CompTIA Network+ Practice Test (N10-009)

An active-active high-availability approach involves multiple systems running simultaneously, each capable of handling requests. This configuration enhances the overall performance and provides redundant systems as a fallback in case one fails, ensuring no single point of failure and maintaining continuous service availability. The incorrect answers describe different aspects or configurations that do not align with the active-active definition. An active-passive setup involves standby servers that remain idle until a failover, whereas load balancing refers to distributing network or application traffic across multiple servers; though related to high-availability, it's not specific to the active-active approach described.

The correct configuration to ensure a specific range of IP addresses is always distributed to a particular department's devices is to use reservations. DHCP reservations bind specific IP addresses to the MAC addresses of devices, guaranteeing that these devices receive the same IP addresses each time they connect to the network. In contrast, exclusions are used to prevent certain IP addresses from being assigned from a scope; scope defines the entire range of possible IP addresses that can be assigned to devices; and lease time determines how long a device holds an IP address before it must renew its DHCP configuration.

The correct answer emphasizes the strategic use of a screened subnet to host services that are intended for public access, such as a web server, thus isolating them from the internal network. This setup acts as a buffer zone, reducing the risk of external attacks directly impacting the core internal network. The incorrect options, although plausible in different contexts, fail to capture the primary security function of a screened subnet as an intermediary that shields internal networks from direct exposure to public internet traffic.

TXT records are specifically designed to store arbitrary text information associated with a hostname, which includes various purposes such as verifying domain ownership, security measures, and other services that require direct information about the domain. Despite other records serving critical direct resolution roles, TXT records uniquely enable both humans and machines to read additional information that does not fit into typical resolution protocols, providing a versatile medium for various configurations.

IPSec is the correct choice because it is designed to provide security at the network layer. By encrypting and authenticating each IP packet of a communication session, IPSec ensures that the data remains confidential and has not been tampered with during transit. SSL/TLS, while also commonly used for encrypting connections, operates at a higher layer in the OSI model and is generally implemented for securing HTTP connections. GRE is a tunneling protocol used to encapsulate a wide variety of network layer protocols, but it does not inherently provide encryption or authentication.

By establishing automated backups to occur at regular intervals coupled with an off-site storage option, the configurations are kept up-to-date and the risk of data loss due to on-site disasters is minimized. Manual backups, while still usable, can be error-prone and may not be as timely. Using personal devices for storage introduces security risks, and storing on the same network risks losing the backups if the network is compromised.

EIGRP's ability to support unequal-cost load balancing allows the protocol to use multiple paths of different metrics to the same destination, unlike protocols that support only equal-cost paths. This extends the capability of a network by using all viable paths effectively, increasing bandwidth and redundancy without compromising the routing efficiency.

The incorrect answers referenced methods that are either not directly linked to EIGRP's advanced capabilities (like basic split horizon) or are benefits of EIGRP that do not address the specific capability of unequal-cost load balancing - speed (not a unique feature of using this type of load balancing) or metrics simplification (which is related broadly to how EIGRP calculates path costs but not specifically to the benefit of unequal-cost load balancing).

The correct answer is to create a descriptive and unique SSID that relates to the company or its department. A descriptive and unique SSID can help users easily identify their specific network while minimizing the chances of connecting to nearby networks with similar SSIDs. On the other hand, using generic names can lead to confusion, and overly revealing SSIDs may expose the network to potential security threats. Using the default SSID is not advisable as it could indicate the hardware being used, potentially aiding attackers. Including too much detail like specific department names in populous areas might give away internal organizational structure unnecessarily.

Out-of-band management provides an alternative path for network administration that is not dependent on the regular network infrastructure. This management method typically involves a dedicated management channel like a serial console port that allows administrators to manage network devices directly, bypassing the primary network interfaces. This is particularly vital during network outages, ensuring administrators can still access and control devices. In-band management methods such as SSH, Telnet, and API all rely on network connectivity to the devices and therefore may not be available during network outages.

Network Address Translation (NAT) allows multiple devices on a private network to access the internet using a single public IP address. This is crucial for conserving IP addresses and for allowing an entire network to communicate to the outside world using a simple, singular address. NAT modifies the IP addresses of outgoing packets from a private network to appear as though they are originating from the router’s public IP address to external hosts. The other options describe different technologies or concepts that are not directly related to the specific function of NAT.

A Denial-of-Service attack is intended to make a server or network resource unavailable to users, typically by overwhelming it with excessive requests until it can no longer respond effectively. The sudden spike in traffic and degradation of service mentioned in the scenario is characteristic of a DoS attack. ARP poisoning, also a security threat, typically affects data integrity by redirecting network traffic, irrelevant to the symptoms described as excessive traffic. MAC flooding aims at saturating the switch's MAC address table to cause traffic to be broadcasted out, still not in line with the symptoms mentioned. Finally, Rogue AP deals with unauthorized access points in the network and does not directly cause excessive traffic to legitimate services.

Nmap is a versatile tool used for network discovery and security auditing. It can effectively identify host details such as the operating system, service versions, and open ports, making it excellent for ad hoc discovery when unknown or unauthorized devices are detected on the network. Wireshark, while powerful for analyzing packet flows, is primarily a packet capture tool and does not inherently provide comprehensive device profiling. Ping is simply a network utility tool to check the reachability of a host on an IP network and does not reveal detailed information about the device’s operating system or running services. Netstat displays active connections and listening ports on the host it’s run from, but it is not used for discovering details about other devices.

A combination of physical and logical diagrams provides the most comprehensive overview of the network’s infrastructure. This approach helps in visualizing both the actual physical layout of the network components, such as cable runs and hardware locations (physical diagram), and their logical interconnections, paths, and data flow (logical diagram). This dual perspective is crucial during upgrades and troubleshooting as it offers insights into how changes in the physical layer can affect network behavior and connectivity.

An Access control list (ACL) is the correct answer because it is used to define which users or systems are granted access to specific resources. ACLs can restrict access to network resources based on IP addresses, protocols, or ports, effectively controlling which packets are allowed through a router or firewall. In contrast, MAC filtering is mainly used to allow or deny network access based on hardware addresses, which is less about resource specific permissions and more about network access. Content filtering manages access to specific types of content rather than securing resources based on network segments. Disabling unused ports is a precautionary security measure to minimize unnecessary network entry points, but it does not involve resource access permissions between network segments.

A Content Delivery Network (CDN) is designed to cache content at multiple geographical locations to ensure faster delivery of multimedia content and webpages to a global audience, effectively handling high traffic and enhancing web performance. VPNs, while useful for secure connectivity, primarily focus on security rather than performance enhancement. Load balancers distribute traffic across servers to prevent any one server from becoming overwhelmed, but they do not reduce latency caused by geographical distance. Firewalls monitor and control incoming and outgoing network traffic based on predetermined security rules and do not influence content delivery speed.