N10-009 Cheat Sheet
Networking Concepts
OSI Model
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Know the seven OSI layers in order, top to bottom
The OSI model stacks seven layers: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1). Each layer communicates logically with its peer on the other host and relies on the layer below to deliver. The mnemonics All People Seem To Need Data Processing (7 to 1) and Please Do Not Throw Sausage Pizza Away (1 to 7) fix the order, which is what most OSI questions hinge on.
- Name the PDU and you have pinned the layer
The protocol data unit (PDU) name changes down the stack and identifies the layer outright: bits at Layer 1 Physical, frame at Layer 2 Data Link, packet at Layer 3 Network, segment (TCP) or datagram (UDP) at Layer 4 Transport, and data at Layers 5 to 7. When a stem mentions a frame it is asking about Layer 2; a packet means Layer 3; a segment means Layer 4.
Trap Calling a Layer 3 unit a frame; the frame is the Layer 2 PDU, while Layer 3 carries the packet that the frame wraps.
- Physical (Layer 1) moves raw bits, with no addressing
Layer 1 transmits and receives raw bits as electrical, optical, or radio signals and defines cabling, connectors, pinouts, and signal levels. It has no concept of an address, so devices that only regenerate signal, like hubs and repeaters, are Layer 1 devices. A dead link light, a bad cable, or a wrong connector is a Layer 1 problem.
- Data Link (Layer 2) frames data and uses MAC addresses
Layer 2 packages bits into frames and delivers them across one local link using the 48-bit MAC (media access control) hardware address. Switches, bridges, and NICs operate here, and IEEE 802 standards such as 802.3 Ethernet and 802.11 Wi-Fi define this layer. Layer 2 is commonly split into the LLC and MAC sublayers.
Trap Placing a switch at Layer 3; a standard switch forwards by MAC address at Layer 2, and only a Layer 3 switch additionally routes by IP.
- Network (Layer 3) adds logical IP addressing and routing
Layer 3 assigns logical addresses (IP) and selects a path across multiple networks, which is routing. Its PDU is the packet, and routers and Layer 3 switches operate here, alongside protocols like IP and ICMP. When a question involves an IP address, a default gateway, a subnet mask, or moving between networks, it is testing Layer 3.
Trap Assigning routing to Layer 2; switching forwards within one local link at Layer 2, while routing between separate IP networks is a Layer 3 function.
- Transport (Layer 4) uses ports and picks TCP or UDP
Layer 4 provides end-to-end delivery between processes using port numbers and chooses the reliability model: TCP is connection-oriented with acknowledgements and retransmission, while UDP is connectionless and best-effort with lower overhead. Port-aware firewalls and Layer 4 load balancers act here. A clue that names a port number or a blocked service points to Layer 4.
Trap Treating a port number as a Layer 3 concept; ports live at Layer 4 Transport, while IP addresses are the Layer 3 identifier.
- Session (Layer 5) sets up, manages, and tears down dialogs
Layer 5 opens, maintains, and closes the session between two endpoints, tracking which side may transmit and re-establishing a conversation that drops. It governs the dialog itself rather than the data's format or its routing. On the exam it is the layer associated with establishing and terminating connections at the session level.
- Presentation (Layer 6) handles encoding, compression, and encryption
Layer 6 translates data into a form the application can use: character encoding such as ASCII and Unicode, data compression, and encryption. TLS is commonly placed at the Presentation layer because it encrypts the application data before transport. A question about data format conversion or encryption of the payload points here.
- Application (Layer 7) is the service the user's software touches
Layer 7 provides network services directly to applications: web (HTTP), file transfer (FTP), email (SMTP), and name resolution (DNS) are Layer 7 protocols. Content-aware controls that read the actual payload, such as a next-generation firewall, a proxy, or a web application firewall (WAF), operate here. A clue that inspects a URL, a host header, or a SQL string is Layer 7.
- Encapsulation adds a header per layer on the way down
Sending data runs top-down, and each layer wraps the unit from above in its own header (the Data Link layer also adds a trailer): application data becomes a segment, then a packet, then a frame, then bits. The receiver reverses this as de-encapsulation, stripping exactly one header per layer on the way up until the application reads the original data.
- The header a layer adds is what defines its PDU
Each PDU name corresponds to the header just added: the TCP/UDP header makes a segment at Layer 4, the IP header makes a packet at Layer 3, and the frame header plus trailer makes a frame at Layer 2. Because the headers nest, a packet capture shows them as concentric wrappers around the original application data, outermost being the Layer 2 frame.
- MAC addresses change every hop; IP addresses stay end to end
The Layer 2 frame's source and destination MAC addresses are rewritten by each router for the next link, so they change at every hop, while the Layer 3 packet's source and destination IP addresses remain the same from origin to final destination. This is why a capture along a path shows constant IPs but different MACs on each segment.
Trap Assuming the source MAC stays constant across a routed path; routers rewrite the Layer 2 MAC addresses at every hop, unlike the end-to-end Layer 3 IP addresses.
- Encapsulation overhead is why MTU caps payload size
Every layer's header consumes bytes, so the maximum transmission unit (MTU), the largest payload a link will carry, limits how much application data fits in one packet; standard Ethernet MTU is 1500 bytes. Jumbo frames raise the MTU to about 9000 bytes to reduce per-frame overhead on links that support it. When a packet exceeds the next link's MTU, Layer 3 either fragments it or, with the don't-fragment bit set, drops it and signals back.
- The internet runs the four-layer TCP/IP model, not OSI's seven
OSI is the teaching and troubleshooting reference, but real hosts implement the four-layer TCP/IP (Internet) model defined in RFC 1122: Application, Transport, Internet, and Link (Network Access). IP runs at the Internet layer and TCP or UDP at the Transport layer. Expect to translate a question between the two models rather than assuming they line up layer for layer.
- TCP/IP Application spans OSI Layers 5 to 7
The TCP/IP Application layer collapses the OSI Session, Presentation, and Application layers into one, so session control, encoding, and the application itself all sit together (HTTP, DNS, SMTP). When a stem names the TCP/IP Application layer and asks for the OSI equivalent, the answer is Layers 5 through 7, not Layer 7 alone.
Trap Mapping the TCP/IP Application layer to OSI Layer 7 only; it covers OSI Layers 5, 6, and 7 together.
- TCP/IP Transport equals OSI 4; Internet equals OSI 3
The two clean one-to-one mappings between the models are TCP/IP Transport to OSI Layer 4 (TCP and UDP) and TCP/IP Internet to OSI Layer 3 (IP). These are the pairings most likely to be tested directly because they line up exactly, unlike the collapsed Application and Link layers.
- TCP/IP Link layer spans OSI Layers 1 and 2
The TCP/IP Link layer (also called Network Access or Network Interface) combines the OSI Physical and Data Link layers, covering both framing and physical signaling in one layer with technologies like Ethernet and Wi-Fi. Asked for the OSI equivalent of the TCP/IP Link layer, the answer is Layers 1 and 2 together.
- A firewall's OSI layer depends on what it inspects
Place a firewall by what it examines, not by the word firewall: a packet-filtering or stateful firewall acts on IP addresses and ports at Layers 3 to 4, while a next-generation firewall, proxy, or WAF reads the application payload at Layer 7. The same logic applies to load balancers: Layer 4 when balancing by IP and port, Layer 7 when routing by URL, host header, or cookie.
Trap Calling every firewall a Layer 7 device; a basic packet-filtering or stateful firewall operates only at Layers 3 to 4 and never reads application content.
- Troubleshoot bottom-up, mapping each symptom to a layer
Working the stack from Layer 1 upward isolates a fault to one layer: a cable or link-light fault is Layer 1, a VLAN or switch-loop or MAC-table issue is Layer 2, a wrong gateway or subnet mask or routing problem is Layer 3, a blocked port or firewall rule is Layer 4, and a certificate, encryption, or application error points to Layer 6 or 7. Naming the layer first narrows the tools you reach for.
Networking Appliances
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Concepts
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Ports and Protocols
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A port number plus a transport protocol identifies one service
A 16-bit port number (0 to 65535) sits in the Layer 4 header and tells the receiving host which application a packet belongs to, while the IP address in the Layer 3 header only gets the packet to the host. The full tuple of source IP, destination IP, source port, and destination port pins one conversation to one application, which is why a firewall rule, a packet capture, and an exam stem all key off the destination port. Knowing the well-known port for each service is the core of N10-009 objective 1.4.
- Choose TCP when delivery must be guaranteed
TCP is connection-oriented: it opens with a three-way handshake, numbers bytes so they can be reordered, acknowledges and retransmits losses, and closes with FIN, so anything that must arrive intact rides it. Web (HTTPS 443), email (SMTP 25, IMAP 143), file transfer (FTP 21, SSH/SFTP 22), and remote desktop (RDP 3389) are all TCP. Reach for UDP instead only when the overhead of that reliability would hurt more than an occasional lost packet.
Trap Assuming TCP is always the safer default; for real-time voice or video the retransmission and ordering add latency that degrades the call, where UDP's drop-and-continue behavior is actually correct.
- Choose UDP for real-time or one-shot traffic
UDP is connectionless with no handshake, acknowledgements, or retransmission, which makes it lighter and lower-latency. It fits streaming voice and video, plus single request-and-reply services where building a connection is wasteful: DNS queries (53), DHCP (67/68), TFTP (69), SNMP (161/162), NTP (123), and syslog (514) are all UDP. Any reliability UDP needs must be added by the application itself.
- Ports split into well-known, registered, and ephemeral bands
IANA divides the 0 to 65535 space into three ranges: well-known ports 0 to 1023 for core system services (HTTP 80, SSH 22), registered ports 1024 to 49151 for vendor applications (RDP 3389, MySQL 3306), and dynamic or ephemeral ports 49152 to 65535 that a client picks at random for the source side of an outbound connection. A server listens on a fixed low port; the client dials out from an ephemeral one, and the server replies to that ephemeral port.
Trap Treating the ephemeral range as something the firewall must open inbound; a stateful firewall tracks the outbound flow and permits the return automatically, so no manual ephemeral-range rule is needed.
- DNS uses both UDP 53 and TCP 53
DNS is the classic dual-transport service: it answers ordinary name queries over UDP 53 for speed, but switches to TCP 53 for zone transfers between servers and for any response too large to fit a single UDP datagram. On the exam, a scenario about a secondary server pulling a full zone is testing TCP 53, so 'UDP only' is the wrong-but-tempting answer.
Trap Answering 'DNS uses UDP only'; zone transfers and oversized responses use TCP 53, which a question about secondary-server replication is specifically probing.
- Telnet 23 is cleartext; replace it with SSH 22
Telnet (TCP 23) carries the entire remote-administration session, credentials included, in plaintext, so it must be replaced with SSH (Secure Shell, TCP 22). SSH encrypts the session and also carries SFTP and SCP, so one open port (22) covers encrypted shell and file transfer. When a stem says a management protocol is 'exposing credentials', the answer is SSH 22.
Trap Picking the same insecure protocol on a non-standard port (Telnet on 2323); changing the port does not encrypt the traffic, and the exam wants the named secure protocol, SSH.
5 questions test this
- A network administrator replaces insecure management protocols on all network devices and needs to update firewall rules. After blocking…
- A network technician captures traffic between a workstation and a managed switch on TCP port 23. The capture reveals login credentials…
- A network engineer is hardening network services by replacing insecure protocols with their secure equivalents. Which of the following…
- A security scan discovers that several network switches accept remote management connections over TCP port 23. Which of the following…
- A company policy requires that all remote management, file transfer, directory service, and web traffic must use encrypted protocols. Which…
- HTTP 80 becomes HTTPS 443 with TLS
HTTP (TCP 80) serves web traffic in cleartext; HTTPS (TCP 443) wraps the same HTTP in TLS and listens on its own distinct port so a firewall or analyzer can tell secure from insecure web by port alone. Sending to 443 does not by itself encrypt anything unless TLS is actually negotiated, but the standard secure-web answer is always HTTPS 443.
3 questions test this
- A company security policy requires all web-based management interfaces to use encrypted connections. An administrator discovers a switch…
- A network administrator replaces insecure management protocols on all network devices and needs to update firewall rules. After blocking…
- A company policy requires that all remote management, file transfer, directory service, and web traffic must use encrypted protocols. Which…
- FTP uses 20 and 21; SFTP rides SSH on 22
FTP uses TCP 21 for the control channel and TCP 20 for the data channel, both cleartext. Its secure replacement SFTP is not FTP at all: it is a subsystem of SSH and runs over TCP 22 with no FTP ports, while FTPS is a different beast that wraps FTP in TLS. Confusing SFTP with FTPS, or expecting SFTP on port 21, is a common error.
Trap Assuming SFTP uses an FTP port like 21 or 22 as 'FTP over TLS'; SFTP is SSH File Transfer Protocol on TCP 22, whereas FTPS is the TLS-wrapped FTP variant.
6 questions test this
- A firewall administrator needs to create rules allowing standard FTP traffic to a company file server. Which of the following TCP port…
- A security team mandates that all file transfers must use encryption in transit. Which of the following port numbers should be allowed as a…
- A network administrator configures a firewall to allow FTP access to an external server. Users can connect and authenticate but are unable…
- A company policy requires that all remote management, file transfer, directory service, and web traffic must use encrypted protocols. Which…
- A network administrator needs to allow FTP clients to initiate sessions with an external FTP server. Which of the following ports is used…
- A network administrator is replacing FTP with a secure file transfer solution that operates as a subsystem of SSH. Which of the following…
- SMTP relays on 25; clients submit authenticated mail on 587
SMTP (TCP 25) moves mail between mail servers (server-to-server relay), while TCP 587 is the submission port a mail client uses to send authenticated outbound mail, typically upgrading to encryption with STARTTLS. Many providers block outbound 25 from clients to fight spam, so a user whose mail will not send is usually pointed at 587. Port 465 was historically SMTPS but the exam centers on 25 and 587.
Trap Assuming sending to 587 is automatically encrypted; submission still needs STARTTLS to negotiate TLS, otherwise the session stays in cleartext.
3 questions test this
- A network administrator reviews firewall logs and sees frequent outbound connections from the company email server to remote hosts on TCP…
- A network technician is configuring a firewall to allow outbound email delivery from the corporate mail server. Which of the following…
- Which of the following correctly maps a protocol to its default port number?
- POP3 110 and IMAP 143 secure to 995 and 993
POP3 (TCP 110) downloads mail and typically removes it from the server, while IMAP (TCP 143) keeps mail server-side and syncs folder state across devices. Their TLS-encrypted forms are POP3S on TCP 995 and IMAPS on TCP 993. The 993-versus-995 pair is a favorite distractor because the numbers are adjacent and the roles are easy to swap.
Trap Swapping the secure ports, calling IMAPS 995 and POP3S 993; IMAPS is 993 and POP3S is 995, anchored to their cleartext parents 143 and 110.
- DHCP uses UDP 67 on the server and 68 on the client
DHCP assigns IP configuration dynamically over UDP, with the server on port 67 and the client on port 68. The handshake follows the DORA sequence (Discover, Offer, Request, Acknowledge), and the initial Discover is a broadcast because the client has no address yet. Reversing 67 and 68 is a classic trap, so anchor 67 to the server.
Trap Putting the DHCP server on 68 and the client on 67; the server listens on UDP 67 and the client on UDP 68, not the reverse.
4 questions test this
- A technician is troubleshooting why new clients cannot obtain IP addresses. A firewall rule must be added between the clients and the DHCP…
- After connecting a new workstation to the network, a technician verifies that it automatically received an IP address, subnet mask, default…
- A firewall administrator needs to create rules to allow clients to automatically obtain IP addresses from a DHCP server. Which of the…
- A technician is creating firewall rules for a newly deployed DHCP server. Which of the following correctly describes the transport protocol…
- SNMP polls on UDP 161 and receives traps on UDP 162
SNMP monitors devices over UDP: the manager polls agents on port 161 (get/set requests), and agents push asynchronous alerts to the manager on port 162 (traps). Versions 1 and 2c authenticate only with a cleartext community string, so SNMPv3 is the secure choice because it adds authentication and encryption while staying on the same 161/162 ports.
Trap Believing SNMPv3 moves to a new port for security; v3 keeps UDP 161/162 and gains its protection from the protocol version, not a port change.
4 questions test this
- A network administrator configures a monitoring system to poll switches and routers for interface statistics and CPU utilization. The…
- A network operations center deploys agents on switches and routers that report performance data to a central management station via UDP.…
- A network administrator is configuring a centralized system to poll managed switches every five minutes for bandwidth utilization and error…
- A network administrator configures a managed switch to send unsolicited alert notifications to a management server when an interface goes…
- NTP synchronizes clocks on UDP 123
NTP keeps device clocks in sync over UDP 123, and accurate time is load-bearing far beyond cosmetics: Kerberos authentication rejects tickets when clocks drift past about five minutes, log correlation across devices breaks, and certificate validity windows misfire. A stem about authentication failing org-wide or logs that will not line up is often really an NTP 123 problem.
- LDAP queries on 389; LDAPS adds TLS on 636
LDAP reads and writes directory data (users, groups, computers) over TCP 389 in cleartext, and LDAPS wraps the same protocol in TLS on TCP 636. Directory binds carry credentials, so production directory traffic should use 636. The 389-to-636 pairing is the directory analogue of HTTP-to-HTTPS.
6 questions test this
- An organization needs to encrypt directory service queries between an application server and a domain controller. Which of the following…
- A network engineer must permit traffic through a firewall so that an application can query a centralized directory service for user account…
- A company policy requires that all remote management, file transfer, directory service, and web traffic must use encrypted protocols. Which…
- An administrator is reviewing a packet capture and observes persistent TCP connections on port 389 between client workstations and a domain…
- A network administrator needs to query a service that stores user accounts and organizational data in a hierarchical directory structure.…
- An organization's security policy requires that all directory service queries to the domain controller must be encrypted. Which of the…
- SMB shares files on TCP 445 and must not face the internet
SMB provides Windows file and printer sharing over TCP 445 (modern, direct over TCP/IP; the legacy NetBIOS path used 137 to 139). SMB has a long history of wormable vulnerabilities, so port 445 should be blocked at the perimeter and confined to the internal LAN. A scenario about ransomware spreading laterally often hinges on open SMB 445.
Trap Exposing SMB 445 across a WAN or to the internet for remote file access; it belongs on the trusted LAN, and remote access should go through a VPN instead.
- RDP is TCP 3389 and should never be open raw to the internet
Remote Desktop Protocol gives graphical Windows remote control over TCP 3389. Because it is a high-value target for brute force and exploitation, it should be reached through a VPN or a jump host rather than exposed directly. A stem describing a refused remote-desktop session points at 3389, and one describing a hardening fix points at tunneling it.
4 questions test this
- A security analyst reviewing firewall logs notices repeated inbound connection attempts from external IP addresses on TCP port 3389…
- A user reports being unable to start a remote desktop session to a Windows server. The firewall currently allows inbound traffic only on…
- After a recent firewall policy change, users report they can no longer establish Remote Desktop connections to a Windows server. All other…
- A systems administrator needs to permit remote graphical desktop access to a Windows server through the corporate firewall. Which of the…
- SIP signals VoIP calls on 5060, with TLS on 5061
SIP sets up, modifies, and tears down VoIP calls on port 5060 (plaintext, over UDP or TCP), with SIP over TLS on 5061. SIP only handles the signaling; the actual media stream rides RTP on a separately negotiated UDP port range. A call that connects but has no audio is a media (RTP) problem, not a SIP 5060 signaling problem.
Trap Treating no-audio-on-an-otherwise-connected-call as a SIP 5060 failure; signaling succeeded, so the fault is in the RTP media path, not the SIP port.
5 questions test this
- A VoIP engineer needs to configure firewall rules for SIP signaling on a new phone system. Which of the following correctly identifies the…
- Which of the following protocols operates on port 5060 and supports both TCP and UDP as its transport layer protocol?
