Question 1mediummultiple choice
Full question →mediummultiple choiceObjective-mapped
A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Keep one flat network and increase endpoint antivirus scanning frequency.
More scanning may help detection, but it does not create isolation. A flat network still allows easier lateral movement.
B
Best answer
Place finance systems and user devices in separate VLANs and allow only the necessary print and business application traffic through filtering rules.
This design reduces lateral movement by separating high-value systems from general user devices. VLANs create logical segmentation, and targeted filtering permits only the traffic required for printing and approved business flows. It preserves functionality while sharply reducing the number of systems reachable after a compromise.
C
Distractor review
Move all printers into the finance VLAN to avoid managing inter-VLAN rules.
Putting printers inside the finance zone increases exposure to a sensitive network. It simplifies administration at the expense of security.
D
Distractor review
Disable printing so user workstations cannot communicate with any other device.
This is unnecessarily disruptive and would break a core business function. It also fails to address segmentation for other device classes.
Common exam trap
Common exam trap: an active trunk can still block the VLAN you need
A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.
Technical deep dive
How to think about this question
VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.
KKey Concepts to Remember
- Access ports place end devices into a single VLAN.
- Trunk ports carry multiple VLANs between switches.
- Allowed VLAN lists decide which VLANs can cross a trunk.
- Native VLAN mismatch can create confusing symptoms.
TExam Day Tips
- Use show vlan brief to verify access VLANs.
- Use show interfaces trunk to verify trunk state and allowed VLANs.
- Do not treat every same-VLAN issue as a routing problem.
Related practice questions
Related SY0-701 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Security+ social engineering questions
Practise SY0-701 questions linked to Security+ social engineering questions.
Security+ cryptography practice questions
Practise SY0-701 questions linked to Security+ cryptography.
Security+ IAM questions
Practise SY0-701 questions linked to Security+ IAM questions.
Security+ risk management questions
Practise SY0-701 questions linked to Security+ risk management questions.
Security+ incident response questions
Practise SY0-701 questions linked to Security+ incident response questions.
Security+ malware questions
Practise SY0-701 questions linked to Security+ malware questions.
Security+ vulnerability management questions
Practise SY0-701 questions linked to Security+ vulnerability management questions.
Security+ security operations questions
Practise SY0-701 questions linked to Security+ security operations questions.
Security+ zero trust questions
Practise SY0-701 questions linked to Security+ zero trust questions.
Security+ authentication factors questions
Practise SY0-701 questions linked to Security+ authentication factors questions.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A backup server encrypts large nightly database exports before sending them to an offsite storage system. The organization has already arranged a secure way to share the secret key between the systems, and performance is a concern because the files are very large. Which encryption approach is the best fit?
Question 2
A baseline review found that standard developer accounts are local administrators, unsigned tools can run from user profile folders, and reimaged systems still end up with unauthorized persistence. Which two changes best improve hardening while preserving developer work? Select two.
Question 3
A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?
Question 4
A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.
Question 5
A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?
Question 6
A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?
FAQ
Questions learners often ask
What does this SY0-701 question test?
Access ports place end devices into a single VLAN.
What is the correct answer to this question?
The correct answer is: Place finance systems and user devices in separate VLANs and allow only the necessary print and business application traffic through filtering rules. — Segmenting the branch office into separate VLANs for users and finance systems is the most effective improvement. Filtering rules can then allow only the minimal print-related or application-specific traffic needed for business operations. This reduces the impact of a workstation compromise by limiting which assets the attacker can directly reach, while still preserving essential services like printing and internal application access. Why others are wrong: Option A improves detection but leaves the network flat, so it does not meaningfully reduce lateral movement. Option C puts low-trust devices closer to sensitive systems, which is backwards. Option D overcorrects by removing a needed business service. The best answer balances containment with operational requirements.
What should I do if I get this SY0-701 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.