Test Lab

10.2.4 Connect to a DSL Network

Lab Report
Time Spent: 02:47

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

Install the DSL router

Connect the computer to the DSL router

Add a filter between the phone and the phone cable connected to the outlet

EXPLANATION
Complete this lab as follows:

1. Install the DSL router and provide power.
a. Under Shelf, expand Routers.
b. Drag Router, DSL Ethernet to the Workspace area.
Place the router next to the outlets.
c. Above the router, select Back.
d. Under Shelf, expand Cables.
e. Select the Power Adapter.
f. From the Selected Component pane:
Drag the DC Power Connector to the port on the DSL router.
Drag the AC Power Adapter to the wall outlet.

2. Connect the DSL router to the phone line.
a. Under Shelf, select UTP Cable, 2-pair, RJ-11.
b. From the Selected Component pane:
Drag an RJ-11 Connector to the RJ11 port on the router.
Drag the other RJ-11 Connector to a phone port on the wall outlets.

3. Connect the computer to the DSL router.
a. Above the computer, select Back.
b. Under Shelf, select Cat6a Cable, RJ45.
c. From the Selected Component pane:
Drag an RJ45 Shielded Connector to the network port on the computer.
Drag the other unconnected RJ45 Shielded Connector to a network port on the DSL router.

4. When implementing DSL, install a filter between the phone port and each phone.
a. Above the phone, select Back.
b. Under Shelf, expand Filters.
c. Drag the DSL Filter to the phone port.
d. Under Shelf, expand Cables.
e. Select UTP Cable, 2-pair, RJ-11.
f. From the Selected Component pane:
Drag an RJ-11 Connector to the RJ11 port on the filter.
Drag the unconnected RJ-11 Connector to the phone port on the wall outlet.

Copyright © 2023 TestOut Corp. Copyright © The Computing Technology Industry Association, Inc. All rights reserved.
10.4.3 Configure a Remote Access VPN

Lab Report
Time Spent: 05:54

Score: 6/6 (100%) Pass Passing Score: 6/6 (100%)

TASK SUMMARY

Required Actions

Create a new certificate authority certificate

Create a new server certificate named CorpNet

Configure the VPN server

Configure the firewall rules

Set the OpenVPN server to Remote Access (User Auth)

Configure the following standard VPN users

EXPLANATION
While completing this lab, use the following information:

Create and configure the following standard remote VPN users:

Username Password Full Name

blindley L3tM31nNow Brian Lindley

jphillips L3tM31nToo Jacob Phillips

Complete this lab as follows:

1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Start the VPN wizard and select the authentication backend type.
a. From the pfSense menu bar, select VPN > OpenVPN.
b. From the breadcrumb, select Wizards.
c. Under Select an Authentication Backend Type, make sure Local User Access is selected.
d. Select Next.
3. Create a new certificate authority certificate.
a. For Descriptive Name, enter CorpNet-CA.
b. For Country Code, enter GB.
c. For State, enter Cambridgeshire.
d. For City, enter Woodwalton.
e. For Organization, enter CorpNet.
f. Select Add new CA.
4. Create a new server certificate.
a. For Descriptive Name, enter CorpNet.
b. Verify that all of the previous values (Country Code, State/Province, and City) are the same.
c. Use all other default settings.
d. Select Create new Certificate.
5. Configure the VPN server.
a. Under General OpenVPN Server Information:
Use the Interface drop-down menu to select WAN.
Verify that the Protocol is set to UDP on IPv4 only.
For Description, enter CorpNet-VPN.
b. Under Tunnel Settings:
For Tunnel Network, enter [Link]/24.
For Local Network, enter [Link]/24.
For Concurrent Connections, enter 4.
c. Under Client Settings, in DNS Server1, enter [Link].
d. Select Next.
6. Configure the firewall rules.
a. Under Traffic from clients to server, select Firewall Rule.
b. Under Traffic from clients through VPN, select OpenVPN rule.
c. Select Next.
d. Select Finish.
7. Set the OpenVPN server just created to Remote Access (User Auth).
a. For the WAN interface, select the Edit Server icon (pencil).
b. For Server mode, use the drop-down and select Remote Access (User Auth).
c. Scroll to the bottom and select Save.
8. Configure the following Standard VPN users.
a. From the pfSense menu bar, select System > User Manager.
b. Select Add.
c. Configure the User Properties with the values from the table above:
Username: the user's username
Password: the user's password
Full name: the user's full name
d. Scroll to the bottom and select Save.
e. Repeat steps 8b-8d to create the remaining VPN user.

10.4.5 Configure a VPN Connection iPad

Lab Report
Time Spent: 03:02

Score: 2/2 (100%) Pass Passing Score: 2/2 (100%)

TASK SUMMARY

Required Actions

Add an L2TP VPN Connection

Turn on and connect the VPN

EXPLANATION
Complete this lab as follows:

1. Verify your connection to the Home-Wireless network.
a. Select Settings.
b. Select Wi-Fi.
c. Verify that you are connected to the Home-Wireless network.
2. Configure the IPSec VPN.
a. From the left menu, select General.
b. Scroll down and select VPN.
c. Select Add VPN Configuration.
d. Make sure L2TP is selected.
e. Configure the VPN connection as follows:
Description: CorpNetVPN
Server: [Link]
Account: mbrown
Secret: 1a!2b@3c#4d$
f. Select Save.
3. Turn on the VPN.
a. Under VPN Configuration, for Not Connected, slide the button to ON.
b. Enter L3tM31nN0w (0 = zero) as the password.
c. Select OK.

11.3.6 Configure Logging on pfSense

Lab Report
Time Spent: 05:04

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

Q1: What is the maximum number of logs that can be displayed?

General settings

Enable remote logging

Configure remote logging

Q2: What is the maximum number of logs that can be displayed after configuring the system log settings?

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Access the system log settings.
a. From the pfSense menu bar, select Status > System Logs.
b. From the top right, select Answer Questions.
c. Answer Question 1.
3. Configure the general logging options.
a. Under the Status breadcrumb, select Settings.
b. Set the GUI Log Entries field to 25 to show only 25 logs at a time in the GUI.
c. Set the Log file size field to 250000 bytes (250 KB) to set the maximum size of each log file.
4. Configure remote logging.
a. Scroll to the bottom and, under Remote Logging Options, select Enable Remote Logging.
b. Make sure the options are set as follows:
Source address: Default (any)
IP protocol: IPv4
Remote log servers: [Link]
c. For Remote Syslog Contents, select the following:
System Events
Firewall Events
d. Select Save.
5. View the results of the changes made to the number of logs shown.
a. Under the Status breadcrumb, select System.
b. Answer Question 2.
c. Select Score Lab.

11.3.8 Auditing Device Logs on a Cisco Switch

Lab Report
Time Spent: 02:32

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

Enable Logging and the Syslog Aggregator

Set RAM Memory Logging to Emergency, Alert, and Critical

Set Flash Memory Logging to Emergency and Alert

Copy the running configuration file to the startup configuration file

EXPLANATION
Complete this lab as follows:

1. Access the Log Settings for the switch.
a. From the left menu, expand and select Administration > System Log > Log Settings.
2. Enable Logging and the Syslog Aggregator.
a. For Logging, select Enable.
b. For Syslog Aggregator, select Enable.
3. Configure RAM and Flash Memory Logging.
a. Under RAM Memory Logging:
Mark Emergency, Alert, and Critical.
Clear Error, Warning, Notice, Informational, and Debug.
b. Under Flash Memory Logging:
Mark Emergency and Alert.
Clear Critical, Error, Warning, Notice, Informational, and Debug.
c. Select Apply.
4. Copy the running configuration file to the startup configuration file.
a. From the top menu bar, select Save.
b. Under Copy/Save Configuration, select Apply.
c. Select OK.
d. Select Done.
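The two logging labs above configure the same thing from opposite ends: pfSense sends its system and firewall events to a remote syslog server and caps what the GUI displays, while the switch keeps only the highest severities in RAM (Emergency, Alert, Critical = syslog codes 0, 1, 2) and in flash (Emergency, Alert = codes 0, 1). The script below is an added example, not TestOut's or pfSense's code, that models what the collector on the receiving end does: it decodes the syslog PRI field into facility and severity, routes each message to every destination whose severity threshold admits it, keeps a bounded display buffer like the 25 GUI Log Entries setting, and quarantines malformed lines instead of dropping them silently. The sample messages are constructed and the destination thresholds are the ones from the switch lab.

```python
import re
from collections import deque

# Syslog severity codes 0..7 (RFC 3164/5424). The switch lab's
# "Emergency, Alert, Critical" are codes 0, 1 and 2.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Per-destination thresholds (highest severity code still stored),
# as set in the switch lab: RAM keeps 0-2, flash keeps 0-1.
DESTINATIONS = {"ram": 2, "flash": 1}

# Bounded display buffer, mirroring the pfSense lab's GUI Log Entries = 25.
GUI_LOG_ENTRIES = 25

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.S)


def parse_pri(line):
    """Return (facility, severity, message) for a '<PRI>message' line.

    Raises ValueError on a missing or out-of-range PRI (valid range 0..191)
    so the caller can count and quarantine bad input instead of misfiling it.
    """
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> prefix: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return facility, severity, m.group(2).strip()


def route(lines, destinations=DESTINATIONS, gui_entries=GUI_LOG_ENTRIES):
    """Distribute syslog lines to every destination whose threshold admits them.

    Returns a dict: destination -> list of (severity_name, message), plus
    'rejected' (malformed lines) and 'gui' (a deque holding only the most
    recent gui_entries messages of any severity).
    """
    out = {name: [] for name in destinations}
    out["rejected"] = []
    out["gui"] = deque(maxlen=gui_entries)
    for line in lines:
        try:
            _facility, sev, msg = parse_pri(line)
        except ValueError:
            out["rejected"].append(line)
            continue
        out["gui"].append((SEVERITY_NAMES[sev], msg))
        for name, max_sev in destinations.items():
            if sev <= max_sev:
                out[name].append((SEVERITY_NAMES[sev], msg))
    return out


def counts(lines):
    """Number of entries that landed in each destination."""
    return {name: len(entries) for name, entries in route(lines).items()}


# Constructed sample messages (not real device output). PRI = facility*8 + severity.
SAMPLE_LINES = [
    "<0>Mar 16 11:15:01 switch1 SYS: system going down",          # kern.emerg    (0)
    "<9>Mar 16 11:15:02 switch1 PORT: loop detected on gi1/0/5",  # user.alert    (1)
    "<10>Mar 16 11:15:03 switch1 FAN: fan 2 failed",              # user.crit     (2)
    "<35>Mar 16 11:15:04 pfsense sshd: authentication failure",   # daemon.err    (3)
    "<13>Mar 16 11:15:05 pfsense php-fpm: config saved",          # user.notice   (5)
    "<30>Mar 16 11:15:06 pfsense dhcpd: DHCPACK on 10.0.0.5",     # daemon.info   (6)
    "no priority on this line",                                   # malformed
]

if __name__ == "__main__":
    for name, n in counts(SAMPLE_LINES).items():
        print("%-9s %d" % (name, n))
```

Running it shows 3 entries reaching RAM, 2 reaching flash, 6 in the display buffer and 1 rejected line. The rejected list is the part worth keeping in a real collector: a device that has been misconfigured, or a sender injecting junk, shows up there rather than vanishing.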

11.6.9 Configure NIC Teaming

Lab Report
Time Spent: 06:36

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

Connect the 4-port NIC to the switch

Create the NIC team

Q1: What is the connection speed of Ethernet 3, 4, 5, or 6?

Configure the External network to use NetTeam

Q2: What is the connection speed of NetTeam?

EXPLANATION

Complete this lab as follows:

1. Move the network cable from the onboard adapter in the CorpServer to the 4-port NIC in CorpServer.
a. Above the rack, select Back to switch to the back view of the rack.
b. Drag the network cable from the onboard network adapter on CorpServer (the 1U server) to a free port
on the 4-port NIC in CorpServer.
c. Above the rack, select Front to switch to the front view of the rack.
d. Move the other end of the network cable to port 22 on the switch.
2. Connect network cables from the 4-port NIC on CorpServer to switch ports 19, 20, and 21.
a. Under Shelf, expand Cables.
b. Select Cat6a Cable, RJ45.
c. From the Selected Component pane, drag an unconnected RJ45 cable to port 19, 20, or 21.
d. Repeat steps 2b-2c for two more cables. Use a port not previously used.
e. Above the rack, select Back.
f. From Partial Connections:
Drag a cable to an open port on the 4-port NIC in CorpServer.
Repeat the previous step until there are no more cables in Partial Connections.

3. Configure the adapter ports as members of a NIC team.
a. On the CorpServer monitor, select Click to view Windows Server 2019.
b. From Server Manager, select Local Server from the menu on the left.
c. Next to NIC Teaming, select Disabled to enable and configure NIC Teaming.
d. From the Teams panel, use the Tasks drop-down list to select New Team.
e. In the Team name field, type NetTeam.
f. Select adapters Ethernet 3 through Ethernet 6 to be included in the team.
g. From the top right, select Answer Questions.
h. Answer Question 1.
i. Minimize the Lab Questions window.
j. From the NIC Teaming window, expand Additional Properties.
k. Configure the additional properties as follows:
Teaming mode: LACP
Load balancing mode: Address Hash
Standby adapter: None (all adapters Active)
l. Select OK to close the NIC Teaming dialog.
m. Close the NIC Teaming window.
4. Configure the Hyper-V Virtual Switch Manager to use the new NIC team for the External network.
a. From Server Manager's menu bar, select Tools > Hyper-V Manager.
b. Right-click CORPSERVER and then select Virtual Switch Manager.
c. Under Virtual Switches, select the External switch for configuration options.
d. Under Connection type, use the External network drop-down to select the Microsoft Network Adapter
Multiplexor Driver.
e. Select OK.
5. Verify the status of the team and your network connection using the Network and Sharing Center.
a. From the system tray, right-click on the network icon and then select Open Network and Sharing
Center.
b. Verify that the vEthernet (External) NIC has an internet connection. Also notice that the network icon in
the system tray shows that the server is connected.
c. To check the connection speed in the Network and Sharing Center, select NetTeam connection on the
right.
d. At the top right, select Answer Questions.
e. Answer Question 2.
f. Select Score Lab.

11.7.6 Back Up Files with File History

Lab Report
Time Spent: 02:08

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions

Save the backup to the Backup (E:) volume

Back up files daily

Keep backup files for 6 months

Back up the entire Data (D:) volume

Make a backup now

EXPLANATION

Complete this lab as follows:

1. Access the File History Backup options.
a. Right-click Start and then select Settings.
b. Select Update & Security.
c. From the left pane, select Backup.
2. Configure and run a File History Backup plan.
a. From the right pane, select Add a drive.
b. Select Backup (E:).
c. Under Automatically back up my files, slide the switch to On.
d. Select More options.
e. Under Back up my files, use the drop-down menu to select Daily.
f. Under Keep my backups, use the drop-down menu to select 6 months.
g. Under Back up these folders, select Add a folder.
h. Double-click the Data (D:) volume and then select Choose this folder.
i. Select Back up now.
j. Wait for the backup to complete.

11.7.8 Recover a File from File History

Lab Report
Time Spent: 03:20

Score: 2/2 (100%) Pass Passing Score: 2/2 (100%)

TASK SUMMARY

Required Actions

Restore the March 16th at 11:15 AM version of June2020_Issue.jpg

Restore the March 16th at 12:15 PM version of [Link]

EXPLANATION
Complete this lab as follows:

1. Access the File History options using the Settings app.
a. Right-click Start and then select Settings.
b. Select Update & Security.
c. From the left pane, select Backup.
d. Make sure Automatically back up my files is set to On.
e. Select More options.
f. Scroll to the bottom of the Backup options dialog and select Restore files from a current backup.
g. Maximize the window for better viewing.
2. Restore the June2022_Issue.jpg file.
a. From the bottom of the File History dialog, select the Previous version button (left arrow) to navigate
to the backups captured on Wednesday, March 16, 2022 11:15 AM.
b. Double-click Pictures.
c. Double-click Layouts.
d. Select the June2022_Issue.jpg file.
e. Select the green Restore to original location arrow located at the bottom center.
f. Select Replace the file in the destination.
(The Layouts folder where the file was restored should open.)
g. From the Layouts folder, right-click the June2022_Issue.jpg file and then select Properties.
h. Verify that the file is 115.44 MB in size and was last modified on March 16, 2022 at [Link] AM.
i. Select OK.
j. Close the Layouts window.
3. Restore the [Link] file.
a. In the top left of the File History dialog, select the up arrow to navigate to the Home\Pictures folder.
b. Select the Previous version button at the bottom to navigate to the backups captured on Wednesday,
March 16, 2022 12:15 PM.
c. Double-click Images.
d. Select the [Link] file.
e. Select the green Restore to original location arrow located at the bottom center.
f. Select Replace the file in the destination.
g. Right-click the [Link] file and select Properties.
h. Verify that the file is 1.09 MB in size and was last modified on March 16, 2022 at [Link] PM.
i. Select OK.
11.8.3 Allow Remote Desktop Connections

Lab Report
Time Spent: 01:43

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

Allow Remote Desktop connections

Allow Tom Plask to connect using Remote Desktop

Open the firewall port for Remote Desktop

EXPLANATION
Complete this lab as follows:

1. Configure Office1 to allow connections from Remote Desktop.
a. Right-click Start and select Settings.
b. Maximize the window for better viewing.
c. Select System.
d. From the left pane, select Remote Desktop.
e. Under Enable Remote Desktop, slide the button to the right to enable remote desktop.
f. Select Confirm.
2. Add Tom Plask to the users that will be able to connect to Office1 using a Remote Desktop connection.
a. Under User accounts, click Select users that can remotely access this PC.
b. Select Add.
c. Enter Tom Plask.
d. Select OK to add the user.
e. Select OK to close the dialog.
3. Verify that the firewall ports for Remote Desktop are opened appropriately.
a. From the Settings app, select Home (upper left).
b. Select Update & Security.
c. Select Windows Security.
d. Select Firewall & network protection.
e. Select Allow an app through firewall.
f. Scroll down and verify that Remote Desktop is marked (to open the port).
(The corresponding port is opened or closed automatically when you enable or disable the service in
the system properties).
g. Select Cancel.

12.3.3 Implement Physical Security

Lab Report
Time Spent: 00:51

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

Install the IP security cameras

Install the smart card key readers

Install the Restricted Access sign on the networking closet door

Install the visitor log on the lobby desk

EXPLANATION
Complete this lab as follows:

1. Install the IP security cameras:
a. From the Shelf, expand CCTV Cameras.
b. Drag an IP Security Camera from the shelf to the highlighted circle inside the networking closet.
c. Drag an IP Security Camera from the shelf to the highlighted circle just outside the networking closet.
2. Install the smart card key readers:
a. From the Shelf, expand Door Locks.
b. Drag a smart card reader from the shelf to the highlighted location outside the building's front door.
c. Drag a smart card reader from the shelf to the highlighted location outside the networking closet's
door.
3. Install the Restricted Access sign:
a. From the Shelf, expand Restricted Access Signs.
b. Drag the Restricted Access sign from the shelf to the networking closet door.
4. Install the visitor log:
a. From the Shelf, expand Visitor Logs.
b. Drag the visitor log from the shelf to the lobby desk.

12.4.5 Respond to Social Engineering Exploits

Lab Report
Time Spent: 02:00

Score: 8/8 (100%) Pass Passing Score: 8/8 (100%)

TASK SUMMARY

Required Actions

Delete the Microsoft Windows Update Center phishing email

Delete the Jim Haws malicious attachment email

Delete the Executive Recruiting whaling email

Delete the Riverdale Estates HOA Online Banking phishing email

Delete the Grandma White forwarded email hoax

Delete the Daisy Knudsen spear phishing email

Delete the Rachelle Hancock malicious attachment email

Delete the Grandma White forwarded email hoax

EXPLANATION
Complete this lab as follows:

1. Read each email and determine whether the email is legitimate.
2. Delete any emails that are attempts at social engineering.
3. Keep all emails that are safe.
4. The following table lists a summary of the results:

Email: Microsoft Windows Update Center (New Service Pack)
Diagnosis: Phishing
Action: Delete
Description: Notice the various spelling errors and that the link does not direct you to a Microsoft website.

Email: Jim Haws (Re: Lunch Today?)
Diagnosis: Malicious Attachment
Action: Delete
Description: This email appears to be from a colleague. However, why would he fail to respond to your lunch question and send you a random attachment in return?

Email: Executive Recruiting (Executive Jobs)
Diagnosis: Whaling
Action: Delete
Description: Whaling uses tailored information to attack executives. Clicking the link could install malware that would capture sensitive company information.

Email: Human Resources (Ethics Video)
Diagnosis: Safe
Action: Keep
Description: While this email has an embedded link, it is digitally signed, so you know it actually comes from your Human Resources department. In addition, if you hover over the link, you see that it is a secure link to the corporate web server.

Email: Riverdale Estates HOA (Payment Pending)
Diagnosis: Phishing
Action: Delete
Description: This is a carefully crafted attempt to get your bank account information. Hover over the link and notice that it does not direct you to your credit union website, but to an unknown IP address instead.

Email: Grandma White (FW: FW: FW: Virus Attack Warning)
Diagnosis: Hoax
Action: Delete
Description: Any email that asks you to forward it to everyone you know is probably a hoax.

Email: Daisy Knudsen (Web Site Update)
Diagnosis: Spear Phishing
Action: Delete
Description: While this email appears to come from a colleague, notice that the link points to an executable file from a Russian domain name. This probably is not a message a real colleague would send. This file will likely infect the computer with malware.

Email: Rachelle Hancock (Wow!!)
Diagnosis: Malicious Attachment
Action: Delete
Description: Emails with attachments from random people who address you as "Dear Friend" are probably not safe.

Email: Grandma White (Free Airline Tickets)
Diagnosis: Hoax
Action: Delete
Description: Any email that asks you to forward it to everyone you know is probably a hoax, even if the contents promise you a prize. In addition, there is no way to know how many people the email has been forwarded to.

Email: Human Resources (IMPORTANT NOTICE-Action Required)
Diagnosis: Safe
Action: Keep
Description: While this email appears very urgent, it doesn't ask you to click on anything or run any attachments. It does inform you that you need to go to a website that you should already know and make sure your courses are complete.

Email: Activities Committee (Pumpkin Contest)
Diagnosis: Safe
Action: Keep
Description: This email doesn't ask you to click on anything or run any attachments.

Email: Bob Averez (Presentation)
Diagnosis: Safe
Action: Keep
Description: This email doesn't ask you to click on anything or run any attachments.
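The descriptions in the table above all rest on a handful of observable signals: a link whose host is a bare IP address or a domain unrelated to the sender, a link to an executable, an attachment from a sender whose identity the mail client has not verified, a "Dear Friend" greeting, and a request to forward the message to everyone. The script below is an added example, written for this page rather than taken from TestOut, that turns those signals into a repeatable triage check over a constructed mailbox. The corporate domain corpnet.example, the sample senders and the link hosts are all assumed; it treats a message as trusted only when it comes from the corporate domain and carries a verified digital signature, which is the discriminator the Human Resources "Ethics Video" row relies on.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

CORP_DOMAIN = "corpnet.example"   # assumed corporate mail domain
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi")


@dataclass
class Email:
    sender: str                                   # From address
    subject: str
    body: str
    links: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)
    signed: bool = False                          # signature verified by the mail client


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def _registered(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])


def _is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def assess(msg, corp_domain=CORP_DOMAIN) -> Tuple[str, List[str]]:
    """Return ('keep' | 'delete', reasons) using the signals from the lab table."""
    reasons = []
    sender_domain = _domain(msg.sender)
    trusted = msg.signed and sender_domain == corp_domain
    text = (msg.subject + " " + msg.body).lower()

    for url in msg.links:
        u = urlparse(url)
        host_name = (u.hostname or "").lower()
        if _is_ip(host_name):
            reasons.append("link goes to a bare IP address: " + host_name)
        elif _registered(host_name) != _registered(sender_domain):
            reasons.append("link domain %s does not match sender domain %s"
                           % (host_name, sender_domain))
        if u.scheme != "https":
            reasons.append("link is not HTTPS: " + url)
        if u.path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("link points at an executable: " + u.path)

    if msg.attachments and not trusted:
        reasons.append("attachment from an unverified sender: " + ", ".join(msg.attachments))
    if "dear friend" in text:
        reasons.append("generic greeting")
    if re.search(r"forward (this|it) to everyone", text):
        reasons.append("chain-letter request")
    return ("delete" if reasons else "keep"), reasons


def triage(emails):
    """Map each subject to its verdict."""
    return {m.subject: assess(m)[0] for m in emails}


# Constructed sample mailbox (all addresses and hosts are reserved example names).
SAMPLE_EMAILS = [
    Email("updates@update-center.example", "New Service Pack", "Instal the new servise pack now.",
          links=["http://203.0.113.77/update"]),
    Email("jim.haws@corpnet.example", "Re: Lunch Today?", "See attached.",
          attachments=["invoice.zip"]),
    Email("hr@corpnet.example", "Ethics Video", "Please watch this quarter's ethics video.",
          links=["https://intranet.corpnet.example/ethics"], signed=True),
    Email("billing@riverdale-hoa.example", "Payment Pending", "Confirm your bank details.",
          links=["http://198.51.100.9/login"]),
    Email("grandma@mail.example", "FW: FW: FW: Virus Attack Warning",
          "Please forward this to everyone you know!"),
    Email("daisy.knudsen@corpnet.example", "Web Site Update", "Run the updater.",
          links=["http://updates.example/setup.exe"]),
    Email("rachelle@somewhere.example", "Wow!!", "Dear Friend, look at this.",
          attachments=["photo.scr"]),
    Email("hr@corpnet.example", "IMPORTANT NOTICE-Action Required",
          "Complete your courses on the training site you already use."),
    Email("activities@corpnet.example", "Pumpkin Contest", "Judging is Friday at noon."),
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        verdict, why = assess(m)
        print("%-6s %-34s %s" % (verdict, m.subject, "; ".join(why)))
```

The verdicts reproduce the table's keep/delete split for the rows these signals cover. The heuristics are deliberately conservative: a signed internal message with an HTTPS link to the corporate domain is kept, while any unverified attachment is flagged even from an internal address, which is exactly the "Re: Lunch Today?" case.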

6.1.7 Configure a Host Firewall

Lab Report
Time Spent: 08:07

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

Install the fastest router

Configure the Windows Firewall on Dorm-PC

Configure the Windows Firewall on Dorm-PC2

EXPLANATION
Complete this lab as follows:

On Dorm-PC:

1. Add the fastest router to the workspace and provide power.
a. Under Shelf, expand Routers.
b. Drag Router, 100/1000BaseTX Ethernet to the Workspace.
For convenience, place the router to the left of the wall plate.
c. Above the router, select Back to switch to the back view of the router.
d. Under Shelf, expand Cables and then select Power Adapter, AC to DC.
e. From the Selected Component pane:
Drag the DC Power Connector to the power port on the back of the router.
Drag the AC Power Adapter to the surge protector.

2. Connect the Dorm-PC to the router and internet.
a. Drag the Ethernet cable currently connected to the wall plate (the other end is connected to Dorm-PC)
to a LAN port on the router.
b. Under Shelf, select Cat5e Cable, RJ45.
c. From the Selected Component pane:
Drag an RJ45 Connector to the WAN port on the router.
Drag the unconnected RJ45 Connector to the Ethernet port on the wall plate.
d. (Optional) Above the router, select Front to verify power and network activity lights.
3. Establish a connection to the internet.
a. On the Dorm-PC monitor, select Click to view Windows 10.
b. Right-click Start and select Windows PowerShell (Admin).
c. At the PowerShell prompt, type IPconfig /renew and press Enter to request new TCP/IP information
from the router.
d. In the notification area of the taskbar, right-click the Network icon and select Open Network and
Internet settings. The network information map should indicate an active connection to the Firewall
Network and the internet.
4. From Dorm-PC, turn on the applicable Windows Firewalls.
a. In Network and Internet, in the right pane, scroll down and select Windows Firewall.
b. From the right pane, under Private network, select Turn on.
c. From the right pane, under Public network, select Turn on.
5. Allow a program through the firewall on Dorm-PC.
a. From the Windows Security window, select Allow an app through firewall.
b. Select Change settings.
c. Select Allow another app to configure an exception for an uncommon program.
d. In the Add an app dialog, select SuperBlast from the list.
e. Select Add.
f. For the SuperBlast program, make sure the check mark for the Public profile is not selected.
g. Select OK.

On Dorm-PC2:

1. Connect Dorm-PC2 to the router.
a. From the top left, select Bench to return to the bench view.
b. Above the Dorm-PC2 computer, select Back.
c. Under Shelf, expand Cables.
d. Select a Cat5e Cable, RJ45.
e. From the Selected Component pane:
Drag an RJ45 Connector to the LAN port on the Dorm-PC2 computer.
Drag the unconnected RJ45 Connector to an open LAN port on the router.

2. For Dorm-PC2, request new TCP/IP information from the router.
a. On the Dorm-PC2 monitor, select Click to view Windows 10.
b. Right-click Start and then select Windows PowerShell (Admin).
c. At the PowerShell prompt, type IPconfig.
Notice the connection to the [Link] network.
d. In the notification area of the taskbar, right-click the Network icon and select Open Network and
Internet settings.
The network information map should indicate an active connection to the Firewall Network and the
internet.
3. From Dorm-PC2, turn on the applicable Windows Firewalls.
a. In Network and Internet, in the right pane, scroll down and select Windows Firewall.
b. From the right pane, under Private network, select Turn on.
c. From the right pane, under Public network, select Turn on.
4. Allow the SuperBlast program through the firewall.
a. From the Windows Security window, select Allow an app through firewall.
b. Select Change settings.
c. Select Allow another app to configure an exception for an uncommon program.
d. In the Add an app dialog, select SuperBlast from the list.
e. Select Add.
f. For the SuperBlast program, make sure the check mark for the Public profile is not selected.
g. Select OK.

6.2.5 Configure Network Security Appliance Access

Lab Report
Time Spent: 03:36

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

Change the password for the admin account to P@ssw0rd

Create and configure a new pfSense user

Set a 20-minute session timeout for pfSense

Enable anti-lockout for HTTP

EXPLANATION
Complete this lab as follows:

1. Access the pfSense management console.
a. From the taskbar, select Google Chrome.
b. Maximize the window for better viewing.
c. In the Google Chrome address bar, enter [Link] and then press Enter.
d. Enter the pfSense sign-in information as follows:
Username: admin
Password: pfsense
e. Select SIGN IN.
2. Change the password for the default (admin) account.
a. From the pfSense menu bar, select System > User Manager.
b. For the admin account, under Actions, select the Edit user icon (pencil).
c. For Password, change to P@ssw0rd (0 = zero).
d. Enter P@ssw0rd in the Confirm Password field.
e. Scroll to the bottom and select Save.
3. Create and configure a new pfSense user.
a. Select Add.
b. Enter lyoung as the username.
c. Enter C@nyouGuess!t in the Password field.
d. Enter C@nyouGuess!t in the Confirm Password field.
e. Enter Liam Young in the Full Name field.
f. For Group membership, select admins and then select Move to "Member of" list.
g. Scroll to the bottom and select Save.
4. Set a session timeout for pfSense.
a. Under the System breadcrumb, select Settings.
b. For Session timeout, enter 20.
c. Select Save.
5. Disable the webConfigurator anti-lockout rule for HTTP.
a. From the pfSense menu bar, select System > Advanced.
b. Under webConfigurator, for Protocol, select HTTP.
c. Scroll down and select Anti-lockout to disable the webConfigurator anti-lockout rule.
d. Scroll to the bottom and select Save.

6.2.6 Configure a Security Appliance

Lab Report
Time Spent: 01:44

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

Configure DNS servers

Configure WAN settings

Add and configure a new gateway

EXPLANATION
Complete this lab as follows:

1. Access the pfSense management console.
a. Sign in using the following case-sensitive information:
Username: admin
Password: P@ssw0rd (zero).
b. Select SIGN IN or press Enter.
2. Configure the DNS servers.
a. From the pfSense menu bar, select System > General Setup.
b. Under DNS Server Settings, configure the primary DNS server.
Address: [Link]
Hostname: DNS1
Gateway: None
c. Select Add DNS Server to add a secondary DNS server and then configure it.
Address: [Link]
Hostname: DNS2
Gateway: None
d. Scroll to the bottom and select Save.
3. Configure the WAN settings.
a. From the pfSense menu bar, select Interfaces > WAN.
b. Under General Configuration, select Enable interface.
c. Use the IPv4 Configuration Type drop-down to select Static IPv4.
d. Under Static IPv4 Configuration, in the IPv4 Address field, use [Link]
e. Use the IPv4 Address subnet drop-down to select 8.
f. Under Static IPv4 Configuration, select Add a new gateway.
g. Configure the gateway settings as follows:
Default: select Default gateway
Gateway name: WANGateway
Gateway IPv4: [Link]
h. Select Add.
i. Scroll to the bottom and select Save.
j. Select Apply Changes.

6.2.8 Configure a Perimeter Firewall

Lab Report
Time Spent: 04:24

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

Create and configure a firewall rule to pass HTTP traffic from the internet to the web server

Create and configure a firewall rule to pass HTTPS traffic from the internet to the web server

Create and configure a firewall rule to pass all traffic from the LAN network to the screened subnet (DMZ) network

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Create and configure a firewall rule to pass HTTP traffic from the internet to the web server.
a. From the pfSense menu bar, select Firewall > Rules.
b. Under the Firewall breadcrumb, select DMZ.
c. Select Add (either one).
d. Make sure Action is set to Pass.
e. Under Source, use the drop-down menu to select WAN net.
f. Select Display Advanced.
g. For Source Port Range, use the From drop-down menu to select HTTP (80).
h. Under Destination, use the Destination drop-down menu to select Single host or alias.
i. In the Destination Address field, enter [Link]
j. Using the Destination Port Range drop-down menu, select HTTP (80).
k. Under Extra Options, in the Description field, enter HTTP to DMZ from WAN.
l. Select Save.
m. Select Apply Changes.
3. Create and configure a firewall rule to pass HTTPS traffic from the internet to the web server.
a. For the rule just created, select the Copy icon (two files).
b. Under Source, select Display Advanced.
c. Change the Source Port Range to HTTPS (443).
d. Under Destination, change the Destination Port Range to HTTPS (443).
e. Under Extra Options, change the Description field to HTTPS to DMZ from WAN.
f. Select Save.
g. Select Apply Changes.
4. Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network.
a. Select Add (either one).
b. Make sure Action is set to Pass.
c. For Interface, use the drop-down menu to select LAN.
d. For Protocol, use the drop-down menu to select Any.
e. Under Source, use the drop-down menu to select LAN net.
f. Under Destination, use the drop-down menu to select DMZ net.
g. Under Extra Options, in the Description field, enter LAN to DMZ Any.
h. Select Save.
i. Select Apply Changes.

6.3.4 Configure a Screened Subnet (DMZ)

Lab Report
Time Spent: 05:08

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Configure an interface for the DMZ

- Add a firewall rule to the DMZ interface

- Configure pfSense's DHCP server for the DMZ interface

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.
a. Enter admin in the Username field.
b. In the Password field, enter P@ssw0rd (0 = zero).
c. Select SIGN IN or press Enter.
2. Configure an interface for the DMZ.
a. From the pfSense menu bar, select Interfaces > Assignments.
b. Select Add.
c. Select OPT1.
d. Select Enable interface.
e. Change the Description field to DMZ.
f. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4.
g. Under Static IPv4 Configuration, change the IPv4 Address field to [Link]
h. Use the Subnet mask drop-down menu to select 16.
i. Select Save.
j. Select Apply Changes.
k. (Optional) Verify the change as follows:
From the menu bar, select pfsense COMMUNITY EDITION.
Under Interfaces, verify that the DMZ is shown with the correct IP address.

3. Add a firewall rule to the DMZ interface that allows all traffic from the DMZ.
a. From the pfSense menu bar, select Firewall > Rules.
b. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.)
c. Select Add (either one).
d. For the Action field, make sure Pass is selected.
e. For the Interface field, make sure DMZ is selected.
f. For the Protocol, use the drop-down menu to select Any.
g. Under Source, use the drop-down menu to select DMZ net.
h. Under Destination, make sure it is configured for any.
i. Under Extra Options, enter Allow DMZ to any rule as the description.
j. Scroll to the bottom and select Save.
k. Select Apply Changes.
4. Configure pfSense's DHCP server for the DMZ interface.
a. From the menu bar, select Services > DHCP Server.
b. Under the Services breadcrumb, select DMZ.
c. Select Enable to enable DHCP server on the DMZ interface.
d. Configure the Range field as follows:
From: [Link]
To: [Link]
e. Scroll to the bottom and select Save.

6.4.4 Implement Intrusion Prevention

Lab Report
Time Spent: 05:15

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions

- Configure Snort rules

- Configure Sourcefire OpenAppID Detectors

- Configure the Rules Update Settings

- Configure General Settings

- Configure the Snort Interface settings for the WAN interface

EXPLANATION

Complete this lab as follows:

1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Access Snort Global Settings.
a. From the pfSense menu bar, select Services > Snort.
b. Under the Services breadcrumb, select Global Settings.
3. Configure the required rules to be downloaded.
a. Select Enable Snort VRT.
b. In the Snort Oinkmaster Code field, enter 992acca37a4dbd7. You can copy and paste this from the scenario.
c. Select Enable Snort GPLv2.
d. Select Enable ET Open.
4. Configure the Sourcefire OpenAppID Detectors to be downloaded.
a. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
b. Select Enable RULES OpenAppID.
5. Configure when and how often the rules will be updated.
a. Under Rules Update Settings, use the Update Interval drop-down menu to select 4 DAYS.
b. For Update Start Time, change to 00:10 (12:10 a.m. in 24-hour format).
c. Select Hide Deprecated Rules Categories.
6. Configure Snort General Settings.
a. Under General Settings, use the Remove Blocked Hosts Interval drop-down menu to select 1 Day.
b. Select Startup/Shutdown Logging.
c. Select Save.
7. Configure the Snort Interface settings for the WAN interface.
a. Under the Services breadcrumb, select Snort Interfaces and then select Add.
b. Under General Settings, make sure Enable interface is selected.
c. For Interface, use the drop-down menu to select WAN (CorpNet_pfSense_L port 1).
d. For Description, use Snort-WAN.
e. Under Alert Settings, select Send Alerts to System Log.
f. Select Block Offenders.
g. Scroll to the bottom and select Save.
8. Start Snort on the WAN interface.
a. Under the Snort Status column, select the arrow to start Snort.
b. Wait for a checkmark to appear, indicating that Snort was started successfully.

7.1.6 Secure a Switch

Lab Report
Time Spent: 04:31

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Create a new user account

- Edit the default user account

- Save the changes to the switch's startup configuration file

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. From the taskbar, select Google Chrome.
b. In the URL field, enter [Link] and press Enter.
c. Maximize the window for easier viewing.
d. In the Username and Password fields, enter cisco (case sensitive).
e. Select Log In.
2. Create a new user account.
a. Under Quick Access on the Getting Started menu, select Change Device Password.
b. Select Add.
c. For the username, enter ITSwitchAdmin (case sensitive).
d. For the password, enter Admin$only1844 (case sensitive).
e. For Confirm Password, enter Admin$only1844.
f. For User Level, make sure Read/Write Management Access (15) is selected.
g. Select Apply.
h. Select Close.
3. Edit the default user account.
a. Under the User Accounts table, select cisco (the default user) and then select Edit.
b. For Password, enter CLI$only1958.
c. For Confirm Password, enter CLI$only1958.
d. For User Level, select Read-Only CLI Access (1).
e. Select Apply.
4. Save the changes to the switch's startup configuration file.
a. From the top of the switch window, select Save.
b. Under Source File Name, make sure Running configuration is selected.
c. Under Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
7.2.10 Configure Management VLAN Settings - CLI

Lab Report
Time Spent: 02:10

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Set the IP address for the switch

- Set the default gateway address

- Save the changes

EXPLANATION
Complete this lab as follows:

1. Configure the IP address and subnet mask for the VLAN 1 interface.
a. Select Switch.
b. From the switch terminal, press Enter to get started.
c. At the Switch> prompt, type enable and press Enter.
d. At the Switch# prompt, type configure terminal and press Enter.
e. At the Switch(config)# prompt, type interface vlan1 and press Enter.
f. At the Switch(config-if)# prompt, type ip address [Link] [Link] and press Enter.
g. Type exit and press Enter.
2. Configure the default gateway.
a. At the Switch(config)# prompt, type ip default-gateway [Link] and press Enter.
b. At the prompt, type exit and press Enter.
3. Verify the configuration changes.
a. At the prompt, type show run and press Enter.
b. Press the space bar as needed to verify that the correct changes were made.
c. Press any key to exit the show command.
4. Save your changes to the startup-config file.
a. At the Switch# prompt, type copy run start and press Enter.
b. Press Enter to begin building the configuration.
c. Press Enter to return to the prompt.

7.2.4 Configure Switch IP and VLAN - GUI

Lab Report
Time Spent: 03:21

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Assign a static IPv4 address

- Change the default VLAN to VLAN 16

- Save the configuration

- Reboot the switch

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. In the Google Chrome URL field, type [Link] and press Enter.
b. Maximize the window for better viewing.
c. In the Username and Password fields, enter cisco (case-sensitive).
d. Select Log In.
2. Assign a static IPv4 address to VLAN 1.
a. From the left navigation pane, expand and select Administration > Management Interface > IPv4 Interface.
b. From the right pane, for IP Address Type, select Static.
c. Configure the IPv4 interface as follows:
IP address: [Link]
Mask: [Link]
Administrative Default Gateway: [Link]
d. Select Apply.
e. Select OK.
The switch will automatically log you out.
3. Log in to the Cisco switch.
a. In the Username and Password fields, enter cisco (case-sensitive).
b. Select Log In.
4. Change the default VLAN ID for the switch to VLAN 16.
a. From the left pane, expand and select VLAN Management > Default VLAN Settings.
b. Set Default VLAN ID After Reboot to 16.
c. Select Apply and then select OK.
5. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
6. Reboot the switch for changes to take effect.
a. From the left pane, expand and select Administration > Reboot.
b. From the right pane, select Reboot.
c. Select OK.
d. Wait for the switch to restart.
e. From the upper right, select Score Lab.

7.2.6 Create VLANs - GUI

Lab Report
Time Spent: 06:08

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Create and configure the VLAN

- Connect the IP cameras to the VLAN and mount the IP cameras to the wall

- Connect the laptop to the VLAN

- Launch the IP camera-monitoring software and confirm that the IP cameras are online

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. In the Username and Password fields for the Cisco switch, enter cisco (case-sensitive).
b. Select Log In.
2. Create the IPCameras VLAN.
a. From the Getting Started pane (right), under Initial Setup, select Create VLAN.
b. Select Add.
c. For VLAN ID, enter 2.
d. For VLAN Name, enter IPCameras.
e. Select Apply.
f. Select Close.
3. Configure the IPCameras VLAN ports.
a. From the left pane, under VLAN Management, select Port to VLAN.
b. Using the VLAN ID equals to drop-down menu, select 2.
c. Select Go.
d. For ports GE18 through GE21, use the drop-down menus to select Untagged.
e. Select Apply.
4. Connect the IP camera in the lobby to the VLAN and mount the IP cameras.
a. From the top left, select Floor 1.
b. Under Lobby, select Hardware.
c. Under Shelf, expand CCTV Cameras.
d. Drag the IP Camera (Lobby) to the workspace.
e. Under Workspace, for the IP camera, select Back to switch to the back view of the IP camera.
f. Under Shelf, expand Cables and then select the Cat5e Cable, RJ45 cable.
g. From the Selected Component pane:
Drag an RJ45 Connector to the RJ-45 port on the IP camera wall mount plate.
Drag the unconnected RJ45 Connector to the RJ-45 port on the back of the IP camera.
h. Drag the IP camera to the IP camera wall plate.
5. Connect the IP camera in the Networking Closet to the VLAN and mount the IP cameras.
a. From the top left, select Floor 1.
b. Under Networking Closet, select Hardware.
c. Under Shelf, expand CCTV Cameras.
d. Drag the IP Camera (Networking Closet) to the workspace.
e. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera.
f. Under Shelf, expand Cables and then select the Cat5e Cable, RJ45 cable.
g. From the Selected Component pane:
Drag an RJ45 Connector to the RJ-45 port on the IP camera mount wall plate.
Drag the unconnected RJ45 Connector to the RJ-45 port on the back of the IP camera.
h. Drag the IP camera to the IP camera wall plate to mount the IP camera.
6. Connect the DHCP server and laptop to the VLAN.
a. From the Networking Closet, under Shelf, select Cat5e Cable, RJ45.
b. From the Selected Component pane:
Drag an RJ45 Connector to port 21 on the switch.
Drag the unconnected RJ45 Connector to port 21 on the patch panel.

7. Connect IT-Laptop2 to the VLAN.
a. From the top menu, select Floor 1.
b. Under IT Administration, select Hardware.
c. Above IT-Laptop2, select Back to switch to the back view of the laptop.
d. Under Shelf, select Cat5e Cable, RJ45.
e. From the Selected Component pane:
Drag an RJ45 Connector to the RJ-45 port on the laptop.
Drag the unconnected RJ45 Connector to the open RJ-45 port on the wall plate.

To verify that all components are connected, you can change the location to the Networking Closet hardware view. You should see green link/activity lights on ports 18 - 21 of the switch.

8. Launch the IP camera monitoring software.
a. Under the laptop's workspace, select Front.
b. On the IT-Laptop2, select Click to view Windows 10.
c. From the taskbar, select Start.
d. Select IP Cameras.
e. Verify that both cameras are detected on the network.

7.2.9 Configure Switch IP Settings - CLI

Lab Report
Time Spent: 05:18

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions & Questions

- Set the IP address for the switch

- Set the default gateway address

- Save the changes

- Q1: What is the IP address assigned to the FastEthernet0/0 interface on the SFO router?

EXPLANATION
Complete this lab as follows:

1. Find the IP address assigned to the FastEthernet0/0 interface on the SFO router.
a. Select the Branch1 switch.
b. From the Terminal, press Enter to get started.
c. Type enable and press Enter to change to the EXEC or Global Configuration mode.
d. Type show cdp neighbors detail and press Enter.
e. Find the IP address for the SFO router.
f. From the top right, select Answer Questions.
g. Answer the question.
h. Move the question dialog to the side and keep working.
2. Configure the IP address and subnet mask for the Branch1 switch.
a. At the Branch1# prompt, type config t and press Enter.
b. At the Branch1(config)# prompt, type interface vlan1 and press Enter.
c. At the Branch1(config-if)# prompt, type ip address [Link] [Link] and press Enter.
d. At the Branch1(config-if)# prompt, type exit and press Enter.
3. Configure the switch to use the FastEthernet0/0 interface on the SFO router as the default gateway.
a. At the Branch1(config)# prompt, type ip default-gateway routers_IP_address and press Enter.
b. At the Branch1(config)# prompt, type exit and press Enter.
4. Save your changes to the startup-config file.
a. At the Branch1# prompt, type copy run start and press Enter.
b. Press Enter to begin building the configuration.
c. When you see OK, press Enter.
d. From the question dialog, select Score Lab.
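Step 1 of this lab reads the SFO router's address out of the `show cdp neighbors detail` listing by eye. The following is an added example (not part of the TestOut lab) that parses that listing and pulls out the address a named neighbor reports on a named port; the CDP output it runs on is a constructed sample in IOS format, and its addresses are placeholders, not the lab's values.

```python
"""Find the IP address a CDP neighbor reports for one of its ports, as step 1
of the lab does by hand with `show cdp neighbors detail`.

Added example, not part of the TestOut lab. The CDP output below is a
constructed sample in IOS format; its addresses are placeholders, not the
lab's values.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `show cdp neighbors detail` output (placeholder addresses).
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: SFO
Entry address(es):
  IP address: 192.0.2.1
Platform: cisco 2811,  Capabilities: Router Switch IGMP
Interface: GigabitEthernet0/1,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 143 sec

-------------------------
Device ID: Branch1-AP
Entry address(es):
  IP address: 192.0.2.50
Platform: cisco AIR-AP1141N,  Capabilities: Trans-Bridge
Interface: GigabitEthernet0/5,  Port ID (outgoing port): GigabitEthernet0
Holdtime : 160 sec
"""


@dataclass
class CdpNeighbor:
    device_id: str
    local_interface: str      # port on this switch that heard the advertisement
    remote_port: str          # the neighbor's own port (Port ID)
    capabilities: str
    ip_addresses: list = field(default_factory=list)


def parse_cdp_detail(text: str) -> list:
    """Split the output on the dashed separator lines and read each entry's fields."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        dev = re.search(r"^Device ID:\s*(\S+)", block, re.MULTILINE)
        if not dev:
            continue  # empty chunk before the first separator
        iface = re.search(r"^Interface:\s*([^,]+),\s*Port ID \(outgoing port\):\s*(\S+)",
                          block, re.MULTILINE)
        caps = re.search(r"Capabilities:\s*(.+?)\s*$", block, re.MULTILINE)
        neighbors.append(CdpNeighbor(
            device_id=dev.group(1),
            local_interface=iface.group(1).strip() if iface else "",
            remote_port=iface.group(2) if iface else "",
            capabilities=caps.group(1) if caps else "",
            ip_addresses=re.findall(r"^\s*IP address:\s*(\d+\.\d+\.\d+\.\d+)",
                                    block, re.MULTILINE),
        ))
    return neighbors


def find_neighbor_ip(text: str, device_id: str, remote_port: str):
    """Return the first address `device_id` advertises on `remote_port` (here the
    SFO router's FastEthernet0/0), or None if that neighbor/port pair is not seen."""
    for n in parse_cdp_detail(text):
        if n.device_id == device_id and n.remote_port == remote_port and n.ip_addresses:
            return n.ip_addresses[0]
    return None


if __name__ == "__main__":
    for n in parse_cdp_detail(SAMPLE_CDP_DETAIL):
        print(f"{n.device_id:12} {n.local_interface:20} -> {n.remote_port:18} {n.ip_addresses}")
    print("SFO FastEthernet0/0 ->", find_neighbor_ip(SAMPLE_CDP_DETAIL, "SFO", "FastEthernet0/0"))
```

The same parser doubles as a quick inventory check: any neighbor that appears in the listing but not in your device records is worth a look.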

7.3.12 Configure Port Mirroring

Lab Report
Time Spent: 01:55

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Set port 26 to VLAN1

- Mirror received traffic from port 28 to port 26

- Save the changes to the switch's startup configuration file

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. Maximize the Google Chrome window for better viewing.
b. In the Username and Password fields, enter cisco (case-sensitive).
c. Select Log In.
2. Assign port GE26 to VLAN 1.
a. From the left pane, expand and select VLAN Management > Port VLAN Membership.
b. Select GE26 and then select Join VLAN.
c. From the left pane, under Select VLAN, select 1 (for VLAN 1).
d. Select > to move VLAN 1 from the available pane to the attached VLAN pane.
e. Select Apply and then select Close.
3. Mirror the received traffic from port GE28 to port GE26.
a. From the left pane, expand and select Administration > Diagnostics > Port and VLAN Mirroring.
b. Select Add.
c. For the Destination Port, use the drop-down list to select GE26.
d. For the Source Interface, use the drop-down list to select GE28.
e. For the Type, make sure that Rx only is selected. This allows you to only mirror the incoming packets.
f. Select Apply and then select Close.
4. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For the Source File Name, make sure Running configuration is selected.
c. For the Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.

7.3.14 Configure PoE

Lab Report
Time Spent: 01:32

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

- Set the PoE Power Mode to Class Limit

- Q1: How many watts of power is the security camera currently using?

- Q2: How many watts of power are available in the switch for PoE devices?

- Configure the PoE priority for port GE23 to be Critical

- Save the changes to the switch's startup configuration file

EXPLANATION

Complete this lab as follows:

1. Log in to the Cisco switch.
a. Maximize the Google Chrome window for better viewing.
b. In the Username and Password fields, enter cisco (case-sensitive).
c. Select Log In.
2. Set the Power over Ethernet (PoE) switch properties.
a. From the left pane, expand and select Port Management > PoE > Properties.
b. Select Class Limit.
c. Select Apply.
d. From the top right, select Answer Questions.
e. Answer the questions.
f. Minimize the Lab Questions dialog.
3. Configure the PoE priority for port GE23 to be Critical.
a. From the left pane, under PoE, select Settings.
b. From the right pane, select port GE23 and click Edit.
c. For Power Priority Level, select Critical.
d. Select Apply.
e. Select Close.
4. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
5. Score the lab.
a. From the top right, select Answer Questions.
b. Select Score Lab.

7.3.4 Configure Trunking

Lab Report
Time Spent: 10:30

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

- Q1: What is the default Interface VLAN mode?

- Set ports GE1 - GE26 to Access Mode

- Leave ports GE27 and GE28 set to Trunk, but set the PVID to 2

- Add VLANs 22, 44, and 67 to ports 27 & 28

- Save and apply your changes

EXPLANATION

Complete this lab as follows:

1. Log in to the Cisco switch.
a. From the taskbar, select Google Chrome.
b. In the URL field, enter [Link] and press Enter.
c. Maximize the window for better viewing.
d. In the Username and Password fields, enter cisco (the password is case sensitive).
e. Select Log In.
2. Examine the switch port defaults.
a. From the left navigation bar, expand and select VLAN Management > Interface Settings.
b. Using the interface shown in the right pane, examine the settings for all ports.

For a detailed view of a single port, you can select Edit.

c. From the upper right, select Answer Questions.
d. Answer Question 1.
e. Minimize the Lab Questions dialog.
3. Set ports GE1 through GE26 to Access Mode.
a. From the Interface Settings pane, select GE1.
b. Select Edit.
c. Maximize the window for better viewing.
d. For Interface VLAN Mode, select Access.
e. Select Apply and then select Close.
f. With GE1 still selected, click Copy Settings.
g. In the to field, type 2-26 and then select Apply.
Notice that under the Interface VLAN Mode column, ports GE1-GE26 are now set to Access.
4. Set the port VLAN ID (PVID) for ports GE27-GE28 to the value of 2.
a. Select the desired port and then select Edit.
b. For the Administrative PVID, enter 2.
c. Select Apply and then Close.
d. Repeat steps 4a - 4c for the second port.
5. Add VLANs 22, 44, and 67 to ports GE27 and GE28.
a. From the left pane, under VLAN Management, select Port VLAN Membership.
b. Select port GE27 and then select Join VLAN.
c. From the new window, hold down the Shift key and select VLANs 22, 44, and 67; then select the > button to assign the VLANs.
d. Select Apply and then select Close.
e. Repeat steps 5b - 5d for port GE28.
6. Save the changes to the switch's startup configuration file.
a. From the top of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
7. Score the lab.
a. From the upper right, select Answer Questions.
b. Select Score Lab.

7.3.6 Configure Port Aggregation

Lab Report
Time Spent: 04:56

Score: 6/6 (100%) Pass Passing Score: 6/6 (100%)

TASK SUMMARY

Required Actions & Questions

- Create a new Link Aggregation Group (LAG)

- Configure a new LAG-to-VLAN mode of access

- Join LAG1 to VLAN13

- Q1: What is the current link state for LAG1?

- Q2: What are the active members of LAG1?

- Save the changes to the startup configuration

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. In the Username and Password fields, enter cisco (case-sensitive).
b. Select Log In.
2. Create a new Link Aggregation Group (LAG1).
a. From the left pane, expand and select Port Management > Link Aggregation > LAG Management.
b. From the right pane, select LAG 1 and then select Edit.
c. In the LAG Name field, type windows_server.
d. Select LACP to enable the Link Aggregation Control Protocol (LACP).
e. Under Port List, press and hold the Shift key; then select GE1 and GE2.
f. Select > to add the ports to the LAG Members pane.
g. Select Apply.
h. Select Close.
3. Configure LAG1 to the VLAN mode of access.
a. From the left pane, expand and select VLAN Management > Interface Settings.
b. Using the Filter: Interface Type equals to drop-down menu, select LAG and then select Go.
c. Select LAG1 and then select Edit.
d. For Interface VLAN Mode, select Access.
e. Select Apply.
f. Select Close.
4. Join LAG1 to VLAN13.
a. From the left pane, expand and select VLAN Management > Port VLAN Membership.
b. Using the Filter: Interface Type equals to drop-down menu, select LAG and then select Go.
c. Select LAG1 and then select Join VLAN.
d. Under Select VLAN, from the right pane, select 1U and then select < to remove VLAN1.
e. From the left pane, select VLAN13; then select > to add the VLAN to the selected VLANs pane.
f. Select Apply.
g. Select Close.
5. Verify the status of the new LAG1 group.
a. From the left navigation bar, expand and select Port Management > Link Aggregation > LAG Management.
b. From the top right, select Answer Questions.
c. Answer the questions.
This connection is now ready to use LACP.
d. Minimize the Lab Questions window.
6. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
g. From the top right, select Answer Questions.
h. Select Score Lab.

7.3.8 Enable Jumbo Frame Support

Lab Report
Time Spent: 02:07

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

- Enable Jumbo Frames

- Save configuration changes to switch

- Reboot the switch

- Q1: How many combined Undersize Packets, Oversize Packets, Fragments, Jabbers, and Collisions are there?

- Q2: True or False: Now that Jumbo Frames is enabled, network devices should also be configured to use Jumbo Frames or have a frame size larger than 1500 bytes.

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. Maximize the Google Chrome window for better viewing.
b. In the Username and Password fields, enter cisco (the password is case sensitive).
c. Select Log In.
2. Enable Jumbo Frames.
a. From the left pane, expand and select Port Management > Port Settings.
b. For Jumbo Frames, select Enable.
c. Select Apply.
3. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.
4. Reboot the switch.
a. From the left pane, under Administration, select Reboot.
b. Select Reboot to reboot the switch immediately.
c. Select OK.
5. Log in to the Cisco switch and check switch statistics for any errors.
a. In the Username and Password fields, enter cisco (the password is case sensitive).
b. Select Log In.
c. From the left pane, expand and select Status and Statistics > RMON > Statistics.
d. For Interface, use the drop-down list to select GE28.
e. Review the statistics for Undersize, Oversize, Jabbers, and Collisions.
f. From the top right, select Answer Questions.
g. Answer the questions.
h. Select Score Lab.

7.4.10 Secure Access to a Switch 2

Lab Report
Time Spent: 04:25

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Create the GameConsoles ACL

- Create a MAC-based access control

- Bind the GameConsoles ACL to all of the interfaces

- Save the configuration

EXPLANATION
While completing this lab, use the following information:

Configure the GameConsoles MAC-based access control entry (ACE) settings as follows:

Priority   Action   Destination MAC Address   Source MAC Address
1          Deny     Any                       Value: 00041F111111   Mask: 000000111111
2          Deny     Any                       Value: 005042111111   Mask: 000000111111
3          Deny     Any                       Value: 000D3A111111   Mask: 000000111111
4          Deny     Any                       Value: 001315111111   Mask: 000000111111
5          Deny     Any                       Value: 0009BF111111   Mask: 000000111111
6          Deny     Any                       Value: 00125A111111   Mask: 000000111111

Complete this lab as follows:

1. Create the GameConsoles ACL.
a. From the Getting Started page, under Quick Access, select Create MAC-Based ACL.
b. Select Add.
c. In the ACL Name field, enter GameConsoles.
d. Select Apply and then select Close.
2. Create a MAC-based access control.
a. Select MAC-Based ACE Table.
b. Select Add.
c. Enter the priority.
d. Select the action.
e. For Destination MAC Address, make sure Any is selected.
f. For Source MAC Address, select User Defined.
g. Enter the source MAC address value.
h. Enter the source MAC address mask.
i. Select Apply.
j. Repeat steps 2c–2i for the remaining ACE entries.
k. Select Close.
3. Bind the GameConsoles ACL to all of the interfaces.
a. From the left pane, under Access Control, select ACL Binding (Port).
b. Select GE1.
c. At the bottom of the window, select Edit.
d. Select Select MAC-Based ACL.
e. Select Apply and then select Close.
f. Select Copy Settings.
g. In the Copy configuration's to field, enter 2-30.
h. Select Apply.
4. Save the Configuration.
a. From the top of the window, select Save.
b. Under Source File Name, make sure Running configuration is selected.
c. Under Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
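To see what the Value/Mask pairs in the table above actually match once the ACL is bound, here is an added example (not TestOut's code) that evaluates a MAC-based ACL built from the lab's six ACEs. It assumes the wildcard-mask convention Cisco's small business switch documentation gives for ACEs: a 0 bit in the mask means that bit of the frame's address must equal the Value, a 1 bit means don't care; the test MAC addresses are constructed.

```python
"""Evaluate a MAC-based ACL like the GameConsoles ACL built in the lab above.

Added example, not TestOut's code. The six ACEs are the lab's table values.
Mask convention assumed here (the one Cisco's small business switch
documentation gives for ACE wildcard masks): a 0 bit in the mask means that
bit of the frame's address must equal the Value; a 1 bit means don't care.
"""
from dataclasses import dataclass
from typing import Optional

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Accept 00041F111111, 00:04:1F:11:11:11 or 0004.1f11.1111."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def field_matches(addr: str, value: Optional[str], mask: str) -> bool:
    """True if `addr` equals `value` on every bit the mask does not wildcard."""
    if value is None:          # "Any" in the ACE table
        return True
    care = ~mac_to_int(mask) & MAC_BITS
    return (mac_to_int(addr) ^ mac_to_int(value)) & care == 0


@dataclass(frozen=True)
class MacAce:
    priority: int
    action: str                      # "Deny" or "Permit"
    src_value: Optional[str]         # None = Any
    src_mask: str = "000000000000"
    dst_value: Optional[str] = None  # None = Any (as in the lab's table)
    dst_mask: str = "000000000000"

    def matches(self, src_mac: str, dst_mac: str) -> bool:
        return (field_matches(src_mac, self.src_value, self.src_mask)
                and field_matches(dst_mac, self.dst_value, self.dst_mask))


# The lab's GameConsoles ACEs: destination Any, source Value/Mask from the table.
GAME_CONSOLES = [
    MacAce(1, "Deny", "00041F111111", "000000111111"),
    MacAce(2, "Deny", "005042111111", "000000111111"),
    MacAce(3, "Deny", "000D3A111111", "000000111111"),
    MacAce(4, "Deny", "001315111111", "000000111111"),
    MacAce(5, "Deny", "0009BF111111", "000000111111"),
    MacAce(6, "Deny", "00125A111111", "000000111111"),
]


def evaluate(acl, src_mac: str, dst_mac: str = "FFFFFFFFFFFF"):
    """Walk the ACEs in priority order; the first match decides.
    Returns (action, priority), or None when no ACE matched (the switch's own
    default for unmatched frames then applies)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(src_mac, dst_mac):
            return ace.action, ace.priority
    return None


if __name__ == "__main__":
    # Constructed test addresses: an exact hit, a hit on wildcarded bits only,
    # a same-OUI miss on a non-wildcarded bit, and a different OUI.
    for mac in ("00:04:1F:11:11:11", "00:04:1F:00:00:00",
                "00:04:1F:22:00:00", "02:00:00:00:00:01"):
        print(mac, "->", evaluate(GAME_CONSOLES, mac))
```

Note what the arithmetic shows: with a mask byte of 0x11, only bits 0 and 4 of that byte are wildcarded, so a same-OUI address that differs in any other bit of the last three bytes does not match the ACE.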

7.4.6 Disable Switch Ports - GUI

Lab Report
Time Spent: 01:30

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Disable port 15

- Copy GE15 settings to ports 18 and 21-27

- Save configuration settings to the startup configuration file

EXPLANATION
Complete this lab as follows:

1. Log in to the Cisco switch.
a. In the Google Chrome URL field, enter [Link] and press Enter.
b. Maximize the window for better viewing.
c. In the Username and Password fields, enter cisco (case sensitive).
d. Select Log In.
2. Disable port GE15.
a. From the left navigation bar, expand and select Port Management > Port Settings.
b. Select GE15 (port 15) and then select Edit.
c. For Administrative Status, select Down.
d. Select Apply.
e. Select Close.
3. Copy GE15 port settings to ports 18 and 21-27.
a. Select GE15 and then select Copy Settings.
b. Type 18,21-27 in the To: field.
c. Select Apply.
4. Save the changes to the switch's startup configuration file.
a. From the upper right of the switch window, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
f. Select Done.

7.4.8 Harden a Switch

Lab Report
Time Spent: 03:11

Score: 2/2 (100%) Pass Passing Score: 2/2 (100%)

TASK SUMMARY

Required Actions

- Disable the unused ports

- Configure Port Security settings for the used ports

EXPLANATION
While completing this lab, use the following information:

Unused Ports   Used Ports
GE2            GE1
GE7            GE3-GE6
GE9-GE20       GE8
GE25           GE21-GE24
GE27-GE28      GE26

Complete this lab as follows:

1. Shut down the unused ports.
a. Under Initial Setup, select Configure Port Settings.
b. Select the GE2 port.
c. Scroll down and select Edit.
d. For Administrative Status, select Down.
e. Scroll down and select Apply.
f. Select Close.
g. With the GE2 port selected, scroll down and select Copy Settings.
h. In the Copy configuration field, enter the remaining unused ports. Use the examples shown in the UI as a guide.
i. Select Apply.
In the Port Setting Table, the Port Status column now shows all of the unused ports as down.
2. Configure the Port Security settings.
a. From the left menu, expand and select Security > Port Security.
b. Select the GE1 port.
c. Scroll down and select Edit.
d. For Interface Status, select Lock.
e. For Learning Mode, make sure Classic Lock is selected.
f. For Action on Violation, make sure Discard is selected.
g. Select Apply.
h. Select Close.
i. Scroll down and select Copy Settings.
j. Enter the remaining used ports. Use the examples shown in the UI as a guide.
k. Select Apply.
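The two hardening steps above depend on the port plan being complete: a port that appears in neither list stays enabled and unlocked, and a port listed in both will end up in whichever state was applied last. The following added example (written for this page, not part of the TestOut lab or of any switch vendor's software) parses the lab's port table and the Copy Settings field syntax ("18,21-27"), checks that all 28 ports are classified exactly once, and then emits equivalent per-interface commands. The 28-port size and the IOS-style command syntax are assumptions used for illustration; the lab configures the switch through its web UI.

```python
"""
Added example: validate a used/unused port plan and emit hardening commands.
Assumptions: a 28-port switch (GE1..GE28) and an illustrative IOS-style CLI.
"""
import re

PORT_COUNT = 28  # assumption: the lab's table runs GE1..GE28

# Port ranges as given in the lab's table.
UNUSED = "GE2, GE7, GE9-GE20, GE25, GE27-GE28"
USED = "GE1, GE3-GE6, GE8, GE21-GE24, GE26"


def expand_ports(spec: str) -> set[int]:
    """Expand 'GE2, GE9-GE20' or the UI's '18,21-27' form into port numbers."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(?:GE)?(\d+)(?:-(?:GE)?(\d+))?", item)
        if m is None:
            raise ValueError(f"bad port spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < 1 or hi > PORT_COUNT:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def validate_plan(used: str, unused: str) -> dict:
    """Report ports listed twice or not at all, before anything is applied."""
    u, n = expand_ports(used), expand_ports(unused)
    every_port = set(range(1, PORT_COUNT + 1))
    return {
        "overlap": sorted(u & n),                    # in both lists
        "unclassified": sorted(every_port - u - n),  # would stay up and unlocked
    }


def build_config(used: str, unused: str) -> list[str]:
    """Shut down unused ports and lock used ports (illustrative CLI syntax)."""
    problems = validate_plan(used, unused)
    if problems["overlap"] or problems["unclassified"]:
        raise ValueError(f"port plan is inconsistent: {problems}")
    lines: list[str] = []
    for p in sorted(expand_ports(unused)):
        lines += [f"interface GE{p}", " shutdown", "!"]
    for p in sorted(expand_ports(used)):
        lines += [
            f"interface GE{p}",
            " port security mode lock",  # Classic Lock: only currently learned MACs
            " port security discard",    # Action on Violation: Discard
            "!",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(USED, UNUSED)))
```

Run the validation before pasting anything into a switch; the lab's two lists cover all 28 ports exactly once, so `validate_plan` returns two empty lists for them.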
7.4.9 Secure Access to a Switch

Lab Report
Time Spent: 04:11

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Create an access profile to restrict management access
- Add a profile rule
- Set the active access profile
- Save changes to the startup configuration

EXPLANATION
Complete this lab as follows:

1. Create and configure an Access Profile named MgtAccess.


a. From the left pane, expand and select Security > Mgmt Access Method > Access Profiles.
b. Select Add.
c. Enter the Access Profile Name of MgtAccess.
d. Enter the Rule Priority of 1.
e. For Action, select Deny.
f. Select Apply and then select Close.
2. Add a profile rule to the MgtAccess profile.
a. From the left pane, under Security > Mgmt Access Method, select Profile Rules.
b. From the right pane, select the MgtAccess profile and then select Add.
c. Enter a Rule Priority of 2.
d. For Management Method, select HTTP.
e. For Applies to Source IP Address, select User Defined.
f. For IP Address, enter [Link].
g. For Mask, enter a Network Mask of [Link].
h. Select Apply and then select Close.
3. Set the MgtAccess profile as the active access profile.
a. From the left pane, under Security > Mgmt Access Method, select Access Profiles.
b. Use the Active Access Profile drop-down list to select MgtAccess.
c. Select Apply.
d. Select OK.
4. Save the changes to the switch's startup configuration file.
a. At the top, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
7.5.10 Configure QoS

Lab Report
Time Spent: 15:41

Score: 8/8 (100%) Pass Passing Score: 8/8 (100%)

TASK SUMMARY

Required Actions & Questions

- Create an alias
- Use the Traffic Shaper wizard for dedicated links using one WAN connection
- Configure the Traffic Shaper
- Prioritize voice over IP traffic
- Enable and configure a penalty box
- Raise and lower the applicable application's priority
- Q1: How many firewall rules were created?
- Change the port number used for the MSRDP outbound rule

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.


a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (0 = zero).
c. Select SIGN IN or press Enter.
2. Create a high bandwidth usage alias.
a. From the pfSense menu bar, select Firewall > Aliases.
b. Select Add.
c. Configure the Properties as follows:
Name: HighBW
Description: High bandwidth users
Type: Host(s)
d. Add the IP addresses of the offending computers to the host(s) configuration as follows:
Under Host(s), in the IP or FQDN field, enter [Link] for Vera's system.
Select Add Host.
In the new IP or FQDN field, enter [Link] for Paul's system.
e. Select Save.
f. Select Apply Changes.
3. Start the Traffic Shaper wizard for dedicated links.
a. From the pfSense menu bar, select Firewall > Traffic Shaper.
b. Under the Firewall bread crumb, select Wizards.
c. Select traffic_shaper_wizard_dedicated.xml.
d. Under Traffic Shaper wizard, in the Enter number of WAN type connections field, enter 1 and then select
Next.
4. Configure the Traffic Shaper.
a. Make sure you are on Step 1 of 8.
b. Using the drop-down menu for the upper Local interface, select GuestWi-Fi.
c. Using the drop-down menu for lower Local interface, make sure PRIQ is selected.
d. For the upper Upload field, enter 8.
e. Using the drop-down menu for the lower Upload field, select Mbit/s.
f. For the top Download field, enter 50.
g. Using the drop-down menu for the lower Download field, select Mbit/s.
h. Select Next.
5. Prioritize voice over IP traffic.
a. Make sure you are on Step 2 of 8.
b. Under Voice over IP, select Enable to prioritize the voice over IP traffic.
c. Under Connection #1 parameters, in the Upload rate field, enter 10.
d. Using the drop-down menu for the top Units, select Mbit/s.
e. For the Download rate, enter 20.
f. Using the drop-down menu for the bottom Units, select Mbit/s.
g. Select Next.
6. Enable and configure a penalty box.
a. Make sure you are on Step 3 of 8.
b. Under Penalty Box, select Enable to enable the penalize IP or alias option.
c. In the Address field, enter HighBW. This is the alias created earlier.
d. For Bandwidth, enter 3.
e. Select Next.
7. Continue to step 6 of 8.
a. For Step 4 of 8, scroll to the bottom and select Next.
b. For Step 5 of 8, scroll to the bottom and select Next.
8. Raise and lower the applicable application's priority.
a. Make sure you are on Step 6 of 8.
b. Under Raise or lower other Applications, select Enable to enable other networking protocols.
c. Under Remote Service / Terminal emulation, use the:
MSRDP drop-down menu to select Higher priority.
VNC drop-down menu to select Higher priority.
d. Under VPN:
Use the PPTP drop-down menu to select Higher priority.
Use the IPSEC drop-down menu to select Higher priority.
e. Scroll to the bottom and select Next.
f. For step 7 of 8, select Finish.
Wait for the reload status to indicate that the rules have been created (look for Done).
9. View the floating rules created for the firewall.
a. Select Firewall > Rules.
b. Under the Firewall breadcrumb, select Floating.
c. From the top right, select Answer Questions.
d. Answer the question and then minimize the question dialog.
10. Change the port number used for the MSRDP outbound rule.
a. For the m_Other MSRDP outbound rule, select the edit icon (pencil).
b. Under Edit Firewall Rule, in the Interface field, select GuestWi-Fi.
c. Under Destination, use the Destination Port Range drop-down menu to select Other.
d. In both Custom fields, enter 3391.
e. Select Save.
f. Select Apply Changes.
g. From the top right, select Answer Questions.
h. Select Score Lab.

7.6.4 Configure NAT

Lab Report
Time Spent: 06:28

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Configure NAT port forwarding for the administrator's PC
- Configure NAT port forwarding for the Kali Linux server
- Configure NAT port forwarding for the web server

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.


a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Configure NAT port forwarding for the PC1 computer.
a. From the pfSense menu bar, select Firewall > NAT.
b. Select Add (either one).
c. Configure or verify the following settings:
Interface: LAN
Protocol: TCP
Destination type: LAN address
Destination port range (From and To): MS RDP
Redirect target IP: [Link]
Redirect target port: MS RDP
Description: RDP from LAN to PC1
d. Select Save.
3. Configure NAT port forwarding for the Kali Linux server.
a. Select Add (either one).
b. Configure or verify the following settings:
Interface: LAN
Protocol: TCP
Destination type: LAN address
Destination port range (From and To): SSH
Redirect target IP: [Link]
Redirect target port: SSH
Description: SSH from LAN to Kali
c. Select Save.
4. Configure NAT port forwarding for the web server.
a. Select Add (either one).
b. Configure or verify the following settings:
Interface: LAN
Protocol: TCP
Destination type: LAN address
Destination port range (From and To): Other
Custom (From and To) 5151
Redirect target IP: [Link]
Redirect target port: Other 5151
Description: RDP from LAN to web server using custom port
c. Select Save.
d. Select Apply Changes.
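pfSense evaluates port forwards top-down and the first match wins, so a second rule for the same interface, protocol and destination port is silently never used. The added example below (written for this page; it is not pfSense code and not part of the lab) models the three forwards from this lab, resolves an inbound connection to its redirect target, and flags shadowed rules. The target addresses are placeholders, since the lab redacts them, and the rule list is constructed data. One practitioner caveat the lab does not spell out: the custom port 5151 keeps the web server's RDP out of default scans, but it is not an access control; only the host's authentication and the firewall rule's source restrictions are.

```python
"""
Added example: a minimal model of pfSense-style port forwards.
Placeholder target IPs; 'lab_rules' is constructed to mirror the lab.
"""
from dataclasses import dataclass

RDP, SSH = 3389, 22  # well-known ports behind the UI's "MS RDP" and "SSH" aliases


@dataclass(frozen=True)
class Forward:
    interface: str
    proto: str
    dst_port: int      # port clients connect to on the firewall
    target_ip: str
    target_port: int   # port the connection is redirected to
    description: str = ""


def resolve(rules, interface, proto, dst_port):
    """Return (target_ip, target_port) for the first matching rule, or None."""
    for r in rules:
        if (r.interface, r.proto, r.dst_port) == (interface, proto, dst_port):
            return (r.target_ip, r.target_port)
    return None


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already claims the tuple."""
    seen, shadowed = set(), []
    for r in rules:
        key = (r.interface, r.proto, r.dst_port)
        if key in seen:
            shadowed.append(r)
        seen.add(key)
    return shadowed


# Constructed to mirror the lab's three forwards (IP addresses are placeholders).
lab_rules = [
    Forward("LAN", "TCP", RDP, "10.10.10.11", RDP, "RDP from LAN to PC1"),
    Forward("LAN", "TCP", SSH, "10.10.10.12", SSH, "SSH from LAN to Kali"),
    Forward("LAN", "TCP", 5151, "10.10.10.13", 5151,
            "RDP from LAN to web server using custom port"),
]

if __name__ == "__main__":
    print(resolve(lab_rules, "LAN", "TCP", 5151))
    print("shadowed:", shadowed_rules(lab_rules))
```

Running `shadowed_rules` over an exported rule set is a cheap check to add to a change review: a duplicate forward is easy to create by pressing Add twice and hard to spot in the UI.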

8.1.3 Configure an iSCSI Target

Lab Report
Time Spent: 02:42

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Create an iSCSI virtual disk
- Assign a new iSCSI target
- Add CorpFiles16 as an access server

EXPLANATION
Complete this lab as follows:

1. Access the New iSCSI Virtual Disk Wizard.


a. From the left pane of Server Manager, select File and Storage Services.
b. Select iSCSI.
c. In the iSCSI VIRTUAL DISKS panel, use the TASK drop-down to select New iSCSI Virtual Disk.
2. Create the virtual disk and assign it to a new iSCSI target.
a. Under Server, make sure CorpiSCSI is selected.
b. Under Select by volume, select D: and then select Next.
c. In the Name field, enter iSCSIDisk1 for the virtual disk and then select Next.
d. In the Size field, enter 5 for the virtual disk size and then use its drop-down to select TB.
e. Make sure Dynamically expanding is selected and then select Next.
f. Make sure New iSCSI target is selected and then select Next.
g. In the Name field, enter iSCSITarget1 for the iSCSI target and then select Next.
3. Specify the iSCSI initiator that will access your iSCSI virtual disk.
a. Select Add.
b. Make sure Query initiator computer for ID is selected.
c. For the above option, select Browse to locate the server that will be allowed to access the iSCSI disk.
d. In the Enter the object names to select field, enter the server name and then click OK.
e. Select OK.
f. Select Next.
4. Complete the creation of the virtual disk using the default options.
a. Select Next.
b. Select Create.
c. Select Close.

To view the iSCSI virtual disk and target you just created, expand the Server Manager window.

8.1.4 Configure an iSCSI Initiator

Lab Report
Time Spent: 02:58

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Connect to the iSCSI target server
- Bring the disk online
- Create a volume with the iSCSI disk

EXPLANATION
Complete this lab as follows:

1. Access the CorpFiles16 server.


a. From Hyper-V Manager, select CORPSERVER.
b. Maximize the window to view all virtual machines.
c. Double-click CorpFiles16 to connect to the computer.
2. Using the iSCSI Initiator, discover and log on to the target server.
a. From Server Manager on CorpFiles16, select Tools > iSCSI Initiator.
b. In the Target field, enter CorpiSCSI as the target server.
c. Select Quick Connect and verify that a target was added to the Discovered targets pane.
d. Select Done.
e. Select OK to close the iSCSI Initiator Properties window.
3. Bring the iSCSI disk online.
a. From the left pane of Server Manager, select File and Storage Services.
b. Select Disks.
c. Maximize the Server Manager window for better viewing.
d. In the DISKS panel, find the Bus Type column and select the iSCSI disk.
e. Right-click the iSCSI disk and select Bring Online.
f. Select Yes to confirm.
4. Create a new volume for the iSCSI disk.
a. Right-click the iSCSI disk and select New Volume.
b. Click Next to begin the New Volume Wizard.
c. Under Disk, select Disk 2 and then select Next.
d. Make sure the Volume size is using the maximum capacity available and then select Next.
e. Change Drive letter to G and then select Next.
f. Make sure NTFS is selected as the file system.
g. For the Volume label field, use iSCSI as the name of the volume and then select Next.
h. Select Create.
i. After the volume is created, select Close.

8.2.3 Connect VoIP 1

Lab Report
Time Spent: 05:49

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Connect the IP phone in the Lobby
- Plug the Exec workstation and monitor into the surge protector
- Connect the IP phone in the Executive Office
- Ensure that the workstation in the Executive Office is connected to the network and the internet

EXPLANATION
Complete this lab as follows:

1. Connect the IP phone in the Lobby to the network.


a. Under Lobby, select Hardware.
b. Under Shelf, expand Phones.
c. For the IP phone shown, select Details and then select Specifications.
Make note of the port options.
d. Close the IP phone details window.
e. Drag the IP phone to the Workspace.
f. Above the IP phone, select Back to switch to the back view of the phone.
g. Under Shelf, expand Cables.
h. Drag Cat5e Cable, RJ45 to the LAN port on the phone.
i. From the Selected Component pane, drag the unconnected RJ45 Connector to the Ethernet port on
the wall outlet.
j. Under Shelf, select the Power Adapter.
k. From the Select Connector window:
Drag the DC Power Connector to the DC power connector on the phone.
Drag the AC Power Adapter to the wall outlet.
l. Above the IP phone, select Front to switch to the front view of the phone. Confirm that the phone's
display is on.
2. Connect the Exec workstation and its monitor to a surge protector.
a. From the top left, select Floor 1 Overview.
b. Under Executive Office, select Exec.
c. Right-click Start.
d. Select Shut down or sign out > Shut down.
e. Under Shelf, expand Outlets.
f. Drag the Surge Protector to the Workspace.
g. Drag both AC Power plugs from the wall outlet to an open outlet on the surge protector.
h. Select the Surge Protector.
i. From the Selected Component pane, drag the AC Power Connector (Male) to an open plug on the wall
outlet.
3. Connect the IP phone in the Executive Office to the network.
a. Under Shelf, expand Phones.
b. Drag the IP phone to the Workspace.
c. Above the IP phone, select Back to switch to the back view of the phone.
d. Under Shelf, expand Cables.
e. Drag Cat5e Cable, RJ45 to the LAN port on the phone.
f. From the Selected Component pane, drag the unconnected RJ45 Connector to the Ethernet port on
the wall outlet.
g. Above the workstation, select Back to switch to the back view of the workstation.
h. From the Shelf, drag Cat5e Cable, RJ45 to the PC port on the phone.
i. In the Selected Component pane, drag the unconnected RJ45 Connector to the workstation's NIC.
4. Provide power to the IP phone.
a. Under Shelf, select the Power Adapter.
b. From the Selected Component pane:
Drag the DC Power Connector to the back of the phone.
Drag the AC Power Adapter to an open plug on the surge protector.
c. Above the IP phone, select Front to switch to the front view of the phone. Confirm that the phone's
display is on.
5. Power on the workstation and confirm that it has a connection to the network and the internet.
a. Above the workstation, select Front.
b. Select the monitor's power button.
c. Select the computer's power button.
The computer is automatically signed into Windows 10.
d. Right-click Start and then select Settings.
e. Select Network & Internet.
From the Status view, the diagram should indicate an active connection to the [Link] network
and the internet.

8.2.4 Connect VoIP 2

Lab Report
Time Spent: 01:16

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

- Disconnect the AC adapter from the IP phone in the Lobby and place it on the Shelf
- Disconnect the AC adapter from the IP phone in the Executive Office and place it on the Shelf
- Add an IP phone to the Support Office
- Confirm that the Support workstation is connected to the internet

EXPLANATION

Complete this lab as follows:

1. From the Lobby, disconnect the AC/DC adapter from the IP phone and the wall.
a. Under Lobby, select Hardware.
b. Above the IP phone, select Back to switch to the back view of the phone.
c. Drag the DC power connector from the phone to the Shelf.
d. Drag the AC power plug from the wall outlet to the Shelf.
e. Above the IP phone, select Front to switch to the front view of the phone and confirm it is on.
2. From the Executive Office, disconnect the AC/DC adapter from the IP phone and the wall.
a. From the top left, select Floor 1 Overview.
b. Under Executive Office, select Hardware.
c. Above the IP phone, select Back to switch to the back view of the phone.
d. Drag the DC power connector from the phone to the Shelf.
e. Drag the AC power plug from the wall outlet to the Shelf.
f. Above the IP phone, select Front to switch to the front view of the phone and confirm it is on.
3. From the Support Office, connect an IP phone.
a. From the top left, select Floor 1 Overview.
b. Under Support Office, select Hardware.
c. Under Shelf, expand Phones.
d. Drag the IP Phone to the Workspace.
e. Above the IP phone, select Back to switch to the back view of the phone.
f. Above the workstation, select Back to switch to the back view of the workstation.
g. Drag the RJ45 Ethernet cable from the workstation to the LAN port (top port) on the IP phone.
h. Under Shelf, expand Cables and then select Cat5e Cable, RJ45.
i. From the Selected Component pane:
Drag an RJ45 Connector to the PC port on the phone.
Drag the other unconnected RJ45 Connector to the NIC on the workstation.

4. Make sure the Support computer is still connected to the internet.


a. On the Support monitor, select Click to view Linux.
b. From the favorites bar, select Terminal.
c. From the terminal, type ping -c4 [Link] (the ISP) and press Enter.

8.6.4 Configure Smart Devices

Lab Report
Time Spent: 12:27

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Configure the devices in the Lobby
- Install and configure the thermostat in the Main Hall
- Configure the smart devices in Office 1

EXPLANATION
While completing this lab, use the following information:

Smart device and pairing codes:

Room        Smart Device         Pairing Code
Lobby       Smart Light Switch   6718471173
Lobby       Smart Lock           6339057209
Lobby       Smart Assistant      4377043770
Lobby       Lobby Camera         1533705506
Main Hall   Smart Thermostat     1753016434
Office 1    Smart Outlet         1234567890
Office 1    Office Camera        1533705434

Complete this lab as follows:

1. In the TestOut Home app, create rooms for the devices.


a. From the iPad, select TestOut Home.
b. In the left corner, select the hamburger menu icon (3-lines) and then select New Room.
c. In the Room Name field, enter the name of the room.
d. Select Save.
e. Repeat steps 1b–1d to create additional rooms.
2. Configure the devices in the Lobby.
a. Select the arrow (>) on the right side of the screen to move to the Lobby room you created.
b. From the Lobby page, in the right corner, select + to add a smart device to the room.
c. In the Pairing Code field, enter the pairing code for the device you wish to add.
d. Select the smart device.
e. Select Add Device.
f. Repeat steps 2b–2e until you've added all the devices for that room.
g. Select Smart Camera to verify that the camera is working.
h. Select Done.
i. Select Smart Light Switch to turn the light on.
j. Select Smart Lock Switch to lock the doors.
3. Configure the Main Hall smart devices.
a. Select the arrow (>) on the right side of the screen to move to the Main Hall room you created.
b. From the Main Hall page, in the right corner, select + to add a smart device to the room.
c. In the Pairing Code field, enter 1753016434 for the Smart Thermostat device.
d. Select the Smart Thermostat.
e. Select Add Device.
f. Select Smart Thermostat Temperature to modify the temperature.
g. Under Cooling, select Down until the temperature reaches 72 degrees.
h. Select Done.
4. Configure the Office 1 smart devices.
a. Select the arrow (>) on the right side of the screen to move to the Office 1 room you created.
b. From the Office 1 page, in the right corner, select + to add a smart device to the room.
c. In the Pairing Code field, enter the pairing code for the device you wish to add.
d. Select the smart device.
e. Select Add Device.
f. Repeat steps 4b–4e until you've added all the devices for that room.
g. Select Smart Camera to verify that the camera is working.
h. Select Done.
i. Select the Smart Outlet Switch to set it to ON.

8.6.7 Scan for IoT Devices

Lab Report
Time Spent: 01:28

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions & Questions

- Scan [Link]
- Q1: What is the name of the IoT device with the IP address of [Link]?
- Q2: How many issues exist for the device with the IP address of [Link]?
- Search for issues using IP range
- Q3: In the IP address range of [Link] through [Link], which IP addresses had issues?

EXPLANATION

Complete this lab as follows:

1. Run a Security Evaluator report for [Link].


a. From the taskbar, select Security Evaluator.
b. Next to Target, select the Target icon to select a new target.
c. Select IPv4 Address.
d. Enter [Link] as the IP address.
e. Select OK.
f. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation.
g. From the top right, select Answer Questions.
h. Answer Questions 1 and 2.
2. Run a Security Evaluator report for an IP range of [Link] through [Link].
a. From Security Evaluator, select the Target icon to select a new target.
b. Select IPv4 Range.
c. In the left field, type [Link] as the beginning IP address.
d. In the right field, type [Link] as the ending IP address.
e. Select OK.
f. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation.
g. Answer Question 3.
h. Select Score Lab.

9.2.5 Create a Home Wireless Network

Lab Report
Time Spent: 05:20

Score: 6/6 (100%) Pass Passing Score: 6/6 (100%)

TASK SUMMARY

Required Actions

- Place the 802.11b/g/n wireless access point on the computer desk
- Connect the wireless access point to the existing router on the rack using a Cat 5e cable
- Provide power to the wireless access point
- On the laptop, slide the wireless switch to turn the integrated wireless network interface card on
- On the laptop, connect to the AC1750 wireless network
- Save the wireless profile on the laptop

EXPLANATION
Complete this lab as follows:

1. Add the wireless access point to the workspace.


a. Under Shelf, expand Wireless Access Points.
b. Drag the Wireless Access Point, 802.11b/g/n wireless access point to the workspace.
For convenience, place the access point next to the existing router.
c. Above the router, select Back to view the back of the router.
d. Above the access point, select Back to view the back of the wireless access point.
2. Connect power to the wireless access point.
a. Under Shelf, expand Cables.
b. Select Power Adapter, AC to DC.
c. From the Selected Component pane:
Drag the DC power connector to the port on the wireless access point.
Drag the AC power adapter end to an empty outlet on the wall outlet or the surge protector.

3. Connect the Ethernet cable to the wireless access point and existing router.
a. Under Shelf, select the Cat6a Cable, RJ45 Ethernet cable.
b. From the Selected Component pane:
Drag an RJ45 Ethernet connector to the back of the access point.
Drag the unconnected RJ45 Ethernet connector to one of the free LAN ports on the router.

4. Configure the homeowner's new laptop to connect to the wireless network.


a. From the front of the laptop, slide the wireless switch to the ON position (right) to enable the
integrated wireless network interface.
b. On the Home-Laptop monitor, select Click to view Windows 10.
c. In the notification area, select the wireless networking icon.
d. Select the AC1750 wireless network.
e. Make sure Connect automatically is selected and then select Connect.
f. Select Yes to make your PC discoverable on the network.

To confirm the connection, right-click the wireless networking icon in the notification area again
and select Open Network & Internet settings. The image on the Status page shows a
connection to the internet.

9.2.6 Secure a Home Wireless Network

Lab Report
Time Spent: 05:03

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Change the Wireless Network Name (SSID) to PoliceVan
- Configure the wireless security settings
- Change the wireless access point's default administrator authentication credentials

EXPLANATION
Complete this lab as follows:

1. Access, and sign into, the TPLink-AC1750 wireless access point.


a. In the URL field of Google Chrome, enter [Link] and press Enter.
b. Maximize Google Chrome for easier viewing.
c. From the top menu bar, select the Wireless tab.
d. Enter the sign in credentials:
Username: admin
Password: password
e. Select Sign In.
2. Change the Wireless Network Name (SSID) to PoliceVan.
a. Make sure the Wireless submenu of Basic Settings is selected.
b. Under Wireless Interface wlan0, change the Wireless Network Name (SSID) to PoliceVan.
c. Scroll down and select Apply Settings.
3. Configure the wireless security settings.
a. From the submenu bar, select the Wireless Security tab.
b. For Wireless Mode, use the drop-down list to select WPA.
c. Under Networking, select WPA2 Personal.
d. Under WPA Algorithms, select CCMP-128 AES.
e. In the WPA Shared Key field, enter 4WatchingU.
f. (Optional) Select Unmask to verify your new shared key.
g. Scroll to the bottom and select Apply Settings.
4. Change the wireless access point's administration authentication credentials.
a. From the top menu bar, select the Administration tab.
b. Make sure the Management submenu is selected.
c. Change the Router Password settings as follows:
Router Username: @dm1n
Router Password: StayOut! (O is the capital letter O).
Re-enter to confirm: StayOut! (O is the capital letter O).
d. Scroll to the bottom and select Apply Settings.
e. Select Save.
f. Select Reboot Router.
g. When prompted, select Continue.
5. Configure the laptop to connect to the wireless network and save the wireless profile settings.
a. From the top left, select Computer Desk.
b. On the Home-Laptop monitor, select Click to view Windows 10.
c. Select the Network icon.
d. Select PoliceVan.
e. Make sure Connect automatically is selected.
f. Select Connect.
g. Enter 4WatchingU (the passphrase).
h. Select Next.
i. Select Yes to make your PC discoverable on the network.
j. From the Notification area of the taskbar, right-click the network icon and select Network & Internet
settings to confirm the connection.
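Steps 3 and 5 configure the same two values on both ends: the SSID and the WPA2 shared key. What the access point and the laptop actually agree on is a 256-bit pre-shared key derived from them, and the derivation is fixed by the IEEE 802.11 standard: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations and a 32-byte output. The added example below (written for this page, not code from the lab or from any vendor) computes that PSK for the lab's SSID and passphrase and enforces the standard's passphrase rules (8 to 63 printable ASCII characters). The function names are illustrative; the "password"/"IEEE" vector used in the check is the standard's published test vector.

```python
"""
Added example: WPA2-Personal PSK derivation (IEEE 802.11, PBKDF2-HMAC-SHA1).
Illustrative function names; SSID/passphrase values below are the lab's.
"""
import hashlib

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63  # limits set by the standard


def check_passphrase(passphrase: str) -> None:
    """Reject passphrases the standard does not allow (length, non-printable ASCII)."""
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError(
            f"passphrase must be {PASSPHRASE_MIN}-{PASSPHRASE_MAX} characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # The values configured in this lab: SSID PoliceVan, shared key 4WatchingU.
    print(wpa2_psk("PoliceVan", "4WatchingU").hex())
```

Because the SSID is the salt, renaming the network away from a vendor default means precomputed tables for common SSIDs no longer apply, but that is a small gain: 4096 iterations of HMAC-SHA1 are cheap on a GPU, so passphrase length and unpredictability are what actually resist an offline attack on a captured handshake.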

9.2.7 Configure Wireless Profiles

Lab Report
Time Spent: 01:05

Score: 6/6 (100%) Pass Passing Score: 6/6 (100%)

TASK SUMMARY

Required Actions

- Create the wireless profile for the PoliceVan network
- Use WPA2-Personal authentication
- Use AES encryption
- Use 4WatchingU for the security key
- Start the connection automatically if the network is detected
- Delete the out-of-date TrendNet-BGN wireless profile

EXPLANATION
Complete this lab as follows:

1. Manually create the wireless network profile on the laptop.


a. Right-click Start and then select Settings.
b. Select Network & Internet.
c. From the right pane, scroll down and select Network and Sharing Center.
d. Select Set up a new connection or network.
e. Select Manually connect to a wireless network and then click Next.
f. In the Network name field, enter PoliceVan.
g. Use the Security type drop-down menu to select WPA2-Personal.
h. Make sure the Encryption type is set to AES.
i. In the Security Key field, enter 4WatchingU.
j. Make sure Start this connection automatically is selected.
k. Select Connect even if the network is not broadcasting and then click Next.
l. Select Close.
m. Close the Network and Sharing Center.
2. Delete the out-of-date profile.
a. From the Settings app, select Wi-Fi.
b. Select Manage known networks.
c. Select the TrendNet-BGN profile.
d. Select Forget.

9.3.7 Design an Indoor Wireless Network

Lab Report
Time Spent: 01:44

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Install an omnidirectional AP in the Lobby
- Install a directional AP on the west wall of the IT Administration office
- Install a directional AP on the east wall of the Networking Closet

EXPLANATION
Only three WAPs are required to complete this lab (one omnidirectional WAP and two directional WAPs).
The following WAP configuration provides adequate coverage and reduces signal emanation.

Complete this lab as follows:

1. Under Shelf, expand Wireless Access Points.


2. Drag the Wireless Access Point (Indoor, omnidirectional Antenna) to the installation area in the Lobby.
3. Drag one Wireless Access Point (Indoor, directional Antenna) to the installation area on the west wall of
the IT Administration office.
4. Drag another Wireless Access Point (Indoor, directional Antenna) to the installation area on the east wall
of the Networking Closet.

9.3.8 Design an Outdoor Wireless Network

Lab Report
Time Spent: 02:23

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

- Install high-gain directional antennae on the roofs
- Provide better Wi-Fi coverage to Patio A
- Provide better Wi-Fi coverage to Patio B

EXPLANATION
Complete this lab as follows:

1. Install the High-gain Antenna (Directional) on buildings A and B.


a. Under Shelf, expand High-gain Antennas.
b. Drag the High-gain Antenna (Directional) to the installation area on the roof of Building A.
c. Drag the remaining High-gain Antenna (Directional) to the installation area on the roof of Building B.
2. Install the wireless access point for buildings A and B.
a. Under Shelf, expand Wireless Access Points.
b. Drag a Wireless Access Point (Outdoor) to the installation area on the roof of Building A.
c. Drag the remaining Wireless Access Point (Outdoor) to the installation area on the roof of Building B.
3. Install the antennas.
a. Under Shelf, expand WAP Antennas.
b. Drag the WAP Antenna (Directional) to one of the installed outdoor WAPs.
c. Drag the remaining WAP Antenna (Directional) to the other installed outdoor WAP.

9.4.4 Implement an Enterprise Wireless Network

Lab Report
Time Spent: 02:29

Score: 2/2 (100%) Pass Passing Score: 2/2 (100%)

TASK SUMMARY

Required Actions

- Create the CorpNet WLAN
- Connect Exec-Laptop to the CorpNet wireless network

EXPLANATION
Complete this lab as follows:

1. Access the Ruckus wireless controller tool.


a. In the Google Chrome URL field, enter [Link] and press Enter.
b. Maximize Google Chrome.
c. Log in to the wireless controller console using:
Admin Name: admin
Password: password.
d. Select Login.
2. Create a WLAN on the wireless controller.
a. Select the Configure tab.
b. From the left menu, select WLANs.
c. Under WLANs, select Create New.
d. In the Name field, enter CorpNet Wireless.
e. In the ESSID field, enter CorpNet.
f. For Type, make sure Standard Usage is selected.
g. Under Authentication Options, make sure the Open method is selected.
h. Under Encryption Options/Method, select WPA2.
i. Under Encryption Options/Algorithm, make sure AES is selected.
j. In the Passphrase field, enter @CorpNetWeRSecure!
Note that Open authentication combined with a WPA2 passphrase is WPA2-Personal: every client shares the same pre-shared key, and no per-user (802.1X/RADIUS) authentication takes place.
k. Select OK.
3. Connect the Exec-Laptop to the new wireless network.
a. From the top left, select Floor 1.
b. Under Executive Office, select Exec-Laptop.
c. In the Notification area of the taskbar, select the wireless network icon to view the available networks.
d. Select CorpNet.
e. Select Connect.
f. Enter @CorpNetWeRSecure! for the security key and then select Next.
g. Click Yes to make the computer discoverable on the network. Wait for the connection to be made.

9.5.10 Configuring a Captive Portal

Lab Report
Time Spent: 07:13

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

 Add a Captive Portal zone

 Enable and configure the Captive Portal

 Allow a MAC address to pass through the portal

 Allow an IP address to pass through the portal

EXPLANATION
Complete this lab as follows:

1. Sign in to the pfSense management console.
a. In the Username field, enter admin.
b. In the Password field, enter P@ssw0rd (zero).
c. Select SIGN IN or press Enter.
2. Add a Captive Portal zone.
a. From the pfSense menu bar, select Services > Captive Portal.
b. Select Add.
c. For Zone name, enter Guest_WiFi.
d. For Zone description, enter Zone used for the guest Wi-Fi.
e. Select Save & Continue.
3. Enable and configure the Captive Portal.
a. Under Captive Portal Configuration, select Enable.
b. For Interfaces, select GuestWi-Fi.
c. For Maximum concurrent connections, select 100.
d. For Idle timeout, enter 30.
e. For Hard timeout, enter 120.
f. Scroll down and select Per-user bandwidth restriction.
g. For Default download (Kbit/s), enter 8000.
h. For Default upload (Kbit/s), enter 2500.
i. Under Authentication, use the drop-down menu to select None, don't authenticate users.
j. Scroll to the bottom and select Save.
4. Allow a MAC address to pass through the portal.
a. From the Captive Portal page, select the Edit Zone icon (pencil).
b. Under the Services breadcrumb, select MACs.
c. Select Add.
d. Make sure the Action field is set to Pass.
e. For Mac Address, enter [Link].
f. Select Save.
5. Allow an IP address to pass through the portal.
a. Under the Services breadcrumb, select Allowed IP Addresses.
b. Select Add.
c. For IP Address, enter [Link].
d. Use the IP address drop-down menu to select 16. This sets the subnet mask to [Link].
e. For the Description field, enter Admin's Laptop.
f. Make sure Direction is set to Both.
g. Select Save.

9.5.12 Creating a Guest Network for BYOD

Lab Report
Time Spent: 10:30

Score: 4/4 (100%) Pass Passing Score: 4/4 (100%)

TASK SUMMARY

Required Actions

 Create a guest access service

 Create a guest WLAN

 Request a guest pass

 Connect to Guest_BYOD from Gst-Lap

EXPLANATION
Complete this lab as follows:

1. Open the Ruckus ZoneDirector.
a. In the Google Chrome URL field, enter [Link] and press Enter.
b. Maximize Google Chrome.
c. Log in using the following information:
Admin Name: WirelessAdmin (case sensitive).
Password: Adminsonly! (case sensitive).
d. Select Login.
2. Set up Guest Access Services.
a. Select the Configure tab.
b. From the left menu, select Guest Access.
c. Under Guest Access Service, select Create New.
d. In the Name field, use Guest_BYOD.
e. For Authentication, make sure Use guest pass authentication is selected.
f. For Terms of Use, select Show terms of use.
g. For Redirection, make sure Redirect to the URL that the user intends to visit is selected.
h. Expand Restricted Subnet Access.
i. Verify that [Link]/16 is listed.
j. Select OK.
3. Create a guest WLAN.
a. From the left menu, select WLANs.
b. Under WLANs, select Create New.
c. In the Name field, use Guest.
d. In the ESSID field, use Guest_BYOD.
e. For Type, select Guest Access.
f. Confirm the following settings are set:
Authentication Options: Open
Encryption Options: None
Guest Access Service: Guest_BYOD
g. For Wireless Client Isolation, select Isolate wireless client traffic from other clients on the same AP.
h. Select OK.
i. Close the Google Chrome browser.
4. Request a guest password.
a. Open a new Google Chrome browser window.
b. Maximize the window for better viewing.
c. In the URL field, enter [Link]/guestpass and press Enter.
d. Log in using the following information:
Admin Name: BYODAdmin (case sensitive).
Password: @dmin1s (case sensitive).
e. Select Log In.
f. In the Full Name field, enter any full name.
g. In the Key field, highlight the key and press Ctrl + C to copy the key.
h. Select Next.
5. Access the wireless Guest Access service from the guest laptop in the lobby.
a. From the top left, select Floor 1.
b. Under Lobby, select Gst-Lap.
c. In the Notification area, select the wireless network icon.
d. Select Guest_BYOD.
e. Select Connect.
f. Select Yes.
The browser opens to the Guest Access login page.
g. In the Guest Pass field, press Ctrl + V to paste the key copied from the Key field.
h. Select Log In.

9.5.13 Configure a Secure Email Account on Mobile Device

Lab Report
Time Spent: 02:04

Score: 1/1 (100%) Pass Passing Score: 1/1 (100%)

TASK SUMMARY

Required Actions

 Secure IMAP network communications and authenticate to CorpNet-Wireless Wi-Fi

EXPLANATION
Complete this lab as follows:

1. Set the email account to use SSL and the secure port 993.
a. Select Settings.
b. From the left menu, select Accounts & Passwords. (You may need to scroll down to see this option.)
c. Under Accounts & Passwords, select Gmail.
d. Under Gmail, select mbrown@[Link].
e. Select Advanced.
f. Slide the button to enable Use SSL.
g. Make sure the server port is set to 993.
h. At the top, select Account.
i. Click Done.
2. Connect to CorpNet Wi-Fi.
a. From the left menu, select Wi-Fi.
b. Select CorpNet.
c. In the Password field, enter @CorpNetWeRSecure!& as the password.
d. Select Join.

9.5.7 Secure an Enterprise Wireless Network

Lab Report
Time Spent: 04:55

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

 Change admin username and password

 Enable MAC address filtering

 Configure access controls

EXPLANATION
To complete this lab, use the following MAC addresses:

[Link]
[Link]
[Link]
[Link]

Complete this lab as follows:

1. Log into the Ruckus Wireless ZoneDirector.
a. In the Google Chrome URL field, type [Link] and press Enter.
b. Log in using the following:
Admin Name: admin
Password: password
c. Select Login.
2. Change the admin's username and password for the Ruckus Wireless ZoneDirector.
a. Select the Administer tab.
b. Ensure Authenticate using the admin name and password is selected.
c. In the Admin Name field, enter WxAdmin
d. Enter password in the Current Password field.
e. In the New Password field, enter ZDAdminsOnly!$ (Note: O is the capital letter O).
f. Enter ZDAdminsOnly!$ in the Confirm New Password field.
g. On the right of the section, select Apply.
3. Enable MAC address filtering.
a. From the top, select the Configure tab.
b. From the left menu, select Access Control.
c. Expand L2-L7 Access Control.
d. Under L2/MAC address Access Control, select Create New.
e. In the Name field, enter Allowed Devices.
f. Under Restriction, make sure Only allow all stations listed below is selected.
g. Enter a MAC address.
h. Select Create New.
i. Repeat steps 3g–3h for each of the remaining MAC addresses that need to be added to the ACL.
j. Select OK.
4. Configure access controls.
a. Under Access Control, expand Device Access Policy.
b. Select Create New.
c. In the Name field, enter NoGames.
d. Select Create New.
e. Use the OS/Type drop-down menu to select Gaming.
f. Use the Type drop-down menu to select Deny.
g. Under Uplink, ensure Disabled is selected.
h. Under Downlink, ensure Disabled is selected.
i. Select Save.
j. Select OK.

9.5.8 Enable Wireless Intrusion Prevention

Lab Report
Time Spent: 00:58

Score: 3/3 (100%) Pass Passing Score: 3/3 (100%)

TASK SUMMARY

Required Actions

 Configure denial-of-service protection

 Enable wireless intrusion protection

 Enable rogue DHCP server detection

EXPLANATION
Complete this lab as follows:

1. Configure the wireless controller to protect against denial-of-service (DoS) attacks.
a. From the Ruckus controller, select the Configure tab.
b. From the left menu, select WIPS.
c. From the right pane, select:
Protect my wireless network against excessive wireless requests.
Temporarily block wireless clients with repeated authentication failures.
d. Enter a threshold of 120 seconds.
e. On the right, for this area, select Apply.
2. Configure intrusion detection and prevention.
a. Select Enable report rogue devices.
b. Select Report all rogue devices.
c. Select Protect the network from malicious rogue access points.
d. On the right, for this area, select Apply.
3. Select Enable rogue DHCP server detection and then select Apply.

9.6.6 Optimize a Wireless Network

Lab Report
Time Spent: 22:21

Score: 5/5 (100%) Pass Passing Score: 5/5 (100%)

TASK SUMMARY

Required Actions

 Configure Self Healing

 Configure Background Scanning

 Configure Load Balancing

 Configure Band Balancing for 30% on 2.4GHz

 Adjust the AP Power Level

EXPLANATION

Configure your wireless access points as follows:

1. Configure Self Healing on the wireless network.
a. From the Ruckus ZoneDirector, select the Configure tab.
b. From the left menu, select Services.
c. Under Self Healing, select Automatically adjust AP radio power to optimize coverage when
interference is present.
d. Use the Automatically adjust 2.4GHz channels using drop-down arrow to select Background Scanning.
e. Use the Automatically adjust 5GHz channels using drop-down arrow to select Background Scanning.
f. On the right, select Apply (in the Self Healing pane).
2. Configure Background Scanning.
a. Under Background Scanning, select Run a background scan on 2.4GHz radio.
b. Enter 30 seconds.
c. Select Run a background scan on 5GHz radio.
d. Enter 30 seconds.
e. On the right, select Apply.
3. Configure Load Balancing.
a. Under Load Balancing, select Run load balancing on 2.4GHz radio.
b. In the Adjacent radio threshold(dB) field, enter 40.
c. Select Run load balancing on 5GHz radio.
d. In the Adjacent radio threshold(dB) field, enter 40.
e. On the right, select Apply.
4. Configure Band Balancing.
a. Under Band Balancing, select Percent of clients on 2.4GHz radio.
b. Enter 30.
c. On the right, select Apply.
5. Adjust the AP Power Level.
a. From the left menu, select Access Points.
b. From the top right, select Exhibit to determine which access points to adjust; then close the exhibit.
c. Under Access Points, select Edit next to the access point to be modified.
d. Under Radio B/G/N(2.4G) next to TX Power, make sure Override Group Config is selected.
e. From the TX Power drop-down list, select -3dB (1/2).
f. Under Radio A/N/AC(5G) next to TX Power, make sure Override Group Config is selected.
g. From the TX Power drop-down list, select -3dB (1/2).
h. Select OK.
i. Repeat steps 5b - 5f for additional access points.

9.6.7 Explore Wireless Network Problems

Lab Report
Time Spent: 04:51

Score: 6/6 (100%) Pass Passing Score: 6/6 (100%)

TASK SUMMARY

Required Actions & Questions

 On Office2-Lap, forget the HomeWireless network

 Q1: What is the name of the corporate WLAN?

 Q2: What is the passphrase used for the WLAN security key?

 Q3: To which wireless network is Gst-Lap connected?

 On Gst-Lap, reconnect to the CorpNet wireless network

 On Exec-Lap, slide the wireless switch to ON and connect to the CorpNet wireless network

EXPLANATION
Complete this lab as follows:

1. Identify the wireless connections on the Office2-Lap.
a. Under Office 2, select Office2-Lap.
b. In the notification area, select the wireless network icon.
c. Which wireless networks are available to Office2-Lap? Which wireless network is Office2-Lap connected to?
Available networks are: CorpNet, StarSky, and NetGearWirless.
2. Forget the HomeWireless network on Office2-Lap.
a. Right-click Start and then select Settings.
b. Select Network & Internet.
c. Select Wi-Fi.
d. Select Manage known networks.
e. Which known networks are displayed? CorpNet and HomeWireless.
f. Select HomeWireless.
g. Select Forget.
h. Close the Settings app.
3. View the wireless controller's configuration interface using Google Chrome.
a. From the taskbar, select Google Chrome.
b. In the URL field, enter [Link] and then press Enter.
c. Maximize the window for better viewing.
d. In the Admin Name field, enter admin.
e. In the Password field, enter password.
f. Select Login.
g. Select the Configure tab.
h. From the left menu, select WLANs.
i. Under WLANs, select Edit located in the table under Actions.
j. From the top right, select Answer Questions.
k. Answer Questions 1 and 2.
l. Minimize the Lab Questions dialog.
4. Identify the wireless connections on Gst-Lap.
a. From the top left, select Floor 1 Overview.
b. Under Lobby, select Gst-Lap to switch to the laptop located in the lobby.
c. From the top right, select Answer Questions.
d. Move the question dialog to the left.
e. In the notification area, select the wireless network icon.
f. Answer Question 3.
g. Minimize the Lab Questions dialog.
h. Right-click Start and then select Settings.
i. Select Network & Internet.
j. Select Wi-Fi.
k. Select Manage known networks.
l. Which known networks are displayed? CorpNet.
m. In the notification area, select the wireless network icon.
n. Select the CorpNet wireless network name.
o. Select Connect automatically and then click Connect.
Why did Gst-Lap connect without you entering the network security key? It's already a managed/known
network.
5. Identify the wireless connections on Exec-Laptop.
a. From the top left, select Floor 1 Overview.
b. Under Executive Office, select Exec-Laptop.
c. In the notification area, select the wireless network icon (now being shown as an airplane).
d. What wireless networks are available to Exec-Laptop? None.
e. From the top left, select Executive Office to switch to the hardware of the devices in the executive office.
f. Examine the position of the wireless switch found in the lower left of the laptop's case.
g. What is the position of this switch? Off.
h. Slide the wireless switch to the On position to turn the wireless network interface card on.
i. On the Exec-Laptop monitor, select Click to view Windows 10 to switch to the operating system.
j. Select the wireless network icon in the notification area to view the available networks.
k. Which wireless networks are available to Exec-Laptop now?
l. Manually connect to the CorpNet wireless network as follows:
i. Select the CorpNet wireless network name.
ii. Select Connect.
iii. Enter @CorpNetWeRSecure!& for the wireless network and then select Next.
Exec-Laptop successfully connected to the CorpNet network.

6. Score the lab.
a. From the top right, select Answer Questions.
b. Select Score Lab.

9.6.8 Troubleshoot Wireless Network Problems

Lab Report
Time Spent: 02:19

Score: 1/1 (100%) Pass Passing Score: 1/1 (100%)

TASK SUMMARY

Required Actions

 On Exec-Lap, slide the wireless switch to ON and connect to the CorpNet wireless network

EXPLANATION
Complete this lab as follows:

1. Check to see if the ITAdmin computer can connect to the wireless network.
a. Under IT Administration, select ITAdmin.
b. In the Notification Area, select the wireless network icon to view the available networks in order to see
what is being shown on a working computer.
c. Select the CorpNet wireless network.
d. Select Connect.
e. Enter @CorpNetWeRSecure!& for the security key and then select Next.
ITAdmin is now connected to the CorpNet wireless network. Because this computer can connect to the
wireless network, the problem may be limited to only the Exec-Laptop laptop in the Executive Office.
2. Troubleshoot and fix the wireless networking on Exec-Laptop.
a. From the top left, select Floor 1 Overview to switch to Exec-Laptop.
b. Under Executive Office, select Exec-Laptop.
c. In the Notification Area, select the wireless network icon to view the available networks.
Note that there are no wireless networks shown as available for this laptop. Possible causes for this
include:
The wireless network interface card is not turned on (the wireless switch on the exterior of the
laptop is in the OFF position). Since no wireless networks are shown in the list, you must take
additional steps.
The wireless network's SSID is not broadcasting. However, from Step 1, you know that the wireless
access point is broadcasting the SSID.
The wireless access point is not powered on. However, from Step 1, you know that the wireless
access point is powered on.
d. From the top left, select Executive Office to switch to the devices found in the executive office.
e. On the front of the Exec-Laptop, check to see if the switch for the wireless network interface card is in
the On position.
Notice that it is in the OFF position instead.
f. Slide the wireless switch to the On position to turn the wireless network interface card on.
g. On the laptop monitor, select Click to view Windows 10.
h. In the Notification Area, select the wireless network icon to view the available networks. The CorpNet
wireless network is now displayed in the list of available networks.
i. Select the CorpNet wireless network.
j. Select Connect.
k. Enter @CorpNetWeRSecure!& for the security key and then select Next.
Exec-Laptop is now connected to the CorpNet wireless network.

Which of the following is true about a firewall?
Answer

Firewalls protect against email spoofing attacks.

Implicit deny is used to deny permissions to a specific user even when the rest of the
user's group is allowed access.

Host-based firewalls and network-based firewalls can be installed separately, but
they cannot be placed together to provide multiple layers of protection.
Correct Answer:
You must manually specify which traffic you want to allow through the firewall.
Everything else is blocked.

Explanation

By default, most firewalls deny all traffic, which is called implicit deny. You must
manually specify which traffic you want to allow through the firewall. Everything else
is blocked.
Explicit deny is used to deny permissions to a specific user even when the rest of the
user's group is allowed access.
You can use a host-based firewall in addition to a network-based firewall to provide
multiple layers of protection.
Firewalls do not offer protection against all attacks (such as email spoofing attacks).

References

• 6.1.3 Firewall Facts

Question 2:
Correct
Which options are you able to set on a firewall? (Select three.)
Answer

Sequence number
Correct Answer:
Packet destination address

Checksum
Correct Answer:
Port number
Digital signature

Acknowledgement number
Correct Answer:
Packet source address

Explanation

Firewalls allow you to set filters by source or destination IP address and port
number. They do not filter by checksum, acknowledgement number, sequence
number, or digital signature.

References

• 6.1.3 Firewall Facts

Question 3:
Correct
You have been given a laptop to use for work. You connect the laptop to your
company network, use the laptop from home, and use it while traveling.
You want to protect the laptop from internet-based attacks.
Which solution should you use?
Answer

VPN concentrator

Proxy server

Network-based firewall
Correct Answer:
Host-based firewall

Explanation

A host-based firewall inspects traffic received by a host. Use a host-based firewall to
protect your computer from attacks when there is no network-based firewall, such as
when you connect to the internet from a public location.
A network-based firewall inspects traffic as it flows between networks. For example,
you can install a network-based firewall on the edge of your private network to
protect your data from internal attacks.
A VPN concentrator is a device connected to the edge of a private network that's
used for remote access VPN connections. Remote clients establish a VPN
connection to the VPN concentrator and are granted access to the private network.
A proxy server is an Application layer firewall that acts as an intermediary between a
secure private network and the public. Access to the public network from the private
network goes through the proxy server.

References

• 6.1.3 Firewall Facts

Question 4:
Correct
Which of the following is true about a network-based firewall?
Answer
Correct Answer:
A network-based firewall is installed at the edge of a private network or network
segment.

A network-based firewall is less expensive and easier to use than host-based
firewalls.

A network-based firewall is installed on a single computer.

Network-based firewalls are considered software firewalls.

Explanation

A network-based firewall is installed at the edge of a private network or network
segment.
Network-based firewalls are more expensive and require more configuration than
other types of firewalls, but they are much more robust and secure.
A host-based firewall is installed on a single computer in a network.
Most network-based firewalls are considered hardware firewalls even though they
use a combination of hardware and software.

References

• 6.1.3 Firewall Facts

Question 5:
Correct
How does a proxy server differ from a packet-filtering firewall?
Answer
Correct Answer:
A proxy server operates at the Application layer, while a packet-filtering firewall
operates at the Network layer.

A proxy server is used to create a screened subnet, while a packet-filtering firewall
can only be used with screened subnets.

A proxy server includes filters for the session ID as well as the IP address and port
number.

A proxy server can prevent unknown network attacks, while a packet-filtering firewall
can only prevent known attacks.

Explanation

A proxy server is a device that stands as an intermediary between a secure private
network and the public. A proxy server is an Application layer firewall that is capable
of filtering by information contained within the data portion of a packet (at the
Application layer).
A packet-filtering firewall makes decisions about which network traffic to allow by
examining information in the IP packet header, such as source and destination
addresses, ports, and service protocols. A packet-filtering firewall operates at OSI
Layer 3 (Network layer).
A signature-based IDS uses patterns to detect known attacks, while an anomaly-
based IDS can detect new and unknown attacks.

References

• 6.1.3 Firewall Facts

Question 6:
Correct
Based on the diagram, which type of proxy server is handling the client's request?
Answer

Circuit-level proxy server

Correct Answer:
Reverse proxy server

Open proxy server

Forward proxy server

Explanation

A reverse proxy server handles requests from the internet to an internal network.
Instead of requests for a server going directly to the server, they first go to the
reverse proxy server.
A forward proxy server handles requests from an internal network out to the internet.
An open proxy server is accessible to any user on the internet and is used to forward
requests to and from anywhere on the internet.
A circuit-level proxy server is typically used as a stateful firewall to allow or deny
sessions.

References

• 6.1.3 Firewall Facts

Question 7:
Correct
Which of the following are true about reverse proxy? (Select two.)
Answer
Correct Answer:
Can perform load balancing, authentication, and caching.
Correct Answer:
Handles requests from the internet to a server on a private network.

Clients always know they are using reverse proxy.

Sits between a client computer and the internet.

Handles requests from inside a private network out to the internet.

Explanation

A reverse proxy server handles requests from the internet to a server located inside
a private network. Reverse proxies can perform load balancing, authentication, and
caching.
Reverse proxies often work transparently, meaning clients don't know they are
connected to a reverse proxy.

References

• 6.1.3 Firewall Facts

Question 8:
Correct
Which device combines multiple security features, such as anti-spam, load-
balancing, and antivirus, into a single network appliance?
Answer
Correct Answer:
Unified Threat Management (UTM)

Next Generation Firewall (NGFW)

Circuit-level gateway

Packet-filtering firewall

Explanation
A Unified Threat Management device combines multiple security features into a
single network appliance. A single UTM device can provide several security features,
including firewall, VPN, anti-spam, antivirus, and load balancing.
A NGFW combines a traditional firewall with an application firewall.
A circuit-level gateway makes decisions about which traffic to allow based on virtual
circuits or sessions.
A packet-filtering firewall allows and blocks network traffic by examining information
in the IP packet.

References

• 6.1.3 Firewall Facts

Question 9:
Correct
Which of the following chains is used for incoming connections that aren't delivered
locally?
Answer

Reject

Drop
Correct Answer:
Forward

Output

Explanation

Forward is a chain that's used for incoming connections that aren't delivered locally.
An example is iptables used on a router. The traffic is not destined for the router, but
the router forwards the traffic to the destination device.
Drop is an action that drops the connection.
Reject is an action that does not allow the connection but does send a response
back.
Output is a chain for outgoing connections.

References

• 6.1.6 Linux Firewall Facts

Question 10:
Correct
Which of the following does the sudo iptables -F command accomplish?
Answer

Lists all the current rules.

Drops all incoming traffic.

Saves changes to iptables.

Correct Answer:
Clears all the current rules.

Explanation

The sudo iptables -F command clears all the current rules.
The sudo iptables -A INPUT -j DROP command drops all incoming traffic.
The sudo iptables -L command lists all the current rules.
The sudo /sbin/iptables-save command saves changes to iptables.

References

• 6.1.6 Linux Firewall Facts
Your company has an internet connection. You also have a web server and an email
server that you want to make available to your internet users, and you want to create
a screened subnet for these two servers. Which of the following should you use?
Answer

A host-based firewall
Correct Answer:
A network-based firewall

An IDS

An IPS

Explanation

You should use a network-based firewall to create a screened subnet between two
servers.
A host-based firewall inspects traffic that's received by a host. It is not designed for
use on a screened subnet.
An intrusion detection system (IDS) is a special network device that can detect
attacks and suspicious activity. You cannot use an IDS to create a screened subnet.
An active IDS (also called an intrusion protection system, or IPS) performs the
functions of an IDS, but it can also react when security breaches occur.

References

• 6.2.2 Unified Threat Management (UTM) Appliances Facts

Question 2:
Correct
Which of the following combines several layers of security services and network
functions into one piece of hardware?
Answer

Firewall

Circuit-level gateway
Correct Answer:
Unified Threat Management (UTM)

Intrusion detection system (IDS)

Explanation
A Unified Threat Management (UTM) appliance combines several layers of security
services and network functions into one piece of hardware.
An intrusion detection system (IDS) is a special network device that can detect
attacks and suspicious activity.
A circuit-level gateway makes decisions about which traffic to allow based on virtual
circuits or sessions.
A firewall is a software- or hardware-based network security system that allows or
denies network traffic according to a set of rules.

References

• 6.2.2 Unified Threat Management (UTM) Appliances Facts

Question 3:
Correct
Which of the following are specific to extended access control lists? (Select two.)
Answer

Identify traffic based on the destination address.

Are used by route maps and VPN filters.

Correct Answer:
Are the most used type of ACL.
Correct Answer:
Use the number ranges 100-199 and 2000-2699.

Should be placed as close to the destination as possible.

Explanation

Standard ACLs:
• Identify traffic based on the destination address.
• Are used by route maps and VPN filters.
• Use the number ranges 1-99 and 1300-1999.
• Should be placed as close to the destination as possible.
Extended ACLs:
• Are the most used type of ACL.
• Are used for access rules that permit or deny traffic through a device.
• Can filter by multiple factors including source protocol, source host name,
destination host name, etc.
• Use the number ranges 100-199 and 2000-2699.
• Should be placed as close to the source as possible.

References

• 6.2.12 Firewall Design and Configuration Facts

Question 4:
Correct
Which of the following describes how access control lists can improve network
security?
Answer
Correct Answer:
An access control list filters traffic based on the IP header information, such as
source or destination IP address, protocol, or socket number.

An access control list identifies traffic that must use authentication or encryption.

An access control list filters traffic based on the frame header, such as source or
destination MAC address.

An access control list looks for patterns of traffic between multiple packets and takes
action to stop detected attacks.

Explanation

An access control list filters traffic based on the IP header information, such as
source or destination IP address, protocol, or socket number. Access control lists are
configured on routers, and they operate on Layer 3 information.
Port security is configured on switches, which filter traffic based on the MAC address
in the frame.
An intrusion detection system (IDS) or intrusion prevention system (IPS) examines
patterns detected across multiple packets. An IPS can take action when a suspicious
pattern of traffic is detected.

References

• 6.2.12 Firewall Design and Configuration Facts

Question 5:
Correct
Your Cisco router has three network interfaces configured.
• S0/1/0 is a WAN interface that is connected to an ISP.
• F0/0 is connected to an Ethernet LAN segment with a network address of
[Link]/24.
• F0/1 is connected to an Ethernet LAN segment with a network address of
[Link]/24.
You have configured an access control list on this router using the following rules:
• deny ip [Link] [Link] any
• deny ip [Link] [Link] any
These rules will be applied to the WAN interface on the router. Your goal is to block
any IP traffic coming in on the WAN interface that has a spoofed source address that
makes it appear to be coming from the two internal networks.
However, when you enable the ACL, you find that no traffic is being allowed through
the WAN interface.
What should you do?
Answer

Use the out parameter instead of the in parameter within each ACL rule.

Apply the access list to the Fa0/1 interface instead of the S0/1/0 interface.
Correct Answer:
Add a permit statement to the bottom of the access list.

Apply the access list to the Fa0/0 interface instead of the S0/1/0 interface.

Explanation

The problem with this access list is that it only contains deny statements. On Cisco
devices, there is an implicit deny any at the end of every access list. You need to
add a permit statement and identify the type of traffic that is allowed.
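To see why a deny-only list passes nothing, here is an added example (not part of the lab material) that evaluates a simplified Cisco-style access list top to bottom with the implicit deny at the end. The two internal network addresses, the permit entry and the inbound packets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the lab material): a minimal evaluator for the kind
# of extended ACL described in the question, including the implicit "deny any"
# that terminates every Cisco access list.


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco entries use wildcard masks (0 bits must match); invert to a netmask."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_rule(text: str) -> Rule:
    """Parse '<permit|deny> <protocol> <src> <dst>' where src/dst is either
    'any' or '<address> <wildcard>'. Port matching is left out for brevity."""
    tokens = text.split()
    action, protocol, pos = tokens[0], tokens[1], 2
    nets = []
    for _ in range(2):
        if tokens[pos] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            pos += 1
        else:
            nets.append(_wildcard_to_network(tokens[pos], tokens[pos + 1]))
            pos += 2
    return Rule(action, protocol, nets[0], nets[1])


def evaluate(acl: List[Rule], protocol: str, src: str, dst: str) -> str:
    """Return the action of the first matching entry, checked top to bottom."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in acl:
        if rule.protocol not in ("ip", protocol):
            continue
        if s in rule.source and d in rule.destination:
            return rule.action
    return "deny"  # implicit deny any: nothing matched, so the packet is dropped


# Constructed placeholders for the two internal LANs (the lab's own addresses
# are not reproduced here).
INTERNAL_NETWORKS = ["192.168.10.0", "192.168.20.0"]

# The access list exactly as the question describes it: deny entries only.
BROKEN_ACL = [parse_rule(f"deny ip {net} 0.0.0.255 any") for net in INTERNAL_NETWORKS]

# The fix from the explanation: a permit entry at the bottom. "permit ip any any"
# is the broadest choice; in production you would permit only the traffic types
# the WAN link is meant to carry.
FIXED_ACL = BROKEN_ACL + [parse_rule("permit ip any any")]

# Constructed packets arriving inbound on the WAN interface (S0/1/0):
# (protocol, source, destination).
INBOUND_PACKETS: List[Tuple[str, str, str]] = [
    ("tcp", "203.0.113.7", "192.168.10.25"),   # genuine internet client
    ("tcp", "192.168.10.25", "192.168.20.9"),  # spoofed: claims LAN 1 as source
    ("udp", "192.168.20.1", "203.0.113.7"),    # spoofed: claims LAN 2 as source
]


def decisions(acl: List[Rule]) -> List[str]:
    """Apply one access list to every constructed inbound packet."""
    return [evaluate(acl, proto, src, dst) for proto, src, dst in INBOUND_PACKETS]


if __name__ == "__main__":
    print("deny-only ACL:", decisions(BROKEN_ACL))  # every packet dropped
    print("with permit:  ", decisions(FIXED_ACL))   # only the spoofed packets dropped
```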

References

• 6.2.12 Firewall Design and Configuration Facts



Question 6:
Correct
Which of the following are true about routed firewalls? (Select two.)
Answer
Correct Answer:
Counts as a router hop.
Correct Answer:
Supports multiple interfaces.

Internal and external interfaces connect to the same network segment.

Operates at Layer 2.

Easily introduced to an existing network.

Explanation

On a routed firewall, the firewall is also a Layer 3 router. In fact, many hardware
routers include firewall functionality. Transmitting data through this type of firewall
counts as a router hop. A routed firewall usually supports multiple interfaces, each
connected to a different network segment.
A transparent firewall (which is also called a virtual firewall) works differently. It
operates at Layer 2 and is not seen as a router hop by connected devices. Both the
internal and external interfaces on a transparent firewall connect to the same
network segment. Because it is not a router, you can easily introduce a transparent
firewall into an existing network.

References

• 6.2.12 Firewall Design and Configuration Facts



Question 7:
Correct
Which of the following is a firewall function?
Answer

Frame filtering

Encrypting
Correct Answer:
Packet filtering

FTP hosting

Explanation

Firewalls often filter packets by checking each one against a set of administrator-
defined criteria. If a packet is not accepted, it is simply dropped.

References

• 6.2.12 Firewall Design and Configuration Facts



Question 8:
Correct
You have used firewalls to create a screened subnet. You have a web server that
needs to be accessible to internet users. The web server must communicate with a
database server to retrieve product, customer, and order information.
How should you place devices on the network to best protect the servers? (Select
two.)
Answer

Put the database server inside the screened subnet.


Correct Answer:
Put the database server on the private network.

Put the web server on the private network.


Correct Answer:
Put the web server inside the screened subnet.

Put the database server outside the screened subnet.

Explanation

Publicly accessible resources (servers) are placed inside the screened subnet.
Examples of publicly accessible resources include web, FTP, and email servers.
Devices that should not be accessible to public users are placed on the private
network. If you have a public server that communicates with another server (such as
a database server) and that server should not have direct contact with public hosts,
place the server on the private network and allow only traffic from the public server to
cross the inner firewall.

References

• 6.2.12 Firewall Design and Configuration Facts



Question 9:
Correct
Which of the following BEST describes a stateful inspection?
Answer

Offers secure connectivity between many entities and uses encryption to provide an
effective defense against sniffing.

Designed to sit between a host and a web server and communicate with the server
on behalf of the host.

Allows all internal traffic to share a single public IP address when connecting to an
outside entity.
Correct Answer:
Determines the legitimacy of traffic based on the state of the connection from which
the traffic originated.

Explanation

Stateful firewalls, also referred to as stateful multilayer firewalls, determine the
legitimacy of traffic based on the state of the connection from which the traffic
originated. The stateful firewall maintains a state table that tracks the ongoing record
of active connections.
A virtual private network (VPN) is a network that provides secure access to a private
network through a public network or the internet. Virtual private networks offer
secure connectivity between many entities, both internally and remotely. Their use of
encryption provides an effective defense against sniffing.
Network Address Translation (NAT) separates IP addresses into two sets. This
technology allows all internal traffic to share a single public IP address when
connecting to an outside entity.
You can implement a firewall on circuit-level gateways or application-level gateways.
Both of these firewall designs sit between a host and a web server and communicate
with the server on behalf of the host. They can also cache frequently accessed
websites for faster web page loading.

References

• 6.2.12 Firewall Design and Configuration Facts



Question 10:
Correct
Which of the following are characteristics of a stateless firewall? (Select two.)
Answer

Identify traffic based on the destination address

Should be placed as close to the destination as possible

Allows or denies traffic based on virtual circuits of sessions


Correct Answer:
Allows or denies traffic by examining information in IP packet headers
Correct Answer:
Controls traffic using access control lists, or ACLs.

Explanation
A stateless firewall controls traffic using access control lists, or ACLs. Instead of
analyzing the state of network traffic, stateless firewalls inspect the information
contained in IP packets and compare it to a static list of rules in the ACL. These rules
determine whether to accept or reject IP packets based on the defined criteria. These
criteria can include IP addresses, port numbers, services, and traffic direction.
A stateful firewall allows or denies traffic based on virtual circuits of sessions. A
stateless firewall is also known as a circuit-level proxy or a circuit-level gateway.
Standard ACL:
• Identify traffic based on the destination address.
• Are used by route maps and VPN filters.
• Use the number ranges 1-99 and 1300-1999.
• Should be placed as close to the destination as possible.

References

• 6.2.12 Firewall Design and Configuration Facts


Which of the following terms describes a network device that is exposed to attacks
and has been hardened against those attacks?
Answer

Circuit proxy
Correct Answer:
Bastion

Multi-homed

Kernel proxy

Explanation

A bastion, or sacrificial, host is one that's unprotected by a firewall. The term bastion
host is used to describe any device fortified against attack (such as a firewall). A
sacrificial host might be a device intentionally exposed to attack, such as a honeypot.
Circuit proxies and kernel proxies are types of firewall devices.
Multi-homed describes a device with multiple network interface cards.

References

• 6.3.3 Screened Subnet Facts



Question 2:
Correct
How many network interfaces does a dual-homed gateway typically have?
Answer

one
Correct Answer:
three

four

two

Explanation

A dual-homed gateway is a firewall device that typically has three network interfaces.
One is connected to the internet, one is connected to the public subnet, and one is
connected to the private network.
References

• 6.3.3 Screened Subnet Facts



Question 3:
Correct
You have a company network that is connected to the internet. You want all users to
have internet access, but you need to protect your private network and users. You
also need to make a web server publicly available to the internet users.
Which solution should you use?
Answer

Use a single firewall. Put the server and the private network behind the firewall.

Use a single firewall. Put the web server in front of the firewall and the private
network behind the firewall.

Use firewalls to create a screened subnet. Place the web server and the private
network inside the screened subnet.
Correct Answer:
Use firewalls to create a screened subnet. Place the web server inside the screened
subnet and the private network behind the screened subnet.

Explanation

A screened subnet is a buffer network (or subnet) that sits between a private network
and an untrusted network, such as the internet. A common configuration uses two
firewalls, with one connected to the public network and one connected to the private
network. Publicly accessible resources (servers) are placed inside the screened
subnet. Examples of publicly accessible resources include web, FTP, or email
servers. Private resources that are not accessible from the internet are placed
behind the screened subnet (behind the inner firewall).
Placing the web server inside the private network would mean opening ports on the
firewall that lead to the private network, which could expose other devices to attacks.
Placing the web server outside the firewall would leave it unprotected.

References

• 6.3.3 Screened Subnet Facts



Question 4:
Correct
You are managing a network and have used firewalls to create a screened subnet.
You have a web server that internet users need to access. It must communicate with
a database server to retrieve product, customer, and order information.
How should you place devices on the network to best protect the servers? (Select
two.)
Answer
Correct Answer:
Put the web server inside the screened subnet.

Put the database server and the web server inside the screened subnet.
Correct Answer:
Put the database server on the private network.

Put the web server on the private network.

Put the database server inside the screened subnet.

Explanation

Publicly accessible resources (servers) are placed inside the screened subnet.
Examples of publicly accessible resources include web, FTP, or email servers.
Devices that should not be accessible to public users are placed on the private
network. If you have a public server that communicates with another server (such as
a database server), and that server shouldn't have direct contact with public hosts,
place it on the private network and only allow traffic from the public server to cross
the inner firewall. Placing the database server and the web server inside the
screened subnet would not provide the necessary traffic flow.

References

• 6.3.3 Screened Subnet Facts



Question 5:
Correct
In which of the following situations would you MOST likely implement a screened
subnet?
Answer
Correct Answer:
You want to protect a public web server from attack.

You want to detect and respond to attacks in real time.

You want to encrypt data sent between two hosts using the internet.

You want users to see a single IP address when they access your company network.

Explanation

A screened subnet is a network placed between a private, secured network and the
internet to grant external users access to internally controlled services. In essence, it
serves as a buffer zone for your network.
An intranet is a private network that happens to employ internet information services.
An extranet is a division of a private network that's accessible to a limited number of
users, such as business partners, suppliers, and certain customers.
A padded cell is an intrusion detection countermeasure that's used to delay intruders
enough to record meaningful information about them for discovery and prosecution.

References

• 6.3.3 Screened Subnet Facts



Question 6:
Correct
Which of the following can serve as a buffer zone between a private, secured
network and an untrusted network?
Answer

Padded cell
Correct Answer:
Screened subnet

Extranet

Intranet

Explanation

A screened subnet is a network that's placed between a private, secured network
and the internet (untrusted network) to grant external users access to internally
controlled services. In essence, it serves as a buffer zone for your network.
An intranet is a private network that happens to employ internet information services.
An extranet is a division of a private network that's accessible to a limited number of
users, such as business partners, suppliers, and certain customers.
A padded cell is an intrusion detection countermeasure that's used to delay intruders
enough to record meaningful information about them for discovery and prosecution.

References
• 6.2.12 Firewall Design and Configuration Facts
• 6.3.1 Screened Subnets
• 6.3.2 Configure a Screened Subnet
• 6.3.3 Screened Subnet Facts
• 12.1.1 Security Concepts
• 12.1.2 Security Concepts Facts
• 12.1.7 Defense in Depth
• 12.1.8 Defense in Depth Facts

Question 7:
Correct
What do you need to configure on a firewall to allow traffic directed to the public
resources on the screened subnet?
Answer
Correct Answer:
Packet filters

Subnet

VPN

FTP

Explanation

Packet filters on a firewall allow traffic directed to the public resources inside the
screened subnet. Packet filters also prevent unauthorized traffic from reaching the
private network.
A subnet is used to segment a network.
A VPN (virtual private network) provides a secure outside connection to an internal
network's resources. A VPN does not need to be configured on the firewall to allow
traffic to the public resources on the screened subnet.
FTP (File Transfer Protocol) is a protocol that's used to transfer files. You do not
need to configure this on the firewall to allow traffic to the public resources on the
screened subnet.

References

• 6.3.3 Screened Subnet Facts



Question 8:
Correct
Which of the following is another name for a firewall that performs router functions?
Answer

Screened subnet
Correct Answer:
Screening router

Screened-host gateway

Dual-homed gateway

Explanation

A firewall performing router functions is considered a screening router. A screening
router is the router that is most external to your network and closest to the internet. It
uses access control lists (ACLs) to filter packets as a form of security.
A dual-homed gateway is a firewall device that typically has three network interfaces.
One is connected to the internet, one is connected to the public subnet, and one is
connected to the private network.
A screened-host gateway resides within the screened subnet, requiring users to
authenticate in order to access resources within the screened subnet or the intranet.
A screened subnet uses two firewalls. The external firewall is connected to the
internet and allows access to public resources. The internal firewall connects the
screened subnet to the private network.

References

• 6.3.3 Screened Subnet Facts



Question 9:
Correct
Which of the following uses access control lists (ACLs) to filter packets as a form of
security?
Answer

Dual-homed gateway

Screened subnet
Correct Answer:
Screened router

Screened-host gateway

Explanation
A screening router is the router that is most external to the network and closest to
the internet. It uses access control lists (ACLs) to filter packets as a form of security.
A dual-homed gateway is a firewall device that typically has three network interfaces.
One is connected to the internet, one is connected to the public subnet, and one is
connected to the private network.
A screened-host gateway resides within the screened subnet, requiring users to
authenticate to access resources within the screened subnet or the intranet.
A screened subnet uses two firewalls. The external firewall is connected to the
internet and allows access to public resources. The internal firewall connects the
screened subnet to the private network.

References

• 6.3.3 Screened Subnet Facts



Question 10:
Correct
Which of the following is the BEST solution to allow access to private resources from
the internet?
Answer
Correct Answer:
VPN

Packet filters

FTP

Subnet

Explanation

A VPN (virtual private network) provides a secure, outside connection to an internal
network's resources. A VPN server can be placed inside the screened subnet.
Internet users have to authenticate to the VPN server to communicate with the
private network. Only communications coming through the VPN server are allowed
through the inner firewall.
Packet filters on a firewall allow traffic directed to the public resources inside the
screened subnet. Packet filters also prevent unauthorized traffic from reaching the
private network. They do not allow access to private resources from the internet.
A subnet is used to segment a network.
File Transfer Protocol (FTP) is a protocol used to transfer files. This does not allow
access to private resources from the internet.

References
• 6.3.3 Screened Subnet Facts
Which IDS method defines a baseline of normal network traffic and then looks for
anything that falls outside of that baseline?
Answer

Misuse detection
Correct Answer:
Anomaly-based

Pattern matching

Dictionary recognition

Explanation

Anomaly-based detection defines a baseline of normal network traffic and then looks
for anything that falls outside of that baseline.
Dictionary recognition is a detection method. However, this method does not define a
baseline of normal network traffic and then look for anything that falls outside of that
baseline.
Pattern matching is a detection method. However, this method does not define a
baseline of normal network traffic and then look for anything that falls outside of that
baseline.
Misuse detection is a detection method. However, this method does not define a
baseline of normal network traffic and then look for anything that falls outside of that
baseline.

References

• 6.2.7 Configure Firewall Rules
• 6.4.1 Intrusion Detection and Prevention
• 6.4.2 Implement Intrusion Detection and Prevention
• 6.4.3 Intrusion Detection and Prevention Facts
• 12.6.13 Respond to Network Attacks

Question 2:
Correct
Which of the following describes the worst possible action by an IDS?
Answer

The system detected a valid attack and the appropriate alarms and notifications were
generated.

The system identified harmless traffic as offensive and generated an alarm.


The system correctly deemed harmless traffic as inoffensive and let it pass.
Correct Answer:
The system identified harmful traffic as harmless and allowed it to pass without
generating any alerts.

Explanation

The worst possible action an IDS can perform is identifying harmful traffic as
harmless and allowing it to pass without generating any alerts. This condition is
known as a false negative.
Positive traffic assessment means that the system detected a valid attack and the
appropriate alarms and notifications were generated. Negative traffic assessment
means that the system correctly deemed harmless traffic as inoffensive and let it
pass. False positive traffic assessment means that the system identified harmless
traffic as offensive and triggered an alarm.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 3:
Correct
Which IDS traffic assessment indicates that the system identified harmless traffic as
offensive and generated an alarm or stopped the traffic?
Answer

Positive

Negative
Correct Answer:
False positive

False negative

Explanation

A false positive traffic assessment means that the system identified harmless traffic
as offensive and generated an alarm or stopped the traffic.
A positive traffic assessment means that the system detected an attack and the
appropriate alarms and notifications were generated or the correct actions were
performed to prevent or stop the attack.
A negative traffic assessment means that the system deemed the traffic harmless
and let it pass.
A false negative traffic assessment means that harmful traffic passed without any
alerts being generated or any actions being taken to prevent or stop it. This is the
worst possible scenario.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 4:
Correct
As a security precaution, you've implemented IPsec to work between any two
devices on your network. IPsec provides encryption for traffic between devices.
You would like to implement a solution that can scan the contents of the encrypted
traffic to prevent any malicious attacks.
Which solution should you implement?
Answer
Correct Answer:
Host-based IDS

Protocol analyzer

Network-based IDS

Port scanner

VPN concentrator

Explanation

A host-based IDS is installed on a single host and monitors all traffic coming into the
host. A host-based IDS can analyze encrypted traffic because the host operating
system decrypts that traffic as it's received.
A network-based IDS is a dedicated device installed on the network. It analyzes all
traffic on the network. It cannot analyze encrypted traffic because the packet's
contents are encrypted so that only the recipient can read them.
A protocol analyzer examines packets on the network, but it cannot look at the
contents of encrypted packets.
A port scanner probes a device to identify open protocol ports.
A VPN concentrator is a device used to establish remote access VPN connections.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 5:
Correct
Which of the following is true about an intrusion detection system?
Answer

An intrusion detection system maintains an active security role within the network.
Correct Answer:
An intrusion detection system monitors data packets for malicious or unauthorized
traffic.

An intrusion detection system can terminate or restart other processes on the
system.

An intrusion detection system can block malicious activities.

Explanation

An intrusion detection system (IDS) monitors data packets for malicious or
unauthorized traffic. However, an IDS takes no action to stop or prevent the attack. It
maintains a passive, not an active, role in network security. It cannot terminate or
restart other processes, and it cannot block malicious activities.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 6:
Correct
You're concerned about attacks directed at your network firewall. You want to be
able to identify and be notified of any attacks. In addition, you want the system to
take immediate action to stop or prevent the attack, if possible.
Which tool should you use?
Answer
Correct Answer:
IPS

IDS

Port scanner

Packet sniffer

Explanation

Use an intrusion prevention system (IPS) to both detect and respond to attacks.
An intrusion detection system (IDS) can detect attacks and send notifications, but it
cannot respond to attacks.
Use a port scanner to check for open ports on a system or a firewall.
Use a packet sniffer to examine packets on your network.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 7:
Correct
Which of the following is true about an NIDS?
Answer
Correct Answer:
It detects malicious or unusual incoming and outgoing traffic in real time.

It can analyze fragmented packets.

It can access encrypted data packets.

It can monitor changes that you've made to applications and systems.

Explanation

An NIDS (network-based intrusion detection system) detects malicious or unusual
incoming and outgoing traffic in real time.
An NIDS cannot analyze encrypted data or analyze fragmented packets.
An HIDS (host-based intrusion detection system) can monitor changes that you've
made to applications and systems.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 8:
Correct
Which IDS type can alert you to trespassers?
Answer

NIDS

HIDS
Correct Answer:
PIDS

VMIDS

Explanation

A PIDS (perimeter intrusion detection system) can alert you to physical trespassers.
VMIDS, NIDS, and HIDS are IDS types. However, they cannot alert you to physical
trespassers.

References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 9:
Correct
Which IDS method searches for intrusion or attack attempts by recognizing patterns
or identifying entities listed in a database?
Answer
Correct Answer:
Signature-based IDS

Anomaly analysis-based IDS

Heuristics-based IDS

Stateful inspection-based IDS

Explanation

A signature-based IDS, or pattern matching-based IDS, is a detection system that
searches for intrusion or attack attempts by recognizing patterns that are listed in a
database.
A heuristics-based IDS is able to perform some level of intelligent statistical analysis
of traffic to detect attacks.
Anomaly analysis-based IDSs look for changes in the normal patterns of traffic.
Stateful inspection-based IDSs search for attacks by inspecting packet contents and
associating one packet with another. These searches look for attacks in overall data
streams rather than individual packets.
References

• 6.4.3 Intrusion Detection and Prevention Facts



Question 10:
Correct
You've just installed a new network-based IDS system that uses signature
recognition. What should you do on a regular basis?
Answer

Modify clipping levels.

Check for backdoors.


Correct Answer:
Update the signature files.

Generate a new baseline.

Explanation

Signature recognition (also referred to as pattern matching, dictionary recognition, or
misuse detection) looks for patterns in network traffic and compares them to known
attack patterns called signatures. Signature-based recognition cannot detect
unknown attacks. It can only detect attacks identified by published signature files.
For this reason, it's important to update signature files on a regular basis.
Anomaly recognition (also referred to as behavioral, heuristic, or statistical
recognition) monitors traffic to define a standard activity pattern as normal
functionality. Clipping levels or thresholds identify deviations from that norm. When
the threshold is reached, the system generates an alert or takes an action.
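The two detection methods contrasted in the explanation above (and in the anomaly-based and signature-based questions earlier in this section), as an added example that is not part of the lab material: signature recognition matches decoded request lines against a small pattern database, while anomaly recognition builds a baseline from normal request counts and alerts when a clipping level is exceeded. The signatures, log lines and traffic counts are all constructed.

```python
import re
import statistics
from typing import List, Tuple
from urllib.parse import unquote_plus

# Added example (not from the lab material). Signatures, log lines and counts
# below are constructed for illustration only.

# Signature recognition: a tiny "signature file" of known attack patterns.
# A real NIDS loads thousands of these, which is why the file must be kept
# current; a pattern that is not in the file is simply never detected.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed web-server log lines: "<client> <method> <path> <status>".
SAMPLE_LINES: List[str] = [
    "203.0.113.7 GET /index.html 200",
    "203.0.113.8 GET /images/../../etc/passwd 404",
    "198.51.100.3 GET /search?q=1%20UNION%20SELECT%201,2 500",
    "203.0.113.9 GET /about.html 200",
]


def signature_scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, signature name) for every line that matches a known
    pattern. Lines are URL-decoded first so that percent- or plus-encoded
    variants of a pattern are not missed."""
    hits = []
    for index, line in enumerate(lines):
        decoded = unquote_plus(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((index, name))
    return hits


# Anomaly recognition: requests per minute observed during a known-good period
# (constructed) define what "normal" looks like.
NORMAL_COUNTS: List[int] = [50, 52, 48, 51, 49, 50, 53, 47]
# Constructed counts from a later period, with a burst in the third minute.
OBSERVED_COUNTS: List[int] = [51, 49, 120, 50]


def build_baseline(counts: List[int]) -> Tuple[float, float]:
    """Summarize normal activity as (mean, population standard deviation)."""
    return statistics.fmean(counts), statistics.pstdev(counts)


def anomaly_scan(baseline: Tuple[float, float], observed: List[int],
                 clipping_level: float = 3.0) -> List[int]:
    """Return the indexes whose deviation from the baseline mean exceeds the
    clipping level, expressed in standard deviations. Raising the level gives
    fewer false positives at the cost of more false negatives."""
    mean, stdev = baseline
    return [i for i, count in enumerate(observed)
            if abs(count - mean) > clipping_level * stdev]


if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_LINES))
    baseline = build_baseline(NORMAL_COUNTS)
    print("baseline mean/stdev:", baseline)
    print("anomalous minutes:", anomaly_scan(baseline, OBSERVED_COUNTS))
```

The burst in minute 3 carries no known signature, so only the anomaly method reports it; conversely the two matched request lines sit inside a normal request volume, so only the signature method reports them.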

References

• 6.4.3 Intrusion Detection and Prevention Facts


Match each switch management method on the left with its corresponding
characteristics on the right. Each method may be used once, more than once, or not
at all.
Competes with normal network traffic for bandwidth.

In-band management
correct answer:
Uses a dedicated communication channel.

Out-of-band management
correct answer:
Must be encrypted to protect communications from sniffing.

In-band management
correct answer:
Does not compete with normal network traffic for bandwidth.

Out-of-band management
correct answer:
Affected by network outages.

In-band management
correct answer:

Explanation

You can perform switch management tasks through a network connection by using
the management utilities. This is called in-band management because it uses a
normal network switch connection to perform these tasks. Tools such as Telnet or
SSH provide in-band management. Using the same network connection for both
data and management has several drawbacks. For example:
• You must compete with normal network traffic for bandwidth.
• The network traffic created by the management utilities must be protected
from sniffing to ensure that hackers cannot capture sensitive configuration
information.
• If the network connection is unavailable or if the switch is unresponsive,
you can't perform management tasks.
Out-of-band management, on the other hand, overcomes these problems by using
dedicated communication channels that separate server management traffic from
normal network traffic. With network switches (and routers), you can use console
redirection to redirect console output to a built-in serial or USB console port.

References
• 7.1.4 Switching Facts

Question 2:
Correct
Which level of the OSI model does a Layer 2 switch operate at?
Answer
Correct Answer:
Data Link layer

Transportation layer

Network layer

Session layer

Explanation

A Layer 2 switch operates at the second layer of the OSI model, which is the Data
Link layer.
A Layer 2 switch does not operate at the fourth or fifth layer of the OSI model, which
are the Transportation and Session layers.
A Layer 3 switch can operate at the second and third layers of the OSI model, which
are the Data Link and Network layers.

References

• 7.1.4 Switching Facts



Question 3:
Correct
Which of the following is a device that can send and receive data simultaneously?
Answer

Managed

Unmanaged
Correct Answer:
Full-duplex

Honeypot

Explanation
A full-duplex device can send and receive data simultaneously.
A honeypot is a security system used to decoy attackers.
A managed device is a network device that can receive instructions and return
responses to various components.
An unmanaged switch is a simple plug-and-play device that needs no configuration
to work.

References

• 7.1.4 Switching Facts



Question 4:
Correct
On your network, you have a VLAN for the sales staff and a VLAN for the production
staff. Both need to be able to communicate over the network. Which of the following
devices would work BEST for communication between VLANs?
Answer

Load balancer

Repeater
Correct Answer:
Layer 3 switch

Layer 2 switch

Explanation

A Layer 3 switch can route between VLANs.


A load balancer is a network device that distributes incoming HTTP requests. It does
not route between VLANs.
A Layer 2 switch cannot route between VLANs.
A repeater is a network device that boosts, or forwards, wireless signals from the
router to cover a larger area.

References

• 7.1.4 Switching Facts



Question 5:
Correct
As a network administrator, you have 10 VLANs on your network that need to
communicate with each other. Which of the following network devices is the BEST
choice for allowing communication between 10 VLANs?
Answer
Correct Answer:
Layer 3 switch

Layer 2 switch

Load balancer

Repeater

Explanation

A Layer 3 switch is the best network device to provide communication between 10
VLANs. Providing communication between VLANs is one of the most important
functions of this type of switch.
A repeater is a network device that boosts, or forwards, wireless signals from the
router to cover a larger area.
A load balancer is a network device that distributes incoming HTTP requests.
A Layer 2 switch cannot perform inter-VLAN routing.

References

• 7.1.4 Switching Facts



Question 6:
Correct
Match each type of switch on the left with its corresponding characteristics on the
right. Each switch type may be used once, more than once, or not at all.
Commonly sold at retail stores.

Unmanaged switch
correct answer:
Provides port security features.

Managed switch
correct answer:
Supports VLANs.

Managed switch
correct answer:
Provides very few configuration options.

Unmanaged switch
correct answer:
Can be configured over a network connection.

Managed switch
correct answer:
Can be configured over a dedicated communication channel.

Managed switch
correct answer:

Explanation

You cannot configure the low-end switches available from many retail stores. These
are called unmanaged switches. To implement an unmanaged switch, you simply
plug it into a power outlet and connect your network devices with UTP cables. While
unmanaged switches are convenient and easy to implement, they lack many of the
advanced management and security features available on managed switches. For
example, managed switches provide port security and support VLANs.

References

• 7.1.4 Switching Facts


q_switching_manage_np6.[Link]

Question 7:
Correct
Which of the following is required to establish a new network switch and configure its
IP address for the first time?
Answer

Client-to-site VPN
Correct Answer:
Out-of-band management

Site-to-site VPN

In-band management

Explanation
Out-of-band management is required when you establish a new network switch and
configure its IP address for the first time.
A client-to-site VPN is a connection where remote clients connect to the server
through the internet and to a LAN behind a server.
In-band management can only be used after the switch has been configured with an
IP address and authentication information through out-of-band management.
A site-to-site VPN is a connection between networks that creates a secure link
through VPN gateways.

References

• 7.1.4 Switching Facts


q_switching_out_of_band_01_np6.[Link]

Question 8:
Correct
Which of the following methods is best to have when a network goes down?
Answer

Site-to-site VPN
Correct Answer:
Out-of-band management

Client-to-site VPN

In-band management

Explanation

Out-of-band management uses a dedicated communication channel that can be
used to reach network nodes even when the network goes down.
In-band management requires no physical connection. If the network goes down, this
method will no longer be connected, either.
A client-to-site VPN is a connection where remote clients connect to the server
through the internet and to a LAN behind the server. If the network goes down, there
will be no connection with a client-to-site VPN.
A site-to-site VPN is a connection between networks that creates a secure link
through VPN gateways. This connection would also be lost if the network goes
down.

References

• 7.1.4 Switching Facts


q_switching_out_of_band_02_np6.[Link]
Question 9:
Correct
Which of the following is a communication device that connects other network
devices through cables and receives and forwards data to a specified destination
within a LAN?
Answer

Router

Hub
Correct Answer:
Switch

Access point

Explanation

A switch is a communication device that connects other network devices through
cables and receives and forwards data to a specified destination within a LAN.
A router is a communication device that connects computer networks and receives
and forwards data through the internet.
A hub is a communication device that connects other devices on a network, but hubs
broadcast all incoming data to all active ports.
An access point is a network connector that provides wireless signals for other
devices.

References

• 7.1.4 Switching Facts


q_switching_switch_02_np6.[Link]

Question 10:
Correct
Which of the following is true about an unmanaged switch?
Answer
Correct Answer:
It can connect to all devices in a small area.

It is capable of VLAN creation.

It supports link aggregation.

It allows port configuration.


Explanation

An unmanaged switch is faster and more economical than a managed switch and
can connect all devices within a small area, like a home or small office.
Managed switches allow VLAN creation for segmentation; unmanaged switches do
not.
Managed switches support link aggregation; unmanaged switches do not.
Managed switches allow port configuration; unmanaged switches do not.

References

• 7.1.4 Switching Facts


q_switching_unmanaged_np6.[Link]
Which of the following is the open standard for tagging Layer 2 frames?
Answer

RFC1918

NDP
Correct Answer:
802.1q

ARP

Explanation

802.1q is the open standard for tagging Layer 2 frames and is used for implementing
trunk ports.
RFC1918 is used to create IP addresses on a private network.
ARP (Address Resolution Protocol) works at Layer 3 to establish the MAC address
that's linked to the gateway's IP address.
NDP (Neighbor Discovery Protocol) works for address resolution with IPv6.

References

• 7.2.2 VLAN Facts


q_vlan_802_1q_np6.[Link]

Question 2:
Correct
Which of the following protocols prescribes what to do when a data channel is in use
on a half-duplex device?
Answer

ARP
Correct Answer:
CSMA/CD

Auto-MDI-X

NDP

Explanation

Carrier Sense Multiple Access/Collision Detection (CSMA/CD) is a protocol used to
prescribe what to do when a data channel is in use on a half-duplex device. Those
steps are to send a jam signal, wait a random amount of time, attempt to resend the
frame, and repeat until the channel is clear and the transmission is complete.
Address Resolution Protocol (ARP) is a protocol used to establish associations
between a MAC address and a given IP address.
Neighbor Discovery Protocol (NDP) is a protocol used for address resolution with
IPv6.
Auto-MDIX, or auto-medium dependent crossover, is a line-sensing port that
automatically decides which type of cable configuration is needed for a connection.

References

• 7.2.2 VLAN Facts


q_vlan_csma_cd_np6.[Link]

Question 3:
Correct
A switch receives a frame with a destination MAC address that is not found in its
MAC address table. What happens next?
Answer

The frame is rejected and returned to the source host.

The frame stops at the switch and is not forwarded until the destination MAC
address is manually added to the MAC address table.
Correct Answer:
The frame is replicated and sent to every active port on the switch except the source
port.

The frame is replicated and sent to every active port on the switch.

Explanation

When a switch receives a frame with a destination MAC address that is not found in
its MAC address table, the switch replicates the frame and sends it to every active
port on the switch except the source port.
The frame is replicated, but it is not sent to every active port on the switch. It is sent
to every one except the port the frame came from.
The frame is not rejected and returned.
The frame does not stop at the switch until the destination MAC address is manually
added to the table.

References

• 7.2.2 VLAN Facts


q_vlan_mac_02_np6.[Link]
Question 4:
Correct
Which of the following is the protocol used for address resolution when you switch
from IPv4 to IPv6?
Answer

ARP
Correct Answer:
NDP

Auto-MDIX

CSMA/CD

Explanation

Neighbor Discovery Protocol (NDP) is the protocol that replaced ARP in IPv6 and is
used for address resolution.
Address Resolution Protocol (ARP) is used for address resolution with IPv4.
Carrier Sense Multiple Access/Collision Detection (CSMA/CD) is a protocol used to
prescribe what to do when a data channel is in use on a half-duplex device.
Auto-MDIX, or auto-medium dependent crossover, is a line-sensing port that
automatically decides which type of cable configuration is needed for a connection.

References

• 7.2.2 VLAN Facts


q_vlan_ndp_np6.[Link]

Question 5:
Correct
In which type of device is a MAC address table stored?
Answer

Router
Correct Answer:
Switch

Repeater

Hub

Explanation
A Layer 2 switch stores MAC addresses in a table, which the switch uses to know
where to forward frames.
A router is a Layer 3 device and stores ARP tables, not MAC address tables.
A hub is a Layer 1 device and cannot learn or store MAC addresses.
A repeater is a Layer 1 device that boosts a signal by electrically amplifying it. A
repeater does not store MAC address tables.

References

• 7.2.2 VLAN Facts


q_vlan_switch_02_np6.[Link]

Question 6:
Correct
You run a small network for your business that has a single router connected to the
internet and a single switch. You keep sensitive documents on a computer that you
would like to keep isolated from other computers on the network. Other hosts on the
network should not be able to communicate with this computer through the switch,
but you still need to access the network through the computer.
Which of the following should you use in this situation?
Answer

Spanning Tree

VPN
Correct Answer:
VLAN

Port security

Explanation

You should define virtual LANs (VLANs) on the switch. With a VLAN, a switch port is
associated with a VLAN, and only devices connected to ports that are members of
the same VLAN can communicate with each other. You can use routers to allow
communication between VLANs if necessary.
Use a virtual private network (VPN) to connect two hosts securely through an
unsecure network (such as the internet). VPN tunneling protocols protect data as it
travels through the unsecure network.
Spanning Tree is a switch feature that allows redundant paths between switches.
Port security is a method of requiring authentication before a network connection is
allowed.

References

• 7.2.2 VLAN Facts


q_vlan_vlan_01_np6.[Link]

Question 7:
Correct
For which of the following devices does a voice VLAN prioritize traffic?
Answer

Hub

Layer 3 switch

Bridge
Correct Answer:
VoIP phone

Explanation

A VoIP phone is a phone that transmits sound over the internet. It works best when a
voice VLAN is created to prioritize its traffic.
A hub is a device that broadcasts data to every computer that is connected to it.
A Layer 3 switch is a device that can provide all the functions of a Layer 2 switch
along with routing.
A bridge is a device that creates a single network from multiple network segments.

References

• 7.2.2 VLAN Facts


q_vlan_voice_np6.[Link]

Question 8:
Correct
What does the ip address dhcp command allow you to do?
Answer
Correct Answer:
Configure a switch to obtain an IP address from a DHCP server.

Send the DHCP server address for all connected devices.

Configure a switch to act as a DHCP server.

Specify the DHCP relay server for forwarding DHCP packets.


Explanation

You can use the ip address dhcp command to configure a switch or router to get its
IP address from a DHCP server. You can configure the DHCP server to deliver the
default gateway and DNS server addresses to a Cisco device as well. A manually
configured default gateway address overrides any address received from the DHCP
server.

References

• 7.2.8 CLI Switch IP Configuration Facts


q_switch_config_dhcp_np6.[Link]

Question 9:
Correct
Which command would you use on a switch to enable management from a remote
network?
Answer

ip address dhcp

no shutdown
Correct Answer:
ip default-gateway [Link]

ip address [Link] [Link]

Explanation

To enable management from a remote network, configure the default gateway. To do
so, use the following command in global configuration mode:
switch(config)#ip default-gateway IP_address

References

• 7.2.8 CLI Switch IP Configuration Facts


q_switch_config_gateway_np6.[Link]

Question 10:
Correct
You are configuring a switch so that you can manage it using PuTTY from the same
network segment. On the switch, you enter the following commands:
switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address [Link] [Link]
Will this configuration work?
Answer
Correct Answer:
No. The no shutdown command needs to be entered.

No. The switch needs to obtain an IP address from the DHCP server using the ip
address dhcp command.

Yes. The switch can now be accessed by PuTTY using the IP address [Link].

No. The ip default-gateway command needs to be set.

Explanation

By default, the Vlan1 interface is set to administratively down, preventing remote
access. Use the following commands to configure the switch's IP address and allow
remote management:
switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address [Link] [Link]
switch(config-if)#no shutdown
Because the switch is being accessed from the same network segment, the ip
default-gateway command doesn't need to be used.
The ip address dhcp command only allows the switch to obtain an IP address using
DHCP.

References

• 7.2.8 CLI Switch IP Configuration Facts


q_switch_config_putty_np6.[Link]
Which statements accurately describe the port states of both bridges and switches?
(Select two.)
Answer

In the learning state, the MAC address table cannot be populated because the port is
blocked.
Correct Answer:
In the learning state, the MAC address table can be populated, but frames are not
forwarded.

Ports in a blocked state cannot receive BPDUs.


Correct Answer:
Ports in a blocked state still receive BPDUs.

In the learning state, all ports are in a forwarding state.

Explanation

The following are true for both bridges and switches:
• In the learning state, ports do not forward frames but still populate the
MAC address table based on received frames.
• In the blocking state, ports receive BPDUs but do not forward frames.
• In the listening state, all ports are blocked.

References

• 7.3.2 Switch Port Configuration Facts


q_conf_switch_port_state_01_np6.[Link]

Question 2:
Correct
You manage a single subnet with three switches. The switches are connected to
provide redundant paths between themselves.
Which feature prevents switching loops and ensures that there is only a single active
path between any two switches?
Answer

Trunking
Correct Answer:
Spanning Tree

802.1x

PoE
Explanation

Spanning Tree is a protocol on a switch that allows it to maintain multiple paths
between other switches within a subnet. Spanning Tree runs on each switch and is
used to select a single path between any two switches. Without this protocol,
switches that are connected with multiple links would form a switching loop, where
frames are passed back and forth continuously.
802.1x is an authentication protocol used with port security (or port authentication).
Power over Ethernet (PoE) supplies power to end devices through the RJ45
Ethernet switch port.
Trunking identifies ports that are used to carry VLAN traffic between switches. A
trunk port is a member of all VLANs defined on all switches.

References

• 7.3.2 Switch Port Configuration Facts


• 7.3.15 Configure Spanning Tree
q_conf_switch_port_stp_01_np6.[Link]

Question 3:
Correct
You manage a network with two switches. The switches are connected together
through their Gigabit Ethernet uplink ports.
You define VLAN 1 and VLAN 2 on each switch. A device on the first switch in VLAN
1 needs to communicate with a device on the second switch in VLAN 1.
What should you configure to allow communication between these two devices
through the switches?
Answer

Layer 3 switching

Spanning Tree
Correct Answer:
Trunking

Bonding

Explanation

A trunk port connects two switches together.
• Typically, Gigabit Ethernet ports are used for trunk ports, although any
port can be a trunking port.
• A trunk port is a member of all VLANs and carries traffic between the
switches.
• With trunking, frames that are sent over a trunk port are tagged by the first
switch with the VLAN ID so that the receiving switch knows which VLAN
the frame belongs to.
• The trunking protocol describes the format that switches use for tagging
frames with the VLAN ID.
• Because end devices do not understand VLAN tags, the tag is removed
from the frame by the switch before the frame is forwarded to the
destination device.
• VLAN tagging is only used for frames that travel between switches on the
trunk ports.
Use a Layer 3 switch or a router to enable devices in different VLANs to
communicate with each other.
Spanning Tree is a protocol on a switch that allows it to maintain multiple paths
between other switches within a subnet. Spanning Tree runs on each switch and is
used to select a single path between any two switches.
Bonding allows multiple switch ports to be used at the same time to reach a specific
destination.

References

• 7.3.2 Switch Port Configuration Facts


q_conf_switch_port_trunking_03_np6.[Link]

Question 4:
Correct

Computers A and B are on the same VLAN and are separated by two switches as
shown in the exhibit. Computer A sends a frame to Computer B.
Which of the following BEST describes the frame's composition as it travels from A
to B?
Answer

Computer A sends a normal frame. The first switch forwards the frame to the second
switch, where the VLAN ID is appended to the frame and forwarded to Computer B.

Computer A sends a normal frame. The first switch appends a VLAN ID to the frame.
The VLAN ID remains on the frame through the second switch up to Computer B.

Computer A appends a VLAN ID to the frame. It travels from switch to switch and
arrives at Computer B, where it removes the VLAN ID.
Correct Answer:
Computer A sends a normal frame. The first switch appends a VLAN ID to the frame.
The second switch removes the VLAN ID before forwarding it to Computer B.

Explanation

Only switches understand VLAN IDs; they use the IDs for inter-switch traffic. The first
switch appends the VLAN ID, and the second switch removes it.

References

• 7.3.2 Switch Port Configuration Facts


q_conf_switch_port_vlan_id_01_np6.[Link]

Question 5:
Correct
Which of the following BEST describes port aggregation?
Answer
Correct Answer:
Multiple ports linked together and used as a single logical port.

Multiple VLANs traveling through a single port.

IEEE network standard 802.3.

A priority-based flow control that allows you to prioritize network traffic.

Explanation

Multiple ports linked together and used as a single logical port is called link
aggregation.
Multiple VLANs traveling through a single port is called port tagging or port trunking.
The 802.3 IEEE network standard refers to an 802.3 Ethernet network.
The IEEE standard for prioritized flow control is 802.1Qbb. It is not port aggregation
itself.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_aggregation_01_np6.[Link]

Question 6:
Correct
Which of the following BEST describes Ethernet flow control?
Answer

A configuration that allows frames larger than 1,500 bytes to pass through the port
without fragmentation.

A protocol designed to prevent looping in network traffic.


Correct Answer:
A configuration that sends a pause frame to the transmitting device when the
receiving device cannot keep up with the volume of data being sent.

A configuration that allows traffic from multiple VLANs on a single port.

Explanation

Ethernet flow control is a configuration that sends a pause frame to the transmitting
device when the receiving device cannot keep up with the volume of data being sent.
Port tagging is a configuration that allows traffic from multiple VLANs on a single
port.
Setting your network devices' MTU to 9,000 is a configuration that allows frames
larger than 1,500 bytes (known as jumbo frames) to pass through the ports without
fragmentation.
Spanning Tree Protocol is a protocol designed to prevent looping in network traffic.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_flow_control_np6.[Link]

Question 7:
Correct
Which of the following must each device's MTU be set to for jumbo frames to
traverse the network without risk of fragmentation?
Answer

6,000

1,500

3,000
Correct Answer:
9,000

Explanation

The MTU of each device in the network must be set to 9,000 for jumbo frames to
traverse the network without fragmentation.
If a device's MTU is set to 1,500, 3,000, or 6,000, a jumbo frame could be
fragmented.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_jumbo_np6.[Link]

Question 8:
Correct
Your organization's management wants to monitor all the customer services calls.
The calls are taken on VoIP phones. Which of the following configurations would
BEST help you set up a way to monitor the calls?
Answer
Correct Answer:
Port mirroring

LACP

Spanning Tree Protocol

Priority-based flow control

Explanation

Port mirroring provides copies of packets from a selected port for monitoring and
analysis.
LACP is Link Aggregation Control Protocol. It allows you to link up to eight ports
together to act as a single logical port.
Spanning Tree Protocol is a protocol designed to prevent looping in network traffic.
Priority-based flow control is a protocol that allows you to prioritize traffic on your
network by category.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_mirroring_np6.[Link]
Question 9:
Correct
You have a large Power over Ethernet flat screen that you are installing in a
conference room that requires 70 watts of power. Which of the following IEEE
standards does your PoE switch need to provide power for the flat screen?
Answer
Correct Answer:
PoE++ Type 4

PoE++ Type 3

PoE+

PoE

Explanation

You would need PoE++ Type 4, which provides up to 71.3 watts of power.
PoE provides up to 15.4 watts of power and would not be sufficient to power the flat
screen.
PoE+ provides up to 25.5 watts of power and would not be sufficient to power the flat
screen.
PoE++ Type 3 provides up to 51 watts of power and would not be sufficient to power
the flat screen.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_poe4_np6.[Link]

Question 10:
Correct
Which of the following switch features allows you to configure how the switch's MAC
address table is filled?
Answer

Auto-negotiation

Spanning Tree Protocol


Correct Answer:
Port security

Port mirroring
Explanation

Port security allows you to choose from dynamic locking, static locking, or a
combination of both to fill the MAC address table. This is done to protect the switch
from MAC flooding and other vulnerabilities.
Port mirroring provides copies of packets from a selected port for monitoring and
analysis.
Auto-negotiation is a default setting on Ethernet devices in which connected devices
communicate to select the speed, duplex, and flow control parameters for their
transmissions.

References

• 7.3.10 Switch Port Feature Facts


q_switch_ports_features_security_np6.[Link]
Which of the following scenarios would typically utilize 802.1x authentication?
Answer

Authenticating VPN users through the internet.

Controlling access through a router.

Authenticating remote access clients.


Correct Answer:
Controlling access through a switch.

Explanation

802.1x is an authentication method used on a LAN to allow or deny access based on
a port or network connection. 802.1x is used for port authentication on switches and
requires an authentication server to validate user credentials, which is typically a
RADIUS server.
Remote access authentication is handled by remote access servers or a combination
of remote access servers and a RADIUS server.
You can control VPN connections through remote access servers or through a
special device called a VPN concentrator.

References

• 7.4.2 Switch Security Facts


q_switch_security_802x_02_np6.[Link]

Question 2:
Correct

You have two switches connected together as shown in the following diagram. How
many broadcast domains are in the network?
Answer

Zero

One
Correct Answer:
Two

Four

Five

Explanation

There are two broadcast domains. Each VLAN is in its own broadcast domain.
When you connect devices to a switch, each switch port connection is in its own
collision domain. In this graphic, there are five collision domains.

References

• 7.4.2 Switch Security Facts


q_switch_security_broadcast_01_np6.[Link]

Question 3:
Correct
You are the network administrator for a city library. Throughout the library are
several groups of computers that provide public access to the internet. Supervision
of these computers has been difficult. You've had problems with patrons bringing
personal laptops into the library and disconnecting the network cables from the
library computers to connect their laptops to the internet.
The library computers are in groups of four. Each group of four computers is
connected to a hub that's connected to the library network through an access port on
a switch. You want to restrict access to the network so that only library computers
are permitted connectivity to the internet.
What can you do?
Answer
Correct Answer:
Configure port security on the switch.

Remove the hub and place each library computer on its own access port.

Create static MAC addresses for each computer and associate each address with a
VLAN.

Create a VLAN for each group of four computers.

Explanation
Configuring port security on the switch can restrict access so that only specific MAC
addresses can connect to the configured switch port. This would prevent the laptop
computers from connecting.
Placing each library computer on its own access port would have no effect.
VLANs are used to group broadcast traffic and do not restrict device connectivity as
needed in this scenario.

References

• 7.4.2 Switch Security Facts


q_switch_security_port_02_np6.[Link]

Question 4:
Correct
Which of the following BEST describes an ARP spoofing attack?
Answer

An attack where a frame is manipulated to contain two tags.

An attack that changes the source MAC address on frames.


Correct Answer:
An attack that associates an attacker's MAC address with the IP address of a
victim's device.

An attack in which a switch is flooded with packets, each containing a different
source MAC address.

Explanation

An ARP spoofing attack associates an attacker's MAC address with the IP address
of a victim's device.
MAC flooding is an attack in which a switch is flooded with packets, each containing
a different source MAC address.
MAC spoofing is an attack that changes the source MAC address on frames.
Double tagging is a VLAN hopping attack where a frame is manipulated to contain
two tags.

References

• 7.4.4 Switch Attack Facts


q_switch_attacks_arp_01_np6.[Link]

Question 5:
Correct
Which of the following is a method of VLAN hopping?
Answer

MAC flooding

ARP spoofing
Correct Answer:
Double tagging

MAC spoofing

Explanation

Double tagging is a VLAN hopping method that occurs when an attacker is
connected to a host on one VLAN and the target host is on a VLAN connected to
another switch. In double tagging, the frame is manipulated to include two tags, one
for the first switch and one for the target VLAN's switch.
MAC spoofing is changing the source MAC address on frames. The attacker's
system sends frames with the spoofed MAC address. The switch reads the source
address contained in the frames and associates the MAC address with the port
where the attacker is connected.
ARP spoofing/poisoning associates the attacker's MAC address with the IP address
of the victim's device.
MAC flooding overloads the switch's MAC forwarding table to make the switch
function like a hub.

References

• 7.4.4 Switch Attack Facts


q_switch_attacks_double_np6.[Link]

Question 6:
Correct
Drag each description on the left to the appropriate switch attack type on the right.

The source device sends frames to the attacker's MAC address instead of to the
correct device.
correct answer: ARP spoofing/poisoning

Should be disabled on the switch's end user (access) ports before implementing
the switch configuration into the network.
correct answer: Dynamic Trunking Protocol

Causes packets to fill up the forwarding table and consumes so much of the
switch's memory that it enters a state called fail open mode.
correct answer: MAC flooding

Can be used to hide the identity of the attacker's computer or impersonate another
device on the network.
correct answer: MAC spoofing

Explanation

Common attacks that are perpetrated against switches are MAC flooding, ARP
spoofing/poisoning, and MAC spoofing.
MAC flooding overloads the switch's MAC forwarding table to make the switch
function like a hub. MAC flooding works in the following manner:
• The attacker floods the switch with packets, each containing a different
source MAC address.
• The flood of packets fills up the forwarding table and consumes so much
of the memory in the switch that it causes it to enter into fail-open mode.
While in this mode, all incoming packets are broadcast out of all ports (as
with a hub) instead of just to the correct ports, as per normal operations.
• The attacker captures all the traffic with a protocol analyzer/sniffer.
ARP spoofing/poisoning associates the attacker's MAC address with the IP address
of the victim's device. ARP spoofing works in the following manner:
• When computers send an ARP request for a known IP address's MAC
address, the attacker's system responds with its own MAC address.
• The source device sends frames to the attacker's MAC address instead of
to the correct device.
• Switches are indirectly involved in the attack because they do not verify
the MAC address/IP address association.
MAC spoofing changes the source MAC address on frames sent by the attacker.
• MAC spoofing is typically used to bypass 802.1x port-based security.
• MAC spoofing can be used to bypass wireless MAC filtering.
• MAC spoofing can be used to hide the identity of the attacker's computer
or to impersonate another device on the network.
With Dynamic Trunking Protocol (DTP), switches can automatically detect trunk
ports and negotiate the trunking protocol used between devices. DTP is not secure
and may allow unauthorized devices to modify configuration information. You should
disable DTP services on a switch's end user (access) ports before implementing the
switch configuration on the network.
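The MAC-flooding steps above, and the dynamic/static locking that port security uses to fill the MAC address table (Question 10 of the previous set), can be modelled in a few lines. The following is an added example, not code from the TestOut lab page or from any switch vendor: a simplified switch MAC table with per-port limits, plus a detector that flags a port showing flooding behaviour in a batch of frame records. Port names, MAC addresses and frames are constructed sample data.

```python
# Added example (not part of the TestOut lab page): a simplified switch MAC table
# with port-security limits (dynamic locking with optional static entries), and a
# detector that flags MAC-flooding behaviour from frame records. Port names,
# MAC addresses and frames are constructed sample data.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class SecuredSwitch:
    """Learns source MACs per ingress port. A port with a limit stops learning once
    the limit is reached, so a flood of bogus MACs cannot push the table into
    fail-open mode; each refused MAC is recorded as a violation."""

    def __init__(self, max_macs_per_port: Dict[str, int],
                 static: Optional[Dict[str, str]] = None) -> None:
        self.limits = max_macs_per_port
        self.table: Dict[str, str] = {}                 # MAC -> port
        self.violations: List[Tuple[str, str]] = []     # (port, refused MAC)
        for mac, port in (static or {}).items():        # static locking
            self.table[mac] = port

    def macs_on(self, port: str) -> Set[str]:
        return {mac for mac, p in self.table.items() if p == port}

    def learn(self, port: str, src_mac: str) -> bool:
        """Return True if the frame's source MAC is (now) allowed on this port."""
        if self.table.get(src_mac) == port:
            return True                                 # already known here
        limit = self.limits.get(port)
        if limit is not None and len(self.macs_on(port)) >= limit:
            self.violations.append((port, src_mac))
            return False                                # port is full: drop and log
        self.table[src_mac] = port                      # dynamic locking
        return True


def flooding_ports(frames: List[Tuple[str, str]], threshold: int) -> Dict[str, int]:
    """Ports whose distinct source-MAC count exceeds the threshold. An access port
    serving one host should see a handful of MACs, not hundreds."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for port, src_mac in frames:
        seen[port].add(src_mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > threshold}


# Constructed frames: (ingress port, source MAC). Gi0/1 and Gi0/2 behave normally;
# Gi0/3 sees 300 different source MACs, the pattern of a MAC-flooding attempt.
FRAMES = [("Gi0/1", "aa:aa:aa:00:00:01"), ("Gi0/2", "bb:bb:bb:00:00:01")] + [
    ("Gi0/3", f"de:ad:be:ef:{i >> 8:02x}:{i & 0xFF:02x}") for i in range(300)
]


def run_demo() -> Tuple[int, int, Dict[str, int]]:
    """Feed the frames through a switch with per-port limits; return the number of
    MACs Gi0/3 actually learned, the violation count, and the flagged ports."""
    switch = SecuredSwitch({"Gi0/1": 1, "Gi0/2": 1, "Gi0/3": 2})
    for port, mac in FRAMES:
        switch.learn(port, mac)
    return len(switch.macs_on("Gi0/3")), len(switch.violations), flooding_ports(FRAMES, 50)


if __name__ == "__main__":
    learned, violations, flagged = run_demo()
    print(f"Gi0/3 learned {learned} MACs, {violations} violations, flagged: {flagged}")
```

With a limit of two MACs on Gi0/3, the switch learns only the first two of the 300 flooded addresses and logs the remaining 298 as violations, so the table never fills and the switch keeps forwarding only to the correct ports. The threshold in flooding_ports is the kind of rule a monitoring system would apply to switch MAC-table or port-security logs; 50 is an arbitrary constructed value.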

References

• 7.4.4 Switch Attack Facts


q_switch_attacks_level2_np6.[Link]
Question 7:
Correct
An attacker hides his computer's identity by impersonating another device on a
network. Which of the following attacks did the attacker MOST likely perform?
Answer
Correct Answer:
MAC spoofing attack

ARP spoofing attack

VLAN hopping attack

DTP attack

Explanation

In a MAC spoofing attack, an attacker hides his or her computer's identity by
changing the source MAC address on frames to make it look like their computer is
actually a different computer.
A DTP attack is an attack that takes advantage of the Dynamic Trunking Protocol to
allow unauthorized devices on to a network.
An ARP spoofing attack is an attack that associates an attacker's MAC address with
the IP address of a victim's device.
VLAN hopping is an attack focused on gaining access to traffic on another VLAN
without using a router.

References

• 7.4.4 Switch Attack Facts


q_switch_attacks_mac_02_np6.[Link]

Question 8:
Correct
You have just connected four switches as shown in the Exhibit.
Assuming the default switch configuration, how can you force switch C to become
the root bridge?
Answer

Remove link cable 6 from the configuration.

Remove link cables 1 and 6 from the configuration.

Remove link cable 1 from the configuration.

Configure a priority number of 61440 for switch C.


Correct Answer:
Configure a priority number of 4096 for switch C.

Explanation

To force a specific switch to become the root bridge, configure a priority number
lower than the default (32768). The switch with the lowest bridge ID becomes the
root bridge. The bridge ID is composed of two parts, a bridge priority number and the
MAC address assigned to the switch. When the default priority is used for all
switches, the switch with the lowest MAC address becomes the root bridge.
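The election rule described above (lowest bridge ID wins, where the ID is the priority followed by the MAC address) is easy to check by hand for a small topology. The following is an added example, not code from the TestOut lab page or from any switch vendor: it represents four switches with constructed MAC addresses, runs the election with default priorities, and then re-runs it after switch C's priority is set to 4096 and to 61440, which shows why only the lower value makes C the root.

```python
# Added example (not part of the TestOut lab page): how Spanning Tree elects the
# root bridge. A bridge ID is the priority followed by the switch's MAC address;
# the numerically lowest ID wins. Switch names, MACs and priorities below are
# constructed sample values.
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # default bridge priority
MAX_PRIORITY = 61440       # highest configurable priority (15 * 4096)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    mac: str               # colon-separated, e.g. "00:1a:2b:00:00:10"


def valid_priority(priority: int) -> bool:
    """Modern switches only accept priorities that are multiples of 4096, 0..61440."""
    return 0 <= priority <= MAX_PRIORITY and priority % 4096 == 0


def bridge_id(bridge: Bridge) -> tuple:
    """(priority, MAC as an integer): comparing the tuples compares priority first
    and falls back to the MAC address, exactly like the STP tie-break."""
    mac_int = int(bridge.mac.replace(":", "").replace("-", ""), 16)
    return (bridge.priority, mac_int)


def elect_root(bridges: list) -> Bridge:
    """The bridge with the lowest bridge ID becomes the root."""
    return min(bridges, key=bridge_id)


# Constructed topology: four switches all left at the default priority.
SWITCHES = [
    Bridge("A", DEFAULT_PRIORITY, "00:1a:2b:00:00:10"),
    Bridge("B", DEFAULT_PRIORITY, "00:1a:2b:00:00:20"),
    Bridge("C", DEFAULT_PRIORITY, "00:1a:2b:00:00:30"),
    Bridge("D", DEFAULT_PRIORITY, "00:1a:2b:00:00:40"),
]


def root_with_defaults() -> str:
    """With equal priorities the lowest MAC (switch A here) wins."""
    return elect_root(SWITCHES).name


def root_after_setting_priority(name: str, priority: int) -> str:
    """Re-run the election after one switch's priority is changed."""
    if not valid_priority(priority):
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..{MAX_PRIORITY}")
    changed = [
        Bridge(b.name, priority if b.name == name else b.priority, b.mac)
        for b in SWITCHES
    ]
    return elect_root(changed).name


if __name__ == "__main__":
    print("default election:", root_with_defaults())                    # A
    print("C set to 4096:  ", root_after_setting_priority("C", 4096))    # C
    print("C set to 61440: ", root_after_setting_priority("C", 61440))   # still A
```

Setting C to 61440 leaves A as the root because 61440 is the highest priority a switch can carry, which makes C the least likely root of all; 4096 is below every other switch's 32768 and wins before the MAC address is even compared. The priority range check is the same constraint a switch enforces when the value is entered.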

References

• 7.4.4 Switch Attack Facts


q_switch_attacks_root_01_np6.[Link]

Question 9:
Correct
Which of the following switch attacks bypasses the normal functions of a router to
communicate between VLANs and gain unauthorized access to traffic on another
VLAN?
Answer

ARP spoofing

MAC spoofing

Dynamic Trunking Protocol attack


Correct Answer:
Switch spoofing

Explanation

Switch spoofing, also known as VLAN spoofing, is an attack that bypasses the
normal functions of a router to communicate between VLANs and gain unauthorized
access to traffic on another VLAN. It does this by taking advantage of a switch's
default setting called dynamic auto or dynamic desirable. The attacker uses this
function to imitate a trunking switch and gain access to the traffic on multiple VLANs.
VLAN, or switch, spoofing is a method of VLAN hopping.
MAC spoofing is changing the source MAC address on frames. The attacker's
system sends frames with the spoofed MAC address. The switch reads the source
address contained in the frames and associates the MAC address with the port
where the attacker is connected.
ARP spoofing/poisoning associates the attacker's MAC address with the IP address
of a victim's device.
Switches have the ability to automatically detect trunk ports and negotiate the
trunking protocol used between devices. Dynamic Trunking Protocol is not secure
and allows unauthorized devices to modify configuration information.

References

• 7.4.4 Switch Attack Facts


Question 10:
Correct
Which of the following attacks manipulates a switch's auto-negotiation setting to
access a virtual local area network that's connected to the same switch as the
attacker's virtual local area network?
Answer

ARP spoofing

MAC spoofing

Correct Answer:
VLAN spoofing

Dynamic Trunking Protocol attack

Explanation

VLAN spoofing manipulates a switch's auto-negotiation setting to access a virtual
local area network that's connected to the same switch as the attacker's virtual local
area network.
A DTP attack is an attack that takes advantage of the Dynamic Trunking Protocol to
allow unauthorized devices on a network.
MAC spoofing is an attack that changes the source MAC address on frames.
An ARP spoofing attack is an attack that associates an attacker's MAC address with
the IP address of a victim's device.

References

• 7.4.4 Switch Attack Facts


Which of the following BEST describes dynamic routing?
Answer

Routing entries are manually added to routing tables.

Routing is done within an autonomous system.

Routing is done between autonomous systems.


Correct Answer:
Routers learn about networks by sharing routing information with each other.

Explanation

In dynamic routing, routers dynamically learn about networks by sharing routing
information with other routers through dynamic routing protocols. Dynamic routing
protocols automatically add entries to the routing table.
Interior routing is done within an autonomous system. With interior routers, you own
and control the router, determine where routers are located, and control the
interfaces that connect the routers to your system.
Static routing entries are manually added to the routing table. Static entries remain in
the routing table until they are manually removed.
Exterior routing is done between autonomous systems. In most organizations,
exterior routing is limited to a single router that connects the organization's network
to the internet via an ISP. This router is often called a border router or an edge
router.

References

• 7.5.2 Routing Facts


Question 2:
Correct
Jake is a network administrator for a hospital. There is medical equipment that relies
on having uninterrupted internet connectivity. Which of the following types of routing
protocols should Jake focus on to ensure that the hospital's network connectivity
remains reliable?
Answer

Distance vector routing protocols

Link state routing protocols

Interior dynamic routing protocols


Correct Answer:
Exterior dynamic routing protocols

Explanation

Jake should focus on exterior dynamic routing protocols to provide redundancy in
internet connectivity and ensure that the medical equipment is constantly connected
to the internet. BGP (Border Gateway Protocol) is an example of an exterior dynamic
routing protocol.
Interior dynamic routing protocols route paths within an autonomous system and are
not used for connecting to external systems (including to the internet).
Link state routing protocols and distance vector routing protocols are used for routing
within an autonomous system.

References

• 7.5.2 Routing Facts


Question 3:
Correct
Which of the following has the least default administrative distance?
Answer
Correct Answer:
Static route to an IP address

External BGP

OSPF

RIP

Explanation

A static route to an IP address has a default administrative distance of 1. The only
thing that has a lower administrative distance is a connected interface or static route.
When more than one protocol is enabled on a router, each protocol is given an
administrative distance. When the best path is being determined, protocols with a
lower administrative distance are chosen over those with a higher administrative
distance.
External BGP (Border Gateway Protocol) has an administrative distance of 20.
RIP (Routing Information Protocol) has an administrative distance of 120.
OSPF (Open Shortest Path First) has an administrative distance of 110.

References

• 7.5.4 Routing Protocol Characteristics Facts

Question 4:
Correct
Under which of the following circumstances might you implement BGP on your
company network and share routes with internet routers?
Answer

If the network has over 15 hops.

If the network is connected to the internet using public addressing.

If the network has over 15 areas and uses IPv6.


Correct Answer:
If the network is connected to the internet using multiple ISPs.

Explanation

Very large networks can use BGP internally, but they typically only share routes on
the internet if the AS (autonomous system) has two or more connections to the
internet through different ISPs.
If your network has over 15 hops, use a routing protocol other than RIP.
Use OSPF or IS-IS to divide your network into areas.
Private networks that use public IP addresses do not need to share routes with
internet routers. It is typically the ISP's responsibility to configure routes on the
private network, even when public addressing is being used.
A single route out of the private network is all that's required if the network has a
single connection to the internet.

References

• 7.5.6 Routing Protocol Facts


Question 5:
Correct
A router is connected to network [Link]/24 and network [Link]/24. The
router is configured to use RIP and has learned both networks.
The next hop router for network [Link] has changed. You need to make the
change with the least amount of effort possible.
What should you do?
Answer

Stop and restart the RIP protocol on the router.

Manually reconfigure the default route to point to the new next hop router.

Force RIP to perform an immediate update.


Correct Answer:
Wait for convergence to take place.

Explanation

When you use a routing protocol, changes in routing information take some time to
be propagated to all routers on the network. The term convergence is used to
describe the condition when all routers have the same (or correct) routing
information.
Static routes in a routing table must be updated manually.
Restarting RIP might actually increase the time required for changes to be learned.
Forcing an update (if the router supports it) is not a requirement, as the periodic
sharing of routes will eventually update the routing table entry.

References

• 7.5.6 Routing Protocol Facts


Question 6:
Correct
Which of the following routing protocols is a hybrid that uses a composite number for
its metric based on bandwidth and delay?
Answer

RIP

BGP

Correct Answer:
EIGRP

OSPF

Explanation

Enhanced Interior Gateway Routing Protocol (EIGRP) is a hybrid protocol that uses
a composite number for its metric based on bandwidth and delay.
RIP uses hop count as its metric and is for networks with 15 or fewer hops.
OSPF is a link state routing protocol used for routing within an AS and uses relative
link cost as its metric.
BGP is an advanced distance vector protocol (also called a path vector protocol) that
uses path, rules, and policies instead of a metric to make routing decisions.

References

• 7.5.6 Routing Protocol Facts


Question 7:
Correct
Which of the following are true of the IS-IS routing protocol? (Select two.)
Answer

A router is the boundary between one area and another.

It is best suited for small networks.


Correct Answer:
It divides large networks into areas.
Correct Answer:
It supports IPv6 routing.

It is a classful protocol.

It uses bandwidth and delay for the metric.

Explanation

IS-IS (Intermediate System to Intermediate System) is a link state routing protocol
used for routing within an AS. IS-IS is classless and uses relative link cost for the
metric. Large networks are divided into areas, and IS-IS is best suited for large,
private networks.
A network link is the boundary between one area and another.

References

• 7.5.6 Routing Protocol Facts


Question 8:
Correct
What are the main differences between the OSPF and IS-IS routing protocols?
Answer
Correct Answer:
OSPF requires an area 0, while IS-IS does not.

OSPF is a classful protocol, while IS-IS is a classless protocol.

OSPF is a link state protocol, while IS-IS is not.

OSPF is an IGP routing protocol, while IS-IS is a BGP routing protocol.

Explanation

Like OSPF, IS-IS uses areas when designing the network. However, IS-IS does not
require an area 0 like OSPF does. Because IS-IS was originally designed for non-IP
protocols, it can more easily support IPv6 routing.
Both OSPF and IS-IS have the following characteristics:
• Both are link state protocols.
• Both are classless protocols, supporting CIDR and VLSM.
• Both are interior gateway protocols that are used within an AS.

References

• 7.5.6 Routing Protocol Facts


Question 9:
Correct
What is the main difference between RIP and RIPv2?
Answer

RIP uses hop count for the metric, while RIPv2 uses a relative link cost.

RIP is a distance vector protocol, while RIPv2 is a link state protocol.

RIP has a limit of 15 hops, while RIPv2 increases the hop count limit.

Correct Answer:
RIP is a classful protocol, while RIPv2 is a classless protocol.

Explanation

RIPv1 is a classful protocol, meaning that the subnet mask is not included in routing
updates. With RIP, only the default subnet mask is used to identify networks. RIPv2
is a classless protocol, meaning that the subnet mask is included in routing updates.
RIPv2 supports variable-length subnet masks (VLSM).
Both RIPv1 and RIPv2 are distance vector protocols and use hop count for the metric.
RIP and RIPv2 have a limit of 15 hops between any two networks.

References

• 7.5.6 Routing Protocol Facts


Question 10:
Correct
You have only one physical interface but want to connect two IP networks. Which of
the following would allow you to do so?
Answer

A loopback address

Correct Answer:
Subinterfaces

The sticky feature

Virtual IPs

Explanation

You can use subinterfaces to connect two IP networks through one parent physical
interface. Each subinterface is given its own IP information and data can then be
routed from one network to the other through the physical interface.
A loopback address is a special IP address used for diagnostics and for
troubleshooting the TCP/IP stack.
Virtual IPs (VIPs) are IP addresses that are not associated with a single device.
Multiple devices with an internet connection can share a VIP. They are used for
one-to-many Network Address Translation, mobility, and fault tolerance.
The sticky feature is a Cisco port security command that you can enable to
automatically add MAC addresses to the Content Addressable Memory (CAM) table,
or MAC address table.

References

• 7.5.8 Routing High Availability Facts


Which of the following is true about Network Address Translation?
Answer

It cannot forward DNS requests to the internet.

It allows external hosts to initiate communication with internal hosts.

It provides end-device to end-device traceability.


Correct Answer:
It supports up to 5,000 concurrent connections.

Explanation

Hosts on a private network share the IP address of the NAT router. NAT works by
translating private addresses to the router's public address. NAT supports up to
5,000 concurrent connections. This can consume processor and memory resources,
but it allows one NAT router to translate for a large network.
Network address translation can forward DNS requests to the internet.

NAT does not provide end-device to end-device traceability, but this also provides
some security to hosts within the private network, as their IP addresses are not
shared publicly.
NAT does not allow external hosts to initiate communication with internal hosts. All
communication is through the NAT router.

References

• 7.6.2 NAT Facts


Question 2:
Correct
Which of the following allows incoming traffic addressed to a specific port to move
through the firewall and be transparently forwarded to a specific host on the private
network?
Answer
Correct Answer:
DNAT

IP masquerade

Dynamic NAT

OSPF

Explanation

DNAT (Destination Network Address Translation) is also called port forwarding and
allows incoming traffic addressed to a specific port to move through the firewall and
be transparently forwarded to a specific host on the private network. Dynamic NAT
automatically maps internal IP addresses with a dynamic port assignment. In this
implementation, many internal private IP addresses are mapped to one public IP
address on the NAT router.
IP masquerade is another name for Dynamic NAT and many-to-one NAT.
OSPF (Open Shortest Path First) is a link-state routing protocol used for routing
within an autonomous system.

References

• 7.6.2 NAT Facts


Question 3:
Correct
Which device is NAT typically implemented on?
Answer

AD server

RADIUS server

ISP router
Correct Answer:
Default gateway router

Explanation

NAT is typically implemented on a default gateway router.
You cannot use an AD server, a RADIUS server, or an ISP router to configure NAT.

References

• 7.6.2 NAT Facts


Question 4:
Correct
Which of the following NAT implementations maps a single private IP address to a
single public IP address on the NAT router?
Answer

Dynamic NAT

IP masquerade

Many-to-one NAT

Correct Answer:
Static NAT

Explanation

Static NAT maps a single private IP address to a single public IP address on the
NAT router.
IP masquerade and many-to-one NAT are simply different names for Dynamic NAT.
Dynamic NAT automatically maps internal IP addresses with a dynamic port
assignment. In this implementation, many internal private IP addresses are mapped
to one public IP address on the NAT router.

References

• 7.6.2 NAT Facts


Question 5:
Correct
Which of the following do hosts on a private network share if the network utilizes a
NAT router?
Answer

A physical MAC address


Correct Answer:
A physical IP address

A virtual MAC address

A virtual IP address

Explanation

Hosts on a private network share the NAT router's physical IP address. The NAT
router allows the hosts to share its physical IP address when connecting to the
internet.
Hosts on a private network do not share virtual or physical MAC addresses on a
network that utilizes a NAT router. Each host retains its own MAC address.
Hosts on a private network do not share a virtual IP address on a network that
utilizes a NAT router.

References

• 7.6.2 NAT Facts


Question 6:
Correct
Which of the following is a method that allows you to connect a private network to
the internet without obtaining registered addresses for every host?
Answer

EIGRP

BGP

OSPF

Correct Answer:
NAT

Explanation

Network Address Translation (NAT) is a method that transfers private addresses to a
NAT router's public address. This allows you to connect a private network to the
internet without obtaining registered addresses for every host.
OSPF (Open Shortest Path First) is a dynamic routing protocol that operates within a
single autonomous system.
EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol
for sharing routing information with other routers on the same autonomous system.
BGP (Border Gateway Protocol) is an exterior gateway protocol that manages the
routing between autonomous systems.

References

• 7.6.2 NAT Facts


Question 7:
Correct
Kate, a network administrator, has been tasked with staying within the company
budget. She has a large network and doesn't want to spend more than she needs to
on purchasing and registering multiple public IP addresses for each of the hosts on
her network.
Which of the following methods could help her provide internet access but also keep
costs low and limit the number of registered IP addresses her organization needs to
purchase?
Answer

Use Layer 2 switches.

Use PoE devices.


Correct Answer:
Use Network Address Translation.

Use Layer 3 switches.

Explanation

Using NAT will allow the hosts on Kate's network to be private and to utilize just one
registered public IP address.
Using Layer 2 switches will not impact the public IP address situation.
Using Layer 3 switches would only improve the public IP address situation if NAT
were implemented on them.
Using PoE (Power over Ethernet) devices will not impact the public IP address
situation.

References

• 7.6.2 NAT Facts


Question 8:
Correct
Which of the following is NOT one of the IP address ranges defined in RFC 1918
that are commonly used behind a NAT server?
Answer

[Link] to [Link]

[Link] to [Link]

[Link] to [Link]

Correct Answer:
[Link] to [Link]

Explanation

[Link] to [Link] is the IP address range assigned to Windows DHCP
clients (if a DHCP server does not assign the client an IP address). This range is
known as the Automatic Private IP Addressing (APIPA) range.
The other three ranges listed in this question are defined as private IP addresses in
RFC 1918, which are commonly used behind a NAT server.

References

• 7.6.2 NAT Facts


Question 9:
Correct
You are the network administrator for a small company that implements NAT to
access the internet. However, you recently acquired five servers that must be
accessible from outside your network. Your ISP has provided you with five additional
registered IP addresses to support these new servers, but you don't want the public
to access these servers directly. You want to place these servers behind your
firewall on the inside network, yet still allow them to be accessible to the public from
the outside.
Which method of NAT translation should you implement for these servers?
Answer

Restricted

Overloading

Correct Answer:
Static

Dynamic

Explanation

Static translation consistently maps an unregistered IP address to the same
registered IP address on a one-to-one basis. Static NAT is particularly useful when a
device needs to be assigned the same address so it can be accessed from outside
the network. This works well for web servers and other similar devices.
Dynamic translation would not work for these servers because it maps an
unregistered host IP address to any available IP address configured in a pool of one
or more registered IP addresses. Accessing a server assigned one of these
addresses would be nearly impossible because the addresses are still shared by
multiple hosts.

References

• 7.6.2 NAT Facts


Question 10:
Correct
In which of the following tables does a NAT router store port numbers and their
associated private IP addresses?
Answer

Routing table

ARP table

MAC address table


Correct Answer:
Translation table

Explanation

A NAT router stores port numbers and their associated private IP addresses in a
translation table. NAT uses this table to know which host to send the incoming traffic
to.
A routing table is for routing packets from one network to another.
A MAC address table is used by Ethernet switches to know where to forward traffic
within a network segment.
An ARP table associates MAC addresses with IP addresses.

References

• 7.6.2 NAT Facts


Which of the following best describes DHCP scope exhaustion?
Answer

When a DHCP snooping technique is used to drop packets from untrusted DHCP
servers.

When IP address lease times on a DHCP server are shortened.


Correct Answer:
A denial of service from a lack of IP addresses in a DHCP server's pool.

When an attacker adds a second DHCP server to a network and offers IP addresses
to clients wanting to join the network.

Explanation

A denial of service from a lack of IP addresses in a DHCP server's pool is one form
of DHCP scope exhaustion. Another form comes from inefficient IP address
management in which the IP address pool is depleted faster than it can be refilled.
A rogue DHCP server occurs when an attacker adds a second DHCP server to a
network and offers IP addresses to clients wanting to join the network. If the network
administrator does not have control over a DHCP server, it is considered a rogue
DHCP server.
Shortening IP address lease times on a DHCP server can help prevent DHCP scope
exhaustion.
DHCP snooping techniques can help protect against rogue DHCP servers.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 2:
Correct
You have just connected a new computer to your network. The network uses static
IP addressing.
You find that the computer can communicate with hosts on the same subnet, but not
with hosts on a different subnet. No other computers are having issues.
Which of the following configuration values would you MOST likely need to change?
Answer

DNS server

Correct Answer:
Default gateway

Subnet mask

IP address

Explanation

You should check the computer's default gateway setting; this value is used to send
packets to other subnets. If it's incorrect, packets won't be sent to the correct router.
In this scenario, the host can communicate with other hosts on the same subnet,
meaning that the IP address and subnet mask are correctly configured.
The DNS server address is likely not the problem, as name resolution is not
mentioned in the scenario. In addition, if name resolution were a problem, it could
affect access to both local and remote hosts.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 3:
Correct
A workstation's network board is currently configured as follows:
• Network Speed = Auto
• Duplexing = Auto
The workstation is experiencing poor network performance, and you suspect that the
network board is incorrectly detecting the network speed and duplex settings. Upon
investigation, you find that it's running at 10 Mbps half-duplex. You know that your
network switch is capable of much faster throughput. To fix this issue, you decide to
manually configure these settings on the workstation.
Before you do so, you need to verify the switch port configuration for the connected
workstation. Given that it's a Cisco switch, which commands can you use on the
switch to show a list of all switch ports and their current settings? (Select two.)
Answer

show interface ethernet counters

show interface switchport

show interface capabilities


Correct Answer:
show interface

Correct Answer:
show running-config interface

Explanation

To view the speed and duplex settings of interfaces on a Cisco switch, you can use
one of the following commands:
• show running-config interface (displays concise summary information)
• show interface (displays extended information)
The show interface capabilities command displays information about interface
capabilities, not the current switch configuration.
The show interface ethernet counters command displays interface statistics.
The show interface switchport command displays VLAN information regarding
switch interfaces.

References


7.7.4 Switching and Routing Troubleshooting Facts
q_trouble_switching_routing_interface_np6.[Link]

Question 4:
Correct
Which of the following utilities would you use to view the routing table?
Answer

traceroute

mtr

tracert

dig

Correct Answer:
route

Explanation

Use the route command to display the routing table contents and to add or remove
static routes.
The tracert command uses ICMP packets to test connectivity between devices and
display the path between them. Responses from each hop on the route are
measured three times to provide an accurate representation of how long a packet
takes to reach and be returned by that host.
The mtr command on Linux is a combination of the ping and traceroute commands.
The dig command resolves (looks up) a hostname's IP address.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 5:
Correct
You are unsure if the gateway address is correct for one of your subnetworks
because traffic is not leaving the network. Which of the following tables could you
look at to check if the gateway address is correct?
Answer

ARP table

MAC address table


Correct Answer:
Routing table

State table

Explanation

Routing tables contain gateway address information.
MAC address tables, IP address tables, and state tables do not contain gateway
address information. MAC address tables contain information about source MAC
addresses and destination MAC addresses. ARP tables contain neighbor information
and link MAC addresses to IP addresses. Stateful devices keep track of the state of
network connections, like TCP streams, in a state table.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 6:
Correct
Which of the following scenarios would cause a problem in asymmetric routing?
Answer

Using two switches in the traffic flow.

Using a hub in the traffic flow.


Correct Answer:
Using two stateful firewalls in the traffic flow.

Using two routers in the traffic flow.

Explanation

When you have asymmetrical routing, the outbound traffic would go through one
stateful firewall and the inbound traffic would come through the second stateful
firewall. The second firewall would drop the packets because it wouldn't have any
record of them in its state table. That information would be recorded in the first
firewall.
Unless you've specifically programmed a hub as stateful, it would not have problems
with asymmetrical routing.
In general, routers do not have problems with asymmetric routing, regardless of
number.
Switches do not have problems with asymmetric routing, regardless of number.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 7:
Correct
You manage a network with multiple switches. You find that your switches are
experiencing heavy broadcast storms.
Which of the following will help reduce the effects of these broadcast storms?
Answer

Configure each switch with a single trunk port.

Disable auto-duplex detection.


Correct Answer:
Enable Spanning Tree on the switches.

Manually set the speed for each switch port.

Explanation

A broadcast storm is excessive broadcast traffic that renders normal network
communications impossible. Broadcast storms can be caused by switching loops
that cause broadcast traffic to be circulated endlessly or by denial of service (DoS)
attacks. To reduce broadcast storms, you can:
• Run Spanning Tree protocol to prevent switching loops.
• Implement switches with built-in broadcast storm detection, which limits
the bandwidth that broadcast traffic can use.
• Use VLANs to create separate broadcast domains on switches.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 8:
Correct
Which of the following can cause broadcast storms?
Answer

Duplicate IP addresses

Duplicate MAC addresses


Correct Answer:
Switching loops

Routing loops

Explanation

Switching loops can cause broadcast storms. The broadcast packets are forwarded
to each port on each switch. The switches will then rebroadcast the packets
endlessly and flood the network.
Duplicate MAC addresses, duplicate IP addresses, and routing loops do not cause
broadcast storms.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Question 9:
Correct
You run a small network for your business that has a single router connected to the
internet and a single switch. You keep sensitive documents on a computer that you
would like to keep isolated from other computers on the network. Other hosts on the
network should not be able to communicate with this computer through the switch,
but you still need to access the network through the computer.
What should you use for this situation?
Answer

Port security

VPN

Spanning Tree

Correct Answer:
VLAN

Explanation

You should define virtual LANs (VLANs) on the switch. To do so, a port on the switch
is associated with a specific VLAN. Only devices connected to ports that are
members of the same VLAN can communicate with each other. Routers are used to
allow communication between VLANs if necessary.
Use a virtual private network (VPN) to connect two hosts securely through an
unsecure network (such as the internet). VPN tunneling protocols protect data as it
travels through the unsecure network.
Spanning Tree is a switch protocol that allows redundant paths between switches.
Port security is a method of requiring authentication before allowing a network
connection.

References

• 7.7.4 Switching and Routing Troubleshooting Facts


Which of the following BEST defines a SAN?
Answer
Correct Answer:
A block-level storage network

A Core layer switch

A top-of-rack switch

A mid-tier speed switch

Explanation

A storage attached network (SAN) is a block-level storage solution built for speed
and ease of sharing.
A top-of-rack switch connects devices to a network.
A mid-tier speed switch is also known as a Distribution or Aggregation layer switch.
A Core layer switch is the backbone of a three-tier data center.

References

• 8.1.5 SAN Facts


Question 2:
Correct
You manage a network with three dedicated storage devices, as shown in the
diagram. Users on the network see only a single file server.
Which network-based storage technology is being used?
Answer

iSCSI SAN with clustering

Fibre Channel SAN


Correct Answer:
NAS with clustering

NAS

Explanation

A NAS device is an appliance that's dedicated to file storage. With clustering,
multiple NAS devices are grouped together to provide a degree of fault tolerance. To
users on the network, the cluster appears as a single file server. Without clustering,
the NAS devices would appear as three separate file servers.
Because client devices are connected directly to the switch, it cannot be an iSCSI or
Fibre Channel SAN implementation. iSCSI and Fibre Channel SANs both use
special switches to create the SAN fabric that client systems are not connected to
directly.

References

• 8.1.5 SAN Facts


Question 3:
Correct
Which of the following are the components of a SAN?
Answer

Access switches, SAN fabric, and hosts


Correct Answer:
Hosts, storage, and SAN fabric

SAN fabric, core switches, and the initiator

Distribution switches, targets, and SAN fabric

Explanation

Storage attached networks have hosts (hypervisors), storage on the target servers,
and SAN fabric that consists of the cabling.
Access switches are part of the data center architecture. All SAN storage devices
are called targets. Hosts are servers that have a hypervisor installed. SAN fabric
consists of the cabling and networking hardware that provides the connectivity
between host components and storage components. Distribution layer switches are
mid-tier speed switches. Core layer switches are large modular appliances. The
servers that connect to the shared storage device are called initiators.

References

• 8.1.5 SAN Facts

Question 4:
Correct
Match the SAN technology on the left with its specialization on the right. (Items may
be used once, more than once, or not at all.)
iSCSI
correct answer: No specialized hardware or knowledge.

FC
correct answer: Requires specialized hardware and knowledge.

FCoE
correct answer: No specialized hardware, but requires specialized knowledge.

InfiniBand
correct answer: Requires specialized hardware and knowledge.

Explanation

SAN Technology specialization:


• iSCSI - No specialized hardware or knowledge.
• FC - Requires specialized hardware and knowledge.
• FCoE - No specialized hardware, but requires specialized knowledge.
• InfiniBand - Requires specialized hardware and knowledge.

References

• 8.1.5 SAN Facts

Question 5:
Correct
Brett has been tasked with creating a new SAN. The company currently has Gigabit
internet, and his CTO wants to use Fibre Channel over Ethernet (FCoE) in the SAN.
Brett tells the CTO that this will not work. Which of the following BEST describes the
problem?
Answer

Fibre Channel over Ethernet is still only conceptual.

Fibre Channel over Ethernet is slower than iSCSI.

Fibre Channel over Ethernet requires all new, specialized equipment.


Correct Answer:
Fibre Channel over Ethernet requires 10 Gigabit internet.

Explanation

The problem is that FCoE requires 10 Gigabit internet.


FCoE is no longer conceptual; it is a current, in-use solution.
FCoE provides faster speeds and lower latency than iSCSI.
FCoE uses standard switches and physical connectors.

References

• 8.1.5 SAN Facts

Question 6:
Correct
What BEST describes the designed purpose of InfiniBand?
Answer

Cloud platforms

Unlimited 10 Gigabit internet


Correct Answer:
High-performance supercomputers

Jumbo frames

Explanation

InfiniBand was designed for high-performance supercomputers.


Jumbo frames refer to payload sizes that surpass the IEEE MTU (Maximum
Transmission Unit).
Unlimited 10 Gigabit internet is managed via advanced cables and network
appliances.
Cloud platforms are the level of service that cloud customers use.

References

• 8.1.5 SAN Facts

Question 7:
Correct
You are in the process of configuring an iSCSI storage area network (SAN) for your
network.
You want to configure a Windows Server system to connect to an iSCSI target
defined on a different server system. You also need to define iSCSI security settings,
including CHAP and IPsec.
Which tool should you use?
Answer
Correct Answer:
iSCSI Initiator

iSCSI option under File and Storage Services in Server Manager

Multipath I/O

Internet Storage Name Service

Explanation

Run the iSCSI Initiator to connect to an iSCSI target defined somewhere on the SAN
fabric. You can also use this utility to define iSCSI security settings, including CHAP
and IPsec.
Internet Storage Name Service (iSNS) servers provide discoverability and zoning for
SAN resources.
Multipath I/O (MPIO) provides support for a storage device's multiple data paths.
Use the iSCSI option under File and Storage Services in Server Manager to define
an iSCSI target on a server.

References

• 8.1.5 SAN Facts

Question 8:
Correct
Within an SDN, what is commonly referred to as the brains?
Answer

Initiators

Fabric

Hosts
Correct Answer:
Controllers

Explanation

Controllers are what operate at the control plane and run an SDN.
An initiator is a client that sends iSCSI commands to storage devices within the SAN.
Hosts can refer to many items, such as servers that allow access to the SAN.
Fabric is a layer within a SAN.

References

• 8.1.8 Software-Defined Networking Facts

Question 9:
Correct
Which option BEST describes the third layer in the SDN architecture?
Answer

Control

Management
Correct Answer:
Infrastructure

Application

Explanation

The third layer of SDN is the Infrastructure, or Physical, layer. This is where the
network hardware is located.
The Control layer is the second layer and functions as the brains of the network.
The Application layer is the first layer and contains the applications needed to
program and monitor the network.
The management plane is the interface that admins use to set network parameters.

References

• 8.1.8 Software-Defined Networking Facts

Question 10:
Correct
What are the three layers of an SDN?
Answer

Physical, Control, and Virtualized


Correct Answer:
Application, Control, and Infrastructure
Software, Management, and Construction

SaaS, IaaS, and PaaS

Explanation

The three layers of an SDN are the Application, Control, and Infrastructure layers.
The control plane deals with software and management.
Physical is not correct since the top layer deals with applications, and virtualized is
an incorrect term for infrastructure, as some components may be physical.
SaaS, IaaS, and PaaS are cloud service models.

References

• 8.1.8 Software-Defined Networking Facts
Which of the following BEST describes the main purpose of the codec used in VoIP?
Answer

An algorithm that exclusively controls sound quality.

An algorithm for external calls to be made over VoIP.


Correct Answer:
An algorithm to compress data in order to save on bandwidth.

An algorithm to control poor quality transmissions.

Explanation

The codec's main purpose is to compress and decompress data to save bandwidth.
External calls are controlled through other hardware, not the codec.
While the codec does help with sound and transmission quality, this is not its main
purpose.

References

• 8.2.2 VoIP Facts

Question 2:
Correct
Which of the following BEST describes VoIP (Voice over Internet Protocol)?
Answer

A series of protocols optimized for voice (telephone calls) and digital data
transmission through a packet-switched IP network.

A protocol optimized for voice data transmission (telephone calls) through a 5G
switched IP network.

Correct Answer:
A protocol optimized for voice data transmission (telephone calls) through a packet-
switched IP network.

A protocol optimized for voice data transmission (telephone calls) through a wireless
network.

Explanation

VoIP is a protocol that relies on IP networks to carry voice data.


VoIP relies on Ethernet cables to carry voice signals.
VoIP is a protocol solely for voice data. Digital data is sent using different protocols.
5G is a cellular technology, which doesn't require VoIP.

References

• 8.2.2 VoIP Facts

Question 3:
Correct
Which of the following are considered VoIP endpoints?
Answer
Correct Answer:
Hard phones and soft phones

Hard lines and cell phones

Satellite phones and soft phones

Soft phones and PBX

Explanation

Hard phones and soft phones are endpoints for VoIP since both can take calls over
Ethernet cable.
A hardline is a traditional phone that does not use the internet. Cell phones work
through different technology.
A satellite phone uses signals from satellites, not from the internet.
PBX (private branch exchange) is a different piece of equipment; it is not considered
an endpoint.

References

• 8.2.2 VoIP Facts

Question 4:
Correct
Larry is tasked with implementing a VoIP system in the office. He presents his
research to his boss, who wants to use the current traditional hard phones to save
money. What BEST explains why this is not possible?
Answer

Traditional hard phones don't provide conferencing, but VoIP hard lines do.
Regular hard phones only work with SNMP, and VoIP hard phones use UDP and
TCP.

Hard phones don't conform to IEEE 805.3.


Correct Answer:
A traditional hard phone does not have the internal computing parts to accept VoIP
transmissions.

Explanation

VoIP requires a computer to work. VoIP hard phones are, in essence, computers
that understand network protocols.
VoIP hard phones must conform to IEEE 802.3.
Traditional hard phones are not capable of understanding any network protocols,
including SNMP.
Traditional business hard phones have included conferencing for a long time. It is not
a unique feature to VoIP hard phones.

References

• 8.2.2 VoIP Facts

Question 5:
Correct
Amber, a network administrator, is conducting VoIP training for other IT team
members. Melanie, a new team member, is confused about the difference between
latency and jitter. What is the BEST way to explain the difference?
Answer

Latency is caused by sampling; jitter is not.

Jitter is caused by an inadequate codec.

Latency is the up and down variation in jitter.


Correct Answer:
Jitter is the up and down variation in latency.

Explanation

Jitter is the result of the variance rate in latency.


Jitter is a direct result of latency. Latency is caused by inadequate bandwidth.
Neither latency nor jitter is related to sampling.
A codec is an algorithm that compresses and decompresses voice data packets. It
does not have any bearing on jitter.

References

• 8.2.2 VoIP Facts

Question 6:
Correct
Dan, a network administrator, gets an email from the CEO. She is upset because
people keep talking over each other on conference calls. Which option BEST
describes Dan's first step to remedy this problem?
Answer

Check to see if the VoIP server is in the cloud.

Check the latency configuration. Latency under 250 milliseconds is not
recommended.

Hold a telephone etiquette training course for upper management.


Correct Answer:
Check the latency configuration. Latency should be set between 75 and 150
milliseconds.

Explanation

You can give VoIP traffic priority on your network. Latency is recommended to be set
between 75 and 150 milliseconds.
Latency should always be below 250 milliseconds. Any higher and call quality
becomes unacceptable.
While having a VoIP server hosted in the cloud increases latency, this doesn't
change the basic problem of the current latency configuration.
Holding a telephone etiquette training course is not within Dan's purview, even
though it is probably warranted.

References

• 8.2.2 VoIP Facts

Question 7:
Correct
Dan, a network administrator, has noticed a consistent increase in bandwidth
consumption since installing a new VoIP system. The increase is outside of the
parameters given by the vendor. What is MOST likely the issue Dan needs to
address?
Answer

The hard phones need to be replaced.

His ISP needs to give him more bandwidth.

VoIP phones should be limited to necessary personnel only.


Correct Answer:
The codec needs to be replaced with a more efficient one.

Explanation

The codec controls compression and decompression, which determines bandwidth.


Dan should replace the basic codec with one that better suits his needs.
It's not a practical solution to limit VoIP usage.
ISPs don't give more bandwidth without a contract and more money. The current
speed would have been considered in the VoIP installation.
VoIP hard phones would not cause an increase in bandwidth usage.

References

• 8.2.2 VoIP Facts

Question 8:
Correct
VoIP uses several protocols. Which layer of the OSI model do these protocols reside
on?
Answer

Data Link

Presentation

Physical
Correct Answer:
Transport

Explanation

TCP and UDP reside on the Transport layer.


The Physical layer refers to Ethernet cables.
The Presentation layer formats data so that it displays correctly.
The Data Link layer handles the encoding and decoding of data packets into bits.

References

• 8.2.2 VoIP Facts

Question 9:
Correct
What is the MOST common Transport layer protocol that VoIP uses?
Answer

FTP

TCP

SMTP
Correct Answer:
UDP

Explanation

UDP continues a session even if there is some data loss. On a phone call, data loss
is minimal.
TCP requires that all packets be received in order. If not, retransmission is
attempted, creating latency and dropped calls.
FTP is a file transfer protocol. It is not used with VoIP.
SMTP is an email protocol. It is not used with VoIP.

References

• 8.2.2 VoIP Facts

Question 10:
Correct
Upper management has asked you if there is a way to integrate phone calls, emails,
and instant messaging into a single platform.
Which of the following systems should you recommend?
Answer
Correct Answer:
Unified communications
Quality of Service

Voice over IP

PSTN

Explanation

Unified communications (UC) integrates multiple types of communication into a
single system. UC systems can integrate the following real-time communication
mechanisms:
• Voice calls
• Audio conferencing
• Video conferencing (VTC)
• Desktop sharing
• Instant messaging
UC systems can also provide non-real-time communication integration, including:
• Texting
• Voicemail
• Email
• Faxing
Voice over IP only provides voice calling integration with an IP network. Quality of
Service (QoS) is used to ensure that voice data is given higher priority on a network.
The PSTN is the traditional method for phone calls.

References

• 8.2.2 VoIP Facts
Which of the following are advantages of virtualization? (Select two.)
Answer

Reduced utilization of hardware resources.


Correct Answer:
Easy system migration to different hardware.

Redundancy of hardware components for fault tolerance.


Correct Answer:
Centralized administration.

Improved detection of host-based attacks.

Explanation

Virtualization allows a single physical machine (known as the host operating system)
to run multiple virtual machines (known as the guest operating systems). The virtual
machines appear to be self-contained and autonomous systems. Advantages of
virtualization include:
• Server consolidation.
• The ability to migrate systems between different hardware.
• Centralized management of multiple systems.
• Increased utilization of hardware resources.
• Isolation of systems and applications.
Disadvantages of virtualization include:
• A compromise in the host system could affect multiple guest systems.
• A failure in a shared hardware resource could affect multiple systems.

References

• 8.3.3 Virtualization Facts

Question 2:
Correct
Which hardware components are controlled by the hypervisor?
Answer
Correct Answer:
RAM, CPU, storage

RAM, power supply, motherboard

Storage, CPU, GPU


CPU, storage, power supply

Explanation

RAM, CPU, and storage are controlled by the hypervisor. These are the three
components that all VMs share.
The power supply and motherboard are not controlled by the hypervisor.
The GPU is only for direct usage by the host machine.

References

• 8.3.3 Virtualization Facts

Question 3:
Correct
John is using a host machine with a Type 1 hypervisor. He has 40 virtual servers
using unmodified guest OSs. Which type of virtualization BEST describes this
configuration?
Answer

Paravirtualization

Regular Type 2 virtualization

Partial virtualization
Correct Answer:
Full virtualization

Explanation

In full virtualization, the virtual machine completely simulates a real physical host.
This allows most operating systems and applications to run within the virtual
machine without being modified in any way. This is the most common type of
virtualization in use.
Type 2 hypervisors run mostly on laptops or desktop machines.
In partial virtualization, only some of the components of the virtual machine are
virtualized. The guest operating systems use some virtual components and some
real physical hardware components in the actual device where the hypervisor is
running.
In paravirtualization, all guest operating systems running on the hypervisor directly
access various hardware resources in the physical device. The components are not
virtual.

References
• 8.3.3 Virtualization Facts

Question 4:
Correct
How many types of full virtualization are there?
Answer

Four

One

Three
Correct Answer:
Two

Explanation

There are two types of full virtualization. They are called software assisted and
hardware assisted.

References

• 8.3.3 Virtualization Facts

Question 5:
Correct
In virtualization, what is the role of a hypervisor?
Answer
Correct Answer:
A hypervisor allows virtual machines to interact with the hardware without going
through the host operating system.

A hypervisor is a software implementation that executes programs like a physical
machine.

A hypervisor has the actual hardware in place on the machine, such as the hard disk
drive(s), optical drive, RAM, and motherboard.

A hypervisor is created within the host operating system and simulates a hard disk
for the virtual machine.

Explanation
A hypervisor is a thin layer of software that resides between the virtual operating
system(s) and the hardware. A hypervisor allows virtual machines to interact with the
hardware without going through the host operating system. A hypervisor manages
access to system resources such as:
• CPU
• Storage
• RAM
A physical machine (also known as the host operating system) has the actual
hardware in place on the machine, such as the hard disk drive(s), optical drive, RAM,
motherboard, etc. A virtual machine is a software implementation that executes
programs like a physical machine.
A virtual machine appears to be a self-contained and autonomous system.
A virtual hard disk (VHD) is a file that is created within the host operating system and
simulates a hard disk for the virtual machine.

References

• 8.3.3 Virtualization Facts

Question 6:
Correct
Which of the following BEST describes an enterprise-level hypervisor?
Answer

VM

Type 2
Correct Answer:
Type 1

VHD

Explanation

Type 1, or bare metal, is a hypervisor that is installed on enterprise-level servers.


Type 2 is a hypervisor that is installed on a PC or laptop and used on a small scale.
VHD is a virtual hard disk and is used for some virtual machines. It is not a
hypervisor.
A VM is a virtual machine. This is what a hypervisor manages.

References

• 8.3.3 Virtualization Facts
Question 7:
Correct
Amber's employer has asked her to research what is needed to best utilize current
assets in creating a scalable network. Amber knows that the company has two very
robust servers. What is her BEST solution?
Answer

Convert the current servers to host servers using Type 2 hypervisors.

Do nothing since everything is moving to the cloud.

Sell the current assets and purchase specially made Type 2 hypervisor servers for
virtualization.
Correct Answer:
Convert the existing servers into host servers for virtualization using a Type 1
hypervisor.

Explanation

She should convert the existing servers into host servers for virtualization using a
Type 1 hypervisor. This has minimal expense and utilizes existing assets.
There are no specially made Type 2 hypervisor servers.
Moving to the cloud is expensive and does not utilize current assets.
Only a Type 1 hypervisor can be used in a bare metal installation. Type 2 hypervisors
only work on computers that already have an OS installed.

References

• 8.3.3 Virtualization Facts

Question 8:
Correct
Which hypervisor is for bare metal use?
Answer

Hyper-V

VMWare

Type 2
Correct Answer:
Type 1
Explanation

Type 1 is also known as a bare metal hypervisor.


Type 2 is used for small virtual machines in which an OS is already installed.
While VMware offers Type 1 hypervisors, VMware itself is a brand, not a hypervisor type.
While Hyper-V has both Type 1 and Type 2 hypervisors, it is simply a Microsoft
brand.

References

• 8.3.3 Virtualization Facts

Question 9:
Correct
Which form of virtualization does not virtualize the hardware?
Answer

Full virtualization
Correct Answer:
Paravirtualization

Partial virtualization

Hypervisor

Explanation

In paravirtualization, the hardware is not virtualized.


In partial virtualization, only some of the components of the virtual machine are
virtualized.
In full virtualization, the virtual machine completely simulates a real physical host.
This allows most operating systems and applications to run within the virtual
machine without being modified in any way. This is the most common type of
virtualization in use.
A hypervisor is a thin layer of software that resides between the virtual operating
system(s) and the hardware.

References

• 8.3.3 Virtualization Facts

Question 10:
Correct
Which resource is nearly impossible to decrease once allocated in virtualization?
Answer

RAM

CPU

NIC
Correct Answer:
Storage

Explanation

You must destroy a VM to recover any over-provisioned storage space.


You can raise or lower RAM or the CPU at any time with virtualization.
You can disconnect a NIC at any time with virtualization.

References

• 8.3.3 Virtualization Facts
You want to be able to monitor and filter VM-to-VM traffic within a virtual network.
What should you do?
Answer

Route VM-to-VM traffic through a physical firewall and back to the virtual network.

Define VLAN memberships on each VM.

Create a virtual router with VRF technology.


Correct Answer:
Implement a virtual firewall within the hypervisor.

Explanation

Virtualized hosts are susceptible to the same network exploits as physical network
hosts and need to be protected by a firewall. By implementing a virtual firewall within
the hypervisor itself, you can monitor and filter traffic on the virtual network as it flows
between virtual machines.
While routing VM-to-VM traffic through a physical firewall would work, it is very
inefficient.
A virtual router with VRF (Virtual Route Forwarding) is used to create multiple
networks from a single router interface.
Configuring VLAN membership would not allow you to monitor and filter traffic.

References

• 8.4.4 Virtual Networking Facts

Question 2:
Correct
Which of the following statements are true about virtual NICs? (Select two.)
Answer
Correct Answer:
Virtual NICs need the appropriate driver to function.
Correct Answer:
Multiple virtual NICs can be added to a virtual machine.

Virtual NICs can only communicate with other virtual NICs.

Virtual NICs don't have a MAC address.


The type of NIC installed in the physical machine determines the type of virtual NIC
that is emulated.

Explanation

Within each virtual machine, you can configure one or more virtual network
interfaces, which function similarly to physical network interfaces. Virtual interfaces
use Ethernet standards to transmit and receive frames on a network. The operating
system within the virtual machine must have the appropriate driver installed to
support the virtual network interface, just as with a physical network interface.
When you configure a virtual network interface within a virtual machine's
configuration, you can specify:
• The type of physical network interface to emulate. This allows the best
possible driver support from the operating system within the virtual
machine.
• A MAC address. Most hypervisors automatically assign a MAC address to
each virtual network interface. Some hypervisors allow you to use a
custom MAC address if needed.
• The network to connect to. Most hypervisors allow you to define many
different virtual networks. When you configure a virtual network interface,
you select which virtual network you want it to connect to.

References

• 8.4.4 Virtual Networking Facts

Question 3:
Correct
Which key advantage does a virtual router have over a physical router?
Answer

It allows Virtual Router Redundancy Protocol (VRRP).

It has faster routing performance.

Routing protocols are not necessary for routing data between networks.
Correct Answer:
Multiple networks can connect to a single interface.

Explanation

The key advantage to a virtual router is that it can support multiple networks on a
single router interface. A virtual router does this by using a different routing table for
each network. Physical routers are limited to a single network on each interface.
Like physical routers, virtual routers use routing protocols to route data between
networks.
VRRP is used by physical routers to specify backup routers in the case of failure.
Virtual routers do not offer significant performance increases.

References

• 8.4.4 Virtual Networking Facts

Question 4:
Correct
You have configured a virtual network that includes the following virtual components:
• Four virtual machines (Virtual OS1, Virtual OS2, Virtual OS3, and Virtual
OS4)
• One virtual switch
The virtual switch is connected to a physical network to allow the virtual machines to
communicate with the physical machines out on the physical network.
Given the port configuration for the virtual switch and the physical switch in the table
below, click on all of the virtual and physical machines that Virtual OS1 can
communicate with.

Device            Port   Port Assignment
Virtual Switch    P1     Virtual Network1
                  P2     Virtual Network2
                  P3     Virtual Network1
                  P4     Virtual Network2
                  P5     Physical Network, Virtual Network1
Physical Switch   P1     Physical Network
                  P2     Physical Network
                  P3     Physical Network
                  P4     Physical Network
                  P5     Physical Network

Explanation

Virtual OS1 can communicate with the following machines:


• Virtual OS3
• Physical OS1
• Physical OS2
• Physical OS3
• Physical OS4
The virtual switch port configuration allows Virtual OS1 to communicate with
machines on Virtual Network1 and the physical network. P5 on the virtual switch is
configured to allow communication between the virtual and physical machines as if
they were on the same real physical network.
Virtualized networks allow virtual servers and desktops to communicate with each
other, and they also allow communication with network devices out on the physical
network via the host operating system. Virtual networks typically include the following
components:
• Virtual switches, which allow multiple virtual servers and/or desktops to
communicate on virtual network segments and/or the physical network.
Virtual switches are often configured in the hypervisor.
• Virtual network adapters, which are created and assigned to a desktop or
server in the hypervisor. They have the following characteristics:
o Multiple network adapters could be assigned to a single virtual
machine.
o Each network adapter has its own MAC address.
o Each network adapter is configured to connect to only one
network at a time (meaning a virtual network or the physical
network, but not both).
Virtual OS2 and Virtual OS4 belong to Virtual Network2 and are only able to
communicate with each other.

References

• 8.4.4 Virtual Networking Facts

Question 5:
Correct
You have configured a virtual network that includes the following virtual components:
• Four virtual machines (Virtual OS1, Virtual OS2, Virtual OS3, and Virtual
OS4)
• One virtual switch
The virtual switch is connected to a physical network to allow the virtual machines to
communicate with the physical machines out on the physical network.
Given the port configuration for the virtual switch and the physical switch in the table
below, click on all of the virtual and physical machines that Virtual OS1 can
communicate with.

Device            Port   Port Assignment
Virtual Switch    P1     Virtual Network1
                  P2     Virtual Network1
                  P3     Virtual Network1
                  P4     Physical Network
                  P5     Physical Network
Physical Switch   P1     Physical Network
                  P2     Physical Network
                  P3     Physical Network
                  P4     Physical Network
                  P5     Physical Network

Explanation

Virtual OS1 can communicate with the following machines:


• Virtual OS2
• Virtual OS3
The virtual switch port configuration allows these three virtual machines to
communicate as if the machines were part of a real physical network. Virtualized
networks allow virtual servers and desktops to communicate with each other and can
also allow communication with network devices out on the physical network via the
host operating system. Virtual networks typically include the following components:
• Virtual switches, which allow multiple virtual servers and/or desktops to
communicate on virtual network segments and/or the physical network.
Virtual switches are often configured in the hypervisor.
• Virtual network adapters, which are created and assigned to a desktop or
server in the hypervisor. They have the following characteristics:
o Multiple network adapters can be assigned to a single virtual
machine.
o Each network adapter has its own MAC address.
o Each network adapter is configured to connect to only one
network at a time (meaning a virtual network or the physical
network, but not both).
Virtual OS4 and all of the other Physical OS machines are configured to
communicate on the physical network.

References

• 8.4.4 Virtual Networking Facts
Question 6:
Correct
You are an application developer. You use a hypervisor with multiple virtual
machines installed to test your applications on various operating system versions
and editions.
Currently, all of your test virtual machines are connected to the production network
through the hypervisor's network interface. You are concerned that the latest
application you are working on could adversely impact other network hosts if errors
exist in the code.
To prevent problems, you decide to isolate the virtual machines from the production
network. However, they still need to be able to communicate directly with each other.
What should you do? (Select two. Each response is one part of the complete
solution.)
Answer

Create a new virtual switch configured for bridged (external) networking.

Disable the switch port that the hypervisor's network interface is connected to.

Disconnect the network cable from the hypervisor's network interface.


Correct Answer:
Create a new virtual switch configured for host-only (internal) networking.

Create MAC address filters on the network switch that block each virtual machine's
virtual network interfaces.
Correct Answer:
Connect the virtual network interfaces in the virtual machines to the virtual switch.

Explanation

To allow the virtual machines to communicate with each other while isolating them
from the production network, complete the following:
• Create a new virtual switch configured for host-only (internal) networking.
• Connect the virtual network interfaces in the virtual machines to the virtual
switch.
Creating a bridged virtual switch would still allow the virtual machines to
communicate on the production network through the hypervisor's network interface.
Disconnecting the hypervisor's network cable, blocking the virtual machine's MAC
addresses, or disabling the hypervisor's switch port would isolate the virtual
machines from the production network, but this would also prevent them from
communicating with each other.

References
• 8.4.4 Virtual Networking Facts

Question 7:
Correct
You are responsible for maintaining Windows workstation operating systems in your
organization. Recently, an update from Microsoft was automatically installed on your
workstations that caused an in-house application to stop working.
To keep this from happening again, you decide to test all updates on a virtual
machine before allowing them to be installed on production workstations.
Currently, none of your test virtual machines has a network connection. However,
they need to be able to connect to the update servers at Microsoft to download and
install updates.
What should you do? (Select two. Each response is one part of the complete
solution.)
Answer

Disable the switch port that the hypervisor's network interface is connected to.
Correct Answer:
Connect the virtual network interfaces in the virtual machines to the virtual switch.

Create a new virtual switch configured for internal networking.


Correct Answer:
Create a new virtual switch configured for bridged (external) networking.

Create a new virtual switch configured for host-only networking.

Explanation

To allow the virtual machines to communicate with the Microsoft update servers on
the internet, complete the following:
• Create a new virtual switch configured for bridged (external) networking.
• Connect the virtual network interfaces in the virtual machines to the virtual
switch.
Creating an internal or host-only virtual switch would not allow the virtual machines
to communicate on the production network through the hypervisor's network
interface. Disabling the hypervisor's switch port would also isolate the virtual
machines from the production network.

References

• 8.4.4 Virtual Networking Facts


q_virt_networking_switch_04_np6.[Link]

Question 8:
Correct
Which component is MOST likely to allow physical and virtual machines to
communicate with each other?
Answer

Virtual desktop

Host operating system


Correct Answer:
Virtual switch

VHD

Explanation

Virtual switches allow multiple virtual servers and/or desktops to communicate on
virtual network segments and/or the physical network. Virtual switches are often
configured in the hypervisor.
A virtual hard disk (VHD) is a file that is created within the host operating system and
simulates a hard disk for the virtual machine.
A physical machine (also known as the host operating system) has the actual
hardware in place on the machine, such as the hard disk drive(s), optical drive, RAM,
motherboard, etc.
A virtual desktop is a virtual machine that's run as a software implementation on a
computer. A virtual desktop executes programs like a physical machine.

References

• 8.4.4 Virtual Networking Facts


q_virt_networking_switch_05_np6.[Link]

Question 9:
Correct
You need to provide DHCP and file sharing services to a physical network. These
services should be deployed using virtualization. Which type of virtualization should
you implement?
Answer
Correct Answer:
Virtual servers

Virtual networks

Network as a Service (NaaS)


Virtual desktops

Explanation

Server virtualization runs multiple instances of a server operating system on a single
physical computer. With server virtualization, you can migrate servers on older
hardware to newer computers or add virtual servers to computers with extra, unused
hardware resources.
Virtual desktops do not provide DHCP services.
Virtual networks allow virtual servers and desktops to communicate with each other,
and they can also allow communication with network devices out on the physical
network via the host operating system.
With Network as a Service (NaaS), servers and desktops are virtualized and managed
by a contracted third party.

References

• 8.4.5 Virtualization Implementation Facts


q_virt_implementation_server_np6.[Link]

Question 10:
Correct
Your organization uses a time-keeping application that only runs on Windows 2000
and does not run on newer OS versions. Because of this, there are several Windows
2000 workstations on your network.
Last week, you noticed unusual activity on your network coming from the Windows
2000 workstations. After further examination, you discovered that the Windows 2000
workstations were the victim of a malicious attack and were being used to infiltrate
the network.
You find out that the attackers were able to gain access to the workstations because
of the legacy operating system being used. The organization still needs to use the
Windows 2000 workstations, which need to be connected to the internet, but you
want to make sure the network is protected from future events.
Which solution should you implement to protect the network while also allowing
operations to continue as normal?
Answer

Create a dedicated network for the Windows 2000 workstations that's completely
isolated from the rest of the network, including a separate internet connection.

Install antivirus software on the Windows 2000 workstations and configure Windows
to automatically download and install updates.
Implement a host-based firewall on each Windows 2000 workstation and configure
Windows to automatically download and install updates.
Correct Answer:
Configure VLAN membership so that the Windows 2000 workstations are on their
own VLAN.

Explanation

The best solution is to place the Windows 2000 workstations in their own VLAN. If
you use VLAN network segmentation, the workstations will still have access to the
internet, but network access can be heavily restricted. This greatly reduces the
damage a workstation can cause if it were to become compromised again.
Legacy operating systems, such as Windows 2000, are easy targets for attackers.
This is because legacy operating systems use outdated protocols and have known
exploits.
Installing an antivirus or host-based firewall would do very little to protect the entire
network. In addition, legacy operating systems are no longer supported with updates
or patches, so enabling automatic updates would offer no benefit.
Creating a dedicated network for the workstations would affect normal operations
and also increase network management load.

References

• 8.4.5 Virtualization Implementation Facts


q_virt_implementation_vlan_np6.[Link]
Which of the following are true regarding cloud computing? (Select three.)
Answer
Correct Answer:
Cloud computing consists of software, data access, computation, and storage
services provided to clients through the internet.
Correct Answer:
The term cloud is used as a synonym for the internet.
Correct Answer:
Typical cloud computing providers deliver common business applications online.
They are accessed from another web service or software, like a web browser.

Cloud computing requires end user knowledge of the delivery system's physical
location and configuration.

Explanation

Cloud computing does not require end user knowledge of the delivery system's
physical location and configuration. Other cloud computing details include the
following:
• Cloud computing consists of software, data access, computation, and
storage services provided to clients through the internet.
• The term cloud is used as a synonym for the internet. This is based on the
basic cloud drawing used to represent the telephone network
infrastructure and the internet in computer network diagrams.
• Typical cloud computing providers deliver common business applications
online that are accessed from another web service or software, like a web
browser. The software and data are stored on servers.

References

• 8.5.3 Cloud Facts


q_cloud_computing_mp6.[Link]

Question 2:
Correct
Match each description on the left with the appropriate cloud technology on the right.
• Public cloud: Provides cloud services to just about anyone.
• Private cloud: Provides cloud services to a single organization.
• Community cloud: Allows cloud services to be shared by several organizations.
• Hybrid cloud: Integrates one cloud service with other cloud services.

Explanation

Cloud computing can be implemented in several ways:
• A public cloud can be accessed by anyone. Cloud-based computing
resources are made available to the general public by a cloud service
provider. The service provider may or may not require a fee for using
these resources. For example, Google provides many publicly accessible
cloud applications, such as Gmail and Google Docs.
• A private cloud provides resources to a single organization. Access is
restricted to only the users within that organization. An organization
commonly enters into an agreement with a cloud service provider to
provide secure access to their cloud-based resources. The organization's
data is kept separate and secure from any other organization that's using
the same service provider.
• A community cloud is designed to be shared by several organizations.
Access is restricted to only users within the organizations who are sharing
the community cloud infrastructure. Community clouds are commonly
hosted externally by a third party.
• A hybrid cloud is composed of a combination of public, private, and
community cloud resources from different service providers. The goal
behind a hybrid cloud is to expand the functionality of a given cloud
service by integrating it with other cloud services.

References

• 8.5.3 Cloud Facts


q_cloud_deployment_mp6.[Link]

Question 3:
Correct
You were recently hired by a small startup company. The company is in a small
office and has several remote employees.
You have been asked to find a business service that can both accommodate the
company's current size and scale as the company grows. The service needs to
provide adequate storage as well as additional computing power.
Which cloud service model should you use?
Answer

DaaS
Correct Answer:
IaaS

SaaS

PaaS

Explanation

Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as
processing, storage, networks, and virtualized environments. The client deploys and
runs software without purchasing servers, data center space, or network equipment.
Software as a Service (SaaS) delivers software applications to the client either over
the internet or on a local area network.
Platform as a Service (PaaS) delivers everything a developer needs to build an
application on to the cloud infrastructure. The deployment comes without the cost
and complexity of buying and managing the underlying hardware and software
layers.
Data as a Service (DaaS) stores and provides data from a centralized location
without requiring local collection and storage.

References

• 8.5.3 Cloud Facts


q_cloud_iaas_mp6.[Link]

Question 4:
Correct
Which of the following cloud computing solutions delivers software applications to a
client either over the internet or on a local area network?
Answer

DaaS
Correct Answer:
SaaS

PaaS

IaaS

Explanation
Software as a Service (SaaS) delivers software applications to the client either over
the internet or on a local area network.
Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as
processing, storage, networks, and virtualized environments. The client deploys and
runs software without purchasing servers, data center space, or network equipment.
Platform as a Service (PaaS) delivers everything a developer needs to build an
application on to the cloud infrastructure. The deployment comes without the cost
and complexity of buying and managing the underlying hardware and software
layers.
Data as a Service (DaaS) stores and provides data from a centralized location
without requiring local collection and storage.

References

• 8.5.3 Cloud Facts


q_cloud_saas_mp6.[Link]

Question 5:
Correct
Which of the following are benefits that a VPN provides? (Select two.)
Answer

Faster connection

Easy setup

Metering
Correct Answer:
Compatibility
Correct Answer:
Cost savings

Explanation

Benefits provided by VPNs include the following:
• Cost savings - VPNs reduce connectivity costs while increasing remote
connection bandwidth.
• Security - by using appropriate encryption and authentication protocols,
data being transmitted across the VPN can be secured from prying eyes.
• Scalability - because VPNs use the internet, you can add additional users
without adding significant infrastructure.
• Compatibility - you can implement VPNs across many different WAN
types, including broadband technologies.
A faster connection is not a benefit provided by a VPN. VPN connections are usually
a bit slower.
While setting up a VPN isn't necessarily difficult, it does require a few extra steps
and setup. Easy setup and configuration is not considered a benefit of a VPN.
Service metering is an advantage of cloud computing.

References

• 8.5.5 Virtual Private Networks Facts


q_cloud_vpn_benefits_np6.[Link]

Question 6:
Correct
Which of the following provides a VPN gateway that encapsulates and encrypts
outbound traffic from a site and sends the traffic through a VPN tunnel to the VPN
gateway at the target site?
Answer

Remote access VPN

GRE over IPsec


Correct Answer:
Site-to-site IPsec VPN

SSL VPN

Explanation

Site-to-site IPsec VPNs connect networks across an untrusted network, such as the
internet. The VPN gateway encapsulates and encrypts outbound traffic from a site
and sends the traffic through a VPN tunnel to the VPN gateway at the target site.
Clients send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
The receiving VPN gateway strips the headers, decrypts the content, and relays the
packet toward the target host inside its private network.
SSL VPNs use a PKI (public key infrastructure) and digital certificates to authenticate
peers.
GRE over IPsec (Generic Routing Encapsulation over IPsec) does not support
encryption.
Remote access VPNs let remote and mobile users connect to an organizational
network securely.

References

• 8.5.5 Virtual Private Networks Facts


q_cloud_vpn_ipsec_np6.[Link]

Question 7:
Correct
What is a VPN (virtual private network) primarily used for?
Answer
Correct Answer:
Support secure communications over an untrusted network.

Support the distribution of public web documents.

Allow the use of network-attached printers.

Allow remote systems to save on long distance charges.

Explanation

A VPN (virtual private network) is primarily used to support secure communications
over an untrusted network. You can use a VPN over a local area network, across a
WAN connection, over the internet, and even between a client and a server over a
dial-up internet connection.
All of the other items listed in this question are benefits or capabilities that are
secondary to this primary purpose.

References

• 8.5.5 Virtual Private Networks Facts


q_cloud_vpn_secure_np6.[Link]

Question 8:
Correct
IPsec is implemented through two separate protocols. What are these protocols
called? (Select two.)
Answer

EPS
Correct Answer:
ESP

L2TP

SSL
Correct Answer:
AH

Explanation
IPsec is implemented through two separate protocols, which are called
Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides
authentication and non-repudiation services to verify that the sender is genuine and
that the data was not modified in transit. ESP provides data encryption services for
the data within the packet.
SSL and L2TP are not protocols associated with IPsec.

References

• 8.5.6 IPsec Virtual Private Networks Facts


q_ipsec_vpn_ah_esp_np6.[Link]

Question 9:
Correct
Which other service is IPsec composed of, in addition to AH?
Answer

Extended Authentication Protocol (EAP)


Correct Answer:
Encapsulating Security Payload (ESP)

Advanced Encryption Standard (AES)

Encryption File System (EFS)

Explanation

IPsec is composed of two services, which are called Authentication Header (AH) and
Encapsulating Security Payload (ESP). AH is primarily used for authenticating the
two communication partners in an IPsec link. ESP is primarily used to encrypt and
secure the data transferred between IPsec partners. IPsec employs ISAKMP
(Internet Security Association and Key Management Protocol) for encryption key
management.

References

• 8.5.6 IPsec Virtual Private Networks Facts


q_ipsec_vpn_esp_01_np6.[Link]

Question 10:
Correct
Which of the following are IPsec modes of operation? (Select two.)
Answer
Correct Answer:
Transport mode
Single mode

Secure mode

Multimode
Correct Answer:
Tunnel mode

Explanation

Tunnel mode and transport mode are the two IPsec modes of operation.
Single mode and multimode are types of fiber optic network cable.
Secure mode is a wireless LAN setting.

References

• 8.5.6 IPsec Virtual Private Networks Facts


q_ipsec_vpn_mode_np6.[Link]
What are two major concerns regarding IoT devices? (Select two.)
Answer

Accessibility
Correct Answer:
Privacy

Short life span

Availability
Correct Answer:
Hacking

Explanation

Hackers and privacy are two major concerns for IoT users. Because IoT devices
are closely connected, all a hacker has to do is exploit one vulnerability to
manipulate all the data, rendering it unusable. Also, companies that make and
distribute consumer IoT devices could use those devices to obtain and sell users'
personal data.

References

• 8.6.3 Internet of Things Facts


q_iot_concerns_np6.[Link]

Question 2:
Correct
You notice that a growing number of devices, such as environmental control systems
and wearable devices, are connecting to your network. These devices, known as
smart devices, are sending and receiving data via wireless network connections.
Which of the following labels applies to this growing ecosystem of smart devices?
Answer
Correct Answer:
Internet of Things (IoT)

Dynamic environment

The smartnet

Internet of smart devices

Explanation
These smart devices are part of a growing ecosystem known as the Internet of
Things (IoT). Environments that contain these types of devices are known as static
environments. A static environment is one that never changes (or changes very
infrequently) and that a network administrator has very little control over. For
example, a smart television in an office has embedded technology that might never
be updated, which creates a security hole in the company's network.

References

• 8.6.3 Internet of Things Facts


q_iot_devices_02_np6.[Link]

Question 3:
Correct
Which of the following is considered part of a smart home?
Answer

Laptop

Telephone
Correct Answer:
Thermostat

TV

Explanation

The term smart home refers to a home with devices that can be controlled remotely
over the internet with a smartphone or computer. Thermostats can learn the
residents' daily routines and adjust the temperature of the home accordingly.
Items that typically connect to a video, audio, or data network as a core part of their
functionality are not considered part of a smart home.

References

• 8.6.3 Internet of Things Facts


q_iot_devices_03_np6.[Link]

Question 4:
Correct
Which of the following are examples of newer devices that are often automated
using IoT technology? (Select three.)
Answer

Headsets
Tablets
Correct Answer:
Home appliances
Correct Answer:
Streaming media devices
Correct Answer:
Security systems

Printers

Computer monitors

Explanation

Streaming media devices with IoT allow you to play content from a device, such as
your smartphone, to a speaker or TV as long as both are connected to the same
home network. Security systems, such as alarms and locks, can be accessed from
an app on your smartphone. Home appliances, such as refrigerators or washing
machines, can be accessed from an app on your smartphone as well.
Computer monitors are controlled by a computing device (such as a laptop or
desktop) and are an output device that's not normally associated with the IoT.
While headsets can be wirelessly connected to a device (such as a computer,
smartphone, or TV), they normally use Bluetooth instead of the IoT.
Tablets are mobile computing devices that normally use Wi-Fi technology to connect
to the internet and are not normally associated with IoT technology.
Printers can wirelessly connect to a home Wi-Fi network, but they are not normally
associated with IoT technology.

References

• 8.6.3 Internet of Things Facts


q_iot_devices_04_np6.[Link]

Question 5:
Correct
Match each smart device with its description.
• Thermostat: Learns from your habits and schedule, allows you to control the
climate in your home remotely, shows you energy consumption in real time, and
adjusts itself depending on ambient conditions.
• Switch: Allows you to control hardwired lights, ceiling fans, fireplaces, small
appliances, and garbage disposals.
• Bulb: Can change colors, track motion, stream audio over Bluetooth, and double
as a connected camera, but it's only smart when turned on. It doesn't work when
turned off.
• Plug: Easy solution for making small appliances (such as lamps, coffee makers,
and toasters) smart.
• Security camera: Uses an RF transmitter. May include such features as motion
detection, scheduled recording, remote viewing, and automatic cloud storage.
• Door lock: Uses a wireless protocol and a cryptographic key to execute the
authorization process. It can also monitor access and send alerts related to the
status of the device.
• Speaker/digital assistant: Uses voice recognition software and activates through
a Wake Word or Hot Word.

Explanation

The following are smart IoT devices and their general characteristics:
• Thermostats learn from your habits and schedule, allow you to control the
climate in your home remotely, show you energy consumption in real time,
and adjust themselves depending on ambient conditions.
• Switches allow you to control hardwired lights, ceiling fans, fireplaces,
small appliances, and garbage disposals.
• Bulbs can change colors, track motion, stream audio over Bluetooth, and
double as a connected camera, but they're only smart when turned on.
They don't work when turned off.
• Plugs are easy solutions for making small appliances (such as lamps,
coffee makers, and toasters) smart.
• Security cameras use an RF transmitter. They may include such features
as motion detection, scheduled recording, remote viewing, and automatic
cloud storage.
• Door locks use a wireless protocol and a cryptographic key to execute the
authorization process. They can also monitor access and send alerts
related to the status of the device.
• Speakers and digital assistants use voice recognition software and
activate through a Wake Word or Hot Word.

References

• 8.6.3 Internet of Things Facts


q_iot_devices_np6.[Link]

Question 6:
Correct
Which frequencies does Zigbee operate on?
Answer

2.4 GHz, 500 MHz, and 818 MHz


Correct Answer:
2.4 GHz, 900 MHz, and 868 MHz

1.4 GHz, 90 MHz, and 500 MHz

2.7 GHz, 400 MHz, and 865 MHz

Explanation

Zigbee is a specification based on IEEE 802.15.4. The WPANs operate on 2.4 GHz,
900 MHz, and 868 MHz frequencies.

References

• 8.6.3 Internet of Things Facts


q_iot_frequencies_np6.[Link]

Question 7:
Correct
Anabel purchased a smart speaker. She connected it to all the smart devices in her
home. Which of the following communication models is she using?
Answer

Device-to-gateway
Device-to-cloud

Back-end data-sharing
Correct Answer:
Device-to-device

Explanation

The device-to-device, or machine-to-machine (M2M), communication model is meant
mostly for systems with devices transferring small data packets to each other at a
very low data rate. The devices could include thermostats, light bulbs, door locks,
CCTV cameras, refrigerators, and wearable devices.
The device-to-gateway model means that the IoT device doesn't directly interact with
the cloud or the client. Instead, the device interacts with an intermediate device, or
gateway, which then contacts the cloud to send and receive data.
The back-end data-sharing model is an expanded version of the device-to-cloud
model. This means the data sent from the IoT device to the cloud can be accessed
by authorized third parties.
The device-to-cloud model means that the devices communicate with the cloud
instead of directly with the end user to send data and receive commands.

References

• 8.6.3 Internet of Things Facts


q_iot_m2m_np6.[Link]

Question 8:
Correct
What is the maximum number of nodes Z-Wave allows on its mesh network?
Answer
Correct Answer:
232

223

231

322

Explanation

Z-Wave allows up to 232 nodes on the mesh network.

References
• 8.6.3 Internet of Things Facts
q_iot_nodes_np6.[Link]

Question 9:
Correct
What are the two protocols used most often with IoT devices? (Select two.)
Answer
Correct Answer:
Zigbee
Correct Answer:
Z-Wave

Zerg

Zensys

Zbot

Explanation

Zigbee and Z-Wave are two radio protocols many IoT devices work with because
they are designed for low-data rate, low-power applications. They link all IoT devices
to form a mesh network.

References

• 8.6.3 Internet of Things Facts


q_iot_protocols_np6.[Link]

Question 10:
Correct
What are the four primary systems of IoT technology?
Answer

Devices, data storage, remote control, and internet

Devices, gateway, sensors, and apps

Devices, sensors, apps, and internet


Correct Answer:
Devices, gateway, data storage, and remote control

Explanation
IoT technology comprises four primary systems: devices, gateway, data storage, and
remote control.
Sensors are hardware included in many IoT devices.
Apps are part of the remote control system.
The internet is part of the gateway and data storage systems.

References

• 8.6.3 Internet of Things Facts


q_iot_systems_np6.[Link]
Which type of communication path-sharing technology do all 802.11 standards for
wireless networking support?
Answer

Token passing

CSMA/CD
Correct Answer:
CSMA/CA

Polling

Explanation

802.11x standards for wireless networking all support the CSMA/CA (Carrier Sense
Multiple Access/Collision Avoidance) type of communication path-sharing
technology. This allows multiple baseband clients to share the same communication
medium. CSMA/CA works as follows:
1. The system asks for permission to transmit.
2. A designated authority (such as a hub, router, or access point) grants
access when the communication medium is free.
3. The system transmits data and waits for an ACK (acknowledgment).
4. If no ACK is received, the data is retransmitted.
Polling is a mechanism where one system is labeled as the primary system. The
primary system polls each secondary system in turn to inquire whether they have
data to transmit.
Token passing is a mechanism that uses a digital pass card. Only the system
holding the token is allowed to communicate.
CSMA/CD (Carrier Sense Multiple Access/Collision Detection) is the technology
used by Ethernet. CSMA/CD works as follows:
1. The system listens for traffic. If the line is clear, the system begins
transmitting.
2. During the transmission, the system listens for collisions.
3. If no collisions are detected, the communication succeeds. If collisions are
detected, an interrupt jam signal is broadcast to stop all transmissions.
Each system waits a random amount of time before starting over at step 1.

References

• 9.1.3 Wireless Architecture Facts
q_wireless_arch_csmaca_np6.[Link]

Question 2:
Correct
Match the wireless signaling method on the left with its definition on the right.
• FHSS: Transfers data over a radio signal by switching channels at random within
a larger frequency band.
• DSSS: Makes the transmitted bandwidth signal wider than the data stream needs.
• OFDM: Encodes data over a wireless network using non-overlapping channels.

Explanation

Frequency-hopping spread spectrum (FHSS) transfers data over a radio signal by
switching channels at random within a larger frequency band.
Direct-sequence spread spectrum (DSSS) makes the transmitted bandwidth signal
wider than the data stream needs.
Orthogonal Frequency Division Multiplexing (OFDM) encodes data over a wireless
network using non-overlapping channels.

References

• 9.1.3 Wireless Architecture Facts


q_wireless_arch_facts_np6.[Link]

Question 3:
Correct
Which of the following is true of a wireless network SSID?
Answer
Correct Answer:
Groups wireless devices together into the same logical network.

Coordinates all communications between wireless devices.

Enables wireless interconnection of multiple APs.

Is a 48-bit value that identifies an AP.

Explanation
The SSID, also called the network name, groups wireless devices together into the
same logical network.
• All devices on the same network (within the BSS and ESS) must have the
same SSID.
• The SSID is a 32-bit value that's inserted into each frame. The SSID is
case sensitive.
• The SSID is sometimes called the ESSID (extended service set ID) or the
BSSID (basic service set ID). In practice, each term means the same
thing. However, SSIDs, ESSIDs, and BSSIDs are technically different.
An access point (AP) is a device that coordinates all communication between
wireless devices.
The basic service set identifier (BSSID) is a 48-bit value that identifies an AP.
Wireless Distribution System (WDS) is a system that enables wireless
interconnection of multiple APs.

References

• 9.1.4 Wireless Infrastructure Facts


q_wireless_infra_ssid_01_np6.[Link]

Question 4:
Correct
Which wireless networking component is used to connect multiple APs together?
Answer

IBSS
Correct Answer:
WDS

BSS

STA

Explanation

The Wireless Distribution System (WDS) is the backbone or LAN that connects
multiple APs (and BSSs) together.
An IBSS (independent basic service set) is a set of STAs configured in ad hoc mode.
A BSS, or cell, is the smallest unit of a wireless network.
An STA is a wireless NIC in an end device, such as a laptop or wireless PDA. The
term STA often refers to the device itself, not just the NIC.

References

• 9.1.4 Wireless Infrastructure Facts


q_wireless_infra_wds_np6.[Link]

Question 5:
Correct
Your organization uses an 802.11b wireless network. Recently, other tenants
installed the following equipment in your building:
• A wireless television distribution system running at 2.4 GHz.
• A wireless phone system running at 5.8 GHz.
• A wireless phone system running at 900 MHz.
• An 802.11a wireless network running in the 5.725 - 5.850 GHz frequency
range.
• An 802.11j wireless network running in the 4.9 - 5.0 GHz frequency range.
Since this equipment was installed, your wireless network has been experiencing
significant interference. Which system is to blame?
Answer

The 900 MHz wireless phone system

The 5.8 GHz wireless phone system

The 802.11j wireless network


Correct Answer:
The wireless TV system

The 802.11a wireless network

Explanation

Because the 802.11b standard operates within the 2.4 GHz to 2.4835 GHz radio
frequency range, the most likely culprit is the wireless TV distribution system.

References

• 9.1.6 Wireless Standards Facts


q_wireless_standards_24ghz_np6.[Link]

Question 6:
Correct
Which technologies are used by the 802.11ac standard to increase network
bandwidth? (Select two.)
Answer

40 MHz bonded channels


Correct Answer:
160 MHz bonded channels
Data compression
Correct Answer:
Eight MIMO radio streams

Four MIMO radio streams

Explanation

To increase network bandwidth, the 802.11ac standard uses:
• Eight MIMO radio streams
• 160 MHz-wide bonded channels

References

• 9.1.6 Wireless Standards Facts


q_wireless_standards_802_11ac_np6.[Link]

Question 7:
Correct
You are designing an update to your client's wireless network. The existing wireless
network uses 802.11b equipment, which your client complains runs too slowly. She
wants to upgrade the network to run up to 600 Mbps.
Due to budget constraints, your client wants to upgrade only the wireless access
points in the network this year. Next year, she will upgrade the wireless network
boards in her users' workstations. She has also indicated that the system must
continue to function during the transition period.
Which 802.11 standard will work BEST in this situation?
Answer

802.11d
Correct Answer:
802.11n

802.11c

802.11a

802.11b

Explanation

802.11n is the best choice for this client and provides up to 600 Mbps. With 802.11n,
you may have a single device that uses multiple radios (one that can operate at one
frequency and one that can operate on another). Because of this, 802.11n usually
allows compatibility between all 802.11 standards, depending on the specific
implementation.
While 802.11g is compatible with 802.11b, it only provides speeds up to 54 Mbps.

References

• 9.1.6 Wireless Standards Facts


q_wireless_standards_802_11n_02_np6.[Link]

Question 8:
Correct
Which of the following are frequencies defined by 802.11 committees for wireless
networking? (Select two.)
Answer

900 MHz

1.9 GHz
Correct Answer:
2.4 GHz
Correct Answer:
5.75 GHz

10 GHz

Explanation

802.11 specifications for wireless include standards for operating in the 2.4 GHz range (802.11b, 802.11g, and 802.11n) and the 5.75 GHz range (802.11a and dual-band devices using 802.11n).

References

• 9.1.6 Wireless Standards Facts

Question 9:
Correct
How many total channels (non-overlapping) are available for 802.11a wireless
networks?
Answer

3

11

12
Correct Answer:
24

54

Explanation

802.11a wireless uses the 5.75 GHz range, which has a total of 24 channels.
802.11b and 802.11g use the 2.4 GHz range, which has a total of 11 channels in the
US.

References

• 9.1.6 Wireless Standards Facts

Question 10:
Correct
How many total channels are available for 802.11g wireless networks?
Answer

3
Correct Answer:
11

12

23

54

Explanation

802.11b and 802.11g use the 2.4 GHz range, which has a total of 11 channels in the
US.
802.11a wireless uses the 5.75 GHz range, which has a total of 23 channels.

References

• 9.1.6 Wireless Standards Facts

You have configured a wireless access point to create a small network and
configured all necessary parameters.
Wireless clients seem to take a long time to find the wireless access point. You want
to reduce the time it takes for the clients to connect.
What should you do?
Answer

Change the channel on the access point to a lower number.

Enable SSID broadcast.

Correct Answer:
Decrease the beacon interval.

Create a wireless profile on the client.

Explanation

A beacon is a frame that the access point sends out periodically. The beacon
announces the access point and the network characteristics (such as the SSID,
supported speeds, and the signaling method used). To improve access times,
decrease the beacon interval.
As long as clients are configured with the SSID, they will be able to locate access
points even if the SSID is not broadcasting in the beacon. The beacon is still sent out
to announce the access point.
Adding the SSID to the beacon does not change how often the beacon is broadcast.

References

• 9.2.2 Wireless Configuration Tasks

Question 2:
Correct
You are an administrator of a growing network. You notice that the network you've
created is broadcasting, but you can't ping systems on different segments. Which
device should you use to fix this issue?
Answer
Correct Answer:
Network bridge

Network hub

Access point

Range extender

Explanation

A network bridge connects different network segments.

A range extender increases the strength of a signal or widens the range that a
network can reach.
An access point is used to broadcast the wireless network so users can access it.
A network hub isn't very common today. This device acts to push data or traffic
through to all connected users. A hub would not be a good tool for connecting
network segments.

References

• 9.2.2 Wireless Configuration Tasks

Question 3:
Correct
Which of the following wireless network protection methods prevents the wireless
network name from being broadcast?
Answer

802.1x

MAC filtering
Correct Answer:
SSID broadcast

Shared secret key

Explanation

Wireless access points (WAPs) are transceivers that transmit and receive
information on a wireless network. Each access point has a service set ID (SSID)
that identifies the wireless network. By default, access points broadcast the SSID to
announce their presence and make it easier for clients to find and connect.
MAC address filtering identifies specific MAC addresses that are allowed to access
the wireless access point. Clients with unidentified MAC addresses are not allowed
to connect.
A shared secret key is used with shared key authentication. Users must know the
shared key to connect to the access point. A shared key is also used with WEP as
the encryption key.
802.1x authentication uses usernames and passwords, certificates, or devices such
as smart cards to authenticate wireless clients.

References

• 9.2.2 Wireless Configuration Tasks

Question 4:
Correct
Which of the following features does WPA2 supply on a wireless network?
Answer

Client-connection refusal based on MAC address

Centralized access points for clients

Correct Answer:
Encryption

Network identification

Explanation

Wi-Fi Protected Access (WPA) provides encryption and user authentication for
wireless networks.
MAC address filtering allows or rejects client connections based on the hardware
address.
The SSID is the network name or identifier.
A wireless access point (WAP) is the central connection point for wireless clients.

References

• 9.2.2 Wireless Configuration Tasks

Question 5:
Correct
Which network modes can typically be used for both 2.4 GHz and 5 GHz clients?
(Select two.)
Answer

802.11b only

802.11g only
Correct Answer:
802.11ax only

802.11a only
Correct Answer:
802.11n only

Explanation

The network mode you choose depends on the type of clients that will connect to
your network. 2.4 GHz and 5 GHz clients can both use 802.11n only and 802.11ax
only.
For the 5 GHz band, you typically select:
• Mixed (supports connections from 802.11a, 802.11n, or 802.11ax clients)
• 802.11a only
• 802.11n only
• 802.11ax only
• Disabled
For the 2.4 GHz band, you typically select:
• Mixed
• 802.11b/g only
• 802.11b only
• 802.11g only
• 802.11n only
• 802.11ax only
• Disabled

References

• 9.2.2 Wireless Configuration Tasks

Question 6:
Correct
You have configured a wireless access point to create a small network. For security
reasons, you have disabled SSID broadcast.
From a client computer, you try to browse to find the access point. You see some
other wireless networks in the area, but cannot see your network.
What should you do?
Answer

Enable the wireless card on the client.

Decrease the beacon interval on the access point.

Set the channel on the client to match the channel used by the access point.
Correct Answer:
Configure a profile on the wireless client.

Explanation

When SSID broadcast is turned off, you must manually configure a profile on the
client computer to identify the SSID. If you disable SSID broadcast, you must
statically configure wireless devices with the SSID before they can connect because
they will be unable to dynamically detect the SSID.
A beacon is a frame that the access point sends out periodically. When you turn off
SSID broadcast, you prevent the access point from including the SSID in the
beacon. On the client, the channel is typically detected automatically and is
configured to match the channel used by the access point. In this scenario, the
wireless card on the client is already enabled because you can see other wireless
networks in the area.

References

• 9.2.1 Wireless Network Configuration
• 9.2.2 Wireless Configuration Tasks
• 9.2.3 Configure Wireless Networks
• 9.4.1 Enterprise Wireless Equipment
• 9.4.2 Configure Enterprise Wireless Networks
• 9.4.3 Enterprise Wireless Facts

Question 7:
Correct
You want to connect a laptop computer running Windows to a wireless network.
The wireless network uses multiple access points and WPA2-Personal. You want to
use the strongest authentication and encryption possible. SSID broadcast has been
disabled.
What should you do?
Answer

Configure the connection with a pre-shared key and TKIP encryption.

Configure the connection to use 802.1x authentication and TKIP encryption.

Correct Answer:
Configure the connection with a pre-shared key and AES encryption.

Configure the connection to use 802.1x authentication and AES encryption.

Explanation

To connect to a wireless network using WPA2-Personal, you need to use a pre-shared key for authentication. Advanced Encryption Standard (AES) encryption is supported by WPA2 and is the strongest encryption method.
WPA and WPA2 designations that include Personal or PSK use a pre-shared key for authentication.
Methods that include Enterprise use a RADIUS server for authentication and 802.1x authentication with usernames and passwords.

References

• 9.2.2 Wireless Configuration Tasks

Question 8:
Correct
You need to configure a wireless network. You want to use WPA2 Enterprise. Which
of the following components should be part of your design? (Select two.)
Answer

Open authentication

Pre-shared keys

WEP encryption
Correct Answer:
802.1x

TKIP encryption
Correct Answer:
AES encryption

Explanation

To configure WPA2 Enterprise, you need a RADIUS server to support 802.1x authentication. WPA2 uses AES for encryption.
WPA2-PSK, also called WPA2 Personal, uses pre-shared keys for authentication.
WPA uses TKIP for encryption.

References

• 9.2.2 Wireless Configuration Tasks

Question 9:
Correct
You need to add security for your wireless network. You would like to use the most
secure method.
Which method should you implement?
Answer

WPA

WEP

Kerberos
Correct Answer:
WPA2

Explanation

Wi-Fi Protected Access 2 (WPA2) is currently the most secure wireless security
specification. WPA2 includes specifications for both encryption and authentication.
WPA was an earlier implementation of security specified by the 802.11i committee.
WEP was the original security method for wireless networks. WPA is more secure
than WEP but less secure than WPA2.
Kerberos is an authentication method, not a wireless security method.

References

• 9.2.2 Wireless Configuration Tasks

Question 10:
Correct
You have a small wireless network that uses multiple access points. The network
uses WPA and broadcasts the SSID. WPA2 is not supported by the wireless access
points.
You want to connect a laptop computer to the wireless network. Which of the
following parameters do you need to configure on the laptop? (Select two.)
Answer

BSSID
Correct Answer:
Pre-shared key

Channel

AES encryption
Correct Answer:
TKIP encryption

Explanation

To connect to the wireless network using WPA, you need to use a pre-shared key
and TKIP encryption. A pre-shared key used with WPA is known as WPA-PSK or
WPA Personal.
WPA2 uses AES encryption. The channel is automatically detected by the client. The basic service set identifier (BSSID) is a 48-bit value that identifies an AP in an infrastructure network or a station (STA) in an ad hoc network. The client automatically reads the BSSID and uses it to keep track of APs as it roams between cells.

References

• 9.2.2 Wireless Configuration Tasks

You are designing a wireless network for a client. Your client needs the network to
support a data rate of at least 150 Mbps. In addition, the client already has a wireless
telephone system installed that operates at 2.4 GHz.
Which 802.11 standard works best in this situation?
Answer

802.11g

802.11b
Correct Answer:
802.11n

802.11a

Explanation

802.11n is the best choice for this client.

802.11b and 802.11g both operate in the 2.4 GHz to 2.4835 GHz range, which will cause interference with the client's wireless phone system.
802.11a operates in the 5.725 GHz to 5.850 GHz frequency range. While this won't interfere with the phone system, the maximum speed is limited to 54 Mbps.

References

• 9.3.4 Wireless Network Design Facts

Question 2:
Correct
Which of the following uses a 2.4 GHz ISM band, has fast transmission rates, and
has been used for applications like geocaching and health monitors?
Answer

Z-Wave
Correct Answer:
Ant+

802.11ac

NFC

Explanation

Ant+ is generally used to monitor sensor data. It uses a 2.4 GHz ISM band, has fast
transmission rates, and has been used for applications like geocaching and health
monitors.
The Z-Wave protocol is found in the home security and automation market and uses
only a mesh topology. Each attached device acts as a repeater and increases the
network strength. Z-Wave has a low data transfer rate.
NFC (Near Field Communication) is common with mobile pay solutions and
connections like Bluetooth, but NFC has to be within 10 cm or 4 inches from another
device to connect.
802.11ac is a wireless networking standard that offers high-speed data transfer.

References

• 9.3.4 Wireless Network Design Facts

Question 3:
Correct
You have been hired to design a wireless network for a SOHO environment. You are
currently in the process of gathering network requirements from management.
Which of the following questions should you ask? (Select three.)
Answer
Correct Answer:
Which type of data will be transmitted on the network?

Is there future construction that might affect or disrupt the RF signals?

Correct Answer:
How many devices will need to be supported?
Correct Answer:
Is the size of the business expected to grow in the future?

Where can network hardware be mounted in the building?

Are there microwaves or cordless phones that can cause interference?

What are the zoning and permit requirements?

Explanation

The first thing you do when designing a wireless network is gather network
requirements. Meet with all stakeholders and decision-makers to discuss the
implementations and gather detailed information. For example, you should:
• Identify the intended use of the wireless network.
• Identify the location of wireless service areas.
• Anticipate the number of wireless devices that need to be supported in
each area.
• Discuss future network needs so that you can plan for expansion.
• Discuss data encryption and network security requirements.
You should consider mounting points, interference, zoning and permit requirements,
and future construction during the network design phase. This happens after all
requirements have been gathered.

References

• 9.3.4 Wireless Network Design Facts

Question 4:
Correct
Which protocol is well known for its use in the home security and home automation
industry, uses a mesh topology, makes devices act as repeaters, and has a low data
transfer rate?
Answer

802.11ac
Correct Answer:
Z-Wave

Ant+

NFC

Explanation

The Z-Wave protocol is mostly found in the home security and automation market
and uses only a mesh topology. Each attached device acts as a repeater and
increases the network strength. Z-Wave has a low data transfer rate.
Ant+ uses a mesh topology. However, Ant+ is generally used to monitor sensor data.
NFC is common with mobile pay solutions and connections like Bluetooth, but NFC
has to be several inches from another device to connect.
802.11ac is a wireless networking standard that offers high-speed data transfer.

References

• 9.3.4 Wireless Network Design Facts

Question 5:
Correct
You have been hired to troubleshoot a wireless connectivity issue for two separate networks located in close proximity. Both networks use a WAP from the same manufacturer, and all settings (with the exception of the SSIDs) remain configured to their defaults.
Which of the following might you suspect is the cause of the connectivity problems?
Answer

There is crosstalk between the RF signals.

Correct Answer:
There are overlapping channels.

The two client systems' SSIDs match.

The two server systems' SSIDs match.

There is WEP overlap.

Explanation

Overlapping wireless networks should use different channels to ensure that they do not conflict with each other. In this case, each WAP is using the default channel, which, by default, is the same for each one. The solution would be to configure different channels for each access point.
To configure client connectivity, the wireless client and the access point must share the same SSID, channel, and WEP encryption strength. In this case, the SSIDs were changed for each station, so they are not the problem.

References

• 9.3.6 Wireless Site Survey Facts

Question 6:
Correct
Match each wireless term or concept on the left with its associated description on the
right. Each term may be used more than once. (Not all descriptions have a matching
term.)
Signal-to-noise ratio: Compares the Wi-Fi signal level to the level of background radio signals. (correct answer)

Spectrum analysis: Checks channel utilization and identifies sources of RF interference. (correct answer)

Received signal level: Identifies how strong a radio signal is at the receiver. (correct answer)

Explanation

You should be familiar with the following wireless networking concepts and terms:
• Received signal level (RSL) identifies how strong a radio signal is at the
receiver. The closer you are to the transmitter, the stronger the RSL.
• Signal-to-noise ratio (SNR) compares the wireless signal level to the level
of background noise.
• A spectrum analysis checks channel utilization to identify sources of RF
interference at each location where you plan to deploy an access point.

References

• 9.3.6 Wireless Site Survey Facts

Question 7:
Correct
Which of the following should you include in your site survey kit?
Answer
Correct Answer:
A tall ladder

A network bridge

A GPS

Mounting brackets

Explanation

A site survey kit should include:
• Two access points (APs). Bring access points to each location to test the
signal quality and to identify the node density required in each area.
• Two laptops with a network performance measurement utility (such as
Iperf) installed. This allows you to evaluate the network throughput at each
location.
• A tall ladder so you can test each AP at its height or close to its height.
Log the location's GPS coordinates. Use digital photos to document the location and
its surrounding environment.
During a site survey, you don't physically install the access points.
A network bridge connects different network segments. It's not included in a site
survey kit.

References

• 9.3.6 Wireless Site Survey Facts

Question 8:
Correct
You are concerned that wireless access points might have been deployed within
your organization without authorization.
What should you do? (Select two. Each response is a complete solution.)
Answer

Implement an intrusion detection system (IDS).

Implement a network access control (NAC) solution.

Implement an intrusion prevention system (IPS).

Correct Answer:
Check the MAC addresses of devices that are connected to your wired switch.
Correct Answer:
Conduct a site survey.

Explanation

A rogue host is an unauthorized system that has connected to a wireless network. It could be an unauthorized wireless device or even an unauthorized wireless access point that someone connected to a wired network jack. Rogue hosts can be benign or malicious in nature. Either way, rogue hosts represent a security risk, and you should detect and subsequently remove them immediately. Four commonly used techniques for detecting rogue hosts include:
• Use site survey tools to identify hosts and APs.
• Check connected MAC addresses to identify unauthorized hosts.
• Conduct an RF noise analysis to detect a malicious rogue AP that's using jamming.
• Analyze wireless traffic to identify rogue hosts.
Using an IDS or an IPS would not be effective, as these devices are designed to protect networks from perimeter attacks. Rogue APs are internal threats.
You can use a NAC solution to remediate clients that connect to the network, but this solution doesn't detect rogue APs.

References

• 9.3.6 Wireless Site Survey Facts

Question 9:
Correct
Which of the following purposes do wireless site surveys fulfill? (Select two.)
Answer
Correct Answer:
Identify the coverage area and preferred placement of access points.
Correct Answer:
Identify existing or potential sources of interference.

Determine the amount of bandwidth required in various locations.

Identify the recommended 100 degree separation angle for alternating access points.

Document existing infrared traffic in the 5.4 GHz spectrum.

Explanation

Wireless site surveys provide layout and design parameters for access point
coverage and placement. Site surveys can also identify rogue access points and
other forms of interference that reduce security and prevent the proper operation of
authorized network devices.
You use radio frequency spectrum and protocol analyzers to conduct these surveys.
As part of bandwidth planning, you determine the amount of bandwidth required in
various locations.

References

• 9.3.6 Wireless Site Survey Facts

Question 10:
Correct
Which of the following does an SNR higher than 1:1 indicate?
Answer
Correct Answer:
More signal than noise

No signal

No noise

More noise than signal

Explanation

An SNR higher than 1:1 indicates more signal than noise, which is desirable.

References

• 9.3.6 Wireless Site Survey Facts

Which of the following connects wired or wireless networks together?
Answer
Correct Answer:
Wireless bridge

Hub and spoke

Wireless mesh

Wireless router

Explanation

Wireless bridges are what connect wired or wireless networks together.

In a hub-and-spoke configuration, a wireless controller is connected to all APs
through wired links.
Wireless mesh architecture moves some of the network intelligence from the
controller out to the individual access points.
Wireless access points (also called wireless hubs or wireless routers) are the central
connection point for wireless clients.

References

• 9.4.3 Enterprise Wireless Facts

Question 2:
Correct
Which of the following functions does a consumer-grade access point combine into a
single device? (Select two.)
Answer

SSID
Correct Answer:
NAT

AES
Correct Answer:
WAP

WPA

Explanation
A consumer-grade access point combines many functions into a single device, such
as a wireless access point (WAP) and a NAT router.
The SSID is the name of the wireless network that is broadcast from an AP.
Wi-Fi Protected Access (WPA) is a security certification program that was developed
by the Wi-Fi Alliance to secure wireless signals between devices.
Advanced Encryption Standard (AES) uses 128-, 192-, and 256-bit key lengths to
encrypt and decrypt block-sized messages that are broadcast over a wireless
transmission.

References

• 9.4.3 Enterprise Wireless Facts

Question 3:
Correct
Which of the following is a limitation of consumer-grade wireless equipment?
Answer

It operates on 5 GHz channels at 20 MHz wide.

It makes the transmitted bandwidth signal wider than the data stream needs.

APs can quickly re-associate themselves with a different wireless controller.

Correct Answer:
It supports a maximum of 5-10 wireless clients at a time.

Explanation

Consumer-grade wireless equipment works reasonably well in small environments. However, it has very limited capacity, usually only supporting a maximum of 5-10 wireless clients at a time. If more clients than this connect, the bandwidth for the entire wireless network is drastically reduced.
With distributed wireless mesh infrastructure, APs can quickly re-associate
themselves with a different wireless controller if the primary controller becomes
unavailable for some reason.
Direct Sequence Spread Spectrum (DSSS) makes the transmitted bandwidth signal
wider than the data stream needs.
Orthogonal Frequency Division Multiplexing (OFDM) operates on 5 GHz channels at
20 MHz wide.

References

• 9.4.3 Enterprise Wireless Facts

Question 4:
Correct
Which of the following usually provides DHCP services to dynamically assign IP
addressing information to wireless clients and connect the wireless network to the
internal wired network and the internet?
Answer

Bridges

Backhauls
Correct Answer:
Controllers

Access points

Explanation

The controller usually provides DHCP services to dynamically assign IP addressing information to wireless clients. The controller also connects the wireless network to the internal wired network and the internet.
Wireless bridges are what connect wired or wireless networks together.
Wireless access points are transceivers that transmit and receive information on a
wireless network.
The link between the access points and the wired network is called the backhaul.
The backhaul allows the wireless access points to communicate with the wired
clients and other wireless clients in a separate BSS.

References

• 9.4.3 Enterprise Wireless Facts

Question 5:
Correct
Which of the following can become a critical point of failure in a large wireless
network infrastructure?
Answer

Access point
Correct Answer:
Controller

Backhaul

Wireless bridge

Explanation

In a large wireless network infrastructure, all data must pass through the controller. As such, the controller becomes a critical point of failure. If the controller goes down, the entire wireless network will cease to function even if the access points remain functional.
Wireless bridges are used to connect wired or wireless networks together.
Wireless access points are transceivers that transmit and receive information on a
wireless network.
The link between the access points and the wired network is called the backhaul.
The backhaul allows the wireless access points to communicate with the wired
clients and other wireless clients in a separate BSS (basic service set).

References

• 9.4.3 Enterprise Wireless Facts

Question 6:
Correct
Which of the following enterprise wireless deployment models uses access points
with enough intelligence to allow the creation of guest WLANs for keeping public
wireless traffic separate from private traffic?
Answer

Lightweight access point (LWAP) with wireless controller infrastructure

Hub-and-spoke infrastructure
Correct Answer:
Distributed wireless mesh infrastructure

Independent access points

Explanation

A distributed wireless mesh architecture moves some of the network intelligence from the controller out to the individual access points. In this configuration, the controller is no longer a bottleneck. The APs are smart enough to communicate directly with each other to create more efficient data paths for network traffic.
With a hub-and-spoke infrastructure, the individual access points contain very little
embedded intelligence and are sometimes referred to as lightweight wireless access
points (LWAPs).
Independent access points offer limited mobility and require the individual
configuration of each AP.

References

• 9.4.3 Enterprise Wireless Facts

Question 7:
Correct
Which of the following is a configuration in which a wireless controller is connected to
all APs through a wired link?
Answer

Bridges

Independent APs
Correct Answer:
Hub and spoke

Mesh infrastructure

Explanation

A hub-and-spoke configuration is one in which a wireless controller is connected to all APs through a wired link. The individual APs contain very little embedded intelligence and are sometimes referred to as lightweight wireless access points (LWAPs).
Newer wireless networks can be deployed using a distributed wireless mesh
architecture. These networks still use a controller, but they move some of the
network intelligence from the controller out to the individual APs.
Wireless bridges are what connect wired or wireless networks together.
Independent APs are standalone APs that negotiate wireless traffic and require that
a device must receive a new Internet Protocol (IP) address every time it moves to a
different AP.

References

• 9.4.3 Enterprise Wireless Facts

Question 8:
Correct
Which of the following BEST describes roaming?
Answer
Correct Answer:
The ability to broadcast the same SSID across multiple APs.

A model that connects wired and/or wireless networks.

The name of the wireless network that is broadcasted from an AP.

A deployment model used by newer wireless networks.

Explanation

Roaming is the ability to broadcast the same SSID across multiple APs. This allows
a wireless device to stay on the same network without interruption while moving from
one AP to another.
The SSID is the name of the wireless network that is broadcast from an AP.
A wireless bridge is a model that connects wired and/or wireless networks.
Distributed wireless mesh infrastructure is a deployment model used by newer
wireless networks.

References

• 9.4.3 Enterprise Wireless Facts

Question 9:
Correct
Your manager has asked you to set up four independent APs and configure them
with the same SSID, channel, and IP subnet. What should you enable to accomplish
this?
Answer

Channel bonding

A basic service set

Correct Answer:
Roaming

A spectrum analyzer

Explanation

In order to enable roaming from one AP to another, the APs must be individually set
up and share the same SSID, channel, and IP subnet.
A spectrum analyzer is a device that displays signal amplitude (strength) as it varies
by signal frequency. The frequency appears on the horizontal axis, and the
amplitude is displayed on the vertical axis.
Channel bonding is used to combine more channels in the 5 GHz band, allowing up
to 160-MHz wide channels.
A basic service set (BSS) is a wireless network that uses only one AP for all devices
to communicate with each other.

References

• 9.4.3 Enterprise Wireless Facts

Question 10:
Correct
Match the wireless networking term or concept on the left with its appropriate
description on the right. (Each term may be used once, more than once, or not at
all.)
Roaming: Moving a wireless device between access points within the same wireless network. (correct answer)

LWAPP: Used by Cisco wireless equipment to route frames back and forth between the wireless network and the wired LAN. (correct answer)

Device density: Specifies the number of clients that can utilize the wireless network. (correct answer)

VLAN pooling: Automatically partitions a single broadcast domain into multiple VLANs. (correct answer)

Wireless bridge: Connects two wired networks over a Wi-Fi network. (correct answer)

Goodput: The number of useful bits delivered from sender to receiver within a specified amount of time. (correct answer)

Explanation

You should be familiar with the following wireless networking terms and concepts:
• Device density specifies the number of clients that can utilize the wireless
network.
• Roaming is moving a wireless device between access points within the
same wireless network.
• Lightweight Access Point Protocol (LWAPP) is used by Cisco wireless
equipment to route frames back and forth between the wireless network
and the wired LAN.
• VLAN pooling automatically partitions a single broadcast domain into
multiple VLANs.
• A wireless bridge connects two wired networks over a Wi-Fi network.
• Goodput refers to the number of useful bits delivered from the sender to
the receiver within a specified amount of time.

References

• 9.4.3 Enterprise Wireless Facts

Which of the following do switches and wireless access points use to control access
through a device?
Answer

Port number filtering

Session filtering

IP address filtering
Correct Answer:
MAC address filtering

Explanation

Both switches and wireless access points are Layer 2 devices, meaning they use the
MAC address to make forwarding decisions. Both devices typically include some
form of security that restricts access based on the MAC address.
Routers and firewalls operate at Layer 3 and can use the IP address or port number
for filtering decisions.
A circuit-level gateway is a firewall that can make forwarding decisions based on the
session information.

References

• 9.5.3 Wireless Security Facts


q_wireless_security_mac_np6.[Link]

Question 2:
Correct
You want to implement 802.1x authentication on your wireless network. Where
would you configure the passwords that will be used for the authentication process?
Answer
Correct Answer:
On a RADIUS server.

On a certificate authority (CA).

On the wireless access point and each wireless device.

On the wireless access point.

Explanation
802.1x authentication uses usernames and passwords, certificates, or devices (such
as smart cards) to authenticate wireless clients. Authentication requests received by
the wireless access point are passed to a RADIUS server that validates the logon
credentials (such as the username and password).
If you're using pre-shared keys for authentication, configure the same key on the
wireless access point and each wireless device. You do need a CA to issue a
certificate to the RADIUS server. The certificate proves the RADIUS server's identity
and can be used to issue certificates to individual clients.

References

• 9.5.3 Wireless Security Facts


q_wireless_security_radius_03_np6.[Link]

Question 3:
Correct
You're replacing a wired business network with an 802.11g wireless network. You
currently use Active Directory on the company network as your directory service. The
new wireless network has multiple wireless access points, and you want to use
WPA2 on the network. What should you do to configure the wireless network?
(Select two.)
Answer

Use shared secret authentication.

Configure devices to run in ad hoc mode.


Correct Answer:
Install a RADIUS server and use 802.1x authentication.
Correct Answer:
Configure devices to run in infrastructure mode.

Use open authentication with MAC address filtering.

Explanation

When you use wireless access points, configure an infrastructure network. Because
you have multiple access points and an existing directory service, you can centralize
authentication by installing a RADIUS server and using 802.1x authentication.
Use ad hoc mode when you need to configure a wireless connection between two
hosts.
Use open authentication with WEP or when you don't want to control access to the
wireless network.
When you can't use 802.1x, use shared secret authentication.

References
• 9.5.3 Wireless Security Facts
q_wireless_security_radius_04_np6.[Link]

Question 4:
Correct
Which of the following wireless security methods uses a common shared key that's
configured on the wireless access point and all wireless clients?
Answer

WPA Enterprise and WPA2 Enterprise

WEP, WPA Personal, WPA Enterprise, WPA2 Personal, and WPA2 Enterprise

WPA Personal and WPA2 Enterprise


Correct Answer:
WEP, WPA Personal, and WPA2 Personal

Explanation

You can use shared key authentication with WEP, WPA, and WPA2. Shared key
authentication with WPA and WPA2 is often called WPA Personal or WPA2
Personal.
WPA Enterprise and WPA2 Enterprise use 802.1x for authentication. 802.1x
authentication uses usernames and passwords, certificates, or devices (such as
smart cards) to authenticate wireless clients.

References

• 9.5.3 Wireless Security Facts


q_wireless_security_shared_key_np6.[Link]

Question 5:
Correct
Which of the following features are supplied by WPA2 on a wireless network?
Answer

A centralized access point for clients

Traffic filtering based on packet characteristics


Correct Answer:
Encryption

Client connection refusals based on MAC address


Explanation

Wi-Fi Protected Access (WPA) provides encryption and user authentication for
wireless networks.
MAC address filtering allows or rejects client connections based on the hardware
address.
A wireless access point (called an AP or WAP) is the central connection point for
wireless clients.
A firewall allows or rejects packets based on packet characteristics (such as
address, port, or protocol type).

References

• 9.5.3 Wireless Security Facts


q_wireless_security_wpa2_01_np6.[Link]

Question 6:
Correct
Which of the following provides security for wireless networks?
Answer

802.11a
Correct Answer:
WPA

WAP

CSMA/CD

Explanation

Wi-Fi Protected Access (WPA) provides encryption and user authentication for
wireless networks. Wired Equivalent Privacy (WEP) also provides security, but WPA
is considered more secure than WEP.
A wireless access point (WAP) is a hardware device (like a switch) that provides
access to the wireless network.
802.11a is a wireless networking standard that defines the signal characteristics for
communicating on a wireless network.
CSMA/CD is a media access control method that controls when a device can
communicate on the network.

References

• 9.5.3 Wireless Security Facts


q_wireless_security_wpa_np6.[Link]
Question 7:
Correct
The owner of a hotel has contracted with you to implement a wireless network to
provide internet access for guests.
The owner has asked that you implement security controls so that only paying
guests are allowed to use the wireless network. She wants guests to be presented
with a login page when they initially connect to the wireless network. After entering a
code provided by the concierge at check-in, guests should then be allowed full
access to the internet. If a user does not provide the correct code, he or she should
not be allowed to access the internet.
What should you do?
Answer
Correct Answer:
Implement a captive portal.

Implement MAC address filtering.

Implement 802.1x authentication using a RADIUS server.

Implement pre-shared key authentication.

Explanation

A captive portal would be the best choice in this scenario. A captive portal requires
wireless network users to abide by certain conditions before they are allowed access
to the wireless network. For example, the captive portal could require them to:
• Agree to an Acceptable Use Policy
• Provide a PIN or password
• Pay for access to the wireless network
• View information or advertisements about the organization providing the
wireless network (such as an airport or hotel)
When a wireless device initially connects to the wireless network, all traffic to or from
that device is blocked until the user opens a browser and accesses the captive portal
web page. After the user provides the appropriate code, traffic is unblocked, and the
host can access the network normally.
MAC address filtering and 802.1x authentication would work from a technical
standpoint, but these would be completely unmanageable in a hotel scenario where
guests come and go every day. Using a pre-shared key would require a degree of
technical expertise on the part of the hotel guests. It could also become problematic
if the key were to be leaked, allowing non-guests to use the wireless network.

References

• 9.5.5 Wireless Attack Facts


q_wireless_attacks_captive_np6.[Link]
Question 8:
Correct
Which of the following measures will make your wireless network invisible to the
casual attacker performing war driving?
Answer

Implement WPA2 Personal.


Correct Answer:
Disable SSID broadcast.

Use a form of authentication other than open authentication.

Change the default SSID.

Explanation

Wireless access points are transceivers that transmit and receive information on a
wireless network. Each access point has a service set ID (SSID) that identifies the
wireless network. By default, access points broadcast the SSID to announce their
presence and make it easy for clients to find and connect to the wireless network.
Turn off SSID broadcast to keep a wireless 802.11x network from being
automatically discovered. When SSID broadcasting is turned off, users must know
the SSID to connect to the wireless network. This helps to prevent casual attackers
from connecting to the network, but any serious hacker with the right tools can still
connect.
Using authentication with WPA or WPA2 helps prevent attackers from connecting to
your wireless network, but this does not hide the network. Changing the default SSID
to a different value does not disable the SSID broadcast.

References

• 9.5.5 Wireless Attack Facts


q_wireless_attacks_disable_np6.[Link]

Question 9:
Correct
Which of the following locations creates the greatest amount of interference for a
wireless access point? (Select two.)
Answer

Near a geofence

In the top floor of a two-story building


Correct Answer:
Near backup generators
Correct Answer:
Near cordless phones

Near DHCP servers

Explanation

Other wireless transmission devices (such as cordless phones, microwaves, or
generators) cause interference for wireless access points.
In general, place access points high up to avoid interference problems caused by
going through building foundations. DHCP servers provide IP information for clients
and do not cause interference.
Geofencing requires users to be in a physical location. Using virtual boundaries, or
fences, can add another layer of security to your network.

References

• 9.5.5 Wireless Attack Facts


q_wireless_attacks_interference_np6.[Link]

Question 10:
Correct
Your company security policy states that wireless networks are not to be used
because of the potential security risk they present.
One day you find that an employee has connected a wireless access point to the
network in his office.
Which type of security risk is this?
Answer

Physical security

Phishing

Social engineering

On-path attack
Correct Answer:
Rogue access point

Explanation
A rogue access point is an unauthorized access point added to a network or an
access point that's configured to mimic a valid access point. Example scenarios
include:
• An attacker or employee with access to the wired network installs a
wireless access point on a free port. The access point then provides a
method for remotely accessing the network.
• An attacker near a valid wireless access point installs an access point with
the same (or similar) SSID. The access point is configured to prompt for
credentials, allowing the attacker to steal those credentials or use them in
an on-path attack to connect to the valid wireless access point.
• An attacker configures a wireless access point in a public location and
then monitors the traffic of those who connect to the access point.
An on-path attack is used to intercept information passing between two
communication partners. A rogue access point might be used to initiate an on-path
attack, but in this case, the rogue access point was connected without malicious
intent.
Social engineering exploits human nature by convincing someone to reveal
information or perform an activity.
Phishing uses an email and a spoofed website to gain sensitive information.

References

• 9.5.5 Wireless Attack Facts


q_wireless_attacks_rogue_np6.[Link]
A user calls to report that she is experiencing intermittent problems while accessing
the wireless network from her laptop computer. While talking to her, you discover
that she is trying to work from the coffee room two floors above the floor where she
normally works.
What is the MOST likely cause of her connectivity problem?
Answer

The user needs a new IP address because she is working on a different floor.

The wireless network access point on the user's normal floor has failed.

The user has not yet rebooted her laptop computer while at her new location.
Correct Answer:
The user is out of the effective range of the wireless access point.

The user has not yet logged off and back on to the network while at her new location.

Explanation

Because the user is only experiencing intermittent problems, the most likely cause is
that she is out of the effective range of the wireless network access point.
All of the other answers listed would be appropriate if the user were unable to
connect to the network at all. However, as the user is experiencing only intermittent
problems, none of the other answers is likely to cure the problem.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_distance_01_np6.[Link]

Question 2:
Correct
A user on your network has been moved to another office down the hall. After the
move, she calls you complaining that she has only occasional network access
through her wireless connection. Which of the following is MOST likely the cause of
the problem?
Answer

The encryption level has been erroneously set back to the default setting.

An SSID mismatch between the client and the server.

An SSID mismatch between the client and the WAP.


Correct Answer:
The client system has moved too far away from the access point.

The client has incorrect WEP settings.

Explanation

In this case, the user had no problems accessing the wireless access point until she
moved to the new office. In some cases, moving a system causes signal loss either
from the increased distance away from the WAP or from unexpected interference by
such things as concrete walls or steel doors. There are several ways to correct the
problem, including reducing the physical distance to the client, using a wireless
amplifier, upgrading the antennae on the wireless devices, or adding another WAP to
the infrastructure.
Because the client could previously access the WAP and still has occasional access,
it is likely that the move was the cause of the problem, not any other configuration
setting.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_distance_02_np6.[Link]

Question 3:
Correct
Your wireless network consists of multiple 802.11n access points that are configured
as follows:
• SSID (hidden): CorpNet
• Security: WPA2-PSK using AES
• Frequency: 5.75 GHz
• Bandwidth per channel: 40 MHz
Because of your facility's unique construction, there are many locations that do not
have a clear line of sight between network clients and access points. As a result,
radio signals are reflected along multiple paths before finally being received. The
result is distorted signals that interfere with each other.
What should you do?
Answer

Switch to RADIUS authentication for wireless clients.

Install directional access points.


Correct Answer:
Implement antenna diversity.

Reduce the power of the access point radio signals.


Explanation

Antenna diversity implements two or more radio antennae to improve the quality and
reliability of a wireless link. In environments where there is no clear line of sight
between transmitter and receiver, the radio signal is reflected along multiple paths
before finally being received. This can introduce phase shifts, time delays,
attenuation, and distortion that interfere with the antenna signal.
You can rectify the situation by implementing antenna diversity two ways:
• Spatial diversity, which uses multiple antennae that are physically
separated from one another.
• Pattern diversity, which uses two or more co-located antennae with
different radiation patterns.
Using a RADIUS authentication solution increases wireless network security, but it
doesn't address the issue of multipath interference. Reducing radio power could help
solve multipath interference issues in some situations, but it may make it worse in
others. This is also true of directional access points.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_diversity_np6.[Link]

Question 4:
Correct
You are troubleshooting a wireless connectivity issue in a small office. You
determine that the 2.4 GHz cordless phones used in the office are interfering with the
wireless network transmissions.
If the cordless phones are causing the interference, which of the following wireless
standards could the network be using? (Select two.)
Answer
Correct Answer:
Bluetooth

Infrared

802.11a

802.3a
Correct Answer:
802.11b

Explanation

Both the 802.11b and Bluetooth wireless standards use the 2.4 GHz RF range to
transmit data. Cordless phones that operate at the same frequency can cause
interference on the wireless network. Other devices, such as microwaves and
electrical devices, may also cause interference.
802.11a uses the 5 GHz radio frequency, so this would not be affected by the 2.4
GHz phones used in the office.
Infrared uses a light beam to connect computer and peripheral devices to create a
personal area network (PAN).

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_interference_np6.[Link]

Question 5:
Correct
You are implementing a wireless network inside a local office. You require a wireless
link to connect a laptop in the administrator's office directly to a system in the sales
department. In the default configuration, the wireless AP uses a 360-degree dispersed
RF wave design. After installation, the signal between the two systems is weak, as many
obstacles interfere with it.
Which of the following strategies could you try to increase signal strength?
Answer
Correct Answer:
Replace the omni-directional antenna with a directional antenna.

Increase the RF setting on the client system.

Increase the RF power on the isotropic antenna.

Replace the directional antenna with an omni-directional antenna.

Explanation

A directional antenna is designed to create a narrow, focused signal in a particular
direction. This focused signal provides greater signal strength between two points
and increases the distance that the signal can travel. Because directional antennae
provide a stronger point-to-point connection, they are better equipped to handle
obstacles that may be in the way of the signal.
The default antenna used with this configuration is an omni-directional antenna that
disperses the RF wave in an equal 360-degree pattern. This antenna is commonly
used to provide access to many clients in a radius.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_omni_01_np6.[Link]
Question 6:
Correct
You're setting up a wireless hotspot in a local coffee shop. For best results, you want
to disperse the radio signals evenly throughout the coffee shop.
Which of the following antenna types would you use on the AP to provide a 360-
degree dispersed wave pattern?
Answer
Correct Answer:
Omni-directional

Multi-directional

Directional

Uni-directional

Explanation

An omni-directional antenna provides a 360-degree dispersed wave pattern. In this
configuration, signals are dispersed evenly in all directions, making this antenna well
suited for environments where clients are accessing the network from various
locations, such as coffee shops. A dispersed wireless signal is weaker and,
therefore, is restricted to shorter signal distances.
A directional wireless antenna focuses a signal in a particular direction. The focused
signal allows for greater transmission distances and a stronger signal. Directional
antennae are sometimes used to establish a wireless point-to-point connection
where greater transmission distances are often required.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_omni_02_np6.[Link]

Question 7:
Correct
You need to place a wireless access point in your two-story building while avoiding
interference. Which of the following is the best location for the access point?
Answer
Correct Answer:
On the top floor

In the kitchen area

Near the backup generators


In the basement

Explanation

In general, place access points as high as possible to avoid interference problems
caused by going through building foundations.
Do not place the access point next to sources of interference, such as other wireless
transmitting devices (cordless phones or microwaves) or other sources of
interference (motors or generators).

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_placement_01_np6.[Link]

Question 8:
Correct
Which of the following recommendations should you follow when placing access
points to provide wireless access for users within your company building?
Answer

Place access points near outside walls.


Correct Answer:
Place access points above where most clients are.

Place multiple access points in the same area.

Place access points in the basement.

Explanation

Follow a few guidelines for placing wireless access points:
• Devices often get better reception from access points that are above or
below.
• If possible, place access points higher up to avoid interference problems
caused by going through building foundations.
• For security reasons, do not place APs near outside walls. The signal will
extend outside beyond the walls. Placing the AP in the center of the
building decreases the signal range.
• When using multiple access points, place them evenly throughout the
area, taking care to minimize broadcast overlap while ensuring adequate
coverage for all areas.

References
• 9.6.4 Wireless Network Troubleshooting Facts
q_wireless_comm_trouble_placement_02_np6.[Link]

Question 9:
Correct
You have physically added a wireless access point to your network and installed a
wireless networking card in two laptops that run Windows. Neither laptop can find the
network, and you've come to the conclusion that you must manually configure the
wireless access point (WAP).
Which of the following values uniquely identifies the WAP?
Answer

WEP

Channel

Frequency
Correct Answer:
SSID

Explanation

The SSID (service set identifier) identifies the wireless network. All PCs and access
points in a LAN share the same SSID.
WEP (Wired Equivalent Privacy) adds a layer of security to the transmission, while
the channel identifies the frequency that the card and AP communicate on.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_ssid_01_np6.[Link]

Question 10:
Correct
You have decided to conduct a business meeting at a local coffee shop. The coffee
shop you chose has a wireless hotspot for customers who want internet access.
You decide to check your email before the meeting begins. When you open the
browser, you cannot gain internet access. Other customers are using the internet
without problems. You're sure that your laptop's wireless adapter works because you
use a wireless connection at work.
What is the MOST likely cause of the problem?
Answer

Incorrectly configured PPP


Different LAN protocols

An out-of-range WAP
Correct Answer:
A mismatched SSID

Explanation

You must configure a wireless client and access point to use the same SSID. In this
case, the client system was used on a different wireless network and may still be
using that network's SSID. To log onto this network, the system needs to use the
same SSID as the other customers in the coffee shop.
The problem is not with LAN protocols, as TCP/IP is the protocol used on the
internet. There are no other options.
The WAP is not out of range, as other clients are accessing it.
PPP (Point-to-Point Protocol) is not required to make an internet connection.

References

• 9.6.4 Wireless Network Troubleshooting Facts


q_wireless_comm_trouble_ssid_02_np6.[Link]
Which of the following devices is used on a WAN to convert synchronous serial
signals into digital signals?
Answer

Modem

Proxy

IDS
Correct Answer:
CSU/DSU

Explanation

A CSU/DSU (Channel Service Unit/Data Service Unit) is a device that converts the
signal received from the WAN provider into a signal that can be used by equipment
at a customer's site. A CSU/DSU is composed of two separate devices.
• The CSU terminates the digital signal and provides error correction and
line monitoring.
• The DSU converts the digital data into synchronous serial data for
connection to a router.
A modem converts digital signals to analog signals.
A proxy server is a type of firewall that can filter based on upper-layer data.
An intrusion detection system (IDS) is a special network device that can detect
attacks and suspicious activity.

References

• 10.1.2 WAN Concept Facts
q_wan_concepts_csu_dsu_02_np6.[Link]

Question 2:
Correct
Which of the following is the customer's responsibility to maintain?
Answer

Local loop

CO
Correct Answer:
CPE

PSE
Explanation

Customers are responsible for customer premises equipment (CPE), which is any
equipment at the customer's site.
WAN service providers are responsible for:
• Packet switching exchange (PSE) equipment inside the WAN cloud.
• Central office (CO) equipment that allows access to the PSE.
• Data circuit-terminating equipment (DCE) devices that switch data to the
WAN.
• Local loop wiring that connects the customer to the CO.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_customer_np6.[Link]

Question 3:
Correct
Which of the following describe the channels and data transfer rates used for ISDN
BRI? (Select two.)
Answer
Correct Answer:
Two B channels operating at 64 Kbps each.
Correct Answer:
One D channel operating at 16 Kbps.

23 B channels operating at 64 Kbps each.

30 B channels operating at 64 Kbps each.

One D channel operating at 64 Kbps.

Explanation

ISDN BRI (integrated services digital network basic rate interface) uses two B
channels operating at 64 Kbps each and one D channel operating at 16 Kbps. This
setup is often called 2B + 1D.
ISDN PRI (integrated services digital network primary rate interface) uses 23 B
channels (at 64 Kbps each) and one D channel (at 64 Kbps). It is also called 23B +
1D. In Europe, ISDN PRI uses an E1 line with thirty 64 Kbps B channels and one 64
Kbps D channel (up to 2.048 Mbps).

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_isdn_03_np6.[Link]

Question 4:
Correct
Which of the following technologies uses variable-length packets, adds labels to
packets as they enter the WAN cloud, and uses the labels to switch packets and
prioritize traffic?
Answer

SONET

ATM

ISDN
Correct Answer:
MPLS

Explanation

MPLS is a WAN data classification and data-carrying mechanism.
• MPLS is a packet-switching technology that supports variable-length
frames.
• MPLS adds a label to packets between the existing Network and Data
Link layer formats. Labels are added when the packet enters the MPLS
network and removed when the packet exits the network.
• Information in the label is used to switch the packet through the MPLS
network to the destination.
• MPLS labels can identify the route or even the network type to use. MPLS
labels are often used to provide different classes of service for data
streams.
ATM is a WAN communication technology that uses labels but has fixed-length cells
of 53 bytes. Frame relay is a protocol used to connect to a WAN over dedicated
(leased) lines.
ISDN is a WAN technology that provides increased bandwidth within the local loop.
SONET is a standard for networking over an optical medium. SONET is classified as
a transport protocol in that it can carry other types of traffic, such as ATM, Ethernet,
and IP. Most PSTN networks use SONET within the long-distance portion of the
network.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_mpls_01_np6.[Link]

Question 5:
Correct
What is the speed of an OC-3 connection?
Answer

45 Mbps

622 Mbps

34 Mbps
Correct Answer:
155 Mbps

Explanation

Optical Carrier (OC) is used to specify the speed of fiber optic networks conforming
to the SONET standard. Common OC speeds are:
• OC-1 = 51.85 Mbps
• OC-3 = 155.52 Mbps
• OC-12 = 622.08 Mbps
• OC-24 = 1.244 Gbps
• OC-48 = 2.488 Gbps
• OC-192 = 9.952 Gbps
T3 is 44.736 Mbps.
E3 is 34.368 Mbps.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_oc3_np6.[Link]

Question 6:
Correct
Which network type divides transmitted data into smaller pieces and allows multiple
communications on the network medium?
Answer
Correct Answer:
Packet-switched

Circuit-switched

Managed

Multiplexed
Explanation

A packet-switched network divides data into small units called packets. These
packets are routed by their destination addresses. In a packet-switched network,
multiple hosts can use the network medium at the same time. An Ethernet computer
network is an example of a packet-switched network.
A circuit-switched network uses a dedicated connection between sites.
A multiplexer joins several signals together before they're transmitted.
A managed device is a device that can receive instructions and can return responses
in a network.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_packet_01_np6.[Link]

Question 7:
Correct
When implementing a Multiprotocol Label Switching (MPLS) WAN, which data unit is
managed by the routers at different sites?
Answer
Correct Answer:
Packets

Frames

Bits

Datagrams

Explanation

In a Multiprotocol Label Switching (MPLS) WAN, IP packets are forwarded between
sites. Packets are forwarded based on the label content. The packet content is not
examined. This allows for the creation of end-to-end circuits across any type of WAN
transport medium using any protocol.
Bits are delivered with leased line WANs.
Frames are delivered with frame relay and Ethernet WAN implementations.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_packet_02_np6.[Link]

Question 8:
Correct
Which of the following describes the lines used in a local loop for dial-up telephone
access?
Answer

MPLS
Correct Answer:
POTS

SONET

J1

T1

Explanation

POTS stands for plain old telephone service. It is simply the wiring used for analog
phone systems. Existing wires use only one twisted pair. Analog signals are used
through the local loop, while the long-distance network typically uses digital signaling
over fiber optic.
T1 and J1 are designations that identify a WAN line's bandwidth.
SONET is a standard for networking over an optical medium. SONET is classified as
a transport protocol because it can carry other types of traffic, such as ATM,
Ethernet, and IP.
Most PSTN networks use SONET within the long-distance portion of the network.
MPLS is a WAN technology that adds labels to packets. Labels are used for
switching packets and data prioritization.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_pots_01_np6.[Link]

Question 9:
Correct
You are traveling throughout North America to many metropolitan and rural areas.
Which single form of internet connectivity provides the greatest potential connectivity
wherever you travel?
Answer

Broadband cable

DSL

ISDN
Correct Answer:
PSTN

Explanation

Network access using a modem over the telephone company network (PSTN) is not
the fastest method for internet connectivity. However, it has the advantage of being
available virtually anywhere that regular voice-grade communications are available.
Broadband cable is dependent on service offerings from the regional cable television
company, which does not have as great a presence as the telephone company. To
use broadband cable, the service must be added to the cable TV package.
DSL and ISDN are offered through the telephone company. However, they are not
available in all service areas. And even when available, they require that the
subscriber be within a certain proximity to the telephone company's equipment.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_ptsn_02_np6.[Link]

Question 10:
Correct
Which of the following correctly describes the T1 carrier system? (Select two.)
Answer

T1 lines use four pairs of copper wire.

T1 lines use 48 separate channels.

T1 lines have a maximum data rate of 2.4 Gbps.

T1 lines use analog signaling between the customer premise unit and the ISP.
Correct Answer:
T1 lines use two pairs of copper wire.
Correct Answer:
A single T1 channel can transfer data at 64 Kbps.

Explanation

The T1 carrier system consists of 24 separate channels. Each channel provides 64
Kbps of data throughput. A T1 line is traditionally implemented using two pairs of
twisted copper wire where two wires are used for transmission and two wires are
used for reception. Lately, many ISPs provide T1 carrier service using a variety of
network media, including fiber optic cable, coaxial cable, and radio waves.

References

• 10.1.2 WAN Concept Facts


q_wan_concepts_t1_np6.[Link]
Which of the following services is available regardless of whether the telephone
company network is available?
Answer

Dial-up

DSL
Correct Answer:
Cable modem

ISDN

Explanation

A cable modem is a network connectivity service provided by the cable television
service provider. A cable modem operates by adding a bi-directional channel
connected directly to an internet service provider (ISP) through cable TV lines. A
cable modem does not depend on phone lines for the connection.
Dial-up refers to internet access provided over a telephone company's analog
network through modems.
Integrated Services Digital Network (ISDN) is a method for providing digital
connectivity service through a telephone company's network. ISDN can combine
multiple channels consisting of voice and data simultaneously.
DSL is a digital service provided by telephone service providers. All of these
methods operate over regular phone lines.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_cable_np6.[Link]

Question 2:
Correct
Which type of internet service uses the DOCSIS specification?
Answer
Correct Answer:
Coaxial cable

Fiber optic

Shielded twisted pair

Unshielded twisted pair


Explanation

The Data Over Cable Service Interface Specification (DOCSIS) defines coaxial cable
networking specifications. It is used by cable TV providers to provide internet access
over their existing coaxial cable infrastructure. DOCSIS specifies channel widths and
modulation techniques. It also defines the manner in which the core components of
the network communicate.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_docsis_np6.[Link]

Question 3:
Correct
Which of the following internet connection technologies requires that the location be
within a limited distance of the telephone company's central office?
Answer

Satellite
Correct Answer:
DSL

Cable modem

Wireless

Explanation

There are several variations of the digital subscriber line (DSL) technology, which
are collectively referred to as xDSL. DSL works over existing telephone company
copper wires. It operates concurrently with regular voice-grade communications by
utilizing higher frequencies unused by voice transmissions. One of the
consequences of splitting the signal in this manner is that DSL must operate within a
fixed distance of the telephone company's network switching equipment.
A cable modem can be provided as a means of internet access from a cable
television company. It will work anywhere within the service area.
Satellite and wireless do not have the same distance limitations as either DSL or a
cable modem.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_dsl_np6.[Link]

Question 4:
Correct
Which of the following describe the EDGE cellular technology? (Select two.)
Answer
Correct Answer:
Offers speeds of 400 to 1,000 Kbps.

Is an extension to 3G.
Correct Answer:
Is the first internet-compatible technology.

Uses MIMO.

Explanation

The EDGE cellular technology was an intermediary between 2G and 3G networks.
EDGE was the first cellular technology to be truly internet-compatible, with speeds of
400 to 1,000 Kbps.
HSPA+, LTE, and 4G networks use MIMO.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_edge_np6.[Link]

Question 5:
Correct
Which of the following technologies does GSM use to allow multiple connections on
the same frequency?
Answer

Multiple-input, multiple-output
Correct Answer:
Time-division multiple access

Frequency-division multiple access

Code-division multiple access

Explanation

GSM (Global System for Mobile Communications) uses time-division multiple access
(TDMA) to allow multiple connections on the same frequency.
GSM does not use code-division multiple access (CDMA). CDMA is a competing
access technology, and it is the one that most mobile service providers in the
United States used.
Multiple-input, multiple-output (MIMO) is a method for increasing data throughput
and link range.
Frequency-division multiple access (FDMA) assigns each connection its own
frequency band and is used primarily for satellite communications.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_gsm_np6.[Link]

Question 6:
Correct
Which of the following cellular network types use MIMO to increase 3G data
throughput? (Select two.)
Answer

CDMA2000
Correct Answer:
HSPA+

EDGE
Correct Answer:
LTE

WiMAX

Explanation

Both HSPA+ and LTE are 3G extensions that use multiple-input, multiple-output
(MIMO) to increase bandwidth.
EDGE was an intermediary network between 2G and 3G networks. WiMAX is a 4G
specification that delivers high-speed internet service to large geographical areas.
CDMA2000 is a 3G technology that adds additional traffic channels to increase
bandwidth.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_mimo_np6.[Link]

Question 7:
Correct
You are moving to an area where DSL will be available in the next six months. Which
method of internet connectivity should you implement until DSL is available if your
existing connectivity needs are minimal?
Answer
Correct Answer:
PSTN

Cable modem

ISDN

Satellite

Explanation

Dial-up networking using the public switched telephone network (PSTN) offers
sufficient network connectivity for a relatively minimal investment. You can use dial-
up with little hardware, setup, or connection costs.
The other modes of networking provide greater capability than you require and more
of an investment in equipment than is worthwhile for such a short period of time.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_pstn_np6.[Link]

Question 8:
Correct
A healthcare organization provides mobile clinics throughout the world. Which
network technology should you select to transfer patients' statistical data to a central
database via the internet that ensures network connectivity for any clinic located
anywhere in the world, even remote areas?
Answer

ISDN

Cable modem

DSL
Correct Answer:
Satellite

Dial-up

Explanation
Satellite capability is available even in areas that do not have a local network
infrastructure. Satellite requires a local portable transmitter with an antenna directed
skyward to a satellite. Satellite service providers offer nearly 100% global network
coverage by maintaining a series of satellites circling the earth in geosynchronous
orbit.
Dial-up, ISDN, and cable modems require a local network infrastructure provided by
either the telephone company or cable television company.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_satellite_01_np6.[Link]

Question 9:
Correct
Which of the following internet services provides equal upload and download
bandwidth?
Answer

VHDSL
Correct Answer:
SDSL

VDSL

ADSL

Explanation

Symmetrical DSL (SDSL) provides equal download and upload speeds. Depending
on the region, speeds are between 1.544 and 2.048 Mbps. The newer SHDSL provides
between 4.6 and 5.696 Mbps. The entire line is used for data, so simultaneous voice
and data is not supported. Splitters are not required because no voice traffic
exists on the line.
Asymmetrical DSL (ADSL) and very-high-bit-rate DSL (VDSL, also written VHDSL)
provide different download and upload speeds.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_sdsl_01_np6.[Link]

Question 10:
Correct
Which of the following forms of networking allows roaming within a limited area of
coverage, but can be limited by dead spots?
Answer

ISDN

DSL
Correct Answer:
Wireless

Dial-up

Explanation

Wireless networks all provide for roaming within a limited area of coverage, but can
be limited by dead spots.
The other forms of networking listed require a cable connection, and are not
designed to allow roaming while using the network connection.

References

• 10.2.3 Internet Services Facts


q_internet_connectivity_wireless_np6.[Link]
Which of the following security functions does CHAP perform?
Answer
Correct Answer:
Periodically verifies the identity of a peer using a three-way handshake.

Allows the use of biometric devices.

Protects usernames.

Links remote systems together.

Explanation

Challenge Handshake Authentication Protocol (CHAP) periodically verifies the
identity of a peer using a three-way handshake. CHAP ensures that the same client
or system exists throughout a communication session by repeatedly and randomly
re-testing the validated system. The test involves the security server sending a
challenge message (a random value and an identifier) to the client. The client
computes a one-way hash (MD5 in RFC 1994) over the identifier, its copy of the
shared secret, and the challenge, and returns the result to the security server.
The security server performs the same computation with its own copy of the
secret and compares its result with the result received from the client. If they
don't match, the session is terminated.
CHAP protects the password: the shared secret is never transmitted, only a hash
that incorporates it. The peer's name, however, is sent in cleartext, so "protects
usernames" does not describe CHAP and is not the best answer. Note also that a
captured challenge/response pair permits offline guessing of a weak secret.
CHAP does not link remote systems together; a VPN or tunneling protocol is needed
for that purpose. CHAP does not function as a device driver or interoperability
mechanism for biometric devices.
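The exchange described above, as an added example that is not part of the course material: a minimal CHAP authenticator and peer in Python following RFC 1994, where the response is MD5 over the identifier, the shared secret, and the challenge. The peer name "alice" and its secret are assumed values. The block also shows why the protocol resists replay, and why a captured challenge/response pair still lets an eavesdropper guess weak secrets offline, which is why CHAP on its own is not enough on an untrusted link.

```python
# Added example (not part of the course material): a CHAP exchange as specified in
# RFC 1994, with the response computed as MD5(ID || secret || challenge).
# The peer name and shared secret below are assumed values.
import hashlib
import hmac
import os

PEERS = {"alice": b"correct-horse-battery-staple"}   # shared secrets provisioned out of band (constructed)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side. Only this digest travels on the wire; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges, verifies responses, and can re-challenge mid-session."""

    def __init__(self, secrets_by_name: dict):
        self._secrets = secrets_by_name
        self._next_id = 0
        self._outstanding = {}   # identifier -> challenge value still awaiting a response

    def challenge(self):
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)   # unpredictable, so a recorded response cannot be replayed
        self._outstanding[self._next_id] = value
        return self._next_id, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # The challenge is consumed on first use; the Name field arrives in cleartext.
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_session(client_secret: bytes, rechallenges: int = 2) -> list:
    """Initial authentication followed by periodic re-challenges; returns one result per round."""
    server = ChapAuthenticator(PEERS)
    results = []
    for _ in range(1 + rechallenges):
        identifier, challenge = server.challenge()
        response = chap_response(identifier, client_secret, challenge)
        results.append(server.verify(identifier, "alice", response))
    return results


def replay_attack() -> bool:
    """An eavesdropper records a valid (ID, response) pair and submits it again later."""
    server = ChapAuthenticator(PEERS)
    identifier, challenge = server.challenge()
    recorded = chap_response(identifier, PEERS["alice"], challenge)
    assert server.verify(identifier, "alice", recorded)   # the legitimate round succeeds
    new_id, _ = server.challenge()                          # server re-challenges with a fresh value
    return server.verify(new_id, "alice", recorded)         # the replayed digest no longer matches


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Why a captured exchange still matters: weak secrets fall to offline guessing."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None
```

`run_session` returns one result per round (initial authentication plus two re-challenges); `replay_attack` records a valid response and resubmits it against a fresh challenge. The Name field reaches the server in cleartext, and MD5-based CHAP should only be used inside an already protected tunnel.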

References

• 10.3.3 Remote Access Facts


q_remote_access_chap_np6.[Link]

Question 2:
Correct
Which of the following authentication protocols transmits passwords in cleartext and
is considered too unsecure for modern networks?
Answer
Correct Answer:
PAP

EAP

RADIUS

CHAP
Explanation

Password Authentication Protocol (PAP) is considered unsecure because it
transmits password information in cleartext. Anyone who sniffs PAP traffic from a
network can view the password information from a PAP packet with a simple traffic
analyzer.
Challenge Handshake Authentication Protocol (CHAP) uses a three-way handshake
to authenticate users. During this handshake, a hashed value is used to authenticate
the connection. Extensible Authentication Protocol (EAP) is an enhanced
authentication protocol that can use a variety of authentication methods, including
digital certificates and smart cards. Remote Authentication Dial-In User Service
(RADIUS) is an authentication system that allows the centralization of remote user
account management.

References

• 10.3.3 Remote Access Facts


q_remote_access_pap_np6.[Link]

Question 3:
Correct
What does a remote access server use for authorization?
Answer
Correct Answer:
Remote access policies

Usernames and passwords

SLIP or PPP

CHAP or MS-CHAP

Explanation

Authorization is the process of identifying the resources that a user can access over
a remote access connection. Authorization is controlled through the use of network
policies (remote access policies) and access control lists (ACLs). Authorization can
restrict access based on:
• Time of day
• Type of connection (PPP or PPPoE, wired or wireless)
• Location of the resource (specific servers)
Authentication is the process of proving identity. Common protocols used for remote
access authentication include PAP, CHAP, MS-CHAP, or EAP.
Usernames and passwords are used during identification and authentication as
authentication credentials. SLIP and PPP are remote access connection protocols
that are used to establish and negotiate parameters for remote access.
References

• 10.3.3 Remote Access Facts


q_remote_access_policies_np6.[Link]

Question 4:
Correct
What is the primary purpose of RADIUS?
Answer
Correct Answer:
Authenticate remote clients before access to the network is granted.

Control entry-gate access using proximity sensors.

Manage access to a network over a VPN.

Manage RAID fault-tolerant drive configurations.

Explanation

Remote Authentication Dial-In User Service (RADIUS) is primarily used for
authenticating remote clients before access to a network is granted. RADIUS is
based on RFC 2865 and maintains client profiles in a centralized database. RADIUS
offloads the authentication burden for dial-in users from the normal authentication of
local network clients. For environments with a large number of dial-in clients,
RADIUS provides improved security, easier administration, improved logging, and
alleviated performance impact on LAN security systems.

References

• 10.3.3 Remote Access Facts


q_remote_access_radius_np6.[Link]

Question 5:
Correct
Which of the following are methods for providing centralized authentication,
authorization, and accounting for remote access? (Select two.)
Answer
Correct Answer:
TACACS+
Correct Answer:
RADIUS

PKI
EAP

AAA

Explanation

Both RADIUS and TACACS+ are protocols used for centralized authentication,
authorization, and accounting with remote access. Remote access clients send
authentication credentials to remote access servers. Remote access servers are
configured as clients to the RADIUS or TACACS+ servers and forward the
authentication credentials to the servers. The servers maintain a database of users
and policies that control access for multiple remote access servers.
AAA stands for authentication, authorization, and accounting. AAA is a generic term
that describes the functions performed by RADIUS and TACACS+ servers.
A public key infrastructure (PKI) is a system of certificate authorities that issues
certificates. 802.1x is an authentication mechanism for controlling port access.
EAP is an authentication protocol that enables the use of customized authentication
methods.

References

• 10.3.3 Remote Access Facts


q_remote_access_radius_tacacs_02_np6.[Link]

Question 6:
Correct
Which of the following are differences between RADIUS and TACACS+?
Answer

RADIUS encrypts the entire packet contents, while TACACS+ only encrypts the
password.
Correct Answer:
RADIUS combines authentication and authorization into a single function, while
TACACS+ allows these services to be split between different servers.

RADIUS uses TCP, while TACACS+ uses UDP.

RADIUS supports more protocols than TACACS+.

Explanation

TACACS+ provides three protocols (one each for authentication, authorization, and
accounting). This allows each service to be provided by a different server. In
addition, TACACS+:
• Uses TCP.
• Encrypts the entire packet contents.
• Supports more protocol suites than RADIUS.

References

• 10.3.3 Remote Access Facts


q_remote_access_radius_tacacs_np6.[Link]

Question 7:
Correct
Which of the following are characteristics of TACACS+? (Select two.)
Answer
Correct Answer:
Allows three different servers (one each for authentication, authorization, and
accounting).
Correct Answer:
Uses TCP.

Uses UDP.

Can be vulnerable to buffer overflow attacks.

Allows two different servers (one for authentication and authorization and another for
accounting).

Explanation

TACACS+ was originally developed by Cisco for centralized remote access
administration. TACACS+:
• Provides three protocols (one each for authentication, authorization, and
accounting). This allows each service to be provided by a different server.
• Uses TCP.
• Encrypts the entire packet contents.
• Supports more protocol suites than RADIUS.
RADIUS is used by Microsoft servers for centralized remote access administration.
RADIUS:
• Combines authentication and authorization using policies to grant access.
• Uses UDP.
• Encrypts only the password.
• Often uses vendor-specific extensions. RADIUS solutions from different
vendors might not be compatible.
• Uses UDP ports 1812 and 1813 and can be vulnerable to buffer overflow
attacks.

References
• 10.3.3 Remote Access Facts
q_remote_access_tacacs_01_np6.[Link]

Question 8:
Correct
Which of the following is a characteristic of TACACS+?
Answer
Correct Answer:
Encrypts the entire packet, not just authentication packets.

Requires that authentication and authorization are combined in a single server.

Uses UDP ports 1812 and 1813.

Supports only TCP/IP.

Explanation

TACACS+ was originally developed by Cisco for centralized remote access
administration. TACACS+:
• Provides three protocols (one each for authentication, authorization, and
accounting). This allows each service to be provided by a different server.
• Uses TCP port 49.
• Encrypts the entire packet contents, not just authentication packets.
• Supports more protocol suites than RADIUS.
RADIUS is used by Microsoft servers for centralized remote access administration.
RADIUS:
• Combines authentication and authorization using policies to grant access.
• Allows the separation of accounting to different servers. However,
authentication and authorization remain combined on a single server.
• Uses UDP ports 1812 and 1813.
• Can use a challenge/response exchange (Access-Challenge) during
authentication. RADIUS hides only the User-Password attribute, XORing it with
an MD5 keystream derived from the shared secret and the request authenticator;
the rest of the packet travels in cleartext.
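What "encrypts only the password" and "encrypts the entire packet contents" actually mean on the wire, for this question and the previous one, as an added example that is not part of the course material: the RFC 2865 User-Password hiding used by RADIUS and the RFC 8907 body obfuscation used by TACACS+, both implemented from the standard library. The secrets, the request authenticator, and the TACACS+ session values are constructed for the demo. Both mechanisms derive their keystream from MD5 over the shared secret; neither is encryption in the modern sense, and the 12-byte TACACS+ header is never covered at all. The block also shows that anyone who captures the packet and knows (or guesses) the shared secret recovers the password directly.

```python
# Added example (not from the course material): the hiding RADIUS applies to
# User-Password (RFC 2865 section 5.2) and the body obfuscation TACACS+ applies
# to everything after its 12-byte header (RFC 8907 section 4.5). Secrets,
# authenticator and session values below are constructed for the demo.
import hashlib


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 xor MD5(S + RA); cn = pn xor MD5(S + c(n-1)), on 16-octet blocks."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + previous).digest())
        hidden += block
        previous = block
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of the above; this is exactly what a sniffer holding the shared secret runs."""
    clear, previous = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """body xor pseudo_pad, where pad_n = MD5(session_id || key || version || seq_no || pad_(n-1)).
    XOR is its own inverse, so the same call de-obfuscates. The header itself is never covered."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, previous = b"", b""
    while len(pad) < len(body):
        previous = hashlib.md5(prefix + previous).digest()
        pad += previous
    return _xor(body, pad)


# --- Constructed capture: what an on-path sniffer sees in a RADIUS Access-Request ---
SHARED_SECRET = b"radius-secret-42"
REQUEST_AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # 16 random octets in a real packet
CAPTURED_USER_PASSWORD = radius_hide_password(b"Summer2024!", SHARED_SECRET, REQUEST_AUTHENTICATOR)


def sniffer_recovers_password(guessed_secret: bytes) -> bytes:
    """With the shared secret (leaked, weak, or brute-forced) the password comes straight back."""
    return radius_unhide_password(CAPTURED_USER_PASSWORD, guessed_secret, REQUEST_AUTHENTICATOR)


def tacacs_roundtrip(body: bytes) -> tuple:
    """Returns (obfuscated_body, recovered_body) for a constructed TACACS+ session."""
    key, session_id, version, seq_no = b"tacacs-key", 0x1A2B3C4D, 0xC0, 1
    wire = tacacs_plus_obfuscate(body, key, session_id, version, seq_no)
    return wire, tacacs_plus_obfuscate(wire, key, session_id, version, seq_no)
```

`sniffer_recovers_password` is the attacker's view: a weak shared secret can be brute-forced offline against a single captured Access-Request, which is why both protocols are best carried inside IPsec or TLS (RADIUS over TLS is standardized in RFC 6614) rather than exposed on a shared network.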

References

• 10.3.3 Remote Access Facts


q_remote_access_tacacs_02_np6.[Link]

Question 9:
Correct
Which of the following ports does TACACS use?
Answer

22
Correct Answer:
49

50 and 51

1812 and 1813

3389

Explanation

Terminal Access Controller Access Control System (TACACS) uses port 49 for TCP
and UDP.
Secure Shell (SSH) uses port 22.
IPsec uses protocol numbers 50 and 51.
Remote Authentication Dial-In User Service (RADIUS) uses ports 1812 and 1813.
Remote Desktop Protocol (RDP) uses port 3389.

References

• 10.3.3 Remote Access Facts


q_remote_access_tacacs_03_np6.[Link]

Question 10:
Correct
You often travel away from the office. While traveling, you would like to use a
modem on your laptop computer to connect directly to a server in your office to
access needed files.
You want the connection to be as secure as possible. Which type of connection do
you need?
Answer

Internet
Correct Answer:
Remote access

Virtual private network

Intranet

Explanation

Use a remote access connection (dialing directly into the office's remote access
server) to connect directly to a server at a remote location.
You could use a VPN connection through the internet to connect to the server
securely. However, the connection would involve connecting to the internet through a
local ISP and then establishing a VPN connection to the server. While the VPN
connection through the internet is secure, a direct dial-up remote access connection
never traverses the public internet and is therefore treated here as the more secure
option.
An intranet is an internal network that only internal users can access.

References

• 10.3.3 Remote Access Facts


q_remote_access_traveling_np6.[Link]
Which IPSec subprotocol provides data encryption?
Answer

AH

SSL
Correct Answer:
ESP

AES

Explanation

Encapsulating Security Payload (ESP) provides data encryption for IPsec traffic
(and, optionally, integrity and origin authentication of the payload).
Authentication Header (AH) provides message integrity through authentication,
verifying that data is received unaltered and that it came from the claimed source.
AH provides no privacy and is often combined with ESP to achieve both integrity and
confidentiality.
Secure Sockets Layer (SSL), and its successor TLS, has long been used to secure
traffic generated by IP protocols such as HTTP, FTP, and email. SSL/TLS can also be
used as a VPN solution, typically in a remote access scenario.
Advanced Encryption Standard (AES) is a cipher, not an IPsec subprotocol. It uses
128-, 192-, or 256-bit keys, has no practical attacks known against it, and is
computationally more efficient than 3DES. ESP can use AES as its encryption
algorithm.

References

• 10.4.6 VPN Protocol Facts


q_vpn_protocols_esp_01_np6.[Link]

Question 2:
Correct
Which statement BEST describes IPsec when used in tunnel mode?
Answer

The identities of the communicating parties are not protected.

Packets are routed using the original headers, and only the payload is encrypted.
Correct Answer:
The entire data packet, including headers, is encapsulated.

IPsec in tunnel mode may not be used for WAN traffic.

Explanation
When using IPsec in tunnel mode, the entire data packet, including original headers,
is encapsulated. New encrypted packets are created with headers, indicating only
the endpoint addresses. Tunneling protects the identities of the communicating
parties and the original packet contents. Tunneling is frequently used to secure traffic
traveling across insecure public channels, such as the internet. IPsec in tunnel mode
is the most common configuration for gateway-to-gateway communications.
In transport mode, routing is performed using the original headers. Only the packet's
payload is encrypted. Transport mode is primarily used in direct host-to-host
communication outside of a dedicated IPsec gateway/firewall configuration.

References

• 10.4.6 VPN Protocol Facts


q_vpn_protocols_ipsec_np6.[Link]

Question 3:
Correct
Which of the following VPN protocols merged with the deprecated Point-to-Point
Tunneling Protocol (PPTP) to create L2TP?
Answer

IPsec

TLS
Correct Answer:
Layer 2 Forwarding

SSL

Explanation

Layer 2 Forwarding (L2F) is a VPN technology developed by Cisco that merged with
the deprecated Point-to-Point Tunneling Protocol (PPTP) to create L2TP.
Internet Protocol Security (IPsec) provides authentication and encryption and can be
used in conjunction with L2TP or by itself as a VPN solution. IPsec is still considered
very secure.
Secure Sockets Layer (SSL) has long been used to secure traffic generated by other
IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN
solution, typically in a remote access scenario.
Transport Layer Security (TLS) is the standardized successor to SSL and works in a
similar way, even though the two are not interoperable.

References

• 10.4.6 VPN Protocol Facts


q_vpn_protocols_pptp_np6.[Link]

Question 4:
Correct
A group of salesmen in your organization would like to access your private network
through the internet while they are traveling. You want to control access to the
private network through a single server.
Which solution should you implement?
Answer

IPS

IDS

DMZ

RADIUS
Correct Answer:
VPN concentrator

Explanation

If you are using a remote access VPN, a server on the edge of a network (called a
VPN concentrator) is configured to accept VPN connections from individual hosts.
Hosts that are allowed to connect using the VPN connection are granted access to
resources on the VPN server or the private network.
A screened subnet (DMZ) is a buffer network that sits between a private network and
an untrusted network (such as the internet). A RADIUS server is used to centralize
authentication, authorization, and accounting for multiple remote access servers.
However, clients still connect to individual remote access servers.
An intrusion detection system (IDS) is a special network device that can detect
attacks and suspicious activity. A passive IDS monitors, logs, and detects security
breaches, but it takes no action to stop or prevent the attack. An active IDS (also
called an intrusion prevention system, or IPS) performs the functions of an IDS but
can also react when security breaches occur.

References

• 10.4.7 VPN Facts


q_vpn_concentrator_np6.[Link]

Question 5:
Correct
A salesperson in your organization spends most of her time traveling between
customer sites. After a customer visit, she must complete various managerial tasks,
such as updating your organization's order database.
Because she rarely comes back to the home office, she usually accesses the
network from her notebook computer using Wi-Fi access provided by hotels,
restaurants, and airports.
Many of these locations provide unencrypted public Wi-Fi access, and you are
concerned that sensitive data could be exposed. To remedy this situation, you
decide to configure her notebook to use a VPN when accessing the home network
over an open wireless connection.
Which key steps should you take when implementing this configuration? (Select
two.)
Answer
Correct Answer:
Configure the VPN connection to use IPsec.

Configure the VPN connection to use PPTP.

Configure the browser to send HTTPS requests directly to the Wi-Fi network without
going through the VPN connection.
Correct Answer:
Configure the browser to send HTTPS requests through the VPN connection.

Configure the VPN connection to use MS-CHAPv2.

Explanation

It is generally considered acceptable to use a VPN connection to securely transfer
data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols
are used, the VPN provides sufficient encryption to secure the connection, even
though the wireless network itself is not encrypted. It is recommended that you use
IPsec or SSL/TLS to secure the VPN, as these protocols are considered secure. You
should also configure the browser's HTTPS requests to go through the VPN
connection. To conserve VPN bandwidth and improve latency, many VPN solutions
automatically route web browsing traffic through the client's default network
connection instead of through the VPN tunnel (split tunneling). This behavior would
result in HTTP/HTTPS traffic being transmitted over the unsecure open wireless
network instead of through the secure VPN tunnel.
Avoid using PPTP with MS-CHAPv2 in a VPN over open wireless configurations, as
these protocols are no longer considered secure.

References

• 10.4.7 VPN Facts


q_vpn_configure_np6.[Link]
Question 6:
Correct
Which of the following can route Layer 3 protocols across an IP network?
Answer

SSL

IPsec
Correct Answer:
GRE

PPTP

Explanation

Generic Routing Encapsulation (GRE) is a tunneling protocol that creates a tunnel
between two routers. It does this by adding a GRE header and a new IP header to
the original packet. The GRE header's protocol type field identifies the passenger
protocol, which is how GRE can carry IP, IPv6, or other Layer 3 protocols across an
IP network. GRE itself provides no encryption or authentication.
IPsec, PPTP, and SSL are protocols for securing communications rather than
general-purpose multiprotocol encapsulation. (PPTP actually relies on a GRE
variant to carry its tunneled PPP frames, and GRE is commonly combined with IPsec
to add confidentiality.)
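The encapsulation described above, as an added example not taken from the course material: a GRE tunnel endpoint in Python that wraps an IPv4 packet in a GRE header plus a new outer IPv4 header and unwraps it again, using only the standard library. The addresses come from the RFC 5737 documentation ranges, the inner payload is constructed rather than a real datagram, and the inner packet uses the RFC 3692 experimental protocol number 253. `tunnel_summary` shows what an observer on the transit path can read, which is everything, since GRE adds no confidentiality or authentication.

```python
# Added example (not from the course material): GRE encapsulation and decapsulation
# per RFC 2784/2890 over IPv4, built with the standard library only. Addresses are
# documentation ranges (RFC 5737) and the inner payload is constructed, not a real datagram.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800      # GRE Protocol Type for an IPv4 passenger packet
IPPROTO_GRE = 47
IPPROTO_EXPERIMENTAL = 253   # RFC 3692 value used for the constructed inner payload


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def build_inner(src: str, dst: str, payload: bytes) -> bytes:
    """The original packet with its private addresses, exactly what the tunnel will carry."""
    return ipv4_header(src, dst, IPPROTO_EXPERIMENTAL, len(payload)) + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """New outer IP header (protocol 47) + 4-byte GRE header (no C/K/S options) + original packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the outer headers; returns (protocol_type, passenger_packet). Handles optional fields."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    offset = ihl + 4
    offset += 4 if flags & 0x8000 else 0   # C: checksum + reserved1
    offset += 4 if flags & 0x2000 else 0   # K: key
    offset += 4 if flags & 0x1000 else 0   # S: sequence number
    return proto, packet[offset:]


def tunnel_summary(packet: bytes) -> dict:
    """What an observer on the transit network can read: both address pairs and the payload."""
    proto, inner = gre_decapsulate(packet)
    return {
        "outer": (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))),
        "inner": (str(ipaddress.IPv4Address(inner[12:16])), str(ipaddress.IPv4Address(inner[16:20]))),
        "protocol_type": proto,
        "payload": inner[20:],
    }
```

The decapsulator honours the optional checksum, key and sequence fields (flag bits C, K and S), so it also parses tunnels that set them. When the transit network is untrusted, run GRE inside IPsec (GRE over IPsec) so the inner addresses and payload are no longer readable on the path.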

References

• 10.4.7 VPN Facts


q_vpn_gre_np6.[Link]

Question 7:
Correct
Which of the following Network layer protocols provides authentication and
encryption services for IP-based network traffic?
Answer

L2TP

TCP

SSL
Correct Answer:
IPsec

Explanation
IPsec is a security implementation that provides security for all other TCP/IP-based
protocols that operate above the Network layer. IPsec provides authentication
through a protocol called IPsec Authentication Header (AH) and encryption services
through a protocol called IPsec Encapsulating Security Payload (ESP)
Transmission Control Protocol (TCP) is a Transport layer connection-oriented
protocol that provides data transmission services. It is not a secure protocol and
relies on other measures, such as IPsec, to provide security.
Secure Sockets Layer (SSL) is an Application layer protocol that is designed to
secure network traffic from certain other protocols, such as HyperText Transfer
Protocol (HTTP) and Post Office Protocol version 3 (POP3). SSL does not provide
security for protocols lower in the TCP/IP protocol stack, such as TCP and UDP.
Layer 2 Tunneling Protocol (L2TP) is a protocol used to encapsulate Point-to-Point
Protocol (PPP) traffic.

References

• 10.4.7 VPN Facts


q_vpn_ipsec_02_np6.[Link]

Question 8:
Correct
Which of the following purposes is a VPN primarily used for?
Answer
Correct Answer:
Support secured communications over an untrusted network.

Allow remote systems to save on long-distance charges.

Support the distribution of public web documents.

Allow the use of network-attached printers.

Explanation

A VPN (virtual private network) is used primarily to support secured communications
over an untrusted network. A VPN can be used over a local area network, across a
WAN connection, over the internet, and even between a client and server on a
dial-up internet connection. All of the other items listed in this question are benefits
or capabilities that are secondary to this primary purpose.

References

• 10.4.7 VPN Facts


q_vpn_purpose_np6.[Link]

Question 9:
Correct
Which VPN tunnel style routes only certain types of traffic?
Answer

Host-to-host

Site-to-site
Correct Answer:
Split

Full

Explanation

A VPN split tunnel routes only certain types of traffic, usually determined by
destination IP address, through the VPN tunnel. All other traffic is passed through
the normal internet connection.
A full VPN tunnel routes all of a user's network traffic through the VPN tunnel. This
can sometimes send unnecessary traffic.
A site-to-site VPN is a VPN implementation that uses routers on the edge of each
site.
A host-to-host VPN implementation allows an individual host connected to the
internet to establish a VPN connection to another host on the internet.
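The difference between a split and a full tunnel, as an added example (not part of the course material) that also covers the earlier open-Wi-Fi scenario in which browser traffic bypassed the VPN: a longest-prefix-match route lookup in Python over two constructed routing tables. The interface names (`wlan0`, `tun0`), the prefixes, and the VPN gateway address 198.51.100.7 are assumed. The full-tunnel table uses the two /1 routes that OpenVPN's `redirect-gateway def1` installs to outrank the default route without removing it, plus a host route so the tunnel endpoint itself stays reachable over the Wi-Fi.

```python
# Added example (not from the course material): how a host's routing table decides
# whether a destination leaves through the VPN (tun0) or the local Wi-Fi (wlan0).
# Interface names, prefixes and the gateway address 198.51.100.7 are assumed.
import ipaddress


def route_lookup(destination: str, routes: list) -> str:
    """Longest-prefix match, the rule every host and router applies when several routes cover an address."""
    addr = ipaddress.ip_address(destination)
    best_net, best_iface = None, "unreachable"
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


VPN_GATEWAY = "198.51.100.7"

# Split tunnel: only the corporate 10/8 goes through the VPN; everything else uses the Wi-Fi default route.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # hotel Wi-Fi default route
    ("192.168.1.0/24", "wlan0"),   # hotel LAN
    ("10.0.0.0/8", "tun0"),        # pushed by the VPN server
]

# Full tunnel, the way OpenVPN's "redirect-gateway def1" does it: two /1 routes outrank the
# existing /0 without deleting it, and a /32 keeps the VPN gateway itself reachable via Wi-Fi.
FULL_TUNNEL = SPLIT_TUNNEL + [
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    (VPN_GATEWAY + "/32", "wlan0"),
]


def classify(destinations, routes) -> dict:
    """Egress interface chosen for each destination under the given table."""
    return {dest: route_lookup(dest, routes) for dest in destinations}


def leaks_outside_tunnel(destinations, routes, tunnel_iface="tun0") -> list:
    """Destinations that would cross the open Wi-Fi in the clear (the gateway itself is expected there)."""
    return [dest for dest, iface in classify(destinations, routes).items()
            if iface != tunnel_iface and dest != VPN_GATEWAY]
```

`leaks_outside_tunnel` lists the destinations that would cross the open wireless network in the clear; under the split table that is every public address, including HTTPS sites the browser talks to. Check both address families in a real deployment: a VPN that pushes only IPv4 routes leaves the IPv6 default route on the Wi-Fi interface, and DNS queries sent to the hotel's resolver reveal destinations even when the data itself is tunneled.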

References

• 10.4.7 VPN Facts


q_vpn_split_np6.[Link]

Question 10:
Correct
Which of the following statements about an SSL VPN are true? (Select two.)
Answer

Encapsulates packets by adding a GRE header.

Correct Answer:
Encrypts the entire communication session.

Uses UDP port 500.

Correct Answer:
Uses port 443.

Uses pre-shared keys for authentication.

Provides message integrity using HMAC.

Explanation

An SSL VPN uses SSL (Secure Sockets Layer) to secure communications. An SSL
VPN:
• Authenticates the server to the client using public key cryptography and
digital certificates.
• Encrypts the entire communication session.
• Uses port 443, which is already open on most firewalls.
IPsec can use pre-shared keys (through IKE) to authenticate the peers to each other,
and it uses HMAC (Hash-Based Message Authentication Code) to provide message
integrity checks.
The GRE tunneling protocol encapsulates packets with GRE (Generic Routing
Encapsulation) headers.
UDP port 500 is used by IKE (Internet Key Exchange), which negotiates the IPsec
security associations that protect L2TP/IPsec tunnels; L2TP itself uses UDP port
1701.

References

• 10.4.7 VPN Facts


q_vpn_ssl_np6.[Link]
What is the definition of bandwidth?
Answer

The calculation of how often bits are damaged in transit due to electromagnetic
interference.

The condition that occurs when a system is unable to keep up with the demands
placed on it.

The speed at which packets travel from source to destination and back.
Correct Answer:
The amount of data that can be transferred from one place to another in a specific
amount of time.

Explanation

Bandwidth is the amount of data that can be transferred from one place to another in
a specific amount of time.
Latency is the delay, the time it takes for packets to travel from source to
destination and back.
Error rate is the calculation of how often bits are damaged in transit due to
electromagnetic interference (or other interference).
A bottleneck is the condition that occurs when a system is unable to keep up with the
demands placed on it.

References

• 11.1.2 Performance Metrics


q_performance_metrics_bandwidth_np6.[Link]

Question 2:
Correct
Which of the following is a best practice when establishing a baseline?
Answer

Establish baselines using only specialized tools.

Correct Answer:
Determine baselines over time by analyzing network traffic.

Establish baselines only during the busiest times of the day.

Establish baselines within a network or device's first week of installation.

Explanation
You should determine your baselines by analyzing network traffic. To get a true
picture of your network's activity, collect data over a period of time. Monitor
different times of day and different times of year (especially if your organization
has notoriously busy or slow periods). You can create baselines manually; however,
there are also tools you can purchase to collect more information and possibly
create more accurate baselines.

References


11.1.2 Performance Metrics

11.4.1 Network Monitoring

11.4.4 Use Wireshark to Sniff Traffic

11.4.5 Monitor Utilization

11.4.6 Monitor Interface Statistics

11.4.9 Network Monitoring Facts
q_performance_metrics_baseline_np6.[Link]

Question 3:
Correct
Which of the following is the term for when a system is unable to keep up with the
demands placed on it?
Answer

Hard fault

Jitter

Latency
Correct Answer:
Bottleneck

Explanation

A bottleneck occurs when a system is unable to keep up with the demands placed
on it.
Latency, jitter, and hard faults are other network and device metrics (delay, delay
variation, and memory pages that must be read back from disk). They do not
describe a system's inability to keep up with the demands placed on it.

References


11.1.2 Performance Metrics
q_performance_metrics_bottleneck_np6.[Link]

Question 4:
Correct
Which of the following is the term for a calculation of how often bits are damaged in
transit due to electromagnetic interference?
Answer

Bandwidth

Bottleneck

Latency
Correct Answer:
Error rate

Explanation

Error rate is a calculation of how often bits are damaged in transit due to
electromagnetic interference (or other interference).
Latency is the delay, the time it takes for data packets to travel from source to
destination and back.
A bottleneck is the condition that occurs when a system is unable to keep up with the
demands placed on it.
Bandwidth is the amount of data that can be transferred from one place to another
in a specific amount of time.

References

• 11.1.2 Performance Metrics

Question 5:
Correct
When packets arrive at their destination at different speeds, they sometimes arrive
out of order. What does this cause?
Answer

Dropped packets

Latency

Error rates
Correct Answer:
Jitter

Explanation
When packets arrive at their destination at different speeds, they sometimes arrive
out of order. This causes what's known as jitter.
Latency, dropped packets, and error rates are not caused by out-of-order packets.

References

• 11.1.2 Performance Metrics

Question 6:
Correct
What is the definition of latency?
Answer
Correct Answer:
The speed at which data packets travel from source to destination and back.

The percentage of time that a disk subsystem reads from and writes to a disk.

The percentage of available bandwidth being used.

A calculation of how often bits are damaged in transit due to electromagnetic
interference.

Explanation

Latency is the speed at which packets travel from source to destination and back.
Error rate is the calculation of how often bits are damaged in transit due to
electromagnetic interference (or other interference).
Bandwidth utilization is the percentage of available bandwidth being used.
Hard disk utilization is the percentage of time that a disk subsystem reads from and
writes to disk.

References

• 11.1.2 Performance Metrics

Question 7:
Correct
Your computer seems to be running slowly. In particular, you notice that the hard
drive activity light remains lit when you run multiple applications and switch between
open windows. This happens even though you aren't saving large files.
What should you do to troubleshoot the problem?
Answer

Use Reliability Monitor to monitor system reliability.
Correct Answer:
Use Resource Monitor to monitor memory utilization.

Use Task Manager to monitor disk activity.

Use Resource Monitor to monitor disk activity.

Explanation

In this scenario, you should use Resource Monitor to monitor memory utilization.
Most likely, you'll see that the physical RAM is being over-utilized. When physical
memory is low, the computer must swap data from memory to hard disk (to the
paging file) to make physical memory available for other applications. If you hear the
hard drive constantly operating as you work or if the hard drive light on the front of
the system case stays illuminated for long periods of time, it means that the
computer is constantly working to move data into and out of memory. The only long-
term solution is to add more physical RAM.
Monitoring disk activity with Resource Monitor or Task Manager won't reveal the true
source of the problem in this scenario (which is a shortage of physical RAM).
Reliability Monitor is not the appropriate tool to use in this scenario.

References

• 11.1.2 Performance Metrics

Question 8:
Correct
Which of the following is true about processor performance?
Answer

Utilization spikes as long as an application is open.
Correct Answer:
A healthy system's CPU utilization should average around 40%.

If processor utilization is consistently high, your system is performing well.

Processor utilization is the amount of time the processor spends on idle tasks.

Explanation

A healthy system's CPU utilization should average around 40%.
Processor utilization spikes when a task is launched or a significant task is
performed. However, it should not remain high simply because the application is
open.
Processor utilization is the amount of time the processor spends on non-idle tasks.
If processor utilization is consistently high, your CPU likely has a bottleneck.

References

• 11.1.2 Performance Metrics

Question 9:
Correct
Which of the following could be to blame if your computer is regularly crashing or
restarting?
Answer

You're dropping packets.
Correct Answer:
The processor is too hot.

You don't have enough memory.

You've run out of bandwidth.

Explanation

An overheated CPU can result in crashing or constant restarts and shutdowns.
Insufficient memory, low bandwidth, or dropped packets can cause delays, but these
do not usually result in crashes and restarts.

References

• 11.1.2 Performance Metrics

Question 10:
Correct
Where can you check your CPU's temperature?
Answer

Task Manager
Correct Answer:
BIOS

Performance Manager

Device Manager

Explanation

You can check your CPU's temperature in the system BIOS, or you can use third-
party software to monitor and alert you to any extreme temperature spikes.
Although they're useful performance tools, Task Manager, Performance Manager,
and Device Manager can't be used to check your CPU's temperature.

References

• 11.1.2 Performance Metrics

Question 1:
Which of the following does an agent send to the manager to confirm the receipt of a
transmission?
Answer

GET
Correct Answer:
Inform

Walk

Alert

Explanation

Informs are sent to the manager to confirm the receipt of a transmission.
Alerts, walks, and GET messages are all SNMP components, but they are not sent to
the manager to confirm the receipt of a transmission.

References

• 11.2.5 SNMP Facts

Question 2:
Correct
What is the name of the computer that queries agents and gathers responses by
sending messages?
Answer

Trap

Agent

MIB
Correct Answer:
Manager

Explanation

The manager queries agents and gathers responses by sending messages.
A trap, MIB (Management Information Base), and agent are all SNMP components.
However, they do not query agents.

References

• 11.2.5 SNMP Facts

Question 3:
Correct
Because of an unexplained slowdown on your network, you decide to install
monitoring software on several key network hosts to locate the problem. You will
then collect and analyze the data from a central network host.
Which protocol will the software use to detect the problem?
Answer
Correct Answer:
SNMP

IPX

UDP

TCP/IP

Explanation

SNMP (Simple Network Management Protocol) is used to track network statistics.
SNMP operates over UDP and IP. However, by themselves, these protocols do not
provide network monitoring support.
IPX (Internetwork Packet Exchange) is a legacy protocol.

References

• 11.2.5 SNMP Facts

Question 4:
Correct
What does SNMP use to identify a group of devices under the same administrative
control?
Answer
Correct Answer:
Community strings

OID

Passwords

Informs
Explanation

Agents and the manager are configured to communicate with each other using the
community strings. A community string identifies a group of devices under the same
administrative control. The community string is like a password because it limits
access to only authorized processes or queries. However, it's not a password; it's
simply a value configured on each device. Devices with different community names
are unable to send SNMP messages to each other.
Informs and OIDs (Object Identifiers) are SNMP components. However, they are not
used to identify a group of devices under the same administrative control.

References

• 11.2.5 SNMP Facts

Question 5:
Correct
Which of the following is true about a community string?
Answer

Devices with different community names are able to send SNMP messages to each
other.
Correct Answer:
A community string identifies devices under the same administrative control.

A string is a password.

A string cannot limit access.

Explanation

Agents and the manager are configured to communicate with each other using the
community strings. A community string identifies a group of devices under the same
administrative control. The community string is like a password because it limits
access to only authorized processes or queries. However, it's not a password; it's
simply a value configured on each device.
Devices with different community names are unable to send SNMP messages to
each other.

References

• 11.2.5 SNMP Facts

Question 6:
Correct
Which protocol uses traps to send notifications from network devices?
Answer

IGMP

ICMP

SMTP
Correct Answer:
SNMP

Explanation

Simple Network Management Protocol (SNMP) lets network hosts exchange
configuration and status information. This information can be gathered by
management software and used to monitor and manage the network. A trap is an
event configured on an agent. When the event occurs, the agent logs details
regarding the event.
SMTP (Simple Mail Transfer Protocol) is used for sending email.
ICMP (Internet Control Message Protocol) is an echo/response protocol that's used
for exchanging simple requests between devices. ICMP does not use traps.
IGMP (Internet Group Management Protocol) is used to send packets to hosts that
are members of a group.

References

• 11.2.5 SNMP Facts

Question 7:
Correct
When an event occurs, the agent logs details regarding the event. What is this event
called?
Answer
Correct Answer:
Trap

GET

OID

MIB
Explanation

A trap is an event configured on an agent. When the event occurs, the agent logs
details regarding the event.
GET, OIDs, and MIB are SNMP components, but they are not events.

References

• 11.2.5 SNMP Facts

Question 8:
Correct
You have been using SNMP on your network for monitoring and management, but
you're concerned about the security of this configuration. What should you do to
increase security in this situation?
Answer

Combine SNMP with SSL
Correct Answer:
Implement version 3 of SNMP

Use SSH instead of SNMP

Implement a RADIUS solution

Explanation

Simple Network Management Protocol (SNMP) is a protocol designed for managing
complex networks. SNMP lets network hosts exchange configuration and status
information. The original version of SNMP has several vulnerabilities. For added
security, implement version 3.
SSH (Secure Shell) allows secure interactive control of remote systems but does not
provide the same features as SNMP.
RADIUS controls remote access authentication, authorization, and accounting from a
centralized server.

References

• 11.2.5 SNMP Facts

Question 9:
Correct
Which of the following improvements to SNMP are included in version 3? (Select
two.)
Answer

Ports 161 and 162 usage

SNMP data transfer through SFTP
Correct Answer:
Agent and manager authentication

Community name hashing
Correct Answer:
SNMP message encryption

Explanation

SNMPv3 adds authentication for agents and managers, encryption, and message
integrity to ensure that data is not altered in transit.
SNMPv3 improvements do not include the use of SFTP for transferring SNMP data
or community name hashing.
SNMP does use UDP ports 161 and 162, but this was not one of the version 3
improvements.

References

• 11.2.5 SNMP Facts

Question 10:
Correct
Which SNMP component uses GETNEXT messages to navigate the MIB structure?
Answer

Inform

GET

Trap
Correct Answer:
Walk

Explanation
A walk uses GETNEXT messages to navigate the MIB structure.
GET, traps, and informs are all SNMP components, but they do not use GETNEXT
messages to navigate the MIB structure.

References

• 11.2.5 SNMP Facts

Question 1:
Some users report that frequent system crashes have started happening on their
workstations. Upon further investigation, you notice that these users all have
received a recent update to the same application. Where would you go to conduct a
root cause analysis?
Answer
Correct Answer:
Application log

Firewall log

Network log

Security log

Explanation

You would choose the application log. Most applications produce some type of event
logging. These logs show application access, crashes, updates, and any other
relevant information that could be valuable in conducting a root cause analysis. The
application may be crashing or not performing correctly, and this could be tied to
suspicious activity that may indicate malicious intent.
Network logs tell you what is coming into and leaving your network.
A firewall log identifies traffic that has been allowed or denied through a firewall.
A security log records information related to logons, such as incorrect password
attempts and user right application.

References

• 11.3.5 Log File Management Facts

Question 2:
Correct
You suspect that cache poisoning or spoofing has occurred on your network. Users
are complaining of strange web results and being redirected to undesirable sites.
Which log would help you determine what's going on?
Answer

Network logs
Correct Answer:
DNS logs

Application logs

Security logs

Explanation

In this scenario, you should take a look at the DNS logs for DNS cache poisoning.
After this, you can begin monitoring DNS query traffic.
Network logs do not help you with spoofed host name resolution.
Application logs do not help you determine DNS poisoning.
Security logs do little to help you identify spoofing.

References

• 11.3.5 Log File Management Facts

Question 3:
Correct
You suspect that a bad video driver is causing a user's system to randomly crash
and reboot. Where would you go to identify and confirm your suspicions?
Answer

Application logs

SIP logs

Syslog
Correct Answer:
Dump files

Explanation

You would choose dump files. Dump files are created when an application, OS, or
other computer function stops abruptly. These files help IT admins perform root
cause analysis and can also give clues as to the crash's origin. This could be
something as commonplace as a bad driver or hardware component. Unfortunately,
though, it may prove to be the result of a malicious act.
Syslog is a protocol that defines how log messages are sent from one device to a
logging server on an IP network. The sending device sends a small text message to
the Syslog receiver (the logging server).
App logs show application access, crashes, updates, and any other relevant
information that could be valuable in doing root cause analysis.
Session Initiation Protocol (SIP) logs contain key information about where a
phone call was initiated and what the communication's intent was.

References

• 11.3.5 Log File Management Facts

Question 4:
Correct
Which Syslog severity level indicates a debugging message?
Answer
Correct Answer:
Level 7

Level 3

Level 1

Level 5

Explanation

Level 7 indicates a debugging message.
Level 5 indicates a notification of a normal but significant condition.
Level 3 indicates a non-urgent error that should be addressed when possible.
Level 1 is an alert that indicates the system has encountered serious errors and that
you should take action immediately.

References

• 11.3.5 Log File Management Facts

Question 5:
Correct
Which Syslog level indicates an emergency that could severely impact the system
and cause it to become unusable?
Answer

Level 4

Level 6

Level 2
Correct Answer:
Level 0

Explanation

Level 0 indicates an emergency that could severely impact the system and cause it
to become unusable.
Level 2 indicates a critical condition (such as a serious error in a secondary
subsystem) that should be addressed right away.
Level 4 indicates a warning that could eventually become a problem if not
addressed.
Level 6 indicates an informational message.

References

• 11.3.5 Log File Management Facts

Question 6:
Correct
Which of the following is a standard for sending log messages to a central logging
server?
Answer

LC4

Nmap

OVAL
Correct Answer:
Syslog

Explanation

Syslog is a protocol that defines how log messages are sent from one device to a
logging server on an IP network. The sending device sends a small text message to
the Syslog receiver (the logging server).
The Open Vulnerability and Assessment Language (OVAL) is an international
standard for testing, analyzing, and reporting a system's security vulnerabilities.
LC4 (previously called L0phtCrack) is a password cracking tool.
Nmap is a network mapping tool that performs ping and port scans.

References

• 11.3.5 Log File Management Facts

Question 7:
Correct
You are concerned that an attacker can gain access to your web server, make
modifications to the system, and alter the log files to hide his or her actions. Which of
the following actions would BEST protect the log files?
Answer

Configure permissions on the log files to prevent access.

Encrypt the log files.

Take a hash of the log files.
Correct Answer:
Use Syslog to send log entries to another server.

Explanation

The best protection is to save log files to a remote server. In this way, system
compromise does not provide access to that system's log files.
Configuring permissions on the log files would allow access for only specified user
accounts. However, if an attacker has gained access to the system, he or she might
also have access to the user accounts that have been given access to the log files.
Encrypting the log files protects the contents from being read, but this does not
prevent the files from being deleted.
Hashing the log files lets you verify their integrity and detect whether they have
been altered since they were created, but it does not prevent deletion or tampering.

References

• 11.3.5 Log File Management Facts

Question 8:
Correct
You are the network administrator for a growing business. When you were hired, the
organization was small, and only a single switch and router were required to support
your users. During this time, you monitored log messages from your router and
switch directly from each device's console.
The organization has grown considerably in recent months. Now you manage eight
individual switches and three routers. It's becoming more and more difficult to
monitor these devices and stay on top of issues in a timely manner.
What should you do?
Answer

Hire additional resources to help monitor and manage your network infrastructure.

Use a remote access utility, such as SSH, to access router and switch consoles
remotely.
Correct Answer:
Use Syslog to implement centralized logging.

Consolidate network resources down to one or two switches.

Explanation

In this scenario, a cost-effective option would be to implement centralized logging
with Syslog. By default, routers and switches send all log messages regardless of
severity level directly to the console. If a network contains a small number of
devices, this default configuration is usually manageable. However, on a growing
network, it quickly becomes impractical to visit each device to view log messages.
Instead, you can configure your network devices to redirect logging to a Syslog
server somewhere on the network. By doing this, you can view all the log messages
from all the devices from a single location.
Reducing the number of switches on a growing network is generally not advisable.
Using a remote access utility can help alleviate the issue to an extent. However, you
still have to manually connect to and monitor each individual system.
If the network continues to grow, this option will quickly become unviable. It's not
necessary to hire additional administrators in this scenario.

References

• 11.3.5 Log File Management Facts

Question 9:
Correct
Over the past few days, a server has gone offline and rebooted automatically several
times. You would like to see a record of when each of these restarts occurred.
Which log type should you check?
Answer

Firewall

Performance
Correct Answer:
System

Security
Explanation

A system log records operating system, system, and hardware events. The system
log contains entries for when the system was shut down or restarted, when new
hardware was added, and when new services were installed as well.
A performance log records information about system resources, such as processor,
memory, disk, or network utilization.
A firewall log identifies traffic that has been allowed or denied through a firewall.
A security log records information related to logons, such as incorrect passwords
and user right usage.

References

• 11.3.5 Log File Management Facts

Question 10:
Correct
Which log file type is one of the most tedious to parse but can tell you exactly when a
user logged onto your site and what their location was?
Answer

System logs

Application logs
Correct Answer:
Web server logs

Authentication logs

Explanation

Web server logs are some of the most tedious of all logs to parse. However, these
logs can tell you exactly when a user logged onto your site and what their location
was.
Authentication logs are vital to a network's security. Authentication servers may be
Active Directory-based or OpenLDAP depending on your network structure.
System logs are produced by the operating system.
Application logs show application access, crashes, updates, and any other relevant
information that could be valuable in doing root cause analysis.

References

• 11.3.5 Log File Management Facts

Question 1:
You want to identify the traffic that is generated and sent through a network by a
specific application on a device.
Which tool should you use?
Answer
Correct Answer:
Protocol analyzer

TDR

Certifier

Multimeter

Toner probe

Explanation

Use a protocol analyzer (also called a packet sniffer) to examine network traffic. You
can capture or filter packets from a specific device or packets that use a specific
protocol.
Use a time-domain reflectometer (TDR) to measure a cable's length or to identify the
location of a fault in the cable.
A toner probe is a pair of devices used together to trace a wire from a known
endpoint to its termination point in the wiring closet.
A cable certifier is a multi-function tool that verifies that a cable or an installation
meets the requirements for a specific architectural implementation.
A multimeter is a device that tests various electrical properties, such as voltage,
amps, and ohms.

References

• 11.4.1 Network Monitoring
• 11.4.2 Protocol Analyzers
• 11.4.6 Monitor Interface Statistics
• 11.4.7 Configure Netflow on pfSense
• 11.4.9 Network Monitoring Facts

Question 2:
Correct
Which of the following conditions can low humidity result in?
Answer

Condensation

Cold air

Warm air
Correct Answer:
Electrostatic discharge

Explanation

Low humidity can result in electrostatic discharge.
High humidity can result in condensation.
In summer, the air is warmer and can hold more moisture. This makes it more
humid. In the winter, the air is cooler and holds less moisture.

References

• 11.4.9 Network Monitoring Facts

Question 3:
Correct
You are using a protocol analyzer to capture network traffic. You want to only
capture the frames coming from a specific IP address.
Which of the following can you use to simplify this process?
Answer

Display filters

NIC
Correct Answer:
Capture filters

Switch

Explanation

A capture filter records only the frames that the filter identified. Frames that don't
match the filter criteria aren't captured.
A switch connects multiple computers together in a network. It's not used to capture
specific frames.
A network interface card (NIC) is used to transmit and receive frames addressed to
it. It's not used to capture specific frames.
A display filter shows only the frames that match the filter criteria. Frames that don't
match the filter criteria are still captured but not shown.

References

• 11.4.1 Network Monitoring
• 11.4.2 Protocol Analyzers
• 11.4.6 Monitor Interface Statistics
• 11.4.7 Configure Netflow on pfSense
• 11.4.9 Network Monitoring Facts

Question 4:
Correct
Most equipment is cooled by bringing cold air in the front and ducting the heat out
the back. What is the term for where heat is sent?
Answer

Front aisle

Cold aisle
Correct Answer:
Hot aisle

Back aisle

Explanation

The hot aisle is where heat is sent from the servers and network equipment to be
transmitted to the HVAC return vent.
The cold aisle is where the chilled air is sent so that the equipment can duct it
through to cool the devices.
Neither front nor back aisle is the correct term used in environmental controls.

References

• 11.4.1 Network Monitoring
• 11.4.9 Network Monitoring Facts
• 11.4.10 Environmental Monitoring
• 11.4.11 Environmental Monitoring Facts

Question 5:
Correct
You decide to use a packet sniffer to identify the type of traffic sent to a router. You
run the packet sniffing software on a device that's connected to a hub with three
other computers. The hub is connected to a switch that's connected to the router.
When you run the software, you see frames addressed to the four workstations but
not to the router.
Which feature should you configure on the switch?
Answer

Promiscuous mode

Bonding
Correct Answer:
Port mirroring

Spanning Tree Protocol

Explanation

A switch only forwards packets to the switch port that holds a destination device.
This means that when your packet sniffer is connected to a switch port, it does not
see traffic sent to other switch ports. To configure the switch to send all frames to the
packet sniffing device, configure port mirroring on the switch. With port mirroring, all
frames sent to all other switch ports are forwarded on the mirrored port.
Promiscuous mode configures a network adapter to process every frame it sees, not
just the frames addressed to that network adapter. In this scenario, you know that
the packet sniffer is running in promiscuous mode because it can already see frames
sent to other devices.
Bonding logically groups two or more network adapters together to be used at the
same time for a single logical network connection.
Spanning Tree Protocol (STP) runs on a switch and ensures that there is only one
active path between switches while still allowing for redundant backup paths.

References

• 11.4.1 Network Monitoring
• 11.4.2 Protocol Analyzers
• 11.4.6 Monitor Interface Statistics
• 11.4.7 Configure Netflow on pfSense
• 11.4.9 Network Monitoring Facts

Question 6:
Correct
You want to know which protocols are being used on your network. You'd like to
monitor network traffic and sort traffic by protocol.
Which tool should you use?
Answer
Correct Answer:
Packet sniffer

Throughput tester

IDS

Port scanner

IPS

Explanation

A packet sniffer is special software that captures (records) frames that are
transmitted on a network. Use a packet sniffer to:
• Identify the types of traffic on a network.
• View the exchange of packets between communicating devices. For
example, you can capture frames related to the Domain Name System
(DNS) and view the exact exchange of packets for a specific name
resolution request.
• Analyze packets sent to and from a specific device.
• View packet contents.
Use a port scanner to identify protocol ports that are open on a firewall or active on a
device. A port scanner checks individual systems, while a packet sniffer watches
network traffic. A throughput tester measures the amount of data that can be
transferred through a network or processed by a device (such as the amount of data
that can be retrieved from a disk in a specific period of time).
An IDS is a special network device that can detect attacks and suspicious activity. A
passive IDS monitors, logs, and detects security breaches, but it takes no action to
stop or prevent the attack. An active IDS (also called an intrusion prevention system,
or IPS) performs the functions of an IDS, but it can also react when security
breaches occur.

References

• 11.4.1 Network Monitoring
• 11.4.2 Protocol Analyzers
• 11.4.6 Monitor Interface Statistics
• 11.4.7 Configure Netflow on pfSense
• 11.4.9 Network Monitoring Facts

Question 7:
Correct
Which deviation in power is the longest?
Answer

Surge

Transient

Sag
Correct Answer:
Blackout

Explanation

A blackout is generally a longer power outage. The other events are relatively
short, lasting less than a few seconds.

References

• 11.4.11 Environmental Monitoring Facts

Question 8:
Correct
You maintain the network for an industrial manufacturing company. A short-circuit of
a switch in the server room starts an electrical fire.
Which of the following should you use to suppress the fire?
Answer

Water or soda acid

Dry powders
Correct Answer:
Halon or CO2

CO2 or FM200

Explanation

For energized electrical equipment (such as electrical equipment, switches, and
wires), you should use Halon or CO2 to suppress the fire.
For ordinary combustible materials (wood, paper, cloth, plastics, etc.), you should
use water or soda acid to suppress the fire.
For flammable and combustible liquids (petroleum, oil, solvent, alcohol, etc.), you
should use CO2 or FM200 to suppress the fire.
For metal fires (magnesium, titanium, potassium, sodium, etc.), you should use dry
powders to suppress the fire.

References

• 11.4.11 Environmental Monitoring Facts

Question 9:
Correct
Your 24U rack currently houses two 4U server systems. To prevent overheating,
you've installed a rack-mounted environmental monitoring device within the rack.
Currently, the device shows that the temperature within the rack is 70 degrees
Fahrenheit (21 degrees Celsius).
What should you do?
Answer
Correct Answer:
Nothing, the temperature within the rack is within acceptable limits.

Install a humidifier to increase the humidity within the server room.

Install an additional air conditioning unit for the server room.

Reorient the cold aisle within the server room so that it is directed toward the air
conditioner's return duct.

Explanation

The ideal temperature for computing equipment is around 68 degrees Fahrenheit (20
degrees Celsius). Therefore, a reading of 70 degrees Fahrenheit (21 degrees
Celsius) within a server rack is not an issue of concern.
Under the current environmental conditions, installing an additional air conditioning
unit isn't necessary and would be very expensive.
Installing a humidifier in the server room would have no effect on the temperature
within the room and is not warranted given the scenario.
Reorienting the cold aisle within the server room so that it's directed toward the air
conditioner's return duct would likely cause the temperature within the server room to
increase.

References

• 11.4.11 Environmental Monitoring Facts

Question 10:
Correct
Which of the following ensures that power is supplied to a server or device during
short power outages?
Answer

Line conditioner
Correct Answer:
Uninterruptible power supply

Backup generator

Surge protector

Explanation

An uninterruptible power supply (UPS) provides continuous power using batteries for
a short period of time. Often, it is paired with a backup generator that can provide
power over a longer time period.
Although a UPS often contains both surge protection and line conditioning, neither
can maintain power during an outage.

References

• 11.4.11 Environmental Monitoring Facts

Question 1:
In business continuity planning, what is the primary focus of the scope?
Answer

Company assets

Recovery time objective
Correct Answer:
Business processes

Human life and safety

Explanation

Business processes are the primary focus of the scope within business continuity
planning (BCP).
Company assets are the focus of risk assessment for security policy development,
not BCP.
Human life and safety are considerations for emergency response, not BCP.
Recovery time objective (RTO) is a recovery metric set during business impact analysis and
disaster recovery planning; it is not the scope of the BCP.

References

• 11.5.2 Plans and Procedure Facts



Question 2:
Correct
You plan to implement a new security device on your network. Which of the following
policies outlines the process you should follow before you implement that device?
Answer

Service Level Agreement


Correct Answer:
Change Management

Acceptable Use

Resource Allocation

Explanation

A Change Management Policy provides a structured approach to secure company
assets and make changes to those assets. This type of policy:
• Establishes hardware, software, and infrastructure configurations that are
to be deployed universally throughout the corporation.
• Tracks and documents significant changes to the infrastructure.
• Assesses the risk of implementing new processes, hardware, or software.
• Ensures that proper testing and approval processes are followed before
changes are allowed.
An Acceptable Use Policy (AUP) identifies the employees' rights to use company
property, such as internet access and computer equipment, for personal use.
A Resource Allocation Policy outlines how resources are allocated. Resources could
include staffing, technology, or budgets.
Service Level Agreements (SLAs), sometimes called maintenance contracts,
guarantee a network client a certain quality of service from the provider.

References

• 11.5.2 Plans and Procedure Facts



Question 3:
Correct
Which of the following pieces of information are you MOST likely to find in a policy
document?
Answer
Correct Answer:
A requirement for using encrypted communications for web transactions

Steps for completing and validating nightly backups

The IP address assigned to a router interface

Average performance statistics for a router

Explanation

A policy is a document that describes the overall goals and requirements for a
network. A policy identifies what should be done, but it doesn't necessarily define
how the goal is to be reached. In this question, a policy might contain a requirement
that encrypted communications are required for web transactions. The policy does
not state the method that will be deployed, just that encryption is a requirement.
The type of encryption to be used, along with the process for implementing it, would
be included in a procedure document. A procedure is a step-by-step process
outlining how to implement a specific action. As another example, a procedure
document might include steps for completing and validating nightly backups.
You might find the IP address for a device's interface in the configuration
documentation or a network diagram. A baseline is a snapshot of the performance
statistics for your network and devices. A baseline would include a router's average
performance information.

References

• 11.5.2 Plans and Procedure Facts



Question 4:
Correct
Which of the following information are you MOST likely to find in a procedure
document?
Answer

A record of the repairs made to a specific device


Correct Answer:
Details on how to test and deploy patches

An inventory of the hardware components inside a specific device

The relationship of routers to other routers on the network

Explanation

A procedure is a step-by-step process outlining how to implement a specific action.
For example, you might have a procedure document that identifies how patches are
tested and applied within your network.
Change, or history, documentation keeps track of changes to device or network
configuration. For example, you might record a change in a network interface card or
to a WAN link.
Configuration documentation identifies specific configuration information for a device.
For example, the document might identify the hardware components within a device.
A network diagram shows the logical and/or physical layout of your network. The
network diagram could be a collection of diagrams showing the location and IP
addresses of hubs, switches, routers, and firewalls.

References

• 11.5.2 Plans and Procedure Facts



Question 5:
Correct
Which of the following is a contract in which both parties agree not to share
proprietary or confidential information gathered during the business relationship?
Answer
Correct Answer:
Non-Disclosure Agreement

Non-Compete Agreement

Service Level Agreement

Memorandum of Understanding

Explanation

A Non-Disclosure Agreement (NDA) is a contract in which both parties agree not to
share proprietary or confidential information gathered during the business
relationship.
A Non-Compete Agreement, a Service Level Agreement, and a Memorandum of
Understanding are initiated at the start of a third-party relationship, but they do not
address the sharing of confidential information.

References

• 11.5.5 Documentation and Agreements
• 11.5.6 Documentation and Agreements Facts

Question 6:
Correct
Which of the following defines an Acceptable Use Agreement?
Answer
Correct Answer:
An agreement that identifies the employees' rights to use company property, such as
internet access and computer equipment, for personal use.

An agreement that outlines the organization's monitoring activities.

A legal contract between the organization and the employee that specifies that the
employee is not to disclose the organization's confidential information.

An agreement that prohibits an employee from working for a competing organization
for a specified time after the employee leaves the organization.

Explanation

An Acceptable Use Agreement identifies the employees' rights to use company
property, such as internet access and computer equipment, for personal use.
A Non-Compete Agreement prohibits an employee from working for a competing
organization for a specified time after the employee leaves the organization.
An Employee Monitoring Agreement outlines the organization's monitoring activities.
A Non-Disclosure Agreement (NDA) is a legal contract between the organization and
the employee that specifies that the employee is not to disclose the organization's
confidential information.

References

• 11.5.6 Documentation and Agreements Facts



Question 7:
Correct
You want to make sure that the correct ports on a firewall are open or closed. Which
document should you check?
Answer
Correct Answer:
Baseline configurations

Intermediate distribution frame

Wireless site survey

Wiring schematic

Explanation

Baseline configuration documentation identifies specific configuration information for
a device. For example, a configuration document for a firewall might include
information about the IP addresses assigned to each interface and open firewall
ports.
A wiring diagram is a type of network diagram that focuses on the physical
connections between devices.
A site survey ensures that a wireless network performs as desired.
A traditional intermediate distribution frame is a smaller wiring distribution frame or
rack within a building.

References

• 11.5.6 Documentation and Agreements Facts


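A baseline document only answers the question above if someone actually compares it with the device. The following added example (not part of the TestOut material) shows that comparison in Python: it parses a constructed baseline document listing which ports must be open or closed, parses a constructed port listing from a hypothetical firewall named fw-01, and reports three kinds of drift. Every port, state and device name in it is made up for illustration.

```python
"""Configuration-drift check: compare the open/closed ports recorded in a
firewall's baseline configuration document with the ports it actually has
open.  Added example; the baseline text, the device name fw-01 and the
port listing are constructed, not taken from any real device."""

# Constructed baseline configuration document: port/proto, required state, purpose.
BASELINE_DOC = """\
# Baseline configuration, edge firewall fw-01 (constructed example)
# port/proto  state   purpose
22/tcp        open    SSH management, admin VLAN only
80/tcp        open    HTTP redirect to HTTPS
443/tcp       open    public web site
23/tcp        closed  telnet is prohibited
3389/tcp      closed  RDP must never be reachable from the internet
"""

# Constructed output of a hypothetical 'show ports' command on the same firewall.
LIVE_LISTING = """\
22/tcp    open
80/tcp    open
443/tcp   open
3389/tcp  open
8080/tcp  open
"""


def _port_key(port_proto):
    """Sort '443/tcp' numerically rather than lexically."""
    return int(port_proto.split("/")[0])


def parse_baseline(text):
    """Return {port/proto: 'open'|'closed'} from the baseline document,
    ignoring comments, blank lines and the free-text purpose column."""
    expected = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        port_proto, state, *_purpose = line.split()
        if state not in ("open", "closed"):
            raise ValueError(f"unknown state {state!r} for {port_proto}")
        expected[port_proto] = state
    return expected


def parse_live(text):
    """Return {port/proto: state} from the device's port listing."""
    live = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            port_proto, state = line.split()
            live[port_proto] = state
    return live


def find_drift(expected, live):
    """Return three sorted lists: ports the baseline requires closed but are
    open, ports the baseline requires open but are not, and open ports the
    baseline never documents (these need a decision, not a guess)."""
    must_close = [p for p, s in expected.items() if s == "closed" and live.get(p) == "open"]
    must_open = [p for p, s in expected.items() if s == "open" and live.get(p) != "open"]
    undocumented = [p for p, s in live.items() if s == "open" and p not in expected]
    return (sorted(must_close, key=_port_key),
            sorted(must_open, key=_port_key),
            sorted(undocumented, key=_port_key))


def drift_report(baseline_text=BASELINE_DOC, live_text=LIVE_LISTING):
    """Parse both documents and return the drift tuple."""
    return find_drift(parse_baseline(baseline_text), parse_live(live_text))


if __name__ == "__main__":
    must_close, must_open, undocumented = drift_report()
    print("open but baseline says closed:", must_close)
    print("closed but baseline says open:", must_open)
    print("open and not in baseline:     ", undocumented)
```

With the constructed input, 3389/tcp is flagged for closure, nothing required-open is missing, and 8080/tcp is reported as undocumented; a port that the baseline marks closed and that simply does not appear in the listing (23/tcp here) is treated as closed and raises nothing.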

Question 8:
Correct
Which of the following provides a layout of all electrical, plumbing, HVAC, and
networking wiring and components?
Answer

Network diagram

Wiring diagram

Rack diagram
Correct Answer:
Floor plan

Explanation

A floor plan provides a layout of all electrical, plumbing, HVAC, and networking
wiring and components.
A rack diagram, network diagram, and wiring diagram provide layouts for networking
infrastructure, but they do not include electrical, plumbing, and HVAC information.

References

• 11.5.6 Documentation and Agreements Facts



Question 9:
Correct
Which of the following provides information on the subnets within your network,
including the subnet addresses and the routers connecting each subnet?
Answer

Floor plan
Correct Answer:
Network diagram

Wiring diagram

Rack diagram

Explanation

A network diagram includes a layout of the subnets within your network, including
the subnet addresses and the routers connecting each subnet.
A wiring diagram, rack diagram, and floor plan provide information about your
physical network, but they do not include subnet information.
References

• 11.5.6 Documentation and Agreements Facts



Question 10:
Correct
Which type of documentation would you consult to find the location of RJ45 wall
jacks and their endpoints in the intermediate distribution closet?
Answer

Baseline
Correct Answer:
Wiring schematic

Procedure

Policy

Explanation

A wiring schematic is a type of network diagram that focuses on the physical
connections between devices. The wiring diagram typically shows:
• The location of drop cables and ports within offices or cubicles.
• The path that wires take between wiring closets and offices.
• A labeling scheme that matches endpoints in offices and cubicles with
specific switch ports or punch down block locations.
A baseline is a record that shows normal network statistics.
A policy is a document that describes the overall goals and requirements for a
network. A policy identifies what should be done, but it doesn't necessarily define
how the goal is to be reached.
A procedure is a step-by-step process outlining how to implement a specific action. A
procedure is guided by goals defined in the policy but goes beyond it by identifying
specific steps that are to be implemented.

References

• 3.6.8 Data Center Device Installation
• 3.6.9 Data Center Device Installation Facts
• 11.5.5 Documentation and Agreements
• 11.5.6 Documentation and Agreements Facts
You manage your company's website, which uses a cluster of two servers with a
single shared storage device. The shared storage device uses a RAID 1
configuration. Each server has a single connection to the shared storage and a
single connection to your ISP.
You want to provide redundancy so that a failure on a single component doesn't
cause the website to become unavailable. What should you add to your configuration
to accomplish this?
Answer

On each server, add a second network connection to connect the server to the
shared storage device.
Correct Answer:
Connect one server to the internet through a different ISP.

On each server, add a second network connection to the internet.

Reconfigure the disk array in a RAID 1+0 configuration.

Explanation

In this scenario, the ISP is the single point of failure. If the ISP connection goes
down, the website will be unavailable. Connecting one server to a different ISP or
both servers to two ISPs provides redundancy for the connection.
Adding multiple network connections to the shared storage or the same ISP is
unnecessary because if the single network connection on one server fails, the other
server will still be available. Reconfiguring the storage as a RAID 1+0 allows multiple
disk failures, but RAID 1 can sustain a failure on a single disk.

References

• 11.6.3 Redundancy and High Availability Facts



Question 2:
Correct
Why should you store backup media off site?
Answer

To make the restoration process more efficient

To reduce the possibility of theft


Correct Answer:
To prevent the same disaster from affecting both the network and the backup media
To comply with government regulations

Explanation

Backup media should be stored off site to prevent the same disaster from affecting
both the network and the backup media. If your primary facility is destroyed, the
off-site copies are your only path to recovery.
Off-site storage does not significantly reduce the possibility of media theft, because
the media can be stolen in transit or at the storage location.
Off-site storage is not, by itself, a government regulation.
Off-site storage does not make the restoration process more efficient, because
additional time is spent retrieving the backup media from the off-site location.

References

• 11.6.3 Redundancy and High Availability Facts



Question 3:
Correct
In addition to performing regular backups, what must you do to protect your system
from data loss?
Answer
Correct Answer:
Regularly test restoration procedures.

Write-protect all backup media.

Restrict restoration privileges to system administrators.

Store the backup media in an on-site fireproof vault.

Explanation

The only way to ensure that you have protection against data loss is to regularly test
your restoration procedures. This activity reveals whether or not your backup
process functions properly and your restoration and recovery procedures are
accurate.
It's a good idea to store backup media in a fireproof vault, but it's a better idea to
store it off site.
You should restrict restoration privileges to trusted staff to prevent confidentiality
violations. However, this does not address the issue of data loss protection.
Write-protecting backup media provides little real security for the stored data
because anyone can flip the switch on the media to remove the protection.
References

• 11.6.3 Redundancy and High Availability Facts



Question 4:
Correct
You have purchased a solar backup power device to provide temporary electrical
power to critical systems in your data center should the power provided by the
electrical utility company go out. The solar panel array captures sunlight, converts it
into direct current (DC), and stores it in large batteries.
The power supplies on the servers, switches, and routers in your data center require
alternating current (AC) to operate.
Which electrical device should you implement to convert the DC power stored in the
batteries into AC power that can be used in the data center?
Answer
Correct Answer:
Inverter

Capacitor

Transformer

Transistor

Explanation

A power inverter changes direct current (DC) power to alternating current (AC)
power. In this scenario, you can use a power inverter to convert the DC power stored
in the batteries to AC power that your servers, switches, and routers can use in an
emergency.
A transformer is typically used to increase or decrease AC power voltage.
A capacitor temporarily stores an electrical charge. Capacitors are used with the
chips on a computer memory module that store data.
A transistor is used to amplify and switch electrical signals.

References

• 11.6.5 Power Management Facts



Question 5:
Correct
Which of the following is the least effective power loss protection for computer
systems?
Answer

Backup power generator

Secondary power source


Correct Answer:
Surge protector

Uninterruptible power supply

Explanation

A surge protector provides no power loss protection.
A UPS, a secondary power source, and a backup power generator all provide
reasonable protection from power loss.

References

• 11.6.5 Power Management Facts



Question 6:
Correct
You are adding a new rack to your data center, which will house two new blade
servers and a new switch. The new servers will be used for virtualization.
The only space you have available in the data center is on the opposite side of the
room from your existing rack, which already houses several servers, a switch, and a
router. You plan to configure a trunk port on each switch and connect them with a
straight-through UTP cable that will run across the floor of the data center.
To protect equipment from power failures, you also plan to install a UPS on the rack
along with redundant power supplies for the server.
Will this configuration work?
Answer

No, you must use a cross-over cable to connect the two switches together.

Yes, this configuration complies with data center best practices.


Correct Answer:
No, you should not run a cable across the data center floor.

No, you must implement the UPS and power supplies on the rack externally.

No, you should not use blade servers for virtualization.


Explanation

In this scenario, running a cable across the data center floor represents a tripping
hazard. It also represents a point of failure, as the cable will be walked on constantly,
resulting in it being kicked out of one or both jacks. It will also likely fail prematurely
due to the excessive wear. A better option would be to run the cable through the
ceiling plenum.
Blade servers work well for virtualization as long as they meet the system
requirements for the hypervisor software. In the early days of networking, crossover
cables were required to uplink two hubs or switches together. However, most
modern switches implement auto-MDIX, which detects whether crossover is required
and automatically configures the interface for you, making a crossover cable
unnecessary. Rack-mounted power supplies and UPS devices are commonly used
in data centers.

References

• 11.6.5 Power Management Facts



Question 7:
Correct
You are adding a new rack to your data center, which will house two new blade
servers and a new switch. The new servers will be used for file storage and a
database server.
The only space you have available in the data center is on the opposite side of the
room from your existing rack, which already houses several servers, a switch, and a
router. You plan to configure a trunk port on each switch and connect them with a
crossover UTP plenum cable that will run through the suspended tile ceiling in the
data center.
To provide power for the new devices, you had an electrician install several new 20-
amp wall outlets near the new rack. Each device on the rack will be plugged directly
into one of these new wall outlets.
What is wrong with this configuration? (Select two.)
Answer
Correct Answer:
You should implement redundant power supplies for the network devices.
Correct Answer:
You should implement a UPS between the wall outlet and the network devices.

You should not connect networking equipment to a 20-amp wall circuit.

You must use a straight-through cable to connect the two switches together.

You should not run a plenum cable through a suspended tile ceiling.
Explanation

In this scenario, all the devices on the new rack will go down if the power from the
wall outlet fails for some reason (such as a power outage). To prevent this from
happening, you should implement a UPS between the wall outlets and the network
devices. In addition, the power supplies used by computing equipment have finite life
spans and fail frequently. Because these are mission-critical devices, you should
consider implementing redundant power supplies.
Plenum network cabling is specifically designed to run through a suspended tile
ceiling. The space between the suspended tile and the physical ceiling is called a
ceiling plenum.
In the early days of networking, crossover cables were required to uplink two hubs or
switches together. However, most modern switches implement auto-MDIX, which
detects whether crossover is required and automatically configures the interface,
allowing you to use either a crossover or straight-through cable. Using a 20-amp
circuit for networking equipment is considered a data center best practice.
Connecting too many devices to a standard 15-amp wall circuit can overload it and
trip its breaker.

References

• 11.6.5 Power Management Facts



Question 8:
Correct
Which of the following devices accepts incoming client requests and distributes
those requests to specific servers?
Answer
Correct Answer:
Load balancer

CSU/DSU

Media converter

Caching engine

Explanation

A load balancer is a device that accepts incoming client requests and distributes
those requests to multiple servers. One goal of load balancing is to distribute client
requests evenly between multiple servers to improve performance.
A CSU/DSU (Channel Service Unit/Data Service Unit) is a device that converts the
signal received from the WAN provider into a signal that can be used by equipment
at the customer site.
A caching engine saves copies of frequently used content, eliminating the need to
download the content each time it's requested.
A media converter converts signals used on one media type (such as twisted-pair
Ethernet) to another media type (such as fiber optic).

References

• 11.6.3 Redundancy and High Availability Facts


• 11.6.11 NIC Teaming Facts
• 11.6.12 Configure a Load Balancing Server

Question 9:
Correct
What is the purpose of using Ethernet bonding? (Select two.)
Answer
Correct Answer:
Provides a failover solution for network adapters

Increases read and write operations between the system bus and network adapters

Provides increased bus speeds


Correct Answer:
Increases network performance

Enables dual remote access (DRA) over a WAN link

Explanation

For a true fault-tolerant strategy, you must consider all system components. Ethernet
bonding (also called adapter teaming) is a fault-tolerant strategy that uses multiple
network adapters configured on a failover solution. In the event of a NIC failure,
other adapters automatically provide link redundancy. Multiple adapters can also
increase performance by distributing the network load between adapters.
Ethernet bonding does not provide increased bus speeds, increase read and write
operations between the system bus and network adapters, or enable dual remote
access (DRA) over a WAN link.

References

• 11.6.3 Redundancy and High Availability Facts


• 11.6.8 Set Up NIC Teaming
• 11.6.10 Configure Linux Network Bonding
• 11.6.11 NIC Teaming Facts

Question 10:
Correct
A web server on your network hosts your company's public website. You want to
make sure that a NIC failure on the server does not prevent the website from being
accessible on the internet.
Which solution should you implement?
Answer

QoS
Correct Answer:
Ethernet bonding

Spanning Tree

Traffic shaping

Explanation

Ethernet bonding (also called NIC teaming) logically groups two or more physical
connections to the same network. If one NIC fails, the second NIC with a connection
to the same network can still be used.
Spanning Tree is a switch protocol that manages redundant links between switches by
blocking the extra paths to prevent loops; it does not protect against a failed NIC on
a server.
A traffic shaper (also called a bandwidth shaper) is a device that's capable of
modifying the flow of data through a network in response to network traffic
conditions.
Quality of Service (QoS) refers to a set of mechanisms that try to guarantee timely
delivery or minimal delay of important or time-sensitive communications. QoS is
particularly important when you implement Voice over IP (VoIP), Video over IP, or
online gaming, where delay or data loss make the overall experience unacceptable.

References

• 11.6.3 Redundancy and High Availability Facts


• 11.6.8 Set Up NIC Teaming
• 11.6.10 Configure Linux Network Bonding
• 11.6.11 NIC Teaming Facts
Which of the following are backed up during a differential backup?
Answer

Only files that have been added since the last full or incremental backup.

Only files that have changed since the last full or incremental backup.
Correct Answer:
Only files that have changed since the last full backup.

Only files that have changed since the last full or differential backup.

Explanation

A differential backup only captures files that have changed since the last full backup.
This backup strategy can create a shorter restoration time than an incremental
backup, but this may consume more disk space, depending on the frequency of file
changes. Restoration is a two-step process. You first load the last full backup and
then finish the restoration by loading the last differential backup.

References

• 11.7.3 Data Backup and Storage Facts



Question 2:
Correct
Which backup strategy backs up only files that have the archive bit set and does not
mark them?
Answer

Incremental

Full

Normal
Correct Answer:
Differential

Explanation

A differential backup backs up only files that have the archive bit set, and it does not
mark them as having been backed up.
A full backup backs up all files regardless of whether the archive bit is set or not. An
incremental backup backs up only files that have the archive bit set, but it marks
them as having been backed up. A normal backup is a type of backup that is unique
to the [Link] utility on the Windows server. This type also flags the files
as having been backed up.

References

• 11.7.3 Data Backup and Storage Facts



Question 3:
Correct
Which backup strategy backs up all files from a computer's file system (regardless of
whether the file's archive bit is set or not) and then marks them as backed up?
Answer

Copy
Correct Answer:
Full

Differential

Incremental

Explanation

A full backup backs up all files from a computer's file system regardless of whether a
file's archive bit is turned on or off. It also marks them as backed up.
Incremental and differential backups only back up files that have their archive bit set.
The copy backup strategy is used by the [Link] backup utility on
Windows servers. It backs up all files regardless of whether the archive bit is set.
However, it does not mark them as backed up.

References

• 11.7.3 Data Backup and Storage Facts



Question 4:
Correct
Your network performs a full backup every night. Each Sunday, the previous night's
backup tape is archived.
On a Wednesday morning, the storage system fails. How many restore operations
would you need to perform to recover all of the data?
Answer
Correct Answer:
One

Two

Three

Four

Explanation

You would need to perform a single restore procedure. You would simply restore the
most recent full backup, the one taken on Tuesday night, to recover all of the data.
The fact that you archived one backup each week is irrelevant to restoring the latest
data. The archived copy is only used to restore something to a specific point in time.
If you had used full and differential backups, you would restore the last full and last
differential backups. If you had used full and incremental backups, you would restore
the last full and each subsequent incremental backup.

References

• 11.7.3 Data Backup and Storage Facts



Question 5:
Correct
Of the following restoration processes, which would result in the fastest restoration of
all data if a system failure occurred on Friday?
Answer

Restore the full backup from Sunday and the last incremental backup.
Correct Answer:
Restore the full backup from Sunday and the last differential backup.

Restore the full backup from Sunday and all incremental backups.

Restore the full backup from Sunday and all differential backups.

Explanation

The fastest method for restoring data to its most current state is to restore the full
backup and then the last differential backup. Differential backups include all changes
since the last full backup (or any other backup method that reset the archive bit).
Restoring the full backup and only the last incremental backup is an incomplete
restore, because every incremental backup taken since the full must be applied, and
restoring several backup sets is slower than restoring a single set. Restoring all of
the differential backups is unnecessary, because the last differential already contains
every change since the full backup.

References

• 11.7.3 Data Backup and Storage Facts



Question 6:
Correct
Your disaster recovery plan (DRP) calls for backup media to be stored at a different
location. The location is a safe deposit box at the local bank. Because of this, the
disaster recovery plan specifies that you must choose a method that uses the least
amount of backup media but also allows you to quickly back up and restore files.
Which backup strategy would BEST meet the DRP's specifications?
Answer

Perform a full backup each day of the week.

Perform a full backup once per week and an incremental backup the other days of
the week.

Perform a full backup once per month and an incremental backup the other days of
the month.
Correct Answer:
Perform a full backup once per week and a differential backup the other days of the
week.

Explanation

Performing a full backup once per week and a differential backup the other days of
the week would best meet this disaster recovery plan's specifications. The full
backup backs up all files, usually to one tape, but the process can be time-
consuming. The differential backup backs up all files since the last full backup.
Performing a full backup each day would meet the requirement of using as few tapes
as possible, but that backup process would be very time-consuming each day.
Performing a full backup once per week and an incremental backup the other days of
the week would be one of the fastest methods for backing up files, but it would
require many tapes to complete the restore. The incremental backup only backs up
files added or changed since the last backup. Because of this, in order to do a
complete restore of the file system, you'd need a tape for each day of the week that
the incremental backup ran.
Performing a full backup once per month and an incremental backup the other days
of the month would be the fastest method to back up files, but it would require many
tapes to complete. This process only backs up files added or changed since the last
backup. Because of this, in order to do a complete restore of the file system, you'd
need a tape for each day of the month that the incremental backup ran.

References

• 11.7.3 Data Backup and Storage Facts



Question 7:
Correct
Your network uses the following backup strategy. You create:
• Full backups every Sunday night.
• Differential backups Monday night through Saturday night.
On Thursday morning, the storage system fails. How many restore operations would
you need to perform to recover all of the data?
Answer

One
Correct Answer:
Two

Three

Four

Explanation

You would need to perform two restore procedures. You would do the following:
1. Restore the full backup from Sunday.
2. Restore the differential backup from Wednesday.
If you did a full backup every night, you would restore only a single backup
(Wednesday's backup). If you did full backups with incremental backups, you would
restore the last full backup along with each incremental backup.

References

• 11.7.3 Data Backup and Storage Facts



Question 8:
Correct
Which of the following are backed up during an incremental backup?
Answer

Only files that are new since the last full or incremental backup.
Only files that have changed since the last full backup.
Correct Answer:
Only files that have changed since the last full or incremental backup.

Only files that have changed since the last full or differential backup.

Explanation

An incremental backup only captures files that have changed since the last full or
incremental backup. The primary attraction to this backup plan is that it requires less
storage space and processing time to complete. Restoration starts from the last full
backup and then requires the loading of each subsequent incremental backup for a
full restoration.

References

• 11.7.3 Data Backup and Storage Facts



Question 9:
Correct
Your network uses the following backup strategy. You create:
• Full backups every Sunday night.
• Incremental backups Monday night through Saturday night.
On a Thursday morning, the storage system fails. How many restore operations
would you need to perform to recover all of the data?
Answer

One

Two

Three
Correct Answer:
Four

Five

Explanation

In this scenario, you would need to perform the following four restore procedures:
1. Restore the full backup from Sunday.
2. Restore the incremental backup from Monday.
3. Restore the incremental backup from Tuesday.
4. Restore the incremental backup from Wednesday.
If you did a full backup every night, you would restore only a single backup
(Wednesday's backup). If you did full backups with differential backups, you would
restore the last full backup along with the last differential backup.

References

• 11.7.3 Data Backup and Storage Facts


q_backup_restore_incremental_03_np6.[Link]

Question 10:
Correct
Which of the following describe a system image backup?
Answer

A system image does not include operating system files, program files, encrypted
files, files in the Recycle Bin, user profile settings, or temporary files.

A system image includes only specified files and folders backed up to a compressed
file.
Correct Answer:
A system image contains everything on the system volume, including the operating
system, installed programs, drivers, and user data files.

A system image only contains the operating system, installed programs, drivers, and
user profile settings.

Explanation

A system image backup consists of an entire volume. It contains everything on the
system volume, including the operating system, installed programs, drivers, and user
data files.
A file backup includes specified files and folders that were backed up to a
compressed file. File backups do not include operating system files, program files,
encrypted files (including EFS-encrypted files), files in the Recycle Bin, user profile
settings, or temporary files.

References

• 11.7.3 Data Backup and Storage Facts


q_backup_restore_system_np6.[Link]
Which port does Remote Desktop use?
Answer

Port 135
Correct Answer:
Port 3389

Port 23

Port 22

Explanation

By default, Remote Desktop requires port 3389.
Secure Shell (SSH) uses port 22.
Telnet uses port 23.
MMC snap-ins require an exception for Remote Administration, which opens ports
135 and 445.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_3389_np6.[Link]

Question 2:
Correct
Which of the following is a tool that allows access to the graphical desktop
environment of another Windows client system over a network connection?
Answer

VPN
Correct Answer:
Remote Desktop

SSH

Remote Desktop Gateway

Explanation

Remote Desktop is a software tool that allows access to the graphical desktop
environment of another Windows client system over a network connection.
While SSH and VPNs help to provide remote access, they are not specific to
Windows client systems.
The Remote Desktop Gateway is not the software tool used to directly provide the
graphical desktop environment to the user.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_desktop_np6.[Link]

Question 3:
Correct
Which of the following is a role service that allows users with the Remote Desktop
Connection client and an internet connection to connect on an internal network?
Answer

Remote Desktop

RD RAP
Correct Answer:
RD Gateway

RD CAP

Explanation

Remote Desktop Gateway (RD Gateway) is a role service that allows users with the
Remote Desktop Connection client and an internet connection to connect on an
internal network.
A Remote Desktop Resource Authorization Policy (RD RAP) identifies the internal
resources that users can access.
A Remote Desktop Connection Authorization Policy (RD CAP) identifies the users
who can establish a connection through the RD Gateway server.
Remote Desktop is a software tool.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_gateway_np6.[Link]

Question 4:
Correct
You are the desktop administrator for your company. You would like to manage the
computers remotely using a tool with a graphical user interface (GUI).
Which of the following actions can you take to accomplish this?
Answer

Use Telnet to connect to each computer.

Send an assistance invitation.

Run Remote Shell to manage each computer.


Correct Answer:
Establish a Remote Desktop connection to each computer.

Explanation

To remotely manage computers using a graphical user interface, you can use
Remote Desktop to establish a connection to each computer.
Use Remote Shell and Telnet to execute commands on a remote computer.
You initiate a Remote Assistance session by sending an assistance invitation.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_gui_np6.[Link]

Question 5:
Correct
You manage a server at work that has just been configured with a new application.
Consequently, the server has crashed several times during the last week. You think
that you've resolved the problem, but you'd like to be able to manage the server
remotely just in case more issues occur.
Which of the following protocols should you use for remote management? (Select
two.)
Answer
Correct Answer:
VNC

L2TP
Correct Answer:
ICA

PPP

PPTP

Explanation

Use a remote access protocol to remotely manage devices. A remote access
protocol allows you to interact with a computer's desktop without being present at the
console. There are multiple protocols you can use for remote desktop connections.
• Virtual Network Computing (VNC) was originally designed for UNIX.
Applications that use VNC include RealVNC, TightVNC, UltraVNC, and
Vine Server.
• Independent Computing Architecture (ICA) is the protocol used by Citrix
products (WinFrame and MetaFrame/XenApp).
• Remote Desktop Protocol (RDP) is the protocol developed by Microsoft
and used in Microsoft's Terminal, Remote Desktop, and Remote
Assistance solutions. Aqua Connect has now licensed RDP and created a
version for Mac OS X.
PPP (Point-to-Point Protocol) is a protocol that's used to control remote access. PPP
allows the authentication, authorization, and accounting of remote access
connections.
PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) are
VPN protocols that provide a secure connection to a destination host or network
through the internet.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_protocols_np6.[Link]

Question 6:
Correct
Which of the following protocols or services would you associate with Windows
Remote Desktop network traffic?
Answer
Correct Answer:
RDP

WPA

NNTP

RD RAP
Explanation

Remote Desktop Protocol (RDP) is used by Windows Remote Desktop applications,
including Remote Desktop Connection.
A Remote Desktop Resource Authorization Policy (RD RAP) identifies the internal
resources that users can access.
Network News Transport Protocol (NNTP) is used to access newsgroups and
download messages. It is not associated with Windows Terminal.
Wi-Fi Protected Access (WPA) is a security mechanism designed to provide
protection on wireless networks. It is not associated with Windows Terminal.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_rdp_01_np6.[Link]

Question 7:
Correct
You are in the middle of a big project at work. All of your work files are on a server at
the office. You want to be able to access the server desktop, open and edit files,
save the files on the server, and print files to a printer that's connected to a computer
at home.
Which protocol should you use?
Answer
Correct Answer:
RDP

SSH

Telnet

FTP

Explanation

To access the server's desktop, use Remote Desktop Protocol (RDP). RDP is
Microsoft's own remote access protocol, but other available protocols include VNC
and ICA. With this remote desktop solution, you can access a device's desktop and
work with applications and files on that device. Device redirection allows you to
redirect sound, drives, or printing at the remote computer to your local computer.
Telnet and SSH are command line utilities used for remote management.
FTP (File Transfer Protocol) is used for file transfer. While you might use this
protocol to transfer files, it does not give you access to a remote system's desktop.
References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_rdp_02_np6.[Link]

Question 8:
Correct
You just deployed a new Cisco router that connects several network segments in
your organization.
The router is physically located in a server room that requires an ID card for access.
You backed up the router configuration to a remote location with an encrypted file.
You access the router configuration interface from your notebook computer using a
Telnet client with the username admin and the password admin. You used the MD5
hashing algorithm to protect the password.
What else should you do to increase the security of this device? (Select two.)
Answer

Use TFTP to back up the router configuration to a remote location.


Correct Answer:
Use an SSH client to access the router configuration.
Correct Answer:
Change the default administrative username and password.

Use a web browser to access the router configuration using an HTTP connection.

Use encrypted Type 7 passwords.

Explanation

In this scenario, you need to address the following two key security issues:
• You should use an SSH (Secure Shell) client to access the router
configuration. Telnet transfers data over the network connection in
cleartext, exposing sensitive data to sniffing.
• You should change the default administrative username and password.
Default usernames and passwords are readily available from websites on
the internet.
Encrypted Type 7 passwords on a Cisco device are less secure than those protected
with MD5.
Using HTTP and TFTP (Trivial File Transfer Protocol) to manage the router
configuration could expose sensitive information to sniffers, as they transmit data in
cleartext.

References
• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_ssh_01_np6.[Link]

Question 9:
Correct
Which of the following is a protocol used for terminal emulation?
Answer

RDP

ICA
Correct Answer:
SSH

VNC

Explanation

Most administrators use Secure Shell (SSH) for terminal emulation.
VNC, ICA, and RDP are remote access protocols.

References

• 11.8.1 Remote Management
• 11.8.2 Use Remote Desktop
• 11.8.4 Remote Management Facts
q_remote_manage_ssh_02_np6.[Link]

Question 10:
Correct
Which of the following remote protocols was originally designed for UNIX?
Answer

VPN

RDP

ICA
Correct Answer:
VNC

Explanation
Virtual Network Computing (VNC) was originally designed for UNIX.
ICA, VPN, and RDP are remote desktop protocols. However, they were not originally
designed for UNIX.
You can use a virtual private network (VPN) for remote access, but it is not a
protocol that was originally designed for UNIX.

References

• 11.8.4 Remote Management Facts


q_remote_manage_vnc_np6.[Link]
Which of the following BEST describes an inside attacker?
Answer
Correct Answer:
An unintentional threat actor (the most common threat).

An attacker with lots of resources and money at their disposal.

A good individual who tries to help a company see their vulnerabilities.

An agent who uses their technical knowledge to bypass security.

Explanation

An insider could be a customer, a janitor, or even a security guard. But most of the
time, it's an employee. Employees pose one of the biggest threats to any
organization, as an unintentional threat actor is the most common insider threat.
A hacker is any threat agent who uses their technical knowledge to bypass security,
exploit a vulnerability, or gain access to protected information.
An authorized hacker is a good individual who tries to help a company see the
vulnerabilities that exist in their security infrastructure.
Attacks from nation states are generally extremely well-supported and funded.

References

• 12.1.2 Security Concepts Facts


q_security_concepts_insider_np6.[Link]

Question 2:
Correct
Which of the following is an example of an internal threat?
Answer

A water pipe in the server room breaks.

A server backdoor allows an attacker on the internet to gain access to the intranet
site.

A delivery man is able to walk into a controlled area and steal a laptop.
Correct Answer:
A user accidentally deletes the new product designs.

Explanation

Internal threats are intentional or accidental acts by employees, including:
• Malicious acts such as theft, fraud, or sabotage.
• Intentional or unintentional actions that destroy or alter data.
• Disclosing sensitive information through snooping or espionage.
External threats are the events that originate outside of the organization and typically
focus on compromising the organization's information assets. Examples are hackers,
fraud perpetrators, and viruses.
Natural events are events that may reasonably be expected to occur over time.
Examples are a fire or a broken water pipe.

References

• 12.1.2 Security Concepts Facts


q_security_concepts_internal_np6.[Link]

Question 3:
Correct
Telnet is inherently unsecure because its communication is in plaintext and is easily
intercepted. Which of the following is an acceptable alternative to Telnet?
Answer

PPP
Correct Answer:
SSH

Remote Desktop

SLIP

Explanation

SSH (Secure Shell) is a secure and acceptable alternative to Telnet. SSH allows
secure interactive control of remote systems. SSH uses RSA public key
cryptography for both connection and authentication. SSH also uses the IDEA
algorithm for encryption by default but is able to use Blowfish and DES as well.
Remote Desktop, while a remote control mechanism, is limited to a few versions of
Windows and is not very secure.
Point-to-Point Protocol (PPP) and Serial Line Interface Protocol (SLIP) are not
remote access authentication protocols. They are used to establish a connection, not
provide authentication.

References

• 12.1.6 Secure Protocol Facts


q_secure_protocols_ssh_01_np6.[Link]

Question 4:
Correct
Which of the following protocols can you use to securely manage a network device
from a remote connection?
Answer

Telnet

SFTP

TLS
Correct Answer:
SSH

Explanation

SSH allows secure interactive control of remote systems. It is a secure and
acceptable alternative to Telnet.
SFTP (Secure File Transfer Protocol) uses Secure Shell (SSH) to secure data
transfers.
TLS (Transport Layer Security) ensures that messages being transmitted on the
internet are private and tamper-proof. TLS is often used to add security to other
protocols.

References

• 12.1.6 Secure Protocol Facts
q_secure_protocols_ssh_02_np6.[Link]

Question 5:
Correct
Which protocol does HTTPS use to offer greater security for web transactions?
Answer

CHAP

PAP

IPsec
Correct Answer:
SSL

Explanation
HTTPS (HyperText Transfer Protocol Secure) uses Secure Sockets Layer (SSL) to
offer greater security for web transactions.
IPsec uses HMAC (Hash-Based Message Authentication Code) to provide message
integrity checks.
Password Authentication Protocol (PAP) transmits login credentials in cleartext.
Challenge Handshake Authentication Protocol (CHAP) protects login credentials
using a hash and allows periodic re-authentication.

References

• 12.1.6 Secure Protocol Facts


q_secure_protocols_ssl_01_np6.[Link]

Question 6:
Correct
You want to allow traveling users to connect to your private network through the
internet. Users will connect from various locations, including airports, hotels, and
public access points (like coffee shops and libraries). As such, you won't be able to
configure the firewalls that might be controlling access to the internet in these
locations.
Which of the following protocols is MOST likely to be allowed through the widest
number of firewalls?
Answer

PPTP

L2TP
Correct Answer:
SSL

IPsec

Explanation

Ports must be open on firewalls to allow VPN protocols. For this reason, using SSL
(Secure Sockets Layer) for a VPN often works through firewalls when other solutions
do not because SSL uses port 443, which is a port that's often already open to allow
HTTPS traffic. In addition, some NAT (Network Address Translation) solutions do not
work well with VPN connections.
PPTP (Point-to-Point Tunneling Protocol) uses port 1723. L2TP (Layer 2 Tunneling
Protocol) uses ports 1701 and 500. IPsec uses UDP port 500 for IKE (Internet Key
Exchange).

References

• 12.1.6 Secure Protocol Facts
q_secure_protocols_ssl_02_np6.[Link]

Question 7:
Correct
Which of the following protocols are often added to other protocols to provide secure
data transmission? (Select two.)
Answer

SMTP

HTTPS

SNMP
Correct Answer:
SSL
Correct Answer:
TLS

Explanation

Both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols
that are used with other protocols to add security. In addition, you can use Secure
Shell (SSH) to add security when using unsecure protocols.
HTTPS (HyperText Transfer Protocol Secure) is the secure form of HTTP that uses
SSL. SMTP (Simple Mail Transfer Protocol) is used for sending email. SNMP
(Simple Network Management Protocol) is for network management tasks.

References

• 12.1.6 Secure Protocol Facts
q_secure_protocols_ssl_tls_np6.[Link]

Question 8:
Correct
Which of the following intrusion detection and prevention systems uses fake
resources to entice intruders by displaying a vulnerability, configuration flaw, or
valuable data?
Answer

Botnet
Correct Answer:
Honeypot

Trojan horse

Zombie

Explanation

A honeypot is a device or virtual machine that entices intruders by displaying a
vulnerability, displaying a configuration flaw, or appearing to contain valuable data.
A Trojan horse is a malicious program that is disguised as legitimate or desirable
software.
A zombie is a computer that's infected with malware and that allows remote software
updates and control by a command and control center (called a zombie master).
A botnet refers to a group of zombie computers that are commanded from a central
control infrastructure.

References

• 12.1.8 Defense in Depth Facts


q_defense_depth_honeypot_01_np6.[Link]

Question 9:
Correct
Creating fake resources such as honeypots, honeynets, and tarpits fulfills which of
the following main intrusion detection and prevention goals? (Select two.)
Answer

Entices attackers to reveal their IDS signatures, which can then be matched to
known attack patterns.

Detects anomalous behavior that varies from standard activity patterns, also referred
to as heuristic recognition.
Correct Answer:
Offers attackers a target that occupies their time and attention while distracting them
from valid resources.
Correct Answer:
Reveals information about an attacker's methods and gathers evidence for
identification or prosecution purposes.

Lures attackers into a non-critical network segment where their actions are passively
monitored and logged, after which their connection is simply dropped.

Detects attacks that are unique to the services on valid system resources and
monitors application activity.
Explanation

By using honeypots, honeynets, and tarpits, you can fulfill the following intrusion
detection and protection goals:
• Attackers are offered targets that will occupy their time and attention,
distracting them from valid resources.
• You can observe attackers and gather information about their attack
methods or gather evidence for identification or prosecution purposes.

References

• 12.1.8 Defense in Depth Facts


q_defense_depth_honeypot_02_np6.[Link]

Question 10:
Correct
Members of the sales team use laptops to connect to the company network. While
traveling, they connect their laptops to the internet through airport and hotel
networks.
You are concerned that these computers will pick up viruses that could spread to
your private network. You would like to implement a solution that prevents the
laptops from connecting to your network unless antivirus software and the latest
operating system patches have been installed.
Which solution should you use?
Answer

VLAN

Screened subnet

NAT

NIDS
Correct Answer:
NAC

Explanation

Network Access Control (NAC) controls access to a network by not allowing
computers to access network resources unless they meet certain predefined security
requirements. Conditions that can be part of the connection requirements include
requiring that computers have:
• Antivirus software with up-to-date definition files
• An active personal firewall
• Specific, critical operating system updates and patches
A client that is determined by the NAC agent to be healthy is given access to the
network. An unhealthy client that has not met all the checklist requirements is either
denied access or can be given restricted access to a remediation network, where
remediation servers can be contacted to help the client become compliant.
A screened subnet is a buffer network that sits between a private network and an
untrusted network (such as the internet). A virtual LAN (VLAN) is a logical grouping
of computers based on switch port. VLAN membership is configured by assigning a
switch port to a VLAN. An intrusion detection system (IDS) is a special network
device that can detect attacks and suspicious activity. A network-based IDS (NIDS)
scans network traffic to look for intrusion attempts.
Network Address Translation (NAT) modifies the IP addresses in packets as they
travel from one network (such as a private network) to another (such as the internet).
NAT allows you to connect a private network to the internet without obtaining
registered addresses for every host. Hosts on the private network share the
registered IP addresses.

References

• 12.1.8 Defense in Depth Facts


q_defense_depth_nac_np6.[Link]
A network utilizes a network access control (NAC) solution to defend against
malware.
When a wired or wireless host tries to connect to the network, a NAC agent on the
host checks it to make sure it has all of the latest operating system updates installed
and that the latest antivirus definitions have been applied.
What is this process called?
Answer

Quarantine

Remediation

Port security
Correct Answer:
Posture assessment

Explanation

When a wired or wireless host tries to connect to a network, a NAC agent on the
host checks it to make sure it has all of the latest operating system updates installed
and that the latest antivirus definitions have been applied. This is called a posture
assessment. The agent then submits the results of the assessment as a Statement
of Health (SoH) to the system health validator (SHV).
If the host does not meet the client health requirements configured in the NAC
system, the host is placed on a quarantine network to be remediated.
Port security is configured on a switch to restrict connections to hosts with specific
MAC addresses.

References

• 12.2.2 Risk Management Facts


q_risk_management_posture_np6.[Link]

Question 2:
Correct
When analyzing assets, which analysis method assigns financial values to assets?
Answer

Transfer

Acceptance
Correct Answer:
Quantitative

Qualitative

Explanation

Quantitative analysis assigns a financial value, or a real number (and the cost
required to recover from a loss) to each asset.
Qualitative analysis seeks to identify costs that cannot be concretely defined.
Transfer and acceptance are responses to risk, not risk analysis methods.

References

• 12.2.2 Risk Management Facts


q_risk_management_quantitative_np6.[Link]

Question 3:
Correct
What is the main difference between vulnerability scanning and penetration testing?
Answer

Vulnerability scanning uses approved methods and tools; penetration testing uses
hacking tools.

Vulnerability scanning is performed with a detailed knowledge of the system;
penetration testing starts with no knowledge of the system.

The goal of vulnerability scanning is to identify potential weaknesses; the goal of
penetration testing is to attack a system.
Correct Answer:
Vulnerability scanning is performed within the security perimeter; penetration testing
is performed outside of the security perimeter.

Explanation

Penetration testing simulates an actual attack on the network and is conducted from
outside the organization's security perimeter. Vulnerability scanning is typically
performed internally by users with administrative access to the system.
The goal of both vulnerability scanning and penetration testing is to identify the
effectiveness of security measures and identify weaknesses that can be fixed. While
some penetration testing is performed with no knowledge of the network, penetration
testing could be performed by testers with detailed information about the systems.
Both vulnerability scanning and penetration testing can use similar tools, although
you should avoid illegal tools in both activities.

References
• 12.2.4 Penetration Testing Facts
q_pen_test_differences_np6.[Link]

Question 4:
Correct
A security administrator is conducting a penetration test on a network. She connects
a notebook system running Linux to the wireless network and then uses Nmap to
probe various network hosts to see which operating system they are running.
Which process did the administrator use for the penetration test in this scenario?
Answer

Network enumeration

Passive fingerprinting

Firewalking
Correct Answer:
Active fingerprinting

Explanation

The administrator in this scenario used active fingerprinting. Active fingerprinting is a
form of system enumeration that is designed to gain as much information about a
specific computer as possible. It identifies operating systems based upon ICMP
message quoting characteristics. Portions of an original ICMP request are repeated
(or quoted) within the response, and each operating system quotes this information
back in a slightly different manner. Active fingerprinting can determine the operating
system and even the patch level.
Passive fingerprinting works in much the same manner as active fingerprinting.
However, this technique does not utilize active probes of specific systems. Network
enumeration (also called network mapping) involves a thorough and systematic
discovery of as much of the corporate network as possible, using:
• Social engineering
• Wardriving
• War dialing
• Banner grabbing
• Firewalking
Firewalking uses traceroute techniques to discover which services can pass through
a firewall or a router. Hping and Firewalk are common firewalking tools.

References

• 12.2.4 Penetration Testing Facts


q_pen_test_fingerprinting_01_np6.[Link]

Question 5:
Correct
Drag each penetration test characteristic on the left to the appropriate penetration
test name on the right.
Known test

The tester has detailed information about the target system prior to starting the
test.
correct answer:
Partially known test

The tester has the same amount of information that would be available to a typical
insider in the organization.
correct answer:
Unknown test

The tester has no prior knowledge of the target system.
correct answer:
Single-blind test

Either the attacker has prior knowledge about the target system or the
administrator knows that the test is being performed.
correct answer:
Double-blind test

The tester does not have prior information about the system, and the administrator
has no knowledge that the test is being performed.
correct answer:

Explanation

Penetration testing is classified by the knowledge that the attacker and system
personnel have prior to the attack.
• In an unknown test, the tester has no prior knowledge of the target
system.
• In a known test, the tester has detailed information prior to starting the
test.
• In a partially known test, the tester has the same amount of information
that would be available to a typical insider in the organization.
• In a single-blind test, one side has advanced knowledge. Either the
attacker has prior knowledge about the target system or the defender has
knowledge about the impending attack.
• In a double-blind test, the penetration tester does not have prior
information about the system, and the network administrator has no
knowledge that the test is being performed. A double-blind test provides
more accurate information about a system's security.

References

• 12.2.4 Penetration Testing Facts


q_pen_test_types_np6.[Link]

Question 6:
Correct
Which SIEM component is responsible for gathering all event logs from configured
devices and securely sending them to the SIEM system?
Answer
Correct Answer:
Collectors

Security automation

Data handling

SIEM alerts

Explanation

Collectors are responsible for gathering all event logs from configured devices and
securely sending them to the Security Information and Event Management (SIEM)
system. Collectors are basically the middleman between devices and the SIEM
system.
The data handling component receives the data from the collectors and then reads,
analyzes, and separates the data into different categories.
SIEM alerts are responsible for triggering alerts if any data exceeds the established
thresholds.
Security automation is a feature of a SOAR system.

References

• 12.2.6 Security Information and Event Management Facts


q_siem_collector_np6.[Link]

Question 7:
Correct
Which of the following Security Orchestration, Automation, and Response (SOAR)
system components helps to document the processes and procedures that are to be
used by a human during a manual intervention?
Answer

Orchestration

Runbook

Response
Correct Answer:
Playbook

Explanation

Playbooks are linear checklists of required steps and actions that are to be taken to
respond to an alert. While playbooks do support automated actions, they are often
used to document the processes and procedures that are to be used by a human
during a manual intervention.
Runbooks consist of a series of conditional steps to perform actions, such as
sending notifications or threat containment. They are not used to document the
processes and procedures for a manual intervention.
The Orchestration component of the Security Orchestration, Automation, and
Response (SOAR) system is responsible for gathering data and information from
across the network. This is not used to document the processes and procedures for
a manual intervention.
The Response component of a SOAR system allows the system to automatically
take actions against threats. It is not used to document the processes and
procedures for a manual intervention.

References

• 12.2.6 Security Information and Event Management Facts


q_siem_playbook_np6.[Link]

Question 8:
Correct
You want to make sure that a set of servers only accepts traffic for specific network
services. You have verified that the servers are only running the necessary services,
but you also want to make sure that the servers do not accept packets sent to those
services.
Which tool should you use?
Answer

Packet sniffer
Correct Answer:
Port scanner

IDS

System logs

IPS

Explanation

Use a port scanner to check for open ports on a system or firewall. Compare the list
of open ports with the list of ports allowed by your network design and security
policy. Typically, a port is open when a service starts or is configured on a device.
Open ports for unused services expose the server to attacks directed at that port.
Use a packet sniffer to examine packets on a network. With a packet sniffer, you can
identify packets directed toward specific ports, but you won't be able to tell whether
those ports are open. Examine system logs to look for events that have happened on
your system. These events might include a service starting up, but they would not
reliably reflect which ports are open.
An intrusion detection system (IDS) is a special network device that can detect
attacks and suspicious activity. A passive IDS monitors, logs, and detects security
breaches but takes no action to stop or prevent an attack. An active IDS (also
called an intrusion prevention system, or IPS) performs the functions of an IDS but
can also react when security breaches occur.
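The check described above, as an added example that is not part of the course material: a minimal TCP connect scanner plus the comparison of what is actually open against a policy allowlist. The allowlist ALLOWED_PORTS is a hypothetical policy, and the demo scans loopback only (one listener it starts itself and one port it knows is closed) so that it runs offline.

```python
import socket
from typing import Iterable

# Added example (not from the original lab material). ALLOWED_PORTS stands in
# for the ports your network design and security policy permits; the values
# are an assumption for illustration.
ALLOWED_PORTS = {22, 443}


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> set:
    """Return the subset of `ports` on `host` that complete a TCP handshake.

    A full connect() is the simplest test of "does this server accept packets
    on that port": a RST (ConnectionRefusedError) means nothing is listening,
    while a timeout usually means a firewall is silently dropping the SYN.
    """
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                open_ports.add(port)
            except (ConnectionRefusedError, socket.timeout, OSError):
                pass
    return open_ports


def unexpected_ports(open_ports: Iterable[int], allowed: Iterable[int]) -> list:
    """Ports that accept connections but are not on the policy allowlist."""
    return sorted(set(open_ports) - set(allowed))


def demo() -> dict:
    """Stand up one local listener, pick one closed port, and scan both.

    The listener stands in for a service that is running; the closed port
    stands in for a service that was correctly shut down.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    listener.listen(5)
    listening_port = listener.getsockname()[1]

    # Reserve-then-release a second ephemeral port so we know it is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        found = scan_ports("127.0.0.1", [listening_port, closed_port])
    finally:
        listener.close()

    return {
        "listening_port": listening_port,
        "closed_port": closed_port,
        "open": found,
        "violations": unexpected_ports(found, ALLOWED_PORTS),
    }


if __name__ == "__main__":
    result = demo()
    print(f"open: {sorted(result['open'])}")
    print(f"open but not allowed by policy: {result['violations']}")
```

Because the demo listener is on an ephemeral port that is not in ALLOWED_PORTS, it shows up as a policy violation, which is exactly the signal the question is after: a port that answers even though the policy says it should not. Against real servers, run the scan from the same network position an attacker would hold, since a host firewall can make a port look closed from one side and open from another.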

References

• 12.2.6 Security Information and Event Management Facts



Question 9:
Correct
A security administrator logs on to a Windows server on her organization's network.
Then she runs a vulnerability scan on that server.
Which type of scan did she conduct in this scenario?
Answer

Non-credentialed scan

Non-intrusive scan

Intrusive scan
Correct Answer:
Credentialed scan

Explanation
In a credentialed scan, the security administrator authenticates to the system prior to
starting the scan. A credentialed scan usually provides detailed information about
potential vulnerabilities. For example, a credentialed scan of a Windows workstation
allows you to probe the Registry for security vulnerabilities.
With a non-credentialed scan, the security administrator does not authenticate to the
system prior to running the scan.
A non-intrusive scan is the most common type of scan you will see performed. It
looks for vulnerabilities and gives you a report on what it found.
An intrusive scan finds a potential vulnerability and then actively attempts to exploit
it.

References

• 12.2.9 Vulnerability Assessment Facts



Question 10:
Correct
You want to be able to identify the services running on a set of servers on your
network. Which tool would BEST give you the information you need?
Answer

Port scanner

Network mapper

Protocol analyzer
Correct Answer:
Vulnerability scanner

Explanation

Use a vulnerability scanner to gather information about systems, such as the running
applications or services. A vulnerability scanner often combines functions found in
other tools and can perform additional functions, such as identifying open firewall
ports, missing patches, and default or blank passwords.
A port scanner is a tool that probes systems for open ports. A port scanner tells you
which ports are open in the firewall, but it cannot identify services running on a
server if the firewall port has been closed.
A network mapper is a tool that can discover devices on a network and show those
devices in a graphical representation. Network mappers typically use a ping scan to
discover devices and a port scanner to identify open ports on those devices.
Use a protocol analyzer to identify traffic that is sent on the network medium and
traffic sources. Services could still be running on a server that do not generate the
network traffic that a protocol analyzer would catch.
References

• 12.2.9 Vulnerability Assessment Facts


Question 1:
Five salespeople work out of your office. They frequently leave their laptops on the
desks in their cubicles. You are concerned that someone might walk by and take one
of these laptops.
Which of the following is the BEST way to address your concerns?
Answer

Encrypt all company data on the hard drives.

Require strong passwords in the Local Security Policy.


Correct Answer:
Use cable locks to chain the laptops to the desks.

Implement screensaver passwords.

Explanation

The main concern, in this case, is with laptops being stolen. The best protection
against physical theft is to secure the laptops in place using a cable lock.
Requiring strong passwords or using encryption might prevent unauthorized users
from accessing data on the laptops, but this does not prevent physical theft.

References

• 12.3.2 Physical Security Facts



Question 2:
Correct
What is the primary benefit of CCTV?
Answer

Provides a corrective control.


Correct Answer:
Expands the area visible to security guards.

Increases security protection throughout an environment.

Reduces the need for locks and sensors on doors.

Explanation

A primary benefit of CCTV is that it expands the area visible to security guards. This
helps fewer guards oversee and monitor a larger area.
CCTV does not reduce the need for locks and sensors on doors.
CCTV does not provide a corrective control (it is a preventative, deterrent, or
detective control).
CCTV does not increase security protection throughout an environment. It only does
so in the area where it is aimed.

References

• 12.3.2 Physical Security Facts



Question 3:
Correct
Which of the following CCTV types would you use in areas with little or no light?
Answer

C-mount

A camera with a high LUX rating

PTZ
Correct Answer:
Infrared

Explanation

Infrared cameras can record images in little or no light.


A camera's lux rating is the minimum amount of light it needs to produce a usable
image. The lower the number, the less light is needed, so a camera with a high lux
rating needs more light, not less. Infrared cameras operate at very low lux levels,
meaning that little or no visible light is needed.
A C-mount camera has interchangeable lenses and is typically rectangular in shape.
A pan tilt zoom (PTZ) camera lets you dynamically move the camera and zoom in on
specific areas.

References

• 12.3.2 Physical Security Facts



Question 4:
Correct
Match each physical security control on the left with an appropriate example of that
control on the right. Each security control may be used once, more than once, or not
at all.

Correct matches (example: control):

Hardened carrier: Protected cable distribution
Biometric authentication: Door locks
Barricades: Perimeter barrier
Emergency escape plans: Safety
Alarmed carrier: Protected cable distribution
Anti-passback system: Physical access control
Emergency lighting: Safety
Exterior floodlights: Perimeter barrier

Explanation

Physical security controls and their functions include the following:


• Perimeter barriers secure the building perimeter and restrict access to
secure entry points. Examples include barricades and floodlights.
• Door locks allow access only to those with the proper key. For example, a
biometric authentication system requires an individual to submit to a
fingerprint or retina scan before a door is unlocked.
• Physical access controls are implemented inside the facility to control who
can go where. For example, an anti-passback system prevents a card
holder from passing their card back to someone else.
• Safety controls help employees and visitors remain safe while on site. For
example, consider devising escape plans that utilize the best escape
routes for each area in your organization. In addition, emergency lighting
should be implemented that runs on protected power and automatically
switches on when the main power goes off.
• A protected distribution system (PDS) encases network cabling within a
carrier. This enables data to be securely transferred through an area of
lower security. In a hardened carrier PDS, network cabling is run within
metal conduit. In an alarmed carrier PDS, an electronic alarm system is
used to detect attempts to compromise the carrier and access the cable
within it.

References

• 12.3.2 Physical Security Facts



Question 5:
Correct
You want to use CCTV as a preventative security measure. Which of the following is
a requirement for your plan?
Answer

Low LUX or infrared camera

Sufficient lighting

PTZ camera
Correct Answer:
Security guards

Explanation

When used in a preventative way, you must have a guard or other person available
who monitors one or more cameras. Only a security guard can interpret what the
camera sees to make appropriate security decisions.
Even with sufficient lighting on a low-LUX or infrared camera, cameras are not a
useful preventative measure without a security guard present to interpret images and
make security decisions.
A pan tilt zoom (PTZ) camera lets you dynamically move the camera and zoom in on
specific areas.

References

• 12.3.2 Physical Security Facts


Question 6:
Correct
Which of the following is the MOST important way to prevent console access to a
network switch?
Answer

Disconnect the console cable when not in use.


Correct Answer:
Keep the switch in a room that is locked by a keypad.

Set the console and enable secret passwords.

Implement an access list to prevent console connections.

Explanation

To control access to the switch console, you must keep it in a locked room. A
console connection can only be established with a direct physical connection to the
device. If the switch is in a locked room, only those with access will be able to make
a console connection. In addition, even if you had set console passwords, users with
physical access to the device could perform password recovery and gain access.

References

• 12.3.2 Physical Security Facts



Question 7:
Correct
Which of the following controls is an example of a physical access control method?
Answer

Passwords

Access control lists with permissions

Smart cards

New hire background checks


Correct Answer:
Locks on doors

Explanation
Locks on doors are an example of a physical access control method. Physical controls
restrict or control physical access.
Passwords, access control lists, and smart cards are all examples of technical
controls. Even though a smart card is a physical object, the card by itself is part of a
technical implementation. Requiring background checks for new hires is an example of a
policy or administrative control.

References

• 12.3.2 Physical Security Facts



Question 8:
Correct
Which of the following can you use to stop piggybacking from occurring at a front
entrance where employees swipe smart cards to gain entry?
Answer

Install security cameras.


Correct Answer:
Deploy a mantrap.

Use weight scales.

Use key locks rather than electronic locks.

Explanation

Piggybacking is the activity where an authorized or unauthorized individual gains
entry into a secured area by exploiting the credentials of a prior person. Often, the
first person will authenticate, unlock the door, and then hold it open for the next
person to enter without forcing them to authenticate separately. You can stop
piggybacking with a mantrap. A mantrap is a single-person room with two doors and
often includes a scale to detect more than one occupant. It requires proper
authentication before unlocking the inner door to allow authorized personnel into a
secured area. Those who fail to properly authenticate are held until authorities
respond.
A security camera may deter piggybacking, but does not directly stop it. Using weight
scales inside a mantrap will stop piggybacking, but they are not useful or effective
without the mantrap. The use of conventional keys as opposed to electronic locks
does little to prevent piggybacking and may actually make piggybacking more
prevalent.

References

• 12.3.2 Physical Security Facts


Question 9:
Correct
You are an IT consultant and are visiting a new client's site to become familiar with
their network. As you walk around their facility, you note the following:
• When you enter the facility, a receptionist greets you and directs you down
the hallway to the office manager's cubicle. The receptionist uses a
notebook system that is secured to her desk with a cable lock.
• The office manager informs you that the organization's servers are kept in
a locked closet. Only she has the key to the closet. When you arrive on
site, you will be required to get the key from her to access the closet.
• She informs you that server backups are configured to run each night. A
rotation of external USB hard disks are used as the backup media.
• You notice the organization's network switch is kept in an empty cubicle
adjacent to the office manager's workspace.
• You notice that a router/firewall-content filter all-in-one device has been
implemented in the server closet to protect the internal network from
external attacks.
Which security-related recommendations should you make to this client? (Select
two.)
Answer
Correct Answer:
Relocate the switch to the locked server closet.

Replace the USB hard disks used for server backups with a tape drive.
Correct Answer:
Control access to the work area with locking doors and card readers.

Use separate dedicated network perimeter security devices instead of an all-in-one
device.

Replace the key lock on the server closet with a card reader.

Explanation

In this scenario, you should recommend the client make the following changes:
• Relocate the switch to the locked server closet. Keeping it in a cubicle
could allow an attacker to configure port mirroring on the switch and
capture network traffic.
• Control access to the work area with locking doors and card readers.
Controlling access to the building is critical for preventing unauthorized
people from gaining access to computers. In this scenario, you were able
to walk unescorted into the work area without any kind of physical access
control other than the receptionist.
Because the office manager will control who has access to the server closet key, it
isn't necessary to implement a card reader on the server closet door. Using tape
drives instead of hard disks wouldn't increase the security of the backups. Using
separate perimeter security devices instead of an all-in-one device would be unlikely
to increase network security.

References

• 12.3.2 Physical Security Facts



Question 10:
Correct
Which of the following is a secure doorway that can be used with a mantrap to allow
an easy exit but actively prevents re-entrance through the exit portal?
Answer

Electronic access control doors

Egress mantraps

Locked doors with interior unlock push bars


Correct Answer:
Turnstiles

Explanation

Turnstiles allow an easy exit from a secured environment but actively prevent re-
entrance through the exit portal. Turnstiles are a common exit portal used with
entrance portal mantraps. A turnstile can't be used to enter into a secured facility, as
it only functions in one direction.
Egress mantraps are not easy exit portals. Plus, they are a tremendously
unnecessary expense and administrative burden. Any form of door, including self-
locking doors with push bars or credential readers, can be hijacked to allow an
outsider to enter.

References

• 12.3.2 Physical Security Facts


Question 1:
An organization's receptionist received a phone call from an individual claiming to be
a partner in a high-level project and requesting sensitive information. Which type of
social engineering is this individual engaging in?
Answer

Commitment
Correct Answer:
Authority

Persuasive

Social validation

Explanation

Authority social engineering entails an attacker either lying about having authority or
using their high status in a company to force victims to perform actions that exceed
their authorization level.
Persuasive social engineering entails an attacker convincing a person to give them
information or access that he or she shouldn't.
Social validation entails an attacker using peer pressure to coerce someone else to
bend rules or give information he or she shouldn't.
Commitment social engineering entails convincing someone to buy into an overall
idea and then demanding or including further specifics that were not presented up
front.

References

• 12.4.2 Social Engineering Facts



Question 2:
Correct
What is the primary countermeasure to social engineering?
Answer

A written security policy

Heavy management oversight

Traffic filters
Correct Answer:
Awareness
Explanation

The primary countermeasure to social engineering is awareness. If users are
unaware of the necessity for security and are not properly trained, they are
vulnerable to numerous social engineering exploits. Awareness training focused on
preventing social engineering should include methods for authenticating personnel
over the phone, assigning classification levels to information and activities, and
educating your personnel on which information should not be distributed.
A written security policy is a countermeasure against social engineering, but without
awareness training, it is useless. Heavy management oversight may provide some
safeguards that protect users from social engineering, but management is less
effective than awareness. Traffic filters are not countermeasures for social
engineering because they do not focus on solving the human problem inherent in
social engineering attacks.

References

• 12.4.2 Social Engineering Facts



Question 3:
Correct
Match each social engineering description on the left with the appropriate attack type
on the right.

Correct matches (attack type: description):

Phishing: An attacker sends an email pretending to be from a trusted organization, asking
users to access a website to verify personal information.
Whaling: An attacker gathers personal information about the target individual, who is a CEO.
Spear phishing: An attacker gathers personal information about the target individual in an
organization.
Dumpster diving: An attacker searches through an organization's trash for sensitive information.
Piggybacking: An attacker enters a secure building by following an authorized employee through
a secure door without providing identification.
Vishing: An attacker uses a telephone to convince target individuals to reveal their credit
card information.

Explanation

Specific social engineering attacks include the following:


Dumpster Diving
Dumpster diving is the process of looking in the trash for sensitive information that
has not been properly disposed of.
Tailgating and Piggybacking
Piggybacking and tailgating refer to an attacker entering a secure building by
following an authorized employee through a secure door and not providing
identification. Piggybacking usually implies consent from the authorized employee,
whereas tailgating implies no consent from the authorized employee.
Phishing
A phishing scam is an email pretending to be from a trusted organization, asking the
user to verify personal information or send money. In a phishing attack:
• A fraudulent message that appears to be legitimate is sent to a target.
• The message requests that the target visit a fraudulent website (which
also appears to be legitimate). Graphics, links, and websites look almost
identical to the legitimate websites they are trying to represent.
• The fraudulent website requests that the victim provide sensitive
information, such as an account number and password.
Below are descriptions of common phishing scams.
• A rock phish kit is a fake website that imitates a real website (such as
banks, PayPal, eBay, and Amazon). Phishing emails direct you to the fake
website to enter account information. A single server can host multiple
fake sites using multiple registered DNS names. These sites can be set up
and taken down rapidly to avoid detection.
• A Nigerian scam, also known as a 419 scam, involves emails that request
a small amount of money to help transfer funds from a foreign country. For
your assistance, you are to receive a reward for a much larger amount of
money that will be sent to you at a later date.
• In spear phishing, attackers gather information about the victim, such as
which online banks they use. They then send phishing emails for the
specific bank. Spear phishing's goal is to gain access to information that
will allow the attacker to gain commercial advantage or commit fraud.
Spear phishing frequently involves sending seemingly genuine emails to
all employees or members of specific teams.
• Whaling is another form of phishing that is targeted toward senior
executives and high-profile victims.
• Vishing is similar to phishing, but instead of an email the attacker uses a
phone call (often placed over Voice over IP, or VoIP) to obtain sensitive
information. The term is a combination of voice and phishing.

References

• 12.4.2 Social Engineering Facts



Question 4:
Correct
What is the term for any attack that involves human interaction of some kind?
Answer

Attacker manipulation

An authorized hacker
Correct Answer:
Social engineering

An opportunistic attack

Explanation

Social engineering refers to any attack involving human interaction of some kind.
Attackers who use social engineering try to convince a victim to perform actions or
give out information they wouldn't under normal circumstances.
An opportunistic attack is typically automated and involves scanning a wide range of
systems for known vulnerabilities, such as old software, exposed ports, poorly
secured networks, and default configurations.
An authorized hacker helps companies find vulnerabilities in their security
infrastructure.
Social engineers are master manipulators and use multiple tactics on their victims.

References

• 12.4.2 Social Engineering Facts



Question 5:
Correct
Dumpster diving is a low-tech way of gathering information that may be useful for
gaining unauthorized access or as a starting point for more advanced attacks. How
can a company reduce the risk associated with dumpster diving?
Answer

Mandate the use of Integrated Windows Authentication.

Secure all terminals with screensaver passwords.

Create a strong password policy.


Correct Answer:
Establish and enforce a document destruction policy.

Explanation

Dumpster diving is best addressed with a Document Destruction Policy. All sensitive
documents should be shredded or burned, and employees should be trained on the
proper use of disposal equipment and the policies governing the disposal of sensitive
information.
A strong password policy, authentication types, and screensaver passwords are not
enough to prevent the risks associated with dumpster diving. Username and
password complexity efforts are wasted if employees document and dispose of this
information in an unsecure fashion.

References

• 12.4.2 Social Engineering Facts



Question 6:
Correct
You have just received a generic-looking email that is addressed as coming from the
administrator of your company. The email says that as part of a system upgrade, you
need to enter your username and password in a new website so you can manage your
email and spam using the new service.
What should you do?
Answer

Open a web browser, type in the URL included in the email, and follow the directions
to enter your login credentials.
Correct Answer:
Verify that the email was sent by the administrator and that this new service is
legitimate.

Delete the email.


Click on the link in the email and follow the directions to enter your login information.

Click on the link in the email and look for company graphics or information before
you enter the login information.

Explanation

You should verify that the email is legitimate and has come from your administrator.
It is possible that the network administrator has signed up for a new service. If you
ignore the message or delete it, you might not get the benefits the company has
signed up for. However, the email might be a phishing attack. An attacker might be
trying to capture personal information. By verifying the email with the administrator,
you will be able to tell if it is legitimate.
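Before picking up the phone to the administrator, there are checks on the message itself that a help desk can run. The following is an added example, not part of the course material: it parses a raw message, compares the From domain with the Return-Path, reads the SPF/DKIM/DMARC verdicts your own mail server stamped in Authentication-Results, and compares every link's visible text with where it really points. Both messages, the domain example.com and the look-alike domains in them are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Added example (not from the original course material). Both raw messages
# below are constructed; the domains are assumptions for illustration.

SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail-updates-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-updates-example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Administrator" <admin@example.com>
To: user@example.com
Subject: Action required: email system upgrade
Content-Type: text/html; charset="utf-8"

<p>As part of a system upgrade, sign in to the new portal to manage your mail and spam:</p>
<p><a href="http://example-mail-login.net/verify">https://mail.example.com/login</a></p>
"""

LEGITIMATE_RAW = """\
Return-Path: <admin@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT Administrator" <admin@example.com>
To: user@example.com
Subject: Spam filter settings
Content-Type: text/html; charset="utf-8"

<p>Your spam settings are available at <a href="https://mail.example.com/settings">https://mail.example.com/settings</a>.</p>
"""

LINK_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def domain_of(address_header: str) -> str:
    """'"Name" <user@host>' -> 'host' (lower-cased); '' if there is no address."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (a crude check)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(raw: str) -> list:
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(("RETURN_PATH_MISMATCH", f"{return_path_domain} != {from_domain}"))

    # Authentication-Results is stamped by the receiving MTA, so unlike From
    # it is not under the sender's control.
    results = {m.group(1).lower(): m.group(2).lower()
               for m in AUTH_RE.finditer(str(msg.get("Authentication-Results", "")))}
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            findings.append((f"{mech.upper()}_{verdict.upper()}", f"{mech}={verdict}"))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        if not same_org(href_host, from_domain):
            findings.append(("LINK_OFF_DOMAIN", f"{href_host} is not under {from_domain}"))
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != href_host:
                findings.append(("LINK_TEXT_MISMATCH", f"shows {shown_host}, goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legitimate", LEGITIMATE_RAW)):
        print(label, analyze(raw))
```

None of these findings proves the message is an attack on its own (a legitimate third-party mailing service also produces a Return-Path mismatch), which is why the answer is still to confirm with the administrator out of band rather than to rely on any single indicator. What the checks do give you is something concrete to put in front of the administrator, and a reason to never click the link while you wait.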

References

• 12.4.2 Social Engineering Facts



Question 7:
Correct
Which of the following is a common social engineering attack?
Answer

Distributing false information about your organization's financial status.

Logging on with stolen credentials.


Correct Answer:
Hoax virus information emails.

Using a sniffer to capture network traffic.

Explanation

Hoax virus information emails are a form of social engineering attack. This type of
attack preys on email recipients who are fearful and will believe most information if it
is presented in a professional manner. All too often, the victims of these attacks fail
to double-check the information or instructions with a reputable third-party antivirus
software vendor before implementing the recommendations. Usually, these hoax
messages instruct the reader to delete key system files or download Trojan horses.
Social engineering relies on the trusting nature of individuals to incentivize them to
take an action or allow an unauthorized action.

References
• 12.4.2 Social Engineering Facts

Question 8:
Correct
On your way into the back entrance of your work building one morning, a man
dressed as a plumber asks you to let him in so he can fix the restroom. What should
you do?
Answer

Tell him no and quickly close the door.


Correct Answer:
Direct him to the front entrance and instruct him to check in with the receptionist.

Let him in and help him find the restroom. Then let him work.

Let him in.

Explanation

You should direct him to the front entrance where he can check in with the proper
authorities in your organization. Letting him in without knowing if he should be there
could compromise security. Turning him away would be unprofessional.

References

• 12.4.2 Social Engineering Facts



Question 9:
Correct
Which of the following are examples of social engineering attacks? (Select two.)
Answer

Port scanning
Correct Answer:
Dumpster diving
Correct Answer:
Shoulder surfing

Impersonation

War dialing
Explanation

Social engineering leverages human nature. Internal employees are often the targets
of trickery, and false trust can quickly lead to a serious breach of information
security. Shoulder surfing and dumpster diving are examples of social engineering.
Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of
obtaining an access code or credentials. Social engineers often employ keystroke
loggers to capture usernames and passwords. These low-tech attack methods are
often the first course of action that a hacker pursues.
Port scanning and war dialing are technical attacks that seek to take advantage of
vulnerabilities in systems or networks.
Impersonation is pretending to be trustworthy and having a legitimate reason for
approaching the target. This is done with the purpose of asking for sensitive
information or access to protected systems.

References

• 12.4.2 Social Engineering Facts



Question 10:
Correct
A senior executive reports that she received a suspicious email concerning a
sensitive internal project that is behind schedule. The email was sent by
someone she doesn't know, and he is asking for immediate clarification on several of
the project's details so the project can get back on schedule.
Which type of attack BEST describes the scenario?
Answer
Correct Answer:
Whaling

MAC spoofing

Masquerading

Passive

Explanation

Whaling is a form of social engineering attack that targets senior executives and
high-profile victims. Social engineering is an attack that exploits human nature by
convincing someone to reveal information or perform an activity.
Masquerading is convincing personnel to grant access to sensitive information or
protected systems by pretending to be someone who is authorized and/or requires
that access. Passive social engineering attacks take advantage of the unintentional
actions of others to gather information or gain access to a secure facility. MAC
spoofing is changing the source MAC address on frames sent by the attacker. MAC
spoofing can be used to hide the identity of the attacker's computer or to
impersonate another device on the network.

References

• 12.4.2 Social Engineering Facts

