CCNA Wireless Infrastructure Questions

58 questions · Wireless Infrastructure · All types, answers revealed

1
Matchingmedium

Drag and drop each CAPWAP message type on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manages AP configuration and keepalive

Carries user traffic between AP and controller

AP finds available controllers

AP associates with a controller

Controller pushes settings to AP

Why these pairings

Control messages manage the AP (e.g., configuration, keepalive); Data messages carry user traffic; Discovery messages find controllers; Join messages establish the AP-controller association; Configuration messages push settings to the AP.

2
MCQeasy

A network engineer is upgrading a legacy wireless network that uses autonomous access points to a centralized WLC-based architecture. The engineer has installed a Cisco 9800 WLC and is converting the autonomous APs to lightweight mode. After the conversion, the APs join the WLC, but the engineer notices that the APs are not broadcasting any SSIDs. What is the most likely cause?

A.The APs are in discovery mode and have not yet downloaded their configuration from the WLC.
B.The APs require a separate management IP address to broadcast SSIDs.
C.The WLC is running an IOS version that does not support the AP model.
D.The APs must be rebooted after joining the WLC to start broadcasting SSIDs.
AnswerA

Correct because lightweight APs initially join the WLC in discovery mode and then download the full configuration, including SSID definitions.

Why this answer

The correct answer is that the APs are in discovery mode and have not yet received their configuration from the WLC. In lightweight mode, APs download their configuration from the WLC, including SSID settings. The other options are incorrect: APs do not need a separate management IP, the WLC does not need a specific IOS version for basic operation, and APs do not need to be rebooted again after joining.

3
Matchingmedium

Drag and drop each WPA security version on the left to its matching authentication method on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

TKIP with PSK or 802.1X

CCMP (AES) with PSK or 802.1X

GCMP-256 with SAE or 802.1X

PSK

802.1X with GCMP-256

Why these pairings

WPA uses TKIP with PSK or 802.1X; WPA2 uses CCMP (AES) with PSK or 802.1X; WPA3 uses GCMP-256 with SAE or 802.1X; WPA2-Personal uses PSK; WPA3-Enterprise uses 802.1X with GCMP-256.

4
Drag & Dropmedium

Drag and drop the steps of the 802.1X/EAP authentication process for a wireless client into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The 802.1X/EAP process begins with the client sending an EAPoL-Start to the AP, which triggers the AP to send an EAP-Request Identity. The client responds with an EAP-Response Identity, which the AP forwards to the RADIUS server. The RADIUS server then sends EAP-Request credentials (e.g., password) to the client via the AP, and the client replies with EAP-Response credentials.

5
MCQmedium

Examine the following configuration on a Cisco 9800 WLC: ap profile default-ap-profile description "Default AP Profile" country US management-user admin Which statement is true about this configuration?

A.This profile configures the SSID for the AP.
B.The country code is set to the United States, affecting allowed channels and transmit power.
C.This profile enables 802.11r fast roaming.
D.The management user 'admin' is used for client authentication.
AnswerB

The country code determines regulatory compliance for radio operation.

Why this answer

The 'country US' command sets the regulatory domain for the APs using this profile, which is required for proper channel and power settings.

6
Matchingmedium

Drag and drop each WPA security version on the left to its matching authentication method on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Pre-Shared Key (PSK)

802.1X/EAP

Pre-Shared Key (PSK)

802.1X/EAP

Simultaneous Authentication of Equals (SAE)

Why these pairings

WPA Personal uses Pre-Shared Key (PSK); WPA Enterprise uses 802.1X/EAP; WPA2 Personal uses PSK; WPA2 Enterprise uses 802.1X/EAP; WPA3 Personal uses Simultaneous Authentication of Equals (SAE).

7
Matchingmedium

Drag and drop each 802.11 standard on the left to its matching frequency band and maximum speed on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

2.4 GHz, 11 Mbps

5 GHz, 54 Mbps

2.4 GHz, 54 Mbps

2.4/5 GHz, 600 Mbps

5 GHz, 6.9 Gbps

Why these pairings

802.11b operates at 2.4 GHz with 11 Mbps; 802.11a at 5 GHz with 54 Mbps; 802.11g at 2.4 GHz with 54 Mbps; 802.11n can use both 2.4 and 5 GHz with 600 Mbps; 802.11ac operates only at 5 GHz with up to 6.9 Gbps.

8
Multi-Selecthard

Which three statements about Cisco AP join process and discovery are true? (Choose three.)

Select 3 answers
A.An AP can discover a WLC using DHCP option 43, which provides the WLC management IP address.
B.An AP can discover a WLC by sending a DNS query for 'CISCO-CAPWAP-CONTROLLER.localdomain'.
C.An AP must have a valid certificate installed to establish a DTLS session with the WLC.
D.An AP can discover a WLC by sending an SNMP broadcast to the local subnet.
E.An AP can be manually configured with the primary WLC name via the AP CLI before joining.
AnswersA, B, C

Correct because DHCP option 43 is a standard method for APs to learn the WLC IP address during boot.

