Study Guide · N10-009

N10-009 Cheat Sheet

692 entries · 34 chapters · 5 domains

Networking Concepts

OSI Model

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Know the seven OSI layers in order, top to bottom

The OSI model stacks seven layers: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1). Each layer communicates logically with its peer on the other host and relies on the layer below to deliver. The mnemonics All People Seem To Need Data Processing (7 to 1) and Please Do Not Throw Sausage Pizza Away (1 to 7) fix the order, which is what most OSI questions hinge on.

Name the PDU and you have pinned the layer

The protocol data unit (PDU) name changes down the stack and identifies the layer outright: bits at Layer 1 Physical, frame at Layer 2 Data Link, packet at Layer 3 Network, segment (TCP) or datagram (UDP) at Layer 4 Transport, and data at Layers 5 to 7. When a stem mentions a frame it is asking about Layer 2; a packet means Layer 3; a segment means Layer 4.

Trap Calling a Layer 3 unit a frame; the frame is the Layer 2 PDU, while Layer 3 carries the packet that the frame wraps.

1 question tests this
Physical (Layer 1) moves raw bits, with no addressing

Layer 1 transmits and receives raw bits as electrical, optical, or radio signals and defines cabling, connectors, pinouts, and signal levels. It has no concept of an address, so devices that only regenerate signal, like hubs and repeaters, are Layer 1 devices. A dead link light, a bad cable, or a wrong connector is a Layer 1 problem.

Layer 2 packages bits into frames and delivers them across one local link using the 48-bit MAC (media access control) hardware address. Switches, bridges, and NICs operate here, and IEEE 802 standards such as 802.3 Ethernet and 802.11 Wi-Fi define this layer. Layer 2 is commonly split into the LLC and MAC sublayers.

Trap Placing a switch at Layer 3; a standard switch forwards by MAC address at Layer 2, and only a Layer 3 switch additionally routes by IP.

Network (Layer 3) adds logical IP addressing and routing

Layer 3 assigns logical addresses (IP) and selects a path across multiple networks, which is routing. Its PDU is the packet, and routers and Layer 3 switches operate here, alongside protocols like IP and ICMP. When a question involves an IP address, a default gateway, a subnet mask, or moving between networks, it is testing Layer 3.

Trap Assigning routing to Layer 2; switching forwards within one local link at Layer 2, while routing between separate IP networks is a Layer 3 function.

Transport (Layer 4) uses ports and picks TCP or UDP

Layer 4 provides end-to-end delivery between processes using port numbers and chooses the reliability model: TCP is connection-oriented with acknowledgements and retransmission, while UDP is connectionless and best-effort with lower overhead. Port-aware firewalls and Layer 4 load balancers act here. A clue that names a port number or a blocked service points to Layer 4.

Trap Treating a port number as a Layer 3 concept; ports live at Layer 4 Transport, while IP addresses are the Layer 3 identifier.

Session (Layer 5) sets up, manages, and tears down dialogs

Layer 5 opens, maintains, and closes the session between two endpoints, tracking which side may transmit and re-establishing a conversation that drops. It governs the dialog itself rather than the data's format or its routing. On the exam it is the layer associated with establishing and terminating connections at the session level.

Presentation (Layer 6) handles encoding, compression, and encryption

Layer 6 translates data into a form the application can use: character encoding such as ASCII and Unicode, data compression, and encryption. TLS is commonly placed at the Presentation layer because it encrypts the application data before transport. A question about data format conversion or encryption of the payload points here.

Application (Layer 7) is the service the user's software touches

Layer 7 provides network services directly to applications: web (HTTP), file transfer (FTP), email (SMTP), and name resolution (DNS) are Layer 7 protocols. Content-aware controls that read the actual payload, such as a next-generation firewall, a proxy, or a web application firewall (WAF), operate here. A clue that inspects a URL, a host header, or a SQL string is Layer 7.

Encapsulation adds a header per layer on the way down

Sending data runs top-down, and each layer wraps the unit from above in its own header (the Data Link layer also adds a trailer): application data becomes a segment, then a packet, then a frame, then bits. The receiver reverses this as de-encapsulation, stripping exactly one header per layer on the way up until the application reads the original data.

The header a layer adds is what defines its PDU

Each PDU name corresponds to the header just added: the TCP/UDP header makes a segment at Layer 4, the IP header makes a packet at Layer 3, and the frame header plus trailer makes a frame at Layer 2. Because the headers nest, a packet capture shows them as concentric wrappers around the original application data, outermost being the Layer 2 frame.

MAC addresses change every hop; IP addresses stay end to end

The Layer 2 frame's source and destination MAC addresses are rewritten by each router for the next link, so they change at every hop, while the Layer 3 packet's source and destination IP addresses remain the same from origin to final destination. This is why a capture along a path shows constant IPs but different MACs on each segment.

Trap Assuming the source MAC stays constant across a routed path; routers rewrite the Layer 2 MAC addresses at every hop, unlike the end-to-end Layer 3 IP addresses.

Encapsulation overhead is why MTU caps payload size

Every layer's header consumes bytes, so the maximum transmission unit (MTU), the largest payload a link will carry, limits how much application data fits in one packet; standard Ethernet MTU is 1500 bytes. Jumbo frames raise the MTU to about 9000 bytes to reduce per-frame overhead on links that support it. When a packet exceeds the next link's MTU, Layer 3 either fragments it or, with the don't-fragment bit set, drops it and signals back.

