- Which IEEE standard defines the protocol and compatible interconnection for data communication devices using a method of carrier-sensing multiple access with collision detection CSMA/CD?
Correct answer: 802.3
Correct answer: 802.3. Explanation: IEEE 802.3 is a set of standards for Ethernet and defines the protocol and compatible interconnection for data communication devices using a method of carrier-sensing multiple access with collision detection CSMA/CD.
- What type of address is FF02::1?
- A unicast address
- A multicast address
- An anycast address
- A broadcast address
Correct answer: A multicast address
Correct answer: A multicast address. Explanation: FF02::1 is an IPv6 multicast address. IPv6 uses multicast addressing to send packets to a group of interested receivers, which is indicated by the prefix FF02 in the address.
- Which type of cable is used to connect a computer to a switch in a typical Ethernet network?
- Crossover cable
- Straight-through cable
- Rollover cable
- Coaxial cable
Correct answer: Straight-through cable
Correct answer: Straight-through cable. Explanation: In a typical Ethernet network, a straight-through cable is used to connect a computer to a switch. This type of cable has its wires connected identically on both ends.
- What is the primary function of a DHCP relay agent in a network?
- To assign IP addresses to clients
- To forward DHCP messages between clients and servers on different networks
- To filter DHCP traffic based on MAC addresses
- To provide redundancy in case of DHCP server failure
Correct answer: To forward DHCP messages between clients and servers on different networks
Correct answer: To forward DHCP messages between clients and servers on different networks. Explanation: A DHCP relay agent is used to forward DHCP messages between clients and servers when they are not on the same physical subnet. This allows DHCP servers to provide IP configuration to clients on different networks.
- In a network, what is the function of a VLAN?
- To encrypt data packets
- To convert data into electrical signals
- To segment a network into multiple broadcast domains
- To prioritize traffic based on QoS
Correct answer: To segment a network into multiple broadcast domains
Correct answer: To segment a network into multiple broadcast domains. Explanation: A VLAN (Virtual Local Area Network) segments a network into multiple broadcast domains. This separation improves network performance and security by reducing collision and broadcast domains.
- Which protocol is used for securely transferring files over a network and operates on port 22?
Correct answer: SFTP
Correct answer: SFTP. Explanation: SFTP (Secure File Transfer Protocol) operates over SSH (Secure Shell) protocol on port 22. It is used for securely transferring files over a network, providing an encrypted channel for file transfers.
- In the context of wireless networking, what does MIMO technology stand for?
- Multiple Input, Multiple Output
- Modulation Input, Modulation Output
- Management Input, Management Output
- Multiplexing Input, Multiplexing Output
Correct answer: Multiple Input, Multiple Output
Correct answer: Multiple Input, Multiple Output. Explanation: MIMO (Multiple Input, Multiple Output) is a technology used in wireless communications where multiple antennas are used at both the source (transmitter) and the destination (receiver). It is designed to improve communication performance and increase data throughput.
- What type of device is used in networking to forward data only to the port where the destination system is connected?
Correct answer: Switch
Correct answer: Switch. Explanation: A network switch is a device that forwards data only to the specific port where the destination system is connected. Unlike hubs, which broadcast data to all ports, switches increase network efficiency by reducing unnecessary traffic.
- In a network, what is the main function of a protocol analyzer?
- To assign IP addresses
- To boost signal strength
- To analyze and decode network packets
- To manage network configurations
Correct answer: To analyze and decode network packets
Correct answer: To analyze and decode network packets. Explanation: A protocol analyzer, also known as a packet analyzer or network analyzer, is used to capture, analyze, and decode network packets. This tool is essential for diagnosing and resolving network issues, monitoring network traffic, and ensuring efficient network operations.
- What does a 'collision domain' in a network refer to?
- A segment where packet collisions can occur due to shared bandwidth
- A part of the network isolated for security reasons
- A segment where data packets collide due to encryption
- A section of the network with duplicate IP addresses
Correct answer: A segment where packet collisions can occur due to shared bandwidth
Correct answer: A segment where packet collisions can occur due to shared bandwidth. Explanation: A collision domain in networking refers to a network segment where data packets can collide because they share the same physical medium. This is typical in networks with hubs or in early versions of Ethernet.
- In which layer of the OSI model do IP addresses operate?
- Layer 2 - Data Link Layer
- Layer 3 - Network Layer
- Layer 4 - Transport Layer
- Layer 6 - Presentation Layer
Correct answer: Layer 3 - Network Layer
Correct answer: Layer 3 - Network Layer. Explanation: IP addresses operate at the Network Layer (Layer 3) of the OSI model. This layer is responsible for logical addressing and routing, which includes the use of IP addresses to route packets to their destinations.
- What is the primary purpose of a subnet mask in IP networking?
- To encrypt data packets
- To identify the host portion of an IP address
- To determine the network portion of an IP address
- To manage IP routing protocols
Correct answer: To determine the network portion of an IP address
Correct answer: To determine the network portion of an IP address. Explanation: A subnet mask in IP networking is used to determine the network portion of an IP address. It effectively splits the IP address into the network and host portions, which is essential for IP routing and addressing.
- In networking, what is the function of an ARP (Address Resolution Protocol)?
- To translate URLs to IP addresses
- To resolve MAC addresses from IP addresses
- To encrypt data for secure transmission
- To assign IP addresses dynamically
Correct answer: To resolve MAC addresses from IP addresses
Correct answer: To resolve MAC addresses from IP addresses. Explanation: ARP (Address Resolution Protocol) is used in IP networking to map an IP address to its corresponding MAC (Media Access Control) address. This is essential for communication within a local network segment.
- Which wireless encryption standard is considered the most secure as of the latest CompTIA Network+ examination?
Correct answer: WPA3
Correct answer: WPA3. Explanation: As of the latest CompTIA Network+ examination, WPA3 (Wi-Fi Protected Access 3) is considered the most secure wireless encryption standard. It provides stronger security protections and is the successor to WPA2.
- What is the primary purpose of Quality of Service (QoS) in networking?
- To provide data backup and recovery
- To prioritize certain types of network traffic
- To encrypt data for secure communication
- To assign static IP addresses to devices
Correct answer: To prioritize certain types of network traffic
Correct answer: To prioritize certain types of network traffic. Explanation: Quality of Service (QoS) is a feature in networking that prioritizes certain types of traffic over others. This is important in ensuring that time-sensitive data like VoIP and video streaming receive higher priority and bandwidth.
- In the context of networking, what does the term 'latency' refer to?
- The data transfer rate of a network
- The delay in data transmission over a network
- The physical length of the network cables
- The maximum data capacity of a network
Correct answer: The delay in data transmission over a network
Correct answer: The delay in data transmission over a network. Explanation: Latency in networking refers to the time delay in transmitting data over a network. It is the measure of time taken for a packet of data to get from one designated point to another.
- Which protocol is responsible for automatic IP address assignment in a local network?
Correct answer: DHCP
Correct answer: DHCP. Explanation: DHCP (Dynamic Host Configuration Protocol) is responsible for automatically assigning IP addresses to devices in a local network. It simplifies the management of IP addresses in large networks.
- What is the primary purpose of an SNMP (Simple Network Management Protocol) in a network?
- To secure network communications
- To manage network devices and monitor network performance
- To provide email services
- To translate domain names to IP addresses
Correct answer: To manage network devices and monitor network performance
Correct answer: To manage network devices and monitor network performance. Explanation: SNMP (Simple Network Management Protocol) is used for managing devices on IP networks. It monitors network performance, detects network faults, and sometimes configures network devices.
- In networking, what does the term 'unicast' refer to?
- Sending data to all devices in a network
- Sending data from one device to a specific single device
- Sending data to a selected group of devices
- Broadcasting data to devices in different networks
Correct answer: Sending data from one device to a specific single device
Correct answer: Sending data from one device to a specific single device. Explanation: Unicast in networking refers to the sending of data packets from one single source to one single destination. This is the most common form of data transmission on IP networks.
- Which technology allows multiple VLANs to be transported across a single network link?
Correct answer: 802.1Q
Correct answer: 802.1Q. Explanation: IEEE 802.1Q is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network. It allows multiple VLANs to share a single physical network link, which is essential for efficient network design and reducing the number of physical connections required.
- In a network topology, what is the primary function of an aggregation switch?
- To connect end-user devices
- To aggregate connections from access switches
- To provide a core layer routing
- To connect to external networks
Correct answer: To aggregate connections from access switches
Correct answer: To aggregate connections from access switches. Explanation: An aggregation switch, often used in larger networks, primarily functions to consolidate (aggregate) multiple connections from access switches. This is a crucial component in scalable network designs, providing a centralized point for traffic coming from various access switches.
- What is the primary purpose of using HSRP in a network?
- To encrypt data packets
- To balance network load
- To provide redundancy for a default gateway
- To segment network traffic
Correct answer: To provide redundancy for a default gateway
Correct answer: To provide redundancy for a default gateway. Explanation: Hot Standby Router Protocol (HSRP) is used in network environments to provide redundancy for the default gateway. It ensures continuous availability of the network by allowing multiple routers to work in tandem, with one acting as the primary router and others as backups.
- Which protocol is used to prioritize voice traffic in a network, ensuring Quality of Service (QoS)?
Correct answer: 802.1p
Correct answer: 802.1p. Explanation: IEEE 802.1p is a standard for implementing Quality of Service (QoS) in networks. It allows for prioritization of traffic types, such as voice, ensuring that time-sensitive data like VoIP has a higher priority and is less likely to experience delays.
- In the context of wireless networking, what does MIMO technology improve?
- Signal encryption
- Wireless range
- Data throughput
- Frequency modulation
Correct answer: Data throughput
Correct answer: Data throughput. Explanation: Multiple Input Multiple Output (MIMO) technology in wireless communications improves data throughput and capacity. It uses multiple antennas at both the transmitter and receiver to exploit multipath propagation, enhancing the performance of wireless networks.
- What is the primary purpose of the Spanning Tree Protocol (STP) in a network?
- To provide multiple redundant paths
- To prevent routing loops
- To prevent broadcast storms
- To encrypt data frames
Correct answer: To prevent broadcast storms
Correct answer: To prevent broadcast storms. Explanation: Spanning Tree Protocol (STP) is used in network environments to prevent broadcast storms caused by loops. It works by creating a logical spanning tree within a network, shutting down the redundant paths and leaving only a single active path for data traffic.
- Which network device operates at Layer 3 of the OSI model and makes forwarding decisions based on IP addresses?
Correct answer: Router
Correct answer: Router. Explanation: Routers operate at Layer 3 (the Network layer) of the OSI model. They are responsible for forwarding data packets based on their IP addresses, making decisions about the best path for sending the packets through the network.
- In a WAN, what is the main function of a demarcation point?
- To separate the customer equipment from the service provider's equipment
- To connect different network protocols
- To provide data encryption
- To balance network traffic
Correct answer: To separate the customer equipment from the service provider's equipment
Correct answer: To separate the customer equipment from the service provider's equipment. Explanation: A demarcation point in a WAN (Wide Area Network) is the point where the service provider's responsibility ends and the customer's (or end user's) responsibility begins. It is a critical boundary for troubleshooting and determining responsibility for network issues.
- What is the primary purpose of a Virtual Private Network (VPN) concentrator in a network infrastructure?
- To manage multiple VPN connections
- To filter content
- To balance network load
- To encrypt internal network traffic
Correct answer: To manage multiple VPN connections
Correct answer: To manage multiple VPN connections. Explanation: A VPN concentrator is primarily used for creating, managing, and terminating VPN connections. It is designed to handle a large number of VPN tunnels, making it essential for organizations that require secure remote access for numerous users.
- What type of network device is used to connect multiple devices on a Local Area Network (LAN) and operates at the Data Link layer of the OSI model?
- Router
- Switch
- Modem
- Firewall
Correct answer: Switch
Correct answer: Switch. Explanation: A switch is a network device that connects multiple devices on a Local Area Network (LAN) and operates at the Data Link layer (Layer 2) of the OSI model. It uses MAC addresses to forward data to the correct destination within the LAN.
- In a wireless network, what does the term "SSID" stand for?
- Service Set Identifier
- Secure Socket Identifier
- System Signal Identifier
- Serial Service Identification
Correct answer: Service Set Identifier
Correct answer: Service Set Identifier. Explanation: SSID stands for Service Set Identifier. It's a unique name given to a wireless network. Users must know the SSID to connect to the wireless network, as it distinguishes one network from another.
- What is the primary purpose of a load balancer in a network infrastructure?
- To filter network traffic
- To distribute network traffic across multiple servers
- To encrypt data
- To assign IP addresses
Correct answer: To distribute network traffic across multiple servers
Correct answer: To distribute network traffic across multiple servers. Explanation: A load balancer is a device that distributes network or application traffic across multiple servers. This distribution helps to optimize resource use, maximize throughput, reduce latency, and ensure fault-tolerant configurations in high-traffic networks.
- Which of the following is a characteristic of a mesh network topology?
- Single point of failure
- Centralized architecture
- Redundant connections between devices
- Limited node-to-node communication
Correct answer: Redundant connections between devices
Correct answer: Redundant connections between devices. Explanation: In a mesh network topology, each node connects directly to several other nodes. This creates a network with redundant interconnections between network nodes, providing high reliability and fault tolerance.
- What is the function of a WAP (Wireless Access Point) in a wireless network?
- To provide a firewall
- To serve as a bridge between wired and wireless networks
- To assign IP addresses
- To filter content
Correct answer: To serve as a bridge between wired and wireless networks
Correct answer: To serve as a bridge between wired and wireless networks. Explanation: A Wireless Access Point (WAP) acts as a bridge between a wired network and a wireless network. It allows wireless devices to connect to the wired network, facilitating communication and access to network resources.
- In network security, what is the primary purpose of a Unified Threat Management (UTM) device?
- To balance network load
- To manage wireless networks
- To provide multiple security functions
- To allocate network resources
Correct answer: To provide multiple security functions
Correct answer: To provide multiple security functions. Explanation: A Unified Threat Management (UTM) device integrates multiple security functions and services within a single device. This may include firewall, antivirus, intrusion prevention, and content filtering capabilities, offering comprehensive security solutions.
- In network operations, what is the primary purpose of a syslog server?
- To manage network configurations
- To serve as a DHCP server
- To collect and store log files from various network devices
- To monitor network bandwidth usage
Correct answer: To collect and store log files from various network devices
Correct answer: To collect and store log files from various network devices. Explanation: A syslog server in network operations is primarily used for the collection and storage of log files from different network devices. This centralized logging is crucial for monitoring, troubleshooting, and maintaining network security.
- What is the main purpose of a network baseline?
- To serve as a standard for network security
- To define the normal operating parameters of a network
- To provide a backup of network configurations
- To set up initial network configurations
Correct answer: To define the normal operating parameters of a network
Correct answer: To define the normal operating parameters of a network. Explanation: A network baseline defines the normal operating parameters of a network, such as typical bandwidth usage, latency, and throughput. It is used for comparison against future measurements to detect anomalies or changes in network performance.
- What is the primary purpose of a SIEM (Security Information and Event Management) system in network operations?
- Providing real-time analysis of security alerts
- Managing network device configurations
- Monitoring network performance metrics
- Implementing network access control
Correct answer: Providing real-time analysis of security alerts
Correct answer: Providing real-time analysis of security alerts. Explanation: A SIEM system combines security information management (SIM) and security event management (SEM) functions into one security management system. Its primary role is to provide real-time analysis of security alerts generated by network hardware and applications.
- In network operations, what is the main function of a TACACS+ server?
- Encrypting data transmission
- Load balancing traffic
- Managing user authentication and authorization
- Routing network packets
Correct answer: Managing user authentication and authorization
Correct answer: Managing user authentication and authorization. Explanation: TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol used for controlling access to computer networks. It provides centralized validation of users attempting to gain access to a router or NAS (Network Access Server), mainly used for user authentication and authorization.
- What is the primary role of an IDS (Intrusion Detection System) in network security?
- Preventing unauthorized access to network resources
- Encrypting data transmissions
- Detecting and alerting on potential network intrusions
- Managing network device configurations
Correct answer: Detecting and alerting on potential network intrusions
Correct answer: Detecting and alerting on potential network intrusions. Explanation: An IDS (Intrusion Detection System) is primarily used for detecting and alerting on potential intrusions and malicious activities within a network. It monitors network traffic and compares it against a database of known attack signatures or anomalous traffic patterns.
- What is the primary purpose of a Network Time Protocol (NTP) server in a network environment?
- Managing network bandwidth
- Synchronizing the time across network devices
- Providing network security
- Allocating IP addresses
Correct answer: Synchronizing the time across network devices
Correct answer: Synchronizing the time across network devices. Explanation: An NTP server is used to synchronize the clocks of computers and network devices to a standard time source. This is crucial for ensuring accurate timekeeping across a network, which is vital for logging, security, and various network operations.
- Which device is primarily used for filtering and securing network traffic at the perimeter of a network?
Correct answer: Firewall
Correct answer: Firewall. Explanation: Firewalls are devices used for filtering and securing network traffic, typically positioned at the boundary of a network. They are essential for protecting internal network resources from external threats.
- In network operations, what does the term 'failover' refer to?
- The process of balancing load across servers
- The action of replacing a faulty cable
- The automatic switching to a redundant or standby system
- The process of updating network device firmware
Correct answer: The automatic switching to a redundant or standby system
Correct answer: The automatic switching to a redundant or standby system. Explanation: Failover refers to the automatic switching to a redundant or standby system upon the failure of a primary system. This ensures continuous network operations and availability in case of system failures.
- What is the primary purpose of using SNMP traps in network management?
- Configuring network devices
- Encrypting data across the network
- Sending asynchronous alerts to a management station
- Allocating IP addresses dynamically
Correct answer: Sending asynchronous alerts to a management station
Correct answer: Sending asynchronous alerts to a management station. Explanation: SNMP traps are used for sending asynchronous notifications from SNMP agents to a management station. These alerts notify the administrator about significant events or changes in the network device status.
- Which technology is primarily used for securely extending a private network across a public network?
Correct answer: VPN
Correct answer: VPN. Explanation: A Virtual Private Network (VPN) is used for securely extending a private network across a public network, such as the Internet. This allows users to send and receive data across shared or public networks as if their devices were directly connected to the private network.
