CompTIA Network+ N10-009 — Questions 301-375

520 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301 · MCQ · medium

A network engineer needs to add a new switch to an existing network. The switch must be configured to support VLANs and trunking. The engineer connects the switch to the existing network via a trunk port. After configuration, the VLANs on the new switch are not receiving traffic from the core network. The core switch shows the trunk is up but no VLANs are allowed. What is the most likely cause?

A.The native VLAN mismatch
B.The trunk encapsulation is not set to 802.1Q
C.The allowed VLAN list on the trunk does not include the desired VLANs
D.The switch port mode is set to access
Answer: C

The allowed VLAN list explicitly controls which VLANs are permitted on the trunk. If the desired VLANs are not in the allowed list, their traffic will be dropped.

Why this answer

The core switch reports the trunk as up but with no VLANs allowed, which points directly at the allowed VLAN list on the trunk port. By default a trunk permits all VLANs (1-4094), but once an administrator restricts the list with 'switchport trunk allowed vlan', only the listed VLANs are forwarded. A common way to end up here is typing 'switchport trunk allowed vlan 10' intending to add VLAN 10: without the 'add' keyword the command replaces the existing list rather than appending to it, and 'switchport trunk allowed vlan none' empties it entirely. 'show interfaces trunk' lists the allowed, active, and STP-forwarding VLANs side by side, so the gap between what the new switch needs and what the core trunk permits is visible on the core switch.

Exam trap

The exam often tests the misconception that a trunk being 'up/up' means all VLANs are automatically allowed; in fact the allowed VLAN list can be explicitly restricted or cleared, causing traffic loss without any physical or encapsulation issue.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause control-plane symptoms (CDP and PVST+ warnings) or untagged traffic landing in the wrong VLAN, but it would not make the core switch report that no VLANs are allowed; the allowed VLAN list would still be present. Option B is wrong because if the trunk encapsulation were not set to 802.1Q the trunk would likely not come up at all (older Cisco switches default to 'negotiate' or require 'switchport trunk encapsulation dot1q'), and the core switch would not show the trunk as up with only a VLAN list problem; the question states the trunk is up, so encapsulation is correct. Option D is wrong because a port in access mode does not form a trunk at all; the core switch reports the trunk as up, so both ends are operating in trunk mode.
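The allowed-list behaviour described above can be checked offline. The following is an added example, not code from the original page: it expands a Cisco-style VLAN list, applies the 'switchport trunk allowed vlan' keywords with IOS replace/add/remove/except semantics, and reports which required VLANs the trunk would drop. The function names and the scenario in the demo are constructed for illustration.

```python
"""Expand and audit a Cisco-style allowed-VLAN list on an 802.1Q trunk.

Added example, not from the original page: the function names and the
scenario in the demo at the bottom are constructed for illustration.
"""
from typing import Iterable, List, Set

ALL_VLANS: Set[int] = set(range(1, 4095))  # valid 802.1Q VLAN IDs are 1-4094


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand a list such as '1-5,10,20-30' ('all' / 'none' accepted) into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec in ("", "none"):
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(current: Set[int], arg: str) -> Set[int]:
    """Apply the argument of 'switchport trunk allowed vlan <arg>' to the current list.

    IOS semantics: a bare list REPLACES the current list; 'add' and 'remove'
    modify it; 'except' means every VLAN other than the ones listed.
    """
    words = arg.strip().split(None, 1)
    if not words:
        return set(current)
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        return ALL_VLANS - expand_vlan_list(rest)
    return expand_vlan_list(arg)  # 'all', 'none' or a bare list: replacement


def missing_vlans(allowed: Set[int], required: Iterable[int]) -> List[int]:
    """VLANs that must cross the trunk but are absent from the allowed list."""
    return sorted(set(required) - allowed)


if __name__ == "__main__":
    required = [10, 20, 30]                       # VLANs the new switch needs
    allowed = set(ALL_VLANS)                      # factory default: all allowed
    allowed = apply_allowed_vlan(allowed, "10")   # meant 'add 10', typed without 'add'
    print("after 'allowed vlan 10':", missing_vlans(allowed, required))          # [20, 30]
    allowed = apply_allowed_vlan(allowed, "add 20,30")                           # the fix
    print("after 'allowed vlan add 20,30':", missing_vlans(allowed, required))   # []
```

Feeding the 'Vlans allowed on trunk' column of 'show interfaces trunk' from each end into expand_vlan_list and intersecting the two sets gives the VLANs that actually cross the link; anything the new switch needs that is not in the intersection is the cause the question describes.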

302 · Matching · medium

Match each network command to its primary function.

Pairings (answers revealed)

ping: Test reachability and measure round-trip time

traceroute (tracert on Windows): Trace the path packets take to a destination

nslookup: Query DNS for domain name or IP resolution

netstat: Display active network connections and listening ports

ipconfig: View and manage IP configuration on Windows

Why these pairings

These are the standard host-side troubleshooting commands. ipconfig is Windows-specific (ifconfig or ip addr on Linux and macOS), Windows spells traceroute as tracert, and dig performs the same DNS queries as nslookup.

303 · MCQ · medium

A network technician needs to find which physical patch panel port in the server room connects to a specific office wall jack. Which type of network documentation should the technician consult?

A.Logical topology diagram
B.Cabling diagram
C.Network baseline
D.Rack diagram
Answer: B

Cabling diagrams document the physical cabling infrastructure, including identifiers for patch panels, wall jacks, and cables.

Why this answer

A cabling diagram provides the physical layer (Layer 1) documentation that maps specific patch panel ports to wall jacks, including cable runs, termination points, and labeling. This is exactly what the technician needs to trace the physical connection from the server room patch panel to the office wall jack.

Exam trap

CompTIA often tests the distinction between physical and logical documentation, and the trap here is that candidates confuse a logical topology diagram (which shows data flow) with a cabling diagram (which shows physical connections), leading them to select A instead of B.

How to eliminate wrong answers

Option A is wrong because a logical topology diagram shows Layer 2/3 relationships (e.g., VLANs, IP subnets, routing protocols) and does not include physical port-to-jack mappings. Option C is wrong because a network baseline is a performance benchmark (e.g., throughput, latency, utilization) used for comparison over time, not a physical connectivity map. Option D is wrong because a rack diagram shows the physical layout of equipment within racks (e.g., switch placement, power, cooling) but does not detail cable termination points or wall jack associations.

304 · MCQ · medium

A small office has multiple devices that need internet access but the ISP provides only a single public IPv4 address. Which network address translation (NAT) technique is most appropriate to allow all internal hosts to share that one public address?

A.Static NAT
B.Dynamic NAT
C.PAT (Port Address Translation)
D.IP masquerading
Answer: C

PAT uses ports to differentiate between sessions from different hosts, allowing a single public IP address to serve many internal devices simultaneously.

Why this answer

PAT (Port Address Translation), also known as NAT overload, is the correct choice because it lets many internal hosts share a single public IPv4 address: each inside IP:port pair is mapped to a distinct source port on the public address, and the translation table uses that port to steer replies back to the right host. Among the options it is the many-to-one translation that a small office with more devices than public addresses needs.

Exam trap

The exam often tests the distinction between Dynamic NAT and PAT by presenting a scenario with a single public IP, where candidates mistakenly choose Dynamic NAT because they confuse 'dynamic' with 'shared', not realizing Dynamic NAT still requires a pool of public IPs.

How to eliminate wrong answers

Option A is wrong because Static NAT provides a one-to-one mapping between a private IP and a public IP, which would require a separate public IP for each internal host and does not allow sharing of a single public address. Option B is wrong because Dynamic NAT maps private IPs to a pool of public IPs on a first-come, first-served basis, but it still requires as many public IPs as the number of simultaneous translations needed, so it cannot support multiple hosts with only one public IP. Option D (IP masquerading) is the Linux and BSD name for the same port-based many-to-one translation (the iptables MASQUERADE target); the answer key expects the CompTIA term PAT, and D is there as a distractor. Note also that PAT creates state only for connections initiated from inside, so unsolicited inbound traffic to the public address has no translation entry and is dropped unless a port forward is configured.
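The mechanism described above can be modelled in a few dozen lines. The following is an added example, not code from the original page: a PAT translation table that keeps the inside source port when it is free, allocates a new public port otherwise, maps returning packets back to the inside host, drops inbound traffic with no binding, and raises when the single address's port pool is exhausted. The public address, inside hosts and port range are constructed.

```python
"""Port Address Translation (NAT overload): many inside hosts, one public IPv4.

Added example, not from the original page. The public address, inside hosts
and port range below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int]  # (protocol, inside IP, inside port)


class PatTable:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.port_range = port_range
        self.outbound: Dict[Flow, int] = {}              # inside flow -> public port
        self.inbound: Dict[Tuple[str, int], Flow] = {}    # (proto, public port) -> flow

    def _allocate_port(self, proto: str, preferred: int) -> int:
        """Keep the inside source port when it is free (port preservation),
        otherwise take the first free port of the pool."""
        lo, hi = self.port_range
        if lo <= preferred <= hi and (proto, preferred) not in self.inbound:
            return preferred
        for port in range(lo, hi + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")  # the single-address limit

    def translate_outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an outgoing packet's source address and port, reusing an existing binding."""
        flow: Flow = (proto, src_ip, src_port)
        if flow not in self.outbound:
            public_port = self._allocate_port(proto, src_port)
            self.outbound[flow] = public_port
            self.inbound[(proto, public_port)] = flow
        return self.public_ip, self.outbound[flow]

    def translate_inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a returning packet to the inside host, or None (drop) if no binding exists."""
        flow = self.inbound.get((proto, dst_port))
        return None if flow is None else (flow[1], flow[2])


if __name__ == "__main__":
    nat = PatTable("203.0.113.5")                      # the office's single public IP
    for host in ("192.168.1.10", "192.168.1.11"):      # both pick the same source port
        print(host, "->", nat.translate_outbound("tcp", host, 50000))
    print("reply to 203.0.113.5:1024 ->", nat.translate_inbound("tcp", 1024))
    print("unsolicited to 203.0.113.5:443 ->", nat.translate_inbound("tcp", 443))
```

The second host collides on source port 50000, so it is given the first free port of the pool (1024); both hosts still appear as 203.0.113.5. Real implementations also age bindings out on idle timeouts, which is what frees ports again; that is omitted here so that exhaustion is easy to reproduce with a tiny port range.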

305 · MCQ · easy

A network administrator is reviewing syslog messages generated by a switch. The administrator wants to see only the most critical events, such as system failures. Which syslog severity level should be configured as the filter?

A.0 – Emergency
B.1 – Alert
C.4 – Warning
D.7 – Debug
Answer: A

Emergency messages indicate the system is unusable and require immediate attention.

Why this answer

Syslog severity level 0 (Emergency) is the highest severity, indicating system-level failures that render the switch unusable. Syslog severity filters are cumulative in the more-severe direction: configuring level N (for example 'logging trap 0' on Cisco IOS) forwards messages at level N and every numerically lower level. Filtering at level 0 therefore shows only Emergency events, such as a supervisor failure or kernel panic, and excludes every less severe message.

Exam trap

CompTIA often tests the misconception that 'Alert' (level 1) is the highest severity because of its name, but Emergency (level 0) is the most critical per the syslog standard; lower numbers are more severe.

How to eliminate wrong answers

Option B (Alert) is wrong because level 1 indicates a condition needing immediate action (e.g., a critical temperature threshold) but sits below Emergency, so filtering at level 1 would also include events less critical than system failures. Option C (Warning) is wrong because level 4 marks warning conditions (e.g., an interface accumulating errors) that do not represent system failures; configuring it would pass levels 0 through 4. Option D (Debug) is wrong because level 7 is the lowest severity, used for detailed debugging output that would flood the log with non-critical data.
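The filtering semantics above can be demonstrated on raw syslog lines. The following is an added example, not code from the original page: it decodes the PRI field (facility * 8 + severity, per RFC 3164 / RFC 5424) and applies a cumulative severity filter the way 'logging trap <level>' does. The log lines are constructed and use facility 23 (local7), the Cisco IOS default.

```python
"""Decode the syslog PRI field and filter messages by severity.

Added example, not from the original page. The log lines are constructed;
the PRI encoding (PRI = facility * 8 + severity, severities 0-7) follows
RFC 3164 / RFC 5424, and facility 23 (local7) is the Cisco IOS default.
"""
import re
from typing import Iterable, List, Tuple

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> field of a syslog line."""
    match = _PRI_RE.match(line)
    if not match:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    pri = int(match.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)  # (facility, severity)


def filter_by_severity(lines: Iterable[str], level: int) -> List[str]:
    """Keep messages at `level` or more severe (numerically lower).

    This is how a severity filter such as 'logging trap <level>' on Cisco IOS
    behaves: level 0 yields emergencies only; level 4 yields levels 0 through 4.
    """
    if not 0 <= level <= 7:
        raise ValueError("severity must be 0-7")
    return [line for line in lines if parse_pri(line)[1] <= level]


SAMPLE_LOG = [  # constructed messages, all from facility local7 (23)
    "<184>Jan 10 03:14:00 sw1 supervisor failure, system unusable",
    "<185>Jan 10 03:14:05 sw1 chassis temperature critical, shutdown imminent",
    "<188>Jan 10 03:15:00 sw1 excessive CRC errors on Gi1/0/1",
    "<189>Jan 10 03:16:00 sw1 configured from console by admin",
    "<191>Jan 10 03:16:01 sw1 ARP request received on Gi1/0/1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        facility, severity = parse_pri(line)
        print(f"facility={facility} severity={severity} ({SEVERITY_NAMES[severity]})")
    print("level 0 filter keeps:", len(filter_by_severity(SAMPLE_LOG, 0)), "message(s)")
```

The same decode is what a SIEM does before applying its own thresholds; if a collector only stores messages at Warning and above, the Notice-level configuration change (<189>) in the sample never reaches it, which is worth knowing when deciding what level to ship for audit purposes.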

306 · MCQ · easy

A network administrator is investigating reports of slow network performance. Which tool should the administrator use to capture and analyze individual packets to identify the cause of the latency?

A.Bandwidth speed tester
B.Network mapping tool
C.Syslog server
D.Protocol analyzer
Answer: D

A protocol analyzer captures and displays the contents of packets, enabling detailed troubleshooting of latency issues.

Why this answer

Option D is correct because a packet analyzer (e.g., Wireshark, tcpdump) captures and decodes individual packets, allowing the administrator to inspect frame-level details, identify retransmissions, TCP window scaling issues, or application-layer delays that cause latency. Unlike aggregate monitoring tools, packet analysis provides the granularity needed to pinpoint the exact cause of slow performance.

Exam trap

The trap here is that candidates confuse a packet analyzer with a throughput tester (Option A), assuming that measuring bandwidth alone will reveal latency causes, when in fact packet-level inspection is required to identify retransmissions, windowing issues, or application-layer delays.

How to eliminate wrong answers

Option A is wrong because a bandwidth speed test (e.g., iperf, Ookla) measures throughput but does not capture or analyze individual packets; it only provides aggregate performance metrics. Option B is wrong because a network mapping tool (e.g., Nmap, CDP/LLDP) discovers devices and topology but does not inspect packet contents or latency causes. Option C is wrong because a syslog server collects log messages from devices but does not capture or decode raw packets; it relies on device-generated events, not packet-level analysis.

307 · MCQ · medium

A network administrator is setting up a new branch office that will connect to the main headquarters over the Internet. The connection must be encrypted and allow the branch to access internal resources as if they were directly connected. Which of the following VPN types is BEST suited for this site-to-site connection?

A.IPsec
B.SSL VPN
C.PPTP
D.L2TP
Answer: A

IPsec (Internet Protocol Security) is designed for site-to-site VPNs and offers strong encryption and authentication. It is widely used for branch connections.

Why this answer

IPsec is the correct choice because it is specifically designed for site-to-site VPNs, providing encryption and authentication at the IP layer to create a secure tunnel between two networks. This allows the branch office to access internal resources at headquarters as if they were directly connected, using a gateway-to-gateway model that encrypts all traffic between the sites.

Exam trap

The exam often tests the distinction between remote-access VPNs (SSL VPN) and site-to-site VPNs (IPsec); candidates mistakenly choose SSL VPN because it is commonly used for client-based access, but it lacks the network-layer tunnel between two gateways that lets a whole branch office appear directly connected.

How to eliminate wrong answers

Option B (SSL VPN) is wrong because it is primarily a remote-access VPN operating over TLS, typically providing per-user or per-application access via a web browser or client, and is not designed for full network-layer connectivity between two sites. Option C (PPTP) is wrong because it uses outdated encryption (MPPE keyed from MS-CHAP authentication) that is considered broken and deprecated in modern networks, making it unsuitable for a secure site-to-site connection. Option D (L2TP) is wrong because L2TP is a tunneling protocol with no encryption of its own; it is normally paired with IPsec (L2TP/IPsec) and used for remote-access clients, so on its own it does not meet the encryption requirement, and for gateway-to-gateway links IPsec alone is the standard.

308 · MCQ · medium

A network engineer needs to deploy a new wireless network in a large office with many cubicles. The goal is to provide high throughput and support multiple simultaneous users. Which IEEE standard should be implemented?

A.802.11ac
B.802.11n
C.802.11b
D.802.11g
Answer: A

802.11ac provides high throughput, supports multiple users via MU-MIMO, and is suitable for high-density office environments.

Why this answer

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band, uses 80 MHz (and optionally 160 MHz) channels, and adds downlink MU-MIMO (in Wave 2 products), so it delivers high throughput and serves many simultaneous users efficiently in a dense office. This makes it the best choice among the options for a modern, high-capacity wireless deployment; 802.11ax (Wi-Fi 6) would be better still but is not offered.

Exam trap

The trap here is that candidates often choose 802.11n because it supports MIMO and dual-band operation, overlooking that 802.11ac's MU-MIMO and wider channels provide significantly better performance for multiple simultaneous users in a dense environment.

How to eliminate wrong answers

Option B (802.11n) is wrong because while it supports MIMO and can operate in both 2.4 GHz and 5 GHz bands, its maximum channel width is 40 MHz and it does not support MU-MIMO, resulting in lower aggregate throughput and less efficient handling of multiple simultaneous users compared to 802.11ac. Option C (802.11b) is wrong because it is an outdated standard limited to 2.4 GHz, a maximum data rate of 11 Mbps, and no MIMO or OFDM support, making it completely unsuitable for high throughput and multi-user scenarios. Option D (802.11g) is wrong because although it operates in 2.4 GHz and supports OFDM with a maximum data rate of 54 Mbps, it lacks MIMO, MU-MIMO, and wider channel bonding, so it cannot provide the high throughput or simultaneous user capacity required in a dense cubicle office.

309 · MCQ · hard

A network technician is troubleshooting an intermittent connectivity issue between two switches connected via fiber optic cable. The link status shows up/down flapping. The technician checks the optical power levels and finds they are within acceptable range. Which of the following is the most likely cause?

A.Dirty fiber connectors
B.Electromagnetic interference
C.Incorrect VLAN configuration
D.Duplex mismatch
Answer: A

Contamination on fiber end faces can cause intermittent signal degradation and link flapping.

Why this answer

Dirty fiber connectors cause intermittent connectivity by scattering or absorbing light, leading to bit errors and link flaps even when average optical power levels appear within acceptable range. The flapping occurs because transient contaminants (e.g., dust or oil) momentarily disrupt the optical signal, triggering link down events that recover when the connector is jostled or the contaminant shifts. Since the power meter measures average power, it may not detect brief attenuation spikes caused by dirt.

Exam trap

The trap here is that candidates assume acceptable average optical power levels rule out physical-layer issues, but the exam often tests that intermittent faults like dirty connectors cause flapping despite a passing static power measurement.

How to eliminate wrong answers

Option B is wrong because electromagnetic interference (EMI) does not affect fiber optic cables, which carry light and are immune to EMI; EMI would only impact copper cabling. Option C is wrong because an incorrect VLAN configuration would cause consistent connectivity failure or traffic isolation, not link-state flapping at the physical layer; VLAN mismatches are a Layer 2 problem and do not cause the port to go up/down. Option D is wrong because fiber links at gigabit speeds and above run full duplex only, so there is no duplex negotiation to mismatch; a duplex mismatch on copper would show as CRC or late-collision errors with the link staying up, not as up/down flapping.

310 · MCQ · medium

A network administrator needs to securely transfer backup configuration files from a router to a remote server over the internet. Which protocol should be used?

A.TFTP
B.FTP
C.SCP
D.SNMP
Answer: C

Correct. SCP uses SSH for encryption, providing secure file transfer.

Why this answer

SCP (Secure Copy Protocol) is the correct choice because it provides encrypted file transfers over SSH, ensuring confidentiality and integrity of backup configuration files transmitted over the internet. Unlike TFTP or FTP, SCP can authenticate the remote server and encrypts the data in transit, which is essential for secure remote backups. The server authentication comes from the SSH host key, and only if the client verifies it (a known_hosts entry or an explicit fingerprint check on the router) rather than accepting whatever key is presented on first connect; without that check the transfer is still encrypted but can be intercepted by an impostor server. Use key-based authentication for the backup account and restrict where it can write on the server.

Exam trap

The exam often tests the distinction between TFTP (for local, unsecured boot and backup) and SCP (for secure remote transfers); the trap here is that candidates might choose TFTP because it is commonly used for router backups in lab environments, overlooking the 'over the internet' security requirement.

How to eliminate wrong answers

Option A is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 with no authentication or encryption, making it unsuitable for secure transfers over the internet and typically limited to local LAN bootstrapping. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext over TCP ports 20/21, offering no encryption and exposing the backup files to interception.

311 · MCQ · medium

A network technician installs a new 802.3at (PoE+) access point in a warehouse. The AP is connected via a 200-foot Cat5e cable to a switch that only supports 802.3af (PoE). The AP powers on but experiences intermittent connectivity drops. What is the most likely cause?

A.The cable length exceeds the maximum allowed for PoE
B.The AP is not receiving enough power from the switch
C.Duplex mismatch between the AP and the switch
D.Radio frequency interference from warehouse equipment
Answer: B

The AP requires PoE+ (802.3at), but the switch only provides PoE (802.3af). The insufficient power can cause the AP to function erratically.

Why this answer

The switch only supports 802.3af (PoE), which delivers a maximum of 15.4 W at the switch port (about 12.95 W at the device after cable loss), while an 802.3at (PoE+) access point can draw up to 25.5 W (30 W at the port). The AP powers on because it negotiates a lower power level, but under load (transmitting at higher power, running both radios) it tries to draw more than the port is budgeted for, so the switch either cuts power to the port or the voltage sags enough to reset the AP, producing intermittent link drops. This is a classic power budget mismatch; the fix is a PoE+ switch or a PoE+ injector, or, if the AP supports it, a reduced-power 802.3af mode as a stopgap.

Exam trap

The trap here is that candidates see the AP powers on and assume power is sufficient, overlooking that 802.3at devices can operate at reduced functionality on 802.3af but will fail under higher load, leading them to incorrectly blame cable length or RF interference instead of the power budget mismatch.

How to eliminate wrong answers

Option A is wrong because the maximum cable length for Ethernet (including PoE) is 100 meters (328 feet), and the 200-foot cable is well within that limit; excessive length would cause signal attenuation, not intermittent power-related drops. Option C is wrong because duplex mismatch typically causes constant CRC errors and collisions, not intermittent connectivity drops that correlate with power draw; the AP and switch would still negotiate speed/duplex via auto-negotiation. Option D is wrong because RF interference would manifest as packet loss or retransmissions at the wireless layer, not as wired link drops or power failures; the AP would remain powered and connected to the switch.

312 · MCQ · medium

A network administrator plans to make a configuration change on a core switch during a maintenance window. According to best practices, which document should the administrator prepare and have approved before making the change?

A.Change management request
B.Network diagram
C.Incident report
D.Backup configuration
Answer: A

Correct. A change management request is the formal document that details the planned change, its purpose, impact, testing, and rollback plan. It requires approval before implementation.

Why this answer

A change management request is the correct document because it formalizes the proposed configuration change, including the scope, risk assessment, rollback plan, and approval chain. This ensures that all stakeholders review and authorize the change before implementation, reducing the risk of unintended network outages or security gaps. Frameworks such as ITIL make this process mandatory for any production network device modification.

Exam trap

The exam often tests the distinction between supporting documents (diagrams, reports, backups) and procedural documents (change requests), trapping candidates who confuse a supporting artifact with the required approval document.

How to eliminate wrong answers

Option B (Network diagram) is wrong because a network diagram is a static reference document that shows the current topology and connectivity, not a procedural document for authorizing changes; it may be used during planning but does not require approval for a specific change. Option C (Incident report) is wrong because an incident report documents an event that has already occurred (e.g., an outage or security breach), not a planned change; it is created after the fact, not before a maintenance window. Option D (Backup configuration) is wrong because taking a backup before the change is a step within the rollback plan that the change request describes, not the document that authorizes the change; the backup itself needs no approval.

313 · MCQ · easy

A network administrator needs to ensure that network device configurations are automatically backed up to a central server. Which protocol is commonly used for secure file transfer of configurations?

A.TFTP
B.FTP
C.SFTP
D.HTTP
Answer: C

SFTP provides secure encrypted file transfers over SSH, ideal for backing up configurations.

Why this answer

SFTP (SSH File Transfer Protocol) is the correct choice because it provides encrypted, secure file transfers over an SSH session, making it ideal for backing up sensitive network device configurations to a central server. Unlike TFTP or FTP, SFTP ensures both authentication and data confidentiality, which is critical for network operations.

Exam trap

The trap here is that candidates often confuse TFTP's simplicity and widespread use in network device booting (e.g., IOS image transfers) with a secure backup solution, overlooking that TFTP lacks any security mechanisms.

How to eliminate wrong answers

Option A (TFTP) is wrong because it uses UDP port 69 with no encryption or authentication, making it insecure for transferring sensitive configuration files over a network. Option B (FTP) is wrong because it transmits data in cleartext, including credentials, and lacks built-in encryption, posing a security risk. Option D (HTTP) is wrong because it is unencrypted and typically used for web traffic, not for secure file transfers of configurations.

314 · MCQ · easy

A network administrator needs to monitor the health and performance of network devices and receive alerts when link failures occur. Which of the following protocols should be implemented?

A.SNMP
B.SMTP
C.SSH
D.TFTP
Answer: A

SNMP allows monitoring and alerting for network device status and performance.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is designed to monitor and manage network devices, collect performance metrics, and send traps or informs when events such as link failures occur. SNMP agents on devices answer polls from a management system, which raises alerts on thresholds or on received notifications (e.g., the linkDown and linkUp notifications defined in IF-MIB, RFC 2863). Deploy it as SNMPv3 with authentication and privacy (authPriv): SNMPv1 and v2c community strings cross the network in cleartext and act as a shared password for reading, and with a read-write community for changing, device state.

Exam trap

The trap here is that candidates often confuse SNMP with SMTP because both can be involved in alerting, but SMTP is only a delivery mechanism for email-based alerts, not the protocol that actually monitors devices and detects link failures.

How to eliminate wrong answers

Option B (SMTP) is wrong because SMTP is a protocol for sending email messages, not for network device monitoring or receiving link failure alerts; it could be used to forward alerts via email but is not the monitoring protocol itself. Option C (SSH) is wrong because SSH provides secure remote command-line access and file transfer, but it lacks the standardized polling, trap, and MIB-based monitoring capabilities required for automated health and performance monitoring. Option D (TFTP) is wrong because TFTP is a trivial file transfer protocol used for tasks like backing up configurations or upgrading firmware, not for monitoring device health or receiving link failure alerts.
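What a management system does with polled SNMP data is easy to show without a live device. The following is an added example, not code from the original page: it takes two polling samples of IF-MIB values (ifOperStatus and ifInOctets, keyed by ifIndex), computes utilization with correct handling of a 32-bit counter wrap, and emits the polled equivalent of linkDown/linkUp alerts plus high-utilization alerts. The samples and interface speeds are constructed; no SNMP library is involved.

```python
"""Turn polled SNMP interface data into health and link-failure alerts.

Added example, not from the original page. No SNMP library is used: the two
polling samples are constructed dictionaries keyed by ifIndex, holding the
IF-MIB values ifOperStatus and ifInOctets that a poller would retrieve.
"""
from typing import Dict, List, Tuple

UP, DOWN = 1, 2          # IF-MIB ifOperStatus: up(1), down(2)
COUNTER32_BITS = 32      # ifInOctets is a Counter32; ifHCInOctets is 64-bit


def counter_delta(prev: int, curr: int, bits: int = COUNTER32_BITS) -> int:
    """Octets moved between two readings, correcting for a single counter wrap."""
    if curr >= prev:
        return curr - prev
    return (1 << bits) - prev + curr


def utilization_percent(prev_octets: int, curr_octets: int, seconds: float,
                        if_speed_bps: int, bits: int = COUNTER32_BITS) -> float:
    """Average link utilization over the polling interval, in percent of ifSpeed."""
    bits_moved = counter_delta(prev_octets, curr_octets, bits) * 8
    return 100.0 * bits_moved / seconds / if_speed_bps


def link_alerts(prev: Dict[int, int], curr: Dict[int, int]) -> List[Tuple[int, str]]:
    """ifOperStatus transitions between polls: the polled view of linkDown/linkUp traps."""
    alerts = []
    for if_index, status in curr.items():
        before = prev.get(if_index)
        if before == UP and status == DOWN:
            alerts.append((if_index, "linkDown"))
        elif before == DOWN and status == UP:
            alerts.append((if_index, "linkUp"))
    return sorted(alerts)


def utilization_alerts(prev: Dict[int, int], curr: Dict[int, int], seconds: float,
                       speeds: Dict[int, int], threshold_pct: float) -> List[Tuple[int, float]]:
    """Interfaces whose utilization over the interval exceeds the threshold."""
    hits = []
    for if_index, octets in curr.items():
        if if_index in prev:
            pct = utilization_percent(prev[if_index], octets, seconds, speeds[if_index])
            if pct > threshold_pct:
                hits.append((if_index, round(pct, 1)))
    return hits


# Constructed samples, 10 seconds apart. ifIndex 1's counter wraps between polls.
SPEEDS = {1: 10_000_000, 2: 1_000_000_000, 3: 1_000_000_000}
PREV_STATUS = {1: UP, 2: UP, 3: DOWN}
CURR_STATUS = {1: UP, 2: DOWN, 3: UP}
PREV_OCTETS = {1: 4_294_960_000, 2: 500_000, 3: 0}
CURR_OCTETS = {1: 1_242_704, 2: 500_000, 3: 0}

if __name__ == "__main__":
    print("link alerts:", link_alerts(PREV_STATUS, CURR_STATUS))
    print("busy links:", utilization_alerts(PREV_OCTETS, CURR_OCTETS, 10, SPEEDS, 5.0))
```

Polling only catches a transition that is still in effect at the next poll; a link that flaps and recovers inside the interval is invisible here, which is why traps or informs are configured alongside polling. On gigabit interfaces a Counter32 can wrap in under a minute, so pollers prefer the 64-bit ifHCInOctets where the device offers it.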

315 · MCQ · hard

A network technician is troubleshooting a router that is not forwarding packets to a remote destination network. The routing table shows a valid route learned via OSPF. The technician can successfully ping the next-hop IP address from the router. However, packets to the destination network are not being forwarded. Which of the following is the MOST likely cause?

A.CEF (Cisco Express Forwarding) is disabled or has a corruption
B.The OSPF neighbor relationship is in the EXSTART state
C.The outbound interface has been administratively shut down
D.There is an ACL blocking the return traffic
Answer: A

CEF creates a forwarding table based on the routing table. If CEF is disabled or the FIB is corrupt, the router will not forward packets even though the route appears in the routing table.

Why this answer

When a router has a valid OSPF-learned route and can ping the next-hop IP but still fails to forward packets, the issue is in the forwarding plane rather than the control plane. CEF (Cisco Express Forwarding) is the default forwarding mechanism on Cisco routers: the Forwarding Information Base (FIB) and adjacency table are built from the routing table (RIB) and ARP or neighbor data, and transit packets are switched against the FIB, not the RIB. If CEF is disabled or the FIB is out of sync with the RIB, packets for the prefix are dropped even though 'show ip route' looks correct; comparing 'show ip cef <prefix>' with the RIB entry is the check. The successful ping proves only that the directly connected interface and ARP work, not that the FIB entry for the remote prefix is usable. Disabling CEF falls back to process switching, which is slow and can itself fail under load.

Exam trap

The trap here is that candidates assume a valid route in the routing table and a successful ping to the next hop guarantee packet forwarding, but the exam tests the distinction between the control plane (routing table) and the data plane (CEF forwarding).

How to eliminate wrong answers

Option B is wrong because the EXSTART state is a normal OSPF neighbor state during the Database Description (DD) packet exchange, and it does not prevent forwarding of packets to a remote destination; OSPF routes are only installed in the routing table after the FULL state is reached, so a route learned via OSPF implies the neighbor relationship is already FULL. Option C is wrong because if the outbound interface were administratively shut down, the technician would not be able to ping the next-hop IP address from the router, as the interface would be in a down/down state and no traffic could egress. Option D is wrong because an ACL blocking return traffic would let the router forward the outbound packets and drop only the replies, so the symptom would be one-way loss seen by the end hosts, not the router failing to forward packets toward the destination in the first place.

316 · MCQ · easy

Which of the following is a characteristic of a Layer 2 network switch?

A.Makes forwarding decisions based on IP addresses
B.Uses MAC addresses to make forwarding decisions
C.Can route traffic between different VLANs without a router
D.Provides Network Address Translation (NAT)
Answer: B

Layer 2 switches use MAC address tables to forward frames to the correct port based on the destination MAC address.

Why this answer

A Layer 2 network switch operates at the Data Link layer of the OSI model and uses MAC addresses to make forwarding decisions. It examines the destination MAC address in an Ethernet frame and consults its MAC address table to determine the appropriate port to forward the frame, enabling efficient local area network communication.

Exam trap

The exam often tests the distinction between Layer 2 and Layer 3 functionality, and the trap here is that candidates may confuse a switch's ability to segment VLANs with the ability to route between them, forgetting that routing requires a Layer 3 device or process.

How to eliminate wrong answers

Option A is wrong because Layer 2 switches do not use IP addresses for forwarding decisions; that is a function of Layer 3 devices like routers. Option C is wrong because switches cannot route traffic between different VLANs without a Layer 3 device such as a router or a multilayer switch with routing enabled; inter-VLAN routing requires IP-based forwarding. Option D is wrong because Network Address Translation (NAT) is a Layer 3 function typically performed by routers or firewalls, not by Layer 2 switches.
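The learn-and-forward behaviour described above, as an added example that is not code from the original page: a small switch model that learns the source MAC on the ingress port, sends known unicast out exactly one port, never sends a frame back out the port it arrived on, and floods unknown unicast, broadcast and multicast to every other port. Port numbers and MAC addresses are constructed.

```python
"""Minimal model of a Layer 2 switch: learn source MACs per port, forward known
unicast out a single port, flood everything else.

Added example, not from the original page. Port numbers and MAC addresses are
constructed.
"""
from typing import Dict, List


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class L2Switch:
    def __init__(self, ports: List[int]):
        self.ports = list(ports)
        self.mac_table: Dict[str, int] = {}  # destination MAC -> egress port (the CAM table)

    def receive(self, ingress: int, src_mac: str, dst_mac: str) -> List[int]:
        """Process one frame and return the list of ports it is sent out of."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        # Learning: the source is reachable via the port the frame came in on.
        # A later frame from a different port overwrites the entry (a MAC move).
        self.mac_table[src_mac] = ingress
        # Forwarding: known unicast goes to exactly one port ...
        if not is_group_address(dst_mac) and dst_mac in self.mac_table:
            egress = self.mac_table[dst_mac]
            return [] if egress == ingress else [egress]  # never back out the ingress port
        # ... unknown unicast, broadcast and multicast are flooded to all other ports.
        return [p for p in self.ports if p != ingress]


if __name__ == "__main__":
    sw = L2Switch([1, 2, 3])
    A, B = "00:11:22:33:44:01", "00:11:22:33:44:02"
    print("A->B, B unknown:", sw.receive(1, A, B))     # flood: [2, 3]
    print("B->A, A known:", sw.receive(2, B, A))       # [1]
    print("A->B, B known:", sw.receive(1, A, B))       # [2]
    print("table:", sw.mac_table)
```

Two things the model makes visible that matter operationally: until the destination has been learned, a unicast frame is delivered to every port (so the first packets of a conversation are seen by all hosts on the segment), and the table is populated purely from observed source addresses, with no verification; a real switch adds aging so stale entries expire, and port security to cap how many addresses a port may claim.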

317 · MCQ · hard

Users on a VLAN report intermittent network disconnections lasting a few seconds. The network technician checks the switch and notices a high number of CRC errors on the port connecting to the core switch. The cable test passes. What is the most likely cause?

A.Duplex mismatch between the two switches
B.STP reconvergence due to topology change
C.Broadcast storm caused by a loop
D.Faulty SFP transceiver on the core switch
Answer: A

Correct. A duplex mismatch causes collisions and CRC errors, leading to intermittent connectivity.

Why this answer

With a duplex mismatch the full-duplex side transmits whenever it has a frame, while the half-duplex side still senses the medium before sending. When both transmit at once, the half-duplex side detects a collision (often a late collision) and aborts, and the full-duplex side receives a truncated, corrupt frame that it counts as a CRC or runt error. Since the cable test passes, the physical medium is fine; the brief outages come from bursts of collisions and retransmissions whenever traffic in both directions overlaps, which is why the symptom is intermittent and tracks utilization.

Exam trap

The exam often tests the misconception that CRC errors always indicate a bad cable or physical-layer issue; the trap here is that a passing cable test points to a duplex mismatch as the root cause, especially when combined with intermittent disconnections.

How to eliminate wrong answers

Option B is wrong because STP reconvergence typically causes a complete loss of connectivity for 30–50 seconds (classic STP) or a few seconds (RSTP), but it does not produce CRC errors; CRC errors indicate Layer 1/2 frame corruption, not topology changes. Option C is wrong because a broadcast storm would cause continuous high utilization and frame drops, not intermittent disconnections with CRC errors, and a loop would typically be caught by STP or cause a full outage rather than brief, recurring disconnections. Option D is wrong because a passing cable test means the medium is sound and a failing transceiver usually produces errors or loss of link regardless of traffic load, whereas duplex-mismatch errors scale with traffic; checking 'show interfaces' for late collisions on the half-duplex side confirms the mismatch.

318 · Matching · medium

Match each network service to its description.

Pairings (answers revealed)

DHCP: Automatically assigns IP addresses to devices

DNS: Resolves domain names to IP addresses

NAT: Translates private IP addresses to a public IP

SNMP: Monitors and manages network devices

Why these pairings

These are common network services.

319 · MCQ · medium

A network administrator is configuring an IEEE 802.1Q trunk between two switches. Which of the following must match on both ends for the trunk to function correctly?

A.The native VLAN ID
B.The trunk port speed and duplex
C.The encapsulation type
D.The allowed VLAN list
Answer: A

A mismatched native VLAN can cause traffic on the untagged VLAN to be placed in the wrong VLAN on the other switch.

Why this answer

For an IEEE 802.1Q trunk to function correctly, the native VLAN ID must match on both ends. The native VLAN is the VLAN whose frames cross the trunk untagged; if the IDs differ, untagged frames from one switch's native VLAN are placed into a different VLAN on the other switch, so traffic leaks between VLANs and spanning tree can see inconsistent topologies. Cisco switches flag the condition with a CDP native VLAN mismatch log message, and PVST+ blocks the affected VLAN on the port (a PVID inconsistency) until it is corrected. Native VLAN mismatches are a common source of trunk problems and are checked with 'show interfaces trunk' on both ends.

Exam trap

The trap here is that candidates often confuse the requirement for matching native VLANs with the need for matching encapsulation type, mistakenly thinking that both ends must be set to 'dot1q' when in fact 802.1Q is the default and only option for modern trunks, making the native VLAN the critical matching parameter.

How to eliminate wrong answers

Option B is wrong because trunk port speed and duplex are Layer 1 parameters, not part of 802.1Q trunking; a mismatch there causes errors or link flaps on any link, trunk or not, and is not what the trunk protocol requires to match. Option C is wrong because on most current switches 802.1Q is the only supported trunk encapsulation; the older ISL (Inter-Switch Link) encapsulation is Cisco-proprietary and deprecated, and the question specifies IEEE 802.1Q, so encapsulation is fixed and not a variable that needs matching. Option D is wrong because the allowed VLAN lists do not have to match for the trunk to come up; if they differ, only the VLANs allowed on both ends carry traffic, which is a reachability problem (or deliberate pruning) rather than a trunk failure.
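The untagged-frame behaviour that makes the native VLAN matter can be shown at the byte level. The following is an added example, not code from the original page: it builds 802.1Q tagged and untagged frames (TPID 0x8100, then a 16-bit TCI whose low 12 bits carry the VLAN ID), models trunk egress (native VLAN sent untagged, others tagged) and trunk ingress (untagged frames assigned to the receiving port's native VLAN), and shows which VLAN a frame ends up in after crossing a trunk whose two ends disagree. MAC addresses, VLAN numbers and the payload are constructed.

```python
"""Build and parse 802.1Q frames and show what a native VLAN mismatch does.

Added example, not from the original page. MAC addresses, VLAN numbers and
the payload are constructed; the frame layout (TPID 0x8100, then a 16-bit TCI
whose low 12 bits carry the VLAN ID) follows IEEE 802.1Q.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800  # arbitrary inner EtherType for the sample payload
DST = bytes.fromhex("ffffffffffff")   # constructed addresses
SRC = bytes.fromhex("021122334455")


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], payload: bytes) -> bytes:
    """Untagged frame when vlan is None, otherwise an 802.1Q tagged frame (PCP=0, DEI=0)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan, ETHERTYPE_IPV4) + payload


def parse_vlan(frame: bytes) -> Optional[int]:
    """VLAN ID from the tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def trunk_egress(vlan: int, native: int, payload: bytes = b"data") -> bytes:
    """A trunk port sends its native VLAN untagged and every other VLAN tagged."""
    return build_frame(DST, SRC, None if vlan == native else vlan, payload)


def trunk_ingress(frame: bytes, native: int) -> int:
    """A trunk port places untagged frames into its own native VLAN."""
    tag = parse_vlan(frame)
    return native if tag is None else tag


def vlan_after_trunk(vlan: int, native_a: int, native_b: int) -> int:
    """VLAN a frame from switch A's VLAN `vlan` lands in on switch B."""
    return trunk_ingress(trunk_egress(vlan, native_a), native_b)


if __name__ == "__main__":
    for vlan, na, nb in [(10, 1, 1), (1, 1, 1), (1, 1, 99), (99, 99, 1), (10, 1, 99)]:
        print(f"VLAN {vlan:>3} via native {na:>2}->{nb:>2}: "
              f"arrives in VLAN {vlan_after_trunk(vlan, na, nb)}")
```

With matching native VLANs every row comes back unchanged; with native 1 on one end and 99 on the other, VLAN 1 traffic is delivered into VLAN 99 and VLAN 99 traffic into VLAN 1, while tagged VLANs such as 10 are unaffected. On Cisco switches the global command 'vlan dot1q tag native' tags the native VLAN as well, which removes the untagged path and with it this class of problem.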

320 · MCQ · medium

A user's laptop frequently disconnects from the Wi-Fi network when they move to the conference room. Other devices in the conference room maintain stable connections. The laptop shows a strong signal in the conference room. What is the most likely cause?

A.Laptop's wireless adapter driver is outdated or faulty
B.AP channel is congested
C.Laptop is using the 5 GHz band while the AP uses 2.4 GHz
D.Interference from microwave ovens
Answer: A

A driver issue can cause erratic behavior like frequent disconnects even with good signal strength, especially when roaming or switching channels.

Why this answer

The laptop disconnects only when moving to the conference room, while other devices remain stable, ruling out environmental issues. A strong signal but frequent disconnects points to a client-side problem, most commonly an outdated or faulty wireless adapter driver that fails to handle roaming or power-save transitions properly.

Exam trap

CompTIA often tests the trap that a strong signal guarantees a stable connection, but in reality, client-side driver issues or misconfigured power-save settings can cause disconnects despite excellent RSSI.

How to eliminate wrong answers

Option B is wrong because AP channel congestion would affect all devices in the conference room, not just this one laptop. Option C is wrong because if the laptop were using 5 GHz while the AP uses 2.4 GHz, the laptop would not associate at all (no signal), rather than showing a strong signal and then disconnecting. Option D is wrong because interference from microwave ovens would impact all Wi-Fi devices in the area, especially on the 2.4 GHz band, and the laptop shows a strong signal, which is inconsistent with intermittent interference.

321
MCQ (hard)

A technician is troubleshooting intermittent connectivity issues on a fiber link between two switches. The link light on both switches is green. Which of the following tools should the technician use to further investigate the issue?

A. Multimeter
B. Tone generator
C. Optical power meter
D. Cable certifier
Answer: C

An optical power meter measures the light power in a fiber link, helping to identify signal loss that could cause intermittent issues.

Why this answer

The correct tool is an optical power meter because the link lights are green, indicating Layer 1 signal presence, but intermittent connectivity suggests the signal strength may be marginal or fluctuating. An optical power meter measures the exact light level in dBm to verify it falls within the receiver's sensitivity range, which a simple link LED cannot detect.

Exam trap

The trap here is that candidates assume a green link light guarantees a healthy connection, but Cisco often tests that Layer 1 indicators only confirm signal presence, not signal quality, so an optical power meter is required to diagnose marginal power levels causing intermittent errors.

How to eliminate wrong answers

Option A is wrong because a multimeter measures electrical properties like voltage, resistance, and continuity in copper cables, but it cannot measure optical light levels in a fiber link. Option B is wrong because a tone generator sends an electrical signal along a copper conductor for cable tracing and identification, and it is not compatible with fiber optic cables.

322
MCQ (easy)

A network technician needs to back up the configuration file of a managed switch to a central server on a regular basis. The switch supports a simple and widely used protocol for this purpose. Which of the following protocols should the technician use?

A. TFTP
B. HTTP
C. SNMP
D. SSH
Answer: A

TFTP is designed for simple file transfer and is the standard protocol used by network devices for configuration backup.

Why this answer

TFTP (Trivial File Transfer Protocol) is the correct choice because it is a simple, lightweight protocol designed specifically for transferring configuration files to and from network devices like managed switches. It uses UDP port 69 and requires no authentication or complex session setup, making it ideal for automated backup scripts that run on a regular basis. While it lacks security features, its simplicity and widespread support in network equipment firmware make it the standard for this purpose.

Exam trap

CompTIA often tests the distinction between TFTP for simple file transfers and SCP/SSH for secure transfers, leading candidates to choose SSH because they assume security is always required, but the question explicitly asks for a 'simple and widely used protocol' where security is not a stated requirement.

How to eliminate wrong answers

Option B (HTTP) is wrong because HTTP is a web-based protocol typically used for accessing management interfaces via a browser, not for efficient, scriptable file transfers; it adds unnecessary overhead and is not the standard protocol for switch configuration backups. Option C (SNMP) is wrong because SNMP is used for monitoring and managing network devices via MIBs and traps, not for transferring entire configuration files; it lacks the file transfer capability required for backup. Option D (SSH) is wrong because SSH is a secure remote access protocol used for interactive command-line sessions or secure file transfer via SCP/SFTP, but the question specifies a 'simple and widely used protocol,' and SSH is more complex and resource-intensive than TFTP for automated backups.

323
MCQ (easy)

A network device receives a frame and forwards it based on the destination MAC address. The device does not modify the frame and only floods unknown unicast frames. At which layer of the OSI model does this device operate?

A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B

This describes a switch, which operates at the Data Link layer (Layer 2). It uses MAC addresses to forward frames and floods unknown unicast frames.

Why this answer

This device operates at Layer 2 (Data Link Layer) because it forwards frames based on the destination MAC address, does not modify the frame, and floods unknown unicast frames. These behaviors are characteristic of a transparent bridge or switch, which uses a MAC address table to make forwarding decisions without examining IP addresses or modifying the frame. Layer 2 devices do not perform routing or alter the frame's content, distinguishing them from Layer 3 routers.

Exam trap

Cisco often tests the distinction between Layer 2 switching and Layer 3 routing by describing a device that forwards based on MAC addresses but does not modify frames, leading candidates to mistakenly think of a router (Layer 3) because they associate 'forwarding' with routing, when in fact the key clue is the lack of frame modification and the flooding of unknown unicasts.

How to eliminate wrong answers

Option A is wrong because Layer 1 devices (e.g., hubs, repeaters) operate solely on electrical or optical signals, do not read MAC addresses, and forward all frames out all ports except the incoming port without any filtering or learning. Option C is wrong because Layer 3 devices (e.g., routers) forward packets based on destination IP addresses, modify the frame by decrementing the TTL and recalculating the checksum, and do not flood unknown unicast frames in the same manner—they use routing tables and ARP for next-hop resolution.

324
MCQ (medium)

A company is implementing a new wireless network for employees. The network must support seamless roaming between access points. Which protocol should be configured on the wireless controller?

A. 802.1X
B. 802.11r
C. 802.11n
D. 802.3af
Answer: B

802.11r, also known as Fast BSS Transition, reduces the time required for a client to transition between APs by caching keying information, enabling seamless roaming.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables seamless roaming by allowing a client to authenticate and derive encryption keys with a new access point before or during the reassociation process, reducing the time-sensitive handshake overhead. This is essential for real-time applications like VoIP or video calls where roaming delays must be under 50 ms to avoid perceptible drops.

Exam trap

The trap here is that candidates often confuse 802.1X (authentication) with 802.11r (fast roaming), assuming that any security-related protocol must handle roaming, when in fact 802.1X adds latency rather than reducing it.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control standard used for authentication (e.g., with RADIUS), not a roaming protocol; it does not accelerate handoffs between APs. Option C is wrong because 802.11n is a physical layer and MAC enhancement standard that increases throughput via MIMO and channel bonding, but it has no mechanism for reducing roaming latency or managing fast transitions.

325
MCQ (medium)

A network technician is installing a new wireless access point in a warehouse. The AP requires PoE+ (802.3at) for full operation. The technician connects the AP using a Cat5e cable run of 200 feet to a switch that only supports 802.3af (PoE). The AP powers on but has intermittent connectivity issues. What is the most likely cause?

A. The cable length exceeds the maximum for PoE
B. The switch does not support the required PoE standard
C. The AP is experiencing interference from metal racks
D. The AP is configured with the wrong SSID
Answer: B

The AP requires 802.3at (PoE+ providing up to 30W), but the switch only provides 802.3af (up to 15.4W). Insufficient power can cause erratic behavior and connectivity drops.

Why this answer

The switch only supports 802.3af (PoE), which provides up to 15.4W per port, while the AP requires 802.3at (PoE+) for full operation, which supplies up to 30W. Although the AP powers on, it may not receive sufficient power to operate all radios or features, leading to intermittent connectivity issues. The cable length of 200 feet is within the 100-meter (328-foot) limit for Cat5e, so length is not the problem.

Exam trap

The trap here is that candidates assume the AP powers on means it is fully operational, but Cisco often tests the nuance that PoE+ devices may partially power up with PoE, only to exhibit intermittent issues due to insufficient power budget.

How to eliminate wrong answers

Option A is wrong because the maximum cable length for Ethernet (including PoE) is 100 meters (328 feet), and 200 feet (approximately 61 meters) is well within that limit, so cable length does not cause the issue. Option C is wrong because while metal racks can cause RF interference, the question states the AP powers on and has intermittent connectivity, which is more consistent with power negotiation issues than with interference; interference would typically cause poor signal quality or disconnections, not power-related symptoms.

326
MCQ (medium)

A network administrator needs to upgrade the firmware on a critical core router. The admin has downloaded the new firmware and verified its checksum. Which of the following should the admin do before proceeding with the installation?

A. Back up the current router configuration
B. Change the management IP address
C. Disable all physical interfaces
D. Remove the old firmware image
Answer: A

A configuration backup allows restoration to the pre-upgrade state if the new firmware causes issues or if rollback is needed.

Why this answer

Before upgrading firmware on a critical core router, backing up the current configuration ensures that if the upgrade fails or causes unexpected behavior, the original operational state can be restored quickly. This is a standard best practice in network operations to minimize downtime and avoid manual reconfiguration of complex routing protocols, ACLs, and interface settings.

Exam trap

The trap here is that candidates assume removing the old firmware frees space and is necessary, but Cisco tests the understanding that the old image should be kept as a fallback to prevent a bricked device if the new firmware fails to boot.

How to eliminate wrong answers

Option B is wrong because changing the management IP address is unnecessary and would disrupt remote access during the upgrade, increasing risk. Option C is wrong because disabling all physical interfaces would cause a complete network outage, which is not required for a firmware upgrade and violates high-availability principles. Option D is wrong because removing the old firmware image before installation is dangerous; if the new firmware fails to load, the router may be left without a bootable image, requiring physical console recovery via ROMmon or TFTP.

327
MCQ (easy)

A user reports that they cannot access the company's internal web application at https://apps.internal.company.com. The technician can ping the server's IP address (10.10.10.20) successfully and also successfully telnet to 10.10.10.20 on port 443. However, the web browser displays 'Unable to connect'. What is the most likely cause?

A. The web server service is stopped
B. DNS resolution is failing for the FQDN
C. The browser is configured to use an incorrect proxy server
D. A firewall is blocking TCP port 443
Answer: C

If the browser is set to use a proxy server that is unavailable or misconfigured, it will fail to connect to the web server even though network connectivity is fine. Telnet and ping bypass proxy settings, confirming the server is reachable.

Why this answer

The technician can ping the server IP and telnet to port 443, proving the server is reachable and the HTTPS service is listening. However, the browser fails to load the page, which points to a client-side issue. An incorrect proxy server configuration in the browser would cause the browser to send requests to a proxy that cannot reach the internal server, resulting in 'Unable to connect' despite successful network-level connectivity tests.

Exam trap

The trap here is that candidates assume successful telnet to port 443 implies the web application is fully functional, overlooking that the browser may use a proxy server that is not involved in the telnet test, leading them to incorrectly choose a firewall or DNS issue.

How to eliminate wrong answers

Option A is wrong because telnet to port 443 succeeded, which confirms the web server service is running and accepting TCP connections on that port. Option B is wrong because the technician successfully pinged the server by IP address and telnet to the IP on port 443, and the browser would use DNS resolution to get the IP; if DNS were failing, the browser would show a 'DNS resolution failed' error, not 'Unable to connect' after the IP is resolved. Option D is wrong because a firewall blocking TCP port 443 would prevent both the telnet test and the browser from connecting, but the telnet test succeeded, indicating no firewall filtering on that port.

328
MCQ (medium)

A network engineer is designing a data center network and needs to ensure high availability for the core switches. Which technology allows multiple physical switches to be combined into a single logical switch to simplify management and improve redundancy?

A. Spanning Tree Protocol (STP)
B. Switch stacking
C. EtherChannel
D. Virtual Router Redundancy Protocol (VRRP)
Answer: B

Stacking combines multiple switches via dedicated stacking ports to act as one logical switch with a single management IP.

Why this answer

Switch stacking combines multiple physical switches into a single logical unit, sharing a common control plane and management interface. This simplifies configuration and provides redundancy because if one switch in the stack fails, the remaining switches continue forwarding traffic without requiring STP convergence.

Exam trap

Cisco often tests the distinction between EtherChannel (link aggregation) and stacking (switch aggregation), so the trap here is confusing a technology that bundles links with one that bundles entire switches.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents loops in redundant topologies by blocking ports, but it does not combine switches into a single logical device; it operates on individual switches and requires convergence time. Option C is wrong because EtherChannel bundles multiple physical links between two switches into a single logical link for increased bandwidth and redundancy, but it does not merge the switches themselves into a single logical switch.

329
MCQ (hard)

An organization is implementing a network monitoring solution that uses SNMP. The administrator wants to receive traps from all devices but is concerned about the security of SNMPv1/v2c community strings. Which SNMP version should be used to provide authentication and encryption?

A. SNMPv1
B. SNMPv2c
C. SNMPv3
D. SNMPv4
Answer: C

SNMPv3 provides authentication, integrity, and encryption to protect SNMP traffic.

Why this answer

SNMPv3 is the correct choice because it is the only version of SNMP that provides both authentication and encryption, addressing the security concerns with SNMPv1/v2c community strings. SNMPv3 supports user-based security models (USM) with features like message integrity, authentication, and encryption (e.g., using SHA/MD5 for auth and AES/DES for privacy). This ensures that traps are sent securely, preventing unauthorized access or tampering.

Exam trap

CompTIA often tests the misconception that SNMPv2c offers improved security over SNMPv1, but in reality, both v1 and v2c are equally insecure because they use plaintext community strings, while SNMPv3 is the only version that provides authentication and encryption.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses plaintext community strings with no authentication or encryption, making it highly insecure. Option B is wrong because SNMPv2c also relies on plaintext community strings and lacks any security enhancements beyond SNMPv1, despite adding new protocol operations like GetBulk. Option D is wrong because SNMPv4 does not exist as a standard; the SNMP protocol versions are v1, v2c, and v3, with v3 being the current secure version.

330
MCQ (medium)

A network engineer is designing an OSPF network for a large enterprise. To reduce the size of routing tables and limit the propagation of external routes, the engineer wants to use a special area that blocks Type 5 LSAs but still allows inter-area routes via a default route. Which type of OSPF area should be configured?

A. Backbone area 0
B. Standard area
C. Stub area
D. Totally stubby area
Answer: C

A stub area blocks Type 5 LSAs (AS external routes) and injects a default route instead, reducing routing table size and external route propagation.

Why this answer

A stub area blocks Type 5 LSAs (external routes) from entering the area, forcing the area border router (ABR) to inject a default route (0.0.0.0/0) for reaching external destinations. This reduces the routing table size while still allowing inter-area routes (Type 3 LSAs) to propagate, exactly matching the requirement.

Exam trap

CompTIA often tests the distinction between stub and totally stubby areas, where candidates mistakenly choose 'totally stubby' because they think it blocks more routes, but the question explicitly requires inter-area routes to still be allowed, which only a stub area provides.

How to eliminate wrong answers

Option A is wrong because the backbone area (area 0) is the core of OSPF and does not block any LSA types; it must carry all routes, including external ones. Option B is wrong because a standard area accepts all LSA types (Type 1, 2, 3, 4, 5), so it does not reduce routing table size or block Type 5 LSAs. Option D is wrong because a totally stubby area blocks both Type 5 and Type 3 LSAs, relying entirely on a default route for both inter-area and external destinations, which is more restrictive than the requirement (which still allows inter-area routes).

331
MCQ (medium)

A network administrator needs to create a diagram that shows the IP addressing scheme, VLAN assignments, and routing protocols used in the network. This diagram will be used for troubleshooting and future planning. Which type of documentation should the administrator create?

A. Physical topology diagram
B. Logical topology diagram
C. Rack elevation diagram
D. Cable management plan
Answer: B

A logical diagram represents the network as seen by the OSI Layer 3, including IP subnets, VLANs, routing protocols, and logical connections.

Why this answer

A logical topology diagram is correct because it documents the IP addressing scheme, VLAN assignments, and routing protocols—abstract elements that define how data flows through the network, independent of physical device locations. This type of diagram is essential for troubleshooting Layer 3 issues and planning changes to the network's logical design.

Exam trap

Cisco often tests the distinction between physical and logical documentation by describing a scenario that mixes physical and logical elements, leading candidates to mistakenly choose a physical topology diagram when the question explicitly asks for IP schemes and VLANs.

How to eliminate wrong answers

Option A is wrong because a physical topology diagram shows the physical layout of devices, cabling, and interconnections, but it does not include IP addressing, VLANs, or routing protocols. Option C is wrong because a rack elevation diagram details the physical placement of equipment in racks, including power and cooling, but it omits logical constructs like IP schemes and routing protocols.

332
MCQ (easy)

A network technician needs to discover directly connected network devices and their capabilities for documentation purposes. Which protocol should be used?

A. SNMP
B. LLDP
C. ICMP
D. ARP
Answer: B

LLDP enables devices to advertise information about themselves to neighboring devices, making it suitable for discovering directly connected neighbors.

Why this answer

LLDP (Link Layer Discovery Protocol) is the correct choice because it is an IEEE 802.1AB standard protocol specifically designed to discover directly connected network devices and their capabilities, such as system name, port description, VLAN information, and management addresses. Unlike proprietary protocols, LLDP operates at Layer 2 and allows any vendor's equipment to advertise and learn about neighbors without requiring IP connectivity or a management station.

Exam trap

Cisco often tests the trap that candidates confuse LLDP with CDP (Cisco Discovery Protocol), but the question explicitly asks for a protocol to discover directly connected devices and their capabilities, and LLDP is the standards-based answer, while CDP is Cisco-proprietary and not always the correct choice in multi-vendor environments.

How to eliminate wrong answers

Option A (SNMP) is wrong because SNMP is a management protocol used to poll and retrieve MIB data from network devices, but it does not discover directly connected neighbors; it requires prior configuration and IP reachability to the target device. Option C (ICMP) is wrong because ICMP is a diagnostic and error-reporting protocol (e.g., ping, traceroute) that operates at Layer 3 and cannot discover device capabilities or directly connected neighbors at Layer 2.

333
MCQ (medium)

A company wants to prevent unauthorized personal devices from connecting to the corporate wired network. Employees must authenticate using their domain credentials before gaining full network access. Which security measure should be implemented on the switch ports?

A. MAC filtering
B. 802.1X
C. Port security with sticky MAC
D. VLAN hopping prevention
Answer: B

802.1X uses Extensible Authentication Protocol (EAP) to authenticate devices/users against a central authentication server, enforcing access based on credentials.

Why this answer

802.1X is the correct choice because it provides port-based network access control (PNAC) that requires end devices to authenticate using domain credentials (e.g., via RADIUS) before being granted full network access. This ensures that only authorized users, not just authorized devices, can connect to the corporate wired network, meeting the requirement to prevent unauthorized personal devices.

Exam trap

The trap here is that candidates often confuse port security with 802.1X, thinking that locking MAC addresses via sticky MAC provides user-based authentication, but it only controls device identity, not user credentials, and fails to meet the requirement for domain credential authentication.

How to eliminate wrong answers

Option A is wrong because MAC filtering only checks the MAC address of the connecting device, which can be easily spoofed and does not authenticate the user with domain credentials; it also does not prevent unauthorized personal devices if their MAC is cloned. Option C is wrong because port security with sticky MAC dynamically learns and locks MAC addresses to a port, but it only controls which MAC addresses are allowed based on the device, not user authentication via domain credentials, and it can be bypassed by spoofing a learned MAC.

334
MCQ (medium)

A network administrator is deploying a new PoE security camera. The camera is connected to a PoE-enabled switch port, but the camera does not power on. The administrator confirms the switch port has PoE enabled and the cable is tested and functional. What is the most likely cause?

A. The cable is a crossover cable.
B. The camera requires 802.3bt (PoE++), but the switch only supports 802.3af (PoE).
C. The port is configured as an access port.
D. The camera is using a passive PoE injector.
Answer: B

The power output of 802.3af may be insufficient for a camera that needs the higher power of 802.3bt.

Why this answer

The camera requires 802.3bt (PoE++) which can deliver up to 60W or 90W, but the switch only supports 802.3af (PoE) which provides a maximum of 15.4W per port. Since the camera's power demand exceeds the switch's capability, the camera will not power on even though PoE is enabled and the cable is functional.

Exam trap

The trap here is that candidates often assume any PoE switch will power any PoE device, overlooking the critical power budget differences between 802.3af, 802.3at, and 802.3bt standards.

How to eliminate wrong answers

Option A is wrong because a crossover cable is used for connecting similar devices (e.g., switch to switch) and does not affect PoE power delivery; PoE works over both straight-through and crossover cables as long as the pairs are intact. Option C is wrong because configuring a port as an access port does not disable PoE; PoE operates independently of VLAN membership and port mode, so an access port still delivers power if PoE is enabled.

335
Matching (medium)

Match each cable type to its maximum segment length (Ethernet).


Concepts
Matches

100 meters

100 meters (55 meters for 10GBASE-T)

Up to 550 meters (depending on standard)

Up to 40 km or more

Why these pairings

These are typical maximum distances for common cabling.

336
MCQ (hard)

A company wants to deploy a wireless network for employee devices using the highest security standard. The network will use a RADIUS server for authentication. Which authentication method should be configured?

A. WPA3-SAE
B. 802.1X/EAP
C. WPA2-PSK
D. WEP with RADIUS
Answer: B

802.1X/EAP provides centralized authentication using a RADIUS server, supporting various EAP methods (e.g., EAP-TLS, PEAP) for strong, per-user security.

Why this answer

B is correct because 802.1X/EAP is the only option that provides enterprise-grade authentication using a RADIUS server. It requires each user to present unique credentials (e.g., username/password or certificate), which are verified by the RADIUS server before granting network access. This meets the requirement for the highest security standard in a corporate environment.

Exam trap

The trap here is that candidates confuse WPA3-SAE (which is indeed more secure than WPA2-PSK) with enterprise authentication, but SAE still uses a shared passphrase and cannot integrate with a RADIUS server for per-user authentication.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE (Simultaneous Authentication of Equals) is a personal/PSK mode designed for home or small networks; it uses a pre-shared passphrase rather than per-user authentication via a RADIUS server. Option C is wrong because WPA2-PSK also relies on a single pre-shared key for all devices, lacks individual user authentication, and is vulnerable to dictionary attacks and key compromise, making it unsuitable for enterprise security requirements.

337
MCQ (medium)

A security auditor recommends implementing a solution that authenticates users and devices before granting network access, regardless of the physical port they connect to. Which technology should be deployed?

A. Port security
B. 802.1X
C. VLAN hopping
D. DHCP snooping
Answer: B

802.1X provides port-based authentication using EAP and requires credentials from the device or user.

Why this answer

802.1X is the correct technology because it provides port-based network access control (PNAC) that authenticates users and devices before granting network access, regardless of the physical port they connect to. It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to communicate with a RADIUS server, ensuring that only authenticated endpoints are allowed on the network. This meets the auditor's requirement for authentication at the port level, independent of the switch port used.

Exam trap

The trap here is that candidates often confuse port security with 802.1X because both control port access, but port security only filters by MAC address and does not provide user authentication or integration with a central authentication server, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because port security is a Layer 2 feature that restricts access based on MAC addresses, not user or device authentication; it can be bypassed by MAC spoofing and does not integrate with a central authentication server like RADIUS. Option C is wrong because VLAN hopping is an attack technique used to gain unauthorized access to VLANs, not a security solution for authenticating users and devices before network access.

338
MCQ (medium)

A technician is troubleshooting a connectivity issue. The technician can successfully ping the IP address of a web server (10.10.10.10) from a client, but the client cannot access the web page. Firewall rules allow HTTP traffic. At which OSI layer is the issue most likely occurring?

A. Application layer (Layer 7)
B. Session layer (Layer 5)
C. Transport layer (Layer 4)
D. Network layer (Layer 3)
Answer: A

Correct. The web service (HTTP) is an Application layer protocol. If the service is not running or misconfigured, the client cannot access the web page despite lower-layer connectivity.

Why this answer

Since the client can successfully ping the web server's IP address (10.10.10.10), Layer 3 (Network) and Layer 4 (Transport) connectivity is verified, as ICMP operates at Layer 3 and uses IP. The failure to access the web page despite firewall rules allowing HTTP traffic points to an issue at Layer 7 (Application), such as a misconfigured web server (e.g., HTTP 404, incorrect document root), a missing or incorrect Host header in the HTTP request, or an application-layer proxy or authentication problem that prevents the HTTP transaction from completing.

Exam trap

The trap here is that candidates assume that because ping works and firewall rules allow HTTP, the issue must be at the Transport layer (e.g., a blocked port), but the question specifically states the firewall allows HTTP, so the failure is at the Application layer where the web server fails to serve the page correctly.

How to eliminate wrong answers

Option B (Session layer, Layer 5) is wrong because the Session layer manages dialog control and synchronization between applications (e.g., establishing, maintaining, and terminating sessions), but HTTP typically relies on TCP for session management, and the ability to ping and have firewall rules allow HTTP indicates that session establishment is not the bottleneck; the issue is higher up in the application protocol itself. Option C (Transport layer, Layer 4) is wrong because successful ping confirms that IP (Layer 3) and ICMP (Layer 3/4) are working, and firewall rules explicitly allow HTTP (TCP port 80), so there is no transport-layer blockage; the problem lies in how the application processes the HTTP request, not in TCP connection setup or port filtering.

339
MCQ (easy)

A network administrator needs to ensure that data sent from a host arrives at the correct destination on a different network. Which of the following provides the logical address used for this purpose in IPv4?

A. MAC address
B. IP address
C. Port number
D. Default gateway
Answer: B

IP addresses are hierarchical and routable, allowing packets to be forwarded across multiple networks to the destination.

Why this answer

In IPv4, the logical address used to route data between different networks is the IP address. The IP address contains a network portion that routers use to forward packets across network boundaries, ensuring the data reaches the correct destination network and host.

Exam trap

Cisco often tests the distinction between Layer 2 (MAC) and Layer 3 (IP) addressing, trapping candidates who confuse local delivery with inter-network routing.

How to eliminate wrong answers

Option A is wrong because a MAC address is a hardware address used for local delivery within the same network segment (Layer 2), not for routing between different networks. Option C is wrong because a port number identifies a specific application or service on a host (Layer 4), not the destination network or host for inter-network communication.

340
MCQhard

During a security audit, a consultant discovers that encrypted traffic between a client and a web server is being decrypted and re-encrypted by an intermediate device on the network path. Which type of attack best describes this scenario?

A.ARP poisoning
B.SSL stripping
C.Man-in-the-middle
D.Rogue DHCP
AnswerC

An MITM attack intercepts traffic between two endpoints, often using a proxy to decrypt and re-encrypt, allowing the attacker to read or modify the data without the parties realizing.

Why this answer

Option C is correct because the scenario describes a classic man-in-the-middle (MITM) attack where an intermediary intercepts, decrypts, and re-encrypts traffic between the client and server. This allows the attacker to read or modify the data while both endpoints believe they have a secure TLS session. The key indicator is the decryption and re-encryption step, which is the hallmark of an active MITM proxy.

Exam trap

The trap here is that candidates confuse the method (e.g., ARP poisoning) with the attack type (MITM), or they mistake SSL stripping for any interception of encrypted traffic, not realizing that SSL stripping removes encryption entirely rather than re-encrypting it.

How to eliminate wrong answers

Option A is wrong because ARP poisoning is a specific technique used to redirect traffic on a local network by spoofing ARP replies, but it does not inherently involve decrypting and re-encrypting encrypted traffic; it is a method to achieve a MITM position, not the attack itself. Option B is wrong because SSL stripping downgrades a secure HTTPS connection to plain HTTP by preventing the initial TLS handshake, but the scenario explicitly states that encrypted traffic is being decrypted and re-encrypted, meaning TLS is still in use, just intercepted; SSL stripping would result in unencrypted traffic, not re-encrypted.

341
Matchingmedium

Match each IEEE 802.3 standard to its description.


Concepts

Power over Ethernet (PoE) providing up to 15.4W

PoE+ providing up to 30W

PoE++ providing up to 60W or 100W

1000BASE-T (Gigabit Ethernet over copper)

Why these pairings

These are key IEEE 802.3 Ethernet standards.

342
MCQmedium

A network administrator connects a new access switch to the core switch via a trunk port. Both switches have the same VLAN database, and the trunk is configured to allow all VLANs. However, hosts on VLAN 10 connected to the new access switch cannot communicate with hosts on VLAN 10 on the core switch. The administrator verifies that the access ports for VLAN 10 are correctly configured and that the trunk link status is up/up. Which of the following is the most likely cause?

A.The trunk port is in an err-disabled state.
B.The native VLAN on the trunk port is different on the two switches.
C.The switchport mode is not set to trunk on one side.
D.The spanning-tree protocol is blocking VLAN 10 on the trunk.
AnswerB

A native VLAN mismatch can cause untagged frames to be placed into different VLANs on each switch. This can prevent communication even if the allowed VLAN list is correct. The administrator should verify that the native VLAN is the same on both ends.

Why this answer

When the native VLAN (typically VLAN 1 by default) is mismatched on a trunk link, the switches will not properly tag frames for that VLAN. Since VLAN 10 is not the native VLAN, a native VLAN mismatch does not directly block VLAN 10 traffic; however, the scenario states that both switches have the same VLAN database and the trunk allows all VLANs, so the most likely cause is a native VLAN mismatch that can cause control plane issues or miscommunication. In practice, a native VLAN mismatch can lead to VLAN 10 hosts being unable to communicate because the switches may place the native VLAN frames into different VLANs, disrupting Layer 2 connectivity for all VLANs including VLAN 10.

Exam trap

The trap here is that candidates often assume a native VLAN mismatch only affects the native VLAN itself, but it actually disrupts Layer 2 communication for all VLANs because the switches misclassify untagged frames and can cause spanning-tree inconsistencies.

How to eliminate wrong answers

Option A is wrong because an err-disabled state would cause the trunk port to show as down/down or err-disabled, not up/up as verified by the administrator. Option C is wrong because if the switchport mode were not set to trunk on one side, the trunk link would not be up/up; it would likely be in a dynamic desirable/auto mismatch state or show as an access port, and the administrator has already verified the trunk link status is up/up.

343
MCQeasy

A user reports that they cannot access the internet, but they can access local resources on the same subnet. The network administrator pings the default gateway and gets a response. Which tool should be used next to trace the path to an external website?

A.netstat
B.traceroute
C.nslookup
D.arp
AnswerB

Traceroute (tracert on Windows) sends packets with increasing TTL values to map the route to a destination. It can show where packets stop or time out, helping identify the point of failure.

Why this answer

B is correct because traceroute (tracert on Windows) is the appropriate tool to identify where packets are being dropped or delayed along the path from the local host to an external website. Since the user can access local resources and the default gateway responds to pings, the issue likely lies beyond the gateway, and traceroute will reveal the hop where connectivity fails.

Exam trap

Cisco often tests the misconception that a successful ping to the default gateway guarantees internet connectivity, but the trap here is that the problem may be at a subsequent hop, and traceroute is the correct tool to isolate that hop.

How to eliminate wrong answers

Option A is wrong because netstat displays active network connections, listening ports, and routing tables on the local host; it does not trace the path to an external destination. Option C is wrong because nslookup is used to query DNS servers to resolve domain names to IP addresses; it does not test the network path or routing between the host and an external website.

344
MCQmedium

A network technician is troubleshooting a user's inability to connect to the network. The switch port is configured with port security with the default maximum of one MAC address. The user connects a computer and a VoIP phone to the port using the phone's built-in switch. Which of the following will MOST likely occur?

A.The port will go into errdisable state
B.The phone will work but the computer will not
C.Both devices will work because the phone uses a different MAC
D.The switch will allow only the first learned MAC and block the second
AnswerA

The second MAC address triggers a port security violation, causing the port to be disabled.

Why this answer

With the default port security configuration, the switch port allows only one MAC address. When the VoIP phone connects, its own MAC address is learned first. The computer then connects through the phone's built-in switch, presenting a second MAC address, which violates the security policy.

This triggers a security violation, and by default the port is placed into the errdisable state.

Exam trap

The trap here is that candidates assume the VoIP phone's built-in switch somehow bypasses port security or that the phone and computer share a single MAC, when in fact each device has its own unique MAC address and the switch enforces the limit per port regardless of device type.

How to eliminate wrong answers

Option B is wrong because if the port goes into errdisable state due to the violation, neither the phone nor the computer will work; the entire port is disabled. Option C is wrong because while the phone does use a different MAC, the switch does not differentiate between device types—it enforces the MAC address limit strictly, so both devices cannot coexist on a single port with a limit of one MAC address.

345
MCQeasy

A network engineer needs to transfer a large database file from one server to another across a WAN link. The transfer must be reliable and guarantee that the data arrives without errors. Which transport layer protocol should the engineer use?

A.UDP
B.IP
C.TCP
D.ICMP
AnswerC

TCP provides reliable, ordered delivery of data with error checking and retransmission. It is the correct choice for file transfers where data integrity is critical.

Why this answer

TCP (Transmission Control Protocol) is the correct choice because it provides reliable, connection-oriented data transfer with error checking, retransmission of lost packets, and in-order delivery. For a large database file transfer across a WAN link, TCP ensures the data arrives completely and without errors, which is essential for database integrity.

Exam trap

The trap here is that candidates often confuse UDP with reliability because they associate it with 'fast' transfers, but Cisco tests the fundamental distinction that only TCP provides guaranteed, error-free delivery at the transport layer.

How to eliminate wrong answers

Option A is wrong because UDP (User Datagram Protocol) is a connectionless, unreliable protocol that does not guarantee delivery, order, or error recovery; it is suitable for real-time applications like streaming or VoIP where occasional packet loss is acceptable. Option B is wrong because IP (Internet Protocol) operates at the network layer (Layer 3), not the transport layer; it handles addressing and routing but provides no reliability or error checking for the data payload.

346
MCQhard

An attacker is eavesdropping on network traffic to capture sensitive data sent over an unencrypted HTTP connection. Which technology should be implemented to protect data in transit between clients and web servers?

A.SSL/TLS
B.IPSec
C.SSH
D.SNMPv3
AnswerA

SSL/TLS is the standard for encrypting web traffic (HTTPS).

Why this answer

SSL/TLS (Secure Sockets Layer/Transport Layer Security) operates at the application layer to encrypt HTTP traffic, creating HTTPS. This ensures that data transmitted between clients and web servers is encrypted, preventing eavesdroppers from reading sensitive information like passwords or credit card numbers. TLS is the standard protocol for securing HTTP communications, as defined in RFC 8446.

Exam trap

CompTIA often tests the distinction between encryption protocols by layering (e.g., IPSec at Layer 3 vs. TLS at Layer 4/Application), causing candidates to pick IPSec because it is a well-known security protocol, even though it does not directly protect HTTP traffic.

How to eliminate wrong answers

Option B is wrong because IPSec operates at the network layer (Layer 3) and is designed to secure IP packets between hosts or networks, not specifically for HTTP traffic between clients and web servers; it would require complex configuration and does not integrate natively with web browsers. Option C is wrong because SSH (Secure Shell) is used for secure remote login and command execution, typically over TCP port 22, and does not protect HTTP traffic; it can tunnel other protocols but is not the standard for web traffic encryption. Option D is wrong because SNMPv3 provides authentication and encryption for network management traffic (Simple Network Management Protocol), not for HTTP sessions between clients and web servers.

347
MCQeasy

A network administrator is implementing a change management process. Which of the following is the PRIMARY benefit of following this process?

A.It reduces the cost of implementing new hardware
B.It ensures that all network changes are automated
C.It minimizes the impact of changes on network operations and reduces errors
D.It documents the network topology for future reference
AnswerC

The core goal of change management is to manage changes in a controlled manner to prevent outages and errors.

Why this answer

The primary benefit of a change management process is to minimize the impact of changes on network operations and reduce errors. By requiring documented planning, approval, and rollback procedures, change management ensures that modifications are reviewed and tested before implementation, which directly reduces the risk of misconfigurations and unplanned outages.

Exam trap

The trap here is that candidates confuse the procedural benefit of reducing errors with cost savings or automation, but the CompTIA N10-009 exam specifically tests that change management's core purpose is operational stability and risk mitigation, not financial or automation outcomes.

How to eliminate wrong answers

Option A is wrong because change management does not directly reduce hardware costs; it focuses on procedural control, not procurement savings. Option B is wrong because change management does not mandate automation; it is a procedural framework that can be applied to both manual and automated changes, and automation is a separate operational goal.

348
MCQmedium

A network technician is explaining the concept of encapsulation to a junior technician. At which OSI layer does a packet get encapsulated with a source and destination IP address?

A.Layer 2
B.Layer 3
C.Layer 4
D.Layer 1
AnswerB

The network layer (Layer 3) adds the IP header containing source and destination IP addresses. This is where logical addressing occurs, enabling routing across networks.

Why this answer

At Layer 3 (the Network layer), the packet is encapsulated with a source and destination IP address. This is defined by the Internet Protocol (IP), which handles logical addressing and routing across networks. The IP header is added to the payload from the upper layers, creating a packet that can be forwarded by routers.

Exam trap

The trap here is that candidates often confuse Layer 2 MAC addressing with Layer 3 IP addressing, mistakenly thinking the packet is encapsulated with IP addresses at the Data Link layer, but encapsulation with IP addresses occurs strictly at the Network layer.

How to eliminate wrong answers

Option A is wrong because Layer 2 (Data Link layer) encapsulates frames with MAC addresses, not IP addresses, using protocols like Ethernet or PPP. Option C is wrong because Layer 4 (Transport layer) encapsulates segments with port numbers and sequence numbers (e.g., TCP or UDP headers), not IP addresses. Option D is wrong because Layer 1 (Physical layer) deals with raw bit transmission over media, such as electrical signals or light pulses, and does not perform encapsulation.

349
Drag & Dropmedium

Drag and drop the steps to configure a firewall rule allowing inbound HTTPS traffic to a web server into the correct order.



Why this order

Firewall rules require defining protocol, port, and direction.

350
MCQeasy

A user reports that they cannot access any network resources. The technician checks the IP configuration on the workstation and sees an IP address of 169.254.10.55 with a subnet mask of 255.255.0.0. Which of the following should the technician check NEXT?

A.Configure a static IP address on the workstation
B.Verify that the DHCP server is available and reachable
C.Check the DNS server configuration on the workstation
D.Replace the network cable
AnswerB

APIPA occurs when DHCP is unavailable. Checking the DHCP server is the correct next step, as it addresses the root cause of the failure to obtain an IP lease.

Why this answer

The IP address 169.254.10.55 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which Windows assigns when a DHCP server is unreachable. The next logical step is to verify that the DHCP server is available and reachable, as this directly addresses the root cause of the failed DHCP lease acquisition.

Exam trap

Cisco often tests the misconception that a 169.254.x.x address indicates a DNS or static IP issue, when in fact it specifically points to DHCP server unreachability as the primary cause.

How to eliminate wrong answers

Option A is wrong because configuring a static IP address is a workaround, not a troubleshooting step; the technician should first determine why DHCP failed before manually assigning an address. Option C is wrong because DNS configuration is irrelevant when the workstation has not obtained a valid IP address from DHCP; DNS queries cannot function without a routable IP address and default gateway.

351
MCQeasy

Which of the following IPv6 addresses is a link-local address?

A.2001:db8::1
B.fe80::1
C.ff02::1
D.2000::/3
AnswerB

Addresses starting with fe80: are link-local and are used for communication on the same link (e.g., Neighbor Discovery).

Why this answer

Option B (fe80::1) is correct because IPv6 link-local addresses always begin with the prefix fe80::/10, as defined in RFC 4291. These addresses are automatically assigned to every IPv6-enabled interface and are only valid on a single link (subnet), never routed. The address fe80::1 is a common example of a link-local address.

Exam trap

Cisco often tests the distinction between the link-local prefix (fe80::/10) and the multicast prefix (ff00::/8), so candidates may confuse ff02::1 (all-nodes multicast) with a link-local unicast address.

How to eliminate wrong answers

Option A is wrong because 2001:db8::1 is a global unicast address from the documentation prefix (2001:db8::/32) reserved for examples and documentation, not a link-local address. Option C is wrong because ff02::1 is a multicast address (prefix ff00::/8), specifically the all-nodes link-local multicast group, not a unicast link-local address.

352
MCQmedium

A network administrator needs to identify which application protocols are consuming the most bandwidth on the company WAN link. Which of the following tools should the administrator use?

A.NetFlow analyzer
B.Packet sniffer (e.g., tcpdump)
C.Port scanner (e.g., Nmap)
D.Bandwidth speed test
AnswerA

NetFlow collects flow records that show application-level details such as protocol and port numbers, enabling bandwidth usage analysis per application.

Why this answer

A NetFlow analyzer is the correct tool because it collects flow-level metadata (e.g., source/destination IPs, ports, protocol, and byte counts) from routers or switches, enabling the administrator to identify which application protocols (via port/protocol analysis) are consuming the most bandwidth over time. Unlike packet-level tools, NetFlow provides aggregated traffic statistics without storing full packet payloads, making it efficient for long-term WAN bandwidth monitoring.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and packet-level analysis (sniffers), trapping candidates who think a packet sniffer is the best tool for long-term bandwidth usage by application, when in fact it is too resource-intensive and lacks built-in aggregation for that purpose.

How to eliminate wrong answers

Option B (Packet sniffer, e.g., tcpdump) is wrong because it captures full packet payloads in real time, which is impractical for sustained WAN link analysis due to high storage and processing overhead, and it does not natively aggregate bandwidth usage by application protocol. Option C (Port scanner, e.g., Nmap) is wrong because it is designed to probe for open ports and services on hosts, not to measure ongoing bandwidth consumption or application protocol usage on a network link.

353
MCQmedium

A network engineer is deploying 802.1X authentication for a wireless network. The security policy requires mutual authentication between the client and the network using certificates on both ends. Which EAP method should the engineer select?

A.EAP-MD5
B.EAP-TLS
C.PEAP
D.EAP-FAST
AnswerB

EAP-TLS uses certificates on both the server and client, providing strong mutual authentication.

Why this answer

EAP-TLS (Transport Layer Security) is the correct choice because it provides mutual authentication using certificates on both the client and the server, satisfying the security policy requirement. Unlike other EAP methods, EAP-TLS requires a PKI with certificates installed on both endpoints, ensuring that each side validates the other's identity before establishing the connection.

Exam trap

CompTIA often tests the distinction between EAP methods that use certificates on both ends versus those that use certificates only on the server side, leading candidates to mistakenly choose PEAP or EAP-FAST when the question explicitly requires mutual certificate authentication.

How to eliminate wrong answers

Option A (EAP-MD5) is wrong because it only provides one-way authentication (server to client) using a simple MD5 hash challenge, does not support mutual authentication, and is vulnerable to dictionary attacks. Option C (PEAP) is wrong because although it creates a TLS tunnel for server-side certificate authentication, it typically authenticates the client via inner methods like MSCHAPv2 or GTC, not with a client certificate, so it does not meet the mutual certificate requirement. Option D (EAP-FAST) is wrong because it uses a Protected Access Credential (PAC) for authentication rather than certificates on both ends, and while it can support mutual authentication, it does not inherently require client certificates as specified in the policy.

354
MCQmedium

A network administrator wants to collect and analyze logs from multiple network devices in a central location. Which of the following protocols should be used?

A.SNMP
B.Syslog
C.SMTP
D.FTP
AnswerB

Syslog is a protocol specifically for transporting log messages over IP networks. It allows devices to send logs to a centralized server for storage and analysis.

Why this answer

Syslog is the correct protocol because it is specifically designed for centralized log collection and analysis from network devices. It uses UDP port 514 (or TCP 6514 for reliable delivery) to send event messages from routers, switches, and firewalls to a central syslog server, enabling administrators to aggregate and review logs for troubleshooting and security monitoring.

Exam trap

The trap here is that candidates confuse SNMP traps (which are unsolicited alerts about device conditions) with syslog messages, but SNMP traps are for specific events like link up/down, not for general log collection, while syslog is the standard for aggregating all log entries.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing device status and performance metrics via MIBs and OIDs, not for collecting and analyzing log messages; it polls for data like CPU load or interface errors, not event logs. Option C is wrong because SMTP (Simple Mail Transfer Protocol) is used for sending email messages between mail servers, not for centralized log collection from network devices; it lacks the structured log format and transport mechanisms needed for syslog aggregation.

355
MCQmedium

A network administrator wants to segment the network into multiple virtual LANs to reduce broadcast traffic. Which device is required to route traffic between these VLANs?

A.Layer 2 switch
B.Router or Layer 3 switch
C.Bridge
D.Hub
AnswerB

Both routers and Layer 3 switches can route traffic between VLANs by processing IP packets.

Why this answer

VLANs operate at Layer 2, isolating broadcast domains. To route traffic between different VLANs, a device that can forward packets based on Layer 3 IP addresses is required. A router or a Layer 3 switch (which performs hardware-based routing using ASICs) provides the necessary inter-VLAN routing functionality.

Exam trap

CompTIA often tests the misconception that a Layer 2 switch alone can route between VLANs if it supports VLAN tagging (802.1Q), but the switch must have Layer 3 routing capabilities (either as a Layer 3 switch or with an external router) to actually forward traffic between VLANs.

How to eliminate wrong answers

Option A is wrong because a Layer 2 switch forwards frames based on MAC addresses and cannot perform IP routing; it would require an external router or a Layer 3 switch to route between VLANs. Option C is wrong because a bridge operates at Layer 2, connecting two network segments and forwarding frames based on MAC addresses, with no capability for IP routing between VLANs. Option D is wrong because a hub is a physical-layer device that simply repeats electrical signals on all ports, offering no segmentation or routing capabilities at all.

356
MCQmedium

A company wants to prevent unauthorized devices from connecting to the wired network by authenticating users or devices before granting network access. Which of the following technologies should be implemented on the switch ports to achieve this?

A.802.1X
B.Port security with MAC address sticky
C.Access control lists (ACLs)
D.DHCP snooping
AnswerA

802.1X provides port-based authentication, blocking access until credentials are verified.

Why this answer

802.1X is an IEEE standard (802.1X-2020) for port-based Network Access Control (NAC). It authenticates users or devices via EAP (Extensible Authentication Protocol) before the switch port transitions from the unauthorized (blocking) state to the authorized (forwarding) state, effectively preventing unauthorized devices from accessing the wired network.

Exam trap

CompTIA often tests the misconception that port security with sticky MAC addresses provides authentication, but it only restricts MAC addresses and does not verify user identity or credentials, making it a layer-2 control, not an authentication mechanism.

How to eliminate wrong answers

Option B is wrong because port security with MAC address sticky only learns and restricts MAC addresses on a port; it does not authenticate users or devices via credentials or certificates, and can be bypassed by MAC spoofing. Option C is wrong because ACLs filter traffic based on IP addresses, ports, or protocols after a device is already connected; they do not authenticate or prevent initial connection to the switch port. Option D is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages to prevent rogue DHCP servers, but it does not authenticate or block unauthorized devices from connecting to the port.

357
MCQmedium

A network technician is troubleshooting intermittent internet access for a single user. The user’s workstation can ping the default gateway consistently, but web pages fail to load intermittently. Which of the following should the technician check NEXT?

A.DNS server configuration
B.DHCP lease time
C.Switch port speed and duplex settings
D.Firewall rules blocking ICMP
AnswerA

Correct. DNS is responsible for resolving domain names to IP addresses. If DNS is intermittent, web pages will fail to load while other IP-based connectivity (like pinging the gateway) works.

Why this answer

The user can ping the default gateway consistently, indicating Layer 3 connectivity to the local network is intact. However, intermittent web page failures suggest a name resolution issue, as DNS translates domain names to IP addresses. If the DNS server is misconfigured, unreachable, or returning stale records, the browser will fail to load pages even though basic IP connectivity works.

Checking DNS server configuration is the logical next step because it directly addresses the symptom of name resolution failures.

Exam trap

Cisco often tests the distinction between Layer 3 reachability (ping success) and application-layer failures (web browsing), leading candidates to incorrectly focus on DHCP or switch port settings instead of DNS.

How to eliminate wrong answers

Option B is wrong because DHCP lease time affects IP address assignment and renewal, but the user can consistently ping the gateway, proving they have a valid IP address and lease; intermittent web failures are not caused by lease timing. Option C is wrong because switch port speed and duplex mismatches typically cause packet loss, CRC errors, or complete connectivity loss, not intermittent name resolution failures; the user's consistent ping success rules out a duplex mismatch or speed negotiation issue.

358
MCQmedium

A network administrator is configuring a trunk port between two switches. Both switches have been set with native VLAN 99. However, traffic from some VLANs is not passing over the trunk. What should the administrator verify?

A.The VTP domain name matches on both switches.
B.The allowed VLAN list on the trunk port.
C.The speed and duplex settings are identical.
D.The spanning tree protocol is disabled.
AnswerB

By default, trunk ports allow all VLANs, but administrators sometimes restrict the allowed VLAN list. If a VLAN is not in the allowed list, its traffic will not pass.

Why this answer

The trunk port's allowed VLAN list explicitly controls which VLANs are permitted to traverse the link. Even when both switches agree on the native VLAN (99), if a particular VLAN is not included in the allowed list on either side, its traffic will be dropped. This is a common misconfiguration that prevents specific VLAN traffic from passing over the trunk.

Exam trap

Cisco often tests the misconception that native VLAN mismatch is the only cause of trunk issues, but here the native VLAN matches, so candidates might overlook the allowed VLAN list as the root cause.

How to eliminate wrong answers

Option A is wrong because VTP (VLAN Trunking Protocol) domain name matching is only required if VTP is used to synchronize VLAN databases, but trunk operation itself does not depend on VTP; the question describes a scenario where VLANs exist on both switches, so VTP is irrelevant. Option C is wrong because speed and duplex mismatches would cause link-level errors or the port to not come up at all, not selectively block traffic from some VLANs while allowing others.

359
MCQmedium

A network engineer plans to change the routing protocol configuration on a core router that will affect all branch connectivity. According to change management best practices, which step should the engineer perform BEFORE implementing the change?

A.Implement the change during business hours to ensure staff availability
B.Create a detailed rollback plan
C.Notify all users after the change is complete
D.Test the change directly on the production router
AnswerB

A rollback plan ensures that the change can be safely reversed if something goes wrong, a key part of change management.

Why this answer

Creating a detailed rollback plan is a fundamental change management best practice because it ensures that if the routing protocol reconfiguration (e.g., switching from EIGRP to OSPF or modifying redistribution) causes connectivity loss to all branches, the engineer can revert to the previous configuration quickly and safely. Without a rollback plan, a failed change could result in prolonged network downtime while troubleshooting from scratch, violating the principle of minimizing business impact. This step is performed before implementation to predefine the exact commands or backup configuration needed to restore the original routing state.

Exam trap

The trap here is that candidates may confuse 'notify users after the change' with a valid communication step, but change management requires prior notification and approval, not post-change notification.

How to eliminate wrong answers

Option A is wrong because implementing the change during business hours increases the risk of disrupting production traffic; change management best practices typically schedule changes during maintenance windows to minimize user impact. Option C is wrong because notifying users after the change is complete violates the change management principle of proactive communication; users and stakeholders should be notified before the change to set expectations and allow for contingency planning.

360
MCQmedium

Which of the following is a characteristic of UDP when compared to TCP?

A.UDP uses sequence numbers for ordering
B.UDP provides reliable data delivery
C.UDP has lower overhead due to minimal header
D.UDP requires a three-way handshake to establish a connection
AnswerC

Correct. UDP has an 8-byte header, whereas the TCP header is at least 20 bytes (more with options), and UDP performs no connection setup, resulting in lower overhead.

Why this answer

UDP (User Datagram Protocol) has a fixed 8-byte header (source port, destination port, length, checksum) compared to TCP's minimum 20-byte header, resulting in lower overhead and faster transmission. Unlike TCP, UDP does not provide reliability, flow control, or error recovery, making it ideal for real-time applications like VoIP or video streaming where speed is prioritized over guaranteed delivery.

Exam trap

The trap here is that candidates often confuse UDP's lack of reliability with it being 'unusable' or 'broken,' but the exam tests that UDP's lower overhead is a deliberate design choice for performance-sensitive applications where occasional packet loss is acceptable.

How to eliminate wrong answers

Option A is wrong because UDP does not use sequence numbers; sequence numbers are a TCP feature used for ordering and reassembly of segments. Option B is wrong because UDP is connectionless and does not provide reliable data delivery; reliability is a TCP characteristic achieved through acknowledgments and retransmissions. Option D is wrong because UDP does not require a three-way handshake; the three-way handshake is a TCP mechanism used to establish a connection before data transfer.

361
MCQmedium

A network administrator is configuring a firewall to allow external users to securely access an internal web server. Which security technique should be used to place the web server in a separate, isolated network segment that is still accessible from the internet?

A.VLAN
B.DMZ
C.VPN
D.NAT
AnswerB

A DMZ is specifically designed to host public-facing services while isolating them from the internal network.

Why this answer

A DMZ (demilitarized zone) is a separate, isolated network segment that exposes internal services, such as a web server, to external users while keeping the internal LAN secure. By placing the web server in the DMZ, the firewall can allow inbound traffic from the internet to the DMZ while blocking direct access to the internal network, enforcing strict access control policies.

Exam trap

The trap here is that candidates often confuse VLANs with security isolation, assuming a VLAN alone provides the same protection as a DMZ, but VLANs lack the firewall-enforced access controls and segmentation from the internet that a DMZ requires.

How to eliminate wrong answers

Option A is wrong because a VLAN segments traffic at Layer 2 but does not inherently provide security isolation from the internet; a VLAN alone cannot control inbound access or protect the internal network from external threats. Option C is wrong because a VPN creates an encrypted tunnel for remote users to access the internal network, but it does not place the web server in an isolated segment; instead, it extends the internal network, which would expose internal resources to external users. Option D is wrong because NAT translates private IP addresses to public ones but does not create an isolated network segment; it only hides internal addresses and does not provide the security boundary that a DMZ offers.

362
MCQhard

A security analyst is investigating a network anomaly. The analyst notices that the company's web server is receiving a large number of TCP SYN packets from random source IP addresses, all destined for port 80. The web server is responding with SYN-ACK packets, but the connections are never completed. This is causing the server's connection table to fill up, degrading performance for legitimate users. Which type of attack is being described?

A.Ping of death
B.Smurf attack
C.SYN flood
D.DNS amplification
AnswerC

A SYN flood sends many TCP SYN packets with spoofed IPs, never completing the handshake, exhausting server resources. This matches the description.

Why this answer

The attack described is a SYN flood, a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake. The attacker sends a high volume of TCP SYN packets with spoofed source IP addresses to the server's port 80. The server responds with a SYN-ACK to each spoofed source and waits for the final ACK, which never arrives, so the server's half-open connection table (the SYN backlog queue) fills up and exhausts resources, degrading performance for legitimate users. Common mitigations are SYN cookies (the server encodes the connection state in its initial sequence number and allocates nothing until the final ACK arrives), a larger backlog with a shorter SYN-RECEIVED timeout, and rate limiting upstream of the server.

Exam trap

The trap here is that candidates confuse a SYN flood with a Smurf attack or DNS amplification because all three are volumetric DoS attacks, but the key differentiator is the protocol and mechanism: SYN flood uses TCP SYN packets targeting the three-way handshake, while Smurf uses ICMP and DNS amplification uses UDP.

How to eliminate wrong answers

Option A is wrong because a Ping of Death attack involves sending an oversized or malformed ICMP packet that causes a buffer overflow on the target system, not a flood of TCP SYN packets. Option B is wrong because a Smurf attack uses ICMP echo requests sent to a network's broadcast address with a spoofed source IP, causing all hosts on that network to reply to the victim, overwhelming it with ICMP traffic, not TCP SYN packets. Option D is wrong because a DNS amplification attack leverages open DNS resolvers to send large DNS response traffic to a victim by sending small queries with a spoofed source IP, typically over UDP, not TCP SYN packets to port 80.

363
MCQeasy

A network technician notices a high volume of broadcast traffic on a flat network. Which device will best reduce the size of the broadcast domain?

A.Hub
B.Switch
C.Router
D.Bridge
AnswerC

Routers operate at Layer 3 and do not forward broadcasts by default. By creating separate subnets and using a router, broadcast traffic is confined to each subnet.

Why this answer

A router is the correct choice because it operates at Layer 3 and uses IP subnetting to segment a network into separate broadcast domains. By default, routers do not forward broadcasts between interfaces: Layer 2 broadcasts such as ARP requests (destination MAC FF:FF:FF:FF:FF:FF) and limited broadcasts such as DHCP Discover messages sent to 255.255.255.255 stop at the router interface, and subnet-directed broadcasts are forwarded only if explicitly enabled. Each router interface therefore bounds a broadcast domain.

Exam trap

The trap here is that candidates often confuse broadcast domains with collision domains, incorrectly assuming that a switch reduces broadcast domains because it reduces collision domains. A switch segments collision domains per port but leaves the broadcast domain intact unless it is configured with VLANs, each of which is its own broadcast domain; the question's flat network has none.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 and simply repeats electrical signals out all ports, creating a single collision domain and a single broadcast domain—it cannot reduce broadcast traffic. Option B is wrong because a switch operates at Layer 2 and, while it segments collision domains per port, it still forwards broadcast frames (destination MAC FF:FF:FF:FF:FF:FF) out all ports within the same VLAN, so it does not reduce the size of the broadcast domain.

364
MCQmedium

A network administrator wants to centrally collect and analyze event logs from routers, switches, and firewalls. Which protocol is most commonly used for sending log messages from network devices to a central log server?

A.SNMP
B.Syslog
C.NetFlow
D.ICMP
AnswerB

Syslog is the de facto standard for logging messages from network devices. It allows administrators to forward logs to a central server for analysis and archiving.

Why this answer

Syslog (RFC 5424) is the standard protocol for sending event messages from network devices like routers, switches, and firewalls to a central log server. It uses UDP port 514 by default and provides a structured format with facility codes and severity levels, enabling centralized collection and analysis of logs. This makes it the most commonly used protocol for this purpose. Note that syslog over UDP 514 is cleartext and unauthenticated: messages can be lost silently or spoofed by anyone who can reach the collector, so production deployments should prefer syslog over TLS (RFC 5425, TCP port 6514) and restrict the collector to known source addresses.

Exam trap

Cisco often tests the distinction between Syslog (for event logs) and SNMP traps (for alerts/status changes), leading candidates to mistakenly choose SNMP because both involve sending data from devices to a server.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing device status via polling and traps, not for sending detailed event logs; it collects metrics like CPU load or interface errors, not syslog messages. Option C is wrong because NetFlow is a traffic accounting protocol that exports IP flow metadata (e.g., source/destination IPs, ports, packet counts) for network traffic analysis, not event logs from device operations.

365
MCQmedium

A network administrator needs to allow multiple VLANs to traverse a single link between two switches. Which configuration must be applied on the switch ports?

A.Access port
B.Trunk port
C.Hybrid port
D.Routed port
AnswerB

A trunk port is configured to carry multiple VLANs over one link by tagging each frame with its VLAN ID using IEEE 802.1Q (or the legacy Cisco-proprietary ISL encapsulation).

Why this answer

A trunk port is configured to carry traffic for multiple VLANs over a single link by tagging frames with IEEE 802.1Q VLAN identifiers. This allows the switch to distinguish which VLAN each frame belongs to, enabling inter-switch VLAN connectivity without requiring separate physical links per VLAN.

Exam trap

The trap here is that candidates often confuse a trunk port with an access port, thinking that multiple VLANs can be carried by simply assigning multiple VLANs to an access port, but access ports can only be assigned a single untagged VLAN.

How to eliminate wrong answers

Option A is wrong because an access port belongs to only one VLAN and strips any VLAN tags, making it unable to carry multiple VLANs. Option C is wrong because hybrid ports are a vendor-specific concept (e.g., Huawei) and are not a standard Cisco term for this scenario; Cisco switches use trunk ports for multi-VLAN links. Option D is wrong because a routed port is a Layer 3 interface used for routing, not for carrying multiple VLANs over a single link.
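The two trunk questions on this page (the allowed-VLAN-list explanation above and this one) both come down to what a switch does with the 802.1Q tag on an inbound trunk frame. The following is an added example, not code from the exam or from any vendor: it builds constructed Ethernet frames, parses the 802.1Q tag (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN ID), and applies the trunk's native VLAN and allowed list the way a switch does. The frame contents, MAC addresses and VLAN numbers are assumptions for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks an 802.1Q tag


def build_frame(vlan_id, etype, payload, pcp=0):
    """Constructed frame: dst MAC, src MAC, optional 802.1Q tag, EtherType, payload."""
    dst = bytes.fromhex("ffffffffffff")        # assumed addresses, not real hosts
    src = bytes.fromhex("001122334455")
    if vlan_id is None:                         # untagged frame
        return dst + src + struct.pack("!H", etype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)      # PCP in top 3 bits, VID in low 12
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, etype) + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_etype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_etype, frame[18:]
    return None, etype, frame[14:]


class TrunkPort:
    """Inbound trunk handling: native VLAN for untagged frames, then the allowed list."""

    def __init__(self, allowed, native=1):
        self.allowed = set(allowed)
        self.native = native

    def classify(self, frame):
        vlan_id, _etype, _payload = parse_frame(frame)
        if vlan_id is None or vlan_id == 0:     # untagged or priority-tagged (VID 0)
            vlan_id = self.native                # both land in the native VLAN
        if vlan_id not in self.allowed:          # native VLAN must be allowed too
            return ("drop", vlan_id)
        return ("forward", vlan_id)


if __name__ == "__main__":
    trunk = TrunkPort(allowed=[10, 20, 99], native=99)
    for label, frame in [("tagged 10", build_frame(10, 0x0800, b"ip")),
                         ("tagged 30", build_frame(30, 0x0800, b"ip")),
                         ("untagged", build_frame(None, 0x0806, b"arp"))]:
        print(label, "->", trunk.classify(frame))
    print("native 99 pruned ->", TrunkPort([10, 20], native=99)
          .classify(build_frame(None, 0x0806, b"arp")))
```

The last case is the one the allowed-list question hinges on: a native VLAN the two sides agree on still passes no traffic if it is pruned from the allowed list. It is also why hardening guides avoid VLAN 1 as the native VLAN and tag it explicitly, since untagged frames are the vehicle for double-tagging VLAN-hopping attacks.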

366
MCQmedium

A technician is troubleshooting a user's inability to access the internet. The user can successfully ping the default gateway and internal servers, but cannot ping a public IP address such as 8.8.8.8. The technician checks the firewall logs and confirms that outbound ICMP traffic to 8.8.8.8 is permitted. Which of the following is the most likely cause of the issue?

A.Incorrect DNS server configuration on the workstation
B.Missing default route on the router
C.Incorrect subnet mask on the workstation
D.Malware on the workstation is blocking ICMP traffic
AnswerB

A missing default route on the router prevents packets destined for external networks from being forwarded beyond the router, even though the workstation can reach the router itself.

Why this answer

The user can ping the default gateway and internal servers, which confirms that Layer 2 and Layer 3 connectivity within the local network is working. However, the inability to ping a public IP (8.8.8.8) indicates that traffic is not being forwarded beyond the local subnet. A missing default route on the router means the router does not know where to send packets destined for external networks, so it drops them.

Since outbound ICMP is permitted on the firewall, the issue is routing, not filtering.

Exam trap

The trap here is that candidates often assume a firewall rule is blocking traffic when the symptom is a ping failure, but the question explicitly states ICMP is permitted, shifting the focus to routing; Cisco tests the distinction between policy-based blocking and routing-based unreachability.

How to eliminate wrong answers

Option A is wrong because DNS resolution is not required to ping a public IP address; the ping command uses the IP directly (8.8.8.8), so incorrect DNS would only affect name resolution, not IP connectivity. Option C is wrong because an incorrect subnet mask would prevent the workstation from communicating with the default gateway or internal servers, but the user can successfully ping both, ruling out a subnet mask misconfiguration.

367
MCQhard

A network technician is troubleshooting connectivity between two branch offices connected by a site-to-site VPN. The VPN tunnel shows as active and up. Users at Branch A can ping the VPN gateway IP at Branch B successfully, but they cannot access any servers behind the firewall at Branch B. The firewall at Branch B is stateful and its logs show that traffic from Branch A is being dropped. What is the most likely cause?

A.Mismatched encryption algorithms
B.Asymmetric routing causing the stateful firewall to drop return traffic
C.Incorrect DNS configuration
D.MTU mismatch causing fragmentation issues
AnswerB

The stateful firewall expects to see both directions of a connection. If traffic from Branch A enters one firewall interface but the return traffic leaves via a different path, the firewall sees the return packet as unsolicited and drops it.

Why this answer

The VPN tunnel is active and Branch A can ping the VPN gateway IP at Branch B, confirming that the tunnel itself and Layer 3 connectivity are functional. However, a stateful firewall tracks connection states based on source/destination IP and port; if traffic from Branch A enters the firewall on one interface but return traffic exits via a different path (asymmetric routing), the firewall sees the return packets as not belonging to any established session and drops them. This matches the log showing traffic being dropped despite the tunnel being up.

Exam trap

Cisco often tests the misconception that a 'green' tunnel status guarantees end-to-end application connectivity, but the trap here is that stateful firewalls require symmetric traffic flows, and candidates may incorrectly blame encryption mismatches or DNS when the tunnel itself is operational.

How to eliminate wrong answers

Option A is wrong because mismatched encryption algorithms would prevent the VPN tunnel from establishing or staying active, but the tunnel is up and ping succeeds, indicating Phase 1 and Phase 2 parameters match. Option C is wrong because incorrect DNS configuration would cause name resolution failures, not the dropping of traffic at the firewall; the issue is at Layer 4 (stateful inspection), not at Layer 7 (application).

368
MCQhard

A network engineer has successfully established an IPsec site-to-site VPN tunnel between a branch office (10.0.1.0/24) and the main office (192.168.1.0/24). The tunnel status shows as active, and both sides can ping each other's tunnel interface IP addresses. However, users at the branch office cannot ping the main office server at 192.168.1.10, and the main office cannot ping the branch office server at 10.0.1.10. The firewall rules on both sides permit IPsec traffic and all internal traffic. What should the engineer check NEXT?

A.Verify routing entries on both routers to ensure the remote internal subnets are reachable via the tunnel.
B.Check the IPsec security associations for encryption algorithm mismatch.
C.Disable the firewall on the internal interfaces temporarily.
D.Regenerate the pre-shared key on both sides.
AnswerA

Both routers need to have routes pointing to the remote internal subnets (e.g., 192.168.1.0/24 and 10.0.1.0/24) with the tunnel interface as the next hop. Without these routes, traffic from internal hosts will not be directed into the tunnel.

Why this answer

The tunnel is active and both sides can ping each other's tunnel interface IPs, confirming that IPsec phase 1 and phase 2 are established and the tunnel itself is functional. However, users cannot reach the remote internal subnets (10.0.1.0/24 and 192.168.1.0/24), which indicates a routing problem: the routers likely lack routes for those remote subnets pointing to the tunnel interface. Without proper routing entries, traffic destined for the remote LAN is sent out the wrong interface or dropped, even though the tunnel is up.

Exam trap

Cisco often tests the distinction between tunnel reachability (pinging the tunnel interface IP) and subnet reachability (pinging hosts behind the tunnel), trapping candidates who assume a working tunnel automatically means all traffic flows correctly, when in fact routing for the remote LANs must be explicitly configured.

How to eliminate wrong answers

Option B is wrong because an encryption algorithm mismatch would prevent the IPsec security associations (SAs) from forming, causing the tunnel to fail or show as not active — but the tunnel is active and tunnel interface pings succeed, so the SAs are correctly negotiated. Option C is wrong because disabling the firewall on internal interfaces is an unnecessary and risky troubleshooting step; the firewall rules already permit IPsec and internal traffic, and the problem is not firewall-related since tunnel interface pings work, indicating the firewall is not blocking the tunnel itself.

369
MCQeasy

Which of the following network devices operates at Layer 1 of the OSI model and forwards all incoming electrical signals to all of its ports?

A.Router
B.Switch
C.Hub
D.Bridge
AnswerC

A hub is a Layer 1 device that repeats all incoming signals to all ports without any intelligence or filtering.

Why this answer

A hub operates at Layer 1 (Physical layer) of the OSI model and is a multiport repeater. It regenerates and forwards every incoming electrical signal out of all ports except the incoming port, regardless of the intended destination, because it has no intelligence to process MAC addresses or frames.

Exam trap

Cisco often tests the distinction between a hub and a switch, where candidates mistakenly think a switch forwards all incoming traffic to all ports (like a hub) because they confuse broadcast traffic with general forwarding behavior.

How to eliminate wrong answers

Option A is wrong because a router operates at Layer 3 (Network layer) and forwards packets based on IP addresses, not electrical signals; it does not blindly forward signals to all ports. Option B is wrong because a switch operates at Layer 2 (Data Link layer) and forwards frames based on MAC addresses, using a MAC address table to selectively forward traffic only to the specific destination port, not to all ports.

370
MCQmedium

A technician is troubleshooting an issue where a wireless client can associate with an access point but cannot obtain an IP address via DHCP. The technician checks the DHCP server and sees no lease requests from the client's MAC address. Which of the following is the most likely cause?

A.The client's wireless adapter is faulty
B.The AP is not configured with a DHCP relay
C.The client's SSID is incorrect
D.The AP's radio is operating on the wrong channel
AnswerB

Correct. When the DHCP server is on a different subnet than the wireless clients, the AP or a Layer 3 device must relay DHCP broadcasts. Without a relay, the client's DHCP discover messages never reach the server.

Why this answer

The client can associate with the AP but cannot obtain an IP address, and the DHCP server shows no lease requests from the client's MAC. This indicates that DHCP discovery broadcasts are not reaching the DHCP server, which is common when the client and server are on different subnets and the AP (or a Layer 3 device) is not configured with a DHCP relay (ip helper-address). Without a relay, broadcast DHCP messages are dropped at the router, so the server never sees the request.

Exam trap

The trap here is that candidates often assume the AP automatically forwards DHCP broadcasts to the server, forgetting that broadcast traffic does not cross Layer 3 boundaries without an explicit relay configuration.

How to eliminate wrong answers

Option A is wrong because a faulty wireless adapter would typically prevent association or cause intermittent connectivity, but here the client successfully associates, ruling out hardware failure. Option C is wrong because an incorrect SSID would prevent association entirely, not allow association while blocking DHCP. Option D is wrong because the AP operating on the wrong channel would cause poor signal or inability to associate, but the client has already associated, so channel mismatch is not the issue.

371
Matchingmedium

Match each network attack to its description.


Attacker sends fake ARP messages to associate their MAC with another IP

Corrupts DNS cache to redirect traffic to malicious sites

Overwhelms a target with traffic from multiple sources

Attacker intercepts communication between two parties

Why these pairings

These are common network security threats. The concepts that match the four descriptions are ARP spoofing (ARP poisoning) for the fake ARP messages that associate the attacker's MAC with another host's IP; DNS cache poisoning for the corrupted DNS cache that redirects traffic to malicious sites; a distributed denial-of-service (DDoS) attack for overwhelming a target with traffic from multiple sources; and an on-path (man-in-the-middle) attack for intercepting communication between two parties. ARP spoofing and DNS poisoning are two common ways an attacker gains that on-path position.
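ARP spoofing is the one of these four that a defender can detect from the local segment alone, because the attacker must keep re-asserting a false IP-to-MAC binding. The following is an added example, not part of the exam material: it replays constructed ARP reply records through a small watcher that alerts when an IP's MAC changes, when a binding contradicts a known static entry (for instance the default gateway), and when an IP flaps between MACs, which is the signature of an attacker and the real host contending. The addresses and timestamps are made up for the example.

```python
from collections import Counter

# Constructed ARP reply records as (sender_ip, sender_mac, timestamp_seconds).
# Made-up data for the example; 10.0.0.1 is assumed to be the default gateway.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01", 1.0),
    ("10.0.0.20", "00:11:22:33:44:20", 1.5),
    ("10.0.0.1", "00:11:22:33:44:01", 30.0),
    ("10.0.0.1", "de:ad:be:ef:00:99", 31.0),   # gateway IP claimed by another MAC
    ("10.0.0.1", "00:11:22:33:44:01", 32.0),   # real gateway answers again
]


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP replies and records anomalies."""

    def __init__(self, static_bindings=None):
        self.table = {}                            # ip -> last MAC seen
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.alerts = []                           # (ts, ip, kind, old_mac, new_mac)

    def observe(self, ip, mac, ts):
        mac = mac.lower()
        expected = self.static.get(ip)
        if expected is not None and mac != expected:
            # A reply that contradicts a pinned binding is suspicious on its own.
            self.alerts.append((ts, ip, "static-violation", expected, mac))
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append((ts, ip, "changed", prev, mac))
        self.table[ip] = mac
        return len(self.alerts)


def analyze(replies, static_bindings=None):
    """Run all replies through a watcher and return its alert list."""
    watcher = ArpWatch(static_bindings)
    for ip, mac, ts in replies:
        watcher.observe(ip, mac, ts)
    return watcher.alerts


def flapping_ips(alerts, min_changes=2):
    """IPs whose MAC changed at least min_changes times: attacker and victim contending."""
    changes = Counter(ip for _ts, ip, kind, _o, _n in alerts if kind == "changed")
    return sorted(ip for ip, n in changes.items() if n >= min_changes)


if __name__ == "__main__":
    alerts = analyze(SAMPLE_REPLIES, static_bindings={"10.0.0.1": "00:11:22:33:44:01"})
    for a in alerts:
        print(a)
    print("flapping:", flapping_ips(alerts))
```

On a managed switch the equivalent control is Dynamic ARP Inspection, which validates ARP replies against the DHCP snooping binding table at the access port instead of detecting the spoof after the fact.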

372
MCQeasy

At which layer of the OSI model does a switch that uses MAC addresses to forward frames operate?

A.Layer 1
B.Layer 2
C.Layer 3
D.Layer 4
AnswerB

Layer 2 (Data Link layer) uses MAC addresses to switch frames within a network segment.

Why this answer

A switch that uses MAC addresses to forward frames operates at Layer 2 (Data Link layer) of the OSI model. Layer 2 is responsible for node-to-node data transfer and error detection, using MAC addresses as the addressing scheme. The switch builds a MAC address table by learning source MAC addresses from incoming frames and then forwards frames based on the destination MAC address, making forwarding decisions at this layer.

Exam trap

The trap here is that candidates often confuse a switch's MAC address-based forwarding with a router's IP-based forwarding, mistakenly selecting Layer 3, or they think of a hub's operation at Layer 1 and incorrectly apply that to a switch.

How to eliminate wrong answers

Option A is wrong because Layer 1 (Physical layer) deals with the physical transmission of raw bits over a medium, such as electrical signals, light, or radio waves, and does not interpret MAC addresses or frames. Option C is wrong because Layer 3 (Network layer) uses logical IP addresses for routing packets between networks, not MAC addresses for forwarding frames within a local network. Option D is wrong because Layer 4 (Transport layer) manages end-to-end communication, segmentation, and flow control using protocols like TCP and UDP, and does not involve MAC address-based forwarding.

373
MCQhard

A network administrator has configured a router to send syslog messages to a server with the command 'logging trap 4'. The administrator notices that the syslog server is receiving messages with severity levels 0, 1, and 2. Which of the following best explains why these messages are being received?

A.The 'trap' level indicates the minimum severity; only messages with severity 4 and above are sent.
B.The router is misconfigured and sending all messages regardless of the trap level.
C.Syslog severity levels are reversed; lower numbers indicate higher urgency, so trap 4 includes levels 0-4.
D.The syslog server is configured to accept only levels 0-2, so it filters out the others.
AnswerC

Correct. Lower severity numbers (0) are more critical, and 'logging trap 4' instructs the router to send messages with severity 0 through 4.

Why this answer

C is correct because syslog severity numbers run opposite to urgency: 0 is the most urgent (emergency), followed by 1 (alert), 2 (critical), 3 (error), 4 (warning), 5 (notice), 6 (informational) and 7 (debugging). The IOS command 'logging trap 4' sets the threshold at warning, so every message with severity 4 or lower (0 through 4) is forwarded to the server, which is why emergency, alert and critical messages arrive. The severity numbering comes from the syslog standards (RFC 3164 and RFC 5424); the threshold semantics of logging trap are Cisco IOS behavior.

Exam trap

Cisco often tests the inverted nature of syslog severity levels, where the trap level is a maximum threshold (inclusive of all lower numbers), not a minimum, causing candidates to incorrectly assume that higher numbers are more severe.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that the trap level indicates the minimum severity and only sends messages with severity 4 and above; in reality, the trap level sets the maximum severity number allowed, so lower numbers (higher urgency) are included. Option B is wrong because the router is not misconfigured; the behavior is correct per syslog standards, and the administrator is seeing the expected messages for the configured trap level.
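Both the syslog question (364) and this one turn on the PRI field at the start of every syslog message, which encodes facility and severity as facility * 8 + severity. The following is an added example, not code from the exam or from Cisco: it decodes PRI values from constructed, IOS-style sample messages and applies the 'logging trap N' rule (forward when severity <= N) so the inverted ordering is visible in running code. The message text, sequence numbers and timestamps are made up for the example.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed RFC 3164-style messages in the shape IOS emits (PRI, sequence number,
# timestamp, %FACILITY-SEVERITY-MNEMONIC). Made-up data, not real device output.
# local7 (23) is the default IOS facility, so PRI = 23 * 8 + severity.
SAMPLE = [
    "<187>45: Jan  1 00:00:01: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<189>46: Jan  1 00:00:02: %LINEPROTO-5-UPDOWN: Line protocol on Gi0/1, down",
    "<184>47: Jan  1 00:00:03: %SYS-0-EXAMPLE: constructed emergency message",
    "<190>48: Jan  1 00:00:04: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started",
]


def decode_pri(message):
    """Return (facility, severity) from the leading <PRI> field."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no PRI field")
    pri = int(m.group(1))
    if pri > 191:                   # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def severity_name(message):
    return SEVERITIES[decode_pri(message)[1]]


def passes_trap(message, trap_level):
    """'logging trap N' forwards messages whose severity number is <= N (0 most urgent)."""
    return decode_pri(message)[1] <= trap_level


def forward_to_server(messages, trap_level):
    """The subset of messages a router with 'logging trap <trap_level>' would send."""
    return [m for m in messages if passes_trap(m, trap_level)]


if __name__ == "__main__":
    for msg in SAMPLE:
        fac, sev = decode_pri(msg)
        print(f"facility={fac} severity={sev} ({SEVERITIES[sev]})", "->",
              "sent" if passes_trap(msg, 4) else "suppressed")
```

A collector should treat the decoded severity as a hint, not a fact: the PRI is asserted by the sender, and over UDP nothing authenticates that sender, which is the reason for the TLS transport mentioned under question 364.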

374
MCQmedium

A network administrator is creating a new VLAN 50 on a switch. After creating the VLAN, the administrator notices that the switch does not send VLAN information to other switches in the network. Which of the following is the most likely reason?

A.VTP mode is set to transparent.
B.The trunk link is not configured.
C.The VLAN is not allowed on the trunk.
D.STP is blocking the VLAN.
AnswerA

In transparent mode, the switch keeps its VLAN database local: it does not originate VTP advertisements for its own VLAN changes and does not apply advertisements it receives, though it relays them across its trunks to other switches. VLAN 50 therefore exists only on this switch.

Why this answer

When VTP mode is set to transparent, the switch does not advertise VLAN changes made on it, so VLAN 50 was created locally but never propagated to the rest of the network. A transparent switch still passes advertisements from other switches along over its trunks, but it neither applies them to its own database nor generates its own; only a switch in VTP server mode originates advertisements when a VLAN is added, renamed or deleted.

Exam trap

Cisco often tests the misconception that a trunk misconfiguration (like not allowing the VLAN on the trunk) is the cause of VTP propagation failure, when in fact VTP transparent mode completely disables advertisement generation regardless of trunk settings.

How to eliminate wrong answers

Option B is wrong because, although VTP advertisements travel only over trunk links, a missing trunk would stop all inter-switch VLAN traffic as well, not just the propagation of VLAN information, and the question describes a switch that is otherwise operating normally; the more specific explanation is the VTP mode. Option C is wrong because a VLAN that is not allowed on the trunk has its user traffic blocked across that trunk, but VTP advertisements are sent in the management VLAN (VLAN 1 on Cisco switches) independently of the allowed VLAN list, so pruning VLAN 50 from the trunk would not stop the switch from advertising it.

375
MCQeasy

Which of the following best describes the function of a default gateway?

A.It translates private IP addresses to public IP addresses.
B.It provides DHCP services to clients.
C.It routes packets from a local subnet to destinations on other networks.
D.It performs DNS resolution for network clients.
AnswerC

This is the fundamental purpose of a default gateway.

Why this answer

The default gateway is a router or Layer 3 device on a local subnet that serves as the next-hop IP address for packets destined to networks outside the local subnet. When a host determines that the destination IP is not on the same subnet (by comparing it with its own address and subnet mask), it resolves the gateway's MAC address via ARP and sends the frame to the gateway, which then routes the packet toward the remote network. Without a correctly configured default gateway, a host can only communicate within its own subnet.

Exam trap

Cisco often tests this by offering NAT, DHCP and DNS as distractors; the trap is that all three services can run on the same router that acts as the gateway, so candidates confuse the gateway's routing role with those other functions.

How to eliminate wrong answers

Option A is wrong because translating private IP addresses to public IP addresses is the function of Network Address Translation (NAT), typically performed by a router or firewall, not the default gateway itself. Option B is wrong because providing DHCP services is the role of a DHCP server, which can be a separate server or a router configured with DHCP services, but it is not the primary or defining function of a default gateway.
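The gateway decision in this question, the missing default route in question 366 and the missing tunnel route in question 368 are the same two lookups performed at different hops. The following is an added example, not code from the exam or from any router vendor: it implements the host's "same subnet or gateway" test and a longest-prefix-match routing table lookup over constructed routing tables, showing that a host can reach its gateway while the router still drops traffic for which it has no route. The addresses, interface names and tables are assumptions for the example.

```python
import ipaddress


def host_next_hop(host_ip, mask, gateway, dst_ip):
    """Host decision: deliver directly on the local subnet, otherwise use the gateway."""
    subnet = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst in subnet:
        return ("direct", dst_ip)          # ARP for the destination itself
    if gateway is None:
        return ("unreachable", None)       # no default gateway configured
    return ("via-gateway", gateway)        # ARP for the gateway's MAC instead


def router_lookup(routes, dst_ip):
    """Longest-prefix match over (prefix, next_hop, interface); None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


# Constructed routing tables; interface names are hypothetical.
CONNECTED = [("10.0.0.0/24", None, "Gi0/0"),          # the workstation's subnet
             ("10.0.1.0/24", None, "Gi0/1")]          # another internal subnet
WITH_DEFAULT = CONNECTED + [("0.0.0.0/0", "203.0.113.1", "Gi0/2")]   # question 366 fix
WITH_TUNNEL = CONNECTED + [("192.168.1.0/24", None, "Tunnel0")]      # question 368 fix


def forward(routes, dst_ip):
    """Human-readable result of one router hop."""
    match = router_lookup(routes, dst_ip)
    if match is None:
        return f"{dst_ip}: dropped, no matching route (no default route configured)"
    net, next_hop, iface = match
    return f"{dst_ip}: out {iface} via {next_hop or 'directly connected'} (matched {net})"


if __name__ == "__main__":
    # Host 10.0.0.25/24 with gateway 10.0.0.1, as in question 366.
    for dst in ("10.0.0.1", "10.0.1.10", "8.8.8.8"):
        print("host:", dst, "->", host_next_hop("10.0.0.25", "255.255.255.0", "10.0.0.1", dst))
    for dst in ("10.0.1.10", "8.8.8.8", "192.168.1.10"):
        print("router without default:", forward(CONNECTED, dst))
        print("router with default:   ", forward(WITH_DEFAULT, dst))
        print("router with tunnel:    ", forward(WITH_TUNNEL, dst))
```

The 8.8.8.8 case reproduces the symptom of question 366: the host happily hands the packet to 10.0.0.1 (so pings to the gateway succeed), and the router drops it because no prefix, not even 0.0.0.0/0, matches. The 192.168.1.10 case is question 368: the tunnel can be up, but without a route for the remote LAN pointing at Tunnel0 the packet never enters it.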
