CompTIA N10-009 Practice Test

Prepare smarter and boost your chances of success with our CompTIA N10-009 practice test. This test helps you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the N10-009 practice exam are 40–50% more likely to pass on their first attempt.

Updated On : 3-Nov-2025
422 Questions

Page 2 out of 43 Pages

A network administrator performed upgrades on a server and installed a new NIC to improve performance. Following the upgrades, users are unable to reach the server. Which of the following is the most likely reason?

A. The PoE power budget was exceeded.

B. TX/RX was transposed.

C. A port security violation occurred.

D. An incorrect cable type was installed.

B.   TX/RX was transposed.

Explanation:

When a new Network Interface Card (NIC) is installed in a server and it is connected directly to a switch, the most common cause for a complete loss of connectivity is a TX/RX reversal.

How it happens: Ethernet communication requires that the Transmit (TX) pins on one device connect to the Receive (RX) pins on the other. A standard straight-through cable is designed to handle this crossover internally when connecting a device like a computer to a switch.

The Problem: If a crossover cable is used in this scenario, the TX and RX lines are reversed at both ends. The server's TX pins connect to the switch's TX pins, and the RX to RX, resulting in no communication. This was a frequent issue in the past, but many modern NICs and switches have auto-MDI/MDI-X, a feature that automatically detects and corrects for an incorrect cable type. However, if this feature is disabled, malfunctioning, or not supported on the new NIC, a crossover cable will cause the exact symptom described: a complete inability to reach the server immediately after a hardware change.

Detailed Analysis of Other Options

A. "The PoE power budget was exceeded" is incorrect.
Why it's plausible: If a switch port delivers Power over Ethernet (PoE) and too many devices are connected, the switch can exceed its total power budget, preventing new devices from receiving power.
Why it's not the most likely reason: A standard server NIC is not a PoE device. It does not draw power from the switch port. Therefore, the PoE budget is irrelevant in this specific scenario.

C. "A port security violation occurred" is incorrect.
Why it's plausible: Port security is a feature that restricts a switch port to only allow specific MAC addresses. Installing a new NIC gives the server a new MAC address, which would violate the port security configuration and cause the switch to shut down the port.
Why it's not the most likely reason: While possible, port security is typically configured on ports facing end-users, not servers. A network administrator performing a planned upgrade would likely be aware of and would have updated any port security settings for a critical server. A TX/RX issue is a much more common and simple oversight during a physical hardware installation.

D. "An incorrect cable type was installed" is partially correct but not specific enough.
This is actually the umbrella cause, and option B (TX/RX transposed) is the specific technical reason why the incorrect cable type fails. A "crossover" cable is the "incorrect cable type" for connecting a server to a switch. Therefore, while technically true, option B provides the precise technical failure, making it the superior and "most likely" answer.

Reference:
This question aligns with the CompTIA Network+ (N10-009) Exam Objectives, specifically under:

Domain 1.0: Networking Fundamentals
Objective 1.3: Explain the use of network appliances. This includes understanding cabling and physical connectivity issues, such as the difference between straight-through and crossover cables and the function of auto-MDI/MDI-X.

Domain 2.0: Network Implementations
Objective 2.1: Compare and contrast various devices, their features, and their appropriate placement on the network. This includes knowledge of NICs and switch port configuration.

A network administrator needs to create an SVI on a Layer 3-capable device to separate voice and data traffic. Which of the following best explains this use case?

A. A physical interface used for trunking logical ports

B. A physical interface used for management access

C. A logical interface used for the routing of VLANs

D. A logical interface used when the number of physical ports is insufficient.

C.   A logical interface used for the routing of VLANs

Explanation:

✅ C. A logical interface used for the routing of VLANs
→ An SVI (Switched Virtual Interface) is a logical (virtual) Layer 3 interface configured on a switch.
→ Its main purpose is to provide routing capabilities between VLANs (also known as Inter-VLAN routing).
→ Since the administrator wants to separate voice and data traffic, they likely have different VLANs (e.g., VLAN 10 for data, VLAN 20 for voice). An SVI allows traffic between these VLANs without requiring an external router.
→ This is a standard use case in enterprise networks with Layer 3 switches.

❌ Why the other options are incorrect:

A. A physical interface used for trunking logical ports
Trunk ports are physical interfaces configured to carry multiple VLANs. They are not SVIs. An SVI is not physical—it’s virtual.

B. A physical interface used for management access
While an SVI can provide management access (like assigning an IP for switch management), that is not the main reason here. The use case clearly states separating voice and data traffic, which is about VLAN routing, not just management.

D. A logical interface used when the number of physical ports is insufficient
This describes technologies like port channels or sub-interfaces. SVIs are not meant to overcome port shortages; they are meant for routing between VLANs.

📖 Reference:
CompTIA Network+ N10-009 Exam Objectives (Domain 2.3 – Configure and Deploy Common Ethernet Switching Features)
Cisco: Configuring SVI

Which of the following protocols provides remote access utilizing port 22?

A. SSH

B. Telnet

C. TLS

D. RDP

A.   SSH

Explanation:
The correct answer is SSH (Secure Shell), which provides secure remote access over port 22. SSH is a cryptographic network protocol used to securely access and manage remote systems, typically Linux or Unix-based servers, over an unsecured network such as the Internet.

SSH encrypts all data transmitted between the client and the remote device, including authentication credentials, command executions, and session data. This encryption ensures confidentiality, integrity, and authenticity, protecting against threats like packet sniffing, session hijacking, and man-in-the-middle attacks.

By default, SSH uses TCP port 22 for establishing connections between the SSH client and the SSH server (commonly the sshd daemon). Administrators can modify the default port for additional security, but 22 remains the industry-standard and exam-recognized port number for SSH operations.

SSH replaces older, unencrypted protocols such as Telnet and rlogin, offering enhanced security features like:

Public key authentication: Users can authenticate using cryptographic key pairs instead of passwords.

Secure file transfers: SSH supports secure file operations through associated protocols such as SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol), both using the same port 22.

Encrypted tunneling and port forwarding: SSH can tunnel other traffic securely, allowing administrators to protect additional services over encrypted channels.

A typical SSH connection command looks like:
ssh user@remotehost
Once connected, the administrator gains a secure command-line interface to manage, monitor, and configure the remote system.

Why the other options are incorrect

B. Telnet ❌
Telnet is an older protocol that provides remote command-line access, but it transmits data, including usernames and passwords, in plaintext, offering no encryption. This makes it vulnerable to packet sniffing and interception. Telnet uses TCP port 23 by default, not port 22.

While Telnet and SSH serve similar purposes, SSH was specifically designed to replace Telnet to ensure secure remote administration. Telnet is now rarely used in production environments except for simple testing scenarios or connecting to legacy network devices.
Key difference: Telnet → port 23, unencrypted; SSH → port 22, encrypted.

C. TLS (Transport Layer Security) ❌
TLS is a cryptographic protocol that provides encryption for web and application-level communication, such as HTTPS, SMTP, POP3, and IMAP. TLS itself does not provide remote access; rather, it secures data in transit for other application protocols.
TLS operates across multiple ports depending on the service being secured:


HTTPS (HTTP over TLS): Port 443
SMTPS (Secure Mail Transfer): Port 465
IMAPS (Secure IMAP): Port 993

Thus, TLS is not a remote access protocol—it’s an encryption layer used to protect the transmission of data for other protocols. SSH, on the other hand, inherently integrates encryption and authentication for remote access over port 22.

D. RDP (Remote Desktop Protocol) ❌
RDP, developed by Microsoft, is used for graphical remote desktop access to Windows-based systems. It allows administrators or users to control a remote computer with a full desktop interface, not just command-line access.

RDP uses TCP port 3389 by default. Like SSH, RDP can encrypt data transmissions, but it operates differently at the graphical interface level and uses distinct authentication methods.

While SSH provides secure command-line sessions (mostly for Unix/Linux systems), RDP provides GUI-based remote control primarily for Windows systems.

Therefore, RDP is not the correct answer because it does not use port 22 and serves a different use case than SSH.

Security Features of SSH:

Encryption using AES or other symmetric algorithms.
Authentication via passwords or RSA/DSS keys.
Integrity verification using message authentication codes (MACs).
Support for tunneling X11, databases, or web applications securely.

Common SSH Implementations:
OpenSSH (Linux/Unix systems)
PuTTY (Windows client)
Dropbear (Lightweight SSH server for embedded devices)

Common Uses:
Remote server management.
Secure file transfer (SFTP/SCP).
Remote command execution in automated scripts.
Secure tunneling for application traffic.

References:
CompTIA Network+ (N10-009) Official Exam Objectives – Domain 1.3: “Explain the purpose and use cases for common networking protocols and ports.” → CompTIA Network+ Certification Page

Cisco Networking Academy – Introduction to Networks (ITN) v7.0: Section on Secure Shell (SSH) and Remote Access Protocols. → Cisco NetAcad Course Material

RFC 4251 – The Secure Shell (SSH) Protocol Architecture: Internet Engineering Task Force (IETF). → Defines SSH as a secure replacement for Telnet using TCP port 22.

Mike Meyers, CompTIA Network+ Certification All-in-One Exam Guide, 9th Edition (N10-009). The chapter on “Network Protocols and Ports” clearly identifies SSH → TCP 22 and its secure remote access capabilities.

An administrator is configuring a switch that will be placed in an area of the office that is accessible to customers. Which of the following is the best way for the administrator to mitigate unknown devices from connecting to the network?

A. SSE

B. ACL

C. Perimeter network

D. 802.1x

D.   802.1x

Explanation:
802.1X is a port-based network access control protocol defined by IEEE. It provides authentication at the switch port level using credentials (e.g., username/password or certificates) before allowing any traffic to pass. This ensures that only authorized users or devices can access the network, making it ideal for switches placed in unsecured or public areas.

When a device connects to a port configured with 802.1X:
The switch acts as an authenticator.
The device (supplicant) must provide valid credentials.
The switch forwards these credentials to a RADIUS server (authentication server).
If authentication succeeds, the port is opened for traffic; otherwise, access is denied.
This mechanism prevents rogue or unknown devices from gaining network access, even if they physically connect to the switch.

❌ Why Other Options Are Incorrect

A. SSE (Secure Service Edge)
SSE is a cloud-delivered security model that includes services like SWG, CASB, and ZTNA. It’s not relevant to local switch port security or physical access control. It operates at a broader network edge level, not at the LAN switch level.

B. ACL (Access Control List)
ACLs filter traffic based on IP addresses, ports, or protocols. While useful for controlling traffic flow, ACLs do not prevent a device from connecting to the network. They operate after the device has already gained access.

C. Perimeter Network (DMZ)
A perimeter network isolates public-facing servers from the internal network. It’s a network design concept, not a method for preventing unauthorized access to switch ports. It doesn’t apply to physical port-level security.

Operational Insight
802.1X is widely used in enterprise environments to enforce network access control (NAC). It integrates with identity services like Microsoft NPS or Cisco ISE and supports dynamic VLAN assignment, guest access policies, and endpoint posture checks.
For switches in customer-accessible areas (e.g., lobbies, conference rooms), enabling 802.1X:
Prevents unauthorized access.
Supports centralized authentication.
Can trigger alerts or quarantine policies for unknown devices.
This is a best practice in securing physical network infrastructure.

🔗 References
CompTIA Network+ N10-009 Objective: Network Security – Authentication and Access Control CompTIA Network+ Certification

Cisco: 802.1X Port-Based Authentication
“802.1X provides a mechanism to authenticate devices before they gain access to the network.”
IEEE: 802.1X Standard Overview

A network administrator is configuring a wireless network with an ESSID. Which of the following is a user benefit of ESSID compared to SSID?

A. Stronger wireless connection

B. Roaming between access points

C. Advanced security

D. Increased throughput

B.   Roaming between access points

Explanation:
The key to this question is understanding the difference between SSID and ESSID.
SSID (Service Set Identifier): This is simply the human-readable name of a wireless network. A single access point (AP) broadcasts an SSID.
ESSID (Extended Service Set Identifier): This is the name given to a wireless network that is composed of multiple access points all broadcasting the same SSID. This creates an Extended Service Set (ESS).

The primary user benefit of an ESSID is seamless roaming. A user device (like a laptop or smartphone) can move throughout a building or campus, and as the signal from one AP grows weak, the device can automatically and seamlessly disconnect from it and associate with a different AP that is broadcasting the same ESSID, all without dropping the network connection or requiring manual user intervention.

Detailed Analysis of Other Options

A. "Stronger wireless connection" is incorrect.
While an ESS can provide more consistent coverage, which can prevent a weak connection in dead zones, it does not inherently make the wireless connection itself "stronger" from a signal-to-noise ratio (SNR) or transmit power perspective at any single location. The strength of the connection to the individual AP a user is currently associated with remains the same.

C. "Advanced security" is incorrect.
The security of the network is determined by the encryption and authentication protocols used (e.g., WPA2, WPA3), not by whether it is a single AP (BSS) or a multi-AP network (ESS). The same security standards can be applied to both an SSID and an ESSID.

D. "Increased throughput" is incorrect.
An ESSID does not directly increase the bandwidth or throughput available to a single user. A user is still connected to only one AP at a time and is limited by that AP's shared medium and backhaul connection. In fact, if not properly designed, having too many clients on an ESS can lead to co-channel interference, which can decrease overall performance. The benefit is coverage and mobility, not aggregated speed.

Reference:
This question aligns with the CompTIA Network+ (N10-009) Exam Objectives, specifically under:

Domain 2.0: Network Implementations
Objective 2.4: Given a scenario, install and configure the appropriate wireless standards and technologies. This objective requires knowledge of wireless service sets, including:

Basic Service Set (BSS): A single AP.
Extended Service Set (ESS): Multiple APs with the same SSID/ESSID to form one continuous network, with the primary benefit being seamless roaming for clients.

Which of the following connectors provides console access to a switch?

A. ST

B. RJ45

C. BNC

D. SFP

B.   RJ45

Explanation:

Network switches (and routers) traditionally use an RJ45 console port for out-of-band management.
Administrators connect a console cable (often RJ45-to-DB9 or USB-to-RJ45) from their computer to the switch’s console port.
This allows direct CLI (Command Line Interface) access for configuration and troubleshooting, even if the network is down.

❌ Why the other options are incorrect:

A. ST
A fiber-optic connector (Straight Tip).
Used for network connections, not console access.

C. BNC
A coaxial connector, historically used in older Ethernet networks (10BASE2) or for RF connections.
Not used for switch console access.

D. SFP
Small Form-factor Pluggable transceiver slot for fiber or copper modules.
Provides uplink capability for network traffic, not console management.

📖 Reference:
CompTIA Network+ N10-009 Exam Objectives (Domain 2.2 – Deploy and Configure Ethernet Switching Features)
Cisco: Connecting a Console to the Switch

⚡ Exam Tip:
Console access = RJ45 (management port)
Network uplinks = SFP/fiber/copper
Legacy coax = BNC

A network administrator wants users to be able to authenticate to the corporate network using a port-based authentication framework when accessing both wired and wireless devices. Which of the following is the best security feature to accomplish this task?

A. 802.1X

B. Access control list

C. Port security

D. MAC filtering

A.   802.1X

Explanation:

Why A (802.1X) is Correct:
✅ 802.1X is an IEEE standard for port-based Network Access Control (NAC).
✅ It provides authentication for both wired and wireless devices before granting network access.
✅ Uses RADIUS servers (e.g., FreeRADIUS, Microsoft NPS) to validate user credentials (e.g., username/password, certificates).
✅ Ensures only authorized users/devices can connect, making it ideal for enterprise networks.

🔴 Why Other Options Are Incorrect:

B) Access Control List (ACL)
Filters traffic based on IP/MAC addresses or ports, but does not authenticate users.
Works after a device is connected, not as a pre-connection security measure.

C) Port Security
Restricts switch ports to specific MAC addresses but lacks user authentication.
Primarily used to prevent unauthorized devices (not users) from connecting.

D) MAC Filtering
Allows/denies devices based on hardware (MAC) addresses, but:
No user authentication (easily bypassed via MAC spoofing).
Does not scale well in large environments.

Reference:
CompTIA Network+ Objective 4.3 (Network Access Control)
IEEE 802.1X Standard (Port-Based Authentication)

Final Answer:
A) 802.1X

Which of the following panels would be best to facilitate a central termination point for all network cables on the floor of a company building?

A. Patch

B. UPS

C. MDF

D. Rack

A.   Patch


Explanation:

🟢 A patch panel is a central termination point where network cables from different locations on a floor are terminated.
🟢 It allows cables to be neatly organized and connected to network switches using short patch cables.
🟢 This design provides flexibility, easy troubleshooting, and structured cabling management.

❌ Why the other options are incorrect:

B. UPS (Uninterruptible Power Supply)
Provides backup power and protection against outages or surges.
Does not serve as a cable termination point.

C. MDF (Main Distribution Frame)
The MDF is the main building-level termination point for telecommunication cables and connections.
However, the question specifies “on the floor of a company building” → the correct term for that is IDF (Intermediate Distribution Frame), which typically uses patch panels for floor-level cable termination.

D. Rack
A rack is the physical frame that houses network equipment (switches, patch panels, servers, etc.).
It organizes equipment but is not specifically the termination point.

📖 Reference:
CompTIA Network+ N10-009 Exam Objectives (Domain 1.3 – Explain the Concepts and Characteristics of Cabling and Connectors)
TIA/EIA-568 Structured Cabling Standards

⚡ Exam Tip:
Patch Panel → Floor/IDF termination point
MDF → Building-wide termination point
Rack → Housing equipment
UPS → Power backup

A user connects to a corporate VPN via a web browser and is able to use TLS to access the internal financial system to input a time card. Which of the following best describes how the VPN is being used?

A. Clientless

B. Client-to-site

C. Full tunnel

D. Site-to-site

A.   Clientless

Explanation:

✅ A clientless VPN is accessed directly through a web browser without requiring a dedicated VPN client application.
✅ It often uses TLS/SSL encryption to provide secure access to specific internal applications (like web-based portals or financial systems).
✅ In this case, the user simply logs into the VPN gateway through a browser → establishes a secure TLS session → and then accesses the internal financial system.

❌ Why the other options are incorrect:

B. Client-to-site
Requires a VPN client software installed on the user’s device.
Since this scenario specifies web browser access with TLS, no client software is being used.

C. Full tunnel
A full tunnel VPN sends all of the user’s traffic (internal and internet) through the VPN connection.
The scenario only mentions accessing a specific internal system via TLS, not tunneling all traffic.

D. Site-to-site
Used to connect entire networks together (e.g., branch office to headquarters).
This is about an individual user accessing via a browser, so not site-to-site.

📖 Reference:
CompTIA Network+ N10-009 Exam Objectives (Domain 3.3 – Compare and Contrast Remote Access Methods)
Cisco: SSL VPN Overview

⚡ Exam Tip:
Browser + TLS → Clientless VPN
Installed VPN software → Client-to-site
Connects whole offices → Site-to-site
All traffic tunneled → Full tunnel

Which of the following should a network administrator configure when adding OT devices to an organization’s architecture?

A. Honeynet

B. Data-at-rest encryption

C. Time-based authentication

D. Network segmentation

D.   Network segmentation

Explanation:
OT (Operational Technology) refers to hardware and software that monitors and controls physical devices, processes, and infrastructure in industrial environments. Examples include SCADA systems, industrial control systems (ICS), and IoT devices like sensors and programmable logic controllers (PLCs).

The most critical and fundamental security measure when integrating OT devices into a traditional IT network is network segmentation.

Why it's necessary: OT devices are often:
Legacy Systems: They were designed for isolated networks and may run on outdated, unpatchable operating systems with known vulnerabilities.
Resource-Constrained: They lack the computing power to run modern security software like host-based firewalls or antivirus.
Safety-Critical: A compromise can lead to physical damage, production shutdowns, or safety hazards.

How it works: Segmentation involves creating separate network zones (e.g., using VLANs or a physically separate network) and controlling the traffic between them with a firewall. This isolates the fragile OT environment from the corporate IT network, preventing threats like malware from spreading from IT to OT and limiting the attack surface of the OT devices.
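The zone-and-firewall model described above can be checked against observed traffic. The following is an added example, not part of the original practice test: it audits flow records against a default-deny inter-zone policy. The zone names, subnets, allowlist entries and sample flows are all constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed zone map (assumption): one subnet/VLAN per zone.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),  # corporate workstations
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),  # historian and jump host
    "OT":  ipaddress.ip_network("10.30.0.0/24"),  # PLCs and HMIs
}

# Inter-zone allowlist (assumption); anything not listed is denied.
# Entries are (src_zone, dst_zone, protocol, dst_port).
ALLOWED = {
    ("OT", "DMZ", "tcp", 443),   # OT pushes process data to the historian
    ("IT", "DMZ", "tcp", 443),   # IT reads reports from the historian
    ("DMZ", "OT", "tcp", 22),    # jump host administers OT devices over SSH
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr):
    """Return the zone name containing addr, or None if it is unzoned."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def evaluate(flow):
    """Return (verdict, reason) for one flow under default-deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone ({src_zone}), does not cross the firewall"
    rule = (src_zone, dst_zone, flow.proto, flow.dport)
    if rule in ALLOWED:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} allowlisted"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not allowlisted"

def audit(flows):
    """Return (flow, reason) for every flow that segmentation should block."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.30.0.15", "10.20.0.5", "tcp", 443),    # PLC -> historian
    Flow("10.10.4.22", "10.30.0.15", "tcp", 502),   # workstation -> PLC (Modbus/TCP)
    Flow("10.20.0.9", "10.30.0.15", "tcp", 22),     # jump host -> PLC
    Flow("10.30.0.15", "10.30.0.16", "tcp", 502),   # PLC -> PLC, same zone
    Flow("10.30.0.15", "203.0.113.7", "tcp", 443),  # PLC -> address in no zone
    Flow("10.10.4.22", "10.20.0.5", "tcp", 22),     # workstation -> DMZ over SSH
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Flows that appear in the audit output are the ones a firewall between the zones should be dropping; seeing them in real flow logs means the segmentation is not being enforced.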

Detailed Analysis of Other Options

A. "Honeynet" is incorrect.
A honeynet is a decoy network designed to attract and study attackers. While a valuable security research tool, it is not a primary or necessary security control for protecting critical OT assets. The focus for OT is on hardening and isolating the real production systems, not on creating attractive targets.

B. "Data-at-rest encryption" is incorrect.
While encryption is a key security principle, it is often impractical or impossible to implement on OT devices. Many OT devices lack the processing capability for encryption, and the primary risk to OT systems is often operational disruption rather than data theft. The network itself is the first and most critical layer of defense.

C. "Time-based authentication" is incorrect.
Time-based authentication (like TOTP - Time-based One-Time Passwords) is a strong method for user access control. However, it is irrelevant for most OT devices, which typically use machine-to-machine (M2M) communication and do not have a user logging in with a password. The authentication in OT environments is often handled at the system or network level, not per device with time-based codes.

Reference:
This question aligns with the CompTIA Network+ (N10-009) Exam Objectives, specifically under:
Domain 4.0: Network Security
Objective 4.2: Explain common security concepts. This includes segmentation as a core security principle.
Objective 4.8: Explain the importance of physical security. OT security is a direct bridge between cybersecurity and physical security, as a network breach can have physical consequences.
