow is a network protocol used for collecting IP traffic information, but it does not directly affect VLAN traffic flow on a trunk link. Therefore, checking if NetFlow is enabled does not address the issue of VLAN 40 traffic failure.

D

NTP synchronization is not directly related to VLAN traffic issues on a trunk link; it primarily affects time-sensitive protocols. Therefore, checking NTP synchronization would not help diagnose why VLAN 40 traffic is failing.

203
MCQhard

Clients in VLAN 30 are not receiving addresses from the DHCP server located in VLAN 99. Which configuration change should be made on the Layer 3 interface for VLAN 30?

A.Add ip dhcp snooping trust under interface Vlan30.
B.Add switchport mode trunk under interface Vlan30.
C.Add ip default-gateway 10.99.99.20 under interface Vlan30.
D.Add ip helper-address 10.99.99.20 under interface Vlan30.
AnswerD

This is correct because the SVI for VLAN 30 is the interface that receives the client DHCP broadcasts. By adding `ip helper-address 10.99.99.20`, the Layer 3 device forwards the request as a unicast packet to the DHCP server in VLAN 99.

Why this answer

The DHCP server is on a different subnet, so the client broadcast messages from VLAN 30 will not naturally cross the Layer 3 boundary. In simple terms, the clients are asking for an address by shouting on their own floor of the building, but the server lives on another floor and cannot hear that broadcast directly. The router or Layer 3 switch must relay the request for them. On Cisco devices, that relay function is usually configured with `ip helper-address` on the interface that receives the client broadcasts.

Here, that receiving interface is Vlan30, because that is the default gateway for the clients in VLAN 30. Pointing `ip helper-address` to 10.99.99.20 tells the Layer 3 device to forward DHCP requests to the remote server. DHCP snooping trust is a separate security feature, trunk mode is unrelated to an SVI, and `ip default-gateway` is not the correct solution for relaying DHCP across subnets.

Exam trap

Remember that DHCP snooping and trunk mode do not facilitate DHCP relay. Focus on the purpose of `ip helper-address` for relaying requests across VLANs.

Why the other options are wrong

A

This option is wrong because enabling DHCP snooping trust on VLAN 30 does not facilitate communication with the DHCP server in VLAN 99; it only protects against rogue DHCP servers.

B

Adding 'switchport mode trunk' under interface Vlan30 is incorrect because VLAN 30 is already configured as a Layer 3 interface, and trunking is not applicable to Layer 3 interfaces. This command is used for Layer 2 interfaces to allow multiple VLANs over a single link.

C

This option is wrong because the command 'ip default-gateway' is used to set a default gateway for a Layer 2 device, not for enabling DHCP relay on a Layer 3 interface. Clients in VLAN 30 need a helper address to reach the DHCP server in VLAN 99.

204
MCQhard

Refer to the exhibit. A network administrator is troubleshooting connectivity issues for hosts on VLAN 50 on SW1. The hosts on VLAN 50 cannot reach any devices outside SW1, even though the trunk link between SW1 and SW2 is up. The administrator issues the 'show interfaces GigabitEthernet0/1 trunk' command on SW1. Based on the output, what is the most likely cause of the issue?

A.The native VLAN on the trunk is misconfigured, causing VLAN 50 traffic to be dropped.
B.The trunk is operating in access mode instead of trunk mode, preventing VLAN 50 traffic.
C.VLAN 50 is not in the allowed VLAN list on the trunk.
D.Spanning tree protocol has blocked the trunk port for VLAN 50, isolating the hosts.
AnswerC

The exhibit explicitly shows the allowed VLANs as '1-49,60-4094', which omits VLAN 50. This prevents traffic for VLAN 50 from traversing the trunk.

Why this answer

The 'show interfaces GigabitEthernet0/1 trunk' output would list the allowed VLANs on the trunk. If VLAN 50 is not included in the allowed VLAN list, traffic from VLAN 50 will be dropped at the trunk, preventing hosts on SW1 from reaching devices outside SW1. This is the most likely cause because the trunk is up but VLAN 50 traffic is not forwarded.

Exam trap

Cisco often tests the distinction between native VLAN misconfiguration and allowed VLAN list misconfiguration, where candidates mistakenly attribute all trunk issues to native VLAN mismatches rather than checking the allowed VLAN list.

Why the other options are wrong

A

The assumption that a native VLAN mismatch can drop tagged VLAN traffic is a common misunderstanding.

B

Misreading the output may lead to believing the trunk is not in trunking mode.

D

Confusing spanning tree blocking with allowed VLAN filtering; the output shows no block state, only absence of the VLAN.

205
PBQmedium

You are connected to the console of SW1. The network administrator reports that a workstation connected to interface FastEthernet0/1 cannot communicate with the rest of the network. The workstation is configured for VLAN 10, but the interface is in VLAN 1.

Hints

  • Use 'show vlan brief' to see VLAN assignments.
  • The interface is currently in VLAN 1.
  • Change the access VLAN to 10.
A.Configure the interface as a trunk port.
B.Configure the interface as an access port and assign it to VLAN 10.
C.Configure the interface as a trunk port and allow VLAN 10.
D.Configure the interface as a dynamic desirable port.
AnswerB
solution
! SW1
interface FastEthernet0/1
switchport access vlan 10

Why this answer

The port was in VLAN 1 instead of VLAN 10. By configuring 'switchport access vlan 10', the workstation is now in the correct VLAN and can communicate with the rest of the network.

Exam trap

This question tests your understanding of access ports versus trunk ports and how to assign a VLAN to an access port. A common trap is to think that trunking is needed to carry VLAN traffic, but for end devices, access ports are used. Remember that 'switchport access vlan' is the command to assign a VLAN to an access port.