The internet runs the four-layer TCP/IP model, not OSI's seven

OSI is the teaching and troubleshooting reference, but real hosts implement the four-layer TCP/IP (Internet) model defined in RFC 1122: Application, Transport, Internet, and Link (Network Access). IP runs at the Internet layer and TCP or UDP at the Transport layer. Expect to translate a question between the two models rather than assuming they line up layer for layer.

TCP/IP Application spans OSI Layers 5 to 7

The TCP/IP Application layer collapses the OSI Session, Presentation, and Application layers into one, so session control, encoding, and the application itself all sit together (HTTP, DNS, SMTP). When a stem names the TCP/IP Application layer and asks for the OSI equivalent, the answer is Layers 5 through 7, not Layer 7 alone.

Trap Mapping the TCP/IP Application layer to OSI Layer 7 only; it covers OSI Layers 5, 6, and 7 together.

TCP/IP Transport equals OSI 4; Internet equals OSI 3

The two clean one-to-one mappings between the models are TCP/IP Transport to OSI Layer 4 (TCP and UDP) and TCP/IP Internet to OSI Layer 3 (IP). These are the pairings most likely to be tested directly because they line up exactly, unlike the collapsed Application and Link layers.

The TCP/IP Link layer (also called Network Access or Network Interface) combines the OSI Physical and Data Link layers, covering both framing and physical signaling in one layer with technologies like Ethernet and Wi-Fi. Asked for the OSI equivalent of the TCP/IP Link layer, the answer is Layers 1 and 2 together.

A firewall's OSI layer depends on what it inspects

Place a firewall by what it examines, not by the word firewall: a packet-filtering or stateful firewall acts on IP addresses and ports at Layers 3 to 4, while a next-generation firewall, proxy, or WAF reads the application payload at Layer 7. The same logic applies to load balancers: Layer 4 when balancing by IP and port, Layer 7 when routing by URL, host header, or cookie.

Trap Calling every firewall a Layer 7 device; a basic packet-filtering or stateful firewall operates only at Layers 3 to 4 and never reads application content.

Troubleshoot bottom-up, mapping each symptom to a layer

Working the stack from Layer 1 upward isolates a fault to one layer: a cable or link-light fault is Layer 1, a VLAN or switch-loop or MAC-table issue is Layer 2, a wrong gateway or subnet mask or routing problem is Layer 3, a blocked port or firewall rule is Layer 4, and a certificate, encryption, or application error points to Layer 6 or 7. Naming the layer first narrows the tools you reach for.

Networking Appliances

Read full chapter
  • Identify a networking appliance by the OSI layer it reads to decide
  • A hub is a Layer 1 repeater that floods every bit, making no decision
  • A switch forwards by MAC address and extends a broadcast domain
  • A router forwards by IP between networks and terminates the broadcast domain
  • A Layer 3 switch routes between VLANs in hardware at wire speed
  • A stateless packet filter checks each packet alone and is blind to payload
  • A stateful firewall tracks sessions and auto-permits the return traffic
  • Use a WAF or NGFW at Layer 7 to block web-application attacks
  • A UTM bundles many security functions into one box for small sites
  • A firewall ruleset ends in an implicit deny, so explicit allows go on top
  • An IDS is out-of-band and only detects; an IPS is inline and can block
  • An inline IPS adds latency and risk; an out-of-band IDS adds neither
  • A load balancer is active and inline, health-checking a server pool
  • A Layer 4 load balancer uses IP and port; Layer 7 uses URL, host, or cookie
  • A forward proxy fronts clients; a reverse proxy fronts servers
  • NAS serves files over the LAN; SAN serves raw blocks over a fabric
  • iSCSI carries block SCSI commands over IP as a SAN alternative to Fibre Channel
  • A wireless LAN controller centrally manages lightweight access points
  • A firewall's OSI layer depends on what it inspects, not the label firewall
  • A stateful firewall tracks UDP as a pseudo-session that an idle timer expires
  • A stateful firewall validates TCP by flags and sequence against its state table, and can drop idle sessions
  • A network IPS reassembles the TCP stream before matching, and can inject RSTs to kill a session
  • A perimeter IPS only sees north-south traffic and misses lateral east-west movement

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Concepts

Read full chapter
  • A VPC is a logically isolated private network inside the provider's cloud
  • NFV turns physical network appliances into software you spin up on demand
  • An NSG (security group) is a stateful virtual firewall, so replies are allowed automatically
  • NSG is stateful, network ACL is stateless
  • An internet gateway gives a subnet two-way internet; that subnet is the public subnet
  • A NAT gateway is outbound-only: private instances reach out but stay unreachable
  • A VPN gateway terminates the encrypted site-to-site tunnel to your datacenter
  • A transit gateway hubs many VPCs and sites instead of a mesh of peerings
  • IaaS, PaaS, SaaS differ only in where the manage-it line is drawn
  • Shared responsibility: the provider owns more layers as you climb to SaaS
  • Four deployment models answer who the cloud serves
  • Hybrid cloud connects private and public so workloads can move between them
  • Elasticity adds AND automatically removes capacity to track demand
  • Scale up (vertical) vs scale out (horizontal)
  • Multitenancy is the shared-hardware trade that makes isolation mandatory
  • Site-to-site VPN vs direct connection: cheap-and-quick vs consistent-and-private
  • An isolated VPC reaches nothing until you add a route to a gateway
  • Public subnet vs private subnet is defined by the route, not the IPs
  • A new cloud security group denies all inbound, allows all outbound, and matches on a five-tuple
  • Reference another security group as the source to scope access to that group's members

Unlock with Premium — includes all practice exams and the complete study guide.