Why this answer

APs discover WLCs via DHCP option 43, DNS, or local subnet broadcast. They use CAPWAP for control and data. The AP must have a valid certificate for DTLS.

APs can be pre-configured with a primary WLC name. APs do not use SNMP to find WLCs.

9
MCQeasy

Which of the following is a valid AP mode on Cisco 9800 WLCs that allows the AP to function as a standalone access point without controller management?

A.Local mode
B.FlexConnect mode
C.Monitor mode
D.Sniffer mode
AnswerB

FlexConnect allows standalone operation with local switching.

Why this answer

Cisco APs can operate in various modes; 'FlexConnect' allows local switching and can operate independently if the WLC is unreachable.

10
Matchingmedium

Drag and drop each CAPWAP message type on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manages AP configuration, keepalive, and state

Encapsulates user data frames between AP and WLC

Sent by AP to find WLCs

Sent by AP to join a WLC

Sent by WLC to push new settings to AP

Why these pairings

CAPWAP Control messages manage the AP (e.g., keepalive, configuration); CAPWAP Data messages carry user traffic between AP and WLC.

11
Drag & Dropmedium

Drag and drop the steps of the CAPWAP discovery and join process between a lightweight AP and a WLC into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The CAPWAP process starts with the AP obtaining an IP address (via DHCP), then discovering the WLC (via DHCP option 43 or DNS). The AP sends a Discovery Request, the WLC replies with a Discovery Response, and finally the AP sends a Join Request to establish the control tunnel.

12
MCQhard

An engineer is configuring a new Cisco 9800 WLC in a branch office. The WLC will manage 50 APs and must provide guest access with a captive portal. The engineer configures a guest SSID with open authentication and a redirect ACL for the captive portal. However, after the configuration, clients can associate to the guest SSID but cannot reach the captive portal page. What is the most likely cause?

A.The guest SSID is configured with open authentication, which does not support captive portal.
B.The redirect ACL is missing entries for DNS and HTTP traffic to the captive portal server.
C.The WLC does not have a dedicated guest interface configured.
D.The captive portal requires a RADIUS server to be configured on the WLC.
AnswerB

Correct because the redirect ACL must permit DNS and HTTP traffic to the portal server so that the client's initial HTTP request is redirected to the captive portal.

Why this answer

The correct answer is that the redirect ACL is not properly configured to allow DNS and HTTP traffic to the captive portal server. Without proper ACL entries, the client's HTTP request is not redirected to the portal. The other options are incorrect because open authentication does not require a pre-shared key, the WLC does not need a specific interface for guest traffic (it can use a service port or management interface), and captive portal does not require RADIUS authentication by default.

13
MCQhard

A network engineer runs the following command on a Cisco WLC: WLC# show ap stats ap-name AP-3 AP Statistics for AP-3 ---------------------- Channel Utilization: 75% Interference: 30% Noise Floor: -80 dBm Total Packets Received: 5000 Total Packets Sent: 4500 Total Errors: 1500 Based on this output, what can be concluded?

A.The AP is operating in a clean environment with low interference.
B.The high error rate suggests possible co-channel interference or signal issues.
C.The channel utilization is low, indicating spare capacity.
D.The noise floor is excellent at -80 dBm.
AnswerB

30% error rate is high and indicates problems, likely from interference or noise.

Why this answer

The output shows high channel utilization (75%), high interference (30%), and a relatively high noise floor (-80 dBm is noisy). The error rate is 1500 out of 5000 received, which is 30%, indicating a poor wireless environment.

14
MCQmedium

An engineer is configuring a Cisco 9800 WLC for high availability using a pair of WLCs in an active/standby configuration. The engineer configures the same SSID and security settings on both WLCs. However, when the active WLC fails, clients that were connected to the active WLC do not automatically reconnect to the standby WLC. What is the most likely cause?

A.The APs are not configured with the standby WLC's IP address as a backup controller.
B.Clients must be configured to roam between WLCs, which is not supported in active/standby mode.
C.The SSID name must be different on the standby WLC to avoid conflicts.
D.The APs must be rebooted after the active WLC fails to recognize the standby WLC.
AnswerA

Correct because APs must have the secondary WLC IP configured so they can fail over to it when the primary is unavailable.

Why this answer

The correct answer is that the APs are not configured to use the standby WLC as a backup. In a high availability setup, APs must be configured with both primary and secondary WLC IP addresses. The other options are incorrect: client roaming is not required for failover, SSID names can be the same, and APs do not need to be rebooted after failover if properly configured.

15
Multi-Selectmedium

Which two statements about Cisco Wireless LAN Controller (WLC) high availability (SSO) are true? (Choose two.)

Select 2 answers
A.In an SSO pair, the standby WLC maintains synchronized client and AP state information via a dedicated link.
B.SSO requires both WLCs to be connected to the same Layer 2 network for the redundant management interface.
C.During a failover event, all client sessions are dropped and must re-associate with the new active WLC.
D.SSO can be configured between any two WLC models regardless of hardware platform.
E.SSO supports only a single AP per WLC pair.
AnswersA, B

Correct because SSO uses a dedicated redundancy link to keep the standby WLC fully synchronized with the active WLC.