- A VoIP engineer is configuring the perimeter firewall to permit SIP call signaling. Which of the following is the default port number…
- A VoIP administrator is deploying a new phone system and needs to configure firewall rules for call signaling. Which of the following…
- A unified communications team is configuring firewall rules to permit VoIP call setup traffic using Session Initiation Protocol. Which of…
- TFTP is UDP 69 with no authentication
TFTP (Trivial File Transfer Protocol) moves files over UDP 69 with no authentication and no encryption, which is why it is used only on trusted links for tasks like pushing firmware images, loading switch and router configs, or PXE network boot. Its full-featured, authenticated counterpart is FTP or SFTP; TFTP trades every feature for simplicity.
- Syslog ships logs to a collector on UDP 514
Syslog centralizes event and log messages to a collector over UDP 514, the standard way devices feed a central log server or SIEM. Plain UDP syslog is fire-and-forget with no delivery guarantee, so high-assurance deployments may run it over TCP or TLS instead, but the exam default is UDP 514.
- Database services use 1433, 3306, and 5432
The common database ports N10-009 references are Microsoft SQL Server on TCP 1433, MySQL/MariaDB on TCP 3306, and PostgreSQL on TCP 5432, all in the registered range. These should be reachable only from application tiers, never exposed to the internet. They are easy to confuse with one another, so anchor each to its engine.
- A port is a convention, not enforcement
Default ports are agreements, not guarantees: an administrator can run HTTPS on 8443 or SSH on 2222, and malware can listen on any free port. The exam tests the standard assignments, but real defense cannot trust a port alone, which is why deep packet inspection and application-aware firewalls look at content rather than just the port number.
Trap Assuming traffic on TCP 443 must be legitimate HTTPS; the port is only a label, and a stateful or next-gen firewall is needed to confirm what is actually riding it.
Traffic Types
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Transmission Media
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Transceivers and Connectors
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Topologies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
IPv4 Addressing and Subnetting
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- An IPv4 address is 32 bits in four octets, each 0 to 255
An IPv4 address is a single 32-bit number written as four dotted-decimal octets, where each octet is 8 bits and so holds a value from 0 to 255 (2^8 = 256 values). That is why no octet can be 256 or higher, a detail exam stems use to flag an invalid address. The four octets together give the roughly 4.3 billion (2^32) addresses of the IPv4 space.
- The subnet mask's 1 bits mark the network, its 0 bits mark the host
A subnet mask splits the 32 bits into a network portion (the contiguous, left-aligned 1 bits) and a host portion (the trailing 0 bits). Two addresses are on the same subnet only when their network portions match under the same mask. The mask, not the address alone, is what determines the boundary, so the same address can be in different networks under different masks.
- CIDR /n is just the count of mask 1-bits
CIDR (Classless Inter-Domain Routing) notation writes the prefix length after a slash, and it equals the number of 1 bits in the mask, so /24 is 255.255.255.0 and /26 is 255.255.255.192. Converting between prefix and dotted mask is a frequent first step: each full 255 octet is 8 bits, and a partial octet (128, 192, 224, 240, 248, 252) adds the remaining bits. CIDR lets the prefix be any length from /0 to /32, which is what makes classless, right-sized subnetting possible.
3 questions test this
- A network administrator needs to divide the 172.16.0.0/16 network into exactly 16 equal-sized subnets using FLSM. Which of the following…
- A network engineer is planning IP address allocation and has been assigned a /22 CIDR block. How many usable host addresses are available…
- A network administrator is configuring a router interface and needs to apply a /26 CIDR prefix length. Which of the following subnet masks…
- Usable hosts per subnet is 2^h minus 2
For a subnet with h host bits, the block holds 2^h addresses but the all-zeros host address (the network ID) and the all-ones host address (the broadcast) are reserved, leaving 2^h - 2 assignable hosts. A /24 has 8 host bits, so 254 usable; a /26 has 6, so 62 usable; a /28 has 4, so 14 usable. Forgetting the minus 2 is the single most common host-count error.
Trap Answering 2^h (for example 64 for a /26) as the usable host count; the network and broadcast addresses are not assignable, so it is always 2^h - 2.
8 questions test this
- A network engineer assigns the subnet 192.168.5.0/25 to a new branch office. How many usable host addresses are available on this subnet?
- An administrator is implementing VLSM and needs to create a subnet for a department with 29 workstations. Which of the following subnet…
- A network engineer is planning IP address allocation and has been assigned a /22 CIDR block. How many usable host addresses are available…
- A company requires each subnet to support at least 500 usable host addresses. Which of the following CIDR prefix lengths provides the…
- A network engineer is using VLSM to allocate subnets from 10.10.0.0/24. Segment A requires 55 hosts, and Segment B requires 27 hosts. Which…
- A network engineer is subnetting 192.168.5.0/24 using VLSM and needs one subnet to support 25 hosts. Which of the following subnet masks…
- A technician is assigned the 192.168.5.0/27 subnet for a new branch office. How many usable host addresses are available on this subnet?
- A network administrator needs to divide a Class C network into subnets that each support exactly 30 usable host addresses with no wasted…
- The network address has all host bits 0; the broadcast has all host bits 1
Within any subnet, the first address (all host bits 0) is the network ID and cannot be given to a machine, and the last address (all host bits 1) is the directed broadcast for that subnet and also cannot. The usable host range is every address strictly between them. For 192.168.10.0/26 that means network 192.168.10.0, broadcast 192.168.10.63, and usable 192.168.10.1 through 192.168.10.62.
Trap Assigning the network or broadcast address (the .0 or the all-ones host address) to a NIC; both are reserved and a host configured with either cannot communicate normally.
8 questions test this
- A host is configured with the IP address 192.168.10.130/26. Which of the following is the broadcast address of the subnet this host belongs…
- A technician is documenting the network 172.16.48.0/20 for an IP address management system. Which of the following is the broadcast address…
- A network administrator is documenting the subnet 10.20.48.0/20. Which of the following represents the valid host range for this subnet?
- A host is assigned the IP address 10.1.5.130 with a subnet mask of 255.255.255.128. Which of the following represents the valid host range…
- A network administrator is documenting IP allocations for the subnet 10.0.5.96/27. Which of the following represents the valid host range…
- A network engineer assigns a workstation the IP address 172.16.10.100/26. Which of the following is the broadcast address of this subnet?
- A technician is configuring a workstation with the IP address 192.168.12.200/26. Which of the following is the network address for this…
- A host is assigned the IP address 10.20.30.45/28. Which of the following represents the valid host range for this subnet?
- Find the block size as 256 minus the mask's interesting octet
The magic-number (block-size) method finds subnet boundaries fast: take the mask's interesting octet (the last octet that is not 255) and compute 256 minus it. For /26 the interesting octet is 192, so the block size is 64, and subnets sit at 0, 64, 128, 192. The block size is always a power of two and equals the spacing between consecutive subnets, so you count up in blocks to locate any address.
5 questions test this
- A technician is documenting the network 172.16.48.0/20 for an IP address management system. Which of the following is the broadcast address…
- A network administrator is documenting the subnet 10.20.48.0/20. Which of the following represents the valid host range for this subnet?
- A host is configured with the IP address 10.20.15.200/27. Which of the following is the network address for this subnet?
- A network administrator is documenting IP allocations for the subnet 10.0.5.96/27. Which of the following represents the valid host range…
- A technician reviews a VLSM allocation plan from the 192.168.5.0/24 block and finds four assigned subnets: 192.168.5.0/26, 192.168.5.64/27,…
- Locate a host's subnet by the block it falls into
To find which subnet an address belongs to, count up by the block size until you pass the host octet, then step back one block. For 192.168.10.130/26 the block size is 64, the boundaries are 0, 64, 128, 192, and 130 falls between 128 and 191, so the subnet is 192.168.10.128, the broadcast is 192.168.10.191, and the usable range is 192.168.10.129 to 192.168.10.190. The same three steps work for every prefix.
Trap Reading the broadcast as the next block's network (192.168.10.192) instead of one address below it (192.168.10.191); the broadcast is always block_start + block_size - 1.
9 questions test this
- A host is configured with the IP address 192.168.10.130/26. Which of the following is the broadcast address of the subnet this host belongs…
- A host is configured with the IP address 10.20.15.200/27. Which of the following is the network address for this subnet?
- A host is assigned the IP address 10.1.5.130 with a subnet mask of 255.255.255.128. Which of the following represents the valid host range…
- A network engineer reviews the following VLSM allocations in the IPAM system from the 10.0.1.0/24 block: Subnet 1: 10.0.1.0/26; Subnet 2:…
- A network engineer reviews IPAM records and finds the last allocated subnet is 172.16.1.128/26. A new department needs 25 usable host…
- A network engineer assigns a workstation the IP address 172.16.10.100/26. Which of the following is the broadcast address of this subnet?
- A technician is configuring a workstation with the IP address 192.168.12.200/26. Which of the following is the network address for this…
- A technician reviews a VLSM allocation plan from the 192.168.5.0/24 block and finds four assigned subnets: 192.168.5.0/26, 192.168.5.64/27,…
- A host is assigned the IP address 10.20.30.45/28. Which of the following represents the valid host range for this subnet?
- Size a subnet by the smallest host-bit count that fits
When a stem gives a host requirement and asks for the prefix, find the smallest h where 2^h - 2 meets the need, then the prefix is 32 minus h. A 50-host LAN needs h = 6 (62 usable, a /26) because h = 5 gives only 30 usable. Always round up to the next power of two minus two; choosing the exact power without the minus 2 leaves you two short.
Trap Sizing on 2^h >= need instead of 2^h - 2 >= need; for 30 hosts that wrongly picks a /27 boundary as if 32 fit, when after reserving network and broadcast a /27 holds exactly 30 and 31 hosts would need a /26.
5 questions test this
- An administrator is implementing VLSM and needs to create a subnet for a department with 29 workstations. Which of the following subnet…
- A company requires each subnet to support at least 500 usable host addresses. Which of the following CIDR prefix lengths provides the…
- A network administrator is using VLSM to subdivide 172.16.10.0/24 for four departments requiring 100, 50, 25, and 10 hosts respectively.…
- A network engineer reviews IPAM records and finds the last allocated subnet is 172.16.1.128/26. A new department needs 25 usable host…
- A network engineer is subnetting 192.168.5.0/24 using VLSM and needs one subnet to support 25 hosts. Which of the following subnet masks…
- RFC 1918 reserves 10/8, 172.16/12, and 192.168/16 for private use
RFC 1918 defines three private ranges that are not globally routable: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Hosts inside these ranges must be translated by NAT before reaching the internet, which is why the same private addresses are reused by countless organizations. Any address outside these blocks (and outside the special ranges) is a public address.
- The 172.16.0.0/12 private block ends at 172.31.255.255
The middle RFC 1918 range, 172.16.0.0/12, spans 172.16.0.0 through 172.31.255.255, covering the second octets 16 through 31 only. Addresses like 172.32.0.1 or 172.15.255.1 are public, not private. This boundary is a favorite distractor because the /12 mask is easy to misread as covering all of 172.x.
Trap Treating 172.32.x.x or any 172.x outside 16 to 31 as private; the /12 covers only 172.16.0.0 to 172.31.255.255, so 172.32.0.1 is a public address.
- A 169.254.x.x address means DHCP failed (APIPA)
APIPA (Automatic Private IP Addressing) self-assigns an address from 169.254.0.0/16 when a host requests DHCP and gets no reply. So a 169.254 address is a diagnosis, not a setup: the DHCP server is unreachable, out of leases, or the relay is broken. An APIPA host can reach other APIPA hosts on the same link but has no default gateway, so it cannot reach other subnets or the internet.
Trap Reading a 169.254.x.x address as a valid working configuration; it is a link-local fallback that signals DHCP failure and cannot route off the local segment.
3 questions test this
- A technician reviews IP configurations on four servers in a data center: Server A has 10.0.1.5, Server B has 172.16.10.20, Server C has…
- A technician discovers that a workstation has the address 169.254.200.15 on a segment where an active DHCP server has been verified. Which…
- Several workstations on a network segment have self-assigned addresses in the 169.254.x.x range. The technician confirms the workstations…
- 127.0.0.0/8 is loopback and never leaves the host
The entire 127.0.0.0/8 block is loopback, with 127.0.0.1 the usual address, and any packet sent to it is handled by the local TCP/IP stack rather than the network. Pinging 127.0.0.1 tests whether the host's own networking software works, independent of any cable or NIC. Because the whole /8 is reserved, no loopback address is ever a valid LAN host address.
- The default gateway must be an address inside the host's own subnet
The default gateway is the router interface a host uses for any destination not on its local subnet, and it has to be an address within that subnet to be reachable by ARP. A host with a gateway outside its subnet, or with no gateway, can still talk to local hosts but reaches nothing beyond the subnet, a classic 'can ping local, not remote' troubleshooting stem.
Trap Setting the default gateway to an address outside the host's subnet; the host cannot ARP for it, so off-subnet traffic fails while local traffic still works.
- A /30 gives exactly 2 usable hosts for point-to-point links
A /30 (mask 255.255.255.252) has 2 host bits, so 2^2 - 2 = 2 usable addresses, which is exactly the two ends of a router-to-router or WAN point-to-point link. RFC 3021 also allows /31 on point-to-point links, giving 2 usable addresses with no separate network or broadcast. Using a /30 for these links conserves address space versus a larger prefix.
Trap Reaching for a /29 or larger on a simple point-to-point link; a /30 already provides the only two addresses such a link needs and wastes none.
- Address classes A, B, C use default masks /8, /16, /24
Legacy classful addressing fixes the split by the first octet: Class A (1 to 126) defaults to /8, Class B (128 to 191) to /16, and Class C (192 to 223) to /24. The first octet's leading bits (0 for A, 10 for B, 110 for C) define the class. The exam tests these default masks even though real networks use CIDR, because they explain the reserved ranges and legacy diagrams.
- Class A stops at 126 because 127 is loopback
Class A spans first octets 1 to 126, not 1 to 127, because 127.0.0.0/8 is reserved for loopback and sits between Class A and Class B. The 0.0.0.0 address is also special (meaning 'this host' or 'any'), so it is excluded too. These two carve-outs are exactly the kind of off-by-one the exam targets.
Trap Listing Class A as 1 to 127; 127 is loopback, so Class A is 1 to 126.
- Class D is multicast (224-239) and Class E is reserved (240-255)
First octets 224 through 239 are Class D, the multicast range (224.0.0.0/4), and 240 through 255 are Class E (240.0.0.0/4), reserved and experimental. Neither is assignable to ordinary hosts: a Class D address names a group, and a Class E address is not used on production networks. An exam answer that offers 224.x or 240.x as a host's unicast address is wrong.
Trap Treating a 224.x to 239.x address as a normal host unicast address; that range is Class D multicast (a group address), not assignable to a single host.
- VLSM right-sizes each subnet, largest allocation first
VLSM (Variable Length Subnet Masking) means using different prefix lengths within one parent block so each segment gets only the addresses it needs. Allocate the largest subnet first: from 192.168.1.0/24 a 100-host LAN takes a /25, a 50-host LAN a /26 from the remainder, and a router link a /30. Going largest-first prevents a small subnet from carving up a block a larger one still needs, avoiding fragmentation.
Trap Allocating the smallest subnets first; a /30 placed early can split a contiguous block so no /25 remains for the largest LAN, fragmenting the space.
- Classful sizing wastes addresses; CIDR/VLSM fixes it
Classful allocation forced a network to take a whole class, so a site needing 300 hosts could not fit a Class C (254) and had to claim a Class B (65,534), stranding tens of thousands of addresses. CIDR and VLSM let the prefix be sized to the need, so that same site takes a /23 (510 usable) instead. A question about efficient or conservative allocation always wants a custom CIDR prefix, never a class default.
- 255.255.255.255 is the limited broadcast; 0.0.0.0 means this host or any
Two addresses are special beyond the class ranges: 255.255.255.255 is the limited broadcast, reaching every host on the local segment and never forwarded by a router, and 0.0.0.0 means 'this host' or 'any' (a DHCP client sources its first request from 0.0.0.0, and 0.0.0.0/0 is the default route). Neither is assignable to an interface as a normal unicast address.
- To make a fixed number of equal subnets, borrow enough host bits so 2^n meets the count
Fixed-length subnet masking creates equal-sized subnets by borrowing host bits, where n borrowed bits yield 2^n subnets. Add those borrowed bits to the original prefix to get the new mask: from /24, borrowing 3 bits gives 2^3 = 8 subnets at /27 (255.255.255.224); from /16, borrowing 4 bits gives 16 subnets at /20 (255.255.240.0).
- IPAM centrally tracks allocations so VLSM subnets never overlap
IP Address Management (IPAM) gives a single record of every subnet and address allocation across the network. In a VLSM design with many different-sized subnets, it is what lets administrators see free space and catch an overlap, such as a /28 carved entirely inside an existing /27, before the conflicting assignment is deployed.
Trap Assuming two subnets cannot overlap just because they have different masks; a smaller subnet can sit entirely within a larger one's range, which only allocation tracking reveals.
Network Implementation
Routing Technologies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Longest-prefix match decides the route before anything else
When more than one route in the table covers a destination, the router forwards out of the most specific one, the route with the longest matching prefix, and this is settled before administrative distance or metric is even looked at. A packet to 10.1.1.5 takes a 10.1.1.0/24 entry over a 10.1.0.0/16 entry over a 0.0.0.0/0 default, because /24 is more specific than /16 which is more specific than /0. A /32 host route therefore beats every shorter prefix no matter how attractive the shorter route's AD or metric looks.
Trap Picking the entry with the lowest administrative distance or best metric when a different entry has a longer prefix; specificity is decided first, so the more specific prefix wins regardless of AD or metric.
- Administrative distance ranks how much a router trusts a route's source
Administrative distance (AD) is a 0 to 255 trust value a router uses to choose between two sources advertising the same prefix, where lower is more trusted. It only arbitrates between sources; it never measures path quality and never travels in an advertisement, so it is local to one router. Once a source wins on AD, that protocol's own metric picks the best path within it.
Trap Treating administrative distance as a path metric; AD only chooses which source to believe for a prefix, while the metric (cost, hops) compares paths inside one protocol.
- Memorize the default administrative distances in order
For the same prefix learned from multiple sources, the router installs the one with the lowest AD: directly connected is 0, static route is 1, external BGP (eBGP) is 20, EIGRP internal is 90, OSPF is 110, RIP is 120, EIGRP external is 170, and internal BGP (iBGP) is 200. The most-tested instance is a static route (1) beating an OSPF-learned route (110) for the same network. These compare only across sources of one prefix, never as path metrics.
Trap Assuming OSPF (AD 110) wins over a static route (AD 1) because OSPF is dynamic and seems smarter; the lower AD wins, so the static route is installed.
- The metric breaks ties only within a single protocol
The protocol metric chooses the best path only after prefix length and administrative distance have already tied, and a lower metric is better. Each protocol measures differently: RIP counts hops, OSPF sums an inverse-bandwidth cost, and EIGRP computes a composite of bandwidth and delay. Comparing metrics across two different protocols is meaningless, which is exactly why AD exists to arbitrate between protocols first.
- Static routing is hand-set, predictable, and silent
A static route is one administrator-entered line mapping a prefix to a next hop, so it uses no CPU or bandwidth advertising itself and is invisible to routing-protocol scans. Its weakness is that it does not react to failure: if the next hop dies the route blackholes traffic unless you add a floating static backup (a higher-AD static that activates only when the primary is gone). It fits small or stub networks and a single Internet exit.
- The default route 0.0.0.0/0 is the gateway of last resort
A default route, written 0.0.0.0/0, matches any destination not covered by a more specific entry and sends it toward the configured next hop, typically the ISP. Because it is the shortest possible prefix (/0), longest-prefix match uses it only when nothing more specific matches. A stub site with one exit usually needs just this single static default plus its connected routes.
- Dynamic routing trades overhead for automatic failover
Dynamic protocols discover neighbors, exchange reachability, and recompute paths on their own when a link changes, so they scale to networks too large to hand-edit and reroute around failures with no human. The cost is CPU, memory, and bandwidth for the protocol's own traffic, plus a larger attack surface (route injection, neighbor spoofing) you mitigate with protocol authentication. Reach for it the moment the network has redundant paths that must fail over or more subnets than you want to track by hand.
