CompTIA Network+ N10-009 (N10-009) — Questions 76-150

520 questions total · 7 pages · All types, answers revealed

Page 2 of 7

76
MCQ · easy

A network technician needs to retrieve the operating system and uptime information from a router for inventory purposes. Which protocol is specifically designed for network management and monitoring?

A. SMTP
B. SNMP
C. HTTP
D. FTP
Answer: B

SNMP is used to manage and monitor network devices, including retrieving system information like OS and uptime via MIB objects.

Why this answer

SNMP (Simple Network Management Protocol) is the standard protocol specifically designed for network management and monitoring. It allows a network management station to query managed devices (like routers) for system information, including operating system version and uptime, via OIDs (Object Identifiers) in the MIB (Management Information Base).

Exam trap

CompTIA often tests that candidates confuse SNMP with other application-layer protocols like HTTP or FTP, assuming any protocol that can 'retrieve information' qualifies, but only SNMP is purpose-built for network management with standardized MIB structures.

How to eliminate wrong answers

Option A (SMTP) is wrong because SMTP (Simple Mail Transfer Protocol) is used for sending email messages, not for network management or retrieving device inventory data. Option C (HTTP) is wrong because HTTP (Hypertext Transfer Protocol) is used for web traffic and is not a dedicated network management protocol; while some devices offer a web interface, it is not designed for standardized, automated monitoring like SNMP. Option D (FTP) is wrong because FTP (File Transfer Protocol) is used for transferring files between systems, not for querying operational status or inventory information from network devices.

77
MCQ · easy

At which layer of the OSI model does logical addressing (e.g., IP addresses) and routing occur?

A. Data Link layer
B. Network layer
C. Transport layer
D. Physical layer
Answer: B

The Network layer (Layer 3) uses IP addresses for logical addressing and routing decisions.

Why this answer

The Network layer (Layer 3) of the OSI model is responsible for logical addressing, such as IPv4 and IPv6 addresses, and for routing packets between different networks. Routers operate at this layer, using routing tables and protocols like OSPF, BGP, or static routes to determine the best path for data. This layer provides end-to-end delivery and handles packet fragmentation and reassembly when necessary.

Exam trap

The trap here is that candidates often confuse the Network layer's logical addressing with the Data Link layer's MAC addressing, especially when they see 'addressing' in the question and default to Layer 2 without considering the 'routing' keyword that clearly points to Layer 3.

How to eliminate wrong answers

Option A is wrong because the Data Link layer (Layer 2) uses physical (MAC) addresses for communication within a single network segment and handles framing, error detection, and media access control, not logical addressing or routing. Option C is wrong because the Transport layer (Layer 4) manages end-to-end communication, segmentation, and flow control using protocols like TCP and UDP, but it does not perform logical addressing or routing. Option D is wrong because the Physical layer (Layer 1) deals with the raw bit stream over the physical medium, including electrical signals, connectors, and cable specifications, and has no concept of addresses or routing.

78
MCQ · hard

A network administrator needs to ensure that only authorized devices can connect to the wired network. Each user must authenticate using their domain credentials. Which of the following should be implemented?

A. MAC filtering
B. 802.1X with EAP-TLS
C. WPA2-PSK
D. Port security
Answer: B

802.1X with EAP-TLS provides user authentication using certificates, typically tied to domain credentials. It ensures that only authenticated users can gain access to the network, and it can be integrated with Active Directory.

Why this answer

802.1X with EAP-TLS is correct because it provides port-based network access control that requires each user to authenticate using their domain credentials (via a RADIUS server) before the switch port is opened for traffic. EAP-TLS uses mutual authentication with digital certificates, ensuring only authorized devices and users gain access to the wired network.

Exam trap

CompTIA often tests the distinction between port security (which is MAC-based and does not authenticate users) and 802.1X (which provides user authentication via RADIUS), leading candidates to mistakenly choose port security when the question explicitly requires domain credential authentication.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the device's MAC address against a list, which can be easily spoofed and does not authenticate individual users with domain credentials. Option C is wrong because WPA2-PSK is a wireless security protocol that uses a pre-shared key, not suitable for wired networks and does not support per-user domain authentication. Option D is wrong because port security limits access based on MAC addresses and can enforce a maximum number of MACs per port, but it does not authenticate users with domain credentials and can be bypassed by MAC spoofing.

79
MCQ · medium

A user reports that they can access the company's intranet website by IP address but not by its hostname (intranet.company.local). A technician checks the DNS server and finds that the A record exists and returns the correct IP. However, the user's browser still cannot resolve the hostname. Which of the following is the most likely cause?

A. The DNS cache on the user's workstation is corrupt.
B. The web server's certificate is expired.
C. The default gateway is misconfigured.
D. The file server is overloaded.
Answer: A

A corrupt DNS cache can cause incorrect or failed name resolution locally, even if the server record is correct.

Why this answer

The user can access the intranet by IP but not by hostname, which indicates that name resolution is failing. Since the DNS server has the correct A record, the issue is likely on the client side. A corrupt DNS cache on the workstation can cause the browser to use stale or invalid cached data, preventing successful resolution even though the authoritative DNS server returns the correct IP.

Flushing the DNS cache with `ipconfig /flushdns` would resolve this.

Exam trap

CompTIA often tests the distinction between server-side DNS configuration and client-side caching; the trap here is that candidates see 'A record exists and returns correct IP' and assume the DNS is fully functional, overlooking the client's local cache as the source of the problem.

How to eliminate wrong answers

Option B is wrong because an expired web server certificate would cause a browser security warning (e.g., 'NET::ERR_CERT_DATE_INVALID') but would not prevent hostname resolution; the user would still be able to reach the server by IP or hostname and see the warning. Option C is wrong because a misconfigured default gateway would prevent all external and internal IP-based communication, not just hostname resolution; the user can already reach the intranet by IP, so the gateway is functioning. Option D is wrong because an overloaded file server would cause slow performance or timeouts when accessing files, but it would not interfere with DNS resolution or the browser's ability to resolve a hostname.

80
Drag & Drop · medium

Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model into the correct order (top-down approach).

Why this order

Top-down troubleshooting starts at the application layer and works down to physical.

81
MCQ · medium

A network technician is troubleshooting inter-VLAN routing. Hosts in VLAN 10 can communicate with hosts in VLAN 20, but cannot communicate with hosts in VLAN 30. All VLANs are configured on the same Layer 3 switch with SVIs. Which of the following should the technician verify FIRST?

A. VLAN 30 is not allowed on the trunk port to the switch.
B. The SVI for VLAN 30 is missing an IP address.
C. The default gateway on hosts in VLAN 10 is incorrect.
D. The routing table does not have a route to VLAN 30.
Answer: B

An SVI without an IP address cannot route traffic, which would prevent inter-VLAN communication for that VLAN.

Why this answer

Since all VLANs are configured on the same Layer 3 switch with SVIs, inter-VLAN routing occurs internally. Hosts in VLAN 10 can reach VLAN 20, proving the Layer 3 switch is routing correctly for those VLANs. The failure to reach VLAN 30 most likely indicates that the SVI for VLAN 30 is missing an IP address, which prevents the switch from having a local interface to route traffic to that subnet.

Exam trap

Cisco often tests the misconception that a missing VLAN on a trunk is the cause of inter-VLAN routing failure, but when all VLANs reside on the same Layer 3 switch, the SVI configuration is the first thing to verify.

How to eliminate wrong answers

Option A is wrong because if VLAN 30 were not allowed on the trunk port to the switch, hosts in VLAN 10 would not be able to communicate with VLAN 30 at all, but the question states all VLANs are on the same Layer 3 switch, so no trunk is involved for internal routing. Option C is wrong because if the default gateway on hosts in VLAN 10 were incorrect, they would not be able to communicate with any other VLAN, including VLAN 20, which they can reach successfully.

82
MCQ · medium

A company wants to deploy a wireless network in an office with high-density client requirements. Which 802.11 technology allows multiple antennas to transmit multiple spatial streams to increase throughput?

A. MIMO (Multiple-Input Multiple-Output)
B. OFDM (Orthogonal Frequency Division Multiplexing)
C. DSSS (Direct Sequence Spread Spectrum)
D. CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
Answer: A

MIMO uses multiple antennas to send and receive multiple data streams simultaneously, improving capacity and throughput.

Why this answer

MIMO (Multiple-Input Multiple-Output) is the correct technology because it uses multiple antennas at both the transmitter and receiver to send and receive multiple independent spatial streams simultaneously. This spatial multiplexing directly increases data throughput without requiring additional bandwidth or higher modulation, making it ideal for high-density client environments.

Exam trap

The trap here is that candidates confuse OFDM with MIMO because both are associated with 802.11n/ac/ax, but OFDM is a modulation scheme, not a spatial-stream technology; MIMO is the specific antenna-array technique that multiplies throughput via parallel streams.

How to eliminate wrong answers

Option B is wrong because OFDM (Orthogonal Frequency Division Multiplexing) is a modulation technique that divides a channel into multiple orthogonal subcarriers to improve spectral efficiency and combat multipath interference, but it does not use multiple antennas to create spatial streams. Option C is wrong because DSSS (Direct Sequence Spread Spectrum) is an older spread-spectrum technique that spreads a signal over a wider bandwidth using a chipping code, but it cannot transmit multiple spatial streams and offers lower throughput than modern MIMO-based systems.

83
MCQ · medium

A user reports that they can access a web server by its IP address (e.g., 10.10.10.50) but cannot access it by its domain name (e.g., server.example.com). The technician verifies that the DNS server is reachable and that the name resolves correctly from other workstations on the same subnet. Which of the following should the technician check NEXT?

A. Check the DNS cache on the user's workstation
B. Verify the default gateway configuration
C. Renew the DHCP lease
D. Disable the Windows Firewall
Answer: A

A corrupted or stale DNS cache can prevent a client from resolving a name even though the DNS server is functional. Flushing the cache often resolves the issue.

Why this answer

The user's workstation can reach the web server by IP but not by domain name, while other workstations resolve the name correctly. This strongly suggests a local DNS resolution issue specific to that workstation, such as a corrupted or stale DNS cache. Flushing the DNS cache with `ipconfig /flushdns` is the logical next step before investigating broader network or firewall issues.

Exam trap

CompTIA often tests the distinction between connectivity issues (routing, firewall) and name resolution issues; the trap here is that candidates jump to checking the default gateway or firewall because they think 'can't reach the website,' but the symptom of IP working while domain fails points directly to the local DNS cache or resolver configuration.

How to eliminate wrong answers

Option B is wrong because the default gateway is only involved in routing traffic to other subnets; since the user can reach the server by IP (and the server is likely on the same subnet given the 10.10.10.x address), the gateway is not relevant. Option C is wrong because renewing the DHCP lease would obtain new IP configuration (including DNS server addresses), but the technician already verified the DNS server is reachable and resolves correctly for other workstations, so the issue is not with DHCP-assigned DNS settings. Option D is wrong because disabling the Windows Firewall is a broad and insecure step; the user can already communicate with the server by IP, so a firewall rule blocking DNS or HTTP is unlikely, and the problem is specifically name resolution, not connectivity.

84
MCQ · hard

A network engineer is configuring a router to provide IPv6 addressing via SLAAC for hosts on a subnet. The ISP has delegated a prefix 2001:db8:1::/48 and requires the router to advertise a specific prefix 2001:db8:1:1::/64. Which command must be configured on the router's interface to advertise this prefix?

A. ipv6 nd prefix
B. ipv6 address autoconfig
C. ipv6 unicast-routing
D. ipv6 dhcp server
Answer: A

This command configures the prefix to be advertised in Router Advertisements, enabling SLAAC for hosts.

Why this answer

Option A is correct because the 'ipv6 nd prefix' command is used on a router interface to advertise a specific IPv6 prefix in Router Advertisement (RA) messages for Stateless Address Autoconfiguration (SLAAC). This command allows the network engineer to override the default prefix derived from the interface address and explicitly advertise the delegated prefix 2001:db8:1:1::/64 as required by the ISP.

Exam trap

Cisco often tests the distinction between host-side SLAAC commands (like 'ipv6 address autoconfig') and router-side prefix advertisement commands (like 'ipv6 nd prefix'), leading candidates to confuse the device role in the SLAAC process.

How to eliminate wrong answers

Option B is wrong because 'ipv6 address autoconfig' is a host-side command that enables a device to automatically configure its IPv6 address using SLAAC, not a router command to advertise a prefix. Option C is wrong because 'ipv6 unicast-routing' globally enables IPv6 routing on the router, but it does not advertise a specific prefix on an interface; it is a prerequisite for routing, not for prefix advertisement.

85
MCQ · hard

A security administrator observes that an employee's workstation is sending large amounts of data to an external IP address on TCP port 443. The workstation is not supposed to initiate outbound connections, and there is no business need for it. What is the most likely cause?

A. The workstation is part of a botnet and is communicating with a command-and-control server
B. A legitimate software update is being downloaded
C. The workstation is acting as a VPN client connecting to a corporate VPN server
D. The workstation is hosting a web server that is being accessed externally
Answer: A

Botnets commonly use HTTPS to blend in with normal encrypted web traffic. The large data volume and lack of business need make this the most likely explanation.

