CCNA VLANs and Trunking Questions

58 questions · VLANs and Trunking · All types, answers revealed

1
MCQ · medium

An engineer is configuring a new access switch for a branch office. The switch must support multiple VLANs for different departments: VLAN 10 (Engineering), VLAN 20 (Sales), and VLAN 30 (Management). The uplink to the distribution switch is a trunk. The engineer wants to ensure that only the required VLANs are allowed on the trunk and that the native VLAN is changed from the default to VLAN 99 for security reasons. Which configuration commands should the engineer apply on the access switch's uplink interface?

A. switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
B. switchport mode trunk; switchport trunk native vlan 99; switchport trunk allowed vlan except 10,20,30
C. switchport mode dynamic desirable; switchport trunk native vlan 99; switchport trunk allowed vlan 10,20,30
D. switchport trunk encapsulation dot1q; switchport mode trunk; switchport trunk native vlan 99
Answer: A

Correct because it sets the trunk, changes the native VLAN, and restricts allowed VLANs.

Why this answer

Option A is correct because it explicitly sets the interface to trunk mode, changes the native VLAN from the default VLAN 1 to VLAN 99 for security, and uses the 'allowed vlan' command to permit only VLANs 10, 20, and 30 on the trunk. This ensures that only the required department VLANs are carried, reducing unnecessary broadcast traffic and preventing VLAN hopping attacks by changing the native VLAN.

Exam trap

Cisco often tests the distinction between 'allowed vlan' and 'allowed vlan except' — candidates may confuse the syntax and select the option that excludes the required VLANs instead of permitting them.

How to eliminate wrong answers

Option B is wrong because 'switchport trunk allowed vlan except 10,20,30' permits all VLANs except 10, 20, and 30, which is the opposite of the requirement. Option C is wrong because 'switchport mode dynamic desirable' uses DTP to negotiate trunking, which is less secure and not a deterministic trunk configuration; the requirement is for a static trunk. Option D is wrong because it omits the 'switchport trunk allowed vlan' command, so all VLANs would be permitted by default, failing to restrict the trunk to only the required VLANs.

2
Drag & Drop · medium

Drag and drop the steps of SVI configuration for inter-VLAN routing into the correct order, from first to last.

Why this order

First create the SVI interface, assign an IP address, enable it, and then configure routing or ACLs as needed.

3
Drag & Drop · medium

Drag and drop the steps of Q-in-Q (802.1ad) double-tagging configuration into the correct order, from first to last.

Why this order

Q-in-Q configuration requires first enabling the feature globally, then configuring the trunk port as a dot1q tunnel port, setting the native VLAN, and finally applying the service instance to encapsulate traffic. Verification ensures proper double-tagging.

4
Matching · medium

Drag and drop each trunk encapsulation type on the left to its matching standard or characteristic on the right.

Matches

Open standard (IEEE); inserts 4-byte tag; supports native VLAN

Cisco proprietary; encapsulates entire frame; no native VLAN concept

VLAN 1 by default; frames sent untagged on trunk

Adds 26-byte header and 4-byte trailer

Contains 12-bit VLAN ID (0–4095)

Why these pairings

802.1Q is an open standard that inserts a 4-byte tag, supports native VLAN, and is the default on modern switches. ISL is Cisco proprietary, encapsulates the entire frame, and does not support native VLAN.

5
MCQ · hard

A network engineer is configuring a new Cisco Nexus 9000 switch to connect to an existing Cisco Catalyst 3850 switch. The link between them should be a trunk carrying VLANs 10, 20, and 30. The engineer configures the Nexus switch with 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'. However, the trunk does not come up. The Catalyst switch is configured with 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20,30'. What is the most likely cause?

A. The Nexus switch does not have the 'switchport trunk encapsulation dot1q' command configured.
B. The Catalyst switch is set to dynamic auto mode.
C. The allowed VLAN list on the Nexus switch is missing VLAN 1.
D. The native VLAN is set to 999 on the Nexus switch.
Answer: A

Correct because some Nexus switches require explicit encapsulation configuration for trunking to work with Catalyst switches.

Why this answer

The most likely cause is that the Nexus switch defaults to 802.1Q encapsulation, but the Cisco Catalyst 3850 switch requires the explicit 'switchport trunk encapsulation dot1q' command to be configured on the Nexus side. Without this command, the Nexus switch may not properly negotiate or establish the trunk, as the Catalyst switch expects a specific encapsulation type. This is a common issue when interconnecting different Cisco switch platforms that handle trunk encapsulation defaults differently.

Exam trap

Cisco often tests the misconception that Nexus switches do not require the 'switchport trunk encapsulation dot1q' command because they only support 802.1Q, but the command is still necessary for trunk formation with certain Catalyst switches.

How to eliminate wrong answers

Option B is wrong because 'dynamic auto' mode on the Catalyst switch would actually allow the trunk to form if the other side is set to 'trunk' (as the Nexus is), so this would not prevent the trunk from coming up. Option C is wrong because VLAN 1 is not required to be in the allowed VLAN list for a trunk to form; the trunk will still come up even if VLAN 1 is excluded. Option D is wrong because the native VLAN mismatch (e.g., set to 999 on the Nexus) would cause a native VLAN mismatch error but would not prevent the trunk from coming up; the trunk would still be operational, though with potential issues for untagged traffic.

6
MCQ · medium

Examine the following configuration snippet on a Cisco IOS switch:

    interface GigabitEthernet0/2
     switchport mode access
     switchport access vlan 50
     spanning-tree portfast

Which statement is true about this interface?

A. The interface will immediately forward traffic without any spanning-tree delay.
B. The interface will participate in trunking and forward multiple VLANs.
C. The interface will still go through listening and learning states before forwarding.
D. The interface will only forward traffic for VLAN 1.
Answer: A

Correct. PortFast enables immediate forwarding, reducing the initial delay.

Why this answer

The `spanning-tree portfast` command on an access port configured with `switchport mode access` and `switchport access vlan 50` causes the interface to bypass the normal spanning-tree listening and learning states. This allows the port to transition directly to the forwarding state, enabling immediate traffic forwarding without the usual 30-second delay (15 seconds for listening, 15 seconds for learning) associated with Rapid Spanning Tree Protocol (RSTP) or the 50-second delay with classic STP (802.1D).

Exam trap

Cisco often tests the misconception that `spanning-tree portfast` only applies to trunk ports or that it still requires the listening/learning states, when in fact it is designed specifically to bypass those states on access ports (or trunk ports with the `spanning-tree portfast trunk` variant).

How to eliminate wrong answers

Option B is wrong because the interface is configured as an access port (`switchport mode access`), which does not participate in trunking and only forwards traffic for a single VLAN (VLAN 50), not multiple VLANs. Option C is wrong because `spanning-tree portfast` specifically causes the interface to skip the listening and learning states and immediately enter the forwarding state, contradicting the claim that it will still go through those states. Option D is wrong because the `switchport access vlan 50` command assigns the interface to VLAN 50, not VLAN 1; the default VLAN for access ports is VLAN 1 only if no explicit access VLAN is configured.

7
Matching · medium

Drag and drop each VLAN range on the left to its matching type on the right.

Matches

Normal VLANs

Extended VLANs

Reserved VLANs

Reserved for legacy token ring and FDDI

Normal VLANs (default range)

Why these pairings

VLANs 1–1005 are normal VLANs, 1006–4094 are extended VLANs, and 0, 4095 are reserved. VLANs 1002–1005 are reserved for legacy token ring and FDDI.

8
Matching · medium

Drag and drop each DTP mode on the left to its matching trunking behavior on the right.

Matches

Actively sends DTP frames; forms trunk if neighbor is trunk, desirable, or auto

Passively waits for DTP frames; forms trunk only if neighbor is trunk or desirable

Forces the interface to be a trunk regardless of DTP negotiation

Forces the interface to be an access port; never forms a trunk

Disables DTP; requires manual trunk configuration

Why these pairings

Dynamic desirable actively sends DTP frames and forms a trunk if the neighbor is trunk, dynamic desirable, or dynamic auto. Dynamic auto forms a trunk only if the neighbor is trunk or dynamic desirable. Trunk always forms a trunk.

Access never forms a trunk. None disables DTP.

9
Matching · medium

Drag and drop each VTP mode on the left to its matching capability on the right.

Matches

Can create, modify, and delete VLANs; advertises VLAN database

Cannot create or modify VLANs; learns VLANs from server advertisements

Forwards VTP advertisements; maintains its own VLAN database locally

Ignores all VTP advertisements; does not forward VTP messages

Enables VTP pruning to reduce unnecessary broadcast traffic

Why these pairings

VTP server can create/modify/delete VLANs and advertises them. VTP client learns VLANs but cannot modify them. VTP transparent forwards VTP messages but does not participate.

VTP off ignores VTP messages entirely.

10
Multi-Select · medium

Which two statements about VLAN trunking using IEEE 802.1Q are true? (Choose two.)

Select 2 answers
A. The 802.1Q tag includes a 12-bit VLAN ID field.
B. The native VLAN is not tagged on an 802.1Q trunk.
C. The native VLAN must always be VLAN 1.
D. The 802.1Q tag uses a TPID value of 0x88A8.
E. 802.1Q supports a maximum of 4096 VLANs.
Answers: A, B

Correct because the 802.1Q header contains a 12-bit VLAN ID (VID) allowing up to 4094 VLANs.

Why this answer

Correct: A is true because 802.1Q inserts a 4-byte tag after the source MAC address, which includes a 12-bit VLAN ID (0-4095). B is true because the native VLAN is not tagged; frames on the native VLAN are sent untagged to maintain backward compatibility with devices that do not understand trunking. C is incorrect because the native VLAN can be any VLAN, not just VLAN 1; it defaults to VLAN 1 but can be changed.

D is incorrect because the 802.1Q tag uses a TPID of 0x8100, not 0x88A8 (which is used for Q-in-Q). E is incorrect because 802.1Q supports up to 4094 usable VLANs (1-1001 and 1006-4094), not 4096.

11
Matching · medium

Drag and drop each DTP mode on the left to its matching trunking behavior on the right.

Matches

Actively sends DTP frames to form trunk

Passively waits for DTP frames to form trunk

Forces the port to become a trunk regardless of neighbor

Forces the port to be an access port, no trunking

Disables DTP, trunking only if manually configured

Why these pairings

Dynamic desirable actively negotiates trunking; dynamic auto waits for a neighbor to initiate; trunk forces trunking; access forces access mode; non-negotiate disables DTP.

12
Matching · medium

Drag and drop each trunk encapsulation on the left to its matching standard on the right.

Matches

Cisco proprietary, encapsulates entire frame with 30-byte header

IEEE standard, inserts 4-byte tag into frame

Untagged frames on trunk port

Why these pairings

ISL is Cisco proprietary with 30-byte header; 802.1Q is IEEE standard with 4-byte tag; only 802.1Q supports native VLAN; ISL encapsulates entire frame.

13
Multi-Select · easy

Which two statements about VLAN configuration and verification on a Cisco IOS switch are true? (Choose two.)

Select 2 answers
A. VLAN 1 and VLANs 1002-1005 cannot be deleted.
B. The 'show vlan brief' command only displays VLANs that have been created on the switch.
C. The 'switchport access vlan 10' command automatically creates VLAN 10 if it does not exist.
D. The 'no switchport' command on a switch port places it into the default VLAN.
E. Extended VLANs (1006-4094) are stored in the vlan.dat file by default.
Answers: A, B

Correct because these are default VLANs that are automatically created and cannot be removed.

Why this answer

Correct: A is true because VLANs 1 and 1002-1005 are reserved (default) and cannot be deleted. B is true because 'show vlan brief' displays only VLANs that exist in the VLAN database, not all possible VLANs. C is incorrect because the 'switchport access vlan' command assigns a port to a VLAN, but the VLAN must already exist or be created first; the command does not automatically create the VLAN.

D is incorrect because 'no switchport' converts the interface to a Layer 3 routed port, which does not participate in VLANs. E is incorrect because the extended VLAN range (1006-4094) is not saved in vlan.dat by default; they are stored in the running configuration.

14
Multi-Select · medium

Which three statements about trunking and VLAN pruning are true? (Choose three.)

Select 3 answers
A. VTP pruning dynamically removes VLANs from a trunk if the VLAN is not present on the remote switch.
B. Manual pruning can be achieved using the 'switchport trunk allowed vlan' command.
C. VTP pruning requires VTP to be enabled on the switches in the management domain.
D. VTP pruning is only supported in VTP version 3.
E. The 'switchport trunk native vlan' command is used to prune VLANs from a trunk.
Answers: A, B, C

Correct because VTP pruning advertises VLAN membership and prunes unnecessary VLANs from trunk links.

Why this answer

Correct: A is true because VTP pruning reduces unnecessary broadcast traffic on trunk links by dynamically removing VLANs that are not needed on a switch. B is true because pruning can be manually configured on a trunk using the 'switchport trunk allowed vlan' command to restrict which VLANs traverse the link. C is true because VTP pruning requires VTP to be configured and operating in the domain; it is not available without VTP.

D is incorrect because VTP pruning works with VTP versions 1 and 2, not just version 3. E is incorrect because the 'switchport trunk native vlan' command sets the native VLAN, not pruning; pruning is controlled by allowed VLAN lists or VTP pruning.

15
Drag & Drop · medium

Drag and drop the steps of Dynamic Trunking Protocol (DTP) negotiation into the correct order, from first to last.

Why this order

DTP negotiation begins with the interface defaulting to dynamic desirable or auto mode. If a switchport is set to trunk, DTP sends frames to negotiate. The neighbor responds if in a compatible mode.

Once agreed, the link becomes trunking. Finally, both ends forward traffic for multiple VLANs.

16
MCQ · medium

Given the following configuration on a Cisco IOS switch:

    interface GigabitEthernet0/6
     switchport mode dynamic desirable

What is the effect of this configuration?

A. The interface will actively try to form a trunk and will succeed if the other side is set to trunk, desirable, or auto.
B. The interface will only become a trunk if the other side is set to trunk.
C. The interface will always remain an access port.
D. The interface will not send DTP frames.
Answer: A

Correct. Dynamic desirable sends DTP frames and can form a trunk with several modes.

Why this answer

The `switchport mode dynamic desirable` command configures the interface to actively send Dynamic Trunking Protocol (DTP) frames to negotiate trunking. If the neighboring interface is set to trunk, dynamic desirable, or dynamic auto, the negotiation will succeed and the link will become a trunk. This is because dynamic desirable actively initiates the negotiation, unlike dynamic auto which only responds.

Exam trap

Cisco often tests the distinction between dynamic desirable and dynamic auto, where the trap is that candidates forget dynamic desirable actively sends DTP frames and can form a trunk with dynamic auto, while dynamic auto only responds and will not form a trunk with another auto interface.

How to eliminate wrong answers

Option B is wrong because the interface will not only become a trunk if the other side is set to trunk; it will also succeed if the other side is set to dynamic desirable or dynamic auto, as DTP negotiation allows these combinations. Option C is wrong because the interface will not always remain an access port; it will actively negotiate to become a trunk if the neighbor supports it. Option D is wrong because the interface will send DTP frames; dynamic desirable is an active DTP mode that transmits DTP frames to initiate trunk negotiation.

17
MCQ · hard

An engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, connected via a trunk. The trunk is configured with switchport mode trunk on both sides. The engineer notices that some VLANs are not passing traffic, even though they are in the allowed list. The output of 'show interfaces trunk' on SW1 shows that VLANs 10, 20, and 30 are in the allowed list and are active. However, hosts in VLAN 30 cannot reach the distribution switch. What is the most likely cause?

A. VLAN 30 is not created in the VLAN database on SW2.
B. The native VLAN is mismatched between SW1 and SW2.
C. VTP pruning is removing VLAN 30 from the trunk.
D. The trunk is not forming due to DTP negotiation.
Answer: A

Correct because a VLAN must exist in the VLAN database on both ends of a trunk for traffic to pass.

Why this answer

VLAN 30 must exist in the VLAN database on both switches for traffic to be forwarded across the trunk. Even if VLAN 30 is in the allowed list and active on SW1, if it has not been created on SW2, SW2 will discard frames tagged with VLAN 30 because it has no VLAN 30 interface or forwarding table entry. This is a common misconfiguration where the VLAN is allowed on the trunk but not present on the remote switch.

Exam trap

Cisco often tests the misconception that being in the allowed list on the trunk is sufficient for traffic to pass, when in fact the VLAN must be created in the VLAN database on both ends of the trunk.

How to eliminate wrong answers

Option B is wrong because a native VLAN mismatch would cause issues with untagged frames, not with tagged VLAN 30 traffic, and the trunk is already up. Option C is wrong because VTP pruning would remove VLAN 30 from the allowed list on the trunk, but the output shows VLAN 30 is still in the allowed list and active on SW1. Option D is wrong because the trunk is already formed (switchport mode trunk on both sides disables DTP negotiation), so the trunk is up and the issue is with VLAN 30 specifically.

18
Drag & Drop · medium

Drag and drop the steps of VLAN pruning on trunks using VTP into the correct order, from first to last.

Why this order

VTP pruning must first be enabled globally on the VTP server, then on the trunk interface, and finally the VTP domain must be configured to allow pruning. The switch then dynamically prunes VLANs not needed on the trunk, and the pruning list can be verified with show commands.

19
MCQ · hard

A network engineer runs the following command on Switch SW1:

    SW1# show vlan id 10
    VLAN ID: 10
    VLAN Name: Sales
    VLAN Type: Ethernet
    VLAN State: active
    MTU: 1500
    Remote SPAN VLAN: No
    Primary VLAN ID: 10
    Private VLAN Type: Primary
    Associated Secondary VLAN IDs: 100, 200

Based on this output, what can be concluded?

A. VLAN 10 is a community VLAN.
B. VLAN 10 is an isolated VLAN.
C. VLAN 10 is a primary private VLAN.
D. VLAN 10 is a normal data VLAN with no private VLAN features.
Answer: C

The output shows 'Private VLAN Type: Primary' and associated secondary VLANs.

Why this answer

The output shows VLAN 10 configured as a Primary VLAN with associated secondary VLANs 100 and 200, which is the defining characteristic of a primary private VLAN. This is confirmed by the fields 'Private VLAN Type: Primary' and 'Associated Secondary VLAN IDs: 100, 200'. Therefore, VLAN 10 is a primary private VLAN, not a normal data VLAN.

Exam trap

Cisco often tests the distinction between the 'show vlan' output for a primary VLAN versus a secondary VLAN, and the trap here is that candidates mistakenly think the presence of 'Associated Secondary VLAN IDs' means the VLAN itself is a secondary VLAN, when in fact only the primary VLAN lists its associated secondary VLANs.

How to eliminate wrong answers

Option A is wrong because a community VLAN is a type of secondary private VLAN that allows communication within the same community and with the primary VLAN, but the output explicitly identifies VLAN 10 as a Primary VLAN, not a community VLAN. Option B is wrong because an isolated VLAN is another type of secondary private VLAN that only allows communication with the primary VLAN, and the output shows VLAN 10 as the Primary VLAN, not an isolated VLAN. Option D is wrong because the presence of 'Private VLAN Type: Primary' and associated secondary VLANs indicates that VLAN 10 is participating in private VLAN features, making it a private VLAN rather than a normal data VLAN.

20
Matching · medium

Drag and drop each VLAN type on the left to its matching purpose on the right.

Matches

Carries user data traffic

Carries VoIP traffic, typically uses QoS

Used for out-of-band management access

Carries untagged frames on a trunk port

VLAN 1 by default on all Cisco switches

Why these pairings

Data VLAN carries user traffic; voice VLAN carries VoIP; management VLAN for device access; native VLAN for untagged frames on trunk; default VLAN is VLAN 1.

21
MCQ · medium

A network engineer runs the following command on Switch SW1:

    SW1# show etherchannel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator

            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port

    Number of channel-groups in use: 1
    Number of aggregators:           1

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+--------------------------------------------
    1      Po1(SU)       LACP        Gi0/1(P)    Gi0/2(P)    Gi0/3(D)

Based on this output, what can be concluded?

A. The EtherChannel is using PAgP.
B. Port Gi0/3 is bundled in the channel.
C. The port-channel is a Layer 3 interface.
D. The EtherChannel has two active member links.
Answer: D

Gi0/1 and Gi0/2 are marked P (bundled), so two links are active.

Why this answer

The output shows that Gi0/1 and Gi0/2 have a flag of 'P' (bundled in port-channel), while Gi0/3 has a flag of 'D' (down). Therefore, only two ports are actively bundled, making option D correct. The 'SU' flags on Po1 indicate the port-channel is Layer 2 (S) and in use (U), not Layer 3.

Exam trap

Cisco often tests the interpretation of the 'show etherchannel summary' flags, where candidates mistakenly assume a port listed in the output is active, ignoring the specific flag character (e.g., 'D' vs 'P').

How to eliminate wrong answers

Option A is wrong because the protocol column explicitly shows 'LACP', not PAgP. Option B is wrong because Gi0/3 has a flag of 'D' (down), not 'P' (bundled), meaning it is not part of the active bundle. Option C is wrong because the 'S' in 'Po1(SU)' indicates Layer 2, not Layer 3 (which would be 'R').

22
MCQ · medium

Consider the following configuration on a Cisco IOS-XE switch:

    interface GigabitEthernet0/3
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 1

What is the effect of this configuration?

A. The interface will operate as an 802.1Q trunk, and untagged frames will be associated with VLAN 1.
B. The interface will operate as an ISL trunk.
C. The interface will drop all untagged frames.
D. The interface will only forward traffic for VLAN 1.
Answer: A

Correct. The native VLAN is 1, so untagged frames belong to VLAN 1.

Why this answer

The configuration sets the interface to 802.1Q trunking mode and explicitly defines VLAN 1 as the native VLAN. On an 802.1Q trunk, the native VLAN is the VLAN to which untagged frames are assigned when received on the trunk port. Since VLAN 1 is the default native VLAN and is explicitly configured here, untagged frames will be associated with VLAN 1, allowing them to traverse the trunk without an 802.1Q tag.

Exam trap

Cisco often tests the misconception that a trunk port drops untagged frames or that the native VLAN is only for management traffic, when in fact untagged frames are always associated with the native VLAN on an 802.1Q trunk.

How to eliminate wrong answers

Option B is wrong because the command 'switchport trunk encapsulation dot1q' explicitly sets the trunking protocol to 802.1Q, not ISL; ISL is a Cisco-proprietary encapsulation that is not supported on modern IOS-XE switches and would require 'switchport trunk encapsulation isl'. Option C is wrong because an 802.1Q trunk does not drop untagged frames; instead, it assigns them to the native VLAN (VLAN 1 by default or as configured). Option D is wrong because the interface is configured as a trunk, which forwards traffic for multiple VLANs (all allowed VLANs by default), not only VLAN 1; the native VLAN setting only affects how untagged frames are handled, not the scope of VLANs forwarded.

23
MCQ · hard

A network engineer runs the following command on Switch SW1:

    SW1# show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi0/1       on           802.1q         trunking      1
    Gi0/2       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/1       1-1005
    Gi0/2       1-1005

    Port        Vlans allowed and active in management domain
    Gi0/1       1,10,20
    Gi0/2       1,10,20

    Port        Vlans in spanning tree forwarding state and not pruned
    Gi0/1       1,10,20
    Gi0/2       1,10,20

Based on this output, what can be concluded?

A. VLANs 2-9 are allowed but not active on the trunk.
B. The trunk is using ISL encapsulation.
C. VLAN 1 is pruned from the trunk.
D. Only VLANs 10 and 20 are forwarding traffic.
Answer: A

The 'allowed' list includes 1-1005, but only VLANs 1,10,20 are active; thus VLANs 2-9 are allowed but not active (not created in VLAN database).

Why this answer

The output shows that VLANs 1-1005 are allowed on the trunk, but only VLANs 1, 10, and 20 are listed as active in the management domain. This means VLANs 2-9 are configured on the trunk but are not active (i.e., not created or not present on the switch), so they do not forward traffic. Option A correctly identifies this condition.

Exam trap

Cisco often tests the difference between 'allowed on trunk' and 'active in management domain' to trick candidates into thinking all allowed VLANs are forwarding, when in fact only active VLANs forward traffic.

How to eliminate wrong answers

Option B is wrong because the encapsulation is explicitly shown as '802.1q', not ISL, which is a Cisco proprietary protocol that is now largely deprecated. Option C is wrong because VLAN 1 is listed in the 'Vlans in spanning tree forwarding state and not pruned' section, indicating it is forwarding and not pruned; pruning would remove it from that list. Option D is wrong because VLAN 1 is also in the forwarding state and not pruned, so traffic for VLAN 1 is also being forwarded, not just VLANs 10 and 20.

24
MCQ · easy

A network engineer is configuring a new Cisco Catalyst switch to connect to an existing network. The uplink to the distribution switch is configured as a trunk. The engineer wants to ensure that the trunk uses 802.1Q encapsulation and that the native VLAN is set to VLAN 100. The distribution switch is a Cisco Catalyst 3850. Which configuration should the engineer apply on the uplink interface?

A. switchport mode trunk; switchport trunk native vlan 100
B. switchport trunk encapsulation dot1q; switchport mode trunk; switchport trunk native vlan 100
C. switchport mode dynamic desirable; switchport trunk native vlan 100
D. switchport mode trunk; switchport trunk allowed vlan 100
Answer: A

Correct because it sets the trunk and changes the native VLAN to 100.

Why this answer

Option A is correct because on modern Cisco Catalyst switches that run LAN Base or IP Base software, the default trunk encapsulation is 802.1Q, so the 'switchport trunk encapsulation dot1q' command is not required. The 'switchport mode trunk' forces the interface into trunking mode, and 'switchport trunk native vlan 100' sets the native VLAN to 100, which matches the requirement.

Exam trap

Cisco often tests the fact that on modern switches (like the 3850), the 'switchport trunk encapsulation dot1q' command is not available because 802.1Q is the only supported encapsulation, leading candidates to incorrectly include it.

How to eliminate wrong answers

Option B is wrong because on a Catalyst 3850 (which runs IOS XE), the 'switchport trunk encapsulation dot1q' command is not supported; the switch only supports 802.1Q encapsulation and does not accept this command, making it invalid. Option C is wrong because 'switchport mode dynamic desirable' uses DTP to negotiate trunking, which does not guarantee the interface will become a trunk and does not set the native VLAN to 100. Option D is wrong because 'switchport trunk allowed vlan 100' restricts the trunk to only VLAN 100, rather than setting the native VLAN to 100, which is a different function.

25
MCQ · medium

An engineer is troubleshooting a problem where a host in VLAN 20 cannot communicate with a host in VLAN 30, even though both are connected to the same access switch. The access switch is configured with VLANs 20 and 30, and the uplink to the distribution switch is a trunk that allows both VLANs. The distribution switch has SVIs for both VLANs and IP routing is enabled. The engineer verifies that the trunk is up and both VLANs are allowed. What is the most likely cause of the communication failure?

A. The hosts are not configured with the correct default gateway pointing to the SVI on the distribution switch.
B. The trunk is not allowing VLAN 20 or VLAN 30.
C. Spanning Tree Protocol is blocking the SVI interfaces.
D. The native VLAN mismatch on the trunk is causing the issue.
Answer: A

Correct because hosts need a default gateway to route traffic to other VLANs; if misconfigured, inter-VLAN communication fails.

Why this answer

Hosts in different VLANs must communicate through a Layer 3 device. The correct default gateway for each host should be the IP address of the SVI on the distribution switch for its respective VLAN. If the hosts are configured with an incorrect or no default gateway, traffic cannot be routed between VLAN 20 and VLAN 30, even though the trunk and SVIs are properly configured.

Exam trap

Cisco often tests the misconception that a properly configured trunk and SVIs alone guarantee inter-VLAN communication, when in fact the hosts must have the correct default gateway configured to reach the SVI.

How to eliminate wrong answers

Option B is wrong because the engineer already verified that the trunk is up and both VLANs are allowed, so a trunk misconfiguration is not the cause. Option C is wrong because Spanning Tree Protocol (STP) operates on Layer 2 interfaces and does not block SVI interfaces; SVIs are virtual Layer 3 interfaces and are not subject to STP blocking. Option D is wrong because a native VLAN mismatch on a trunk would cause issues for untagged traffic (typically management or CDP), but it would not prevent routed communication between hosts in different VLANs if the trunk is up and both VLANs are allowed.

26
Multi-Select · medium

Which two statements about native VLANs on an 802.1Q trunk are true? (Choose two.)

Select 2 answers
A. Frames belonging to the native VLAN are transmitted untagged on the trunk link.
B. The native VLAN must be the same on both ends of the trunk link.
C. The native VLAN can be any VLAN from 1 to 4094.
D. The native VLAN is always VLAN 1 and cannot be changed.
E. A native VLAN mismatch will cause all traffic on the trunk to be dropped.
Answers: A, B

802.1Q does not tag frames for the native VLAN, so they are sent as standard Ethernet frames.

Why this answer

The native VLAN is a key concept in 802.1Q trunking. Frames on the native VLAN are sent untagged to maintain compatibility with legacy devices that do not understand VLAN tags. Both ends of the trunk must agree on the native VLAN; a mismatch can cause connectivity issues or VLAN hopping.

The default native VLAN is VLAN 1.

27
MCQ · medium

Given the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30

What is the effect of this configuration?

A. The interface will forward traffic for VLANs 10, 20, and 30, and all untagged frames will be placed into VLAN 999.
B. The interface will forward traffic for all VLANs except 10, 20, and 30, and the native VLAN is 1.
C. The interface will operate as an access port in VLAN 999.
D. The interface will forward traffic for VLANs 10, 20, and 30, and all frames will be tagged including the native VLAN.
Answer: A

Correct. The allowed VLAN list restricts traffic to those three VLANs, and the native VLAN is 999.

Why this answer

Option A is correct because the configuration sets the interface as a trunk port, explicitly allows only VLANs 10, 20, and 30 to traverse it, and designates VLAN 999 as the native VLAN. On a trunk, the native VLAN is used for untagged frames (e.g., DTP, CDP, or any traffic sent without an 802.1Q header), so all untagged frames received or sent on this interface will be associated with VLAN 999.

Exam trap

Cisco often tests the distinction between the native VLAN being untagged by default and the 'switchport trunk native vlan tag' command that forces tagging, leading candidates to incorrectly assume that all VLANs on a trunk are always tagged.

How to eliminate wrong answers

Option B is wrong because the 'switchport trunk allowed vlan 10,20,30' command explicitly permits only those VLANs, not all VLANs except them; the interface will not forward traffic for any other VLANs. Option C is wrong because the 'switchport mode trunk' command forces the interface to operate as a trunk port, not an access port; the native VLAN setting does not change the port mode. Option D is wrong because the native VLAN on an 802.1Q trunk is by default untagged; the configuration does not include 'switchport trunk native vlan tag' (which would force tagging of the native VLAN), so frames in VLAN 999 remain untagged.

28
Drag & Drop · medium

Drag and drop the steps of configuring a native VLAN mismatch detection into the correct order, from first to last.

Why this order

First, configure the trunk interface with a specific native VLAN. Then, set the neighbor's trunk to a different native VLAN. The mismatch causes CDP to log an error.

The switch then disables the trunk port. Finally, the administrator corrects the native VLAN to match.

29
Drag & Drop · medium

Drag and drop the steps of Q-in-Q (802.1ad) double-tagging configuration into the correct order, from first to last.

Why this order

First enable the dot1q tunnel globally, then configure the access VLAN on the interface, enable the tunnel mode, and set the native VLAN to avoid conflicts.

30
Multi-Select · hard

Which three statements about Dynamic Trunking Protocol (DTP) are true? (Choose three.)

Select 3 answers
A. DTP is a Cisco proprietary protocol.
B. DTP frames are sent on the native VLAN.
C. The 'switchport mode dynamic desirable' setting causes the interface to actively attempt to form a trunk.
D. DTP operates at Layer 3 of the OSI model.
E. DTP is used to negotiate trunking on routed ports.
Answers: A, B, C

Correct because DTP is only available on Cisco switches and is not standardized.

Why this answer

Correct: A is true because DTP is Cisco proprietary and not supported on non-Cisco switches. B is true because DTP uses VLAN 1 (the native VLAN) for its frames; if the native VLAN is mismatched, DTP may fail. C is true because the 'switchport mode dynamic desirable' interface configuration command actively sends DTP frames to negotiate trunking.

D is incorrect because DTP operates at Layer 2, not Layer 3. E is incorrect because DTP is not used on routed ports; it only applies to switch ports in access or trunk mode.

31
MCQ · hard

A network engineer runs the following command on Switch SW1:

SW1# show interfaces gi0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20

Based on this output, what can be concluded?

A. VLAN 1 is allowed on this trunk.
B. The trunk is using DTP dynamic desirable mode.
C. Only VLANs 10 and 20 are allowed on this trunk.
D. The native VLAN is 10.
Answer: C

The 'Vlans allowed on trunk' line explicitly shows 10,20.

Why this answer

The output shows that the 'Vlans allowed on trunk' list contains only VLANs 10 and 20. This means the trunk has been explicitly configured to permit only those VLANs, and all other VLANs (including VLAN 1) are pruned or blocked from traversing the trunk. Therefore, only VLANs 10 and 20 are allowed, making option C correct.

Exam trap

Cisco often tests the distinction between the native VLAN and the allowed VLAN list; candidates mistakenly assume that the native VLAN is always permitted on the trunk, but the allowed list explicitly controls which VLANs can pass traffic, and the native VLAN must be included in that list to be forwarded.

How to eliminate wrong answers

Option A is wrong because the 'Vlans allowed on trunk' line explicitly lists only VLANs 10 and 20; VLAN 1 is not included, so it is not allowed on this trunk. Option B is wrong because the 'Mode' field shows 'on', which indicates that trunking is statically configured (no DTP negotiation), not using DTP dynamic desirable mode. Option D is wrong because the 'Native vlan' field shows '1', not 10; the native VLAN is the VLAN used for untagged traffic on the trunk, and here it is VLAN 1.

32
Drag & Drop · medium

Drag and drop the steps of VLAN pruning on trunks using VTP into the correct order, from first to last.

Why this order

VTP pruning must be enabled globally before configuring the pruning-eligible list on a specific trunk interface. The global VTP pruning command enables the feature, then per-interface configuration restricts which VLANs can be pruned.

33
MCQ · medium

What is the purpose of the Dynamic Trunking Protocol (DTP) on Cisco switches?

A. To automatically negotiate trunking between two Cisco switches.
B. To dynamically assign VLANs to access ports.
C. To provide security by encrypting trunk traffic.
D. To prevent loops in the network.
Answer: A

Correct. DTP negotiates trunk links.

Why this answer

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol used to automatically negotiate the operational mode (access or trunk) of a switch port between two Cisco switches. When both ends are configured with DTP modes like dynamic desirable or dynamic auto, the link can become a trunk without manual configuration, simplifying deployment in environments where trunking is needed.

Exam trap

The trap here is that candidates confuse DTP with VTP (VLAN Trunking Protocol), which manages VLAN database propagation, or assume DTP provides security features like encryption, when in fact it only negotiates trunking and can be a security risk.

How to eliminate wrong answers

Option B is wrong because DTP negotiates trunking, not VLAN assignment; VLANs are assigned to access ports via the 'switchport access vlan' command or VTP, not DTP. Option C is wrong because DTP provides no encryption or security; trunk traffic encryption is handled by protocols like MACsec (802.1AE) or IPsec, not DTP. Option D is wrong because loop prevention is the function of Spanning Tree Protocol (STP), not DTP; DTP can actually create loops if misconfigured with STP disabled.

34
Matching · medium

Drag and drop each VLAN type on the left to its matching purpose on the right.

Matches

Carries user data traffic

Carries VoIP traffic; uses QoS trust boundaries

Carries management traffic (e.g., SSH, SNMP, syslog)

Carries untagged frames on an 802.1Q trunk

Unused VLAN; all ports assigned to it are shut down to prevent loops

Why these pairings

Data VLAN carries user traffic. Voice VLAN carries VoIP traffic (typically VLAN 100–199). Management VLAN carries management traffic (e.g., SSH, SNMP).

Native VLAN carries untagged frames on a trunk (default VLAN 1). Black-hole VLAN is unused and dropped to prevent loops.

35
MCQ · easy

A network engineer is configuring a new Cisco Catalyst 9300 switch to connect to an existing network. The uplink to the core switch is configured as a trunk. The engineer wants to ensure that all VLANs except VLAN 1 are allowed on the trunk, and that the native VLAN is set to VLAN 999. Which configuration should the engineer apply on the uplink interface?

A. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan except 1
B. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan remove 1
C. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan 2-4094
D. switchport mode trunk; switchport trunk native vlan 999; switchport trunk allowed vlan none
Answer: A

Correct because it sets the trunk, changes the native VLAN, and allows all VLANs except VLAN 1.

Why this answer

Option A is correct because the 'switchport trunk allowed vlan except 1' command explicitly permits all VLANs except VLAN 1 on the trunk, while the 'switchport trunk native vlan 999' command sets the native VLAN to 999, ensuring that untagged frames on the trunk belong to VLAN 999 instead of the default VLAN 1. This meets the requirement to exclude VLAN 1 from the allowed list and change the native VLAN.

Exam trap

Cisco often tests the difference between 'switchport trunk allowed vlan remove' and 'switchport trunk allowed vlan except', where candidates mistakenly think 'remove' is equivalent to 'except', but 'remove' only deletes a VLAN from the current list and requires the list to be pre-populated, while 'except' sets the list to all VLANs minus the specified ones in a single command.

How to eliminate wrong answers

Option B is wrong because 'switchport trunk allowed vlan remove 1' only removes VLAN 1 from the current allowed list, but if the default allowed VLAN list (all VLANs) was not explicitly set first, the command may behave inconsistently; more importantly, the syntax 'remove' is used to delete a VLAN from the existing allowed list, not to exclude it from the start, and the question requires a configuration that ensures all VLANs except VLAN 1 are allowed, which is better achieved with the 'except' keyword. Option C is wrong because 'switchport trunk allowed vlan 2-4094' explicitly lists VLANs 2 through 4094, but this excludes VLANs 0 and 1, and more critically, it does not account for reserved VLANs (like VLAN 1002-1005) that are not included in the range 2-4094, potentially blocking those VLANs; the 'except 1' command is more precise and inclusive. Option D is wrong because 'switchport trunk allowed vlan none' removes all VLANs from the trunk, effectively blocking all traffic, which does not meet the requirement to allow all VLANs except VLAN 1.

36
Drag & Drop · medium

Drag and drop the steps of VLAN mapping on trunk interfaces into the correct order, from first to last.

Why this order

First enter the trunk interface, configure encapsulation, then apply the VLAN mapping policy (translate or map), and finally verify the mapping.

37
Multi-Select · hard

Which three statements about trunking and VLAN pruning are true? (Choose three.)

Select 3 answers
A. VTP pruning reduces unnecessary broadcast traffic by preventing a trunk from carrying traffic for VLANs that have no active ports in the VLAN on downstream switches.
B. VTP pruning is enabled globally using the 'vtp pruning' command in global configuration mode.
C. VTP pruning can be enabled on a VTP client switch.
D. Manual VLAN pruning using 'switchport trunk allowed vlan' overrides VTP pruning for that specific trunk interface.
E. VTP pruning can remove the native VLAN from a trunk link.
Answers: A, B, D

This is the primary benefit of VTP pruning; it dynamically prunes VLANs from trunk links.

Why this answer

VTP pruning reduces unnecessary broadcast traffic on trunk links by dynamically removing VLANs from trunk allowed lists when no downstream switch has ports in that VLAN. VTP pruning is enabled globally with the 'vtp pruning' command. It requires VTP to be in server or transparent mode; clients cannot enable pruning.

The 'switchport trunk allowed vlan' command can manually prune VLANs, and this overrides VTP pruning for that interface. VTP pruning does not affect the native VLAN, which is always allowed.

38
Drag & Drop · medium

Drag and drop the steps of SVI configuration for inter-VLAN routing into the correct order, from first to last.

Why this order

SVI configuration requires first creating the VLAN, then the SVI interface, assigning an IP address, enabling the interface, and finally verifying routing. This order ensures the VLAN exists before the SVI is created and routing is enabled.

39
MCQ · hard

A network engineer is deploying a new server farm with multiple servers connected to a Cisco Nexus 9000 switch. Each server is dual-homed to two separate access switches for redundancy. The servers are configured with NIC teaming in active-standby mode. The engineer wants to ensure that if the active link fails, traffic continues without interruption. The access switches are connected to each other via a trunk. Which technology should the engineer implement on the access switches to prevent loops and allow both uplinks to be active?

A. Configure a vPC domain between the two access switches and use a vPC on the server-facing ports.
B. Enable Spanning Tree Protocol (STP) to block one of the links to prevent loops.
C. Configure an EtherChannel between the server and each access switch individually.
D. Implement Virtual Switching System (VSS) on the access switches.
Answer: A

Correct because vPC allows both switches to act as a single logical switch for the server, providing active-active links and redundancy.

Why this answer

A is correct because a vPC (Virtual Port Channel) allows two access switches to appear as a single logical device to the server, enabling both uplinks to be active simultaneously while preventing loops. This is essential for active-standby NIC teaming, as vPC ensures that if one link fails, the other continues forwarding traffic without requiring STP to block a port, thus providing seamless failover and loop-free operation.

Exam trap

Cisco often tests the distinction between vPC (Nexus) and VSS (Catalyst), and candidates may mistakenly choose VSS for Nexus switches, not realizing it is platform-specific.

How to eliminate wrong answers

Option B is wrong because enabling STP would block one of the redundant uplinks to prevent loops, which contradicts the requirement to keep both uplinks active and would cause traffic interruption during failover due to STP convergence delays. Option C is wrong because configuring an EtherChannel between the server and each access switch individually is not possible; EtherChannel requires a single logical link between two devices, and the server is dual-homed to two separate switches, so each switch would need its own EtherChannel, which does not prevent loops between the switches. Option D is wrong because VSS is a Cisco Catalyst technology that bundles two switches into a single logical entity, but it is not supported on Nexus 9000 switches; vPC is the correct Nexus-specific solution for this scenario.

40
Drag & Drop · medium

Drag and drop the Private VLAN (PVLAN) configuration steps into the correct order, from first to last.

Why this order

PVLAN configuration requires first creating the primary VLAN, then the secondary VLANs (community or isolated), associating them, and finally configuring host ports as PVLAN ports. The order ensures proper VLAN hierarchy and port assignment.

41
MCQ · medium

A network engineer runs the following command on Switch SW1:

SW1# show interfaces gi0/1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20

Based on this output, what can be concluded?

A. The interface is configured as an access port.
B. The trunk is using ISL encapsulation.
C. VLANs 2-9 are allowed but not active.
D. The native VLAN is 10.
Answer: C

Allowed VLANs are 1-1005, but only 1,10,20 are active; thus VLANs 2-9 are allowed but not active.

Why this answer

The output shows that VLANs 1-1005 are allowed on the trunk, but only VLANs 1, 10, and 20 are active in the management domain. This means VLANs 2-9 and 11-19, 21-1005 are allowed but not active (i.e., not created or not present on the switch). Option C correctly identifies that VLANs 2-9 are among those allowed but not active.

Exam trap

The trap here is that candidates often confuse 'allowed on trunk' with 'active in management domain', leading them to assume all allowed VLANs are actually forwarding traffic, when in fact only those listed in the second line are active.

How to eliminate wrong answers

Option A is wrong because the interface is in 'desirable' mode and shows 'trunking' status, which indicates it is a trunk port, not an access port. Option B is wrong because the encapsulation is 'n-802.1q' (likely a typo for '802.1q'), which is IEEE 802.1Q, not ISL (Cisco's proprietary encapsulation). Option D is wrong because the output explicitly shows 'Native vlan 1', not 10.

42
Matching · medium

Drag and drop each VLAN range on the left to its matching type on the right.

Matches

Normal range VLANs

Extended range VLANs

Reserved VLANs (cannot be used)

Default FDDI and Token Ring VLANs

Default Ethernet VLAN

Why these pairings

VLANs 1–1005 are normal range, 1006–4094 extended, 0 and 4095 reserved, 1002–1005 are default token ring/FDDI VLANs, and 1 is the default Ethernet VLAN.

43
MCQ · medium

A network engineer is troubleshooting a connectivity issue between two switches, SW1 and SW2, connected via a trunk link. SW1 is a Cisco Catalyst 3850 running IOS-XE, and SW2 is a Cisco Catalyst 2960 running IOS. The trunk is configured in dynamic desirable mode on SW1 and dynamic auto mode on SW2. The engineer notices that the trunk is not forming. What is the most likely cause?

A. The native VLAN is different on SW1 and SW2.
B. SW2 does not support DTP.
C. The trunk encapsulation is set to ISL on SW1.
D. VLAN 1 is not allowed on the trunk.
Answer: A

Correct because a native VLAN mismatch can cause DTP frames to be dropped, preventing trunk negotiation.

Why this answer

Option A is correct because when DTP modes are dynamic desirable (SW1) and dynamic auto (SW2), the trunk should form successfully if both switches support DTP and the encapsulation matches. However, if the native VLAN is mismatched, the trunk will not form because Cisco switches use DTP frames to negotiate trunking, and a native VLAN mismatch causes DTP to fail, preventing the trunk from coming up. This is a common issue that overrides the DTP negotiation.

Exam trap

Cisco often tests the misconception that DTP modes alone guarantee trunk formation, but the trap here is that a native VLAN mismatch silently breaks DTP negotiation, overriding the dynamic desirable/auto combination.

How to eliminate wrong answers

Option B is wrong because the Cisco Catalyst 2960 running IOS does support DTP; it is a common access-layer switch that supports dynamic auto and dynamic desirable modes. Option C is wrong because the Cisco Catalyst 3850 running IOS-XE only supports 802.1Q encapsulation and cannot be configured with ISL; if ISL were set, the switch would reject it or default to 802.1Q, but this would not prevent trunk formation with a 2960 that also supports 802.1Q. Option D is wrong because VLAN 1 is allowed on the trunk by default, and even if it were removed, the trunk would still form (though traffic for VLAN 1 would be blocked); the issue here is trunk negotiation failure, not traffic filtering.

44
MCQ · easy

What is the default native VLAN on a Cisco switch trunk port?

A. VLAN 1
B. VLAN 0
C. VLAN 1002
D. VLAN 4095
Answer: A

Correct. The default native VLAN is VLAN 1.

Why this answer

The default native VLAN on a Cisco switch trunk port is VLAN 1. The native VLAN is the VLAN that carries untagged traffic over a trunk link, and by default, all switch ports (including trunk ports) belong to VLAN 1. This is defined in the IEEE 802.1Q standard, which specifies that frames on the native VLAN are not tagged with a VLAN ID.

Exam trap

Cisco often tests the misconception that the native VLAN is always VLAN 1 by default, but the trap is that candidates may confuse it with the management VLAN (also often VLAN 1) or assume that changing the native VLAN is required for trunking to work.

How to eliminate wrong answers

Option B is wrong because VLAN 0 is not a valid VLAN number; VLAN IDs range from 1 to 4094, with 0 and 4095 reserved for internal use (e.g., 802.1p priority tagging). Option C is wrong because VLAN 1002 is one of the default VLANs (1002-1005) reserved for legacy Token Ring and FDDI networks, not the native VLAN. Option D is wrong because VLAN 4095 is reserved for implementation-specific use (e.g., 'all VLANs' in some Cisco configurations) and is not a valid native VLAN.

45
Multi-Select · medium

Which two statements about DTP (Dynamic Trunking Protocol) are true? (Choose two.)

Select 2 answers
A. DTP is a Cisco proprietary protocol.
B. The default switchport mode on a Cisco Catalyst switch is dynamic desirable.
C. DTP frames are sent continuously on a trunk port to maintain the trunk.
D. The 'switchport nonegotiate' command enables DTP on an interface.
E. DTP supports both 802.1Q and ISL trunking encapsulation.
Answers: A, B

DTP is indeed Cisco proprietary and is not standardized in IEEE 802.1Q.

Why this answer

DTP is a Cisco proprietary protocol used to negotiate trunking between switches. The default mode on Cisco switches is dynamic desirable, which will actively try to form a trunk. DTP frames are sent only over access ports when trunking is being negotiated, but not over trunk ports once the trunk is established.

The 'switchport nonegotiate' command disables DTP, and trunk formation then relies on manual configuration.

46
Drag & Drop · medium

Drag and drop the steps of adding a new VLAN to a trunk link into the correct order, from first to last.

Why this order

First, create the VLAN globally on the switch. Then, verify the VLAN exists. Next, ensure the trunk allows that VLAN.

After that, check the trunk's allowed VLAN list. Finally, test connectivity for hosts in the new VLAN.

47
MCQ · easy

Which of the following is a valid VLAN range that can be created on a Cisco IOS switch?

A. VLAN 100
B. VLAN 0
C. VLAN 4095
D. VLAN 1006
Answer: A

Correct. VLAN 100 is within the standard range of 1-1005.

Why this answer

VLAN 100 is a valid VLAN ID because Cisco IOS switches support VLANs in the range 1–1005 for normal-range VLANs, and VLAN 100 falls within this range. Normal-range VLANs are stored in the vlan.dat file and can be created on a standard IOS switch without requiring extended VLAN configuration.

Exam trap

Cisco often tests the misconception that any VLAN ID from 1 to 4094 is valid on any switch, but the trap here is that extended VLANs (1006–4094) require specific VTP modes or configuration, and VLANs 0, 1002–1005, and 4095 are reserved or not user-creatable.

How to eliminate wrong answers

Option B is wrong because VLAN 0 is reserved and cannot be used; VLAN IDs start at 1. Option C is wrong because VLAN 4095 is reserved for implementation use and is not available for user-created VLANs; the maximum usable VLAN ID is 4094. Option D is wrong because VLAN 1006 is in the extended VLAN range (1006–4094), which requires a switch running in transparent mode or with VTP version 3, and is not a valid normal-range VLAN that can be created by default on a standard IOS switch.

48
MCQ · medium

Examine the following configuration on a Cisco IOS-XE switch:

interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate

What is the effect of the 'switchport nonegotiate' command?

A. The interface will not send DTP frames, but will still respond to incoming DTP frames.
B. The interface will not send or process DTP frames, and remains a trunk.
C. The interface will revert to an access port.
D. The interface will negotiate trunking using ISL instead of DTP.
Answer: B

Correct. DTP is completely disabled, and the static trunk configuration remains.

Why this answer

The 'switchport nonegotiate' command disables Dynamic Trunking Protocol (DTP) on the interface. When configured on a trunk port, the interface will neither send nor process any DTP frames, ensuring the port remains in trunk mode regardless of the neighbor's DTP configuration. This is commonly used when connecting to non-Cisco devices that do not support DTP, or to prevent unwanted trunk negotiation.

Exam trap

Cisco often tests the misconception that 'switchport nonegotiate' only stops sending DTP frames but still allows the interface to respond to them, when in fact it disables all DTP processing, both sending and receiving.

How to eliminate wrong answers

Option A is wrong because 'switchport nonegotiate' prevents the interface from both sending and processing DTP frames; it does not allow the interface to respond to incoming DTP frames. Option C is wrong because the interface does not revert to an access port; it remains a trunk as explicitly configured with 'switchport mode trunk'. Option D is wrong because DTP is used to negotiate either ISL or 802.1Q trunking, but 'switchport nonegotiate' disables DTP entirely; it does not switch the interface to ISL negotiation.
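
The trunk settings in the configuration above (static mode, non-default native VLAN, restricted allowed list, DTP disabled) can be checked across a whole configuration file. The following is an added example, not part of the original question set: a small Python audit that also resolves the 'except', 'add', 'remove', 'none' and 'all' keywords of the allowed-VLAN command. The sample configuration, the finding names, and the treatment of an interface with no 'switchport mode' line as DTP-negotiable are assumptions made for illustration.

```python
import re

# Constructed sample in IOS running-config style (not from a real device).
# Gi0/5 mirrors the hardened trunk shown in the question above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/6
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan except 1
!
"""

ALL_VLANS = frozenset(range(1, 4095))  # usable VLAN IDs 1-4094


def expand(vlan_list):
    """Expand a list such as '10,20,30-32' into a set of VLAN IDs."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def apply_allowed(current, args):
    """Apply the arguments of one 'switchport trunk allowed vlan' line."""
    keyword, _, rest = args.partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":   # everything minus the listed VLANs
        return set(ALL_VLANS) - expand(rest)
    if keyword == "add":      # extends the existing list
        return set(current) | expand(rest)
    if keyword == "remove":   # edits the existing list only
        return set(current) - expand(rest)
    return expand(args)       # a bare list replaces the whole list


def parse_interfaces(config):
    """Collect per-interface trunk settings; unset values keep defaults."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ports.setdefault(m.group(1), {
                "mode": None, "native": 1,
                "allowed": set(ALL_VLANS), "nonegotiate": False})
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur["mode"] = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            value = line.rsplit(" ", 1)[1]
            if value.isdigit():  # ignore non-numeric forms of the command
                cur["native"] = int(value)
        elif line.startswith("switchport trunk allowed vlan "):
            args = line[len("switchport trunk allowed vlan "):]
            cur["allowed"] = apply_allowed(cur["allowed"], args)
        elif line == "switchport nonegotiate":
            cur["nonegotiate"] = True
    return ports


def audit(config):
    """Return {interface: [finding, ...]} for trunk-capable switchports."""
    report = {}
    for name, port in parse_interfaces(config).items():
        mode = port["mode"]
        dynamic = mode is None or mode.startswith("dynamic")  # assumption: unset = negotiable
        if not dynamic and mode != "trunk":
            continue  # access ports and other modes are out of scope here
        findings = []
        if dynamic:
            findings.append("TRUNK_NEGOTIABLE_VIA_DTP")
        elif not port["nonegotiate"]:
            findings.append("DTP_STILL_ENABLED")  # static trunk, DTP not disabled
        if port["native"] == 1:
            findings.append("NATIVE_VLAN_DEFAULT")
        if port["allowed"] == ALL_VLANS:
            findings.append("ALL_VLANS_ALLOWED")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

Routed interfaces and SVIs carry no 'switchport mode' line either, so filter them out before running the audit on a full configuration.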

49
Drag & Drop · medium

Drag and drop the steps of VLAN mapping on trunk interfaces into the correct order, from first to last.

Why this order

VLAN mapping requires first enabling the feature globally, then configuring the trunk interface, mapping the VLANs, and finally verifying the translation. The order ensures proper translation between customer and service provider VLANs.

50
Multi-Select · hard

Which three statements about VLAN configuration and verification are true? (Choose three.)

Select 3 answers
A. A VLAN can be created using the 'vlan vlan-id' command in global configuration mode.
B. The 'show vlan brief' command displays all VLANs, including the reserved VLANs 1002-1005.
C. VLAN 1 can be deleted from the switch.
D. The 'switchport access vlan' command automatically creates the VLAN if it does not already exist.
E. The 'show interfaces trunk' command shows only the trunking interfaces and their native VLAN.
Answers: A, B, D

This is the standard method to create a VLAN; the switch then enters VLAN configuration sub-mode.

Why this answer

VLANs can be created in global configuration mode or in VLAN database mode (though the latter is deprecated). The 'show vlan brief' command displays active VLANs and their ports. VLAN 1 and VLANs 1002-1005 are reserved and cannot be deleted.

The 'switchport access vlan' command assigns a port to a VLAN, but the VLAN must exist first or it will be created automatically on some platforms. The 'show interfaces trunk' command shows trunking interfaces and allowed VLAN lists.

51
MCQ · medium

A network engineer runs the following command on Switch SW1:

SW1# show interfaces gi0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Based on this output, what can be concluded?

A. The interface is configured as an access port.
B. DTP is enabled on this interface.
C. The native VLAN is tagged with 802.1Q.
D. All VLANs except 2-1001 are pruned.
Answer: B

'Negotiation of Trunking: On' indicates DTP is enabled.

Why this answer

The output shows 'Negotiation of Trunking: On', which indicates that Dynamic Trunking Protocol (DTP) is enabled on the interface. DTP is a Cisco proprietary protocol used to negotiate trunking between switches. Since the interface is in trunk mode and DTP is on, option B is correct.

Exam trap

Cisco often tests the distinction between 'Pruning VLANs Enabled' and 'Trunking VLANs Enabled', where candidates mistakenly think that VLANs listed under pruning are actively removed from the trunk, when in fact they are only eligible for pruning if VTP pruning is enabled.

How to eliminate wrong answers

Option A is wrong because the 'Administrative Mode: trunk' and 'Operational Mode: trunk' clearly indicate the port is configured as a trunk, not an access port. Option C is wrong because 'Administrative Native VLAN tagging: enabled' means the switch will tag frames on the native VLAN with an 802.1Q header, but the native VLAN itself (VLAN 1) is not tagged by default; tagging is an additional configuration that forces tagging of native VLAN frames, not that the native VLAN is inherently tagged. Option D is wrong because 'Trunking VLANs Enabled: ALL' shows all VLANs are allowed on the trunk, while 'Pruning VLANs Enabled: 2-1001' indicates VLANs 2-1001 are eligible for pruning by VTP, not that they are currently pruned.

52
MCQmedium

A network engineer runs the following command on Switch SW1:

SW1# show dtp interface gi0/1
DTP information on GigabitEthernet0/1:
DTP: Enabled
DTP mode: Desirable
DTP negotiate: TRUE
DTP status: Trunk
DTP trunk status: Trunking
DTP timer: 30
DTP max-age: 2
DTP encapsulation: 802.1q
DTP refresh rate: Both
DTP requests: 10
DTP errors: 0

Based on this output, what can be concluded?

A.The interface is in access mode.
B.The interface will not form a trunk unless the neighbor is set to trunk or desirable.
C.The interface is using ISL encapsulation.
D.DTP is disabled on this interface.
AnswerB

DTP mode desirable actively sends DTP frames to form a trunk; it can form a trunk with a neighbor set to trunk, desirable, or auto.

Why this answer

The output shows DTP mode is 'Desirable' and DTP status is 'Trunking', meaning the interface is actively attempting to form a trunk. In DTP, a switchport in desirable mode will only successfully negotiate a trunk if the neighboring interface is configured as trunk (on) or desirable; if the neighbor is in access mode or dynamic auto, the trunk will not form. Therefore, option B is correct.

Exam trap

Cisco often tests the misconception that 'dynamic desirable' will form a trunk with any neighbor, but the trap is that it requires the neighbor to be in trunk or desirable mode, not dynamic auto or access.

How to eliminate wrong answers

Option A is wrong because the interface is in trunking state (DTP status: Trunking), not access mode. Option C is wrong because the output explicitly shows 'DTP encapsulation: 802.1q', not ISL. Option D is wrong because the output shows 'DTP: Enabled', so DTP is clearly enabled on this interface.

53
MCQmedium

An engineer is troubleshooting a problem where a trunk link between two Cisco switches is not passing traffic for VLAN 10, but other VLANs are working. The trunk is configured with switchport mode trunk on both sides. The engineer checks the allowed VLAN list and sees VLAN 10 is included. The native VLAN is set to 1 on both sides. What is the most likely cause?

A.VLAN 10 is not created in the VLAN database on one of the switches.
B.VTP pruning has removed VLAN 10 from the trunk.
C.The native VLAN is mismatched.
D.Spanning Tree Protocol is blocking VLAN 10 on the trunk.
AnswerA

Correct because the VLAN must exist on both switches for traffic to pass.

Why this answer

The most likely cause is that VLAN 10 is not created in the VLAN database on one of the switches. Even if VLAN 10 is included in the allowed VLAN list on the trunk, a switch will not forward traffic for a VLAN that does not exist in its local VLAN database. The trunk interface will be operationally down for that specific VLAN, preventing traffic from passing.

Exam trap

Cisco often tests the distinction between a VLAN being allowed on a trunk and a VLAN being created in the VLAN database, leading candidates to focus on trunk configuration rather than verifying the VLAN's existence on both switches.

How to eliminate wrong answers

Option B is wrong because VTP pruning removes VLANs from the trunk only when no switch in the VTP domain has any active ports in that VLAN; if VLAN 10 is configured on the trunk and other VLANs work, VTP pruning is unlikely to be the issue. Option C is wrong because the native VLAN is set to 1 on both sides, so there is no mismatch; a native VLAN mismatch would cause issues for untagged traffic, not specifically for VLAN 10. Option D is wrong because Spanning Tree Protocol (STP) blocks per-VLAN on a per-interface basis only if there is a loop or port role change; STP would not block only VLAN 10 while allowing other VLANs unless VLAN 10 has a specific topology issue, but the question states other VLANs are working, making this less likely than a missing VLAN database entry.

54
MCQmedium

Given the following configuration on a Cisco IOS switch:

interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan except 100-200

What is the effect of this configuration?

A.The trunk will forward traffic for all VLANs except VLANs 100 through 200.
B.The trunk will only forward traffic for VLANs 100 through 200.
C.The trunk will forward traffic for all VLANs.
D.The trunk will not forward any traffic because the allowed list is empty.
AnswerA

Correct. The 'except' keyword excludes the specified range.

Why this answer

The 'switchport trunk allowed vlan except 100-200' command explicitly removes VLANs 100 through 200 from the allowed VLAN list on the trunk. All other VLANs (1-99 and 201-4094) remain permitted. This is the standard behavior of the 'except' keyword in Cisco IOS trunk configuration.

Exam trap

Cisco often tests the 'except' keyword to trap candidates who confuse it with 'add' or 'remove', leading them to think the trunk only forwards the specified range or that the allowed list becomes empty.

How to eliminate wrong answers

Option B is wrong because the 'except' keyword excludes the specified VLAN range, not includes it; the trunk will forward traffic for all VLANs except 100-200, not only those VLANs. Option C is wrong because the configuration explicitly removes VLANs 100-200, so the trunk does not forward traffic for all VLANs. Option D is wrong because the allowed list is not empty; it contains all VLANs except 100-200, so traffic for other VLANs is still forwarded.

55
MCQhard

A network engineer runs the following command on Switch SW1:

SW1# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             This bridge is the root
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778 (priority 32768 sys-id-ext 10)
             Address     0011.2233.4455
             Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
Gi0/3            Desg FWD 4         128.3    P2p

Based on this output, what can be concluded?

A.This switch is the root bridge for VLAN 10.
B.Gi0/2 is a root port.
C.The spanning-tree mode is PVST+.
D.VLAN 10 has a forwarding delay of 30 seconds.
AnswerA

The output explicitly states 'This bridge is the root'.

Why this answer

The output explicitly states 'This bridge is the root' for VLAN 10, and the Root ID and Bridge ID are identical (same priority 32778 and address 0011.2233.4455), confirming SW1 is the root bridge for VLAN 10. All interfaces are in the Designated (Desg) role and Forwarding (FWD) state, which is expected for a root bridge because root bridges have no root ports.

Exam trap

Cisco often tests the misconception that a switch with all Designated ports must be the root bridge, but the trap here is that candidates may overlook the explicit 'This bridge is the root' statement and instead focus on port roles, or they may confuse the 'protocol ieee' output with PVST+ when it actually indicates standard 802.1D STP.

How to eliminate wrong answers

Option B is wrong because Gi0/2 is listed with a role of 'Desg' (Designated), not 'Root'; a root port only exists on non-root bridges to reach the root bridge, and since SW1 is the root, it has no root ports. Option C is wrong because the output shows 'Spanning tree enabled protocol ieee', which indicates IEEE 802.1D (standard STP), not PVST+; PVST+ would show 'protocol ieee' as well, but the key distinction is that PVST+ is Cisco's per-VLAN implementation of 802.1D, and the output does not include any PVST+-specific fields like 'PortFast' or 'BPDU guard' indications, nor does it mention 'PVST+' explicitly. Option D is wrong because the output clearly states 'Forward Delay 15 sec', not 30 seconds; the forward delay is 15 seconds, which is the default for 802.1D, and it is not doubled.

56
MCQmedium

A network engineer runs the following command on Switch SW1:

SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3
10   Sales                            active    Gi0/4, Gi0/5
20   Engineering                      active    Gi0/6, Gi0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Based on this output, what can be concluded?

A.All ports shown are in trunk mode.
B.VLANs 1002-1005 are active and supported.
C.Interfaces Gi0/1, Gi0/2, and Gi0/3 are in VLAN 1.
D.VLAN 20 has no ports assigned.
AnswerC

The output clearly lists Gi0/1, Gi0/2, Gi0/3 under VLAN 1, indicating they are access ports in that VLAN.

Why this answer

Option C is correct because the 'show vlan brief' output explicitly lists Gi0/1, Gi0/2, and Gi0/3 under VLAN 1 (default), confirming these interfaces are access ports assigned to VLAN 1. VLAN 1 is the default VLAN on Cisco switches, and all ports not explicitly configured otherwise belong to it.

Exam trap

Cisco often tests the distinction between access and trunk port representation in 'show vlan brief' versus 'show interfaces trunk', leading candidates to incorrectly assume all listed ports are trunk ports or that VLANs 1002-1005 are fully functional.

How to eliminate wrong answers

Option A is wrong because the output shows ports assigned to specific VLANs, which is characteristic of access ports, not trunk ports; trunk ports carry multiple VLANs and would not be listed under a single VLAN in 'show vlan brief'. Option B is wrong because VLANs 1002-1005 are shown with status 'act/unsup', meaning they are administratively active but unsupported on modern hardware (e.g., no FDDI or Token Ring interfaces), so they are not fully active and supported. Option D is wrong because VLAN 20 (Engineering) has ports Gi0/6 and Gi0/7 assigned, as clearly listed in the output.

57
Matchingmedium

Drag and drop each VTP mode on the left to its matching capability on the right.

Can create, modify, and delete VLANs; advertises VTP updates

Cannot create VLANs; synchronizes from VTP servers

Forwards VTP advertisements but does not process them

Disables VTP; does not forward advertisements

Why these pairings

VTP server advertises and accepts changes; client accepts but cannot create; transparent forwards but does not participate; off disables VTP completely.

58
Drag & Dropmedium

Drag and drop the Private VLAN (PVLAN) configuration steps into the correct order, from first to last.

Why this order

First create the primary VLAN, then the secondary VLANs (community or isolated), then associate them. Finally configure host and promiscuous ports.