Sample questions
Linux Professional Institute Certification Level 2 LPIC-2 practice questions
Which TWO of the following are valid methods to modify kernel parameters at runtime without rebooting?
Trap 1: Using modprobe to load kernel modules with parameters
modprobe loads modules; it does not modify existing parameters.
Trap 2: Editing /etc/sysctl.conf and running sysctl --system
This applies settings from files, but it's not a direct runtime modification.
Trap 3: Adding parameters to the kernel command line in /etc/default/grub
This requires a reboot to take effect.
- A
Using modprobe to load kernel modules with parameters
Why wrong: modprobe loads modules; it does not modify existing parameters.
- B
Editing /etc/sysctl.conf and running sysctl --system
Why wrong: This applies settings from files, but it's not a direct runtime modification.
- C
Writing to files in /proc/sys/ using echo
Writing directly to /proc/sys/ files changes parameters immediately.
- D
Using the sysctl command to set parameters
sysctl modifies parameters in /proc/sys/ immediately.
- E
Adding parameters to the kernel command line in /etc/default/grub
Why wrong: This requires a reboot to take effect.
A systems administrator is troubleshooting a server that fails to boot after a kernel upgrade. The boot process hangs at the stage where the kernel attempts to mount the root filesystem. Which of the following is the most likely cause?
Trap 1: The root filesystem is formatted with an unsupported filesystem…
This would typically produce an error message, not a hang.
Trap 2: The initrd image is missing from the /boot partition.
An initrd is not always required; the kernel can mount root directly.
Trap 3: The GRUB bootloader is not installed on the MBR.
This would prevent the bootloader from loading entirely, not cause a hang at root mount.
- A
The root= parameter in the kernel command line points to a non-existent device.
A missing root device causes the kernel to hang while waiting for the device to appear.
- B
The root filesystem is formatted with an unsupported filesystem type.
Why wrong: This would typically produce an error message, not a hang.
- C
The initrd image is missing from the /boot partition.
Why wrong: An initrd is not always required; the kernel can mount root directly.
- D
The GRUB bootloader is not installed on the MBR.
Why wrong: This would prevent the bootloader from loading entirely, not cause a hang at root mount.
An administrator is designing a high-availability storage solution using DRBD. The requirement is to have two nodes with synchronous replication and automatic failover in case of primary node failure. Which configuration best achieves this?
Trap 1: Export the DRBD block device via NFS and use a load balancer.
NFS adds a single point of failure and complexity.
Trap 2: Primary/Secondary DRBD resource with manual failover using drbdadm.
Manual failover does not meet the automatic failover requirement.
Trap 3: DRBD with Heartbeat to automatically promote the secondary on…
This provides automatic failover but only one active node, not optimal for HA.
- A
Export the DRBD block device via NFS and use a load balancer.
Why wrong: NFS adds a single point of failure and complexity.
- B
Primary/Secondary DRBD resource with manual failover using drbdadm.
Why wrong: Manual failover does not meet the automatic failover requirement.
- C
DRBD with Heartbeat to automatically promote the secondary on primary failure.
Why wrong: This provides automatic failover but only one active node, not optimal for HA.
- D
DRBD in Primary/Primary mode managed by Pacemaker cluster stack.
Allows both nodes active and automatic failover via Pacemaker.
Refer to the exhibit. The system boots successfully, but the root filesystem is mounted as read-only even after the boot process completes. Which of the following is the most likely cause?
Exhibit
Refer to the exhibit.
```
[ 0.000000] Linux version 5.10.0-8-amd64 (debian@amd64) #1 SMP Debian 5.10.46-4 (2021-08-03)
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64 root=/dev/mapper/vg-root ro quiet
[ 0.000000] Memory: 1024M/2048M available (8192K kernel code, 1024K rwdata, 2048K rodata, 512K init, 256K bss, 1024K reserved)
[ 0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64 root=/dev/mapper/vg-root ro quiet
[ 1.234567] device-mapper: ioctl: 4.43.0-ioctl (2021-02-07) initialised: dm-devel@redhat.com
[ 2.345678] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[ 3.456789] systemd[1]: systemd 247 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
```
Trap 1: The root device /dev/mapper/vg-root does not exist.