- Convergence time is the headline difference between protocols
Convergence is the time for every router to agree on new best paths after a topology change, and it separates the protocols sharply: OSPF and EIGRP converge in seconds, while classic RIP can take minutes because it ages routes out slowly. A scenario that stresses fast recovery after a link failure is pointing at a link-state (OSPF) or advanced distance-vector (EIGRP) protocol, not RIP.
- RIP is distance-vector and caps the network at 15 hops
Routing Information Protocol advertises only a destination, a hop count, and a direction, trusting neighbors like rumor, which makes it simple but slow. Its metric is hop count with 16 meaning unreachable (infinity), so the usable network diameter is 15 hops. RIPv2 added subnet masks (classless/VLSM) and multicast updates over RIPv1, but any topology wider than 15 hops needs OSPF or EIGRP instead.
Trap Picking RIP for a large network because it is simple; a route at 16 hops is unreachable, so RIP cannot span more than 15 hops.
- OSPF is link-state, uses cost, and scales with areas
Open Shortest Path First (RFC 2328) has every router flood Link State Advertisements (LSAs) describing its own links, so all routers build an identical map and run Dijkstra to compute shortest paths by cost (lower is better, derived from bandwidth). It scales through areas, a hierarchy where every non-backbone area attaches to the backbone, Area 0, keeping each router's database bounded. It converges fast at the cost of more memory and CPU than RIP.
Trap Assuming OSPF uses hop count like RIP; OSPF's metric is bandwidth-based cost, and an area design must connect every area to Area 0.
- EIGRP is Cisco's advanced distance-vector protocol
Enhanced Interior Gateway Routing Protocol blends distance-vector advertising with link-state-style fast reaction, which is why it is often called hybrid. Its DUAL algorithm precomputes a loop-free backup (the feasible successor) so it can switch on a failure without full recomputation, and its metric is a composite weighted on bandwidth and delay. It converges quickly but historically ran only on Cisco equipment.
- BGP is the path-vector protocol that runs the Internet
Border Gateway Protocol (RFC 4271) advertises the full AS-path, the ordered list of autonomous systems a route crosses, and uses that path plus policy attributes to pick loop-free routes between organizations. It is the only exterior gateway protocol (EGP) in use and rides TCP port 179 for reliable, ordered delivery, unlike the IGPs which carry their own transport. Because its job is policy between networks, it converges deliberately rather than fast.
Trap Running BGP inside a single campus for fast convergence; BGP is for policy between autonomous systems, and an IGP (OSPF or EIGRP) is the right tool inside one AS.
- IGPs route inside one AS; BGP routes between them
An interior gateway protocol (IGP), namely OSPF, RIP, or EIGRP, finds best paths inside a single autonomous system, while an exterior gateway protocol (EGP), in practice only BGP, connects separate autonomous systems. The same BGP runs two ways the exam contrasts: external BGP (eBGP) peers between two different AS numbers, and internal BGP (iBGP) carries those learned routes across routers within one AS. Their trust differs accordingly, eBGP at AD 20 and iBGP at AD 200.
- NAT translates non-routable private addresses to public ones
Network Address Translation rewrites a packet's private RFC 1918 source address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to a routable public address on the way out, because private addresses are not globally unique and cannot be routed on the Internet. Static NAT maps one private address to one public address permanently to publish an inside server, while dynamic NAT hands out public addresses from a pool to inside hosts on a first-come basis.
6 questions test this
- A data center administrator needs to ensure that an internal mail server always maps to the same public IPv4 address for both inbound and…
- A network administrator needs to configure the border router so that an internal mail server always appears to external hosts using the…
- A company hosts a public-facing email server on the internal network and also needs to provide internet browsing for 300 employees. The ISP…
- A company wants to host an internal web server that must always be accessible from the internet using the same dedicated public IP address.…
- A network engineer needs to ensure that an internal web server at 10.0.5.20 is always reachable from the internet using a specific public…
- A company configures dynamic NAT with a pool of 10 public IP addresses for internet access. After 10 internal hosts establish connections,…
- PAT (NAT overload) lets one public IP serve a whole network
Port Address Translation maps many private hosts to a single public IP by tracking a unique source port per conversation, which is why one residential or office ISP address can serve thousands of devices. It is the everyday default and the answer whenever a stem describes a LAN sharing one public address. Static NAT (one-to-one) and dynamic NAT (a pool) both still need a public IP per simultaneous host, so they do not solve the one-address case.
Trap Choosing static or dynamic NAT when many hosts must share a single public IP; only PAT multiplexes them behind one address by port.
23 questions test this
- When an internal host behind a PAT-enabled router initiates a connection to an external web server, which of the following is recorded in…
- Which of the following allows PAT to differentiate between multiple concurrent sessions from different internal hosts sharing a single…
- A company has 150 workstations that need internet access, but the ISP has assigned only a single public IP address. Which of the following…
- A company has 300 internal hosts but only five public IP addresses. The administrator needs all 300 hosts to access the internet…
- A company with 200 employees has been allocated only two public IP addresses by its ISP. All employees need to access the internet…
- Users on a corporate network report that new internet connections are failing while existing connections continue to function normally. The…
- A company hosts a public-facing email server on the internal network and also needs to provide internet browsing for 300 employees. The ISP…
- A company has been assigned a single public IPv4 address by its ISP and needs to provide simultaneous internet access for 200 internal…
- An internal host at 10.0.0.50 sends a web request through a router configured with PAT. The router's external interface has a public IP of…
- Which of the following best describes an advantage of configuring PAT instead of static NAT for outbound internet access on a corporate…
- A company configures PAT on its border router so that 200 internal hosts share a single public IP address for internet access. Which of the…
- A network technician is reviewing the translation table on a router performing PAT. Which of the following types of information would the…
- A growing company uses dynamic NAT with a pool of 10 public IP addresses, but 200 internal hosts frequently cannot connect when the pool is…
- A technician examines the NAT translation table on a router and sees multiple entries with the same public IP address but different port…
- A small office has 25 workstations that need internet access, but the ISP has provided only a single public IPv4 address. Which of the…
- A technician is reviewing the translation table on a border router configured for PAT. Which of the following combinations of information…
- A company has 200 internal hosts that share a single public IP address for internet access using PAT. Which of the following does the…
- A network engineer reviews the router's NAT translation table and notices that all active entries share the same translated public IP…
- When a router performing PAT receives return traffic from the internet, which of the following does the router examine to forward the…
- A network administrator configures NAT overloading on the edge router so that 100 internal hosts can share a single public IP address for…
- A network engineer reviews the NAT translation table on a border router and observes entries showing different internal IP addresses all…
- A small office has 100 workstations that connect to the internet through a router configured with a single public IP address. Which of the…
- Which of the following best describes how PAT differs from dynamic NAT?
- NAT hides and conserves addresses but is not a firewall
NAT and PAT rewrite addresses to conserve public IPs and obscure the inside topology, but they do not inspect or filter traffic and outbound-initiated sessions still pass freely. Treating NAT as a security control leaves the network unprotected; an actual stateful firewall or ACL is still required alongside the translation.
Trap Relying on NAT or PAT as the network's security boundary; address translation provides no traffic inspection, so a real firewall or ACL is still needed.
- An FHRP gives hosts a redundant virtual gateway IP
A first hop redundancy protocol (FHRP) lets two or more routers share one virtual IP (VIP) and virtual MAC that hosts use as their default gateway, so when the active router fails a standby takes over the VIP within seconds and no host setting changes. This is the answer when a stem asks how to remove the default gateway as a single point of failure without reconfiguring clients. Routing protocols reroute transit paths but do not provide end hosts a redundant gateway address.
Trap Reaching for a dynamic routing protocol to make the default gateway redundant; routing protocols reroute transit paths, but only an FHRP hands hosts a failover virtual gateway IP.
4 questions test this
- A company deploys two routers running HSRP to provide gateway redundancy. The active router experiences a hardware failure. Which of the…
- Which of the following best describes the function of a virtual IP address in a First Hop Redundancy Protocol deployment?
- Two routers are configured with HSRP on a LAN segment. Router A is the active router with a priority of 150, and Router B is the standby…
- A network administrator configures HSRP between two routers so that hosts maintain connectivity if a router fails. Which of the following…
- VRRP is the open FHRP; HSRP and GLBP are Cisco
VRRP (RFC 5798) is the vendor-neutral IETF first hop redundancy protocol for a mixed-vendor environment, while HSRP and GLBP are Cisco proprietary. GLBP additionally load-balances traffic across all routers in the group rather than leaving the standbys idle. Pick VRRP when the question specifies multi-vendor or an open standard; pick HSRP or GLBP when it specifies an all-Cisco network.
4 questions test this
- A company deploying routers from multiple vendors requires an IETF open-standard First Hop Redundancy Protocol. Which of the following…
- A company is deploying default gateway redundancy across a network that contains equipment from multiple vendors. Which of the following…
- A network engineer needs to deploy gateway redundancy in a multi-vendor environment. Which of the following FHRPs is defined as an open…
- A network administrator wants to implement first hop redundancy that distributes client traffic across multiple gateway routers using a…
- Router-on-a-stick uses 802.1Q subinterfaces for inter-VLAN routing
To route between VLANs over a single physical link, a router divides one port into subinterfaces, each tagged for a different VLAN with 802.1Q and assigned that VLAN's gateway IP, so one trunk carries all VLANs to the router and one port routes among them. This pattern is called router-on-a-stick. A Layer 3 switch with switched virtual interfaces does the same job at higher scale and is preferred when port density or throughput matters.
5 questions test this
- A network engineer is implementing inter-VLAN routing using a single physical router interface connected to a switch. Which of the…
- A network engineer needs to enable routing between VLAN 10 and VLAN 20 using a single physical router interface connected to a switch trunk…
- A company has three VLANs on a Layer 2 switch but the router has only one physical interface available for inter-VLAN routing. Which of the…
- A company has VLAN 10, VLAN 20, and VLAN 30 on a single switch. A network engineer connects one router interface to the switch using a…
- A network engineer needs to route traffic between three VLANs using a router with a single physical Ethernet interface connected to a…
- A floating static route is a backup that activates on failure
A floating static route is a static route configured with a deliberately higher administrative distance than the primary path, so it stays out of the table until the preferred route disappears. It gives static routing a manual failover: when the primary next hop or dynamic route is lost, the higher-AD static floats into the table and keeps traffic moving. It is the simple way to add redundancy without running a full dynamic protocol.
- An exhausted dynamic-NAT pool or PAT port range drops new sessions while existing ones survive
Dynamic NAT hands each inside host a public address from a finite pool; once every pool address is in use, further connection attempts fail until a mapping times out or is released. PAT (NAT overload) instead multiplexes many hosts behind one public IP using unique source ports, but each IP offers only about 65,000 ports, so heavy session counts can exhaust the ports and block new outbound sessions even though the WAN link is up. NAT and PAT entries are stateful and are reclaimed automatically after an idle timeout.
Trap Blaming a dead WAN link when an operational interface plus a full translation table points to pool or port exhaustion.
8 questions test this
- Users on a corporate network report that new internet connections are failing while existing connections continue to function normally. The…
- A growing company uses dynamic NAT with a pool of 10 public IP addresses, but 200 internal hosts frequently cannot connect when the pool is…
- A network technician reviews the NAT translation table on a PAT-enabled router and notices that entries are automatically removed after a…
- A company configures dynamic NAT with a pool of three public IP addresses for 100 internal hosts. All three addresses are currently mapped…
- A small office uses dynamic NAT with a pool of four public IP addresses to provide internet access for 30 internal hosts. All four public…
- Users at a small office suddenly lose internet access even though the router's WAN interface is operational. The administrator discovers…
- A company configures dynamic NAT with a pool of 10 public IP addresses for internet access. After 10 internal hosts establish connections,…
- An organization with 5,000 users shares a single public IP address using PAT. Users report that new web sessions fail to load during peak…
- FHRP elects the highest priority; preemption (default on in VRRP, off in HSRP) lets it take back over
First-hop redundancy protocols elect the gateway with the highest configured priority as master/active. Preemption governs whether a higher-priority router that comes online later seizes the role from a current lower-priority master: VRRP enables preemption by default, while HSRP requires it to be turned on explicitly. In VRRP, the priority value 255 is reserved for the router that actually owns the virtual IP address, and that owner always becomes master.
Trap Assuming a higher-priority router always takes over immediately, which only happens when preemption is enabled (it is off by default in HSRP).
4 questions test this
- A network engineer configures VRRP on two routers. Router A is the current Master with a priority of 100. Router B comes online with a…
- A network administrator notices that a VRRP router is operating with a priority value of 255. Which of the following does this value…
- A network engineer configures VRRP on two routers. Router A has a priority of 150 and Router B has a priority of 100. Both routers are…
- In an HSRP configuration, Router A has a priority of 120 and Router B has a priority of 100. Router B is currently the active router. After…
Switching Technologies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A VLAN is a broadcast domain defined in software, not by wiring
A VLAN (virtual LAN) carves one physical switch into separate broadcast domains by configuration, so two ports on the same switch in different VLANs are isolated and a broadcast in one VLAN never reaches another. The win is segmentation without rewiring: smaller broadcast domains, traffic isolation, and a security boundary you set per port. Because each VLAN is its own broadcast domain, moving traffic between VLANs always takes a Layer 3 hop.
- Adding a VLAN separates departments; connecting them needs Layer 3
VLANs exist to keep broadcast domains apart, so you cannot 'connect' two departments by giving them VLANs; that is the opposite of what VLANs do. To let two VLANs communicate you need inter-VLAN routing on a router (a tagged subinterface per VLAN, 'router on a stick') or, far more commonly, a Layer 3 switch routing between them in hardware. When a stem says two VLANs cannot reach each other, the fix is a Layer 3 device.
Trap Creating another VLAN to make two VLANs communicate; VLANs separate broadcast domains, only a router or Layer 3 switch joins them.
- Access ports carry one VLAN untagged; trunks carry many tagged
An access port belongs to exactly one VLAN and faces an end device that knows nothing of VLANs, so its frames are untagged. A trunk port carries many VLANs over one link between switches (or to a router) and tags each frame so the far end can sort it back. Pick access for a single host, trunk for an inter-switch link that must carry several VLANs.
3 questions test this
- A technician needs to connect a user workstation to a switch so the device communicates only on VLAN 25. Which of the following port types…
- A switch port is configured as an access port and assigned to VLAN 50. Which of the following describes how this port handles outgoing…
- A company has three VLANs on a Layer 2 switch but the router has only one physical interface available for inter-VLAN routing. Which of the…
- 802.1Q inserts a 4-byte tag with a 12-bit VLAN ID (1 to 4094)
IEEE 802.1Q is the VLAN tagging standard: a trunk inserts a 4-byte tag into the Ethernet header carrying a 12-bit VLAN ID, giving a usable range of 1 to 4094 (0 and 4095 are reserved). The tag lets one trunk cable carry dozens of VLANs without mixing them, and it is stripped again as a frame exits onto an access port. Memorize that 802.1Q equals VLAN tagging on the exam.
5 questions test this
- When a frame traverses an 802.1Q trunk port, a tag is inserted into the Ethernet frame. Which of the following is included in the 802.1Q…
- A network engineer needs to enable routing between VLAN 10 and VLAN 20 using a single physical router interface connected to a switch trunk…
- A network technician captures traffic on an 802.1Q trunk and notices additional fields in some Ethernet frames. Which of the following…
- After enabling 802.1Q trunking on a switch-to-switch link, a network administrator observes that the maximum Ethernet frame size on the…
- Which of the following accurately describes how 802.1Q identifies VLAN membership for frames on a trunk link?
- The native VLAN crosses a trunk untagged and both ends must match
On an 802.1Q trunk, one VLAN, the native VLAN, has its frames sent untagged; everything else is tagged. Both trunk ends must agree on the native VLAN, because a mismatch drops untagged frames into the wrong VLAN, leaking traffic and enabling double-tagging VLAN-hopping attacks. Best practice is to set the native VLAN explicitly to an unused VLAN rather than leaving it as VLAN 1.
Trap Leaving the native VLAN mismatched between trunk ends; untagged frames land in the wrong VLAN and open a VLAN-hopping path.
5 questions test this
- A network technician discovers that one end of an 802.1Q trunk is configured with native VLAN 1 while the other end is configured with…
- A network administrator is reviewing the configuration of an 802.1Q trunk link between two switches. Which of the following best describes…
- An administrator configures an 802.1Q trunk between two switches. Frames belonging to one specific VLAN traverse the trunk without a VLAN…
- A network administrator configures an 802.1Q trunk link between two switches. Which of the following describes how native VLAN traffic is…
- Two switches are connected via an 802.1Q trunk link. Switch A has a native VLAN of 1 and Switch B has a native VLAN of 99. Which of the…
- VLAN 1 is the default VLAN and should not carry user or management traffic
Every switch port belongs to VLAN 1 out of the box, so VLAN 1 is the default VLAN. Best practice is to move user traffic to other VLANs and never use VLAN 1 for management, because an attacker who reaches an unconfigured port lands in VLAN 1 by default. Assign ports to purpose-built VLANs and keep VLAN 1 unused.
- A voice VLAN keeps phone traffic separate on a shared access port
A voice VLAN is a dedicated VLAN for IP phones so voice traffic is separated from the data of a PC sharing the same access port. The separation lets QoS prioritize voice and keeps a compromised PC off the voice segment. It is the standard answer when a stem wants phone traffic isolated and prioritized without a second cable run.
- Spanning Tree blocks redundant links so a Layer 2 loop can't form
Ethernet frames have no TTL, so a single frame in a switching loop circulates forever and a broadcast storm saturates every link in seconds. Spanning Tree Protocol (STP, IEEE 802.1D) prevents this by electing a root bridge and putting redundant paths into a blocking state, leaving exactly one active path. The blocked link stays cabled for failover but logically off until needed, so the answer to a storm after adding a redundant link is STP, not removing redundancy.
Trap Removing the redundant link to stop a broadcast storm; the correct fix is to enable Spanning Tree, which keeps the backup link for failover while blocking the loop.
- Lowest bridge ID wins the root election; default priority is 32768
STP elects one root bridge by comparing each switch's bridge ID, which is its bridge priority (default 32768) followed by its MAC address; the lowest bridge ID wins. With equal priorities the switch with the lowest MAC becomes root, so to control which switch is root you lower its priority below 32768. Every other switch then selects its lowest-cost root port toward the root.
5 questions test this
- A network administrator wants to ensure a specific core switch becomes the root bridge in a spanning tree domain. Which of the following…
- Two Layer 2 switches are connected in a switched network running STP. Both switches have been configured with the same bridge priority…
- Three switches running STP are connected in a redundant topology. Switch A has a priority of 24576, Switch B has a priority of 32768, and…
- A network engineer needs to ensure that a specific core switch is elected as the root bridge in a spanning tree domain containing 10…
- A network engineer needs to ensure a specific switch becomes the root bridge for the spanning tree domain. Which of the following actions…
- Switches elect the root and detect loops using BPDUs
BPDUs (Bridge Protocol Data Units) are the control frames Spanning Tree switches exchange to elect the root bridge, compute path costs, and detect loops. A port that should face only a host but starts receiving BPDUs signals that a switch was plugged in where it should not be. BPDU Guard uses exactly that signal to error-disable a PortFast port.
- Classic STP ports walk blocking, listening, learning, forwarding
An 802.1D port passes through four states before carrying data: blocking (BPDUs only), listening (works out the topology, no data, no MAC learning), learning (builds the MAC table, still no data), and forwarding (fully active). Walking listening then learning is why a change takes roughly 30 to 50 seconds to converge and why an access port can sit dark for half a minute after a host boots.
