Question 503 of 2,015
VRF and Path IsolationhardMultiple ChoiceObjective-mapped

CCNP VRF and Path Isolation Practice Question

This 350-401 practice question tests your understanding of vrf and path isolation. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An enterprise uses VRF-lite to isolate guest Wi-Fi traffic from corporate traffic on a Cisco Catalyst 9300 switch. The guest VRF (GUEST) is configured on VLAN 100, and the corporate VRF (CORP) on VLAN 200. Both VRFs use the same default gateway router connected via a trunk. The engineer notices that guest devices can reach the internet but cannot access the guest captive portal hosted on a server in VLAN 100. The server's IP is reachable from the switch itself. What is the issue?

Question 1hardmultiple choice
Open the full VLAN trunking answer →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF.

The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF.

    Why this is correct

    Correct because if the guest wireless clients and the captive portal server are in different VLANs but both in the GUEST VRF, the switch must have an SVI for each VLAN in the GUEST VRF and routing must be enabled. Without proper VRF-aware routing, packets are dropped.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The trunk between the switch and the router is not allowing VLAN 100.

    Why it's wrong here

    Incorrect because the switch can reach the server's IP, indicating the server is reachable from the switch itself, so VLAN 100 is allowed on the trunk.

  • The guest VRF is missing the route-target export command.

    Why it's wrong here

    Incorrect because VRF-lite does not require route-target; route-targets are used in MPLS VPN environments.

  • The captive portal server is configured with a default gateway that points to the corporate VRF.

    Why it's wrong here

    Incorrect because if the server were in the corporate VRF, it would not be reachable from the switch in the GUEST VRF; the switch can reach it, so it must be in the same VRF.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that simply placing devices in the same VLAN guarantees connectivity, ignoring that VRF-lite requires explicit inter-VLAN routing configuration within each VRF, even if the VLANs are on the same switch.

Detailed technical explanation

How to think about this question

In VRF-lite, each VRF maintains its own separate routing table and Forwarding Information Base (FIB). For traffic to flow between two subnets within the same VRF, the switch must have SVIs configured with 'ip vrf forwarding GUEST' and 'ip address' on each VLAN, and inter-VLAN routing must be enabled globally with 'ip routing'. A common real-world scenario is when guest wireless clients are in a different subnet (e.g., 10.1.1.0/24) than the captive portal server (e.g., 10.1.2.0/24), both within VLAN 100, requiring an SVI for each subnet and proper routing within the VRF.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-401 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-401 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-401 question test?

VRF and Path Isolation — This question tests VRF and Path Isolation — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The guest server is in a different VLAN than the guest wireless subnet, and inter-VLAN routing is not configured within the GUEST VRF. — The issue is that the guest captive portal server resides in VLAN 100, but the guest wireless subnet is likely in a different VLAN or subnet within the GUEST VRF. Since VRF-lite provides separate routing tables, inter-VLAN routing within the same VRF must be explicitly configured (e.g., using SVIs with 'ip routing' and proper VRF forwarding). The switch can reach the server because it is directly connected, but guest devices cannot because their traffic is not routed between the wireless subnet and the server's VLAN within the GUEST VRF.

What should I do if I get this 350-401 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-401 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-401 exam.