- Which tool is used for testing reachability of devices in an IP network and diagnosing connectivity issues?
- Nslookup
- Traceroute
- Ping
- Netstat
Correct answer: Ping
Correct answer: ping. Explanation: The ping command is used to test the reachability of devices on an IP network. It helps diagnose connectivity issues by sending ICMP Echo Request messages and waiting for Echo Reply messages.
- What is the purpose of a VLAN Trunking Protocol (VTP) in a switched network?
- Encrypting VLAN traffic
- Managing VLAN configuration across multiple switches
- Assigning IP addresses within a VLAN
- Balancing traffic load among VLANs
Correct answer: Managing VLAN configuration across multiple switches
Correct answer: Managing VLAN configuration across multiple switches. Explanation: VLAN Trunking Protocol (VTP) is used for managing VLAN configuration across multiple switches. It simplifies the management of VLANs by automatically distributing and synchronizing VLAN information within a network of switches.
- In a network, what is the primary function of a RADIUS server?
- Routing data packets
- Centralizing authentication, authorization, and accounting
- Load balancing
- Filtering traffic
Correct answer: Centralizing authentication, authorization, and accounting
Correct answer: Centralizing authentication, authorization, and accounting. Explanation: A RADIUS (Remote Authentication Dial-In User Service) server centralizes the authentication, authorization, and accounting (AAA) for users who connect and use a network service. It is widely used in managing access to network resources.
- Which protocol is primarily used for securely accessing a remote computer or server over a network?
Correct answer: SSH
Correct answer: SSH. Explanation: SSH (Secure Shell) is a protocol used for securely accessing a remote computer or server over a network. It provides a secure channel over an unsecured network in a client-server architecture.
- What is the primary function of 802.1X in a network environment?
- Routing protocol authentication
- Network access control
- Wireless encryption
- Virtual LAN tagging
Correct answer: Network access control
Correct answer: Network access control. Explanation: 802.1X is a network protocol that provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. It is used in network access control, ensuring that only authenticated users and devices can connect to the network.
- Which of the following best describes a Man-in-the-Middle (MitM) attack?
- The attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
- The attacker sends a flood of data packets to a targeted server or network.
- The attacker exploits vulnerabilities in software to gain unauthorized access.
- The attacker attempts to guess or crack passwords to gain system access.
Correct answer: The attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Correct answer: The attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. Explanation: A Man-in-the-Middle (MitM) attack occurs when an attacker intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. This type of attack is a significant threat in network security, as it can lead to data breaches, eavesdropping, and session hijacking.
- In network security, what is the primary role of a WAF (Web Application Firewall)?
- Protecting network devices from unauthorized access
- Filtering and monitoring HTTP traffic to and from a web application
- Encrypting data traffic as it travels across the network
- Detecting and preventing wireless network intrusions
Correct answer: Filtering and monitoring HTTP traffic to and from a web application
Correct answer: Filtering and monitoring HTTP traffic to and from a web application. Explanation: A Web Application Firewall (WAF) is specifically designed to monitor, filter, and block HTTP traffic to and from a web application. It helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
- What does the term "DLP" stand for in network security, and what is its primary purpose?
- Data Loss Prevention; preventing data breaches by monitoring, detecting, and blocking sensitive data
- Dynamic Link Protocol; ensuring efficient data transfer in dynamic network environments
- Data Link Protection; securing the physical link layer in network communication
- Distributed Lease Protocol; managing IP address allocation in large networks
Correct answer: Data Loss Prevention; preventing data breaches by monitoring, detecting, and blocking sensitive data
Correct answer: Data Loss Prevention; preventing data breaches by monitoring, detecting, and blocking sensitive data. Explanation: DLP, or Data Loss Prevention, is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential, and business-critical data and identifies policy violations typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR.
- In the context of network security, what is the function of an IPS (Intrusion Prevention System)?
- To encrypt data transmissions
- To create virtual private networks
- To monitor and prevent potential network security threats
- To balance network load among multiple servers
Correct answer: To monitor and prevent potential network security threats
Correct answer: To monitor and prevent potential network security threats. Explanation: An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. IPS systems are considered extensions of Intrusion Detection Systems (IDS) because they both monitor network traffic and/or system activities for malicious activity.
- Which protocol is used for securely transmitting log messages over the network to a logging server?
- SNMP
- SMTP
- Syslog over TLS
- FTPS
Correct answer: Syslog over TLS
Correct answer: Syslog over TLS. Explanation: Syslog over TLS (Transport Layer Security) is used to securely transmit log messages over a network to a logging server. This protocol ensures that the log data is encrypted and transmitted securely, protecting it from interception or tampering during transit.
- What is the main purpose of port security in network switches?
- To restrict the number of MAC addresses on a switch port
- To provide encryption for data passing through the port
- To monitor the performance of network ports
- To balance the traffic load across multiple ports
Correct answer: To restrict the number of MAC addresses on a switch port
Correct answer: To restrict the number of MAC addresses on a switch port. Explanation: Port security on network switches is primarily used to restrict the number of valid MAC addresses allowed on a switch port. This security feature prevents unauthorized devices from connecting to the network and protects against MAC address spoofing attacks.
- Which type of network security attack involves overwhelming a service with excessive requests, rendering it unavailable?
- Phishing
- Man-in-the-Middle
- Denial of Service (DoS)
- SQL Injection
Correct answer: Denial of Service (DoS)
Correct answer: Denial of Service (DoS). Explanation: A Denial of Service (DoS) attack is characterized by an attacker sending a large number of requests or malformed packets to a target network service, with the intention of overwhelming it and making it unavailable to legitimate users.
- In network security, what is the primary purpose of VLAN segregation?
- Increasing the speed of the network
- Reducing network traffic congestion
- Separating network segments for security purposes
- Assigning different IP ranges for easier management
Correct answer: Separating network segments for security purposes
Correct answer: Separating network segments for security purposes. Explanation: VLAN segregation is primarily used for separating network segments for security purposes. By dividing a network into VLANs, administrators can control which hosts can communicate with each other, effectively isolating sensitive areas of the network from unauthorized access.
- Which cryptographic protocol is used to secure communication over an insecure network, such as the Internet?
Correct answer: TLS
Correct answer: TLS. Explanation: TLS (Transport Layer Security) is a cryptographic protocol designed to provide communications security over a computer network. Websites use TLS to secure all communications between their servers and web browsers, making it essential for secure data transmission over the Internet.
- What is the main function of a proxy server in a network environment?
- Balancing network load
- Encrypting internal communications
- Acting as an intermediary for requests from clients
- Assigning IP addresses to devices
Correct answer: Acting as an intermediary for requests from clients
Correct answer: Acting as an intermediary for requests from clients. Explanation: A proxy server acts as an intermediary between a client and the internet. It receives requests from clients, forwards these requests to the destination server, and returns the server's response to the client. This can provide additional security, anonymity, and cache functionality.
- In network security, what is the purpose of implementing a honeypot?
- To attract and analyze attempts at unauthorized access
- To encrypt sensitive data
- To distribute network traffic evenly
- To serve as a primary firewall
Correct answer: To attract and analyze attempts at unauthorized access
Correct answer: To attract and analyze attempts at unauthorized access. Explanation: A honeypot in network security is a decoy system designed to attract attackers. By simulating vulnerabilities, it lures in potential attackers, allowing the network administrators to study their activities and improve the network's defenses.
- What is the primary security concern with using outdated network protocols such as Telnet?
- They do not support modern routing techniques.
- They are not compatible with new hardware.
- They transmit data, including credentials, in plaintext.
- They have limited bandwidth capacity.
Correct answer: They transmit data, including credentials, in plaintext.
Correct answer: They transmit data, including credentials, in plaintext. Explanation: The primary security concern with outdated protocols like Telnet is that they transmit data, including login credentials, in plaintext. This lack of encryption makes it easy for attackers to intercept and read the data, posing a significant security risk.
- In the context of network security, what does NAT (Network Address Translation) primarily accomplish?
- Encrypts data leaving the network
- Filters incoming and outgoing traffic
- Translates private IP addresses to a public address
- Blocks unauthorized access to network resources
Correct answer: Translates private IP addresses to a public address
Correct answer: Translates private IP addresses to a public address. Explanation: NAT (Network Address Translation) primarily translates private IP addresses within a local network to a public IP address before the data leaves the network. This allows multiple devices on a private network to share a single public IP address, conserving IP addresses and adding a layer of security.
- Which of the following best describes a Zero Trust security model in networking?
- Trusting all users within the network perimeter
- Only using trusted vendors for network equipment
- Verifying the trust of each user and device, regardless of location
- Using a single, comprehensive firewall for the entire network
Correct answer: Verifying the trust of each user and device, regardless of location
Correct answer: Verifying the trust of each user and device, regardless of location. Explanation: The Zero Trust security model operates on the principle of "never trust, always verify." This means every user and device, whether inside or outside the network's perimeter, must be authenticated and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
- When troubleshooting a network issue, what does a traceroute (or tracert in Windows) command help determine?
- The strength of the wireless signal
- The route packets take to reach a destination
- The amount of traffic on the network
- The speed of the DNS server
Correct answer: The route packets take to reach a destination
Correct answer: The route packets take to reach a destination. Explanation: The traceroute command in Unix/Linux and tracert command in Windows are used to display the route and measure transit delays of packets across a network. It helps in identifying the path taken by packets to reach the destination and any points of failure or delays along this path.
- Which tool would be most effective for identifying the presence of a broadcast storm in a network?
- Network sniffer
- TDR (Time-Domain Reflectometer)
- Multimeter
- Cable tester
Correct answer: Network sniffer
Correct answer: Network sniffer. Explanation: A network sniffer (or packet analyzer) is a software tool that captures and analyzes packets on the network. It can be used effectively to identify excessive broadcast traffic, indicative of a broadcast storm, by capturing and analyzing the patterns of network traffic.
- What does the nslookup or dig command primarily help determine in network troubleshooting?
- Route data packets take to reach their destination
- DNS resolution and record information
- Physical layer problems
- IP address conflicts
Correct answer: DNS resolution and record information
Correct answer: DNS resolution and record information. Explanation: The nslookup and dig commands are used for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or other specific DNS records. They are crucial in troubleshooting DNS resolution issues.
- What is the primary purpose of a TDR (Time-Domain Reflectometer) in network troubleshooting?
- Measuring packet loss
- Testing the strength of wireless signals
- Locating faults in physical cabling
- Analyzing network traffic
Correct answer: Locating faults in physical cabling
Correct answer: Locating faults in physical cabling. Explanation: A TDR (Time-Domain Reflectometer) is used to locate faults in metallic cables (like coaxial cables or twisted pair cables). It works by sending a signal down the cable and measuring reflections to find breaks or other imperfections.
- Which network monitoring tool is used to inspect incoming and outgoing network traffic at the interface level?
- Syslog server
- Packet sniffer
- NetFlow analyzer
- SNMP agent
Correct answer: Packet sniffer
Correct answer: Packet sniffer. Explanation: A packet sniffer is a tool that captures and analyzes network traffic passing through a network interface. It is essential for detailed inspection of packet contents and for diagnosing network problems at a granular level.
- In network troubleshooting, what is the primary function of an OTDR (Optical Time-Domain Reflectometer)?
- Testing the strength of wireless signals
- Analyzing network protocol issues
- Locating faults in fiber optic cables
- Measuring network bandwidth
Correct answer: Locating faults in fiber optic cables
Correct answer: Locating faults in fiber optic cables. Explanation: An OTDR (Optical Time-Domain Reflectometer) is used for identifying faults in fiber optic cables. It works by sending pulses of light down the fiber and measuring the reflected light to find breaks or defects in the fiber.
- What is the primary use of the netstat command in network troubleshooting?
- Displaying active TCP/IP network connections
- Testing connectivity to remote hosts
- Measuring network data transfer speeds
- Configuring network interface parameters
Correct answer: Displaying active TCP/IP network connections
Correct answer: Displaying active TCP/IP network connections. Explanation: The netstat (network statistics) command is used to display active TCP/IP connections, routing tables, interface statistics, masquerade connections, multicast memberships, and more. It's a versatile tool for assessing the state of network connections on a system.
- Which device is used to test the connectivity and signal strength of a wired Ethernet network?
- Protocol analyzer
- Cable certifier
- Spectrum analyzer
- Network probe
Correct answer: Cable certifier
Correct answer: Cable certifier. Explanation: A cable certifier is a device used in network troubleshooting to test the connectivity, signal strength, and quality of wired Ethernet networks. It ensures that the cabling meets certain standards for data transmission.
- When experiencing intermittent network issues, which tool is most effective for monitoring and logging network performance over time?
- Protocol analyzer
- Network baseline
- Syslog server
- SNMP monitor
Correct answer: SNMP monitor
Correct answer: SNMP monitor. Explanation: An SNMP (Simple Network Management Protocol) monitor is used for continuous monitoring and logging network performance data over time. It is particularly effective for identifying and analyzing intermittent network issues, as it provides historical performance data.
- What does the MTR (My Traceroute) tool provide in network troubleshooting?
- It shows the route packets take to reach a destination.
- It tests the connectivity strength of wireless networks.
- It identifies the MAC address conflicts in a network.
- It displays the encryption type used in network communication.
Correct answer: It shows the route packets take to reach a destination.
Correct answer: It shows the route packets take to reach a destination. Explanation: The MTR tool combines the functionality of the traceroute and ping programs in a single network diagnostic tool. It provides information on the route packets take to reach a destination and the response times of each hop.
- Which device is used to monitor and analyze both wired and wireless network traffic in real-time?
- Spectrum analyzer
- Cable tester
- Network probe
- TDR
Correct answer: Network probe
Correct answer: Network probe. Explanation: A network probe is a device or software that monitors and analyzes network traffic, both wired and wireless. It is used to diagnose network issues and to capture and analyze network packets in real-time.
- What is the main purpose of the tcpdump command in network troubleshooting?
- It is used to configure network interfaces.
- It captures and analyzes network packets.
- It displays the TCP/IP configuration settings.
- It tests the connectivity of a TCP/IP network.
Correct answer: It captures and analyzes network packets.
Correct answer: It captures and analyzes network packets. Explanation: tcpdump is a powerful command-line packet analyzer; it lets you capture and interactively browse the traffic running on a computer network. It is used primarily for capturing and analyzing network packets.
- In network troubleshooting, which tool is used to graphically display the interfaces between systems and the paths packets take?
- Network mapper
- Wireshark
- Bandwidth monitor
- Network simulator
Correct answer: Network mapper
Correct answer: Network mapper. Explanation: A network mapper is a tool that graphically displays the network's topology, including the interfaces between systems and the paths that packets take across the network. It is useful in visualizing network layouts for troubleshooting purposes.
- Which tool or feature can be used to compare the performance of a network against established standards and baselines?
- Network sniffer
- Performance monitor
- Network baseline
- Protocol analyzer
Correct answer: Network baseline
Correct answer: Network baseline. Explanation: A network baseline is a set of performance standards and metrics that are established to define the normal working conditions of a network. It is used to compare current network performance against these established norms.
- What is the primary function of a loopback test in network troubleshooting?
- It tests the functionality of network routers.
- It checks the physical health of Ethernet cables.
- It verifies the operation of a network interface card.
- It measures the bandwidth capacity of the network.
Correct answer: It verifies the operation of a network interface card.
Correct answer: It verifies the operation of a network interface card. Explanation: A loopback test in network troubleshooting is primarily used to verify the operation and functionality of a network interface card (NIC) by directing the signal to return to the sending system.
- Which network troubleshooting tool is used to identify the existence and strength of wireless networks?
- Wi-Fi analyzer
- Cable certifier
- Protocol analyzer
- TDR
Correct answer: Wi-Fi analyzer
Correct answer: Wi-Fi analyzer. Explanation: A Wi-Fi analyzer is a tool used for detecting the presence and measuring the strength of wireless networks. It helps in identifying signal strength, interference, and other wireless network characteristics.
- What is the main use of the whois command in network troubleshooting?
- It provides information about domain name registration.
- It tests connectivity to a remote host.
- It displays the route data packets take to reach a destination.
- It identifies network congestion issues.
Correct answer: It provides information about domain name registration.
Correct answer: It provides information about domain name registration. Explanation: The whois command is used in network troubleshooting to query databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
- A technician needs to explain where a network switch primarily operates within the OSI reference model. At which layer does a traditional unmanaged Layer 2 switch make its forwarding decisions?
- The Data Link layer, using MAC addresses
- The Physical layer, using electrical signaling
- The Transport layer, using port numbers
- The Network layer, using IP addresses
Correct answer: The Data Link layer, using MAC addresses
A traditional switch operates at the Data Link layer (Layer 2) and forwards frames based on MAC addresses stored in its MAC address table. The Network layer (Layer 3) is where routers make decisions using IP addresses, the Physical layer (Layer 1) only deals with raw signaling and media, and the Transport layer (Layer 4) handles port numbers and segmentation. This is why a switch is described as a Layer 2 device while a router is a Layer 3 device.
- While teaching a fundamentals class, an instructor lists the seven layers of the OSI model from top to bottom. Which sequence is correct?
- Application, Presentation, Session, Transport, Network, Data Link, Physical
- Application, Session, Presentation, Transport, Data Link, Network, Physical
- Physical, Data Link, Network, Transport, Session, Presentation, Application
- Application, Transport, Network, Presentation, Session, Data Link, Physical
Correct answer: Application, Presentation, Session, Transport, Network, Data Link, Physical
The OSI model layers from top (Layer 7) to bottom (Layer 1) are Application, Presentation, Session, Transport, Network, Data Link, Physical. A common mnemonic for top-down is All People Seem To Need Data Processing. Reversing the order or swapping Presentation and Session produces the incorrect sequences shown in the other choices.
- A help-desk ticket says a user cannot reach any website by name, but can reach servers by typing their IP addresses directly. Which network service is most likely failing?
- ARP, which maps IP addresses to MAC addresses
- DHCP, which assigns IP addresses to clients
- NAT, which translates private to public addresses
- DNS, which resolves domain names to IP addresses
Correct answer: DNS, which resolves domain names to IP addresses
DNS (Domain Name System) is the service that translates human-readable domain names such as example.com into the IP addresses computers use to route traffic. If connectivity works by IP but not by name, name resolution (DNS) is the broken piece. DHCP would prevent the host from getting an address at all, NAT failure would block external IP reachability too, and ARP operates only within the local subnet.