Ports and Protocols

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A port number plus a transport protocol identifies one service

A 16-bit port number (0 to 65535) sits in the Layer 4 header and tells the receiving host which application a packet belongs to, while the IP address in the Layer 3 header only gets the packet to the host. The full tuple of source IP, destination IP, source port, and destination port pins one conversation to one application, which is why a firewall rule, a packet capture, and an exam stem all key off the destination port. Knowing the well-known port for each service is the core of N10-009 objective 1.4.

1 question tests this
Choose TCP when delivery must be guaranteed

TCP is connection-oriented: it opens with a three-way handshake, numbers bytes so they can be reordered, acknowledges and retransmits losses, and closes with FIN, so anything that must arrive intact rides it. Web (HTTPS 443), email (SMTP 25, IMAP 143), file transfer (FTP 21, SSH/SFTP 22), and remote desktop (RDP 3389) are all TCP. Reach for UDP instead only when the overhead of that reliability would hurt more than an occasional lost packet.

Trap Assuming TCP is always the safer default; for real-time voice or video the retransmission and ordering add latency that degrades the call, where UDP's drop-and-continue behavior is actually correct.

Choose UDP for real-time or one-shot traffic

UDP is connectionless with no handshake, acknowledgements, or retransmission, which makes it lighter and lower-latency. It fits streaming voice and video, plus single request-and-reply services where building a connection is wasteful: DNS queries (53), DHCP (67/68), TFTP (69), SNMP (161/162), NTP (123), and syslog (514) are all UDP. Any reliability UDP needs must be added by the application itself.

Ports split into well-known, registered, and ephemeral bands

IANA divides the 0 to 65535 space into three ranges: well-known ports 0 to 1023 for core system services (HTTP 80, SSH 22), registered ports 1024 to 49151 for vendor applications (RDP 3389, MySQL 3306), and dynamic or ephemeral ports 49152 to 65535 that a client picks at random for the source side of an outbound connection. A server listens on a fixed low port; the client dials out from an ephemeral one, and the server replies to that ephemeral port.

Trap Treating the ephemeral range as something the firewall must open inbound; a stateful firewall tracks the outbound flow and permits the return automatically, so no manual ephemeral-range rule is needed.

DNS uses both UDP 53 and TCP 53

DNS is the classic dual-transport service: it answers ordinary name queries over UDP 53 for speed, but switches to TCP 53 for zone transfers between servers and for any response too large to fit a single UDP datagram. On the exam, a scenario about a secondary server pulling a full zone is testing TCP 53, so 'UDP only' is the wrong-but-tempting answer.

Trap Answering 'DNS uses UDP only'; zone transfers and oversized responses use TCP 53, which a question about secondary-server replication is specifically probing.

Telnet 23 is cleartext; replace it with SSH 22

Telnet (TCP 23) carries the entire remote-administration session, credentials included, in plaintext, so it must be replaced with SSH (Secure Shell, TCP 22). SSH encrypts the session and also carries SFTP and SCP, so one open port (22) covers encrypted shell and file transfer. When a stem says a management protocol is 'exposing credentials', the answer is SSH 22.

Trap Picking the same insecure protocol on a non-standard port (Telnet on 2323); changing the port does not encrypt the traffic, and the exam wants the named secure protocol, SSH.

5 questions test this
HTTP 80 becomes HTTPS 443 with TLS

HTTP (TCP 80) serves web traffic in cleartext; HTTPS (TCP 443) wraps the same HTTP in TLS and listens on its own distinct port so a firewall or analyzer can tell secure from insecure web by port alone. Sending to 443 does not by itself encrypt anything unless TLS is actually negotiated, but the standard secure-web answer is always HTTPS 443.

3 questions test this
FTP uses 20 and 21; SFTP rides SSH on 22

FTP uses TCP 21 for the control channel and TCP 20 for the data channel, both cleartext. Its secure replacement SFTP is not FTP at all: it is a subsystem of SSH and runs over TCP 22 with no FTP ports, while FTPS is a different beast that wraps FTP in TLS. Confusing SFTP with FTPS, or expecting SFTP on port 21, is a common error.

Trap Assuming SFTP uses an FTP port like 21 or 22 as 'FTP over TLS'; SFTP is SSH File Transfer Protocol on TCP 22, whereas FTPS is the TLS-wrapped FTP variant.

6 questions test this
SMTP relays on 25; clients submit authenticated mail on 587

SMTP (TCP 25) moves mail between mail servers (server-to-server relay), while TCP 587 is the submission port a mail client uses to send authenticated outbound mail, typically upgrading to encryption with STARTTLS. Many providers block outbound 25 from clients to fight spam, so a user whose mail will not send is usually pointed at 587. Port 465 was historically SMTPS but the exam centers on 25 and 587.