Why this answer

SSO uses a pair of WLCs in active/standby mode with stateful failover. The standby maintains synchronized client and AP state. A Layer 2 link is required between the two WLCs for the redundant management interface.

SSO does not require identical hardware models, but they must be from the same platform family.

16
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show ap rf-profile summary RF-Profile Name: default-rf-profile Description: Default RF Profile Band: 5 GHz Channel Width: 20/40/80 MHz Data Rates: 6,9,12,18,24,36,48,54 Mbps Power Level: 1 (max) RF-Profile Name: high-density Description: High Density RF Profile Band: 5 GHz Channel Width: 20 MHz Data Rates: 12,18,24,36,48,54 Mbps Power Level: 3 Based on this output, what can be concluded?

A.The high-density profile is designed to support more clients by using narrower channels and lower power.
B.The default profile uses only 20 MHz channels.
C.The high-density profile disables all data rates below 12 Mbps.
D.The default profile is used for 2.4 GHz band.
AnswerA

Narrower channels (20 MHz) and lower power reduce co-channel interference, which is beneficial in high-density environments.

Why this answer

The output shows two RF profiles. The default profile uses wider channel widths (up to 80 MHz) and higher power, while the high-density profile uses only 20 MHz channels and lower power to reduce interference and support more clients.

17
Drag & Dropmedium

Drag and drop the steps of WPA3 client authentication process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

WPA3 uses Simultaneous Authentication of Equals (SAE) handshake. The client first sends an SAE commit to the AP, the AP responds with its own SAE commit, then both compute a shared key. Next, the client sends an SAE confirm message, and finally the AP sends its SAE confirm to complete authentication.

18
Drag & Dropmedium

Drag and drop the steps of WPA3 client authentication process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

WPA3 uses SAE (Simultaneous Authentication of Equals) handshake. First, the AP announces WPA3 capability in beacons. The client then initiates the SAE commit exchange, followed by the SAE confirm exchange.

After SAE completes, the 4-Way Handshake occurs, and finally group key is installed.

19
MCQhard

A company is deploying a new wireless network in a large warehouse. The network engineer must choose between using a centralized WLC architecture (with CAPWAP tunnels) or a converged access (SD-Access) wireless architecture. The warehouse has high-density client areas and requires low latency for real-time applications like voice and video. Which architecture should the engineer choose and why?

A.Centralized WLC architecture, because it provides better RF management and security.
B.Converged access (SD-Access) wireless, because it allows local switching of traffic at the access layer, reducing latency.
C.Centralized WLC architecture, because it requires fewer access points to cover the warehouse.
D.Converged access (SD-Access) wireless, because it requires fewer WLCs to manage the network.
AnswerB

Correct because SD-Access wireless enables local switching, which minimizes latency for real-time traffic by avoiding backhaul to a central WLC.

Why this answer

The correct answer is converged access (SD-Access) because it enables local switching of traffic at the access layer, reducing latency and improving performance for real-time applications. Centralized CAPWAP tunnels would force all traffic back to the WLC, increasing latency. The other options are incorrect because centralized architecture does not inherently provide better RF management, and SD-Access does not require more APs or more WLCs.

20
MCQmedium

Examine the following configuration on a Cisco 9800 WLC: wireless profile policy test-policy no security wpa no security wpa2 security wpa3 security wpa3 akm sae security ft over-the-ds What is the effect of the 'security ft over-the-ds' command?

A.It enables 802.11r fast roaming using over-the-air messaging.
B.It enables 802.11r fast roaming using the distribution system for key exchange.
C.It disables fast roaming for this policy.
D.It configures the AP to use a different radio band.
AnswerB

Over-the-DS uses the wired network for key distribution.

Why this answer

The 'ft over-the-ds' command enables Fast Transition (802.11r) using the over-the-DS (Distribution System) method, which is used for seamless roaming.

21
MCQmedium

A network administrator issues the following command on a Cisco WLC: WLC# show ap config general AP-1 AP Name: AP-1 MAC Address: aabb.cc00.0100 Country Code: US - United States Regulatory Domain: 802.11bg: -A 802.11a: -A AP Submode: Normal AP Mode: Local AP Join Priority: 1 Primary Controller: WLC-1 Secondary Controller: WLC-2 Tertiary Controller: WLC-3 Based on this output, what can be concluded?

A.The AP is operating in FlexConnect mode.
B.The AP will attempt to join the primary controller WLC-1 first.
C.The AP is in Monitor mode and will not serve clients.
D.The AP has a join priority of 1, meaning it is the highest priority.
AnswerB

The primary controller is configured as WLC-1, and APs try to join their primary controller first.

Why this answer

The output shows the AP is in Local mode (not FlexConnect or Monitor). It has a primary, secondary, and tertiary controller configured, which is typical for high availability. The AP will attempt to join the primary controller first.

22
MCQmedium

A network engineer is deploying a new wireless LAN controller (WLC) in a campus network. The WLC must manage 200 access points across three buildings. The engineer configures the WLC with a management IP address and enables CAPWAP. However, the access points fail to join the WLC. The APs are in the same VLAN as the WLC and can ping the WLC's management IP. What is the most likely cause of the APs not joining?