Why this answer

The workstation is sending large amounts of data to an external IP on TCP port 443, which is commonly used for HTTPS traffic. Since the workstation is not authorized to initiate outbound connections and has no business need for this traffic, the most likely cause is that it has been compromised and is part of a botnet, using HTTPS to communicate with a command-and-control (C2) server to evade detection by blending in with legitimate encrypted web traffic.

Exam trap

The trap here is that candidates may assume TCP 443 always indicates legitimate HTTPS traffic, such as a software update or VPN, without considering that attackers commonly use this port to hide malicious C2 communications, especially when the workstation has no business need for outbound connections.

How to eliminate wrong answers

Option B is wrong because a legitimate software update would typically be initiated by the workstation contacting a known update server (e.g., Microsoft, Adobe) on TCP 443, but the scenario states the workstation is not supposed to initiate outbound connections and has no business need for this traffic, making an unauthorized update or malware more likely. Option C is wrong because a VPN client connecting to a corporate VPN server would use a specific VPN protocol (e.g., IPsec, OpenVPN, or WireGuard) on a designated port, not necessarily TCP 443, and the traffic would be to a known internal or authorized external VPN endpoint, not an arbitrary external IP; moreover, the workstation is not authorized to initiate outbound connections, so a VPN client would violate policy.

86
MCQ · hard

A security administrator is configuring a wireless network to use WPA3-Enterprise. Which authentication server protocol is required for WPA3-Enterprise?

A. RADIUS
B. LDAP
C. TACACS+
D. Kerberos
Answer: A

Correct. WPA3-Enterprise uses 802.1X for authentication, which requires a RADIUS server to authenticate users against a database.

Why this answer

WPA3-Enterprise requires 802.1X/EAP authentication, which uses RADIUS as the backend authentication server protocol. RADIUS handles the exchange of EAP frames between the authenticator (access point) and the authentication server, enforcing per-user credentials and supporting the mandatory 192-bit security suite for WPA3-Enterprise. Without RADIUS, the 802.1X framework cannot operate, making it the only required protocol for this deployment.

Exam trap

The trap here is that candidates often confuse TACACS+ with RADIUS because both are AAA protocols, but TACACS+ is used for device administration (e.g., router login) while RADIUS is the only protocol that supports 802.1X/EAP for wireless network access.

How to eliminate wrong answers

Option B (LDAP) is wrong because LDAP is a directory access protocol used to query and modify directory services (e.g., Active Directory), not an authentication server protocol for 802.1X; it lacks the RADIUS attributes and EAP handling needed for WPA3-Enterprise. Option C (TACACS+) is wrong because TACACS+ is a Cisco-proprietary protocol designed for device administration (AAA for CLI/management access), not for network access authentication like 802.1X; it separates authentication, authorization, and accounting into different packets, which is incompatible with the RADIUS-based 802.1X flow. Option D (Kerberos) is wrong because Kerberos is a ticket-based authentication protocol used within a domain (e.g., Windows Active Directory) for single sign-on, not for wireless 802.1X; it cannot encapsulate EAP frames or communicate with access points as a RADIUS server does.

87
MCQ · medium

A user reports that they can access internal resources such as file shares and printers by name, but they cannot access any external websites. The technician checks the IP configuration and finds the workstation has a valid IP address, subnet mask, default gateway, and DNS server addresses. The technician can successfully ping the default gateway and an external IP address like 8.8.8.8. Which of the following should the technician check NEXT?

A. Perform a traceroute to the external website to identify the point of failure.
B. Verify that the DNS server can resolve external domain names.
C. Check the Windows Firewall on the workstation to ensure it is not blocking outbound HTTP traffic.
D. Renew the DHCP lease on the workstation.
Answer: B

The user can access internal resources by name and can reach external IPs, so what remains to be confirmed is that the DNS server can resolve external names. If the DNS server is not configured to forward queries or is using a root hint that fails, this would explain the symptom.

Why this answer

The user can access internal resources by name and can ping an external IP address (8.8.8.8), which confirms that IP routing, the default gateway, and basic network connectivity are working. The inability to access external websites by name, despite having DNS server addresses configured, points directly to a DNS resolution failure for external domains. Therefore, the next logical step is to verify that the configured DNS server can resolve external domain names, such as by using `nslookup` or `dig` to query a public domain like google.com.

Exam trap

The trap here is that candidates assume a successful ping to an external IP means all network layers are fine, but they overlook that DNS resolution is a separate service that can fail independently, leading them to waste time on traceroute or firewall checks.

How to eliminate wrong answers

Option A is wrong because performing a traceroute to an external website requires the hostname to be resolved first; since DNS resolution is failing, traceroute will fail immediately and not identify the point of failure. Option C is wrong because the Windows Firewall would block all outbound HTTP traffic, not just to external websites; the user can already access internal resources by name, and pinging an external IP works, so a firewall rule blocking outbound HTTP is inconsistent with the symptom of only failing on external name resolution.

88
MCQ · easy

A user reports that they can browse to a website by typing its IP address (e.g., 93.184.216.34) but cannot access it by typing the domain name (e.g., www.example.com). The user's workstation receives IP configuration via DHCP. Which of the following is the most likely cause?

A. The default gateway is misconfigured.
B. The DNS server address is incorrect or unreachable.
C. The web server's SSL certificate is expired.
D. The workstation's hosts file has an incorrect entry.
Answer: B

The user can access resources by IP but not by name, which is a classic symptom of DNS failure. The technician should verify that the DNS server settings are correct and that the DNS server is reachable from the workstation.

Why this answer

The user can reach the website by IP address but not by domain name, which isolates the issue to name resolution. DNS translates domain names to IP addresses; if the DNS server address provided by DHCP is incorrect or unreachable, the workstation cannot resolve www.example.com to 93.184.216.34. This is the most likely cause because all other connectivity (default gateway, web server) is confirmed working by the successful IP-based access.

Exam trap

The trap here is that candidates confuse a DNS failure with a gateway or web server issue, but the key clue is that IP-based access works, which eliminates routing and server problems and points squarely to name resolution.

How to eliminate wrong answers

Option A is wrong because a misconfigured default gateway would prevent all off-subnet traffic, including the successful IP-based access to 93.184.216.34, so the user would not be able to browse at all. Option C is wrong because an expired SSL certificate would cause a browser security warning or HTTPS failure, but it would not prevent the initial TCP connection or HTTP access; the user can still reach the site by IP, indicating the web server is reachable and the certificate issue is unrelated to name resolution.

89
MCQ · hard

A security engineer is configuring a firewall to protect an internal network. The requirement is that internal users can initiate connections to the internet, but external hosts should not be able to initiate connections to internal hosts unless the internal host first requested the connection. Which firewall technology should be used?

A. Stateless packet filtering
B. Stateful inspection
C. Application proxy
D. Packet filtering based on ACL only
Answer: B

Stateful firewalls track the state of connections and permit inbound packets only if they match an existing session.

Why this answer

Stateful inspection (B) tracks the state of active connections by maintaining a state table that records source/destination IPs, ports, and sequence numbers. It allows return traffic for connections initiated from the internal network while blocking unsolicited inbound traffic, which directly matches the requirement that external hosts cannot initiate connections unless the internal host requested them first.

Exam trap

Cisco often tests the misconception that stateless packet filtering can handle return traffic by simply allowing inbound packets with a high source port, but without state tracking, it cannot verify that the packet actually belongs to an existing session, making stateful inspection the correct answer.

How to eliminate wrong answers

Option A is wrong because stateless packet filtering examines each packet in isolation based only on static rules (e.g., ACLs) without tracking connection state, so it cannot distinguish between a packet belonging to an established internal-initiated session and an unsolicited inbound packet. Option C is wrong because an application proxy acts as an intermediary that terminates and re-creates connections at the application layer, which provides deep inspection but is overkill for simply allowing return traffic; it also introduces higher latency and is not the standard technology for stateful connection tracking.

90
MCQ · medium

A company is implementing a DMZ to host public-facing web and email servers. The DMZ network uses private IP addresses, and the internal network also uses private IP addresses. The company has only one public IP address assigned to the border router's external interface. Which of the following should be configured to allow internet users to access the DMZ servers?

A. Port forwarding to the private IP addresses of the servers.
B. NAT with overload to translate multiple internal addresses to the single public IP.
C. Static NAT mapping each DMZ server to a unique public IP.
D. A VPN tunnel between the DMZ and the internal network.
Answer: A

Correct. Port forwarding translates incoming traffic on specific ports to the appropriate private IP, enabling external access to internal servers.

Why this answer

Port forwarding (often configured as static NAT with a single public IP) allows the border router to forward incoming traffic on specific TCP/UDP ports (e.g., 80 for web, 25 for SMTP) to the private IP addresses of the DMZ servers. Since the company has only one public IP, this is the only way to direct external requests to the correct internal server without requiring multiple public IPs.

Exam trap

The trap here is that candidates confuse PAT (overload NAT) with port forwarding, assuming that PAT alone can handle inbound connections, when in fact PAT only supports outbound-initiated sessions unless explicit port forwarding rules are configured.

How to eliminate wrong answers

Option B is wrong because NAT with overload (PAT) translates multiple internal addresses to a single public IP for outbound traffic, but it does not allow unsolicited inbound connections from the internet to specific private IPs; it only maintains a state table for return traffic. Option C is wrong because static NAT mapping each DMZ server to a unique public IP requires multiple public IP addresses, which the company does not have (only one public IP is available).

91
MCQ · easy

A network administrator wants to evaluate the current bandwidth utilization on a core switch to determine if an upgrade is needed. The administrator needs to understand typical usage patterns. Which of the following should the administrator perform first?

A. Implement QoS policies to prioritize traffic.
B. Collect performance data over a period of time.
C. Upgrade the switch to a higher capacity model.
D. Enable SNMP traps for link down events.
Answer: B

Collecting data over time establishes a baseline of normal utilization, which is the first step in evaluating if an upgrade is needed.

Why this answer

To evaluate bandwidth utilization and determine if an upgrade is needed, the administrator must first establish a baseline of typical usage patterns. This is done by collecting performance data over a period of time (e.g., using SNMP to poll interface counters or NetFlow/sFlow to capture traffic flows) to identify peak loads, average utilization, and trends. Without this historical data, any decision to upgrade or implement QoS would be based on guesswork rather than evidence.

Exam trap

The trap here is that candidates often jump to implementing QoS (Option A) as a quick fix for perceived congestion, but Cisco tests the principle that you must first measure and baseline network performance before making any configuration or hardware changes.

How to eliminate wrong answers

Option A is wrong because implementing QoS policies should be based on observed traffic patterns and performance data; applying QoS without first understanding utilization risks misconfiguring policies that may not address actual congestion or could degrade critical traffic. Option C is wrong because upgrading the switch to a higher capacity model is a reactive and costly action that should only be taken after data collection confirms that current bandwidth is insufficient; performing the upgrade first ignores the need for evidence-based capacity planning.

92
MCQ · medium

A network administrator needs to centrally collect and analyze log messages from multiple routers and switches. Which protocol should be used to forward these log messages to a central server?

A. SNMP
B. Syslog
C. SMTP
D. HTTP
Answer: B

Syslog is the standard protocol for forwarding log messages from network devices to a central logging server.

Why this answer

Syslog (B) is the correct protocol because it is specifically designed for centralized logging and event message collection from network devices. It uses UDP port 514 (or TCP 6514 for reliable delivery) to forward log messages from routers and switches to a central syslog server, enabling administrators to collect, analyze, and archive logs from multiple devices in a standardized format.

Exam trap

The trap here is that candidates often confuse SNMP traps with syslog messages, thinking SNMP can replace syslog for log collection, but SNMP traps are structured notifications for specific events, not a general-purpose log forwarding protocol.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices by polling or receiving traps for specific metrics (e.g., interface status, CPU load), not for forwarding free-form log messages; it lacks the structured logging capabilities of syslog. Option C is wrong because SMTP (Simple Mail Transfer Protocol) is designed for email transmission, not for forwarding system logs; using SMTP would require converting logs into email messages, which is inefficient and not a standard practice for centralized log collection.

93
MCQ · easy

A network administrator needs to document the physical placement of devices in a server room, including exact rack location, port labels, and cable connections between patch panels and switches. Which type of diagram is most appropriate?

A. Network topology map
B. Rack diagram
C. Wiring schematic
D. Logical topology diagram
Answer: B

A rack diagram precisely documents the physical arrangement of devices in racks, including ports and cabling.

Why this answer

A rack diagram is specifically designed to document the physical placement of devices in a server room, including exact rack units, port labels, and cable connections between patch panels and switches. This type of diagram provides a visual representation of the physical layout, which is essential for asset management, troubleshooting, and maintenance planning.

Exam trap

The trap here is that candidates confuse a logical topology map (which shows IP subnets and routing) with a physical rack diagram, leading them to choose the topology map when the question explicitly asks for physical placement and cable connections.

How to eliminate wrong answers

Option A is wrong because a network topology map focuses on logical connections and data flow between devices (e.g., IP addressing, routing protocols) rather than physical rack locations and cable details. Option C is wrong because a wiring schematic typically shows electrical circuits and signal paths at a component level, not the physical rack placement or port-to-port cable connections in a structured cabling environment.

