CompTIA · Free Practice Questions · Last reviewed May 2026

N10-009 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
90 min time limit
Pass at 720 / 1000
5 exam domains

Domain 1: Networking Concepts


A network administrator is troubleshooting a connectivity issue and suspects the problem is related to the physical cabling. At which layer of the OSI model should the administrator begin their investigation?

A. Transport layer

B. Data Link layer

C. Physical layer

The Physical layer defines the electrical, mechanical, and procedural interface to the transmission medium, making it the correct layer for cabling issues.

D. Network layer

Why: The Physical layer (Layer 1) of the OSI model deals with the physical connection between devices, including cabling, connectors, and signal transmission. Starting here is appropriate when the issue is suspected to be with cabling or physical hardware.

A device is configured with IP address 192.168.1.130 and subnet mask 255.255.255.192. What is the network address of this device?

A. 192.168.1.0

B. 192.168.1.128

Correct: 130 is in the range 128-191, so the network address is 192.168.1.128.

C. 192.168.1.192

D. 192.168.1.64

Why: The subnet mask 255.255.255.192 means the network portion includes the first 26 bits. The block size is 64 (256-192). The network addresses are multiples of 64: 0, 64, 128, 192. Since 130 falls between 128 and 192, the network address is 192.168.1.128.

A network technician is explaining the concept of encapsulation to a junior technician. At which OSI layer does a packet get encapsulated with a source and destination IP address?

A. Layer 2

B. Layer 3

The network layer (Layer 3) adds the IP header containing source and destination IP addresses. This is where logical addressing occurs, enabling routing across networks.

C. Layer 4

D. Layer 1

Why: Encapsulation adds headers as data moves down the OSI stack. The IP address (source and destination) is added at the network layer (Layer 3) when the packet is formed. Layer 2 uses MAC addresses, Layer 4 uses port numbers, and Layer 1 is the physical medium.

A network engineer is designing a new IPv6 addressing scheme. The company has been assigned a /48 prefix and needs to support up to 250 subnets. Which subnet size should be used to minimize waste while meeting the requirement?

A. /52

B. /56

A /56 prefix uses 8 bits for subnetting (48+8=56), providing 256 subnets (2^8). This meets the requirement of 250 subnets with minimal waste (6 unused subnets).

C. /64

D. /60

Why: A /48 prefix provides 16 bits for subnetting (64 bits total for the network portion minus 48). To get 250 subnets, at least 8 bits are needed (2^8 = 256). Using a /56 prefix (48+8) yields 256 subnets, which meets the requirement with minimal waste. /60 would give 4096 subnets (12 bits) but wastes more addresses. /64 is the standard prefix for a single subnet and /52 gives only 16 subnets.

A network technician is explaining the difference between a hub and a switch to a junior technician. Which statement correctly describes a key difference between these devices?

A. A hub operates at Layer 2, while a switch operates at Layer 1.

B. A hub sends frames out all ports except the incoming port; a switch sends frames only to the port with the matching MAC address.

This accurately describes the behavior: hubs flood all ports, switches forward based on MAC address table.

C. A hub uses MAC addresses to make forwarding decisions, while a switch uses IP addresses.

D. A hub creates a separate collision domain for each port, while a switch creates a single collision domain.

Why: A hub operates at Layer 1 and repeats incoming signals out all ports, creating a single collision domain. A switch operates at Layer 2 and uses MAC addresses to forward frames only to the correct destination port, reducing collisions.

A network engineer needs to connect two network segments that use different physical media: one segment uses copper Ethernet and the other uses fiber optic. The device must forward frames based on MAC addresses and must not perform any routing. Which device should the engineer choose?

A. Layer 3 switch

B. Media converter

C. Bridge

A bridge operates at Layer 2, can connect different media types, and forwards frames using MAC addresses without routing.

D. Router

Why: A bridge operates at Layer 2 and can connect different physical media types while forwarding frames based on MAC addresses. Modern switches are multiport bridges, but the term 'bridge' specifically fits the requirement of connecting two segments without routing.


Domain 2: Network Implementation


A network engineer needs to segment a single physical switch into multiple broadcast domains to improve security and reduce traffic. Which technology should be implemented?