Trap Assuming sending to 587 is automatically encrypted; submission still needs STARTTLS to negotiate TLS, otherwise the session stays in cleartext.

3 questions test this
POP3 110 and IMAP 143 secure to 995 and 993

POP3 (TCP 110) downloads mail and typically removes it from the server, while IMAP (TCP 143) keeps mail server-side and syncs folder state across devices. Their TLS-encrypted forms are POP3S on TCP 995 and IMAPS on TCP 993. The 993-versus-995 pair is a favorite distractor because the numbers are adjacent and the roles are easy to swap.

Trap Swapping the secure ports, calling IMAPS 995 and POP3S 993; IMAPS is 993 and POP3S is 995, anchored to their cleartext parents 143 and 110.

DHCP uses UDP 67 on the server and 68 on the client

DHCP assigns IP configuration dynamically over UDP, with the server on port 67 and the client on port 68. The handshake follows the DORA sequence (Discover, Offer, Request, Acknowledge), and the initial Discover is a broadcast because the client has no address yet. Reversing 67 and 68 is a classic trap, so anchor 67 to the server.

Trap Putting the DHCP server on 68 and the client on 67; the server listens on UDP 67 and the client on UDP 68, not the reverse.

4 questions test this
SNMP polls on UDP 161 and receives traps on UDP 162

SNMP monitors devices over UDP: the manager polls agents on port 161 (get/set requests), and agents push asynchronous alerts to the manager on port 162 (traps). Versions 1 and 2c authenticate only with a cleartext community string, so SNMPv3 is the secure choice because it adds authentication and encryption while staying on the same 161/162 ports.

Trap Believing SNMPv3 moves to a new port for security; v3 keeps UDP 161/162 and gains its protection from the protocol version, not a port change.

4 questions test this
NTP synchronizes clocks on UDP 123

NTP keeps device clocks in sync over UDP 123, and accurate time is load-bearing far beyond cosmetics: Kerberos authentication rejects tickets when clocks drift past about five minutes, log correlation across devices breaks, and certificate validity windows misfire. A stem about authentication failing org-wide or logs that will not line up is often really an NTP 123 problem.

LDAP queries on 389; LDAPS adds TLS on 636

LDAP reads and writes directory data (users, groups, computers) over TCP 389 in cleartext, and LDAPS wraps the same protocol in TLS on TCP 636. Directory binds carry credentials, so production directory traffic should use 636. The 389-to-636 pairing is the directory analogue of HTTP-to-HTTPS.

6 questions test this
SMB shares files on TCP 445 and must not face the internet

SMB provides Windows file and printer sharing over TCP 445 (modern, direct over TCP/IP; the legacy NetBIOS path used 137 to 139). SMB has a long history of wormable vulnerabilities, so port 445 should be blocked at the perimeter and confined to the internal LAN. A scenario about ransomware spreading laterally often hinges on open SMB 445.

Trap Exposing SMB 445 across a WAN or to the internet for remote file access; it belongs on the trusted LAN, and remote access should go through a VPN instead.

RDP is TCP 3389 and should never be open raw to the internet

Remote Desktop Protocol gives graphical Windows remote control over TCP 3389. Because it is a high-value target for brute force and exploitation, it should be reached through a VPN or a jump host rather than exposed directly. A stem describing a refused remote-desktop session points at 3389, and one describing a hardening fix points at tunneling it.

4 questions test this
SIP signals VoIP calls on 5060, with TLS on 5061

SIP sets up, modifies, and tears down VoIP calls on port 5060 (plaintext, over UDP or TCP), with SIP over TLS on 5061. SIP only handles the signaling; the actual media stream rides RTP on a separately negotiated UDP port range. A call that connects but has no audio is a media (RTP) problem, not a SIP 5060 signaling problem.

Trap Treating no-audio-on-an-otherwise-connected-call as a SIP 5060 failure; signaling succeeded, so the fault is in the RTP media path, not the SIP port.

5 questions test this
TFTP is UDP 69 with no authentication

TFTP (Trivial File Transfer Protocol) moves files over UDP 69 with no authentication and no encryption, which is why it is used only on trusted links for tasks like pushing firmware images, loading switch and router configs, or PXE network boot. Its full-featured, authenticated counterpart is FTP or SFTP; TFTP trades every feature for simplicity.

Syslog ships logs to a collector on UDP 514

Syslog centralizes event and log messages to a collector over UDP 514, the standard way devices feed a central log server or SIEM. Plain UDP syslog is fire-and-forget with no delivery guarantee, so high-assurance deployments may run it over TCP or TLS instead, but the exam default is UDP 514.

1 question tests this
Database services use 1433, 3306, and 5432

The common database ports N10-009 references are Microsoft SQL Server on TCP 1433, MySQL/MariaDB on TCP 3306, and PostgreSQL on TCP 5432, all in the registered range. These should be reachable only from application tiers, never exposed to the internet. They are easy to confuse with one another, so anchor each to its engine.

A port is a convention, not enforcement

Default ports are agreements, not guarantees: an administrator can run HTTPS on 8443 or SSH on 2222, and malware can listen on any free port. The exam tests the standard assignments, but real defense cannot trust a port alone, which is why deep packet inspection and application-aware firewalls look at content rather than just the port number.

