CompTIA Network+ N10-009 (N10-009) — Questions 175

520 questions total · 7 pages · All types, answers revealed

Page 1 of 7

Question 1 (MCQ, medium)

Users in a conference room frequently experience slow and dropping wireless connections. A site survey shows three other access points in the vicinity all using channel 6. Signal strength is adequate. What is the most likely cause?

A. Incorrect encryption settings
B. Co-channel interference
C. Incorrect SSID configured
D. Low antenna gain on the access points

Answer: B

Multiple APs on the same channel overlap, causing contention and retransmissions, which reduces throughput.

Why this answer

The correct answer is B because all three nearby access points are operating on channel 6, which causes co-channel interference. Even with adequate signal strength, overlapping basic service sets (BSSs) on the same channel lead to contention, increased collisions, and reduced throughput due to the CSMA/CA mechanism in 802.11 networks. This results in slow and dropping connections for users in the conference room.

Exam trap

The trap here is that candidates often assume signal strength is the only factor for wireless performance, but Cisco tests the understanding that co-channel interference can cause poor performance even with strong signals, especially when multiple APs share the same channel in a dense environment.

How to eliminate wrong answers

Option A is wrong because incorrect encryption settings (e.g., mismatched WPA2 keys) would prevent association or authentication entirely, not cause intermittent slow or dropping connections with adequate signal. Option C is wrong because an incorrect SSID configured would prevent clients from discovering or connecting to the network, not cause performance degradation after connection. Option D is wrong because low antenna gain on the access points would manifest as weak signal strength, but the site survey explicitly states signal strength is adequate, ruling out antenna gain issues.

Question 2 (MCQ, easy)

Which attack technique involves an attacker intercepting and potentially modifying the communication between two parties without their knowledge?

A. Man-in-the-middle
B. Replay attack
C. Smurf attack
D. Phishing

Answer: A

This attack allows the attacker to intercept and alter communications between two parties.

Why this answer

A man-in-the-middle (MITM) attack is correct because it specifically involves an attacker secretly intercepting and potentially altering communications between two parties who believe they are directly communicating with each other. This is achieved by the attacker inserting themselves into the communication path, often by ARP spoofing, DNS spoofing, or rogue access points, allowing them to capture, decrypt, or modify packets in transit.

Exam trap

The trap here is that candidates often confuse a replay attack with a MITM attack because both involve capturing traffic, but a replay attack only retransmits captured data without real-time interception or modification of the ongoing session.

How to eliminate wrong answers

Option B (Replay attack) is wrong because a replay attack involves capturing a valid data transmission and retransmitting it later to trick the receiver, but it does not involve intercepting and modifying live communication between two parties in real time. Option C (Smurf attack) is wrong because a Smurf attack is a distributed denial-of-service (DDoS) technique that floods a target with ICMP echo replies by spoofing the victim's IP address and sending pings to a broadcast address, not intercepting or modifying communications between two parties.

Question 3 (MCQ, medium)

A network operations center uses SNMP to monitor device health. An administrator needs to retrieve the current CPU utilization from a router. Which SNMP operation is most appropriate?

A. GET
B. SET
C. TRAP
D. INFORM

Answer: A

GET is used to read the value of a managed object, such as CPU utilization.

Why this answer

The SNMP GET operation is used by an NMS (Network Management System) to actively request a specific variable from a managed device, such as the current CPU utilization from a router's OID. This is a poll-based retrieval, making it the correct choice for an administrator who needs to read a single value on demand.

Exam trap

The trap here is confusing event-driven notifications (TRAP/INFORM) with on-demand data retrieval, leading candidates to select TRAP because they associate it with CPU alerts, but the question asks for retrieving current utilization, not waiting for an alert.

How to eliminate wrong answers

Option B (SET) is wrong because SET is used to modify a configuration parameter or write a value on the device, not to read data. Option C (TRAP) is wrong because TRAP is an unsolicited notification sent by the agent to the NMS when a predefined event occurs, not a request for current data. Option D (INFORM) is wrong because INFORM is a confirmed notification (requiring an acknowledgment) sent from the agent to the NMS, also used for event-driven alerts, not for polling a specific value.

Question 4 (MCQ, medium)

A network security analyst notices high CPU utilization on the core switch and detects a large volume of ARP replies from a single IP address that claims to be the default gateway for all local subnets. Which type of attack is MOST likely occurring?

A. ARP poisoning
B. DHCP starvation
C. MAC flooding
D. DNS amplification

Answer: A

Sending forged ARP replies to redirect traffic is the classic definition of ARP poisoning. The high volume of replies and claiming to be the gateway are strong indicators.

Why this answer

The attack described is ARP poisoning (also known as ARP spoofing), where an attacker sends forged ARP replies to associate their MAC address with the IP address of the default gateway. This causes all traffic destined for other subnets to be redirected to the attacker's machine, leading to high CPU utilization on the switch as it processes the flood of ARP packets and forwards the intercepted traffic.

Exam trap

Cisco often tests the distinction between ARP poisoning and MAC flooding by describing symptoms like 'high CPU utilization' and 'large volume of ARP replies,' which can mislead candidates into thinking MAC flooding is the answer because it also causes high CPU, but the key clue is the specific use of ARP replies targeting the default gateway IP.

How to eliminate wrong answers

Option B is wrong because DHCP starvation is a denial-of-service attack that exhausts the DHCP server's IP address pool by sending numerous DHCP discover messages, preventing legitimate clients from obtaining IP addresses; it does not involve sending ARP replies claiming to be the default gateway. Option C is wrong because MAC flooding is an attack that floods a switch with frames containing many different source MAC addresses to overflow the CAM table, forcing the switch into fail-open mode (hub-like behavior) for packet sniffing; it does not target the default gateway IP address with ARP replies.

Question 5 (MCQ, medium)

A network administrator is experiencing issues where unauthorized devices are offering IP addresses to clients, causing connectivity problems. Which security feature should be enabled on switches to prevent this?

A. Dynamic ARP Inspection (DAI)
B. IP Source Guard
C. DHCP Snooping
D. Port Security

Answer: C

DHCP Snooping allows only DHCP messages from trusted DHCP servers, blocking unauthorized DHCP offers.

Why this answer

C is correct because DHCP Snooping is a security feature that filters untrusted DHCP messages on a per-port basis, preventing unauthorized DHCP servers from offering IP addresses to clients. By configuring trusted ports (typically uplinks to legitimate DHCP servers) and untrusted ports (access ports), the switch drops DHCPOFFER and DHCPACK messages received on untrusted ports, directly stopping rogue DHCP server attacks.

Exam trap

The trap here is that candidates confuse the roles of DHCP Snooping, DAI, and IP Source Guard, often selecting DAI because they associate ARP with address assignment, but only DHCP Snooping directly filters unauthorized DHCP server messages.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, but it does not filter DHCP messages or block unauthorized DHCP servers. Option B is wrong because IP Source Guard uses DHCP Snooping binding data to filter IP traffic based on source IP and MAC addresses, preventing IP spoofing, but it does not directly prevent rogue DHCP servers from offering addresses.

Question 6 (MCQ, medium)

Which of the following is a characteristic of UDP?

A. Provides guaranteed delivery
B. Uses sequence numbers
C. Supports three-way handshake
D. Has lower overhead than TCP

Answer: D

UDP has minimal header size and no connection establishment, resulting in lower overhead.

Why this answer

UDP (User Datagram Protocol) is a connectionless transport-layer protocol that provides minimal overhead compared to TCP. It does not establish a connection before sending data, nor does it provide reliability, flow control, or error recovery, making it ideal for real-time applications like VoIP and streaming where speed is prioritized over guaranteed delivery.

Exam trap

The trap here is that candidates often confuse UDP's lack of reliability with being 'unreliable' in a negative sense, but the exam tests that UDP's lower overhead is a deliberate design choice for performance-sensitive applications.

How to eliminate wrong answers

Option A is wrong because UDP does not provide guaranteed delivery; it is a best-effort protocol that does not retransmit lost packets. Option B is wrong because UDP does not use sequence numbers; sequence numbers are a feature of TCP used for ordering and reliability. Option C is wrong because UDP does not support a three-way handshake; the three-way handshake is a TCP mechanism used to establish a reliable connection.

Question 7 (MCQ, medium)

A network technician is analyzing a small office network topology. An 8-port switch has 7 workstations directly connected. The remaining switch port is connected to a 4-port hub, which has 4 workstations attached. All devices are configured on the same VLAN and IP subnet. How many collision domains and broadcast domains are present in this network?

A. 8 collision domains, 1 broadcast domain
B. 11 collision domains, 1 broadcast domain
C. 12 collision domains, 5 broadcast domains
D. 8 collision domains, 5 broadcast domains

Answer: A

Correct. Each switch port creates its own collision domain (8 total). The hub does not add separate collision domains; it connects all its ports into the collision domain of the switch port it is attached to. All devices are on the same VLAN, so there is one broadcast domain.

Why this answer

Switches create a separate collision domain per port, so the 8-port switch provides 8 collision domains. The hub connected to one switch port extends that single collision domain to all its attached devices, but does not create new ones. All devices are on the same VLAN and IP subnet, so there is only one broadcast domain.

Therefore, the network has 8 collision domains and 1 broadcast domain.

Exam trap

Cisco often tests the distinction between hubs (Layer 1 repeaters that extend collision domains) and switches (Layer 2 devices that segment collision domains), and the trap here is assuming that each hub port creates its own collision domain, leading to overcounting collision domains, or confusing collision domains with broadcast domains by thinking hubs or switches create multiple broadcast domains.

How to eliminate wrong answers

Option B is wrong because it counts 11 collision domains, which incorrectly assumes each hub port creates its own collision domain (hubs do not segment collision domains; they repeat all signals, so the hub and its four workstations share one collision domain with the switch port). Option C is wrong because it claims 12 collision domains and 5 broadcast domains; a hub does not create additional collision domains beyond the switch port it connects to, and all devices on the same VLAN share a single broadcast domain, not five. Option D is wrong because it states 8 collision domains (correct) but 5 broadcast domains; broadcast domains are not segmented by hubs or switches in the same VLAN, so there is exactly one broadcast domain for the entire subnet.

Question 8 (MCQ, easy)

A network technician configures an 802.1Q trunk link between two switches. After the configuration, VLAN 20 traffic is not passing across the trunk, although VLAN 10 traffic works fine. The technician verifies that both switches have VLAN 20 created and that the trunk is up. What is the most likely cause?

A. The native VLAN is mismatched between the switches.
B. VLAN 20 is not included in the allowed VLAN list on the trunk.
C. The trunk port is set to dynamic desirable mode.
D. The encapsulation type is ISL instead of 802.1Q.

Answer: B

By default, trunk ports allow all VLANs, but if an allowed VLAN list is configured, only listed VLANs are forwarded. VLAN 20 is likely missing.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk. By default, an 802.1Q trunk allows all VLANs, but if the allowed VLAN list has been manually configured or pruned, VLAN 20 may have been excluded. Since VLAN 10 works, the trunk is operational, and both switches have VLAN 20 created, the issue is specifically that the trunk is not permitting VLAN 20 traffic.

Exam trap

CompTIA often tests the misconception that a native VLAN mismatch is the default cause of VLAN-specific traffic failures, but the real issue is usually the allowed VLAN list being misconfigured or pruned.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause control plane issues (e.g., CDP or STP problems) or traffic for the native VLAN to be misdirected, but it would not selectively block only VLAN 20 while allowing VLAN 10. Option C is wrong because dynamic desirable mode is a DTP setting that negotiates trunking; if the trunk is already up and passing VLAN 10 traffic, the trunk mode is not the issue. Option D is wrong because if the encapsulation type were ISL instead of 802.1Q, the trunk would not form or would not pass any VLAN traffic correctly, not just VLAN 20; the question states the trunk is up and VLAN 10 works, so encapsulation is compatible.

Question 9 (MCQ, medium)

A network technician is troubleshooting an issue where users on VLAN 20 can access internal servers and the default gateway but cannot reach any external websites. The router's ACL is configured to permit all outbound traffic. What is the most likely cause of this issue?

A. The DNS server is unreachable from the VLAN
B. The DHCP server is not providing a default gateway
C. NAT is not configured or is misconfigured on the router
D. The switch port for the router is in the wrong VLAN

Answer: C

NAT is required to translate private VLAN IPs to a public IP for internet access. Even if ACLs permit traffic, without proper NAT, packets will not be forwarded to the internet. This matches the symptom of being able to reach internal resources but not external ones.

Why this answer

Since users can access internal servers and the default gateway, Layer 3 connectivity within the VLAN is working, and the router's ACL permits all outbound traffic. The inability to reach external websites while internal resources are reachable strongly indicates that Network Address Translation (NAT) is either not configured or misconfigured on the router. Without NAT, private IP addresses from VLAN 20 cannot be translated to a public IP, so return traffic from external web servers has no route back to the internal hosts.

Exam trap

CompTIA often tests the misconception that an ACL permitting all outbound traffic is sufficient for internet access, but without NAT, private IP addresses are not routable on the public internet, so the ACL alone cannot fix the issue.

How to eliminate wrong answers

Option A is wrong because if the DNS server were unreachable, users would typically get a 'DNS resolution failed' error, but they cannot reach any external websites at all, even by IP address; the scenario describes a complete inability to reach external destinations, not just name resolution failure. Option B is wrong because the DHCP server not providing a default gateway would prevent users from reaching the default gateway itself, but the question states they can access the default gateway and internal servers, so the gateway is correctly assigned. Option D is wrong because if the switch port for the router were in the wrong VLAN, users on VLAN 20 would not be able to reach the default gateway or internal servers on other VLANs, as inter-VLAN routing would be broken.

Question 10 (MCQ, medium)

A company is deploying a wireless network that must support both 2.4 GHz and 5 GHz frequency bands. Which IEEE 802.11 standard supports both bands and is backward compatible with older devices?

A. 802.11b
B. 802.11g
C. 802.11n
D. 802.11ac

Answer: C

802.11n supports both 2.4 GHz and 5 GHz and offers higher throughput than earlier standards.

Why this answer

802.11n (Wi-Fi 4) is the correct answer because it was the first standard to natively support both 2.4 GHz and 5 GHz bands simultaneously, using MIMO (Multiple Input Multiple Output) technology. It also maintains backward compatibility with older 802.11a/b/g devices through mandatory support for legacy modulation schemes (DSSS/CCK for 2.4 GHz and OFDM for 5 GHz).

Exam trap

The trap here is that candidates often confuse 802.11g (which is backward compatible with 802.11b but only 2.4 GHz) with a dual-band standard, or incorrectly assume 802.11ac supports 2.4 GHz because it is often marketed as 'dual-band' in consumer devices, but the IEEE 802.11ac-2013 amendment defines operation only in the 5 GHz band.

How to eliminate wrong answers

Option A (802.11b) is wrong because it operates only in the 2.4 GHz band and supports a maximum data rate of 11 Mbps using DSSS/CCK, with no 5 GHz capability. Option B (802.11g) is wrong because it operates only in the 2.4 GHz band, though it uses OFDM for up to 54 Mbps and is backward compatible with 802.11b, it lacks 5 GHz support. Option D (802.11ac) is wrong because it operates exclusively in the 5 GHz band (with optional 2.4 GHz support only via simultaneous dual-band implementations, but the standard itself is 5 GHz-only) and is not backward compatible with 2.4 GHz-only legacy devices.

Question 11 (MCQ, medium)

A user reports that they cannot access the internet. The technician verifies the workstation has IP address 192.168.1.10 with subnet mask 255.255.255.0 and default gateway 192.168.1.1. The user can ping the default gateway successfully. Other users on the same subnet can access the internet. Which command should the technician run on the workstation to further isolate the issue?

A. ipconfig /all
B. netstat -r
C. tracert 8.8.8.8
D. nslookup google.com

Answer: B

Displays the routing table, allowing the technician to verify if a default route via 192.168.1.1 is present. Missing or incorrect routes can cause this issue.

Why this answer

The user can ping the default gateway (192.168.1.1), indicating Layer 2 and basic Layer 3 connectivity to the local router. However, other users on the same subnet can access the internet, so the issue is likely with the workstation's routing table. The 'netstat -r' command displays the IP routing table, allowing the technician to check for a missing or incorrect default route (e.g., destination 0.0.0.0 with gateway 192.168.1.1).

This isolates whether the workstation knows how to forward traffic beyond the local subnet.

Exam trap

Cisco often tests the misconception that 'ipconfig /all' is the first step for any connectivity issue, but here the technician already has the IP configuration, so the trap is to overlook that the routing table must be examined when local connectivity works but internet access fails.

How to eliminate wrong answers

Option A (ipconfig /all) is wrong because it displays detailed IP configuration (DHCP server, DNS, MAC address) but does not show the routing table; the technician already has the IP, subnet mask, and gateway from the initial verification. Option C (tracert 8.8.8.8) is wrong because it attempts to trace the route to an external host; if the routing table is broken, tracert will fail at the first hop or hang, but it does not directly reveal the routing table contents. Option D (nslookup google.com) is wrong because it tests DNS resolution; the user cannot access the internet, but the ping to the gateway succeeded, so the issue is not DNS but rather the lack of a proper route to forward packets beyond the local network.

Question 12 (MCQ, medium)

A network administrator connects two switches with a trunk link that is configured to allow all VLANs. Workstations in VLAN 10 can communicate across the switches, but workstations in VLAN 20 cannot. Both VLANs are configured on the first switch. What is the most likely cause of the issue?

A. The native VLAN is mismatched on the two switches.
B. VLAN 20 is not created on the second switch.
C. The trunk uses ISL instead of 802.1Q.
D. The default gateway is missing for VLAN 20.

Answer: B

Correct. If VLAN 20 does not exist on the second switch, it will discard frames received on the trunk tagged with VLAN 20. Creating the VLAN on both switches is essential for inter-switch communication.

Why this answer

VLAN 20 is configured on the first switch but not on the second switch. Even though the trunk link allows all VLANs, the second switch must have VLAN 20 created in its VLAN database for traffic to be forwarded. Without the VLAN existing on the second switch, frames tagged for VLAN 20 are dropped at the receiving switch because there is no corresponding VLAN interface or forwarding table entry.

Exam trap

Cisco often tests the misconception that a trunk configured to 'allow all VLANs' automatically makes every VLAN functional across the link, when in fact each switch must have the VLAN defined in its local database for traffic to be processed.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause issues with untagged frames (typically management or control traffic), not with specific user VLANs like VLAN 20; both VLANs 10 and 20 are tagged on the trunk, so native VLAN mismatch would not selectively break one VLAN. Option C is wrong because ISL vs. 802.1Q encapsulation mismatch would prevent all VLAN traffic from passing across the trunk, not just VLAN 20; the fact that VLAN 10 works correctly indicates the trunk encapsulation is consistent and functional.

Question 13 (MCQ, medium)

A network administrator has configured SNMPv3 on a router to send traps to a central management server. The administrator notices that no traps are being received. The management server is reachable via ping from the router. Which configuration step is most likely missing?

A. Configure the SNMP community string on the router
B. Set the SNMP trap destination IP address on the router
C. Configure SNMPv3 authentication and privacy credentials on both the router and the server
D. Ensure the SNMP agent is enabled on the router

Answer: C

SNMPv3 requires matching authentication and encryption credentials on both ends. Without them, the server will not accept or decrypt traps.

Why this answer

SNMPv3 requires authentication and encryption (privacy) to be configured on both the router and the management server. Without matching credentials, the server will reject or ignore the traps, even if the network path is reachable. This is the most likely missing step because SNMPv3 does not use community strings and relies on security models (authNoPriv, authPriv, or noAuthNoPriv) that must be consistent between endpoints.

Exam trap

CompTIA often tests the misconception that SNMPv3 still requires a community string or that simply setting a trap destination is sufficient, when in fact the security credentials must be explicitly configured and matched on both devices.

How to eliminate wrong answers

Option A is wrong because SNMPv3 does not use community strings; they are only used in SNMPv1/v2c. Option B is wrong because the trap destination IP address must be set, but the question states the management server is reachable via ping, implying basic IP connectivity exists; the missing piece is the security configuration, not the destination. Option D is wrong because the SNMP agent is enabled by default on most Cisco routers and is implied to be working since the router can send other traffic; the issue is specifically with trap authentication, not the agent status.

Question 14 (MCQ, hard)

A security analyst is investigating a potential breach. A network device shows logs indicating that it received packets with a source IP address belonging to the internal network range on its external (internet-facing) interface. This is a classic indication of which type of attack?

A. Denial-of-service (DoS) attack
B. IP spoofing
C. Man-in-the-middle (MITM) attack
D. ARP poisoning

Answer: B

IP spoofing is when an attacker forges the source IP address to appear as a trusted host. Seeing an internal IP on an external interface is a clear sign of spoofing.

Why this answer

B is correct because receiving packets with a source IP address from the internal network range on an external (internet-facing) interface is a classic sign of IP spoofing. In IP spoofing, an attacker forges the source IP address in packet headers to impersonate a trusted internal host, often to bypass access controls or launch reflection attacks. This violates the expected behavior of ingress filtering, where external interfaces should never see internal source addresses.

Exam trap

The trap here is that candidates may confuse IP spoofing with a DoS attack because spoofing is often used in DDoS amplification, but the question's specific clue—internal source IP on an external interface—directly points to spoofing, not the volumetric nature of a DoS.

How to eliminate wrong answers

Option A is wrong because a Denial-of-service (DoS) attack focuses on overwhelming a target with traffic to disrupt service, but the key indicator here is the source IP mismatch, not traffic volume or resource exhaustion. Option C is wrong because a Man-in-the-middle (MITM) attack involves intercepting and potentially altering communications between two parties, often using ARP spoofing or proxy techniques, but it does not inherently cause packets with internal source IPs to appear on an external interface.

Question 15 (MCQ, easy)

A user's workstation shows an IP address of 169.254.15.7 with a subnet mask of 255.255.0.0. The user cannot access any network resources. Which of the following is the most likely cause?

A. The DNS server is not responding
B. The DHCP server is unreachable
C. The subnet mask is incorrect
D. The default gateway is down

Answer: B

When a DHCP client cannot contact a DHCP server, it auto-configures with an APIPA address in the 169.254.0.0/16 range.

Why this answer

The IP address 169.254.15.7 with a /16 subnet mask is an Automatic Private IP Addressing (APIPA) address, assigned by Windows when a DHCP client fails to obtain a lease. This indicates the workstation cannot reach a DHCP server, so the most likely cause is that the DHCP server is unreachable.

Exam trap

The trap here is that candidates often confuse APIPA with a DNS or gateway issue, but APIPA specifically indicates DHCP failure, not a problem with higher-layer services or routing.

How to eliminate wrong answers

Option A is wrong because a non-responding DNS server would not cause the workstation to self-assign an APIPA address; DNS failures result in name resolution errors, not a complete loss of IP connectivity. Option C is wrong because the subnet mask 255.255.0.0 is correct for an APIPA address (169.254.0.0/16 per RFC 3927), so the mask itself is not the issue. Option D is wrong because a down default gateway would prevent access to remote networks but would not trigger APIPA assignment; the workstation would retain its DHCP-assigned IP and simply fail to route beyond the local subnet.

Question 16 (MCQ, easy)

Which of the following is a characteristic of a Layer 2 broadcast domain?

A. Devices can communicate using MAC addresses alone.
B. All devices must be on the same IP subnet.
C. Broadcast frames are forwarded to all ports within the domain.
D. Routers are required to communicate between devices in the same domain.

Answer: C

The key characteristic of a broadcast domain is that a broadcast frame sent by any device is received by all other devices in that domain. Switches forward broadcasts to all ports in the same VLAN.

Why this answer

A Layer 2 broadcast domain consists of all devices that receive a broadcast frame sent by any device within that domain. Switches forward broadcast frames (destination MAC FF:FF:FF:FF:FF:FF) out all ports except the ingress port, ensuring every device in the same VLAN or collision-free segment sees the broadcast. This is why option C is correct.

Exam trap

The trap here is that candidates often confuse a broadcast domain with a collision domain, or incorrectly assume that being on the same IP subnet is a requirement for receiving broadcasts, when in fact Layer 2 broadcasts are forwarded regardless of IP addressing.

How to eliminate wrong answers

Option A is wrong because while devices within a Layer 2 broadcast domain can communicate using MAC addresses alone, this is not a defining characteristic of the broadcast domain itself—it is true of any switched network, and the question asks for a characteristic of the broadcast domain specifically. Option B is wrong because devices in the same Layer 2 broadcast domain do not have to be on the same IP subnet; they can be on different subnets and still receive each other's broadcast frames, though communication between subnets would require a router. Option D is wrong because routers are not required for communication within the same broadcast domain; switches handle all Layer 2 forwarding, and a router is only needed to route between different broadcast domains (subnets/VLANs).

Question 17 (MCQ, easy)

Which of the following best describes the primary difference between a hub and a switch?

A. A switch is faster than a hub because it operates at Layer 3
B. A hub broadcasts all frames to all ports; a switch forwards frames only to the destination port
C. A hub can segment collision domains; a switch cannot
D. Both hubs and switches operate at the same OSI layer but use different frame types

Answer: B

This is the core difference. Hubs repeat signals out all ports; switches use MAC address tables to deliver frames selectively.

Why this answer

A hub operates at Layer 1 (physical layer) and simply repeats electrical signals out all ports, causing all connected devices to receive every frame. A switch operates at Layer 2 (data link layer) and uses the MAC address table to forward frames only to the specific port where the destination device resides, reducing unnecessary traffic and improving network efficiency.

Exam trap

The trap here is that candidates often confuse the OSI layer of a switch (Layer 2) with a router (Layer 3) and incorrectly assume switches are faster because they operate at a higher layer, or they mistakenly think hubs can segment collision domains when in fact they expand them.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2, not Layer 3; Layer 3 devices are routers or multilayer switches that perform routing based on IP addresses. Option C is wrong because a hub does not segment collision domains; it creates a single collision domain for all ports, while a switch segments collision domains by providing a dedicated collision domain per port. Option D is wrong because hubs and switches operate at different OSI layers (Layer 1 vs. Layer 2) and use the same Ethernet frame types, not different ones.

Question 18 (MCQ, hard)

A security engineer notices that the company's web server is receiving an overwhelming number of HTTP GET requests from thousands of different IP addresses around the world. The requests are for legitimate pages and are well-formed. The server is becoming unresponsive. Which type of attack is most likely occurring?

A.ARP spoofing
B.SYN flood
C.DDoS attack
D.DNS amplification
AnswerC

A distributed denial-of-service attack uses many sources to send legitimate-looking requests to overload the server.

Why this answer

The attack involves a high volume of legitimate HTTP GET requests from many distinct IP addresses, overwhelming the web server. This is a classic distributed denial-of-service (DDoS) attack, where multiple compromised systems (a botnet) coordinate to flood the target with traffic, exhausting server resources and causing unresponsiveness. The key indicators are the distributed source IPs and the use of application-layer (HTTP) requests, which distinguishes it from network-layer floods.

Exam trap

The trap here is that candidates confuse a SYN flood (a TCP-level attack) with a DDoS attack that uses complete HTTP requests, but the question explicitly states the requests are 'well-formed' and for 'legitimate pages,' ruling out incomplete handshake attacks.

How to eliminate wrong answers

Option A is wrong because ARP spoofing is a local network attack that manipulates Address Resolution Protocol to intercept traffic between hosts on the same subnet, not a method to flood a web server from thousands of global IPs. Option B is wrong because a SYN flood exploits the TCP three-way handshake by sending incomplete SYN packets to exhaust connection state tables, whereas this attack uses complete, well-formed HTTP GET requests. Option D is wrong because DNS amplification is a reflection/amplification attack that uses open DNS resolvers to send large DNS response packets to a victim, not HTTP GET requests.
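The symptoms in this question (many distinct sources, well-formed GETs for real pages, no single dominant client) can be checked directly in a web server's access log. The following is an added example, not part of the question bank: it parses Common Log Format lines, groups them into time windows, and flags windows where the request count and source count are both high while no single IP accounts for more than a small share. The log lines are constructed with documentation IP ranges, and the thresholds are illustrative starting points rather than tuned values.

```python
"""Detect a distributed HTTP GET flood in web-server access logs.

Added example, not part of the question bank. The log lines are constructed
(Common Log Format, documentation IP ranges) and the thresholds are
illustrative starting points, not tuned values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: twelve well-formed GETs for real pages from twelve
# distinct sources inside four seconds, then one ordinary client later on.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.11 - - [10/Oct/2024:13:55:36 +0000] "GET /products HTTP/1.1" 200 5120
203.0.113.12 - - [10/Oct/2024:13:55:36 +0000] "GET /about HTTP/1.1" 200 1810
203.0.113.13 - - [10/Oct/2024:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.14 - - [10/Oct/2024:13:55:37 +0000] "GET /products HTTP/1.1" 200 5120
203.0.113.15 - - [10/Oct/2024:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2024:13:55:38 +0000] "GET /about HTTP/1.1" 200 1810
198.51.100.8 - - [10/Oct/2024:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.9 - - [10/Oct/2024:13:55:38 +0000] "GET /products HTTP/1.1" 200 5120
198.51.100.10 - - [10/Oct/2024:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.11 - - [10/Oct/2024:13:55:39 +0000] "GET /about HTTP/1.1" 200 1810
198.51.100.12 - - [10/Oct/2024:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.77 - - [10/Oct/2024:13:56:20 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.77 - - [10/Oct/2024:13:56:21 +0000] "GET /about HTTP/1.1" 200 1810
"""


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["epoch"] = int(datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
    rec["status"] = int(rec["status"])
    return rec


def flood_windows(lines, window_s=10, min_requests=10, min_sources=8, max_top_share=0.25):
    """Return the time windows that look like a distributed application-layer flood.

    A window is flagged when the request count and the number of distinct
    sources are both high AND no single source dominates (one noisy client
    is a different problem). The share of well-formed, successful GETs is
    reported so the analyst can see the traffic is not malformed.
    """
    recs = [r for r in (parse_line(l) for l in lines) if r is not None]
    if not recs:
        return []
    t0 = min(r["epoch"] for r in recs)          # windows aligned to the first record
    buckets = defaultdict(list)
    for r in recs:
        buckets[t0 + (r["epoch"] - t0) // window_s * window_s].append(r)

    flagged = []
    for start, group in sorted(buckets.items()):
        total = len(group)
        sources = Counter(r["ip"] for r in group)
        if total < min_requests or len(sources) < min_sources:
            continue
        top_share = sources.most_common(1)[0][1] / total
        if top_share > max_top_share:
            continue
        well_formed = sum(1 for r in group if r["method"] == "GET" and 200 <= r["status"] < 400)
        flagged.append({
            "window_start": start,
            "requests": total,
            "sources": len(sources),
            "top_share": round(top_share, 2),
            "well_formed_ratio": round(well_formed / total, 2),
        })
    return flagged


if __name__ == "__main__":
    for w in flood_windows(SAMPLE_LOG.splitlines()):
        print(w)
```

The `top_share` check is what separates this from a single abusive client; the `well_formed_ratio` field is there because, as the question stresses, an HTTP flood is not distinguishable from legitimate traffic by the shape of individual requests, only by volume and distribution.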

19
MCQmedium

A router has two routes to the same destination network: one learned via OSPF with a metric of 10, and another learned via EIGRP with a composite metric of 3072. The default administrative distances are OSPF=110, EIGRP=90. Which route will be installed in the routing table?

A.The OSPF route because it has a lower metric
B.The EIGRP route because it has a lower administrative distance
C.Both routes will be installed for load balancing
D.The OSPF route because it is a link-state protocol
AnswerB

EIGRP's default administrative distance of 90 is lower than OSPF's 110, so the router chooses the EIGRP route regardless of metric values.

Why this answer

The EIGRP route is installed because administrative distance (AD) is the primary tiebreaker when multiple routing protocols provide routes to the same destination. EIGRP has a default AD of 90, which is lower than OSPF's AD of 110, so the router prefers the EIGRP route regardless of metric values. Metrics are only compared when routes come from the same protocol.

Exam trap

The trap here is that candidates often confuse metric with administrative distance, mistakenly thinking a lower OSPF metric (10) beats a higher EIGRP metric (3072), when in fact the router first compares AD values (90 vs 110) and selects the EIGRP route.

How to eliminate wrong answers

Option A is wrong because it assumes metric is the deciding factor between different routing protocols; metrics are only comparable within the same protocol, not across OSPF and EIGRP. Option C is wrong because load balancing across different routing protocols does not occur by default; the router installs only the route with the lowest administrative distance, and equal-cost load balancing happens only among routes learned by the same protocol with equal metrics, which is not the case here. Option D is wrong because the kind of protocol (link-state versus advanced distance-vector) plays no part in the comparison; the router looks only at administrative distance, and OSPF's 110 still loses to EIGRP's 90.
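The two-step rule the explanation describes (compare administrative distance across protocols first, then metric within the winning protocol) is easy to get wrong in practice when floating static routes or equal-cost paths are involved. The following is an added example, not from the question bank, that implements the rule over a list of constructed candidate routes; the default AD values are the common Cisco-style defaults the question cites, and the `Candidate` type and `ad` override field are assumptions for illustration.

```python
"""Route installation across protocols: administrative distance first, metric second.

Added example, not from the question bank. Default AD values are the common
Cisco-style defaults the question cites; the Candidate objects are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
              "ospf": 110, "rip": 120, "ibgp": 200}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    protocol: str
    metric: int
    next_hop: str
    ad: Optional[int] = None  # explicit override, e.g. a floating static with AD 200


def admin_distance(route: Candidate) -> int:
    return DEFAULT_AD[route.protocol] if route.ad is None else route.ad


def select_routes(candidates: List[Candidate]) -> Dict[str, List[Candidate]]:
    """Return {prefix: routes installed for that prefix}.

    1. Across protocols only AD is compared; metrics from different protocols
       are never weighed against each other.
    2. Within the winning protocol the lowest metric wins, and equal metrics
       are installed together (equal-cost multipath).
    An AD tie between two different protocols cannot be settled by this rule
    set, so it is reported as an error rather than guessed at.
    """
    by_prefix: Dict[str, List[Candidate]] = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append(c)

    table: Dict[str, List[Candidate]] = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(admin_distance(r) for r in routes)
        winners = [r for r in routes if admin_distance(r) == best_ad]
        protocols = {r.protocol for r in winners}
        if len(protocols) > 1:
            raise ValueError(f"{prefix}: AD tie between {sorted(protocols)}; "
                             "metrics from different protocols are not comparable")
        best_metric = min(r.metric for r in winners)
        table[prefix] = [r for r in winners if r.metric == best_metric]
    return table


if __name__ == "__main__":
    # The scenario from the question: OSPF metric 10 vs EIGRP metric 3072.
    demo = [Candidate("10.1.0.0/16", "ospf", 10, "10.0.0.1"),
            Candidate("10.1.0.0/16", "eigrp", 3072, "10.0.0.2")]
    for prefix, routes in select_routes(demo).items():
        for r in routes:
            print(f"{prefix} via {r.next_hop} [{admin_distance(r)}/{r.metric}] {r.protocol}")
```

The floating-static case in the test below is the one practitioners meet most: a static route deliberately given AD 200 stays out of the table while the dynamic route is present and takes over only when that route disappears.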

20
MCQhard

An IPv6 address has the prefix 2001:db8::/32. Which of the following IP addresses belongs to the same prefix?

A.2001:db8:1::1
B.2001:db9::1
C.2001:db7::1
D.fe80::1
AnswerA

The first 32 bits are 2001:0db8, which matches the prefix 2001:db8::/32.

Why this answer

The prefix 2001:db8::/32 means the first 32 bits of the address must be 2001:0db8. Option A (2001:db8:1::1) expands to 2001:0db8:0001:0000:0000:0000:0000:0001, which matches the first 32 bits exactly, so it belongs to the same /32 prefix.

Exam trap

The trap here is visual: 2001:db7, 2001:db8 and 2001:db9 look almost identical, but a /32 fixes the first two hextets exactly, so only an address whose second hextet is 0db8 qualifies. The double-colon (::) only compresses runs of zero hextets; it does not loosen the prefix, and CompTIA tests whether candidates compare the actual bits rather than the visual shape. Candidates also need to recognize fe80::1 as a link-local address (fe80::/10) that shares nothing with 2001:db8::/32.

How to eliminate wrong answers

Option B is wrong because 2001:db9::1 expands to 2001:0db9:...; the second hextet (0db9) differs from the required 0db8, so it falls outside the /32 prefix. Option C is wrong because 2001:db7::1 expands to 2001:0db7:...; the second hextet (0db7) also differs from 0db8, placing it in a different /32 prefix. Option D is wrong because fe80::1 is a link-local address from fe80::/10; its first 32 bits are fe80:0000, which do not match 2001:0db8 at all.
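The expansion the explanation performs by hand (fill in the zero hextets hidden by ::, then compare the leading bits) is mechanical enough to code, and doing so removes the visual trap entirely. The following is an added example, not from the question bank: a hand-rolled expander and prefix check, with the standard library's `ipaddress` module used only to cross-check the result. Embedded IPv4 notation (`::ffff:192.0.2.1`) is deliberately out of scope.

```python
"""IPv6 prefix membership by hand: expand '::', compare the first N bits.

Added example, not from the question bank; the stdlib ipaddress module is
used only to cross-check the hand-rolled logic.
"""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Return the full 8-hextet, zero-padded form (embedded IPv4 notation not handled)."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 hextets, got {len(parts)}")
    for p in parts:
        if not 1 <= len(p) <= 4 or not set(p) <= HEX:
            raise ValueError(f"bad hextet {p!r}")
    return ":".join(p.lower().zfill(4) for p in parts)


def ipv6_to_int(addr: str) -> int:
    return int(expand_ipv6(addr).replace(":", ""), 16)


def in_prefix(addr: str, prefix: str) -> bool:
    """True when the first `plen` bits of addr equal those of the prefix."""
    net, plen_s = prefix.split("/")
    plen = int(plen_s)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length out of range")
    mask = ((1 << plen) - 1) << (128 - plen)
    return (ipv6_to_int(addr) & mask) == (ipv6_to_int(net) & mask)


def agrees_with_stdlib(addr: str, prefix: str) -> bool:
    """Cross-check against ipaddress (strict=False tolerates host bits in the prefix)."""
    expected = ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)
    return in_prefix(addr, prefix) == expected


if __name__ == "__main__":
    for candidate in ("2001:db8:1::1", "2001:db9::1", "2001:db7::1", "fe80::1"):
        print(f"{candidate:>14} -> {expand_ipv6(candidate)}  in 2001:db8::/32: "
              f"{in_prefix(candidate, '2001:db8::/32')}")
```

Note that the /32 check masks off everything after bit 32, so `2001:db8:ffff::1` is inside the prefix just as `2001:db8:1::1` is; the only thing that matters is the first two hextets.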

21
Drag & Dropmedium

Drag and drop the steps to install a new network cable and terminate it with an RJ45 connector (T568B standard) into the correct order.


Why this order

Cable termination requires proper wire order and crimping.

22
MCQeasy

A network technician is explaining the process of resolving Layer 3 addresses to Layer 2 addresses on a local network. Which protocol is used by a host to determine the MAC address of another host given its IP address?

A.DNS
B.ARP
C.DHCP
D.ICMP
AnswerB

Address Resolution Protocol (ARP) maps an IPv4 address to a MAC address on the same local network.

Why this answer

ARP (Address Resolution Protocol) is the correct answer because it is specifically designed to resolve a known Layer 3 (IP) address to an unknown Layer 2 (MAC) address on a local network. When a host needs to send a frame to another host, it first checks its ARP cache; if no entry exists, it broadcasts an ARP request containing the target IP, and the host with that IP responds with its MAC address. This process is defined in RFC 826 and operates at the data link layer, enabling direct communication within the same broadcast domain.

Exam trap

The trap here is that candidates often confuse ARP with DNS because both involve 'resolution,' but DNS resolves names to IPs (Layer 3) while ARP resolves IPs to MACs (Layer 2), and CompTIA tests this distinction by including DNS as a distractor in Layer 2 addressing questions.

How to eliminate wrong answers

Option A is wrong because DNS (Domain Name System) resolves human-readable domain names to IP addresses, not MAC addresses, and operates at the application layer. Option C is wrong because DHCP (Dynamic Host Configuration Protocol) is used to automatically assign IP addresses, subnet masks, default gateways, and other network configuration parameters to hosts, but it does not perform IP-to-MAC address resolution. Option D is wrong because ICMP carries diagnostic and error messages (the echo request/reply used by ping, destination-unreachable notices, and so on) and plays no part in address resolution.
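The exchange the explanation describes (cache check, broadcast request, reply from the owner of the IP) can be shown byte-for-byte using the RFC 826 packet layout for Ethernet/IPv4. The following is an added example, not from the question bank: it builds and parses ARP packets with `struct`, then simulates the request/reply over a constructed LAN represented as an IP-to-MAC dictionary. The surrounding Ethernet header (whose ff:ff:ff:ff:ff:ff destination is what makes the request a broadcast) is omitted; the `resolve`/`answer_request` functions are illustrative names, not a real library API.

```python
"""ARP request/reply on Ethernet/IPv4, built and parsed byte-for-byte (RFC 826 layout).

Added example, not from the question bank. The LAN is a constructed dict of
IP -> MAC standing in for the hosts that would hear the broadcast; the
Ethernet header (with its ff:ff:ff:ff:ff:ff destination) is omitted.
"""
import socket
import struct
from typing import Dict, Optional

# htype, ptype, hlen, plen, oper, sha, spa, tha, tpa  -> 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return b


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Pack an ARP packet: hardware type 1 (Ethernet), protocol type 0x0800 (IPv4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported opcode {op}")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def answer_request(pkt: bytes, my_mac: str, my_ip: str) -> Optional[bytes]:
    """What a host does with a request it hears: reply only if it owns the target IP."""
    req = parse_arp(pkt)
    if req["op"] != OP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def resolve(cache: Dict[str, str], my_mac: str, my_ip: str,
            target_ip: str, lan: Dict[str, str]) -> Optional[str]:
    """Resolve target_ip to a MAC: cache first, else broadcast and learn from the reply."""
    if target_ip in cache:
        return cache[target_ip]
    request = build_arp(OP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)
    for ip, mac in lan.items():          # every host on the segment sees the broadcast
        reply = answer_request(request, mac, ip)
        if reply is not None:
            cache[target_ip] = parse_arp(reply)["sender_mac"]
            return cache[target_ip]
    return None                          # nobody owns that IP: the sender retries, then gives up


if __name__ == "__main__":
    lan = {"192.168.1.1": "aa:bb:cc:dd:ee:ff", "192.168.1.50": "aa:bb:cc:dd:ee:50"}
    cache: Dict[str, str] = {}
    print(resolve(cache, "aa:bb:cc:dd:ee:01", "192.168.1.10", "192.168.1.50", lan))
    print(cache)
```

Because the reply is trusted purely on the basis of "someone answered for that IP", the cache-learning step in `resolve` is also where ARP spoofing gets its foothold; a real stack applies the same logic, which is why the page's earlier DDoS question lists ARP spoofing as a local-segment attack.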

23
MCQeasy

A network engineer is troubleshooting a communication issue between two hosts. The engineer determines that the data is being segmented at the source and reassembled at the destination, but the segments are arriving out of order. Which OSI layer is responsible for sequencing the segments?

A.Physical layer
B.Data Link layer
C.Network layer
D.Transport layer
AnswerD

Correct. The Transport layer (e.g., TCP) segments data at the source, assigns sequence numbers, and reassembles the data in correct order at the destination.

Why this answer

The Transport layer (Layer 4) is responsible for end-to-end communication, including segmentation, reassembly, and sequencing of data segments. Protocols like TCP use sequence numbers to order segments correctly at the destination, even if they arrive out of order. This ensures the upper layers receive a complete, ordered data stream.

Exam trap

CompTIA often tests the misconception that the Network layer (Layer 3) handles sequencing because it deals with packet fragmentation and reassembly, but fragmentation is based on MTU size, not sequence numbers for ordering; sequencing is strictly a Transport layer function.

How to eliminate wrong answers

Option A is wrong because the Physical layer (Layer 1) handles raw bit transmission over the physical medium, with no concept of segments or sequencing. Option B is wrong because the Data Link layer (Layer 2) manages frame delivery on a single link, using MAC addresses and error detection, but does not perform end-to-end segment sequencing. Option C is wrong because the Network layer (Layer 3) handles packet routing and logical addressing (e.g., IP), but relies on the Transport layer for segment sequencing; IP packets can arrive out of order and are not resequenced at Layer 3.
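The sequencing behaviour the explanation attributes to the Transport layer (segments carry sequence numbers; the receiver buffers what arrives early and delivers bytes only in order) is straightforward to model. The following is an added example, not from the question bank: a small TCP-style reassembler that treats sequence numbers as byte offsets and handles out-of-order arrival, duplicates, and overlapping retransmissions. 32-bit sequence wraparound is deliberately left out so the core logic stays visible.

```python
"""Transport-layer sequencing: deliver an in-order byte stream from segments that
arrive out of order, duplicated, or overlapping (TCP-style sequence numbers).

Added example, not from the question bank. Sequence numbers are plain byte
offsets; 32-bit wraparound is deliberately left out to keep the logic visible.
"""
from typing import Dict


class Reassembler:
    def __init__(self, initial_seq: int = 0):
        self.next_seq = initial_seq          # first byte not yet delivered
        self.pending: Dict[int, bytes] = {}  # seq -> data waiting for a gap to close
        self.delivered = bytearray()

    def _stash(self, seq: int, data: bytes) -> None:
        # Two segments starting at the same offset: keep the longer copy.
        if len(data) > len(self.pending.get(seq, b"")):
            self.pending[seq] = data

    def receive(self, seq: int, data: bytes) -> bytes:
        """Accept one segment; return whatever became deliverable in order."""
        end = seq + len(data)
        if end <= self.next_seq:
            return b""                       # pure duplicate of already-delivered bytes
        if seq < self.next_seq:              # retransmission overlapping delivered bytes
            data = data[self.next_seq - seq:]
            seq = self.next_seq
        self._stash(seq, data)
        return self._drain()

    def _drain(self) -> bytes:
        out = bytearray()
        while True:
            # Trim or drop pending segments that now start inside delivered data.
            for s in sorted(self.pending):
                if s < self.next_seq:
                    d = self.pending.pop(s)
                    if s + len(d) > self.next_seq:
                        self._stash(self.next_seq, d[self.next_seq - s:])
            chunk = self.pending.pop(self.next_seq, None)
            if chunk is None:
                break                        # gap: wait for the missing segment
            out += chunk
            self.next_seq += len(chunk)
        self.delivered += out
        return bytes(out)


if __name__ == "__main__":
    r = Reassembler(initial_seq=1000)
    print(r.receive(1005, b"world"))   # arrives early: buffered, nothing delivered
    print(r.receive(1000, b"hello"))   # fills the gap: both segments delivered in order
    print(bytes(r.delivered))
```

The `pending` dictionary is the receive window's reorder buffer; the `next_seq` value is what a real TCP receiver advertises as its acknowledgement number, which is why a gap stalls delivery without losing the data that arrived early.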

24
MCQeasy

A user reports that they cannot access the internet. The technician is able to ping the default gateway successfully but unable to ping a public IP address (e.g., 8.8.8.8). Which of the following is the most likely cause?

A.Incorrect DNS server configuration
B.The router's default route is missing or misconfigured
C.Duplicate IP address on the network
D.Faulty network interface card
AnswerB

A missing default route on the router prevents traffic destined for external networks from being forwarded beyond the local subnet.

Why this answer

Successful ping to the default gateway confirms Layer 2 and Layer 3 connectivity within the local subnet, but failure to ping a public IP like 8.8.8.8 indicates that traffic cannot leave the local network. This is most commonly caused by a missing or misconfigured default route on the router, which prevents the router from forwarding packets destined for external networks to the next-hop ISP gateway.

Exam trap

The trap here is that candidates often confuse DNS resolution with IP connectivity and incorrectly choose 'Incorrect DNS server configuration' when the question explicitly states a public IP address is being pinged, not a hostname.

How to eliminate wrong answers

Option A is wrong because DNS is used for name resolution, not for routing IP packets; the technician is pinging a public IP address directly, so DNS configuration is irrelevant to the failure. Option C is wrong because a duplicate IP address would cause intermittent connectivity or address conflict errors, but the technician can still successfully ping the default gateway, which would be unlikely if a duplicate IP existed on the same subnet. Option D is wrong because a faulty NIC would prevent all IP communication, including the successful ping to the default gateway, so it cannot be the cause when local connectivity is intact.

25
MCQhard

A network administrator is configuring BGP between two autonomous systems. Which BGP attribute is primarily used to influence inbound traffic to a particular AS?

A.AS_PATH
B.Next Hop
C.Local Preference
D.MED (Multi-Exit Discriminator)
AnswerD

The MED attribute is used to suggest to a neighboring AS the preferred path for inbound traffic when multiple entry points exist.

Why this answer

The Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from a neighboring AS when multiple entry points exist. A lower MED value is preferred, allowing an AS to advertise to its neighbor which path should be used to reach it, thereby influencing traffic entering the local AS. Two caveats matter in practice: by default MED is compared only among routes received from the same neighboring AS, and it is a suggestion that the neighbor can override with its own policy (for example, a higher Local Preference).

Exam trap

The trap here is confusing MED with Local Preference: candidates often pick Local Preference because it is a well-known attribute for path selection, but it influences outbound traffic from the local AS, not inbound traffic from a neighboring AS.

How to eliminate wrong answers

Option A is wrong because AS_PATH's defined role is loop prevention and path selection; prepending extra AS numbers to it is a cruder way to make a path less attractive to others, but MED is the attribute whose purpose is to signal a preferred entry point to a neighboring AS. Option B is wrong because Next Hop specifies the next router to reach a destination and is not used to influence inbound traffic decisions. Option C is wrong because Local Preference is used within an AS to influence outbound traffic leaving the AS, not inbound traffic entering it.

26
MCQmedium

A user reports that they cannot connect to a file server on the same subnet. The technician checks the workstation's IP configuration: IP 192.168.1.10, subnet mask 255.255.255.0, default gateway 192.168.1.1. The workstation can ping the gateway but cannot ping the file server at 192.168.1.50. Which of the following is the most likely cause?

A.A
B.B
C.C
D.D
AnswerC

The server being powered off or having its network cable disconnected would cause all traffic to fail, matching the symptoms.

Why this answer

The workstation can ping the gateway (192.168.1.1) but not the file server (192.168.1.50) on the same subnet. Since both are on the same subnet (192.168.1.0/24), the default gateway is irrelevant for local traffic; ARP is used to resolve the server's IP to its MAC address. The most likely cause is that the file server's firewall is blocking ICMP (ping) traffic, preventing the echo request from reaching the server or the reply from being sent.

Exam trap

The trap here is that candidates assume a failed ping means a network connectivity issue, but CompTIA often tests that a host firewall can block ICMP while allowing other traffic, so a ping failure does not necessarily indicate a broken path.

How to eliminate wrong answers

Option A is wrong because the configured subnet mask (255.255.255.0) is correct for this network, and a wrong mask would disrupt all local communication, yet the workstation can ping the gateway. Option B is wrong because an incorrect default gateway does not prevent communication within the same subnet; local traffic uses ARP, not the gateway. Option D is wrong because a DNS resolution issue would affect name-based connectivity, but the user is connecting via IP address (192.168.1.50), so DNS is not involved.

27
MCQeasy

A network administrator is configuring IP addresses for a new subnet. The network address is 192.168.1.0 with a subnet mask of 255.255.255.240. How many usable host addresses are available on this subnet?

A.14
B.16
C.30
D.62
AnswerA

A /28 subnet yields 16 addresses; after removing the network and broadcast addresses, 14 host addresses remain usable.

Why this answer

The subnet mask 255.255.255.240 (or /28) provides 16 total addresses per subnet. The network address (192.168.1.0) and the broadcast address (192.168.1.15) are reserved, leaving 16 - 2 = 14 usable host addresses. This is calculated as 2^(32-28) - 2 = 2^4 - 2 = 16 - 2 = 14.

Exam trap

The trap here is that candidates often forget to subtract the network and broadcast addresses, selecting the total number of addresses (16) instead of the usable host count (14).

How to eliminate wrong answers

Option B is wrong because 16 is the total number of addresses in the subnet, but it fails to subtract the two reserved addresses (network and broadcast), which are not assignable to hosts. Option C is wrong because 30 usable hosts would require a /27 subnet mask (255.255.255.224), which provides 32 total addresses minus 2, not the /28 mask given in the question. Option D is wrong because 62 usable hosts corresponds to a /26 (255.255.255.192), two bits larger than the /28 in the question.

28
MCQeasy

A company wants to ensure that only authorized employee computers can connect to the wired network. Each computer must be authenticated before it is granted access to the network. Which technology is designed to provide this port-based authentication?

A.802.1X
B.WPA2
C.MAC filtering
D.VPN
AnswerA

802.1X provides port-based authentication for wired and wireless networks, requiring credentials before granting network access.

Why this answer

802.1X is the IEEE standard for port-based Network Access Control (NAC). It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to authenticate a device at the switch port before granting full network access. Only after successful authentication does the switch open the port, ensuring that unauthorized computers cannot connect.

Exam trap

CompTIA often tests the distinction between authentication (802.1X) and access control methods (MAC filtering), where candidates mistakenly choose MAC filtering because they think it 'authenticates' devices, but it only identifies by MAC address without verifying identity or credentials.

How to eliminate wrong answers

Option B (WPA2) is wrong because WPA2 is a wireless security suite that provides encryption and authentication for Wi-Fi networks, not for wired port-based authentication; WPA2-Enterprise itself relies on 802.1X for authentication, which is another reason 802.1X, not WPA2, is the answer for a wired port. Option C (MAC filtering) is wrong because MAC filtering only checks the MAC address against an allowlist, which is easily spoofed and does not provide true authentication or encryption; it is not a port-based authentication protocol like 802.1X. Option D (VPN) is wrong because a VPN builds an encrypted tunnel for remote or site-to-site access; it does not control whether a device plugged into a switch port is allowed onto the LAN.

29
MCQeasy

A network administrator needs to maintain a record of all configuration changes made to network switches, including the date, time, and the administrator who made the change. Which document should be used for this purpose?

A.Network topology diagram
B.Baseline configuration report
C.Change management log
D.Incident report
AnswerC

The change management log explicitly records details of each change, including the person, timestamp, and description.

Why this answer

A change management log is the correct document because it is specifically designed to record configuration changes, including the date, time, and the administrator responsible. This log provides an audit trail for network devices, ensuring compliance and facilitating troubleshooting by tracking who made what change and when.

Exam trap

The trap here is that candidates confuse a baseline configuration report with a change log, thinking it records changes, when in fact a baseline is a snapshot of a known good state, not a running history of modifications.

How to eliminate wrong answers

Option A is wrong because a network topology diagram shows the physical or logical layout of devices and connections, not a historical record of configuration changes. Option B is wrong because a baseline configuration report captures the initial or standard configuration state of a device, not a log of subsequent changes. Option D is wrong because an incident report documents security events or network outages, not routine configuration changes made by administrators.

30
MCQhard

A user at a branch office reports that they cannot connect to a file server at the main office. The branch office connects to the main office via a site-to-site VPN, and the VPN tunnel shows as active. The user can ping the main office's default gateway but not the file server. Which of the following should the technician check NEXT?

A.Check the routing tables on the branch router
B.Check the DNS resolution for the file server
C.Check the VPN encryption settings
D.Check the file server's antivirus software
AnswerA

Correct. The branch router may not have a route to the file server's subnet, or the main office router may not have a route back to the branch subnet. Verifying routing tables on both ends is essential.

Why this answer

The VPN tunnel is active and the user can ping the main office's default gateway, which confirms that Layer 3 connectivity exists across the tunnel. However, the file server is unreachable, indicating that the traffic destined for the file server's subnet is not being forwarded correctly. The next logical step is to check the routing tables on the branch router to ensure there is a specific route (or a default route) pointing to the VPN tunnel interface for the file server's network.

Without this route, the branch router may be dropping the packets or sending them out the wrong interface.

Exam trap

CompTIA often tests the misconception that a 'tunnel up' status guarantees end-to-end connectivity, but the trap here is that routing misconfiguration can allow the tunnel to be established while specific subnets remain unreachable.

How to eliminate wrong answers

Option B is wrong because DNS resolution is not the issue; the user can ping the main office's default gateway, which shows IP connectivity is working, and a DNS failure would prevent name resolution but not a direct IP ping to the file server. Option C is wrong because the VPN tunnel is active and the user can reach the main office gateway, which proves that encryption settings are correctly negotiated; mismatched encryption would cause the tunnel to fail entirely or drop all traffic, not selectively block the file server. Option D is wrong because antivirus software on the file server does not decide whether packets from the branch subnet can reach the server at all; routing has to be confirmed before anything on the server itself is examined.

31
MCQmedium

A company needs a subnet that will support exactly 50 devices. Which subnet mask provides the minimum number of usable host addresses while still accommodating the requirement?

A.255.255.255.128 (/25)
B.255.255.255.192 (/26)
C.255.255.255.224 (/27)
D.255.255.255.240 (/28)
AnswerB

/26 provides 62 usable hosts, which is the smallest subnet that can accommodate 50 devices.

Why this answer

Option B (255.255.255.192, /26) provides 2^(32-26) - 2 = 62 usable host addresses, which is the smallest subnet that can hold 50 devices. A /27 yields only 30 usable addresses (too few), while a /25 yields 126 usable addresses (wasteful). The requirement is to minimize waste while meeting the need.

Exam trap

CompTIA often tests the candidate's ability to distinguish between total addresses and usable host addresses, with the trap being that candidates forget to subtract the network and broadcast addresses, leading them to incorrectly select a /27 (which has 32 total addresses but only 30 usable).

How to eliminate wrong answers

Option A is wrong because 255.255.255.128 (/25) provides 126 usable host addresses, which far exceeds the requirement of 50 devices and is not the minimum subnet mask. Option C is wrong because 255.255.255.224 (/27) provides only 30 usable host addresses (2^(32-27) - 2 = 30), which is insufficient to support 50 devices. Option D is wrong because 255.255.255.240 (/28) provides only 14 usable host addresses, even further short of the requirement.
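The arithmetic behind this question and the /28 question earlier on the page (total addresses, minus network and broadcast, and the tightest prefix that still fits a host count) is worth having as a small calculator rather than redoing by hand. The following is an added example, not from the question bank; it follows the conventional 2^(32-prefix) - 2 rule and deliberately stops at /30, since /31 point-to-point links (RFC 3021) and /32 host routes do not follow that rule.

```python
"""IPv4 subnet arithmetic: network, broadcast, usable range, and the tightest
prefix for a required host count.

Added example, not from the question bank. Follows the conventional
'2^(32-prefix) - 2' rule; /31 point-to-point links (RFC 3021) and /32 host
routes are outside this calculator's scope, so it stops at /30.
"""
import socket
import struct
from typing import Dict


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def usable_hosts(prefix: int) -> int:
    """Assignable host addresses in a block of the given prefix length (/0 to /30)."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must be between /0 and /30 for the host-count rule")
    return 2 ** (32 - prefix) - 2


def subnet_info(cidr: str) -> Dict[str, object]:
    """Network, mask, broadcast, first/last host and usable count for 'a.b.c.d/n'."""
    addr, plen_s = cidr.split("/")
    plen = int(plen_s)
    if not 0 <= plen <= 30:
        raise ValueError("prefix must be between /0 and /30")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    net = ip_to_int(addr) & mask                # host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)          # host bits set
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1),
        "last_host": int_to_ip(bcast - 1),
        "usable": bcast - net - 1,
    }


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest block) whose usable count still covers `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    for plen in range(30, -1, -1):              # try the smallest block first
        if usable_hosts(plen) >= hosts:
            return plen
    raise ValueError("more hosts than a /0 can hold")


if __name__ == "__main__":
    print(subnet_info("192.168.1.0/28"))
    for need in (14, 15, 50, 62, 63):
        p = smallest_prefix_for(need)
        print(f"{need:>3} hosts -> /{p} ({usable_hosts(p)} usable)")
```

The boundary cases in the test are the ones exams like to probe: 62 hosts still fit a /26, but 63 push you to a /25, and 15 hosts already need a /27 rather than a /28.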

32
MCQmedium

A user can ping the default gateway (192.168.1.1) but cannot ping the external IP address 8.8.8.8. Other users on the same subnet can ping 8.8.8.8 without issue. The user's IP configuration is correct: IP 192.168.1.10/24, default gateway 192.168.1.1, DNS 8.8.8.8. What is the most likely cause?

A.The computer's firewall is blocking outbound ICMP
B.The router is missing a default route to the internet
C.The DNS server is not resolving the hostname
D.The network cable is loose or faulty
AnswerA

Firewalls often block ICMP by default or may have been configured to do so. Since other users work, the problem is local to this machine.

Why this answer

The user can ping the default gateway (192.168.1.1) but not the external IP 8.8.8.8, while other users on the same subnet can ping 8.8.8.8 without issue. This isolates the problem to the user's specific host, not the network infrastructure. A local firewall on the user's computer blocking outbound ICMP (Internet Control Message Protocol) traffic would prevent ping to external IPs while still allowing local subnet communication, as ICMP is often restricted by default in some security policies.

Exam trap

The trap here is that candidates often assume a routing or DNS issue when the problem is host-specific, but the key clue is that other users on the same subnet succeed, pointing to a local host configuration or firewall problem rather than a network-wide fault.

How to eliminate wrong answers

Option B is wrong because if the router were missing a default route to the internet, no user on the subnet would be able to ping 8.8.8.8, but the question states other users can do so without issue. Option C is wrong because DNS resolution is not required for pinging an IP address directly (8.8.8.8); DNS is only needed when pinging a hostname, and the user is pinging an IP address. Option D is wrong because a loose or faulty cable would also break the ping to the default gateway, which succeeds.

33
MCQeasy

A network technician is explaining the role of a network switch to a new employee. Which of the following best describes the primary function of a switch in a local area network?

A.It forwards data based on IP addresses.
B.It forwards data based on MAC addresses.
C.It connects different networks and performs routing.
D.It amplifies and repeats the signal to all ports.
AnswerB

A layer 2 switch uses MAC addresses to forward frames to the correct destination port, reducing unnecessary traffic.

Why this answer

A network switch operates at Layer 2 of the OSI model and uses MAC addresses to make forwarding decisions. When a frame arrives, the switch examines the destination MAC address, looks it up in its MAC address table, and forwards the frame only to the port associated with that address, giving each port its own collision domain and keeping unnecessary traffic off the other ports.

Exam trap

CompTIA often tests the distinction between Layer 2 switching (MAC addresses) and Layer 3 routing (IP addresses), and the trap here is that candidates confuse the switch's forwarding decision with that of a router, especially when dealing with multilayer switches that can perform both functions.

How to eliminate wrong answers

Option A is wrong because switches forward data based on MAC addresses, not IP addresses; IP address-based forwarding is the function of a router (Layer 3 device). Option C is wrong because connecting different networks and performing routing is the role of a router, not a switch; a switch operates within a single local area network and does not route between subnets. Option D is wrong because repeating the signal out of every port describes a hub, which makes no forwarding decision at all.

34
MCQhard

Users at a remote branch office cannot access internet resources. The branch's edge router shows that the WAN interface is up. The default route is configured to point to next-hop 192.0.2.2, but the admin can successfully ping 192.0.2.1 from the router. What is the most likely cause?

A.The router's WAN interface is configured with the wrong subnet mask
B.The default route is missing or has an incorrect next-hop IP
C.NAT is not configured on the router
D.A firewall on the router is blocking outbound traffic
AnswerB

The router can reach 192.0.2.1 across the WAN link, but its default route points to 192.0.2.2. Internet-bound traffic is therefore handed to a next hop that is not the working gateway, so it is never forwarded.

Why this answer

The correct answer is B because the admin can reach 192.0.2.1 across the link, which proves the WAN interface, its addressing, and Layer 2/3 adjacency to the ISP side are working, yet the default route sends all unknown-destination traffic to 192.0.2.2 instead. A default route whose next hop is not the reachable gateway leaves the router with no valid path for internet-bound packets, so the users' traffic is dropped even though the link itself is healthy.

Exam trap

The trap here is that candidates assume a successful ping to 192.0.2.1 means the WAN link is fully usable for forwarding, but the default route's next hop (192.0.2.2) is a different address that must itself be the correct, reachable gateway for internet traffic to be forwarded.

How to eliminate wrong answers

Option A is wrong because a wrong subnet mask on the WAN interface would typically prevent the router from reaching 192.0.2.1 at all; the fact that the interface is up and that address is reachable rules out a mask mismatch. Option C is wrong because NAT is not required for basic reachability from the router itself; the router can route packets without NAT, and the issue is that the router has no valid path to forward traffic, not that it cannot translate addresses. Option D is wrong because nothing in the scenario points to a filter on the router, while the stated configuration already contains a routing error that alone explains the symptom; a filter would be investigated only after the route is corrected.

35
MCQhard

A user on VLAN 10 reports that they cannot access a file server on VLAN 20. The user can ping the default gateway (interface on the router) and other devices within VLAN 10. The router has an 'ip helper-address' for DHCP but no static routes or dynamic routing configured for inter-VLAN routing. The file server is correctly configured with an IP address in VLAN 20. What is the most likely cause of the communication failure?

A.The router is configured with an ACL that blocks traffic from VLAN 10 to VLAN 20
B.The router does not have a route to the VLAN 20 subnet
C.The switch port connecting the user to the network is configured with port security limiting MAC addresses
D.The file server has a firewall blocking ICMP ping requests
AnswerB

If the router has no directly connected interface for VLAN 20 (e.g., no subinterface or SVI), it does not have a route to that subnet. Without a route, packets from VLAN 10 to VLAN 20 are dropped.

Why this answer

The router has no route to the VLAN 20 subnet. A router only has a connected route for a subnet when one of its own interfaces (a subinterface or an SVI) is configured in that subnet, and the question states that no static or dynamic routing is configured either. With no connected, static, or dynamic entry for VLAN 20 in its routing table, the router cannot forward packets from VLAN 10 to VLAN 20 and drops them.

The 'ip helper-address' only forwards DHCP broadcasts, not general traffic.

Exam trap

CompTIA often tests the misconception that a router with an 'ip helper-address' can route between VLANs, when in fact it only forwards specific broadcast traffic and does not provide inter-VLAN routing without proper routing entries.

How to eliminate wrong answers

Option A is wrong because there is no mention of an ACL being configured; the question states no static routes or dynamic routing is configured, but does not mention ACLs, and an ACL would need to be explicitly applied to block traffic. Option C is wrong because port security limiting MAC addresses would prevent the user from communicating with any device, including the default gateway and other VLAN 10 devices, which the user can successfully ping. Option D is wrong because a host firewall blocking ICMP would explain a failed ping but not the inability to access the server at all, and the question already states the router has no routing for VLAN 20, which is the more direct explanation.

36
MCQhard

A security analyst is investigating a potential data exfiltration. The analyst notices that a server is sending DNS queries to an external IP address on TCP port 53, and the DNS responses are unusually large. The server is not a DNS server. Which technique is most likely being used?

A.DNS amplification attack
B.DNS tunneling
C.DNS zone transfer
D.DNS cache poisoning
AnswerB

DNS tunneling uses DNS protocol to encapsulate other data, often for command-and-control or data exfiltration. Large response sizes and unusual use of TCP port 53 are indicators.

Why this answer

DNS tunneling encodes non-DNS data (e.g., exfiltrated files) within DNS queries and responses, often using TCP port 53 to bypass firewalls. The unusually large responses are a hallmark of tunneled data being returned in DNS payloads, and the fact that the server is not a DNS server strongly indicates it is being used as a client for covert data transfer. One caveat for the analyst: DNS over TCP 53 is legitimate on its own (resolvers fall back to TCP for responses too large for UDP, and zone transfers use it), so the transport is a supporting indicator; the combination of a non-DNS host, an external destination, and oversized responses is what makes the pattern suspicious.

Exam trap

CompTIA often tests the distinction between DNS amplification (a DDoS attack using UDP reflection) and DNS tunneling (a covert channel using TCP or UDP for data exfiltration), and the trap here is that candidates see 'large responses' and immediately think amplification, ignoring the TCP port 53 and non-DNS server context.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses UDP (not TCP) and relies on spoofed source IPs to flood a victim with large responses, not to exfiltrate data from a non-DNS server. Option C is wrong because a DNS zone transfer is a legitimate administrative operation between authoritative DNS servers using TCP port 53, but it transfers zone data (not arbitrary data) and requires the server to be a DNS server. Option D is wrong because DNS cache poisoning corrupts a resolver's cache with forged records (e.g., to redirect traffic), not to exfiltrate data via large responses from a non-DNS server.
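The indicators the explanation lists can be turned into a first-pass detector over DNS query logs: tunnels need many unique, long, high-entropy subdomains under one registered domain, and the transport and response size are useful supporting evidence. The following is an added example, not from the question bank. The log lines are constructed and their field layout (timestamp, client, transport, query name, response bytes) is an assumption, as are the thresholds; the "registered domain" rule used here is a simple last-two-labels split, which is wrong for suffixes like co.uk and would be replaced by a public suffix list in production.

```python
"""Heuristic DNS-tunneling detector over query logs.

Added example, not from the question bank. Log lines are constructed; the
field layout (timestamp, client, transport, qname, response bytes) is an
assumption, as are the thresholds and the two-label 'registered domain' rule.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: ordinary lookups, two internal hostnames, and eight
# queries from one host for long random-looking labels over TCP with
# oversized responses (the pattern described in the question).
SAMPLE_DNS_LOG = """\
2024-10-10T13:55:36Z 10.0.0.25 udp www.example.com 98
2024-10-10T13:55:37Z 10.0.0.25 udp mail.example.com 112
2024-10-10T13:55:38Z 10.0.0.31 udp www.example.com 98
2024-10-10T13:55:39Z 10.0.0.31 udp fileserver01.corp.example.org 120
2024-10-10T13:55:40Z 10.0.0.31 udp fileserver02.corp.example.org 120
2024-10-10T13:55:41Z 10.0.0.40 tcp 3f9a1c7e5b2d8f0a6c4e9b1d7f3a5c8e.exfil-example.net 1380
2024-10-10T13:55:42Z 10.0.0.40 tcp b7e2d9f4a1c6e8b3d5f0a7c2e9b4d1f6.exfil-example.net 1392
2024-10-10T13:55:43Z 10.0.0.40 tcp 9c4f1a8e3b6d0f5a2c7e9b1d4f8a3c6e.exfil-example.net 1388
2024-10-10T13:55:44Z 10.0.0.40 tcp e1a5c9f3b7d2e6a0c4f8b1d5e9a3c7f2.exfil-example.net 1401
2024-10-10T13:55:45Z 10.0.0.40 tcp 5d8b2f6a9c1e4d7b0f3a6c9e2b5d8f1a.exfil-example.net 1376
2024-10-10T13:55:46Z 10.0.0.40 tcp a2c6e0b4d8f1a5c9e3b7d1f5a8c2e6b0.exfil-example.net 1390
2024-10-10T13:55:47Z 10.0.0.40 tcp 7f1b5d9a3c6e0f4b8d2a5c9e1b3f7d0a.exfil-example.net 1384
2024-10-10T13:55:48Z 10.0.0.40 tcp c9e3a7f1b5d8c2e6a0f4b8d1c5e9a3f7.exfil-example.net 1397
2024-10-10T13:55:49Z 10.0.0.25 udp www.example.com 98
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex sits near 4, human-chosen labels far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels (simplification: no public suffix list, so co.uk etc. are wrong)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_records(lines: List[str]) -> List[dict]:
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue                        # skip malformed lines rather than crash
        ts, client, proto, qname, rsize = fields
        records.append({"ts": ts, "client": client, "proto": proto.lower(),
                        "qname": qname.lower().rstrip("."), "rsize": int(rsize)})
    return records


def score_domains(records: List[dict], min_queries: int = 5, min_label_len: int = 20,
                  min_entropy: float = 3.0, min_unique_ratio: float = 0.8) -> Dict[str, dict]:
    """Per registered domain: query stats plus a 'suspect' verdict.

    The verdict is driven by name shape (many unique, long, high-entropy
    subdomains); transport and response size are reported as supporting
    evidence because TCP/53 and large answers are legitimate on their own.
    """
    groups: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        groups[registered_domain(r["qname"])].append(r)

    report = {}
    for domain, recs in groups.items():
        subs = [r["qname"][: -len(domain) - 1] if r["qname"] != domain else "" for r in recs]
        n = len(recs)
        avg_len = sum(len(s) for s in subs) / n
        avg_ent = sum(shannon_entropy(s) for s in subs) / n
        unique_ratio = len(set(subs)) / n
        stats = {
            "queries": n,
            "clients": len({r["client"] for r in recs}),
            "unique_ratio": round(unique_ratio, 2),
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "tcp_ratio": round(sum(r["proto"] == "tcp" for r in recs) / n, 2),
            "avg_response": round(sum(r["rsize"] for r in recs) / n),
        }
        stats["suspect"] = (n >= min_queries and avg_len >= min_label_len
                            and avg_ent >= min_entropy and unique_ratio >= min_unique_ratio)
        report[domain] = stats
    return report


if __name__ == "__main__":
    for domain, stats in score_domains(parse_records(SAMPLE_DNS_LOG.splitlines())).items():
        print(domain, stats)
```

On the constructed sample only `exfil-example.net` is flagged: eight unique 32-character labels at roughly 3.9 bits per character, all over TCP with responses near 1400 bytes. The internal `corp.example.org` names have non-trivial entropy but fail on count and length, which is why the verdict needs all the conditions together rather than any one of them.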

37
MCQeasy

Which of the following network topologies provides the highest level of redundancy and fault tolerance?

A.Star
B.Bus
C.Ring
D.Mesh
AnswerD

A mesh topology offers multiple redundant paths, providing the highest fault tolerance.

Why this answer

A mesh topology provides the highest level of redundancy and fault tolerance because every node has a dedicated point-to-point connection to every other node. This means that if any single link or node fails, traffic can be immediately rerouted through multiple alternative paths without any single point of failure. In a full mesh, the number of links is n(n-1)/2, ensuring maximum path diversity and resilience.

Exam trap

CompTIA often tests the misconception that a ring topology (especially a dual-ring like FDDI) offers the highest fault tolerance, but candidates must remember that a full mesh provides more redundant paths and no single point of failure, whereas even a dual ring can be disrupted by multiple simultaneous failures.

How to eliminate wrong answers

Option A is wrong because a star topology relies on a central hub or switch; if that central device fails, all connected nodes lose connectivity, creating a single point of failure. Option B is wrong because a bus topology uses a single shared backbone cable; a break or fault in the backbone brings down the entire segment, and it offers no redundancy. Option C is wrong because a ring topology connects nodes in a closed loop; while some ring variants (e.g., FDDI) use dual rings for fault tolerance, a standard single-ring topology breaks entirely if any one node or link fails, and even dual rings provide less path diversity than a mesh.

38
MCQmedium

A user reports that their laptop is connected to the corporate Wi-Fi network but cannot access the internet. Other users in the same area are able to access the internet without issues. The laptop shows a valid IP address of 192.168.1.25/24 and the default gateway is 192.168.1.1. Which of the following should the technician check NEXT?

A.DNS server configuration on the laptop
B.DHCP server lease exhaustion
C.Access point channel utilization
D.Switch port status on the distribution switch
AnswerA

If DNS is misconfigured, the laptop will not be able to resolve domain names even though it has connectivity. This is a common isolated issue.

Why this answer

Since the laptop has a valid IP address (192.168.1.25/24) and default gateway (192.168.1.1), and other users can access the internet, the issue is isolated to this laptop. A common cause is incorrect or missing DNS server configuration, which prevents domain name resolution even though IP-level connectivity exists. The technician should verify the DNS server addresses in the laptop's IPv4 settings or run 'nslookup' to confirm resolution.

Exam trap

The trap here is that candidates assume a valid IP address and gateway mean full internet connectivity, overlooking that DNS misconfiguration is a classic isolated symptom where other users work fine.

How to eliminate wrong answers

Option B is wrong because DHCP server lease exhaustion would affect multiple users in the area, not just one laptop, and the laptop already has a valid IP address from the 192.168.1.0/24 subnet, indicating a lease was successfully assigned. Option C is wrong because access point channel utilization would cause performance degradation or connectivity issues for all users on that AP, not just a single laptop, and the laptop is already associated with the network.

39
MCQhard

A network architect is designing a Software-Defined Networking (SDN) based network. Which of the following components is responsible for making centralized forwarding decisions and communicating those decisions to the physical switches using southbound APIs?

A.Application layer
B.Control layer
C.Data plane
D.East-west interfaces
AnswerB

The control layer (SDN controller) centralizes the control plane and programs switches via southbound APIs, determining how packets should be forwarded.

Why this answer

In SDN architecture, the control layer (also known as the SDN controller) is the centralized entity responsible for making all forwarding decisions. It communicates these decisions to the physical switches via southbound APIs, such as OpenFlow, which program the flow tables in the data plane. This separation of the control plane from the data plane is the fundamental principle of SDN.

Exam trap

The trap here is that candidates confuse the control layer with the data plane, thinking that the physical switches themselves make forwarding decisions, but in SDN the control layer is logically centralized and the switches are simple forwarding devices.

How to eliminate wrong answers

Option A is wrong because the application layer consists of business logic and network services (e.g., load balancers, firewalls) that communicate with the control layer via northbound APIs, not directly with switches. Option C is wrong because the data plane (or forwarding plane) is the part of the switch that actually forwards packets based on flow table entries; it does not make centralized decisions. Option D is wrong because east-west interfaces are used for communication between multiple SDN controllers for synchronization and high availability, not for sending forwarding decisions to physical switches.

40
MCQeasy

What is the default administrative distance for OSPF routes on a typical Cisco router?

A.90
B.100
C.110
D.120
AnswerC

OSPF uses an AD of 110 by default, making it more trusted than RIP (120) but less than EIGRP (90) and external EIGRP (170).

Why this answer

Option C is correct because the default administrative distance for OSPF routes on a Cisco router is 110. Administrative distance is a trustworthiness metric used to select the best route when multiple routing protocols provide a route to the same destination; a lower value is preferred. OSPF's default AD of 110 is higher than that of static routes (1) and EIGRP (90/170), but lower than RIP (120) and IS-IS (115).

Exam trap

CompTIA often tests the default administrative distances for OSPF, EIGRP, and RIP, and the trap here is confusing OSPF's AD of 110 with EIGRP's AD of 90 or RIP's AD of 120, especially since OSPF is a link-state protocol while EIGRP is a hybrid, leading candidates to misremember the values.

How to eliminate wrong answers

Option A is wrong because 90 is the default administrative distance for internal EIGRP routes, not OSPF. Option B is wrong because 100 is not a default administrative distance for any common routing protocol on Cisco routers; it is sometimes used for iBGP in some implementations but is not the OSPF default. Option D is wrong because 120 is the default administrative distance for RIP routes, not OSPF.

41
MCQmedium

A network engineer needs to securely transfer router configuration files to a central backup server. The backup server supports SCP and TFTP. Which protocol should the engineer use?

A.SCP
B.TFTP
C.HTTP
D.FTP
AnswerA

SCP provides encryption and authentication, securing the configuration file during transfer.

Why this answer

SCP (Secure Copy Protocol) is the correct choice because it encrypts both the authentication and the data transfer using SSH, ensuring confidentiality and integrity of the router configuration files during transit. TFTP, while simple and often used for network device backups, lacks any encryption or authentication, making it insecure for transferring sensitive configuration data over a network.

Exam trap

The trap here is that TFTP is commonly associated with router configuration backups in many study materials, leading candidates to overlook the 'securely' keyword in the question and choose TFTP despite its lack of encryption.

How to eliminate wrong answers

Option B (TFTP) is wrong because it uses UDP port 69 with no encryption or authentication, exposing the configuration files to interception and tampering. Option C (HTTP) is wrong because it transmits data in plaintext over TCP port 80, offering no security for sensitive files. Option D (FTP) is wrong because it sends credentials and data in cleartext over TCP ports 20/21, and even with FTP over TLS (FTPS), it is not as straightforward or commonly supported for router backups as SCP, which leverages the existing SSH infrastructure.

42
MCQhard

An organization needs to authenticate network administrators and control which commands each administrator can execute on routers and switches. The solution must support granular per-command authorization and encrypt the entire session. Which protocol is best suited for this requirement?

A.TACACS+
B.RADIUS
C.LDAP
D.Kerberos
AnswerA

Correct. TACACS+ encrypts the entire session and supports granular command authorization for device administration.

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) functions, allowing granular per-command authorization on routers and switches. It encrypts the entire session, including the username, password, and all command traffic, unlike RADIUS which only encrypts the password. This makes TACACS+ ideal for environments requiring strict command-level control and full session encryption.

Exam trap

CompTIA often tests the distinction that RADIUS is commonly used for network access control (e.g., 802.1X) but fails for device administration because it lacks per-command authorization and full-session encryption, leading candidates to mistakenly choose RADIUS due to its familiarity.

How to eliminate wrong answers

Option B (RADIUS) is wrong because it only encrypts the password in the access-request packet, leaving the rest of the session (including commands) unencrypted, and it does not support per-command authorization—it only provides service-level authorization (e.g., permit/deny network access). Option C (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services (e.g., user attributes), not for AAA or session encryption; it lacks command authorization and full-session encryption capabilities. Option D (Kerberos) is wrong because it is a ticket-based authentication protocol designed for single sign-on in Windows domains, not for per-command authorization on network devices; it does not encrypt the entire session or provide granular command control.
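As an added illustration (not part of the question bank), the Cisco IOS AAA configuration that implements the TACACS+ requirement above: login authentication, exec authorization and per-command authorization for privilege level 15, with command accounting for audit. The server address, the group name ADMINS and the secrets are placeholders.

```cisco
! Added example, not from the question bank: device administration via
! TACACS+ with per-command authorization (question 42). Server address,
! group name ADMINS and both secrets are placeholders.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
aaa group server tacacs+ ADMINS
 server name TAC1
!
! Authenticate logins against TACACS+; 'local' is only consulted when no
! server answers, so the device stays manageable during a server outage.
aaa authentication login default group ADMINS local
! Exec authorization sets the privilege level the server returns.
aaa authorization exec default group ADMINS local
! Per-command authorization: every privilege-15 command is sent to the
! server and must be permitted before IOS runs it. RADIUS has no
! equivalent; it only authorizes the session as a whole.
aaa authorization commands 15 default group ADMINS local
! Accounting records each command and who issued it, for audit.
aaa accounting commands 15 default start-stop group ADMINS
!
! Local fallback account used only when the TACACS+ group is unreachable.
username admin privilege 15 secret <local-secret-placeholder>
```

Because the TACACS+ payload is encrypted end to end, the command strings carried by the authorization requests are not exposed on the wire, which is the session-encryption property the question contrasts with RADIUS.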

43
MCQmedium

A network security analyst notices that a switch's CPU utilization is spiking and that the switch is flooding unicast frames to all ports. The analyst suspects a MAC address table overflow attack. Which of the following security features should be configured on the switch's access ports to mitigate this type of attack?

A.BPDU guard
B.Port security
C.DHCP snooping
D.Dynamic ARP Inspection (DAI)
AnswerB

Port security limits the number of MAC addresses per port, directly mitigating MAC flooding attacks.

Why this answer

Port security mitigates MAC address table overflow attacks by limiting the number of MAC addresses that can be learned on an access port. When the configured limit is exceeded, the switch can take action (e.g., shutdown or restrict) to prevent an attacker from flooding the CAM table with fake source MAC addresses, which would otherwise cause the switch to fail open and flood unicast frames out all ports.

Exam trap

The trap here is that candidates often confuse port security with other Layer 2 security features like BPDU guard or DHCP snooping, but only port security directly limits the number of MAC addresses learned on a port to prevent CAM table overflow.

How to eliminate wrong answers

Option A is wrong because BPDU guard is designed to protect against Spanning Tree Protocol (STP) manipulation by disabling a port if it receives a BPDU, not to limit MAC address learning or prevent CAM table overflow. Option C is wrong because DHCP snooping filters untrusted DHCP messages and builds a DHCP snooping binding table to prevent rogue DHCP servers, but it does not directly limit the number of MAC addresses learned on a port. Option D is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing, but it does not restrict the number of MAC addresses that can be learned on a port.
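As an added illustration (not part of the question bank), the Cisco IOS port-security configuration that applies the mitigation above to an access port, plus the verification commands a defender would use to spot an overflow attempt. The interface name, VLAN and the maximum of two addresses are assumptions.

```cisco
! Added example, not from the question bank: port security on an access
! port to stop a MAC address table overflow (question 43). Interface,
! VLAN and the limit of 2 addresses are assumptions.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! At most 2 source MACs (e.g. an IP phone and the PC behind it).
 switchport port-security maximum 2
 ! 'restrict' drops frames from further MACs, increments the violation
 ! counter and sends a syslog/SNMP trap while keeping the port up;
 ! the default 'shutdown' would err-disable the port instead.
 switchport port-security violation restrict
 ! Learned addresses are written into the running config so they
 ! survive a reload and a rogue host cannot replace them.
 switchport port-security mac-address sticky
!
! If 'shutdown' mode is preferred, let the port recover on its own after
! 5 minutes rather than requiring a manual 'shutdown' / 'no shutdown'.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: a rising 'Security Violation Count' on an interface, or
! a 'Last Source Address' that changes constantly, is the signature of
! a flooding tool, not a legitimate host.
! show port-security interface GigabitEthernet1/0/5
! show port-security address
! show mac address-table count
```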

44
MCQeasy

At which layer of the OSI model does a network device encapsulate data into frames and add source and destination MAC addresses?

A.Layer 1 – Physical
B.Layer 2 – Data Link
C.Layer 3 – Network
D.Layer 4 – Transport
AnswerB

The Data Link layer creates frames, adds MAC addresses, and provides error detection. It is the correct layer for this function.

Why this answer

The Data Link layer (Layer 2) is responsible for node-to-node communication and encapsulates packets from the Network layer into frames. It adds a header containing the source and destination MAC addresses, which are used for delivery within the same local network segment. This process is defined by IEEE 802 standards such as Ethernet (802.3) and Wi-Fi (802.11).

Exam trap

CompTIA often tests the distinction between MAC addresses (Layer 2) and IP addresses (Layer 3), and the trap here is that candidates may confuse the encapsulation process and incorrectly associate MAC addressing with the Network layer due to familiarity with IP addressing.

How to eliminate wrong answers

Option A is wrong because the Physical layer (Layer 1) deals with the transmission and reception of raw bit streams over a physical medium, such as electrical signals, light pulses, or radio waves, and does not perform framing or MAC addressing. Option C is wrong because the Network layer (Layer 3) encapsulates data into packets and adds source and destination IP addresses, not MAC addresses, and is responsible for logical addressing and routing across networks. Option D is wrong because the Transport layer (Layer 4) provides end-to-end communication services, segmenting data into segments (TCP) or datagrams (UDP), and adds port numbers and sequence numbers, not MAC addresses.

45
MCQeasy

A network administrator wants to automate IP address assignment for client devices. Which protocol should be used?

A.DHCP
B.DNS
C.ARP
D.ICMP
AnswerA

DHCP dynamically provides IP configuration to devices, making it the correct protocol for automated IP address assignment.

Why this answer

DHCP (Dynamic Host Configuration Protocol) automates IP address assignment by leasing IP configurations to client devices from a defined pool. This eliminates the need for manual static IP configuration, making it the correct protocol for automated IP address management.

Exam trap

CompTIA often tests the distinction between DHCP for address assignment and DNS for name resolution, leading candidates to confuse the two when the question mentions 'automating IP address assignment'.

How to eliminate wrong answers

Option B (DNS) is wrong because DNS translates domain names to IP addresses, it does not assign IP addresses to clients. Option C (ARP) is wrong because ARP resolves IP addresses to MAC addresses on a local network, it does not provide IP address assignment. Option D (ICMP) is wrong because ICMP is used for error reporting and diagnostic functions like ping, not for IP address allocation.

46
MCQmedium

A user reports they can access internal servers and the default gateway but cannot reach external websites. The technician checks the router's ACL and finds a rule that permits all outbound traffic. What is the most likely cause?

A.DNS resolution failure
B.Incorrect default gateway
C.NAT configuration issue
D.Proxy server misconfiguration
AnswerC

NAT is required to translate private addresses to a public address for internet access. If NAT is not configured or malfunctioning, outbound traffic will not reach the internet even if the ACL permits it.

Why this answer

The user can access internal servers and the default gateway, indicating Layer 3 connectivity within the local network. However, external websites are unreachable. Since the ACL permits all outbound traffic, the issue is not a blocked outbound rule.

The most likely cause is a NAT configuration issue, such as missing or incorrect IP masquerading (PAT) on the router's outside interface, which prevents internal private IP addresses from being translated to a public IP address for internet access.

Exam trap

CompTIA often tests the misconception that an ACL permitting all outbound traffic guarantees internet access, when in fact NAT must be properly configured to translate private IP addresses to a routable public IP address for external reachability.

How to eliminate wrong answers

Option A is wrong because a DNS resolution failure would typically prevent domain names from resolving to IP addresses, but the user could still reach external websites by IP address; the symptom here is complete inability to reach external sites, and DNS is not required for IP-based access. Option B is wrong because an incorrect default gateway would prevent the user from reaching any external networks, but the user can already access internal servers and the default gateway itself, indicating the gateway is correctly configured for local routing. Option D is wrong because a proxy server misconfiguration could cause issues with web traffic, but the problem is at the router level (ACL checked), and the symptom affects all external websites, not just HTTP/HTTPS; NAT is a more fundamental requirement for internet access from private addresses.

47
MCQmedium

A network administrator adds a new server to VLAN 20. The switch port is configured as an access port in VLAN 20, and the server has a correct static IP address in that subnet. However, the server cannot communicate with other devices in the same VLAN. The VLAN exists on the switch and other devices in VLAN 20 are working. What is the most likely cause of this issue?

A.The switch port is configured as a trunk port instead of an access port
B.VLAN 20 is not allowed on the trunk to the router
C.The server does not have a default gateway configured
D.The port is administratively down
AnswerA

A trunk port expects 802.1Q tagged frames; the server sends untagged frames, so the switch may not associate them with VLAN 20, causing communication failure within the VLAN.

Why this answer

The scenario states the switch port is configured as an access port in VLAN 20, but the server cannot communicate with other devices in the same VLAN. If the port were actually configured as a trunk port, it would expect frames to be tagged with a VLAN ID. An untagged frame from the server would be placed into the native VLAN (typically VLAN 1), not VLAN 20, causing a mismatch.

This explains why the server, despite having a correct static IP in VLAN 20's subnet, cannot reach other devices in VLAN 20.

Exam trap

CompTIA often tests the distinction between access and trunk ports by presenting a scenario where a device has correct IP settings but cannot communicate within its VLAN, tempting candidates to blame routing or gateway issues when the real problem is a layer 2 VLAN mismatch caused by trunk mode on an access port.

How to eliminate wrong answers

Option B is wrong because VLAN 20 not being allowed on the trunk to the router would affect inter-VLAN routing, not communication within the same VLAN (which is purely layer 2). Option C is wrong because a default gateway is only needed for communication outside the local subnet; devices in the same VLAN communicate directly via ARP and MAC addresses, so a missing default gateway does not prevent intra-VLAN connectivity. Option D is wrong because if the port were administratively down, the server would have no link at all, and the administrator would likely see a 'down/down' interface status, not a scenario where the server has a static IP but cannot communicate.

48
MCQmedium

A user reports that they cannot access a web server at 10.0.1.200. The user can ping the server's IP address but cannot open the web page. The web server is known to be running and accessible from other users on the same subnet. What is the most likely cause?

A.Default gateway is misconfigured
B.ACL blocking port 80 or 443
C.DNS resolution failure
D.Duplicate IP address
AnswerB

ICMP is allowed but TCP traffic to the web server is blocked, which is typical of an ACL filtering specific ports.

Why this answer

The user can ping the server (ICMP works) but cannot access the web page, which indicates Layer 3 connectivity is fine but the specific TCP ports (80 for HTTP or 443 for HTTPS) are being blocked. An ACL applied on the server, a switch, or a router between the user and the server is the most likely cause, as it would permit ICMP echo requests while denying HTTP/HTTPS traffic. Other users on the same subnet can access the server, ruling out server-side or subnet-wide issues.

Exam trap

The trap here is that candidates assume a successful ping means full network connectivity, but ICMP and TCP are separate protocols that can be filtered independently by ACLs, so ping working does not guarantee web access.

How to eliminate wrong answers

Option A is wrong because a misconfigured default gateway would prevent the user from reaching any off-subnet destination, but the user can ping the server (which is on the same subnet) and the issue is specific to HTTP/HTTPS, not general connectivity. Option C is wrong because DNS resolution failure would prevent the user from resolving a hostname to an IP address, but the user is accessing the server by its IP address (10.0.1.200) and can ping it, so DNS is not involved. Option D is wrong because a duplicate IP address would cause intermittent connectivity or complete failure for both ping and HTTP, but the user can consistently ping the server and other users can access the web page, making a duplicate IP unlikely.

49
MCQeasy

A network technician is explaining the difference between a hub and a switch to a junior technician. Which statement correctly describes a key difference between these devices?

A.A hub operates at Layer 2, while a switch operates at Layer 1.
B.A hub sends frames out all ports except the incoming port; a switch sends frames only to the port with the matching MAC address.
C.A hub uses MAC addresses to make forwarding decisions, while a switch uses IP addresses.
D.A hub creates a separate collision domain for each port, while a switch creates a single collision domain.
AnswerB

This accurately describes the behavior: hubs flood all ports, switches forward based on MAC address table.

Why this answer

B is correct because a hub operates at Layer 1 (physical layer) and blindly repeats electrical signals out all ports except the incoming port, creating a single collision domain. In contrast, a switch operates at Layer 2 (data link layer) and uses the MAC address table to forward frames only to the specific port associated with the destination MAC address, reducing unnecessary traffic and creating separate collision domains per port.

Exam trap

Cisco often tests the confusion between Layer 1 and Layer 2 operations, where candidates mistakenly think a hub operates at Layer 2 or that a switch uses IP addresses, but the key trap is reversing the collision domain behavior—hub creates one collision domain, switch creates many.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 (physical layer), not Layer 2, while a switch operates at Layer 2 (data link layer), not Layer 1. Option C is wrong because a hub does not use MAC addresses for forwarding decisions—it simply floods all ports; a switch uses MAC addresses, not IP addresses, for forwarding decisions at Layer 2. Option D is wrong because a hub creates a single collision domain for all ports, while a switch creates a separate collision domain for each port, thereby reducing collisions.

50
MCQmedium

A network administrator needs to connect two buildings 2 km apart using single-mode fiber. Which transceiver type should be used?

A.1000BASE-T
B.1000BASE-SX
C.1000BASE-LX
D.10GBASE-SR
AnswerC

1000BASE-LX operates over single-mode fiber and can reach distances of 5 km or more.

Why this answer

1000BASE-LX (Long Wavelength) operates at 1310 nm over single-mode fiber and supports distances up to 5 km (and often up to 10 km with proper link budgets), making it the correct choice for a 2 km link. Single-mode fiber is required for distances beyond 550 m, and 1000BASE-LX is the Gigabit Ethernet standard designed for such single-mode runs.

Exam trap

Cisco often tests the misconception that 1000BASE-SX can be used for long distances because it is a common Gigabit Ethernet standard, but the trap is that SX is strictly for multimode fiber and limited to 550 m, while LX is the correct choice for single-mode runs beyond that distance.

How to eliminate wrong answers

Option A (1000BASE-T) is wrong because it uses twisted-pair copper cabling (Cat5e/Cat6) and is limited to 100 meters, not 2 km. Option B (1000BASE-SX) is wrong because it uses short-wavelength (850 nm) optics designed for multimode fiber, with a maximum reach of only 550 m (and often less at lower-grade multimode). Option D (10GBASE-SR) is wrong because it is a 10 Gigabit Ethernet standard using short-wavelength (850 nm) optics over multimode fiber, limited to about 300-400 meters, and does not match the required 1 Gbps speed or single-mode fiber for a 2 km distance.

51
MCQmedium

A network administrator has just connected a new access switch to the core switch via a trunk port. The administrator configured the trunk port on both switches with the same allowed VLAN list. However, hosts on VLAN 10 connected to the new access switch cannot communicate with hosts on VLAN 10 on the core switch. The trunk is operational and shows up/up. What is the most likely cause?

A.VLAN 10 has not been created on the new access switch
B.Native VLAN mismatch on the trunk
C.Trunk encapsulation mismatch (ISL vs 802.1Q)
D.STP is blocking the VLAN 10 traffic on the trunk
AnswerA

Correct. If the VLAN does not exist in the switch's database, the switch will not forward frames for that VLAN, even though the trunk is configured to allow it.

Why this answer

The most likely cause is that VLAN 10 has not been created on the new access switch. Even though the trunk port is up/up and the allowed VLAN list matches, a switch will not forward traffic for a VLAN that does not exist in its local VLAN database. Without the VLAN being created, the switch drops all frames tagged with VLAN 10, preventing communication between hosts on that VLAN across the trunk.

Exam trap

Cisco often tests the misconception that a trunk with matching allowed VLAN lists is sufficient for traffic to pass, but candidates forget that the VLAN must exist in the local VLAN database on both switches for traffic to be forwarded.

How to eliminate wrong answers

Option B is wrong because a native VLAN mismatch would cause control plane issues (e.g., CDP/STP mismatches) but would not specifically block VLAN 10 traffic if both sides have the same allowed VLAN list; the native VLAN is used for untagged frames, not for tagged VLAN 10 traffic. Option C is wrong because modern Cisco switches default to 802.1Q encapsulation and auto-negotiate; an encapsulation mismatch would prevent the trunk from coming up (the port would not show up/up). Option D is wrong because STP blocking on a trunk typically blocks all VLANs or none, and if STP were blocking VLAN 10, the trunk would still show up/up but the specific VLAN would be in a blocking state; however, the question states the trunk is operational, and STP blocking is less likely than the VLAN simply not being created.

52
MCQhard

A security analyst needs to deploy a device that can perform deep packet inspection and block specific application-layer attacks in real time. Which of the following devices is MOST appropriate for this purpose?

A.Stateful firewall
B.Intrusion Prevention System (IPS)
C.Proxy server
D.VPN concentrator
AnswerB

IPS sits inline, performs deep packet inspection, and can actively block malicious traffic, including application-layer attacks.

Why this answer

An Intrusion Prevention System (IPS) is designed to inspect traffic in real time, perform deep packet inspection (DPI) up to Layer 7, and automatically block malicious traffic, including application-layer attacks such as SQL injection or cross-site scripting. Unlike a passive IDS, an IPS sits inline and can drop or reset sessions based on signature or anomaly detection, making it the most appropriate device for this requirement.

Exam trap

The trap here is that candidates often confuse an IPS with a stateful firewall, assuming that stateful inspection includes deep packet inspection, but stateful firewalls only check packet headers and connection state, not application-layer payloads.

How to eliminate wrong answers

Option A is wrong because a stateful firewall operates at Layers 3 and 4, tracking connection state but lacking the ability to perform deep packet inspection at the application layer or block specific application-layer attacks like HTTP-based exploits. Option C is wrong because a proxy server primarily acts as an intermediary for client requests, caching content and filtering URLs, but it does not natively perform real-time deep packet inspection or automatically block application-layer attacks with the same inline prevention capabilities as an IPS. Option D is wrong because a VPN concentrator is designed to terminate encrypted tunnels and manage VPN connections, focusing on encryption and authentication, not on inspecting or blocking application-layer threats.

53
MCQeasy

A user reports that they can access a website by its IP address but not by its domain name. Which of the following is most likely the issue?

A.DNS resolution failure
B.Incorrect default gateway
C.Duplicate IP address
D.Corrupted TCP/IP stack
AnswerA

Correct. DNS is responsible for translating domain names to IP addresses; a failure in DNS will cause name resolution to fail while IP-based access works.

Why this answer

Accessing a website by IP address but not by domain name indicates that the client can reach the web server over the network, but the name-to-IP translation process is failing. This is a classic symptom of a DNS resolution failure, where the client cannot query or receive a valid A or AAAA record for the domain from its configured DNS server.

Exam trap

The trap here is that candidates often confuse DNS failure with a gateway or routing issue, but the ability to reach the server by IP proves Layer 3 connectivity is working, isolating the problem to the application layer name resolution process.

How to eliminate wrong answers

Option B is wrong because an incorrect default gateway would prevent traffic from leaving the local subnet entirely, making both IP and domain access fail. Option C is wrong because a duplicate IP address would cause intermittent connectivity or address conflict errors, but it would not selectively break domain name resolution while allowing IP-based access. Option D is wrong because a corrupted TCP/IP stack would cause general network communication failures, not a specific failure of DNS resolution while other IP-based traffic succeeds.

54
MCQmedium

A user reports that they cannot access an internal web server at http://intranet.company.local but can access other internet websites. The technician runs ping intranet.company.local and receives replies successfully. Which tool should the technician use next to isolate the issue?

A.nslookup
B.tracert
C.netstat
D.ipconfig
AnswerA

nslookup queries DNS servers to verify hostname-to-IP resolution, which is the most likely cause when ping succeeds but web access fails.

Why this answer

The technician can reach the server by IP (ping succeeds) but not by hostname (http://intranet.company.local), which points to a name resolution failure. nslookup is the correct next step because it queries DNS to verify whether the hostname resolves to the correct IP address, isolating the issue to DNS rather than connectivity or server availability.

Exam trap

The trap here is that candidates see successful ping replies and assume the server is fully reachable, overlooking that ping uses ICMP and bypasses hostname resolution if the IP is already cached or manually entered, while HTTP access depends on DNS resolving the hostname to the correct IP.

How to eliminate wrong answers

Option B (tracert) is wrong because it traces the network path to a destination, but since ping already succeeded, the path is functional and tracert would not reveal why the hostname fails to resolve. Option C (netstat) is wrong because it shows active connections, listening ports, and routing tables on the local machine, but it does not test name resolution or query DNS servers. Option D (ipconfig) is wrong because it displays local TCP/IP configuration (IP address, subnet mask, default gateway) but does not perform DNS lookups or test resolution of a specific hostname.

55
MCQhard

A network engineer is designing a new IPv6 addressing scheme. The company has been assigned a /48 prefix and needs to support up to 250 subnets. Which subnet size should be used to minimize waste while meeting the requirement?

A./52
B./56
C./64
D./60
AnswerB

A /56 prefix uses 8 bits for subnetting (48+8=56), providing 256 subnets (2^8). This meets the requirement of 250 subnets with minimal waste (6 unused subnets).

Why this answer

A /56 subnet provides 256 subnets (2^(56-48) = 2^8 = 256), which meets the requirement of up to 250 subnets with minimal waste. A /48 prefix is the site-level allocation, and using a /56 subnet mask leaves 8 bits for subnetting, offering exactly the needed capacity without over-allocating address space.

Exam trap

Cisco often tests the misconception that /64 is the only valid subnet size in IPv6, but the question asks for the subnet size that minimizes waste across the required number of subnets, not for a SLAAC-capable host subnet, so candidates who reflexively choose /64 ignore the requirement for only 250 subnets.

How to eliminate wrong answers

Option A (/52) is wrong because it provides only 16 subnets (2^(52-48) = 2^4 = 16), which is far fewer than the required 250 subnets. Option C (/64) is wrong because it provides 65,536 subnets (2^(64-48) = 2^16 = 65,536), which is excessive and wastes address space, though it is the standard subnet size for SLAAC. Option D (/60) is wrong because it provides 4,096 subnets (2^(60-48) = 2^12 = 4,096), which is more than needed but still wasteful compared to a /56.

56
MCQhard

A network engineer is troubleshooting intermittent call drops on a VoIP deployment. The network uses separate VLANs for voice (VLAN 20) and data (VLAN 10). Switch ports connecting the IP phones are configured with the correct voice VLAN. Which of the following is the MOST likely cause to check NEXT?

A.Verify that QoS markings and queuing are configured on the switches and routers
B.Check the DNS server for the phone's name resolution
C.Replace the patch cables from the phones to the switches
D.Increase the DHCP lease time for the phones
AnswerA

QoS ensures voice traffic is prioritized over data. Without proper QoS on all network devices, voice packets can be dropped when the network is congested.

Why this answer

Intermittent call drops on a VoIP deployment with separate voice and data VLANs most likely stem from insufficient or misconfigured QoS markings and queuing. Voice traffic is sensitive to latency, jitter, and packet loss, which occur when data traffic competes for bandwidth without proper prioritization. Verifying that switches and routers have consistent QoS policies (e.g., marking with DSCP EF for RTP and queuing with strict priority) is the logical next step after ensuring the voice VLAN is correctly assigned.

Exam trap

CompTIA often tests the misconception that physical layer issues (like bad cables) are the primary cause of intermittent VoIP problems, when in fact intermittent drops are more commonly due to QoS misconfiguration in a converged network.

How to eliminate wrong answers

Option B is wrong because DNS name resolution is not directly involved in call continuity; phones typically use IP addresses or SIP URIs, and intermittent call drops are not caused by DNS failures. Option C is wrong because replacing patch cables addresses physical layer issues, which would cause complete connectivity loss or persistent errors, not intermittent call drops that are characteristic of congestion or QoS problems. Option D is wrong because increasing DHCP lease time prevents IP address expiration but does not affect real-time voice quality; intermittent call drops are not related to DHCP renewal intervals.

57
MCQmedium

A user reports intermittent connectivity on a laptop that moves between floors. The signal strength fluctuates. Which tool would best help identify signal interference and dead zones?

A.Cable tester
B.Multimeter
C.Spectrum analyzer
D.Protocol analyzer
AnswerC

A spectrum analyzer visualizes RF signals, helping to locate interference and weak signal areas.

Why this answer

A spectrum analyzer is the correct tool because it visualizes radio frequency (RF) energy across the 2.4 GHz and 5 GHz bands, allowing you to identify sources of interference (e.g., cordless phones, microwave ovens) and locate dead zones where signal strength drops below usable thresholds. Unlike other tools, it directly measures the RF environment rather than relying on logical-layer data.

Exam trap

The trap here is that candidates confuse a protocol analyzer (which sees logical traffic) with a spectrum analyzer (which sees physical RF energy), leading them to choose D because they think packet captures reveal interference, when in fact interference is invisible at the protocol level.

How to eliminate wrong answers

Option A is wrong because a cable tester is used to verify physical connectivity and wiring faults in copper or fiber cabling, not to analyze wireless RF interference or signal strength fluctuations. Option B is wrong because a multimeter measures electrical properties like voltage, current, and resistance in wired circuits, and cannot detect wireless signal interference or dead zones. Option D is wrong because a protocol analyzer (e.g., Wireshark) captures and decodes packets at Layer 2-7, but it cannot measure RF signal strength or identify non-802.11 interference sources.

58
MCQmedium

A network engineer needs to segment a single physical switch into multiple broadcast domains to improve security and reduce traffic. Which technology should be implemented?

A.Spanning Tree Protocol (STP)
B.Virtual LAN (VLAN)
C.VLAN Trunking Protocol (VTP)
D.Access Control List (ACL)
AnswerB

VLANs create separate broadcast domains on a switch, meeting the requirement.

Why this answer

A VLAN (Virtual LAN) segments a physical switch into multiple isolated broadcast domains at Layer 2. By assigning ports to different VLANs, broadcast traffic is confined to each VLAN, improving security and reducing unnecessary traffic. This directly meets the requirement without requiring additional hardware.

Exam trap

CompTIA often tests the distinction between VLANs (which create broadcast domains) and VTP (which only propagates VLAN information), leading candidates to confuse configuration management with actual segmentation.

How to eliminate wrong answers

Option A is wrong because STP prevents loops in a redundant network but does not create broadcast domains; it manages path redundancy. Option C is wrong because VTP is a Cisco proprietary protocol for synchronizing VLAN configurations across switches, not for segmenting broadcast domains itself. Option D is wrong because ACLs filter traffic based on IP addresses or ports at Layer 3/4, but they do not segment Layer 2 broadcast domains.

59
MCQmedium

A company is deploying VoIP phones and wants to ensure voice packets receive priority over data packets on the network. Which technology should be implemented on the switches and routers?

A.VLAN
B.Quality of Service (QoS)
C.Spanning Tree Protocol (STP)
D.Power over Ethernet (PoE)
AnswerB

QoS can classify and mark voice traffic (e.g., using CoS or DSCP) and give it higher priority in queues, ensuring quality.

Why this answer

Quality of Service (QoS) is the correct technology because it allows network devices to classify, mark, and prioritize voice traffic (e.g., using DSCP EF or CoS 5) over data traffic, keeping latency, jitter, and packet loss low for VoIP. Switches and routers use QoS queuing mechanisms like LLQ or CBWFQ to guarantee bandwidth for voice packets, which is essential for real-time communications.

Exam trap

Cisco often tests the misconception that VLANs alone provide traffic prioritization, but VLANs only separate traffic; QoS is the actual mechanism for priority handling, and candidates frequently confuse logical separation with performance guarantees.

How to eliminate wrong answers

Option A (VLAN) is wrong because VLANs segment traffic logically but do not provide prioritization; they separate voice and data into different broadcast domains but cannot give voice packets priority over data. Option C (Spanning Tree Protocol) is wrong because STP prevents Layer 2 loops and provides redundancy, but it has no mechanism for traffic prioritization or bandwidth allocation. Option D (Power over Ethernet) is wrong because PoE delivers electrical power to devices like VoIP phones over Ethernet cables, but it does not influence packet forwarding priority or queuing behavior.

60
MCQeasy

A user reports that they cannot access any company resources. The technician runs 'ipconfig' and sees that the workstation has an IP address of 169.254.100.25 with a subnet mask of 255.255.0.0. The technician also notices that the 'Default Gateway' is blank. What is the most likely cause?

A.The DNS server is not responding.
B.The DHCP server is unavailable or unreachable.
C.The workstation has a static IP address configured.
D.The network cable is unplugged.
AnswerB

APIPA is assigned when a DHCP client cannot contact a DHCP server; this is the most likely cause.

Why this answer

The IP address 169.254.100.25 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP client fails to obtain a lease. The blank Default Gateway confirms that no DHCP server responded, so the workstation cannot reach any company resources beyond its local subnet.

Exam trap

The trap here is that candidates often confuse APIPA with a link-local address caused by a physical cable issue, but APIPA requires the interface to be in a connected state; a disconnected cable would show no IP address or a 'Media disconnected' status in ipconfig.

How to eliminate wrong answers

Option A is wrong because a non-responsive DNS server would not cause the workstation to self-assign an APIPA address; DNS failures occur after IP configuration is complete, and the workstation would still have a valid DHCP lease. Option C is wrong because a static IP address would not produce a 169.254.x.x address; static configurations use user-defined addresses, not APIPA ranges. Option D is wrong because an unplugged network cable would typically result in a disconnected media state or a 'Media disconnected' message in ipconfig, not an APIPA address; APIPA is assigned only when the interface is physically up but cannot reach a DHCP server.
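The APIPA diagnosis described above, as an added example that is not part of the original question bank: a small parser for ipconfig output that distinguishes the three states the explanation contrasts (link down, APIPA with no gateway, normal lease). The sample output below is constructed to mirror the ipconfig layout, not captured from a real machine, and the diagnosis strings are this example's own labels.

```python
import ipaddress
import re

# The link-local range Windows self-assigns when no DHCP server answers (RFC 3927).
APIPA = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed sample modeled on ipconfig output; not from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 169.254.100.25
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 10.1.20.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.20.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# key, then the dot leaders, then the colon and an optional value
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")


def parse_ipconfig(text: str) -> dict[str, dict[str, str]]:
    """Return {adapter name: {field: value}} from ipconfig-style text."""
    adapters: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(adapter: dict[str, str]) -> str:
    """Classify one adapter the way the explanation above does."""
    if adapter.get("Media State", "").lower().startswith("media disconnected"):
        return "no link: check cable or switch port"  # interface is down, no APIPA possible
    ip = adapter.get("IPv4 Address", "").replace("(Preferred)", "").strip()
    gw = adapter.get("Default Gateway", "").strip()
    if not ip:
        return "no IPv4 address"
    if ipaddress.IPv4Address(ip) in APIPA and not gw:
        return "APIPA: DHCP server unreachable"  # link is up but no lease was obtained
    if not gw:
        return "addressed but no default gateway"
    return "ok"


def diagnose_all(text: str) -> dict[str, str]:
    """Diagnosis per adapter for a whole ipconfig dump."""
    return {name: diagnose(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_IPCONFIG).items():
        print(f"{name}: {verdict}")
```

The ordering of the checks matters: "Media disconnected" is tested first because a down interface never gets an APIPA address, which is exactly the distinction the exam trap turns on.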

61
MCQeasy

A company wants to allow employees to securely access internal resources (email, file servers) when working from home over the internet. Which technology should be implemented to create an encrypted tunnel between the employee's remote computer and the corporate network?

A.VPN concentrator
B.Firewall
C.DMZ
D.Intrusion detection system (IDS)
AnswerA

A VPN concentrator terminates VPN connections from remote clients, providing encrypted tunnels for secure access to internal resources.

Why this answer

A VPN concentrator is the correct technology because it terminates VPN tunnels from remote users, creating an encrypted tunnel (using protocols like IPsec or TLS) between the employee's remote computer and the corporate network. This ensures that all traffic to internal resources such as email and file servers is securely encapsulated and protected from interception over the internet.

Exam trap

The trap here is that candidates may confuse a firewall's ability to allow or block VPN traffic (e.g., permitting UDP 500 for IPsec) with the firewall itself being the device that terminates the VPN tunnel, but only a VPN concentrator or VPN gateway performs the actual encryption and tunnel management.

How to eliminate wrong answers

Option B (Firewall) is wrong because a firewall filters traffic based on rules but does not create encrypted tunnels; it lacks the VPN termination and encryption capabilities required for secure remote access. Option C (DMZ) is wrong because a DMZ is a network segment that hosts public-facing services (e.g., web servers) and is not designed to establish encrypted tunnels from remote clients to internal resources. Option D (Intrusion detection system (IDS)) is wrong because an IDS monitors network traffic for malicious activity but does not provide encryption or tunnel establishment for remote access.

62
MCQeasy

A network engineer is explaining to a manager why wireless networks often have lower throughput than wired Ethernet. Which of the following best describes the primary reason for this difference?

A.Wireless uses a different MAC method that requires waiting for an acknowledgment, reducing available bandwidth.
B.Wireless operates at half-duplex, while wired Ethernet typically operates at full-duplex.
C.Wireless uses CSMA/CA which involves a collision avoidance mechanism that adds overhead, whereas wired Ethernet uses CSMA/CD which only responds after collision.
D.Wireless signals are subject to interference, but the MAC protocol is identical to Ethernet.
AnswerC

Correct. CSMA/CA requires proactive steps to avoid collisions, reducing the effective data rate. CSMA/CD is more efficient in wired networks because it transmits immediately and handles collisions after they occur.

Why this answer

Option C is correct because wireless networks use CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance), which requires stations to perform a four-way handshake (RTS/CTS) and wait for an acknowledgment before transmitting. This collision avoidance mechanism introduces significant overhead, reducing effective throughput. In contrast, wired Ethernet uses CSMA/CD, which detects collisions after they occur and does not require such proactive overhead, allowing higher throughput.

Exam trap

The trap here is that candidates often assume half-duplex operation (Option B) is the primary cause, but Cisco tests the deeper understanding that the MAC protocol's overhead (CSMA/CA vs. CSMA/CD) is the fundamental reason for throughput differences, not just the duplex mode.

How to eliminate wrong answers

Option A is wrong because while wireless does use a different MAC method (CSMA/CA) that requires acknowledgments, the primary throughput difference is due to the collision avoidance overhead, not just the acknowledgment wait time. Option B is wrong because although wireless typically operates at half-duplex, this is a consequence of the shared medium and CSMA/CA, not the primary reason for lower throughput; wired Ethernet can also operate at half-duplex but still achieves higher throughput due to CSMA/CD's lower overhead. Option D is wrong because wireless signals are indeed subject to interference, but the MAC protocol is not identical to Ethernet; wireless uses CSMA/CA while wired Ethernet uses CSMA/CD, and this protocol difference is the key factor.

63
MCQhard

A network administrator is concerned about DHCP security. To prevent rogue DHCP servers from offering incorrect IP addresses, the administrator enables DHCP snooping on the switches. Additionally, the administrator wants to prevent DHCP starvation attacks that exhaust the DHCP pool. Which feature should be enabled on the switch to specifically mitigate DHCP starvation?

A.Dynamic ARP Inspection (DAI)
B.IP Source Guard (IPSG)
C.Port Security
D.Rate limiting on DHCP packets
AnswerD

DHCP rate limiting (often configured as part of DHCP snooping) restricts the number of DHCP packets per second from a port, mitigating starvation attacks.

Why this answer

Rate limiting on DHCP packets (option D) is the correct feature to mitigate DHCP starvation attacks. DHCP starvation works by flooding the network with fake DHCP discover messages, each using a different MAC address, to exhaust the DHCP server's address pool. By limiting the rate at which DHCP packets are accepted from a given interface, the switch can drop excessive requests before they reach the DHCP server, preventing pool exhaustion without blocking legitimate traffic.

Exam trap

Cisco often tests the distinction between DHCP snooping features: candidates confuse DHCP snooping's role in preventing rogue servers (by filtering DHCP server messages) with the need for a separate rate-limiting mechanism to prevent starvation attacks.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP starvation. Option B is wrong because IP Source Guard (IPSG) filters IP traffic based on the DHCP snooping binding table to prevent IP spoofing, but it does not limit the volume of DHCP requests. Option C is wrong because Port Security limits the number of MAC addresses allowed on a switch port to prevent MAC flooding attacks, but it does not rate-limit DHCP packets or directly prevent DHCP starvation.
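The DHCP rate-limiting behaviour the answer describes, as an added example (not part of the original question bank and not vendor code): a per-port, per-second cap on DHCP packets, plus the detection logic a defender would run over DHCP DISCOVER records to spot the starvation pattern (many DISCOVERs in one second, each from a different client MAC). The records are constructed in code, and the 15 packets-per-second limit and 10-MAC threshold are values chosen for the example, not vendor defaults.

```python
from __future__ import annotations

from collections import Counter, defaultdict


def build_sample_discovers() -> list[tuple[int, str, str]]:
    """Constructed DHCP DISCOVER records as (epoch_second, ingress_port, client_mac).
    Made up for this example; not captured from a real switch."""
    records = [
        (100, "Gi1/0/1", "00:11:22:33:44:01"),  # a normal client booting
        (105, "Gi1/0/1", "00:11:22:33:44:01"),  # its retry a few seconds later
        (101, "Gi1/0/2", "00:11:22:33:44:02"),
    ]
    # One port emitting 40 DISCOVERs in a single second, each with a different
    # client MAC: the pattern that exhausts a DHCP pool if nothing limits it.
    records += [(100, "Gi1/0/7", f"de:ad:be:ef:00:{i:02x}") for i in range(40)]
    return records


def apply_rate_limit(records, limit_pps: int) -> dict[str, dict[str, int]]:
    """Emulate a per-port DHCP packet rate limit: at most limit_pps DHCP packets
    per port per second are forwarded toward the server; the rest are dropped.
    Legitimate ports are untouched because they never approach the limit."""
    accepted_this_second: Counter = Counter()  # (port, second) -> accepted so far
    stats: dict[str, dict[str, int]] = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for second, port, _mac in sorted(records):
        if accepted_this_second[(port, second)] < limit_pps:
            accepted_this_second[(port, second)] += 1
            stats[port]["accepted"] += 1
        else:
            stats[port]["dropped"] += 1
    return dict(stats)


def flag_starvation_ports(records, pps_threshold: int, mac_threshold: int) -> list[str]:
    """Ports whose peak per-second DISCOVER rate exceeds pps_threshold AND that
    sourced more than mac_threshold distinct client MACs. Both conditions together
    separate a starvation attempt from a busy but legitimate port."""
    per_second: Counter = Counter()
    macs: dict[str, set[str]] = defaultdict(set)
    for second, port, mac in records:
        per_second[(port, second)] += 1
        macs[port].add(mac)
    peak: dict[str, int] = defaultdict(int)
    for (port, _second), n in per_second.items():
        peak[port] = max(peak[port], n)
    return sorted(p for p in macs if peak[p] > pps_threshold and len(macs[p]) > mac_threshold)


if __name__ == "__main__":
    sample = build_sample_discovers()
    print("rate-limit result:", apply_rate_limit(sample, limit_pps=15))
    print("ports showing a starvation pattern:", flag_starvation_ports(sample, 15, 10))
```

Note that the limiter drops by volume only; it does not need to know which MACs are fake, which is why it mitigates starvation while leaving Port Security (MAC count) and DAI (ARP validation) to their own jobs.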

64
MCQmedium

An organization uses OSPF as its interior gateway protocol in a multi-area design. After a core router failure, the network takes several seconds to reconverge. Which technology can be implemented to improve convergence speed?

A.Implement LSA throttling
B.Enable OSPF fast hello timers
C.Configure BFD (Bidirectional Forwarding Detection)
D.Convert all areas to stub areas
AnswerC

BFD provides sub-second failure detection, allowing OSPF to converge much faster than with default timers.

Why this answer

BFD provides sub-second failure detection times (as low as 50 ms) independent of the routing protocol, allowing OSPF to reconverge much faster than relying on its default dead timer intervals. By detecting link failures in milliseconds, BFD triggers OSPF to immediately recalculate routes, drastically reducing the convergence delay after a core router failure.

Exam trap

Cisco often tests the distinction between OSPF fast hello timers (which still rely on seconds-based dead intervals) and BFD (which provides true sub-second detection), leading candidates to mistakenly choose fast hello timers as the faster solution.

How to eliminate wrong answers

Option A is wrong because LSA throttling controls the rate at which LSAs are generated and processed, which can reduce CPU load during flapping but does not speed up failure detection or convergence. Option B is wrong because OSPF fast hello timers reduce the hello and dead intervals (e.g., 1-second hello, 3-second dead), which still results in seconds-long detection times, not the sub-second detection that BFD provides. Option D is wrong because converting areas to stub areas restricts the types of LSAs allowed (no Type 5 LSAs), which reduces routing table size but has no effect on failure detection speed or convergence time.

65
Drag & Dropmedium

Drag and drop the steps to recover a lost router password on a Cisco device into the correct order.

Why this order

Password recovery involves boot interruption, register change, and config reload.

66
MCQmedium

A company is implementing 802.1X port-based authentication on its wired network to ensure only authorized devices can connect. Which of the following servers is required to authenticate users and devices?

A.RADIUS server
B.Syslog server
C.TACACS+ server
D.NTP server
AnswerA

Correct. RADIUS is the most common protocol for 802.1X authentication and is widely supported.

Why this answer

802.1X port-based authentication relies on the Extensible Authentication Protocol (EAP) over LAN (EAPoL) between the supplicant (device) and the authenticator (switch), which then forwards authentication requests to a central authentication server. A RADIUS server is the required backend because it validates credentials (e.g., username/password or certificates) and returns an Accept/Reject decision to the switch, enabling or disabling the port. RADIUS is the standard protocol defined in IEEE 802.1X for this purpose, supporting EAP methods like PEAP, EAP-TLS, and EAP-FAST.

Exam trap

Cisco often tests the misconception that TACACS+ can replace RADIUS in 802.1X environments, but TACACS+ encrypts the entire packet body and is designed for device administration (e.g., CLI access), not for 802.1X port-based authentication, which mandates RADIUS per the IEEE 802.1X standard.

How to eliminate wrong answers

Option B is wrong because a Syslog server is used for centralized logging of network events (e.g., authentication failures or switch reboots) and does not perform authentication decisions; it only receives log messages via UDP port 514. Option C is wrong because TACACS+ is a Cisco-proprietary protocol that separates authentication, authorization, and accounting (AAA) and typically uses TCP port 49, but it is not designed for 802.1X port-based authentication; 802.1X specifically requires RADIUS as the authentication server per the IEEE standard.

67
MCQmedium

An employee plugs a personal laptop into a network jack and then the laptop is infected with malware that spreads to other devices on the network. Which security control would have most effectively prevented this scenario?

A.MAC filtering on the switch
B.802.1X authentication
C.VLAN segmentation
D.Access control lists on the router
AnswerB

802.1X requires devices to authenticate (e.g., via username/password or certificates) before the switch port becomes active, effectively blocking unauthorized devices from accessing the network.

Why this answer

802.1X authentication requires devices to authenticate before gaining network access, typically via EAP (Extensible Authentication Protocol) over RADIUS. In this scenario, the employee's personal laptop would be blocked at the port level because it lacks valid credentials, preventing the malware from ever reaching the internal network and spreading to other devices.

Exam trap

Cisco often tests the misconception that MAC filtering or VLAN segmentation alone can prevent unauthorized device access, when in fact 802.1X is the only option that provides per-port authentication and dynamic VLAN assignment based on credentials.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the MAC address against an allowed list, but MAC addresses can be easily spoofed by an attacker or malware, and it does not authenticate the user or device identity. Option C is wrong because VLAN segmentation separates traffic into logical groups but does not prevent an unauthorized device from connecting to a switch port; once the laptop is plugged in and assigned to a VLAN, it can still spread malware within that VLAN unless additional access controls are applied.

68
MCQmedium

A user reports that they can access the internet but cannot access the internal web server at 10.10.10.100. The technician can ping the server's IP from the router that serves as the user's default gateway. Which of the following is the MOST likely cause?

A.The server's default gateway is misconfigured
B.The user's workstation has a firewall blocking port 80
C.The router has a missing route to the server's network
D.The server's subnet mask is incorrect
AnswerA

If the server's default gateway is not the router that forwarded the request, the server can receive packets but cannot reply properly, causing a one-way communication failure.

Why this answer

The user can reach the internet but not the internal web server at 10.10.10.100, while the technician can ping that server from the router (the default gateway). This indicates that the router has a valid route to the server's network and the server is reachable from the router's perspective. The most likely cause is that the server's default gateway is misconfigured: the server does not know how to send return traffic back to the user's subnet, so the TCP handshake fails (the SYN-ACK never reaches the user).

Exam trap

The trap here is that candidates assume a successful ping from the router to the server means end-to-end connectivity is fine, but they overlook the fact that the server's return path to the user's subnet requires a correctly configured default gateway on the server itself.

How to eliminate wrong answers

Option B is wrong because a workstation firewall blocking port 80 would prevent the user from initiating outbound HTTP traffic, but the user can access the internet (which typically uses port 80/443), so a local firewall is not the issue. Option C is wrong because the technician can ping the server's IP from the router, which proves the router has a route to the 10.10.10.0/24 network; a missing route would cause the ping to fail.

69
MCQhard

A network administrator is configuring OSPF on a router that has interfaces in only one area and does not perform route redistribution. Which OSPF router type best describes this router?

A.Backbone router
B.Internal router
C.Area Border Router (ABR)
D.Autonomous System Boundary Router (ASBR)
AnswerB

An internal router belongs to a single OSPF area (non-backbone) and does not perform redistribution. This matches the description.

Why this answer

An internal router has all its interfaces in a single OSPF area and does not perform route redistribution. Since the router's interfaces are confined to one area and it does not connect to other routing domains, it fits the definition of an internal router. This type of router maintains a single link-state database for that area and does not generate Type 3 or Type 5 LSAs.

Exam trap

Cisco often tests the distinction between an internal router and an ABR by making candidates assume that any router not in area 0 is an internal router, but the trap is that an ABR must have interfaces in multiple areas, while an internal router has all interfaces in a single area regardless of which area it is.

How to eliminate wrong answers

Option A is wrong because a backbone router must have at least one interface in area 0 (the backbone area), but the question states the router has interfaces in only one area, which could be any area, not necessarily area 0. Option C is wrong because an Area Border Router (ABR) must have interfaces in at least two different areas (one being area 0) and connects those areas, but the router here has interfaces in only one area and does not perform inter-area routing.

70
MCQmedium

A network administrator is creating a new VLAN that will contain 20 devices. The administrator wants to use the most efficient subnet that provides enough usable IP addresses while minimizing waste. Which of the following subnet masks should be used?

A.255.255.255.240 (/28)
B.255.255.255.224 (/27)
C.255.255.255.248 (/29)
D.255.255.255.192 (/26)
AnswerB

A /27 provides 30 usable addresses, which is the smallest subnet that can accommodate 20 hosts.

Why this answer

A /27 subnet mask (255.255.255.224) provides 32 total addresses, of which 30 are usable (2^5 - 2 = 30). This is the most efficient choice for 20 devices because it offers exactly enough usable IPs with minimal waste (only 10 unused addresses), whereas a /28 would provide only 14 usable addresses (insufficient) and a /29 would provide only 6 usable addresses (also insufficient).

Exam trap

The trap here is that candidates often confuse the total number of addresses in a subnet with the number of usable host addresses, forgetting to subtract 2 for the network and broadcast addresses, and may incorrectly select a /28 thinking it provides 16 addresses (when only 14 are usable).

How to eliminate wrong answers

Option A is wrong because 255.255.255.240 (/28) provides only 14 usable addresses (2^4 - 2 = 14), which is insufficient for 20 devices. Option C is wrong because 255.255.255.248 (/29) provides only 6 usable addresses (2^3 - 2 = 6), far too few for the required 20 devices.
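The subnet arithmetic behind this question and the IPv6 /48 question (question 55) above, as an added example that is not part of the original question bank: the general form of both calculations, so the reader can check any prefix pair rather than only the ones on the page. It uses Python's standard ipaddress module; 2001:db8::/48 is the documentation prefix, used only to show where the subnet bits land.

```python
import ipaddress
import math


def ipv6_subnet_count(site_prefix_len: int, subnet_prefix_len: int) -> int:
    """Number of subnets of length subnet_prefix_len in one site_prefix_len block:
    2^(subnet bits), e.g. /48 -> /56 leaves 8 bits, so 256 subnets."""
    if not site_prefix_len <= subnet_prefix_len <= 128:
        raise ValueError("subnet prefix must lie between the site prefix and /128")
    return 2 ** (subnet_prefix_len - site_prefix_len)


def smallest_ipv6_subnet_prefix(site_prefix_len: int, subnets_needed: int) -> int:
    """Longest (least wasteful) subnet prefix that still yields subnets_needed subnets."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    bits = math.ceil(math.log2(subnets_needed))  # 250 -> 8 bits (2^7 = 128 is too few)
    return site_prefix_len + bits


def first_ipv6_subnets(site: str, new_prefix: int, count: int) -> list[str]:
    """First `count` child subnets of `site` at new_prefix, to show the subnet bits."""
    net = ipaddress.IPv6Network(site)
    out: list[str] = []
    for sub in net.subnets(new_prefix=new_prefix):
        if len(out) >= count:
            break
        out.append(str(sub))
    return out


def ipv4_usable_hosts(prefix_len: int) -> int:
    """Usable hosts under the exam's n-2 rule (network and broadcast excluded)."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix_len}")
    return max(net.num_addresses - 2, 0)


def ipv4_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def smallest_ipv4_prefix_for_hosts(hosts_needed: int) -> int:
    """Longest prefix (smallest block) whose usable host count still covers hosts_needed."""
    for prefix_len in range(30, -1, -1):  # /30 is the smallest block with usable hosts under n-2
        if ipv4_usable_hosts(prefix_len) >= hosts_needed:
            return prefix_len
    raise ValueError("no IPv4 prefix can hold that many hosts")


if __name__ == "__main__":
    print("/48 split into /56 subnets:", ipv6_subnet_count(48, 56))
    print("prefix for 250 subnets from a /48: /%d" % smallest_ipv6_subnet_prefix(48, 250))
    print("first /56 children of 2001:db8::/48:", first_ipv6_subnets("2001:db8::/48", 56, 3))
    p = smallest_ipv4_prefix_for_hosts(20)
    print(f"20 hosts -> /{p} ({ipv4_mask(p)}), usable {ipv4_usable_hosts(p)}, "
          f"unused {ipv4_usable_hosts(p) - 20}")
```

smallest_ipv4_prefix_for_hosts walks from the smallest block upward and stops at the first one that fits, which is exactly the "most efficient subnet" reasoning the answer applies by hand (/29 and /28 fail, /27 is the first that holds 20).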

71
MCQhard

A user's computer obtains an IP address from DHCP, can ping the default gateway, but cannot access any external websites. The technician runs 'tracert 8.8.8.8' from the user's computer. The first hop shows the default gateway with low latency, but the second hop shows a timeout. What is the most likely cause?

A.The user's computer firewall is blocking outbound web traffic.
B.The DNS server is not resolving domain names.
C.The router's default route pointing to the ISP is missing or incorrectly configured.
D.The ISP's DNS server is unreachable.
AnswerC

This is the most likely cause. The workstation can reach its default gateway, but without a valid default route pointing to the ISP's next-hop router, the local router cannot forward traffic beyond the local network.

Why this answer

The traceroute shows that the user's computer can reach the default gateway (first hop) but times out at the second hop, which is the ISP's router. This indicates that the local router does not have a valid default route pointing to the ISP, so it cannot forward traffic beyond the local subnet. Without a correct default route, packets destined for external networks (like 8.8.8.8) are dropped, even though the user's computer can ping the gateway and obtain an IP via DHCP.

Exam trap

The trap here is that candidates often confuse a DNS resolution failure with a routing failure, but the traceroute to an IP address bypasses DNS entirely, so the timeout at the second hop isolates the issue to the router's default route rather than DNS or the local firewall.

How to eliminate wrong answers

Option A is wrong because a workstation firewall blocking outbound traffic would drop the packets on the workstation itself, before they ever reach the gateway, so the traceroute would show a timeout at the first hop rather than a successful first hop and a timeout at the second. Option B is wrong because DNS resolution is not exercised by a traceroute to an IP address (8.8.8.8); the issue is with routing, not name resolution. Option D is wrong because an unreachable ISP DNS server would affect only name resolution, and the traceroute to 8.8.8.8 uses an IP address directly, so DNS is not involved; the timeout at the second hop points to a routing problem, not a DNS issue.

72
MCQmedium

A network administrator is about to implement a QoS policy on a core router. According to change management best practices, which step should the administrator perform FIRST to ensure the policy can be reverted if it causes unexpected issues?

A.Save the running configuration to the startup configuration.
B.Back up the current configuration to an external TFTP or SCP server.
C.Test the QoS policy in a lab environment.
D.Schedule a maintenance window and notify the help desk.
AnswerB

A backup stored externally provides a reliable restore point that is independent of the router's memory. This is the best practice before making major changes.

Why this answer

Option B is correct because, under change management best practices, the first step before implementing any change is to create a reliable backup of the current configuration to an external server (e.g., TFTP, SCP, FTP). This ensures that if the QoS policy causes unexpected issues such as traffic drops or misclassification, the administrator can restore the original configuration exactly as it was, even if the router reboots or the running-config is lost. Saving to startup-config (Option A) would overwrite the known-good baseline, making reversion impossible without a separate backup.

Exam trap

The trap here is that candidates often choose 'Save the running configuration to the startup configuration' (Option A) thinking it preserves the current state, but this actually commits the change permanently, preventing a clean rollback if the new policy fails.

How to eliminate wrong answers

Option A is wrong because saving the running configuration to the startup configuration overwrites the known-good baseline, so if the QoS policy causes issues, the administrator cannot revert to the pre-change state without an external backup. Option C is wrong because testing in a lab environment is a best practice but is not the FIRST step when implementing a change on a production device; the immediate priority is to secure a backup of the current production configuration to enable rollback. Option D is wrong because scheduling a maintenance window and notifying the help desk is an important procedural step but should occur after the backup is completed, as the backup is the technical prerequisite for safe rollback.

73
MCQmedium

A network administrator needs to document the network for auditing purposes. Which type of documentation provides the most detailed information about the physical connections between devices, including cable types and patch panel ports?

A.Logical diagram
B.Network topology map
C.Wiring schematic
D.Asset management database
AnswerC

Wiring schematics provide detailed physical cable paths, including patch panels, ports, and cable types.

Why this answer

A wiring schematic provides the most detailed information about physical connections, including cable types, patch panel ports, and exact pin-to-pin wiring. This level of detail is essential for auditing physical infrastructure, as it documents the actual cabling plant rather than logical or high-level connectivity.

Exam trap

The trap here is that candidates often confuse a network topology map (which shows device interconnections) with a wiring schematic, but the topology map lacks the specific cable type and patch panel port details required for physical-layer auditing.

How to eliminate wrong answers

Option A is wrong because a logical diagram shows IP subnets, VLANs, and routing relationships, not physical cable types or patch panel ports. Option B is wrong because a network topology map typically illustrates the arrangement of devices and links at a high level, but it does not include granular details like cable specifications or patch panel port mappings. Option D is wrong because an asset management database tracks inventory and configuration items (e.g., serial numbers, warranty info) but does not document the physical cabling connections or port-level wiring.

74
MCQmedium

A network administrator needs to be notified immediately when the CPU utilization on a core router exceeds 90%. Which SNMP mechanism should be configured on the router?

A.SNMP get
B.SNMP trap
C.SNMP walk
D.SNMP set
AnswerB

Traps are sent by the device to the NMS when conditions such as high CPU utilization are met.

Why this answer

B is correct because SNMP traps are unsolicited notifications sent from an SNMP agent (the router) to the manager when a predefined condition occurs, such as CPU utilization exceeding 90%. This allows immediate notification without waiting for the manager to poll, which is essential for urgent alerts.

Exam trap

The exam often tests the distinction between polling (get/walk) and event-driven notifications (trap/inform); the trap here is that candidates treat SNMP get as a proactive alert mechanism, forgetting that get only returns data when the manager asks for it.

How to eliminate wrong answers

Option A is wrong because SNMP get is a polling mechanism where the manager requests a specific OID value from the agent; it does not provide immediate notification when a threshold is exceeded. Option C is wrong because SNMP walk is used to retrieve a subtree of OIDs sequentially, typically for discovery or bulk data collection, and is not designed for event-driven alerts. Option D is wrong because SNMP set is a manager-initiated write that changes a value on the agent; it configures the device rather than notifying anyone about it.
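To make the trap mechanism concrete, here is an added example (not code from the page) that builds an SNMPv2c trap by hand, the way the router's agent does when its threshold fires, and parses it the way the manager listening on UDP port 162 would. sysUpTime.0, snmpTrapOID.0 and hrProcessorLoad are standard MIB objects; OID_CPU_HIGH_TRAP and the maybe_alert threshold hook are placeholders standing in for the vendor's trap definition and the router's own threshold configuration.

```python
"""Minimal SNMPv2c trap built and parsed by hand (BER-encoded ASN.1).
Added example, not code from the page. sysUpTime.0, snmpTrapOID.0 and hrProcessorLoad
come from standard MIBs; OID_CPU_HIGH_TRAP is a made-up placeholder for whatever
enterprise trap the router vendor defines, and maybe_alert stands in for the agent's threshold logic.
"""
import socket

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_TIMETICKS = 0x43  # APPLICATION 3
TAG_TRAP_V2 = 0xA7  # context-specific constructed tag 7: SNMPv2-Trap-PDU
OID_SYSUPTIME_0 = "1.3.6.1.2.1.1.3.0"  # mandatory first varbind of a v2 trap
OID_SNMPTRAPOID_0 = "1.3.6.1.6.3.1.1.4.1.0"  # mandatory second varbind: which trap this is
OID_HRPROCESSORLOAD_1 = "1.3.6.1.2.1.25.3.3.1.2.1"  # HOST-RESOURCES-MIB, CPU 1 load in percent
OID_CPU_HIGH_TRAP = "1.3.6.1.4.1.99999.1.0.1"  # hypothetical placeholder, not a real assignment


def _length(n: int) -> bytes:
    # BER length: short form below 128, else 0x80|byte-count followed by the count bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def enc_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    # Minimal two's-complement encoding; TimeTicks reuse it with their own tag.
    if value == 0:
        return _tlv(tag, b"\x00")
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid: str) -> bytes:
    # Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128 big-endian.
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _read_seq(value: bytes):
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        items.append((tag, v))
    return items


def dec_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_trap(community: str, uptime_ticks: int, cpu_percent: int, request_id: int = 1) -> bytes:
    # Whole message: SEQUENCE { version=1 (v2c), community, SNMPv2-Trap-PDU { ids, varbinds } }
    varbinds = b"".join([
        _tlv(TAG_SEQUENCE, enc_oid(OID_SYSUPTIME_0) + enc_int(uptime_ticks, TAG_TIMETICKS)),
        _tlv(TAG_SEQUENCE, enc_oid(OID_SNMPTRAPOID_0) + enc_oid(OID_CPU_HIGH_TRAP)),
        _tlv(TAG_SEQUENCE, enc_oid(OID_HRPROCESSORLOAD_1) + enc_int(cpu_percent)),
    ])
    pdu = _tlv(TAG_TRAP_V2, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(TAG_SEQUENCE, varbinds))
    return _tlv(TAG_SEQUENCE, enc_int(1) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def parse_trap(msg: bytes) -> dict:
    # What the manager listening on UDP/162 does with the datagram (OID and integer values only).
    _, body, _ = _read_tlv(msg, 0)
    (_, ver), (_, com), (pdu_tag, pdu) = _read_seq(body)
    if pdu_tag != TAG_TRAP_V2:
        raise ValueError(f"not an SNMPv2-Trap PDU (tag 0x{pdu_tag:02x})")
    (_, rid), _, _, (_, vbl) = _read_seq(pdu)
    varbinds = {}
    for _, vb in _read_seq(vbl):
        (_, oid), (vtag, val) = _read_seq(vb)
        varbinds[dec_oid(oid)] = dec_oid(val) if vtag == TAG_OID else int.from_bytes(val, "big", signed=True)
    return {"version": int.from_bytes(ver, "big", signed=True), "community": com.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}


def maybe_alert(cpu_percent: int, threshold: int = 90, uptime_ticks: int = 0, community: str = "public"):
    # Assumed agent-side threshold hook: a trap exists only when the threshold is crossed.
    return None if cpu_percent <= threshold else build_trap(community, uptime_ticks, cpu_percent)


def send_trap(msg: bytes, manager: str, port: int = 162) -> None:
    # Unsolicited UDP datagram from agent to manager: nothing polls and nothing acknowledges.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (manager, port))
```

Pointing send_trap at a real manager delivers the datagram with no further exchange, which is the point of the question: the agent initiates, the manager never polls (an inform adds an acknowledgement, a trap does not). The caveat a practitioner should note: with v2c the community string sits in cleartext inside that datagram, so anyone on the path can read it and reuse it against the device; SNMPv3 with authentication and privacy is the standard remedy, and trap receivers should only be reachable from management networks.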

75
MCQeasy

A network technician is explaining the difference between connection-oriented and connectionless protocols to a junior technician. Which of the following protocols is connectionless at the transport layer?

A.TCP
B.UDP
C.ICMP
D.ARP
AnswerB

UDP is a connectionless protocol; it sends data without establishing a connection, making it faster but less reliable.

Why this answer

UDP (User Datagram Protocol) is the correct answer because it is a connectionless transport-layer protocol. It does not establish a session or guarantee delivery, instead sending datagrams independently without handshaking or acknowledgments, which makes it suitable for real-time applications like VoIP and streaming.

Exam trap

The trap here is that candidates often mistake ICMP or ARP for transport-layer protocols because both are involved in network communication, but the question asks specifically about the transport layer, where TCP and UDP are the two protocols in play, and UDP is the connectionless one.

How to eliminate wrong answers

Option A is wrong because TCP (Transmission Control Protocol) is connection-oriented at the transport layer, requiring a three-way handshake and maintaining state for reliable, ordered delivery. Option C is wrong because ICMP (Internet Control Message Protocol) operates at the network layer (Layer 3), not the transport layer, and is used for error reporting and diagnostics. Option D is wrong because ARP (Address Resolution Protocol) operates at the data link layer (Layer 2) to map IP addresses to MAC addresses, and is not a transport-layer protocol.