A. Spanning Tree Protocol (STP)

B. Virtual LAN (VLAN)

VLANs create separate broadcast domains on a switch, meeting the requirement.

C. VLAN Trunking Protocol (VTP)

D. Access Control List (ACL)

Why: VLANs (Virtual LANs) allow a switch to be logically divided into separate broadcast domains. Devices in different VLANs cannot communicate directly without a router, enhancing security and reducing unnecessary broadcast traffic.

A router receives a packet destined for 10.0.0.15. It has the following routes in the routing table: 10.0.0.0/8 via 192.168.1.1, 10.0.0.0/16 via 192.168.2.1, 0.0.0.0/0 via 192.168.3.1. Which route will be used?

A. Default route (0.0.0.0/0)

B. 10.0.0.0/16 via 192.168.2.1

This route has a longer prefix length (16) than the /8 route, and it matches the destination (10.0.0.15 is in 10.0.0.0/16).

C. 10.0.0.0/8 via 192.168.1.1

D. None; the packet is dropped

Why: Routers use the longest prefix match algorithm. The /16 route (10.0.0.0/16) is more specific than the /8 route and more specific than the default route, so it will be used to forward the packet to 10.0.0.15.

A company has just installed a new fiber optic connection between two buildings 2 km apart. The connection is using multimode fiber. However, the signal is too weak at the receiving end. What is the most likely cause?

A. Attenuation due to distance

Multimode fiber has a maximum effective distance that varies by speed but is generally under 1 km for higher data rates. 2 km exceeds that limit, causing significant signal loss (attenuation).

B. Electromagnetic interference

C. Incorrect termination

D. Crosstalk

Why: Multimode fiber is designed for shorter distances (typically up to 550 meters for 10 Gbps) due to modal dispersion. At 2 km, the signal will suffer excessive attenuation. Single-mode fiber would be appropriate for longer distances. EM interference is not a common issue with fiber, and incorrect termination or crosstalk are unlikely to be the primary cause over such a long distance.

A small office uses a wireless router that provides both wired and wireless connectivity. The router's LAN IP is 192.168.1.1. A new printer with a static IP of 192.168.1.50 cannot be reached from a laptop obtaining an IP via DHCP. The laptop's IP is 192.168.1.100. Which of the following is the most likely cause?

A. The printer is on a different VLAN

B. The subnet mask is incorrect

If the printer is configured with a static subnet mask that is not /24 (e.g., /28 or /25), it will calculate that the laptop's IP is outside its local subnet. It will then try to send traffic to the default gateway instead of directly to the laptop, and if the gateway does not forward it (or the printer's gateway is wrong), communication fails.

C. The default gateway is misconfigured

D. The DHCP scope is exhausted

Why: Since both devices have IPs in the same subnet (assuming a default /24 mask), direct communication should work. However, if the printer has a different subnet mask (e.g., /28 instead of /24), it would think the laptop is on a different network and would not attempt local ARP, causing a failure. The other options are less likely because the router is the default gateway, but for local traffic the gateway is not needed; VLANs don't apply to a simple router; and DHCP scope exhaustion would give the laptop a different IP or none.

A network engineer has established an IPsec VPN tunnel between a branch office (10.0.0.0/24) and the main office (192.168.10.0/24). The tunnel shows as up and active, but users at the branch office cannot ping the main office server at 192.168.10.10. The main office can ping the branch office gateway successfully. What is the most likely cause of this issue?

A. Mismatched encryption algorithms between the two VPN peers

B. Incorrect static route on the branch router for the 192.168.10.0/24 network

A route pointing to the tunnel interface or the remote VPN peer is necessary for traffic from the branch to reach the main office LAN.

C. Firewall on the main office server blocking ICMP

D. Incorrect IKE authentication settings

Why: The VPN tunnel is established, indicating that IPsec parameters are correct. The issue is typically that the branch office router lacks a route to the main office LAN via the VPN tunnel. Without such a route, traffic destined for 192.168.10.0/24 is sent out the default WAN interface instead of through the tunnel.

A network administrator adds a new server to VLAN 20. The switch port is configured as an access port in VLAN 20, and the server has a correct static IP address in that subnet. However, the server cannot communicate with other devices in the same VLAN. The VLAN exists on the switch and other devices in VLAN 20 are working. What is the most likely cause of this issue?