94
MCQmedium

A network administrator is implementing a new wireless network that will use WPA2-Enterprise. Which of the following must be configured on the network to support this security method?

A.A RADIUS server
B.A pre-shared key
C.A certificate authority
D.A VPN concentrator
AnswerA

WPA2-Enterprise relies on 802.1X, which requires a RADIUS server to handle authentication.

Why this answer

WPA2-Enterprise uses 802.1X authentication, which requires a RADIUS server to centralize authentication, authorization, and accounting (AAA). The RADIUS server validates user credentials (e.g., against Active Directory or LDAP) and distributes the Pairwise Master Key (PMK) to the access point, enabling per-user, per-session encryption keys. Without a RADIUS server, the enterprise authentication framework cannot function.

Exam trap

The trap here is that candidates confuse WPA2-Enterprise with WPA2-Personal and assume a pre-shared key is required, or they overgeneralize the role of a certificate authority, thinking it is mandatory for all enterprise Wi-Fi deployments when it is only required for specific EAP methods like EAP-TLS.

How to eliminate wrong answers

Option B is wrong because a pre-shared key (PSK) is used in WPA2-Personal, not WPA2-Enterprise; PSK uses a single static key shared among all clients, which lacks the per-user authentication and scalability required in enterprise environments. Option C is wrong because while a certificate authority (CA) may be used to issue server certificates for EAP-TLS or to validate RADIUS server identity, it is not a mandatory component of WPA2-Enterprise; other EAP methods like PEAP-MSCHAPv2 or EAP-TTLS can operate without a CA by using server-side certificates that are self-signed or validated via other means.

95
MCQeasy

A device is configured with IP address 192.168.1.130 and subnet mask 255.255.255.192. What is the network address of this device?

A.192.168.1.0
B.192.168.1.128
C.192.168.1.192
D.192.168.1.64
AnswerB

Correct: 130 is in the range 128-191, so the network address is 192.168.1.128.

Why this answer

The network address is found by performing a bitwise AND between the IP address 192.168.1.130 and the subnet mask 255.255.255.192. The mask 255.255.255.192 has a prefix length of /26, meaning the first 26 bits are the network portion. 192.168.1.130 in binary is 11000000.10101000.00000001.10000010, and the mask is 11111111.11111111.11111111.11000000; the AND yields 11000000.10101000.00000001.10000000, which is 192.168.1.128.

Exam trap

Cisco often tests the confusion between the network address and the broadcast address, especially when the IP address falls near the boundary of a subnet, leading candidates to mistakenly pick the broadcast address (192.168.1.192) or the default classful network (192.168.1.0).

How to eliminate wrong answers

Option A is wrong because 192.168.1.0 is the network address for a /24 subnet (255.255.255.0), not for a /26 subnet; it incorrectly assumes the default classful boundary. Option C is wrong because 192.168.1.192 is actually the broadcast address for the 192.168.1.128/26 subnet, not the network address; it results from setting all host bits to 1 instead of 0.

96
MCQeasy

A network engineer is designing a subnet that can support at least 10 hosts. Which subnet mask would provide exactly 14 usable host addresses?

A./27
B./28
C./29
D./30
AnswerB

Correct. /28 gives 2^(32-28)-2 = 14 usable hosts, satisfying the requirement of at least 10 and exactly 14.

Why this answer

A /28 subnet mask (255.255.255.240) provides 16 total addresses per subnet. Subtracting the network address and broadcast address leaves 14 usable host addresses, which exactly meets the requirement of at least 10 hosts.

Exam trap

Cisco often tests the distinction between total addresses and usable addresses, where candidates forget to subtract the network and broadcast addresses, leading them to incorrectly select /29 (8 total addresses) thinking it supports 8 hosts.

How to eliminate wrong answers

Option A (/27) is wrong because it provides 30 usable host addresses (32 total minus 2), which exceeds the requirement of exactly 14 usable addresses. Option C (/29) is wrong because it provides only 6 usable host addresses (8 total minus 2), which is insufficient to support at least 10 hosts.

97
MCQmedium

An organization uses a AAA server for network device authentication. The security team requires that all authentication traffic be fully encrypted and that authorization commands be logged per user. Which protocol is best suited for this requirement?

A.RADIUS with EAP-TLS
B.TACACS+
C.LDAP over SSL
D.Kerberos
AnswerB

Correct. TACACS+ encrypts the entire authentication packet and separates AAA functions, enabling detailed command-level authorization logging.

Why this answer

TACACS+ is the best choice because it encrypts the entire authentication packet (including username, password, and all other fields) and supports per-user command authorization logging. This meets the requirement for fully encrypted authentication traffic and detailed audit trails for each user's commands.

Exam trap

The trap here is that candidates often confuse RADIUS's partial encryption (password only) with full encryption, or assume LDAP over SSL can handle device AAA, but TACACS+ is the only protocol that fully encrypts all traffic and logs per-user commands for network device administration.

How to eliminate wrong answers

Option A is wrong because RADIUS with EAP-TLS only encrypts the authentication exchange (EAP over RADIUS), but the rest of the RADIUS packet (including authorization attributes) is not fully encrypted—only the password is obfuscated with a shared secret. Option C is wrong because LDAP over SSL encrypts the LDAP session but does not provide network device command authorization or logging; it is a directory access protocol, not a AAA protocol for device administration. Option D is wrong because Kerberos provides strong authentication via tickets but does not include authorization or accounting for device commands; it is designed for single sign-on in a domain, not for per-user command logging on network devices.

98
MCQmedium

A network technician is troubleshooting communication between two switches. The trunk link between them is up, and both switches have the same list of allowed VLANs. However, devices in VLAN 10 on one switch cannot communicate with devices in VLAN 10 on the other switch. What is the MOST likely cause of this issue?

A.Native VLAN mismatch
B.Speed or duplex mismatch
C.Spanning Tree Protocol blocking the port
D.VLAN 10 is not created on one of the switches
AnswerA

If the native VLAN configured on the trunk interfaces differs between the switches, traffic for that VLAN may not pass correctly.

Why this answer

A native VLAN mismatch is the most likely cause because when two switches have different native VLANs configured on a trunk, they will incorrectly tag or fail to tag frames for that VLAN. In this scenario, devices in VLAN 10 cannot communicate because the native VLAN frames (which are sent untagged) are being dropped or misinterpreted by the receiving switch, even though both switches list VLAN 10 as allowed. The trunk is up and the allowed VLAN list matches, so the issue points directly to a mismatch in the native VLAN configuration.

Exam trap

CompTIA often tests the native VLAN mismatch scenario by presenting a trunk that is up and has matching allowed VLANs, leading candidates to overlook the native VLAN configuration and incorrectly choose options like STP blocking or VLAN not created.

How to eliminate wrong answers

Option B is wrong because a speed or duplex mismatch would cause physical-layer errors, CRC errors, or interface resets, but the trunk link is reported as up and the issue is isolated to VLAN 10 communication, not all traffic. Option C is wrong because if Spanning Tree Protocol were blocking the port, the trunk link would not be in an up/up state; STP blocking would prevent all traffic on the port, not just VLAN 10. Option D is wrong because the question states both switches have the same list of allowed VLANs, which implies VLAN 10 is created on both switches; if it were missing, the allowed list would not match.

99
MCQmedium

A network engineer is installing a WLAN in a warehouse with many metal shelves and racks. During a site survey, the engineer notices significant signal degradation in certain areas. Which wireless propagation phenomenon is most likely causing the issue?

A.Refraction
B.Diffraction
C.Reflection
D.Absorption
AnswerC

Metal surfaces reflect Wi-Fi signals, causing multipath interference and dead spots. This is a common issue in warehouses.

Why this answer

In a warehouse with many metal shelves and racks, the primary cause of signal degradation is reflection. Metal surfaces act as RF reflectors, causing the wireless signal to bounce off them, which leads to multipath interference and dead zones where the signal cancels out or becomes too weak to be usable. This is a common issue in environments with high metal density, as the reflected waves interfere with the direct path signal.

Exam trap

CompTIA often tests the trap where candidates confuse reflection with diffraction, thinking that signal bending around metal edges (diffraction) is the main issue, but in dense metal environments, reflection off flat metal surfaces is the dominant cause of signal degradation and dead zones.

How to eliminate wrong answers

Option A is wrong because refraction involves the bending of radio waves as they pass through media of different densities (e.g., air to glass), which is not the dominant issue with metal shelves. Option B is wrong because diffraction is the bending of waves around obstacles (e.g., edges of shelves), which can cause some signal spread but is not the primary cause of significant degradation from metal surfaces. Option D is wrong because absorption occurs when materials like concrete or water absorb RF energy, but metal primarily reflects rather than absorbs 2.4/5 GHz signals.

100
MCQmedium

A router receives a packet destined for 10.0.0.15. It has the following routes in the routing table: 10.0.0.0/8 via 192.168.1.1, 10.0.0.0/16 via 192.168.2.1, 0.0.0.0/0 via 192.168.3.1. Which route will be used?

A.Default route (0.0.0.0/0)
B.10.0.0.0/16 via 192.168.2.1
C.10.0.0.0/8 via 192.168.1.1
D.None; the packet is dropped
AnswerB

This route has a longer prefix length (16) than the /8 route, and it matches the destination (10.0.0.15 is in 10.0.0.0/16).

Why this answer

The router will use the route 10.0.0.0/16 via 192.168.2.1 because it has the longest prefix match (16 bits) for the destination 10.0.0.15. The /16 route is more specific than the /8 route and the default route, so it is preferred regardless of administrative distance or metric.

Exam trap

The trap here is that candidates often assume administrative distance or metric determines the route selection, but the longest prefix match always takes precedence over these metrics when multiple routes match the destination.

How to eliminate wrong answers

Option A is wrong because the default route (0.0.0.0/0) is only used when no more specific route matches the destination; here, both the /8 and /16 routes match, so the default is not selected. Option C is wrong because although the /8 route matches the destination, the /16 route is a longer prefix match (16 bits vs. 8 bits), and routers always prefer the most specific route in the forwarding table.

101
MCQeasy

A technician is troubleshooting a user's inability to reach a specific website. The user can reach other websites without issue. The technician runs nslookup on the user's workstation and receives the correct IP address for the website. However, a ping to that IP address fails. Which of the following is the most likely cause?

A.The default gateway is misconfigured.
B.The website server is blocking ICMP requests.
C.The DNS server is not resolving the domain name.
D.The subnet mask is incorrect.
AnswerB

Many servers disable ICMP echo replies for security, but HTTP traffic can still function. Since DNS resolves correctly but ping fails, ICMP is likely blocked.

Why this answer

Since nslookup returns the correct IP address, DNS resolution is working. The ping fails despite a valid IP, which indicates that the destination server is reachable at the network layer but is not responding to ICMP echo requests. Many web servers are configured to block ICMP to reduce attack surface or prevent reconnaissance, which is a common security practice.

Exam trap

The trap here is that candidates assume a failed ping means the host is unreachable, ignoring that ICMP can be blocked independently of the application traffic the user is trying to access.

How to eliminate wrong answers

Option A is wrong because a misconfigured default gateway would prevent all external traffic, not just a single website, and the user can reach other websites. Option C is wrong because nslookup successfully resolves the domain to the correct IP, proving DNS is functioning properly. Option D is wrong because an incorrect subnet mask would cause local connectivity issues or inability to reach any remote hosts, not a failure specific to one website.

102
MCQhard

A network administrator is configuring a monitoring system to collect metrics from network devices. The administrator needs to ensure that the monitoring system can automatically discover the devices and obtain detailed information about their configuration and status, such as interface descriptions and software versions. Which protocol is best suited for this purpose?

A.SNMP
B.LLDP
C.NetFlow
D.Syslog
AnswerA

SNMP (especially with SNMPv2c or v3) allows a management station to query device MIBs for detailed information such as interface descriptions, software versions, and status. It can also be used for discovery by polling known community strings.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is specifically designed for network management and monitoring. It allows a management system to automatically discover devices (via SNMP walks or queries to MIBs) and retrieve detailed configuration and status information, such as interface descriptions and software versions, by reading OIDs from the device's MIB. This matches the requirement for automatic discovery and detailed data collection.

Exam trap

The trap here is that candidates often confuse LLDP's neighbor discovery capability with SNMP's management and monitoring functionality, mistakenly thinking LLDP can provide detailed device configuration and status information when it only advertises basic identity and capabilities.

How to eliminate wrong answers

Option B (LLDP) is wrong because LLDP is a link-layer discovery protocol used to advertise device identity, capabilities, and neighbors on a local network; it does not provide a mechanism for a monitoring system to poll detailed configuration or status metrics like software versions or interface descriptions. Option C (NetFlow) is wrong because NetFlow is a flow-based traffic accounting and analysis protocol that captures metadata about network flows (e.g., source/destination IPs, ports, packet counts); it is not designed for device discovery or retrieving configuration and status information.

103
MCQeasy

A network administrator needs to schedule a firmware upgrade for a critical router. Which document should be used to formally communicate the change, seek approval, and track the implementation?

