CCNA VLAN Questions

53 of 278 questions · Page 4/4 · VLAN topic · Answers revealed

226
Multi-Selectmedium

Which TWO statements are true about configuring and verifying VLANs, 802.1Q trunking, native VLAN, and inter-VLAN routing with router-on-a-stick?

Select 2 answers
A.On a router-on-a-stick configuration, each subinterface must be configured with an IP address and the encapsulation dot1Q command to specify the VLAN ID.
B.The native VLAN is always tagged on an 802.1Q trunk link.
C.The command switchport trunk native vlan 10 is used to restrict which VLANs are allowed on a trunk.
D.When configuring a router-on-a-stick, the native VLAN must match on both the switch and the router subinterface to avoid miscommunication.
E.The command show interfaces trunk displays the IP addresses configured on router subinterfaces.
AnswersA, D

This is correct because the router needs a subinterface per VLAN, each with an IP address and the dot1Q encapsulation to identify the VLAN.

Why this answer

Option A is correct because in a router-on-a-stick configuration, each subinterface must be assigned an IP address and use the encapsulation dot1Q command to associate it with a specific VLAN ID; this enables the router to process tagged frames from multiple VLANs over a single physical link. Option D is also correct because the native VLAN configured on the switchport trunk must match the native VLAN used on the router's subinterface (or physical interface if no subinterface); a mismatch causes the router to mishandle untagged frames because it expects them to belong to the configured native VLAN, leading to communication failures. Option B is wrong because on an 802.1Q trunk, the native VLAN frames are sent untagged, not tagged.

Option C is wrong because the command 'switchport trunk native vlan 10' only changes the native VLAN; it does not restrict which VLANs are allowed—that requires 'switchport trunk allowed vlan'. Option E is wrong because 'show interfaces trunk' shows trunking status, native VLAN, and allowed VLAN lists on switch ports, not IP addresses of router subinterfaces.

Exam trap

Cisco often tests the misconception that the native VLAN is tagged on a trunk, or that the switchport trunk native vlan command controls allowed VLANs, when in fact it only changes which VLAN is untagged.

Why the other options are wrong

B

The native VLAN is sent untagged to maintain backward compatibility with devices that do not understand 802.1Q tagging.

C

The command to restrict allowed VLANs is switchport trunk allowed vlan, not the native VLAN command.

E

To see IP addresses on subinterfaces, use show ip interface brief or show running-config on the router.

227
Matchingmedium

Drag and drop the VLAN and trunking commands/concepts on the left to their correct descriptions on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Configures an interface to operate as a trunk link

Sets the native VLAN on a trunk to VLAN 999

Assigns a port to VLAN 10 as an access port

VLAN that carries untagged traffic on a trunk

Creates a subinterface for router-on-a-stick

Configures 802.1Q tagging for VLAN 10 on a subinterface

Why these pairings

These are fundamental VLAN/trunking concepts: VLAN segments, trunk carries multiple VLANs, access port is single VLAN, 802.1Q is tagging standard, VLAN ID is the identifier.

Exam trap

Be careful not to confuse access ports with trunk ports. Access ports are for single VLANs, while trunk ports carry multiple VLANs. Also, native VLAN and allowed VLAN list are trunk-related concepts, not port modes.

228
MCQmedium

A network administrator is troubleshooting a new branch office where hosts in VLAN 20 on switch SW1 cannot obtain IP addresses from the DHCP server located at 192.168.10.5 in the main data center. The router R1 is configured as the default gateway for VLAN 20 with interface GigabitEthernet0/1.20. The administrator verifies that the DHCP server is reachable and has available addresses. What configuration change should the administrator make to resolve the issue?

A.Configure a static IP address on the DHCP server to ensure it is always reachable.
B.Configure the 'ip helper-address 192.168.10.5' command on the router interface GigabitEthernet0/1.20.
C.Enable DHCP snooping globally on the switch SW1.
D.Increase the DHCP lease time on the server to 30 days.
AnswerB

The ip helper-address command enables the router to forward DHCP broadcasts as unicasts to the specified DHCP server, allowing clients in VLAN 20 to obtain IP addresses from the remote server.

Why this answer

The correct answer is B because the DHCP server is on a different subnet than the hosts in VLAN 20. By default, DHCP broadcasts are not forwarded across routers. The 'ip helper-address 192.168.10.5' command on the router's subinterface GigabitEthernet0/1.20 converts the broadcast DHCP request into a unicast and forwards it to the DHCP server, allowing the hosts to obtain IP addresses.

Exam trap

Cisco often tests the misconception that DHCP issues across subnets are caused by server availability or switch security features, when the real problem is the lack of a DHCP relay agent (ip helper-address) on the router interface facing the client VLAN.

Why the other options are wrong

A

A static IP on the server does not forward broadcasts across subnets; the server's reachability is not the issue.

C

Enabling DHCP snooping without proper configuration could block legitimate DHCP traffic, and it does not solve the broadcast forwarding issue.

D

The problem is not about lease duration; clients cannot receive any DHCP offers because broadcasts are not forwarded.

229
MCQhard

A network administrator is troubleshooting a Windows 10 client that cannot reach the internet. The client is connected to a Cisco switch port configured as an access port in VLAN 100. The administrator runs ipconfig on the client and sees an IP address of 169.254.10.15 with a subnet mask of 255.255.0.0. The switch port shows status up/up. What is the most likely cause of the issue?

A.The switch port is in err-disabled state due to a spanning-tree loop.
B.The switch is not configured with an ip helper-address on the VLAN 100 SVI to forward DHCP broadcasts to the DHCP server.
C.The client is in the wrong VLAN; the switch should be configured with VLAN 200.
D.There is a duplex mismatch between the client and the switch.
AnswerB

Without an ip helper-address, DHCP broadcasts from the client in VLAN 100 are not forwarded to the DHCP server, which is likely in a different VLAN.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when DHCP fails. Since the client is in VLAN 100 and the switch port is up/up, the most likely cause is that the VLAN 100 SVI lacks an ip helper-address command, so DHCP broadcast requests from the client are not forwarded to the DHCP server, leaving the client without a valid IP address.

Exam trap

Cisco often tests the misconception that an APIPA address indicates a physical or VLAN issue, when in fact it specifically points to DHCP failure, and the most common cause in a routed environment is the absence of ip helper-address on the SVI.

Why the other options are wrong

A

The port status is 'connected', not err-disabled.

C

No information suggests the client should be in VLAN 200; the configuration matches the intended VLAN.

D

Duplex mismatch would typically cause errors or speed/duplex issues, but the switch shows a-full, so this is not the problem.

230
MCQmedium

A PC in VLAN 30 must obtain an address from a DHCP server in VLAN 99. Which feature is required on the Layer 3 interface for VLAN 30?

AnswerC

Correct. DHCP relay is what allows a client to reach a server on another subnet.

Why this answer

DHCP Discover messages are broadcasts and do not cross Layer 3 boundaries on their own. DHCP relay, commonly configured with ip helper-address, forwards the requests to a server on another subnet.

Exam trap

A frequent exam trap is selecting DHCP snooping or port security as the solution for inter-VLAN DHCP communication. DHCP snooping is often misunderstood as a relay mechanism, but it only validates DHCP messages to prevent unauthorized servers and does not forward broadcasts between VLANs. Similarly, port security controls MAC address access on switchports but does not affect DHCP message forwarding.

Candidates may also confuse Dynamic ARP Inspection with DHCP relay, but DAI only inspects ARP traffic for security purposes. The key mistake is overlooking that DHCP broadcasts are Layer 2 broadcasts and require DHCP relay on the Layer 3 interface to reach servers in other VLANs.

Why the other options are wrong

A

Port security restricts MAC addresses on switchports to enhance security but does not forward DHCP broadcasts or enable clients in one VLAN to reach DHCP servers in another VLAN. It does not facilitate inter-VLAN DHCP communication.

B

DHCP snooping is a security feature that validates DHCP messages to prevent rogue DHCP servers but does not relay DHCP requests between VLANs. It cannot replace DHCP relay functionality needed for inter-VLAN DHCP address assignment.

D

Dynamic ARP Inspection inspects ARP traffic to prevent ARP spoofing attacks but does not forward DHCP messages or enable DHCP communication between VLANs. It is unrelated to DHCP relay or inter-VLAN DHCP address assignment.

231
MCQhard

A network administrator is troubleshooting connectivity between two directly connected Cisco switches. Hosts on VLAN 10 connected to Switch A cannot ping the default gateway on Switch B. The interface on Switch A shows 'up/up' but there are excessive CRC errors and runts. The administrator checks the interface configuration on both switches. What is the most likely cause of the issue?

A.Replace the faulty Ethernet cable.
B.Mismatched duplex and speed settings between the interfaces.
C.Disable spanning tree on both interfaces to prevent loop prevention from blocking traffic.
D.Assign the interfaces to the same VLAN to ensure Layer 2 connectivity.
AnswerB

This directly resolves the duplex mismatch. Switch A shows full-duplex/1000 Mbps, while Switch B shows half-duplex/100 Mbps. Setting both to full-duplex and 1000 Mbps eliminates the CRC errors caused by the mismatch.

Why this answer

The presence of excessive CRC errors and runts on an interface that is 'up/up' strongly indicates a Layer 1 or Layer 2 duplex mismatch. When one switch is set to full-duplex and the other to half-duplex (or auto-negotiation fails), the half-duplex side will detect collisions and retransmit, while the full-duplex side will not, leading to frame corruption (CRC errors) and truncated frames (runts). Configuring both interfaces with the same duplex and speed settings (e.g., full-duplex and 1000 Mbps) resolves this mismatch, restoring proper connectivity for VLAN 10 traffic to the default gateway.

Exam trap

Cisco often tests the concept that 'up/up' does not guarantee error-free communication, and candidates mistakenly focus on cable replacement or VLAN misconfiguration instead of recognizing CRC errors and runts as classic symptoms of a duplex mismatch.

Why the other options are wrong

A

The exhibit shows both switches have different speed and duplex settings, indicating a configuration mismatch rather than a cable fault.

C

The interface is up/up and the errors are CRC, which are not related to spanning tree operation.

D

CRC errors indicate physical or duplex issues, not VLAN misconfiguration.

232
MCQhard

A network technician is troubleshooting a connectivity issue between two directly connected switches, SW1 and SW2. Hosts on VLAN 10 connected to SW1 can ping each other but cannot ping the default gateway or any host on VLAN 10 connected to SW2. The interface on SW1 is up/up, but the interface on SW2 is up/down. What is the most likely cause of the problem?

A.Configure the interface on SW2 to use a different MTU value.
B.Ensure both switches are configured for the same duplex setting, preferably by enabling autonegotiation on both interfaces.
C.Replace the Ethernet cable connecting SW1 and SW2.
D.Check for late collisions on the interface and increase the collision window size.
AnswerB

The output from SW1 shows the interface is full-duplex, but SW2's interface is up/down. This is a classic symptom of a duplex mismatch, where one side is full and the other half-duplex. Configuring both ends to the same duplex (or enabling autonegotiation) will resolve the issue.

Why this answer

The interface on SW2 is up/down, which typically indicates a Layer 1 issue such as a duplex mismatch. Duplex mismatch occurs when one switch is manually set to full duplex and the other to half duplex or auto-negotiation fails, causing the side expecting full duplex to report up/down due to excessive errors. Option A is incorrect because MTU mismatch would cause connectivity issues but not an up/down interface state.

Option C is incorrect because a faulty cable would likely cause both interfaces to be down/down, not up/down. Option D is incorrect because late collisions are a symptom of duplex mismatch, not a separate cause; increasing collision window size is not a standard troubleshooting step. The correct solution is to ensure both switches use the same duplex setting, preferably via autonegotiation (IEEE 802.3u).

Exam trap

Cisco often tests the distinction between up/down (Layer 1 issue like duplex mismatch) and down/down (cable or power issue) to trap candidates who assume any interface problem is a bad cable.

Why the other options are wrong

A

Changing MTU values affects frame size but does not cause an interface to show up/down; that state is associated with Layer 1 issues like duplex mismatch.

C

A bad cable typically results in both interfaces showing down/down, not one up and the other up/down.

D

Late collisions are a consequence of duplex mismatch, not a root cause; adjusting collision window size is not a standard practice on modern switches.

233
MCQhard

Two switches are connected by a trunk. VLAN 50 exists on both switches, but hosts in VLAN 50 cannot communicate across the link. All other VLANs work. Based on the exhibit, what is the most likely cause?

A.VLAN 50 is not allowed on the trunk from SwitchA.
B.The native VLAN is mismatched.
C.802.1Q cannot carry VLAN 50.
D.VLAN 50 must be configured as the native VLAN first.
AnswerA

This is correct because VLAN 50 is missing from SwitchA’s allowed list.

Why this answer

Option A is correct because VLAN 50 is missing from the allowed VLAN list on the trunk, which blocks only that VLAN while allowing others. Option B is incorrect: a native VLAN mismatch would affect the native VLAN (usually VLAN 1) or cause STP issues, not specifically VLAN 50. Option C is incorrect: 802.1Q encapsulation supports all VLANs from 1 to 4094, including VLAN 50.

Option D is incorrect: VLANs do not need to be the native VLAN to be transported over a trunk; any VLAN can traverse a trunk if it is allowed.

