CompTIA N10-009 Practice Test
Prepare smarter and boost your chances of success with our CompTIA N10-009 practice test. This test helps you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the N10-009 practice exam are 40–50% more likely to pass on their first attempt.
Start practicing today and take the fast track to becoming CompTIA N10-009 certified.
Updated On: 11-Sep-2025
365 Questions
A network administrator is implementing security zones for each department. Which of the following should the administrator use to accomplish this task?
A. ACLs
B. Port security
C. Content filtering
D. NAC
Why ACLs Are the Best Choice?
Purpose-Built for Security Zones:
ACLs filter traffic between subnets/VLANs, making them ideal for enforcing boundaries between departments.
Example: Block HR traffic from reaching Engineering while allowing necessary communication.
Granular Control:
Can permit/deny traffic based on:
Source/destination IP (department subnets).
Port numbers (applications/services).
Layer 3 Enforcement:
Works at the router/switch level (where inter-department traffic flows).
Why Not the Others?
B) Port security – Prevents unauthorized devices on switch ports (MAC filtering), but doesn’t segment departments.
C) Content filtering – Blocks websites/apps (e.g., social media), not inter-department traffic.
D) NAC (Network Access Control) – Authenticates devices joining the network, but doesn’t control traffic between zones.
Implementation Example:
Assign each department a unique VLAN/subnet.
Apply ACLs on the router/firewall to restrict cross-zone traffic.
Reference:
CompTIA Network+ Objective 3.3 (Network Segmentation) – ACLs are standard for zone-based security.
NIST SP 800-41 recommends ACLs for inter-zone traffic control.
Final Answer: A) ACLs are the correct tool for creating security zones.
Which of the following ports is used for secure email?
A. 25
B. 110
C. 143
D. 587
Why Port 587?
Secure Email Submission (SMTPS):
Port 587 is the standard for secure email submission (SMTP with TLS/STARTTLS encryption).
Used by email clients (e.g., Outlook, Thunderbird) to send messages securely to mail servers.
Explicit TLS (Opportunistic Encryption):
Unlike port 465 (legacy SMTPS), port 587 starts unencrypted but upgrades to TLS via STARTTLS.
Mandated by RFC 8314 for modern email security.
Why Not the Others?
A) Port 25 – Legacy SMTP for server-to-server email (no encryption by default; often blocked by ISPs).
B) Port 110 – POP3 (unencrypted email retrieval; secure version uses POP3S on port 995).
C) Port 143 – IMAP (unencrypted email access; secure version uses IMAPS on port 993).
Reference:
CompTIA Network+ Objective 1.5 (Ports & Protocols) – Lists port 587 for secure email.
RFC 8314 (2018) recommends ports 587 (STARTTLS) and 465 (SMTPS) for secure submission.
Final Answer: D) 587 is the correct port for secure email submission.
Which of the following is the correct order of components in a bottom-up approach for the three-tier hierarchical model?
A. Access, distribution, and core
B. Core, root, and distribution
C. Core, spine, and leaf
D. Access, core, and roof
Why This Order?
Bottom-Up Approach in the Three-Tier Model:
Access Layer (Bottom):
Connects end devices (PCs, phones, printers).
Provides port security, VLANs, and STP.
Distribution Layer (Middle):
Aggregates traffic from access switches.
Enforces routing, ACLs, QoS, and VLAN routing.
Core Layer (Top):
High-speed backbone for fast traffic between distribution layers.
Focuses on throughput and reliability (no packet manipulation).
Why Not the Others?
B) Core, root, and distribution – Incorrect terms ("root" isn’t a tier; order is reversed).
C) Core, spine, and leaf – Describes a spine-leaf (two-tier) data center model, not the traditional three-tier hierarchy.
D) Access, core, and roof – "Roof" is invalid; core should be at the top.
Reference:
CompTIA Network+ Objective 2.1 (Network Infrastructure) – Three-tier model is standard for enterprise networks.
Cisco’s Hierarchical Network Design (Access → Distribution → Core).
Final Answer: A) Access, distribution, and core is the correct order.
A network administrator needs to change where the outside DNS records are hosted. Which of the following records should the administrator change at the registrar to accomplish this task?
A. NS
B. SOA
C. PTR
D. CNAME
Why NS Records?
Purpose:
NS (Name Server) records specify which DNS servers are authoritative for a domain.
To change where your domain’s DNS records are hosted (e.g., from GoDaddy to Cloudflare), you update the NS records at the registrar.