A. The switch port is configured as a trunk port instead of an access port

A trunk port expects 802.1Q tagged frames; the server sends untagged frames, so the switch may not associate them with VLAN 20, causing communication failure within the VLAN.

B. VLAN 20 is not allowed on the trunk to the router

C. The server does not have a default gateway configured

D. The port is administratively down

Why: If the switch port is accidentally configured as a trunk port, it will expect tagged frames from the server. A standard access port sends and receives untagged frames. When the server sends untagged frames to a trunk port, the switch may not forward them correctly to other access ports in VLAN 20, breaking communication.


Domain 3: Network Operations


A network operations center uses SNMP to monitor device health. An administrator needs to retrieve the current CPU utilization from a router. Which SNMP operation is most appropriate?

A. GET

GET is used to read the value of a managed object, such as CPU utilization.

B. SET

C. TRAP

D. INFORM

Why: The SNMP GET operation is used to retrieve the value of a specific OID from a managed device, such as CPU utilization. It is a request-response operation initiated by the manager.

A network administrator needs to ensure that network device configurations are automatically backed up to a central server. Which protocol is commonly used for secure file transfer of configurations?

A. TFTP

B. FTP

C. SFTP

SFTP provides secure encrypted file transfers over SSH, ideal for backing up configurations.

D. HTTP

Why: SFTP (SSH File Transfer Protocol) provides secure file transfer over SSH, encrypting both authentication and data. It is commonly used for backing up device configurations securely.

An NOC technician observes that the CPU usage on a core switch has been consistently above 90% for the past hour. Which SNMP operation should the technician use to monitor the CPU load over time with minimal network overhead?

A. SNMP GET

B. SNMP GETNEXT

C. SNMP WALK

D. SNMP TRAP

SNMP traps are unsolicited messages from the agent to the NMS when certain events occur (e.g., CPU threshold exceeded). They reduce overhead because the NMS does not need to poll; the agent sends data only when necessary.

Why: To minimize network overhead, using SNMP traps is most efficient because they send notifications only when a threshold is exceeded, rather than requiring constant polling. SNMP GET, GETNEXT, and WALK all involve the NMS requesting data, which increases traffic and processor load on the device. Traps push data only when events occur.

A network administrator is preparing to upgrade the firmware on a critical router. Which document should the administrator consult to understand the steps required to minimize downtime and ensure a successful upgrade?

A. SLA

B. Change management plan

The change management plan documents the process for making changes to the network, including risk assessment, detailed steps, testing, approval, and rollback procedures. It is the appropriate resource to ensure a methodical and safe upgrade.

C. Network diagram

D. Baseline performance report

Why: A change management plan outlines the procedures for implementing changes in a controlled manner, including steps, rollback plans, and downtime windows. While vendor upgrade guides are specific, the change management plan is the internal document that consolidates all necessary steps and approvals. An SLA defines service levels, a network diagram shows topology, and a baseline report shows performance metrics—none provide the procedural steps for the upgrade.

An NOC technician receives an alert that latency on a critical WAN link has increased significantly. The technician needs to analyze the latency trend over the past week to identify patterns. Which approach is the most efficient for gathering this historical data?

A. Use SNMP traps to alert on each latency spike

B. Use SNMP polling with a suitable MIB to collect latency metrics at regular intervals

Polling gathers data at set intervals, which can be stored for trend analysis. This is the standard method for historical performance monitoring.

C. Run a continuous ping test and manually log timestamps

D. Use traceroute to identify each hop and measure latency per hop

Why: SNMP polling can be configured to regularly retrieve MIB variables, such as interface statistics and response times, which are stored in a monitoring system. This allows for historical analysis and trend identification with minimal manual effort.

A network administrator needs to upgrade the firmware on a critical core router. The admin has downloaded the new firmware and verified its checksum. Which of the following should the admin do before proceeding with the installation?

A. Back up the current router configuration

A configuration backup allows restoration to the pre-upgrade state if the new firmware causes issues or if rollback is needed.

