CompTIA Network+ N10-009 (N10-009) — Questions 151-225

520 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151
MCQ · medium

An NOC technician observes that the average latency on a critical WAN link has risen sharply. To determine which applications are consuming the most bandwidth and contributing to the latency, which tool should the technician use?

A. NetFlow
B. SNMP
C. Syslog
D. Ping
Answer: A

Correct. NetFlow captures traffic flows and allows analysis of bandwidth usage by application, source, and destination.

Why this answer

NetFlow is the correct tool because it provides per-flow traffic analysis, allowing the technician to identify which applications (by protocol and port) are consuming the most bandwidth on the WAN link. Unlike simple bandwidth monitors, NetFlow exports detailed records of source/destination IPs, ports, and byte counts, enabling precise identification of bandwidth-hungry applications contributing to increased latency.

Exam trap

CompTIA often tests the distinction between SNMP (which shows aggregate bandwidth) and NetFlow (which shows per-application bandwidth), leading candidates to mistakenly choose SNMP because they associate it with bandwidth monitoring, even though it cannot identify specific applications.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP polls interface counters (e.g., ifInOctets) to show aggregate bandwidth utilization, but it cannot identify individual applications or flows. Option C (Syslog) is wrong because Syslog is a logging protocol for system events and errors, not a traffic analysis tool; it provides no visibility into bandwidth consumption by application. Option D (Ping) is wrong because Ping measures round-trip latency and reachability using ICMP echo requests, but it cannot reveal which applications are using bandwidth or contributing to latency.
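The per-flow analysis described above, shown as an added worked example (not code from the original page): a small Python script that aggregates constructed NetFlow-style records by application and by source address, and contrasts that with the single interface-counter total that SNMP polling would give. The flow records, the port-to-application map and every address in it are invented for illustration.

```python
"""Top-talker analysis over NetFlow-style records (added example).

The flow records below are constructed for illustration; they mimic the
fields a NetFlow v5/v9 exporter sends (src/dst IP, ports, protocol, bytes).
"""
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 6, 51122, 443, 8_400_000),    # HTTPS
    ("10.1.1.11", "203.0.113.5", 6, 51123, 443, 6_200_000),    # HTTPS
    ("10.1.2.20", "198.51.100.9", 6, 40000, 445, 35_000_000),  # SMB file copy
    ("10.1.3.30", "192.0.2.7", 17, 60000, 514, 120_000),       # syslog
    ("10.1.3.31", "192.0.2.8", 6, 60001, 22, 900_000),         # SSH
    ("10.1.2.21", "198.51.100.9", 6, 40001, 445, 28_000_000),  # SMB file copy
]

# Assumed (protocol, port) -> application map using well-known ports.
APPS = {(6, 443): "HTTPS", (6, 80): "HTTP", (6, 445): "SMB", (6, 22): "SSH",
        (17, 514): "syslog", (17, 53): "DNS"}


def app_name(proto, sport, dport):
    """Label a flow by whichever end sits on a well-known port."""
    for port in (dport, sport):
        if (proto, port) in APPS:
            return APPS[(proto, port)]
    return f"proto{proto}/port{min(sport, dport)}"


def snmp_view(flows):
    """What an SNMP ifOutOctets-style counter tells you: one total, no detail."""
    return sum(f[5] for f in flows)


def netflow_view(flows, key="app"):
    """Byte totals per application (key='app') or per source IP (key='src'),
    sorted largest first: the breakdown NetFlow makes possible."""
    totals = defaultdict(int)
    for src, dst, proto, sport, dport, nbytes in flows:
        k = app_name(proto, sport, dport) if key == "app" else src
        totals[k] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_talker(flows, key="app"):
    """Return (name, bytes, percent of link total) for the biggest consumer."""
    name, nbytes = netflow_view(flows, key)[0]
    return name, nbytes, round(100 * nbytes / snmp_view(flows), 1)


if __name__ == "__main__":
    print("SNMP counter sees only:", snmp_view(FLOWS), "bytes")
    for name, nbytes in netflow_view(FLOWS):
        print(f"{name:10} {nbytes:>12,} bytes")
    print("Top application:", top_talker(FLOWS))
    print("Top source host:", top_talker(FLOWS, key="src"))
```

Run it and the SNMP-style figure is one number, while the NetFlow-style breakdown shows SMB file copies from two hosts taking about 80% of the link. In production the records would come from a collector (nfdump, ntopng, or a vendor platform) rather than a list literal, but the aggregation is the same.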

152
MCQ · hard

A company wants to ensure that only authorized users can access the internal network by requiring both a password and a one-time code from a mobile app. This is an example of:

A. Two-factor authentication
B. Single sign-on
C. Biometric authentication
D. Multifactor authentication with three factors
Answer: A

Two distinct factors (knowledge and possession) are required, making this two-factor authentication.

Why this answer

Two-factor authentication (2FA) requires exactly two distinct authentication factors from different categories: something you know (password) and something you have (one-time code from a mobile app). This matches the scenario precisely, as the password is a knowledge factor and the mobile app-generated code is a possession factor, satisfying the definition of 2FA.

Exam trap

CompTIA often tests the distinction between two-factor authentication and multifactor authentication, where candidates mistakenly think that using two different types of the same factor (e.g., two passwords) counts as 2FA, but the key is that the factors must come from different categories (knowledge, possession, inherence).

How to eliminate wrong answers

Option B is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials, but it does not inherently require two different factors; it typically uses a single factor (e.g., password) or can be combined with 2FA, but the scenario explicitly describes two distinct factors, not just a single authentication event. Option C is wrong because biometric authentication uses a unique biological trait (e.g., fingerprint, face scan) as a single factor, not a combination of a password and a one-time code; the scenario does not involve any biometric element. Option D is wrong because multifactor authentication with three factors would require three distinct categories (e.g., knowledge, possession, and inherence), but the scenario only uses two factors (password and one-time code), so it is two-factor, not three-factor.

153
MCQ · hard

A network administrator must monitor network devices using SNMP. The security policy mandates strong encryption for both authentication and data integrity. Which SNMP version and security level should be implemented?

A. SNMPv1
B. SNMPv2c
C. SNMPv3 with noAuthNoPriv
D. SNMPv3 with authPriv
Answer: D

Correct. The authPriv security level provides both authentication (HMAC-MD5 or HMAC-SHA) and encryption (DES, 3DES or AES). For a new deployment choose SHA and AES; MD5 and DES are still accepted by many agents for compatibility but are no longer considered strong.

Why this answer

SNMPv3 with authPriv is correct because it enables both of the User-based Security Model services: authentication with integrity protection (an HMAC over each message, so the receiver can verify the sender and detect tampering) and encryption of the PDU (so OIDs and values are confidential on the wire). The policy's "authentication and data integrity" requirement is met by the auth HMAC (SHA, or the deprecated MD5) and its "strong encryption" requirement by the priv cipher (AES, or the deprecated DES); only the authPriv level turns both on.

Exam trap

The exam often tests the misconception that SNMPv3 always provides encryption; noAuthNoPriv and authNoPriv are valid SNMPv3 security levels that do not meet a 'strong encryption' mandate. Also check the algorithms actually configured: a user defined with MD5 and DES is technically authPriv but would not satisfy a policy that asks for strong cryptography.

How to eliminate wrong answers

Option A is wrong because SNMPv1 authenticates with nothing more than a community string sent in plaintext and provides no encryption, failing the strong encryption mandate. Option B is wrong because SNMPv2c has the same plaintext community-string model: no encryption, no integrity check, and no authentication beyond a shared string that anyone sniffing the segment can read. Option C is wrong because SNMPv3 with noAuthNoPriv provides neither authentication nor encryption, which does not meet the security policy requirements.

154
MCQ · medium

A technician installs a new wireless access point that requires 25 watts of power using Power over Ethernet (PoE). The existing switch only supports 802.3af (15.4W per port). What is the most likely result?

A. The access point will power on but may not transmit at full power.
B. The access point will not power on.
C. The switch port will be damaged.
D. The access point will power on and function normally.
Answer: B

The switch supplies at most 15.4 W per port (802.3af), well short of the 25 W the AP requires; a 25 W device needs an 802.3at (PoE+) port, which is rated for 30 W. Without that budget the AP does not start.

Why this answer

The existing switch supports only 802.3af, which delivers at most 15.4 W at the port (about 12.95 W available to the powered device after cable loss). A 25 W access point needs an 802.3at (PoE+) port, which supplies up to 30 W. Because the switch cannot provide the power the AP requests, the expected result, and the one the exam wants, is that the AP does not power on.

In practice the outcome depends on the powered device: a PSE that cannot meet a PD's requested class either does not grant power or cuts it when the PD's draw exceeds the port limit, while some dual-radio APs detect an 802.3af PSE and deliberately boot in a reduced-power mode (fewer radios, lower transmit power or a disabled USB port). The question rules that out by stating the AP requires 25 W.

Exam trap

The trap here is that candidates assume a device will 'work at reduced power' or 'negotiate down'. On the exam, a PD whose stated requirement exceeds the PSE's budget does not come up; real devices that advertise an 802.3af fallback mode are the exception the wording 'requires 25 watts' is meant to exclude.

How to eliminate wrong answers

Option A is wrong because the PD has no way to run on less than the power it requires: the PSE either declines to grant the requested class or removes power when the PD overdraws the port, so the device does not come up at all rather than running in a degraded state. Option C is wrong because PoE switches have per-port overload and short-circuit protection and simply withdraw power from a port that draws too much; attaching an over-budget PD does not damage the port. Option D is wrong for the same reason as A: the budget is insufficient, so normal operation is impossible.

155
MCQ · medium

A company wants to ensure that only authorized devices that comply with security policies (such as updated antivirus and OS patches) are allowed to connect to the internal network. Both wired and wireless connections are used. Which of the following security solutions would best enforce this requirement?

A. VPN
B. Network Access Control (NAC)
C. Access control list (ACL)
D. Intrusion prevention system (IPS)
Answer: B

NAC solutions like Cisco ISE or Aruba ClearPass can enforce security policies by scanning endpoints before allowing access and quarantining non-compliant devices.

Why this answer

Network Access Control (NAC) is the correct solution because it enforces security policies by inspecting the health and compliance of devices—such as checking for updated antivirus definitions and OS patches—before granting access to the network. NAC can operate on both wired (e.g., 802.1X) and wireless (e.g., WPA2-Enterprise with RADIUS) connections, blocking or quarantining non-compliant devices. This matches the requirement to ensure only authorized, policy-compliant devices connect.

Exam trap

The trap here is that candidates often confuse NAC with VPN or ACL, thinking VPN provides endpoint security or ACLs can enforce policy compliance, but NAC is the only solution that performs dynamic, policy-based admission control based on device health and authorization.

How to eliminate wrong answers

Option A (VPN) is wrong because a VPN provides encrypted tunnels for remote access or site-to-site connectivity; it does not check endpoint compliance such as antivirus or patch status, and any client-side check a VPN product performs is separate from admission to the LAN. Option C (ACL) is wrong because an access control list filters traffic by IP address, port or protocol at Layer 3/4; it cannot assess device health, and it is static rather than a dynamic posture check. Option D (IPS) is wrong because an intrusion prevention system inspects traffic in-line for known attack patterns after the device is already on the network; it does not evaluate a device's compliance before granting access.

156
MCQ · medium

A technician connects a user's workstation to a switch port. The cable passes a physical test, and the switch port LED is green, but the workstation cannot establish a network connection. What is the most likely cause?

A. Incorrect VLAN assignment on the switch port
B. Duplex mismatch between the workstation and the switch
C. The workstation has a static IP address in the wrong subnet
D. A faulty cable
Answer: B

A duplex mismatch leaves the Layer 1 link up while corrupting frames at Layer 2, so the link light is green but communication fails or is severely degraded.

Why this answer

A duplex mismatch occurs when one side of a link runs full duplex and the other half duplex, usually because autonegotiation was disabled on one side (a side that still autonegotiates and gets no response falls back to half duplex). The cable test and green LED show Layer 1 is fine, but the full-duplex side transmits while it is receiving, which the half-duplex side treats as a collision; the result is late collisions, runts and CRC errors at Layer 2. In practice this more often shows up as very slow, error-ridden connectivity than as none at all; the exam uses it as the classic 'link light is green but it still does not work' cause. The fix is to set both ends to autonegotiate, or both to the same fixed speed and duplex.

Exam trap

The exam often pairs a green link LED (Layer 1 OK) with a lack of connectivity, tempting candidates toward a Layer 3 (IP addressing) or VLAN explanation, when the intended cause is a Layer 2 duplex negotiation failure that corrupts frames without dropping the physical link.

How to eliminate wrong answers

Option A is wrong in the exam's framing because a wrong VLAN still gives a green LED and a working link, and the workstation could still talk to whatever else is in that VLAN; the question points at a frame-level fault rather than a segmentation one. (On a real ticket, check the access VLAN too: a host in the wrong VLAN usually gets no DHCP lease and looks just as dead.) Option C is wrong because a static IP in the wrong subnet leaves Layer 1 and Layer 2 intact: the host still exchanges frames on the segment and can reach anything that falls within its misconfigured subnet, so the symptom would be a reachability problem for particular destinations, not a failure to establish any connection. Option D is wrong because the cable has already passed a physical test and the port shows link.

157
MCQ · easy

A network administrator wants to ensure that only a specific laptop can connect to a particular switch port. The laptop's MAC address is known. Which security feature should be configured?

A. 802.1X
B. Port security
C. DHCP snooping
D. BPDU guard
Answer: B

Port security allows the administrator to configure allowed MAC addresses per port, limiting access to specific devices. This directly meets the requirement.

Why this answer

Port security is the correct feature because it allows the administrator to statically configure the allowed MAC address on a specific switch port. Once configured, the switch will only forward traffic from that MAC address, dropping frames from any other source MAC. This directly fulfills the requirement to restrict access to a single known laptop.

Exam trap

The exam often tests the distinction between port security (which controls MAC-level access on a single port) and 802.1X (which controls network access via authentication), leading candidates to choose 802.1X because they associate it with 'security' and 'laptop access' without noticing that the requirement is a static binding of a known MAC address to a port.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control protocol that uses authentication (e.g., via RADIUS) to grant or deny access; it authenticates the user or device dynamically rather than binding a specific MAC address to a port. Option C is wrong because DHCP snooping filters DHCP messages on untrusted ports and builds a binding table used to stop rogue DHCP servers and IP spoofing; it does not restrict which MAC address may connect to a port. Option D is wrong because BPDU guard error-disables a PortFast port that receives a spanning-tree BPDU, protecting the STP topology from an unauthorized switch; it says nothing about MAC addresses. Practitioner caveat: a MAC address can be changed in software, so port security stops casual substitution of devices but not a deliberate attacker who clones the laptop's address; where that matters, 802.1X with certificates is the stronger control.

158
MCQ · medium

A user reports that their workstation cannot connect to the network. The technician checks the IP configuration and sees that the workstation has an IP address of 169.254.25.110. The DHCP server is operational and has available addresses. The switch port connected to the workstation shows a solid green link light. What should the technician check NEXT?

A. Check the DNS server configuration.
B. Replace the network cable between the wall jack and the workstation.
C. Check the switch port configuration for security features such as DHCP snooping or port security.
D. Verify the default gateway setting on the workstation.
Answer: C

Security features on the switch can discard the DHCP exchange or the workstation's frames while the link stays up, so the client never receives an offer and falls back to APIPA. With the server and link both confirmed good, the port configuration is the logical next check.

Why this answer

The workstation has an APIPA address (169.254.x.x), which means the DHCP exchange failed. Since the DHCP server is up with addresses to spare and the link is up, the switch path between them is the next suspect. If DHCP snooping is enabled but the uplink toward the DHCP server is not marked trusted, the switch drops the DHCPOFFER and DHCPACK arriving from that direction. With port security in protect or restrict mode, frames from a MAC address that is not on the allowed list are silently dropped while the link light stays green (in shutdown mode the port would be error-disabled and the LED would not show a solid green link).

Checking the switch port configuration is the logical next step.

Exam trap

The trap here is that candidates assume a link light guarantees full connectivity and jump to DNS or gateway issues; the exam expects you to read an APIPA address as a DHCP failure and, with the server confirmed healthy, to look next at Layer 2 features on the switch that could be blocking DHCP traffic.

How to eliminate wrong answers

Option A is wrong because DNS server configuration is irrelevant when the workstation has not obtained a valid IP address; DNS resolution requires a valid IP and default gateway. Option B is wrong because the solid green link light indicates the physical layer (cable and link) is functioning correctly, so replacing the cable is unlikely to resolve the DHCP issue. Option D is wrong because verifying the default gateway is premature; the workstation first needs a valid IP address from DHCP, and the APIPA address indicates the DHCP process failed.

159
MCQ · medium

A company wants to enforce network access control such that only authenticated users can connect to the wired network. The authentication server will use RADIUS. Which IEEE standard should be implemented?

A. 802.11i
B. 802.1X
C. 802.3af
D. 802.1Q
Answer: B

802.1X provides port-based authentication for wired and wireless networks, using RADIUS or other authentication servers.

Why this answer

802.1X is the IEEE standard for port-based network access control (PNAC). It provides a framework for authenticating devices before granting access to a wired or wireless LAN, using an authentication server such as RADIUS. This directly meets the requirement to enforce network access control so that only authenticated users can connect to the wired network.

Exam trap

The trap here is that 802.11i sounds security-related and is often confused with 802.1X. 802.11i defines the wireless security framework behind WPA2 (and in enterprise mode it itself relies on 802.1X/EAP for authentication), but it applies only to Wi-Fi and does not control access to wired switch ports.

How to eliminate wrong answers

Option A (802.11i) is wrong because it is a wireless security standard that specifies encryption and authentication for Wi-Fi networks (WPA2), not wired network access control. Option C (802.3af) is wrong because it defines Power over Ethernet (PoE) delivery, which is unrelated to authentication or network access enforcement. Option D (802.1Q) is wrong because it defines VLAN tagging on trunk links; it segments traffic but authenticates nobody.

160
MCQ · medium

A network technician is troubleshooting an intermittent link between two switches connected via single-mode fiber. The interface logs show frequent 'link up / link down' events, sometimes several times per hour. The technician has verified that the SFPs are compatible and the fiber cable is within distance specifications. Which of the following is the most likely cause of the issue?

A. Electromagnetic interference (EMI) from nearby power cables
B. Dirty or contaminated fiber connectors
C. Mismatched VLAN configurations on the switches
D. Duplex mismatch between the two switch ports
Answer: B

Contamination on fiber end-faces attenuates the optical signal and causes intermittent links. Check the transceiver's digital optical monitoring (DOM) readings for receive power sitting near the sensitivity threshold, inspect the end faces with a fiber scope, and clean the connectors; this resolves most such cases.

Why this answer

Intermittent link flaps on single-mode fiber, despite compatible SFPs and correct distance, are most often caused by dirty or contaminated fiber connectors. Even microscopic dust or oil on the end face can scatter light, causing signal loss that triggers the switch's optical receiver to lose sync and flap the link. This matches the symptom of frequent 'link up / link down' events without any configuration mismatch.

Exam trap

The trap here is that candidates assume fiber is immune to physical-layer issues and jump to configuration problems like duplex mismatch or EMI, but CompTIA often tests the fact that fiber connectors are the most common source of intermittent link flaps due to contamination.

How to eliminate wrong answers

Option A is wrong because fiber carries light, not electrical signals, so nearby power cables cannot induce noise into it (EMI can still affect the copper electronics of a badly shielded switch, but that is not what the option describes). Option C is wrong because mismatched VLAN configurations would cause traffic to be dropped or misrouted, but they would not cause the physical link to go up and down; the interface would remain up. Option D is wrong because a duplex mismatch cannot occur on these links: 1000BASE-LX and 10GBASE-LR run full duplex only (1000BASE-X autonegotiation exchanges only flow-control and fault information, and 10GBASE-R has no autonegotiation at all), so there is no half-duplex side to mismatch against.

161
MCQ · easy

A user reports that they cannot connect to a file server on the same subnet. The technician checks the IP configuration and sees an IP address of 169.254.5.10. What is the most likely cause?

A. The DHCP server is unreachable
B. The default gateway is misconfigured
C. The DNS server is down
D. The file server is offline
Answer: A

APIPA addresses are assigned when DHCP fails, so the DHCP server is unreachable.

Why this answer

The IP address 169.254.5.10 is a link-local address from the 169.254.0.0/16 range, which a DHCP client assigns itself when it fails to obtain a lease (Windows calls the feature Automatic Private IP Addressing, APIPA). Since the user is on the same subnet as the file server, a missing default gateway or DNS server would not prevent local connectivity; the self-assigned address shows the client never reached the DHCP server, and without a valid address in the server's subnet it cannot talk to the server either.

Exam trap

The trap here is that candidates often confuse APIPA with a DNS or gateway issue, but APIPA specifically indicates a DHCP failure, and local subnet connectivity does not require a gateway or DNS to function.

How to eliminate wrong answers

Option B is wrong because a misconfigured default gateway only affects traffic destined for other subnets, not local subnet communication; the user can still connect to a file server on the same subnet with a valid IP address. Option C is wrong because DNS resolution is not required for IP-based connections to a file server on the same subnet; the user could connect using the server's IP address directly even if DNS is down.

162
Matching · medium

Match each network device to its primary function.


Concepts
Matches

Forwards packets between different networks based on IP addresses

Forwards frames within the same network based on MAC addresses

Filters traffic based on security rules

Connects wireless clients to a wired network

Why these pairings

These are essential network devices.

163
MCQ · hard

A network engineer is troubleshooting connectivity issues between two data center switches that are configured to support jumbo frames with an MTU of 9000. The link is a 10 Gigabit Ethernet fiber connection. Large file transfers fail, but small transfers succeed. What is the most likely cause?

A.A
B.B
C.C
D.D
Answer: C

An intermediate device with a standard MTU will drop large frames, causing jumbo frame traffic to fail.

Why this answer

The most likely cause is an MTU mismatch. Jumbo frames of 9000 bytes require every interface on the Layer 2 path to accept that size. Ethernet has no fragmentation or reassembly: an interface still set to the default 1500-byte MTU counts a 9000-byte frame as a giant and drops it, usually without any notification to the sender.

Small transfers succeed because they fit within the standard MTU. A quick check from a host is a ping with the don't-fragment bit set and a large payload, e.g. `ping -M do -s 8972 <peer>` on Linux (8972 bytes of ICMP payload plus the 8-byte ICMP and 20-byte IPv4 headers makes a 9000-byte packet); if that fails while a 1472-byte payload succeeds, something in the path is still at 1500.

Exam trap

The trap here is that candidates often assume a physical layer issue (like a bad cable or transceiver) when the symptom is selective failure based on packet size, but the real cause is an MTU mismatch, which is a Layer 2 configuration problem.

How to eliminate wrong answers

Option A is wrong because a duplex mismatch would cause errors on all traffic, not just large transfers, and 10 Gigabit Ethernet is full duplex only, so there is nothing to mismatch. Option B is wrong because a faulty SFP+ transceiver causes intermittent or total link loss and CRC errors across all frame sizes, not a clean failure that depends on frame size. On most switches an incrementing giants (oversize frame) counter on the interface with the smaller MTU confirms the diagnosis.

164
MCQ · easy

Which IPv6 address type is used for one-to-many communication and is similar to an IPv4 multicast address?

A. Multicast
B. Anycast
C. Unicast
D. Broadcast
Answer: A

Multicast delivers packets to all interested nodes in a group, analogous to IPv4 multicast.

Why this answer

IPv6 multicast addresses (FF00::/8) are designed for one-to-many communication, where a single packet is delivered to multiple interfaces that have joined the multicast group. This directly parallels the behavior of IPv4 multicast addresses (224.0.0.0/4), making option A correct.

Exam trap

The trap here is that candidates confuse anycast with multicast because both involve groups of interfaces, but anycast delivers to only one member (the nearest), while multicast delivers to all members.

How to eliminate wrong answers

Option B is wrong because anycast addresses are used for one-to-one-of-many communication, where a packet is delivered to the nearest interface (by routing metric) among a group, not to all members simultaneously. Option C is wrong because unicast addresses (e.g., global unicast, link-local) are strictly one-to-one communication between a single source and a single destination. Option D is wrong because IPv6 does not have a broadcast address; broadcast functionality is replaced by multicast (e.g., the all-nodes multicast address FF02::1).

165
MCQ · medium

A security analyst notices a large number of incoming TCP packets to a server with the FIN, PSH, and URG flags set. This pattern is characteristic of which type of network scan?

A.SYN scan
B.Xmas tree scan
C.Null scan
D.ACK scan
AnswerB

An Xmas tree scan sets the FIN, PSH, and URG flags. It is a stealthy technique used to probe open/closed ports.

Why this answer

An Xmas tree scan sends TCP packets with the FIN, PSH, and URG flags set (the packet 'lights up' like a Christmas tree). It is a stealth scan that relies on RFC 793 behaviour: a closed port must answer an out-of-state segment with RST, while an open port silently discards it, so no response means open or filtered. Because that inference depends on the target following the RFC literally, the scan is unreliable against stacks that reply with RST regardless of port state (Microsoft Windows and many Cisco devices do); from the defender's side, the signature is the flag combination itself, not the responses. FIN, PSH and URG all set is the definitive marker of an Xmas tree scan.

Exam trap

CompTIA often tests the distinction between Xmas tree, Null, and SYN scans by focusing on the specific flag combinations, so the trap here is confusing the FIN/PSH/URG set (Xmas tree) with a Null scan (no flags) or a SYN scan (only SYN).

How to eliminate wrong answers

Option A is wrong because a SYN scan sends only the SYN flag set, not FIN, PSH, and URG. Option C is wrong because a Null scan sends a TCP packet with no flags set (all flags zero), not the combination of FIN, PSH, and URG. Option D is wrong because an ACK scan sends packets with only the ACK flag set, used to map firewall rules, not to detect open ports via the FIN/PSH/URG combination.
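To make the flag signature concrete, here is an added example (not part of the original page) that parses the flags field of a raw TCP header and labels the probe type, which is the same test a signature-based IDS rule encodes. The headers are constructed inside the script rather than captured, and the classifier goes slightly beyond the question by also recognising FIN and ACK probes.

```python
"""Classify TCP probe packets by flag combination (added example).

Takes raw TCP header bytes, as you would pull from a pcap or a raw socket,
and labels the packet as Xmas, Null, FIN, SYN, ACK or other. The sample
headers are built locally with build_tcp_header(), not captured from a scan.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a TCP header.

    The flags live in the low byte of the 16-bit word at offset 12 (the high
    nibble of that word is the data offset); the ECN bits above them are masked.
    """
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x3F


def classify_probe(header: bytes) -> str:
    """Map a flag combination to the scan type it is characteristic of."""
    f = tcp_flags(header)
    if f == FIN | PSH | URG:
        return "Xmas tree scan"
    if f == 0:
        return "Null scan"
    if f == FIN:
        return "FIN scan"
    if f == SYN:
        return "SYN scan (or normal connection attempt)"
    if f == ACK:
        return "ACK scan (or mid-stream segment)"
    return "other"


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with the given flags and no options."""
    data_offset_words = 5  # 5 * 4 = 20 bytes, i.e. no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (data_offset_words << 12) | flags, 8192, 0, 0)


def count_probes(headers):
    """Tally probe types across a batch of headers, e.g. one source's packets."""
    tally = {}
    for h in headers:
        label = classify_probe(h)
        tally[label] = tally.get(label, 0) + 1
    return tally


if __name__ == "__main__":
    sample = [build_tcp_header(40000 + i, 22, FIN | PSH | URG) for i in range(3)]
    sample.append(build_tcp_header(40003, 80, 0))
    sample.append(build_tcp_header(40004, 443, SYN))
    print(count_probes(sample))
```

A single SYN or ACK segment is ordinary traffic, so in a real detector the interesting signal is the count of Xmas or Null probes from one source across many destination ports in a short window, which is what `count_probes` is meant to feed.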

166
MCQ · easy

Which device operates at Layer 1 (Physical) of the OSI model and regenerates electrical signals to extend the distance of a network segment?

A. Switch
B. Router
C. Hub
D. Bridge
Answer: C

A hub is a Layer 1 device that repeats incoming signals to all ports, extending the physical range of the network.

Why this answer

A hub operates at Layer 1 (Physical) of the OSI model. It receives incoming electrical signals on one port and regenerates (repeats) those signals out to all other ports, effectively extending the physical reach of a network segment. Unlike switches or routers, it performs no frame inspection or forwarding decisions.

Exam trap

CompTIA often tests the distinction between a hub (Layer 1, signal regeneration) and a bridge/switch (Layer 2, frame forwarding), trapping candidates who confuse signal regeneration with MAC-based forwarding.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2 (Data Link) and uses MAC addresses to make forwarding decisions; it does not simply regenerate electrical signals. Option B is wrong because a router operates at Layer 3 (Network) and forwards packets based on IP addresses. Option D is wrong because a bridge operates at Layer 2 and uses MAC addresses to segment collision domains; although it does regenerate signals on the way through, it is not a pure Layer 1 device like a hub.

167
MCQ · easy

In a network, a collision domain is a network segment where which of the following is true?

A. Only one device can transmit at a time to avoid data collisions
B. All devices share the same IP subnet
C. Broadcast traffic is confined to that segment
D. MAC addresses are resolved to IP addresses
Answer: A

This is the definition of a collision domain; collisions occur if two devices transmit simultaneously.

Why this answer

In a collision domain, only one device can transmit at a time because if two or more devices transmit simultaneously, their signals collide, corrupting the data. This is a fundamental characteristic of half-duplex Ethernet segments, such as those using hubs or legacy bus topologies, where the medium is shared and CSMA/CD (Carrier Sense Multiple Access with Collision Detection) is used to manage access.

Exam trap

The trap here is that candidates often confuse collision domains with broadcast domains, mistakenly thinking that confining broadcast traffic or sharing an IP subnet defines a collision domain, when in fact collision domains are strictly about physical-layer contention for the medium.

How to eliminate wrong answers

Option B is wrong because sharing the same IP subnet describes a broadcast domain at Layer 3, not a collision domain, which is a Layer 1/2 concept. Option C is wrong because broadcast traffic being confined to a segment describes a broadcast domain, typically bounded by a router or VLAN, not a collision domain. Option D is wrong because address resolution is done by ARP (which, strictly, resolves an IP address to a MAC address, not the reverse) and is unrelated to collision domains; ARP works within a single broadcast domain.

168
MCQ · easy

Which of the following uniquely identifies a hardware network interface on a device?

A. MAC address
B. IP address
C. Subnet mask
D. Default gateway
Answer: A

A MAC address is a 48-bit hardware address assigned to each network interface card (NIC) for local network communications.

Why this answer

A MAC (Media Access Control) address is a 48-bit identifier burned into a network interface controller (NIC) by its manufacturer; the first 24 bits (the OUI) are assigned to that vendor by the IEEE so that burned-in addresses are globally unique. It operates at Layer 2 (Data Link) of the OSI model and is the address frames carry on the local segment. Note that the operating system can override the burned-in address, so a MAC is unique by assignment rather than by proof; that is why MAC-based controls such as port security stop accidents rather than determined attackers.

Exam trap

The trap here is that candidates often confuse the MAC address with the IP address, thinking the IP address is the hardware identifier; the exam treats the MAC address as the permanent Layer 2 identifier and IP addresses as logical ones that can be reassigned via DHCP or static configuration.

How to eliminate wrong answers

Option B (IP address) is wrong because an IP address is a logical, network-layer (Layer 3) identifier that can change based on the network the device is connected to, and it does not uniquely identify the hardware interface itself. Option C (Subnet mask) is wrong because it is a 32-bit value used to divide an IP address into network and host portions, not an identifier for any interface. Option D (Default gateway) is wrong because it is the IP address of a router that forwards traffic to other networks, not a property of the local device's hardware interface.

169
MCQ · medium

A technician is troubleshooting a connectivity issue. A client can successfully ping its default gateway but cannot ping a server located on a different subnet. The router's routing table shows a valid route to the server's network. What should the technician check NEXT?

A. The ACL applied to the router interface
B. The DNS resolution for the server
C. The ARP cache on the client
D. The duplex settings on the client NIC
Answer: A

An ACL might be blocking the traffic even though a valid route exists. An inbound ACL is checked before the routing lookup and an outbound ACL after it, so either can drop a packet the routing table would otherwise forward.

Why this answer

Since the client can ping its default gateway but not a server on a different subnet, and the router holds a valid route to that subnet, the local link and the routing lookup are both working. The next thing that can silently discard the packet is an ACL on a router interface, inbound on the client-facing interface or outbound on the server-facing one. ACLs match on source/destination IP, protocol and port, and a deny entry, or the implicit deny at the end of every ACL, drops the packet regardless of the route. Check the ACL match counters while the ping runs; a deny line whose count increments confirms it. Remember the return path as well: an ACL that blocks the ICMP echo-reply coming back produces exactly the same symptom.

Exam trap

CompTIA often tests the misconception that a valid route in the routing table guarantees end-to-end connectivity; an ACL applied to an interface filters packets independently of the routing decision, and a deny (explicit, or the implicit deny at the end of the list) drops traffic the route would have forwarded.

How to eliminate wrong answers

Option B is wrong because DNS resolution is not required for ICMP ping; pings use IP addresses, not hostnames, so DNS is irrelevant to the connectivity failure. Option C is wrong because the ARP cache on the client is only used to resolve the next-hop MAC address for the default gateway; since the client can already ping the gateway, ARP is functioning correctly. Option D is wrong because duplex mismatch would cause packet loss or collisions on the local link, but the client can successfully communicate with the default gateway, indicating the Layer 1/2 link is fine.
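As an added example (not from the original page), the following Python models the order of operations the explanation relies on: a routing lookup that succeeds, followed by a first-match ACL with implicit deny that drops the ping anyway. The routing table, ACL entries, interface name and packets are constructed for illustration and are not any vendor's syntax.

```python
"""First-match ACL evaluation with implicit deny (added example).

Models how a router-style extended ACL is applied to a packet: rules are
checked top to bottom, the first match decides, and a packet that matches
nothing is denied. Rules, routes and packets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# (action, protocol, source network, destination network, dst port or None)
# "ip" matches any protocol, as in a vendor ACL's "permit ip ..." entry.
ACL = [
    ("permit", "tcp",  "10.1.0.0/16", "10.2.0.0/24", 443),
    ("deny",   "icmp", "10.1.0.0/16", "10.2.0.0/24", None),
    ("permit", "ip",   "10.1.0.0/16", "10.2.0.0/24", None),
]

# Constructed routing table: destination prefix -> egress interface.
ROUTES = {"10.2.0.0/24": "GigabitEthernet0/1"}


def matches(rule, pkt):
    """True if every field of the rule matches the packet."""
    action, proto, src_net, dst_net, dport = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src_net):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst_net):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, rule_index); index None means the implicit deny hit."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule[0], i
    return "deny", None


def lookup_route(routes, dst):
    """Longest-prefix match over the constructed routing table."""
    best = None
    for net, iface in routes.items():
        network = ip_network(net)
        if ip_address(dst) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, iface)
    return None if best is None else best[1]


def forward(routes, acl, pkt):
    """Routing lookup first, then the outbound ACL on the egress interface."""
    egress = lookup_route(routes, pkt["dst"])
    if egress is None:
        return "no route"
    action, _ = evaluate(acl, pkt)
    return f"forwarded via {egress}" if action == "permit" else "dropped by ACL"


if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "10.1.1.10", "dst": "10.2.0.5"}
    https = {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.0.5", "dport": 443}
    print("ping :", forward(ROUTES, ACL, ping))   # route exists, ACL drops it
    print("https:", forward(ROUTES, ACL, https))  # same route, permitted
```

The ping and the HTTPS request take the same route and differ only in the ACL line they hit, which is the whole point of the question: the routing table can be perfect and the packet still never arrives. The same evaluator with the source and destination swapped models the return-path case.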

170
MCQ (hard)

A network administrator needs to ensure high availability for a critical server that has two network interfaces connected to two different switches. Which configuration should be implemented to provide failover and load balancing at the network layer?

A. Link aggregation (LACP)
B. Virtual IP (VRRP/HSRP)
C. Spanning Tree Protocol (STP)
D. Port mirroring
Answer: B

VRRP/HSRP allows two devices to share a virtual IP address so that if one fails, the other takes over seamlessly, providing network-layer redundancy.

Why this answer

Virtual IP protocols like VRRP or HSRP provide first-hop redundancy by allowing two or more routers (or servers acting as routers) to share a virtual IP address. If the active interface fails, the standby interface takes over the virtual IP, ensuring seamless failover at Layer 3. Additionally, with multiple virtual IP groups, traffic can be load-balanced across the two interfaces, meeting both high-availability and load-balancing requirements at the network layer.

Exam trap

CompTIA often tests the distinction between Layer 2 redundancy (LACP, STP) and Layer 3 redundancy (VRRP/HSRP), leading candidates to choose Link Aggregation because it sounds like 'load balancing' without realizing it operates at a different layer and cannot provide failover across separate switches at the network layer.

How to eliminate wrong answers

Option A is wrong because Link Aggregation (LACP) operates at Layer 2, combining multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not provide Layer 3 failover or load balancing of IP traffic across separate switches—it requires both interfaces to be on the same switch or a stack. Option C is wrong because Spanning Tree Protocol (STP) prevents Layer 2 loops by blocking redundant paths; it does not provide failover or load balancing at the network layer and would actually block one of the two interfaces to avoid loops. Option D is wrong because Port mirroring (SPAN) copies traffic from one port to another for monitoring or analysis purposes; it has no role in failover or load balancing.

171
MCQ (medium)

A network administrator wants to collect logs from multiple routers and switches to a central server for analysis. Which protocol should be configured on the devices to send logs to the server?

A. SNMP
B. Syslog
C. NetFlow
D. TFTP
Answer: B

Syslog is specifically designed for logging and log collection, making it the correct choice.

Why this answer

Syslog (RFC 5424) is the standard protocol for sending event messages (logs) from network devices like routers and switches to a central log server. It uses UDP port 514 by default (TCP port 6514 is used when syslog is carried over TLS, which gives reliable and encrypted delivery) and allows administrators to collect, store, and analyze system messages from multiple devices in one location.

Exam trap

Cisco often tests the distinction between SNMP traps (event alerts) and syslog (continuous log streaming), leading candidates to mistakenly choose SNMP because they think 'traps' are the same as sending logs.

How to eliminate wrong answers

Option A (SNMP) is wrong because SNMP is used for monitoring and managing device status via MIBs and traps, not for streaming continuous log messages; SNMP traps are event-driven alerts, not a full log collection mechanism. Option C (NetFlow) is wrong because NetFlow is a traffic accounting and flow analysis protocol that exports IP flow statistics (e.g., source/destination IPs, ports, byte counts), not system logs or event messages. Option D (TFTP) is wrong because TFTP is a trivial file transfer protocol used for backing up or restoring device configurations and firmware images, not for sending real-time log data to a server.

172
MCQ (medium)

A company is deploying a wireless network in an office where employees move between floors. They want clients to authenticate once and maintain connectivity without re-authenticating when roaming between access points (APs). Which IEEE wireless standard provides this fast roaming capability?

A. 802.11r
B. 802.11i
C. 802.11e
D. 802.11n
Answer: A

Correct. 802.11r enables fast roaming by pre-establishing security keys with candidate APs.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables clients to roam between access points without re-authenticating at each new AP. It achieves this by using a cached Pairwise Master Key (PMK) and a four-way handshake that is optimized to reduce the time required for reassociation, typically completing in under 50 milliseconds. This ensures seamless connectivity for mobile users moving between floors.

Exam trap

Cisco often tests the distinction between 802.11i (security) and 802.11r (fast roaming), so the trap here is confusing the authentication protocol with the roaming optimization standard, leading candidates to pick 802.11i because it deals with keys and handshakes.

How to eliminate wrong answers

Option B (802.11i) is wrong because it defines security mechanisms like WPA2 and the four-way handshake for initial authentication, but it does not include fast roaming optimizations; it requires a full re-authentication on each roam. Option C (802.11e) is wrong because it focuses on Quality of Service (QoS) enhancements, such as WMM and traffic prioritization, not on roaming or authentication speed. Option D (802.11n) is wrong because it specifies high-throughput improvements like MIMO and channel bonding (up to 600 Mbps), with no provisions for fast roaming or reduced re-authentication latency.

173
MCQ (hard)

A company is implementing 802.1X port-based authentication on its wired network to control access. The network uses Active Directory for user accounts. Which type of server must be deployed to authenticate clients connecting to the switch ports?

A. A DNS server
B. A DHCP server
C. A RADIUS server
D. A Kerberos server
Answer: C

RADIUS is the standard protocol for 802.1X authentication. The switch acts as a RADIUS client, sending authentication requests to the RADIUS server, which validates credentials against an identity store (e.g., Active Directory).

Why this answer

802.1X port-based authentication requires a RADIUS server to act as the authentication server that validates client credentials against the identity store (Active Directory). The switch (authenticator) forwards EAP frames from the client (supplicant) to the RADIUS server, which checks the credentials and instructs the switch to grant or deny port access.

Exam trap

Cisco often tests the misconception that because Active Directory uses Kerberos, a Kerberos server can directly authenticate switch ports, but 802.1X mandates a RADIUS server as the intermediary that translates EAP frames into authentication requests the switch can process.

How to eliminate wrong answers

Option A is wrong because a DNS server resolves hostnames to IP addresses and plays no role in authenticating users or controlling port access. Option B is wrong because a DHCP server assigns IP addresses dynamically but does not perform authentication or enforce port-based access control. Option D is wrong because Kerberos is a ticket-based authentication protocol used within Active Directory for domain logon, but 802.1X requires a RADIUS server to mediate authentication between the switch and the identity store; the switch cannot directly process Kerberos tickets.

174
MCQ (medium)

A company is implementing a wireless network and needs to support high-density client environments with minimal interference. Which IEEE 802.11 standard operates in the 5 GHz band and provides the highest throughput among the options?

A. 802.11ac
B. 802.11n
C. 802.11g
D. 802.11b
Answer: A

Correct. 802.11ac operates exclusively in the 5 GHz band and can achieve multi-gigabit throughput using wider channels, MIMO, and beamforming.

Why this answer

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band and supports up to 8 spatial streams, 256-QAM modulation, and channel bonding up to 160 MHz, for a theoretical maximum of roughly 6.9 Gbps. This makes it the highest-throughput option among the listed standards for high-density environments with minimal interference, as the 5 GHz band offers more non-overlapping channels and less co-channel contention than 2.4 GHz.

Exam trap

The trap here is that candidates often confuse 802.11n as the highest-throughput option because it supports both bands and is widely deployed, but they overlook that 802.11ac is strictly 5 GHz and offers significantly higher throughput through wider channels and higher-order modulation.

How to eliminate wrong answers

Option B (802.11n) is wrong because it operates in both 2.4 GHz and 5 GHz bands but caps at 600 Mbps with 40 MHz channels and 64-QAM, offering lower throughput than 802.11ac. Option C (802.11g) is wrong because it operates only in the 2.4 GHz band with a maximum of 54 Mbps using OFDM, and it suffers from interference from Bluetooth and microwaves. Option D (802.11b) is wrong because it operates only in the 2.4 GHz band with a maximum of 11 Mbps using DSSS, making it obsolete for high-density deployments.

175
MCQ (easy)

A network engineer needs to update the firmware on dozens of access points located across multiple office floors. The APs are managed by a central wireless controller. Which protocol should the controller use to transfer the firmware file to each AP?

A. FTP
B. TFTP
C. HTTP
D. SNMP
Answer: B

TFTP is lightweight and widely supported by network devices for transferring firmware images.

Why this answer

The correct answer is TFTP (Trivial File Transfer Protocol). Wireless LAN controllers (WLCs) use TFTP to push firmware images to lightweight access points (APs) because TFTP is lightweight, connectionless, and requires minimal memory and processing overhead on the AP. This makes it ideal for the simple, one-way file transfer of a firmware binary during the AP boot or upgrade process, where the AP acts as a TFTP client and the controller as the server.

Exam trap

The trap here is that candidates often choose FTP or HTTP because they are more familiar for file transfers, but they overlook that TFTP is the standard protocol used by Cisco wireless controllers for AP firmware upgrades due to its simplicity and low overhead.

How to eliminate wrong answers

Option A (FTP) is wrong because FTP requires a full TCP connection with session management and authentication, which adds unnecessary complexity and overhead for a simple firmware push to dozens of APs; controllers typically do not run an FTP server for AP upgrades. Option C (HTTP) is wrong because HTTP is a web-based protocol that is not natively supported by lightweight APs for firmware downloads; controllers use TFTP or occasionally CAPWAP multicast for image distribution, not HTTP. Option D (SNMP) is wrong because SNMP is a management and monitoring protocol used for reading and writing MIB variables (e.g., configuration changes or status polling), not for bulk file transfer of firmware images.

176
MCQ (hard)

An organization uses OSPF as its interior gateway protocol in a multi-area design. After a core router failure, the network takes a long time to reconverge. Which technology can be implemented to improve convergence speed?

A. Use static routes instead of OSPF
B. Increase OSPF hello and dead timers
C. Implement Bidirectional Forwarding Detection (BFD)
D. Configure all routers in a single OSPF area
Answer: C

BFD provides sub-second failure detection, which allows OSPF to converge much faster.

Why this answer

BFD provides sub-second failure detection by sending rapid, lightweight hello packets independently of OSPF's own hello mechanism. When a core router fails, BFD detects the link down in milliseconds and immediately signals OSPF to trigger reconvergence, drastically reducing the time OSPF would otherwise spend waiting for its own dead timer to expire.

Exam trap

CompTIA often tests the misconception that increasing OSPF timers or using a single area speeds up convergence, when in fact BFD is the correct technology for sub-second failure detection without altering OSPF's own protocol timers.

How to eliminate wrong answers

Option A is wrong because static routes lack dynamic adaptability and would require manual intervention to reroute around failures, making convergence slower and operationally impractical in a multi-area OSPF design. Option B is wrong because increasing hello and dead timers would actually slow down failure detection, making reconvergence take even longer, which is the opposite of the desired outcome. Option D is wrong because collapsing all routers into a single OSPF area would eliminate the benefits of hierarchical design (e.g., smaller LSDBs, summarization) and could increase convergence time due to larger link-state databases and more frequent SPF calculations, not improve it.

177
MCQ (medium)

A network administrator needs to connect two switches located in separate buildings 150 meters apart. The connection must support 10 Gbps speeds. Which cabling type is most appropriate?

A. Cat6a twisted pair
B. Cat7 twisted pair
C. Multi-mode fiber optic
D. Single-mode fiber optic
Answer: C

Multi-mode fiber with 10GBASE-SR supports 10 Gbps up to 300 meters, making it ideal for this 150-meter link.

Why this answer

Multi-mode fiber optic (MMF) is the most appropriate choice because it supports 10 Gbps speeds over distances up to 300 meters (using OM3 or OM4 fiber) with cost-effective transceivers (e.g., 10GBASE-SR). The 150-meter distance exceeds the 100-meter maximum for twisted-pair copper cabling (Cat6a or Cat7) at 10 Gbps, making fiber the only viable option among the choices.

Exam trap

The trap here is that candidates often assume Cat7 is superior to Cat6a for longer distances, but both are limited to 100 meters for 10GBASE-T, and the question's 150-meter requirement forces the choice to fiber; CompTIA often tests this distance limitation to distinguish copper from fiber solutions.

How to eliminate wrong answers

Option A is wrong because Cat6a twisted pair has a maximum distance of 100 meters for 10GBASE-T, and the 150-meter run exceeds this limit, causing signal degradation. Option B is wrong because Cat7 twisted pair, while rated for higher frequencies, still adheres to the same 100-meter distance limitation for 10GBASE-T as Cat6a; it does not extend the reach for 10 Gbps. Option D is wrong because single-mode fiber optic (SMF) supports 10 Gbps over much longer distances (kilometers) but is overkill and more expensive for a 150-meter link; multi-mode fiber is the cost-effective standard for this distance.

178
MCQ (medium)

A network security analyst notices that the firewall is logging traffic on the external interface that has a source IP address of 10.0.1.5, which is within the internal network range. This is most likely the result of which type of attack?

A. DNS poisoning
B. IP spoofing
C. ARP poisoning
D. VLAN hopping
Answer: B

IP spoofing involves crafting packets with a forged source IP address to impersonate an internal host.

Why this answer

The firewall is logging traffic on its external interface with a source IP address from the internal RFC 1918 range (10.0.1.5). This indicates the source IP has been forged, because private IP addresses should never appear as source addresses on a public-facing interface. This is the classic signature of an IP spoofing attack, where the attacker modifies the source IP in the packet header to impersonate an internal host.

Exam trap

The trap here is that candidates confuse IP spoofing with ARP poisoning, because both involve address impersonation, but ARP poisoning is a Layer 2 attack confined to the local subnet, whereas IP spoofing can originate from anywhere on the Internet and is visible on the external interface.

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting DNS resolver caches or zone data to redirect traffic to malicious sites, not forging source IP addresses on firewall logs. Option C is wrong because ARP poisoning operates at Layer 2 within a broadcast domain, manipulating ARP tables to intercept traffic, and would not cause a private IP to appear on an external firewall interface. Option D is wrong because VLAN hopping exploits trunk port misconfigurations (e.g., double tagging or switch spoofing) to gain access to traffic on other VLANs, and does not involve forging source IP addresses on an external interface.
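As an added example from the defender's side (not part of the question bank), the following Python sweeps firewall log records for exactly the symptom in this question: a source address from the RFC 1918 ranges, or another block that is never routable on the Internet, arriving on the external interface. It also shows the matching mitigation, an ingress anti-spoofing rule in the style of BCP 38. The key=value log format, the interface name "outside", and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Blocks that must never appear as a *source* on an Internet-facing interface:
# the three RFC 1918 private ranges plus loopback, link-local (APIPA),
# "this network", multicast and the reserved class E block.
NEVER_VALID_EXTERNAL_SOURCES = [
    ipaddress.ip_network(block) for block in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
        "224.0.0.0/4", "240.0.0.0/4",
    )
]

# Assumed key=value log format for this example; real firewalls differ.
LOG_RE = re.compile(
    r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+action=(?P<action>\S+)"
)

# Constructed sample log. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
iface=outside src=203.0.113.77 dst=198.51.100.10 action=accept
iface=outside src=10.0.1.5 dst=198.51.100.10 action=accept
iface=inside src=10.0.1.5 dst=203.0.113.77 action=accept
iface=outside src=192.168.50.9 dst=198.51.100.10 action=deny
iface=outside src=garbage dst=198.51.100.10 action=deny
"""


def is_spoofed_external_source(src: str) -> bool:
    """True if src is an address that cannot legitimately originate on the Internet side."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in NEVER_VALID_EXTERNAL_SOURCES)


def find_spoofed_sources(log_text: str, external_ifaces=("outside",)) -> List[Tuple[str, str, str]]:
    """Return (src, dst, action) for every external-interface record with a forged-looking source.

    Records on internal interfaces are ignored (a private source is normal there).
    Lines that do not parse, or carry a malformed address, are skipped so one
    bad record cannot abort the sweep.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["iface"] not in external_ifaces:
            continue
        try:
            spoofed = is_spoofed_external_source(m["src"])
        except ValueError:
            continue  # malformed address field
        if spoofed:
            hits.append((m["src"], m["dst"], m["action"]))
    return hits


def ingress_filter(iface: str, src: str, external_ifaces=("outside",)) -> str:
    """Mitigation: the anti-spoofing decision a border firewall should enforce (BCP 38 style)."""
    if iface in external_ifaces and is_spoofed_external_source(src):
        return "drop"
    return "permit"


if __name__ == "__main__":
    for src, dst, action in find_spoofed_sources(SAMPLE_LOG):
        print(f"spoofed source {src} -> {dst} ({action}) seen on external interface")
```

The detection and the filter deliberately share one list, so the same definition of "cannot originate outside" drives both the alert and the drop rule; note that the first accepted record from 10.0.1.5 is the one that would have been silently passed without such a rule.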

179
MCQ (hard)

A security analyst has enabled DHCP snooping on all VLANs of the company's switches to mitigate the risk of rogue DHCP servers. After implementation, the analyst discovers that clients are still receiving IP addresses from an unauthorized DHCP server. The unauthorized server is connected to a switch port that is currently configured as a trusted port. What should the analyst do to stop the rogue DHCP server from offering addresses?

A. Enable Dynamic ARP Inspection on the VLAN.
B. Change the port connecting the unauthorized server to an untrusted port.
C. Configure port security on the unauthorized server's port to limit MAC addresses.
D. Increase the rate limit on the unauthorized server's port.
Answer: B

DHCP snooping treats trusted ports as authorized sources of DHCP offers. By making the port untrusted, the switch will drop any DHCP server messages received on that port.

Why this answer

DHCP snooping operates by designating switch ports as either trusted or untrusted. Trusted ports are allowed to send DHCP server messages (OFFER, ACK), while untrusted ports are blocked from sending such messages. Since the rogue server is connected to a trusted port, it can still offer IP addresses.

Changing the port to untrusted will cause the switch to drop all DHCP server messages from that port, stopping the rogue server.

Exam trap

CompTIA often tests the misconception that DHCP snooping alone blocks all rogue servers, but the trap is that it only works if the rogue server's port is correctly classified as untrusted; candidates may forget that a trusted port bypasses all DHCP snooping filtering.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets, not DHCP messages; it does not prevent a rogue DHCP server from offering addresses. Option C is wrong because port security limits the number of MAC addresses on a port but does not inspect or block DHCP server messages; the rogue server could still send DHCPOFFERs. Option D is wrong because increasing the rate limit would allow more DHCP packets, not block them; rate limiting is used to prevent DoS attacks, not to enforce DHCP snooping trust boundaries.

180
MCQ (easy)

A user calls the help desk stating that they cannot access any network resources. The technician asks the user to run ipconfig and the output shows an IP address of 169.254.15.20 with a subnet mask of 255.255.0.0. Which of the following is the most likely cause?

A. The DNS server is not responding
B. The DHCP server is unreachable
C. The default gateway is misconfigured
D. There is a duplicate IP address on the network
Answer: B

When DHCP fails, Windows automatically assigns an APIPA address, indicating the device could not contact a DHCP server.

Why this answer

The IP address 169.254.15.20 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP client fails to receive a lease from a DHCP server. Since the user cannot access any network resources, the most likely cause is that the DHCP server is unreachable, preventing the client from obtaining a valid IP address, default gateway, and DNS server settings.

Exam trap

The trap here is that candidates often confuse APIPA with a DNS failure or gateway issue, but APIPA specifically indicates the DHCP process failed, not that other network services are misconfigured.

How to eliminate wrong answers

Option A is wrong because a non-responsive DNS server would not cause the client to obtain an APIPA address; the client would still have a valid DHCP-assigned IP address but would fail to resolve hostnames. Option C is wrong because a misconfigured default gateway would not result in an APIPA address; the client would have a valid IP from DHCP but would be unable to route traffic off the local subnet. Option D is wrong because a duplicate IP address would cause a conflict warning and possible connectivity issues, but the client would still have a valid DHCP-assigned IP address, not an APIPA address.

181
MCQ (easy)

Which network topology connects all devices to a central device?

A. Star
B. Mesh
C. Bus
D. Ring
Answer: A

A star topology uses a central device to connect all end devices.

Why this answer

In a star topology, each device connects directly to a central device such as a switch or hub. This central device manages all communication between endpoints, meaning any data sent from one device must pass through the central point before reaching its destination. This design simplifies fault isolation because a single cable failure only affects the connected device, not the entire network.

Exam trap

The trap here is that candidates often confuse a physical star topology with a logical bus topology (e.g., early Ethernet using a hub) and forget that a switch-based star creates a point-to-point logical connection, eliminating the shared medium and collision domain of a bus.

How to eliminate wrong answers

Option B is wrong because a mesh topology connects every device to every other device, either fully or partially, without relying on a single central device; this provides redundancy but increases cabling and complexity. Option C is wrong because a bus topology uses a single shared backbone cable where all devices tap into the same line, and a failure in the backbone can bring down the entire segment. Option D is wrong because a ring topology connects devices in a closed loop where each device has exactly two neighbors, and data travels sequentially around the ring; there is no central device, and a single break can disrupt the entire ring unless a dual-ring or self-healing mechanism (e.g., FDDI) is used.

182
MCQ (medium)

A network engineer is implementing VLANs for a company. The finance department's workstations are connected to switch ports configured as access ports in VLAN 20. The finance server is located in a different building and is connected to a second switch. The two switches are interconnected via a trunk link. What must be configured on the trunk link to allow finance workstations to communicate with the finance server?

A. Allow VLAN 20 on the trunk
B. Set the native VLAN to 20 on both switches
C. Configure the trunk port as an access port in VLAN 20
D. Enable VLAN pruning for all VLANs on the trunk
Answer: A

By default, some trunks may carry only VLAN 1 unless explicitly configured. Adding VLAN 20 to the allowed VLAN list on the trunk ensures that traffic from VLAN 20 can traverse the link.

Why this answer

A trunk link carries traffic for multiple VLANs. By default, all VLANs are allowed on a trunk, but if the allowed list has been restricted and VLAN 20 is not in it, VLAN 20 traffic will be dropped. Adding VLAN 20 to the allowed list on both ends (on Cisco IOS, 'switchport trunk allowed vlan add 20'; without the add keyword the command replaces the whole list with VLAN 20 alone) ensures that frames tagged with VLAN 20 traverse the trunk, enabling communication between the finance workstations (access ports in VLAN 20) and the finance server.

Exam trap

Cisco often tests the misconception that simply creating a VLAN and assigning access ports is enough for inter-switch communication, when in fact the trunk must explicitly permit that VLAN in its allowed list.

How to eliminate wrong answers

Option B is wrong because the native VLAN only determines which VLAN's frames cross the trunk untagged; the switches already tag VLAN 20 frames on the trunk, so changing the native VLAN does nothing to permit VLAN 20, and a native VLAN mismatch between the two switches can lead to VLAN hopping or frames landing in the wrong VLAN. Option C is wrong because a trunk port cannot be configured as an access port; these are mutually exclusive port modes: an access port belongs to a single VLAN, while a trunk port carries multiple VLANs. Option D is wrong because VLAN pruning (via VTP pruning or manual configuration) removes unused VLANs from the trunk to conserve bandwidth, but enabling pruning for all VLANs would block VLAN 20 traffic if it is not actively used on the other switch, which is not the goal.

183
MCQ (medium)

A network technician is assigned a subnet mask of 255.255.255.248. How many usable host addresses are available in this subnet?

A. 6
B. 8
C. 14
D. 30
Answer: A

Correct. /29 gives 8 total addresses minus 2 = 6 usable hosts.

Why this answer

The subnet mask 255.255.255.248 corresponds to a /29 prefix length, which provides 2^(32-29) = 8 total addresses. Subtracting the network address and broadcast address leaves 8 - 2 = 6 usable host addresses.

Exam trap

Cisco often tests the distinction between total addresses and usable host addresses, trapping candidates who forget to subtract the two reserved addresses (network and broadcast) from the total.

How to eliminate wrong answers

Option B is wrong because 8 is the total number of addresses in the subnet, not the number of usable hosts; the usable count excludes the network and broadcast addresses. Option C is wrong because 14 usable hosts would require a /28 mask (255.255.255.240), not a /29. Option D is wrong because 30 usable hosts would require a /27 mask (255.255.255.224), not a /29.
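As an added example (not part of the question bank), the subnet arithmetic above generalised to any dotted-decimal mask in Python: it converts the mask to a prefix length, rejects non-contiguous masks instead of miscounting them, applies the same total-minus-two rule the question uses, and treats /31 and /32, which reserve no network or broadcast address, as the exceptions they are. The sample address 192.168.1.10/29 is constructed for the usage call.

```python
import ipaddress
from typing import Optional, Tuple


def prefix_length(mask: str) -> int:
    """Return the prefix length of a dotted-decimal IPv4 mask.

    A valid mask is a run of 1-bits followed only by 0-bits; anything else
    (e.g. 255.255.0.255) is rejected rather than silently counted.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def usable_hosts(mask: str) -> int:
    """Usable host addresses for a mask.

    Same rule as the question: 2^(32 - prefix) total addresses minus the
    network and broadcast addresses. A /31 point-to-point link (RFC 3021)
    and a /32 host route reserve nothing, so both addresses of a /31 and
    the single address of a /32 are usable.
    """
    plen = prefix_length(mask)
    total = 2 ** (32 - plen)
    if plen >= 31:
        return total
    return total - 2


def host_range(cidr: str) -> Optional[Tuple[str, str]]:
    """First and last usable host of a /30 or larger network, given any address in it."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen >= 31:
        return None  # no distinct network/broadcast addresses to exclude
    return str(net.network_address + 1), str(net.broadcast_address - 1)


if __name__ == "__main__":
    for mask in ("255.255.255.248", "255.255.255.240", "255.255.255.224"):
        print(f"{mask} = /{prefix_length(mask)} -> {usable_hosts(mask)} usable hosts")
    print(host_range("192.168.1.10/29"))  # constructed sample address
```

The three masks in the usage call are the ones the distractors B, C and D correspond to, so running the block reproduces the elimination reasoning above for each of them.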

184
MCQ (medium)

A network administrator is connecting two switches to increase bandwidth and provide redundancy. Which technology should be used to combine multiple physical links into a single logical link?

A. Spanning Tree Protocol
B. Link Aggregation Control Protocol
C. VLAN Trunking Protocol
D. Rapid Spanning Tree Protocol
Answer: B

LACP combines multiple physical links into a single logical link, increasing bandwidth and providing failover.

Why this answer

Link Aggregation Control Protocol (LACP) is the correct technology because it allows multiple physical Ethernet links to be combined into a single logical link, increasing aggregate bandwidth and providing redundancy. LACP (IEEE 802.3ad) automatically negotiates and manages the bundling of ports between switches, ensuring that traffic is load-balanced across the member links and that the bundle remains operational even if one physical link fails.

Exam trap

Cisco often tests the misconception that STP or RSTP can be used to increase bandwidth, but the trap here is that STP and RSTP only provide redundancy by blocking ports to prevent loops, not by actively combining links for higher throughput.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) is designed to prevent loops in a network topology by blocking redundant paths, not to combine links for increased bandwidth. Option C is wrong because VLAN Trunking Protocol (VTP) is used to manage VLAN configurations across switches, not to aggregate physical links. Option D is wrong because Rapid Spanning Tree Protocol (RSTP) is an enhancement of STP that provides faster convergence after a topology change, but it still does not bundle links for bandwidth or redundancy.

185
MCQ (medium)

A network administrator is troubleshooting an intermittent link between two switches connected by single-mode fiber. The interface log shows "Link up / Link down" events multiple times per hour. Which of the following is the most likely cause?

A. Incorrect VLAN configuration on the switch ports
B. Crossed fiber pairs
C. Dirty fiber connectors
D. Duplex mismatch between the switches
Answer: C

Dirty connectors can cause intermittent signal loss as the light is partially blocked. This is a common cause of flapping fiber links. Cleaning the connectors often resolves the issue.

Why this answer

Dirty fiber connectors cause intermittent signal loss by scattering or absorbing light, which leads to CRC errors and repeated link flaps as the optical transceiver struggles to maintain synchronization. This matches the 'Link up / Link down' pattern seen in the logs, especially on single-mode fiber where precise alignment is critical.

Exam trap

The trap here is that candidates often jump to duplex mismatch or VLAN misconfiguration as common causes of link issues, but the intermittent 'Link up / Link down' pattern specifically points to a physical-layer problem like dirty connectors, not a Layer 2 configuration error.

How to eliminate wrong answers

Option A is wrong because incorrect VLAN configuration would cause traffic isolation or connectivity issues, not physical link state changes; VLAN mismatches do not trigger link flaps. Option B is wrong because crossed fiber pairs (e.g., TX/RX swapped) typically result in a complete failure to establish link, not intermittent up/down events, as the transceiver cannot detect a valid signal. Option D is wrong because duplex mismatch on fiber links is rare (fiber is usually full-duplex by default) and would cause late collisions or high error rates, not repeated link flaps; auto-negotiation issues on fiber are uncommon and would not produce the described log pattern.

186
MCQ (hard)

A network administrator scheduled a change window to upgrade the firmware on a core switch. During the upgrade, the switch fails to boot properly. The administrator needs to restore the switch to its previous operational state. Which of the following should the administrator have done before the upgrade to facilitate a successful rollback?

A. Notified all users of the maintenance window.
B. Backed up the current configuration and firmware image.
C. Disconnected all redundant links.
D. Set the switch to boot from an alternative image.
Answer: B

A backup of both the configuration and the firmware image is essential to restore the switch to its exact previous state.

Why this answer

Option B is correct because backing up both the current configuration and the firmware image ensures that the administrator can restore the switch to its exact previous operational state if the upgrade fails. Without a backup of the firmware image, the switch may not have a valid bootable image to revert to, even if the configuration is saved. This is a fundamental prerequisite for any firmware upgrade rollback plan.

Exam trap

The trap here is that candidates often confuse 'backing up the configuration' with 'backing up the firmware image,' assuming a configuration backup alone is sufficient for a full rollback, but without the firmware image the switch may have no bootable OS to load.

How to eliminate wrong answers

Option A is wrong because notifying users of the maintenance window is a communication best practice but does not provide any technical mechanism to restore the switch after a failed boot. Option C is wrong because disconnecting redundant links is a safety measure to prevent loops or traffic disruptions during the upgrade, but it does not preserve the previous firmware or configuration for rollback. Option D is wrong because setting the switch to boot from an alternative image only works if a valid alternative image already exists on the device; without a prior backup, there may be no alternative image available, and this action does not guarantee a rollback to the exact previous state.

187
MCQ (hard)

An attacker intercepts communication between two parties and is able to modify the data in transit without either party's knowledge. Which type of attack is this?

A. Man-in-the-middle
B. ARP spoofing
C. DNS poisoning
D. Replay attack
Answer: A

A man-in-the-middle attack precisely describes an attacker intercepting and modifying communications between two endpoints without their knowledge.

Why this answer

A man-in-the-middle (MITM) attack occurs when an adversary secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other. The attacker can modify data in transit without either party's knowledge by placing themselves in the logical or physical path of the data flow, often by exploiting weaknesses in authentication or encryption. This matches the scenario described, where the attacker both intercepts and modifies the data.

Exam trap

Cisco often tests the distinction between the attack type (MITM) and the technique used to achieve it (ARP spoofing, DNS poisoning), so candidates mistakenly select the technique rather than the overarching attack described in the scenario.

How to eliminate wrong answers

Option B (ARP spoofing) is wrong because ARP spoofing is a specific technique used to achieve a man-in-the-middle position on a local network by sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host, but it is not the attack itself—it is a method to enable an MITM attack. Option C (DNS poisoning) is wrong because DNS poisoning corrupts the DNS cache to redirect traffic to a malicious server, which can facilitate an MITM attack, but the attack described is the interception and modification of data in transit, not the redirection itself. Option D (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid data to trick the receiver, not modifying the data in transit; the attacker in a replay attack does not alter the payload.

188
MCQ · medium

A network technician is configuring a small office network with two subnets: 10.0.1.0/24 and 10.0.2.0/24. Each subnet has its own switch, and both switches are connected to a router with interfaces 10.0.1.1 and 10.0.2.1. Hosts on subnet A can ping the router's interface in their subnet but cannot ping hosts on subnet B. Which of the following is the most likely cause?

A.The router is not configured with a routing protocol.
B.IP routing is disabled on the router.
C.The hosts in subnet A have the wrong default gateway.
D.The switch in subnet A is blocking ICMP traffic.
Answer: B

If IP routing is disabled, the router will not forward packets between its interfaces, preventing inter-subnet communication.

Why this answer

The hosts on subnet A can ping their default gateway (10.0.1.1) but cannot reach hosts on subnet B, which indicates that the router is not forwarding packets between the two directly connected subnets. This behavior is characteristic of a router with IP routing disabled, as the router will not perform inter-VLAN or inter-subnet forwarding unless the 'ip routing' command is enabled globally. Without IP routing, the router acts as a host and will only respond to traffic destined for its own interfaces, dropping any packets that require forwarding to another subnet.

Exam trap

Cisco often tests the distinction between 'routing protocol' and 'IP routing' — candidates mistakenly think a routing protocol is required for directly connected subnets, when in fact the 'ip routing' global command is the fundamental enabler of any Layer 3 forwarding.

How to eliminate wrong answers

Option A is wrong because a routing protocol is unnecessary for forwarding between directly connected subnets; the router can use its connected routes without any dynamic routing protocol. Option C is wrong because the hosts in subnet A can ping their default gateway (10.0.1.1), which proves the default gateway is correctly configured; if it were wrong, they would not be able to reach the router interface. Option D is wrong because the switch in subnet A is a Layer 2 device and does not block ICMP traffic between subnets; ICMP filtering would be applied on the router, not the switch, and the hosts can already ping the router interface, confirming Layer 2 connectivity is fine.

189
MCQ · medium

A network administrator needs to upgrade the backbone link between two switches to fiber optic to eliminate electromagnetic interference. The distance between the switches is 350 meters. Which transceiver type should be used?

A.1000BASE-SX
B.1000BASE-LX
C.1000BASE-CX
D.1000BASE-T
Answer: A

1000BASE-SX operates over multimode fiber and supports distances of 220 to 550 meters depending on the fiber grade, which covers the 350-meter link.

Why this answer

1000BASE-SX (option A) is correct because it supports distances up to 550 meters over multimode fiber (MMF) at 850 nm wavelength, making it suitable for the 350-meter backbone link. It is designed to eliminate electromagnetic interference (EMI) by using fiber optic cabling, and the distance falls within its maximum reach for common multimode fiber types like OM2 or OM3.

Exam trap

Cisco often tests the distance limitations of fiber transceivers, and the trap here is that candidates might choose 1000BASE-LX because they assume 'longer distance is always better,' overlooking that 1000BASE-SX is the correct, cost-effective choice for the given 350-meter range over multimode fiber.

How to eliminate wrong answers

Option B (1000BASE-LX) is wrong because it is typically used for longer distances (up to 5 km over single-mode fiber or 550 m over multimode fiber with mode conditioning patch cables), but it is overkill for a 350-meter link and more expensive than SX; the question specifies a straightforward upgrade to eliminate EMI, not long-haul requirements. Option C (1000BASE-CX) is wrong because it uses copper twinaxial cabling with a maximum distance of only 25 meters, which cannot reach 350 meters and does not eliminate electromagnetic interference as it is a copper-based solution. Option D (1000BASE-T) is wrong because it operates over twisted-pair copper cabling (Cat5e or higher) with a maximum distance of 100 meters, far short of 350 meters, and it is susceptible to electromagnetic interference, directly contradicting the requirement.

190
MCQ · hard

A network has a single switch with VLANs 10, 20, and 30 configured. The switch is connected to a router that has three subinterfaces, each in a different VLAN. How many broadcast domains are present?

A.1
B.3
C.4
D.5
Answer: B

Each VLAN (10, 20, 30) creates its own broadcast domain. Router subinterfaces do not combine them.

Why this answer

Each VLAN is a separate Layer 2 broadcast domain. With VLANs 10, 20, and 30 configured on the switch and a router using subinterfaces to route between them, there are exactly three broadcast domains — one per VLAN. Broadcasts are confined to their VLAN and do not cross VLAN boundaries without a Layer 3 device.

Exam trap

The trap here is that candidates often count the router subinterfaces as separate broadcast domains, not realizing that broadcast domains are strictly Layer 2 constructs and that the router only provides inter-VLAN routing without adding new broadcast domains.

How to eliminate wrong answers

Option A is wrong because a single broadcast domain would imply no VLAN segmentation, but the switch has three VLANs configured, each isolating broadcasts. Option C is wrong because four broadcast domains would require an additional VLAN or a separate management VLAN acting as a distinct broadcast domain, which is not described. Option D is wrong because five broadcast domains would require five separate VLANs or a mix of VLANs and routed ports, neither of which is present in the scenario.

191
MCQ · easy

A network engineer needs to connect two devices that are 150 meters apart with a 10 Gbps link. Which cabling type is most suitable?

A.Cat6a UTP
B.Cat7 STP
C.Single-mode fiber
D.Multimode fiber
Answer: C

Single-mode fiber supports 10 Gbps over distances of many kilometers, making it ideal for a 150-meter link.

Why this answer

Single-mode fiber (SMF) is the correct choice because it supports 10 Gbps transmission over distances well beyond 150 meters, typically 10 km or more with 10GBASE-LR optics. By contrast, copper cabling such as Cat6a or Cat7 is limited to 100 meters for 10GBASE-T, and multimode fiber (MMF) with 10GBASE-SR reaches only about 300-400 meters depending on the fiber grade (e.g., OM3/OM4); SMF therefore provides the most reliable and future-proof solution for this distance.

Exam trap

The trap here is that candidates often assume multimode fiber is sufficient for any distance under 300 meters, but the exam emphasizes 'most suitable' based on scalability and performance, making single-mode fiber the better choice even for shorter runs when future-proofing is considered.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP supports 10GBASE-T only up to 100 meters, so it cannot reach 150 meters. Option B is wrong because Cat7 STP, while shielded, still adheres to the same 100-meter distance limitation for 10GBASE-T per TIA/EIA standards. Option D is wrong because multimode fiber (e.g., OM3/OM4) with 10GBASE-SR can reach up to 300-400 meters, which technically covers 150 meters, but single-mode fiber is more suitable for this distance due to lower attenuation, higher bandwidth, and better scalability for future upgrades; the question asks for the 'most suitable' cabling type, and SMF is the optimal choice for a 150-meter 10 Gbps link.

192
MCQ · easy

A network administrator wants to prevent unauthorized devices from being plugged into switch ports. Only devices with specific MAC addresses should be allowed on each port. Which switch security feature should be enabled?

A.DHCP snooping
B.Dynamic ARP inspection
C.Port security
D.802.1X
Answer: C

Correct. Port security limits the MAC addresses that can communicate through a switch port, preventing unauthorized devices from connecting.

Why this answer

Port security is the correct feature because it allows the administrator to restrict which MAC addresses can communicate through a switch port. By configuring allowed MAC addresses (sticky or static), any device with an unknown MAC address attempting to send traffic will trigger a security violation (shutdown, restrict, or protect). This directly addresses the requirement to prevent unauthorized devices from being plugged into switch ports.

Exam trap

CompTIA often tests the distinction between port security (MAC-based access control) and 802.1X (authentication-based access control), leading candidates to incorrectly choose 802.1X when the question explicitly mentions 'specific MAC addresses' rather than user credentials or certificates.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table, but it does not restrict which MAC addresses can be plugged into a port. Option B is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing, but it does not control which devices are physically connected to a port. Option D is wrong because 802.1X is a port-based network access control (PNAC) protocol that uses authentication (EAP) to grant or deny network access, but it does not rely on a static list of MAC addresses; it requires a RADIUS server and credentials or certificates.

193
MCQ · medium

A user reports that they cannot access the internal web server by its fully qualified domain name (intranet.company.com). The workstation's IP configuration shows a DNS server of 8.8.8.8, but the internal DNS server is 10.0.0.10. The user can successfully ping the server's IP address (10.0.0.50). What is the MOST likely cause of the issue?

A.The workstation is using the wrong DNS server address
B.The subnet mask on the workstation is incorrect
C.The network cable is faulty
D.The default gateway is misconfigured
Answer: A

The DNS server should be set to the internal DNS server to resolve internal hostnames.

Why this answer

The workstation's DNS server is set to 8.8.8.8 (a public Google DNS server), which cannot resolve the internal domain name 'intranet.company.com' because that zone is only hosted on the internal DNS server at 10.0.0.10. Since the user can ping the server's IP address (10.0.0.50), network connectivity is fine, confirming the issue is name resolution. The most likely cause is that the workstation is using the wrong DNS server address.

Exam trap

The trap here is that candidates often confuse a DNS resolution failure with a network connectivity issue, but the ability to ping the IP address proves the problem is strictly name resolution, not layer 2 or layer 3 problems.

How to eliminate wrong answers

Option B is wrong because an incorrect subnet mask would prevent communication with any host on a different subnet, but the user can successfully ping the server's IP address, indicating layer 3 connectivity is intact. Option C is wrong because a faulty network cable would cause a complete loss of connectivity, not just a failure to resolve a name while pinging by IP succeeds. Option D is wrong because a misconfigured default gateway would block traffic to remote networks, but the internal web server is on the same subnet (10.0.0.0/24 implied), so local ARP-based communication would still work; the user can ping the server, proving the gateway is not the issue.

194
MCQ · hard

A network engineer is configuring a new wireless LAN for a high-density environment such as a conference hall. The engineer needs to minimize co-channel interference. Which of the following should be configured on the access points?

A.Increase transmit power
B.Decrease transmit power
C.Decrease beacon interval
D.Implement channel bonding
Answer: B

Decreasing transmit power shrinks cells, allowing more non-overlapping APs and reducing interference.

Why this answer

In a high-density environment like a conference hall, decreasing transmit power on access points reduces the cell size, which allows for more APs to be placed closer together without their coverage areas overlapping excessively. This minimizes co-channel interference by ensuring that APs on the same channel are physically separated, improving overall throughput and client performance.

Exam trap

The trap here is that candidates mistakenly think increasing transmit power improves performance in dense environments, when in fact it exacerbates co-channel interference by creating larger, overlapping cells.

How to eliminate wrong answers

Option A is wrong because increasing transmit power enlarges the coverage cell, causing more overlap between APs on the same channel and worsening co-channel interference. Option C is wrong because decreasing the beacon interval increases the frequency of beacon frames, which adds overhead and can degrade performance, but does not directly address co-channel interference. Option D is wrong because channel bonding (e.g., 40 MHz in 2.4 GHz or 80/160 MHz in 5 GHz) increases the channel width, which reduces the number of non-overlapping channels available and actually increases the likelihood of co-channel interference in dense deployments.

195
MCQ · medium

A company wants to increase the bandwidth between two switches without upgrading the existing 1 Gbps copper links. Both switches support 802.3ad. Which technology should be implemented?

A.Link aggregation (LACP)
B.VLAN trunking
C.Port mirroring
D.StackWise
Answer: A

Correct. LACP aggregates multiple physical links into one logical link, increasing overall bandwidth.

Why this answer

Link aggregation using LACP (802.3ad) allows multiple 1 Gbps copper links to be combined into a single logical link, increasing bandwidth between the two switches without upgrading the physical interfaces. Since both switches support 802.3ad, they can negotiate and manage the aggregated link dynamically, providing both increased throughput and link redundancy.

Exam trap

The trap here is that candidates often confuse link aggregation with stacking (StackWise) or VLAN trunking, thinking any multi-link technology increases bandwidth, but only LACP/802.3ad properly combines physical links for higher throughput between two switches.

How to eliminate wrong answers

Option B is wrong because VLAN trunking (802.1Q) is used to carry multiple VLANs over a single link, not to increase bandwidth by combining multiple physical links. Option C is wrong because port mirroring (SPAN) copies traffic from one port to another for monitoring purposes and does not increase bandwidth or aggregate links. Option D is wrong because StackWise is a Cisco proprietary technology for combining multiple switches into a single logical switch, not for aggregating links between two existing switches.

196
MCQ · medium

A network administrator needs to automatically back up the configuration files of all network devices (routers, switches, firewalls) to a central server every night. The administrator requires the transfer to be encrypted to protect sensitive configuration data. Which protocol should the administrator use to retrieve the configuration files?

A.TFTP
B.FTP
C.SCP
D.HTTP
Answer: C

SCP (Secure Copy) runs over SSH, ensuring encryption and authentication. It is commonly used for secure file transfers in network environments.

Why this answer

SCP (Secure Copy Protocol) uses SSH for encrypted file transfers, making it ideal for securely retrieving configuration files from network devices to a central server. It ensures both authentication and data encryption, protecting sensitive configuration data during transit.

Exam trap

Cisco often tests SCP versus TFTP, where candidates mistakenly choose TFTP because it is simpler and commonly used for backups, but they overlook the encryption requirement specified in the question.

How to eliminate wrong answers

Option A is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 with no encryption or authentication, making it insecure for transferring sensitive configuration files. Option B is wrong because FTP (File Transfer Protocol) transmits data in cleartext, including usernames and passwords, and lacks encryption unless used with FTPS (FTP over SSL/TLS). Option D is wrong because HTTP (Hypertext Transfer Protocol) transmits data in cleartext and does not provide encryption; HTTPS would be required for secure transfers, but it is not listed as an option.

197
MCQ · medium

Which of the following protocols is used to automatically assign IP addresses to devices on a network and also provides the subnet mask and default gateway?

A.DNS
B.DHCP
C.ARP
D.ICMP
Answer: B

DHCP provides automatic IP configuration including subnet mask and default gateway.

Why this answer

DHCP (Dynamic Host Configuration Protocol) is the correct answer because it is specifically designed to automatically assign IP addresses to devices on a network, along with essential configuration parameters such as the subnet mask and default gateway. When a DHCP client sends a discover message, the DHCP server responds with an offer that includes these details, allowing the client to fully participate in network communication without manual configuration.

Exam trap

Cisco often tests the distinction between DHCP and DNS, where candidates mistakenly think DNS assigns IP addresses because it 'looks up' information; DNS only resolves names to addresses and does not assign addresses, subnet masks, or default gateways.

How to eliminate wrong answers

Option A (DNS) is wrong because DNS (Domain Name System) resolves human-readable domain names to IP addresses; it does not assign IP addresses or provide subnet masks and default gateways. Option C (ARP) is wrong because ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network and does not handle IP address assignment or gateway information. Option D (ICMP) is wrong because ICMP (Internet Control Message Protocol) is used for error reporting and diagnostic functions like ping, not for IP address allocation or configuration.

198
MCQ · hard

A security administrator is configuring a firewall to allow remote employees to access the company's internal web server (port 443) from the internet. The web server has an internal IP address of 10.0.0.5. The firewall has a public IP of 203.0.113.10. Which type of firewall rule should be created?

A.Port forwarding (DNAT) rule
B.Allow rule with source any, destination 10.0.0.5, port 443
C.Access control list on the internal interface
D.VPN rule to require remote access VPN
Answer: A

Correct. Port forwarding translates the destination IP and port of incoming traffic from the public IP to the private IP of the web server, allowing external access.

Why this answer

A port forwarding (DNAT) rule is required because the web server uses a private RFC 1918 IP address (10.0.0.5), which is not routable on the public internet. The firewall must translate the destination IP from its public address (203.0.113.10) to the internal server's private address, allowing inbound traffic on port 443 to reach the correct internal host.

Exam trap

The trap here is that candidates often confuse a simple 'allow' rule with the necessary NAT translation, failing to realize that without DNAT, the firewall has no way to forward the packet to the private IP address of the internal server.

How to eliminate wrong answers

Option B is wrong because a simple allow rule with destination 10.0.0.5 would never be matched by traffic arriving from the internet, as the packet's destination IP is the firewall's public IP (203.0.113.10), not the private IP. Option C is wrong because an access control list on the internal interface would only filter traffic already inside the network, not handle the necessary destination address translation for inbound internet traffic. Option D is wrong because a VPN rule is not required for this scenario; the question explicitly states the goal is to allow direct access to the web server from the internet, not to require a VPN tunnel.

199
MCQ · medium

A security analyst notices that the DHCP server is responding to a large number of DHCP Discover messages from a single MAC address, but that client never sends a DHCP Request to complete the lease. This pattern repeats continuously. Which type of attack is most likely occurring?

A.ARP poisoning
B.DNS amplification
C.DHCP starvation
D.Rogue DHCP server
Answer: C

The scenario describes a classic DHCP starvation attack. The attacker floods the DHCP server with Discover messages, causing it to exhaust its address pool. Legitimate clients then cannot obtain IP addresses.

Why this answer

Option C is correct because the described behavior—a single MAC address sending continuous DHCP Discover messages without completing the lease with a DHCP Request—is the hallmark of a DHCP starvation attack. The attacker exhausts the DHCP server's IP address pool by claiming all available leases, preventing legitimate clients from obtaining IP addresses. This attack targets the DHCP protocol's four-step DORA (Discover, Offer, Request, Acknowledge) process by never completing the handshake.

Exam trap

The trap here is that candidates confuse DHCP starvation with a rogue DHCP server attack, but the key distinction is that starvation exhausts the legitimate server's pool via incomplete handshakes, while a rogue server offers its own IPs to intercept traffic.

How to eliminate wrong answers

Option A is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, not flooding DHCP Discover messages. Option B is wrong because DNS amplification is a reflection-based DDoS attack that uses open DNS resolvers to flood a victim with amplified traffic, not DHCP messages. Option D is wrong because a rogue DHCP server attack involves an unauthorized server offering IP addresses to clients, not a single MAC address flooding Discover messages to exhaust the legitimate server's pool.

200
MCQ · hard

A switch is connected to a network printer. The switch port is manually configured for 100 Mbps and full duplex. The printer is configured for auto-negotiation. The link is up, but there are many FCS errors on the switch port. What is the most likely cause?

A.Duplex mismatch
B.Bad Ethernet cable
C.Speed mismatch
D.Printer driver issues
Answer: A

The manually configured full-duplex setting forces the switch side of the link to operate at full duplex, but the printer's auto-negotiation may settle on half duplex, leading to a duplex mismatch and errors.

Why this answer

The most likely cause is a duplex mismatch. The switch port is manually set to full duplex, while the printer is using auto-negotiation. When one side is manually configured and the other is set to auto-negotiation, the auto-negotiating side fails to detect the manual setting and defaults to half duplex.

This mismatch causes collisions and frame check sequence (FCS) errors on the full-duplex side, as the half-duplex side does not properly handle simultaneous transmission.

Exam trap

CompTIA often tests the misconception that a speed mismatch causes FCS errors, but the trap here is that a speed mismatch prevents the link from coming up, while a duplex mismatch allows the link to be up but with errors.

How to eliminate wrong answers

Option B is wrong because a bad Ethernet cable typically causes intermittent connectivity, link flaps, or CRC errors, but not the specific pattern of FCS errors associated with a duplex mismatch; a bad cable would also likely cause the link to drop or show excessive alignment errors. Option C is wrong because a speed mismatch would prevent the link from coming up entirely, as both sides must agree on speed for the physical layer to establish a link; since the link is up, speed is matched. Option D is wrong because printer driver issues affect the data being sent from the host to the printer, not the physical-layer framing or collision behavior on the switch port; FCS errors are a Layer 1/2 issue, not a driver problem.

201
MCQ · medium

A network administrator has completed a scheduled firmware upgrade on a core switch. After verifying successful operation, which document should the administrator update to reflect the new firmware version?

A.Network logical topology diagram
B.Change management log
C.Rack diagram
D.Inventory management system
Answer: B

The change management log records all network changes, including firmware upgrades, providing an audit trail for compliance and troubleshooting.

Why this answer

The change management log is the correct document to update because it records all modifications to the network, including firmware upgrades, along with details such as the date, reason, and new version. This log ensures compliance with ITIL change management processes and provides an audit trail for troubleshooting and future changes. Updating it after a successful firmware upgrade is a standard operational procedure to maintain accurate change history.

Exam trap

Cisco often tests the distinction between documentation types, and the trap here is that candidates confuse the inventory management system (which tracks hardware assets) with the change management log (which tracks operational changes), leading them to choose D instead of B.

How to eliminate wrong answers

Option A is wrong because a network logical topology diagram shows the logical layout of devices, subnets, and routing protocols, not firmware versions; updating it with firmware details would clutter the diagram and violate its purpose. Option C is wrong because a rack diagram documents physical device placement, rack units, and cabling, not software or firmware versions; it is used for physical asset management, not version tracking. Option D is wrong because an inventory management system tracks hardware assets, serial numbers, and procurement details, but firmware versions are typically not its primary focus; while some systems may include firmware, the change management log is the formal record for documenting changes like firmware upgrades.

202
MCQ · medium

A network administrator wants to centrally monitor the bandwidth utilization on a router's serial interface over time. The monitoring tool needs to periodically poll the router for current interface counters. Which protocol should be used for this polling?

A.SNMP
B.Syslog
C.NetFlow
D.ICMP
Answer: A

SNMP uses MIBs to expose interface counters, which a management station can poll (SNMP GET requests) to calculate bandwidth utilization over time.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is specifically designed for polling network devices to retrieve operational statistics such as interface counters (e.g., ifInOctets, ifOutOctets) from a Management Information Base (MIB). The network administrator can configure an SNMP manager to periodically poll the router's serial interface OIDs, enabling centralized bandwidth utilization monitoring over time.

Exam trap

Cisco often tests the distinction between polling (SNMP) and push-based reporting (Syslog, NetFlow), and the trap here is that candidates confuse NetFlow's flow export capability with simple interface counter polling, or assume Syslog can be used for periodic data retrieval.

How to eliminate wrong answers

Option B (Syslog) is wrong because Syslog is a protocol for event logging and message forwarding, not for polling interface counters; it sends unsolicited log messages from devices to a server. Option C (NetFlow) is wrong because NetFlow is a flow-based traffic accounting and analysis technology that exports detailed IP flow records, not a polling mechanism for simple interface counters. Option D (ICMP) is wrong because ICMP is used for network diagnostics like ping and traceroute, not for retrieving interface utilization data from a router's MIB.

203
MCQ · medium

A network administrator is designing a Layer 2 network with redundant links between switches. Which protocol should be implemented to prevent loops in the network?

A.STP (Spanning Tree Protocol)
B.OSPF (Open Shortest Path First)
C.VRRP (Virtual Router Redundancy Protocol)
D.LACP (Link Aggregation Control Protocol)
Answer: A

STP prevents loops by dynamically blocking ports to ensure a single active path between any two network segments.

Why this answer

STP (Spanning Tree Protocol) is the correct choice because it is specifically designed to prevent Layer 2 loops in networks with redundant links. It achieves this by placing redundant switch ports into a blocking state, creating a loop-free logical topology while maintaining physical redundancy for failover.

Exam trap

The trap here is that candidates often confuse STP with VRRP or OSPF because both involve 'redundancy' and 'loop prevention,' but STP is the only protocol that operates at Layer 2 to prevent switching loops.

How to eliminate wrong answers

Option B (OSPF) is wrong because it is a Layer 3 link-state routing protocol used for IP route discovery and loop prevention at the network layer, not for Layer 2 loop prevention. Option C (VRRP) is wrong because it is a First Hop Redundancy Protocol (FHRP) that provides default gateway redundancy by allowing multiple routers to share a virtual IP, not for preventing Layer 2 loops. Option D (LACP) is wrong because it is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not prevent loops; in fact, LACP itself requires STP to block loops if redundant LACP bundles exist.

204
MCQ · easy

Which device is used to connect two different network segments and makes forwarding decisions based on IP addresses?

A.Switch
B.Router
C.Hub
D.Bridge
Answer: B

A router forwards packets based on IP addresses, connecting different networks.

Why this answer

A router is the correct device because it operates at Layer 3 (Network layer) of the OSI model and makes forwarding decisions based on destination IP addresses. It connects two different network segments (subnets) and uses routing tables to determine the best path for packet delivery, often employing protocols like OSPF or BGP.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 devices, trapping candidates who confuse a switch's MAC-based forwarding with a router's IP-based forwarding, especially when the question mentions 'different network segments'—a switch can segment collision domains but not broadcast domains, while a router segments broadcast domains.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2 (Data Link layer) and forwards frames based on MAC addresses, not IP addresses, and it typically connects devices within the same network segment. Option C is wrong because a hub is a Layer 1 device that simply repeats electrical signals to all ports without any forwarding logic or address awareness. Option D is wrong because a bridge, while it can connect two network segments, operates at Layer 2 and makes forwarding decisions based on MAC addresses, not IP addresses.

205
MCQhard

A network technician is troubleshooting an issue where Server A can ping Server B by IP address, but Server B cannot ping Server A. Both servers are in the same VLAN and subnet, connected to the same switch. The switch ports are configured identically, and there are no ACLs or firewalls between them. Which of the following is the MOST likely cause?

A.Server A's firewall is blocking incoming ICMP
B.Server B's firewall is blocking outgoing ICMP
C.The cable connecting Server A is faulty
D.There is a duplex mismatch on Server B's switch port
AnswerA

A firewall on Server A can permit outgoing replies while blocking incoming requests, causing the one-way ping failure.

Why this answer

Server A can ping Server B by IP address, meaning ICMP echo requests from Server A reach Server B and echo replies return successfully. However, Server B cannot ping Server A, which indicates that ICMP echo requests from Server B are not reaching Server A or their replies are blocked. Since both servers are in the same VLAN/subnet with no ACLs or firewalls between them, the most likely cause is that Server A's host-based firewall is blocking incoming ICMP (echo requests), preventing Server B's pings from being processed.

This is a classic symptom of a one-way firewall rule that permits outbound ICMP but denies inbound ICMP.

Exam trap

CompTIA often tests the misconception that a firewall blocking outgoing ICMP on Server B would cause the symptom, but the correct reasoning is that the blocking must be on the target server (Server A) for incoming ICMP, creating a one-way ping scenario.

How to eliminate wrong answers

Option B is wrong because if Server B's firewall were blocking outgoing ICMP, Server B would be unable to send any ICMP echo requests at all, but the problem is specifically that Server B cannot ping Server A while Server A can ping Server B—this asymmetry points to a receive-side block on Server A, not a send-side block on Server B. Option C is wrong because a faulty cable on Server A would cause bidirectional communication failure (both pings would fail), not a unidirectional issue; the fact that Server A can ping Server B proves the cable and Layer 1 connectivity are functional. Option D is wrong because a duplex mismatch on Server B's switch port would typically cause CRC errors, late collisions, and poor performance in both directions, but it would not selectively block ICMP echo requests from Server B while allowing Server A's pings to succeed—duplex issues affect all traffic symmetrically.

206
MCQeasy

A security analyst notices that the company's web server is receiving a high volume of TCP SYN packets from a single source IP address, but the server is not completing the three-way handshake. Which type of attack is most likely occurring?

A.SYN flood
B.Smurf attack
C.Ping of death
D.ARP poisoning
AnswerA

Correct. A SYN flood is a DoS attack that sends numerous SYN packets, leaving half-open connections and consuming server resources.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets from a spoofed or single source IP without completing the handshake. The server allocates resources for each half-open connection, eventually exhausting its connection table and denying service to legitimate users. This matches the scenario where the server receives many SYN packets but never completes the handshake.

Exam trap

CompTIA often tests the distinction between a SYN flood and a Smurf attack by describing a flood of packets from a single source—candidates confuse the ICMP-based Smurf attack with the TCP-based SYN flood because both involve flooding, but the protocol and mechanism are completely different.

How to eliminate wrong answers

Option B (Smurf attack) is wrong because it uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim, overwhelming it with ICMP traffic—not TCP SYN packets. Option C (Ping of death) is wrong because it involves sending an oversized or malformed ICMP packet that causes a buffer overflow on the target, not a flood of TCP SYN packets. Option D (ARP poisoning) is wrong because it manipulates ARP tables to intercept traffic on a local network segment, not to overwhelm a server with TCP SYN packets.

207
MCQmedium

A network administrator is configuring a trunk link between a switch and a router to support multiple VLANs. The switch's trunk port is set to dot1q encapsulation. Which configuration must match on the router to ensure proper communication?

A.The IP address of the router interface must be in the same subnet as the management VLAN
B.The subinterface encapsulation must match the switch's native VLAN default
C.The native VLAN on the router subinterface must be consistent with the switch's native VLAN
D.The router must be configured with inter-VLAN routing static routes
AnswerC

Both ends of a trunk must agree on the native VLAN (VLAN 1 by default, though it can be changed). A mismatch can cause miscommunication or security risks.

Why this answer

Option C is correct because the native VLAN on the router subinterface must match the switch's native VLAN to ensure untagged frames are handled consistently. On a dot1q trunk, the native VLAN is the only VLAN whose frames are sent untagged; if the router expects a different native VLAN, it will drop or misclassify those frames, breaking communication for that VLAN.

Exam trap

The trap here is that candidates often confuse 'native VLAN' with 'default VLAN' or think the encapsulation type (dot1q) alone is sufficient, overlooking the critical requirement that the native VLAN must be explicitly matched on both sides of the trunk.

How to eliminate wrong answers

Option A is wrong because the IP address of the router interface does not need to be in the same subnet as the management VLAN; the router subinterface IPs are assigned per VLAN, and the management VLAN is a separate administrative concept. Option B is wrong because the subinterface encapsulation is simply set to 'dot1q' with the VLAN ID that subinterface serves; it does not "match the switch's native VLAN default", and the encapsulation command specifies a VLAN ID, not a native VLAN default. Option D is wrong because inter-VLAN routing static routes are not required for a simple router-on-a-stick configuration; the router forwards between subinterfaces using the connected routes derived from the IP addresses configured on each subinterface.

208
MCQeasy

Which of the following best describes the primary function of a subnet mask in IPv4 networking?

A.It identifies which part of an IP address is the network address and which part is the host address
B.It dynamically assigns IP addresses to devices on the network
C.It encrypts data packets to ensure secure communication
D.It specifies the IP address of the router that forwards traffic to other networks
AnswerA

The subnet mask is used to divide the IP address into network and host bits, allowing devices to determine if a destination is on the same local network or requires routing.

Why this answer

The subnet mask is a 32-bit value that separates the IP address into network and host portions through a bitwise AND operation. This allows routers and hosts to determine whether a destination IP is on the same local network or requires forwarding to a default gateway. Without the subnet mask, a device cannot distinguish the network prefix from the host identifier, making routing impossible.

Exam trap

CompTIA often tests the misconception that the subnet mask assigns IP addresses or acts as a gateway, so candidates confuse it with DHCP or the default gateway, especially when questions pair subnet mask with 'dynamic' or 'router' in the answer choices.

How to eliminate wrong answers

Option B is wrong because dynamic IP address assignment is the function of DHCP (Dynamic Host Configuration Protocol), not the subnet mask. Option C is wrong because encryption of data packets is performed by protocols like IPsec, TLS, or SSH, not by the subnet mask. Option D is wrong because the IP address of the router that forwards traffic to other networks is the default gateway, which is a separate configuration parameter, not the subnet mask.

209
MCQmedium

A network administrator is configuring a new WAN link between two offices using MPLS. Which of the following is a characteristic of MPLS?

A.It uses label switching to forward packets
B.It requires a dedicated point-to-point circuit
C.It operates at Layer 7 of the OSI model
D.It encrypts all data in transit
AnswerA

MPLS routers (LSRs) assign and swap labels to route traffic efficiently, independent of IP headers.

Why this answer

MPLS (Multiprotocol Label Switching) operates by attaching short, fixed-length labels to packets at the ingress router. These labels are used by intermediate routers (LSRs) to make forwarding decisions based on the label rather than the IP header, which enables faster switching and traffic engineering. This label-swapping mechanism is the defining characteristic of MPLS, distinguishing it from traditional IP routing.

Exam trap

The trap here is that candidates confuse MPLS with a dedicated leased line or assume it provides security features like encryption, when in fact MPLS is a label-switching technology that operates below Layer 3 and above Layer 2.

How to eliminate wrong answers

Option B is wrong because MPLS does not require a dedicated point-to-point circuit; it can run over any underlying transport (e.g., Ethernet, Frame Relay, ATM) and supports any-to-any connectivity through a shared MPLS backbone. Option C is wrong because MPLS is often described as operating at Layer 2.5 (between Layer 2 and Layer 3), not Layer 7; it does not involve application-layer functions. Option D is wrong because MPLS does not inherently encrypt data; it relies on separate mechanisms like IPsec or MACsec for encryption, and MPLS itself provides no confidentiality.

210
MCQhard

A security analyst notices that an attacker is sending crafted packets with overlapping IP fragments to a target server, causing the server to crash. Which type of attack is described?

A.Teardrop attack
B.Smurf attack
C.Ping flood
D.SYN flood
AnswerA

The Teardrop attack exploits overlapping IP fragments, matching the description.

Why this answer

This is a Teardrop attack, which exploits a vulnerability in the IP fragmentation reassembly process. The attacker sends a series of fragmented IP packets with intentionally overlapping fragment offsets, causing the target system to miscalculate the size of the reassembled packet, leading to a buffer overflow and system crash. This attack specifically targets the IP stack's handling of fragment offset fields in the IP header.

Exam trap

CompTIA often tests the distinction between attacks that exploit protocol logic flaws (like Teardrop) versus volumetric or handshake-based attacks, so candidates may confuse Teardrop with a SYN flood because both can cause crashes, but the key difference is that Teardrop targets IP fragmentation, not TCP state exhaustion.

How to eliminate wrong answers

Option B is wrong because a Smurf attack uses ICMP echo requests (pings) sent to a network's broadcast address with a spoofed source IP, causing all hosts on that network to reply to the victim, overwhelming it with traffic — it does not involve IP fragmentation. Option C is wrong because a Ping flood is a simple volumetric denial-of-service attack that sends a high volume of ICMP echo request packets to consume bandwidth and CPU, not crafted overlapping fragments. Option D is wrong because a SYN flood exploits the TCP three-way handshake by sending a flood of TCP SYN packets with spoofed source IPs, leaving half-open connections and exhausting server resources — it does not manipulate IP fragmentation.

211
MCQhard

A network administrator has configured a switch with four VLANs: VLAN 10, 20, 30, and 99 (native). The switch is connected to a router via an 802.1Q trunk link. The router has subinterfaces for VLANs 10, 20, and 30, each with an IP address. VLAN 99 is used for management and does not have a router subinterface. How many Layer 3 broadcast domains exist in this network?

A.1
B.2
C.3
D.4
AnswerD

Correct. Each of the four VLANs (10, 20, 30, 99) is a separate broadcast domain, regardless of router subinterface configuration.

Why this answer

Each VLAN is a separate Layer 2 broadcast domain, and a router subinterface provides the default gateway for that VLAN, creating a corresponding Layer 3 broadcast domain. VLAN 99 (native) has no router subinterface, so it does not have a Layer 3 broadcast domain. Therefore, only VLANs 10, 20, and 30 have Layer 3 broadcast domains, totaling 3.

Exam trap

CompTIA often tests the distinction between Layer 2 broadcast domains (one per VLAN) and Layer 3 broadcast domains (one per routed subnet), leading candidates to incorrectly count all VLANs as Layer 3 domains even when a native VLAN lacks a subinterface.

How to eliminate wrong answers

Option A is wrong because it assumes all VLANs share a single Layer 3 broadcast domain, which would only be true if no routing occurred (e.g., a flat Layer 2 network). Option B is wrong because it suggests only two VLANs are routed, ignoring the third subinterface. Option D is wrong because it counts VLAN 99 as a Layer 3 broadcast domain, but without a router subinterface, VLAN 99 remains purely Layer 2 and does not participate in Layer 3 forwarding.

212
MCQhard

A network engineer configures OSPF on two routers with a primary link (1 Gbps) and a backup link (100 Mbps). The engineer expects traffic to always use the primary link unless it fails, but the router is sending traffic over the backup link. What is the most likely cause?

A.A
B.B
C.C
D.D
AnswerB

If the primary link's cost is higher (e.g., due to a misconfigured interface bandwidth), OSPF will choose the lower-cost backup link.

Why this answer

OSPF uses cost to determine the best path, calculated as 10^8 / interface bandwidth (in bps), with a minimum cost of 1. A 1 Gbps link has a cost of 1 (100,000,000 / 1,000,000,000 = 0.1, which rounds up to the minimum of 1), while a 100 Mbps link also has a cost of 1 (100,000,000 / 100,000,000). Since both costs are equal, OSPF will load-balance traffic across both links instead of preferring the primary link, which is why traffic is seen on the backup link.

Exam trap

CompTIA often tests the misconception that OSPF prefers higher bandwidth links automatically, but the trap is that OSPF's default cost calculation makes any link at 100 Mbps or faster have the same cost of 1, causing equal-cost multipath (ECMP) instead of primary/backup behavior.

How to eliminate wrong answers

Option A is wrong because OSPF does not use hop count; it uses cost based on bandwidth. Option C is wrong because OSPF does not have a native 'primary' or 'backup' designation; it relies on cost metrics, and equal costs cause ECMP. Option D is wrong because OSPF does not use a hold-down timer for path selection; that is a concept from distance-vector protocols like RIP or EIGRP.
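The cost arithmetic behind question 212, as an added example that is not part of the question bank: the function names and the two-link table are constructed for illustration, and the final call goes beyond the question by showing what happens when the reference bandwidth is raised to 10 Gbps.

```python
# Added example: OSPF interface cost arithmetic for the primary/backup
# scenario in question 212. Not from the question bank; the function names
# and the link table are assumptions made for illustration.

DEFAULT_REFERENCE_BW_BPS = 100_000_000  # 10^8 bps (100 Mbps), the default OSPF reference bandwidth
MAX_OSPF_COST = 65_535                  # the cost travels in a 16-bit field


def ospf_cost(interface_bw_bps: int, reference_bw_bps: int = DEFAULT_REFERENCE_BW_BPS) -> int:
    """OSPF cost = reference bandwidth / interface bandwidth, truncated to an
    integer, never below 1 and never above 65535."""
    if interface_bw_bps <= 0:
        raise ValueError("interface bandwidth must be positive")
    cost = reference_bw_bps // interface_bw_bps
    return min(max(cost, 1), MAX_OSPF_COST)


def preferred_links(links: dict[str, int], reference_bw_bps: int = DEFAULT_REFERENCE_BW_BPS) -> list[str]:
    """Return the names of every link OSPF would install toward the destination:
    one link when a unique lowest cost exists, several (ECMP) when costs tie."""
    costs = {name: ospf_cost(bw, reference_bw_bps) for name, bw in links.items()}
    lowest = min(costs.values())
    return sorted(name for name, cost in costs.items() if cost == lowest)


# Constructed link table matching the question: 1 Gbps primary, 100 Mbps backup.
LINKS = {"primary": 1_000_000_000, "backup": 100_000_000}

if __name__ == "__main__":
    for name, bw in LINKS.items():
        print(f"{name}: cost {ospf_cost(bw)} with the default reference bandwidth")
    # Both links cost 1, so OSPF installs both (ECMP) instead of primary/backup.
    print("installed with default reference:", preferred_links(LINKS))
    # Raising the reference bandwidth to 10 Gbps (the auto-cost
    # reference-bandwidth approach) gives the links distinct costs again.
    print("installed with 10 Gbps reference:", preferred_links(LINKS, 10_000_000_000))
```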

213
MCQeasy

A company is extending its network to a new building located 200 meters away. The link must support 1 Gbps speeds. Which cabling type should be used?

A.Cat5e
B.Cat6
C.Single-mode fiber
D.Coaxial cable
AnswerC

Single-mode fiber can transmit 1 Gbps over distances far exceeding 200 meters.

Why this answer

Single-mode fiber (SMF) is the correct choice because it supports 1 Gbps speeds over distances far exceeding 200 meters, typically up to 5 km or more using 1000BASE-LX optics. Copper cabling like Cat5e and Cat6 is limited to a maximum segment length of 100 meters for 1 Gbps (1000BASE-T), making them unsuitable for this 200-meter link.

Exam trap

The trap here is that candidates often assume Cat6 can exceed 100 meters because it supports higher frequencies (250 MHz vs. 100 MHz for Cat5e), but the 100-meter distance limit for 1000BASE-T is a physical layer standard constraint, not a cable grade limitation.

How to eliminate wrong answers

Option A (Cat5e) is wrong because its maximum supported distance for 1 Gbps (1000BASE-T) is 100 meters, and the required link is 200 meters. Option B (Cat6) is wrong because, while it supports 1 Gbps, its maximum segment length is also 100 meters for 1000BASE-T, insufficient for 200 meters. Option D (Coaxial cable) is wrong because it is not designed for modern 1 Gbps Ethernet; it is used for legacy broadband or cable TV (e.g., DOCSIS) and lacks the bandwidth and standards support for 1000BASE-T.

214
MCQmedium

A network engineer configures an 802.1Q trunk between two switches. The trunk is up, but VLAN 10 traffic is not passing. The engineer checks and confirms that VLAN 10 exists on both switches. The show interfaces trunk command displays 'allowed VLANs: none'. What is the most likely cause?

A.The trunk encapsulation is not set to dot1q
B.The native VLAN mismatch
C.The allowed VLAN list is empty
D.VLAN 10 is not created on one of the switches
AnswerC

The output explicitly shows 'allowed VLANs: none', meaning no VLANs are permitted on the trunk. The engineer must add VLAN 10 to the allowed list.

Why this answer

The 'show interfaces trunk' output showing 'allowed VLANs: none' explicitly indicates that the allowed VLAN list on the trunk has been manually cleared or set to none, which blocks all VLAN traffic including VLAN 10. Even though VLAN 10 exists on both switches, the trunk port's VLAN filter prevents any frames from being forwarded. This is the most direct cause of the issue.

Exam trap

CompTIA often tests the distinction between 'VLAN not created' and 'VLAN not allowed on trunk' — the trap here is that candidates assume VLAN 10 not passing must mean it doesn't exist on one switch, ignoring that the trunk's allowed VLAN list can independently block traffic even when the VLAN is present on both sides.

How to eliminate wrong answers

Option A is wrong because if the trunk encapsulation were not set to dot1q, the trunk would either fail to form or would use ISL; the 'show interfaces trunk' output would then show a different encapsulation or a down trunk, not 'allowed VLANs: none'. Option B is wrong because a native VLAN mismatch would cause spanning-tree inconsistencies or CDP/STP errors, but it would not empty the allowed VLAN list; that list would still show the default VLAN 1 or the configured ranges. Option D is wrong because the engineer confirmed VLAN 10 exists on both switches, so this is not the cause; with 'allowed VLANs: none', the trunk blocks the VLAN's traffic regardless of whether the VLAN exists.

215
MCQhard

A security analyst detects a large number of DNS queries for the same domain from multiple internal hosts. The responses contain large payloads. Which type of attack is likely occurring?

A.DNS cache poisoning
B.DNS amplification
C.DNS tunneling
D.DNS zone transfer
AnswerB

DNS amplification uses small queries to trigger large responses, overwhelming the target with traffic.

Why this answer

DNS amplification is a type of reflection-based DDoS attack where an attacker sends a small query (e.g., ANY or DNSSEC-signed record request) with a spoofed source IP (the victim's address) to an open DNS resolver. The resolver responds with a large payload (often 50–100x larger than the query), flooding the victim's network. The scenario describes many internal hosts making queries to the same domain and receiving large responses, which matches the amplification effect from a compromised or misconfigured internal resolver.

Exam trap

CompTIA often tests the distinction between DNS amplification and DNS cache poisoning by describing 'large payloads' and 'many hosts' — the trap is that candidates confuse the reflection/amplification mechanism with the cache corruption of poisoning, but amplification focuses on traffic volume, not record integrity.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (also called DNS spoofing) involves injecting forged DNS records into a resolver's cache to redirect traffic to malicious sites, not generating large payloads from many hosts. Option C is wrong because DNS tunneling encodes non-DNS data (e.g., SSH, HTTP) within DNS queries and responses to bypass firewalls, but it does not inherently produce large payloads from many hosts querying the same domain. Option D is wrong because a DNS zone transfer is a legitimate replication mechanism between authoritative DNS servers (using AXFR/IXFR), not an attack that causes large responses to multiple internal hosts.

216
MCQeasy

A company is deploying a new wireless network in a warehouse. The network administrator needs to ensure that clients can seamlessly roam between access points without losing connectivity. Which of the following should be configured?

A.Same SSID and security settings on all APs
B.Different channels per AP to reduce interference
C.WPA2-Enterprise with RADIUS authentication
D.Mesh topology for AP interconnection
AnswerA

Correct. A common SSID and matching security credentials enable clients to roam seamlessly between APs.

Why this answer

Configuring the same SSID and security settings on all access points (APs) is essential for seamless roaming because clients use the SSID to identify the network and the security credentials to authenticate. When a client moves between APs, it can re-associate without needing to re-authenticate or discover a new network, provided the SSID and security parameters (e.g., PSK or 802.1X configuration) are identical. This ensures a smooth handoff and maintains connectivity during roaming.

Exam trap

The trap here is that candidates often confuse the need for different channels (to avoid interference) with the requirement for seamless roaming, or they assume that enterprise authentication (WPA2-Enterprise) is mandatory for roaming, when in fact the core requirement is simply consistent SSID and security settings across all APs.

How to eliminate wrong answers

Option B is wrong because using different channels per AP is a best practice for reducing co-channel interference, but it does not directly enable seamless roaming; clients can still roam between APs on different channels as long as the SSID and security settings match. Option C is wrong because WPA2-Enterprise with RADIUS authentication enhances security and supports fast roaming via mechanisms like 802.11r, but it is not a requirement for basic seamless roaming; clients can roam seamlessly with WPA2-Personal if the SSID and passphrase are identical across APs. Option D is wrong because a mesh topology for AP interconnection describes how APs communicate with each other (e.g., wireless backhaul), but it does not affect the client-side roaming behavior; clients roam based on SSID and security consistency, not the AP interconnection method.

217
MCQmedium

A network engineer is planning a wireless LAN for an open office with 50 users. To maximize performance by using multiple non-overlapping channels, which frequency band should be primarily used?

A.2.4 GHz
B.5 GHz
C.6 GHz
D.900 MHz
AnswerB

5 GHz provides many non-overlapping channels, allowing better channel planning and reduced interference.

Why this answer

The 5 GHz band is the best choice for maximizing performance in an open office with 50 users because it offers up to 23 non-overlapping channels (using 20 MHz channels) compared to only 3 in the 2.4 GHz band. This allows for better channel reuse, reduced co-channel interference, and higher aggregate throughput in a dense user environment.

Exam trap

Cisco often tests the misconception that more channels always mean better performance, but the trap here is that candidates may overlook client device compatibility and regulatory availability when considering the 6 GHz band, or they may incorrectly assume the 2.4 GHz band's longer range is beneficial for high-density performance.

How to eliminate wrong answers

Option A is wrong because the 2.4 GHz band provides only 3 non-overlapping channels (1, 6, 11), leading to severe co-channel interference and poor performance in a high-density deployment of 50 users. Option C is wrong because while the 6 GHz band (Wi-Fi 6E/7) offers many non-overlapping channels, it is not yet widely supported by all client devices and may not be the primary band for a general deployment; the question asks for the band to be 'primarily used' given current typical enterprise hardware. Option D is wrong because the 900 MHz band is used for low-data-rate, long-range applications (e.g., IoT, SCADA) and lacks the bandwidth and channel count needed for a high-performance wireless LAN serving 50 users.

218
MCQeasy

At which layer of the OSI model does end-to-end communication and data segmentation occur?

A.Session layer
B.Transport layer
C.Network layer
D.Data link layer
AnswerB

The Transport layer segments data, provides reliability (TCP) or fast delivery (UDP), and handles end-to-end communication. Examples: TCP and UDP.

Why this answer

The transport layer (Layer 4) is responsible for end-to-end communication between source and destination hosts, as well as data segmentation and reassembly. Protocols such as TCP and UDP operate at this layer, with TCP providing reliable, connection-oriented service by segmenting data into segments and managing flow control and error recovery.

Exam trap

The trap here is that candidates confuse the transport layer's end-to-end communication with the network layer's end-to-end delivery of packets, forgetting that Layer 4 provides logical communication between processes (ports) while Layer 3 provides logical communication between hosts (IP addresses).

How to eliminate wrong answers

Option A is wrong because the session layer (Layer 5) manages dialog control, session establishment, and synchronization, not end-to-end communication or data segmentation. Option C is wrong because the network layer (Layer 3) handles logical addressing (e.g., IP addresses) and routing between networks, not segmentation of data into segments. Option D is wrong because the data link layer (Layer 2) deals with framing, MAC addressing, and error detection on a single link, not end-to-end transport or segmentation.

219
MCQeasy

A network device receives a frame on one port and forwards it out to all other ports. The device does not examine the destination MAC address. Which type of device is being described?

A.Switch
B.Hub
C.Bridge
D.Router
AnswerB

Hubs are Layer 1 devices that forward signals to all ports without any intelligence. They do not read MAC addresses.

Why this answer

A hub operates at Layer 1 (physical layer) of the OSI model and simply repeats incoming electrical or optical signals out all other ports without any processing of the frame's destination MAC address. This behavior matches the description exactly: the device receives a frame on one port and forwards it out all other ports without examining the MAC address.

Exam trap

Cisco often tests the distinction between Layer 1 (hub) and Layer 2 (switch/bridge) devices by describing the 'flooding' behavior of a switch when the MAC address is unknown, which can trick candidates into thinking a switch forwards to all ports without examining the MAC address, but a switch always examines the destination MAC address first.

How to eliminate wrong answers

Option A is wrong because a switch examines the destination MAC address in the frame header, uses its MAC address table to make forwarding decisions, and sends the frame only to the specific port associated with that MAC address (or floods only if unknown). Option C is wrong because a bridge, like a switch, operates at Layer 2 and examines the destination MAC address to decide whether to forward or filter the frame based on its bridging table. Option D is wrong because a router operates at Layer 3, examines the destination IP address in the packet header, and forwards packets based on routing table entries, not by blindly repeating frames out all ports.

220
MCQmedium

A network administrator needs to upgrade the firmware on a core switch. According to change management best practices, which step should be performed first?

A.Download the new firmware
B.Create a backup of the current configuration
C.Submit a change request
D.Schedule a maintenance window
AnswerC

The first step is to submit a change request for approval.

Why this answer

According to change management best practices, the first step in any network change is to submit a change request (option C). This ensures the proposed firmware upgrade is reviewed, approved, and documented before any technical actions are taken, reducing the risk of unplanned outages and providing a rollback plan. Skipping this step violates ITIL/change management frameworks and can lead to unauthorized changes that impact network stability.

Exam trap

The trap here is that candidates often confuse operational best practices with technical steps, assuming that backing up the configuration (option B) is always the first action, but change management mandates that formal authorization precedes any technical work, even backups, to ensure proper governance and audit trails.

How to eliminate wrong answers

Option A is wrong because downloading the new firmware before obtaining approval violates change control processes; the firmware should only be obtained after the change is authorized. Option B is wrong because while creating a backup of the current configuration is a critical step, it should occur after the change request is approved and as part of the implementation plan, not as the first step. Option D is wrong because scheduling a maintenance window is a downstream activity that depends on the approved change request and its risk assessment; performing it first would be premature without formal authorization.

221
MCQmedium

A network administrator is preparing to upgrade the firmware on a critical router. Which document should the administrator consult to understand the steps required to minimize downtime and ensure a successful upgrade?

A.SLA
B.Change management plan
C.Network diagram
D.Baseline performance report
AnswerB

The change management plan documents the process for making changes to the network, including risk assessment, detailed steps, testing, approval, and rollback procedures. It is the appropriate resource to ensure a methodical and safe upgrade.

Why this answer

The change management plan documents the approved procedures, rollback steps, and communication protocols for performing maintenance on critical infrastructure. Consulting this plan ensures the administrator follows the organization's predefined steps to minimize downtime and mitigate risks during the firmware upgrade.

Exam trap

The trap here is that candidates confuse a change management plan with a network diagram or SLA, assuming that knowing the topology or contractual uptime is sufficient to perform a safe upgrade, when in fact the procedural steps and rollback strategy are documented only in the change management plan.

How to eliminate wrong answers

Option A is wrong because an SLA (Service Level Agreement) defines uptime guarantees and penalties, not the step-by-step upgrade procedures. Option C is wrong because a network diagram shows physical/logical topology and device connections, but does not contain the operational steps or rollback procedures needed for a firmware upgrade. Option D is wrong because a baseline performance report captures normal traffic and utilization metrics for comparison after a change, but it does not prescribe the upgrade process itself.

222
MCQmedium

A network engineer needs to implement a wireless network in a large open-plan office with high client density. The network must provide the fastest possible speeds and efficient handling of many simultaneous connections. Which IEEE 802.11 standard should be used?

A.802.11ac
B.802.11n
C.802.11ax
D.802.11r
AnswerC

802.11ax (Wi-Fi 6) is the latest standard optimized for high-density environments with features like OFDMA, MU-MIMO, and improved modulation, providing the fastest speeds and best efficiency.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA) and MU-MIMO (both uplink and downlink), which significantly improve spectral efficiency and capacity in high-density environments. It also supports 1024-QAM modulation for higher data rates, making it ideal for an open-plan office with many simultaneous connections.

Exam trap

The trap here is that candidates often confuse 802.11ac (Wi-Fi 5) as the fastest standard because of its high single-user throughput, but they overlook that 802.11ax (Wi-Fi 6) is specifically designed for high-density, multi-user scenarios with OFDMA and improved MU-MIMO.

How to eliminate wrong answers

Option A is wrong because 802.11ac (Wi-Fi 5) operates only in the 5 GHz band and uses OFDM, which is less efficient than OFDMA for handling many concurrent clients; it lacks the uplink MU-MIMO and OFDMA features needed for high-density environments. Option B is wrong because 802.11n (Wi-Fi 4) is limited to 40 MHz channels, 64-QAM, and only supports up to 4 spatial streams, resulting in lower maximum throughput and poor performance under high client density. Option D is wrong because 802.11r is not a PHY-layer standard for speed or capacity; it is a fast roaming protocol (FT) that reduces authentication latency during handoffs between access points, not a solution for raw throughput or dense client handling.

223
MCQhard

A company's public web server is experiencing a flood of TCP SYN packets from multiple external IP addresses. The server's connection table is full, causing new legitimate connections to be dropped. Which of the following mitigation techniques should be implemented to protect the server while still allowing legitimate traffic?

A.Implement SYN cookies on the server.
B.Increase the server's TCP connection backlog.
C.Enable bogon filtering on the perimeter firewall.
D.Deploy an intrusion prevention system (IPS) with signature detection.
AnswerA

SYN cookies encode connection information in the SYN-ACK response, enabling the server to remain stateless until the handshake completes. This prevents the connection table from filling up.

Why this answer

SYN cookies allow the server to avoid storing connection state in the TCP backlog until the three-way handshake completes. When the SYN flood fills the connection table, the server encodes the initial sequence number (ISN) with cryptographic information about the connection, enabling it to verify the ACK from a legitimate client without consuming table entries. This technique preserves resources for legitimate traffic while dropping spoofed or incomplete handshakes.

Exam trap

Cisco often tests the misconception that increasing the TCP backlog (Option B) is a viable defense against SYN floods, but candidates must recognize that backlog tuning only delays exhaustion, whereas SYN cookies provide a stateless, scalable solution.

How to eliminate wrong answers

Option B is wrong because increasing the TCP connection backlog only raises the threshold for the queue size, but a SYN flood will still fill the larger queue and cause drops; it does not prevent resource exhaustion. Option C is wrong because bogon filtering blocks traffic from invalid or private IP addresses, but the attack uses multiple external IPs that are likely routable and legitimate-looking, so bogon filtering would not stop the flood. Option D is wrong because an IPS with signature detection can identify and block known attack patterns, but it may not keep pace with a high-volume SYN flood and can introduce latency; more importantly, it does not address the server's connection table exhaustion directly, whereas SYN cookies are a lightweight, stateless mitigation at the server itself.

224
MCQhard

A network administrator is configuring OSPF on routers in a multi-area network. The administrator wants to ensure that a router in area 1 does not learn external routes (Type 5 LSAs) injected by an ASBR in area 0, but it must still learn inter-area routes (Type 3 LSAs). The administrator wants to reduce the routing table size. Which OSPF area type should be configured for area 1?

A.Stub area
B.Totally stubby area
C.Not-so-stubby area (NSSA)
D.Normal area
AnswerA

A stub area blocks Type 5 LSAs (external routes) but allows Type 3 LSAs (inter-area routes). It also uses a default route for external destinations.

Why this answer

A stub area blocks Type 5 LSAs (external routes) from entering the area while still allowing Type 3 LSAs (inter-area routes). This meets the requirement of preventing external routes from the ASBR in area 0 from being learned by routers in area 1, while still permitting inter-area routing and reducing the routing table size.

Exam trap

Cisco often tests the distinction between stub and totally stubby areas, where candidates mistakenly choose totally stubby when they only need to block external routes but still require inter-area routes.

How to eliminate wrong answers

Option B (Totally stubby area) is wrong because it blocks both Type 5 LSAs and Type 3 LSAs, preventing the router from learning inter-area routes, which violates the requirement. Option C (Not-so-stubby area, NSSA) is wrong because it allows Type 7 LSAs (external routes) to be imported into the area, which would still permit external route learning, contrary to the requirement. Option D (Normal area) is wrong because it allows all LSA types, including Type 5 LSAs, so the router would learn external routes, failing to reduce the routing table as desired.

225
MCQmedium

A network administrator needs to analyze bandwidth usage by application and identify top talkers on the network. Which protocol or technology should be used to export detailed traffic flow information from routers and switches to a central collector?

A.NetFlow
B.SNMP
C.ICMP
D.SMTP
AnswerA

NetFlow exports flow records that contain information about each traffic flow, enabling detailed bandwidth and application analysis.

Why this answer

NetFlow is the correct choice because it is a Cisco-developed protocol designed specifically to export detailed IP traffic flow information—including source/destination IPs, ports, protocols, and byte counts—from routers and switches to a central collector for bandwidth usage analysis and top talker identification. Unlike simpler monitoring tools, NetFlow provides per-flow granularity, enabling administrators to pinpoint which applications and hosts are consuming the most bandwidth.

Exam trap

Cisco often tests the distinction between SNMP and NetFlow, where candidates mistakenly choose SNMP because they associate it with network monitoring, but SNMP lacks the per-flow granularity needed for top talker and application analysis.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP is used for polling device statistics like interface utilization and error counters, but it does not export per-flow traffic details such as application-level data or top talkers; it only provides aggregate interface-level metrics. Option C (ICMP) is wrong because ICMP is a network-layer protocol used for error reporting and diagnostic utilities like ping and traceroute, not for exporting traffic flow records. Option D (SMTP) is wrong because SMTP is an application-layer protocol for email transmission and has no role in network traffic flow export or bandwidth analysis.