- A network administrator must summarize the key difference between IPv4 and IPv6 addressing. Which statement correctly describes the address sizes?
- IPv4 and IPv6 both use 48-bit addresses
- IPv4 uses 32-bit addresses while IPv6 uses 128-bit addresses
- IPv4 uses 32-bit addresses while IPv6 uses 64-bit addresses
- IPv4 uses 64-bit addresses while IPv6 uses 128-bit addresses
Correct answer: IPv4 uses 32-bit addresses while IPv6 uses 128-bit addresses
IPv4 addresses are 32 bits long (written as four dotted-decimal octets such as 192.168.1.1), while IPv6 addresses are 128 bits long (written as eight groups of hexadecimal digits). The vastly larger IPv6 space was designed to overcome IPv4 address exhaustion, providing roughly 340 undecillion addresses. The other pairings misstate the bit lengths.
- A workstation boots and broadcasts a request for network configuration. Which protocol automatically assigns it an IP address, subnet mask, default gateway, and DNS server?
Correct answer: DHCP
DHCP (Dynamic Host Configuration Protocol) automatically leases IP configuration to clients, including the IP address, subnet mask, default gateway, and DNS server settings. DNS resolves names rather than handing out addresses, SNMP is used for monitoring and managing devices, and ICMP carries diagnostic and error messages such as those used by ping. DHCP uses UDP ports 67 (server) and 68 (client).
- A developer is choosing a transport protocol for a real-time voice application where occasional lost packets are acceptable but low latency is critical. Which protocol best fits, and why?
- TCP, because it guarantees ordered, reliable delivery with retransmission
- IP, because it directly carries voice payloads without a transport layer
- UDP, because it is connectionless and has lower overhead than TCP
- ICMP, because it is the fastest protocol for application data
Correct answer: UDP, because it is connectionless and has lower overhead than TCP
UDP (User Datagram Protocol) is connectionless and does not perform handshaking, acknowledgments, or retransmission, giving it lower overhead and latency that suits real-time voice and video. TCP guarantees reliable, ordered delivery but its retransmissions and flow control add delay, making it a poor fit for real-time media. ICMP and IP are not transport-layer protocols for application payloads.
- During a networking lab, a student asks what a MAC address actually identifies. Which description is correct?
- A domain name that maps to a host on the internet
- A port number that identifies an application service
- A 48-bit hardware address burned into a network interface, used at Layer 2
- A 32-bit logical address assigned by DHCP, used at Layer 3
Correct answer: A 48-bit hardware address burned into a network interface, used at Layer 2
A MAC (Media Access Control) address is a 48-bit physical hardware address assigned to a network interface, typically expressed as six hexadecimal pairs such as 00:1A:2B:3C:4D:5E. It operates at the Data Link layer (Layer 2) and is used for frame delivery on the local segment. IP addresses are logical Layer 3 addresses, port numbers identify services, and domain names are resolved by DNS.
- A junior technician confuses MAC addresses with IP addresses. Which statement accurately distinguishes them?
- Both are 32-bit values assigned by DHCP
- A MAC address is a physical Layer 2 identifier tied to hardware, while an IP address is a logical Layer 3 identifier that can change with the network
- A MAC address changes each time a device connects to a new subnet, while an IP address never changes
- A MAC address is a logical address assigned by routers, while an IP address is burned into the NIC
Correct answer: A MAC address is a physical Layer 2 identifier tied to hardware, while an IP address is a logical Layer 3 identifier that can change with the network
A MAC address is a hardware-based Layer 2 identifier that normally stays with the network interface, while an IP address is a logical Layer 3 address that the device receives based on the network it joins and that changes when it moves to a different subnet. Routers forward by IP address, while switches forward by MAC. The reversed and 32-bit-for-both statements are incorrect.
- A subnet mask of 255.255.255.224 is applied to a network. In CIDR notation, what is this prefix length, and how many usable host addresses does each subnet provide?
- /27 with 32 usable hosts
- /26 with 62 usable hosts
- /27 with 30 usable hosts
- /28 with 14 usable hosts
Correct answer: /27 with 30 usable hosts
A mask of 255.255.255.224 sets 27 network bits, which is /27. With 5 host bits remaining, each subnet holds 2 to the 5th power (32) addresses, minus the network and broadcast addresses, leaving 30 usable hosts. A /26 provides 62 usable, a /28 provides 14 usable, and 32 ignores the two reserved addresses.
- A home router lets many internal devices using private addresses share a single public IP for internet access. Which technology makes this possible?
- VLAN (Virtual Local Area Network)
- STP (Spanning Tree Protocol)
- NAT (Network Address Translation)
- DNS (Domain Name System)
Correct answer: NAT (Network Address Translation)
NAT (Network Address Translation) rewrites the source IP address (and with PAT, the port) of outbound packets so that many private hosts can share one public IP address. This both conserves public IPv4 addresses and hides internal addressing. DNS resolves names, VLANs segment a switch into logical broadcast domains, and STP prevents Layer 2 loops.
- A network engineer must run a fiber link across a 30-kilometer campus-to-campus span. Which fiber type and rationale is most appropriate?
- Single-mode fiber, because it uses inexpensive LED light sources for short runs
- Multimode fiber, because its larger core supports the longest distances
- Multimode fiber, because it eliminates modal dispersion over many kilometers
- Single-mode fiber, because its small core carries one light path with low attenuation over long distances
Correct answer: Single-mode fiber, because its small core carries one light path with low attenuation over long distances
Single-mode fiber has a very small core (around 9 microns) that allows a single light path, minimizing modal dispersion and supporting long-distance runs of many kilometers using laser sources. Multimode fiber has a larger core that allows multiple light paths, causing modal dispersion that limits it to shorter distances (typically a few hundred meters). For a 30-km span, single-mode is the correct choice.
- A technician must explain the core functional difference between a switch and a router. Which statement is correct?
- A switch forwards frames within a LAN using MAC addresses, while a router forwards packets between networks using IP addresses
- A switch creates a single broadcast domain per port, while a router extends one broadcast domain across networks
- Both a switch and a router operate only at Layer 1 and repeat signals
- A router forwards frames within a LAN using MAC addresses, while a switch connects different networks using IP addresses
Correct answer: A switch forwards frames within a LAN using MAC addresses, while a router forwards packets between networks using IP addresses
A switch operates at Layer 2 and forwards frames within a local network based on MAC addresses, while a router operates at Layer 3 and forwards packets between separate networks based on IP addresses. Routers also separate broadcast domains, whereas an unmanaged switch is a single broadcast domain. The reversed and Layer-1 descriptions are incorrect.
- An administrator wants the name ftp.example.com to be an alias that always resolves to whatever address www.example.com points to. Which DNS record type accomplishes this?
- MX record
- PTR record
- A record
- CNAME record
Correct answer: CNAME record
A CNAME (Canonical Name) record creates an alias that points one hostname to another hostname, so resolution follows the canonical target wherever it points. An A record maps a name directly to an IPv4 address, an MX record specifies mail servers for a domain, and a PTR record provides reverse lookups from IP to name. Because the CNAME defers to the target, updating the target updates all aliases.
- A DNS administrator sets a TTL value of 300 on a record before a planned IP change. What does this TTL value control?
- The maximum number of router hops the DNS query may traverse
- How long resolvers may cache the record before they must query again, in seconds
- The time the authoritative server waits before deleting the record
- The priority of the record relative to other records of the same type
Correct answer: How long resolvers may cache the record before they must query again, in seconds
In DNS, TTL (Time To Live) is the number of seconds that resolvers are allowed to cache a record before they must re-query the authoritative server. A low TTL such as 300 (five minutes) makes changes propagate quickly, which is why administrators lower it before migrations. The hop-count meaning of TTL applies to the IP packet header, not DNS records, and record priority is set by separate fields such as MX preference.
- Given a /24 network, a technician subnets it into multiple /26 subnets. How many /26 subnets are created and how many usable hosts does each contain?
- 8 subnets with 30 usable hosts each
- 4 subnets with 64 usable hosts each
- 4 subnets with 62 usable hosts each
- 2 subnets with 126 usable hosts each
Correct answer: 4 subnets with 62 usable hosts each
Moving from a /24 to a /26 borrows 2 host bits, creating 2 to the 2nd power (4) subnets. Each /26 has 6 host bits, giving 2 to the 6th power (64) addresses minus the network and broadcast addresses, for 62 usable hosts each. The choice listing 64 forgets to subtract the two reserved addresses.
- A student is asked to summarize the purpose of the OSI model. Which description best captures it?
- A proprietary protocol stack used only by a single vendor
- A physical cabling standard that defines connector pinouts for Ethernet
- A routing protocol that exchanges reachability information between autonomous systems
- A seven-layer conceptual framework that standardizes how network functions are organized so different systems can interoperate
Correct answer: A seven-layer conceptual framework that standardizes how network functions are organized so different systems can interoperate
The OSI (Open Systems Interconnection) model is a seven-layer conceptual framework that breaks networking into standardized functions so that products from different vendors can interoperate and so that problems can be isolated by layer. It is a reference model, not a cabling standard, routing protocol, or proprietary stack. Its layers run from Physical at the bottom to Application at the top.
- An email administrator must publish which servers accept inbound mail for a domain. Which DNS record type does this, and what extra value does it carry?
- An A record, which carries a TTL value to rank mail servers
- A TXT record, which carries the mail server hostname and weight
- A CNAME record, which carries a priority value for mail servers
- An MX record, which carries a preference value to rank mail servers
Correct answer: An MX record, which carries a preference value to rank mail servers
An MX (Mail Exchanger) record identifies the mail servers responsible for receiving email for a domain and includes a preference (priority) value, where a lower number is tried first. A records map names to IPv4 addresses, CNAMEs create aliases (and should not be used as MX targets), and TXT records hold arbitrary text such as SPF policies. The preference value enables mail failover across multiple servers.
- A technician must decide between half-duplex and full-duplex on a link. Which statement correctly contrasts them?
- Full duplex allows simultaneous send and receive, while half duplex allows only one direction at a time
- Both half and full duplex prohibit simultaneous transmission
- Full duplex requires CSMA/CD to manage collisions, while half duplex never has collisions
- Half duplex allows simultaneous send and receive, while full duplex allows only one direction at a time
Correct answer: Full duplex allows simultaneous send and receive, while half duplex allows only one direction at a time
Full duplex permits a device to transmit and receive at the same time, effectively eliminating collisions on the link, while half duplex permits transmission in only one direction at any given moment and historically relied on CSMA/CD to manage collisions. Modern switched Ethernet links typically run full duplex. The choice claiming full duplex needs CSMA/CD reverses the relationship.
- A host needs to send a packet to a destination on a different network. Which configured value tells the host where to forward traffic destined outside its own subnet?
- The subnet mask
- The DNS server address
- The default gateway
- The broadcast address
Correct answer: The default gateway
The default gateway is the IP address of the router interface on the local subnet that a host uses to reach destinations outside its own network. The subnet mask determines which destinations are local versus remote, the DNS server resolves names, and the broadcast address targets all hosts on the local segment. Without a default gateway, a host can communicate locally but cannot reach other networks.
- A DNS zone needs to map the hostname web01.example.com directly to the IPv4 address 198.51.100.20. Which record type is used?
- An A record
- A CNAME record
- An AAAA record
- An NS record
Correct answer: An A record
An A (Address) record maps a hostname directly to an IPv4 address such as 198.51.100.20. An AAAA record performs the same mapping for IPv6 addresses, a CNAME points to another name rather than an address, and an NS record delegates a zone to authoritative name servers. The A record is the most fundamental forward-lookup record in DNS.
- A large internet service provider must exchange routing information with other providers across the global internet between separate autonomous systems. Which routing protocol is designed for this?
- EIGRP (Enhanced Interior Gateway Routing Protocol)
- BGP (Border Gateway Protocol)
- OSPF (Open Shortest Path First)
- RIP (Routing Information Protocol)
Correct answer: BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol) is the path-vector exterior gateway protocol used to exchange routing and reachability information between autonomous systems, making it the routing protocol of the internet backbone. OSPF, RIP, and EIGRP are interior gateway protocols used within a single autonomous system. BGP makes decisions based on policies and AS-path attributes rather than simple metrics like hop count.
- An enterprise wants a link-state interior routing protocol that builds a complete topology map and calculates shortest paths using cost based on bandwidth. Which protocol fits?
- RIP (Routing Information Protocol)
- BGP (Border Gateway Protocol)
- OSPF (Open Shortest Path First)
- NAT (Network Address Translation)
Correct answer: OSPF (Open Shortest Path First)
OSPF (Open Shortest Path First) is a link-state interior gateway protocol that builds a full topology database and uses Dijkstra's shortest-path-first algorithm with a cost metric derived from interface bandwidth. BGP is an exterior path-vector protocol, RIP is a distance-vector protocol limited by hop count, and NAT is not a routing protocol. OSPF converges faster and scales better than RIP in large networks.
- A network architect compares OSPF and BGP. Which statement correctly distinguishes their roles?
- OSPF is an interior gateway protocol used within an autonomous system, while BGP is an exterior gateway protocol used between autonomous systems
- OSPF uses AS-path attributes and policies, while BGP uses link-state cost
- BGP is used within a single LAN, while OSPF connects the global internet
- Both are exterior gateway protocols and cannot be used inside an organization
Correct answer: OSPF is an interior gateway protocol used within an autonomous system, while BGP is an exterior gateway protocol used between autonomous systems
OSPF is an interior gateway protocol (IGP) that routes within a single autonomous system using link-state cost, while BGP is an exterior gateway protocol (EGP) that routes between autonomous systems using path attributes and policy. The reversed description and the claim that both are exterior protocols are incorrect. Organizations commonly run OSPF internally and use BGP only at their internet edge.
- A technician must identify whether the address 172.20.5.10 is routable on the public internet. How should it be classified?
- A public address that is globally routable
- A private RFC 1918 address that is not routable on the public internet
- A loopback address used for local testing only
- An APIPA address assigned when DHCP fails
Correct answer: A private RFC 1918 address that is not routable on the public internet
The address 172.20.5.10 falls within the 172.16.0.0 to 172.31.255.255 range, which is one of the RFC 1918 private address blocks (along with 10.0.0.0/8 and 192.168.0.0/16) and is not routable on the public internet. Such addresses require NAT to reach external networks. Loopback uses 127.0.0.0/8 and APIPA uses 169.254.0.0/16, so neither applies here.
- A host is configured with the IP 172.16.5.130 and a /25 mask. What are the network address and broadcast address for its subnet?
- Network 172.16.5.128 and broadcast 172.16.5.255
- Network 172.16.5.0 and broadcast 172.16.5.127
- Network 172.16.5.130 and broadcast 172.16.5.254
- Network 172.16.5.128 and broadcast 172.16.5.191
Correct answer: Network 172.16.5.128 and broadcast 172.16.5.255
A /25 mask (255.255.255.128) splits the last octet into two blocks of 128 addresses: 0-127 and 128-255. Because 130 falls in the second block, the network address is 172.16.5.128 and the broadcast is 172.16.5.255, with usable hosts 172.16.5.129 through 172.16.5.254. The 0-127 block would apply only to host addresses 1 through 126.
- An organization wants to extend its on-premises data center into a public cloud provider while keeping the cloud resources logically isolated and addressable with its own private IP range. Which cloud connectivity concept provides this isolated, customer-defined network space inside the provider?
- A network time protocol pool
- A virtual private cloud (VPC)
- A demilitarized zone switch
- A spanning tree instance
Correct answer: A virtual private cloud (VPC)
A virtual private cloud (VPC) is the correct concept. A VPC carves out a logically isolated section of a public cloud provider where the customer defines its own private IP address ranges, subnets, and routing, effectively giving the organization a private network inside the provider's infrastructure. This isolation lets cloud resources be addressed and secured as if they were part of the customer's own network. The other choices describe time synchronization, a perimeter network segment, and a loop-prevention protocol, none of which define an isolated cloud network space.
- A company needs a dedicated, private, high-bandwidth link between its on-premises network and its public cloud provider that does not traverse the public internet, to achieve consistent latency for sensitive workloads. Which cloud connectivity option best meets this requirement?
- A public DNS forwarder pointed at the provider
- A standard internet-based site-to-site VPN over a residential link
- A captive portal hosted in the cloud
- A direct connection (private dedicated circuit) to the cloud provider
Correct answer: A direct connection (private dedicated circuit) to the cloud provider
A direct connection, a private dedicated circuit to the cloud provider, is the right answer. This option bypasses the public internet entirely, delivering predictable bandwidth and consistent latency that internet-routed paths cannot guarantee, which is why it suits sensitive or high-throughput workloads. A VPN over a residential link still rides the public internet with variable performance, a DNS forwarder only resolves names, and a captive portal is an authentication page, so none provide a private dedicated path.
- A developer must choose a transport protocol for transferring a financial report file where every byte must arrive intact and in the correct order, even if that adds overhead. Which transport behavior makes one protocol the appropriate choice over the other for this transfer?
- The connection-oriented protocol provides ordered delivery, acknowledgements, and retransmission of lost segments
- The connectionless protocol retransmits any segment that is dropped in transit
- Both protocols enforce identical reliability, so the choice is irrelevant
- The connectionless protocol guarantees in-order delivery without acknowledgements
Correct answer: The connection-oriented protocol provides ordered delivery, acknowledgements, and retransmission of lost segments
The connection-oriented protocol's ordered delivery, acknowledgements, and retransmission of lost segments make it the correct choice. Reliable, in-order, acknowledged delivery is exactly what a file transfer requiring complete data integrity needs, so the connection-oriented transport is selected despite its higher overhead. The connectionless protocol does the opposite, sending data without acknowledgements, ordering guarantees, or retransmission, which is why claims that it guarantees order or retransmits dropped data are incorrect, and the two protocols are clearly not identical in reliability.
- A network engineer is comparing two wireless standards for a new deployment. One older standard operates only in the 2.4 GHz band, while the engineer wants a standard that can also use the 5 GHz band for higher throughput and less interference. Which characteristic correctly distinguishes the higher-throughput option?
