- A
VLAN 40 is active, so spanning tree must be blocking it
Why wrong: Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.
- B
VLAN 40 is not in the native VLAN, so it cannot cross the trunk
Why wrong: A VLAN does not need to be the native VLAN in order to cross an 802.1Q trunk. Most VLANs cross as tagged traffic. The native VLAN is only the VLAN carried untagged on that trunk. VLAN 40 could still be transported normally if it were permitted on the trunk, but it is not.
- C
VLAN 40 is not permitted on the trunk
Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.
- D
802.1Q trunks can carry only three VLANs at a time
Why wrong: An 802.1Q trunk is not limited to only three VLANs. The number shown here is the result of configuration, not a protocol maximum. Switches can carry many VLANs on a trunk when configured appropriately.
Quick Answer
The answer is that VLAN 40 is not permitted on the trunk because it is missing from the allowed VLAN list. The show interfaces trunk output clearly lists only VLANs 10, 20, and 30 as allowed, so even though VLAN 40 is active on the switch, it cannot cross the trunk link. This is a classic CCNA 200-301 v2 troubleshooting scenario where the distinction between a VLAN being active in the management domain and being allowed on a specific trunk is tested. A common trap is to confuse the native VLAN with the allowed VLAN list—the native VLAN only affects untagged traffic, not which VLANs can traverse the trunk. Another trap is assuming spanning tree blocks VLANs by default, but STP only blocks when a loop is detected, which is not shown here. For the exam, remember the memory tip: "Allowed is the gatekeeper, active is just the guest list."
CCNA Switching and Network Access Practice Question
This 200-301 practice question tests your understanding of switching and network access. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A switch displays the following output:
Switch# show interfaces trunk
Port Mode Encapsulation Status Native vlan Gi1/0/24 on 802.1q trunking 99
Port Vlans allowed on trunk Gi1/0/24 10,20,30
Port Vlans active in management domain Gi1/0/24 10,20,30,40
Users in VLAN 40 cannot reach resources across this trunk.
What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"most likely"Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
VLAN 40 is not permitted on the trunk
The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted. Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.
Key principle: A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
VLAN 40 is active, so spanning tree must be blocking it
Why it's wrong here
Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.
When this WOULD be correct
In a different scenario, if a question stated that VLAN 40 is configured but the switch output showed that spanning tree was blocking the port due to a loop, then this option would be correct. For example, if the question indicated that VLAN 40 was indeed allowed but was not reachable due to spanning tree blocking it.
- ✗
VLAN 40 is not in the native VLAN, so it cannot cross the trunk
Why it's wrong here
A VLAN does not need to be the native VLAN in order to cross an 802.1Q trunk. Most VLANs cross as tagged traffic. The native VLAN is only the VLAN carried untagged on that trunk. VLAN 40 could still be transported normally if it were permitted on the trunk, but it is not.
When this WOULD be correct
In a different scenario, if the question stated that VLAN 40 was configured as the native VLAN and the trunk port was set to only allow tagged traffic, then this option would be correct. This would mean VLAN 40's untagged traffic would not be transmitted across the trunk.
- ✓
VLAN 40 is not permitted on the trunk
Why this is correct
Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
- ✗
802.1Q trunks can carry only three VLANs at a time
Why it's wrong here
An 802.1Q trunk is not limited to only three VLANs. The number shown here is the result of configuration, not a protocol maximum. Switches can carry many VLANs on a trunk when configured appropriately.
When this WOULD be correct
In a different scenario where the question states that a switch is configured to only allow a maximum of three VLANs on a trunk, and the output confirms that only three VLANs are listed, this option would be correct. The question would need to specify a limitation on the number of VLANs allowed on the trunk.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓VLAN 40 is not permitted on the trunkCorrect answer▾
Why this is correct
Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.
✗VLAN 40 is active, so spanning tree must be blocking itWrong answer — click to see why▾
Why this is wrong here
Spanning Tree Protocol (STP) can block a VLAN if there is a loop, but the output shows VLAN 40 is active in the management domain and not listed as blocked. The explicit absence of VLAN 40 from the allowed VLAN list is the direct cause, not STP.
★ When this WOULD be the correct answer
In a different scenario, if a question stated that VLAN 40 is configured but the switch output showed that spanning tree was blocking the port due to a loop, then this option would be correct. For example, if the question indicated that VLAN 40 was indeed allowed but was not reachable due to spanning tree blocking it.
Why candidates choose this
Students may confuse STP blocking with VLAN filtering, especially when a VLAN is active but not forwarding. However, STP blocking would affect all VLANs on a port, not a single VLAN, and the trunk status shows 'trunking' indicating STP is not blocking the entire port.
✗VLAN 40 is not in the native VLAN, so it cannot cross the trunkWrong answer — click to see why▾
Why this is wrong here
The native VLAN is only for untagged traffic on an 802.1Q trunk. All other VLANs are tagged and can cross the trunk regardless of the native VLAN. VLAN 40 is not the native VLAN, but that does not prevent it from being carried if permitted.
★ When this WOULD be the correct answer
In a different scenario, if the question stated that VLAN 40 was configured as the native VLAN and the trunk port was set to only allow tagged traffic, then this option would be correct. This would mean VLAN 40's untagged traffic would not be transmitted across the trunk.