Exam trap

Ensure you differentiate between general trunk issues and VLAN-specific configurations. Don't confuse access port settings with trunk link issues.

Why the other options are wrong

B

This option is wrong because a native VLAN mismatch would typically affect all VLANs, not just VLAN 50. Since other VLANs are functioning correctly, it indicates that the native VLAN configuration is not the issue.

C

802.1Q is a standard that can carry VLANs up to 4096, including VLAN 50. Therefore, the issue of VLAN 50 not communicating is not due to the protocol's inability to carry it.

D

This option is wrong because VLAN 50 can exist on a trunk without being the native VLAN; it does not need to be configured as such to communicate across the trunk link.

234
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch connected to router R1 via trunk port G0/1. The trunk is currently using VLAN 1 as native VLAN, but the network administrator wants to change the native VLAN to VLAN 99 for security. Configure the trunk on G0/1 to use native VLAN 99 and verify.

Hints

  • The native VLAN is configured per trunk interface.
  • Use show interfaces trunk to see allowed VLANs and native VLAN.
A.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show interfaces trunk
B.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk allowed vlan 99 SW1(config-if)# end SW1# show vlan brief
C.SW1(config)# vlan 99 SW1(config-vlan)# name Native SW1(config-vlan)# exit SW1(config)# interface g0/1 SW1(config-if)# switchport mode trunk SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show interfaces trunk
D.SW1(config)# interface g0/1 SW1(config-if)# switchport trunk native vlan 99 SW1(config-if)# end SW1# show vlan id 99
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport trunk native vlan 99

Why this answer

Changing the native VLAN on a trunk prevents VLAN hopping attacks. The native VLAN carries untagged traffic; here it is changed from default VLAN 1 to VLAN 99.

Exam trap

The exam trap is confusing the 'switchport trunk native vlan' command with 'switchport trunk allowed vlan' or thinking that you need to create the VLAN or re-enter trunk mode. Also, ensure you use the correct verification command: 'show interfaces trunk' shows native VLAN, not 'show vlan'.

Why the other options are wrong

B

The specific factual error is confusing the allowed VLAN list with the native VLAN configuration. The native VLAN is set with 'switchport trunk native vlan', not 'switchport trunk allowed vlan'.

C

The specific factual error is including extra steps that are not needed. The trunk already exists, so 'switchport mode trunk' is redundant. Creating VLAN 99 is also unnecessary if it already exists or is not required for the native VLAN change.

D

The specific factual error is using the wrong verification command. 'show interfaces trunk' is needed to see trunk parameters including native VLAN.

235
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent forwarding loops on unidirectional links, and BPDU Guard on PortFast-enabled GigabitEthernet0/3 to shut down the port if a BPDU is received. After configuration, troubleshoot the scenario: a superior BPDU is received on G0/1, causing it to be blocked by Root Guard, and an unauthorized switch sends a BPDU to G0/3, placing it in err-disable state. Verify the final configuration and state.

Network Topology
G0/1G0/2G0/3SiR1AccessSwitchCoreSwitchServer

Hints

  • Root Guard is configured with 'spanning-tree guard root' on the interface that should never become a non-designated port. It will block the port if a superior BPDU is received.
  • Loop Guard is enabled with 'spanning-tree guard loop' on interfaces where BPDU loss could cause a loop. It prevents the port from transitioning to forwarding if BPDUs stop.
  • BPDU Guard is configured with 'spanning-tree bpduguard enable' on PortFast ports. Any BPDU received will error-disable the port, requiring manual recovery with 'shutdown' followed by 'no shutdown'.
A.[CORRECT] Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link. BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.
B.Root Guard on G0/1 is incorrectly configured; it should be configured on the root port, not the designated port. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is correctly configured, but the port should automatically recover from err-disable state after a timeout.
C.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is incorrectly configured because Loop Guard should be applied to root ports, not uplink ports. BPDU Guard on G0/3 is correctly configured, but the port should be in a blocking state, not err-disabled.
D.Root Guard on G0/1 is correctly configured. Loop Guard on G0/2 is correctly configured. BPDU Guard on G0/3 is incorrectly configured because BPDU Guard should be applied to trunk ports, not access ports, and the port should be placed in a root-inconsistent state.
AnswerA
solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

The scenario demonstrates three STP protection mechanisms. Root Guard on G0/1 is correctly configured; when a superior BPDU is received, the port is placed into a root-inconsistent state (BKN* in show spanning-tree) to prevent the switch from becoming root. Loop Guard on G0/2 prevents loops if BPDUs stop arriving due to a unidirectional link.

BPDU Guard on G0/3, combined with PortFast, err-disables the port upon receiving any BPDU, as shown by the err-disabled status. To recover, the administrator must manually re-enable the interface after removing the offending device. No additional configuration is required; the existing commands are correct and produce the expected behavior.

Exam trap

Watch out for confusion between Root Guard and BPDU Guard states: Root Guard causes root-inconsistent (BKN*), while BPDU Guard causes err-disable. Also, remember Root Guard is for designated ports, not root ports. Loop Guard can be applied to any port expecting BPDUs, not just root ports.

Why the other options are wrong

B

The specific factual error: Root Guard is applied to designated ports, not root ports. BPDU Guard does not auto-recover by default.

C

The specific factual error: Loop Guard is not restricted to root ports; it can be used on any port where BPDUs are expected. BPDU Guard results in err-disable, not blocking.

D

The specific factual error: BPDU Guard is not limited to access ports; it works on any PortFast-enabled port. The state is err-disable, not root-inconsistent.

236
MCQhard

A network administrator notices that a workstation connected to a Cisco switch port cannot communicate with other devices on the same VLAN. The switch port is up/up, but the workstation reports slow performance and intermittent connectivity. What is the most likely cause of this issue?

A.Replace the faulty Ethernet cable between the switch and the workstation.
B.A duplex mismatch between the switch port and the workstation.
C.Assign the switch port to the correct VLAN.
D.Disable spanning-tree on the port to prevent frequent topology changes.
AnswerB

Duplex mismatch causes one side to transmit simultaneously while the other waits, leading to collisions, errors, and degraded throughput, consistent with the described symptoms.

Why this answer

A duplex mismatch occurs when one end of the link is set to full-duplex and the other to half-duplex. The half-duplex end detects collisions and the full-duplex end does not, causing late collisions, CRC errors, and retransmissions. This results in slow performance and intermittent connectivity even though the port is operationally up.

Exam trap

Cisco often tests the concept that a link being up/up does not guarantee error-free communication, and candidates mistakenly focus on VLAN or cable issues instead of recognizing duplex mismatch as the cause of slow performance and intermittent connectivity.

Why the other options are wrong

A

No cable-related errors are shown.

C

VLAN issues would typically prevent communication entirely or show input errors from misconfigured trunking.

D

The port is stable and not flapping.

237
PBQhard

You are connected to R1 (a router acting as DHCP server) via the console. Configure R1 to provide DHCP addresses for VLAN 10 (192.168.10.0/24) on the switch SW1, which is connected via R1's G0/0. Exclude the first 10 addresses (192.168.10.1-10) and the last address (192.168.10.254). Set the default gateway to 192.168.10.1 and DNS server to 203.0.113.10. On SW1, enable DHCP snooping globally and for VLAN 10, configure G0/1 as trusted toward R1, and ensure the ip helper-address on the switch's VLAN 10 SVI points to R1's G0/0 IP. The current config has a wrong helper-address and an oversized excluded range; identify and fix all issues.

Network Topology
G0/1 (SW1) to G0/0 (R1 10.0.0.1/30)SW1R1

Hints

  • Check the excluded-address range on R1 — it might be too broad.
  • Verify the helper-address on SW1's VLAN 10 SVI — it should be the DHCP server's interface IP, not a different subnet.
  • DHCP snooping requires the uplink to the DHCP server to be configured as trusted.
A.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10 and ip dhcp excluded-address 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
B.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 192.168.10.1.
C.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.10; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface Vlan10: ip helper-address 10.0.0.1.
D.On R1: ip dhcp excluded-address 192.168.10.1 192.168.10.254; ip dhcp pool VLAN10: network 192.168.10.0 255.255.255.0, default-router 192.168.10.1, dns-server 203.0.113.10. On SW1: ip dhcp snooping, ip dhcp snooping vlan 10, interface G0/1: ip dhcp snooping trust, interface Vlan10: ip helper-address 10.0.0.1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.10.1 192.168.10.254
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.10.254

! SW1
interface Vlan10
no ip helper-address 192.168.20.1
ip helper-address 10.0.0.1
exit
interface GigabitEthernet0/1
ip dhcp snooping trust

Why this answer

The DHCP server R1 had an excluded range that covered the entire subnet (192.168.10.1 through 192.168.10.254), preventing any addresses from being assigned. This was corrected by first removing that oversized exclusion, then setting the excluded range to 192.168.10.1 192.168.10.10 and adding 192.168.10.254 as a separate excluded address. On SW1, the ip helper-address pointed to 192.168.20.1 (wrong), which should be R1's G0/0 IP 10.0.0.1.

Also, DHCP snooping was enabled globally and for VLAN 10, but G0/1 (link to R1) was not trusted; it was set to trusted. These changes allow DHCP requests from VLAN 10 to be relayed to R1 and trusted from the correct interface. Option A is technically incomplete because it fails to include the removal of the original oversized exclusion.

Exam trap

A common trap is to add new exclusions without removing the old ones; Cisco IOS does not overwrite exclusions—it appends. You must explicitly remove the original oversized range or no addresses will be leased.

Why the other options are wrong

B

This option omits the `ip dhcp snooping trust` on G0/1 and uses the wrong helper-address (192.168.10.1, which is the default gateway, not R1's interface IP 10.0.0.1).

C

This option omits both the `ip dhcp snooping trust` on G0/1 and does not include the separate exclusion for 192.168.10.254.

D

This option leaves the oversized excluded range (192.168.10.1 to 192.168.10.254) intact, which blocks all address assignments, and uses the wrong helper-address (10.0.0.1 but on SW1's VLAN 10 SVI it is missing the trust on G0/1).

238
PBQmedium

You are connected to SW1 via the console. The network uses VLANs 10 (Sales) and 20 (Engineering). A new switch SW2 is connected to SW1 via G0/1. You need to enable CDP to discover neighbor devices and verify that SW1 sees SW2. Currently, CDP is disabled globally.

Network Topology
G0/1G0/1linkSW1SW2

Hints

  • CDP is a Cisco proprietary protocol.
  • The command to enable it globally is straightforward.
  • After enabling, wait a few seconds for neighbor discovery.
A.Enable CDP globally with 'cdp run' and verify with 'show cdp neighbors'.
B.Enable CDP on interface G0/1 with 'cdp enable' and verify with 'show cdp neighbors'.
C.Enable CDP globally with 'cdp run' and verify with 'show cdp interface'.
D.Enable CDP globally with 'cdp enable' and verify with 'show cdp neighbors'.
AnswerA
solution
! SW1
cdp run

Why this answer

CDP is disabled globally with 'no cdp run'. Re-enabling with 'cdp run' allows SW1 to discover directly connected Cisco devices, including SW2. Option B is incorrect because interface-level 'cdp enable' requires CDP to already be enabled globally; since CDP is globally disabled, this command has no effect.

Option C is incorrect because 'show cdp interface' displays CDP parameters per interface, not the neighbor table; you need 'show cdp neighbors' to see discovered devices. Option D is incorrect because 'cdp enable' is not a valid global command; the correct global command is 'cdp run'.

Exam trap

Remember that CDP has both global and interface-level configuration. If CDP is disabled globally, interface-level commands have no effect. Always use 'cdp run' to enable globally and 'show cdp neighbors' to see neighbors.

Why the other options are wrong

B

Interface-level 'cdp enable' requires CDP to be enabled globally first; with global CDP disabled, this command is ineffective.

C

'show cdp interface' shows CDP status and counters on interfaces, not the list of neighboring devices; use 'show cdp neighbors' to see neighbors.

D

'cdp enable' is an interface command, not a global command; the global command to enable CDP is 'cdp run'.

239
Multi-Selectmedium

Which three of the following are characteristics of Layer 2 Ethernet switches that support VLANs? (Choose three.)

Select 3 answers
.They forward frames based on the destination MAC address.
.They can segment a LAN into multiple broadcast domains.
.They use ARP to resolve IP addresses to MAC addresses.
.They use the Spanning Tree Protocol to prevent Layer 2 loops.
.They perform routing between VLANs without a router.
.They forward frames based on the destination IP address.

Why this answer

Layer 2 Ethernet switches that support VLANs forward frames based on the destination MAC address, which is the fundamental switching decision. They can segment a LAN into multiple broadcast domains because each VLAN creates its own isolated broadcast domain, preventing unnecessary traffic propagation. They use the Spanning Tree Protocol (STP) to prevent Layer 2 loops by dynamically blocking redundant paths, ensuring a loop-free topology.

Exam trap

Cisco often tests the misconception that switches use ARP or that VLANs segment collision domains, when in fact VLANs segment broadcast domains and switches forward based on MAC addresses, not IP addresses.

