CCNA Network Implementation Questions

75 of 104 questions · Page 1/2 · Network Implementation · Answers revealed

1
MCQ · easy

A network technician configures an 802.1Q trunk link between two switches. After the configuration, VLAN 20 traffic is not passing across the trunk, although VLAN 10 traffic works fine. The technician verifies that both switches have VLAN 20 created and that the trunk is up. What is the most likely cause?

A. The native VLAN is mismatched between the switches.
B. VLAN 20 is not included in the allowed VLAN list on the trunk.
C. The trunk port is set to dynamic desirable mode.
D. The encapsulation type is ISL instead of 802.1Q.
Answer: B

By default, trunk ports allow all VLANs, but if an allowed VLAN list is configured, only listed VLANs are forwarded. VLAN 20 is likely missing.

Why this answer

The most likely cause is that VLAN 20 is not included in the allowed VLAN list on the trunk. By default, an 802.1Q trunk allows all VLANs, but if the allowed VLAN list has been manually configured or pruned, VLAN 20 may have been excluded. Since VLAN 10 works, the trunk is operational, and both switches have VLAN 20 created, the issue is specifically that the trunk is not permitting VLAN 20 traffic.

Exam trap

CompTIA often tests the misconception that a native VLAN mismatch is the default cause of VLAN-specific traffic failures, but the real issue is usually the allowed VLAN list being misconfigured or pruned.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause control plane issues (e.g., CDP or STP problems) or traffic for the native VLAN to be misdirected, but it would not selectively block only VLAN 20 while allowing VLAN 10. Option C is wrong because dynamic desirable mode is a DTP setting that negotiates trunking; if the trunk is already up and passing VLAN 10 traffic, the trunk mode is not the issue. Option D is wrong because if the encapsulation type were ISL instead of 802.1Q, the trunk would not form or would not pass any VLAN traffic correctly, not just VLAN 20; the question states the trunk is up and VLAN 10 works, so encapsulation is compatible.

2
MCQ · medium

A company is deploying a wireless network that must support both 2.4 GHz and 5 GHz frequency bands. Which IEEE 802.11 standard supports both bands and is backward compatible with older devices?

A. 802.11b
B. 802.11g
C. 802.11n
D. 802.11ac
Answer: C

802.11n supports both 2.4 GHz and 5 GHz and offers higher throughput than earlier standards.

Why this answer

802.11n (Wi-Fi 4) is the correct answer because it was the first standard to natively support both 2.4 GHz and 5 GHz bands simultaneously, using MIMO (Multiple Input Multiple Output) technology. It also maintains backward compatibility with older 802.11a/b/g devices through mandatory support for legacy modulation schemes (DSSS/CCK for 2.4 GHz and OFDM for 5 GHz).

Exam trap

The trap here is that candidates often confuse 802.11g (which is backward compatible with 802.11b but only 2.4 GHz) with a dual-band standard, or incorrectly assume 802.11ac supports 2.4 GHz because it is often marketed as 'dual-band' in consumer devices, but the IEEE 802.11ac-2013 amendment defines operation only in the 5 GHz band.

How to eliminate wrong answers

Option A (802.11b) is wrong because it operates only in the 2.4 GHz band and supports a maximum data rate of 11 Mbps using DSSS/CCK, with no 5 GHz capability. Option B (802.11g) is wrong because it operates only in the 2.4 GHz band; although it uses OFDM for up to 54 Mbps and is backward compatible with 802.11b, it lacks 5 GHz support. Option D (802.11ac) is wrong because it operates exclusively in the 5 GHz band (with optional 2.4 GHz support only via simultaneous dual-band implementations, but the standard itself is 5 GHz-only) and is not backward compatible with 2.4 GHz-only legacy devices.

3
MCQ · medium

A network administrator connects two switches with a trunk link that is configured to allow all VLANs. Workstations in VLAN 10 can communicate across the switches, but workstations in VLAN 20 cannot. Both VLANs are configured on the first switch. What is the most likely cause of the issue?

A. The native VLAN is mismatched on the two switches.
B. VLAN 20 is not created on the second switch.
C. The trunk uses ISL instead of 802.1Q.
D. The default gateway is missing for VLAN 20.
Answer: B

Correct. If VLAN 20 does not exist on the second switch, it will discard frames received on the trunk tagged with VLAN 20. Creating the VLAN on both switches is essential for inter-switch communication.

Why this answer

VLAN 20 is configured on the first switch but not on the second switch. Even though the trunk link allows all VLANs, the second switch must have VLAN 20 created in its VLAN database for traffic to be forwarded. Without the VLAN existing on the second switch, frames tagged for VLAN 20 are dropped at the receiving switch because there is no corresponding VLAN interface or forwarding table entry.

Exam trap

Cisco often tests the misconception that a trunk configured to 'allow all VLANs' automatically makes every VLAN functional across the link, when in fact each switch must have the VLAN defined in its local database for traffic to be processed.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause issues with untagged frames (typically management or control traffic), not with specific user VLANs like VLAN 20; both VLANs 10 and 20 are tagged on the trunk, so native VLAN mismatch would not selectively break one VLAN. Option C is wrong because ISL vs. 802.1Q encapsulation mismatch would prevent all VLAN traffic from passing across the trunk, not just VLAN 20; the fact that VLAN 10 works correctly indicates the trunk encapsulation is consistent and functional.

4
MCQ · hard

A network architect is designing a Software-Defined Networking (SDN) based network. Which of the following components is responsible for making centralized forwarding decisions and communicating those decisions to the physical switches using southbound APIs?

A. Application layer
B. Control layer
C. Data plane
D. East-west interfaces
Answer: B

The control layer (SDN controller) centralizes the control plane and programs switches via southbound APIs, determining how packets should be forwarded.

Why this answer

In SDN architecture, the control layer (also known as the SDN controller) is the centralized entity responsible for making all forwarding decisions. It communicates these decisions to the physical switches via southbound APIs, such as OpenFlow, which program the flow tables in the data plane. This separation of the control plane from the data plane is the fundamental principle of SDN.

Exam trap

The trap here is that candidates confuse the control layer with the data plane, thinking that the physical switches themselves make forwarding decisions, but in SDN the control layer is logically centralized and the switches are simple forwarding devices.

How to eliminate wrong answers

Option A is wrong because the application layer consists of business logic and network services (e.g., load balancers, firewalls) that communicate with the control layer via northbound APIs, not directly with switches. Option C is wrong because the data plane (or forwarding plane) is the part of the switch that actually forwards packets based on flow table entries; it does not make centralized decisions. Option D is wrong because east-west interfaces are used for communication between multiple SDN controllers for synchronization and high availability, not for sending forwarding decisions to physical switches.

5
MCQ · medium

A network administrator adds a new server to VLAN 20. The switch port is configured as an access port in VLAN 20, and the server has a correct static IP address in that subnet. However, the server cannot communicate with other devices in the same VLAN. The VLAN exists on the switch and other devices in VLAN 20 are working. What is the most likely cause of this issue?

A. The switch port is configured as a trunk port instead of an access port
B. VLAN 20 is not allowed on the trunk to the router
C. The server does not have a default gateway configured
D. The port is administratively down
Answer: A

A trunk port expects 802.1Q tagged frames; the server sends untagged frames, so the switch may not associate them with VLAN 20, causing communication failure within the VLAN.

Why this answer

The scenario states the switch port is configured as an access port in VLAN 20, but the server cannot communicate with other devices in the same VLAN. If the port were actually configured as a trunk port, it would expect frames to be tagged with a VLAN ID. An untagged frame from the server would be placed into the native VLAN (typically VLAN 1), not VLAN 20, causing a mismatch.

This explains why the server, despite having a correct static IP in VLAN 20's subnet, cannot reach other devices in VLAN 20.

Exam trap

CompTIA often tests the distinction between access and trunk ports by presenting a scenario where a device has correct IP settings but cannot communicate within its VLAN, tempting candidates to blame routing or gateway issues when the real problem is a layer 2 VLAN mismatch caused by trunk mode on an access port.

How to eliminate wrong answers

Option B is wrong because VLAN 20 not being allowed on the trunk to the router would affect inter-VLAN routing, not communication within the same VLAN (which is purely layer 2). Option C is wrong because a default gateway is only needed for communication outside the local subnet; devices in the same VLAN communicate directly via ARP and MAC addresses, so a missing default gateway does not prevent intra-VLAN connectivity. Option D is wrong because if the port were administratively down, the server would have no link at all, and the administrator would likely see a 'down/down' interface status, not a scenario where the server has a static IP but cannot communicate.

6
MCQ · medium

A network administrator needs to connect two buildings 2 km apart using single-mode fiber. Which transceiver type should be used?

A. 1000BASE-T
B. 1000BASE-SX
C. 1000BASE-LX
D. 10GBASE-SR
Answer: C

1000BASE-LX operates over single-mode fiber and can reach distances of 5 km or more.

Why this answer

1000BASE-LX (Long Wavelength) operates at 1310 nm over single-mode fiber and supports distances up to 5 km (and often up to 10 km with proper link budgets), making it the correct choice for a 2 km link. Single-mode fiber is required for distances beyond 550 m, and 1000BASE-LX is the Gigabit Ethernet standard designed for such single-mode runs.

Exam trap

Cisco often tests the misconception that 1000BASE-SX can be used for long distances because it is a common Gigabit Ethernet standard, but the trap is that SX is strictly for multimode fiber and limited to 550 m, while LX is the correct choice for single-mode runs beyond that distance.

How to eliminate wrong answers

Option A (1000BASE-T) is wrong because it uses twisted-pair copper cabling (Cat5e/Cat6) and is limited to 100 meters, not 2 km. Option B (1000BASE-SX) is wrong because it uses short-wavelength (850 nm) optics designed for multimode fiber, with a maximum reach of only 550 m (and often less at lower-grade multimode). Option D (10GBASE-SR) is wrong because it is a 10 Gigabit Ethernet standard using short-wavelength (850 nm) optics over multimode fiber, limited to about 300-400 meters, and does not match the required 1 Gbps speed or single-mode fiber for a 2 km distance.

7
MCQ · medium

A network administrator has just connected a new access switch to the core switch via a trunk port. The administrator configured the trunk port on both switches with the same allowed VLAN list. However, hosts on VLAN 10 connected to the new access switch cannot communicate with hosts on VLAN 10 on the core switch. The trunk is operational and shows up/up. What is the most likely cause?

A. VLAN 10 has not been created on the new access switch
B. Native VLAN mismatch on the trunk
C. Trunk encapsulation mismatch (ISL vs 802.1Q)
D. STP is blocking the VLAN 10 traffic on the trunk
Answer: A

Correct. If the VLAN does not exist in the switch's database, the switch will not forward frames for that VLAN, even though the trunk is configured to allow it.

Why this answer

The most likely cause is that VLAN 10 has not been created on the new access switch. Even though the trunk port is up/up and the allowed VLAN list matches, a switch will not forward traffic for a VLAN that does not exist in its local VLAN database. Without the VLAN being created, the switch drops all frames tagged with VLAN 10, preventing communication between hosts on that VLAN across the trunk.

Exam trap

Cisco often tests the misconception that a trunk with matching allowed VLAN lists is sufficient for traffic to pass, but candidates forget that the VLAN must exist in the local VLAN database on both switches for traffic to be forwarded.

How to eliminate wrong answers

Option B is wrong because a native VLAN mismatch would cause control plane issues (e.g., CDP/STP mismatches) but would not specifically block VLAN 10 traffic if both sides have the same allowed VLAN list; the native VLAN is used for untagged frames, not for tagged VLAN 10 traffic. Option C is wrong because modern Cisco switches default to 802.1Q encapsulation and auto-negotiate; an encapsulation mismatch would prevent the trunk from coming up (the port would not show up/up). Option D is wrong because STP blocking on a trunk typically blocks all VLANs or none, and if STP were blocking VLAN 10, the trunk would still show up/up but the specific VLAN would be in a blocking state; however, the question states the trunk is operational, and STP blocking is less likely than the VLAN simply not being created.

8
MCQ · medium

A network engineer needs to segment a single physical switch into multiple broadcast domains to improve security and reduce traffic. Which technology should be implemented?

A. Spanning Tree Protocol (STP)
B. Virtual LAN (VLAN)
C. VLAN Trunking Protocol (VTP)
D. Access Control List (ACL)
Answer: B

VLANs create separate broadcast domains on a switch, meeting the requirement.

Why this answer

A VLAN (Virtual LAN) segments a physical switch into multiple isolated broadcast domains at Layer 2. By assigning ports to different VLANs, broadcast traffic is confined to each VLAN, improving security and reducing unnecessary traffic. This directly meets the requirement without requiring additional hardware.

Exam trap

CompTIA often tests the distinction between VLANs (which create broadcast domains) and VTP (which only propagates VLAN information), leading candidates to confuse configuration management with actual segmentation.

How to eliminate wrong answers

Option A is wrong because STP prevents loops in a redundant network but does not create broadcast domains; it manages path redundancy. Option C is wrong because VTP is a Cisco proprietary protocol for synchronizing VLAN configurations across switches, not for segmenting broadcast domains itself. Option D is wrong because ACLs filter traffic based on IP addresses or ports at Layer 3/4, but they do not segment Layer 2 broadcast domains.

9
MCQ · medium

A company is deploying VoIP phones and wants to ensure voice packets receive priority over data packets on the network. Which technology should be implemented on the switches and routers?

A. VLAN
B. Quality of Service (QoS)
C. Spanning Tree Protocol (STP)
D. Power over Ethernet (PoE)
Answer: B

QoS can classify and mark voice traffic (e.g., using CoS or DSCP) and give it higher priority in queues, ensuring quality.

Why this answer

Quality of Service (QoS) is the correct technology because it allows network devices to classify, mark, and prioritize voice traffic (e.g., using DSCP EF or CoS 5) over data traffic, ensuring low latency, jitter, and packet loss for VoIP. Switches and routers use QoS queuing mechanisms like LLQ or CBWFQ to guarantee bandwidth for voice packets, which is essential for real-time communications.

Exam trap

Cisco often tests the misconception that VLANs alone provide traffic prioritization, but VLANs only separate traffic; QoS is the actual mechanism for priority handling, and candidates frequently confuse logical separation with performance guarantees.

How to eliminate wrong answers

Option A (VLAN) is wrong because VLANs segment traffic logically but do not provide prioritization; they separate voice and data into different broadcast domains but cannot give voice packets priority over data. Option C (Spanning Tree Protocol) is wrong because STP prevents Layer 2 loops and provides redundancy, but it has no mechanism for traffic prioritization or bandwidth allocation. Option D (Power over Ethernet) is wrong because PoE delivers electrical power to devices like VoIP phones over Ethernet cables, but it does not influence packet forwarding priority or queuing behavior.

10
MCQ · medium

An organization uses OSPF as its interior gateway protocol in a multi-area design. After a core router failure, the network takes several seconds to reconverge. Which technology can be implemented to improve convergence speed?

A. Implement LSA throttling
B. Enable OSPF fast hello timers
C. Configure BFD (Bidirectional Forwarding Detection)
D. Convert all areas to stub areas
Answer: C

BFD provides sub-second failure detection, allowing OSPF to converge much faster than with default timers.

Why this answer

BFD provides sub-second failure detection times (as low as 50 ms) independent of the routing protocol, allowing OSPF to reconverge much faster than relying on its default dead timer intervals. By detecting link failures in milliseconds, BFD triggers OSPF to immediately recalculate routes, drastically reducing the convergence delay after a core router failure.

Exam trap

Cisco often tests the distinction between OSPF fast hello timers (which still rely on seconds-based dead intervals) and BFD (which provides true sub-second detection), leading candidates to mistakenly choose fast hello timers as the faster solution.

How to eliminate wrong answers

Option A is wrong because LSA throttling controls the rate at which LSAs are generated and processed, which can reduce CPU load during flapping but does not speed up failure detection or convergence. Option B is wrong because OSPF fast hello timers reduce the hello and dead intervals (e.g., 1-second hello, 3-second dead), which still results in seconds-long detection times, not the sub-second detection that BFD provides. Option D is wrong because converting areas to stub areas restricts the types of LSAs allowed (no Type 5 LSAs), which reduces routing table size but has no effect on failure detection speed or convergence time.

11
MCQ · hard

A network administrator is configuring OSPF on a router that has interfaces in only one area and does not perform route redistribution. Which OSPF router type best describes this router?

A. Backbone router
B. Internal router
C. Area Border Router (ABR)
D. Autonomous System Boundary Router (ASBR)
Answer: B

An internal router belongs to a single OSPF area (non‑backbone) and does not perform redistribution. This matches the description.

Why this answer

An internal router has all its interfaces in a single OSPF area and does not perform route redistribution. Since the router's interfaces are confined to one area and it does not connect to other routing domains, it fits the definition of an internal router. This type of router maintains a single link-state database for that area and does not generate Type 3 or Type 5 LSAs.

Exam trap

Cisco often tests the distinction between an internal router and an ABR by making candidates assume that any router not in area 0 is an internal router, but the trap is that an ABR must have interfaces in multiple areas, while an internal router has all interfaces in a single area regardless of which area it is.

How to eliminate wrong answers

Option A is wrong because a backbone router must have at least one interface in area 0 (the backbone area), but the question states the router has interfaces in only one area, which could be any area, not necessarily area 0. Option C is wrong because an Area Border Router (ABR) must have interfaces in at least two different areas (one being area 0) and connects those areas, but the router here has interfaces in only one area and does not perform inter-area routing.

12
MCQ · medium

A network administrator is creating a new VLAN that will contain 20 devices. The administrator wants to use the most efficient subnet that provides enough usable IP addresses while minimizing waste. Which of the following subnet masks should be used?

A. 255.255.255.240 (/28)
B. 255.255.255.224 (/27)
C. 255.255.255.248 (/29)
D. 255.255.255.192 (/26)
Answer: B

A /27 provides 30 usable addresses, which is the smallest subnet that can accommodate 20 hosts.

Why this answer

A /27 subnet mask (255.255.255.224) provides 32 total addresses, of which 30 are usable (2^5 - 2 = 30). This is the most efficient choice for 20 devices because it offers exactly enough usable IPs with minimal waste (only 10 unused addresses), whereas a /28 would provide only 14 usable addresses (insufficient) and a /29 would provide only 6 usable addresses (also insufficient).

Exam trap

The trap here is that candidates often confuse the total number of addresses in a subnet with the number of usable host addresses, forgetting to subtract 2 for the network and broadcast addresses, and may incorrectly select a /28 thinking it provides 16 addresses (when only 14 are usable).

How to eliminate wrong answers

Option A is wrong because 255.255.255.240 (/28) provides only 14 usable addresses (2^4 - 2 = 14), which is insufficient for 20 devices. Option C is wrong because 255.255.255.248 (/29) provides only 6 usable addresses (2^3 - 2 = 6), far too few for the required 20 devices.

13
MCQ · medium

A company wants to deploy a wireless network in an office with high-density client requirements. Which 802.11 technology allows multiple antennas to transmit multiple spatial streams to increase throughput?

A. MIMO (Multiple-Input Multiple-Output)
B. OFDM (Orthogonal Frequency Division Multiplexing)
C. DSSS (Direct Sequence Spread Spectrum)
D. CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
Answer: A

MIMO uses multiple antennas to send and receive multiple data streams simultaneously, improving capacity and throughput.

Why this answer

MIMO (Multiple-Input Multiple-Output) is the correct technology because it uses multiple antennas at both the transmitter and receiver to send and receive multiple independent spatial streams simultaneously. This spatial multiplexing directly increases data throughput without requiring additional bandwidth or higher modulation, making it ideal for high-density client environments.

Exam trap

The trap here is that candidates confuse OFDM with MIMO because both are associated with 802.11n/ac/ax, but OFDM is a modulation scheme, not a spatial-stream technology; MIMO is the specific antenna-array technique that multiplies throughput via parallel streams.

How to eliminate wrong answers

Option B is wrong because OFDM (Orthogonal Frequency Division Multiplexing) is a modulation technique that divides a channel into multiple orthogonal subcarriers to improve spectral efficiency and combat multipath interference, but it does not use multiple antennas to create spatial streams. Option C is wrong because DSSS (Direct Sequence Spread Spectrum) is an older spread-spectrum technique that spreads a signal over a wider bandwidth using a chipping code, but it cannot transmit multiple spatial streams and offers lower throughput than modern MIMO-based systems.

14
MCQ · hard

A network engineer is configuring a router to provide IPv6 addressing via SLAAC for hosts on a subnet. The ISP has delegated a prefix 2001:db8:1::/48 and requires the router to advertise a specific prefix 2001:db8:1:1::/64. Which command must be configured on the router's interface to advertise this prefix?

A. ipv6 nd prefix
B. ipv6 address autoconfig
C. ipv6 unicast-routing
D. ipv6 dhcp server
Answer: A

This command configures the prefix to be advertised in Router Advertisements, enabling SLAAC for hosts.

Why this answer

Option A is correct because the 'ipv6 nd prefix' command is used on a router interface to advertise a specific IPv6 prefix in Router Advertisement (RA) messages for Stateless Address Autoconfiguration (SLAAC). This command allows the network engineer to override the default prefix derived from the interface address and explicitly advertise the delegated prefix 2001:db8:1:1::/64 as required by the ISP.

Exam trap

Cisco often tests the distinction between host-side SLAAC commands (like 'ipv6 address autoconfig') and router-side prefix advertisement commands (like 'ipv6 nd prefix'), leading candidates to confuse the device role in the SLAAC process.

How to eliminate wrong answers

Option B is wrong because 'ipv6 address autoconfig' is a host-side command that enables a device to automatically configure its IPv6 address using SLAAC, not a router command to advertise a prefix. Option C is wrong because 'ipv6 unicast-routing' globally enables IPv6 routing on the router, but it does not advertise a specific prefix on an interface; it is a prerequisite for routing, not for prefix advertisement.

15
MCQ · medium

A company is implementing a DMZ to host public-facing web and email servers. The DMZ network uses private IP addresses, and the internal network also uses private IP addresses. The company has only one public IP address assigned to the border router's external interface. Which of the following should be configured to allow internet users to access the DMZ servers?

A. Port forwarding to the private IP addresses of the servers.
B. NAT with overload to translate multiple internal addresses to the single public IP.
C. Static NAT mapping each DMZ server to a unique public IP.
D. A VPN tunnel between the DMZ and the internal network.
Answer: A

Correct. Port forwarding translates incoming traffic on specific ports to the appropriate private IP, enabling external access to internal servers.

Why this answer

Port forwarding (often configured as static NAT with a single public IP) allows the border router to forward incoming traffic on specific TCP/UDP ports (e.g., 80 for web, 25 for SMTP) to the private IP addresses of the DMZ servers. Since the company has only one public IP, this is the only way to direct external requests to the correct internal server without requiring multiple public IPs.

Exam trap

The trap here is that candidates confuse PAT (overload NAT) with port forwarding, assuming that PAT alone can handle inbound connections, when in fact PAT only supports outbound-initiated sessions unless explicit port forwarding rules are configured.

How to eliminate wrong answers

Option B is wrong because NAT with overload (PAT) translates multiple internal addresses to a single public IP for outbound traffic, but it does not allow unsolicited inbound connections from the internet to specific private IPs; it only maintains a state table for return traffic. Option C is wrong because static NAT mapping each DMZ server to a unique public IP requires multiple public IP addresses, which the company does not have (only one public IP is available).

16
MCQ · medium

A network administrator is implementing a new wireless network that will use WPA2-Enterprise. Which of the following must be configured on the network to support this security method?

A. A RADIUS server
B. A pre-shared key
C. A certificate authority
D. A VPN concentrator
Answer: A

WPA2-Enterprise relies on 802.1X, which requires a RADIUS server to handle authentication.

Why this answer

WPA2-Enterprise uses 802.1X authentication, which requires a RADIUS server to centralize authentication, authorization, and accounting (AAA). The RADIUS server validates user credentials (e.g., against Active Directory or LDAP) and distributes the Pairwise Master Key (PMK) to the access point, enabling per-user, per-session encryption keys. Without a RADIUS server, the enterprise authentication framework cannot function.

Exam trap

The trap here is that candidates confuse WPA2-Enterprise with WPA2-Personal and assume a pre-shared key is required, or they overgeneralize the role of a certificate authority, thinking it is mandatory for all enterprise Wi-Fi deployments when it is only required for specific EAP methods like EAP-TLS.

How to eliminate wrong answers

Option B is wrong because a pre-shared key (PSK) is used in WPA2-Personal, not WPA2-Enterprise; PSK uses a single static key shared among all clients, which lacks the per-user authentication and scalability required in enterprise environments. Option C is wrong because while a certificate authority (CA) may be used to issue server certificates for EAP-TLS or to validate RADIUS server identity, it is not a mandatory component of WPA2-Enterprise; other EAP methods like PEAP-MSCHAPv2 or EAP-TTLS can operate without a CA by using server-side certificates that are self-signed or validated via other means.

17
MCQ · medium

A network engineer is installing a WLAN in a warehouse with many metal shelves and racks. During a site survey, the engineer notices significant signal degradation in certain areas. Which wireless propagation phenomenon is most likely causing the issue?

A. Refraction
B. Diffraction
C. Reflection
D. Absorption
Answer: C

Metal surfaces reflect Wi-Fi signals, causing multipath interference and dead spots. This is a common issue in warehouses.

Why this answer

In a warehouse with many metal shelves and racks, the primary cause of signal degradation is reflection. Metal surfaces act as RF reflectors, causing the wireless signal to bounce off them, which leads to multipath interference and dead zones where the signal cancels out or becomes too weak to be usable. This is a common issue in environments with high metal density, as the reflected waves interfere with the direct path signal.

Exam trap

CompTIA often tests the trap where candidates confuse reflection with diffraction, thinking that signal bending around metal edges (diffraction) is the main issue, but in dense metal environments, reflection off flat metal surfaces is the dominant cause of signal degradation and dead zones.

How to eliminate wrong answers

Option A is wrong because refraction involves the bending of radio waves as they pass through media of different densities (e.g., air to glass), which is not the dominant issue with metal shelves. Option B is wrong because diffraction is the bending of waves around obstacles (e.g., edges of shelves), which can cause some signal spread but is not the primary cause of significant degradation from metal surfaces. Option D is wrong because absorption occurs when materials like concrete or water absorb RF energy, but metal primarily reflects rather than absorbs 2.4/5 GHz signals.

18
MCQ · medium

A router receives a packet destined for 10.0.0.15. It has the following routes in the routing table: 10.0.0.0/8 via 192.168.1.1, 10.0.0.0/16 via 192.168.2.1, 0.0.0.0/0 via 192.168.3.1. Which route will be used?

A. Default route (0.0.0.0/0)
B. 10.0.0.0/16 via 192.168.2.1
C. 10.0.0.0/8 via 192.168.1.1
D. None; the packet is dropped
Answer: B

This route has a longer prefix length (16) than the /8 route, and it matches the destination (10.0.0.15 is in 10.0.0.0/16).

Why this answer

The router will use the route 10.0.0.0/16 via 192.168.2.1 because it has the longest prefix match (16 bits) for the destination 10.0.0.15. The /16 route is more specific than the /8 route and the default route, so it is preferred regardless of administrative distance or metric.

Exam trap

The trap here is that candidates often assume administrative distance or metric determines the route selection, but the longest prefix match always takes precedence over these metrics when multiple routes match the destination.

How to eliminate wrong answers

Option A is wrong because the default route (0.0.0.0/0) is only used when no more specific route matches the destination; here, both the /8 and /16 routes match, so the default is not selected. Option C is wrong because although the /8 route matches the destination, the /16 route is a longer prefix match (16 bits vs. 8 bits), and routers always prefer the most specific route in the forwarding table.
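The selection rule from this question, as an added Python example (not part of the original question bank). It goes one step beyond the question by also modelling administrative distance and metric, which only decide between candidates for the same prefix before longest-prefix match is applied. The administrative distance and metric values and the 192.168.9.9 next hop used in testing are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int = 1   # constructed value, not given in the question
    metric: int = 0           # constructed value, not given in the question


def route(prefix, next_hop, admin_distance=1, metric=0):
    """Convenience constructor that parses the prefix string."""
    return Route(ipaddress.ip_network(prefix), next_hop, admin_distance, metric)


def build_table(candidates):
    """Install one route per prefix: lowest administrative distance wins,
    then lowest metric. This is the only place AD and metric are compared."""
    table = {}
    for cand in candidates:
        best = table.get(cand.prefix)
        if best is None or (cand.admin_distance, cand.metric) < (
            best.admin_distance,
            best.metric,
        ):
            table[cand.prefix] = cand
    return table


def lookup(table, destination):
    """Return the installed route with the longest matching prefix,
    or None when nothing matches (the packet would be dropped)."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


# The three routes from the question. The /8 and the default route are given a
# better (lower) administrative distance than the /16 on purpose, to show that
# this does not change the forwarding decision for 10.0.0.15.
QUESTION_ROUTES = [
    route("10.0.0.0/8", "192.168.1.1", admin_distance=1),
    route("10.0.0.0/16", "192.168.2.1", admin_distance=110, metric=20),
    route("0.0.0.0/0", "192.168.3.1", admin_distance=1),
]


def next_hop_for(destination, candidates=QUESTION_ROUTES):
    """Next hop chosen for a destination, or None if the packet is dropped."""
    chosen = lookup(build_table(candidates), destination)
    return chosen.next_hop if chosen else None


if __name__ == "__main__":
    for dst in ("10.0.0.15", "10.1.2.3", "172.16.0.1"):
        print(dst, "->", next_hop_for(dst))
```
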

19
MCQmedium

A network administrator is connecting two switches and wants to increase the bandwidth between them while also providing redundancy in case one link fails. Which technology should be configured on the switch ports?

A.Spanning Tree Protocol (STP)
B.Link Aggregation Control Protocol (LACP)
C.VLAN trunking (802.1Q)
D.Power over Ethernet (PoE)
AnswerB

LACP negotiates the bundling of physical ports into a single logical link, providing increased throughput and failover.

Why this answer

Link Aggregation Control Protocol (LACP) allows multiple physical links between two switches to be combined into a single logical link, increasing aggregate bandwidth and providing redundancy: if one physical link fails, traffic continues over the remaining links. This directly meets the requirement for both higher bandwidth and link-level fault tolerance.

Exam trap

The trap here is that candidates confuse STP's loop prevention with redundancy, but STP actively blocks redundant links to avoid loops, whereas LACP allows all links to forward traffic simultaneously while still providing failover.

How to eliminate wrong answers

Option A (Spanning Tree Protocol) is wrong because STP prevents loops by blocking redundant links, which would actually disable the extra links rather than using them for increased bandwidth or active redundancy. Option C (VLAN trunking, 802.1Q) is wrong because it tags frames to carry multiple VLANs over a single link but does not combine multiple links for bandwidth or provide link-level redundancy. Option D (Power over Ethernet) is wrong because it delivers electrical power to devices over Ethernet cabling and has no effect on link aggregation or redundancy between switches.

20
MCQmedium

A network administrator is configuring a trunk link between two switches. The link is up, but devices on VLAN 30 cannot communicate across the trunk. Devices on VLAN 10 and 20 can communicate. What should the administrator verify?

A.Ensure the native VLAN is the same on both switches
B.Verify that VLAN 30 is included in the allowed VLAN list on both switches
C.Check the trunk encapsulation type on both switches
D.Confirm that port security is not enabled on the trunk interfaces
AnswerB

Trunk ports can have a configured list of allowed VLANs. If VLAN 30 is not permitted, its traffic will not pass.

Why this answer

The trunk link is operational for VLANs 10 and 20 but not for VLAN 30, which indicates that VLAN 30 is likely not permitted on the trunk. By default, a trunk allows all VLANs, but if an administrator has manually configured an allowed VLAN list, VLAN 30 may have been omitted. Verifying that VLAN 30 is included in the allowed VLAN list on both switches will resolve the issue.

Exam trap

The trap here is that candidates often confuse native VLAN mismatch (which causes spanning-tree or BPDU issues) with a missing allowed VLAN, or they assume encapsulation must be checked even though the trunk is already operational for other VLANs.

How to eliminate wrong answers

Option A is wrong because the native VLAN mismatch would cause issues for untagged traffic (typically VLAN 1 by default), not specifically for a single tagged VLAN like VLAN 30. Option C is wrong because trunk encapsulation type (e.g., 802.1Q vs. ISL) must match for the trunk to form at all; since the link is up and other VLANs work, encapsulation is already compatible.

21
MCQmedium

A network engineer needs to configure a trunk link between two Cisco switches so that only VLANs 10, 20, and 30 are allowed. Which command set will accomplish this?

A.switchport trunk allowed vlan 10,20,30
B.switchport mode trunk
C.switchport trunk native vlan 1
D.switchport trunk encapsulation dot1q
AnswerA

This command explicitly allows only the listed VLANs on the trunk. All other VLANs are denied.

Why this answer

Option A is correct because the 'switchport trunk allowed vlan' command explicitly defines which VLANs are permitted to traverse the trunk link. By specifying '10,20,30', only traffic from those VLANs is forwarded, while all other VLANs are pruned from the trunk. This is the standard method for restricting VLANs on an IEEE 802.1Q trunk between Cisco switches.

Exam trap

CompTIA often tests the distinction between configuring trunk mode ('switchport mode trunk') and restricting VLANs ('switchport trunk allowed vlan'), leading candidates to mistakenly think that setting the interface to trunk alone is sufficient to limit VLAN traffic.

How to eliminate wrong answers

Option B is wrong because 'switchport mode trunk' only sets the interface to trunking mode; it does not restrict which VLANs are allowed, so by default all VLANs (1–4094) are permitted. Option C is wrong because 'switchport trunk native vlan 1' sets the native VLAN for untagged traffic on the trunk, but it does not filter which VLANs are allowed; native VLAN configuration is unrelated to VLAN permission lists. Option D is wrong because 'switchport trunk encapsulation dot1q' specifies the trunking protocol (802.1Q) but does not control which VLANs are permitted; this command is only needed on older switches that support both ISL and 802.1Q.

22
MCQmedium

A network administrator is configuring a router-on-a-stick to route between two VLANs (VLAN 10 and VLAN 20). The router has two subinterfaces: GigabitEthernet0/1.10 with encapsulation dot1Q 10 and IP 10.10.10.1/24, and GigabitEthernet0/1.20 with encapsulation dot1Q 20 and IP 10.10.20.1/24. The switch port connected to the router is configured as an access port in VLAN 10. Hosts in VLAN 10 can ping the router's VLAN 10 interface, but hosts in VLAN 20 cannot ping the router's VLAN 20 interface. What is the most likely cause?

A.The router subinterface for VLAN 20 is not enabled.
B.The switch port connecting to the router should be configured as a trunk.
C.The hosts in VLAN 20 do not have a default gateway configured.
D.The router's VLAN 20 subinterface has an incorrect IP address.
AnswerB

A trunk port carries traffic for multiple VLANs. Since the router uses subinterfaces with 802.1Q encapsulation, the switch must allow tagged frames for both VLANs.

Why this answer

The router-on-a-stick design requires the switch port connecting to the router to be configured as a trunk port, not an access port. An access port only carries traffic for a single VLAN (VLAN 10 in this case), so frames from VLAN 20 are dropped at the switch port before reaching the router. Configuring the port as a trunk with allowed VLANs 10 and 20 would enable the router's subinterfaces to receive and forward traffic for both VLANs.

Exam trap

CompTIA often tests the distinction between access and trunk ports in router-on-a-stick scenarios, trapping candidates who assume that configuring subinterfaces alone is sufficient without ensuring the switch port is set to trunk mode.

How to eliminate wrong answers

Option A is wrong because the subinterface for VLAN 20 is configured with encapsulation dot1Q 20 and an IP address, and there is no indication it is administratively down; the issue is that frames from VLAN 20 never reach the router due to the access port. Option C is wrong because the problem is at Layer 2 connectivity—hosts in VLAN 20 cannot even ping the router's VLAN 20 interface, which is a direct link issue, not a default gateway reachability problem. Option D is wrong because the IP address 10.10.20.1/24 on subinterface GigabitEthernet0/1.20 is correct for VLAN 20; the hosts cannot ping it because the switch port drops their VLAN 20 frames, not because of an IP mismatch.

23
MCQmedium

A network administrator wants to allow wireless clients to seamlessly roam between access points without re-authenticating to the RADIUS server for each transition. Which IEEE standard should be implemented?

A.802.11r
B.802.11k
C.802.11w
D.802.1X
AnswerA

802.11r reduces latency for roaming by allowing key caching.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables wireless clients to roam between access points without re-authenticating to the RADIUS server by using a cached Pairwise Master Key (PMK) and performing a faster, over-the-air or over-the-DS key exchange. This reduces the time required for roaming handoffs, which is critical for real-time applications like VoIP.

Exam trap

CompTIA often tests the distinction between 802.11k (which helps clients decide where to roam) and 802.11r (which speeds up the actual authentication process), leading candidates to confuse 'neighbor reports' with 'fast roaming authentication'.

How to eliminate wrong answers

Option B (802.11k) is wrong because it provides neighbor report and radio resource measurement information to help clients decide when to roam, but it does not eliminate the need for re-authentication to the RADIUS server. Option C (802.11w) is wrong because it focuses on protecting management frames (e.g., deauthentication and disassociation) from forgery, not on reducing authentication overhead during roaming. Option D (802.1X) is wrong because it is a port-based access control standard that defines the initial authentication process (EAP over RADIUS), but it does not provide a mechanism for fast roaming without re-authentication; in fact, full 802.1X re-authentication would cause the latency that 802.11r aims to avoid.

24
MCQeasy

A network engineer needs to connect two buildings that are 200 meters apart with a 1 Gbps link. The path is outdoors and susceptible to lightning strikes. Which cable type is the most appropriate for this scenario?

A.Cat6a UTP
B.Multimode fiber optic
C.Cat5e UTP
D.Single-mode fiber optic
AnswerB

Multimode fiber (e.g., 1000BASE-SX) supports 1 Gbps over 200m easily, is immune to electrical interference and lightning, and is cost-effective for this distance.

Why this answer

Multimode fiber optic cable is the most appropriate choice because it supports 1 Gbps over distances up to 550 meters (using OM2/OM3 fiber) and is completely immune to electromagnetic interference (EMI) from lightning strikes. Unlike copper cabling, fiber uses light pulses for transmission, so it does not conduct electricity, making it ideal for outdoor runs between buildings where lightning is a risk.

Exam trap

The trap here is that candidates often choose Cat6a UTP because they focus on bandwidth and distance but forget the outdoor lightning risk, assuming that higher-category copper can handle longer distances, when in fact all UTP copper is limited to 100 meters for Ethernet and is conductive.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP is a copper cable that can conduct electrical surges from lightning strikes, posing a safety and equipment damage risk, and its maximum recommended outdoor distance for 1 Gbps is 100 meters, which is insufficient for a 200-meter link without repeaters. Option C is wrong because Cat5e UTP also uses copper conductors, is susceptible to lightning-induced surges, and its maximum distance for 1 Gbps is 100 meters, making it unsuitable for the required 200-meter outdoor run.

25
MCQmedium

A technician installs a new wireless access point that requires 25 watts of power using Power over Ethernet (PoE). The existing switch only supports 802.3af (15.4W per port). What is the most likely result?

A.The access point will power on but may not transmit at full power.
B.The access point will not power on.
C.The switch port will be damaged.
D.The access point will power on and function normally.
AnswerB

The switch provides only 15.4W per port, which is insufficient for the 25W requirement. The AP will not receive enough power to start up.

Why this answer

The existing switch supports only 802.3af (PoE), which provides a maximum of 15.4 watts per port. The access point requires 25 watts, which exceeds the 802.3af power budget. Since the switch cannot deliver the required power, the access point will not power on. This is a strict power negotiation failure under IEEE 802.3 standards.

Exam trap

The trap here is that candidates often assume a device will 'work at reduced power' or 'negotiate down' when the power requirement exceeds the standard, but PoE standards enforce a strict power classification and will not power a device that cannot be fully supported.

How to eliminate wrong answers

Option A is wrong because if the switch cannot supply the minimum power required by the powered device (PD), the PD will not power on at all; 802.3af does not allow partial power delivery or reduced functionality—it either provides the negotiated power or fails the classification. Option C is wrong because PoE switches have overcurrent protection and will not be damaged by attempting to power a device that requests more power than available; the port simply refuses to supply power or shuts down the power negotiation.

26
MCQmedium

A company is deploying a wireless network in an office where employees move between floors. They want clients to authenticate once and maintain connectivity without re-authenticating when roaming between access points (APs). Which IEEE wireless standard provides this fast roaming capability?

A.802.11r
B.802.11i
C.802.11e
D.802.11n
AnswerA

Correct. 802.11r enables fast roaming by pre-establishing security keys with candidate APs.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables clients to roam between access points without re-authenticating at each new AP. It achieves this by using a cached Pairwise Master Key (PMK) and a four-way handshake that is optimized to reduce the time required for reassociation, typically completing in under 50 milliseconds. This ensures seamless connectivity for mobile users moving between floors.

Exam trap

Cisco often tests the distinction between 802.11i (security) and 802.11r (fast roaming), so the trap here is confusing the authentication protocol with the roaming optimization standard, leading candidates to pick 802.11i because it deals with keys and handshakes.

How to eliminate wrong answers

Option B (802.11i) is wrong because it defines security mechanisms like WPA2 and the four-way handshake for initial authentication, but it does not include fast roaming optimizations; it requires a full re-authentication on each roam. Option C (802.11e) is wrong because it focuses on Quality of Service (QoS) enhancements, such as WMM and traffic prioritization, not on roaming or authentication speed. Option D (802.11n) is wrong because it specifies high-throughput improvements like MIMO and channel bonding (up to 600 Mbps), with no provisions for fast roaming or reduced re-authentication latency.

27
MCQmedium

A company is implementing a wireless network and needs to support high-density client environments with minimal interference. Which IEEE 802.11 standard operates in the 5 GHz band and provides the highest throughput among the options?

A.802.11ac
B.802.11n
C.802.11g
D.802.11b
AnswerA

Correct. 802.11ac operates exclusively in the 5 GHz band and can achieve multi-gigabit throughput using wider channels, MIMO, and beamforming.

Why this answer

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band and supports up to 8 spatial streams, 256-QAM modulation, and channel bonding up to 160 MHz, yielding theoretical throughput exceeding 6.9 Gbps. This makes it the highest-throughput option among the listed standards for high-density environments with minimal interference, as the 5 GHz band offers more non-overlapping channels and less co-channel contention than 2.4 GHz.

Exam trap

The trap here is that candidates often confuse 802.11n as the highest-throughput option because it supports both bands and is widely deployed, but they overlook that 802.11ac is strictly 5 GHz and offers significantly higher throughput through wider channels and higher-order modulation.

How to eliminate wrong answers

Option B (802.11n) is wrong because it operates in both 2.4 GHz and 5 GHz bands but caps at 600 Mbps with 40 MHz channels and 64-QAM, offering lower throughput than 802.11ac. Option C (802.11g) is wrong because it operates only in the 2.4 GHz band with a maximum of 54 Mbps using OFDM, and it suffers from interference from Bluetooth and microwaves. Option D (802.11b) is wrong because it operates only in the 2.4 GHz band with a maximum of 11 Mbps using DSSS, making it obsolete for high-density deployments.

28
MCQhard

An organization uses OSPF as its interior gateway protocol in a multi-area design. After a core router failure, the network takes a long time to reconverge. Which technology can be implemented to improve convergence speed?

A.Use static routes instead of OSPF
B.Increase OSPF hello and dead timers
C.Implement Bidirectional Forwarding Detection (BFD)
D.Configure all routers in a single OSPF area
AnswerC

BFD provides sub-second failure detection, which allows OSPF to converge much faster.

Why this answer

BFD provides sub-second failure detection by sending rapid, lightweight hello packets independently of OSPF's own hello mechanism. When a core router fails, BFD detects the link down in milliseconds and immediately signals OSPF to trigger reconvergence, drastically reducing the time OSPF would otherwise spend waiting for its own dead timer to expire.

Exam trap

CompTIA often tests the misconception that increasing OSPF timers or using a single area speeds up convergence, when in fact BFD is the correct technology for sub-second failure detection without altering OSPF's own protocol timers.

How to eliminate wrong answers

Option A is wrong because static routes lack dynamic adaptability and would require manual intervention to reroute around failures, making convergence slower and operationally impractical in a multi-area OSPF design. Option B is wrong because increasing hello and dead timers would actually slow down failure detection, making reconvergence take even longer, which is the opposite of the desired outcome. Option D is wrong because collapsing all routers into a single OSPF area would eliminate the benefits of hierarchical design (e.g., smaller LSDBs, summarization) and could increase convergence time due to larger link-state databases and more frequent SPF calculations, not improve it.

29
MCQmedium

A network administrator needs to connect two switches located in separate buildings 150 meters apart. The connection must support 10 Gbps speeds. Which cabling type is most appropriate?

A.Cat6a twisted pair
B.Cat7 twisted pair
C.Multi-mode fiber optic
D.Single-mode fiber optic
AnswerC

Multi-mode fiber with 10GBASE-SR supports 10 Gbps up to 300 meters, making it ideal for this 150-meter link.

Why this answer

Multi-mode fiber optic (MMF) is the most appropriate choice because it supports 10 Gbps speeds over distances up to 300 meters (using OM3 or OM4 fiber) with cost-effective transceivers (e.g., 10GBASE-SR). The 150-meter distance exceeds the 100-meter maximum for twisted-pair copper cabling (Cat6a or Cat7) at 10 Gbps, making fiber the only viable option among the choices.

Exam trap

The trap here is that candidates often assume Cat7 is superior to Cat6a for longer distances, but both are limited to 100 meters for 10GBASE-T, and the question's 150-meter requirement forces the choice to fiber; CompTIA often tests this distance limitation to distinguish copper from fiber solutions.

How to eliminate wrong answers

Option A is wrong because Cat6a twisted pair has a maximum distance of 100 meters for 10GBASE-T, and the 150-meter run exceeds this limit, causing signal degradation. Option B is wrong because Cat7 twisted pair, while rated for higher frequencies, still adheres to the same 100-meter distance limitation for 10GBASE-T as Cat6a; it does not extend the reach for 10 Gbps. Option D is wrong because single-mode fiber optic (SMF) supports 10 Gbps over much longer distances (kilometers) but is overkill and more expensive for a 150-meter link; multi-mode fiber is the cost-effective standard for this distance.

30
MCQmedium

A network engineer is implementing VLANs for a company. The finance department's workstations are connected to switch ports configured as access ports in VLAN 20. The finance server is located in a different building and is connected to a second switch. The two switches are interconnected via a trunk link. What must be configured on the trunk link to allow finance workstations to communicate with the finance server?

A.Allow VLAN 20 on the trunk
B.Set the native VLAN to 20 on both switches
C.Configure the trunk port as an access port in VLAN 20
D.Enable VLAN pruning for all VLANs on the trunk
AnswerA

By default, some trunks may carry only VLAN 1 unless explicitly configured. Adding VLAN 20 to the allowed VLAN list on the trunk ensures that traffic from VLAN 20 can traverse the link.

Why this answer

A trunk link carries traffic for multiple VLANs. By default, all VLANs are allowed on a trunk, but once an allowed VLAN list has been configured, traffic for any VLAN that is not on that list is dropped. Configuring 'switchport trunk allowed vlan 20' on both ends ensures that frames tagged with VLAN 20 traverse the trunk, enabling communication between the finance workstations (access ports in VLAN 20) and the finance server.

Exam trap

Cisco often tests the misconception that simply creating a VLAN and assigning access ports is enough for inter-switch communication, when in fact the trunk must explicitly permit that VLAN in its allowed list.

How to eliminate wrong answers

Option B is wrong because setting the native VLAN to 20 on both switches would cause untagged frames to be placed into VLAN 20, but the finance workstations and server are already sending tagged frames (since they are in VLAN 20 and the trunk expects tagged traffic for non-native VLANs); this misconfiguration can lead to VLAN hopping or mismatched VLANs. Option C is wrong because a trunk port cannot be configured as an access port; these are mutually exclusive port modes—an access port belongs to a single VLAN, while a trunk port carries multiple VLANs. Option D is wrong because VLAN pruning (via VTP pruning or manual configuration) removes unused VLANs from the trunk to conserve bandwidth, but enabling pruning for all VLANs would block VLAN 20 traffic if it is not actively used on the other switch, which is not the goal.
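The allowed-VLAN check behind questions 20, 21 and this one, as an added Python example (not part of the original question bank): it reads the `switchport trunk allowed vlan` lines from both ends of a trunk and reports which required VLANs are filtered, and on which side. The two interface configurations, the switch names SW1/SW2 and the interface names are constructed samples.

```python
import re

# VLANs 1-4094: what a trunk carries when no allowed list is configured.
ALL_VLANS = frozenset(range(1, 4095))

_ALLOWED = re.compile(
    r"^\s*switchport trunk allowed vlan\s+(?:(add|remove|except)\s+)?(\S+)\s*$"
)


def parse_vlan_list(text):
    """Expand a list such as '10,20,30-32' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def trunk_allowed_vlans(interface_config):
    """Return the set of VLANs a trunk interface forwards, applying the
    allowed-vlan lines in order (plain list, add, remove, except, all, none)."""
    allowed = set(ALL_VLANS)
    for line in interface_config.splitlines():
        match = _ALLOWED.match(line)
        if not match:
            continue
        keyword, value = match.groups()
        if keyword == "add":
            allowed |= parse_vlan_list(value)
        elif keyword == "remove":
            allowed -= parse_vlan_list(value)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(value)
        elif value == "all":
            allowed = set(ALL_VLANS)
        elif value == "none":
            allowed = set()
        else:
            allowed = parse_vlan_list(value)   # a plain list replaces the old one
    return allowed


def audit_trunk(required_vlans, **sides):
    """Map each required VLAN that is filtered to the sides that filter it."""
    report = {}
    for vlan in sorted(required_vlans):
        missing = sorted(
            name for name, cfg in sides.items()
            if vlan not in trunk_allowed_vlans(cfg)
        )
        if missing:
            report[vlan] = missing
    return report


# Constructed sample configurations for the two ends of one trunk.
SW1_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""
SW2_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10
 switchport trunk allowed vlan add 20,30
"""

if __name__ == "__main__":
    print(audit_trunk({10, 20, 30}, SW1=SW1_CONFIG, SW2=SW2_CONFIG))
```
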

31
MCQmedium

A network administrator is connecting two switches to increase bandwidth and provide redundancy. Which technology should be used to combine multiple physical links into a single logical link?

A.Spanning Tree Protocol
B.Link Aggregation Control Protocol
C.VLAN Trunking Protocol
D.Rapid Spanning Tree Protocol
AnswerB

LACP combines multiple physical links into a single logical link, increasing bandwidth and providing failover.

Why this answer

Link Aggregation Control Protocol (LACP) is the correct technology because it allows multiple physical Ethernet links to be combined into a single logical link, increasing aggregate bandwidth and providing redundancy. LACP (IEEE 802.3ad) automatically negotiates and manages the bundling of ports between switches, ensuring that traffic is load-balanced across the member links and that the bundle remains operational even if one physical link fails.

Exam trap

Cisco often tests the misconception that STP or RSTP can be used to increase bandwidth, but the trap here is that STP and RSTP only provide redundancy by blocking ports to prevent loops, not by actively combining links for higher throughput.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) is designed to prevent loops in a network topology by blocking redundant paths, not to combine links for increased bandwidth. Option C is wrong because VLAN Trunking Protocol (VTP) is used to manage VLAN configurations across switches, not to aggregate physical links. Option D is wrong because Rapid Spanning Tree Protocol (RSTP) is an enhancement of STP that provides faster convergence after a topology change, but it still does not bundle links for bandwidth or redundancy.

32
MCQmedium

A network administrator needs to upgrade the backbone link between two switches to fiber optic to eliminate electromagnetic interference. The distance between the switches is 350 meters. Which transceiver type should be used?

A.1000BASE-SX
B.1000BASE-LX
C.1000BASE-CX
D.1000BASE-T
AnswerA

1000BASE-SX operates over multi-mode fiber and supports distances of up to 220-550 meters depending on the fiber type, covering 350 meters.

Why this answer

1000BASE-SX (option A) is correct because it supports distances up to 550 meters over multimode fiber (MMF) at 850 nm wavelength, making it suitable for the 350-meter backbone link. It is designed to eliminate electromagnetic interference (EMI) by using fiber optic cabling, and the distance falls within its maximum reach for common multimode fiber types like OM2 or OM3.

Exam trap

Cisco often tests the distance limitations of fiber transceivers, and the trap here is that candidates might choose 1000BASE-LX because they assume 'longer distance is always better,' overlooking that 1000BASE-SX is the correct, cost-effective choice for the given 350-meter range over multimode fiber.

How to eliminate wrong answers

Option B (1000BASE-LX) is wrong because it is typically used for longer distances (up to 5 km over single-mode fiber or 550 m over multimode fiber with mode conditioning patch cables), but it is overkill for a 350-meter link and more expensive than SX; the question specifies a straightforward upgrade to eliminate EMI, not long-haul requirements. Option C (1000BASE-CX) is wrong because it uses copper twinaxial cabling with a maximum distance of only 25 meters, which cannot reach 350 meters and does not eliminate electromagnetic interference as it is a copper-based solution. Option D (1000BASE-T) is wrong because it operates over twisted-pair copper cabling (Cat5e or higher) with a maximum distance of 100 meters, far short of 350 meters, and it is susceptible to electromagnetic interference, directly contradicting the requirement.

33
MCQeasy

A network engineer needs to connect two devices that are 150 meters apart with a 10 Gbps link. Which cabling type is most suitable?

A.Cat6a UTP
B.Cat7 STP
C.Single-mode fiber
D.Multimode fiber
AnswerC

Single-mode fiber supports 10 Gbps over distances of many kilometers, making it ideal for a 150-meter link.

Why this answer

Single-mode fiber (SMF) is the correct choice because it supports 10 Gbps transmission over distances well beyond 150 meters, typically up to 10 km or more using 10GBASE-LR optics. In contrast, copper cabling like Cat6a or Cat7 is limited to 100 meters for 10GBASE-T. Multimode fiber (MMF) with 10GBASE-SR is limited to about 300-400 meters depending on the fiber grade (e.g., OM3/OM4), but SMF provides the most reliable and future-proof solution for this distance.

Exam trap

The trap here is that candidates often assume multimode fiber is sufficient for any distance under 300 meters, but the exam emphasizes 'most suitable' based on scalability and performance, making single-mode fiber the better choice even for shorter runs when future-proofing is considered.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP supports 10GBASE-T only up to 100 meters, so it cannot reach 150 meters. Option B is wrong because Cat7 STP, while shielded, still adheres to the same 100-meter distance limitation for 10GBASE-T per TIA/EIA standards. Option D is wrong because multimode fiber (e.g., OM3/OM4) with 10GBASE-SR can reach up to 300-400 meters, which technically covers 150 meters, but single-mode fiber is more suitable for this distance due to lower attenuation, higher bandwidth, and better scalability for future upgrades; the question asks for the 'most suitable' cabling type, and SMF is the optimal choice for a 150-meter 10 Gbps link.

34
MCQhard

A network engineer is configuring a new wireless LAN for a high-density environment such as a conference hall. The engineer needs to minimize co-channel interference. Which of the following should be configured on the access points?

A.Increase transmit power
B.Decrease transmit power
C.Decrease beacon interval
D.Implement channel bonding
AnswerB

Decreasing transmit power shrinks cells, allowing more non-overlapping APs and reducing interference.

Why this answer

In a high-density environment like a conference hall, decreasing transmit power on access points reduces the cell size, which allows for more APs to be placed closer together without their coverage areas overlapping excessively. This minimizes co-channel interference by ensuring that APs on the same channel are physically separated, improving overall throughput and client performance.

Exam trap

The trap here is that candidates mistakenly think increasing transmit power improves performance in dense environments, when in fact it exacerbates co-channel interference by creating larger, overlapping cells.

How to eliminate wrong answers

Option A is wrong because increasing transmit power enlarges the coverage cell, causing more overlap between APs on the same channel and worsening co-channel interference. Option C is wrong because decreasing the beacon interval increases the frequency of beacon frames, which adds overhead and can degrade performance, but does not directly address co-channel interference. Option D is wrong because channel bonding (e.g., 40 MHz in 2.4 GHz or 80/160 MHz in 5 GHz) increases the channel width, which reduces the number of non-overlapping channels available and actually increases the likelihood of co-channel interference in dense deployments.

35
MCQmedium

A company wants to increase the bandwidth between two switches without upgrading the existing 1 Gbps copper links. Both switches support 802.3ad. Which technology should be implemented?

A.Link aggregation (LACP)
B.VLAN trunking
C.Port mirroring
D.StackWise
AnswerA

Correct. LACP aggregates multiple physical links into one logical link, increasing overall bandwidth.

Why this answer

Link aggregation using LACP (802.3ad) allows multiple 1 Gbps copper links to be combined into a single logical link, increasing bandwidth between the two switches without upgrading the physical interfaces. Since both switches support 802.3ad, they can negotiate and manage the aggregated link dynamically, providing both increased throughput and link redundancy.

Exam trap

The trap here is that candidates often confuse link aggregation with stacking (StackWise) or VLAN trunking, thinking any multi-link technology increases bandwidth, but only LACP/802.3ad properly combines physical links for higher throughput between two switches.

How to eliminate wrong answers

Option B is wrong because VLAN trunking (802.1Q) is used to carry multiple VLANs over a single link, not to increase bandwidth by combining multiple physical links. Option C is wrong because port mirroring (SPAN) copies traffic from one port to another for monitoring purposes and does not increase bandwidth or aggregate links. Option D is wrong because StackWise is a Cisco proprietary technology for combining multiple switches into a single logical switch, not for aggregating links between two existing switches.

36
MCQmedium

A network administrator is designing a Layer 2 network with redundant links between switches. Which protocol should be implemented to prevent loops in the network?

A.STP (Spanning Tree Protocol)
B.OSPF (Open Shortest Path First)
C.VRRP (Virtual Router Redundancy Protocol)
D.LACP (Link Aggregation Control Protocol)
AnswerA

STP prevents loops by dynamically blocking ports to ensure a single active path between any two network segments.

Why this answer

STP (Spanning Tree Protocol) is the correct choice because it is specifically designed to prevent Layer 2 loops in networks with redundant links. It achieves this by placing redundant switch ports into a blocking state, creating a loop-free logical topology while maintaining physical redundancy for failover.

Exam trap

The trap here is that candidates often confuse STP with VRRP or OSPF because both involve 'redundancy' and 'loop prevention,' but STP is the only protocol that operates at Layer 2 to prevent switching loops.

How to eliminate wrong answers

Option B (OSPF) is wrong because it is a Layer 3 link-state routing protocol used for IP route discovery and loop prevention at the network layer, not for Layer 2 loop prevention. Option C (VRRP) is wrong because it is a First Hop Redundancy Protocol (FHRP) that provides default gateway redundancy by allowing multiple routers to share a virtual IP, not for preventing Layer 2 loops. Option D (LACP) is wrong because it is used to aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not prevent loops; in fact, LACP itself requires STP to block loops if redundant LACP bundles exist.

37
MCQmedium

A network administrator is configuring a trunk link between a switch and a router to support multiple VLANs. The switch's trunk port is set to dot1q encapsulation. Which configuration must match on the router to ensure proper communication?

A.The IP address of the router interface must be in the same subnet as the management VLAN
B.The subinterface encapsulation must match the switch's native VLAN default
C.The native VLAN on the router subinterface must be consistent with the switch's native VLAN
D.The router must be configured with inter-VLAN routing static routes
AnswerC

Both ends of a trunk must agree on the native VLAN, typically VLAN 1 by default, but it can be changed. Inconsistency can cause miscommunication or security risks.

Why this answer

Option C is correct because the native VLAN on the router subinterface must match the switch's native VLAN to ensure untagged frames are handled consistently. On a dot1q trunk, the native VLAN is the only VLAN whose frames are sent untagged; if the router expects a different native VLAN, it will drop or misclassify those frames, breaking communication for that VLAN.

Exam trap

The trap here is that candidates often confuse 'native VLAN' with 'default VLAN' or think the encapsulation type (dot1q) alone is sufficient, overlooking the critical requirement that the native VLAN must be explicitly matched on both sides of the trunk.

How to eliminate wrong answers

Option A is wrong because the IP address of the router interface does not need to be in the same subnet as the management VLAN; the router subinterface IPs are assigned per VLAN, and the management VLAN is a separate administrative concept. Option B is wrong because the subinterface encapsulation must be set to 'dot1q' rather than matched to the switch's native VLAN default, and the encapsulation command specifies the VLAN ID, not the native VLAN default. Option D is wrong because inter-VLAN routing static routes are not required for a simple router-on-a-stick configuration; the router forwards frames directly between subinterfaces using connected routes derived from the IP addresses configured on each subinterface.

38
MCQmedium

A network administrator is configuring a new WAN link between two offices using MPLS. Which of the following is a characteristic of MPLS?

A.It uses label switching to forward packets
B.It requires a dedicated point-to-point circuit
C.It operates at Layer 7 of the OSI model
D.It encrypts all data in transit
AnswerA

MPLS routers (LSRs) assign and swap labels to route traffic efficiently, independent of IP headers.

Why this answer

MPLS (Multiprotocol Label Switching) operates by attaching short, fixed-length labels to packets at the ingress router. These labels are used by intermediate routers (LSRs) to make forwarding decisions based on the label rather than the IP header, which enables faster switching and traffic engineering. This label-swapping mechanism is the defining characteristic of MPLS, distinguishing it from traditional IP routing.

Exam trap

The trap here is that candidates confuse MPLS with a dedicated leased line or assume it provides security features like encryption, when in fact MPLS is a label-switching technology that operates below Layer 3 and above Layer 2.

How to eliminate wrong answers

Option B is wrong because MPLS does not require a dedicated point-to-point circuit; it can run over any underlying transport (e.g., Ethernet, Frame Relay, ATM) and supports any-to-any connectivity through a shared MPLS backbone. Option C is wrong because MPLS is often described as operating at Layer 2.5 (between Layer 2 and Layer 3), not Layer 7; it does not involve application-layer functions. Option D is wrong because MPLS does not inherently encrypt data; it relies on separate mechanisms like IPsec or MACsec for encryption, and MPLS itself provides no confidentiality.

39
MCQeasy

A company is extending its network to a new building located 200 meters away. The link must support 1 Gbps speeds. Which cabling type should be used?

A.Cat5e
B.Cat6
C.Single-mode fiber
D.Coaxial cable
AnswerC

Single-mode fiber can transmit 1 Gbps over distances far exceeding 200 meters.

Why this answer

Single-mode fiber (SMF) is the correct choice because it supports 1 Gbps speeds over distances far exceeding 200 meters, typically up to 5 km or more using 1000BASE-LX optics. Copper cabling like Cat5e and Cat6 is limited to a maximum segment length of 100 meters for 1 Gbps (1000BASE-T), making them unsuitable for this 200-meter link.

Exam trap

The trap here is that candidates often assume Cat6 can exceed 100 meters because it supports higher frequencies (250 MHz vs. 100 MHz for Cat5e), but the 100-meter distance limit for 1000BASE-T is a physical layer standard constraint, not a cable grade limitation.

How to eliminate wrong answers

Option A (Cat5e) is wrong because its maximum supported distance for 1 Gbps (1000BASE-T) is 100 meters, and the required link is 200 meters. Option B (Cat6) is wrong because, while it supports 1 Gbps, its maximum segment length is also 100 meters for 1000BASE-T, insufficient for 200 meters. Option D (Coaxial cable) is wrong because it is not designed for modern 1 Gbps Ethernet; it is used for legacy broadband or cable TV (e.g., DOCSIS) and lacks the bandwidth and standards support for 1000BASE-T.

40
MCQmedium

A network engineer configures an 802.1Q trunk between two switches. The trunk is up, but VLAN 10 traffic is not passing. The engineer checks and confirms that VLAN 10 exists on both switches. The show interfaces trunk command displays 'allowed VLANs: none'. What is the most likely cause?

A.The trunk encapsulation is not set to dot1q
B.The native VLAN mismatch
C.The allowed VLAN list is empty
D.VLAN 10 is not created on one of the switches
AnswerC

The output explicitly shows 'allowed VLANs: none', meaning no VLANs are permitted on the trunk. The engineer must add VLAN 10 to the allowed list.

Why this answer

The 'show interfaces trunk' output showing 'allowed VLANs: none' explicitly indicates that the allowed VLAN list on the trunk has been manually cleared or set to none, which blocks all VLAN traffic including VLAN 10. Even though VLAN 10 exists on both switches, the trunk port's VLAN filter prevents any frames from being forwarded. This is the most direct cause of the issue.

Exam trap

CompTIA often tests the distinction between 'VLAN not created' and 'VLAN not allowed on trunk' — the trap here is that candidates assume VLAN 10 not passing must mean it doesn't exist on one switch, ignoring that the trunk's allowed VLAN list can independently block traffic even when the VLAN is present on both sides.

How to eliminate wrong answers

Option A is wrong because if the trunk encapsulation were not set to dot1q, the trunk would not form or would use ISL, but the 'show interfaces trunk' output would not display 'allowed VLANs: none'; instead, it would show a different encapsulation error or the trunk would be down. Option B is wrong because a native VLAN mismatch would cause a spanning-tree inconsistency or CDP/STP errors, but it would not result in an empty allowed VLAN list; the allowed VLAN list would still show the default VLAN 1 or configured ranges. Option D is wrong because the engineer confirmed VLAN 10 exists on both switches, so this is not the cause; an empty allowed VLAN list blocks VLAN 10 on the trunk even though the VLAN exists on both switches.

41
MCQeasy

A company is deploying a new wireless network in a warehouse. The network administrator needs to ensure that clients can seamlessly roam between access points without losing connectivity. Which of the following should be configured?

A.Same SSID and security settings on all APs
B.Different channels per AP to reduce interference
C.WPA2-Enterprise with RADIUS authentication
D.Mesh topology for AP interconnection
AnswerA

Correct. A common SSID and matching security credentials enable clients to roam seamlessly between APs.

Why this answer

Configuring the same SSID and security settings on all access points (APs) is essential for seamless roaming because clients use the SSID to identify the network and the security credentials to authenticate. When a client moves between APs, it can re-associate without needing to re-authenticate or discover a new network, provided the SSID and security parameters (e.g., PSK or 802.1X configuration) are identical. This ensures a smooth handoff and maintains connectivity during roaming.

Exam trap

The trap here is that candidates often confuse the need for different channels (to avoid interference) with the requirement for seamless roaming, or they assume that enterprise authentication (WPA2-Enterprise) is mandatory for roaming, when in fact the core requirement is simply consistent SSID and security settings across all APs.

How to eliminate wrong answers

Option B is wrong because using different channels per AP is a best practice for reducing co-channel interference, but it does not directly enable seamless roaming; clients can still roam between APs on different channels as long as the SSID and security settings match. Option C is wrong because WPA2-Enterprise with RADIUS authentication enhances security and supports fast roaming via mechanisms like 802.11r, but it is not a requirement for basic seamless roaming; clients can roam seamlessly with WPA2-Personal if the SSID and passphrase are identical across APs. Option D is wrong because a mesh topology for AP interconnection describes how APs communicate with each other (e.g., wireless backhaul), but it does not affect the client-side roaming behavior; clients roam based on SSID and security consistency, not the AP interconnection method.

42
MCQmedium

A network engineer is planning a wireless LAN for an open office with 50 users. To maximize performance by using multiple non-overlapping channels, which frequency band should be primarily used?

A.2.4 GHz
B.5 GHz
C.6 GHz
D.900 MHz
AnswerB

5 GHz provides many non-overlapping channels, allowing better channel planning and reduced interference.

Why this answer

The 5 GHz band is the best choice for maximizing performance in an open office with 50 users because it offers up to 23 non-overlapping channels (using 20 MHz channels) compared to only 3 in the 2.4 GHz band. This allows for better channel reuse, reduced co-channel interference, and higher aggregate throughput in a dense user environment.

Exam trap

Cisco often tests the misconception that more channels always mean better performance, but the trap here is that candidates may overlook client device compatibility and regulatory availability when considering the 6 GHz band, or they may incorrectly assume the 2.4 GHz band's longer range is beneficial for high-density performance.

How to eliminate wrong answers

Option A is wrong because the 2.4 GHz band provides only 3 non-overlapping channels (1, 6, 11), leading to severe co-channel interference and poor performance in a high-density deployment of 50 users. Option C is wrong because while the 6 GHz band (Wi-Fi 6E/7) offers many non-overlapping channels, it is not yet widely supported by all client devices and may not be the primary band for a general deployment; the question asks for the band to be 'primarily used' given current typical enterprise hardware. Option D is wrong because the 900 MHz band is used for low-data-rate, long-range applications (e.g., IoT, SCADA) and lacks the bandwidth and channel count needed for a high-performance wireless LAN serving 50 users.

43
MCQmedium

A network engineer needs to implement a wireless network in a large open-plan office with high client density. The network must provide the fastest possible speeds and efficient handling of many simultaneous connections. Which IEEE 802.11 standard should be used?

A.802.11ac
B.802.11n
C.802.11ax
D.802.11r
AnswerC

802.11ax (Wi-Fi 6) is the latest standard optimized for high-density environments with features like OFDMA, MU-MIMO, and improved modulation, providing the fastest speeds and best efficiency.

Why this answer

802.11ax (Wi-Fi 6) is the correct choice because it introduces Orthogonal Frequency Division Multiple Access (OFDMA) and MU-MIMO (both uplink and downlink), which significantly improve spectral efficiency and capacity in high-density environments. It also supports 1024-QAM modulation for higher data rates, making it ideal for an open-plan office with many simultaneous connections.

Exam trap

The trap here is that candidates often confuse 802.11ac (Wi-Fi 5) as the fastest standard because of its high single-user throughput, but they overlook that 802.11ax (Wi-Fi 6) is specifically designed for high-density, multi-user scenarios with OFDMA and improved MU-MIMO.

How to eliminate wrong answers

Option A is wrong because 802.11ac (Wi-Fi 5) operates only in the 5 GHz band and uses OFDM, which is less efficient than OFDMA for handling many concurrent clients; it lacks the uplink MU-MIMO and OFDMA features needed for high-density environments. Option B is wrong because 802.11n (Wi-Fi 4) is limited to 40 MHz channels, 64-QAM, and only supports up to 4 spatial streams, resulting in lower maximum throughput and poor performance under high client density. Option D is wrong because 802.11r is not a PHY-layer standard for speed or capacity; it is a fast roaming protocol (FT) that reduces authentication latency during handoffs between access points, not a solution for raw throughput or dense client handling.

44
MCQhard

A network administrator is configuring OSPF on routers in a multi-area network. The administrator wants to ensure that a router in area 1 does not learn external routes (Type 5 LSAs) injected by an ASBR in area 0, but it must still learn inter-area routes (Type 3 LSAs). The administrator wants to reduce the routing table size. Which OSPF area type should be configured for area 1?

A.Stub area
B.Totally stubby area
C.Not-so-stubby-area (NSSA)
D.Normal area
AnswerA

A stub area blocks Type 5 LSAs (external routes) but allows Type 3 LSAs (inter-area routes). It also uses a default route for external destinations.

Why this answer

A stub area blocks Type 5 LSAs (external routes) from entering the area while still allowing Type 3 LSAs (inter-area routes). This meets the requirement of preventing external routes from the ASBR in area 0 from being learned by routers in area 1, while still permitting inter-area routing and reducing the routing table size.

Exam trap

Cisco often tests the distinction between stub and totally stubby areas, where candidates mistakenly choose totally stubby when they only need to block external routes but still require inter-area routes.

How to eliminate wrong answers

Option B (Totally stubby area) is wrong because it blocks both Type 5 LSAs and Type 3 LSAs, preventing the router from learning inter-area routes, which violates the requirement. Option C (Not-so-stubby-area, NSSA) is wrong because it allows Type 7 LSAs (external routes) to be imported into the area, which would still permit external route learning, contrary to the requirement. Option D (Normal area) is wrong because it allows all LSA types, including Type 5 LSAs, so the router would learn external routes, failing to reduce the routing table as desired.

45
MCQeasy

A network administrator configures a trunk link between two switches. The link is up, but no traffic from any VLAN is passed between the switches. The administrator verifies that the trunk port is configured correctly on both switches with 'switchport mode trunk' and allowed VLANs. Which of the following is the most likely cause?

A.The native VLAN is different on each switch
B.VLAN 1 has been deleted on one of the switches
C.Spanning Tree Protocol is blocking the trunk link
D.The trunk encapsulation is mismatched
AnswerD

If one switch is configured for ISL encapsulation and the other for 802.1Q, the trunk will not pass traffic because the encapsulation methods are incompatible.

Why this answer

Option D is correct because a trunk link requires both ends to use the same encapsulation protocol—either 802.1Q or ISL. If one switch is set to 'switchport trunk encapsulation dot1q' and the other uses 'isl' (or auto-negotiates to a different type), the frames will be dropped or misinterpreted, preventing any VLAN traffic from passing. The administrator verified 'switchport mode trunk' and allowed VLANs, but encapsulation mismatch is a common oversight that stops all VLAN traffic while keeping the link up.

Exam trap

CompTIA often tests the distinction between 'switchport mode trunk' (which sets the mode) and 'switchport trunk encapsulation' (which sets the protocol), leading candidates to assume that setting the mode alone is sufficient for trunking to work.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause traffic on the native VLAN to be misdirected or dropped, but it would not block all VLAN traffic; other tagged VLANs would still pass. Option B is wrong because deleting VLAN 1 on one switch would only affect traffic in VLAN 1; other allowed VLANs would continue to pass over the trunk. Option C is wrong because if Spanning Tree Protocol were blocking the trunk link, the link would show as 'blocking' or 'not forwarding' in STP state, but the question states the link is up, implying STP is not blocking it.

46
MCQmedium

A network administrator is configuring a new switch to carry traffic for multiple VLANs on a single link to a router. Which IEEE standard is used for VLAN tagging on Ethernet trunks?

A.802.3af
B.802.1D
C.802.1Q
D.802.11ac
AnswerC

802.1Q is the standard for VLAN tagging, allowing switches to identify which VLAN a frame belongs to across a trunk link.

Why this answer

802.1Q is the IEEE standard that defines VLAN tagging on Ethernet trunks, inserting a 4-byte tag into the Ethernet frame to identify VLAN membership. This allows multiple VLANs to traverse a single link between a switch and a router, enabling inter-VLAN routing without separate physical interfaces.

Exam trap

Cisco often tests the distinction between 802.1Q (tagging) and 802.1D (STP), leading candidates to confuse VLAN trunking with loop prevention protocols.

How to eliminate wrong answers

Option A is wrong because 802.3af is the IEEE standard for Power over Ethernet (PoE), which delivers power over Ethernet cabling, not VLAN tagging. Option B is wrong because 802.1D is the original IEEE standard for the Spanning Tree Protocol (STP), which prevents loops in a network, not VLAN tagging. Option D is wrong because 802.11ac is a wireless networking standard for Wi-Fi operating in the 5 GHz band, not related to Ethernet VLAN tagging.

47
MCQmedium

A network administrator is deploying a wireless network in a warehouse environment with many metal racks. Clients using 802.11ac report strong signal strength but very low throughput. What is the most likely cause?

A.Co-channel interference from neighboring access points
B.Multipath interference caused by signal reflections off metal surfaces
C.The encryption method is set to WEP, which limits throughput
D.Too many clients are connected to the same access point
AnswerB

Metal racks cause reflections, leading to multipath. With strong signal but low throughput, multipath is the classic symptom. 802.11ac uses MIMO to mitigate multipath, but severe multipath can still degrade performance.

Why this answer

In a warehouse with many metal racks, 802.11ac signals reflect off the metal surfaces, creating multiple signal paths that arrive at the receiver at slightly different times. This multipath interference causes phase cancellation and intersymbol interference, which degrades the signal-to-noise ratio and forces the use of lower modulation and coding schemes (MCS), drastically reducing throughput despite strong RSSI.

Exam trap

The trap here is that candidates see 'strong signal strength' and assume the issue is at Layer 2 or higher (co-channel interference, encryption, or client count), but the metal racks create a classic multipath scenario where RSSI is high but SNR is low due to phase cancellation.

How to eliminate wrong answers

Option A is wrong because co-channel interference from neighboring APs would typically cause high retry rates and channel utilization, not strong signal strength with low throughput; the symptom here is specifically multipath, not contention. Option C is wrong because WEP encryption does limit throughput due to its 40-bit RC4 overhead, but it is not used with 802.11ac (which requires WPA2 or WPA3), and the question states clients are using 802.11ac, so WEP is not a valid configuration. Option D is wrong because too many clients per AP would cause contention and airtime fairness issues, but the symptom of strong signal with low throughput points to a physical-layer impairment, not client density.

48
MCQhard

A company is connecting two buildings that are 300 meters apart. The link must support 10 Gbps. Which combination of cable and transceiver should be used?

A.Cat6a UTP with 10GBASE-T
B.Cat5e UTP with 1000BASE-T
C.Single-mode fiber with 10GBASE-LR
D.Multimode fiber with 10GBASE-SR
AnswerC

10GBASE-LR over single-mode fiber supports 10 Gbps up to 10 km, fully satisfying the 300-meter distance.

Why this answer

Option C is correct because single-mode fiber (SMF) with 10GBASE-LR supports 10 Gbps over distances up to 10 km, easily covering the 300-meter requirement. 10GBASE-LR uses 1310 nm laser optics over single-mode fiber, providing low signal loss and high bandwidth for long-reach links.

Exam trap

The trap here is that candidates often assume Cat6a can handle 10 Gbps at any distance, forgetting the 100-meter limitation for twisted-pair copper, or they confuse 10GBASE-LR with 10GBASE-SR, which has a shorter reach on multimode fiber.

How to eliminate wrong answers

Option A is wrong because Cat6a UTP with 10GBASE-T is limited to a maximum distance of 100 meters for 10 Gbps, far short of the required 300 meters. Option B is wrong because Cat5e UTP with 1000BASE-T supports only 1 Gbps, not the required 10 Gbps, and is also limited to 100 meters.

49
MCQeasy

A network engineer needs to install 15 wireless access points that each require 25W of power. The available switch provides PoE+ (802.3at) with a total power budget of 740W. The engineer also needs to connect 10 IP cameras that each require 12W. Which of the following should the engineer verify before proceeding with the installation?

A.The total power consumption of all devices does not exceed the switch's power budget.
B.The switch supports LLDP-MED for power negotiation.
C.All PoE devices are from the same manufacturer.
D.The cable length does not exceed 150 meters.
AnswerA

Correct. Ensuring the combined power draw is within the switch's budget is essential to prevent power failures.

Why this answer

The total power required is 15 APs × 25W + 10 cameras × 12W = 375W + 120W = 495W, which is well below the switch's 740W PoE+ budget. However, the engineer must verify that the cumulative power draw does not exceed the budget, as exceeding it would cause some ports to be denied power or shut down. This is the fundamental prerequisite for any PoE deployment.

Exam trap

The trap here is that candidates may overlook the simple power budget calculation and instead focus on irrelevant details like manufacturer compatibility or cable length limits, but the core requirement is ensuring the total wattage does not exceed the switch's PoE budget.

How to eliminate wrong answers

Option B is wrong because LLDP-MED is used for advanced power negotiation and device discovery, but it is not required for basic PoE+ operation; the switch can deliver power without it. Option C is wrong because PoE is standardized (802.3at), so devices from different manufacturers are fully interoperable as long as they comply with the standard. Option D is wrong because the maximum cable length for Ethernet (100BASE-TX/1000BASE-T) is 100 meters, not 150 meters; exceeding this can cause signal degradation and power loss.

50
MCQmedium

A company is deploying a new wireless network for employee devices and wants to use the most secure encryption method currently available for WPA2/3. Which encryption standard should be used?

A.WEP
B.TKIP
C.AES
D.DES
AnswerC

AES is a strong symmetric encryption algorithm used in WPA2 and WPA3 to provide robust wireless security.

Why this answer

AES (Advanced Encryption Standard) is the most secure encryption method available for WPA2 and WPA3. WPA2 mandates AES-CCMP, and WPA3 uses AES-GCMP, both of which are based on the AES block cipher, providing strong confidentiality and integrity. This makes AES the correct choice for the highest security in modern Wi-Fi deployments.

Exam trap

Cisco often tests the misconception that TKIP is acceptable for WPA2 security, but the trap is that WPA2 mandates AES-CCMP for certification, and TKIP is only a backward-compatible option that should never be used in a secure deployment.

How to eliminate wrong answers

Option A is wrong because WEP (Wired Equivalent Privacy) is an obsolete, deprecated encryption standard that uses the RC4 cipher with a static key, making it trivially vulnerable to attacks like ARP replay and IV collision. Option B is wrong because TKIP (Temporal Key Integrity Protocol) is a legacy encryption method for WPA that also uses RC4 and is vulnerable to attacks such as Beck-Tews and Michael MIC exhaustion; it is not considered secure for modern networks and is not supported in WPA3.

51
MCQmedium

A network engineer is designing a new switched network and needs to ensure that broadcast traffic from one department does not reach another department's workstations. The engineer plans to use VLANs. Which of the following must be configured on the switches to isolate broadcast domains as intended?

A.Configure all switch ports as trunk ports and use VLAN 1 for all departments.
B.Assign each department's workstations to a unique VLAN and configure their switch ports as access ports in that VLAN.
C.Place all workstations in the same VLAN and use a firewall to filter broadcast traffic between departments.
D.Configure each switch port as a trunk and use a different native VLAN for each department.
AnswerB

Access ports belong to a single VLAN, creating separate broadcast domains. This is the correct method to isolate traffic between departments.

Why this answer

VLANs segment a switched network into separate broadcast domains at Layer 2. By assigning each department's workstations to a unique VLAN and configuring their switch ports as access ports in that VLAN, broadcast traffic from one VLAN is confined to that VLAN and cannot reach workstations in another VLAN. This achieves the isolation required without additional filtering devices.

Exam trap

The trap here is that candidates may think a firewall can filter Layer 2 broadcast traffic within the same VLAN, but firewalls operate at Layer 3 and above, so they cannot prevent broadcasts from flooding all ports in a single VLAN.

How to eliminate wrong answers

Option A is wrong because configuring all switch ports as trunk ports and using VLAN 1 for all departments would place all devices in the same broadcast domain (VLAN 1), failing to isolate broadcast traffic between departments. Option C is wrong because placing all workstations in the same VLAN keeps them in a single broadcast domain; a firewall operates at Layer 3 and cannot filter Layer 2 broadcast traffic within the same VLAN, so broadcasts would still reach all workstations.

52
MCQeasy

A small office uses a wireless router that provides both wired and wireless connectivity. The router's LAN IP is 192.168.1.1. A new printer with a static IP of 192.168.1.50 cannot be reached from a laptop obtaining an IP via DHCP. The laptop's IP is 192.168.1.100. Which of the following is the most likely cause?

A.The printer is on a different VLAN
B.The subnet mask is incorrect
C.The default gateway is misconfigured
D.The DHCP scope is exhausted
AnswerB

If the printer is configured with a static subnet mask that is not /24 (e.g., /28 or /25), it will calculate that the laptop's IP is outside its local subnet. It will then try to send traffic to the default gateway instead of directly to the laptop, and if the gateway does not forward it (or the printer's gateway is wrong), communication fails.

Why this answer

The laptop obtains an IP address via DHCP, which typically assigns a subnet mask of 255.255.255.0 for a /24 network. If the printer has a static IP of 192.168.1.50 but is configured with an incorrect subnet mask (e.g., 255.255.255.252), the printer may believe it is on a different subnet than the laptop (192.168.1.100). This prevents the laptop from reaching the printer because the printer will not respond to ARP requests or will send traffic to its default gateway instead of directly to the laptop.

Exam trap

Cisco often tests the misconception that a misconfigured default gateway is the cause of local subnet communication failures, but the trap here is that the default gateway is irrelevant for same-subnet traffic; the real issue is the subnet mask, which determines whether the destination is considered local or remote.

How to eliminate wrong answers

Option A is wrong because there is no mention of VLANs in the scenario; the router is a simple wireless router providing a single LAN segment, and both devices share the same IP subnet (192.168.1.0/24), so a VLAN mismatch would require separate broadcast domains and is not indicated. Option C is wrong because a misconfigured default gateway would affect the printer's ability to reach devices on other subnets or the internet, but it does not prevent communication between two devices on the same subnet; communication within the same subnet relies on ARP and direct MAC-layer delivery, not the default gateway.

53
Matchingmedium

Match each OSI layer to its description.


Data Link layer; handles MAC addressing and framing

Network layer; handles routing and logical addressing

Transport layer; handles reliable delivery and flow control

Application layer; provides network services to applications

Why these pairings

These are key layers of the OSI model.

54
MCQmedium

Two switches are connected via a trunk link configured with allowed VLANs 10, 20, and 30. Hosts on VLAN 20 can communicate across the trunk, but hosts on VLAN 30 cannot. Which of the following is the most likely cause?

A.A
B.B
C.C
D.D
AnswerD

If VLAN 30 is only created on one switch, the other switch will not have the VLAN in its database and will drop frames from that VLAN.

Why this answer

Option D is correct because the most likely cause is that VLAN 30 is not allowed on the trunk link. Even though the trunk is configured with allowed VLANs 10, 20, and 30, if VLAN 30 is not present in the allowed VLAN list on one of the switch ports (e.g., due to a missing 'switchport trunk allowed vlan add 30' command or a pruning issue), frames from VLAN 30 will be dropped at the trunk. This explains why hosts on VLAN 20 can communicate while those on VLAN 30 cannot.

Exam trap

The trap here is that candidates often confuse trunk allowed VLAN configuration with native VLAN settings or assume a spanning-tree issue is VLAN-specific, when in fact spanning-tree blocks the entire trunk, not individual VLANs.

How to eliminate wrong answers

Option A is wrong because a misconfigured access port on the switch for VLAN 30 would affect only that specific port, not the trunk link itself; the trunk would still forward VLAN 30 traffic if allowed. Option B is wrong because a native VLAN mismatch on the trunk would cause issues with untagged frames, but VLAN 30 is a tagged VLAN in the allowed list, so it would not be affected by native VLAN problems. Option C is wrong because a spanning-tree blocking state on the trunk would block all VLANs, not just VLAN 30; if the trunk were blocked, VLAN 20 traffic would also fail.

55
MCQ · medium

A company is deploying a new wireless network for a small office. The network will consist of three access points. The IT manager wants the APs to automatically coordinate radio frequency settings and client roaming without a dedicated controller. Which technology should be implemented?

A. Mesh network
B. Controller-based wireless
C. Standalone APs
D. Cloud-managed access points
Answer: D

Cloud-managed APs use a cloud controller to handle RF optimization, coordination, and roaming without a local dedicated controller.

Why this answer

Cloud-managed access points (APs) are the correct choice because they can automatically coordinate radio frequency (RF) settings and client roaming without a dedicated on-premises controller. The cloud-based management platform handles channel selection, power adjustment, and fast roaming (e.g., 802.11r/k/v) by communicating with each AP over the internet, making it ideal for a small office with only three APs.

Exam trap

The trap here is that candidates often confuse 'cloud-managed' with 'standalone' APs, assuming that any AP without a local controller must be standalone, but cloud-managed APs use an external controller in the cloud to provide coordinated features.

How to eliminate wrong answers

Option A is wrong because a mesh network is designed for wireless backhaul between APs to extend coverage, not for automatic RF coordination or seamless client roaming without a controller. Option B is wrong because controller-based wireless requires a dedicated hardware or virtual controller on-premises to manage APs, which contradicts the requirement of no dedicated controller. Option C is wrong because standalone APs operate independently and cannot automatically coordinate RF settings or support seamless roaming between multiple APs without a central management system.

56
MCQ · medium

A network administrator configures VLAN 10 (Sales) and VLAN 20 (Engineering) on a switch. The switch is connected to a router via a trunk interface for inter-VLAN routing. Users in VLAN 10 can reach the router and external networks, but users in VLAN 20 cannot communicate outside their VLAN. The router's subinterface for VLAN 20 is configured correctly with an IP address and encapsulation dot1Q 20. What is the MOST likely cause of the issue?

A. The switchport mode for VLAN 20 is set to access
B. VLAN 20 is not allowed on the trunk
C. The router needs to be rebooted to apply the subinterface configuration
D. The native VLAN on the trunk is misconfigured
Answer: B

If VLAN 20 is pruned or not included in the allowed list on the trunk, frames from VLAN 20 cannot reach the router.

Why this answer

The router's subinterface for VLAN 20 is correctly configured, so the issue lies on the switch side. If VLAN 20 is not explicitly allowed on the trunk interface connecting the switch to the router, frames from VLAN 20 will be dropped by the switch, preventing inter-VLAN routing. The default trunk allowed VLAN list often includes only VLAN 1, so VLAN 20 must be added with the 'switchport trunk allowed vlan add 20' command.

Exam trap

CompTIA often tests the distinction between the router subinterface being correctly configured and the switch trunk not permitting the VLAN, leading candidates to incorrectly suspect the router or native VLAN settings.

How to eliminate wrong answers

Option A is wrong because if the switchport mode for VLAN 20 were set to access, the port would be an access port in VLAN 20, which would still allow communication within VLAN 20 but would not affect trunking to the router; the issue is about inter-VLAN routing across the trunk. Option C is wrong because rebooting the router is unnecessary; subinterface configurations take effect immediately after being applied and do not require a reboot. Option D is wrong because the native VLAN misconfiguration would affect untagged traffic on the trunk, but the problem is specific to VLAN 20's tagged traffic not being allowed, not the native VLAN.

57
MCQ · hard

A network engineer has established an IPsec VPN tunnel between a branch office (10.0.0.0/24) and the main office (192.168.10.0/24). The tunnel shows as up and active, but users at the branch office cannot ping the main office server at 192.168.10.10. The main office can ping the branch office gateway successfully. What is the most likely cause of this issue?

A. Mismatched encryption algorithms between the two VPN peers
B. Incorrect static route on the branch router for the 192.168.10.0/24 network
C. Firewall on the main office server blocking ICMP
D. Incorrect IKE authentication settings
Answer: B

A route pointing to the tunnel interface or the remote VPN peer is necessary for traffic from the branch to reach the main office LAN.

Why this answer

The tunnel is up and active, and the main office can ping the branch office gateway, which confirms that Phase 1 and Phase 2 of IPsec are correctly negotiated and that the tunnel is passing traffic from the main office toward the branch. However, branch users cannot reach 192.168.10.10, indicating that return traffic from the branch is not being routed into the tunnel. The most likely cause is that the branch router lacks a static route for 192.168.10.0/24 pointing to the tunnel interface (or the IPsec virtual interface), so packets from the branch destined for the main office are sent out the wrong interface or dropped instead of being encrypted and forwarded through the VPN.

Exam trap

Cisco often tests the distinction between a tunnel being 'up' (IPsec SAs established) and traffic actually flowing correctly, leading candidates to incorrectly assume that a working tunnel guarantees bidirectional reachability without verifying routing or crypto ACLs.

How to eliminate wrong answers

Option A is wrong because mismatched encryption algorithms would prevent the IPsec tunnel from establishing or staying up; the tunnel is reported as up and active, so Phase 2 parameters (including encryption algorithms) must match. Option C is wrong because the main office can ping the branch office gateway successfully, which proves that ICMP traffic is not being blocked by a firewall on the main office server; the issue is one-way reachability from the branch, not a blanket ICMP block.

58
MCQ · medium

An OSPF network uses a multi-access segment with four routers. All router interfaces have the default OSPF priority of 1. Which router becomes the Designated Router (DR)?

A. The router with the highest router ID
B. The router with the lowest IP address on the segment
C. The router with the highest bandwidth on the connecting interface
D. The router with the oldest uptime
Answer: A

Correct. When priorities are equal, the highest router ID determines the DR.

Why this answer

In an OSPF multi-access network, the Designated Router (DR) is elected based on the highest OSPF priority value, with a tie-breaking mechanism using the highest Router ID. Since all routers have the default priority of 1, the router with the highest Router ID wins the DR election. This ensures a stable topology for reducing LSA flooding and adjacency overhead.

Exam trap

The trap here is that candidates often confuse the DR election tie-breaker with the OSPF route selection metric (cost/bandwidth) or assume the lowest IP address is used, but the actual tie-breaker is the highest Router ID after priority.

How to eliminate wrong answers

Option B is wrong because the DR election does not consider the IP address on the segment; the tie-breaker after priority is the highest Router ID, not the lowest IP address. Option C is wrong because interface bandwidth is irrelevant to OSPF DR election; OSPF uses priority and Router ID, not bandwidth or cost, for this election.

59
MCQ · medium

A network administrator needs to connect two switches that are 80 meters apart using UTP cabling and achieve 1 Gbps speed. The administrator has Cat5e and Cat6 cables available. Which standard should be used?

A. 1000BASE-T
B. 1000BASE-LX
C. 10GBASE-T
D. 100BASE-TX
Answer: A

1000BASE-T supports 1 Gbps over UTP up to 100 meters, suitable for this distance.

Why this answer

1000BASE-T (IEEE 802.3ab) is the correct standard because it supports 1 Gbps over Cat5e or Cat6 UTP cabling at distances up to 100 meters. With 80 meters between switches, both cable types are well within the 100-meter reach, and 1000BASE-T is designed specifically for twisted-pair copper at this speed.

Exam trap

The trap here is that candidates may choose 10GBASE-T because they see Cat6 available, forgetting that Cat6 only supports 10GBASE-T up to 55 meters and Cat5e not at all, while 1000BASE-T is the correct match for 1 Gbps over UTP at 80 meters.

How to eliminate wrong answers

Option B (1000BASE-LX) is wrong because it uses single-mode or multimode fiber optic cabling, not UTP, and requires a fiber transceiver. Option C (10GBASE-T) is wrong because it requires Cat6a or Cat7 cabling for 10 Gbps over 80 meters; Cat5e cannot support 10GBASE-T at any distance, and Cat6 is limited to 55 meters for 10GBASE-T. Option D (100BASE-TX) is wrong because it only supports 100 Mbps, not the required 1 Gbps, even though it works over Cat5e/Cat6 UTP.

60
MCQ · medium

A company has deployed a WPA2-Enterprise wireless network. Users report that they cannot authenticate. The RADIUS server logs show that authentication attempts are received but no responses are sent back to the wireless controller. The wireless controller and RADIUS server are on different subnets, separated by a firewall. Which of the following is the MOST likely cause?

A. The wireless clients do not support the correct EAP method.
B. The firewall is blocking RADIUS traffic on UDP ports 1812 and 1813.
C. The RADIUS server is not in the same broadcast domain as the wireless controller.
D. The SSID is not being broadcast.
Answer: B

RADIUS uses specific UDP ports. If these are blocked, the RADIUS server cannot send back authentication responses, causing authentication to time out.

Why this answer

The RADIUS server logs show authentication attempts are received but no responses are sent back, indicating the request reached the server but the reply is being dropped. Since the wireless controller and RADIUS server are on different subnets separated by a firewall, the most likely cause is that the firewall is blocking the return RADIUS traffic. RADIUS uses UDP ports 1812 for authentication and 1813 for accounting, and these must be open in both directions for successful communication.

Exam trap

The trap here is that candidates often assume the issue is with client configuration (EAP method) or layer 2 connectivity (broadcast domain), when the symptom of 'requests received but no responses sent' points directly to a firewall blocking the return path, a classic network-layer troubleshooting scenario.

How to eliminate wrong answers

Option A is wrong because if the wireless clients did not support the correct EAP method, the RADIUS server would typically send a rejection or challenge response, not simply fail to send any response at all; the server logs show requests are received, so the issue is at the network layer, not the client configuration. Option C is wrong because RADIUS operates at the application layer and does not require the server and controller to be in the same broadcast domain; they can communicate across subnets via routed paths, and the firewall is the specific point of failure indicated by the symptom of no responses being sent back.

61
MCQ · medium

A switch port is configured as a trunk with native VLAN 99. When a frame tagged with VLAN 99 is received on the trunk, the switch displays an error. What is the most likely issue?

A. The trunk is using 802.1Q encapsulation and the remote switch expects ISL
B. The remote switch is sending frames on VLAN 99 as untagged
C. The remote switch is tagging frames on the native VLAN
D. The allowed VLAN list does not include VLAN 99
Answer: C

When a trunk is configured with native VLAN 99, frames for that VLAN should be sent untagged. If the remote switch sends them tagged, the receiving switch may log errors or drop the frames because it expects untagged frames for the native VLAN.

Why this answer

The native VLAN is the VLAN that carries untagged traffic on an 802.1Q trunk. By design, frames belonging to the native VLAN should be sent untagged. When a switch receives a frame tagged with the native VLAN ID (VLAN 99), it indicates a mismatch in native VLAN configuration between the two ends of the trunk.

The switch logs an error because it expects native VLAN frames to be untagged, but the remote switch is incorrectly tagging them.

Exam trap

Cisco often tests the misconception that native VLAN frames are always tagged, when in fact they must remain untagged on an 802.1Q trunk, and the error occurs because the remote switch is tagging them.

How to eliminate wrong answers

Option A is wrong because 802.1Q is the only encapsulation supported on modern Cisco switches for trunking; ISL is a legacy Cisco-proprietary protocol that is not used in current networks, and a mismatch would cause the trunk to fail entirely, not just produce an error on native VLAN frames. Option B is wrong because if the remote switch were sending frames on VLAN 99 as untagged, the local switch would accept them normally as native VLAN traffic without generating an error; the error occurs precisely because the frames are tagged when they should be untagged.

62
MCQ · medium

A network engineer needs to add a new switch to an existing network. The switch must be configured to support VLANs and trunking. The engineer connects the switch to the existing network via a trunk port. After configuration, the VLANs on the new switch are not receiving traffic from the core network. The core switch shows the trunk is up but no VLANs are allowed. What is the most likely cause?

A. The native VLAN mismatch
B. The trunk encapsulation is not set to 802.1Q
C. The allowed VLAN list on the trunk does not include the desired VLANs
D. The switch port mode is set to access
Answer: C

The allowed VLAN list explicitly controls which VLANs are permitted on the trunk. If the desired VLANs are not in the allowed list, their traffic will be dropped.

Why this answer

The core switch shows the trunk is up but no VLANs are allowed, which directly indicates that the allowed VLAN list on the trunk port does not include the desired VLANs. By default, a trunk port permits all VLANs, but if an administrator explicitly restricts the allowed VLAN list (e.g., with the 'switchport trunk allowed vlan' command), only those VLANs are forwarded. Since the new switch is not receiving traffic, the core switch's trunk likely has an empty or incorrect allowed VLAN list, preventing the desired VLAN traffic from crossing the trunk.

Exam trap

Cisco often tests the misconception that a trunk being 'up/up' means all VLANs are automatically allowed, when in fact the allowed VLAN list can be explicitly restricted or cleared, causing traffic loss without any physical or encapsulation issues.

How to eliminate wrong answers

Option A is wrong because a native VLAN mismatch would cause control plane issues (e.g., CDP/STP problems) or traffic being placed in the wrong VLAN, but it would not cause the trunk to show 'no VLANs are allowed' — the allowed VLAN list would still be present. Option B is wrong because if the trunk encapsulation were not set to 802.1Q, the trunk would likely not come up at all (e.g., Cisco switches default to 'negotiate' or require 'switchport trunk encapsulation dot1q'), and the core switch would not show the trunk as 'up' with a VLAN list issue; the problem statement explicitly says the trunk is up, so encapsulation is correctly configured.

63
MCQ · medium

A small office has multiple devices that need internet access but the ISP provides only a single public IPv4 address. Which network address translation (NAT) technique is most appropriate to allow all internal hosts to share that one public address?

A. Static NAT
B. Dynamic NAT
C. PAT (Port Address Translation)
D. IP masquerading
Answer: C

PAT uses ports to differentiate between sessions from different hosts, allowing a single public IP address to serve many internal devices simultaneously.

Why this answer

PAT (Port Address Translation), also known as NAT overload, is the correct choice because it allows multiple internal hosts to share a single public IPv4 address by mapping each unique internal IP:port combination to a different source port on the public address. This is the only NAT technique that provides many-to-one address translation, which is exactly what a small office with more devices than public IPs requires.

Exam trap

Cisco often tests the distinction between Dynamic NAT and PAT by presenting a scenario with a single public IP, where candidates mistakenly choose Dynamic NAT because they confuse 'dynamic' with 'shared,' not realizing Dynamic NAT still requires a pool of public IPs.

How to eliminate wrong answers

Option A is wrong because Static NAT provides a one-to-one mapping between a private IP and a public IP, which would require a separate public IP for each internal host and does not allow sharing of a single public address. Option B is wrong because Dynamic NAT maps private IPs to a pool of public IPs on a first-come, first-served basis, but it still requires as many public IPs as the number of simultaneous translations needed, so it cannot support multiple hosts with only one public IP.

64
MCQ · medium

A network administrator is setting up a new branch office that will connect to the main headquarters over the Internet. The connection must be encrypted and allow the branch to access internal resources as if they were directly connected. Which of the following VPN types is BEST suited for this site-to-site connection?

A. IPsec
B. SSL VPN
C. PPTP
D. L2TP
Answer: A

IPsec (Internet Protocol Security) is designed for site-to-site VPNs and offers strong encryption and authentication. It is widely used for branch connections.

Why this answer

IPsec is the correct choice because it is specifically designed for site-to-site VPNs, providing encryption and authentication at the IP layer to create a secure tunnel between two networks. This allows the branch office to access internal resources at headquarters as if they were directly connected, using a gateway-to-gateway model that encrypts all traffic between the sites.

Exam trap

Cisco often tests the distinction between remote-access VPNs (SSL VPN) and site-to-site VPNs (IPsec), where candidates mistakenly choose SSL VPN because it is commonly used for client-based access, but it lacks the full network-layer bridging required for a branch office to appear directly connected.

How to eliminate wrong answers

Option B (SSL VPN) is wrong because it is primarily a remote-access VPN that operates at the application layer, typically providing per-application access via a web browser or client, and is not optimized for full network-layer connectivity between two sites. Option C (PPTP) is wrong because it uses outdated encryption (MPPE) and authentication protocols (PAP, CHAP) that are considered insecure and deprecated in modern networks, making it unsuitable for a secure site-to-site connection.

65
MCQ · medium

A network engineer needs to deploy a new wireless network in a large office with many cubicles. The goal is to provide high throughput and support multiple simultaneous users. Which IEEE standard should be implemented?

A. 802.11ac
B. 802.11n
C. 802.11b
D. 802.11g
Answer: A

802.11ac provides high throughput, supports multiple users via MU-MIMO, and is suitable for high-density office environments.

Why this answer

802.11ac (Wi-Fi 5) operates exclusively in the 5 GHz band, uses wider 80 MHz or 160 MHz channels, and supports MU-MIMO (Multi-User Multiple Input Multiple Output) to deliver high throughput and efficient handling of multiple simultaneous users in a dense office environment. This makes it the best choice among the options for a modern, high-capacity wireless deployment.

Exam trap

The trap here is that candidates often choose 802.11n because it supports MIMO and dual-band operation, overlooking that 802.11ac's MU-MIMO and wider channels provide significantly better performance for multiple simultaneous users in a dense environment.

How to eliminate wrong answers

Option B (802.11n) is wrong because while it supports MIMO and can operate in both 2.4 GHz and 5 GHz bands, its maximum channel width is 40 MHz and it does not support MU-MIMO, resulting in lower aggregate throughput and less efficient handling of multiple simultaneous users compared to 802.11ac. Option C (802.11b) is wrong because it is an outdated standard limited to 2.4 GHz, a maximum data rate of 11 Mbps, and no MIMO or OFDM support, making it completely unsuitable for high throughput and multi-user scenarios. Option D (802.11g) is wrong because although it operates in 2.4 GHz and supports OFDM with a maximum data rate of 54 Mbps, it lacks MIMO, MU-MIMO, and wider channel bonding, so it cannot provide the high throughput or simultaneous user capacity required in a dense cubicle office.

66
MCQ · medium

A network technician installs a new 802.3at (PoE+) access point in a warehouse. The AP is connected via a 200-foot Cat5e cable to a switch that only supports 802.3af (PoE). The AP powers on but experiences intermittent connectivity drops. What is the most likely cause?

A. The cable length exceeds the maximum allowed for PoE
B. The AP is not receiving enough power from the switch
C. Duplex mismatch between the AP and the switch
D. Radio frequency interference from warehouse equipment
Answer: B

The AP requires PoE+ (802.3at), but the switch only provides PoE (802.3af). The insufficient power can cause the AP to function erratically.

Why this answer

The switch only supports 802.3af (PoE), which provides a maximum of 15.4 watts per port, while the 802.3at (PoE+) access point requires up to 25.5 watts to operate reliably. The AP powers on because it can negotiate 802.3af power, but under load (e.g., transmitting at higher power or using multiple radios), it draws more current than the switch can supply, causing voltage droop and intermittent resets or link drops. This is a classic power budget mismatch scenario.

Exam trap

The trap here is that candidates see the AP powers on and assume power is sufficient, overlooking that 802.3at devices can operate at reduced functionality on 802.3af but will fail under higher load, leading them to incorrectly blame cable length or RF interference instead of the power budget mismatch.

How to eliminate wrong answers

Option A is wrong because the maximum cable length for Ethernet (including PoE) is 100 meters (328 feet), and the 200-foot cable is well within that limit; excessive length would cause signal attenuation, not intermittent power-related drops. Option C is wrong because duplex mismatch typically causes constant CRC errors and collisions, not intermittent connectivity drops that correlate with power draw; the AP and switch would still negotiate speed/duplex via auto-negotiation. Option D is wrong because RF interference would manifest as packet loss or retransmissions at the wireless layer, not as wired link drops or power failures; the AP would remain powered and connected to the switch.

67
Matching · medium

Match each network service to its description.

Automatically assigns IP addresses to devices

Resolves domain names to IP addresses

Translates private IP addresses to a public IP

Monitors and manages network devices

Why these pairings

These are common network services.

68
MCQ · medium

A network administrator is configuring an IEEE 802.1Q trunk between two switches. Which of the following must match on both ends for the trunk to function correctly?

A. The native VLAN ID
B. The trunk port speed and duplex
C. The encapsulation type
D. The allowed VLAN list
Answer: A

A mismatched native VLAN can cause traffic on the untagged VLAN to be placed in the wrong VLAN on the other switch.

Why this answer

For an IEEE 802.1Q trunk to function correctly, the native VLAN ID must match on both ends. The native VLAN is the VLAN that carries untagged traffic across the trunk; if the IDs differ, frames from one switch's native VLAN will be placed into a different VLAN on the other switch, causing traffic misrouting and potential layer 2 loops. This is a fundamental requirement of the 802.1Q standard, and mismatched native VLANs are a common source of trunk failures.

Exam trap

The trap here is that candidates often confuse the requirement for matching native VLANs with the need for matching encapsulation type, mistakenly thinking that both ends must be set to 'dot1q' when in fact 802.1Q is the default and only option for modern trunks, making the native VLAN the critical matching parameter.

How to eliminate wrong answers

Option B is wrong because trunk port speed and duplex do not need to match for 802.1Q trunking to function; while mismatched speed/duplex can cause performance issues or link flaps, they are not a requirement for the trunk protocol itself. Option C is wrong because encapsulation type is not a configurable option on modern switches for 802.1Q trunks—802.1Q is the only encapsulation used for dot1q trunks, whereas the older ISL (Inter-Switch Link) encapsulation is Cisco-proprietary and deprecated; the question specifies IEEE 802.1Q, so encapsulation is fixed and not a variable that needs matching.

69
MCQ · medium

A company is implementing a new wireless network for employees. The network must support seamless roaming between access points. Which protocol should be configured on the wireless controller?

A. 802.1X
B. 802.11r
C. 802.11n
D. 802.3af
Answer: B

802.11r, also known as Fast BSS Transition, reduces the time required for a client to transition between APs by caching keying information, enabling seamless roaming.

Why this answer

802.11r, also known as Fast BSS Transition (FT), enables seamless roaming by allowing a client to authenticate and derive encryption keys with a new access point before or during the reassociation process, reducing the time-sensitive handshake overhead. This is essential for real-time applications like VoIP or video calls where roaming delays must be under 50 ms to avoid perceptible drops.

Exam trap

The trap here is that candidates often confuse 802.1X (authentication) with 802.11r (fast roaming), assuming that any security-related protocol must handle roaming, when in fact 802.1X adds latency rather than reducing it.

How to eliminate wrong answers

Option A is wrong because 802.1X is a port-based network access control standard used for authentication (e.g., with RADIUS), not a roaming protocol; it does not accelerate handoffs between APs. Option C is wrong because 802.11n is a physical layer and MAC enhancement standard that increases throughput via MIMO and channel bonding, but it has no mechanism for reducing roaming latency or managing fast transitions.

70
MCQ · medium

A network technician is installing a new wireless access point in a warehouse. The AP requires PoE+ (802.3at) for full operation. The technician connects the AP using a Cat5e cable run of 200 feet to a switch that only supports 802.3af (PoE). The AP powers on but has intermittent connectivity issues. What is the most likely cause?

A. The cable length exceeds the maximum for PoE
B. The switch does not support the required PoE standard
C. The AP is experiencing interference from metal racks
D. The AP is configured with the wrong SSID
Answer: B

The AP requires 802.3at (PoE+ providing up to 30W), but the switch only provides 802.3af (up to 15.4W). Insufficient power can cause erratic behavior and connectivity drops.

Why this answer

The switch only supports 802.3af (PoE), which provides up to 15.4W per port, while the AP requires 802.3at (PoE+) for full operation, which supplies up to 30W. Although the AP powers on, it may not receive sufficient power to operate all radios or features, leading to intermittent connectivity issues. The cable length of 200 feet is within the 100-meter (328-foot) limit for Cat5e, so length is not the problem.

Exam trap

The trap here is that candidates assume the AP powers on means it is fully operational, but Cisco often tests the nuance that PoE+ devices may partially power up with PoE, only to exhibit intermittent issues due to insufficient power budget.

How to eliminate wrong answers

Option A is wrong because the maximum cable length for Ethernet (including PoE) is 100 meters (328 feet), and 200 feet (approximately 61 meters) is well within that limit, so cable length does not cause the issue. Option C is wrong because while metal racks can cause RF interference, the question states the AP powers on and has intermittent connectivity, which is more consistent with power negotiation issues than with interference; interference would typically cause poor signal quality or disconnections, not power-related symptoms.

71
MCQ · medium

A network engineer is designing a data center network and needs to ensure high availability for the core switches. Which technology allows multiple physical switches to be combined into a single logical switch to simplify management and improve redundancy?

A. Spanning Tree Protocol (STP)
B. Switch stacking
C. EtherChannel
D. Virtual Router Redundancy Protocol (VRRP)
Answer: B

Stacking combines multiple switches via dedicated stacking ports to act as one logical switch with a single management IP.

Why this answer

Switch stacking combines multiple physical switches into a single logical unit, sharing a common control plane and management interface. This simplifies configuration and provides redundancy because if one switch in the stack fails, the remaining switches continue forwarding traffic without requiring STP convergence.

Exam trap

Cisco often tests the distinction between EtherChannel (link aggregation) and stacking (switch aggregation), so the trap here is confusing a technology that bundles links with one that bundles entire switches.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents loops in redundant topologies by blocking ports, but it does not combine switches into a single logical device; it operates on individual switches and requires convergence time. Option C is wrong because EtherChannel bundles multiple physical links between two switches into a single logical link for increased bandwidth and redundancy, but it does not merge the switches themselves into a single logical switch.

72
MCQ · medium

A network engineer is designing an OSPF network for a large enterprise. To reduce the size of routing tables and limit the propagation of external routes, the engineer wants to use a special area that blocks Type 5 LSAs but still allows inter-area routes via a default route. Which type of OSPF area should be configured?

A. Backbone area 0
B. Standard area
C. Stub area
D. Totally stubby area
Answer: C

A stub area blocks Type 5 LSAs (AS external routes) and injects a default route instead, reducing routing table size and external route propagation.

Why this answer

A stub area blocks Type 5 LSAs (external routes) from entering the area, forcing the area border router (ABR) to inject a default route (0.0.0.0/0) for reaching external destinations. This reduces the routing table size while still allowing inter-area routes (Type 3 LSAs) to propagate, exactly matching the requirement.

Exam trap

CompTIA often tests the distinction between stub and totally stubby areas, where candidates mistakenly choose 'totally stubby' because they think it blocks more routes, but the question explicitly requires inter-area routes to still be allowed, which only a stub area provides.

How to eliminate wrong answers

Option A is wrong because the backbone area (area 0) is the core of OSPF and does not block any LSA types; it must carry all routes, including external ones. Option B is wrong because a standard area accepts all LSA types (Type 1, 2, 3, 4, 5), so it does not reduce routing table size or block Type 5 LSAs. Option D is wrong because a totally stubby area blocks both Type 5 and Type 3 LSAs, relying entirely on a default route for both inter-area and external destinations, which is more restrictive than the requirement (which still allows inter-area routes).

73
MCQ · hard

A company wants to deploy a wireless network for employee devices using the highest security standard. The network will use a RADIUS server for authentication. Which authentication method should be configured?

A. WPA3-SAE
B. 802.1X/EAP
C. WPA2-PSK
D. WEP with RADIUS
Answer: B

802.1X/EAP provides centralized authentication using a RADIUS server, supporting various EAP methods (e.g., EAP-TLS, PEAP) for strong, per-user security.

Why this answer

B is correct because 802.1X/EAP is the only option that provides enterprise-grade authentication using a RADIUS server. It requires each user to present unique credentials (e.g., username/password or certificate), which are verified by the RADIUS server before granting network access. This meets the requirement for the highest security standard in a corporate environment.

Exam trap

The trap here is that candidates confuse WPA3-SAE (which is indeed more secure than WPA2-PSK) with enterprise authentication, but SAE still uses a shared passphrase and cannot integrate with a RADIUS server for per-user authentication.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE (Simultaneous Authentication of Equals) is a personal/PSK mode designed for home or small networks; it uses a pre-shared passphrase rather than per-user authentication via a RADIUS server. Option C is wrong because WPA2-PSK also relies on a single pre-shared key for all devices, lacks individual user authentication, and is vulnerable to dictionary attacks and key compromise, making it unsuitable for enterprise security requirements.

74
MCQ · medium

A network administrator connects a new access switch to the core switch via a trunk port. Both switches have the same VLAN database, and the trunk is configured to allow all VLANs. However, hosts on VLAN 10 connected to the new access switch cannot communicate with hosts on VLAN 10 on the core switch. The administrator verifies that the access ports for VLAN 10 are correctly configured and that the trunk link status is up/up. Which of the following is the most likely cause?

A. The trunk port is in an err-disabled state.
B. The native VLAN on the trunk port is different on the two switches.
C. The switchport mode is not set to trunk on one side.
D. The spanning-tree protocol is blocking VLAN 10 on the trunk.
Answer: B

A native VLAN mismatch can cause untagged frames to be placed into different VLANs on each switch. This can prevent communication even if the allowed VLAN list is correct. The administrator should verify that the native VLAN is the same on both ends.

Why this answer

When the native VLAN (typically VLAN 1 by default) is mismatched on a trunk link, the two switches do not agree on which VLAN the untagged frames belong to. Since VLAN 10 is not the native VLAN, a native VLAN mismatch does not directly block VLAN 10 traffic. However, the scenario states that both switches have the same VLAN database and that the trunk allows all VLANs, so the most likely cause is a native VLAN mismatch, which can cause control plane issues or miscommunication. In practice, a native VLAN mismatch can leave VLAN 10 hosts unable to communicate because the switches may place the native VLAN frames into different VLANs, disrupting Layer 2 connectivity for all VLANs, including VLAN 10.

Exam trap

The trap here is that candidates often assume a native VLAN mismatch only affects the native VLAN itself, but it actually disrupts Layer 2 communication for all VLANs because the switches misclassify untagged frames and can cause spanning-tree inconsistencies.

How to eliminate wrong answers

Option A is wrong because an err-disabled state would cause the trunk port to show as down/down or err-disabled, not up/up as verified by the administrator. Option C is wrong because if the switchport mode were not set to trunk on one side, the trunk link would not be up/up; it would likely be in a dynamic desirable/auto mismatch state or show as an access port, and the administrator has already verified the trunk link status is up/up.

75
MCQ · medium

A network administrator is configuring a trunk port between two switches. Both switches have been set with native VLAN 99. However, traffic from some VLANs is not passing over the trunk. What should the administrator verify?

A. The VTP domain name matches on both switches.
B. The allowed VLAN list on the trunk port.
C. The speed and duplex settings are identical.
D. The spanning tree protocol is disabled.
Answer: B

By default, trunk ports allow all VLANs, but administrators sometimes restrict the allowed VLAN list. If a VLAN is not in the allowed list, its traffic will not pass.

Why this answer

The trunk port's allowed VLAN list explicitly controls which VLANs are permitted to traverse the link. Even when both switches agree on the native VLAN (99), if a particular VLAN is not included in the allowed list on either side, its traffic will be dropped. This is a common misconfiguration that prevents specific VLAN traffic from passing over the trunk.

Exam trap

Cisco often tests the misconception that native VLAN mismatch is the only cause of trunk issues, but here the native VLAN matches, so candidates might overlook the allowed VLAN list as the root cause.

How to eliminate wrong answers

Option A is wrong because VTP (VLAN Trunking Protocol) domain name matching is only required if VTP is used to synchronize VLAN databases, but trunk operation itself does not depend on VTP; the question describes a scenario where VLANs exist on both switches, so VTP is irrelevant. Option C is wrong because speed and duplex mismatches would cause link-level errors or the port to not come up at all, not selectively block traffic from some VLANs while allowing others.