The boot log shows the filesystem was mounted successfully, so the device exists.
Trap 2: The root filesystem is damaged and forces read-only mount.
No filesystem errors are shown in the log; EXT4 mounted cleanly.
Trap 3: SELinux is enforcing and prevents write access to the root…
SELinux does not enforce read-only mount; it controls access to files.
- A
The kernel command line contains the 'ro' parameter, which remains in effect.
The 'ro' parameter causes the root filesystem to be mounted read-only unless remounted rw by init.
- B
The root device /dev/mapper/vg-root does not exist.
Why wrong: The boot log shows the filesystem was mounted successfully, so the device exists.
- C
The root filesystem is damaged and forces read-only mount.
Why wrong: No filesystem errors are shown in the log; EXT4 mounted cleanly.
- D
SELinux is enforcing and prevents write access to the root filesystem.
Why wrong: SELinux does not enforce read-only mount; it controls access to files.
Which TWO statements about LVM thin provisioning are correct?
Trap 1: Thin pools are created using the 'pvcreate' command.
Thin pools are created with lvcreate --type thin-pool.
Trap 2: Thin provisioning requires a dm-cache device to function.
dm-cache is a separate feature for caching.
Trap 3: Thin volumes automatically grow when they run out of space.
Auto-extension requires monitoring and manual intervention.
- A
Thin pools are created using the 'pvcreate' command.
Why wrong: Thin pools are created with lvcreate --type thin-pool.
- B
The filesystem on a thin volume must support the 'discard' option to free unused space.
fstrim or mount -o discard allows space reclamation.
- C
Thin volumes can be over-provisioned, allowing more virtual space than physical storage.
Over-provisioning is a key feature of thin provisioning.
- D
Thin provisioning requires a dm-cache device to function.
Why wrong: dm-cache is a separate feature for caching.
- E
Thin volumes automatically grow when they run out of space.
Why wrong: Auto-extension requires monitoring and manual intervention.
A client on the internet sends a TCP SYN packet to 10.0.1.10:8080. The router receives it on eth0. According to the exhibit, what will happen to the packet?
Trap 1: The packet is dropped because the destination IP is not directly…
DNAT changes the destination to a directly connected network (10.0.2.0/24).
Trap 2: The packet is forwarded to 10.0.1.1 because it is the default…
After DNAT, the destination is 10.0.2.5, so routing will send it to that network, not the default gateway.
Trap 3: The packet is forwarded to 10.0.2.5:80 via eth1, with source IP…
MASQUERADE would only change source if the packet originated from 10.0.2.0/24.
- A
The packet is dropped because the destination IP is not directly connected.
Why wrong: DNAT changes the destination to a directly connected network (10.0.2.0/24).
- B
The packet is forwarded to 10.0.1.1 because it is the default gateway.
Why wrong: After DNAT, the destination is 10.0.2.5, so routing will send it to that network, not the default gateway.
- C
The packet is forwarded to 10.0.2.5:80 via eth1, with source IP changed to 10.0.2.20.
Why wrong: MASQUERADE would only change source if the packet originated from 10.0.2.0/24.
- D
The packet is forwarded to 10.0.2.5:80 via eth1, with source IP unchanged.
As described, DNAT changes destination, routing sends it to eth1, and no SNAT is applied.
A network administrator notices that a Linux router with two network interfaces is not forwarding packets between them, despite having IP forwarding enabled in the kernel. The administrator has verified that the firewall rules are not blocking the traffic. What is the most likely cause of the issue?
Trap 1: The ARP cache on the router is stale.
ARP cache staleness would cause connectivity issues but not prevent forwarding entirely.
Trap 2: The iptables FORWARD chain policy is set to DROP.
The administrator verified firewall rules are not blocking traffic.
Trap 3: The routing table does not contain a route for the destination…
The router can still forward packets if it has a default route or specific routes; missing routes would cause unreachability, not lack of forwarding.
- A
The ARP cache on the router is stale.
Why wrong: ARP cache staleness would cause connectivity issues but not prevent forwarding entirely.
- B
The default gateway on the router is not set correctly.
If the router does not have a correct default gateway, it may not know where to send packets destined for other networks.
- C
The iptables FORWARD chain policy is set to DROP.
