CompTIA Network+ Practice Test (N10-009)

DNSSEC (Domain Name Security Extensions) enhances the security of the domain name system by signing records with public key cryptography. This allows client systems to verify the authenticity and integrity of the response, protecting against certain types of attacks such as cache poisoning. Technologies like DoH and DoT, while providing confidentiality through encryption of requests, do not offer mechanisms for response validation akin to DNSSEC.

Given the scenario, among the listed reasons, the most probable cause for the IP camera not powering up is exceeding the maximum power delivery range for PoE over Cat5e, which is typically recommended up to 100 meters. As the power reaches the limits of its range, voltage drops can occur, leading to insufficient power delivery to the device. Upgrading to a Cat6 cable could help due to its inherently lower resistance per meter, potentially mitigating voltage drop over the same distance. The other options, though possible in different contexts, are less likely in this specific scenario given the details provided (e.g., no mention of incorrect standards or device incompatibility).

Generic Routing Encapsulation (GRE) can encapsulate a wide variety of OSI Layer-3 passenger protocols inside an IP carrier, letting dissimilar routed protocols move across a single-protocol backbone. GRE itself provides no confidentiality, integrity, or endpoint authentication, so it is often paired with IPsec when those protections are needed. IPsec includes strong encryption and authentication, which violates the "no built-in security" condition. TLS/SSL secures individual application sessions rather than transporting multiple routed protocols, and MPLS is a label-switching technology used mainly by service-provider networks to forward traffic and build VPN services rather than for simple point-to-point tunnels.

The MX (Mail Exchange) record is used in DNS to specify the mail servers responsible for receiving email messages on behalf of a domain. This record is essential for directing email traffic correctly to the organization's mail servers. The A record links a domain to an IP address for general queries but is not specific for mail servers. The CNAME record creates an alias for another domain name, not specifically used for mail servers. Lastly, the TXT record is used for providing arbitrary text about a host, commonly for security data like SPF or DKIM, not for mail server specification.

VLANs (Virtual Local Area Networks) operate at Layer 2 of the OSI model and enable a network engineer to create multiple, isolated broadcast domains on a single physical network infrastructure without requiring additional hardware. This allows for improved network segmentation and traffic management. Subnetting operates at Layer 3 by dividing networks based on IP addresses. Routing and NAT (Network Address Translation) are also Layer 3 functions and do not provide Layer 2 segmentation capabilities.

The correct answer is the one that defines a network's ability to dynamically adjust its services and priorities based on the recognition and analysis of different types of application traffic, which is central to the concept of being application aware. This involves real-time adaptation to optimize application performance and reliability, differentiating it from static configurations that do not change based on the traffic type.

The likeliest issue in this scenario is that the default gateway is not configured or incorrectly configured on the router. The default gateway provides the necessary routing information for forwarding packets destined for external networks and the internet. If it's missing or incorrect, devices can communicate within the local network but fail to find a route for external addresses. Incorrect entries in the routing table typically only affect specific network segments, and incorrect subnets would largely prevent local communications, not just external communications.

The correct reason why the port would go into an 'error disabled' state in this scenario is usually due to a violation of port security settings, such as exceeding the maximum allowed MAC addresses. Port security limits the number of valid MAC addresses allowed on a port to prevent unauthorized access. If this number is exceeded, the default action for many switches is to disable the port to prevent possible security breaches. Incorrect cable types or DHCP exhaustion typically do not directly cause ports to be error disabled, and temperature anomalies are more related to hardware malfunctions rather than configurations that trigger port security.

The described behavior is application aware networking (often called application-aware routing). The SD-WAN appliance inspects traffic up to Layer 7 to identify the application generating each flow, then applies policies-such as path selection, prioritization, throttling, or blocking-tailored to that application's requirements. Zero-touch provisioning automates initial device onboarding, transport agnostic refers to supporting any underlying WAN medium, and multitenancy refers to isolating different customer or departmental networks on shared infrastructure. None of those terms involve recognizing applications and acting on that information, so they are incorrect choices.

Port 22 is used by SSH (Secure Shell) and by extension, SFTP (SSH File Transfer Protocol), which uses SSH to securely transfer files. Ensuring that port 22 is open on the firewall allows for encrypted transmissions, providing both security and verification. Port 21 is used by FTP, which is not secure by itself. Port 23, used by Telnet, transmits data in plaintext and is less secure than SFTP/SSH. Port 443 is commonly used by HTTPS, which is secure but meant for secure web traffic, not the type of file server access implied in the scenario.