Why the other options are wrong

A

Trunk ports are used to carry multiple VLANs between switches, not to assign a single workstation to a specific VLAN.

C

Trunk ports are designed to carry multiple VLANs and are typically used between switches, not for end-user devices.

D

DTP modes control whether a port becomes a trunk or remains an access port; they do not change the access VLAN.

206
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure VLANs, assign access ports, set up 802.1Q trunks with a native VLAN, and verify the configuration using show commands.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

The correct sequence ensures VLANs exist before any port assignment or trunk configuration. Creating VLANs first is essential because both access and trunk ports depend on VLANs being present. Access port assignment and trunk configuration are independent steps that can occur in either order after VLANs are created.

Verification using 'show vlan brief', 'show interfaces trunk', and 'show interfaces switchport' is always the final step to confirm the setup.

Exam trap

A common mistake is to attempt assigning ports to VLANs before the VLANs exist, which will be rejected. Additionally, some learners mistakenly think trunk configuration must follow access port assignment, but the order between these two steps is interchangeable as long as VLANs are created first.

207
MCQhard

Refer to the exhibit. A network administrator connects an IP phone to interface GigabitEthernet1/0/1 on a Cisco Catalyst switch. The PC connected through the phone works normally on the data VLAN, but the phone cannot obtain an IP address and fails to register with the call server. Which action will resolve the problem?

A.Configure 'switchport trunk allowed vlan 10,20' on interface Gi1/0/1 and change the switchport mode to trunk.
B.Add 'switchport voice vlan 20' on interface GigabitEthernet1/0/1.
C.Issue 'switchport access vlan 20' and 'switchport voice vlan 10' on interface Gi1/0/1.
D.Enable 'switchport port-security mac-address sticky' on the interface and manually add the phone’s MAC address to the access VLAN.
AnswerB

This command enables the access port to support a voice VLAN, telling the phone to tag voice frames with VLAN 20 while leaving data in VLAN 10.

Why this answer

The PC works on the data VLAN, but the phone cannot obtain an IP address, indicating the phone is not receiving the correct VLAN assignment. The phone should be placed in the voice VLAN (VLAN 20) using the 'switchport voice vlan 20' command, which allows the switch to tag the phone's traffic with VLAN 20 via CDP/LLDP, enabling it to get an IP from the voice VLAN DHCP server.

Exam trap

Cisco often tests the distinction between 'switchport access vlan' (for data) and 'switchport voice vlan' (for voice), and the trap here is that candidates may confuse which VLAN is assigned to which device, or incorrectly think trunking is required for a phone connection.

Why the other options are wrong

A

A trunk port does not provide the voice VLAN advertisement mechanism to the phone; the PC would need to send tagged frames, which typical endpoint NICs do not do.

C

The phone requires access to VLAN 20 for voice services, and the PC must remain in VLAN 10 for data; this configuration does the opposite, failing to meet the requirement.

D

The phone still cannot learn the voice VLAN; port security does not provide a DHCP address or make the switch advertise VLAN 20 to the phone.

208
MCQmedium

A PC connected to switch port Gi0/10 should be in VLAN 20 but receives broadcasts only from VLAN 1. Which switchport setting is most likely wrong?

A.switchport mode trunk
B.switchport access vlan 20 missing or incorrect
C.speed 1000
D.duplex full
AnswerB

Correct. The access VLAN setting most directly controls this behavior.

Why this answer

The PC is receiving broadcasts only from VLAN 1, which indicates the switchport is not correctly assigned to VLAN 20. The most likely cause is that the 'switchport access vlan 20' command is missing or incorrect, leaving the port in its default VLAN (VLAN 1). This prevents the PC from participating in VLAN 20 and receiving its broadcasts.

Exam trap

Cisco often tests the misconception that a trunk port is needed for VLAN membership, but for a single end device, an access port with the correct VLAN assignment is required.

Why the other options are wrong

A

The switchport mode trunk setting is incorrect because a trunk port allows multiple VLANs to pass, while the question indicates that the PC should only receive broadcasts from VLAN 20. Therefore, the issue lies with the access VLAN configuration.

C

The speed setting of 1000 Mbps (1 Gbps) does not influence VLAN membership or broadcast traffic; it only affects the data transfer rate. Therefore, this option does not address the issue of the PC receiving broadcasts only from VLAN 1.

D

The duplex setting of the switch port does not influence VLAN membership or broadcast traffic. Therefore, a duplex configuration of 'full' does not affect the ability of a PC to receive broadcasts from VLAN 20.

209
MCQmedium

A switch displays this output: Port Name Status Vlan Fa0/1 connected 10 Fa0/2 connected 10 Fa0/24 connected trunk Which port should be checked first if a user in VLAN 20 cannot reach the distribution switch over the uplink?

A.Fa0/1
B.Fa0/2
C.Fa0/24
D.Any access port in VLAN 1
AnswerC

Correct. The trunk carries inter-switch VLAN traffic.

Why this answer

If users in VLAN 20 must cross the uplink, the trunk port is the first place to verify allowed VLANs and tagging.

Exam trap

Don't confuse access ports with trunk ports; only trunk ports can carry multiple VLANs.

Why the other options are wrong

A

Fa0/1 is connected to VLAN 10, and since the user in VLAN 20 cannot reach the distribution switch, checking this port would not address the issue, as it is not part of the user's VLAN.

B

Fa0/2 is connected to VLAN 10, which means it cannot facilitate communication for a user in VLAN 20. The issue lies with the trunk port, which is responsible for carrying multiple VLANs, including VLAN 20.

D

Option D is incorrect because it suggests checking any access port in VLAN 1, which is not relevant to the user's issue in VLAN 20. The problem lies with the trunk port not allowing VLAN 20 traffic, not with access ports in VLAN 1.

