Which TWO statements are true about configuring and verifying VLANs, 802.1Q trunking, native VLAN, and inter-VLAN routing with router-on-a-stick?
This is correct because the router needs a subinterface per VLAN, each with an IP address and the dot1Q encapsulation to identify the VLAN.
Why this answer
Option A is correct because in a router-on-a-stick configuration, each subinterface must be assigned an IP address and use the encapsulation dot1Q command to associate it with a specific VLAN ID; this enables the router to process tagged frames from multiple VLANs over a single physical link. Option D is also correct because the native VLAN configured on the switchport trunk must match the native VLAN used on the router's subinterface (or physical interface if no subinterface); a mismatch causes the router to mishandle untagged frames because it expects them to belong to the configured native VLAN, leading to communication failures. Option B is wrong because on an 802.1Q trunk, the native VLAN frames are sent untagged, not tagged.
Option C is wrong because the command 'switchport trunk native vlan 10' only changes the native VLAN; it does not restrict which VLANs are allowed—that requires 'switchport trunk allowed vlan'. Option E is wrong because 'show interfaces trunk' shows trunking status, native VLAN, and allowed VLAN lists on switch ports, not IP addresses of router subinterfaces.
Exam trap
Cisco often tests the misconception that the native VLAN is tagged on a trunk, or that the switchport trunk native vlan command controls allowed VLANs, when in fact it only changes which VLAN is untagged.
Why the other options are wrong
The native VLAN is sent untagged to maintain backward compatibility with devices that do not understand 802.1Q tagging.
The command to restrict allowed VLANs is switchport trunk allowed vlan, not the native VLAN command.
To see IP addresses on subinterfaces, use show ip interface brief or show running-config on the router.