Why wrong: The administrator verified firewall rules are not blocking traffic.
- D
The routing table does not contain a route for the destination network.
Why wrong: The router can still forward packets if it has a default route or specific routes; missing routes would cause unreachability, not lack of forwarding.
A company runs a Postfix mail server that relays mail for internal clients. Users report that emails to a specific external domain 'example.org' are delayed by several hours. The administrator checks the mail logs and sees entries like: 'status=deferred (connect to mx.example.org[203.0.113.10]:25: Connection timed out)'. What is the most likely cause?
Trap 1: The company's mail server is not authorized to relay mail for the…
Relay authorization failures produce 'Relay access denied' errors, not connection timeouts.
Trap 2: The DNS MX record for example.org is misconfigured, pointing to a…
If the MX record pointed to a non-existent host, Postfix would get a DNS resolution failure, not a connection timeout.
Trap 3: The remote server is rate limiting connections from the company's…
Rate limiting typically produces a temporary failure after connection is established, not a timeout.
- A
The company's mail server is not authorized to relay mail for the internal clients, causing a deferral.
Why wrong: Relay authorization failures produce 'Relay access denied' errors, not connection timeouts.
- B
The DNS MX record for example.org is misconfigured, pointing to a non-existent host.
Why wrong: If the MX record pointed to a non-existent host, Postfix would get a DNS resolution failure, not a connection timeout.
- C
The remote mail server mx.example.org is blocking connections from the company's mail server IP.
Connection timed out suggests the remote server is not responding, often due to firewall or server issues.
- D
The remote server is rate limiting connections from the company's mail server.
Why wrong: Rate limiting typically produces a temporary failure after connection is established, not a timeout.
A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error '550 5.7.1 Service unavailable; Client host [203.0.113.50] blocked using zen.spamhaus.org'. The partner's IP is not listed on any public DNSBL. What is the most likely cause?
Trap 1: The partner's SPF record is misconfigured, causing Postfix to…
SPF failures typically produce errors like '550 5.7.1 Sender policy rejection' not 'cannot find your hostname'.
Trap 2: The partner's IP is listed on a local DNSBL that is aggregated with…
The error specifically says 'cannot find your hostname', not a DNSBL reference.
Trap 3: The mail server is using greylisting and the partner's server has…
Greylisting produces temporary errors (4xx), not permanent 550 rejections.
- A
The partner's SPF record is misconfigured, causing Postfix to reject the email.
Why wrong: SPF failures typically produce errors like '550 5.7.1 Sender policy rejection' not 'cannot find your hostname'.
- B
The partner's IP is listed on a local DNSBL that is aggregated with zen.spamhaus.org.
Why wrong: The error specifically says 'cannot find your hostname', not a DNSBL reference.
- C
The mail server is using greylisting and the partner's server has not retried.
Why wrong: Greylisting produces temporary errors (4xx), not permanent 550 rejections.
- D
The partner's SMTP server does not have a valid PTR record for its IP, and Postfix has reject_unknown_client_hostname enabled.
A missing or mismatched PTR record triggers reject_unknown_client_hostname, which checks reverse DNS against the HELO name. As written, however, this may be a flawed question: the error explicitly mentions zen.spamhaus.org, so the rejection is definitely from that DNSBL. Since the question says the IP is not listed, it is perhaps a false positive, or the server is using a different DNSBL that includes the IP.
The stem is better stated as: 'A company's mail server (Postfix) is rejecting incoming emails from a trusted partner with the error: 550 5.7.1 Client host rejected: cannot find your hostname. The partner's IP has no PTR record. What is the most likely cause?'
With that stem: Option A is correct because the error indicates the server's reject_unknown_client_hostname restriction rejected the mail. Option B is wrong because SPF failures produce different errors. Option C is wrong because DNSBL errors mention a specific blocklist. Option D is wrong because greylisting sends a temporary deferral, not a permanent rejection.
Which TWO statements are true regarding BIND DNS server security? (Choose two.)
Trap 1: The 'allow-transfer' ACL is used to restrict which clients can…
allow-transfer restricts zone transfers, not recursion.
Trap 2: The 'blackhole' ACL can be used to prevent cache poisoning attacks.
blackhole discards queries from certain sources, but does not prevent cache poisoning; DNSSEC does.
