Back to Cisco SCOR / CCNP Security Core 350-701 questions

Scenario-based practice

VLAN and Inter-VLAN Routing Scenarios

Practise 350-701 VLAN and trunking questions covering access ports, trunk ports, allowed VLAN lists, native VLAN, inter-VLAN routing, and command-output troubleshooting.

15
scenario questions
350-701
exam code
Cisco
vendor

Scenario guide

How to approach vlan and inter-vlan routing scenarios

VLAN misconfiguration is one of the top sources of connectivity failures in real networks and one of the most tested areas on the CCNA. These questions cover VLAN access ports, 802.1Q trunks, native VLANs, and router-on-a-stick or layer-3 switch inter-VLAN routing.

Quick answer

Routing questions usually test route selection (administrative distance, metric), how static routes are configured and when they are preferred over dynamic routing.

Administrative distance comparing routing sources.

Static route configuration: next-hop vs exit interface.

Default route propagation and the gateway of last resort.

Recursive routing table lookups.

Related practice questions

Related 350-701 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

Question 2mediummultiple choice
Open the full VLAN trunking answer →

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

Question 3easymultiple choice
Open the full VLAN trunking answer →

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

Question 4mediummultiple choice
Open the full VLAN trunking answer →

An organization is using Cisco ISE to enforce posture compliance. Endpoints that are non-compliant should be placed into a quarantine VLAN. Which ISE policy component is used to assign the VLAN?

Question 5mediummultiple choice
Open the full VLAN trunking answer →

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

Question 6mediummultiple choice
Open the full VLAN trunking answer →

An engineer is troubleshooting a user who cannot access the network after successful 802.1X authentication. The user's PC receives an IP address from DHCP, but cannot reach the internet. The switch port is in the correct VLAN (10) after authentication. The ISE posture policy requires the user to install a corporate certificate, but the user skipped that step. What is the most likely cause of the internet access failure?

Question 7hardmultiple choice
Open the full VLAN trunking answer →

During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?

Question 8mediummultiple choice
Open the full VLAN trunking answer →

A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?

Question 9hardmultiple choice
Open the full VLAN trunking answer →

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

Exhibit

Router# show device-tracking database
 Device-tracking database for Vlan 100:
  Device ID     MAC Address      Interface      VLAN     Last seen
  *             0050.7966.6800   Gi0/1/0        100      00:00:12
  *             aaaa.bbbb.cccc   Gi0/1/1        100      00:00:05
Question 10easymultiple choice
Open the full VLAN trunking answer →

A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?

Exhibit

Refer to the exhibit.

! Switch configuration snippet
ip access-list extended BLOCK_GUEST
 deny ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
vlan access-map BLOCK_MAP 10
 match ip address BLOCK_GUEST
 action drop
vlan access-map BLOCK_MAP 20
 action forward
!
vlan filter BLOCK_MAP vlan-list 200
Question 11easymultiple choice
Open the full VLAN trunking answer →

A junior engineer is configuring MAB (MAC Authentication Bypass) on a Cisco switch for legacy printers. After configuration, the printers are still being placed into the default VLAN instead of the authorized VLAN. Which configuration is missing?

Question 12easymultiple choice
Full question →

A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:

interface GigabitEthernet0/1
 switchport mode access

authentication port-control auto dot1x pae authenticator Which additional command is most likely needed?

Question 13hardmultiple choice
Open the full VLAN trunking answer →

An engineer is implementing Cisco ISE posture assessment for corporate Windows laptops. The requirement: endpoints that are missing critical Microsoft security patches must be quarantined in a remediation VLAN. The ISE posture policy uses an 'Application Condition' to check for the patch. However, some laptops with missing patches are still allowed access. During testing, the engineer notices that the posture agent reports 'NAC Agent: Posture Unknown' for those laptops. What is the most likely cause?

Question 14hardmultiple choice
Open the full VLAN trunking answer →

A financial institution with a flat Layer 2 network has experienced a ransomware incident where an infected workstation in the accounting department propagated laterally to a server in the finance department. The network spans 10 switches connected in a star topology with a collapsed core. The IT team wants to implement segmentation to contain such threats in the future, without requiring major hardware upgrades and with minimal change to IP addressing. The network currently uses a single VLAN with /16 subnet. Which of the following approaches would BEST achieve the segmentation goal, considering the constraints?

Question 15mediummultiple choice
Open the full VLAN trunking answer →

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.