Question 542 of 2,015
SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is to configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping. This is correct because DHCP snooping, by default, treats all switch ports as untrusted, meaning it drops all DHCP server-originated messages like DHCPOFFER, DHCPACK, and DHCPNAK on those ports. Since the DHCP server is sending its acknowledgments through a trunk port, those DHCPACK messages are being filtered out, preventing clients from receiving their assigned IP addresses and causing the duplicate IP issue. On the ENCOR 350-401 exam, this scenario tests your understanding of the DHCP snooping trust boundary—a common trap is to forget that even trunk ports are untrusted by default, so you must explicitly mark the port facing the legitimate server with the `ip dhcp snooping trust` command. A solid memory tip is to think of the DHCP server as the only source of truth: trust the port it sits on, and everything else stays untrusted.

CCNP Security Practice Question

This 350-401 practice question tests your understanding of security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Your company has deployed a Cisco Catalyst 9300 switch stack as the distribution layer for a campus network. The network uses VLANs 10 (data), 20 (voice), and 30 (management). The switch stack is configured with DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard (IPSG) on access ports. Recently, users in VLAN 10 report intermittent connectivity issues. You notice that some users receive duplicate IP addresses from the DHCP server. The DHCP server is connected to a trunk port on the switch stack. After reviewing logs, you see that DHCPACK messages are being dropped on the trunk port. The DHCP snooping binding table shows entries for legitimate clients, but also some entries with MAC addresses from a different vendor. Which action should you take to resolve the issue?

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping.

The DHCP snooping feature treats all ports as untrusted by default, which means DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) are dropped on untrusted ports. Since the DHCP server is connected to a trunk port and DHCPACK messages are being dropped, that trunk port must be explicitly configured as a trusted port for DHCP snooping using the 'ip dhcp snooping trust' interface command. This allows legitimate DHCP server responses to reach clients, resolving the duplicate IP address issue caused by clients not receiving their assigned addresses.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Manually shut down the access ports that have unknown MAC addresses in the binding table.

    Why it's wrong here

    This does not address the DHCP server response being dropped.

  • Disable Dynamic ARP Inspection on VLAN 10.

    Why it's wrong here

    DAI validates ARP packets, not DHCP messages.

  • Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping.

    Why this is correct

    DHCP snooping drops DHCP server responses on untrusted ports.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Disable IP Source Guard on all access ports in VLAN 10.

    Why it's wrong here

    IPSG filters IP traffic based on binding table, not DHCP messages.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the default untrusted behavior of DHCP snooping on all ports, tricking candidates into thinking that only access ports need trust configuration, when in fact the port facing the DHCP server (even a trunk) must be explicitly trusted to allow server messages through.

Detailed technical explanation

How to think about this question

DHCP snooping builds a binding table by monitoring DHCP messages on untrusted ports; however, the switch must trust the port connected to the legitimate DHCP server to allow DHCP server-originated messages (like DHCPACK) to pass through. Without the 'ip dhcp snooping trust' command on the trunk port, the switch drops all DHCP server messages, causing clients to fail to receive their assigned IP addresses, which can lead to duplicate IP conflicts when clients retry or use stale addresses. In a real-world scenario, this often happens when a new switch is deployed and the DHCP server is connected to a trunk that carries multiple VLANs, and the administrator forgets to apply the trust command on that trunk interface.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-401 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-401 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-401 question test?

Security — This question tests Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Configure the trunk port connecting to the DHCP server as a trusted port for DHCP snooping. — The DHCP snooping feature treats all ports as untrusted by default, which means DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) are dropped on untrusted ports. Since the DHCP server is connected to a trunk port and DHCPACK messages are being dropped, that trunk port must be explicitly configured as a trusted port for DHCP snooping using the 'ip dhcp snooping trust' interface command. This allows legitimate DHCP server responses to reach clients, resolving the duplicate IP address issue caused by clients not receiving their assigned addresses.

What should I do if I get this 350-401 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on 350-401

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A network administrator is troubleshooting a DHCP snooping issue on a Cisco switch. The switch is configured with DHCP snooping globally and on VLAN 10. The trusted interface is GigabitEthernet0/1 connected to the DHCP server. However, clients on VLAN 10 are not receiving IP addresses from the DHCP server. What is the most likely cause?

hard
  • A.The switch has IP Source Guard enabled, blocking valid DHCP traffic.
  • B.The interface GigabitEthernet0/1 is not configured as a trusted port for DHCP snooping.
  • C.The DHCP server is on a different subnet and the switch lacks an IP helper address.
  • D.The DHCP server is sending offers too quickly, exceeding the rate-limit on the switch.

Why B: Option B is correct because the scenario states that DHCP snooping is configured globally and on VLAN 10, and that GigabitEthernet0/1 is connected to the DHCP server. However, for DHCP snooping to allow DHCP server messages (OFFER, ACK) to be forwarded, the interface connected to the legitimate DHCP server must be explicitly configured as a trusted port using the 'ip dhcp snooping trust' interface command. Without this, the switch treats all DHCP server responses as untrusted and drops them, preventing clients from receiving IP addresses.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.