Switch Implementation PBQs and Common Misconfigurations
Key Takeaways
- Switch PBQs usually ask you to repair a few mismatched settings, not redesign the network.
- Use a working port or VLAN as your reference template and compare the broken one line by line.
- Troubleshoot bottom-up: physical, access VLAN, trunk, STP, aggregation, Layer 3 gateway, then policy.
- One endpoint problem points to a port/cable/NIC/DHCP issue; a whole VLAN problem points to trunk/STP/gateway.
- Interface counters, MAC tables, STP state, and VLAN tables separate switching faults from routing faults.
How Switching PBQs Are Scored
Performance-based questions on the N10-009 award partial credit and almost always present a mostly working topology with one or two broken pieces. The fastest path to points is comparison: find the working port, VLAN, trunk, or bundle, treat it as your template, and change only what differs on the broken one. Resist the temptation to rebuild the design - the smallest correct change is the intended answer.
Bottom-Up Troubleshooting Pattern
| Layer / feature | What to check | Evidence to read |
|---|---|---|
| Physical | Link state, cable, optic, speed/duplex | up/down, CRC, runts, giants |
| Access VLAN | Correct endpoint VLAN | VLAN table, MAC table, DHCP scope |
| Trunk | Mode, allowed VLANs, native VLAN | trunk status and VLAN list |
| STP/RSTP | Port role and root bridge | blocking/discarding state |
| Aggregation | LACP state, member consistency | port-channel summary |
| Layer 3 gateway | SVI, router subinterface, firewall | gateway ping, route table |
| Policy | ACL, port security, 802.1X | denied counters, logs |
The Misconfiguration Catalog
| Misconfiguration | Symptom | Repair |
|---|---|---|
| Wrong access VLAN | Host gets wrong subnet | Assign correct VLAN |
| VLAN not created | Port assigned but VLAN inactive | Create the VLAN, allow it where needed |
| VLAN missing from trunk | One VLAN fails on uplink | Add to allowed list |
| Native VLAN mismatch | Untagged traffic misbehaves | Match native VLAN both ends |
| Trunk to an endpoint | Unstable endpoint connectivity | Set port to access mode |
| STP root on access switch | Inefficient paths, odd blocking | Lower priority on the core |
| Port-channel mismatch | Member suspended | Match speed/duplex/VLAN/MTU/LACP |
| MTU mismatch | Large transfers fail | Align MTU end to end |
| Port-security violation | Device blocked (often err-disabled) after MAC change | Clear the err-disable and adjust the allowed MACs or maximum |
PBQ Example: New Office Floor
Requirements:
| Device | Required network |
|---|---|
| User PCs | VLAN 110 |
| IP phones | Voice VLAN 120 |
| Wireless APs (multi-SSID) | Trunk: VLANs 130 and 140 |
| Uplink to distribution | Trunk: 110, 120, 130, 140 |
Correct actions:
- Set user PC ports to access VLAN 110.
- Set phone ports to data VLAN 110 + voice VLAN 120.
- Set AP ports to trunk and allow only VLANs 130 and 140 (they carry multiple VLANs/SSIDs).
- Set the uplink to trunk and allow 110, 120, 130, 140.
- Verify a Layer 3 gateway (SVI or subinterface) exists for each VLAN.
- Confirm the native VLAN matches the distribution switch.
PBQ Example: One VLAN Down
| Evidence | Interpretation |
|---|---|
| VLAN 20 works on access switch A | VLAN exists; local ports fine |
| VLAN 20 fails across uplink to B | Trunk or STP issue likely |
| Trunk allowed list = 10, 30, 40 | VLAN 20 is missing |
| Other VLANs cross the same uplink | Physical link is healthy |
The smallest correct fix is to allow VLAN 20 on the trunk. Replacing the switch, re-IPing, or disabling STP all contradict the evidence that everything else works.
Reading Evidence
| Output clue | Meaning |
|---|---|
| MAC learned on wrong VLAN | Access VLAN or tagging issue |
| Interface admin down | Disabled in configuration |
| Err-disabled port | BPDU guard, security, or link-flap protection fired |
| STP blocking (discarding in RSTP) | Usually intentional loop prevention on a redundant path |
| Rising CRC errors | Physical layer - cable or optic |
| Rising giants counter | Oversize frames / MTU mismatch |
| No MAC from endpoint | Cable, NIC, port state, VLAN, or security |
Scope Before You Touch Shared Infrastructure
The single biggest PBQ discipline is blast-radius awareness. Before changing a trunk, an SVI, or the root bridge, ask how many users share the symptom. If exactly one host is broken, look at that one access port, cable, NIC, or DHCP reservation - changing a shared uplink would not match the evidence and could break VLANs that currently work.
| Trap | Better reasoning |
|---|---|
| Change routing when a host is in the wrong VLAN | Fix Layer 2 membership first |
| Disable STP so every link forwards | Keep loop prevention; fix root/path design |
| Add all VLANs to every trunk | Carry only required VLANs to limit scope |
| Treat one bad endpoint as a core outage | Scope the impact before touching uplinks |
| Ignore the switch management gateway | The management SVI needs a default gateway before it can be reached from another subnet |
The Line-by-Line Comparison Tactic
When a PBQ shows a working port and a broken port side by side, walk these attributes in order and stop at the first difference:
- switchport mode (access vs trunk)
- access VLAN and voice VLAN
- trunk allowed VLANs
- native VLAN
- STP state and edge/PortFast/BPDU guard
- port security settings
- speed, duplex, and MTU
The answer is almost always the single attribute that differs from the working reference. This method beats guessing, earns partial credit on multi-step PBQs, and mirrors how real switch troubleshooting is done. Change only that attribute and leave the rest of the configuration alone, so the verification step credits the corrected setting rather than an unrelated edit.
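The walk described above, as an added example that is not part of the original page: two constructed Cisco IOS-style port stanzas (syntax assumed) are reduced to attribute/value pairs and compared in the listed order, stopping at the first difference. The broken port below has been moved to the wrong access VLAN and also carries a different port-security maximum, so the ordered walk surfaces the VLAN first, which is the fix to make; the port-security difference is reported second, for completeness, rather than acted on.

```python
"""Compare a working and a broken switchport attribute by attribute.

Added example, not from the original page. The stanzas are constructed
Cisco IOS-style text (syntax assumed); ORDER follows the tactic above.
"""

# Walk order from the tactic: mode, access/voice VLAN, trunk allowed and
# native VLAN, STP edge settings, port security, then speed/duplex/MTU.
ORDER = [
    "switchport mode",
    "switchport access vlan",
    "switchport voice vlan",
    "switchport trunk allowed vlan",
    "switchport trunk native vlan",
    "spanning-tree portfast",
    "spanning-tree bpduguard",
    "switchport port-security",
    "speed",
    "duplex",
    "mtu",
]

def parse_stanza(text):
    """Map each ORDER attribute to the set of values configured for it.

    A bare line such as 'switchport port-security' is recorded as 'enabled';
    lines that match no attribute (description, interface name) are ignored.
    """
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in ORDER:
            if line == key or line.startswith(key + " "):
                attrs.setdefault(key, set()).add(line[len(key):].strip() or "enabled")
                break
    return attrs

def differences(working, broken):
    """All differing attributes as (attribute, working_value, broken_value), in walk order."""
    a, b = parse_stanza(working), parse_stanza(broken)
    return [(key, a.get(key), b.get(key)) for key in ORDER if a.get(key) != b.get(key)]

def first_difference(working, broken):
    """The attribute to fix: the first one in ORDER that differs, or None."""
    diffs = differences(working, broken)
    return diffs[0] if diffs else None

# Constructed reference port (works) and the port the moved user landed on (broken).
WORKING_PORT = """\
interface GigabitEthernet1/0/5
 description USER-PC
 switchport mode access
 switchport access vlan 110
 switchport voice vlan 120
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
"""

BROKEN_PORT = """\
interface GigabitEthernet1/0/6
 description USER-PC-MOVED
 switchport mode access
 switchport access vlan 50
 switchport voice vlan 120
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
"""

if __name__ == "__main__":
    print("fix first:", first_difference(WORKING_PORT, BROKEN_PORT))
    print("all differences:", differences(WORKING_PORT, BROKEN_PORT))
```

Feeding the two stanzas in returns the access VLAN (110 versus 50) as the first difference, which matches the wrong-subnet symptom; a port that is its own reference returns None.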
A user receives an IP address from the wrong subnet right after being moved to a new switchport. What should be checked first?
Only VLAN 50 fails across a trunk while every other VLAN on that trunk works. What is the most likely misconfiguration?
Match the switch clue to the most likely problem area.