Trap Assuming traffic on TCP 443 must be legitimate HTTPS; the port is only a label, and a stateful or next-gen firewall is needed to confirm what is actually riding it.

Traffic Types

Read full chapter
  • Pick the traffic type by how many hosts the destination represents
  • Unicast is one-to-one and the default for almost all traffic
  • Multicast sends one stream the network copies only toward joiners
  • IGMP is how IPv4 hosts join and leave multicast groups
  • Multicast needs multicast routing to leave its subnet
  • Anycast advertises one address from many sites and routing picks the nearest
  • Anycast fits stateless request/response, not long stateful sessions
  • Broadcast floods every host in one broadcast domain and stops at the router
  • 255.255.255.255 is the limited broadcast and routers never forward it
  • IPv6 has no broadcast and uses multicast instead
  • The IPv6 multicast prefix is ff00::/8
  • A switch puts each port in its own collision domain but keeps one broadcast domain
  • A router or VLAN boundary breaks a broadcast domain
  • Large flat networks invite broadcast storms
  • Some low class D addresses are reserved for protocols
  • Map the scenario keywords to the traffic type
  • IPv6 anycast addresses come from the unicast space and look identical to unicast
  • In PIM Sparse Mode the Rendezvous Point is the root of the shared tree where sources register and receivers join

Unlock with Premium — includes all practice exams and the complete study guide.

Transmission Media

Read full chapter
  • Pick transmission media by distance, bandwidth, EMI immunity, and cost
  • Every twisted-pair category stops at a 100 m channel
  • Cat 6 does 10 Gbps only to 55 m; Cat 6a does 10 Gbps to 100 m
  • Cat 8 is the fastest twisted-pair but only for ~30 m in a rack
  • Shielded twisted-pair (STP) fights EMI that UTP cannot
  • Single-mode fiber is the long-haul choice; multimode is short reach
  • Higher OM grade buys more multimode reach and bandwidth
  • Fiber light sources: laser for single-mode, LED/VCSEL for multimode
  • Use a DAC cable for cheap short links inside a rack
  • Coax survives mainly as the cable-internet drop
  • Wireless splits into Wi-Fi for LAN, cellular for WAN, satellite for remote
  • Plenum-rated cable is required in air-handling spaces
  • Fiber is immune to EMI and resists tapping
  • Match the constraint in the stem to the medium
  • Lower wireless frequencies travel farther and penetrate walls; higher frequencies carry more data but stop short
  • Wi-Fi 6 (802.11ax) adds OFDMA for efficiency in dense client environments, and 6E opens the 6 GHz band

Unlock with Premium — includes all practice exams and the complete study guide.

Transceivers and Connectors

Read full chapter
  • A transceiver is a hot-pluggable optic that converts a port's electrical signal to the cable's signal
  • SFP is the 1 Gbps single-channel optic; it replaced the legacy GBIC
  • SFP+ is the 10 Gbps optic in the same cage size as SFP
  • SFP28 is the 25 Gbps single-lane optic
  • QSFP+ delivers 40 Gbps as four 10G lanes
  • QSFP28 delivers 100 Gbps as four 25G lanes
  • Read the form factor as a speed: SFP 1G, SFP+ 10G, SFP28 25G, QSFP+ 40G, QSFP28 100G
  • Both ends must run the identical fiber mode and standard, not just the same form factor
  • A dark fiber link with good cable usually means a transceiver/connector mismatch
  • A reversed transmit/receive fiber pair leaves a link dark even with a clean cable
  • LC is the small-form-factor duplex connector used on SFP-family optics
  • SC is the square push-pull fiber connector with a 2.5 mm ferrule
  • ST is the bayonet twist-lock fiber connector
  • MPO/MTP packs 12 or 24 fibers into one connector for parallel 40G/100G optics
  • RJ45 (8P8C) is the eight-pin connector for twisted-pair Ethernet, never fiber
  • RJ11 is the small 6-position telephone/DSL connector, not Ethernet
  • Coax uses F-type for cable internet and BNC for legacy/video
  • Read the connector to read the media: LC/SC/ST/MPO fiber, RJ45/RJ11 copper, F-type/BNC coax
  • Never mate UPC to APC fiber; APC connectors are green
  • Use a DAC cable for cheap, short switch-to-server links

Unlock with Premium — includes all practice exams and the complete study guide.

Network Topologies

Read full chapter
  • A full mesh needs n(n-1)/2 links and has no single point of failure
  • Use a partial mesh to add redundancy only on the paths that matter
  • A star's central hub or switch is its single point of failure
  • Hub-and-spoke is a star at WAN scale, with the central site as the SPOF
  • Point-to-point connects exactly two endpoints over one dedicated link
  • Physical topology is the cabling; logical topology is how data flows
  • The three-tier model layers a network into core, distribution, and access
  • Routing, filtering, and QoS policy belong in the distribution layer
  • Collapsed core merges the core and distribution layers for smaller networks
  • In spine-and-leaf, every leaf connects to every spine and never to another leaf
  • Spine-and-leaf makes any server-to-server path two hops with uniform latency
  • Spine-and-leaf scales bandwidth by adding spines and ports by adding leaves
  • East-west traffic suits spine-leaf; north-south suits the hierarchy
  • Hybrid is the right label when a design deliberately mixes topologies
  • Redundancy decisions are fault-domain decisions
  • Spine-leaf uses ECMP so every uplink forwards at once with no blocked standby links
  • Three-tier hierarchy adds latency because traffic climbs access, distribution, and core layers

Unlock with Premium — includes all practice exams and the complete study guide.