A.Change management request
B.Network diagram
C.Service level agreement (SLA)
D.Baseline performance report
AnswerA

Correct. A change management request is the standard document for proposing, approving, and tracking changes to network devices.

Why this answer

A change management request is the formal document used to communicate, seek approval, and track the implementation of a firmware upgrade on a critical router. This process ensures that the change is reviewed by stakeholders, risks are assessed, and a rollback plan is documented, which is essential for maintaining network stability and compliance with ITIL or organizational change control policies.

Exam trap

The trap here is that candidates may confuse a change management request with a network diagram or SLA, thinking that documenting the topology or contractual guarantees is sufficient for scheduling and approving a change, but only the formal change management process provides the required approval and tracking trail.

How to eliminate wrong answers

Option B (Network diagram) is wrong because it is a visual representation of the network topology and device interconnections, not a formal process document for requesting or tracking changes. Option C (Service level agreement) is wrong because it defines performance metrics and uptime guarantees between a provider and customer, not a mechanism for scheduling or approving specific operational changes like firmware upgrades.

104
MCQmedium

A network engineer needs to assign IP addresses to a new subnet that will support exactly 25 devices. Which subnet mask would provide the minimum number of usable host addresses while still accommodating the requirement?

A.255.255.255.240 (/28)
B.255.255.255.224 (/27)
C.255.255.255.192 (/26)
D.255.255.255.128 (/25)
AnswerB

/27 provides 28 usable hosts, which meets the requirement with minimal waste.

Why this answer

Option B (255.255.255.224, /27) provides 32 total addresses per subnet, with 30 usable host addresses (2^(32-27)-2 = 30). This is the smallest subnet that can accommodate exactly 25 devices, as /28 yields only 14 usable hosts and /26 yields 62, which is excessive.

Exam trap

Cisco often tests the common misconception that the number of usable hosts equals 2^(host bits) without subtracting the network and broadcast addresses, leading candidates to incorrectly choose a /28 mask thinking 16 addresses are enough for 25 devices.

How to eliminate wrong answers

Option A is wrong because 255.255.255.240 (/28) provides only 14 usable host addresses (2^(32-28)-2 = 14), which is insufficient for 25 devices. Option C is wrong because 255.255.255.192 (/26) provides 62 usable host addresses (2^(32-26)-2 = 62), which far exceeds the requirement of 25 devices and is not the minimum subnet mask.

105
MCQeasy

A client obtains an IP address from a DHCP server but cannot resolve hostnames. The client can ping the default gateway and external IP addresses successfully. What is the most likely cause?

A.Incorrect subnet mask
B.DNS server misconfiguration
C.Default gateway not set
D.Firewall blocking DNS
AnswerB

DNS is used for hostname resolution. If the DNS server address is wrong or unreachable, name resolution will fail even though IP connectivity works.

Why this answer

The client can ping external IP addresses and the default gateway, confirming that IP connectivity and routing are functional. However, the inability to resolve hostnames points directly to a DNS resolution failure, which occurs when the DNS server address is misconfigured or unreachable. Since DHCP provided the IP address, the DNS server setting is likely incorrect or missing in the DHCP scope.

Exam trap

Cisco often tests the distinction between IP connectivity and name resolution, trapping candidates who assume that successful pings to external IPs imply DNS is working, when in fact DNS is a separate service that must be explicitly configured.

How to eliminate wrong answers

Option A is wrong because an incorrect subnet mask would prevent communication with hosts outside the local subnet, but the client can ping external IP addresses successfully, ruling out a subnet mask issue. Option C is wrong because the default gateway is correctly set, as evidenced by successful pings to external IP addresses; if it were missing, external pings would fail.

106
MCQmedium

A user reports that they can access the internet but cannot connect to an internal file server at IP address 192.168.1.50. The technician successfully pings the file server's IP address from the user's workstation. The file server is on the same subnet as the user. What is the most likely cause of this issue?

A.The file server has an incorrect default gateway configured.
B.The user's workstation has an incorrect DNS server configured.
C.The file server's firewall is blocking the file-sharing protocol while allowing ICMP.
D.The user's workstation has a duplicate IP address assigned.
AnswerC

This is the most likely cause. The file server's firewall may permit ping (ICMP) but block the specific application port (e.g., TCP 445), which stops the file share connection while allowing ping to succeed.

Why this answer

The technician can ping the file server (ICMP success) but the user cannot connect to it using the file-sharing protocol (e.g., SMB on TCP/445). This indicates network-layer reachability is fine, but the application-layer service is blocked. The most likely cause is the file server's host-based firewall (e.g., Windows Defender Firewall) allowing ICMP Echo Requests while blocking inbound SMB traffic, which is a common misconfiguration.

Exam trap

The trap here is that candidates assume a successful ping guarantees full connectivity, but ICMP and application traffic use different protocols and ports, so a firewall can block one while allowing the other.

How to eliminate wrong answers

Option A is wrong because the file server is on the same subnet as the user, so a default gateway is not required for local communication; ARP resolves the IP to MAC directly without routing. Option B is wrong because DNS is used for name resolution, but the user is connecting to the file server by IP address (192.168.1.50), so an incorrect DNS server would not affect the connection.

107
MCQmedium

A network administrator is creating documentation for a new data center. Which type of diagram is BEST for showing the logical relationships between VLANs and their associated subnets?

A.Physical topology diagram
B.Logical topology diagram
C.Wiring diagram
D.Rack elevation diagram
AnswerB

Logical topology diagrams show network segments, virtual LANs, IP addressing schemes, and routing – perfect for documenting VLAN and subnet relationships.

Why this answer

A logical topology diagram is the correct choice because it illustrates how devices communicate across the network, including the mapping of VLANs to their associated IP subnets. This type of diagram abstracts away physical cabling and device locations to focus on Layer 2 and Layer 3 relationships, such as VLAN IDs, subnet masks, and default gateways. It is essential for documenting network segmentation and troubleshooting inter-VLAN routing.

Exam trap

The trap here is that candidates often confuse 'logical topology' with 'physical topology,' assuming that a physical diagram can show VLANs because VLANs are configured on physical switches, but VLANs are a Layer 2 abstraction that must be documented separately.

How to eliminate wrong answers

Option A is wrong because a physical topology diagram shows the physical layout of cables, devices, and ports, not the logical relationships between VLANs and subnets. Option C is wrong because a wiring diagram details the specific cabling paths, patch panels, and termination points, which is irrelevant to VLAN-to-subnet mappings. Option D is wrong because a rack elevation diagram displays the physical placement of equipment in racks, including U positions and power/cooling considerations, but does not convey logical network segmentation.

108
MCQmedium

A user reports that they can access internal websites but cannot access any external websites. Other users in the same subnet can access external sites. The user's IP configuration shows a correct IP, subnet mask, and default gateway. What is the most likely cause?

A.The DNS server is not reachable.
B.The proxy server settings are incorrect.
C.The default gateway is misconfigured.
D.The web browser has a corrupted cache.
AnswerB

Incorrect proxy settings (e.g., pointing to a non-existent or wrong proxy) would prevent external access while allowing internal access if the proxy is bypassed for internal addresses. This is a common client-specific issue.

Why this answer

The user can access internal websites but not external ones, while other users in the same subnet have no issues. This points to a client-specific configuration problem rather than a network-wide issue. Incorrect proxy server settings on the user's machine can prevent external HTTP/HTTPS traffic from being routed correctly, even though internal traffic (which may bypass the proxy) works fine.

Exam trap

CompTIA often tests the distinction between network-layer issues (like default gateway or DNS) and application-layer issues (like proxy configuration), leading candidates to incorrectly choose DNS or gateway problems when the symptom is isolated to a single user with correct IP settings.

How to eliminate wrong answers

Option A is wrong because if the DNS server were unreachable, the user would likely be unable to resolve both internal and external domain names, but they can access internal websites, indicating DNS resolution is working for internal resources. Option C is wrong because the default gateway is confirmed correct in the user's IP configuration, and other users in the same subnet with the same gateway can access external sites, ruling out a gateway misconfiguration. Option D is wrong because a corrupted browser cache typically causes display or loading issues for specific pages, not a complete inability to access all external websites while internal access remains unaffected.

109
MCQmedium

In the OSI model, which layer is responsible for establishing, managing, and terminating sessions between applications, as well as providing checkpoints and recovery?

A.Transport layer
B.Session layer
C.Network layer
D.Data link layer
AnswerB

The session layer (Layer 5) is responsible for establishing, maintaining, and terminating sessions between applications. It also provides synchronization points for checkpointing and recovery.

Why this answer

The Session layer (Layer 5) of the OSI model is explicitly responsible for establishing, managing, and terminating sessions between applications, as well as providing checkpointing and recovery mechanisms. This layer uses protocols like NetBIOS, RPC, and PPTP to coordinate dialog control, synchronization points, and session restoration after failures, ensuring that long-lived transactions can resume from a checkpoint rather than restarting entirely.

Exam trap

Cisco often tests the Session layer by describing its functions in a way that sounds like Transport-layer reliability (e.g., 'checkpoints and recovery'), leading candidates to mistakenly choose the Transport layer because they associate recovery with TCP's retransmission, but TCP only recovers lost segments, not application sessions.

How to eliminate wrong answers

Option A is wrong because the Transport layer (Layer 4) handles end-to-end delivery, segmentation, reassembly, and error recovery at the segment level (e.g., TCP retransmission), but it does not manage application-level sessions, checkpoints, or dialog control. Option C is wrong because the Network layer (Layer 3) is responsible for logical addressing (IP addresses), routing, and packet forwarding, not for session management or recovery between applications.

110
MCQeasy

A company wants to allow external users to access a web server located in the DMZ. The firewall has three interfaces: inside, outside, and DMZ. Which firewall rule is necessary?

A.A
B.B
C.C
D.D
AnswerB

This rule permits external users to initiate connections to the web server in the DMZ on port 80.

Why this answer

Option B is correct because it allows traffic from the outside (external users) to the DMZ web server while keeping the inside network protected. In a three-legged firewall setup, the necessary rule permits inbound HTTP/HTTPS traffic from the outside interface to the DMZ interface, typically with a destination IP of the web server and port 80/443. This ensures external access is isolated from the internal network, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the direction of traffic flow, mistakenly selecting a rule that allows inside-to-DMZ traffic (Option A) thinking it enables external access, when in fact external users initiate from the outside interface.

How to eliminate wrong answers

Option A is wrong because it likely permits traffic from the inside to the DMZ, which is not needed for external user access and could inadvertently allow internal hosts to initiate connections to the DMZ without proper control. Option C is wrong because it probably allows traffic from the DMZ to the inside, which would expose the internal network to potential threats from the DMZ, violating security best practices that restrict DMZ-to-inside traffic unless explicitly required and inspected.

111
Matchingmedium

Match each network topology to its characteristic.

All devices connect to a central hub or switch

Every device connects to every other device

All devices share a single communication line

Each device connects to two others, forming a closed loop

Why these pairings

These are basic network topologies.

112
MCQeasy

A company wants to prevent unauthorized devices from connecting to the corporate network. The policy requires that only specific MAC addresses are permitted on switch ports. Which security feature should be implemented on the switches?

A.802.1X authentication
B.MAC filtering / Port security
C.VLAN hopping prevention
D.DHCP snooping
AnswerB

Port security (MAC filtering) allows an administrator to define a list of allowed MAC addresses on a switch port. Any device with a MAC not on the list is blocked from sending traffic.

Why this answer

MAC filtering, also known as port security, is the correct feature because it allows the switch to restrict access to a port based on the source MAC address of incoming frames. By configuring a list of allowed MAC addresses, the switch will drop traffic from any unauthorized device, directly enforcing the policy that only specific MAC addresses are permitted on switch ports.

Exam trap

Cisco often tests the distinction between MAC-based port security and 802.1X authentication, where candidates mistakenly choose 802.1X because it is a more robust access control method, but the question specifically asks for a feature that permits only specific MAC addresses, which is exactly what port security does.

How to eliminate wrong answers

Option A is wrong because 802.1X authentication is a port-based network access control protocol that uses an authentication server (e.g., RADIUS) to validate user or device credentials, not MAC addresses; it does not inherently filter by MAC address and requires a supplicant and authentication server infrastructure. Option C is wrong because VLAN hopping prevention is a security measure to stop an attacker from gaining access to traffic on other VLANs by exploiting switch configuration weaknesses (e.g., double tagging or DTP abuse), and it does not control which devices can connect to a specific switch port based on MAC addresses.

113
MCQhard

A company wants to prevent unauthorized users from plugging into network jacks and gaining access to the wired network. Which of the following security mechanisms should be implemented at the switch level?

A.MAC address filtering
B.Port security
C.802.1X
D.Dynamic ARP Inspection
AnswerC

802.1X requires user or device authentication via an authentication server (RADIUS) before the switch port becomes active.

Why this answer

802.1X is a port-based Network Access Control (NAC) standard (IEEE 802.1X) that authenticates devices before granting full network access. When a device plugs into a switch port, the switch (as the authenticator) blocks all traffic except EAPoL (Extensible Authentication Protocol over LAN) frames until the device successfully authenticates via a RADIUS server. This prevents unauthorized users from gaining network access simply by connecting to a live jack.

