CompTIA Network+ (N10-009) — Questions 376-450

520 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
MCQ · medium

A technician is troubleshooting intermittent wireless connectivity in a conference room. A site survey shows strong signal strength but many nearby access points are using channels that overlap with the channel used by the conference room AP. Which of the following is the most likely cause of the issue?

A.Multipath interference from reflective surfaces.
B.Co-channel interference from access points on the same channel.
C.Adjacent channel interference from access points on overlapping channels.
D.Signal attenuation due to distance from the AP.
Answer: C

Overlapping channels cause adjacent channel interference, reducing throughput and causing intermittent connectivity.

Why this answer

The site survey shows strong signal strength but many nearby access points on channels that overlap with the conference-room AP's channel. That is the definition of adjacent-channel interference (ACI): in the 2.4 GHz band the channels are only 5 MHz apart while each is about 20-22 MHz wide, so channel 1 overlaps channels 2 through 5 and only 1, 6 and 11 are clear of each other. Stations on partially overlapping channels cannot decode each other's frames, so CSMA/CA cannot make them take turns; the neighbour's traffic is simply noise that corrupts frames and forces retransmissions, which is why throughput collapses and connections drop despite a strong signal.

Exam trap

The exam often tests the distinction between co-channel interference (same channel) and adjacent-channel interference (overlapping channels); the trap is reading 'overlapping channels' as 'same channel' and selecting co-channel interference instead of adjacent-channel interference.

How to eliminate wrong answers

Option A is wrong because multipath interference from reflective surfaces typically causes signal fading or nulls, not intermittent connectivity due to overlapping channels, and the site survey shows strong signal strength, not multipath issues. Option B is wrong because co-channel interference occurs when APs are on the same channel, but the scenario explicitly states 'overlapping channels,' not the same channel, so co-channel interference is not the primary cause here. Option D is wrong because signal attenuation due to distance from the AP would manifest as weak signal strength, but the site survey shows strong signal strength, ruling out distance as the issue.
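An added example, not part of the original question set: a small Python model of the 2.4 GHz channel plan that classifies each neighbouring AP from a site survey as co-channel, adjacent-channel or non-overlapping, and picks the least-crowded channel from the 1/6/11 plan. The survey data is constructed; the 22 MHz width is the 802.11b DSSS mask, the conservative planning figure that yields the usual "five channels apart" rule.

```python
from typing import Dict, List

# Conservative planning width: the 802.11b DSSS spectral mask is 22 MHz wide,
# so channels fewer than five numbers (25 MHz) apart overlap. That is the rule
# behind the 1/6/11 plan; 20 MHz OFDM channels 1 and 5 still touch at the edge.
CHANNEL_WIDTH_MHZ = 22
NON_OVERLAPPING_PLAN = (1, 6, 11)


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-13 are 5 MHz apart; 14 is Japan-only)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def classify(my_channel: int, other_channel: int) -> str:
    """Classify the interference a neighbour on other_channel causes to my_channel.

    Same channel: stations hear each other and defer (co-channel; CSMA/CA still works).
    Overlapping channel: the neighbour's frames are only noise, so frames get
    corrupted and retried (adjacent-channel). Far enough apart: no interference.
    """
    if my_channel == other_channel:
        return "co-channel"
    spacing = abs(center_frequency_mhz(my_channel) - center_frequency_mhz(other_channel))
    return "adjacent-channel" if spacing < CHANNEL_WIDTH_MHZ else "non-overlapping"


def survey_report(my_channel: int, neighbours: Dict[str, int]) -> Dict[str, List[str]]:
    """Group neighbouring APs (name -> channel) by the kind of interference they cause."""
    report: Dict[str, List[str]] = {"co-channel": [], "adjacent-channel": [], "non-overlapping": []}
    for name, channel in sorted(neighbours.items()):
        report[classify(my_channel, channel)].append(name)
    return report


def best_channel(neighbours: Dict[str, int], plan=NON_OVERLAPPING_PLAN) -> int:
    """Pick the plan channel with the fewest interfering neighbours (co- or adjacent-channel)."""
    def interferers(candidate: int) -> int:
        return sum(classify(candidate, ch) != "non-overlapping" for ch in neighbours.values())
    return min(plan, key=lambda c: (interferers(c), c))


# Constructed site-survey data: the conference-room AP and what the survey heard nearby.
CONFERENCE_ROOM_CHANNEL = 6
NEARBY_APS = {"lobby-ap": 4, "sales-ap": 8, "guest-ap": 6, "print-room-ap": 11, "cafe-ap": 1}

if __name__ == "__main__":
    print(survey_report(CONFERENCE_ROOM_CHANNEL, NEARBY_APS))
    print("least-crowded plan channel:", best_channel(NEARBY_APS))
```

With the constructed survey the conference-room AP on channel 6 has one co-channel neighbour and two adjacent-channel neighbours; moving it to channel 1 (or 11) halves the interferer count, which is the fix a site survey like the one in the question leads to.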

377
MCQ · hard

A network architect is implementing a Software-Defined Networking (SDN) solution. The SDN controller needs to communicate with the physical switches to install flow rules. Which type of API is used for this communication?

A.Southbound API
B.Northbound API
C.Eastbound API
D.Westbound API
Answer: A

Southbound APIs (e.g., OpenFlow, NETCONF) are used by the SDN controller to communicate with and configure network devices.

Why this answer

The Southbound API is the correct interface because it enables the SDN controller to communicate with the underlying physical or virtual network devices (switches, routers) to install flow rules, modify forwarding tables, and gather telemetry. This API typically uses protocols such as OpenFlow, NETCONF, or OVSDB to translate controller decisions into device-level actions, making it the essential southbound channel in an SDN architecture.

Exam trap

The trap here is that candidates confuse the Southbound API with the Northbound API, mistakenly thinking the controller communicates upward to applications rather than downward to switches, or they invent 'Eastbound' or 'Westbound' as plausible-sounding but incorrect terms for controller-to-switch communication.

How to eliminate wrong answers

Option B (Northbound API) is wrong because it is used for communication between the SDN controller and higher-layer applications or orchestration tools, not for installing flow rules on physical switches. Option C (Eastbound API) is wrong because it refers to communication between multiple SDN controllers in a federated or hierarchical deployment, not between a controller and switches. Option D (Westbound API) is wrong because it is not a standard SDN API term; it is sometimes used to describe communication between controllers in different administrative domains, but it does not involve installing flow rules on switches.

378
MCQ · medium

A security auditor discovers that several unused switch ports are in default configuration. The auditor recommends implementing a security measure that will disable the port if an unauthorized device is connected, and then automatically re-enable the port after a specified time period. Which feature should be configured on the switch ports?

A.802.1X with RADIUS authentication and guest VLAN
B.Port security with violation mode 'shutdown' and errdisable recovery interval
C.DHCP snooping and dynamic ARP inspection
D.Storm control and broadcast suppression
Answer: B

Port security shutdown disables the port on violation, and errdisable recovery allows automatic re-enablement after a configured time.

Why this answer

Port security with violation mode 'shutdown' disables the port when an unauthorized device is detected, and the errdisable recovery interval automatically re-enables the port after a specified time period. This directly matches the auditor's requirement to disable on unauthorized connection and auto-re-enable after a timeout.

Exam trap

The exam often tests the distinction between port security's 'shutdown' violation mode (which puts the port into the err-disabled state) and the 'restrict' and 'protect' modes (which drop the offending frames but leave the port up); the trap is assuming that any port-security mode meets the requirement, when only a port that was err-disabled has anything for errdisable recovery to re-enable.

How to eliminate wrong answers

Option A is wrong because 802.1X with RADIUS authentication and guest VLAN controls network access at Layer 2 using authentication, but it does not disable the port or provide automatic re-enablement after a timeout; it either grants or denies access based on credentials. Option C is wrong because DHCP snooping and dynamic ARP inspection are security features that prevent DHCP spoofing and ARP poisoning, but they do not disable switch ports upon unauthorized device connection or include an errdisable recovery mechanism. Option D is wrong because storm control and broadcast suppression limit excessive broadcast, multicast, or unknown unicast traffic to prevent network storms, but they do not disable ports based on unauthorized device detection or provide automatic re-enablement.

379
MCQ · hard

An attacker sends ICMP echo request packets to the broadcast address of a network, with the source IP address spoofed to be the target's IP address. This causes all hosts on the network to send ICMP echo replies to the target, overwhelming it. Which type of attack is this?

A.Smurf attack
B.Fraggle attack
C.Ping flood
D.ARP poisoning
Answer: A

A Smurf attack uses ICMP echo requests to the broadcast address with a spoofed source IP to generate a flood of replies to the victim.

Why this answer

This is a classic Smurf attack, which exploits ICMP by sending echo request packets to the network's broadcast address with the source IP spoofed as the target. All hosts on the network receive the request and reply to the spoofed source, flooding the target with ICMP echo replies and consuming its bandwidth or resources.

Exam trap

CompTIA often tests the distinction between Smurf (ICMP) and Fraggle (UDP) attacks, so candidates mistakenly choose Fraggle when they see 'broadcast' and 'spoofed source' without noting the protocol used.

How to eliminate wrong answers

Option B (Fraggle attack) is wrong because it uses UDP echo traffic to the broadcast address, not ICMP echo requests. Option C (Ping flood) is wrong because it involves sending a high volume of ICMP echo requests directly to the target from a single or multiple sources, not leveraging broadcast amplification with a spoofed source. Option D (ARP poisoning) is wrong because it manipulates ARP tables to intercept traffic on a local network, not using ICMP or broadcast amplification.
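An added example (not from the original page): a Python detector that runs the Smurf pattern over a constructed list of packet summaries. It flags ICMP echo requests aimed at the LAN's directed-broadcast address whose claimed source is outside the LAN, then counts the echo replies the LAN sent to that spoofed source to estimate the amplification factor. The addresses come from the documentation ranges (192.0.2.0/24 as the amplifier LAN, 198.51.100.7 as the victim); nothing here is captured traffic.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

ECHO_REQUEST, ECHO_REPLY = 8, 0
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str            # "icmp", "udp", "tcp"
    icmp_type: int = -1   # ICMP type, or -1 for non-ICMP packets


def is_smurf_request(pkt: Packet, lan: ipaddress.IPv4Network) -> bool:
    """True for an echo request sent to the LAN's broadcast address from a
    source that cannot be on the LAN: the spoofed amplification request."""
    if pkt.proto != "icmp" or pkt.icmp_type != ECHO_REQUEST:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in (lan.broadcast_address, LIMITED_BROADCAST):
        return False
    return ipaddress.ip_address(pkt.src) not in lan


def smurf_report(packets: Iterable[Packet], lan: ipaddress.IPv4Network) -> Dict[str, Dict[str, float]]:
    """Per spoofed source (the real victim): requests seen, replies the LAN sent
    back to it, and the resulting amplification factor."""
    requests: Dict[str, int] = defaultdict(int)
    replies: Dict[str, int] = defaultdict(int)
    for pkt in packets:
        if is_smurf_request(pkt, lan):
            requests[pkt.src] += 1
        elif (pkt.proto == "icmp" and pkt.icmp_type == ECHO_REPLY
              and ipaddress.ip_address(pkt.src) in lan
              and ipaddress.ip_address(pkt.dst) not in lan):
            replies[pkt.dst] += 1
    return {
        victim: {"requests": n, "replies": replies[victim],
                 "amplification": replies[victim] / n}
        for victim, n in requests.items()
    }


# Constructed traffic. 192.0.2.0/24 is the amplifier LAN; the attacker spoofs the
# victim 198.51.100.7 as the source of two requests to the directed broadcast
# 192.0.2.255, and five LAN hosts answer each one.
LAN = ipaddress.ip_network("192.0.2.0/24")
AMPLIFIERS = [f"192.0.2.{n}" for n in range(11, 16)]
SAMPLE_PACKETS = (
    [Packet("198.51.100.7", "192.0.2.255", "icmp", ECHO_REQUEST)] * 2
    + [Packet(host, "198.51.100.7", "icmp", ECHO_REPLY) for host in AMPLIFIERS] * 2
    + [Packet("192.0.2.10", "192.0.2.255", "icmp", ECHO_REQUEST)]   # local host pinging the LAN
    + [Packet("203.0.113.5", "192.0.2.20", "icmp", ECHO_REQUEST)]   # ordinary unicast ping
    + [Packet("192.0.2.20", "203.0.113.5", "icmp", ECHO_REPLY)]     # its reply
)

if __name__ == "__main__":
    for victim, stats in smurf_report(SAMPLE_PACKETS, LAN).items():
        print(f"{victim}: {stats}")
```

The local host's ping to 192.0.2.255 is not flagged because its source is on the LAN, and the unicast ping is ignored because its destination is not a broadcast address. The two fixes are the ones the exam expects: `no ip directed-broadcast` on the router interface (the Cisco IOS default since 12.0), so the request is never turned into a LAN broadcast, and BCP 38 ingress filtering at the network edge, so packets claiming an address from outside the prefix they arrive on are dropped before they can be amplified.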

380
MCQ · medium

A network technician is troubleshooting a switch port that shows a link light but has a high number of CRC errors in the interface statistics. The port is connected to a workstation's network interface card (NIC). Both devices are set to autonegotiate. What is the MOST likely cause of the CRC errors?

A.Duplex mismatch between the switch port and the workstation NIC
B.VLAN mismatch between the switch and the workstation
C.Incorrect MTU setting on the switch port
D.Broadcast storm from a loop in the network
Answer: A

Duplex mismatch: the half-duplex side logs collisions and late collisions, the full-duplex side logs runts and CRC errors, and throughput collapses while the link light stays on.

Why this answer

CRC errors indicate that frames received by the switch failed the Ethernet frame check sequence (FCS), meaning the data was corrupted in transit. When autonegotiation fails on one side (a NIC driver that does not complete the exchange, or a damaged pair that corrupts the negotiation pulses), that side falls back to half duplex while the other runs full duplex. The half-duplex side senses the medium and treats the other side's transmissions as collisions, aborts its frame and backs off; the full-duplex side never checks for collisions, keeps transmitting, and receives the aborted fragments as runts and CRC errors. That is why the error count climbs even though the link is up.

Exam trap

The trap here is that candidates assume CRC errors always indicate a bad cable or another physical-layer fault, but the exam also tests the duplex mismatch, a configuration-level cause of CRC errors whenever autonegotiation is involved.

How to eliminate wrong answers

Option B is wrong because a VLAN mismatch would cause the switch to drop frames at the ingress or egress due to VLAN tagging mismatches, but it would not produce CRC errors; instead, you would see discards or no connectivity. Option C is wrong because an incorrect MTU setting would cause frames larger than the MTU to be fragmented or dropped, but CRC errors are caused by physical-layer corruption or duplex issues, not by MTU mismatches. Option D is wrong because a broadcast storm from a loop would cause high CPU utilization and excessive broadcast frames, but CRC errors are specific to frame corruption, not to broadcast flooding; loops typically cause interface utilization spikes and STP-related issues.

381
MCQ · medium

A network engineer is designing a network and needs to ensure that broadcast traffic is contained within a single broadcast domain. Which of the following devices should be used to create these separate broadcast domains?

A.Hub
B.Bridge
C.Switch
D.Router
Answer: D

A router operates at Layer 3 and does not forward Layer 2 broadcasts, thus separating broadcast domains per interface.

Why this answer

A router operates at Layer 3 of the OSI model and does not forward broadcast frames by default, making it the correct device to segment a network into separate broadcast domains. Each interface on a router creates a distinct broadcast domain, ensuring that broadcast traffic is contained within that interface's subnet.

Exam trap

The exam often tests the misconception that a switch creates separate broadcast domains; a switch only separates collision domains, and without VLANs all ports on a switch belong to one broadcast domain.

How to eliminate wrong answers

Option A is wrong because a hub is a Layer 1 device that simply repeats electrical signals out all ports, so it cannot isolate broadcast traffic; all connected devices share the same collision and broadcast domain. Option B is wrong because a bridge is a Layer 2 device that forwards frames based on MAC addresses but still forwards broadcasts out all ports except the receiving port, so it does not create separate broadcast domains. Option C is wrong because a switch is also a Layer 2 device; while it segments collision domains per port, it still floods broadcast frames to all ports within the same VLAN, meaning a single switch (or multiple switches in the same VLAN) constitutes one broadcast domain unless VLANs are configured.

382
MCQ · medium

A user reports slow network performance on their workstation. The technician checks the switch port and sees a high number of CRC errors. Which of the following is the MOST likely cause of this issue?

A.A faulty cable
B.Duplex mismatch
C.VLAN mismatch
D.Incorrect MTU setting
Answer: B

A duplex mismatch occurs when one device is set to full duplex and the other to half duplex. This causes late collisions and CRC errors, leading to poor performance.

Why this answer

CRC errors mean the receiver's frame check sequence did not match, so the frame was corrupted on the wire. In a duplex mismatch one side runs full duplex and the other half duplex: the half-duplex side still senses the medium and treats the full-duplex side's transmissions as collisions, aborting and retransmitting its own frames (seen as collisions and late collisions), while the full-duplex side receives those aborted fragments as runts and CRC errors. On the exam this is the most common cause of CRC errors on a switch port.

Exam trap

The exam often tests the misconception that CRC errors are always caused by bad cabling; in exam scenarios the intended cause is a duplex mismatch, especially when one device autonegotiates and the other is hard-coded to full duplex (the autonegotiating side then falls back to half duplex).

How to eliminate wrong answers

Option A is the other classic cause of CRC errors, so it cannot be excluded from the counter alone; a bad cable usually also shows as link flaps, runts and alignment errors, and in the exam scenario CRC errors paired with slow performance point to the duplex mismatch as the intended answer. Option C is wrong because a VLAN mismatch prevents communication entirely or causes connectivity issues at Layer 2, but does not generate CRC errors on the switch port. Option D is wrong because an incorrect MTU setting causes fragmentation or packet drops, not CRC errors, which are frame-level corruption detected by the FCS.

383
Matching · medium

Match each wireless standard to its maximum theoretical speed.


Concepts
Matches

11 Mbps

54 Mbps

600 Mbps

1.3 Gbps (or up to 6.9 Gbps with multi-user MIMO)

Why these pairings

These are common Wi-Fi standards and their speeds.

384
MCQ · medium

A user's computer is unable to obtain a DHCP lease after connecting to a new switch port. The user's computer displays an IP address in the 169.254.x.x range. Other users on the same VLAN can obtain IP addresses successfully. The switch port is configured for 802.1X authentication. What is the most likely cause?

A.The DHCP server has exhausted its address pool.
B.The switch port is in a blocked state due to a spanning tree loop.
C.The user's computer has not authenticated via 802.1X and is placed in a restricted VLAN.
D.The network cable is faulty.
Answer: C

With 802.1X, an unauthenticated device is either held in the unauthorized state or placed in a restricted (guest or auth-fail) VLAN that has no reachable DHCP server. That explains why this computer self-assigns an APIPA address while the authenticated users on the same VLAN get leases normally.

Why this answer

When 802.1X authentication is enabled on a switch port, the port initially operates in an unauthorized state, restricting traffic to only EAPoL (802.1X) frames. If the user's computer fails to authenticate (e.g., due to missing supplicant, incorrect credentials, or certificate issues), the switch can place the port into a restricted or guest VLAN that lacks a DHCP server or is isolated from the production network. The 169.254.x.x address (APIPA) indicates the client could not reach a DHCP server, which aligns with being placed in a VLAN without DHCP services.

Exam trap

The exam often tests the misconception that a 169.254.x.x address always means the DHCP server is down; here the server is fine, and an 802.1X authentication failure has left the port in a restricted VLAN with no DHCP, not a pool exhaustion or a spanning-tree problem.

How to eliminate wrong answers

Option A is wrong because other users on the same VLAN are still obtaining leases, so the pool is not exhausted. Option B is wrong because spanning tree blocks ports to break loops between switches; an access port facing a single workstation is an edge port that is not part of a loop, nothing in the scenario suggests a topology change, and the port is explicitly configured for 802.1X, which gives a direct explanation. (A blocked port would also leave the host with an APIPA address, so the address alone does not separate the two causes; the configured feature does.) Option D is wrong because a faulty cable would typically prevent the link from coming up at all or cause it to flap; the computer has link and has self-assigned an APIPA address, so Layer 1 is working.

385
MCQ · medium

A company wants to deploy a wireless network with the highest level of security for client authentication. The network will use a RADIUS server. Which authentication method should be used?

A.WPA2-PSK
B.WPA3-SAE
C.802.1X with EAP-TLS
D.802.1X with PEAP
Answer: C

EAP-TLS provides mutual authentication using certificates on both client and server, offering the highest level of security for enterprise wireless.

Why this answer

Option C is correct because 802.1X with EAP-TLS provides certificate-based mutual authentication, eliminating the risk of credential theft or dictionary attacks. This is the strongest authentication method for enterprise wireless networks, as it requires both the client and the RADIUS server to present valid X.509 certificates, ensuring a cryptographically verified identity on both sides.

Exam trap

The trap here is that candidates often confuse PEAP with EAP-TLS because both use TLS, but PEAP only authenticates the server with a certificate while the client authenticates with a password (e.g., MSCHAPv2), making it less secure than full mutual certificate authentication in EAP-TLS.

How to eliminate wrong answers

Option A is wrong because WPA2-PSK uses a pre-shared key that is shared among all clients, making it vulnerable to offline dictionary attacks and lacking per-user authentication or centralized RADIUS integration. Option B is wrong because WPA3-SAE, while more secure than WPA2-PSK, still relies on a shared password (simultaneous authentication of equals) and does not provide certificate-based mutual authentication or integration with a RADIUS server for individual user credentials. Option D is wrong because 802.1X with PEAP uses a server-side certificate but tunnels the client authentication (typically MSCHAPv2) inside a TLS tunnel, which is susceptible to credential theft if the tunnel is compromised or if the client does not validate the server certificate properly.

386
MCQ · easy

Which of the following IP addresses is a private IP address as defined by RFC 1918?

A.169.254.1.1
B.172.32.1.1
C.192.168.1.1
D.172.15.1.1
Answer: C

192.168.1.1 belongs to the 192.168.0.0/16 private address range, commonly used in home and small business networks.

Why this answer

Option C (192.168.1.1) is correct because RFC 1918 reserves the 192.168.0.0/16 block (192.168.0.0 – 192.168.255.255) for private use within local networks. This address is not routable on the public internet, making it suitable for internal LAN addressing.

Exam trap

The trap here is that candidates often remember 172.x.x.x as private but forget the specific range (172.16.0.0/12), leading them to select 172.32.1.1 or 172.15.1.1, both of which are public addresses.

How to eliminate wrong answers

Option A is wrong because 169.254.1.1 falls within the 169.254.0.0/16 range, which is reserved for Automatic Private IP Addressing (APIPA) used when a DHCP server is unreachable, not for private addressing per RFC 1918. Option B is wrong because 172.32.1.1 is in the 172.32.0.0/16 range, which is outside the RFC 1918 private block 172.16.0.0/12 (172.16.0.0 – 172.31.255.255); addresses like 172.32.x.x are public or non-private. Option D is wrong because 172.15.1.1 is in the 172.15.0.0/16 range, which is below the RFC 1918 private block 172.16.0.0/12 and is a public IP address.
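An added Python check (not part of the original page) that classifies an address against the three RFC 1918 blocks, the APIPA range and loopback, and prints the block boundaries that the 172.x trap turns on. It also shows a pitfall a practitioner runs into when scripting this: the standard library's `is_private` answers a broader question (any special-purpose range, including 169.254.0.0/16), so it is not an RFC 1918 test.

```python
import ipaddress
from typing import List, Tuple

RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 link-local, self-assigned when DHCP fails


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks; IPv6 and other reserved ranges are False."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "not IPv4"
    if is_rfc1918(addr):
        return "RFC 1918 private"
    if ip in APIPA:
        return "APIPA link-local (RFC 3927)"
    if ip.is_loopback:
        return "loopback"
    return "public or other special-purpose"


def rfc1918_bounds() -> List[Tuple[str, str]]:
    """First and last address of each block; 172.16.0.0/12 ends at 172.31.255.255, not 172.32."""
    return [(str(b.network_address), str(b.broadcast_address)) for b in RFC1918_BLOCKS]


def stdlib_is_private_disagrees(addr: str) -> bool:
    """True where ipaddress.is_private says 'private' but the address is not RFC 1918."""
    return ipaddress.ip_address(addr).is_private and not is_rfc1918(addr)


if __name__ == "__main__":
    for a in ("169.254.1.1", "172.32.1.1", "192.168.1.1", "172.15.1.1", "172.31.255.255"):
        print(f"{a:>16}  {classify(a)}  (stdlib is_private={ipaddress.ip_address(a).is_private})")
    print(rfc1918_bounds())
```

The practical consequence: a script that uses `is_private` to decide whether an address in a log or an `X-Forwarded-For` header is "internal" will also accept link-local, loopback and the documentation ranges; match the RFC 1918 blocks explicitly when that is the question being asked.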

387
MCQ · medium

Users in a branch office report that file transfers to the data center are slow. A technician runs a traceroute and sees consistently high latency on hop 5. The technician then pings hop 5 and gets replies with varying response times. There are no errors reported on the interface. What is the most likely cause?

A.Routing loop causing packets to be dropped.
B.Interface congestion causing queuing delays.
C.DNS server misconfiguration causing lookup delays.
D.Firewall inspecting traffic and adding latency.
Answer: B

Congestion leads to packet queuing, resulting in high and variable latency. This is a common cause of performance degradation.

Why this answer

High latency on hop 5 with varying response times and no interface errors indicates that the router at hop 5 is experiencing congestion, causing packets to be queued before transmission. This queuing delay results in increased and variable round-trip times (RTT), which is a classic symptom of interface congestion. The absence of errors rules out physical-layer issues, and the consistent latency on that specific hop points to a bottleneck at that router's egress interface.

Exam trap

The exam often tests the distinction between latency caused by queuing (congestion) and loss caused by routing loops; the trap is to read high latency as a routing loop or firewall inspection, when variable response times with clean interface counters point to queuing at a congested interface.

How to eliminate wrong answers

Option A is wrong because a routing loop would cause packets to be dropped or TTL to expire, resulting in timeouts or unreachable messages, not consistently high latency with varying responses. Option C is wrong because DNS misconfiguration would cause delays in name resolution, not in file transfers that are already using IP addresses or established connections, and traceroute does not rely on DNS for hop latency measurements. Option D is wrong because firewall inspection typically adds a fixed processing delay per packet, not varying queuing delays, and would not cause the latency to be isolated to a single hop with no errors reported on the interface.

388
MCQ · easy

Which of the following network topologies connects each node to exactly two other nodes, forming a closed loop?

A.Star
B.Bus
C.Ring
D.Mesh
Answer: C

Ring topology connects each node to exactly two neighbors, forming a continuous loop for data transmission.

Why this answer

In a ring topology, each node is connected to exactly two neighbors, forming a closed loop where data travels in one direction (or sometimes dual-ring for redundancy). This is the only topology among the options that inherently creates a circular path with each node having exactly two connections.

Exam trap

The trap here is that candidates often confuse a logical ring (like Token Ring or FDDI) with a physical star-wired ring, where the wiring appears star-shaped but the logical data path is a ring, leading them to incorrectly select 'Star' because they see a central device.

How to eliminate wrong answers

Option A is wrong because a star topology connects all nodes to a central hub or switch, not to exactly two other nodes. Option B is wrong because a bus topology uses a single shared backbone cable where each node taps into the line, and nodes are not connected in a closed loop. Option D is wrong because a mesh topology (full or partial) connects nodes with multiple redundant paths, and each node typically has more than two connections, not exactly two.

389
MCQ · hard

An IT security analyst is implementing a solution to detect malware on endpoints by monitoring system calls and file integrity. Which of the following types of controls is being deployed?

A.Host-based Intrusion Detection System (HIDS)
B.Network-based Intrusion Detection System (NIDS)
C.Firewall
D.Virtual Private Network (VPN)
Answer: A

HIDS monitors the host's internals like system calls, logs, and file changes for signs of intrusion or malware.

Why this answer

A Host-based Intrusion Detection System (HIDS) monitors system calls, file integrity, and operating system logs directly on the endpoint. This matches the scenario because the analyst is deploying a solution that detects malware by observing low-level system behavior and verifying file integrity, which are core HIDS functions.

Exam trap

The trap here is that candidates confuse HIDS with NIDS, thinking any 'intrusion detection' must be network-based, but the question's focus on system calls and file integrity clearly points to host-level monitoring.

How to eliminate wrong answers

Option B is wrong because a Network-based Intrusion Detection System (NIDS) monitors network traffic for malicious patterns, not system calls or file integrity on individual endpoints. Option C is wrong because a firewall controls traffic flow based on rules (e.g., IP addresses, ports) and does not monitor system calls or file integrity. Option D is wrong because a Virtual Private Network (VPN) encrypts traffic between endpoints and does not perform intrusion detection or file integrity monitoring.
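An added Python sketch (not the page's code and not any product's) of the file-integrity half of a HIDS: hash every regular file under a directory into a baseline, re-scan later and report files that were added, removed, modified or had their permissions changed. The demo builds a throwaway tree in a temporary directory and tampers with it; all of the data is constructed, and the permission check assumes a POSIX host.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]   # relative path -> (sha256 hex, permission bits)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Baseline:
    """Hash and record the mode of every regular file below root (symlinks skipped)."""
    out: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = (sha256_file(p), p.stat().st_mode & 0o7777)
    return out


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines into the four findings a FIM alert would carry."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in common if old[k][0] != new[k][0]),
        "mode_changed": sorted(k for k in common if old[k][0] == new[k][0] and old[k][1] != new[k][1]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        before = take_baseline(root)

        # Tampering: trojaned binary, extra UID-0 account, deleted file, new file, loosened permissions
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# trojaned\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nbackup:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "id").write_bytes(b"#!/bin/sh\n")
        os.chmod(root / "etc" / "shadow", 0o644)
        return compare(before, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Real HIDS agents (OSSEC/Wazuh, AIDE, Tripwire) keep the baseline off-host or signed, because an attacker who can alter the files can also rewrite a baseline stored beside them; the demo keeps it in memory only to show the comparison.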

390
MCQ · medium

Which IPv6 address is reserved for loopback?

A.::1
B.::
C.127.0.0.1
D.2000::/3
Answer: A

::1 is the IPv6 loopback address used to send traffic to itself.

Why this answer

The IPv6 loopback address is ::1 (equivalent to 127.0.0.1 in IPv4). It is used by a host to send traffic to itself without any physical network interface involvement, as defined in RFC 4291. This address is not routable and should never appear outside the host.

Exam trap

The trap here is that candidates confuse the unspecified address (::) with the loopback address (::1), or mistakenly apply the IPv4 loopback concept (127.0.0.1) to IPv6 without recognizing the different notation.

How to eliminate wrong answers

Option B (::) is wrong because it represents the unspecified address, used during Duplicate Address Detection (DAD) or as a source address before a valid address is assigned, not for loopback. Option C (127.0.0.1) is wrong because it is the IPv4 loopback address, not an IPv6 address. Option D (2000::/3) is wrong because it is the global unicast address prefix for routable IPv6 addresses, not reserved for loopback.

391
MCQ · hard

An attacker is launching a DHCP starvation attack by sending a large number of DHCP discover messages with spoofed MAC addresses. This exhausts the DHCP pool and causes legitimate clients to fail to obtain IP addresses. Which security feature should be implemented on the switch to mitigate this attack?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection (DAI)
D.802.1X
Answer: B

DHCP snooping includes rate limiting and filters DHCP messages on untrusted ports, effectively preventing DHCP starvation and rogue DHCP servers.

Why this answer

DHCP snooping is the correct mitigation because it treats access ports as untrusted. DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted ports (typically the uplink toward the legitimate server) and dropped everywhere else, which stops rogue servers, and DHCP packets on untrusted ports can be rate-limited per port, so a port flooding DISCOVER messages is error-disabled before the pool runs dry. The binding table that snooping builds from successful leases (MAC, IP, VLAN, port, lease time) is not what enforces the rate limit; it is the data that Dynamic ARP Inspection and IP Source Guard consult.

Exam trap

CompTIA often tests DHCP snooping as the answer for DHCP starvation attacks, but candidates confuse it with DAI because both rely on the DHCP snooping binding table, forgetting that DAI only validates ARP packets, not DHCP messages.

How to eliminate wrong answers

Option A is wrong because port security limits the number of source MAC addresses learned on a port, which does blunt tools that change the Ethernet source address per frame, but it does not look inside DHCP; an attacker who keeps one source MAC and varies only the client hardware address (chaddr) in the DHCP payload passes it, which is why DHCP snooping is the feature the exam wants. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing, but it does not inspect or rate-limit DHCP DISCOVER messages, so it cannot mitigate a DHCP starvation attack. Option D is wrong because 802.1X provides port-based network access control through authentication (e.g., with RADIUS), but it does not filter or rate-limit DHCP traffic; once a client is authenticated, it can still send a flood of DISCOVERs.
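An added model (Python, not from the page) of what DHCP snooping does on an untrusted port: server messages are dropped, the client hardware address in the DHCP payload must match the Ethernet source address (Cisco's `ip dhcp snooping verify mac-address`), and DHCP packets are rate-limited per port, with the port error-disabled when the limit is exceeded (Cisco's `ip dhcp snooping limit rate`). The message stream, port names and the 15 pps limit are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Set

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpMsg(NamedTuple):
    port: str
    t: float       # arrival time in seconds
    src_mac: str   # Ethernet source address of the frame
    chaddr: str    # client hardware address carried inside the DHCP payload
    kind: str      # DISCOVER, REQUEST, OFFER, ACK, NAK


class SnoopingSwitch:
    def __init__(self, trusted_ports: Iterable[str], limit_pps: int = 15, verify_mac: bool = True):
        self.trusted: Set[str] = set(trusted_ports)
        self.limit_pps = limit_pps
        self.verify_mac = verify_mac
        self.errdisabled: Set[str] = set()
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # per-port arrivals in the last second

    def handle(self, m: DhcpMsg) -> str:
        if m.port in self.errdisabled:
            return "drop:port-errdisabled"
        if m.port in self.trusted:              # uplink towards the real DHCP server
            return "forward"
        if m.kind in SERVER_MESSAGES:           # rogue server on an access port
            return "drop:server-message-on-untrusted-port"
        if self.verify_mac and m.src_mac.lower() != m.chaddr.lower():
            return "drop:chaddr-mismatch"       # spoofed chaddr behind a fixed source MAC
        window = self._window[m.port]
        window.append(m.t)
        while window and m.t - window[0] >= 1.0:
            window.popleft()
        if len(window) > self.limit_pps:        # starvation tool exceeding the per-port rate
            self.errdisabled.add(m.port)
            return "errdisable:rate-limit-exceeded"
        return "forward"

    def run(self, msgs: Iterable[DhcpMsg]) -> List[str]:
        return [self.handle(m) for m in msgs]


def mac(n: int) -> str:
    """Locally administered test MAC derived from a small integer."""
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


# Constructed stream: Gi1/0/24 is the uplink to the DHCP server; Gi1/0/3 is a normal
# client; Gi1/0/5 runs a rogue server; Gi1/0/7 runs a starvation tool that changes
# both the source MAC and chaddr per frame; Gi1/0/9 spoofs only chaddr.
SAMPLE = (
    [DhcpMsg("Gi1/0/3", 1.0, mac(1), mac(1), "DISCOVER"),
     DhcpMsg("Gi1/0/24", 1.1, "00:11:22:33:44:55", mac(1), "OFFER"),
     DhcpMsg("Gi1/0/5", 1.2, mac(2), mac(1), "OFFER"),
     DhcpMsg("Gi1/0/9", 1.3, mac(3), mac(99), "DISCOVER")]
    + [DhcpMsg("Gi1/0/7", 10.0 + 0.02 * i, mac(100 + i), mac(100 + i), "DISCOVER") for i in range(20)]
)

if __name__ == "__main__":
    for m, action in zip(SAMPLE, SnoopingSwitch(trusted_ports=["Gi1/0/24"]).run(SAMPLE)):
        print(f"{m.port:<9} {m.kind:<9} {action}")
```

The starvation tool on Gi1/0/7 gets fifteen DISCOVERs through inside one second, the sixteenth trips the limit and the port goes err-disabled; pair that with the errdisable recovery interval from question 378 if the port should come back on its own. Real switches count every DHCP packet on the port toward the limit, and the bindings they record from the exchanges that are forwarded are what DAI (option C) later consults.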

392
MCQ · medium

An organization has separate VLANs for the HR and Finance departments. Both VLANs use a single Layer 3 switch to route between them. The HR department needs access to a shared printer located in the Finance VLAN, but all other traffic between the VLANs should be blocked. Which of the following should be configured?

A.Configure an ACL on the Layer 3 switch to permit specific traffic between VLANs
B.Place the printer in the HR VLAN
C.Create a separate VLAN for the printer
D.Use a wireless access point to bridge the VLANs
Answer: A

ACLs on the Layer 3 switch can filter inter-VLAN traffic to allow only the required printer access.

Why this answer

An ACL on the Layer 3 switch can filter inter-VLAN traffic at the routed interface (SVI or routed port). By permitting only the HR subnet’s traffic to the printer’s IP address and denying all other inter-VLAN traffic, you meet the requirement of selective access while blocking everything else. This is the standard method for policy-based segmentation between VLANs.

Exam trap

The trap here is that candidates often think placing the printer in the same VLAN or creating a dedicated VLAN solves the problem, but they overlook that ACLs are the precise tool for granular, policy-based filtering between VLANs on a Layer 3 switch.

How to eliminate wrong answers

Option B is wrong because moving the printer to the HR VLAN would place it in the same broadcast domain as HR, eliminating the need for routing but failing to keep the printer logically separate from Finance; the printer is a shared resource that should remain accessible to HR without being physically or logically relocated. Option C is wrong because creating a separate VLAN for the printer would require additional routing rules and still allow all traffic from HR to that VLAN unless an ACL is applied, making it an unnecessary extra step that does not by itself block other inter-VLAN traffic. Option D is wrong because a wireless access point bridges at Layer 2, not Layer 3, and would merge the VLANs or create a security bypass, violating the requirement to block all other traffic between VLANs.
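An added Python model (not from the page) of the first-match ACL the answer describes, applied inbound on the HR SVI: permit HR to the printer on the printing ports, deny everything else from HR to Finance, permit the rest. The subnets, the printer address and the ports (9100 raw, 631 IPP) are assumptions made for the example. It also shows the two things that bite in practice: rule order, and the implicit deny at the end of every ACL.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str               # source network in CIDR
    dst: str               # destination network in CIDR (a single host is a /32)
    dport: Optional[int]   # destination port, None = any


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Assumed addressing for the example.
HR_VLAN = "10.10.0.0/24"
FINANCE_VLAN = "10.20.0.0/24"
PRINTER = "10.20.0.50/32"
ANY = "0.0.0.0/0"

# Applied inbound on the HR SVI, evaluated top to bottom, first match wins.
ACL_HR_IN: List[Rule] = [
    Rule("permit", "tcp", HR_VLAN, PRINTER, 9100),       # raw (JetDirect) printing
    Rule("permit", "tcp", HR_VLAN, PRINTER, 631),        # IPP
    Rule("deny",   "ip",  HR_VLAN, FINANCE_VLAN, None),  # everything else towards Finance
    Rule("permit", "ip",  HR_VLAN, ANY, None),           # servers, internet, other VLANs
]

# The same rules with the deny moved first: the printer becomes unreachable.
ACL_WRONG_ORDER: List[Rule] = [ACL_HR_IN[2], ACL_HR_IN[0], ACL_HR_IN[1], ACL_HR_IN[3]]


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule decides; an ACL with no match denies (the implicit deny)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for f in (Flow("tcp", "10.10.0.25", "10.20.0.50", 9100),
              Flow("tcp", "10.10.0.25", "10.20.0.50", 22),
              Flow("tcp", "10.10.0.25", "10.20.0.60", 445),
              Flow("tcp", "10.10.0.25", "203.0.113.9", 443)):
        print(f, "->", evaluate(ACL_HR_IN, f), "| wrong order ->", evaluate(ACL_WRONG_ORDER, f))
```

Two caveats for the real configuration. Router ACLs are stateless, so if the Finance SVI also gets a restrictive inbound ACL it needs a permit (or an `established`/reflexive entry) for the printer's replies back to HR. And the rule set above permits HR to the printer's management ports only if they are listed; SSH to the printer (port 22) falls through to the Finance deny, which is usually what you want.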

393
MCQ · hard

A security analyst discovers that an attacker is sending large numbers of incomplete TCP connection requests to a server, causing the server to run out of resources and stop responding to legitimate requests. Which type of attack is this, and which mitigation should be implemented?

A.SYN flood; enable TCP intercept or SYN cookies
B.Ping flood; implement rate limiting
C.Smurf attack; disable IP-directed broadcasts
D.ARP poisoning; enable dynamic ARP inspection
Answer: A

The attack is a SYN flood. TCP intercept (or SYN cookies) allows the server to manage half-open connections and mitigate resource exhaustion.

Why this answer

This is a SYN flood attack, where the attacker sends a high volume of TCP SYN packets without completing the three-way handshake, exhausting the server's connection queue. Enabling TCP intercept (on Cisco devices) or SYN cookies (RFC 4987) allows the server to validate handshakes before allocating resources, mitigating the attack.

Exam trap

The trap here is that candidates confuse a SYN flood with a ping flood or Smurf attack because all involve flooding, but only SYN floods target the TCP three-way handshake state table.

How to eliminate wrong answers

Option B is wrong because a ping flood uses ICMP Echo Request packets, not TCP connection requests, and rate limiting is a generic mitigation that does not address the specific TCP state exhaustion. Option C is wrong because a Smurf attack amplifies ICMP traffic using IP-directed broadcasts, not incomplete TCP connections, and disabling directed broadcasts does not prevent SYN floods. Option D is wrong because ARP poisoning manipulates Layer 2 address resolution to intercept traffic, not exhaust TCP resources, and dynamic ARP inspection is a mitigation for ARP spoofing, not SYN floods.
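An added Python implementation (not from the page) of the SYN-cookie idea from RFC 4987, in a simplified Linux-style layout: the server's initial sequence number is 5 bits of a slow time counter, 3 bits encoding the client's MSS, and 24 bits of a keyed hash over the 4-tuple, the client's ISN and the counter. No state is kept for the half-open connection; when the ACK arrives the server recomputes the hash from the packet and accepts the connection only if the cookie checks out and is at most one counter tick old. The key, the addresses and the counter values are constructed.

```python
import hashlib
import hmac
from typing import Optional

# MSS values the 3-bit field can express; real stacks use a similar small table.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_WINDOW = 1      # accept cookies minted under the current or the previous counter value
MASK32 = 0xFFFFFFFF


class SynCookieServer:
    """Stateless handling of the SYN half of the handshake."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def _mac24(self, saddr: str, sport: int, daddr: str, dport: int, client_isn: int, counter: int) -> bytes:
        msg = f"{saddr}|{sport}|{daddr}|{dport}|{client_isn}|{counter}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def make_cookie(self, saddr, sport, daddr, dport, client_isn: int, mss: int, counter: int) -> int:
        """Server ISN to put in the SYN-ACK; nothing is stored for this client."""
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):     # largest table entry the client can take
            if m <= mss:
                mss_idx = i
        mac = int.from_bytes(self._mac24(saddr, sport, daddr, dport, client_isn, counter), "big")
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

    def check_ack(self, saddr, sport, daddr, dport, seq: int, ack: int, counter: int) -> Optional[int]:
        """Validate the final ACK; return the MSS to use, or None to drop it silently."""
        cookie = (ack - 1) & MASK32            # the ACK acknowledges server ISN + 1
        client_isn = (seq - 1) & MASK32        # and carries client ISN + 1
        t = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        got = (cookie & 0xFFFFFF).to_bytes(3, "big")
        for age in range(COUNTER_WINDOW + 1):
            c = counter - age
            if (c & 0x1F) != t:
                continue
            expected = self._mac24(saddr, sport, daddr, dport, client_isn, c)
            if hmac.compare_digest(expected, got) and mss_idx < len(MSS_TABLE):
                return MSS_TABLE[mss_idx]
        return None


if __name__ == "__main__":
    srv = SynCookieServer(b"constructed-secret-rotate-me")
    # Client SYN: 198.51.100.7:40000 -> 192.0.2.10:443, ISN 1000, MSS 1460, at counter tick 42
    isn = srv.make_cookie("198.51.100.7", 40000, "192.0.2.10", 443, 1000, 1460, 42)
    # Its ACK carries seq = client ISN + 1 and ack = server ISN + 1
    print("handshake accepted, mss:", srv.check_ack("198.51.100.7", 40000, "192.0.2.10", 443, 1001, isn + 1, 42))
    print("forged ack:", srv.check_ack("198.51.100.7", 40000, "192.0.2.10", 443, 1001, 12345, 42))
```

A flood of SYNs with spoofed sources now costs the server one HMAC per packet and no memory, which is the whole point. The price, noted in RFC 4987, is that everything not encoded in the 32-bit ISN is lost: window scaling, SACK and timestamps negotiated in the SYN are forgotten unless the client echoes them, and the MSS is rounded down to a table entry. That is why stacks only switch cookies on once the backlog fills rather than using them for every connection.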

394
MCQmedium

A company is setting up a new branch office and needs to connect it to the main office over the internet using a secure VPN. The branch office has a dynamic public IP address. Which type of VPN should be configured?

A.Site-to-site IPsec VPN with static IPs
B.Remote access VPN using SSL
C.Dynamic Multipoint VPN (DMVPN)
D.Policy-based VPN
AnswerC

Correct. DMVPN is designed for hub-and-spoke topologies and can accommodate branch sites with dynamic IP addresses by using mGRE and NHRP.

Why this answer

C is correct because Dynamic Multipoint VPN (DMVPN) is built for exactly this case. Only the hub needs a static, reachable public address; each spoke brings up a multipoint GRE (mGRE) tunnel to the hub and registers its current public address with the hub's Next Hop Resolution Protocol (NHRP) server, so a change in the spoke's dynamic IP requires only a new NHRP registration, not a configuration change on either side. NHRP also lets spokes resolve each other's addresses and build spoke-to-spoke tunnels on demand, and IPsec is applied to the mGRE tunnel to encrypt the traffic.

Exam trap

The trap here is that candidates often choose site-to-site IPsec VPN (Option A) because it is the most familiar VPN type, failing to recognize that dynamic IPs at the branch require a technology like DMVPN that can handle address changes without manual reconfiguration.

How to eliminate wrong answers

Option A is wrong because site-to-site IPsec VPN with static IPs requires both endpoints to have static public IP addresses; the branch office has a dynamic IP, so this configuration would fail when the IP changes. Option B is wrong because remote access VPN using SSL is designed for individual client-to-site connections (e.g., a single user connecting from a laptop), not for connecting an entire branch office network to the main office network. Option D is wrong because policy-based VPNs (which define traffic selectors based on source/destination subnets) still require static IP addresses or a dynamic IP resolution mechanism; they do not inherently handle dynamic spoke IPs like DMVPN does.

395
MCQeasy

A workstation with IP address 10.0.1.5/24 needs to communicate with a server at 10.0.2.10/24. The workstation's default gateway is configured as 10.0.1.1. Which of the following will the workstation do with the IP packets destined for the server?

A.Send the packets directly to the server using ARP.
B.Send the packets to the default gateway.
C.Send the packets to the DNS server for resolution.
D.Drop the packets because the server is on a different network.
AnswerB

Correct. The workstation identifies the destination is on a different subnet and forwards all traffic to the default gateway for routing.

Why this answer

The workstation's IP address (10.0.1.5/24) and the server's IP address (10.0.2.10/24) are on different subnets (10.0.1.0/24 vs. 10.0.2.0/24). When a host determines that the destination is not on the same local network, it will not attempt direct delivery via ARP. Instead, it forwards the IP packet to its configured default gateway (10.0.1.1), which then routes the packet toward the server's subnet.

Exam trap

The trap here is that candidates mistakenly think a host can ARP for any IP address, even across subnets, or that a host will drop traffic to a different subnet without a router, when in fact the host relies on its default gateway to reach remote networks.

How to eliminate wrong answers

Option A is wrong because ARP is used only to resolve the MAC address of a destination on the same local subnet; since the server is on a different subnet, the workstation will not send an ARP request for the server's IP. Option C is wrong because DNS resolution translates hostnames to IP addresses, but the workstation already knows the server's IP address (10.0.2.10) and does not need DNS for forwarding decisions. Option D is wrong because routers (including the default gateway) are designed to forward packets between different subnets; the workstation does not drop packets destined for a different network—it sends them to the gateway.

396
MCQmedium

An NOC technician receives an alert that latency on a critical WAN link has increased significantly. The technician needs to analyze the latency trend over the past week to identify patterns. Which approach is the most efficient for gathering this historical data?

A.Use SNMP traps to alert on each latency spike
B.Use SNMP polling with a suitable MIB to collect latency metrics at regular intervals
C.Run a continuous ping test and manually log timestamps
D.Use traceroute to identify each hop and measure latency per hop
AnswerB

Polling gathers data at set intervals, which can be stored for trend analysis. This is the standard method for historical performance monitoring.

Why this answer

SNMP polling at a regular, configurable interval (for example every 60 seconds) gives the NOC a time series it can store in a management system and chart for the week. The MIB matters: IF-MIB interface counters give utilization and errors, not delay; latency comes from probe-based objects such as DISMAN-PING-MIB or a vendor IP SLA MIB (for example CISCO-RTTMON-MIB) that expose round-trip time measurements. SNMP traps, by contrast, are event-driven and do not provide the periodic samples needed for trend analysis.

Exam trap

The trap here is that candidates confuse SNMP traps (event-driven alerts) with SNMP polling (periodic data collection), assuming traps can provide historical trend data when they are designed only for real-time notifications.

How to eliminate wrong answers

Option A is wrong because SNMP traps are asynchronous alerts triggered by specific events (e.g., threshold crossings), not a method for collecting continuous historical data; they lack the regular interval sampling needed for trend analysis. Option C is wrong because running a continuous ping test and manually logging timestamps is inefficient, error-prone, and does not scale for a week-long analysis; it also lacks automated storage and retrieval. Option D is wrong because traceroute measures per-hop latency at a single point in time and does not provide a continuous historical trend; it is a diagnostic tool for path discovery, not for long-term latency monitoring.

397
MCQeasy

A technician needs to connect two different networks and forward traffic based on IP addresses. Which of the following devices operates at Layer 3 of the OSI model and should be used?

A.Hub
B.Switch
C.Router
D.Bridge
AnswerC

Routers are Layer 3 devices that forward packets based on IP addresses, enabling communication between different networks.

Why this answer

A router operates at Layer 3 (Network layer) of the OSI model and makes forwarding decisions based on IP addresses. It uses routing tables and protocols such as OSPF or BGP to determine the best path for packets between different networks. This makes it the correct device for connecting two distinct networks and forwarding traffic by IP address.

Exam trap

The exam often plays on the fact that a multilayer (Layer 3) switch can also route between networks. That does not change the answer here: the options list only a plain switch, and among hub, switch, bridge, and router the only device defined by Layer 3 forwarding on IP addresses is the router. When the scenario is connecting two different networks and a router is offered, the router is the expected answer.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 (Physical layer) and simply repeats electrical signals to all ports, with no ability to forward traffic based on IP addresses. Option B is wrong because a switch operates primarily at Layer 2 (Data Link layer) and forwards frames based on MAC addresses, not IP addresses; while some switches support Layer 3 routing, a standard switch does not perform IP-based forwarding between different networks. Option D is wrong because a bridge operates at Layer 2 (Data Link layer) and connects two network segments by forwarding frames based on MAC addresses, not IP addresses.

398
MCQhard

A security analyst notices that a user's workstation is sending encrypted DNS queries to an external IP address over TCP port 853. This traffic is being used to establish a covert communication channel to bypass the company's security controls. Which technique is being employed?

A.DNS poisoning
B.DNS tunneling
C.DNS amplification
D.DNS zone transfer
AnswerB

DNS tunneling encapsulates data in DNS queries and responses, often using encryption, to bypass firewalls and exfiltrate data.

Why this answer

DNS tunneling is the correct answer because the analyst observed DNS traffic being used as a covert channel to an external endpoint. The technique encapsulates non-DNS data (e.g., command-and-control traffic or exfiltrated files) inside DNS query names and response records, so it rides through firewalls that permit DNS. The TCP port 853 detail means DNS over TLS (DoT): the query contents are encrypted on the wire, so from the network's vantage point the indicators are the destination (a DoT resolver the organization did not sanction), the volume and persistence of the sessions, and, where resolver or endpoint logs are available, long high-entropy subdomains under a single zone.

Exam trap

The trap here is that candidates may confuse DNS tunneling with DNS poisoning or amplification because all involve DNS abuse, but only tunneling uses DNS as a covert data carrier, not for cache corruption or traffic amplification.

How to eliminate wrong answers

Option A is wrong because DNS poisoning (also known as DNS cache poisoning) involves corrupting a DNS resolver's cache with forged records to redirect users to malicious sites, not establishing a covert channel over encrypted DNS. Option C is wrong because DNS amplification is a volumetric DDoS attack that exploits open resolvers to flood a target with large DNS responses, not a technique for covert communication. Option D is wrong because DNS zone transfer is a legitimate administrative mechanism for replicating DNS zone data between authoritative servers, typically over TCP port 53, and is not used for covert channels.
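An added detection example (not code from the page) that runs the two checks described above over constructed data. Because DoT hides query names from the wire, the first check works on flow records alone: any tcp/853 session to a resolver outside an approved set is flagged. The second check needs visibility into the queries (resolver logs or endpoint telemetry) and scores each client/zone pair on unique subdomain count, first-label entropy, and TXT usage, the classic tunneling signature. The log format, the approved-resolver set, and all addresses and names are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (fields: client, qtype, qname). Not real data.
QUERY_LOG = """\
10.0.5.23 A www.example.com
10.0.5.23 A cdn.example.net
10.0.5.41 TXT 3a7f9c2e1b8d4f60a9c3e5d7b2f1a8c4.t.c2-dom.example
10.0.5.41 TXT 9e1b4d7a2c6f0e3b8a5d9c1f7b2e4a6d.t.c2-dom.example
10.0.5.41 TXT c4d8e2f6a0b3c7d1e5f9a3b7c1d5e9f3.t.c2-dom.example
10.0.5.41 TXT 0b2d4f6a8c1e3f5a7b9d2c4e6f8a0b3c.t.c2-dom.example
10.0.5.41 TXT f1e3d5c7b9a2f4e6d8c0b2a4f6e8d0c2.t.c2-dom.example
10.0.5.23 AAAA mail.example.com
"""
# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("10.0.5.23", "10.0.0.53", 853),       # corporate DoT resolver
    ("10.0.5.41", "198.51.100.77", 853),   # DoT to an unknown external host
]
APPROVED_RESOLVERS = {"10.0.0.53"}         # assumption: the sanctioned resolver


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels sit near 4, words near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname, labels=2):
    """Crude zone cut: last two labels (a real tool would use the public suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def score_queries(log=QUERY_LOG, min_names=5, min_entropy=3.0):
    """Return (client, zone) pairs whose query pattern looks like a tunnel."""
    stats = defaultdict(lambda: {"names": set(), "entropy": [], "txt": 0})
    for line in log.splitlines():
        src, qtype, qname = line.split()
        st = stats[(src, registered_zone(qname))]
        st["names"].add(qname)
        st["entropy"].append(shannon_entropy(qname.split(".")[0]))
        if qtype == "TXT":
            st["txt"] += 1
    suspects = []
    for key, st in stats.items():
        mean_entropy = sum(st["entropy"]) / len(st["entropy"])
        if len(st["names"]) >= min_names and mean_entropy > min_entropy and st["txt"] >= 1:
            suspects.append(key)
    return sorted(suspects)


def unapproved_dot_flows(flows=FLOWS, approved=APPROVED_RESOLVERS):
    """DoT (tcp/853) to anything but the sanctioned resolver is itself the indicator."""
    return [(s, d) for s, d, p in flows if p == 853 and d not in approved]


if __name__ == "__main__":
    print("unapproved DoT:", unapproved_dot_flows())
    print("tunnel suspects:", score_queries())
```

The thresholds are starting points, not rules: CDNs and some security products also generate long hashed labels, so the score should raise a case for a human rather than block on its own.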

399
MCQeasy

A network technician is explaining the function of a default gateway to a junior technician. Which of the following best describes the purpose of a default gateway?

A.It connects two different VLANs.
B.It provides DHCP services to the local network.
C.It routes traffic from the local network to external networks.
D.It translates private IP addresses to public IP addresses.
AnswerC

The default gateway is the next-hop router for all traffic destined to networks not in the local routing table. Without it, devices on the local subnet cannot communicate with external IP addresses.

Why this answer

The default gateway is a router or Layer 3 device that serves as the next-hop destination for packets destined to IP addresses outside the local subnet. When a host determines that the destination IP is not on the same network, it forwards the frame to the default gateway's MAC address, which then routes the packet toward the external network. This is defined in RFC 1122 and is essential for any host that needs to communicate beyond its directly connected segment.

Exam trap

CompTIA often tests the misconception that the default gateway performs NAT or DHCP, but the trap here is that candidates confuse the default gateway's routing function with other network services like address translation or dynamic addressing.

How to eliminate wrong answers

Option A is wrong because connecting two different VLANs requires a Layer 3 device (router or multilayer switch) with an interface in each VLAN or using a router-on-a-stick configuration, not a default gateway; the default gateway is a single next-hop address, not a VLAN interconnect. Option B is wrong because DHCP services are provided by a DHCP server (often a dedicated server or a router with DHCP service enabled), not by the default gateway; the default gateway's role is routing, not address assignment. Option D is wrong because translating private IP addresses to public IP addresses is the function of NAT (Network Address Translation), typically performed by a router or firewall, not the default gateway itself; the default gateway is simply the next-hop router for outbound traffic, regardless of whether NAT is applied.

400
MCQeasy

Which of the following network devices operates primarily at Layer 2 of the OSI model and uses MAC addresses to forward data?

A.Hub
B.Switch
C.Router
D.Firewall
AnswerB

A switch forwards frames based on MAC addresses, operating at the data link layer.

Why this answer

A switch operates primarily at Layer 2 (Data Link layer) of the OSI model, forwarding frames based on destination MAC addresses. It builds a MAC address table by learning source MAC addresses from incoming frames and uses this table to make forwarding decisions, reducing collision domains and improving network efficiency.

Exam trap

The exam often tests the distinction between a switch (Layer 2, MAC-based forwarding) and a router (Layer 3, IP-based forwarding), and the trap here is that candidates may confuse a switch's ability to segment collision domains with routing functionality, or mistakenly think a switch uses IP addresses for forwarding decisions.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 (Physical layer) and simply repeats electrical signals out all ports, with no MAC address awareness or forwarding logic. Option C is wrong because a router operates at Layer 3 (Network layer) and forwards packets based on IP addresses, not MAC addresses. Option D is wrong because a firewall operates at Layers 3-7 (typically inspecting IP addresses, ports, and application data) and does not forward traffic using MAC addresses as its primary function.

401
MCQeasy

Which of the following protocols is used to automatically assign IP addresses to devices on a network?

A.DNS
B.DHCP
C.ARP
D.ICMP
AnswerB

DHCP (Dynamic Host Configuration Protocol) is the correct protocol for automatic IP address assignment.

Why this answer

DHCP (Dynamic Host Configuration Protocol) is the correct answer because it is specifically designed to automatically assign IP addresses and other network configuration parameters (such as subnet mask, default gateway, and DNS servers) to devices on a network. When a client device connects, it sends a DHCP Discover broadcast, and the DHCP server responds with an Offer, followed by a Request and Acknowledgment (DORA process), enabling plug-and-play connectivity.

Exam trap

The exam often tests the distinction between DHCP (address assignment) and DNS (name resolution), leading candidates to confuse the two because both are essential for network communication, but only DHCP handles automatic IP configuration.

How to eliminate wrong answers

Option A (DNS) is wrong because the Domain Name System resolves human-readable domain names (e.g., www.example.com) to IP addresses; it does not assign IP addresses to devices. Option C (ARP) is wrong because the Address Resolution Protocol maps a known IP address to a MAC address on a local network; it is used for layer 2 communication, not for IP address assignment. Option D (ICMP) is wrong because the Internet Control Message Protocol is used for error reporting and diagnostic functions (e.g., ping, traceroute); it has no role in dynamically assigning IP addresses.

402
MCQmedium

A network engineer is designing a network for a large organization. The engineer needs to ensure that broadcast traffic from one VLAN does not propagate to other VLANs while still allowing inter-VLAN communication. Which of the following devices is required to route between VLANs?

A.Layer 2 switch
B.Router
C.Bridge
D.Firewall
AnswerB

A router (or a Layer 3 switch acting as a router) can forward traffic between VLANs by performing routing at Layer 3.

Why this answer

A router is required to route between VLANs because VLANs segment a Layer 2 broadcast domain, and inter-VLAN communication must occur at Layer 3. The router performs routing by receiving frames tagged with the source VLAN, stripping the tag, making a forwarding decision based on the destination IP, and then re-encapsulating the frame with the destination VLAN tag. This process is often implemented using a router-on-a-stick configuration with 802.1Q trunking.

Exam trap

The trap here is that candidates often confuse a Layer 3 switch with a Layer 2 switch and assume any switch can route between VLANs, but a standard Layer 2 switch lacks the routing engine and IP forwarding table required for inter-VLAN communication.

How to eliminate wrong answers

Option A is wrong because a Layer 2 switch forwards frames based on MAC addresses within the same VLAN and cannot route between VLANs; it would require a Layer 3 switch or an external router to perform inter-VLAN routing. Option C is wrong because a bridge operates at Layer 2 to connect two network segments and does not perform IP routing; it would simply forward broadcast traffic between VLANs if they were on the same bridge domain, defeating the isolation requirement. Option D is wrong because a firewall is a security appliance that filters traffic based on rules and can route in some cases, but it is not the primary device designed for efficient inter-VLAN routing; using a firewall for this purpose would introduce unnecessary latency and complexity compared to a dedicated router or Layer 3 switch.

403
MCQmedium

A security team is deploying a new intrusion detection system (IDS) and wants to analyze all traffic entering and exiting the network without introducing latency or a single point of failure. How should the IDS be connected to the network?

A.Inline between the firewall and the core switch
B.Connected to a network tap or spanned port on the core switch
C.Directly connected to the internet router
D.Connected to the management network
AnswerB

Using a network tap or SPAN port allows the IDS to passively listen to traffic without affecting the data path.

Why this answer

Connecting the IDS to a network tap or a spanned port (SPAN/mirror port) on the core switch allows it to receive a copy of all traffic entering and exiting the network without being in the data path. This passive deployment adds no latency because the IDS never forwards or blocks traffic, and it eliminates a single point of failure since the network continues to operate if the IDS fails or is taken offline. One practical caveat: a SPAN port shares the switch's forwarding capacity and silently drops mirrored frames when it is oversubscribed (a busy full-duplex link can exceed the mirror port's rate), so a passive tap is the better choice where complete capture matters.

Exam trap

The exam often tests the distinction between inline (active) and passive (out-of-band) deployments, and the trap here is that candidates mistakenly choose inline placement because they think the IDS must 'see' all traffic by being in the path, ignoring the latency and single-point-of-failure consequences.

How to eliminate wrong answers

Option A is wrong because placing the IDS inline between the firewall and core switch forces all traffic to pass through the device, which introduces latency and creates a single point of failure — if the IDS fails, traffic stops. Option C is wrong because connecting the IDS directly to the internet router would only capture traffic to/from that specific interface, not all network traffic, and it would still be inline if placed in the forwarding path. Option D is wrong because the management network carries only out-of-band administrative traffic, not the production data flows that the IDS needs to analyze.

404
MCQmedium

A network administrator wants to ensure that only authorized devices can access the network on a switch port. The administrator has a list of allowed MAC addresses. Which security feature should be enabled on the switch port?

A.802.1X
B.MAC address filtering
C.Port security
D.VLAN hopping prevention
AnswerC

Port security allows restricting access based on MAC addresses, preventing unauthorized devices.

Why this answer

Port security is the correct feature because it allows the administrator to specify a list of allowed MAC addresses per switch port. When a device with an unauthorized MAC address attempts to connect, the switch can either block the traffic, generate an alert, or disable the port (errdisable state). This directly enforces access control based on the MAC address list provided.

Exam trap

The exam often tests the distinction between port security and MAC address filtering: candidates mistakenly choose 'MAC address filtering' because it sounds correct, but the expected answer is the feature name 'port security', which is also the name of the switch-port command that implements it (switchport port-security on Cisco IOS).

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based authentication protocol that requires a RADIUS server to authenticate users or devices via credentials or certificates, not a static list of MAC addresses. Option B is wrong because MAC address filtering is a general term often used in wireless networks or router ACLs, not a specific Cisco switch feature; on a switch port, the correct implementation is port security, which includes MAC address filtering as a sub-function. Option D is wrong because VLAN hopping prevention (e.g., disabling DTP, setting native VLAN to an unused ID) is a security measure to prevent attackers from jumping between VLANs, not a mechanism to restrict which MAC addresses can access a specific port.

405
Drag & Dropmedium

Drag and drop the steps to set up a wireless network with WPA2-PSK encryption on a SOHO router into the correct order.


Why this order

Wireless setup includes hardware connection, web access, SSID, security, and save.

406
MCQhard

A security analyst observes that an internal server is sending a large volume of TCP SYN packets to various external IP addresses, but never completing the three-way handshake. This behavior is indicative of which type of attack?

A.Man-in-the-middle attack
B.SYN flood attack
C.DDoS amplification attack
D.Smurf attack
AnswerB

A SYN flood attack is characterized by sending numerous SYN packets without completing the handshake, overwhelming the victim's connection table. The internal server is likely compromised and acting as the attacker.

Why this answer

The correct answer is B. A SYN flood attack occurs when an attacker sends a high volume of TCP SYN packets to a target but never completes the three-way handshake by sending the final ACK. This leaves the target's connection table half-open, consuming resources and potentially exhausting its ability to accept legitimate connections.

The observed behavior—internal server sending many SYN packets without completing the handshake—matches the classic signature of a SYN flood, though typically the attacker spoofs the source IP to avoid response traffic.

Exam trap

CompTIA often tests the distinction between a SYN flood (which uses TCP SYN packets and incomplete handshakes) and a DDoS amplification attack (which uses UDP or other protocols with spoofed sources), so candidates mistakenly choose amplification when they see 'large volume' and 'external IPs' without recognizing the TCP SYN signature.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not flooding a target with incomplete TCP handshakes. Option C is wrong because a DDoS amplification attack relies on sending small queries to a vulnerable service (e.g., DNS, NTP) with a spoofed source IP, causing the service to send large responses to the victim; this does not involve TCP SYN packets or incomplete handshakes. Option D is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim; it does not use TCP SYN packets.

407
MCQmedium

A network administrator needs to monitor network traffic to identify which hosts are consuming the most bandwidth. Which of the following tools is BEST suited for this task?

A.NetFlow
B.Syslog server
C.SNMP trap
D.Traceroute
AnswerA

NetFlow analyzes traffic flows and provides detailed usage statistics to identify top talkers and bandwidth hogs.

Why this answer

NetFlow is the best tool for monitoring network traffic to identify bandwidth consumption by hosts because it collects and analyzes IP traffic flow data, providing detailed visibility into source/destination IPs, protocols, and byte counts. Unlike simple interface counters, NetFlow allows an administrator to pinpoint which specific hosts are generating the most traffic, making it ideal for bandwidth usage analysis.

Exam trap

The exam often tests the distinction between monitoring tools by making candidates confuse SNMP (which polls interface counters for aggregate bandwidth) with NetFlow (which provides per-flow granularity for identifying specific hosts).

How to eliminate wrong answers

Option B (Syslog server) is wrong because it collects and stores log messages from network devices, not traffic flow data or bandwidth usage statistics. Option C (SNMP trap) is wrong because it sends asynchronous alerts for specific events (e.g., link up/down) and does not provide continuous traffic flow analysis or per-host bandwidth consumption. Option D (Traceroute) is wrong because it maps the path packets take between hosts using ICMP or UDP probes, but it does not measure bandwidth usage or identify which hosts are consuming the most traffic.
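The two preceding questions (the internal server emitting SYNs that never complete, and finding top talkers) are answered from the same data source, so one added example serves both; it is not code from the page. Flow records modelled on NetFlow v5 fields are constructed inline; the tcp_flags field is the OR of the flag bits seen in the flow, which is what makes SYN-without-ACK flows visible without a packet capture. Addresses, byte counts, and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records (not from the page), shaped like NetFlow v5:
# (src, dst, dst_port, ip_proto, packets, bytes, tcp_flags)
# tcp_flags: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 (OR of all packets in the flow)
FLOWS = [
    ("10.0.1.15", "10.0.2.10",    445, 6, 12000, 17_500_000, 0x1b),  # SMB copy, full handshake
    ("10.0.1.22", "10.0.2.10",    443, 6,   800,    640_000, 0x1b),
    ("10.0.1.15", "10.0.2.11",    443, 6,   300,    210_000, 0x1b),
    ("10.0.1.99", "203.0.113.7",   80, 6,     1,         60, 0x02),  # SYN only, no reply seen
    ("10.0.1.99", "203.0.113.8",   80, 6,     1,         60, 0x02),
    ("10.0.1.99", "203.0.113.9",   80, 6,     1,         60, 0x02),
    ("10.0.1.99", "198.51.100.4",  80, 6,     1,         60, 0x02),
    ("10.0.1.99", "10.0.2.10",    443, 6,    40,      8_000, 0x1b),
    ("10.0.1.22", "10.0.2.53",     53, 17,   20,      2_000, 0x00),  # UDP: no TCP flags
]
SYN, ACK = 0x02, 0x10


def top_talkers(flows=FLOWS, n=3):
    """Bytes sent per source address, largest first (the 'bandwidth hog' view)."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, _pkts, nbytes, _flags in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def syn_only_sources(flows=FLOWS, min_flows=3, min_ratio=0.5):
    """Sources whose TCP flows mostly carry SYN but never ACK: handshakes that never completed.

    Returns (src, syn_only_flows, total_tcp_flows) sorted by source.
    """
    tcp = defaultdict(lambda: [0, 0])  # src -> [syn_only, total_tcp]
    for src, _dst, _port, proto, _pkts, _bytes, flags in flows:
        if proto != 6:
            continue
        tcp[src][1] += 1
        if flags & SYN and not flags & ACK:
            tcp[src][0] += 1
    return sorted(
        (src, syn_only, total)
        for src, (syn_only, total) in tcp.items()
        if total >= min_flows and syn_only / total >= min_ratio
    )


if __name__ == "__main__":
    for src, nbytes in top_talkers():
        print("%-12s %12d bytes" % (src, nbytes))
    for src, syn_only, total in syn_only_sources():
        print("%s: %d of %d TCP flows are SYN-only (possible compromised host)" % (src, syn_only, total))
```

The two views deliberately disagree about what matters: 10.0.1.15 dominates by volume and is probably a legitimate file copy, while 10.0.1.99 moves almost no data yet stands out by flow count and flag pattern, which is the signature the hard question is describing.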

408
MCQhard

A security analyst discovers that users on the network are receiving ARP replies that map the default gateway IP address to an unknown MAC address. This is causing intermittent connectivity issues. Which type of attack is occurring, and what security feature should be implemented to prevent it?

A.MAC flooding; port security
B.ARP poisoning; Dynamic ARP Inspection (DAI)
C.DHCP starvation; DHCP snooping
D.DNS poisoning; DNSSEC
AnswerB

DAI trusts only ARP responses that match a valid IP-to-MAC binding, preventing ARP spoofing.

Why this answer

This attack is ARP poisoning (also called ARP spoofing), where an attacker sends forged ARP replies to associate the default gateway's IP address with the attacker's MAC address. This allows the attacker to intercept, modify, or drop traffic intended for the gateway. Dynamic ARP Inspection (DAI) prevents this by validating ARP packets against a trusted DHCP snooping binding table, dropping any ARP reply that contains an IP-to-MAC mapping not present in the table.

Exam trap

CompTIA often tests the distinction between Layer 2 attacks (ARP poisoning, MAC flooding) and Layer 3/4 attacks (DHCP starvation, DNS poisoning), so candidates mistakenly choose DHCP starvation or DNS poisoning because they involve 'spoofing' or 'poisoning' without recognizing that the symptom—ARP replies mapping the gateway IP to an unknown MAC—is a direct indicator of ARP manipulation.

How to eliminate wrong answers

Option A is wrong because MAC flooding floods the switch's CAM table with fake MAC addresses to force it into fail-open mode, causing unicast flooding, not ARP reply manipulation; port security limits the number of MAC addresses per port but does not validate ARP mappings. Option C is wrong because DHCP starvation exhausts the DHCP server's IP address pool by sending many fake DHCP requests, preventing legitimate clients from obtaining IPs, not by sending forged ARP replies; DHCP snooping filters untrusted DHCP messages but does not directly inspect ARP packets. Option D is wrong because DNS poisoning corrupts DNS resolver caches to redirect domain names to malicious IPs, not by manipulating ARP replies at Layer 2; DNSSEC adds cryptographic signatures to DNS records but does not operate at the ARP level.

409
MCQmedium

A security analyst discovers that an unauthorized device is sending forged ARP replies, causing other devices to map the default gateway IP address to the attacker's MAC address. Which security feature should be implemented on the switches to prevent this attack?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.BPDU guard
AnswerC

DAI specifically inspects ARP messages and blocks invalid ones, directly countering ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) is the correct choice because it validates ARP packets on a per-port basis, ensuring that only legitimate ARP replies with correct IP-to-MAC bindings are forwarded. DAI uses a DHCP snooping binding table (or static ARP ACLs) to intercept and verify ARP packets, dropping forged replies that attempt to poison the ARP cache of other devices.

Exam trap

CompTIA often tests the distinction between DHCP snooping (which builds the binding table) and Dynamic ARP Inspection (which uses that table to filter ARP), leading candidates to mistakenly choose DHCP snooping as the direct defense against ARP spoofing.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses per port or restricts specific MAC addresses, but it does not inspect the content of ARP messages or prevent ARP spoofing. Option B is wrong because DHCP snooping builds a trusted binding table of IP-to-MAC mappings, but it alone does not filter ARP traffic; it is a prerequisite for DAI, not the direct defense against forged ARP replies. Option D is wrong because BPDU guard is a Spanning Tree Protocol (STP) feature that disables a port if a BPDU is received, protecting against bridge loops, not ARP spoofing attacks.
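The two ARP questions above describe the same decision a switch running Dynamic ARP Inspection makes on every ARP packet from an untrusted port, so one added example serves both (it is not code from the page or from any vendor's implementation). The binding table is what DHCP snooping would have learned, with the gateway entered statically as an ARP ACL would; the ports, addresses, and sample replies are constructed for the example.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "port sender_ip sender_mac")

# Constructed binding table: ip -> (mac, port). In practice DHCP snooping fills
# this as leases are handed out; static hosts such as the gateway are added by hand.
BINDINGS = {
    "10.0.1.1":  ("00:11:22:33:44:01", "Gi1/0/1"),    # gateway, reached via the uplink
    "10.0.1.20": ("aa:bb:cc:dd:ee:20", "Gi1/0/20"),
    "10.0.1.21": ("aa:bb:cc:dd:ee:21", "Gi1/0/21"),
}
TRUSTED_PORTS = {"Gi1/0/1"}  # uplink toward the router; DAI does not inspect trusted ports

# Constructed ARP replies as seen by the switch.
SAMPLE_REPLIES = [
    ArpReply("Gi1/0/20", "10.0.1.20", "aa:bb:cc:dd:ee:20"),  # legitimate
    ArpReply("Gi1/0/21", "10.0.1.1",  "aa:bb:cc:dd:ee:21"),  # host claims to be the gateway
    ArpReply("Gi1/0/21", "10.0.1.21", "de:ad:be:ef:00:01"),  # wrong MAC for its own IP
    ArpReply("Gi1/0/1",  "10.0.1.1",  "00:11:22:33:44:01"),  # arrives on the trusted uplink
    ArpReply("Gi1/0/22", "10.0.1.22", "aa:bb:cc:dd:ee:22"),  # no binding at all
]


def inspect(reply, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Decide ('forward', reason) or ('drop', reason) the way DAI would."""
    if reply.port in trusted:
        return "forward", "trusted port, not inspected"
    entry = bindings.get(reply.sender_ip)
    if entry is None:
        return "drop", "no binding for %s" % reply.sender_ip
    mac, port = entry
    if mac.lower() != reply.sender_mac.lower():
        return "drop", "%s is bound to %s, reply claims %s" % (reply.sender_ip, mac, reply.sender_mac)
    if port != reply.port:
        return "drop", "%s is bound to %s, reply arrived on %s" % (reply.sender_ip, port, reply.port)
    return "forward", "binding matches"


def dropped(replies=SAMPLE_REPLIES):
    """(sender_ip, sender_mac) of every reply DAI would discard."""
    return [(r.sender_ip, r.sender_mac) for r in replies if inspect(r)[0] == "drop"]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        action, why = inspect(r)
        print("%-9s %-10s %-18s %-7s %s" % (r.port, r.sender_ip, r.sender_mac, action, why))
```

Note the dependency the exam trap points at: with an empty binding table (DHCP snooping not enabled, or a static host never added) every reply from an untrusted port is dropped, which is the usual cause of "DAI broke the network" tickets.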

410
MCQmedium

A new switch is installed in a remote wiring closet. It has been configured with a management IP address of 10.1.2.50/24. The switch is connected via a trunk to the distribution switch, and the management station (10.1.1.0/24) is on a different subnet. The switch cannot be pinged from the management station. The distribution switch has routing to the 10.1.2.0/24 subnet. What is the most likely cause?

A.The management VLAN is not allowed on the trunk.
B.The default gateway is not configured on the new switch.
C.The switch port to the distribution switch is in access mode.
D.The management IP is configured on the wrong VLAN.
AnswerB

The switch must have a default gateway pointing to the distribution switch to route responses to other subnets.

Why this answer

The management station is on subnet 10.1.1.0/24, while the switch's management IP is 10.1.2.50/24. For the switch to reply to pings from a different subnet, it must have a default gateway configured so it knows where to send return traffic. Without a default gateway, the switch will only respond to traffic on its local subnet, making it unreachable from the management station.

Exam trap

The exam often tests the misconception that a management IP alone is sufficient for remote access; candidates forget that a default gateway is mandatory for inter-subnet communication, especially when the management station and switch are on different subnets.

How to eliminate wrong answers

Option A is wrong because if the management VLAN were not allowed on the trunk, no management-VLAN traffic would reach the distribution switch at all; the question states the distribution switch has routing to 10.1.2.0/24 and frames the problem as the new switch's inability to reach other subnets, which points at the switch's own configuration rather than the trunk. Option C is wrong because the question states the uplink is a trunk; an access-mode port would carry only one VLAN, and the symptom would then depend on whether that VLAN is the management VLAN, which the scenario gives no reason to suspect. Option D is wrong because the question provides no evidence of a VLAN mismatch, and even with the management IP on the correct VLAN the switch still cannot answer a host on 10.1.1.0/24 without a default gateway; the missing gateway is the most direct cause given the facts.
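Questions 395, 399 and 410 all hinge on one host-side decision: match the destination against the routing table, deliver directly (ARP for the destination) when a connected route wins, hand the packet to the default gateway (ARP for the gateway) when only the default route matches, and drop it when nothing matches. The added example below (not code from the page) implements that longest-prefix-match decision and reproduces both the workstation case and the management switch that has no default gateway; it uses Python's standard ipaddress module and constructed addresses.

```python
import ipaddress


def build_table(ip_with_prefix, default_gateway=None):
    """Host routing table: the connected route plus, optionally, a default route.

    A route with gateway None means 'deliver directly on this link'.
    """
    iface = ipaddress.ip_interface(ip_with_prefix)
    table = [(iface.network, None)]
    if default_gateway:
        table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gateway)))
    return table


def next_hop(table, destination):
    """Longest-prefix match.

    Returns ('direct', dest), ('via', gateway) or ('unreachable', None).
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for net, gw in table:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "unreachable", None      # no route at all: dropped locally
    _net, gw = best
    if gw is None:
        return "direct", dest           # ARP for the destination itself
    return "via", gw                    # ARP for the gateway, not the destination


def arp_target(table, destination):
    """The IP the host will actually ARP for, or None when the packet is dropped."""
    kind, hop = next_hop(table, destination)
    return None if kind == "unreachable" else str(hop)


if __name__ == "__main__":
    workstation = build_table("10.0.1.5/24", "10.0.1.1")
    print("10.0.2.10 ->", next_hop(workstation, "10.0.2.10"))   # via 10.0.1.1
    print("10.0.1.77 ->", next_hop(workstation, "10.0.1.77"))   # direct

    # Question 410: switch with a management IP but no 'ip default-gateway'.
    switch = build_table("10.1.2.50/24")
    print("reply to 10.1.1.10 ->", next_hop(switch, "10.1.1.10"))  # unreachable
    switch = build_table("10.1.2.50/24", "10.1.2.1")
    print("reply to 10.1.1.10 ->", next_hop(switch, "10.1.1.10"))  # via 10.1.2.1
```

The switch case is the useful one to internalise: the distribution switch can deliver the ping request to 10.1.2.50 because it has a route to that subnet, but the reply dies inside the new switch, so from the management station the device simply looks down.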

411
MCQmedium

A network administrator needs to replace a core switch that is nearing end-of-life. According to change management best practices, which step should the administrator perform FIRST?

A.Notify users of the outage
B.Order the replacement switch
C.Install the new switch
D.Submit a change request
AnswerD

Submitting a change request is the first step in the formal change management process.

Why this answer

Option D is correct because, according to change management best practices, the first step is to create a detailed change request or plan that documents the scope, risk assessment, rollback procedures, and approval requirements. This ensures all stakeholders review and authorize the replacement before any physical work begins, minimizing network downtime and operational impact.

Exam trap

The trap here is that candidates often confuse the urgency of replacing an end-of-life device with the need to bypass formal change management steps, assuming immediate action is required rather than following the documented approval process.

How to eliminate wrong answers

Option A is wrong because immediately notifying users of an outage before the change is approved violates change management procedures; notification should occur after the change is scheduled and approved. Option B is wrong because ordering the replacement switch before assessing compatibility, configuration requirements, and obtaining change approval can lead to procurement of incorrect hardware or unnecessary delays. Option C is wrong because physically installing the new switch without prior change approval, testing, and rollback planning bypasses the mandatory review and authorization steps, risking unplanned outages.

412
MCQmedium

A network technician is troubleshooting a workstation that is experiencing intermittent connectivity and slow file transfers. The technician has confirmed that the patch cable passes a cable tester, the switch port is not error-disabled, and the workstation's NIC is configured for autonegotiation. The switch port is also set to autonegotiate. Which of the following should the technician check next?

A.The route table on the default gateway
B.The duplex and speed settings on both ends
C.The DNS server configuration
D.The MAC address filtering on the switch
AnswerB

Autonegotiation can fail, resulting in a duplex mismatch where one side runs at half-duplex and the other at full-duplex. This causes collisions and retransmissions, leading to intermittent connectivity and slow transfers.

Why this answer

Option B is correct because intermittent connectivity and slow file transfers, despite a passing cable test and autonegotiation on both ends, strongly indicate a duplex mismatch. Autonegotiation can fail silently: if one side does not see the other's link pulses (a marginal NIC or switch port, or a driver fault), it falls back to parallel detection, which recovers the speed but not the duplex, so it defaults to half-duplex while the peer runs full-duplex. The half-duplex side then logs collisions and late collisions, the full-duplex side logs CRC/FCS errors and runts, and TCP throughput collapses under retransmissions. The technician should verify the actual negotiated duplex and speed on both ends, using 'show interfaces' on the switch and the NIC driver properties (or ethtool on Linux) on the workstation, rather than trusting that autonegotiation is merely enabled.

Exam trap

CompTIA often tests the misconception that if a cable tester passes and autonegotiation is enabled on both ends, the link must be fully functional; the trap is that autonegotiation can fail silently, resulting in a duplex mismatch that produces exactly the symptoms described.

How to eliminate wrong answers

Option A is wrong because the route table on the default gateway affects Layer 3 path selection, not the physical or data-link layer issues causing intermittent connectivity and slow transfers on a local link. Option C is wrong because DNS server configuration impacts name resolution, not throughput or link stability; slow file transfers and intermittent connectivity are symptoms of Layer 1 or Layer 2 problems. Option D is wrong because MAC address filtering on the switch would either block or allow traffic entirely, not cause intermittent connectivity or slow transfers; it does not affect negotiated speed or duplex.

413
MCQmedium

A network administrator needs to monitor network devices using SNMP. The security policy requires that both authentication and data encryption must be enforced for all SNMP operations. Which SNMPv3 security level should be configured?

A.authPriv
B.noAuthNoPriv
C.authNoPriv
D.noAuthPriv
AnswerA

Correct. authPriv provides both authentication (HMAC-MD5 or HMAC-SHA) and encryption (CBC-DES or CFB-AES).

Why this answer

The authPriv security level is correct because it enforces both authentication (via HMAC-MD5 or HMAC-SHA) and data encryption (via DES or AES) for SNMPv3 operations, satisfying the security policy requirement. SNMPv3 defines three security levels: noAuthNoPriv, authNoPriv, and authPriv, with authPriv being the only one that provides both authentication and encryption.

Exam trap

The trap here is twofold: candidates pick authNoPriv because they assume authentication alone satisfies 'security', and the distractor noAuthPriv sounds plausible even though SNMPv3 never defines it; the standard requires authentication before encryption can be applied, so there is no encryption-only level.

How to eliminate wrong answers

Option B (noAuthNoPriv) is wrong because it provides neither authentication nor encryption, which violates the requirement for both. Option C (authNoPriv) is wrong because it provides authentication but no encryption, failing the data encryption requirement. Option D (noAuthPriv) is wrong because it is not a valid SNMPv3 security level; SNMPv3 does not define a level with encryption without authentication.

414
MCQeasy

A user reports that they cannot access the internet. The network technician checks the workstation's IP configuration and finds the IP address 169.254.15.77. What does this address indicate?

A.The workstation has a static IP address configured.
B.The DHCP server is unreachable.
C.The DNS server is down.
D.The default gateway is misconfigured.
AnswerB

APIPA is used when a DHCP server is not available. The workstation cannot obtain a proper IP address, so it self-assigns an APIPA address. This prevents internet access because APIPA addresses are not routable.

Why this answer

The IP address 169.254.15.77 falls within the Automatic Private IP Addressing (APIPA) range (169.254.0.0/16, per RFC 3927). This address is automatically assigned by the operating system when a DHCP client fails to receive a lease from a DHCP server, indicating that the DHCP server is unreachable or not responding.

Exam trap

The trap here is that candidates often confuse APIPA with a DNS failure or gateway issue, but APIPA specifically indicates a DHCP lease failure, not a problem with higher-layer services like DNS or routing.

How to eliminate wrong answers

Option A is wrong because a static IP address would be manually configured, not an APIPA address; APIPA is only used when no static or DHCP-assigned address is available. Option C is wrong because a DNS server being down would not cause the workstation to obtain an APIPA address; DNS failure would result in name resolution errors, but the workstation would still have a valid IP from DHCP or static configuration. Option D is wrong because a misconfigured default gateway would not trigger APIPA; the workstation would still have a valid DHCP-assigned or static IP, but traffic would fail to route beyond the local subnet.

415
MCQhard

A network administrator needs to analyze bandwidth usage on a WAN link to determine which applications are generating the most traffic. The administrator requires detailed flow-level data including source/destination IP, ports, and protocol. Which technology should be used to collect this information?

A.NetFlow
B.SNMP
C.Syslog
D.ICMP
AnswerA

Correct. NetFlow provides per-flow traffic statistics, enabling application-level bandwidth analysis.

Why this answer

NetFlow is the correct choice because it provides detailed flow-level data, including source and destination IP addresses, ports, and protocols, which is exactly what the administrator needs to analyze bandwidth usage per application on a WAN link. Unlike SNMP or Syslog, NetFlow captures per-flow metadata that allows identification of which applications are generating the most traffic.

Exam trap

The trap here is that candidates often confuse SNMP's interface utilization statistics with the detailed per-flow data that NetFlow provides, leading them to choose SNMP when the question explicitly asks for source/destination IP, ports, and protocol.

How to eliminate wrong answers

Option B (SNMP) is wrong because it provides aggregate interface statistics (e.g., total bytes in/out) and cannot reveal per-flow details like source/destination IP, ports, or protocol. Option C (Syslog) is wrong because it is used for logging system events and error messages, not for capturing network flow data or bandwidth usage by application. Option D (ICMP) is wrong because it is a diagnostic protocol used for error reporting and reachability testing (e.g., ping), and it does not provide any flow-level traffic analysis capabilities.

416
MCQmedium

A network administrator needs to collect traffic flow data from routers and switches to analyze bandwidth usage patterns. Which protocol should be implemented on the devices to export flow data to a collector?

A.SNMP
B.NetFlow
C.ICMP
D.LLDP
AnswerB

Correct. NetFlow is a protocol that captures and exports IP traffic flow information, including source/destination, ports, and byte counts, to a collector for analysis.

Why this answer

NetFlow (or its standards-based equivalent, IPFIX) is the correct protocol because it is specifically designed to export traffic flow metadata—such as source/destination IPs, ports, and byte counts—from routers and switches to a collector for bandwidth usage analysis. SNMP can poll interface counters but does not provide per-flow granularity, making NetFlow the appropriate choice for detailed traffic pattern analysis.

Exam trap

The trap here is that candidates often confuse SNMP's ability to poll interface bandwidth utilization with the need for per-flow granularity, leading them to choose SNMP instead of recognizing that NetFlow is the dedicated protocol for exporting flow data.

How to eliminate wrong answers

Option A (SNMP) is wrong because SNMP is used for polling device statistics (e.g., interface utilization) and does not export flow-level data; it lacks the ability to report per-flow conversations. Option C (ICMP) is wrong because ICMP is a network-layer protocol for error reporting and diagnostics (e.g., ping/traceroute), not for exporting traffic flow records. Option D (LLDP) is wrong because LLDP is a link-layer discovery protocol used to advertise device identity and capabilities to neighbors, not to export flow data to a collector.
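Questions 415 and 416 both turn on the difference between SNMP interface counters and per-flow records. The Python script below is an added example, not part of the original page or of any vendor's exporter: it decodes a NetFlow v5 export datagram (the fixed 24-byte header followed by 48-byte records) and sums bytes per protocol and destination port to answer "which application is using the link". The flows it decodes are constructed inline as sample input; the build_v5_datagram helper exists only to produce that sample and stands in for the router.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 layout (all big-endian): a 24-byte header followed by `count` 48-byte records.
HEADER_FMT = ">HHIIIIBBH"               # version, count, sys_uptime, unix_secs, unix_nsecs,
                                        # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_datagram(flows, sys_uptime=1000, unix_secs=1700000000, seq=0):
    """Encode (src, dst, proto, sport, dport, packets, octets) tuples as one v5 export.
    Used only to construct sample input here; in practice the router is the exporter."""
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, pkts, octets in flows:
        body += struct.pack(RECORD_FMT, int(IPv4Address(src)), int(IPv4Address(dst)), 0,
                            1, 2, pkts, octets, sys_uptime - 500, sys_uptime, sport, dport,
                            0, 0, proto, 0, 0, 0, 24, 24, 0)
    return header + body


def parse_v5_datagram(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Rejects datagrams whose version or declared record count does not match the bytes received."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        start = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, datagram[start:start + RECORD_LEN])))
        rec["srcaddr"] = str(IPv4Address(rec["srcaddr"]))
        rec["dstaddr"] = str(IPv4Address(rec["dstaddr"]))
        flows.append(rec)
    return flows


def bytes_by_application(flows):
    """Sum octets per (protocol, destination port): the simplest 'which application' view of flow data."""
    totals = defaultdict(int)
    for f in flows:
        app = f"{PROTO_NAMES.get(f['prot'], f['prot'])}/{f['dstport']}"
        totals[app] += f["dOctets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample flows (not real traffic): two HTTPS sessions, one SMB transfer, one DNS query.
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.5", 6, 51234, 443, 900, 1_200_000),
    ("10.1.1.11", "203.0.113.7", 6, 51877, 443, 600, 800_000),
    ("10.1.1.12", "10.1.2.20", 6, 49500, 445, 2200, 3_000_000),
    ("10.1.1.13", "198.51.100.1", 17, 40021, 53, 2, 2_400),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    for app, octets in bytes_by_application(parse_v5_datagram(SAMPLE_DATAGRAM)):
        print(f"{app:>10}  {octets:>10} bytes")
```

NetFlow v5 is fixed-format, which is why the parser is a handful of struct.unpack calls; NetFlow v9 and IPFIX are template-based, and a collector must receive the template before it can decode the data records. The export itself is plain UDP with no authentication, so a collector should only accept datagrams from known exporter addresses on the management network, and a length check like the one above is the minimum defence against truncated or malformed exports.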

417
MCQmedium

An organization needs to connect two buildings that are 2 km apart with a point-to-point wireless link. Which antenna type is BEST suited for this long-distance directional connection?

A.Omni-directional antenna
B.Yagi antenna
C.Patch antenna
D.Parabolic dish antenna
AnswerD

Parabolic dish antennas provide very high gain and narrow beamwidth, making them ideal for long-distance point-to-point wireless bridges.

Why this answer

A parabolic dish antenna is the best choice for a 2 km point-to-point wireless link because it provides a very narrow beamwidth and high gain, focusing the signal in a specific direction to maximize distance and minimize interference. This makes it ideal for long-distance, high-throughput links where precise alignment is possible.

Exam trap

The trap here is that candidates often confuse 'directional' with 'high gain,' assuming a Yagi or patch antenna is sufficient for long distances, but the parabolic dish's superior focus and gain are critical for maintaining signal integrity over 2 km.

How to eliminate wrong answers

Option A is wrong because an omni-directional antenna radiates signal in all directions equally, resulting in low gain and significant signal loss over 2 km, making it unsuitable for long-distance point-to-point links. Option B is wrong because a Yagi antenna, while directional, typically offers moderate gain (e.g., 10-15 dBi) and a wider beamwidth than a parabolic dish, which may not provide sufficient signal strength and focus for a reliable 2 km link. Option C is wrong because a patch antenna (panel antenna) has a broader beamwidth (e.g., 30-90 degrees) and lower gain (e.g., 8-12 dBi) compared to a parabolic dish, making it better suited for shorter distances or sector coverage rather than long-distance point-to-point.

418
MCQeasy

A network administrator notices that log timestamps from different switches are inconsistent, making correlation of events difficult. Which protocol should be implemented to ensure all devices have the same time?

A.SNMP
B.NTP
C.SMTP
D.RIP
AnswerB

NTP synchronizes clocks across network devices, ensuring log timestamps are consistent.

Why this answer

NTP (Network Time Protocol) is the standard protocol used to synchronize clocks across network devices. By configuring all switches to use the same NTP server, timestamps in logs become consistent, enabling accurate correlation of events across the network.

Exam trap

CompTIA often tests NTP as the solution for time synchronization, but the trap here is that candidates may confuse SNMP (which can retrieve system uptime or timeticks) with a method to synchronize clocks, whereas SNMP only reads or writes management information and does not set the system clock itself.

How to eliminate wrong answers

Option A (SNMP) is wrong because it is used for monitoring and managing network devices, not for time synchronization. Option C (SMTP) is wrong because it is a protocol for email transmission, not for clock synchronization. Option D (RIP) is wrong because it is a distance-vector routing protocol used to exchange routing information, not for time synchronization.

419
MCQeasy

A network administrator wants to logically segment a single physical switch into multiple separate broadcast domains without purchasing additional hardware. Which concept should be used?

A.Spanning Tree Protocol (STP)
B.Virtual LAN (VLAN)
C.Subnetting
D.Quality of Service (QoS)
AnswerB

VLANs segment a physical switch into multiple broadcast domains at Layer 2, requiring a router for inter-VLAN communication.

Why this answer

A VLAN logically segments a physical switch into multiple isolated broadcast domains by assigning switch ports to specific VLAN IDs; when a frame must cross to another switch, the VLAN ID travels in an 802.1Q tag on the trunk link. This prevents broadcast traffic from crossing VLAN boundaries without requiring additional hardware, as each VLAN functions as its own Layer 2 network.

Exam trap

CompTIA often tests the misconception that subnetting alone can segment a switch, but subnetting is a Layer 3 concept and does not create separate broadcast domains on a single physical switch without VLANs.

How to eliminate wrong answers

Option A is wrong because STP prevents loops in a redundant switched network by blocking specific ports, but it does not create broadcast domains or segment traffic logically. Option C is wrong because subnetting is a Layer 3 technique used to divide IP address ranges into smaller networks, but it does not segment a single physical switch at Layer 2; VLANs are required for that. Option D is wrong because QoS prioritizes network traffic based on policies (e.g., DSCP or CoS values) but does not isolate broadcast domains or segment the switch.

420
MCQmedium

A company is implementing network access control to ensure only authenticated users can connect to the wired network. Users must authenticate using their domain credentials before gaining full network access. Which standard should be implemented?

A.802.1X
B.802.3af
C.802.11i
D.802.1Q
AnswerA

802.1X provides authentication for devices attempting to connect to a network port, verifying credentials against a central server.

Why this answer

802.1X is the IEEE standard for port-based network access control (PNAC). It uses the Extensible Authentication Protocol (EAP) to authenticate devices attempting to connect to a wired or wireless LAN, requiring valid domain credentials before the switch port grants full network access.

Exam trap

CompTIA often tests 802.1X by contrasting it with 802.11i, trapping candidates who confuse wireless security standards with wired port-based access control.

How to eliminate wrong answers

Option B (802.3af) is wrong because it defines Power over Ethernet (PoE) standards for delivering power over twisted-pair cabling, not authentication. Option C (802.11i) is wrong because it specifies security mechanisms for wireless networks (WPA2/AES-CCMP), not wired network access control. Option D (802.1Q) is wrong because it is the standard for VLAN tagging and trunking, not for authenticating users before granting network access.

421
MCQmedium

A security analyst notices that the network has been flooded with packets that have the same source IP address as the company's internal DNS server. This is likely an example of which type of attack?

A.Smurf attack
B.IP spoofing
C.Man-in-the-middle
D.ARP poisoning
AnswerB

IP spoofing involves forging the source IP address in packets to make them appear to come from a trusted source.

Why this answer

IP spoofing is the correct answer because the attacker is forging the source IP address of packets to impersonate the company's internal DNS server. By flooding the network with packets that appear to originate from a trusted internal server, the attacker can bypass security controls, launch reflection attacks, or cause denial of service. This directly matches the scenario where the source IP is falsified to match a legitimate internal host.

Exam trap

CompTIA often tests the distinction between IP spoofing and Smurf attacks, where candidates mistakenly choose Smurf because both involve spoofed source addresses, but Smurf specifically requires ICMP and broadcast amplification, not arbitrary packet flooding with a DNS server's IP.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed victim source IP, causing all hosts on the network to reply to the victim; it does not specifically impersonate a DNS server. Option C is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not flooding the network with packets from a spoofed source IP. Option D is wrong because ARP poisoning manipulates ARP tables to associate a malicious MAC address with a legitimate IP address, enabling traffic interception, but it does not involve flooding with packets having a spoofed source IP.

422
MCQeasy

A network technician sees that the link light on a switch port is not lit, even though the cable is connected to an active device. The port has been tested with a known good cable. Which of the following should the technician do next?

A.Replace the switch
B.Check if the port is administratively disabled
C.Check the VLAN configuration
D.Check the speed/duplex settings
AnswerB

A port that is administratively down will not light up. Use the command 'show interface' or 'show interface status' to verify and then use 'no shutdown' to enable it.

Why this answer

When a link light is off despite a known good cable and an active device, the most likely cause is that the switch port is administratively disabled (shutdown). This is a common Layer 1/2 issue where the interface is configured with the 'shutdown' command, preventing the port from negotiating a link. Checking the interface status with 'show interfaces status' or 'show interfaces [interface]' will confirm if the port is in an 'administratively down' state.

Exam trap

The trap here is that candidates often jump to VLAN or hardware failure (replace the switch) because they forget that an administratively down port is a common Layer 1 misconfiguration that completely prevents link establishment, even with a good cable and active device.

How to eliminate wrong answers

Option A is wrong because replacing the switch is an extreme and premature action; the issue is isolated to a single port, not the entire switch, and a known good cable and active device rule out a global switch failure. Option C is wrong because VLAN configuration affects traffic forwarding (Layer 2), not the physical link state; a misconfigured VLAN would not prevent the link light from lighting up, as link negotiation occurs at Layer 1 independently of VLAN settings. Option D is a reasonable later check but not the next step: a duplex mismatch still brings the link up (with errors), and only a forced speed mismatch would keep the link down, whereas a single 'show interfaces status' immediately reveals an administratively down port, making it the faster and more likely explanation to rule out first.

423
MCQhard

A network engineer is designing a wireless network for a large warehouse with many metal racks and heavy machinery that cause significant RF interference. The network must support a high density of IoT sensors and provide reliable connectivity. Which IEEE wireless standard should the engineer implement to best meet these requirements?

A.802.11ac (Wi-Fi 5)
B.802.11ax (Wi-Fi 6)
C.802.11n (Wi-Fi 4)
D.802.11g (Wi-Fi 3)
AnswerB

802.11ax uses OFDMA and improved MU-MIMO, allowing better handling of many devices and interference. It also supports both 2.4 GHz and 5 GHz bands, providing better coverage in challenging environments.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA), which subdivides channels into smaller resource units (RUs) to serve multiple IoT sensors simultaneously, improving efficiency in dense, interference-heavy environments. Additionally, Wi-Fi 6 includes BSS Coloring, which reduces co-channel interference by allowing devices to ignore transmissions from overlapping basic service sets, and Target Wake Time (TWT), which schedules IoT sensor transmissions to conserve battery and reduce contention.

Exam trap

The trap here is that candidates often choose 802.11ac (Wi-Fi 5) because it is widely known for high throughput, but they overlook that 802.11ax's OFDMA and TWT are specifically designed for high-density IoT and interference-heavy environments, not just raw speed.

How to eliminate wrong answers

Option A (802.11ac) is wrong because it uses OFDM only, lacks OFDMA and TWT, and does not handle high-density IoT sensor traffic or RF interference as efficiently as Wi-Fi 6. Option C (802.11n) is wrong because it relies on older MIMO and channel bonding without the advanced interference mitigation and scheduling features of Wi-Fi 6, making it unsuitable for dense IoT deployments in high-interference environments. Option D (802.11g) is wrong because it operates only in the 2.4 GHz band with a maximum data rate of 54 Mbps, lacks MIMO, OFDMA, and any interference-avoidance mechanisms, and cannot support the required density or reliability.

424
MCQhard

A network engineer needs to connect two network segments that use different physical media: one segment uses copper Ethernet and the other uses fiber optic. The device must forward frames based on MAC addresses and must not perform any routing. Which device should the engineer choose?

A.Layer 3 switch
B.Media converter
C.Bridge
D.Router
AnswerC

A bridge operates at Layer 2, can connect different media types, and forwards frames using MAC addresses without routing.

Why this answer

A bridge operates at Layer 2, forwarding frames based on MAC addresses while connecting different physical media (e.g., copper to fiber). It does not perform routing, making it the correct choice for this scenario. Unlike a media converter, a bridge also provides segmentation and collision domain isolation.

Exam trap

CompTIA often tests the distinction between a media converter (Layer 1) and a bridge (Layer 2), leading candidates to choose the media converter because it handles physical media conversion, but they overlook the requirement for MAC address-based forwarding.

How to eliminate wrong answers

Option A is wrong because a Layer 3 switch performs routing at Layer 3 (IP forwarding), which is not required and violates the 'must not perform any routing' constraint. Option B is wrong because a media converter only translates physical layer signals (e.g., copper to fiber) without forwarding frames based on MAC addresses or providing Layer 2 segmentation. Option D is wrong because a router operates at Layer 3, forwarding packets based on IP addresses and performing routing, which is explicitly not allowed.

425
MCQeasy

A network switch is experiencing a high number of collisions on a specific port. The connected device is configured for half-duplex. Which of the following is the most likely cause?

A.The switch port is configured for full-duplex
B.The cable length exceeds 100 meters
C.The device is using an incorrect VLAN
D.The switch port is configured for 1000BASE-T but the device only supports 100BASE-TX
AnswerA

A duplex mismatch (switch full-duplex, device half-duplex) causes excessive collisions because the full-duplex switch transmits without checking for carrier sense, colliding with the half-duplex device's transmissions.

Why this answer

When a switch port is configured for full-duplex but the connected device operates in half-duplex, a duplex mismatch occurs. The switch transmits without checking for collisions (as full-duplex does not use CSMA/CD), while the half-duplex device expects to sense the carrier before sending, leading to collisions on the port. This is the most common cause of excessive collisions on a single switch port.

Exam trap

The trap here is that candidates often assume collisions are always caused by cable length or physical issues, overlooking the duplex mismatch as the primary cause when one side is half-duplex and the other is full-duplex.

How to eliminate wrong answers

Option B is wrong because cable length exceeding 100 meters typically causes attenuation and late collisions or CRC errors, not a high number of standard collisions on a half-duplex link. Option C is wrong because an incorrect VLAN assignment would cause connectivity issues or traffic isolation problems, not physical-layer collisions on the port. Option D is wrong because a forced speed mismatch (switch locked at 1000 Mb/s, device capable only of 100BASE-TX) prevents the link from coming up at all rather than producing collisions; with no link there are no frames, and therefore no collisions, to count.
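Questions 412 and 425 both come down to reading the negotiated duplex and the error counters on each end of the link. The Python below is an added example (not from the original page or from Cisco): it parses the relevant fields from 'show interfaces' output and from Linux 'ethtool' output, compares the two ends, and infers a likely mismatch from the counter pattern when only the switch side is visible. Both outputs are constructed samples modeled on the real command formats; the interface names, addresses and counter values are made up.

```python
import re

# Constructed sample modeled on Cisco IOS 'show interfaces' output (not captured from a real device).
# Gi1/0/5 negotiated full-duplex but is logging CRC errors and runts; Gi1/0/6 is clean.
SHOW_INTERFACES = """\
GigabitEthernet1/0/5 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
     48213 packets input, 6105221 bytes, 0 no buffer
     Received 1200 broadcasts (0 multicasts)
     217 runts, 0 giants, 0 throttles
     1043 input errors, 1043 CRC, 0 frame, 0 overrun, 0 ignored
     39120 packets output, 51222093 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/6 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4456 (bia 0011.2233.4456)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
     8821 packets input, 1102930 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     7210 packets output, 932100 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample modeled on Linux 'ethtool eth0' for the workstation attached to Gi1/0/5.
ETHTOOL_ETH0 = """\
Settings for eth0:
    Supported ports: [ TP ]
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: on
    Link detected: yes
"""

# Counters that betray a duplex mismatch, as they appear in the IOS output.
COUNTER_PATTERNS = {
    "crc": r"(\d+) CRC",
    "runts": r"(\d+) runts",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interfaces(text):
    """Extract negotiated duplex/speed and error counters per interface from 'show interfaces' output."""
    ports, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+) is (\w+), line protocol is (\w+)", line)
        if head:
            current = ports[head.group(1)] = {"status": head.group(2), "protocol": head.group(3)}
            continue
        if current is None:
            continue
        mode = re.match(r"^\s+(Full|Half|Auto)-duplex, ([^,]+),", line)
        if mode:
            current["duplex"], current["speed"] = mode.group(1).lower(), mode.group(2)
        for name, pattern in COUNTER_PATTERNS.items():
            hit = re.search(pattern, line)
            if hit:
                current[name] = int(hit.group(1))
    return ports


def parse_ethtool(text):
    """Pull the negotiated speed and duplex from 'ethtool <iface>' output on the workstation side."""
    nic = {}
    speed = re.search(r"Speed: (\S+)", text)
    duplex = re.search(r"Duplex: (\S+)", text)
    if speed:
        nic["speed"] = speed.group(1)
    if duplex:
        nic["duplex"] = duplex.group(1).lower()
    return nic


def diagnose(port, nic=None):
    """Return findings for one switch port; compare against the attached NIC when its settings are known,
    otherwise infer the peer's duplex from the counter pattern the switch side alone shows."""
    findings = []
    if nic is not None:
        if port.get("duplex") != nic.get("duplex"):
            findings.append(f"duplex mismatch: switch {port.get('duplex')}, NIC {nic.get('duplex')}")
        if port.get("speed") != nic.get("speed"):
            findings.append(f"speed mismatch: switch {port.get('speed')}, NIC {nic.get('speed')}")
    if port.get("duplex") == "full" and (port.get("crc", 0) or port.get("runts", 0)):
        findings.append("full-duplex port logging CRC errors/runts: peer is probably half-duplex")
    if port.get("duplex") == "half" and port.get("late_collisions", 0):
        findings.append("half-duplex port logging late collisions: peer is probably full-duplex")
    return findings


if __name__ == "__main__":
    ports = parse_show_interfaces(SHOW_INTERFACES)
    nic = parse_ethtool(ETHTOOL_ETH0)
    for name, port in ports.items():
        print(name, diagnose(port, nic if name == "GigabitEthernet1/0/5" else None) or ["ok"])
```

The two inference rules encode the symptom split of a mismatch: the full-duplex side never detects collisions, so it sees the half-duplex side's aborted transmissions as runts and FCS/CRC errors, while the half-duplex side records the collisions, including late ones, because the peer transmits regardless of carrier. Seeing either pattern on a port that reports autonegotiation is the cue to check the other end directly rather than trusting the negotiated state.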

426
MCQmedium

A network administrator wants to monitor network devices using SNMP. The security policy requires both authentication and encryption of SNMP packets. Which SNMP version and security level should be configured?

A.SNMPv2c with a community string
B.SNMPv3 with authNoPriv
C.SNMPv3 with authPriv
D.SNMPv1 with a community string
AnswerC

authPriv provides both authentication (e.g., SHA) and encryption (e.g., AES), satisfying the policy.

Why this answer

SNMPv3 is the only version that supports both authentication and encryption. The security level 'authPriv' enables both authentication (via HMAC-MD5 or HMAC-SHA) and encryption (via CBC-DES or CFB128-AES), meeting the policy requirement. SNMPv1 and SNMPv2c use only plaintext community strings with no security, while 'authNoPriv' provides authentication without encryption.

Exam trap

The trap here is that candidates often confuse 'authNoPriv' with 'authPriv', assuming authentication alone satisfies security requirements, but the question explicitly demands both authentication and encryption.

How to eliminate wrong answers

Option A is wrong because SNMPv2c uses community strings transmitted in plaintext and provides no authentication or encryption. Option B is wrong because SNMPv3 with authNoPriv authenticates packets but does not encrypt them, failing the encryption requirement. Option D is wrong because SNMPv1 uses community strings in plaintext with no security mechanisms at all.

427
MCQeasy

Which SNMPv3 security level provides both authentication and encryption?

A.noAuthNoPriv
B.authNoPriv
C.authPriv
D.noAuthPriv
AnswerC

This level provides both authentication (using MD5 or SHA) and encryption (using DES or AES), ensuring data integrity and privacy.

Why this answer

Option C (authPriv) is correct because SNMPv3 defines three security levels: noAuthNoPriv, authNoPriv, and authPriv. The authPriv level provides both authentication (using HMAC-MD5 or HMAC-SHA) and encryption (using CBC-DES or AES) to ensure data integrity, origin verification, and confidentiality. This is the highest security level defined in RFC 3414.

Exam trap

The trap here is that candidates confuse the valid SNMPv3 security levels with the invalid 'noAuthPriv' option, which sounds plausible but is not defined in the standard—CompTIA often tests this by listing it as a distractor to catch those who haven't memorized the exact three levels.

How to eliminate wrong answers

Option A (noAuthNoPriv) is wrong because it provides neither authentication nor encryption; the SNMPv3 username is sent for identification only, with no proof that the sender is who it claims to be. Option B (authNoPriv) is wrong because it provides authentication but no encryption, leaving the SNMP payload in cleartext and vulnerable to eavesdropping. Option D (noAuthPriv) is wrong because it is not a valid SNMPv3 security level; encryption without authentication is not defined in RFC 3414, as it would be insecure.
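Questions 413, 426 and 427 all ask for authPriv. The Python below is an added example (not part of the original page or of any vendor's tooling): it audits a constructed Cisco IOS SNMP configuration fragment for anything weaker than SNMPv3 authPriv, and, as a practitioner caveat the exam does not require, also flags the legacy HMAC-MD5 and CBC-DES choices that authPriv still permits. The usernames, community strings, hosts and passwords are invented.

```python
import re

# Constructed running-config fragment in Cisco IOS syntax (not from a real device). Note that IOS
# does not echo 'snmp-server user' lines in 'show running-config'; they appear here as entered,
# and on a real device you would read them from 'show snmp user' instead.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server group LEGACY v3 auth
snmp-server group NETMON v3 priv read NETVIEW
snmp-server user nms-old LEGACY v3 auth md5 Winter2024 priv des Winter2024
snmp-server user nms NETMON v3 auth sha Tr0ub4dor&3 priv aes 128 c0rrect-horse
snmp-server host 10.1.1.50 version 2c public
snmp-server host 10.1.1.60 version 3 priv nms
"""

LEVEL_NAME = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}


def audit_snmp_config(config):
    """Return (severity, message) findings for every SNMP setting weaker than SNMPv3 authPriv.
    'high' means the policy (authentication AND encryption) is violated; 'medium' means authPriv
    is met but with the legacy MD5/DES algorithms."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server"):
            continue
        m = re.match(r"snmp-server community (\S+) (RO|RW)", line)
        if m:
            findings.append(("high", f"community string '{m.group(1)}' ({m.group(2)}): "
                                     "SNMPv1/v2c, cleartext, no authentication or encryption"))
            continue
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)", line)
        if m:
            if m.group(2) != "priv":
                findings.append(("high", f"v3 group {m.group(1)} at {LEVEL_NAME[m.group(2)]}: "
                                         "SNMP traffic is not encrypted"))
            continue
        m = re.match(r"snmp-server user (\S+) (\S+) v3 auth (md5|sha) \S+"
                     r"(?: priv (des|3des|aes \d+) \S+)?", line)
        if m:
            user, auth, priv = m.group(1), m.group(3), m.group(4)
            if priv is None:
                findings.append(("high", f"user {user}: authentication only, no privacy protocol"))
            else:
                if auth == "md5":
                    findings.append(("medium", f"user {user}: HMAC-MD5 authentication, prefer SHA"))
                if priv == "des":
                    findings.append(("medium", f"user {user}: CBC-DES privacy (56-bit key), prefer AES"))
            continue
        m = re.match(r"snmp-server host (\S+) version (1|2c|3)(?: (noauth|auth|priv))?", line)
        if m:
            if m.group(2) != "3":
                findings.append(("high", f"trap/inform host {m.group(1)} uses SNMPv{m.group(2)}"))
            elif m.group(3) != "priv":
                findings.append(("high", f"host {m.group(1)} uses v3 {LEVEL_NAME[m.group(3) or 'noauth']}: "
                                         "notifications are not encrypted"))
    return findings


def meets_policy(config):
    """True only when nothing in the fragment falls below SNMPv3 authPriv."""
    return not any(severity == "high" for severity, _ in audit_snmp_config(config))


if __name__ == "__main__":
    for severity, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
    print("policy met:", meets_policy(SAMPLE_CONFIG))
```

Two details matter beyond the exam answer: the community strings and the v2c trap host are the real exposure, since they put the same device under unauthenticated control whatever the v3 groups say, and the nms-old user shows that authPriv alone is a level, not an algorithm choice; pairing it with SHA and AES is what makes it worth having.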

428
MCQmedium

A network administrator needs to connect two switches to allow multiple VLANs to traverse the link. Which protocol should be used to tag frames with VLAN information?

A.STP (Spanning Tree Protocol)
B.802.1Q
C.VTP (VLAN Trunking Protocol)
D.LACP (Link Aggregation Control Protocol)
AnswerB

802.1Q is the standard for VLAN tagging on trunk links, ensuring proper VLAN identification across switches.

Why this answer

802.1Q is the IEEE standard for VLAN tagging, which inserts a 4-byte tag into the Ethernet frame header to identify the VLAN membership of the frame. This allows multiple VLANs to traverse a single trunk link between switches, enabling inter-switch VLAN communication without requiring separate physical links per VLAN.

Exam trap

The trap here is that candidates often confuse VTP (a management protocol) with the actual tagging protocol, assuming VTP handles frame tagging because of the word 'trunking' in its name.

How to eliminate wrong answers

Option A is wrong because STP (Spanning Tree Protocol) is used to prevent loops in a network topology by blocking redundant links, not for tagging frames with VLAN information. Option C is wrong because VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol for synchronizing VLAN databases across switches, but it does not tag frames; it relies on 802.1Q or ISL for actual tagging. Option D is wrong because LACP (Link Aggregation Control Protocol) is used to bundle multiple physical links into a single logical link for increased bandwidth and redundancy, not for VLAN tagging.

429
MCQmedium

A security analyst discovers that an unauthorized device is sending forged ARP replies to poison the ARP caches of other devices on the network. Which security feature should be implemented on the switches to prevent this?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.STP BPDU guard
AnswerC

DAI uses the DHCP snooping binding table to validate ARP packets and drop spoofed ones.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on a per-interface basis by intercepting all ARP requests and replies on untrusted ports and verifying that the sender IP-to-MAC mapping matches an entry in the DHCP snooping binding table for that VLAN. If an ARP reply carries a forged mapping, DAI drops the packet, preventing ARP cache poisoning. This directly stops the described attack where an unauthorized device sends forged ARP replies. In practice DAI is only as good as its inputs: uplinks to other switches must be marked trusted so their ARP traffic is not dropped, and hosts with static addresses have no DHCP snooping entry, so they need ARP ACLs or static bindings, otherwise their legitimate ARP replies are dropped as well.

Exam trap

CompTIA often tests the distinction between DHCP snooping (which builds the trust database) and Dynamic ARP Inspection (which uses that database to filter ARP traffic), leading candidates to mistakenly choose DHCP snooping as the direct solution for ARP spoofing.

How to eliminate wrong answers

Option A is wrong because port security limits the number of MAC addresses on a port or restricts specific MACs, but it does not inspect or validate the content of ARP messages. Option B is wrong because DHCP snooping builds a binding table of trusted DHCP assignments and filters rogue DHCP servers, but it does not validate ARP packets on its own. Option D is wrong because STP BPDU guard protects against rogue bridge protocol data units that could cause spanning tree topology changes, not against forged ARP replies.
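Questions 428 and 429 are two halves of the same frame: the 802.1Q tag that carries the VLAN ID across a trunk, and the ARP payload that Dynamic ARP Inspection validates. The Python below is an added example (not part of the original page or of any switch vendor's code) that parses an Ethernet frame with an optional 802.1Q tag, decodes the ARP packet, and applies DAI's decision: ARP arriving on an untrusted port must match a DHCP snooping binding for that VLAN and port, while trusted uplinks are not inspected. The binding table, port names, MAC addresses and frames are constructed inline.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp_frame(dst_mac, src_mac, oper, sha, spa, tha, tpa, vlan=None, pcp=0):
    """Construct an Ethernet frame carrying an ARP packet, 802.1Q-tagged when vlan is given.
    Used only to build sample frames for this example."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        # TPID 0x8100 followed by the TCI: PCP (3 bits), DEI (1 bit), VID (12 bits)
        eth += struct.pack(">HH", ETHERTYPE_8021Q, (pcp << 13) | vlan)
    eth += struct.pack(">H", ETHERTYPE_ARP)
    arp = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      IPv4Address(spa).packed, mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_frame(frame):
    """Decode the Ethernet header, peel an 802.1Q tag if present, and decode an ARP payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack(">6s6sH", frame[:14])
    offset, vlan, pcp = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack(">HH", frame[14:18])
        pcp, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    pkt = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "vlan": vlan, "pcp": pcp,
           "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        if len(frame) < offset + 28:
            raise ValueError("truncated ARP packet")
        _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(">HHBBH6s4s6s4s", frame[offset:offset + 28])
        pkt["arp"] = {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
                      "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}
    return pkt


class DaiSwitch:
    """Minimal model of Dynamic ARP Inspection. ARP on an untrusted port is forwarded only when the
    sender IP/MAC matches the DHCP snooping binding table for that VLAN and port; trusted ports
    (uplinks to other switches) bypass inspection entirely."""

    def __init__(self, bindings, access_vlans, trusted_ports):
        self.bindings = bindings          # {(vlan, ip): (mac, port)} as learned by DHCP snooping
        self.access_vlans = access_vlans  # untagged frames are placed in the port's access VLAN
        self.trusted = set(trusted_ports)

    def inspect(self, port, frame):
        pkt = parse_frame(frame)
        if "arp" not in pkt:
            return "forward", "not ARP, DAI does not apply"
        if port in self.trusted:
            return "forward", "trusted port"
        vlan = pkt["vlan"] if pkt["vlan"] is not None else self.access_vlans[port]
        arp = pkt["arp"]
        if arp["sha"] != pkt["src_mac"]:      # the optional src-mac validation check
            return "drop", "ARP sender MAC differs from Ethernet source MAC"
        bound = self.bindings.get((vlan, arp["spa"]))
        if bound is None:
            return "drop", f"no DHCP snooping binding for {arp['spa']} in VLAN {vlan}"
        if bound != (arp["sha"], port):
            return "drop", f"{arp['spa']} is bound to {bound[0]} on {bound[1]}, not {arp['sha']} on {port}"
        return "forward", "matches DHCP snooping binding"


# Constructed topology: two hosts on access ports in VLAN 10 and one trusted trunk uplink (Gi1/0/24).
HOST_MAC, ATTACKER_MAC, GW_MAC = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01"
SWITCH = DaiSwitch(
    bindings={(10, "10.1.10.20"): (HOST_MAC, "Gi1/0/2"), (10, "10.1.10.30"): (ATTACKER_MAC, "Gi1/0/3")},
    access_vlans={"Gi1/0/2": 10, "Gi1/0/3": 10},
    trusted_ports={"Gi1/0/24"},
)
LEGIT_REPLY = build_arp_frame(GW_MAC, HOST_MAC, ARP_REPLY, HOST_MAC, "10.1.10.20", GW_MAC, "10.1.10.1")
FORGED_GATEWAY = build_arp_frame(HOST_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "10.1.10.1", HOST_MAC, "10.1.10.20")
FORGED_HOST = build_arp_frame(GW_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "10.1.10.20", GW_MAC, "10.1.10.1")
TRUNK_REPLY = build_arp_frame(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, "10.1.10.1", HOST_MAC, "10.1.10.20", vlan=10, pcp=6)

if __name__ == "__main__":
    for port, frame in (("Gi1/0/2", LEGIT_REPLY), ("Gi1/0/3", FORGED_GATEWAY),
                        ("Gi1/0/3", FORGED_HOST), ("Gi1/0/24", TRUNK_REPLY)):
        print(port, *SWITCH.inspect(port, frame))
```

The gateway reply arriving tagged on the trunk is forwarded untouched because the port is trusted, which is exactly why trust must be limited to genuine inter-switch links: an attacker on a trusted port would bypass DAI entirely. The forged replies from Gi1/0/3 fail in the two ways a real DAI log would show, no binding for the claimed IP, or a binding that names a different MAC and port.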

430
MCQmedium

A network administrator needs to perform a critical firmware upgrade on a core switch during a maintenance window. Which of the following should the administrator do FIRST before making the change?

A.Test the firmware in a lab environment
B.Notify all users of the planned outage
C.Create a backup of the current switch configuration
D.Submit a change request for approval
AnswerA

Testing in a lab ensures the firmware is compatible and stable before deployment on production hardware, reducing the risk of outages.

Why this answer

Before making any change to a production device, the firmware should first be tested in a lab environment that mirrors the production setup. This validates compatibility with existing hardware, software features, and configurations, preventing unexpected behavior such as boot loops, protocol failures, or hardware incompatibility that could cause extended outages.

Exam trap

CompTIA often tests the principle that testing in a lab environment is the first step in any change process, and the trap here is that candidates mistakenly choose creating a backup (Option C) as the first action, confusing a safety measure with the prerequisite validation step.

How to eliminate wrong answers

Option B is wrong because notifying users of a planned outage is a communication step that should occur after the change is approved and scheduled, not before testing the firmware. Option C is wrong because creating a backup of the current switch configuration is a critical safety step, but it should be performed after testing the firmware in the lab and before applying the upgrade to production; testing first ensures the firmware itself is safe to use. Option D is wrong because submitting a change request for approval is part of the change management process, but the administrator must first validate the firmware in a lab to provide accurate risk assessment and technical details for the request.

431
MCQ · medium

A user reports that they cannot access a web server by its URL but can access it by IP address. A technician checks the DNS server and finds it is reachable. What is the most likely cause?

A. Incorrect default gateway
B. DNS resolution failure for that specific record
C. Firewall blocking port 80
D. IP conflict on the user's workstation
Answer: B

The user can reach the server by IP, indicating connectivity is fine. The URL failure points to a DNS problem for that particular record.

Why this answer

The user can access the web server by IP address but not by URL, which indicates that the name-to-IP resolution is failing. Since the DNS server is reachable, the issue is not with network connectivity to the DNS server but rather with the specific DNS record for that web server. This is a classic DNS resolution failure for that specific record, often due to a missing or incorrect A or AAAA record.

Exam trap

The trap here is that candidates often assume a reachable DNS server means DNS is fully functional, but the question specifically tests the distinction between server reachability and record availability.

How to eliminate wrong answers

Option A is wrong because an incorrect default gateway would prevent all traffic from leaving the local subnet, including both IP-based and URL-based access, but the user can access the server by IP, so the gateway is functioning. Option C is wrong because a firewall blocking port 80 would affect both IP-based and URL-based HTTP access, yet the user can reach the server by IP, so the firewall is not the issue. Option D is wrong because an IP conflict on the user's workstation would cause intermittent connectivity or complete loss of network access, not a selective failure where only URL-based access fails.

432
MCQ · easy

A network engineer needs to create subnets for four departments, each requiring at least 50 host addresses. The available network is 192.168.1.0/24. Which subnet mask should be used to satisfy the requirements while minimizing wasted addresses?

A. /26 (255.255.255.192)
B. /25 (255.255.255.128)
C. /27 (255.255.255.224)
D. /24 (255.255.255.0)
Answer: A

Correct. /26 provides 4 subnets with 62 usable hosts each, fitting the need for 50 hosts per department.

Why this answer

A /26 subnet mask (255.255.255.192) provides 62 usable host addresses per subnet (2^(32-26) - 2 = 62), which meets the requirement of at least 50 hosts per department. With a /24 network, you can create exactly four /26 subnets (192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26, 192.168.1.192/26), perfectly matching the four departments while minimizing wasted addresses.

Exam trap

The trap here is that candidates often choose /27 because they calculate 2^5 = 32 and forget to subtract 2 for the network and broadcast addresses, mistakenly thinking 32 hosts are available, or they choose /25 because they see it provides more than 50 hosts without realizing it only creates two subnets, not four.

How to eliminate wrong answers

Option B (/25, 255.255.255.128) is wrong because it provides 126 usable host addresses per subnet (2^7 - 2 = 126), which is far more than the required 50, and only yields two subnets from a /24 network, not enough for four departments. Option C (/27, 255.255.255.224) is wrong because it provides only 30 usable host addresses per subnet (2^5 - 2 = 30), which fails to meet the minimum requirement of 50 hosts per department.

433
MCQ · hard

A network administrator wants to ensure that a critical file server is always reachable via a single IP address, even if the server's NIC fails. The server has a single NIC. Which technique should be used to provide high availability for this IP address?

A. Configure a load balancer in front of multiple servers
B. Implement NIC teaming
C. Use VRRP to create a virtual IP address
D. Use DNS round robin
Answer: C

VRRP allows two devices to share a virtual IP, providing failover if the primary fails.

Why this answer

VRRP (Virtual Router Redundancy Protocol) allows multiple routers or servers to share a virtual IP address, with one acting as the active master and the others as backups. If the active device fails, a backup takes over the virtual IP, ensuring continuous reachability. Because the file server has only one NIC, VRRP is not run on the server itself; it is configured on a pair of routers or Layer 3 switches, most commonly as the server's redundant default gateway so that the server can always reach the network. For the server itself to remain reachable at a single IP despite a NIC failure, a load balancer or NIC teaming would typically be used; VRRP can also be used to create a virtual IP on a pair of firewalls or routers that forward traffic to the server, so the server appears reachable via that virtual IP even if one path fails.

Exam trap

The trap here is that candidates assume NIC teaming is the only way to provide NIC redundancy, but the question explicitly states the server has a single NIC, making teaming impossible; VRRP is the correct answer because it provides a virtual IP that can be failed over between redundant routers, ensuring the server remains reachable via that IP even if one router or path fails.

How to eliminate wrong answers

Option A is wrong because a load balancer distributes traffic across multiple servers, but the question specifies a single server with a single NIC; load balancing does not provide a single IP address for that one server if its NIC fails. Option B is wrong because NIC teaming requires multiple physical NICs in the server to aggregate or fail over, but the server has only one NIC, making teaming impossible.

434
MCQ · medium

A company is deploying a wireless network that requires the highest level of security for client authentication. The network must use a RADIUS server. Which wireless security standard should be implemented?

A. WPA2-Personal
B. WPA3-Enterprise
C. WPA2-Enterprise
D. WPA3-Personal
Answer: B

WPA3-Enterprise provides the highest security with 192-bit encryption and requires a RADIUS server for authentication, meeting the requirement.

Why this answer

WPA3-Enterprise (option B) is correct because it mandates the use of a RADIUS server for 802.1X/EAP authentication and provides the highest level of wireless security, including 192-bit minimum-strength security suite (CNSA Suite) and SAE handshake replacement for the 4-way handshake. This meets the requirement for both RADIUS integration and maximum authentication security.

Exam trap

Cisco often tests the distinction between WPA2-Enterprise and WPA3-Enterprise, where candidates mistakenly choose WPA2-Enterprise because it also uses RADIUS, overlooking that WPA3-Enterprise provides superior security with SAE and mandatory 192-bit encryption.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a pre-shared key (PSK) and does not require a RADIUS server, failing the requirement for RADIUS-based authentication. Option C is wrong because while WPA2-Enterprise does use a RADIUS server, it relies on the older 4-way handshake with TKIP or AES-CCMP and lacks the stronger cryptographic protections of WPA3, such as perfect forward secrecy and mandatory 192-bit security, making it less secure than WPA3-Enterprise.

435
MCQ · medium

A network administrator needs to implement a solution that allows for centralized management of user authentication, authorization, and accounting for network device access. The solution must support encryption of the entire authentication process. Which protocol should be selected?

A. TACACS+
B. RADIUS
C. LDAP
D. Kerberos
Answer: A

TACACS+ encrypts the entire authentication packet (username, password, etc.) and is commonly used for AAA on network devices (routers/switches).

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) into distinct processes and encrypts the entire authentication payload, including the username, password, and all other traffic between the client and the server. This full-packet encryption ensures that credentials and session details are protected during transit, meeting the requirement for centralized management with encrypted authentication.

Exam trap

Cisco often tests the misconception that RADIUS encrypts all traffic because it uses a shared secret, but the trap is that RADIUS only encrypts the password, not the entire packet, whereas TACACS+ encrypts the full authentication payload.

How to eliminate wrong answers

Option B (RADIUS) is wrong because it encrypts only the password in the Access-Request packet, leaving the username, accounting data, and other attributes in cleartext, which does not satisfy the requirement for encrypting the entire authentication process. Option C (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services (e.g., user attributes) and does not natively provide AAA functionality or encrypt the entire authentication process; while LDAPS can encrypt the session, it lacks the accounting and authorization separation required for network device access management.

436
MCQ · medium

A network administrator is planning a maintenance window to upgrade the firmware on critical switches. Which step should the administrator perform first to ensure minimal downtime?

A. Download the firmware from the vendor website
B. Back up the current configuration and firmware image
C. Notify users of the upcoming maintenance
D. Test the new firmware in a lab environment
Answer: D

Testing in a lab first validates the firmware and reduces the chance of production issues.

Why this answer

Option D is correct because testing the new firmware in a lab environment first validates compatibility and stability without risking production network downtime. This step identifies potential issues such as configuration incompatibilities or hardware-specific bugs before the maintenance window, ensuring a smooth upgrade process.

Exam trap

The trap here is that candidates often choose 'Back up the current configuration and firmware image' as the first step, confusing a critical safety measure with the initial planning phase, but CompTIA emphasizes that validation through testing must precede any changes to production devices.

How to eliminate wrong answers

Option A is wrong because downloading firmware before testing it in a lab could lead to applying untested code directly to production switches, increasing the risk of unexpected failures. Option B is wrong because, while backing up the configuration and firmware is critical, it should be performed after testing the new firmware to ensure the backup is taken from a stable, known-good state before the upgrade. Option C is wrong because notifying users is an operational step that should occur after the technical validation and planning are complete, not as the first step.

437
MCQ · easy

Which of the following IPv6 addresses is a valid link-local address?

A. fe80::1
B. 2001:db8::1
C. ff02::1
D. 10.0.0.1
Answer: A

fe80::/10 is the prefix for link-local addresses; fe80::1 is a common link-local address.

Why this answer

Option A is correct because link-local addresses in IPv6 always start with the prefix fe80::/10, and fe80::1 is a valid example. These addresses are automatically configured on interfaces for local link communication and are not routable beyond the local network segment.

Exam trap

Cisco often tests the distinction between link-local (fe80::/10) and unique local (fc00::/7) or global unicast (2000::/3) addresses, and candidates frequently confuse the fe80 prefix with multicast or documentation ranges.

How to eliminate wrong answers

Option B is wrong because 2001:db8::1 is a documentation prefix (2001:db8::/32) used for examples in RFC 3849, not a link-local address. Option C is wrong because ff02::1 is the all-nodes multicast address (prefix ff00::/8), not a unicast link-local address. Option D is wrong because 10.0.0.1 is an IPv4 private address (RFC 1918), not an IPv6 address at all.

438
MCQ · medium

A user reports that they can access the company's internal web server by IP address (10.10.10.100) but cannot access it by its hostname (intranet.company.com). The user's workstation is configured with the correct internal DNS server address. Which of the following should the technician do FIRST?

A. Check the DNS server's A record for intranet.company.com
B. Review the firewall rules on the server
C. Run ipconfig /flushdns on the workstation
D. Verify the default gateway configuration
Answer: A

Since the server is reachable by IP but not by name, the most direct cause is a missing or incorrect DNS record for that hostname on the internal DNS server.

Why this answer

The user can reach the server by IP but not by hostname, which indicates a DNS resolution problem. Since the workstation is configured with the correct internal DNS server, the most likely cause is a missing or incorrect A record for intranet.company.com on that DNS server. Checking the A record is the logical first step before other troubleshooting.

Exam trap

Cisco often tests the distinction between connectivity issues (firewall, routing) and name resolution issues; the trap here is that candidates might jump to flushing the DNS cache (Option C) without verifying the authoritative DNS record first.

How to eliminate wrong answers

Option B is wrong because firewall rules affect traffic based on IP addresses and ports, not hostnames; since the user can already access the server by IP, firewall rules are not blocking connectivity. Option C is wrong because flushing the DNS cache (ipconfig /flushdns) only clears locally cached entries, but if the DNS server itself lacks the correct A record, flushing the cache will not resolve the issue.

439
MCQ · medium

A network technician is explaining the difference between TCP and UDP to a junior technician. Which of the following correctly identifies a characteristic of TCP but NOT of UDP?

A. It provides connectionless communication with minimal overhead.
B. It supports multicast and broadcast transmissions.
C. It uses a three-way handshake to establish a connection before data transfer.
D. It is commonly used for real-time applications like VoIP and video streaming.
Answer: C

TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a reliable connection. UDP does not have a handshake; it sends data immediately.

Why this answer

TCP is a connection-oriented protocol that uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a reliable connection before any data is transmitted, ensuring ordered delivery and error recovery. UDP, in contrast, is connectionless and sends datagrams without any prior setup, making the three-way handshake a defining characteristic of TCP only.

Exam trap

The trap here is that candidates often confuse the three-way handshake with general connection establishment, forgetting that UDP is stateless and never performs any handshake, while TCP always does before data transfer.

How to eliminate wrong answers

Option A is wrong because connectionless communication with minimal overhead is a characteristic of UDP, not TCP; TCP is connection-oriented and adds overhead for reliability. Option B is wrong because multicast and broadcast transmissions are supported by UDP, while TCP is unicast-only and cannot deliver to multiple destinations simultaneously. Option D is wrong because real-time applications like VoIP and video streaming typically use UDP due to its low latency and tolerance for packet loss, not TCP which would introduce retransmission delays.

440
MCQ · medium

A network engineer is planning to connect two switches that are 150 meters apart. The link must support at least 1 Gbps and the budget is limited. Which cable type should be used?

A. Cat6a twisted-pair copper
B. Multimode fiber optic
C. Single-mode fiber optic
D. Cat5e twisted-pair copper
Answer: B

Multimode fiber with 1000BASE-SX transceivers supports 1 Gbps up to 550m (depending on fiber grade). This is sufficient for 150m and is cost-effective.

Why this answer

Multimode fiber optic cable supports 1 Gbps over distances up to 550 meters (OM2) or more, easily covering the 150-meter requirement at a lower cost than single-mode fiber. It is the best choice for this distance and budget because twisted-pair copper (Cat5e/Cat6a) is limited to 100 meters for 1 Gbps, and single-mode fiber is more expensive due to laser-based transceivers.

Exam trap

CompTIA often tests the 100-meter distance limit for twisted-pair copper (Cat5e/Cat6a) at 1 Gbps, and candidates mistakenly assume Cat6a can exceed this due to its higher rating, but the standard still caps it at 100 meters for 1 Gbps.

How to eliminate wrong answers

Option A is wrong because Cat6a twisted-pair copper is limited to 100 meters for 1 Gbps (per TIA/EIA-568 standards), so it cannot reach 150 meters. Option C is wrong because single-mode fiber optic can easily cover 150 meters but is overkill and more expensive than multimode for this distance, making it unsuitable for a limited budget. Option D is wrong because Cat5e twisted-pair copper is also limited to 100 meters for 1 Gbps (per IEEE 802.3ab) and cannot support the 150-meter distance.

441
MCQ · medium

A network administrator is troubleshooting communication between two switches connected via a trunk port. The trunk link is up/up, but devices in VLAN 20 cannot communicate across the trunk. The administrator has verified that both switches have VLAN 20 created and that the access ports are configured correctly. Which command should the administrator run on each switch to verify the trunk's allowed VLAN list?

A. show vlan brief
B. show interfaces trunk
C. show running-config interface
D. show mac address-table
Answer: B

Correct. This command displays detailed trunk status, including the allowed VLAN list, native VLAN, and trunking mode, helping to verify if VLAN 20 is allowed.

Why this answer

The 'show interfaces trunk' command displays the trunking status, including the allowed VLAN list on the trunk port. Since the trunk link is up/up but VLAN 20 traffic fails, the most likely cause is that VLAN 20 is not included in the allowed VLAN list on one or both switches. This command directly shows which VLANs are permitted, pruned, or active on the trunk.

Exam trap

Cisco often tests the distinction between 'show vlan brief' (which shows VLAN existence and access port assignments) and 'show interfaces trunk' (which shows trunk-specific VLAN permissions), leading candidates to mistakenly check VLAN existence instead of trunk VLAN filtering.

How to eliminate wrong answers

Option A is wrong because 'show vlan brief' displays all VLANs and their assigned access ports, but it does not show which VLANs are allowed on a trunk port. Option C is wrong because 'show running-config interface' shows the static configuration of the interface, but it may not reflect dynamic changes like VLAN pruning or the actual allowed VLAN list after DTP negotiations; it also does not show the operational trunking status or the list of active VLANs on the trunk.

442
MCQ · hard

A network engineer is deploying a wireless network using 802.11ac. To allow clients to roam between access points without re-authenticating to the authentication server, which IEEE standard should be implemented?

A. 802.1X
B. 802.11r
C. 802.11i
D. 802.11e
Answer: B

802.11r enables fast roaming by using a caching mechanism that allows clients to reassociate quickly without full EAP exchanges.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables clients to roam between access points using a cached Pairwise Master Key (PMK) without requiring a full 802.1X/EAP re-authentication with the RADIUS server. This reduces roaming latency to under 50 ms, which is critical for voice and video applications.

Exam trap

Cisco often tests the distinction between 802.1X (authentication framework) and 802.11r (fast roaming), leading candidates to mistakenly choose 802.1X because they associate it with 'authentication' without realizing the question specifically asks about avoiding re-authentication during roaming.

How to eliminate wrong answers

Option A is wrong because 802.1X is the port-based authentication framework that handles initial client authentication (e.g., EAP exchange with a RADIUS server), but it does not provide fast roaming mechanisms; without 802.11r, a client must perform a full 802.1X re-authentication at each AP transition. Option C is wrong because 802.11i (WPA2) defines security protocols like CCMP/AES and 4-way handshake key management, but it does not include the fast roaming handshake optimization that 802.11r adds.

443
MCQ · medium

A network engineer needs to connect two switches located 400 meters apart. The cable run includes high electromagnetic interference from nearby machinery. The engineer decides to use fiber optic cabling. Which transceiver type and fiber combination should be used to ensure the link reaches 400 meters while remaining cost-effective?

A. Single-mode fiber with 1000BASE-LX transceivers
B. Multimode fiber with 1000BASE-SX transceivers
C. Multimode fiber with 10GBASE-SR transceivers
D. Single-mode fiber with 1000BASE-EX transceivers
Answer: B

1000BASE-SX over multimode fiber supports distances up to 550 meters, making it suitable and cost-effective for 400m.

Why this answer

Option B is correct because 1000BASE-SX transceivers over multimode fiber (typically OM2 or OM3) can reliably reach 400 meters at 1 Gbps, and this combination is cost-effective for short-to-medium distances. Multimode fiber uses a larger core that is cheaper to terminate and pair with lower-cost VCSEL-based SX optics, making it ideal for runs under 550 meters in environments with high EMI.

Exam trap

Cisco often tests the misconception that single-mode fiber is always superior or necessary for any distance over 100 meters, but the trap here is ignoring the cost-effectiveness requirement and assuming LX is the only option for 400 meters, when SX over multimode is both sufficient and cheaper.

How to eliminate wrong answers

Option A is wrong because single-mode fiber with 1000BASE-LX transceivers can easily reach 400 meters, but it is not the most cost-effective choice for this distance; single-mode optics and fiber are more expensive than multimode alternatives, and LX transceivers are typically used for longer distances (up to 5–10 km). Option C is wrong because 10GBASE-SR transceivers over multimode fiber can also reach 400 meters (especially with OM3/OM4), but the question specifies a cost-effective solution for a 1 Gbps link, and 10GBASE-SR optics and supporting hardware are significantly more expensive than 1000BASE-SX, making it overkill for the required bandwidth.

444
MCQ · medium

A network engineer is designing a subnet for a department that requires exactly 50 usable host addresses. Which subnet mask provides the minimum number of usable host addresses while still accommodating the requirement?

A. /26
B. /27
C. /28
D. /25
Answer: A

A /26 provides 64 total addresses (62 usable), which is the smallest subnet that can accommodate 50 hosts.

Why this answer

A /26 subnet mask (255.255.255.192) provides 2^(32-26) = 64 total addresses, of which 62 are usable (subtracting network and broadcast addresses). This is the smallest subnet that meets the requirement of exactly 50 usable hosts, as /27 yields only 30 usable addresses and /28 yields only 14, while /25 provides 126 usable addresses, which is more than necessary.

Exam trap

CompTIA often tests the confusion between total addresses and usable addresses, where candidates mistakenly think a /27 (32 total addresses) can support 50 hosts, or they forget to subtract the network and broadcast addresses from the total.

How to eliminate wrong answers

Option B (/27) is wrong because it provides only 2^(32-27) = 32 total addresses, yielding 30 usable hosts, which is insufficient for 50 hosts. Option C (/28) is wrong because it provides only 2^(32-28) = 16 total addresses, yielding 14 usable hosts, far below the requirement. Option D (/25) is wrong because it provides 2^(32-25) = 128 total addresses, yielding 126 usable hosts, which exceeds the requirement and is not the minimum subnet that accommodates 50 hosts.

445
MCQ · easy

A network switch forwards frames based on which address?

A. MAC address
B. IP address
C. Port number
D. Domain name
Answer: A

Correct. Switches use MAC addresses to forward frames within the same local network.

Why this answer

A network switch operates at Layer 2 (Data Link Layer) of the OSI model and uses MAC addresses to make forwarding decisions. When a frame arrives, the switch examines the destination MAC address, looks it up in its MAC address table (CAM table), and forwards the frame only to the port associated with that MAC address, reducing collision domains and improving network efficiency.

Exam trap

CompTIA often tests the distinction between Layer 2 switching (MAC addresses) and Layer 3 routing (IP addresses), and the trap here is that candidates mistakenly associate 'forwarding' with IP addresses because they think of routers, forgetting that the question specifically asks about a switch.

How to eliminate wrong answers

Option B (IP address) is wrong because IP addresses are used by routers (Layer 3 devices) for packet forwarding, not by switches; switches do not examine IP headers unless they are multilayer switches with routing enabled. Option C (Port number) is wrong because port numbers are used by transport layer protocols (TCP/UDP) to identify specific applications or services, and switches do not inspect Layer 4 headers. Option D (Domain name) is wrong because domain names are resolved to IP addresses by DNS (Application Layer) and are never used by switches for frame forwarding.

446
MCQ · medium

A company has just installed a new fiber optic connection between two buildings 2 km apart. The connection is using multimode fiber. However, the signal is too weak at the receiving end. What is the most likely cause?

A. Attenuation due to distance
B. Electromagnetic interference
C. Incorrect termination
D. Crosstalk
Answer: A

Multimode fiber has a maximum effective distance that varies by speed but is generally under 1 km for higher data rates. 2 km exceeds that limit, causing significant signal loss (attenuation).

Why this answer

Multimode fiber (MMF) is designed for shorter distances, typically up to 550 meters for 10 Gbps (OM3/OM4) and up to 2 km only for lower speeds like 100 Mbps or 1 Gbps using older OM1/OM2 fiber. At 2 km, the signal attenuation exceeds the power budget of the MMF link, causing a weak signal at the receiver. Single-mode fiber (SMF) would be required for reliable transmission over this distance.

Exam trap

CompTIA often tests the misconception that fiber is immune to all distance limitations, but the trap here is that multimode fiber has strict distance limits due to modal dispersion and higher attenuation, unlike single-mode fiber which can span 2 km easily.

How to eliminate wrong answers

Option B is wrong because electromagnetic interference (EMI) does not affect fiber optic cables, as they transmit light, not electrical signals; fiber is immune to EMI. Option C is wrong because incorrect termination would typically cause a complete loss of signal or high reflectance (e.g., due to poor polishing or misalignment), not a weak but present signal; the symptom described points to distance-related attenuation, not a termination fault.

447
MCQ · easy

A network administrator receives an automated alert from the network monitoring system indicating that the bandwidth utilization on a specific switch port has exceeded the threshold for the past 10 minutes. According to best practices for network operations, what should the administrator do FIRST?

A. Immediately block the port to prevent potential network congestion from affecting other users.
B. Check the monitoring system logs to identify the traffic source and destination.
C. Reboot the switch to clear any temporary errors that might be causing the alert.
D. Increase the bandwidth on the port to accommodate the higher traffic load.
Answer: B

Reviewing logs provides context on what is causing the high utilization, enabling informed decision-making about subsequent actions.

Why this answer

Option B is correct because the first step in responding to a bandwidth utilization alert is to investigate the traffic causing the spike. Checking the monitoring system logs allows the administrator to identify the source and destination of the traffic, which is essential for determining whether the utilization is legitimate (e.g., a backup or large file transfer) or malicious (e.g., a DoS attack). This aligns with the network operations best practice of 'verify before acting' to avoid unnecessary disruptions.

Exam trap

The trap here is that candidates panic and choose 'immediately block the port' (Option A) thinking it's a proactive security measure, but Cisco tests the principle that network operations require analysis before action to avoid disrupting legitimate traffic.

How to eliminate wrong answers

Option A is wrong because immediately blocking the port violates the principle of least disruption and could interrupt legitimate business-critical traffic without any analysis; a better approach is to first identify the traffic and then apply ACLs or QoS if needed. Option C is wrong because rebooting the switch is a drastic, non-targeted action that clears all port statistics and active sessions, potentially losing forensic data and causing unnecessary downtime; the alert is about bandwidth utilization, not a hardware or software error that a reboot would fix.

448
MCQ · easy

A network switch that forwards frames based on MAC addresses operates at which layer of the OSI model?

A. Physical
B. Data Link
C. Network
D. Transport
Answer: B

Switches make forwarding decisions based on MAC addresses, which is a Layer 2 function.

Why this answer

A network switch that forwards frames based on MAC addresses operates at Layer 2, the Data Link layer. This layer is responsible for node-to-node data transfer and error detection using MAC addresses, as defined by IEEE 802 standards. Switches build a MAC address table by learning source MAC addresses from incoming frames and use this table to make forwarding decisions.

Exam trap

Cisco often tests the misconception that switches operate at Layer 3 because they can be configured with IP addresses for management (e.g., SVI), but the core frame-forwarding function remains at Layer 2 using MAC addresses.

How to eliminate wrong answers

Option A is wrong because the Physical layer (Layer 1) deals with raw bit transmission over physical media, such as electrical signals, light pulses, or radio waves, and does not interpret MAC addresses or frames. Option C is wrong because the Network layer (Layer 3) uses logical addressing (e.g., IP addresses) for routing packets between networks, not MAC addresses for frame forwarding within a local network.

449
MCQmedium

Users in VLAN 10 cannot obtain IP addresses from a DHCP server located in VLAN 20. The router has an ip helper-address configured on the VLAN 10 interface pointing to the DHCP server. The DHCP server IP can be pinged from the router. However, users are receiving APIPA addresses. What is the most likely cause?

A.The DHCP server is not reachable from the router
B.The DHCP server scope does not include the VLAN 10 subnet
C.The router's ip helper-address is configured incorrectly
D.The switch ports are not configured for VLAN 10
AnswerB

Even if the DHCP server receives the request, it will not offer an IP address if it has no scope configured for the subnet of the requesting client (VLAN 10).

Why this answer

The correct answer is B because the DHCP server must have a scope configured for the subnet of the requesting clients (VLAN 10) to assign IP addresses from that range. Since users receive APIPA addresses (169.254.x.x), the DHCP discovery process is failing, which typically occurs when the server receives the request via the ip helper-address but has no matching scope for VLAN 10. The router's ability to ping the server confirms Layer 3 reachability, isolating the issue to the server's scope configuration.

Exam trap

Cisco often tests the misconception that a successful ping from the router to the DHCP server guarantees DHCP functionality, but the trap here is that the ip helper-address only relays the request; the server must still have a scope for the client's subnet to assign an address.

How to eliminate wrong answers

Option A is wrong because the router can ping the DHCP server IP, proving the server is reachable at Layer 3, so unreachability is ruled out. Option C is wrong because the ip helper-address is correctly configured on the VLAN 10 interface and points to the DHCP server, as evidenced by the router forwarding DHCP broadcasts; if it were misconfigured, DHCP requests would not reach the server at all. Option D is wrong because switch ports not assigned to VLAN 10 would prevent users from communicating with the router or any other network device, but users are obtaining APIPA addresses, indicating they are connected to the network and attempting DHCP, so the ports are correctly assigned.

450
MCQmedium

A network administrator is configuring a syslog server to receive logs from network devices. The administrator wants to capture all messages with a severity level of 'critical' (2) and higher (more severe). What severity threshold should be set on the devices?

A.0 (emergency)
B.1 (alert)
C.2 (critical)
D.3 (error)
AnswerC

By setting the threshold to 2/critical, the device will send all messages with severity 0 (emergency), 1 (alert), and 2 (critical).

Why this answer

Syslog severity levels are numbered 0 (most severe) through 7 (least severe). When you set a severity threshold on a device, it captures messages at that level and all lower-numbered (more severe) levels. To capture 'critical' (2) and higher (i.e., levels 0, 1, and 2), you must set the threshold to 2.

Option C is correct because level 2 includes itself and all more severe levels (0 and 1).

Exam trap

The trap here is that candidates often think setting a threshold of 2 captures only level 2 messages, but in syslog, the threshold includes all lower-numbered (more severe) levels as well.

How to eliminate wrong answers

Option A is wrong because setting a threshold of 0 (emergency) would only capture messages at level 0, missing alert (1) and critical (2) messages. Option B is wrong because setting a threshold of 1 (alert) would capture levels 0 and 1 but exclude level 2 (critical). Option D is wrong because setting a threshold of 3 (error) would capture levels 0–3, which includes less severe messages (error) than desired; the question specifically requires only critical and more severe messages.