Trap 3: The 'forwarders' option can be used to disable recursion entirely.
forwarders only redirect queries; recursion can be disabled with 'recursion no'.
- A
The 'allow-transfer' ACL is used to restrict which clients can perform recursive queries.
Why wrong: allow-transfer restricts zone transfers, not recursion.
- B
The 'allow-recursion' ACL can be used to restrict which clients can use the server's recursive lookup feature.
allow-recursion limits recursive queries to specific clients.
- C
The 'blackhole' ACL can be used to prevent cache poisoning attacks.
Why wrong: blackhole discards queries from certain sources, but does not prevent cache poisoning; DNSSEC does.
- D
The 'forwarders' option can be used to disable recursion entirely.
Why wrong: forwarders only redirect queries; recursion can be disabled with 'recursion no'.
- E
The 'allow-query' ACL can be used to restrict which clients can send DNS queries to the server.
allow-query limits the IP addresses that can query the server.
Which TWO of the following are valid ways to map a Windows user to a Linux account in Samba?
Trap 1: Using the 'map user' command in smbpasswd
No such command
Trap 2: Setting 'winbind use default domain = yes'
Affects domain name, not mapping
Trap 3: Using the 'valid users' directive in smb.conf
Controls access, not mapping
- A
Using a 'username map' file specified by the 'username map' parameter
Maps Windows usernames to Linux usernames
- B
Using 'force user' in the share definition
Maps all connections to a specific Linux user
- C
Using the 'map user' command in smbpasswd
Why wrong: No such command
- D
Setting 'winbind use default domain = yes'
Why wrong: Affects domain name, not mapping
- E
Using the 'valid users' directive in smb.conf
Why wrong: Controls access, not mapping
A system administrator needs to ensure that all users must change their passwords every 90 days and that passwords must be at least 12 characters long. The administrator modifies /etc/login.defs and /etc/pam.d/common-password. Which additional step is required to enforce these settings for existing users?
Trap 1: Run 'passwd -x 90' for each existing user
passwd -x sets max days but requires the username argument; also less efficient than chage.
Trap 2: Run 'pwconv' to synchronize password aging
pwconv only converts to shadow, it does not set aging.
Trap 3: Run 'pwunconv' then 'pwconv' to update shadow file
This converts shadow passwords but does not set max days.
- A
Run 'chage -M 90' for each existing user
chage modifies password aging for existing users.
- B
Run 'passwd -x 90' for each existing user
Why wrong: passwd -x sets max days but requires the username argument; also less efficient than chage.
- C
Run 'pwconv' to synchronize password aging
Why wrong: pwconv only converts to shadow, it does not set aging.
- D
Run 'pwunconv' then 'pwconv' to update shadow file
Why wrong: This converts shadow passwords but does not set max days.
A Samba server is configured as a print server. Clients running Windows 10 report that printer drivers cannot be uploaded. The relevant smb.conf section is:
```
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
```
What is the most likely cause?
Trap 1: The 'printable = yes' directive is missing
It is present
Trap 2: The 'path' is incorrectly set to /var/spool/samba
Path is correct
Trap 3: The 'browseable = no' directive prevents driver discovery
Does not affect upload
- A
The 'printable = yes' directive is missing
Why wrong: It is present
- B
The 'path' is incorrectly set to /var/spool/samba
Why wrong: Path is correct
- C
The 'guest ok = yes' directive is missing
Needed for driver upload
- D
The 'browseable = no' directive prevents driver discovery
Why wrong: Does not affect upload
A Linux workstation must be configured to automatically mount an NFS share from server nfs.example.com:/exports/data at boot time. The share should be mounted with noexec and nosuid options. Which line should be added to /etc/fstab?
Trap 1: nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0…
The leading slash before exports/data is incorrect; the correct path is /exports/data.
Trap 2: nfs.example.com:/exports/data /mnt/data auto noexec,nosuid,_netdev…
Using 'auto' for filesystem type is ambiguous; NFS requires explicit 'nfs' or 'nfs4'.
Trap 3: nfs.example.com:/exports/data /mnt/data nfs4 noexec,nosuid 0 0
Missing _netdev option, which is important to prevent boot hangs if NFS is not available.