- It is limited to the same three usable channels as the 2.4 GHz band
- It operates only at 6 GHz and cannot use 5 GHz at all
- It abandons radio frequencies entirely in favor of infrared
- It operates in the 5 GHz band, offering more non-overlapping channels and higher data rates than 2.4 GHz-only standards
Correct answer: It operates in the 5 GHz band, offering more non-overlapping channels and higher data rates than 2.4 GHz-only standards
Operating in the 5 GHz band with more non-overlapping channels and higher data rates is the distinguishing characteristic. The 5 GHz band offers many more non-overlapping channels than the crowded 2.4 GHz band, which provides higher throughput and reduced interference for modern deployments. The remaining options are wrong because the standard is not restricted solely to 6 GHz, Wi-Fi uses radio frequencies rather than infrared, and the abundance of channels at 5 GHz is precisely what sets it apart from the roughly three usable non-overlapping channels available in 2.4 GHz.
- A network architect is placing security and traffic appliances in a new design. The architect wants a device that sits in front of the organization's internal web servers, accepts client requests from the internet, and forwards them to back-end servers while hiding the servers' real identities. Which appliance and placement is described?
- A load balancer placed only between two client workstations
- A forward proxy placed in front of the internal clients
- An intrusion prevention sensor placed on an isolated management VLAN
- A reverse proxy placed in front of the internal servers
Correct answer: A reverse proxy placed in front of the internal servers
A reverse proxy placed in front of the internal servers matches the description. A reverse proxy receives inbound client requests from the internet on behalf of back-end servers, forwarding them inward while concealing the servers' real addresses and identities. A forward proxy sits in front of internal clients to broker their outbound requests, which is the opposite direction, while a load balancer placed between two workstations and an isolated IPS sensor do not perform the server-fronting role described.
- A network team must decide where to place a load balancer versus a proxy and at what layer each typically operates. Which statement correctly distinguishes the two appliances?
- A proxy distributes traffic across physical links, while a load balancer resolves domain names
- A load balancer only encrypts wireless frames, while a proxy assigns IP addresses to clients
- Both appliances exclusively forward broadcast frames within a single collision domain
- A load balancer commonly distributes incoming connections across multiple back-end servers at the transport layer, while a proxy mediates requests at the application layer
Correct answer: A load balancer commonly distributes incoming connections across multiple back-end servers at the transport layer, while a proxy mediates requests at the application layer
The correct distinction is that a load balancer commonly distributes incoming connections across multiple back-end servers at the transport layer, while a proxy mediates requests at the application layer. Load balancers spread client connections across a server pool using methods such as round-robin or least-connections to improve availability and scale, whereas proxies intercept and mediate requests at the application layer for caching, filtering, or anonymity. The other statements misassign roles such as wireless encryption, address assignment, broadcast forwarding, and name resolution, which belong to entirely different devices.
- A user opens the list of available wireless networks on a laptop and sees names such as "GuestWiFi" and "CorpNet". What is the term for this human-readable wireless network name that an access point advertises?
- The media access control (MAC) address
- The basic service set identifier (BSSID)
- The service set identifier (SSID)
- The dynamic host configuration scope
Correct answer: The service set identifier (SSID)
The service set identifier (SSID) is the human-readable name, up to 32 characters, that identifies a wireless network and is what users see when choosing a network to join. The BSSID is the MAC address of the access point radio that uniquely identifies the cell, not the friendly name. A MAC address identifies a hardware interface, and a DHCP scope is a pool of IP addresses, neither of which is the advertised network name.
- A network administrator wants all 40 computers in the accounting department to share one broadcast domain regardless of which floor or switch they physically connect to. Which technology accomplishes this segmentation on the existing switches?
- A network address translation (NAT) pool
- A demilitarized zone (DMZ)
- A virtual local area network (VLAN)
- A separate spanning tree instance
Correct answer: A virtual local area network (VLAN)
A virtual local area network (VLAN) logically groups ports and devices into one broadcast domain independent of physical location, so the accounting computers can span multiple switches and floors yet remain in the same Layer 2 segment. A DMZ is a security zone for public-facing servers and NAT translates addresses; neither creates a logical broadcast-domain grouping. Spanning tree prevents loops but does not define membership groups.
- A junior technician asks how a VLAN differs from a subnet. Which statement best describes the relationship between the two?
- A subnet operates at Layer 2 and a VLAN operates at Layer 3
- A VLAN and a subnet are identical concepts at different vendors
- A VLAN is a Layer 2 broadcast-domain boundary while a subnet is a Layer 3 IP-address grouping, and they are typically mapped one-to-one
- A VLAN can only exist if NAT is enabled on the subnet
Correct answer: A VLAN is a Layer 2 broadcast-domain boundary while a subnet is a Layer 3 IP-address grouping, and they are typically mapped one-to-one
A VLAN is a Layer 2 construct that defines a broadcast domain, while a subnet is a Layer 3 construct that defines a range of IP addresses; in most designs each VLAN is mapped to exactly one subnet for clean routing. They are not the same thing operating at the same layer, and a VLAN does not depend on NAT. Confusing their layers is the common error this comparison clarifies.
- A switch port connects to a single desktop that should carry traffic for only one VLAN, untagged. How should this port be configured?
- As a trunk port
- As an access port
- As a routed port
- As a mirror (SPAN) port
Correct answer: As an access port
An access port carries untagged traffic for a single VLAN and is the correct setting for an end device such as a desktop, phone, or printer. A trunk port carries tagged traffic for multiple VLANs and is used between switches or to a router. A routed port operates at Layer 3, and a mirror port copies traffic for analysis, so neither fits a single-VLAN end host.
- Two switches must carry traffic for VLANs 10, 20, and 30 across a single physical cable between them. Which interface configuration is required on both ends of that cable?
- A port configured for PoE pass-through
- A loopback interface
- A trunk port that tags frames for multiple VLANs
- An access port assigned to VLAN 10
Correct answer: A trunk port that tags frames for multiple VLANs
A trunk port carries traffic for multiple VLANs across one link by tagging each frame with its VLAN identifier, which is exactly what is needed to pass VLANs 10, 20, and 30 between switches. An access port belongs to only one VLAN and would not carry the others. PoE supplies power and a loopback is a logical test interface, so neither moves multi-VLAN traffic.
- Which IEEE standard defines the frame-tagging method that inserts a 4-byte VLAN tag containing a 12-bit VLAN identifier into an Ethernet frame?
- 802.1Q
- 802.3af
- 802.11ac
- 802.1X
Correct answer: 802.1Q
802.1Q is the IEEE standard that defines VLAN tagging by inserting a 4-byte tag, including a 12-bit VLAN ID, into the Ethernet header so trunks can distinguish VLANs. 802.1X is port-based network access control for authentication, 802.3af is the original Power over Ethernet standard, and 802.11ac is a Wi-Fi standard, none of which define VLAN tagging.
- On an 802.1Q trunk, frames belonging to one specific VLAN are sent untagged while all other VLANs are tagged. Which trunk feature explains this behavior?
- The voice VLAN
- The native VLAN
- The management VLAN
- The default gateway VLAN
Correct answer: The native VLAN
The native VLAN on an 802.1Q trunk carries its traffic untagged, while every other VLAN on the trunk is tagged; mismatched native VLANs between two switches are a common misconfiguration. A voice VLAN segregates IP-phone traffic, a management VLAN is used for switch administration, and there is no "default gateway VLAN," so none of those describe untagged trunk behavior.
- A campus network has several redundant links between switches to survive cable failures. Which protocol blocks the resulting redundant paths to prevent Layer 2 loops while keeping a backup ready?
- Hot Standby Router Protocol (HSRP)
- Open Shortest Path First (OSPF)
- Link Aggregation Control Protocol (LACP)
- Spanning Tree Protocol (STP)
Correct answer: Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) prevents Layer 2 switching loops by placing redundant ports into a blocking state, leaving one active path while keeping the others available if the primary fails. OSPF is a Layer 3 routing protocol, HSRP provides gateway redundancy at Layer 3, and LACP bundles links rather than blocking loops, so none of those perform STP's loop-prevention role.
- An administrator bundles four physical 1 Gbps switch ports into one logical 4 Gbps interface to increase bandwidth and provide redundancy between two switches. What is this technique called?
- Spanning tree convergence
- Link aggregation
- Port mirroring
- VLAN trunking
Correct answer: Link aggregation
Link aggregation combines multiple physical interfaces into a single logical link to add bandwidth and provide failover if one member link drops. Port mirroring copies traffic for monitoring, VLAN trunking carries multiple VLANs over one link, and spanning tree convergence is the recalculation of a loop-free topology, none of which bundle links for throughput.
- Which protocol is used to dynamically negotiate and maintain a link aggregation group between two switches so member links are added or removed automatically?
- Address Resolution Protocol (ARP)
- Link Aggregation Control Protocol (LACP)
- Spanning Tree Protocol (STP)
- Cisco Discovery Protocol (CDP)
Correct answer: Link Aggregation Control Protocol (LACP)
Link Aggregation Control Protocol (LACP), standardized as IEEE 802.3ad, dynamically negotiates and maintains a link aggregation group so member links join or leave the bundle automatically based on the exchange of LACP frames. ARP resolves IP to MAC addresses, STP prevents loops, and CDP is a discovery protocol, none of which manage aggregation membership.
- A facilities team must install a ceiling-mounted wireless access point where running a separate electrical outlet is impractical. Which technology lets the single network cable supply both data and electrical power to the AP?
- Multiprotocol Label Switching (MPLS)
- Power over Ethernet (PoE)
- Universal Serial Bus (USB)
- Direct current (DC) injection over fiber
Correct answer: Power over Ethernet (PoE)
Power over Ethernet (PoE) delivers both data and electrical power over a single twisted-pair Ethernet cable, eliminating the need for a nearby outlet at devices like access points, IP phones, and cameras. MPLS is a WAN forwarding technique, USB is a short local bus, and fiber cannot carry electrical power, so none of those power a ceiling AP over the network cable.
- A switch must power an outdoor pan-tilt-zoom camera with a heater that draws roughly 60 watts at the switch port. Which Power over Ethernet standard is required to supply this level of power?
- 802.3af (PoE, Type 1)
- 802.3at (PoE+, Type 2)
- 802.3bt (PoE++, Type 3 or Type 4)
- 802.3az (Energy-Efficient Ethernet)
Correct answer: 802.3bt (PoE++, Type 3 or Type 4)
802.3bt (PoE++) provides up to about 60 watts at the source for Type 3 and up to roughly 90 watts for Type 4, which is needed for a heated PTZ camera. 802.3af supplies only about 15.4 watts and 802.3at about 30 watts, both too little. 802.3az is an energy-saving standard, not a PoE power class.
- A router receives a packet for a destination address that matches no specific entry in its routing table, but a default route is configured. What does the router do with the packet?
- It forwards the packet using the default route (gateway of last resort)
- It floods the packet out every interface
- It stores the packet until a matching route is learned
- It drops the packet and sends no notification
Correct answer: It forwards the packet using the default route (gateway of last resort)
When no specific route matches, the router uses the default route, often written as 0.0.0.0/0 and called the gateway of last resort, to forward the packet toward an upstream device. Routers do not flood unicast packets out all interfaces or buffer them indefinitely; if no default route existed, the packet would be dropped, which is why the default route is configured.
- An administrator views a router's routing table to determine how the device will forward traffic. What information does each routing-table entry primarily provide?
- A destination network and the next hop or exit interface used to reach it
- The MAC address table of every connected switch
- The DHCP lease times for connected clients
- The list of open TCP ports on the router
Correct answer: A destination network and the next hop or exit interface used to reach it
A routing table lists destination networks along with the next-hop address or outgoing interface the router uses to reach each one, plus metrics and the source of the route. It does not contain switch MAC tables, open-port lists, or DHCP lease data, which are maintained by other functions and devices.
- A branch office has one internet connection, and the administrator wants the simplest configuration that does not consume CPU or bandwidth exchanging routing updates. Which approach best fits?
- Border Gateway Protocol (BGP)
- A single static default route
- Open Shortest Path First (OSPF)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
Correct answer: A single static default route
A static default route is the simplest choice for a stub site with one exit, because it is manually configured and exchanges no routing updates, conserving CPU and bandwidth. OSPF, BGP, and EIGRP are dynamic routing protocols that add overhead and complexity that a single-link branch does not need.
- A network engineer is deciding between static and dynamic routing for a growing multi-site network with several redundant paths. Which statement correctly contrasts the two?
- Static routing automatically reroutes around failures, while dynamic routing requires manual updates
- Dynamic routing uses no router CPU or bandwidth, while static routing consumes both
- Dynamic routing automatically adapts to topology changes and failed links, while static routing must be reconfigured manually
- Static routing scales better than dynamic routing in large meshed networks
Correct answer: Dynamic routing automatically adapts to topology changes and failed links, while static routing must be reconfigured manually
Dynamic routing protocols learn and recalculate routes automatically, so they adapt to topology changes and reroute around failed links, whereas static routes are fixed until an administrator edits them. Static routing uses no protocol overhead but does not self-heal and becomes unmanageable at scale, which is the opposite of the incorrect claims.
- A routing table shows two routes to the same network: one learned via OSPF and one learned via a different protocol with a lower administrative distance. Which route does the router install in the forwarding table?
- The route with the longer subnet mask regardless of distance
- The route learned most recently
- The route with the lower administrative distance
- The route with the higher administrative distance
Correct answer: The route with the lower administrative distance
Administrative distance ranks the trustworthiness of route sources, and the router installs the route with the lower administrative distance when the same network is learned from multiple protocols. Subnet-mask length (longest prefix match) decides between routes to different-sized networks, not between identical destinations from different protocols, and recency is not the tiebreaker.
- A wireless designer must choose a band for a high-density office with many devices and frequent interference from neighboring networks. Which statement accurately compares 2.4 GHz and 5 GHz?
- 5 GHz penetrates walls better and travels farther than 2.4 GHz
- 2.4 GHz offers more non-overlapping channels and higher throughput than 5 GHz
- 5 GHz offers more non-overlapping channels and higher throughput but shorter range, while 2.4 GHz has longer range but fewer channels and more interference
- 2.4 GHz and 5 GHz provide the same number of non-overlapping channels
Correct answer: 5 GHz offers more non-overlapping channels and higher throughput but shorter range, while 2.4 GHz has longer range but fewer channels and more interference
5 GHz provides many more non-overlapping channels and higher data rates but covers less distance and penetrates obstacles less well, while 2.4 GHz reaches farther yet has only three non-overlapping channels and far more interference. The claims that 2.4 GHz has more channels or that 5 GHz penetrates walls better reverse the real trade-offs.
- In the 2.4 GHz band using standard 20 MHz channels in North America, which set of channels does not overlap and is recommended to avoid co-channel interference?
- 1, 4, 7, and 10
- 1, 5, and 9
- 2, 7, and 12
- 1, 6, and 11
Correct answer: 1, 6, and 11
Channels 1, 6, and 11 are the only three 20 MHz channels in the 2.4 GHz band that do not overlap, so using them prevents adjacent-channel interference among nearby access points. The other sets place channels too close together, causing the spectra to overlap and degrade performance.
- An organization compares Wi-Fi 5 and Wi-Fi 6 for a dense office full of simultaneous clients. Which improvement is unique to Wi-Fi 6 and helps most in that crowded environment?
- Mandatory removal of MU-MIMO support
- Orthogonal frequency-division multiple access (OFDMA) for efficient simultaneous multi-client service
- Use of the original 802.11b modulation only
- Operation exclusively in the 5 GHz band
Correct answer: Orthogonal frequency-division multiple access (OFDMA) for efficient simultaneous multi-client service
Wi-Fi 6 (802.11ax) introduces OFDMA, which divides channels into resource units so the access point can serve many clients in the same transmission, greatly improving efficiency in high-density settings. Wi-Fi 6 also works in 2.4 GHz, expands rather than removes MU-MIMO, and does not revert to 802.11b modulation, so those statements are incorrect.
- Which list correctly pairs each Wi-Fi generation marketing name with its underlying IEEE 802.11 amendment?
- Wi-Fi 4 = 802.11ac, Wi-Fi 5 = 802.11n, Wi-Fi 6 = 802.11g
- Wi-Fi 4 = 802.11ax, Wi-Fi 5 = 802.11ac, Wi-Fi 6 = 802.11n
- Wi-Fi 4 = 802.11g, Wi-Fi 5 = 802.11ax, Wi-Fi 6 = 802.11ac
- Wi-Fi 4 = 802.11n, Wi-Fi 5 = 802.11ac, Wi-Fi 6 = 802.11ax
Correct answer: Wi-Fi 4 = 802.11n, Wi-Fi 5 = 802.11ac, Wi-Fi 6 = 802.11ax
The Wi-Fi Alliance generation names map as Wi-Fi 4 to 802.11n, Wi-Fi 5 to 802.11ac, and Wi-Fi 6 to 802.11ax, with Wi-Fi 6E extending 802.11ax into 6 GHz. The other pairings scramble these amendments and do not reflect the official naming.
- A technician configures an access point to combine two adjacent 20 MHz channels into a single 40 MHz channel to increase throughput. What is this technique called?
- Band steering
- Channel bonding
- Carrier sense multiple access
- Roaming aggregation
Correct answer: Channel bonding
Channel bonding joins adjacent channels, for example two 20 MHz channels into one 40 MHz channel, to widen the channel and raise data rates, though it leaves fewer non-overlapping channels available. Band steering pushes clients to a preferred band, CSMA is a media-access method, and there is no feature called roaming aggregation, so none of those describe combining channels.
- A network 192.168.40.0/24 is subnetted into /27 networks. A host is assigned the address 192.168.40.100. What is the network (subnet) address for that host?
- 192.168.40.128
- 192.168.40.64
- 192.168.40.100
- 192.168.40.96
Correct answer: 192.168.40.96
With a /27 mask the block size is 32 (256 minus 224), so the subnet boundaries fall at .0, .32, .64, .96, .128, and so on. The address .100 lies between .96 and .127, making the subnet address 192.168.40.96, with .127 as the broadcast and .97 through .126 as usable hosts.
- An administrator must create at least 30 subnets from the block 172.16.8.0/24, with each subnet supporting at least 4 usable hosts. Which subnet mask meets both requirements with the least waste?