A.The WLC does not have a CAPWAP source interface configured.
B.The APs are not configured with DHCP option 43 to point to the WLC.
C.The APs are running an incompatible IOS version that does not support CAPWAP.
D.The APs must be assigned a static IP address to join the WLC.
AnswerA

Correct because the CAPWAP source interface must be configured on the WLC so that APs can discover and communicate with it. Without it, the WLC may not respond to CAPWAP discovery requests.

Why this answer

The correct answer is that the APs are unable to discover the WLC via CAPWAP because the WLC's CAPWAP source interface is not configured or is misconfigured. Even though the APs can ping the management IP, CAPWAP discovery requires the WLC to respond from a consistent source IP. The other options are less likely: DHCP option 43 is not needed if APs are in the same subnet, APs do not need a specific IOS version to join, and APs do not need a static IP if they can obtain one via DHCP.

23
MCQmedium

Given the following snippet from a Cisco 9800 WLC: ap ethernet-port default-ethernet-port description "Default Ethernet Port" mode trunk allowed vlan 10,20,30 native vlan 10 What is the effect of this configuration on the AP?

A.The AP's Ethernet port will tag all traffic with VLAN 10.
B.The AP will use VLAN 10 for management traffic and VLANs 20 and 30 for client traffic.
C.The AP will only allow VLAN 10 traffic.
D.The AP's Ethernet port is configured as an access port.
AnswerB

Native VLAN is typically for management; other VLANs are for client data.

Why this answer

The Ethernet port configuration on an AP defines how the AP's wired interface handles VLANs, typically for management and client traffic.

24
Multi-Selectmedium

Which three statements about RRM (Radio Resource Management) in a Cisco wireless LAN are true? (Choose three.)

Select 3 answers
A.RRM automatically selects the best channel for each AP based on interference measurements.
B.RRM requires a dedicated hardware controller to perform RF calculations.
C.RRM can adjust the transmit power of APs to optimize coverage and reduce co-channel interference.
D.RRM uses a leader AP to collect and distribute RF measurements to other APs in the same RF group.
E.RRM automatically enables client load balancing across APs in the same coverage area.
AnswersA, C, D

Correct because RRM's Dynamic Channel Assignment (DCA) algorithm uses real-time RF data to assign channels with minimal interference.

Why this answer

RRM dynamically adjusts channel and power settings based on RF measurements, uses a leader AP to coordinate, and can be configured to run at a scheduled interval. It does not require a dedicated hardware controller (it runs on the WLC) and does not automatically enable client load balancing (that is a separate feature).

25
Multi-Selecthard

Which three statements about Cisco Wireless LAN Controller (WLC) mobility groups are true? (Choose three.)

Select 3 answers
A.Controllers in the same mobility group must be in the same IP subnet.
B.A mobility group can contain up to 24 controllers.
C.Mobility groups enable seamless client roaming between controllers without re-authentication.
D.Mobility tunnels between controllers must be symmetric and use the same source and destination IP addresses.
E.All controllers in a mobility group must be the same hardware model.
AnswersB, C, D

Correct because Cisco WLCs support a maximum of 24 controllers in a single mobility group.

Why this answer

Mobility groups allow seamless client roaming across controllers, support up to 24 controllers per group, require symmetric mobility tunnels, and use a backup controller list for redundancy. They do not require all controllers to be in the same subnet or same hardware model.

26
MCQeasy

What is the default CAPWAP control path DTLS encryption mode on Cisco 9800 WLCs?

A.Enabled
B.Disabled
C.Optional (configurable per AP)
D.Only for data path
AnswerA

DTLS is enabled by default for control path.

Why this answer

By default, DTLS encryption is enabled for the CAPWAP control path to secure management traffic between AP and WLC.

27
MCQmedium

Consider the following configuration on a Cisco 9800 WLC: ap join-profile default-join-profile description "Default Join Profile" controller 1 primary 10.1.1.1 controller 2 secondary 10.1.1.2 What is the purpose of this configuration?

A.It configures the AP's management IP address.
B.It specifies the WLCs that the AP should attempt to join in order of priority.
C.It enables CAPWAP DTLS encryption.
D.It defines the AP's radio parameters.
AnswerB

The primary and secondary keywords set the join priority.

Why this answer

Join profiles define how APs discover and connect to WLCs, including primary and secondary controller IP addresses.

28
Multi-Selecteasy

Which two statements about Cisco Aironet 2800/3800 series APs are true? (Choose two.)

Select 2 answers
A.These APs support 802.11ac Wave 2 with MU-MIMO technology.
B.These APs are Wi-Fi 6 (802.11ax) capable.
C.These APs have integrated antennas and are designed for indoor deployments.
D.These APs support modular field-replaceable radios for future upgrades.
E.These APs can operate in both local and FlexConnect modes.
AnswersA, C

Correct because the 2800/3800 series are 802.11ac Wave 2 APs that support Multi-User MIMO.

Why this answer

The 2800/3800 series APs are 802.11ac Wave 2 devices that support MU-MIMO and have integrated antennas; they do not support 802.11ax (Wi-Fi 6) and are not modular with field-replaceable radios.

