Question 369 of 1,819
Switching and Network AccesshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that VLAN 40 is not permitted on the trunk because it is missing from the allowed VLAN list. The show interfaces trunk output clearly lists only VLANs 10, 20, and 30 as allowed, so even though VLAN 40 is active on the switch, it cannot cross the trunk link. This is a classic CCNA 200-301 v2 troubleshooting scenario where the distinction between a VLAN being active in the management domain and being allowed on a specific trunk is tested. A common trap is to confuse the native VLAN with the allowed VLAN list—the native VLAN only affects untagged traffic, not which VLANs can traverse the trunk. Another trap is assuming spanning tree blocks VLANs by default, but STP only blocks when a loop is detected, which is not shown here. For the exam, remember the memory tip: "Allowed is the gatekeeper, active is just the guest list."

CCNA Switching and Network Access Practice Question

This 200-301 practice question tests your understanding of switching and network access. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A switch displays the following output:

Switch# show interfaces trunk

Port Mode Encapsulation Status Native vlan Gi1/0/24 on 802.1q trunking 99

Port Vlans allowed on trunk Gi1/0/24 10,20,30

Port Vlans active in management domain Gi1/0/24 10,20,30,40

Users in VLAN 40 cannot reach resources across this trunk.

What is the most likely reason?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

VLAN 40 is not permitted on the trunk

The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted. Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.

Key principle: A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • VLAN 40 is active, so spanning tree must be blocking it

    Why it's wrong here

    Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.

    When this WOULD be correct

    In a different scenario, if a question stated that VLAN 40 is configured but the switch output showed that spanning tree was blocking the port due to a loop, then this option would be correct. For example, if the question indicated that VLAN 40 was indeed allowed but was not reachable due to spanning tree blocking it.

  • VLAN 40 is not in the native VLAN, so it cannot cross the trunk

    Why it's wrong here

    A VLAN does not need to be the native VLAN in order to cross an 802.1Q trunk. Most VLANs cross as tagged traffic. The native VLAN is only the VLAN carried untagged on that trunk. VLAN 40 could still be transported normally if it were permitted on the trunk, but it is not.

    When this WOULD be correct

    In a different scenario, if the question stated that VLAN 40 was configured as the native VLAN and the trunk port was set to only allow tagged traffic, then this option would be correct. This would mean VLAN 40's untagged traffic would not be transmitted across the trunk.

  • VLAN 40 is not permitted on the trunk

    Why this is correct

    Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.

  • 802.1Q trunks can carry only three VLANs at a time

    Why it's wrong here

    An 802.1Q trunk is not limited to only three VLANs. The number shown here is the result of configuration, not a protocol maximum. Switches can carry many VLANs on a trunk when configured appropriately.

    When this WOULD be correct

    In a different scenario where the question states that a switch is configured to only allow a maximum of three VLANs on a trunk, and the output confirms that only three VLANs are listed, this option would be correct. The question would need to specify a limitation on the number of VLANs allowed on the trunk.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

VLAN 40 is not permitted on the trunkCorrect answer

Why this is correct

Correct. This is correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

VLAN 40 is active, so spanning tree must be blocking itWrong answer — click to see why

Why this is wrong here

Spanning Tree Protocol (STP) can block a VLAN if there is a loop, but the output shows VLAN 40 is active in the management domain and not listed as blocked. The explicit absence of VLAN 40 from the allowed VLAN list is the direct cause, not STP.

★ When this WOULD be the correct answer

In a different scenario, if a question stated that VLAN 40 is configured but the switch output showed that spanning tree was blocking the port due to a loop, then this option would be correct. For example, if the question indicated that VLAN 40 was indeed allowed but was not reachable due to spanning tree blocking it.

Why candidates choose this

Students may confuse STP blocking with VLAN filtering, especially when a VLAN is active but not forwarding. However, STP blocking would affect all VLANs on a port, not a single VLAN, and the trunk status shows 'trunking' indicating STP is not blocking the entire port.

VLAN 40 is not in the native VLAN, so it cannot cross the trunkWrong answer — click to see why

Why this is wrong here

The native VLAN is only for untagged traffic on an 802.1Q trunk. All other VLANs are tagged and can cross the trunk regardless of the native VLAN. VLAN 40 is not the native VLAN, but that does not prevent it from being carried if permitted.

★ When this WOULD be the correct answer

In a different scenario, if the question stated that VLAN 40 was configured as the native VLAN and the trunk port was set to only allow tagged traffic, then this option would be correct. This would mean VLAN 40's untagged traffic would not be transmitted across the trunk.

Why candidates choose this

There is a common misconception that only the native VLAN can cross a trunk, or that non-native VLANs require special configuration. In reality, any VLAN can be tagged and carried as long as it is in the allowed list.

802.1Q trunks can carry only three VLANs at a timeWrong answer — click to see why

Why this is wrong here

802.1Q has no limit of three VLANs per trunk; it can support up to 4094 VLANs. The output shows only three VLANs allowed because of configuration, not a protocol limitation.