- /30 (255.255.255.252)
- /28 (255.255.255.240)
- /27 (255.255.255.224)
- /29 (255.255.255.248)
Correct answer: /29 (255.255.255.248)
A /29 mask borrows 5 host bits, yielding 32 subnets (2 to the 5th) and 6 usable hosts each (2 to the 3rd minus 2), which satisfies both the 30-subnet and 4-host minimums. A /28 produces only 16 subnets (too few), a /30 gives just 2 usable hosts, and a /27 produces only 8 subnets, so /29 is the correct fit.
- A point-to-point link between two routers needs the smallest classful-style subnet that still provides two usable host addresses. Which prefix length should be used?
Correct answer: /30
A /30 mask provides exactly 4 addresses, 2 of which are usable hosts (with one network and one broadcast address), making it the standard choice for a two-router point-to-point link. A /29 wastes addresses with 6 hosts, a /32 is a single host, and although /31 is valid for point-to-point under RFC 3021, the conventional answer that still includes usable host addressing is /30.
- An engineer must divide 10.0.0.0/24 into four equally sized subnets for four departments. Which mask creates exactly four subnets, and how many usable hosts does each provide?
- /27 (255.255.255.224), 30 usable hosts each
- /28 (255.255.255.240), 14 usable hosts each
- /26 (255.255.255.192), 62 usable hosts each
- /25 (255.255.255.128), 126 usable hosts each
Correct answer: /26 (255.255.255.192), 62 usable hosts each
Borrowing 2 bits creates a /26 mask, which yields 4 subnets (2 to the 2nd) of 64 addresses each, or 62 usable hosts (64 minus 2) per subnet: 10.0.0.0, 10.0.0.64, 10.0.0.128, and 10.0.0.192. A /25 makes only 2 subnets, while /27 and /28 create 8 and 16 subnets respectively, so they do not split the block into exactly four.
- A device is configured with the address 10.10.10.20 and subnet mask 255.255.255.240. What is the broadcast address for this host's subnet?
- 10.10.10.32
- 10.10.10.16
- 10.10.10.15
- 10.10.10.31
Correct answer: 10.10.10.31
The mask 255.255.255.240 is a /28 with a block size of 16, so the subnets begin at .0, .16, .32, and so on. The address .20 falls in the .16 subnet (network 10.10.10.16), making the broadcast address 10.10.10.31 and the usable range .17 through .30.
- An installer must run a copper cable for a new 10GBASE-T link that needs to reach the full 100-meter channel distance. Which cabling category is the minimum recommended choice?
- Category 5e
- Category 6A
- Category 6 (limited to 55 meters for 10GBASE-T)
- Category 3
Correct answer: Category 6A
Category 6A is the minimum copper category that supports 10GBASE-T across the full 100-meter channel. Category 6 can carry 10 Gbps but only up to about 55 meters under good conditions, Category 5e tops out at 1 Gbps, and Category 3 is legacy voice-grade cabling, so 6A is the correct choice for the full distance.
- A technician must terminate a fiber run into a transceiver using a small connector that holds two fibers in one rectangular housing to conserve panel space. Which fiber connector fits this description?
- LC (Lucent/Local Connector)
- ST (Straight Tip)
- RJ45
- SC (Subscriber Connector)
Correct answer: LC (Lucent/Local Connector)
The LC connector is a small form-factor fiber connector commonly used in duplex pairs within one compact housing, making it ideal for high-density panels and SFP transceivers. ST uses a bayonet twist-lock and SC is a larger push-pull connector, both bulkier, while RJ45 is a copper connector, so the LC best matches a compact dual-fiber termination.
- A wireless controller manages several access points that all broadcast the same SSID so clients roam seamlessly between them. What is this collection of coordinated APs sharing one SSID called?
- A basic service set (BSS)
- An extended service set (ESS)
- An independent basic service set (IBSS)
- A distribution system frame check
Correct answer: An extended service set (ESS)
An extended service set (ESS) is two or more access points sharing the same SSID and connected through a distribution system, allowing clients to roam between cells without losing the connection. A single AP cell is a basic service set (BSS), an IBSS is an ad-hoc network with no AP, so neither describes multiple coordinated APs under one SSID.
- A managed-services contract states the provider must keep a customer's internet circuit available 99.9 percent of the time each month and respond to outages within one hour. Which document defines these measurable commitments between the provider and the customer?
- Service-level agreement
- Change management plan
- Memorandum of understanding
- Acceptable use policy
Correct answer: Service-level agreement
A service-level agreement (SLA) defines the measurable commitments a provider makes to a customer, such as uptime percentages, response times, and remediation targets, along with penalties for missing them. A memorandum of understanding records general intent without enforceable metrics, and an acceptable use policy governs how users may use resources rather than provider performance.
- An SLA promises 99.9 percent monthly availability for a service. Roughly how much total downtime per 30-day month does that allowance permit?
- About 43 minutes
- About 22 minutes
- About 4 hours
- About 7 hours
Correct answer: About 43 minutes
About 43 minutes is correct: a 30-day month is 43,200 minutes, and 0.1 percent of that is 43.2 minutes of allowable downtime. The 22-minute figure would correspond to a stricter 99.95 percent tier, while 4 to 7 hours reflects the looser 99 percent (two nines) range.
- A network team wants automated alerts when a router's CPU utilization crosses a threshold, plus the ability to poll interface counters from a central management station. Which protocol is designed for this device monitoring and management?
Correct answer: SNMP
SNMP (Simple Network Management Protocol) is the standard for monitoring and managing network devices: a manager polls agents for data held in the device MIB, and agents can send unsolicited trap or inform messages when thresholds are crossed. SMTP carries email, SFTP transfers files securely, and SIP sets up VoIP sessions.
- A security review flags that the organization is still using SNMPv2c across its switches. Which improvement does SNMPv3 add that SNMPv2c lacks?
- Authentication and encryption of management traffic
- The ability to send trap messages
- Support for polling interface counters
- Use of a community string for access
Correct answer: Authentication and encryption of management traffic
SNMPv3 adds authentication and encryption (confidentiality and integrity) to management traffic, which SNMPv2c lacks. SNMPv2c relies on plaintext community strings sent in the clear, so it offers no real security. Polling counters and sending traps existed in earlier versions, and community strings are the weakness v3 replaces, not an upgrade.
- After correlating logs across several devices, an engineer finds the timestamps are minutes apart, making it impossible to reconstruct the order of events. Which protocol should be deployed to keep all device clocks synchronized?
Correct answer: NTP
NTP (Network Time Protocol) synchronizes the clocks of network devices to a common, accurate time source, which is essential so that log timestamps line up across systems for troubleshooting and forensics. DNS resolves names, DHCP assigns addresses, and LDAP provides directory services, none of which set device time.
- In an NTP hierarchy, a server that takes its time directly from a GPS or atomic reference clock is described by which stratum value?
- Stratum 0
- Stratum 2
- Stratum 16
- Stratum 1
Correct answer: Stratum 1
A stratum 1 server is one synchronized directly to a reference clock and is the most authoritative NTP server on a network. Stratum 0 refers to the reference clock device itself (the GPS or atomic source), not an NTP server, and stratum 16 indicates an unsynchronized clock.
- A VoIP rollout suffers from choppy calls during busy periods even though raw bandwidth is available, because voice packets queue behind large file transfers. Which capability prioritizes the time-sensitive voice traffic to fix this?
- Link aggregation
- Quality of service
- Spanning Tree Protocol
- Network address translation
Correct answer: Quality of service
Quality of service (QoS) classifies and prioritizes traffic so latency-sensitive flows such as voice and video are forwarded ahead of bulk data during congestion, reducing jitter and delay. NAT translates addresses, STP prevents switching loops, and link aggregation bundles physical links for bandwidth or redundancy, none of which prioritize specific traffic types.
- A network administrator marks voice packets with a DSCP value so downstream routers give them priority handling. At which layer of the protocol stack does Differentiated Services Code Point marking occur?
- In the application payload at Layer 7
- In the TCP header at Layer 4
- In the Ethernet frame header at Layer 2
- In the IP header at Layer 3
Correct answer: In the IP header at Layer 3
DSCP marking lives in the Differentiated Services field of the IP header at Layer 3, so the priority marking is preserved as packets are routed across networks. The 802.1p priority field is the Layer 2 equivalent inside the Ethernet frame, but DSCP itself is a Layer 3 marking carried in the IP header.
- An organization wants every router, switch, and firewall to forward its event messages to one central collector for storage and analysis. Which protocol is purpose-built to send these event messages to a central logging server?
Correct answer: Syslog
Syslog is the standard protocol for sending event and log messages from network devices to a centralized logging server, where they can be stored, searched, and correlated. NetFlow exports traffic-flow statistics rather than event logs, SNMP focuses on device monitoring and traps, and TFTP is a simple file-transfer protocol.
- While tuning a syslog collector, an engineer wants to capture only messages indicating actual failures and worse, filtering out routine informational entries. Which syslog severity level represents a normal informational message, the lowest-priority category to filter out?
- Informational
- Error
- Warning
- Emergency
Correct answer: Informational
Informational is the correct answer: syslog defines severity levels 0 through 7, where lower numbers are more severe (0 Emergency, 3 Error, 4 Warning), and level 6 Informational represents routine, non-failure messages. Filtering to show only errors and above means excluding informational and debug entries.
- A company's disaster-recovery plan specifies that operations must be fully restored within four hours of a major outage. Which metric does that four-hour target represent?
- Mean time between failures
- Recovery point objective
- Recovery time objective
- Mean time to repair
Correct answer: Recovery time objective
The recovery time objective (RTO) is the maximum acceptable time to restore service after an outage, so a four-hour restoration target is an RTO. The recovery point objective (RPO) instead measures the maximum tolerable amount of data loss expressed as a point in time, while MTBF and MTTR describe hardware reliability and repair averages.
- A backup strategy states the business can tolerate losing at most 15 minutes of data if a database fails. Which disaster-recovery metric does the 15-minute window define?
- Mean time to repair
- Recovery point objective
- Mean time between failures
- Recovery time objective
Correct answer: Recovery point objective
The recovery point objective (RPO) defines the maximum acceptable amount of data loss measured backward in time from an incident, so a 15-minute tolerance is an RPO and would require backups or replication at least that frequently. RTO measures restoration time, not data loss, and the mean-time metrics describe reliability rather than data tolerance.
- An organization budgets for an inexpensive recovery facility that provides space, power, and cooling but no installed servers or current data, requiring equipment and backups to be brought in after a disaster. Which type of recovery site is this?
- Warm site
- Cloud site
- Hot site
- Cold site
Correct answer: Cold site
A cold site provides the physical facility, power, and cooling but no preconfigured equipment or live data, making it the cheapest option with the longest recovery time. A hot site is a fully operational, continuously updated replica ready almost immediately, and a warm site sits between the two with some hardware in place but data that must still be restored.
- Two firewalls are deployed so that both forward production traffic simultaneously and share the load, with either able to carry the full load if its partner fails. Which high-availability configuration is described?
- Active-active
- Cold standby
- Round-robin DNS
- Active-passive
Correct answer: Active-active
An active-active configuration has both devices online and handling traffic at the same time, sharing the load and providing immediate continuity if one fails. Active-passive keeps the secondary idle until the primary fails, cold standby requires powering on and configuring a spare, and round-robin DNS distributes name lookups rather than providing device-level failover.
- A network designer deploys two routers sharing a single virtual IP so that hosts always have a working default gateway even if one router fails. Which category of protocol provides this gateway redundancy?
- First hop redundancy protocol
- Spanning tree protocol
- Border gateway protocol
- Link aggregation control protocol
Correct answer: First hop redundancy protocol
A first hop redundancy protocol (FHRP), such as VRRP, provides default-gateway redundancy by letting multiple routers share a virtual IP and MAC so hosts keep reaching the gateway after a failure. Spanning tree prevents Layer 2 loops, LACP bundles links, and BGP is an exterior routing protocol, none of which provide gateway failover.
- Which open-standard first hop redundancy protocol allows routers from different vendors to back up a shared virtual gateway address?
Correct answer: VRRP
VRRP (Virtual Router Redundancy Protocol) is the open, vendor-neutral standard for gateway redundancy, making it appropriate in mixed-vendor environments. HSRP and GLBP are Cisco-proprietary alternatives, and STP is a loop-prevention protocol unrelated to gateway redundancy.
- A team is building documentation that shows the IP addressing scheme, VLANs, and Layer 3 routing relationships between subnets, ignoring exact cable runs and rack positions. Which type of diagram best fits this purpose?
- Rack diagram
- Logical network diagram
- Wiring schematic
- Physical network diagram
Correct answer: Logical network diagram
A logical network diagram depicts how the network functions, showing IP subnets, VLANs, and routing relationships rather than the exact physical placement of cables and hardware. A physical diagram and rack diagram document where equipment and cabling physically reside, and a wiring schematic details individual cable terminations.
- After expanding wireless coverage, a network admin produces a color-coded map overlaid on the floor plan showing signal strength in every area. What is this deliverable called?
- Rack diagram
- Wireless heat map
- Cable map
- Asset inventory
Correct answer: Wireless heat map
A wireless heat map (the output of a site survey) overlays measured signal strength onto a floor plan, revealing coverage, dead zones, and overlap so access points can be placed correctly. A rack diagram shows equipment in a rack, a cable map traces physical connections, and an asset inventory lists owned hardware and software.
- An auditor asks for a single source of truth tracking which IP addresses and subnets are assigned, reserved, or free across the enterprise. Which system or practice provides this?
Correct answer: IPAM
IPAM (IP address management) is the practice and tooling for centrally planning, tracking, and managing IP address space, subnets, and related DNS and DHCP records. DHCP snooping is a switch security feature, SNMP is for device monitoring, and NAT translates addresses rather than inventorying them.
- Before deploying a new VoIP system, an administrator records several days of current traffic levels, latency, and utilization to define what normal looks like. What is this reference measurement called?
- A baseline
- A change request
- An SLA
- A heat map
Correct answer: A baseline
A baseline is a documented snapshot of normal performance metrics, such as utilization, latency, and traffic volume, used later to detect deviations and gauge the impact of changes. A heat map shows wireless coverage, a change request authorizes modifications, and an SLA defines service commitments rather than measured normals.
- A monitoring platform exports records summarizing source and destination addresses, ports, and byte counts for conversations traversing a router, so analysts can see which applications consume the most bandwidth. Which technology provides this traffic-flow data?
- Port mirroring
- Syslog
- Flow data such as NetFlow
- SNMP traps
Correct answer: Flow data such as NetFlow
Flow data such as NetFlow exports per-conversation summaries (source, destination, ports, protocol, and byte and packet counts), giving visibility into top talkers and application bandwidth use. Syslog carries event messages, SNMP traps signal threshold events, and port mirroring copies full packets to an analyzer rather than summarizing flows.
- An engineer must copy every packet on a busy switch port to a separate analyzer port for deep packet inspection during troubleshooting. Which switch feature accomplishes this?
- Spanning tree
- Port mirroring (SPAN)
- Port security
- Power over Ethernet
Correct answer: Port mirroring (SPAN)
Port mirroring, also called SPAN, copies traffic from one or more source ports to a designated destination port where a protocol analyzer can capture and inspect it. Port security limits which MAC addresses may use a port, spanning tree prevents loops, and Power over Ethernet supplies power, none of which duplicate traffic for capture.
- A change request to upgrade core switch firmware includes a documented set of steps to revert to the prior version if the upgrade causes problems. What is this part of the change plan called?
- A baseline configuration
- A risk acceptance
- An SLA
- A rollback plan
Correct answer: A rollback plan
A rollback plan (or back-out plan) documents how to return a system to its previous working state if a change fails, and it is a standard required element of formal change management. A baseline configuration is a known-good reference config, an SLA defines service commitments, and risk acceptance is a decision to tolerate a risk rather than a recovery procedure.
- A vendor announces that a switch model will no longer receive security patches or technical assistance after a certain date, although it can still function. Which life-cycle term describes that date?
- End-of-support
- Decommissioning
- End-of-life
- Mean time between failures
Correct answer: End-of-support
End-of-support (EOS) is the date after which a vendor stops providing patches and technical assistance for a product, making continued use a security risk even if the device still runs. End-of-life in N10-009 terminology marks when a manufacturer stops developing or enhancing a product (but may still provide some support), and decommissioning is the act of formally retiring and removing equipment from service.
- A network device's reliability data lists an average operational time of 80,000 hours before a repairable hardware failure occurs. Which metric does this figure represent?
- Recovery time objective
- Mean time between failures
- Recovery point objective
- Mean time to repair
Correct answer: Mean time between failures
Mean time between failures (MTBF) is the average operating time expected between repairable failures of a device, used to predict reliability and plan redundancy. Mean time to repair (MTTR) instead averages how long a repair takes, while RTO and RPO are disaster-recovery planning targets rather than hardware reliability figures.
- An organization keeps a known-good reference configuration for each switch model, sometimes called a golden configuration, so that any device can be quickly restored or audited against the standard. Which discipline does this practice belong to?
- Incident response
- Quality of service
- Network address translation
- Configuration management
Correct answer: Configuration management
Maintaining a baseline or golden reference configuration and comparing devices against it is a core part of configuration management, which controls and standardizes device settings. Incident response handles security events, QoS prioritizes traffic, and NAT translates addresses, none of which govern standardized device configurations.
- A backup design replicates data to a recovery facility continuously and keeps duplicate, ready-to-run equipment powered on, enabling near-immediate failover after a disaster. Which site type and trade-off does this describe?
- A mobile site, temporary trailer-based recovery
- A hot site, highest cost and fastest recovery
- A warm site, moderate cost with data that must be restored
- A cold site, lowest cost and slowest recovery
Correct answer: A hot site, highest cost and fastest recovery
A hot site keeps equipment running and data continuously replicated so failover is nearly immediate, which makes it the fastest to recover and the most expensive to maintain. A cold site is cheapest but slowest because it has no equipment or data ready, and a warm site falls in between with some hardware but data that still needs restoring.
- A monitoring server is configured so devices send unsolicited alerts the moment an interface goes down, rather than waiting for the next scheduled poll. Which SNMP mechanism delivers these immediate, device-initiated notifications?