Exam trap

The trap here is that candidates confuse port security (which only limits MAC addresses) with 802.1X (which provides actual authentication), leading them to pick port security because it sounds like it 'secures the port' at the switch level.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only checks the source MAC against a static list and does not authenticate the user or device; MAC addresses can be easily spoofed, and it provides no per-session or credential-based security. Option B is wrong because port security limits the number of MAC addresses allowed on a port and can shut down the port on violation, but it does not authenticate the user or device; an attacker with a valid MAC address can still gain access without any authentication challenge.

114
MCQmedium

A network administrator is connecting two switches and wants to increase the bandwidth between them while also providing redundancy in case one link fails. Which technology should be configured on the switch ports?

A.Spanning Tree Protocol (STP)
B.Link Aggregation Control Protocol (LACP)
C.VLAN trunking (802.1Q)
D.Power over Ethernet (PoE)
AnswerB

LACP negotiates the bundling of physical ports into a single logical link, providing increased throughput and failover.

Why this answer

Link Aggregation Control Protocol (LACP) allows multiple physical links between two switches to be combined into a single logical link, increasing aggregate bandwidth and providing redundancy: if one physical link fails, traffic continues over the remaining links. This directly meets the requirement for both higher bandwidth and link-level fault tolerance.

Exam trap

The trap here is that candidates confuse STP's loop prevention with redundancy, but STP actively blocks redundant links to avoid loops, whereas LACP allows all links to forward traffic simultaneously while still providing failover.

How to eliminate wrong answers

Option A (Spanning Tree Protocol) is wrong because STP prevents loops by blocking redundant links, which would actually disable the extra links rather than using them for increased bandwidth or active redundancy. Option C (VLAN trunking, 802.1Q) is wrong because it tags frames to carry multiple VLANs over a single link but does not combine multiple links for bandwidth or provide link-level redundancy. Option D (Power over Ethernet) is wrong because it delivers electrical power to devices over Ethernet cabling and has no effect on link aggregation or redundancy between switches.

115
MCQhard

An NOC technician observes that the CPU usage on a core switch has been consistently above 90% for the past hour. Which SNMP operation should the technician use to monitor the CPU load over time with minimal network overhead?

A.SNMP GET
B.SNMP GETNEXT
C.SNMP WALK
D.SNMP TRAP
AnswerD

SNMP traps are unsolicited messages from the agent to the NMS when certain events occur (e.g., CPU threshold exceeded). They reduce overhead because the NMS does not need to poll; the agent sends data only when necessary.

Why this answer

D is correct because SNMP TRAP is an unsolicited notification sent from the agent (the switch) to the NMS, which allows the NOC to receive CPU load alerts only when a threshold is exceeded, minimizing network overhead by avoiding continuous polling. In this scenario, the technician wants to monitor CPU load over time with minimal overhead, and traps provide event-driven reporting rather than periodic requests, reducing bandwidth and processing load on both the switch and the network.

Exam trap

The trap here is that candidates often confuse SNMP TRAP with SNMP GET, assuming that polling is necessary for monitoring, but the question explicitly asks for minimal network overhead, which traps achieve by eliminating the need for repeated requests.

How to eliminate wrong answers

Option A is wrong because SNMP GET is a synchronous request-response operation that polls a single OID, requiring repeated queries to track CPU load over time, which generates significant network overhead and CPU load on the managed device. Option B is wrong because SNMP GETNEXT is used to traverse a MIB tree by retrieving the next OID in sequence, but it still requires repeated polling to monitor a value over time, increasing overhead compared to event-driven traps. Option C is wrong because SNMP WALK performs a series of GETNEXT operations to retrieve a subtree of OIDs, which is even more bandwidth-intensive and CPU-heavy than a single GET, making it unsuitable for minimal-overhead monitoring of a single metric like CPU load.

116
MCQhard

A network security administrator is configuring authentication for network devices and wants to use a protocol that supports separate encryption of the entire authentication packet. Which of the following protocols is designed to encrypt the entire authentication packet and is commonly used with AAA services?

A.RADIUS
B.TACACS+
C.LDAP
D.Kerberos
AnswerB

TACACS+ encrypts the entire payload of the authentication packet, providing greater confidentiality for all authentication information.

Why this answer

TACACS+ is the correct answer because it encrypts the entire authentication packet, including the username, password, and all other fields, using a shared secret key. This full-packet encryption is a key differentiator from RADIUS, which only encrypts the password field. TACACS+ is commonly used with AAA services to provide separate authentication, authorization, and accounting processes.

Exam trap

Cisco often tests the misconception that RADIUS encrypts the entire packet because it uses a shared secret, but in reality, only the password is encrypted, whereas TACACS+ encrypts the full payload.

How to eliminate wrong answers

Option A (RADIUS) is wrong because it only encrypts the password field in the authentication packet, leaving other fields like username and service type in cleartext; it also combines authentication and authorization into a single process, unlike TACACS+. Option C (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services, not a AAA protocol; it does not encrypt the entire authentication packet by default and relies on external mechanisms like LDAPS for encryption.

117
MCQmedium

A technician is troubleshooting a user's inability to connect to a server. The technician runs 'tracert' from the user's workstation and sees that traffic stops at a particular router. The last hop shows a timeout. Which of the following is the most likely cause?

A.The destination server is powered off.
B.The router is blocking ICMP echo requests.
C.There is a routing loop.
D.The next hop router is unreachable from that router.
AnswerD

If the router cannot reach the next hop, it cannot forward packets further, causing tracert to hang at that router.

Why this answer

The 'tracert' command relies on ICMP Time Exceeded messages from intermediate routers to map the path. When traffic stops at a particular router and the next hop shows a timeout, it indicates that the router cannot forward the packet to the next hop, meaning the next hop router is unreachable. This is the most direct cause because the traceroute fails to receive a response from the next hop, not because the destination is off or ICMP is blocked.

Exam trap

The trap here is that candidates often confuse a timeout caused by ICMP filtering (Option B) with a true connectivity failure, but ICMP filtering would cause timeouts at the filtering router itself, not at the next hop, and traceroute uses different ICMP types that are often permitted even when echo requests are blocked.

How to eliminate wrong answers

Option A is wrong because if the destination server were powered off, the traceroute would still show successful hops up to the last router before the destination, and the final hop would timeout, not a middle hop. Option B is wrong because if the router were blocking ICMP echo requests, the traceroute would still receive ICMP Time Exceeded messages from that router (since those are different ICMP types), and the timeout would occur at the next hop, not at the blocking router. Option C is wrong because a routing loop would cause traceroute to show repeated hops with increasing TTL values, not a single timeout at a specific router; the TTL would expire at the same router repeatedly.

118
Drag & Dropmedium

Drag and drop the steps for a disaster recovery procedure after a server failure into the correct order.


Why this order

Disaster recovery follows assessment, restore, rebuild, patch, test.

119
MCQeasy

Which layer of the OSI model is responsible for logical addressing and routing of packets between networks?

A.Data Link layer
B.Network layer
C.Transport layer
D.Application layer
AnswerB

The Network layer provides logical addressing and routing functions, enabling communication across different networks.

Why this answer

The Network layer (Layer 3) is responsible for logical addressing (e.g., IPv4/IPv6 addresses) and routing packets between different networks by determining the best path using routing protocols such as OSPF, BGP, or static routes. Unlike the Data Link layer, which handles physical addressing (MAC) within a single network segment, the Network layer enables end-to-end delivery across multiple hops.

Exam trap

Cisco often tests the distinction between logical addressing (Layer 3) and physical addressing (Layer 2), leading candidates to mistakenly choose the Data Link layer because they associate 'addressing' with MAC addresses rather than IP addresses.

How to eliminate wrong answers

Option A is wrong because the Data Link layer (Layer 2) handles physical addressing (MAC addresses) and frame delivery within a single broadcast domain, not logical addressing or routing between networks. Option C is wrong because the Transport layer (Layer 4) manages end-to-end communication, segmentation, and error recovery (e.g., TCP/UDP), but does not perform logical addressing or routing. Option D is wrong because the Application layer (Layer 7) provides network services to user applications (e.g., HTTP, FTP), and has no role in packet forwarding or logical addressing.

120
MCQmedium

A user reports that they can connect to the internet by IP address but cannot access any websites by domain name. Which command-line tool should a technician use first to isolate the issue?

A.ping
B.nslookup
C.tracert
D.netstat
AnswerB

Nslookup is designed to query DNS servers and can verify that domain names are being resolved correctly.

Why this answer

The user can reach the internet by IP address but not by domain name, which indicates a DNS resolution failure. The `nslookup` command queries DNS servers directly to test name resolution, making it the correct first step to isolate whether the issue is with the DNS server, the client's DNS configuration, or a network path to the DNS server.

Exam trap

The trap here is that candidates often choose `ping` first because it is the most familiar troubleshooting tool, but the symptom of working IP connectivity with failed domain resolution specifically points to DNS, making `nslookup` the targeted diagnostic command.

How to eliminate wrong answers

Option A (ping) is wrong because ping tests basic IP connectivity using ICMP echo requests; since the user can already connect by IP address, ping would succeed and not reveal the DNS problem. Option C (tracert) is wrong because tracert traces the Layer 3 path to a destination using ICMP TTL-exceeded messages; it would show a working route to the IP but cannot diagnose DNS resolution failures. Option D (netstat) is wrong because netstat displays active network connections, routing tables, and interface statistics; it does not perform DNS queries or test name resolution.

121
MCQeasy

Which transport layer protocol is used by VoIP and streaming video because it provides low latency and does not require retransmission?

A.TCP
B.UDP
C.ICMP
D.IGMP
AnswerB

UDP is connectionless, low-latency, and does not retransmit lost packets, making it ideal for VoIP and streaming video.

Why this answer

VoIP and streaming video use UDP (User Datagram Protocol) because it is connectionless and provides low-latency transmission without retransmission of lost packets. This is critical for real-time applications where a slight delay is more disruptive than occasional packet loss.

Exam trap

CompTIA often tests the misconception that 'reliable delivery is always better,' leading candidates to choose TCP, but the trap is that real-time applications prioritize low latency over guaranteed delivery, making UDP the correct choice.

How to eliminate wrong answers

Option A is wrong because TCP (Transmission Control Protocol) is connection-oriented and provides reliable delivery with retransmission, which introduces latency and jitter unsuitable for real-time streaming. Option C is wrong because ICMP (Internet Control Message Protocol) is a network-layer protocol used for error reporting and diagnostics (e.g., ping), not for transporting application data. Option D is wrong because IGMP (Internet Group Management Protocol) is used for managing multicast group memberships at the network layer, not for end-to-end data transport.

122
MCQmedium

A network administrator is configuring a trunk link between two switches. The link is up, but devices on VLAN 30 cannot communicate across the trunk. Devices on VLAN 10 and 20 can communicate. What should the administrator verify?

A.Ensure the native VLAN is the same on both switches
B.Verify that VLAN 30 is included in the allowed VLAN list on both switches
C.Check the trunk encapsulation type on both switches
D.Confirm that port security is not enabled on the trunk interfaces
AnswerB

Trunk ports can have a configured list of allowed VLANs. If VLAN 30 is not permitted, its traffic will not pass.

Why this answer

The trunk link is operational for VLANs 10 and 20 but not for VLAN 30, which indicates that VLAN 30 is likely not permitted on the trunk. By default, a trunk allows all VLANs, but if an administrator has manually configured an allowed VLAN list, VLAN 30 may have been omitted. Verifying that VLAN 30 is included in the allowed VLAN list on both switches will resolve the issue.

Exam trap

The trap here is that candidates often confuse native VLAN mismatch (which causes spanning-tree or BPDU issues) with a missing allowed VLAN, or they assume encapsulation must be checked even though the trunk is already operational for other VLANs.

How to eliminate wrong answers

Option A is wrong because the native VLAN mismatch would cause issues for untagged traffic (typically VLAN 1 by default), not specifically for a single tagged VLAN like VLAN 30. Option C is wrong because trunk encapsulation type (e.g., 802.1Q vs. ISL) must match for the trunk to form at all; since the link is up and other VLANs work, encapsulation is already compatible.

123
MCQmedium

A network administrator wants to centrally monitor the status of all network devices and receive alerts when an interface goes down. Which protocol and feature combination should the administrator use?

A.SNMP with traps
B.SNMP with polling
C.Syslog with severity levels
D.NetFlow with flow logs
AnswerA

SNMP traps are notifications sent by network devices to an SNMP manager upon events, enabling real-time alerts for interface status changes.

Why this answer

SNMP traps provide unsolicited, asynchronous notifications from network devices to the management station when specific events occur, such as an interface going down. This allows the administrator to receive immediate alerts without continuously polling each device, making it the ideal protocol and feature combination for real-time status monitoring and alerting.

Exam trap

CompTIA often tests the distinction between SNMP traps (event-driven) and SNMP polling (request-response), where candidates mistakenly choose polling because they think it provides continuous monitoring, but traps are the correct choice for immediate alerting on specific events like interface down.