B. Change the management IP address

C. Disable all physical interfaces

D. Remove the old firmware image

Why: Before any firmware upgrade, the current configuration must be backed up to ensure it can be restored if the upgrade fails or causes unexpected behavior. This is a standard best practice in network operations.


Domain 4: Network Security


A security analyst notices that an attacker is sending crafted packets with overlapping IP fragments to a target server, causing the server to crash. Which type of attack is described?

A. Teardrop attack

The Teardrop attack exploits overlapping IP fragments, matching the description.

B. Smurf attack

C. Ping flood

D. SYN flood

Why: A Teardrop attack manipulates overlapping IP fragments to cause a denial of service. When the target reassembles the fragments, the overlapping data causes a crash or buffer overflow.

A company wants to implement network access control that requires users to authenticate before gaining access to the network. The NAC solution uses a policy that checks for antivirus updates and OS patches. Which component enforces the policy?

A. Supplicant

B. Authenticator

The authenticator (e.g., a switch) enforces the policy by controlling the port state based on the authentication result.

C. Authentication server

D. Policy server

Why: In a typical 802.1X-based NAC architecture, the authenticator (often a switch or wireless access point) enforces access control by allowing or denying traffic based on the authentication result and posture assessment. The authentication server validates credentials and policies, but the enforcement point is the authenticator.

A security auditor is reviewing firewall logs and notices repeated login attempts from a single external IP address to the company's SSH server. Which type of attack is likely occurring?

A. Brute force attack

A brute force attack systematically tries passwords or encryption keys. In this case, repeated SSH login attempts from one IP are classic signs of a password guessing attempt.

B. Man-in-the-middle attack

C. ARP poisoning

D. DDoS attack

Why: Repeated login attempts from a single IP targeting a service like SSH is characteristic of a brute force attack, where the attacker tries many username/password combinations to gain access. A man-in-the-middle attack intercepts communications, ARP poisoning targets local networks, and DDoS involves overwhelming a service with traffic, not repeated login attempts.

A network administrator wants to prevent unauthorized devices from connecting to the company's Ethernet ports. The company uses a centralized authentication server. Which IEEE standard should be implemented?

A. 802.1X

IEEE 802.1X provides authentication for devices connecting to a LAN port. It uses EAP exchanges between the supplicant (device), authenticator (switch), and authentication server (RADIUS) to permit or deny access.

B. 802.11i

C. 802.3af

D. 802.1Q

Why: IEEE 802.1X is a port-based Network Access Control (NAC) standard that authenticates devices before granting access to the network. It works with a central authentication server (RADIUS). 802.11i is wireless security (WPA2), 802.3af is PoE, and 802.1Q is for VLAN trunking.

A security analyst notices that a web server is receiving a large number of ICMP echo reply packets from many different external hosts. The server did not send any echo requests. Which type of attack is most likely occurring?

A. Smurf attack

The Smurf attack uses IP broadcast and spoofing to cause multiple replies to be sent to the victim, creating a flood of ICMP traffic.

B. Ping flood

C. ICMP tunneling

D. Fraggle attack

Why: In a Smurf attack, the attacker sends ICMP echo request packets with a spoofed source IP address (the victim's IP) to a network's broadcast address. All hosts on that network respond with echo replies, flooding the victim. The observed symptoms match this amplification attack.

A company wants to ensure that only authorized employee computers can connect to the wired network. Each computer must be authenticated before it is granted access to the network. Which technology is designed to provide this port-based authentication?

A. 802.1X

802.1X provides port-based authentication for wired and wireless networks, requiring credentials before granting network access.

B. WPA2

C. MAC filtering

D. VPN

Why: 802.1X is an IEEE standard for port-based Network Access Control (NAC). It authenticates devices or users before allowing access to the network via Ethernet or wireless. It can integrate with an authentication server such as RADIUS.


Domain 5: Network Troubleshooting


A user reports intermittent connectivity on a laptop that moves between floors. The signal strength fluctuates. Which tool would best help identify signal interference and dead zones?

A. Cable tester

B. Multimeter

C. Spectrum analyzer

A spectrum analyzer visualizes RF signals, helping to locate interference and weak signal areas.

D. Protocol analyzer

Why: A spectrum analyzer measures radio frequency signals, identifying interference, signal strength, and dead zones in a wireless environment. It is the appropriate tool for analyzing wireless signal issues.