- A GET request
- A trap
- A walk
- A community string
Correct answer: A trap
A trap is an unsolicited, agent-initiated SNMP message that notifies the manager of an event such as an interface failure as soon as it happens, instead of waiting for polling. A GET request and a walk are manager-initiated polling operations, and a community string is the credential used in SNMPv1 and v2c, not a notification type.
- A network administrator wants to block all inbound traffic from a specific subnet while permitting everything else, and applies an ordered list of permit and deny rules to a router interface. What security control is being described?
- A demilitarized zone (DMZ)
- A host-based intrusion detection system
- A network address translation (NAT) pool
- An access control list (ACL)
Correct answer: An access control list (ACL)
An access control list (ACL) is the control being described. An ACL is an ordered set of permit and deny rules, evaluated top to bottom, that filters traffic based on attributes such as source and destination IP address, port, and protocol; the first matching rule is applied, and most implementations end with an implicit deny. A DMZ is a network segment, not a rule list, so it does not perform the rule-by-rule filtering described here.
- An organization places its public-facing web and email servers on a separate network segment positioned between the internet-facing firewall and the internal LAN, so that external users can reach those servers without being granted any path into the internal network. What is this segment called?
- A default gateway
- A demilitarized zone (DMZ), also called a screened subnet
- A broadcast domain
- A virtual LAN trunk
Correct answer: A demilitarized zone (DMZ), also called a screened subnet
This segment is a demilitarized zone (DMZ), also called a screened subnet. A DMZ isolates internet-accessible servers in a perimeter network so that compromise of a public server does not give an attacker direct access to internal resources; firewall rules permit external traffic to reach the DMZ but block traffic from the DMZ into the trusted internal LAN. A VLAN trunk merely carries multiple VLANs over one link and does not by itself define this perimeter-isolation role.
- A security analyst notices that the perimeter firewall permits inbound TCP packets with the ACK flag set even when no internal host initiated the session, allowing attackers to probe internal hosts. The analyst wants a firewall that tracks each connection in a state table and only allows return traffic that matches an existing session. Which firewall type meets this requirement?
- A stateless firewall
- A stateful firewall
- A content filter
- A proxy ARP gateway
Correct answer: A stateful firewall
A stateful firewall meets the requirement. A stateful firewall maintains a state table tracking active connections (source and destination IP, ports, and protocol) and permits inbound return traffic only when it matches an established, internally initiated session, so unsolicited ACK packets are dropped. A stateless firewall evaluates each packet independently against static rules and has no memory of prior packets, which is exactly why crafted ACK packets can slip past it.
- A hospital encrypts patient records so that only clinicians with the proper key can read them, and unauthorized staff who access the database see only ciphertext. Which element of the CIA triad does this control most directly support?
- Availability
- Integrity
- Accountability
- Confidentiality
Correct answer: Confidentiality
This control supports confidentiality. Confidentiality ensures that information is disclosed only to authorized parties, and encryption enforces it by rendering data unreadable to anyone lacking the decryption key. Integrity is concerned with proving data has not been altered, which encryption alone does not guarantee, so it is not the primary goal here.
- A backup system computes a hash of each archived file and re-checks it on restore so administrators can prove the file was not modified while in storage. Which element of the CIA triad does this hashing practice primarily protect?
- Confidentiality
- Availability
- Integrity
- Non-repudiation
Correct answer: Integrity
This practice primarily protects integrity. Integrity assures that data has not been altered or corrupted, and a hash that matches on restore demonstrates the bytes are unchanged. Confidentiality is about keeping data secret rather than detecting modification, so it is not what hashing verifies here.
- A company deploys redundant power supplies, clustered servers, and a failover internet link specifically so that critical applications stay reachable during a component failure. Which element of the CIA triad are these measures designed to uphold?
- Integrity
- Availability
- Confidentiality
- Authentication
Correct answer: Availability
These measures uphold availability. Availability ensures authorized users can reach systems and data when needed, and redundancy plus failover directly counter outages that would deny access. Confidentiality and integrity address secrecy and accuracy of data rather than keeping the service reachable, so they are not the focus of redundant hardware.
- After a security review, an organization configures every employee account to grant only the specific permissions required for that person's job and nothing more. Which security principle is being applied?
- Defense in depth
- Implicit trust
- Separation of broadcast domains
- Least privilege
Correct answer: Least privilege
This is least privilege, which dictates that each user, service, or process receives only the minimum access necessary to perform its function. Limiting permissions shrinks the damage an attacker can do with a compromised account. Defense in depth refers to layering multiple controls rather than scoping individual account permissions, so it does not describe this specific practice.
- A network designer protects a data center with a perimeter firewall, internal segmentation, host antivirus, intrusion detection, and access controls, so that bypassing any single safeguard still leaves an attacker facing others. Which design strategy does this layering represent?
- MAC address filtering
- Defense in depth
- A single screened subnet
- Zero trust authentication
Correct answer: Defense in depth
This layering represents defense in depth, the strategy of stacking multiple independent controls so that the failure of one does not expose the whole environment. The value comes from redundancy across diverse safeguards. A screened subnet is just one perimeter control, not the multi-layer philosophy described.
- A network running WPA3-Personal replaces the older pre-shared-key handshake with a method that performs a mutual authentication and key exchange resistant to offline dictionary attacks, even when users choose weak passwords. What is the name of this handshake?
- Temporal Key Integrity Protocol (TKIP)
- Simultaneous Authentication of Equals (SAE)
- Extensible Authentication Protocol over LAN (EAPOL only)
- Wired Equivalent Privacy (WEP)
Correct answer: Simultaneous Authentication of Equals (SAE)
This handshake is Simultaneous Authentication of Equals (SAE), the dragonfly-based key exchange WPA3-Personal uses in place of the WPA2 four-way pre-shared-key handshake. Because SAE never transmits material an attacker can capture and crack offline, it defeats the offline dictionary attacks that threatened WPA2-PSK. TKIP is a deprecated WPA encryption protocol, not an authentication handshake, so it does not apply.
- Compared with WPA2-Personal, what specific advantage does WPA3-Personal's SAE handshake provide if an attacker captures the wireless association exchange?
- SAE disables encryption to speed up the handshake, so no key material exists
- The captured exchange reveals the passphrase in plaintext, but only briefly
- SAE replaces the passphrase with the device MAC address, eliminating passwords
- The captured exchange cannot be used to crack the passphrase offline, because SAE does not expose crackable key material
Correct answer: The captured exchange cannot be used to crack the passphrase offline, because SAE does not expose crackable key material
The advantage is that a captured SAE exchange cannot be used to crack the passphrase offline, because SAE does not transmit hashed or derivable key material the way the WPA2 four-way handshake does. This forward-secrecy property means each session's keys stay protected even if the passphrase is later learned. The claim that SAE disables encryption is false; SAE strengthens, not removes, protection.
- An attacker on an access port crafts an Ethernet frame with two stacked 802.1Q tags. The first switch strips the outer tag matching its native VLAN and forwards the frame, which now carries the inner tag, onto a trunk so it lands in a VLAN the attacker should not reach. Which attack is this, and what is the primary mitigation?
- An evil twin attack, mitigated by hiding the SSID
- A MAC flooding attack, mitigated by disabling ARP
- A double-tagging VLAN hopping attack, mitigated by not using the native VLAN for user traffic and explicitly tagging the native VLAN on trunks
- A rogue DHCP attack, mitigated by static routing
Correct answer: A double-tagging VLAN hopping attack, mitigated by not using the native VLAN for user traffic and explicitly tagging the native VLAN on trunks
This is a double-tagging VLAN hopping attack. It abuses the fact that a switch removes only the outer tag matching its native VLAN, leaving the inner tag to carry the frame into another VLAN across a trunk. The standard mitigation is to keep user ports off the native VLAN and force native-VLAN tagging on trunks so the outer tag is never silently stripped. Disabling ARP does not address tag manipulation, so the MAC flooding answer is wrong.
- A penetration tester connects a laptop to an unused wall jack and sends DTP negotiation frames, causing the switch port to form a trunk so the tester's device receives traffic for many VLANs. Which form of VLAN hopping is this, and what hardening step prevents it?
- Double tagging, prevented by enabling jumbo frames
- Switch spoofing, prevented by disabling DTP and statically configuring access ports as non-negotiating
- DNS poisoning, prevented by DNSSEC
- ARP poisoning, prevented by port mirroring
Correct answer: Switch spoofing, prevented by disabling DTP and statically configuring access ports as non-negotiating
This is switch spoofing, where an attacker impersonates a switch by negotiating a trunk via Dynamic Trunking Protocol so the port carries multiple VLANs. The fix is to disable DTP and hard-set user-facing ports to access mode so they never negotiate trunking. ARP poisoning and DNS poisoning are unrelated attack classes, so their mitigations do not apply.
- On a shared LAN segment, an attacker continuously sends forged ARP replies that map the default gateway's IP address to the attacker's own MAC address, so victims' traffic flows through the attacker before reaching the gateway. What is this attack called and what role does the attacker now hold?
- DNS poisoning, placing the attacker on a rogue resolver
- ARP poisoning, placing the attacker in an on-path (man-in-the-middle) position
- MAC flooding, placing the attacker in promiscuous broadcast mode
- A deauthentication attack, placing the attacker on a rogue AP
Correct answer: ARP poisoning, placing the attacker in an on-path (man-in-the-middle) position
This is ARP poisoning, which corrupts hosts' ARP caches so the gateway's IP resolves to the attacker's MAC address. Because victim traffic is steered through the attacker en route to its real destination, the attacker gains an on-path (man-in-the-middle) position to intercept or alter it. MAC flooding overwhelms a switch's address table rather than redirecting one host's gateway mapping, so it does not match.
- Users on one subnet are being redirected to a fraudulent banking site even though they typed the correct domain name. Investigation shows forged responses inserted into the resolver's cache so the legitimate hostname resolves to an attacker-controlled IP address. Which attack is occurring?
- 802.1Q double tagging
- DNS cache poisoning
- A MAC flooding attack on the access switch
- A rogue DHCP server handing out bad gateways
Correct answer: DNS cache poisoning
This is DNS cache poisoning, in which forged records are injected into a DNS resolver's cache so a valid hostname resolves to a malicious address. Users typing the correct name are silently sent to the attacker's server. A rogue DHCP server would hand out incorrect IP configuration rather than corrupt name-to-address resolution, so it is a different attack.
- Shortly after a guest plugs an unauthorized device into a conference-room jack, clients across the VLAN begin receiving IP leases pointing to a wrong default gateway and an attacker-controlled DNS server. Which threat best explains this, and which switch feature is designed to stop it?
- A rogue DHCP server, stopped by DHCP snooping that permits server replies only on trusted ports
- A deauthentication flood, stopped by 802.11w
- An on-path TLS downgrade, stopped by HSTS
- A VLAN double-tagging attack, stopped by jumbo frames
Correct answer: A rogue DHCP server, stopped by DHCP snooping that permits server replies only on trusted ports
This is a rogue DHCP server: an unauthorized device answering DHCP requests with bad gateway and DNS settings to misdirect clients. DHCP snooping mitigates it by classifying ports as trusted or untrusted and dropping DHCP server replies that arrive on untrusted ports. 802.11w protects management frames against deauthentication, which is a separate wireless problem.
- A switch port configured with port security is set so that if an unauthorized MAC address appears, the port immediately shuts down into an error-disabled state and logs the event. Which port-security violation mode is in use?
- Sticky learning
- Protect mode
- Restrict mode
- Shutdown mode
Correct answer: Shutdown mode
This is shutdown mode, the most aggressive port-security violation response, which disables the port (placing it in an err-disabled state) and generates a log entry when a violation occurs. Protect mode silently drops the offending traffic without disabling the port or logging, so it does not match the described behavior of shutting the port down.
- A network uses 802.1X to control who may connect to switch ports. In this framework, what are the three roles, and which device functions as the authenticator?
- The firewall, the proxy, and the load balancer; the proxy is the authenticator
- The supplicant (client), the authenticator (the switch or access point), and the authentication server (often RADIUS); the switch is the authenticator
- The DNS server, the DHCP server, and the client; the DHCP server is the authenticator
- The supplicant (the RADIUS server), the authenticator (the client), and the gateway; the client is the authenticator
Correct answer: The supplicant (client), the authenticator (the switch or access point), and the authentication server (often RADIUS); the switch is the authenticator
In 802.1X the three roles are the supplicant (the connecting client), the authenticator (the switch port or wireless access point that gates access), and the authentication server (commonly RADIUS) that validates credentials. The switch or access point is the authenticator because it controls the port and relays credentials between supplicant and server. The option naming the RADIUS server as the supplicant reverses the roles and is incorrect.
- An enterprise issues each VPN gateway and web server a digital certificate signed by an internal certificate authority, and plans how those certificates are generated, distributed, renewed before expiration, and revoked when compromised. What is this overall practice called?
- Port security configuration
- DHCP scope assignment
- Key and certificate management (PKI lifecycle management)
- Native VLAN tagging
Correct answer: Key and certificate management (PKI lifecycle management)
This is key and certificate management, the PKI lifecycle of issuing, distributing, renewing, and revoking keys and certificates through a certificate authority. Managing expiration and revocation is essential so that trusted credentials remain valid and compromised ones are quickly invalidated. Port security restricts MAC addresses on a switch port and has nothing to do with certificate lifecycles.
- A technician opens a trouble ticket and begins by interviewing the affected user, asking what changed recently and reproducing the reported symptom. Which step of the CompTIA Network+ troubleshooting methodology is the technician performing?
- Establish a theory of probable cause
- Verify full system functionality
- Identify the problem
- Implement the solution or escalate
Correct answer: Identify the problem
This is the Identify the problem step. The first phase of the CompTIA methodology focuses on gathering information, questioning users, identifying symptoms, determining whether anything has changed, and duplicating the problem if possible. Establishing a theory of probable cause comes only after the problem and its symptoms are fully understood.
- After confirming a theory that a misconfigured DHCP scope is causing address conflicts, a technician resolves the issue, then re-tests printing, file shares, and internet access for the affected users. Which methodology step does this re-testing represent?
- Establish a plan of action to resolve the problem
- Verify full system functionality and, if applicable, implement preventive measures
- Document findings, actions, and outcomes
- Test the theory to determine the cause
Correct answer: Verify full system functionality and, if applicable, implement preventive measures
This is Verify full system functionality and, if applicable, implement preventive measures. After implementing a fix, the methodology requires confirming the entire affected system works as expected before closing the ticket. Documenting findings is the final step and occurs after verification, not in place of it.
- A technician suspects a single switch is the source of a problem and decides to start checking at the OSI Physical layer, working upward toward the Application layer. Which troubleshooting approach best describes this?
- Escalation to a higher tier
- Bottom-to-top OSI approach
- Divide and conquer
- Top-to-bottom OSI approach
Correct answer: Bottom-to-top OSI approach
This is the bottom-to-top OSI approach, which begins at Layer 1 (Physical) and moves upward. The top-to-bottom approach is the reverse, starting at the Application layer. Divide and conquer starts in the middle of the stack and moves in whichever direction the evidence suggests.
- During the troubleshooting process, a technician's first theory about the cause is disproven by testing. According to the CompTIA methodology, what are the two acceptable next actions?
- Reboot all affected devices and re-test
- Establish a new theory or escalate to the next tier
- Verify full system functionality
- Immediately document findings and close the ticket
Correct answer: Establish a new theory or escalate to the next tier
The correct action is to establish a new theory or escalate. The methodology states that if testing does not confirm the theory, the technician must reestablish a new theory of probable cause or escalate the issue. Closing the ticket or verifying functionality is premature when the root cause has not yet been confirmed.
- A user reports choppy audio and brief gaps during VoIP calls, even though file downloads complete at full speed. The variation in delay between consecutive voice packets arriving at the phone is the likely cause. What is this variation called?
- Packet loss
- Attenuation
- Crosstalk
- Jitter
Correct answer: Jitter
Jitter is the variation in the delay between when packets are sent and when they arrive. High jitter makes packets arrive in irregular clumps, producing the clicks, gaps, and stuttering heard in real-time voice and video. Attenuation is signal weakening over distance and would not specifically cause timing irregularities in otherwise-delivered packets.
- A network monitoring tool reports that 4 percent of packets sent across a WAN link never reach their destination, with no corresponding corruption errors. What networking issue is described, and what is its most common cause?
- Packet loss, commonly caused by network congestion filling buffers or an outage along the path
- Latency, commonly caused by routing changes
- Jitter, commonly caused by variable queuing delays
- Attenuation, commonly caused by excessive cable length
Correct answer: Packet loss, commonly caused by network congestion filling buffers or an outage along the path
This describes packet loss, which occurs when packets are dropped for reasons other than data corruption. The most common causes are network congestion that fills router or switch buffers and outages somewhere along the transmission path. Jitter concerns delay variation rather than packets being dropped entirely.
- A technician runs a cable a distance well beyond the 100-meter limit for a Category 6 copper Ethernet link, and devices at the far end experience errors and reduced throughput. The gradual weakening of the electrical signal as it travels the length of the cable is responsible. What is this phenomenon called?
- Crosstalk
- Jitter
- Echo
- Attenuation
Correct answer: Attenuation
Attenuation is the degradation or weakening of a signal as it traverses a cable. Copper attenuates more quickly than fiber-optic cabling, which is why copper Ethernet runs are limited to about 100 meters. Crosstalk involves signal bleed between adjacent wires rather than the loss of strength over distance.
- While certifying a UTP cable run, a technician measures unwanted signal bleeding from one wire pair into an adjacent pair within the same cable. What is this interference called?
- Jitter
- Latency
- Crosstalk
- Attenuation
Correct answer: Crosstalk
Crosstalk is the coupling of a signal from one wire or pair into an adjacent one within the same cable. Twisting the pairs together (as in twisted-pair cabling) reduces crosstalk. Attenuation describes signal loss along a run, not interference between neighboring conductors.
- A wireless client's utility reports an RSSI of -45 dBm. What does this value indicate about the received signal, and roughly how good is it?
- A very weak signal, because more negative dBm values indicate stronger reception
- An unusable signal that requires immediate channel reassignment
- A very strong, excellent signal, because RSSI is measured on a negative dBm scale where values closer to zero are stronger
- A measurement of throughput in megabits per second, not signal strength
Correct answer: A very strong, excellent signal, because RSSI is measured on a negative dBm scale where values closer to zero are stronger
An RSSI of -45 dBm is a very strong, excellent signal. RSSI (Received Signal Strength Indicator) is expressed in dBm on a negative scale, so values closer to zero (such as -45) are stronger than more negative values (such as -80). It measures received signal power, not data throughput.