29
Multi-Selecthard

Which three statements about Cisco DNA Center wireless assurance are true? (Choose three.)

Select 3 answers
A.DNA Center collects telemetry from wireless controllers and access points to provide health scores for clients and APs.
B.DNA Center can be used to troubleshoot client connectivity issues by replaying historical client association events.
C.DNA Center uses synthetic test clients (sensors) to simulate client traffic and measure wireless performance.
D.DNA Center replaces the WLC for real-time client association and roaming decisions.
E.DNA Center requires a dedicated wireless LAN controller to be deployed solely for assurance data collection.
AnswersA, B, C

Correct because DNA Center uses telemetry from the network infrastructure to compute health scores for proactive monitoring.

Why this answer

DNA Center provides proactive health monitoring, client troubleshooting via historical data, and sensor-based proactive testing. It does not replace the WLC for real-time client association, nor does it require a separate controller for assurance data.

30
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show client summary Client MAC Address AP Name WLAN State Protocol RSSI SNR 00:11:22:33:44:55 AP-1 1 Run 802.11ac -65 25 00:11:22:33:44:66 AP-2 2 Run 802.11n -70 20 00:11:22:33:44:77 AP-1 1 Run 802.11ac -60 30 00:11:22:33:44:88 AP-3 3 Probe 802.11ax -75 15 Based on this output, what can be concluded?

A.All clients are fully associated and passing traffic.
B.The client with MAC 00:11:22:33:44:88 is attempting to associate but is not yet connected.
C.The client with MAC 00:11:22:33:44:55 has the best signal strength.
D.All clients are using 802.11ac or higher.
AnswerB

Probe state indicates the client is sending probe requests but not yet associated.

Why this answer

The output shows client states: 'Run' means associated and active, 'Probe' means the client is probing but not yet associated. The client with MAC ending 88 is in Probe state, indicating it is not fully connected.

31
Matchingmedium

Drag and drop each wireless roaming method on the left to its matching 802.11 standard on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

802.11r

802.11k

802.11v

802.11k

802.11r

Why these pairings

802.11r provides Fast BSS Transition (FT); 802.11k provides Radio Resource Measurement (RRM) for neighbor reports; 802.11v provides BSS Transition Management (BTM) for network-assisted roaming.

32
MCQhard

A network engineer is deploying a wireless mesh network using outdoor access points. The mesh APs are configured to use 802.11a/n on the 5 GHz band for backhaul and 802.11b/g/n on the 2.4 GHz band for client access. The engineer notices that the mesh backhaul links are unstable and have high packet loss. What is the most likely cause of the instability?

A.The 5 GHz band is being used for both backhaul and client access, causing co-channel interference.
B.The 802.11a/n standard is obsolete and does not support mesh networking.
C.The mesh APs require a wired Ethernet connection to the root AP.
D.The 2.4 GHz band provides better range for backhaul than the 5 GHz band.
AnswerA

Correct because using the same band for backhaul and client access can cause interference if channels overlap; dedicated backhaul channels should be used.

Why this answer

The correct answer is that the backhaul and client access channels are overlapping, causing interference. Using the same band for both backhaul and client access can lead to co-channel interference, especially if channels are not carefully planned. The other options are less likely: 802.11a/n is not obsolete, mesh backhaul does not require a wired connection, and 5 GHz generally has better range than 2.4 GHz for backhaul.

33
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show ap config general AP-2 AP Name: AP-2 MAC Address: aabb.cc00.0200 Country Code: US - United States Regulatory Domain: 802.11bg: -A 802.11a: -A AP Submode: FlexConnect AP Mode: FlexConnect AP Join Priority: 2 Primary Controller: WLC-1 Secondary Controller: WLC-2 Tertiary Controller: WLC-3 Based on this output, what can be concluded?

A.The AP is operating in Local mode and will tunnel all traffic to the WLC.
B.The AP can locally switch client traffic and maintain connectivity even if the WLC is unreachable.
C.The AP will only work if the WLC is directly connected at Layer 2.
D.The AP is in Monitor mode and will not serve clients.
AnswerB

FlexConnect APs can locally switch traffic and operate independently if the WLC is unreachable.

Why this answer

The output shows the AP is in FlexConnect mode, which means it can locally switch traffic and maintain connectivity to the WLC over a WAN. The AP has a primary, secondary, and tertiary controller configured.

34
MCQmedium

An engineer is deploying a wireless network in a hospital that requires strict security and client isolation. The network must support 802.1X authentication for employees and a separate guest SSID with a captive portal. The engineer configures the WLC with RADIUS servers for 802.1X and a local web server for the captive portal. However, guest users can access the internal network after authentication. What configuration change is needed?

A.Enable client isolation (peer-to-peer blocking) on the guest SSID.
B.Configure 802.1X authentication for the guest SSID as well.
C.Apply a VLAN ACL on the guest VLAN to block access to internal subnets.
D.Place the guest SSID on the same VLAN as the employee SSID.
AnswerA

Correct because client isolation prevents guest clients from communicating with each other and with internal network resources, ensuring security.