6 questions test this
- A network administrator is migrating from IEEE 802.1D STP to IEEE 802.1w RSTP on the campus network. Which of the following correctly…
- After an indirect link failure, a switch running traditional STP (IEEE 802.1D) takes approximately 50 seconds before a blocked port begins…
- After a topology change in a network running traditional STP (IEEE 802.1D-1998), an administrator observes approximately 50 seconds of…
- A network administrator is comparing spanning tree protocol variants for an upcoming migration. Which of the following port states is used…
- After a link failure in a switched network, users report approximately 50 seconds of downtime before connectivity is restored through a…
- After a direct link failure, a network technician observes that a previously blocked port on a switch running IEEE 802.1D STP takes…
- RSTP (802.1w) converges in about 1 to 2 seconds, not 30 to 50
Rapid Spanning Tree (RSTP, IEEE 802.1w) does the same loop-prevention job as 802.1D but converges in about one to two seconds instead of 30 to 50. It collapses the port states to three (discarding, learning, forwarding) and adds explicit port roles so a standby path is promoted almost instantly. RSTP is the modern default and is backward compatible with 802.1D, so it is the answer when slow STP convergence is the complaint.
7 questions test this
- After a link failure, a network running 802.1D STP takes approximately 50 seconds before traffic begins forwarding over an alternate path.…
- A network administrator is migrating from IEEE 802.1D STP to IEEE 802.1w RSTP on the campus network. Which of the following correctly…
- A network technician is comparing Spanning Tree Protocol variants used in a switched network. Which of the following correctly identifies…
- A network administrator is comparing spanning tree protocol variants for an upcoming migration. Which of the following port states is used…
- After a link failure in a switched network running STP (802.1D), the network takes approximately 30 seconds to reconverge. Which of the…
- A network administrator observes that traffic takes approximately 30 seconds to reconverge after a switch link failure. Which of the…
- Users on a switched network report intermittent outages lasting approximately 50 seconds whenever an upstream link fails. The switches are…
- RSTP port roles add an alternate as a pre-computed backup to the root
RSTP defines four port roles: root (best path to the root bridge), designated (forwarding port on a segment), alternate (a pre-computed backup path to the root), and backup (a backup to a designated port on the same segment). The alternate role is what lets RSTP fail over in seconds: the standby path is already chosen, so it activates without re-running a long timer. This is the structural reason RSTP beats 802.1D on convergence.
4 questions test this
- In an RSTP topology, a switch port receives superior BPDUs from another switch but is not selected as the root port. The port remains in a…
- In a network running RSTP (IEEE 802.1w), a port on a non-root switch has been assigned the alternate port role. Which of the following best…
- A switch running RSTP has two uplink ports connected to different upstream switches. Port Gi0/1 is elected as the root port. Which of the…
- In an RSTP network, a switch port receives superior BPDUs from a neighboring bridge but is not selected as the root port. This port can…
- MSTP (802.1s) maps VLAN groups to separate spanning-tree instances
Multiple Spanning Tree (MSTP, IEEE 802.1s) runs several spanning-tree instances and maps groups of VLANs to different instances. That lets traffic load-share across redundant links, because one instance can forward on a link that another instance blocks, instead of a single tree blocking the same port for every VLAN. It is the answer for a large multi-VLAN network that wants to use its redundant links rather than park them.
9 questions test this
- A network engineer needs to distribute traffic across redundant uplinks so that VLANs 1-25 follow one active path while VLANs 26-50 follow…
- A network engineer needs to enable different groups of VLANs to follow separate active paths across a redundant switch topology for load…
- A network engineer manages a campus network with 50 VLANs and redundant uplinks between distribution switches. The engineer needs different…
- A network engineer notices that all VLAN traffic follows the same Layer 2 path because STP blocks the same ports for every VLAN. Which of…
- A network engineer needs to allow different groups of VLANs to use different active paths through the network. Which of the following…
- A network engineer manages a switched environment with 100 VLANs and needs to balance traffic across redundant links while minimizing…
- Which of the following spanning tree protocols enables an administrator to map multiple VLANs to separate spanning tree instances for…
- A network engineer needs to allow different groups of VLANs to follow separate spanning tree topologies across redundant uplinks to…
- A network engineer manages an enterprise network with 80 VLANs and needs to optimize link utilization while maintaining loop prevention.…
- PortFast skips the STP delay on host ports without disabling STP
On an access port facing a single host there is no switch behind it to form a loop, so the listening/learning wait is pure delay. PortFast moves such an edge port straight to forwarding, eliminating the ~30-second wait, while Spanning Tree keeps protecting the rest of the topology. The right fix for a host port that takes 30 seconds to come up is PortFast, never turning STP off network-wide.
Trap Disabling Spanning Tree to cure a slow-to-link host port; that strips loop protection from the whole topology when PortFast solves it on the one safe port.
- BPDU Guard error-disables a PortFast port that receives a BPDU
BPDU Guard is the safety catch for PortFast: if a port set for PortFast ever receives a BPDU, meaning a switch was plugged in where only a host should be, BPDU Guard error-disables the port. That protects the loop-free topology from a shortcut introduced at the edge. PortFast plus BPDU Guard belong only on edge/host ports, never on a switch-to-switch uplink.
Trap Enabling PortFast on a switch-to-switch uplink; it skips the loop-prevention states on a link where a loop can form, inviting the storm STP exists to stop.
- A duplex mismatch leaves the link up but slow with late collisions
If one end of a link is hard-coded full duplex and the other is left on auto-negotiation, the auto side cannot detect the partner and defaults to half duplex, creating a duplex mismatch. The link stays up, but you see late collisions, CRC/FCS errors, and throughput that craters under load, not a loss of carrier. The fix is to set both ends the same way, ideally both back to auto.
Trap Reading a duplex mismatch as a down link or bad cable; the carrier stays up and the tells are late collisions and falling throughput, not loss of link.
- Standard Ethernet MTU is 1500 bytes; a jumbo frame raises it to 9000
The maximum transmission unit (MTU) is the largest payload a frame carries; standard Ethernet MTU is 1500 bytes. A jumbo frame raises the payload to as much as 9000 bytes to cut per-frame overhead and CPU interrupts for high-volume traffic like iSCSI/NAS storage and backups. Remember the two numbers: 1500 standard, up to 9000 jumbo.
- Jumbo frames must be set to the same MTU on every device in the path
Jumbo frames only work if every switch, NIC, and router along the path is configured for the same larger MTU. A single 1500-byte device in the middle drops the oversized frames, and the symptom looks like intermittent loss or stalled large transfers rather than an obvious error. So enable jumbo frames end to end or not at all.
Trap Setting a 9000-byte MTU on the server but not on the switches between it and the peer; the mismatched middle device silently drops the big frames.
- Auto-negotiation on both ends is the recommended speed/duplex default
Auto-negotiation lets the two ports advertise their speed and duplex capabilities and settle on the best common pair, and leaving both ends on auto is the recommended default. Hard-coding only one end is what creates a duplex mismatch, so the safe practice is matching configuration: both auto, or both manually set to the same speed and duplex.
- Link aggregation with LACP (802.3ad) bonds links without an STP block
Link aggregation under IEEE 802.3ad uses LACP (Link Aggregation Control Protocol) to bond several parallel physical links into one logical link, adding their bandwidth and surviving the loss of a member link. Crucially, STP treats the bundle as one logical port, so the parallel links are not blocked as a loop, which is what would happen if you cabled them without aggregation. It is the answer for more bandwidth between switches without redundancy being blocked.
Trap Cabling two parallel switch links for bandwidth without aggregating them; STP blocks the second as a loop, so you must bundle them with LACP to use both.
- A switch forwards by its MAC address table (CAM table)
A switch forwards frames using its MAC address table (also called the CAM table, for content-addressable memory): it learns the source MAC of each frame and the port it arrived on, then forwards later frames only out the matching port instead of flooding. Entries age out after a timeout. The table is also the target of a MAC flooding attack, which overflows it so the switch fails open and floods all traffic.
- Classic 802.1D STP takes ~50 seconds: 20s max-age plus 15s listening plus 15s learning
With default timers, a blocked port in traditional 802.1D Spanning Tree waits out the 20-second max-age timer after an indirect failure, then transitions through the listening state (15 seconds) and the learning state (15 seconds) before it forwards, totaling about 50 seconds. The listening-plus-learning portion alone (twice the 15-second forward delay) is 30 seconds. This slow convergence is why RSTP (802.1w) was introduced.
Trap Counting only the 30-second forward delay and forgetting the 20-second max-age wait that precedes it after an indirect failure.
5 questions test this
- After an indirect link failure, a switch running traditional STP (IEEE 802.1D) takes approximately 50 seconds before a blocked port begins…
- After a topology change in a network running traditional STP (IEEE 802.1D-1998), an administrator observes approximately 50 seconds of…
- After a link failure in a switched network, users report approximately 50 seconds of downtime before connectivity is restored through a…
- A network administrator observes that traffic takes approximately 30 seconds to reconverge after a switch link failure. Which of the…
- A network administrator is troubleshooting slow failover on a network running IEEE 802.1D STP with default timer values. After a topology…
- Port-security shutdown mode err-disables the port; restrict and protect just drop frames
Port security caps how many (or which) MAC addresses a switch port accepts, defeating MAC-flooding attacks that try to overflow the CAM table from one port. On a violation, shutdown mode error-disables the port and requires manual re-enablement, while restrict and protect modes keep the port up and simply drop the offending traffic (restrict also logs and counts it).
Trap Expecting the default violation action to merely drop traffic, when the default shutdown mode err-disables the entire port.
- Sticky MAC learning auto-records allowed addresses and saves them to the config
Sticky MAC address learning lets port security dynamically learn the MAC of whatever device connects and write it into the running configuration, so an administrator does not have to type each allowed address by hand. Once the configuration is saved, the learned addresses persist through a reboot.
Trap Confusing sticky learning with statically typed secure MACs; sticky is the hands-off option that learns addresses automatically.
Wireless Networks
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Physical Installations
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Operations
Network Documentation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Life-Cycle Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Change Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Configuration Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Monitoring
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Match the monitoring tool to the question: health, conversations, or content
Pick the monitoring data source by what you need to learn. SNMP answers whether a device is up and how loaded it is, flow data answers who talked to whom and how much, and full packet capture answers what exactly was sent. Reaching for a heavier tool than the question needs wastes storage and time, so when a flow record already shows which two hosts saturate a link, you do not stand up a full capture to learn the same thing.
Trap Running full packet capture to measure traffic volume; flow data answers who-and-how-much at a fraction of the storage cost.
- SNMP is a manager-agent system addressed through the MIB by OID
Simple Network Management Protocol (SNMP) has a manager (the monitoring station) talk to an agent on each managed device. Every readable or settable value lives in the Management Information Base (MIB), a hierarchical catalog, and each value is named by an object identifier (OID), a dotted-number path. Pointing a monitoring tool at a device walks that OID tree to collect counters like interface byte counts.
5 questions test this
- A network technician must use SNMP to query a specific data point, such as interface utilization, from a router. Which of the following…
- An NMS is configured to poll a newly deployed router using SNMP. The NMS successfully receives responses but displays vendor-specific…
- A network technician needs to monitor the number of inbound octets on a specific switch interface using SNMP. The technician must reference…
- A network technician is configuring an NMS to monitor interface statistics on a managed switch. The technician enters a dotted numeric…
- An NMS administrator needs to query a core router for its system uptime using SNMP. Which of the following components uniquely identifies…
- GET polls, SET writes, TRAP and INFORM push events
SNMP uses GET to read a value on a schedule and SET to change one, while the agent uses TRAP to push an unsolicited notification the instant something notable happens, such as an interface going down. A TRAP is fire-and-forget; an INFORM carries the same content but is acknowledged, so the agent resends if the manager does not confirm. The exam tell is direction and trigger: a scheduled status pull is a GET poll, an unsolicited device-down push is a TRAP.
Trap Calling a scheduled, manager-initiated status check a trap; polling is a GET pull, a trap is the agent's unsolicited push.
6 questions test this
- A network device automatically sends an unsolicited notification to the management station each time its running configuration is saved.…
- A network team wants to implement a monitoring strategy where managed devices proactively alert the NMS about critical events such as link…
- A network engineer configures the NMS to request interface statistics from all routers every five minutes. The engineer also needs…
- A managed switch sends an SNMP trap to the NMS indicating a critical interface failure. The NMS then immediately begins querying the switch…
- A network administrator notices the NMS only detects a core switch interface failure when the next five-minute polling cycle occurs. Which…
- A monitoring team configures the NMS to listen for asynchronous alerts from network devices and then automatically sends targeted SNMP…
- Use SNMPv3 because v1 and v2c send the community string in cleartext
SNMPv1 and v2c authenticate only with a community string, a shared secret transmitted in cleartext, so anyone sniffing the segment reads it and can then query or reconfigure the device. SNMPv3 replaces that with the User-based Security Model, adding per-message authentication and encryption (privacy). When a question contrasts the versions or worries about credentials readable on the wire, v3 is the secure answer.
Trap Choosing SNMPv2c for a security-sensitive segment; its community string is sent in cleartext, so only v3 provides authentication and encryption.
7 questions test this
- A security audit reveals that SNMP community strings on network switches are being transmitted in cleartext across the management network.…
- A security auditor discovers that the network monitoring infrastructure uses SNMPv2c with default community strings to manage all devices.…
- A security auditor reports that SNMP community strings are being transmitted in cleartext across the management network, allowing potential…
- During a security audit, an analyst discovers that all network switches are monitored using SNMPv2c with the default 'public' community…
- A security analyst discovers that all managed network devices are configured with the default SNMPv2c community string 'public' for read…
- A network engineer is upgrading SNMP on all managed devices to SNMPv3. The company security policy requires that all management traffic be…
- A security auditor discovers that all network switches are monitored using SNMPv2c with the default 'public' community string. Which of the…
- Flow data is conversation metadata, never payload
A flow record summarizes a conversation as source and destination IP, source and destination port, protocol, byte count, packet count, and timestamps, and deliberately omits the payload. That makes it cheap to store over long windows and ideal for capacity planning, finding top talkers, and spotting anomalies like a host beaconing out or a sudden volume spike. Because it carries no payload, it can never show you what was inside a packet.
Trap Expecting flow data to reveal packet contents; flow records carry only metadata, so payload inspection needs full capture or IDS.
- NetFlow, sFlow, and IPFIX are one category: flow export
Treat the flow family as one tool for the exam. NetFlow is Cisco's original export protocol (v9 the common version), sFlow is a sampling-based alternative that exports every nth packet's header plus interface counters for very low overhead on fast switches, and IPFIX (IP Flow Information Export) is the IETF-standardized, vendor-neutral form built from NetFlow v9. All three export flow metadata and none capture payload.
- IPFIX is the IETF standard version of NetFlow v9
IPFIX (IP Flow Information Export) is the IETF standard for exporting flow data, defined in RFC 7011 and built directly from Cisco's NetFlow v9. It is the vendor-neutral form of the same flow-export idea, so a question asking for the open, standards-based flow protocol points to IPFIX rather than the vendor-specific NetFlow.
- Full packet capture saves every byte at high storage cost
A protocol analyzer (a sniffer) performs full packet capture, saving headers and payload so you can read application content and reconstruct an entire session. That power costs heavy storage and slow search, which forces short retention, so capture is for targeted deep troubleshooting and forensics, not always-on volume monitoring. When the goal is to see the actual contents of the traffic, capture is the only source that shows it.
Trap Picking flow data when the question needs the actual packet contents; flow has no payload, so only full capture reads the bytes.
- Port mirroring (SPAN) copies traffic to the analyzer
To capture traffic that is not addressed to the analyzer itself, you duplicate it with port mirroring, also called a SPAN (Switched Port Analyzer) session, which copies traffic from one or more source ports to the analyzer port. A hardware tap does the same job inline. Without a mirror or tap, a switch only forwards frames to their destination port, so the analyzer would see nothing.
- Syslog centralizes event logs off the originating host
Syslog ships each device's event messages to a central collector, which both protects the records and lets you search every device's events in one place. Centralizing matters for security because a copy already shipped off-host survives an attacker wiping the local logs, and it matters for operations because one query spans the whole network instead of logging into each box.
- Syslog severity runs 0 Emergency to 7 Debug, where lower is worse
Each syslog message carries a severity on a fixed 0-to-7 scale, and the direction is inverted from intuition: 0 is Emergency (system unusable) and 7 is Debug, with Alert, Critical, Error, Warning, Notice, and Informational in between. A filter for severity 3 and below therefore captures Error, Critical, Alert, and Emergency, the messages you actually act on. The separate facility field (values 0 to 23) names which subsystem produced the message.
Trap Treating severity 7 as the most critical; the scale is inverted, so 0 Emergency is most urgent and 7 Debug is least.
- A SIEM aggregates and correlates logs; it is not a sensor
A Security Information and Event Management (SIEM) system provides centralized logging for many log types, ingesting syslog, flow records, and device logs and correlating events across sources into one storyline, for example tying a firewall port scan to a later endpoint alert and a data upload. The SIEM sees the cross-source pattern no single device could, but it does not itself scan for malware or block traffic, which are sensor jobs.
Trap Naming the SIEM as the component that scans for malware or blocks a file; those are sensor jobs, the SIEM only aggregates and correlates.
- Establish a performance baseline before setting alert thresholds
A performance baseline is a recorded picture of normal CPU and memory utilization, interface throughput, error and discard counters, and latency, sampled over time. It is the reference an alert is measured against, because a reading like 70% CPU only means something once you know normal is 20%. Establish the baseline first, then alert on deviation from it; without a baseline a threshold is a guess.
Trap Setting alert thresholds from intuition with no baseline; deviation from recorded normal, not an arbitrary number, is what signals a problem.
4 questions test this
- A network administrator is preparing to upgrade the firmware on several core switches. Which of the following should the administrator…
- After completing a scheduled WAN circuit upgrade, users report no improvement in application response times. Which of the following would…
- After completing a scheduled network change, a technician compares current latency and throughput readings against previously recorded…
- A network team recently upgraded the firmware on several core switches. Users are now reporting intermittent latency issues. Which of the…
- Key performance metrics: utilization, errors, discards, and latency
The core health metrics to watch are CPU and memory utilization, interface bandwidth utilization, interface error and discard (drop) counters, and round-trip latency. Rising error or discard counters on an interface point to a physical or congestion problem, and tracking utilization against the baseline shows whether a link needs upgrading. These are the counters SNMP polling typically collects.
- Streaming telemetry pushes metrics through device APIs
Modern platforms increasingly collect metrics through device APIs as streaming telemetry, where the device pushes fine-grained data continuously instead of waiting to be polled. This complements or replaces scheduled SNMP polling, giving denser, more timely data, and is the answer when a question describes continuous API-driven metric streaming rather than interval polling.
- Flow beats capture for volume; a poll beats a capture for up/down
When two tools could technically work, the exam wants the lighter one that still answers the question. To learn which hosts dominate a link and by how much, flow data answers it without the storage burden of full capture. To confirm a device or interface is up, an SNMP poll or trap answers it without capturing any traffic at all. Capture is reserved for when you genuinely need the payload.
Trap Defaulting to packet capture because it sees everything; its storage and search cost make it the wrong first reach when metadata answers the question.
- SNMP polls on UDP 161 and receives traps on UDP 162
The manager polls agents with GET and SET requests over UDP port 161, and agents push asynchronous trap and inform notifications back to the manager on UDP port 162. A firewall must allow inbound UDP 162 at the NMS for traps to arrive, which is the usual cause of polling working while traps silently vanish.
Trap Swapping the two ports, expecting traps on 161; 161 is for polling, 162 is for the unsolicited notifications.
4 questions test this
- A firewall administrator needs to allow SNMP trap notifications from managed network devices to reach the central NMS server. Which of the…
- A firewall administrator needs to create rules allowing the NMS to poll managed devices and receive asynchronous SNMP alerts. Which of the…
- A firewall administrator needs to allow SNMP monitoring traffic between managed devices and the network management system. The NMS must…
- A network administrator configures managed switches to send SNMP trap notifications to the NMS, but the NMS is not receiving any traps.…
- Syslog forwards log messages on UDP port 514
Standard syslog uses UDP port 514 as its well-known destination port for forwarding event messages to a centralized collector. A firewall rule permitting devices to log centrally must allow UDP 514 inbound to the syslog server.
- SNMPv3 has three security levels: noAuthNoPriv, authNoPriv, authPriv
noAuthNoPriv neither authenticates nor encrypts; authNoPriv verifies the sender's identity but sends the payload in the clear; authPriv both authenticates the sender and encrypts the payload. Match the level to the policy: authentication-only requirements call for authNoPriv, while requirements to also stop eavesdropping call for authPriv.
