CCNA Network Operations Questions

75 of 104 questions · Page 1/2 · Network Operations · Answers revealed

1
MCQ · medium

A network operations center uses SNMP to monitor device health. An administrator needs to retrieve the current CPU utilization from a router. Which SNMP operation is most appropriate?

A. GET
B. SET
C. TRAP
D. INFORM
Answer: A

GET is used to read the value of a managed object, such as CPU utilization.

Why this answer

The SNMP GET operation is used by an NMS (Network Management System) to actively request a specific variable from a managed device, such as the OID that holds a router's current CPU utilization. This is a poll-based retrieval, making it the correct choice for an administrator who needs to read a single value on demand.

Exam trap

The trap here is confusing event-driven notifications (TRAP/INFORM) with on-demand data retrieval. Candidates select TRAP because they associate it with CPU alerts, but the question asks for retrieving current utilization, not waiting for an alert.

How to eliminate wrong answers

Option B (SET) is wrong because SET is used to modify a configuration parameter or write a value on the device, not to read data. Option C (TRAP) is wrong because TRAP is an unsolicited notification sent by the agent to the NMS when a predefined event occurs, not a request for current data. Option D (INFORM) is wrong because INFORM is a confirmed notification (requiring an acknowledgment) sent from the agent to the NMS, also used for event-driven alerts, not for polling a specific value.

2
MCQ · medium

A network administrator has configured SNMPv3 on a router to send traps to a central management server. The administrator notices that no traps are being received. The management server is reachable via ping from the router. Which configuration step is most likely missing?

A. Configure the SNMP community string on the router
B. Set the SNMP trap destination IP address on the router
C. Configure SNMPv3 authentication and privacy credentials on both the router and the server
D. Ensure the SNMP agent is enabled on the router
Answer: C

SNMPv3 requires matching authentication and encryption credentials on both ends. Without them, the server will not accept or decrypt traps.

Why this answer

SNMPv3 requires authentication and encryption (privacy) to be configured on both the router and the management server. Without matching credentials, the server will reject or ignore the traps, even if the network path is reachable. This is the most likely missing step because SNMPv3 does not use community strings and relies on security models (authNoPriv, authPriv, or noAuthNoPriv) that must be consistent between endpoints.

Exam trap

CompTIA often tests the misconception that SNMPv3 still requires a community string or that simply setting a trap destination is sufficient, when in fact the security credentials must be explicitly configured and matched on both devices.

How to eliminate wrong answers

Option A is wrong because SNMPv3 does not use community strings; they are only used in SNMPv1/v2c. Option B is wrong because the trap destination IP address must be set, but the question states the management server is reachable via ping, implying basic IP connectivity exists; the missing piece is the security configuration, not the destination. Option D is wrong because the SNMP agent is enabled by default on most Cisco routers and is implied to be working since the router can send other traffic; the issue is specifically with trap authentication, not the agent status.

3
Drag & Drop · medium

Drag and drop the steps to install a new network cable and terminate it with an RJ45 connector (T568B standard) into the correct order.


Why this order

Cable termination requires proper wire order and crimping.

4
MCQ · easy

A network administrator needs to maintain a record of all configuration changes made to network switches, including the date, time, and the administrator who made the change. Which document should be used for this purpose?

A. Network topology diagram
B. Baseline configuration report
C. Change management log
D. Incident report
Answer: C

The change management log explicitly records details of each change, including the person, timestamp, and description.

Why this answer

A change management log is the correct document because it is specifically designed to record configuration changes, including the date, time, and the administrator responsible. This log provides an audit trail for network devices, ensuring compliance and facilitating troubleshooting by tracking who made what change and when.

Exam trap

The trap here is that candidates confuse a baseline configuration report with a change log, thinking it records changes, when in fact a baseline is a snapshot of a known good state, not a running history of modifications.

How to eliminate wrong answers

Option A is wrong because a network topology diagram shows the physical or logical layout of devices and connections, not a historical record of configuration changes. Option B is wrong because a baseline configuration report captures the initial or standard configuration state of a device, not a log of subsequent changes. Option D is wrong because an incident report documents security events or network outages, not routine configuration changes made by administrators.

5
MCQ · easy

What is the default administrative distance for OSPF routes on a typical Cisco router?

A. 90
B. 100
C. 110
D. 120
Answer: C

OSPF uses an AD of 110 by default, making it more trusted than RIP (120) but less than EIGRP (90) and external EIGRP (170).

Why this answer

Option C is correct because the default administrative distance for OSPF routes on a Cisco router is 110. Administrative distance is a trustworthiness metric used to select the best route when multiple routing protocols provide a route to the same destination; a lower value is preferred. OSPF's default AD of 110 is higher than that of static routes (1) and EIGRP (90/170), but lower than RIP (120) and IS-IS (115).

Exam trap

CompTIA often tests the default administrative distances for OSPF, EIGRP, and RIP, and the trap here is confusing OSPF's AD of 110 with EIGRP's AD of 90 or RIP's AD of 120, especially since OSPF is a link-state protocol while EIGRP is a hybrid, leading candidates to misremember the values.

How to eliminate wrong answers

Option A is wrong because 90 is the default administrative distance for internal EIGRP routes, not OSPF. Option B is wrong because 100 is not a default administrative distance for any common routing protocol on Cisco routers; it is sometimes used for iBGP in some implementations but is not the OSPF default. Option D is wrong because 120 is the default administrative distance for RIP routes, not OSPF.

6
MCQ · medium

A network engineer needs to securely transfer router configuration files to a central backup server. The backup server supports SCP and TFTP. Which protocol should the engineer use?

A. SCP
B. TFTP
C. HTTP
D. FTP
Answer: A

SCP provides encryption and authentication, securing the configuration file during transfer.

Why this answer

SCP (Secure Copy Protocol) is the correct choice because it encrypts both the authentication and the data transfer using SSH, ensuring confidentiality and integrity of the router configuration files during transit. TFTP, while simple and often used for network device backups, lacks any encryption or authentication, making it insecure for transferring sensitive configuration data over a network.

Exam trap

The trap here is that TFTP is commonly associated with router configuration backups in many study materials, leading candidates to overlook the 'securely' keyword in the question and choose TFTP despite its lack of encryption.

How to eliminate wrong answers

Option B (TFTP) is wrong because it uses UDP port 69 with no encryption or authentication, exposing the configuration files to interception and tampering. Option C (HTTP) is wrong because it transmits data in plaintext over TCP port 80, offering no security for sensitive files. Option D (FTP) is wrong because it sends credentials and data in cleartext over TCP ports 20/21, and even with FTP over TLS (FTPS), it is not as straightforward or commonly supported for router backups as SCP, which leverages the existing SSH infrastructure.

7
MCQ · medium

A network administrator is about to implement a QoS policy on a core router. According to change management best practices, which step should the administrator perform FIRST to ensure the policy can be reverted if it causes unexpected issues?

A. Save the running configuration to the startup configuration.
B. Back up the current configuration to an external TFTP or SCP server.
C. Test the QoS policy in a lab environment.
D. Schedule a maintenance window and notify the help desk.
Answer: B

A backup stored externally provides a reliable restore point that is independent of the router's memory. This is the best practice before making major changes.

Why this answer

Option B is correct because, under change management best practices, the first step before implementing any change is to create a reliable backup of the current configuration to an external server (e.g., TFTP, SCP, FTP). This ensures that if the QoS policy causes unexpected issues such as traffic drops or misclassification, the administrator can restore the original configuration exactly as it was, even if the router reboots or the running-config is lost. Saving to startup-config (Option A) would overwrite the known-good baseline, making reversion impossible without a separate backup.

Exam trap

The trap here is that candidates often choose 'Save the running configuration to the startup configuration' (Option A) thinking it preserves the current state, but this actually commits the change permanently, preventing a clean rollback if the new policy fails.

How to eliminate wrong answers

Option A is wrong because saving the running configuration to the startup configuration overwrites the known-good baseline, so if the QoS policy causes issues, the administrator cannot revert to the pre-change state without an external backup. Option C is wrong because testing in a lab environment is a best practice but is not the FIRST step when implementing a change on a production device; the immediate priority is to secure a backup of the current production configuration to enable rollback. Option D is wrong because scheduling a maintenance window and notifying the help desk is an important procedural step but should occur after the backup is completed, as the backup is the technical prerequisite for safe rollback.

8
MCQ · medium

A network administrator needs to document the network for auditing purposes. Which type of documentation provides the most detailed information about the physical connections between devices, including cable types and patch panel ports?

A. Logical diagram
B. Network topology map
C. Wiring schematic
D. Asset management database
Answer: C

Wiring schematics provide detailed physical cable paths, including patch panels, ports, and cable types.

Why this answer

A wiring schematic provides the most detailed information about physical connections, including cable types, patch panel ports, and exact pin-to-pin wiring. This level of detail is essential for auditing physical infrastructure, as it documents the actual cabling plant rather than logical or high-level connectivity.

Exam trap

The trap here is that candidates often confuse a network topology map (which shows device interconnections) with a wiring schematic, but the topology map lacks the specific cable type and patch panel port details required for physical-layer auditing.

How to eliminate wrong answers

Option A is wrong because a logical diagram shows IP subnets, VLANs, and routing relationships, not physical cable types or patch panel ports. Option B is wrong because a network topology map typically illustrates the arrangement of devices and links at a high level, but it does not include granular details like cable specifications or patch panel port mappings. Option D is wrong because an asset management database tracks inventory and configuration items (e.g., serial numbers, warranty info) but does not document the physical cabling connections or port-level wiring.

9
MCQ · medium

A network administrator needs to be notified immediately when the CPU utilization on a core router exceeds 90%. Which SNMP mechanism should be configured on the router?

A. SNMP get
B. SNMP trap
C. SNMP walk
D. SNMP set
Answer: B

Traps are sent by the device to the NMS when conditions such as high CPU utilization are met.

Why this answer

B is correct because SNMP traps are unsolicited notifications sent from an SNMP agent (the router) to the manager when a predefined condition occurs, such as CPU utilization exceeding 90%. This allows immediate notification without waiting for the manager to poll, which is essential for urgent alerts.

Exam trap

Cisco often tests the distinction between polling (get/walk) and event-driven notifications (trap/inform), and the trap here is that candidates confuse SNMP get with a proactive alert mechanism, forgetting that get requires the manager to initiate the request.

How to eliminate wrong answers

Option A is wrong because SNMP get is a polling mechanism where the manager requests a specific OID value from the agent; it does not provide immediate notification when a threshold is exceeded. Option C is wrong because SNMP walk is used to retrieve a subtree of OIDs sequentially, typically for discovery or bulk data collection, and is not designed for event-driven alerts.

10
MCQ · easy

A network technician needs to retrieve the operating system and uptime information from a router for inventory purposes. Which protocol is specifically designed for network management and monitoring?

A. SMTP
B. SNMP
C. HTTP
D. FTP
Answer: B

SNMP is used to manage and monitor network devices, including retrieving system information like OS and uptime via MIB objects.

Why this answer

SNMP (Simple Network Management Protocol) is the standard protocol specifically designed for network management and monitoring. It allows a network management station to query managed devices (like routers) for system information, including operating system version and uptime, via OIDs (Object Identifiers) in the MIB (Management Information Base).

Exam trap

CompTIA often tests whether candidates confuse SNMP with other application-layer protocols like HTTP or FTP, assuming any protocol that can 'retrieve information' qualifies, but only SNMP is purpose-built for network management with standardized MIB structures.

How to eliminate wrong answers

Option A (SMTP) is wrong because SMTP (Simple Mail Transfer Protocol) is used for sending email messages, not for network management or retrieving device inventory data. Option C (HTTP) is wrong because HTTP (Hypertext Transfer Protocol) is used for web traffic and is not a dedicated network management protocol; while some devices offer a web interface, it is not designed for standardized, automated monitoring like SNMP. Option D (FTP) is wrong because FTP (File Transfer Protocol) is used for transferring files between systems, not for querying operational status or inventory information from network devices.

11
Drag & Drop · medium

Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model into the correct order (top-down approach).


Why this order

Top-down troubleshooting starts at the application layer and works down to physical.

12
MCQ · easy

A network administrator wants to evaluate the current bandwidth utilization on a core switch to determine if an upgrade is needed. The administrator needs to understand typical usage patterns. Which of the following should the administrator perform first?

A. Implement QoS policies to prioritize traffic.
B. Collect performance data over a period of time.
C. Upgrade the switch to a higher capacity model.
D. Enable SNMP traps for link down events.
Answer: B

Collecting data over time establishes a baseline of normal utilization, which is the first step in evaluating if an upgrade is needed.

Why this answer

To evaluate bandwidth utilization and determine if an upgrade is needed, the administrator must first establish a baseline of typical usage patterns. This is done by collecting performance data over a period of time (e.g., using SNMP to poll interface counters or NetFlow/sFlow to capture traffic flows) to identify peak loads, average utilization, and trends. Without this historical data, any decision to upgrade or implement QoS would be based on guesswork rather than evidence.

Exam trap

The trap here is that candidates often jump to implementing QoS (Option A) as a quick fix for perceived congestion, but Cisco tests the principle that you must first measure and baseline network performance before making any configuration or hardware changes.

How to eliminate wrong answers

Option A is wrong because implementing QoS policies should be based on observed traffic patterns and performance data; applying QoS without first understanding utilization risks misconfiguring policies that may not address actual congestion or could degrade critical traffic. Option C is wrong because upgrading the switch to a higher capacity model is a reactive and costly action that should only be taken after data collection confirms that current bandwidth is insufficient; performing the upgrade first ignores the need for evidence-based capacity planning.

13
MCQ · medium

A network administrator needs to centrally collect and analyze log messages from multiple routers and switches. Which protocol should be used to forward these log messages to a central server?

A. SNMP
B. Syslog
C. SMTP
D. HTTP
Answer: B

Syslog is the standard protocol for forwarding log messages from network devices to a central logging server.

Why this answer

Syslog (B) is the correct protocol because it is specifically designed for centralized logging and event message collection from network devices. It uses UDP port 514 (or TCP 6514 for reliable delivery) to forward log messages from routers and switches to a central syslog server, enabling administrators to collect, analyze, and archive logs from multiple devices in a standardized format.

Exam trap

The trap here is that candidates often confuse SNMP traps with syslog messages, thinking SNMP can replace syslog for log collection, but SNMP traps are structured notifications for specific events, not a general-purpose log forwarding protocol.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing network devices by polling or receiving traps for specific metrics (e.g., interface status, CPU load), not for forwarding free-form log messages; it lacks the structured logging capabilities of syslog. Option C is wrong because SMTP (Simple Mail Transfer Protocol) is designed for email transmission, not for forwarding system logs; using SMTP would require converting logs into email messages, which is inefficient and not a standard practice for centralized log collection.

14
MCQ · easy

A network administrator needs to document the physical placement of devices in a server room, including exact rack location, port labels, and cable connections between patch panels and switches. Which type of diagram is most appropriate?

A. Network topology map
B. Rack diagram
C. Wiring schematic
D. Logical topology diagram
Answer: B

A rack diagram precisely documents the physical arrangement of devices in racks, including ports and cabling.

Why this answer

A rack diagram is specifically designed to document the physical placement of devices in a server room, including exact rack units, port labels, and cable connections between patch panels and switches. This type of diagram provides a visual representation of the physical layout, which is essential for asset management, troubleshooting, and maintenance planning.

Exam trap

The trap here is that candidates confuse a logical topology map (which shows IP subnets and routing) with a physical rack diagram, leading them to choose the topology map when the question explicitly asks for physical placement and cable connections.

How to eliminate wrong answers

Option A is wrong because a network topology map focuses on logical connections and data flow between devices (e.g., IP addressing, routing protocols) rather than physical rack locations and cable details. Option C is wrong because a wiring schematic typically shows electrical circuits and signal paths at a component level, not the physical rack placement or port-to-port cable connections in a structured cabling environment.

15
MCQ · hard

A network administrator is configuring a monitoring system to collect metrics from network devices. The administrator needs to ensure that the monitoring system can automatically discover the devices and obtain detailed information about their configuration and status, such as interface descriptions and software versions. Which protocol is best suited for this purpose?

A. SNMP
B. LLDP
C. NetFlow
D. Syslog
Answer: A

SNMP (especially with SNMPv2c or v3) allows a management station to query device MIBs for detailed information such as interface descriptions, software versions, and status. It can also be used for discovery by polling known community strings.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is specifically designed for network management and monitoring. It allows a management system to automatically discover devices (via SNMP walks or queries to MIBs) and retrieve detailed configuration and status information, such as interface descriptions and software versions, by reading OIDs from the device's MIB. This matches the requirement for automatic discovery and detailed data collection.

Exam trap

The trap here is that candidates often confuse LLDP's neighbor discovery capability with SNMP's management and monitoring functionality, mistakenly thinking LLDP can provide detailed device configuration and status information when it only advertises basic identity and capabilities.

How to eliminate wrong answers

Option B (LLDP) is wrong because LLDP is a link-layer discovery protocol used to advertise device identity, capabilities, and neighbors on a local network; it does not provide a mechanism for a monitoring system to poll detailed configuration or status metrics like software versions or interface descriptions. Option C (NetFlow) is wrong because NetFlow is a flow-based traffic accounting and analysis protocol that captures metadata about network flows (e.g., source/destination IPs, ports, packet counts); it is not designed for device discovery or retrieving configuration and status information.

16
MCQ · easy

A network administrator needs to schedule a firmware upgrade for a critical router. Which document should be used to formally communicate the change, seek approval, and track the implementation?

A. Change management request
B. Network diagram
C. Service level agreement (SLA)
D. Baseline performance report
Answer: A

Correct. A change management request is the standard document for proposing, approving, and tracking changes to network devices.

Why this answer

A change management request is the formal document used to communicate, seek approval, and track the implementation of a firmware upgrade on a critical router. This process ensures that the change is reviewed by stakeholders, risks are assessed, and a rollback plan is documented, which is essential for maintaining network stability and compliance with ITIL or organizational change control policies.

Exam trap

The trap here is that candidates may confuse a change management request with a network diagram or SLA, thinking that documenting the topology or contractual guarantees is sufficient for scheduling and approving a change, but only the formal change management process provides the required approval and tracking trail.

How to eliminate wrong answers

Option B (Network diagram) is wrong because it is a visual representation of the network topology and device interconnections, not a formal process document for requesting or tracking changes. Option C (Service level agreement) is wrong because it defines performance metrics and uptime guarantees between a provider and customer, not a mechanism for scheduling or approving specific operational changes like firmware upgrades.

17
MCQ · medium

A network administrator is creating documentation for a new data center. Which type of diagram is BEST for showing the logical relationships between VLANs and their associated subnets?

A. Physical topology diagram
B. Logical topology diagram
C. Wiring diagram
D. Rack elevation diagram
Answer: B

Logical topology diagrams show network segments, virtual LANs, IP addressing schemes, and routing – perfect for documenting VLAN and subnet relationships.

Why this answer

A logical topology diagram is the correct choice because it illustrates how devices communicate across the network, including the mapping of VLANs to their associated IP subnets. This type of diagram abstracts away physical cabling and device locations to focus on Layer 2 and Layer 3 relationships, such as VLAN IDs, subnet masks, and default gateways. It is essential for documenting network segmentation and troubleshooting inter-VLAN routing.

Exam trap

The trap here is that candidates often confuse 'logical topology' with 'physical topology,' assuming that a physical diagram can show VLANs because VLANs are configured on physical switches, but VLANs are a Layer 2 abstraction that must be documented separately.

How to eliminate wrong answers

Option A is wrong because a physical topology diagram shows the physical layout of cables, devices, and ports, not the logical relationships between VLANs and subnets. Option C is wrong because a wiring diagram details the specific cabling paths, patch panels, and termination points, which is irrelevant to VLAN-to-subnet mappings. Option D is wrong because a rack elevation diagram displays the physical placement of equipment in racks, including U positions and power/cooling considerations, but does not convey logical network segmentation.

18
MCQ · hard

An NOC technician observes that the CPU usage on a core switch has been consistently above 90% for the past hour. Which SNMP operation should the technician use to monitor the CPU load over time with minimal network overhead?

A. SNMP GET
B. SNMP GETNEXT
C. SNMP WALK
D. SNMP TRAP
Answer: D

SNMP traps are unsolicited messages from the agent to the NMS when certain events occur (e.g., CPU threshold exceeded). They reduce overhead because the NMS does not need to poll; the agent sends data only when necessary.

Why this answer

D is correct because SNMP TRAP is an unsolicited notification sent from the agent (the switch) to the NMS, which allows the NOC to receive CPU load alerts only when a threshold is exceeded, minimizing network overhead by avoiding continuous polling. In this scenario, the technician wants to monitor CPU load over time with minimal overhead, and traps provide event-driven reporting rather than periodic requests, reducing bandwidth and processing load on both the switch and the network.

Exam trap

The trap here is that candidates often confuse SNMP TRAP with SNMP GET, assuming that polling is necessary for monitoring, but the question explicitly asks for minimal network overhead, which traps achieve by eliminating the need for repeated requests.

How to eliminate wrong answers

Option A is wrong because SNMP GET is a synchronous request-response operation that polls a single OID, requiring repeated queries to track CPU load over time, which generates significant network overhead and CPU load on the managed device. Option B is wrong because SNMP GETNEXT is used to traverse a MIB tree by retrieving the next OID in sequence, but it still requires repeated polling to monitor a value over time, increasing overhead compared to event-driven traps. Option C is wrong because SNMP WALK performs a series of GETNEXT operations to retrieve a subtree of OIDs, which is even more bandwidth-intensive and CPU-heavy than a single GET, making it unsuitable for minimal-overhead monitoring of a single metric like CPU load.

19
MCQ · medium

A network administrator wants to centrally monitor the status of all network devices and receive alerts when an interface goes down. Which protocol and feature combination should the administrator use?

A. SNMP with traps
B. SNMP with polling
C. Syslog with severity levels
D. NetFlow with flow logs
Answer: A

SNMP traps are notifications sent by network devices to an SNMP manager upon events, enabling real-time alerts for interface status changes.

Why this answer

SNMP traps provide unsolicited, asynchronous notifications from network devices to the management station when specific events occur, such as an interface going down. This allows the administrator to receive immediate alerts without continuously polling each device, making it the ideal protocol and feature combination for real-time status monitoring and alerting.

Exam trap

CompTIA often tests the distinction between SNMP traps (event-driven) and SNMP polling (request-response), where candidates mistakenly choose polling because they think it provides continuous monitoring, but traps are the correct choice for immediate alerting on specific events like interface down.

How to eliminate wrong answers

Option B is wrong because SNMP with polling requires the management station to periodically query each device, which introduces latency in detecting interface state changes and increases network overhead, making it unsuitable for immediate alerting. Option C is wrong because Syslog is primarily used for logging event messages with severity levels, but it does not provide a standardized mechanism for real-time alerting on interface status changes; it relies on the management system to parse logs, which can introduce delays. Option D is wrong because NetFlow with flow logs is designed for traffic flow analysis and network performance monitoring, not for tracking device interface operational status or generating alerts on interface state changes.

20
MCQ · hard

A network administrator configures a router to send syslog messages to a central log server. The administrator can ping the server from the router, but the server is not receiving any logs. What is the most likely cause?

A. The syslog server is using the wrong protocol (TCP instead of UDP)
B. UDP port 514 is blocked between the router and the server
C. The syslog service on the server is not running
D. The router's clock is not synchronized with the server
Answer: B

The router can reach the server (ping works), so the path is up. Syslog relies on UDP 514; if that port is blocked, logs will not be delivered.

Why this answer

Syslog messages are sent via UDP port 514 by default. Since the administrator can ping the server (ICMP works), but no logs arrive, the most likely cause is that a firewall or ACL is blocking UDP port 514 between the router and the server. This is a classic connectivity issue where Layer 3 reachability exists but the specific transport-layer port is filtered.

Exam trap

The trap here is that candidates see 'ping works' and assume full connectivity, forgetting that syslog uses a specific UDP port that may be filtered even when ICMP is permitted.

How to eliminate wrong answers

Option A is wrong because syslog uses UDP by default (RFC 5424), not TCP; while some implementations support TCP, the standard and most common configuration is UDP, and the question does not indicate a TCP-based syslog setup. Option C is wrong because if the syslog service were not running, the administrator would typically see a 'connection refused' or similar error when attempting to send logs, but here the router can ping the server, indicating the server is reachable and the service is likely running; the issue is a blocked port, not a stopped service.

21
MCQeasy

A network administrator needs to ensure that all changes to network devices are properly reviewed, approved, and tracked. Which process should the administrator implement?

A.Change management
B.Incident management
C.Problem management
D.Asset management
AnswerA

Change management formalizes the process for planning, approving, and documenting changes to minimize impact.

Why this answer

Change management is the formal process for requesting, reviewing, approving, implementing, and documenting changes to network devices. It ensures that all modifications are authorized, tracked, and have a rollback plan, which directly meets the requirement for review, approval, and tracking.

Exam trap

CompTIA often tests the distinction between change management (proactive, planned) and incident management (reactive, unplanned), leading candidates to confuse the two when the question emphasizes 'tracking' and 'approval'.

How to eliminate wrong answers

Option B (Incident management) is wrong because it focuses on restoring normal service after an unplanned interruption, not on controlling planned changes. Option C (Problem management) is wrong because it deals with identifying and resolving the root cause of recurring incidents, not with the approval and tracking of intentional modifications. Option D (Asset management) is wrong because it tracks the lifecycle and inventory of hardware/software assets, not the process of making changes to those devices.

22
MCQeasy

A network administrator needs to schedule a firmware upgrade for a critical switch during a maintenance window. After the upgrade is completed and verified, which document should the administrator update to reflect the new firmware version?

A.Incident response plan
B.Network topology diagram
C.Configuration baseline document
D.Change request form
AnswerC

The baseline document includes software versions and configurations; it should be updated after changes to maintain an accurate reference.

Why this answer

The configuration baseline document records the approved configuration of a network device, including firmware versions. After a firmware upgrade is verified, updating this document ensures that the baseline reflects the current, known-good state for change management and troubleshooting. The administrator must update the baseline to maintain configuration consistency and audit compliance.

Exam trap

The trap here is that candidates confuse the configuration baseline document with the network topology diagram, but the topology diagram only shows device interconnections, not the software version running on each device.

How to eliminate wrong answers

Option A is wrong because the incident response plan documents procedures for handling security breaches or network outages, not routine firmware version tracking. Option B is wrong because the network topology diagram shows physical and logical connections between devices, not software or firmware versions.

23
MCQmedium

A network administrator needs to schedule a firmware update for several switches during a maintenance window. Which of the following documents should be updated immediately after the changes are complete?

A.Network diagram
B.Change management request
C.Performance baseline
D.Service level agreement
AnswerB

The change management request documents the planned change, approval, and post-implementation results. Updating it after completion is a key step in the change management process.

Why this answer

The change management request is the correct document to update immediately after completing the firmware update because it serves as the official record that the change was implemented, tested, and closed. This ensures audit compliance, rollback documentation, and approval tracking, which are critical in ITIL-based change management processes. Updating the network diagram or performance baseline may be done later as part of post-change verification, but the change management request must be updated first to formally close the change window.

Exam trap

Cisco often tests the misconception that updating the network diagram is the most immediate post-change task, but the change management request must be updated first to formally close the change window and satisfy audit requirements.

How to eliminate wrong answers

Option A is wrong because the network diagram is a static representation of logical or physical topology and is not the immediate post-change document; it should be updated only after the change is fully verified and stable, not as the first step. Option C is wrong because the performance baseline is a historical reference for normal network behavior and is updated after collecting post-change performance data to compare against the baseline, not immediately upon completion of the firmware update.

24
MCQmedium

A network engineer plans to change the routing protocol configuration on a core router that will affect connectivity to all branches. According to change management best practices, which step should the engineer perform BEFORE implementing the change?

A.Notify all branch users of the upcoming change
B.Create a backout plan to revert the change if necessary
C.Document the current router configuration
D.Schedule the change during a maintenance window
AnswerB

A backout plan is essential for minimizing risk during network changes.

Why this answer

Creating a backout plan is a critical step in change management because it provides a documented procedure to revert the router to its previous operational state if the new routing protocol configuration causes connectivity loss or instability. Without a backout plan, the engineer risks prolonged outages across all branches while troubleshooting or attempting to reconstruct the original configuration from memory or incomplete logs. This aligns with ITIL change management best practices, which prioritize risk mitigation and service continuity.

Exam trap

The trap here is that candidates confuse 'documenting the current configuration' (a preparatory step) with the actual change management requirement to 'create a backout plan,' which is the specific step that ensures the change can be safely undone if it fails.

How to eliminate wrong answers

Option A is wrong because notifying all branch users before the change is a communication step that typically occurs after the change plan is approved and a backout strategy is defined; notifying users prematurely does not mitigate technical risk or provide a recovery mechanism. Option C is wrong because documenting the current router configuration is a prerequisite for creating a backout plan, but it is not the step itself—the backout plan explicitly uses that documentation to define the revert procedure, making documentation a supporting action rather than the primary step required before implementation.

25
MCQeasy

A network monitoring system uses SNMP to poll interface statistics from switches every 5 minutes. This polling is causing high CPU utilization on the switches. Which of the following actions would BEST reduce the CPU load on the switches while still providing monitoring data?

A.Use SNMP traps instead of polling
B.Increase the SNMP community string
C.Disable SNMP on unused interfaces
D.Change the SNMP version to v1
AnswerA

Traps are unsolicited messages sent by the switch only when an event occurs, reducing the need for frequent polling.

Why this answer

SNMP traps are push-based notifications sent by the switch only when a significant event occurs (e.g., link up/down, threshold crossing), eliminating the need for the NMS to poll every 5 minutes. This reduces CPU load because the switch no longer processes periodic GET requests, which require CPU cycles to gather interface statistics from the MIB. Traps still provide monitoring data by alerting the NMS to changes, though they may not offer the same granularity as polling for all counters.

Exam trap

The trap here is that candidates often confuse 'reducing the scope of polling' (like disabling unused interfaces) with 'eliminating the polling mechanism itself,' but the correct answer targets the fundamental shift from pull-based (polling) to push-based (traps) communication to reduce CPU load.

How to eliminate wrong answers

Option B is wrong because increasing the SNMP community string (a shared password for v1/v2c) does not reduce CPU utilization; it only changes authentication credentials and may even increase overhead if the string is longer. Option C is wrong because disabling SNMP on unused interfaces reduces the amount of data that can be polled but does not eliminate the polling requests themselves—the switch still processes GET requests for active interfaces, and the CPU load from polling remains largely unchanged.

26
MCQhard

A network administrator is creating a performance baseline for a new VoIP application. Which metric is most critical to monitor in order to ensure good voice quality for end users?

A.Bandwidth utilization
B.Latency
C.Jitter
D.Packet loss
AnswerB

Voice quality degrades significantly with high latency (over 150 ms). Low latency is essential for natural conversation.

Why this answer

Latency is the most critical metric for VoIP voice quality because it directly impacts the conversational flow. High latency (above 150 ms one-way, per ITU-T G.114) causes noticeable delays that disrupt natural conversation, leading to user dissatisfaction. While jitter and bandwidth are important, latency is the primary factor that degrades the interactive experience.

Exam trap

Cisco often tests the misconception that jitter is the most critical metric because it causes choppy audio, but the trap is that jitter can be corrected with a buffer, whereas latency is a cumulative, uncorrectable delay that directly breaks real-time interactivity.

How to eliminate wrong answers

Option A is wrong because bandwidth utilization, while important for capacity planning, does not directly affect voice quality as long as sufficient bandwidth is available; VoIP codecs like G.711 require only ~64 kbps per call. Option C is wrong because jitter is a variation in packet delay that can be mitigated by a jitter buffer (typically 30-50 ms), whereas latency cannot be buffered without worsening the delay, making it the more fundamental issue.

27
MCQmedium

A network administrator wants to collect performance data from network devices over time and receive alerts when thresholds are exceeded. Which protocol should be used?

A.syslog
B.SNMP
C.NetFlow
D.ICMP
AnswerB

SNMP allows polling of MIB objects and sending traps when thresholds are exceeded.

Why this answer

SNMP (Simple Network Management Protocol) is designed to collect performance data from network devices by polling MIB (Management Information Base) objects and can generate traps or inform requests to send alerts when thresholds are exceeded. This makes it the correct choice for proactive monitoring and threshold-based alerting.

Exam trap

The trap here is that candidates confuse syslog (which can also send alerts via log messages) with SNMP's dedicated alerting mechanism (traps/informs), but syslog lacks the structured polling and MIB-based threshold monitoring that SNMP provides for performance data collection.

How to eliminate wrong answers

Option A is wrong because syslog is a logging protocol used for collecting event messages (RFC 5424), not for polling performance metrics or generating threshold-based alerts. Option C is wrong because NetFlow is a flow-based traffic accounting protocol that exports metadata about network flows (e.g., source/destination IP, ports, protocol) but does not poll device performance counters or send threshold alerts. Option D is wrong because ICMP is a diagnostic and error-reporting protocol (e.g., ping, traceroute) that provides connectivity and reachability checks, not ongoing performance data collection or alerting.

28
MCQmedium

A network administrator needs to collect detailed data about network traffic flows, including source/destination IP addresses, ports, and protocols, to analyze bandwidth usage patterns. Which technology should be used?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow captures metadata about each flow (conversation), including IP addresses, ports, and protocol, enabling detailed traffic analysis.

Why this answer

NetFlow is the correct choice because it is specifically designed to collect detailed metadata about network traffic flows, including source and destination IP addresses, ports, protocols, and byte counts. This granular flow-level data enables administrators to analyze bandwidth usage patterns, identify top talkers, and perform capacity planning. Unlike SNMP, which provides aggregate interface statistics, NetFlow exports flow records that contain the exact fields needed for deep traffic analysis.

Exam trap

Cisco often tests the distinction between SNMP (which provides aggregate interface statistics) and NetFlow (which provides per-flow metadata), and the trap here is that candidates mistakenly choose SNMP because they associate it with bandwidth monitoring, without realizing it lacks the detailed flow-level fields required for the scenario.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) polls counters like interface octets and errors, but it does not capture per-flow details such as source/destination IP addresses, ports, or protocols; it provides only aggregate bandwidth utilization at the interface level. Option C is wrong because Syslog is a logging protocol for event messages and system alerts, not a flow-export technology; it cannot collect or report on traffic flow metadata like IP addresses, ports, or protocols.

29
MCQmedium

An NOC technician observes that the average latency on a critical WAN link has risen sharply. To determine which applications are consuming the most bandwidth and contributing to the latency, which tool should the technician use?

A.NetFlow
B.SNMP
C.Syslog
D.Ping
AnswerA

Correct. NetFlow captures traffic flows and allows analysis of bandwidth usage by application, source, and destination.

Why this answer

NetFlow is the correct tool because it provides per-flow traffic analysis, allowing the technician to identify which applications (by protocol and port) are consuming the most bandwidth on the WAN link. Unlike simple bandwidth monitors, NetFlow exports detailed records of source/destination IPs, ports, and byte counts, enabling precise identification of bandwidth-hungry applications contributing to increased latency.

Exam trap

CompTIA often tests the distinction between SNMP (which shows aggregate bandwidth) and NetFlow (which shows per-application bandwidth), leading candidates to mistakenly choose SNMP because they associate it with bandwidth monitoring, even though it cannot identify specific applications.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP polls interface counters (e.g., ifInOctets) to show aggregate bandwidth utilization, but it cannot identify individual applications or flows. Option C (Syslog) is wrong because Syslog is a logging protocol for system events and errors, not a traffic analysis tool; it provides no visibility into bandwidth consumption by application. Option D (Ping) is wrong because Ping measures round-trip latency and reachability using ICMP echo requests, but it cannot reveal which applications are using bandwidth or contributing to latency.

30
MCQhard

A network administrator must monitor network devices using SNMP. The security policy mandates strong encryption for both authentication and data integrity. Which SNMP version and security level should be implemented?

A.SNMPv1
B.SNMPv2c
C.SNMPv3 with noAuthNoPriv
D.SNMPv3 with authPriv
AnswerD

Correct. The authPriv security level provides both authentication (HMAC-MD5 or HMAC-SHA) and encryption (DES, 3DES, or AES), fulfilling the requirements.

Why this answer

SNMPv3 with authPriv is correct because it provides both authentication (to verify the source of messages) and encryption (to ensure data integrity and confidentiality). The security policy mandates strong encryption for both authentication and data integrity, which only the authPriv security level fulfills by using HMAC-SHA/MD5 for authentication and AES/DES for encryption.

Exam trap

Cisco often tests the misconception that SNMPv3 always provides encryption, but candidates must remember that noAuthNoPriv and authNoPriv are valid security levels that do not meet a 'strong encryption' mandate.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses only community strings for authentication (sent in plaintext) and provides no encryption, failing the strong encryption mandate. Option B is wrong because SNMPv2c also relies on plaintext community strings and lacks any encryption or authentication mechanisms. Option C is wrong because SNMPv3 with noAuthNoPriv provides neither authentication nor encryption, which does not meet the security policy requirements.

31
MCQhard

A network administrator needs to ensure high availability for a critical server that has two network interfaces connected to two different switches. Which configuration should be implemented to provide failover and load balancing at the network layer?

A.Link aggregation (LACP)
B.Virtual IP (VRRP/HSRP)
C.Spanning Tree Protocol (STP)
D.Port mirroring
AnswerB

VRRP/HSRP allows two devices to share a virtual IP address so that if one fails, the other takes over seamlessly, providing network-layer redundancy.

Why this answer

Virtual IP protocols like VRRP or HSRP provide first-hop redundancy by allowing two or more routers (or servers acting as routers) to share a virtual IP address. If the active interface fails, the standby interface takes over the virtual IP, ensuring seamless failover at Layer 3. Additionally, with multiple virtual IP groups, traffic can be load-balanced across the two interfaces, meeting both high-availability and load-balancing requirements at the network layer.

Exam trap

CompTIA often tests the distinction between Layer 2 redundancy (LACP, STP) and Layer 3 redundancy (VRRP/HSRP), leading candidates to choose Link Aggregation because it sounds like 'load balancing' without realizing it operates at a different layer and cannot provide failover across separate switches at the network layer.

How to eliminate wrong answers

Option A is wrong because Link Aggregation (LACP) operates at Layer 2, combining multiple physical links into a single logical link for increased bandwidth and redundancy, but it does not provide Layer 3 failover or load balancing of IP traffic across separate switches—it requires both interfaces to be on the same switch or a stack. Option C is wrong because Spanning Tree Protocol (STP) prevents Layer 2 loops by blocking redundant paths; it does not provide failover or load balancing at the network layer and would actually block one of the two interfaces to avoid loops. Option D is wrong because Port mirroring (SPAN) copies traffic from one port to another for monitoring or analysis purposes; it has no role in failover or load balancing.

32
MCQmedium

A network administrator wants to collect logs from multiple routers and switches to a central server for analysis. Which protocol should be configured on the devices to send logs to the server?

A.SNMP
B.Syslog
C.NetFlow
D.TFTP
AnswerB

Syslog is specifically designed for logging and log collection, making it the correct choice.

Why this answer

Syslog (RFC 5424) is the standard protocol for sending event messages (logs) from network devices like routers and switches to a central log server. It uses UDP port 514 by default (or TCP 6514 for reliable delivery) and allows administrators to collect, store, and analyze system messages from multiple devices in one location.

Exam trap

Cisco often tests the distinction between SNMP traps (event alerts) and syslog (continuous log streaming), leading candidates to mistakenly choose SNMP because they think 'traps' are the same as sending logs.

How to eliminate wrong answers

Option A (SNMP) is wrong because SNMP is used for monitoring and managing device status via MIBs and traps, not for streaming continuous log messages; SNMP traps are event-driven alerts, not a full log collection mechanism. Option C (NetFlow) is wrong because NetFlow is a traffic accounting and flow analysis protocol that exports IP flow statistics (e.g., source/destination IPs, ports, byte counts), not system logs or event messages. Option D (TFTP) is wrong because TFTP is a trivial file transfer protocol used for backing up or restoring device configurations and firmware images, not for sending real-time log data to a server.

33
MCQeasy

A network engineer needs to update the firmware on dozens of access points located across multiple office floors. The APs are managed by a central wireless controller. Which protocol should the controller use to transfer the firmware file to each AP?

A.FTP
B.TFTP
C.HTTP
D.SNMP
AnswerB

TFTP is lightweight and widely supported by network devices for transferring firmware images.

Why this answer

The correct answer is TFTP (Trivial File Transfer Protocol). Wireless LAN controllers (WLCs) use TFTP to push firmware images to lightweight access points (APs) because TFTP is lightweight, connectionless, and requires minimal memory and processing overhead on the AP. This makes it ideal for the simple, one-way file transfer of a firmware binary during the AP boot or upgrade process, where the AP acts as a TFTP client and the controller as the server.

Exam trap

The trap here is that candidates often choose FTP or HTTP because they are more familiar for file transfers, but they overlook that TFTP is the standard protocol used by Cisco wireless controllers for AP firmware upgrades due to its simplicity and low overhead.

How to eliminate wrong answers

Option A (FTP) is wrong because FTP requires a full TCP connection with session management and authentication, which adds unnecessary complexity and overhead for a simple firmware push to dozens of APs; controllers typically do not run an FTP server for AP upgrades. Option C (HTTP) is wrong because HTTP is a web-based protocol that is not natively supported by lightweight APs for firmware downloads; controllers use TFTP or occasionally CAPWAP multicast for image distribution, not HTTP. Option D (SNMP) is wrong because SNMP is a management and monitoring protocol used for reading and writing MIB variables (e.g., configuration changes or status polling), not for bulk file transfer of firmware images.

34
MCQhard

A network administrator scheduled a change window to upgrade the firmware on a core switch. During the upgrade, the switch fails to boot properly. The administrator needs to restore the switch to its previous operational state. Which of the following should the administrator have done before the upgrade to facilitate a successful rollback?

A.Notified all users of the maintenance window.
B.Backed up the current configuration and firmware image.
C.Disconnected all redundant links.
D.Set the switch to boot from an alternative image.
AnswerB

A backup of both the configuration and the firmware image is essential to restore the switch to its exact previous state.

Why this answer

Option B is correct because backing up both the current configuration and the firmware image ensures that the administrator can restore the switch to its exact previous operational state if the upgrade fails. Without a backup of the firmware image, the switch may not have a valid bootable image to revert to, even if the configuration is saved. This is a fundamental prerequisite for any firmware upgrade rollback plan.

Exam trap

The trap here is that candidates often confuse 'backing up the configuration' with 'backing up the firmware image,' assuming a configuration backup alone is sufficient for a full rollback, but without the firmware image the switch may have no bootable OS to load.

How to eliminate wrong answers

Option A is wrong because notifying users of the maintenance window is a communication best practice but does not provide any technical mechanism to restore the switch after a failed boot. Option C is wrong because disconnecting redundant links is a safety measure to prevent loops or traffic disruptions during the upgrade, but it does not preserve the previous firmware or configuration for rollback. Option D is wrong because setting the switch to boot from an alternative image only works if a valid alternative image already exists on the device; without a prior backup, there may be no alternative image available, and this action does not guarantee a rollback to the exact previous state.

35
MCQmedium

A network administrator needs to automatically back up the configuration files of all network devices (routers, switches, firewalls) to a central server every night. The administrator requires the transfer to be encrypted to protect sensitive configuration data. Which protocol should the administrator use to retrieve the configuration files?

A.TFTP
B.FTP
C.SCP
D.HTTP
AnswerC

SCP (Secure Copy) runs over SSH, ensuring encryption and authentication. It is commonly used for secure file transfers in network environments.

Why this answer

SCP (Secure Copy Protocol) uses SSH for encrypted file transfers, making it ideal for securely retrieving configuration files from network devices to a central server. It ensures both authentication and data encryption, protecting sensitive configuration data during transit.

Exam trap

Cisco often tests SCP versus TFTP, where candidates mistakenly choose TFTP because it is simpler and commonly used for backups, but they overlook the encryption requirement specified in the question.

How to eliminate wrong answers

Option A is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 with no encryption or authentication, making it insecure for transferring sensitive configuration files. Option B is wrong because FTP (File Transfer Protocol) transmits data in cleartext, including usernames and passwords, and lacks encryption unless used with FTPS (FTP over SSL/TLS). Option D is wrong because HTTP (Hypertext Transfer Protocol) transmits data in cleartext and does not provide encryption; HTTPS would be required for secure transfers, but it is not listed as an option.

36
MCQmedium

A network administrator has completed a scheduled firmware upgrade on a core switch. After verifying successful operation, which document should the administrator update to reflect the new firmware version?

A.Network logical topology diagram
B.Change management log
C.Rack diagram
D.Inventory management system
AnswerB

The change management log records all network changes, including firmware upgrades, providing an audit trail for compliance and troubleshooting.

Why this answer

The change management log is the correct document to update because it records all modifications to the network, including firmware upgrades, along with details such as the date, reason, and new version. This log ensures compliance with ITIL change management processes and provides an audit trail for troubleshooting and future changes. Updating it after a successful firmware upgrade is a standard operational procedure to maintain accurate change history.

Exam trap

Cisco often tests the distinction between documentation types, and the trap here is that candidates confuse the inventory management system (which tracks hardware assets) with the change management log (which tracks operational changes), leading them to choose D instead of B.

How to eliminate wrong answers

Option A is wrong because a network logical topology diagram shows the logical layout of devices, subnets, and routing protocols, not firmware versions; updating it with firmware details would clutter the diagram and violate its purpose. Option C is wrong because a rack diagram documents physical device placement, rack units, and cabling, not software or firmware versions; it is used for physical asset management, not version tracking. Option D is wrong because an inventory management system tracks hardware assets, serial numbers, and procurement details, but firmware versions are typically not its primary focus; while some systems may include firmware, the change management log is the formal record for documenting changes like firmware upgrades.

37
MCQmedium

A network administrator wants to centrally monitor the bandwidth utilization on a router's serial interface over time. The monitoring tool needs to periodically poll the router for current interface counters. Which protocol should be used for this polling?

A.SNMP
B.Syslog
C.NetFlow
D.ICMP
AnswerA

SNMP uses MIBs to expose interface counters, which a management station can poll (SNMP GET requests) to calculate bandwidth utilization over time.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is specifically designed for polling network devices to retrieve operational statistics such as interface counters (e.g., ifInOctets, ifOutOctets) from a Management Information Base (MIB). The network administrator can configure an SNMP manager to periodically poll the router's serial interface OIDs, enabling centralized bandwidth utilization monitoring over time.

Exam trap

Cisco often tests the distinction between polling (SNMP) and push-based reporting (Syslog, NetFlow), and the trap here is that candidates confuse NetFlow's flow export capability with simple interface counter polling, or assume Syslog can be used for periodic data retrieval.

How to eliminate wrong answers

Option B (Syslog) is wrong because Syslog is a protocol for event logging and message forwarding, not for polling interface counters; it sends unsolicited log messages from devices to a server. Option C (NetFlow) is wrong because NetFlow is a flow-based traffic accounting and analysis technology that exports detailed IP flow records, not a polling mechanism for simple interface counters. Option D (ICMP) is wrong because ICMP is used for network diagnostics like ping and traceroute, not for retrieving interface utilization data from a router's MIB.

38
MCQmedium

A network administrator needs to upgrade the firmware on a core switch. According to change management best practices, which step should be performed first?

A.Download the new firmware
B.Create a backup of the current configuration
C.Submit a change request
D.Schedule a maintenance window
AnswerC

The first step is to submit a change request for approval.

Why this answer

According to change management best practices, the first step in any network change is to submit a change request (option C). This ensures the proposed firmware upgrade is reviewed, approved, and documented before any technical actions are taken, reducing the risk of unplanned outages and providing a rollback plan. Skipping this step violates ITIL/change management frameworks and can lead to unauthorized changes that impact network stability.

Exam trap

The trap here is that candidates often confuse operational best practices with technical steps, assuming that backing up the configuration (option B) is always the first action, but change management mandates that formal authorization precedes any technical work, even backups, to ensure proper governance and audit trails.

How to eliminate wrong answers

Option A is wrong because downloading the new firmware before obtaining approval violates change control processes; the firmware should only be obtained after the change is authorized. Option B is wrong because while creating a backup of the current configuration is a critical step, it should occur after the change request is approved and as part of the implementation plan, not as the first step. Option D is wrong because scheduling a maintenance window is a downstream activity that depends on the approved change request and its risk assessment; performing it first would be premature without formal authorization.

39
MCQmedium

A network administrator is preparing to upgrade the firmware on a critical router. Which document should the administrator consult to understand the steps required to minimize downtime and ensure a successful upgrade?

A.SLA
B.Change management plan
C.Network diagram
D.Baseline performance report
AnswerB

The change management plan documents the process for making changes to the network, including risk assessment, detailed steps, testing, approval, and rollback procedures. It is the appropriate resource to ensure a methodical and safe upgrade.

Why this answer

The change management plan documents the approved procedures, rollback steps, and communication protocols for performing maintenance on critical infrastructure. Consulting this plan ensures the administrator follows the organization's predefined steps to minimize downtime and mitigate risks during the firmware upgrade.

Exam trap

The trap here is that candidates confuse a change management plan with a network diagram or SLA, assuming that knowing the topology or contractual uptime is sufficient to perform a safe upgrade, when in fact the procedural steps and rollback strategy are documented only in the change management plan.

How to eliminate wrong answers

Option A is wrong because an SLA (Service Level Agreement) defines uptime guarantees and penalties, not the step-by-step upgrade procedures. Option C is wrong because a network diagram shows physical/logical topology and device connections, but does not contain the operational steps or rollback procedures needed for a firmware upgrade. Option D is wrong because a baseline performance report captures normal traffic and utilization metrics for comparison after a change, but it does not prescribe the upgrade process itself.

40
MCQmedium

A network administrator needs to analyze bandwidth usage by application and identify top talkers on the network. Which protocol or technology should be used to export detailed traffic flow information from routers and switches to a central collector?

A.NetFlow
B.SNMP
C.ICMP
D.SMTP
AnswerA

NetFlow exports flow records that contain information about each traffic flow, enabling detailed bandwidth and application analysis.

Why this answer

NetFlow is the correct choice because it is a Cisco-developed protocol designed specifically to export detailed IP traffic flow information—including source/destination IPs, ports, protocols, and byte counts—from routers and switches to a central collector for bandwidth usage analysis and top talker identification. Unlike simpler monitoring tools, NetFlow provides per-flow granularity, enabling administrators to pinpoint which applications and hosts are consuming the most bandwidth.

Exam trap

Cisco often tests the distinction between SNMP and NetFlow, where candidates mistakenly choose SNMP because they associate it with network monitoring, but SNMP lacks the per-flow granularity needed for top talker and application analysis.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP is used for polling device statistics like interface utilization and error counters, but it does not export per-flow traffic details such as application-level data or top talkers; it only provides aggregate interface-level metrics. Option C (ICMP) is wrong because ICMP is a network-layer protocol used for error reporting and diagnostic utilities like ping and traceroute, not for exporting traffic flow records. Option D (SMTP) is wrong because SMTP is an application-layer protocol for email transmission and has no role in network traffic flow export or bandwidth analysis.

41
MCQeasy

A network monitoring tool uses SNMP to collect data from devices. What is the primary purpose of SNMP traps?

A.To allow a manager to poll devices for current status
B.To enable devices to send unsolicited alerts to the management system
C.To encrypt SNMP communications
D.To provide authentication for SNMP messages
AnswerB

Traps are event-driven, unsolicited messages from agents to the manager for alerting purposes.

Why this answer

SNMP traps are unsolicited messages sent by an SNMP agent to the network management system (NMS) to immediately notify it of a significant event, such as a link failure or high CPU utilization. This push mechanism allows the NMS to react in real time without having to poll the device, reducing bandwidth and processing overhead. The correct answer is B because traps are specifically designed for asynchronous alerting, not for polling, encryption, or authentication.

Exam trap

Cisco often tests the distinction between traps (unsolicited, unconfirmed) and informs (confirmed), and candidates mistakenly think traps are used for polling or that they inherently provide security features like encryption or authentication.

How to eliminate wrong answers

Option A is wrong because polling devices for current status is performed using SNMP Get requests (GetRequest, GetNextRequest, GetBulkRequest), not traps; traps are unsolicited alerts sent from the agent to the manager. Option C is wrong because SNMPv3 provides encryption (via the User-based Security Model, USM) but traps themselves are not a mechanism for encryption; they are a message type that can be encrypted if SNMPv3 is used. Option D is wrong because authentication for SNMP messages is provided by SNMPv3's USM, not by traps; traps are a notification type that can include authenticated data but do not provide authentication themselves.

42
MCQeasy

A network administrator wants to automate the backup of configuration files from multiple routers and switches. Which protocol is commonly used for this purpose and is supported by most network devices?

A.FTP
B.TFTP
C.SFTP
D.HTTP
AnswerB

TFTP is a lightweight, connectionless protocol that is ideal for transferring small files like configuration backups without complex setup.

Why this answer

TFTP (Trivial File Transfer Protocol) is the correct choice because it is a lightweight, connectionless UDP-based protocol (port 69) that is widely supported on network devices like routers and switches for automated configuration backups. Its simplicity and minimal overhead make it ideal for scripting backup operations, even though it lacks security features like authentication or encryption.

Exam trap

Cisco often tests the distinction between TFTP and FTP/SFTP by emphasizing that TFTP is the simplest and most universally supported protocol for automated backups, even though it lacks security, leading candidates to incorrectly choose SFTP for its encryption without considering device support limitations.

How to eliminate wrong answers

Option A is wrong because FTP (File Transfer Protocol) uses TCP (ports 20/21) and requires session establishment and authentication, which adds complexity and is less commonly supported in automated scripts on network devices compared to TFTP. Option C is wrong because SFTP (SSH File Transfer Protocol) runs over SSH (port 22) and provides encryption and authentication, but many older or lower-end network devices do not support SFTP, and it is not the default or most common protocol for simple configuration backups. Option D is wrong because HTTP (Hypertext Transfer Protocol) is typically used for web-based management interfaces and is not a standard protocol for direct device-to-server configuration file transfers; it lacks the lightweight, UDP-based efficiency that TFTP offers for automated backups.

43
MCQmedium

A network administrator wants to be alerted immediately when any interface on a core router goes down. The administrator has already configured SNMP community strings. Which additional configuration is necessary to receive these alerts?

A.Configure the router to send SNMP traps to the NMS
B.Perform an SNMP walk of the interface OIDs
C.Use SNMP get to retrieve interface status periodically
D.Configure SNMP set to change interface parameters
AnswerA

Correct. Alerts for interface down events are sent via SNMP traps. The router must be configured with the IP address of the trap receiver (NMS).

Why this answer

SNMP traps are unsolicited notifications sent from the managed device (the router) to the Network Management Station (NMS) when a specific event occurs, such as an interface going down. Since the administrator wants immediate alerts without polling, configuring the router to send SNMP traps to the NMS is the correct approach. The SNMP community strings are already set, so the missing piece is the trap destination and enabling trap generation for interface state changes.

Exam trap

CompTIA often tests the distinction between polling (SNMP get/walk) and event-driven notifications (traps), and candidates mistakenly choose periodic polling (Option C) thinking it provides 'immediate' alerts, not realizing that polling introduces latency and is not truly immediate.

How to eliminate wrong answers

Option B is wrong because an SNMP walk is a polling operation that retrieves all OIDs in a subtree; it does not enable real-time alerts and requires the NMS to initiate the query. Option C is wrong because using SNMP get to periodically retrieve interface status is a polling mechanism, which introduces delay and does not provide immediate notification of an interface down event. Option D is wrong because SNMP set is used to modify configuration parameters on the device, not to receive alerts; it is a write operation, not a notification mechanism.

44
MCQmedium

A network administrator needs to identify which hosts are generating the most traffic on the network and what types of traffic (e.g., HTTP, FTP). Which monitoring technology should be deployed?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

Correct. NetFlow collects detailed flow data, allowing identification of top talkers, applications, and traffic patterns.

Why this answer

NetFlow is the correct choice because it provides detailed visibility into network traffic flows, including source/destination IPs, ports, protocols, and application-level information (e.g., HTTP, FTP). Unlike SNMP, which only gives aggregate interface statistics, or Syslog, which logs device events, NetFlow captures per-flow metadata that directly answers the question of which hosts are generating the most traffic and what types of traffic they are using.

Exam trap

The trap here is that candidates often confuse SNMP's ability to show interface utilization with the need to identify specific hosts and application types, leading them to pick SNMP when NetFlow is required for per-flow granularity.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) polls counters like interface bytes/packets but does not identify individual hosts or application types—it only shows aggregate bandwidth usage per interface. Option C is wrong because Syslog is a logging protocol for device events (e.g., errors, reboots, security alerts) and does not capture traffic flow data or application-layer details; it cannot identify which hosts are generating traffic or differentiate HTTP from FTP.

45
MCQmedium

A network administrator is setting up SNMPv3 on a router for secure monitoring. Which of the following is required for SNMPv3 authentication?

A.Community string
B.Username and password
C.Encryption key
D.Public key
AnswerB

SNMPv3 authentication requires a username and an authentication password (or passphrase) that is used to generate a hash, verifying the source of the message.

Why this answer

SNMPv3 introduces a security model that requires a username and password (authentication passphrase) for authentication, moving away from the community-string-based model of SNMPv1/v2c. The password is used with an authentication protocol like MD5 or SHA to verify the identity of the manager before allowing access. Without a valid username and password combination, SNMPv3 will reject the request.

Exam trap

The trap here is that candidates confuse the community string (SNMPv1/v2c) with SNMPv3's username/password model, or they mistakenly think an encryption key alone satisfies authentication requirements, when in fact authentication and privacy are configured independently.

How to eliminate wrong answers

Option A is wrong because community strings are used only in SNMPv1 and SNMPv2c for authentication, not in SNMPv3, which uses a user-based security model (USM) defined in RFC 3414. Option C is wrong because an encryption key is used for privacy (encryption of SNMP payloads), not for authentication; authentication and privacy are separate security levels in SNMPv3.

46
MCQmedium

A network technician needs to capture and analyze packets on a specific network segment to identify the source of a performance slowdown. Which tool is best suited for this task?

A.Protocol analyzer (e.g., Wireshark)
B.Port scanner (e.g., Nmap)
C.Ping
D.Traceroute
AnswerA

Protocol analyzers capture raw packets and allow detailed inspection of headers and payloads, ideal for troubleshooting performance issues.

Why this answer

A protocol analyzer like Wireshark is the correct tool because it captures and decodes packets at the data-link layer, allowing the technician to inspect frame headers, IP addresses, TCP/UDP ports, and payload contents on a specific network segment. This deep packet inspection is essential for identifying the root cause of performance slowdowns, such as excessive retransmissions, high latency, or application-layer issues. Unlike other tools, a protocol analyzer provides granular visibility into traffic patterns and protocol behavior.

Exam trap

The trap here is that candidates often confuse a protocol analyzer with a port scanner or a simple connectivity tool, assuming that Ping or Traceroute can provide enough data to diagnose performance slowdowns, when in fact they lack the packet-level detail required for root-cause analysis.

How to eliminate wrong answers

Option B (Port scanner, e.g., Nmap) is wrong because it is designed to discover open ports and services on hosts, not to capture and analyze packets for performance troubleshooting. Option C (Ping) is wrong because it only tests basic reachability and round-trip time using ICMP echo requests, which does not provide packet-level details or capture traffic on a segment. Option D (Traceroute) is wrong because it maps the path packets take to a destination by manipulating TTL values, but it does not capture or analyze the content of packets on a specific network segment.

47
MCQmedium

A network monitoring system alerts that a specific router interface has been flapping (repeatedly going up and down) for the past hour. Which of the following is the MOST likely cause of this behavior?

A.Faulty transceiver
B.High CPU utilization on the router
C.Incorrect SNMP community string
D.Routing protocol misconfiguration
AnswerA

A faulty SFP or GBIC can cause the interface to lose link sporadically, resulting in flapping.

Why this answer

A faulty transceiver is the most likely cause of interface flapping because physical-layer issues, such as a failing SFP or GBIC, can cause intermittent loss of signal or link synchronization. The router's interface detects the loss of carrier and brings the link down, then re-establishes it when the signal returns, creating a repeated up/down cycle. This is a common hardware failure mode distinct from software or configuration problems.

Exam trap

The trap here is that candidates confuse 'route flapping' (caused by routing protocol issues) with 'interface flapping' (a physical-layer problem), leading them to incorrectly select routing protocol misconfiguration.

How to eliminate wrong answers

Option B is wrong because high CPU utilization on the router can cause slow processing but does not directly cause the physical link state to toggle; it may lead to control-plane issues like dropped routing updates but not interface flapping. Option C is wrong because an incorrect SNMP community string would prevent the monitoring system from polling or receiving traps, but it would not cause the interface itself to go up and down. Option D is wrong because a routing protocol misconfiguration can cause route flapping (routes being advertised and withdrawn) but does not cause the physical interface state to change; the interface remains up while the routing table fluctuates.

48
MCQmedium

A network administrator needs to schedule a firmware upgrade on a core switch during the next maintenance window. According to best practices, which document should the administrator create and have approved before making the change?

A.A network diagram showing the current topology.
B.An incident report detailing previous firmware issues.
C.A change request form with a rollback plan and approval signatures.
D.A baseline performance report from the current firmware version.
AnswerC

A change request is the standard document used in change management. It includes the scope, risk assessment, implementation steps, rollback plan, and requires approval from the change board.

Why this answer

Option C is correct because a change request form with a rollback plan and approval signatures ensures that the firmware upgrade follows the ITIL change management process, which is a best practice for network operations. This document provides a structured approach to assess risks, obtain authorization, and define steps to revert the switch to its previous state if the upgrade fails, minimizing downtime and impact on the network.

Exam trap

The trap here is that candidates confuse operational documents (like diagrams or incident reports) with the formal change management documentation required by ITIL, leading them to overlook the need for a change request with a rollback plan and approval signatures.

How to eliminate wrong answers

Option A is wrong because a network diagram showing the current topology is a reference document for understanding the network layout, but it does not serve as a formal authorization or risk mitigation plan for a change. Option B is wrong because an incident report detailing previous firmware issues is a historical record for troubleshooting, not a forward-looking document that outlines the change procedure, rollback steps, or obtains approval for a scheduled upgrade.

49
MCQmedium

A network administrator wants to configure routers to send syslog messages only for events of severity 'error' (3) or higher (more severe). Which severity level should be set as the trap level?

A.0 (emergencies)
B.3 (errors)
C.2 (critical)
D.4 (warnings)
AnswerB

Correct. Setting the trap level to 3 ensures that all messages with severity 0, 1, 2, and 3 are logged. This matches the requirement of errors and higher severity.

Why this answer

Option B is correct because setting the trap level to 3 (errors) instructs the router to send syslog messages for severity 3 and every numerically lower (more severe) level, that is, severities 0 through 3. This matches the requirement to capture events of severity 'error' (3) or more severe.

Exam trap

The trap here is that candidates often mistakenly think the trap level filters only that exact severity, when in fact it includes that level and all numerically lower (more severe) levels, leading them to choose a lower number like 2 or 0 instead of the correct 3.

How to eliminate wrong answers

Option A is wrong because setting the trap level to 0 (emergencies) would only send messages for severity 0, missing all events at severity 1, 2, and 3, including the required 'error' events. Option C is wrong because setting the trap level to 2 (critical) would send messages for severities 0, 1, and 2, but would exclude severity 3 (errors), which the administrator explicitly wants to include.

50
MCQeasy

A network administrator is documenting the network topology. Which of the following tools is best suited for creating a diagram that shows the logical connections between network devices?

A.Microsoft Excel
B.Microsoft Visio
C.SNMP
D.Notepad
AnswerB

Visio is a professional diagramming application commonly used to create detailed network topology diagrams, including logical and physical layouts.

Why this answer

Microsoft Visio is the correct tool because it is specifically designed for creating professional network topology diagrams, including logical connections between devices. Unlike general-purpose tools, Visio provides network-specific shapes, templates, and layering capabilities that accurately represent logical relationships such as VLANs, subnets, and routing paths.

Exam trap

The trap here is that candidates confuse SNMP (a monitoring protocol) with a diagramming tool, assuming it can generate topology maps automatically, but SNMP only provides raw data and requires a separate tool like Visio for logical visualization.

How to eliminate wrong answers

Option A is wrong because Microsoft Excel is a spreadsheet application used for data analysis and tabular organization, not for creating network topology diagrams; it lacks network-specific shapes and connection logic. Option C is wrong because SNMP (Simple Network Management Protocol) is a network management protocol used for monitoring and collecting device metrics, not for diagramming logical connections. Option D is wrong because Notepad is a plain text editor with no graphical or diagramming capabilities, making it unsuitable for any visual topology representation.

51
MCQmedium

A network administrator needs to identify which devices are generating the most traffic on a WAN link. The administrator requires detailed flow data including source and destination IP addresses, ports, and protocols. Which technology should be deployed?

A.SNMP polling
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow records contain flow attributes like IP addresses, ports, and protocol, ideal for traffic analysis.

Why this answer

NetFlow is the correct technology because it provides detailed flow-level data, including source and destination IP addresses, ports, and protocols, which is exactly what the administrator needs to identify which devices are generating the most traffic on a WAN link. Unlike SNMP or Syslog, NetFlow exports metadata about network flows, allowing for granular traffic analysis and bandwidth usage per conversation.

Exam trap

The trap here is that candidates often confuse SNMP's interface utilization data with the detailed per-flow information that only NetFlow provides, leading them to choose SNMP polling when the question explicitly asks for source/destination IPs, ports, and protocols.

How to eliminate wrong answers

Option A is wrong because SNMP polling retrieves aggregate interface statistics (e.g., bytes in/out, packet counts) but does not provide per-flow details like source/destination IPs, ports, or protocols. Option C is wrong because Syslog is used for logging system events and error messages, not for capturing network traffic flow data or bandwidth usage per conversation.

52
MCQmedium

A network administrator needs to analyze bandwidth utilization and application traffic patterns on a WAN link. The administrator requires detailed flow-level data, including source/destination IP addresses, ports, and protocol. Which technology should be deployed?

A.SNMP
B.NetFlow
C.Syslog
D.ICMP
AnswerB

NetFlow exports flow records containing detailed information about each network conversation, ideal for traffic analysis.

Why this answer

NetFlow is the correct choice because it provides detailed flow-level data, including source/destination IP addresses, ports, and protocol information, which is essential for analyzing bandwidth utilization and application traffic patterns on a WAN link. Unlike simpler monitoring tools, NetFlow captures metadata about each network flow, allowing administrators to identify which applications and hosts are consuming bandwidth.

Exam trap

CompTIA often tests the distinction between SNMP and NetFlow, where candidates mistakenly choose SNMP because they think it provides detailed traffic analysis, but SNMP only gives aggregate interface counters, not per-flow data.

How to eliminate wrong answers

Option A (SNMP) is wrong because it provides aggregate interface statistics (e.g., bandwidth utilization, packet counts) but lacks the granular flow-level details such as source/destination IP addresses, ports, and protocols. Option C (Syslog) is wrong because it is used for logging system events and error messages, not for capturing network traffic flow data or bandwidth utilization patterns. Option D (ICMP) is wrong because it is a diagnostic protocol used for error reporting and connectivity testing (e.g., ping, traceroute) and does not provide any flow-level or application-layer traffic analysis.

53
Matchingmedium

Match each network command to its primary function.

Concepts
Matches

Test reachability and measure round-trip time

Trace the path packets take to a destination

Query DNS for domain name or IP resolution

Display active network connections and listening ports

View and manage IP configuration on Windows

Why these pairings

These are common network troubleshooting commands.

54
MCQmedium

A network technician needs to find which physical patch panel port in the server room connects to a specific office wall jack. Which type of network documentation should the technician consult?

A.Logical topology diagram
B.Cabling diagram
C.Network baseline
D.Rack diagram
AnswerB

Cabling diagrams document the physical cabling infrastructure, including identifiers for patch panels, wall jacks, and cables.

Why this answer

A cabling diagram provides the physical layer (Layer 1) documentation that maps specific patch panel ports to wall jacks, including cable runs, termination points, and labeling. This is exactly what the technician needs to trace the physical connection from the server room patch panel to the office wall jack.

Exam trap

CompTIA often tests the distinction between physical and logical documentation, and the trap here is that candidates confuse a logical topology diagram (which shows data flow) with a cabling diagram (which shows physical connections), leading them to select A instead of B.

How to eliminate wrong answers

Option A is wrong because a logical topology diagram shows Layer 2/3 relationships (e.g., VLANs, IP subnets, routing protocols) and does not include physical port-to-jack mappings. Option C is wrong because a network baseline is a performance benchmark (e.g., throughput, latency, utilization) used for comparison over time, not a physical connectivity map. Option D is wrong because a rack diagram shows the physical layout of equipment within racks (e.g., switch placement, power, cooling) but does not detail cable termination points or wall jack associations.

55
MCQeasy

A network administrator is reviewing syslog messages generated by a switch. The administrator wants to see only the most critical events, such as system failures. Which syslog severity level should be configured as the filter?

A.0 – Emergency
B.1 – Alert
C.4 – Warning
D.7 – Debug
AnswerA

Emergency messages indicate the system is unusable and require immediate attention.

Why this answer

Syslog severity level 0 (Emergency) is the highest severity, indicating system-level failures that render the switch unusable. By filtering for level 0, the administrator ensures only the most critical events, such as kernel panics or hardware failures, are displayed, excluding all less severe messages.

Exam trap

CompTIA often tests the misconception that 'Alert' (level 1) is the highest severity because of its name, but Emergency (level 0) is actually the most critical per the syslog standard.

How to eliminate wrong answers

Option B (Alert) is wrong because severity level 1 indicates immediate action is needed (e.g., critical temperature threshold), but it is not the highest severity and includes events less critical than system failures. Option C (Warning) is wrong because level 4 indicates non-urgent notifications (e.g., configuration changes) that do not represent system failures. Option D (Debug) is wrong because level 7 is the lowest severity, used for detailed debugging information that would flood the log with non-critical data.

56
MCQeasy

A network administrator is investigating reports of slow network performance. Which tool should the administrator use to capture and analyze individual packets to identify the cause of the latency?

A.A
B.B
C.C
D.D
AnswerD

A protocol analyzer captures and displays the contents of packets, enabling detailed troubleshooting of latency issues.

Why this answer

Option D is correct because a packet analyzer (e.g., Wireshark, tcpdump) captures and decodes individual packets, allowing the administrator to inspect frame-level details, identify retransmissions, TCP window scaling issues, or application-layer delays that cause latency. Unlike aggregate monitoring tools, packet analysis provides the granularity needed to pinpoint the exact cause of slow performance.

Exam trap

The trap here is that candidates confuse a packet analyzer with a throughput tester (Option A), assuming that measuring bandwidth alone will reveal latency causes, when in fact packet-level inspection is required to identify retransmissions, windowing issues, or application-layer delays.

How to eliminate wrong answers

Option A is wrong because a bandwidth speed test (e.g., iperf, Ookla) measures throughput but does not capture or analyze individual packets; it only provides aggregate performance metrics. Option B is wrong because a network mapping tool (e.g., Nmap, CDP/LLDP) discovers devices and topology but does not inspect packet contents or latency causes. Option C is wrong because a syslog server collects log messages from devices but does not capture or decode raw packets; it relies on device-generated events, not packet-level analysis.

57
MCQmedium

A network administrator needs to securely transfer backup configuration files from a router to a remote server over the internet. Which protocol should be used?

A.TFTP
B.FTP
C.SCP
D.SNMP
AnswerC

Correct. SCP uses SSH for encryption, providing secure file transfer.

Why this answer

SCP (Secure Copy Protocol) is the correct choice because it provides encrypted file transfers over SSH, ensuring confidentiality and integrity of backup configuration files transmitted over the internet. Unlike TFTP or FTP, SCP authenticates the remote server and encrypts the data in transit, which is essential for secure remote backups.

Exam trap

Cisco often tests the distinction between TFTP (for local, unsecured boot/backup) and SCP (for secure remote transfers), and the trap here is that candidates might choose TFTP because it is commonly used for router backups in lab environments, overlooking the 'over the internet' security requirement.

How to eliminate wrong answers

Option A is wrong because TFTP (Trivial File Transfer Protocol) uses UDP port 69 with no authentication or encryption, making it unsuitable for secure transfers over the internet and typically limited to local LAN bootstrapping. Option B is wrong because FTP (File Transfer Protocol) transmits data and credentials in cleartext over TCP ports 20/21, offering no encryption and exposing the backup files to interception.

58
MCQmedium

A network administrator plans to make a configuration change on a core switch during a maintenance window. According to best practices, which document should the administrator prepare and have approved before making the change?

A.Change management request
B.Network diagram
C.Incident report
D.Backup configuration
AnswerA

Correct. A change management request is the formal document that details the planned change, its purpose, impact, testing, and rollback plan. It requires approval before implementation.

Why this answer

A change management request is the correct document because it formalizes the proposed configuration change, including the scope, risk assessment, rollback plan, and approval chain. This ensures that all stakeholders review and authorize the change before implementation, reducing the risk of unintended network outages or security gaps. Best practices from ITIL and Cisco's own change management guidelines mandate this process for any production network device modification.

Exam trap

Cisco often tests the distinction between operational documents (diagrams, reports) and procedural documents (change requests), trapping candidates who confuse a supporting artifact with the required approval document.

How to eliminate wrong answers

Option B (Network diagram) is wrong because a network diagram is a static reference document that shows the current topology and connectivity, not a procedural document for authorizing changes; it may be used during planning but does not require approval for a specific change. Option C (Incident report) is wrong because an incident report documents an event that has already occurred (e.g., an outage or security breach), not a planned change; it is created after the fact, not before a maintenance window.

59
MCQeasy

A network administrator needs to ensure that network device configurations are automatically backed up to a central server. Which protocol is commonly used for secure file transfer of configurations?

A.TFTP
B.FTP
C.SFTP
D.HTTP
AnswerC

SFTP provides secure encrypted file transfers over SSH, ideal for backing up configurations.

Why this answer

SFTP (SSH File Transfer Protocol) is the correct choice because it provides encrypted, secure file transfers over an SSH session, making it ideal for backing up sensitive network device configurations to a central server. Unlike TFTP or FTP, SFTP ensures both authentication and data confidentiality, which is critical for network operations.

Exam trap

The trap here is that candidates often confuse TFTP's simplicity and widespread use in network device booting (e.g., IOS image transfers) with a secure backup solution, overlooking that TFTP lacks any security mechanisms.

How to eliminate wrong answers

Option A (TFTP) is wrong because it uses UDP port 69 with no encryption or authentication, making it insecure for transferring sensitive configuration files over a network. Option B (FTP) is wrong because it transmits data in cleartext, including credentials, and lacks built-in encryption, posing a security risk. Option D (HTTP) is wrong because it is unencrypted and typically used for web traffic, not for secure file transfers of configurations.

60
MCQeasy

A network administrator needs to monitor the health and performance of network devices and receive alerts when link failures occur. Which of the following protocols should be implemented?

A.SNMP
B.SMTP
C.SSH
D.TFTP
AnswerA

SNMP allows monitoring and alerting for network device status and performance.

Why this answer

SNMP (Simple Network Management Protocol) is the correct choice because it is specifically designed to monitor and manage network devices, collect performance metrics, and send traps or notifications when events like link failures occur. SNMP agents on devices report status to a management system, which can generate alerts based on thresholds or trap messages (e.g., linkDown traps per RFC 3418).

Exam trap

The trap here is that candidates often confuse SNMP with SMTP because both can be involved in alerting, but SMTP is only a delivery mechanism for email-based alerts, not the protocol that actually monitors devices and detects link failures.

How to eliminate wrong answers

Option B (SMTP) is wrong because SMTP is a protocol for sending email messages, not for network device monitoring or receiving link failure alerts; it could be used to forward alerts via email but is not the monitoring protocol itself. Option C (SSH) is wrong because SSH provides secure remote command-line access and file transfer, but it lacks the standardized polling, trap, and MIB-based monitoring capabilities required for automated health and performance monitoring. Option D (TFTP) is wrong because TFTP is a trivial file transfer protocol used for tasks like backing up configurations or upgrading firmware, not for monitoring device health or receiving link failure alerts.

61
MCQeasy

A network technician needs to back up the configuration file of a managed switch to a central server on a regular basis. The switch supports a simple and widely used protocol for this purpose. Which of the following protocols should the technician use?

A.TFTP
B.HTTP
C.SNMP
D.SSH
AnswerA

TFTP is designed for simple file transfer and is the standard protocol used by network devices for configuration backup.

Why this answer

TFTP (Trivial File Transfer Protocol) is the correct choice because it is a simple, lightweight protocol designed specifically for transferring configuration files to and from network devices like managed switches. It uses UDP port 69 and requires no authentication or complex session setup, making it ideal for automated backup scripts that run on a regular basis. While it lacks security features, its simplicity and widespread support in network equipment firmware make it the standard for this purpose.

Exam trap

CompTIA often tests the distinction between TFTP for simple file transfers and SCP/SSH for secure transfers, leading candidates to choose SSH because they assume security is always required, but the question explicitly asks for a 'simple and widely used protocol' where security is not a stated requirement.

How to eliminate wrong answers

Option B (HTTP) is wrong because HTTP is a web-based protocol typically used for accessing management interfaces via a browser, not for efficient, scriptable file transfers; it adds unnecessary overhead and is not the standard protocol for switch configuration backups. Option C (SNMP) is wrong because SNMP is used for monitoring and managing network devices via MIBs and traps, not for transferring entire configuration files; it lacks the file transfer capability required for backup. Option D (SSH) is wrong because SSH is a secure remote access protocol used for interactive command-line sessions or secure file transfer via SCP/SFTP, but the question specifies a 'simple and widely used protocol,' and SSH is more complex and resource-intensive than TFTP for automated backups.

62
MCQmedium

A network administrator needs to upgrade the firmware on a critical core router. The admin has downloaded the new firmware and verified its checksum. Which of the following should the admin do before proceeding with the installation?

A.Back up the current router configuration
B.Change the management IP address
C.Disable all physical interfaces
D.Remove the old firmware image
AnswerA

A configuration backup allows restoration to the pre-upgrade state if the new firmware causes issues or if rollback is needed.

Why this answer

Before upgrading firmware on a critical core router, backing up the current configuration ensures that if the upgrade fails or causes unexpected behavior, the original operational state can be restored quickly. This is a standard best practice in network operations to minimize downtime and avoid manual reconfiguration of complex routing protocols, ACLs, and interface settings.

Exam trap

The trap here is that candidates assume removing the old firmware frees space and is necessary, but Cisco tests the understanding that the old image should be kept as a fallback to prevent a bricked device if the new firmware fails to boot.

How to eliminate wrong answers

Option B is wrong because changing the management IP address is unnecessary and would disrupt remote access during the upgrade, increasing risk. Option C is wrong because disabling all physical interfaces would cause a complete network outage, which is not required for a firmware upgrade and violates high-availability principles. Option D is wrong because removing the old firmware image before installation is dangerous; if the new firmware fails to load, the router may be left without a bootable image, requiring physical console recovery via ROMmon or TFTP.

63
MCQhard

An organization is implementing a network monitoring solution that uses SNMP. The administrator wants to receive traps from all devices but is concerned about the security of SNMPv1/v2c community strings. Which SNMP version should be used to provide authentication and encryption?

A.SNMPv1
B.SNMPv2c
C.SNMPv3
D.SNMPv4
AnswerC

SNMPv3 provides authentication, integrity, and encryption to protect SNMP traffic.

Why this answer

SNMPv3 is the correct choice because it is the only version of SNMP that provides both authentication and encryption, addressing the security concerns with SNMPv1/v2c community strings. SNMPv3 supports user-based security models (USM) with features like message integrity, authentication, and encryption (e.g., using SHA/MD5 for auth and AES/DES for privacy). This ensures that traps are sent securely, preventing unauthorized access or tampering.

Exam trap

CompTIA often tests the misconception that SNMPv2c offers improved security over SNMPv1, but in reality, both v1 and v2c are equally insecure because they use plaintext community strings, while SNMPv3 is the only version that provides authentication and encryption.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses plaintext community strings with no authentication or encryption, making it highly insecure. Option B is wrong because SNMPv2c also relies on plaintext community strings and lacks any security enhancements beyond SNMPv1, despite adding new protocol operations like GetBulk. Option D is wrong because SNMPv4 does not exist as a standard; the SNMP protocol versions are v1, v2c, and v3, with v3 being the current secure version.

64
MCQmedium

A network administrator needs to create a diagram that shows the IP addressing scheme, VLAN assignments, and routing protocols used in the network. This diagram will be used for troubleshooting and future planning. Which type of documentation should the administrator create?

A.Physical topology diagram
B.Logical topology diagram
C.Rack elevation diagram
D.Cable management plan
AnswerB

A logical diagram represents the network as seen at OSI Layer 3, including IP subnets, VLANs, routing protocols, and logical connections.

Why this answer

A logical topology diagram is correct because it documents the IP addressing scheme, VLAN assignments, and routing protocols—abstract elements that define how data flows through the network, independent of physical device locations. This type of diagram is essential for troubleshooting Layer 3 issues and planning changes to the network's logical design.

Exam trap

Cisco often tests the distinction between physical and logical documentation by describing a scenario that mixes physical and logical elements, leading candidates to mistakenly choose a physical topology diagram when the question explicitly asks for IP schemes and VLANs.

How to eliminate wrong answers

Option A is wrong because a physical topology diagram shows the physical layout of devices, cabling, and interconnections, but it does not include IP addressing, VLANs, or routing protocols. Option C is wrong because a rack elevation diagram details the physical placement of equipment in racks, including power and cooling, but it omits logical constructs like IP schemes and routing protocols.

65
MCQeasy

A network technician needs to discover directly connected network devices and their capabilities for documentation purposes. Which protocol should be used?

A.SNMP
B.LLDP
C.ICMP
D.ARP
AnswerB

LLDP enables devices to advertise information about themselves to neighboring devices, making it suitable for discovering directly connected neighbors.

Why this answer

LLDP (Link Layer Discovery Protocol) is the correct choice because it is an IEEE 802.1AB standard protocol specifically designed to discover directly connected network devices and their capabilities, such as system name, port description, VLAN information, and management addresses. Unlike proprietary protocols, LLDP operates at Layer 2 and allows any vendor's equipment to advertise and learn about neighbors without requiring IP connectivity or a management station.

Exam trap

Cisco often tests the trap that candidates confuse LLDP with CDP (Cisco Discovery Protocol), but the question explicitly asks for a protocol to discover directly connected devices and their capabilities, and LLDP is the standards-based answer, while CDP is Cisco-proprietary and not always the correct choice in multi-vendor environments.

How to eliminate wrong answers

Option A (SNMP) is wrong because SNMP is a management protocol used to poll and retrieve MIB data from network devices, but it does not discover directly connected neighbors; it requires prior configuration and IP reachability to the target device. Option C (ICMP) is wrong because ICMP is a diagnostic and error-reporting protocol (e.g., ping, traceroute) that operates at Layer 3 and cannot discover device capabilities or directly connected neighbors at Layer 2.

66
Matchingmedium

Match each cable type to its maximum segment length (Ethernet).

Concepts
Matches

100 meters

100 meters (55 meters for 10GBASE-T)

Up to 550 meters (depending on standard)

Up to 40 km or more

Why these pairings

These are typical maximum distances for common cabling.

67
MCQeasy

A network administrator is implementing a change management process. Which of the following is the PRIMARY benefit of following this process?

A.It reduces the cost of implementing new hardware
B.It ensures that all network changes are automated
C.It minimizes the impact of changes on network operations and reduces errors
D.It documents the network topology for future reference
AnswerC

The core goal of change management is to manage changes in a controlled manner to prevent outages and errors.

Why this answer

The primary benefit of a change management process is to minimize the impact of changes on network operations and reduce errors. By requiring documented planning, approval, and rollback procedures, change management ensures that modifications are reviewed and tested before implementation, which directly reduces the risk of misconfigurations and unplanned outages.

Exam trap

The trap here is that candidates confuse the procedural benefit of reducing errors with cost savings or automation, but the CompTIA N10-009 exam specifically tests that change management's core purpose is operational stability and risk mitigation, not financial or automation outcomes.

How to eliminate wrong answers

Option A is wrong because change management does not directly reduce hardware costs; it focuses on procedural control, not procurement savings. Option B is wrong because change management does not mandate automation; it is a procedural framework that can be applied to both manual and automated changes, and automation is a separate operational goal.

68
MCQmedium

A network administrator needs to identify which application protocols are consuming the most bandwidth on the company WAN link. Which of the following tools should the administrator use?

A.NetFlow analyzer
B.Packet sniffer (e.g., tcpdump)
C.Port scanner (e.g., Nmap)
D.Bandwidth speed test
AnswerA

NetFlow collects flow records that show application-level details such as protocol and port numbers, enabling bandwidth usage analysis per application.

Why this answer

A NetFlow analyzer is the correct tool because it collects flow-level metadata (e.g., source/destination IPs, ports, protocol, and byte counts) from routers or switches, enabling the administrator to identify which application protocols (via port/protocol analysis) are consuming the most bandwidth over time. Unlike packet-level tools, NetFlow provides aggregated traffic statistics without storing full packet payloads, making it efficient for long-term WAN bandwidth monitoring.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and packet-level analysis (sniffers), trapping candidates who think a packet sniffer is the best tool for long-term bandwidth usage by application, when in fact it is too resource-intensive and lacks built-in aggregation for that purpose.

How to eliminate wrong answers

Option B (Packet sniffer, e.g., tcpdump) is wrong because it captures full packet payloads in real time, which is impractical for sustained WAN link analysis due to high storage and processing overhead, and it does not natively aggregate bandwidth usage by application protocol. Option C (Port scanner, e.g., Nmap) is wrong because it is designed to probe for open ports and services on hosts, not to measure ongoing bandwidth consumption or application protocol usage on a network link.

69
MCQmedium

A network administrator wants to collect and analyze logs from multiple network devices in a central location. Which of the following protocols should be used?

A.SNMP
B.Syslog
C.SMTP
D.FTP
AnswerB

Syslog is a protocol specifically for transporting log messages over IP networks. It allows devices to send logs to a centralized server for storage and analysis.

Why this answer

Syslog is the correct protocol because it is specifically designed for centralized log collection and analysis from network devices. It uses UDP port 514 (or TCP 6514 for reliable delivery) to send event messages from routers, switches, and firewalls to a central syslog server, enabling administrators to aggregate and review logs for troubleshooting and security monitoring.

Exam trap

The trap here is that candidates confuse SNMP traps (which are unsolicited alerts about device conditions) with syslog messages, but SNMP traps are for specific events like link up/down, not for general log collection, while syslog is the standard for aggregating all log entries.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing device status and performance metrics via MIBs and OIDs, not for collecting and analyzing log messages; it polls for data like CPU load or interface errors, not event logs. Option C is wrong because SMTP (Simple Mail Transfer Protocol) is used for sending email messages between mail servers, not for centralized log collection from network devices; it lacks the structured log format and transport mechanisms needed for syslog aggregation.

70
MCQmedium

A network engineer plans to change the routing protocol configuration on a core router that will affect all branch connectivity. According to change management best practices, which step should the engineer perform BEFORE implementing the change?

A.Implement the change during business hours to ensure staff availability
B.Create a detailed rollback plan
C.Notify all users after the change is complete
D.Test the change directly on the production router
AnswerB

A rollback plan ensures that the change can be safely reversed if something goes wrong, a key part of change management.

Why this answer

Creating a detailed rollback plan is a fundamental change management best practice because it ensures that if the routing protocol reconfiguration (e.g., switching from EIGRP to OSPF or modifying redistribution) causes connectivity loss to all branches, the engineer can revert to the previous configuration quickly and safely. Without a rollback plan, a failed change could result in prolonged network downtime while troubleshooting from scratch, violating the principle of minimizing business impact. This step is performed before implementation to predefine the exact commands or backup configuration needed to restore the original routing state.

Exam trap

The trap here is that candidates may confuse 'notify users after the change' with a valid communication step, but change management requires prior notification and approval, not post-change notification.

How to eliminate wrong answers

Option A is wrong because implementing the change during business hours increases the risk of disrupting production traffic; change management best practices typically schedule changes during maintenance windows to minimize user impact. Option C is wrong because notifying users after the change is complete violates the change management principle of proactive communication; users and stakeholders should be notified before the change to set expectations and allow for contingency planning.

71
MCQeasy

A network technician notices a high volume of broadcast traffic on a flat network. Which device will best reduce the size of the broadcast domain?

A.Hub
B.Switch
C.Router
D.Bridge
AnswerC

Routers operate at Layer 3 and do not forward broadcasts by default. By creating separate subnets and using a router, broadcast traffic is confined to each subnet.

Why this answer

A router is the correct choice because it operates at Layer 3 and uses IP subnetting to segment a network into separate broadcast domains. By default, routers do not forward broadcast traffic (e.g., ARP requests sent to 255.255.255.255 or subnet-directed broadcasts) between interfaces, thus reducing the scope of broadcast propagation.

Exam trap

The trap here is that candidates often confuse broadcast domains with collision domains, incorrectly assuming that a switch reduces broadcast domains because it reduces collision domains, but a switch only segments collision domains while leaving broadcast domains intact.

How to eliminate wrong answers

Option A is wrong because a hub operates at Layer 1 and simply repeats electrical signals out all ports, creating a single collision domain and a single broadcast domain—it cannot reduce broadcast traffic. Option B is wrong because a switch operates at Layer 2 and, while it segments collision domains per port, it still forwards broadcast frames (destination MAC FF:FF:FF:FF:FF:FF) out all ports within the same VLAN, so it does not reduce the size of the broadcast domain.

72
MCQmedium

A network administrator wants to centrally collect and analyze event logs from routers, switches, and firewalls. Which protocol is most commonly used for sending log messages from network devices to a central log server?

A.SNMP
B.Syslog
C.NetFlow
D.ICMP
AnswerB

Syslog is the de facto standard for logging messages from network devices. It allows administrators to forward logs to a central server for analysis and archiving.

Why this answer

Syslog (RFC 5424) is the standard protocol for sending event messages from network devices like routers, switches, and firewalls to a central log server. It uses UDP port 514 by default and provides a structured format with facility codes and severity levels, enabling centralized collection and analysis of logs. This makes it the most commonly used protocol for this purpose.

Exam trap

Cisco often tests the distinction between Syslog (for event logs) and SNMP traps (for alerts/status changes), leading candidates to mistakenly choose SNMP because both involve sending data from devices to a server.

How to eliminate wrong answers

Option A is wrong because SNMP (Simple Network Management Protocol) is used for monitoring and managing device status via polling and traps, not for sending detailed event logs; it collects metrics like CPU load or interface errors, not syslog messages. Option C is wrong because NetFlow is a traffic accounting protocol that exports IP flow metadata (e.g., source/destination IPs, ports, packet counts) for network traffic analysis, not event logs from device operations.

73
MCQhard

A network administrator has configured a router to send syslog messages to a server with the command 'logging trap 4'. The administrator notices that the syslog server is receiving messages with severity levels 0, 1, and 2. Which of the following best explains why these messages are being received?

A.The 'trap' level indicates the minimum severity; only messages with severity 4 and above are sent.
B.The router is misconfigured and sending all messages regardless of the trap level.
C.Syslog severity levels are reversed; lower numbers indicate higher urgency, so trap 4 includes levels 0-4.
D.The syslog server is configured to accept only levels 0-2, so it filters out the others.
AnswerC

Correct. Lower severity numbers (0) are more critical, and 'logging trap 4' instructs the router to send messages with severity 0 through 4.

Why this answer

C is correct because in syslog, severity levels are inverted: lower numbers indicate higher urgency (0=emergency, 1=alert, 2=critical). The command 'logging trap 4' sets a threshold that includes all messages with a severity level of 4 or lower (i.e., more urgent), so levels 0, 1, and 2 are included. This is defined in RFC 5424 and is standard behavior on Cisco IOS devices.

Exam trap

Cisco often tests the inverted nature of syslog severity levels, where the trap level is a maximum threshold (inclusive of all lower numbers), not a minimum, causing candidates to incorrectly assume that higher numbers are more severe.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that the trap level indicates the minimum severity and only sends messages with severity 4 and above; in reality, the trap level sets the maximum severity number allowed, so lower numbers (higher urgency) are included. Option B is wrong because the router is not misconfigured; the behavior is correct per syslog standards, and the administrator is seeing the expected messages for the configured trap level.
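
The threshold behaviour described in this question, as an added worked example that is not part of the original question bank: it splits the syslog `<PRI>` header into facility and severity (PRI = facility × 8 + severity) and applies a trap level the way `logging trap 4` does. The function names and the sample messages are constructed for illustration, and facility local7 (23) is assumed for every sample line.

```python
import re

# Severity names from RFC 5424, indexed by numeric level (0 is most urgent).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
IOS_TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")


def parse_pri(line):
    """Split the <PRI> header into (facility, severity)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def sent_at_trap_level(severity, trap_level):
    """The trap level is a maximum severity NUMBER: 0..trap_level are sent."""
    return severity <= trap_level


def filter_messages(lines, trap_level):
    """Return (forwarded, suppressed) lists of (severity_name, mnemonic)."""
    forwarded, suppressed = [], []
    for line in lines:
        _facility, severity = parse_pri(line)
        tag = IOS_TAG_RE.search(line)
        mnemonic = tag.group(3) if tag else "?"
        # The severity digit inside the IOS tag should agree with the header.
        if tag and int(tag.group(2)) != severity:
            raise ValueError("PRI/tag severity mismatch: %r" % line)
        entry = (SEVERITIES[severity], mnemonic)
        if sent_at_trap_level(severity, trap_level):
            forwarded.append(entry)
        else:
            suppressed.append(entry)
    return forwarded, suppressed


# Constructed, simplified sample messages (assumption: facility local7 = 23,
# so PRI = 184 + severity). The DEMO tags are placeholders, not real IOS tags.
SAMPLE = [
    "<184>%DEMO-0-EMERG: constructed emergency message",
    "<185>%DEMO-1-ALERT: constructed alert message",
    "<186>%DEMO-2-CRIT: constructed critical message",
    "<187>%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>%DEMO-4-WARN: constructed warning message",
    "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<190>%DEMO-6-INFO: constructed informational message",
    "<191>%DEMO-7-DEBUG: constructed debug message",
]

if __name__ == "__main__":
    sent, dropped = filter_messages(SAMPLE, trap_level=4)
    print("forwarded at trap 4:", [name for name, _ in sent])
    print("suppressed at trap 4:", [name for name, _ in dropped])
```

Lowering the trap level to 2 keeps only emergency, alert and critical, which is why a security monitoring pipeline that needs configuration-change events such as `%SYS-5-CONFIG_I` must set the level to at least 5.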

74
MCQmedium

An NOC technician receives an alert that latency on a critical WAN link has increased significantly. The technician needs to analyze the latency trend over the past week to identify patterns. Which approach is the most efficient for gathering this historical data?

A.Use SNMP traps to alert on each latency spike
B.Use SNMP polling with a suitable MIB to collect latency metrics at regular intervals
C.Run a continuous ping test and manually log timestamps
D.Use traceroute to identify each hop and measure latency per hop
AnswerB

Polling gathers data at set intervals, which can be stored for trend analysis. This is the standard method for historical performance monitoring.

Why this answer

SNMP polling with a suitable MIB (e.g., IF-MIB for interface statistics or IP-MIB for performance metrics) allows the NOC to collect latency data at regular, configurable intervals over time. This historical data can be stored in a management system and analyzed for trends, making it the most efficient method for identifying patterns in WAN latency over a week. SNMP traps, by contrast, are event-driven and do not provide the continuous, periodic data needed for trend analysis.

Exam trap

The trap here is that candidates confuse SNMP traps (event-driven alerts) with SNMP polling (periodic data collection), assuming traps can provide historical trend data when they are designed only for real-time notifications.

How to eliminate wrong answers

Option A is wrong because SNMP traps are asynchronous alerts triggered by specific events (e.g., threshold crossings), not a method for collecting continuous historical data; they lack the regular interval sampling needed for trend analysis. Option C is wrong because running a continuous ping test and manually logging timestamps is inefficient, error-prone, and does not scale for a week-long analysis; it also lacks automated storage and retrieval. Option D is wrong because traceroute measures per-hop latency at a single point in time and does not provide a continuous historical trend; it is a diagnostic tool for path discovery, not for long-term latency monitoring.

75
MCQmedium

A network administrator needs to monitor network traffic to identify which hosts are consuming the most bandwidth. Which of the following tools is BEST suited for this task?

A.NetFlow
B.Syslog server
C.SNMP trap
D.Traceroute
AnswerA

NetFlow analyzes traffic flows and provides detailed usage statistics to identify top talkers and bandwidth hogs.

Why this answer

NetFlow is the best tool for monitoring network traffic to identify bandwidth consumption by hosts because it collects and analyzes IP traffic flow data, providing detailed visibility into source/destination IPs, protocols, and byte counts. Unlike simple interface counters, NetFlow allows an administrator to pinpoint which specific hosts are generating the most traffic, making it ideal for bandwidth usage analysis.

Exam trap

Cisco often tests the distinction between monitoring tools by making candidates confuse SNMP (which polls interface counters for aggregate bandwidth) with NetFlow (which provides per-flow granularity for identifying specific hosts).

How to eliminate wrong answers

Option B (Syslog server) is wrong because it collects and stores log messages from network devices, not traffic flow data or bandwidth usage statistics. Option C (SNMP trap) is wrong because it sends asynchronous alerts for specific events (e.g., link up/down) and does not provide continuous traffic flow analysis or per-host bandwidth consumption. Option D (Traceroute) is wrong because it maps the path packets take between hosts using ICMP or UDP probes, but it does not measure bandwidth usage or identify which hosts are consuming the most traffic.
