A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Distractor review
Place all devices on one flat network and rely on endpoint antivirus for protection.
A flat network makes lateral movement easier and does not enforce separation between trust zones. Antivirus can help on endpoints, but it does not prevent guest systems from reaching internal resources or medical devices from talking to unrelated hosts.
Best answer
Create separate VLANs for guest, staff, and medical devices, then enforce traffic rules between them with firewall policies.
This approach provides clean segmentation while keeping administration manageable. Separate VLANs define distinct trust zones, and firewall policies or ACLs control exactly which services can cross boundaries. That lets guest traffic stay internet-only, staff reach approved internal apps, and medical devices communicate only with the monitoring server.
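The policy described above, as an added example that is not part of the original page: three trust zones, a short allow list, and default deny for every pair the question says must never talk. The subnets, the monitoring server address and the port numbers are hypothetical; a real deployment would carry the same rules on the firewall or layer-3 switch that routes between the VLANs.

```python
"""Three-zone segmentation policy evaluator.

Added example, not code from the original page. Subnets, the monitoring
server address and the application port numbers are hypothetical; the
real hospital would use its own addressing and the policy would live on
the firewall or L3 switch that routes between the VLANs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical mapping of each VLAN (trust zone) to its subnet.
ZONES = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),          # VLAN 10
    "staff": ipaddress.ip_network("10.20.0.0/16"),          # VLAN 20
    "medical": ipaddress.ip_network("10.30.0.0/16"),        # VLAN 30
    "internal_apps": ipaddress.ip_network("10.50.0.0/24"),  # staff-facing apps
    "monitoring": ipaddress.ip_network("10.60.0.10/32"),    # the one monitoring server
}

# Private ranges that belong to no defined zone still count as "inside";
# they must not become reachable just because they fail to match a zone.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str            # zone name or "internet"
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any destination port
    action: str              # "allow" or "deny"


# First match wins. Anything matching no rule is denied (default deny),
# which is what keeps guest<->medical and medical<->staff closed without
# writing an explicit deny for every pair.
POLICY = [
    Rule("guest", "internet", "any", None, "allow"),
    Rule("staff", "internal_apps", "tcp", 443, "allow"),
    Rule("staff", "internet", "any", None, "allow"),
    Rule("medical", "monitoring", "tcp", 8443, "allow"),  # hypothetical port
]


def zone_of(ip: str) -> str:
    """Map an address to its trust zone; unmatched private space is its own zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in PRIVATE):
        return "unknown_private"
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (action, reason) for one flow under POLICY."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone != src or rule.dst_zone != dst:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, f"{src}->{dst} {proto}/{dport}: matched {rule}"
    return "deny", f"{src}->{dst} {proto}/{dport}: no matching rule (default deny)"


# Constructed flows covering each requirement in the question.
SAMPLE_FLOWS = [
    ("10.10.5.5", "93.184.216.34", "tcp", 443),   # guest -> internet
    ("10.10.5.5", "10.50.0.10", "tcp", 443),      # guest -> internal app
    ("10.10.5.5", "10.30.1.7", "tcp", 80),        # guest -> medical device
    ("10.20.1.1", "10.50.0.10", "tcp", 443),      # staff -> internal app
    ("10.20.1.1", "10.30.1.7", "tcp", 443),       # staff -> medical device
    ("10.30.1.7", "10.60.0.10", "tcp", 8443),     # medical -> monitoring server
    ("10.30.1.7", "10.60.0.10", "tcp", 22),       # medical -> monitoring, wrong port
    ("10.30.1.7", "10.10.5.5", "udp", 53),        # medical -> guest
    ("10.30.1.7", "93.184.216.34", "tcp", 443),   # medical -> internet
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns a list of (flow, (action, reason))."""
    return [(flow, evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, (action, reason) in audit():
        print(f"{action:5} {reason}")
```

The shape of the policy is the point: only four allow rules, and the medical zone's single rule names one server and one port, so a medical device that tries anything else, including the internet, falls through to the default deny. Note that a destination in private space that belongs to no zone is classified as `unknown_private` rather than `internet`, so the guest zone's internet rule cannot be abused to reach an undocumented internal subnet.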
Distractor review
Use a single wireless SSID with client isolation enabled and NAT all traffic through one gateway.
Client isolation limits peer-to-peer access on the same wireless segment, but it does not create strong separation between guest, staff, and medical systems. NAT also does not provide the granular policy control needed to restrict medical-device communications.
Distractor review
Deploy network access control only at login time and allow all devices onto the same internal subnet afterward.
NAC can help with admission control, but if all devices share the same subnet afterward, they remain able to communicate more broadly than intended. That weakens segmentation and makes policy enforcement much harder.
Common exam trap
An active trunk can still block the VLAN you need
A trunk showing as up does not prove that every VLAN is crossing it. Check the allowed VLAN list on the trunk, whether the VLAN exists on both switches, the native VLAN on each end of the link, and the access-port assignment on the switchport itself.
Technical deep dive
How to think about this question
VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.
Key Concepts to Remember
- Access ports place end devices into a single VLAN.
- Trunk ports carry multiple VLANs between switches.
- Allowed VLAN lists decide which VLANs can cross a trunk.
- Native VLAN mismatch can create confusing symptoms.
Exam Day Tips
- Use show vlan brief to verify access VLANs.
- Use show interfaces trunk to verify trunk state and allowed VLANs.
- Do not treat every same-VLAN issue as a routing problem.
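The check list above, worked as an added example that is not part of the original page: parse constructed `show interfaces trunk` and `show vlan brief` output (Cisco IOS formatting) and report every reason a given VLAN would fail to cross the trunk. The outputs are constructed, and the peer switch's native VLAN is passed in by hand, since you read it from the other end of the link.

```python
"""Why isn't VLAN X crossing an 'up' trunk? Parse the two show commands and say why.

Added example, not code from the original page. The two command outputs
below are constructed (Cisco IOS formatting) and the peer switch's native
VLAN is passed in by hand, since you would read it from the other end.
"""
import re

# Constructed output of `show interfaces trunk` on the local switch.
TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,10,20

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
"""

# Constructed output of `show vlan brief`: VLAN 30 (medical) was never created here.
VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2
10   GUEST                            active    Gi0/3
20   STAFF                            active    Gi0/4
"""


def expand_vlan_list(text: str) -> set:
    """'1,10-12,30' -> {1, 10, 11, 12, 30}; 'none' -> empty set."""
    vlans = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(output: str) -> dict:
    """Return {port: {"status", "native", "allowed"}} from `show interfaces trunk`."""
    ports, section = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # The header row says which of the four tables follows.
            if "Native vlan" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None  # 'active' and 'forwarding' tables are not needed here
            continue
        if section is None:
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {"allowed": set()})
        if section == "status":
            entry["status"], entry["native"] = fields[3], int(fields[4])
        else:
            entry["allowed"] = expand_vlan_list(fields[1])
    return ports


def parse_vlan_brief(output: str) -> set:
    """Set of VLAN IDs that exist on this switch."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)\s", output, re.M)}


def diagnose(vlan: int, trunk_output: str, vlan_brief_output: str, peer_native=None) -> list:
    """List the reasons VLAN `vlan` would not pass over the trunk(s); empty means no finding."""
    findings = []
    if vlan not in parse_vlan_brief(vlan_brief_output):
        findings.append(f"VLAN {vlan} does not exist on this switch; a trunk cannot carry a VLAN the switch has not created")
    for port, info in parse_trunk(trunk_output).items():
        if info.get("status") != "trunking":
            findings.append(f"{port}: not trunking (status {info.get('status')})")
            continue
        if vlan not in info["allowed"]:
            findings.append(f"{port}: VLAN {vlan} is not in the allowed list {sorted(info['allowed'])}")
        if peer_native is not None and info["native"] != peer_native:
            findings.append(f"{port}: native VLAN {info['native']} here vs {peer_native} on the peer (mismatch)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(30, TRUNK, VLAN_BRIEF, peer_native=1):
        print(finding)
```

Run against the constructed outputs, VLAN 30 produces two findings (it was never created on this switch, and it is not in the trunk's allowed list) even though Gi0/1 reports `trunking`, which is exactly the trap: the trunk is up, and the VLAN you need still cannot cross it. VLAN 10 produces no findings, and supplying a peer native VLAN that differs from the local one adds a mismatch finding.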
Related practice questions
Related SY0-701 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Security+ social engineering questions
Practise SY0-701 questions linked to Security+ social engineering questions.
Security+ cryptography practice questions
Practise SY0-701 questions linked to Security+ cryptography.
Security+ IAM questions
Practise SY0-701 questions linked to Security+ IAM questions.
Security+ risk management questions
Practise SY0-701 questions linked to Security+ risk management questions.
Security+ incident response questions
Practise SY0-701 questions linked to Security+ incident response questions.
Security+ malware questions
Practise SY0-701 questions linked to Security+ malware questions.
Security+ vulnerability management questions
Practise SY0-701 questions linked to Security+ vulnerability management questions.
Security+ security operations questions
Practise SY0-701 questions linked to Security+ security operations questions.
Security+ zero trust questions
Practise SY0-701 questions linked to Security+ zero trust questions.
Security+ authentication factors questions
Practise SY0-701 questions linked to Security+ authentication factors questions.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?
Question 2
An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?
Question 3
An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?
Question 4
You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?
Question 5
A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.
Question 6
A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?
FAQ
Questions learners often ask
What does this SY0-701 question test?
It tests network segmentation: placing guest, staff, and medical devices in separate VLANs as distinct trust zones, then enforcing which traffic may cross between those zones with firewall policies or ACLs.
What is the correct answer to this question?
The correct answer is: Create separate VLANs for guest, staff, and medical devices, then enforce traffic rules between them with firewall policies. — The best design is to separate the guest, staff, and medical-device populations into different VLANs and then control cross-zone traffic with firewall policies or ACLs. That gives the hospital a practical segmentation model: guest users get internet-only access, staff devices can reach approved internal services, and medical devices can be limited to a single monitoring server. This is a common, scalable architecture for environments that need isolation without excessive complexity. Why others are wrong: A flat network offers almost no meaningful boundary enforcement. Client isolation and NAT help in narrow cases, but they do not provide strong trust-zone separation. NAC is useful for deciding who can join the network, yet it does not solve post-connect communication control if everything ends up on one subnet.
What should I do if I get this SY0-701 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.