Trap Choosing authPriv when the policy asks only to verify the sender; encryption is extra overhead the requirement did not ask for, so authNoPriv is the precise answer.
5 questions test this
- A security audit reveals that SNMP community strings on network switches are being transmitted in cleartext across the management network.…
- A network administrator is configuring SNMPv3 on managed switches. The security policy requires verifying that SNMP messages originate from…
- A security auditor reports that SNMP community strings are being transmitted in cleartext across the management network, allowing potential…
- A network administrator is deploying SNMPv3 to monitor core switches and needs to ensure that SNMP messages are both verified for sender…
- A network engineer is upgrading SNMP on all managed devices to SNMPv3. The company security policy requires that all management traffic be…
- RSPAN carries mirrored traffic between switches over a dedicated VLAN
Remote SPAN extends port mirroring across separate switches by tagging the copied frames into a dedicated RSPAN VLAN. That VLAN must be allowed on every trunk link between the source switch and the switch hosting the analyzer, so the mirror can reach a destination in another wiring closet or building.
- A capture NIC needs promiscuous mode to see mirrored traffic
By default a network adapter discards frames not addressed to its own MAC. Promiscuous mode makes the adapter accept every frame that arrives on the interface, which is required for a protocol analyzer plugged into a SPAN destination port to display the mirrored traffic rather than only its own.
Disaster Recovery
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- RPO is the maximum data loss you can tolerate, measured in time
The recovery point objective (RPO) is the point in time to which data must be recovered after an outage, so it expresses the maximum acceptable data loss as a span of time, not a clock duration of downtime. A one-hour RPO means losing at most the last hour of data is acceptable. It is a target you set in advance, typically during a business impact analysis, not a value measured from equipment.
Trap Reading RPO as how long the system can be down; that is RTO. RPO is about data loss, measured backward from the disaster to the last good backup.
- RPO sets backup frequency: the interval can never exceed the RPO
Because RPO is the most data you can afford to lose, your backup or replication interval must be no longer than the RPO. A one-hour RPO requires backups at least hourly; a near-zero RPO requires continuous replication rather than nightly tape. The tighter the RPO, the more often (and more expensively) you must capture data.
Trap Setting backup frequency from the downtime target (RTO); backup cadence is governed by RPO, the data-loss target.
10 questions test this
- A network administrator must ensure that no more than 30 minutes of transaction data is lost during a disaster. Which of the following…
- A company's disaster recovery plan specifies a 2-hour RPO for its financial database. The current backup strategy runs incremental backups…
- A company requires that its email system can lose no more than 30 minutes of data during a disaster. The backup administrator must…
- A server failure occurs at 3:00 PM. The last successful backup was completed at 10:00 AM. The organization's RPO for this server is 4…
- A company wants to reduce its RPO from 24 hours to 15 minutes for a mission-critical database. Which of the following changes to the backup…
- A company's disaster recovery plan specifies an RPO of 4 hours for a critical database server. Which of the following describes the impact…
- A company's disaster recovery plan specifies an RPO of 4 hours for its financial database. Which of the following backup strategies would…
- An organization has an RPO of 1 hour for its critical database server. Which of the following backup strategies would meet this requirement?
- A junior network administrator is reviewing a disaster recovery plan and asks about the purpose of RPO. Which of the following best…
- A company has established an RPO of 4 hours for its critical file server. The backup team currently performs a single full backup each…
- RTO is the maximum downtime you can tolerate before unacceptable harm
The recovery time objective (RTO) is the overall length of time a system can be in the recovery phase before it negatively impacts the organization's mission. It is the clock that starts when service drops and stops when service is restored, so a four-hour RTO means the business can be down for up to four hours. Like RPO, it is a target you choose, not a measured statistic.
Trap Confusing RTO with how much data can be lost; data loss is RPO. RTO is downtime, measured forward from the disaster to service restored.
- RTO drives the recovery method and the recovery-site tier
A long RTO can be met by restoring from backup tape, but a short RTO cannot wait for a restore and forces faster machinery: a standby site, replicated systems, or automated failover. The shorter the RTO, the more you must pre-stage and the more it costs. This is why RTO, not RPO, points you toward a cold, warm, or hot site.
7 questions test this
- An organization's disaster recovery plan specifies a maximum RTO of 15 minutes for a mission-critical application. Which of the following…
- During a disaster recovery test, restoring the primary application server from backup takes 6 hours. The application's defined RTO is 2…
- An organization requires a disaster recovery solution that restores critical services within minutes of a complete site failure. Which of…
- An organization's SLA requires that its primary application must be restored within 15 minutes after an outage. Which of the following…
- A network engineer must select a disaster recovery solution for a system that requires near-zero data loss and recovery within seconds.…
- An organization requires an RTO of less than five minutes for its mission-critical order processing system. Which of the following disaster…
- A business requires critical network systems to be restored within minutes and with near-zero data loss after a disaster. Which of the…
- RPO and RTO are independent: one governs data, the other governs downtime
RPO and RTO are set separately because they protect different things, and a system can have a tight one and a loose other. A bank may tolerate hours of downtime (loose RTO) but almost no transaction loss (near-zero RPO); a marketing site may tolerate losing a day of edits (loose RPO) but need to be back in minutes (tight RTO). Hold the one-line split: RPO is how much data can we lose, RTO is how long can we be down.
Trap Swapping RPO and RTO, the single most common DR distractor; backups and data loss are RPO, downtime and time-to-restore are RTO.
- RPO and RTO are objectives you set; MTTR and MTBF are properties you measure
The cleanest way to keep the four DR acronyms straight is by origin: RPO and RTO are objectives chosen before any failure, while MTTR and MTBF are statistics calculated after observing real failures. You declare an RTO in a plan, but you cannot declare an MTBF; you compute it from failure history.
Trap Treating MTTR or MTBF as a target you assert in a plan the way you set an RTO; only RPO and RTO are chosen objectives.
- MTTR is the average time to repair a failed component (recoverability)
Mean time to repair (MTTR) is the average time it takes to restore a failed component once it breaks, computed by dividing total repair time by the number of failures. It measures recoverability, so it drives spare-parts inventory, on-call staffing, and whether a vendor's support response is fast enough. A lower MTTR is better and directly helps you meet a tight RTO.
3 questions test this
- A network manager reviews incident reports and calculates that the average time to restore service after equipment failures is 4 hours.…
- During a quarterly review, a network administrator reports that the average time required to restore failed network devices to operation…
- A network engineer documents that a WAN router operates an average of 5,000 hours between failures and requires an average of 2 hours for…
- MTBF is the average operating time between failures (reliability)
Mean time between failures (MTBF) is the average operating time between failures of a repairable system, so a high MTBF means failures are rare. It measures reliability, which is why it drives design choices: which component to buy and when to schedule redundancy or proactive replacement before a part is likely to fail. A higher MTBF is better.
Trap Confusing MTBF (time between failures, reliability) with MTTR (time to repair, recoverability); MTBF answers how reliable, MTTR answers how fast to fix.
3 questions test this
- A network administrator reviews maintenance logs for a distribution switch. Over a 12-month period, the switch accumulated 8,000 hours of…
- After implementing proactive maintenance and upgrading power supplies on a distribution switch, a network administrator observes that the…
- A network engineer documents that a WAN router operates an average of 5,000 hours between failures and requires an average of 2 hours for…
- A cold site has space, power, and cooling but no IT equipment
A cold site is a backup facility with the necessary electrical and physical components (space, power, cooling) but no computer equipment in place. It is the cheapest tier to keep on standby and the slowest to activate, because after the disaster you must install and configure hardware and then load data, so recovery takes days. It fits a long RTO on a tight budget.
- A warm site is partially equipped and needs current data loaded
A warm site is an environmentally conditioned work space partially equipped with information systems and telecommunications gear. Most of the equipment is already there, so you load current data and finish setup before cutting over, which puts recovery in hours. It is the middle of the cost-versus-speed ladder, between a cold and a hot site.
- A hot site is fully operational and ready to take over in minutes
A hot site is a fully operational offsite facility equipped with hardware and software and kept continuously updated, so it mirrors production and can take traffic almost immediately, putting recovery in minutes. It delivers the shortest RTO and is the most expensive tier to run because it duplicates production and stays synchronized.
6 questions test this
- An organization's disaster recovery plan specifies a maximum RTO of 15 minutes for a mission-critical application. Which of the following…
- During a disaster recovery test, restoring the primary application server from backup takes 6 hours. The application's defined RTO is 2…
- An organization requires a disaster recovery solution that restores critical services within minutes of a complete site failure. Which of…
- An organization's SLA requires that its primary application must be restored within 15 minutes after an outage. Which of the following…
- A network engineer must select a disaster recovery solution for a system that requires near-zero data loss and recovery within seconds.…
- A business requires critical network systems to be restored within minutes and with near-zero data loss after a disaster. Which of the…
- Pick the cheapest recovery-site tier that still meets your RTO
The three site types are a deliberate trade of ongoing cost against recovery speed: higher cost buys a lower RTO. The selection rule is to choose the least expensive tier that still satisfies the RTO, not always the fastest one. A near-zero RTO with budget points to a hot site; a long RTO on a tight budget tolerates a cold site; a warm site splits the difference.
Trap Choosing a hot site when a loose RTO and a tight budget would be met by a cold or warm site; the correct tier is the cheapest one that meets the RTO.
- Active-active runs all nodes live, sharing load and surviving a node loss
In an active-active design every node carries live traffic at the same time, so the design both spreads load and survives the loss of a node because survivors absorb the failed node's share. This gives the shortest recovery, often with no perceptible outage, but it is the most expensive and complex because every node must be sized for extra load and kept fully synchronized.
3 questions test this
- An organization requires an RTO of less than five minutes for its mission-critical order processing system. Which of the following disaster…
- A financial services company requires near-zero data loss and near-zero downtime for its transaction processing system. Which of the…
- An organization operates two geographically separated data centers in an active-active disaster recovery configuration. Which of the…
- Active-passive keeps a standby idle until a failover promotes it
In an active-passive design the primary handles all traffic while the secondary stands by idle (or warm) until a failover promotes it to active. It is simpler and cheaper than active-active because the standby does not serve users day to day, but recovery includes the failover delay and the standby's capacity is unused until something breaks. A hot site fronted by automated failover is the active-passive design that gets closest to active-active recovery time.
Trap Assuming active-passive recovers as instantly as active-active; active-passive still incurs the failover delay before the standby takes traffic.
- A tabletop exercise validates the plan by discussion, touching no systems
A tabletop exercise (walkthrough) is a discussion in which the recovery team talks through the plan against a scenario to surface gaps and ambiguities. No systems are touched, so it is the cheapest and safest test and the natural first step, but it only proves the plan reads correctly, not that it actually works under load.
Trap Believing a passed tabletop proves the recovery site works; a discussion only validates the documented plan, not real recovery.
- A simulation models the disaster and response without a real cutover
A simulation exercises procedures and decision-making against a constructed disaster scenario more concretely than a discussion, but without performing a real production cutover. It catches process problems a tabletop misses while still keeping production untouched, so it sits above tabletop and below parallel on the fidelity ladder.
- A parallel test runs the recovery site alongside live production
A parallel test stands the recovery systems up for real and runs them alongside live production, with real data flowing into the recovery environment to confirm it produces correct results. Production stays primary the whole time, so users are never at risk, which makes the parallel test the way to prove the recovery site actually functions without betting the business on it.
- A full failover test actually shifts production to the recovery site
A full failover test (full-interruption test, or cutover) actually moves production to the recovery site exactly as a real disaster would. It is the only test that proves end-to-end recovery including the failover mechanism and real user load, and it is the most disruptive and risky, so it is run rarely, in a maintenance window, with a tested back-out to the primary.
- DR tests climb a fidelity ladder: tabletop, simulation, parallel, full failover
DR plans are exercised on a ladder of increasing realism and risk: tabletop (discuss), simulation (model), parallel (run beside production), then full failover (shift production over). Each rung proves more but disrupts and endangers more, so you start low and climb only as the plan earns trust. Pick the lowest rung that answers the question being asked.
- A documented DR plan is not a tested recovery capability
A written runbook proves nothing about whether recovery actually works; stale documentation, expired credentials, or an undersized replication link surface only when the plan is exercised. Until a parallel or full-failover test runs it end to end, assume the plan has untested gaps, which is why periodic testing is part of disaster recovery rather than an optional extra.
Trap Treating the existence of a polished runbook as proof the plan works; only an end-to-end test (parallel or full failover) demonstrates real recovery.
- Recovery metrics come out of the business impact analysis
RPO and RTO are not picked arbitrarily; they are derived during a business impact analysis (BIA), the exercise that identifies an organization's critical processes and the cost of their disruption over time. The BIA quantifies how much downtime and data loss each process can tolerate, and those tolerances become the RTO and RPO that the rest of the DR plan is built around.
- Availability equals MTBF divided by the sum of MTBF and MTTR
The standard availability percentage is MTBF / (MTBF + MTTR) x 100, where MTBF is the mean time between failures and MTTR is the mean time to repair. Availability rises when you increase MTBF (failures become rarer) and when you decrease MTTR (repairs become faster).
Trap Computing MTBF / MTTR instead of MTBF / (MTBF + MTTR); the denominator is total time, the uptime plus the repair time, not the repair time alone.
4 questions test this
- A network switch has an MTBF of 950 hours and an MTTR of 50 hours. Using the standard availability formula, which of the following is the…
- A network switch has an MTBF of 2,400 hours and an MTTR of 12 hours. Using the standard availability formula, which of the following is the…
- A firewall has an MTBF of 2,000 hours and an MTTR of 2 hours. Using the standard availability formula, which of the following is the…
- A network administrator wants to improve overall network availability using mean-time metrics. Which of the following changes to these…
- Tightening RPO and RTO drives up cost and complexity
Lowering the RPO forces more frequent backups or continuous replication, and lowering the RTO forces faster recovery mechanisms such as hot standby infrastructure. Both moves trade money and operational complexity for less data loss and shorter downtime, so aggressive objectives carry a higher price tag.
Network Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Remote Access and Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Security
Logical Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Encrypt data in both transit and at rest, they are separate layers
Encryption in transit protects data while it crosses the network and encryption at rest protects it while stored on disk, and the two are independent controls. A system can secure one and leave the other open, so TLS on the wire does nothing for a stolen backup tape, and full-disk encryption does nothing for credentials sniffed off the network. Always confirm which state the scenario is actually leaving exposed.
Trap Assuming TLS or HTTPS also protects stored data; it only covers the wire, so at-rest encryption is still needed on disk and backups.
2 questions test this
- TLS secures application traffic in transit; require 1.2+ and prefer 1.3
TLS is the dominant in-transit protocol, wrapping HTTP into HTTPS and tunneling TLS/SSL VPNs over TCP 443. NIST SP 800-52 Rev. 2 requires servers to support TLS 1.2 as the minimum and to prefer TLS 1.3, while SSL 2.0/3.0 and TLS 1.0/1.1 are obsolete and must not be used. TLS 1.3 completes its handshake in one round trip and makes forward secrecy mandatory.
Trap Allowing TLS 1.0/1.1 or SSL 3.0 as still acceptable; all are deprecated and fail modern configuration baselines.
- PKI binds an identity to a public key through a CA-signed X.509 certificate
Public key infrastructure issues X.509 certificates that pair a public key with a verified identity, and a certificate authority (CA) signs each one. A verifier trusts the certificate because a chain of signatures runs from it, through any intermediate CAs, up to a root CA already in its trust store. This same chain-of-trust model underpins TLS, EAP-TLS, and code signing.
- A keypair splits into a private key you guard and a public key you share
Asymmetric cryptography gives each party a private key kept secret and a public key distributed freely, and an X.509 certificate carries only the public key. Publishing a certificate therefore exposes nothing secret, because the private key never leaves the owner. Anyone can encrypt to or verify a signature from the public key, but only the private-key holder can decrypt or sign.
Trap Believing a published certificate leaks the private key; the certificate contains only the public key, so the private key stays protected.
- AAA is three distinct steps: authentication, authorization, accounting
Identity and access management runs on AAA: authentication proves who you are, authorization decides what you may do, and accounting records what you did. These are separate concerns, and exam answers split along the same lines, so passing authentication does not by itself grant any access. A protocol or control usually targets one or two of the three, not all interchangeably.
Trap Treating successful authentication as authorization; proving identity does not decide what the user is permitted to do.
- MFA needs factors from different categories, not just multiple prompts
Multi-factor authentication combines two or more factors from distinct categories: something you know (password, PIN), something you have (token, smart card, TOTP app), something you are (biometric), and somewhere you are (location). Two factors from the same category are still single-factor, so a password plus a PIN is single-factor because both are things you know, and a fingerprint plus a face scan is single-factor because both are things you are. Count categories, not the number of prompts.
Trap Counting password plus security question as MFA; both are something you know, so it remains single-factor.
3 questions test this
- A security administrator is implementing multi-factor authentication for remote VPN users. Which of the following credential combinations…
- A data center requires two-factor authentication for physical entry. Staff must tap a proximity card and then scan a fingerprint before the…
- A network administrator configures VPN access to require a password and a one-time code from a hardware token. Which of the following…
- TOTP gives a something-you-have factor from a rotating code
A time-based one-time password (TOTP) derives a short code from a shared seed and the current time, rotating roughly every 30 seconds. It supplies a something you have factor without dedicated hardware, since the authenticator app holds the seed. On the exam, a code that changes every 30 seconds from an app is TOTP, a possession factor, not a knowledge factor.
- Geofencing is the somewhere-you-are factor
Geofencing restricts or conditions access based on physical location, enforcing the somewhere you are factor. It can require that a login originate from inside a building, campus, or country before access is granted. It adds context to authentication rather than replacing the identity-proving step.
- Least privilege grants only the access a task requires
Least privilege means giving each user or process only the permissions its job needs and nothing more, which shrinks the blast radius of a compromised account. It is the principle every access-control model rides on, including RBAC, MAC, DAC, and ABAC. Combine it with MFA so a stolen password alone cannot reach much.
- RBAC ties permissions to roles, so access follows job function
Role-based access control (RBAC) assigns permissions to roles and assigns users to roles, so access follows job function rather than being granted per individual. It implements least privilege at scale because adding or removing a person is a role change, not a permission audit. The exam tell is access keyed to a job role.
Trap Confusing RBAC with ABAC; RBAC keys access to job roles, while ABAC decides on contextual attributes like device, time, or location.
4 questions test this
- A company uses NAC to authenticate users on the corporate wireless network and assign them to VLANs based on their organizational role.…
- A company wants its help desk staff to reset user passwords and unlock accounts while preventing them from changing switch or firewall…
- A network administrator needs to ensure that junior technicians can only view device configurations while senior engineers have full…
- A company requires that network administrators have full access to manage switches and routers, while helpdesk staff can only view device…
- Access-control models differ on who controls the policy
MAC is enforced by the system against labels and clearances and cannot be overridden by the owner, DAC lets the resource owner grant access at their discretion (file ACLs), RBAC ties permissions to job roles, and ABAC decides on attributes of the subject, object, action, and environment. The exam tells: system enforces classification and owner cannot override is MAC, owner decides sharing is DAC, access keyed to job function is RBAC, and decision depends on context is ABAC. All four ride on least privilege.
Trap Calling owner-controlled file permissions mandatory access control; owner discretion is DAC, while MAC is system-enforced via labels the owner cannot change.
- SSO lets one authentication serve many applications
Single sign-on (SSO) authenticates the user once and grants access to many applications without re-entering credentials, reducing password fatigue. When the apps span organizations, SSO is federated: an identity provider asserts the user's identity to many service providers. SSO is a convenience and consistency layer over authentication, not an authorization model.
- SAML is the XML standard for enterprise web SSO federation
SAML 2.0, an OASIS standard, is the XML browser-redirect protocol for enterprise web single sign-on. An identity provider authenticates the user and issues a digitally signed assertion that a service provider trusts, carrying authentication plus attributes over HTTPS rather than a dedicated AAA port. Choose SAML when the scenario is one login across many web applications in a federation.