Why this answer

The correct answer is to enable client isolation (or peer-to-peer blocking) on the guest SSID. This prevents guest clients from communicating with each other and with internal resources. The other options are incorrect: 802.1X is not needed for guests, VLAN ACLs would be more complex, and guest traffic should be on a separate VLAN, but isolation must also be enforced at the wireless level.

35
Matchingmedium

Drag and drop each wireless AP mode on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Normal client access with CAPWAP tunnel to controller

Client traffic switched locally at the AP

Listens for rogue devices without serving clients

Captures 802.11 packets for analysis

Detects rogue APs without client association

Why these pairings

Local mode provides normal client access with CAPWAP tunnel; FlexConnect switches client traffic locally at the AP; Monitor mode listens for rogue devices; Sniffer mode captures packets for analysis; Rogue detector mode detects rogues without serving clients.

36
Drag & Dropmedium

Drag and drop the steps of Cisco Flex (FlexConnect) AP mode operation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

A FlexConnect AP first discovers and joins the WLC, then downloads its configuration and policy. When a client associates, the AP locally switches traffic if configured. The AP sends client data to the WLC for authentication and then applies the downloaded policy locally.

37
Matchingmedium

Drag and drop each wireless roaming method on the left to its matching 802.11 standard on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

802.11r

802.11k

802.11k

802.11v

802.11v

Why these pairings

802.11r enables fast BSS transition (FT) with reduced reauthentication time; 802.11k provides neighbor report and channel information; 802.11v offers network-assisted power saving and BSS transition management.

38
MCQeasy

A network engineer is troubleshooting a wireless network where clients in a specific area report slow speeds and frequent disconnections. The engineer uses a spectrum analyzer and finds high utilization on channel 11 in the 2.4 GHz band. The engineer also notices that several neighboring access points are using channel 11. What is the most likely cause of the issue?

A.Co-channel interference from neighboring access points using the same channel.
B.Adjacent channel interference from access points using channels 10 and 12.
C.Non-WiFi interference from devices like microwaves or cordless phones.
D.The access point is overloaded with too many clients.
AnswerA

Correct because multiple APs on the same channel cause co-channel interference, leading to collisions and poor performance.

Why this answer

The correct answer is co-channel interference from neighboring APs using the same channel. This causes contention and collisions, degrading performance. Adjacent channel interference would occur if channels overlapped (e.g., channels 10 and 11), but the scenario specifies same channel.

Non-WiFi interference is possible but not indicated. Client load on a single AP would cause high utilization but not necessarily disconnections.

39
Multi-Selectmedium

Which two statements about the Cisco FlexConnect architecture are true? (Choose two.)

Select 2 answers
A.FlexConnect APs can locally switch client data traffic when the CAPWAP tunnel to the WLC is down.
B.FlexConnect APs must always tunnel all client traffic back to the WLC for central switching.
C.FlexConnect APs can be assigned to a FlexConnect group to share the same VLAN and ACL configuration.
D.FlexConnect APs require a direct Layer 2 connection to the WLC at all times.
E.FlexConnect APs cannot support native VLAN tagging on the uplink interface.
AnswersA, C

Correct because FlexConnect supports local switching even if the WLC is unreachable, using the local VLAN configuration.

Why this answer

FlexConnect allows local switching and backup connectivity when the WLC is unreachable. Central switching requires the CAPWAP tunnel to the WLC. FlexConnect groups are used to apply common policies, not to assign APs to different VLANs.

Native VLAN tagging is supported on the uplink port.

40
Matchingmedium

Drag and drop each wireless AP mode on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Serves clients with CAPWAP control and data to WLC

Switches client data locally at the AP

Listens for rogue access points on all channels

Captures packets and forwards to a remote analyzer

Detects rogue devices by monitoring wired traffic

Why these pairings

Local mode serves clients with CAPWAP control and data; FlexConnect mode switches client data locally; Monitor mode listens for rogue APs; Sniffer mode captures packets for analysis; Rogue Detector mode detects rogue devices via wired network.

41
MCQmedium

What is the maximum number of WLANs that can be configured on a single AP in a Cisco 9800 WLC deployment?

A.8
B.16
C.32
D.64
AnswerB

Up to 16 WLANs per radio are supported on modern APs.

Why this answer

Cisco APs support up to 16 WLANs (SSIDs) per radio, though the exact number may vary by platform.

42
Drag & Dropmedium

Drag and drop the steps of 802.11r Fast BSS Transition (FT) roaming steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

802.11r FT roaming uses a key hierarchy to reduce latency. The client first discovers the target AP via scanning. The client sends an FT Authentication request containing a Mobility Domain Identifier (MDIE) and R0KH-ID.

The target AP responds with an FT Authentication response with key data. The client then sends an FT Association request, and the AP completes the process with an FT Association response.

43
MCQmedium

Given the following WLAN configuration on a Cisco 9800 WLC: wlan test-wlan 1 test-ssid client vlan VLAN10 no security wpa no security wpa2 security wpa3 no security ft What is a potential issue with this configuration?