- A help-desk technician needs to test basic reachability to a remote server and measure round-trip time, but does not need to see the path taken. Which command-line utility is the most appropriate first choice?
- Ping
- Traceroute
- Nslookup
- Netstat
Correct answer: Ping
ping is the appropriate tool because it sends ICMP echo requests to a target and reports whether replies are received along with round-trip time. traceroute also uses reachability testing but is designed to reveal each hop along the path, which is more than this task requires. nslookup resolves DNS names rather than testing connectivity.
- What is the key functional difference between ping and traceroute?
- Ping resolves hostnames to IP addresses while traceroute resolves IP addresses to MAC addresses
- Ping tests end-to-end reachability and round-trip time to one destination, while traceroute reveals each router hop along the path to that destination
- Ping operates at Layer 2 while traceroute operates at Layer 7
- Ping shows every hop along a path, while traceroute only confirms the final destination is reachable
Correct answer: Ping tests end-to-end reachability and round-trip time to one destination, while traceroute reveals each router hop along the path to that destination
ping tests end-to-end reachability and round-trip time to a single destination, while traceroute maps the sequence of router hops between source and destination. traceroute does this by sending packets with incrementing Time To Live (TTL) values so each successive router along the path returns an ICMP time-exceeded message. The reverse description, where ping shows hops, is incorrect.
- A technician wants to identify where along a path traffic to a remote host is being delayed or dropped, listing each intermediate router. How does traceroute accomplish this?
- It queries the local DNS server for the route table to the destination
- It establishes a TCP session with every router and reads each one's configuration
- It sends packets with incrementing TTL values so each router along the path decrements the TTL to zero and returns an ICMP time-exceeded message
- It floods the network with ARP requests and records every device that replies
Correct answer: It sends packets with incrementing TTL values so each router along the path decrements the TTL to zero and returns an ICMP time-exceeded message
traceroute works by sending packets with a Time To Live (TTL) that starts at 1 and increments by one for each round. Each router that receives a packet decrements the TTL; when the TTL reaches zero, that router discards the packet and returns an ICMP time-exceeded message, revealing its address and the round-trip time to that hop. This is why traceroute can list each intermediate router in order.
- A Windows technician needs to view a workstation's current IPv4 address, subnet mask, and default gateway during troubleshooting. Which command should be used?
- Netstat
- Ipconfig
- Arp
- Ifconfig
Correct answer: Ipconfig
ipconfig is the Windows command that displays a host's IP configuration, including IPv4 address, subnet mask, and default gateway. ifconfig serves a similar role on older Unix and Linux systems. netstat lists active connections and listening ports rather than interface addressing.
- A technician resolved a DNS misconfiguration but discovers the workstation still resolves the old, incorrect IP address from its local cache. Which command most directly addresses this on a Windows host?
- Netstat -an
- Arp -a
- Nslookup -debug
- Ipconfig /flushdns
Correct answer: Ipconfig /flushdns
ipconfig /flushdns clears the local DNS resolver cache so the host performs a fresh lookup rather than returning stale cached records. arp -a displays the ARP cache of IP-to-MAC mappings, which is unrelated to DNS resolution. The stale cache, not the server, is the remaining problem here.
- A technician needs to confirm which IP address a hostname resolves to and verify that the DNS server is answering queries correctly. Which tool is purpose-built for this?
- Tcpdump
- Ipconfig
- Nslookup or dig
- Arp
Correct answer: Nslookup or dig
nslookup (and the Unix/Linux equivalent dig) are designed to query DNS servers and return the records associated with a hostname, making them the right tools to verify name resolution. tcpdump captures raw packets and arp shows IP-to-MAC mappings; neither directly queries a DNS server for a record.
- After a workstation cannot reach a host on its own subnet, a technician suspects a stale or incorrect IP-to-MAC mapping. Which command displays the local table of IP-to-MAC address mappings?
- Route print
- Arp -a
- Traceroute
- Nslookup
Correct answer: Arp -a
arp -a displays the ARP cache, the table of IP-to-MAC address mappings the host has learned on its local network segment. A stale or incorrect entry can prevent local communication even when addressing and cabling are correct. nslookup queries DNS names and does not show MAC mappings.
- A technician needs to see all active TCP connections and listening ports on a server suspected of running an unauthorized service. Which utility provides this information?
Correct answer: Netstat
netstat displays active network connections, listening ports, and protocol statistics, making it the right tool to spot unexpected listeners or sessions on a host. ping and traceroute test reachability and path, and arp shows local IP-to-MAC mappings; none of these enumerate listening ports.
- A security analyst needs to capture and inspect the actual packet contents crossing a Linux server's interface to diagnose a protocol-level problem. Which command-line tool is most appropriate?
- Ipconfig
- Tcpdump
- Nslookup
- Arp
Correct answer: Tcpdump
tcpdump is a command-line packet capture and analysis tool that records traffic on an interface for inspection, which is exactly what protocol-level troubleshooting requires. ipconfig only shows interface configuration, and nslookup only queries DNS, so neither can reveal packet payloads.
- A technician needs to map which switch port a server is connected to and what device sits on the other end of a link, using information advertised by the directly connected switch. Which protocols provide this neighbor-discovery information?
- LLDP or CDP
- SMTP or FTP
- SNMP or syslog
- NTP or DHCP
Correct answer: LLDP or CDP
LLDP (Link Layer Discovery Protocol) and the Cisco-proprietary CDP (Cisco Discovery Protocol) let directly connected devices advertise their identity, capabilities, and port information, which helps map physical topology during troubleshooting. SNMP and syslog support monitoring and logging but do not perform link-level neighbor discovery.
- Wireless users in one corner of an office report intermittent disconnects. A technician wants to view channel utilization, overlapping access points, and signal strength on each band. Which tool is the best fit?
- Cable tester
- Toner probe
- Wi-Fi analyzer
- Loopback plug
Correct answer: Wi-Fi analyzer
A Wi-Fi analyzer surveys the wireless environment, showing channel usage, co-channel and adjacent-channel interference, and per-AP signal strength, which is ideal for diagnosing wireless coverage and interference problems. A cable tester evaluates physical copper or fiber runs and cannot assess RF conditions.
- After terminating several new Ethernet drops, a technician needs to confirm each pair is connected to the correct pin and that there are no opens, shorts, or miswires. Which tool verifies this?
- Spectrum analyzer
- Wi-Fi analyzer
- Cable tester
- Protocol analyzer
Correct answer: Cable tester
A cable tester checks the physical integrity and wiring of a copper run, detecting opens, shorts, reversed or split pairs, and mismatched pinouts. A Wi-Fi analyzer addresses wireless RF issues and cannot validate the pin-to-pin continuity of a wired cable.
- Two newly created twisted-pair patch cables fail an end-to-end test: the technician finds that pairs are landed in different pin orders on each end, even though continuity exists on all eight conductors. What is the most likely fault?
- Excessive attenuation from a run longer than 100 meters
- Severe electromagnetic interference from nearby power lines
- A duplex mismatch between the connected interfaces
- A wiring standard mismatch, with one end terminated to T568A and the other to T568B
Correct answer: A wiring standard mismatch, with one end terminated to T568A and the other to T568B
The fault is a wiring standard mismatch, where one connector follows T568A pinout and the other follows T568B. Because all conductors have continuity but in a swapped pair order, the cable behaves as an unintended crossover rather than a straight-through. Attenuation and EMI degrade signals but would not cause a consistent pin-order difference between ends.
- Users on a gigabit link complain of slow transfers and high error counts. The interface shows a large number of late collisions and CRC errors. What configuration problem most commonly produces this symptom?
- A DNS server outage affecting name resolution
- An incorrect default gateway on both hosts
- An RSSI value that is too close to zero
- A duplex mismatch, where one side is set to full duplex and the other to half duplex
Correct answer: A duplex mismatch, where one side is set to full duplex and the other to half duplex
A duplex mismatch is the most common cause, occurring when one end of a link operates at full duplex while the other operates at half duplex. The half-duplex side detects collisions for traffic the full-duplex side sends continuously, producing late collisions, CRC errors, and degraded throughput. A wrong gateway or DNS outage would block or misroute traffic rather than generate collision and CRC errors on an established link.
- A fiber-optic run between two buildings shows very low light levels at the receiving transceiver and an unstable link. The cables and connectors are intact. Which physical-layer issue is the most likely cause specific to fiber?
- Crosstalk between the transmit and receive strands
- A duplex mismatch on the optical interface
- Electromagnetic interference from adjacent power conduits
- A fiber type or mode mismatch, such as connecting single-mode and multimode fiber or mismatched connector polish
Correct answer: A fiber type or mode mismatch, such as connecting single-mode and multimode fiber or mismatched connector polish
The most likely cause is a fiber mismatch, such as joining single-mode and multimode fiber or using mismatched transceivers, which produces severe optical loss and unstable links. Fiber is immune to electromagnetic interference and crosstalk because it carries light rather than electrical signals, so those copper-specific problems do not apply here.
- A technician troubleshooting interference on copper cabling near an industrial motor recalls that this type of interference affects copper but not fiber. What is this interference called, and why is fiber immune?
- Crosstalk; fiber is immune because it uses a single strand
- Attenuation; fiber is immune because it has no length limit
- Electromagnetic interference (EMI); fiber carries light rather than electrical current, so external electromagnetic fields do not couple into it
- Jitter; fiber is immune because it has no buffers
Correct answer: Electromagnetic interference (EMI); fiber carries light rather than electrical current, so external electromagnetic fields do not couple into it
This is electromagnetic interference (EMI), sometimes called radio frequency interference, which is caused by the electromagnetic field of a nearby source affecting an electrical circuit. Fiber-optic cabling is immune because it transmits data as light through glass or plastic rather than as electrical current, so no electromagnetic coupling occurs. Attenuation and jitter are unrelated to EMI immunity.
- A user reports that web pages load but feel sluggish, and a ping to the server shows consistently high round-trip times of around 350 ms with no dropped replies. Which performance issue is most directly indicated?
- An incorrect subnet mask
- High latency
- Packet loss
- A duplex mismatch
Correct answer: High latency
High latency is indicated because the round-trip time is consistently large while no replies are lost. Latency is the delay a packet experiences traversing the network; high values make interactive traffic feel sluggish even when delivery is reliable. Packet loss would show missing replies, and a subnet mask error would typically break reachability rather than merely slow it.
- A new VoIP deployment suffers from both dropped audio and inconsistent call quality. A technician confirms the link is congested during peak hours, with full buffers on the WAN router. Which two performance symptoms is this congestion most likely to produce together?
- Packet loss and increased jitter as buffers fill and drain unevenly
- Reduced RSSI and channel overlap on the wireless network
- Attenuation and crosstalk on the copper runs
- A wiring standard mismatch and a duplex mismatch
Correct answer: Packet loss and increased jitter as buffers fill and drain unevenly
Congestion that fills router buffers produces packet loss when buffers overflow and increased jitter as queuing delay varies while buffers fill and drain, both of which degrade real-time VoIP. Attenuation, crosstalk, RSSI, and wiring or duplex faults are physical-layer or wireless issues unrelated to WAN buffer congestion.
- A web client establishes an unencrypted connection to a web server to retrieve a standard HTML page. Which well-known TCP port does plaintext HTTP traffic use by default?
- Port 443
- Port 80
- Port 25
- Port 53
Correct answer: Port 80
Correct answer: Port 80. Explanation: Plaintext HTTP uses well-known TCP port 80 by default. Port 443 is reserved for HTTPS (HTTP over TLS), port 25 is used by SMTP for email relay, and port 53 is used by DNS for name resolution.
- A network administrator configures separate broadcast domains on a single physical switch so that the accounting and engineering departments cannot see each other's broadcast traffic, without adding more hardware. Which technology accomplishes this logical segmentation?
- A VLAN
- A collision domain
- A spanning tree
- A subnet mask alone
Correct answer: A VLAN
Correct answer: A VLAN. Explanation: A VLAN (virtual LAN) logically segments a single physical switch into multiple separate broadcast domains, isolating departments without additional hardware. A collision domain relates to Layer 1/2 contention, spanning tree prevents switching loops, and a subnet mask alone defines Layer 3 boundaries but does not by itself create separate broadcast domains on a switch.
- An organization adopts a network architecture that decouples the control plane from the data plane, allowing a centralized controller to program forwarding behavior across many devices programmatically. Which concept describes this approach?
- Software-defined networking (SDN)
- Spanning Tree Protocol
- Network Address Translation
- Power over Ethernet
Correct answer: Software-defined networking (SDN)
Correct answer: Software-defined networking (SDN). Explanation: SDN decouples the control plane from the data plane and uses a centralized controller to program forwarding decisions across the network programmatically. Spanning Tree Protocol prevents Layer 2 loops, NAT translates addresses at the network edge, and Power over Ethernet delivers electrical power over data cabling.
- A student maps the four layers of the TCP/IP model. Which layer of the TCP/IP model contains both TCP and UDP?
- The Application layer
- The Internet layer
- The Transport layer
- The Link layer
Correct answer: The Transport layer
Correct answer: The Transport layer. Explanation: In the TCP/IP model, both TCP and UDP reside at the Transport layer, which handles end-to-end delivery and port-based multiplexing. The Application layer holds protocols like HTTP and DNS, the Internet layer carries IP, and the Link layer covers physical and data-link functions such as Ethernet.
- An IPv6 host generates its own global unicast address by combining a router-advertised prefix with an interface identifier, without using a DHCP server. Which IPv6 mechanism is being used?
- Stateless Address Autoconfiguration (SLAAC)
- Reverse ARP
- APIPA
- Static addressing
Correct answer: Stateless Address Autoconfiguration (SLAAC)
Correct answer: Stateless Address Autoconfiguration (SLAAC). Explanation: SLAAC lets an IPv6 host self-configure a global unicast address by combining a prefix learned from router advertisements with an interface identifier, requiring no DHCP server. Reverse ARP is a legacy IPv4 method, APIPA assigns link-local IPv4 169.254.x.x addresses, and static addressing is configured manually.
- A content delivery provider advertises the same IP address from multiple geographic locations so that client requests are routed to the nearest available server. Which IP addressing/traffic delivery method describes sending to the nearest member of a group sharing one address?
- Broadcast
- Multicast
- Anycast
- Unicast
Correct answer: Anycast
Correct answer: Anycast. Explanation: Anycast assigns one address to multiple nodes, and routing delivers traffic to the nearest (lowest-cost) member, which is exactly how CDNs distribute requests. Broadcast sends to all hosts on a segment, multicast sends to a subscribed group, and unicast sends to a single specific host.
- A technician must allow a secure, encrypted remote desktop session to a Windows server. Which port does the Remote Desktop Protocol (RDP) use by default?
- Port 3389
- Port 23
- Port 161
- Port 389
Correct answer: Port 3389
Correct answer: Port 3389. Explanation: The Remote Desktop Protocol (RDP) uses TCP port 3389 by default for remote graphical sessions to Windows systems. Port 23 is used by the insecure Telnet protocol, port 161 is used by SNMP for device management, and port 389 is used by LDAP for directory queries.
- A network designer connects every workstation to a single central switch so that each device has its own dedicated cable run to that switch. Which physical network topology is described?
- Bus topology
- Ring topology
- Star topology
- Full mesh topology
Correct answer: Star topology
Correct answer: Star topology. Explanation: A star topology connects each device by its own cable to a central device such as a switch, which is the dominant layout in modern Ethernet LANs. A bus shares one backbone cable, a ring passes traffic device to device in a loop, and a full mesh directly interconnects every node with every other node.
- A team uses version-controlled configuration files and automation tools to provision and manage network device configurations consistently and repeatably, rather than configuring each device by hand. Which practice does this describe?
- Infrastructure as code (IaC)
- Port mirroring
- Time-division multiplexing
- Spanning tree
Correct answer: Infrastructure as code (IaC)
Correct answer: Infrastructure as code (IaC). Explanation: Infrastructure as code uses version-controlled, machine-readable definition files and automation to provision and manage configurations consistently and repeatably. Port mirroring copies traffic for monitoring, time-division multiplexing shares a channel across time slots, and spanning tree is a loop-prevention protocol.
- A technician compares how many collision domains and broadcast domains exist on an Ethernet switch that has no VLANs configured. For such a switch, which statement is correct?
- Each switch port is its own collision domain, but all ports share one broadcast domain
- All ports share one collision domain and one broadcast domain
- Each port is its own broadcast domain, but all ports share one collision domain
- Each port is both its own collision domain and its own broadcast domain
Correct answer: Each switch port is its own collision domain, but all ports share one broadcast domain
Correct answer: Each switch port is its own collision domain, but all ports share one broadcast domain. Explanation: A switch separates collision domains per port (microsegmentation), yet without VLANs all ports remain in a single broadcast domain. A hub, by contrast, would place all ports in one shared collision domain, and creating separate broadcast domains per group requires VLANs or routing.
- DHCP clients sit on VLAN 30, while the DHCP server is on a different subnet reachable through a router. Broadcast DHCP DISCOVER messages cannot cross the router. What should the administrator configure on the router's VLAN 30 interface so clients can obtain addresses from the remote server?
- A DHCP relay agent (IP helper) pointing to the server's unicast address
- A static default route to the DHCP server
- An access control list permitting broadcast traffic
- A second DHCP scope on the router's loopback interface
Correct answer: A DHCP relay agent (IP helper) pointing to the server's unicast address
Configuring a DHCP relay agent (IP helper) is correct. Because routers do not forward broadcasts, the relay agent intercepts the client's broadcast DISCOVER on VLAN 30 and forwards it as a unicast to the remote DHCP server's address, then returns the offer to the client. A static route only handles routing of already-routable packets, an ACL does not convert broadcast to unicast across subnets, and a loopback scope does not relay client broadcasts.
- A monitoring system queries each network device at fixed 60-second intervals to retrieve interface counters and CPU statistics. Which SNMP operation describes this regularly scheduled request-and-response data collection?