Trap Picking LDAP for cross-organization web SSO; LDAP is the directory store the flow resolves against, while SAML is the federation protocol.
3 questions test this
- A company deploys SAML so that employees authenticate once at a corporate login page and then access multiple cloud applications without…
- A company needs employees to authenticate once with the corporate identity provider and then seamlessly access multiple cloud-based…
- A company deploys SAML-based SSO so employees can access multiple cloud applications using a single login. Which of the following…
- RADIUS does AAA over UDP and encrypts only the password
RADIUS (RFC 2865) runs over UDP using authentication port 1812 and accounting port 1813 (legacy 1645/1646), is cross-vendor, and is the standard authentication server behind 802.1X and wireless access. It encrypts only the User-Password attribute in the packet and combines authentication with authorization in one exchange. That makes it ideal for is this user allowed onto the network but weak for fine-grained per-command control.
Trap Assuming RADIUS encrypts the whole packet; only the User-Password attribute is hidden, leaving the rest in cleartext.
5 questions test this
- An enterprise deploys 802.1X authentication on its switches integrated with a RADIUS server. When employees authenticate, the RADIUS server…
- An organization deploys 802.1X authentication and wants employees from different departments to be automatically placed on separate VLANs…
- After deploying 802.1X on all switch ports, a network engineer wants authenticated users to be dynamically placed into VLANs based on their…
- A hospital uses 802.1X authentication so that clinical staff are dynamically placed on the medical VLAN and administrative staff are placed…
- A firewall administrator needs to permit RADIUS authentication traffic between a wireless controller and the authentication server. Which…
- TACACS+ runs over TCP 49, separates AAA, and obfuscates the whole body
TACACS+ (RFC 8907) runs over TCP port 49, is Cisco-originated, obfuscates the entire packet body, and separates authentication, authorization, and accounting into independent functions. That separation is what lets it authorize and log individual administrator commands, so it is the answer for centralized device-administration control on network gear. Reach for it when per-command authorization or full-payload protection matters.
- RADIUS vs TACACS+: network access vs device administration
RADIUS uses UDP (1812/1813), is cross-vendor, encrypts only the password, and combines authn with authz, fitting 802.1X and wireless network access. TACACS+ uses TCP 49, is Cisco-originated, obfuscates the whole body, and separates the three A's, fitting granular administrator command control on network devices. Match the stem: get-onto-the-network is RADIUS, authorize-each-admin-command is TACACS+.
Trap Choosing RADIUS to authorize individual admin commands; it combines authn/authz and encrypts only the password, so TACACS+ with separated AAA is the fit.
- LDAP is the directory store, not an AAA protocol
LDAP (Lightweight Directory Access Protocol, RFC 4511) holds user and group objects and answers directory lookups; it is not itself an AAA protocol. Plain LDAP listens on TCP 389, and secured over TLS it becomes LDAPS on TCP 636. RADIUS, SAML, and SSO flows commonly resolve identities against an LDAP directory behind the scenes.
Trap Treating LDAP as the single sign-on protocol; it is the backing directory, while SAML or another federation protocol performs the SSO.
- 802.1X authenticates a port or SSID before passing general traffic
IEEE 802.1X is port-based network access control that gates a wired switch port or wireless SSID before an IP address is issued, using a supplicant (client), an authenticator (switch or AP), and an authentication server (typically RADIUS). The supplicant and authenticator exchange EAP over the LAN and the authenticator relays credentials to the RADIUS server. EAP-TLS within this flow uses client certificates for the strongest mutual authentication.
3 questions test this
- An enterprise deploys 802.1X authentication on its switches integrated with a RADIUS server. When employees authenticate, the RADIUS server…
- In an 802.1X port-based network access control deployment, which of the following describes the role of the authenticator?
- In an 802.1X port-based NAC deployment, which of the following is responsible for relaying EAP messages between the endpoint and the RADIUS…
- IPsec secures whole IP packets for VPN tunnels
IPsec protects data in transit at the IP layer and is the classic choice for site-to-site and remote-access VPN tunnels, encrypting whole packets with ESP. A TLS/SSL VPN over TCP 443 is the alternative when you need clientless, NAT-friendly access through firewalls. Pick IPsec for gateway-to-gateway tunnels and a TLS VPN when browser-based or firewall-traversal access is the priority.
- Authorization decides access only after authentication succeeds
Authentication and authorization are sequential and distinct: the system first verifies identity, then a separate step decides what that verified identity may do. A user can be correctly authenticated yet authorized for nothing, and a permission change never re-proves identity. Keeping them separate is why TACACS+ can authorize each command independently of the initial login.
Physical Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Deception Technologies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Terminology
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A vulnerability is the weakness, not the attacker or the payload
A vulnerability is a weakness in a system, security procedure, internal control, or implementation that a threat could exploit or trigger, an unpatched service, a default password, an open port. It is a state of the system, never the actor and never the code thrown at it. Pin this down first because most labeling questions on this topic hinge on separating the weakness from the thing that abuses it.
Trap Calling the crafted input or malware the vulnerability; that payload is the exploit or attack, while the vulnerability is the underlying flaw it abuses.
- A threat is the actor or event with potential to cause harm
A threat is any circumstance, event, or actor with the potential to adversely impact operations, assets, or individuals: a ransomware gang, a malicious insider, a flood, a power failure. It describes the source of possible harm, not the weakness and not the technique. You usually cannot control a threat directly, which is why network controls target the vulnerability side instead.
- An exploit is the technique or code that abuses a vulnerability
An exploit is the actual method, tool, or code a threat uses to take advantage of a vulnerability, a Metasploit module, a crafted SQL string, an oversized buffer-overflow input. It is the action against the system, distinct from both the weakness it targets and the actor running it. If a stem hands you a packet, a script, or a malicious message, that is the exploit, not the vulnerability.
Trap Treating the exploit as the vulnerability; the exploit is the action taken, the vulnerability is the hole it goes through.
4 questions test this
- After a network breach, forensic analysis reveals that the attacker leveraged a publicly available script targeting a known buffer overflow…
- A network administrator reviews an IPS log showing that multiple packets were dropped because they matched signatures for a recently…
- A security researcher publishes proof-of-concept code that leverages an unpatched buffer overflow in a network switch's management…
- An IDS generates an alert indicating that traffic designed to take advantage of a known software flaw was sent to a web server. In security…
- Risk is the likelihood a threat hits a vulnerability times the impact
Risk is a measure of how threatened an asset is, typically a function of the likelihood an event occurs and the adverse impact if it does, so think risk = likelihood x impact. A related shorthand is risk = threat x vulnerability: drive either factor toward zero and realized risk follows. Because it is a product, a single problem often has more than one valid mitigation depending on which factor you attack.
- A threat exploits a vulnerability to realize risk
The four core terms form one causal chain: a threat uses an exploit to abuse a vulnerability, and the outcome is realized risk. Reading a scenario as this chain, rather than four isolated words, tells you exactly which label fits each clause. The same incident can ask you to name the open port, the attacker, the tool, or the business measure.
- Reduce risk by lowering likelihood or impact, not just one
Since risk is likelihood times impact, you can cut it on either axis. Patching, hardening, and segmentation lower the likelihood a threat reaches a vulnerability; redundancy, backups, disaster recovery, and cyber-insurance lower the impact when it does. An exam item offering one defense of each type is testing that you see risk as a two-factor product rather than a single lever.
Trap Assuming only patching reduces risk; adding redundancy or transferring the loss via insurance lowers impact and is equally valid risk reduction.
- The four risk responses are avoid, mitigate, transfer, accept
Once you understand a risk, you choose how to handle it: avoid (stop the risky activity), mitigate or reduce (apply controls, the usual network answer), transfer (shift the financial loss to a third party like an insurer), or accept (formally acknowledge a low or unavoidable risk and proceed). Whatever remains after controls is residual risk. Accepting residual risk is a deliberate, documented decision, not negligence.
Trap Picking an option that promises to eliminate risk entirely; residual risk always remains, so accept or transfer is often the mature, correct answer.
- Confidentiality keeps data secret with encryption and access control
Confidentiality preserves authorized restrictions on access and disclosure, the C in the CIA triad. You enforce it with encryption (in transit and at rest) and access control. A packet sniffer reading a cleartext Telnet password is a confidentiality failure, and the fix is to encrypt the channel by using SSH instead of Telnet.
Trap Mapping eavesdropping to integrity; reading data without changing it breaks confidentiality, while integrity is about unauthorized modification.
- Integrity guards against improper change with hashing and signatures
Integrity guards data against improper modification or destruction and includes non-repudiation and authenticity, the I in the CIA triad. You enforce it with cryptographic hashes (a checksum that changes if any bit changes) and digital signatures. An on-path attacker silently altering a file in transit is an integrity failure, caught because the recomputed hash no longer matches.
Trap Choosing encryption to ensure integrity; encryption protects confidentiality, while a hash or signature is what detects tampering.
- Availability keeps systems reachable with redundancy and DR
Availability ensures timely and reliable access to information and systems, the A in the CIA triad. You enforce it with redundancy, failover, load balancing, backups, and disaster recovery. A DDoS flood that knocks a web server offline is an availability failure, and the answer is capacity, filtering, and redundancy rather than encryption.
Trap Reaching for encryption to fix a DoS outage; encryption protects confidentiality and does nothing for availability, which needs redundancy and filtering.
- Map a security incident to the CIA goal it violates
The exam often names an incident and asks which security goal it broke. Eavesdropping or data leakage is a Confidentiality failure, tampering or a failed checksum is an Integrity failure, and an outage, DoS, or hardware failure is an Availability failure. Reverse it for controls: encryption serves confidentiality, hashing and signatures serve integrity, redundancy and backups serve availability.
- CompTIA folds authenticity and non-repudiation into integrity
Some references extend the CIA triad with Authenticity (data genuinely comes from who it claims) and Non-repudiation (the sender cannot deny sending it), but in CompTIA's model these live inside Integrity. Do not reach for a fourth security goal on a CIA mapping question unless the stem explicitly introduces one.
- AAA is three stages: authentication, authorization, accounting
AAA stands for Authentication, Authorization, and Accounting, three distinct stages. Authentication proves who you are (password, token, certificate, biometric), authorization decides what that proven identity may do (which VLAN, which files, read versus write), and accounting logs what was actually done for audit, forensics, and billing. RADIUS and TACACS+ are the protocols that centralize AAA for network devices.
- Login success but no access is an authorization failure
When a user authenticates fine but cannot reach a resource, they passed authentication and failed authorization. The remediation is a permission, group, or ACL change, not a credential reset. The reverse, being unable to log in at all, is the authentication problem; keep the two stages separate.
Trap Resetting the user's password when they can log in but cannot reach a share; the credentials already worked, so the fix is an authorization change.
- Attack surface is the whole boundary; a vector is one route in
The attack surface is the set of all points on a system's boundary where an attacker could try to enter, affect, or extract data, every open port, exposed service, account, and interface. An attack vector (threat vector) is a single route an intrusion actually takes, such as a phishing email or an exposed RDP port. Hardening shrinks the attack surface so fewer vectors exist.
Trap Using attack surface and attack vector interchangeably; the surface is the aggregate of all entry points, while a vector is one specific path through it.
- A zero-day exploits an unknown flaw, so no patch exists yet
A zero-day is an attack against a previously unknown vulnerability the vendor and public do not yet know about. Because no patch or signature exists, applying the vendor patch is impossible by definition. The correct mitigations are compensating and behavioral controls: segmentation, least privilege, anomaly detection, and virtual patching at an IPS, until a real fix ships.
Trap Selecting apply the vendor patch for a zero-day; no patch exists for an unknown flaw, so the answer is compensating controls until one is released.
- Hardening reduces risk by shrinking the attack surface
Device and network hardening lowers risk by removing reachable weaknesses: close unused ports, disable unnecessary services, change default credentials, and segment the network. Each removed exposure is one fewer vulnerability for a threat to exploit, which is the likelihood side of risk = likelihood x impact. The goal is fewer entry points, not a single perfect control.
1 question tests this
Audits and Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Segmentation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Attacks
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Match an attack to the control at the layer it abuses
Network+ attack items reduce to one move: name the attack, place it on the OSI stack, and the control usually sits at that same layer. A SYN flood is an L3/L4 availability attack answered upstream, ARP poisoning is an L2 on-path attack answered by Dynamic ARP Inspection, and DNS spoofing is a service attack answered by DNSSEC. The distractors are typically real controls for the wrong layer, so the only way to pick wrong is to misplace the attack.
- DoS and DDoS attack availability, the A of the CIA triad
A denial-of-service exhausts bandwidth, a connection table, or CPU so legitimate users are turned away, attacking availability rather than confidentiality or integrity. A distributed denial-of-service launches the same assault from a botnet of many sources, which is what makes blocking one source IP useless. Recognize it by symptom: the service is reachable for normal load but collapses under flood, with no data theft involved.
Trap Labeling a DDoS as an integrity or confidentiality attack; it degrades availability, and no data is read or altered.
- Mitigate DDoS upstream, because the firewall is the bottleneck
A volumetric DDoS saturates the link itself, so a stateful firewall or single ACL on the edge box is the very thing being overwhelmed and cannot help. The working controls live closer to the source: rate limiting, anti-spoofing filters at the network edge, and a cloud-based scrubbing service that absorbs and cleans traffic before it reaches your link. The exam tell is scale, a distributed attack is never solved by one rule on one device.
Trap Choosing a stateful firewall to stop a volumetric DDoS; it becomes the chokepoint the flood saturates rather than the cure.
- Reflection spoofs the victim's IP; amplification multiplies the reply
In a reflection attack the attacker sends queries to third-party servers with the victim's IP spoofed as the source, so every reply lands on the victim. Amplification is the reflection variant that picks protocols where a small request draws a large response, multiplying the attacker's bandwidth; DNS and NTP are classic amplifiers. The tell that separates these from a plain flood is the spoofed source address and the small-query, large-reply ratio.
Trap Calling reflected/amplified traffic a direct flood from the reflectors; the reflectors are unwitting relays, the spoofed victim IP is what aims the replies.
- A SYN flood drains the half-open connection table
A SYN flood opens many TCP handshakes by sending SYNs but never completing them with the final ACK, so the server's table of half-open connections fills and it refuses new sessions. It targets connection-state capacity rather than raw bandwidth, which is why a low-bandwidth attacker can still take a server offline. Defenses include SYN cookies and connection rate limiting that avoid pinning state until the handshake completes.
- MAC flooding overflows the CAM table so the switch fails open
A switch records which MAC lives on which port in its content-addressable memory (CAM) table; MAC flooding sends a storm of frames with bogus source MACs until that table is full. With nowhere to learn new mappings the switch fails open and floods frames out every port like a hub, letting the attacker see traffic meant for others. The control is port security, which limits how many MAC addresses a port may learn and shuts down or restricts the port past that cap.
Trap Reaching for DHCP snooping or DAI against MAC flooding; those defend ARP/DHCP, whereas a flooded CAM table is answered by port security.
3 questions test this
- After successfully performing a MAC flooding attack against a network switch, which of the following explains why the attacker can capture…
- After a MAC flooding attack successfully fills a switch's CAM table, which of the following best describes the resulting impact on network…
- A network administrator notices that a Layer 2 switch has started forwarding unicast frames to all ports instead of only the intended…
- ARP poisoning is a Layer 2 on-path attack, because ARP has no authentication
ARP maps an IP to a MAC and a host believes any reply it hears, so an attacker can send forged replies claiming the gateway's IP belongs to the attacker's MAC. Victims then send their traffic to the attacker first, which puts the attacker on-path (man-in-the-middle) to read or alter traffic in both directions. Symptoms include the wrong MAC for the gateway and duplicate-IP alarms.
4 questions test this
- A security analyst discovers that multiple hosts on a LAN segment have ARP table entries mapping the default gateway's IP address to an…
- An attacker on a local network sends unsolicited ARP replies that map the default gateway's IP address to the attacker's own MAC address.…
- An attacker on the local network uses ARP spoofing to intercept and read sensitive payroll data being transmitted between a workstation and…
- A security team discovers that an attacker on the local network is intercepting all traffic between users and the default gateway. The ARP…
- Dynamic ARP Inspection needs DHCP snooping to have a binding table
Dynamic ARP Inspection (DAI) stops ARP poisoning by checking every ARP packet on untrusted ports against a trusted IP-to-MAC binding table and dropping forgeries. DAI builds that table from DHCP snooping, so enabling DAI without DHCP snooping leaves it nothing to validate against. The two switch features are deployed together, which is itself a common exam point.
Trap Assuming DAI works standalone; with no DHCP snooping binding table there is no trusted database for DAI to check ARP packets against.
- VLAN double-tagging works only when the access VLAN equals the native VLAN
In a double-tagging VLAN hop the attacker stamps a frame with two 802.1Q tags; the first switch strips the outer tag because it matches the native VLAN and forwards the still-inner-tagged frame onto a trunk, where a second switch delivers it into the target VLAN. The attack is one-way and only succeeds because the attacker's access VLAN is the same as the trunk's native VLAN. The fix is to set the native VLAN to an unused VLAN that no access port belongs to.
Trap Believing double-tagging gives two-way access into the target VLAN; the inner-tagged frame reaches the victim but return traffic has no path back.
- Switch spoofing hops VLANs by negotiating a trunk via DTP
In switch spoofing the attacker's port negotiates a trunk link using the Dynamic Trunking Protocol (DTP), and because a trunk carries every VLAN the attacker then sees them all. The control is to disable DTP and explicitly configure access ports as access mode so they never auto-trunk. Hardening trunking this way, together with moving the native VLAN, closes both VLAN-hopping variants.
Trap Leaving ports on dynamic/auto trunking; an attacker negotiates a trunk via DTP and reaches every VLAN, so disabling DTP is the fix.
3 questions test this
- A network technician discovers that an unauthorized workstation has formed an 802.1Q trunk link with an access layer switch by exploiting…
- A network engineer wants to prevent VLAN hopping attacks caused by switch spoofing on user-facing ports. Which of the following is the most…
- A network administrator wants to prevent attackers from negotiating unauthorized trunk links on access switch ports. Which of the following…
- DNS cache poisoning is fixed by DNSSEC validation
DNS cache poisoning injects a forged record into a resolver's cache so it hands clients a malicious IP for a real hostname, steering every client of that resolver until the bad record expires. DNSSEC defends against it by digitally signing DNS records so a validating resolver can verify origin authenticity and integrity and reject forged answers. Note the scope: DNSSEC authenticates the data, it does not encrypt it, so query confidentiality is a separate problem.
Trap Assuming DNSSEC encrypts DNS traffic for privacy; it provides origin authentication and integrity only, while confidentiality needs DNS over TLS.
- A rogue DHCP server wins by answering first, so use DHCP snooping
DHCP clients accept the first lease offer they receive, so a rogue DHCP server that answers faster than the real one can hand victims a malicious default gateway or DNS server and become on-path. DHCP snooping is the switch control: it marks only the port toward the legitimate DHCP server as trusted and drops server-type DHCP messages (offers and acks) arriving on untrusted access ports. That same snooping binding table is what Dynamic ARP Inspection later relies on.
- An evil twin clones a legitimate SSID to capture clients
A rogue access point is any unsanctioned AP on the network; an evil twin is the specific wireless on-path attack where the attacker broadcasts a legitimate SSID, often at a stronger signal, so clients associate to it and route traffic through the attacker. Detection and prevention use a wireless intrusion prevention system (WIPS) to spot unauthorized radios plus 802.1X so only authenticated devices and users reach the real network. The defense targets authentication and detection, not the airwaves themselves.
Trap Choosing MAC filtering to stop an evil twin; the attacker spoofs an approved MAC, so only mutual authentication (802.1X/WPA3-Enterprise) and WIPS actually defend.
- ARP poisoning, rogue DHCP, and evil twins all lead to one on-path position
On-path (man-in-the-middle) is the position, not a single technique: the attacker sits between two parties and relays traffic while reading or altering it. ARP poisoning, a rogue DHCP gateway, and an evil twin are three different routes to that same position. The control that survives all of them is end-to-end encryption with mutual authentication (TLS, IPsec), because traffic routed through an attacker still cannot be read or silently changed.