210
MCQhard

A switch trunk is carrying several VLANs, but VLAN 99 traffic is failing. The trunk allowed list includes VLAN 99 on both sides. Which statement best explains why a VLAN can still fail even when it is allowed?

A.Because the VLAN may still be absent, inactive, or otherwise not operational locally even if it is allowed on the trunk
B.Because allowing a VLAN on a trunk automatically disables it
C.Because VLANs can cross trunks only when PAT is enabled
D.Because VLAN 99 must always be the native VLAN
AnswerA

This is correct because an allowed-list entry alone does not guarantee that the VLAN exists and operates correctly end to end.

Why this answer

A VLAN can still fail across a trunk even when it is allowed because the allowed list is only one part of the overall design. In plain language, a switch may permit the VLAN on the link, but if the VLAN does not actually exist locally, is not active, or if some other trunk characteristic is inconsistent, traffic can still fail. This is an important CCNA troubleshooting principle: one correct line of configuration does not guarantee the full end-to-end condition is correct.

Candidates often stop at the allowed VLAN list because it is visible in common show commands. However, VLAN presence, local status, and other trunk parameters still matter. The best answer is the one recognizing that permission on the trunk does not automatically prove the entire VLAN path is healthy.

Exam trap

A common exam trap is assuming that simply including VLAN 99 in the trunk allowed list guarantees that VLAN 99 traffic will pass. Many candidates stop troubleshooting once they see the VLAN is allowed on the trunk, neglecting to verify if VLAN 99 is actually created and active on each switch. This mistake leads to incorrect conclusions, as the allowed list only controls trunk forwarding permissions, not VLAN existence or operational status.

The exam tests your understanding that VLAN configuration and status are equally critical for successful VLAN traffic flow.

Why the other options are wrong

B

Incorrect. Allowing a VLAN on a trunk does not disable it; this option contradicts how VLANs and trunks operate in Cisco switches.

C

Incorrect. Port Address Translation (PAT) is unrelated to VLAN trunking. VLANs do not require PAT to cross trunks.

D

Incorrect. VLAN 99 does not have to be the native VLAN to function on a trunk. The native VLAN is independent of VLAN allowance and operation.

211
PBQhard

You are connected to R1. Configure R1 as a DHCP server for VLAN 20 clients (192.168.20.0/24) with DNS server 203.0.113.10 and default gateway 192.168.20.1. On switch SW1, enable DHCP snooping globally and on VLAN 20, configure the uplink to R1 as trusted, and ensure that the DHCP server is reachable via ip helper-address on the VLAN 20 SVI. Currently, clients are not receiving IP addresses because of misconfigurations: the excluded-address range on R1 is too large (excluding the entire subnet), the helper-address on SW1 points to a wrong IP (192.0.2.99), and a rogue DHCP server is connected to port Fa0/3 on SW1. Fix all issues so that clients can get addresses securely.

Hints

  • The excluded-address range is too broad; narrow it to only the gateway and a small reserved range.
  • The helper-address must point to the DHCP server's IP, which is on a different subnet.
  • DHCP snooping must be enabled globally and per VLAN, and the port connecting to the legitimate DHCP server must be trusted.
A.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
B.On R1, remove the excluded-address range entirely; on SW1, configure ip helper-address 192.168.20.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
C.On R1, change the excluded-address range to 192.168.20.1 192.168.20.254; on SW1, configure ip helper-address 192.0.2.99 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, and configure the uplink to R1 as trusted.
D.On R1, change the excluded-address range to 192.168.20.1 192.168.20.1; on SW1, configure ip helper-address 10.0.0.1 under interface Vlan20; enable DHCP snooping globally and on VLAN 20, but do not configure any trusted ports.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.20.0 192.168.20.255
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.2 192.168.20.10

! SW1
ip dhcp snooping
ip dhcp snooping vlan 20
interface FastEthernet0/1
ip dhcp snooping trust
exit
interface Vlan20
no ip helper-address 192.0.2.99
ip helper-address 10.0.0.1

Why this answer

The DHCP server had an excluded-address range covering the entire subnet (192.168.20.0–255), which prevented any IP from being assigned. Fix: change the excluded range to only include the gateway (192.168.20.1) and optionally other reserved addresses. The helper-address on SW1 pointed to 192.0.2.99 (nonexistent) instead of the DHCP server at 10.0.0.1; correct it.

DHCP snooping was disabled; enable it globally and on VLAN 20, then configure the uplink to R1 (port connecting to R1) as trusted and the port connecting the rogue server (Fa0/3) as untrusted (or simply leave it untrusted by default, but the rogue server will be blocked).

Exam trap

A common trap is forgetting that the excluded-address range should only reserve specific addresses, not the whole subnet. Another trap is confusing the helper-address with the default gateway or leaving the incorrect IP. Also, many candidates enable DHCP snooping but forget to configure the trusted port, which breaks legitimate DHCP traffic.

Why the other options are wrong

B

The helper-address must point to the DHCP server, not the default gateway. The excluded-address range should include the gateway to prevent conflicts.

C

The excluded-address range must be limited to reserved addresses only, not the entire usable range. The helper-address must be corrected to 10.0.0.1.

D

DHCP snooping requires the port connected to the legitimate DHCP server to be explicitly trusted; otherwise, all DHCP server messages are discarded.

212
PBQhard

You are connected to SW1. The network has three switches (SW1, SW2, SW3) running Rapid-PVST+. SW1 should be the root bridge for VLAN 10. PortFast and BPDU Guard must be enabled on all edge ports connected to end hosts. An err-disabled port (G0/1) has occurred due to a BPDU violation on an edge port. Recover the port and ensure it is configured correctly to prevent recurrence.