- A
nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
Why wrong: The leading slash before exports/data is incorrect; the correct path is /exports/data.
- B
nfs.example.com:/exports/data /mnt/data nfs noexec,nosuid,_netdev 0 0
Correct syntax: server:path, mount point, filesystem type, options with _netdev, and dump/pass fields.
- C
nfs.example.com:/exports/data /mnt/data auto noexec,nosuid,_netdev 0 0
Why wrong: Using 'auto' for filesystem type is ambiguous; NFS requires explicit 'nfs' or 'nfs4'.
- D
nfs.example.com:/exports/data /mnt/data nfs4 noexec,nosuid 0 0
Why wrong: Missing _netdev option, which is important to prevent boot hangs if NFS is not available.
A system administrator notices that a Linux client is unable to resolve hostnames after connecting to a new network. The client uses DHCP and the /etc/resolv.conf file contains only the loopback address 127.0.0.1. Which of the following is the most likely cause?
Trap 1: The DHCP server did not provide DNS server information.
Even if DHCP provides DNS servers, the client's network configuration tool may overwrite /etc/resolv.conf. The presence of only 127.0.0.1 indicates a local resolver, not missing DHCP option.
Trap 2: The /etc/resolv.conf file is a symbolic link to…
A symlink would still reflect the content pointed to; the issue is the content itself pointing to loopback.
Trap 3: The /etc/resolv.conf file is not being updated by the DHCP client.
The file exists with content, so it is being updated, but with the wrong content.
- A
The DHCP server did not provide DNS server information.
Why wrong: Even if DHCP provides DNS servers, the client's network configuration tool may overwrite /etc/resolv.conf. The presence of only 127.0.0.1 indicates a local resolver, not missing DHCP option.
- B
The /etc/resolv.conf file is a symbolic link to /run/NetworkManager/resolv.conf.
Why wrong: A symlink would still reflect the content pointed to; the issue is the content itself pointing to loopback.
- C
The client is configured to use a local DNS resolver such as systemd-resolved or dnsmasq.
This is correct because local resolvers often set 127.0.0.1 as the nameserver and then forward queries. If the local resolver is misconfigured or not running, resolution fails.
- D
The /etc/resolv.conf file is not being updated by the DHCP client.
Why wrong: The file exists with content, so it is being updated, but with the wrong content.
An administrator is reviewing the audit rules on a Linux server. The current rules are shown in the exhibit. The administrator needs to ensure that any failed attempts to open files are logged, while also monitoring for successful outbound connections. Which of the following describes the effect of the current rules?
Exhibit
Refer to the exhibit.
```
# auditctl -l
-a always,exit -F arch=b64 -S openat -F success=0 -F key=access_denied
-a always,exit -F arch=b64 -S connect -F key=outbound_connect
-w /etc/shadow -p wa -k shadow_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config_change
```
Trap 1: The first rule logs only successful openat calls, and the second…
The first rule uses success=0, which means failed calls; the second rule does not filter by success, so it logs both.
Trap 2: The first rule logs all openat calls, and the second rule logs all…
The first rule logs only failed openat calls because of success=0.
Trap 3: The first rule logs only failed openat calls, and the second rule…
The second rule does not filter by success, so it logs all connect calls.
- A
The first rule logs only failed openat calls, and the second rule logs all connect calls.
The first rule logs failed openat (success=0), the second logs all connect (no success filter).
- B
The first rule logs only successful openat calls, and the second rule logs only failed connect calls.
Why wrong: The first rule uses success=0, which means failed calls; the second rule does not filter by success, so it logs both.
- C
The first rule logs all openat calls, and the second rule logs all connect calls.
Why wrong: The first rule logs only failed openat calls because of success=0.
- D
The first rule logs only failed openat calls, and the second rule logs only failed connect calls.
Why wrong: The second rule does not filter by success, so it logs all connect calls.
An administrator wants to enhance the security of a web server running Apache. Which TWO of the following actions are recommended best practices?
Trap 1: Enable the mod_info module to monitor server configuration.
mod_info exposes sensitive server information and should be disabled in production.
Trap 2: Enable .htaccess files to allow per-directory configuration changes.
.htaccess files can introduce performance overhead and security risks; it's better to place configuration in the main server config.