Why candidates choose this
There is a common misconception that only the native VLAN can cross a trunk, or that non-native VLANs require special configuration. In reality, any VLAN can be tagged and carried as long as it is in the allowed list.
✗802.1Q trunks can carry only three VLANs at a timeWrong answer — click to see why▾
Why this is wrong here
802.1Q has no limit of three VLANs per trunk; it can support up to 4094 VLANs. The output shows only three VLANs allowed because of configuration, not a protocol limitation.
★ When this WOULD be the correct answer
In a different scenario where the question states that a switch is configured to only allow a maximum of three VLANs on a trunk, and the output confirms that only three VLANs are listed, this option would be correct. The question would need to specify a limitation on the number of VLANs allowed on the trunk.
Why candidates choose this
The output shows exactly three VLANs in the allowed list, which might lead a student to think there is a limit. However, this is just a coincidence of the configuration, not a protocol constraint.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Ensure you differentiate between VLANs configured on the switch and those allowed on the trunk. Just because a VLAN is active doesn't mean it's allowed on a trunk.
Trap categories for this question
Command / output trap
Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.
Detailed technical explanation
How to think about this question
A VLAN (Virtual Local Area Network) logically segments a switch into separate broadcast domains, allowing devices in the same VLAN to communicate as if they were on the same physical network. Trunk links between switches carry traffic for multiple VLANs simultaneously by tagging frames with VLAN identifiers using protocols like 802.1Q. The trunk port configuration determines which VLANs are allowed to traverse the link, controlling inter-switch VLAN traffic flow. The 'allowed VLANs' list on a trunk port explicitly controls which VLANs can send and receive traffic across that trunk. Even if a VLAN is active and configured on the switch, it will not be carried over the trunk unless it is included in the allowed VLAN list. This filtering mechanism is crucial for network segmentation and security, preventing unwanted VLAN traffic from crossing certain links. The native VLAN is only the VLAN that is sent untagged on the trunk and does not affect whether other VLANs are permitted. A common exam trap is to confuse VLAN presence on the switch with VLAN permission on the trunk. Just because a VLAN is active on the switch does not guarantee it can cross every trunk link. Misunderstanding the allowed VLAN list leads to incorrect assumptions about connectivity issues. Practically, network engineers must verify trunk allowed VLANs when troubleshooting VLAN reachability problems, as missing VLANs in this list block traffic even if the VLAN exists and is active on both ends.
KKey Concepts to Remember
- A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
- An 802.1Q trunk port carries traffic for multiple VLANs by tagging frames with VLAN identifiers to distinguish VLAN membership.
- The allowed VLAN list on a trunk port controls which VLANs are permitted to send and receive traffic across that trunk link.
- A VLAN must be included in the trunk's allowed VLAN list to be transported across the trunk, regardless of its active status on the switch.
- The native VLAN is the VLAN that is sent untagged on an 802.1Q trunk and does not restrict other VLANs from crossing the trunk.
- Traffic from VLANs not permitted on a trunk is blocked at the trunk interface, preventing communication across that link.
- Switches can have VLANs active in the management domain that do not cross trunks if those VLANs are excluded from the allowed VLAN list.
- Troubleshooting VLAN connectivity issues requires verifying both VLAN existence on switches and VLAN permission on trunk links.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
Real-world example
How this comes up in practice
A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.
What to study next
Got this wrong? Here's your next step.
Review a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Switching and Network Access — study guide chapter
Learn the concepts, then practise the questions
- →
Switching and Network Access practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Switching and Network Access — This question tests Switching and Network Access — A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network..
What is the correct answer to this question?
The correct answer is: VLAN 40 is not permitted on the trunk — The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted. Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.
What should I do if I get this 200-301 question wrong?
Review a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network., then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
2 more ways this is tested on 200-301
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Exhibit: Users on SW2 in VLAN 30 can reach local devices but not hosts in VLAN 30 on SW1. What is the most likely reason?
hard- A.The trunk native VLAN is 1 on both sides
- ✓ B.VLAN 30 is not allowed on the trunk
- C.SW2 must run VTP server mode
- D.Spanning tree blocks all user VLANs by default
Why B: The trunk is allowing only VLANs 10 and 20. Even though both switches have VLAN 30 defined locally, VLAN 30 traffic cannot cross the trunk unless that VLAN is allowed on the link. Option A is incorrect because the native VLAN (default 1) does not affect tagged VLAN 30 traffic, and native VLAN mismatch causes different issues. Option C is incorrect because VTP is used for VLAN database synchronization, not for forwarding traffic over a trunk; switches do not need to be VTP servers to pass VLAN traffic. Option D is incorrect because spanning tree only blocks redundant paths to prevent loops, not all user VLANs by default.
Variation 2. A switch displays this output: Port Name Status Vlan Fa0/1 connected 10 Fa0/2 connected 10 Fa0/24 connected trunk Which port should be checked first if a user in VLAN 20 cannot reach the distribution switch over the uplink?
medium- A.Fa0/1
- B.Fa0/2
- ✓ C.Fa0/24
- D.Any access port in VLAN 1
Why C: If users in VLAN 20 must cross the uplink, the trunk port is the first place to verify allowed VLANs and tagging.
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.