Network Topology
Gi0/0Gi0/0Gi0/2Gi0/0Gi0/1SW1SW2SW3Host

Hints

  • The port is in err-disabled state. You need to manually recover it by cycling the interface.
  • After recovery, verify the port is forwarding and still has PortFast and BPDU Guard enabled.
  • If the err-disabled condition recurs, the connected device may be sending BPDUs; consider removing BPDU Guard from that port if it is not truly an edge port.
A.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree bpduguard disable' on the interface.
B.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree portfast' and 'spanning-tree bpduguard enable' on the interface.
C.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then configure 'spanning-tree guard root' on the interface.
D.Enter interface configuration mode for Gi0/1, issue 'shutdown' followed by 'no shutdown', then verify that the connected device is not a switch or remove it from the network.
AnswerD
solution
! SW1
configure terminal
interface gigabitEthernet 0/1
shutdown
no shutdown
end

Why this answer

The port Gi0/1 is in err-disabled state because BPDU Guard disabled it after receiving a BPDU on a PortFast edge port. First, shut down the interface and then re-enable it with 'no shutdown' to recover from err-disabled. However, to prevent recurrence, the root cause must be addressed: the connected device (likely another switch) should not be sending BPDUs on an edge port.

Optionally, you can disable BPDU Guard on that specific port if it is not truly an edge port, but the task requires PortFast and BPDU Guard on edge ports. The correct fix is to ensure no BPDUs are sent from the downstream device or use 'spanning-tree bpduguard disable' on that port if it is not an edge port (but the task mandates BPDU Guard). Since the scenario requires BPDU Guard, the candidate should recover the port and then verify that the connected device is not a switch (or remove it from the topology).

Exam trap

The exam trap is that candidates may focus on recovering the port (shutdown/no shutdown) but forget to address why the BPDU was received. Simply re-enabling BPDU Guard or reapplying PortFast will not prevent recurrence. The key is to ensure the connected device is not sending BPDUs, either by removing it or reclassifying the port.

Why the other options are wrong

A

The specific factual error is that BPDU Guard should not be disabled on a port that is supposed to be an edge port with BPDU Guard enabled.

B

The specific factual error is that simply re-enabling the same features does not prevent recurrence; the source of BPDUs must be removed or the port must be reconfigured as a non-edge port.

C

The specific factual error is that Root Guard and BPDU Guard serve different purposes; Root Guard does not stop BPDU Guard from disabling the port.

213
MCQhard

A network administrator is troubleshooting connectivity from a PC (192.168.1.10/24) to a server at 10.0.0.5/24. The PC's default gateway is 192.168.1.1. Router R1 has a directly connected route to 10.0.0.0/24 via interface GigabitEthernet0/1, which is connected to another VLAN. The server is actually located on the 10.0.0.0/16 network, reachable via a static route through 192.168.1.2. What is the most likely cause of the connectivity issue?

A.The route to 10.0.0.0/16 has a lower administrative distance than the directly connected route.
B.The directly connected route to 10.0.0.0/24 is the most specific match but is incorrect for the destination.
C.The route to 10.0.0.0/8 has a higher metric, so it is not used.
D.The router does not have a default route, so traffic to 10.0.0.5 is dropped.
AnswerB

The longest-prefix match algorithm selects 10.0.0.0/24 over /16 or /8, but this route points to an interface that cannot reach 10.0.0.5.

Why this answer

Option B is correct because the router's routing table contains a directly connected route to 10.0.0.0/24, which is the most specific match (longest prefix) for the destination 10.0.0.5. However, if that directly connected subnet is not actually the network where the server resides (e.g., it points to a different interface or VLAN), traffic will be forwarded incorrectly. The router always prefers the most specific prefix, even if another route (like a summary) is administratively preferred or has a lower metric.

Exam trap

Cisco often tests the concept that the longest prefix match overrides administrative distance and metric, leading candidates to incorrectly assume that a lower AD or metric route will be chosen when a more specific but incorrect route exists.

Why the other options are wrong

A

You might think that OSPF routes are more reliable, but directly connected routes are always preferred regardless of AD.

C

You might confuse metric with prefix length; metric only matters when prefix lengths are equal.

D

A default route is only used when no more specific route exists; here a specific route exists.

214
PBQhard

You are connected to R1, a multilayer switch acting as an HSRP active gateway for VLAN 100. The network requires R1 to be the active router with a virtual IP of 192.168.100.1. Currently, both R1 and the peer router R2 show as active in 'show standby brief', and the virtual IP is misconfigured. Configure HSRP on R1 to fix these issues: set priority to 110, enable preempt, correct the virtual IP, and track interface GigabitEthernet0/1 (decrement priority by 20 if it goes down).

Network Topology
linkG0/1:10.0.0.1/30linkR1R2upstream router

Hints

  • Check the virtual IP address configured under the standby group — it should match the expected virtual IP.
  • Preempt is disabled by default; verify if it's configured to allow R1 to become active after a failure.
  • Use 'show standby' to see all details including tracking status.
A.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 110 standby 100 preempt standby 100 track GigabitEthernet0/1 20
B.interface Vlan100 standby 100 ip 192.168.100.254 standby 100 priority 110 standby 100 preempt standby 100 track GigabitEthernet0/1 20
C.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 100 standby 100 preempt standby 100 track GigabitEthernet0/1 20
D.interface Vlan100 standby 100 ip 192.168.100.1 standby 100 priority 110 standby 100 track GigabitEthernet0/1 20
AnswerA
solution
! R1
interface Vlan100
standby 100 ip 192.168.100.1
standby 100 priority 110
standby 100 preempt
standby 100 track GigabitEthernet0/1 20

Why this answer

The problem had multiple issues: the virtual IP was wrong (192.168.100.254 instead of 192.168.100.1), preempt was not enabled (both routers could claim active), and priority was default (100). Additionally, interface tracking was missing to decrement priority if the upstream link failed. The solution consists of four commands: 'standby 100 ip 192.168.100.1' to set the correct virtual IP, 'standby 100 priority 110' to make R1 the active router, 'standby 100 preempt' to allow R1 to reclaim active role after recovery, and 'standby 100 track GigabitEthernet0/1 20' to reduce priority by 20 if that interface goes down.