An unauthorized server that assigns network configurations, such as a rogue DHCP server, often intercepts or disrupts network traffic by providing incorrect configurations to clients. This misdirection can lead to man-in-the-middle attacks or other security breaches, highlighting why understanding this threat is crucial. The incorrect answers do not accurately describe the primary malicious intent of such a server.

Port 587 is reserved for SMTP message submission. By default, it begins as an unencrypted session and should be upgraded to TLS with the STARTTLS command. Enabling STARTTLS on the server (and requiring clients to use it) ensures that each message is encrypted after the initial handshake. Using plain SMTP on port 587 does not guarantee encryption; implicit SSL/TLS requires port 465 instead, and IMAP is a different protocol entirely.

Choosing a passive tap is important because it copies traffic without inserting any active electronics into the data path. Passive taps require no external power, introduce virtually zero latency, and will continue to pass production traffic even if the monitoring device or the tap itself loses power. Active taps, by contrast, must be powered to regenerate or multiplex the signal; a loss of power can create a point of failure and even low-latency active taps still add measurable delay. Placing an additional hub or switch in line would introduce active components that can drop, filter, or alter frames and may oversubscribe bandwidth, so these options are not recommended for unbiased, high-speed monitoring.

The correct answer is that one or more switch ports have been assigned to the wrong VLAN. VLANs (Virtual LANs) create logically separate networks on the same physical infrastructure. If a switch port used by a marketing department device is mistakenly assigned to the finance department's VLAN, that device will become part of the finance network segment, bypassing the intended security separation. A misconfigured default gateway or a routing loop would typically cause connectivity failures or performance degradation, not grant unintended access. While a missing access control list (ACL) on a router could also allow unwanted inter-VLAN traffic, the most fundamental cause for a device appearing in the wrong logical segment is an incorrect VLAN assignment on its switch port.

Configuration drift occurs when the actual configuration state of a device or system deviates from the desired or documented state-often because of manual, out-of-band, or incomplete changes. This divergence can introduce inconsistencies, reduce reliability, and create security or compliance risks. Effective IaC and automation practices continuously detect and remediate drift to keep infrastructure aligned with its intended configuration.

The correct answer is Cat 6a because it supports speeds up to 10 Gbps over distances up to 100 meters, which is ideal for a modern small business requiring high-speed applications like video conferencing and large file transfers. In contrast, Cat 6 supports 10 Gbps but only up to 55 meters in high crosstalk environments, making it less reliable for consistent high-speed delivery across a business premise. Cat 5e, supporting up to 1 Gbps, currently does not meet the requirements for higher speed applications. Cat 7, although capable of up to 10 Gbps, is typically used for specific cases due to its shielded system and is not a common upgrade path from Cat 5e.

A Layer 1 diagram is the best choice because it focuses specifically on the physical aspects of the network-such as cabling, media, and physical ports-which aligns precisely with the requirement to display physical transmission mediums and connections. Layer 2 and Layer 3 diagrams emphasize data-link and network-layer information, while a logical diagram focuses on traffic flow and subnet relationships rather than cabling.

A toner, which consists of a tone generator and a probe, is specifically designed for tracing and identifying wires or cables within a group. It works by sending a tone signal down the cable, which the probe can then detect. This is crucial in environments where cables are unmarked or bundled together, allowing a technician to follow the tone to locate the correct cable. A cable tester is primarily used for verifying the functionality and integrity of a cable's connections, not for tracing its physical path. Wire strippers are used to remove the protective coating of wires for termination. A Wi-Fi analyzer is a tool for wireless networks and is not applicable to wired cable tracing.

The correct answer effectively captures the essence of the Session layer, which is managing sessions or dialogs between applications. This includes opening, closing, and managing sessions between end-user application processes. Dialog control ensures that the session can be set up as simplex or duplex. While the other options relate to sessions, they do not directly reflect the core responsibilities of the Session layer in the OSI model.

An Access control list (ACL) is the correct answer because it is used to define which users or systems are granted access to specific resources. ACLs can restrict access to network resources based on IP addresses, protocols, or ports, effectively controlling which packets are allowed through a router or firewall. In contrast, MAC filtering is mainly used to allow or deny network access based on hardware addresses, which is less about resource-specific permissions and more about network access. Content filtering manages access to specific types of content rather than securing resources based on network segments. Disabling unused ports is a precautionary security measure to minimize unnecessary network entry points, but it does not involve resource access permissions between network segments.