How to eliminate wrong answers

Option B is wrong because SNMP with polling requires the management station to periodically query each device, which introduces latency in detecting interface state changes and increases network overhead, making it unsuitable for immediate alerting. Option C is wrong because Syslog is primarily used for logging event messages with severity levels, but it does not provide a standardized mechanism for real-time alerting on interface status changes; it relies on the management system to parse logs, which can introduce delays. Option D is wrong because NetFlow with flow logs is designed for traffic flow analysis and network performance monitoring, not for tracking device interface operational status or generating alerts on interface state changes.

124
MCQhard

A security analyst is reviewing DHCP server logs and notices that a single MAC address is sending an extremely high number of DHCP discover packets. The DHCP server is responding, but the client never sends a DHCP request. Which type of attack is most likely occurring?

A.DHCP starvation
B.ARP poisoning
C.MAC flooding
D.DNS spoofing
AnswerA

This is a classic DHCP starvation attack, where the attacker sends many DHCP discovers to deplete the IP pool.

Why this answer

A DHCP starvation attack works by flooding the DHCP server with DHCPDISCOVER packets from spoofed MAC addresses, exhausting the server's IP address pool. In this scenario, a single MAC address sending excessive DHCPDISCOVER packets without completing the DORA handshake (no DHCPREQUEST) is a classic indicator of a starvation attack, as the attacker aims to consume all available leases and cause a denial of service for legitimate clients.

Exam trap

The trap here is confusing DHCP starvation with MAC flooding, as both involve 'flooding' and MAC addresses, but MAC flooding targets switch CAM tables at Layer 2, while DHCP starvation targets the DHCP server at Layer 7 (application layer) using DHCP protocol messages.

How to eliminate wrong answers

Option B is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host (e.g., the default gateway), enabling man-in-the-middle attacks; it does not involve DHCPDISCOVER packets or IP address pool exhaustion. Option C is wrong because MAC flooding targets a switch's CAM table by sending frames with many different source MAC addresses to overflow the table and force the switch into fail-open mode (hub behavior), not by sending DHCPDISCOVER packets to a DHCP server.

125
MCQhard

A network administrator configures a router to send syslog messages to a central log server. The administrator can ping the server from the router, but the server is not receiving any logs. What is the most likely cause?

A.The syslog server is using the wrong protocol (TCP instead of UDP)
B.UDP port 514 is blocked between the router and the server
C.The syslog service on the server is not running
D.The router's clock is not synchronized with the server
AnswerB

The router can reach the server (ping works), so the path is up. Syslog relies on UDP 514; if that port is blocked, logs will not be delivered.

Why this answer

Syslog messages are sent via UDP port 514 by default. Since the administrator can ping the server (ICMP works), but no logs arrive, the most likely cause is that a firewall or ACL is blocking UDP port 514 between the router and the server. This is a classic connectivity issue where Layer 3 reachability exists but the specific transport-layer port is filtered.

Exam trap

The trap here is that candidates see 'ping works' and assume full connectivity, forgetting that syslog uses a specific UDP port that may be filtered even when ICMP is permitted.

How to eliminate wrong answers

Option A is wrong because syslog uses UDP by default (RFC 5424), not TCP; while some implementations support TCP, the standard and most common configuration is UDP, and the question does not indicate a TCP-based syslog setup. Option C is wrong because if the syslog service were not running, the administrator would typically see a 'connection refused' or similar error when attempting to send logs, but here the router can ping the server, indicating the server is reachable and the service is likely running; the issue is a blocked port, not a stopped service.

126
MCQmedium

A network technician notices that a switch port connected to a user's computer is showing a high number of CRC errors and late collisions. The link is operating at 100 Mbps, full duplex according to the switch. Which of the following is the most likely cause of these errors?

A.Cable length exceeds 100 meters
B.Duplex mismatch
C.Faulty switch port
D.Electromagnetic interference
AnswerB

If the computer is running at half duplex while the switch is at full duplex, collisions occur when both try to send simultaneously, leading to late collisions and CRC errors.

Why this answer

CRC errors and late collisions in a full-duplex link are classic symptoms of a duplex mismatch. When one side is set to full duplex and the other to half duplex, the half-duplex side does not sense the carrier before transmitting, leading to collisions that are detected late in the frame. The switch reports full duplex, so the user's NIC is likely stuck at half duplex, causing these errors.

Exam trap

Cisco often tests the misconception that CRC errors alone indicate a cabling issue, but the presence of late collisions alongside CRC errors is the key indicator of a duplex mismatch, not a cable length problem.

How to eliminate wrong answers

Option A is wrong because excessive cable length (beyond 100 meters for 100BASE-TX) primarily causes attenuation and signal degradation, leading to CRC errors but not late collisions; late collisions specifically indicate a timing issue with collision detection, which is absent in full-duplex links. Option C is wrong because a faulty switch port would typically show a broader range of errors (e.g., runts, giants, or interface resets) and often cause complete link drops or flapping, not the specific combination of CRC errors and late collisions that points to a duplex mismatch.

127
MCQmedium

A network engineer needs to configure a trunk link between two Cisco switches so that only VLANs 10, 20, and 30 are allowed. Which command set will accomplish this?

A.switchport trunk allowed vlan 10,20,30
B.switchport mode trunk
C.switchport trunk native vlan 1
D.switchport trunk encapsulation dot1q
AnswerA

This command explicitly allows only the listed VLANs on the trunk. All other VLANs are denied.

Why this answer

Option A is correct because the 'switchport trunk allowed vlan' command explicitly defines which VLANs are permitted to traverse the trunk link. By specifying '10,20,30', only traffic from those VLANs is forwarded, while all other VLANs are pruned from the trunk. This is the standard method for restricting VLANs on an IEEE 802.1Q trunk between Cisco switches.

Exam trap

CompTIA often tests the distinction between configuring trunk mode ('switchport mode trunk') and restricting VLANs ('switchport trunk allowed vlan'), leading candidates to mistakenly think that setting the interface to trunk alone is sufficient to limit VLAN traffic.

How to eliminate wrong answers

Option B is wrong because 'switchport mode trunk' only sets the interface to trunking mode; it does not restrict which VLANs are allowed, so by default all VLANs (1–4094) are permitted. Option C is wrong because 'switchport trunk native vlan 1' sets the native VLAN for untagged traffic on the trunk, but it does not filter which VLANs are allowed; native VLAN configuration is unrelated to VLAN permission lists. Option D is wrong because 'switchport trunk encapsulation dot1q' specifies the trunking protocol (802.1Q) but does not control which VLANs are permitted; this command is only needed on older switches that support both ISL and 802.1Q.

128
MCQeasy

A network administrator needs to ensure that all changes to network devices are properly reviewed, approved, and tracked. Which process should the administrator implement?

A.Change management
B.Incident management
C.Problem management
D.Asset management
AnswerA

Change management formalizes the process for planning, approving, and documenting changes to minimize impact.

Why this answer

Change management is the formal process for requesting, reviewing, approving, implementing, and documenting changes to network devices. It ensures that all modifications are authorized, tracked, and have a rollback plan, which directly meets the requirement for review, approval, and tracking.

Exam trap

CompTIA often tests the distinction between change management (proactive, planned) and incident management (reactive, unplanned), leading candidates to confuse the two when the question emphasizes 'tracking' and 'approval'.

How to eliminate wrong answers

Option B (Incident management) is wrong because it focuses on restoring normal service after an unplanned interruption, not on controlling planned changes. Option C (Problem management) is wrong because it deals with identifying and resolving the root cause of recurring incidents, not with the approval and tracking of intentional modifications. Option D (Asset management) is wrong because it tracks the lifecycle and inventory of hardware/software assets, not the process of making changes to those devices.

129
MCQhard

Users in VLAN 10 cannot obtain IP addresses from the DHCP server located in VLAN 20. The router interface for VLAN 10 has an ip helper-address 192.168.20.5 command configured, and users can ping the DHCP server IP (192.168.20.5) from the router. However, users receive APIPA addresses. What is the most likely cause?

A.The DHCP server does not have a scope configured for the 192.168.1.0/24 subnet (VLAN 10)
B.The router's ip helper-address is configured on the wrong interface
C.The switch port connecting users is configured as a trunk instead of an access port
D.The router's ACL is blocking DHCP offers from the server
AnswerA

The DHCP server uses the gateway IP (giaddr) in the relayed packet to determine which scope to use. Without a matching scope, the server does not respond.

Why this answer

The ip helper-address command on the router correctly forwards DHCPDISCOVER broadcasts from VLAN 10 to the DHCP server at 192.168.20.5. Since users can ping the server from the router, Layer 3 connectivity exists. However, the DHCP server must have a scope (or address pool) for the subnet of the requesting clients (192.168.1.0/24) to offer an IP address; without it, the server ignores the request, and clients fall back to APIPA (169.254.x.x).

Exam trap

CompTIA often tests the misconception that ip helper-address alone guarantees DHCP success, but the trap is that the DHCP server must have a scope matching the client's subnet (identified by the giaddr) to issue an address.

How to eliminate wrong answers

Option B is wrong because the ip helper-address is correctly placed on the VLAN 10 interface (the ingress interface for DHCP broadcasts from clients), which is the standard configuration. Option C is wrong because a trunk port would not prevent DHCP; it would carry multiple VLANs but still allow client traffic in VLAN 10, and APIPA indicates no DHCP response, not a VLAN mismatch. Option D is wrong because if an ACL were blocking DHCP offers (UDP port 67/68), the router would still forward the client's DISCOVER, but the server's OFFER would be dropped; however, the question states users can ping the server from the router, implying no ACL is blocking return traffic, and the server's lack of a scope is the more direct cause.

130
MCQeasy

A network administrator needs to schedule a firmware upgrade for a critical switch during a maintenance window. After the upgrade is completed and verified, which document should the administrator update to reflect the new firmware version?

A.Incident response plan
B.Network topology diagram
C.Configuration baseline document
D.Change request form
AnswerC

The baseline document includes software versions and configurations; it should be updated after changes to maintain an accurate reference.

Why this answer

The configuration baseline document records the approved configuration of a network device, including firmware versions. After a firmware upgrade is verified, updating this document ensures that the baseline reflects the current, known-good state for change management and troubleshooting. The administrator must update the baseline to maintain configuration consistency and audit compliance.

Exam trap

The trap here is that candidates confuse the configuration baseline document with the network topology diagram, but the topology diagram only shows device interconnections, not the software version running on each device.

How to eliminate wrong answers

Option A is wrong because the incident response plan documents procedures for handling security breaches or network outages, not routine firmware version tracking. Option B is wrong because the network topology diagram shows physical and logical connections between devices, not software or firmware versions.

131
MCQmedium

A network administrator is configuring a router-on-a-stick to route between two VLANs (VLAN 10 and VLAN 20). The router has two subinterfaces: GigabitEthernet0/1.10 with encapsulation dot1Q 10 and IP 10.10.10.1/24, and GigabitEthernet0/1.20 with encapsulation dot1Q 20 and IP 10.10.20.1/24. The switch port connected to the router is configured as an access port in VLAN 10. Hosts in VLAN 10 can ping the router's VLAN 10 interface, but hosts in VLAN 20 cannot ping the router's VLAN 20 interface. What is the most likely cause?

A.The router subinterface for VLAN 20 is not enabled.
B.The switch port connecting to the router should be configured as a trunk.
C.The hosts in VLAN 20 do not have a default gateway configured.
D.The router's VLAN 20 subinterface has an incorrect IP address.
AnswerB

A trunk port carries traffic for multiple VLANs. Since the router uses subinterfaces with 802.1Q encapsulation, the switch must allow tagged frames for both VLANs.

Why this answer

The router-on-a-stick design requires the switch port connecting to the router to be configured as a trunk port, not an access port. An access port only carries traffic for a single VLAN (VLAN 10 in this case), so frames from VLAN 20 are dropped at the switch port before reaching the router. Configuring the port as a trunk with allowed VLANs 10 and 20 would enable the router's subinterfaces to receive and forward traffic for both VLANs.

Exam trap

CompTIA often tests the distinction between access and trunk ports in router-on-a-stick scenarios, trapping candidates who assume that configuring subinterfaces alone is sufficient without ensuring the switch port is set to trunk mode.

How to eliminate wrong answers

Option A is wrong because the subinterface for VLAN 20 is configured with encapsulation dot1Q 20 and an IP address, and there is no indication it is administratively down; the issue is that frames from VLAN 20 never reach the router due to the access port. Option C is wrong because the problem is at Layer 2 connectivity—hosts in VLAN 20 cannot even ping the router's VLAN 20 interface, which is a direct link issue, not a default gateway reachability problem. Option D is wrong because the IP address 10.10.20.1/24 on subinterface GigabitEthernet0/1.20 is correct for VLAN 20; the hosts cannot ping it because the switch port drops their VLAN 20 frames, not because of an IP mismatch.

132
MCQmedium

A network administrator needs to schedule a firmware update for several switches during a maintenance window. Which of the following documents should be updated immediately after the changes are complete?

A.Network diagram
B.Change management request
C.Performance baseline
D.Service level agreement
AnswerB

The change management request documents the planned change, approval, and post-implementation results. Updating it after completion is a key step in the change management process.