240
PBQhard

You are connected to R1. The network uses a router-on-a-stick design with a single switch (SW1) and two VLANs: VLAN 10 (10.0.10.0/24) and VLAN 20 (10.0.20.0/24). The current configuration has connectivity issues: PCs in VLAN 20 cannot ping the router interface or each other, and there is a native VLAN mismatch on the trunk. Configure R1 to correct the native VLAN mismatch, ensure the trunk allows both VLANs, enable inter-VLAN routing, and fix any subinterface encapsulation errors so that all PCs can reach the router and each other across VLANs.

Hints

  • Check the native VLAN on both sides of the trunk
  • Ensure the trunk allows all required VLANs
  • Router-on-a-stick requires ip routing to be enabled
A.interface gig0/0 no shutdown switchport trunk native vlan 99 switchport trunk allowed vlan 10,20 ip routing
B.interface gig0/0.10 encapsulation dot1Q 10 ip address 10.0.10.1 255.255.255.0 interface gig0/0.20 encapsulation dot1Q 20 ip address 10.0.20.1 255.255.255.0
C.interface gig0/0 no shutdown switchport trunk native vlan 1 switchport trunk allowed vlan 10,20 ip routing
D.interface gig0/0 no shutdown switchport trunk native vlan 99 switchport trunk allowed vlan 10,20 no ip routing
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no switchport
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20
exit
ip routing

Why this answer

The issue is a native VLAN mismatch: R1 subinterface .99 uses native VLAN 99, but the switch expects native VLAN 1 (default). Additionally, VLAN 20 traffic may be blocked if the switch trunk does not allow VLAN 20, and 'ip routing' is missing on R1 (though it appears to have routes, but the command may not be present). The fix: on R1, set the native VLAN on the physical interface to 99 (or match switch), ensure the trunk allows VLANs 10 and 20, and enable IP routing.

Also verify subinterface encapsulation is correct. In this case, the candidate must issue 'interface gig0/0', 'no shutdown', 'switchport trunk native vlan 99', 'switchport trunk allowed vlan 10,20', and 'ip routing'.

Exam trap

Cisco exams often test the concept that native VLAN must match on both ends of a trunk. Also, remember that 'ip routing' is required for inter-VLAN routing on a router, even with subinterfaces configured.

Why the other options are wrong

B

Missing commands to set native VLAN on the physical interface and enable ip routing.

C

The native VLAN should match the switch's native VLAN (99), not default to 1.

D

IP routing must be enabled for the router to route between subinterfaces.

241
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a switch port for a VoIP phone (voice VLAN + data VLAN), an AP trunk, and a PoE-powered IoT device.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4

Why this order

First create VLANs, then assign data and voice VLANs to the phone port, configure the AP trunk, and lastly enable PoE on the IoT port.

Exam trap

The trap is that candidates may enable PoE too early or configure trunks before VLANs exist. Remember: VLANs must be created first, then assigned to ports, and PoE is typically enabled last.

242
PBQhard

You are connected to R1 via the console. R1 is the DHCP server for the 192.168.50.0/24 LAN. Configure DHCP on R1 to assign addresses from 192.168.50.10 to 192.168.50.200, with default gateway 192.168.50.1 and DNS server 8.8.8.8. Also, configure R1 to act as a DHCP relay agent for the 10.0.0.0/30 link to reach a remote DHCP server at 203.0.113.10. Then, troubleshoot and fix a misconfiguration that causes clients on VLAN 50 to not receive IP addresses.

Network Topology
G0/0:192.168.50.1/24G0/1:10.0.0.1/30linkR1VLAN 50 clientsRemote DHCP server at

Hints

  • Check the excluded-address range — it may be too large.
  • A helper-address on the same subnet as the DHCP server is not needed.
  • The relay agent must be configured on the interface that receives the client broadcasts.
A.[CORRECT] The DHCP pool is misconfigured: the excluded-address range covers most of the pool (192.168.50.1 through 192.168.50.200), but leaves 192.168.50.201-254 assignable, violating the requirement. The correct configuration should exclude 192.168.50.1-9 (gateway) and 192.168.50.201-254 (upper end). The 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed. The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1.
B.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9, but the helper-address on GigabitEthernet0/0 is correct because it forwards DHCP requests to the remote server. The relay agent configuration is missing on GigabitEthernet0/1.
C.The DHCP pool is correctly configured with excluded-address 192.168.50.1 192.168.50.9. The issue is that the 'ip helper-address' on GigabitEthernet0/1 is missing; it should be added to forward requests to the remote server. Additionally, the 'ip helper-address' on GigabitEthernet0/0 is correct because it forwards requests from VLAN 50 to the remote server.
D.The DHCP pool is misconfigured: the excluded-address range should be 192.168.50.1 192.168.50.9. The 'ip helper-address' on GigabitEthernet0/0 should be removed. The relay agent configuration is correct because 'ip helper-address 203.0.113.10' is already configured on GigabitEthernet0/1.
AnswerA
solution
! R1
no ip dhcp excluded-address 192.168.50.1 192.168.50.200
ip dhcp excluded-address 192.168.50.1 192.168.50.9
interface GigabitEthernet0/0
no ip helper-address 203.0.113.10
exit
interface GigabitEthernet0/1
ip helper-address 203.0.113.10
exit

Why this answer

The DHCP pool is misconfigured: the excluded-address range of 192.168.50.1 through 192.168.50.200 covers most of the pool, but leaves addresses 192.168.50.201 to 192.168.50.254 assignable, which violates the requirement to assign addresses only from 192.168.50.10 to 192.168.50.200. To meet the requirement, you must exclude both the lower range (192.168.50.1 to 192.168.50.9, reserving the gateway) and the upper range (192.168.50.201 to 192.168.50.254). Additionally, the 'ip helper-address' on GigabitEthernet0/0 is unnecessary because R1 itself is the DHCP server for that subnet; it should be removed.

The relay agent configuration is missing on the interface facing the remote DHCP server—'ip helper-address 203.0.113.10' should be added to GigabitEthernet0/1 so that broadcasts from the 10.0.0.0/30 subnet are forwarded.

Exam trap

A single 'ip dhcp excluded-address' range does not limit the DHCP pool to only the desired contiguous range; you must explicitly exclude all addresses you do not want assigned, even those at the upper end. Ensure you create multiple excluded-address ranges when the pool is not contiguous.

Why the other options are wrong

B

The specific factual error is that a helper-address should not be configured on an interface where the router itself is the DHCP server for that subnet.

C

The specific factual error is that the helper-address on the LAN interface is not needed and would cause issues, and the excluded-address range is actually correct in this option, but the question's misconfiguration is the excluded-address being too broad.

D

The specific factual error is that the helper-address on the interface facing the remote server is not configured, so DHCP broadcasts from the 10.0.0.0/30 subnet will not be forwarded.

243
PBQhard

You are connected to R1 via the console. R1 and R2 are running HSRP for the VLAN 10 subnet 192.168.10.0/24. Currently both routers are active for group 10, causing instability. Configure R1 so that it becomes the active router when its G0/0 interface is up, and R2 takes over only if R1's G0/0 fails. Also correct the virtual IP address to 192.168.10.1. Verify with show standby brief.

Hints

  • Check the virtual IP address on R1; it does not match the required 192.168.10.1.
  • Both routers are active because preempt is missing on R2; ensure R1 can reclaim active role.
  • Use the track interface feature to reduce priority on R1 if its G0/0 goes down.
A.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: standby 10 preempt.
B.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 10. On R2: no additional configuration.
C.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.1, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: no additional configuration.
D.On R1: interface GigabitEthernet0/0, standby 10 ip 192.168.10.254, standby 10 preempt, standby 10 track GigabitEthernet0/0 decrement 60. On R2: standby 10 preempt.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0
no standby 10 ip 192.168.10.254
standby 10 ip 192.168.10.1
standby 10 track GigabitEthernet0/0 decrement 60
end

Why this answer

The dual-active state was caused by R1 having an incorrect virtual IP address (192.168.10.254 instead of 192.168.10.1), making it active for a different HSRP group. Correcting the VIP to 192.168.10.1 on R1 aligns both routers to the same group. Enabling preempt on R2 (and it should already be enabled on R1) allows R1 to reclaim the active role after the VIP correction.

Additionally, interface tracking with a decrement of 60 ensures that if R1's G0/0 fails, R1's priority drops below 100, allowing R2 to take over.

Exam trap

Remember that preempt must be enabled on both HSRP routers for proper failover and reclamation. Also, interface tracking decrement must be large enough to drop priority below the standby router's priority. Finally, always verify the virtual IP address matches the required gateway.

Why the other options are wrong

B

The decrement value of 10 does not cause R1's priority to drop below R2's default priority of 100 (assuming R1 starts at 100, it becomes 90, still above R2's 100? Actually 90 < 100, but without preempt on R2, R2 won't become active. The main error is missing preempt on R2 and insufficient decrement to ensure R2 takes over.

C

Missing preempt on R2 prevents R1 from becoming active again after a failure, which violates the requirement that R1 should be active when its interface is up.

D

The virtual IP is not corrected to 192.168.10.1; it stays at 192.168.10.254, which is not the correct gateway address for the subnet.

244
MCQmedium

PCs in VLAN 30 on SwitchA cannot reach servers in VLAN 30 on SwitchB. All other VLANs work across the trunk. What is the most likely cause?

A.The native VLAN is mismatched between the switches.
B.VLAN 30 should be configured as the native VLAN on both ends.
C.SwitchB must use ISL instead of 802.1Q.
D.VLAN 30 is not allowed on the trunk from SwitchA.
AnswerD

This is correct because the exhibit clearly shows VLAN 30 missing from the allowed list on SwitchA. A VLAN must be permitted across the trunk on both sides for end-to-end communication.

Why this answer

The trunk is up and carrying multiple VLANs, but VLAN 30 is missing from the allowed list on one side. Since SwitchA and SwitchB both need to permit VLAN 30 on the trunk, if SwitchA's allowed VLAN list does not include VLAN 30, traffic for that VLAN cannot cross. Native VLAN mismatch or ISL vs 802.1Q issues would affect all VLANs, not just VLAN 30.

Thus, the most likely cause is that VLAN 30 is not allowed on the trunk from SwitchA.

Exam trap

Be cautious of assuming native VLAN mismatches or protocol issues when the problem is specific to the allowed VLAN list.

Why the other options are wrong

A

This option is wrong because a native VLAN mismatch would typically affect all VLANs across the trunk, not just VLAN 30. In this scenario, only VLAN 30 is experiencing connectivity issues, indicating a different problem.

B

This option is wrong because configuring VLAN 30 as the native VLAN does not directly affect the ability of PCs in VLAN 30 on SwitchA to communicate with servers in VLAN 30 on SwitchB, especially if VLAN 30 is already properly configured on both switches.

C

SwitchB using ISL instead of 802.1Q is not relevant to the connectivity issue between VLAN 30 on SwitchA and SwitchB. The problem is likely due to VLAN 30 not being allowed on the trunk, not the encapsulation method used.

245
MCQmedium

Users on VLAN 20 are not receiving IPv4 addresses from the centralized DHCP server at 10.50.0.10. Users in other VLANs are working normally. Based on the exhibit, which change should fix the issue for VLAN 20 clients?

A.Change the helper address on interface Vlan20 to 10.50.0.10.
B.Convert the VLAN 20 user ports to trunk mode.
C.Configure a default gateway on the user PCs manually.
D.Disable DHCP snooping on VLAN 20.
AnswerA

That points DHCP relay to the actual DHCP server.

Why this answer

The SVI for VLAN 20 is forwarding DHCP requests to the wrong helper address. DHCP relay depends on the Layer 3 interface for that VLAN sending client broadcasts to the correct server. Trunks, access ports, and the DHCP pool name on the server are not the first issue shown here.

DHCP snooping can filter DHCP server replies on untrusted ports, but since other VLANs are working and no trust misconfiguration is indicated, the root cause is the incorrect ip helper-address on Vlan20.

Exam trap

A frequent exam trap is assuming that user ports must be trunks or that disabling DHCP snooping will fix DHCP address assignment issues. In reality, user ports should remain in access mode to maintain VLAN membership, and DHCP snooping is unrelated to this specific forwarding problem because the exhibit shows a misconfigured helper address while other VLANs function normally. Another common mistake is thinking that manually configuring a default gateway on clients solves DHCP problems, but DHCP discovery requires proper relay configuration on the Layer 3 interface.

Misconfiguring or omitting the ip helper-address on the VLAN interface causes DHCP requests to fail, which is the core issue here.

Why the other options are wrong

D

Disabling DHCP snooping is unnecessary because the other VLANs work, and the scenario does not indicate a trust misconfiguration; the real problem is the incorrect helper address on Vlan20.

246
PBQhard

You are troubleshooting a wired client connectivity issue on VLAN 10. PC1 (192.168.10.50/24) cannot reach the internet. The gateway is R1's subinterface G0/0.10 at 192.168.10.1. R1 has a default route to ISP router 203.0.113.1. From PC1, ping 192.168.10.1 fails, but ipconfig shows correct IP. Analyze the provided outputs and fix the problem on R1 so that PC1 can ping its default gateway.