Exam trap

Watch out for three common HSRP pitfalls: (1) virtual IP must match the configured gateway, (2) preempt is required for a router to reclaim active role after recovery, and (3) priority must be higher than the peer to be preferred. Also, remember that interface tracking decrements priority, so the tracked interface must be specified correctly.

Why the other options are wrong

B

The virtual IP address is wrong; it should be 192.168.100.1, not 192.168.100.254.

C

Priority must be higher than the default (100) to ensure R1 becomes the active router; 110 is required.

D

Preempt is required to allow R1 to reclaim the active role when its priority becomes higher again after a failure.

215
MCQeasy

Which VLAN is used by default for most switch ports on a new Cisco switch?

A.VLAN 1
B.VLAN 99
C.VLAN 1002
D.No VLAN until the port is manually assigned
AnswerA

That is the default VLAN on most Cisco switches.

Why this answer

On a default Cisco switch, access ports belong to VLAN 1 until changed. Best practice is usually to move user ports away from VLAN 1, but the default is still VLAN 1.

Exam trap

Remember that VLAN 1 is the default VLAN on Cisco switches, despite being discouraged for use in production environments.

Why the other options are wrong

B

VLAN 99 is not the default VLAN for switch ports on a new Cisco switch; the default is VLAN 1. VLAN 99 is often used in specific configurations but is not the factory default setting.

C

VLAN 1002 is a reserved VLAN for Token Ring and FDDI, and it is not the default VLAN for switch ports on a new Cisco switch. Most switch ports default to VLAN 1 unless configured otherwise.

D

This option is incorrect because, by default, Cisco switches assign all ports to VLAN 1, not leaving them unassigned. Every port is part of VLAN 1 unless configured otherwise.

216
MCQhard

A network engineer is troubleshooting a link between two Cisco switches that are connected via a 1000BASE-LX SFP transceiver. Hosts on VLAN 10 on Switch A cannot ping the default gateway on Switch B. The interface on Switch A is up, but the engineer notices CRC errors incrementing. What should the engineer do to resolve this issue?

A.Replace the SFP with a 1000BASE-SX transceiver
B.Use a mode-conditioning patch cable between the SFP and the fiber patch panel
C.Configure the same VLAN on both switch interfaces
D.Replace the fiber cable with a single-mode fiber cable
AnswerB

A mode-conditioning patch cable corrects the mismatch when using a single-mode transceiver over multimode fiber, preventing signal dispersion.

Why this answer

The 1000BASE-LX SFP transceiver operates at 1310 nm over single-mode fiber (SMF). When connected to multimode fiber (MMF), the larger core diameter causes excessive modal dispersion, leading to CRC errors. A mode-conditioning patch cable (mode-conditioning patch cord) launches the laser off-center into the MMF core, reducing differential mode delay and restoring proper signal integrity.

This is a known Cisco best practice for LX transceivers on MMF links.

Exam trap

Cisco often tests the misconception that CRC errors always indicate a bad cable or transceiver, when in fact the root cause can be a mode mismatch between LX optics and multimode fiber that is fixed with a mode-conditioning patch cable rather than replacing the fiber or transceiver.

Why the other options are wrong

A

Using SX would not fix the issue because the fiber is multimode and LX is designed for longer distances; the problem is the cable type mismatch, not the transceiver type.

C

The interface is up/up, so VLAN mismatch is not the issue.

D

Although replacing with single-mode fiber would work, the exhibit does not show CRC errors, so the problem is more likely a mode-conditioning issue.

217
Multi-Selectmedium

Which TWO commands are required to configure a switch port to support both a desktop PC and a VoIP phone using voice VLAN?

Select 2 answers
A.switchport mode access
B.switchport mode trunk
C.switchport voice vlan <vlan-id>
D.switchport access vlan <vlan-id>
E.switchport port-security maximum 1
AnswersA, C

This command configures the port as an access port, which is required for connecting a desktop PC and a VoIP phone (the phone typically uses the access port for data and a separate voice VLAN).

Why this answer

Option A, 'switchport mode access,' is required because voice VLAN only operates on an access port. Option C, 'switchport voice vlan <vlan-id>,' is the command that actually assigns the voice VLAN ID. Option B is incorrect because a trunk port would not properly separate voice and data traffic as the phone expects an access port.

Option D is a common data VLAN configuration but is not strictly necessary for voice VLAN operation; the access VLAN can be left as the default or configured separately. Option E is wrong because 'switchport port-security maximum 1' would allow only a single MAC address, while the port must support two devices (the phone and the PC), second MAC being the phone's internal switch.

Exam trap

Candidates often mistakenly include 'switchport access vlan' as one of the two required commands, but the question specifically asks for voice VLAN configuration, not the full port setup.

Why the other options are wrong

B

Trunk mode is incompatible because the phone expects an access port, and the voice VLAN is tagged internally by the phone, not by switch port trunking.

D

Configuring an access VLAN is not mandatory for voice VLAN; the question targets only the commands unique to enabling the voice feature.

E

Limiting the port to one MAC address would block the PC's MAC, breaking dual-device support provided by the phone's internal switch.

218
MCQhard

A network administrator is configuring a Layer 2 EtherChannel between two switches. Switch A uses 'channel-group 1 mode active', and Switch B uses 'channel-group 1 mode desirable'. All member interfaces are trunk ports with identical allowed VLANs. The EtherChannel fails to form. What is the most likely cause?