Why this answer

The change management request is the correct document to update immediately after completing the firmware update because it serves as the official record that the change was implemented, tested, and closed. This ensures audit compliance, rollback documentation, and approval tracking, which are critical in ITIL-based change management processes. Updating the network diagram or performance baseline may be done later as part of post-change verification, but the change management request must be updated first to formally close the change window.

Exam trap

Cisco often tests the misconception that updating the network diagram is the most immediate post-change task, but the change management request must be updated first to formally close the change window and satisfy audit requirements.

How to eliminate wrong answers

Option A is wrong because the network diagram is a static representation of logical or physical topology and is not the immediate post-change document; it should be updated only after the change is fully verified and stable, not as the first step. Option C is wrong because the performance baseline is a historical reference for normal network behavior and is updated after collecting post-change performance data to compare against the baseline, not immediately upon completion of the firmware update.

133
MCQmedium

A company's wireless network currently uses WPA2-PSK with a shared passphrase. A security audit identifies that the passphrase is weak and shared among all employees. Which of the following would provide the MOST secure wireless access while addressing the shared passphrase issue?

A.Implement WPA2-Enterprise with 802.1X
B.Upgrade to WPA3-Personal with a strong passphrase
C.Disable SSID broadcast
D.Enable MAC address filtering
AnswerA

WPA2-Enterprise uses individual user authentication via a RADIUS server, removing the shared key vulnerability.

Why this answer

WPA2-Enterprise with 802.1X eliminates the shared passphrase by using a RADIUS server to authenticate each user individually, typically via EAP methods such as PEAP or EAP-TLS. This provides per-user credentials (e.g., username/password or certificates), so compromising one user's credentials does not expose the entire network. It also supports dynamic per-session encryption keys, making it far more secure than any shared-passphrase solution.

Exam trap

The trap here is that candidates often assume upgrading to WPA3-Personal (with SAE) is sufficient, but the question specifically requires addressing the 'shared passphrase' issue, which only per-user authentication (802.1X) can solve.

How to eliminate wrong answers

Option B is wrong because WPA3-Personal still uses a shared passphrase (SAE handshake), which does not address the core issue of a single shared credential among all employees; if the passphrase is weak or leaked, all users are still at risk. Option C is wrong because disabling SSID broadcast only hides the network name from simple scans, but it does not change the authentication method or protect against a weak shared passphrase; attackers can easily discover hidden SSIDs using passive monitoring tools like airodump-ng.

134
MCQmedium

A company wants to allow inbound HTTPS traffic to a web server located in the DMZ from the Internet. The firewall has three interfaces: Inside (corporate network), Outside (Internet), and DMZ (web server). Which of the following firewall rules is required?

A.Allow traffic from Outside to DMZ on port 443
B.Allow traffic from DMZ to Outside on port 443
C.Allow traffic from Inside to DMZ on port 443
D.Allow traffic from Outside to Inside on port 443
AnswerA

This rule permits HTTPS traffic from the Internet (Outside) to the web server in the DMZ, which is the requirement.

Why this answer

The correct rule is to allow traffic from the Outside (Internet) interface to the DMZ interface on TCP port 443 (HTTPS). This permits inbound web requests to reach the web server while keeping the corporate Inside network isolated. The firewall must explicitly permit this traffic because the default implicit deny rule would otherwise block all inbound connections from the Outside zone.

Exam trap

The trap here is that candidates often confuse the direction of the traffic flow, mistakenly thinking the rule should allow traffic from the DMZ to the Outside (Option B) because they focus on the server sending responses, rather than the client initiating the connection.

How to eliminate wrong answers

Option B is wrong because it allows traffic from the DMZ to the Outside on port 443, which would permit outbound HTTPS requests from the web server to the Internet, not inbound client connections. Option C is wrong because it allows traffic from the Inside (corporate network) to the DMZ on port 443, which is unnecessary for external web access and could expose the DMZ server to internal threats, violating the principle of least privilege.

135
MCQeasy

At which layer of the OSI model does a device provide flow control, error detection, and recovery for end-to-end communication?

A.Transport layer
B.Network layer
C.Data Link layer
D.Session layer
AnswerA

The Transport layer manages end-to-end connections, flow control, and error recovery.

Why this answer

The Transport layer (Layer 4) is responsible for end-to-end communication between source and destination hosts. It provides flow control (e.g., TCP's sliding window mechanism), error detection (via checksums in TCP and UDP headers), and recovery (through TCP retransmission of lost segments). These functions ensure reliable data delivery across the network, distinguishing it from lower layers that handle hop-by-hop or link-local tasks.

Exam trap

Cisco often tests the distinction between hop-by-hop (Data Link) and end-to-end (Transport) responsibilities, tricking candidates into confusing link-layer error detection (e.g., Ethernet CRC) with end-to-end recovery, which is exclusively a Transport layer function.

How to eliminate wrong answers

Option B is wrong because the Network layer (Layer 3) handles routing and logical addressing (e.g., IP), but does not provide end-to-end flow control or error recovery; it relies on upper layers for reliability. Option C is wrong because the Data Link layer (Layer 2) provides flow control and error detection only on a single link (e.g., Ethernet's CRC), not for end-to-end communication across multiple hops.

136
MCQmedium

A network engineer plans to change the routing protocol configuration on a core router that will affect connectivity to all branches. According to change management best practices, which step should the engineer perform BEFORE implementing the change?

A.Notify all branch users of the upcoming change
B.Create a backout plan to revert the change if necessary
C.Document the current router configuration
D.Schedule the change during a maintenance window
AnswerB

A backout plan is essential for minimizing risk during network changes.

Why this answer

Creating a backout plan is a critical step in change management because it provides a documented procedure to revert the router to its previous operational state if the new routing protocol configuration causes connectivity loss or instability. Without a backout plan, the engineer risks prolonged outages across all branches while troubleshooting or attempting to reconstruct the original configuration from memory or incomplete logs. This aligns with ITIL change management best practices, which prioritize risk mitigation and service continuity.

Exam trap

The trap here is that candidates confuse 'documenting the current configuration' (a preparatory step) with the actual change management requirement to 'create a backout plan,' which is the specific step that ensures the change can be safely undone if it fails.

How to eliminate wrong answers

Option A is wrong because notifying all branch users before the change is a communication step that typically occurs after the change plan is approved and a backout strategy is defined; notifying users prematurely does not mitigate technical risk or provide a recovery mechanism. Option C is wrong because documenting the current router configuration is a prerequisite for creating a backout plan, but it is not the step itself—the backout plan explicitly uses that documentation to define the revert procedure, making documentation a supporting action rather than the primary step required before implementation.

137
MCQeasy

A junior network technician asks which device operates at Layer 2 of the OSI model and uses MAC addresses to forward frames. Which device is the technician describing?

A.Hub
B.Switch
C.Router
D.Firewall
AnswerB

Switches use MAC addresses to forward frames at Layer 2.

Why this answer

A switch operates at Layer 2 (Data Link layer) of the OSI model and uses MAC addresses to make forwarding decisions. It builds a MAC address table by learning source MAC addresses from incoming frames and then forwards frames only to the specific port associated with the destination MAC address, reducing collision domains and improving network efficiency.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 devices by asking about forwarding decisions based on MAC vs. IP addresses, and the trap here is that candidates may confuse a switch with a router because both can connect multiple devices, but only the switch operates purely at Layer 2 using MAC addresses.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 (Physical layer) and simply repeats electrical signals out all ports, with no ability to read or use MAC addresses; it creates a single collision domain and cannot filter frames. Option C is wrong because a router operates at Layer 3 (Network layer) and forwards packets based on IP addresses, not MAC addresses; it uses routing tables and protocols like OSPF or BGP to determine the best path.

138
MCQeasy

A network monitoring system uses SNMP to poll interface statistics from switches every 5 minutes. This polling is causing high CPU utilization on the switches. Which of the following actions would BEST reduce the CPU load on the switches while still providing monitoring data?

A.Use SNMP traps instead of polling
B.Increase the SNMP community string
C.Disable SNMP on unused interfaces
D.Change the SNMP version to v1
AnswerA

Traps are unsolicited messages sent by the switch only when an event occurs, reducing the need for frequent polling.

Why this answer

SNMP traps are push-based notifications sent by the switch only when a significant event occurs (e.g., link up/down, threshold crossing), eliminating the need for the NMS to poll every 5 minutes. This reduces CPU load because the switch no longer processes periodic GET requests, which require CPU cycles to gather interface statistics from the MIB. Traps still provide monitoring data by alerting the NMS to changes, though they may not offer the same granularity as polling for all counters.

Exam trap

The trap here is that candidates often confuse 'reducing the scope of polling' (like disabling unused interfaces) with 'eliminating the polling mechanism itself,' but the correct answer targets the fundamental shift from pull-based (polling) to push-based (traps) communication to reduce CPU load.

How to eliminate wrong answers

Option B is wrong because increasing the SNMP community string (a shared password for v1/v2c) does not reduce CPU utilization; it only changes authentication credentials and may even increase overhead if the string is longer. Option C is wrong because disabling SNMP on unused interfaces reduces the amount of data that can be polled but does not eliminate the polling requests themselves—the switch still processes GET requests for active interfaces, and the CPU load from polling remains largely unchanged.

139
MCQmedium

A security administrator discovers that an attacker has intercepted data between two legitimate hosts by redirecting traffic through a rogue device. Which type of attack is this?

A.ARP poisoning
B.DNS poisoning
C.Man-in-the-middle
D.Replay attack
AnswerC

The scenario describes an attacker intercepting communications between two hosts by inserting themselves in the path. This is the classic definition of a man-in-the-middle attack.

Why this answer

This is a classic man-in-the-middle (MITM) attack, where the attacker intercepts and potentially alters communication between two legitimate hosts by inserting a rogue device into the data path. The key characteristic is the redirection of traffic through the attacker's device, which allows them to capture, inspect, or modify packets in transit.

Exam trap

CompTIA often tests the distinction between the attack type (MITM) and the technique used to achieve it (ARP poisoning), leading candidates to choose the method rather than the broader category.

How to eliminate wrong answers

Option A is wrong because ARP poisoning is a specific technique used to achieve a MITM attack on a local network by corrupting ARP caches, but the question describes the broader attack type (redirection through a rogue device), not the method. Option B is wrong because DNS poisoning corrupts DNS resolution to redirect traffic to a malicious IP, but the scenario explicitly states traffic is intercepted between two legitimate hosts via a rogue device, not through DNS manipulation. Option D is wrong because a replay attack involves capturing and retransmitting valid data to deceive a receiver, not intercepting and redirecting live traffic through a rogue device.

140
MCQmedium

A network administrator wants to allow wireless clients to seamlessly roam between access points without re-authenticating to the RADIUS server for each transition. Which IEEE standard should be implemented?

A.802.11r
B.802.11k
C.802.11w
D.802.1X
AnswerA

802.11r reduces latency for roaming by allowing key caching.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables wireless clients to roam between access points without re-authenticating to the RADIUS server by using a cached Pairwise Master Key (PMK) and performing a faster, over-the-air or over-the-DS key exchange. This reduces the time required for roaming handoffs, which is critical for real-time applications like VoIP.

Exam trap

CompTIA often tests the distinction between 802.11k (which helps clients decide where to roam) and 802.11r (which speeds up the actual authentication process), leading candidates to confuse 'neighbor reports' with 'fast roaming authentication'.

How to eliminate wrong answers

Option B (802.11k) is wrong because it provides neighbor report and radio resource measurement information to help clients decide when to roam, but it does not eliminate the need for re-authentication to the RADIUS server. Option C (802.11w) is wrong because it focuses on protecting management frames (e.g., deauthentication and disassociation) from forgery, not on reducing authentication overhead during roaming. Option D (802.1X) is wrong because it is a port-based access control standard that defines the initial authentication process (EAP over RADIUS), but it does not provide a mechanism for fast roaming without re-authentication; in fact, full 802.1X re-authentication would cause the latency that 802.11r aims to avoid.

141
MCQhard

Two routers are configured with OSPF in the same area, but they do not form an adjacency. Router A shows OSPF state EXSTART, and Router B shows state EXSTART. Which of the following is the most likely cause?

A.The OSPF Hello and Dead intervals are mismatched
B.The OSPF area IDs are different
C.The MTU is mismatched between the two routers
D.The network type is misconfigured (e.g., one side is broadcast, the other is point-to-point)
AnswerC

If the MTU size differs, the DBD packets exchanged in ExStart may be too large for one interface, causing the router to reject them and remain stuck in ExStart state.

Why this answer

When OSPF routers are stuck in the EXSTART state, it indicates that they have progressed past the 2-Way state and entered ExStart but are unable to exchange Database Description (DBD) packets. The most common cause is an MTU mismatch, because OSPF will not proceed to the Exchange state if a DBD packet exceeds the interface MTU of the neighbor. This causes the routers to continuously renegotiate the master/slave relationship without completing the exchange.

Exam trap

CompTIA often tests the MTU mismatch trap by having candidates confuse it with Hello/Dead interval mismatches, but the key clue is that both routers are stuck in EXSTART, not in INIT or 2-Way.