Network Topology
G0/0.10192.168.10.1/24G0/0.10192.168.10.1/24203.0.113.1PC1VLAN10SW1R1ISP

Hints

  • Check the physical interface state of G0/0.
  • A subinterface cannot forward traffic if the parent interface is down.
  • Verify the default route is present for internet access.
A.Enable the physical interface GigabitEthernet0/0 with 'no shutdown'.
B.Configure 'no shutdown' on subinterface G0/0.10 and add a static route for 192.168.10.0/24 pointing to the ISP.
C.Change the IP address of subinterface G0/0.10 to 192.168.10.254 and add a default route via 203.0.113.1.
D.Enable VLAN 10 on the switch and configure trunking between the switch and R1.
AnswerA
solution
! R1
interface GigabitEthernet0/0
no shutdown

Why this answer

PC1 has a correct IP configuration and can reach its gateway IP 192.168.10.1 now that the physical interface is no longer administratively down. The R1 subinterface G0/0.10 already has the correct IP address, but the parent interface GigabitEthernet0/0 was shut down, preventing the subinterface from passing traffic. Issuing 'no shutdown' under the main interface restores connectivity because subinterfaces depend on the physical interface being up.

The default route to 203.0.113.1 was already present as stated in the stem, so no routing change is needed.

Exam trap

Remember that subinterfaces rely on the physical interface state; always check the parent interface status first when troubleshooting VLAN or subinterface connectivity.

Why the other options are wrong

B

The specific factual error: Subinterfaces cannot be individually shut/no shut; they depend on the physical interface. Also, adding a route for the local network is redundant.

C

The specific factual error: The gateway IP must match the PC's configured default gateway. Changing it would break connectivity even if the interface were up.

D

The specific factual error: The switch configuration may be correct; the issue is specifically on R1's interface. The question asks to fix the problem on R1.

247
MCQhard

A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port. What is the most likely operational result?

A.The link will not carry multiple VLANs as intended because an access port handles one VLAN only.
B.The switch automatically converts the access port into a proper trunk.
C.The port becomes a routed Layer 3 interface.
D.The VLANs are summarized into one prefix automatically.
AnswerA

This is correct because access mode is the wrong role for a multi-VLAN inter-switch link.

Why this answer

An access port is designed to carry only a single VLAN. If the link is intended to carry multiple VLANs, it must be configured as a trunk. The switch will not automatically convert the port to a trunk (B).

The port remains a Layer 2 access port, not a routed Layer 3 interface (C). VLANs are not automatically summarized into a single prefix (D). The most likely result is that the link will not carry multiple VLANs as intended.

Exam trap

Beware of confusing automatic port mode changes with manual configurations. Access ports do not auto-convert to trunk mode.

Why the other options are wrong

B

Switches do not automatically convert an access port to a trunk; manual configuration is required.

C

An access port remains a Layer 2 interface; it does not become a routed Layer 3 interface.

D

VLANs operate at Layer 2 and are not automatically summarized into a single prefix; that would be a routing function.

248
PBQhard

You are troubleshooting a wired client connectivity issue. A user on VLAN 10 (subnet 192.168.10.0/24) reports that they cannot reach the internet. The client PC is connected to switch SW1, which is connected to router R1. You have console access to the client PC and R1. Identify and fix the misconfiguration so that the client can ping the internet host 203.0.113.1.

Hints

  • The client's IP 169.254.10.25 indicates DHCP failure; check if the router has a DHCP pool.
  • The router has no default route; the client cannot reach the internet even with a correct IP.
  • Ensure the DHCP pool includes the correct network and default gateway.
A.Configure R1 as a DHCP server for VLAN 10, excluding the router's IP, and add a default route to 203.0.113.1.
B.Change the client's IP address to a static IP in the 192.168.10.0/24 subnet and set the default gateway to 203.0.113.1.
C.Enable DHCP snooping on SW1 and configure the client port as trusted.
D.Configure a static route on the client PC to 203.0.113.1 via the router's IP.
AnswerA
solution
! R1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool LAN_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
exit
ip route 0.0.0.0 0.0.0.0 203.0.113.1

Why this answer

The client PC has an APIPA address (169.254.x.x) because it failed to obtain an IP via DHCP. The DHCP server is likely the router R1, but the router is not configured as a DHCP server. To fix this, configure R1 as a DHCP server for VLAN 10, excluding the router's own IP from the pool, and set the default gateway and DNS.

Then the client can renew its IP and reach the internet. Additionally, the router lacks a default route to the internet; add a static default route pointing to the next-hop (203.0.113.1).

Exam trap

Do not confuse the need for a DHCP server with security features like DHCP snooping. Also, remember that the default gateway must be on the same subnet as the client, not the internet host.

Why the other options are wrong

B

The default gateway must be an IP on the same subnet as the client, typically the router's LAN interface.

C

DHCP snooping does not provide DHCP services; it only filters DHCP messages.

D

The client must first have a valid IP and default gateway; static routes on a host are rarely used and not the issue here.

249
MCQhard

A network engineer notices that Host A in VLAN 10 (10.10.10.50/24) can successfully ping its default gateway 10.10.10.1, but cannot ping the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. The SVIs for both VLAN 10 and VLAN 20 are in an up/up state, and the switch's trunk ports are correctly allowing both VLANs. What is the most likely cause?

A.The ip routing global configuration command is missing.
B.The VLAN 20 SVI is administratively shut down.
C.The trunk between the access switch and the Layer 3 switch is misconfigured as an access port.
D.The default gateway on Host A is configured incorrectly.
AnswerA

The missing 'ip routing' command prevents the Layer 3 switch from performing routing between VLANs, even though the SVIs are up and hosts can reach their own gateways.

Why this answer

Host A can reach its default gateway (10.10.10.1), which is the VLAN 10 SVI, but cannot reach the VLAN 20 SVI (10.20.20.1) or any hosts in VLAN 20. This indicates that Layer 2 connectivity is working (trunk allows both VLANs, SVIs are up/up), but inter-VLAN routing is failing. On a multilayer switch, inter-VLAN routing requires the global command 'ip routing' to enable the switch's IP routing engine; without it, the switch acts as a Layer 2 device only and cannot forward packets between different VLANs.

Exam trap

Cisco often tests the distinction between a switch operating as a Layer 2 device versus a Layer 3 device, and the trap here is that candidates assume SVIs in an up/up state automatically provide inter-VLAN routing, forgetting the mandatory 'ip routing' command.

Why the other options are wrong

B

Candidates may overlook the explicit mention that the SVIs are up/up, mistakenly thinking a shut SVI could be the problem.

C

Trunk misconfiguration is a common inter-VLAN issue, but the scenario explicitly says the trunks are working properly, making this answer invalid.

D

The successful ping to the default gateway proves the gateway is correct. Without 'ip routing', the switch can't forward packets from VLAN 10 to VLAN 20, but it can respond to local VLAN requests.

250
PBQhard

You are connected to R1. The network consists of R1, SW1, and two hosts (Host-A on VLAN 10, Host-B on VLAN 20). SW1 has two access ports (one per VLAN) and a trunk to R1. Configure R1 for router-on-a-stick inter-VLAN routing. The current configuration has a native VLAN mismatch and a missing subinterface for VLAN 20. Fix these issues so that Host-A and Host-B can ping each other.

Hints

  • Check if all required subinterfaces are present.
  • Examine the native VLAN on the trunk.
  • Verify that IP routing is enabled globally.
A.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, and enable ip routing.
B.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and enable ip routing.
C.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 1 on the trunk, but do not enable ip routing.
D.Configure interface G0/0.20 with encapsulation dot1Q 20 and IP address 192.168.20.1 255.255.255.0, set native VLAN to 99 on the trunk, and do not enable ip routing.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
exit
interface GigabitEthernet0/0
no encapsulation dot1Q 99
exit
ip routing
end

Why this answer

The native VLAN mismatch exists: R1 expects native VLAN 99, but SW1 likely uses native VLAN 1 (default). This causes CDP/STP issues but not directly inter-VLAN routing; however, for proper operation, set native VLAN to 1 on R1. Additionally, the subinterface for VLAN 20 is missing, so traffic from VLAN 20 cannot be routed.

Finally, 'ip routing' is disabled, preventing any inter-VLAN routing. Solution: change native VLAN on trunk to 1, create subinterface G0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24, and enable ip routing.

Exam trap

Be careful to identify all issues in the scenario. Candidates often focus only on the missing subinterface and forget to check the native VLAN mismatch and the global 'ip routing' command. Always verify that routing is enabled and that native VLANs match on both ends of the trunk.

Why the other options are wrong

B

The native VLAN mismatch is not resolved; the switch likely uses native VLAN 1, so R1 should also use 1 or both sides must be configured consistently.

C

IP routing is disabled by default on Cisco routers; it must be explicitly enabled for the router to perform routing functions.

D

Two errors: native VLAN mismatch persists and IP routing is disabled, so packets cannot be routed between VLANs.

251
PBQhard

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's GigabitEthernet0/0 and GigabitEthernet0/1 interfaces so that R1 can reach R2 and the internal host on VLAN 10. R1 G0/0 connects to R2 (198.51.100.0/24), and R1 G0/1 connects to a switch with VLAN 10 (192.168.1.0/24). The current configuration has a wrong subnet mask on G0/0, missing IPv6 addresses, and a duplicate IP on G0/1. Fix all issues and verify connectivity.

Network Topology
G0/0198.51.100.1/24G0/0198.51.100.2/24G0/1192.168.1.254/24192.168.1.10/24R2R1Switch VLAN 10Host

Hints

  • Check the subnet mask on G0/0 — the IP and mask must match the connected subnet.
  • Look at the ARP table on G0/1 — the IP 192.168.1.1 is already in use by another device.
  • IPv6 requires both a global unicast address and a link-local address; use 'ipv6 enable' to generate EUI-64 link-local.
A.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
B.On G0/0, change subnet mask to 255.255.255.252, add IPv6 address 2001:db8:1::1/64; on G0/1, keep IP 192.168.1.1/24 and add IPv6 address 2001:db8:2::1/64.
C.On G0/0, change subnet mask to 255.255.255.0, add IPv6 address 2001:db8:1::1/64; on G0/1, change IP to 192.168.1.254/24 but do not configure IPv6.
D.On G0/0, keep subnet mask 255.255.255.252, add IPv6 address 2001:db8:1::1/64 and enable ipv6 enable; on G0/1, change IP to 192.168.1.254/24 and add IPv6 address 2001:db8:2::1/64.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.0
ipv6 address 2001:db8:1::1/64
ipv6 address fe80::1 link-local
ipv6 enable
exit
interface GigabitEthernet0/1
no ip address 192.168.1.1 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ipv6 address 2001:db8:2::1/64
ipv6 address fe80::254 link-local
ipv6 enable
exit

Why this answer

The GigabitEthernet0/0 interface had a wrong subnet mask (255.255.255.252 instead of 255.255.255.0), causing R1 to think R2 (198.51.100.2) was on a different subnet, so pings failed. Additionally, IPv6 was not configured at all; we added both a static global unicast address (2001:db8:1::1/64) and configured a static link-local address (fe80::1) on G0/0. On G0/1, the IP address 192.168.1.1 was already in use by another device (seen in ARP cache with age 0), so we changed it to 192.168.1.254 (the usual default gateway for VLAN 10).

Finally, we verified with show commands and pings.

Exam trap

Watch out for subnet mask mismatches: the mask on the router interface must match the network prefix of the connected subnet. Also, remember that IPv6 requires explicit configuration (ipv6 address and ipv6 enable) and that duplicate IP addresses must be resolved. Do not assume a /30 mask is correct just because it is a point-to-point link; always check the network statement.

Why the other options are wrong

B

The subnet mask on G0/0 must be /24 to match the connected network; a /30 mask would put R2 in a different subnet. Also, the duplicate IP on G0/1 is not resolved.

C

IPv6 must be configured on both interfaces to enable IPv6 connectivity. Omitting IPv6 on G0/1 leaves the interface without IPv6 capability.

D

The subnet mask on G0/0 must be changed to /24 to match the network 198.51.100.0/24. Keeping /30 is the original wrong configuration.

252
PBQhard

You are connected to R1. The network has two VLANs (10 and 20) on SW1, connected to R1 via a trunk. Currently, hosts in VLAN 10 cannot reach the router or each other across VLANs. Configure R1 with the correct subinterface encapsulation and IP addressing, and ensure the trunk on SW1 allows both VLANs. Also, fix any native VLAN mismatch on the trunk link. Which configuration steps will resolve the issues?

Network Topology
Gi0/1Gi0/0trunkSW1R1

Hints

  • Check the native VLAN on the trunk; it's currently 1 but not configured on R1.
  • R1 needs a subinterface for the native VLAN with the 'native' keyword.
  • IP routing must be enabled for inter-VLAN routing to work.
A.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 native and IP 192.168.1.1/24, and enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
B.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, change native VLAN to 10 on trunk Gi0/1.
C.On R1, configure subinterface Gi0/0.1 with encapsulation dot1Q 1 (without native keyword) and IP 192.168.1.1/24. Enable ip routing. On SW1, ensure trunk Gi0/1 allows VLANs 10,20 and set native VLAN 1.
D.On R1, configure subinterface Gi0/0.10 with encapsulation dot1Q 10 native and IP 192.168.10.1/24, and subinterface Gi0/0.20 with encapsulation dot1Q 20 and IP 192.168.20.1/24. Enable ip routing. On SW1, set native VLAN to 10 on trunk Gi0/1.
AnswerA
solution
! R1
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
ip routing

Why this answer

The current issue is a native VLAN mismatch and missing IP routing. SW1's trunk port Gi0/1 uses native VLAN 1, sending untagged frames for VLAN 1. R1 has subinterfaces for VLANs 10 and 20 but no subinterface handling untagged native traffic, causing VLAN 10 traffic (if it were tagged) to reach R1 but native traffic to be dropped.