A.The switches are using different EtherChannel negotiation protocols.
B.A Layer 2 EtherChannel cannot carry trunk links.
C.The channel-group number must be different on each switch.
D.The member interfaces must be in access mode before the bundle can form.
AnswerA

LACP active cannot form a channel with PAgP desirable.

Why this answer

The two switches are using different negotiation protocols: LACP (active) on one side and PAgP (desirable) on the other. EtherChannel requires both sides to use the same protocol, so this protocol mismatch prevents the bundle from forming. The other settings—trunking, VLAN configuration, and channel-group number—are correctly configured and do not cause the failure.

Exam trap

Ensure both sides of an EtherChannel use the same negotiation protocol; mismatches are a common setup error.

Why the other options are wrong

B

This option is incorrect because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same logical link. The issue with the EtherChannel not forming is more likely related to mismatched negotiation protocols or other configuration errors.

C

This option is wrong because the channel-group number must be the same on both switches for an EtherChannel to form. Different numbers would prevent the aggregation of the links.

D

This option is wrong because a Layer 2 EtherChannel can indeed carry trunk links, allowing multiple VLANs to be transmitted over the same link. Therefore, the inability to form the EtherChannel is not due to the mode of the member interfaces.

219
PBQhard

You are connected to SW1. The current configurations of interfaces GigabitEthernet0/1 and GigabitEthernet0/2 are as follows: Gi0/1: speed 100, duplex half, switchport access vlan 10 Gi0/2: speed 1000, duplex full, switchport access vlan 20 The port-channel interface 1 does not exist. Configure a LACP EtherChannel between SW1 and SW2 using these two interfaces, with port-channel 1 and mode active on both sides. Ensure the channel forms by resolving any speed/duplex or VLAN mismatches. After configuration, verify with 'show etherchannel summary'.

Network Topology
Gi0/1Gi0/1LACPSW1SW2

Hints

  • Check speed and duplex consistency between member interfaces.
  • All member interfaces must be in the same VLAN.
  • The port-channel interface VLAN must match the physical interfaces.
A.The EtherChannel will not form because the physical interfaces have mismatched speed/duplex and VLAN assignments. You must configure both interfaces with the same speed (1000), duplex (full), and access VLAN (10), then apply channel-group 1 mode active on each.
B.The EtherChannel will form successfully because LACP active mode negotiates the channel regardless of speed/duplex or VLAN differences.
C.The EtherChannel will not form because the port-channel interface must be configured with the same VLAN as the physical interfaces, but the physical interfaces can have different speeds.
D.The EtherChannel will form successfully because the port-channel interface inherits the VLAN from the first physical interface added, so no additional configuration is needed.
AnswerA
solution
! SW1
interface GigabitEthernet0/1
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface GigabitEthernet0/2
speed 1000
duplex full
switchport access vlan 10
channel-group 1 mode active
interface Port-channel1
switchport access vlan 10

Why this answer

The EtherChannel fails because member interfaces have mismatched speed/duplex (Gi0/1 is 100/half, Gi0/2 is 1000/full) and different VLANs (VLAN 10 vs 20). Additionally, the port-channel interface and physical interfaces must have matching VLAN assignments. To fix, unify both physical interfaces to the same speed (1000), duplex (full), and access VLAN (10).

Then set channel-group mode active on each physical interface. Finally, ensure the port-channel interface also uses VLAN 10. Verify with 'show etherchannel summary' which should show the port-channel as SU (in use).

Exam trap

Cisco exam traps often test the requirement for identical speed, duplex, and VLAN on all EtherChannel member interfaces. Do not assume LACP can negotiate mismatches; it only handles aggregation, not physical or VLAN parameters.

Why the other options are wrong

B

LACP active mode only enables negotiation, but it does not resolve underlying parameter mismatches. The interfaces must still have consistent speed, duplex, and VLAN configuration.

C

All member interfaces must have identical speed and duplex settings. Even if VLANs match, speed mismatch will cause the channel to fail.

D

The port-channel interface is a logical interface that requires its own VLAN configuration. Physical interfaces must have identical VLAN assignments; otherwise, the channel will not form.

220
PBQhard

You are connected to a multilayer switch MLSW1. PortFast and BPDU Guard have already been enabled on interface GigabitEthernet0/1, which connects to an end device, and a BPDU received on that interface placed it in the err-disabled state. Configure Rapid PVST+ so that MLSW1 becomes the root bridge for VLAN 10 with a priority of 4096. Recover the interface by re-enabling it. Finally, verify which port is blocking on VLAN 10 by connecting to MLSW2 and executing the appropriate show command.

Network Topology
G0/1 to PCG0/2 to MLSW3 G0/1G0/2 to MLSW3 G0/1G0/2 to MLSW1 G0/3SiMLSW2SiMLSW1SiMLSW3

Hints

  • Check the current root priority and adjust with 'spanning-tree vlan <vlan> priority <value>'.
  • An err-disabled interface can be recovered by administrative shutdown and no shutdown.
  • Look at the spanning-tree topology to find which port is blocking; it will be in 'ALT' role with 'BLK' state.
A.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show spanning-tree vlan 10
B.spanning-tree vlan 10 root primary; interface GigabitEthernet0/1; no shutdown; show spanning-tree vlan 10
C.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; no shutdown; show interfaces status
D.spanning-tree vlan 10 priority 4096; interface GigabitEthernet0/1; shutdown; no shutdown; show running-config
AnswerA
solution
! MLSW1
spanning-tree vlan 10 priority 4096
interface gigabitEthernet 0/1
shutdown
no shutdown

Why this answer

The correct solution sets the spanning-tree priority for VLAN 10 to 4096 on MLSW1, ensuring it becomes the root bridge. PortFast and BPDU Guard are already configured on G0/1, which caused the interface to go err-disabled when a BPDU was received. To recover, you must issue the 'shutdown' followed by 'no shutdown' commands on the interface.