How to eliminate wrong answers

Option A is wrong because mismatched Hello/Dead intervals prevent OSPF neighbors from reaching the 2-Way state, not EXSTART; the routers would remain stuck in the INIT or DOWN state. Option B is wrong because mismatched area IDs prevent the formation of any adjacency at all, as OSPF routers will not even send Hello packets to neighbors in a different area; they would not reach EXSTART. Option D is wrong because a network type mismatch (e.g., broadcast vs. point-to-point) typically causes the routers to get stuck in the EXSTART state, but this is less common than MTU mismatch and often manifests as a neighbor state of EXSTART/EXCHANGE with repeated retransmissions; however, the most likely cause in this scenario is MTU mismatch, as it is a frequent and direct cause of EXSTART stalling.

142
MCQmedium

A network administrator notices that several workstations on the network are receiving IP addresses from an unknown source, causing intermittent connectivity issues. The DHCP server is located in the server room and is the only authorized DHCP server. Which security feature should be implemented on the access switches to prevent rogue DHCP servers from distributing IP addresses?

A.DHCP Snooping
B.Dynamic ARP Inspection
C.IP Source Guard
D.Port Security
AnswerA

DHCP Snooping filters DHCP messages and only allows DHCP offers from trusted ports, blocking rogue DHCP servers.

Why this answer

DHCP Snooping is the correct security feature because it filters untrusted DHCP messages on access switches. By configuring ports connected to end-user workstations as untrusted, the switch drops DHCP server responses (OFFER, ACK) received on those ports, preventing rogue DHCP servers from distributing IP addresses. This ensures only the authorized DHCP server in the server room can provide IP configurations.

Exam trap

Cisco often tests the distinction between DHCP Snooping and Dynamic ARP Inspection, where candidates mistakenly choose DAI because they confuse DHCP spoofing with ARP spoofing, but DHCP Snooping is the specific mechanism to block rogue DHCP servers.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server impersonation. Option C (IP Source Guard) is wrong because it uses DHCP Snooping binding table entries to filter IP traffic based on source IP and MAC addresses, but it does not directly block rogue DHCP server messages; it prevents IP spoofing by clients, not unauthorized DHCP offers.

143
MCQhard

A network administrator is creating a performance baseline for a new VoIP application. Which metric is most critical to monitor in order to ensure good voice quality for end users?

A.Bandwidth utilization
B.Latency
C.Jitter
D.Packet loss
AnswerB

Voice quality degrades significantly with high latency (over 150 ms). Low latency is essential for natural conversation.

Why this answer

Latency is the most critical metric for VoIP voice quality because it directly impacts the conversational flow. High latency (above 150 ms one-way, per ITU-T G.114) causes noticeable delays that disrupt natural conversation, leading to user dissatisfaction. While jitter and bandwidth are important, latency is the primary factor that degrades the interactive experience.

Exam trap

Cisco often tests the misconception that jitter is the most critical metric because it causes choppy audio, but the trap is that jitter can be corrected with a buffer, whereas latency is a cumulative, uncorrectable delay that directly breaks real-time interactivity.

How to eliminate wrong answers

Option A is wrong because bandwidth utilization, while important for capacity planning, does not directly affect voice quality as long as sufficient bandwidth is available; VoIP codecs like G.711 require only ~64 kbps per call. Option C is wrong because jitter is a variation in packet delay that can be mitigated by a jitter buffer (typically 30-50 ms), whereas latency cannot be buffered without worsening the delay, making it the more fundamental issue.

144
MCQhard

A company wants to implement network access control that requires users to authenticate before gaining access to the network. The NAC solution uses a policy that checks for antivirus updates and OS patches. Which component enforces the policy?

A.Supplicant
B.Authenticator
C.Authentication server
D.Policy server
AnswerB

The authenticator (e.g., a switch) enforces the policy by controlling the port state based on the authentication result.

Why this answer

The Authenticator (typically a switch or wireless access point) is the component that enforces the NAC policy by controlling access to the network port or SSID. It receives the authentication result from the Authentication Server and applies the policy (e.g., placing the endpoint in a quarantine VLAN if antivirus or OS patch checks fail). This enforcement is defined in IEEE 802.1X, where the Authenticator acts as the gatekeeper between the Supplicant and the network.

Exam trap

The trap here is that candidates often confuse the Authentication Server (which makes the decision) with the Authenticator (which enforces the decision), especially when the question emphasizes 'policy checks' like antivirus updates, leading them to incorrectly select the server.

How to eliminate wrong answers

Option A is wrong because the Supplicant is the client software (e.g., the device requesting access) that provides credentials and posture information, but it does not enforce the policy—it only responds to authentication challenges. Option C is wrong because the Authentication Server (typically a RADIUS server like Cisco ISE) validates credentials and posture data and sends an Access-Accept or Access-Reject message, but the actual enforcement (e.g., blocking or restricting the port) is performed by the Authenticator, not the server.

145
MCQhard

A security analyst is investigating a user's complaint that their wireless connection keeps disconnecting. The analyst uses a wireless scanning tool and discovers two access points broadcasting the same SSID 'CorpNet' with different BSSIDs. One is the legitimate company AP on channel 1, and the other is on channel 11 with a strong signal and security set to 'Open'. Which of the following attacks is most likely occurring?

A.War driving
B.Rogue access point
C.Evil twin
D.Bluesnarfing
AnswerC

The presence of two APs with the same SSID, one with strong signal and open security, strongly indicates an evil twin attack designed to capture credentials and traffic.

Why this answer

The presence of two access points broadcasting the same SSID 'CorpNet' with different BSSIDs, where the second AP is on channel 11 with a strong signal and security set to 'Open', is characteristic of an evil twin attack. The attacker sets up a fraudulent AP with the same SSID as the legitimate network but without encryption, tricking users into connecting to it and exposing their credentials or traffic. This differs from a rogue AP, which typically mimics the corporate network but may not necessarily use an open security setting or a different channel to lure victims.

Exam trap

Cisco often tests the distinction between a rogue AP (an unauthorized device plugged into the wired network) and an evil twin (a standalone malicious AP that mimics the SSID without being connected to the corporate infrastructure), so candidates must remember that the key differentiator is the open security and different channel used to lure clients away from the legitimate AP.

How to eliminate wrong answers

Option A is wrong because war driving is the act of searching for Wi-Fi networks by moving around a location, not an attack that causes disconnections by presenting a malicious duplicate AP. Option B is wrong because a rogue access point is an unauthorized AP connected to the corporate network, often with the same security settings, whereas the described scenario involves an open, strong-signal AP on a different channel actively competing with the legitimate AP to cause client disconnections.

146
MCQeasy

Which of the following best describes the purpose of the TCP three-way handshake?

A.To establish a reliable connection between two hosts
B.To terminate a connection gracefully
C.To resolve an IP address to a MAC address
D.To encrypt data between two devices
AnswerA

The three-way handshake sets up a TCP connection with synchronized sequence numbers.

Why this answer

The TCP three-way handshake is the process by which two hosts synchronize sequence numbers and establish a reliable connection before data transfer begins. It involves the exchange of SYN, SYN-ACK, and ACK segments, ensuring both sides are ready to communicate and agree on initial sequence numbers (ISNs) as defined in RFC 793.

Exam trap

The trap here is that candidates confuse the TCP three-way handshake with connection termination (the four-way handshake) or with lower-layer address resolution protocols like ARP, leading them to select the graceful termination or IP-to-MAC resolution options.

How to eliminate wrong answers

Option B is wrong because terminating a connection gracefully is accomplished using the TCP four-way handshake (FIN/ACK exchange), not the three-way handshake. Option C is wrong because resolving an IP address to a MAC address is the function of ARP (Address Resolution Protocol), not a TCP handshake mechanism.

147
MCQmedium

A network administrator wants to collect performance data from network devices over time and receive alerts when thresholds are exceeded. Which protocol should be used?

A.syslog
B.SNMP
C.NetFlow
D.ICMP
AnswerB

SNMP allows polling of MIB objects and sending traps when thresholds are exceeded.

Why this answer

SNMP (Simple Network Management Protocol) is designed to collect performance data from network devices by polling MIB (Management Information Base) objects and can generate traps or inform requests to send alerts when thresholds are exceeded. This makes it the correct choice for proactive monitoring and threshold-based alerting.

Exam trap

The trap here is that candidates confuse syslog (which can also send alerts via log messages) with SNMP's dedicated alerting mechanism (traps/informs), but syslog lacks the structured polling and MIB-based threshold monitoring that SNMP provides for performance data collection.

How to eliminate wrong answers

Option A is wrong because syslog is a logging protocol used for collecting event messages (RFC 5424), not for polling performance metrics or generating threshold-based alerts. Option C is wrong because NetFlow is a flow-based traffic accounting protocol that exports metadata about network flows (e.g., source/destination IP, ports, protocol) but does not poll device performance counters or send threshold alerts. Option D is wrong because ICMP is a diagnostic and error-reporting protocol (e.g., ping, traceroute) that provides connectivity and reachability checks, not ongoing performance data collection or alerting.

148
MCQmedium

A network administrator needs to collect detailed data about network traffic flows, including source/destination IP addresses, ports, and protocols, to analyze bandwidth usage patterns. Which technology should be used?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow captures metadata about each flow (conversation), including IP addresses, ports, and protocol, enabling detailed traffic analysis.

Why this answer

NetFlow is the correct choice because it is specifically designed to collect detailed metadata about network traffic flows, including source and destination IP addresses, ports, protocols, and byte counts. This granular flow-level data enables administrators to analyze bandwidth usage patterns, identify top talkers, and perform capacity planning. Unlike SNMP, which provides aggregate interface statistics, NetFlow exports flow records that contain the exact fields needed for deep traffic analysis.

Exam trap

Cisco often tests the distinction between SNMP (which provides aggregate interface statistics) and NetFlow (which provides per-flow metadata), and the trap here is that candidates mistakenly choose SNMP because they associate it with bandwidth monitoring, without realizing it lacks the detailed flow-level fields required for the scenario.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) polls counters like interface octets and errors, but it does not capture per-flow details such as source/destination IP addresses, ports, or protocols; it provides only aggregate bandwidth utilization at the interface level. Option C is wrong because Syslog is a logging protocol for event messages and system alerts, not a flow-export technology; it cannot collect or report on traffic flow metadata like IP addresses, ports, or protocols.

149
MCQeasy

A network engineer needs to connect two buildings that are 200 meters apart with a 1 Gbps link. The path is outdoors and susceptible to lightning strikes. Which cable type is the most appropriate for this scenario?

A.Cat6a UTP
B.Multimode fiber optic
C.Cat5e UTP
D.Single-mode fiber optic
AnswerB

Multimode fiber (e.g., 1000BASE-SX) supports 1 Gbps over 200m easily, is immune to electrical interference and lightning, and is cost-effective for this distance.

Why this answer

Multimode fiber optic cable is the most appropriate choice because it supports 1 Gbps over distances up to 550 meters (using OM2/OM3 fiber) and is completely immune to electromagnetic interference (EMI) from lightning strikes. Unlike copper cabling, fiber uses light pulses for transmission, so it does not conduct electricity, making it ideal for outdoor runs between buildings where lightning is a risk.

Exam trap

The trap here is that candidates often choose Cat6a UTP because they focus on bandwidth and distance but forget the outdoor lightning risk. They assume that higher-category copper can handle longer distances, when in fact all UTP copper is limited to 100 meters for Ethernet and is conductive.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP is a copper cable that can conduct electrical surges from lightning strikes, posing a safety and equipment damage risk, and its maximum recommended outdoor distance for 1 Gbps is 100 meters, which is insufficient for a 200-meter link without repeaters. Option C is wrong because Cat5e UTP also uses copper conductors, is susceptible to lightning-induced surges, and its maximum distance for 1 Gbps is 100 meters, making it unsuitable for the required 200-meter outdoor run.

150
MCQ · easy

A user can ping the default gateway (192.168.1.1) but cannot access the internet (e.g., ping 8.8.8.8 fails). The user's IP is correctly configured as 192.168.1.10/24. What should the technician check next?

A. Check the PC's DNS server settings
B. Verify the subnet mask on the PC
C. Check the router's default route configuration
D. Examine the switch port VLAN assignment
Answer: C

The router must have a default route to forward traffic to the internet. Without it, packets destined for external networks will be dropped.

Why this answer

Since the user can ping the default gateway (192.168.1.1), Layer 2 and Layer 3 connectivity within the local subnet is working, and the PC's IP configuration is correct. The failure to reach 8.8.8.8 indicates that the router does not have a valid path to external networks, which is typically provided by a default route (0.0.0.0/0). Checking the router's default route configuration is the logical next step because without it, the router cannot forward traffic destined for non-local networks.

Exam trap

Cisco often tests the distinction between local connectivity (pinging the gateway) and external connectivity (pinging a public IP), where candidates mistakenly jump to DNS or subnet mask issues instead of recognizing the router's lack of a default route as the root cause.

How to eliminate wrong answers

Option A is wrong because DNS server settings are irrelevant when testing connectivity via a direct IP address like 8.8.8.8; DNS is only needed for name resolution, not for IP-level reachability. Option B is wrong because the subnet mask is already correctly configured as /24 (255.255.255.0), and if it were misconfigured, the user would likely not be able to ping the default gateway either, as the PC would not consider the gateway to be on the same subnet.