IPv4 Addressing and Subnetting

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

An IPv4 address is 32 bits in four octets, each 0 to 255

An IPv4 address is a single 32-bit number written as four dotted-decimal octets, where each octet is 8 bits and so holds a value from 0 to 255 (2^8 = 256 values). That is why no octet can be 256 or higher, a detail exam stems use to flag an invalid address. The four octets together give the roughly 4.3 billion (2^32) addresses of the IPv4 space.

The subnet mask's 1 bits mark the network, its 0 bits mark the host

A subnet mask splits the 32 bits into a network portion (the contiguous, left-aligned 1 bits) and a host portion (the trailing 0 bits). Two addresses are on the same subnet only when their network portions match under the same mask. The mask, not the address alone, is what determines the boundary, so the same address can be in different networks under different masks.

CIDR /n is just the count of mask 1-bits

CIDR (Classless Inter-Domain Routing) notation writes the prefix length after a slash, and it equals the number of 1 bits in the mask, so /24 is 255.255.255.0 and /26 is 255.255.255.192. Converting between prefix and dotted mask is a frequent first step: each full 255 octet is 8 bits, and a partial octet (128, 192, 224, 240, 248, 252) adds the remaining bits. CIDR lets the prefix be any length from /0 to /32, which is what makes classless, right-sized subnetting possible.

3 questions test this
Usable hosts per subnet is 2^h minus 2

For a subnet with h host bits, the block holds 2^h addresses but the all-zeros host address (the network ID) and the all-ones host address (the broadcast) are reserved, leaving 2^h - 2 assignable hosts. A /24 has 8 host bits, so 254 usable; a /26 has 6, so 62 usable; a /28 has 4, so 14 usable. Forgetting the minus 2 is the single most common host-count error.

Trap Answering 2^h (for example 64 for a /26) as the usable host count; the network and broadcast addresses are not assignable, so it is always 2^h - 2.

8 questions test this
The network address has all host bits 0; the broadcast has all host bits 1

Within any subnet, the first address (all host bits 0) is the network ID and cannot be given to a machine, and the last address (all host bits 1) is the directed broadcast for that subnet and also cannot. The usable host range is every address strictly between them. For 192.168.10.0/26 that means network 192.168.10.0, broadcast 192.168.10.63, and usable 192.168.10.1 through 192.168.10.62.

Trap Assigning the network or broadcast address (the .0 or the all-ones host address) to a NIC; both are reserved and a host configured with either cannot communicate normally.

8 questions test this
Find the block size as 256 minus the mask's interesting octet

The magic-number (block-size) method finds subnet boundaries fast: take the mask's interesting octet (the last octet that is not 255) and compute 256 minus it. For /26 the interesting octet is 192, so the block size is 64, and subnets sit at 0, 64, 128, 192. The block size is always a power of two and equals the spacing between consecutive subnets, so you count up in blocks to locate any address.

5 questions test this
Locate a host's subnet by the block it falls into

To find which subnet an address belongs to, count up by the block size until you pass the host octet, then step back one block. For 192.168.10.130/26 the block size is 64, the boundaries are 0, 64, 128, 192, and 130 falls between 128 and 191, so the subnet is 192.168.10.128, the broadcast is 192.168.10.191, and the usable range is 192.168.10.129 to 192.168.10.190. The same three steps work for every prefix.

Trap Reading the broadcast as the next block's network (192.168.10.192) instead of one address below it (192.168.10.191); the broadcast is always block_start + block_size - 1.

9 questions test this
Size a subnet by the smallest host-bit count that fits

When a stem gives a host requirement and asks for the prefix, find the smallest h where 2^h - 2 meets the need, then the prefix is 32 minus h. A 50-host LAN needs h = 6 (62 usable, a /26) because h = 5 gives only 30 usable. Always round up to the next power of two minus two; choosing the exact power without the minus 2 leaves you two short.

Trap Sizing on 2^h >= need instead of 2^h - 2 >= need; for 30 hosts that wrongly picks a /27 boundary as if 32 fit, when after reserving network and broadcast a /27 holds exactly 30 and 31 hosts would need a /26.

5 questions test this
RFC 1918 reserves 10/8, 172.16/12, and 192.168/16 for private use

RFC 1918 defines three private ranges that are not globally routable: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Hosts inside these ranges must be translated by NAT before reaching the internet, which is why the same private addresses are reused by countless organizations. Any address outside these blocks (and outside the special ranges) is a public address.

The 172.16.0.0/12 private block ends at 172.31.255.255

The middle RFC 1918 range, 172.16.0.0/12, spans 172.16.0.0 through 172.31.255.255, covering the second octets 16 through 31 only. Addresses like 172.32.0.1 or 172.15.255.1 are public, not private. This boundary is a favorite distractor because the /12 mask is easy to misread as covering all of 172.x.