A user reports that they cannot access the internet, but they can access local resources on the same subnet. The network administrator pings the default gateway and gets a response. Which tool should be used next to trace the path to an external website?

A. netstat

B. traceroute

Traceroute (tracert on Windows) sends packets with increasing TTL values to map the route to a destination. It can show where packets stop or time out, helping identify the point of failure.

C. nslookup

D. arp

Why: When a user can access local resources but not the internet, and the default gateway is reachable, the issue likely lies beyond the gateway. Traceroute identifies the path packets take to a destination, pinpointing where packets are dropped or delayed. Netstat shows local connections, nslookup tests DNS resolution, and arp shows IP-to-MAC mappings, none of which trace the route.

After replacing a faulty switch, several users in the same VLAN report that they cannot communicate with the server that is on a different subnet. The switch is connected to the router via a trunk port. Which command should the administrator run on the router to verify that the VLAN is allowed on the trunk?

A. show vlan

B. show interfaces trunk

'show interfaces trunk' lists trunk interfaces, their mode, encapsulation, and the allowed VLAN list. If the required VLAN is not in the allowed list, traffic for that VLAN will not pass over the trunk.

C. show mac address-table

D. show ip route

Why: The trunk port must have the correct VLAN allowed. The command 'show interfaces trunk' on a Cisco router or switch displays which VLANs are allowed on the trunk. 'show vlan' shows VLAN assignments on the switch, but not trunk permissions. 'show mac address-table' shows the MAC addresses learned and 'show ip route' shows the routing table; neither verifies VLAN trunking.

A user reports that they cannot access an internal web server at http://intranet.company.local but can access other internet websites. The technician runs ping intranet.company.local and receives replies successfully. Which tool should the technician use next to isolate the issue?

A. nslookup

nslookup queries DNS servers to verify hostname-to-IP resolution, which is the most likely cause when ping succeeds but web access fails.

B. tracert

C. netstat

D. ipconfig

Why: Since ping succeeded, the server is reachable at the network layer. The problem is likely name resolution or application layer. The nslookup tool checks DNS resolution and can verify whether the hostname resolves correctly, which is the appropriate next step.

A user calls the help desk stating that they cannot access any network resources. The technician asks the user to run ipconfig and the output shows an IP address of 169.254.15.20 with a subnet mask of 255.255.0.0. Which of the following is the most likely cause?

A. The DNS server is not responding

B. The DHCP server is unreachable

When DHCP fails, Windows automatically assigns an APIPA address, indicating the device could not contact a DHCP server.

C. The default gateway is misconfigured

D. There is a duplicate IP address on the network

Why: An IP address in the 169.254.0.0/16 range is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP server cannot be reached. The most likely cause is that the DHCP server is unreachable or the DHCP client is unable to obtain a lease.

A network technician is troubleshooting intermittent internet access for a single user. The user’s workstation can ping the default gateway consistently, but web pages fail to load intermittently. Which of the following should the technician check NEXT?

A. DNS server configuration

Correct. DNS is responsible for resolving domain names to IP addresses. If DNS is intermittent, web pages will fail to load while other IP-based connectivity (like pinging the gateway) works.

B. DHCP lease time

C. Switch port speed and duplex settings

D. Firewall rules blocking ICMP

Why: Since the workstation can ping the default gateway, layer 3 connectivity to the local network is working. The intermittent failure of web pages suggests a higher-layer issue, most likely DNS resolution. Checking the DNS server configuration is the best next step. Other options like DHCP lease time would affect IP configuration, but the user already has an IP. Switch port speed/duplex or firewall rules could cause issues, but they are less likely given that pings work consistently.


Frequently asked questions

How many questions are on the N10-009 exam?

The N10-009 exam has up to 90 questions and must be completed in 90 minutes. The passing score is 720/1000.

What types of questions appear on the N10-009 exam?

The N10-009 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are N10-009 questions organised by domain?

The exam covers 5 domains: Networking Concepts, Network Implementation, Network Operations, Network Security, Network Troubleshooting. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual N10-009 exam questions?

No. These are original exam-style practice questions written against the official CompTIA N10-009 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