How It Works:
Example: If moving DNS hosting to AWS Route 53, you’d replace the old NS records with AWS’s assigned name servers (e.g., ns-123.awsdns-45.com).
Why Not the Others?
B) SOA (Start of Authority) – Defines the primary authoritative server and zone parameters (e.g., TTL, refresh intervals), but doesn’t control where records are hosted.
C) PTR (Pointer) – Used for reverse DNS (IP → hostname), unrelated to changing DNS hosting.
D) CNAME (Canonical Name) – Aliases one hostname to another (e.g., www.example.com → example.com), not for DNS server delegation.
Steps to Change DNS Hosting:
Get the new name servers from your new DNS provider (e.g., Cloudflare, AWS).
Log in to your domain registrar (e.g., GoDaddy, Namecheap).
Replace the old NS records with the new ones.
Wait for propagation (up to 48 hours).
Reference:
CompTIA Network+ Objective 1.6 (DNS Records) – NS records delegate DNS authority.
RFC 1035 defines DNS record types and their roles.
Final Answer: A) NS records must be updated at the registrar to change where DNS is hosted.
A network engineer receives a vendor alert regarding a vulnerability in a router CPU. Which of the following should the engineer do to resolve the issue?
A. Update the firmware.
B. Replace the system board.
C. Patch the OS.
D. Isolate the system.
Why Firmware Updates Resolve CPU Vulnerabilities?
Vendor Firmware Patches Often Fix Hardware-Level Flaws:
CPU vulnerabilities (e.g., Spectre, Meltdown, or vendor-specific bugs) are typically mitigated through microcode updates delivered via firmware.
Firmware updates address low-level CPU behavior without replacing hardware.
Router Firmware Includes:
Microcode patches for CPUs.
Security fixes for other hardware components.
Why Not the Other Options?
B) Replace the system board – Overkill unless the CPU is physically defective (rare for vulnerabilities).
C) Patch the OS – OS patches don’t fix CPU microcode flaws (firmware handles this).
D) Isolate the system – A temporary measure, but doesn’t resolve the vulnerability.
Steps to Mitigate:
Check the vendor advisory for firmware version requirements.
Download and install the firmware update via the router’s management interface.
Reboot to apply microcode changes.
Reference:
CompTIA Network+ Objective 3.2 (Security Vulnerabilities) – Firmware updates are critical for hardware-level fixes.
CVE Database lists CPU vulnerabilities (e.g., CVE-2018-3639 for Spectre).
Final Answer: A) Update the firmware is the correct action to resolve a CPU vulnerability.
To reduce costs and increase mobility, a Chief Technology Officer (CTO) wants to adopt cloud services for the organization and its affiliates. To reduce the impact for users, the CTO wants key services to run from the on-site data center and enterprise services to run in the cloud. Which of the following deployment models is the best choice for the organization?
A. Public
B. Hybrid
C. SaaS
D. Private
Why Hybrid Cloud is the Best Choice?
Combines On-Premises and Cloud Services:
Key services run on-site (data center) for control/performance.
Enterprise services run in the cloud for scalability/cost savings.
Balances cost, mobility, and user impact by integrating both environments.
Fits the CTO’s Requirements:
Reduces costs (cloud for non-critical workloads).
Maintains critical operations locally (minimizes disruption).
Enables mobility (cloud services accessible anywhere).
Why Not the Others?
A) Public Cloud – Fully cloud-based; doesn’t preserve on-site services.
C) SaaS – A service model (e.g., Office 365), not a deployment model.
D) Private Cloud – Fully on-premises/off-premises dedicated cloud; no cost savings for hybrid needs.
Hybrid Cloud Use Cases:
Bursting: On-premises apps scale to the cloud during peak demand.
Data Tiering: Sensitive data stays local; less critical data moves to the cloud.
Reference:
CompTIA Network+ Objective 1.8 (Cloud Models) – Hybrid cloud integrates on-prem and public cloud.
NIST SP 800-145 defines hybrid cloud as a composition of distinct environments.
Final Answer: B) Hybrid is the ideal deployment model for this scenario.
A network administrator is deploying a new switch and wants to make sure that the default priority value was set for a spanning tree. Which of the following values would the network administrator expect to see?
A. 4096
B. 8192
C. 32768
D. 36684
Why 32768?