Because MLSW1 is the root bridge, it has no blocking ports; the blocking port (alternate) will be seen on a downstream switch like MLSW2. Therefore, verification must be done on MLSW2 using 'show spanning-tree vlan 10' to view the alternate blocking port. Option A correctly includes all required steps.

Option B uses 'root primary' (priority 24576) instead of the specified 4096, lacks the recovery commands, and verifies on the wrong device. Option C omits the err-disabled recovery and uses the wrong verification command. Option D also verifies with 'show running-config', which does not display STP port roles.

Exam trap

Remember that 'spanning-tree vlan <vlan> root primary' sets priority to 24576, not a custom value. Also, err-disabled recovery requires a shutdown followed by no shutdown. Always use 'show spanning-tree vlan <vlan>' to verify port roles, not 'show interfaces status' or 'show running-config'.

Why the other options are wrong

B

The specific factual error: 'root primary' sets priority to 24576, not 4096. Also, err-disabled recovery requires a shutdown followed by no shutdown.

C

The specific factual error: err-disabled recovery requires a shutdown before no shutdown. 'show interfaces status' does not display STP port roles.

D

The specific factual error: 'show running-config' does not display STP port roles or blocking status.

221
PBQmedium

You are connected to SW1 via console. SW1 is a multilayer switch with SVIs for VLAN 10 (192.168.10.1/24) and VLAN 20 (192.168.20.1/24). Hosts in VLAN 10 and VLAN 20 need to communicate with each other. Currently, inter-VLAN routing is not working. You need to enable routing on SW1 and verify that the SVIs are operational.

Network Topology
G0/1G0/2SW1HostAHostB

Hints

  • Check if 'ip routing' is already enabled.
  • Verify that the SVIs are up with 'no shutdown'.
A.Enable IP routing using the 'ip routing' global configuration command.
B.Configure a routing protocol such as OSPF or EIGRP on the SVIs.
C.Assign IP addresses to the physical interfaces connected to the hosts.
D.Create a trunk port and connect a router to perform router-on-a-stick.
AnswerA
solution
! SW1
ip routing

Why this answer

The 'ip routing' command enables Layer 3 routing on the multilayer switch, allowing SVIs to route between VLAN 10 and VLAN 20. Option B is unnecessary because directly connected SVIs do not require a routing protocol; routing protocols are only needed for routes learned from other routers, and 'ip routing' must still be enabled. Option C would require converting the physical interfaces to routed ports, which would break the existing Layer 2 VLAN topology and is not the intended solution.

Option D provides an external router-on-a-stick solution but does not enable routing on SW1 itself, which is the required task. Therefore, only option A correctly enables inter-VLAN routing on SW1.

Exam trap

The trap is that many candidates assume SVIs automatically route traffic once they have IP addresses. However, on a multilayer switch, you must explicitly enable IP routing with the 'ip routing' command. Without it, the switch remains a Layer 2 device and SVIs only serve as management interfaces.

Why the other options are wrong

B

Routing protocols like OSPF or EIGRP are not required for directly connected SVIs; only 'ip routing' is needed to enable Layer 3 routing.

C

Assigning IP addresses to physical interfaces would convert them to routed ports, breaking the existing Layer 2 VLAN configuration and is not the correct approach.

D

Using an external router with router-on-a-stick would enable inter-VLAN routing but does not enable routing on SW1 as required.

222
MCQhard

Refer to the exhibit. A network engineer notices that on a four-link EtherChannel bundle between two switches, all traffic from a particular VLAN is being forwarded over only one physical link, while the other three links remain idle. The engineer suspects a load-balancing issue and issues the show etherchannel load-balance command, the output of which is shown. What is the most likely cause of the uneven traffic distribution?

A.The switch is using source‑MAC‑address load balancing, and multiple end hosts are appearing with the same source MAC address.
B.The EtherChannel is misconfigured with an LACP active/passive mode mismatch, forcing only one link to bundle.
C.VLAN pruning on the trunk has removed the VLAN from three of the four member interfaces.
D.Spanning Tree Protocol has blocked three of the four links in the EtherChannel because they form a loop.
AnswerA

The show etherchannel load-balance output confirms the global load‑balancing method is src‑mac. With this method, frames with an identical source MAC always hash to the same physical member link, causing all traffic from hosts sharing that MAC to use only one link.

Why this answer

The exhibit shows the load-balancing method is 'src-mac'. When source-MAC-based hashing is used, all frames with the same source MAC address egress the same physical member link. If multiple end hosts are behind a router or proxy and appear with identical source MAC, the hash algorithm always selects the same link, leaving the other links in the bundle idle.

Exam trap

Many candidates choose LACP misconfiguration because they recall that mode mismatches can limit the number of active links. However, the exhibit explicitly displays the load‑balancing method, not the LACP negotiation state. A mode mismatch would prevent the EtherChannel from forming, not leave it forming but with only one link carrying traffic.

Why the other options are wrong

B

Candidates may think that an LACP problem explains a single active link, but a mismatch would cause the entire EtherChannel to fail, not selectively use one member.

C

Candidates might mistake an idle member for a pruned VLAN, but pruning would not affect all traffic, only the specific VLAN, and it is not related to the load‑balance method shown.

D

Candidates may associate an idle link with STP blocking, but an EtherChannel bundle presents one logical link to STP. A blocking state on some members only would indicate a serious configuration error, not the load‑balance method shown.

223
MCQhard

A switchport connected to another switch is configured as an access port by mistake. Which symptom is most likely in a multi-VLAN design?

