A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?

A data loss prevention platform that inspects file transfers.

DLP helps protect data in motion or at rest, but it does not control device admission to the network.

A network intrusion detection system placed inline at the switch.

IDS is mainly for alerting on suspicious traffic, not for enforcing device admission or guest-only placement.

A VPN concentrator that encrypts remote traffic back to headquarters.

VPNs secure remote connectivity, but they do not decide whether a local device may join the wired network.

What does this SY0-701 question test?

Access ports place end devices into a single VLAN.

What is the correct answer to this question?

The correct answer is: Network access control that verifies the device before granting access. — Network access control is the best choice because it enforces endpoint admission policy before devices reach trusted internal networks. NAC can check identity, device health, and compliance status, then place the device into a guest VLAN or quarantine network until it meets requirements. That directly matches the need to block an unmanaged tablet from internal resources while still allowing limited access. Why others are wrong: DLP watches for sensitive data leaving the organization, not for deciding whether a device can connect. IDS can detect malicious traffic but does not typically enforce admission policy. A VPN concentrator protects remote access sessions, but this situation involves a local wired connection and requires network admission control rather than tunneling.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.