This free full-length CompTIA Network+ N10-010 practice exam includes 90 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
| Domain | Weight |
|---|---|
| Networking Concepts | 26% |
| Network Implementation | 18% |
| Network Operations | 20% |
| Network Security | 14% |
| Network Troubleshooting | 22% |
Topic: Network Security
A junior network administrator is preparing an incident summary after a remote-access compromise. Evidence shows an attacker sent a phishing email with a link to a fake SSO portal, captured a user’s credentials, and then connected through the company VPN. No unpatched VPN software, published CVE, or unknown software flaw was found. To keep the report precise, which term is the BEST professional description for the phishing link and fake portal?
Options:
A. CVE
B. Vulnerability
C. Attack vector
D. Attack surface
Best answer: C
Explanation: An attack vector is the path or method an attacker uses to reach a target, such as phishing, stolen credentials, exposed remote access, or malicious removable media. In this scenario, the decisive evidence is not a software defect or a named public vulnerability. The attacker’s method was social engineering through a fake SSO portal, followed by VPN access using captured credentials. A vulnerability would be a weakness that could be exploited, a CVE would be a published identifier for a known vulnerability, and attack surface would describe the total set of possible entry points. Precise terminology helps incident reports stay actionable and avoids implying a missing patch or unknown flaw that evidence does not support.
Topic: Networking Concepts
A company is moving several latency-sensitive internal applications to a public cloud. The network team needs a private, dedicated connection from the on-premises data center to the cloud provider with more predictable bandwidth than an Internet-based tunnel. Which connectivity option best meets this requirement?
Options:
A. Site-to-site VPN
B. Cloud interconnect service
C. Non-transitive peering
D. Cloud VPC peering
Best answer: B
Explanation: A cloud interconnect service is designed for private, dedicated connectivity between an organization’s physical network and a cloud provider. It is commonly used when workloads need more predictable bandwidth, lower or more consistent latency, and reduced dependence on the public Internet. A site-to-site VPN can connect on-premises networks to cloud networks, but it typically runs over the Internet and depends on Internet path conditions. Cloud VPC peering connects cloud networks to each other, not an on-premises data center directly. Non-transitive peering describes a routing behavior where one peering relationship does not automatically carry traffic to a third network.
Topic: Network Troubleshooting
A help desk ticket reports choppy VoIP calls each evening while workstation backups run. Monitoring shows the switch uplink to the router is congested during the backup window. The IP phones mark RTP voice packets with DSCP EF, and backups use default best-effort marking. Which configuration is the best first step to reduce voice latency and packet loss without stopping backups?
Options:
A. Enable jumbo frames on the workstation access VLAN
B. Increase the DHCP lease time for all voice VLAN clients
C. Trust phone DSCP markings and prioritize EF traffic on the uplink
D. Add a static route with a lower metric to the backup server
Best answer: C
Explanation: QoS is used when different traffic types compete for limited bandwidth. In this scenario, the uplink is congested and voice traffic is already marked with DSCP EF, which is commonly used for expedited forwarding. Trusting those markings at the appropriate edge and placing EF traffic into a priority queue helps voice packets leave the congested interface ahead of bulk backup traffic. This directly targets latency, jitter, and packet loss for real-time voice while still allowing backups to continue as best-effort traffic. The key is not to make backups faster; it is to protect time-sensitive traffic during congestion.
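The priority-queue behaviour the explanation describes, as an added example (not IT Mastery's code): it decodes the DSCP from the TOS byte, and compares the transmit order on a trusted port with an untrusted port that remarks everything to best effort. The packet list and the two-queue scheduler are constructed for illustration; real switches add policing and more queues.

```python
from collections import deque

EF = 46  # DSCP value for Expedited Forwarding (TOS byte 0xB8)

def dscp_from_tos(tos_byte: int) -> int:
    """The DSCP field is the top six bits of the IPv4 TOS / IPv6 Traffic Class byte."""
    return (tos_byte & 0xFF) >> 2

class UplinkScheduler:
    """Strict-priority queue for EF packets ahead of a best-effort FIFO.

    trust_dscp=False models an untrusted port: markings are ignored and
    every packet is treated as best effort (DSCP 0)."""

    def __init__(self, trust_dscp: bool = True):
        self.trust_dscp = trust_dscp
        self.priority = deque()
        self.best_effort = deque()

    def enqueue(self, pkt: dict) -> int:
        dscp = dscp_from_tos(pkt["tos"]) if self.trust_dscp else 0
        if dscp == EF:
            self.priority.append(pkt["id"])
        else:
            self.best_effort.append(pkt["id"])
        return dscp

    def drain(self) -> list:
        """Transmit order: the priority queue is always served first while it is non-empty."""
        order = []
        while self.priority or self.best_effort:
            queue = self.priority if self.priority else self.best_effort
            order.append(queue.popleft())
        return order

# Constructed sample: backup and RTP voice packets arriving interleaved during the backup window.
ARRIVALS = [
    {"id": "backup-1", "tos": 0x00},
    {"id": "voice-1", "tos": 0xB8},
    {"id": "backup-2", "tos": 0x00},
    {"id": "voice-2", "tos": 0xB8},
]

def transmit_order(trust_dscp: bool) -> list:
    """Run the constructed arrivals through the scheduler and return the order they leave the uplink."""
    sched = UplinkScheduler(trust_dscp)
    for pkt in ARRIVALS:
        sched.enqueue(pkt)
    return sched.drain()

if __name__ == "__main__":
    print("trusted port:  ", transmit_order(True))
    print("untrusted port:", transmit_order(False))
```

With the markings trusted, both voice packets leave before the backup packets; with the port untrusted, the same packets leave in plain arrival order, which is why trusting the phone's DSCP at the edge matters before the priority queue can help.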
Topic: Network Troubleshooting
A help desk ticket reports that users on several access switches in one office lost reliable access to file shares and sometimes receive APIPA addresses. The core switch and servers are still up, and no firewall or ISP alarms are present. A technician added a “temporary backup cable” between two access switches 10 minutes before the issue began.
Exhibit: Monitoring summary
Core switch: MAC flapping on VLANs 10 and 20
Access switches: frequent STP topology changes
DHCP server: many repeated DISCOVER messages
Firewall: no deny spikes or link failures
Which action is the BEST professional decision?
Options:
A. Restart the DHCP service and clear active leases
B. Remove the temporary inter-switch cable and verify STP behavior
C. Add static routes for VLAN 10 and VLAN 20
D. Increase the firewall session limit for the office
Best answer: B
Explanation: The evidence points to a Layer 2 loop caused by the added access-switch cable. MAC flapping means the same source MAC address is being learned on different switch ports, which commonly happens when frames loop through redundant paths that are not controlled correctly. Frequent STP topology changes reinforce that the switching layer is unstable. The APIPA addresses and repeated DHCP DISCOVER messages are secondary symptoms: clients cannot reliably complete DHCP because the LAN is unstable. The best professional action is to remove or disable the temporary link, then verify STP or an approved link-aggregation design before restoring redundancy.
Topic: Network Troubleshooting
A network technician is reviewing an outage that started shortly after an approved firewall change. The call center reports that external calls are failing, but internal calls and data access still work. Which action should the technician take next?
Exhibit:
Change ID: CHG-1842
Time applied: 08:55
Scope: Edge firewall voice ACL cleanup
Backout plan: Restore previous ACL if call setup fails
Monitoring at 09:05:
- Call center PSTN calls: failed
- Internal extension calls: successful
- Internet/data access: normal
- Firewall log: DENY udp/5060 from Voice_VLAN to SIP_Provider
Service impact: active customer call queue outage
Options:
A. Escalate immediately to the ISP.
B. Move phones to the data VLAN as a workaround.
C. Start the approved ACL rollback.
D. Document the finding and wait for trends.
Best answer: C
Explanation: Rollback is the best next action when validated evidence ties a service-impacting outage to a recent approved change and the documented backout condition has been met. The exhibit shows external call setup failing after an edge firewall voice ACL change, while internal calling and data access remain normal. The firewall log also shows SIP traffic from the voice VLAN being denied, which directly matches the affected service. Because the change record already defines restoring the previous ACL if call setup fails, the technician should follow that rollback plan and record the evidence in the ticket/change record. Escalation or workaround may be appropriate later if rollback fails or is not authorized, but the documented rollback path comes first here.
Topic: Network Security
A network audit finds that monitoring traffic for an access switch can be read from a packet capture. The NMS must continue collecting interface counters and status. Which change best addresses the exposure shown?
Exhibit: Audit excerpt
Device: SW-Access-12
Service: UDP/161 SNMPv2c
Captured value: community "public-ro"
Data exposed: VLAN names, interface status, counters
Mgmt ACL: permits only NMS 10.20.5.15
Options:
A. Disable SNMP and monitor with ICMP ping only
B. Add a second ACL allowing only the NMS
C. Replace SNMPv2c with SNMPv3 using authentication and privacy
D. Keep SNMPv2c and rotate the community string
Best answer: C
Explanation: SNMPv1 and SNMPv2c use community strings and do not provide modern authentication or encryption for management data. The exhibit shows that the community value and device information were visible in a capture, so simply limiting who can connect does not protect the protocol contents if traffic is observed. SNMPv3 supports stronger security, including authentication and privacy, while still allowing the NMS to poll counters and status. The key hardening action is to move from the legacy non-secure version to the secure version, then disable the older SNMP service.
Topic: Network Operations
A network technician is documenting the cause of a recent branch-office outage. The team is allowed to use AI to speed up analysis, but company policy prohibits entering internal IP addresses, customer names, or full device configurations into public AI systems. The report must be accurate enough for a change review. Which action is the BEST professional decision?
Options:
A. Ask a public AI tool for likely causes without providing evidence, then submit its answer
B. Use the approved private AI tool with sanitized evidence, then verify the summary against logs and diagrams
C. Avoid AI entirely and delay the report until a senior engineer rewrites it manually
D. Paste the full router configuration into a public AI tool to get the most complete report
Best answer: B
Explanation: Acceptable AI use in network operations depends on data handling, approved tools, and verification. In this scenario, AI is permitted, but sensitive operational details cannot be placed into public AI systems. The best approach is to use an approved private or controlled AI tool, remove or mask sensitive details, and then compare the AI-generated analysis with authoritative sources such as logs, tickets, topology diagrams, and change records. AI can assist with summarizing and organizing evidence, but it should not be treated as automatically correct. The key takeaway is to use AI as a productivity aid within policy, not as an unverified authority or a reason to expose confidential network data.
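One way to do the "remove or mask sensitive details" step before evidence goes to an approved AI tool, as an added example (not IT Mastery's code): RFC 1918 addresses, device hostnames and named customers are replaced with stable placeholders, the mapping is kept internally so the AI output can be re-expanded, and a final check refuses text that still contains internal data. The device-naming convention (site-rtr/sw/fw-number) and the sample ticket line are assumptions constructed for the example.

```python
import ipaddress
import re

# RFC 1918 ranges; anything here is treated as internal and must not leave the company.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed device-naming convention for this example: <site>-<rtr|sw|fw>-<number>
DEVICE_RE = re.compile(r"\b[a-z]+-(?:rtr|sw|fw)-\d+\b", re.I)

def is_private(ip_text: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)

def sanitize(text: str, customer_names=()):
    """Replace internal IPs, device hostnames and customer names with placeholders.
    Returns (sanitized_text, mapping) so the team can re-expand the AI output internally."""
    mapping = {}
    counters = {}

    def placeholder(kind, value):
        if value not in mapping:
            counters[kind] = counters.get(kind, 0) + 1
            mapping[value] = f"<{kind}-{counters[kind]}>"
        return mapping[value]

    # Public addresses (the ISP peer here) are left alone; only RFC 1918 space is masked.
    out = IPV4_RE.sub(
        lambda m: placeholder("INTERNAL-IP", m.group(0)) if is_private(m.group(0)) else m.group(0), text)
    out = DEVICE_RE.sub(lambda m: placeholder("DEVICE", m.group(0)), out)
    for name in customer_names:
        out = re.sub(re.escape(name), lambda m, n=name: placeholder("CUSTOMER", n), out, flags=re.I)
    return out, mapping

def leaks_internal_data(text: str, customer_names=()) -> bool:
    """Final gate before submission: True if a private IP, device name or customer name remains."""
    if any(is_private(m.group(0)) for m in IPV4_RE.finditer(text)):
        return True
    if DEVICE_RE.search(text):
        return True
    return any(re.search(re.escape(n), text, re.I) for n in customer_names)

# Constructed ticket excerpt used as sample input.
SAMPLE = ("Branch router br-rtr-01 (10.50.1.1) lost BGP to ISP peer 203.0.113.9 at 08:55; "
          "customer Acme Widgets reported VoIP loss.")

if __name__ == "__main__":
    clean, table = sanitize(SAMPLE, ["Acme Widgets"])
    print(clean)
    print("safe to submit:", not leaks_internal_data(clean, ["Acme Widgets"]))
```

The placeholders are deterministic per value, so the same router appears as the same token throughout the evidence and the AI summary can still be checked line by line against the real logs afterwards.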
Topic: Network Implementation
A company is redesigning Wi-Fi for its lobby and conference rooms. Review the ticket excerpt and choose the best guest-access design.
Area: lobby + 3 adjacent conference rooms
Peak load: 75 guest devices during events
Current issue: one lobby AP has weak room coverage
Current SSID: Guest-Temp uses staff VLAN 10
Requirement: guests must not reach internal subnets
Requirement: users accept terms in a browser; no guest accounts
Requirement: maintain usable performance while roaming
Options:
A. Controller-managed APs with a captive-portal guest VLAN
B. One high-power AP using the staff VLAN
C. Wireless bridge extending VLAN 10 to the rooms
D. Autonomous APs using the staff RADIUS server
Best answer: A
Explanation: The design needs to solve several guest Wi-Fi requirements at once: coverage across multiple rooms, guest isolation, browser-based acceptance, and reasonable roaming performance. Controller-managed or cloud-managed APs can operate as one extended service set, coordinate channels and power, and support roaming better than a single AP. A dedicated guest VLAN separates guest traffic from the staff VLAN, and firewall or ACL rules can allow Internet access while blocking internal subnets. A captive portal satisfies the browser terms-acceptance requirement without creating individual guest accounts.
Increasing transmit power or extending the staff VLAN may improve signal in one direction, but it does not provide proper isolation or scalable event performance.
Topic: Network Troubleshooting
A branch office reports intermittent access to an internal application after a backup WAN link was enabled between two data centers. The application must stay available, both WAN links must remain usable for failover, and the network team wants the lowest-risk routing change.
Exhibit: Troubleshooting notes
Branch client path to app: Branch -> DC1 firewall -> App VLAN
App server return route to branch: App VLAN -> DC2 WAN -> Branch
DC1 firewall log: Deny TCP packet - no matching session
DNS, DHCP, and server health checks: normal
Which action is the BEST professional decision?
Options:
A. Disable stateful inspection on the DC1 firewall
B. Shut down the DC2 WAN link until maintenance
C. Replace the application DNS record with the DC2 address
D. Adjust routing metrics to keep return traffic through DC1
Best answer: D
Explanation: Stateful firewalls track connection state, so the return path must normally traverse the same firewall that saw the original session. The notes show branch-to-application traffic entering through DC1, but the server’s return route leaves through DC2. DC1 then sees later packets without the expected session and drops them. The best fix is to correct the route preference or metrics so the forward and return paths are symmetric while keeping the alternate WAN link available for failover. Disabling inspection or removing a WAN path would reduce security or availability instead of fixing the routing decision.
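The asymmetric-path failure, as an added example (not IT Mastery's code): a minimal connection tracker only marks a session established once it has seen both the SYN and the SYN-ACK, so when the server's replies leave through DC2 and never cross DC1, the client's next packet reaches DC1 with no matching session and is denied. Addresses, ports and the four-packet exchange are constructed; the tracker is a simplification of what a real stateful firewall does.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"

class StatefulFirewall:
    """Minimal connection tracker: a session becomes established only when this
    firewall sees both the SYN and the SYN-ACK of the handshake."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # initiator 4-tuple -> "half-open" | "established"
        self.log = []

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p) -> bool:
        if p.flags == "SYN":
            self.sessions[self._fwd(p)] = "half-open"
            self.log.append(f"{self.name}: new session {self._fwd(p)}")
            return True
        if p.flags == "SYN-ACK" and self.sessions.get(self._rev(p)) == "half-open":
            self.sessions[self._rev(p)] = "established"
            self.log.append(f"{self.name}: session established {self._rev(p)}")
            return True
        if "established" in (self.sessions.get(self._fwd(p)), self.sessions.get(self._rev(p))):
            return True
        self.log.append(f"{self.name}: Deny TCP packet - no matching session {self._fwd(p)} flags={p.flags}")
        return False

# Constructed addresses: branch client and application server.
CLIENT, SERVER = "10.50.1.10", "10.10.20.25"
EXCHANGE = [
    Packet(CLIENT, 51000, SERVER, 445, "SYN"),
    Packet(SERVER, 445, CLIENT, 51000, "SYN-ACK"),
    Packet(CLIENT, 51000, SERVER, 445, "ACK"),
    Packet(CLIENT, 51000, SERVER, 445, "DATA"),
]

def simulate(symmetric: bool):
    """Forward traffic always enters through DC1. With symmetric=False the server's
    replies leave via the DC2 WAN link and are never seen by DC1."""
    dc1 = StatefulFirewall("DC1 firewall")
    permitted = []
    for p in EXCHANGE:
        if p.src == SERVER and not symmetric:
            permitted.append(True)  # return path bypasses DC1 entirely
            continue
        permitted.append(dc1.inspect(p))
    return all(permitted), dc1.log

if __name__ == "__main__":
    for mode in (True, False):
        ok, log = simulate(mode)
        print("symmetric" if mode else "asymmetric", "->", "connection works" if ok else "connection dropped")
        print("\n".join("  " + line for line in log))
```

Fixing the route metrics so the server's return path prefers DC1 is what makes the second run look like the first; neither disabling inspection nor shutting the DC2 link is needed for the tracker to see the whole handshake.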
Topic: Networking Concepts
A network team is integrating an SDN controller with an internal dashboard. The dashboard must request different combinations of device, interface, and policy fields without downloading full resource objects, and the team wants clients to specify exactly which fields are returned in a single query. Which API style best fits this requirement?
Options:
A. REST
B. GraphQL
C. SNMP
D. SOAP
Best answer: B
Explanation: GraphQL is the best fit when an integration needs flexible, client-defined queries. Instead of calling several fixed endpoints or receiving an entire resource representation, a GraphQL client can ask for exactly the fields it needs, such as selected device, interface, and policy attributes, often in one request. REST is common for network automation APIs and works well with resource-based endpoints, but it typically returns predefined representations from each endpoint. SOAP uses XML-based messages and formal service contracts, which are more rigid than this requirement. SNMP is used for network monitoring and management data, not as the API style described for flexible application integration.
Topic: Network Troubleshooting
A branch office reports intermittent file access and choppy VoIP after a workstation area was moved to a new IDF. The business cannot approve a redesign this quarter, and changes that interrupt users must wait for a 30-minute maintenance window. The ticket requires evidence before replacing equipment.
Exhibit: Troubleshooting notes
| Finding | Value |
|---|---|
| Uplink errors | CRC errors increasing |
| Uplink speed/duplex | 100 Mbps half-duplex |
| Expected uplink | 1 Gbps full-duplex |
| Copper run estimate | About 120 meters |
Options:
A. Replace the switching design with MLAG and fiber aggregation
B. Test the uplink cabling and replace it with a standards-compliant run
C. Deploy an SD-WAN overlay to optimize branch traffic
D. Increase VoIP QoS priority on all access ports
Best answer: B
Explanation: The best professional troubleshooting decision is to follow the evidence and stay within a practical Network+ scope. Increasing CRC errors, an unexpected 100 Mbps half-duplex negotiation, and an estimated 120-meter copper run all point to a physical-layer cabling or negotiation issue. Ethernet copper runs are commonly limited to 100 meters for standard twisted-pair links, so testing the cable with an appropriate tool and replacing or rerouting it during the maintenance window addresses the likely root cause while respecting availability and budget constraints. A redesign might be considered later if requirements change, but the immediate troubleshooting action should verify and correct the visible fault.
Topic: Network Operations
A regional clinic has two identical VPN/firewall appliances, two ISP circuits, and redundant uplinks to the core switch. Remote clinics must maintain access to the EHR system if one appliance fails. Current peak traffic is close to the capacity of a single appliance, and operations policy requires automatic failover without manual routing changes. Which design is the BEST professional decision?
Options:
A. Run stress testing on the existing single appliance
B. Deploy an active-active high availability pair
C. Deploy an active-passive high availability pair
D. Replace both appliances with one larger firewall
Best answer: B
Explanation: High availability reduces downtime by providing redundant systems and automatic failover. In this scenario, a single appliance is already near capacity, and the policy requires both appliances to be used during normal operations. An active-active design best matches those constraints because both devices can process traffic while health checks and failover mechanisms keep services available if one member fails. Active-passive HA improves availability, but the standby device does not normally carry production traffic, so it does not satisfy the load-sharing requirement. Stress testing is useful for validating capacity under load, but it is not an availability architecture.
Topic: Networking Concepts
A user reports that a DHCP-configured laptop cannot reach any network resources after moving to a different office. The laptop shows IPv4 address 169.254.18.77/16, no default gateway, and it can successfully ping 127.0.0.1. Which configuration action is the best next step?
Options:
A. Configure DNS to use the laptop’s loopback address
B. Change the client subnet mask to /8
C. Set the default gateway to 127.0.0.1
D. Restore DHCP service or relay for that client VLAN
Best answer: D
Explanation: APIPA addresses in 169.254.0.0/16 are self-assigned when a DHCP client cannot obtain a lease. The missing default gateway also supports a DHCP failure, because APIPA does not provide normal routable network settings. A successful ping to 127.0.0.1 only verifies the local TCP/IP stack on the host; it does not prove the laptop has network connectivity. The best configuration-focused action is to fix DHCP availability for that VLAN, such as the DHCP server, scope, switchport VLAN assignment, or DHCP relay/IP helper path. Loopback addresses are for local host testing, not for gateway or DNS configuration in this scenario.
127.0.0.1 points back to the local host, not a router.
/8 would not turn an APIPA address into a valid DHCP lease.
Topic: Networking Concepts
A technician is assigning IPv4 subnets from 192.168.40.0/24 for a new office. The office needs separate VLANs for Staff (50 hosts), Voice (25 hosts), and Cameras (10 hosts). The plan must avoid overlap and leave unused address space for future VLANs. Which addressing approach best meets these requirements?
Options:
A. Use VLSM with /26, /27, and /28 subnets
B. Place all devices in 192.168.40.0/24
C. Use a /25 subnet for each VLAN
D. Use a /27 subnet for each VLAN
Best answer: A
Explanation: Variable Length Subnet Masking (VLSM) is the best fit when different segments need different host capacities from one larger network. A /26 provides 62 usable addresses, which supports the 50-host Staff VLAN. A /27 provides 30 usable addresses for the 25-host Voice VLAN. A /28 provides 14 usable addresses for the 10-host Cameras VLAN. This keeps each VLAN in its own Layer 3 subnet, avoids overlap, and leaves the rest of the /24 available for future segments. Using one large /24 would not provide separate IP subnets for the VLANs.
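The VLSM carve-up the explanation walks through, as an added example (not IT Mastery's code) that generalizes it: the allocator picks the smallest prefix that covers each host count, assigns the largest segments first, returns the unused remainder to the pool, and reports what is left for future VLANs. It also shows why three /25 networks cannot fit in one /24. The requirement list is the one from the question; the best-fit strategy is an assumption of this example.

```python
import ipaddress

def prefix_for_hosts(hosts: int) -> int:
    """Longest (most specific) prefix whose usable address count, 2^(32-p) - 2, covers `hosts`."""
    for p in range(30, 0, -1):
        if 2 ** (32 - p) - 2 >= hosts:
            return p
    raise ValueError("host count exceeds IPv4 capacity")

def allocate_vlsm(parent_cidr: str, requirements):
    """Allocate one subnet per (name, hosts) from parent_cidr, largest first.
    Returns (allocations, leftover): name -> IPv4Network, and the unused blocks."""
    free = [ipaddress.ip_network(parent_cidr)]
    allocations = {}
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        need = prefix_for_hosts(hosts)
        # Best fit: the smallest free block that can still hold a /need.
        fits = [b for b in free if b.prefixlen <= need]
        if not fits:
            raise ValueError(f"no free block large enough for {name} (/{need})")
        block = max(fits, key=lambda b: b.prefixlen)
        free.remove(block)
        if block.prefixlen == need:
            allocations[name] = block
        else:
            chosen = next(block.subnets(new_prefix=need))  # first /need inside the block
            allocations[name] = chosen
            free.extend(block.address_exclude(chosen))     # hand the remainder back to the pool
    return allocations, sorted(free)

def overlaps(allocations) -> bool:
    """True if any two allocated subnets share address space."""
    nets = list(allocations.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

# Constructed requirements from the office plan in the question.
OFFICE = [("Staff", 50), ("Voice", 25), ("Cameras", 10)]

if __name__ == "__main__":
    allocs, leftover = allocate_vlsm("192.168.40.0/24", OFFICE)
    for name, net in allocs.items():
        print(f"{name:8} {net}  usable={net.num_addresses - 2}")
    print("leftover:", [str(n) for n in leftover])
```

Running it gives Staff 192.168.40.0/26, Voice 192.168.40.64/27 and Cameras 192.168.40.96/28, leaving 192.168.40.112/28 and 192.168.40.128/25 free; asking for three 100-host segments from the same /24 raises, because only two /25 networks exist.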
/24 fails because it does not create separate IPv4 subnets for the required VLAN segmentation.
/27 subnets fail because a /27 has only 30 usable addresses, which is too small for 50 Staff hosts.
/25 subnets fail because a /24 contains only two /25 networks, so it cannot provide three VLAN subnets.
Topic: Networking Concepts
A company hosts an internal web application on three identical servers. Users should connect to one internal name, and the network should automatically send each new client session to a healthy server. Which network appliance role best meets this requirement?
Options:
A. Router
B. Firewall
C. Load balancer
D. Proxy server
Best answer: C
Explanation: The core requirement is traffic distribution across multiple servers while presenting one service to users. A load balancer sits in front of backend servers and forwards client sessions based on configured algorithms and server health. This improves availability and capacity for a single application name or virtual IP. A router primarily moves packets between IP networks, a firewall enforces security policy, and a proxy typically represents clients or filters application requests rather than balancing a server pool.
Topic: Network Implementation
A campus access switch has several Layer 2 access ports in user VLANs and a trunk uplink to the distribution switch. The network team wants to manage this switch over SSH using an IP address in VLAN 99. The switch should not convert any user-facing port into a routed port. Which configuration concept best supports this requirement?
Options:
A. Change VLAN 99 to the native VLAN on the trunk
B. Create an SVI for VLAN 99 with a management IP
C. Assign the management IP directly to a user access port
D. Bundle the uplink into an LACP port channel
Best answer: B
Explanation: A switched virtual interface (SVI) is a logical Layer 3 interface associated with a VLAN. For switch management, an SVI lets the switch have an IP address in the management VLAN while its physical ports continue operating as Layer 2 access or trunk ports. If management traffic must come from another subnet, the switch also needs an appropriate default gateway or route, but the key configuration concept is the SVI for the management VLAN. For inter-VLAN routing on a multilayer switch, SVIs can also serve as the default gateways for VLANs.
Topic: Networking Concepts
A company’s current edge firewall allows or denies traffic by source IP, destination IP, protocol, and port. Management now wants to permit approved SaaS applications, block unauthorized file-sharing apps even when they use TCP 443, and detect common web-based attacks without redesigning the LAN. Which solution is the BEST professional decision?
Options:
A. Deploy an IDS sensor on a mirrored switch port
B. Add more traditional ACLs for TCP 80 and TCP 443
C. Replace the edge firewall with an NGFW using application-aware policies
D. Move all SaaS traffic to a separate VLAN
Best answer: C
Explanation: A traditional stateful firewall primarily makes decisions from Layer 3 and Layer 4 information, such as IP addresses, protocols, ports, and connection state. That is not enough when different applications share TCP 443 or try to evade simple port-based rules. A next-generation firewall (NGFW) adds application awareness and deeper traffic inspection, often including IPS features, so it can allow approved SaaS apps while blocking unauthorized applications using the same common ports. Keeping the device at the edge also satisfies the requirement to avoid redesigning the LAN. The key distinction is port-based control versus application-aware inspection.
Topic: Network Security
A company provides a guest wireless network for visitors. A technician discovers that guest clients can ping internal printers and file servers because the guest SSID is bridged to the same VLAN as employee devices. Which configuration best reduces the exposure while still allowing guests to access the internet?
Options:
A. Enable a hidden SSID for the guest network
B. Require a longer guest Wi-Fi passphrase
C. Increase the DHCP lease time for guest clients
D. Map the guest SSID to a separate VLAN with restrictive ACLs
Best answer: D
Explanation: The core defense technique is network segmentation with least-privilege access control. Guest devices should not share the same Layer 2 network as trusted employee devices because that exposes internal resources to untrusted clients. Mapping the guest SSID to its own VLAN separates guest traffic, and ACLs can permit only the required traffic, such as internet-bound access through the firewall, while denying access to internal printers, file servers, and management networks. A stronger passphrase may improve authentication, but it does not control where authenticated guest clients can send traffic. The key takeaway is to combine segmentation with explicit access restrictions for untrusted networks.
Topic: Network Security
A network technician discovers that an unpatched building automation controller uses an insecure management protocol. The controller must remain reachable by the facilities monitoring server, replacement is not funded until next quarter, and security policy requires reducing exposure without disrupting HVAC operations. Which response is the BEST professional decision?
Options:
A. Accept the risk and leave the controller on the user VLAN
B. Avoid the risk by disconnecting the controller immediately
C. Transfer the risk by purchasing cyber insurance only
D. Mitigate by segmenting the controller and limiting access with ACLs
Best answer: D
Explanation: Risk mitigation reduces the likelihood or impact of a known risk without eliminating the business function. In this scenario, the controller cannot be patched or replaced immediately, but it still must support HVAC monitoring. Placing it in a restricted VLAN or segment and allowing only the facilities monitoring server to reach it with ACLs lowers the attack surface while maintaining operations. Risk acceptance would be appropriate only if leadership knowingly chose to tolerate the risk without additional controls. Risk avoidance would remove the risky activity, but disconnecting the controller violates the availability requirement. Risk transfer may offset financial impact, but it does not control network exposure by itself.
Topic: Network Troubleshooting
A technician is troubleshooting a workstation in the Finance VLAN. The workstation can reach the internet but cannot reach a server in another internal VLAN.
Exhibit: Addressing and test output
Finance VLAN expected: 10.20.30.0/24
Finance default gateway: 10.20.30.1
Server VLAN: 10.20.40.0/24
Workstation IP: 10.20.30.77
Subnet mask: 255.255.0.0
Default gateway: 10.20.30.1
Ping 10.20.30.1: success
Ping 8.8.8.8: success
Ping 10.20.40.25: fail
Packet capture: ARP who-has 10.20.40.25 from 10.20.30.77
Which issue is most likely causing the failed internal server connection?
Options:
A. The workstation default gateway is incorrect.
B. The server has a duplicate IP address.
C. The router is missing a default route.
D. The workstation subnet mask is too broad.
Best answer: D
Explanation: The key issue is an incorrect subnet mask on the workstation. Finance is expected to use 10.20.30.0/24, but the workstation has 255.255.0.0, which is /16. With that mask, 10.20.40.25 appears to be on the same local network as 10.20.30.77, so the workstation sends ARP broadcasts for the server instead of forwarding the traffic to 10.20.30.1. The successful ping to the gateway and internet shows the gateway can be reached for truly off-subnet destinations. Correcting the mask to 255.255.255.0 would make the server VLAN off-subnet and cause the workstation to use its default gateway.
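The host's forwarding decision from the explanation, as an added example (not IT Mastery's code): given the workstation's address, mask and gateway, it reports whether each destination is treated as on-link (ARP directly) or sent to the gateway, and flags a mask that disagrees with the VLAN design. The exhibit values are reused; the function names are this example's own.

```python
import ipaddress

def next_hop(host_ip: str, netmask: str, gateway: str, destination: str):
    """Host forwarding decision: ARP directly for on-link destinations, otherwise use the gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(destination) in iface.network:
        return ("arp", destination)
    return ("gateway", gateway)

def mask_findings(host_ip: str, netmask: str, expected_cidr: str, gateway: str, tests):
    """Compare the configured mask with the VLAN design and explain each test destination."""
    configured = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    expected = ipaddress.ip_network(expected_cidr)
    findings = []
    if configured.prefixlen != expected.prefixlen:
        findings.append(f"mask mismatch: configured /{configured.prefixlen}, design expects /{expected.prefixlen}")
    for dest in tests:
        action, via = next_hop(host_ip, netmask, gateway, dest)
        findings.append(f"{dest}: {action} via {via}")
    return findings

# Values taken from the exhibit; the test list mirrors the three pings.
WORKSTATION = dict(host_ip="10.20.30.77", gateway="10.20.30.1", expected_cidr="10.20.30.0/24")
TESTS = ["10.20.30.1", "8.8.8.8", "10.20.40.25"]

if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(f"mask {mask}:")
        for line in mask_findings(netmask=mask, tests=TESTS, **WORKSTATION):
            print("  " + line)
```

With 255.255.0.0 the server 10.20.40.25 falls inside 10.20.0.0/16, so the host ARPs for it on the Finance VLAN and nothing answers; with 255.255.255.0 the same destination is off-subnet and goes to 10.20.30.1, matching the packet capture and the fix in the explanation.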
Topic: Network Implementation
A company needs temporary Internet connectivity for a remote environmental monitoring site for 6 months. There is no wired ISP service, cellular coverage maps show no usable LTE/5G signal, and there is no nearby building for a line-of-sight bridge. The site only needs low-to-moderate bandwidth for telemetry and remote administration. Which wireless option best fits this requirement?
Options:
A. Satellite Internet link
B. Wi-Fi 6 mesh deployment
C. Point-to-point wireless bridge
D. 5G cellular router
Best answer: A
Explanation: Satellite connectivity is a wireless WAN option for locations where terrestrial services are unavailable or impractical. In this scenario, the site has no wired ISP, no usable LTE/5G signal, and no nearby endpoint for a point-to-point bridge. Satellite can provide Internet access in remote areas as long as the site can install the needed outdoor equipment and has an appropriate view of the sky. Cellular would often be a good temporary or backup WAN option, but it depends on carrier coverage at the location.
Topic: Networking Concepts
A company is adopting Zero Trust for an internal finance application. Employees need access from the office and from home. Contractors may access the app only from managed devices during approved hours. Devices missing required security updates must be blocked. Which approach is the BEST professional decision?
Options:
A. Place the application on a separate VLAN for all VPN users
B. Allow access only from corporate public IP addresses
C. Use context-aware access policies before granting application access
D. Require frequent password changes for all users
Best answer: C
Explanation: Context-aware access is a Zero Trust concept that makes access decisions from more than just username and password. In this scenario, the policy must consider who the user is, whether the device is managed and patched, where the user is connecting from, and whether the request occurs during an approved time window. That allows employees to work from multiple locations while limiting contractors and blocking unhealthy devices. A static network location control, such as a VLAN or source IP rule, cannot express all of these conditions by itself. The key takeaway is that access should be granted per request based on verified context, not assumed trust from network placement.
Topic: Network Troubleshooting
Users in VLAN 20 report intermittent connectivity shortly after a second cable was added between two access switches for redundancy. Which interpretation is best supported by the exhibit?
Exhibit: Switch troubleshooting output
Topology: SW1 Gi1/0/23 <--> SW2 Gi1/0/23
SW1 Gi1/0/24 <--> SW2 Gi1/0/24
SW1 log:
MAC address 00:50:56:aa:10:20 in VLAN 20 flapping between Gi1/0/23 and Gi1/0/24
SW1 interface summary:
Gi1/0/23 up/up broadcasts/sec: 18,500 discards: rising
Gi1/0/24 up/up broadcasts/sec: 19,100 discards: rising
SW1 STP VLAN 20:
Gi1/0/23 Designated Forwarding
Gi1/0/24 Designated Forwarding
Options:
A. Unidirectional fiber on one uplink
B. STP failure creating a Layer 2 loop
C. Incorrect default gateway for VLAN 20
D. Native VLAN mismatch on the trunk links
Best answer: B
Explanation: The symptoms point to a switching loop with a broadcast storm. Two parallel Layer 2 links between the same switches are active for VLAN 20, but STP shows both interfaces forwarding instead of blocking one redundant path. The MAC address flapping between the two ports means frames from the same source are being learned on different interfaces, which commonly happens during a Layer 2 loop. The very high broadcast rate and rising discards show the loop is affecting switch performance and user connectivity.
A best next action would be to break the loop or restore correct STP/EtherChannel behavior before further troubleshooting client settings.
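Detection logic for the MAC-flapping symptom seen in this item and in the earlier temporary-backup-cable item, as an added example (not IT Mastery's code): it parses flap messages and an STP port summary, counts flaps per VLAN and port pair, and separates "both ports forwarding, loop suspected" from "one port blocking, probably a moved host or duplicate MAC". The log and STP lines are constructed to resemble the exhibit; the exact message format on a real switch will differ.

```python
import re
from collections import Counter

FLAP_RE = re.compile(
    r"MAC address (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) in VLAN (?P<vlan>\d+) "
    r"flapping between (?P<p1>\S+) and (?P<p2>\S+)", re.I)
STP_RE = re.compile(r"^\s*(?P<port>\S+)\s+(?P<role>\w+)\s+(?P<state>\w+)\s*$")

def parse_flaps(log_lines):
    """-> list of (mac, vlan, (portA, portB)) with the port pair in a canonical order."""
    out = []
    for line in log_lines:
        m = FLAP_RE.search(line)
        if m:
            out.append((m["mac"].lower(), int(m["vlan"]), tuple(sorted((m["p1"], m["p2"])))))
    return out

def parse_stp(stp_lines):
    """-> {port: state} from lines such as 'Gi1/0/23 Designated Forwarding'."""
    states = {}
    for line in stp_lines:
        m = STP_RE.match(line)
        if m:
            states[m["port"]] = m["state"]
    return states

def loop_candidates(log_lines, stp_lines, min_flaps=2):
    """Flag VLAN/port pairs that flap repeatedly while both ports are STP Forwarding."""
    counts = Counter((vlan, ports) for _, vlan, ports in parse_flaps(log_lines))
    states = parse_stp(stp_lines)
    findings = []
    for (vlan, ports), n in sorted(counts.items()):
        if n < min_flaps:
            continue  # a single flap is normal when a host moves between ports
        both_forwarding = all(states.get(p) == "Forwarding" for p in ports)
        findings.append({
            "vlan": vlan, "ports": ports, "flaps": n, "loop_suspected": both_forwarding,
            "verdict": ("possible Layer 2 loop: both ports forwarding; isolate the redundant link"
                        if both_forwarding else
                        "flapping with a non-forwarding port; check for a moved host or duplicate MAC"),
        })
    return findings

# Constructed sample input modelled on the exhibit (VLAN 30 lines added to show the non-loop verdict).
SW1_LOG = [
    "SW1: MAC address 00:50:56:aa:10:20 in VLAN 20 flapping between Gi1/0/23 and Gi1/0/24",
    "SW1: MAC address 00:50:56:aa:10:21 in VLAN 20 flapping between Gi1/0/24 and Gi1/0/23",
    "SW1: MAC address 00:50:56:aa:10:20 in VLAN 20 flapping between Gi1/0/23 and Gi1/0/24",
    "SW1: MAC address 00:50:56:bb:30:01 in VLAN 30 flapping between Gi1/0/5 and Gi1/0/6",
    "SW1: MAC address 00:50:56:bb:30:01 in VLAN 30 flapping between Gi1/0/5 and Gi1/0/6",
    "SW1: interface Gi1/0/23 up/up",  # unrelated line, ignored by the parser
]
SW1_STP = [
    "Gi1/0/23 Designated Forwarding",
    "Gi1/0/24 Designated Forwarding",
    "Gi1/0/5 Designated Forwarding",
    "Gi1/0/6 Alternate Blocking",
]

if __name__ == "__main__":
    for f in loop_candidates(SW1_LOG, SW1_STP):
        print(f"VLAN {f['vlan']} {f['ports']} flaps={f['flaps']}: {f['verdict']}")
```

In an NMS this would run on each flap notification; the STP cross-check is what turns a noisy "MAC moved" message into an actionable loop alert for the VLAN 20 pair while leaving the VLAN 30 pair, where one port is Blocking, as a host-side question.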
Topic: Network Implementation
A small office virtualization host has two 1GbE NICs connected to the same access switch. All hosted VMs must remain in VLAN 30, and the team wants better aggregate backup throughput plus continued connectivity if one cable or switchport fails. There is no budget for 10GbE, and the IP addressing design must not change. What is the best professional decision?
Options:
A. Add static routes between the two NIC subnets
B. Place each NIC in a different VLAN
C. Convert one NIC to an 802.1Q trunk
D. Configure an LACP port channel in VLAN 30
Best answer: D
Explanation: Link aggregation, commonly using LACP, groups multiple physical interfaces into one logical link. In this scenario, it fits because the host needs more aggregate throughput and resilience against a single link failure without changing VLAN membership or IP addressing. The aggregated ports should be configured consistently on the switch and host, and they should remain in VLAN 30 if the host only needs that VLAN.
Link aggregation does not route between subnets and does not replace VLAN segmentation. If traffic needed to move between VLANs, a router or Layer 3 switch interface would still be required.
Topic: Networking Concepts
A manufacturer needs to let three approved suppliers check inventory levels and upload shipping notices. The solution must support daily remote access, require authentication, and prevent suppliers from reaching the internal production network. The company does not want a public customer-facing service. Which network design is the best professional decision?
Options:
A. Allow supplier VPN access to the internal LAN
B. Build an air-gapped supplier network
C. Create an authenticated extranet for the suppliers
D. Place the production network in a DMZ
Best answer: C
Explanation: An extranet best matches this requirement because approved external organizations need controlled, authenticated access to specific business resources. It supports ongoing connectivity for partners without making the service broadly public and without granting access to the internal production network. A DMZ is commonly used to isolate public-facing services from internal systems, but the main requirement here is partner-only collaboration. An air-gapped network would provide strong isolation, but it would not support daily remote access without manual transfer processes. The key distinction is that extranets are designed for limited external partner access, while air gaps are for disconnection and DMZs are for perimeter isolation of exposed services.
Topic: Network Implementation
A company is upgrading the MDF that supports the core switch, firewall, and ISP handoff. The business requirement is to keep connectivity available during utility outages that may last up to 8 hours, with no reboot while backup power starts. Which backup power approach best meets the requirement?
Options:
A. UPS sized for 15 minutes only
B. Standby generator without a UPS
C. UPS sized to bridge to a generator
D. Surge suppressor on each rack PDU
Best answer: C
Explanation: UPS and generator backup serve different availability needs. A UPS provides near-instant battery power when utility power fails, preventing network devices from rebooting during brief outages or while another power source starts. A generator is used for longer runtime, but it usually has a startup and transfer interval. For an MDF that must stay online for up to 8 hours with no reboot during switchover, the best design combines both: the UPS carries the load immediately, then the generator supports extended operation. A UPS alone is typically for short runtime, and a generator alone may not prevent interruption during startup.
Topic: Network Troubleshooting
A technician restored a switch configuration from an older backup. Users can pass traffic, and the NOC jump box can ping the switch management IP, but SSH management fails.
Exhibit:
Jump box: 10.20.5.25
Switch management IP: 10.20.99.11
Baseline: SSH version 2 only; Telnet disabled
Current: SSH version 1 only; management ACL permits 10.20.5.0/24
SSH client message: protocol version mismatch
Which configuration change should the technician make first?
Options:
A. Configure SSH version 2 for management
B. Change the switch management IP
C. Enable Telnet for remote management
D. Permit all source subnets in the ACL
Best answer: A
Explanation: The key troubleshooting facts show that basic reachability is working: the jump box can ping the switch management IP, and the management ACL already permits the jump box subnet. The remaining mismatch is protocol versioning. The baseline requires SSH version 2 only, but the restored configuration is using SSH version 1, which causes the SSH client protocol mismatch. Restoring SSHv2 aligns the device with the management baseline without weakening access controls.
Changing addressing or ACL scope would not fix a protocol-version failure, and enabling Telnet would violate the secure-management baseline.
Topic: Network Troubleshooting
A warehouse reports intermittent Wi-Fi drops during afternoon shifts. Wired devices remain stable, AP event logs show no authentication failures, and the security policy discourages collecting user payloads unless necessary. The network team needs evidence of possible non-Wi-Fi RF interference around the affected aisles. Which tool is the BEST choice?
Options:
A. Packet capture
B. Spectrum analyzer
C. Log collector
D. Packet analyzer
Best answer: B
Explanation: The core decision is the type of evidence needed. The symptoms point to a wireless physical-layer problem: intermittent drops in a specific area, stable wired connectivity, and no authentication errors in AP logs. To investigate non-Wi-Fi RF interference, the team needs visibility into radio frequency activity, channel utilization, noise, and possible interferers such as machinery or cordless devices. A spectrum analyzer is designed for that RF view and also avoids unnecessary user payload collection. Packet-focused tools are useful when the evidence needed is frame, packet, protocol, or application behavior, not raw RF energy. A log collector helps centralize device events, but the existing logs are already not showing the cause.
Topic: Network Operations
A network administrator must restore management access to a distribution switch in an IDF. User traffic is still forwarding, but SSH and HTTPS to the switch management IP time out after a recent management VLAN change. There is no out-of-band management path, and policy forbids enabling insecure remote access or exposing management interfaces to the Internet. What is the BEST professional decision?
Options:
A. Enable Telnet until SSH is restored
B. Open temporary Internet access to the management IP
C. Send an authorized technician to use the local console port
D. Reboot the switch during business hours
Best answer: C
Explanation: Local access is required when the only remote management paths are unavailable or would violate security policy. In this scenario, SSH and HTTPS are unreachable, there is no out-of-band path, and user traffic is still working. The professional choice is to preserve availability and use an authorized local method, such as a console cable and crash cart, to inspect or correct the management configuration. Creating an Internet-exposed management path or using Telnet increases risk, and an unnecessary reboot could disrupt users without addressing the root cause.
Topic: Networking Concepts
A technician is troubleshooting a laptop that cannot open https://intranet.example.com. Other users on the same VLAN can reach the site. Review the exhibit and identify the OSI/TCP/IP layer focus most supported by the evidence.
Exhibit: Laptop checks
ipconfig: 10.20.30.55/24, gateway 10.20.30.1, DNS 10.20.30.10
ping 10.20.30.1: replies received
ping 10.20.30.25: replies received
Test TCP 10.20.30.25:443: open
nslookup intranet.example.com 10.20.30.10: request timed out
Options:
A. Application layer DNS resolution
B. Transport layer TCP session setup
C. Network layer IP routing
D. Data link layer Ethernet framing
Best answer: A
Explanation: The exhibit points to DNS, which is an application-layer protocol in the OSI model and part of the application layer in the TCP/IP model. The laptop has a valid IP configuration, can reach its default gateway, can ping the web server IP, and can open TCP port 443 on that IP. Those checks make Layer 2 local access, Layer 3 routing, and Layer 4 TCP connectivity less likely as the primary issue. The failing nslookup shows the laptop cannot resolve the hostname through the configured DNS server, so troubleshooting should focus on DNS service reachability, DNS server configuration, or name resolution behavior. The key is to match the symptom to the highest failing dependency after lower-layer connectivity has been shown to work.
Topic: Networking Concepts
A software company hosts public documentation, product images, and software update files in one cloud region. Customers worldwide report slow downloads during peak hours. The company wants lower latency, reduced load on the origin servers, and no private connectivity between customer networks and the cloud. Which solution is the BEST professional decision?
Options:
A. Deploy an SD-WAN overlay to customer sites
B. Extend the application VLAN using VXLAN
C. Build site-to-site VPNs to major customers
D. Place the content behind a CDN
Best answer: D
Explanation: A content delivery network (CDN) is appropriate when the goal is to distribute cacheable content, such as images, documentation, videos, or update files, to users across many locations. CDN edge nodes serve copies closer to users, improving download performance and reducing bandwidth and processing load on the origin. The stem specifically says there is no need for private network connectivity between customer networks and the cloud, so private WAN or tunneling options add complexity without solving the content-distribution requirement. The key takeaway is that CDNs optimize public content delivery, while VPN, SD-WAN, and VXLAN focus on connectivity or network extension.
Topic: Network Implementation
A technician is troubleshooting why users connected to SW2 in VLAN 20 cannot reach the default gateway on SW1. The inter-switch link should carry VLANs 10 and 20, with native VLAN 99.
Exhibit: Switchport summary
| Device/Port | Mode | VLAN details |
|---|---|---|
| SW1 Gi1/0/24 | Trunk | Native 99; allowed 10,20,99 |
| SW2 Gi1/0/24 | Access | Access VLAN 20 |
| SW2 Gi1/0/5 | Access | Access VLAN 20 |
Options:
A. Change SW1 Gi1/0/24 to access VLAN 20
B. Configure SW2 Gi1/0/24 as a trunk with native VLAN 99
C. Change SW2 Gi1/0/5 to trunk mode
D. Remove VLAN 99 from the SW1 allowed VLAN list
Best answer: B
Explanation: An inter-switch link that carries multiple VLANs should be configured as a trunk on both ends. In the exhibit, SW1 is trunking VLANs 10 and 20 with native VLAN 99, but SW2’s uplink is configured as an access port in VLAN 20. That mismatch prevents VLAN tagging from working correctly across the link and can block or misplace traffic for VLANs that should traverse the uplink. The best next action is to make SW2’s uplink a trunk and match the native VLAN expected on SW1. Access ports such as SW2 Gi1/0/5 should remain access ports for end-user devices.
Topic: Networking Concepts
A company is opening 12 small branch offices that will use different local ISPs, including fiber, cable, and LTE backup. The network team must deploy sites quickly with minimal on-site configuration, prioritize voice and SaaS traffic, and manage security and routing policies from one console. Which solution is the BEST professional decision?
Options:
A. Order private MPLS circuits for every branch
B. Configure individual static VPN tunnels per site
C. Deploy an SD-WAN solution
D. Deploy an SDN controller for campus switches
Best answer: C
Explanation: SD-WAN is designed for WAN connectivity between sites and cloud services across mixed transports such as broadband, LTE, and private links. In this scenario, the key requirements are fast branch rollout, application-aware path selection for voice and SaaS, and central policy management. Zero-touch provisioning lets branch appliances receive configuration after installation, reducing the need for skilled on-site setup. SDN also uses centralized control, but it is broader and commonly associated with programmable control of data center or campus network devices rather than optimizing branch WAN paths across multiple transports. The deciding feature set points to SD-WAN, not generic SDN or manual VPN design.
Topic: Networking Concepts
A network team stores switch and firewall configuration templates as text files. Two technicians often update the same templates for different change tickets, and the team wants peer review plus a way to identify conflicting edits before deployment. Which source-control practice best meets these requirements?
Options:
A. Edit device configurations directly during the change window
B. Use branches and merge requests in a central repository
C. Have each technician maintain a separate local repository
D. Store the latest approved templates on a shared file server
Best answer: B
Explanation: Source control is useful for network changes because configuration files, IaC templates, and scripts can be versioned, reviewed, and compared before deployment. A central repository gives the team one authoritative place for approved work. Branching lets each technician make changes for a specific ticket without immediately overwriting another technician’s work. A merge or pull request then provides peer review and identifies conflicts when two branches modify the same lines or files. This reduces accidental overwrites and supports change tracking.
Topic: Network Troubleshooting
A technician is troubleshooting a Linux application server after users report that the application is unreachable. The technician has console access and must first verify whether the server is locally listening on the expected TCP port and which process owns the socket. Which tool is the best choice?
Options:
A. netstat
B. tcpdump
C. traceroute
D. nmap
Best answer: A
Explanation: Use a local socket-inspection tool when the first question is whether the service is actually listening on the server. netstat can show listening TCP/UDP sockets, active connections, and, with appropriate privileges/options, the process associated with a port. That directly matches the requirement to verify the local service state before testing paths, firewalls, or remote reachability. If the port is not listening locally, scanning or packet capture will not fix the root issue; the next step would be checking the application service or binding configuration.
traceroute shows the route toward a destination, not local listening sockets.
nmap can show exposed ports from another host, but it does not directly identify the local owning process.
tcpdump can prove traffic arrival, but it is less direct for confirming a local listening service and process.
Topic: Network Implementation
A technician is updating the IDF switch inventory and runs a neighbor-discovery check on an access switch.
Exhibit: Discovery output
| Local port | Protocol | Neighbor ID | Neighbor port | Capability |
|---|---|---|---|---|
| Gi1/0/12 | LLDP | AP-Lobby-01 | eth0 | WLAN AP |
| Gi1/0/24 | CDP | Dist-SW1 | Gi1/0/3 | Switch |
| Gi1/0/25 | LLDP | Phone-14 | port1 | Telephone |
Which interpretation is best supported by the exhibit?
Options:
A. The listed devices are directly connected neighbors on those local ports.
B. The listed devices are allowed VLANs on each switchport trunk.
C. The listed devices are the complete Layer 3 path to each destination.
D. The listed devices are all endpoints learned through the MAC address table.
Best answer: A
Explanation: CDP and LLDP are neighbor-discovery protocols used to improve network visibility and inventory accuracy. They advertise information such as device identity, local and remote ports, and device capability between directly connected devices. In the exhibit, the access switch has learned that an AP, a distribution switch, and an IP phone are attached to specific local interfaces. This helps a technician map physical/logical connections without tracing every cable manually.
These protocols do not replace MAC learning, routing tables, VLAN configuration, or STP decisions. They provide neighbor context for adjacent devices only.
Topic: Network Operations
A network technician is closing an approved change and must update the operational artifact affected by the implementation. Which artifact should be updated based on the exhibit?
Exhibit: Change closeout note
Change ID: CHG-2817
Implemented: Moved VLAN 20 default gateway from SW-D1 to FW-EDGE.
New path: VLAN 20 -> trunk to FW-EDGE -> WAN
Service targets: No change
Vendor/support coverage: No change
Compliance scope: No change
Options:
A. Vendor support matrix
B. Service level agreement
C. Logical network diagram
D. Compliance evidence register
Best answer: C
Explanation: Operational documentation should match the specific impact of a completed network change. The exhibit shows a topology and traffic-flow change: VLAN 20 now uses FW-EDGE as its default gateway and reaches the WAN through a different logical path. That affects the logical network diagram, not service commitments, vendor coverage, or compliance scope. Keeping the diagram current helps troubleshooting, change reviews, and future implementation planning.
Topic: Network Operations
A company adds a redundant Internet circuit and firewall failover at its main office. The technical network diagram and asset inventory have already been updated. The business owner now expects a higher uptime commitment for the hosted customer portal and a shorter restoration target during outages. Which operational artifact should be updated next?
Options:
A. Vendor warranty record
B. Physical rack elevation
C. Acceptable use policy
D. Service-level agreement
Best answer: D
Explanation: Operational documentation should match the type of impact caused by the change. In this scenario, the topology and inventory updates are already complete, but the business expectation for availability and restoration time has changed. Those expectations belong in the service-level agreement (SLA), which defines measurable service commitments such as uptime, response, and recovery targets. If the change had altered device placement, support coverage, or audit scope, a different artifact would be primary. The key is to update the artifact that communicates the new operational commitment to stakeholders.
Topic: Network Operations
A network operations manager is preparing a KRI report from the ticketing system for the next change advisory meeting. Company policy defines the KRI thresholds shown.
| Ticketing KRI | Threshold | Week 1 | Week 2 | Week 3 |
|---|---|---|---|---|
| Emergency change tickets | ≤10% | 8% | 16% | 24% |
| Unapproved implemented changes | 0 | 0 | 2 | 5 |
| Tickets reopened within 7 days | ≤5 | 4 | 6 | 11 |
| P1 acknowledgment time | ≤15 min | 12 min | 13 min | 14 min |
Which interpretation is best supported by the exhibit?
Options:
A. Vendor support is the likely cause of the trend.
B. The ticket queue shows normal risk because Week 1 was compliant.
C. Change-control risk is increasing and needs review.
D. Incident response is missing its P1 acknowledgment target.
Best answer: C
Explanation: KRIs use ticketing data to show operational risk trends, not just individual ticket status. In the exhibit, three change-related indicators worsen over time and exceed their thresholds by Week 3: emergency changes, unapproved implemented changes, and reopened tickets. That pattern suggests a process control issue around change planning, approval, or validation. P1 acknowledgment time stays within the 15-minute target, so incident response acknowledgment is not the main concern shown. The KRI report should drive a change-management review rather than assume the queue is healthy or blame a vendor without supporting evidence.
Topic: Network Operations
A company wants to use an AI tool to detect anomalies in switch syslogs and NetFlow data. The tool must analyze events within seconds, the telemetry includes internal addressing and device names that cannot leave the company network, and the WAN link to cloud services is often congested. Which design is the BEST professional decision?
Options:
A. Place the AI server on the guest wireless network
B. Run the AI tool on administrator laptops
C. Deploy a private AI instance near the log collector
D. Forward raw telemetry to a public AI chatbot
Best answer: C
Explanation: AI workloads can change network requirements because they may need high-throughput data feeds, low latency, controlled access, and protection of sensitive operational data. In this scenario, the telemetry must be analyzed quickly and cannot leave the company network, while the WAN link is already constrained. A private AI instance located close to the log collector reduces WAN dependency, keeps sensitive network metadata under company control, and supports normal network controls such as segmentation, authentication, and logging.
The key takeaway is to match the AI placement and connectivity model to performance and security requirements, not just choose the most convenient AI service.
Topic: Networking Concepts
A technician is connecting an access switch to a distribution switch. Both switches have empty SFP+ uplink slots, and the existing cable path is 80 m of OM3 multimode fiber terminated with LC connectors. The link must run at 10 Gbps. Which transceiver type should the technician install?
Options:
A. 100GBASE-SR4 QSFP28 with MPO connectors
B. 40GBASE-SR4 QSFP+ with MPO connectors
C. 1000BASE-T SFP with RJ-45 connector
D. 10GBASE-SR SFP+ with LC connectors
Best answer: D
Explanation: Transceiver selection must match both the device port type and the media requirement. SFP+ is the common small-form-factor transceiver type for 10 Gbps Ethernet uplinks, while QSFP variants are used for higher-density or higher-speed connections such as 40 Gbps or 100 Gbps. In this scenario, both switches have SFP+ slots, the required speed is 10 Gbps, and the installed cabling is OM3 multimode fiber with LC connectors. A 10GBASE-SR SFP+ transceiver fits those constraints. A QSFP module would not fit an SFP+ slot, and an RJ-45 copper SFP would not use the existing fiber path.
Topic: Network Implementation
A virtualization host has two 10Gb network adapters. The network team wants the host to use both links for aggregated bandwidth and keep connectivity if either access switch fails. The two uplinks must connect to separate physical switches, but the host should see them as one logical link bundle. Which configuration concept best meets the requirement?
Options:
A. LACP bundle to one access switch
B. MLAG between switches with LACP to the host
C. Static link aggregation without switch coordination
D. Spanning Tree Protocol on two access links
Best answer: B
Explanation: MLAG is used when a device needs a link aggregation group spread across two physical switches for redundancy. LACP handles negotiation of the aggregated links, but normal LACP expects all member links to terminate on the same logical switch. With MLAG, the two access switches coordinate so the host can use both 10Gb adapters as one logical bundle and still remain connected if one switch fails. A plain LACP bundle to one switch can aggregate bandwidth, but it does not protect against that switch failing.
Topic: Network Operations
A network administrator is reviewing a monitoring dashboard after users reported slow access to a cloud file-sharing service during the last week. Which interpretation is best supported by the dashboard?
Exhibit: WAN dashboard trend
| Metric (2 p.m.-4 p.m.) | Baseline | Mon | Tue | Wed | Thu | Fri |
|---|---|---|---|---|---|---|
| WAN utilization | 45% | 58% | 71% | 86% | 93% | 95% |
| Packet loss | 0.1% | 0.2% | 0.4% | 1.6% | 2.8% | 3.0% |
| Interface CRC errors | 0 | 0 | 0 | 0 | 0 | 0 |
| Router CPU | 35% | 37% | 39% | 40% | 38% | 39% |
Options:
A. A failing cable is causing physical-layer errors.
B. Router CPU exhaustion is causing packet drops.
C. DNS resolution is intermittently failing.
D. WAN congestion is increasing during the afternoon window.
Best answer: D
Explanation: Trend visibility compares current measurements to a baseline and shows whether conditions are changing over time. In this dashboard, WAN utilization rises from 58% to 95% during the same afternoon window, and packet loss rises with it. That pattern supports a capacity or congestion issue on the WAN path. CRC errors stay at zero, so the evidence does not point to a copper or fiber physical-layer fault. Router CPU also remains close to baseline, so processing overload is not the likely cause. The best operational next step would be to analyze traffic sources, review scheduled transfers, or plan capacity changes for that time window.
Topic: Network Operations
A company is opening a small branch office with 18 employees. Users, printers, and VoIP phones at the branch need continuous access to file and accounting servers at headquarters. Both locations have business Internet links and firewall appliances, and IT wants to avoid configuring VPN software on each workstation. Branch web browsing should continue to use the local Internet link to avoid saturating headquarters. Which approach is BEST?
Options:
A. Deploy client-to-site VPN with split tunneling
B. Configure a site-to-site VPN between the firewalls
C. Force all branch traffic through a full tunnel to headquarters
D. Deploy client-to-site VPN with full tunneling
Best answer: B
Explanation: Site-to-site VPNs are designed to connect entire networks, such as a branch LAN and a headquarters LAN, through secure tunnels between edge devices. That matches the need for shared devices and many users to reach headquarters resources continuously without installing or managing VPN clients on every endpoint. Routing only the headquarters subnets through the tunnel also preserves local Internet breakout for normal branch web traffic, which helps avoid unnecessary bandwidth use at headquarters. Client-to-site VPNs are better for individual remote users, not an always-on office-to-office connection.
Topic: Network Troubleshooting
A branch office added an IPsec VPN tunnel. Users can browse simple sites, but large file transfers and some HTTPS applications time out across the tunnel. Interface counters show no CRC errors, runts, giants, or drops, and both switch ports are 1 Gbps full-duplex.
Test results:
Small ping across VPN: success
Ping with DF bit and 1,472-byte payload: fails
LAN host MTU: 1,500 bytes
Tunnel encapsulation: adds overhead
Which issue is the most likely cause?
Options:
A. MTU too large for the tunnel path
B. Copper cabling fault on the access switch
C. Insufficient PoE budget on the switch
D. Duplex mismatch on the switch ports
Best answer: A
Explanation: This symptom points to an MTU issue. Small packets pass, but larger packets fail when the DF bit prevents fragmentation. IPsec encapsulation adds headers, so a normal 1,500-byte LAN frame may become too large for the path after it enters the tunnel. A common fix is lowering the tunnel or endpoint MTU, or using TCP MSS clamping where appropriate. The clean interface counters and matching 1 Gbps full-duplex settings make physical cabling and duplex problems less likely.
Topic: Network Security
A warehouse has fixed barcode scanners connected to access switch ports. Staff have been unplugging scanners and connecting personal laptops to the same wall jacks. The scanners do not support 802.1X, and the team has no budget for new authentication servers this quarter. Which action is the BEST professional decision to limit unauthorized device attachment on these ports?
Options:
A. Place the scanner ports in a separate VLAN
B. Enable DHCP snooping on the warehouse VLAN
C. Enable port security with one allowed MAC address per scanner port
D. Deploy 802.1X authentication with a new RADIUS server
Best answer: C
Explanation: Port security is a Layer 2 hardening control used to limit which devices can attach to switch access ports. In this scenario, the goal is not broad identity-based access control; it is to stop unauthorized laptops from using known scanner jacks. Because the scanners are fixed and do not support 802.1X, configuring each access port to allow only the scanner’s MAC address, often with a maximum of one MAC address and an appropriate violation action, directly matches the requirement. This is simpler and more practical than adding an authentication infrastructure the devices cannot use. VLAN separation may reduce exposure after a device connects, but it does not prevent the unauthorized attachment itself.
Topic: Networking Concepts
A network technician is configuring firewall rules for a new voice VLAN. IP phones must register with the IP PBX and set up or tear down calls. Separate rules will handle the actual voice media streams. Which protocol should be allowed for the call-signaling role?
Options:
A. ICMP
B. SIP
C. RDP
D. SMB
Best answer: B
Explanation: Session Initiation Protocol (SIP) is used in VoIP environments for signaling tasks such as registering endpoints, initiating calls, modifying sessions, and ending calls. The stem separates signaling from the actual voice media, which is commonly handled by other real-time media protocols. That makes the required role a SIP role, not a general connectivity or file-access function. SMB supports file and printer sharing, RDP supports remote graphical access to a system, and ICMP is mainly used for network control and diagnostics such as echo requests and error messages.
Topic: Network Implementation
A company is upgrading Wi-Fi in several adjacent training rooms. Each room may have 60 laptops connected during classes, and recent surveys show heavy 2.4 GHz and 5 GHz congestion from nearby tenants. All corporate laptops support Wi-Fi 6E and WPA3-Enterprise. Which wireless configuration best meets the capacity, interference, and security requirements?
Options:
A. 2.4 GHz only with increased transmit power
B. Wireless extenders using WPA2 with TKIP
C. Wi-Fi 5 on 5 GHz with WPA2-Personal
D. Wi-Fi 6E on 6 GHz with WPA3-Enterprise
Best answer: D
Explanation: Wi-Fi 6E extends Wi-Fi 6 capabilities into the 6 GHz band, which provides more available channels and can reduce co-channel interference in dense areas. In this scenario, every corporate laptop supports Wi-Fi 6E, so compatibility is not a blocker. WPA3-Enterprise is also appropriate because the requirement includes enterprise security, typically using centralized authentication rather than a shared personal passphrase. The best fit combines the newer band for capacity with the stronger enterprise security mode.
Topic: Network Operations
A company is refreshing 18 branch access switches. The current models reach end of support in 6 months, each branch requires next-business-day hardware replacement, procurement wants to avoid unnecessary vendor lock-in, and legal requires an NDA before sharing topology diagrams or configuration exports. Which action is the BEST professional decision before approving the change?
Options:
A. Choose the lowest-cost switches and add support contracts after deployment
B. Complete a vendor review covering NDA, licensing, warranty support, and lock-in risk
C. Standardize on a proprietary platform to simplify all future purchases
D. Send diagrams to preferred vendors first to speed up quote turnaround
Best answer: B
Explanation: Vendor management is part of operational change planning, not an afterthought. In this scenario, the organization must validate that the vendor can meet next-business-day replacement needs, confirm which features require licenses or subscriptions, respect the NDA requirement before sharing sensitive network documentation, and evaluate whether the solution creates avoidable lock-in. These checks help prevent hidden costs, unsupported hardware, legal exposure, and future purchasing constraints. The best decision is to complete the vendor-management review before approving the change, then document any risks or exceptions in the change record.
Topic: Network Security
A company is onboarding contractors who need browser access to FinanceApp. Review the access request. Which control change is best supported by the exhibit?
Exhibit: Access request
Users: contractors on personal laptops (BYOD)
Device limit: no company MDM agent permitted
App: FinanceApp, contains EU customer records
Data rule: records and inspection logs must stay in the EU
Current remote control: all web traffic uses a U.S. cloud proxy
Current WLAN: shared PSK, same VLAN as managed laptops
Options:
A. Segment BYOD with NAC and use EU-resident inspection
B. Keep the shared WLAN and rotate the PSK more often
C. Use only contractor group membership for access
D. Route FinanceApp traffic through the U.S. cloud proxy
Best answer: A
Explanation: BYOD and data-locality requirements can change which network controls are appropriate. Personal devices should not be treated like managed corporate endpoints on the same VLAN, especially when the organization cannot install a management agent. A NAC-based or equivalent access-control approach can place BYOD systems into a restricted segment and allow only the required application access. Separately, the EU data-locality requirement means traffic inspection and related logs for FinanceApp cannot be hairpinned through a U.S. proxy. The control selection must satisfy both endpoint trust and data-residency constraints.
Topic: Network Operations
A junior administrator is preparing to deploy a firmware update to all access switches during tonight’s maintenance window. Review the change record.
Exhibit: Change record summary
| Field | Entry |
|---|---|
| Scope | 18 access switches |
| Lab test | Not performed |
| Rollback plan | Not attached |
| Documentation update | Deferred until next week |
| Window | Approved for tonight |
What is the best next action before deployment?
Options:
A. Deploy only to the first switch and document results afterward
B. Deploy during the approved window and monitor for failures
C. Pause the deployment until testing, rollback, and documentation are completed
D. Update the asset inventory after all switches reboot successfully
Best answer: C
Explanation: Software and firmware management should include pre-deployment testing, a rollback plan, and current documentation before changes reach production network devices. The exhibit shows an approved maintenance window, but approval alone does not make the change operationally ready. Updating 18 access switches without validation increases outage risk, and lacking a rollback plan makes recovery slower if the update causes instability or incompatibility. Documentation should also be prepared so support staff know what changed, which devices are affected, and how to respond.
The key takeaway is that change readiness includes more than scheduling; it includes testing, backout planning, and documentation before deployment.
Topic: Network Security
A company finds that the administrative interface of its branch router is reachable from the public Internet. Network administrators still need remote access, but management traffic should not be exposed to arbitrary external hosts. Which configuration choice best meets the requirement?
Options:
A. Require VPN access before allowing SSH or HTTPS management
B. Allow SNMPv2c write access from the Internet
C. Move the web interface to a nonstandard TCP port
D. Enable Telnet only for administrator accounts
Best answer: A
Explanation: Administrative access exposed to the Internet should be protected with both reachability control and secure management protocols. Requiring administrators to connect through a VPN reduces exposure by making the management interface reachable only from authenticated remote users or trusted management networks. Using SSH or HTTPS then encrypts credentials and session data. This is stronger than simply hiding a service on another port, because port changes do not provide authentication, encryption, or meaningful access restriction. The key takeaway is to avoid exposing management services directly and use encrypted protocols through a controlled management path.
Topic: Network Security
A company adds a contractor Wi-Fi network at a warehouse. Contractors must use a web-based inventory application on 10.20.30.50 over HTTPS and must receive DHCP and DNS from internal services. The security team wants to prevent contractor devices from accessing file shares, switch management interfaces, or other internal subnets. Which access-control choice is the BEST professional decision?
Options:
A. Block all contractor traffic to internal networks
B. Segment contractors and apply least-privilege ACLs
C. Use MAC filtering on the contractor SSID
D. Allow contractors to reach the full server subnet
Best answer: B
Explanation: The core decision is least-privilege access control with segmentation. Contractor devices should not share broad access to internal networks, but they still need specific communication for business use. A dedicated VLAN or SSID for contractors, combined with ACL rules, can permit DHCP, DNS, and TCP 443 to 10.20.30.50 while denying file-sharing ports, switch management addresses, and unrelated internal subnets. This addresses the stated risk without breaking the required inventory workflow. Broad subnet access is too permissive, while blocking all internal traffic breaks the application requirement.
Topic: Networking Concepts
A workstation can open https://10.20.30.15 to an internal web server, and the TCP connection to port 443 succeeds. The same workstation cannot open https://intranet.example.com. Other IP-based connectivity from the workstation works. Which configuration focus best matches the protocol behavior and layer involved?
Options:
A. Check the switch access VLAN
B. Check the default gateway setting
C. Check the TCP window size
D. Check the DNS resolver settings
Best answer: D
Explanation: The symptom separates name resolution from IP reachability. The workstation can reach the server by IP address and complete HTTPS on TCP 443, so the lower layers needed for routing, switching, and the transport connection are already working for this path. The failure appears only when the hostname is used, which points to DNS. DNS is handled at the TCP/IP Application layer and maps to the OSI Application layer for troubleshooting focus. The best configuration focus is the client DNS resolver configuration, such as the DNS server assigned to the workstation or the DNS search/lookup behavior.
A gateway or VLAN issue would usually affect IP reachability, not only hostname-based access.
Topic: Network Implementation
An access switch port will connect a ceiling-mounted wireless AP. The AP has no local power outlet, supports 1 Gbps Ethernet, and the operations team wants the switch to automatically stop forwarding on the port if it detects a serious port fault such as a loop or excessive link errors. Which switchport configuration concept best meets these requirements?
Options:
A. Enable PoE, force half-duplex, and keep error-disable detection enabled.
B. Enable PoE, use full-duplex, and disable error-disable detection.
C. Disable PoE, use full-duplex, and keep error-disable detection enabled.
D. Enable PoE, use full-duplex, and keep error-disable detection enabled.
Best answer: D
Explanation: A switchport for a ceiling AP commonly needs PoE so the switch can supply power over the Ethernet cable. For a modern 1 Gbps Ethernet connection, full-duplex is expected because both ends can transmit and receive at the same time without collision behavior. Error-disable detection is a protective switch behavior that can place a port into a disabled state when the switch detects certain serious conditions, such as loop-related events or excessive errors. The best configuration matches all three requirements: power the AP, support full-duplex data operation, and allow the switch to shut down the port when a serious fault is detected.
Topic: Network Security
A company hosts a customer portal on a server in a DMZ. Internet users must access the portal with HTTPS, and administrators must manage the server with SSH only from the VPN management subnet 10.20.30.0/24. A scan shows TCP ports 21, 22, 23, 80, and 443 open to the Internet. Which configuration best reduces attack surface while preserving required service?
Options:
A. Allow Internet HTTPS, allow SSH from 10.20.30.0/24, and block FTP, Telnet, and HTTP
B. Block all inbound traffic from the Internet to the DMZ server
C. Allow HTTPS and HTTP from the Internet for user convenience
D. Allow all scanned ports but require stronger administrator passwords
Best answer: A
Explanation: Hardening should reduce exposed services without breaking required business functions. In this scenario, the portal needs HTTPS from the Internet, and administration needs SSH only from a specific VPN management subnet. FTP, Telnet, and HTTP are not required and increase the attack surface, especially because Telnet and FTP are insecure legacy protocols. Restricting SSH by source subnet also limits management exposure. The key is least functionality: permit only the needed protocols from the needed sources, and deny everything else.
Topic: Network Implementation
A company is refreshing Wi-Fi at a two-floor office with 18 access points. The network team wants the deployment mode that best matches the management requirements shown.
Exhibit:
| Requirement | Detail |
|---|---|
| Configuration | Push SSIDs and security settings centrally |
| Monitoring | View AP health from one dashboard |
| Operations | Avoid logging in to each AP for changes |
| Scale | Add more APs next quarter |
Which access point deployment mode should the team choose?
Options:
A. Wireless extenders using repeated SSIDs
B. Ad hoc wireless clients without infrastructure APs
C. Autonomous access points managed individually
D. Lightweight access points with a controller
Best answer: D
Explanation: Lightweight AP deployment fits environments where many APs need centralized management. In this model, APs handle radio access while a controller or cloud platform manages SSIDs, security policy, firmware, monitoring, and operational changes. The exhibit emphasizes central pushes, one dashboard, and avoiding per-AP logins, which are classic reasons to use lightweight APs. Autonomous APs can work well in very small or isolated deployments, but each AP is configured and managed more independently. The key distinction is management model: centralized control favors lightweight APs, while standalone management favors autonomous APs.
Topic: Networking Concepts
A company is redesigning its campus network before opening a second building. The current network has 8 access switches, but the design must support about 40 access switches within a year. The network team wants clear separation between user access, inter-VLAN routing/policy enforcement, and high-speed backbone connectivity, while keeping operations manageable for a small IT staff. Which architecture is the BEST professional decision?
Options:
A. Use a two-tier collapsed-core architecture
B. Connect all access switches in a Layer 2 mesh
C. Use one large switch for all buildings
D. Use a three-tier campus architecture
Best answer: D
Explanation: Two-tier and three-tier architectures differ mainly in scale, role separation, and operational complexity. A two-tier or collapsed-core design combines distribution and core functions, which is simpler and often appropriate for smaller sites. In this scenario, the expected growth to about 40 access switches and the need to separate user access, policy/routing, and backbone connectivity point to a three-tier design. The access layer connects endpoints, the distribution layer aggregates access switches and applies policies, and the core provides fast transport between distribution blocks. The tradeoff is more devices and design complexity, but it better matches the stated growth and separation requirements.
Topic: Network Security
A company already uses TLS for all client-to-server connections and full-disk encryption on its database servers. A new requirement says sensitive customer records must also be protected while the application is actively processing them in memory on a shared virtualization platform. Which encryption protection best addresses this remaining exposure?
Options:
A. Require HTTPS for the application login page
B. Enable confidential computing or memory encryption
C. Encrypt database backups before off-site storage
D. Store password hashes with a stronger algorithm
Best answer: B
Explanation: Encryption protections map to the state of the data. Data in transit is protected while crossing a network, commonly with TLS-based protocols such as HTTPS. Data at rest is protected when stored on disks, databases, or backups, often with disk, volume, file, or backup encryption. Data in use is the harder case: the data is being processed in memory by an application or CPU. For that exposure, technologies such as confidential computing, trusted execution environments, or memory encryption are used to reduce exposure on shared or potentially untrusted infrastructure. In this scenario, transit and storage protections are already in place, so the remaining gap is active processing in memory.
Topic: Network Security
A network team discovers that a legacy monitoring server still requires an insecure management protocol. The application cannot be retired for 60 days, so the team places the server in a restricted management VLAN, allows access only from the jump box, and opens a replacement ticket. Which risk response does this decision represent?
Options:
A. Risk transfer
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
Best answer: B
Explanation: Risk mitigation means applying controls to reduce the likelihood or impact of a risk without eliminating the risky activity entirely. In this scenario, the insecure protocol still exists for a limited time, but segmentation, jump-box-only access, and a planned replacement reduce exposure. That makes the response mitigation, not acceptance, because the team is actively changing the environment to lower risk. It is also not avoidance, because the service is not being discontinued immediately. Transfer would involve shifting financial or operational impact to another party, such as insurance or a managed service contract.
Topic: Network Operations
A regional healthcare provider is selecting a disaster recovery site for its network operations systems. Use the requirements exhibit to identify the best site type.
| Requirement | Detail |
|---|---|
| Recovery time | Service restored in under 2 hours |
| Data loss | Minimal, using continuous replication |
| Cost constraint | Highest recurring cost is acceptable |
| Standby state | Systems must be ready for immediate failover |
Which availability option best matches these requirements?
Options:
A. Warm site
B. Mobile site
C. Cold site
D. Hot site
Best answer: D
Explanation: Disaster recovery site selection balances recovery speed against cost. A hot site has equipment, connectivity, and replicated data already in place, so it supports the fastest recovery but has the highest ongoing cost. The exhibit requires service restoration in under 2 hours, minimal data loss, continuous replication, and an acceptable high recurring cost. Those constraints point to a hot site rather than a lower-cost standby option.
Warm and cold sites reduce cost but take longer to bring online. A mobile site is useful for temporary relocation, but it is not the best match for immediate failover with continuous replication.
Topic: Network Operations
A junior network administrator reviews overnight operations alerts for a network segment that stores regulated customer data. Which process should be triggered first based on the exhibit?
| Time | Source | Alert detail |
|---|---|---|
| 02:13 | Firewall | 12 GB outbound to unknown Internet host |
| 02:14 | VPN | Disabled contractor account accepted |
| 02:17 | Backup | Nightly backup completed successfully |
| 02:20 | Change log | No approved change window |
Options:
A. Start an unscheduled full backup
B. Initiate the incident response procedure
C. Perform the monthly compliance check
D. Update the network topology diagram
Best answer: B
Explanation: Incident response should be triggered when monitoring shows signs of a security event that may affect confidentiality, integrity, or availability. In this exhibit, a disabled contractor VPN account was accepted, a large outbound transfer went to an unknown Internet host, and there was no approved change window. Those facts point to possible compromised access and data exfiltration from a regulated-data segment. The successful backup is useful information, but it does not make the event a backup procedure issue. Compliance checks may follow later to document impact or control failures, but containment and investigation come first.
Topic: Network Operations
A company needs remote management for branch routers and switches. Administrators must be able to troubleshoot devices even when the production WAN or routing configuration is broken. The security team requires strong access control and no direct management exposure to the public Internet. Which management approach best meets these requirements?
Options:
A. Use an out-of-band console server behind VPN and MFA
B. Permit SSH to each device from the Internet
C. Manage devices only through the production VLAN
D. Disable remote management and require on-site access
Best answer: A
Explanation: Out-of-band management separates administrative access from the production data path. A console server or dedicated management network can still reach device consoles when routing, VLANs, ACLs, or WAN connectivity are misconfigured. Placing that access behind a VPN and MFA limits who can reach the management plane and avoids exposing device management services directly to the Internet. In-band management can be useful during normal operations, but it depends on the same network being troubleshot. The key balance is protected remote access plus an alternate path for recovery.
Topic: Networking Concepts
A network technician is reviewing a proposed site-to-site connection between a branch office and headquarters. Which interpretation is supported by the exhibit?
Exhibit: Tunnel summary
Goal: Protect private traffic across the Internet
Need: Carry OSPF updates and IPv4 application traffic
Outer path: public Internet
Negotiation: IKEv2 established
IPSec: ESP with AES enabled
GRE: enabled between tunnel endpoints
AH: not enabled
Options:
A. GRE encrypts the traffic, while ESP only identifies the tunnel endpoints.
B. AH encrypts the payload, while GRE provides key exchange for IPSec.
C. IKE negotiates the tunnel, ESP protects it, and GRE carries routable encapsulated traffic.
D. IKE carries the application traffic after ESP builds the routing tunnel.
Best answer: C
Explanation: IPSec is commonly used to protect traffic across untrusted networks, and IKE negotiates the security associations and keying material that IPSec uses. ESP is the IPSec component that can provide confidentiality through encryption and also integrity/authentication. GRE is different: it encapsulates traffic, which can help carry routing protocols or nonstandard traffic types across a point-to-point tunnel, but GRE does not encrypt by itself. In this exhibit, GRE handles encapsulation for OSPF and IPv4 traffic, while ESP protects that encapsulated traffic over the Internet. AH is not enabled and, even when used, AH provides integrity/authentication rather than payload encryption. The key distinction is protection with IPSec ESP versus encapsulation with GRE.
Topic: Networking Concepts
A company is connecting six small branch offices to a data center. Requirements: all Internet-bound and inter-branch traffic must pass through the data center firewall, branch sites should not have direct links to each other, and the WAN design should minimize circuit costs and simplify management. Which topology is the best fit?
Options:
A. Full mesh
B. Spine-and-leaf
C. Star
D. Hub-and-spoke
Best answer: D
Explanation: A hub-and-spoke topology uses a central hub site that connects to multiple spoke sites. In this scenario, the data center is the hub, and each branch is a spoke. This design supports centralized firewall inspection, simpler WAN management, and lower circuit count than a mesh because branches do not need direct links to each other. A star can look similar physically, but in Network+ topology discussions, hub-and-spoke is the more precise WAN design term when remote sites connect through a central site for routing and policy enforcement. The key takeaway is that the traffic-flow requirement points to hub-and-spoke, not just the visual shape.
Topic: Network Security
A network technician is reviewing why managed laptops show a certificate warning for an internal HTTPS admin portal. The portal is reachable, and the warning appears before login.
Exhibit: Certificate check
URL: https://netadmin.corp.example
Certificate subject: CN=netadmin.corp.example
Certificate issuer: CN=netadmin.corp.example
Chain status: Self-signed certificate
Client trust store: Corp-Root-CA installed
Hostname check: Passed
Validity dates: Current
Which interpretation is best supported by the exhibit?
Options:
A. The portal URL does not match the certificate subject
B. The certificate is expired and must be renewed
C. The portal certificate is not issued by a trusted authority
D. HTTPS encryption is disabled on the portal
Best answer: C
Explanation: PKI trust depends on whether a certificate chains back to a certificate authority that the client trusts. In the exhibit, the certificate subject and issuer are the same, and the chain status says self-signed certificate. The client trusts Corp-Root-CA, but the displayed certificate was not issued by that CA, so users receive a trust warning even though the hostname and validity dates are acceptable. A common fix is to install a certificate issued by the organization’s trusted CA or properly distribute the intended trust anchor through managed policy.
Topic: Network Troubleshooting
A branch office reports slow access to a file server at headquarters every night during the backup window. The WAN link must stay available, and the security team does not want packet payloads captured unless necessary. The network team suspects one or two hosts are consuming most of the bandwidth. Which tool or protocol is the BEST choice to validate the suspicion with the least disruption?
Options:
A. NetFlow or IPFIX on the WAN router
B. Nmap scan of the headquarters subnet
C. Packet capture from an inline network tap
D. Continuous traceroute from a branch workstation
Best answer: A
Explanation: NetFlow or IPFIX is the best fit when the goal is to validate who is using bandwidth and how much traffic is crossing a link. Flow telemetry summarizes conversations, protocols, byte counts, and endpoints from a router or switch, so it can identify top talkers during the backup window without taking the WAN link down. It also avoids collecting full packet payloads, which aligns with the security constraint. A packet capture may be useful later if packet-level details are needed, but it is more invasive from a privacy and data-volume perspective. Start with flow data when the suspected issue is bandwidth consumption by specific hosts.
Topic: Networking Concepts
A company hosts an internal web application on three identical servers. Users should connect to one stable application address, and the network device should send new sessions only to servers that pass health checks. Which appliance function should be configured?
Options:
A. Packet filtering firewall
B. Load balancing
C. Layer 3 routing
D. Forward proxy
Best answer: B
Explanation: The decisive function is load balancing. A load balancer sits in front of multiple servers, provides a virtual service address, checks backend server health, and distributes client connections only to available servers. The similar device labels can be distracting because firewalls, proxies, and routers may all sit near application traffic, but their core functions are different. A firewall enforces allow or deny policy, a forward proxy represents internal clients to external services, and a router forwards packets between networks. The key clue is one stable application address with health-aware distribution across several identical servers.
Topic: Network Implementation
A network technician is wiring a new office floor. Each desk has a copper wall jack that runs back to the floor’s telecom room. The technician needs a fixed termination point so short patch cords can connect selected desk runs to access switch ports without reterminating the building cabling. Which component should be installed?
Options:
A. Fiber distribution panel
B. Demarcation point
C. MDF
D. Patch panel
Best answer: D
Explanation: A patch panel is the structured cabling termination point used in an IDF or MDF for horizontal copper runs from wall jacks. The permanent cable is punched down or terminated on the panel, and short patch cords connect those ports to switch ports. This preserves the installed cabling and makes moves, adds, and changes easier. A fiber distribution panel serves a similar organization role for fiber strands, but the requirement specifies copper desk drops. An MDF is a main telecom space, not the termination component itself, and the demarcation point is where provider responsibility transitions to the customer. The key is to match the requirement to a component, not a room or service boundary.
Topic: Network Operations
A technician is reviewing a recurring wireless outage ticket and must choose the lowest-risk supported maintenance action.
Exhibit: Ticket and asset note
Issue: Barcode scanners disconnect near AP-17 and AP-18 every 20-30 minutes.
Devices: AP-17, AP-18 - supported hardware models
Current software: AP firmware 3.1.8
Vendor notice: 3.1.8 has a client reconnect bug during high roaming.
Fix: Firmware 3.1.10 maintenance release resolves the bug.
Change status: Backups complete; approved window is Sunday 01:00-03:00.
Which action is best supported by the exhibit?
Options:
A. Replace the APs because the hardware is unsupported.
B. Upgrade the operating system on the technician laptop.
C. Apply routine patches to the inventory server first.
D. Install firmware 3.1.10 on the affected APs during the window.
Best answer: D
Explanation: Firmware updates are the correct action when the defect is in embedded device software, such as wireless AP firmware. The exhibit shows a specific vendor notice for firmware 3.1.8, a supported maintenance release that fixes the reconnect bug, and an approved change window with backups complete. That combination reduces operational risk while preserving vendor supportability. An OS update would fit an endpoint or server operating system issue, and a general patch would fit unrelated software maintenance. Here, the affected assets are supported APs and the vendor-provided firmware fix addresses the exact symptom.
Topic: Network Security
A firewall ACL is processed top to bottom with first-match behavior and an implicit deny at the end. A partner host 203.0.113.50 must reach only the internal SFTP server 10.20.30.10 on TCP port 22. Existing blocks for the partner subnet must remain in place.
| Order | Action | Source | Destination | Service |
|---|---|---|---|---|
| 10 | allow | any | 10.20.30.20 | HTTPS |
| 20 | deny | 203.0.113.0/24 | any | any |
| 30 | deny | any | any | any |
Which ACL change is the best professional decision?
Options:
A. Replace rule 20 with an allow from 203.0.113.0/24 to TCP 22
B. Insert an allow for 203.0.113.50 to 10.20.30.10 TCP 22 before rule 20
C. Append an allow for 203.0.113.50 to 10.20.30.10 TCP 22 after rule 30
D. Remove rule 20 and rely on the implicit deny
Best answer: B
Explanation: ACL rule order matters because many firewalls evaluate rules from the top down and stop at the first match. The existing deny for 203.0.113.0/24 would block the partner host before any later allow rule could apply. The safest change is to add a narrow permit for the exact source host, destination server, and TCP port 22 above the broader subnet deny. That satisfies the access request while preserving the policy that blocks the rest of the partner subnet. A broader allow or removing the deny would weaken segmentation unnecessarily.
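A small first-match ACL simulator, added here as an illustration and not taken from the exam page or any vendor firewall. It encodes the exhibit's three rules plus an implicit deny, then evaluates the partner SFTP flow under each answer option (B inserts the narrow allow at order 15, C appends it at order 40, A swaps rule 20 for a subnet-wide allow). It also evaluates the DMZ hardening policy from the earlier customer-portal question; the portal address 192.0.2.10 there is an assumption, since that question names no server IP. The rule tuples and test addresses are constructed for the example.

```python
"""First-match ACL evaluation with an implicit deny (added example, not from the exam page)."""
from ipaddress import ip_address, ip_network

# Rule tuple: (order, action, source, destination, protocol, destination port).
# "any" matches every address or protocol; a port of None matches every port.
# This rule set is constructed to mirror the exhibit in the question.
BASE_RULES = [
    (10, "allow", "any", "10.20.30.20/32", "tcp", 443),   # public HTTPS to the web server
    (20, "deny", "203.0.113.0/24", "any", "any", None),   # block the whole partner subnet
    (30, "deny", "any", "any", "any", None),              # explicit catch-all deny
]

# Constructed DMZ policy from the hardening question: HTTPS from anywhere and SSH only
# from the VPN management subnet; FTP, Telnet and HTTP fall through to the implicit deny.
# 192.0.2.10 is an assumed portal address (the question gives none).
DMZ_RULES = [
    (10, "allow", "any", "192.0.2.10/32", "tcp", 443),
    (20, "allow", "10.20.30.0/24", "192.0.2.10/32", "tcp", 22),
]


def _addr_matches(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, src, dst, proto, dport):
    """Walk the rules in ascending order and stop at the first match.

    Returns (action, rule_order); a packet that matches nothing hits the
    implicit deny, reported as ("deny", None).
    """
    for order, action, r_src, r_dst, r_proto, r_port in sorted(rules, key=lambda r: r[0]):
        if not _addr_matches(r_src, src) or not _addr_matches(r_dst, dst):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, order
    return "deny", None


def with_partner_sftp_rule(rules, order):
    """Option B when order < 20 (lands above the subnet deny); option C when order > 30."""
    return rules + [(order, "allow", "203.0.113.50/32", "10.20.30.10/32", "tcp", 22)]


def with_broad_partner_allow(rules):
    """Option A: replace rule 20 with an allow from the whole partner subnet to TCP 22."""
    return [r for r in rules if r[0] != 20] + [(20, "allow", "203.0.113.0/24", "any", "tcp", 22)]


if __name__ == "__main__":
    flow = ("203.0.113.50", "10.20.30.10", "tcp", 22)
    other = ("203.0.113.51", "10.20.30.20", "tcp", 22)   # a different partner host, wrong server
    for label, rules in [("as-is", BASE_RULES),
                         ("B: insert before 20", with_partner_sftp_rule(BASE_RULES, 15)),
                         ("C: append after 30", with_partner_sftp_rule(BASE_RULES, 40)),
                         ("A: broad allow", with_broad_partner_allow(BASE_RULES))]:
        print(f"{label:22} partner->SFTP {evaluate(rules, *flow)}   "
              f"other partner host->SSH {evaluate(rules, *other)}")
```

Running it shows why only option B works: the narrow allow at order 15 is reached before rule 20, while the same rule appended at order 40 is never consulted because rule 20 already matched. Option A also "works" for the SFTP flow, but the second column shows it lets every partner host reach TCP 22 on any internal address, which is the segmentation loss the explanation warns about.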
Topic: Network Troubleshooting
A network technician is investigating periodic bandwidth spikes on the WAN link between a branch office and the data center. Endpoint logs show no malware alerts, but users report slow SaaS and file-share access during the spikes. The security team does not want payloads captured, and the routers already support flow export to a central collector. What is the BEST professional decision?
Options:
A. Install endpoint monitoring agents on affected laptops
B. Enable NetFlow export on the WAN routers
C. Place a network tap and capture all packet contents
D. Review only the file-share server event logs
Best answer: B
Explanation: NetFlow is a better fit when the goal is to identify who is talking to whom, how much traffic is flowing, and which protocols or ports are involved across a routed link. In this case, endpoint-only evidence is incomplete because the symptom is a WAN bandwidth spike that affects multiple services. Full packet capture from a tap could provide deep detail, but it would collect payloads the security team does not want and is more intrusive to store and analyze. Flow records give broad network visibility with lower storage and privacy impact.
The key takeaway is to match the tool to the visibility need: use NetFlow for traffic patterns and taps for packet-level evidence.
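Both flow-telemetry questions above come down to the same analysis: summarize who sent how much across the link during the window, without touching payloads. The script below is an added example, not part of the exam page and not the output format of any real NetFlow or IPFIX collector; it works on constructed, already-decoded flow summaries (timestamp, source, destination, port, protocol, bytes) and assumes a 01:00-03:00 backup window. It ranks sources by bytes and reports what share of the window's traffic the busiest one or two hosts account for, which is exactly the "one or two hosts" suspicion the branch office question asks the team to validate.

```python
"""Top-talker analysis over flow records (added example, not from the exam page)."""
from collections import defaultdict
from datetime import datetime

# Constructed, simplified flow summaries in the shape a collector might present after
# decoding NetFlow/IPFIX: start time, source, destination, dst port, protocol, bytes.
# These are made-up records for illustration, not real export data.
SAMPLE_FLOWS = """\
2024-03-04T01:05:00 10.50.1.21 10.20.30.10 445 tcp 5200000000
2024-03-04T01:10:00 10.50.1.22 10.20.30.10 445 tcp 300000000
2024-03-04T01:12:00 10.50.1.23 10.20.30.10 445 tcp 250000000
2024-03-04T01:20:00 10.50.1.21 10.20.30.10 445 tcp 4100000000
2024-03-04T01:30:00 10.50.1.40 203.0.113.80 443 tcp 80000000
2024-03-04T09:15:00 10.50.1.22 10.20.30.10 445 tcp 900000000
"""


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def bytes_by_source(flows, start_hour, end_hour):
    """Total bytes per source host for flows that start in [start_hour, end_hour)."""
    totals = defaultdict(int)
    for f in flows:
        if start_hour <= f["ts"].hour < end_hour:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def top_talkers(flows, start_hour, end_hour, n=3):
    totals = bytes_by_source(flows, start_hour, end_hour)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_share(flows, start_hour, end_hour, k):
    """Fraction of window bytes produced by the k busiest sources.

    A share near 1.0 confirms the 'one or two hosts' suspicion from flow
    metadata alone, with no packet payload collected.
    """
    totals = bytes_by_source(flows, start_hour, end_hour)
    total = sum(totals.values())
    if total == 0:
        return 0.0
    busiest = sorted(totals.values(), reverse=True)[:k]
    return sum(busiest) / total


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # The backup window is assumed to be 01:00-03:00 for this constructed data set.
    for src, nbytes in top_talkers(flows, 1, 3):
        print(f"{src:12} {nbytes / 1e9:6.2f} GB")
    print(f"top-1 share: {top_share(flows, 1, 3, 1):.1%}, top-2 share: {top_share(flows, 1, 3, 2):.1%}")
```

The 09:15 record is deliberately outside the window and is ignored, which is the same filtering a practitioner would apply in the collector's query; extending the grouping key to (source, destination, port) is a one-line change if the next question is which server or service those bytes went to.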
Topic: Network Implementation
A branch router is expected to send traffic for the data center host 10.20.30.25 over the MPLS link. Users report the traffic is instead taking the backup VPN path.
Exhibit: Branch router route table excerpt
| Destination | Next hop | Route source |
|---|---|---|
| 10.20.30.0/24 | 203.0.113.2 | OSPF over backup VPN |
| 10.20.0.0/16 | 172.16.1.2 | Static over MPLS |
| 0.0.0.0/0 | 198.51.100.1 | Static Internet default |
Which interpretation best explains the unexpected path?
Options:
A. The MPLS static route has a lower administrative distance.
B. The backup VPN is advertising a more specific route.
C. PAT is translating the destination to the backup VPN next hop.
D. The Internet default route is overriding both data center routes.
Best answer: B
Explanation: Route lookup uses longest-prefix match for the destination address. The host 10.20.30.25 matches both 10.20.30.0/24 and 10.20.0.0/16, but the /24 is more specific, so the router forwards traffic to 203.0.113.2 over the backup VPN. Administrative distance matters when choosing between competing routes to the same prefix, not when a more specific installed route also matches the destination. The MPLS static route covers 10.20.0.0/16, not the same prefix as the VPN /24, so administrative distance never comes into play for this host. The likely issue is an unintended or undesired route announcement for 10.20.30.0/24 over the backup path.
Topic: Network Troubleshooting
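The lookup rule in that explanation, as an added example that is not part of the exam page: the table mirrors the exhibit, and an administrative-distance column is added as an assumption (common vendor defaults, static 1 and OSPF 110) purely to show that AD only breaks ties between equal-length prefixes and never overrides a longer match. The function also simulates withdrawing the VPN /24 advertisement, which is the fix the explanation implies.

```python
"""Longest-prefix-match route lookup (added example, not from the exam page)."""
from ipaddress import ip_address, ip_network

# Route tuple: (prefix, next hop, source, administrative distance).
# Prefix, next hop and source mirror the exhibit; the AD values are assumptions
# (typical defaults: static 1, OSPF 110) included only to show AD is a tie-breaker.
BRANCH_ROUTES = [
    ("10.20.30.0/24", "203.0.113.2", "OSPF over backup VPN", 110),
    ("10.20.0.0/16", "172.16.1.2", "Static over MPLS", 1),
    ("0.0.0.0/0", "198.51.100.1", "Static Internet default", 1),
]


def lookup(routes, dst):
    """Return the route that forwards dst, or None if nothing matches.

    Every route whose prefix contains dst is a candidate; the longest prefix wins,
    and administrative distance only decides between equal-length prefixes.
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r[0])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r[0]).prefixlen, r[3]))


def next_hop(routes, dst):
    route = lookup(routes, dst)
    return route[1] if route else None


def without_source(routes, source):
    """Simulate withdrawing every route learned from the given source (e.g. the VPN /24)."""
    return [r for r in routes if r[2] != source]


if __name__ == "__main__":
    for dst in ("10.20.30.25", "10.20.31.25", "192.0.2.9"):
        print(f"{dst:14} -> {lookup(BRANCH_ROUTES, dst)}")
    fixed = without_source(BRANCH_ROUTES, "OSPF over backup VPN")
    print("after withdrawing the VPN /24, 10.20.30.25 ->", next_hop(fixed, "10.20.30.25"))
```

With the table as shown, 10.20.30.25 goes to 203.0.113.2 even though the static route has the better AD; a host in 10.20.31.0/24 only matches the /16 and correctly uses MPLS. If the MPLS side also carried a 10.20.30.0/24 static, the two /24s would tie on length and the lower AD would then pick MPLS, which is the one situation where AD decides.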
A branch office reports that wired PCs on the data VLAN can sometimes reach internal apps, IP phones are failing to register, and quarantined devices cannot reach the remediation portal after an IDF switch was replaced last night. Security policy prohibits disabling NAC, and the site must remain open with a minimal, documented change.
Exhibit: Troubleshooting notes
Access design: data VLAN 20, voice VLAN 30, quarantine VLAN 90 via 802.1X
Uplink Gi1/0/48: up, mode access, access VLAN 20, trunk VLANs none
DHCP server: VLAN 20 normal; no requests seen from VLAN 30 or VLAN 90
DHCP scopes: free leases available
NAC dashboard: authentication succeeds; some devices assigned to VLAN 90
WAN monitoring: utilization normal; internal app servers healthy
Which troubleshooting conclusion is the BEST professional decision?
Options:
A. DHCP for VLANs 30 and 90 is down; restart DHCP and create temporary exclusions.
B. The replacement switch uplink has trunk configuration drift; restore the approved trunk, VLANs, and QoS, then validate services.
C. NAC is blocking the site; disable 802.1X until endpoints can reach applications.
D. WAN congestion is the primary cause; prioritize application traffic and request more bandwidth.
Best answer: B
Explanation: The evidence points to configuration drift on the replacement switch uplink. The port is up, but it is operating as an access port in VLAN 20 instead of an 802.1Q trunk carrying the data, voice, and quarantine VLANs. That explains why VLAN 20 partly works, why phones in VLAN 30 are not reaching DHCP, and why NAC can authenticate users but VLAN 90 traffic cannot reach the remediation portal. WAN and server health checks reduce the likelihood of an upstream performance issue. The professional response is a minimal, documented correction that restores the approved trunk, allowed VLANs, and any required QoS policy, followed by validation of DHCP, NAC assignment, phone registration, and application access.
Topic: Networking Concepts
A company is connecting an MDF to a new warehouse 600 meters away across the same campus. The link must support 10 Gbps, run through outdoor underground conduit, and pass near heavy electrical equipment. Seasonal moisture and temperature swings are expected. The project budget allows for higher-cost optics if they reduce risk. Which media choice best meets these requirements?
Options:
A. OM3 multimode fiber with standard transceivers
B. Outdoor-rated single-mode fiber with appropriate optics
C. Point-to-point Wi-Fi bridge
D. Cat 6A copper in shielded conduit
Best answer: B
Explanation: Single-mode fiber is the strongest fit for a 600-meter campus link that needs 10 Gbps and must tolerate electrical interference and outdoor environmental conditions. Fiber does not conduct electricity and is immune to electromagnetic interference from nearby heavy equipment. Single-mode fiber also provides much longer reach than copper and typically more distance margin than multimode at higher speeds. Because the stem says the budget supports higher-cost optics, the extra cost of single-mode transceivers is justified by the distance, bandwidth, and risk reduction. The cable should also be outdoor-rated for conduit moisture and temperature exposure.
Topic: Network Troubleshooting
A junior technician receives several reports from one floor: slow file transfers, choppy VoIP calls, and occasional application disconnects. The help desk suspects DNS, DHCP, or the WAN. You must avoid unnecessary outages during business hours and act only on validated evidence.
Exhibit: Current checks
| Check | Result |
|---|---|
| DHCP scope | 35% available |
| DNS lookup from affected PC | Successful, 12 ms |
| WAN monitoring | No loss, normal latency |
| Access switch uplink | CRC errors increasing rapidly |
Options:
A. Reboot the access switch immediately
B. Inspect and replace the access switch uplink cable or transceiver
C. Increase the DHCP scope size
D. Escalate the issue to the WAN provider
Best answer: B
Explanation: Evidence-based troubleshooting means acting on the symptom that is supported by observed data, not on every reported possibility. The affected users are all on one floor, and the access switch uplink shows rapidly increasing CRC errors. CRC errors commonly indicate a Layer 1 issue such as a bad cable, dirty or failing fiber connection, faulty transceiver, or speed/duplex-related physical problem. DHCP, DNS, and WAN checks are normal, so changing those areas would not match the evidence. Because business-hours availability matters, a targeted inspection or replacement of the uplink media is lower risk than rebooting network equipment.
Topic: Network Operations
A network administrator wants AI assistance summarizing firewall logs and proposed ACL changes for an outage review. Which action best follows the evidence in the ticket?
Exhibit: AI use ticket
Data involved: internal IPs, firewall rules, VPN usernames
Policy: Do not paste sensitive network data into public AI tools
Approved option: private AI workspace with SSO, RBAC, audit logging
Requirement: retain data inside the organization-approved environment
Options:
A. Disable AI use and perform no review
B. Paste the logs into a public AI tool with names removed
C. Use the private AI workspace after access is verified
D. Email the logs to a personal account for AI review
Best answer: C
Explanation: Public AI systems can expose entered data outside the organization’s controlled environment, so they are not appropriate when logs, firewall rules, VPN usernames, or internal addressing are sensitive. The exhibit identifies an approved private AI workspace with SSO, RBAC, and audit logging, which supports access control and policy enforcement. The best action is to use that approved private environment only after confirming the administrator has the proper access. Redacting a few fields may not remove all sensitive network context, and personal accounts bypass organizational controls.
Topic: Networking Concepts
A company is opening a small branch office. The ISP provides native IPv6 and only one public IPv4 address. Company policy says new client VLANs should be IPv6-only where practical, but users must still reach IPv4-only Internet sites. Client devices support IPv6, and no inbound connections to branch clients are required. Which design is the best professional decision?
Options:
A. Deploy dual stack on all client VLANs
B. Use SLAAC with DNS64/NAT64 at the edge
C. Assign public IPv4 addresses to clients
D. Tunnel IPv6 through the ISP over IPv4
Best answer: B
Explanation: IPv6-only client VLANs with SLAAC meet the manageability and addressing goals because hosts can automatically configure IPv6 addresses from router advertisements. DNS64/NAT64 addresses the compatibility requirement by allowing IPv6-only clients to initiate connections to IPv4-only Internet services through a translation gateway. This design also conserves the single public IPv4 address and fits the stated lack of inbound access requirements. Dual stack can be useful during migrations, but it keeps IPv4 on every client VLAN and adds operational overhead. Tunneling is mainly for carrying IPv6 across an IPv4-only path, which is not needed when the ISP already provides native IPv6.
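How the DNS64/NAT64 translation in this answer works, as an added example that is not part of the original question set: a DNS64 resolver returns the native AAAA record when one exists and otherwise synthesizes an IPv6 address by embedding the IPv4 address in the low 32 bits of the NAT64 prefix; the NAT64 gateway reverses that embedding. The RFC 6052 well-known prefix 64:ff9b::/96 is assumed here (a site may use its own prefix instead), and the zone data is constructed.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; assumed for this example (sites may use
# a network-specific /96 instead).
WKP = ipaddress.ip_network("64:ff9b::/96")

# Constructed zone data: one IPv4-only name and one dual-stack name.
ZONE = {
    "legacy.example": {"A": ["203.0.113.10"]},
    "dual.example": {"A": ["198.51.100.5"], "AAAA": ["2001:db8::50"]},
}


def dns64_synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6, prefix=WKP):
    """Recover the IPv4 destination from a synthesized address (gateway side).

    Returns None when the address is outside the NAT64 prefix, i.e. it is a
    native IPv6 destination that should be routed, not translated.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def resolve_for_ipv6_only(name, zone, prefix=WKP):
    """DNS64 behaviour: prefer real AAAA records, synthesize only from A records."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])           # native IPv6 path, no NAT64 needed
    return [str(dns64_synthesize(a, prefix)) for a in records.get("A", [])]


if __name__ == "__main__":
    print(resolve_for_ipv6_only("legacy.example", ZONE))  # ['64:ff9b::cb00:710a']
    print(resolve_for_ipv6_only("dual.example", ZONE))    # ['2001:db8::50']
    print(nat64_extract("64:ff9b::cb00:710a"))            # 203.0.113.10
```

Because the IPv6-only client only ever sees the synthesized address, the single public IPv4 address at the edge is consumed by the NAT64 gateway rather than by clients, which is why this design fits the one-address constraint in the stem.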
Topic: Network Troubleshooting
A junior network technician is triaging several new reports that the Finance VLAN cannot reach the ERP application. Switches are reachable, the ERP server is online, and other VLANs can reach the application.
Exhibit: Ticket history excerpt
| Time | Note |
|---|---|
| 08:20 | Firewall cleanup maintenance completed |
| 08:32 | First Finance VLAN ERP ticket opened |
| 08:40 | NOC linked tickets to change CHG-1842 |
| 08:45 | No cabling or wireless changes reported |
Which operational artifact should the technician review first?
Options:
A. Firewall vendor warranty record
B. Approved change record for CHG-1842
C. Current physical cabling diagram
D. Wireless heat map for the office
Best answer: B
Explanation: Ticket history can point the troubleshooting process toward the operational artifact most likely to explain a new issue. Here, the outage started shortly after firewall maintenance, and the NOC linked the affected tickets to CHG-1842. The approved change record should show what was changed, which systems or VLANs were in scope, who performed the work, validation steps, and any rollback procedure. Reviewing it first is faster and safer than guessing at device configuration changes.
The key takeaway is to use documentation and ticket context to guide troubleshooting before making new changes.
Topic: Network Troubleshooting
A technician is troubleshooting a desk phone after an access switch replacement. The attached PC works normally, but the phone has choppy audio during calls and is in the wrong subnet compared with other phones.
Exhibit: Port and phone status
Switchport: Gi1/0/18
Admin mode: access
Access VLAN: 10 (DATA)
Voice VLAN: none
LLDP-MED: disabled
QoS trust: disabled
MAC address table:
Phone MAC -> VLAN 10
PC MAC -> VLAN 10
Working phone subnet: 10.30.20.0/24 (VOICE)
Problem phone IP: 10.30.10.57/24 (DATA)
Which issue is most likely supported by the exhibit?
Options:
A. Blocked RTP ports on the firewall
B. Missing voice VLAN assignment
C. Codec mismatch between endpoints
D. NTP drift on the phone
Best answer: B
Explanation: The exhibit points to a VLAN assignment problem. The switchport is configured only for the data VLAN, has no voice VLAN, and LLDP-MED is disabled, so the phone is not being instructed to place voice traffic in the voice VLAN. The MAC table confirms that both the phone and PC are in VLAN 10, and the phone received a data-subnet address instead of the expected voice-subnet address. That can also prevent normal voice QoS treatment, which may contribute to jitter or choppy audio. The best next step would be to configure the correct voice VLAN and phone discovery/tagging behavior on the access port.
Topic: Network Troubleshooting
A warehouse PTZ camera reboots when its infrared LEDs turn on and sometimes drops link. The existing Cat6 run from the access switch to the camera measures 118 m end to end. The camera requires 22 W and supports 802.3at PoE+. The current switch supports only 802.3af PoE. Company policy also requires managed infrastructure in locked spaces. Which action is the BEST professional decision?
Options:
A. Add an unmanaged PoE extender above the ceiling
B. Force the port to 100 Mbps full duplex
C. Install a locked intermediate IDF with a managed PoE+ switch
D. Replace the switch with a higher-wattage 802.3bt model
Best answer: C
Explanation: This problem has two separate physical-layer constraints: the copper Ethernet run is longer than the 100 m supported distance, and the camera needs more power than 802.3af can reliably provide. A managed PoE+ switch in a locked intermediate IDF addresses both issues: it shortens the copper segment to a supported length and provides 802.3at power for the 22 W camera. It also satisfies the operational policy for managed equipment in secured spaces. Simply increasing available PoE wattage at the original switch would not fix the excessive cable length.
Topic: Network Operations
A regional clinic relies on a hosted EHR application over its Internet connection. Offsite backups and server restoration procedures are already documented. Management’s immediate goal is to keep users connected during a routine ISP outage with minimal manual intervention. The budget supports one additional connectivity service, but not a second facility. Which recommendation is the BEST professional decision?
Options:
A. Create a cold-site recovery contract
B. Add a second ISP circuit with automatic failover
C. Write a server rebuild runbook
D. Increase the offsite backup retention period
Best answer: B
Explanation: Business continuity focuses on keeping essential operations available during disruptions, while disaster recovery focuses on restoring systems after a major failure or disaster. In this scenario, the clinic already has restoration procedures and backups, and the stated need is continuous access to a hosted application during an ISP outage. A redundant Internet circuit with automatic failover directly addresses that availability requirement without adding unnecessary facilities or recovery scope. DR items such as cold sites, rebuild runbooks, and backup retention help after services are lost, but they do not best satisfy the requirement to keep users connected during the outage.
Topic: Networking Concepts
A technician captures the following packets while a workstation first tries to reach its default gateway. What network meaning is supported by the exhibit?
Exhibit: Packet summary
| Source IP | Destination | Protocol | Info |
|---|---|---|---|
| 192.168.10.45 | Broadcast | ARP | Who has 192.168.10.1? Tell 192.168.10.45 |
| 192.168.10.1 | 192.168.10.45 | ARP | 192.168.10.1 is at 00:25:90:ab:4c:10 |
Options:
A. Translating a hostname to an IP address
B. Resolving an IPv4 address to a MAC address
C. Assigning an IP address and default gateway
D. Testing reachability with echo messages
Best answer: B
Explanation: The exhibit shows ARP, which is used on IPv4 networks to discover the MAC address associated with a local IP address. The workstation already knows the gateway IP address, 192.168.10.1, but needs the gateway’s Layer 2 address before it can build an Ethernet frame for the next hop. The broadcast request asks who owns that IP, and the reply provides the MAC address. This is different from DHCP assigning addressing settings, DNS resolving names, or ICMP testing connectivity.
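The ARP exchange in the exhibit at the byte level, as an added example that is not part of the original question set: the two packets are constructed, parsed back into the summary lines shown above, and then used to populate a small ARP cache that only learns from replies answering a request this host actually sent. The workstation MAC 00:11:22:33:44:55 is a constructed placeholder; the gateway MAC comes from the exhibit.

```python
import ipaddress
import struct

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(oper, sha, spa, tha, tpa):
    """Build an ARP packet body (constructed sample data for this example)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       _mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(data):
    """Decode an ARP body; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"oper": oper, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}


def summarize(pkt):
    """Render the Info column the way the exhibit's packet summary shows it."""
    if pkt["oper"] == ARP_REQUEST:
        return f"Who has {pkt['tpa']}? Tell {pkt['spa']}"
    if pkt["oper"] == ARP_REPLY:
        return f"{pkt['spa']} is at {pkt['sha']}"
    return f"ARP opcode {pkt['oper']}"


def learn(cache, pkt, pending):
    """Update the IP->MAC cache only from replies to requests still pending.

    `pending` is the set of IPs this host has asked about; replies for
    anything else are ignored, so unsolicited answers do not enter the cache.
    """
    if pkt["oper"] == ARP_REPLY and pkt["spa"] in pending:
        cache[pkt["spa"]] = pkt["sha"]
        pending.discard(pkt["spa"])
        return True
    return False


if __name__ == "__main__":
    pc_mac = "00:11:22:33:44:55"   # constructed workstation MAC
    request = build_arp(ARP_REQUEST, pc_mac, "192.168.10.45", "00:00:00:00:00:00", "192.168.10.1")
    reply = build_arp(ARP_REPLY, "00:25:90:ab:4c:10", "192.168.10.1", pc_mac, "192.168.10.45")
    print(summarize(parse_arp(request)))   # Who has 192.168.10.1? Tell 192.168.10.45
    print(summarize(parse_arp(reply)))     # 192.168.10.1 is at 00:25:90:ab:4c:10
    cache, pending = {}, {"192.168.10.1"}
    learn(cache, parse_arp(reply), pending)
    print(cache)                           # {'192.168.10.1': '00:25:90:ab:4c:10'}
```

Note that the ARP body carries no Layer 3 header at all: the request is flooded as a broadcast frame and the reply is unicast to the requester, which is why the exhibit lists "Broadcast" as the destination of the first packet.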
Topic: Networking Concepts
A technician captures the same HTTPS connection before and after router R1. R1 is only routing between subnets; it is not performing NAT, proxying, or TLS inspection. Based on the exhibit, which interpretation of the encapsulation process is supported?
Path: Client -> SW1 -> R1 -> R2 -> Web server
Capture A: Client VLAN, entering R1
Ethernet: src MAC PC1, dst MAC R1-G0/0
IP: src 10.10.10.25, dst 10.20.20.50
TCP: src port 51544, dst port 443
Capture B: Transit link, leaving R1
Ethernet: src MAC R1-G0/1, dst MAC R2-G0/0
IP: src 10.10.10.25, dst 10.20.20.50
TCP: src port 51544, dst port 443
Options:
A. R1 terminated the TCP segment and created a new TCP session.
B. R1 changed both IP addresses during decapsulation.
C. R1 switched the original Ethernet frame unchanged toward R2.
D. R1 removed the inbound Ethernet header and added a new one.
Best answer: D
Explanation: A router decapsulates the incoming Layer 2 frame enough to inspect the Layer 3 packet, uses the destination IP address to choose the next hop, and then re-encapsulates the packet in a new Layer 2 frame for the outgoing link. In the exhibit, the Ethernet source and destination MAC addresses change from the client-side link to the transit link. The IP source/destination and TCP ports remain the same because R1 is only routing, not performing NAT or proxying. The key takeaway is that frames are local to a link, while IP packets are forwarded across routed networks.
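The decapsulate/route/re-encapsulate step above, modelled in code as an added example (not from the original question set). Frames and packets are plain dictionaries built from Capture A; the MAC strings are the exhibit's labels rather than real addresses, R1's forwarding table is constructed, and the starting TTL of 64 is an assumption since the exhibit does not show it.

```python
import ipaddress

# Constructed model of R1's interfaces and forwarding table.
R1_INTERFACES = {"G0/0": "R1-G0/0", "G0/1": "R1-G0/1"}
R1_FORWARDING = {
    # destination network -> (egress interface, next-hop MAC learned via ARP)
    ipaddress.ip_network("10.20.20.0/24"): ("G0/1", "R2-G0/0"),
}

# Capture A as a frame carrying an IP packet carrying a TCP segment.
CAPTURE_A = {
    "src_mac": "PC1", "dst_mac": "R1-G0/0",
    "payload": {"src": "10.10.10.25", "dst": "10.20.20.50",
                "proto": "TCP", "sport": 51544, "dport": 443, "ttl": 64},
}


def route(dst_ip):
    """Longest-prefix match over R1's table; LookupError when nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in R1_FORWARDING if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst_ip}")
    return R1_FORWARDING[max(matches, key=lambda net: net.prefixlen)]


def forward(frame):
    """What R1 does: strip the inbound Ethernet header, decide on the IP header,
    wrap the same packet in a new frame for the egress link. Returns the new
    frame, or None when the packet is dropped."""
    packet = frame["payload"]            # Layer 2 header discarded here
    if packet["ttl"] <= 1:
        return None                      # expired in transit
    try:
        egress, next_hop_mac = route(packet["dst"])
    except LookupError:
        return None
    # Only the TTL changes in the IP header; addresses and TCP ports are untouched.
    new_packet = dict(packet, ttl=packet["ttl"] - 1)
    return {"src_mac": R1_INTERFACES[egress], "dst_mac": next_hop_mac,
            "payload": new_packet}


if __name__ == "__main__":
    capture_b = forward(CAPTURE_A)
    print(capture_b["src_mac"], "->", capture_b["dst_mac"])   # R1-G0/1 -> R2-G0/0
    print(capture_b["payload"])  # same IPs and ports as Capture A, TTL one lower
```

The model also shows why a TLS-inspecting proxy or a NAT device would look different in a capture: those rewrite or terminate Layer 3 and 4 fields, whereas a pure router only replaces the Layer 2 header and decrements the TTL.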
Topic: Network Implementation
A clinic is installing a 1U access switch and a 1U patch panel for a new exam-room wing. The devices must be physically secure, serviceable, reachable for local management during outages, and connected with clean cable routing. Which placement best meets the requirements?
Exhibit: Candidate locations
| Location | Installation notes |
|---|---|
| MDF rack | Lockable 19-inch rack; 4U open; front/rear clearance; ladder rack; crash-cart space |
| Hall ceiling void | Near cable bundle; not lockable; limited clearance; no stable work surface |
| Reception cabinet | Lockable; shallow shelves; blocked rear airflow; no cable managers |
| Storage wall shelf | Lockable room; open shelf; cables would cross walkway |
Options:
A. Install both devices in the MDF rack.
B. Place both devices on the storage wall shelf.
C. Mount both devices in the hall ceiling void.
D. Place both devices in the reception cabinet.
Best answer: A
Explanation: Device placement in telecom spaces should support secure access, proper mounting, ventilation clearance, local management, and organized cable routing. The MDF rack is the only location shown with a lockable 19-inch rack, enough open rack space for the 1U switch and 1U patch panel, front and rear service clearance, a ladder rack for cable management, and crash-cart space for console access. That combination makes it suitable for a network access switch and patch panel serving horizontal cabling.
A nearby location is not automatically better if it lacks lockability, airflow, stable mounting, or safe cable paths.
Topic: Network Implementation
A technician created a port channel between two switches to increase uplink capacity and provide redundancy. Users in VLAN 10 still cannot reach a server in VLAN 20.
Exhibit: Switch link summary
| Item | Status |
|---|---|
| Access-SW to Dist-SW | Po1 using Gi1/0/1-2 |
| Po1 mode | LACP trunk, up |
| VLANs allowed on Po1 | 10, 20 |
| VLAN 10 gateway | Not configured |
| VLAN 20 gateway | Not configured |
Which interpretation is best supported by the exhibit?
Options:
A. The port channel works, but inter-VLAN routing is still missing.
B. Changing Po1 to an access port will route between VLANs.
C. Adding more links to Po1 will enable VLAN 10-to-20 traffic.
D. Removing VLAN 20 from the trunk will restore connectivity.
Best answer: A
Explanation: Link aggregation, such as LACP, combines multiple physical switch links into one logical link. This can improve total uplink capacity and keep the connection available if one member link fails. In the exhibit, the port channel is up and carries VLANs 10 and 20 as a trunk, so the Layer 2 uplink is not the missing piece. The failed communication is between different IP subnets/VLANs, and the exhibit shows no gateway configured for either VLAN. That requires inter-VLAN routing through an SVI, router-on-a-stick, multilayer switch, or firewall interface. A port channel can carry VLAN traffic, but it does not replace Layer 3 routing.
Topic: Network Troubleshooting
A technician is troubleshooting a VM that lost network access after being moved to a different virtualization host. The VM can ping another VM on the same host and VLAN, but it cannot ping its default gateway.
Exhibit: Host and guest network settings
| Item | Current value |
|---|---|
| Guest IP / gateway | 10.30.5.25/24 / 10.30.5.1 |
| VM vNIC state | Connected |
| Port group | Servers-VLAN30 |
| Port group VLAN ID | 30 |
| vSwitch physical uplinks | None |
| Unassigned host NIC | vmnic1, link up |
Options:
A. Reconnect the VM vNIC to the same port group
B. Disable VLAN tagging on the port group
C. Change the guest default gateway to 10.30.5.25
D. Attach a host NIC uplink to the vSwitch
Best answer: D
Explanation: The exhibit points to a virtualization host networking problem, not a guest IP problem. The VM can communicate with another VM on the same host and VLAN, so its vNIC is connected and local virtual switching is working. However, traffic to the default gateway must leave the host through a physical NIC uplink. Because the vSwitch has no physical uplinks assigned, frames cannot reach the upstream switch or gateway. Assigning the linked host NIC to the production vSwitch, with the correct upstream switch configuration, restores off-host connectivity.
Topic: Network Operations
A company is reviewing remote management access for network devices and servers. The security requirement is to allow off-site administrators and vendors to manage internal systems only through a hardened DMZ host, using encrypted management protocols.
Exhibit: Current firewall management rules
| Source | Destination | Port/Protocol | Action |
|---|---|---|---|
| Internet | Bastion-01 | TCP 22 (SSH) | Allow |
| Internet | Core-SW1 | TCP 22 (SSH) | Allow |
| Bastion-01 | Core-SW1 | TCP 22 (SSH) | Allow |
| Bastion-01 | FW-MGMT | TCP 443 (HTTPS) | Allow |
| Bastion-01 | WIN-ADMIN | TCP 3389 (RDP) | Allow |
Which change best satisfies the requirement?
Options:
A. Remove direct Internet SSH to Core-SW1
B. Allow Internet RDP directly to WIN-ADMIN
C. Replace HTTPS to FW-MGMT with HTTP
D. Replace SSH access to Core-SW1 with Telnet
Best answer: A
Explanation: A bastion host is a hardened system placed at a controlled network boundary, often in a DMZ, to broker administrative access into internal systems. In this exhibit, SSH to Bastion-01 from the Internet is acceptable if properly secured, and the bastion can then use SSH, HTTPS, or RDP to manage internal devices and servers. The issue is the direct Internet rule to Core-SW1 over SSH. SSH is encrypted, but the requirement says management must occur only through the hardened DMZ host. Removing that rule forces administrators and vendors to connect to Bastion-01 first, then manage Core-SW1 from there. The key takeaway is that encrypted management protocols still need the correct access path.
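A rule audit that encodes the requirement in this explanation, as an added example that is not part of the original question set: every allow rule from an untrusted source must land on the bastion, and every management rule must use an encrypted protocol. The rule list is constructed from the exhibit; treating RDP as encrypted follows the page's own reading of the exhibit, and the extra Telnet rule in the test is constructed to show the second check firing.

```python
# Constructed from the exhibit: (source, destination, port/protocol, action).
RULES = [
    ("Internet", "Bastion-01", "TCP 22 (SSH)", "Allow"),
    ("Internet", "Core-SW1", "TCP 22 (SSH)", "Allow"),
    ("Bastion-01", "Core-SW1", "TCP 22 (SSH)", "Allow"),
    ("Bastion-01", "FW-MGMT", "TCP 443 (HTTPS)", "Allow"),
    ("Bastion-01", "WIN-ADMIN", "TCP 3389 (RDP)", "Allow"),
]

UNTRUSTED_SOURCES = {"Internet"}
BASTIONS = {"Bastion-01"}
# Protocol names as they appear in parentheses in the rule's service column.
PLAINTEXT_MGMT = {"TELNET", "HTTP", "SNMPV1", "SNMPV2C", "FTP"}


def _protocol(service):
    """'TCP 22 (SSH)' -> 'SSH'; falls back to the whole field if no parentheses."""
    if "(" in service:
        return service.split("(")[-1].rstrip(")").strip().upper()
    return service.strip().upper()


def audit(rules):
    """Return (rule_number, reason) for each allow rule that violates the policy."""
    findings = []
    for number, (src, dst, service, action) in enumerate(rules, 1):
        if action != "Allow":
            continue
        if src in UNTRUSTED_SOURCES and dst not in BASTIONS:
            findings.append((number, f"{src} reaches {dst} without passing the bastion"))
        if _protocol(service) in PLAINTEXT_MGMT:
            findings.append((number, f"{service} is not an encrypted management protocol"))
    return findings


def remediate(rules):
    """Drop every flagged rule; what remains is the bastion-only, encrypted set."""
    flagged = {number for number, _ in audit(rules)}
    return [rule for number, rule in enumerate(rules, 1) if number not in flagged]


if __name__ == "__main__":
    for number, reason in audit(RULES):
        print(f"rule {number}: {reason}")   # rule 2: Internet reaches Core-SW1 ...
    print(remediate(RULES))                  # the four remaining rules
```

Rule 2 is the only finding on the exhibit as given, which is exactly the change option A describes; the remediation helper shows that removing it leaves a rule set the audit accepts.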
Topic: Network Implementation
A company is upgrading Wi-Fi in a high-density training center. New employee laptops support Wi-Fi 6E and WPA3-Enterprise, but several shared scanners only support 5 GHz Wi-Fi 5 with WPA2-Enterprise. Security policy requires the employee WLAN to use the strongest supported encryption and not be weakened for legacy devices. Which configuration is the best professional decision?
Options:
A. Use a 2.4 GHz WPA2-Personal SSID for the scanners and employees
B. Use a 6 GHz WPA3-Enterprise employee SSID and a separate 5 GHz WPA2-Enterprise scanner SSID
C. Use one 5 GHz WPA2-Enterprise SSID for all devices
D. Use one 6 GHz WPA3-Enterprise SSID for all devices
Best answer: B
Explanation: Wi-Fi design should match the requirements for capacity, security, and client compatibility. Wi-Fi 6E uses the 6 GHz band, which helps high-density environments by adding spectrum and reducing congestion for compatible clients. WPA3-Enterprise satisfies the stronger employee security requirement. Because the scanners do not support 6 GHz or WPA3, they need a separate compatible WLAN rather than weakening the employee WLAN. A separate 5 GHz WPA2-Enterprise SSID keeps the legacy devices working while maintaining stronger security for employee laptops.
Topic: Network Troubleshooting
A branch office reports that most IP phones stopped registering after a switch refresh. Data clients on the same access switches can browse internal sites. The voice system uses certificate-based SIP/TLS, and the operations policy requires the least disruptive change during business hours.
Evidence:
| Check | Result |
|---|---|
| Phone DHCP lease | Valid voice VLAN address and gateway |
| DHCP option 42 | Old NTP server address |
| Phone clock | January 1, 2000 |
| DNS for call server | Resolves correctly |
| Traceroute to call server | Completes |
Which action is the BEST professional decision?
Options:
A. Move phones to the data VLAN to bypass NAC
B. Add a broad firewall allow rule for SIP and RTP
C. Change the call server DNS record to a new address
D. Correct DHCP NTP option and renew affected phones
Best answer: D
Explanation: The evidence points to a service-layer dependency problem, not a basic routing or DNS failure. The phones have valid DHCP leases, the correct voice VLAN gateway, successful DNS resolution, and a completed route to the call server. The conflicting clue is time: DHCP option 42 is handing out an old NTP server, and the phones show a default date. Certificate-based SIP/TLS registration depends on accurate time to validate certificate validity periods. The least disruptive troubleshooting path is to correct the NTP option, renew or restart affected phones, and then retest registration. Opening firewall rules or changing DNS would ignore the evidence and add unnecessary risk.
Use the CompTIA Network+ N10-010 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.