Additionally, IP routing is not enabled, preventing inter‑VLAN forwarding even if subinterfaces are correctly addressed. Option A resolves both problems by adding a subinterface dot1Q 1 native with an IP address, enabling IP routing, and ensuring the trunk allows VLANs 10 and 20 with native VLAN 1. Option B creates subinterfaces for VLANs 10 and 20 but changes the switch native VLAN to 10 without a matching native subinterface on R1, so untagged VLAN 10 traffic still fails.

Option C incorrectly uses 'encapsulation dot1Q 1' without the native keyword, so it expects tagged VLAN 1 frames, which do not match the switch's untagged native traffic. Option D changes the native VLAN to 10 on both sides, but this requires modifying the existing VLAN design; moreover, it does not guarantee that hosts in VLAN 10 will be able to reach the router if they are using IP 192.168.1.1 as their default gateway, and the trunk may still be missing allowed VLANs—making A the simplest, design‑coherent solution.

Exam trap

Watch out for native VLAN mismatches: the router must have a subinterface with 'encapsulation dot1Q <vlan> native' to match the switch's native VLAN. Also, remember that 'ip routing' is required for router-on-a-stick to forward between VLANs.

Why the other options are wrong

B

Changing the native VLAN to 10 on the switch without a matching 'encapsulation dot1Q 10 native' subinterface on R1 causes native VLAN traffic to be dropped.

C

Using 'encapsulation dot1Q 1' (without native) tells the router to expect tagged VLAN 1 frames, which will never arrive because the switch sends native VLAN 1 untagged.

D

Altering the network to make VLAN 10 the native VLAN is unnecessary and can break existing connectivity; the correct fix is to accommodate the existing native VLAN 1 design.

253
MCQhard

What is the strongest explanation for why hosts in VLAN 40 are receiving addresses from the wrong DHCP scope?

A.The relay path is sending requests to the wrong DHCP scope or server target.
B.The VLAN 40 SVI must be changed to a trunk port.
C.DHCP can provide only one scope in the entire network.
D.The clients must use static addresses before DHCP relay can work.
AnswerA

This is correct because the clients are receiving addresses, but from the wrong network scope.

Why this answer

Option A is correct because the DHCP relay agent (typically configured on the VLAN 40 SVI with the 'ip helper-address' command) is forwarding client broadcast requests to a DHCP server that either has no scope for VLAN 40 or has a scope configured for a different subnet. This causes the server to assign an address from the wrong scope, as the relay agent does not filter by scope—it simply forwards the packet to the configured server IP.

Exam trap

Cisco often tests the misconception that DHCP can only serve one scope per network, when in fact the issue is typically a misconfigured relay path or server scope mapping, not a protocol limitation.

Why the other options are wrong

B

This option is wrong because an SVI (Switched Virtual Interface) for a VLAN cannot be configured as a trunk port; it must be an access port. VLANs are typically assigned to access ports, and changing the SVI to a trunk would not resolve DHCP scope issues.

C

This option is incorrect because DHCP can support multiple scopes across different VLANs, allowing for distinct address ranges for each VLAN. Thus, having multiple scopes is not a limitation of DHCP itself.

D

This option is incorrect because DHCP relay does not require clients to use static addresses; it is designed to facilitate dynamic IP address assignment. Static addresses would not affect the relay process or the DHCP server's ability to assign addresses from the correct scope.

254
MCQhard

A PC connected to SW1 cannot reach the default gateway. The access port is assigned to VLAN 20, and the switch output shows that VLAN 20 is inactive. What is the most likely cause?

A.Port security has shut down the interface
B.VLAN 20 does not exist or is not active on the switch
C.The port must be converted to a trunk
D.The default gateway must be configured on the physical switch port
AnswerB

That is exactly what the inactive VLAN status is telling you.

Why this answer

The port is operationally up, but VLAN 20 is listed as inactive because that VLAN does not exist in the VLAN database. An access port assigned to a missing VLAN will not carry normal user traffic for that VLAN.

Exam trap

Ensure the VLAN is created and active in the VLAN database when troubleshooting connectivity issues.

Why the other options are wrong

A

This option is wrong because the question specifies that the PC cannot reach the default gateway due to VLAN issues, not because of port security settings. Port security would typically result in the interface being in an error-disabled state, which is not indicated here.

C

This option is incorrect because converting the port to a trunk would not resolve the issue of the PC not reaching the default gateway if VLAN 20 is not configured or active. The problem lies in the VLAN configuration, not the port type.

D

This option is incorrect because the default gateway is typically configured on the device (e.g., a router or PC) rather than on the switch port itself. The issue in the question pertains to VLAN configuration, not gateway settings.

255
PBQmedium

You are connected to SW1, a Layer 2 switch. Port G0/1 connects to a PC in VLAN 10. Management requires that only one MAC address is allowed on this port, and if a violation occurs, the port should shut down and a log message should be generated. Additionally, you need to ensure that the port enables rapidly and does not wait for STP convergence. Currently, the PC has MAC address aaaa.bbbb.cccc.

Network Topology
G0/1SW1PC

Hints

  • Port security must be enabled first.
  • Use the 'mac-address' command to specify the allowed MAC.
  • PortFast bypasses STP listening/learning for access ports.
A.switchport port-security; switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; spanning-tree portfast
B.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation restrict; spanning-tree portfast
C.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation protect; spanning-tree portfast
D.switchport port-security maximum 1; switchport port-security mac-address aaaa.bbbb.cccc; switchport port-security violation shutdown; no spanning-tree portfast
AnswerA
solution
! SW1
interface GigabitEthernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address aaaa.bbbb.cccc
switchport port-security violation shutdown
spanning-tree portfast

Why this answer

Port security limits access to a port based on MAC addresses. The correct sequence must first enable port security with the `switchport port-security` command. Then setting maximum to 1 with a specific MAC ensures only that device can connect.

Violation shutdown disables the port if an unauthorized MAC appears. PortFast allows the port to transition to forwarding immediately, which is appropriate for end-user devices. Options B and C use wrong violation modes (restrict or protect) that do not shut the port and may not log.

Option D uses correct violation mode but omits PortFast, causing STP delays.

Exam trap

The key trap is confusing the three port security violation modes: shutdown (disables port + logs), restrict (drops traffic + logs but port stays up), and protect (drops traffic silently, no log). Also, remember that PortFast is needed for immediate forwarding on access ports.

Why the other options are wrong

B

The specific factual error: 'restrict' does not disable the port; it only filters traffic and logs the violation, but the port remains operational.

C

The specific factual error: 'protect' silently drops unauthorized traffic without logging or disabling the port.

D

The specific factual error: PortFast is required to bypass STP convergence; without it, the port will wait for STP to transition, causing delay.

256
MCQhard

After configuring DHCP snooping on VLAN 10 to prevent rogue DHCP servers, all clients in the VLAN stop receiving DHCP offers from the legitimate DHCP server that is connected to port Gi0/1. The administrator verifies the DHCP server is operational and reachable. What should the technician do next?

B.Configure interface Gi0/1 as a DHCP snooping trusted port.
C.Add an ip helper-address on the VLAN 10 SVI pointing to the DHCP server.
D.Reconfigure the DHCP server scope to include DHCP Option 82.
AnswerB

DHCP snooping blocks DHCP server messages on untrusted ports. Since the legitimate server is on Gi0/1, trusting the port allows the switch to forward DHCP offers from that port, resolving the issue.

Why this answer

By default, DHCP snooping marks all ports as untrusted, which blocks DHCP server replies (including offers) from those ports. Since the legitimate server is connected to Gi0/1, the port must be explicitly trusted to allow DHCP offers through. This step directly addresses the Layer 2 access control mechanism.

Exam trap

The most common mistake is to enable Dynamic ARP Inspection on VLAN 10, assuming it is required for DHCP snooping to work, but DAI only uses the DHCP snooping binding table and does not control DHCP traffic.

Why the other options are wrong

A

Misunderstanding that DAI controls DHCP traffic rather than ARP packets.

C

Assuming DHCP snooping introduces routing changes or that the server is on a different subnet.

D

Confusing DHCP snooping with DHCP relay agent functionality and option 82 insertion.

257
MCQhard

A network engineer notices that after adding a new switch to the network, a different switch unexpectedly becomes the STP root bridge, disrupting all VLANs. The new switch has the default priority (32768) but has a lower MAC address than all existing switches. What is the most likely cause?

A.The new switch is running PVST+ while the existing switches use Rapid PVST+
B.Root Guard is enabled on the new switch’s uplink ports facing the existing root
C.The existing root bridge has a bridge priority lower than the default value of 32768
D.The new switch was added with a bridge priority of 4096
AnswerC

If the existing root bridge’s priority is less than 32768 (e.g., 4096 or 0), its Bridge ID is lower than the new switch’s default 32768 + lower MAC. STP always elects the switch with the lowest Bridge ID as the root bridge. Thus, despite the new switch’s lower MAC, the manually lowered priority keeps the existing switch as root.

Why this answer

In STP, bridge priority is the primary parameter for root election. If the existing root bridge has a bridge priority lower than the default 32768, it will have a lower Bridge ID regardless of its MAC address, so it remains the root. The new switch’s lower MAC would only win if all bridge priorities are equal (default).

This explains why a different switch becomes root even though the new one has a lower MAC.

Exam trap

Many candidates focus solely on the MAC address tie-breaker and forget that bridge priority is compared first. They may also confuse root guard functionality—root guard prevents a port from becoming a root port, but does not cause another switch to become the root.

Why the other options are wrong

A

Candidates may think that STP version incompatibility disrupts root election, but both versions use the same BPDU format and root election rules.

B

Candidates often associate Root Guard with preventing a switch from becoming the root. However, it does not cause another switch to become root; it just protects the network from unexpected superior BPDUs.

D

Candidates may confuse the symptom and think that a low priority on the new switch causes the problem, but this would make the new switch the root, not another switch.

258
MCQhard

A network administrator notices that hosts in VLAN 10 cannot ping the default gateway (192.168.10.1). The switch's SVI for VLAN 10 is configured and the output of the show ip interface brief command shows its status as up/up. An embedded packet capture is configured. The exhibit shows ARP requests from a host to 192.168.10.1 but no ARP reply. Based on the exhibit, what is the most likely cause of the connectivity issue?

A.The default gateway is configured incorrectly on the host.
B.The switchport connecting the host is not assigned to VLAN 10.
C.An ACL is applied to the SVI blocking ICMP.
D.The SVI is administratively down.
AnswerB

The SVI for VLAN 10 is configured and responding to pings, but the host cannot ping the gateway because it is in a different VLAN. The access port must be in VLAN 10 for the host to communicate with the SVI.

Why this answer

The correct answer is B because the packet capture shows ARP requests from the host but no reply, indicating the switch's VLAN 10 SVI is not receiving the ARP frames. Since the SVI is confirmed up/up, the most likely cause is that the switchport connecting the host is not assigned to VLAN 10, causing the frames to be on a different VLAN. Option A is incorrect because the host's default gateway is correctly set to 192.168.10.1 (the SVI's IP); ARP requests are being sent but not answered.

Option C is wrong because an ACL on the SVI would not block ARP (ARP is a Layer 2 protocol not filtered by IP ACLs), and the capture would show a reply if the SVI received the request. Option D is incorrect because the exhibit shows the SVI is up/up, ruling out an administratively down condition.

Exam trap

Cisco often tests the distinction between Layer 2 connectivity (VLAN assignment) and Layer 3 issues (ACL, SVI state), where candidates mistakenly blame IP configuration or ACLs when the root cause is a VLAN mismatch preventing ARP resolution.

Why the other options are wrong

A

The host's default gateway is correctly configured as 192.168.10.1, evident from the ARP requests being sent to that address.

C

An IP ACL on the SVI does not block ARP (it operates at Layer 2), so it would not prevent ARP replies.

D

The exhibit's show ip interface brief output confirms the SVI is in up/up state, proving it is not administratively down.

259
MCQhard

A network engineer notices that a workstation in VLAN 10 cannot communicate with hosts in VLAN 20. The workstation is connected to an access layer switch port that shows 'up/up' in show ip interface brief. The switch's trunk port to the router is up, and the router's sub-interface for VLAN 10 is also in an up/up state. The router-on-a-stick configuration appears operational, but inter-VLAN traffic still fails. What is the most likely cause?

A.The switch port to the workstation is incorrectly configured as a trunk instead of an access port.
B.The native VLAN on the trunk between the switch and router is mismatched.
C.VLAN 10 is not allowed on the trunk link.
D.The router sub-interface for VLAN 10 is missing the encapsulation dot1q command.
AnswerD

In router-on-a-stick, each sub-interface must be mapped to a VLAN with the 'encapsulation dot1q <vlan>' command. Without it, the sub-interface cannot identify or tag frames for VLAN 10, so it never processes them, despite showing up/up. This perfectly explains why the workstation can't reach other VLANs.