Trap Treating 172.32.x.x or any 172.x outside 16 to 31 as private; the /12 covers only 172.16.0.0 to 172.31.255.255, so 172.32.0.1 is a public address.

1 question tests this
A 169.254.x.x address means DHCP failed (APIPA)

APIPA (Automatic Private IP Addressing) self-assigns an address from 169.254.0.0/16 when a host requests DHCP and gets no reply. So a 169.254 address is a diagnosis, not a setup: the DHCP server is unreachable, out of leases, or the relay is broken. An APIPA host can reach other APIPA hosts on the same link but has no default gateway, so it cannot reach other subnets or the internet.

Trap Reading a 169.254.x.x address as a valid working configuration; it is a link-local fallback that signals DHCP failure and cannot route off the local segment.

3 questions test this
127.0.0.0/8 is loopback and never leaves the host

The entire 127.0.0.0/8 block is loopback, with 127.0.0.1 the usual address, and any packet sent to it is handled by the local TCP/IP stack rather than the network. Pinging 127.0.0.1 tests whether the host's own networking software works, independent of any cable or NIC. Because the whole /8 is reserved, no loopback address is ever a valid LAN host address.

1 question tests this
The default gateway must be an address inside the host's own subnet

The default gateway is the router interface a host uses for any destination not on its local subnet, and it has to be an address within that subnet to be reachable by ARP. A host with a gateway outside its subnet, or with no gateway, can still talk to local hosts but reaches nothing beyond the subnet, a classic 'can ping local, not remote' troubleshooting stem.

Trap Setting the default gateway to an address outside the host's subnet; the host cannot ARP for it, so off-subnet traffic fails while local traffic still works.

A /30 gives exactly 2 usable hosts for point-to-point links

A /30 (mask 255.255.255.252) has 2 host bits, so 2^2 - 2 = 2 usable addresses, which is exactly the two ends of a router-to-router or WAN point-to-point link. RFC 3021 also allows /31 on point-to-point links, giving 2 usable addresses with no separate network or broadcast. Using a /30 for these links conserves address space versus a larger prefix.

Trap Reaching for a /29 or larger on a simple point-to-point link; a /30 already provides the only two addresses such a link needs and wastes none.

Address classes A, B, C use default masks /8, /16, /24

Legacy classful addressing fixes the split by the first octet: Class A (1 to 126) defaults to /8, Class B (128 to 191) to /16, and Class C (192 to 223) to /24. The first octet's leading bits (0 for A, 10 for B, 110 for C) define the class. The exam tests these default masks even though real networks use CIDR, because they explain the reserved ranges and legacy diagrams.

Class A stops at 126 because 127 is loopback

Class A spans first octets 1 to 126, not 1 to 127, because 127.0.0.0/8 is reserved for loopback and sits between Class A and Class B. The 0.0.0.0 address is also special (meaning 'this host' or 'any'), so it is excluded too. These two carve-outs are exactly the kind of off-by-one the exam targets.

Trap Listing Class A as 1 to 127; 127 is loopback, so Class A is 1 to 126.

Class D is multicast (224-239) and Class E is reserved (240-255)

First octets 224 through 239 are Class D, the multicast range (224.0.0.0/4), and 240 through 255 are Class E (240.0.0.0/4), reserved and experimental. Neither is assignable to ordinary hosts: a Class D address names a group, and a Class E address is not used on production networks. An exam answer that offers 224.x or 240.x as a host's unicast address is wrong.

Trap Treating a 224.x to 239.x address as a normal host unicast address; that range is Class D multicast (a group address), not assignable to a single host.

2 questions test this
VLSM right-sizes each subnet, largest allocation first

VLSM (Variable Length Subnet Masking) means using different prefix lengths within one parent block so each segment gets only the addresses it needs. Allocate the largest subnet first: from 192.168.1.0/24 a 100-host LAN takes a /25, a 50-host LAN a /26 from the remainder, and a router link a /30. Going largest-first prevents a small subnet from carving up a block a larger one still needs, avoiding fragmentation.

Trap Allocating the smallest subnets first; a /30 placed early can split a contiguous block so no /25 remains for the largest LAN, fragmenting the space.

2 questions test this
Classful sizing wastes addresses; CIDR/VLSM fixes it

Classful allocation forced a network to take a whole class, so a site needing 300 hosts could not fit a Class C (254) and had to claim a Class B (65,534), stranding tens of thousands of addresses. CIDR and VLSM let the prefix be sized to the need, so that same site takes a /23 (510 usable) instead. A question about efficient or conservative allocation always wants a custom CIDR prefix, never a class default.

255.255.255.255 is the limited broadcast; 0.0.0.0 means this host or any

Two addresses are special beyond the class ranges: 255.255.255.255 is the limited broadcast, reaching every host on the local segment and never forwarded by a router, and 0.0.0.0 means 'this host' or 'any' (a DHCP client sources its first request from 0.0.0.0, and 0.0.0.0/0 is the default route). Neither is assignable to an interface as a normal unicast address.