A.The WLAN is missing a security key management (AKM) configuration.
B.The client VLAN is incorrectly configured.
C.WPA3 is not supported on this platform.
D.The SSID name is too long.
AnswerA

WPA3 requires an AKM (e.g., SAE) to be configured; the snippet does not show 'security wpa3 akm sae'.

Why this answer

WPA3 requires support for 802.11r (Fast Transition) for optimal roaming; disabling it may cause compatibility issues with some clients.

44
MCQmedium

A network engineer is troubleshooting a wireless network where clients in a conference room experience intermittent connectivity. The engineer notices that the access point in that room is showing a high number of CRC errors on its uplink interface. The AP is connected to a Cisco 9300 switch via a copper cable. What is the most likely cause of the CRC errors?

A.The AP is overloaded with too many clients.
B.The Ethernet cable is faulty or of poor quality.
C.The switch port is configured with a duplex mismatch.
D.The AP is not receiving enough power from Power over Ethernet (PoE).
AnswerB

Correct because CRC errors on a copper link are usually due to physical layer problems like faulty cables, bad connectors, or interference.

Why this answer

CRC errors typically indicate physical layer issues such as faulty cabling, bad connectors, or electromagnetic interference. Since the AP is connected via copper, a faulty cable is the most likely cause. Duplex mismatch would cause alignment errors, not just CRC.

AP overload would not cause CRC errors on the uplink. PoE issues would cause power problems, not CRC errors.

45
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show ap inventory all AP Inventory Information ----------------------- AP Name: AP-1 Base MAC: aabb.cc00.0100 Model: AIR-CAP3702I-A-K9 Software: 8.5.151.0 AP Name: AP-2 Base MAC: aabb.cc00.0200 Model: AIR-AP2802I-B-K9 Software: 8.5.151.0 AP Name: AP-3 Base MAC: aabb.cc00.0300 Model: AIR-AP3802I-A-K9 Software: 8.5.151.0 Based on this output, what can be concluded?

A.All APs are running the same software version and are compatible with the WLC.
B.AP-1 is a lightweight AP and AP-2 and AP-3 are autonomous APs.
C.AP-3 has a hardware failure because its model is different.
D.The WLC is running a software version that only supports AP-2 and AP-3.
AnswerA

The output shows all APs have the same software version 8.5.151.0, indicating compatibility.

Why this answer

The show ap inventory all command displays the model and software version of each AP. The output shows three APs with different models but the same software version. The key point is that the CAP3702I is a legacy AP that requires a specific software version, while the 2800 and 3800 series are newer.

The output indicates all APs are running the same software, which is compatible with the WLC version.

46
Drag & Dropmedium

Drag and drop the steps of Wireless client IP address assignment via DHCP bridging into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In DHCP bridging, the AP bridges the client's DHCP request to the wired network. The client first associates and sends a DHCP Discover broadcast. The AP bridges this frame to the wired VLAN.

The DHCP server responds with a DHCP Offer, which the AP bridges back to the client. The client then sends a DHCP Request, and the server sends a DHCP Ack to complete the assignment.

47
Drag & Dropmedium

Drag and drop the steps of Wireless client IP address assignment via DHCP bridging into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In DHCP bridging, the client first associates and authenticates. The AP then bridges the DHCP Discover from the client to the wired network. The DHCP server replies with Offer, the client sends Request, and the server sends Ack, completing the process.

48
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show ap rf-profile summary RF-Profile Name: default-rf-profile Description: Default RF Profile Band: 2.4 GHz Channel Width: 20 MHz Data Rates: 1,2,5.5,11,6,9,12,18,24,36,48,54 Mbps Power Level: 1 (max) RF-Profile Name: low-power Description: Low Power Profile Band: 2.4 GHz Channel Width: 20 MHz Data Rates: 1,2,5.5,11,6,9,12,18,24,36,48,54 Mbps Power Level: 5 Based on this output, what can be concluded?

A.The low-power profile reduces the transmit power of the AP.
B.The default profile uses 40 MHz channels.
C.The low-power profile disables all data rates below 12 Mbps.
D.The low-power profile is for 5 GHz band.
AnswerA

Power level 5 is lower than level 1, so the AP transmits at lower power.

Why this answer

Both profiles use 2.4 GHz and 20 MHz channels. The low-power profile uses a higher power level number (5) which typically means lower power (since power level is inversely related to power output on Cisco APs). The default profile uses power level 1 (max power).

49
Drag & Dropmedium

Drag and drop the steps of WLC high availability SSO failover steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In HA SSO, the active WLC fails, the standby detects the failure via RP link, takes over the active role, reinitializes interfaces, and then clients reassociate to the new active WLC.

50
Drag & Dropmedium

Drag and drop the steps of WLC high availability SSO failover steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In WLC SSO HA, the active WLC fails, triggering the standby to take over. The standby detects the failure via loss of heartbeat and link state. It then assumes the active role, reinitializing interfaces and applying the synchronized configuration.

The standby (now active) sends gratuitous ARP to update the network. Finally, client sessions and CAPWAP tunnels are re-established with the new active WLC.

