An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only on the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be VLAN 40 and must not transit to internal segments. Which change best fixes the issue?
Correct answer: disable DTP on the uplink, configure it as a static trunk, allow only VLANs 40 and 99, and move the native VLAN to an unused VLAN ID. This prevents unintended trunk formation, limits the VLANs that can traverse the link, and reduces the risk from the native VLAN.
Why this answer
The issue is that guest traffic (VLAN 40) is not in the allowed list, so the trunk is dropping it; at the same time, native VLAN 1 is being used for management and may leak traffic. By disabling dynamic trunk negotiation (DTP), configuring a static trunk, allowing only VLANs 40 and 99 (a management VLAN), and changing the native VLAN to an unused value, you ensure guest traffic is properly tagged and isolated from internal VLANs. This prevents the guest VLAN from being inadvertently trunked to internal segments and eliminates the risk of VLAN hopping via the native VLAN.
Exam trap
The trap here is that candidates assume adding an ACL or allowing more VLANs will solve the problem. The root cause is that VLAN 40 is not allowed on the trunk and that native VLAN 1 introduces a security risk; the correct fix is to explicitly permit only the necessary VLANs and secure the native VLAN.
How to eliminate wrong answers
Option A is wrong because converting the AP uplink to an access port in VLAN 40 would force all traffic from the AP to be untagged in VLAN 40, but the AP typically sends multiple VLANs (e.g., management, guest) as tagged frames; an access port cannot carry multiple VLANs and would drop tagged frames, breaking management and other services.
Option C is wrong because adding the internal printer VLAN to the allowed list would explicitly permit guest traffic to reach the printer VLAN, which is the opposite of the security requirement to isolate guest traffic from internal segments.
Option D is wrong because keeping the current trunk settings means VLAN 40 is not allowed on the trunk, so guest traffic is already being dropped; adding a Layer 3 ACL would not fix the missing VLAN 40 on the trunk, and ACLs cannot compensate for a Layer 2 misconfiguration that prevents guest traffic from even reaching the switch.
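As an added example (not part of the original question or its answer key), the following script audits an AP uplink stanza for the three problems the correct answer fixes: DTP still enabled, native VLAN left at 1, and the guest VLAN missing from the allowed list (plus internal VLANs present on it). The interface name, the native VLAN 999, and the internal VLAN set are constructed assumptions.

```python
import re

# Constructed sample configs (not from the page): the AP uplink as the question
# describes it, and the same port after the fix chosen as the correct answer.
BEFORE = """interface GigabitEthernet1/0/12
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20,30
 switchport mode dynamic desirable"""
AFTER = """interface GigabitEthernet1/0/12
 switchport trunk native vlan 999
 switchport trunk allowed vlan 40,99
 switchport mode trunk
 switchport nonegotiate"""
GUEST_VLAN = 40
INTERNAL_VLANS = {10, 20, 30}  # assumed: printer VLAN and other internal segments

def expand_vlans(spec):
    """Expand an IOS-style list such as '10,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interface(text):
    """Pull the trunk-relevant switchport settings out of one interface stanza.
    Defaults mirror IOS: native VLAN 1 and all VLANs allowed when unspecified."""
    cfg = {"mode": None, "nonegotiate": False, "native": 1,
           "allowed": set(range(1, 4095))}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("switchport mode "):
            cfg["mode"] = line[len("switchport mode "):]
        elif line == "switchport nonegotiate":
            cfg["nonegotiate"] = True
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cfg["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            cfg["allowed"] = expand_vlans(m.group(1))
    return cfg

def audit(text):
    """Return the list of findings for an AP uplink; an empty list means it passes."""
    cfg, findings = parse_interface(text), []
    if cfg["mode"] != "trunk" or not cfg["nonegotiate"]:
        findings.append("DTP: not a static trunk with negotiation disabled")
    if cfg["native"] == 1:
        findings.append("native VLAN is 1; move it to an unused VLAN")
    if GUEST_VLAN not in cfg["allowed"]:
        findings.append(f"guest VLAN {GUEST_VLAN} is not allowed on the trunk")
    if leak := sorted(cfg["allowed"] & INTERNAL_VLANS):
        findings.append(f"internal VLANs {leak} allowed on the AP uplink")
    return findings
```

Running audit(BEFORE) reports all four findings, while audit(AFTER) returns an empty list.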