A.Only one VLAN is likely to pass correctly, while other VLAN traffic across the link fails
B.The link negotiates as a trunk but drops all VLAN traffic
C.The switch generates excessive broadcasts on all VLANs
D.The switch stops learning MAC addresses entirely
AnswerA

This is correct because an access port normally carries one VLAN rather than multiple VLANs.

Why this answer

The most likely symptom is that only one VLAN’s traffic works correctly across the link while traffic for other VLANs fails. In plain language, an access port belongs to one VLAN in normal switching behavior. If an inter-switch link that should carry multiple VLANs is accidentally configured as an access port, the network loses the ability to transport the other VLANs.

The physical link may stay up, which can make the problem seem subtle, but the logical role of the port is wrong.

Exam trap

Be cautious not to confuse physical link status with logical configuration issues. An access port will not drop the link but will restrict traffic to a single VLAN.

Why the other options are wrong

B

An access port cannot negotiate trunking; it simply forwards only one VLAN's traffic.

C

Broadcast storms are not caused by an access port misconfiguration.

224
MCQhard

After enabling DHCP snooping on VLAN 10, a technician finds that clients in that VLAN are no longer receiving IP addresses from the DHCP server. The server is connected to port Gi0/24. What is the most likely cause?

A.The port Gi0/24 has not been configured as a trusted port for DHCP snooping.
B.The DHCP server is on a different subnet, and the VLAN 10 SVI does not have an ip helper-address configured.
C.The DHCP snooping database location was not configured, causing the switch to discard all DHCP server messages.
D.The DHCP snooping binding table does not contain an entry for the DHCP server’s MAC address, so offers are being discarded.
AnswerA

DHCP snooping immediately blocks all DHCP server messages on untrusted ports. Because Gi0/24 is the uplink to the DHCP server, it must be explicitly set as trusted (ip dhcp snooping trust), otherwise the switch will drop the DHCP offers sent by the server.

Why this answer

DHCP snooping classifies all ports as untrusted by default, and an untrusted port drops DHCP server messages (OFFER/ACK) to prevent rogue servers. Because the uplink Gi0/24 was not explicitly configured as a trusted port with ip dhcp snooping trust, the legitimate DHCP offers from the server are being discarded, so clients never receive addresses. The other options are not the cause: an ip helper-address would still be needed if the server were remote and was working before snooping (so it is already in place); the DHCP snooping database is not required for traffic forwarding; and the binding table does not need to contain the server’s MAC to permit server traffic.

Exam trap

D. Candidates often misunderstand the role of the DHCP snooping binding table and think the switch must have learned the server’s MAC to allow DHCP traffic, but the binding table is used to filter client traffic, not to authorize servers.

Why the other options are wrong

B

This option assumes that the loss of DHCP service is due to a missing relay agent, but the symptom started only after enabling snooping, not after an infrastructure change that would affect the relay path.

C

The idea that a missing database causes immediate traffic blocking is a common misinterpretation of the database’s role—it is purely for persistency, not for runtime filtering.

D

Many candidates assume that DHCP snooping uses a reverse-check against the binding table for any DHCP server messages, but the filtering is based solely on the trusted/untrusted port state, not on a learned server entry.

225
PBQhard

You are connected to SW1, a multilayer switch. Configure DHCP snooping and an IP helper-address so that clients in VLAN 20 receive IP addresses from the DHCP server at 10.0.0.2. The DHCP server is already configured with a pool for 192.168.20.0/24, but clients are not getting addresses. Identify and correct the issues in the current configuration.

Network Topology
G0/010.0.0.1/30G0/1SW1DHCP ServerClient

Hints

  • Check the helper-address on VLAN 20 — is it pointing to the correct server IP?
  • DHCP snooping must be enabled globally and for the specific VLAN.
  • The port towards the DHCP server must be configured as trusted.
A.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
B.Enable DHCP snooping globally and on VLAN 20, configure interface G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
C.Enable DHCP snooping globally and on VLAN 20, configure interface G0/0 as trusted, and keep the ip helper-address as 10.0.0.3 because that is the correct server address.
D.Enable DHCP snooping globally and on VLAN 20, configure both interfaces G0/0 and G0/1 as trusted, and change the ip helper-address on the SVI for VLAN 20 from 10.0.0.3 to 10.0.0.2.
AnswerA
solution
! SW1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 20
interface gigabitethernet0/0
ip dhcp snooping trust
interface vlan20
no ip helper-address 10.0.0.3
ip helper-address 10.0.0.2
end
write memory

Why this answer

The DHCP relay helper-address was pointing to 10.0.0.3 instead of the actual server at 10.0.0.2. Also, DHCP snooping was not enabled. After enabling DHCP snooping globally and on VLAN 20, configure the uplink to the DHCP server as a trusted port (G0/0) and the access port (G0/1) as untrusted (default).

Finally, correct the helper-address to 10.0.0.2. These steps allow DHCP broadcasts from VLAN 20 to be relayed to the server and prevent rogue DHCP attacks.

Exam trap

A common trap is to trust all ports or to forget that the ip helper-address must match the actual DHCP server IP. Also, candidates may confuse which port should be trusted: only the port facing the legitimate DHCP server should be trusted, not client-facing ports.

Why the other options are wrong

B

The specific factual error is that the access port (G0/1) should be untrusted, not trusted. Only the uplink port to the legitimate DHCP server should be trusted.

C

The specific factual error is that the ip helper-address must be set to the actual DHCP server IP (10.0.0.2), not 10.0.0.3.

D

The specific factual error is that only the uplink port (G0/0) should be trusted; trusting the access port (G0/1) allows any device connected to that port to act as a DHCP server.

← PreviousPage 3 of 4 · 278 questions totalNext →

Ready to test yourself?

Try a timed practice session using only VLAN questions.