Why this answer

The router-on-a-stick configuration requires each sub-interface to use the `encapsulation dot1q <vlan-id>` command to tag traffic with the correct VLAN ID. Without this command, the sub-interface will not accept or forward frames tagged for VLAN 10, even if the interface is administratively up. Since the workstation in VLAN 10 can reach its local gateway but not VLAN 20, the missing encapsulation is the most likely cause.

Exam trap

Cisco often tests the misconception that a sub-interface being 'up/up' guarantees it is fully operational for inter-VLAN routing, when in fact the missing `encapsulation dot1q` command leaves the sub-interface unable to process tagged frames.

Why the other options are wrong

A

Candidates may confuse the access port configuration with a trunk, but the stem explicitly states the port shows 'up/up' in show ip interface brief, which does not indicate trunk status.

B

Native VLAN mismatch is a common troubleshooting issue, but it only affects untagged traffic on the native VLAN—not tagged VLANs like VLAN 10.

C

Candidates often assume the allowed VLAN list is the culprit, but default trunk behavior permits all VLANs unless explicitly pruned, and the stem gives no indication of pruning.

260
MCQmedium

A DHCP server is located on a different VLAN from the clients. Which feature is required so the clients can still receive addresses?

B.DHCP relay
D.NAT overload
AnswerB

Correct. DHCP relay enables cross-VLAN DHCP service.

Why this answer

DHCP relay forwards client broadcasts to a remote server as unicast, typically using ip helper-address on the Layer 3 interface.

Exam trap

A common exam trap is selecting DHCP snooping as the solution for clients on different VLANs to receive DHCP addresses. DHCP snooping is a security mechanism that filters DHCP messages to prevent rogue servers but does not forward DHCP broadcasts across VLANs. Another tempting but incorrect choice is port security, which controls MAC address access on switch ports but does not affect DHCP broadcast forwarding.

NAT overload is unrelated to DHCP address assignment and only translates IP addresses for outbound traffic. The key misunderstanding is confusing DHCP relay’s role in forwarding broadcasts with security or address translation features.

Why the other options are wrong

A

DHCP snooping is a security feature that prevents unauthorized DHCP servers by filtering DHCP messages. It does not forward DHCP broadcasts across VLANs, so it cannot enable clients on different VLANs to receive addresses.

C

Port security restricts the number and identity of MAC addresses on switch ports to enhance security. It does not affect DHCP broadcast forwarding or enable clients to receive addresses from servers on different VLANs.

D

NAT overload translates multiple private IP addresses to a single public IP address for outbound traffic. It does not address the issue of forwarding DHCP broadcasts between VLANs or enable DHCP clients to obtain addresses from remote servers.

261
MCQhard

Two switches are connected via an IEEE 802.1Q trunk. Hosts in VLAN 30 on opposite sides cannot communicate, yet hosts in VLAN 10 communicate normally. Both switches have VLAN 30 in their VLAN database, and the trunk link is operational. What is the most likely cause?

A.VLAN 30 is pruned or not allowed on one side of the trunk
B.The native VLAN must be set to 30
C.STP blocks all VLANs on the trunk when one VLAN fails
D.The trunk must be changed to access mode for VLAN 30
AnswerA

That directly explains why VLAN 10 works and VLAN 30 does not.

Why this answer

If a VLAN is not allowed on one side of the trunk, frames for that VLAN are dropped even though other VLANs continue to work. Option A correctly identifies that VLAN 30 is either pruned or missing from the allowed list on one end. Option B is wrong because the native VLAN only affects untagged frames and would not cause the filtering of a tagged VLAN like VLAN 30.

Option C is incorrect because STP can block individual VLANs per port, but it does not block all VLANs on a trunk due to a single VLAN’s issue—only the affected VLAN would be blocked. Option D is invalid because converting the trunk to access mode would break all VLAN trunking, including the working VLAN 10.

Exam trap

Ensure you check the trunk configuration for allowed VLANs, not just VLAN existence or port assignments.

Why the other options are wrong

B

The native VLAN setting only governs untagged traffic on the trunk, not the tagged frames of VLAN 30, so it cannot fix a missing allowed VLAN.

C

STP does not globally block all VLANs on a trunk; per‑VLAN spanning tree can block individual VLANs, but a single VLAN failure would not cause the trunk to block all traffic.

D

Changing the trunk to access mode would restrict the link to a single VLAN, breaking VLAN 10 connectivity as well, which contradicts the working state of VLAN 10.

262
Multi-Selectmedium

Which three of the following statements about VLAN Trunking Protocol (VTP) are correct? (Choose three.)

Select 3 answers
.VTP pruning helps reduce unnecessary broadcast traffic on trunk links by pruning VLANs that are not active on any downstream switch.
.A VTP server can create, modify, and delete VLANs, and these changes are propagated to all other switches in the same VTP domain.
.VTP transparent mode switches forward VTP advertisements but do not synchronize their VLAN database from the server.
.VTP version 3 supports extended VLANs (1006-4094) and is backward compatible with VTP version 1 and 2.
.A switch in VTP client mode can create local VLANs that are not advertised to the rest of the domain.
.VTP advertisements are sent as multicast frames using the destination MAC address 0180.c200.0000.

Why this answer

All three selected statements are correct: VTP pruning reduces unnecessary broadcast traffic by pruning inactive VLANs from trunk links; a VTP server can create/modify/delete VLANs and propagates changes; transparent mode forwards advertisements but does not synchronize. The three distractors are incorrect. D: VTP version 3 is not backward compatible with version 1 and 2; it requires compatible versions.

E: A VTP client cannot create local VLANs; it only synchronizes from the server. F: VTP uses multicast MAC address 0100.0CCC.CCCC for advertisements, not 0180.c200.0000 which is used by other protocols like STP.

Exam trap

Cisco often tests the distinction between VTP modes, especially that transparent mode forwards advertisements but does not synchronize, and that VTP pruning is a separate feature that must be enabled on the VTP server to take effect.

Why the other options are wrong

D

VTP version 3 is not backward compatible with versions 1 and 2; it uses a different format and does not interop.

E

A VTP client switch cannot create local VLANs; it synchronizes its VLAN database from the VTP server.

F

VTP advertisements use the multicast MAC address 0100.0CCC.CCCC, not 0180.c200.0000 which is used for protocols like STP.

263
Multi-Selectmedium

Which TWO statements correctly describe the configuration and use of a voice VLAN on a Cisco switch port?

Select 2 answers
A.The voice VLAN is configured using the 'switchport mode trunk' command.
B.When a voice VLAN is configured, the switch port operates in two VLANs: one for data and one for voice traffic.
C.The voice VLAN must be the same as the native VLAN on the trunk link.
D.The IP phone uses CDP or LLDP to learn the voice VLAN ID from the switch.
E.The data VLAN and voice VLAN must be in the same IP subnet.
AnswersB, D

With voice VLAN, the port is an access port for the data VLAN and also accepts tagged traffic on the voice VLAN, effectively operating in two VLANs.

Why this answer

Option B is correct because when a voice VLAN is configured on a Cisco switch port, the port operates in two separate VLANs simultaneously: one for data traffic (the access VLAN) and one for voice traffic (the voice VLAN). This is achieved using the 'switchport voice vlan' command, which allows the switch to tag voice frames with the voice VLAN ID while leaving data frames untagged (or tagged with the access VLAN). This separation ensures that voice traffic receives appropriate QoS treatment and is isolated from data traffic.

Exam trap

Cisco often tests the misconception that a voice VLAN requires trunking or that the voice VLAN must match the native VLAN, but in reality, a voice VLAN is configured on an access port using the 'switchport voice vlan' command, and the native VLAN concept applies only to trunk ports.

Why the other options are wrong

A

Trunk mode is used to carry multiple VLANs, but for a single access port with voice, the port remains in access mode and uses the voice VLAN feature.

C

The native VLAN is used for untagged traffic on a trunk, while the voice VLAN is a specific VLAN that carries tagged voice traffic from the phone.

E

They are separate VLANs and usually belong to different subnets for logical separation and management.

264
MCQhard

An engineer is troubleshooting a first-hop redundancy issue on a subnet where two routers, R1 and R2, are configured with HSRP. Hosts on the VLAN are intermittently losing connectivity to the default gateway. The engineer runs the `show standby` command on R1 and sees this output: ``` Vlan1 - Group 10 State is Active 2 state changes, last state change 00:00:45 Virtual IP address is 192.168.1.254 Active virtual MAC address is 0000.0c07.ac0a Local virtual MAC address is 0000.0c07.ac0a (v1 default) Hello time 3 sec, hold time 10 sec Next hello sent in 1.2 secs Preemption enabled Active router is local Standby router is 192.168.1.1, priority 200 (configured 200) Priority 150 (configured 150) Group name is "hsrp-Vlan1-10" (default) ``` What is the most likely root cause of the problem?

A.Increase the priority on R1 above 150.
B.Change the HSRP group number on R1 to 20.
C.Disable preemption on R1.
D.Increase the hello timer on R1 to 10 seconds.
AnswerA

R1's priority of 100 is lower than the active router's 150. With preemption enabled, R1 will only become active if its priority is higher. Raising R1's priority above 150 allows it to preempt and become the active router, resolving the instability.

Why this answer

The output shows R1 is in the 'Active' state with priority 150, but the 'Standby' router (R2) has a higher priority of 200. With preemption enabled (as indicated by 'Preempt' in the output), R2 will preempt R1 and become the active router, causing intermittent connectivity as the active gateway flips. Increasing R1's priority above 150 (e.g., to 210) ensures R1 remains the active router, stabilizing the default gateway.

Exam trap

Cisco often tests the misconception that increasing the hello timer or disabling preemption on the local router solves a preemption issue caused by a higher-priority remote router, when in fact the fix is to either raise the local priority or disable preemption on the higher-priority neighbor.

Why the other options are wrong

B

This would break the HSRP relationship entirely, not fix the priority issue.

C

Preemption is not the cause; it is actually desired to allow a higher-priority router to take over.

D

This does not address the priority mismatch and could worsen convergence time.

265
PBQeasy

You are connected to SW1, a Layer 2 switch. The network administrator wants to prevent unauthorized switches from being connected to access ports. Port G0/1 is an access port in VLAN 10. You need to configure BPDU Guard on this port to protect against STP loops caused by rogue switches. Additionally, enable PortFast for immediate transition to forwarding.

Hints

  • PortFast should be applied to access ports to reduce STP convergence time.
  • BPDU Guard disables the port if a BPDU is received.
  • Both commands are under the interface configuration.
A.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree bpduguard enable
B.SW1(config)# spanning-tree portfast default SW1(config)# spanning-tree bpduguard default
C.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree guard root
D.SW1(config-if)# spanning-tree portfast SW1(config-if)# spanning-tree bpduguard disable
AnswerA
solution
! SW1
interface GigabitEthernet0/1
spanning-tree portfast
spanning-tree bpduguard enable

Why this answer

PortFast allows an access port to skip STP listening/learning and transition immediately to forwarding. BPDU Guard protects against STP loops by error-disabling the port if a BPDU is received, which would indicate an unauthorized switch connection.

Exam trap

Be careful to distinguish between interface-level and global commands for PortFast and BPDU Guard. Also, remember that BPDU Guard uses 'bpduguard enable' (not 'disable') and is different from Root Guard ('guard root').

Why the other options are wrong

B

The specific factual error is that global commands affect all ports, not a single interface.

C

The specific factual error is confusing Root Guard with BPDU Guard; they serve different purposes.

D

The specific factual error is using the 'disable' keyword instead of 'enable' to activate BPDU Guard.

266
PBQhard

You are connected to R1. The network uses HSRP to provide first-hop redundancy for VLAN 10 clients. R1 should be the active router with a priority of 150, preempt enabled, and should track interface GigabitEthernet0/1 (decrement priority by 20 if it goes down). The virtual IP is 192.168.10.254. Currently, both routers are active for the same group. Fix the configuration on R1 so that it becomes the active router and preempts when possible.

Network Topology
Gi0/0192.168.10.1/24Gi0/0192.168.10.2/24Gi0/110.0.0.1/30R2switchR1WANISP

Hints

  • Both routers show as active because preempt is missing and priority is equal (default 100).
  • You need to increase the priority and enable preempt on R1.
  • Use the 'track' command to decrement priority if the uplink fails.
A.interface Vlan10\n standby 10 ip 192.168.10.254\n standby 10 priority 150\n standby 10 preempt\n standby 10 track GigabitEthernet0/1 20
B.interface Vlan10\n standby 10 ip 192.168.10.254\n standby 10 priority 150\n standby 10 preempt\n standby 10 track GigabitEthernet0/1 20 decrement
C.interface Vlan10\n standby 10 ip 192.168.10.254\n standby 10 priority 150\n standby 10 preempt delay 20\n standby 10 track GigabitEthernet0/1
D.interface Vlan10\n standby 10 ip 192.168.10.254\n standby 10 priority 150\n standby 10 preempt\n standby 10 track GigabitEthernet0/1 20 priority
AnswerA
solution
! R1
interface GigabitEthernet0/0
standby 10 priority 150
standby 10 preempt
standby 10 track GigabitEthernet0/1 20

Why this answer

Both routers are active for HSRP group 10 because the virtual IP address is not configured or is mismatched, causing a split-brain scenario. The correct fix must include setting the virtual IP with 'standby 10 ip 192.168.10.254', raising R1's priority to 150, enabling preempt, and tracking GigabitEthernet0/1 with a decrement of 20. Option A supplies all required commands with proper syntax.