★ When this WOULD be the correct answer

In a different scenario where the question states that a switch is configured to only allow a maximum of three VLANs on a trunk, and the output confirms that only three VLANs are listed, this option would be correct. The question would need to specify a limitation on the number of VLANs allowed on the trunk.

Why candidates choose this

The output shows exactly three VLANs in the allowed list, which might lead a student to think there is a limit. However, this is just a coincidence of the configuration, not a protocol constraint.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Ensure you differentiate between VLANs configured on the switch and those allowed on the trunk. Just because a VLAN is active doesn't mean it's allowed on a trunk.

Trap categories for this question

  • Command / output trap

    Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.

Detailed technical explanation

How to think about this question

A VLAN (Virtual Local Area Network) logically segments a switch into separate broadcast domains, allowing devices in the same VLAN to communicate as if they were on the same physical network. Trunk links between switches carry traffic for multiple VLANs simultaneously by tagging frames with VLAN identifiers using protocols like 802.1Q. The trunk port configuration determines which VLANs are allowed to traverse the link, controlling inter-switch VLAN traffic flow. The 'allowed VLANs' list on a trunk port explicitly controls which VLANs can send and receive traffic across that trunk. Even if a VLAN is active and configured on the switch, it will not be carried over the trunk unless it is included in the allowed VLAN list. This filtering mechanism is crucial for network segmentation and security, preventing unwanted VLAN traffic from crossing certain links. The native VLAN is only the VLAN that is sent untagged on the trunk and does not affect whether other VLANs are permitted. A common exam trap is to confuse VLAN presence on the switch with VLAN permission on the trunk. Just because a VLAN is active on the switch does not guarantee it can cross every trunk link. Misunderstanding the allowed VLAN list leads to incorrect assumptions about connectivity issues. Practically, network engineers must verify trunk allowed VLANs when troubleshooting VLAN reachability problems, as missing VLANs in this list block traffic even if the VLAN exists and is active on both ends.

KKey Concepts to Remember

  • A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
  • An 802.1Q trunk port carries traffic for multiple VLANs by tagging frames with VLAN identifiers to distinguish VLAN membership.
  • The allowed VLAN list on a trunk port controls which VLANs are permitted to send and receive traffic across that trunk link.
  • A VLAN must be included in the trunk's allowed VLAN list to be transported across the trunk, regardless of its active status on the switch.
  • The native VLAN is the VLAN that is sent untagged on an 802.1Q trunk and does not restrict other VLANs from crossing the trunk.
  • Traffic from VLANs not permitted on a trunk is blocked at the trunk interface, preventing communication across that link.
  • Switches can have VLANs active in the management domain that do not cross trunks if those VLANs are excluded from the allowed VLAN list.
  • Troubleshooting VLAN connectivity issues requires verifying both VLAN existence on switches and VLAN permission on trunk links.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network., then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Switching and Network Access — This question tests Switching and Network Access — A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network..

What is the correct answer to this question?

The correct answer is: VLAN 40 is not permitted on the trunk — The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list (only 10, 20, 30 are allowed). Option A is incorrect because spanning tree does not block VLANs by default without evidence of a loop; the output shows no STP blocking. Option B is incorrect because native VLAN only affects tagging, not whether a VLAN can traverse a trunk; all VLANs can cross a trunk if permitted. Option D is incorrect because 802.1Q can carry up to 4094 VLANs, not just three. The key distinction is that a VLAN may be active on the switch but still fail to cross a specific trunk if it is not in the allowed list.

What should I do if I get this 200-301 question wrong?

Review a VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network., then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Exhibit: Users on SW2 in VLAN 30 can reach local devices but not hosts in VLAN 30 on SW1. What is the most likely reason?

hard
  • A.The trunk native VLAN is 1 on both sides
  • B.VLAN 30 is not allowed on the trunk
  • C.SW2 must run VTP server mode
  • D.Spanning tree blocks all user VLANs by default

Why B: The trunk is allowing only VLANs 10 and 20. Even though both switches have VLAN 30 defined locally, VLAN 30 traffic cannot cross the trunk unless that VLAN is allowed on the link. Option A is incorrect because the native VLAN (default 1) does not affect tagged VLAN 30 traffic, and native VLAN mismatch causes different issues. Option C is incorrect because VTP is used for VLAN database synchronization, not for forwarding traffic over a trunk; switches do not need to be VTP servers to pass VLAN traffic. Option D is incorrect because spanning tree only blocks redundant paths to prevent loops, not all user VLANs by default.

Variation 2. A switch displays this output: Port Name Status Vlan Fa0/1 connected 10 Fa0/2 connected 10 Fa0/24 connected trunk Which port should be checked first if a user in VLAN 20 cannot reach the distribution switch over the uplink?

medium
  • A.Fa0/1
  • B.Fa0/2
  • C.Fa0/24
  • D.Any access port in VLAN 1

Why C: If users in VLAN 20 must cross the uplink, the trunk port is the first place to verify allowed VLANs and tagging.

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.