- Polling
- Trapping
- Flooding
- Mirroring
Correct answer: Polling
Correct answer: Polling. Polling is the SNMP method where the network management station periodically sends Get requests to each managed device to retrieve values such as interface counters and CPU statistics. Trapping is the opposite model, in which the device sends unsolicited messages to the manager when an event occurs, so it is not a scheduled query. Flooding describes forwarding frames out all ports and is unrelated to SNMP. Mirroring copies traffic to an analyzer port and is not a data-collection query method.
- An engineer needs to look up the specific numeric identifier that represents the 'interface inbound errors' counter inside a device's SNMP management information base. Which term describes that numeric identifier?
- OID (object identifier)
- TTL
- MAC address
- ASN (autonomous system number)
Correct answer: OID (object identifier)
Correct answer: OID (object identifier). An OID is the dotted-decimal numeric path that uniquely identifies each managed object, such as an interface error counter, within the SNMP MIB hierarchy. A TTL is a time-to-live value used in DNS records or IP packet hop limits, not an SNMP object reference. A MAC address identifies a network interface at Layer 2 and is not an SNMP identifier. An ASN identifies an autonomous system in BGP routing and has nothing to do with the MIB.
- A network team reviews a captured device log and sees that every event message carries a numeric severity level, where lower numbers indicate more urgent conditions. According to standard logging severity ordering, which level represents the most severe condition?
- 7 (Debug)
- 5 (Notice)
- 6 (Informational)
- 0 (Emergency)
Correct answer: 0 (Emergency)
Correct answer: 0 (Emergency). In the standard syslog severity scale, level 0 (Emergency) is the most critical, signaling that the system is unusable, and severity rises as the number decreases. Level 5 (Notice) flags normal but significant conditions and is far less urgent. Level 6 (Informational) is routine operational messaging. Level 7 (Debug) is the least severe, used only for detailed troubleshooting output.
- An administrator notices that several switches have drifted from the approved standard build, with extra VLANs and inconsistent settings that no one documented. Which network-operations practice is designed to prevent this kind of unapproved deviation from the baseline build?
- Load balancing
- Configuration management
- Port mirroring
- Quality of service tagging
Correct answer: Configuration management
Correct answer: Configuration management. Configuration management establishes approved standard configurations and detects or remediates configuration drift, keeping devices aligned with the documented baseline. Load balancing distributes traffic across resources and does not govern device build consistency. Port mirroring copies traffic for analysis and has no role in enforcing standards. Quality of service tagging prioritizes traffic and is unrelated to controlling configuration drift.
- Before a major firmware upgrade, a change-management board reviews the proposed work, the risk assessment, the implementation steps, and the rollback procedure, then formally approves the change for a scheduled maintenance window. What is the primary purpose of this formal review and approval process?
- To assign IP addresses to new devices automatically
- To encrypt management traffic to the devices
- To reduce the risk and unplanned impact of changes to production systems
- To translate hostnames into IP addresses
Correct answer: To reduce the risk and unplanned impact of changes to production systems
Correct answer: To reduce the risk and unplanned impact of changes to production systems. A change-management process exists so that proposed modifications are reviewed, risk-assessed, scheduled, and given a rollback plan before they touch production, minimizing outages and surprises. It does not assign IP addresses, which is a DHCP function. It does not encrypt management traffic, which is handled by protocols like SSH. It does not translate hostnames, which is the role of DNS.
- A capacity-planning team wants to know which applications consume the most bandwidth on a WAN link without capturing full packet payloads. They enable a flow-export feature that summarizes conversations by source, destination, ports, and byte counts. Which technology are they using?
- Reverse DNS lookups
- SNMP traps
- Spanning Tree Protocol
- NetFlow / flow-based monitoring
Correct answer: NetFlow / flow-based monitoring
Correct answer: NetFlow / flow-based monitoring. Flow monitoring such as NetFlow exports metadata about each conversation, including addresses, ports, and byte counts, making it ideal for bandwidth and application analysis without storing full payloads. SNMP traps send single event alerts and do not summarize traffic flows. Spanning Tree Protocol prevents Layer 2 loops and provides no usage statistics. Reverse DNS lookups map IP addresses to names and reveal nothing about bandwidth consumption.
- A data-center operations team installs sensors that report rack temperature and relative humidity to the monitoring platform so they can react before equipment overheats. These devices are best categorized as which type of monitoring?
- Environmental monitoring
- Application monitoring
- Flow monitoring
- Bandwidth monitoring
Correct answer: Environmental monitoring
Correct answer: Environmental monitoring. Environmental monitoring tracks physical conditions such as temperature and humidity in equipment areas so staff can prevent heat-related failures. Application monitoring watches software performance and availability, not physical conditions. Flow monitoring summarizes network traffic conversations, not the facility environment. Bandwidth monitoring measures link utilization and likewise says nothing about rack temperature or humidity.
- An operations engineer wants to confirm a device clock is synchronized and notes that its NTP source is described as stratum 1, while the device itself is stratum 2. What does the device's stratum 2 designation indicate?
- It is the most accurate possible reference clock
- It is one hop away from a reference clock source
- It cannot be used as a time source by other devices
- It is completely unsynchronized to any source
Correct answer: It is one hop away from a reference clock source
Correct answer: It is one hop away from a reference clock source. In NTP, stratum counts distance from the authoritative reference: a stratum 1 server is directly attached to a reference clock, and a stratum 2 device synchronizes from a stratum 1 server, placing it one hop away. It is not itself the most accurate reference, since that role belongs to stratum 0 reference clocks and the stratum 1 servers attached to them. It can still serve time to higher-numbered strata, so it is usable as a source. It is synchronized, not unsynchronized, because it is drawing time from a valid upstream server.
- A network engineer must enable forensic analysis by directing an external IP address to resolve back to its registered hostname for log enrichment. Which DNS record type performs this address-to-name resolution?
- MX record
- A record
- PTR record
- TXT record
Correct answer: PTR record
Correct answer: PTR record. A PTR (pointer) record provides reverse DNS by mapping an IP address back to a hostname, which is exactly what log enrichment and forensic checks rely on. An A record does the opposite by mapping a hostname to an IPv4 address. An MX record identifies mail servers that accept inbound mail for a domain. A TXT record stores arbitrary text such as SPF or verification strings and does not resolve addresses to names.
- An operations group wants to track every network asset from purchase, through deployment and maintenance, to eventual decommissioning and disposal, so that aging hardware is replaced before it becomes a reliability or security liability. Which network-operations discipline does this describe?
- Network Address Translation
- Quality of service
- Spanning Tree Protocol
- Asset and life-cycle management
Correct answer: Asset and life-cycle management
Correct answer: Asset and life-cycle management. Life-cycle management tracks hardware from acquisition through deployment, maintenance, and disposal so devices are refreshed before reaching end-of-life risk. Quality of service prioritizes traffic types and does not track asset stages. Spanning Tree Protocol prevents switching loops and has no asset-tracking role. Network Address Translation rewrites IP addresses at a boundary and is unrelated to managing device life cycles.
- A monitoring dashboard shows that a single 1 Gbps uplink has averaged 92 percent utilization during business hours for the past month, with frequent peaks at 100 percent. Based on this trend data, which network-operations action is most appropriate?
- Disable logging on the connected switch
- Plan to upgrade or add capacity on the saturated uplink
- Shorten the DNS TTL on all records
- Replace the uplink's PTR record
Correct answer: Plan to upgrade or add capacity on the saturated uplink
Correct answer: Plan to upgrade or add capacity on the saturated uplink. Sustained utilization near 90 to 100 percent indicates the link is a bottleneck, and capacity planning calls for upgrading bandwidth or adding links before performance degrades. Disabling logging would remove visibility and does nothing to relieve congestion. Shortening DNS TTL affects name-resolution caching, not link throughput. Replacing a PTR record changes reverse name resolution and has no effect on uplink saturation.
- A SOC analyst correlates a sudden interface-down syslog message, an SNMP trap, and a NetFlow drop to confirm a fiber cut on a core link. Combining multiple monitoring data sources to validate and contextualize a single event is best described as what?
- Load balancing
- Port mirroring
- Log and event correlation
- Address translation
Correct answer: Log and event correlation
Correct answer: Log and event correlation. Event correlation is the practice of combining and cross-referencing data from multiple monitoring sources, such as syslog, SNMP traps, and flow data, to validate and pinpoint the root cause of an incident. Port mirroring copies traffic to an analyzer and is only one data feed, not the correlation process. Load balancing distributes traffic across resources and is unrelated to analysis. Address translation rewrites IP addresses and plays no part in correlating monitoring events.
- A technician finds and fixes a faulty switch uplink, then writes a description of the symptom, the verified cause, and the corrective steps into the ticketing system before closing the case. Which final step of the CompTIA Network+ troubleshooting methodology is being performed?
- Document findings, actions, and outcomes
- Establish a theory of probable cause
- Verify full system functionality
- Implement the solution
Correct answer: Document findings, actions, and outcomes
Documenting findings, actions, and outcomes is correct because recording the symptom, the confirmed cause, and the corrective steps after the fix is the final methodology step, which builds a knowledge base for future issues. Establishing a theory and implementing the solution occur earlier, and verifying full system functionality happens just before documentation, not as the act of writing the record.
- A technician suspects a connectivity problem lies somewhere between a client and a remote server. Rather than checking layer by layer, the technician tests at the middle of the path first and then narrows toward either the client or the server based on the result. Which troubleshooting approach is this?
- Top-to-bottom OSI
- Divide and conquer
- Bottom-to-top OSI
- Spanning tree convergence
Correct answer: Divide and conquer
Divide and conquer is correct because the technician begins testing at the middle of the path and uses each result to eliminate half of the possibilities, quickly isolating the fault. Top-to-bottom and bottom-to-top are sequential OSI-layer approaches that start at one end rather than the middle, and spanning tree convergence is an unrelated switching process.
- Several VoIP phones and PCs across a building suddenly fail to obtain IP addresses, while devices configured with static addresses continue to work normally. Logs show legitimate clients receiving addresses from an unexpected server. What is the most likely cause?
- A switching loop is flooding the network
- DNS resolution has failed on the clients
- A rogue DHCP server is leasing incorrect addresses
- The default gateway has an incorrect subnet mask
Correct answer: A rogue DHCP server is leasing incorrect addresses
A rogue DHCP server is correct because dynamic clients failing while static clients keep working, combined with leases coming from an unexpected server, points to an unauthorized DHCP server handing out bad configuration. A switching loop would degrade all traffic broadly, DNS failure would not stop address assignment, and a gateway subnet mask error would not explain leases arriving from an unexpected server.
- A user can reach hosts on the local subnet but cannot reach any device on other subnets or the internet. The workstation's IP address and subnet mask are valid for its VLAN. Which misconfiguration most directly explains this behavior?
- A duplicate MAC address on the switch
- An expired DNS cache entry
- A blocked spanning tree port
- An incorrect or missing default gateway
Correct answer: An incorrect or missing default gateway
An incorrect or missing default gateway is correct because local-subnet communication works without a gateway, but all traffic destined for other subnets must be forwarded through the default gateway, so a wrong or absent gateway isolates the host to its own subnet. A duplicate MAC, an expired DNS entry, or a blocked spanning tree port would not produce the clean local-works/remote-fails pattern.
- Two workstations on the same subnet intermittently lose connectivity, and Windows displays an address-conflict warning on one of them. Both machines were manually assigned the same IPv4 address. What is this condition called?
- Duplicate IP address
- Address pool exhaustion
- Asymmetric routing
- DNS poisoning
Correct answer: Duplicate IP address
Duplicate IP address is correct because two hosts statically assigned the same IPv4 address produce conflict warnings and intermittent connectivity as the network cannot reliably map the address to one machine. Address pool exhaustion involves running out of DHCP leases, asymmetric routing concerns differing forward and return paths, and DNS poisoning corrupts name resolution rather than causing an IP conflict.
- A DHCP server stops issuing new leases and recently connected devices fail to get addresses, even though the scope and server are healthy. Investigation shows every address in the configured range is already leased. What problem is occurring?
- A duplicate default gateway
- DHCP scope (address pool) exhaustion
- An incorrect DNS suffix
- Crosstalk on the server uplink
Correct answer: DHCP scope (address pool) exhaustion
DHCP scope exhaustion is correct because new clients fail to obtain addresses specifically when all addresses in the configured pool are already leased, leaving none available to assign. A duplicate gateway, an incorrect DNS suffix, and crosstalk would not present as a healthy scope with no free addresses remaining.
- A technician needs to copy all traffic passing through several switch ports to a single monitoring port so a protocol analyzer can capture it without inline taps. Which switch feature provides this?
- Port security
- Power over Ethernet
- Port mirroring (SPAN)
- Spanning Tree Protocol
Correct answer: Port mirroring (SPAN)
Port mirroring, also called SPAN, is correct because it copies traffic from one or more source ports to a designated destination port where an analyzer can capture it without breaking the link. Port security restricts which MAC addresses may use a port, Power over Ethernet delivers electrical power, and Spanning Tree Protocol prevents switching loops, none of which duplicate traffic for monitoring.
- In a wiring closet, a technician needs to identify which unlabeled cable in a large bundle terminates at a specific wall jack. Which tool pair is purpose-built to trace and locate that individual cable?
- A loopback plug and multimeter
- An OTDR and light meter
- A spectrum analyzer and Wi-Fi scanner
- A tone generator and inductive probe (toner probe)
Correct answer: A tone generator and inductive probe (toner probe)
A tone generator and inductive probe is correct because the generator places an audible tone on the target cable and the probe detects that tone along the bundle, letting the technician pinpoint the matching cable. A loopback plug tests interfaces, an OTDR and light meter measure fiber characteristics, and a spectrum analyzer and Wi-Fi scanner address wireless interference, none of which trace a specific copper run.
- A technician certifying a fiber link must confirm that the total optical loss across connectors, splices, and cable length stays within the manufacturer's acceptable limit. Which measurement, expressed in decibels, must be compared against that limit?
- The link's optical loss (dB loss) budget
- The cable's near-end crosstalk value
- The interface's collision domain size
- The fiber's maximum transmission unit
Correct answer: The link's optical loss (dB loss) budget
The optical loss budget is correct because a fiber link is certified by measuring total signal loss in decibels and confirming it falls within the maximum allowable loss for that run. Near-end crosstalk applies to copper, collision domain size relates to shared Ethernet segments, and maximum transmission unit is a frame-size setting, none of which express fiber loss in decibels.
- A fiber connection that previously worked now shows degraded signal and errors after a patch panel was serviced. The cable tests fine end to end, but inspection reveals contamination on the connector end face. What is the most likely cause of the degraded signal?
- Electromagnetic interference on the fiber
- A dirty fiber connector end face
- A duplex mismatch on the transceivers
- Excessive crosstalk between strands
Correct answer: A dirty fiber connector end face
A dirty fiber connector end face is correct because contamination such as dust or oil on the polished end face scatters and blocks light, degrading the signal even when the cable itself is intact. Fiber is immune to electromagnetic interference, duplex mismatch is a copper Ethernet negotiation issue, and crosstalk is a copper phenomenon, so none of those explain a contaminated connector.
- After a technician swaps a workstation's straight-through cable but the link still will not come up to a switch, the technician recalls modern switches negotiate the correct transmit and receive pin assignments automatically. Which feature performs this automatic crossover?
- Auto-negotiation of duplex only
- Spanning Tree Protocol
- Auto-MDI-X
- Quality of Service tagging
Correct answer: Auto-MDI-X
Auto-MDI-X is correct because it automatically detects and adjusts the transmit and receive pin assignments, eliminating the need for crossover cables between like devices. Duplex auto-negotiation sets half or full duplex rather than pinouts, Spanning Tree prevents loops, and Quality of Service prioritizes traffic, so none of those handle automatic crossover.
- On a wireless network, clients near a busy access point experience slow throughput even though signal strength is strong. Analysis shows nearby access points and a microwave operating on the same frequency. Which metric best captures how usable the signal is relative to background interference?
- Received signal strength indicator alone
- Maximum transmission unit
- Time to live
- Signal-to-noise ratio (SNR)
Correct answer: Signal-to-noise ratio (SNR)
Signal-to-noise ratio is correct because it compares the wanted signal level against background noise and interference, which is exactly why strong signal can still perform poorly when noise is high. Received signal strength alone ignores noise, maximum transmission unit is a frame-size value, and time to live is a packet hop limit, so none of those describe usability against interference.
- A wireless survey of a 2.4 GHz deployment shows three access points in range using channels 3, 6, and 9, and users report degraded performance. Which configuration practice resolves the overlapping-channel interference?
- Use the non-overlapping channels 1, 6, and 11
- Set all access points to the same channel
- Disable auto-MDI-X on the access points
- Lower the MTU on each access point
Correct answer: Use the non-overlapping channels 1, 6, and 11
Using channels 1, 6, and 11 is correct because those are the only non-overlapping channels in the 2.4 GHz band, so assigning them to neighboring access points eliminates co-channel and adjacent-channel interference. Setting every access point to the same channel maximizes contention, auto-MDI-X is a wired pinout feature, and lowering MTU does not address channel overlap.
- A technician needs to view and modify the local IP routing table on a Windows workstation to confirm which gateway is being used for a specific destination network during troubleshooting. Which command displays the host's routing table entries?
- Arp -a
- Route print
- Nslookup
- Ipconfig /flushdns
Correct answer: Route print
The route print command is correct because it displays the local IPv4 and IPv6 routing table, showing destination networks and the gateways used to reach them. The arp command shows IP-to-MAC mappings, nslookup queries DNS, and ipconfig /flushdns clears the DNS resolver cache, so none of those reveal routing-table entries.
- Reachability to a remote server fails intermittently, and a traceroute shows the path changing between attempts, with replies sometimes never returning even though the forward path succeeds. The forward and return traffic appear to follow different routes. What condition is most likely described?
- A duplicate IP address
- Attenuation on the local cable
- Asymmetric routing
- DHCP scope exhaustion
Correct answer: Asymmetric routing
Asymmetric routing is correct because traffic taking one path outbound and a different path on return, causing inconsistent traceroutes and dropped replies, is the defining behavior of asymmetric routing and can break stateful filtering along the way. A duplicate IP causes local conflicts, attenuation weakens a single cable's signal, and DHCP exhaustion prevents address assignment, none of which explain differing forward and return paths.