Default STP (Spanning Tree Protocol) Priority:
The default Bridge Priority value for a switch in STP/RSTP/MSTP is 32768 (0x8000 in hexadecimal).
This is standardized by IEEE 802.1D for all VLANs unless manually changed.
How STP Priority Works:
The switch with the lowest priority becomes the Root Bridge.
Priority is set in increments of 4096 (e.g., 32768, 36864, 40960).
Why Not the Others?
A) 4096 – A valid STP priority (low enough to force a Root Bridge election), but not the default.
B) 8192 – Not a standard STP priority increment (must be multiples of 4096).
D) 36684 – Invalid (not a multiple of 4096; max is 61440).
Key Notes:
Extended System ID (VLAN ID) is added to the base priority (e.g., VLAN 10 = 32768 + 10 = 32778).
To manually set a switch as Root Bridge, lower its priority (e.g., 4096 for VLAN 1).
Reference:
CompTIA Network+ Objective 2.3 (Spanning Tree Protocol) – Default priority is 32768.
IEEE 802.1D Standard defines STP priority values.
Final Answer: C) 32768 is the default STP priority value.
Which of the following disaster recovery metrics is used to describe the amount of data that is lost since the last backup?
A. MTTR
B. RTO
C. RPO
D. MTBF
Why RPO?
Definition:
RPO (Recovery Point Objective) measures the maximum acceptable amount of data loss after a disaster.
It answers: "How much data can we afford to lose since the last backup?"
Example:
If backups run every 4 hours, the RPO is 4 hours (worst-case data loss).
Why Not the Others?
A) MTTR (Mean Time to Repair) – Time to fix a system, not data loss.
B) RTO (Recovery Time Objective) – Time to restore operations, not data loss.
D) MTBF (Mean Time Between Failures) – Predicts hardware reliability, unrelated to backups.
Reference:
CompTIA Network+ Objective 4.4 (Disaster Recovery Metrics) – RPO is explicitly defined for data loss.
NIST SP 800-34 outlines RPO/RTO in contingency planning.
Final Answer: C) RPO describes acceptable data loss since the last backup.
A network administrator is in the process of installing 35 PoE security cameras. After the administrator installed and tested the new cables, the administrator installed the cameras. However, a small number of the cameras do not work. Which of the following is the most likely reason?
A. Incorrect wiring standard
B. Power budget exceeded
C. Signal attenuation
D. Wrong voltage
Why Power Budget is the Most Likely Issue?
PoE (Power over Ethernet) Limitations:
Each PoE camera draws power (typically 4–15W per device).
Switches have a total power budget (e.g., 370W for a 48-port switch).
If the total power demand exceeds the budget, some devices won’t receive power.
Symptoms Match:
Most cameras work, but a few don’t (consistent with partial power shortage).
New cables were tested (ruling out wiring/attenuation issues).
Why Not the Others?
A) Incorrect wiring standard – Would affect all cameras, not just a few (and cables were tested).
C) Signal attenuation – Unlikely with new, tested cables (and PoE issues would cause power loss before signal degradation).
D) Wrong voltage – PoE standards (802.3af/at/bt) auto-negotiate voltage; unlikely unless using non-standard gear.
Reference:
CompTIA Network+ Objective 1.4 (Power over Ethernet) – Covers PoE budgets and standards.
IEEE 802.3af/at/bt defines PoE power limits (15.4W, 30W, 90W per port).
Final Answer: B) Power budget exceeded is the most likely cause.
A company's marketing team created a new application and would like to create a DNS record for newapplication.comptia.org that always resolves to the same address as www.comptia.org. Which of the following records should the administrator use?
A. SOA
B. MX
C. CNAME
D. NS
Explanation:
A CNAME record is used when you want one domain name (like newapplication.comptia.org) to always point to another domain name (like www.comptia.org). This way, if the IP address of www.comptia.org changes, newapplication.comptia.org will automatically update to match it without needing manual adjustments.
Why Not the Other Options?
SOA (Start of Authority): This record manages DNS zone information (like admin email or refresh rates) but doesn’t link domain names.
MX (Mail Exchange): This directs email traffic to mail servers, not for aliasing web addresses.
NS (Name Server): This specifies which servers handle DNS queries for a domain, not for redirecting addresses.
Key Benefit of CNAME:
Simplifies maintenance since you only need to update the target domain’s IP (e.g., www.comptia.org), and the alias (newapplication.comptia.org) follows automatically.
Final Answer: C) CNAME is the correct DNS record for this scenario.