51
MCQmedium

A network engineer runs the following command on a Cisco WLC: WLC# show ap stats ap-name AP-1 AP Statistics for AP-1 ---------------------- Channel Utilization: 45% Interference: 10% Noise Floor: -95 dBm Total Packets Received: 15000 Total Packets Sent: 12000 Total Errors: 200 Based on this output, what can be concluded?

A.The channel is heavily congested with utilization above 80%.
B.The noise floor is high, indicating potential interference.
C.The AP is experiencing a significant number of errors relative to packets received.
D.The channel utilization is moderate and the noise floor is low.
AnswerD

45% utilization is moderate, and -95 dBm noise floor is low, indicating a relatively clean channel.

Why this answer

The output shows channel utilization at 45%, which is moderate but not extremely high. The noise floor is -95 dBm, which is good (low noise). The error rate is 200 out of 15000 received, which is about 1.3%, acceptable.

52
Multi-Selectmedium

Which two statements about Cisco FlexConnect are true? (Choose two.)

Select 2 answers
A.FlexConnect APs can locally switch client data traffic at the remote site without tunneling it to the WLC.
B.FlexConnect APs always maintain a control and data tunnel to the WLC, even in standalone mode.
C.FlexConnect supports all encryption methods including CCKM and 802.11r in local switching mode.
D.FlexConnect APs can perform rogue detection and containment even when disconnected from the WLC.
E.FlexConnect APs can authenticate clients locally using a local RADIUS server or a local user database when the WLC is unreachable.
AnswersA, E

Correct because FlexConnect local switching mode allows client traffic to be bridged locally at the AP, reducing WAN bandwidth usage.

Why this answer

FlexConnect allows APs to locally switch client traffic and to function independently when the WLC is unreachable, but it does not support all encryption methods (e.g., CCKM is not supported in FlexConnect local switching mode) and it does not support rogue detection in standalone mode.

53
Drag & Dropmedium

Drag and drop the steps of the 802.11 client association process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The 802.11 client association process begins with the client sending a Probe Request to discover networks, followed by a Probe Response from the AP. Then the client sends an Authentication Request, the AP replies with an Authentication Response, and finally the client sends an Association Request, which the AP confirms with an Association Response.

54
MCQmedium

Given the following configuration snippet on a Cisco 9800 WLC: wireless profile policy test-policy no security ft aaa-override no mac-filtering no wlan-switch central-switching What is the effect of this configuration?

A.Client traffic is locally switched at the AP.
B.Client traffic is centrally switched through the WLC.
C.Fast roaming (802.11r) is enabled for this policy.
D.MAC filtering is enabled for client authentication.
AnswerB

Central switching means all client data is tunneled to the WLC.

Why this answer

The 'central-switching' command in a wireless profile policy forces all client traffic to be tunneled back to the WLC, overriding any per-WLAN switching decisions.

55
Matchingmedium

Drag and drop each 802.11 standard on the left to its matching frequency band and maximum data rate on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

2.4 GHz, up to 11 Mbps

5 GHz, up to 54 Mbps

2.4 GHz, up to 54 Mbps

2.4/5 GHz, up to 600 Mbps

5 GHz, up to 6.9 Gbps

Why these pairings

802.11b operates at 2.4 GHz with 11 Mbps; 802.11a operates at 5 GHz with 54 Mbps; 802.11g operates at 2.4 GHz with 54 Mbps; 802.11n operates at both 2.4 and 5 GHz with 600 Mbps; 802.11ac operates at 5 GHz with up to 6.9 Gbps.

56
Drag & Dropmedium

Drag and drop the steps of Cisco Flex (FlexConnect) AP mode operation into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In FlexConnect mode, the AP first discovers the WLC and forms a CAPWAP tunnel. The WLC then pushes the local switching and authentication configuration to the AP. When a client associates, the AP performs local authentication (if configured) or forwards to WLC.

The AP then locally switches the client data traffic. Finally, the AP maintains connectivity with the WLC for management and monitoring.

57
Drag & Dropmedium

Drag and drop the steps of 802.11r Fast BSS Transition (FT) roaming steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

802.11r FT roaming uses a fast handshake. The client sends an FT Authentication request to the new AP, which replies with an FT Authentication response. Then the client sends an FT Reassociation Request, the new AP confirms, and finally the client installs the PMK keys.

58
MCQeasy

A network engineer runs the following command on a Cisco WLC: WLC# show wlan summary WLAN ID SSID Status Security Interface 1 Guest Enabled Open guest-vlan 2 Corporate Enabled WPA2 corp-vlan 3 IoT Disabled WPA2 iot-vlan 4 Management Enabled WPA2 mgmt-vlan Based on this output, what can be concluded?

A.All WLANs are currently active and serving clients.
B.WLAN 3 is not operational because it is disabled.
C.The Guest WLAN uses WPA2 security.
D.The Management WLAN is on the guest-vlan interface.
AnswerB

The Status column shows Disabled for WLAN 3.

Why this answer

The output shows WLANs and their status. WLAN 3 (IoT) is disabled, meaning it is not broadcasting or accepting clients. The other WLANs are enabled.

Ready to test yourself?

Try a timed practice session using only Wireless Infrastructure questions.