CompTIA Network+ (N10-009) — Questions 451-520

520 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ · hard

A network engineer has configured an IPsec site-to-site VPN between two offices. The tunnel is established and shows as active. However, users at the branch office (10.0.1.0/24) cannot reach servers at the main office (192.168.1.0/24). Both routers have the correct VPN policies and firewall rules permitting IPsec traffic. What should the engineer check next?

A.That the DNS server addresses are correctly configured
B.That the routing tables on both routers include routes to the remote subnet
C.That the MTU size is set to 1500 on both ends
D.That the SSID is correctly configured on the access points
Answer: B

Correct. Without routes for the remote network pointing to the tunnel interface, traffic will not be sent through the VPN.

Why this answer

The tunnel being active means Phase 1 and Phase 2 of IPsec are established, but traffic still cannot flow because the routers lack routes to the remote subnets. Without a route for 10.0.1.0/24 on the main office router (or 192.168.1.0/24 on the branch router), packets will be dropped or sent out the wrong interface, even though the VPN policy and firewall rules are correct. The engineer must verify that static routes or a dynamic routing protocol (e.g., OSPF over the tunnel) are in place to direct traffic into the IPsec tunnel interface.

Exam trap

CompTIA often tests the misconception that a 'green light' tunnel status guarantees traffic flow; candidates forget that routing is a separate decision that must explicitly direct traffic into the tunnel interface (or, for a policy-based VPN, match the crypto ACL on the interface that carries the crypto map).

How to eliminate wrong answers

Option A is wrong because DNS server addresses affect name resolution, not IP-level reachability; if the tunnel is up and routing is correct, users could still reach servers by IP even with misconfigured DNS. Option C is wrong because an MTU mismatch typically causes fragmentation or loss of large packets, not a complete inability to reach the remote subnet; the tunnel is already established, and MTU problems usually show up as stalled transfers or intermittent connectivity rather than a total black hole (and 1500 bytes is not even the right value for a path that must carry IPsec overhead). Option D is wrong because an SSID is a wireless LAN identifier and has nothing to do with a site-to-site IPsec tunnel between two routers.

452
MCQ · medium

A network administrator is configuring a new switch for management access via SSH. Which step must be performed FIRST?

A.Generate RSA key pair.
B.Configure a VTY password.
C.Enable SSH version 2.
D.Configure an IP address on the management VLAN.
Answer: D

Without an IP address, the switch cannot be reached over the network; this is the most fundamental step for remote management.

Why this answer

Before SSH can function, the switch must have an IP address assigned to the management VLAN (typically VLAN 1 or a dedicated management VLAN) so that the switch is reachable over the network. Without this IP configuration, the switch cannot establish the TCP/IP connectivity required for SSH sessions, making it the foundational step that must be performed first.

Exam trap

The trap here is that candidates often assume SSH configuration begins with key generation or version selection, forgetting that the switch must first have an IP address on the management VLAN to be reachable for any remote management protocol.

How to eliminate wrong answers

Option A is wrong because generating an RSA key pair is a prerequisite for SSH encryption, but it cannot be completed until the switch has a hostname and domain name configured (which are not the first step), and more importantly, the switch must be IP-reachable first. Option B is wrong because configuring a VTY password is necessary for remote login, but it is part of the line configuration that occurs after basic network connectivity is established; without an IP address, VTY lines have no transport to listen on. Option C is wrong because enabling SSH version 2 is a security enhancement that requires SSH to already be operational (with RSA keys and IP connectivity), so it cannot be the first step.

453
MCQ · easy

A user reports that they cannot access any network resources. The technician runs 'ipconfig' on the workstation and sees that the IP address is 169.254.23.45 with a subnet mask of 255.255.0.0. What is the most likely cause of this issue?

A.The workstation's network cable is unplugged.
B.The DNS server is not responding.
C.The DHCP server is unreachable or not functioning.
D.The workstation has been assigned a static IP address in the wrong subnet.
Answer: C

APIPA addresses are assigned when a DHCP client cannot communicate with a DHCP server. This is the most likely cause.

Why this answer

The IP address 169.254.23.45 with a subnet mask of 255.255.0.0 is an Automatic Private IP Addressing (APIPA) address, which is assigned by the operating system when a DHCP discovery attempt fails. This indicates that the workstation was unable to contact a DHCP server to obtain a valid IP configuration, making an unreachable or non-functioning DHCP server the most likely cause.

Exam trap

The trap here is that candidates often confuse APIPA with a physical connectivity issue, but APIPA specifically indicates that the DHCP process failed, not necessarily that the cable is unplugged.

How to eliminate wrong answers

Option A is wrong because with the cable unplugged, ipconfig reports the adapter as 'Media disconnected' and shows no IP address at all; an APIPA address means the link was up, the client sent DHCP Discover messages, and no Offer came back. Option B is wrong because a non-responding DNS server would cause name resolution failures, not the assignment of an APIPA address; the workstation would still obtain a valid IP from DHCP and could communicate by IP address. Option D is wrong because a static IP in the wrong subnet would show the address the user typed in, not the 169.254.0.0/16 range, which is reserved for link-local autoconfiguration and is not normally assigned by hand.

454
MCQ · medium

Users in a small office can access external websites normally, but they cannot reach the internal company wiki server at 192.168.10.25. A technician can successfully ping the server's IP address from a user's workstation. The DNS resolution for the wiki's hostname (wiki.company.local) returns the correct IP. The company's firewall permits HTTP traffic to the server. What is the most likely cause of the issue?

A.The web server service is not running or is listening on a different port
B.The default gateway on the server is misconfigured
C.The user's workstation has a duplicate IP address
D.The DNS cache on the workstation is poisoned
Answer: A

Correct. If the service is not available, the browser cannot establish a TCP connection to the web server, even though network connectivity exists.

Why this answer

Since the technician can successfully ping the server's IP address from the user's workstation, Layer 3 connectivity is confirmed, ruling out routing or gateway issues. DNS resolution returns the correct IP, so name resolution is not the problem. The firewall permits HTTP traffic, so access control is not blocking the connection.

The most likely cause is that the web server service (e.g., Apache, IIS) is not running or is listening on a non-standard port (e.g., 8080 instead of 80), preventing the HTTP request from reaching the service even though the host is reachable.

Exam trap

The trap here is that candidates assume a successful ping implies application-layer connectivity, but ping uses ICMP, which rides directly on IP, while HTTP runs over a TCP connection to a specific port (80 or 443). A working ping proves the host is reachable, not that a service is listening on the port the browser is trying.

How to eliminate wrong answers

Option B is wrong because a misconfigured default gateway on the server would prevent the server from responding to requests from other subnets, but the technician can successfully ping the server's IP from the user's workstation, indicating that the server's gateway is correctly routing return traffic. Option C is wrong because a duplicate IP address on the user's workstation would cause intermittent connectivity or address conflict errors, but the user can access external websites normally and the ping to the server succeeds, which would not be consistently possible with a duplicate IP. Option D is wrong because DNS cache poisoning would cause the hostname to resolve to an incorrect IP address, but the question states that DNS resolution returns the correct IP (192.168.10.25), so the workstation is resolving the name properly.
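As an added example (not part of the original question set), the check below separates 'host reachable' from 'service listening' with a plain TCP connect, which is what a browser does after ping has already succeeded. It runs offline against 127.0.0.1: a throwaway listener stands in for a web server that is up, and a port the OS confirms is free stands in for a server whose web service is stopped. The hosts and ports are constructed for the demo; on a real network you would point probe_tcp at 192.168.10.25 and try 80, 443 and common alternates such as 8080.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    'open'     : handshake completed, a service is listening on that port
    'refused'  : the host answered with RST, so it is reachable at Layer 3 but
                 nothing listens on that port (the 'ping works, site does not' case)
    'filtered' : no answer at all, typical of a firewall drop or a host that is down
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:        # must precede OSError, it is a subclass
        return "refused"
    except OSError:                       # covers socket.timeout and unreachable errors
        return "filtered"


def listening_socket(host: str = "127.0.0.1") -> socket.socket:
    """Stand-in for a running web service: bind an OS-chosen port and listen.
    Constructed for the demo; the caller closes it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port, then release it so a connect attempt gets a reset."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def check_candidates(host: str, ports) -> dict:
    """Probe the standard port and the usual alternates, as a technician would."""
    return {p: probe_tcp(host, p, timeout=1.0) for p in ports}


if __name__ == "__main__":
    srv = listening_socket()
    live = srv.getsockname()[1]          # "web service running" port
    dead = unused_port()                 # "web service stopped" port
    print(check_candidates("127.0.0.1", [live, dead]))
    srv.close()
```

A 'refused' result is the Option A signature: the host's TCP stack answered with a reset, so Layer 3 is fine and nothing is listening on that port. A 'filtered' result (no answer at all) points instead at a firewall or a host that is down, which ping would normally also have shown.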

455
MCQ · medium

A network administrator needs to be notified immediately when a critical switch interface goes down. Which SNMP feature should be configured?

A.Polling
B.Traps
C.Informs
D.Set
Answer: B

Traps are event-driven notifications sent by the device to the management station, providing immediate alerting.

Why this answer

B is correct because SNMP traps are unsolicited messages sent from an SNMP agent to the network management system (NMS) to immediately notify the administrator of a critical event, such as a switch interface going down. Unlike polling, which requires the NMS to periodically request status information, traps provide real-time, event-driven alerts without delay, ensuring the administrator is notified as soon as the interface state changes.

Exam trap

CompTIA often tests the distinction between traps and informs. Candidates sometimes pick informs because they are acknowledged and therefore more reliable, but both are sent the instant the event occurs; the question asks only for immediate notification, so the basic, unacknowledged trap is the expected answer.

How to eliminate wrong answers

Option A is wrong because SNMP polling is a request-response mechanism where the NMS periodically queries the agent for status information, which introduces latency and may not provide immediate notification of a critical interface down event. Option C is wrong because SNMP informs are similar to traps but require an acknowledgment from the NMS, adding overhead and retransmission logic; while they offer reliability, they are not the simplest method for urgent notifications, and traps are the standard choice for critical alerts. Option D is wrong because SNMP Set is a write operation the NMS uses to change a value on the agent (for example, administratively shutting an interface); it is not a notification mechanism at all.

456
MCQ · medium

A network administrator wants to be notified immediately when any interface on a core router goes down. The administrator has already configured SNMP community strings on the router. What additional configuration is necessary to receive these notifications?

A.Enable SNMP polling from the NMS at regular intervals.
B.Configure an SNMP trap receiver on the NMS and set the router to send traps to that receiver.
C.Set up syslog to forward log messages to a centralized server.
D.Configure an access control list to allow the NMS to poll the router.
Answer: B

Traps are generated by the device when an event occurs. The administrator must specify the trap destination (IP of the NMS) and enable the relevant traps (e.g., linkUp/linkDown). Without this, the router will not send trap messages.

Why this answer

SNMP traps are unsolicited notifications sent from a managed device (the router) to a Network Management System (NMS) when a specific event occurs, such as an interface going down. Since the administrator already configured SNMP community strings (which provide authentication for SNMP messages), the missing piece is configuring the router to send traps to a specific trap receiver (the NMS) and ensuring the NMS is set up to listen for those traps. Without this trap receiver configuration, the router will not generate or forward the event-driven alerts.

Exam trap

CompTIA often tests the distinction between SNMP polling (Get requests from the NMS) and SNMP traps (unsolicited notifications from the device), leading candidates to think that enabling polling or syslog is sufficient for immediate event-driven alerts.

How to eliminate wrong answers

Option A is wrong because SNMP polling is a request-response mechanism where the NMS periodically queries the router for data; it does not provide immediate notification when an interface goes down, as the event would only be detected at the next polling interval. Option C is wrong because syslog is a separate logging protocol (UDP 514) used for forwarding system log messages, not SNMP traps; while syslog can indicate interface state changes, it requires different configuration and does not use SNMP community strings or trap receivers. Option D is wrong because an access control list only controls which hosts may poll the router; it does not cause the router to generate or send traps, and trap delivery is initiated by the router, not by the NMS.

457
MCQ · medium

A technician is troubleshooting a loss of network connectivity for a single workstation. The workstation has a valid IP address but cannot ping its default gateway. The link lights on both the workstation and the switch are solid. Which of the following should the technician check NEXT?

A.The cable integrity with a tester
B.The switch port configuration, such as VLAN assignment
C.The DNS server settings
D.The workstation's ARP cache
Answer: B

The port might be in the wrong VLAN, preventing communication with the gateway. Solid link lights indicate layer 1 is up but layer 2 may be misconfigured.

Why this answer

The workstation has a valid IP address and solid link lights, indicating Layer 1 (physical) and Layer 3 (IP configuration) are functional. The inability to ping the default gateway points to a Layer 2 issue, such as the switch port being in the wrong VLAN or having a misconfigured access/trunk setting. Checking the switch port configuration is the logical next step because VLAN mismatches prevent frames from reaching the gateway's subnet.

Exam trap

CompTIA often tests the misconception that solid link lights guarantee full Layer 2 connectivity, when in fact they only indicate a negotiated physical link, not correct VLAN membership or a forwarding spanning-tree port state.

How to eliminate wrong answers

Option A is wrong because solid link lights on both ends already confirm the cable is electrically continuous; a cable tester would be redundant at this stage and would not diagnose a VLAN mismatch. Option C is wrong because DNS server settings are irrelevant to pinging an IP address (the default gateway); DNS is used for name resolution, not Layer 3 reachability. Option D is wrong because the workstation's ARP cache is dynamic and ages out on its own; with the port in the wrong VLAN, the ARP request for the gateway never reaches it, so the cache would at most show an incomplete entry (a symptom), and inspecting or clearing it would not address the cause.

458
MCQ · hard

A network engineer needs to connect two switches that are located 450 meters apart. Which combination of fiber optic transceiver and cable type would support the highest data rate over this distance?

A.10GBASE-SR with multimode fiber
B.1000BASE-LX with single-mode fiber
C.10GBASE-LR with single-mode fiber
D.1000BASE-SX with multimode fiber
Answer: C

10GBASE-LR is a 10 Gbps transceiver designed for single-mode fiber with a reach of up to 10 km, easily covering 450 m at full speed.

Why this answer

10GBASE-LR (Long Reach) supports 10 Gbps over single-mode fiber (SMF) up to 10 km, easily covering the 450-meter distance. Single-mode fiber has a smaller core (9 µm) that minimizes modal dispersion, enabling higher data rates over longer distances compared to multimode fiber. This combination provides the highest data rate (10 Gbps) among the options for the given distance.

Exam trap

The trap here is that candidates assume 10GBASE-SR is sufficient for 450 meters, but the maximum distance for 10GBASE-SR over OM3 MMF is 300 meters, and over OM4 it is 400 meters—both fall short of 450 meters, making 10GBASE-LR the correct choice for the highest data rate.

How to eliminate wrong answers

Option A is wrong because 10GBASE-SR uses multimode fiber (MMF) with a maximum reach of only 300–400 meters (depending on OM3/OM4 grade), which is insufficient for 450 meters. Option B is wrong because 1000BASE-LX is limited to 1 Gbps, which is a lower data rate than 10 Gbps, even though it can use single-mode fiber for longer distances. Option D is wrong because 1000BASE-SX operates at 1 Gbps over multimode fiber with a maximum distance of 220–550 meters (depending on fiber type), but it offers a lower data rate than 10 Gbps.

459
Drag & Drop · medium

Drag and drop the steps in the DHCP lease process (DORA) into the correct order.


Why this order

DORA stands for Discover, Offer, Request, Acknowledge:

1. Discover: the client, which has no address yet, broadcasts a DHCPDISCOVER from 0.0.0.0 to 255.255.255.255 (UDP 68 to 67).
2. Offer: every DHCP server that hears it proposes an address, mask, gateway, DNS servers and lease time in a DHCPOFFER.
3. Request: the client broadcasts a DHCPREQUEST naming the offer it accepts, so the other servers can withdraw theirs.
4. Acknowledge: the chosen server confirms the lease with a DHCPACK (or refuses with a DHCPNAK), after which the client starts using the address.

If no Offer ever arrives, a Windows client falls back to an APIPA address in 169.254.0.0/16, which is the symptom in question 453.
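The exchange above, together with the APIPA fallback from question 453, as an added example written for this page rather than taken from any DHCP implementation. It models both sides of DORA with plain dictionaries standing in for the real option-53 message types, so the transcript shows the four messages in order, and when the client is handed no reachable server at all it self-assigns a 169.254.x.x address as a Windows host does. The address pool, router and DNS values are constructed; NAK handling, lease renewal and relay agents are left out.

```python
import ipaddress
import random
from typing import Optional

# Message types, stored as strings here; real DHCP carries them in option 53
# (DISCOVER=1, OFFER=2, REQUEST=3, ACK=5).
DISCOVER, OFFER, REQUEST, ACK = "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def is_apipa(ip: str) -> bool:
    """True for a link-local address, i.e. the client never obtained a DHCP lease."""
    return ipaddress.ip_address(ip) in APIPA_NET


class DhcpServer:
    """Server side of DORA: reserve an address on DISCOVER, confirm it on REQUEST."""

    def __init__(self, pool, router, dns, mask="255.255.255.0", lease=86400):
        self.pool = list(pool)          # constructed address pool
        self.router, self.dns, self.mask, self.lease = router, dns, mask, lease
        self.offered = {}               # client MAC -> address tentatively reserved

    def handle(self, msg) -> Optional[dict]:
        kind, mac = msg["type"], msg["client_mac"]
        if kind == DISCOVER and self.pool:
            ip = self.pool.pop(0)
            self.offered[mac] = ip
            return self._reply(OFFER, mac, ip)
        if kind == REQUEST and self.offered.get(mac) == msg["requested_ip"]:
            return self._reply(ACK, mac, msg["requested_ip"])
        return None                     # silent here; a real server may send DHCPNAK

    def _reply(self, kind, mac, ip):
        return {"type": kind, "client_mac": mac, "yiaddr": ip, "mask": self.mask,
                "router": self.router, "dns": self.dns, "lease": self.lease}


def apipa_address(rng: random.Random) -> str:
    """RFC 3927 self-assignment: 169.254.1.0 to 169.254.254.255, mask 255.255.0.0."""
    return f"169.254.{rng.randint(1, 254)}.{rng.randint(0, 255)}"


def dhcp_client(mac: str, servers, seed: int = 0):
    """Client side of DORA against every server that can hear the broadcast.

    Returns (config, transcript). An empty server list models a DHCP server that is
    down or unreachable (no relay, wrong VLAN), which ends in an APIPA address.
    """
    transcript = [("client -> broadcast", DISCOVER)]
    discover = {"type": DISCOVER, "client_mac": mac}
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    transcript += [("server -> client", OFFER)] * len(offers)
    if not offers:
        transcript.append(("client", "no DHCPOFFER received, falling back to APIPA"))
        return ({"ip": apipa_address(random.Random(seed)), "mask": "255.255.0.0",
                 "router": None, "dns": None}, transcript)

    chosen = offers[0]                  # clients normally take the first offer heard
    request = {"type": REQUEST, "client_mac": mac, "requested_ip": chosen["yiaddr"]}
    transcript.append(("client -> broadcast", REQUEST))   # broadcast so every server sees the choice
    acks = [a for a in (s.handle(request) for s in servers) if a and a["type"] == ACK]
    if not acks:
        raise RuntimeError("offer was withdrawn before DHCPACK")
    transcript.append(("server -> client", ACK))
    ack = acks[0]
    return ({"ip": ack["yiaddr"], "mask": ack["mask"], "router": ack["router"],
             "dns": ack["dns"]}, transcript)


if __name__ == "__main__":
    server = DhcpServer(["192.168.1.100", "192.168.1.101"], "192.168.1.1", "192.168.1.10")
    for name, reachable in (("server up", [server]), ("server unreachable", [])):
        cfg, log = dhcp_client("aa:bb:cc:dd:ee:01", reachable)
        print(name, cfg, [m for _, m in log])
```

The failure branch is the one worth reading twice: the client does not pick a 169.254.x.x address because something is wrong with the cable, it picks one because Discover went out and nothing came back, which is why APIPA on a workstation is a DHCP symptom first and a cabling symptom only when ipconfig also reports the link as disconnected.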

460
MCQ · easy

Which security feature on a switch can prevent an attacker from sending forged ARP messages to redirect traffic?

A.Port security
B.DHCP snooping
C.Dynamic ARP Inspection
D.VLAN segmentation
Answer: C

DAI uses the DHCP snooping binding table to validate ARP packets and drop invalid ones, preventing ARP spoofing.

Why this answer

Dynamic ARP Inspection (DAI) is the correct answer because it validates ARP packets against a trusted database (the DHCP snooping binding table) to ensure that the MAC-to-IP address mapping is legitimate. By intercepting and verifying all ARP requests and replies on untrusted ports, DAI prevents an attacker from sending forged ARP messages to redirect traffic (ARP spoofing).

Exam trap

CompTIA often tests the distinction between DHCP snooping (which builds the trust database) and Dynamic ARP Inspection (which uses that database to validate ARP traffic), leading candidates to mistakenly choose DHCP snooping as the direct defense against ARP spoofing.

How to eliminate wrong answers

Option A is wrong because Port Security limits the number of MAC addresses allowed on a switch port and can block unauthorized MACs, but it does not inspect or validate ARP messages, so it cannot prevent ARP spoofing attacks. Option B is wrong because DHCP snooping builds a binding table of legitimate DHCP leases and filters untrusted DHCP messages, but it does not directly inspect ARP traffic; it only provides the database that DAI uses for validation. Option D is wrong because VLAN segmentation only limits how far a broadcast (including a forged ARP reply) can travel; within a VLAN, every host still trusts unauthenticated ARP, so segmentation shrinks the blast radius but does not stop the spoofing.

461
Matching · medium

Match each network protocol to its well-known port number.

Answer key

SSH: 22
HTTPS: 443
DNS: 53
SMTP: 25
RDP: 3389

Why these pairings

These are the standard well-known port assignments: SSH on TCP 22, HTTPS on TCP 443, DNS on UDP and TCP 53, SMTP on TCP 25, and RDP on TCP 3389. Note that 25 is the server-to-server SMTP relay port; mail clients submit messages on 587.

462
MCQ · medium

A network administrator is designing a small office network with 40 workstations. The design must ensure that a single cable failure only affects the connected workstation. Which logical topology should the administrator implement?

A.Star
B.Ring
C.Bus
D.Mesh
Answer: A

In a star topology, each device has a dedicated cable to a central switch, so a cable failure only affects that single device.

Why this answer

A star topology connects each workstation directly to a central switch or hub, so a cable failure only affects the single connected workstation, not the rest of the network. This meets the requirement for fault isolation at the workstation level, which is the core design goal in a small office with 40 devices.

Exam trap

CompTIA often tests the distinction between physical and logical topology. A hub-based star is physically a star but logically a bus: all ports share one collision domain, so a faulty NIC that jams the medium affects everyone. A physical cable break, however, still isolates only the attached device, and with a switch at the centre the network is a star both physically and logically.

How to eliminate wrong answers

Option B (Ring) is wrong because in a ring each workstation is connected to two neighbours and a single cable break disrupts the whole ring unless a dual-ring or self-healing protocol (e.g., FDDI or RPR) is used, and even then the failure affects more than one station. Option C (Bus) is wrong because a bus uses one shared backbone cable; a break anywhere on it partitions the network and affects every workstation on that segment. Option D (Mesh) is wrong because, although a mesh also tolerates a single link failure, it requires a dedicated link between pairs of nodes (a full mesh of 40 workstations would need 780 links and 39 ports per host); mesh is used for redundant backbones between switches and routers, not for attaching end stations.

463
MCQ · medium

A security analyst notices that a web server is receiving a large number of ICMP echo reply packets from many different external hosts. The server did not send any echo requests. Which type of attack is most likely occurring?

A.Smurf attack
B.Ping flood
C.ICMP tunneling
D.Fraggle attack
Answer: A

The Smurf attack uses IP broadcast and spoofing to cause multiple replies to be sent to the victim, creating a flood of ICMP traffic.

Why this answer

A Smurf attack exploits IP broadcast addressing and ICMP. The attacker sends a large number of ICMP echo request packets with a spoofed source IP (the victim's IP) to a network's broadcast address. All hosts on that network then send ICMP echo reply packets to the victim, overwhelming it with traffic.

Since the server never sent any echo requests, the unsolicited flood of echo replies is the hallmark of a Smurf attack.

Exam trap

CompTIA often tests the distinction between a Smurf attack (unsolicited replies from many hosts due to a spoofed broadcast request) and a ping flood (direct requests from the attacker to the victim), so candidates mistakenly choose 'ping flood' when they see a flood of ICMP traffic.

How to eliminate wrong answers

Option B (Ping flood) is wrong because a ping flood involves the attacker directly sending a high volume of ICMP echo request packets to the victim, not unsolicited echo replies from many external hosts. Option C (ICMP tunneling) is wrong because ICMP tunneling is a covert channel technique used to encapsulate non-ICMP data (e.g., SSH, DNS) inside ICMP packets for exfiltration or bypassing firewalls, not for generating a flood of unsolicited echo replies. Option D (Fraggle attack) is wrong because Fraggle is the UDP variant of the same amplification technique, spoofing packets to the echo (7) and chargen (19) services on a broadcast address; the victim would be flooded with UDP traffic, not ICMP echo replies.
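The distinguishing feature the question relies on, replies that the server never asked for, is easy to turn into detection logic. The block below is an added example for this page (not taken from any product or the original question set) that runs over constructed flow records: it remembers which hosts the victim itself pinged, counts echo replies from anyone else as unsolicited, and labels many unsolicited replies from many sources as Smurf, versus many echo requests from a single source as a ping flood. Addresses come from the documentation ranges and the thresholds are illustrative.

```python
from collections import Counter

VICTIM = "198.51.100.10"   # the web server from the question (documentation range)

# Constructed flow records, one per packet: "src dst proto icmp-type". Not real captures.
NORMAL_LOG = [
    f"{VICTIM} 192.0.2.7 icmp echo-request",      # server pings a host
    f"192.0.2.7 {VICTIM} icmp echo-reply",        # and gets the matching reply
]
# Smurf: the attacker spoofed the server's address in a request to a broadcast
# address, so every host on 203.0.113.0/24 answers the server directly.
SMURF_LOG = NORMAL_LOG + [f"203.0.113.{n} {VICTIM} icmp echo-reply" for n in range(1, 9)]
# Ping flood: one attacker sends echo-requests straight at the server.
PING_FLOOD_LOG = [f"203.0.113.99 {VICTIM} icmp echo-request"] * 8


def parse(lines):
    """Split each record into (src, dst, proto, detail)."""
    return [tuple(line.split()) for line in lines]


def classify_icmp(events, victim, min_packets=5, min_sources=3):
    """Label an ICMP pattern aimed at `victim`.

    A reply is 'unsolicited' when the victim never sent an echo-request to that
    source earlier in the log. Many unsolicited replies from many distinct sources
    is the Smurf signature; many requests from one or two sources is a ping flood.
    """
    asked = set()                 # destinations the victim itself pinged
    unsolicited = Counter()       # source -> replies the victim never asked for
    direct_requests = Counter()   # source -> echo-requests aimed at the victim
    for src, dst, proto, detail in events:
        if proto != "icmp":
            continue
        if src == victim and detail == "echo-request":
            asked.add(dst)
        elif dst == victim and detail == "echo-reply" and src not in asked:
            unsolicited[src] += 1
        elif dst == victim and detail == "echo-request":
            direct_requests[src] += 1

    if sum(unsolicited.values()) >= min_packets and len(unsolicited) >= min_sources:
        return "smurf", dict(unsolicited)
    if sum(direct_requests.values()) >= min_packets and len(direct_requests) < min_sources:
        return "ping-flood", dict(direct_requests)
    return "normal", {}


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("smurf", SMURF_LOG), ("flood", PING_FLOOD_LOG)):
        print(name, classify_icmp(parse(log), VICTIM))
```

In a real sensor you would match replies to requests on the ICMP identifier and sequence number and count within a sliding time window rather than over the whole log. The source list returned for a Smurf verdict is also useful operationally: those hosts are the amplifier network, whose border router should be refusing to forward directed broadcasts.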

464
MCQ · easy

Which of the following is the primary function of a subnet mask in IPv4 networking?

A.It identifies the default gateway for a subnet
B.It determines the network portion of an IP address
C.It provides encryption for data in transit
D.It maps IP addresses to MAC addresses
Answer: B

By applying the subnet mask (AND operation) to the IP address, the network address is extracted. This is the core purpose of the subnet mask.

Why this answer

The subnet mask's primary function is to distinguish the network portion from the host portion of an IPv4 address. By applying a bitwise AND operation between the IP address and the subnet mask, the network address is derived, which is essential for routing decisions. Without this separation, devices cannot determine whether a destination is local or requires forwarding through a router.

Exam trap

The trap here is that candidates often confuse the subnet mask's role with that of the default gateway, mistakenly thinking the mask itself identifies the router address, when in fact the mask only defines the network/host boundary and has no direct relationship to gateway configuration.

How to eliminate wrong answers

Option A is wrong because the default gateway is identified by a separate configuration parameter (e.g., via DHCP or static assignment), not by the subnet mask; the subnet mask only defines the network boundary. Option C is wrong because encryption for data in transit is provided by protocols such as IPsec, TLS, or SSH, not by the subnet mask, which is a purely logical addressing mechanism with no cryptographic function. Option D is wrong because mapping IP addresses to MAC addresses is the job of ARP (Neighbor Discovery in IPv6), not the subnet mask; the mask only tells the host whether to ARP for the destination itself or for the gateway.

465
MCQ · medium

A network engineer is implementing OSPF on a router. All directly connected neighbors are listed with state FULL, but routes from another area are not appearing in the routing table. Which of the following is the most likely cause?

A.The router is not configured with a router ID
B.The router has an ACL blocking inbound OSPF updates
C.The router is configured as an ABR but does not have a virtual-link configured
D.The link-state database is corrupted
Answer: B

An ACL used for route filtering, such as a distribute-list applied to the OSPF process or an area filter-list on the ABR, can keep the inter-area (Type 3 summary) prefixes out of the routing table while the adjacencies stay FULL. Note that an interface ACL blocking all of IP protocol 89 would also drop Hello packets and the neighbors would not reach FULL, so the filter in this scenario must be selective.

Why this answer

Option B is correct because an ACL referenced by a distribute-list (or, on an ABR, an area filter-list) filters the inter-area routes learned from Type 3 summary LSAs. The LSAs still arrive and the neighbor adjacencies reach FULL state, but the router does not install the filtered inter-area prefixes in its routing table. This explains why directly connected neighbors are fine but routes from another area are missing.

Exam trap

CompTIA often tests the misconception that a FULL neighbor state guarantees all routes are learned, when in fact a distribute-list or area filter can keep prefixes out of the routing table without affecting the neighbor relationship.

How to eliminate wrong answers

Option A is wrong because a router ID is required for OSPF to form adjacencies; since neighbors are already in FULL state, a router ID must be present (either configured or automatically selected). Option C is wrong because an ABR does not need a virtual-link to receive routes from another area; virtual-links are only used to connect an area to the backbone through a transit area when the area has no direct backbone connection or the backbone is partitioned, not for normal inter-area route propagation. Option D is wrong because every LSA carries a checksum that is verified on receipt and re-checked periodically in the database; a corrupted LSA is discarded and re-flooded by its originator rather than silently removing an entire area's routes, and FULL adjacencies indicate the databases synchronized successfully.

466
MCQ · hard

A network administrator is configuring dynamic routing between two routers in the same organization. The routers must support VLSM, converge quickly, and use a metric that is based on bandwidth and delay. Which routing protocol should be configured?

A.RIP
B.OSPF
C.EIGRP
D.BGP
Answer: C

EIGRP supports VLSM, converges quickly through DUAL, and uses bandwidth and delay as the default components of its composite metric.

Why this answer

C is correct because EIGRP is a Cisco-developed advanced distance-vector (hybrid) protocol, originally proprietary and now documented in RFC 7868, that supports Variable-Length Subnet Masking (VLSM), converges rapidly using the Diffusing Update Algorithm (DUAL), and by default builds its composite metric from the minimum bandwidth and the cumulative delay along the path. This makes it the fit for a scenario that requires VLSM support, fast convergence, and a metric based on bandwidth and delay.

Exam trap

The trap here is that candidates often choose OSPF because it is a widely used link-state protocol that supports VLSM and converges quickly, but they overlook the specific requirement for a metric based on both bandwidth and delay, which is unique to EIGRP's default composite metric.

How to eliminate wrong answers

Option A is wrong because RIP (Routing Information Protocol) uses hop count as its metric, not bandwidth and delay, and RIPv1 does not support VLSM (RIPv2 does, but still uses hop count). Option B is wrong because OSPF (Open Shortest Path First) uses cost as its metric, which is derived from bandwidth alone and does not include delay; while it supports VLSM and converges quickly, it does not meet the metric requirement as specified. Option D is wrong because BGP is a path-vector protocol designed for routing between autonomous systems; it selects paths by attributes such as AS-path length and local preference, not bandwidth and delay, and it converges far more slowly than an IGP, so it is the wrong tool for two routers inside one organization.
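To make the metric difference concrete, the added example below (written for this page, not taken from Cisco documentation or the question set) computes the classic EIGRP composite metric, the OSPF cost and the RIP hop count for two constructed paths that are identical in bandwidth and hop count but differ in delay. The bandwidth and delay figures are the configured interface values a router would show, not measured ones. It models only the default K values and the classic 32-bit metric; named-mode EIGRP uses 64-bit wide metrics with different scaling.

```python
# Each path is a list of (bandwidth_kbps, delay_us) per hop, using the values an
# interface reports in "show interfaces". Constructed for the example.
PATHS = {
    # two Fast Ethernet hops, default 100 us delay each
    "terrestrial": [(100_000, 100), (100_000, 100)],
    # same bandwidth and hop count, but the second hop is a satellite link (250 ms)
    "satellite":   [(100_000, 100), (100_000, 250_000)],
}


def eigrp_metric(links):
    """Classic EIGRP composite metric with default K values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / minimum bandwidth in kbps + cumulative delay in tens of microseconds).
    Integer division mirrors the truncation the router performs."""
    min_bw = min(bw for bw, _ in links)
    delay_tens = sum(delay for _, delay in links) // 10
    return 256 * (10_000_000 // min_bw + delay_tens)


def ospf_cost(links, reference_bw_kbps=100_000):
    """OSPF path cost: sum over hops of reference bandwidth / interface bandwidth,
    minimum 1. Delay plays no part. With the default 100 Mbps reference, every link
    at 100 Mbps or faster costs 1 unless auto-cost reference-bandwidth is raised."""
    return sum(max(1, reference_bw_kbps // bw) for bw, _ in links)


def rip_metric(links):
    """RIP counts hops and nothing else."""
    return len(links)


def best_paths(paths, metric_fn):
    """Names of all paths tied for the lowest metric under the given protocol."""
    scored = {name: metric_fn(links) for name, links in paths.items()}
    lowest = min(scored.values())
    return sorted(name for name, m in scored.items() if m == lowest)


if __name__ == "__main__":
    for fn in (eigrp_metric, ospf_cost, rip_metric):
        print(fn.__name__, {n: fn(l) for n, l in PATHS.items()}, "->", best_paths(PATHS, fn))
```

OSPF and RIP see the two paths as equal and will load-share across the satellite link; only EIGRP's delay term separates them. The ospf_cost reference-bandwidth parameter shows the related operational trap: with the default reference, a 1 Gbps and a 10 Gbps link both cost 1.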

467
MCQ · easy

A user reports that they cannot access the internet. The technician tests connectivity: pinging the default gateway succeeds, but pinging a public IP address like 8.8.8.8 fails. Firewall logs show outbound ICMP to 8.8.8.8 is permitted. What is the most likely cause?

A.Incorrect DNS configuration on the workstation
B.Missing default route on the router
C.Duplicate IP address on the local network
D.Proxy server configuration is required
Answer: B

A missing default route means the router does not know where to send packets destined for external networks, causing failure to reach public IPs.

Why this answer

The user can ping the default gateway (local connectivity) but cannot ping a public IP like 8.8.8.8. This indicates that the workstation has a valid route to its local subnet, but the router lacks a default route (0.0.0.0/0) to forward traffic to the internet. Firewall logs confirm outbound ICMP is permitted, so the issue is at Layer 3 routing, not filtering.

Exam trap

CompTIA often tests the distinction between local connectivity (gateway reachable) and internet connectivity (default route missing), trapping candidates who assume DNS or firewall issues when the symptom is a successful ping to the gateway but failure to external IPs.

How to eliminate wrong answers

Option A is wrong because DNS is not involved in ICMP echo requests to an IP address; DNS resolves names to IPs, but the test uses a raw IP (8.8.8.8). Option C is wrong because a duplicate IP address would cause intermittent connectivity or ARP conflicts, not a consistent failure to reach external IPs while the gateway is reachable. Option D is wrong because a proxy server is an application-layer intermediary for HTTP/HTTPS traffic, not required for ICMP or general IP routing; the failure to ping a public IP points to a missing default route, not proxy settings.
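Questions 451, 464 and 467 are three views of one mechanism: the host ANDs the destination with its mask to decide between direct delivery and the gateway, and the router then does a longest-prefix match, which either finds a specific route, falls through to the default route, or finds nothing and drops the packet. The added example below (written for this page, not part of the question set) implements that path with the stdlib ipaddress module. Interface names such as Gi0/0 and Tunnel0 are assumptions, and the VPN case models a route-based tunnel (VTI); with a policy-based crypto map there is no tunnel interface and the route must instead point out the interface carrying the crypto map, with the crypto ACL matching the traffic.

```python
import ipaddress


def network_address(ip: str, mask: str) -> str:
    """The subnet mask's one job: bitwise AND of address and mask gives the network address."""
    masked = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(masked))


def host_next_hop(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Host-side forwarding decision. Same network address as the destination means
    deliver directly (ARP for the destination); otherwise hand the packet to the gateway."""
    if network_address(src_ip, mask) == network_address(dst_ip, mask):
        return "direct"
    return gateway


class RoutingTable:
    """Longest-prefix-match lookup over (prefix, exit) pairs, like a router's RIB."""

    def __init__(self):
        self.routes = []

    def add(self, prefix: str, via: str):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str):
        d = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if d in net]
        if not matches:
            return None             # no route at all, not even a default: packet dropped
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def main_office_router(with_tunnel_route: bool) -> RoutingTable:
    """Question 451: the tunnel is up, but is there a route that points into it?
    Interface names are assumptions for the example."""
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "Gi0/0 (LAN)")
    rt.add("0.0.0.0/0", "Gi0/1 (ISP uplink)")
    if with_tunnel_route:
        rt.add("10.0.1.0/24", "Tunnel0 (IPsec VTI)")
    return rt


def branch_router_no_default() -> RoutingTable:
    """Question 467: LAN route present, default route missing."""
    rt = RoutingTable()
    rt.add("10.0.1.0/24", "Gi0/0 (LAN)")
    return rt


if __name__ == "__main__":
    print(host_next_hop("192.168.1.77", "255.255.255.0", "192.168.1.1", "10.0.1.50"))
    print(main_office_router(False).lookup("10.0.1.50"))   # leaks toward the ISP
    print(main_office_router(True).lookup("10.0.1.50"))    # enters the tunnel
    print(branch_router_no_default().lookup("8.8.8.8"))    # None: dropped
```

The first router case is the subtle one from question 451: with no route for 10.0.1.0/24 the lookup does not fail, it succeeds on the default route and sends private-address traffic unencrypted toward the ISP, where it is discarded. That is why a tunnel can be 'up' while users see nothing but timeouts.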

468
MCQ · easy

A network administrator wants to prevent rogue DHCP servers from offering IP addresses to clients on the network. Which security feature should be enabled on the switches?

A.DHCP snooping
B.Dynamic ARP Inspection (DAI)
C.Port Security
D.IP Source Guard
Answer: A

DHCP snooping examines DHCP traffic and blocks unauthorized DHCP server responses from untrusted ports.

Why this answer

DHCP snooping is the correct security feature because it acts as a firewall between untrusted hosts and trusted DHCP servers. It validates DHCP messages by filtering out responses from unauthorized DHCP servers on untrusted ports, preventing rogue servers from offering IP addresses to clients. This is achieved by building and maintaining a DHCP snooping binding database that tracks valid IP-to-MAC address mappings.

Exam trap

CompTIA often tests the distinction between DHCP snooping and Dynamic ARP Inspection (DAI), where candidates mistakenly choose DAI because they confuse ARP spoofing with rogue DHCP server attacks.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, not DHCP server impersonation. Option C (Port Security) is wrong because it limits the number of MAC addresses allowed on a switch port to prevent MAC flooding attacks, not DHCP rogue server prevention. Option D (IP Source Guard) is wrong because it filters IP traffic based on the DHCP snooping binding table to prevent IP spoofing, but it does not directly block rogue DHCP server messages.
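Questions 460 and 468 are two halves of one design: DHCP snooping decides which ports may carry server-side DHCP messages and records the leases it sees, and Dynamic ARP Inspection then checks every ARP reply on an untrusted port against that table. The added example below (written for this page; it is not switch firmware or code from the question set) simulates both over constructed frames: a rogue Offer on an access port is dropped, a legitimate Ack on the trusted uplink populates the binding table, and an attacker's ARP reply claiming the gateway address is rejected because no binding ties that MAC to that IP. Port names and MAC addresses are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    """One inbound frame, reduced to the fields the two features look at. Constructed."""
    port: str                  # ingress switch port
    src_mac: str               # Ethernet source
    kind: str                  # dhcp-discover/-request/-offer/-ack/-nak or arp-reply
    ip: Optional[str] = None   # DHCP: yiaddr on OFFER/ACK;  ARP: sender protocol address
    mac: Optional[str] = None  # DHCP: client chaddr;         ARP: sender hardware address


class Switch:
    """DHCP snooping plus Dynamic ARP Inspection over the binding table it builds."""

    SERVER_MESSAGES = {"dhcp-offer", "dhcp-ack", "dhcp-nak"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink(s) toward the real DHCP server
        self.bindings = {}                  # client MAC -> leased IP (the snooping table)
        self.log = []

    def dhcp_snooping(self, f: Frame) -> bool:
        # Server-side messages may only enter on trusted ports; that is what stops a rogue.
        if f.kind in self.SERVER_MESSAGES and f.port not in self.trusted:
            self.log.append(f"DHCP snooping: dropped {f.kind} from {f.src_mac} on untrusted {f.port}")
            return False
        if f.kind == "dhcp-ack":
            self.bindings[f.mac] = f.ip    # lease confirmed: record IP <-> MAC
        return True

    def dai(self, f: Frame) -> bool:
        # ARP arriving on trusted ports (the gateway behind the uplink) is not inspected.
        if f.port in self.trusted:
            return True
        if self.bindings.get(f.mac) != f.ip:
            self.log.append(f"DAI: dropped ARP from {f.src_mac} claiming {f.ip} on {f.port}")
            return False
        return True

    def ingress(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if dropped."""
        if f.kind.startswith("dhcp-"):
            return self.dhcp_snooping(f)
        if f.kind == "arp-reply":
            return self.dai(f)
        return True


if __name__ == "__main__":
    sw = Switch(trusted_ports={"Gi0/24"})
    frames = [
        Frame("Gi0/24", "00:11:22:33:44:55", "dhcp-ack", ip="192.168.1.100", mac="aa:bb:cc:dd:ee:01"),
        Frame("Gi0/5", "de:ad:be:ef:00:01", "dhcp-offer", ip="192.168.1.200", mac="aa:bb:cc:dd:ee:02"),
        Frame("Gi0/7", "de:ad:be:ef:00:02", "arp-reply", ip="192.168.1.1", mac="de:ad:be:ef:00:02"),
        Frame("Gi0/3", "aa:bb:cc:dd:ee:01", "arp-reply", ip="192.168.1.100", mac="aa:bb:cc:dd:ee:01"),
    ]
    for fr in frames:
        print(fr.port, fr.kind, "forwarded" if sw.ingress(fr) else "dropped")
    print(*sw.log, sep="\n")
```

Two deployment points follow directly from the model: only uplinks toward the DHCP server should be trusted (trusting an access port reopens both holes), and hosts with static addresses never appear in the binding table, so they need an explicit ARP ACL or they will be dropped by DAI.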

469
MCQ · medium

A network administrator wants to prevent unauthorized devices from connecting to the network through a switch port. Which security feature should be enabled on the switch?

A.802.1X
B.Port security
C.MAC filtering
D.Storm control
Answer: A

802.1X authenticates devices before allowing them to send traffic, providing strong access control.

Why this answer

802.1X is the correct answer because it provides port-based network access control (PNAC) that authenticates devices before granting network access. It uses the Extensible Authentication Protocol (EAP) over LAN (EAPoL) to communicate with a RADIUS server, ensuring only authorized users or devices can connect through the switch port. This prevents unauthorized devices from accessing the network at Layer 2, regardless of MAC address or IP configuration.

Exam trap

The trap here is that candidates confuse port security or MAC filtering with true authentication; CompTIA tests that 802.1X is the only option listed that performs per-device authentication against a central server, rather than a static MAC-based control.

How to eliminate wrong answers

Option B (Port security) is wrong because it only limits the number of MAC addresses allowed on a port or locks specific MAC addresses, but it does not authenticate devices; an attacker can spoof a permitted MAC address and bypass the restriction. Option C (MAC filtering) is wrong because it is a static access control list based on MAC addresses, which can be easily spoofed and does not provide dynamic authentication or integration with a central identity store like RADIUS. Option D (Storm control) is wrong because it rate-limits broadcast, multicast, or unknown-unicast traffic to protect the switch from flooding; it does not decide which devices may connect.

470
MCQ · easy

Which of the following security mechanisms requires a user to authenticate before gaining access to the wired network at a switch port?

A.802.1X
B.Port security
C.ACL
D.MAC authentication
Answer: A

802.1X is a Layer 2 protocol that blocks all traffic until the device authenticates, providing strong access control.

Why this answer

802.1X is a port-based Network Access Control (NAC) standard (IEEE 802.1X) that requires a user or device to authenticate via an authentication server (e.g., RADIUS) before the switch port transitions from an unauthorized to an authorized state, allowing full network access. It uses Extensible Authentication Protocol (EAP) over LAN (EAPoL) to carry authentication messages between the supplicant (client), authenticator (switch), and authentication server. This ensures that only authenticated users can access the wired network at the switch port level.

Exam trap

Cisco often tests the distinction between 802.1X (user authentication) and port security (MAC address filtering), leading candidates to confuse MAC-based restrictions with true authentication mechanisms.

How to eliminate wrong answers

Option B (Port security) is wrong because it restricts access based on MAC addresses, not user authentication; it can be bypassed by spoofing a permitted MAC address and does not involve a user credential challenge. Option C (ACL) is wrong because an Access Control List filters traffic based on IP addresses, ports, or protocols after a device is already connected; it does not enforce user authentication before granting network access. Option D (MAC authentication) is wrong because it authenticates based on the device's MAC address, not a user identity; it is a simpler, less secure method that can be spoofed and does not require interactive user credentials.

471
MCQ · hard

A network administrator configures a router-on-a-stick to route traffic between VLAN 10 and VLAN 20. Users in each VLAN can communicate within their own VLAN but cannot reach devices in the other VLAN. The router has subinterfaces configured, and the switch port connected to the router is configured as an access port in VLAN 1. What is the most likely cause of the inter-VLAN connectivity failure?

A. The router's subinterfaces are not configured with IP addresses.
B. The switch port connected to the router is not configured as a trunk.
C. The VLANs are not created on the switch.
D. The router's default route is missing.
Answer: B

This is the most likely cause. A trunk port is required to carry frames from multiple VLANs to the router for inter-VLAN routing. An access port only carries a single VLAN, preventing the router from receiving traffic from other VLANs.

Why this answer

The router-on-a-stick design requires the switch port connecting to the router to be configured as a trunk port. This allows the switch to forward frames from multiple VLANs (VLAN 10 and VLAN 20) to the router's subinterfaces, each tagged with the appropriate 802.1Q VLAN ID. When the port is set as an access port in VLAN 1, it only accepts untagged frames from VLAN 1, so the router's subinterfaces for VLAN 10 and VLAN 20 never receive traffic, breaking inter-VLAN routing.

Exam trap

CompTIA often tests the misconception that a router-on-a-stick only needs subinterfaces with IP addresses, leading candidates to overlook the critical requirement that the switch port must be a trunk to carry multiple VLAN tags.

How to eliminate wrong answers

Option A is wrong because subinterfaces must have IP addresses to route, but the question states the router has subinterfaces configured, implying IPs are set; the failure is due to the switch port not trunking, not missing IPs. Option C is wrong because users can communicate within their own VLANs, which proves the VLANs exist on the switch; if VLANs were not created, intra-VLAN communication would also fail. Option D is wrong because a default route is only needed for traffic destined outside the local network; inter-VLAN routing between directly connected subinterfaces uses connected routes, not a default route.

472
MCQ · medium

An organization wants to deploy Wi-Fi in a large, open office space. They need high throughput and the ability to support many simultaneous clients, but they are budget-constrained. Which IEEE wireless standard should they choose?

A. 802.11ac (Wi-Fi 5)
B. 802.11ax (Wi-Fi 6)
C. 802.11n (Wi-Fi 4)
D. 802.11b (Wi-Fi 1)
Answer: B

Correct. 802.11ax is optimized for dense client environments with improved capacity and throughput, making it the best choice despite budget constraints.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA) and MU-MIMO (both uplink and downlink), which significantly improve throughput and capacity in dense environments. It also operates in both 2.4 GHz and 5 GHz bands, providing backward compatibility and better spectrum utilization, all while maintaining cost-effectiveness for large-scale deployments.

Exam trap

CompTIA often tests the misconception that 802.11ac is sufficient for high-density environments, but the trap is that 802.11ac lacks OFDMA and uplink MU-MIMO, which are critical for efficiently handling many simultaneous clients in a budget-constrained deployment.

How to eliminate wrong answers

Option A is wrong because 802.11ac (Wi-Fi 5) operates only in the 5 GHz band and relies solely on OFDM, lacking OFDMA and uplink MU-MIMO, which limits its ability to efficiently handle many simultaneous clients in a dense open office. Option C is wrong because 802.11n (Wi-Fi 4) uses only OFDM and supports only up to 4 spatial streams with a maximum theoretical data rate of 600 Mbps, which is insufficient for high throughput and high client density in a modern large office. Option D is wrong because 802.11b (Wi-Fi 1) is an outdated standard with a maximum data rate of 11 Mbps and uses DSSS, making it completely unsuitable for high throughput or supporting many simultaneous clients.

473
MCQ · easy

A company wants to ensure that only devices with known MAC addresses can connect to the guest Wi-Fi network. Which security feature should be configured on the wireless controller?

A. WPA2-Enterprise
B. MAC filtering
C. 802.1X
D. WPA3-Personal
Answer: B

MAC filtering restricts network access to clients whose MAC addresses are on an allowed list.

Why this answer

MAC filtering allows the wireless controller to maintain an allowlist of known MAC addresses, so only devices with those addresses can associate with the guest SSID. This directly meets the requirement to restrict access based on MAC addresses without requiring authentication credentials from users.

Exam trap

Cisco often tests the misconception that 802.1X or WPA2-Enterprise can filter by MAC address, but these are authentication protocols for user/device identity, not MAC-based access control.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise uses 802.1X/EAP for user-based authentication (e.g., via RADIUS), not MAC address validation, and would require credentials from every guest. Option C is wrong because 802.1X is a port-based authentication framework that relies on credentials or certificates, not MAC addresses, and is typically used for corporate networks, not guest Wi-Fi.

474
MCQ · medium

A user reports that they cannot access any network resources. The technician checks the IP configuration and sees that the workstation has an IP address of 169.254.1.5. What is the most likely cause?

A. The DNS server is down
B. The DHCP server is unavailable
C. The default gateway is incorrect
D. The subnet mask is mismatched
Answer: B

An APIPA address indicates DHCP failure, so the DHCP server is likely unreachable.

Why this answer

The IP address 169.254.1.5 is an Automatic Private IP Addressing (APIPA) address (169.254.0.0/16 range), which Windows assigns when a DHCP client fails to receive a lease from a DHCP server. Since the workstation cannot obtain a valid IP configuration, it cannot communicate with any network resources, confirming that the DHCP server is unavailable.

Exam trap

The trap here is that candidates may confuse APIPA with a static IP misconfiguration or assume a DNS issue, but the 169.254.x.x address is a definitive indicator of DHCP failure, not a gateway or subnet problem.

How to eliminate wrong answers

Option A is wrong because a DNS server failure would not prevent the workstation from obtaining an IP address; it would only cause name resolution failures after a valid IP is assigned. Option C is wrong because an incorrect default gateway would still allow the workstation to hold a valid IP from DHCP, with only traffic to remote subnets failing; the APIPA address indicates that no DHCP lease was obtained at all. Option D is wrong because a mismatched subnet mask presupposes that a valid IP was obtained from DHCP in the first place; the presence of an APIPA address points to DHCP unavailability, not a mask mismatch.

475
MCQ · medium

A network administrator notices that a large number of ICMP echo request packets are being sent to the broadcast address of the network from a single host. This is causing performance degradation. Which type of attack is this?

A. ARP spoofing
B. MAC flooding
C. Smurf attack
D. DNS amplification
Answer: C

A Smurf attack uses ICMP echo requests to a broadcast address to create a denial-of-service via amplification.

Why this answer

The smurf attack exploits ICMP by sending echo request packets to a network's broadcast address with a spoofed source IP of the victim. All hosts on the network then reply to the victim, overwhelming it with traffic and causing performance degradation. This matches the scenario of a single host sending ICMP echo requests to the broadcast address.

Exam trap

CompTIA often tests the distinction between amplification attacks (smurf vs. DNS amplification) by focusing on the protocol used (ICMP vs. UDP) and the target address (broadcast vs. open resolver), leading candidates to confuse smurf with DNS amplification if they only remember 'amplification' without the protocol details.

How to eliminate wrong answers

Option A is wrong because ARP spoofing involves sending forged ARP messages to link an attacker's MAC address with a legitimate IP, causing traffic interception, not ICMP broadcast floods. Option B is wrong because MAC flooding targets a switch's CAM table by sending many frames with fake source MAC addresses to force it into fail-open mode, not by using ICMP packets. Option D is wrong because DNS amplification uses small DNS queries with a spoofed source IP to cause large responses from open resolvers, leveraging UDP, not ICMP echo requests to a broadcast address.

476
MCQ · easy

A network administrator needs to generate a report of all MAC addresses learned on each switch port to assist with inventory management. Which command-line utility can be used to view the MAC address table on a switch?

A. show mac address-table
B. show running-config
C. show ip interface
D. show vlan
Answer: A

This command lists all dynamic MAC addresses learned on switch ports, along with VLAN and port information.

Why this answer

The 'show mac address-table' command displays the MAC address table (also known as the Content Addressable Memory or CAM table) on a Cisco switch. This table maps each learned MAC address to the specific switch port and VLAN, which is exactly what the administrator needs for inventory management of devices connected to each port.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config') and operational commands (like 'show mac address-table'), leading candidates to mistakenly choose a configuration display command when the question asks for learned MAC address data.

How to eliminate wrong answers

Option B is wrong because 'show running-config' displays the current active configuration of the switch (including VLANs, interfaces, and protocols), but it does not show the dynamically learned MAC address table entries. Option C is wrong because 'show ip interface' displays IP-related interface information such as IP address, subnet mask, and interface status, but it does not show MAC address-to-port mappings.

477
MCQ · medium

A network administrator needs to power IP phones and wireless access points through the Ethernet cable. Which standard should be supported?

A. 802.3af
B. 802.11ac
C. 802.1X
D. 802.3ab
Answer: A

802.3af is the IEEE standard for Power over Ethernet, providing up to 15.4W to powered devices.

Why this answer

The 802.3af standard, also known as Power over Ethernet (PoE), delivers up to 15.4 watts of DC power over twisted-pair Ethernet cabling. This allows devices like IP phones and wireless access points to receive both data and power through a single Ethernet cable, eliminating the need for separate power supplies.

Exam trap

The trap here is confusing the 802.3 family of wired Ethernet standards (which includes PoE) with the 802.11 family of wireless standards (like 802.11ac), leading candidates to mistakenly select a Wi-Fi standard for a power-over-cable requirement.

How to eliminate wrong answers

Option B (802.11ac) is wrong because it is a wireless networking standard that defines Wi-Fi speeds and frequencies (5 GHz band), not a method for delivering power over Ethernet cables. Option C (802.1X) is wrong because it is a port-based network access control protocol used for authentication (e.g., with RADIUS servers), not a power delivery standard.

478
MCQ · easy

Which of the following network protocols operates at the Transport layer of the OSI model and provides connection-oriented, reliable data delivery?

A. UDP
B. TCP
C. IP
D. ARP
Answer: B

TCP provides connection-oriented, reliable data delivery with features like flow control, error checking, and retransmission of lost packets.

Why this answer

TCP (Transmission Control Protocol) operates at the Transport layer (Layer 4) of the OSI model and provides connection-oriented, reliable data delivery through mechanisms such as three-way handshake, sequence numbers, acknowledgments, and retransmission of lost segments. This ensures that data is delivered in order and without errors, making TCP the correct choice for the question.

Exam trap

The trap here is that candidates often confuse IP (Network layer) with a transport protocol or mistakenly think UDP provides reliability because it has checksums, but UDP lacks connection setup and retransmission, making TCP the only correct answer for connection-oriented reliable delivery.

How to eliminate wrong answers

Option A (UDP) is wrong because it is a connectionless Transport layer protocol that provides unreliable, best-effort delivery without acknowledgments or retransmissions, making it unsuitable for connection-oriented reliable data delivery. Option C (IP) is wrong because it operates at the Network layer (Layer 3) and is responsible for addressing and routing packets, not for providing transport-layer reliability or connection-oriented service.

479
MCQ · medium

A network administrator needs to monitor bandwidth utilization on a router interface in real time. Which of the following protocols is best suited for this purpose?

A. Syslog
B. SNMP polling
C. NetFlow
D. CDP
Answer: B

SNMP polling allows an NMS to query MIB objects like interface utilization counters at regular intervals, making it ideal for real-time bandwidth monitoring.

Why this answer

SNMP polling is the best choice for real-time bandwidth monitoring because it allows the network management system (NMS) to actively query the router's interface MIB (e.g., ifInOctets, ifOutOctets) at short intervals, calculating utilization from the delta between successive polls. This provides near-real-time data without waiting for unsolicited events, making it ideal for live dashboards and threshold alerts.

Exam trap

Cisco often tests SNMP polling vs. NetFlow by framing the question around 'real-time bandwidth utilization,' leading candidates to choose NetFlow because they confuse flow analysis with interface-level utilization, but NetFlow's export delay and flow-based aggregation make it unsuitable for instantaneous per-interface bandwidth monitoring.

How to eliminate wrong answers

Option A (Syslog) is wrong because Syslog is a logging protocol for event messages (e.g., interface up/down, errors) and does not provide periodic bandwidth utilization data; it is asynchronous and not designed for real-time performance monitoring. Option C (NetFlow) is wrong because NetFlow is primarily used for traffic flow analysis (source/destination, protocols, volumes) and not for real-time interface bandwidth utilization; it exports flow records on a per-flow basis with a delay, making it unsuitable for instantaneous utilization monitoring.

480
MCQ · easy

A company has a change management policy that requires all network changes to be approved and documented. An administrator needs to replace a faulty switch in the core network. According to best practices, which step should be performed after the replacement is complete?

A. Update the network diagram.
B. Roll back to the previous switch.
C. Notify users of the change.
D. Submit a change request.
Answer: A

Documentation must be updated after any change to maintain accurate records for future troubleshooting and auditing.

Why this answer

Updating the network diagram is the correct step because it ensures that the documentation accurately reflects the new switch's location, model, firmware version, and connections. This aligns with change management best practices, which require that all network changes be documented to maintain an accurate source of truth for troubleshooting, capacity planning, and future changes. Without this update, the diagram becomes stale, leading to potential misconfigurations or delays during incident response.

Exam trap

The trap here is that candidates confuse the operational step of 'notifying users' (which is part of the change communication plan, not the post-implementation step) with the documentation requirement, leading them to select Option C instead of recognizing that updating the network diagram is the critical final step to close the change record.

How to eliminate wrong answers

Option B is wrong because rolling back to the previous switch contradicts the purpose of the replacement—the faulty switch has already been removed and replaced with a working unit; rolling back would reintroduce the fault and violate the change management policy that requires the approved change to be completed. Option C is wrong because notifying users of the change is typically performed before or during the maintenance window (as part of the change plan), not after the replacement is complete; post-replacement, the focus should be on updating documentation and verifying functionality, not user notification.

481
MCQ · easy

Which of the following best describes a broadcast domain?

A. All devices connected to the same switch
B. All devices that share the same IP subnet
C. All devices that can receive a broadcast frame from any other device in the network segment
D. All devices that have the same MAC address prefix
Answer: C

This is the precise definition. A broadcast domain consists of all devices that will receive a broadcast frame sent by any device within the same logical boundary.

Why this answer

A broadcast domain is defined as the set of all devices that can receive a broadcast frame (destination MAC FF:FF:FF:FF:FF:FF) sent by any other device within the same network segment. This boundary is typically enforced by Layer 3 devices like routers, which do not forward broadcast frames, whereas Layer 2 switches forward broadcasts out all ports except the receiving port within the same VLAN.

Exam trap

The trap here is that candidates often confuse a broadcast domain with a collision domain or assume all devices on the same switch are in the same broadcast domain, ignoring VLAN segmentation.

How to eliminate wrong answers

Option A is wrong because a single switch can be divided into multiple VLANs, each forming its own broadcast domain; devices on different VLANs on the same switch cannot receive each other's broadcasts. Option B is wrong because multiple IP subnets can exist within the same broadcast domain (e.g., using proxy ARP or unnumbered interfaces), and conversely, a single IP subnet can span multiple broadcast domains if routers are used to segment them. Option D is wrong because MAC address prefixes (OUI) identify the manufacturer, not broadcast domain membership; devices with different OUIs can be in the same broadcast domain, and devices with the same OUI can be in different broadcast domains.

482
MCQ · hard

A security analyst notices that a network switch is receiving DHCP discover messages from a rogue device offering IP addresses. The rogue device is causing clients to obtain invalid IP addresses and lose network connectivity. Which security feature should be implemented on the switch to prevent this type of attack?

A. Dynamic ARP inspection (DAI)
B. DHCP snooping
C. Port security
D. 802.1X authentication
Answer: B

DHCP snooping validates DHCP messages and blocks rogue DHCP servers by only allowing DHCP server messages on trusted ports.

Why this answer

B is correct because DHCP snooping is a security feature that filters untrusted DHCP messages on a switch. It distinguishes between trusted ports (connected to legitimate DHCP servers) and untrusted ports (connected to clients or rogue devices). When a rogue device sends DHCP messages offering IP addresses, DHCP snooping drops those server-side messages on untrusted ports, preventing the rogue server from assigning invalid IP addresses.

Exam trap

The trap here is that candidates confuse DHCP snooping with Dynamic ARP Inspection (DAI), but DAI only protects against ARP-based attacks, not rogue DHCP servers, while DHCP snooping directly addresses the described scenario.

How to eliminate wrong answers

Option A is wrong because Dynamic ARP Inspection (DAI) validates ARP packets to prevent ARP spoofing and man-in-the-middle attacks, but it does not filter or block rogue DHCP server messages. Option C is wrong because Port Security limits the number of MAC addresses allowed on a port to prevent MAC flooding attacks, but it does not inspect or block DHCP messages from unauthorized servers.

483
Drag & Drop · medium

Drag and drop the steps for the TCP three-way handshake into the correct order.

Why this order

The TCP three-way handshake establishes a connection: SYN, SYN-ACK, ACK.

484
MCQ · easy

A network administrator needs to create a subnet that supports exactly 50 hosts. Which subnet mask provides the smallest subnet that meets this requirement?

A. /27 (255.255.255.224)
B. /26 (255.255.255.192)
C. /25 (255.255.255.128)
D. /24 (255.255.255.0)
Answer: B

/26 provides 62 usable addresses, which is the minimum that supports 50 hosts.

Why this answer

Option B is correct because a /26 subnet mask (255.255.255.192) provides 62 usable host addresses (2^(32-26) - 2 = 64 - 2 = 62), which is the smallest subnet that supports at least 50 hosts. A /27 would only provide 30 usable addresses, which is insufficient.

Exam trap

The trap here is that candidates often forget to subtract 2 for the network and broadcast addresses, leading them to choose a /27 (which has 32 total addresses but only 30 usable) thinking it supports 50 hosts.

How to eliminate wrong answers

Option A is wrong because it represents a /27 subnet mask (255.255.255.224), which provides only 30 usable hosts (2^5 - 2 = 30), insufficient for 50 hosts. Option C is wrong because it represents a /25 subnet mask (255.255.255.128), which provides 126 usable hosts (2^7 - 2 = 126), far more than needed and not the smallest subnet that meets the requirement. Option D is wrong because it represents a /24 subnet mask (255.255.255.0), which provides 254 usable hosts (2^8 - 2 = 254), excessively large and not the smallest option.

485
MCQ · easy

A network administrator wants to ensure all network devices have synchronized time for accurate log correlation and security event analysis. Which protocol should be implemented?

A. SNMP
B. NTP
C. FTP
D. HTTP
Answer: B

NTP provides accurate time synchronization over a network, typically using a hierarchy of time servers.

Why this answer

NTP (Network Time Protocol) is the correct choice because it is specifically designed to synchronize clocks across network devices using a hierarchical system of time sources, ensuring millisecond-level accuracy. Accurate time synchronization is critical for correlating logs and security events across multiple devices, as timestamps must match to reconstruct attack timelines or diagnose faults.

Exam trap

Cisco often tests the distinction between NTP for time sync and SNMP for management, so candidates may mistakenly choose SNMP because they associate it with network monitoring and overlook that it does not synchronize clocks.

How to eliminate wrong answers

Option A (SNMP) is wrong because it is used for monitoring and managing network devices via MIBs and traps, not for time synchronization. Option C (FTP) is wrong because it is a file transfer protocol used to move files between hosts, not to synchronize system clocks. Option D (HTTP) is wrong because it is an application-layer protocol for transferring hypertext, and while it can carry time information via headers like Date, it lacks the precision and dedicated synchronization mechanisms of NTP.

486
MCQ · medium

A network engineer is configuring a trunk link between two switches to carry VLANs 10, 20, and 30. On Switch A, the port is configured with 'switchport mode trunk' and 'switchport nonegotiate'. On Switch B, the port is left at the default configuration. Which additional configuration is required on Switch B?

A. Set the native VLAN to 1.
B. Enable DTP on Switch B.
C. Manually set the port to trunk mode.
D. Configure the allowed VLAN list.
Answer: C

Since Switch A is set to 'nonegotiate', Switch B must be manually configured as a trunk port (e.g., 'switchport mode trunk') to establish the trunk link.

Why this answer

Switch B is left at default configuration, which on most Cisco switches means the port is in dynamic desirable or dynamic auto mode, relying on DTP to negotiate trunking. Since Switch A has 'switchport nonegotiate' configured, it will not send DTP frames, so Switch B will never receive a negotiation trigger and will remain in access mode. Therefore, the port on Switch B must be manually set to trunk mode with 'switchport mode trunk' to establish the trunk link.

Exam trap

CompTIA often tests the misconception that DTP is always required or that 'switchport nonegotiate' only affects DTP on the local switch, when in fact it prevents the remote switch from ever learning that trunking is desired, forcing a manual configuration on the remote end.

How to eliminate wrong answers

Option A is wrong because setting the native VLAN to 1 is the default behavior and does not enable trunking; the issue is that Switch B is not in trunk mode at all. Option B is wrong because enabling DTP on Switch B would not help, as Switch A has 'switchport nonegotiate' which disables DTP frame transmission, so no negotiation can occur. Option D is wrong because configuring the allowed VLAN list is only relevant after the port is already in trunk mode; the primary missing configuration is the trunk mode itself.

487
Drag & Drop · medium

Drag and drop the steps to configure a VLAN on a managed switch into the correct order.

Why this order

VLAN creation involves entering config mode, creating the VLAN, and assigning ports.

488
MCQ · easy

Which of the following best describes the function of a default gateway on a host?

A. It forwards packets destined for networks other than the local subnet
B. It resolves domain names to IP addresses
C. It assigns IP addresses to devices on the local network
D. It filters traffic based on MAC addresses
Answer: A

Correct. The default gateway provides a route to remote networks.

Why this answer

The default gateway is the router interface on the local subnet that a host uses to send packets destined for IP addresses outside its own subnet. When a host determines, by comparing the destination IP against its own address and subnet mask, that the destination is not on the local link, it resolves the default gateway's MAC address via ARP and forwards the packet there; the gateway then routes the packet toward the remote network. This is essential for inter-subnet communication in any IP network.

Exam trap

The trap here is that candidates often confuse the default gateway with a DNS server or DHCP server, because in many home networks the same device (the router) performs all three roles, but the exam tests the distinct Layer 3 routing function of the default gateway in isolation.

How to eliminate wrong answers

Option B is wrong because domain name resolution is performed by a DNS server, not the default gateway; the default gateway operates at Layer 3 (IP routing) and has no role in DNS lookups. Option C is wrong because IP address assignment on a local network is typically handled by a DHCP server, which may or may not be the same device as the default gateway, but the function of assigning addresses is not a property of the default gateway itself. Option D is wrong because filtering traffic based on MAC addresses is a Layer 2 function performed by switches or firewall rules, not by the default gateway, which forwards packets based on IP destination addresses.

489
MCQ · hard

A company wants to ensure that only users who have successfully authenticated Active Directory credentials can access the wired network. The network switches support IEEE 802.1X. Which additional component must be deployed to complete the solution?

A. A RADIUS server
B. A DHCP server
C. A certificate authority
D. A TACACS+ server
Answer: A

RADIUS is the standard authentication server used with 802.1X to validate credentials against an identity source like Active Directory.

Why this answer

IEEE 802.1X port-based authentication requires a RADIUS server to act as the authentication server. The switch (authenticator) forwards the user's credentials to the RADIUS server, which validates them against Active Directory and returns an accept or reject decision. Without a RADIUS server, the switch has no way to verify the user's credentials against the central identity store.

Exam trap

Cisco often tests the distinction between RADIUS (for network access) and TACACS+ (for device administration), leading candidates to mistakenly choose TACACS+ because it is associated with authentication, even though 802.1X specifically requires RADIUS.

How to eliminate wrong answers

Option B is wrong because a DHCP server only assigns IP addresses and does not perform authentication; it cannot validate Active Directory credentials. Option C is wrong because a certificate authority issues digital certificates for certificate-based authentication (e.g., EAP-TLS), but the question specifies that users authenticate with Active Directory credentials, not certificates, and 802.1X can use password-based EAP methods (e.g., PEAP-MSCHAPv2) that do not require a CA. Option D is wrong because TACACS+ is a Cisco-proprietary protocol primarily used for device administration (e.g., authenticating network engineers to switches/routers), not for end-user network access authentication via 802.1X; RADIUS is the standard for network access control.

490
MCQ · medium

A network engineer is configuring a Link Aggregation Group (LAG) between two switches. Switch A is set to LACP active mode. Which mode should be configured on Switch B to form the LAG?

A. Passive
B. On
C. Static
D. Auto
Answer: A

LACP passive mode will respond to negotiation requests from the active peer, forming the LAG. This is the correct complementary mode.

Why this answer

LACP active mode initiates negotiation by sending LACP packets, while passive mode responds to those packets without initiating. Since Switch A is set to active, Switch B must be in passive mode to successfully form a Link Aggregation Group (LAG). This combination allows the two switches to exchange LACP frames and agree on the aggregation parameters.

Exam trap

Cisco often tests the distinction between LACP modes (active/passive) and PAgP modes (desirable/auto), leading candidates to mistakenly choose 'Auto' (a PAgP mode) for LACP questions.

How to eliminate wrong answers

Option B (On) is wrong because 'On' refers to static LAG configuration without LACP, which does not use LACP negotiation and cannot interoperate with LACP active mode. Option C (Static) is wrong because it is not a valid LACP mode; static LAGs are configured without LACP and require both sides to be set to 'On'. Option D (Auto) is wrong because 'Auto' is a Cisco proprietary mode for PAgP (Port Aggregation Protocol), not LACP, and would not form a LAG with LACP active mode.

491
MCQeasy

A network administrator needs to update the firmware on a critical core switch. According to change management best practices, which step should be completed FIRST?

A.Test the firmware update in a lab environment
B.Notify all users of a scheduled outage
C.Create a detailed rollback plan
D.Schedule the update during a maintenance window
AnswerA

Testing first ensures the firmware works correctly and any compatibility issues are discovered without affecting production operations.

Why this answer

Before any change is applied to a production network device, the firmware update must first be validated in a controlled lab environment that mirrors the production configuration. This step ensures that the new firmware does not introduce compatibility issues with existing protocols (e.g., spanning-tree, VLAN configurations, or routing protocols like OSPF) and that the update process itself does not cause unexpected behavior. Skipping lab validation risks an outage that could have been prevented, making it the foundational step in change management.

Exam trap

The trap here is that candidates often jump to scheduling the maintenance window (Option D) as the first step, confusing operational logistics with the critical prerequisite of validation, which the change management process treats as the cornerstone of a safe change.

How to eliminate wrong answers

Option B is wrong because notifying users of a scheduled outage is a communication step that should occur after the update has been tested and approved, not before any validation. Option C is wrong because creating a detailed rollback plan is important but comes after understanding the update's behavior through testing; a rollback plan is useless if the update hasn't been verified to work correctly. Option D is wrong because scheduling the update during a maintenance window is a logistical step that assumes the update is safe to apply, which cannot be known without first testing it in a lab environment.

492
MCQeasy

A network administrator is configuring a new switch in a production environment. The switch must be managed remotely. Which of the following should be configured on the switch's management interface?

A.Default gateway
B.Spanning tree priority
C.VLAN 1 membership
D.Port security
AnswerA

The default gateway allows the management interface to communicate with devices outside its own subnet, which is essential for remote management from another network.

Why this answer

The default gateway is required for remote management because the management interface (often a virtual interface like VLAN 1 or a dedicated management VLAN) needs a route to reach devices on different subnets. Without a default gateway, the switch can only be accessed from hosts within the same subnet, making remote management impossible across routed networks.

Exam trap

The trap here is that candidates often think VLAN 1 membership (Option C) is sufficient for remote management, forgetting that the switch needs a default gateway to route management traffic beyond its local subnet.

How to eliminate wrong answers

Option B is wrong because spanning tree priority is a STP (802.1D) parameter that influences root bridge election and loop prevention, not remote management connectivity. Option C is wrong because VLAN 1 membership is typically the default for the management interface, but it does not provide IP routing; the switch still needs a default gateway to reach remote management hosts. Option D is wrong because port security is a Layer 2 feature that restricts MAC addresses on access ports to prevent unauthorized devices, and it has no role in enabling remote management.

493
MCQeasy

A network administrator needs to connect 10 workstations in a way that each workstation's traffic does not collide with others. Which device should be used to connect these workstations?

A.Hub
B.Switch
C.Router
D.Modem
AnswerB

Correct. Each port on a switch is a separate collision domain, preventing collisions between different workstations.

Why this answer

A switch is the correct device because it operates at Layer 2 of the OSI model, using MAC addresses to forward frames only to the specific destination port. This creates separate collision domains for each connected workstation, ensuring that traffic from one workstation does not collide with traffic from another.

Exam trap

The trap here is that candidates often confuse a hub with a switch, thinking both simply 'connect' devices, but the key differentiator is that a hub creates a single collision domain while a switch creates separate collision domains per port.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 and simply repeats electrical signals out all ports, forcing all workstations to share a single collision domain — any two devices transmitting simultaneously will cause a collision. Option C is wrong because a router operates at Layer 3 and is designed to forward packets between different IP subnets, not to provide collision-free connectivity within a single broadcast domain; using a router here would be overkill and would not address the Layer 2 collision issue. Option D is wrong because a modem converts signals between the LAN and a carrier's access medium (DSL, cable or cellular) to reach a WAN; it is not a multiport LAN connectivity device and does nothing about collision domains.

494
MCQmedium

A network administrator is configuring a new switch and needs to ensure that log messages are sent to a remote syslog server with a severity level of 'warning' (4) or higher. Which severity level should be set as the trap level on the switch?

A.3 (error)
B.4 (warning)
C.5 (notice)
D.7 (debug)
AnswerB

A trap level of 4 includes all messages with severity 0 through 4, which covers emergency, alert, critical, error, and warning.

Why this answer

Option B is correct because setting the trap level to 4 (warning) on a Cisco switch using the 'logging trap 4' command ensures that syslog messages with a severity of warning (4) and higher (i.e., emergency, alert, critical, error, and warning) are forwarded to the remote syslog server. The severity levels are defined in RFC 5424, where lower numbers indicate higher priority, so level 4 includes all messages from 0 through 4.

Exam trap

The exam often tests the misconception that setting the trap level to the exact severity number (e.g., 4) means only that severity is sent, when in fact it sends that level and all higher-priority (lower-number) levels.

How to eliminate wrong answers

Option A is wrong because a trap level of 3 (error) forwards only severities 0 through 3, so warning (4) messages never reach the server. Option C is wrong because a trap level of 5 (notice) forwards severities 0 through 5; that does include warnings, but it also forwards the lower-priority notice messages the requirement did not ask for, and the question asks for the cut-off that matches 'warning or higher' exactly. Option D is wrong because a trap level of 7 (debug) forwards everything, including debugging output, which floods the collector and defeats the purpose of the filter.
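The filtering rule above is easy to get backwards when you build or troubleshoot a syslog collector, so here is the same 'trap level' logic applied to actual message framing. This is an added example, not part of the original question set or any vendor's code: it parses the PRI field that precedes each message (PRI = facility * 8 + severity, RFC 5424 section 6.2.1), then keeps everything at the configured level or more urgent. The sample lines are constructed to look like what a Cisco switch emits on facility local7; the message text and the function names are this example's own.

```python
import re

# Severity keywords as accepted by 'logging trap <name>'; index = RFC 5424 severity,
# so a lower number is more urgent.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample messages in RFC 3164 framing. Facility local7 = 23, so
# PRI = 23 * 8 + severity = 184 + severity.
SAMPLE_LINES = [
    "<184>%SYS-0-FAN_FAIL: all fans failed, shutting down",            # emergency (0)
    "<187>%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",   # error (3)
    "<188>%SYS-4-CONFIG_I: Configured from console by admin on vty0", # warning (4)
    "<189>%SYS-5-RELOAD: Reload requested by admin",                   # notice (5)
    "<191>%STP-7-DEBUG: BPDU received on Gi1/0/2",                      # debug (7)
    "%SYS-5-NO_PRI: line without a PRI field",                          # malformed
]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    match = _PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:          # highest legal value: facility 23, severity 7 -> 23*8+7
        return None
    return divmod(pri, 8)  # (facility, severity)


def trap_level(name_or_number):
    """Accept either 'logging trap 4' or 'logging trap warnings' style arguments."""
    if isinstance(name_or_number, int):
        if 0 <= name_or_number <= 7:
            return name_or_number
        raise ValueError("severity must be 0-7")
    return SEVERITIES.index(name_or_number)


def forward_to_collector(lines, level):
    """Keep messages whose severity is <= level, i.e. that level and everything
    more urgent. Lines with no parsable PRI are kept as well: silently dropping
    malformed input is how a collector loses exactly the events it most needs."""
    limit = trap_level(level)
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None or parsed[1] <= limit:
            kept.append(line)
    return kept
```

With level 4 (warnings) the emergency, error and warning lines pass and the notice and debug lines are dropped; with level 3 the warning line disappears too, which is the mistake Option A makes.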

495
MCQmedium

Users in a branch office report intermittent connectivity to the corporate data center. A technician runs a continuous ping from a workstation to the data center server and observes packet loss after the third hop. Which command should the technician run next to identify the specific router causing the issue?

A.ping -n 1000 server_ip
B.tracert server_ip
C.nslookup server_ip
D.ipconfig /all
AnswerB

Tracert lists each hop along the path with its round-trip times and prints asterisks for probes that time out, so the technician can see at which hop responses start failing and isolate the faulty router.

Why this answer

The technician has already identified packet loss after the third hop using a continuous ping. The next logical step is to use `tracert` (or `traceroute` on Linux) to map the path and pinpoint which router (hop) is dropping packets. This command sends probes with incrementing TTL values (Windows `tracert` uses ICMP echo requests; Linux `traceroute` defaults to UDP datagrams), forcing each router along the path to reply with an ICMP Time Exceeded message and thereby revealing the hop where responses stop or round-trip times jump. One caveat a practitioner should keep in mind: many routers rate-limit or deprioritize the generation of ICMP Time Exceeded messages, so a single hop showing asterisks while every later hop answers normally is not proof of loss at that hop; loss that begins at one hop and persists for every hop after it is.

Exam trap

The trap here is that candidates often jump to running a longer ping (option A) to confirm loss, but the question already states loss is observed; the correct next step is to isolate the failing hop using `tracert`, not to gather more loss statistics.

How to eliminate wrong answers

Option A is wrong because `ping -n 1000 server_ip` only sends more ICMP echo requests to the destination, which does not reveal the specific router causing the loss; it only confirms that loss exists. Option C is wrong because `nslookup server_ip` is a DNS resolution tool that queries name servers for IP-to-hostname mappings and has no role in identifying router-level packet loss. Option D is wrong because `ipconfig /all` displays local TCP/IP configuration details (IP address, subnet mask, default gateway, DNS servers) and cannot trace the path or identify intermediate routers.

496
MCQmedium

A network administrator wants to implement a protocol to automatically assign IP addresses to devices on the network. Which of the following protocols is used for this purpose?

A.DNS
B.DHCP
C.ARP
D.ICMP
AnswerB

DHCP dynamically assigns IP addresses and other configuration parameters to clients.

Why this answer

DHCP (Dynamic Host Configuration Protocol) is the correct answer because it is specifically designed to automatically assign IP addresses and other network configuration parameters (such as subnet mask, default gateway, and DNS servers) to devices on a network. This eliminates the need for manual IP configuration, reducing administrative overhead and preventing address conflicts.

Exam trap

The trap here is that candidates often confuse DNS with DHCP because both are network services that involve IP addresses, but DNS resolves names to addresses while DHCP assigns the addresses themselves.

How to eliminate wrong answers

Option A (DNS) is wrong because DNS (Domain Name System) resolves human-readable domain names to IP addresses, it does not assign IP addresses. Option C (ARP) is wrong because ARP (Address Resolution Protocol) maps a known IP address to a MAC address on a local network, it does not provide automatic IP address assignment. Option D (ICMP) is wrong because ICMP (Internet Control Message Protocol) is used for error reporting and diagnostic functions (e.g., ping, traceroute), not for IP address allocation.

497
MCQeasy

An organization wants to centrally manage and monitor network devices from a single interface. The solution should support auto-discovery, configuration management, and performance monitoring. Which type of system should be deployed?

A.AAA server
B.Network Management System (NMS)
C.SIEM
D.DHCP server
AnswerB

Correct. An NMS like SolarWinds or PRTG provides central monitoring, auto-discovery, configuration management, and performance monitoring for network devices.

Why this answer

A Network Management System (NMS) is the correct choice because it provides a centralized interface for auto-discovery (e.g., via SNMP or CDP/LLDP), configuration management (e.g., using NETCONF or CLI scripting), and performance monitoring (e.g., polling SNMP MIBs or streaming telemetry). This directly matches the requirement for a single-pane-of-glass solution for network device lifecycle management.

Exam trap

CompTIA often tests the distinction between an NMS and a SIEM, where candidates mistakenly choose SIEM because they think 'monitoring' includes security event monitoring, but the question explicitly asks for auto-discovery and configuration management, which are core NMS functions, not SIEM capabilities.

How to eliminate wrong answers

Option A is wrong because an AAA server (e.g., RADIUS or TACACS+) handles authentication, authorization, and accounting for user or device access, not centralized monitoring or configuration management of network devices. Option C is wrong because a SIEM (Security Information and Event Management) system aggregates and correlates security logs and events from multiple sources for threat detection and compliance, not for auto-discovery or performance monitoring of network devices. Option D is wrong because a DHCP server dynamically assigns IP addresses and other network parameters to clients; it does not perform device discovery, configuration management, or performance monitoring.

498
MCQhard

A network engineer is troubleshooting intermittent packet loss on a 10 km single-mode fiber link between two buildings. The link lights are on, but the interface shows a high number of CRC errors. The engineer has cleaned the fiber connectors and replaced the patch cables. What should the engineer check NEXT?

A.Check the transmit/receive optical power levels
B.Check the duplex settings on both ends
C.Verify the cable length is within specifications
D.Adjust the Spanning Tree Protocol priority
AnswerA

Insufficient optical power (signal too weak) can cause CRC errors. Checking power levels verifies the link budget is adequate.

Why this answer

CRC errors on a single-mode fiber link typically indicate physical-layer issues such as excessive attenuation, a marginal transceiver, or a bad splice. Since cleaning connectors and replacing patch cables did not resolve the problem, the next logical step is to measure the optical power at the transmitter and at the receiver, either with an optical power meter or from the transceiver's digital optical monitoring (DOM) readout. The received level must sit inside the window the transceiver datasheet specifies; for 10GBASE-LR that is roughly from the receiver sensitivity near -14.4 dBm up to a maximum input of about 0.5 dBm (confirm against the datasheet of the installed optics), and the gap between the measured level and the sensitivity is the margin left on the link. A level below sensitivity points to a weak transmitter, a lossy splice or a macrobend somewhere in the 10 km plant; a level above the maximum input points to receiver overload, which is fixed with an inline attenuator.

Exam trap

The trap here is that candidates often jump to duplex mismatch or cable length issues because those are common in copper troubleshooting, but on long-haul single-mode fiber, optical power levels are the primary suspect when CRC errors persist after cleaning and patching.

How to eliminate wrong answers

Option B is wrong because duplex mismatch is a common cause of CRC errors on copper Ethernet links, but Ethernet over fiber at 1 Gbps and above runs full-duplex only, and 10 Gigabit Ethernet has no half-duplex mode at all, so a duplex mismatch cannot occur on this link. Option C is wrong because the cable length is explicitly stated as 10 km, which is the rated reach of 10GBASE-LR (and of many vendors' 1000BASE-LX optics, although IEEE 802.3 specifies 1000BASE-LX for 5 km over single-mode fiber); checking the length would not explain CRC errors on a link that is already up, and the power measurement in Option A is what actually shows whether the loss over that distance is acceptable. Option D is wrong because Spanning Tree Protocol priority is a Layer 2 control-plane setting that influences root bridge election; it has no effect on physical-layer CRC errors.
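The power check in Option A is really a link-budget calculation, and it is worth doing explicitly before blaming the optics. The following is an added example, not part of the original question set or any vendor's tooling: it computes the budget (weakest permitted transmitter minus receiver sensitivity), subtracts the expected plant loss, and classifies a measured receive level. The optical constants are assumed datasheet-style values for a 10GBASE-LR module and G.652 single-mode fiber at 1310 nm, chosen for illustration; substitute the numbers printed on your own transceivers and fiber. The function names are this example's own.

```python
# Assumed parameters for a 10GBASE-LR (1310 nm, single-mode) link; example inputs
# modelled on typical datasheets, not a vendor specification.
TX_MIN_DBM = -8.2       # minimum average launch power of the transmitter
RX_SENS_DBM = -14.4     # receiver sensitivity (average power)
RX_MAX_DBM = 0.5        # maximum input before the receiver saturates
FIBER_DB_PER_KM = 0.4   # G.652 single-mode at 1310 nm, worst case
CONNECTOR_DB = 0.5      # loss per mated connector pair
SPLICE_DB = 0.1         # loss per fusion splice


def plant_loss(fiber_km, connectors, splices, fiber_db_per_km=FIBER_DB_PER_KM,
               connector_db=CONNECTOR_DB, splice_db=SPLICE_DB):
    """Expected end-to-end attenuation of the passive plant, in dB."""
    return fiber_km * fiber_db_per_km + connectors * connector_db + splices * splice_db


def link_budget(fiber_km, connectors, splices, safety_margin_db=0.0,
                tx_min_dbm=TX_MIN_DBM, rx_sens_dbm=RX_SENS_DBM):
    """Return (budget, expected_loss, margin) in dB.

    budget = weakest allowed transmitter minus receiver sensitivity
    margin = budget - expected_loss - safety_margin; negative means out of spec.
    """
    budget = tx_min_dbm - rx_sens_dbm
    loss = plant_loss(fiber_km, connectors, splices)
    margin = budget - loss - safety_margin_db
    return round(budget, 2), round(loss, 2), round(margin, 2)


def classify_rx_power(measured_dbm, rx_sens_dbm=RX_SENS_DBM, rx_max_dbm=RX_MAX_DBM):
    """Interpret a power-meter or DOM reading taken at the receiver."""
    if measured_dbm < rx_sens_dbm:
        return "too weak: below receiver sensitivity, expect CRC errors"
    if measured_dbm > rx_max_dbm:
        return "too strong: receiver overload, add an attenuator"
    if measured_dbm - rx_sens_dbm < 3.0:
        return "marginal: less than 3 dB above sensitivity"
    return "ok"


def expected_rx_power(tx_measured_dbm, fiber_km, connectors, splices):
    """What the far end should receive if the plant matches its design. A measured
    level well below this isolates the fault to the fiber plant (bad splice, bend,
    dirty connector) rather than to the transceivers."""
    return round(tx_measured_dbm - plant_loss(fiber_km, connectors, splices), 2)


if __name__ == "__main__":
    # The 10 km link from the question: two connector pairs, two splices.
    print(link_budget(10, 2, 2))
    print(classify_rx_power(-13.9))
    print(expected_rx_power(-5.0, 10, 2, 2))
```

With these inputs the budget is 6.2 dB, which matches the 6.2 dB channel insertion loss that 10GBASE-LR is specified for, and the modelled plant consumes 5.2 dB of it. Only 1 dB is left, so a single dirty connector or a poor splice is enough to push the receiver below sensitivity and start the CRC errors; with a 3 dB engineering margin the design is already negative, which is the kind of conclusion the power measurement is meant to surface.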

499
MCQeasy

A network administrator needs to remotely manage multiple routers and switches. The management traffic must be encrypted. Which protocol should be used for the remote terminal sessions?

A.Telnet
B.SSH
C.SNMP
D.HTTP
AnswerB

SSH (Secure Shell) encrypts all management traffic, providing secure remote command-line access.

Why this answer

SSH (Secure Shell) encrypts all traffic, including authentication credentials and session data, making it the correct choice for securely managing routers and switches over a network. Telnet transmits everything in plaintext, while SNMP and HTTP lack the interactive encrypted terminal session required for remote CLI management.

Exam trap

CompTIA often tests the distinction between Telnet and SSH by presenting a scenario that requires encryption, hoping candidates overlook that Telnet offers no security and default to it because of its simplicity or familiarity.

How to eliminate wrong answers

Option A is wrong because Telnet (RFC 854) transmits all data, including passwords, in cleartext, providing no encryption and exposing the session to eavesdropping. Option C is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and collecting device statistics, not for interactive remote terminal sessions; SNMPv3 can encrypt but does not provide a CLI shell. Option D is wrong because HTTP (Hypertext Transfer Protocol) is a web protocol for transferring hypermedia, not for terminal access; HTTPS adds encryption but still does not offer a command-line interface for router/switch management.

500
MCQhard

A security analyst detects that an attacker is sending forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. What is this attack called?

A.ARP poisoning
B.MAC flooding
C.DHCP snooping
D.DNS spoofing
AnswerA

ARP poisoning directly exploits the ARP protocol by injecting false entries into a target's ARP cache, redirecting traffic destined for the gateway to the attacker.

Why this answer

ARP poisoning (also known as ARP spoofing) is the correct answer because the attacker sends forged ARP replies to associate their MAC address with the IP address of the default gateway. This causes the victim host's ARP cache (not the switch's MAC address table) to map the gateway's IP to the attacker's MAC, so frames destined for the gateway are delivered to the attacker, giving it a man-in-the-middle position from which traffic can be read, modified or dropped. On managed switches, Dynamic ARP Inspection, which validates ARP packets against the DHCP snooping binding table, is the standard mitigation.

Exam trap

The exam often tests the distinction between ARP poisoning (which targets the hosts' ARP caches) and MAC flooding (which targets the switch's CAM table), leading candidates to confuse the two because both involve MAC addresses and network attacks.

How to eliminate wrong answers

Option B (MAC flooding) is wrong because MAC flooding overwhelms a switch's CAM table with fake MAC addresses to force it into fail-open mode (hub mode), not by sending forged ARP replies to associate a MAC with a specific IP. Option C (DHCP snooping) is wrong because DHCP snooping is a security feature that filters untrusted DHCP messages to prevent rogue DHCP servers, not an attack that sends forged ARP replies. Option D (DNS spoofing) is wrong because it forges DNS responses to map a hostname to a wrong IP address; it operates at the application layer and involves no ARP messages or MAC addresses.
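Detecting this attack comes down to noticing that the gateway's IP is suddenly being claimed by a different MAC than the one it is known to have, which is the check Dynamic ARP Inspection performs against the DHCP snooping binding table. The following is an added example, not part of the original question set or of any product: it decodes raw ARP packets (RFC 826 layout, Ethernet/IPv4 case) and raises an alert when a sender binding contradicts a trusted table, with a lower-confidence alert when a binding learned on first sight later changes. The traffic is constructed for the example (a legitimate gateway reply followed by a forged one), and the addresses, table name and function names are this example's own.

```python
import struct

# ARP payload (RFC 826), Ethernet/IPv4 case, 28 bytes, Ethernet header not included:
#   HTYPE(2) PTYPE(2) HLEN(1) PLEN(1) OPER(2) SHA(6) SPA(4) THA(6) TPA(4)
_ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed ARP payload, used only to feed the detector below."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": _mac_str(sha), "spa": _ip_str(spa),
            "tha": _mac_str(tha), "tpa": _ip_str(tpa)}


def detect_arp_poisoning(payloads, trusted):
    """Flag ARP packets whose sender binding contradicts the trusted IP->MAC table.

    `trusted` plays the role of the DHCP snooping binding table that Dynamic ARP
    Inspection consults. IPs absent from it are learned on first sight and a later
    change is reported at lower confidence. Requests are checked as well as replies,
    because a request with a forged sender pair poisons caches just as effectively.
    """
    learned = {}
    alerts = []
    for raw in payloads:
        pkt = parse_arp(raw)
        ip, mac = pkt["spa"], pkt["sha"]
        if ip in trusted:
            if mac != trusted[ip]:
                alerts.append(("TRUSTED_BINDING_VIOLATION", ip, trusted[ip], mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append(("LEARNED_BINDING_CHANGED", ip, learned[ip], mac))
        learned.setdefault(ip, mac)
    return alerts


# Constructed scenario: the gateway 10.0.0.1 really lives at 00:11:22:33:44:55 and
# the attacker at 00:de:ad:be:ef:01 answers for it with a gratuitous reply.
TRUSTED = {"10.0.0.1": "00:11:22:33:44:55"}
SAMPLE_PACKETS = [
    build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:01", "10.0.0.25", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY,   "00:11:22:33:44:55", "10.0.0.1",  "00:aa:bb:cc:dd:01", "10.0.0.25"),
    build_arp(ARP_REPLY,   "00:de:ad:be:ef:01", "10.0.0.1",  "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
    build_arp(ARP_REPLY,   "00:aa:bb:cc:dd:02", "10.0.0.30", "00:aa:bb:cc:dd:01", "10.0.0.25"),
    build_arp(ARP_REPLY,   "00:de:ad:be:ef:01", "10.0.0.30", "ff:ff:ff:ff:ff:ff", "10.0.0.30"),
]
```

Run against the sample traffic, the third packet produces a high-confidence alert (gateway IP claimed by the attacker's MAC) and the fifth a lower-confidence one (a learned host binding changed). A real sensor would feed it frames from a span port or a packet capture; the trusted table is what makes the difference between a definitive detection and a guess, which is why DHCP snooping is the prerequisite for Dynamic ARP Inspection.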

501
MCQhard

A network administrator wants to ensure that SNMP traffic between the network monitoring server and managed devices is encrypted and provides authentication of the data origin. Which version of SNMP should be implemented?

A.A: SNMPv1
B.B: SNMPv2c
C.C: SNMPv3
D.D: SNMPv2
AnswerC

SNMPv3 provides both authentication and encryption, meeting the requirements.

Why this answer

SNMPv3 is the correct choice because it provides both encryption (via the AuthPriv security level) and data origin authentication (via the AuthNoPriv or AuthPriv levels). Unlike earlier versions, SNMPv3 includes a security model that ensures confidentiality, integrity, and authentication, meeting the administrator's requirements.

Exam trap

The trap here is that candidates often confuse SNMPv2c's improved efficiency and bulk retrieval (e.g., GetBulk) with security enhancements, but SNMPv2c still lacks encryption and authentication, making SNMPv3 the only viable option for secure SNMP traffic.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses community strings in plaintext and offers no encryption or authentication of data origin. Option B is wrong because SNMPv2c also relies on plaintext community strings and lacks any security features, despite improving protocol operations. Option D is wrong because the original SNMPv2 (the party-based SNMPv2p of RFC 1441 through RFC 1452) did define a security model, but it proved too complex, was never widely deployed and was superseded; in practice 'SNMPv2' on network equipment means SNMPv2c, which has no encryption or authentication. Only SNMPv3 configured at the authPriv level satisfies both requirements in the question; authNoPriv would authenticate the sender but still send the payload in the clear.

502
MCQmedium

A security auditor discovers that an unauthorized switch has been connected to an access port in the wiring closet. The rogue switch caused a network loop and disrupted connectivity. Which security feature, if enabled on the access port, would have prevented this by disabling the port when a BPDU is received?

A.BPDU guard
B.Root guard
C.Loop guard
D.UDLD
AnswerA

Correct. BPDU guard disables a port that receives a BPDU, effectively blocking unauthorized switches.

Why this answer

BPDU guard is the correct answer because it is specifically designed to protect against rogue switch connections on access ports. When enabled, if a port receives any Bridge Protocol Data Unit (BPDU), it immediately places the port into an errdisable state, effectively disabling it and preventing a potential network loop. This directly addresses the scenario where an unauthorized switch connected to an access port caused a loop.

Exam trap

CompTIA often tests the distinction between BPDU guard and Root guard, where candidates mistakenly choose Root guard thinking it prevents loops, but Root guard only protects the root bridge election and does not disable a port upon BPDU reception.

How to eliminate wrong answers

Option B (Root guard) is wrong because it does not disable a port upon receiving a BPDU; instead, it prevents a port from becoming a root port by placing it into a root-inconsistent state if a superior BPDU is received, which protects the spanning-tree root bridge placement, not against rogue switches. Option C (Loop guard) is wrong because it prevents alternate or root ports from becoming designated ports in the absence of BPDUs, typically used to detect unidirectional links and prevent loops, but it does not disable a port when a BPDU is received. Option D (UDLD) is wrong because it detects unidirectional links by exchanging proprietary messages and can place a port in errdisable state for unidirectional failures, but it does not react to BPDU reception and is not a direct defense against rogue switches causing loops.
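The difference between the three guards is easiest to see as decision logic applied to an actual BPDU. The following is an added example, not part of the original question set or of any switch vendor's code: it decodes an IEEE 802.1D configuration BPDU (the 35-byte payload that follows the LLC header), then applies BPDU guard (any BPDU on a guarded edge port puts it in errdisable) and root guard (only a BPDU advertising a superior, i.e. numerically lower, root bridge ID puts the port in the root-inconsistent state). The bridge IDs, MAC addresses and port dictionary are constructed for the example; the function names and the `port` dictionary keys are this example's own.

```python
import struct

# IEEE 802.1D configuration BPDU, 35 bytes after the LLC header (DSAP/SSAP 0x42):
#   ProtoID(2) Version(1) Type(1) Flags(1) RootID(8) RootPathCost(4) BridgeID(8)
#   PortID(2) MsgAge(2) MaxAge(2) HelloTime(2) FwdDelay(2)   (timers in 1/256 s)
_BPDU_FMT = "!HBBB8sI8sHHHHH"
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80


def bridge_id(priority, mac):
    """8-byte Bridge ID: 2-byte priority field (priority + VLAN as the system-ID
    extension) followed by the bridge MAC. Lower compares as better."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def build_config_bpdu(root_id, root_cost, sender_id, port_id=0x8001):
    """Constructed BPDU for the examples below, not captured traffic."""
    return struct.pack(_BPDU_FMT, 0, 0, CONFIG_BPDU, 0, root_id, root_cost, sender_id,
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_bpdu(frame):
    if len(frame) < 4:
        raise ValueError("truncated BPDU")
    proto, _version, btype = struct.unpack("!HBB", frame[:4])
    if proto != 0:
        raise ValueError("not an STP BPDU")
    if btype == TCN_BPDU:            # topology change notification: 4 bytes, no IDs
        return {"type": TCN_BPDU}
    if len(frame) < 35:
        raise ValueError("truncated configuration BPDU")
    (_, _, _, flags, root, cost, sender, port,
     _age, max_age, hello, _fwd) = struct.unpack(_BPDU_FMT, frame[:35])
    return {"type": btype, "flags": flags, "root_id": root, "root_cost": cost,
            "bridge_id": sender, "port_id": port,
            "max_age_s": max_age / 256, "hello_s": hello / 256}


def evaluate_port(port, frame, our_root_id):
    """What a switch port does with an incoming BPDU.

    port: {"name": str, "bpduguard": bool, "rootguard": bool}
    BPDU guard fires on any BPDU, because an edge port should never see one.
    Root guard fires only when the advertised root would win the election against
    the root we already know (8-byte IDs compare like big-endian integers).
    """
    bpdu = parse_bpdu(frame)
    if port.get("bpduguard"):
        return "errdisable"
    if (port.get("rootguard") and bpdu["type"] == CONFIG_BPDU
            and bpdu["root_id"] < our_root_id):
        return "root-inconsistent"
    return "forward"


# Constructed topology: the real root runs default priority 32768 on VLAN 1; the
# rogue switch plugged into the closet announces itself with priority 4096.
LEGIT_ROOT = bridge_id(32768 + 1, "00:1a:2b:3c:4d:5e")
UPLINK_NEIGHBOR = bridge_id(32768 + 1, "00:1a:2b:3c:4d:99")
ROGUE = bridge_id(4096 + 1, "00:de:ad:be:ef:01")

NORMAL_BPDU = build_config_bpdu(LEGIT_ROOT, 4, UPLINK_NEIGHBOR)  # relays the real root
ROGUE_BPDU = build_config_bpdu(ROGUE, 0, ROGUE)                   # claims to be root
```

On an access port with BPDU guard, both the rogue BPDU and a perfectly ordinary one result in errdisable, which is the behaviour the question asks for. On a port with only root guard, the rogue BPDU (superior root ID) drives the port root-inconsistent, but the ordinary BPDU is forwarded normally, so root guard alone would not have stopped a rogue switch that merely participated in spanning tree without trying to become root. The port recovers from errdisable only by a manual shut/no shut or an errdisable recovery timer, which is why the feature belongs on access ports and not on uplinks.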

503
MCQmedium

A technician is troubleshooting an intermittent connectivity issue between two switches connected by a fiber optic cable. The link status shows up/down flapping. The technician checks the optical power levels and finds they are within acceptable range. Which of the following is the most likely cause?

A.Dirty fiber connectors
B.Duplex mismatch
C.Speed mismatch
D.VLAN mismatch
AnswerA

Contamination on fiber end faces can cause intermittent signal degradation and link flaps, even if average power readings appear acceptable.

Why this answer

Intermittent link flapping with acceptable optical power levels strongly indicates a physical-layer issue that is not related to signal strength. Dirty fiber connectors cause intermittent signal degradation due to scattering and absorption of light, leading to CRC errors and link flaps even when average power appears normal. Cleaning the connectors is the standard first step in such scenarios.

Exam trap

The trap here is that candidates see 'acceptable optical power levels' and assume the physical layer is fine, overlooking that intermittent physical contamination can cause flapping without dropping the average power below threshold.

How to eliminate wrong answers

Option B (Duplex mismatch) is wrong because duplex mismatch typically causes high error rates and poor performance, but the link usually stays up; it does not cause the link state to flap up/down. Option C (Speed mismatch) is wrong because modern switches auto-negotiate speed, and a hard speed mismatch on fiber would prevent the link from coming up at all, not cause intermittent flapping. Option D (VLAN mismatch) is wrong because a VLAN mismatch is a Layer 2 configuration error; the physical link stays up and stable, and the symptom would be missing connectivity for particular VLANs (and native-VLAN mismatch warnings logged by the switch), not link flapping.

504
MCQhard

Users in a remote office are experiencing slow file transfers to the data center. The network technician runs a traceroute and discovers high latency on a specific hop. The technician pings that hop and gets replies with varying latency. The technician also checks the interface error counters on the router at that hop and finds no errors. What is the most likely cause?

A.Duplex mismatch
B.Incorrect MTU
C.Route flapping
D.CPU overload on the router
AnswerD

High CPU utilization can cause packet queuing delays, leading to variable latency without interface errors.

Why this answer

High latency with varying values (jitter) combined with clean interface error counters points to a router that is overwhelmed by processing demands. When a router's CPU is overloaded, it queues packets for processing, introducing variable delays even though the physical layer shows no errors. This matches the symptom of a specific hop showing latency spikes without CRC or framing errors.

Exam trap

The trap here is that candidates see 'no errors' on the interface and assume the problem must be at a higher layer, but CompTIA often tests that CPU overload can cause latency without any interface errors, misleading those who think clean counters always mean a healthy router.

How to eliminate wrong answers

Option A is wrong because a duplex mismatch would cause a high number of CRC errors, runts, or late collisions on the interface counters, which the technician confirmed as clean. Option B is wrong because an incorrect MTU would cause fragmentation or packet drops, typically visible as input errors or discards on the interface, not variable latency without errors. Option C is wrong because route flapping would cause intermittent reachability or path changes, not consistent high latency with jitter on a single hop; it would also be visible in routing table updates or syslog messages.

505
MCQeasy

At which OSI layer does a router primarily operate to make forwarding decisions based on IP addresses?

A.Layer 1 (Physical)
B.Layer 2 (Data Link)
C.Layer 3 (Network)
D.Layer 4 (Transport)
AnswerC

The Network layer handles logical addressing (IP) and routing decisions.

Why this answer

A router primarily operates at Layer 3 (Network) of the OSI model because it uses logical IP addresses (e.g., IPv4 or IPv6) to make forwarding decisions. The router examines the destination IP address in the packet header, performs a longest-prefix match against its routing table, and determines the next-hop interface. This layer is responsible for end-to-end delivery and path selection across multiple networks.

Exam trap

CompTIA often tests the misconception that routers operate at Layer 2 because they forward frames, but the key distinction is that routers make forwarding decisions based on Layer 3 IP addresses, not Layer 2 MAC addresses.

How to eliminate wrong answers

Option A is wrong because Layer 1 (Physical) deals with raw bit transmission over physical media (e.g., cables, signals) and does not interpret IP addresses or make forwarding decisions. Option B is wrong because Layer 2 (Data Link) uses MAC addresses for forwarding within a single broadcast domain (e.g., switches) and cannot route between different IP subnets. Option D is wrong because Layer 4 (Transport) handles end-to-end communication, segmentation, and port numbers (e.g., TCP/UDP), not IP-based routing decisions.

506
MCQhard

A network administrator needs to automate the backup of router configuration files to a remote server over the internet. The backup must be encrypted and authenticated. Which protocol should the administrator use in the automated script?

A.TFTP
B.FTP
C.SCP
D.HTTP
AnswerC

SCP uses SSH for encryption and authentication, providing secure file transfer, and is commonly supported on network equipment for automated backups.

Why this answer

SCP (Secure Copy Protocol) is the correct choice because it provides both encryption and authentication by operating over SSH (Secure Shell), which encrypts the entire session and verifies the server's identity using public-key cryptography. This makes it suitable for automating secure backups of router configuration files to a remote server over the internet, as it supports scripting with tools like expect or SSH keys without interactive password prompts.

Exam trap

The exam often tests the distinction between secure and insecure file transfer protocols, and the trap here is that candidates may confuse FTP with SFTP or FTPS, assuming FTP itself provides encryption, or they may choose TFTP because it is commonly used for router backups in lab environments, forgetting that the question specifies 'over the internet' and requires encryption and authentication.

How to eliminate wrong answers

Option A is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 and provides no encryption or authentication, making it insecure for transfers over the internet and typically restricted to local LAN environments for tasks like IOS image updates. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext over TCP ports 20/21, offering no native encryption or authentication mechanisms, and while FTPS or SFTP add security, plain FTP does not meet the encrypted and authenticated requirement. Option D is wrong because HTTP sends everything in cleartext; HTTPS would encrypt the session, but network devices copy configurations with SCP or SFTP rather than HTTP uploads, and plain HTTP meets neither requirement. For the scripted backup itself, use SSH key authentication and pin the backup server's host key in the device's known-hosts store, so the script cannot be coaxed into copying the configuration to an impostor that presents a different key.

507
MCQmedium

A network administrator is installing cable in a plenum space (an area used for air circulation, such as above a drop ceiling). Which cable type is required by most building codes for such an installation?

A.PVC-jacketed cable
B.Riser-rated cable
C.Plenum-rated cable
D.Low Smoke Zero Halogen (LSZH) cable
AnswerC

Plenum-rated cables are specifically manufactured with low-smoke, fire-retardant materials to meet building codes for installation in air-handling spaces.

Why this answer

Plenum-rated cable is required by most building codes (e.g., NFPA 70, the National Electrical Code) for installation in plenum spaces because it is constructed with fire-retardant materials, such as FEP or PFA, that produce minimal smoke and are self-extinguishing. This prevents toxic fumes and flames from spreading through air-handling areas, ensuring safety in case of a fire. Standard PVC-jacketed cable would release hazardous smoke and support flame propagation, which is why the code prohibits it in plenum spaces.

Exam trap

The trap here is that candidates often confuse 'plenum-rated' with 'riser-rated' or 'LSZH', assuming any low-smoke cable suffices, but the exam specifically tests that only CMP meets the fire and smoke spread requirements for plenum spaces as defined by the NEC.

How to eliminate wrong answers

Option A is wrong because PVC-jacketed cable is not fire-retardant; it emits dense, toxic smoke and can propagate flames, making it unsafe and prohibited in plenum spaces by building codes. Option B is wrong because riser-rated cable (CMR) is designed for vertical runs between floors, not for air-handling spaces; it lacks the low-smoke, self-extinguishing properties required for plenum environments. Option D is wrong because LSZH is an IEC/European jacket designation for cable that produces little smoke and no halogen acids when it burns; it is not an NEC listing and does not by itself satisfy the flame-spread and smoke-density limits of the plenum test (NFPA 262), so it cannot substitute for CMP cable in a plenum under the NEC, although it is common in confined spaces such as rail vehicles and tunnels.

508
MCQmedium

A technician is troubleshooting a wireless network that experiences intermittent disconnections. A spectrum analysis shows channel utilization consistently above 80% on the 2.4 GHz band. Which of the following is the most likely cause?

A.Too many access points are configured on the same or overlapping channels
B.Access point output power is too high
C.Microwave ovens are interfering with the wireless signal
D.Client devices have weak signal strength
AnswerA

Excessive APs on the same channel cause co-channel interference, leading to high utilization and intermittent connectivity.

Why this answer

A is correct because consistently high channel utilization above 80% on the 2.4 GHz band indicates co-channel or adjacent-channel interference, typically caused by too many access points (APs) operating on the same or overlapping channels (e.g., channels 1, 6, and 11 are non-overlapping in 802.11b/g/n). This leads to excessive contention, increased retransmissions, and intermittent disconnections as stations wait for clear channel access via CSMA/CA.

Exam trap

The trap here is that candidates often attribute high channel utilization solely to non-Wi-Fi interference (like microwaves) or power settings, but the exam expects you to recognize that persistent >80% utilization in the 2.4 GHz band is almost always due to overlapping APs on the same or adjacent channels, not transient interference sources.

How to eliminate wrong answers

Option B is wrong because excessively high AP output power can enlarge cell overlap and worsen co-channel interference, but power alone does not saturate the medium; it is the number of APs (and their clients) sharing the same or overlapping channels that drives utilization. Option C is wrong because microwave ovens radiate near 2.45 GHz, which lands on the upper part of the band (roughly channels 8 through 10), and they produce bursty, duty-cycled interference only while the oven runs; they would not hold channel utilization above 80% continuously, whereas the steady high utilization points to persistently overlapping APs. Option D is wrong because weak client signal strength is a coverage problem that shows up as low data rates and roaming trouble for those clients; it does not by itself explain a channel the spectrum analysis shows as consistently saturated, although clients stuck at low rates do consume more airtime and make an already congested channel worse.
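Whether two 2.4 GHz APs interfere is a matter of arithmetic on channel center frequencies, and doing it explicitly is how a survey tool finds the overlaps behind a saturated band. The following is an added example, not part of the original question set or of any survey product: channel centers follow IEEE 802.11 (2407 MHz + 5 MHz per channel for channels 1 through 13, channel 14 at 2484 MHz), two channels overlap when their centers are closer than the occupied bandwidth, and the classic non-overlapping plan falls out of a greedy selection. The AP names and channel assignments in the survey are constructed; the function names and the 22 MHz default (the 802.11b mask the 1/6/11 plan was designed around) are this example's own choices.

```python
from itertools import combinations


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel (IEEE 802.11, 5 MHz channel spacing)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError("not a 2.4 GHz channel")


def overlap_kind(ch_a, ch_b, width_mhz=22):
    """'co-channel' if identical, 'adjacent' if the occupied bands overlap, else None.
    22 MHz models the 802.11b spectral mask; use 20 for 802.11g/n-only cells."""
    if ch_a == ch_b:
        return "co-channel"
    if abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz:
        return "adjacent"
    return None


def conflicting_aps(aps, width_mhz=22):
    """aps: {ap_name: channel}. Return every AP pair that shares airtime, sorted
    by name so the output is stable."""
    conflicts = []
    for (name_a, ch_a), (name_b, ch_b) in combinations(sorted(aps.items()), 2):
        kind = overlap_kind(ch_a, ch_b, width_mhz)
        if kind:
            conflicts.append((name_a, name_b, kind))
    return conflicts


def non_overlapping_plan(width_mhz=22, max_channel=11):
    """Greedy pick of the lowest mutually non-overlapping channels; in a regulatory
    domain limited to channels 1-11 this reproduces the familiar 1/6/11 plan."""
    plan = []
    for ch in range(1, max_channel + 1):
        if all(overlap_kind(ch, used, width_mhz) is None for used in plan):
            plan.append(ch)
    return plan


# Constructed survey of the floor where the analyzer showed >80% utilization.
SURVEY = {"AP-01": 1, "AP-02": 1, "AP-03": 3, "AP-04": 6, "AP-05": 11}
```

For the constructed survey the output is one co-channel pair (AP-01 and AP-02 both on channel 1) and three adjacent-channel overlaps caused by AP-03 sitting on channel 3, which straddles both channel 1 and channel 6. Moving AP-03 to 1, 6 or 11 and separating AP-01 and AP-02 physically (or lowering their power) is the fix the question is driving at. Adjacent-channel overlap is the worse of the two: co-channel stations at least hear each other and defer through CSMA/CA, while stations on partially overlapping channels simply corrupt each other's frames.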

509
MCQeasy

Which of the following devices operates at Layer 3 of the OSI model and makes forwarding decisions based on destination IP addresses?

A.Switch
B.Bridge
C.Router
D.Hub
AnswerC

A router routes packets based on Layer 3 IP addresses and maintains a routing table.

Why this answer

A router operates at Layer 3 (Network layer) of the OSI model and uses the destination IP address in the packet header to make forwarding decisions. It maintains a routing table (e.g., via OSPF, EIGRP, or static routes) to determine the next-hop interface for each packet, enabling communication between different subnets or VLANs.

Exam trap

The trap here is that candidates often confuse a Layer 3 switch with a router, but the question specifies a device that makes forwarding decisions based on destination IP addresses, which is the defining function of a router; a multilayer switch can route between VLANs, but among the listed options 'switch' is the Layer 2 device that forwards on MAC addresses.

How to eliminate wrong answers

Option A is wrong because a switch operates primarily at Layer 2 (Data Link layer) and forwards frames based on destination MAC addresses, not IP addresses. Option B is wrong because a bridge also operates at Layer 2, connecting two network segments and forwarding frames using MAC addresses, not IP addresses. Option D is wrong because a hub operates at Layer 1 (Physical layer) and simply repeats electrical signals out all ports without any intelligence to make forwarding decisions based on IP or MAC addresses.

510
MCQeasy

A network administrator needs to ensure that in the event of a switch failure, the switch can be replaced and brought online with minimal downtime. Which of the following tasks should the administrator perform regularly?

A.Perform a firmware upgrade on all switches
B.Back up the configuration files of all switches
C.Monitor the switch's CPU utilization
D.Create a network performance baseline
AnswerB

Regular configuration backups allow the administrator to quickly restore the settings to a replacement switch.

Why this answer

Regularly backing up the configuration files of all switches ensures that when a failed switch is replaced, the exact configuration can be restored quickly, minimizing downtime. This is a core best practice in network operations because a replacement switch typically ships with factory defaults and requires the original configuration to resume normal operations. Without a recent backup, the administrator would have to reconfigure the switch manually, leading to extended outage and potential human error.

Exam trap

CompTIA often tests the distinction between proactive maintenance tasks (like firmware upgrades or monitoring) and disaster recovery tasks (like configuration backups), leading candidates to choose firmware upgrades because they associate 'minimizing downtime' with keeping software current, when in fact the backup directly enables rapid replacement.

How to eliminate wrong answers

Option A is wrong because performing firmware upgrades on all switches is a proactive maintenance task that can introduce new features or security patches, but it does not directly address the need to restore a failed switch's configuration; a firmware upgrade does not preserve or restore the switch's running configuration. Option C is wrong because monitoring the switch's CPU utilization is a performance monitoring task that helps detect issues like high traffic or control plane overload, but it does not provide any mechanism to restore configuration after a hardware failure. Option D is wrong because creating a network performance baseline establishes normal performance metrics for comparison, which is useful for troubleshooting performance degradation but does not enable rapid restoration of a failed switch's configuration.

511
MCQmedium

A network administrator is configuring Quality of Service (QoS) on a router to prioritize voice traffic. Which of the following fields should be used to mark packets for classification and prioritization?

A.Source IP address
B.DSCP
C.Source port number
D.MAC address
AnswerB

DSCP is a 6-bit field in the IP header used for packet classification and prioritization in QoS. It allows consistent priority handling across the network.

Why this answer

DSCP (Differentiated Services Code Point) is the correct field because it is a 6-bit value in the IP header used to mark packets for QoS classification and prioritization, as defined in RFC 2474. Voice traffic typically uses DSCP EF (Expedited Forwarding, value 46) to ensure low latency and jitter, making it the standard choice for QoS marking on routers.

Exam trap

The trap here is that candidates confuse classification (using source IP, port, or MAC to identify traffic) with marking (setting a QoS field like DSCP or CoS), leading them to choose a valid classification method instead of the actual marking field required by the question.

How to eliminate wrong answers

Option A is wrong because the source IP address identifies the sender but is not a QoS marking field; it can be used to classify traffic via an ACL, not to carry a priority value. Option C is wrong because the source port number can help classify voice traffic (e.g., UDP port 5060 for SIP signaling, or the RTP port range the voice stream itself uses) but it is not a field used to mark a priority; it is used for classification, not for setting a priority value. Option D is wrong because the MAC address is a Layer 2 identifier and is not used for QoS marking in IP networks; while CoS (Class of Service) can mark frames at Layer 2 in the 802.1Q tag, the question specifies a router and IP-based marking, where DSCP is the appropriate field.
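Where the DSCP mark actually lives, as an added example that is not part of the question bank: DSCP is the upper six bits of the IPv4 ToS (DS) byte, so EF (46) appears on the wire as 0xB8. The code builds a minimal IPv4 header carrying a mark, reads the mark back as a router would for classification, and re-marks it while fixing the header checksum, which is what a switch does at a QoS trust boundary for marks it does not trust. The two sample packets and the trust-boundary policy are constructed for the example.

```python
import socket
import struct

# Standard DSCP values (RFC 2474 / RFC 3246); EF is what voice bearer traffic normally carries.
DSCP_EF = 46    # Expedited Forwarding
DSCP_AF41 = 34  # Assured Forwarding class 4, low drop precedence
DSCP_CS0 = 0    # best effort


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP is the upper 6 bits of the IPv4 ToS (DS) byte; ECN is the lower 2 bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0-63 and ecn 0-3")
    return (dscp << 2) | ecn


def dscp_from_tos(tos: int) -> int:
    return tos >> 2


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words (RFC 1071); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, dscp: int, proto: int = 17, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (UDP by default) carrying the given DSCP mark."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos_byte(dscp), 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_dscp(packet: bytes) -> int:
    """Read the DSCP mark a router would classify on."""
    return dscp_from_tos(packet[1])


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def remark_dscp(packet: bytes, new_dscp: int) -> bytes:
    """Rewrite the DSCP (keeping the ECN bits) and recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos_byte(new_dscp, hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


# Constructed samples: a phone's RTP packet (legitimately EF) and a laptop packet
# whose owner marked it EF to jump the queue. Addresses are made up for the example.
PHONE_PKT = build_ipv4_header("10.0.1.10", "192.168.1.20", DSCP_EF, payload_len=172)
LAPTOP_PKT = build_ipv4_header("10.0.1.77", "192.168.1.20", DSCP_EF, payload_len=1400)


def apply_trust_boundary(packet: bytes, trusted_port: bool) -> bytes:
    """Hypothetical access-switch policy: keep marks from trusted (phone) ports,
    reset everything else to best effort before it enters the QoS domain."""
    return packet if trusted_port else remark_dscp(packet, DSCP_CS0)
```

The re-marking step is the security-relevant part: any host can set its own DSCP, so an EF mark is only meaningful after a device you control has decided whether to trust it.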

512
MCQeasy

Which protocol is used to resolve a known IP address to a corresponding MAC address on a local network?

A.ARP
B.DNS
C.DHCP
D.ICMP
AnswerA

ARP (Address Resolution Protocol) maps IPv4 addresses to MAC addresses. It is essential for local network communication.

Why this answer

ARP (Address Resolution Protocol) is used to resolve a known IP address to its corresponding MAC address on a local network. When a host needs to send a frame to another host on the same subnet, it broadcasts an ARP request containing the target IP; the host with that IP responds with its MAC address, which is then cached for future use.

Exam trap

The trap here is confusing ARP with DNS, as both involve 'resolution,' but DNS resolves a hostname to an IP address (a Layer 3 address) while ARP resolves an IP address to a MAC address (a Layer 2 address), and candidates often forget that ARP works only within a local broadcast domain.

How to eliminate wrong answers

Option B (DNS) is wrong because DNS resolves domain names to IP addresses, not IP addresses to MAC addresses. Option C (DHCP) is wrong because DHCP assigns IP addresses dynamically and provides configuration parameters like subnet mask and default gateway, but does not perform IP-to-MAC resolution. Option D (ICMP) is wrong because ICMP is used for error reporting and diagnostic functions (e.g., ping, traceroute), not for address resolution.
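The request/reply exchange in protocol terms, as an added example that is not part of the question bank: the code builds and parses the 28-byte Ethernet/IPv4 ARP body from RFC 826 and then watches replies for the failure mode that matters to a defender, an IP address that suddenly answers from a different MAC (ARP cache poisoning). The captured packet sequence and all addresses are constructed for the example.

```python
import socket
import struct
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/IPv4 ARP packet body (RFC 826)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpWatcher:
    """Learn IP->MAC bindings from replies and flag an IP that later answers from a
    different MAC, the on-the-wire signature of ARP spoofing / cache poisoning."""

    def __init__(self) -> None:
        self.bindings = {}   # ip -> mac first seen
        self.alerts = []

    def observe(self, pkt: bytes) -> Optional[str]:
        arp = parse_arp(pkt)
        if arp["oper"] != ARP_REPLY:
            return None          # requests carry no binding we rely on
        ip, mac = arp["spa"], arp["sha"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = f"{ip} moved from {known} to {mac}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed capture: host asks for the gateway, the gateway answers twice,
# then a third party claims the gateway's IP with its own MAC.
GATEWAY_MAC, HOST_MAC, ATTACKER_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
CAPTURE = [
    build_arp(ARP_REQUEST, HOST_MAC, "10.0.1.10", "00:00:00:00:00:00", "10.0.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.1.1", HOST_MAC, "10.0.1.10"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.1.1", HOST_MAC, "10.0.1.10"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.1.1", HOST_MAC, "10.0.1.10"),
]


def run_capture(capture=CAPTURE) -> list:
    watcher = ArpWatcher()
    for pkt in capture:
        watcher.observe(pkt)
    return watcher.alerts
```

A legitimate NIC replacement on the gateway trips the same alert, so in practice the first-seen binding is seeded from an inventory (or from DHCP snooping, which is what Dynamic ARP Inspection on a switch uses) rather than from whatever reply arrives first.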

513
MCQeasy

A network technician needs to connect two switches to support multiple VLANs between them. The technician wants to use a single link to carry traffic for all VLANs. Which protocol should be used to tag frames with VLAN information?

A.802.1Q
B.802.1X
C.802.11
D.802.3
AnswerA

Correct. 802.1Q is the standard for VLAN tagging on trunk links.

Why this answer

802.1Q is the IEEE standard for VLAN tagging, which inserts a 4-byte tag into the Ethernet frame header to identify the VLAN membership of the frame. This allows a single trunk link between two switches to carry traffic for multiple VLANs by tagging each frame with its corresponding VLAN ID (1-4094).

Exam trap

The trap here is that candidates often confuse 802.1Q (VLAN tagging) with 802.1X (port authentication) because of the similar numbering, or they assume 802.3 handles VLANs since it is the base Ethernet standard.

How to eliminate wrong answers

Option B (802.1X) is wrong because it is a port-based Network Access Control (NAC) protocol used for authentication, not for VLAN tagging. Option C (802.11) is wrong because it is a set of standards for wireless LANs (Wi-Fi), not for tagging frames on wired Ethernet trunk links. Option D (802.3) is wrong because it defines the physical and data-link layer specifications for Ethernet (e.g., frame format, cabling), but does not include VLAN tagging functionality.
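What the 4-byte tag looks like on the wire, as an added example that is not part of the question bank: the tag is inserted between the source MAC and the original EtherType, starting with the TPID 0x8100 and followed by a 16-bit TCI that holds the 3-bit priority (PCP), a drop-eligible bit and the 12-bit VLAN ID. The code tags a frame as a trunk port would, parses a tagged or untagged frame, and strips the tag as a switch does when forwarding onto an access port. The sample frame is constructed for the example.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC. VID 1-4094 only: 0 means
    priority-tagged with no VLAN, 4095 is reserved."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("invalid tag fields")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return addressing, the VLAN tag if present, and the payload EtherType."""
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vid": None, "pcp": None}
    offset = 12
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13
        info["vid"] = tci & 0x0FFF
        offset = 16
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    info["ethertype"] = ethertype
    info["payload"] = frame[offset + 2:]
    return info


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag, as a switch does when egressing an access port."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


# Constructed untagged frame: dst MAC, src MAC, EtherType IPv4, 20 bytes of placeholder payload.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff")
            + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20))


def trunk_roundtrip(vid: int, pcp: int) -> dict:
    """Tag the sample frame for the trunk, then parse it as the far switch would."""
    return parse_frame(tag_frame(UNTAGGED, vid, pcp))
```

The PCP bits are the CoS value that Layer 2 QoS acts on; like DSCP, they are set by whoever built the frame, so a trunk should only be configured towards a device whose tags you trust.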

514
MCQmedium

A user can access a website by its IP address (e.g., 203.0.113.5) but cannot access it by its domain name (example.com). Other users on the same subnet can access the website by domain name. Which of the following should the technician check FIRST?

A.A
B.B
C.C
D.D
AnswerA

A name-resolution fault local to that workstation, such as a bad hosts file entry or a wrong DNS server setting, breaks DNS resolution on that machine only.

Why this answer

The issue is isolated to a single user who can reach the website by IP but not by domain name, while other users on the same subnet have no problem. This points to a client-side name-resolution fault on that workstation: a wrong or missing DNS server address, or a stale or tampered entry in the local hosts file, which is consulted before DNS and overrides it. The technician should first check the client's resolver settings (`ipconfig /all` on Windows, `cat /etc/resolv.conf` on Linux) and the hosts file (`C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`) before looking anywhere else.

Exam trap

The trap here is that candidates often jump to checking the DNS server or website records globally, forgetting that the problem is isolated to one client, which clearly indicates a client-side configuration issue rather than a server or infrastructure problem.

How to eliminate wrong answers

Option B (check the website's DNS records) is wrong because other users on the same subnet can resolve the domain name, proving the DNS records for example.com are correctly configured and reachable from that subnet. Option C (check the default gateway) is wrong because the user can access the website by IP address, which confirms IP routing and the default gateway are functioning correctly; the problem is name resolution, not layer-3 connectivity.

515
MCQeasy

Which of the following best describes the primary function of the transport layer in the OSI model?

A.Routing packets across networks
B.Providing end-to-end communication and data flow control
C.Encoding data into electrical signals
D.Determining the best path for data transmission
AnswerB

This is correct. The transport layer (Layer 4) manages end-to-end connections, segmenting data, controlling flow, and ensuring reliable delivery.

Why this answer

The transport layer (Layer 4) is responsible for end-to-end communication between hosts, including segmentation, reassembly, and flow control. Protocols like TCP use windowing and acknowledgments to manage data flow, ensuring reliable delivery. This distinguishes it from lower layers that handle routing or physical signaling.

Exam trap

CompTIA often tests the confusion between the transport layer's end-to-end delivery and the network layer's path determination, leading candidates to incorrectly select routing-related options like A or D.

How to eliminate wrong answers

Option A is wrong because routing packets across networks is a function of the network layer (Layer 3), handled by protocols like IP and routing protocols such as OSPF or BGP. Option C is wrong because encoding data into electrical signals is the role of the physical layer (Layer 1), which deals with bit transmission over media like copper or fiber. Option D is wrong because determining the best path for data transmission is also a network layer function, performed by routers using routing tables and metrics like hop count or cost.

516
MCQeasy

A network administrator is creating a standard operating procedure for firmware upgrades. Which step should be performed FIRST according to best practices?

A.Schedule the upgrade during a maintenance window
B.Back up the current configuration
C.Test the firmware in a lab environment
D.Notify users of the planned outage
AnswerC

Testing the firmware in a lab first helps identify issues before affecting the production environment.

Why this answer

According to best practices for firmware upgrades, the first step should always be to test the new firmware in a non-production lab environment that mirrors the production setup. This validates compatibility, identifies potential bugs, and confirms the upgrade process works without risking network downtime or data loss. Only after successful lab testing should you back up the current configuration and schedule the upgrade during a maintenance window.

Exam trap

CompTIA often tests the misconception that backing up the configuration is the first step, but best practices dictate that testing in a lab environment takes precedence to avoid deploying untested firmware that could render the device inoperable.

How to eliminate wrong answers

Option A is wrong because scheduling the upgrade during a maintenance window is an operational step that should occur after the firmware has been validated in a lab; performing it first risks deploying untested firmware that could cause outages. Option B is wrong because backing up the current configuration is a critical safety step, but it should be done after lab testing and before the actual upgrade, not as the very first step—testing first prevents the need to restore from backup due to a failed upgrade.

517
MCQhard

Users in a remote branch office report that they cannot access the company's cloud-based applications. The network administrator notices that the edge router's WAN interface is up but the branch's default route points to a next-hop IP that is unreachable. The administrator can ping the ISP's gateway IP from the router. What is the most likely cause?

A.The routing protocol is not redistributing the default route
B.The static default route has an incorrect next-hop IP
C.The WAN interface is administratively down
D.The firewall is blocking traffic to the cloud
AnswerB

If the static default route points at a next-hop IP the router cannot reach, packets matching that route are dropped even though the WAN interface is up and the ISP gateway itself answers pings.

Why this answer

The correct answer is B because the scenario describes a static default route configured with a next-hop IP that is unreachable. The WAN interface is up and the ISP gateway answers pings, but the router cannot forward traffic to the cloud because the static route points at some other address, typically one outside the directly connected WAN subnet. On most platforms a static route whose next hop cannot be resolved is not even installed in the forwarding table, so packets that would use the default route are simply dropped. The fix is to correct the next hop to the ISP gateway address that the ping already proved reachable.

Exam trap

CompTIA often tests the distinction between a WAN interface being up and the default route's next-hop being reachable; candidates mistakenly assume that if the interface is up and the ISP gateway is pingable, the default route must be correct, but the next-hop IP configured in the static route could be a different, unreachable address.

How to eliminate wrong answers

Option A is wrong because the issue is not about routing protocol redistribution; the branch uses a static default route, not a dynamic routing protocol, so redistribution is irrelevant. Option C is wrong because the WAN interface is explicitly stated as up, and an administratively down interface would show as 'down' or 'administratively down' in the show interfaces output. Option D is wrong because the firewall blocking traffic would not cause the router to have an unreachable next-hop; the ping to the ISP gateway succeeds, indicating Layer 3 connectivity is intact, and the problem is at the routing table level.
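How a router turns its table into a forwarding decision, as an added example that is not part of the question bank and that covers both question 509 (longest-prefix match on the destination IP) and question 517 (a static route whose next hop is unreachable). The model router, its interfaces and its routes are constructed for the example; real routers also resolve next hops recursively through other routes, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None means directly connected
    interface: Optional[str] = None             # set for connected routes


class RoutingTable:
    def __init__(self, connected: dict) -> None:
        """connected maps interface name -> that interface's address in CIDR form."""
        self.routes = []
        for iface, cidr in connected.items():
            net = ipaddress.ip_interface(cidr).network
            self.routes.append(Route(net, None, iface))

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def egress_for_next_hop(self, nh: ipaddress.IPv4Address) -> Optional[str]:
        """A next hop is usable only if it lies in a directly connected subnet."""
        for r in self.routes:
            if r.next_hop is None and nh in r.prefix:
                return r.interface
        return None

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, ignoring static routes whose next hop is unreachable
        (most platforms do not even install such a route)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr not in r.prefix:
                continue
            if r.next_hop is not None and self.egress_for_next_hop(r.next_hop) is None:
                continue
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
        return best

    def forward(self, dst: str) -> Optional[tuple]:
        """(egress interface, next hop) for dst, or None if the packet would be dropped."""
        r = self.lookup(dst)
        if r is None:
            return None
        if r.next_hop is None:
            return (r.interface, "connected")
        return (self.egress_for_next_hop(r.next_hop), str(r.next_hop))


def branch_router(default_next_hop: str) -> RoutingTable:
    """Constructed branch edge router: a /30 to the ISP on wan0 (gateway 198.51.100.1),
    the user LAN on lan0, and a second internal router at 10.0.1.254 for other 10/8 sites."""
    rt = RoutingTable({"wan0": "198.51.100.2/30", "lan0": "10.0.1.1/24"})
    rt.add_static("0.0.0.0/0", default_next_hop)
    rt.add_static("10.0.0.0/8", "10.0.1.254")
    return rt


if __name__ == "__main__":
    broken = branch_router("198.51.100.9")   # typo: not in the /30, so unreachable
    print("cloud via broken default:", broken.forward("203.0.113.5"))
    fixed = branch_router("198.51.100.1")
    print("cloud via fixed default:", fixed.forward("203.0.113.5"))
    print("local host:", fixed.forward("10.0.1.50"))
    print("other site:", fixed.forward("10.0.5.9"))
```

The 10.0.1.50 lookup matches both 10.0.0.0/8 and the connected 10.0.1.0/24; the /24 wins because it is more specific, which is the longest-prefix rule question 509 is really about. With the mistyped next hop, the interface is up and 198.51.100.1 would still answer a ping from the router, yet every packet for the internet has no usable route, which is the symptom in question 517.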

518
MCQmedium

A network administrator is preparing documentation for a new branch office. The administrator needs a diagram that shows the logical relationships between network devices and how VLANs are trunked over inter-switch links. Which type of document should be created?

A.Network baseline
B.Wiring diagram
C.Physical topology diagram
D.Logical topology diagram
AnswerD

A logical topology diagram displays addressing, VLANs, and routing paths, making it ideal for showing trunk links and VLAN assignments.

Why this answer

A logical topology diagram is the correct choice because it illustrates how devices communicate across the network, including VLAN assignments and trunk links (e.g., 802.1Q tagging) between switches. This diagram abstracts physical locations to show Layer 2 and Layer 3 relationships, such as which VLANs traverse which inter-switch links, making it ideal for documenting VLAN trunking and logical connectivity.

Exam trap

The trap here is that candidates confuse 'physical topology' with 'logical topology,' assuming that a physical diagram can show VLAN trunking, but physical diagrams only depict hardware connections, not the logical VLAN paths or trunking relationships.

How to eliminate wrong answers

Option A is wrong because a network baseline is a performance benchmark (e.g., throughput, latency) used for comparison over time, not a diagram showing VLAN trunking relationships. Option B is wrong because a wiring diagram details physical cable runs, patch panel connections, and pinouts (e.g., T568A/B), not logical VLAN or trunking information. Option C is wrong because a physical topology diagram maps device locations, cable types, and port numbers, but it does not represent logical constructs like VLANs or trunking protocols (e.g., DTP or 802.1Q).

519
MCQeasy

A network administrator is troubleshooting a connectivity issue and suspects the problem is related to the physical cabling. At which layer of the OSI model should the administrator begin their investigation?

A.Transport layer
B.Data Link layer
C.Physical layer
D.Network layer
AnswerC

The Physical layer defines the electrical, mechanical, and procedural interface to the transmission medium, making it the correct layer for cabling issues.

Why this answer

The Physical layer (Layer 1) is the correct starting point because the administrator suspects the problem is related to physical cabling. The Physical layer defines the electrical, mechanical, and procedural specifications for transmitting raw bits over a physical medium, such as copper or fiber optic cables. Troubleshooting at this layer involves checking for cable faults, signal degradation, or improper termination before moving up the OSI stack.

Exam trap

The trap here is that candidates often jump to the Data Link layer (Layer 2) because they associate 'connectivity issues' with MAC addresses or switching, forgetting that physical cabling faults must be ruled out first at Layer 1.

How to eliminate wrong answers

Option A is wrong because the Transport layer (Layer 4) handles end-to-end communication, segmentation, and flow control (e.g., TCP/UDP), not physical cabling issues. Option B is wrong because the Data Link layer (Layer 2) manages framing, MAC addressing, and error detection (e.g., Ethernet frames, switches), but it assumes the physical medium is functioning correctly; cabling faults are a Layer 1 concern. Option D is wrong because the Network layer (Layer 3) handles logical addressing and routing (e.g., IP), which cannot be evaluated until the physical link underneath it is known to be good.

520
MCQmedium

A user reports that they can access the internet but cannot access the company's internal web application at https://intranet.company.local. The technician can ping the server's IP address (192.168.10.50) successfully from the user's workstation. However, when the technician runs 'nslookup intranet.company.local', it returns 'Non-existent domain'. What is the most likely cause?

A.The web server is not running on port 443.
B.The client's DNS server does not have a record for the internal domain.
C.A firewall is blocking traffic to the internal web server.
D.The hostname is misspelled in the browser.
AnswerB

A 'Non-existent domain' (NXDOMAIN) response from nslookup means the DNS server the client queried has no record for that name at all. For an internal-only name such as intranet.company.local this usually means the client is using a resolver that does not serve the internal zone, or the record was never created on the server that does.

Why this answer

The user can access the internet and ping the server's IP address, which confirms Layer 3 connectivity and that the web server host is reachable. However, 'nslookup intranet.company.local' returns 'Non-existent domain', meaning the DNS server the client is using has no A or CNAME record for that internal hostname. A common reason is that the workstation points at a public or ISP resolver that knows nothing about the company's internal zone; querying the internal server directly (`nslookup intranet.company.local <internal-dns-ip>`) confirms whether the record exists there. Since the browser relies on DNS to translate the FQDN to an IP address, the failed lookup prevents the web application from loading even though the server itself is online and reachable.

Exam trap

CompTIA often tests the distinction between connectivity (ping) and name resolution (nslookup), trapping candidates who assume that successful ping to an IP means the web application should work, ignoring that DNS failure prevents the browser from even initiating the HTTP request.

How to eliminate wrong answers

Option A is wrong because the browser never gets as far as opening a TCP connection: the name lookup fails first. If the web server were simply not listening on port 443, the name would still resolve and the browser would then see a connection refused or a timeout, which is a different symptom. Option C is wrong for the same reason: a firewall could block TCP 443 while still permitting ICMP, so a successful ping does not on its own rule out a firewall, but a firewall does not make the DNS server return 'Non-existent domain', and that is the failure actually observed. Option D is wrong because the technician ran nslookup with the exact hostname 'intranet.company.local' and still got 'Non-existent domain'; a misspelling in the browser would not affect the nslookup result, so the missing record is the cause regardless of what the user typed.
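What 'Non-existent domain' is in protocol terms, as an added example that is not part of the question bank: nslookup prints it when the response header carries RCODE 3 (NXDOMAIN). The code builds the query a client sends for intranet.company.local and parses two constructed responses, the empty NXDOMAIN answer a public resolver gives for a zone it does not serve, and the authoritative A record the internal DNS server returns. Both responses, the transaction ID and the addresses are constructed for the example.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a name, following RFC 1035 compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "authoritative": bool(flags & 0x0400), "questions": questions, "answers": answers}


QUERY = build_query(0x1234, "intranet.company.local")

# Constructed: a public resolver that does not host company.local answers
# QR|RD|RA with RCODE 3 and no records; this is what nslookup shows as 'Non-existent domain'.
NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]

# Constructed: the internal DNS server answers QR|AA|RD|RA, one A record whose owner
# name is a compression pointer (0xC00C) back to the question name at offset 12.
A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + QUERY[12:]
              + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
              + socket.inet_aton("192.168.10.50"))
```

The parser is what a client-side check would use to tell the two cases apart: an NXDOMAIN from the resolver the workstation is configured with, alongside an authoritative answer from the internal server, is the split-horizon misconfiguration the question describes.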