Other options either omit the vital IP configuration or have invalid keywords like 'decrement' or 'preempt delay'.

Exam trap

Be careful with the exact syntax of HSRP commands. The 'standby track' command does not include the words 'decrement' or 'priority'. Also, 'preempt delay' is for delaying preemption, not for tracking.

Ensure you specify the decrement value correctly.

Why the other options are wrong

B

The specific factual error is that 'decrement' is not a valid keyword in the standby track command. The decrement value is specified directly after the interface.

C

The specific factual error is that 'preempt delay' is not the correct way to configure tracking. Tracking is done with the 'standby track' command, and the decrement value must be specified.

D

The specific factual error is that 'priority' is not a valid keyword in the standby track command. The decrement value is specified directly after the interface.

267
MCQhard

Refer to the exhibit. An engineer configured PortFast on interface GigabitEthernet0/1, which connects to a server that does not participate in spanning tree. However, the port remains in the listening state for the full forward delay period before transitioning to forwarding. The engineer issues the show spanning-tree vlan 10 detail command. Based on the output, what is the most likely cause?

A.The port is configured as a trunk, so PortFast is not active.
B.BPDU Guard is enabled on the port, causing it to block.
C.The forward delay timer is set too high, and PortFast cannot override it.
D.The server is sending BPDUs, causing the port to lose its PortFast state.
AnswerA

PortFast is only effective on access ports. The exhibit shows ‘Edge port: no (default) portfast: no (default)’ despite the engineer enabling PortFast, indicating the port is operating as a trunk (or not an access port). Therefore, PortFast has no effect and the normal STP listening/learning states apply.

Why this answer

The exhibit shows that GigabitEthernet0/1 is in ‘listening’ state with a forward delay timer of 12 seconds, and the lines ‘Edge port: no (default) portfast: no (default)’ indicate that PortFast is disabled. PortFast only takes effect on access ports; since the port is configured as a trunk (implied by the disconnected state of PortFast despite the engineer’s configuration), it does not skip listening/learning. The port is not in err-disabled state (no BPDU Guard block), and no BPDUs have been received (BPDU: received 0), ruling out other options.

Exam trap

Candidates often assume that the forward delay timer always causes slow convergence, but PortFast bypasses that timer entirely on access ports. Here, PortFast is disabled, so the timer runs normally, but the root cause is that PortFast is not active due to the port being a trunk.

Why the other options are wrong

B

The port is not in an err-disabled state; BPDU Guard causes the port to be shut down, not to stay in listening.

C

Misunderstanding that PortFast bypasses timers completely on access ports; the high forward delay is irrelevant if PortFast were active.

D

The assumption that the server is sending BPDUs is contradicted by the output showing zero BPDUs received.

268
PBQhard

You are connected to R1, a multilayer switch acting as the STP root for VLAN 10. Configure Root Guard on port GigabitEthernet0/1 (designated port) to protect against superior BPDUs from an unauthorized switch, Loop Guard on uplink GigabitEthernet0/2 to prevent loops, and BPDU Guard on PortFast-enabled GigabitEthernet0/3. After configuration, a superior BPDU arrives on G0/1, blocking the port; verify the Root Guard state and ensure BPDU Guard triggers err-disable on G0/3.

Network Topology
G0/1: designated portG0/2: uplinkG0/3: PortFastR1Access SwitchCore SwitchEnd Device

Hints

  • Root Guard is applied on ports that should never become root; use 'spanning-tree guard root'.
  • Loop Guard prevents alternate or root ports from becoming designated when BPDUs stop; use 'spanning-tree guard loop' on uplinks.
  • BPDU Guard combined with PortFast err-disables a port upon BPDU reception; enable with 'spanning-tree bpduguard enable' under the interface.
A.G0/1 is in root-inconsistent state; G0/3 is in err-disabled state.
B.G0/1 is in blocking state; G0/3 is in err-disabled state.
C.G0/1 is in root-inconsistent state; G0/3 is in blocking state.
D.G0/1 is in err-disabled state; G0/3 is in root-inconsistent state.
AnswerA
solution
! R1
interface GigabitEthernet0/1
spanning-tree guard root
interface GigabitEthernet0/2
spanning-tree guard loop
interface GigabitEthernet0/3
spanning-tree bpduguard enable

Why this answer

Root Guard is needed on the designated port (G0/1) to prevent an unauthorized switch from becoming root by sending superior BPDUs. Loop Guard on the uplink (G0/2) prevents loops if BPDUs stop arriving. BPDU Guard on PortFast ports (G0/3) immediately err-disables them upon BPDU reception.

The configuration uses 'spanning-tree guard root' on G0/1, 'spanning-tree guard loop' on G0/2, and 'spanning-tree bpduguard enable' on G0/3. Verification shows G0/1 blocked by root-inconsistent state and G0/3 in err-disabled state.

Exam trap

Do not confuse the states caused by Root Guard (root-inconsistent) and BPDU Guard (err-disable). Also, remember that Root Guard is applied to designated ports, not root or alternate ports.

Why the other options are wrong

B

Root Guard uses a specific 'root-inconsistent' state, not the generic 'blocking' state.

C

BPDU Guard triggers err-disable, not blocking. Blocking is an STP state, not an error state.

D

Root Guard and BPDU Guard have different effects: root-inconsistent vs. err-disable. Mixing them up is a common error.

269
PBQhard

You are connected to switch SW1 via console. The network uses Rapid-PVST+ and you need to ensure that SW1 becomes the root bridge for VLANs 10 and 20. Additionally, configure PortFast and BPDU Guard on interface GigabitEthernet0/2, which connects to an end host. Finally, diagnose why interface GigabitEthernet0/3 is in err-disabled state and bring it back operational.

Hints

  • PortFast and BPDU Guard are configured under the interface.
  • Err-disabled recovery often requires a manual shutdown/no shutdown.
  • Check the errdisable cause with 'show interfaces Gi0/3' to understand the specific issue.
A.Configure SW1 with spanning-tree vlan 10,20 priority 4096, enable PortFast and BPDU Guard on Gi0/2, and recover Gi0/3 by identifying the cause and using shutdown/no shutdown.
B.Set SW1's priority to 0 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by reloading the switch.
C.Configure SW1 with spanning-tree vlan 10,20 root primary, enable PortFast and BPDU Guard globally, and recover Gi0/3 by using the 'errdisable recovery cause all' command.
D.Set SW1's priority to 8192 for VLANs 10 and 20, enable PortFast on Gi0/2, and recover Gi0/3 by removing and reinserting the cable.
AnswerA
solution
! SW1
interface GigabitEthernet0/2
spanning-tree portfast
spanning-tree bpduguard enable
exit
interface GigabitEthernet0/3
shutdown
no shutdown
exit

Why this answer

To make SW1 the root bridge for VLANs 10 and 20, configure 'spanning-tree vlan 10,20 priority 4096' (a valid multiple of 4096). Interface Gi0/2 connects to an end host, so enable PortFast with 'spanning-tree portfast' and BPDU Guard with 'spanning-tree bpduguard enable' under the interface to protect against accidental BPDU reception. Gi0/3 is in err-disabled state.

Common causes include a port-security violation, UDLD misconfiguration, or a loopback detection. To recover, identify the cause with 'show interfaces status err-disabled', then administratively shut and no shut the interface. Option A correctly accomplishes these tasks.

Option B uses an invalid priority value (0) and reloading the switch is unnecessary. Option C configures 'root primary', which sets priority to 24576 but not 4096, and globally enabling PortFast and BPDU Guard is not recommended; also 'errdisable recovery cause all' might recover the port automatically but does not address the root cause. Option D uses priority 8192 (too high) and physical cable manipulation is not a valid recovery method.

Exam trap

Watch out for common mistakes: using invalid priority values (like 0), relying on 'root primary' which dynamically adjusts priority, forgetting BPDU Guard on edge ports, and attempting physical recovery instead of CLI commands. Always verify priority is a multiple of 4096 and that err-disable recovery uses administrative actions.

Why the other options are wrong

B

The specific factual error: Priority 0 is not a valid STP priority value; valid values are 0-61440 in increments of 4096, but 0 is reserved and not used in Cisco IOS. Also, reloading is not the recommended recovery for err-disable.

C

The specific factual error: 'root primary' does not set a fixed priority; it adjusts dynamically. Global PortFast and BPDU Guard can cause issues on trunk ports. 'errdisable recovery cause all' only enables automatic recovery after a timeout, not immediate recovery.

D

The specific factual error: Priority 8192 does not guarantee root bridge status if another switch has a lower priority. BPDU Guard is required on edge ports. Cable reseating does not clear err-disable state.

270
PBQhard

You are connected to R1. The network has three departments: Sales (VLAN 10, 192.168.1.0/24), Engineering (VLAN 20, 192.168.2.0/24), and Management (VLAN 99, 192.168.99.0/24). A single switch SW1 connects to R1 via trunk interface G0/0. Subinterfaces for VLANs 10, 20, and 99 are already configured on R1 with correct encapsulation and IP addresses. However, inter-VLAN communication is failing. Troubleshoot and fix the configuration issue on R1 to enable routing between all VLANs.

Network Topology
G0/0trunkR1SW1

Hints

  • Check the global routing status on R1.
  • The subinterfaces are correctly configured but the router cannot forward packets between them.
  • A single global command enables inter-VLAN routing on a router.
A.Enable 'ip routing' globally on R1.
B.Configure a subinterface for VLAN 1 and assign it an IP address.
C.Change the encapsulation on the subinterfaces from dot1Q to ISL.
D.Add a static route on R1 pointing to each VLAN subnet.
AnswerA
solution
! R1
configure terminal
ip routing

Why this answer

The router has correctly configured subinterfaces with 802.1Q encapsulation and IP addresses for VLANs 10, 20, and 99. However, 'ip routing' is disabled globally, so the router cannot forward packets between subinterfaces. Additionally, the native VLAN on the trunk is VLAN 1, but no subinterface for VLAN 1 is configured, and the native VLAN mismatch could cause issues; however, the main problem is the lack of IP routing.

Enable 'ip routing' globally and optionally configure a subinterface for the native VLAN if needed. The solution requires only 'ip routing' to enable inter-VLAN routing.

Exam trap

The trap is that candidates often focus on trunking issues or missing subinterfaces, but the most common misconfiguration in router-on-a-stick is forgetting to enable 'ip routing' globally. Always check the running-config for 'ip routing' before troubleshooting other aspects.

Why the other options are wrong

B

The specific factual error: The native VLAN does not need a subinterface; the router can still route traffic for other VLANs without it.

C

The specific factual error: ISL is not commonly used and would not fix the routing issue; the problem is IP routing disabled.

D

The specific factual error: Directly connected routes are automatically added; no static routes are required.

271
MCQmedium

Users on a new access switch can reach devices in their own VLAN but cannot reach the default gateway on the distribution switch. Based on the exhibit, what is the most likely cause?

A.VLAN 30 is missing from the allowed VLAN list on the trunk.
B.The user ports should be configured as trunks.
C.The SVI for VLAN 30 must be shutdown for inter-VLAN routing to work.
D.The trunk native VLAN must be changed to VLAN 30.
AnswerA

That prevents VLAN 30 frames from reaching the distribution switch.

Why this answer

The trunk allows only VLANs 10 and 20, so VLAN 30 traffic never crosses the uplink. Local switching inside VLAN 30 on the access switch can still work, which is why same-VLAN communication succeeds. Adding VLAN 30 to the allowed list is the direct fix.

Exam trap

A common exam trap is assuming that user ports must be trunks to enable VLAN communication beyond the local switch. In reality, user ports should remain access ports assigned to a single VLAN. Another trap is thinking that the SVI for VLAN 30 must be shut down to fix routing issues, but an active SVI is necessary for inter-VLAN routing.

Additionally, candidates may incorrectly focus on native VLAN mismatches, which do not block VLAN 30 traffic if the VLAN is not allowed on the trunk. The real issue is the missing VLAN 30 in the trunk's allowed VLAN list, which prevents VLAN 30 frames from reaching the distribution switch and the default gateway.

Why the other options are wrong

B

Incorrect because user ports should be configured as access ports, not trunks. Configuring user ports as trunks is unnecessary and can cause security and connectivity issues.

C

Incorrect because the SVI for VLAN 30 must be active for inter-VLAN routing to function. Shutting down the SVI would prevent routing, not enable it.

D

Incorrect because changing the trunk native VLAN to VLAN 30 is unrelated to the problem. Native VLAN mismatches affect untagged traffic but do not block VLAN 30 tagged frames if the VLAN is allowed.

272
PBQhard

You are connected to a Cisco 9800 WLC (WLC1) via its management interface. A wireless client reports association failures with SSID 'CorpNet'. The client uses WPA3-Personal, but the WLAN is configured for WPA2. Additionally, the SSID is hidden and the client is on the wrong VLAN (VLAN 20 instead of VLAN 100). Fix these issues so the client can associate successfully with WPA3, on VLAN 100, and with the SSID broadcast enabled.

