CompTIA Network+ N10-009 — Questions 226–300

520 questions total · 7 pages · All types, answers revealed

Page 4 of 7
Question 226 (MCQ, hard)

A security engineer is configuring a site-to-site VPN between two branch offices. The requirement is to encrypt all traffic between the two networks using IPsec. Which IPsec mode should be used to encrypt the entire IP packet including the original header?

A. Transport mode
B. Tunnel mode
C. AH only
D. ESP only

Answer: B

Tunnel mode encapsulates the entire original IP packet with a new header, encrypting everything. This is the standard mode for site-to-site IPsec VPNs.

Why this answer

Tunnel mode is the correct choice because it encrypts the entire original IP packet, including the original header, and then encapsulates it within a new IP header. This is required for site-to-site VPNs where the original source and destination IP addresses must be hidden or protected, and the new header is used for routing between the two VPN gateways.

Exam trap

Cisco often tests the distinction between Transport and Tunnel modes by asking which mode encrypts the entire packet, and candidates mistakenly choose Transport mode because they confuse 'encrypting the payload' with 'encrypting the entire packet', or they think AH provides encryption.

How to eliminate wrong answers

Option A is wrong because Transport mode only encrypts the payload of the IP packet, leaving the original IP header intact and unencrypted, which does not meet the requirement to encrypt the entire packet including the header. Option C is wrong because AH (Authentication Header) provides integrity and authentication but does not encrypt the packet; it only adds an AH header after the IP header, leaving the payload and original header in plaintext. Option D is wrong because ESP (Encapsulating Security Payload) alone can be used in either Transport or Tunnel mode; specifying 'ESP only' does not indicate the mode, and in Transport mode it would not encrypt the original header, so it is not a complete answer to the question.

Question 227 (MCQ, hard)

A network administrator reviews firewall logs and sees thousands of SYN packets coming from various source IP addresses to a single internal web server. No ACK or RST packets are observed from these sources. Which type of attack is most likely occurring?

A. DNS amplification attack
B. SYN flood attack
C. ARP spoofing attack
D. Man-in-the-middle attack

Answer: B

A SYN flood sends many SYN packets without completing the handshake, consuming server resources and causing denial of service.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target server without completing the handshake (no ACK or RST). This exhausts the server's connection table resources, preventing legitimate connections. The observed pattern of many SYN packets from various sources with no subsequent ACK or RST is the hallmark of a SYN flood.

Exam trap

Cisco often tests the distinction between a SYN flood (which targets the TCP handshake) and a DNS amplification attack (which uses UDP reflection), so candidates may confuse the two because both involve high packet volumes and spoofed sources.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses small queries to open DNS resolvers that send large responses to a victim, typically over UDP, not TCP SYN packets. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP address on a local network, not flooding SYN packets to a web server. Option D is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, often using ARP spoofing or rogue access points, not a flood of SYN packets.
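The SYN-flood pattern the explanation describes (many SYNs per source, never followed by an ACK or RST) can be checked mechanically against connection logs. The Python below is an added example, not part of the question bank; it assumes a constructed, simplified firewall log format and thresholds chosen for the sample data.

```python
"""Flag SYN-flood-like sources in firewall connection logs.

Added example (not from the question bank). It assumes a constructed,
simplified log format: "<time> <src_ip> -> <dst_ip>:<dst_port> flags=<TCP flags>".
The heuristic follows the pattern in question 227: a source that sends many
bare SYNs to a server and never follows with an ACK or RST.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) flags=(?P<flags>[A-Z]+)$"
)


@dataclass
class SourceStats:
    syn: int = 0
    ack_or_rst: int = 0
    targets: set = field(default_factory=set)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ignore lines that do not match the assumed format
    return m.groupdict()


def tally(lines):
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        flags = rec["flags"]
        # A bare SYN (no ACK bit) is a new connection attempt.
        if "S" in flags and "A" not in flags:
            s.syn += 1
            s.targets.add((rec["dst"], rec["port"]))
        # Any ACK or RST from the source means the handshake progressed or was torn down.
        if "A" in flags or "R" in flags:
            s.ack_or_rst += 1
    return stats


def suspected_syn_flood_sources(lines, min_syn=3):
    """Return source IPs that sent >= min_syn bare SYNs and no ACK/RST at all."""
    return sorted(
        src for src, s in tally(lines).items()
        if s.syn >= min_syn and s.ack_or_rst == 0
    )


def syn_flood_targets(lines, min_sources=3):
    """Return (dst, port) pairs hit by at least min_sources half-open-only sources."""
    hits = defaultdict(set)
    for src, s in tally(lines).items():
        if s.ack_or_rst == 0:
            for t in s.targets:
                hits[t].add(src)
    return sorted(t for t, srcs in hits.items() if len(srcs) >= min_sources)


# Constructed sample log: three sources only ever send SYN to 10.0.0.5:443;
# 192.0.2.50 is a legitimate client that completes the handshake.
SAMPLE_LOG = """\
12:00:01 198.51.100.10 -> 10.0.0.5:443 flags=S
12:00:01 198.51.100.11 -> 10.0.0.5:443 flags=S
12:00:01 198.51.100.12 -> 10.0.0.5:443 flags=S
12:00:02 198.51.100.10 -> 10.0.0.5:443 flags=S
12:00:02 198.51.100.11 -> 10.0.0.5:443 flags=S
12:00:02 198.51.100.12 -> 10.0.0.5:443 flags=S
12:00:02 192.0.2.50 -> 10.0.0.5:443 flags=S
12:00:02 192.0.2.50 -> 10.0.0.5:443 flags=A
12:00:03 198.51.100.10 -> 10.0.0.5:443 flags=S
12:00:03 198.51.100.11 -> 10.0.0.5:443 flags=S
12:00:03 198.51.100.12 -> 10.0.0.5:443 flags=S
12:00:03 192.0.2.50 -> 10.0.0.5:443 flags=PA
""".splitlines()

if __name__ == "__main__":
    print("suspect sources:", suspected_syn_flood_sources(SAMPLE_LOG))
    print("targets under half-open pressure:", syn_flood_targets(SAMPLE_LOG))
```

On real logs the thresholds should be far higher than in this sample and computed per time window, since a handful of SYNs without a reply is also what a client behind a dropped route looks like.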

Question 228 (MCQ, medium)

A network technician is troubleshooting a user's inability to access a specific internal web application hosted on a server at 10.10.10.15:8080. The user can ping the server's IP address successfully, but the web browser displays 'connection refused'. The technician verifies that the web application service is running on the server. What is the most likely cause of the issue?

A. The server's firewall is blocking inbound connections to port 8080.
B. The web application is listening on a different port than 8080.
C. The user's web browser is configured to use an incorrect proxy server.
D. The DNS resolution is failing for the server's hostname.

Answer: A

Connection refused often indicates that a firewall is blocking the specific port. Since the server is reachable via ping, the issue is at the port level. Checking the server firewall rules for port 8080 is the next step.

Why this answer

Since the user can ping the server (ICMP succeeds) but receives 'connection refused' on port 8080, and the service is confirmed running, the most likely cause is that the server's firewall is blocking inbound TCP connections to port 8080. A firewall rule can permit ICMP echo requests while rejecting TCP SYN packets to specific ports with a TCP RST, so the ping succeeds while the browser reports 'connection refused'.

Exam trap

CompTIA often tests the distinction between ICMP reachability (ping) and TCP port accessibility, trapping candidates into thinking a successful ping means all network connectivity is fine, when in fact firewalls can selectively block specific ports while allowing ICMP.

How to eliminate wrong answers

Option B is wrong because the technician verified that the web application service is running on the server; if it were listening on a different port, the service would still be reachable on that port, but the user is specifically trying port 8080 and the service is confirmed running, so a port mismatch would not cause a 'connection refused' from the server itself. Option C is wrong because an incorrect proxy server would typically cause a different error, such as 'proxy server not responding' or a timeout, not a direct 'connection refused' from the target server; the browser would attempt to connect through the proxy, not directly to 10.10.10.15:8080. Option D is wrong because the user successfully pings the server's IP address (10.10.10.15), which bypasses DNS entirely; DNS resolution is irrelevant when using a direct IP address.

Question 229 (MCQ, medium)

A network administrator discovers that client workstations are receiving IP addresses from an unknown device, causing network connectivity issues. Which security feature should be configured on switches to prevent rogue DHCP servers from assigning IP addresses?

A. DHCP snooping
B. Dynamic ARP Inspection
C. Port security
D. BPDU guard

Answer: A

DHCP snooping filters DHCP traffic and allows only trusted DHCP servers, preventing rogue DHCP servers from assigning IP addresses.

Why this answer

DHCP snooping is the correct security feature because it acts as a firewall between untrusted hosts and trusted DHCP servers. By configuring ports as trusted (where legitimate DHCP servers are connected) and untrusted (client-facing ports), the switch drops all DHCP server messages (OFFER, ACK, NAK) received on untrusted ports, effectively blocking rogue DHCP servers from assigning IP addresses.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection (DAI) because both rely on the DHCP snooping binding table, but DAI only validates ARP packets, not DHCP server messages.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server spoofing. Option C (Port security) is wrong because it restricts MAC addresses per port to prevent unauthorized device access, but does not inspect or filter DHCP messages. Option D (BPDU guard) is wrong because it protects against Layer 2 loop attacks by disabling ports that receive Bridge Protocol Data Units (BPDUs) on PortFast-enabled ports, and has no role in DHCP message validation.

Question 230 (MCQ, hard)

A security analyst receives an alert that an internal user's workstation is sending a high volume of ARP requests for multiple IP addresses on the local subnet. The analyst suspects a man-in-the-middle attack. Which security mechanism is most effective at mitigating this type of attack on a switched network?

A. Port security
B. DHCP snooping
C. Dynamic ARP Inspection
D. MAC address filtering

Answer: C

DAI uses the DHCP snooping binding table to validate ARP packets and block spoofed ARP messages.

Why this answer

Dynamic ARP Inspection (DAI) is the correct answer because it validates ARP packets on a switched network, ensuring that only legitimate ARP replies are forwarded. In a man-in-the-middle attack, an attacker sends spoofed ARP replies to associate their MAC address with the IP address of a legitimate host. DAI intercepts all ARP packets and compares them against a trusted binding table (built by DHCP snooping), dropping any that are invalid, thus preventing ARP spoofing.

Exam trap

Cisco often tests the distinction between DHCP snooping and DAI, where candidates mistakenly choose DHCP snooping because it builds the binding table, but DAI is the actual mechanism that validates ARP packets to prevent man-in-the-middle attacks.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses allowed on a switch port or restricts specific MAC addresses, but it does not inspect the content of ARP packets or prevent ARP spoofing. Option B is wrong because DHCP snooping builds a DHCP snooping binding table by monitoring DHCP messages, but it does not directly inspect or validate ARP packets; it is a prerequisite for DAI but not the mitigation mechanism itself. Option D is wrong because MAC address filtering simply allows or denies traffic based on source MAC addresses, which can be easily spoofed by an attacker and does not validate the IP-to-MAC mapping in ARP packets.

Question 231 (MCQ, hard)

A security analyst observes that a workstation on the network is sending unsolicited ARP replies stating that the workstation's MAC address corresponds to the default gateway IP for all subnets. This behavior is causing other devices to send traffic destined for external networks to the workstation instead of the legitimate gateway. Which type of attack is being performed?

A. ARP spoofing
B. DHCP starvation
C. DNS poisoning
D. MAC flooding

Answer: A

ARP spoofing involves sending fake ARP messages to associate the attacker's MAC with another IP, typically the gateway.

Why this answer

The workstation is sending unsolicited ARP replies that map the default gateway IP to its own MAC address. This poisons the ARP caches of other devices on the network, causing them to forward traffic destined for external networks to the attacker's workstation instead of the legitimate gateway. This is the classic behavior of an ARP spoofing (or ARP poisoning) attack, which exploits the lack of authentication in the ARP protocol (RFC 826).

Exam trap

The trap here is confusing ARP spoofing with MAC flooding, because both involve MAC addresses and network interception, but MAC flooding targets the switch's CAM table to capture traffic, while ARP spoofing targets host ARP caches to redirect traffic to a specific MAC address.

How to eliminate wrong answers

Option B (DHCP starvation) is wrong because that attack floods a DHCP server with fake DHCPDISCOVER messages to exhaust the IP address pool, preventing legitimate clients from obtaining IP addresses; it does not involve sending unsolicited ARP replies. Option C (DNS poisoning) is wrong because that attack corrupts DNS resolver caches or DNS server records to redirect domain names to malicious IP addresses, not by manipulating ARP tables with MAC-to-IP mappings. Option D (MAC flooding) is wrong because that attack floods a switch with frames containing many different source MAC addresses to overflow the CAM table, forcing the switch into fail-open mode (hub mode) for traffic sniffing; it does not involve sending unsolicited ARP replies to redirect default gateway traffic.
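Questions 230 and 231 rest on the same mechanism: Dynamic ARP Inspection compares each ARP reply arriving on an untrusted port with the IP-to-MAC bindings that DHCP snooping recorded, and drops the reply when the pair does not match. The Python below is an added illustration of that check, not code from the question bank or from any switch vendor; the binding table, port names and ARP replies are constructed sample data.

```python
"""Validate ARP replies against a DHCP snooping binding table (DAI-style).

Added example, not from the question bank. It mirrors the mechanism described
in questions 230 and 231: bindings learned from DHCP (plus static entries for
hosts such as the gateway) are trusted, and an ARP reply on an untrusted port
is dropped when its sender IP/MAC pair is absent or contradicts a binding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ingress_port: str
    sender_ip: str
    sender_mac: str
    vlan: int = 10


class DaiValidator:
    def __init__(self, bindings, trusted_ports, static_bindings=None):
        # bindings: {(vlan, ip): mac} learned by DHCP snooping
        # static_bindings: same shape, for hosts with fixed addresses (gateway, servers)
        self.bindings = dict(bindings)
        self.bindings.update(static_bindings or {})
        self.trusted_ports = set(trusted_ports)
        self.dropped = []  # (reply, reason) for every reply that was discarded

    def check(self, reply):
        """Return 'forward' or 'drop'. Trusted ports (uplinks) bypass inspection."""
        if reply.ingress_port in self.trusted_ports:
            return "forward"
        expected = self.bindings.get((reply.vlan, reply.sender_ip))
        if expected is None:
            # No binding for that IP on this VLAN: no lease was ever issued for it here.
            self.dropped.append((reply, "no binding"))
            return "drop"
        if expected.lower() != reply.sender_mac.lower():
            self.dropped.append((reply, f"mac mismatch, expected {expected}"))
            return "drop"
        return "forward"

    def filter(self, replies):
        return [r for r in replies if self.check(r) == "forward"]


# Constructed data: the gateway is a static binding reached via the trusted uplink,
# the two clients hold DHCP leases.
GATEWAY_IP = "10.10.10.1"
GATEWAY_MAC = "00:11:22:33:44:01"
DHCP_BINDINGS = {
    (10, "10.10.10.50"): "00:aa:bb:cc:dd:50",
    (10, "10.10.10.51"): "00:aa:bb:cc:dd:51",
}
STATIC_BINDINGS = {(10, GATEWAY_IP): GATEWAY_MAC}
TRUSTED_PORTS = {"Gi1/0/24"}

SAMPLE_REPLIES = [
    # Legitimate client answering for its own leased address.
    ArpReply("Gi1/0/5", "10.10.10.50", "00:aa:bb:cc:dd:50"),
    # Gateway reply arriving on the trusted uplink: never inspected.
    ArpReply("Gi1/0/24", GATEWAY_IP, GATEWAY_MAC),
    # The question-231 pattern: a client port claims the gateway IP with its own MAC.
    ArpReply("Gi1/0/6", GATEWAY_IP, "00:aa:bb:cc:dd:51"),
    # A client claiming another host's leased IP from its own port.
    ArpReply("Gi1/0/6", "10.10.10.50", "00:aa:bb:cc:dd:51"),
    # An address with no lease at all.
    ArpReply("Gi1/0/7", "10.10.10.99", "00:de:ad:be:ef:99"),
]


def run_sample():
    """Run the validator over the constructed replies; returns (forwarded, dropped)."""
    dai = DaiValidator(DHCP_BINDINGS, TRUSTED_PORTS, STATIC_BINDINGS)
    forwarded = dai.filter(SAMPLE_REPLIES)
    return forwarded, dai.dropped


if __name__ == "__main__":
    forwarded, dropped = run_sample()
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
    for reply, reason in dropped:
        print(f"  drop on {reply.ingress_port}: {reply.sender_ip} claimed by "
              f"{reply.sender_mac} ({reason})")
```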

Question 232 (MCQ, easy)

A network technician is explaining network segmentation to a junior technician. Which of the following devices increases the number of collision domains but does not increase the number of broadcast domains?

A. Hub
B. Switch
C. Router
D. Repeater

Answer: B

A switch creates a separate collision domain for each port but forwards all broadcast frames, so it does not increase broadcast domains.

Why this answer

A switch creates a separate collision domain for each port, so multiple devices can transmit simultaneously without collisions, but it does not segment broadcast domains; all ports remain in the same broadcast domain unless VLANs are configured. This directly matches the question's requirement: increasing collision domains without increasing broadcast domains.

Exam trap

The trap here is that candidates often confuse collision domains with broadcast domains, thinking that a switch reduces both, when in fact it only reduces collision domains while leaving broadcast domains unchanged (unless VLANs are used).

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 and places all connected devices into a single collision domain, so it does not increase the number of collision domains. Option C is wrong because a router operates at Layer 3 and segments both collision and broadcast domains, increasing the number of broadcast domains, which violates the condition. Option D is wrong because a repeater, like a hub, operates at Layer 1 and simply regenerates signals without creating separate collision domains, so it does not increase the number of collision domains.

Question 233 (MCQ, easy)

A network administrator configures a trunk link between two switches. The link is up, but no traffic from any VLAN is passed between the switches. The administrator verifies that the trunk port is configured correctly on both switches with 'switchport mode trunk' and allowed VLANs. Which of the following is the most likely cause?

A. The native VLAN is different on each switch
B. VLAN 1 has been deleted on one of the switches
C. Spanning Tree Protocol is blocking the trunk link
D. The trunk encapsulation is mismatched

Answer: D

If one switch is configured for ISL encapsulation and the other for 802.1Q, the trunk will not pass traffic because the encapsulation methods are incompatible.

Why this answer

Option D is correct because a trunk link requires both ends to use the same encapsulation protocol, either 802.1Q or ISL. If one switch is set to 'switchport trunk encapsulation dot1q' and the other uses 'isl' (or auto-negotiates to a different type), the frames will be dropped or misinterpreted, preventing any VLAN traffic from passing. The administrator verified 'switchport mode trunk' and allowed VLANs, but an encapsulation mismatch is a common oversight that stops all VLAN traffic while keeping the link up.

Exam trap

CompTIA often tests the distinction between 'switchport mode trunk' (which sets the mode) and 'switchport trunk encapsulation' (which sets the protocol), leading candidates to assume that setting the mode alone is sufficient for trunking to work.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause traffic on the native VLAN to be misdirected or dropped, but it would not block all VLAN traffic; other tagged VLANs would still pass. Option B is wrong because deleting VLAN 1 on one switch would only affect traffic in VLAN 1; other allowed VLANs would continue to pass over the trunk. Option C is wrong because if Spanning Tree Protocol were blocking the trunk link, the link would show as 'blocking' or 'not forwarding' in STP state, but the question states the link is up, implying STP is not blocking it.

Question 234 (MCQ, hard)

An organization wants to implement a security solution that uses a cloud-based service to inspect all incoming web traffic for malware and policy violations before it reaches the internal network. This type of solution is known as a:

A. Web application firewall (WAF)
B. Secure web gateway (SWG)
C. Intrusion detection system (IDS)
D. VPN concentrator

Answer: B

An SWG is a cloud-based or on-premises proxy that filters web traffic, blocks malware, and enforces policies.

Why this answer

A Secure Web Gateway (SWG) is a cloud-based security solution that inspects all outbound and inbound web traffic for malware, policy violations, and data loss. It operates at the application layer, typically using proxy-based or API-based inspection to enforce security policies before traffic reaches the internal network. This matches the requirement for a cloud service that inspects incoming web traffic for malware and policy violations.

Exam trap

The trap here is confusing a Secure Web Gateway (SWG) with a Web Application Firewall (WAF), as both deal with web traffic, but SWG focuses on user-to-web traffic inspection and policy enforcement, while WAF protects a specific web server from application-layer attacks.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) protects specific web applications from attacks like SQL injection and XSS by filtering HTTP traffic to and from the application, not by inspecting all incoming web traffic for malware and policy violations. Option C is wrong because an Intrusion Detection System (IDS) monitors network traffic for suspicious activity and alerts administrators, but it does not actively inspect or block traffic for malware and policy violations in a cloud-based proxy manner. Option D is wrong because a VPN concentrator terminates VPN tunnels and encrypts/decrypts traffic, but it does not perform content inspection for malware or policy violations.

Question 235 (MCQ, hard)

Users in a warehouse report that their wireless tablets lose connectivity when moving near large metal racks. The signal strength remains high but throughput drops significantly. What is the most likely cause?

A. Signal attenuation
B. Multipath interference
C. Co-channel interference
D. Insufficient DHCP scope

Answer: B

Metal racks cause signal reflections, creating multiple signal paths that interfere with each other, resulting in high signal strength but poor throughput.

Why this answer

When wireless signals reflect off large metal surfaces, multiple copies of the signal arrive at the receiver at slightly different times, causing multipath interference. This phase cancellation effect corrupts the signal, forcing the 802.11 MAC layer to retransmit frames, which drastically reduces throughput even though the received signal strength indicator (RSSI) remains high. The metal racks in the warehouse act as reflective surfaces, creating a classic multipath environment.

Exam trap

The trap here is that candidates confuse high signal strength with good signal quality, not realizing that multipath can cause high RSSI but poor throughput due to phase cancellation and retransmissions.

How to eliminate wrong answers

Option A is wrong because signal attenuation refers to a reduction in signal power over distance or through obstacles, but the scenario states signal strength remains high, ruling out attenuation. Option C is wrong because co-channel interference occurs when multiple access points or devices transmit on the same channel, causing collisions and reduced throughput, but the problem is localized to movement near metal racks, not a channel utilization issue. Option D is wrong because an insufficient DHCP scope would prevent devices from obtaining IP addresses, causing complete connectivity loss, not a drop in throughput while maintaining a connection.

Question 236 (MCQ, medium)

A user reports intermittent connectivity issues. The technician runs ping tests and notices that pings to the default gateway sometimes fail and sometimes succeed. While pinging, the technician observes that some replies have high latency. Which tool should the technician use to analyze the path and identify where packets are being delayed?

A. traceroute / tracert
B. nslookup
C. ipconfig
D. arp

Answer: A

Traceroute sends packets with increasing TTL values to map the path and measure latency at each hop, useful for identifying where delays or failures occur.

Why this answer

Traceroute (tracert on Windows) is the correct tool because it sends packets with incrementing Time-to-Live (TTL) values to map the entire Layer 3 path from source to destination. By measuring the round-trip time (RTT) for each hop, it can pinpoint exactly which router or link is introducing high latency or packet loss, addressing the intermittent connectivity and delayed replies observed in the ping tests.

Exam trap

CompTIA often tests that candidates confuse ping (which only tests end-to-end reachability and latency) with traceroute (which isolates the problematic hop), leading them to overlook traceroute when the question explicitly asks for path analysis.

How to eliminate wrong answers

Option B (nslookup) is wrong because it is a DNS query tool used to resolve domain names to IP addresses or vice versa; it does not analyze network path latency or packet loss. Option C (ipconfig) is wrong because it displays local TCP/IP configuration details (IP address, subnet mask, default gateway) but cannot trace routes or measure hop-by-hop delays. Option D (arp) is wrong because it manipulates or displays the local ARP cache, which maps IP addresses to MAC addresses on a local network; it provides no path analysis beyond the first hop.

Question 237 (MCQ, easy)

A network technician is explaining the OSI model to a junior technician. The technician mentions that the Transport layer is responsible for end-to-end communication and data segmentation. Which protocol operates at the Transport layer?

A. IP
B. TCP
C. Ethernet
D. HTTP

Answer: B

TCP operates at the Transport layer (Layer 4) and provides reliable, connection-oriented communication with segmentation and reassembly.

Why this answer

TCP (Transmission Control Protocol) operates at Layer 4 (Transport) of the OSI model, providing reliable, connection-oriented end-to-end communication and data segmentation with sequencing and acknowledgment. It ensures data is delivered error-free and in order, directly fulfilling the described responsibilities.

Exam trap

CompTIA often tests the distinction between TCP and UDP at the Transport layer, but here the trap is that candidates confuse IP (Layer 3) with Transport layer protocols because IP is fundamental to networking, yet it does not perform end-to-end communication or segmentation.

How to eliminate wrong answers

Option A is wrong because IP (Internet Protocol) operates at Layer 3 (Network), not the Transport layer; it handles logical addressing and routing, not end-to-end communication or segmentation. Option C is wrong because Ethernet operates at Layer 2 (Data Link) and Layer 1 (Physical), dealing with frame delivery on a local network segment, not end-to-end transport. Option D is wrong because HTTP (Hypertext Transfer Protocol) operates at Layer 7 (Application), defining how web clients and servers exchange data, not transport-layer functions.

Question 238 (MCQ, medium)

A network technician is troubleshooting a workstation that intermittently loses network connectivity. The link LED on the switch port is blinking slowly. The technician checks the cable and it appears fine. Which of the following is the most likely cause?

A. Duplex mismatch
B. Incorrect VLAN assignment
C. Bad cable
D. Spanning Tree blocking

Answer: A

A duplex mismatch often causes a slow blinking link light, intermittent connectivity, and errors on the interface.

Why this answer

A slow-blinking link LED on a switch port typically indicates a duplex mismatch, where one device is set to full duplex and the other to half duplex. This causes frame collisions and CRC errors, leading to intermittent connectivity even though the cable appears fine. The symptom of intermittent loss with a physically good cable is classic for duplex mismatch, as the port is still electrically connected but suffers from excessive retransmissions.

Exam trap

The trap here is that candidates often associate a blinking link LED with a physical layer issue like a bad cable, but Cisco tests the specific pattern of a slow blink to indicate a duplex mismatch, not a cable fault.

How to eliminate wrong answers

Option B is wrong because incorrect VLAN assignment would cause the workstation to be unable to communicate with devices in other VLANs, but the link LED would remain solid (or blink normally) and connectivity would be consistently absent, not intermittent. Option C is wrong because a bad cable would typically cause the link LED to be off or flicker erratically, not blink slowly, and the technician already checked the cable and found it fine. Option D is wrong because Spanning Tree blocking would result in a complete loss of connectivity (no traffic at all) on that port, not intermittent drops, and the port LED would usually be amber or off, not blinking slowly.

Question 239 (MCQ, medium)

A network technician runs the command "traceroute 8.8.8.8" from a workstation. The output shows the first hop as the default gateway, the second hop as an internal router, and then a series of asterisks (* * *) before reaching the destination. What does the series of asterisks indicate?

A. The destination is unreachable
B. The intermediate routers are not responding to ICMP time-exceeded messages
C. The TTL expired at the last hop
D. The connection is encrypted

Answer: B

Asterisks indicate that those routers did not send back the ICMP time-exceeded message, often due to firewall filtering.

Why this answer

The series of asterisks indicates that intermediate routers beyond the second hop are not responding with ICMP Time-Exceeded messages when the TTL expires. Traceroute relies on these ICMP responses to identify each hop; if a router is configured to drop ICMP or not send the message, the output shows asterisks for that hop. The destination is still reachable, as the final hop succeeds, so the asterisks do not indicate unreachability.

Exam trap

Cisco often tests the misconception that asterisks mean the destination is unreachable, but the key is that traceroute still reaches the final hop, so the asterisks only indicate missing ICMP responses from intermediate routers, not a failure to reach the target.

How to eliminate wrong answers

Option A is wrong because the destination (8.8.8.8) is reached, as shown by the final hop completing; asterisks only indicate missing responses from intermediate routers, not that the destination is unreachable. Option C is wrong because the TTL expiring at the last hop would produce a response from the destination itself (ICMP Echo Reply) or an ICMP Time-Exceeded from the previous hop, not a series of asterisks; asterisks occur when TTL expires but no ICMP message is sent back. Option D is wrong because encryption (e.g., IPsec or TLS) does not affect traceroute's ability to receive ICMP Time-Exceeded messages; asterisks are caused by routers silently dropping ICMP or not generating the required message, not by encryption.

Question 240 (MCQ, hard)

A security analyst is reviewing logs and finds that a single MAC address is rapidly requesting IP addresses from a DHCP server, each time with a different client ID. The DHCP server is exhausting its address pool. Which type of attack is occurring?

A. DHCP starvation attack
B. MAC flooding attack
C. ARP spoofing
D. DNS poisoning

Answer: A

This is exactly the description of a DHCP starvation attack, where the attacker floods the DHCP server with requests to deplete the address pool.

Why this answer

A DHCP starvation attack occurs when an attacker sends numerous DHCP discover messages, each with a different client identifier even though they come from the same hardware address (chaddr), to exhaust the DHCP server's address pool. This prevents legitimate clients from obtaining IP addresses, as the server believes all leases are assigned. The rapid requests with different client IDs from a single MAC address are a hallmark of this attack.

Exam trap

The trap here is confusing DHCP starvation with MAC flooding, as both involve 'flooding' and MAC addresses, but MAC flooding targets switch CAM tables, not DHCP servers.

How to eliminate wrong answers

Option B is wrong because a MAC flooding attack targets network switches by flooding them with frames containing unique source MAC addresses to overflow the CAM table, causing the switch to fail open and act like a hub; it does not involve DHCP requests. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate an attacker's MAC address with the IP address of a legitimate host, enabling man-in-the-middle attacks; it does not exhaust DHCP address pools. Option D is wrong because DNS poisoning corrupts the DNS resolver's cache with false mappings, redirecting users to malicious sites; it has no direct impact on DHCP address allocation.
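A DHCP server log can be screened for the hallmark in question 240: one hardware address presenting many distinct client identifiers within a short window. The Python below is an added example, not from the question bank; it assumes a constructed log format and a threshold expressed relative to the pool size.

```python
"""Detect DHCP starvation from DHCP server logs.

Added example, not from the question bank. It assumes a constructed log format:
"<time_seconds> DISCOVER chaddr=<mac> client_id=<id>". The heuristic follows
question 240: one hardware address (chaddr) cycling through many distinct
client identifiers, which is how a single host can claim many leases from one pool.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DISCOVER chaddr=(?P<mac>[0-9a-f:]{17}) client_id=(?P<cid>\S+)$"
)


def parse(lines):
    """Yield (timestamp, chaddr, client_id) for lines matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["mac"].lower(), m["cid"]


def client_ids_per_mac(lines, window_seconds=60):
    """Map each chaddr to the set of distinct client IDs it used in the latest window."""
    events = sorted(parse(lines))
    if not events:
        return {}
    cutoff = events[-1][0] - window_seconds
    ids = defaultdict(set)
    for ts, mac, cid in events:
        if ts >= cutoff:
            ids[mac].add(cid)
    return ids


def starvation_suspects(lines, pool_size, window_seconds=60, fraction=0.25):
    """chaddrs whose distinct client IDs in the window exceed `fraction` of the pool.

    A normal host presents one client ID (or a handful across reinstalls); an
    attempt to drain the pool needs as many distinct IDs as the leases it wants.
    """
    threshold = max(2, int(pool_size * fraction))
    ids = client_ids_per_mac(lines, window_seconds)
    return {mac: len(cids) for mac, cids in ids.items() if len(cids) > threshold}


# Constructed sample: a pool of 20 addresses; one chaddr cycles 8 client IDs in
# 8 seconds while two other hosts behave normally (one of them reboots once).
SAMPLE_LOG = [
    f"{100 + i} DISCOVER chaddr=00:aa:bb:cc:dd:ee client_id=01:00:aa:bb:cc:dd:{i:02x}"
    for i in range(8)
] + [
    "101 DISCOVER chaddr=00:11:22:33:44:55 client_id=01:00:11:22:33:44:55",
    "105 DISCOVER chaddr=00:11:22:33:44:66 client_id=01:00:11:22:33:44:66",
    # Same normal host again after a reboot, same client ID: not suspicious.
    "109 DISCOVER chaddr=00:11:22:33:44:55 client_id=01:00:11:22:33:44:55",
]

if __name__ == "__main__":
    for mac, n in starvation_suspects(SAMPLE_LOG, pool_size=20).items():
        print(f"{mac}: {n} distinct client IDs in the window (pool size 20)")
```

Port security with a per-port MAC limit does not catch this variant, because the chaddr never changes; the distinguishing signal is the client-identifier cardinality, which is why the check keys on that field.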

Question 241 (MCQ, easy)

Which of the following is a characteristic of a connectionless protocol at the transport layer?

A. It establishes a session before sending data
B. It guarantees delivery using acknowledgments
C. It does not require a virtual circuit
D. It retransmits lost segments

Answer: C

Connectionless protocols send data independently without setting up a virtual circuit or logical connection.

Why this answer

Connectionless protocols at the transport layer, such as UDP (User Datagram Protocol), do not establish a virtual circuit or session before sending data. Each datagram is sent independently without prior coordination, making the protocol stateless and reducing overhead. This characteristic is fundamental to UDP's design, as defined in RFC 768.

Exam trap

The trap here is that candidates confuse 'connectionless' at the transport layer with 'connectionless' at the network layer (IP), leading them to think that IP's lack of virtual circuits applies to all layers, but the question specifically targets transport-layer behavior where UDP is the key example.

How to eliminate wrong answers

Option A is wrong because establishing a session before sending data is a characteristic of connection-oriented protocols like TCP, which use a three-way handshake to create a virtual circuit. Option B is wrong because guaranteeing delivery using acknowledgments is a feature of TCP, not connectionless protocols; UDP does not provide delivery guarantees. Option D is wrong because retransmitting lost segments is a reliability mechanism of TCP, which uses sequence numbers and acknowledgments to detect and resend lost data; connectionless protocols like UDP do not track or retransmit lost segments.

Question 242 (MCQ, easy)

A security auditor is reviewing firewall logs and notices repeated login attempts from a single external IP address to the company's SSH server. Which type of attack is likely occurring?

A. Brute force attack
B. Man-in-the-middle attack
C. ARP poisoning
D. DDoS attack

Answer: A

A brute force attack systematically tries passwords or encryption keys. In this case, repeated SSH login attempts from one IP are classic signs of a password guessing attempt.

Why this answer

Repeated login attempts from a single external IP to an SSH server are characteristic of a brute force attack, where an attacker systematically tries many username/password combinations to gain unauthorized access. SSH (port 22) is a common target because it provides remote shell access, and automated tools like Hydra or Medusa can rapidly test credentials. The firewall logs show multiple failed authentication attempts from the same source, which is the hallmark of this attack type.

Exam trap

Cisco often tests the distinction between a brute force attack (repeated single-source login attempts) and a DDoS attack (traffic flood from multiple sources), so candidates mistakenly choose DDoS when they see 'repeated attempts' without recognizing the single-source, credential-guessing nature of the activity.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not repeated login attempts from a single IP; it would require the attacker to position themselves between the client and server, often using ARP spoofing or rogue certificates. Option C is wrong because ARP poisoning is a Layer 2 attack that manipulates the ARP cache to redirect traffic on a local network, not external SSH login attempts; it would not appear as repeated authentication failures from a single external IP. Option D is wrong because a DDoS attack aims to overwhelm a service with traffic from multiple sources (distributed) to cause denial of service, not to guess credentials; a single external IP making repeated login attempts does not constitute a distributed attack.
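As an added example (not part of the original question bank), the following Python script implements the detection the auditor is doing by eye: it parses sshd log lines and flags a source that accumulates a threshold of failed logins inside a sliding time window. The log lines, hostname and addresses are constructed; a real deployment would read the auth log or journal and hand alerts to a SIEM or a fail2ban-style blocker. One caveat the exam item glosses over: a distributed or slow password spray stays under any per-IP threshold, so per-account and global failure counts are worth tracking alongside this check.

```python
"""Flag SSH brute-force activity in sshd log lines: many failed logins from one
source inside a short window. Added example; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Classic syslog-format sshd failure line (this format carries no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one noisy external source, one legitimate user with two typos.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:02 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:02 bastion sshd[4125]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:03 bastion sshd[4127]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:00:04 bastion sshd[4129]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:05 bastion sshd[4131]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:09 bastion sshd[4133]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Mar  3 10:05:00 bastion sshd[4140]: Failed password for bob from 198.51.100.20 port 40010 ssh2
"""


def parse_failures(text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed-password line.
    Accepted logins and unrelated lines are skipped. The year is supplied because
    the syslog timestamp omits it."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse the padded day-of-month
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], m["user"]))
    return out


def detect_bruteforce(failures, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per source IP: flag an IP once `threshold` failures fall
    within `window`. Returns {ip: {"count", "first", "last", "users"}}."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(failures):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events inside it fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = events[start:end + 1]
                alerts[ip] = {
                    "count": len(hits),
                    "first": hits[0][0],
                    "last": hits[-1][0],
                    "users": sorted({u for _, u in hits}),  # spread of guessed accounts
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {a['count']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, users={a['users']}")
```

Tuning note: a threshold of 5 failures in 60 seconds is a reasonable starting point for an internet-facing bastion, but the right values depend on the legitimate user population; running the detector over a week of real logs before alerting on it is the usual way to pick them.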

243
MCQhard

A user reports intermittent inability to access websites. When the issue occurs, the user can ping external IP addresses (e.g., 8.8.8.8) but cannot ping domain names like google.com. The user's IP configuration shows a DNS server address of 8.8.8.8. What is the most likely cause?

A.The DNS server is reachable but not responding due to high load.
B.The default gateway is down.
C.The corporate firewall is blocking UDP port 53.
D.The user's machine has a corrupted DNS cache.
AnswerA

If the DNS server is overloaded, it may drop queries intermittently. The user can still ping the server (ICMP is handled separately from the DNS service), but DNS queries time out. A practitioner confirms this by querying the server directly, for example with nslookup google.com 8.8.8.8 or dig @8.8.8.8 google.com, while the ping is succeeding: a timeout on the query with ICMP still answering points at the DNS service rather than the network path.

Why this answer

The user can ping external IP addresses (e.g., 8.8.8.8) but cannot resolve domain names like google.com, which indicates that IP connectivity is working but DNS resolution is failing. Since the DNS server address is 8.8.8.8 and the user can ping it, the server is reachable; however, intermittent failures suggest the server is overwhelmed and dropping or not responding to queries. This matches the symptom of a reachable but unresponsive DNS server due to high load, where ICMP (ping) succeeds but UDP/53 DNS queries time out.

Exam trap

The trap here is that candidates often assume a reachable server (via ping) means all services are working, but the exam tests the distinction between ICMP reachability and UDP/TCP service availability, especially for DNS where high load can cause intermittent failures.

How to eliminate wrong answers

Option B is wrong because if the default gateway were down, the user would not be able to ping external IP addresses like 8.8.8.8, as traffic would have no route out of the local subnet. Option C is wrong because if the corporate firewall were blocking UDP port 53, DNS resolution would fail consistently, not intermittently, and the user would also be unable to ping domain names at any time. Option D is wrong because a corrupted DNS cache would cause resolution failures for specific domains or return stale records, but the user can still ping external IPs and the issue is intermittent; flushing the cache would typically resolve a cache corruption issue, but the described pattern points to a server-side problem.
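The distinction this item tests, that ICMP reachability does not prove the UDP/53 service is answering, is clearest with a probe that speaks DNS itself. The following Python is an added example, not from the original page: it builds an RFC 1035 query by hand, parses the reply (including name compression pointers, with a hop limit so a malicious reply cannot loop the parser), and reports a timeout separately from a negative answer. SAMPLE_REPLY is a constructed reply to the query for the domain in the item, carrying a documentation IP address as the answer; probe() performs a live query and is the only part that touches the network.

```python
"""Separate ICMP reachability from DNS service availability: build a raw DNS
query, parse the reply, and time out when the server is reachable but not
answering. Added example; SAMPLE_REPLY is constructed, wire format per RFC 1035."""
import socket
import struct

QUERY_ID = 0x1234  # fixed here for reproducibility; a real client randomizes it


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=QUERY_ID, qtype=1):
    """Header (RD=1, one question) + question section; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off, max_hops=10):
    """Decode a possibly compressed name starting at `off`.
    Returns (name, offset just past the name in the original position)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                      # resume after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_id):
    """Return (rcode, [A-record addresses]). A mismatched ID is rejected,
    since it is either a stale reply or a spoofing attempt."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server, name, timeout=2.0):
    """Live check over UDP/53. 'timeout' is the case in the item: the server
    answers ping but not DNS. Returns (status, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout", []
    rcode, addrs = parse_response(data, QUERY_ID)
    return ("ok" if rcode == 0 else f"rcode={rcode}"), addrs


# Constructed reply to build_query("google.com"): flags 0x8180 (response, RD, RA,
# NOERROR), one question, one answer whose name is a pointer (0xC00C) back to
# offset 12, TTL 300, and a documentation address as RDATA.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + encode_name("google.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, QUERY_ID))   # offline parse of the constructed reply
    print(probe("8.8.8.8", "google.com"))          # live probe; 'timeout' reproduces the item
```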

244
MCQeasy

A network monitoring tool uses SNMP to collect data from devices. What is the primary purpose of SNMP traps?

A.To allow a manager to poll devices for current status
B.To enable devices to send unsolicited alerts to the management system
C.To encrypt SNMP communications
D.To provide authentication for SNMP messages
AnswerB

Traps are event-driven, unsolicited messages from agents to the manager for alerting purposes.

Why this answer

SNMP traps are unsolicited messages sent by an SNMP agent to the network management system (NMS) to immediately notify it of a significant event, such as a link failure or high CPU utilization. This push mechanism allows the NMS to react in real time without having to poll the device, reducing bandwidth and processing overhead. The correct answer is B because traps are specifically designed for asynchronous alerting, not for polling, encryption, or authentication.

Exam trap

The exam often tests the distinction between traps (unsolicited, unconfirmed) and informs (confirmed), and candidates mistakenly think traps are used for polling or that they inherently provide security features like encryption or authentication.

How to eliminate wrong answers

Option A is wrong because polling devices for current status is performed using SNMP Get requests (GetRequest, GetNextRequest, GetBulkRequest), not traps; traps are unsolicited alerts sent from the agent to the manager. Option C is wrong because SNMPv3 provides encryption (via the USM module) but traps themselves are not a mechanism for encryption; they are a message type that can be encrypted if SNMPv3 is used. Option D is wrong because authentication for SNMP messages is provided by SNMPv3's User-based Security Model (USM), not by traps; traps are a notification type that can include authenticated data but do not provide authentication themselves.

245
MCQmedium

A network administrator is configuring a new switch to carry traffic for multiple VLANs on a single link to a router. Which IEEE standard is used for VLAN tagging on Ethernet trunks?

A.802.3af
B.802.1D
C.802.1Q
D.802.11ac
AnswerC

802.1Q is the standard for VLAN tagging, allowing switches to identify which VLAN a frame belongs to across a trunk link.

Why this answer

802.1Q is the IEEE standard that defines VLAN tagging on Ethernet trunks, inserting a 4-byte tag into the Ethernet frame to identify VLAN membership. This allows multiple VLANs to traverse a single link between a switch and a router, enabling inter-VLAN routing without separate physical interfaces.

Exam trap

The exam often tests the distinction between 802.1Q (tagging) and 802.1D (STP), leading candidates to confuse VLAN trunking with loop prevention protocols.

How to eliminate wrong answers

Option A is wrong because 802.3af is the IEEE standard for Power over Ethernet (PoE), which delivers power over Ethernet cabling, not VLAN tagging. Option B is wrong because 802.1D is the original IEEE standard for the Spanning Tree Protocol (STP), which prevents loops in a network, not VLAN tagging. Option D is wrong because 802.11ac is a wireless networking standard for Wi-Fi operating in the 5 GHz band, not related to Ethernet VLAN tagging.

246
MCQmedium

A technician is troubleshooting a user's computer that cannot access any network resources. The technician runs ipconfig and sees an IP address of 169.254.18.33 with a subnet mask of 255.255.0.0. The computer is connected to a switch port configured for VLAN 10. The DHCP server is located in a different subnet (VLAN 200) and is reachable via a router. The technician confirms that the switch port is in the correct VLAN and that the cabling is good. Which of the following is the MOST likely cause of the issue?

A.The DHCP server is not authorized in Active Directory
B.The router does not have a DHCP relay (ip helper-address) configured
C.The computer's NIC is faulty
D.The switch port is in the wrong VLAN
AnswerB

Without a DHCP relay, DHCP broadcast requests from the client in VLAN 10 cannot reach the DHCP server in VLAN 200, leading to APIPA assignment.

Why this answer

The 169.254.x.x address is an Automatic Private IP Addressing (APIPA) address, assigned when a DHCP client fails to receive a lease. Since the DHCP server is on VLAN 200 and the client is on VLAN 10, a DHCP relay (ip helper-address) must be configured on the router interface facing VLAN 10 to forward DHCP broadcast requests as unicast to the DHCP server. Without this relay, the DHCP server never receives the client's discover message, causing the client to self-assign an APIPA address.

Exam trap

The trap here is that candidates see a 169.254.x.x address and immediately blame a faulty NIC or DHCP server issue, overlooking the need for a DHCP relay when the server is on a different subnet.

How to eliminate wrong answers

Option A is wrong because DHCP server authorization in Active Directory is a Windows Server security feature that prevents rogue DHCP servers, but it does not affect the router's ability to forward DHCP broadcasts between VLANs. Option C is wrong because a faulty NIC would typically show no link light or connectivity at all, but the computer received a valid APIPA address, indicating the NIC is functioning at Layer 2. Option D is wrong because the technician already confirmed the switch port is in the correct VLAN (VLAN 10), so this is not the cause.
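To make the relay mechanism concrete, here is an added Python model (not from the original page) of the exchange. The client's DISCOVER is a link-local broadcast that a router will not forward; when a helper address is configured on the client-facing interface, the relay agent sets giaddr to that interface's address and unicasts the request to the server, and the server uses giaddr, not the packet's source, to choose the scope. Without the relay the server never hears the client and the client self-assigns an APIPA address. Addresses, scopes and the APIPA value are constructed, and the dicts stand in for the DHCP fields that matter here.

```python
"""Why a client lands on 169.254.x.x when the DHCP server sits in another VLAN
and the router has no relay. Added example with constructed addresses."""
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed topology: client in VLAN 10, DHCP server in VLAN 200.
CLIENT_VLAN_IF = ipaddress.ip_address("192.168.10.1")  # router interface facing VLAN 10
SERVER_ADDR = ipaddress.ip_address("10.200.0.5")        # DHCP server in VLAN 200
SCOPES = {  # the server's scopes; it selects one by giaddr (or its own subnet if giaddr is 0)
    ipaddress.ip_network("192.168.10.0/24"): ["192.168.10.50", "192.168.10.51"],
    ipaddress.ip_network("10.200.0.0/24"): ["10.200.0.50"],
}


def client_discover():
    """A client with no lease must broadcast; it has nothing to put in giaddr."""
    return {"op": "DISCOVER", "src": "0.0.0.0", "dst": "255.255.255.255", "giaddr": "0.0.0.0"}


def router_forward(msg, helper_address=None):
    """Routers do not forward limited broadcasts. With a helper address on the
    client-facing interface, the relay stamps giaddr with that interface's IP
    and unicasts the message to the server."""
    if msg["dst"] == "255.255.255.255" and helper_address is None:
        return None  # dropped at the VLAN boundary: the server never sees it
    relayed = dict(msg)
    relayed["giaddr"] = str(CLIENT_VLAN_IF)
    relayed["src"] = str(CLIENT_VLAN_IF)
    relayed["dst"] = str(helper_address)
    return relayed


def server_offer(msg):
    """Scope selection: giaddr tells the server which subnet the client is on."""
    if msg is None:
        return None
    giaddr = ipaddress.ip_address(msg["giaddr"])
    anchor = SERVER_ADDR if int(giaddr) == 0 else giaddr  # 0 means 'directly attached'
    for net, pool in SCOPES.items():
        if anchor in net and pool:
            return {"op": "OFFER", "yiaddr": pool[0], "giaddr": msg["giaddr"]}
    return None


def client_result(offer):
    """No offer before the client gives up -> APIPA self-assignment."""
    if offer is None:
        return "169.254.18.33"  # the address from the question, constructed
    return offer["yiaddr"]


def is_apipa(addr):
    return ipaddress.ip_address(addr) in APIPA


def run(helper_address=None):
    """Full exchange: discover -> router -> server -> client outcome."""
    return client_result(server_offer(router_forward(client_discover(), helper_address)))


if __name__ == "__main__":
    print("no relay:  ", run())               # APIPA address
    print("with relay:", run("10.200.0.5"))   # lease from the VLAN 10 scope
```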

247
MCQmedium

After replacing a faulty network cable, a user reports that they can access local resources but not the internet. The technician verifies that the user's IP address is 192.168.1.100 with a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1. The technician can ping the default gateway successfully. Which of the following should the technician check NEXT?

A.DNS configuration
B.DHCP server
C.Router's firewall ACLs
D.Switch port VLAN assignment
AnswerA

DNS resolves domain names to IP addresses; a host with working IP connectivity but a missing or wrong DNS server setting cannot browse by name. Since the gateway is reachable, DNS is the most likely next check; pinging an external address by IP (for example 8.8.8.8) alongside a name confirms whether name resolution is the failing piece before moving on to routing or firewall checks.

Why this answer

The user can access local resources and successfully ping the default gateway, which confirms that Layer 2 and Layer 3 connectivity to the local network is working. The inability to access the internet while local access works points to a name resolution failure, as the browser relies on DNS to translate domain names to IP addresses. Checking DNS configuration is the logical next step because a misconfigured or missing DNS server would prevent internet access even when IP connectivity is intact.

Exam trap

The trap here is that candidates assume internet access failure must be a gateway or routing issue, but the successful ping to the default gateway proves Layer 3 connectivity is fine, forcing the focus to DNS as the most common cause of 'can't browse but can ping local.'

How to eliminate wrong answers

Option B is wrong because the user already has a valid IP address (192.168.1.100) and can ping the default gateway, indicating that the DHCP server is functioning and has assigned an address; checking the DHCP server again would be redundant. Option C is wrong because a router ACL blocking internet-bound traffic would typically be a site-wide symptom rather than something introduced by swapping one user's cable, and nothing in the scenario points to a change on the router; it becomes a candidate only if DNS checks out and an external address such as 8.8.8.8 also cannot be pinged. Option D is wrong because the switch port VLAN assignment would affect local network segmentation; if the VLAN were incorrect, the user would likely not be able to access local resources or ping the default gateway, which they can.

248
MCQmedium

A network administrator is deploying a wireless network in a warehouse environment with many metal racks. Clients using 802.11ac report strong signal strength but very low throughput. What is the most likely cause?

A.Co-channel interference from neighboring access points
B.Multipath interference caused by signal reflections off metal surfaces
C.The encryption method is set to WEP, which limits throughput
D.Too many clients are connected to the same access point
AnswerB

Metal racks cause reflections, leading to multipath. With strong signal but low throughput, multipath is the classic symptom. 802.11ac uses MIMO to mitigate multipath, but severe multipath can still degrade performance.

Why this answer

In a warehouse with many metal racks, 802.11ac signals reflect off the metal surfaces, creating multiple signal paths that arrive at the receiver at slightly different times. This multipath interference causes phase cancellation and intersymbol interference, which degrades the signal-to-noise ratio and forces the use of lower modulation and coding schemes (MCS), drastically reducing throughput despite strong RSSI.

Exam trap

The trap here is that candidates see 'strong signal strength' and assume the issue is at Layer 2 or higher (co-channel interference, encryption, or client count), but the metal racks create a classic multipath scenario where RSSI is high but SNR is low due to phase cancellation.

How to eliminate wrong answers

Option A is wrong because co-channel interference from neighboring APs would show up as high channel utilization and retry rates, with throughput varying as neighbors transmit, rather than as a consistent strong-signal, low-throughput pattern tied to the metal racks; the symptom here is multipath, not contention. Option C is wrong because WEP is deprecated and is not a valid configuration for an 802.11ac network: the 802.11n/ac high-throughput rates are only permitted with CCMP (AES), so a WPA2 or WPA3 deployment is implied, and the question points to the physical environment rather than the security setting. Option D is wrong because too many clients per AP would cause contention and airtime fairness issues, but the symptom of strong signal with low throughput points to a physical-layer impairment, not client density.

249
MCQeasy

A network administrator wants to automate the backup of configuration files from multiple routers and switches. Which protocol is commonly used for this purpose and is supported by most network devices?

A.FTP
B.TFTP
C.SFTP
D.HTTP
AnswerB

TFTP is a lightweight, connectionless protocol that is ideal for transferring small files like configuration backups without complex setup.

Why this answer

TFTP (Trivial File Transfer Protocol) is the correct choice because it is a lightweight, connectionless UDP-based protocol (port 69) that is widely supported on network devices like routers and switches for automated configuration backups. Its simplicity and minimal overhead make it ideal for scripting backup operations, even though it lacks security features like authentication or encryption. Because TFTP carries the configuration, including any credentials it contains, in cleartext and without authentication, a practitioner restricts it to a management network and prefers SCP or SFTP where the platform supports them.

Exam trap

The exam often tests the distinction between TFTP and FTP/SFTP by emphasizing that TFTP is the simplest and most universally supported protocol for automated backups, even though it lacks security, leading candidates to incorrectly choose SFTP for its encryption without considering device support limitations.

How to eliminate wrong answers

Option A is wrong because FTP (File Transfer Protocol) uses TCP (ports 20/21) and requires session establishment and authentication, which adds complexity and is less commonly supported in automated scripts on network devices compared to TFTP. Option C is wrong because SFTP (SSH File Transfer Protocol) runs over SSH (port 22) and provides encryption and authentication, but many older or lower-end network devices do not support SFTP, and it is not the default or most common protocol for simple configuration backups. Option D is wrong because HTTP (Hypertext Transfer Protocol) is typically used for web-based management interfaces and is not a standard protocol for direct device-to-server configuration file transfers; it lacks the lightweight, UDP-based efficiency that TFTP offers for automated backups.

250
MCQeasy

A network technician is reviewing the OSI model to understand how data is encapsulated when a web request is sent from a client to a server. At which layer does the web browser's HTTP request data get encapsulated with a TCP segment header?

A.Application layer
B.Presentation layer
C.Session layer
D.Transport layer
AnswerD

The Transport layer (Layer 4) takes data from upper layers, segments it, and adds a TCP or UDP header. For HTTP, the TCP segment header is added at this layer.

Why this answer

The Transport layer (Layer 4) is responsible for encapsulating application data with a TCP or UDP segment header. When a web browser sends an HTTP request, the HTTP data is passed down from the Application layer to the Transport layer, where the TCP segment header (including source/destination ports, sequence numbers, and checksum) is added. This encapsulation occurs at Layer 4, not at any higher layer.

Exam trap

The trap here is that candidates often confuse the Application layer (where HTTP data is generated) with the layer where the TCP header is added, mistakenly thinking encapsulation happens at Layer 7 instead of Layer 4.

How to eliminate wrong answers

Option A is wrong because the Application layer (Layer 7) is where the HTTP request data originates, but it does not add a TCP segment header; it only formats the application data. Option B is wrong because the Presentation layer (Layer 6) handles data translation, encryption, and compression (e.g., SSL/TLS handshake), not TCP header encapsulation. Option C is wrong because the Session layer (Layer 5) manages session establishment, maintenance, and termination (e.g., NetBIOS or RPC), but it does not add transport protocol headers.

251
MCQhard

A company is connecting two buildings that are 300 meters apart. The link must support 10 Gbps. Which combination of cable and transceiver should be used?

A.Cat6a UTP with 10GBASE-T
B.Cat5e UTP with 1000BASE-T
C.Single-mode fiber with 10GBASE-LR
D.Multimode fiber with 10GBASE-SR
AnswerC

10GBASE-LR over single-mode fiber supports 10 Gbps up to 10 km, fully satisfying the 300-meter distance.

Why this answer

Option C is correct because single-mode fiber (SMF) with 10GBASE-LR supports 10 Gbps over distances up to 10 km, easily covering the 300-meter requirement. 10GBASE-LR uses 1310 nm laser optics over single-mode fiber, providing low signal loss and high bandwidth for long-reach links.

Exam trap

The trap here is that candidates often assume Cat6a can handle 10 Gbps at any distance, forgetting the 100-meter limitation for twisted-pair copper, or they confuse 10GBASE-LR with 10GBASE-SR, which has a shorter reach on multimode fiber.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP with 10GBASE-T is limited to a maximum distance of 100 meters for 10 Gbps, far short of the required 300 meters. Option B is wrong because Cat5e UTP with 1000BASE-T supports only 1 Gbps, not the required 10 Gbps, and is also limited to 100 meters. Option D is the weaker choice because 10GBASE-SR reach on multimode fiber depends on the fiber grade: roughly 26 to 33 m on OM1, 82 m on OM2, 300 m on OM3 and 400 m on OM4, so a 300 m building-to-building run would sit at the OM3 limit with no margin for splices, patch panels or a later speed upgrade, whereas 10GBASE-LR over single-mode covers it with kilometers of headroom.

252
MCQmedium

A security engineer is configuring port security on a switch to prevent unauthorized devices from connecting. The requirement is that only the first device to connect to a port is allowed, and if a different device connects, the port should be disabled. Which port security violation mode should be configured?

A.Protect
B.Restrict
C.Shutdown
D.Sticky
AnswerC

Shutdown mode (or 'shutdown' violation) disables the port when a violation occurs, which is the most secure response and meets the requirement.

Why this answer

The 'shutdown' violation mode disables the port entirely when a violation occurs, which meets the requirement that the port be disabled if a different device connects. This is the only mode that places the port in the err-disabled state, preventing any further traffic until it is manually re-enabled (or brought back by an err-disable recovery timer, if one is configured).

Exam trap

The exam often tests the distinction that 'shutdown' is the only mode that disables the port, while 'restrict' and 'protect' only filter traffic but leave the port administratively up, leading candidates to mistakenly choose 'restrict' because it logs violations.

How to eliminate wrong answers

Option A is wrong because 'protect' mode drops packets from unauthorized devices but does not disable the port or generate an alert, allowing the unauthorized device to remain connected silently. Option B is wrong because 'restrict' mode drops packets from unauthorized devices and generates a syslog/SNMP alert but does not disable the port, so the port remains operational for the original authorized device. Option D is wrong because 'sticky' is not a violation mode at all; it is the MAC learning option that dynamically learns the first address seen on the port and saves it as a secure address in the running configuration. It is how the 'first device to connect' part of the requirement is typically met, and it is combined with the shutdown violation mode rather than substituted for it.

253
MCQmedium

A user reports that they cannot access the internet. The user's workstation has an IP address of 192.168.1.100/24, with a default gateway of 192.168.1.1. The user can ping the default gateway but cannot ping 8.8.8.8. Other users on the same subnet can ping 8.8.8.8. The technician checks the switch and sees the user's port is up. What should the technician check next?

A.Check the router's routing table for a route to the internet
B.Check the workstation's IP configuration for a misconfigured default gateway or DNS
C.Check the DNS server configuration on the workstation
D.Check the switch port for VLAN misconfiguration
AnswerB

The user can ping the gateway, so Layer 2 and Layer 3 connectivity to 192.168.1.1 works and, since other hosts on the subnet reach 8.8.8.8, the problem is specific to this workstation. A host-side cause such as an incorrect subnet mask, a gateway setting that does not match what the working hosts use, or a local firewall blocking outbound traffic explains why this workstation alone cannot reach 8.8.8.8.

Why this answer

Since the user can ping the default gateway (192.168.1.1) but not 8.8.8.8, while other users on the same subnet can reach 8.8.8.8, the issue is isolated to this workstation. The most likely cause is therefore in the workstation's own configuration, such as a wrong subnet mask or a gateway setting that differs from the working hosts, so traffic for remote networks is not handed to the router correctly. Option B is the logical next step after verifying local connectivity; the DNS part of the option is incidental, since pinging an IP address needs no name resolution, and it is the IP configuration check that matters here.

Exam trap

The trap here is that candidates often jump to checking the router's routing table (Option A) or DNS (Option C) when the symptom is a ping failure to an IP address, but the key clue is that other users on the same subnet are unaffected, isolating the problem to the workstation's configuration.

How to eliminate wrong answers

Option A is wrong because the router's routing table is likely correct since other users on the same subnet can reach the internet; checking it would be premature and not isolate the workstation-specific issue. Option C is wrong because DNS is not required to ping 8.8.8.8 (an IP address), so DNS misconfiguration cannot explain the failure to ping that IP. Option D is wrong because the switch port is up and other users on the same subnet are working, indicating no VLAN misconfiguration; a VLAN mismatch would affect all users on that port or subnet.

254
MCQeasy

A network engineer needs to install 15 wireless access points that each require 25W of power. The available switch provides PoE+ (802.3at) with a total power budget of 740W. The engineer also needs to connect 10 IP cameras that each require 12W. Which of the following should the engineer verify before proceeding with the installation?

A.The total power consumption of all devices does not exceed the switch's power budget.
B.The switch supports LLDP-MED for power negotiation.
C.All PoE devices are from the same manufacturer.
D.The cable length does not exceed 150 meters.
AnswerA

Correct. Ensuring the combined power draw is within the switch's budget is essential to prevent power failures.

Why this answer

The total power required is 15 APs × 25W + 10 cameras × 12W = 375W + 120W = 495W, which is well below the switch's 740W PoE+ budget. However, the engineer must verify that the cumulative power draw does not exceed the budget, as exceeding it would cause some ports to be denied power or shut down. A per-port check goes with it: PoE+ (802.3at) supplies at most 30W per port, about 25.5W at the powered device after cable loss, so a 25W access point fits but with little margin, and the figure to compare against the budget is what the switch actually allocates per port, which without power negotiation is often the full class maximum. This is the fundamental prerequisite for any PoE deployment.

Exam trap

The trap here is that candidates may overlook the simple power budget calculation and instead focus on irrelevant details like manufacturer compatibility or cable length limits, but the core requirement is ensuring the total wattage does not exceed the switch's PoE budget.

How to eliminate wrong answers

Option B is wrong because LLDP-MED is used for advanced power negotiation and device discovery, but it is not required for basic PoE+ operation; the switch can deliver power without it. Option C is wrong because PoE is standardized (802.3at), so devices from different manufacturers are fully interoperable as long as they comply with the standard. Option D is wrong because the maximum cable length for Ethernet (100BASE-TX/1000BASE-T) is 100 meters, not 150 meters; exceeding this can cause signal degradation and power loss.

255
MCQeasy

Which of the following describes the purpose of a default gateway on a host in a TCP/IP network?

A.It translates domain names to IP addresses
B.It assigns IP addresses to devices on the network
C.It forwards traffic from the local network to other networks
D.It filters traffic to prevent unauthorized access
AnswerC

The default gateway is the router that sends packets destined for non-local networks to the appropriate path.

Why this answer

The default gateway is the router interface on the local subnet that a host uses to send packets destined for IP addresses outside its own network. When a host determines that the destination IP is not in its local subnet (via its subnet mask), it forwards the frame to the default gateway's MAC address, which then routes the packet toward the remote network. Without a default gateway, a host can only communicate with devices on the same local broadcast domain.

Exam trap

The trap here is that candidates confuse the default gateway with a DNS server or DHCP server, because all three are often configured on the same router in small networks, but the exam specifically tests the Layer 3 forwarding role of the default gateway.

How to eliminate wrong answers

Option A is wrong because translating domain names to IP addresses is the function of a DNS server, not a default gateway; the default gateway operates at Layer 3 (routing) while DNS operates at the application layer. Option B is wrong because assigning IP addresses to devices is typically done by a DHCP server, which may run on a router but is not the purpose of the default gateway itself; the default gateway's role is purely forwarding traffic between networks. Option D is wrong because filtering traffic to prevent unauthorized access is the job of a firewall or an ACL; although the same router may also run a firewall, that is a separate role from forwarding packets off the local subnet.

256
MCQmedium

A company is deploying a new wireless network for employee devices and wants to use the most secure encryption method currently available for WPA2/3. Which encryption standard should be used?

A.WEP
B.TKIP
C.AES
D.DES
AnswerC

AES is a strong symmetric encryption algorithm used in WPA2 and WPA3 to provide robust wireless security.

Why this answer

AES (Advanced Encryption Standard) is the most secure encryption method available for WPA2 and WPA3. WPA2 mandates AES-CCMP, and WPA3 uses AES-CCMP as well, with AES-GCMP-256 in its 192-bit enterprise mode; all of these are built on the AES block cipher and provide both confidentiality and integrity. This makes AES the correct choice for the highest security in modern Wi-Fi deployments.

Exam trap

The exam often tests the misconception that TKIP is acceptable for WPA2 security, but the trap is that WPA2 mandates AES-CCMP for certification, and TKIP is only a backward-compatible option that should never be used in a secure deployment.

How to eliminate wrong answers

Option A is wrong because WEP (Wired Equivalent Privacy) is an obsolete, deprecated encryption standard that uses the RC4 cipher with a static key, making it trivially vulnerable to attacks like ARP replay and IV collision. Option B is wrong because TKIP (Temporal Key Integrity Protocol) is a legacy encryption method for WPA that also uses RC4 and is vulnerable to attacks such as Beck-Tews and Michael MIC exhaustion; it is not considered secure for modern networks and is not supported in WPA3. Option D is wrong because DES (Data Encryption Standard) is a 56-bit block cipher that has been breakable by brute force since the late 1990s; it was never part of any Wi-Fi security standard and is not an option in WPA2 or WPA3.

257
MCQmedium

A network administrator wants to be alerted immediately when any interface on a core router goes down. The administrator has already configured SNMP community strings. Which additional configuration is necessary to receive these alerts?

A.Configure the router to send SNMP traps to the NMS
B.Perform an SNMP walk of the interface OIDs
C.Use SNMP get to retrieve interface status periodically
D.Configure SNMP set to change interface parameters
AnswerA

Correct. Alerts for interface down events are sent via SNMP traps. The router must be configured with the IP address of the trap receiver (NMS).

Why this answer

SNMP traps are unsolicited notifications sent from the managed device (the router) to the Network Management Station (NMS) when a specific event occurs, such as an interface going down. Since the administrator wants immediate alerts without polling, configuring the router to send SNMP traps to the NMS is the correct approach. The SNMP community strings are already set, so the missing piece is the trap destination and enabling trap generation for interface state changes.

Exam trap

CompTIA often tests the distinction between polling (SNMP get/walk) and event-driven notifications (traps), and candidates mistakenly choose periodic polling (Option C) thinking it provides 'immediate' alerts, not realizing that polling introduces latency and is not truly immediate.

How to eliminate wrong answers

Option B is wrong because an SNMP walk is a polling operation that retrieves all OIDs in a subtree; it does not enable real-time alerts and requires the NMS to initiate the query. Option C is wrong because using SNMP get to periodically retrieve interface status is a polling mechanism, which introduces delay and does not provide immediate notification of an interface down event. Option D is wrong because SNMP set is used to modify configuration parameters on the device, not to receive alerts; it is a write operation, not a notification mechanism.

258
MCQmedium

A small business uses a wireless network for employees and guests. The owner wants to ensure that guest devices cannot access internal resources such as file servers and printers. Which network security technique should be implemented?

A.VLAN segmentation with separate SSID for guests
B.MAC address filtering
C.WPA2 encryption
D.Disabling SSID broadcast
AnswerA

Placing guest traffic on a separate VLAN and configuring access control lists (ACLs) prevents guest devices from reaching internal subnets while still providing internet access.

Why this answer

VLAN segmentation with a separate SSID for guests is the correct approach because it creates a logical network boundary that isolates guest traffic from internal resources. By assigning the guest SSID to a distinct VLAN, the network can enforce access control lists (ACLs) at the Layer 3 switch or firewall, preventing guest devices from reaching file servers, printers, or other internal subnets while still allowing internet access.

Exam trap

The trap here is that candidates often confuse encryption (WPA2) with network segmentation, assuming that securing the wireless link inherently protects internal resources, when in fact encryption only protects data in transit and does not control east-west traffic between devices on the same SSID.

How to eliminate wrong answers

Option B is wrong because MAC address filtering only controls which devices can associate with the wireless network based on their hardware addresses; it does not restrict traffic between devices once they are connected, nor does it prevent a guest device from accessing internal resources if it is on the same subnet. Option C is wrong because WPA2 encryption secures the wireless link between the client and the access point, but it does not provide any Layer 2 or Layer 3 segmentation; all devices that authenticate with the same SSID and encryption key can communicate freely with each other and with any reachable internal resource. Option D is wrong because disabling SSID broadcast only hides the network name from casual scanning; the SSID is still sent in the clear in probe and association frames, and a guest who connects is still on whatever VLAN the SSID maps to, so it neither prevents association nor isolates guest traffic from internal resources.

259
MCQmedium

A network engineer is designing a new switched network and needs to ensure that broadcast traffic from one department does not reach another department's workstations. The engineer plans to use VLANs. Which of the following must be configured on the switches to isolate broadcast domains as intended?

A.Configure all switch ports as trunk ports and use VLAN 1 for all departments.
B.Assign each department's workstations to a unique VLAN and configure their switch ports as access ports in that VLAN.
C.Place all workstations in the same VLAN and use a firewall to filter broadcast traffic between departments.
D.Configure each switch port as a trunk and use a different native VLAN for each department.
AnswerB

Access ports belong to a single VLAN, creating separate broadcast domains. This is the correct method to isolate traffic between departments.

Why this answer

VLANs segment a switched network into separate broadcast domains at Layer 2. By assigning each department's workstations to a unique VLAN and configuring their switch ports as access ports in that VLAN, broadcast traffic from one VLAN is confined to that VLAN and cannot reach workstations in another VLAN. This achieves the isolation required without additional filtering devices.

Exam trap

The trap here is that candidates may think a firewall can filter Layer 2 broadcast traffic within the same VLAN, but firewalls operate at Layer 3 and above, so they cannot prevent broadcasts from flooding all ports in a single VLAN.

How to eliminate wrong answers

Option A is wrong because configuring all switch ports as trunk ports and using VLAN 1 for all departments would place all devices in the same broadcast domain (VLAN 1), failing to isolate broadcast traffic between departments. Option C is wrong because placing all workstations in the same VLAN keeps them in a single broadcast domain; a firewall operates at Layer 3 and cannot filter Layer 2 broadcast traffic within the same VLAN, so broadcasts would still reach all workstations.

260
MCQmedium

A client and server are establishing a TCP connection. The client sends a SYN segment to the server. The server responds with a SYN-ACK segment. What is the next segment in the handshake?

A.ACK
B.RST
C.FIN
D.SYN
AnswerA

The final acknowledgment (ACK) confirms the server's SYN-ACK and completes the handshake.

Why this answer

The TCP three-way handshake requires the client to acknowledge the server's SYN-ACK by sending an ACK segment. This completes the handshake, establishing a full-duplex connection with synchronized sequence numbers. Without this final ACK, the server remains in a half-open state, unable to begin data transmission.

Exam trap

Cisco often tests the misconception that the handshake ends after the SYN-ACK, or that a FIN or RST could be used to complete the handshake, when in fact the final ACK is mandatory to transition the server's state from SYN-RECEIVED to ESTABLISHED.

How to eliminate wrong answers

Option B (RST) is wrong because a reset segment is used to abort a connection or reject a connection attempt, not to complete a successful handshake; sending an RST here would terminate the process prematurely. Option C (FIN) is wrong because a FIN segment is used to gracefully close an established connection, not to complete the initial handshake; sending a FIN at this stage would indicate an immediate desire to close a connection that hasn't even been fully opened yet.

261
MCQmedium

A network administrator needs to identify which hosts are generating the most traffic on the network and what types of traffic (e.g., HTTP, FTP). Which monitoring technology should be deployed?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

Correct. NetFlow collects detailed flow data, allowing identification of top talkers, applications, and traffic patterns.

Why this answer

NetFlow is the correct choice because it provides detailed visibility into network traffic flows, including source/destination IPs, ports, protocols, and application-level information (e.g., HTTP, FTP). Unlike SNMP, which only gives aggregate interface statistics, or Syslog, which logs device events, NetFlow captures per-flow metadata that directly answers the question of which hosts are generating the most traffic and what types of traffic they are using.

Exam trap

The trap here is that candidates often confuse SNMP's ability to show interface utilization with the need to identify specific hosts and application types, leading them to pick SNMP when NetFlow is required for per-flow granularity.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) polls counters like interface bytes/packets but does not identify individual hosts or application types—it only shows aggregate bandwidth usage per interface. Option C is wrong because Syslog is a logging protocol for device events (e.g., errors, reboots, security alerts) and does not capture traffic flow data or application-layer details; it cannot identify which hosts are generating traffic or differentiate HTTP from FTP.

262
MCQeasy

A small office uses a wireless router that provides both wired and wireless connectivity. The router's LAN IP is 192.168.1.1. A new printer with a static IP of 192.168.1.50 cannot be reached from a laptop obtaining an IP via DHCP. The laptop's IP is 192.168.1.100. Which of the following is the most likely cause?

A.The printer is on a different VLAN
B.The subnet mask is incorrect
C.The default gateway is misconfigured
D.The DHCP scope is exhausted
AnswerB

If the printer is configured with a static subnet mask that is not /24 (e.g., /28 or /25), it will calculate that the laptop's IP is outside its local subnet. It will then try to send traffic to the default gateway instead of directly to the laptop, and if the gateway does not forward it (or the printer's gateway is wrong), communication fails.

Why this answer

The laptop obtains an IP address via DHCP, which typically assigns a subnet mask of 255.255.255.0 for a /24 network. If the printer has a static IP of 192.168.1.50 but is configured with an incorrect subnet mask (e.g., 255.255.255.252), the printer may believe it is on a different subnet than the laptop (192.168.1.100). This prevents the laptop from reaching the printer because the printer will not respond to ARP requests or will send traffic to its default gateway instead of directly to the laptop.

Exam trap

Cisco often tests the misconception that a misconfigured default gateway is the cause of local subnet communication failures, but the trap here is that the default gateway is irrelevant for same-subnet traffic; the real issue is the subnet mask, which determines whether the destination is considered local or remote.

How to eliminate wrong answers

Option A is wrong because there is no mention of VLANs in the scenario; the router is a simple wireless router providing a single LAN segment, and both devices share the same IP subnet (192.168.1.0/24), so a VLAN mismatch would require separate broadcast domains and is not indicated. Option C is wrong because a misconfigured default gateway would affect the printer's ability to reach devices on other subnets or the internet, but it does not prevent communication between two devices on the same subnet; communication within the same subnet relies on ARP and direct MAC-layer delivery, not the default gateway.

263
MCQeasy

Which of the following describes a unicast transmission?

A.One-to-one communication
B.One-to-many communication
C.One-to-all communication
D.Many-to-many communication
AnswerA

Unicast delivers data to a single destination host.

Why this answer

Unicast transmission is defined as one-to-one communication where a single source sends data to a single destination. In IPv4 networking, this is the standard method for most client-server interactions, such as a host sending an HTTP request to a web server. The destination MAC address in the Ethernet frame is the unique address of the target device, ensuring only that device processes the frame.

Exam trap

The trap here is that candidates often confuse unicast with multicast because both involve a single source, but they forget that unicast is strictly one-to-one, while multicast is one-to-many to a subscribed group.

How to eliminate wrong answers

Option B is wrong because one-to-many communication describes multicast transmission, where a single source sends data to a specific group of interested receivers (e.g., using IGMP and multicast IP addresses in the 224.0.0.0/4 range). Option C is wrong because one-to-all communication describes broadcast transmission, where a single source sends data to every device on the network segment (e.g., using the broadcast MAC address FF:FF:FF:FF:FF:FF or the IPv4 broadcast address 255.255.255.255).

264
MCQmedium

A network engineer is designing a subnet to accommodate 50 devices in a single broadcast domain. The engineer uses a /26 subnet mask. How many usable host addresses are available?

A.30
B.62
C.126
D.254
AnswerB

Correct. /26 provides 62 usable addresses, enough for 50 devices with room for growth.

Why this answer

A /26 subnet mask provides 2^(32-26) = 64 total addresses. Subtracting the network and broadcast addresses leaves 62 usable host addresses. This is sufficient for 50 devices in a single broadcast domain.

Exam trap

The trap here is that candidates often forget to subtract the network and broadcast addresses, or they confuse the total addresses (64) with usable addresses (62), leading them to pick 64 or misapply the formula for a different prefix length.

How to eliminate wrong answers

Option A is wrong because it corresponds to a /27 subnet mask (32 total addresses, 30 usable), not a /26. Option C is wrong because it corresponds to a /25 subnet mask (128 total addresses, 126 usable). Option D is wrong because it corresponds to a /24 subnet mask (256 total addresses, 254 usable).
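The subnet arithmetic behind questions 262 and 264, as an added Python example that is not part of the question bank: it computes total and usable addresses for a prefix, picks the smallest prefix for a host count, and reproduces the printer/laptop mask mismatch (the addresses and the 255.255.255.252 mask are taken from question 262; the function names are this example's own).

```python
import ipaddress


def address_counts(prefix_len: int) -> tuple[int, int]:
    """Return (total, usable) IPv4 addresses for a prefix length.

    usable excludes the network and broadcast addresses, i.e. the exam
    formula 2^(32-n) - 2. /31 (RFC 3021 point-to-point) and /32 host routes
    have no network/broadcast pair to subtract and are returned unchanged.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    total = 2 ** (32 - prefix_len)
    usable = total if prefix_len >= 31 else total - 2
    return total, usable


def smallest_subnet_for(hosts: int) -> int:
    """Longest (most address-efficient) prefix whose usable count covers `hosts`."""
    for prefix_len in range(30, -1, -1):
        if address_counts(prefix_len)[1] >= hosts:
            return prefix_len
    raise ValueError("no single IPv4 subnet holds that many hosts")


def treats_as_on_link(own_ip: str, own_mask: str, peer_ip: str) -> bool:
    """Does a host configured own_ip/own_mask consider peer_ip to be on its subnet?

    A host ANDs both addresses with its *own* mask; a match means it ARPs for
    the peer directly, otherwise it hands the packet to its default gateway.
    """
    iface = ipaddress.IPv4Interface(f"{own_ip}/{own_mask}")
    return ipaddress.IPv4Address(peer_ip) in iface.network


def diagnose_pair(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> dict:
    """Summarise how two hosts see each other.

    A one-sided False is the asymmetric failure caused by a wrong static mask:
    one side ARPs directly, the other sends to its gateway and never replies.
    """
    a_net = ipaddress.IPv4Interface(f"{a_ip}/{a_mask}").network
    b_net = ipaddress.IPv4Interface(f"{b_ip}/{b_mask}").network
    return {
        "a_network": str(a_net),
        "b_network": str(b_net),
        "a_sees_b_local": treats_as_on_link(a_ip, a_mask, b_ip),
        "b_sees_a_local": treats_as_on_link(b_ip, b_mask, a_ip),
        "masks_agree": a_net == b_net,
    }


if __name__ == "__main__":
    total, usable = address_counts(26)
    print(f"/26: {total} total, {usable} usable; 50 hosts need a /{smallest_subnet_for(50)}")
    # Constructed from question 262: laptop via DHCP (/24), printer with a wrong static mask.
    report = diagnose_pair("192.168.1.100", "255.255.255.0", "192.168.1.50", "255.255.255.252")
    for key, value in report.items():
        print(f"{key}: {value}")
```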

265
Matchingmedium

Match each OSI layer to its description.



Data Link layer; handles MAC addressing and framing

Network layer; handles routing and logical addressing

Transport layer; handles reliable delivery and flow control

Application layer; provides network services to applications

Why these pairings

These are key layers of the OSI model.

266
MCQmedium

A network administrator is setting up SNMPv3 on a router for secure monitoring. Which of the following is required for SNMPv3 authentication?

A.Community string
B.Username and password
C.Encryption key
D.Public key
AnswerB

SNMPv3 authentication requires a username and an authentication password (or passphrase) that is used to generate a hash, verifying the source of the message.

Why this answer

SNMPv3 introduces a security model that requires a username and password (authentication passphrase) for authentication, moving away from the community-string-based model of SNMPv1/v2c. The password is used with an authentication protocol like MD5 or SHA to verify the identity of the manager before allowing access. Without a valid username and password combination, SNMPv3 will reject the request.

Exam trap

The trap here is that candidates confuse the community string (SNMPv1/v2c) with SNMPv3's username/password model, or they mistakenly think an encryption key alone satisfies authentication requirements, when in fact authentication and privacy are configured independently.

How to eliminate wrong answers

Option A is wrong because community strings are used only in SNMPv1 and SNMPv2c for authentication, not in SNMPv3, which uses a user-based security model (USM) defined in RFC 3414. Option C is wrong because an encryption key is used for privacy (encryption of SNMP payloads), not for authentication; authentication and privacy are separate security levels in SNMPv3.

267
MCQhard

An engineer is configuring a network and needs to understand the default behavior of an IPv6 node. When an IPv6 interface is initialized, which type of address is automatically assigned without any configuration server?

A.Global unicast address
B.Unique local address
C.Link-local address
D.Multicast address
AnswerC

Link-local addresses (fe80::/10) are automatically created when an IPv6 interface is enabled, using methods like EUI-64 or privacy extensions.

Why this answer

When an IPv6 interface is initialized, it automatically generates a link-local address (fe80::/10) using Stateless Address Autoconfiguration (SLAAC) without requiring any external server (e.g., DHCPv6). This address is mandatory for neighbor discovery and other link-local communication, allowing the node to operate on the local network segment immediately.

Exam trap

Cisco often tests the misconception that a global unicast address is automatically assigned, but the trap here is that only the link-local address is generated by default, while global and unique local addresses require additional configuration or router presence.

How to eliminate wrong answers

Option A is wrong because a global unicast address (2000::/3) requires either manual configuration or SLAAC with a router advertisement (RA) from a router; it is not automatically assigned upon interface initialization. Option B is wrong because a unique local address (fc00::/7) is designed for private, site-local communication and must be manually configured or assigned via DHCPv6; it is not auto-generated by default.

268
MCQhard

An organization's security policy requires that all remote access VPN connections use two-factor authentication and that the VPN clients are compliant with the latest patch levels before gaining network access. Which technology combination provides these capabilities?

A.SSL VPN with client certificate authentication
B.IPsec VPN using preshared keys
C.NAC integrated with a reverse proxy
D.VPN with RADIUS authentication and posture assessment
AnswerD

RADIUS can enforce two-factor authentication (e.g., via OTP) and work with a NAC (posture) server to check client health (patch levels) before allowing full VPN access.

Why this answer

Option D is correct because RADIUS authentication can enforce two-factor authentication (e.g., via token or OTP), and posture assessment (often via Network Access Control or a VPN posture plugin) checks the client's patch level before granting network access. This combination directly satisfies the policy requirements for both multi-factor authentication and endpoint compliance verification.

Exam trap

The trap here is that candidates often confuse 'two-factor authentication' with simply using a certificate (Option A) or a preshared key (Option B), failing to recognize that posture assessment is a separate, critical requirement that RADIUS combined with a NAC or posture system uniquely fulfills.

How to eliminate wrong answers

Option A is wrong because SSL VPN with client certificate authentication provides only single-factor authentication (the certificate) and does not inherently perform posture assessment for patch compliance. Option B is wrong because IPsec VPN using preshared keys provides only a single shared secret for authentication, lacking two-factor authentication and any mechanism to verify client patch levels. Option C is wrong because NAC integrated with a reverse proxy focuses on access control at the application layer and does not natively provide VPN connectivity or the two-factor authentication required for remote access VPN connections.

269
MCQmedium

Two switches are connected via a trunk link configured with allowed VLANs 10, 20, and 30. Hosts on VLAN 20 can communicate across the trunk, but hosts on VLAN 30 cannot. Which of the following is the most likely cause?

A.A
B.B
C.C
D.D
AnswerD

If VLAN 30 is only created on one switch, the other switch will not have the VLAN in its database and will drop frames from that VLAN.

Why this answer

Option D is correct because the most likely cause is that VLAN 30 is not allowed on the trunk link. Even though the trunk is configured with allowed VLANs 10, 20, and 30, if VLAN 30 is not present in the allowed VLAN list on one of the switch ports (e.g., due to a missing 'switchport trunk allowed vlan add 30' command or a pruning issue), frames from VLAN 30 will be dropped at the trunk. This explains why hosts on VLAN 20 can communicate while those on VLAN 30 cannot.

Exam trap

The trap here is that candidates often confuse trunk allowed VLAN configuration with native VLAN settings or assume a spanning-tree issue is VLAN-specific, when in fact spanning-tree blocks the entire trunk, not individual VLANs.

How to eliminate wrong answers

Option A is wrong because a misconfigured access port on the switch for VLAN 30 would affect only that specific port, not the trunk link itself; the trunk would still forward VLAN 30 traffic if allowed. Option B is wrong because a native VLAN mismatch on the trunk would cause issues with untagged frames, but VLAN 30 is a tagged VLAN in the allowed list, so it would not be affected by native VLAN problems. Option C is wrong because a spanning-tree blocking state on the trunk would block all VLANs, not just VLAN 30; if the trunk were blocked, VLAN 20 traffic would also fail.

270
MCQmedium

A network engineer is reviewing RFC 1918 address ranges to plan a private IP addressing scheme. Which of the following IP addresses falls within the private address space for Class A?

A.172.16.0.1
B.192.168.1.1
C.10.10.10.1
D.172.32.0.1
AnswerC

10.10.10.1 falls within the 10.0.0.0/8 block, which is the Class A private address space defined in RFC 1918.

Why this answer

Option C is correct because RFC 1918 defines the Class A private address range as 10.0.0.0/8, which includes all addresses from 10.0.0.0 to 10.255.255.255. 10.10.10.1 falls within this range, making it a valid private IP address for internal network use.

Exam trap

The trap here is that candidates often confuse the Class B private range (172.16.0.0/12) with any 172.x.x.x address, forgetting that only 172.16.0.0 through 172.31.255.255 are private, while 172.32.0.0 and above are public.

How to eliminate wrong answers

Option A is wrong because 172.16.0.1 belongs to the Class B private range (172.16.0.0/12), not Class A. Option B is wrong because 192.168.1.1 belongs to the Class C private range (192.168.0.0/16), not Class A. Option D is wrong because 172.32.0.1 is outside the RFC 1918 private address space; the Class B private range is 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), and 172.32.0.1 is a public IP address.

271
MCQmedium

A network technician needs to capture and analyze packets on a specific network segment to identify the source of a performance slowdown. Which tool is best suited for this task?

A.Protocol analyzer (e.g., Wireshark)
B.Port scanner (e.g., Nmap)
C.Ping
D.Traceroute
AnswerA

Protocol analyzers capture raw packets and allow detailed inspection of headers and payloads, ideal for troubleshooting performance issues.

Why this answer

A protocol analyzer like Wireshark is the correct tool because it captures and decodes packets at the data-link layer, allowing the technician to inspect frame headers, IP addresses, TCP/UDP ports, and payload contents on a specific network segment. This deep packet inspection is essential for identifying the root cause of performance slowdowns, such as excessive retransmissions, high latency, or application-layer issues. Unlike other tools, a protocol analyzer provides granular visibility into traffic patterns and protocol behavior.

Exam trap

The trap here is that candidates often confuse a protocol analyzer with a port scanner or a simple connectivity tool, assuming that Ping or Traceroute can provide enough data to diagnose performance slowdowns, when in fact they lack the packet-level detail required for root-cause analysis.

How to eliminate wrong answers

Option B (Port scanner, e.g., Nmap) is wrong because it is designed to discover open ports and services on hosts, not to capture and analyze packets for performance troubleshooting. Option C (Ping) is wrong because it only tests basic reachability and round-trip time using ICMP echo requests, which does not provide packet-level details or capture traffic on a segment. Option D (Traceroute) is wrong because it maps the path packets take to a destination by manipulating TTL values, but it does not capture or analyze the content of packets on a specific network segment.

272
MCQmedium

Users in a department report that the network is extremely slow. A technician checks the access switch and notices that a single port shows a high number of CRC errors and runts. The link LED is solid green. Which of the following is the most likely cause of the issue?

A.Duplex mismatch between the switch port and the connected device
B.Faulty network cable
C.Broadcast storm
D.VLAN misconfiguration
AnswerA

Duplex mismatch causes collisions and errors because one device transmits while the other cannot receive properly, leading to CRC and runt frames.

Why this answer

A duplex mismatch occurs when one device operates at full duplex and the other at half duplex. The full-duplex side does not perform Carrier Sense Multiple Access with Collision Detection (CSMA/CD), so it transmits without checking for collisions. The half-duplex side detects collisions, causing late collisions that manifest as CRC errors and runts on the switch port.

The solid green link LED indicates Layer 1 connectivity is intact, ruling out a physical cable fault.

Exam trap

CompTIA often tests duplex mismatch by showing a solid green link LED alongside CRC errors and runts, tricking candidates into thinking the cable is faulty because they assume a solid LED means perfect physical connectivity.

How to eliminate wrong answers

Option B is wrong because a faulty network cable typically causes link flaps, intermittent connectivity, or a blinking/off link LED, not a solid green LED with high CRC errors and runts. Option C is wrong because a broadcast storm floods the network with broadcast frames, overwhelming all ports and causing high CPU utilization and throughput issues, not isolated CRC errors and runts on a single port. Option D is wrong because a VLAN misconfiguration would cause connectivity issues such as inability to reach resources in other VLANs or incorrect VLAN tagging, not physical-layer errors like CRC and runts.

273
MCQeasy

A network engineer wants to segment a LAN into multiple broadcast domains without purchasing additional hardware. Which of the following technologies should be implemented?

A.Subnetting
B.VLANs
C.VPN
D.NAT
AnswerB

VLANs allow a single switch to support multiple broadcast domains, each isolated at Layer 2.

Why this answer

VLANs (Virtual Local Area Networks) allow a network engineer to logically segment a single physical LAN switch into multiple isolated broadcast domains without purchasing additional hardware. By assigning switch ports to different VLAN IDs, broadcast traffic is confined to ports within the same VLAN, effectively creating separate Layer 2 networks on the same switch infrastructure.

Exam trap

CompTIA often tests the misconception that subnetting alone can segment broadcast domains, but subnetting only divides IP address space; without VLANs, all devices on the same switch remain in one broadcast domain at Layer 2.

How to eliminate wrong answers

Option A (Subnetting) is wrong because subnetting operates at Layer 3 (IP) and divides a network into smaller IP ranges, but it does not create separate broadcast domains at Layer 2; without VLANs, all devices on the same physical switch still share a single broadcast domain regardless of subnet. Option C (VPN) is wrong because VPNs create encrypted tunnels over public networks for remote connectivity, not for segmenting a local LAN into multiple broadcast domains. Option D (NAT) is wrong because NAT translates private IP addresses to public ones for internet access and has no role in creating broadcast domains on a LAN.

274
MCQmedium

A company is deploying a new wireless network for a small office. The network will consist of three access points. The IT manager wants the APs to automatically coordinate radio frequency settings and client roaming without a dedicated controller. Which technology should be implemented?

A.Mesh network
B.Controller-based wireless
C.Standalone APs
D.Cloud-managed access points
AnswerD

Cloud-managed APs use a cloud controller to handle RF optimization, coordination, and roaming without a local dedicated controller.

Why this answer

Cloud-managed access points (APs) are the correct choice because they can automatically coordinate radio frequency (RF) settings and client roaming without a dedicated on-premises controller. The cloud-based management platform handles channel selection, power adjustment, and fast roaming (e.g., 802.11r/k/v) by communicating with each AP over the internet, making it ideal for a small office with only three APs.

Exam trap

The trap here is that candidates often confuse 'cloud-managed' with 'standalone' APs, assuming that any AP without a local controller must be standalone, but cloud-managed APs use an external controller in the cloud to provide coordinated features.

How to eliminate wrong answers

Option A is wrong because a mesh network is designed for wireless backhaul between APs to extend coverage, not for automatic RF coordination or seamless client roaming without a controller. Option B is wrong because controller-based wireless requires a dedicated hardware or virtual controller on-premises to manage APs, which contradicts the requirement of no dedicated controller. Option C is wrong because standalone APs operate independently and cannot automatically coordinate RF settings or support seamless roaming between multiple APs without a central management system.

275
MCQmedium

A user reports intermittent connectivity issues. The technician notices that the link lights on both the PC and the switch are solid, but the user experiences periodic drops. The technician runs a cable test and finds that one pair of wires is open. Which standard is the cable likely violating?

A.TIA/EIA-568
B.IEEE 802.3
C.ISO 9001
D.RFC 1918
AnswerA

TIA/EIA-568 is the standard for commercial building telecommunications cabling; an open pair violates its requirements.

Why this answer

The TIA/EIA-568 standard specifies the wiring pinouts and performance requirements for twisted-pair cabling, including that all four pairs must be properly terminated and continuous. An open pair violates this standard because it breaks the required electrical continuity, leading to signal degradation and intermittent connectivity. The solid link lights indicate basic electrical connectivity on some pairs, but the open pair causes periodic drops when the network attempts to use that pair for data transmission.

Exam trap

The trap here is that candidates see 'link lights solid' and assume the cable is fully functional, but solid link lights only indicate that at least one pair (or the necessary pairs for the negotiated speed) is electrically connected, not that all pairs meet the TIA/EIA-568 standard for the expected speed.

How to eliminate wrong answers

Option B is wrong because IEEE 802.3 defines Ethernet physical layer and MAC protocols (e.g., 10BASE-T, 100BASE-TX), not cabling termination standards; an open pair would still be a cabling issue, not a violation of the Ethernet standard itself. Option C is wrong because ISO 9001 is a quality management system standard for processes and procedures, not a technical cabling specification; it does not address wire continuity or pinout requirements.

276
MCQhard

A security analyst is reviewing firewall logs and sees many incoming packets with a source IP address that matches the internal IP range of the company (10.0.0.0/8) arriving on the external interface. Which type of attack is likely being attempted?

A.Smurf attack
B.IP spoofing attack
C.SYN flood
D.DNS amplification
AnswerB

Correct. The attacker is spoofing the source IP address to appear as an internal host, trying to bypass firewall rules that may allow internal traffic without inspection.

Why this answer

The correct answer is B because packets arriving on the external interface with a source IP address from the internal 10.0.0.0/8 range indicate that the attacker is forging (spoofing) the source address to impersonate an internal host. This is a classic IP spoofing attack, often used to bypass access control lists or to launch further attacks that rely on trust relationships based on source IP.

Exam trap

CompTIA often tests the distinction between IP spoofing and other attacks by focusing on the specific packet characteristic (source IP matching internal range on an external interface) rather than the attack's goal or volume, leading candidates to confuse it with a Smurf or SYN flood attack.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests with a spoofed source IP of the victim, sent to a network's broadcast address, causing all hosts to reply to the victim; it does not specifically involve internal IP ranges arriving on the external interface. Option C is wrong because a SYN flood targets the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources; the source IP may be spoofed but the key indicator is a high volume of incomplete connections, not packets with internal source IPs on the external interface. Option D is wrong because a DNS amplification attack uses open DNS resolvers to send large responses to a spoofed victim IP, typically using UDP and small queries; the attack traffic is reflected from DNS servers, not characterized by internal source IPs on the external interface.

277
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.



Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

278
MCQmedium

A network administrator wants to prevent unauthorized devices from connecting to the network by limiting the number of MAC addresses allowed on a switch port. Which security feature should be configured?

A.802.1X
B.Port security
C.DHCP snooping
D.Dynamic ARP inspection
AnswerB

Port security restricts the number of MAC addresses allowed on a port, preventing unauthorized devices from connecting.

Why this answer

Port security is the correct feature because it directly restricts the number of unique MAC addresses that can be learned on a switch port, preventing unauthorized devices from connecting. When the configured limit is exceeded, the switch can take actions such as shutdown, restrict, or protect, effectively blocking the unauthorized device. This is a Layer 2 access control mechanism that operates on the switch port itself.

Exam trap

Cisco often tests the distinction between port security (MAC address limiting) and 802.1X (authentication), leading candidates to mistakenly choose 802.1X when the question explicitly asks about limiting the number of MAC addresses.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control protocol that authenticates devices via a RADIUS server, but it does not limit the number of MAC addresses on a port; it either grants or denies access based on credentials. Option C is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding table to prevent rogue DHCP servers, but it does not enforce a MAC address limit on a switch port.

279
MCQmedium

A network administrator configures VLAN 10 (Sales) and VLAN 20 (Engineering) on a switch. The switch is connected to a router via a trunk interface for inter-VLAN routing. Users in VLAN 10 can reach the router and external networks, but users in VLAN 20 cannot communicate outside their VLAN. The router's subinterface for VLAN 20 is configured correctly with an IP address and encapsulation dot1Q 20. What is the MOST likely cause of the issue?

A.The switchport mode for VLAN 20 is set to access
B.VLAN 20 is not allowed on the trunk
C.The router needs to be rebooted to apply the subinterface configuration
D.The native VLAN on the trunk is misconfigured
AnswerB

If VLAN 20 is pruned or not included in the allowed list on the trunk, frames from VLAN 20 cannot reach the router.

Why this answer

The router's subinterface for VLAN 20 is correctly configured, so the issue lies on the switch side. If VLAN 20 is not explicitly allowed on the trunk interface connecting the switch to the router, frames from VLAN 20 will be dropped by the switch, preventing inter-VLAN routing. The default trunk allowed VLAN list often includes only VLAN 1, so VLAN 20 must be added with the 'switchport trunk allowed vlan add 20' command.

Exam trap

CompTIA often tests the distinction between the router subinterface being correctly configured and the switch trunk not permitting the VLAN, leading candidates to incorrectly suspect the router or native VLAN settings.

How to eliminate wrong answers

Option A is wrong because if the switchport mode for VLAN 20 were set to access, the port would be an access port in VLAN 20, which would still allow communication within VLAN 20 but would not affect trunking to the router; the issue is about inter-VLAN routing across the trunk. Option C is wrong because rebooting the router is unnecessary; subinterface configurations take effect immediately after being applied and do not require a reboot. Option D is wrong because the native VLAN misconfiguration would affect untagged traffic on the trunk, but the problem is specific to VLAN 20's tagged traffic not being allowed, not the native VLAN.

280
MCQmedium

A network engineer is configuring IPv6 on a router interface. Which of the following is a valid global unicast IPv6 address?

A.fe80::1
B.2001:db8::1
C.ff02::1
D.::1
AnswerB

2001:db8::/32 is reserved for documentation and examples, but it is within the global unicast range (2000::/3) and is a valid global unicast address.

Why this answer

2001:db8::1 is a valid global unicast IPv6 address because it falls within the 2000::/3 range defined by RFC 4291 for global unicast addresses. The address is routable on the public internet, making it suitable for global communication.

Exam trap

The trap here is that candidates often confuse link-local addresses (fe80::/10) with global unicast addresses, or they mistakenly think multicast addresses (ff00::/8) are unicast, because all three start with 'f' but have different scopes and purposes.

How to eliminate wrong answers

Option A is wrong because fe80::1 is a link-local unicast address (fe80::/10), which is only valid on a single link and cannot be routed. Option C is wrong because ff02::1 is a multicast address (ff00::/8), specifically the all-nodes link-local multicast group, and is not a unicast address.

281
MCQhard

A network engineer has established an IPsec VPN tunnel between a branch office (10.0.0.0/24) and the main office (192.168.10.0/24). The tunnel shows as up and active, but users at the branch office cannot ping the main office server at 192.168.10.10. The main office can ping the branch office gateway successfully. What is the most likely cause of this issue?

A.Mismatched encryption algorithms between the two VPN peers
B.Incorrect static route on the branch router for the 192.168.10.0/24 network
C.Firewall on the main office server blocking ICMP
D.Incorrect IKE authentication settings
AnswerB

A route pointing to the tunnel interface or the remote VPN peer is necessary for traffic from the branch to reach the main office LAN.

Why this answer

The tunnel is up and active, and the main office can ping the branch office gateway, which confirms that Phase 1 and Phase 2 of IPsec are correctly negotiated and that the tunnel is passing traffic from the main office toward the branch. However, branch users cannot reach 192.168.10.10, indicating that return traffic from the branch is not being routed into the tunnel. The most likely cause is that the branch router lacks a static route for 192.168.10.0/24 pointing to the tunnel interface (or the IPsec virtual interface), so packets from the branch destined for the main office are sent out the wrong interface or dropped instead of being encrypted and forwarded through the VPN.

Exam trap

Cisco often tests the distinction between a tunnel being 'up' (IPsec SAs established) and traffic actually flowing correctly, leading candidates to incorrectly assume that a working tunnel guarantees bidirectional reachability without verifying routing or crypto ACLs.

How to eliminate wrong answers

Option A is wrong because mismatched encryption algorithms would prevent the IPsec tunnel from establishing or staying up; the tunnel is reported as up and active, so Phase 2 parameters (including encryption algorithms) must match. Option C is wrong because the main office can ping the branch office gateway successfully, which proves that ICMP traffic is not being blocked by a firewall on the main office server; the issue is one-way reachability from the branch, not a blanket ICMP block.

282
MCQmedium

An OSPF network uses a multi-access segment with four routers. All router interfaces have the default OSPF priority of 1. Which router becomes the Designated Router (DR)?

A.The router with the highest router ID
B.The router with the lowest IP address on the segment
C.The router with the highest bandwidth on the connecting interface
D.The router with the oldest uptime
AnswerA

Correct. When priorities are equal, the highest router ID determines the DR.

Why this answer

In an OSPF multi-access network, the Designated Router (DR) is elected based on the highest OSPF priority value, with a tie-breaking mechanism using the highest Router ID. Since all routers have the default priority of 1, the router with the highest Router ID wins the DR election. This ensures a stable topology for reducing LSA flooding and adjacency overhead.

Exam trap

The trap here is that candidates often confuse the DR election tie-breaker with the OSPF route selection metric (cost/bandwidth) or assume the lowest IP address is used, but the actual tie-breaker is the highest Router ID after priority.

How to eliminate wrong answers

Option B is wrong because the DR election does not consider the IP address on the segment; the tie-breaker after priority is the highest Router ID, not the lowest IP address. Option C is wrong because interface bandwidth is irrelevant to OSPF DR election; OSPF uses priority and Router ID, not bandwidth or cost, for this election.

283
MCQmedium

A network monitoring system alerts that a specific router interface has been flapping (repeatedly going up and down) for the past hour. Which of the following is the MOST likely cause of this behavior?

A.Faulty transceiver
B.High CPU utilization on the router
C.Incorrect SNMP community string
D.Routing protocol misconfiguration
AnswerA

A faulty SFP or GBIC can cause the interface to lose link sporadically, resulting in flapping.

Why this answer

A faulty transceiver is the most likely cause of interface flapping because physical-layer issues, such as a failing SFP or GBIC, can cause intermittent loss of signal or link synchronization. The router's interface detects the loss of carrier and brings the link down, then re-establishes it when the signal returns, creating a repeated up/down cycle. This is a common hardware failure mode distinct from software or configuration problems.

Exam trap

The trap here is that candidates confuse 'route flapping' (caused by routing protocol issues) with 'interface flapping' (a physical-layer problem), leading them to incorrectly select routing protocol misconfiguration.

How to eliminate wrong answers

Option B is wrong because high CPU utilization on the router can cause slow processing but does not directly cause the physical link state to toggle; it may lead to control-plane issues like dropped routing updates but not interface flapping. Option C is wrong because an incorrect SNMP community string would prevent the monitoring system from polling or receiving traps, but it would not cause the interface itself to go up and down. Option D is wrong because a routing protocol misconfiguration can cause route flapping (routes being advertised and withdrawn) but does not cause the physical interface state to change; the interface remains up while the routing table fluctuates.

284
MCQmedium

A user reports that they can connect to the corporate Wi-Fi network but cannot access any network resources including the intranet and internet. The IP configuration shows an IP address of 169.254.25.100 with a subnet mask of 255.255.0.0. What is the most likely cause?

A.The DNS server is not responding
B.The DHCP server is unavailable or the request is not reaching it
C.The subnet mask is incorrect
D.The switch port has port security enabled that has blocked the device
AnswerB

APIPA occurs when DHCP fails. Possible causes include DHCP server down, a misconfigured DHCP relay, or a VLAN mismatch preventing DHCP broadcast from reaching the server.

Why this answer

The IP address 169.254.25.100 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which is assigned by the operating system when a DHCP server is unavailable or the DHCP request fails. Since the user can connect to Wi-Fi but cannot access any network resources, the most likely cause is that the DHCP server is not responding or the DHCP discover/offer/request/ack sequence is failing, leaving the device with a link-local address that cannot route to the corporate network or internet.

Exam trap

The trap here is that candidates often confuse APIPA with a DNS failure, but the 169.254.x.x address is a definitive indicator of DHCP failure, not a name resolution problem.

How to eliminate wrong answers

Option A is wrong because a non-responsive DNS server would still allow the device to obtain a valid DHCP lease and IP address; the symptom of an APIPA address indicates a DHCP failure, not a DNS issue. Option C is wrong because the subnet mask of 255.255.0.0 is correct for an APIPA address (169.254.0.0/16 per RFC 3927), and an incorrect subnet mask would not cause the device to fall back to a 169.254.x.x address. Option D is wrong because port security on a switch port would block the device entirely at Layer 2, preventing any connectivity including Wi-Fi association; the user can connect to Wi-Fi, so the issue is at Layer 3 (IP addressing), not Layer 2 access control.

285
MCQmedium

A network administrator needs to schedule a firmware upgrade on a core switch during the next maintenance window. According to best practices, which document should the administrator create and have approved before making the change?

A.A network diagram showing the current topology.
B.An incident report detailing previous firmware issues.
C.A change request form with a rollback plan and approval signatures.
D.A baseline performance report from the current firmware version.
AnswerC

A change request is the standard document used in change management. It includes the scope, risk assessment, implementation steps, rollback plan, and requires approval from the change board.

Why this answer

Option C is correct because a change request form with a rollback plan and approval signatures ensures that the firmware upgrade follows the ITIL change management process, which is a best practice for network operations. This document provides a structured approach to assess risks, obtain authorization, and define steps to revert the switch to its previous state if the upgrade fails, minimizing downtime and impact on the network.

Exam trap

The trap here is that candidates confuse operational documents (like diagrams or incident reports) with the formal change management documentation required by ITIL, leading them to overlook the need for a change request with a rollback plan and approval signatures.

How to eliminate wrong answers

Option A is wrong because a network diagram showing the current topology is a reference document for understanding the network layout, but it does not serve as a formal authorization or risk mitigation plan for a change. Option B is wrong because an incident report detailing previous firmware issues is a historical record for troubleshooting, not a forward-looking document that outlines the change procedure, rollback steps, or obtains approval for a scheduled upgrade.

286
MCQmedium

A company hosts a web server in a DMZ. The firewall has three interfaces: inside (corporate network), outside (Internet), and DMZ. Which firewall rule is necessary to allow external users to access the web server?

A.Allow traffic from the outside interface to the DMZ interface on port 80
B.Allow traffic from the inside interface to the DMZ interface on port 80
C.Allow traffic from the outside interface to the inside interface on port 80
D.Deny all traffic by default and create no specific rules
AnswerA

This rule permits external traffic to reach the web server in the DMZ while keeping the internal network isolated.

Why this answer

Option A is correct because external users on the Internet (outside interface) need to reach the web server located in the DMZ. The firewall must permit inbound traffic from the outside zone to the DMZ zone on TCP port 80 (HTTP) to allow web requests while keeping the corporate network (inside) isolated from direct external access.

Exam trap

The trap here is that candidates mistakenly choose Option B or C, confusing the direction of traffic or thinking that external users need access to the inside network, when the correct security design is to restrict external traffic only to the DMZ.

How to eliminate wrong answers

Option B is wrong because it allows traffic from the inside (corporate network) to the DMZ, which is not required for external user access; this rule would be for internal users, not Internet users. Option C is wrong because it allows traffic from the outside directly to the inside interface, bypassing the DMZ entirely and exposing the corporate network to external threats, which violates the security principle of placing the web server in a DMZ.

287
MCQmedium

A security analyst is configuring a firewall to allow HTTPS traffic from the internet to an internal web server with a private IP address. The firewall must translate the destination IP address of incoming packets to the private server IP. Which type of NAT should be configured?

A.Source NAT (SNAT)
B.Destination NAT (DNAT)
C.Static NAT
D.Port Address Translation (PAT)
AnswerB

DNAT modifies the destination IP address of incoming packets, allowing them to be forwarded to an internal server.

Why this answer

Destination NAT (DNAT) is used to translate the destination IP address of incoming packets from a public IP to a private IP, allowing external HTTPS traffic to reach an internal web server. This is exactly what the scenario requires: the firewall must rewrite the destination address of packets arriving from the internet to the private server IP. DNAT is commonly implemented using the 'ip nat inside source static' command in Cisco IOS, where the 'inside' keyword refers to the translation of destination addresses for inbound traffic.

Exam trap

CompTIA often tests the distinction between SNAT and DNAT by describing a scenario where traffic comes from the internet to an internal server, and candidates mistakenly choose SNAT because they think 'source' refers to the packet's origin (the internet), when in fact SNAT always translates the source address of outbound traffic, not the destination of inbound traffic.

How to eliminate wrong answers

Option A is wrong because Source NAT (SNAT) translates the source IP address of outbound packets, not the destination IP of inbound packets; it is used to allow internal hosts to access the internet using a public IP. Option C is wrong because Static NAT provides a one-to-one mapping between a public and a private IP address but does not by itself specify whether the source or the destination address is translated; the scenario specifically requires destination translation, which is DNAT, not just any static mapping. Option D is wrong because Port Address Translation (PAT) also translates port numbers so that multiple internal hosts can share a single public IP; it is typically used for outbound source translation (overloading) or for inbound port forwarding, but the question explicitly asks for the type of NAT that translates the destination IP of incoming packets, which is DNAT, not PAT.

288
MCQmedium

A user reports that they can access the company's intranet but not the internet. The technician checks the IP configuration and finds that the default gateway is set to 192.168.1.1, and the user can ping that IP. Which of the following is the most likely cause?

A.The DNS server address is incorrect.
B.The router's NAT configuration is faulty.
C.The DHCP server is not providing a default gateway.
D.The user's workstation has a static IP address.
AnswerB

NAT translates private IPs to public IPs. If it is misconfigured, internal hosts can reach the gateway but not the internet.

Why this answer

Since the user can ping the default gateway (192.168.1.1) and access the intranet, Layer 3 connectivity to the local router is functional. The inability to reach the internet, despite having a valid gateway, points to a failure in the router's NAT (Network Address Translation) configuration. NAT is required to translate private RFC 1918 addresses (like 192.168.1.x) to a public IP for internet access; without it, packets are routed to the gateway but cannot be forwarded beyond the local network.

Exam trap

The trap here is that candidates often assume internet access failure is always a DNS or gateway issue, but the ability to ping the gateway and access local resources isolates the problem to the router's NAT translation, not the workstation's IP configuration.

How to eliminate wrong answers

Option A is wrong because an incorrect DNS server address would prevent name resolution (e.g., browsing by domain name), but the user cannot access the internet at all, even by IP address; the problem is routing/NAT, not DNS. Option C is wrong because the user already has a default gateway of 192.168.1.1 and can ping it, proving the DHCP server (or static assignment) successfully provided a gateway. Option D is wrong because having a static IP address does not inherently prevent internet access; the issue is that the router is not performing NAT, regardless of whether the IP is static or DHCP-assigned.

289
MCQmedium

A network administrator wants to configure routers to send syslog messages only for events of severity 'error' (3) or higher (more severe). Which severity level should be set as the trap level?

A.0 (emergencies)
B.3 (errors)
C.2 (critical)
D.4 (warnings)
AnswerB

Correct. Setting the trap level to 3 ensures that all messages with severity 0, 1, 2, and 3 are logged. This matches the requirement of errors and higher severity.

Why this answer

Option B is correct because setting the trap level to 3 (errors) instructs the router to send syslog messages for severity 3 and all numerically lower (more severe) levels (0, 1, 2, 3). This matches the requirement to capture events of severity 'error' (3) or higher severity.

Exam trap

The trap here is that candidates often mistakenly think the trap level filters only that exact severity, when in fact it includes that level and all numerically lower (more severe) levels, leading them to choose a lower number like 2 or 0 instead of the correct 3.

How to eliminate wrong answers

Option A is wrong because setting the trap level to 0 (emergencies) would only send messages for severity 0, missing all events at severity 1, 2, and 3, including the required 'error' events. Option C is wrong because setting the trap level to 2 (critical) would send messages for severities 0, 1, and 2, but would exclude severity 3 (errors), which the administrator explicitly wants to include.

290
MCQmedium

A network administrator needs to connect two switches that are 80 meters apart using UTP cabling and achieve 1 Gbps speed. The administrator has Cat5e and Cat6 cables available. Which standard should be used?

A.1000BASE-T
B.1000BASE-LX
C.10GBASE-T
D.100BASE-TX
AnswerA

1000BASE-T supports 1 Gbps over UTP up to 100 meters, suitable for this distance.

Why this answer

1000BASE-T (IEEE 802.3ab) is the correct standard because it supports 1 Gbps over Cat5e or Cat6 UTP cabling at distances up to 100 meters. With 80 meters between switches, both cable types are well within the 100-meter reach, and 1000BASE-T is designed specifically for twisted-pair copper at this speed.

Exam trap

The trap here is that candidates may choose 10GBASE-T because they see Cat6 available, forgetting that Cat6 only supports 10GBASE-T up to 55 meters and Cat5e not at all, while 1000BASE-T is the correct match for 1 Gbps over UTP at 80 meters.

How to eliminate wrong answers

Option B (1000BASE-LX) is wrong because it uses single-mode or multimode fiber optic cabling, not UTP, and requires a fiber transceiver. Option C (10GBASE-T) is wrong because it requires Cat6a or Cat7 cabling for 10 Gbps over 80 meters; Cat5e cannot support 10GBASE-T at any distance, and Cat6 is limited to 55 meters for 10GBASE-T. Option D (100BASE-TX) is wrong because it only supports 100 Mbps, not the required 1 Gbps, even though it works over Cat5e/Cat6 UTP.

291
MCQeasy

A network administrator is documenting the network topology. Which of the following tools is best suited for creating a diagram that shows the logical connections between network devices?

A.Microsoft Excel
B.Microsoft Visio
C.SNMP
D.Notepad
AnswerB

Visio is a professional diagramming application commonly used to create detailed network topology diagrams, including logical and physical layouts.

Why this answer

Microsoft Visio is the correct tool because it is specifically designed for creating professional network topology diagrams, including logical connections between devices. Unlike general-purpose tools, Visio provides network-specific shapes, templates, and layering capabilities that accurately represent logical relationships such as VLANs, subnets, and routing paths.

Exam trap

The trap here is that candidates confuse SNMP (a monitoring protocol) with a diagramming tool, assuming it can generate topology maps automatically, but SNMP only provides raw data and requires a separate tool like Visio for logical visualization.

How to eliminate wrong answers

Option A is wrong because Microsoft Excel is a spreadsheet application used for data analysis and tabular organization, not for creating network topology diagrams; it lacks network-specific shapes and connection logic. Option C is wrong because SNMP (Simple Network Management Protocol) is a network management protocol used for monitoring and collecting device metrics, not for diagramming logical connections. Option D is wrong because Notepad is a plain text editor with no graphical or diagramming capabilities, making it unsuitable for any visual topology representation.

292
MCQmedium

A company has deployed a WPA2-Enterprise wireless network. Users report that they cannot authenticate. The RADIUS server logs show that authentication attempts are received but no responses are sent back to the wireless controller. The wireless controller and RADIUS server are on different subnets, separated by a firewall. Which of the following is the MOST likely cause?

A.The wireless clients do not support the correct EAP method.
B.The firewall is blocking RADIUS traffic on UDP ports 1812 and 1813.
C.The RADIUS server is not in the same broadcast domain as the wireless controller.
D.The SSID is not being broadcast.
AnswerB

RADIUS uses specific UDP ports. If these are blocked, the RADIUS server cannot send back authentication responses, causing authentication to time out.

Why this answer

The RADIUS server logs show authentication attempts are received but no responses are sent back, indicating the request reached the server but the reply is being dropped. Since the wireless controller and RADIUS server are on different subnets separated by a firewall, the most likely cause is that the firewall is blocking the return RADIUS traffic. RADIUS uses UDP ports 1812 for authentication and 1813 for accounting, and these must be open in both directions for successful communication.

Exam trap

The trap here is that candidates often assume the issue is with client configuration (EAP method) or Layer 2 connectivity (broadcast domain), when the symptom of 'requests received but no responses sent' points directly to a firewall blocking the return path, a classic network-layer troubleshooting scenario.

How to eliminate wrong answers

Option A is wrong because if the wireless clients did not support the correct EAP method, the RADIUS server would typically send a rejection or challenge response, not simply fail to send any response at all; the server logs show requests are received, so the issue is at the network layer, not the client configuration. Option C is wrong because RADIUS operates at the application layer and does not require the server and controller to be in the same broadcast domain; they can communicate across subnets via routed paths, and the firewall is the specific point of failure indicated by the symptom of no responses being sent back.

293
MCQeasy

At which layer of the OSI model does the conversion of data frames into electrical signals for transmission occur?

A.Layer 1 (Physical)
B.Layer 2 (Data Link)
C.Layer 3 (Network)
D.Layer 4 (Transport)
AnswerA

The Physical layer defines the electrical, mechanical, and procedural characteristics for transmitting bits over a medium.

Why this answer

Layer 1 (Physical) is responsible for the actual transmission of raw bits over a physical medium. This includes converting data frames received from Layer 2 into electrical signals (e.g., voltage levels on copper), light pulses (fiber optic), or radio waves (wireless). The Physical layer defines the hardware specifications, such as connectors, cable types, and signaling methods like Manchester encoding or NRZ.

Exam trap

The trap here is that candidates often confuse the Data Link layer's role in 'framing' with the actual physical transmission, leading them to select Layer 2 when the question specifically asks about conversion to electrical signals.

How to eliminate wrong answers

Option B (Layer 2, Data Link) is wrong because the Data Link layer handles framing, MAC addressing, and error detection (e.g., CRC), but it does not perform the conversion of frames into electrical signals; it passes frames down to the Physical layer for that conversion. Option C (Layer 3, Network) is wrong because the Network layer is responsible for logical addressing (e.g., IP addresses) and routing decisions, not for the physical transmission of bits or signal generation.

294
MCQmedium

A network administrator needs to identify which devices are generating the most traffic on a WAN link. The administrator requires detailed flow data including source and destination IP addresses, ports, and protocols. Which technology should be deployed?

A.SNMP polling
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow records contain flow attributes like IP addresses, ports, and protocol, ideal for traffic analysis.

Why this answer

NetFlow is the correct technology because it provides detailed flow-level data, including source and destination IP addresses, ports, and protocols, which is exactly what the administrator needs to identify which devices are generating the most traffic on a WAN link. Unlike SNMP or Syslog, NetFlow exports metadata about network flows, allowing for granular traffic analysis and bandwidth usage per conversation.

Exam trap

The trap here is that candidates often confuse SNMP's interface utilization data with the detailed per-flow information that only NetFlow provides, leading them to choose SNMP polling when the question explicitly asks for source/destination IPs, ports, and protocols.

How to eliminate wrong answers

Option A is wrong because SNMP polling retrieves aggregate interface statistics (e.g., bytes in/out, packet counts) but does not provide per-flow details like source/destination IPs, ports, or protocols. Option C is wrong because Syslog is used for logging system events and error messages, not for capturing network traffic flow data or bandwidth usage per conversation.

295
MCQmedium

A network administrator needs to analyze bandwidth utilization and application traffic patterns on a WAN link. The administrator requires detailed flow-level data, including source/destination IP addresses, ports, and protocol. Which technology should be deployed?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow exports flow records containing detailed information about each network conversation, ideal for traffic analysis.

Why this answer

NetFlow is the correct choice because it provides detailed flow-level data, including source/destination IP addresses, ports, and protocol information, which is essential for analyzing bandwidth utilization and application traffic patterns on a WAN link. Unlike simpler monitoring tools, NetFlow captures metadata about each network flow, allowing administrators to identify which applications and hosts are consuming bandwidth.

Exam trap

CompTIA often tests the distinction between SNMP and NetFlow, where candidates mistakenly choose SNMP because they think it provides detailed traffic analysis, but SNMP only gives aggregate interface counters, not per-flow data.

How to eliminate wrong answers

Option A (SNMP) is wrong because it provides aggregate interface statistics (e.g., bandwidth utilization, packet counts) but lacks the granular flow-level details such as source/destination IP addresses, ports, and protocols. Option C (Syslog) is wrong because it is used for logging system events and error messages, not for capturing network traffic flow data or bandwidth utilization patterns. Option D (ICMP) is wrong because it is a diagnostic protocol used for error reporting and connectivity testing (e.g., ping, traceroute) and does not provide any flow-level or application-layer traffic analysis.

296
MCQeasy

A network administrator wants to prevent unauthorized DHCP servers from offering IP addresses to clients on a switch. Which security feature should be enabled?

A.BPDU guard
B.DHCP snooping
C.Dynamic ARP inspection
D.Port security
AnswerB

DHCP snooping inspects DHCP traffic and allows only authorized DHCP servers on trusted ports, blocking any DHCP offers from untrusted ports.

Why this answer

DHCP snooping is the correct answer because it is a security feature specifically designed to filter untrusted DHCP messages on a switch. By configuring trusted and untrusted ports, DHCP snooping drops DHCP server responses (OFFER, ACK) received on untrusted ports, effectively preventing rogue DHCP servers from assigning IP addresses to clients.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection, but DAI only validates ARP traffic, not DHCP offers, while BPDU guard is an STP mechanism unrelated to DHCP security.

How to eliminate wrong answers

Option A is wrong because BPDU guard is a Spanning Tree Protocol (STP) feature that disables a port upon receiving a Bridge Protocol Data Unit (BPDU), preventing bridge loops; it does not inspect or filter DHCP messages. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets by checking them against the DHCP snooping binding table to prevent ARP spoofing, but it does not block unauthorized DHCP server offers.

297
MCQmedium

A network administrator wants to prevent unauthorized devices from connecting to the company's Ethernet ports. The company uses a centralized authentication server. Which IEEE standard should be implemented?

A.802.1X
B.802.11i
C.802.3af
D.802.1Q
AnswerA

IEEE 802.1X provides authentication for devices connecting to a LAN port. It uses EAP exchanges between the supplicant (device), authenticator (switch), and authentication server (RADIUS) to permit or deny access.

Why this answer

802.1X is the IEEE standard for port-based Network Access Control (NAC) that authenticates devices before granting access to an Ethernet port. It uses a centralized authentication server (typically RADIUS) to verify credentials, preventing unauthorized devices from connecting to the network. This directly matches the requirement of controlling access at the port level with a centralized server.

Exam trap

The trap here is that candidates confuse 802.1X with wireless security standards like 802.11i, because both involve authentication, but 802.1X is specifically for wired port-based access control.

How to eliminate wrong answers

Option B is wrong because 802.11i (the basis of WPA2) is a wireless security amendment that defines encryption and key management for Wi-Fi; it does not control access to wired Ethernet ports, and its enterprise mode itself relies on 802.1X for authentication. Option C is wrong because 802.3af is the Power over Ethernet (PoE) standard that delivers power over Ethernet cabling and has no authentication or access control function. Option D is wrong because 802.1Q defines VLAN tagging on trunk links; it separates traffic into VLANs but does not authenticate the device plugging into a port.
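The supplicant/authenticator/authentication-server split described above, reduced to the part that lives on the switch: the state of one 802.1X controlled port. This is an added model written for this page, not vendor code; the user database, port name, MAC addresses and the RADIUS stand-in function are constructed, and the real switch would carry the EAP conversation to the server inside RADIUS Access-Request/Access-Challenge packets rather than calling a function.

```python
EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic an unauthorized port accepts
IPV4_ETHERTYPE = 0x0800


def fake_radius(identity: str, credential: str) -> dict:
    """Constructed stand-in for the authentication server. Returns what a RADIUS
    Access-Accept/Access-Reject would carry, with an optional VLAN assignment
    (Tunnel-Private-Group-ID) for the accepted user."""
    users = {"alice": ("correct horse", 20), "printer-7": ("s3cret", 30)}
    if identity in users and users[identity][0] == credential:
        return {"code": "Access-Accept", "vlan": users[identity][1]}
    return {"code": "Access-Reject"}


class PortAuthenticator:
    """802.1X authenticator state for one access port in single-host mode."""

    def __init__(self, name: str, radius=fake_radius):
        self.name = name
        self.radius = radius
        self._close()

    def _close(self) -> None:
        self.state = "unauthorized"   # controlled port closed
        self.supplicant_mac = None
        self.vlan = None

    def admit(self, ethertype: int, src_mac: str) -> bool:
        """Uncontrolled port: EAPOL always passes. Controlled port: everything
        else passes only once authorized, and only from the MAC that
        authenticated (a second device sharing the port via a hub is dropped)."""
        if ethertype == EAPOL_ETHERTYPE:
            return True
        return self.state == "authorized" and src_mac == self.supplicant_mac

    def authenticate(self, src_mac: str, identity: str, credential: str) -> str:
        """EAPOL-Start -> EAP-Request/Identity -> EAP-Response/Identity, relayed
        to the server; the server's verdict opens or keeps closed the port."""
        reply = self.radius(identity, credential)
        if reply["code"] == "Access-Accept":
            self.state = "authorized"
            self.supplicant_mac = src_mac
            self.vlan = reply.get("vlan")   # dynamic VLAN from the server, if any
        else:
            self._close()
        return self.state

    def link_down(self) -> None:
        """A link flap (cable swap) discards the session; the next device must
        authenticate from scratch."""
        self._close()


def run_demo() -> dict:
    port = PortAuthenticator("Gi0/5")
    laptop, rogue = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    r = {}
    r["ip_before_auth"] = port.admit(IPV4_ETHERTYPE, laptop)      # blocked
    r["eapol_before_auth"] = port.admit(EAPOL_ETHERTYPE, laptop)  # allowed
    r["bad_password"] = port.authenticate(laptop, "alice", "wrong")
    r["good_password"] = port.authenticate(laptop, "alice", "correct horse")
    r["vlan"] = port.vlan
    r["ip_after_auth"] = port.admit(IPV4_ETHERTYPE, laptop)
    r["piggyback"] = port.admit(IPV4_ETHERTYPE, rogue)            # hub behind the port
    port.link_down()
    r["after_link_down"] = port.admit(IPV4_ETHERTYPE, laptop)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The single-host behaviour in `admit` is the part worth noticing: once a port is authorized, a switch in single-host mode still ties the open port to the MAC that authenticated, so a second device plugged in through an unmanaged hub does not ride on the first device's session.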

298
MCQmedium

A company wants to protect its internal network by placing web servers that need to be accessible from the internet in a separate network segment. Which security architecture best describes this setup?

A.Intranet
B.VPN
C.DMZ
D.Extranet
AnswerC

A DMZ provides a buffer zone where public-facing servers are placed, allowing controlled access from the internet while keeping the internal network protected.

Why this answer

A DMZ (demilitarized zone) is a network segment that sits between the internal trusted network and the external untrusted internet. By placing web servers in the DMZ, the company ensures that external users can access the servers without directly exposing the internal network, as traffic must pass through a firewall that enforces strict access control policies. This architecture is specifically designed to isolate public-facing services from internal assets, reducing the attack surface.

Exam trap

The trap here is that candidates confuse a DMZ with a VPN, thinking that a VPN provides the same isolation for public servers, when in fact a VPN is designed for secure remote access to internal resources, not for hosting services accessible to the general internet.

How to eliminate wrong answers

Option A is wrong because an intranet is a private, internal network that is not directly accessible from the internet; it is used for internal communication and resources, not for hosting publicly accessible web servers. Option B is wrong because a VPN (Virtual Private Network) creates an encrypted tunnel for remote users to securely access the internal network, but it does not provide a separate network segment for public-facing servers; it is a connectivity method, not a security architecture for isolating internet-accessible services. Option D is wrong because an extranet is a portion of the network opened to specific outside partners, usually over VPN or authenticated links, not a segment for servers reachable by the general public.
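The "traffic must pass through a firewall that enforces strict access control" part of the DMZ explanation above, as an added example in Python: a small first-match, default-deny zone policy evaluator with the restrictive policy next to the weak variant that lets a compromised web server pivot inward. This is illustrative code written for this page, not a firewall product's rule syntax; the zones, prefixes, hosts and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: the DMZ uses a documentation prefix, the internal
# network is RFC 1918 space, and any other address is treated as "internet".
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Three-zone policy: the internet may reach only the web tier, and the web tier
# may reach only the single internal service it needs.
POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("dmz", "internal", "tcp", 5432, "allow"),    # web -> database only
    Rule("internal", "dmz", "tcp", 22, "allow"),      # admins manage the servers
    Rule("internal", "internet", "any", None, "allow"),
]

# The weak variant: "the DMZ is ours, let it talk to the inside".
WEAK_POLICY = POLICY[:2] + [Rule("dmz", "internal", "any", None, "allow")] + POLICY[3:]


def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (src, dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def run_demo() -> dict:
    web, db, client = "203.0.113.10", "10.0.5.20", "198.51.100.7"
    return {
        "public_to_web_https": evaluate(POLICY, client, web, "tcp", 443),
        "public_to_internal": evaluate(POLICY, client, db, "tcp", 443),
        "public_to_web_ssh": evaluate(POLICY, client, web, "tcp", 22),
        "web_to_db": evaluate(POLICY, web, db, "tcp", 5432),
        "compromised_web_to_smb": evaluate(POLICY, web, db, "tcp", 445),
        "weak_policy_smb": evaluate(WEAK_POLICY, web, db, "tcp", 445),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The last two results are the point of the DMZ: the segment only reduces attack surface if the DMZ-to-internal direction is restricted as tightly as internet-to-internal. With the weak rule in place, a web server compromise turns into SMB access to the internal network.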

299
MCQmedium

After replacing a faulty switch, several users in the same VLAN report that they cannot communicate with the server that is on a different subnet. The switch is connected to the router via a trunk port. Which command should the administrator run on the router to verify that the VLAN is allowed on the trunk?

A.show vlan
B.show interfaces trunk
C.show mac address-table
D.show ip route
AnswerB

`show interfaces trunk` lists each trunk interface with its mode, encapsulation, status, native VLAN and the list of VLANs allowed on the trunk. If the required VLAN is not in the allowed list, frames for that VLAN are never forwarded across the trunk.

Why this answer

The `show interfaces trunk` command displays which VLANs are allowed on each trunk port, so it directly answers whether the affected users' VLAN is permitted on the link to the router. If the VLAN is missing from the allowed list (a common outcome when a replacement switch comes up with a default or hand-typed trunk configuration), the users' frames never leave the switch on that trunk, so they cannot reach the router's interface for their subnet and inter-VLAN routing to the server fails. In practice the command is run on the IOS switch end of the trunk; on a router-on-a-stick the matching check is that a subinterface with `encapsulation dot1q <vlan-id>` exists for that VLAN.

Exam trap

The trap here is that candidates confuse `show vlan` (which shows local switch VLANs) with `show interfaces trunk` (which shows VLAN filtering on the trunk), leading them to pick A when the real issue is trunk permission, not VLAN existence.

How to eliminate wrong answers

Option A is wrong because `show vlan` displays VLAN membership and port assignments on the switch, not trunk VLAN filtering; it cannot show which VLANs are allowed on a trunk link, although on a freshly replaced switch it is a sensible follow-up check that the VLAN exists at all. Option C is wrong because `show mac address-table` shows MAC-to-port mappings on the switch, which is irrelevant to verifying VLAN permission on a trunk between the switch and router. Option D is wrong because `show ip route` shows the Layer 3 routing table; a VLAN filtered from a trunk is a Layer 2 problem that the routing table does not reveal.

300
MCQmedium

A switch port is configured as a trunk with native VLAN 99. When a frame tagged with VLAN 99 is received on the trunk, the switch displays an error. What is the most likely issue?

A.The trunk is using 802.1Q encapsulation and the remote switch expects ISL
B.The remote switch is sending frames on VLAN 99 as untagged
C.The remote switch is tagging frames on the native VLAN
D.The allowed VLAN list does not include VLAN 99
AnswerC

When a trunk is configured with native VLAN 99, frames for that VLAN are sent untagged. If the remote switch sends them tagged, the receiving switch logs a native VLAN mismatch and may drop the frames, because it expects untagged frames for the native VLAN.

Why this answer

The native VLAN is the VLAN that carries untagged traffic on an 802.1Q trunk. By design, frames belonging to the native VLAN are sent untagged, while every other VLAN is tagged. When a switch receives a frame tagged with its own native VLAN ID (VLAN 99), the two ends of the trunk disagree about the native VLAN: the remote switch treats VLAN 99 as an ordinary tagged VLAN and uses some other VLAN as its native VLAN.

The switch logs the error because it expects native VLAN frames to arrive untagged. A native VLAN mismatch is a security problem as well as an operational one: untagged frames sent from one side land in a different VLAN on the other, which is the basis of VLAN-hopping attacks. Tagging the native VLAN is not wrong in itself; Cisco switches can be configured to tag it deliberately (`vlan dot1q tag native`) as a defense against double-tagging, but then both ends of the trunk must be configured the same way.

Exam trap

The exam often tests the misconception that native VLAN frames are always tagged, when in fact they remain untagged on an 802.1Q trunk unless both ends are explicitly configured to tag them, and the error occurs because only the remote switch is tagging them.

How to eliminate wrong answers

Option A is wrong because 802.1Q is the standard trunk encapsulation and the only one modern switches support; ISL is a legacy Cisco-proprietary protocol that is not used in current networks, and an encapsulation mismatch would cause the trunk to fail entirely, not just produce an error on native VLAN frames. Option B is wrong because if the remote switch were sending frames on VLAN 99 untagged, the local switch would accept them normally as native VLAN traffic without generating an error; the error occurs precisely because the frames are tagged when they should be untagged. Option D is wrong because if VLAN 99 were missing from the allowed list, its frames would simply be filtered regardless of tagging, and the default allowed list (all VLANs) includes the native VLAN; the symptom points specifically at tagging of the native VLAN.
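The two trunk checks from the questions above, allowed-VLAN membership (question 299) and native VLAN agreement between the two ends (question 300), as one added example in Python that parses `show interfaces trunk` output. The parser is written for this page, not vendor tooling; the two outputs are constructed to match the exam scenarios, with SW2 standing in for the replacement switch whose trunk was configured with a different native VLAN and without VLAN 10.

```python
# Constructed `show interfaces trunk` output for both ends of one trunk (Gi0/1).
SW1 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-5,10,20,99

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,99
"""

SW2 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-5,20,99

Port        Vlans allowed and active in management domain
Gi0/1       1,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,20,99
"""


def expand_vlans(spec: str) -> set:
    """Turn the IOS list syntax ('1-5,10,20', 'none', 'all') into a set of IDs."""
    spec = spec.strip().lower()
    if spec == "none":
        return set()
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(output: str) -> dict:
    """Return {port: {'native': int, 'allowed': set}} from `show interfaces trunk`."""
    ports, section = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):          # a table header selects the section
            if "Native vlan" in line:
                section = "mode"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None               # the last two tables are not needed here
            continue
        if not line.strip() or section is None:
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "mode":
            entry["native"] = int(fields[-1])
        else:
            entry["allowed"] = expand_vlans(fields[1])
    return ports


def vlan_allowed(output: str, port: str, vlan: int) -> bool:
    return vlan in parse_trunk(output).get(port, {}).get("allowed", set())


def trunk_mismatches(out_a: str, port_a: str, out_b: str, port_b: str) -> dict:
    """Compare both ends of one trunk: the native VLAN must agree and the allowed
    lists should be identical, otherwise some VLANs are silently one-way."""
    a, b = parse_trunk(out_a)[port_a], parse_trunk(out_b)[port_b]
    return {
        "native_mismatch": a["native"] != b["native"],
        "allowed_only_on_a": a["allowed"] - b["allowed"],
        "allowed_only_on_b": b["allowed"] - a["allowed"],
    }


if __name__ == "__main__":
    print("VLAN 10 allowed on SW1:", vlan_allowed(SW1, "Gi0/1", 10))
    print("VLAN 10 allowed on SW2:", vlan_allowed(SW2, "Gi0/1", 10))
    print(trunk_mismatches(SW1, "Gi0/1", SW2, "Gi0/1"))
```

Comparing the two ends rather than reading one side in isolation is the useful habit: a VLAN present in only one allowed list and a native VLAN that differs between ends are both invisible from a single `show interfaces trunk`, and both are exactly the conditions behind the two exam scenarios.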