Trap 3: Enable the HTTP TRACE method for debugging purposes.
The TRACE method can be exploited for Cross-Site Tracing attacks and should be disabled.
- A
Enable the mod_info module to monitor server configuration.
Why wrong: mod_info exposes sensitive server information and should be disabled in production.
- B
Disable directory listing in the Apache configuration using Options -Indexes.
Disabling directory listing prevents attackers from browsing directory contents.
- C
Enable .htaccess files to allow per-directory configuration changes.
Why wrong: .htaccess files can introduce performance overhead and security risks; it's better to place configuration in the main server config.
- D
Run the Apache worker processes as a non-root user such as www-data.
Running as a non-privileged user limits the impact of a security breach.
- E
Enable the HTTP TRACE method for debugging purposes.
Why wrong: The TRACE method can be exploited for Cross-Site Tracing attacks and should be disabled.
Based on the exhibit, which command would change the DNS server to 1.1.1.1 for the connection MyConnection?
Exhibit
Refer to the exhibit.
```
# nmcli device show eth0
GENERAL.DEVICE: eth0
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:1A:2B:3C:4D:5E
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: MyConnection
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.1.100/24
IP4.GATEWAY: 192.168.1.1
IP4.DNS[1]: 8.8.8.8
IP4.DNS[2]: 8.8.4.4
```
Trap 1: nmcli con mod MyConnection IP4.DNS 1.1.1.1
The property name is ipv4.dns, not IP4.DNS.
Trap 2: nmcli dev mod eth0 ipv4.dns 1.1.1.1
Device modification is temporary and not persistent; connection modification is required.
Trap 3: nmcli con mod MyConnection +ipv4.dns 1.1.1.1
+ipv4.dns appends to the list, but the question asks to change (replace) the DNS server.
- A
nmcli con mod MyConnection IP4.DNS 1.1.1.1
Why wrong: The property name is ipv4.dns, not IP4.DNS.
- B
nmcli con mod MyConnection ipv4.dns 1.1.1.1
This is the correct nmcli command to modify the DNS setting for the connection.
- C
nmcli dev mod eth0 ipv4.dns 1.1.1.1
Why wrong: Device modification is temporary and not persistent; connection modification is required.
- D
nmcli con mod MyConnection +ipv4.dns 1.1.1.1
Why wrong: +ipv4.dns appends to the list, but the question asks to change (replace) the DNS server.
Which TWO conditions must be met for a Linux bridge to forward Ethernet frames between its ports?
Trap 1: Traffic must be allowed by iptables FORWARD chain
iptables rules in the FORWARD chain can filter but are not required for forwarding.
Trap 2: The bridge must have an IP address configured
An IP address is not required for bridging; the bridge can be purely layer 2.
Trap 3: Spanning tree must be disabled
STP can be enabled and still allow forwarding (after convergence).
- A
Traffic must be allowed by iptables FORWARD chain
Why wrong: iptables rules in the FORWARD chain can filter but are not required for forwarding.
- B
The bridge must be in the 'up' state
The bridge interface must be administratively up to forward frames.
- C
At least two ports must be added to the bridge
A bridge with only one port cannot forward frames; it needs at least two to forward between them.
- D
The bridge must have an IP address configured
Why wrong: An IP address is not required for bridging; the bridge can be purely layer 2.
- E
Spanning tree must be disabled
Why wrong: STP can be enabled and still allow forwarding (after convergence).
Which TWO statements about VLAN tagging are correct?
Trap 1: VLAN tagging can only be used with Ethernet
VLAN tagging can also be used with other technologies like Fibre Channel over Ethernet (FCoE).
Trap 2: VLAN tags are always 12 bits
The tag has 4 bytes: TPID (2 bytes), TCI (2 bytes) which includes 3-bit priority, 1-bit CFI, 12-bit VLAN ID.
Trap 3: VLAN tags are added by the switch, not the host
Hosts can also add VLAN tags if configured as VLAN interfaces.
- A
VLAN tagging can only be used with Ethernet
Why wrong: VLAN tagging can also be used with other technologies like Fibre Channel over Ethernet (FCoE).