- Social engineering attacks the person, so no network device stops it
Social engineering is deception that gets a person to reveal information or grant access by abusing trust, and it never touches the network on the way in, so firewalls, IPS, and ACLs do nothing against it. The defenses are people and process: security awareness training, verification procedures, and physical controls. When a stem describes a human being tricked into giving up access, the answer is a human or physical control.
Trap Offering TLS, a VPN, or a firewall against phishing or tailgating; those protect packets and ports, not the person the attacker is manipulating.
- Phishing is the email channel; spear/vishing/smishing change aim or medium
Phishing is fraudulent email, or a cloned web page, that lures a victim into clicking a link, opening an attachment, or entering credentials; NIST calls it a digital form of social engineering. Variants are distinguished by aim and channel: spear phishing targets a named individual, vishing uses voice calls, and smishing uses SMS. Match the stem on channel and targeting rather than treating them as interchangeable.
Trap Labeling a targeted phone-call scam as phishing; voice phishing is vishing, and a scam aimed at one named person is spear phishing.
- Dumpster diving, shoulder surfing, and tailgating each have a physical fix
These social-engineering techniques bypass technical controls physically: dumpster diving recovers sensitive data from discarded paper or hardware, shoulder surfing reads a screen or keypad over someone's shoulder, and tailgating (piggybacking) follows an authorized person through a secured door. Each fix is physical or procedural: shredding and secure disposal, privacy screens and shielded PIN entry, and a mantrap (access-control vestibule) with guards. The control never lives in the network stack.
Trap Treating tailgating as a network problem; following someone through a door is defeated by a mantrap and badge discipline, not by any switch or firewall setting.
- Spoofing forges what a machine trusts; social engineering forges what a person trusts
Spoofing fakes an address or identity a system relies on, such as a forged source IP, ARP reply, or SSID, so a machine is fooled. Social engineering fakes a story a person relies on, such as a convincing email or a confident stranger at the door. Use this split to choose the control family: spoofing is countered with technical validation (DAI, DNSSEC, 802.1X), social engineering with training and physical procedure.
Security Hardening and Defense
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Troubleshooting
Troubleshooting Methodology
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Know CompTIA's seven troubleshooting steps in exact order
The methodology is a fixed sequence: (1) identify the problem, (2) establish a theory of probable cause, (3) test the theory to determine the cause, (4) establish a plan of action and identify potential effects, (5) implement the solution or escalate, (6) verify full system functionality and implement preventive measures, (7) document findings, actions, outcomes, and lessons learned. The order is the most-tested property, because most questions ask which step comes next or where a described action belongs.
Trap Reordering implement (step 5) before plan of action (step 4); you always plan the change and its effects before applying it.
- Investigation finishes before action: steps 1-3 then 4-7
Steps 1 to 3 are the investigation (identify, theory, test) and steps 4 to 7 are the action (plan, implement, verify, document). The dividing line is a confirmed cause: you never plan or implement a change until a test has proven the theory. Treat any stem that has someone changing configuration before testing as out of order.
Trap Acting on a theory before testing it; an unproven theory sends you back to step 2, never forward to a fix.
- Step 1 is information gathering, not fixing
Identifying the problem covers six activities: gather information from logs and error messages, question users, identify symptoms, determine if anything has changed, duplicate the problem, and approach multiple problems individually. No change is made at this step; its job is to define what is actually broken and how to reproduce it before any theory is formed.
- "Did anything change?" is the highest-yield first question
A network that worked yesterday and fails today almost always broke because of a recent change: a config push, a firmware update, a new device, an expired certificate, or a swapped cable. Determining what changed, by asking users and checking change records, points at the cause faster than any other single activity, which is why CompTIA names it explicitly inside step 1.
Trap Placing "determine if anything changed" under establish a theory (step 2); it is an information-gathering activity inside identify the problem (step 1).
- Duplicate the problem before you spend effort on it
Duplicating the problem proves the symptom is real and reproducible, and it hands you a repeatable test you can rerun after a fix to confirm it worked. If you cannot reproduce a reported fault, you have not yet defined the problem and should keep gathering information rather than guessing at a cause.
- Treat multiple reported faults as separate problems
When a user lists several complaints, approach each as its own problem with its own cause rather than forcing them into one root cause. Bundling unrelated symptoms invents a single fault that does not exist and sends you chasing it, where solving them individually keeps each diagnosis tractable.
Trap Assuming several simultaneous symptoms must share one root cause; unrelated faults solved as one waste time on a phantom cause.
- A theory is a guess; a test is what confirms the cause
Step 2 establishes a theory of probable cause and step 3 tests it to determine the actual cause. The two are deliberately separate because describing a likely cause is not the same as proving it. Question the obvious first (unplugged cable, disabled interface, wrong subnet mask) before reaching for exotic explanations.
Trap Treating the step 2 theory as the confirmed cause and skipping step 3; the cause is not established until a test confirms it.
- After testing, a confirmed theory advances; a disproven one loops or escalates
If the test confirms the theory, proceed to step 4 and plan the fix. If it does not confirm the theory, either re-establish a new theory (return to step 2) or escalate when the problem exceeds your knowledge, access, or authority. A failed test never licenses you to start making changes.
Trap Beginning to change configuration after a test disproves your theory; a disproven theory returns you to step 2 for a new one.
- For layered problems, work the OSI stack top-to-bottom or bottom-to-top
CompTIA's guidance for layered technologies is to consider multiple approaches, including working the OSI model top-to-bottom or bottom-to-top, so the search is systematic instead of random. This keeps step 2 disciplined: you eliminate layers in order rather than jumping between unrelated guesses.
- Bottom-up starts at Layer 1 for suspected physical faults
The bottom-up approach starts at the physical layer (Layer 1) and works upward through the OSI stack. Reach for it when the symptom points at hardware or media: no link light, a dead port, a damaged or wrong cable, or a powered-off device. It wastes time when lower-layer connectivity is already proven good.
- Top-down starts at Layer 7 for application-level complaints
The top-down approach starts at the application layer (Layer 7) and works downward. It fits a complaint about a specific service or app when the host plainly has network connectivity, for example a web app that fails even though the user can ping the server. Choosing it avoids re-checking lower layers that are already known good.
- Divide-and-conquer halves the layer search each test
Divide-and-conquer starts in the middle of the OSI stack (often the network or transport layer) and uses each test to eliminate half the remaining layers. A successful ping, for instance, confirms Layers 1 to 3 in one test and lets you focus upward. It is fastest when you have no strong starting hypothesis about which layer holds the fault.
Trap Calling a fixed Layer-1-upward sweep "divide-and-conquer"; that is bottom-up, while divide-and-conquer starts mid-stack and halves the search each test.
- Follow-the-path traces traffic hop by hop across devices
The follow-the-path approach traces the traffic from source to destination, checking each switch, router, and firewall along the route to find where the path breaks. Reach for it when connectivity fails across multiple devices or network segments rather than at a single host, because the break is somewhere along the route, not on one endpoint.
Trap Reaching for top-down or bottom-up on a single host when the fault spans the route between hosts; a multi-device path break is what follow-the-path is for.
- The four approaches are tactics inside step 2, not extra steps
Top-down, bottom-up, divide-and-conquer, and follow-the-path describe how to form and order theories within step 2 (establish a theory). They are not additional steps in the seven-step method, so a question asking for the methodology's steps never lists them.
Trap Listing a search approach such as top-down or follow-the-path as one of the seven methodology steps; the seven steps are fixed and these are tactics within step 2.
- Plan of action also identifies the potential effects of the fix
Step 4 is not just deciding what to change; it explicitly identifies the potential effects of that change, including the blast radius if it goes wrong. This is where change management lives for a non-trivial fix: a change request, a rollback plan, and a maintenance window so resolving one problem does not cause a new outage.
Trap Assuming identifying potential effects happens at verification (step 6); the effects of a change are weighed in the plan (step 4), before it is applied.
- Escalate when a fix exceeds your access, authority, or skill
Step 5 is implement the solution or escalate as necessary, and escalation is a legitimate outcome, not a failure. Hand the problem to another team, a vendor, or a carrier when the resolution needs access, approval, or expertise you do not have. Escalation can also occur at step 3 if testing reveals the issue sits outside your control.
Trap Forcing an unauthorized or risky change rather than escalating; when a fix is beyond your access, authority, or skill, escalation is the correct step-5 action.
- Verify full system functionality end to end, as the user sees it
Step 6 confirms the problem is gone as the end user experiences it, not merely that the device you touched responds. "Full system functionality" means end to end, so a partial check on one component can let a residual fault ship. This step also implements preventive measures so the same fault does not recur.
Trap Confirming only that the device you changed responds; verification must prove the user's full workflow works, or a residual fault survives.
- Implement does not equal verify; they are separate steps
Applying a change (step 5) is not evidence that the change fixed the problem; verification (step 6) is a distinct step that proves it. The exam routinely offers "implement" as a distractor for "verify" and vice versa, so map the action precisely: applying the fix is step 5, confirming it worked is step 6.
Trap Picking implement (step 5) when the stem describes confirming the fix worked; confirming functionality is verify (step 6).
- Preventive measures belong to step 6, not a separate step
Implementing preventive measures (replacing a marginal cable instead of reseating it, saving a running config so it survives a reboot, adding monitoring on the failure point) is part of step 6, verify full system functionality. It stops the same fault from recurring rather than just clearing the current symptom.
- Documentation is the final graded step, not optional cleanup
Step 7 documents findings, actions, outcomes, and lessons learned. It feeds the knowledge base and change records that make the next similar incident faster to diagnose, and it is a required step in the method. A fix is not complete until it is written down, even when the symptom is already gone.
Trap Treating documentation as optional once the problem is fixed; step 7 is part of the methodology, and skipping it forces the next technician to rediagnose from scratch.
- Match an action to its step by the verb in the stem
Many methodology items describe one activity and ask which step it is. Map the verb: gathering information or questioning users is step 1, guessing a cause is step 2, swapping a cable to confirm is step 3, deciding what to change is step 4, applying it is step 5, confirming end-to-end is step 6, and writing it up is step 7.
- The next step after a confirmed test is plan, not implement
When a stem says the technician has just tested and confirmed the cause and asks for the next step, the answer is step 4 (establish a plan of action and identify potential effects), not step 5 (implement). Jumping straight to implementing skips the plan, which is exactly the ordering error these questions probe.
Trap Choosing implement the solution as the step right after confirming the cause; the immediate next step is plan of action (step 4).
- No SYN-ACK means blocked; an immediate RST,ACK means no listener
In a capture, a client SYN that gets no SYN-ACK at all means the request never reached a responding service: the host is down, the service is not running, or a firewall is silently dropping the traffic. By contrast, an immediate RST,ACK in reply to the SYN means the host is up and its TCP stack actively refused the connection because nothing is listening on that port. The difference between silence and a reset tells you blocked-or-down versus port-closed.
Trap Treating an immediate RST,ACK the same as no reply, when a reset is an active refusal from a reachable host and silence suggests a drop or a down service.
4 questions test this
- A network technician uses Wireshark to investigate intermittent connection timeouts to an internal HTTPS server. The capture shows repeated…
- A technician is using Wireshark to troubleshoot a failed HTTPS connection. The capture shows the client sending a TCP SYN to port 443, and…
- A technician runs netstat -an on a workstation and observes numerous connections in the SYN_SENT state to a single remote IP address on…
- A technician captures traffic with Wireshark and observes a client sending a TCP SYN to a server on port 443. The server immediately…
Cabling and Physical Issues
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Services Issues
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Performance Issues
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Troubleshooting Tools
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Name the layer before you pick a tool
Decide first whether a symptom is physical (Layer 1) or logical (Layer 3 and above), because that one split eliminates most wrong-tool answers. A dead cable, a port that will not light, or a powered device that will not boot is physical and needs a hardware tool like a cable tester, TDR, or toner probe. Reachability, addressing, name resolution, and routing are logical and need a command-line tool like ping, traceroute, nslookup, or ipconfig.
- ping tests reachability, traceroute tests the path
ping sends ICMP echo requests and reports whether a host answers plus the round-trip latency and loss, so it answers "is it alive and how cleanly." traceroute (tracert on Windows) reports every router hop to the destination and where the path breaks or slows, so it answers "which hop is responsible." Confirm the destination is alive with ping first, then switch to traceroute once you know it is unreachable or slow.
Trap Reaching for traceroute to test whether a host is simply up; that wastes time mapping hops when one ping already answers the liveness question.
11 questions test this
- A technician runs tracert to a remote application server and sees RTT values of 2ms, 5ms, 8ms, and 9ms for hops 1 through 4, while hops 5…
- A technician runs tracert to diagnose slow connectivity to a remote server and observes the following: Hop 1 at 1ms (192.168.1.1), Hop 2 at…
- A user cannot browse to www.company.com but can access the site using its IP address. The technician runs nslookup www.company.com and…
- A network technician runs tracert to a remote server and observes that round-trip times are consistently 10-13ms through hop 3 but jump to…
- A network technician runs tracert to a remote server and observes RTT values of 1ms at hop 1, 5ms at hop 2, 88ms at hop 3, 90ms at hop 4,…
- A technician runs tracert to a remote server. Hops 1 and 2 show round-trip times of approximately 2ms and 8ms respectively. At hop 3, the…
- A user cannot reach a remote server at 203.0.113.50. A technician confirms that pinging the default gateway at 192.168.1.1 succeeds but…
- A network engineer reviews traceroute output and observes these average RTT values: Hop 1: 2ms, Hop 2: 5ms, Hop 3: 8ms, Hop 4: 120ms, Hop…
- A network technician runs tracert to a remote server and observes the following RTT pattern: hops 1-3 show RTT values between 10ms and…
- A network technician runs 'tracert' to a remote server and observes that the first four hops respond with latency under 5ms. Beginning at…
- A technician runs tracert to a remote server and observes the following RTT values: hop 1 = 3ms, hop 2 = 12ms, hop 3 = 118ms, hop 4 =…
- A failed ping is not proof a host is down
Many firewalls drop ICMP while still passing real application traffic, so a host that will not answer ping can still be serving on its TCP ports. When ping fails, confirm with a TCP port test, telnet or nc (netcat) to the service port, before declaring the host unreachable. A successful port test with a failed ping means ICMP is filtered, not that the service is down.
Trap Concluding a server is down from a failed ping alone, when the firewall is only dropping ICMP and the service port is still open.
- A silent traceroute hop is usually rate-limiting, not a failure
traceroute works by raising the IP TTL one step at a time so each router returns an ICMP Time Exceeded, but routers commonly rate-limit or deprioritize that ICMP. A single middle hop showing asterisks while later hops still answer is that router quietly throttling, not a break. Read the path by the last hop that answers normally and the first that does not, not by one silent hop in the middle.
Trap Treating an asterisk on one middle hop as the point of failure, when later hops still respond and the gap is just ICMP rate-limiting.
10 questions test this
- A technician runs tracert to a remote server and notices that hops 5 and 6 display three asterisks (*) for each probe, but the remaining…
- A technician is diagnosing intermittent latency to a web server. Which of the following describes how traceroute discovers each hop along…
- A network technician runs tracert to a remote web server. The output shows successful responses at hops 1 through 4, rows of asterisks (* *…
- A network technician runs the tracert command to diagnose slow connectivity to a remote server and receives RTT values along with the IP…
- A network administrator runs tracert to a remote server. The output shows normal responses at hops 1 and 2, then displays asterisks (* * *)…
- A technician runs tracert to a remote server. Hops 1 through 5 show response times under 20ms. Hop 6 displays asterisks (* * *). Hops 7…
- A technician runs tracert to a remote server and observes the following output: Hop 1: 1ms 1ms 1ms 10.0.0.1, Hop 2: * * * Request timed…
- A technician runs tracert to a remote server. Several intermediate hops display '* * * Request timed out' while the final destination…
- Which of the following ICMP message types allows traceroute to identify each intermediate router along the path to a destination?
- A technician runs tracert to a remote web server. Hops 1 through 4 and hops 8 through 12 display valid IP addresses and response times, but…
- Use nslookup or dig when a name fails but the IP works
When a site loads by IP address but not by name, the fault is name resolution, and nslookup (cross-platform) or dig (more detailed, on Linux and macOS) query a DNS server directly to prove it. They show which server answered and what record came back, separating a DNS problem from a connectivity problem in one command. You can also aim them at a specific resolver to test whether one server is stale while another is correct.
Trap Pinging the hostname to diagnose a name failure; ping by name blends DNS and connectivity, so it confirms something is wrong but never that DNS specifically is the cause.
11 questions test this
- A user reports that browsing to www.example.com fails, but accessing the same server by its IP address works. The technician runs nslookup…
- A user cannot browse to a company intranet site. A technician pings the site at its known IP address of 192.168.5.10 and receives…
- Users report they cannot access a web application by hostname, but they can reach it by IP address. The technician runs 'nslookup…
- A user can access a web application by entering its IP address in the browser but receives an error when typing the hostname. The…
- A technician is troubleshooting a DNS resolution issue and runs 'dig www.company.com @8.8.8.8' from a workstation. The response returns the…
- A user cannot browse to www.company.com but can successfully ping the web server IP address at 203.0.113.10. Which of the following…
- A user reports being unable to browse to www.example.com but can successfully reach the site by entering its IP address directly in the web…
- A network administrator suspects that MX records are misconfigured, causing email delivery failures for the company domain. Which of the…
- A user can reach a web server by entering its IP address 10.5.10.20 in the browser but receives an error when browsing to www.company.com.…
- A user can reach an internal server at 192.168.1.50 by IP address but cannot access it by hostname. A technician runs nslookup…
- A user cannot browse to www.example.com. The technician successfully pings the default gateway and successfully pings the web server at…
- ipconfig reads the local IP config; 169.254 means DHCP failed
ipconfig (Windows) and ifconfig or ip (Linux and macOS) print the interface's address, subnet mask, default gateway, and DNS servers, the first stop for a "my machine cannot get anywhere" report. An address in the 169.254.0.0/16 range is an APIPA (Automatic Private IP Addressing) link-local address, which a host assigns itself only after asking for a DHCP lease and getting no reply. So an APIPA address means the DHCP server is unreachable or its pool is exhausted, not that DNS or routing is broken.
Trap Reading a 169.254.x.x address as a DNS or gateway problem; it is the specific signature of a failed DHCP lease.
- netstat shows a host's own ports and connections
netstat lists the local host's active TCP and UDP connections and the ports it is listening on, a view only the host itself can give. Use it to confirm a service is actually bound and listening (for example a web server on port 443) and to see which remote hosts a machine is talking to. It is the local counterpart to nmap, which scans ports from across the network.
6 questions test this
- A technician runs netstat -an on a web server and observes that port 80 is in a LISTENING state, but port 443 does not appear anywhere in…
- Users report they cannot connect to a company intranet site hosted on a server at 10.0.5.10. A technician can successfully ping the server…
- A server administrator installs a new HTTPS-based application, but remote users report they cannot connect to the service. The…
- Users report they cannot access the company HTTPS portal. A network administrator runs netstat -an on the web server and observes no entry…
- Users report they cannot connect to a company web application. A technician runs netstat -an on the application server and does not see…
- A technician suspects an unauthorized application is running on a server. Which of the following commands will display all active and…
- arp shows the IP-to-MAC cache for the local segment
arp displays and edits the host's Address Resolution Protocol cache, the table mapping IPv4 addresses to MAC addresses on the local broadcast domain. It is the tool for a suspected duplicate IP or a stale or poisoned mapping: if two hosts claim one address, or an entry points at the wrong MAC, arp shows it. ARP only works within the local segment, so an entry for an off-subnet host shows the default gateway's MAC, not the remote host's.
Trap Expecting an arp entry to show a remote off-subnet host's MAC; ARP is local-only, so it returns the gateway's MAC for anything off the segment.
