Appendix
Answers to Review Questions

Chapter 1: Networking Fundamentals

  1. B. The Ethernet (or IEEE 802.3) protocol at the data link layer uses MAC addresses to identify computers on the local network. MAC addresses are coded into the firmware of physical network interface adapters by the manufacturer. The physical layer deals with signals and is not involved in addressing. The IP protocol at the network layer has its own addressing system. The transport layer protocols are not involved in addressing.
  2. E. ISO developed and published the OSI model to serve as a conceptual model for software and hardware developers. The ITU-T, formerly known as the CCITT, coordinates the development and advancement of international telecommunication networks and services. ANSI is a private organization that administers and coordinates a United States–based standardization and conformity assessment system. The IEEE publishes standards that define data link and physical layer standards. These standards are referred to collectively as the 802 series.
  3. C. Network layer protocols (such as IP) contain headers that specify logical addresses for end system communication and route datagrams across a network. The physical layer defines standards for physical and mechanical characteristics of a network. The data link layer uses media access control (MAC) or hardware addresses, not logical addresses. The transport layer uses port numbers, not logical addresses. Session layer protocols create and maintain a dialogue between end systems. Presentation layer protocols are responsible for the formatting, translation, and presentation of information. The application layer provides an entry point for applications to access the protocol stack and prepare information for transmission across a network.
  4. B, C, D. Before the payload data generated by an application can be transmitted over a TCP/IP network, the system must encapsulate it by applying protocol headers and footers at three layers of the OSI model. The data link layer applies a header and footer to create an Ethernet frame. The network layer applies a header to create an IP datagram. The transport layer applies a TCP or UDP header to create a segment or datagram. The other model layers are involved in the payload transmission process, but they do not encapsulate the payload.
  5. F. The presentation layer implements functions that provide formatting, translation, and presentation of information. No other layers of the OSI model translate and format application data.
  6. D. A router connects networks at the network layer of the OSI model. Proxy servers operate at the application layer. Network interface adapters operate at both the data link and the physical layers. Hubs are physical layer devices.
  7. G. The application layer provides an entry point for applications to access the protocol stack and prepare information for transmission across a network. All other layers of the OSI model reside below this layer and rely on this entry point.
  8. E. The session layer is responsible for creating and maintaining a dialogue between end systems. This dialogue can be a two-way alternate dialogue that requires end systems to take turns transmitting, or it can be a two-way simultaneous dialogue in which either end system can transmit at will. No other layers of the OSI model perform dialogue control between communicating end systems.
  9. B, C. The primary function of a switch is to process packets based on their media access control (MAC) addresses, which makes it a data link layer device. However, many switches can also perform routing functions based on IP addresses, which operate at the network layer.
  10. D. There are two types of transport layer protocols: connection-oriented and connectionless. Connection-oriented protocols guarantee the delivery of data from source to destination by creating a connection between the sender and the receiver before any data is transmitted. Connectionless protocols do not require a connection between end systems in order to pass data. The physical layer does not use connectionless or connection-oriented protocols; it defines standards for transmitting and receiving information over a network. The data link layer provides physical addressing and final packaging of data for transmission. The network layer is responsible for logical addressing and routing. The session layer is responsible for creating and maintaining a dialogue between end systems. The presentation layer is responsible for the formatting, translation, and presentation of information. The application layer provides an entry point for applications to access the protocol stack and prepare information for transmission across a network.
  11. A, B, C. The physical layer of the OSI model is associated with hubs, cables, and network interface adapters. The data link layer is associated with bridges and switches. The network layer is associated with routers. The transport, session, presentation, and application layers are typically not associated with dedicated hardware devices.
  12. B. The only layer with a protocol (such as Ethernet) that adds both a header and a footer is the data link layer. The process of adding the headers and footers is known as data encapsulation. All other protocol layers that encapsulate data add just a header.
  13. C. The Ethernet protocol that handles the addressing, transmission, and reception of frames operates at the data link layer. Each frame includes hardware addresses that identify the sending and receiving systems on the local network. Ethernet uses the CSMA/CD media access control method. Physical layer specifications include the transmission of signals in the form of electrical or light pulses to represent binary code, not frames. CSMA/CA is a data link layer media access control method used by wireless LAN protocols, but not Ethernet.
  14. B. On a TCP/IP network, the Internet Protocol (IP) at the network layer is the protocol responsible for the delivery of data to its final destination. Data link layer protocols are only concerned with communication between devices on a Local Area Network (LAN) or between two points connected by a Wide Area Network (WAN) link. The session and application layers are not involved in the actual delivery of data.
  15. D. Internet Protocol (IP), Internet Control Message Protocol (ICMP), and Internet Group Management Protocol (IGMP) are all network layer protocols. Internet Message Access Protocol (IMAP) is a mail protocol that operates at the application layer.
  16. C. A connection-oriented transport layer protocol, such as Transmission Control Protocol (TCP), provides guaranteed delivery of data for upper layer applications. Connectionless protocols do not guarantee delivery of information and therefore are not a good choice. Guaranteed delivery of information is generally not a function of the data link, network, or application layer.
  17. A. A hub functions only at the physical layer by forwarding all incoming signals out through all of its ports. Bridges and switches operate at the data link layer by selectively propagating incoming data. Routers operate at the network layer by connecting local area networks (LANs) and propagating only the traffic intended for another network, based on IP addresses.
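The difference answers 9, 11, 17 and 22 describe, a hub repeating every frame out every port while a switch learns source MAC addresses and forwards on the destination, is easy to see in a small simulation. The following is an added example written for this page, not code from the book; the port numbers, MAC addresses and frames are constructed, and the table_size parameter is an assumption added to show what happens when a switch's MAC table is full (unknown destinations are then flooded, exactly as a hub would).

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Physical layer repeater: every frame goes out every port except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Data link layer device: learns source MAC -> port, forwards by destination MAC."""

    def __init__(self, ports, table_size=None):
        self.ports = list(ports)
        self.table = {}                # MAC address -> port it was last seen on
        self.table_size = table_size   # None = unbounded; real switches have a fixed table

    def learn(self, mac, port):
        # Update a known station (it may have moved); add a new one only if there is room.
        if mac in self.table or self.table_size is None or len(self.table) < self.table_size:
            self.table[mac] = port

    def forward(self, in_port, src_mac, dst_mac):
        self.learn(src_mac, in_port)
        if dst_mac != BROADCAST and dst_mac in self.table:
            out_port = self.table[dst_mac]
            return [] if out_port == in_port else [out_port]   # same port: nothing to forward
        return sorted(p for p in self.ports if p != in_port)    # unknown or broadcast: flood


def run(device, frames):
    """Feed (in_port, src_mac, dst_mac) tuples through a device; return each frame's egress ports."""
    return [device.forward(*frame) for frame in frames]


def frames_seen_on(port, egress_lists):
    """How many of the frames a station attached to the given port would receive."""
    return sum(1 for ports in egress_lists if port in ports)


# Constructed stations: A on port 1, B on port 2, C on port 3; port 4 is an idle observer.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def sample_frames():
    return [
        (1, A, B),          # A talks to B before the switch knows where B is
        (2, B, A),          # B replies; the switch already learned A on port 1
        (1, A, B),          # A again: B is now known, so unicast only
        (3, C, BROADCAST),  # a broadcast always goes to every other port
    ]


if __name__ == "__main__":
    for dev in (Hub([1, 2, 3, 4]), Switch([1, 2, 3, 4])):
        egress = run(dev, sample_frames())
        print(type(dev).__name__, egress, "port 4 sees", frames_seen_on(4, egress))
```

Through the hub the idle station on port 4 receives all four frames; through the switch it receives only the first (unknown destination) and the broadcast. With table_size=1 the switch cannot learn B, so the third frame is flooded again, which is why the size of a switch's MAC table matters to anyone relying on a switch to keep unicast traffic off other ports.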
  18. A. The physical layer defines the mechanical and electrical characteristics of the cables used to build a network. The data link layer defines specific network (LAN or WAN) topologies and their characteristics. The physical layer standard that Alice will implement is dependent on the data link layer protocol she selects. The network, transport, and application layers are not concerned with cables and topologies.
  19. E, F. In the TCP/IP suite, the functions of the session layer are primarily implemented in the transport layer protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The presentation layer functions are often implemented in application layer protocols, although some functions, such as encryption, can also be performed by transport or network layer protocols.
  20. C. Transport layer protocols, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), have header fields that contain the port numbers of the applications that generated the data in the packet and which will receive it. The application, presentation, and network layers do not use port numbers.
  21. E. The correct order of the OSI model layers, from top to bottom, is application, presentation, session, transport, network, data link, physical.
  22. B. Switches and bridges are involved in Local Area Network (LAN) communications only and therefore primarily at the data link layer. They are not primarily associated with the physical, network, or transport layers, although some switches include network layer routing capabilities.
  23. C. Flow control is a process that adjusts the transmission rate of a protocol based on the capability of the receiver. If the receiving system becomes overwhelmed by incoming data, the sender dynamically reduces the transmission rate. In the TCP/IP protocol suite, Transmission Control Protocol (TCP) is responsible for implementing flow control. TCP runs at the transport layer. None of the other layers listed have TCP/IP protocols that provide flow control.
  24. A. The physical layer of the OSI model defines the standards for the physical and mechanical characteristics of a network, such as cabling (copper and fiber), connecting hardware (hubs and switches), and signaling methods (analog and digital). All of the other layers are not involved in the mechanical characteristics of the network.
  25. D. The presentation layer provides a syntax translation service that enables two computers to communicate, despite their use of different bit-encoding methods. This translation service also enables systems using compressed or encrypted data to communicate with each other.
  26. A. The physical layer of the OSI model defines the functions specific to the network medium and the transmission and reception of signals. All of the other layers are implemented in software and do not physically send or receive signals.
  27. B. IP is a connectionless protocol that operates at the network layer of the OSI model. There are no connection-oriented protocols at this layer. The protocols at the transport layer include Transmission Control Protocol (TCP), which is connection-oriented, and User Datagram Protocol (UDP), which is connectionless.
  28. A. An Ethernet network interface adapter functions at the data link layer by encapsulating network layer data for transmission over the network. It provides physical layer functions by providing the connection to the network medium and generating the appropriate signals for transmission. Network interface adapters do not operate at the network, transport, or application layer.
  29. A, B. Hypertext Transfer Protocol (HTTP) and Simple Network Management Protocol (SNMP) operate at the application layer. Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) both operate at the network layer. User Datagram Protocol (UDP) operates at the transport layer.
  30. B. The presentation layer of the OSI model is responsible for translating different kinds of syntax, including text-encoding systems, such as EBCDIC and ASCII. The application, session, and physical layers do not perform this function.
  31. D. Internet Control Message Protocol (ICMP) operates at the network layer by sending operational and error messages. It does not encapsulate upper layer protocol data. Internet Protocol (IP) operates at the network layer, but it does encapsulate transport layer protocol data. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are transport layer protocols that encapsulate upper layer protocol data. Address Resolution Protocol (ARP) does not encapsulate upper layer protocol data, but it is a data link layer protocol.
  32. D. The TCP connection establishment exchange is a three-way handshake that uses TCP flags (control bits) to specify the message type of each segment. The first segment contains a SYN flag from the client; the second segment contains the SYN and ACK flags from the server; and the last segment contains an ACK flag from the client.
  33. C. The MTU is the largest amount of data (in bytes) that a protocol operating at a given layer of the OSI model can transmit in one packet. The MTU does not include any header and footer fields supplied by that protocol. For Ethernet, the maximum frame size is 1518 bytes, which includes 18 bytes of header and footer fields (a 14-byte header and a 4-byte frame check sequence). Therefore, the MTU for Ethernet is 1500 bytes. Protocols operating at other OSI model layers have correspondingly smaller maximum payloads, because each layer's header consumes part of the MTU of the layer below it. For example, an IPv4 datagram carried in one Ethernet frame can hold at most 1480 bytes of transport layer data, because its 20-byte header is counted against the 1500-byte Ethernet MTU.
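Answers 4, 12 and 33 together describe one process: the application payload gets a UDP or TCP header, then an IPv4 header, then an Ethernet header and a frame check sequence trailer, and the 1500-byte MTU limits how much of the application's data fits in one frame. The following added example (written for this page, not code from the book) builds those three encapsulations and reports the size at each layer. The MAC and IP addresses and the payload are constructed; the UDP checksum is left at zero, which IPv4 permits.

```python
import ipaddress
import struct
import zlib

# Constructed addresses for the example (documentation ranges, not real hosts).
SRC_MAC = bytes.fromhex("02aabbccddee")
DST_MAC = bytes.fromhex("021122334455")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.53"

ETHERTYPE_IPV4 = 0x0800
ETHERNET_HEADER_LEN = 14    # destination MAC (6) + source MAC (6) + EtherType (2)
ETHERNET_FCS_LEN = 4        # frame check sequence, the only trailer in the whole stack
ETHERNET_MTU = 1500         # largest payload one frame carries (1518 - 14 - 4)
ETHERNET_MIN_PAYLOAD = 46   # shorter payloads are padded so the frame reaches 64 bytes
IPV4_HEADER_LEN = 20        # IPv4 header without options
UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: an 8-byte header in front of the application data, no trailer."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), 0) + payload


def ipv4_datagram(src_ip: str, dst_ip: str, transport_pdu: bytes,
                  proto: int = IPPROTO_UDP) -> bytes:
    """Network layer: a 20-byte header in front of the transport segment, no trailer."""
    total_len = IPV4_HEADER_LEN + len(transport_pdu)
    if total_len > 65535:
        raise ValueError("IPv4 total length field cannot exceed 65535")
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len,      # version 4, IHL 5 words, DSCP/ECN, total length
                      0, 0,                    # identification, flags/fragment offset
                      64, proto, 0,            # TTL, protocol, checksum placeholder
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + transport_pdu


def ethernet_frame(dst_mac: bytes, src_mac: bytes, network_pdu: bytes,
                   ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Data link layer: the only layer that adds both a header and a trailer (the FCS)."""
    if len(network_pdu) > ETHERNET_MTU:
        raise ValueError(f"{len(network_pdu)}-byte datagram exceeds the {ETHERNET_MTU}-byte "
                         "MTU; IP would have to fragment it first")
    network_pdu = network_pdu.ljust(ETHERNET_MIN_PAYLOAD, b"\x00")
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + network_pdu
    # CRC-32 over header and payload. Real Ethernet transmits the FCS bits in a
    # particular order; the 4-byte length, not the bit order, is the point here.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(app_payload: bytes) -> dict:
    """Run one application payload down the stack and report the size at each layer."""
    segment = udp_segment(40000, 53, app_payload)
    datagram = ipv4_datagram(SRC_IP, DST_IP, segment)
    frame = ethernet_frame(DST_MAC, SRC_MAC, datagram)
    return {"payload": len(app_payload), "segment": len(segment),
            "datagram": len(datagram), "frame": len(frame)}


def ipv4_header_is_valid(datagram: bytes) -> bool:
    """A correct IPv4 header checksums to zero when the stored checksum is included."""
    return ipv4_checksum(datagram[:IPV4_HEADER_LEN]) == 0


def max_app_payload_per_frame() -> int:
    """Largest UDP application payload that still fits a single Ethernet frame."""
    return ETHERNET_MTU - IPV4_HEADER_LEN - UDP_HEADER_LEN


if __name__ == "__main__":
    print(encapsulate(b"x" * 100))
    print("largest single-frame UDP payload:", max_app_payload_per_frame())
```

A 100-byte payload becomes a 108-byte segment, a 128-byte datagram and a 146-byte frame; 1472 payload bytes produce exactly the 1518-byte maximum frame, and one more byte makes ethernet_frame refuse the datagram, which is the point at which IP fragmentation would have to occur.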
  34. C. The termination phase of a TCP connection begins when either the client or the server sends a message containing the FIN control bit with a value of 1. The other control bits listed have nothing to do with the connection termination procedure, and there is no END bit.
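Answers 32 and 34 describe the control bits that open a TCP connection (SYN, SYN/ACK, ACK) and close it (FIN from either side). The added example below, written for this page rather than taken from the book, parses the flags byte of a raw TCP header and walks a constructed exchange through a simplified, single-state view of the connection, the kind of tracking a stateful firewall or an intrusion detection sensor performs. The port numbers and sequence numbers are constructed, and the per-connection state names are a simplification of the per-endpoint states in the RFC.

```python
import struct

# TCP control bits, the low six bits of the flags byte (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed; checksum left at 0)."""
    data_offset = 5 << 4            # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_flags(header: bytes) -> set:
    """Return the names of the control bits set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flags = header[13] & 0x3F       # byte 13 holds the flags; reserved bits are ignored
    return {name for name, bit in FLAG_NAMES.items() if flags & bit}


def track_connection(exchange) -> list:
    """Follow (sender, raw_header) pairs as a passive observer and return the state trace.
    Anything that does not fit the expected sequence raises, rather than being guessed at."""
    state = "CLOSED"
    trace = [state]
    fins_seen = set()
    for sender, header in exchange:
        flags = parse_tcp_flags(header)
        if "RST" in flags:
            state = "CLOSED"                       # a reset aborts from any state
        elif state == "CLOSED" and flags == {"SYN"} and sender == "client":
            state = "SYN_SENT"                     # handshake step 1
        elif state == "SYN_SENT" and flags == {"SYN", "ACK"} and sender == "server":
            state = "SYN_RECEIVED"                 # handshake step 2
        elif state == "SYN_RECEIVED" and flags == {"ACK"} and sender == "client":
            state = "ESTABLISHED"                  # handshake step 3
        elif "FIN" in flags and state in ("ESTABLISHED", "FIN_WAIT"):
            fins_seen.add(sender)                  # either side may begin the teardown
            state = "FIN_WAIT" if len(fins_seen) == 1 else "LAST_ACK"
        elif state == "LAST_ACK" and "ACK" in flags:
            state = "CLOSED"                       # final ACK completes the teardown
        elif state in ("ESTABLISHED", "FIN_WAIT") and "ACK" in flags and "SYN" not in flags:
            pass                                   # ordinary data or acknowledgment segment
        else:
            raise ValueError(f"unexpected {sorted(flags)} from {sender} while {state}")
        trace.append(state)
    return trace


def sample_exchange() -> list:
    """Constructed handshake, one data segment, and a client-initiated close."""
    def c2s(flags, seq, ack):
        return ("client", tcp_header(40000, 80, seq, ack, flags))

    def s2c(flags, seq, ack):
        return ("server", tcp_header(80, 40000, seq, ack, flags))

    return [
        c2s(SYN, 1000, 0),             # SYN
        s2c(SYN | ACK, 5000, 1001),    # SYN/ACK
        c2s(ACK, 1001, 5001),          # ACK: connection established
        c2s(PSH | ACK, 1001, 5001),    # request data
        c2s(FIN | ACK, 1101, 5001),    # client closes its side
        s2c(ACK, 5001, 1102),          # server acknowledges the FIN
        s2c(FIN | ACK, 5001, 1102),    # server closes its side
        c2s(ACK, 1102, 5002),          # final ACK
    ]


if __name__ == "__main__":
    print(" -> ".join(track_connection(sample_exchange())))
```

A SYN that is never answered leaves the trace parked at SYN_SENT, a RST from either side returns it to CLOSED, and a stray SYN arriving on an established connection raises, which is the behaviour a practitioner wants from anything that claims to track TCP state.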
  35. A. A cable break in a bus topology would split the network into two halves, preventing the nodes on one side of the break from communicating with those on the other. In addition, both halves of the network would be left with one unterminated end, which would prevent the computers on each side of the break from communicating effectively. A cable break in a star or logical ring topology would only interrupt the connection of a single computer to the network. The mesh topology is not often used for LANs, but redundant network connections are a characteristic of mesh networks, which means that a single cable break would have no effect on the network.
  36. D. A wired LAN is a group of computers within a small area, connected by a common network medium. A wired LAN can be configured using a ring, bus, or star topology.
  37. B. A hybrid topology is a network that uses two or more of the basic topologies, connected together so that each workstation can communicate with all of the other workstations. Connecting four switches to a bus topology combines four star networks in such a way that the workstations are all interconnected. Connecting a single workstation to a star and a bus network enables that workstation to access both networks, but it does not enable other workstations to access both topologies. Four workstations, each with a separate connection to the other three, is a mesh network topology, not a hybrid. Four connected switches expands the star topology, but it does not create a hybrid topology.
  38. B. A Local Area Network (LAN), as the name implies, is a group of computers contained within a small geographic area. WANs (Wide Area Networks) connect LANs that are geographically distant. MANs (Metropolitan Area Networks) are not confined to a small area; they are typically larger than a LAN but smaller than a WAN. A Campus Area Network (CAN) typically includes a group of adjacent buildings, such as those of a corporation or university.
  39. A. WANs (Wide Area Networks) connect LANs that are geographically distant. A LAN (Local Area Network), as the name implies, is a group of computers, not other LANs, and it is contained within a small area. MANs (Metropolitan Area Networks) connect LANs in a single metropolitan area; they are not confined to a small area. A MAN is typically larger than a LAN but smaller than a WAN. A Campus Area Network (CAN) typically includes a group of adjacent buildings, such as those of a corporation or university.
  40. A. A bus topology requires terminating resistors at each end of the bus, to remove signals as they reach the end of the cable and prevent them from reflecting back in the other direction and interfering with newly transmitted signals. Star, ring, and mesh topologies do not require terminating resistors.
  41. D. Virtually all of the new Ethernet networks installed today use the star or the hierarchical star topology, with one or more switches functioning as a cabling nexus.
  42. A. A storage area network (SAN) is a network that is dedicated to carrying traffic between servers and storage devices. A Personal Area Network (PAN) provides communication among devices associated with a single person, such as smartphones. A Wide Area Network (WAN) is a network that connects devices or networks at different geographic locations. A Metropolitan Area Network (MAN) is a type of WAN that connects devices within a limited geographic area.
  43. D. A Software-Defined Wide Area Network (SDWAN) is a technology that automates the configuration of WAN routers based on the current mix of traffic. It is therefore not suitable for use on a PAN. Bluetooth, Z-Wave, and near-field communication (NFC) are all short-range wireless technologies that are capable of providing communications between PAN devices.
  44. A, C. WLANs can use the ad hoc topology, in which devices communicate directly with each other, or the infrastructure topology, in which the wireless devices connect to an access point. The bus and star topologies are used by wired networks only.
  45. A. The first Ethernet networks used a physical layer implementation commonly known as Thick Ethernet or 10Base5. The network used coaxial cable in a bus topology. Later Ethernet standards use twisted pair cable in a star topology. Ethernet has never used a ring or mesh topology.
  46. A, C. A hub or a switch can function as the cabling nexus at the center of an Ethernet star topology. Each of the devices on the network is connected by a cable to a hub or switch. Routers are used to connect networks to each other; they cannot function as the center of a star topology.
  47. C. A mesh topology is one in which every node is directly connected to every other node, therefore providing complete redundancy through the network. In a star topology, each node is connected to a central nexus, providing each with a single path to the rest of the network. In a ring topology, each node is connected to two other nodes, providing two possible paths through the network. In a bus topology, nodes are chained together in a line, providing no redundancy.
  48. A. 10Base2 is the physical layer specification for Thin Ethernet, which uses coaxial cable in a bus topology. 10Base-T, 100Base-TX, and 1000Base-T all use twisted pair cable in a star topology.
  49. B, D. Personal area networks (PANs) connect devices associated with a single person, such as smartphones, and are nearly always wireless. Wireless Local Area Networks (WLANs) are wireless by definition. Wide Area Networks (WANs) typically span long distances and are typically wired, at least in part. Storage area networks (SANs) require high performance levels and are nearly always wired.
  50. B. DWDM has become a popular technology in the construction of metro-optical networks because it addresses some of the scalability and cost restrictions of other optical technologies, such as Synchronous Optical Networks (SONETs). DSL, satellite, and cable providers do not typically use DWDM.
  51. C. A peer-to-peer network calls for each workstation to maintain accounts for authenticating users that access their shared resources. On a client-server network, authentication is centralized. Peer-to-peer networks can be more difficult to administer than client-server networks, but they are not inherently less secure. Peer networks sharing copyrighted content on the Internet are illegal, but it is not illegal to share private resources on a peer-to-peer network. Workstations on a peer-to-peer network are not required to share their resources, but they are capable of it.
  52. D. DSL technology provides higher data rates because it uses frequency ranges that are higher than the standard voice spectrum. DSL connections use 10 kHz and above, whereas the standard voice spectrum uses 300 Hz to 4 kHz. DSL does not use separate control circuits and does not perform CRC functions. Also, DSL technology is strictly digital and does not require an analog-to-digital conversion.
  53. C. Rate-Adaptive Digital Subscriber Line (RADSL) technology can adjust its rate of transmission based on line conditions. High-bit-rate Digital Subscriber Line (HDSL), Very high-rate Digital Subscriber Line (VDSL), and Internet Digital Subscriber Line (IDSL) do not use rate adaptive transmission.
  54. D. CATV networks use broadband signaling, which enables many signals to occupy the same channel. DSL and ISDN do not use broadband signaling. SONET is a physical layer standard that defines fiber-optic connections.
  55. B. For this scenario, the best of the options given is a dedicated leased line connection. This is because the bandwidth requirements are constant, and the data transfer rates are high. To support the 40 Mbps data rate, Ed should recommend a T-3 dedicated leased line, running at 44.736 Mbps. Standard modem connections, CATV, and ADSL connections are all too slow.
  56. D. In this scenario, the best solution is for Ralph to use his existing CATV service for the remote connection. CATV offers faster data rates than standard modem-to-modem service and supports VPN connections. A dedicated fractional T-1 line is expensive and is not typically used for remote user connections. Since Ralph's telephone lines are not run through conduit and the distance to the central office is more than 18,000 feet, he probably cannot use DSL technology, because it requires good-quality lines and close proximity to a central office.
  57. A. PSTN is an analog, circuit-switched network. CATV, DSL, and SONET are all digital networks.
  58. D. In a DSL connection, a signal splitter is needed at the customer site to separate the lower frequency voice range from the higher frequencies used by data traffic. The higher frequency signals are handled at the central office by a DSLAM device. Lower frequency signals carrying voice traffic are handled at the central office by a CODEC device. A signal terminator is not required by DSL.
  59. B, C. There are two factors that affect DSL transmission rates. The first is the distance to the nearest central office, and the second is the condition and quality of the line. For DSL to achieve higher data rates, the site must be close to the central office and use good-quality lines for signal transmission. The other options are not factors relating to DSL transmission.
  60. B. A demarcation point, or demarc, is the place where an outside telecommunications service meets a customer's private network, which is typically where the service enters the building. The demarc is also the place where the responsibility of the network administrator ends. If a problem occurs outside the demarc, it is up to the service provider to fix it. Inside the demarc, it is the network administrator's problem.
  61. B. The word symmetric in Symmetric Digital Subscriber Line (SDSL) means that the service provides equal amounts of bandwidth in both directions. The asymmetric in Asymmetric Digital Subscriber Line (ADSL) means that the service provides more downstream bandwidth than upstream. Cable and satellite services are also asymmetric, providing more bandwidth downstream than upstream.
  62. D. The network interface device (NID) at the demarcation point of a leased line can be a simple RJ-45 jack, but many service providers install smartjacks, which can also provide signal conversion, diagnostic testing, and other capabilities. Punchdown blocks, 110 blocks, and Channel Service Unit/Data Service Units (CSU/DSUs) are all telecommunications components located inside the demarc, on the subscriber's private network.
  63. B, C. ISDN and DSL are both remote access technologies that enable users to transmit voice and data simultaneously. To do this, DSL splits the lower analog frequency (voice) range from the higher digital frequency (data) range, whereas ISDN provides multiple data channels (called B channels) that allow for both voice and data transmissions. Broadband cable television networks can often support simultaneous voice and data communications, but they use Voice over Internet Protocol (VoIP) to carry voice traffic over the Internet, not the PSTN. Dial-up connections and SONET do not support the simultaneous transmission of voice and data.
  64. D. The demarc, or demarcation point, is the place where a service enters the building, and where the service provider's physical layer responsibility ends. The patch panel, the switch, and the firewall are all inside the network, and they are the responsibility of the subscriber.
  65. E. A T-3 leased line connection is the equivalent of 28 T-1 connections. Each T-1 consists of 24 channels, so a T-3 has a total of 672 channels (28 × 24).
  66. C. A T-3 leased line connection is the equivalent of 28 T-1 connections. Each T-1 consists of 24 channels, so a T-3 has a total of 672 channels (28 × 24), for an overall transfer rate of 44.736 Mbps.
  67. B. The Synchronous Optical Networking (SONET) standard defines a base data transfer rate of 51.84 Mbps, which is multiplied at the various optical carrier levels. An OC-3 connection therefore runs at 155.52 Mbps, an OC-12 at 622.08 Mbps and so forth. The Synchronous Digital Hierarchy (SDH) is the European equivalent of SONET. Integrated Services Digital Network (ISDN) is a service that combines voice and data services using the Public Switched Telephone Network (PSTN), and Digital Subscriber Line (DSL) is a remote access technology that enables users to transmit voice and data simultaneously.
  68. B. Multiprotocol Label Switching (MPLS) is a data transfer mechanism that assigns labels to individual packets, and then routes the packets based on those labels. Frame relay, Asynchronous Transfer Mode (ATM), Point-to-Point Protocol over Ethernet (PPPoE), and a Software-Defined Wide Area Network (SDWAN) do not assign labels to packets.
  69. A, C. A Session Initiation Protocol (SIP) trunk provides a connection between the private and public domains of a unified communications network. A Voice over Internet Protocol (VoIP) gateway provides a connection between an IP network and the Public Switched Telephone Network (PSTN). Both of these provide a conduit between a subscriber's private network and the network furnished by a service provider. A Channel Service Unit/Data Service Unit (CSU/DSU) is a device that provides a router on a private network with access to a leased line. A smartjack provides signal conversion, diagnostic testing, and other capabilities to leased line subscribers. A Virtual Private Network (VPN) concentrator is a type of router that enables multiple client systems to access a network from remote locations.
  70. A. Synchronous Digital Hierarchy (SDH) is the European equivalent of SONET. Optical carrier 3 (OC-3) is one of the SONET data rates. E-3 is the European equivalent of the T-3 connection in the United States. Asynchronous Transfer Mode (ATM) is a cell-switched protocol that is designed to carry voice, data, and video traffic by splitting it into uniform 53-byte cells.
  71. B. A Channel Service Unit/Data Service Unit (CSU/DSU) is a device that provides a LAN router on a private network with access to a leased line WAN connection. Quad Small Form-factor Pluggable (QSFP) is a standard for a type of modular transceiver, often used on fiber-optic installations. A Session Initiation Protocol (SIP) trunk provides a connection between the private and public domains of a unified communications network, such as a LAN and the Public Switched Telephone Network (PSTN). An intrusion detection system/intrusion prevention system (IDS/IPS) is a network hardware or software security appliance that detects malicious activity and attempts to block it.
  72. D. A subscription to part of the T-1 leased line is called a fractional T-1 service. This service enables you to purchase some of the 24 DS0 channels in a T-1 connection. An E-1 is the European version of a T-1. A B channel is part of an Integrated Services Digital Network (ISDN) service, not a T-1. An OC-1 is a fiber-optic connection on the Synchronous Optical Network (SONET) service.
  73. B. MPLS is a data-carrying service that is often said to operate between the data link layer and the network layer. It is therefore sometimes called a layer 2.5 protocol. MPLS can be used to carry IP datagrams as well as Ethernet, Asynchronous Transfer Mode (ATM), and Synchronous Optical Network (SONET) traffic.
  74. D. An OC-1 connection provides the fastest transfer rate at 51.84 Mbps. An E-1 connection is 2.048 Mbps. A T-3 is 44.736 Mbps, and a T-1 is 1.544 Mbps.
  75. C. The Data Over Cable Service Interface Specification (DOCSIS) is a telecommunications standard that defines the manner in which data is to be transmitted over a cable television system. DOCSIS does not apply to dial-up modem, Digital Subscriber Line (DSL), or Integrated Services Digital Network (ISDN) connections.
  76. B, C. Frame relay services offer permanent virtual circuits (PVCs) and switched virtual circuits (SVCs). SRV is a resource record type in the Domain Name System (DNS), and an Ultra-Physical Contact (UPC) is a type of fiber-optic cable connector.
  77. C, D. Cable broadband and DSL subscribers typically connect to ISP networks that run Ethernet, but Ethernet has no built-in authentication or encryption mechanisms. PPP has the ability to use external authentication and encryption protocols, so by encapsulating PPP within Ethernet frames, users are able to log on to the ISP network securely. Leased lines, such as T-1s, and Synchronous Optical Network (SONET) connections do not use Ethernet connections, so they have no need for PPPoE.
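Answer 77 turns on the fact that PPPoE carries PPP inside Ethernet frames so that PPP's authentication protocols can be used on an Ethernet access network. The added example below, written for this page and not taken from the book, builds and parses the two kinds of PPPoE frame (discovery and session), identifies which PPP protocol a session frame carries, and shows the caveat a practitioner should keep in mind: if the authentication protocol negotiated is PAP, the credentials cross the Ethernet segment in plain text, so "securely" depends on choosing CHAP or EAP. The MAC addresses, session ID and credentials are constructed; the discovery frames omit their TAG fields.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11               # version 1, type 1 (RFC 2516)
DISCOVERY_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP",
                 0x8021: "IPCP", 0x0021: "IPv4"}

CLIENT_MAC = bytes.fromhex("02aabbccddee")   # constructed
AC_MAC = bytes.fromhex("021122334455")       # constructed access concentrator
BROADCAST_MAC = b"\xff" * 6


def build_pppoe_frame(dst_mac, src_mac, code, session_id, ppp_protocol=None, ppp_payload=b""):
    """Code 0 with a PPP protocol number is a session frame; any other code is discovery."""
    if code == 0:
        body = struct.pack("!H", ppp_protocol) + ppp_payload
        ethertype = ETHERTYPE_PPPOE_SESSION
    else:
        body = ppp_payload                      # discovery TAGs would go here; omitted
        ethertype = ETHERTYPE_PPPOE_DISCOVERY
    pppoe_header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(body))
    return dst_mac + src_mac + struct.pack("!H", ethertype) + pppoe_header + body


def parse_pppoe_frame(frame: bytes) -> dict:
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError(f"unsupported PPPoE version/type 0x{ver_type:02x}")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    if ethertype == ETHERTYPE_PPPOE_DISCOVERY:
        return {"stage": "discovery", "session_id": session_id,
                "packet": DISCOVERY_CODES.get(code, f"code 0x{code:02x}")}
    if ethertype != ETHERTYPE_PPPOE_SESSION or code != 0 or length < 2:
        raise ValueError("not a PPPoE frame")
    proto = struct.unpack("!H", body[:2])[0]
    return {"stage": "session", "session_id": session_id,
            "ppp_protocol": PPP_PROTOCOLS.get(proto, f"0x{proto:04x}"), "ppp_payload": body[2:]}


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password field is plain text."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(data)) + data


def decode_pap_request(payload: bytes):
    """Recover peer-id and password from a PAP request, as anyone on the segment could."""
    code, _identifier, length = struct.unpack("!BBH", payload[:4])
    if code != 1 or length != len(payload):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    peer_len = payload[pos]
    peer_id = payload[pos + 1:pos + 1 + peer_len]
    pos += 1 + peer_len
    pw_len = payload[pos]
    password = payload[pos + 1:pos + 1 + pw_len]
    return peer_id.decode(), password.decode()


def credentials_exposed(frame: bytes):
    """Return (peer_id, password) if the frame carries PAP credentials in the clear, else None."""
    info = parse_pppoe_frame(frame)
    if info["stage"] == "session" and info["ppp_protocol"] == "PAP":
        return decode_pap_request(info["ppp_payload"])
    return None


def sample_frames() -> dict:
    """Constructed PADI, a PAP login inside session 1, and an IPv4 datagram inside session 1."""
    return {
        "padi": build_pppoe_frame(BROADCAST_MAC, CLIENT_MAC, 0x09, 0),
        "pap": build_pppoe_frame(AC_MAC, CLIENT_MAC, 0, 1, 0xC023,
                                 pap_authenticate_request(1, b"alice@example.net", b"s3cret-example")),
        "ipv4": build_pppoe_frame(AC_MAC, CLIENT_MAC, 0, 1, 0x0021, b"\x45" + b"\x00" * 19),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, parse_pppoe_frame(frame)["stage"], credentials_exposed(frame))
```

The PADI is addressed to the Ethernet broadcast address, which is why any station on the access segment can see a client looking for an access concentrator; the same visibility is what makes PAP unacceptable on a shared medium.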
  78. C. A smartjack is a device located at the demarcation point of a leased line that can provide additional functions, such as signal conversion, diagnostic testing, and other capabilities. A Session Initiation Protocol (SIP) trunk is a connection to a Voice over Internet Protocol (VoIP) service provider. A media converter is a local area networking device that connects different cable types to the same network. An AAAA server provides authentication, authorization, accounting, and auditing services for remote access servers.
  79. D. Frame relay is a packet switching service that uses a single leased line to replace multiple leased lines by multiplexing traffic through a cloud. Asynchronous Transfer Mode (ATM) uses a switched fabric, but it is not referred to as a cloud. A fractional T-1 is part of a leased line that connects two points, so there is no switching involved and no cloud. SONET is a physical layer standard that defines fiber-optic connections; it does not call for switching or use the term cloud.
  80. D. All coaxial-based Ethernet networks, including Thin Ethernet, use a bus topology. All UTP-based Gigabit Ethernet networks use a star topology. Therefore, an upgrade from coaxial to UTP cable must include a change in topology from bus to star.
  81. D. In most virtualization products, when you create multiple virtual machines on one host computer, they can communicate with each other internally using a built-in virtual switching capability. A computer with multiple network adapters can function as a router, but not as a switch. Layer 3 switches can provide virtual routers that connect VLANs together, but not virtual switches. The function that enables VLANs on different switches to communicate is called trunking, not virtual switching.
  82. B. Type I virtualization does not require a host OS, whereas Type II virtualization does. Both Type I and Type II virtualization can use processors with hardware virtualization assistance, but only Type I requires it. The type of virtualization does not impose any limit on the number of virtual machines supported; any limitations are left to the individual implementation. Both Type I and Type II virtualization can share a single processor among virtual machines.
  83. B. You can create Virtual Local Area Networks (VLANs) on a virtual switch, just as you can create them on many physical switches. In most cases, virtual components function just like their physical counterparts. Virtual NICs are components of virtual machines and therefore do not provide functions spanning entire networks. Virtual routers function at the network layer and virtual firewalls at the application layer, so neither of these can host VLANs, which operate at the data link layer.
  84. B. Just like physical network interface cards (NICs), virtual NICs have 6-byte MAC addresses assigned to them, which enable them to be identified by data link layer protocols. Unlike physical NICs, however, it is typically an easy matter to modify a MAC address on a virtual NIC. Virtual switches, like physical switches, are not addressable devices, so they do not have MAC addresses on an unmanaged network. The hypervisor is the component on a host server that makes virtualization possible, so it does not require a MAC address. Virtual firewalls operate at the application layer, so they do not require data link layer MAC addresses. On a managed network, these devices have a MAC address to communicate with the management console, but addresses are not needed on an unmanaged network.
  85. A. The hypervisor is the hardware or software component responsible for managing virtual machines and providing the virtualized hardware environment on which they run. Virtual servers and virtual switches are components that are part of the virtual network infrastructure enabled by the hypervisor. A Virtual Private Network (VPN) concentrator is a type of router that enables multiple remote clients to connect to a network; it has nothing to do with virtual networking.
  86. C. A computer with a hypervisor, on which you can create virtual machines, is referred to as a host. The virtual machines themselves are called guests. Network Attached Storage (NAS) refers to a device containing shared drives that is connected to a network. A Storage Area Network (SAN) is a separate network dedicated to shared storage devices.
  87. A. It is true that virtual switches can have unlimited ports, whereas physical switches are limited to the number of physical ports in the device. Both virtual and physical switches can support Virtual Local Area Networks (VLANs). Virtual switches can forward traffic to the host server. Physical switches do not always include layer 3 (routing) functionality.
  88. E. A virtual firewall is a service or appliance that performs the same functions as a physical network firewall: packet filtering and monitoring. In a virtual environment, firewalls can take the form of software components installed on a guest virtual machine or a hypervisor host system. A firewall can also be incorporated into a virtual switch.
  89. B. Frame relay is a packet switching service that uses a single leased line to replace multiple leased lines by multiplexing traffic through a cloud. The service can create virtual circuits connecting the subscriber's network to multiple destinations, eliminating the need for a dedicated leased line to each remote site. An E-1 is the European equivalent to a T-1 leased line, which does not replace multiple T-1s. Asynchronous Transfer Mode (ATM) is a cell-switching WAN technology, and Point-to-Point Protocol (PPP) is a protocol that provides a data link layer connection between two end systems. Neither is a replacement for multiple T-1s.
  90. D. Network Address Translation (NAT) enables workstations on private networks to access the Internet by substituting a public IP address in packets generated with private addresses. Layer 2 Tunneling Protocol (L2TP), IPsec, and Multipoint Generic Routing Encapsulation (MGRE) are all protocols that encapsulate packets in an encrypted form within another protocol to secure the contents.
  91. B. The NFV specification, published by the European Telecommunications Standards Institute (ETSI), calls for three main components: virtualized network functions (VNFs), which are software-based implementations of standard network services, such as firewalls and load balancers; a Network Functions Virtualization Infrastructure (NFVI), which is the hardware/software environment that hosts the VNFs; and a Network Functions Virtualization-Management And Orchestration (NFV-MANO) framework, which includes the elements required to deploy and administer the NFVI and the VNFs. The Network Functions Virtualization Industry Specification Group (NFV ISG) is the group within ETSI that develops the NFV specifications; it is not one of the three components.
  92. A. The network medium provides the physical connection between networked computers. This connection can be made through a copper-based, fiber-optic, or wireless medium. The network medium is not a protocol, and it does not pass data packets; it only carries signals. The network medium does not process electrical or light pulses and convert them to data; it carries only the signals generated by transceivers.
  93. D. Copper cables use electrical signals to transmit data. Fiber optic is a cable type, not a signal type. Microwave signals cannot be transmitted over copper cable. Infrared signals are used only for wireless networks.
  94. E. The three organizations that collectively developed the T568B document, which defines the standard for a structured cabling system for voice and data communications, are the American National Standards Institute (ANSI), the Telecommunications Industry Association (TIA), and the Electronic Industries Association (EIA). None of the other options are standards organizations or cabling standards.
  95. D. The cable type and connector used to attach a television set to a CATV network is a coaxial cable with a screw-on F-type connector. Although CATV networks typically use fiber-optic cables and ST connectors for outdoor connections, they do not use fiber for internal connections to television sets. Coaxial cables with BNC connectors are most commonly used for Thin Ethernet LANs, not CATV network connections. Twisted pair cables and RJ-45 connectors are used for Ethernet LANs and telephone networks, but not CATV networks. AUI cables and vampire tap connectors are used for Thick Ethernet networks. Twinaxial cables are used for SATA 3.0 device and 100 Gbit Ethernet connections, but not for CATV connections.
  96. A. The cable type used for Thick Ethernet segments is a coaxial cable called RG-8. RG-58 is used exclusively on Thin Ethernet segments. RJ-45 is a connector type used in twisted pair cabling for data networks. RJ-11 is a connector type used in twisted pair cabling for telecommunications networks.
  97. B. RG-58 coaxial cable is used exclusively for Thin Ethernet segments. RG-8 cable is used for Thick Ethernet segments. RJ-45 is a connector type used in twisted pair cabling for data networks. RJ-11 is a connector type used in twisted pair cabling for telecommunications networks.
  98. A. A 66 block is a type of punchdown block for telephone systems that was first introduced in 1962. By the year 2000, nearly all commercial telephone installations had begun using 110 blocks instead; 110 blocks are still in use, as are smartjacks and patch panels.
  99. C. The Krone LSA-Plus is a proprietary telecommunications connector type commonly used in European installations. The 66 block is an outdated type of punchdown block for U.S. telephone systems. Multipoint Generic Routing Encapsulation (mGRE) is a technique for encapsulating network layer protocols; it is not a type of punchdown block. BIX (Building Industry Cross-connect) is a proprietary U.S. telecommunications connection system.
  100. A, D. RG-6 and RG-59 are 75 ohm cables that are still used for cable television and similar connections. RG-8 and RG-58 are 50 ohm cables that were formerly used for Thick Ethernet and Thin Ethernet, respectively, but are no longer in general use.
  101. A, B, C. Joining an APC to a UPC creates a mismatched connection that generates an extremely high rate of insertion loss (attenuation). APCs do generate more insertion loss than UPCs and less return loss (reflection). It is APCs, not UPCs, that use green boots or bodies on the connectors.
  102. D. Bayonet-Neill-Concelman (BNC) is a type of connector used with coaxial cable. Subscriber Connector (SC), Mechanical Transfer-Registered Jack (MT-RJ), and Straight Tip (ST) are all types of fiber-optic connectors.
  103. C. The Gigabit Interface Converter (GBIC) transceiver standard was first published in 1995 and defines a maximum data transfer rate of 1.25 Gbps. It was rendered all but obsolete by the Small Form-factor Pluggable (SFP) standard, introduced in 2001, which ran at the same maximum speed but was smaller in size. Subsequent variations on the standard, such as SFP+, Quad Small Form-factor Pluggable (QSFP), and QSFP+, defined devices with faster transfer rates.
  104. B. There are two main types of twisted pair wiring used for data communications: Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP). Both types can be used in a star topology. UTP and STP cables contain eight copper conductors twisted in four pairs. UTP and STP cables use RJ-45 connectors to connect end systems to switches, patch panels, and wall plates. RG-8 and RG-58 coaxial cable can only be used in a bus topology. Fiber-optic cable can be used in a star topology, but it uses either glass or plastic conductors and does not use RJ-45 connectors.
  105. C. The twists in a twisted pair cable prevent the signals on the different wires from interfering with each other (which is called crosstalk) and also provide resistance to outside electromagnetic interference. The twists have no effect on collisions. The twists cannot completely eliminate the effects of EMI. Twists have nothing to do with the bend radius allowance for the cable.
  106. A. A crimper or crimping tool is a jawed device that has a set of dies in it. Installers use a crimper to squeeze the two halves of an RJ-45 or RJ-11 connector together, with the wires inside securing the connector to the cable. Installers use a splicing tool to splice two cable segments together. There is no tool called a pigtail or a patch.
  107. C. Thin Ethernet networks use a type of 50-ohm coaxial cable called RG-58, which is 0.195 inches in diameter and uses BNC connectors. 75-ohm coaxial cable with F connectors is used for cable television networks, and RG-8 coaxial is the cable that Thick Ethernet networks use.
  108. B, C, E. Thin Ethernet networks use BNC connectors. Thick Ethernet networks use N-type connectors. All Unshielded Twisted Pair (UTP) Ethernet networks use RJ-45 connectors. F-type connectors are used with coaxial cable, typically for cable television installations. DB-9 connectors are commonly used for serial communications ports.
  109. D. Thin Ethernet networks use a type of coaxial cable that runs from each computer to the next one, forming a bus topology. To connect the cable to the network computers, each network interface adapter has a T-connector attached to it, with two additional male BNC connectors, to which you connect two lengths of network cabling.
  110. B, D, E. Fiber-optic cable connectors all function on the same basic principles, but there are a variety of form factors from which to choose, including Straight Tip (ST), Local Connector (LC), and Mechanical Transfer–Registered Jack (MT-RJ). RJ-11 is a twisted pair cable connector, and F connectors are for coaxial cable.
  111. E. Thick Ethernet installations used a type of coaxial cable called RG-8. To connect a node to the network, installers ran a separate cable called an Attachment Unit Interface (AUI) cable from the computer to the RG-8 and connected it using a device called a vampire tap that pierced the sheathing to make contact with the conductors within. All of the other cable types listed use different types of connectors.
  112. D. The cabling nexus in a telecommunications room is called a patch panel. A telepole is a tool used for installing cables. A backbone is a network that connects other Local Area Networks (LANs) together. A demarcation point, or demarc, is the location at which a telecommunication provider's service meets the customer's private network. A fiber distribution panel is used for fiber optic cable, not Unshielded Twisted Pair (UTP), connections.
  113. A, C. Single-mode cables are capable of spanning longer distances than multimode because they have a narrower core diameter, reducing signal dispersion rates. Because the core consists of fewer (typically one or two) strands, single-mode cables are less flexible than multimode and cannot bend around corners as easily, making them more difficult to install. Because they use light impulses rather than electricity, all fiber-optic cables are completely immune to electromagnetic interference.
  114. A, C, D. Voice telephone networks do not have performance requirements as strict as those of data networks, so they are less liable to suffer from crosstalk and other types of interference. As a result, installers often use larger UTP cables for telephone connections. UTP cables are available in configurations containing 25 wire pairs and 100 wire pairs in a single sheath, which enables installers to service multiple users with a single cable. The punchdown blocks for UTP data networks with 8P8C connectors are called 110 blocks. The older standard for punchdown blocks is the 66 block. Rarely used for data networking, 66 blocks are still found in many telephone service installations.
  115. B, C. Single-mode cables have a smaller core filament and can span longer distances than multimode cables. Single-mode cables also use a laser light source, have a larger bend radius, and do not require a ground.
  116. D. Installers use a punchdown block tool to connect the ends of bulk cable runs to jacks in wall plates and patch panels. A crimper or crimping tool is a jawed device that enables installers to squeeze the two halves of an RJ-45 or RJ-11 connector together, securing the connector to the cable. Installers use a splicing tool to splice two cable segments together. There is no tool called a pigtail.
  117. A. Multimode fiber-optic cable best meets the client's needs. Fiber-optic cable supports the required 1000 Mbps data rate and can connect networks that are more than 1000 feet apart. Fiber-optic cable is immune to EMI. Although both multimode and single-mode fiber would meet the corporation's general needs, multimode is best in this scenario because it is less expensive than single-mode fiber. Twisted pair wiring (STP or UTP) meets the data rate and cost requirements but does not support connections longer than 100 meters. Thin coaxial cable does not support the data rate or distances longer than 185 meters.
  118. A, B, C. BNC connectors are used for coaxial Thin Ethernet networks, and N-type connectors with Thick Ethernet. F-type connectors are used for coaxial cable television installations. Straight Tip (ST) connectors are used with fiber-optic cable, and RJ-11 connectors are used for telephone installations.
  119. C. Either CAT6 or CAT6a UTP cable will provide the currently required 1 Gbps data rate, with a migration path to 10 Gbps in the future. The backbone cabling connecting the two LANs needs to be fiber optic, since it exceeds the distance limitations of twisted pair and coaxial cable. CAT5 cable conceivably runs at 1 Gbps; however, it does not run at 10 Gbps.
  120. D. The Thin Ethernet LAN is the network most endangered by the cable break. If a bus network is severed, all of the workstations on it are affected because the cable segments are no longer terminated at one end. The Gigabit Ethernet network uses a star topology, which means that only the one computer using the severed cable could be disconnected from the network. An FDDI double ring network can survive a single cable break without any workstations being affected.
  121. A. You use a punchdown block tool to connect the ends of bulk cable runs to jacks in wall plates and patch panels. The steps of the process are as follows:
    1. Strip some of the sheath off the cable end to expose the wires.
    2. Separate the twisted wire pairs at the ends.
    3. Strip a small amount of insulation off each wire.
    4. Insert the wires into the appropriate contacts in the jack.
    5. Press the bare wire down between the two metal contacts that hold it in place.
    6. Cut off the excess wire that protrudes past the contacts.

    You must repeat the process of punching down for both ends of your internal cable runs.

  122. D. ST, SC, fiber LC, and MT-RJ are all connectors used with fiber-optic cables. F-type connectors are used with coaxial cables.
  123. D, E, F. Category 6a (CAT6a) twisted pair cable is a variant on CAT6 that enables you to create 10GBase-T networks with segments up to 100 meters long. Category 7 (CAT7) cable adds shielding both to the individual wire pairs and to the entire cable, for even greater resistance to crosstalk and noise. CAT7 supports 100-meter 10GBase-T segments as well. CAT8 cable supports bandwidth up to 2 GHz, making it even more suitable for 10GBase-T networks than CAT6a (500 MHz) or CAT7 (600 MHz). CAT5 and CAT5e are not suitable for use with 10GBase-T. You can use CAT6 for 10GBase-T, but it is limited to 55-meter segments.
  124. C, D. The DB-9 and DB-25 connectors were at one time ubiquitous on personal computers, providing peripheral connections to modems, printers, and other devices. They have since been largely eliminated in favor of USB. BNC connectors were used for Thin Ethernet networking, but they have been replaced by Unshielded Twisted Pair (UTP) cable with RJ-45 connectors. RJ-11 connectors are used for telephone connections.
  125. A. CAT3 cable was originally intended for use in voice-grade telephone networks but was later certified for use in data networks. CAT3 cable can support data transfer rates from 4 Mbps up to 100 Mbps (using the now-deprecated 100Base-T4 and 100VG-AnyLAN standards). Although this type of cable could run at 100 Mbps, it was seldom used at speeds greater than 10 Mbps. CAT5 cable was the primary replacement for CAT3, supporting data rates up to 100 Mbps. CAT5e and CAT6 are rated for data rates up to 1 Gbps, as on Gigabit Ethernet networks. CAT6 can even support 10 Gbps transfer rates over shorter distances.
  126. E. Because the company has few employees, a single location, and cost restrictions, the best solution is a star topology with prefabricated twisted pair cabling and an external installation method. The star topology uses a central switch. Prefabricated twisted pair cabling, with the connectors already attached, will keep the cost to a minimum. Since the employees are all located in the same building, with a common wall and a drop ceiling, the external installation method is the best choice. It is not possible to use a bus topology or coaxial cable for Gigabit Ethernet. Ed could use fiber-optic cable in a star topology for Gigabit Ethernet, but it is more difficult and expensive to install. An internal installation, which uses a combination of bulk cable and prefabricated cables, is more expensive than an external installation and is typically used for larger networks.
  127. B, D. The main cable types used in LANs today are multimode fiber optic and unshielded twisted pair. Single-mode fiber optic is used primarily for long-distance Wide Area Network (WAN) connections, and coaxial cable is no longer used for LANs.
  128. B, D, F. Coaxial cable has two conductors within the same sheath that share a common axis. These conductors are surrounded by an outer insulating sheath of either PVC or Teflon. Copper cables carry electrical signals. Only fiber-optic cables carry light pulse signals.
  129. F. All twisted pair Gigabit Ethernet implementations require all four wire pairs to achieve 1000 Mbps transfer rates.
  130. B, C, D. CAT5 cable was the original cable standard intended for transfer rates up to 100 Mbps. CAT5e and CAT6 support 100 Mbps and are also rated for data rates up to 1000 Mbps. All three of these standards also support the 10 Mbps transfer rate. CAT3 can support both 10 and 100 Mbps, but it requires four pairs for 100 Mbps.
  131. A, B, D, E, F. Fiber-optic cable comes in two types: multimode and single-mode. Fiber-optic cables vary in light source (LED or laser), cable grade (glass or plastic), and size of the core conductor. Single-mode uses a higher-grade glass conductor with a laser light source. Multimode fiber uses an LED light source. Both types can use either ST or SC connectors to physically connect end devices to a fiber-optic network. Fiber-optic cable is used to extend networks over long distances. Fiber-optic cables do not use IDC connectors, which are intended for use with Shielded Twisted Pair (STP) cable.
  132. A, D, F. The use of bulk cable with no connectors, wall plates, and rack-mounted patch panels are all characteristics of an internal wiring installation. Internal installations typically cover large geographic areas that require cabling through walls, ceilings, and around other obstacles, making the cabling difficult to move. Solid core wiring is used for longer cable runs, whereas shorter cable runs such as connections from node to wall plate use prefabricated stranded core cables with connectors attached.
  133. B. 40GBase-T is a 40-gigabits-per-second (Gbps) Ethernet specification that calls for 4-pair CAT8 twisted pair cabling for lengths up to 30 meters. 10GBase-T and 100Base-TX do not require CAT8 cable, and 1000Base-SX is a fiber optic standard.
  134. E. Ralph should use a mesh topology with redundant fiber-optic cable runs and an internal installation method. This will meet the requirements for connecting the LANs and providing redundancy and fault tolerance. Fiber-optic cable is immune to electromagnetic interference (EMI) and can span long distances. The internal installation method is most often used in larger networks, where end systems are geographically distant. The star topology will not fulfill the requirements since it provides no redundancy. Twisted pair cable cannot span distances more than 100 meters, and it is highly susceptible to EMI. Coaxial cable cannot span distances more than 500 meters, and it is also susceptible to EMI. The bus topology cannot use twisted pair cabling and does not support cable runs longer than 500 meters.
  135. B. Although the design calls for an archaic technology, a Thin Ethernet network runs at 10 Mbps and can support 20 workstations over a maximum distance of 185 meters, thus achieving the primary goal. However, Thin Ethernet uses copper-based coaxial cable, which is susceptible to EMI, and it uses a bus topology, which is not tolerant of a cable break. Therefore, the solution does not achieve either of the secondary goals.
  136. D. Fiber-optic cable is not more tolerant of cable breaks than UTP. Some fiber-optic networks are fault tolerant, but the Ethernet fiber-optic specifications are not. UTP cables connecting a computer to a switch can be no longer than 100 meters, making 200 meters the maximum distance between two computers. Connecting two buildings with a copper-based cable creates an electrical connection between them, which can be hazardous. Fiber-optic cable does not create an electrical connection. Fiber-optic cable is also unaffected by the EMI generated by manufacturing equipment.
  137. A, B. FLP signals are an enhancement of the Normal Link Pulse (NLP) signals defined in the 10Base-T standard, which verify the integrity of the link. In 100Base-TX, the FLP signals retain that function, but they also enable multispeed devices to negotiate the speed at which they will operate. FLP signals do not indicate collisions or bad frames.
  138. B. The 10GBase-CX4 specification calls for the use of a twinaxial copper cable with segments no longer than 15 meters. The 10GBase-LR, 10GBase-ER, 10GBase-LX4, and 10GBase-SR specifications all call for fiber-optic cable.
  139. D. The multispeed network interface adapters in the computers can run at 1 Gbps speed using the existing CAT5 cable, but the 100Base-T switch must be replaced with a 1000Base-T switch. While the network might run better with a cable upgrade, it is not immediately necessary. Replacing the network interface adapters is not necessary because the existing multispeed adapters can run at 1 Gbps if they are connected to a 1000Base-T switch.
  140. C. 1000Base-T is the fastest Ethernet specification that can run on CAT5 UTP cable. 10GBase-T requires at least Category 5e (CAT5e) or Category 6 (CAT6) UTP cable. 100Base-TX can use CAT5 cable, but it runs at one-tenth the speed of 1000Base-T. 1000Base-LX and 1000Base-SX are fiber-optic specifications that cannot run on CAT5 UTP or any copper cable.
  141. B, C, E. The three IEEE 10 Mbps standards for Ethernet are 10Base2, 10Base5, and 10Base-T. 10Base2 is limited to 185-meter segments; 10Base5 is limited to 500-meter segments; and 10Base-T is limited to 100-meter segments. The other options are not valid.
  142. A, D. The first version of DIX Ethernet (Version 1) supported RG-8 thick coaxial cable in a bus topology. Version 2 added support for thin coaxial cable (RG-58) but was still limited to a bus topology. RG-10 and RG-14 are not Ethernet cable types.
  143. D. The best solution in this scenario is to upgrade to 1000Base-T and replace the existing hubs with switches. 1000Base-T provides the fastest transfer speeds supported by the existing cable. Since users are complaining that the network is slow with the existing hubs, it makes sense to replace the shared hub environment with switches that offer dedicated bandwidth on each port. Any solution that does not replace the hubs would not address the users' complaints. 100Base-TX would provide a speed increase, but it runs at ~1/10 the speed of 1000Base-TX. Upgrading to 100Base-FX or 100Base-SX would require the cabling to be replaced with fiber optic, which would be very expensive.
  144. A. Option A is the T568B pinout that Ralph should use when attaching connectors to the cables. Option B is the T568A pinout, which would also work but that Ralph has been instructed not to use. Options C and D are both incorrect and can result in excessive amounts of crosstalk.
  145. B. The plier-like device is a crimper, which cable installers use to attach RJ-45 connectors, like those in the bag, to lengths of bulk cable. This is the process of creating patch cables, which are used to connect computers to wall plates and patch panels to switches. The boss is telling Ralph to start making patch cables in 5-foot and 10-foot lengths. You do not use a crimper to attach keystone connectors, and the boss has not given Ralph the tools and components needed to pull cable runs or install a patch panel.
  146. D. The types of wavelength division multiplexing use different spacing of the wavelengths they carry, which enables them to fit different numbers of channels on a single medium. WDM (or BWDM) carries two wavelengths for bidirectional communication. CWDM can carry up to 16 channels and DWDM 40 or 80 (depending on the spacing used). Various amplification technologies (including EDFA and Raman) can expand the usable wavelength range in each type.
  147. B. Network Address Translation (NAT) is a service that enables computers with unregistered IP addresses to access the Internet by substituting a registered address in packets as they pass through a router. The Dynamic Host Configuration Protocol (DHCP) is an IP address allocation service. Domain Name System (DNS) resolves domain and hostnames into IP addresses, and Network Time Protocol (NTP) enables network devices to synchronize their time settings.
  148. C. A dual stack is an IP implementation that includes both IPv4 and IPv6 protocol stacks, operating simultaneously. A computer with two network adapters or connections to two network segments is often called multihomed. A computer with two installed operating systems is called a dual-boot system.
  149. B. NAT works by modifying IP addresses, which are a network layer element. The data link layer is concerned only with communications on the local subnet and is not involved with NAT processing. Because NAT modifies only the IP packet headers, it works with any transport layer protocol. NAT also works with most TCP/IP applications because it operates below the application layer of the OSI model.
  150. C. You cannot extend the IPv4 address beyond its 32-bit size, and you cannot remove bits from the network identifier, or the packets will not be routed properly. You must therefore create a subnet by borrowing bits from the host identifier.
  151. B, C. IPv4 addresses with first byte values from 224 to 239 are Class D addresses, which are reserved for use as multicast addresses. Therefore, you cannot assign 229.6.87.3 to a host. Option C, 103.256.77.4, is an invalid address because the value 256 cannot be represented by an 8-bit binary value. The other options, 1.1.1.1 and 9.34.0.1, are both valid IPv4 addresses.
  152. B. The value after the slash in a Classless Inter-Domain Routing (CIDR) address specifies the number of bits in the network identifier. An IPv4 address has 32 bits, so if 17 bits are allocated to the network identifier, 15 bits are left for the host identifier.
  153. B, E. RFC 1918 defines the private address space as the following ranges:
    • 10.0.0.0–10.255.255.255
    • 172.16.0.0–172.31.255.255
    • 192.168.0.0–192.168.255.255

    Option B, 172.33.19.7, and Option E, 172.15.2.9, both fall outside the specified private Class B range (172.16.0.0 to 172.31.255.255) and are therefore not valid private addresses.

  154. C. To create a network with 8 subnets and 30 hosts per subnet, Alice would have to allocate 3 of the 8 bits in the last octet for subnet identifiers. This would result in a binary value of 11100000 for the last octet in the subnet mask, which converts to a decimal value of 224.
  155. A. A Class A address uses only the first octet as the network identifier, which yields a binary subnet mask of 11111111 00000000 00000000 00000000. In decimal form, the subnet mask is 255.0.0.0. The 255.255.0.0 mask is for Class B addresses, and 255.255.255.0 is for Class C addresses. Option D, 255.255.255.255, is the broadcast address for the current network.
  156. B. According to RFC 3927, when a DHCP client cannot access a DHCP server, APIPA assigns it an address on the 169.254/16 network, which spans 169.254.0.0 to 169.254.255.255.
  157. D. Address 127.0.0.1 is the designated IPv4 local loopback address, and as such, it is reserved. It falls between Class A, which has first octet values from 1 to 126, and Class B, which has first octet values of 128 to 191.
  158. C. The address fe00::c955:c944:acdd:3fcb is correctly formatted for IPv6, with the double colon replacing three blocks of zeroes. Uncompressed, the address would appear as follows: fe00:0000:0000:0000:c955:c944:acdd:3fcb. Option A contains a nonhexadecimal digit. Option B contains only seven 16-bit blocks (and no double colon) instead of the eight required for 128 bits. Option D contains blocks larger than 16 bits.
  159. B. All Class B addresses have first octet values between 128 and 191. The first octet range of a Class A address is 1 to 126, and the Class C first octet range is 192 to 223. Class D addresses have a first octet range of 224 to 239.
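The address checks that answers 151 through 159 perform by hand (classful first-octet ranges, the RFC 1918 private space, the 169.254/16 APIPA range and the 127/8 loopback range) as one added Python example; it is not part of the original answer key, uses only the standard library, and the `classify_ipv4` function and its result keys are this example's own.

```python
"""Classify IPv4 address strings the way answers 151-159 do.

Added example, not part of the original answer key; standard library only.
The addresses used in the demo are the ones the answers quote plus a few
constructed ones.
"""
import ipaddress

# RFC 1918 private ranges, exactly as listed in answer 153.
RFC1918 = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")   # answer 157
APIPA = ipaddress.IPv4Network("169.254.0.0/16")   # RFC 3927, answer 156
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ipv4_class(first_octet: int):
    """Classful letter for a first octet. Returns None for 0 and for 127,
    which the answer key treats as outside the Class A and Class B ranges."""
    if first_octet in (0, 127):
        return None
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def classify_ipv4(text: str) -> dict:
    """Describe an address string.

    'valid' is False for strings such as 103.256.77.4, whose octet 256 does
    not fit in 8 bits (answer 151). Everything else is derived from the
    integer value of the address, so no string parsing of our own is needed.
    """
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return {"valid": False, "input": text}

    cls = ipv4_class(int(addr) >> 24)
    info = {
        "valid": True,
        "input": text,
        "class": cls,
        "default_mask": DEFAULT_MASK.get(cls),     # answer 155
        "rfc1918_private": any(addr in net for net in RFC1918),
        "loopback": addr in LOOPBACK,
        "apipa": addr in APIPA,
        "multicast": cls == "D",
    }
    # Only unicast Class A-C addresses can be assigned to a host interface:
    # Class D is multicast, Class E is reserved, 127/8 is loopback.
    info["assignable"] = cls in ("A", "B", "C")
    return info


if __name__ == "__main__":
    for sample in ("229.6.87.3", "103.256.77.4", "172.33.19.7", "172.16.4.2"):
        print(sample, classify_ipv4(sample))
```

Note that `ipaddress.IPv4Address.is_private` would also flag loopback, APIPA and several other special-purpose ranges, which is why the RFC 1918 test is spelled out explicitly.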
  160. A. Variable-length subnet masking (VLSM) describes the process of subnetting an IPv4 network address by assigning an arbitrary number of host bits as subnet bits, providing administrators with great flexibility over the number of subnets created and the number of hosts in each subnet. Automatic Private IP Addressing (APIPA) is the process by which a DHCP client assigns itself an IP address when no DHCP servers are accessible. Virtual Local Area Networks (VLANs) are logical structures used to create separate broadcast domains on a large, switched network. Extended Unique Identifier-64 (EUI-64) is an addressing method used to create IPv6 link local addresses out of media access control (MAC) addresses.
  161. B. The 14-bit prefix indicated in the network address will result in a mask with 14 ones followed by 18 zeroes. Broken into 8-bit blocks, the binary mask value is as follows:

    11111111 11111100 00000000 00000000

    Converted into decimal values, this results in a subnet mask value of 255.252.0.0.

  162. A. In this scenario, the company has a Class C Internet Protocol (IPv4) address, which consists of 24 network bits and 8 host bits. The company wants 10 subnets and 14 hosts per subnet, so Ed must subdivide the 8 host bits into subnet and host bits. He can allocate 4 of the 8 host bits for subnets, enabling him to create up to 16 subnets. This leaves 4 bits for host addresses, enabling Ed to create 14 hosts per subnet.
  163. E. The formula for calculating the number of subnets you can create using a subnet identifier of a given length is 2^x, where x is the number of bits in the subnet identifier. Therefore, with a 14-bit subnet, you can conceivably create 2^14, or 16,384, subnets.
  164. C. In this scenario, the last byte of the IP address assigned to the company must be subdivided into 3 subnet bits and 5 host bits. The 3 subnet bits will give Alice up to 8 subnets, with 5 host bits for up to 30 hosts per subnet. The new subnet mask is 255.255.255.224. The 224 is the decimal equivalent of the binary value 11100000, which represents the 3 subnet bits and the 5 host bits.
  165. D. To convert a MAC address to an Extended Unique Identifier (EUI-64), you split the 6-byte MAC address into two 3-byte halves and insert the 2-byte value FFFE in between, as follows:

    001F9E FFFE FC7AD0

    Then, you change the seventh bit in the first byte, the universal/local bit, from 0 to 1, indicating that this is a locally created address. This results in a binary first byte value of 00000010, which converts to 02 in hexadecimal.

    Finally, you add the IPv6 link local prefix FE80::/10, resulting in the following complete address:

    FE80::021F:9EFF:FEFC:7AD0

    All of the other answers either insert the FFFE bytes in the wrong place or fail to change the universal/local bit.
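
The EUI-64 conversion described in answer 165, carried out in code. This is an added example and is not code from the book; it uses Python's standard ipaddress module and the MAC address 00-1F-9E-FC-7A-D0 implied by the answer's working. The inversion of the universal/local bit follows RFC 4291: for a manufacturer-assigned MAC that bit is 0, so it becomes 1, exactly as the answer states. A reverse function is included because the interface identifier is reversible, which is why an EUI-64 link-local address reveals the interface's MAC address and vendor prefix to anyone on the link.

```python
import ipaddress
import re


def mac_to_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier from a 48-bit MAC."""
    raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the MAC into two 3-byte halves and insert FF FE between them.
    eui64 = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Invert the universal/local bit (bit 7 of the first byte, value 0x02).
    # For a manufacturer-assigned MAC it is 0, so it becomes 1 (00 -> 02).
    eui64[0] ^= 0x02
    return bytes(eui64)


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Combine the fe80::/64 link-local prefix with the EUI-64 interface identifier."""
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    prefix = int(ipaddress.IPv6Network("fe80::/64").network_address)
    return ipaddress.IPv6Address(prefix | iid)


def link_local_to_mac(addr: str) -> str:
    """Recover the MAC address from an EUI-64-derived link-local address."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    first = iid[0] ^ 0x02  # undo the universal/local bit inversion
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac_bytes)


if __name__ == "__main__":
    mac = "00-1F-9E-FC-7A-D0"  # the MAC address implied by answer 165
    print(mac_to_eui64(mac).hex())        # 021f9efffefc7ad0
    print(eui64_link_local(mac))          # fe80::21f:9eff:fefc:7ad0
    print(link_local_to_mac("fe80::21f:9eff:fefc:7ad0"))
```

Note that ipaddress prints the address in compressed form (fe80::21f:9eff:fefc:7ad0); it is the same 128-bit value as the FE80::021F:9EFF:FEFC:7AD0 given in the answer, with the leading zero of the 021F block dropped.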

  166. A. A standard Class B address with a mask of 255.255.0.0 has 16 bits that can be used for subnets and hosts. To get 600 subnets, you must use 10 of the available bits, which gives you up to 1024 subnets. This leaves 6 host bits, which gives you up to 62 hosts per subnet, which exceeds the requirement of 55 requested by the client. Using 9 bits would give you only 510 subnets, while 11 bits would give you 2046 subnets but leave you only 5 bits for a maximum of 30 hosts, which is not enough.
  167. C. The formula for calculating the number of hosts you can create using a host identifier of a given length is 2^x - 2, where x is the number of bits in the host identifier. You cannot create a host with an address of all zeroes or all ones, which is why you subtract 2. On a network that uses 20 bits for network identification, 12 bits are left for the host identifier. Using those 12 bits, you can create 2^12 - 2, or 4,094, host addresses.
  168. B. With a Class B subnet mask of 255.255.248.0, the binary form of the third and fourth bytes is 11111000 00000000. There are 5 subnet bits, providing up to 32 subnets and 11 host bits, providing up to 2046 hosts.
  169. A. The decimal value for 11111111 is 255, the value for 11100000 is 224, and the value for 00000000 is 0, so the mask is 255.255.224.0.
  170. B. With a network address of 192.168.1.32 and 27 mask bits, the subnet mask value is 11111111.11111111.11111111.11100000 in binary form, or 255.255.255.224 in decimal form. This leaves 5 bits for the host identifier. The valid range of host bits is therefore 00001 (1) through 11110 (30). This gives you a range of 192.168.1.32 + 1 (33) through 192.168.1.32 + 30 (62).
  171. C. To calculate the number of host addresses available, Alice must determine the number of host bits in the address, which is 10, raise 2 to that power, and subtract 2 for the network and broadcast addresses, which are unusable for hosts. The formula is therefore 2^x - 2, so 2^10 - 2 = 1022.
  172. B. When a DHCP client cannot access a DHCP server, APIPA assigns it a Class B address using the network address 169.254/16, which yields the address range 169.254.0.0 to 169.254.255.255.
  173. D. Class D addresses are used for multicast transmissions. Class A, Class B, and Class C addresses are used for unicast transmissions. Class E is for experimental use only.
  174. C. The address 10.1.0.253 is a proper address in the private address range 10.0.0.0 to 10.255.255.255. The address 192.167.9.46 falls outside the designated private IP address range, which is 192.168.0.0 to 192.168.255.255, and is therefore not a viable address on a private network. 172.16.255.255 is a broadcast address, which you cannot assign to a host. 225.87.34.1 falls in the Class D multicast address range and cannot be assigned to a single host.
  175. B. The address given uses 20 bits to identify the network, leaving 12 bits for the host identifier. In binary form, therefore, the subnet mask value would be 11111111 11111111 11110000 00000000. The decimal value for 11111111 is 255, and the decimal value for 11110000 is 240. Therefore, the subnet mask is 255.255.240.0.
  176. B. A /28 address leaves 4 bits for the host identifier. To calculate the number of hosts, Ed uses 2^4 - 2 = 14. The first address on the subnet is therefore 192.168.2.33, and the fourteenth is 192.168.2.46.
  177. A. 1.0.0.1 is a legitimate address that falls into Class A. Option B, 127.98.127.0, falls into the range of addresses reserved for use as loopback addresses (127.0.0.1 to 127.255.255.255). Option C, 234.9.76.32, falls into Class D, which is reserved for use as multicast addresses. Option D, 240.65.8.124, is a Class E address; that class is reserved for experimental use.
  178. A. An IPv6 link local address is automatically assigned to each interface. Like Automatic Private IP Addressing (APIPA), it provides communication on the local network only. Global unicast addresses are routable; they are the functional equivalent of IPv4 registered addresses. Site local addresses are the equivalent of private IPv4 addresses. Anycast addresses are designed to transmit to any one host in a multicast group.
  179. A, B. Unlike network address translation, port address translation uses a single public IPv4 address for all of the client workstations. Instead of assigning each workstation a unique address, PAT assigns each workstation a unique port number.
  180. B. Stateless Address Auto-Configuration (SLAAC) is the means by which IPv6 systems self-generate link-local addresses with the prefix fe80::/64, much as IPv4 systems use APIPA to generate addresses. IPv6 systems can use DHCPv6 to obtain stateful (not stateless) addresses. An Extended Unique Identifier (such as EUI-64) is the format for a media access control (MAC) address.
  181. A, D. Teredo and 6to4 are both tunneling protocols that were intended as transitional mechanisms, enabling the encapsulation of IPv6 datagrams within IPv4 packets. IPsec uses tunneling, but it is not used for the encapsulation of IPv6 traffic. Internet Control Message Protocol v6, like its ICMPv4 equivalent, enables routers and hosts to transmit informational and error messages; it does not use tunneling.
  182. A. ICMPv6 hosts generate Router Solicitation messages and transmit them to the All Routers multicast address. Routers respond using Router Advertisement messages, which contain the prefix information that the host uses to generate a link-local address. Hosts do not have to learn the address of the nearest router, because they can use the All Routers multicast. Address conflict detection comes after the host has created a link-local address and does not use Router Solicitation and Router Advertisement messages. Hosts do not use Router Solicitation and Router Advertisement messages to encapsulate IPv4 packets.
  183. B, D. A virtual IP address is an address that does not correspond to a physical network interface. Network Address Translation (NAT) uses virtual public IP addresses as substitutes for the private IP addresses associated with the client hosts. A network interface in a virtual machine is virtual as well, so the IP address associated with that interface must also be virtual. Dynamic Host Configuration Protocol (DHCP) and Automatic Private IP Addressing (APIPA) both can assign IP addresses to physical network interfaces; these addresses are therefore not virtual.
  184. A. A subinterface is a logical (or virtual) network interface associated with a specific physical network interface. Devices (such as routers) can use multiple subinterfaces to connect to different subnets using a single physical network interface adapter. A subinterface is a logical device, so it is not one port on a physical network interface adapter or a physical adapter connected to a subnet. A subinterface is a complete logical interface, not just an IP address.
  185. A. The default port for the Post Office Protocol (POP3) is 110. The default port for the Simple Mail Transfer Protocol (SMTP), the other protocol used by email clients, is 25. Port 143 is the default for the Internet Message Access Protocol (IMAP), a different email mailbox protocol that clients never use with POP3. Port 80 is the default for the Hypertext Transfer Protocol (HTTP), which is not used by POP3 email clients.
  186. D. The File Transfer Protocol (FTP) uses two port numbers. It uses the first, port 21, for a control connection that remains open during the entire client/server session. The second port, 20, is for a data connection that opens only when the protocol is actually transferring a file between the client and the server. Network Time Protocol (NTP), Simple Network Management Protocol (SNMP), and Hypertext Transfer Protocol (HTTP) all use a single port on the server.
  187. C. Ping uses the Internet Control Message Protocol (ICMP) to exchange messages with other systems. ICMP is also used to return error messages to sending systems. The User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP) are both transport layer protocols that carry application layer data; Ping does not use either one. The Internet Group Management Protocol (IGMP) is used to create multicast groups; Ping does not use it.
  188. B. The port numbers specified in a transport layer protocol header identify the application that generated the data in the packet or the application that will receive the data. Port numbers do not identify transport layer protocols, gateways, or proxy servers.
  189. B. The IANA assigns values for well-known port numbers. The IEEE publishes Ethernet standards, among many others. The IETF develops standards for Internet technologies. The ISO developed the Open Systems Interconnection (OSI) model.
  190. C. Port 80 is the default well-known port for HTTP. Port 22 is for the Secure Shell (SSH) protocol, port 20 is for File Transfer Protocol (FTP), and port 443 is for secured HTTP.
  191. D. The well-known port for HTTPS is 443. Port 25 is for the Simple Mail Transfer Protocol (SMTP), port 80 is for unsecured HTTP, and port 110 is for the Post Office Protocol (POP3).
  192. A. The Maximum Segment Size (MSS) field in the TCP Options subheader specifies the size (in bytes) of the largest segment a system can receive. The Window field indicates the amount of data (in bytes) that the receiver can accept. There are no MMS or WinMS fields in a TCP header.
  193. A. The term for an IPv4 address and port number in combination is socket. An Organizationally Unique Identifier (OUI) identifies a manufacturer of networking hardware. A well-known port is a port number assigned to a specific application. A network address is the network identifier part of an IP address. A domain is a group of computers and other resources.
  194. A, B. Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) are unusual in that they generate messages that are encapsulated directly within IP datagrams. Nearly all of the other TCP/IP protocols, including Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP), are encapsulated within one of the transport layer protocols—User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)—which is encapsulated in turn within an IP datagram.
  195. B. The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used for managing and accessing information stored in directory services. Remote Desktop Protocol (RDP) is used to establish a graphical remote control session with another computer. Simple Network Management Protocol (SNMP) is used to carry information gathered by management agents distributed around a network to a central management server. Server Message Block (SMB) is the primary file sharing protocol used by Windows systems.
  196. C, E. SMTP with TLS uses port number 587. POP3 over SSL uses port number 995. Port numbers 25 and 110 are used for SMTP and POP3 without encryption. Port number 995 is used for Internet Message Access Protocol (IMAP) over SSL.
  197. D. The port number 3389 is used by the Remote Desktop Protocol (RDP) and is not involved in SQL communication. Port 1433 is used by SQL Server; 1521 is used by SQLnet; 3306 is used by MySQL.
  198. B. Port number 514 is assigned to syslog, a Unix standard designed to facilitate the transmission of log entries generated by a device or process, such as the sendmail SMTP server, across an IP network to a message collector, called a syslog server. Port number 389 is assigned to the Lightweight Directory Access Protocol (LDAP). Port number 636 is assigned to LDAP over Secure Sockets Layer (SSL). Port number 993 is assigned to Internet Message Access Protocol (IMAP) over SSL.
  199. A. Hypertext Transfer Protocol (HTTP) is the primary protocol used for web client/server communications. Hypertext Markup Language (HTML) is a coding language used to create web content. Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP) can both be used in web communications, but neither is the primary protocol.
  200. C. The Domain Name System (DNS) is a protocol that computers on a TCP/IP network use to resolve host and domain names into the IP addresses they need to communicate. Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) are both IP address allocation protocols, and Simple Network Management Protocol (SNMP) carries information gathered by agents to a central management console.
  201. B, D. The term datagram is typically used by protocols offering connectionless delivery service. The two main connectionless protocols in the TCP/IP suite are the Internet Protocol (IP) and the User Datagram Protocol (UDP), both of which use the term datagram. Ethernet uses the term frame, and Transmission Control Protocol (TCP) uses segment.
  202. D. The default file sharing protocol used on all Windows operating systems is SMB. HTTP is the native protocol used by web clients and servers. NFS is the native file sharing protocol used on Unix/Linux networks. FTP is a protocol used for transferring files from one system to another. LDAP is a protocol for transmitting directory service information.
  203. A. The receiving host uses the ACK bit to notify the sending host that it has successfully received data. The other control bits are not used to acknowledge receipt of information.
  204. D. Two systems establishing a TCP connection exchange three messages before they begin transmitting data. The exchange of these synchronization messages is referred to as a three-way handshake. The other terms listed are not formally used to describe this exchange.
  205. C, D, E. Dynamic Host Configuration Protocol (DHCP) servers use port numbers 67 and 68. The Trivial File Transfer Protocol (TFTP) uses port number 69. Neither protocol uses port 65 or 66.
  206. B. TCP ports and UDP ports identify the application protocol or process that generated the information in a datagram. Client ports are chosen randomly from the range 1024 through 65,534. Server ports are well-known and are chosen from the range 1 through 1023.
  207. C. Ephemeral client ports are in the range of 49152 through 65535. Well-known TCP and UDP server ports are in the range of 1 through 1023. Registered port numbers are in the range of 1024 to 49151.
  208. A, D, E. UDP is a connectionless transport layer protocol. It has a small, 8-byte header and does not use packet sequencing or acknowledgments.
  209. A, C. FTP uses two ports: one for control messages (port 21) and one for data transfers (port 20). Port 23 is used by Telnet. Port 53 is used by the Domain Name System (DNS). Port 69 is used by the Trivial File Transfer Protocol (TFTP).
  210. C. The User Datagram Protocol (UDP) provides connectionless service at the transport layer. Transmission Control Protocol (TCP) provides connection-oriented service at the transport layer. Hypertext Transfer Protocol (HTTP) is an application layer protocol, and Address Resolution Protocol (ARP) is a data link layer protocol.
  211. D. Well-known TCP and UDP server ports are in the range of 1 through 1023. Registered port numbers are in the range of 1024 to 49151. Ephemeral client ports are in the range of 49152 through 65535.
  212. B, D. Ralph's traffic analysis should show the addition of the Simple Mail Transfer Protocol (SMTP), which handles incoming and outgoing Internet mail, and Internet Message Access Protocol (IMAP), which provides mailboxes for users that store their mail permanently on the server. POP3 is a mailbox protocol that enables users to download their messages and should therefore not be present on the network. SNMP is a network management protocol, and RIP is a routing protocol; neither of these carries email traffic.
  213. F. An ephemeral port number is a temporary port supplied by a client to a server, for use during a single session or transaction. The allowed ephemeral port number values range from 49152 to 65535. The port values below 1024 are reserved for use as well-known ports, and the values from 1024 to 49151 are reserved for ports registered by specific manufacturers for their applications. Of these answers, 50134 is the only value that the client can use as an ephemeral port.
  214. A. The Transmission Control Protocol (TCP) provides connection-oriented service at the transport layer, with guaranteed delivery. The User Datagram Protocol (UDP) provides connectionless service at the transport layer. Hypertext Transfer Protocol (HTTP) operates at the application layer, and Internet Protocol (IP) is a connectionless network layer protocol.
  215. A. ARP relies on broadcast transmissions, which are not routable. It is therefore limited to use on the local subnet. DHCP also relies on broadcasts, but the ability to create DHCP relay agents makes it usable on an entire internetwork. DNS and SMTP do not rely on broadcasts and are therefore not limited to the local subnet.
  216. B. No matter what protocol is used to encrypt a website, you must use the HTTPS:// prefix to access it. HTTP:// is for unencrypted sites, and TLS:// and HTLS:// are nonexistent prefixes.
  217. A, B. Using the prefix HTTPS:// causes a web browser to use a different port number to establish a secure connection to the web server. Security is provided by encrypting all data using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). However, SSL and TLS do not replace HTTP; they just augment it. The HTTPS:// prefix does not affect the IP address used to connect to the server.
  218. D. Because the administrative site is encrypted, you must use the HTTPS:// prefix to access it. Because the administrative site uses the nondefault port number 12354, you must append that number to the server name with a colon.
  219. A. Encapsulating Security Protocol (ESP) is a protocol in the TCP/IP suite that is capable of providing encryption services for IPsec. Authentication Header (AH) provides digital integrity services for IPsec, in the form of a digital signature. Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers. MSCHAP is an authentication protocol used by remote access services.
  220. B, C. Authentication Header (AH) is an IPsec protocol that provides authentication and digital integrity services. Encapsulating Security Protocol (ESP) provides encryption services for IPsec. Secure Shell (SSH) is a remote administration tool, and Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers.
  221. A. FTP does provide authentication capabilities, but passwords are transmitted over the network in clear text, which is an unacceptable security condition. FTPS adds security in the form of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. SFTP adds Secure Shell (SSH) security. File transfer speed and size limitations are not an issue.
  222. A. FTP provides authentication capabilities, but it transmits passwords over the network in clear text, which is an unacceptable security condition. FTPS adds security in the form of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. SFTP adds Secure Shell (SSH) security. Both of these encrypt authentication passwords before transmitting them. Trivial File Transfer Protocol (TFTP) does not authenticate clients, so it does not transmit passwords at all.
  223. D. Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that does not authenticate clients, so systems booting with PXE can download boot images invisibly after being directed to a TFTP server by the Dynamic Host Configuration Protocol (DHCP). FTP, FTPS, and SFTP all require authentication and other interaction, which would be impractical for use with PXE.
  224. C. Authentication Header (AH) is a protocol in the TCP/IP suite that provides digital integrity services, in the form of a digital signature, which ensures that an incoming packet actually originated from its stated source. Encapsulating Security Protocol (ESP) provides encryption services for IPsec. Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers. MSCHAP is an authentication protocol used by remote access services.
  225. A. Secure Sockets Layer (SSL) is the original security protocol for web servers and browsers and the predecessor of Transport Layer Security (TLS). Datagram Transport Layer Security (DTLS) is a protocol that provides the same encryption and other web server/browser security functions as TLS, but for User Datagram Protocol (UDP) traffic. Secure Shell (SSH) is a character-based tool that enables users to execute commands on remote computers. It does not provide web server or browser security.
  226. B. Secure Sockets Layer (SSL) is the original security protocol for web servers and browsers and the predecessor of TLS. It was deprecated in 2015. Secure Shell (SSH) is a character-based tool that enables users to execute commands on remote computers. It does not provide web server or browser security like TLS and DTLS. IPsec is a set of security protocols that provide digital signing, encryption, and other services for network transmissions. It is not specifically designed for web security. Remote Desktop Protocol (RDP) is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP is not a web security protocol.
  227. B, D. When a client sends a name resolution query to its DNS server, it uses a recursive request so that the server will take on the responsibility for resolving the name. The only other use of recursive requests is in the case of a forwarder, which is configured to pass that responsibility on to another server. All of the other queries issued by the client's server to the various domain authorities are iterative queries.
  228. A. Most wireless routers are designed to provide connecting workstations with IP addresses and other TCP/IP configuration parameters. Switches and bridges are data link layer devices, and hubs are physical layer devices, none of which are capable of providing clients with network layer IP addresses.
  229. A, E. DHCP and BOOTP are both designed to allocate IP addresses to hosts. The primary difference between the two is that DHCP is capable of dynamic allocation and BOOTP is not. DNS resolves hostnames into IP addresses, and ARP resolves IP addresses into data link layer hardware (or MAC) addresses. FTP is designed to transfer files between systems and has no role in IP address allocation.
  230. D. Like A and AAAA records, Pointer Records (PTRs) contain hostnames and IP addresses, but they are used for reverse name resolution—that is, resolving IP addresses into hostnames. A Mail Exchange (MX) record specifies the mail server that the domain should use. Canonical name (CNAME) records specify aliases for a given hostname. An AAAA resource record maps a hostname to an IPv6 address for name resolution purposes.
  231. A. Dynamic Host Configuration Protocol (DHCP) can dynamically allocate IP addresses to clients and reclaim them when their leases expire. Bootstrap Protocol (BOOTP) and Reverse Address Resolution Protocol (RARP) can allocate addresses automatically or manually, but they cannot reclaim them. DHCP and BOOTP both support relay agents.
  232. A, B, D, E. In a successful DHCP address allocation, the client issues DHCPDISCOVER broadcasts to locate servers, and the servers reply with DHCPOFFER messages containing addresses. Then, the client sends a DHCPREQUEST message to one server accepting an offered address, to which the server replies with a DHCPACK. DHCPNAK messages are only used in unsuccessful transactions, and DHCPRENEW, DHCPRELEASE, and DHCPINFORM messages are not used during the address allocation process.
  233. D, E. In a successful DHCP address renewal transaction, the client issues a DHCPREQUEST message, and the server replies with a DHCPACK. DHCPNAK messages are only used in unsuccessful transactions, and the other message types are not used during the address renewal process.
  234. A. Reverse Address Resolution Protocol (RARP), Bootstrap Protocol (BOOTP), and Dynamic Host Configuration Protocol (DHCP) are all protocols that are designed to allocate IP addresses to clients. Address Resolution Protocol (ARP), on the other hand, resolves existing IP addresses into data link layer MAC (or hardware) addresses.
  235. A. When a DNS server receives an iterative query, it responds immediately with the best information that it has available, or with an error message. It does not send queries to other servers.
  236. D. The client component of the Domain Name System (DNS) is called the resolver. Requestor is a generic term for any system issuing requests, and only DNS servers can be authorities or forwarders.
  237. C. The DNS Server Addresses parameter contains the addresses of servers that resolve domain names into IP addresses. Windows Internet Name Service (WINS) provides Network Basic Input/Output System (NetBIOS) name resolution. The Default Gateway parameter defines the local router to be used to access other networks. There is no such parameter as Subnet Gateway.
  238. C. Stable is not a DHCP allocation method. DHCP supports three allocation methods: manual, dynamic, and automatic.
  239. B. On a DHCP server, you create a scope that consists of a beginning and an ending IP address. Range, pool, and subnet are not technical terms for DHCP.
  240. B, D. DHCP clients cannot contact servers on different networks to initiate an address assignment. Clients locate DHCP servers by transmitting broadcast messages, and broadcasts are limited to the local network. Relay agents forward the broadcast messages to other networks, enabling the server to assign IP addresses to clients on other subnets. DHCP does not require special licenses. DHCP uses User Datagram Protocol (UDP) transmissions, not TCP.
  241. C. An AAAA resource record maps a hostname to an IPv6 address for name resolution purposes. A Mail Exchange (MX) record specifies the mail server that the domain should use. Pointer Records (PTRs) also contain hostnames and IP addresses, but they are used for reverse name resolution—that is, resolving IP addresses into hostnames. Canonical name (CNAME) records specify aliases for a given hostname.
  242. B. A canonical name (CNAME) resource record specifies an alternative host name (or alias) for a system already registered in the DNS. By creating a CNAME record specifying the www name, the server can be addressed using either NE6 or www. Creating an additional A resource record will cause the server to be recognized using one name or the other, but not both. Modifying the existing A record will change the hostname. PTR resource records are used only for reverse name resolution.
  243. A. The Router option specifies the addresses of routers on the local network, including the default gateway router. The Time Server option specifies the addresses of servers that provide time signals to the network. The Name Server option specifies the addresses of up to 10 name resolution servers (other than DNS servers) on the network. The LPR Server option specifies the addresses of line printer servers on the network.
  244. B. DHCP clients use broadcasts to transmit DHCPDISCOVER messages on the local network. DHCP servers are then required to respond to the broadcasts. DHCP clients cannot use unicast, multicast, or anycast messages to initiate contact with DHCP servers, because they have no way of learning their addresses.
  245. A. The Name Server (NS) resource record identifies the authoritative name servers for a particular DNS zone. Pointer Records (PTRs) are used to resolve IP addresses into hostnames. Mail Exchange (MX) records identify the mail servers for a particular domain. Service Records (SRVs) identify the designated servers for a particular application. The Start of Authority (SOA) record indicates the delegation of a domain's administrative control from its parent domain. A Text (TXT) record associates administrator-supplied text with a zone but performs no other function.
  246. C. On a DHCP server, a reservation is a permanent IP address assignment to a specific MAC address. A scope is a range of IP addresses to be allocated to clients. An exclusion is a range of IP addresses that is to be excluded from a scope. A relay is a component that routes DHCP traffic between networks.
  247. B. Dynamic allocation enables a Dynamic Host Configuration Protocol (DHCP) server to lease IP addresses to clients for a specific time interval. When the lease period expires, the client can renew it, if it is still using the address. If the address is no longer in use when the lease expires, it is returned to the scope of available leases for reallocation. Automatic allocation permanently assigns an IP address from the scope to a client. Manual and static allocation are two terms that describe the allocation of a specific IP address to a specific client.
  248. B. Dynamic DNS (DDNS) is an addition to the DNS standards that eliminates the need for administrators to manually create certain DNS resource records. For example, when a DHCP server allocates an address to a client, DDNS creates a host (A) record containing the hostname of the client and the newly allocated IP address. Reverse name resolution is the process of looking up hostnames based on IP addresses. Automatic allocation is a DHCP process by which IP addresses are permanently assigned to clients. HOSTS is a text-based name resolution method that predates DNS.
  249. C. IP address management (IPAM) is a system for planning, managing, and monitoring the IP address space for an entire enterprise network. IPAM provides links between the Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS) so that each is aware of the naming and addressing changes made by the other. DHCPv6 is an IPv6 version of the DHCP service, which enables it to allocate IPv6 addresses to network clients. HOSTS is a text-based name resolution method for individual systems that predates DNS. Automatic Private IP Addressing (APIPA) is the mechanism that enables a DHCP client to assign itself an address when no DHCP servers are accessible.
  250. D. The term stratum, plus an integer, describes how far an NTP server is from its reference clock, counted in synchronization hops through the NTP server hierarchy. Stratum 0 represents an atomic clock, GPS receiver, or other precision timekeeping device. Stratum 1 represents an NTP server directly connected to and synchronized with a Stratum 0 device. Stratum 2 is a server synchronized to a Stratum 1 server, and so on; a lower stratum indicates proximity to the reference clock, not a guarantee of accuracy. Layer, path, and iteration are not technical terms used by NTP.
  251. D. The Network Time Protocol (NTP) is used to synchronize computer clocks. Time signals can be provided by internal servers or time servers on the Internet. The Trivial File Transfer Protocol (TFTP) is used to transfer files between systems without authentication. The Hypertext Transfer Protocol (HTTP) is used to exchange web traffic between clients and servers. The Simple Mail Transfer Protocol (SMTP) is used to transmit email traffic between clients and servers.
  252. D. Of the labels in www.paris.mydomain.org, org is the highest in the DNS hierarchy (directly beneath the unnamed root): it is a top-level domain. mydomain is a second-level domain registered by a particular organization, paris is a subdomain within mydomain, and www is the name of a particular host in the paris.mydomain.org domain.
  253. B. The Default IP Time-to-Live (TTL) option specifies the maximum number of seconds or hops allowed to an IP datagram before a router removes it from the network. This prevents datagrams from circulating endlessly. The Interface Maximum Transmission Unit (MTU) option specifies the maximum size of an IP datagram. The Address Resolution Protocol (ARP) cache timeout specifies how long entries containing the IP address assigned by the server can remain in the cache maintained by a client's ARP implementation. The Transmission Control Protocol (TCP) keepalive interval option specifies the number of seconds that the client should wait before transmitting a keepalive message over a TCP connection.
  254. B, C. The external DNS server should contain records only for the resources that must be accessible from the Internet, such as web servers and public email servers. For security reasons, servers containing sensitive data, such as database servers and domain controllers, should be registered on the internal DNS server.
  255. B. When there are no IP addresses available for lease in a DHCP scope, Automatic Private IP Addressing (APIPA) takes over, and the system self-assigns an address on the 169.254.0.0/16 network. Clients are not assigned a 0.0.0.0 address, nor are their requests forwarded to another DHCP server. Sharing IP addresses is not possible on a TCP/IP network.
  256. B. Decreasing the lease time for the scope will cause abandoned IP addresses to be returned to the scope for reallocation more quickly, which would lessen the chances of exhausting the scope. Increasing the lease time will make scope exhaustion more likely. Installing another DHCP server or creating another scope will have no effect, because the limitation is the number of addresses allocated for the subnet.
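The following simulation, added here as an illustration and not part of the original answer key, ties answers 246, 247, 255, and 256 together: a small scope with one exclusion and one reservation, leases that active clients renew at T1 (half the lease interval), and transient clients that leave without releasing their address. The network, MAC addresses, and timings are constructed for the example, and the APIPA fallback is simplified to a deterministic address rather than the random pick and ARP probe a real client performs.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class Lease:
    mac: str
    expires: int            # absolute time, in seconds


class DhcpScope:
    """A DHCP scope: a pool of addresses leased for a fixed interval, with
    optional exclusions (never leased) and reservations (MAC -> fixed address)."""

    def __init__(self, network, lease_seconds, exclusions=(), reservations=None):
        excluded = {ipaddress.ip_address(a) for a in exclusions}
        self.reservations = {m: ipaddress.ip_address(a)
                             for m, a in (reservations or {}).items()}
        reserved = set(self.reservations.values())
        self.pool = [a for a in ipaddress.ip_network(network).hosts()
                     if a not in excluded and a not in reserved]
        self.lease_seconds = lease_seconds
        self.leases = {}    # address -> Lease

    def reclaim_expired(self, now):
        """Expiry is the only way an abandoned (never released) address returns to the pool."""
        for addr in [a for a, lease in self.leases.items() if lease.expires <= now]:
            del self.leases[addr]

    def request(self, mac, now):
        """Handle a client's DISCOVER/REQUEST: honour a reservation, renew an existing
        lease, or allocate a free address. Returns None when the scope is exhausted."""
        self.reclaim_expired(now)
        if mac in self.reservations:
            return self.reservations[mac]
        for addr, lease in self.leases.items():
            if lease.mac == mac:
                lease.expires = now + self.lease_seconds      # renewal keeps the address
                return addr
        for addr in self.pool:
            if addr not in self.leases:
                self.leases[addr] = Lease(mac, now + self.lease_seconds)
                return addr
        return None


def apipa_address(mac):
    """What a client does when no lease is offered: self-assign a 169.254.0.0/16 address.
    Real APIPA picks a random host part and ARP-probes it; deriving it from the MAC
    here only keeps the example deterministic (assumption, not real client behaviour)."""
    h = int.from_bytes(hashlib.sha256(mac.encode()).digest()[:2], "big")
    return APIPA_NET[256 + h % (65024 - 256)]   # skip the reserved first and last /24


def simulate(lease_seconds, n_clients=40, interval=60, session=480):
    """Transient clients arrive every `interval` s, stay `session` s, renew at T1
    (half the lease) while present, and leave without releasing their address.
    Returns how many clients found the scope exhausted and fell back to APIPA."""
    scope = DhcpScope("192.168.10.0/28", lease_seconds,
                      exclusions=["192.168.10.1"],                           # the router
                      reservations={"aa:bb:cc:00:00:01": "192.168.10.14"})   # a printer
    arrival = {f"02:00:00:00:00:{i:02x}": i * interval for i in range(n_clients)}
    addr_of, fallback = {}, []
    t1 = max(lease_seconds // 2, 1)
    for now in range(n_clients * interval + session + 1):
        for mac, t0 in arrival.items():
            if not t0 <= now < t0 + session:
                continue
            if now == t0:
                addr_of[mac] = scope.request(mac, now)
                if addr_of[mac] is None:
                    fallback.append((mac, apipa_address(mac)))
            elif addr_of[mac] is not None and (now - t0) % t1 == 0:
                scope.request(mac, now)                                  # renewal at T1
    return len(fallback)
```

The scope holds 12 leasable addresses (14 hosts in the /28 minus the excluded router and the reserved printer). With an eight-hour lease the first 12 transient clients hold every address until they expire, and all 28 later clients fall back to 169.254.0.0/16; with a lease only slightly longer than a session, expired leases return to the pool fast enough that nobody is refused. A second DHCP server would not help, because it would be handing out the same 12 addresses.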
  257. A, B, D. DHCP relay, UDP forwarding, and IP helper are all router mechanisms that perform the same task, forwarding broadcast messages on one subnet to a specific IP address on another subnet as a unicast message. This enables DHCP clients to contact DHCP servers on another subnet to obtain IP addresses. Zone transfer is a DNS zone replication mechanism not used by DHCP clients or servers.
  258. D. A zone transfer is a client/server transaction between two DNS servers in which one server requests a copy of the other server's entire zone database, to update its own. None of the other options are used for DNS database replication. Multi-master replication is a technique that enables two systems to exchange database information as needed to update each other. UDP forwarding is a router mechanism used by DHCP to forward broadcast messages on one subnet to a specific IP address on another subnet. An iterative query is a type of DNS message that transfers responsibility for a name lookup to another server.
  259. A, C. iSCSI runs on a standard IP network, and Fibre Channel over Ethernet (FCoE) runs on a standard Ethernet network. Both of these protocols can share a network with LAN traffic, although the use of a Quality of Service (QoS) mechanism is usually recommended. Fibre Channel and InfiniBand both require a dedicated network medium that does not support LAN traffic.
  260. C. Voice over Internet Protocol (VoIP) is a technology for the transmission of voice communications over IP networks; it is not a SAN protocol. Internet Small Computer Systems Interface (iSCSI), Fibre Channel over Ethernet (FCoE), and Fibre Channel are all SAN protocols.
  261. E. The Internet Storage Name Service (iSNS) is an application that provides iSCSI initiators with automated discovery of targets located on the network. iSNS can also function as a discovery service for Fibre Channel devices. Active Directory, Internet Control Message Protocol (ICMP), and Domain Name System (DNS) are not capable of registering iSCSI targets. iWINS does not exist.
  262. D. The current Fibre Channel standard calls for a maximum data transfer rate of 128 gigabits per second (Gbps), for a nominal throughput of 12,800 megabytes per second (MBps).
  263. B. A NAS device is essentially a file server that connects to a network and provides users with access to shared files. A NAS is a single computer, so it cannot be associated with failover clustering. Just a Bunch of Disks (JBOD) is a simple storage array that provides block-level access to data, whereas NAS devices provide file-level access. Redundant Array of Independent Disks (RAID) is a fault tolerance technology that might be implemented in NAS devices, but it is not the device's primary function.
  264. A, D. NAS devices are self-contained file servers that connect directly to a standard IP network. A NAS device provides file-level access to its storage devices and includes an operating system and a filesystem. NAS devices are typically not iSCSI targets.
  265. A, B, D. Because it uses standard Ethernet hardware, Fibre Channel over Ethernet (FCoE) is far less expensive to implement than Fibre Channel, which requires a dedicated fiber-optic network. Because Fibre Channel requires a dedicated network, it cannot coexist with standard IP traffic, whereas FCoE can. Because it is encapsulated in Ethernet frames, FCoE is not routable on IP networks.
  266. A, B, D. Common Internet File System (CIFS), Network File System (NFS), and Hypertext Transfer Protocol (HTTP) are all file sharing protocols supported by many NAS devices. Remote Direct Memory Access (RDMA) provides high-speed network data transfers, but it is not an application layer file sharing protocol.
  267. C. iSCSI does not include its own flow control mechanism. It runs over a TCP connection, which is the protocol responsible for flow control. Because it runs on any IP network, iSCSI traffic is routable, and it is less expensive to implement. Fibre Channel requires a dedicated network using fiber-optic cable. iSCSI traffic can coexist with standard LAN traffic on a single network, although some type of Quality of Service (QoS) mechanism is frequently recommended.
  268. A. InfiniBand is a high-end storage and interconnect technology; its original single data rate (SDR) links carried 2.5 Gbps per lane, and later generations are many times faster. It provides scalable support for up to 64,000 devices and is primarily used in high performance computing environments to replace older bus technologies connecting CPUs to storage arrays. Fibre Channel, Internet Small Computer System Interface (iSCSI), and Fibre Channel over Ethernet (FCoE) are all SAN technologies, but they are more commonly used in Local Area Network (LAN) environments.
  269. A. The client side of an iSCSI implementation is called an initiator. The storage device to which the initiator connects is called a target. Controller and adapter are not terms used for iSCSI clients or servers.
  270. A, B, C. iSCSI runs on a standard IP network; therefore, iSCSI messages are encapsulated using Transmission Control Protocol (TCP) at the transport layer, Internet Protocol (IP) at the network layer, and Ethernet at the data link layer. iSCSI does not use the User Datagram Protocol (UDP).
  271. E. The Fibre Channel standard defines a unique, five-layer protocol stack that does not correspond to the OSI model layers. Therefore, Fibre Channel does not use Ethernet, nor does it use Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), or any of the other TCP/IP protocols.
  272. B. The Fibre Channel standard defines a five-layer networking stack, with layers numbered FC-0 to FC-4, that does not correspond to the layers of the OSI model. Internet Small Computer System Interface (iSCSI), Point-to-Point Protocol (PPP), and Remote Direct Memory Access (RDMA) all function within the standard OSI model layers.
  273. A. Fibre Channel over Ethernet (FCoE) uses Ethernet frames in place of the bottom two layers (FC0 and FC1) of the Fibre Channel protocol stack. The remaining layers (FC2, FC3, and FC4) use the standard Fibre Channel protocols. FCoE does not use Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), or any of the other TCP/IP protocols.
  274. A. Ethernet uses jumbo frames to transfer large amounts of data more efficiently. On a packet-switched network, each packet requires header data, which adds to the network's transmission overhead. Splitting large files into a great many small packets can lead to so much overhead that network efficiency is impaired. Standard Ethernet limits the payload of a frame (the MTU) to 1500 bytes, but jumbo frames enable Ethernet systems to carry up to 9000 bytes of payload per frame; every switch and interface along the path must be configured for the same jumbo MTU, or the larger frames are dropped. Frames are data link layer protocol data units, so Internet Protocol (IP), operating at the network layer, is not involved in creating them. Fibre Channel has its own frame format and does not use Ethernet jumbo frames, and iSCSI is a storage protocol carried inside TCP/IP; iSCSI traffic on an Ethernet network can benefit from jumbo frames, but the frame size is a property of the Ethernet network, not of iSCSI itself.
  275. B. The three-tier hierarchical architecture for datacenters consists of core, distribution, and access layers. The access layer in a datacenter contains servers, the distribution layer contains redundant switch connections, and the core layer provides high-speed transport between the switches. There is no intermediate layer in the architecture.
  276. C. The leaf and spine topology uses a full mesh between its two layers of switches: every leaf connects to every spine. This is more expensive than the three-tier topology, but it reduces latency by requiring the same number of hops in the path between any two leaf switches, and therefore between any two servers. The use of software-defined networking provides adaptive path determination without the use of the Spanning Tree Protocol (STP) for layer 2 port blocking.
  277. C. East-west traffic describes traffic flow within the datacenter, while north-south is traffic between devices inside the datacenter and outside devices. The terms east-west and north-south do not pertain to the OSI model layers or to specific devices used.
  278. A. In a typical datacenter topology, racks contain servers that implement applications. A leaf switch at the top of the rack connects the servers in the rack together and also connects to a spine switch that links to the rest of the datacenter. The top-of-rack switches are not classified as backbone, spine, or core devices.
  279. C. In an SDN architecture, the application layer is software, that is, the applications and services running on the network; the control layer is a centralized console through which administrators manage the applications; and the infrastructure layer consists of the switch and router hardware. Core is not one of the SDN layers.
  280. E. The RFC 7426 document defines five planes in the SDN architecture: forwarding, operational, control, management, and application. Infrastructure is not one of the SDN planes.
  281. B, F. In a colocated datacenter, a client houses its own servers and other hardware in a shared third-party facility. Therefore, Ralph's company would own the hardware in a branch office or colocated datacenter. A datacenter in a public cloud is easier to expand than the other options because it is simply a matter of creating additional virtual devices. A colocated datacenter would be less expensive to implement than a branch office datacenter, but the public cloud option would require the smallest initial outlay. The administrators would set up and manage the hardware in a branch office or colocated datacenter, but not in a public cloud datacenter. In a colocated datacenter, Ralph's company would share utility costs with other tenants. A public cloud facility is not necessarily more secure.
  282. A. The Infrastructure as a Service (IaaS) model provides consumers with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server installed by the provider. Software as a Service (SaaS) provides consumers with access to specific applications running on the provider's servers. Desktop as a Service (DaaS) provides remote virtualization of the entire workstation desktop, instead of a single application.
  283. C. The Software as a Service (SaaS) model provides consumers with access to a specific application running on the provider's servers. Infrastructure as a Service (IaaS) provides the consumers with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server installed by the provider. Desktop as a Service (DaaS) provides remote virtualization of the entire workstation desktop, instead of a single application.
  284. A. The Infrastructure as a Service (IaaS) model provides the consumers with the most control, as the provider furnishes processing, storage, and networking resources that the consumer can use as needed. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server furnished by the provider, but they have only limited control over the server and no control over the underlying resources. Software as a Service (SaaS) and Desktop as a Service (DaaS) provide consumers with access to a specific application or an entire desktop environment running on the provider's servers, but the consumers have no control over the operating system, the servers, or the underlying resources.
  285. A, D. Infrastructure as a Service (IaaS) provides consumers like Alice with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. In the public cloud model, one organization or user functions as the provider, and another organization or user—in this case, Alice—consumes the services of the provider.

    Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server furnished by the provider. Software as a Service (SaaS) provides consumers with access to a specific application running on the provider's servers. In a private cloud, the same organization that utilizes the cloud services is also the sole owner of the infrastructure that provides those services. A hybrid cloud is a combination of public and private infrastructure so that the consumer organization is only a partial owner of the infrastructure. A community cloud is a private cloud variant intended for specific business communities, such as the medical or legal fields.

  286. B. In a private cloud, the same organization that utilizes the cloud services can also be the sole owner of the infrastructure that provides those services. A private cloud can also be owned by a third party, all or in part. In the public cloud model, one organization functions as the provider, and another organization consumes the services of the provider. A hybrid cloud is a combination of public and private infrastructure so that the consumer organization is only a partial owner of the infrastructure. There is no such thing as an ad hoc cloud model.
  287. B. Cloud bursting is a common term for the offloading of excess traffic from private to public cloud resources when necessary to maintain satisfactory performance levels.
  288. C. Software as a Service (SaaS) provides consumers with access to a specific application running on the provider's servers (in this case, an email service). Consumers have control over some of their email functions, but they have no control over the operating system, the servers, or the underlying resources. The Infrastructure as a Service (IaaS) model provides the consumers with access to processing, storage, and networking resources that the consumer can use as needed. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server furnished by the provider. Desktop as a Service (DaaS) provides remote virtualization of the entire workstation desktop, instead of a single application.
  289. C. A hybrid cloud consists of both public and private resources. One of its main advantages is that administrators can move services from private to public cloud servers and back again as needed, depending on the current workload. Public cloud resources require authentication, so while they might be less secure than a private cloud, they are not inherently insecure. The term private cloud refers to hardware resources that are owned and operated either by a single organization or a third party, regardless of their location. The various cloud delivery models do not impose specific hardware resource requirements.
  290. B. The Platform as a Service (PaaS) model provides consumers with the ability to install applications of their choice on a server furnished by the provider. Infrastructure as a Service (IaaS) provides the consumers with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. Software as a Service (SaaS) provides consumers with access to a specific application running on the provider's servers. Desktop as a Service (DaaS) provides remote virtualization of the entire workstation desktop, instead of a single application.
  291. A, B, C. Multitenancy is a software architecture in which multiple tenants share a single instance of an application running in the cloud. Because tenants share a single application, there is a chance that data could be compromised. Because a single application instance is running in the cloud, the operational overhead is reduced compared to the use of individual virtual machines. Tenants share a finite amount of bandwidth, so the possibility exists for competition to occur, such as when one tenant is the target of a Denial of Service (DoS) attack. Multitenancy does not call for tenants to have individual virtual machines.
  292. D. Infrastructure as Code (IaC) is a method of deploying and configuring cloud-based resources using script files. IaC deployment provides time and cost savings and improved elasticity and scalability by automating the virtual machine deployment process and also ensures a consistent deployment by using the same script for all newly deployed VMs. IaC does not encrypt the virtual machine configuration.
  293. C. A cloud direct connection is a private link between the client's private network and the cloud service provider. This link is independent from any ISP connection used by the client organization for other traffic, so it ensures a consistent bandwidth for the hybrid cloud network. Using a different ISP or a leased line does not replace the entire connection; there are still potential bottlenecks. A VPN can provide better performance than a standard connection and greater security, but it is not as consistent (or as expensive) as a direct cloud connection.

Chapter 2: Network Implementations

  1. D. Radio-frequency identification (RFID) uses tags containing data, frequently embedded in pets, which can be read using electromagnetic fields. Z-wave is a short-range wireless technology, frequently used for home automation. Bluetooth is a short-range wireless protocol, frequently used for computer peripherals and Personal Area Networks (PANs). Near-field communication (NFC) provides wireless communication over ranges of 4 cm or less, and it is often used for payment systems.
  2. A. A key fob that unlocks your car is typically a short-range radio or infrared device that does not use the Internet for its communications. Each of the other examples describes a device with an IP address that uses the Internet to communicate with a controller or monitoring station.
  3. D. A WAP is a device with a wireless transceiver that also connects to a standard cabled network. Wireless computers communicate with the WAP, which forwards their transmissions over the network cable. This is called an infrastructure topology. A star or bus network requires the computers to be physically connected to the network cable, and an ad hoc topology is one in which wireless computers communicate directly with one another.
  4. C. The best choice is to replace the hubs with switches, since the network is relatively small, and cost is an issue. On the existing network, all users share the same 100 Mbps communication channel, and each computer must take turns transmitting. By replacing the hubs with switches, you provide each computer with a dedicated 100 Mbps connection to the switch, while reducing unnecessary traffic and collisions on the network. There is no such thing as a dedicated hub. Splitting the network into two routed LANs is not the best solution, because all users must share information on a constant basis. Also, cost is a factor, and routers are more expensive than switches. Replacing the hubs with a layer 3 switch and defining two VLANs with 20 users each is not a reasonable solution, because layer 3 switches are very expensive.
  5. B. A bridge can split a single network into two collision domains, because it forwards only the packets that are destined for the other side of the bridge. The bridge forwards all broadcast packets, so it maintains a single broadcast domain. A hub maintains a single collision domain and a single broadcast domain. A switch creates a separate collision domain for each port, and a single broadcast domain for the entire network. A router creates two collision domains, but it does not forward broadcasts, so there are two broadcast domains as well. A repeater is a physical layer device that amplifies signals; it does not affect collision domains.
  6. C, E. Broadband routers generally do not function as proxy servers, which are application layer devices used to regulate access to the Internet. They are also typically not Virtual Private Network (VPN) headends, which enable multiple remote VPN clients to connect to the network. Many broadband routers are also WAPs, enabling users to construct a LAN without a complicated and expensive cable installation. Many broadband routers have switched ports for connections to wired devices, such as printers and computers. Most broadband routers use DHCP to assign IP addresses to devices on the private network.
  7. B, C. A repeater is a physical layer device that amplifies the signals entering it and transmits them again. A hub is a physical layer device that propagates incoming signals out through all of its ports. Switches and routers have physical layer elements but are primarily data link and network layer devices, respectively.
  8. C. A modem (modulator/demodulator) is any device that converts analog signals to digital signals and digital signals back to analog signals. The digital device does not have to be a computer, and the analog device does not have to be the PSTN. There are many devices that are incorrectly referred to as modems, such as devices that connect a digital LAN to a digital WAN or all-digital devices that connect computers to the Internet.
  9. C. Replacing routers with switches turns an internetwork into a single large subnet, and VLANs exist as logical elements on top of the switching fabric. Although VLANs are the functional equivalent of network layer subnets, the systems in a single VLAN are still connected by switches, not routers. Bridges connect network segments at the data link layer and selectively forward traffic between the segments. However, bridges do not provide a dedicated connection between two systems like a switch does, and they do not make it possible to convert a large, routed internetwork into a single switched network. Therefore, they have no role in implementing VLANs. Hubs are physical layer devices that propagate all incoming traffic out through all of their ports. Replacing the routers on an internetwork with hubs would create a single shared network with huge amounts of traffic and collisions. Hubs, therefore, do not connect the computers in a VLAN.
  10. A. A firewall is a filter that can prevent dangerous traffic originating on one network from passing through to another network. A device that connects two networks together and forwards traffic between them is a router, not a firewall. A device that enables internal network clients with private IP addresses to access the Internet is a description of a NAT router or a proxy server, not a firewall. A device that caches Internet data is a proxy server or caching engine, not a firewall.
  11. B. Service-dependent filtering blocks traffic based on the port numbers specified in the transport layer header fields. Because port numbers represent specific applications, you can use them to prevent traffic generated by these applications from reaching a network. IP address filtering operates at the network layer. DPI scans the contents of packets, rather than their headers. NGFW defines a device with advanced protection capabilities; port number scanning is a basic firewall function.
  12. A. A repeater is a physical layer device that regenerates incoming signals and retransmits them. A hub is a type of repeater that receives data through any one of its multiple ports and retransmits the data out through all of its other ports. Bridges and switches are data link layer devices, and routers are network layer devices. None of these three can be described as multiport repeaters.
  13. C. Source route bridging was a technique used on Token Ring (and not Ethernet) networks, in which a Routing Information Field (RIF) in the packet header identified the network segments the packet should follow to reach its destination. Store and forward, transparent, and multiport bridges have all been used on Ethernet networks.
  14. C, D. Most operating systems are capable of functioning as routers or firewalls. To route traffic, the system must have two network connections. A software firewall can be part of a computer's routing functionality, or it can be a stand-alone firewall that protects only the local system. A computer with a standard network adapter cannot function as a hub or switch, because those devices need many ports and the adapter implements neither function (a multi-NIC host running a software bridge is a special case, not the typical configuration).
  15. D. Service-dependent filtering blocks traffic based on the port numbers specified in the transport layer header fields. Because port numbers represent specific applications, you can use them to prevent traffic generated by these applications from reaching a network. IP address filtering enables you to limit network access to specific computers; it is not service dependent. Filtering based on hardware addresses provides the same basic functionality as IP address filtering, but it is more difficult to spoof hardware addresses than IP addresses. Filtering by protocol identifier enables you to block all traffic using TCP or UDP; it is not service dependent.
  16. C. A personal firewall is an inexpensive way to protect an individual computer from Internet incursions. Installing a hardware firewall is a complex and expensive solution, not suitable for a small network. An IPS is a relatively expensive solution, suitable for larger networks. An IDS is also expensive, and connecting it to a switched port would not enable it to protect the other computers on the network. A port scanner is a device that performs scans on demand. It does not continuously monitor ports, and it does nothing to protect them.
  17. B, C. Hubs operate at the physical layer and switches at the data link layer. Hubs and switches both create a single broadcast domain for all of the connected devices. Switches create a separate collision domain for each connected device, whereas hubs create a single collision domain. There are switches (but not hubs) with network layer (layer 3) functionality.
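The rules in answers 5 and 17 (physical layer devices extend a shared medium, data link devices split collision domains but forward broadcasts, routers split both) can be checked mechanically. The following script is an added example, not part of the original answer key: it models a topology as cable segments joined by devices and counts domains with a union-find over the segments. The device names and topologies are constructed for the example.

```python
from collections import defaultdict

PHYSICAL = {"hub", "repeater"}      # extend a shared medium: merge collision and broadcast domains
DATA_LINK = {"bridge", "switch"}    # one collision domain per port, but broadcasts are forwarded
NETWORK = {"router"}                # terminate both collision and broadcast domains
ENDPOINT = {"host"}


class Topology:
    """Devices joined by links; each link is one cable segment."""

    def __init__(self):
        self.kind = {}          # device name -> device type
        self.links = []         # (device_a, device_b)

    def add(self, name, kind):
        if kind not in PHYSICAL | DATA_LINK | NETWORK | ENDPOINT:
            raise ValueError(f"unknown device type {kind!r}")
        self.kind[name] = kind

    def link(self, a, b):
        self.links.append((a, b))

    def _count(self, merging_kinds):
        """Union-find over cable segments: a device of a merging kind joins every
        segment attached to it into one domain; any other device keeps them apart."""
        parent = list(range(len(self.links)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]
                i = parent[i]
            return i

        attached = defaultdict(list)
        for idx, (a, b) in enumerate(self.links):
            attached[a].append(idx)
            attached[b].append(idx)
        for dev, idxs in attached.items():
            if self.kind[dev] in merging_kinds:
                for other in idxs[1:]:
                    parent[find(other)] = find(idxs[0])
        return len({find(i) for i in range(len(self.links))})

    def collision_domains(self):
        return self._count(PHYSICAL)

    def broadcast_domains(self):
        return self._count(PHYSICAL | DATA_LINK)


def two_hub_network(middle):
    """Hosts A and B on one hub, C and D on another, joined by a `middle` device
    (hub, bridge, switch or router): the scenario behind answer 5."""
    t = Topology()
    for h in "ABCD":
        t.add(h, "host")
    t.add("hub1", "hub")
    t.add("hub2", "hub")
    t.add("mid", middle)
    for host, hub in (("A", "hub1"), ("B", "hub1"), ("C", "hub2"), ("D", "hub2")):
        t.link(host, hub)
    t.link("hub1", "mid")
    t.link("mid", "hub2")
    return t


def star_network(center, n_hosts=4):
    """n hosts each cabled to one central device: the scenario behind answer 17."""
    t = Topology()
    t.add("center", center)
    for i in range(n_hosts):
        t.add(f"H{i}", "host")
        t.link(f"H{i}", "center")
    return t
```

A bridge or switch in the middle gives two collision domains and one broadcast domain, a router gives two of each, and a hub collapses everything into one of each; four hosts on a switch give four collision domains and one broadcast domain, while the same hosts on a hub share a single domain of both kinds.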
  18. A, C. STP disables redundant links between switches that can allow packets to circulate endlessly around the network. This is called a bridging loop. As a result of a bridging loop, the network can be flooded with broadcast traffic, which is called a broadcast storm. STP does nothing to prevent late collisions, which is an Ethernet timing problem, or crosstalk, which is a cabling fault.
  19. B, C. A switch is essentially a multiport bridge. Both switches and bridges process incoming packets by scanning their data link layer hardware addresses and forwarding the packets out the port connected to the destination system. The primary difference between them is that switches have many ports, whereas bridges have only two. Hubs and routers are physical layer and network layer devices, respectively, and perform different functions.
  20. B. The five functional levels in a distributed control system such as SCADA are field level, direct control, plant supervisory, production control, and production scheduling. Remote access is not one of the levels.
  21. A. Cut-through switches are fast, because they look at only the first six bytes (the destination Media Access Control, or MAC, address) when forwarding a frame. They do not perform a cyclic redundancy check (CRC) on the entire frame's contents prior to forwarding it out a port leading to the destination, so a corrupted frame is already on its way before the error is detected. Source route is a bridging technique in which the source host, not the switch, determines the path a frame will take through a network to reach a destination. Store-and-forward switches take in the entire frame and verify its contents by performing a CRC calculation before forwarding it. There is no switch called a destination switch.
  22. B. Switches use Media Access Control (MAC) addresses to identify the ports associated with specific hosts. The switch reads the destination MAC address from each incoming packet and forwards it out through the port associated with that address. Switches are data link layer devices, so they do not use IP addresses or DNS names to forward packets. The Maximum Transmission Unit (MTU) value specifies the maximum size of data link layer frames; the switch does not use it to forward packets.
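The behaviour described in answers 19, 21, and 22 (learning source MACs, forwarding known unicasts out one port, flooding unknown ones, and the difference a frame check sequence makes between cut-through and store-and-forward operation) is shown in the following added example, which is not part of the original answer key. The MAC addresses come from the documentation range, the frame builder uses zlib's CRC-32 as a stand-in for the Ethernet FCS (same polynomial; wire bit ordering is not modelled), and the exchange is constructed for the example.

```python
import zlib

BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload, ethertype=0x0800):
    """Ethernet II frame: dst MAC, src MAC, EtherType, payload, 4-byte FCS."""
    body = mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


class LearningSwitch:
    """Multiport transparent bridge: learns source MACs per port, forwards known
    unicasts out one port, floods unknown unicasts and broadcasts out all others."""

    def __init__(self, ports, mode="store-and-forward"):
        if mode not in ("store-and-forward", "cut-through"):
            raise ValueError(mode)
        self.ports = list(ports)
        self.mode = mode
        self.table = {}         # MAC (bytes) -> port the address was last seen on

    def receive(self, in_port, frame):
        """Process one incoming frame; returns the list of (port, frame) transmitted."""
        if self.mode == "store-and-forward" and not fcs_ok(frame):
            return []           # whole frame buffered and verified; a corrupt frame is dropped
        # A cut-through switch has read only the first six bytes (the destination) when
        # it picks the output port and starts transmitting, so a bad FCS is discovered
        # only after the frame is already on its way: it forwards the corrupt frame.
        dst, src = frame[:6], frame[6:12]
        self.table[src] = in_port                       # learning
        if dst == BROADCAST or dst not in self.table:
            out_ports = [p for p in self.ports if p != in_port]     # flood
        elif self.table[dst] == in_port:
            out_ports = []                              # destination is on the source segment: filter
        else:
            out_ports = [self.table[dst]]               # forward to the learned port only
        return [(p, frame) for p in out_ports]


def exchange(mode):
    """A (port 1) talks to B (port 2, unknown at first), B replies, then A's next
    frame suffers bit errors in transit. Returns the ports each frame went out on."""
    sw = LearningSwitch([1, 2, 3, 4], mode)
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    first = build_frame(b, a, b"hello")
    reply = build_frame(a, b, b"hello back")
    damaged = bytearray(build_frame(b, a, b"second"))
    damaged[15] ^= 0xFF                                 # corrupt one payload byte
    return {
        "first": sorted(p for p, _ in sw.receive(1, first)),
        "reply": sorted(p for p, _ in sw.receive(2, reply)),
        "damaged": sorted(p for p, _ in sw.receive(1, bytes(damaged))),
        "table": {mac_str(k): v for k, v in sw.table.items()},
    }
```

The first frame is flooded to ports 2, 3, and 4 because B is unknown; B's reply goes only to port 1 because A has been learned; the damaged frame is dropped by the store-and-forward switch but delivered to port 2 by the cut-through switch, which is the trade-off answer 21 describes.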
  23. D. STP operates at the data link layer of the OSI model, so it works with hardware addresses, not IP addresses. Switches use STP to prevent redundant links from causing traffic loops on the network.
  24. E. SOHO multifunction devices typically function as routers connecting the local network to an Internet Service Provider (ISP), switches providing wired connections to host devices, Dynamic Host Configuration Protocol (DHCP) servers assigning IP addresses, Domain Name System (DNS) servers resolving names into IP addresses, Network Address Translation (NAT) routers providing hosts with private IP addresses access to the Internet, and APs providing wireless devices with access to the network. They do not function as hubs.
  25. B. The process by which STP populates its database with information about each port in a switch and designates the ports as forwarding or blocking is called convergence. Assimilation, tree-building, and listening are not terms for STP path evaluation.
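Answers 18, 23, and 25 describe what STP computes during convergence: a root bridge, each switch's cost to reach it, and a forwarding or blocking role for every port so that redundant links cannot form a bridging loop. The following added example, not part of the original answer key, performs that computation for a small topology using the classic 802.1D link costs (an assumption for the example); the switch names, MACs, and links are constructed. It elects the root on the lowest bridge ID, finds root path costs with Dijkstra's algorithm, and then checks that the forwarding links form a tree.

```python
import heapq
from collections import defaultdict

# Classic IEEE 802.1D path costs per link speed (assumed for the example)
COST = {"100M": 19, "1G": 4, "10G": 2}


class SpanningTree:
    def __init__(self):
        self.bridge_id = {}     # switch name -> (priority, MAC); the lowest wins the root election
        self.links = []         # (switch_a, switch_b, cost)

    def add_switch(self, name, mac, priority=32768):
        self.bridge_id[name] = (priority, mac)

    def add_link(self, a, b, speed):
        self.links.append((a, b, COST[speed]))

    def converge(self):
        """Elect the root, compute every switch's root path cost, then give each port a
        role: root (best path to the root), designated (the segment's forwarder), or blocking."""
        root = min(self.bridge_id, key=self.bridge_id.get)
        adj = defaultdict(list)
        for a, b, c in self.links:
            adj[a].append((b, c))
            adj[b].append((a, c))
        rpc = {n: float("inf") for n in self.bridge_id}     # root path cost (Dijkstra)
        rpc[root] = 0
        heap = [(0, root)]
        while heap:
            d, n = heapq.heappop(heap)
            if d > rpc[n]:
                continue
            for m, c in adj[n]:
                if d + c < rpc[m]:
                    rpc[m] = d + c
                    heapq.heappush(heap, (d + c, m))
        # Root port: the neighbour offering the lowest (cost, bridge ID) path to the root
        root_port = {n: min(adj[n], key=lambda nc: (rpc[nc[0]] + nc[1], self.bridge_id[nc[0]]))[0]
                     for n in self.bridge_id if n != root}
        roles = {}              # (switch, neighbour) -> role of the port on `switch` facing `neighbour`
        for a, b, _ in self.links:
            # the designated bridge for a segment is the side closer to the root (ties: lower ID)
            des = a if (rpc[a], self.bridge_id[a]) < (rpc[b], self.bridge_id[b]) else b
            other = b if des == a else a
            roles[(des, other)] = "designated"
            roles[(other, des)] = "root" if root_port[other] == des else "blocking"
        return root, rpc, roles

    def forwarding_links(self):
        _, _, roles = self.converge()
        return [(a, b) for a, b, _ in self.links
                if "blocking" not in (roles[(a, b)], roles[(b, a)])]

    def is_loop_free(self):
        """The active topology must be a tree: connected, with exactly N-1 forwarding links."""
        fwd = self.forwarding_links()
        if len(fwd) != len(self.bridge_id) - 1:
            return False
        seen, stack = set(), [next(iter(self.bridge_id))]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            stack.extend(b if a == n else a for a, b in fwd if n in (a, b))
        return len(seen) == len(self.bridge_id)


def ring_with_crosslink():
    """Four switches in a 1G ring plus a slower 100M cross-link: two physical loops."""
    st = SpanningTree()
    for i in range(1, 5):
        st.add_switch(f"S{i}", f"00:00:5e:00:53:0{i}")
    for a, b in (("S1", "S2"), ("S2", "S3"), ("S3", "S4"), ("S4", "S1")):
        st.add_link(a, b, "1G")
    st.add_link("S2", "S4", "100M")
    return st
```

With equal priorities, S1 wins the election on its lowest MAC. Five links among four switches leave two redundant paths; convergence blocks S3's port toward S4 and S4's port toward S2, leaving three forwarding links that reach every switch without a loop. The blocked ports still listen for BPDUs, so if a forwarding link fails, a recomputation brings one of them into service.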
  26. A, B. All switches operate at the data link layer of the OSI model, but multilayer switches usually also function as routers, which are network layer devices. They are not usually transport or application layer devices.
  27. C. A firewall that supports stateful packet inspection examines other network and transport layer header fields, looking for patterns that indicate damaging behaviors, such as IP spoofing, SYN floods, and teardrop attacks. Port number filtering is the most commonly used form of packet filtering; it is not the same as stateful packet inspection. Blocking traffic based on IP addresses prevents specific systems from accessing a network; stateful packet inspection is a much more complicated operation. Packet filtering based on protocol identifiers enables you to block TCP traffic; this is not stateful packet inspection.
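The distinction drawn in this answer, between plain port-number filtering and stateful inspection that tracks connections and looks for patterns such as spoofed inside addresses and unanswered SYNs, is easier to see in code. The following is an added example, not code from the book; the inside prefix 10.0.0., the half-open SYN threshold, the sample packets and the verdict strings are all assumptions constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed values for the demo; nothing here comes from the original page.
INSIDE_PREFIX = "10.0.0."       # assumed private network behind the firewall
HALF_OPEN_LIMIT = 3             # assumed per-source limit on unanswered inbound SYNs


@dataclass(frozen=True)
class Packet:
    iface: str      # "inside" or "outside": the interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = "" # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class StatefulFilter:
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.sessions = set()             # (in_ip, in_port, out_ip, out_port) opened from inside
        self.half_open = defaultdict(int) # outside source -> unanswered SYNs seen so far

    def decide(self, p: Packet) -> str:
        if p.iface == "inside":
            # Plain port-number filtering: only permitted destination ports may leave.
            if p.dport not in self.allowed:
                return "deny port"
            self.sessions.add((p.src, p.sport, p.dst, p.dport))  # remember the state
            return "allow"

        # Packet arrived on the outside interface.
        if p.src.startswith(INSIDE_PREFIX):
            return "deny spoofed"          # an inside address cannot legitimately arrive from outside
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"                 # reply to a session that was opened from inside
        if p.flags == "S":
            self.half_open[p.src] += 1     # unsolicited SYN: count half-open attempts per source
            if self.half_open[p.src] > HALF_OPEN_LIMIT:
                return "deny syn-flood"
        return "deny unsolicited"


def run_demo():
    """Run constructed sample traffic through the filter and return the verdicts in order."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    traffic = [
        Packet("inside", "10.0.0.5", "203.0.113.10", 40000, 443, "S"),   # client opens HTTPS
        Packet("outside", "203.0.113.10", "10.0.0.5", 443, 40000, "SA"), # server replies
        Packet("inside", "10.0.0.5", "203.0.113.10", 40000, 23, "S"),    # telnet out: blocked by port
        Packet("outside", "10.0.0.9", "10.0.0.5", 1234, 80, "S"),        # spoofed inside source
        Packet("outside", "198.51.100.7", "10.0.0.5", 5000, 22, "S"),    # unsolicited SYNs ...
        Packet("outside", "198.51.100.7", "10.0.0.5", 5001, 22, "S"),
        Packet("outside", "198.51.100.7", "10.0.0.5", 5002, 22, "S"),
        Packet("outside", "198.51.100.7", "10.0.0.5", 5003, 22, "S"),    # ... the fourth exceeds the limit
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The port check alone would have admitted the spoofed packet and every unsolicited SYN to port 22 if 22 were in the allowed set; it is the session table and the per-source SYN counter, the "state", that let the filter tell a reply from an intrusion attempt.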
  28. B. Bridges are data link layer (layer 2) devices. Routing is a network layer (layer 3) function, so it is not a type of bridge. A store-and-forward, or simple, bridge examines each packet and decides whether to forward it to the connected network. A transparent bridge compiles a database of forwarding information, based on the packets it has processed previously. A multiport bridge provides connections to multiple networks; a switch is a type of multiport bridge.
  29. A, C. IDSs can use anomaly-based detection to identify deviations from a known baseline of trustworthiness, or signature-based detection to locate specific malicious byte or instruction sequences. Behavior-based and statistic-based detection are not typical IDS methods.
  30. B. Connecting subnets with routers at the network layer maintains the data link layer administrative boundaries that prevent broadcast transmissions from being propagated throughout the entire internetwork. Switching eliminates those data link layer boundaries, and administrators can use VLANs to simulate them. Because hubs propagate all of the traffic they receive out through all of their ports indiscriminately, they create no administrative boundaries. Firewalls are filtering devices that protect networks against malicious traffic; their functions are not related to VLANs. Switches are essentially multiport bridges that forward incoming traffic only to the device for which it is destined. Therefore, bridges are more closely related to eliminating administrative boundaries than to establishing them.
  31. D. A simple media converter is a physical layer device that can connect different types of network media together, as long as they have the same speed and duplex settings. Because the converter simply retransmits the signals, the single collision domain is maintained. Bridges and switches are data link layer devices that create multiple collision domains. Routers are network layer devices that create separate collision and broadcast domains.
  32. B. A switch is a data link layer device that essentially performs the function of a bridge for each device connected to one of its ports. It can therefore be described as a multiport bridge. Routers, hubs, and gateways are devices that operate at the network, physical, and application layers, respectively, so they cannot be described as bridges.
  33. D. A gateway enables two devices using different protocols to communicate by performing translation and conversion services for them. Routers, hubs, and switches all require the same protocol at some of the OSI model layers.
  34. A. Each port on a router defines a separate collision domain. Hubs forward all traffic to all of the connected nodes, so each network segment is a single collision domain. Routers do not forward broadcasts, so each network segment is also a separate broadcast domain.
  35. A, B, D. Routers are network layer devices that do not forward broadcast messages, so they create separate broadcast domains for each network. Switches do forward broadcasts, forming a single broadcast domain. Routers and switches can communicate using dedicated protocols. As data link layer devices, switches read only hardware addresses from packet frames; routers forward traffic based on the IP addresses in packets' IP headers.
  36. A. Media converters will enable Ralph to join the multimode fiber-optic run to the UTP at both sides of the courtyard while maintaining a single network at minimum cost. Inexpensive small-business hubs and switches cannot join different media together. Routers can join different media, but they are more expensive, and they would separate the installation into three separate networks.
  37. A. If the fifth computer is in a different VLAN from the other four, it would be unable to communicate with them. A switching loop would affect communication between all of the computers, not just the fifth one. An MTU black hole is a condition in which a system is unable to complete the Path MTU Discovery process, typically because an intervening firewall blocks the ICMP messages the process depends on. Because these five computers are all on the same LAN, they all have the same MTU, and Path MTU Discovery is not necessary. A virtual router would enable switched computers on different subnets to communicate with each other; it would not prevent them from communicating.
  38. A. Security Information and Event Management (SIEM) systems can function as a central clearinghouse for information gathered by IDSs and other security processes. Next-Generation Firewall (NGFW), Remote Authentication Dial-In User Service (RADIUS), and Voice over IP (VoIP) are not systems that collect IDS information.
  39. A. Hubs are network devices that simply receive signals through one port, electrically enhance them, and transmit them out through another port. Routers, switches, and bridges are capable of reading the signals and processing them, which classifies them as intelligent.
  40. A, B. Adding a router splits the Ethernet LAN into two LANs, creating two separate broadcast domains. Each computer, therefore, has a smaller number of broadcast messages to process. Because the network is split by the router, the amount of unicast traffic on each subnet is reduced.
  41. B. Standard hub ports have a crossover circuit, which ensures that the transmit signals at one end of the connection arrive at the receive pins at the other end. The uplink port in a hub bypasses the crossover circuit, so that two connected hubs do not have crossover circuits that cancel each other out. A connection between a standard port and an uplink port, using a standard cable, results in a single crossover, which is correct wiring. Each of the other solutions results in either two crossovers or no crossovers, which is incorrect.
  42. D, E. By default, a switched LAN consists of a single broadcast domain. To create multiple broadcast domains, you can install routers to split the installation into two or more networks, because routers do not forward broadcasts. The other possibility is to create VLANs in the switches. Each VLAN is a separate broadcast domain. All of the other options would have no effect on the number of broadcast domains on the network.
  43. B. Bridges and switches are data link layer devices that forward frames based on the destination MAC address contained in the frame. They operate in promiscuous mode, listening and processing all frames on each segment, and they build forwarding tables with this information. Forwarding tables are built based on source MAC addresses. Bridges are protocol independent; they are not involved with the upper layer protocols being carried on the LAN. Broadcast domains are defined by network layer devices, not data link layer devices.
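Answers 22, 37, 43 and 46 all come down to the same learning-bridge algorithm: the switch learns from the source MAC address of every frame it sees, forwards known unicasts out one port, floods broadcasts and unknown unicasts, and keeps VLANs apart by giving each its own forwarding table. The following is an added example that simulates that behaviour; it is not code from the book, and the port-to-VLAN layout and MAC addresses are constructed for the demo.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent bridge behaviour: learn from source MACs, forward on destination MACs,
    and keep a separate forwarding table per VLAN so each VLAN stays its own broadcast domain."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id
        self.table = defaultdict(dict)     # VLAN id -> {MAC: port}

    def receive(self, in_port, src, dst):
        """Return the sorted list of ports the frame is forwarded out of."""
        vlan = self.port_vlan[in_port]
        self.table[vlan][src] = in_port    # learning happens on every frame (promiscuous listening)
        if dst != BROADCAST and dst in self.table[vlan]:
            out = self.table[vlan][dst]
            return [] if out == in_port else [out]   # known unicast: one port, or filtered entirely
        # Broadcast or unknown unicast: flood every other port in the same VLAN only.
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def run_demo():
    """Constructed layout (not from the page): ports 1-4 in VLAN 10, port 5 alone in VLAN 20."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 10, 5: 20})
    a, b, e = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0e"
    results = {}
    results["A broadcast"] = sw.receive(1, a, BROADCAST)  # floods VLAN 10, never reaches port 5
    results["B to A"] = sw.receive(2, b, a)               # A was learned on port 1: unicast only
    results["A to B"] = sw.receive(1, a, b)               # B was learned from the previous frame
    results["A to E"] = sw.receive(1, a, e)               # E lives in VLAN 20: unknown here, floods VLAN 10 only
    results["E to A"] = sw.receive(5, e, a)               # VLAN 20 has no other ports: nowhere to go
    return results


if __name__ == "__main__":
    for name, ports in run_demo().items():
        print(f"{name}: {ports}")
```

The last two results are the VLAN separation of answer 37: the fifth computer's frames never leave VLAN 20, and frames for it from VLAN 10 are flooded only within VLAN 10, so the two sides never hear each other even though they share the same physical switch.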
  44. C. A switch is best described as a multiport bridge, because it reads the hardware addresses of incoming packets and forwards them out through the port for the destination node. Although a switch does function at layer 2 of the OSI model (the data link layer), it is not a router, which connects networks together at layer 3 (the network layer). Hubs and repeaters are physical layer (layer 1) devices that are not capable of performing the functions of a switch.
  45. E. The IoT consists of devices that are ordinarily passive, but which have been made intelligent by configuring them to participate on an IP network. All of the devices listed are available as “smart” devices that enable remote users to interact with them over the Internet.
  46. C. The main reason why switches improve the efficiency of an Ethernet LAN is that they create a separate collision domain for each switched port, eliminating most collisions. Collisions result in packets having to be retransmitted, so fewer collisions means fewer retransmissions, which improves performance. Switches do not forward packets faster than hubs. Switches do forward broadcast transmissions. Switches do read hardware addresses, not IP addresses.
  47. D. A collision domain is a LAN with a shared network medium, so that two devices transmitting at the same time generate a signal quality error, also known as a collision. Ethernet LANs connected by hubs create a shared medium, whereas switched networks create a separate collision domain for each connected node. Routers create separate collision domains. A group of computers able to receive broadcasts is the definition of a broadcast domain, not a collision domain. Overlong cables can precipitate collisions but do not define a collision domain.
  48. A, C. VoIP uses the terms terminal and endpoint to refer to the device with which users make calls, including computers and telephone handsets. A VoIP gateway is the device that provides the conduit between an IP network and the Public Switched Telephone Network (PSTN). A VoIP private branch exchange (PBX) is a device that switches calls between endpoints on the local IP network and provides access to external Internet lines.
  49. A. Hubs are physical layer devices that amplify and repeat signals out all ports except the one through which the data was received, regardless of the destination. Hubs are used to physically connect end systems to a star topology. Hubs typically provide an internal crossover circuit connection. Uplink ports are used to extend the distance of a star network, forming a hierarchical star.
  50. A, D, E. Routers are network layer devices that use IP addresses to forward packets, not MAC addresses. Routers are protocol dependent: they must support the network layer protocol being routed. As a network layer device, a router defines networks (or LANs), each of which is a separate broadcast domain. Routers do not build their routing tables or forward packets using MAC addresses.
  51. A, B. The 100Base-TX specification defines two hub types: Class I and Class II. Class I hubs perform signal translation; Class II hubs do not. A network can have only one Class I hub per collision domain; a network can have two Class II hubs per collision domain. The other options do not exist.
  52. C. Routers store and maintain route information in a routing table that is stored in memory, not in a local text file. All of the other statements about routers are true.
  53. D. The firewall is a conduit between the private network and the ISP's network (which provides access to the Internet), through which all traffic must pass. This ensures that the firewall has the opportunity to examine every packet that passes between the private network and the Internet and filter out those that are not authorized. If the firewall was located in the midst of the private internetwork, it would be possible for Internet computers to bypass the firewall and communicate directly with the private systems. Placing the firewall on the far side of the router would put it on the ISP's network, causing it to filter all of the ISP's traffic and not just that destined for the private network. Installing the firewall at the ISP's site would have the same effect as installing it on the far side of the router at the private network site.
  54. A, B. The FTP protocol uses two well-known ports: 21 for the control connection and 20 for the server's end of active-mode data connections. A firewall must have both of these ports open to admit FTP traffic. FTP does not require ports 22, 23, or 24.
  55. D. A proxy server is an application layer service, because it receives Internet service requests from client computers, reads the application layer protocol data in each request, and then generates its own request for the same service and transmits it to the Internet server the client specifies. Only an application layer service can read and process the application layer data in network packets. A proxy server cannot be a data link layer device, because it can provide Internet access to an entire internetwork, while the data link layer is concerned with communications on a single subnet. Proxy servers cannot be network layer devices, because the network layer handles all internetwork packets indiscriminately and is unaware of what application generated the data carried inside the packets. The transport layer is not involved in processing application data, so proxy servers cannot be said to function at the transport layer.
  56. B. DPI is a firewall technique that examines the data carried in packets and not just the protocol headers. While traditional firewalls typically do not support DPI, NGFWs often do. Stateful packet inspection, NAT, and VPN support are all features that are commonly supported by traditional firewall products.
  57. C. Content filters are a firewall feature that examines the data inside packets, rather than their origin, to locate objectionable material. They do not scan IP addresses, nor do they detect typical types of malware. Content filters are not implemented in switches.
  58. D. In most cases, a load balancing router works by processing incoming traffic based on rules set by the administrator. The rules can distribute traffic among a group of servers using various criteria, such as each server's current load or response time, or which server is next in a given rotation. Load balancers typically do not use the hardware configuration of the servers to direct traffic since this is a factor that does not change.
  59. C. A VoIP gateway is a device that provides a conduit between an IP network and the Public Switched Telephone Network (PSTN). The gateway enables standard telephones connected to the PSTN to place calls using VoIP services on the Internet. A proxy server is an application layer device that enables web browsers and other client programs to access the Internet. A Virtual Private Network (VPN) headend enables multiple client systems to access a network from remote locations. A unified threat management (UTM) appliance typically performs VPN, firewall, and antivirus functions.
  60. A, C. Network Address Translation (NAT) is a network layer mechanism that converts the private IP addresses in all of a client's transmissions to a registered IP address. NAT therefore works for all applications. A proxy server is an application layer device that performs the same type of conversion, but only for specific applications. A Remote Authentication Dial-In User Service (RADIUS) server can provide Authentication, Authorization, Accounting, Auditing (AAAA) services for remote access servers. It does not convert IP addresses. A unified threat management (UTM) appliance typically performs VPN, firewall, and antivirus functions. It too does not convert IP addresses.
  61. A, B, C, E. HVAC sensors can measure temperatures and humidity in climate-controlled areas, such as datacenters; atmospheric pressure in devices like boilers and compressors; and occupancy, to control conditions based on the presence of people. Printers, cameras, door locks, and other physical access control devices are not part of an HVAC system.
  62. B. A Virtual Private Network (VPN) headend is a type of router that enables multiple client systems to access a network from remote locations. Because the device provides an interface between networks, it is considered to be a type of router, not a switch, a gateway, or a bridge.
  63. B. A virtual PBX is an arrangement in which a telephone company provides the PBX services to a customer but maintains the actual hardware at their own facility. The recent emphasis on cloud computing has led to a number of hosted PBX solutions that use Voice over IP (VoIP) to provide services to customers. QoS is a technique for prioritizing traffic by tagging packets based on their content. It is not a virtual PBX technique. The Cache Array Routing Protocol (CARP) enables proxy servers to exchange information; it does not provide virtual PBX services. In round-robin DNS, a DNS server contains multiple resource records for the same server name, each with a different IP address representing one of the computers running the server application. When a client resolves the server name, the DNS server accesses each of the resource records in turn so that each address theoretically receives the same number of visitors. This is not a virtual PBX technology.
  64. C. Proxy servers provide network users with access to Internet services, and the unregistered IP addresses on the client computers protect them from unauthorized access by users on the Internet, which satisfies the first objective. The proxy servers also make it possible for network administrators to regulate users' access to the Internet, which satisfies one of the two secondary objectives. However, the proxy servers cannot assign IP addresses to the client computers, and the plan makes no mention of DHCP or another automatic TCP/IP configuration mechanism. Therefore, the plan does not satisfy the other secondary objective.
  65. A, B. The Control and Provisioning of Wireless Access Points (CAPWAP) protocol and the Lightweight Access Point Protocol (LWAPP) are both protocols that enable wireless controllers to manage and control Access Points (APs). Lightweight Directory Access Protocol (LDAP) is used by directory services, and Point-to-Point Tunneling Protocol (PPTP) is used for virtual private networking.
  66. B. In many enterprise wireless networks, the Access Points (APs) do not run a full operating system and are called thin or lightweight APs. The network also has a device called a wireless controller that performs some of the required tasks and manages the APs. A wireless endpoint is another term for a computer or other device that is a client on the wireless network. Hypervisors and demarcation points have nothing to do with wireless networking. A hypervisor creates and manages Virtual Machines (VMs) on a host server, and a demarcation point is the interface between a private network and an outside telecommunications service.
  67. A. A multilayer switch is a network connectivity device that functions at both layer 2 and layer 3 of the OSI model. At layer 2, the device functions like a normal switch, providing individual collision domains to each connected node and enabling administrators to create multiple VLANs. At layer 3, the device also provides routing capabilities by forwarding packets between the VLANs. Virtual routers, load balancers, and broadband routers are strictly layer 3 devices that can route traffic but cannot create VLANs.
  68. D. A Virtual Private Network (VPN) headend is a type of router that enables multiple client systems to access a network from remote locations. It does not distribute traffic among servers. A load balancer is a type of router that forwards traffic with a single IP address to multiple servers in turn. Round-robin DNS is a technique in which a DNS server resolves a name into several IP addresses, each in turn. A Network Load Balancing (NLB) cluster is a group of servers, all running the same application, that distribute incoming traffic among themselves.
  69. B. A load balancer is a type of router that forwards traffic with a single IP address to multiple servers in turn. In most cases, a load balancing router works by processing incoming traffic based on rules set by the administrator. Because a load balancer works with IP addresses, it is a network layer device. Load balancers are not switches, gateways, or firewalls.
  70. C. Next-Generation Firewalls (NGFWs) expand on the packet filtering capabilities of traditional firewalls by adding features such as DPI and IPSs, as well as inspection of encrypted traffic and antivirus scanning. Remote Authentication Dial-In User Service (RADIUS) servers can provide centralized Authentication, Authorization, Accounting, Auditing (AAAA) services. A CSU/DSU is a device that provides a router on a private network with access to a leased line. A proxy server is an application layer service that receives Internet service requests from client computers, reads the application layer protocol data in each request, and then generates its own request for the same service and transmits it to the Internet server the client specifies.
  71. A. A private branch exchange (PBX) switches internal calls and provides access to external lines. A VoIP PBX performs the same tasks as a traditional PBX. A VoIP gateway is the device that provides the conduit between an IP network and the Public Switched Telephone Network (PSTN). A VoIP endpoint is a device that makes use of the VoIP system, such as a computer or handset. A multilayer switch is a data networking device that includes both switching and routing capabilities.
  72. A. Because the client computers use private IP addresses, they are invisible to the Internet, so users outside the private network cannot see or access them. The proxy server has a public IP address so it can participate in service transactions with Internet servers. If the proxy server used a private IP address, it would not be able to access the Internet directly. If the clients used public IP addresses, they would be visible to the Internet and vulnerable to intrusion.
  73. B, C. To provide clients with Internet access, a NAT or proxy server must have direct access to the Internet, which requires using a registered, or public, IP address. Both NAT and proxy servers function as the middleman in transactions between the client computers on a private network and Internet servers. The NAT or proxy server transmits the client's service request to the Internet server as though it was its own and, after receiving the reply, relays the response back to the client. Because NAT servers function at the network layer, clients can use any application to access the Internet through the server. Proxy servers, however, operate at the application layer and can provide Internet access only to certain types of client applications. Proxy servers are capable of caching web data for later use, because they are application layer devices that read the application layer protocol data in the message packets they receive. NAT servers are network layer processes that forward packets with no knowledge of the application layer information in their contents.
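Answers 60, 72 and 73 describe NAT as a network layer middleman that rewrites private source addresses on the way out and relays replies on the way back, without caring which application produced the packets. The following is an added example of that translation table (port address translation, the form of NAT most home and small-office routers use); it is not code from the book, and the public address, port range and sample flows are assumptions constructed for the demo.

```python
import itertools


class PortAddressTranslator:
    """NAT as a network layer middleman: rewrite the private source of outbound packets,
    remember the mapping, and rewrite the destination of the matching replies."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # public ports handed out in order (assumed scheme)
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # public port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network; returns the new 4-tuple."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                 # first packet of a flow: allocate a mapping
            pub_port = next(self._ports)
            self.out_map[key] = pub_port
            self.in_map[pub_port] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite the destination of a packet arriving from the Internet, or None to drop it."""
        if dst_port not in self.in_map:              # no inside client asked for this: drop it
            return None
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def run_demo():
    """Constructed flows (not from the page) through one NAT router with one public address."""
    nat = PortAddressTranslator("203.0.113.2")       # assumed registered address of the NAT router
    # Two clients happen to pick the same source port for the same web server.
    a = nat.outbound("192.168.1.10", 50000, "198.51.100.80", 80)
    b = nat.outbound("192.168.1.11", 50000, "198.51.100.80", 80)
    again = nat.outbound("192.168.1.10", 50000, "198.51.100.80", 80)  # same flow reuses its mapping
    reply_b = nat.inbound("198.51.100.80", 80, b[1])                  # server answers the second client
    dns = nat.outbound("192.168.1.10", 53001, "198.51.100.53", 53)    # any application, same mechanism
    stray = nat.inbound("198.51.100.99", 4444, 2000)                  # nobody asked: dropped
    return a, b, again, reply_b, dns, stray


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Because the translator keys only on addresses and ports, the DNS flow is handled exactly like the HTTP flows, which is the "works for all applications" point of answer 60; a proxy server would instead have to understand each protocol it relays. The dropped stray packet is also why the private clients are "invisible" from the Internet in answer 72: nothing reaches them unless they initiated the exchange.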
  74. B, C, D. A multilayer switch typically operates at the data link and network layers, assuming the functions of a switch and a router by using Media Access Control (MAC) addresses at the data link layer (layer 2) and IP addresses at the network layer (layer 3) to forward packets to their appropriate destinations. Some switches also function at the transport layer (layer 4) by distinguishing between User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic and using port numbers to forward packets.
  75. A. Intrusion Detection Systems (IDSs) are designed to monitor network traffic for anomalies and send notifications to administrators. Uninterruptible power supplies (UPSs), Remote Authentication Dial-In User Service (RADIUS) servers, Denial-of-Service (DoS) attacks, and Remote Access Service (RAS) servers all have nothing to do with network monitoring.
  76. C. Packet forwarding is a function typically associated with routers and is not a normal function of a UTM appliance. UTM appliances do typically perform VPN, firewall, and antivirus functions.
  77. B. Port mirroring is a feature found in some switches that takes the form of a special port that runs in promiscuous mode. This means that the switch copies all incoming traffic to that port, as well as to the dedicated destination ports. By connecting an IDS or protocol analyzer to this port, an administrator can access all of the network's traffic. Stateful packet inspection is a firewall feature that enables the device to examine network and transport layer header fields, looking for patterns that indicate damaging behaviors, such as IP spoofing, SYN floods, and teardrop attacks. Trunking is a switch feature that enables administrators to create VLANs that span multiple switches. Service-dependent filtering is a firewall feature that blocks traffic based on transport layer port numbers.
  78. B. ACLs restrict access to network devices by filtering usernames, MAC addresses, IP addresses, or other criteria. Routers, switches, and WAPs all use ACLs to control access to them. Hubs are purely physical layer devices that relay electrical or optical signals. They have no way of controlling access to them.
  79. B. The Default Gateway parameter specifies the address of the local router that the end system should use to access other networks. The WINS Server Addresses and DNS Server Addresses parameters are used to resolve names to IP addresses. There is no such parameter as Subnet Gateway.
  80. A. The figure displays the format for a Routing Information Protocol (RIP) version 1 response packet. The figure does not show the packet format for RIPv2, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), or Border Gateway Protocol (BGP).
  81. A. EIGRP can support classless IPv4 addresses. It was designed to replace the Interior Gateway Routing Protocol (IGRP), which could not support classless addresses. All of the other options contain true statements.
  82. A, B. Bandwidth throttling is a traffic shaping technique that prevents specified data streams from transmitting too many packets. Rate limiting is a traffic shaping technique that controls the transmission rate of sending systems. A broadcast storm is a type of network switching loop. NAT is a method by which private networks can share registered IP addresses. Neither of these last two is a traffic shaping technique.
  83. D. Quality of Service (QoS) is a general term that refers to various mechanisms for prioritizing network traffic so that applications or data streams requiring a certain level of performance are not negatively affected by lower-priority transmissions. Port forwarding is a routing method that redirects traffic intended for one IP address and port number to another. Dynamic routing is a method by which routing tables are automatically updated with new information as the routing fabric of an internetwork changes. Virtual Local Area Networks (VLANs) are a means for partitioning a broadcast domain into discrete units that are functionally equivalent to physical LANs.
  84. A, D. Routers that are running the RIPv1 routing protocol broadcast their entire routing tables every 30 seconds, regardless of whether there has been a change in the network. RIPv1 does not include the subnet mask in its updates, so it does not support subnetting.
  85. A. Differentiated services (Diffserv) is a mechanism that provides Quality of Service (QoS) on a network by classifying traffic types using a 6-bit value in the differentiated services (DS) field of the IP header. Class of Service (CoS) is a similar mechanism that operates at the data link layer by adding a 3-bit Priority Code Point (PCP) value to the Ethernet frame. Traffic shaping is a means of prioritizing network traffic that typically works by delaying packets at the application layer. Quality of Service (QoS) is an umbrella term that encompasses a variety of network traffic prioritization mechanisms. Administrative distance is a value that routers use to select the most efficient route to a destination.
  86. A, E. Administrators must manually add, modify, or delete static routes when a change in a network occurs. For this reason, static routes are not recommended for use in large internetworks where there are multiple paths to each destination network. Static routes are not automatically added by routing protocols and do not adapt to changes in a network.
  87. A. RIPv1 does not include the subnet mask in its updates. RIPv2 supports subnetting and includes the subnet mask of each network address in its updates. OSPF and BGP both include the subnet mask within their updates.
  88. D. Distance vector protocols rely on hop counts to evaluate the efficiency of routes. Link state protocols use a different type of calculation, usually based on Dijkstra's algorithm. The terms interior gateway protocol and edge gateway protocol do not refer to the method of calculating routing efficiency.
  89. B. A single RIP broadcast packet can include up to 25 routes. If there are more than 25 routes in the computer's routing table, then RIP must generate additional packets.
  90. A, C. OSPF is a link state routing protocol, which means that it does not rely solely on hop counts to measure the relative efficiency of a route. EIGRP is a hybrid protocol that can use link state routing. RIP is a distance vector routing protocol, meaning that it uses hop counts to measure route efficiency. BGP is an exterior gateway protocol that exchanges routing information among autonomous systems using path vectors or distance vectors.
  91. A, B, D. OSPF does support CIDR. All of the other options contain true statements.
  92. A. Convergence is the term for the process by which routers propagate information from their routing tables to other routers on the network using dynamic routing protocols. Distance vectoring, redistribution, and dissemination do not describe this process.
  93. A. RIP is a distance vector protocol, which uses hop counts to measure the efficiency of routes. OSPF and IS-IS are link state protocols, and BGP is a path vector protocol; none of them relies on hop counts.
  94. A. Exterior Gateway Protocol (EGP) routes datagrams between autonomous systems. Interior Gateway Protocol (IGP) routes datagrams within an autonomous system. Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) are examples of interior gateway protocols.
  95. D. TTL is a value included in the IPv4 header that specifies the maximum number of hops the packet is allowed on the network. Each router processing the packet reduces the TTL value by one and discards the packet when the value reaches zero. OSPF is a routing protocol. MTU specifies the maximum size of a frame. Administrative distance is a value that routers use to select the most efficient route to a destination.
  96. A, D. The route command was originally created to display a Unix or Linux system's routing table and modify its contents by adding, changing, and deleting static routes. The ip command is part of the iproute2 command-line utility package, which has replaced route in many Unix and Linux distributions. Running ip with the route parameter can manipulate the routing table. The traceroute and ifconfig tools are not commands for manipulating the routing table.
  97. A. Routers that use OSPF transmit the speed of each network interface with the other OSPF routers in the network. This enables the routers to evaluate the cost of various routes through the network and transmit packets using the route with the smallest cost value. The routers do not need to share information about the data link layer protocols or network media they use or their IP addresses.
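Answers 88, 90, 93 and 97 contrast hop-count routing with link state routing, where each router runs Dijkstra's algorithm over interface costs derived from link speed. The following is an added example, not code from the book, that computes both answers for one constructed topology in which the fewest-hop path runs over slow links while the lowest-cost path takes one hop more; the topology, the link speeds and the reference-bandwidth cost formula are assumptions for the demo.

```python
import heapq
from collections import deque

# Constructed topology (not from the page): each tuple is (router, router, link speed in Mbps).
LINKS = [
    ("A", "B", 10),     # two-hop path A-B-D over 10 Mbps links
    ("B", "D", 10),
    ("A", "C", 1000),   # three-hop path A-C-E-D over gigabit links
    ("C", "E", 1000),
    ("E", "D", 1000),
]
REFERENCE_BW = 100_000  # assumed reference bandwidth in Mbps: cost = reference / link speed


def build_graph(links):
    """Adjacency map router -> {neighbour: cost}, costs derived from the advertised link speeds."""
    graph = {}
    for a, b, mbps in links:
        cost = max(1, REFERENCE_BW // mbps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def dijkstra(graph, src, dst):
    """Link state choice: lowest total cost. Returns (cost, path)."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                       # stale heap entry
        if u == dst:
            break
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def fewest_hops(graph, src, dst):
    """Distance vector outcome after convergence: every link counts as one hop. Returns (hops, path)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in graph[u]:
            if v not in prev:
                prev[v] = u
                queue.append(v)
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return len(path) - 1, path[::-1]


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("link state (cost):", dijkstra(g, "A", "D"))
    print("distance vector (hops):", fewest_hops(g, "A", "D"))
```

With the costs above, the 10 Mbps links cost 10000 each and the gigabit links 100 each, so the link state router sends A-to-D traffic over the three gigabit hops (total cost 300) while a hop-count router insists on the two slow hops. That is exactly why answer 97 says OSPF routers must exchange interface speeds and nothing else about the links.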
  98. B. BGP is a path vector routing protocol, not a link state routing protocol. All of the other options contain true statements.
  99. A. The default route in an IPv4 routing table always has a destination address of 0.0.0.0. The other destinations are found in a routing table, but they are not the default route destination.
  100. A. The figure displays the format for a Routing Information Protocol version 2 response packet. The figure does not show the packet format for RIPv1, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), or Border Gateway Protocol (BGP).
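Answers 80, 84, 87, 89 and 100 all turn on the RIP packet layout: a 4-byte header (command, version, two zero bytes) followed by 20-byte route entries, at most 25 per packet, where RIPv1 leaves the subnet mask, route tag and next hop fields zero and RIPv2 fills them in. The following is an added encoder and decoder for response packets, not code from the book; the 30-route sample table is constructed for the demo, and the classful fallback is the inference a RIPv1 receiver is forced to make because no mask is carried.

```python
import ipaddress
import struct

RIP_RESPONSE = 2      # command field value for a response message
AF_INET = 2           # address family identifier RIP uses for IPv4
MAX_ENTRIES = 25      # at most 25 route entries fit in one packet
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")      # AFI, route tag, address, mask, next hop, metric (20 bytes)


def encode_response(routes, version):
    """routes: list of (cidr, metric). Returns the list of packets needed to carry them all."""
    packets = []
    for start in range(0, len(routes), MAX_ENTRIES):
        packet = HEADER.pack(RIP_RESPONSE, version, 0)
        for cidr, metric in routes[start:start + MAX_ENTRIES]:
            net = ipaddress.ip_network(cidr)
            mask = int(net.netmask) if version == 2 else 0   # RIPv1 has no mask field in use
            packet += ENTRY.pack(AF_INET, 0, int(net.network_address), mask, 0, metric)
        packets.append(packet)
    return packets


def classful_prefix(address):
    """Prefix length implied by the address class: the only thing a RIPv1 receiver has to go on."""
    first_octet = int(address) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def decode_response(packet):
    """Return (command, version, [(network_cidr, metric), ...]) for one response packet."""
    command, version, _ = HEADER.unpack_from(packet, 0)
    routes = []
    for offset in range(HEADER.size, len(packet), ENTRY.size):
        _afi, _tag, addr, mask, _next_hop, metric = ENTRY.unpack_from(packet, offset)
        address = ipaddress.IPv4Address(addr)
        if version == 2 and mask:
            net = ipaddress.ip_network((address, str(ipaddress.IPv4Address(mask))), strict=False)
        else:
            net = ipaddress.ip_network((address, classful_prefix(address)), strict=False)
        routes.append((str(net), metric))
    return command, version, routes


def run_demo():
    """Constructed routing table (not from the page): 30 routes force a second packet."""
    routes = [(f"10.{i}.0.0/16", 1) for i in range(29)] + [("172.16.5.0/24", 2)]
    v2 = encode_response(routes, 2)
    v1 = encode_response(routes, 1)
    return {
        "v2_packets": len(v2),
        "first_packet_bytes": len(v2[0]),
        "v2_last_route": decode_response(v2[1])[2][-1],
        "v1_last_route": decode_response(v1[1])[2][-1],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The decoder shows the subnetting problem of answers 84 and 87 concretely: the RIPv2 packet delivers 172.16.5.0/24 intact, while the same route carried by RIPv1 arrives as 172.16.0.0/16, because the receiver has nothing but the address class to reconstruct the mask from. A 30-route table also needs two packets, the first one exactly 4 + 25 x 20 = 504 bytes long.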
  101. D. The Border Gateway Protocol (BGP) is a highly scalable protocol used for routing both on private autonomous systems, where it is known as the Internal Border Gateway Protocol (iBGP) and maintains full mesh communication among all of the routers, and on the Internet, where it is known as the External Border Gateway Protocol (eBGP). Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) do not have interior and exterior designations.
  102. A, B. The Internet Protocol (IP) in both of its versions (IPv4 and IPv6) includes a TTL field in its message header that limits the number of times a packet can be routed on a network. Each router processing the packet reduces the TTL value by one until it reaches zero, after which it is discarded. The Internet Control Message Protocol (ICMP) and the Internet Group Management Protocol (IGMP) do not have a TTL field.
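Answers 99 and 102 describe two things a router does with every packet: pick the most specific matching route (falling back to the 0.0.0.0/0 default) and decrement the TTL, discarding the packet when it reaches zero. The following script is an added illustration, not code from the book; the router names, prefixes and addresses form a constructed topology, and the loop between LOOPA and LOOPB exists only to show the TTL mechanism ending a routing loop.

```python
"""Forwarding with longest-prefix match, a 0.0.0.0/0 default route and a
per-hop TTL decrement. Added illustration, not the book's code; the router
names, prefixes and addresses are a constructed topology."""
import ipaddress


class Router:
    """Routing table entries are (prefix, next_hop); next_hop None means the
    prefix is directly connected and the packet is delivered here."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes),
            key=lambda entry: entry[0].prefixlen, reverse=True)  # longest prefix first

    def lookup(self, dst):
        """Return (matched_prefix, next_hop) or None when no route matches."""
        dst = ipaddress.ip_address(dst)
        for net, next_hop in self.routes:
            if dst in net:
                return net, next_hop
        return None


def forward(routers, start, dst, ttl):
    """Walk the packet router by router. Each router decrements TTL first and
    discards the packet when it reaches zero. Returns (outcome, path, ttl)."""
    path = []
    current = start
    while True:
        path.append(current)
        ttl -= 1
        if ttl == 0:
            return "ttl_expired", path, ttl      # router would send ICMP Time Exceeded
        match = routers[current].lookup(dst)
        if match is None:
            return "no_route", path, ttl        # no entry, not even a default
        _net, next_hop = match
        if next_hop is None:
            return "delivered", path, ttl       # directly connected destination
        current = next_hop


# Constructed topology: R1 knows 10.1/16 directly, reaches 10.2/16 via R2 and
# sends everything else to EDGE via its default route; R2 has a more specific
# /24 via R3 so longest-prefix match can be seen; LOOPA/LOOPB default to each
# other so a looping packet dies by TTL; ISOLATED has no default route.
ROUTERS = {
    "R1": Router("R1", [("10.1.0.0/16", None), ("10.2.0.0/16", "R2"), ("0.0.0.0/0", "EDGE")]),
    "R2": Router("R2", [("10.2.0.0/16", None), ("10.2.5.0/24", "R3"), ("0.0.0.0/0", "R1")]),
    "R3": Router("R3", [("10.2.5.0/24", None), ("0.0.0.0/0", "R2")]),
    "EDGE": Router("EDGE", [("0.0.0.0/0", None)]),
    "LOOPA": Router("LOOPA", [("0.0.0.0/0", "LOOPB")]),
    "LOOPB": Router("LOOPB", [("0.0.0.0/0", "LOOPA")]),
    "ISOLATED": Router("ISOLATED", [("192.168.0.0/24", None)]),
}

if __name__ == "__main__":
    for start, dst, ttl in [("R1", "10.2.5.77", 64), ("R1", "198.51.100.7", 64),
                            ("LOOPA", "198.51.100.7", 5), ("ISOLATED", "198.51.100.7", 64)]:
        print(start, "->", dst, forward(ROUTERS, start, dst, ttl))
```

Sorting the table longest prefix first is what makes R2 hand 10.2.5.77 to R3 even though its directly connected 10.2.0.0/16 also matches; the 0.0.0.0/0 entry, with prefix length zero, is tried last and therefore only catches traffic nothing else claims.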
  103. B. WAN optimization is not a form of traffic shaping, because it compresses data streams and transmits incremental file updates. Traffic shaping uses techniques like rate limiting, bandwidth throttling, and self-limiting to delay the transmission of specific types of data packets to optimize network performance.
  104. A. Distributed switching describes a hierarchical switching architecture in which remote switches (departmental switches in this case) handle most of the network traffic, with a host switch used only for traffic between the remote locations. Port forwarding is a routing method that redirects traffic intended for one IP address and port number to another. Traffic shaping is a series of techniques that optimize the allocation of network bandwidth. Neighbor discovery is an IPv6 technique used to find addresses of devices and services on the local network. Flow control is a technique for regulating a system's transmission speed.
  105. A. All half-duplex port connections on a store-and-forward switch represent a different collision domain. Full-duplex connections are not subject to collisions, so they do not define separate collision domains.
  106. C. A Media Access Control (MAC) address is a 6-byte hexadecimal value, with the bytes separated by colons, as in 00:1A:6B:31:9A:4E. Option A, 10.124.25.43, is all decimals and uses periods; this is an IPv4 address. Option B, FF:FF:FF:FF:FF:FF, is a valid MAC address, but this value is reserved for use as a broadcast address. Option D, 03:AE:16:3H:5B:11, is not a valid hexadecimal address, which should contain only numerals and the letters A to F. Option E, fe80::89a5:9e4d:a9d0:9ed7, is too long for a MAC address; this is a valid IPv6 address.
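The reasoning in answer 106 (six colon-separated hexadecimal bytes, all-ones reserved for broadcast, dotted decimal meaning IPv4, a long colon-separated form meaning IPv6) can be written as a classifier. The script below is an added illustration, not the book's code; its sample input is the five options from the question. The `mac_flags` helper goes slightly beyond the answer by reading the I/G (multicast) and U/L (locally administered) bits of the first octet as IEEE 802 defines them.

```python
"""Classify address strings as MAC, broadcast MAC, IPv4, IPv6 or invalid.
Added illustration, not the book's code; OPTIONS holds the question's own
five values as constructed sample input."""
import ipaddress
import re

# Six hexadecimal octets separated by colons.
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_flags(mac: str) -> dict:
    """Return the IEEE 802 bit flags encoded in the first octet of a MAC."""
    first = int(mac.split(":")[0], 16)
    return {
        "broadcast": mac.lower() == BROADCAST_MAC,
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = not vendor-assigned
    }


def classify(value: str) -> str:
    """Return 'mac', 'mac-broadcast', 'ipv4', 'ipv6' or 'invalid'."""
    if _MAC_RE.match(value):
        return "mac-broadcast" if value.lower() == BROADCAST_MAC else "mac"
    try:
        addr = ipaddress.ip_address(value)   # rejects non-hex digits such as 'H'
    except ValueError:
        return "invalid"
    return "ipv4" if addr.version == 4 else "ipv6"


# The five options from the question, as constructed sample input.
OPTIONS = {
    "A": "10.124.25.43",
    "B": "FF:FF:FF:FF:FF:FF",
    "C": "00:1A:6B:31:9A:4E",
    "D": "03:AE:16:3H:5B:11",
    "E": "fe80::89a5:9e4d:a9d0:9ed7",
}


def classify_options(options=OPTIONS) -> dict:
    """Classify every option; the one answering 'mac' is the correct choice."""
    return {letter: classify(value) for letter, value in options.items()}


if __name__ == "__main__":
    for letter, kind in classify_options().items():
        print(letter, OPTIONS[letter], "->", kind)
```

The MAC pattern is tested before the IP parser on purpose: `ipaddress` would reject a six-group string anyway, but checking the stricter format first keeps the broadcast special case in one place.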
  107. B. The Spanning Tree Protocol (STP) prevents packets from endlessly looping from switch to switch due to redundant links. Creating redundant links is a good preventive against switch failure, but packets transmitted over multiple links can circulate from switch to switch infinitely. STP creates a database of switching links and shuts down the redundant ones until they are needed. Routing Information Protocol (RIP) propagates routing table information. A Virtual Local Area Network (VLAN) is an organizational tool that operates within switches by creating multiple broadcast domains. Network Address Translation (NAT) is a routing method that enables private networks to share registered IP addresses. Address Resolution Protocol (ARP) is a protocol that discovers a system's MAC address by broadcasting its IPv4 address.
  108. A, B. When connecting an MDI port to an Auto-MDI-X port, it is possible to use either a straight-through or a crossover cable because the Auto-MDI-X port can self-adjust to implement the necessary crossover circuit if it is needed. MDI and Auto-MDI-X ports are used only with twisted pair cables, so there is no need for coaxial or fiber optic cables.
  109. B. The Neighbor Discovery Protocol (NDP) is a network layer protocol that defines five new Internet Control Message Protocol version 6 (ICMPv6) packet types, which enable IPv6 systems to locate resources on the network, such as routers and DNS servers, as well as autoconfigure and detect duplicate IPv6 addresses. Border Gateway Protocol (BGP) is an exterior gateway protocol that is designed to exchange routing information among autonomous systems. Open Shortest Path First (OSPF) is a link state routing protocol that enables routers to exchange routing table information. Power over Ethernet (PoE) is a general term for standards defining mechanisms for power delivery over Ethernet cables, along with data signals.
  110. B. IEEE 802.1Q is a standard defining a mechanism (called Ethernet trunking by some manufacturers) that identifies the Virtual Local Area Network (VLAN) to which a packet belongs by inserting an extra 32-bit field into its Ethernet frame. IEEE 802.1P is a standard that defines a mechanism for implementing Quality of Service (QoS) at the data link layer by adding a 3-bit field into Ethernet frames. IEEE 802.1X is a standard defining an authentication mechanism called Port-based Network Access Control (PNAC). IEEE 802.1AB is a standard defining the Link Layer Discovery Protocol (LLDP). IEEE 802.1AX is a specification for the Link Aggregation Control Protocol (LACP), which is a mechanism for combining physical ports into a single logical channel.
  111. C. Stations on a CSMA/CD network first check the medium to see if it is idle. If they detect an idle medium, they begin transmitting. If two or more devices transmit at the same time, a collision occurs. Immediately after a collision occurs, the two stations involved stop transmitting. After that, they send out a jam signal. Then, the two stations back off for a random interval, and the transmission process begins again.
  112. A. For CSMA/CD to function properly, a system must detect a packet collision while it is still transmitting the packet. If cable segments are too long, the packet might leave the transmitting system before the collision is detected, resulting in a late collision, which cannot be retransmitted. Incorrect pinouts, too many systems, and excessive collisions typically will not prevent collision detection from functioning.
  113. B. After transmitting their jam signals, the two systems wait for a randomized interval. This is to prevent them from retransmitting their packets at the same time, resulting in another collision. It is not necessary for the systems to reassemble, rebuffer, or recalculate checksums for their packets.
  114. C. Replacing routers with switches turns an internetwork into a single large subnet, and Virtual Local Area Networks (VLANs) exist as logical elements on top of the switching fabric. Although VLANs are the functional equivalent of network layer subnets, the systems in a single VLAN are still physically connected by switches, not routers. Bridges connect network segments at the data link layer and selectively forward traffic between the segments. However, bridges do not provide a dedicated connection between two systems like a switch does, and they do not make it possible to convert a large, routed internetwork into a single switched network. Therefore, they have no role in implementing VLANs. Hubs are physical layer devices that propagate all incoming traffic out through all of their ports. Replacing the routers on an internetwork with hubs would create a single shared broadcast domain with huge amounts of traffic and many collisions. Hubs, therefore, do not connect the computers in a VLAN.
  115. A. Collisions are a normal occurrence on an Ethernet network; they occur when two nodes transmit at exactly the same time. There need not be a network fault for collisions to occur. When collisions occur, the nodes involved retransmit their packets so that no data is lost. Collisions are a phenomenon of data link layer protocols; they have nothing to do with IP addresses, which are network layer constructs.
  116. D. Collisions are a normal occurrence on an Ethernet network, but late collisions are not normal. Late collisions occur when two packets collide after one or more finishes transmitting. Packet retransmissions, collision detection, and jam signals are all normal occurrences on an Ethernet network.
  117. B. Connecting subnets with routers at the network layer maintains the data link layer administrative boundaries that prevent broadcast transmissions from being propagated throughout the entire internetwork. Switching eliminates those data link layer boundaries, and administrators can use Virtual Local Area Networks (VLANs) to simulate them. Because hubs propagate all of the traffic they receive out through all of their ports indiscriminately, they create no administrative boundaries. Domains are logical groups of network devices defined by the Domain Name System (DNS). Their functions are not related to VLANs in any way. Switches are essentially multiport bridges that forward incoming traffic only to the device for which it is destined. Therefore, bridges are more closely related to eliminating administrative boundaries than to establishing them.
  118. B, D. The computers in a single Virtual Local Area Network (VLAN) can be located anywhere on a switched network, irrespective of the switches' physical configuration. A broadcast message generated by a computer in a VLAN is transmitted to all of the other computers in that VLAN only, just as if the systems were physically located on a separate LAN or subnet. Unicast transmissions between computers on a switched network do not require VLANs, because the switches create what amounts to a direct connection between the two systems. VLANs are needed only for communication processes that require the use of broadcasts, which if transmitted without VLANs, would flood the network. Even though they are a purely logical construction, VLANs function just like physical subnets and require routers for communication between them. Routing capabilities are often integrated into switches to enable communication between VLANs.
  119. A, D. Every network device has a unique hardware address coded into its network interface adapter, and administrators can use these addresses to select the devices that will be part of a specific Virtual Local Area Network (VLAN). When VLANs are implemented inside the switch, selecting the ports to which specific computers are attached is a simple way to identify the computers in a particular VLAN. IP addresses are layer 3 (network layer) constructs, so they do not apply to layer 2 (data link layer) devices like switches. Although DNS names do uniquely identify computers on a network, DNS is an application layer process and has nothing to do with the switching and routing processes, which occur at the data link and network layers. Therefore, you cannot use DNS names to identify the computers in a VLAN.
  120. C. VLANs are data link layer Local Area Networks (LANs) defined within switches. Only devices (and users) connected to ports belonging to the same VLAN can communicate with each other until a layer 3 device, such as a router or a layer 3 switch, is added to the network. Re-creating and reconfiguring the VLANs will not correct this problem. Traffic filters are usually implemented on routers. VLANs do not have to use the same data link protocol.
  121. D. Ethernet uses jumbo frames at the data link layer to transfer large amounts of data more efficiently. Ethernet typically restricts frame size to 1500 bytes, but jumbo frames enable Ethernet systems to create frames up to 9000 bytes. Frames are protocol data units associated only with the data link layer, so they do not apply to the network, transport, or application layer.
  122. C, D. Home and small office networks typically consist of a single subnet and require only a basic switch without the advanced Virtual Local Area Network (VLAN) capabilities that enable administrators to create separate subnets. Most home and small office networks have a Dynamic Host Configuration Protocol (DHCP) server that assigns IP addresses and other TCP/IP configuration settings to clients. The DHCP server can be integrated into a broadband router or another Internet access sharing solution. Most home and small office networks support Network Address Translation (NAT), enabling them to use private IP addresses and still access the Internet. 10GBase-T is the designation for UTP-based 10 Gigabit Ethernet, which is an advanced standard for network interface adapters often found in servers.
  123. A, B. To join ports on different switches into one VLAN, you designate a trunk port on each switch for the traffic between switches. Initially, the native VLAN uses the default VLAN1 for trunk traffic, and that traffic is left untagged. Untagged traffic is susceptible to attacks using double-tagged packets. When you configure the native VLAN to use tagging, this makes it impervious to double-tagging. Changing the native VLAN does not create root guards or Bridge Protocol Data Unit (BPDU) guards, and all traffic continues to be switched, not routed.
  124. C. The IEEE 802.1Q protocol is responsible for VLAN tagging, a procedure that enables network switches to support VLANs. Through the insertion of VLAN identifier tags into frames, switches can determine which VLAN each packet is destined for and forward it to the correct ports. IEEE 802.3x is one of the standards for wired Ethernet networks. IEEE 802.1X is a standard that defines a Port-based Network Access Control (PNAC) mechanism used for authentication on wireless and other networks. IEEE 802.11ac is a standard defining the physical and data link layer protocols for wireless networks.
  125. B. When in-band switch management traffic, such as that generated by a Secure Shell (SSH) connection to a switch, uses the native VLAN, it is untagged by default. This is because the native VLAN is at first the default VLAN1, which is not tagged by the 802.1Q protocol, leaving it open to certain types of double-tagging attacks. When you tag the native VLAN traffic, it is rendered immune to double-tagging. The default VLAN cannot be renamed, and SSH traffic is already encrypted by the sending workstation. Changing the native VLAN does not move the management traffic off that VLAN, although many authorities advocate the creation of a separate VLAN dedicated to in-band management traffic.
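Answers 110, 124 and 125 all turn on the same 32-bit field: the 802.1Q tag inserted after the source address, carrying the 3-bit 802.1p priority and the 12-bit VLAN ID, and the fact that an untagged frame on a trunk is simply assigned the native VLAN. The script below is an added illustration, not the book's code; it builds tagged frames from constructed MAC addresses, VLAN IDs and payload bytes, parses the tag stack back, and reports how many tags a frame carries so that a frame arriving with two tags, which is what the double-tagging attacks in answers 123 and 125 rely on, can be logged or dropped at ingress rather than forwarded.

```python
"""Build and parse Ethernet frames carrying IEEE 802.1Q tags. Added
illustration, not the book's code; the MAC addresses, VLAN IDs and
payload bytes used with it are constructed sample values."""
import struct

TPID_8021Q = 0x8100    # customer tag TPID (802.1Q)
TPID_8021AD = 0x88A8   # service tag TPID used by 802.1ad provider bridging (QinQ)
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, payload, tags=(), ethertype=ETHERTYPE_IPV4):
    """tags is a sequence of (pcp, dei, vid) tuples, outermost first.
    Each tag is the 32-bit field the answers describe: a 16-bit TPID followed
    by a 16-bit TCI made of 3-bit PCP (802.1p priority), 1-bit DEI and 12-bit VID."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for pcp, dei, vid in tags:
        if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
            raise ValueError("tag field out of range")
        tci = (pcp << 13) | (dei << 12) | vid
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the source MAC until a non-tag EtherType."""
    offset = 12
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, native_vid: int) -> dict:
    """What a switch port sees on ingress: an untagged frame is assigned the
    native VLAN, a single tag is honoured, and more than one tag is reported
    so the frame can be dropped or logged instead of forwarded."""
    tags = parse_frame(frame)["tags"]
    return {"vid": tags[0]["vid"] if tags else native_vid,
            "tag_count": len(tags),
            "double_tagged": len(tags) > 1}


if __name__ == "__main__":
    f = build_frame("00:1a:6b:31:9a:4e", "00:1a:6b:00:00:01", b"\x45\x00", tags=[(5, 0, 100)])
    print(parse_frame(f))
    print(ingress_vlan(f, native_vid=1))
```

Tagging the native VLAN, as answers 123 and 125 recommend, corresponds here to never letting `tags` be empty on a trunk: every frame then carries an explicit VID, and a frame with `tag_count` above 1 is visible as an anomaly rather than being silently stripped down to its inner tag.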
  126. D. Ethernet implementations, such as 100Base-TX, which use separate wire pairs for transmitting and receiving data, require a crossover circuit to ensure that the transmit pins on each end of a connection are wired to the receive pins at the other end. This crossover circuit can be implemented in a patch cable—called a crossover cable—or by a switch port. Switches with auto-medium-dependent interface crossover (MDI-X) ports can detect the need for a crossover circuit and implement it automatically in the port. This eliminates the need for crossover cables. Auto-medium-dependent interface crossover (MDI-X) ports do not eliminate the need for 8P8C connectors, connections between switches, or straight-through cables.
  127. B. When connecting an MDI port to an MDI-X port, the necessary crossover circuit is implemented in the MDI-X port. Therefore, the connection needs a straight-through cable, and there is no need for a crossover cable. MDI and MDI-X ports are used only with twisted pair cables, so there is no need for coaxial or fiber optic cables.
  128. C. When implemented in an Ethernet switch, port security uses port-by-port MAC address filtering to allow only one MAC address to access each switch port. Blacklisting blocks the MAC addresses on the list from using all of the ports on the switch. Whitelisting allows the listed MAC addresses to use any port on the switch. MAC address spoofing is a method for defeating port security, blacklists, or whitelists.
  129. D. When transmitting voice traffic on a network along with data traffic, the voice traffic should have priority, to ensure the quality of the stream. Separating data and voice traffic on separate VLANs enables switches to assign voice traffic a higher priority by applying appropriate tags to the voice packets. Separate VLANs are not needed to prevent packet conflicts or to encrypt either voice or data packets.
  130. C. The Transmission Control Protocol (TCP) protocol uses a flow control technique in which the receiving system creates a window of a specific size and allows the transmitting system to send packets until that window is full. When the window is full, the sender stops transmitting. The receiver then sends back an acknowledgment packet that specifies the next packet it expects to receive from the sender. The User Datagram Protocol (UDP), Hypertext Transfer Protocol (HTTP), and Domain Name System (DNS) do not use the sliding window technique or any other form of flow control.
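Answer 130 describes the sliding window in words: send until the window is full, stop, and wait for an acknowledgment naming the next segment the receiver expects. The simulation below is an added illustration, not the book's code; segment numbers are abstract, and the `lose_once` parameter is a constructed way to drop a segment on its first transmission so that the retransmission path (resend from the oldest unacknowledged segment) is visible alongside the normal case.

```python
"""Sliding-window flow control with cumulative acknowledgments. Added
illustration, not the book's code; segment numbers are abstract and
lose_once is a constructed hook that drops a segment on its first send."""


def simulate_sliding_window(total_segments: int, window: int, lose_once=()):
    """Return (sent, acks): every segment number transmitted, in order, and
    the cumulative ACK value the receiver returns after each burst."""
    lost = set(lose_once)
    received = set()
    base = 0        # oldest unacknowledged segment
    next_seq = 0    # next segment to send
    sent, acks = [], []
    while base < total_segments:
        # Sender transmits until the window is full or nothing is left.
        while next_seq < base + window and next_seq < total_segments:
            sent.append(next_seq)
            if next_seq in lost:
                lost.discard(next_seq)       # dropped on this transmission only
            else:
                received.add(next_seq)
            next_seq += 1
        # Receiver answers with the lowest segment it has not yet received.
        expected = base
        while expected in received:
            expected += 1
        acks.append(expected)
        if expected == base:
            # Nothing new was acknowledged: go back and resend from base.
            next_seq = base
        else:
            base = expected                 # window slides forward
    return sent, acks


if __name__ == "__main__":
    print("no loss:", simulate_sliding_window(8, 4))
    print("segment 2 lost once:", simulate_sliding_window(8, 4, lose_once={2}))
```

The invariant to watch is `next_seq - base <= window`: the sender never has more than one window of unacknowledged data outstanding, and a lost segment stalls the acknowledgment at the hole (the ACK stays at 2 in the loss run) until the sender fills it.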
  131. B. The Alternative B PoE variant can use the spare wire pair in a CAT 5 or better 10Base-T or 100Base-TX cable to supply power to connected devices. The Alternative A and 4PPoE variants cannot use the spare wire pair in this manner; they supply power using the wire pairs that carry data at the same time. For Gigabit Ethernet or faster installations, Alternative B is also capable of using the data wire pairs.
  132. C. Whitelisting is the process of using MAC filtering to specify the hardware addresses of devices that are permitted to access a wireless network. Blacklisting, by contrast, is making a list of addresses that are denied access to the network.
  133. A, B. Bridge Protocol Data Units (BPDUs) are messages that switches running the STP exchange to learn about the available paths through a switched network and the states of other switches. Switches should only receive BPDUs through ports that are connected to other switches. BPDU guard is a feature that prevents BPDU messages from arriving through ports connected to end systems, such as computers, thus preventing an attacker from manipulating the STP topology. A root guard affects the behavior of the STP by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric.
  134. A. The IEEE 802.11ac standard, like all of the wireless LAN standards in the 802.11 working group, uses CSMA/CA for MAC. The 802.1X standard defines an authentication mechanism and does not require a MAC mechanism. The IEEE 802.3 (Ethernet) standard uses Carrier-Sense Multiple Access with Collision Detection (CSMA/CD).
  135. C. An infrastructure topology uses a Wireless Access Point (WAP) to connect wireless devices to a wired network. An ad hoc topology connects wireless devices to each other, without connecting to a wired network. The star and bus topologies do not support wireless devices.
  136. D. An ad hoc topology describes wireless computers that communicate directly with each other, without the need for any hardware other than their wireless network adapters. The ad hoc topology therefore does not require a router, an Internet connection, an Access Point (AP), or a special antenna.
  137. A, E. IEEE 802.11b, 802.11g, 802.11n, and 802.11ax networks can use the 2.4 GHz frequency band for their transmissions, which can experience interference from a wireless telephone using the same frequency. IEEE 802.11a and IEEE 802.11ac, however, use the 5 GHz band, which will not experience interference from a 2.4 GHz phone.
  138. B. IEEE 802.11g supports transmission speeds up to 54 Mbps, and it is backward compatible with 802.11b equipment. IEEE 802.11 cannot run at 54 Mbps, and while 802.11a can, it is not compatible with 802.11b. IEEE 802.11n cannot run at 54 Mbps, though it can run at faster speeds. Bluetooth is not compatible with any of the IEEE 802.11 standards.
  139. C, D, E. The IEEE 802.11n, 802.11ac, and 802.11ax standards include MIMO, which enables them to effectively multiplex signals using multiple antennae. This capability was first introduced in the 802.11n standard, so the 802.11a and 802.11b/g standards do not support it.
  140. C. Time Division Multiple Access (TDMA) is a communication technique that splits a frequency into multiple time slots, enabling it to carry multiple data streams. Commonly used in 2G cellular systems, the major U.S. carriers no longer use it in their 3G systems. Code Division Multiple Access (CDMA), Global System for Mobile Communications (GSM), and Long-Term Evolution (LTE) are alternative communications techniques that are currently used by the major U.S. cellular carriers.
  141. B. The IEEE 802.11b standard calls for DSSS signal modulation. All of the other standards listed call for Orthogonal Frequency-Division Multiplexing (OFDM) encoding.
  142. D. By placing a unidirectional antenna against an outside wall, you can limit network access to users inside the structure. Unidirectional antennae provide greater signal strength than omnidirectional antennae, enabling their signals to penetrate more interior walls. It is possible to focus a unidirectional antenna to a wider or narrower signal pattern.
  143. B. The IEEE 802.11n and 802.11ac standards support a transmission technique called Multiple Input, Multiple Output (MIMO), which combines the bandwidth of multiple data streams to achieve greater throughput. IEEE 802.11n and 802.11ac do use the 5 GHz band, but this in itself does not yield greater transmission speeds. The specified standards do not call for the use of DSSS modulation, nor do they sacrifice range for speed. In fact, 802.11n and 802.11ac networks can achieve greater ranges than the previous technologies.
  144. A, C, D. The 5 GHz frequency has 23 channels available in the United States, while the 2.4 GHz frequency has only 11. Many household devices, such as cordless telephones, use the 2.4 GHz frequency band, but relatively few devices use the 5 GHz band. Higher frequencies typically support faster transmission speeds, because with all other conditions equal, they can carry more data in the same amount of time. The 5 GHz frequency typically has a shorter range than 2.4 GHz, because it is less able to penetrate barriers.
  145. A, C. Upgrading the devices to 802.11n will enable them to use the 5 GHz band and evade the traffic generated by the surrounding networks. Configuring the devices to use the 5 GHz band will provide many more channels to choose from and will avoid the interference from the surrounding 2.4 GHz networks. The type of encryption that a wireless network uses has no bearing on the ability of the devices to avoid the interference generated by surrounding networks. Suppressing SSID broadcasts will not help the devices to connect to the network. Upgrading the firmware on the devices is not likely to have any effect on the connection problems when they are the result of interference from other networks.
  146. C. The 802.11ac standard defines a wireless LAN running at a speed of up to 1.3 gigabits per second (Gbps). None of the other ratified 802.11 standards call for speeds beyond 600 megabits per second (Mbps). No currently ratified standard enables speeds of 2.6 Gbps.
  147. D. The Multiple Input, Multiple Output (MIMO) technology introduced in the IEEE 802.11n standard enables wireless devices to transmit and receive signals using multiple antennae simultaneously. The Multiuser MIMO (MU-MIMO) variant defined in the 802.11ac standard advances this technique by enabling wireless devices to transmit multiple frames to different users simultaneously, using multiple antennae. Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) is a Media Access Control (MAC) mechanism used by all 802.11 networks. Channel bonding is a wireless networking technique that combines channels to increase bandwidth.
  148. A. Wireless LAN regulations call for 22 MHz channels in the 2.4 GHz band that are spaced 5 MHz apart, which means that they overlap. Channels 1, 6, and 11 are the only three channels that are distant enough from each other not to overlap. Therefore, they do not interfere with each other. Channels 1, 6, and 11 do not differ from the other channels in their bandwidth or their transmission range. Each wireless device can be set to use only one channel. Therefore, channels 1, 6, and 11 cannot all be the default setting.
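Answer 148 gives the numbers (22 MHz channels, 5 MHz spacing, 11 US channels) from which the non-overlapping set 1, 6, 11 follows. The script below is an added illustration, not the book's code; it computes overlap from those figures and the well-known centre frequency of channel 1 (2412 MHz, so channel n is centred on 2407 + 5n MHz for channels 1 to 13). It generalizes the answer slightly by reporting, for any channel, which others it overlaps.

```python
"""Which 2.4 GHz channels overlap, computed from channel width and spacing.
Added illustration, not the book's code. Channel 14 is a special case not
modelled here."""
CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5
US_CHANNELS = range(1, 12)   # channels 1..11 (the answer's US allocation)


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel; channel 1 is at 2412 MHz."""
    if not 1 <= channel <= 13:
        raise ValueError("channel outside 1..13")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def overlaps(a: int, b: int) -> bool:
    """Two distinct channels overlap when their centres are closer than one
    channel width, so their 22 MHz bands share spectrum."""
    return a != b and abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_channels(channel: int, channels=US_CHANNELS) -> list:
    """Every channel in the allocation that interferes with the given one."""
    return [c for c in channels if overlaps(channel, c)]


def non_overlapping_set(channels=US_CHANNELS) -> list:
    """Greedy pick from the lowest channel upward, keeping a channel whenever
    it does not overlap any channel already chosen."""
    chosen = []
    for c in channels:
        if not any(overlaps(c, k) for k in chosen):
            chosen.append(c)
    return chosen


if __name__ == "__main__":
    print("non-overlapping:", non_overlapping_set())
    for ch in (1, 6, 11):
        print(ch, center_mhz(ch), "MHz overlaps", overlapping_channels(ch))
```

Because 22 / 5 rounds up to 5, any two usable channels must be at least five numbers apart, which is exactly why the only three-channel plan within 1 to 11 is 1, 6, 11.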
  149. C. Wireless networks using equipment based on the IEEE 802.11n standard can span indoor distances of up to 175 feet at speeds up to 600 Mbps. An 802.11ac network can run at faster speeds—up to 1.3 Gbps—but it is limited to approximately 115-foot distances. Networks using 802.11g equipment can span 150 feet, but they run at only a maximum of 54 Mbps. An 802.11a network cannot span more than 75 feet, and it runs at no more than 54 Mbps.
  150. A. Multiple Input, Multiple Output (MIMO) calls for the use of two or more antennae, enabling wireless devices to effectively multiplex signals, thereby increasing their transmission speeds. Time Division Multiple Access (TDMA) is a communication technique that splits a frequency into multiple time slots, enabling it to carry multiple data streams. A Personal Area Network (PAN) provides communication among devices associated with a single person, such as smartphones. Ant+ is a wireless protocol that is typically used to monitor data gathered by sensors, such as those in cardiac pacemakers.
  151. D. Using a technique called channel bonding, the 802.11ac standard defines the combination of up to eight 20 MHz channels, for a total possible channel width of 160 MHz. The 802.11n standard can bond up to two channels, for a 40 MHz width. Earlier standards are limited to a single 20 MHz channel.
  152. A, E. The IEEE 802.11a and IEEE 802.11ac standards can use the 5 GHz band only. IEEE 802.11b and IEEE 802.11g can use the 2.4 GHz band only. IEEE 802.11n can use either the 2.4 or 5 GHz band.
  153. B. The IEEE 802.11ac standard provides the greatest possible throughput, at up to 1.3 Gbps. The 802.11n standard runs at speeds up to 600 Mbps. The 802.11a and 802.11g standards run at up to 54 Mbps. The 802.11b standard runs at up to 11 Mbps.
  154. D. Only the 802.11n standard defines wireless LAN devices that can support both 2.4 GHz and 5 GHz frequencies. The 802.11a and 802.11ac standards use only 5 GHz, and the 802.11b and 802.11g standards use only 2.4 GHz.
  155. C. The 802.11ac standard supports Multiple Input, Multiple Output (MIMO) through the use of up to eight antennae on a single device. 802.11n is the only earlier 802.11 standard that supports MIMO, but it can only use a maximum of four antennae.
  156. C. The Service Set Identifier (SSID) is the name that you use when connecting to a wireless network. A Basic Service Set (BSS) refers to the wireless network itself, consisting of a single AP and a number of clients. An Extended Service Set (ESS) consists of two or more BSSs, using multiple APs. The Basic Service Set Identifier (BSSID) is the MAC address of the Access Point associated with a BSS.
  157. A, B. Devices conforming to the IEEE 802.11a and 802.11g standards can only use a single 20 MHz channel. IEEE 802.11n devices can use channel bonding to join two channels together and achieve an aggregate channel width of 40 MHz. IEEE 802.11ac devices can bond up to eight channels, for an aggregate width of 160 MHz.
  158. A. Wireless range extenders are physical layer devices that receive signals from Wireless Access Points (WAPs) and network adapters and retransmit them, enabling devices to connect that are farther apart than the network would normally support. Because the extenders do not process the packets in any way, but just retransmit the signals, they do not operate at any layer above the physical.
  159. C. WPA2 is the most secure of the wireless protocols, providing the greatest degree of network device hardening. WiFi Protected Access (WPA) was created to replace the insecure Wired Equivalent Privacy (WEP) protocol, and WPA2 was created to replace the Temporal Key Integrity Protocol (TKIP) used in the first version of WPA with Advanced Encryption Standard (AES). Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
  160. B. WPA was created to replace the insecure Wired Equivalent Privacy (WEP) protocol and used Temporal Key Integrity Protocol (TKIP) with the RC4 cipher for encryption. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) is an encryption protocol that is used with the WiFi Protected Access II (WPA2) security protocol. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods, including Transport Layer Security (TLS). It is not the encryption protocol used with WPA. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches.
  161. B. WiFi Protected Access (WPA) was created to replace the insecure Wired Equivalent Privacy (WEP) protocol and used the Temporal Key Integrity Protocol (TKIP) with the RC4 cipher. WPA was replaced by WPA2, which uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) for encryption. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
  162. A. WiFi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with the stronger CCMP-Advanced Encryption Standard (CCMP-AES). Extensible Authentication Protocol and 802.1X do not provide encryption.
  163. D. TKIP augments the existing WEP encryption key, making it longer, enabling it to be changed for every packet, and enabling WPA to be deployed without replacing network adapter or Access Point (AP) hardware. TKIP does continue to support the use of PSKs.
  164. B. To use the WPA2 protocol with a PSK, the client and the Access Point (AP) must both be configured with the same passphrase. The base key, the serial number, and the MAC address are all components that WPA2 uses to generate the encryption key for each packet.
  165. C. A replay attack is one in which an attacker utilizes the encryption key found in a previously captured packet to gain access to the network. Because TKIP generates a unique encryption key for every packet, it prevents this type of attack from being successful.
  166. C. WiFi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with CCMP-Advanced Encryption Standard (CCMP-AES).
  167. A. Wired Equivalent Privacy (WEP) was the first wireless LAN security protocol to achieve widespread use in commercial products. This protocol was soon found to be vulnerable to attack, and it was replaced by WiFi Protected Access (WPA), which added a stronger encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with a different type of encryption, called CCMP-Advanced Encryption Standard (CCMP-AES).
  168. A. WPA2 adds Counter Mode Cipher Block Chaining Message Authentication Code Protocol - Advanced Encryption Standard (CCMP-AES), a new symmetric key encryption algorithm that strengthens the protocol's security. Multiple-input and multiple-output (MIMO) is a multiplexing technology added to the IEEE 802.11n standard, not to WPA2. Wired Equivalent Privacy (WEP) is the predecessor to WPA; it is not part of WPA2. Temporal Key Integrity Protocol (TKIP) is the encryption algorithm used in the first version of WPA; it was not added in the second version.
  169. B. WiFi Protected Access 2 (WPA2) will provide the maximum security for the wireless network, in part because it uses long encryption keys that change frequently. Wired Equivalent Privacy (WEP) has a number of vulnerabilities, including short, unchanging encryption keys, that make it less secure than WPA. IPsec is a network layer security standard that does not provide the security needed for IEEE 802.11 wireless networks. Transport Layer Security (TLS) is a protocol that encrypts data exchanged by web servers and clients at the application layer. It does not provide adequate security for wireless LANs. Layer 2 Tunneling Protocol (L2TP) is a virtual private networking protocol; it does not provide adequate security for wireless networks.
  170. C. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) is an encryption protocol that is used with the WiFi Protected Access II security protocol. WPA was created to replace the insecure Wired Equivalent Privacy (WEP) protocol, and WPA2 was created to replace the Temporal Key Integrity Protocol (TKIP) used in the first version of WPA. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
  171. A. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) is an encryption protocol that is used with the WiFi Protected Access II (WPA2) security protocol. WPA was created to replace the insecure Wired Equivalent Privacy (WEP) protocol, and WPA2 was created to replace the Temporal Key Integrity Protocol (TKIP) used in the first version of WPA. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods, including Transport Layer Security (TLS). It is not the encryption protocol used with WPA2. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches.
  172. C. Wired Equivalent Protocol (WEP) and WiFi Protected Access II (WPA2) are both wireless security protocols that control access to the network and provide encryption, using protocols like Advanced Encryption Standard (AES). These protocols do not provide authentication services, however. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. Its many variants provide support for the use of smartcards and other authentication factors, such as biometrics, in addition to traditional passwords.
  173. C, D. WPA-Enterprise, also known as WPA-802.1X, can use the Extensible Authentication Protocol (EAP) to support various types of authentication factors and requires a Remote Authentication Dial-In User Service (RADIUS) server. WPA-Personal, also known as WPA-PSK (Pre-Shared Key), is intended for small networks and does not require RADIUS.
  174. A. WPA-Personal, also known as WPA-PSK, is intended for small networks and requires a PSK. WPA-Enterprise, also known as WPA-802.1X, uses the Extensible Authentication Protocol (EAP) to support various types of authentication factors and requires a Remote Authentication Dial-In User Service (RADIUS) server.
  175. A. TKIP uses the RC4 stream cipher for its encryption. Advanced Encryption Standard (AES) is used with CCMP on version 2 of the WiFi Protected Access (WPA2) security protocol, not version 1 (WPA), which uses TKIP. Secure Hash Algorithm (SHA) is a file hashing algorithm, not used for wireless network encryption.
  176. C. CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol), is based on the Advanced Encryption Standard (AES) and is the encryption protocol used with the WiFi Protected Access II (WPA2) security protocol on wireless networks. CCMP is not used with version 1 of the WPA protocol or with Wired Equivalent Privacy. 802.1X is an authentication protocol, not used for encryption.
  177. C. CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is based on the Advanced Encryption Standard (AES) and is the encryption protocol used with the WiFi Protected Access II (WPA2) security protocol on wireless networks. CCMP is not based on the Temporal Key Integrity Protocol (TKIP), which uses RC4 as its stream cipher. 802.1X is an authentication protocol, not used for encryption.
  178. D. An SSID that is not broadcast is not detectable by clients, so you must type it in manually. Security protocols are also not detectable, so you must configure the clients to use the same protocol you selected on the access point.
  179. A. Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs, but it was soon found to be easily penetrated and was replaced by WiFi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
  180. B. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption. It does not use Advanced Encryption Standard (AES), which eventually replaced TKIP in WPA2. Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are both file hashing algorithms, not used for wireless network encryption.
  181. B. Wired Equivalent Privacy (WEP), which was one of the first commercially successful security protocols for wireless LANs, enabled administrators to choose between open and shared key authentication. The open option enabled clients to connect to the network with an incorrect key. The shared option required the correct key, but it also exposed the key to potential intruders. The correct option is to not use WEP at all, as it was easily penetrated and subsequently replaced by WiFi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. None of the other three provides a choice between open and shared key options.
  182. B. WiFi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with an Advanced Encryption Standard protocol (CCMP-AES).
  183. D. Open System Authentication enables any user to connect to the wireless network without a password, which actually increases the security of the protocol. This is because most WEP implementations use the same secret key for both authentication and encryption. An intruder who captures the key during the authentication process might therefore penetrate the data encryption system as well. By not using the key for authentication, you reduce the chances of the encryption being compromised. The use of short, 40-bit encryption keys was mandated at the time by U.S. export restrictions. Later protocols used keys at least 128 bits long. The initialization vector (IV) is a randomized value appended to the shared secret to ensure that the cipher never encrypts two packets with the same key. The relatively short IV that WEP uses results in a reasonable probability of key duplication if an attacker captures a sufficient number of packets. Shared secrets that do not change provide attackers with more time to crack them. The lack of a mechanism to automatically change WEP shared secrets weakened the protocol considerably.
  184. C. WPA2 was introduced when the earlier version of WiFi Protected Access (WPA) was determined to be increasingly vulnerable to attack. WPA used an encryption protocol called Temporal Key Integrity Protocol (TKIP). WPA2 replaced TKIP with an Advanced Encryption Standard (CCMP-AES) protocol.
  185. B. Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs. WEP requires 24 bits of the encryption key for the initialization vector, substantially weakening the encryption. WEP was soon found to be easily penetrated and was replaced by WiFi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.
  186. B, C, D. Roaming from one AP to another without interruption requires that the APs all use the same SSID, the same security protocol, and the same passphrase. The APs will not function properly if they have the same IP address.
  187. D. The 5G cellular network specification calls for maximum theoretical download speeds of 10 gigabits per second, although the actual speed realized will be less.
  188. A, B. 5G networks can operate on three frequency bands—low, medium, and high—with the high frequencies having the fastest speeds and reduced range. 4G devices cannot function on 5G networks.
  189. C. IEEE 802.1X is a standard that defines a port-based Network Access Control (PNAC) mechanism used for authentication on wireless and other networks. IEEE 802.11ac and 802.11n are standards defining the physical and data link layer protocols for wireless networks. IEEE 802.3x is one of the standards for wired Ethernet networks.
  190. A, D. Disabling SSID broadcasting prevents a wireless network from appearing to clients. The clients must specify the SSID to which they want to connect. MAC address filtering is a form of Access Control List (ACL) that is maintained in the AP and contains the addresses of devices that are to be permitted to access the network. Both of these mechanisms make it more difficult for unauthorized devices to connect to the Access Point (AP). Kerberos is an authentication protocol used by Active Directory, and relocating the AP to a DMZ will not resolve the problem.
  191. D. WAPs use the layer 2 MAC addresses coded into devices in their ACLs. Usernames, IP addresses, and device names can easily be impersonated.
  192. A, B. There are two methods for identifying packets carrying voice traffic: by recognizing the MAC address of the sending system as a voice device, and by recognizing packets that have already been tagged as voice VLAN traffic. It is not possible to identify voice traffic using IP addresses or DNS names.

Chapter 3: Network Operations

  1. A, E. An SNMP-based network management system consists of three components: a management console software product installed on a network computer, agents installed on the devices you want to manage, and MIBs for each of the agents. Because the switches support SNMP management and already have agents, they have MIBs also. Therefore, all you have to do is purchase the network management software and install the console on a network computer.
  2. A, C. SNMP version 1, the original version, used an unencrypted community string. SNMPv2 added better security, but it was not backward compatible with the version 1 community string. A revised version, SNMPv2c, added backward compatibility. SNMPv3, the one most often seen today, includes more advanced security and does not use a community string.
  3. B, C. SNMP is not the name of a network management product; it is just the name of the protocol that provides a framework for the interaction of the various components in a network management product. SNMPv1 uses a community string, but SNMPv2 does not. The interim version SNMPv2c retains the community string from version 1 in place of the new version 2 security system. When you see a network interface adapter, switch, router, access point, or other device that purports to be managed or that claims to have network management capabilities, this usually means that the device includes an SNMP agent. Most of today's network management products do support SNMPv3. In addition, many network management products that implement SNMPv3 also include support for the earlier, unprotected versions, such as SNMPv1 and SNMPv2c.
  4. C. The utility shown in the figure is the Windows Event Viewer, which displays the contents of the system, application, setup, and security logs, as well as others.
  5. A. Syslog is a standard designed to facilitate the transmission of log entries generated by a device or process, such as the sendmail Simple Mail Transfer Protocol (SMTP) server, across an Internet Protocol (IP) network to a message collector, called a syslog server. Netstat is a program that displays status information about a system's network connections; it does not provide logging services. SNMP is a protocol that carries network management information from agents to a central console; it was not created specifically for sendmail. The Cache Array Routing Protocol (CARP) enables proxy servers to exchange information; it does not provide logging services.
  6. A. The best solution is to implement Simple Network Management Protocol (SNMP). This includes a management console, agents, and Management Information Bases (MIBs). SNMP allows you to track statistical network information (historical and current) and produce reports for baseline analysis and troubleshooting. Some SNMP products also allow you to track software distribution and metering. Protocol analyzers are best used for troubleshooting problems in real time and are not used for software distribution and metering. Performance Monitor is a tool that allows you to track performance statistics for one system at a time and does not include software distribution and metering. There is no such product as a network traffic monitor.
  7. A. Security Information and Event Management (SIEM) is a product that combines two technologies: security event management (SEM) and security information management (SIM). Together, the two provide a combined solution for gathering and analyzing information about a network's security events. Simple Network Management Protocol (SNMP) is a technology that gathers information about managed devices.
  8. C, D. Security Information and Event Management (SIEM) is a product type that combines two technologies: security event management (SEM) and security information management (SIM). Together, the two provide a combined solution for gathering and analyzing information about a network's security events. Simple Network Management Protocol (SNMP) is a technology that gathers information about managed devices. Syslog is a standard designed to facilitate the transmission of log entries generated by a device or process, such as the sendmail Simple Mail Transfer Protocol (SMTP) server, across an Internet Protocol (IP) network to a message collector, called a syslog server. Neither SNMP nor syslog capabilities are typically included in SIEM products.
  9. D. A protocol analyzer provides information about network traffic; it does not interpret web server logs. Most web servers maintain logs that track the Internet Protocol (IP) addresses and other information about all hits and visits. The logs are stored as text files and contain a great deal of information, but in their raw form, they are difficult to interpret. Therefore, it is common practice to use a traffic analysis application that reads the log files and displays their contents in a more user-friendly form, such as tables and graphs.
  10. B. A baseline is a record of a system's performance under real-world operating conditions, captured for later comparison as conditions change. The workload during a baseline capture should be genuine, not simulated or estimated.
  11. B. If a server is using all of its network bandwidth, then the most logical solution is to add more. You can do this by installing a second network adapter and connecting it to a different subnet. The other solutions could conceivably address the problem, but their success is less likely.
  12. A. Performance monitoring utilities typically provide statistics on the Central Processing Unit (CPU), memory, network, and disk usage, but not computer temperature monitoring.
  13. A. Every syslog message includes a single-digit severity code. Code 0 is the most severe, indicating an emergency that has rendered the system unusable. Severity code 1 is an alert message, indicating that immediate action is needed. Severity code 2 is a critical condition message, and code 3 is an error condition. Code 4 is a warning message.
  14. B. Every syslog message includes a single-digit severity code. Severity code 1 is an alert message, indicating that immediate action is needed. Code 0 is the most severe, indicating an emergency that has rendered the system unusable. Severity code 2 is a critical condition message, and code 3 is an error condition. Code 4 is a warning message.
  15. D. Every syslog message includes a single-digit severity code. Code 6 indicates that the message is purely informational. Code 0 is the most severe, indicating an emergency that has rendered the system unusable. Severity code 2 is a critical condition message, and code 4 is a warning message. Code 7 is used strictly for debugging.
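The severity codes that answers 13 through 15 describe are carried in the PRI field that opens every syslog message, where PRI = facility × 8 + severity (RFC 3164 / RFC 5424). The following decoder is an added example and not code from the book: it extracts the facility and severity from the PRI field, maps the severity code to its name, rejects out-of-range values, and filters a batch of messages by urgency. The sample lines, host names, and program names are constructed for the example.

```python
"""Syslog severity decoding: an added example, not from the book.

Every syslog message starts with a PRI field "<N>" where N = facility * 8 +
severity (RFC 3164 / RFC 5424). The severity codes 0-7 are the ones the
answers above describe; this code decodes them and filters by threshold.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Severity codes: the lowest number is the most severe.
SEVERITY_NAMES = {
    0: "emergency",      # system is unusable
    1: "alert",          # immediate action needed
    2: "critical",
    3: "error",
    4: "warning",
    5: "notice",
    6: "informational",
    7: "debug",
}

# Facility codes 0-23 as listed in RFC 5424 (short names chosen here).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.DOTALL)


class SyslogMessage(NamedTuple):
    facility: int
    facility_name: str
    severity: int
    severity_name: str
    body: str


def parse_pri(line: str) -> Optional[SyslogMessage]:
    """Decode the PRI prefix; return None for lines that are not well-formed."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # highest valid PRI: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(facility, FACILITY_NAMES[facility],
                         severity, SEVERITY_NAMES[severity], m.group(2))


def at_or_above(lines: Iterable[str], max_severity: int) -> List[SyslogMessage]:
    """Keep messages whose severity code is <= max_severity (0 is most urgent).

    Unparseable lines are skipped rather than silently treated as severe,
    so a collector feeding alerts from this filter should count the skips.
    """
    out = []
    for line in lines:
        msg = parse_pri(line)
        if msg is not None and msg.severity <= max_severity:
            out.append(msg)
    return out


# Constructed sample messages (not captured from a real system).
SAMPLE_LINES = [
    "<0>Mar  1 10:00:01 fileserver kernel: panic - not syncing: fatal exception",
    "<34>Mar  1 10:00:02 fileserver su: 'su root' failed for operator on /dev/pts/2",
    "<165>Mar  1 10:00:03 appserver app[412]: configuration reloaded",
    "<30>Mar  1 10:00:04 appserver sshd[911]: session opened for user alice",
    "<15>Mar  1 10:00:05 appserver app[412]: cache hit ratio 0.93",
    "Mar  1 10:00:06 appserver app[412]: line with no PRI field",
    "<200>Mar  1 10:00:07 appserver app[412]: PRI out of range",
]

if __name__ == "__main__":
    # Show everything from emergency (0) down to error (3).
    for msg in at_or_above(SAMPLE_LINES, 3):
        print(f"{msg.severity_name:<13} {msg.facility_name:<8} {msg.body}")
```

Running the block prints only the emergency line from the kernel and the critical `su` failure; the `<165>` notice decodes to facility 20 (local4), severity 5, and the `<200>` line is rejected because 191 is the largest PRI a valid facility and severity can produce.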
  16. D. Messages that SNMP agents send to consoles when an event needing attention occurs are called traps. Alerts and notifications are terms for the messages that the console sends to administrators. A ping is an Internet Control Message Protocol (ICMP) echo request message sent from one TCP/IP computer to another.
  17. D. The term rollback refers to the process of uninstalling or downgrading an update patch; it has nothing to do with monitoring a network interface. An interface monitor does typically display the number of transmission errors that occur on an interface, the amount of the available bandwidth that the interface is using, and the number of packets that have been dropped due to errors or discards.
  18. B, C. The packet drops displayed by an interface monitor are caused by errors, such as malformed or unreadable packets, or discards, which are packets that are dropped because they are destined for another interface. Resets and overflows are not reasons for packet drops.
  19. D. Performance baselines characterize hardware performance, so the OS update history would be of little or no use for future comparisons. A baseline typically consists of CPU, memory, disk, and network performance statistics.
  20. C, D. Logs frequently contain sensitive information, so securing them with the appropriate permissions is an essential part of log management. Logs also can grow to overwhelm the storage medium on which they are stored, so cycling is a technique for managing log size by configuring the log to delete the oldest record each time a new one is added. Rollback and utilization are not log management tasks.
  21. B. In SIEM, forensic analysis is a process of searching logs on multiple computers for specific information based on set criteria and time periods. Data aggregation is a process of consolidating log information from multiple sources. Correlation is the process of linking logged events with common attributes together. Retention is the long-term storage of log data.
  22. A. In SIEM, data aggregation is a process of consolidating log information from multiple sources. Forensic analysis is a process of searching logs on multiple computers for specific information based on set criteria and time periods. Correlation is the process of linking logged events with common attributes together. Retention is the long-term storage of log data.
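Answers 21 and 22 distinguish the four SIEM functions by name; the following added example (not code from the book, and not any SIEM product's own implementation) shows three of them in working form: aggregation consolidates login records from several hosts into one normalized, time-ordered event list; forensic analysis searches that list by time period and attribute; correlation links events that share a source address and flags a successful login preceded by repeated failures from the same source, even when those failures were spread across different hosts. The hosts, log lines, and the simplified line format are constructed for the example, and the IP addresses come from the documentation ranges.

```python
"""SIEM-style aggregation, forensic search and correlation: an added example,
not from the book. The log lines and host names are constructed, and the
line format is a simplified one assumed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed line format:
#   "<ISO timestamp> <program>: <Failed|Accepted> password for <user> from <ip>"
_LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<prog>\w+): (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed logs, keyed by the host that produced them.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "web1": [
        "2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7",
        "2024-03-01T10:00:04 sshd: Failed password for admin from 203.0.113.7",
        "2024-03-01T10:00:20 sshd: Accepted password for alice from 198.51.100.9",
    ],
    "db1": [
        "2024-03-01T10:00:02 sshd: Failed password for admin from 203.0.113.7",
        "2024-03-01T10:00:07 sshd: Failed password for root from 203.0.113.7",
        "2024-03-01T10:01:30 sshd: Accepted password for admin from 203.0.113.7",
    ],
    "app1": [
        "2024-03-01T10:05:00 sshd: Failed password for bob from 198.51.100.9",
        "2024-03-01T10:05:01 cron: this line does not match and is skipped",
    ],
}


def aggregate(sources: Dict[str, List[str]]) -> List[dict]:
    """Data aggregation: normalize lines from every host into one time-ordered list."""
    events = []
    for host, lines in sources.items():
        for line in lines:
            m = _LINE_RE.match(line)
            if not m:
                continue                       # unknown format: skip, do not guess
            events.append({
                "time": datetime.fromisoformat(m["time"]),
                "host": host,
                "user": m["user"],
                "src": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            })
    events.sort(key=lambda e: e["time"])
    return events


def search(events: List[dict], since: datetime, until: datetime, **criteria) -> List[dict]:
    """Forensic analysis: events from all hosts within a time period that match
    every given attribute (e.g. src="203.0.113.7", outcome="failure")."""
    return [e for e in events
            if since <= e["time"] <= until
            and all(e.get(k) == v for k, v in criteria.items())]


def correlate_failures_then_success(events: List[dict], threshold: int = 3,
                                    window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Correlation: group events by source address and flag a success that was
    preceded, within `window`, by at least `threshold` failures from that
    source on any host. Per-host views would each see too few failures."""
    by_src = defaultdict(list)
    for e in events:                             # events are already time-ordered
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if p["outcome"] == "failure" and e["time"] - p["time"] <= window]
            if len(prior) >= threshold:
                findings.append({"src": src, "user": e["user"], "host": e["host"],
                                 "time": e["time"], "failures": len(prior),
                                 "hosts_probed": sorted({p["host"] for p in prior})})
    return findings


if __name__ == "__main__":
    evs = aggregate(SAMPLE_LOGS)
    for finding in correlate_failures_then_success(evs):
        print(finding)
```

With the sample data, neither host alone records three failures from 203.0.113.7, so only the aggregated view lets the correlation rule fire; it reports one finding naming both probed hosts, while the isolated failure from 198.51.100.9 produces nothing. Retention, the fourth function, is the storage policy applied to the aggregated list and is not shown.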
  23. C. When individual packets in a data stream are delayed, the resulting connectivity problem is called jitter. Although this condition might not cause problems for asynchronous applications, real-time communications, such as Voice over Internet Protocol (VoIP) or streaming video, can suffer interruptions, from which the phenomenon gets its name. Latency describes a generalized delay in network transmissions, not individual packet delays. Attenuation is the weakening of a signal as it travels through a network medium. A bottleneck is a condition in which all traffic is delayed, due to a faulty or inadequate component.
  24. A, B, C, D. All of these occurrences are malfunctions on a full-duplex Ethernet network. Runt frames occur when a network interface generates packets that are smaller than the 64-byte minimum allowable length. Giants occur when frames are larger than the 1518-byte maximum allowable length. Collisions are normal on a half-duplex network, but on a full-duplex network, collisions are considered to be malfunctions. Late collisions occur when network cables are too long.
  25. B, C. Jitter is a connectivity problem on wired networks that is caused by individual packets that are delayed due to network congestion, different routing, or queuing problems. When individual packets in a data stream are delayed, the resulting connectivity problem is called jitter. While this condition might not cause problems for asynchronous applications, such as email and instant messaging, real-time communications, such as Voice over Internet Protocol (VoIP) or streaming video, can suffer intermittent interruptions, from which the phenomenon gets its name.
  26. A. Syslog is a standard designed to facilitate the transmission of log entries generated by a device or process, such as the sendmail SMTP server, across an Internet Protocol (IP) network to a message collector, called a syslog server. Network Monitor (Netmon) is a protocol analyzer. Netstat is a program that displays status information about a system's network connections. Top is a utility to display system processes. None of these provide logging services.
  27. A. System logs document the server's startup activities and the ongoing status of its services and device drivers. When a problem occurs or the server's status changes, the system logs can provide information about what happened and when.
  28. D. On a Windows system, information about services, including successful service starts and failures, is recorded in the System event log. The Application, Security, and Setup logs typically do not contain this type of information.
  29. A. Performance Monitor is a Windows application that can create logs of specific system and network performance statistics over extended periods. Such a log created on a new computer can function as a baseline for future troubleshooting. Event Viewer is a Windows application for displaying system log files; it cannot create a performance baseline. Syslog is a log compilation program originally created for Unix systems; it does not create performance baselines. Network Monitor is a protocol analyzer. Although it can capture a traffic sample that can function as a reference for future troubleshooting efforts, this ability cannot be called a performance baseline.
  30. B. Humidity prevents the buildup of static electricity that can cause discharges that damage equipment. Humidity levels of 50 percent or lower can cause equipment to be susceptible to electrostatic shock.
  31. C. When you enable audit policies on Windows systems, you can specify whether to audit successful or failed events (or both), including access attempts. This audit information is recorded in the Security event log. The System, Application, and Setup event logs typically do not record both successful and failed access attempts.
  32. C. A Management Information Base (MIB) is the database on an SNMP console where all of the information gathered from the network is stored. A trap is an alert message that SNMP agents send to the network management console. Syslog is a standard for message logging components. Security Information and Event Management (SIEM) is a combination tool that uses information gathered from logs and network devices to provide a real-time analysis of the network's security condition.
  33. A. Runts and giants are typically the result of a network interface adapter malfunction. Runt frames occur on an Ethernet network when a network interface generates packets that are smaller than the 64-byte minimum allowable length. Giants occur when frames are larger than the 1518-byte maximum allowable length. Collisions are normal on a half-duplex network, but runts and giants are not. Late collisions occur when network cables are too long. Electromagnetic interference is a likely cause of Cyclic Redundancy Check (CRC) errors, but not runts and giants.
  34. C. Electromagnetic interference is the likely cause of CRC errors. A network interface adapter malfunction can cause runts and giant frames. Collisions are normal on a half-duplex network, but CRC errors are not. Late collisions occur when network cables are too long, but they do not cause CRC errors.
  35. C. The netstat utility can display the incoming and outgoing packets for a specific network interface, as well as other statistics, depending on the operating system. Top and ifconfig are Unix/Linux utilities, and Nbtstat is a Windows tool.
  36. B. Netflow is a network traffic monitoring feature first introduced in Cisco routers in 1996. Netmon, Netstat, and Nbtstat are all operating system utilities, not router features.
  37. E. Jumbo frames is a feature supported by some Ethernet implementations that enables frames to exceed the 1500-byte maximum data payload defined in the IEEE 802.3 standard. Runt frames, giant frames, Cyclical Redundancy Check (CRC) errors, and encapsulation errors are all types of errors typically reported in network interface diagnostics.
  38. D. Cyclical Redundancy Checks (CRCs) are faults that occur when data does not arrive at its destination in the same state as when it was sent; they are not Simple Network Management Protocol (SNMP) components. Management Information Bases (MIBs), traps, and Object Identifiers (OIDs) are all components of a Simple Network Management Protocol (SNMP) implementation.
  39. C. Unless there is a specific known threat at the datacenter location, radon is not one of the environmental factors that typically can affect equipment uptime and that needs to be monitored. Temperature, humidity, flooding, and static electricity, however, are factors that should be monitored in a datacenter, as variations of these elements can result in equipment damage and downtime.
  40. A, D. Link states and Dijkstra's algorithm are used by link state routing protocols, such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS). Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP) are distance vector protocols, which do not use link states. Border Gateway Protocol (BGP) is a distance vector protocol and an exterior (not interior) gateway protocol.
  41. A. A network map is a depiction of network devices, not drawn to scale, with additional information added, such as IP addresses and link speeds. In most cases, network maps are automatically created by a software product, such as Nmap, that scans the network and creates a display from the information it discovers. The term network diagram is most often used to refer to a manually created document containing pictograms of network devices, with lines representing the connections between them. The diagram might be roughly similar to the actual layout of the site, but it is usually not drawn to scale. A cable diagram is a precise depiction of the cable runs installed in a site. Often drawn on an architect's floor plan or blueprint, the cable diagram enables network administrators to locate specific cables and troubleshoot connectivity problems. A Management Information Base (MIB) is a component of a network management system that is based on the Simple Network Management Protocol (SNMP) and contains information about only one device; it does not depict all of the devices on the network.
  42. C. A cable diagram is a precise depiction of the cable runs installed in a site. Often drawn on an architect's floor plan or blueprint, the cable diagram enables network administrators to locate specific cables and troubleshoot connectivity problems. A network map is a depiction of network devices, not drawn to scale, with additional information added, such as IP addresses and link speeds. In most cases, network maps are automatically created by a software product, such as Nmap, that scans the network and creates a display from the information it discovers. The term network diagram is most often used to refer to a manually created document containing pictograms of network devices, with lines representing the connections between them. The diagram might be roughly similar to the actual layout of the site, but it is usually not drawn to scale. A Management Information Base (MIB) is a component of a network management system that is based on the Simple Network Management Protocol (SNMP) and contains information about only one device; it does not depict all of the devices on the network.
  43. C. Devices designed to fit into IT equipment racks typically have heights measured in units. One unit equals 1.75 inches. Most rack-mounted devices are one (1U), two (2U), or four units (4U) tall.
  44. A. A reputable cable installer should supply a cable diagram that indicates the locations of all the cable runs on a plan or blueprint of the site. You should be able to use this to determine which ports go with which wall plates. A busy cable installer is unlikely to remember specific details about an installation performed years ago. Using a tone generator and locator is an effective way to associate ports and wall plates, but it can be incredibly time consuming and is certainly not the easiest method. A cable certifier can test the cable run for faults, measure its length, and perform other tests, but it cannot specify which wall plate goes with which port, unless you entered that information yourself earlier.
  45. B. ISO 19770 is a family of IT Asset Management (ITAM) standards that defines procedures and technology for the management of software and related assets in a corporate infrastructure. ISO 19770-2 defines the creation and use of SWID tags, which are XML files containing management and identification information about a specific software product. The other standards define other ITAM elements, such as compliance with corporate governance (ISO 19770-1) and resource utilization measurement (ISO 19770-4).
  46. A, C. A large enterprise network will—at minimum—have demarcation points for telephone services and a connection to an Internet Service Provider's (ISP's) network. In many cases, these services will enter the building in the same equipment room that houses the backbone switch. This room is then called the Main Distribution Frame (MDF). An Intermediate Distribution Frame (IDF) is the location of localized telecommunications equipment such as the interface between the horizontal cabling and the backbone. Mean Time Between Failure (MTBF) and Remote Desktop Protocol (RDP) are not locations of network wiring.
  47. C. Rack diagrams use vertical measurement called units, each of which is 1.75 inches. Most rack-mounted devices are one (1U), two (2U), or four units (4U) tall.
  48. A. The symbol shown in the figure represents a network switch. It is not a router, a hub, or a gateway.
  49. A, C. A physical diagram, in this case, represents the actual physical locations of the cable drops connected to the patch panels. A logical diagram uses artificial divisions that correspond to the organization of the company.
  50. C. IDF diagrams should be based on an architect's plan whenever possible so that actual lengths and locations of cable runs can be documented. In situations where an architect's plan is not available, a detailed sketch, drawn to scale, can be acceptable. Photographs, models, and reports are impractical for this purpose.
  51. A, B, C. MDF and IDF documentation should take into account the power sources available at the locations, the HVAC equipment needed to keep the temperature and humidity levels under control, and the distances the cable runs must span. This type of documentation is typically used for installation and troubleshooting purposes, so the costs of components and services are unnecessary and can be covered elsewhere.
  52. C. Patch panel ports and wall plates should be labeled when the cable runs are attached to them. Labeling them at any earlier time can result in cable runs being connected incorrectly.
  53. A. A large enterprise network will—at minimum—have demarcation points for telephone services and a connection to an Internet Service Provider's (ISP's) network. In many cases, these services will enter the building in the same equipment room that houses the backbone switch. This room is then called the Main Distribution Frame (MDF). An Intermediate Distribution Frame (IDF) is the location of localized telecommunications equipment such as the interface between the horizontal cabling and the backbone. Mean Time Between Failure (MTBF), Remote Desktop Protocol (RDP), and Memorandum of Understanding (MOU) are not locations of network wiring.
  54. A, B, C, D. A change management team typically requires thorough documentation for all requested changes, specifying exactly what is needed; how the change will affect the current workflow, both to the direct recipients of the change and the rest of the organization; and what ramifications might come from the change.
  55. B. A single rack unit is 1.75 inches, or 44.5 mm. Option A, 1.721 inches, is the height used for many components that are one rack unit tall, leaving a small space between components for easy insertion and removal.
  56. A, C. The change management team is usually not responsible for tasks directly involved in the implementation of the changes they approve. Therefore, they would not be the ones to notify users exactly when the change will take place or document the procedure afterward. They would, however, be responsible for providing a maintenance window, during which the change must occur, and authorizing any downtime that would be needed.
  57. E. ISO 19770 is a family of IT Asset Management (ITAM) standards that defines procedures and technology for the management of software and related assets in a corporate infrastructure. ISO 19770-5 provides a general overview of the functions provided by the standards and their benefits to an IT infrastructure. The other standards define other ITAM elements, such as compliance with corporate governance (ISO 19770-1), creation and use of software ID (SWID) tags (ISO 19770-2), and resource utilization measurement (ISO 19770-4).
  58. D. The standard unit height for IT equipment racks is 1.75 inches, which is the equivalent of one unit. Four units would therefore be 7 inches.
  59. D. The main purpose of a wiring schematic is to indicate where cables are located in walls and ceilings. A physical network diagram identifies all of the physical devices and how they connect together. Asset management is the identification, documentation, and tracking of all network assets, including computers, routers, switches, and so on. A logical network diagram contains addresses, firewall configurations, Access Control Lists (ACLs), and other logical elements of the network configuration.
  60. B, D. A physical network diagram identifies all of the physical devices and how they connect together. A logical network diagram contains IP addresses, firewall configurations, Access Control Lists (ACLs), and other logical elements of the network configuration. Both physical and logical network diagrams can be created automatically or manually. It is the physical network diagram that contains the information needed to rebuild the network from scratch.
  61. B. The symbol shown in the figure represents a network router. It is not a switch, a hub, or a gateway.
  62. C. An Intermediate Distribution Frame (IDF) is the location of localized telecommunications equipment such as the interface between a horizontal network, which connects to workstations and other user devices, and the network backbone. A large enterprise network will typically have demarcation points for telephone services and a connection to an Internet Service Provider's (ISP's) network. In many cases, these services will enter the building in the same equipment room that houses the backbone switch. This room is then called the Main Distribution Frame (MDF). Mean Time Between Failure (MTBF), Service Level Agreements (SLAs), and Memoranda of Understanding (MOUs) are not locations of network wiring.
  63. C. The standard width of an equipment rack in a data center is 19 inches. Network hardware manufacturers use this width when designing rack-mountable components.
  64. C. The symbol shown in the figure represents a network hub. It is not a switch, a router, or a gateway.
  65. A. Datacenters typically mount components in racks, 19-inch-wide and approximately 6-foot-tall frameworks in which many networking components are specifically designed to fit. A rack diagram is a depiction of one or more racks, ruled out in standardized 1.752-inch rack units, and showing the exact location of each piece of equipment mounted in the rack. Network maps, wiring schematics, and logical diagrams are documents that define the relationships between components, not their precise locations. A business continuity plan describes the organization's disaster prevention and recovery policies. An audit and assessment report is a document—often prepared by a third party—that summarizes the organization's security posture.
  66. B. Network diagrams typically specify device types and connections, but network maps can also include IP addresses, link speeds, and other information. Network maps diagram the relationships between devices, and provide information about the links that connect them, but they are not drawn to scale and usually do not indicate the exact location of each device. Although universal accessibility would be desirable, there are individuals who should not have access to network maps and other documentation, including temporary employees and computer users not involved in IT work. A network map includes all networking devices, not just cable runs and endpoints.
  67. B. A Material Safety Data Sheet (MSDS) is a document created by manufacturers of chemical, electrical, and mechanical products, specifying the potential dangers and risks associated with them, particularly in regard to exposure or fire. A properly documented network should have MSDS documents on file for all of the chemical and hardware products used to build and maintain it. MSDSs can be obtained from the manufacturer or the Environmental Protection Agency (EPA). Electrostatic discharges (ESDs), Non-Disclosure Agreements (NDAs), Bring Your Own Device (BYOD) policies, and standard operating procedures (SOPs) are not concerned with the chemical composition of cleaning compounds.
  68. D. A privileged user agreement specifies the abilities and limitations of users with respect to the administrative accounts and other privileges they have been granted. Remote access policies specify when and how users are permitted to access the company network from remote locations. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the guaranteed availability of the service. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources.
  69. A. Remote access policies specify when and how users are permitted to access the company network from remote locations. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the guaranteed availability of the service. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. A privileged user agreement specifies the abilities and limitations of users with respect to the administrative accounts and other privileges they have been granted.
  70. B. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. AUPs typically specify what personal work employees can perform, what hardware and software they can install, and what levels of privacy they are permitted when using company equipment. A Service Level Agreement (SLA) is a contract between a provider and a subscriber. A Non-Disclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company. A Bring Your Own Device (BYOD) policy specifies how employees can connect their personal devices to the company network.
  71. D. A Bring Your Own Device (BYOD) policy specifies the personal electronics that employees are permitted to use on the company network and documents the procedures for connecting and securing them. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the percentage of time that the contracted services are available. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. A Non-Disclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company.
  72. C. A Non-Disclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the percentage of time that the contracted services are available. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. A Memorandum of Understanding (MOU) is a document outlining an agreement between two parties that precedes the signing of a contract. A Bring Your Own Device (BYOD) policy specifies the personal electronics that employees are permitted to use on the company network and documents the procedures for connecting and securing them.
  73. A, B, C, D. The longer the password, the more difficult it is to guess. Corporate policies typically require passwords of a minimum length. A larger character set also makes a password more difficult to guess, so requiring upper- and lowercase, numeric, and special characters is common. Changing passwords forces the attack process to start over, so policies typically require frequent password changes and prevent users from reusing passwords.
  74. C. Requiring unique passwords prevents users from thwarting a password change policy by reusing the same passwords over and over. Password length, password character set, and maximum password change interval requirements do nothing to stop users from circumventing a frequent password change policy in this way.
  75. A, C, D. Account lockout threshold specifies the number of incorrect logon attempts that are allowed before the account is locked out. Account lockout duration is the amount of time that an account remains locked out. Reset account lockout threshold counter specifies the amount of time before the number of incorrect attempts is reset to zero. Account lockout policies typically do not include a setting that regulates the amount of time allowed between logon attempts.
  76. B. Account lockouts limit the number of incorrect passwords that a user can enter. This prevents intruders from using a brute force attack to crack the account by trying password after password. After a specified number of incorrect tries, the account is locked for a specified length of time or until an administrator unlocks it.
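The following is an added example, not part of the book's answer text, that models the three lockout settings named in answers 75 and 76 (lockout threshold, lockout duration, and the reset-counter window) as a small state machine and shows how they limit a password-guessing loop. The class and function names are the example's own; times are passed in as plain seconds so the behaviour is deterministic, and the password is held in clear only for the demo.

```python
"""Account lockout policy as a small state machine (added example, not from the book)."""
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5         # incorrect attempts allowed before the account locks
    duration_s: int = 900      # seconds the account stays locked; 0 = until an admin unlocks it
    reset_after_s: int = 600   # seconds after the last failure before the bad-attempt counter resets


@dataclass
class Account:
    secret: str                # demo only; a real system stores a salted hash, never the password
    failed: int = 0
    last_failure_at: float = 0.0
    locked_until: Optional[float] = None   # None = unlocked, float('inf') = needs admin unlock


class Authenticator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy

    def is_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:          # lockout duration has elapsed: unlock and reset
            acct.locked_until = None
            acct.failed = 0
            return False
        return True

    def attempt(self, acct: Account, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one logon attempt made at time `now`."""
        if self.is_locked(acct, now):
            return "locked"                   # even the correct password is refused while locked
        if acct.failed and now - acct.last_failure_at >= self.policy.reset_after_s:
            acct.failed = 0                   # reset-counter window expired
        if hmac.compare_digest(password.encode(), acct.secret.encode()):
            acct.failed = 0
            return "ok"
        acct.failed += 1
        acct.last_failure_at = now
        if acct.failed >= self.policy.threshold:
            acct.locked_until = (now + self.policy.duration_s) if self.policy.duration_s else float("inf")
            return "locked"
        return "denied"

    def admin_unlock(self, acct: Account) -> None:
        acct.locked_until = None
        acct.failed = 0


def guesses_checked(policy: LockoutPolicy, wordlist: List[str], secret: str,
                    seconds_per_try: float = 1.0) -> int:
    """Count how many wordlist entries are actually evaluated against the password
    before the lockout policy stops the loop (attempts made while locked are not checked)."""
    auth = Authenticator(policy)
    acct = Account(secret=secret)
    checked = 0
    for i, guess in enumerate(wordlist):
        now = i * seconds_per_try
        if auth.is_locked(acct, now):
            continue                          # rejected without the password being compared
        checked += 1
        if auth.attempt(acct, guess, now) == "ok":
            break
    return checked
```

The `guesses_checked` helper makes the defensive trade-off visible: with the default policy a rapid loop gets exactly `threshold` comparisons before every further attempt is refused, whereas attempts spaced further apart than `reset_after_s` never accumulate, which is why the reset window should not be set much shorter than the lockout duration.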
  77. C, D. Data in motion and data in transit are the terms used to describe network traffic. Data in use describes endpoint actions, and data at rest describes data storage.
  78. A. Data in use is the data loss prevention term used to describe endpoint access, such as a user loading data into an application. Data in motion is the term used to describe network traffic. Data at rest describes data storage. Data in process is not one of the standard data loss prevention terms.
  79. B. Data at rest describes data that is currently in storage while not in use. Data in motion is the term used to describe network traffic. Data in use describes endpoint actions working with the data, and data on disk is not one of the standard data loss prevention terms.
  80. A. Data online is not one of the standard data loss prevention terms. Data at rest is a data loss prevention term that describes data that is currently in storage while not in use. Data in motion is the term used to describe network traffic. Data in use describes endpoint actions.
  81. D. On-boarding and off-boarding are identity management processes in which users are added or removed from an organization's identity and access management (IAM) system. This grants new users the privileges they need to use the network, modifies their privileges if they change positions, and revokes privileges when they leave the company. On-boarding and off-boarding are not data loss prevention, incident response, inventory management, disaster recovery, or business continuity processes.
  82. C. On-boarding and off-boarding are identity management processes in which users are added or removed from an organization's identity and access management (IAM) system. Off-boarding revokes a user's privileges when he or she leaves the company. The term off-boarding does not refer to cluster management, disconnecting a switch, or retiring workstations.
  83. A. After a change is requested, approved, scheduled, and performed, everyone involved should be notified, and the entire process should be documented for future reference.
  84. B, C, D. The U.S. government controls exports of sensitive software and other technology as a means to maintain national security interests and foreign policy agreements. Three U.S. agencies have the authority to issue export licenses: the Department of State, the Department of Commerce, and the Department of the Treasury. Individual software developers do not have the authority to impose their own export controls.
  85. B. While incident response policies might include the process of responding to an incident and identifying and documenting its cause, the primary function of incident response policies is to ensure that the same incident does not happen again.
  86. D. Material Safety Data Sheets (MSDSs) are documents created by manufacturers of chemical, electrical, and mechanical products, which specify the potential risks and dangers associated with them, particularly in regard to flammability and the possibility of toxic outgassing. A properly documented network should have MSDS documents on file for all of the chemical and hardware products used to build and maintain it. MSDSs can be obtained from the manufacturers or the Environmental Protection Agency (EPA). Electrostatic discharges (ESDs), Non-Disclosure Agreements (NDAs), and Bring Your Own Device (BYOD) policies are not concerned with the dangers inherent in building contents.
  87. D. Software and hardware upgrades are typically not part of an AUP, because they are handled by the company's IT personnel. An AUP for a company typically includes a clause indicating that users have no right to privacy for anything they do using the company's computers, including email and data storage. An AUP usually specifies that the company is the sole owner of the computer equipment and any proprietary company information stored on it or available through it. The AUP also prohibits the use of its computers or network for any illegal practices, typically including spamming, hacking, or malware introduction or development.
  88. A, B. Clauses regarding company property, including the copyrights and patents for the work performed for the company, typically do appear in an AUP but not in the privacy clause. This information would be more likely to appear in an ownership clause. The privacy clause commonly explains that the company has the right to access and monitor anything stored on its computers.
  89. D. Once a network infrastructure has been partially or completely destroyed, it is no longer a matter of incident response; the responsibility passes over to the disaster recovery plan, which requires a different set of policies. Stopping, containing, and remediating an incident are all considered incident response policies.
  90. A, B, D. Attacks, hardware failures, and crashes are all events that can be addressed by incident response policies that define what is to be done to analyze and remediate the problem. An electrical fire is typically not something that would be addressed by an IT department's incident response team; it is a job for trained firefighters. Once the fire is out, the company's response falls under the heading of disaster recovery.
  91. B. The process of adding a user's personal device and allowing it to access the company network is called on-boarding. Removing the personal device from the network would be called off-boarding. In-band and out-of-band are terms defining methods for gaining administrative access to a managed network device.
  92. C. A fail closed policy for the datacenter specifies that any open doors should lock themselves in the event of an emergency. To support this policy, the datacenter must have a self-contained fire suppression system, which uses devices such as fire detectors and oxygen-displacing gas systems.
  93. B, C, D, E. While securing the area to prevent contamination of evidence, documenting the scene with photographs or video, collecting any evidence that might be visible, and cooperating with the authorities are tasks that are likely to be in the company's incident response policy. Turning off the server most certainly would not, because this could disturb or delete evidence of the crime.
  94. A. Although all of the options are characteristics of a strong password, the definition of a complex password is one that expands the available character set by using a mixture of upper- and lowercase letters, numerals, and symbols. The larger the character set used to create passwords, the more difficult they are to guess.
  95. A. A history requirement in a password policy prevents users from specifying any one of their most recently used passwords. Although creating passwords using the names of relatives and historical figures is not recommended, it is not something that is easy to prevent. Each user maintains his or her own password history; there is no conflict with the passwords of other users.
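The following is an added example, not part of the book's answer text, that turns the password policy elements discussed in answers 73, 74, 94 and 95 (minimum length, character-set complexity, and a per-user history that blocks reuse) into a checker. The names are the example's own; the history is kept as salted PBKDF2-HMAC-SHA256 digests so that former passwords are never stored in clear, and a candidate is rejected if it matches any of the last `history_depth` entries.

```python
"""Password length, complexity and history checks (added example, not from the book)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3      # how many of the four character classes must appear
    history_depth: int = 5    # most recent passwords that may not be reused
    kdf_rounds: int = 20_000  # PBKDF2 iterations for the stored history digests


CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes present in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)}


def _derive(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class PasswordHistory:
    """Per-user list of (salt, digest) pairs, oldest first, trimmed to the policy depth."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.entries: List[Tuple[bytes, bytes]] = []

    def contains(self, password: str) -> bool:
        depth = self.policy.history_depth
        recent = self.entries[-depth:] if depth else []
        return any(hmac.compare_digest(_derive(password, salt, self.policy.kdf_rounds), digest)
                   for salt, digest in recent)

    def record(self, password: str) -> None:
        salt = os.urandom(16)                  # fresh salt per entry
        self.entries.append((salt, _derive(password, salt, self.policy.kdf_rounds)))
        depth = self.policy.history_depth
        self.entries = self.entries[-depth:] if depth else []


def evaluate(password: str, policy: PasswordPolicy, history: PasswordHistory) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    classes = character_classes(password)
    if len(classes) < policy.min_classes:
        problems.append(f"uses {len(classes)} character class(es), policy requires {policy.min_classes}")
    if history.contains(password):
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def change_password(password: str, policy: PasswordPolicy, history: PasswordHistory) -> List[str]:
    """Apply the policy; the password is recorded in the history only if it passes."""
    problems = evaluate(password, policy, history)
    if not problems:
        history.record(password)
    return problems
```

Because each history entry has its own salt, checking a candidate costs one key derivation per remembered password; this is deliberate, since the same slow derivation that protects the stored history also keeps the reuse check from leaking anything about the old passwords.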
  96. C. A brute-force password attack is one in which the perpetrator tries as many passwords as possible in an effort to guess or deduce the right one. Account lockout policies are intended to prevent this type of attack by limiting the number of incorrect password attempts.
  97. A, B, D. A brute-force password attack is one in which the perpetrator tries as many passwords as possible in an effort to guess or deduce the right one. Password length and complexity policies produce passwords that are harder to guess, making the attack statistically less likely to succeed. Account lockout policies are intended to prevent brute-force attacks by limiting the number of incorrect password attempts. Password history policies do not help to prevent brute-force attacks.
  98. C. An IT asset disposal policy typically includes procedures to be performed on assets that have reached the end of their system life cycle and that are ready for final processing. This includes the wiping of all data, the completion of inventory records, and the possible recycling of the asset. The policy assumes that all data requiring preservation has already been preserved before the asset is submitted for disposal. Therefore, data preservation procedures are not needed at this phase.
  99. A. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the percentage of time that the contracted services are available. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. A Non-Disclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company. A Bring Your Own Device (BYOD) policy specifies the personal electronics that employees are permitted to use on the company network and documents the procedures for connecting and securing them.
  100. D. An ISP provides subscribers with access to the Internet. The applications that the subscriber uses on the internet are typically not part of the SLA. An SLA does typically specify exactly what services the ISP will supply, what equipment the ISP will provide, and the technical support services the ISP will furnish as part of the agreement.
  101. A. A Service Level Agreement (SLA) is a contract between a provider and a subscriber that specifies the percentage of time that the contracted services are available. Mean Time Between Failure (MTBF) is a hardware specification that estimates how long a particular component can be expected to function. Acceptable Use Policies (AUPs) specify whether and how employees can utilize company-owned hardware and software resources. Mean Time to Repair (MTTR) specifies the average time it will take to repair a specific hardware component when it malfunctions.
  102. A, B, D. The technical support clause of an SLA typically defines the type of support that the provider will furnish, the times at which support is available, and the amount of support that is included in the contract, as well as the cost for additional support. An SLA will typically guarantee service availability in the form of a percentage, but this refers to problems at the provider's end and is not a customer technical support matter.
  103. A. Traffic shaping is a technique for prioritizing packets by buffering packets that are not time sensitive for later transmission. You can use this technique to give VoIP packets priority over other types of traffic. Load balancing can conceivably improve the performance of a server, but it cannot help to relieve traffic congestion on the Internet link. The traffic congestion is on the Internet connection, not the LAN, so upgrading to Gigabit Ethernet will not help. SNMP is a protocol used by network management products; it will not relieve the traffic congestion problem.
  104. B. A server with dual power supplies can run in one of two modes: redundant or combined. In redundant mode, both power supplies are capable of providing 100 percent of the power needed by the server. Therefore, the server can continue to run if one power supply fails, making it fault tolerant. In combined mode, both power supplies are needed to provide the server's needs, so a failure of one power supply will bring the server down. Individual mode and hot backup mode are not terms used for this purpose.
  105. C. If a server is connected to two building circuits, it can continue to function if the breaker for one circuit trips and remains uncorrected. All of the other options will bring the server down unless additional redundancies are in place.
  106. C. Windows Server Backup cannot back up data to magnetic tape drives. However, it can back up to local hard disks, optical disks, and remote shares.
  107. C. RAID is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 5 combines disk striping with distributed storage of parity information, which provides fault tolerance. The parity information enables the array to rebuild a disk whose data has been lost. RAID 0 uses data striping only (blocks written to each disk in turn), which does not provide any form of fault tolerance. RAID 1 provides fault tolerance through disk mirroring. RAID 10 creates fault-tolerant mirrored stripe sets.
  108. B. Power redundancy is a general term describing any fault tolerance mechanism that enables equipment to continue functioning when one source of power fails. A UPS is a device that uses battery power, not a generator. The term dual power supplies refers to the power supply units inside a computer, not a separate generator. The term redundant circuits refers to multiple connections to the building's main power, not to a generator.
  109. C. Redundant Array of Independent Disks (RAID) is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 5 combines disk striping (blocks written to each disk in turn) with distributed storage of parity information, for fault tolerance. RAID 0 provides data striping only. RAID 1 provides disk mirroring. RAID 10 creates mirrored stripe sets.
  110. C. Mean Time Between Failures (MTBF) is a hardware specification used to predict the approximate lifetime of a component. It does not refer to any type of fault tolerance mechanism. Port aggregation, clustering, and Uninterruptible Power Supplies (UPSs) are all mechanisms that provide fault tolerance in the event of network adapter, server, and power failures, respectively.
  111. B. Load balancing is a method of distributing incoming traffic among multiple servers. Network Address Translation (NAT) is a routing mechanism that enables computers on a private network to share one or more public Internet Protocol (IP) addresses. It is therefore not a load balancing method. Domain Name System (DNS) round-robin, multilayer switching, and content switching are all mechanisms that enable a server cluster to share client traffic.
  112. A. A content switch is an application layer device, which is what renders it capable of reading the incoming Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) messages. HTTP is an application layer protocol. Multilayer switches do not operate above the transport layer. Failover clustering and (DNS) round-robin are both techniques for distributing incoming traffic without actually processing it.
  113. B, D. An online UPS runs devices from battery power all the time, so there is no gap in the power supplied to the devices during a failure. A standby UPS switches devices to battery power only when the main power fails. Both online and standby UPSs provide only enough power for an orderly shutdown of the devices.
  114. B. Online UPSs run devices from the battery all the time, while simultaneously keeping the battery charged. There is therefore no switchover gap when a power failure occurs. Online UPSs do not necessarily run longer than standby UPSs, nor do they provide more protection against power spikes and sags. Both online and standby UPSs can be managed devices.
  115. A, B, D, E. Bonding, link aggregation, port aggregation, and Network Interface Card (NIC) teaming are all terms for the same basic technology, in which the bandwidth of multiple network adapter connections is joined to speed up transmissions. The technology also enables the network communication to continue if one of the adapters should be disconnected. Clustering refers to combining servers into a single unit, not network adapters.
  116. B. In a network load balancing cluster, each computer is referred to as a host. Other types of clusters use other terms. For example, in a failover cluster, each computer is called a node. The terms server and box are not used in clustering.
  117. C. Highly available systems often have redundant failover components that enable them to continue operating even after a failure of a router, switch, hard disk, server, or other component. Backups, snapshots, and cold sites can all contribute to a system's high availability, but they do not function automatically.
  118. A. Redundant Array of Independent Disks (RAID) is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 0 uses data striping only (blocks written to each disk in turn), which does not provide any form of fault tolerance. RAID 1 provides disk mirroring, RAID 5 combines disk striping with distributed storage of parity information, and RAID 10 creates mirrored stripe sets—these three levels all provide fault tolerance.
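The following is an added example, not part of the book's answer text, that models the RAID 5 arithmetic described in answers 107, 109 and 118 at the byte level: data blocks are striped across the disks, each stripe carries one parity block that is the XOR of the stripe's data blocks, the parity block rotates across disks, and a single missing block is recovered by XOR-ing the other blocks in its stripe. It also shows that a second missing disk cannot be rebuilt. The function names, the rotation rule and the block sizes are the example's own assumptions, not a particular controller's layout.

```python
"""RAID 5 striping with rotating XOR parity, degraded reads and rebuild (added example, not from the book)."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    # Rotate parity across disks so no single disk becomes a write hot spot (RAID 5, unlike RAID 4).
    return stripe % n_disks


def write_raid5(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Distribute data over n_disks; returns disks[d] = list of blocks, one per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block_size          # usable data per stripe
    data = data + bytes((-len(data)) % per_stripe)   # zero-pad the final stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(data), per_stripe)):
        chunk = data[start:start + per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        p = parity_disk_for(stripe, n_disks)
        remaining = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(remaining))
    return disks


def _stripe_blocks(disks: List[Optional[List[bytes]]], stripe: int) -> List[bytes]:
    """Blocks of one stripe, recovering at most one missing disk by XOR of the others."""
    missing = [d for d in range(len(disks)) if disks[d] is None]
    if len(missing) > 1:
        raise RuntimeError("more than one disk missing: RAID 5 cannot recover")
    blocks = [disks[d][stripe] if disks[d] is not None else b"" for d in range(len(disks))]
    if missing:
        m = missing[0]
        blocks[m] = xor_blocks([blk for i, blk in enumerate(blocks) if i != m])
    return blocks


def read_raid5(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reassemble the data (skipping parity) and trim the padding; works in degraded mode too."""
    n_disks = len(disks)
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for stripe in range(stripes):
        p = parity_disk_for(stripe, n_disks)
        blocks = _stripe_blocks(disks, stripe)
        for d in range(n_disks):
            if d != p:
                out += blocks[d]
    return bytes(out[:length])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every block (data and parity alike) of the failed disk from the survivors."""
    if any(disks[d] is None for d in range(len(disks)) if d != failed):
        raise RuntimeError("more than one disk missing: RAID 5 cannot rebuild")
    stripes = len(next(d for d in disks if d is not None))
    return [xor_blocks([disks[d][s] for d in range(len(disks)) if d != failed]) for s in range(stripes)]
```

Parity blocks are rebuilt by the same XOR as data blocks, which is why `rebuild_disk` does not need to know which of the failed disk's blocks held parity. The same code with `n_disks - 1` data blocks and no parity block would be RAID 0, where the loss of any disk is unrecoverable.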
  119. A, B. In a high availability virtual IP address implementation, multiple servers are identified by a single address, enabling all of the servers to receive incoming client traffic. In the case of server clustering and network load balancing arrangements, the cluster itself has a unique name and IP address, separate from those of the individual servers. Clients address themselves to the cluster, not to one of the servers in the cluster. NAT is not a high availability technology, and NIC teaming does not use virtual IP addresses.
  120. C. Cold, warm, and hot backup sites differ in the hardware and software they have installed. A cold site is just a space at a remote location. The hardware and software must be procured and installed before the network can be restored. It is therefore the least expensive and takes the most time. A warm site has hardware in place that must be installed and configured. A hot site has all of the necessary hardware already installed, configured, and ready to go in the event of a disaster. A warm site is more expensive than a cold site, and a hot site is the most expensive and takes the least amount of time to be made operational.
  121. D. A cloud site is the least expensive to implement. Cold, warm, and hot backup sites differ in the hardware and software they have installed, but they all require the maintenance of a facility for a new datacenter. A cold site is just a space at a remote location. The hardware and software must be procured and installed before the network can be restored. It is therefore the least expensive of the cold, warm, and hot options and takes the most time. A warm site has hardware in place that must be installed and configured. A hot site has all of the necessary hardware already installed, configured, and ready to go in the event of a disaster. A warm site is more expensive than a cold site, and a hot site is the most expensive and takes the least amount of time to be made operational. A cloud site is a virtual facility maintained with a cloud service provider. The cloud site does not require physical space or physical hardware, so it is therefore the least expensive.
  122. B. The Recovery Time Objective (RTO) specifies the amount of time needed to restore a server from the most recent backup if it should fail. This time interval depends on the amount of data involved and the speed of the backup medium. A Recovery Point Objective (RPO) specifies how much data is likely to be lost if a restore from backups should be necessary. This figure is based on the frequency of the backups and the amount of new data generated by the system. Business contingency planning (BCP) is an umbrella term for procedures enacted to keep the organization functioning in the event of a disaster. A Management Information Base (MIB) is a database used by Simple Network Management Protocol (SNMP) systems.
  123. B. Mean Time to Failure (MTTF) refers to devices that will eventually fail once and then be discarded, rather than repaired. Mean Time Between Failure (MTBF), Mean Time to Repair (MTTR), and Mean Down Time (MDT) all refer to devices that will eventually fail and then be repaired and reused.
  124. A, D. If one of the server's power supplies fails, the other will continue to function. If the building's backup generator fails, the server will continue to run as long as the building still has outside power. If the UPS fails, the server will go down. If the breaker for the building power circuit trips, the server will run only as long as the UPS battery holds out.
  125. B. UPSs can provide servers with battery backup power, but usually only for a few minutes, so that the servers can be powered down safely, without the potential for data corruption or loss. UPSs cannot keep servers running for two hours. UPSs can protect against power spikes, but that is not their primary function. A computer power supply failure will bring a server down, regardless of the presence of a UPS.
  126. A, B, D. If one of the server's power supplies fails, the other will continue to function. If the UPS fails, the server will continue to use the power supply plugged into the wall socket. If the building's backup generator fails, the server will continue to run as long as the building still has outside power. If the breaker for the building power circuit trips, the server will run only as long as the UPS battery holds out.
  127. A, B, C, D. If one of the server's power supplies fails, the other will continue to function. If one of the UPSs fails, the server will continue to run using the other. If one of the building power circuit breakers trips, the server will continue to run using the other one. If the building's backup generator fails, the server will continue to run as long as the building still has outside power.
  128. C. The archive bit that backup software uses to perform incremental and differential jobs is a file attribute, so this is the most commonly used filter type. It is possible to filter files based on their names, their extensions, and their size, but these are not used as often as the archive file attribute.
  129. A. Cold, warm, and hot backup sites differ in the hardware and software they have installed. A cold site is just a space at a remote location. The hardware and software must be procured and installed before the network can be restored. It is therefore the least expensive. A warm site has hardware in place that must be installed and configured. A hot site has all of the necessary hardware installed and configured. A warm site is more expensive than a cold site, and a hot site is the most expensive.
  130. D. Load balancing refers to the distribution of traffic between two or more channels. Port aggregation combines ports into a single logical channel with a single Media Access Control (MAC) address and provides greater throughput. Port aggregation also provides fault tolerance in the event of a port failure.
  131. D. A cluster is a group of computers configured with the same application that function as a single unit. The cluster can function as a fault tolerance mechanism by failing over from one server to the next, when necessary, or provide load balancing by distributing traffic among the servers.
  132. B. NIC teaming enables you to combine the functionality of two Network Interface Cards (NIC) in one connection. However, when you configure a NIC team to use an active/passive configuration, one of the network adapters remains idle and functions as a fault tolerance mechanism. If the other NIC should fail, the passive NIC becomes active. In this configuration, NIC teaming does not provide load balancing, server clustering, or traffic shaping.
  133. D. Redundant Array of Independent Disks (RAID) level 1 is a fault tolerance mechanism that is also known as disk mirroring. A storage subsystem writes data to two or more disks at the same time so that if a disk fails, the data remains available. Because data is written to the disks at the same time, this RAID level does not provide load balancing. NIC teaming balances a network traffic load among two or more Network Interface Cards (NICs), whereas server clustering and Domain Name Service (DNS) round-robin balance a traffic load among multiple servers.
  134. D. Cold, warm, and hot backup sites are a disaster recovery mechanism that enables a network to be activated at a remote location when a catastrophe occurs. The temperature refers to the site's readiness to assume the role of the network. A cold site is just a space at a remote location. The hardware and software must be procured and installed before the network can be restored. A warm site has hardware in place that must be installed and configured. It takes less time to restore the network than at a cold site, but more than at a hot site. A hot site has all of the necessary hardware installed and configured. The network can go live as soon as the most recent data is restored.
  135. A. Mean Time Between Failure (MTBF) specifies how long you can expect a device to run before it malfunctions. For a hard disk, this specification indicates the life expectancy of the device. A Service Level Agreement (SLA) and an Acceptable Use Policy (AUP) are not specifications associated with hard disk drives. Mean Time to Repair (MTTR) can conceivably be specified for a hard disk, but hard disk drives in a RAID array are typically replaced, not repaired.
  136. B, D. Redundant Array of Independent Disks (RAID) is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 1 provides disk mirroring, and RAID 10 creates mirrored stripe sets. Both provide fault tolerance by maintaining two copies of every stored file, for a usable disk space percentage of 50 percent. Some mirroring configurations store more than two copies of each file, for even less usable space. RAID 0 provides data striping only, with no fault tolerance. RAID 5 combines disk striping (blocks written to each disk in turn) with distributed storage of parity information, for fault tolerance with a usable disk space percentage of at least 66 percent.
  137. D. Disk mirroring and disk duplexing both use multiple hard disk drives to store duplicate copies of all data. However, disk duplexing calls for each disk to be connected to a separate controller so that the data remains available despite a disk failure or a disk controller failure.
  138. B. Redundant Array of Independent Disks (RAID) is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 1 provides disk mirroring for fault tolerance and requires two or more disk drives. RAID 0 provides data striping only, with no fault tolerance. RAID 5 combines disk striping (blocks written to each disk in turn) with distributed storage of parity information for fault tolerance, but it requires a minimum of three disk drives. RAID 10 creates mirrored stripe sets and requires at least four disk drives.
  139. B, D. Redundant Array of Independent Disks (RAID) is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 1 and RAID 10 both use disk mirroring to provide fault tolerance, which does not require parity data. RAID 0 uses data striping only (blocks written to each disk in turn), which does not provide any form of fault tolerance. RAID 5 combines disk striping with distributed storage of parity information.
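The parity arithmetic behind answers 136 through 139 is easier to see than to describe, so here is an added example (not part of the answer key) of RAID 5 in miniature: data is striped across the members, the parity block for each stripe is the XOR of that stripe's data blocks and rotates from disk to disk, and the contents of any one lost disk can be rebuilt by XORing the survivors. Disk count, block size and the sample text are toy values chosen for the illustration.

```python
"""RAID 5 in miniature: block-level striping with rotating XOR parity.

Added illustration; not part of the original answer key. The disk and
block sizes are toy values chosen for the demonstration."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is all that RAID 5 parity is."""
    out = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, disks: int) -> int:
    """RAID 5 rotates the parity block across the disks, stripe by stripe."""
    return (disks - 1 - stripe) % disks


def raid5_write(data: bytes, disks: int, block_size: int) -> List[List[bytes]]:
    """Stripe data across `disks` members; returns one list of blocks per disk."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (disks - 1) * block_size
    data += b"\x00" * ((-len(data)) % data_per_stripe)      # pad to whole stripes
    array: List[List[bytes]] = [[] for _ in range(disks)]
    for stripe in range(len(data) // data_per_stripe):
        chunk = data[stripe * data_per_stripe:(stripe + 1) * data_per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(disks - 1)]
        parity = xor_blocks(data_blocks)
        pdisk = parity_disk_for(stripe, disks)
        remaining = iter(data_blocks)
        for disk in range(disks):
            array[disk].append(parity if disk == pdisk else next(remaining))
    return array


def raid5_read(array: List[Optional[List[bytes]]]) -> bytes:
    """Read the whole array back. A member set to None is a failed disk; its
    blocks are rebuilt by XORing the surviving blocks of each stripe (parity included)."""
    disks = len(array)
    failed = [d for d, member in enumerate(array) if member is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk; data is lost")
    stripes = len(next(member for member in array if member is not None))
    out = bytearray()
    for stripe in range(stripes):
        blocks = [array[d][stripe] if array[d] is not None else None for d in range(disks)]
        if failed:
            blocks[failed[0]] = xor_blocks([b for b in blocks if b is not None])
        pdisk = parity_disk_for(stripe, disks)
        for disk in range(disks):
            if disk != pdisk:
                out += blocks[disk]
    return bytes(out)


def usable_fraction(level: str, disks: int) -> float:
    """Usable capacity as a fraction of raw capacity for the levels in the answers."""
    if level == "0":
        return 1.0
    if level in ("1", "10"):
        return 0.5
    if level == "5":
        return (disks - 1) / disks
    raise ValueError(level)


if __name__ == "__main__":
    text = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    array = raid5_write(text, disks=4, block_size=4)
    array[2] = None                                          # one disk dies
    assert raid5_read(array)[:len(text)] == text             # everything is still readable
    print("rebuilt after losing disk 2; usable space %.0f%%" % (100 * usable_fraction("5", 4)))
```

Because the rebuild is a single XOR per stripe, any one disk can be lost, data or parity alike; a second loss before the rebuild completes is exactly the failure mode RAID 5 does not cover, which the read function reports rather than silently returning wrong data.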
  140. C. Differential backups use the archive bit to determine which target files to back up. However, a differential backup does not reset the archive bit. Full backups do not pay attention to the archive bit, because they back up all of the files. A full backup, however, does clear the archive bit after the job is completed. Incremental backups also use the archive bit to determine which files have changed since the previous backup job. The primary difference between an incremental and a differential job, however, is that incremental backups clear the archive bit so that unchanged files are not backed up. There is no such thing as a supplemental backup job.
  141. C. The generational media rotation system uses the terms grandfather, father, and son to refer to backup jobs that are run monthly, weekly, and daily. The jobs can be full, incremental, or differential, and the terms have nothing to do with whether the backup medium is a hard disk, optical, or any type of tape drive.
  142. A, C. Windows Server Backup can perform full backups and incremental backups. It does not support differential backups, and there is no backup job called a supplemental.
  143. A. A snapshot is a read-only copy of a data set taken at a specific moment in time. By creating a snapshot and then backing it up, you can be sure that no data corruption has occurred due to version skew. A hot site is an alternative network location in which all hardware and software is installed and ready. Incrementals and differentials are types of backup jobs.
  144. D. Version skew can occur when a data set changes while a system backup is running. A file written to a directory that has already been backed up will not appear on the backup media, even though the job might still be running. This can result in unprotected files, or worse, data corruption. A snapshot is a read-only copy of a data set taken at a specific moment in time. By creating a snapshot and then backing it up, you can be sure that no data corruption has occurred due to version skew. Incrementals and differentials are types of backup jobs, and iteration is not a specific storage technology.
  145. C. An incremental backup is a job that backs up all of the files that have changed since the last backup of any kind. Therefore, to restore a system that failed on Monday at noon, you would have to restore the most recent full backup from the previous Wednesday and the incrementals from Thursday, Friday, Saturday, and Sunday.
  146. B. An autochanger is a robotic device containing one or more removable media drives, such as magnetic tape or optical disk drives. The robotic mechanism inserts and removes media cartridges automatically so that a backup job can span multiple cartridges, increasing its overall capacity.
  147. D. An incremental backup is a job that backs up all of the files that have changed since the last backup of any kind. Therefore, to restore a system that failed on Tuesday at noon, you would have to restore the most recent full backup from the previous Saturday and the incrementals from Sunday, Monday, and Tuesday morning.
  148. B. A differential backup is a job that backs up all the files that have changed since the last full backup. Therefore, to restore a system that failed on Tuesday at noon, you would have to restore the most recent full backup from the previous Wednesday and the most recent differential from Monday.
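Answers 140, 145, 147 and 148 all follow from one rule: full and incremental jobs clear the archive bit, differential jobs do not. The following added example (not part of the answer key) simulates a volume whose files carry that bit, runs the two weekly schedules those answers describe, and derives the media a restore needs. File names and day labels are constructed for the illustration.

```python
"""Archive-bit semantics of full, incremental and differential jobs, and the
media a restore needs. Added illustration; not part of the original answer key.
The file names and day labels are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Volume:
    """A volume where every file carries an archive bit; any write sets it."""
    archive_bit: Dict[str, bool] = field(default_factory=dict)

    def write(self, *names: str) -> None:
        for name in names:
            self.archive_bit[name] = True


@dataclass
class Job:
    day: str
    kind: str           # "full", "incremental" or "differential"
    files: Set[str]     # what ended up on this job's media


def run_job(vol: Volume, day: str, kind: str) -> Job:
    """Select files the way each job type does, then clear the bit only where that type does."""
    if kind == "full":
        files = set(vol.archive_bit)                                   # ignores the bit; takes everything
    elif kind in ("incremental", "differential"):
        files = {n for n, bit in vol.archive_bit.items() if bit}       # only files changed since the bit was last cleared
    else:
        raise ValueError(f"unknown job type {kind!r}")
    if kind in ("full", "incremental"):                                # differential leaves the bit set
        for name in files:
            vol.archive_bit[name] = False
    return Job(day, kind, files)


def restore_chain(jobs: List[Job]) -> List[Job]:
    """Media to restore, in order, to reach the state after the last job."""
    last_full = max(i for i, j in enumerate(jobs) if j.kind == "full")
    since = jobs[last_full + 1:]
    kinds = {j.kind for j in since}
    if not kinds:
        return [jobs[last_full]]
    if kinds == {"incremental"}:
        return [jobs[last_full]] + since                 # full, then every incremental in order
    if kinds == {"differential"}:
        return [jobs[last_full], since[-1]]              # full, then only the newest differential
    raise ValueError("mixing incremental and differential jobs after one full is not modelled")


def incremental_week() -> List[Job]:
    """Full on Saturday, incrementals daily; the schedule of answer 147."""
    vol = Volume()
    vol.write("payroll.xlsx", "notes.txt", "site.cfg")
    jobs = [run_job(vol, "Sat", "full")]
    for day, changed in [("Sun", "payroll.xlsx"), ("Mon", "notes.txt"), ("Tue", "site.cfg")]:
        vol.write(changed)
        jobs.append(run_job(vol, day, "incremental"))
    return jobs


def differential_week() -> List[Job]:
    """Full on Wednesday, differentials daily; the schedule of answer 148."""
    vol = Volume()
    vol.write("payroll.xlsx", "notes.txt", "site.cfg")
    jobs = [run_job(vol, "Wed", "full")]
    for day, changed in [("Thu", "payroll.xlsx"), ("Fri", "notes.txt"), ("Sat", "site.cfg"),
                         ("Sun", "notes.txt"), ("Mon", "payroll.xlsx")]:
        vol.write(changed)
        jobs.append(run_job(vol, day, "differential"))
    return jobs


if __name__ == "__main__":
    for week in (incremental_week(), differential_week()):
        print([f"{j.day}:{j.kind}:{sorted(j.files)}" for j in restore_chain(week)])
```

The differential schedule grows each day (Monday's job contains every file touched since Wednesday) but restores from two pieces of media; the incremental schedule keeps each job small but needs every piece of media since the full, in order, and a single bad tape in the middle breaks the chain.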
  149. C. Data is stored on tape drives in a linear fashion. Once you write backup data to a tape, you cannot selectively replace individual files. When you perform a restore job, you might have to restore the most recent full backup, followed by incremental backups, which overwrites some of the full backup files with newer ones. Hard disk drives are random access devices, meaning that individual files can be written to and read from any location on the disk. When you perform incremental backup jobs to a hard disk, the software can restore data using any version of each file that is available. Data capacity, transfer speed, and block size are not relevant.
  150. C. Simple Network Management Protocol (SNMP) is a means of tracking the performance and functionality of network components. Software or firmware components called agents are embedded in network devices and communicate with a central monitoring console. SNMP does not provide fault tolerance. An Uninterruptible Power Supply (UPS) is a battery backup device that enables a computer to continue functioning in the event of a power failure. Redundant Array of Independent Disks (RAID) level 1 is a disk mirroring mechanism that provides fault tolerance by maintaining duplicate copies of all stored data. Clustering is a mechanism by which multiple servers function as a single unit, running the same application, so that if a server should fail, the others continue to function.
  151. B. A PDU for a datacenter performs the same basic function as an office power strip, but it typically has a larger power input. It does not necessarily have more outlets or a larger power output.
  152. A, D. A backup of a firewall's state includes its configuration as well as other elements, such as templates and policies. The state therefore contains more data than the configuration.
  153. D. Hydrofluorocarbon (HFC) 125 is a heat-absorbing gas that is frequently used for fire suppression systems. Many large datacenters include HFC-125 total flooding fire suppression systems because the products resulting from the flame retardation process are less toxic than carbon dioxide and do not damage electric and electronic equipment as water and foam do.
  154. A, B, D. CMR is a technique in which routers transmit data packets using multiple routes to the destination. This provides load balancing and improved performance by spreading the transmission among multiple paths and a measure of fault tolerance because a failure of one route only endangers part of the data. Data encapsulation is not involved in the CMR process.
  155. C. FHRPs provide a fault tolerant default gateway for network hosts by automatically failing over to an alternative router address in the event of a router failure. Protocols such as Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP) create a virtual router that hosts use for their default gateway. The virtual router contains the addresses of multiple physical routers, to which it sends packets transmitted by the hosts. This provides fault tolerance in the event that a router fails, and in some cases provides load balancing as well. FHRPs do not affect the hosts' IP addresses, subnet masks, or DNS server addresses.
  156. D. FHRPs provide a fault tolerant default gateway for network hosts by automatically failing over to an alternative router address in the event of a router failure. The Reverse Address Resolution Protocol (RARP) is a deprecated Internet Protocol (IP) address assignment protocol; it is not an FHRP. Common Address Redundancy Protocol (CARP), Virtual Router Redundancy Protocol (VRRP), and Hot Standby Router Protocol (HSRP) are all FHRPs.
  157. C. This redundant switch arrangement creates a switching loop. A switch floods every broadcast frame out of every port except the one on which it arrived, so a broadcast that enters the loop is forwarded from switch to switch endlessly, and each pass adds more copies. The result is a broadcast storm that can saturate the network; the Spanning Tree Protocol (STP) exists to block the redundant path so that this cannot happen.
  158. A, B, D. Configuring the router to split incoming packets between the two firewalls provides load balancing and a resulting performance increase. If one firewall should fail, the parallel arrangement enables the other one to take over the processing of all incoming packets, providing fault tolerance. Two firewalls in parallel do not provide additional security.
  159. A, D. In an active-active configuration, servers can balance the incoming client load between them. Because the active servers are all servicing clients, the overall performance of the cluster is increased. Both active-active and active-passive configurations provide fault tolerance. Data encapsulation is not a factor in either configuration.
  160. D. Access to the Internet can be interrupted by a failure on the Internet Service Provider's (ISP's) network, by a failure on the Wide Area Network (WAN) provider's network, or by a router failure on the local network. Building redundancy into all of these elements is the best way to ensure continuous access to the Internet.

Chapter 4: Network Security

  1. B, E, F. Servers that must be accessible both from the internal network and from the Internet are typically located in an area of the enterprise called a screened subnet, a perimeter network, or a demilitarized zone (DMZ). This area is separated from both the Internet and the internal network by firewalls, which prevents unauthorized Internet users from accessing the internal network. Intranet is another term for the internal network. Exterior Gateway Protocol (EGP) is a type of routing protocol, and stateless is a type of firewall; neither applies to this definition.
  2. C. Windows networks that use AD DS authenticate clients using the Kerberos protocol, in part because it never transmits passwords over the network, even in encrypted form. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting service for remote users connecting to a network. Windows does not use it for internal clients. WiFi Protected Access 2 (WPA2) is a security protocol used by wireless local area networks (LANs). It is not used for AD DS authentication. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a remote authentication protocol that AD DS networks do not use for internal clients.
  3. C, D. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password and a retinal scan is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is an example of multifactor authentication because it requires users to supply something they know and something they have. Multifactor authentication refers to the proofs of identity a system requires, not the number of servers used to implement the system. Therefore, the use of a Remote Authentication Dial-In User Service (RADIUS) server is not an example of multifactor authentication. A system that requires two passwords is not an example of multifactor authentication, because an attacker can compromise one password as easily as two. A multifactor authentication system requires two different forms of authentication.
  4. A. The Extensible Authentication Protocol (EAP) is the only Windows remote authentication protocol that supports the use of authentication methods other than passwords, such as smartcards. MS-CHAPv2 is a strong remote access authentication protocol, but it supports password authentication only. Users cannot use smartcards. The Challenge Handshake Authentication Protocol (CHAP) is a relatively weak authentication protocol that does not support the use of smartcards. The Password Authentication Protocol (PAP) supports only cleartext passwords, not smartcards.
  5. B. Multifactor authentication combines two or more authentication methods, requiring a user to supply multiple credentials. This reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. The term multifactor does not refer to the number of resources, devices, or groups with which the user is associated.
  6. C, D. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected. Authentication is the confirmation of a user's identity, and authorization defines the type of access granted to authenticated users.
  7. A. Authentication is the process of confirming a user's identity. Passwords are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
  8. A. Authentication is the process of confirming a user's identity. Fingerprints and other biometric readers are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
  9. A. Kerberos is a security protocol used by Active Directory that employs a system of tickets to authenticate users and other network entities without the need to transmit credentials over the network. IEEE 802.1X is a port-based access control framework that carries the supplicant's credentials to an authentication server. Temporal Key Integrity Protocol (TKIP) is a wireless encryption protocol and Lightweight Directory Access Protocol (LDAP) is a directory access protocol; neither is an authentication protocol.
  10. C. Auditing of authentication activities can record both successful and unsuccessful logon attempts. Large numbers of logon failures can indicate attempts to crack passwords. Auditing tracks the time of authentication attempts, sometimes enabling you to detect off-hours logons that indicate an intrusion. Auditing does not record the passwords specified during authentications, so it cannot identify patterns of unsuccessful guesses.
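What answer 10 describes is ordinary detection logic over an authentication audit trail: counting failures per account, noticing one source failing against many accounts, and flagging successes at odd hours or immediately after a burst of failures. The following added example (not part of the answer key) runs those checks over a handful of records; the log format and every record in it are constructed for the illustration and are not taken from any real product.

```python
"""Reads authentication audit records and flags the patterns item 10 describes:
repeated failures against one account, one source failing against many accounts,
successes outside business hours, and a success right after a burst of failures.
Added illustration; not from the original answer key. The log format and every
record below are constructed for the example, not taken from any real product."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2024-03-04 02:13:07 auth result=SUCCESS user=admin src=198.51.100.9
2024-03-04 09:00:01 auth result=FAIL user=alice src=203.0.113.7
2024-03-04 09:00:02 auth result=FAIL user=alice src=203.0.113.7
2024-03-04 09:00:03 auth result=FAIL user=alice src=203.0.113.7
2024-03-04 09:00:04 auth result=FAIL user=alice src=203.0.113.7
2024-03-04 09:00:05 auth result=FAIL user=alice src=203.0.113.7
2024-03-04 09:00:06 auth result=SUCCESS user=alice src=203.0.113.7
2024-03-04 09:05:00 auth result=FAIL user=bob src=203.0.113.50
2024-03-04 09:05:01 auth result=FAIL user=carol src=203.0.113.50
2024-03-04 09:05:02 auth result=FAIL user=dave src=203.0.113.50
2024-03-04 09:05:03 auth result=FAIL user=erin src=203.0.113.50
2024-03-04 10:30:00 auth result=SUCCESS user=bob src=192.0.2.12
2024-03-04 17:59:59 auth result=SUCCESS user=carol src=192.0.2.13
"""

# Note what is absent: the records carry the outcome, never the password that was tried.
RECORD = re.compile(r"^(\S+ \S+) auth result=(SUCCESS|FAIL) user=(\S+) src=(\S+)$")


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source) tuples; lines of another shape are skipped."""
    records = []
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def audit(log: str, fail_threshold: int = 5, spray_threshold: int = 3,
          business_hours: Tuple[int, int] = (8, 18)) -> Dict[str, object]:
    """Thresholds are assumptions for the example; tune them to the environment."""
    fails_per_user: Counter = Counter()
    users_per_src: Dict[str, set] = defaultdict(set)
    streak: Counter = Counter()                     # consecutive failures per account
    findings: Dict[str, object] = {"off_hours": [], "success_after_failures": []}
    start, end = business_hours
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            fails_per_user[user] += 1
            users_per_src[src].add(user)            # many accounts from one source = spraying
            streak[user] += 1
            continue
        if streak[user] >= fail_threshold:          # guessing that finally worked
            findings["success_after_failures"].append((user, src, streak[user]))
        streak[user] = 0
        if not start <= ts.hour < end:              # off-hours logon worth a look
            findings["off_hours"].append((ts.isoformat(sep=" "), user, src))
    findings["brute_force"] = {u: n for u, n in fails_per_user.items() if n >= fail_threshold}
    findings["spraying"] = {s: sorted(us) for s, us in users_per_src.items()
                            if len(us) >= spray_threshold}
    return findings


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The spraying check is the one a per-account failure counter misses: four accounts, one failure each, never trips a lockout threshold, but the shared source address gives it away.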
  11. A. Authentication is the process of confirming a user's identity. Smartcards are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
  12. A. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password (something you know) and a retinal scan (something you are) is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is another example of multifactor authentication because it requires users to supply something they know and something they have. Multisegment, multimetric, and multifiltered are not applicable terms in this context.
  13. A. Network Access Control (NAC) is a mechanism that defines standards of equipment and configuration that systems must meet before they can connect to the network. Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting service for remote users connecting to a network. Temporal Key Integrity Protocol (TKIP) with the RC4 cipher is an encryption protocol used on wireless networks running the WiFi Protected Access (WPA) security protocol.
  14. C. SSO uses one set of credentials and requires the user to supply them only once to gain access to multiple resources. Same sign-on also uses a single set of credentials, with one password, but the user must perform individual logons for each resource. Neither SSO nor same sign-on calls for multifactor authentication.
  15. C. Biometrics is a type of authentication factor that uses a physical characteristic that uniquely identifies an individual, such as a fingerprint or a retinal pattern. Biometrics is therefore best described as something you are, as opposed to something you know, something you have, or something you do.
  16. B. Something you have refers to a physical possession that serves to identify a user, such as a smartcard. This type of authentication is typically used as part of a multifactor authentication procedure because a smartcard or other physical possession can be lost or stolen. A fingerprint would be considered something you are, a password is something you know, and a finger gesture is something you do.
  17. D. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide Authentication, Authorization, and Accounting (AAA) services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. It was not designed to provide AAA services for wireless networks, Active Directory, or remote dial-in users.
  18. B, C. A PIN, like a password, is something you know, and a thumbprint, or any other biometric factor, is something you are. An example of something you have would be a smartcard, and an example of something you do would be a finger gesture.
  19. D. The act of drawing on the screen with your finger is a gesture, which is an example of something you do. A PIN or a password is something you know; a thumbprint, or any other biometric factor, is something you are; and a smartcard is an example of something you have.
  20. D. Something you do refers to a physical action performed by a user, such as a finger gesture, which helps to confirm his or her identity. This type of authentication is often used as part of a multifactor authentication procedure because a gesture or other action can be imitated. A fingerprint would be considered something you are, a password is something you know, and a smartcard is something you have.
  21. C. Something you know refers to information you supply during the authentication process, such as a password or PIN. This is the most common type of authentication factor because it requires no special hardware and cannot be lost in the way a smartcard can. It can, however, be guessed, phished, or disclosed, which is why it is so often combined with a second factor. A fingerprint would be considered something you are, a finger gesture is something you do, and a smartcard is something you have.
  22. A. Something you are refers to a physical characteristic that uniquely identifies an individual, such as a fingerprint or other form of biometric. This type of authentication is often used as part of a multifactor authentication procedure because a biometric element can conceivably be compromised. A finger gesture would be considered something you do, a password is something you know, and a smartcard is something you have.
  23. B. NAC is a set of policies that define security requirements that clients must meet before they are permitted to connect to a network. 802.1X is a basic implementation of NAC. Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are Authentication, Authorization, and Accounting (AAA) services. They are not NAC implementations themselves, although they can play a part in their deployment. Lightweight Directory Access Protocol (LDAP) provides directory service communications.
  24. C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. There is no party to the transaction called an authorizing agent.
  25. D. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. The supplicant is not involved in issuing certificates.
  26. C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. The authenticator is not involved in issuing certificates.
  27. C. The authentication server role is typically performed by a Remote Authentication Dial-In User Service (RADIUS) server. In an 802.1X transaction, the supplicant is the client attempting to connect to the network, the authenticator is a switch or access point to which the supplicant is requesting access, and the authentication server verifies the client's identity.
  28. B, C. Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are both services that provide networks with AAA. 802.1X provides only authentication, and Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities.
  29. A. Remote Authentication Dial-In User Service (RADIUS) was originally conceived to provide AAA services for Internet Service Providers (ISPs), which at one time ran networks with hundreds of modems providing dial-up access to subscribers. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches, but not for dial-up connections. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.
  30. A. Remote Authentication Dial-In User Service (RADIUS) uses User Datagram Protocol (UDP) port 1812 for authentication and port 1813 for accounting (or the legacy ports 1645 and 1646), whereas Terminal Access Controller Access Control System Plus (TACACS+) uses Transmission Control Protocol (TCP) port 49.
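Answers 27 through 30 describe the RADIUS server as the authority the authenticator consults; what actually crosses the wire is an Access-Request datagram whose User-Password attribute is hidden with the shared secret. The following added example (not part of the answer key) builds and parses such a request and implements the RFC 2865 User-Password hiding on both sides. The shared secret, user name, password and NAS values are constructed for the illustration.

```python
"""Builds and parses a RADIUS Access-Request, including the RFC 2865 User-Password
hiding that the shared secret drives. Added illustration; not from the original answer
key. The secret, user name, password and NAS values are constructed for the example."""
import hashlib
import os
import socket
import struct
from typing import List, Tuple

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813     # UDP; 1645/1646 are the legacy numbers
TACACS_PLUS_PORT = 49                               # TCP
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side of the same operation; a wrong secret yields garbage, not an error."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attributes are type (1 octet), length including the header (1 octet), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int, authenticator: bytes = b"") -> bytes:
    """Code, identifier, length, 16-octet Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)      # fresh random value per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Validate the length field against the datagram and walk the attribute list."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match the datagram")
    authenticator, attrs, i = packet[4:20], [], 20
    while i < length:
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[i + 2:i + attr_len]))
        i += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    secret = b"shared-secret"                                # constructed example values
    pkt = build_access_request(7, secret, "alice", "hunter2", "192.0.2.10", 3)
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, dict(attrs)[ATTR_USER_NAME], reveal_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth))
```

The hiding is an MD5 keystream derived from the shared secret, not authenticated encryption, so anyone who learns the secret can recover every password that crosses that link; this is why RADIUS traffic is normally confined to a management network or carried over IPsec or RadSec (RADIUS over TLS, RFC 6614).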
  31. B. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. Remote Authentication Dial-In User Service (RADIUS) provides AAA services, but not for routers and switches. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.
  32. C. Authorization is the process of determining what resources a user can access on a network. Typically, this is done by assessing the user's group memberships. Authentication is the process of confirming a user's identity. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
  33. A. Authentication is the process of confirming a user's identity by checking credentials, such as passwords, ID cards, or fingerprints. Authorization is the process of determining what resources a user can access on a network. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
  34. B. Accounting is the process of tracking a user's network activity, such as when the user logged on and logged off and what resources the user accessed. Authentication is the process of confirming a user's identity by checking credentials. Authorization is the process of determining what resources a user can access on a network. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
  35. B, D. In a public key infrastructure, data encrypted with a user's public key can only be decrypted with the user's private key, and data encrypted with a user's private key can only be decrypted with the user's public key. This enables the system to provide both message encryption and nonrepudiation. If data encrypted with a user's public key could be decrypted with that same public key, the system would provide no security at all. If data encrypted with a user's private key could be decrypted with that same private key, the user could only send secure messages to him- or herself.
  36. A. A Remote Authentication Dial-In User Service (RADIUS) server can provide Authentication, Authorization, and Accounting (AAA) services for remote access servers. Intrusion Detection Systems (IDSs), Next-Generation Firewalls (NGFWs), and Network Attached Storage (NAS) devices do not provide authentication services.
  37. B. The Integrity element of the CIA triad prevents data from being modified by unauthorized users. Confidentiality is protection against unauthorized viewing of data. Availability provides users with access to the data they need.
  38. C. Systems that use local authentication have user accounts stored on the computer, enabling users to log on without the need for any network communication. Systems that use Remote Authentication Dial-In User Service (RADIUS) or Kerberos for authentication require network communication. A password and a retinal scan is an example of a multifactor authentication system, which might or might not be local.
  39. B. A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access. A demilitarized zone (DMZ) is the part of a network where administrators locate servers that must be accessible from the Internet. A root guard provides protection to switch ports. Spoofing is an attack technique in which an intruder modifies packets to assume the appearance of another user or computer.
  40. A. A honeypot or honeynet is a type of mitigation technique that takes the form of a computer or network configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.
  41. D. Penetration testing is when an outside consultant is engaged to attempt an unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test. While having a consultant examine the network's security from within can be useful, this is not a penetration test. Computers or networks that are alluring targets for intruders are called honeypots or honeynets.
  42. C, D. A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a screened subnet, a demilitarized zone (DMZ), or a perimeter network. Administrators typically use a screened subnet for servers that must be accessible by outside users, such as web and email servers. For security reasons, domain controllers and Dynamic Host Configuration Protocol (DHCP) servers should be located on internal network segments.
  43. B. A vulnerability is a weakness, whether in software or hardware, of which an exploit is designed to take advantage. Neither term is specific to hardware or software.
  44. A. Security Information and Event Management (SIEM) is a product that combines two technologies: security event management (SEM) and security information management (SIM). Together, the two provide a combined solution for gathering and analyzing information about a network's security events. Simple Network Management Protocol (SNMP) is a technology that gathers information about managed devices. SEIM and SEM/SIM are not correct abbreviations for Security Information and Event Management.
  45. B. Your supervisor's concern is that the disgruntled technician might take advantage of his access to devices and facilities to sabotage the network. When an individual takes advantage of information gathered during his or her employment, it is called an internal (or insider) threat. An external threat is one originating from a non-employee. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks.
  46. C. A zero-day vulnerability is a serious software problem with a potential for exploitation in a newly released software product. The vulnerability has not yet been discovered, addressed, or patched by the software's developer, but it has been discovered by potential attackers; it is this absence of a patch or fix that makes the vulnerability a zero-day.
  47. B. The Common Vulnerabilities and Exposures (CVE) database is a resource that assigns identifier numbers to known security issues found in software products. By searching the database, Ralph can learn about the vulnerabilities that have already been found in the products he is evaluating. The Confidentiality - Integrity - Availability (CIA) triad lists important information security concepts, but it does not provide information about specific products. Stock Keeping Units (SKU) are product identifiers that do not involve security issues. Security Information and Event Management (SIEM) is a product that gathers and analyzes information about a network's security events, but it would not help Ralph discover vulnerabilities in the products he is evaluating.
  48. C. Role-based access control works by assigning permissions to specific jobs or job roles. Each new user can then be associated with a role and receive the necessary permissions automatically. When a user leaves a job, removing them from their role revokes the permissions associated with it. Least privilege, zero trust, and defense in depth are all theoretical security concepts, but they are not descriptive of Alice's practice in this regard.
  49. C. Least privilege is the practice of only providing users with the permissions they need to perform their designated tasks and no more. For her standard activities, Alice is given an account that does not have administrative permissions, because she does not need those permissions to perform standard tasks. The administrative account has the additional permissions needed for Alice to perform administrative tasks. The intention is for Alice to use that account only for those administrative tasks. Zero-day is a type of vulnerability; multifactor authentication calls for users to supply two identifying factors; defense in depth refers to the use of multiple security mechanisms to provide additional protection. None of these three options refers to the use of multiple user accounts.
  50. D. Lateral movement is when a user gains basic access to a network by legitimate means and then uses it to gain unauthorized access to other resources inside the network. A zero trust architecture provides full protection for all sensitive resources, even from users already inside the network. A zero trust architecture does not protect against zero-day vulnerabilities, which are unpatched flaws in software; external threats; or deauthentication, which is a type of Denial-of-Service (DoS) attack.
  51. E. Social engineering is a means for gaining unauthorized access to a network by convincing users to disclose passwords or other sensitive information; it is not part of a defense in depth strategy. Defense in depth can include physical protection, such as access control vestibules; division of resources using network segmentation, separation of duties, or screened subnets; and deceptive lures, such as honeypots.
  52. A, C. A threat assessment should estimate the potential severity of a threat, such as the damage that the loss of a specific resource can cause to the organization. The assessment should also estimate the likelihood of a particular threat occurring, as the organization will have to devote more attention to the more likely threats. An assessment of the organization's current posture (or status) with regard to a specific threat and the mitigation techniques used to counter it are both elements that come later in the risk management process, after the threat assessment has been completed.
  53. B. A process assessment is an examination of an existing procedure to determine its compliance with a specific set of goals that can include cost, quality, and timeliness. A vendor assessment is an examination of the organization's relationship with a specific business partner. Business assessment and risk assessment are more general terms that can include process assessments.
  54. B. Ransomware is a type of attack in which a user's access to his or her data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches.
  55. A, C. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the Media Access Control (MAC) address in the packets to one that is approved by the MAC filter. An on-path (or man-in-the-middle) attack is one in which an attacker intercepts network traffic, reads the traffic, and can even modify it before sending it on to the destination. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly, whereas a logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Neither of these last two involves modifying network packets.
  56. C. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Social engineering is the practice of obtaining sensitive data by manipulating legitimate users, such as by pretending to be someone with a genuine need for that data. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users.
  57. B, C. Configuring the access point not to broadcast its Service Set Identifier (SSID) will prevent an unsophisticated war driving attacker from seeing the network. Configuring your equipment to use WiFi Protected Access II (WPA2) security will make it difficult for a war driver who detects your network to connect to it. The SSID is just an identifier; its length has no effect on security. Wired Equivalent Privacy (WEP) is a security protocol that has been found to have serious weaknesses.
  58. B. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. When a war driver locates a wireless network and marks it for other attackers, it is called war chalking. There are no such attacks as war tagging and war signing.
  59. B. Bluesnarfing is an attack in which an intruder connects to a wireless device using Bluetooth, for the purpose of stealing information. Bluejacking is the process of sending unsolicited messages to a device using Bluetooth. The other options do not exist.
  60. D. Although a DoS attack typically involves traffic flooding, any attack that prevents a server from functioning can be called a DoS attack. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that actually damages the hardware, or the attacker can disable the server by altering its software or configuration settings. Flood-based attacks include the Distributed Denial-of-Service (DDoS) attack, one in which the attacker uses hundreds or thousands of computers controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target.
  61. B. Distributed Denial-of-Service (DDoS) attacks use hundreds or thousands of computers that have been infected with malware, called bots or zombies, to flood a target server with traffic in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. Neither attack type causes a computer to flood itself.
  62. A. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. Reflective and distributed DoS attacks use other computers to flood a target with traffic. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses a botnet consisting of hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
  63. A, B, C. A brute-force attack is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. A Denial-of-Service (DoS) attack floods a target server with traffic so that it is unable to function normally. While both of these attack types can be mounted using specialized software, they can also be the work of a lone attacker using nothing more than the tools provided on a standard workstation. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. It requires nothing more than a telephone or an email client. Phishing is the term for an attack that uses bogus emails or websites designed to infect users with some type of malware.
  64. B, C. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. The object of the attack is often to compel the client to connect to a rogue access point called an evil twin. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. Neither of these last two is specifically targeted at wireless clients.
  65. A. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No software or hardware solution can prevent it; the only way is to educate users on the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt. Social engineering is not a virus or other form of malware, so an antivirus product has no effect against it. Social engineering is not implemented in network traffic, so a firewall cannot filter it and IPSec cannot protect against it.
  66. B, C. Reflective and distributed DoS attacks use other computers to flood a target with traffic. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
  67. C. Virtual Local Area Network (VLAN) hopping is a method for sending commands to switches to transfer a port from one VLAN to another. This can enable the attacker to connect his or her device to a potentially sensitive VLAN. VLAN hopping does not modify the switch's patch panel connections, only its VLAN assignments. It is not possible to rename a switch's default VLAN. VLAN hopping does not enable an attacker to change a switch's native VLAN.
  68. B, D. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. It therefore requires nothing more than a vehicle and a wireless-equipped computer. The term driving in war driving refers to driving a vehicle, not a screw; a screwdriver is therefore not required. War driving uses a wireless computer or other device to scan for open networks; a telephone is therefore not required. War driving is a means for locating unprotected networks; it does not require a credit card number, nor does it involve stealing them.
  69. A. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the Media Access Control (MAC) address in the packets to one that is approved by the MAC filter. Brute-force is the method of repeated guessing, which is impractical with MAC addresses. The Domain Name System (DNS) works with IP addresses, not MAC addresses. War driving is the process of looking for unprotected Wireless Access Points (WAPs).
  70. C. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
  71. A. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
  72. A, D. Smurf attacks rely on routers to forward broadcast traffic. Routers no longer forward broadcast messages, so smurf attacks have been rendered ineffective. In the same way, Virtual Local Area Network (VLAN) hopping, which is a method for sending commands to switches to transfer a port from one VLAN to another, is rarely seen because switches are now designed to prevent it. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Phishing is the term for a bogus email or website designed to infect users with some type of malware. Both of these are still commonly used attack types.
  73. D. Although DoS attacks typically involve traffic flooding, any attack that prevents a server from functioning can be called a DoS attack. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that damages the hardware, or the attacker can disable the server by altering its software or configuration settings. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target.
  74. C. Distributed Denial-of-Service (DDoS) attacks use hundreds or thousands of computers that have been infected with malware, called bots or zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A reflective attack does not require infected computers; it takes advantage of the servers' native functions. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
  75. D. Domain Name System (DNS) poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. Then, when a client attempts to resolve the name of a website or other server, the DNS server supplies the incorrect IP address, causing the client to access the attacker's server instead. An evil twin is a rogue Wireless Access Point (WAP) on a network. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches, which can interfere with the resolution of IP addresses into Media Access Control (MAC) addresses on a local level. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
  76. B. Domain Name System (DNS) poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. This can interfere with the name resolution process by causing a DNS server to supply the incorrect IP address for a specified name. The process of resolving an IP address into a Media Access Control (MAC) address can be interfered with by Address Resolution Protocol (ARP) poisoning. DNS has nothing to do with passwords or switching.
  77. C. A vulnerability is a potential weakness in a system that an attacker can use to his or her advantage. An exploit is a hardware or software element that is designed to take advantage of a vulnerability. A mitigation is a form of defense against attacks on system security. A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.
  78. D. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. The terminated administrator might have created code designed to trigger the deletions after the administrator's departure from the company. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. The Address Resolution Protocol (ARP) is responsible for resolving IP addresses into Media Access Control (MAC) addresses. ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. An evil twin is a fraudulent access point on a wireless network.
  79. B, C. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. This can enable an attacker to intercept traffic intended for another system. In an on-path (man-in-the-middle) attack, the attacker can read the intercepted traffic and even modify it before sending it on to the destination. In a session hijacking attack, the attacker can use the intercepted traffic to obtain authentication information, including passwords. An evil twin is a fraudulent access point on a wireless network. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone.
  80. B. A replay attack is one in which an attacker utilizes the information found in previously captured packets to gain access to a secured resource. In many cases, the captured packets contain authentication data. In this way, the attacker can make use of captured passwords, even when they are encrypted and cannot be displayed. The other options all describe valid attack methodologies, but they are not called replay attacks.
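The usual defense against the replay attack described in answer 80 is to make every authentication message single-use and time-bounded, so a captured copy is worthless even though its contents are still cryptographically valid. The following is an added example, not from the book: a constructed client/server exchange in which the message carries a timestamp and a random nonce under an HMAC (the shared secret, user name and nonce values are placeholders), and the server rejects repeats, stale copies and tampered messages.

```python
"""Replay-attack detection for a simple authentication message (answer 80).

Constructed example: the client sends user|timestamp|nonce|HMAC. The server
accepts each (user, nonce) pair once within a freshness window, so a captured
message replayed later is rejected even though its HMAC still verifies.
"""
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"   # placeholder, not a real key
FRESHNESS_WINDOW = 30                        # seconds a message stays valid


def build_message(user: str, timestamp: int, nonce: str = "") -> str:
    """Client side: MAC over user, time and a random nonce."""
    nonce = nonce or secrets.token_hex(8)
    body = f"{user}|{timestamp}|{nonce}"
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class ReplayGuard:
    """Server side: verifies the MAC and rejects stale or repeated messages."""

    def __init__(self) -> None:
        self.seen: dict = {}   # (user, nonce) -> timestamp of first acceptance

    def accept(self, message: str, now: int) -> tuple:
        """Return (accepted, reason) for one incoming message at time `now`."""
        try:
            user, ts_text, nonce, mac = message.split("|")
            timestamp = int(ts_text)
        except ValueError:
            return False, "malformed"
        body = f"{user}|{ts_text}|{nonce}"
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"        # tampered, or built with another secret
        if abs(now - timestamp) > FRESHNESS_WINDOW:
            return False, "stale"          # replayed long after it was captured
        if (user, nonce) in self.seen:
            return False, "replay"         # the same captured message again
        self.seen[(user, nonce)] = timestamp
        # Drop nonces that could no longer pass the freshness check anyway.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= FRESHNESS_WINDOW}
        return True, "ok"


def demo() -> list:
    """Legitimate use, two replays of the captured message, and a tampered copy."""
    guard = ReplayGuard()
    t0 = 1_700_000_000                      # constructed clock value
    msg = build_message("alice", t0, nonce="4f1a9c02b3d7e5f6")
    return [
        guard.accept(msg, now=t0 + 1)[1],                           # first use
        guard.accept(msg, now=t0 + 5)[1],                           # replayed
        guard.accept(msg, now=t0 + 120)[1],                         # replayed late
        guard.accept(msg.replace("alice", "admin"), now=t0 + 2)[1], # tampered
    ]


if __name__ == "__main__":
    print(demo())
```

The MAC alone is what the captured packets in the answer would carry; without the nonce bookkeeping the second call would be accepted exactly like the first.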
  81. B. This is a classic example of a phishing scam. In all likelihood, the link in the email Ed received has taken him not to the real website of his bank, but rather a duplicate created by an attacker. By supplying his logon credentials, he is in effect giving them to the attacker, who can now gain access to his real bank account. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
  82. A, C, D. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. Phishing is an attack type that is targeted at all users, not just wireless ones.
  83. C, D. A DoS attack is one designed to prevent a target from fulfilling its function. While ping floods are a common form of server DoS attacks, physically damaging the server hardware also prevents it from performing its function. Therefore, this too is a type of DoS attack. Capturing packets and rogue access points are not typically described as DoS attacks.
  84. A. A zombie (or bot) is a computer that has been infected by malware—usually some form of Trojan—which an attacker can control remotely, causing the computer to flood a target system with traffic. An attack using multiple zombies is known as a Distributed Denial-of-Service (DDoS) attack. The other options are not examples of zombies.
  85. C. Ransomware is a type of attack in which a user's access to his or her computer or data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption.
  86. B. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No computer equipment is required, and no software or hardware solution can prevent it; the only way is to educate users on the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. A brute-force or dictionary attack is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. Phishing is the term for a bogus email or website designed to infect users with some type of malware.
  87. B. A brute-force attack (also called a dictionary attack) is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. Brute-force does not refer to a physical attack. Flooding a server with traffic created by zombies is a Distributed Denial-of-Service (DDoS) attack. Deploying an unauthorized access point is an evil twin attack.
  88. A. An evil twin is a fraudulent access point on a wireless network, which an intruder can use to obtain passwords and other sensitive information transmitted by users. War driving is the term for seeking out open wireless networks. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
  89. C. Social engineering is the term for a type of attack in which a smooth-talking intruder contacts a user and convinces him or her to disclose sensitive information, such as account passwords. An on-path (man-in-the-middle) attack is one in which an attacker intercepts network traffic, reads the traffic, and can even modify it before sending it on to the destination. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. An evil twin is a fraudulent access point on a wireless network.
  90. B. Operating system updates and patches are frequently released to address newly discovered exploits that make computers vulnerable to malware infestation. Applying updates on a regular basis can help to mitigate the impact of malware. Updates and patches typically cannot mitigate Denial of Service (DoS) attacks, and they have no effect on nontechnical dangers such as social engineering or dangers that apply to switches, such as port security hazards.
  91. D. The term social engineering refers to various methods that attackers can use to gain access to secured resources by manipulating authorized users, either physically or digitally. An evil twin is a rogue access point deliberately connected to the network for malicious purposes, so it is not a form of social engineering. Piggybacking and tailgating typically refer to the practice of closely following an authorized individual through a physical security barrier, such as a locked door or a guarded entrance. Shoulder surfing is a method of gathering sensitive information by passing behind a user and looking at their monitor. Phishing is a digital form of social engineering in which a user is duped into disclosing sensitive information by a faked email or other communication.
  92. B. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods. WiFi Protected Access (WPA) is a wireless encryption standard. Temporal Key Integrity Protocol (TKIP) is an encryption algorithm. Transport Layer Security (TLS) is an encryption protocol used for Internet communications.
  93. A. Extensible Authentication Protocol (EAP) and 802.1X are both components of an authentication mechanism used on many wireless networks. EAP and 802.1X do not themselves provide authorization, encryption, or accounting services.
  94. A, B. Protected Extensible Authentication Protocol (PEAP) encapsulates EAP inside a Transport Layer Security (TLS) tunnel. Flexible Authentication via Secure Tunneling (FAST) also establishes a TLS tunnel to protect user credential transmissions. EAP-TLS uses TLS for encryption, but not for tunneling. EAP-PSK uses a preshared key to provide an authentication process that does not use encryption.
  95. C. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. In wireless networking, geofencing is intended to prevent unauthorized clients outside the facility from connecting to the network. Local authentication is an application or service that triggers an authentication request to which the user must respond before access is granted. Port security is a method for protecting access to switch ports. Motion detection is a system designed to trigger a notification or alarm when an individual trespasses in a protected area.
  96. A. Geofencing is a mechanism that is intended to prevent unauthorized clients outside the facility from connecting to the network. The mechanism can take the form of a signal strength or power level requirement, a GPS location requirement, or strategic placement of the antennae for wireless access points. The other options listed are not descriptions of typical geofencing technologies.
  97. C. As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The certificate is issued to a person or computer as proof of its identity. A signature does not associate a person or computer with a key pair. An exploit is a hardware or software element that is designed to take advantage of a vulnerability. Resource records are associated with the Domain Name System (DNS).
  98. A, D. The Protected Extensible Authentication Protocol (PEAP) and EAP Flexible Authentication via Secure Tunneling (EAP-FAST) both use TLS tunneling to secure authentication transmissions. EAP Password (EAP-PWD) and EAP-MD5 do not use TLS for tunneling or any other purpose.
  99. A, B, C, E. Encryption, authentication, Media Access Control (MAC) filtering, and antenna placement are all techniques for hardening a wireless network against attack. Social engineering is a type of attack in which an intruder contacts a user and convinces him or her to disclose sensitive information, such as account passwords; it is not specifically associated with wireless networks.
  100. A. There are no policies that can prevent users from creating easily guessed passwords. The only action that can help is to educate users on the fact that attackers are frequently able to guess passwords by using information such as familiar names and dates. Forcing more frequent password changes would not compel users to alter their method for choosing passwords, nor would increasing the password history value. Assigning random passwords would address the issue, but user complaints and forgotten passwords would likely create greater problems than it would solve.
  101. A, C, D. Access points, switches, and routers all require authentication to access their administrative interfaces, and most have a standard username and password configured at the factory. The purchaser can modify the default credentials, but many people fail to do so. Windows servers do not have default credentials assigned; the installer is prompted to specify an Administrator password during the setup process.
  102. A, D. Secure Shell (SSH) and Telnet are both remote terminal programs, but Telnet passes instructions (including passwords) in cleartext, whereas SSH is encrypted. Hypertext Transfer Protocol Secure (HTTPS) is the encrypted version of Hypertext Transfer Protocol (HTTP). In both of these cases, the suggested substitute is more secure. However, Temporal Key Integrity Protocol (TKIP) provides less secure encryption than Advanced Encryption Standard (AES), and Wired Equivalent Privacy (WEP) is less secure than WiFi Protected Access 2 (WPA2).
  103. B, C. Servers and switches are both devices on which unused ports can be a security hazard, but they use the term port differently. Servers have application layer ports that permit specific types of service traffic to enter the server. Switches have ports to which administrators can connect computers and other devices. Both can provide attackers with unauthorized access to the device. It is not possible to disable hub ports, and the Wireless Access Points (WAPs) used on enterprise networks typically have only a single port.
  104. B. Disabling SSID broadcasts is a way of hiding the presence of a wireless network, but if an intruder knows that a network is there, it is a simple matter to capture packets transmitted by the wireless devices and read the SSID from them. It is not possible to connect to a wireless network without the SSID. SSIDs are set by the administrator of the access point; they are not printed on the device's label. SSIDs can be found relatively easily but guessing them is no easier than guessing a password.
  105. C. Upgrading the UEFI or BIOS firmware on a server typically does not enhance its security, so it cannot be considered a form of server hardening. Disabling services and ports that are not in use reduces the attack surface of a server, and creating privileged user accounts reduces the chance that privileged accounts will be compromised. Therefore, these are all forms of server hardening.
  106. A, D. If there is no way for unauthorized people to access the datacenter, then there is no danger of someone plugging a device into a port that is left enabled. If the switch uses an Access Control List (ACL) that specifies the Media Access Control (MAC) addresses of systems permitted to connect to it, then there is no need to disable unused ports. However, disabling the ports is probably far easier than creating and maintaining the ACL. Ports that are not patched in can still be compromised at the switch location. Enabling ports is not difficult, so accommodating new users is not a valid reason for leaving them enabled.
  107. D. The “Passwords must meet complexity requirements” policy includes a provision that new passwords cannot include the user's account name or full name. If the full name is delimited by spaces or punctuation, the individual words cannot appear in the password either. The other options do not prevent the use of common passwords.
  108. D. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. It is therefore not a method for hardening an access point. Upgrading the device's firmware to apply security fixes, changing the default administrative credentials applied at the factory, and frequent Pre-Shared Key (PSK) changes are all means of hardening the security of an access point.
  109. C. Network hardening is a term used to describe any method of making it more difficult for intruders to penetrate. In many cases, network hardening techniques are based on education rather than technology. Compelling users to create passwords that are difficult to guess is one example of this. Mitigation techniques are methods for reducing the severity of an attack. Multifactor authentication calls for the use of two different identity confirmation mechanisms, such as a password and a fingerprint. Access control is a technique for creating a list of approved users or systems.
  110. A, B. Administrator is the default administrative user account in Windows, and root is the administrative account in Linux. Control and admin are not privileged user accounts provided with the operating systems.
  111. B, D. Virtual Local Area Networks (VLANs) can be used to isolate systems on a separate network segment. A demilitarized zone (DMZ), also called a screened subnet or a perimeter network, is a network segment accessible from the Internet and separated from the internal network by a firewall. Both of these are methods for isolating systems to prevent security breaches from spreading beyond their bounds. Access Control Lists (ACLs) and Network Access Control (NAC) are both methods for enhancing network security, but they are not segmentation methods.
  112. D. Dynamic Host Configuration Protocol (DHCP) snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. The other options are all techniques that are applicable to servers.
  113. B. ACLs define the type of access granted to authenticated users. This process is known as authorization. Authentication is the confirmation of a user's identity. Accounting and auditing are both methods of tracking and recording a user's activities on a network.
  114. C. Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Geofencing is a technique for limiting access to a wireless network. Network segmentation describes the process of creating multiple Virtual Local Area Networks (VLANs) or deploying firewalls to isolate part of a network. VLAN hopping is a type of attack in which an intruder sends command messages to a switch to transfer a port from one VLAN to another.
  115. B. Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Switches, routers, and access points do not use this technique.
  116. D. An implicit deny is a policy that denies access to a resource by default, without a rule defining that denial. Creating a new rule denying access is an explicit deny. If anyone was able to access the server remotely by default, that would be an implicit allow. An explicit allow is a rule granting specific users remote access.
  117. A. Dynamic Host Configuration Protocol (DHCP) snooping is a process in which the switch examines DHCP traffic to determine the IP addresses that DHCP servers have assigned to specific MAC addresses. Dynamic ARP Inspection (DAI) detects ARP poisoning attempts by comparing the IP-and-MAC address pairs in ARP packets with those in the DHCP snooping table it has compiled. The switch then discards packets with address pairs that do not match. Secure Network Protocol (SNP), Domain Name System (DNS) name resolution, and Neighbor Discovery Protocol (NDP) are not used to implement DAI.
  118. D. Dynamic Host Configuration Protocol (DHCP) snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. Although DHCP snooping can prevent DHCP clients from being assigned an incorrect IP address, it does not directly prevent the poisoning of Domain Name System (DNS) server caches with erroneous information.
  119. A. Although DHCP is an application layer service that uses the User Datagram Protocol (UDP) transport layer protocol to assign network layer IP addresses, DHCP snooping is a data link layer process in which a network switch examines incoming DHCP traffic to determine whether it originates from an authorized server and is arriving over the correct port.
  120. C. By flooding a switch with packets containing many different false Media Access Control (MAC) addresses, an attacker can cause the legitimate entries in the switch's MAC table to be aged out of the device and replaced with bogus entries. When the destinations of incoming packets are not found in the table, the switch broadcasts them throughout the network, where they can be more readily captured and compromised. A flood guard is a mechanism that prevents confirmed MAC addresses in the table from being replaced. A flood guard in a switch cannot protect against Domain Name System (DNS) poisoning, war driving, or evil twin attacks.
  121. B. A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric. Root guards do not affect the Extensible Authentication Protocol (EAP), the Lightweight Directory Access Protocol (LDAP), or the Address Resolution Protocol (ARP).
  122. A. File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach. Role separation applies to the deployment of applications on servers. Deauthentication is a type of wireless network attack. Tamper detection is a term used to describe a physical security measure for hardware. Router Advertisement (RA) guard is a feature found on certain switches that prevents the misuse of RA messages to redirect traffic.
  123. C. Digital signatures can be used for the following functions: authentication, to confirm that data originated from a specific individual; nonrepudiation, to prevent the sender from denying the data's origin; and integrity, to confirm that the data has not been modified in transit. Segmentation is not a function of digital signatures.
  124. A, B, C. Because only Ralph possesses the private key, only he could have signed and encrypted it. Although it is possible for someone other than Alice to have decrypted the document while it was in transit, using Ralph's public key, that individual could not have modified it and encrypted it again.
  125. B, D. Because anyone can obtain Ralph's public key, the document could have been created and encrypted by anyone. However, because only Ralph possesses the private key that can decrypt the document, he can be sure that no one else has opened it while it was in transit.
  126. A. Firmware is a type of software permanently written to the memory built into a hardware device. A firmware patch overrides the read-only nature of this memory to update the software. Driver updates, feature updates, and vulnerability patches are typically applied to software products, such as applications and operating systems.
  127. A. A patch is a relatively small update that is designed to address a specific issue, often a security exploit or vulnerability. Patches do not add features or new capabilities; they are fixes targeted at a specific area of the software. Updates, upgrades, and service packs are larger packages that might include new features and/or many different fixes.
  128. C. Rolling back, the process of uninstalling a patch to revert to the previous version of the software, is not part of the patch evaluation process. The evaluation process for new patches in a corporate environment usually consists of a research stage, in which you examine the need and purpose for the patch; a testing stage, in which you install the patch on a lab machine; and a backup of the production systems to which you will apply the patch.
  129. D. Rollback is a term used in change management to describe the process of reversing a change that has been made, to restore the original configuration. In the case of patch management, a rollback is the process of uninstalling a recently installed software update. The terms backslide, downgrade, and reset are not used to describe this procedure.
  130. D. MAC address filtering enables administrators to configure an access point to allow only devices with specific addresses to connect; all other traffic is rejected. Access points broadcast their presence using a Service Set Identifier (SSID), not a MAC address. MAC address filtering protects WLANs when implemented in an access point, not a firewall. MAC address filtering does not call for the modification of addresses in network packets. MAC filtering does not isolate clients from the network.
  131. D. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. It is therefore best described as somewhere you are. A finger gesture would be considered something you do, a password is something you know, and a smartcard is something you have.
  132. A. Wireless Access Points (WAPs) typically include the ability to maintain an Access Control List (ACL), which specifies the Media Access Control (MAC) addresses of devices that are permitted to connect to the wireless network. The technique is known as MAC address filtering. Remote Authentication Dial-In User Service (RADIUS) servers, domain controllers, and smartcards typically do not include MAC filtering capabilities.
  133. A, C. NTFS files and folders all have ACLs, which contain Access Control Entries (ACEs) that specify the users and groups that can access them and the specific permissions they have been granted. Wireless Access Points (WAPs) have ACLs that contain Media Access Control (MAC) addresses of the devices that are permitted to connect to the wireless network. Lightweight Directory Access Protocol (LDAP) and Kerberos are protocols that provide directory service communication and authentication, respectively. Neither one uses ACLs.
  134. A. Media Access Control (MAC) filtering takes the form of an Access Control List (ACL) on the wireless network's access points, listing the MAC addresses of all the devices that are to be permitted to access the network. If the MAC address of Alice's laptop is not included in the ACL, she will be unable to connect to the network. Alice has been given the SSID of the network, so she should be able to connect, even if the access points are not broadcasting the SSID. Geofencing is intended to prevent users outside the office from accessing the network, so this should not be the problem. Alice has been given the passphrase for the network, so she should be able to configure WiFi Protected Access 2 (WPA2) on her laptop. Alice is not using a separate guest network, so this is not preventing her from connecting.
  135. B. A captive portal is a web page displayed to a user who is attempting to access a public wireless network. The user typically must supply credentials, provide payment, or accept a user agreement before access is granted. A captive portal does not refer to a switch port, a secured entryway to a room, or a type of extortionate computer attack.
  136. A. A web page that prompts users for payment, authentication, or acceptance of a EULA is a captive portal. Ransomware is a type of attack that extorts payment. Port security and root guards are methods for protecting access to switch ports.
  137. B. Port isolation, also known as Private Virtual Local Area Network (VLAN), is a feature in some switches that enables administrators to restrict selected ports to a given uplink, essentially creating a separate, secondary VLAN that is isolated from the switch's default, primary VLAN. Screened subnets (also called perimeter networks or demilitarized zones [DMZs]), frame relay, and VPNs are not switching techniques.
  138. B, C. Because many IoT devices are mobile or located in unprotected areas, a firewall is not a viable protection mechanism for all of them, nor is the practice of placing them on separate network segments. Network security mechanisms such as access control policies and centralized gateways providing authentication and authorization could conceivably be incorporated into a general IoT security standard.
  139. B, D. The default Virtual Local Area Network (VLAN) on most switches has the ID VLAN 1, not VLAN 0, and it cannot be renamed or deleted. The default VLAN does not have to be created by the administrator; it is the one to which all ports are assigned in the default configuration.
  140. D. Control plane policing uses Quality of Service (QoS) policies to block, allow, or impose rate limits on the traffic processed by the router or switch. Internet Protocol Security (IPSec) is a network layer security mechanism that encrypts or authenticates traffic. 802.1X is a network authentication mechanism. Router Advertisement (RA) Guard is a feature found on certain switches that prevents the misuse of RA messages to redirect traffic. Virtual Local Area Network (VLAN) hopping is a method for sending commands to switches to transfer a port from one VLAN to another.
  141. B. A VPN typically enables remote clients to connect to a VPN router at a central site, much like the star topology of a Local Area Network (LAN), in which computers are all connected to a central switch. Dynamic Multipoint Virtual Private Network (DMVPN) is a technology that creates a mesh topology between the remote VPN sites, enabling the remote sites to connect directly to each other, rather than to the central VPN server. A VPN concentrator is a type of router that enables multiple client systems to access a network from remote locations. A Session Initiation Protocol (SIP) trunk provides a connection between the private and public domains of a unified communications network. Multiprotocol Label Switching (MPLS) is a data transfer mechanism that assigns labels to individual packets, and then routes the packets based on those labels. Clientless VPN creates an encrypted tunnel to a server using a browser, without the need to install additional client software.
  142. C. Point-to-Point Tunneling Protocol (PPTP) is considered to be obsolete for VPN use because of several serious security vulnerabilities that have been found in it. IPSec, Layer 2 Tunneling Protocol (L2TP), and Secure Sockets Layer/Transport Layer Security (SSL/TLS) are all still in use.
  143. C. Layer 2 Tunneling Protocol (L2TP) is used to create the tunnel forming a VPN connection, but it does not encrypt the traffic passing through the tunnel. To do this, it requires a separate protocol that provides encryption, such as Internet Protocol Security (IPSec). Point-to-Point Tunneling Protocol (PPTP) and Secure Sockets Layer (SSL) are both capable of encrypting tunneled traffic.
  144. A, B, C. Although the computers do not have to use hardware made by the same manufacturer, both must use the same basic type of WAN connection, such as a leased line, a modem and PSTN line, or an Internet connection. Both of the computers must also use the same data link layer protocol, such as PPP, to establish a remote network connection. Most remote network connections use some form of authentication mechanism, even if it is nothing more than the exchange of a username and cleartext password. To establish the remote network connection, both computers must be configured to use the same type of authentication, even if it is no authentication at all. As long as all of the other elements are in place, such as the physical layer connection and the protocols, there is no need for both of the computers involved in a remote network connection to be running the same operating system.
  145. C. Secure Shell (SSH) is a character-based tool that enables users to execute commands on remote computers. It does not provide web server/browser security. Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers. Transport Layer Security (TLS) is an updated security protocol that is designed to replace SSL. Datagram Transport Layer Security (DTLS) is a security protocol that provides the same basic functions as TLS, but for User Datagram Protocol (UDP) traffic.
  146. D. An extranet VPN is designed to provide clients, vendors, and other outside partners with the ability to connect to your corporate network with limited access. A host-to-site VPN is a remote access solution, enabling users to access the corporate network from home or while traveling. A site-to-site VPN enables a branch office to connect to the home office using the Internet rather than a more expensive Wide Area Network (WAN) connection. A host-to-host VPN enables two individual users to establish a protected connection to each other.
  147. B. Trivial File Transfer Protocol (TFTP) is typically used to download boot image files to computers performing a Preboot Execution Environment (PXE) startup. It is not used for remote control. Remote Desktop Protocol (RDP) is used by Remote Desktop Services in Windows to provide clients with graphical control over servers at remote locations. Secure Shell (SSH) and Telnet are both character-based tools that enable users to execute commands on remote computers.
  148. A. RDP is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information. Because the client program does not participate in the application computing on the server, it is known as a thin client. RDP does not provide clientless virtual private networking, encrypted tunneling, or unauthenticated file transfers.
  149. B. A site-to-site VPN enables one network to connect to another, enabling users on both networks to access resources on the other one. This is usually a more economical solution for branch office connections than a Wide Area Network (WAN) link. A host-to-site VPN is a remote access solution, enabling users to access the corporate network from home or while traveling. A host-to-host VPN enables two individual users to establish a protected connection to each other. An extranet VPN is designed to provide clients, vendors, and other outside partners with the ability to connect to a corporate network with limited access.
  150. C. EAP is the only authentication protocol included with Windows 10 that supports hardware-based authentication, so this is the only viable option. PAP transmits passwords in cleartext and is therefore not a viable option, nor is CHAP, because it must store passwords using reversible encryption. MSCHAPv2 provides sufficient password protection but does not support the hardware-based authentication needed for smartcard use.
  151. B, C. Remote Desktop Protocol (RDP) is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information. Virtual Network Computing (VNC) is a similar desktop sharing system that is platform independent and open source. Secure Shell (SSH) and Telnet are character-based remote control solutions.
  152. D. The term virtual desktop does not refer to a projection device that can display a computer desktop on a screen. A virtual desktop can be a realization of a computer monitor in a virtual reality environment; a virtualized desktop larger than the monitor, which users can scroll to view all parts of the display; or a cloud-based service provided by Microsoft Azure that provides users with access to their desktops using remote devices.
  153. A, B, C. RDP is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information.
  154. A, B, C. VNC is a graphical desktop sharing system that uses a protocol called Remote Frame Buffer (RFB) to connect a client to a server and control it remotely. VNC does not transmit actual application data; it just transfers keystrokes, mouse movements, and graphic display information.
  155. A, C. Telnet is a character-based remote-control protocol and application that is available on virtually all computing platforms. Because it is strictly character based, Telnet clients transmit only keystrokes and receive only character-based display information from the server.
  156. C. Remote Desktop Gateway is a Windows Server role that enables remote users outside the network to establish a Remote Desktop Protocol (RDP) connection without the need for a Virtual Private Network (VPN) connection. The gateway does not provide multiple Remote Desktop client access to one workstation, Remote Desktop client access to multiple workstations, or access to workstations without a Remote Desktop client.
  157. B, C. Out-of-band management uses a dedicated channel to devices on the network. This means that the device to be managed does not require an IP address. The channel provides access to the BIOS or UEFI firmware and makes it possible to reinstall the operating system on a remote computer. Telnet, SSH, and VNC are not out-of-band management tools.
  158. C. Out-of-band management refers to the use of an alternative communications channel to a network device. The channel can be a modem connection, a direct cable connection, a wireless or cellular connection, or a dedicated Ethernet connection.
  159. A, C, D, F. A computer requires four components to establish a remote connection. First, a physical-layer Wide Area Network (WAN) connection is needed. Second, the two systems must share common protocols from the data link layer and above. Third, if TCP/IP is being used to establish a remote session, then TCP/IP parameters must be configured on the systems. Fourth, host and remote software are needed. The remote client must have software that enables it to establish a remote session, and the server must have software that enables it to receive and grant remote sessions. Microsoft RAS supports both client and server remote access software; however, this is not a required component since other types of software can be used. PPTP is a tunneling protocol and is not a required component for establishing a remote session.
  160. B. When users connect to a remote network using a VPN, they become a participant on that network, which includes using the remote network's Internet connection. Therefore, when a user opens a browser, the application passes the user's requests through the VPN tunnel to the remote server, which uses the default gateway and Internet connection at the remote site to connect to the desired address. This is inherently slower than connecting the browser directly to the Internet from the client computer.
  161. D. A site-to-site VPN connection connects two remote Local Area Networks (LANs) together, enabling users on either network to access the other one. The typical configuration would consist of two VPN concentrators, one at each site, functioning as the endpoints of the connection.
  162. C. A client-to-site VPN connection connects a single workstation to a remote Local Area Network (LAN), enabling the workstation user to access the remote network's resources. The typical configuration would consist of a standalone workstation and a VPN concentrator at the network site functioning as the endpoints of the connection.
  163. B, C. The two most common types of TLS/SSL VPN connection are TLS/SSL portals, which provide users with access to selected remote network resources through a standard website, and TLS/SSL tunnels, which require the client web browser to run an active control, typically using Java or Flash. TLS/SSL client and TLS/SSL gateway are not common TLS/SSL VPN connections.
  164. A. A host-to-host VPN connection connects two individual workstations at different locations, enabling the users on each workstation to access the other one through a secure tunnel. The typical configuration would consist of two workstations, one at each site, functioning as the endpoints of the connection.
  165. A. The term out-of-band is used to describe any type of management access to a device that does not go through the production network. Plugging a laptop into the console port avoids the network, so it is considered to be an example of out-of-band management. In-band management describes an access method that goes through the production network. Client-to-site is a type of Virtual Private Network (VPN) connection, and Bring Your Own Device (BYOD) is a policy defining whether and how users are permitted to connect their personal devices to the network.
  166. A, B. Because the two endpoints of a VPN are connecting to local Internet Service Providers (ISPs), the ongoing connection costs are typically much less than a long-distance WAN connection. However, in most cases, a VPN is slower because it is affected by Internet bandwidth use and other factors. VPN connections are not inherently less secure than WANs, and they are not necessarily more difficult to maintain.
  167. B, C, D. Any method of connecting to a router, switch, or other managed device that does not use the production network is considered to be out-of-band management. This includes connecting a computer or terminal directly to the device, using a point-to-point modem connection, or consolidating dedicated ports on all of the devices by connecting them to an isolated switch. Logging on remotely using a workstation on the production network would be considered in-band management.
  168. C. VNC supports many operating systems, can run through a web browser, and is free. However, it is not any faster than the competing products.
  169. A. Telnet (TELetype NETwork) was the first TCP/IP terminal emulation program, but it is rarely used today because of its limitations. It is character-based only, and it transmits all data as cleartext, which is insecure. Secure Shell (SSH) addresses the security problem, but it too is character-based. Windows Terminal Services and Virtual Network Computing (VNC) were both created to provide graphical terminal emulation.
  170. A, C, D. Tunneling is the process of encapsulating a data packet within another packet; in a VPN, the encapsulated (inner) packet is then encrypted so that only the tunnel endpoints can read it. Message integrity, typically provided by a keyed hash (HMAC) over each packet, enables the recipient to detect any tampering with the data in transit. Authentication verifies the identity of the tunnel endpoints, so that each side knows it is exchanging data with the intended peer rather than an impostor. There is no applicable technique called socketing.
  171. B, C. A basic VPN typically uses full tunneling, in which all of the system's network traffic is encapsulated and encrypted for transmission. Split tunneling is a variation of this method in which only part of the system's traffic uses the VPN connection; the rest is transmitted over the local network in the normal manner. Administrators can select which applications, destinations, and devices use the VPN. Split tunneling can conserve the Internet bandwidth used by the VPN and provide access to local services without the need for encapsulation. The trade-off is that a split-tunneled host is attached to an untrusted local network and to the corporate network at the same time, so an attacker on the local network can reach the host directly, bypassing the perimeter controls that full tunneling enforces. Split tunneling does not provide additional data integrity protection or improved performance through multiplexing.
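The routing decision behind full versus split tunneling, as an added example (this code is not from the original page or any VPN product). The corporate prefixes and the home LAN are constructed sample values. In split mode only destinations inside a corporate prefix are sent through the tunnel; in full mode everything is. The overlap check catches a common split-tunnel pitfall: a home LAN that uses the same address range as a corporate prefix, which makes the client's local route and the VPN route collide.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample policy: prefixes that exist only behind the VPN concentrator.
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
# Constructed home LAN of the remote user (assumption for the example).
HOME_LAN = "192.168.1.0/24"


def next_hop(dst: str, corp_prefixes: Iterable[str], full_tunnel: bool) -> str:
    """Return 'vpn' if the packet is encapsulated, 'local' if it uses the local gateway.

    Full tunneling: every destination goes through the tunnel (the VPN owns the
    default route). Split tunneling: only corporate prefixes go through the
    tunnel; everything else, including Internet traffic, leaves locally.
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(p) for p in corp_prefixes):
        return "vpn"
    return "vpn" if full_tunnel else "local"


def overlapping_prefixes(corp_prefixes: Iterable[str], local_lan: str) -> List[str]:
    """Corporate prefixes that overlap the local LAN.

    Any hit means a split-tunnel client cannot distinguish a local host from a
    corporate host with the same address, so the policy must be fixed first.
    """
    lan = ipaddress.ip_network(local_lan)
    return [p for p in corp_prefixes if ipaddress.ip_network(p).overlaps(lan)]


if __name__ == "__main__":
    for dst in ("10.20.30.40", "93.184.216.34"):
        print(dst, "split ->", next_hop(dst, CORP_PREFIXES, False),
              "full ->", next_hop(dst, CORP_PREFIXES, True))
    print("overlap with home LAN:", overlapping_prefixes(CORP_PREFIXES, HOME_LAN))
    print("overlap with a 10.1.1.0/24 home LAN:",
          overlapping_prefixes(CORP_PREFIXES, "10.1.1.0/24"))
```

In a real client the same decision is expressed as routes pushed by the concentrator; the check for overlapping prefixes is the part most deployments skip and most often regret.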
  172. C. Telnet transmits keystrokes in cleartext, including usernames and passwords, so anyone who can capture the traffic can read them. It is therefore insecure. Secure Shell (SSH) improves on the security of Telnet by encrypting everything it transmits over the network, passwords included, and by authenticating the server to the client. Like Telnet, SSH is free and does not itself provide graphical terminal emulation. SSH is also no faster than Telnet.
  173. A. RDP is the client/server protocol created for use with Windows Terminal Services, now known as Remote Desktop Services. It is not used with VNC, Citrix products, or Telnet.
  174. B, C. In this scenario, each user wants the fastest service available to connect to the corporate network over a VPN connection. Of all the services listed here, the only ones that will meet this requirement are DSL and CATV Internet. CATV and DSL Internet connections support high data rates and can be used to connect using a VPN tunnel, so they meet the speed requirement. Each user can use his or her existing CATV connection or use an existing telephone line to install DSL. Once the line is installed, each user needs to install and configure a VPN client on his or her computer and configure it to use L2TP and IPSec. Modem connections are slow—the maximum upstream speed is 33.6 Kbps, and the downstream is 56 Kbps. ISDN's maximum transfer rate for Basic Rate Interface (BRI) is 128 Kbps.
  175. D. Extensible Authentication Protocol (EAP) is an authentication framework, originally defined for use with Point-to-Point Protocol (PPP), that carries whatever authentication method the two endpoints negotiate. The primary advantage of EAP is that it enables a computer to use mechanisms other than passwords for authentication, including public key certificates, smartcards, badge readers, and biometric devices, such as fingerprint scanners. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) support only password authentication. Point-to-Point Tunneling Protocol (PPTP) is a Virtual Private Network (VPN) protocol, not an authentication protocol.
  176. C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.
  177. A. Bar coding the new computers enables the IT department to record their locations, status, and conditions throughout their life cycle, a process known as asset tracking. Bar codes are not used for tamper detection and device hardening. Port security refers to switches, not computers.
  178. C. An insider threat by definition originates with an authorized user. Smartcards and biometrics admit anyone who is authorized to enter the sensitive area, and motion detection only registers that someone is present, so none of them can distinguish an authorized user behaving maliciously from one doing their job. Video surveillance, however, can record the activities of anyone, authorized or not.
  179. D. The terms fail closed and fail open refer to the default position of an electric or electronic door lock when power is lost. Security is often a trade-off with safety: in an emergency that cuts the power, whether secured doors lock permanently or unlock permanently is a critical factor. These terms do not apply to motion detectors or video cameras. A honeypot is a computer configured to lure potential attackers; it is not a physical security mechanism.
  180. F. Smart lockers are available with a wide variety of authentication mechanisms, ranging from relatively weak PINs, Near Field Communication (NFC), and Bluetooth devices to biometric scans and radio-frequency identification (RFID) tags. Note that an RFID tag that simply transmits a fixed identifier can be cloned, so its strength depends on the type of tag and on whether it is combined with a second factor.
  181. A, C. Closed-circuit television cameras are part of a self-contained system in which the cameras feed their signals to dedicated monitors, usually located in a security center. IP cameras are standalone network devices that transmit their video over an IP network, wired or wireless. While CCTV cameras can only be monitored by users in the security center, or another designated location, IP cameras can be monitored by any authorized user with a web browser. Because an IP camera is a host on the network, it needs the same care as any other host: default credentials changed, firmware kept current, and the camera network segmented from production systems. Lightweight Directory Access Protocol (LDAP) is a directory services protocol, and Network Access Control (NAC) is a service; neither one is a type of video surveillance device.
  182. A. Social engineering is the practice of obtaining sensitive data by manipulating legitimate users, such as by pretending to be someone with a genuine need for that data. Because it exploits people rather than a technological vulnerability, the principal defense against this type of attack is to educate and train users to recognize potential threats. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users.
  183. C. A door that is configured to fail open reverts to its unsecured state—open—when an emergency occurs. This must be a carefully considered decision, as it can be a potential security hazard. However, configuring the door to fail closed is a potential safety hazard in the event of a fire or other disaster.
  184. C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.
  185. A, B, C. Biometric scans, identification badges, and key fobs are all means of distinguishing authorized from unauthorized personnel. Motion detection cannot make this distinction.
  186. A. Video surveillance can monitor all activities of users in a sensitive area. With properly placed equipment, event-specific actions, such as commands entered in a computer, can be monitored. Identification badges, key fobs, motion detection, and locking cabinets can indicate the presence of individuals in a sensitive area, but they cannot monitor specific activities.
  187. A, C, E. A radio-frequency identification (RFID) device is a small chip that can be electronically detected by a nearby reader. The chip can contain small amounts of data, such as the authentication credentials needed to grant an individual access to a secured area. Key fobs, proximity cards (prox cards), and smart lockers can use RFIDs to enable users to unlock a door by waving the device near a reader. Older low-frequency prox cards transmit a fixed identifier with no cryptographic challenge, so they can be read and cloned by an attacker who gets close to the card; newer contactless smart cards address this with challenge-response authentication. Keycard locks typically require the card to be inserted into a reader and usually use magnetic stripes to store data. Cipher locks rely on data supplied by the user, that is, the combination numbers.
  188. B, D. Possession of the key fob is something you have, but the key fob could be lost or stolen, so its use is confirmed by entering a PIN, something you know. Combining the two factors means that unless the user both loses the key fob and discloses the PIN, the credential remains secure.
  189. A, C. Key fobs and proximity cards (prox cards) often use radio-frequency identification (RFID) devices to enable users to unlock a door by waving the device near a reader. Keycard locks typically use magnetic stripes to store data and require the card to be physically inserted into a reader. Cipher locks rely on data manually supplied by the user, that is, the combination numbers.
  190. B, D. Video surveillance can conceivably prevent an evil twin attack, which takes the form of a rogue access point deliberately connected to the network for malicious purposes. Video surveillance can also help to prevent insider threats by monitoring the activities of authorized users. Video surveillance cannot prevent social engineering, which involves nothing more than communicating with people, or brute-force attacks, which are usually performed remotely.
  191. D. When a false positive occurs during a biometric authentication, a user who should not be granted access to the secured device or location is granted access. A false negative is when a user who should be granted access is denied access. Vendors express these as the false acceptance rate (FAR) and false rejection rate (FRR); lowering the match threshold reduces one rate while raising the other, and the threshold at which the two are equal is called the crossover error rate (CER).
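The FAR/FRR trade-off worked through in code, as an added example (not from the original page or any biometric product). The match scores are constructed sample values, not measurements from any real sensor: a higher score means the sample looked more like the enrolled template. A false positive is an impostor score at or above the threshold; a false negative is a genuine score below it.

```python
from typing import List, Tuple

# Constructed sample match scores (0..100). Genuine = enrolled user against their
# own template; impostor = other people against that template. The two sets
# overlap on purpose so that no threshold is free of both error types.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]
IMPOSTOR = [62, 58, 55, 50, 47, 44, 41, 38, 35, 30]


def accept(score: int, threshold: int) -> bool:
    """The device's decision: grant access when the score reaches the threshold."""
    return score >= threshold


def error_rates(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold.

    FAR: fraction of impostor attempts accepted  (false positives, the 'D' case).
    FRR: fraction of genuine attempts rejected   (false negatives).
    """
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def crossover_threshold(genuine: List[int], impostor: List[int]) -> int:
    """Threshold where FAR and FRR are closest (the crossover error rate, CER).

    Only observed scores need to be tried: the rates change only when the
    threshold crosses one of them.
    """
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates,
               key=lambda t: abs(error_rates(t, genuine, impostor)[0]
                                 - error_rates(t, genuine, impostor)[1]))


if __name__ == "__main__":
    for t in (50, 62, 70):
        far, frr = error_rates(t, GENUINE, IMPOSTOR)
        print(f"threshold {t}: FAR={far:.1f} FRR={frr:.1f}")
    print("crossover threshold:", crossover_threshold(GENUINE, IMPOSTOR))
```

For a door to a datacenter you would normally bias the threshold above the crossover point, accepting more false rejections (an annoyed employee) in exchange for fewer false acceptances (an intruder inside).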
  192. A. All of the mechanisms listed are designed to make any attempts to tamper with or physically compromise the hardware devices immediately evident. This is therefore a form of tamper detection. Asset tracking is for locating and identifying hardware. Geofencing is a wireless networking technique for limiting access to a network. Port security refers to network switch ports.
  193. C. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal pattern, voice prints, and other characteristics.
  194. D. A tailgater is a type of intruder who enters a secure area by closely following an authorized user. Most people are polite enough to hold the door open for the next person without knowing if they are authorized to enter. A tailgater is therefore not an intrusion prevention mechanism. Identification badges, locks, and key fobs are methods of preventing intrusions.
  195. A. Identification badges, key fobs, and access control vestibules (mantraps) are all physical security mechanisms, in that they prevent unauthorized personnel from entering sensitive areas, such as datacenters. These mechanisms are not used for data file security, asset tracking, or switch port security.
  196. C, D. Biometrics and smartcards are both means of preventing intrusions, whereas motion detection and video surveillance are mechanisms for detecting them.
  197. B. A door that is configured to fail closed reverts to its secured state—locked—when an emergency occurs. This must be a carefully considered decision, since it can be a potential safety hazard in the event of a fire or other disaster. However, configuring the door to fail open is a potential security hazard.
  198. B. An entrance arrangement in which people must close one door before they can open the next one is called an access control vestibule or mantrap. Security personnel can evaluate potential entrants while they are in the vestibule and detain attempted intruders there.
  199. A, D. Deleting files on a hard disk drive only removes the filesystem's references to them; the data remains on the platters and can be recovered until it is overwritten. A disk wipe utility overwrites every sector of the drive (with zeros or another pattern, in one or more passes), rendering the former files unretrievable; a proper wipe ends with a read-back verification that nothing survived. Ralph can then reinstall the operating system to prepare the computer for sale. Performing these two steps eliminates the need to uninstall applications, delete data files manually, or perform a factory reset. Note that on a solid-state drive, wear leveling means an overwrite from the host may never reach every flash block, so the drive's own secure-erase or cryptographic-erase command should be used instead.
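Why an ordinary delete is not a wipe, shown on a toy file-backed disk image, as an added example (this is not code from the original page or any wipe utility). The "filesystem" is a constructed model: a fixed directory of (name, offset, length) entries followed by a data area. Deleting clears only the directory entry, as a real filesystem does; a raw scan of the image, which is all a recovery tool needs, still finds the data. The wipe overwrites every byte and then reads the image back to verify.

```python
import os
import struct
import tempfile
from typing import Optional

ENTRY_FMT = ">16sII"                      # name, offset, length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 24 bytes
DIR_ENTRIES = 8
DATA_START = DIR_ENTRIES * ENTRY_SIZE
CHUNK = 4096


class ToyDisk:
    """Constructed model of a disk: a directory of fixed-size entries, then data."""

    def __init__(self, path: str, size: int) -> None:
        self.path, self.size, self.next_free = path, size, DATA_START
        with open(path, "wb") as f:
            f.write(b"\0" * size)

    def _find_slot(self, f, name: Optional[str]) -> int:
        """Slot index of the entry called `name`, or of a free slot when name is None."""
        for slot in range(DIR_ENTRIES):
            f.seek(slot * ENTRY_SIZE)
            raw = f.read(ENTRY_SIZE)
            if name is None and raw == b"\0" * ENTRY_SIZE:
                return slot
            if name is not None and raw != b"\0" * ENTRY_SIZE:
                n, _, _ = struct.unpack(ENTRY_FMT, raw)
                if n.rstrip(b"\0").decode() == name:
                    return slot
        raise FileNotFoundError(name or "no free directory slot")

    def write_file(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > self.size:
            raise OSError("disk full")
        with open(self.path, "r+b") as f:
            slot = self._find_slot(f, None)
            f.seek(self.next_free)
            f.write(data)
            f.seek(slot * ENTRY_SIZE)
            f.write(struct.pack(ENTRY_FMT, name.encode().ljust(16, b"\0"),
                                self.next_free, len(data)))
        self.next_free += len(data)

    def delete(self, name: str) -> None:
        """An ordinary delete: clear the directory entry, leave the data blocks alone."""
        with open(self.path, "r+b") as f:
            slot = self._find_slot(f, name)
            f.seek(slot * ENTRY_SIZE)
            f.write(b"\0" * ENTRY_SIZE)


def raw_contains(path: str, needle: bytes) -> bool:
    """What a recovery tool does: scan the raw image and ignore the directory."""
    with open(path, "rb") as f:
        return needle in f.read()


def wipe(path: str, passes: int = 1) -> None:
    """Overwrite every byte of the image with zeros and flush it to the device."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for off in range(0, size, CHUNK):
                f.write(b"\0" * min(CHUNK, size - off))
            f.flush()
            os.fsync(f.fileno())


def verify_zero(path: str) -> bool:
    """Read the whole image back; a wipe is not finished until this passes."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.strip(b"\0"):
                return False
    return True


def demo() -> tuple:
    """Return (found after delete, found after wipe, wipe verified)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        disk = ToyDisk(path, 64 * 1024)
        secret = b"CONSTRUCTED-SECRET customer list"   # constructed sample data
        disk.write_file("customers.txt", secret)
        disk.delete("customers.txt")
        after_delete = raw_contains(path, secret)
        wipe(path)
        return after_delete, raw_contains(path, secret), verify_zero(path)


if __name__ == "__main__":
    print("found after delete, found after wipe, verified:", demo())
```

The verification pass is the part worth copying: a wipe that is not read back has only been assumed to work. On an SSD the same read-back can succeed while stale copies remain in over-provisioned flash, which is why the drive's secure-erase command is the right tool there.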
  200. C. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches. AAA stands for Authentication, Authorization, and Accounting, but not administration.

Chapter 5: Network Troubleshooting

  1. A. The first step in troubleshooting is to identify the problem by establishing symptoms related to the network issue being reported. In this step, problems are typically reported as trouble tickets, which are prioritized based on the severity of the problem. You complete the other steps after the trouble ticket has been prioritized and is being investigated.
  2. C. A systemwide error is a problem that renders an individual user's system (computer) completely unusable. All the other problems listed would affect more than one system or user.
  3. D. Any problem that affects all the users on the network is a networkwide problem and should be given the highest priority. An example of this would be a problem with an Internet router. All other problems listed do not affect the entire network.
  4. B. In this scenario, only one user is reporting a problem. Therefore, the likeliest next step is to perform the same task on another computer attached to the same segment. If Ed can perform the task successfully, the problem most likely lies within the user's computer or the connection to the switch. Since no other users are reporting the same problem, the server and switches on the network are probably up and functioning. Checking the router is not necessary since the user and server are on the same network.
  5. A. The first step in troubleshooting is to identify the problem by establishing symptoms related to the network problem being reported. In this step, you ask the user many questions to identify and define the symptoms of the problem and prioritize the trouble ticket. Although you might continue to ask the user questions throughout the troubleshooting process, this is typically associated with the first step of the troubleshooting process.
  6. C. After identifying the problem, the next step is to establish a theory for the probable cause of the problem. After that, you can test your theory, establish a plan of action, implement a solution, verify the functionality of the system, and document the entire process.
  7. B. The second step in troubleshooting is to attempt to duplicate a problem and develop a theory of its probable cause. As you troubleshoot a problem, you then test your theory to confirm your findings. You complete the other troubleshooting steps after the specific cause has been identified.
  8. D. Replacing components by guesswork could resolve the problem through chance, but it would more likely be a waste of time and hardware. When Ralph's first theory is disproven, the next logical step would be to devise another theory. This could conceivably involve reinterviewing the users or escalating the issue to a senior technician. If the theory had been confirmed, the next step would be to devise a plan of action to resolve the problem.
  9. C. In troubleshooting, one of the first steps in the process of identifying the problem is to question the obvious, such as whether the computer is plugged in or switched on. It would be unlikely that the user would know her computer's IP address or what updates had been installed when the screen is blank. Questioning whether other people have used the computer might come up later, but it will be little help at this stage of the troubleshooting process.
  10. B. If a problem lies within a specific server or other network component that prevents many users from working, it is a shared resource problem. A problem that lies within resources that provide services to the entire network is a networkwide problem. Systemwide problems put a specific computer out of commission, preventing a user from getting any work done. An application problem is a problem that affects only a single user's access to a device or application.
  11. A. Since only one user is reporting the problem, and he has admitted to making changes to his IP configuration, Alice should probably start by checking the configuration using the ipconfig command. If the router, DNS server, or WINS server were causing the problem, more than one user would be experiencing difficulties.
  12. A. Since only one user is reporting the problem, the user's computer and its configuration are the likeliest suspect components. A DNS, proxy, or router problem would affect more than one user.
  13. C. Alice is using a top-to-bottom approach, based on the Open Systems Interconnection (OSI) reference model. She begins at the top of the model (the application layer) by checking the system's email capabilities, and then proceeds downwards to check the computer's IP configuration (at the network layer), the local network connectivity (the data link layer), and the computer's cables (the physical layer). A bottom-to-top approach would begin with the cables. The divide-and-conquer approach and questioning the obvious would not involve the steps Alice took in the order that she took them.
  14. A. There are many possible causes for the problem that are more likely than a router configuration error, so this is not something Alice would check first. Asking if the user can access the local network attempts to isolate the problem. If she cannot, the problem could be in her computer; if she can, then the problem lies somewhere in the Internet access infrastructure. If other users are experiencing the problem, then the issue should receive a higher priority, and Alice knows that the problem does not lie in the user's computer. While it might not be the first thing she checks, it is a political reality that higher ranking users often get preferential treatment.
  15. B. Documenting everything you discover and everything you do is a crucial part of the troubleshooting method that must begin before you take any other action whatsoever. However, it appears as the last step in the troubleshooting methodology.
  16. E. The first step in troubleshooting involves identifying the problem and creating a trouble ticket. You complete the other troubleshooting steps after the trouble ticket has been prioritized.
  17. D. During the troubleshooting process, you must establish whether anything has changed. This typically involves asking the user whether any new or existing hardware or software has been installed or reconfigured.
  18. C. After you have established a theory of probable cause, you can try to test the theory by replacing hardware components one by one until you find the faulty device.
  19. D, F. Verifying that a router is functioning and forwarding traffic and verifying that a client's IP configuration is correct are not considered general troubleshooting steps. You might perform these two steps as a subset of general troubleshooting steps.
  20. A, C. When a network problem or incident is reported, documentation begins. Proper documentation makes it easier for a first-tier support technician to prioritize and to escalate the call to senior technicians, if necessary.
  21. B, D. When establishing priorities, networkwide problems take precedence over departmental problems, and problems with shared resources take precedence over individual desktop problems.
  22. A, B, D. First-tier technicians are generally less experienced than second-tier technicians. First-tier technicians are the first point of contact for users. They receive and prioritize help desk calls and escalate problems to second-tier technicians, if necessary. First-tier technicians generally handle individual desktop problems, whereas second-tier technicians troubleshoot mission-critical network components such as routers and switches.
  23. C. A problem that affects the entire network should be given highest priority. This includes a mission-critical backbone router. Problems that affect multiple LANs or an entire department are generally given the next highest priority. An application problem that affects a shared application server on a LAN should be given the next highest priority. A problem with a single user's computer should be given the lowest priority if the other problems have been reported.
  24. B. A problem that affects the entire network should be given highest priority. This includes a mission-critical backbone router. Problems that affect multiple LANs or an entire department are generally given the next highest priority. An application problem that affects a shared application server on a LAN should be given the next highest priority. A problem with a single user's computer should be given the lowest priority if the other problems have been reported.
  25. D. After you identify a problem and establish and test a theory of its probable cause, you must create a plan of action to resolve the problem and identify any potential effects (positive or negative) your solution might have. Then, you implement your solution, test the results, and finish documenting the incident.
  26. G. The last step of the troubleshooting process is to document the solution and explain to the user what happened and why. In reality, documentation should begin when the problem is reported, and the documentation should be updated throughout the troubleshooting process.
  27. A, D. The first stage of the troubleshooting process calls for Alice to identify the problem by gathering information. Learning about who is reporting the problem and what has changed since the server was last accessible can provide Alice with information that could help her determine whether the problem is located in the users' workstations, somewhere in the network, or in the server itself. The other options are intended to test a theory about a probable cause, a troubleshooting stage that comes later.
  28. A. Because the multiple problems seem to be unrelated, Alice should handle them individually by creating a separate trouble ticket for each one and prioritizing each one. None of the problems seem to be severe enough to warrant escalation, nor should it be necessary to replace the computer. While it would be possible to send a technician to address all of the problems at once, it would be more efficient to assign each its own priority and handle it like any other trouble call.
  29. B. The first phase of the troubleshooting process is gathering information. Learning whether the printer is accessible over the network can help Alice to isolate the location of the problem and develop a theory of probable cause. Installing drivers, checking switches, and upgrading firmware are all part of a later phase in the troubleshooting process: testing a theory to determine the cause of the problem.
  30. A. A wiremap tester consists of a main unit that connects to all eight wires of a UTP cable at once and a loopback device that you connect to the other end, enabling you to test all of the wires at once. A wiremap tester can detect opens and shorts, as well as transposed wires. However, it cannot detect split pairs because, in that fault, the pins are properly connected.
  31. D. The first and most essential test that installers must perform on every cable run is a continuity test, which ensures that each wire on both ends of the cable is connected to the correct pin and only the correct pin. If a pin on one end of a cable run is connected to two or more pins on the other end, the cable has a short circuit.
  32. A. A rollover cable is a type of null modem cable, usually flat and light blue in color, with the pinouts reversed on either end, to enable a terminal to communicate with a router or switch through the device's dedicated console port. None of the other options are suitable for this purpose. A straight through cable is the standard network cable used to connect a computer to a switch. A crossover cable is designed to connect two network adapters directly. A plenum cable is a type of cable intended for use within air spaces and has an outer sheath that does not produce toxic fumes when it burns. A shielded cable is intended to protect signals from electromagnetic interference. A tap is a device used to branch a coaxial cable to two devices.
  33. A. A straight through cable is the standard network patch cable used to connect a computer to a wall plate. A crossover cable is designed to connect two network adapters directly. A rollover cable is used to enable a terminal to communicate with a router or switch through the device's console port. A plenum cable is a type of cable intended for use within air spaces that has an outer sheath that does not produce toxic fumes when it burns.
  34. C. The technique that provides this capability is called time-domain reflectometry (TDR). The tester transmits a signal over the cable and measures how long it takes for a reflection of the signal to return from the other end. Using this information and the cable's nominal velocity of propagation (NVP)—a specification supplied by the cable manufacturer—the device can calculate the length of a cable run. The other devices listed do not work in this way.
  35. B. A short circuit is a wiring fault in which a pin at one end of a cable run is connected to two or more pins at the other end. To correct the problem, you must replace the connector with the faulty wiring. None of the other suggestions are solutions for a wiring fault.
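The wiremap logic of questions 30, 31, 34 and 35 worked through in code, as an added example (not from the original page or any tester's firmware). The terminations are constructed models: each lists the conductor punched down on pins 1 to 8, using T568 colour names, and a pair-level check stands in for what a cable certifier infers from crosstalk (NEXT). A wiremap tester sees only pin-to-pin continuity, so the "sequential" termination below, which splits the 3-6 and 4-5 signal pairs across different twisted pairs, looks identical to a good straight-through cable to it. The TDR length function uses the nominal velocity of propagation (NVP); 0.69 is an assumed value for the example, not a figure from the page.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed model. Twisted pairs in the cable, by T568 colour names.
TWISTED_PAIRS = {"blue": {"wbl", "bl"}, "orange": {"wo", "o"},
                 "green": {"wg", "g"}, "brown": {"wbr", "br"}}
# Pins that carry one signal together on an 8P8C jack.
SIGNAL_PAIRS = [(1, 2), (3, 6), (4, 5), (7, 8)]
CROSSOVER_MAP = {1: 3, 2: 6, 3: 1, 4: 4, 5: 5, 6: 2, 7: 7, 8: 8}

T568B = ["wo", "o", "wg", "bl", "wbl", "g", "wbr", "br"]
T568A = ["wg", "g", "wo", "bl", "wbl", "o", "wbr", "br"]
# Colours punched down in order 1-2, 3-4, 5-6, 7-8: pin for pin it matches
# T568B continuity, but pins 3 and 6 no longer share a twisted pair.
SEQUENTIAL = ["wo", "o", "wg", "g", "wbl", "bl", "wbr", "br"]
OPEN_PIN6 = ["wo", "o", "wg", "bl", "wbl", None, "wbr", "br"]
SHORT_1_2 = ["wo", "wo", "wg", "bl", "wbl", "g", "wbr", "br"]  # pin 2 bridged onto pin 1's wire


def pin_map(near: List[Optional[str]], far: List[Optional[str]]) -> Dict[int, Set[int]]:
    """What a wiremap tester measures: for each near pin, the far pins it has continuity to."""
    return {i + 1: {j + 1 for j, fc in enumerate(far) if fc is not None and fc == nc}
            for i, nc in enumerate(near)}


def wiremap(near: List[Optional[str]], far: List[Optional[str]]) -> str:
    """Classify the run from pin continuity alone, as a wiremap tester would."""
    pm = pin_map(near, far)
    shorts = sorted(p for p, fars in pm.items() if len(fars) > 1)
    opens = sorted(p for p, fars in pm.items() if not fars)
    if shorts:
        return "short on pins " + ",".join(map(str, shorts))
    if opens:
        return "open on pins " + ",".join(map(str, opens))
    single = {p: next(iter(fars)) for p, fars in pm.items()}
    if all(p == q for p, q in single.items()):
        return "straight-through"
    if single == CROSSOVER_MAP:
        return "crossover"
    return "miswire (transposed or reversed pairs)"


def split_pairs(termination: List[Optional[str]]) -> List[Tuple[int, int]]:
    """Signal pairs wired with conductors from two different twisted pairs.

    A wiremap tester cannot see this; a certifier catches it as excessive NEXT.
    """
    def pair_of(c: str) -> str:
        return next(name for name, wires in TWISTED_PAIRS.items() if c in wires)
    bad = []
    for a, b in SIGNAL_PAIRS:
        ca, cb = termination[a - 1], termination[b - 1]
        if ca is not None and cb is not None and pair_of(ca) != pair_of(cb):
            bad.append((a, b))
    return bad


def tdr_length_m(round_trip_ns: float, nvp: float) -> float:
    """Cable length from a TDR echo: the pulse travels down and back at nvp * c."""
    c = 299_792_458.0
    return round_trip_ns * 1e-9 * nvp * c / 2


if __name__ == "__main__":
    for label, near, far in (("B-B", T568B, T568B), ("B-A", T568B, T568A),
                             ("open", T568B, OPEN_PIN6), ("short", T568B, SHORT_1_2),
                             ("sequential", SEQUENTIAL, SEQUENTIAL)):
        print(f"{label:10} wiremap: {wiremap(near, far):40} split pairs: {split_pairs(near)}")
    print(f"TDR 966.9 ns round trip at NVP 0.69: {tdr_length_m(966.9, 0.69):.1f} m")
```

The sequential termination passes the wiremap test and fails the pair check, which is exactly the gap between a wiremap tester and a certifier described in question 30.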
  36. C. All of the suggested tools are capable of associating wall plates with the correct patch panel ports, but the tone generator and locator is by far the most inexpensive solution.
  37. D. Telephone cable technicians have their own specialized tools, such as the butt set, a one-piece telephone handset with alligator clips that enables its operator to connect to a line anywhere that the cables are accessible.
  38. B, D. The punchdown tool is critical to this operation. In one motion, the tool strips the insulation off of the wire, presses it down into the connector, and cuts off the excess at the end. A wire stripper simplifies the task of preparing the cable for the connection process. A crimper is used only for attaching connectors to patch cables. Pigtail splicers and fusion splicers are used only on fiber-optic networks.
  39. A. An optical loss test set (OLTS) identifies signal loss in fiber-optic cabling. A time-domain reflectometer (TDR) measures electrical signals in copper-based cabling, not light signals. Tone generator and locator tools and wiremap testers are used in copper-based cabling installations, not fiber-optic cabling.
  40. B. You can use a cable certifier to identify a variety of cable performance characteristics, typically including cabling lengths, signal attenuation, crosstalk, propagation delay, delay skew, and return loss, in addition to providing all the functionality of a wiremap tester. The other tools listed are dedicated to a single testing modality and do not test for crosstalk.
  41. B. Plenum cable is a type of cable intended for use within building air spaces (called plenums) that has an outer sheath that is more resistant to high temperatures and does not produce toxic fumes when it burns. The use of plenum cable has no effect on EMI or the type of traffic on the cable, nor is it required for low temperature areas.
  42. D. An Optical Time Domain Reflectometer (OTDR) is a device that transmits light pulses over a fiber-optic network and measures the time interval and strength of the returning pulse, to measure the length of the cable run. An OTDR can be used to locate fiber-optic cable breaks, as well as characterize a cable run's reflectance, optical return loss, and other characteristics. Multimeters, tone generators, and wiremap testers are all devices that work only with copper networks.
  43. C. A butt set is a one-piece telephone handset with alligator clips that enables its operator to connect to a telephone line anywhere that the cables are accessible. They are used by telephone cable technicians, but generally not by installers of network data cables. The other options are all standard tools used by data networking cable installers.
  44. B. A crimper is a plier-like device that cable installers use to create patch cables by attaching RJ45 connectors to lengths of bulk cable. Installers use a punchdown tool, not a crimper, to attach a cable end to a keystone connector. It is not always necessary to purchase a crimper for each cable type. Some crimpers are designed for a single cable/connector combination, but there are many that have replaceable bits, supporting a variety of cables and connectors. Making patch cables yourself can represent a false economy. Buying bulk cable and connectors and making patch cables yourself can conceivably be cheaper than purchasing prefabricated cables. However, when you factor in the time needed to attach the connectors, the learning curve required to attach the connectors correctly, and the failure rate requiring the re-application of connectors, it might be more economical to purchase prefabricated patch cables in quantity instead.
  45. A, C. Cable certifiers can detect all of the faults that tone generators and wiremap testers can detect, and they can do a great deal more, such as specify whether a cable run meets the performance specifications defined in a cable standard. When testing a new cable type, the specifications defined in the cable standard must be added to the device. Cable certifiers are far more expensive than most other cable testing solutions. Cable certifiers are available that support various cable media, including copper and fiber optic.
  46. C, D. Alice can use a tone generator and locator or a wiremap tester to identify and test cable connections. By connecting the tone generator or the remote wiremap unit to one end of a cable run, she can use the locator or the master wiremap unit to find the other end. This can enable her to identify a starting point and an ending point for a cable run. A loopback adapter is used to test the transmission and reception capabilities of a port. A packet sniffer captures and analyzes network traffic; it cannot identify cables.
  47. B, D. A crimper is a device used for attaching connectors to patch cables. A wire stripper, while not essential to the process, can simplify the task of preparing the cable. A punchdown tool is used for attaching keystone connectors to cable ends, for use in wall plates and patch panels. A standard set of pliers is not used in the process of attaching connectors.
  48. B. Crimpers and punchdown tools are relatively simple and inexpensive mechanical devices that cable installers use to connect bulk cable to connectors. A wiremap tester is an electronic device for cable testing, but it is still relatively simple. A cable certifier is a complex electronic device that can perform a battery of tests on a cable run, confirm that the cable conforms to the required wiring standards, and maintain records of the testing procedure. Cable certifiers are by far the most expensive of the devices listed.
  49. C. The device shown in the figure is a multimeter, which is used to measure the electric current on a copper conductor, such as an Unshielded Twisted Pair (UTP) network. This tool is not capable of performing any of the tasks described in the other options.
  50. B. The device shown in the figure is a punchdown tool, used to connect Unshielded Twisted Pair (UTP) cable ends to the keystone connectors used in modular wall plates and patch panels. After lining up the individual wires in the cable with the connector, one uses the tool to press each wire into its slot. The tool also cuts the wire sheath to make an electrical contact and trims the end of the wire. This tool is not capable of performing any of the tasks described in the other options.
  51. A. The device shown in the figure is a tone generator and locator, used to test Unshielded Twisted Pair (UTP) wiring and detect certain basic wiring faults. This tool is not capable of performing any of the tasks described in the other options.
  52. B. The device shown in the figure is a crimper, which is used to create patch cables by attaching connectors to both ends of a relatively short length of bulk cable. This tool is not capable of performing any of the tasks described in the other options.
  53. A. The device shown in the figure is a butt set, a basic tool of telephone installers and line workers. By connecting the clips to pins in a punchdown block, you can access telephone circuits in order to test them or place telephone calls.
  54. B, C. A crimper is a plier-like tool that cable installers use to attach RJ45 connectors to patch cables. A punchdown tool is a tool that cable installers use to attach keystone connectors to cable ends, for use in wall plates and patch panels. A telepole is a device used to run cables through walls, floors, and ceilings, but since the cable runs have already been pulled, Ralph will not need this tool. A pigtail splicer is a tool used only in fiber-optic cable installations.
  55. A. The failure to detect a tone on a wire indicates that there is either a break in the wire somewhere inside the cable or a bad connection with the pin in one or both connectors. This condition is called an open circuit. A short is when a wire is connected to two or more pins at one end of the cable. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Crosstalk is a type of interference caused by signals on one wire bleeding over to other wires.
  56. B. A short is when a wire is connected to two or more pins at one end of the cable or when the conductors of two or more wires are touching inside the cable. This would cause a tone applied to a single pin at one end to be heard on multiple pins at the other end. An open circuit would manifest as a failure to detect a tone on a wire, indicating that there is either a break in the wire somewhere inside the cable or a bad connection with the pin in one or both connectors. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Crosstalk is a type of interference caused by signals on one wire bleeding over to other wires.
  57. C. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Each pin on one end of the cable is correctly wired to the corresponding pin at the other end, but the wires inside the cable used to make the connections are incorrect. In a properly wired connection, each twisted pair should contain a signal wire and a ground wire. In a split pair, it is possible to have two signal wires twisted together as a pair. This can generate excessive amounts of crosstalk, corrupting both of the signals involved. Because all of the pins are connected properly, a tone generator and locator cannot detect this fault. An open circuit would manifest as a failure to detect a tone on a wire, indicating that there is either a break in the wire somewhere inside the cable or a bad connection with the pin in one or both connectors. A short is when a wire is connected to two or more pins at one end of the cable or when the conductors of two or more wires are touching inside the cable. Transposed pairs is a fault in which both of the wires in a pair are connected to the wrong pins at one end of the cable. All three of these faults are detectable with a tone generator and locator.
  58. C. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Each pin on one end of the cable is correctly wired to the corresponding pin at the other end, but the wires inside the cable used to make the connections are incorrect. In a properly wired connection, each twisted pair should contain a signal wire and a ground wire. In a split pair, it is possible to have two signal wires twisted together as a pair. This can generate excessive amounts of crosstalk, corrupting both of the signals involved. Open circuits, shorts, and transposed pairs interfere with cable performance but do not make it more susceptible to crosstalk.
  59. D. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Each pin on one end of the cable is correctly wired to the corresponding pin at the other end, but the wires inside the cable used to make the connections are incorrect. In a properly wired connection, each twisted pair should contain a signal wire and a ground wire. In a split pair, it is possible to have two signal wires twisted together as a pair. This can generate excessive amounts of crosstalk, corrupting both of the signals involved. Because all of the pins are connected properly, a tone generator and locator cannot detect this fault, and neither can a wiremap tester or a multimeter. However, a cable certifier is a highly sophisticated electronic device that can detect all types of cable faults, including split pairs, as well as measure cable performance characteristics.
  60. C, D. A time-domain reflectometer (TDR) is a device that determines the length of a cable by transmitting a signal at one end and measuring how long it takes for a reflection of the signal to return from the other end. Using this information and the cable's nominal velocity of propagation (NVP)—a specification supplied by the cable manufacturer—the device can calculate the length of a cable run. In a cable with a break in its length, a TDR calculates the length of the cable up to the break. Cable certifiers typically have time-domain reflectometry capabilities integrated into the unit. A tone generator and locator or a multimeter cannot locate a cable break.
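The TDR calculation in answer 60 is a short piece of arithmetic, but it is easy to get the factor of two or the NVP units wrong. The following is an added illustration, not code from the book: it turns a measured reflection time and the manufacturer's NVP into a distance, and compares that distance with the documented run length to decide whether the reflection came from the far end or from a break partway along the cable. The 0.69 NVP and the 90 m run are constructed values; a real measurement must use the NVP from the cable's own specification, which is also why a certifier needs a cable type's specifications loaded before it can test that type (answer 45).

```python
"""Cable length from a TDR reflection, using the cable's NVP (constructed values)."""

C_METRES_PER_NS = 0.299792458  # speed of light in vacuum, metres per nanosecond


def tdr_distance_m(round_trip_ns: float, nvp: float) -> float:
    """Distance from the tester to the reflection point.

    The pulse travels to the reflection and back, so the measured round trip
    covers twice the distance. NVP is the fraction of the vacuum speed of light
    at which a signal propagates in this cable (from the manufacturer's data).
    """
    if not 0.0 < nvp <= 1.0:
        raise ValueError("NVP must be a fraction between 0 and 1")
    if round_trip_ns < 0:
        raise ValueError("round-trip time cannot be negative")
    return round_trip_ns * nvp * C_METRES_PER_NS / 2.0


def expected_round_trip_ns(length_m: float, nvp: float) -> float:
    """Inverse: the reflection time a healthy run of this length should produce."""
    return 2.0 * length_m / (nvp * C_METRES_PER_NS)


def locate_fault(round_trip_ns: float, nvp: float, documented_length_m: float,
                 tolerance_m: float = 2.0) -> tuple:
    """Compare the measured distance with the documented run length.

    A reflection well short of the far end means the pulse bounced off an
    open (a break) partway along the cable, at roughly that distance.
    Returns (verdict, distance_in_metres).
    """
    distance = tdr_distance_m(round_trip_ns, nvp)
    if distance < documented_length_m - tolerance_m:
        return ("open circuit", distance)
    return ("far end", distance)


if __name__ == "__main__":
    NVP = 0.69  # constructed value; take the real figure from the cable's data sheet
    healthy = expected_round_trip_ns(90.0, NVP)
    print(f"90 m run: reflection after {healthy:.1f} ns -> {locate_fault(healthy, NVP, 90.0)}")
    broken = expected_round_trip_ns(37.5, NVP)  # constructed: break 37.5 m out
    print(f"same run, broken: {broken:.1f} ns -> {locate_fault(broken, NVP, 90.0)}")
```

Because the distance scales linearly with NVP, a tester loaded with the wrong cable specification reports every length proportionally wrong, which is the practical reason the cable standard's figures have to be entered before a new cable type is tested.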
  61. C. Of the options provided, the only possible source of the problem is that the cable runs are using a cable type not rated for Gigabit Ethernet. Some older buildings might still have Category 3 cable installed, which was used in the original twisted-pair Ethernet specification. Cat 3 is unsuitable for use with Gigabit Ethernet in many ways and can result in the poor performance that Alice is experiencing. A cable installation with runs wired using different pinout standards will not affect performance as long as each run uses the same pinouts at both ends. Gigabit Ethernet will not function at all if only two wire pairs are connected. The transceivers are located in the equipment that Alice's company brought from the old location, so they are not mismatched.
  62. B. Ralph can use a tone generator and locator to locate the correct cable associated with each office connection. By connecting the tone generator to one end of a cable run, he can use the locator to find the other end. A cable certifier identifies a variety of cable performance characteristics, typically including cabling length, signal attenuation, and crosstalk. An Optical Time Domain Reflectometer (OTDR) is a device for measuring the lengths and other characteristics of fiber-optic cables. A multimeter is a device for measuring the electric current on a copper cable.
  63. B. An optical loss test set (OLTS) is the term for the combination of an optical light source and an optical power meter. The optical power meter by itself cannot be used to test the cable runs when there are no devices connected to them. An Optical Time Domain Reflectometer (OTDR) is a device for measuring the lengths and other characteristics of fiber-optic cables. A multimeter is a device for measuring the electric current on a copper cable.
  64. C. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. In a properly wired connection, each twisted pair should contain a colored signal wire and a striped ground wire. In a split pair, it is possible to have two signal wires twisted together as a pair. This can generate excessive amounts of crosstalk, corrupting both of the signals involved. Because all of the pins are connected properly, a tone generator and locator cannot detect this fault. An open circuit would manifest as a failure to detect a tone on a wire, indicating that there is either a break in the wire or a bad connection in one or both connectors. A short is when a wire is connected to two or more pins or when the conductors of two or more wires are touching. Transposed pairs is a fault in which both of the wires in a pair are connected to the wrong pins at one end of the cable. All three of these faults are detectable with a tone generator and locator.
  65. C. Attenuation is the weakening of a signal as it travels long distances, whether on a wired or wireless medium. The longer the transmission distance, the more the signal weakens. Absorption is the tendency of a wireless signal to change as it passes through different materials. Latency is a measurement of the time it takes for a signal to travel from its source to its destination. Crosstalk is a type of interference that occurs on wired networks when a signal bleeds over to an adjacent wire.
  66. B, C. Dirt on fiber-optic cable connectors can reduce the strength of the signal, resulting in decibel loss. Excessive cable length can result in greater attenuation and weaker signals due to the decibel loss. Electromagnetic interference and signal crosstalk are both factors that can affect copper cable transmissions, but not fiber optic.
  67. A, B, C. There should be no collisions at all on a full-duplex network, so collisions indicate that at least one side of the connection is trying to operate in half-duplex mode. Ethernet running over twisted-pair cable, in its original half-duplex mode, detects collisions by looking for data on the transmit and receive pins at the same time. In full-duplex mode, data is supposed to be transmitted and received at the same time. In a duplex mismatch, in which one side of a connection is configured to use full duplex and the other end is configured to use half duplex, the full-duplex communications originating from one side look like collisions to the half-duplex side. The half-duplex adapter transmits a jam signal as a result of each collision, which causes the full-duplex side to receive incomplete or damaged frames, which appear as runts or as Cyclic Redundancy Check (CRC) errors. Both sides then start to retransmit frames in a continuing cycle, causing network performance to diminish. Ping tests do not detect a duplex mismatch, because ping only transmits a small amount of data in one direction at a time. The mismatch only becomes apparent when the systems transmit large amounts of data.
  68. B, D, E. A speed mismatch on a wired network only occurs when two devices are configured to use a specific transmission speed and those speeds are different. In that case, network communication stops. For network communication to occur on a twisted-pair network, transmit (TX) pins must be connected to receive (RX) pins. If the connections are reversed, no communication occurs. If the switch port to which a computer is connected is bad, there will be no network communication. Bottlenecks and duplex mismatches will slow down network communications, but they will not stop them completely.
  69. A, C. A bottleneck is a component involved in a network connection that is not functioning correctly, causing a traffic slowdown that affects the entire network. A duplex mismatch occurs when one side of a connection is configured to use full duplex and the other end is configured to use half duplex. When this occurs, the full-duplex communications on the one side look like collisions to the half-duplex side. The half-duplex adapter transmits a jam signal as a result of each collision, which causes the full-duplex side to receive an incomplete frame. Both sides then start to retransmit frames in a continuing cycle, causing network performance to diminish drastically. A speed mismatch or a Transmit and Receive (TX/RX) reversal will stop network communication completely.
  70. B. Attenuation is the weakening of a signal as it travels long distances, whether on a wired or wireless medium. The longer the transmission distance, the more the signal weakens. Cable length specifications are designed in part to prevent signals from attenuating to the point at which they are unviable. Jitter, crosstalk, and electromagnetic interference (EMI) are all conditions that can affect the performance of a wired network, but they are not directly related to the length of the cable.
  71. B, C. The Gigabit Ethernet standards call for switches and network adapters to support autonegotiation by default, which enables devices to communicate and select the best network speed and duplex mode available to them both. Therefore, speed mismatches and duplex mismatches no longer occur unless someone modifies the speed or duplex settings to incompatible values on one or both devices.
  72. D. Fluorescent light fixtures and other devices in an office environment can generate magnetic fields, resulting in electromagnetic interference (EMI). When a copper-based cable runs too near to such a device, the magnetic fields can generate an electric current on the cable that interferes with the signals exchanged by network devices. Jitter, crosstalk, and attenuation are all conditions that can affect the performance of a wired network, but they are not directly related to the cables' proximity to light fixtures.
  73. C. The link pulse LED indicates the adapter is connected to a functioning hub or switch. The speed LED specifies the data rate of the link. The collision LED lights up when collisions occur. There is no status LED on a network interface adapter.
  74. C. The Alternative B PoE variant can use the spare wire pairs in a Category 5 (Cat 5) or better 10Base-T or 100Base-TX cable to supply power to connected devices. The Alternative A and 4PPoE variants cannot use the spare wire pair in this manner; they supply power using the wire pairs that carry data at the same time. For Gigabit Ethernet or faster installations, Alternative B is capable of using the data wire pairs.
  75. C. Jitter is defined as delays in the transmission of individual network packets. For audio or video transmissions, jitter can result in dropped words or frames. For data file transmissions, jitter can require retransmission of packets.
  76. A, B, C, D. The 1000Base-SX standard calls for multimode cable with a maximum length of approximately 500 meters, while the new cable run is 4,000 meters and uses single-mode cable. The 1000Base-SX transceiver will also be incompatible with the 1000Base-BX10 transceiver at the other end. 1000Base-BX10 uses wavelengths from 1,300 to 1,600 nanometers (nm), whereas 1000Base-SX uses wavelengths of 770 to 860 nm.
  77. A. There should be no collisions on a full-duplex network, so the problem is clearly related to the duplexing of the communications. Ethernet running over twisted-pair cable, in its original half-duplex mode, detects collisions by looking for data on the Transmit and Receive (TX/RX) pins at the same time. In full-duplex mode, data is supposed to be transmitted and received at the same time. When one side of a connection is configured to use full duplex, as Alice's new computers are, and the other end is configured to use half duplex (as the switches must be), the full-duplex communications on the one side look like collisions to the half-duplex side. The half-duplex adapter transmits a jam signal as a result of each collision, which causes the full-duplex side to receive an incomplete frame. Both sides then start to retransmit frames in a continuing cycle, causing network performance to diminish drastically. The ping tests do not detect a problem, because ping only transmits a small amount of data in one direction at a time. The other options would likely cause the ping tests to fail as well. The solution to the problem is to configure all of the devices to autonegotiate their speed and duplex modes.
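Answers 67, 69 and 77 all turn on the same symptom pattern: the half-duplex side counts collisions, the full-duplex side counts runts and CRC errors, and ping shows nothing. The following is an added example, not the book's code, showing that pattern turned into a check over interface counters of the kind a switch's interface statistics or a host's NIC statistics report. The counter values and port names are constructed; the one detail not stated in the answers is that the collisions seen by the half-duplex side in a mismatch are mostly late collisions, because the full-duplex peer transmits without waiting for the medium to be idle.

```python
"""Duplex-mismatch check from interface error counters (constructed sample data)."""
from dataclasses import dataclass


@dataclass
class PortCounters:
    name: str
    duplex: str           # configured mode: "full" or "half"
    autoneg: bool         # True if the port autonegotiates speed and duplex
    collisions: int
    late_collisions: int
    crc_errors: int
    runts: int


def diagnose_port(p: PortCounters) -> list:
    """Findings for one side of a link, based only on what that side can see."""
    findings = []
    if p.duplex == "full":
        # Collisions cannot happen on a correctly matched full-duplex link, so any
        # count here means the far end is running half duplex.
        if p.collisions or p.late_collisions:
            findings.append(f"{p.name}: collisions counted on a full-duplex port, "
                            "peer is probably half duplex")
        # Jam signals from a half-duplex peer cut frames short in flight; the
        # full-duplex side records those fragments as runts and CRC errors.
        if p.crc_errors or p.runts:
            findings.append(f"{p.name}: {p.crc_errors} CRC errors / {p.runts} runts "
                            "on a full-duplex port, consistent with a duplex mismatch")
    else:
        # The half-duplex side sees the peer's ordinary transmissions as collisions,
        # mostly late ones, since the full-duplex peer never waits for a quiet medium.
        if p.late_collisions:
            findings.append(f"{p.name}: {p.late_collisions} late collisions on a "
                            "half-duplex port, peer is probably full duplex")
    return findings


def diagnose_link(a: PortCounters, b: PortCounters) -> list:
    """Findings for a link when both ends' configuration and counters are known."""
    findings = diagnose_port(a) + diagnose_port(b)
    if a.duplex != b.duplex:
        findings.append(f"duplex mismatch: {a.name} is {a.duplex}, {b.name} is {b.duplex}")
    forced = [p.name for p in (a, b) if not p.autoneg]
    if forced:
        # Autonegotiation on both ends is what prevents the mismatch in the first place.
        findings.append("autonegotiation disabled on " + ", ".join(forced)
                        + "; re-enable it on both ends")
    return findings


if __name__ == "__main__":
    # Constructed: a workstation forced to full duplex, facing a switch port in half duplex.
    host = PortCounters("pc-alice", "full", False, 0, 0, 412, 97)
    switch = PortCounters("sw1 port 7", "half", True, 1532, 1490, 0, 0)
    for line in diagnose_link(host, switch):
        print(line)
```

A successful ping proves nothing here, as answers 67 and 77 note, so the counters are the evidence to collect: read them, clear them, push a large transfer across the link, and read them again.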
  78. B, E. One possible cause of the problem is that the DNS process on the remote server is corrupted or not running. Another possible cause is that there is a firewall blocking access to the server's User Datagram Protocol (UDP) port 53. Both of these would render the port unreachable. The Transmission Control Protocol/Internet Protocol (TCP/IP) client on the server is operating, as verified by the ping utility. This means that the IP host configurations on Ralph's computer and on the DNS server are both functioning. The router does not need to be running DNS to forward datagrams.
  79. A, B. Both Telnet and FTP are protocols that include command-line client applications, with Telnet providing terminal emulation and FTP file transfer functionality. SNMP and DNS are both application layer protocols, but neither one includes a program. Nslookup has a command-line interface, but it executes commands on the local system, not a remote one.
  80. D. The Windows tracert tool transmits a series of ICMP messages with incrementing Time to Live (TTL) values, which identify each router on the path that the packets take through the network. Ping uses ICMP, but it does not manipulate TTL values. Netstat, Route, Nslookup, and Hostname do not use ICMP messages, nor do they manipulate TTL values when performing their normal functions.
  81. B. If Alice suspects that a DNS server is not resolving hostnames, she should try connecting to a remote host using the Internet Protocol (IP) address instead of the name. If she can connect, she knows that all internal Local Area Network (LAN) components and the Internet gateway are functioning, and the remote host is functioning. The problem most likely lies within the DNS server itself. If Alice cannot connect to a remote host using the IP address, the problem is not the DNS server. She would need to do more testing to isolate the problem device and the affected area. ipconfig is a workstation command that enables you to verify the local IP configuration; it is not used to test a DNS server's functionality. Using the ping command will only tell you whether the computer hosting the DNS service is functioning at the network layer of the Open Systems Interconnection (OSI) model; it will not test the DNS service functionality. The tracert (or traceroute) command is used to identify the hop-by-hop path taken to reach a destination; it does not allow you to test functionality above the network layer of the OSI model.
  82. B, E. nslookup and dig are both command-line utilities that you can direct to a specific DNS server and then generate queries that display resource record information the program retrieves from the server. netstat displays information about networking protocols, whereas nbtstat displays information derived from the system's Network Basic Input/Output System (NetBIOS) over Transmission Control Protocol/Internet Protocol (TCP/IP) implementation. arp is a tool that you can use to display and manage a system's Address Resolution Protocol (ARP) table entries. netstat, nbtstat, and arp are not able to display resource record information.
  83. D. Running the arp utility with the -a parameter on a Windows system displays the contents of the Address Resolution Protocol (ARP) cache. The cache contains records of the Internet Protocol (IP) addresses on the network that arp has resolved into Media Access Control (MAC) addresses. The ping, tracert, netstat, and hostname utilities are not capable of producing this output.
  84. B. The Windows tracert utility functions by transmitting a series of Internet Control Message Protocol (ICMP) Echo Request messages to a specified destination with incrementing Time to Live (TTL) values. Each successive message reaches one hop farther on the route to the destination before timing out. The tracert display therefore lists the names and addresses of the routers that packets must traverse to reach the destination. The ping, netstat, arp, and hostname utilities are not capable of producing this output.
  85. A. The Windows ping utility functions by transmitting a series of Internet Control Message Protocol (ICMP) Echo Request messages to a specified destination. The destination system responds with ICMP Echo Reply messages that are listed in the output display. The tracert, netstat, arp, and hostname utilities are not capable of producing this output.
  86. C. Running the Windows netstat utility with no parameters generates a list of the workstation's active connections. The ping, tracert, arp, and hostname utilities are not capable of producing this output.
  87. B. Like traceroute and tracert, pathping is capable of generating a list of the routers that packets pass through on the way to a specific destination system. pathping also displays the percentage of lost packets for each hop, which traceroute and tracert cannot do. The ping, netstat, and route utilities are not capable of displaying route traces.
  88. C. The traceroute (or tracert) utility can locate a malfunctioning router by transmitting Echo Request messages with incrementing Time to Live (TTL) values. ifconfig is a network configuration utility for Unix and Linux systems; ping can test connectivity to another Transmission Control Protocol/Internet Protocol (TCP/IP) system, but it cannot locate a malfunctioning router; and netstat displays information about network connections and traffic but cannot locate a malfunctioning router.
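Answers 80, 84 and 88 describe the same mechanism from three angles: tracert sends probes with TTL 1, 2, 3 and so on, each router decrements the TTL, and the router that takes it to zero answers with an ICMP Time Exceeded message, until a probe survives to the destination and gets an Echo Reply. The following added model, which is not code from the book and sends no packets, walks constructed probes through a constructed router chain (addresses from the RFC 5737 documentation ranges) so the hop-by-hop discovery, and the run of asterisks that a dead router produces, can be seen without a network. It follows the Windows tracert behaviour the answers describe (ICMP Echo Request probes).

```python
"""Model of how tracert maps a path with rising TTL values.

Constructed router chain; no packets are sent. The point is the TTL mechanism.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    address: str
    alive: bool = True   # a dead router neither forwards nor answers


def forward_probe(ttl: int, path: List[Router], target: str) -> Tuple[str, Optional[str]]:
    """Decide who answers a probe sent with this TTL.

    Every router decrements the TTL. The router that takes it to 0 discards the
    packet and returns ICMP Time Exceeded, which is how tracert learns that
    router's address. A packet that survives every router reaches the target,
    which answers the Echo Request with an Echo Reply.
    """
    for router in path:
        if not router.alive:
            return ("timeout", None)          # dropped silently; tracert prints *
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router.address)
    return ("echo-reply", target)


def trace(path: List[Router], target: str, max_hops: int = 30) -> List[Tuple[int, str]]:
    """Hop list as tracert would print it: (TTL, responding address or '*')."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, who = forward_probe(ttl, path, target)
        hops.append((ttl, who if who is not None else "*"))
        if kind == "echo-reply":
            break                              # destination reached, stop probing
    return hops


def last_responding_hop(hops: List[Tuple[int, str]]) -> int:
    """Hop number of the last router that answered; the fault lies just beyond it."""
    for ttl, who in hops:
        if who == "*":
            return ttl - 1
    return hops[-1][0]


if __name__ == "__main__":
    # Constructed path: workstation -> gw -> core -> edge -> target
    path = [Router("gw", "192.0.2.1"), Router("core", "198.51.100.1"),
            Router("edge", "203.0.113.1")]
    target = "203.0.113.50"
    print("healthy:", trace(path, target))
    path[1].alive = False                      # core router fails
    hops = trace(path, target, max_hops=5)
    print("core down:", hops, "-> last good hop", last_responding_hop(hops))
```

A real tracert stops at its hop limit when a router stops answering, so the diagnostic value is in the last line that shows an address: the failure is that router's next hop or the link to it, which is what answer 88 means by locating a malfunctioning router.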
  89. E. All Windows ping transactions use Internet Control Message Protocol (ICMP) messages. ICMP messages are encapsulated directly within Internet Protocol (IP) datagrams; they do not use transport layer protocols, such as User Datagram Protocol (UDP). Ping transactions to destinations on the local network are encapsulated within Ethernet frames. On Unix and Linux, ping uses UDP, which is also encapsulated in IP datagrams.
  90. B. The netstat utility can display the routing table, along with other types of network traffic and port information. The arp utility is for adding addresses to the Address Resolution Protocol (ARP) cache; it cannot display the routing table. The ifconfig command displays Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information on Unix and Linux systems; it cannot display the routing table. Telnet is a terminal emulation program; it cannot display the routing table.
  91. C. Running ping with the -l parameter enables you to specify the size of the messages sent to the target—in this case, 2028 bytes. The -n parameter enables you to specify the number of messages the ping tool should transmit—in this case, 11. Combining these two parameters generates the output in the figure. The -t parameter causes the ping tool to transmit messages until manually halted.
  92. C. The arp -a command displays the entries in the ARP table stored in its cache. The arp -d command is for deleting entries, and the arp -s command is for adding entries. The arp -c command is not a valid option.
  93. B. The nslookup tool enables you to generate DNS request messages from the command line and send them to a specific DNS server. The other options listed are not DNS utilities.
  94. A. On a Unix or Linux host, the ifconfig command displays the system's current IP configuration settings and parameters. ipconfig is a Windows command-line utility that performs the same basic function. The other options are command-line utilities that do not display IP configuration information.
  95. B. Running the ping tool with the -t parameter causes it to send messages to the target continuously until it is manually stopped. The -n parameter specifies the number of messages the ping tool should transmit. The -i parameter specifies the time-to-live (TTL) value of the messages ping transmits. The -a parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.
  96. B. The arp -d command is for deleting cache entries, and by running it with the asterisk wildcard, the command deletes all of the entries in the cache. The arp -a command displays the entries in the ARP table stored in its cache, and the arp -s command is for adding entries. The arp -c * command is not a valid option.
  97. D. The nmap utility is capable of scanning a system for open ports that might be a security hazard. The tcpdump, dig, iptables, and iperf utilities cannot do this.
  98. C, D. ping and tracert are both utilities that test network layer characteristics using ICMP messages. ping tests the network layer functionality of the host, and tracert displays the path to the host through the internetwork. ipconfig and netstat do not use ICMP messages.
  99. C. Running the ping tool with the -i parameter specifies the TTL value of the messages that ping transmits. The -t parameter causes the ping tool to send messages to the target continuously until it is manually stopped. The -n parameter specifies the number of messages the ping tool should transmit. The -a parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.
  100. B. Ralph wants to store and view only the traffic relating to the hosts that are experiencing problems. The best way to do this is to set a capture filter. Capture filters determine what is stored in the buffer. Display filters only determine what is displayed from the contents of the buffer. You do not set a trap on an analyzer—you set traps on Simple Network Management Protocol (SNMP) agents. Also, there is no need to configure both a capture filter and a display filter. If you set a capture filter that blocks all other traffic from entering the buffer, the display filter would be redundant.
  101. A, D. Ralph can use the ping and traceroute tools to verify the network layer functionality of the application server and the router. The ping tool tests the network layer through the exchange of Internet Control Message Protocol (ICMP) Echo and Echo Reply messages. The traceroute tool can verify that there is a functioning path between the users' workstations and the application server. The route tool is used to administer the routing table on the local machine. The arp tool is used to view a computer's Internet Protocol to Media Access Control (IP to MAC) address resolution table stored in memory.
  102. C. A protocol analyzer copies all network traffic, interprets the protocol headers and fields, and displays the output. The Event Viewer displays system, application, and security event logs on a single computer. There is no network troubleshooting tool called a traffic monitor. A management console is a remote monitoring and management device that queries Simple Network Management Protocol (SNMP) agents.
  103. E. Of the utilities listed, tcpdump, dig, iptables, and ifconfig are all tools that run on Unix or Linux systems only. The route utility runs on both Unix or Linux and Windows.
  104. A. nslookup is a command-line utility that generates Domain Name System (DNS) resource record requests and sends them to a specific DNS server. The output shown here first specifies the name and address of the DNS server to which the request was sent, and then the response to the request, containing the name to be resolved and the Internet Protocol (IP) addresses contained in the server's resource record for that name. The pathping, netstat, and route utilities cannot perform DNS queries.
  105. A. Running the ping tool with the -n parameter specifies the number of messages the tool should transmit with each execution. The -t parameter causes the ping tool to send messages to the target continuously until manually stopped. The -i parameter specifies the Time to Live (TTL) value of the messages that ping transmits. The -a parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.
  106. A, E. The ping and nslookup utilities can both run on Windows, Unix, or Linux systems. The traceroute command runs only on Unix or Linux, although there is a Windows version called tracert. The ifconfig and iptables commands only exist on Unix and Linux systems.
  107. D. The ifconfig command runs only on Unix and Linux systems. The ping and netstat utilities run on Windows, Unix, or Linux systems. The ipconfig and tracert commands run only on Windows, although there is a Unix/Linux version of tracert called traceroute.
  108. B. The ipconfig command runs only on Windows, although there is a similar Unix or Linux-only command called ifconfig. The ping and netstat utilities run on Windows, Unix, or Linux systems. The traceroute utility runs only on Unix or Linux systems, although there is a Windows version called tracert.
  109. B, D. Both Linux and the Cisco IOS operating systems have the traceroute utility. Windows has a version of the utility, but it is called tracert . The CSU/DSU cannot run a traceroute command.
  110. B. The netstat -s command displays packet counts and other traffic statistics for the IPv6, IPv4, ICMP, TCP, and UDP protocols. The netstat -a command displays all of a workstation's current connections and ports on which it is listening. The netstat -e command displays Ethernet statistics, such as the number of bytes and packets sent and received. The netstat -r command displays the computer's routing table.
  111. A. Running netstat with the -e parameter on a Windows workstation displays Ethernet statistics, including the number of bytes and packets the workstation has sent and received. The ipconfig command displays Transmission Control Protocol/Internet Protocol (TCP/IP) configuration data; it does not display network traffic statistics. The tcpdump and iptables commands both run only on Unix and Linux workstations.
  112. A, B, D. Windows, Linux, and the Cisco IOS operating systems all include the ping utility. The CSU/DSU cannot run a ping command.
  113. B. The Internet Protocol (IP) address 127.0.0.1 is a dedicated loopback address that directs outgoing IP traffic directly into the incoming IP traffic buffer. A successful ping test using that address indicates that the computer's Transmission Control Protocol/Internet Protocol (TCP/IP) stack is functioning properly, but the traffic never reaches the network adapter or the network, so the test does not confirm that the adapter is functioning or that the computer has a correct IP address for the network.
  114. B, C. The Internet Protocol (IP) address 127.0.0.1 is a dedicated loopback address that directs outgoing IP traffic directly into the incoming IP traffic buffer. The hostname localhost resolves to the 127.0.0.1 address on every TCP/IP system. Ed can therefore ping either the hostname or the IP address to test that his TCP/IP stack is functional. Loopback is not a hostname for the loopback address, and 127.0.0.0 is a network address, not a host address, so it will not work in this situation.
  115. B. ipconfig is a Windows command that displays a computer's current IP address and Transmission Control Protocol/Internet Protocol (TCP/IP) configuration settings, including whether the computer has obtained its address from a DHCP server. The ifconfig command displays the same information for Unix and Linux systems. msinfo32 is a Windows program that generates a graphical display of the computer's hardware and software configuration, but not its IP address and TCP/IP settings. The tracert command in Windows displays the path that packets take through the internetwork to reach a specified destination, but it does not display DHCP information.
  116. B, C, D. When you run the netstat command without any switch options, it displays the computer's active connections. Running netstat -e displays the computer's interface statistics. Running netstat -r displays the routing table. There is no netstat switch that displays the computer's connection state.
  117. B. The route print command displays both the IPv4 and IPv6 routing tables. To display only the IPv6 routing table, you add the -6 parameter to the route print command. route list and route list -6 are not valid commands.
  118. C. Running the Windows netstat command with the -e parameter displays Ethernet statistics, including the number of bytes and packets that have been transmitted and received. The ping, tracert, and arp utilities are not capable of producing this output.
  119. B. Running the arp -e command on a Linux system displays the contents of the Address Resolution Protocol (ARP) cache in the format shown here. The arp -a command displays the cache using an alternative format. The arp -d command is for deleting cache entries, and the arp -s command is for creating cache entries.
  120. D. The arp -s command enables you to create a cache record specifying the Media Access Control (MAC) address and its associated Internet Protocol (IP) address. The arp -N command enables you to display the ARP cache entries for a specified network interface. The arp -d command is for deleting cache entries. The arp -a command displays the entries in the ARP table stored in its cache.
  121. C. The tcpdump utility is a command-line tool that captures network packets and displays their contents. The iptables, nmap, and pathping utilities cannot capture and analyze packets. iptables manages Unix/Linux kernel firewall rules, nmap is a port scanner, and pathping is a Windows route tracing tool.
  122. C. A NetFlow analyzer is a tool that can collect network traffic data and analyze how bandwidth is being used and who is using it. A protocol analyzer is also a tool that captures network packets, but for the purpose of analyzing their contents. A bandwidth speed tester measures a network’s internet access speed. An Internet Protocol (IP) scanner lists the IP addresses that are in use on a network.
  123. B. The destination system is the last one listed in the trace. By averaging the response times of 99, 106, and 108 milliseconds (ms), you can calculate the average response time: 104.33 ms.
  124. B. The dig utility in Linux can display the authoritative Domain Name System (DNS) servers for a particular domain when you specify the domain name and the ns (name server) parameter. The netstat, nslookup, and route commands cannot generate this particular output.
  125. D. On Unix and Linux systems, the traceroute utility tests Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity by transmitting User Datagram Protocol (UDP) messages. This is unlike the tracert utility on Windows systems, which uses Internet Control Message Protocol (ICMP) messages. Neither version uses TCP or Hypertext Transfer Protocol (HTTP).
  126. B. To access the Internet, the workstation's routing table must include a default gateway entry, which would have a Network Destination value of 0.0.0.0. A workstation's routing table does not specify the address of a Domain Name System (DNS) server. The loopback and 224.0.0.0 multicast addresses are normal routing table entries.
  127. D. A protocol analyzer is a tool that enables a user to view the contents of packets captured from a network. In Ed's case, if IPSec is properly implemented, he should be able to see that the data in packets captured from his workstation is encrypted. A packet sniffer is a tool that captures packets for the purpose of traffic analysis but cannot view their contents. In practice, however, packet sniffer and protocol analyzer capabilities are usually integrated into a single tool. A port scanner examines a system, looking for open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, and a multimeter is a tool that reads voltages on electrical circuits. An Internet Protocol (IP) scanner queries the network for the IP addresses currently in use and gathers information about the devices using them. None of these tools can examine packet contents.
  128. A. A packet sniffer is a tool that captures packets for the purpose of traffic analysis but cannot view their contents. A protocol analyzer is a tool that enables a user to view the contents of packets captured from a network. In practice, however, packet sniffer and protocol analyzer capabilities are often integrated into a single tool. Both tools can function in promiscuous mode to capture packets from an entire network.
  129. B, E. The ipconfig /release command terminates the current DHCP address lease. Then, the ipconfig /renew command causes the client to begin the process of negotiating a new lease, this time with an authorized DHCP server. dump, lease, and discard are not valid ipconfig parameters.
  130. D. The correct syntax for the Windows route add command is to specify the destination network address, followed by the subnet mask for the destination network, followed by the address of the router interface on the local network that provides access to the destination network. The other options do not specify the correct addresses in the syntax.
  131. C. The correct syntax for the Windows route add command is to specify the destination network address, followed by the subnet mask for the destination network, followed by the address of the router interface on the local network that provides access to the destination network. Therefore, 192.168.87.226 is the address of the router interface on the internal network, where Ralph's workstation is located.
  132. C. Port scanning identifies open ports on a single computer, whereas port sweeping scans multiple computers for a single open port. War driving and bluejacking are methods of attacking wireless networks.
  133. D. A protocol analyzer captures frames and displays their contents, including the header fields created by the protocols at the various Open Systems Interconnection (OSI) model layers. To interpret the exchanges between the computers on the network, you must be familiar with the protocols and how they operate. Protocol analyzers are useful tools in the hands of experienced network administrators, but they can also be used for malicious purposes, such as displaying unencrypted passwords and other confidential information in the captured packets. The difference between analyzers and sniffers is that analyzers read the internal contents of the packets they capture, parse the individual data units, and display information about each of the protocols involved in the creation of the packet, while sniffers look for trends and patterns in the network traffic without examining the contents of each packet.
  134. A, B. nmap is a command-line utility that scans a range of IP addresses, runs a series of scripts against each device it finds, and displays a list of the open ports it finds on each one. Nessus is similar to nmap in that it also scans a range of IP addresses to find open ports, but it then proceeds to mount attacks against those ports, to ascertain their vulnerability. Network Monitor is a protocol analyzer or packet sniffer, which is a program that captures network traffic samples and analyzes them. It is not a port scanner. Performance Monitor is a program that displays statistics for specific system and network performance criteria. It is not a port scanner.
  135. B. The top utility displays performance information about the currently running processes on a Unix/Linux system. netstat is a tool that enables you to view active network connections and Transmission Control Protocol/Internet Protocol (TCP/IP) traffic statistics. It does not measure system performance. There is no Unix or Linux tool called monitor or cpustat.
  136. B. Protocol analyzers report the total number of frames seen compared to the number of frames that were accepted. If a capture filter is in place, there will be a discrepancy between these two values. Only frames that meet the capture criteria will be accepted by the analyzer and placed in the buffer for later display. Protocol analyzers place good and bad frames into the buffer as long as they meet the capture criteria. If only good frames were placed in the buffer, there would be no way to identify problems.
  137. B. A port scanner examines a system for open endpoints, accessible using the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), which intruders can conceivably use to gain access to the system from the network.
  138. B. A port is a numbered service endpoint identifying an application running on a Transmission Control Protocol/Internet Protocol (TCP/IP) system. A port scanner examines a system for open endpoints, accessible using the TCP or User Datagram Protocol (UDP) at the transport layer, which intruders can conceivably use to gain access to the system from the network.
  139. B. The ports that a port scanner examines are the system endpoints identified by port numbers in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) headers. An open port provides network access to an application running on the computer, which can conceivably be exploited by an intruder.
  140. C. A packet analyzer is capable of looking at the data inside packets, which in the case of packets generated by Telnet and FTP, can contain passwords in clear text. Packet sniffers analyze traffic patterns, vulnerability scanners search for open ports, and Trivial File Transfer Protocol (TFTP) servers transfer boot files to Dynamic Host Configuration Protocol (DHCP) client workstations. Telnet is itself a terminal emulator and does not display packet contents.
  141. A. Protocol analyzers capture packets from the network and interpret their contents, including the display of the application layer payload, which can include confidential information. Protocol analyzers can display the Internet Protocol (IP) addresses of systems on the network, but this is not as great a security threat. Protocol analyzers cannot decrypt the protected information they find in captured packets. Vulnerability scanners detect open ports and launch attacks against them; protocol analyzers do not do this.
  142. B. Microsoft Assessment and Planning Toolkit (MAP Toolkit) is a free application that performs an agentless inventory of a network and uses the information to create reports on specific scenarios, such as whether computers are prepared for an operating system upgrade. Nessus, Nmap, and Microsoft Baseline Security Analyzer (MBSA) are all tools that include vulnerability scanning but that have other capabilities as well.
  143. D. Port scanning, the process of looking for open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that are exploitable by attackers, is one of the many functions that qualifies as a type of vulnerability scanning. Network mapping, the remediation of vulnerabilities, and penetration testing, which is the process of deliberately performing a planned attack, are not considered vulnerability scanning techniques.
  144. A. Once the frames are in the buffer, Alice can configure a display filter to block the unwanted frames from view. This does not delete them from the buffer. Since the capture was already performed, there is no need to restart the capture. Configuring a capture filter will not meet the requirements, because the filter will eliminate the other frames completely from the buffer. It is not possible to delete specific frames from an analyzer buffer.
  145. A. The 802.11b standard calls for a maximum speed of 11 Mbps, so there is nothing that Ralph can do to increase his network's speed except purchase new equipment.
  146. A, C, E. The 2.4 GHz band used by Wireless Local Area Networks (WLANs) consists of channels that are 20 (or 22) MHz wide. However, the channels are only 5 MHz apart, so there is channel overlap that can result in interference. Channels 1, 6, and 11 are the only channels that are far enough apart from each other to avoid any overlap with the adjacent channels. Channels 4 and 8 are susceptible to overlap.
  147. A. Specifying the wrong passphrase for the encryption protocol is the most common cause of a failure to connect to the network with no indication of an error. Incorrect antenna placement and channel overlap could result in a weak signal or no signal, either of which would be indicated in the Available Networks list. An incorrect Service Set Identifier (SSID) is not likely to be the error, as long as Ralph selected the AP from the list.
  148. B, D, E. Interference resulting from channel overlap, a weak signal due to incorrect antenna polarization, and signal loss due to antenna cable attenuation could render the workstation unable to make contact with the AP. An incorrect passphrase would not be the problem unless Ralph had already seen the AP and attempted to connect to it. An incorrect Service Set Identifier (SSID) would be the problem only if Ralph had already attempted to manually enter an SSID.
  149. C. A patch antenna is a flat device that transmits signals in a half-spherical pattern. By placing the antenna against the building's outer wall, Ralph can provide coverage inside the building and minimize coverage extending to the outside. A dipole antenna is another name for the omnidirectional antenna usually provided with an AP. A unidirectional antenna directs signals in a straight line, which would not provide the coverage Ralph needs. A Yagi antenna is a type of unidirectional antenna.
  150. A, D. Greater distance from the AP or interference from intervening walls can both cause a weakening of wireless signals, resulting in the intermittent connectivity that Trixie is experiencing. An incorrect Service Set Identifier (SSID) would prevent Trixie's laptop from ever connecting to the network. An omnidirectional antenna generates signals in every direction, which would not account for Trixie's problem.
  151. B. It is possible that the WAP has been configured to not broadcast the network's SSID as a security measure, so Alice should first attempt to access it by typing the SSID in manually. She would not be able to type in the WPA2 passphrase until she is connecting to the SSID. Moving the laptop closer to the WAP or away from possible sources of electromagnetic interference might be solutions to the problem, but they should not be the first thing Alice tries.
  152. D. The most likely cause of Alice's problem is that she has selected an incorrect encryption protocol. Wired Equivalent Privacy (WEP) is still provided as an option on many wireless devices, but it has long since been found to be insecure and is almost never used. Alice should try selecting the other security types that enable her to enter her passphrase, such as WiFi Protected Access II (WPA2). Although the other options are possible causes of the problem, encryption protocol mismatch is the most likely cause.
  153. D. Wireless Local Area Network (WLAN) equipment built to the 802.11a standard can only use the 5 GHz frequency. However, an 802.11g AP can only use the 2.4 GHz frequency. Therefore, the network adapters cannot connect to Ralph's AP.
  154. B. The 802.11b and 802.11g standards do not support 5 GHz communications. Configuring the AP to support 2.4 GHz is the only way for the 802.11g computers to connect to the network. The 5 GHz band does support automatic channel selection, so there is no need to configure the channel on each laptop manually. The 5 GHz band does support MIMO, and the 802.11n laptops should be able to connect. Replacing the adapters with 802.11g will prevent them from connecting, as that standard does not support 5 GHz communications. The 802.11a standard does support the 5 GHz band, and those laptops should be able to connect.
  155. D. As wireless computers move farther away from the AP, their signals attenuate (weaken), their Received Signal Strength Indicators (RSSIs) go down, and the maximum speed of their connections drops. If the computers were using a different encryption protocol than the AP, there would be no connection at all, not a diminished connection speed. An SSID mismatch would cause the computers to connect to a different network, not necessarily connect at a slower speed. If the computers had 802.11a adapters, they would fail to connect to the AP at all, because 802.11a requires the use of the 5 GHz frequency band, and 802.11g uses 2.4 GHz.
  156. B. Replacing the AP with an 802.11n model is not going to have any effect at all unless you upgrade the computer's network adapter as well. Installing a higher gain antenna on the AP can improve its range, enabling the computer to connect more readily. Moving the computer closer to the AP can strengthen the signal and raise its Received Signal Strength Indicator (RSSI), enabling it to connect more reliably. Changing the channel on the AP to a less-used one can enable the computer to connect more easily.
  157. C. Disabling Service Set Identifier (SSID) broadcasts will not defeat dedicated attackers, but it can prevent casual intruders from accessing the network. Media Access Control (MAC) filtering would require Ed to configure the AP with the MAC addresses of all devices that will access the network, which would be impractical in this case. The network is unsecured, so there is no passphrase to change, and a frequency change will have no effect on the problem.
  158. D. Absorption is a type of interference that occurs when radio signals have to pass through barriers made of dense materials, such as concrete or cinderblock walls. The density of the material's molecular structure causes the radio signals to be partially converted to heat, which weakens them. Reflection is when signals bounce off of certain surfaces, such as metal. Refraction is when signals bend as they pass through certain barriers, such as glass or water. Diffraction is when signals have to pass around barriers to reach a particular destination. All of these phenomena can weaken the radio signals used in wireless networking, but absorption is the primary problem for Alice in this case.
  159. A. The closer the users are to the AP, the stronger the signals will be. Installing an additional AP nearer to the executive offices will likely enable the signals to pass through the barriers more efficiently. The channel used by the AP, the standard on which the AP is based, and the broadcasting of Service Set Identifier (SSID) signals have no effect on the strength of the signals reaching the executive offices and will not resolve Ralph's problem.
  160. D. Absorption is a type of interference that occurs when radio signals have to pass through barriers made of dense materials, such as walls and doors. In this case, the construction of the barriers has made them more formidable. Reflection is when signals bounce off of certain surfaces, such as metal. Refraction is when signals bend as they pass through certain barriers, such as glass or water. Diffraction is when signals have to pass around barriers to reach a particular destination. All of these phenomena can weaken the radio signals used in wireless networking, but absorption is the primary problem for Ralph in this case.
  161. B, D. Attenuation is the tendency of signals to weaken as they travel through a network medium. In the case of a wireless network, the medium is the air, and the farther away a wireless device is from the Access Point (AP), the weaker the signal will be. Refraction is when signals bend as they pass through certain types of barriers, such as the glass walls of conference rooms. The bending changes the direction of the signals, possibly causing them to weaken in the process. Reflection is when signals bounce off of certain surfaces, such as metal. Diffraction is when signals have to pass around barriers to reach a particular destination. All of these phenomena can weaken the radio signals used in wireless networking, but attenuation and refraction are likely to be the primary problems for Ralph in this case.
  162. A, C. The 802.11ac and 802.11g wireless networking standards are fundamentally incompatible. The 802.11g AP uses the 2.4 GHz band, and the user's 802.11ac laptop uses the 5 GHz band. Therefore, the only possible solutions are to install an 802.11ac AP or an 802.11g network adapter. Changing channels on the WAP and moving the user will have no effect on the problem.
  163. D. The use of an incorrect wireless security protocol is a well-known source of errorless connection failures, so checking this will most likely enable Ed to locate the source of the problem. Channel overlap is a problem that Ed would check and resolve at the Access Point (AP), not the users' workstations. It is not possible to change the frequency on the WAP because the 802.11g standard only supports the 2.4 GHz frequency. Although signal interference could conceivably be the cause for a connection failure, the users can see the network, so this is probably not the problem.
  164. A, B, C. Moving the Wireless Access Point (WAP) to the center of the building will keep as much of its operational range inside the structure as possible. If the signals still reach outside the building, Ed can reduce the power level of the WAP until the network is only accessible inside. Disabling SSID broadcasts will not defeat dedicated attackers, but it can prevent casual intruders from accessing the network. MAC filtering would require Ed to configure the WAP with the MAC addresses of all devices that will access the network, which would be impractical in this case. Installing a captive portal would not block outside users unless Ed configures the portal to require user authentication, which defeats the purpose of the guest network.
  165. B, C. The first steps Alice should take are the simplest ones: make sure that the wireless interface in the user's laptop is turned on and that she is attempting to connect to the correct SSID for the company network. Changing the channel would not be necessary unless other users in the area are also having problems due to interference. The 802.11n wireless networking standard is backward compatible with 802.11g, so it should not be necessary to provide the user with a new network adapter.
  166. C. If the users are losing their connections due to interference from other types of devices, changing the channel alters the frequency the network uses and can enable it to avoid the interference. The other options are not likely to affect any condition that would cause users to drop their connections.
  167. B, D. Of the options provided, the ones most likely to be causing the problem are the use of an incorrect Service Set Identifier (SSID) or encryption protocol. Although signal interference could possibly be a cause, it is more likely that the new users have devices that are incorrectly configured for Ed's network. Channel overlap is a problem that Ed would check and resolve at the Access Point (AP), not the users' workstations.
  168. D. WPA has been found to be vulnerable, and WPA2 was designed to address those vulnerabilities, so Ralph should use WPA2 instead of WPA. Suppressing SSID broadcasts does not prevent users from connecting to the network, and MAC filtering strengthens security without exposing MAC addresses to undue risk.
  169. C. The 2.4 GHz band used by Wireless Local Area Networks (WLANs) consists of channels that are 20 (or 22) MHz wide. However, the channels are only 5 MHz apart, so there is channel overlap that can result in interference, possibly causing long AP association times and degraded performance. Channels 1, 6, and 11 are the only channels that are far enough apart from each other to avoid any overlap with the adjacent channels. This is why they are often recommended. However, in Ralph's case, these channels are too crowded with other networks. Ralph should therefore use a channel that is as far as possible from the crowded ones. Channels 2, 5, and 10 are all immediately adjacent to a crowded channel, but channel 9 is at least two channels away from the nearest crowded channel. Therefore, Ralph should configure his equipment to use channel 9.
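The channel arithmetic behind answers 146 and 169, as an added Python example (not from the book): it derives the 1/6/11 non-overlapping set from the 5 MHz spacing and 22 MHz width stated above, lists which channels a given channel overlaps, and picks the candidate farthest from a set of crowded channels.

```python
"""Why channels 1, 6 and 11 are the non-overlapping set (answer 146) and why
channel 9 is the best pick when those are crowded (answer 169).
Added example, not from the book."""

CHANNEL_1_CENTRE_MHZ = 2412   # centre frequency of channel 1
CHANNEL_SPACING_MHZ = 5       # successive channel centres are 5 MHz apart
CHANNEL_WIDTH_MHZ = 22        # 802.11b channel width; 802.11g is about 20 MHz, but
                              # 22 MHz is the figure behind the 1/6/11 recommendation
CHANNELS = range(1, 14)       # channels 1-13; channel 14 (2484 MHz) is a special case


def centre_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (1-13)."""
    return CHANNEL_1_CENTRE_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_frequency(a) - centre_frequency(b)) < CHANNEL_WIDTH_MHZ


def overlapping_channels(channel: int) -> list:
    """All other channels whose spectrum overlaps the given one."""
    return [c for c in CHANNELS if c != channel and channels_overlap(channel, c)]


def non_overlapping_set() -> list:
    """Greedy choice, lowest channel first, of channels that do not overlap each other."""
    chosen = []
    for ch in CHANNELS:
        if not any(channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def least_crowded_channel(candidates, crowded) -> int:
    """Candidate whose nearest crowded channel is farthest away (lowest channel on ties)."""
    def distance_to_crowd(ch):
        return min(abs(ch - c) for c in crowded)
    return max(candidates, key=lambda ch: (distance_to_crowd(ch), -ch))


if __name__ == "__main__":
    print("non-overlapping set:", non_overlapping_set())                          # [1, 6, 11]
    print("channel 4 overlaps:", overlapping_channels(4))                         # [1, 2, 3, 5, 6, 7, 8]
    print("best free channel:", least_crowded_channel([2, 5, 9, 10], [1, 6, 11]))  # 9
```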
  170. B. Effective Isotropic Radiated Power (EIRP) is a measurement of the signal strength generated by an access point (or other radio transceiver) with a particular antenna. Received Signal Strength Indicator (RSSI) is a measurement of the strength of the signal received by a device from an access point. Service Set Identifier (SSID) is a designation assigned to a specific wireless network, which appears in the Available Networks list of a WiFi client. Multiple Input, Multiple Output (MIMO) is a technology used by some IEEE wireless networking standards to increase throughput by using multiple antennae.
  171. C. Because the customer can access the other two computers in the house, Ed knows that her Internet Protocol (IP) address and subnet mask are properly configured, that the network cable is plugged in and functional, and that a switching loop is not preventing access to the Internet. Ed also knows that the computer's Domain Name System (DNS) record does not play a role in outgoing connections. The problem is most likely in the default gateway because the gateway address the customer specified is on another network, 172.16.43.0, rather than on her own network, 172.16.41.0.
  172. D. The problem is most likely incorrect Access Control List (ACL) settings. Because the computers are all able to access the Internet, their Transmission Control Protocol/Internet Protocol (TCP/IP) settings, including their IP addresses, subnet mask, and default gateway address, must be correct. However, if the users do not have the correct permissions in the ACLs of the filesystem shares, they will not be able to access the shares over the network.
  173. B. Because Alice is able to access the server and open the spreadsheet file, the problem is not related to blocked ports, firewall settings, or an untrusted certificate. The problem is most likely that though she has the necessary filesystem ACL permissions to open and read the file, she does not have the permissions needed to modify it.
  174. D. The address 169.254.199.22 is from the 169.254.0.0/16 network address assigned to Automatic Private Internet Protocol Addressing (APIPA), a standard for the assignment of IP addresses to DHCP clients when they cannot obtain an address from a DHCP server. 127.0.0.1 is the standard IP loopback address. 240.15.167.251 is from the 240.0.0.0 network address, which is reserved for experimental use. Neither of these is ever assigned by DHCP. 255.255.255.0 is not an IP address at all; it is a subnet mask.
  175. B. The Default Gateway setting should contain the address of a router on the local network that provides access to other networks, such as the Internet. In this case, therefore, the Default Gateway address should be on the 192.168.4.0 network, but it contains an address on the 192.18.6.0 network, which is not local. Therefore, the user can only access systems on the 192.168.4.0 network. The Subnet Mask setting must be correct, or the user would not be able to access any other systems. Unlike the default gateway, the Domain Name System (DNS) server does not have to be on the local network, so the address shown can be correct. Dynamic Host Configuration Protocol (DHCP) is not necessary to access the Internet.
  176. C. The 169.254.203.42 address assigned to the workstation is from the 169.254.0.0/16 network address assigned to Automatic Private Internet Protocol Addressing (APIPA), a standard for the assignment of Internet Protocol (IP) addresses to Dynamic Host Configuration Protocol (DHCP) clients when they cannot obtain an address from a DHCP server. Since no one else is experiencing a problem, the DHCP server is presumably functioning. The Subnet Mask value is correct for an APIPA address, and APIPA does not provide Default Gateway or Domain Name System (DNS) server addresses. Therefore, an exhausted DHCP scope is the only one of the explanations provided that could be the cause of the problem.
  177. B. For a computer connected to the 192.168.32.0/20 network, the Subnet Mask value should be 255.255.240.0, not 255.255.255.0, as shown in the ipconfig output. The IPv4 Address, Default Gateway, and Domain Name System (DNS) Servers settings are appropriate for the network. The workstation apparently has Dynamic Host Configuration Protocol (DHCP) disabled, so it has not retrieved appropriate Internet Protocol (IP) address settings from the DHCP server.
  178. B. The Dynamic Host Configuration Protocol (DHCP) client on the workstation is enabled, but the Internet Protocol (IP) address assigned to the workstation is not from the 192.168.4.0/24 network. The assigned address is not an Automatic Private Internet Protocol Addressing (APIPA) address, nor is it expired, so the only conclusion is that there is a rogue DHCP server on the network assigning addresses from a wholly different subnet.
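A small Python checker for the misconfiguration patterns in answers 171 and 174 through 178, as an added example that is not from the book: it flags APIPA and reserved addresses, a gateway outside the local subnet, a wrong mask for the expected prefix, and a DHCP lease from an unexpected subnet. The network addresses come from the answers above; the host parts in the sample scenarios are constructed.

```python
"""Sanity checks for a workstation's IPv4 settings, covering the fault patterns
in answers 171 and 174-178. Added example, not from the book; host addresses
in the scenarios below are constructed."""
import ipaddress

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")      # self-assigned when no DHCP lease
EXPERIMENTAL_NET = ipaddress.ip_network("240.0.0.0/4")  # reserved, never assigned by DHCP


def diagnose(ip, mask, gateway=None, expected_network=None, dhcp_enabled=False):
    """Return a list of findings; an empty list means the settings are consistent
    with each other and with the expected network (if one is given)."""
    findings = []
    addr = ipaddress.ip_address(ip)
    local = ipaddress.ip_interface(f"{ip}/{mask}").network  # network implied by ip + mask

    # Addresses no DHCP server should ever hand out (answer 174)
    if addr.is_loopback:
        findings.append("loopback address is not a usable network address")
    if addr in EXPERIMENTAL_NET:
        findings.append("address is in the reserved 240.0.0.0/4 experimental range")

    # APIPA means no lease was obtained: server unreachable or scope exhausted (answer 176)
    if addr in APIPA_NET:
        findings.append("APIPA address: no DHCP lease obtained (server unreachable or scope exhausted)")
        return findings  # the remaining settings are meaningless without a lease

    if expected_network is not None:
        expected = ipaddress.ip_network(expected_network)
        if addr not in expected:
            if dhcp_enabled:
                # DHCP is on and the address is a real lease, but from the wrong subnet (answer 178)
                findings.append(f"DHCP lease {addr} is not from {expected}: possible rogue DHCP server")
            else:
                findings.append(f"static address {addr} is not on {expected}")
        elif local.prefixlen != expected.prefixlen:
            # Right address, wrong mask, e.g. /24 configured on a /20 network (answer 177)
            findings.append(f"subnet mask {mask} gives /{local.prefixlen}; "
                            f"expected {expected.netmask} (/{expected.prefixlen})")

    # The default gateway must be a router interface on the local network (answers 171 and 175)
    if gateway is not None and ipaddress.ip_address(gateway) not in local:
        findings.append(f"default gateway {gateway} is not on local network {local}")

    return findings


if __name__ == "__main__":
    # Constructed scenarios mirroring the answers; networks as given, hosts invented
    scenarios = {
        "171 gateway on 172.16.43.0": diagnose("172.16.41.10", "255.255.255.0", "172.16.43.1"),
        "174 experimental address": diagnose("240.15.167.251", "255.255.255.0"),
        "175 gateway on 192.18.6.0": diagnose("192.168.4.25", "255.255.255.0", "192.18.6.1",
                                             "192.168.4.0/24"),
        "176 APIPA address": diagnose("169.254.203.42", "255.255.0.0", None,
                                      "192.168.4.0/24", dhcp_enabled=True),
        "177 /24 mask on /20 network": diagnose("192.168.32.50", "255.255.255.0",
                                                "192.168.32.1", "192.168.32.0/20"),
        "178 lease from foreign subnet": diagnose("10.20.30.40", "255.255.255.0", "10.20.30.1",
                                                  "192.168.4.0/24", dhcp_enabled=True),
        "healthy workstation": diagnose("192.168.4.25", "255.255.255.0", "192.168.4.1",
                                        "192.168.4.0/24", dhcp_enabled=True),
    }
    for name, result in scenarios.items():
        print(f"{name}: {result or 'OK'}")
```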
  179. D. The autonegotiation mechanism is not the problem, nor is the pinout standard or Ralph's wire pair selection. The speed autonegotiation mechanism in Gigabit Ethernet uses only two wire pairs, so although the Light-Emitting Diodes (LEDs) do light up successfully, a functional Gigabit Ethernet data connection requires all four wire pairs.
  180. D. Cable runs are traditionally wired “straight through”; that is, with the transmit pins at one end wired to the transmit pins at the other end. It is the switch that is supposed to implement the crossover circuit that connects the transmit pins to the receive pins. Cable runs wired using T568A at one end and T568B at the other end create a crossover circuit in the cable run. At one time, this would have been a serious problem, but today's switches automatically configure crossover circuits as needed, so they will adjust themselves to adapt to the cable runs. All of the other options would correct the problem, but doing nothing is certainly the easiest and best option.
  181. A. The problem is unlikely to be a bad hub port or a bad cable, so moving the cable from port 4 to port 2 will not help. The problem is the crossover circuit between the two computers. The two systems were once connected directly together, which means that Ralph was using a crossover cable. The hub also provides a crossover circuit (except in the X port), and old hubs often do not autonegotiate crossovers. Therefore, the connection has two crossovers, which is the equivalent of wiring transmit pins to transmit pins, instead of transmit pins to receive pins. All of the other options eliminate one of the crossover circuits, enabling the computers to be wired correctly.
  182. B. Older Ethernet hubs do not autonegotiate crossovers. Instead, they have an X (or uplink) port that provides a connection without a crossover circuit, so you can connect one hub to another. If both of the cables had been standard straight-through Ethernet cables or if both had been crossover cables, then plugging them into two regular ports should have worked. Because plugging one cable into the X port worked, this means that only one of the cables must be a crossover cable. The problem, therefore, was the cable, not the port. The X port does not provide extra strength to the signals.
  183. B. A bent pin on one of the 12th computer's connections would cause a break in the bus, essentially forming two networks that operate independently. The failure to terminate or ground the network would not produce this type of fault. Reversing the transmit and receive pins is not possible on a coaxial connection, due to the architecture of the cable.
  184. A, B. An open circuit is caused either by a break in the wire somewhere inside the cable or a bad connection with the pin in one or both connectors. A short is when a wire is connected to two or more pins at one end of the cable or when the conductors of two or more wires are touching inside the cable. In this instance, the damage to the cables could have resulted in either condition. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Having transposed pairs is a fault in which both of the wires in a pair are connected to the wrong pins at one end of the cable. Both of these faults are the result of incorrect wiring during installation; they are not caused by damaged cables.
  185. A. Crosstalk is a type of interference that occurs on copper-based networks when a signal transmitted on one conductor bleeds over onto another nearby conductor. Twisted-pair cables, which have eight or more conductors compressed together inside one sheath, are particularly susceptible to crosstalk. Twisting each of the separate wire pairs tends to reduce the amount of crosstalk to manageable levels. Twisting the wire pairs does not prevent signals from being affected by electromagnetic interference (EMI) or attenuation. Latency is a measurement of the time it takes for a signal to travel from its source to its destination.
  186. D. Either the T568A or the T568B pinout standard is acceptable. The patch cables will function properly as long as both ends are wired using the same pinout standard.
  187. C. Crosstalk is a type of interference that occurs on copper-based networks when a signal transmitted on one conductor bleeds over onto another nearby conductor. Twisted-pair cables, which have eight or more conductors compressed together inside one sheath, are particularly susceptible to crosstalk. Twisting each of the separate wire pairs tends to reduce the amount of crosstalk to manageable levels. Untwisting the pairs leaves them more susceptible to crosstalk. Jitter, attenuation, and electromagnetic interference (EMI) are all conditions that can affect the performance of a wired network, but they are not directly related to untwisted wire pairs.
  188. A, C. In this scenario, the user was previously able to connect to the network. There have been no hardware or software changes to the computer. These factors indicate that there is possibly a physical layer problem, such as a loose cable, a faulty cable, a bad switch port, or a bad network interface adapter in the computer. Since the user's cable previously worked, there is no need to verify that it is pinned and paired properly, and crossover cables are not used to connect workstations to switches. The first thing Ed should do is verify that all cable connections are secure. If he finds a loose cable and the link pulse LED lights up when he reseats it, then the cable was the problem. If the link pulse LED does not light, Ed should replace the existing cable with a straight-through cable that is known to be good. If the LED lights up, the existing cable was probably faulty. If the LED does not light up, Ed should suspect a faulty network interface adapter or switch port and try moving the cable to a port on the switch that is known to function. If the connection works, the problem is probably a failed switch port. If the connection still does not work, then the fault is probably the network interface adapter in the user's computer.
  189. C, D. Option A is the T568B pinout, and option B is the T568A pinout. Both of these are correct and may be used. Options C and D are both incorrect and can result in excessive amounts of crosstalk.
  190. C. In this scenario, some, but not all, users on VLAN2 cannot connect to local and remote resources. Since users connected to other switches within the same VLAN and on other VLANs are not reporting any problems, the router is not the issue. This also excludes a VLAN2 configuration problem because this would affect the VLAN2 users on all of the switches. VLAN3 and VLAN4 users can communicate through the router, so they are also not the problem. The likeliest problem is the common component, which is the switch to which the VLAN2 users experiencing the outage are connected.
  191. A. In this scenario, only users on one LAN are experiencing problems connecting to the Internet and other internal LANs. This isolates the problem to a component within that LAN only. Since users can connect successfully to local resources, the problem does not lie within the individual computers, the switch that connects the users to the network, or the backbone network cable. The likeliest problem is in the router connecting the problem LAN to the backbone network. Since users on the other internal LANs are not reporting problems connecting to the Internet, the problem most likely does not involve the Internet router.
  192. D. Internet Group Management Protocol (IGMP) snooping is a switching technique that prevents network hosts from receiving multicast packets when they are not members of the multicast group. The multicast traffic will still appear on the network, but only the members of the multicast group will process the packets. Asymmetric routing and multipathing both affect the route that the packets take through the network, and flow control only affects the speed at which transmitting systems send packets. None of these can control which hosts process the incoming packets.
  193. B. In this scenario, all of the internal users are experiencing problems connecting to the Internet, so the router that provides access to the Internet is the suspected component. Since users can connect to resources on the internal LANs, the problem probably is not in any of the routers connecting the LANs to the backbone or the backbone cable itself. This also eliminates the probability that the switches on the LANs are the problem.
  194. A, B, C. Ed will first have to change the Internet Protocol (IP) addresses. This is because the computers on the other side of the router, on the screened subnet, must use an IP network address that is different from the internal network's address. Next, Ed will have to change the default gateway address setting on the internal network computers to the address of the router so that traffic can be directed to the screened subnet. Finally, Ed will have to update the resource records on the Domain Name System (DNS) server to reflect the IP address changes. Media Access Control (MAC) addresses are hard-coded into network interface adapters and are not easily changed.
  195. C. The problem is most likely the default gateway address, which directs all traffic intended for the Internet to the cable modem/router. If that address is incorrect, the traffic will never reach the router. Because the computer can access the other two systems on the local network, the Internet Protocol (IP) address and subnet mask are not the problem. It is not necessary (and not always possible) to change the Media Access Control (MAC) address on a Windows workstation.
  196. D. Because Ed can connect to WebServ1 successfully, the problem is not an unresponsive service or blocked ports on the server. The problem is not a name resolution failure because Ralph can successfully ping WebServ1 by name. Therefore, of the options listed, the only possible problem must be that the firewall on Ralph's workstation is not configured to allow the remote desktop client's traffic out.
  197. C. When a Dynamic Host Configuration Protocol (DHCP) client is offered an Internet Protocol (IP) address by a DHCP server, the client broadcasts Address Resolution Protocol (ARP) requests using that address before accepting it. If another computer on the local network is using the offered address, that computer responds to the ARP request, and the DHCP client declines the address. The DHCP server then offers another address. Domain Name System (DNS) queries and routing table checks are not reliable means of checking for duplicate IP addresses. It is possible to have two DHCP servers on the same local network, but they must be configured with scopes that do not overlap.
  198. C. If someone on the network is spoofing the Media Access Control (MAC) address of Ed's workstation, the MAC address table in the switch handling the network traffic might be continually changing as packets from each computer reach the switch. This could cause some of the response packets to be forwarded to Ed's workstation and some to the spoofer's workstation. Duplicate IP addresses would not cause this problem, because they would be detected by the operating system. Blocked Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, incorrect firewall settings, or a flood of multicast transmissions could prevent Ed from receiving responses, but they would not cause the responses to be sent to another workstation.
  199. B. Operating systems detect duplicate IP addresses immediately and display error messages or notifications on the computers involved. Therefore, the user with the problem would have been informed immediately if another system were using her IP address. All of the other options are possible causes of the problem that are more difficult to troubleshoot.
  200. B. The users' browsers are failing to resolve the hostnames of the requested websites into Internet Protocol (IP) addresses, which they must do before they can connect to the web servers. By asking where the company's DNS server is located, Ralph can determine if the problem is the DNS server itself or the router that provides access to the Internet. If the DNS server is located on Adatum's company network, then the DNS server could be failing to resolve the website names. However, the DNS server could be located on the Internet Service Provider's (ISP's) network, in which case the problem might be in the router that provides access to the ISP's network.
  201. B. Attenuation is the weakening of the signals as they traverse the network medium. In this case, the problem is most likely the result of cable runs that exceed the 100-meter maximum defined in the Ethernet twisted-pair specification. Therefore, shortening the cable runs is likely to solve the problem. All of the Ethernet twisted-pair specifications have a 100-meter maximum length, so running the network at a slower speed, installing a higher-grade cable, and installing higher-end network adapters might have no effect if the runs are overly long.
  202. A. Elevator machinery, fluorescent light fixtures, and other electrical devices in an office environment can generate magnetic fields, resulting in electromagnetic interference (EMI). When copper-based data cables are located too near such a device, the magnetic fields can generate an electric current on the cable that interferes with the signals exchanged by network devices. If the network users experience a problem every time the elevator machinery switches on, EMI is a likely cause of the problem. Near-end crosstalk (NEXT), far-end crosstalk (FEXT), and attenuation can all cause intermittent network communication problems, but they cannot be caused by elevator machinery.
  203. B, D. It is common practice on many networks to disable switch ports that are not in use so that unauthorized individuals cannot plug devices into them. Some networks also use port security, in which switches are configured with Access Control Lists (ACLs) that specify the Media Access Control (MAC) addresses of devices that are permitted to use them. Either of these could be the source of Ralph's problem. Because there are no other network users reporting problems, malfunctioning services such as Network Address Translation (NAT) and Domain Name System (DNS) are not likely to be the cause.
  204. A. A duplex mismatch is the most likely of the options. Ethernet running over twisted-pair cable, in its original half-duplex mode, detects collisions by looking for data on the transmit and receive pins at the same time. In full-duplex mode, data is supposed to be transmitted and received at the same time. When one side of a connection is configured to use full duplex and the other end is configured to use half duplex, the full-duplex communications on the one side look like collisions to the half-duplex side. The half-duplex adapter transmits a jam signal as a result of each collision, which causes the full-duplex side to receive an incomplete frame. Both sides then start to retransmit frames in a continuing cycle, causing network performance to diminish drastically. If the problem were a crossover cable or a disabled switch port, the link pulse LED would not light. Outdated drivers would not be likely to slow network performance, and if they did, the slowdown would be minor.
  205. C. Green LEDs indicate the device is running at the full speed supported by the switch, whereas orange LEDs indicate that the device is running at a reduced speed. If no device is connected, the LED does not illuminate at all. The LED does not indicate the occurrence of collisions or the type of device connected to the port.
  206. A. If the time on the domain controller at the new office is more than five minutes off from the time held by the domain controller at the home office, then the new domain controller will not sync. Duplicate Internet Protocol (IP) addresses or an incorrect default gateway address would prevent the new domain controller from connecting to the home office network at all. A server hardware failure would manifest as an outage far more serious than a domain controller synchronization issue.
  207. C. Ralph's new computer is probably equipped with a network adapter that supports at least Fast Ethernet (100Base-TX). Fast Ethernet and newer network adapters support autonegotiation of the connection speed, but 10Base-T does not. Therefore, if the computer tries to negotiate a connection speed with the 10Base-T hub, it will fail and run at its default speed, which the hub does not support. By manually configuring the adapter in the computer to run at 10 Mbps, it should be able to communicate with the network. Setting the computer's adapter to run at 100 Mbps will not change anything. It is not possible to change the speed of a 10Base-T hub.
  208. A. Only Domain Name System (DNS) servers perform FQDN resolutions, so that is likely to be the source of the problem. It is possible to ping a device on the local network using its computer name without the use of DNS. Electromagnetic interference (EMI) would inhibit all network communication, and Access Control Lists (ACLs) have no effect on ping tests. Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to clients; it does not resolve FQDNs.
  209. D. Since only one user is reporting the problem, the user's computer is the likeliest source of the problem. The user has probably changed or removed the WINS server address. If the user is working with an incorrect WINS address, he can access local network resources but not resources on another internal LAN. Also, he can access resources on the Internet, which means the Internet router and the DNS server are not the problem.
  210. C. The 169.254.0.0/16 network is used by Automatic Private Internet Protocol Addressing (APIPA), a standard that provides Dynamic Host Configuration Protocol (DHCP) clients with an Internet Protocol (IP) address when they cannot contact a DHCP server. Unknown to Ralph, the DHCP server on his network has been down for over a week, and the users' IP address leases have begun to expire. This causes them to revert to APIPA addresses. Multiple users changing their IP addresses would not result in them all using the same network address. A rogue DHCP server would not be likely to deploy APIPA addresses to clients. Malware infections that modify IP addresses are rare.
  211. D. For the link pulse LED on the switch port to light up, there must be a completed connection between the switch and a computer at the other end. None of the other options will cause the LED to light.
  212. B. Because Ed knows that the network workstations should be using DHCP to obtain their IP addresses, the best thing to do is to enable the DHCP client and close the ticket rather than configure the system with another static address. There is no indication that there is a rogue DHCP server on the network since the workstation's DHCP client is disabled. This is not the first time that Ed has had a user lie to him, nor will it be the last. He should just let it go and work on addressing the problem.
  213. B, D. The solution should call for Ralph to create a Virtual Local Area Network (VLAN) on the ADSL router that matches the VLAN that the network switch port is using. Therefore, he should create a VLAN4 on the router and assign a port to it, which will be the port Ralph uses to connect the router to the network switch. There is no need to create a VLAN1 on the network switch, because all switches have a default VLAN called VLAN1. Modifying the VLAN assignments on the network switch is not a good idea, because it might interfere with the existing VLAN strategy in place.
  214. A, B. Ralph could purchase a license upgrade for the router that would enable him to create a VLAN4. However, the simpler and less expensive solution would be to create a VLAN2 on the switch. As long as both ends of the cable are plugged into ports using the same Virtual Local Area Network (VLAN), the router should be able to service the network. Configuring the devices to use the default VLAN1 might interfere with the existing VLAN strategy.
  215. A. For the website's Secure Sockets Layer (SSL) certificate to be trusted, it must be signed by a source that both parties in the transaction trust. Many security firms are in the business of providing SSL certificates to companies that have provided them with confirmation of their identities. This is what Ralph must do to prevent the error message from appearing to the company's clients. Creating a self-signed certificate or installing a certification authority in-house is not sufficient and is probably already the cause of the problem. Users are not likely to be convinced that everything is all right.
  216. B, D. The route tool, with the print parameter, displays the contents of the routing table on a Windows computer. So does the netstat -r command. The nbtstat and nslookup tools cannot display the routing table.
  217. D. To access the Internet, the workstation's routing table must include a default gateway entry. To create a default gateway entry in the routing table, you use the route add command with a Network Destination value of 0.0.0.0, a MASK value of 0.0.0.0, and the address of a router on the local network (in this case, 192.168.2.99). The entry must also have a METRIC value that is lower than the other entries in the table so that it will be used first.
  218. A. The most likely cause for the slowdown is a broadcast storm. DHCP relies on broadcast messages to assign IP addresses to users, so 500 users all turning on their computers at 9:00 a.m. can generate an abnormally high number of broadcast packets. This can degrade network performance until all of the users have completed their DHCP address assignments. Routing loops, switching loops, and asymmetric routing can degrade network performance, but the degradation would not be limited to the early morning hours. A rogue DHCP server can cause problems but not the one described here.
  219. C. Alice's calculations are called an optical link budget. By adding up the various loss factors in decibels (dB), she can determine whether the budget is low, resulting in communication problems over the link. Protocol analysis is an examination of network packet contents. A routing loop is a condition in which packets are circulating endlessly around a network. RSSI is a wireless networking statistic that does not apply to fiber-optic connections.
  220. D. On all of the servers, NTP uses the well-known User Datagram Protocol (UDP) port 123 for its communications with a Coordinated Universal Time (UTC) server. If a server's firewall is blocking that port, it cannot synchronize its clock time. If the domain controllers have clocks that are not synchronized, their data synchronization processes can be affected. The problem is not a name resolution failure, an unresponsive database service, or incorrect Transmission Control Protocol/Internet Protocol (TCP/IP) settings because other server functions are not affected.

Chapter 6: Practice Exam 1

  1. A, C, D. The three-tier hierarchical architecture for datacenters consists of core, distribution, and access layers. The access layer in a datacenter contains servers, the distribution layer contains redundant switch connections, and the core layer provides high-speed transport between the switches. There is no intermediate layer in the architecture.
  2. B. An Acceptable Use Policy (AUP) specifies whether and how employees can use company-owned hardware and software resources. AUPs typically specify what personal work employees can perform while on the job, what hardware and software they can install, and what levels of privacy they are permitted when using company equipment. This is the document that will most likely include the information you seek. A Service Level Agreement (SLA) is a contract between a provider and a subscriber. A Non-Disclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company. Bring Your Own Device (BYOD) is a policy that specifies how employees can connect their personal devices to the company network.
  3. A. There are many possible causes for the problem that are more likely than a router configuration error, so this is not something you should check first. Asking if the user can access the local network attempts to isolate the problem. If she cannot, the problem could be in her computer; if she can, then the problem lies somewhere in the Internet access infrastructure. If other users are experiencing the problem, then the issue should receive a higher priority, and you will know for sure that the problem does not lie in the user's computer. While the user's job title might not be the first thing you check, it is a political reality that higher-ranking users get preferential treatment.
  4. B. Biometric scans, identification badges, and key fobs are all mechanisms that are designed to distinguish authorized from unauthorized personnel. Motion detection cannot make this distinction and is therefore not a means of preventing unauthorized access.
  5. C. The problem is most likely the result of a duplex mismatch. There should be no collisions on a full-duplex network, so the problem is clearly related to the duplexing of the communications. A twisted-pair Ethernet adapter, running in its original half-duplex mode, detects collisions by looking for data on both the transmit and receive pins at the same time. In full-duplex mode, however, data is supposed to be transmitted and received at the same time. When one side of a connection is configured to use full duplex, as the new computers are, and the other end is configured to use half duplex (as the network switches must be), the full-duplex communications on the one side look like collisions to the half-duplex side. The half-duplex adapter transmits a jam signal as a result of each collision, which causes the full-duplex side to receive an incomplete frame. Both sides then start to retransmit frames in a continuing cycle, causing network performance to diminish alarmingly. The ping tests do not detect a problem, because ping transmits only a small amount of data in one direction at a time. All of the other options would likely cause the ping tests to fail. The solution to the problem is to configure the new computers to autonegotiate their speed and duplex modes.
  6. B. An ad hoc topology (also known as an independent basic service set) is one in which wireless computers communicate directly with one another without the need for an access point. A Wireless Access Point (WAP) is a device with a wireless transceiver that also connects to a standard cabled network. Wireless computers communicate with the access point, which forwards their transmissions over the network cable. This is called an infrastructure topology. Star and bus topologies are not used by wireless networks; they require the computers to be physically connected to the network cable.
  7. C. A multilayer switch is a network connectivity device that functions at both layer 2 and layer 3 of the Open Systems Interconnection (OSI) model. At layer 2, the data link layer, the device functions like a normal switch, providing an individual collision domain to each connected node and enabling you to create multiple VLANs. At layer 3, the network layer, the device also provides routing capabilities by forwarding packets between the VLANs. Virtual routers, load balancers, and broadband routers are strictly layer 3 devices that can route traffic but cannot create VLANs.
  8. B, C, D. Data at-rest is a data loss prevention term that describes data that is currently in storage while not in use. Data in-motion is the term used to describe network traffic. Data in-use describes endpoint actions. Data on-line is not one of the standard data loss prevention terms.
  9. C. WiFi Protected Access (WPA) is the wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP) protocol. WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP) that was more difficult to penetrate. However, over time, TKIP too became vulnerable, and WPA2 was introduced, which replaced TKIP with the Advanced Encryption Standard protocol (CCMP-AES).
  10. A. The device shown in the figure is a tone generator and locator, which you can use to test twisted-pair wiring and detect certain basic wiring faults. By connecting the tone generator to each wire in turn and locating the tone at the other end, you can determine whether each wire is attached to the appropriate pin in the connector. This tool is not capable of performing any of the tasks described in the other options.
  11. C. The term something you have refers to a physical possession that identifies a user, such as a smartcard. This type of authentication is nearly always used as part of a multifactor authentication procedure because it is possible for a smartcard or other physical possession to be lost or stolen. A fingerprint would be considered something you are, a password is something you know, and a finger gesture is something you do.
  12. A, C, D. Port number 1433 is used by SQL Server; port 1521 is used by SQLnet, and port 3306 is used by MySQL. The port number 3389 is used by the Remote Desktop Protocol (RDP) and is not involved in SQL communications.
  13. D. Wireless Local Area Network (WLAN) equipment built to the 802.11a standard can only use the 5 GHz frequency band. However, an 802.11g access point can only use the 2.4 GHz frequency band. Therefore, the network adapters cannot be made to connect to your access point by any means.
  14. C, D. RAID is a technology for storing data on multiple hard disk drives, providing fault tolerance, increased performance, or both. The various RAID levels provide different levels of functionality and have different hardware requirements. RAID 5 and RAID 6 both combine disk striping with distributed storage of parity information. RAID 5 enables recovery from a single disk failure. RAID 6 uses redundant parity to enable recovery from a double disk failure. RAID 1 and RAID 10 both use disk mirroring to provide fault tolerance, which does not require parity data. RAID 0 uses data striping only (blocks written to each disk in turn), which does not provide any form of fault tolerance.
  15. A, C, E. The 2.4 GHz band used by Wireless Local Area Networks (WLANs) consists of channels that are 20 (or 22) MHz wide. However, the channels are only 5 MHz apart, so it is possible for channel overlap to occur between the access points, which can result in interference. Channels 1, 6, and 11 are the only channels that are far enough apart from each other to avoid any overlap with the adjacent channels. Channels 4 and 8 are susceptible to overlap.
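The channel-spacing arithmetic behind this answer, as an added example that is not from the book: channel centers are 5 MHz apart and each 802.11b channel is 22 MHz wide, so two channels overlap whenever their centers are closer than one channel width. The channel-to-frequency mapping is the standard 2.4 GHz plan (channel 14 is the special Japan-only case).

```python
# Added example: checking which 2.4 GHz WLAN channels overlap.
# Uses the standard IEEE 802.11 2.4 GHz channel plan; nothing here
# comes from a specific vendor or from the book's own material.

CHANNEL_SPACING_MHZ = 5   # adjacent channel numbers are 5 MHz apart
CHANNEL_WIDTH_MHZ = 22    # 802.11b DSSS channel width (802.11g OFDM uses 20 MHz)


def channel_center_mhz(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484              # channel 14 does not follow the 5 MHz grid
    if not 1 <= channel <= 13:
        raise ValueError(f"invalid 2.4 GHz channel: {channel}")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def overlapping_pairs(channels, width_mhz: int = CHANNEL_WIDTH_MHZ):
    """Every pair (a, b) with a < b among the given channels whose bands overlap."""
    chans = sorted(set(channels))
    return [
        (a, b)
        for i, a in enumerate(chans)
        for b in chans[i + 1:]
        if channels_overlap(a, b, width_mhz)
    ]


def non_overlapping(channels, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True when no two of the given channels interfere with each other."""
    return not overlapping_pairs(channels, width_mhz)


if __name__ == "__main__":
    # The five channels offered in the question: only 1, 6 and 11 are safe together.
    for pair in overlapping_pairs([1, 4, 6, 8, 11]):
        print(f"channels {pair[0]} and {pair[1]} overlap")
    print("1, 6, 11 non-overlapping:", non_overlapping([1, 6, 11]))
```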
  16. B, C, D. Disabling services and ports that are not in use is a server hardening technique that reduces the attack surface of a server. Creating privileged user accounts that are only used for tasks that require those privileges reduces the chance that the administrative accounts will be compromised. These, therefore, are all forms of server hardening. Upgrading the UEFI or BIOS firmware on a server typically does not enhance its security, so it cannot be considered a form of server hardening.
  17. C. The Default Gateway setting should contain the address of a router on the workstation's local network that provides access to other networks, such as the Internet. In this case, therefore, the Default Gateway address should be on the 192.168.23.0 network, but it contains an address on the 192.168.216.0 network, which is not local. Therefore, the user can only access systems on the 192.168.23.0/24 network. The Subnet Mask setting must be correct, or the user would not be able to access any other systems. Unlike the default gateway, the DNS server does not have to be on the workstation's local network, so the address shown can be correct. DHCP does not have to be enabled for the computer to access the Internet.
  18. C, D, E. A smartphone app that can adjust your thermostat, a remotely monitored cardiac pacemaker, and a camera-equipped refrigerator are all examples of IoT devices because they all have IP addresses and use the Internet to communicate with a controller or monitoring station. Key fobs that unlock cars and TV remote controls are typically short-range radio or infrared devices that do not use the Internet for their communications.
  19. A. Windows networks that use Active Directory Domain Services (AD DS) authenticate clients using the Kerberos protocol, in part because it never transmits passwords over the network, even in encrypted form. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting service for remote users connecting to a network. Windows does not use it for internal clients. WiFi Protected Access II (WPA2) is a security protocol used by Wireless Local Area Networks (WLANs). It is not used for AD DS authentication. Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is a remote authentication protocol that AD DS networks do not use for internal clients.
  20. C, D. The solution requires you to create a Virtual Local Area Network (VLAN) on the ADSL router that matches the VLAN the network switch port is using. Therefore, you should create a VLAN4 on the router's switch module and assign an Ethernet port to it, which will be the port you use to connect the ADSL router to the network switch. There is no need to create a VLAN1 on the network switch because all switches already have a default VLAN called VLAN1. Modifying the VLAN assignments on the network switch is not a good idea, because it might interfere with the existing VLAN strategy in place.
  21. A, D. Changing the length of the Service Set Identifier (SSID) will be no help in preventing a war driving attack. The SSID is just an identifier; its length has no effect on security. Wired Equivalent Privacy (WEP) is a security protocol that has been found to have serious weaknesses that are easily exploitable. It is not a satisfactory way to avoid attacks. On the other hand, configuring the access point not to broadcast its SSID will prevent a war driving attacker with standard equipment from seeing the network. Configuring your equipment to use WiFi Protected Access II (WPA2) security will make it difficult for a war driver who detects your network to connect to it.
  22. A, D. Infrastructure as a Service (IaaS) provides consumers with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. In the public cloud model, one organization functions as the provider, and another organization—in this case, you—consumes the services of the provider. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server furnished by the provider. Software as a Service (SaaS) provides consumers with access to a specific application running on the provider's servers, but the consumers have no control over the operating system, the servers, or the underlying resources. In a private cloud, the same organization that uses the cloud services is also the sole owner of the infrastructure that provides those services. A hybrid cloud is a combination of public and private infrastructure so that the consumer organization is only a partial owner of the infrastructure.
  23. D. The plier-like device is a crimper, which cable installers use to attach RJ45 connectors, like those in the bag, to lengths of bulk cable. This is the process of creating patch cables, which are used to connect computers to wall plates and patch panel ports to switches. Your boss is telling you to start making patch cables in five- and ten-foot lengths. You do not use a crimper to attach keystone connectors, and the boss has not given you the tools and components needed to pull cable runs or install a patch panel.
  24. B. The default port for the Post Office Protocol 3 (POP3) is 110, but that is used for incoming mail. Outgoing mail uses the Simple Mail Transfer Protocol (SMTP), which uses the well-known port number 25 by default. Port number 143 is the default port for the Internet Message Access Protocol (IMAP), a different email mailbox protocol that clients never use with POP3. Port number 80 is the default port for the Hypertext Transfer Protocol (HTTP), which is not used by email clients.
  25. B. The cable type used for thin Ethernet segments is a coaxial cable called RG-58. RG-8 coaxial is used exclusively on thick Ethernet segments. RJ45 is a type of connector used in twisted pair cabling for data networks. RJ11 is a connector type used in twisted-pair cabling for telecommunications networks.
  26. A. A rollover cable is a type of null modem cable, usually flat and light blue in color, with the pinouts reversed on either end, to enable a terminal to communicate with a router or switch through the device's dedicated console port. It cannot connect a workstation to the network. A straight-through cable is the standard network cable used to connect a workstation or other device to an Ethernet network. A crossover cable is designed to connect network adapters to each other directly, creating a two-node network. A plenum cable is a type of cable intended for use within air spaces that has an outer sheath that does not produce toxic fumes when it burns. A shielded cable is intended to protect signals from electromagnetic interference. Both plenum and shielded cables can connect a workstation to a network.
  27. A. Authentication Header (AH) is a protocol in the TCP/IP suite that provides digital integrity services, in the form of a digital signature, which ensures that an incoming packet actually originated from its stated source. Encapsulating Security Protocol (ESP) provides encryption services for IPSec. Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers. Remote Desktop Protocol (RDP) is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely.
  28. B. VLANs are virtual layer 2 (data link layer) LANs defined within switches. As with physical LANs, only devices in the same VLAN can communicate with each other until a layer 3 device, such as a router or a layer 3 switch, is added to the network. Re-creating and reconfiguring the VLANs will not correct the problem. Traffic filters are usually implemented on routers, not switches. Once a router is in place, VLANs do not have to use the same data link protocol to communicate with each other.
  29. A, C. The term for an IPv4 address and port number in combination, which identifies an application running on a specific host, is socket. A Media Access Control (MAC) address is an address hard-coded into a network adapter. It is not a TCP/IP element. A subnet mask is not needed to identify a host or an application running on it.
  30. A, B, C, D. A cable modem must function as a broadband router to provide access to the cable provider's network. Many cable modems are also Wireless Access Points (WAPs), enabling users to construct a Local Area Network (LAN) without a cable installation. Many cable modems have switched Ethernet ports for connections to wired devices, such as printers and computers. Most cable modems use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to devices on the home network. Cable modems for home use typically do not function as proxy servers or Remote Authentication Dial-In User Service (RADIUS) servers, which are devices generally used on large networks.
  31. A. Like A and AAAA records, which are used for forward name resolution, Pointer (PTR) records contain hostnames and IP addresses. However, PTR records are used only for reverse name resolution—that is, resolving IP addresses into hostnames. A Mail Exchange (MX) record specifies the mail server that the domain should use. Canonical Name (CNAME) records specify aliases for a given hostname. An AAAA resource record maps a hostname to an IPv6 address for name resolution purposes. All of these records except PTR are used for forward name resolution.
  32. C, D. Protocol analyzers capture packets from the network and interpret their contents, which can include displaying the application layer payload. Depending on the application, the payload can conceivably include confidential information, such as passwords. Protocol analyzers also display the IP addresses of the systems involved in packet transmissions. Although this in itself might not be a great security threat, intruders might use the IP address information to launch other types of attacks. Protocol analyzers cannot decrypt the protected information they find in captured packets. Vulnerability scanners detect open ports and launch attacks against them; protocol analyzers do not do this.
  33. B, D, E. A Remote Authentication Dial-In User Service (RADIUS) server, also known as an AAA server, provides centralized authentication, authorization, and accounting for other network services. Assistance and attenuation are not functions provided by RADIUS or AAA servers.
  34. C. Only Domain Name System (DNS) servers perform FQDN resolutions, so that is likely to be the source of the problem. It is possible to successfully ping a device on the local network using its computer name without the use of DNS. Dynamic Host Configuration Protocol (DHCP) cannot be the problem, or you would not be able to ping the server at all. Electromagnetic interference (EMI) would inhibit all network communication, and Access Control Lists (ACLs) are an authorization mechanism that has no effect on ping tests.
  35. B. Proxy servers provide network users with access to Internet services, and the unregistered IP addresses on the client computers protect them from unauthorized access by users on the Internet, which satisfies the primary objective. The proxy servers also make it possible for network administrators to monitor and regulate users' access to the Internet, which satisfies one of the two secondary objectives. However, proxy servers are not capable of assigning IP addresses to the client computers, and the proposal makes no mention of a Dynamic Host Configuration Protocol (DHCP) server or any other automatic TCP/IP configuration mechanism. Therefore, the proposal does not satisfy the other secondary objective.
  36. C. Software as a Service (SaaS) provides the least amount of control. Consumers receive access to a specific application running on the provider's servers, but they have no control over the operating system, the servers, or the underlying resources. The Infrastructure as a Service (IaaS) model provides the consumers with the most control, as the provider furnishes processing, storage, and networking resources that the consumer can use as needed. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server furnished by the provider, but they have only limited control over the server and no control over the underlying resources.
  37. A. Ethernet uses jumbo frames at the data link layer to transfer large amounts of data more efficiently. Ethernet typically restricts frame size to 1,500 bytes, but jumbo frames enable Ethernet systems to create frames up to 9,000 bytes. PPP does not support the use of jumbo frames. Frames are protocol data units associated only with the data link layer, so they do not apply to IP and TCP, which operate at the network and transport layers, respectively.
  38. C. The first step in the troubleshooting protocol involves identifying the problem by questioning the user and creating a trouble ticket. You complete the other steps in the troubleshooting protocol after the trouble ticket has been created and prioritized.
  39. C. The user has experienced a ransomware attack. Ransomware is a type of attack in which a user's access to his or her data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption. War driving is an attack method that consists of driving around a neighborhood with a computer scanning for unprotected wireless networks. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches.
  40. B, C. The word asymmetric in Asymmetric Digital Subscriber Line (ADSL) means that the service provides different amounts of bandwidth in each direction. In nearly all cases, asymmetric WAN services provide more downstream bandwidth than upstream. Cable television (CATV) networks are also asymmetrical. The word symmetric in Symmetric Digital Subscriber Line (SDSL) means that the service provides equal amounts of bandwidth in both directions. Fibre Channel over Ethernet (FCoE) is also symmetrical.
  41. B, C. A large enterprise network will—at minimum—have demarcation points for telephone services and a connection to an Internet Service Provider's (ISP's) network. In many cases, these services enter the building in the same equipment room that houses the backbone switch, which enables all the devices on the network to access those resources. This room is then called the Main Distribution Frame (MDF). An Intermediate Distribution Frame (IDF) is a place where localized telecommunications equipment, such as the interface between the horizontal cabling and the backbone, is located. For example, an enterprise network housed in a single building might have its MDF in the basement and an IDF on each floor. Mean Time Between Failures (MTBF) and Remote Desktop Protocol (RDP) are not network cabling locations.
  42. B. A plenum space is an area of a building that provides air circulation as part of its ventilation system, such as a heating or air-conditioning duct. Plenum cables have a sheath made of a fire-retardant material that does not outgas toxic fumes when it burns. When network cables are installed in plenum spaces, many local building codes require that installers use plenum-rated cables conforming to specific standards. Plenum cables provide no benefit when installed near other cables or EMI sources, or when they exceed specified lengths.
  43. D. Clustering refers to the combination of multiple servers—not network adapters—into a single unit to enhance performance and provide fault tolerance. Bonding, link aggregation, port aggregation, and NIC teaming are all terms for the same basic technology, in which the bandwidth of multiple network adapter connections is joined to speed up transmissions. The technology also enables the network communication to continue if one of the adapters fails or is disconnected.
  44. C, D. Secure Shell (SSH) and Telnet are both remote terminal programs, but Telnet clients pass instructions (including passwords) to the target server in clear text, whereas SSH uses encrypted transmissions. In the same way, Hypertext Transfer Protocol Secure (HTTPS) is the encrypted version of HTTP. In both of these cases, the substitute is more secure and should be suggested to the director. However, Temporal Key Integrity Protocol (TKIP) provides encryption that is less secure than Advanced Encryption Standard (AES), and Wired Equivalent Privacy (WEP) is less secure than WiFi Protected Access II (WPA2).
  45. A. A Management Information Base (MIB) is the database on an SNMP agent in which ASN.1 information about the properties of the managed device is stored. The other three options do not perform this function. A trap is an alert message that SNMP agents send to the network management console when an exceptional event occurs. Syslog is a standard for message logging components. Security Information and Event Management (SIEM) is a combination tool that uses information gathered from logs and network devices to provide a real-time analysis of the network's security condition.
  46. A, D. Secure Sockets Layer (SSL) is a now-deprecated security protocol that provides encrypted communications between web browsers and servers. Transport Layer Security (TLS) is an updated security protocol that is designed to replace SSL. Datagram Transport Layer Security (DTLS) is a security protocol that provides the same basic functions as TLS but for User Datagram Protocol (UDP) traffic instead of TCP. Secure Shell (SSH) is a character-based tool that enables users to execute commands on remote computers; it does not provide web server/browser security.
  47. B. Another term for a screened subnet is a DMZ, or demilitarized zone. They are also known as perimeter networks. A Virtual Local Area Network (VLAN) is a logical network segment created within a switch. Protected Extensible Authentication Protocol (PEAP) is an authentication protocol, and Temporal Key Integrity Protocol (TKIP) is an encryption algorithm. These three options are not terms for a screened subnet.
  48. D. RDP is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information.
  49. D, F. Of the options shown, only the 802.11n and 802.11ax standards define WLAN devices that can support both the 2.4 GHz and 5 GHz frequencies. The 802.11a and 802.11ac standards support only 5 GHz, and the 802.11b and 802.11g standards support only 2.4 GHz.
  50. B. Multitenancy does not call for tenants to have individual virtual machines. Multitenancy is a software architecture in which multiple tenants share a single instance of an application running in the cloud. Because tenants share a single application, there is a chance that data could be compromised. Because a single application instance is running in the cloud, the operational overhead is reduced compared to the use of individual virtual machines. Tenants share a finite amount of bandwidth, so the possibility exists for competition to occur, such as when one tenant is the target of a Denial-of-Service (DoS) attack.
  51. A, C. Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are file hashing algorithms used to test data integrity by calculating a hash value before transmitting a file over the network. After the transmission, the receiving system performs the same calculation. If the values match, then the data is intact. RC4 and Advanced Encryption Standard (AES) are both cryptographic algorithms, but they are not used for file hashing.
  52. B. Least privilege is the practice of only providing users with the permissions they need to perform their designated tasks and no more. For her standard activities, Alice is given an account that does not have administrative permissions because she does not need those permissions to perform standard tasks. The administrative account has the additional permissions needed for Alice to perform administrative tasks. The intention is for Alice to use that account only for those administrative tasks. Zero day is a type of vulnerability; multifactor authentication calls for users to supply two identifying factors; defense in depth refers to the use of multiple security mechanisms to provide additional protection. None of these other three options refers to the use of multiple user accounts.
  53. E. After you have established a theory of probable cause, you can try to test the theory by replacing hardware components one by one until you find the faulty device. All of the other options are steps that come either earlier or later in the troubleshooting process.
  54. D. An insider threat by definition originates with an authorized user. Therefore, smartcards, motion detection, and biometrics will only detect the presence of someone who is authorized to enter sensitive areas. Video surveillance, however, can track the activities of anyone, authorized or not.
  55. D. All of these occurrences are malfunctions on a full-duplex Ethernet network, but collisions are normal and expected on a half-duplex network. Runt frames occur when a network interface generates packets that are smaller than the 64-byte minimum allowable length. Giants occur when frames are larger than the 1518-byte maximum allowable length. Late collisions occur when network cables are too long, and frames collide after leaving the sending system.
  56. B. The Unix/Linux tcpdump utility is a protocol analyzer. It is a command-line tool that captures network packets and displays their contents. The iptables, nmap, and pathping utilities cannot capture and analyze packets. iptables manages Unix/Linux kernel firewall rules, nmap is a port scanner, and pathping is a Windows route tracing tool.
  57. A, B. NAS devices are self-contained file servers that connect directly to a standard IP network. A NAS device provides file-level access to its storage devices, and it includes an operating system and a filesystem. NAS devices are typically not iSCSI targets. SANs provide block-level storage and typically function as iSCSI targets, but they do not include an operating system or filesystem.
  58. C. Penetration testing is a type of network security evaluation in which a client engages an outside consultant who attempts to penetrate the network's security and gain unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test. Although having a consultant examine the network's security from within can be useful, it is not a penetration test. Computers or networks that are alluring targets for intruders are called honeypots or honeynets. Implementation of a new security protocol can only come after the current security situation has been evaluated.
  59. C. All of the mechanisms listed are designed to make any attempts to tamper with or physically compromise the hardware devices immediately evident. These mechanisms are therefore various forms of tamper detection. Asset tracking is for locating and identifying hardware. Geofencing is a wireless networking technique for limiting access to a network. Port security refers to network switch ports. These options do not apply to the specified mechanisms.
  60. B. The various types of wavelength division multiplexing use different spacing of the wavelengths they carry, which enables them to fit different numbers of channels on a single medium. WDM (or BWDM) carries two wavelengths for bidirectional communication. CWDM can carry up to 16 channels, and DWDM can carry 40 or 80 (depending on the spacing used). Various amplification technologies (including EDFA and Raman) can expand the amounts of usable wavelength in each type.
  61. A, B, C. Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSec), and Multipoint Generic Routing Encapsulation (MGRE) are all protocols that encapsulate packets in an encrypted form within another protocol to secure their contents. Network Address Translation (NAT) enables workstations on private networks to access the Internet by substituting a public IP address in packets generated with private addresses. NAT does not use tunneling.
  62. C. To create a network with 8 subnets and 30 hosts per subnet, you must allocate 3 of the 8 bits in the last octet for use as a subnet identifier. This results in a binary value of 11100000 for the last octet in the subnet mask, which converts to a decimal value of 224. Therefore, the correct subnet mask value is 255.255.255.224. Values for the last octet that are lower than 224 would not enable you to create 8 subnets. Values higher than 224 would not enable you to create 30 host addresses.
  63. B. Media Access Control (MAC) filtering takes the form of an Access Control List (ACL) on the wireless network's access points, listing the MAC addresses of all the devices that are permitted to access the network. If the MAC address of your laptop is not included in the ACL, you will be unable to connect to the network. Geofencing is intended to prevent users outside the office from accessing the network. You are inside, so this should not be the problem. You have been given the passphrase for the network, so you should be able to configure the WiFi Protected Access II (WPA2) protocol on your laptop. You have been given the SSID of the network, so you should be able to connect by manually entering it, even if the access points are not broadcasting the SSID.
  64. D. For the link pulse LED on the switch port to light up, there must be an active connection between the switch and a functioning network device at the other end. Plugging a running computer into the wall plate will enable the Ethernet adapters at both ends of the connection to communicate, causing the LED to light. None of the other options will cause the LED to light.
  65. B. The Ethernet (or IEEE 802.3) protocol at the data link layer uses MAC addresses to identify computers on the local network. MAC addresses are coded into the firmware of physical network interface adapters by the manufacturer. The physical layer deals with signals and is not involved in addressing. The IP at the network layer has its own addressing system. The transport layer protocols are not involved in addressing.
  66. C. The Cisco symbol shown in the figure is used in network diagrams to represent a router, as symbolized by the arrows pointing both in and out. This symbol is not used to represent a hub, a switch, or a gateway.
  67. B, D. By inserting modified entries into a device's ARP cache, an attacker can cause traffic to be diverted from the correct destination to a system controlled by the attacker. This can enable the attacker to intercept traffic intended for another destination. In a man-in-the-middle attack, the attacker can read the intercepted traffic and even modify it before sending it on to the correct destination. In a session hijacking attack, the attacker can use the intercepted traffic to obtain authentication information, including passwords. Neither of the other two options is facilitated by ARP poisoning. An evil twin is a fraudulent access point on a wireless network. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone.
  68. D. A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access. This is also a technique that enables the target to gather information about the attackers. A demilitarized zone (DMZ), also known as a screened subnet or perimeter network, is a network segment on which administrators locate servers that must be accessible from the Internet but that are separated from the internal network by a firewall. A root guard provides protection to switch ports. Spoofing is an attack technique in which an intruder modifies packets to assume the appearance of another user or computer.
  69. A. A repeater is a physical layer device that regenerates incoming signals and retransmits them. A hub is a type of repeater that receives data through any one of its multiple ports and retransmits the data out through all of its other ports. Bridges and switches are data link layer devices, and routers are network layer devices. None of these three can be described as a multiport repeater.
  70. D. A port scanner examines a system for open ports or endpoints that are accessible from the network using the TCP or UDP protocol, which intruders can conceivably exploit to gain access to the system. Port scanners do not list user processes, hardware ports, numbers of packets, or IP addresses.
  71. A, E. A Storage Area Network (SAN) is a network that is dedicated to carrying traffic between servers and storage devices. SANs can use specialized network protocols, such as Fibre Channel in this case, or standard Gigabit Ethernet. A Local Area Network (LAN) is a connected group of computers, usually inside a single room or building. In this case, the cluster has one LAN connecting the nodes together and another providing other users with access to the cluster. A Personal Area Network (PAN) provides communication among devices associated with a single person, such as smartphones. A Wide Area Network (WAN) is a network that connects devices or networks at different geographic locations. A Metropolitan Area Network (MAN) is a type of WAN that connects devices within a limited geographic area. The cluster is not connected to a PAN, WAN, or MAN.
  72. C. Since only one user is reporting the problem and he has admitted to making changes to his IP configuration, you should start by checking the workstation configuration using the ipconfig command. If the routers, the switches, or the DNS server were causing the problem, more than one user would be affected, and there would be additional users calling the help desk.
  73. C. Because your colleague can connect to WebServ1 successfully, the problem is not an unresponsive service or blocked ports on the server. The problem is not a name resolution failure, because you can successfully ping WebServ1 by name. Therefore, of the options listed, the only possible problem must be that the firewall on your workstation is configured to block the remote desktop client's traffic.
  74. C. The device shown in the figure is a punchdown tool, which you use to connect unshielded twisted-pair cable ends to the keystone connectors used in modular wall plates and patch panels. After lining up the individual wires in the cable with the connector, you use the tool to press each wire into its slot. The tool also cuts the wire sheath to make an electrical contact and trims the end of the wire. This tool is not capable of performing any of the tasks described in the other options.
  75. A, B, C. The 5 GHz frequency has 23 channels available in the United States, whereas the 2.4 GHz frequency has only 11. Many household devices, such as cordless telephones, use the 2.4 GHz frequency band, but relatively few devices use the 5 GHz band. Higher frequencies typically support faster transmission speeds, because with all other conditions equal, they can carry more data in the same amount of time. The 5 GHz frequency typically has a shorter range than 2.4 GHz, because it is less able to penetrate barriers.
  76. C. The device shown in the figure is a butt set, a basic tool of telephone installers and line workers. By connecting the clips to pins in a punchdown block, you can access telephone circuits in order to test them or place telephone calls. The device shown is not a crimper, a tone generator and locator, or a punchdown tool.
  77. A. The File Transfer Protocol (FTP) uses two port numbers. It uses the first, port 21, for a control connection that remains open during the entire client-server session. The second port, 20, is for a data connection that opens only when the protocol is actually transferring a file between the client and the server. Network Time Protocol (NTP), Simple Network Management Protocol (SNMP), and Hypertext Transfer Protocol (HTTP) all use a single port on the server.
  78. A. The 13-bit prefix indicated in the network address will result in a mask with 13 ones followed by 19 zeroes. Broken into 8-bit blocks, the binary mask value is as follows:

    11111111 11111000 00000000 00000000

    Converted into decimal values, this results in a subnet mask value of 255.248.0.0.
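
    The subnet arithmetic behind answers 62 and 78, together with the local-gateway check from answer 17, as an added Python example that is not part of the book. The host and gateway addresses it feeds in are constructed for illustration only.

```python
# Added example (not from the book): the subnet-mask arithmetic behind answers
# 62 (a /24 split into 8 subnets of 30 hosts) and 78 (a /13 prefix written as a
# dotted mask), plus the "is the gateway on my local network" check of answer 17.
import ipaddress
from typing import List, Tuple


def mask_int(prefix: int) -> int:
    """32-bit mask: `prefix` one-bits followed by (32 - prefix) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix, e.g. /13 -> 255.248.0.0."""
    m = mask_int(prefix)
    return ".".join(str((m >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_binary(prefix: int) -> str:
    """The mask as four 8-bit blocks, the way answer 78 writes it out."""
    bits = f"{mask_int(prefix):032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_for(base_prefix: int, subnets: int, hosts: int) -> int:
    """Smallest prefix that carves `subnets` subnets out of a /base_prefix block
    while leaving each subnet `hosts` usable addresses (the network and
    broadcast addresses are excluded). Raises ValueError if it cannot fit."""
    subnet_bits = (subnets - 1).bit_length()   # 8 subnets  -> 3 subnet bits
    host_bits = (hosts + 1).bit_length()        # 30 hosts + 2 reserved -> 5 bits
    prefix = base_prefix + subnet_bits
    if prefix + host_bits > 32:
        raise ValueError(
            f"{subnets} subnets x {hosts} hosts do not fit in a /{base_prefix}")
    return prefix


def subnet_layout(base: str, new_prefix: int) -> List[Tuple[str, str, str, int]]:
    """(network, first usable host, last usable host, usable-host count) for
    every subnet of `base` at the new prefix length."""
    rows = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=new_prefix):
        hosts = list(net.hosts())
        rows.append((str(net), str(hosts[0]), str(hosts[-1]), len(hosts)))
    return rows


def gateway_is_local(address: str, mask: str, gateway: str) -> bool:
    """True only if the default gateway lies inside the workstation's own
    subnet, which is what answer 17 requires."""
    local_net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return ipaddress.ip_address(gateway) in local_net


if __name__ == "__main__":
    # Answer 78: a 13-bit prefix written out in binary and in decimal.
    print(mask_binary(13), "=", mask_from_prefix(13))
    # Answer 62: 8 subnets of 30 hosts inside a /24 need a /27 (last octet 224).
    p = prefix_for(24, 8, 30)
    print(f"/{p} -> {mask_from_prefix(p)}")
    for row in subnet_layout("192.168.23.0/24", p):   # constructed sample block
        print(row)
    # Answer 17: constructed host and gateway addresses; 192.168.216.1 is not
    # on the 192.168.23.0/24 network, so the first check fails.
    print(gateway_is_local("192.168.23.10", "255.255.255.0", "192.168.216.1"))
    print(gateway_is_local("192.168.23.10", "255.255.255.0", "192.168.23.1"))
```

Requesting 31 hosts per subnet instead of 30 makes prefix_for raise, which is the "values higher than 224 would not enable you to create 30 host addresses" case stated in answer 62.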

  79. B. The failure to detect a tone on the eighth wire indicates that there is either a break in the wire somewhere inside the cable or a bad pin connection in one or both connectors. This type of fault is called an open circuit. None of the other three options are faults that manifest as described. A short circuit is when a wire is connected to two or more pins at one end of the cable. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Crosstalk is a type of interference caused by signals on one wire bleeding over to other wires.
  80. B, D. The session layer is responsible for creating and maintaining a dialog between end systems. This dialog can be a two-way alternate dialog that requires end systems to take turns transmitting, or it can be a two-way simultaneous dialog in which either end system can transmit at will. The session layer functions are called dialog control and dialog separation. Data encryption is performed at the presentation layer, and datagram routing occurs at the network layer.
  81. A. When individual packets in a data stream are delayed, due to network congestion, different routing, or queuing problems, the resulting connectivity problem is called jitter. While this condition might not cause problems for asynchronous applications, real-time communications, such as VoIP or streaming video, can suffer interruptions from which the phenomenon gets its name. Latency describes a generalized delay in network transmissions, not individual packet delays. Attenuation is the weakening of a signal as it travels through a network medium. A bottleneck is a condition in which all traffic is delayed, due to a faulty or inadequate component. None of these three options would account for the problems reported by the users.
  82. C. The 802.11ac standard defines a wireless LAN running at speeds of up to 1.3 gigabits per second (Gbps). None of the other 802.11 standards define networks running at speeds beyond 600 Mbps. There is no currently ratified IEEE 802.11 standard that enables speeds of 2.6 Gbps.
  83. B, D. Network Address Translation (NAT) is a network layer service, typically integrated into a router, that converts the private IP addresses in all of a client's Internet transmissions to a registered IP address. NAT therefore works for all applications. A proxy server is an application layer device that performs the same type of conversion but only for specific applications. A Remote Authentication Dial-In User Service (RADIUS) server can provide authentication, authorization, and accounting services for remote access servers, but it does not convert IP addresses. A unified threat management (UTM) appliance typically performs Virtual Private Network (VPN), firewall, and antivirus functions. It too does not convert IP addresses.
  84. A, B. 1.1.1.0 and 9.34.0.0 are both valid IPv4 network addresses. IPv4 addresses with first byte values from 224 to 239 are Class D addresses, which are reserved for use as multicast addresses. Therefore, the user cannot use 229.6.87.0 for his network. 103.256.77.0 is an invalid address because the value 256 cannot be represented by an 8-bit binary value.
  85. B. Distance vector protocols rely on hop counts—that is, the number of routers between a source and a destination—to evaluate the efficiency of routes. Link state protocols use a different type of calculation, usually based on Dijkstra's algorithm. The terms interior gateway protocol and edge gateway protocol do not refer to the method of calculating routing efficiency.
  86. A, C. Any type of fiber-optic cable will satisfy the client's requirements. Fiber-optic cable supports the required 1000 Mbps data rate and can connect networks that are 500 meters apart. Fiber-optic cable is also immune to EMI. Although both multimode and single-mode fiber would meet the corporation's general needs, multimode is substantially less expensive than single-mode fiber. Twisted-pair wiring (STP or UTP) meets the data rate, but it does not support connections longer than 100 meters. Thin coaxial cable does not support the data rate or distances longer than 185 meters.
  87. C, D. An incorrect frequency, Service Set Identifier (SSID), or WiFi Protected Access II (WPA2) passphrase would prevent the user's laptop from ever connecting to the network, so these cannot be the cause of the problem. Greater distance from the access point or interference from intervening walls can both cause a weakening of wireless signals, which can result in the intermittent connectivity that the user is experiencing.
  88. A, C, E. Static routes are not automatically added to the routing table by routing protocols and do not automatically adapt to changes in the network. They are therefore not recommended for large internetworks with redundant paths between networks. Administrators must manually add, modify, or delete static routes when a change in a network occurs. For this reason, static routes are recommended only for use in small networks without multiple paths to each destination.
  89. C. Network layer protocols specify logical addresses, such as IP addresses, for end system communication. They also use those addresses to route packets to destinations on other networks. The physical layer defines standards for physical and mechanical characteristics of a network. The data link layer uses Media Access Control (MAC) or hardware addresses, not logical addresses. The transport layer uses port numbers, not logical addresses. Session layer protocols create and maintain a dialog between end systems. Presentation layer protocols are responsible for the formatting, translation, and presentation of information. The application layer provides an entry point for applications to access the protocol stack and prepare information for transmission across a network.
  90. C. The use of an incorrect wireless security protocol is a well-known source of errorless connection failures, so checking this will most likely enable you to discover the source of the problem. Channel overlap is a problem that you would check and resolve at the access point, not at the users' workstations. It is not possible to change the frequency on the access point, because the 802.11g standard only supports the 2.4 GHz frequency. Although signal interference could conceivably be the cause for a connection failure, the users can see the network's SSID, so this is not likely to be the problem.
  91. A, B, C. iSCSI does not include its own flow control mechanism, so this option is incorrect. It runs over a TCP connection, which is the protocol responsible for flow control. Fibre Channel requires a dedicated network using fiber-optic cable. iSCSI traffic can coexist with standard LAN traffic on a single network, although some type of Quality of Service (QoS) mechanism is frequently recommended. Because it runs on any IP network, iSCSI traffic is routable, and it is far less expensive to implement than Fibre Channel.
  92. B, C, E. The client's DNS server uses iterative queries when sending name resolution requests to root domain servers and to the authoritative servers for the com and adatum.com domains. In an iterative query, the server replies immediately with the best information it possesses, and the transaction ends. When a client sends a name resolution query to its DNS server, it uses a recursive request so that the server will assume the responsibility for resolving the name. The only other use of recursive requests is in the case of a forwarder, which is configured to pass that responsibility on to another DNS server.
  93. D. To access the Internet, the workstation's routing table must include a default gateway entry. The default gateway is a router on the local network that provides access to other networks, such as the Internet. To manually create a default gateway entry in the routing table, you use the route add command with a Network Destination value of 0.0.0.0, a MASK value of 0.0.0.0, and the address of a router on the local network (in this case 192.168.2.99). The entry must also have a METRIC value that is lower than the other entries in the table so that it will be used first.
  94. A, B, D. Thin Ethernet networks use BNC connectors. Thick Ethernet networks use N-type connectors. All Unshielded Twisted Pair (UTP) Ethernet networks use RJ45 connectors. You will not need F-type or DB-9 connectors. F-type connectors are used with coaxial cable but are typically used for cable television installations. DB-9 connectors are commonly used for serial communications ports.
  95. A. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. It is therefore best described as somewhere you are. A finger gesture would be considered something you do, a password is something you know, and a smartcard is something you have.
  96. A. Hot, warm, and cold backup sites differ in the hardware and software they have installed. A cold site is just a space at a remote location. The hardware and software must be procured and installed before the network can be restored. It is therefore the least expensive and takes the most time. A warm site has hardware in place, but it still must be installed and configured. A hot site has all of the necessary hardware already installed and configured. A warm site is more expensive than a cold site, and a hot site is the most expensive of all and takes the shortest amount of time to be made operational.
  97. A. A host-to-site VPN is a remote access solution, enabling users to access the corporate network from home or while traveling. A site-to-site VPN enables one network to connect to another, enabling users on both networks to access resources on the other one. This is usually a more economical solution for branch office connections than a Wide Area Network (WAN) link. A host-to-host VPN enables two individual users to establish a protected connection to each other. An extranet VPN is designed to provide clients, vendors, and other outside partners with the ability to connect to your corporate network with limited access.
  98. B, C, D. The leaf and spine topology uses a full mesh topology in its two layers of switches. This is more expensive than the three-tier topology, but it reduces latency by requiring the same number of hops in the path between any two routers. The use of software-defined networking provides adaptive path determination without the use of the Spanning Tree Protocol (STP) for layer 2 port blocking.
  99. D. Performance Monitor is a Windows application that can create logs of specific system and network performance statistics over extended periods of time. Such a log created on a new computer can function as a baseline for future troubleshooting. Event Viewer is a Windows application for displaying system log files; it cannot create a performance baseline. Syslog is a log compilation program originally created for Unix systems; it does not create performance baselines. Network Monitor is a protocol analyzer. Although it can capture a traffic sample that can function as a reference for future troubleshooting efforts, this cannot be called a performance baseline.
  100. C. Although a DoS attack typically involves traffic flooding, any attack that prevents a server from functioning can be called a DoS attack. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that actually damages the server hardware, or the attacker can disable the server by altering its software or configuration settings. Flood-based attacks include the Distributed Denial-of-Service (DDoS) attack, in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses that overwhelm the target.

Chapter 7: Practice Exam 2

  1. B, D, E. Bluetooth, Z-Wave, and near-field communication (NFC) are all short-range wireless technologies that are capable of providing communications between PAN devices. The other options are not suitable for PAN communications. Radio-frequency identification (RFID) uses tags containing data, frequently embedded in pets, which can be read using electromagnetic fields. Integrated Services Digital Network (ISDN) is a wide area networking technology that uses the telephone infrastructure to provide a high-speed dial-up service.
  2. E. Each port on a router defines a separate network segment. Because routers do not forward broadcast transmissions, each of the three segments forms a separate broadcast domain. Hubs forward all traffic to all of the connected nodes, so the network segment with the hub forms a single collision domain. Switches forward traffic only to the destination node, so each workstation connected to one of the switches forms a separate collision domain. The switch-to-router links count for two more collision domains. There are six switched workstations, plus the hub segment and the two switch-to-router links, for a total of nine collision domains.
  3. D. A Remote Authentication Dial-In User Service (RADIUS) server can provide authentication, authorization, and accounting services for remote access servers. Intrusion Detection Systems (IDSs), Next-Generation Firewalls (NGFWs), and Network Attached Storage (NAS) devices do not provide this type of authentication service.
  4. B. A multilayer switch is a network connectivity device that functions at both the data link layer (layer 2) and the network layer (layer 3) of the Open Systems Interconnection (OSI) reference model. At layer 2, the device functions like a normal switch, creating an individual collision domain for each connected node and enabling administrators to create multiple VLANs. At layer 3, the device also provides routing capabilities by forwarding packets between the VLANs. Virtual routers, load balancers, and broadband routers are strictly layer 3 devices that can route traffic but cannot create VLANs.
  5. C. The value after the slash in a Classless Inter-Domain Routing (CIDR) address specifies the number of bits in the network identifier. An IP address has 32 bits, so if 19 bits are allocated to the network identifier, 13 bits are left for the host identifier.
  6. D. On a TCP/IP network, the Internet Protocol (IP) at the network layer is the protocol responsible for the delivery of data to its final destination, using IP addresses that can be routed through an internetwork. Data link layer protocols are only concerned with communication between devices on a Local Area Network (LAN) or between two points connected by a Wide Area Network (WAN). The transport, session, and application layers are not involved in the actual delivery of data over the network.
  7. C, D. The iSCSI protocol runs on a standard IP network, and the Fibre Channel over Ethernet (FCoE) variant runs on a standard Ethernet network. Both of these protocols can share a network with LAN traffic, although the use of a Quality of Service (QoS) mechanism is usually recommended. The original Fibre Channel implementation and InfiniBand both require a dedicated network medium that does not support LAN traffic.
  8. B, D. SMTP and DNS are both application layer protocols, but neither one includes a character-based program. Both Telnet and FTP are protocols that include command-line client applications, with Telnet providing terminal emulation and FTP file transfer functionality.
  9. B. The Cisco symbol shown in the figure is used in network diagrams to represent a switch, as symbolized by the multiple arrows pointing outward. This symbol is not used to represent a hub, a router, or a gateway.
  10. D, E, F. DHCP servers use well-known port numbers 67 and 68. TFTP uses port number 69. Neither protocol uses port 64, 65, or 66.
  11. C, D. The change management team is usually not responsible for tasks directly involved in the implementation of the changes they approve. Therefore, they would not be the ones to notify users exactly when the change will take place or document the procedure afterward. They would, however, be responsible for providing a maintenance window, during which the change must occur, and authorizing any downtime that would be needed.
  12. C. A server with dual power supplies can run in one of two modes: redundant or combined. In redundant mode, each of the power supplies is capable of providing 100 percent of the power needed by the server. Therefore, the server can continue to run if one power supply fails, making it fault tolerant. In combined mode, both power supplies are needed to provide the server's needs, so a failure of one power supply will bring the server down. Individual mode and hot backup mode are not terms used for this purpose.
  13. B. The word paris is the name of the bottommost domain in the given FQDN. paris is a subdomain within mydomain, and mydomain is a second-level domain registered by a particular organization. The topmost layer in the DNS hierarchy is represented by org, which is a top-level domain. In this FQDN, www is not the name of a domain; it is the name of a particular host in the paris.mydomain.org domain.
  14. B, C. The two main connectionless protocols in the TCP/IP suite are the Internet Protocol (IP) and the User Datagram Protocol (UDP), both of which use the term datagram for their protocol data units. Ethernet uses the term frame, and Transmission Control Protocol (TCP) uses the term segment.
  15. D. Data is stored on tape drives in a linear fashion. Once you write backup data to a tape, you cannot selectively replace individual files. When you perform a restore job, you have to restore the most recent full backup, followed by incremental backups, which overwrite some of the full backup files with newer ones. Hard disk drives are random access devices, meaning that individual files can be written to and read from any location on the disk. When you perform incremental backup jobs to a hard disk, the software can restore data using any version of each file that is available. Data capacity, transfer speed, and block size are not relevant to the number of jobs required.
  16. B. A patch is a relatively small update that is designed to address a specific issue, often a security exploit or vulnerability. Patches do not add features or new capabilities; they are fixes targeted at a specific area of the operating system. Updates, upgrades, and service packs are larger packages that might include new features and/or many different fixes.
  17. A, D. The twisted wire pairs inside twisted-pair cable prevent the signals on the different wires from interfering with each other (which is called crosstalk). The twists also provide resistance to outside EMI. The twists have no effect on collisions. The twists do nothing to facilitate the attachment of connectors. Twists have nothing to do with the bend radius allowance for the cable.
  18. D. The top utility displays performance information about the currently running processes on a Unix/Linux system. The other options are tools that do not display running processes. netstat is a tool that enables you to view active network connections and TCP/IP traffic statistics. It does not measure system performance. The dig tool generates Domain Name System (DNS) queries. perfmon is a Windows performance monitoring tool; there is no Unix/Linux tool by that name.
  19. B. The Software as a Service (SaaS) model provides consumers with access to a specific application, such as email, running on the provider's servers. Infrastructure as a Service (IaaS) provides the consumers with processing, storage, and networking resources that they can use to install and run operating systems and other software of their choice. Platform as a Service (PaaS) provides consumers with the ability to install applications of their choice on a server installed by the provider.
  20. D. In SIEM, forensic analysis is a process of searching logs on multiple computers for specific information based on set criteria and time periods. The other three options specify other SIEM functions. Data aggregation is a process of consolidating log information from multiple sources. Correlation is the process of linking logged events with common attributes together. Retention is the long-term storage of log data.
  21. A. DHCP clients use broadcasts to transmit DHCPDISCOVER messages on the local network. DHCP servers are then required to respond to the broadcasts. DHCP clients cannot use unicast, multicast, or anycast messages to initiate contact with DHCP servers, because the clients have no way of learning the addresses of the DHCP servers.
  22. A. Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that creates the tunnel forming a VPN connection, but it does not encrypt the traffic passing through the tunnel. To do this, it requires a separate protocol that provides encryption, such as IPsec. Point-to-Point Tunneling Protocol (PPTP) and Secure Sockets Layer (SSL) are both capable of encrypting traffic in the tunnels they create.
  23. C, D. IEEE 802.11b, 802.11g, and 802.11n networks all can use the 2.4 GHz frequency band for their transmissions, which can experience interference from a wireless telephone using the same frequency. IEEE 802.11a and IEEE 802.11ac, however, use the 5 GHz band, which will not experience interference from a 2.4 GHz phone.
  24. C. A switch is a data link layer device that essentially performs the function of a bridge for each device connected to one of its ports. It can therefore be described as a multiport bridge. Multiport repeater is another term for a hub, and multihomed router is a redundancy, as all routers are by definition multihomed—that is, connected to multiple networks. There is no such device as a multicast hub.
  25. D. The term out-of-band describes any type of management access to a device that does not go through the production network. Plugging a laptop into the console port avoids the network, so it is considered to be an example of out-of-band management. In-band management describes an access method that does go through the production network. Client-to-site is a type of Virtual Private Network (VPN) connection, and Bring Your Own Device (BYOD) is a policy defining whether and how users are permitted to connect their personal devices to the network.
  26. A, B, C, D. The longer the password, the more difficult it is to guess. Corporate policies typically require passwords of a minimum length. A larger character set also makes a password more difficult to guess, so requiring uppercase, lowercase, numeric, and special characters is common. Changing passwords forces the cracking process to start over, so policies typically require frequent password changes and require users to create unique passwords at each change.
  27. B. The technology that uses human physical characteristics to authenticate users is called biometrics. Biometric devices can identify users based on fingerprints, retinal patterns, voice prints, and other characteristics.
  28. B, C, D. Option B contains a p, which is a nonhexadecimal digit. Option C contains blocks larger than 16 bits. Option D contains only seven 16-bit blocks (and no double-colon) instead of the eight required for a 128-bit IPv6 address. The address fe00::c955:c944:acdd:3fcb in option A is correctly formatted for IPv6, with the double-colon replacing three blocks of zeroes. Uncompressed, the address would appear as follows: fe00:0000:0000:0000:c955:c944:acdd:3fcb.
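The three formatting rules that answer 28 relies on (hexadecimal digits only, no block wider than 16 bits, and exactly eight blocks once a single double-colon has been expanded) can be checked mechanically. The following validator is an added example written for this appendix; it is not code from the book. The address in option A is taken from the answer text, while the three malformed addresses used in the comments are constructed to reproduce the faults the answer describes for options B, C, and D, since the exact option strings are not reproduced here.

```python
import re
from typing import Optional, Tuple

# One IPv6 block: one to four hexadecimal digits, i.e. at most 16 bits.
HEX_BLOCK = re.compile(r"^[0-9a-fA-F]{1,4}$")


def validate_ipv6(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Check the textual form of an IPv6 address.

    Returns (uncompressed_address, None) when the text is well formed,
    otherwise (None, reason).  Rules applied, in order:
      * at most one '::' compression;
      * exactly eight 16-bit blocks after '::' is expanded to zero blocks;
      * every block consists of one to four hexadecimal digits.
    The result is the fully written-out form with four digits per block,
    e.g. fe00::c955:c944:acdd:3fcb -> fe00:0000:0000:0000:c955:c944:acdd:3fcb.
    """
    if text.count("::") > 1:
        return None, "more than one '::' compression"

    if "::" in text:
        head, tail = text.split("::", 1)
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        # '::' stands in for however many zero blocks are needed to reach eight.
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            return None, "'::' must replace at least one block"
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
        if len(blocks) != 8:
            # e.g. seven blocks with no '::' (the fault in option D)
            return None, f"{len(blocks)} blocks and no '::' (need 8)"

    for block in blocks:
        if not HEX_BLOCK.match(block):
            if block == "" or len(block) > 4:
                # e.g. a five-digit block, which is wider than 16 bits (option C)
                return None, f"block '{block}' is not 1-4 hex digits (16 bits)"
            # e.g. a 'p' inside a block (option B)
            return None, f"non-hexadecimal digit in block '{block}'"

    expanded = ":".join(f"{int(block, 16):04x}" for block in blocks)
    return expanded, None


if __name__ == "__main__":
    # Option A from the answer, plus three constructed addresses that
    # reproduce the faults described for options B, C and D.
    samples = [
        "fe00::c955:c944:acdd:3fcb",           # valid (option A)
        "fe00::c955:c944:acdp:3fcb",           # constructed: 'p' is not hex
        "fe00::c955c:c944:acdd:3fcb",          # constructed: 5-digit block
        "fe00:1234:c955:c944:acdd:3fcb:0001",  # constructed: 7 blocks, no '::'
    ]
    for sample in samples:
        print(sample, "->", validate_ipv6(sample))
```

The expansion step is what makes the block count checkable: a double-colon may appear only once precisely because, if it appeared twice, there would be no way to tell how many zero blocks each occurrence represents.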
  29. A. The terms fail close and fail open refer to the default position of an electric or electronic door lock when there is a power failure. Security is often a trade-off with safety, and in the event that an emergency occurs that results in a power outage, whether secured doors are permanently locked or left permanently open is a critical factor. The terms fail close and fail open do not apply to motion detectors or video cameras. A honeypot is a computer, application, or website configured to lure potential attackers; it is not a physical security mechanism.
  30. C. Video surveillance can monitor the activities of all users in a sensitive area, authorized or not. With properly placed equipment, even specific actions, such as commands typed into a computer, can be monitored. Identification badges, key fobs, and motion detection can indicate the presence of individuals in a sensitive area, but they cannot monitor specific activities.
  31. C. The IP address 127.0.0.1 is a dedicated loopback address that directs outgoing IP traffic directly into the incoming IP traffic buffer. A successful ping test using that address indicates that the computer's TCP/IP stack is functioning properly, but the traffic never reaches the network adapter or the network, so the test does not confirm that the adapter is functioning or that the computer has a correct IP address for the network.
  32. B, C. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password and a retinal scan is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is an example of multifactor authentication because it requires users to supply something they know and something they have. Multifactor authentication refers to the proofs of identity a system requires, not the number of servers used to implement the system. Therefore, the use of a Remote Authentication Dial-In User Service (RADIUS) server is not an example of multifactor authentication. A system that requires two passwords is not an example of multifactor authentication, because an attacker can compromise one password as easily as two. A multifactor authentication system requires two different forms of authentication.
  33. C. To access the Internet, the workstation's routing table must include a default gateway entry, which would have a Network Destination value of 0.0.0.0. A workstation's routing table does not have to specify the address of a Domain Name System (DNS) server. The loopback (127.0.0.1) and multicast (224.0.0.0) addresses are normal routing table entries that do not affect Internet access.
  34. A, D. Multimode cables use an LED light source and have a smaller bend radius than single-mode cables. Single-mode cables have a smaller core filament and can span longer distances than multimode cables. Fiber-optic cables are not conductors of electricity, so they do not require a ground.
  35. D. Authentication is the process of confirming a user's identity. Smartcards and passwords are two of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
  36. B, D. Ethernet has never used a ring or mesh topology. The first Ethernet networks used a physical layer implementation commonly known as Thick Ethernet or 10Base5. The network used coaxial cable in a bus topology. Later Ethernet standards use twisted-pair or fiber-optic cables in a star topology.
  37. C, D. Disabling Service Set Identifier (SSID) broadcasting prevents a wireless network from appearing to clients. The clients must specify the SSID to which they want to connect. Media Access Control (MAC) address filtering is a form of Access Control List (ACL) that is maintained in the access point and that contains the addresses of devices that are to be permitted to access the network. Both of these mechanisms make it more difficult for unauthorized devices to connect to the access point. The other two options will not help to prevent unauthorized access. Kerberos is an authentication protocol used by Active Directory, and relocating the access point to a screened subnet (or DMZ) will not resolve the problem.
  38. B, D. Bandwidth throttling is a traffic shaping technique that prevents specified data streams from transmitting too many packets. Rate limiting is a traffic shaping technique that controls the transmission rate of sending systems. A broadcast storm is a type of network switching loop. NAT is a method by which private networks can share registered IP addresses. Neither of these last two is a traffic shaping technique.
  39. E, F. The primary function of a network switch is to process packets based on their Media Access Control (MAC) addresses, which makes it a data link layer device. However, multiprotocol switches are devices that can also perform routing functions based on IP addresses, which operate at the network layer. Switches are not typically associated with the other layers of the OSI model.
  40. B. An SSID that is not being broadcasted is not detectable by clients, so you must type it in manually. Security protocols are also not detectable, so you must select the WPA2 protocol from the list of options provided on the laptop.
  41. C. The IEEE 802.11ac standard, like all of the Wireless Local Area Network (WLAN) standards in the 802.11 working group, uses CSMA/CA for media access control. The 802.1X standard defines an authentication mechanism and does not require a media access control mechanism. The IEEE 802.3 (Ethernet) standard uses a different mechanism for media access control: Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
  42. D. The place containing the demarcation points and the backbone switch is called the Main Distribution Frame (MDF). An Intermediate Distribution Frame (IDF) is the location of localized telecommunications equipment such as the interface between the horizontal cabling and the backbone. Mean Time Between Failures (MTBF) and Remote Desktop Protocol (RDP) are not network wiring locations.
  43. A. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. In wireless networking, geofencing is intended to prevent unauthorized clients outside the facility from connecting to the network. By allowing only users with strong signals to connect, you help to prevent access to outside users. Local authentication is an application or service that triggers an authentication request to which the user must respond before access is granted. Port security is a method for protecting access to switch ports. Motion detection is a system designed to trigger a notification or alarm when an individual trespasses in a protected area. None of these other options are related to signal strength.
  44. C. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No software or hardware solution can prevent it; the only way is to educate users of the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt. Social engineering is not a virus or other form of malware, so an antivirus product has no effect against it. Social engineering is not implemented in network traffic, so a firewall cannot filter it, and IPsec cannot protect against it.
  45. C. A Class B address uses the first two octets as the network identifier, which yields a binary subnet mask of 11111111 11111111 00000000 00000000. In decimal form, the subnet mask is 255.255.0.0. The 255.0.0.0 mask is for Class A addresses, and the 255.255.255.0 mask is for Class C addresses. 255.255.255.255 is the broadcast address for the current network.
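Answer 45 above, answer 5 in this chapter (a /19 prefix leaves 13 host bits), and answer 84 in Chapter 6 (229.6.87.0 is a Class D multicast address and 103.256.77.0 is not a valid address at all) all rest on the same IPv4 arithmetic. The following functions are an added example written for this appendix, not code from the book; they work through classful address ranges, the classful default masks, and the CIDR prefix-length calculation. The addresses used in the test calls are the ones from those answers.

```python
from typing import List, Optional

# Classful default masks used by answer 45.
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_ipv4(text: str) -> Optional[List[int]]:
    """Return the four octets of a dotted-decimal address, or None if invalid.

    Rejects anything that is not exactly four decimal fields in the range
    0-255.  103.256.77.0 fails here because 256 cannot be represented by an
    8-bit binary value.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not part.isdigit():
            return None
        value = int(part)
        if value > 255:
            return None
        octets.append(value)
    return octets


def address_class(text: str) -> str:
    """Classful designation from the first octet.

    A: 1-126, loopback: 127, B: 128-191, C: 192-223,
    D: 224-239 (multicast), E: 240-255 (reserved).
    """
    octets = parse_ipv4(text)
    if octets is None:
        return "invalid"
    first = octets[0]
    if first == 0:
        return "reserved"
    if first < 127:
        return "A"
    if first == 127:
        return "loopback"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def usable_as_network(text: str) -> bool:
    """True only for Class A, B or C addresses; D is multicast, E reserved."""
    return address_class(text) in CLASSFUL_MASKS


def default_mask(text: str) -> Optional[str]:
    """Classful subnet mask for an A/B/C address, None otherwise."""
    return CLASSFUL_MASKS.get(address_class(text))


def host_bits(prefix_len: int) -> int:
    """Host-identifier bits left after a CIDR prefix: 32 - prefix (/19 -> 13)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    return 32 - prefix_len


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for a prefix length (/16 -> 255.255.0.0)."""
    mask = (0xFFFFFFFF << host_bits(prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_binary(mask_text: str) -> str:
    """Binary rendering of a mask, one 8-bit group per octet, as in answer 45."""
    octets = parse_ipv4(mask_text)
    if octets is None:
        raise ValueError("not a dotted-decimal mask")
    return " ".join(f"{octet:08b}" for octet in octets)


if __name__ == "__main__":
    for addr in ("1.1.1.0", "9.34.0.0", "229.6.87.0", "103.256.77.0"):
        print(addr, address_class(addr), usable_as_network(addr))
    print("/19 leaves", host_bits(19), "host bits; mask", prefix_to_mask(19))
    print("Class B mask", mask_to_binary("255.255.0.0"))
```

The classful ranges are only a naming convention today, but they still explain why 224.0.0.0 appears as a routing-table entry in answer 33: every address whose first octet lies in 224-239 is multicast rather than a host on some network.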
  46. B. All of the mechanisms that Alice has implemented are designed to make any attempts to tamper with or physically compromise the network hardware devices immediately evident. This is therefore a form of tamper detection. Asset tracking is for locating and identifying specific hardware components. Geofencing is a wireless networking technique for limiting access to a network based on signal strength. Port security refers to the protection of network switch ports from unauthorized access.
  47. A. Because the administrative site is encrypted, you must use the https:// prefix to access it. Because the administrative site uses the nondefault port number 12354, you must append that number to the server name after a colon.
  48. C. Disabling SSID broadcasts is a way of hiding the presence of a wireless network, but if an intruder knows that a network is there, it is a simple matter to capture packets transmitted by the wireless devices and read the SSID from them. The other options do not explain the weakness of suppressing SSID broadcasts. It is not possible to connect to a wireless network without the SSID. SSIDs are set by the administrator of the access point; they are not printed on the device's label. SSIDs can be found relatively easily, but guessing them is no easier than guessing a password.
  49. A. In a private cloud, the same organization that uses the cloud services is also the sole owner of the infrastructure that provides those services. In the public cloud model, one organization functions as the provider, and another organization consumes the services of the provider. A hybrid cloud is a combination of public and private infrastructure so that the consumer organization is only a partial owner of the infrastructure. There is no such thing as an ad hoc cloud model.
  50. B. On-boarding and off-boarding are identity management processes in which users are added or removed from an organization's Identity and Access Management (IAM) system. This grants new users the privileges they need to use the network, modifies their privileges if they change positions, and revokes privileges when they leave the company. On-boarding and off-boarding are not data loss prevention, incident response, or inventory management processes.
  51. B, D. A standard VPN typically uses full tunneling, in which all of the system's network traffic is encapsulated and encrypted for transmission. Split tunneling is a variation of this method in which only part of the system's traffic uses the VPN connection; the rest is transmitted over the network in the normal manner. Administrators can select which applications and devices use the VPN. Split tunneling can conserve the Internet bandwidth used by the VPN and provide access to local network services without the need for encapsulation. Split tunneling does not provide additional data integrity protection or improved performance through multiplexing.
  52. B, C. If there is no way for unauthorized people to access the datacenter, then there is no danger of someone plugging a device into a port that is left enabled. If the switch uses an Access Control List (ACL) that specifies the Media Access Control (MAC) addresses of systems permitted to connect to it, then there is no need to disable unused ports, because any unknown devices plugged into open ports will not be granted access to the network. The other two options are not valid reasons. Ports that are not patched in can still be compromised at the switch location. Enabling ports is not difficult, so accommodating new users is not a valid reason for leaving them enabled.
  53. C. There are no policies that can prevent users from creating easily guessed passwords. The only action that can help is to educate users that attackers are frequently able to guess passwords by using information such as familiar names and dates. Forcing more frequent password changes would not compel users to alter their method for choosing passwords, nor would increasing the minimum password age value. Assigning random passwords would address the issue, but user complaints and forgotten passwords would likely create greater problems than it would solve.
  54. A, B, C, E. ACLs restrict access to network devices by filtering user names, Media Access Control (MAC) addresses, IP addresses, or other criteria. Routers, servers, switches, and Wireless Access Points (WAPs) all can use ACLs to control access to them. Hubs are purely physical layer devices that relay electrical or optical signals. They have no access control mechanisms.
  55. D. Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Geofencing is a technique for limiting access to a wireless network. Network segmentation describes the process of creating multiple Virtual Local Area Networks (VLANs) or deploying firewalls to isolate part of a network. VLAN hopping is a type of attack in which an intruder sends command messages to a switch to transfer a port from one VLAN to another. None of these last three options refers to virtual machine deployment.
  56. A, C, D. DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. While DHCP snooping can prevent DHCP clients from being assigned an incorrect IP address, it does not directly prevent the poisoning of Domain Name System (DNS) server caches with erroneous information.
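The two checks described in answer 56, as a small added model that is not code from the book: server replies are dropped unless they arrive on a trusted port, and a release or decline is dropped when it comes from a port other than the one the lease was learned on. The port names, the binding table layout and the sample message sequence are constructed for the example.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only legitimate servers send these


@dataclass
class DhcpSnooping:
    """Minimal model of the per-port checks a DHCP snooping switch applies."""
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # client MAC -> port of its DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)  # client MAC -> port of the confirmed lease
    alerts: list = field(default_factory=list)

    def inspect(self, msg, client_mac, port):
        """Decide 'forward' or 'drop' for one DHCP message seen on `port`.

        `client_mac` is the chaddr field of the message, i.e. the client the
        message is about, whether a client or a server sent it.
        """
        if msg in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                # A server reply on an untrusted (access) port is the signature
                # of a rogue DHCP server; it is dropped and logged.
                self.alerts.append(f"rogue server {msg} for {client_mac} on {port}")
                return "drop"
            if msg == "ACK" and client_mac in self.pending:
                # Lease confirmed by a trusted server: bind MAC to the client's port.
                self.bindings[client_mac] = self.pending.pop(client_mac)
            return "forward"

        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return "forward"

        if msg in ("RELEASE", "DECLINE"):
            bound_port = self.bindings.get(client_mac)
            if bound_port is not None and bound_port != port:
                # Release/decline for a lease granted on another port: somebody
                # is trying to tear down a lease that is not theirs.
                self.alerts.append(f"{msg} for {client_mac} on {port}, lease is on {bound_port}")
                return "drop"
            if msg == "RELEASE":
                self.bindings.pop(client_mac, None)
            return "forward"

        return "forward"   # other message types (INFORM etc.) pass untouched


# Constructed sample exchange: a client on Gi0/3, the real server behind trusted
# port Gi0/24, and a rogue host on Gi0/7 that answers offers and later spoofs a RELEASE.
SAMPLE_EVENTS = [
    ("DISCOVER", "aa:bb:cc:00:00:01", "Gi0/3"),
    ("OFFER",    "aa:bb:cc:00:00:01", "Gi0/7"),   # rogue server
    ("OFFER",    "aa:bb:cc:00:00:01", "Gi0/24"),  # real server
    ("REQUEST",  "aa:bb:cc:00:00:01", "Gi0/3"),
    ("ACK",      "aa:bb:cc:00:00:01", "Gi0/24"),
    ("RELEASE",  "aa:bb:cc:00:00:01", "Gi0/7"),   # spoofed release
    ("RELEASE",  "aa:bb:cc:00:00:01", "Gi0/3"),   # genuine release
]


def run(events, trusted_ports=frozenset({"Gi0/24"})):
    """Feed events through the switch model; return (decisions, switch)."""
    switch = DhcpSnooping(set(trusted_ports))
    decisions = [switch.inspect(*event) for event in events]
    return decisions, switch


if __name__ == "__main__":
    decisions, switch = run(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{decision:8} {event}")
    print("alerts:", *switch.alerts, sep="\n  ")
```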
  57. D. In this scenario, only one user is reporting a problem. Therefore, the likeliest next step is to perform the same task on another computer attached to the same segment. If you can perform the task successfully, the problem most likely lies within the user's computer or the connection to the switch. Since no other users are reporting the same problem, the server and switches on the network are probably up and functioning. Checking the router is not necessary since the user and server are on the same network.
  58. D. A captive portal is a web page displayed to a user attempting to access a public wireless network. The user typically must supply identification, submit credentials, provide payment, or accept an end user agreement before access is granted. A captive portal does not refer to a switch port, a secured entryway to a room, or a type of extortionate computer attack.
  59. B. After identifying the problem, the next step is to establish a theory for the probable cause of the problem. After that, you can test your theory, establish a plan of action, implement a solution, verify the functionality of the system, and document the entire process.
  60. B, D. The well-known port for HTTPS is 443. The port for unsecured HTTP is 80. Neither of the other options are ports used by HTTP or HTTPS by default. Port 25 is used for the Simple Mail Transfer Protocol (SMTP), and Port 110 is used for the Post Office Protocol (POP3).
  61. A, C, D. A load balancing router typically works by processing incoming traffic based on rules set by an administrator. The rules can distribute traffic among a group of servers using various criteria, such as each server's current load or response time or which server is next in a given rotation. Load balancers generally do not use the hardware configuration of the servers to direct traffic, as this is a factor that does not change over time.
  62. D. Since only one user is reporting difficulty, the problem is most likely to be in the user's computer and its configuration. A DNS server, proxy server, or router problem would affect more than one user.
  63. A. VLAN hopping is a method for sending false commands to switches to transfer a port from one VLAN to another. This can enable the attacker to connect his or her device to a potentially sensitive VLAN. VLAN hopping does not modify the switch's patch panel connections, only its VLAN assignments. It is not possible to rename a switch's default VLAN. VLAN hopping does not enable an attacker to change a switch's native VLAN.
  64. A. A problem that affects the entire network should be given highest priority. This includes the issue with the mission-critical backbone router. Problems that affect multiple LANs or an entire department are generally given the next highest priority. A problem that affects a shared application server on a LAN should be given the next highest priority. A problem with a single user's computer should be given the lowest priority, compared to the other problems that have been reported.
  65. C, D. One possible cause of the problem is that the DNS process on the remote server is corrupted or not running. Another possible cause is that there is a firewall blocking access to the DNS server's UDP port 53. Both of these would render the port unreachable. The TCP/IP client on the server is operating, as verified by the ping utility. This means that the IP host settings on your computer and on the DNS server are both configured properly and functioning. A router does not need to be running DNS to forward datagrams.
  66. D. Store-and-forward switches take in the entire frame and verify its contents by performing a CRC calculation before forwarding it. Cut-through switches are faster because they look at only the first 6 bytes (the destination Media Access Control, or MAC, address) when forwarding a frame; they do not perform a CRC on the entire frame. Source route is a bridging technique in which the source host, not the switch, determines the path a frame will take through a network to reach a destination. Packet filtering is a technique used by firewalls. Neither of these is a type of switch.
  67. A. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. It can therefore affect both wired and wireless clients. The other options are all attacks directed at wireless networks. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. The object of the attack is often to compel the client to connect to a rogue access point called an evil twin. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks.
  68. B, E. Upgrading all of the wireless devices to 802.11n will enable them to use the 5 GHz band and evade the interfering traffic generated by the surrounding networks. Configuring the devices to use the 5 GHz band will provide many more channels to choose from and will avoid the interference from the surrounding 2.4 GHz networks. The other options will not resolve the problem. The type of encryption that a wireless network uses has no bearing on the ability of the devices to avoid the interference generated by surrounding networks. Suppressing Service Set Identifier (SSID) broadcasts will not help the devices to connect to the network. Upgrading the firmware on the devices is not likely to have any effect on the connection problems when they are the result of interference from other networks.
  69. A. Running the arp utility with the -a parameter on a Windows system displays the contents of the Address Resolution Protocol (ARP) cache, as shown here. The cache contains records of the IP addresses on the network that ARP has resolved into Media Access Control (MAC) addresses. The ping, tracert, and netstat utilities are not capable of producing this output.
  70. C. The device shown in the figure is a crimper, which is used to create patch cables by attaching connectors to both ends of a relatively short length of bulk cable. This tool is not capable of placing telephone calls, generating a tone on a wire, or measuring electric current.
  71. B. The device shown in the figure is a punchdown tool, used to connect unshielded twisted-pair cable ends to the keystone connectors used in modular wall plates and patch panels. After lining up the individual wires in the cable with the connector, you use the tool to press each wire into its slot. The tool also cuts the wire sheath to make an electrical contact and trims the end of the wire. The tool shown is not a crimper, a butt set, or a tone generator and locator.
  72. C, E. IEEE 802.11g supports transmission speeds up to 54 Mbps, and it is backward compatible with 802.11b equipment. IEEE 802.11n is also backward compatible with 802.11b, and it can run at speeds up to 600 Mbps. Bluetooth is not compatible with any of the IEEE 802.11 standards. IEEE 802.11 cannot run at 54 Mbps, and though 802.11a can, it is not compatible with 802.11b.
  73. A, B. Both Linux and the Cisco IOS operating systems include the traceroute utility. Windows has its own version of the utility, but it is called tracert. The CSU/DSU cannot run a traceroute command.
  74. C, E. WLANs can use the ad hoc topology, in which devices communicate directly with each other, or the infrastructure topology, in which the wireless devices connect to an access point. The bus, star, and mesh topologies are used by wired networks only.
  75. C. In this scenario, the best solution is for you to use the existing CATV service for the Internet connection. CATV offers faster data rates than standard modem-to-modem service and supports VPN connections. A dedicated fractional T-1 line is expensive and is not typically used for remote user connections. Since your telephone lines are not run through conduit and the distance to the central office is more than 18,000 feet, you probably cannot use DSL technology, because it requires good-quality lines and close proximity to a central office.
  76. C. The customer's IP address, subnet mask, and default gateway values are appropriate for her home network. There is nothing wrong with having a zero in the network address. Therefore, of the options presented, the only logical choice is that the workstation's network cable is damaged or unplugged.
  77. D. The Spanning Tree Protocol (STP) prevents packets from endlessly looping from switch to switch due to redundant links. Creating redundant links is a good preventive measure against switch failure, but packets transmitted over multiple links can circulate from switch to switch infinitely. STP creates a database of switching links and shuts down the redundant ones until they are needed. None of the other three protocols listed can perform this function. Network Address Translation (NAT) is a routing method that enables private networks to share registered IP addresses. Routing Information Protocol (RIP) propagates routing table information to other routers. A Virtual Local Area Network (VLAN) is an organizational tool that operates within switches by creating multiple broadcast domains.
  78. C. In this scenario, only the users on one LAN are experiencing problems connecting to the Internet and the other internal LANs. This isolates the problem to a component within that LAN only. Since users can connect successfully to local resources, the problem does not lie within the individual computers, the switch that connects the users to the network, or the backbone network cable. The likeliest problem is therefore in the router connecting the problem LAN to the backbone network. Since users on the other internal LANs are not reporting problems connecting to the Internet, the problem most likely does not involve the Internet router.
  79. B. The agreed upon 99.9 percent guaranteed availability will be part of a Service Level Agreement (SLA), which is a contract between a provider and a subscriber that specifies the percentage of time that the contracted services are available. None of the other three options contain the guaranteed reliability language. Acceptable Use Policies (AUPs) specify whether and how employees can use company-owned hardware and software resources. A Nondisclosure Agreement (NDA) specifies what company information employees are permitted to discuss outside the company. A Bring Your Own Device (BYOD) policy specifies the personal electronics that employees are permitted to use on the company network and documents the procedures for connecting and securing them.
  80. A, B. A bridge can split a single network into two collision domains, because it forwards only the packets that are destined for the other side of the bridge. A switch creates a separate collision domain for each port. Both bridges and switches forward all broadcast packets, so they maintain a single broadcast domain for the entire network. A hub maintains a single collision domain and a single broadcast domain. A router creates two collision domains, but it does not forward broadcasts, so it creates two broadcast domains as well.
  81. A. Media Access Control (MAC) addresses are hard-coded into network interface adapters and are not easily changeable. There is also no need to change them for this purpose. First, you will have to change IP addresses of the web servers. This is because the computers on the other side of the router, on the screened subnet, must use an IP network address that is different from the internal network's address. Next, you will have to change the default gateway address setting on the internal network computers to the address of the router on the internal network so that traffic can be forwarded to the screened subnet. Finally, you will have to update the resource records on your Domain Name System (DNS) server to reflect the IP address changes.
  82. C. A short is when a wire is connected to two or more pins at one end of the cable or when the conductors of two or more wires are touching inside the cable. This would cause a tone applied to a single pin at one end to be heard on multiple pins at the other end. The other three options would not cause this to occur. An open circuit would manifest as a failure to detect a tone on a wire, indicating that there is either a break in the wire somewhere inside the cable or a bad connection with the pin in one or both connectors. A split pair is a connection in which two wires are incorrectly mapped in exactly the same way on both ends of the cable. Crosstalk is a type of interference caused by signals on one wire bleeding over to other wires.
  83. B. Elevator machinery, fluorescent light fixtures, and other electrical devices in an office environment can generate magnetic fields, resulting in electromagnetic interference (EMI). When copper-based cables are located too near to such a device, the magnetic fields can generate an electric current on the cable that interferes with the signals exchanged by network devices. If the network users experience a problem every time the elevator machinery switches on, EMI is a likely cause of the problem. Crosstalk and attenuation can both cause intermittent network communication problems, but they cannot be caused by elevator machinery. Latency describes a generalized delay in network transmissions, not intermittent packet delays.
  84. B, D. In an active-active configuration, servers can balance the incoming client load between them. Because the active servers are all servicing clients, the overall performance of the cluster is increased. Both active-active and active-passive configurations provide fault tolerance. Data encapsulation is not a factor in either configuration.
  85. D. It is possible that the WAP has been configured to not broadcast the network's SSID as a security measure, so you should first attempt to access it by typing the SSID in manually. You cannot type in the WPA2 passphrase until you are in the process of connecting to the SSID. Moving the laptop closer to the access point or away from possible sources of electromagnetic interference might be solutions to the problem, but they should not be the first thing you try in this case.
  86. D. The 802.11b and 802.11g standards do not support 5 GHz communications. Configuring the access point to support 2.4 GHz is the only way for the 802.11b and 802.11g computers to connect to the network. The 5 GHz band does support automatic channel selection, so there is no need to configure the channel on each laptop manually. The 5 GHz band does support MIMO, and the 802.11n laptops should be able to connect. The 802.11b standard does support the 2.4 GHz band.
  87. D. The Name Server (NS) resource record identifies the authoritative servers for a particular DNS zone. Pointer Records (PTRs) are used to resolve IP addresses into hostnames. Mail Exchange (MX) records identify the mail servers for a particular domain. Service Records (SRVs) identify the designated servers for a particular application. None of these other options identify the authoritative servers for a zone.
  88. B. The 2.4 GHz band used by Wireless Local Area Networks (WLANs) consists of channels that are 20 (or 22) MHz wide. However, the channels are only 5 MHz apart, so there is channel overlap that can result in interference. Channels 1, 6, and 11 are the only channels that are far enough apart from each other to avoid any overlap with the adjacent channels. This is why they are often recommended. However, in this scenario, these channels are too crowded with other networks. You should therefore use a channel that is as far as possible from the crowded ones. Channels 2, 5, and 10 are all immediately adjacent to a crowded channel, but channel 9 is at least two channels away from the nearest crowded channel. Therefore, you should configure your equipment to use channel 9.
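The channel-spacing arithmetic behind answer 88, worked as an added example that is not code from the book: with 22 MHz wide channels spaced 5 MHz apart, two channels stop overlapping only when they are five or more channel numbers apart, and among the candidates offered the one farthest from the crowded channels 1, 6 and 11 is channel 9. The channel plan constants are the standard 2.4 GHz values; the busy set and candidate list are constructed from the scenario.

```python
CHANNEL_WIDTH_MHZ = 22    # 802.11b/g channel width used in the answer
CHANNEL_SPACING_MHZ = 5   # centre-frequency step between adjacent channels


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (channel 14 is the odd one out)."""
    return 2484 if channel == 14 else 2407 + CHANNEL_SPACING_MHZ * channel


def overlap_mhz(a, b):
    """Width of the spectrum two channels share; 0 when they do not overlap."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(centre_mhz(a) - centre_mhz(b)))


def separation(channel, busy):
    """Distance in channel numbers from `channel` to the nearest busy channel."""
    return min(abs(channel - b) for b in busy)


def best_channel(candidates, busy):
    """Pick the candidate farthest from any busy channel.

    Ties are broken toward less total overlap with the busy set, then the
    lower channel number, so the choice is deterministic.
    """
    def score(ch):
        total_overlap = sum(overlap_mhz(ch, b) for b in busy)
        return (-separation(ch, busy), total_overlap, ch)
    return min(candidates, key=score)


if __name__ == "__main__":
    busy = {1, 6, 11}            # the crowded channels in the scenario
    for ch in (2, 5, 9, 10):     # the options offered by the question
        print(ch, "separation:", separation(ch, busy),
              "overlap MHz:", [overlap_mhz(ch, b) for b in sorted(busy)])
    print("best of the options:", best_channel([2, 5, 9, 10], busy))
```

Run over all eleven channels instead of the four options, the same scoring shows that 3, 4, 8 and 9 are equally far from the crowded channels, which is why the answer calls 9 merely "at least two channels away" rather than interference-free.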
  89. A. Material Safety Data Sheets (MSDSs) are documents created by manufacturers of chemical, electrical, and mechanical products that specify the potential risks and dangers associated with them, particularly in regard to flammability and the possibility of toxic outgassing. A properly documented network should have MSDS documents on file for all of the chemical and hardware products used to build and maintain it. MSDSs can be obtained from manufacturers or the Environmental Protection Agency (EPA). Electrostatic discharges (ESDs), Nondisclosure Agreements (NDAs), and Bring Your Own Device (BYOD) policies are not concerned with the dangers inherent in building contents.
  90. C. The Alternative B PoE variant can use the spare wire pair in a CAT 5 or better 10Base-T or 100Base-TX cable to supply power to connected devices. The Alternative A and 4PPoE variants cannot use the spare wire pair in this manner; they supply power using the wire pairs that carry data at the same time. For Gigabit Ethernet or faster installations, Alternative B is also capable of using the data wire pairs.
  91. D. The Internet Storage Name Service (iSNS) is an application that provides iSCSI initiators with automated discovery of targets located on the network. iSNS can also function as a discovery service for Fibre Channel devices. Internet Control Message Protocol (ICMP) and Domain Name System (DNS) are not capable of registering iSCSI targets. iDNS does not exist.
  92. C. WPA has been found to be vulnerable, and WPA2 was designed to address those vulnerabilities, so you should use WPA2 instead of WPA. Suppressing SSID broadcasts does not prevent users from connecting to the network, and MAC filtering strengthens security without exposing MAC addresses to undue risk.
  93. B, D, E. Subscriber Connector (SC), Mechanical Transfer - Registered Jack (MT-RJ), and Straight Tip (ST) are all types of fiber-optic connectors. DB-9 is a D-shell connector used for serial ports. Bayonet-Neill-Concelman (BNC) is a type of connector used with coaxial cable. RJ11 is used with twisted-pair cable for telephone connections.
  94. E. The IoT consists of devices that are ordinarily passive, but which have been made intelligent by installing a network client and configuring them to participate on an IP network. All of the devices listed are available as “smart” devices that enable remote users to interact with them over the Internet.
  95. D. The physical layer defines the mechanical and electrical characteristics of the cables used to build a network. The data link layer defines specific network (LAN or WAN) topologies and their characteristics. The physical layer specification you will implement is dependent on the data link layer protocol you select. The network, transport, and application layers are not concerned with cables and topologies.
  96. D. The 169.254.203.42 address assigned to the workstation is from the 169.254.0.0/16 network address assigned to Automatic Private IP Addressing (APIPA), a standard for the assignment of IP addresses to Dynamic Host Configuration Protocol (DHCP) clients when they cannot obtain an address from a DHCP server. The workstation's DHCP client is activated, and since no one else is experiencing a problem, you can assume that the DHCP server is functioning. The Subnet Mask value is correct for an APIPA address, and APIPA does not provide Default Gateway or Domain Name System (DNS) server addresses. Therefore, an exhausted DHCP scope is the only one of the explanations provided that could be the cause of the problem.
  97. C. Operating systems detect duplicate IP addresses immediately and display error messages or notifications on the computers involved. Therefore, the user with the problem would have been informed immediately if another system was using her IP address. All of the other options are possible causes of the problem that are more difficult to troubleshoot.
  98. C, D. The ipconfig /release command terminates the current DHCP address lease. Then, the ipconfig /renew command causes the client to begin the process of negotiating a new lease, this time with the authorized DHCP server. dump, lease, and discard are not valid ipconfig parameters.
  99. C. East-west traffic describes traffic flow within the datacenter, while north-south is traffic between devices inside the datacenter and outside devices. The terms east-west and north-south do not pertain to the OSI model layers or to the specific devices used.
  100. B. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when certain conditions are met, such as when a specific time or date arrives. All of the other options do not involve software products. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users.