- B
VLAN tags are always 12 bits
Why wrong: The tag has 4 bytes: TPID (2 bytes), TCI (2 bytes) which includes 3-bit priority, 1-bit CFI, 12-bit VLAN ID.
- C
Untagged frames on a trunk port are typically assigned to the native VLAN
Standard behavior: untagged traffic on a trunk belongs to native VLAN.
- D
VLAN tags are added by the switch, not the host
Why wrong: Hosts can also add VLAN tags if configured as VLAN interfaces.
- E
Linux can use VLAN interfaces with 802.1q tags
Linux supports VLAN interfaces via ip link or vconfig.
A Linux router running multiple routing tables is misconfigured. The administrator wants to add a policy routing rule that sends all traffic from subnet 10.10.0.0/16 to routing table 200. Which command should be used?
Trap 1: route add -net 10.10.0.0/16 table 200
'route' command does not support multiple tables.
Trap 2: iptables -A FORWARD -s 10.10.0.0/16 -j table 200
iptables cannot add routing table entries.
Trap 3: ip route add 10.10.0.0/16 dev eth0 table 200
Adds a route to table 200, not a rule to select that table.
- A
route add -net 10.10.0.0/16 table 200
Why wrong: 'route' command does not support multiple tables.
- B
ip rule add from 10.10.0.0/16 table 200
Creates a routing policy rule based on source address.
- C
iptables -A FORWARD -s 10.10.0.0/16 -j table 200
Why wrong: iptables cannot add routing table entries.
- D
ip route add 10.10.0.0/16 dev eth0 table 200
Why wrong: Adds a route to table 200, not a rule to select that table.
A company uses BIND9 as the authoritative name server for its public zone example.com. External users report that they cannot resolve the MX record for the domain, but internal users can. What is the most likely cause?
Trap 1: The zone file lacks an MX record.
An absent MX record would cause failure for both internal and external users.
Trap 2: The server is behind a firewall that blocks UDP port 53.
A firewall blocking port 53 would affect both internal and external users equally.
Trap 3: The recursion is set to no.
Disabling recursion is normal for authoritative servers and does not block queries; it only prevents recursive lookups.
- A
The zone file lacks an MX record.
Why wrong: An absent MX record would cause failure for both internal and external users.
- B
The allow-query ACL restricts queries to the internal network.
If allow-query limits to internal IPs, external queries are rejected, causing resolution failures for external users.
- C
The server is behind a firewall that blocks UDP port 53.
Why wrong: A firewall blocking port 53 would affect both internal and external users equally.
- D
The recursion is set to no.
Why wrong: Disabling recursion is normal for authoritative servers and does not block queries; it only prevents recursive lookups.
An administrator is troubleshooting network isolation in a Linux container environment. The container should have its own network stack, but it appears to be using the host's interfaces. Which command correctly runs a command inside a network namespace named 'ns1' to verify its network configuration?
Trap 1: nsenter -t 1234 -n ip addr show
Requires process PID; not for named namespace.
Trap 2: unshare -n ip addr show
Creates new namespace, does not use existing one.
Trap 3: ip netns add ns1
Only adds namespace, does not execute command.
- A
nsenter -t 1234 -n ip addr show
Why wrong: Requires process PID; not for named namespace.
- B
ip netns exec ns1 ip addr show
Executes command in named network namespace.
- C
unshare -n ip addr show
Why wrong: Creates new namespace, does not use existing one.
- D
ip netns add ns1
Why wrong: Only adds namespace, does not execute command.
Which Apache module is used to rewrite URLs based on rules?
Trap 1: mod_proxy
mod_proxy is used to proxy requests to another server, not for URL rewriting.
Trap 2: mod_alias
mod_alias provides simple URL mapping but not rule-based rewriting.
Trap 3: mod_redirect
mod_redirect is not a standard Apache module; redirects are implemented by mod_alias or mod_rewrite.
- A
mod_rewrite
mod_rewrite is the module that provides a rule-based rewriting engine.
- B
mod_proxy
Why wrong: mod_proxy is used to proxy requests to another server, not for URL rewriting.
- C
mod_alias
Why wrong: mod_alias provides simple URL mapping but not rule-based rewriting.
- D
mod_redirect
Why wrong: mod_redirect is not a standard Apache module; redirects are implemented by mod_alias or mod_rewrite.