6 questions test this
- A technician can successfully ping the default gateway at 10.10.1.1 but receives 'Destination Host Unreachable' when pinging a file server…
- A network administrator suspects an on-path attack is occurring on the local subnet and wants to verify that the default gateway MAC…
- A security analyst runs arp -a on a workstation and notices the default gateway at 10.0.1.1 is mapped to MAC address AA-BB-CC-DD-EE-FF. The…
- A technician suspects a duplicate IP address conflict after a user reports intermittent connectivity to a file server at 10.1.1.50 on the…
- A security analyst suspects an ARP spoofing attack on the network after users report intermittent connectivity issues. Which of the…
- Users on a LAN report intermittent connectivity loss and redirection to suspicious websites. A technician runs arp -a on an affected…
- nmap maps which ports a remote host exposes
nmap scans a remote target or a whole subnet to report which hosts are up and which ports they expose, answering "what services does this host offer" from across the network. For a single quick check you do not need a full scan: a telnet or nc connection to one host and port simply succeeds or refuses. Reach for nmap when you must discover the service footprint, and for the one-port test when you just need to confirm a single port is reachable.
- A protocol analyzer is the last resort, not the first
A protocol analyzer (packet sniffer) such as Wireshark or the command-line tcpdump captures frames and decodes them field by field, so it can answer almost any question about what a host sent or received. That power costs time and expertise, so it belongs at the end of the workflow, after cheaper tools have narrowed the problem. Reach for it only when you must read the protocol exchange itself, such as a TLS handshake that fails partway, a DHCP request that gets no offer, or a retransmission storm.
Trap Capturing packets to answer a question ping or traceroute already settles; the analyzer is for protocol-level mysteries, not basic reachability.
- Capturing on a switch needs port mirroring
A switch forwards unicast frames only to the destination port, so a protocol analyzer plugged into one port sees only its own traffic plus broadcasts. To capture another port's traffic you configure port mirroring (a SPAN port), which copies frames from one or more ports to the monitoring port. Capturing also normally requires the analyzer's NIC in promiscuous mode so it accepts frames addressed to other hosts.
Trap Expecting a packet capture on a switched network to see every host's traffic by default; without a mirror or SPAN port the switch never forwards it to the analyzer.
8 questions test this
- A technician needs to use Wireshark to capture traffic between an application server and its clients on a managed switch. Which of the…
- A network engineer needs to capture traffic from a specific switch port using a protocol analyzer to diagnose packet loss on the segment.…
- A network administrator needs to use Wireshark on a dedicated workstation to capture traffic between two servers connected to a managed…
- A network engineer needs to capture all traffic passing through a congested switch port to analyze packet loss using a protocol analyzer.…
- A network administrator needs to inspect the full contents of HTTP traffic traversing a switch to diagnose intermittent application-layer…
- A technician needs to use Wireshark to capture traffic between a database server and a web server to diagnose intermittent application…
- A network technician needs to capture traffic with Wireshark between a server and multiple clients on a switched network. Which of the…
- A network technician needs to use a protocol analyzer to capture all traffic traversing a congested uplink port on a managed switch. Which…
- A wiremap cable tester proves continuity and pinout
A wiremap cable tester lights each conductor in turn to prove opens (a broken conductor), shorts (two conductors touching), reversed pairs, transposed pairs, and split pairs on a copper run. It is the right tool the instant you suspect a bad termination or a miswired patch. It only proves the copper is good, though, and says nothing about VLANs, routing, or any logical fault, so once continuity passes, move up to the command-line tools.
2 questions test this
- TDR locates copper faults; OTDR locates fiber faults
When a cable tests bad or intermittent and you need to know where along a long run the fault is, a reflectometer reports the distance to it. A time-domain reflectometer (TDR) pulses copper and times the reflection from a break or short; an optical time-domain reflectometer (OTDR) does the same for fiber, reporting distance to a break, splice, or high-loss bend. The pairing to memorize is TDR for copper, OTDR for fiber.
Trap Using a copper TDR on a fiber run (or an OTDR on copper); the medium decides the instrument, TDR for copper and OTDR for fiber.
11 questions test this
- A technician uses a TDR to test a cable run that should be 80 meters long. The device indicates a fault at 25 meters from the connection…
- A network technician runs a TDR test on a Cat6 cable expected to reach a wall jack 75 meters away. The TDR displays a significant impedance…
- A technician needs to locate a break in a Cat6 cable installed inside a wall. A basic cable tester confirmed an open fault on two pairs but…
- A technician is troubleshooting an Ethernet cable that runs through walls and ceiling spaces to a patch panel 55 meters away. A cable…
- A technician connects a TDR to a copper Ethernet cable that should terminate at a patch panel 80 meters away. The TDR reports a fault at 40…
- A technician is troubleshooting intermittent connectivity on a Cat6 cable run installed inside a wall. A basic cable tester confirms a…
- A technician needs to determine the exact location of a break in a copper network cable that runs through a ceiling plenum. The cable is…
- A network technician discovers that a conference room has no connectivity. A basic continuity test confirms the horizontal cable run…
- A technician uses a TDR on a newly installed 90-meter cable run and observes a large reflected pulse at 55 meters. The cable was installed…
- A technician needs to determine the exact distance to a break in a copper network cable that runs through an inaccessible ceiling space.…
- A technician needs to locate the exact distance to a suspected cable break inside a sealed conduit that is inaccessible for visual…
- A toner probe locates an unlabeled cable
A toner probe is a two-piece tool: a tone generator clipped to one end injects an audible signal, and an inductive probe waved over a bundle at the far end finds the cable carrying that tone. It is the tool for the specific job of locating or labeling an unmarked cable in a crowded patch panel or wiring closet. No tester or analyzer does this job; only the toner probe traces one physical cable through a bundle.
- A light meter verifies fiber is within its dB loss budget
Fiber health is measured as optical loss in decibels, and a light meter (optical power meter) reads the power arriving at the far end of a run. A reading outside the link's loss budget means the run is too long for the optic, a connector is dirty, or the fiber is bent past its minimum radius. Use the light meter to confirm a fiber link carries enough signal; use an OTDR when you also need the distance to the fault.
- A loopback plug proves a port works but never locates a break
A loopback plug folds a port's transmit pins back into its receive pins so the port talks to itself, proving a NIC or switch port can send and receive. It confirms the port hardware is functional, which is useful to rule the port in or out. It never locates a cable fault or measures distance, so reaching for it to find where a cable is broken is the classic loopback distractor.
Trap Choosing a loopback plug to locate a cable break; it only tests that a port can transmit and receive, not where the wire is faulted.
4 questions test this
- A technician suspects a faulty switch port is causing connectivity issues. After inserting a loopback plug into the port, a diagnostic test…
- A technician connects a loopback plug to a switch port and runs a diagnostic test, but the port fails to detect the loopback. All other…
- A technician suspects that a switch port may have a hardware failure and wants to verify whether the port can both transmit and receive…
- A technician inserts a loopback plug into a workstation NIC and the loopback test completes successfully. The technician then connects the…
- A Wi-Fi analyzer reads 802.11 channels and signal
A Wi-Fi analyzer scans the wireless bands and reports the access points in range, the channel each uses, and the signal strength a client sees, so it is the tool for wireless that is slow or dropping. It exposes co-channel and adjacent-channel interference (too many APs sharing or overlapping a channel) and weak signal, pointing to a fix of non-overlapping channels or moving the AP. The 2.4 GHz band has only three non-overlapping channels (1, 6, 11), which is why crowded 2.4 GHz cells interfere so easily.
- A spectrum analyzer finds non-Wi-Fi RF interference
A Wi-Fi analyzer only sees 802.11 traffic, so when the interference comes from a microwave oven, cordless phone, or Bluetooth device rather than another access point, it shows nothing. A spectrum analyzer reads raw radio energy across a band and reveals those non-Wi-Fi sources. The distinction the exam draws is that a Wi-Fi analyzer reads the 802.11 network while a spectrum analyzer reads the RF spectrum itself.
Trap Using a Wi-Fi analyzer to chase interference from a microwave or cordless phone; it only sees 802.11, so non-Wi-Fi RF needs a spectrum analyzer.
- Run reachability tools in order: ping, then traceroute, then nslookup/dig
The fast triage for a "the internet is down" report is to run three command-line tools in sequence, each answering one question. ping asks whether the destination is alive and how cleanly; traceroute asks which hop breaks once ping says it is unreachable or slow; nslookup or dig asks whether the name resolves when a site works by IP but not by name. Running them host-outward narrows the fault quickly without jumping to a packet capture.
- tcpdump -w writes raw packets to a pcap file for Wireshark
The tcpdump -w flag saves captured packets in raw pcap binary form to a file instead of printing them, and the file opens directly in Wireshark or reads back with tcpdump -r. Combine it with -i to pick the interface and a trailing BPF expression to limit what is captured, for example tcpdump -i eth0 -w capture.pcap port 80 to save only HTTP traffic.
Trap Using -r or a display option to save a capture, when -w is the flag that writes the pcap file.
4 questions test this
- A technician needs to capture traffic on a Linux server and save it to a file for later analysis in Wireshark. Which of the following…
- A network technician needs to capture traffic on a Linux server and save it to a file for later analysis in Wireshark. Which of the…
- A technician runs the following command on a Linux server: tcpdump -i eth0 -w /tmp/capture.pcap port 80. Which of the following best…
- A network technician needs to capture traffic on a headless Linux server and save the raw packets to a file for later analysis in…
- Capture filters limit what is recorded; display filters limit what is shown
A Wireshark capture filter uses BPF syntax and decides which packets get written at capture time, so it is the way to shrink the file on a busy network, written like host 10.1.1.50 or port 53. A display filter uses Wireshark's own syntax and only changes what is shown from an already-saved capture, written like ip.src == 192.168.1.100, ip.addr == 10.1.1.50 and tcp.port == 443, or dns.flags.response == 1. The two syntaxes are different and serve different stages.
Trap Expecting a display filter to reduce the capture file size, when only a capture filter limits what is recorded and a display filter just hides already-captured packets.
6 questions test this
- A technician is analyzing a large Wireshark capture and needs to display only traffic originating from IP address 192.168.1.100. Which of…
- A network administrator wants to use Wireshark to capture only traffic to and from a specific server at 10.1.1.50 in order to reduce the…
- A technician runs the command 'tcpdump -i eth0 -w /tmp/dns.pcap port 53' on a server and later opens the resulting file in Wireshark. The…
- A network technician is capturing traffic on a busy production network using Wireshark to troubleshoot a DNS issue. The technician wants to…
- A technician runs the following command on a Linux server: tcpdump -i eth0 -w /tmp/capture.pcap port 80. Which of the following best…
- A network administrator is using Wireshark to isolate HTTPS traffic to and from a web server at 10.1.1.50. Which of the following display…
- Follow TCP Stream isolates a conversation; Protocol Hierarchy summarizes the capture
Follow TCP Stream pulls every packet of a single TCP conversation together by applying a stream-index filter and reconstructs the application-layer exchange between the two endpoints. Statistics, Protocol Hierarchy instead gives a tree of every protocol seen with packet counts and percentages, which is the fast way to spot an unexpected or unauthorized protocol across a large capture.
Trap Reaching for Follow TCP Stream to survey which protocols appeared, when Protocol Hierarchy is the capture-wide breakdown and Follow Stream drills into one conversation.
3 questions test this
- A network administrator is reviewing a Wireshark capture that contains thousands of packets from multiple sessions. The administrator needs…
- While investigating suspected unauthorized network activity, an administrator opens a packet capture in Wireshark and navigates to…
- After a security incident, a network administrator opens a large Wireshark capture to quickly determine which protocols were active on the…
- On a TDR an open reflects positive, a short reflects negative
A time-domain reflectometer sends a pulse and reads reflections from impedance changes, with the delay giving the distance to the fault. An open circuit, a break or disconnection, is high impedance and returns an in-phase positive upward spike. A short between conductors is low impedance and returns an inverted negative reflection. A localized impedance change without a full open or short, such as a kink, crush, or crimp, shows as a sharp anomaly at that distance even when a basic wiremap still passes.
Trap Reading a positive TDR spike as a short, when the in-phase upward reflection is an open and the inverted reflection is the short.
7 questions test this
- A technician uses a TDR to test a copper cable run and observes an inverted reflection at approximately 30 meters from the test point.…
- A technician uses a TDR on a newly installed 90-meter cable run and observes a large reflected pulse at 55 meters. The cable was installed…
- A technician connects a TDR to a copper cable run and observes a large upward spike in the reflected signal at 47 meters along the cable.…
- A technician runs a TDR test on a 75-meter Cat6 cable and observes a reflected impedance spike at 30 meters. The cable passes a basic…
- A technician connects a TDR to a Cat6 cable that passes a basic wire map test but experiences intermittent CRC errors. The TDR displays a…
- A TDR test on a copper cable run shows a sharp upward impedance spike at 28 meters along a 90-meter cable. Which of the following faults…
- A TDR test on a copper network cable displays a sharp positive reflection spike at approximately 35 meters from the test end. Which of the…
- pathping computes per-hop loss to find which router drops packets
Pathping first traces the route, then sends repeated probes to every hop over a sustained period and reports per-hop and per-link latency and packet-loss percentages. That makes it the right tool for intermittent slowness where connectivity is never fully lost: it pinpoints which specific router or link along the path is dropping the most packets, which a single traceroute or ping cannot do.
Trap Using a one-shot traceroute to find an intermittent packet-dropping hop, when pathping is what accumulates per-hop loss statistics over time.
4 questions test this
- A network administrator needs to determine which specific router along a path is dropping the highest percentage of forwarded packets.…
- A technician has end-to-end connectivity to a remote site but users report intermittent slowness. The technician needs to identify which…
- A technician runs pathping to a remote host. The per-link statistics show 0% packet loss on all links except the link between hop 3 and hop…
- Users at a branch office report intermittent slowness when accessing a cloud application, but connectivity is never fully lost. Which of…
- Read a traceroute by where replies stop, repeat, or jump in time
Traceroute output is diagnostic by pattern. Hops that reply normally then turn into all-timeouts mark the failure at or just beyond the last responding hop. The same two addresses alternating across many hops until the max hop count is a routing loop, where packets bounce until the TTL expires. A sudden large latency jump between two hops, with later hops staying near that level, locates the added delay on the link between those two hops.
Trap Blaming the hop that times out, when the fault is at or just past the last hop that actually replied.
13 questions test this
- A technician runs traceroute to a remote server and observes the same two router IP addresses alternating across successive hops until the…
- A technician runs tracert to a remote application server and sees RTT values of 2ms, 5ms, 8ms, and 9ms for hops 1 through 4, while hops 5…
- A technician runs tracert to diagnose slow connectivity to a remote server and observes the following: Hop 1 at 1ms (192.168.1.1), Hop 2 at…
- A technician is troubleshooting a user's inability to reach a remote server. The technician runs tracert and observes that hops 1 through 3…
- A network technician troubleshooting slow application response times runs tracert. The output shows hop 1 at 2ms, hop 2 at 6ms, hop 3 at…
- A network technician runs tracert to a remote server and observes that round-trip times are consistently 10-13ms through hop 3 but jump to…
- A network technician runs tracert to a remote server and observes RTT values of 1ms at hop 1, 5ms at hop 2, 88ms at hop 3, 90ms at hop 4,…
- A technician runs tracert to a remote server. Hops 1 and 2 show round-trip times of approximately 2ms and 8ms respectively. At hop 3, the…
- A network engineer reviews traceroute output and observes these average RTT values: Hop 1: 2ms, Hop 2: 5ms, Hop 3: 8ms, Hop 4: 120ms, Hop…
- A network technician runs tracert to a remote server and observes the following RTT pattern: hops 1-3 show RTT values between 10ms and…
- A network technician runs 'tracert' to a remote server and observes that the first four hops respond with latency under 5ms. Beginning at…
- A technician runs tracert to a remote server and observes the following RTT values: hop 1 = 3ms, hop 2 = 12ms, hop 3 = 118ms, hop 4 =…
- A network technician runs traceroute to diagnose why a workstation cannot reach a server at 203.0.113.50. The output shows hops 5 through…
- netstat -ano maps listening ports to owning process IDs and shows socket states
On Windows, netstat -ano lists all connections and listening ports (-a) numerically (-n) with the owning process ID (-o), so it ties a port like 443 to the exact process serving it. The connection state column is itself diagnostic: many SYN_SENT entries to one host mean the remote end is not answering, and many CLOSE_WAIT entries mean the local application received the client's FIN but never closed its sockets, an application-level socket leak.
Trap Reading CLOSE_WAIT pileups as the remote side hanging, when CLOSE_WAIT means the local application failed to close its half of the connection.
5 questions test this
- A network administrator needs to determine which process on a Windows server is listening on TCP port 443 to investigate a potentially…
- A security technician needs to identify which processes on a Windows server are actively listening for inbound network connections. Which…
- A technician suspects an unauthorized application is running on a server. Which of the following commands will display all active and…
- A technician runs netstat -an on a workstation and observes numerous connections in the SYN_SENT state to a single remote IP address on…
- A server administrator investigates why a web application intermittently refuses new connections. Running netstat -an reveals hundreds of…
- A centralized syslog server correlates timestamped events across devices
A centralized syslog server aggregates timestamped log messages from every network device into one place, which is what lets you correlate the timing of events, an interface flapping, a device rebooting, a spanning tree reconverging, across multiple switches and routers at once. It is the right approach for intermittent, multi-device problems where you need to line up when things happened. Syslog severity runs 0 Emergency to 7 Debug, with level 4 meaning Warning.
Trap Logging into each device one at a time to chase an intermittent multi-device fault, when centralized syslog lines the events up on a single timeline.
7 questions test this
- Users report intermittent network outages lasting several seconds at random intervals throughout the day. A network engineer suspects a…
- A network technician is troubleshooting an intermittent service disruption that affected multiple switches simultaneously. Which of the…
- Users in multiple buildings report intermittent connectivity loss at random times throughout the day. A technician suspects a recurring…
- Users report that a business application becomes unreachable for several minutes at random intervals. The network team suspects a flapping…
- While troubleshooting intermittent connectivity issues on a core router, a network administrator reviews the syslog output and sees a…
- Users report brief intermittent network outages. A network administrator suspects spanning tree reconvergence events may be affecting…
- Multiple departments report intermittent connectivity failures to various internal services at unpredictable times. The network team…
- An RJ45 loopback plug wires pin 1 to 3 and pin 2 to 6
An RJ45 Ethernet loopback plug connects the transmit pair, pins 1 and 2, to the receive pair, pins 3 and 6, so data the port sends loops straight back into its own receive circuit to confirm the port transmits and receives. It proves a port works but, having no run of cable, it can never locate a break or a distance fault.
Trap Expecting a loopback plug to find where a cable is broken, when it only validates the local port and cannot locate a fault along a run.
- A visual fault locator pinpoints a fiber bend or break by escaping red light
A visual fault locator injects bright visible red light, typically around 650 nm, into a fiber, and at a sharp bend, crack, or break the light escapes through the jacket and is visible to the eye, so the technician can walk the run and pin down the exact fault location. It is the quick visual tool for locating a physical fiber fault, distinct from an OTDR's distance trace or a light meter's loss measurement.
Trap Reaching for a light meter to locate a fiber bend, when a light meter only measures end-to-end loss and the VFL shows the physical fault point.
- Read nslookup output to separate a wrong server from a dead resolver
nslookup's first lines name the DNS server it queried, so when only one workstation cannot resolve internal names and that server is an external public resolver, the host is simply pointed at the wrong DNS server. A reply of DNS request timed out means the configured server did not answer, and the next isolating step is to ping that server's IP to test reachability. A Non-authoritative answer is normal: the response came from a caching resolver rather than the zone's authoritative server.
Trap Treating a Non-authoritative answer as an error, when it just means the answer came from a cache and is the expected result of recursive resolution.
5 questions test this
- A user reports that browsing to www.example.com fails, but accessing the same server by its IP address works. The technician runs nslookup…
- Users report they cannot access a web application by hostname, but they can reach it by IP address. The technician runs 'nslookup…
- A user cannot browse to www.company.com but can access the site using its IP address. The technician runs nslookup www.company.com and…
- A technician runs nslookup to resolve an external website hostname and receives a 'Non-authoritative answer' in the output. Which of the…
- A user cannot access an internal web application by hostname, but other users on the same subnet can. A technician runs nslookup on the…