Network Topology
192.168.100.2/24networkWLC1AP

Hints

  • Check the WLAN security settings: WPA3 requires 'security wpa wpa3' and removal of 'wpa2'.
  • The SSID is hidden; use 'broadcast-ssid' under the WLAN configuration.
  • The policy tag assigns VLAN 20; change it to VLAN 100 to match client requirements.
A.Enable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
B.Enable SSID broadcast, change security to WPA2-PSK, and assign VLAN 20 in the policy tag.
C.Disable SSID broadcast, change security to WPA3-Personal, and assign VLAN 100 in the policy tag.
D.Enable SSID broadcast, change security to WPA3-Enterprise, and assign VLAN 100 in the policy tag.
AnswerA
solution
! WLC1
configure terminal
wlan CorpNet 1 CorpNet
broadcast-ssid
no security wpa wpa2
security wpa wpa3
security wpa psk set-ccmp 0 7 1234567890
exit
wireless tag policy default-policy
vlan 100
end
write memory

Why this answer

The WLAN was configured for WPA2-PSK with a hidden SSID, and the policy tag assigned VLAN 20 instead of VLAN 100. To fix: (1) Enable SSID broadcast with 'broadcast-ssid'. (2) Change security to WPA3-Personal by removing WPA2 and enabling WPA3 with 'security wpa wpa3' and 'security wpa psk set-ccmp'. (3) Assign VLAN 100 in the policy tag with 'vlan 100'. The client should then associate.

Exam trap

Be careful to distinguish between WPA2 and WPA3, and between Personal (PSK) and Enterprise (802.1X). Also, remember that a hidden SSID must be broadcast for clients to discover it, and VLAN assignment is done in the policy tag, not the SSID configuration.

Why the other options are wrong

B

The specific factual error is that the client uses WPA3-Personal, so changing to WPA2-PSK does not meet the requirement. Also, VLAN 20 is the wrong VLAN.

C

The specific factual error is that the SSID is currently hidden and the client cannot see it; enabling broadcast is required, not disabling.

D

The specific factual error is that WPA3-Personal uses a pre-shared key, while WPA3-Enterprise requires 802.1X authentication. The client is configured for Personal mode.

273
MCQhard

A user reports that their computer cannot access the network. The technician checks the computer's IP configuration and finds an APIPA address (169.254.x.x). The computer is connected to a switch port on VLAN 20. The DHCP server is located on VLAN 1. The technician then examines the router's interfaces using 'show ip interface brief' and sees that all interfaces shown are up/up. What should the technician do next?

A.Check the DHCP server logs to see if it is receiving Discover messages.
B.Verify that the ip helper-address command is configured on the router's VLAN 20 interface.
C.Attempt to ping the DHCP server's IP address from the host's APIPA address.
D.Restart the DHCP service on the server and recheck the host.
AnswerB

The router is the intervlan router, and the DHCP server is on a different subnet. For a DHCP Discover broadcast to cross VLANs, the router must have an IP helper-address pointing to the DHCP server's IP address on the VLAN 20 interface. Since all ports are up/up, the problem is almost certainly the missing relay. Checking this config directly addresses the most probable cause.

Why this answer

The APIPA address (169.254.x.x) indicates the host failed to obtain a DHCP lease. Since the DHCP server is on VLAN 1 and the host is on VLAN 20, a DHCP relay (ip helper-address) must be configured on the router's VLAN 20 interface to forward DHCP broadcast messages to the server. The 'show ip interface brief' shows all interfaces are up/up, so the next logical step is to verify the relay configuration.

Exam trap

Cisco often tests the concept that a DHCP relay (ip helper-address) is required when the DHCP server is on a different subnet, and candidates mistakenly focus on server-side issues or ping tests instead of the router configuration.

Why the other options are wrong

A

This action assumes the DHCP request has already reached the server; it bypasses verifying the network path that would deliver the broadcast to the server, which is the most likely missing piece.

C

Candidates might think that if the ping fails, the problem is network connectivity, but APIPA addresses are non-routable and the test itself is invalid in this context.

D

Many techs jump to rebooting a service when a simple configuration check would reveal the real problem. This violates the principle of least intrusive troubleshooting.

274
PBQhard

You are connected to a single switch, SW1, which is a Cisco Catalyst 2960 running Cisco IOS. Configure port GigabitEthernet0/1 as an access port for a Cisco IP phone and a PC on the same VLAN (Voice VLAN 20, Data VLAN 10). The switch must provide PoE to the phone. Additionally, configure GigabitEthernet0/2 as an access port for a wireless access point (AP) that requires PoE. Verify both configurations using the appropriate show commands. The current running-config is incomplete; you must add the necessary commands.

Hints

  • Voice VLAN is configured with a separate command on the interface.
  • PoE may be disabled; use 'power inline auto' to enable it.
  • Use 'show interfaces switchport' to confirm voice VLAN assignment.
A.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
B.interface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan 10,20 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
C.interface GigabitEthernet0/1 switchport mode access switchport access vlan 10 switchport voice vlan 20 power inline never interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
D.interface GigabitEthernet0/1 switchport mode access switchport access vlan 20 switchport voice vlan 10 power inline auto interface GigabitEthernet0/2 switchport mode access switchport access vlan 10 power inline auto
AnswerA
solution
! SW1
configure terminal
interface gigabitEthernet 0/1
switchport voice vlan 20
power inline auto
exit
interface gigabitEthernet 0/2
power inline auto
end
write memory

Why this answer

The configuration was missing the voice VLAN assignment on Gi0/1 and PoE settings on both ports. For Gi0/1, the command 'switchport voice vlan 20' is required to separate voice traffic from data traffic. For both Gi0/1 and Gi0/2, PoE must be enabled; by default 'power inline auto' is set, but since the ports show 'off', they may have been disabled.

The solution ensures PoE is enabled with 'power inline auto' and sets the voice VLAN correctly. Verification with 'show interfaces switchport' should show 'Voice VLAN: 20' and 'show power inline' should show 'auto' for both ports.

Exam trap

Candidates often confuse the need for a trunk port when multiple VLANs are involved, but the voice VLAN feature allows an access port to carry both data and voice traffic. Also, remember that 'power inline auto' is the default but may need to be explicitly configured if disabled. Always verify with 'show interfaces switchport' to see the voice VLAN and 'show power inline' to see PoE status.

Why the other options are wrong

B

The specific factual error is that trunk ports are used to carry multiple VLANs between switches, not for connecting end devices like phones and PCs. The correct method is to use an access port with a voice VLAN.

C

The specific factual error is that 'power inline never' explicitly disables PoE, which would prevent the phone from powering on. The correct command is 'power inline auto' to enable PoE detection and delivery.

D

The specific factual error is that the VLAN numbers are reversed. The access VLAN should be the data VLAN (10), and the voice VLAN should be 20. Swapping them would place data traffic in VLAN 20 and voice in VLAN 10, which is not the intended configuration.

275
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure a Cisco switch access port with a data VLAN and a voice VLAN.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, enter global configuration mode with 'configure terminal'. Next, select the interface using 'interface GigabitEthernet0/1'. Then, set the port to access mode with 'switchport mode access' to prevent trunk negotiation.

After that, assign the data VLAN with 'switchport access vlan 10'. Finally, assign the voice VLAN with 'switchport voice vlan 20'. This order ensures the interface is properly configured before VLAN assignment and prevents DTP from creating a trunk.

276
MCQhard

A technician is troubleshooting a connectivity issue where a workstation connected to a Cisco switch port cannot ping other hosts that are in the same VLAN 10 segment. The technician runs the show mac address-table command and notices that the workstation's MAC address is listed on VLAN 1, not VLAN 10. What is the most likely cause?

A.The switch port is not configured with the switchport access vlan 10 command.
B.The switch port is configured as a trunk with native VLAN 1.
C.The MAC address table contains a stale entry that must be cleared.
D.Spanning Tree Protocol has placed the port in a blocking state.
AnswerA

When an access port's VLAN is not explicitly set, the port defaults to VLAN 1. The workstation's MAC is learned on VLAN 1, causing connectivity failure with VLAN 10 hosts. Adding the switchport access vlan 10 command resolves the issue.

Why this answer

The workstation's MAC address appears in VLAN 1 instead of VLAN 10 because the switch port is operating in the default VLAN (VLAN 1). The most likely cause is that the port has not been explicitly assigned to VLAN 10 using the `switchport access vlan 10` command. Without this command, the port remains in its default access VLAN (VLAN 1), so all frames from the workstation are associated with VLAN 1, preventing communication with hosts in VLAN 10.

Exam trap

Cisco often tests the default VLAN behavior (VLAN 1) and the fact that an access port without an explicit VLAN assignment remains in VLAN 1, leading candidates to overlook the missing `switchport access vlan` command and instead blame trunking, STP, or MAC table aging.

Why the other options are wrong

B

Candidates often assume any VLAN mismatch with VLAN 1 indicates a trunk misconfiguration, but a missing access VLAN is the more common and direct cause.

C

Candidates might think that an outdated MAC record is causing the VLAN display, but the dynamic learning process reflects the actual port VLAN.

D

Tempting because a blocked port can disrupt connectivity, but the MAC address table entry would still appear on the correct VLAN, not default to VLAN 1.

277
MCQmedium

Exhibit: A host on VLAN 10 can ping the local SVI but not a server in VLAN 20. The Layer 3 switch has both VLAN interfaces up. What is the next item to verify first?

A.Whether the server in VLAN 20 has the correct default gateway
B.Whether the switch should disable IP routing
C.Whether VLAN 10 should be the native VLAN
D.Whether the host should use a /8 mask instead of /24
AnswerA

End-host gateway issues are a very common reason for one-way inter-VLAN failures.

Why this answer

If the source host can reach its own default gateway, the local VLAN and access port are probably fine. The next practical check is whether the server in VLAN 20 has the correct IP address, mask, and default gateway configured.

Exam trap

A frequent exam trap is to overlook the remote device’s default gateway configuration and instead suspect the Layer 3 switch’s routing or VLAN setup. Candidates often assume that because the VLAN interfaces are up, routing must be functional. However, if the server in VLAN 20 lacks the correct default gateway pointing to its VLAN SVI, it cannot return traffic to the source host, causing failed pings.

This one-way communication failure can mislead candidates into troubleshooting switch settings unnecessarily, wasting time and missing the root cause.

Why the other options are wrong

B

Disabling IP routing on the Layer 3 switch would prevent inter-VLAN routing entirely. Since both VLAN interfaces are up and the host can ping its local SVI, IP routing is likely enabled, so this is not the first item to verify.

C

The native VLAN setting affects untagged traffic on trunk links but does not directly impact inter-VLAN routing or the ability of hosts to communicate across VLANs. It is not the primary cause of the described symptom.

D

Using a /8 mask instead of /24 would cause subnetting issues, but since the host can ping its own VLAN interface, the subnet mask is likely correct. This is not the first or most probable cause of the problem.

278
PBQmedium

You are connected to SW1 via the console. SW1 is a Layer 2 switch with two VLANs (10 - Sales, 20 - Engineering). Port G0/1 is connected to a PC in VLAN 10, and port G0/2 is connected to a PC in VLAN 20. The switch needs to be configured to allow inter-VLAN communication using an external router connected to port G0/3. Currently, the PCs cannot communicate across VLANs. Configure the switch to support Router-on-a-Stick with VLAN 10 as the native VLAN on the trunk.

Network Topology
G0/1G0/1G0/3G0/3G0/0G0/0PC1SW1R1PC2

Hints

  • Remember to set the trunk port encapsulation if needed (though modern switches default to dot1q).
  • The native VLAN on the trunk must match what the router expects.
  • Use switchport mode access for ports connecting to end devices.
A.Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 10, and allow VLANs 10 and 20 on the trunk.
B.Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 1, and allow VLANs 10 and 20 on the trunk.
C.Configure G0/1 as access VLAN 10, G0/2 as access VLAN 20, G0/3 as trunk with native VLAN 10, but do not allow VLAN 10 on the trunk.
D.Configure G0/1 as trunk with native VLAN 10, G0/2 as trunk with native VLAN 20, G0/3 as trunk with native VLAN 10, and allow VLANs 10 and 20 on all trunks.
AnswerA
solution
! SW1
vlan 10
name Sales
vlan 20
name Engineering
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20
interface GigabitEthernet0/3
switchport mode trunk
switchport trunk native vlan 10

Why this answer

Access ports assign PCs to their respective VLANs. The trunk port carries multiple VLANs to the router, and setting the native VLAN to 10 ensures untagged frames on the trunk belong to VLAN 10, which the router's subinterface for VLAN 10 will handle as untagged.

Exam trap

A common trap is to leave the native VLAN as the default VLAN 1 or to forget that the native VLAN must be explicitly allowed on the trunk. Also, candidates may incorrectly configure PC-facing ports as trunks instead of access ports. Always verify the native VLAN matches the router's untagged subinterface and that the allowed VLAN list includes all necessary VLANs.

Why the other options are wrong

B

The native VLAN must match the VLAN that the router's subinterface handles as untagged. Setting it to VLAN 1 violates the requirement.

C

The trunk must carry all VLANs that need inter-VLAN communication. Excluding VLAN 10 prevents its traffic from reaching the router.

D

PCs are end devices that expect untagged frames; they should be connected to access ports, not trunk ports.

← PreviousPage 4 of 4 · 278 questions total

Ready to test yourself?

Try a timed practice session using only VLAN questions.