To make a fixed number of equal subnets, borrow enough host bits so 2^n meets the count

Fixed-length subnet masking creates equal-sized subnets by borrowing host bits, where n borrowed bits yield 2^n subnets. Add those borrowed bits to the original prefix to get the new mask: from /24, borrowing 3 bits gives 2^3 = 8 subnets at /27 (255.255.255.224); from /16, borrowing 4 bits gives 16 subnets at /20 (255.255.240.0).

2 questions test this
IPAM centrally tracks allocations so VLSM subnets never overlap

IP Address Management (IPAM) gives a single record of every subnet and address allocation across the network. In a VLSM design with many different-sized subnets, it is what lets administrators see free space and catch an overlap, such as a /28 carved entirely inside an existing /27, before the conflicting assignment is deployed.

Trap Assuming two subnets cannot overlap just because they have different masks; a smaller subnet can sit entirely within a larger one's range, which only allocation tracking reveals.

2 questions test this

Network Implementation

Routing Technologies

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Longest-prefix match decides the route before anything else

When more than one route in the table covers a destination, the router forwards out of the most specific one, the route with the longest matching prefix, and this is settled before administrative distance or metric is even looked at. A packet to 10.1.1.5 takes a 10.1.1.0/24 entry over a 10.1.0.0/16 entry over a 0.0.0.0/0 default, because /24 is more specific than /16 which is more specific than /0. A /32 host route therefore beats every shorter prefix no matter how attractive the shorter route's AD or metric looks.

Trap Picking the entry with the lowest administrative distance or best metric when a different entry has a longer prefix; specificity is decided first, so the more specific prefix wins regardless of AD or metric.

Administrative distance ranks how much a router trusts a route's source

Administrative distance (AD) is a 0 to 255 trust value a router uses to choose between two sources advertising the same prefix, where lower is more trusted. It only arbitrates between sources; it never measures path quality and never travels in an advertisement, so it is local to one router. Once a source wins on AD, that protocol's own metric picks the best path within it.

Trap Treating administrative distance as a path metric; AD only chooses which source to believe for a prefix, while the metric (cost, hops) compares paths inside one protocol.

Memorize the default administrative distances in order

For the same prefix learned from multiple sources, the router installs the one with the lowest AD: directly connected is 0, static route is 1, external BGP (eBGP) is 20, EIGRP internal is 90, OSPF is 110, RIP is 120, EIGRP external is 170, and internal BGP (iBGP) is 200. The most-tested instance is a static route (1) beating an OSPF-learned route (110) for the same network. These compare only across sources of one prefix, never as path metrics.

Trap Assuming OSPF (AD 110) wins over a static route (AD 1) because OSPF is dynamic and seems smarter; the lower AD wins, so the static route is installed.

The metric breaks ties only within a single protocol

The protocol metric chooses the best path only after prefix length and administrative distance have already tied, and a lower metric is better. Each protocol measures differently: RIP counts hops, OSPF sums an inverse-bandwidth cost, and EIGRP computes a composite of bandwidth and delay. Comparing metrics across two different protocols is meaningless, which is exactly why AD exists to arbitrate between protocols first.

Static routing is hand-set, predictable, and silent

A static route is one administrator-entered line mapping a prefix to a next hop, so it uses no CPU or bandwidth advertising itself and is invisible to routing-protocol scans. Its weakness is that it does not react to failure: if the next hop dies the route blackholes traffic unless you add a floating static backup (a higher-AD static that activates only when the primary is gone). It fits small or stub networks and a single Internet exit.

The default route 0.0.0.0/0 is the gateway of last resort

A default route, written 0.0.0.0/0, matches any destination not covered by a more specific entry and sends it toward the configured next hop, typically the ISP. Because it is the shortest possible prefix (/0), longest-prefix match uses it only when nothing more specific matches. A stub site with one exit usually needs just this single static default plus its connected routes.

Dynamic routing trades overhead for automatic failover

Dynamic protocols discover neighbors, exchange reachability, and recompute paths on their own when a link changes, so they scale to networks too large to hand-edit and reroute around failures with no human. The cost is CPU, memory, and bandwidth for the protocol's own traffic, plus a larger attack surface (route injection, neighbor spoofing) you mitigate with protocol authentication. Reach for it the moment the network has redundant paths that must fail over or more subnets than you want to track by hand.

Convergence time is the headline difference between protocols

Convergence is the time for every router to agree on new best paths after a topology change, and it separates the protocols sharply: OSPF and EIGRP converge in seconds, while classic RIP can take minutes because it ages routes out slowly. A scenario that stresses fast recovery after a link failure is pointing at a link-state (OSPF) or advanced distance-vector (EIGRP) protocol, not RIP.

RIP is distance-vector and caps the network at 15 hops

Routing Information Protocol advertises only a destination, a hop count, and a direction, trusting neighbors like rumor, which makes it simple but slow. Its metric is hop count with 16 meaning unreachable (infinity), so the usable network diameter is 15 hops. RIPv2 added subnet masks (classless/VLSM) and multicast updates over RIPv1, but any topology wider than 15 hops needs OSPF or EIGRP instead.

Trap Picking RIP for a large network because it is simple; a route at 16 hops is unreachable, so RIP cannot span more than 15 hops.

Open Shortest Path First (RFC 2328) has every router flood Link State Advertisements (LSAs) describing its own links, so all routers build an identical map and run Dijkstra to compute shortest paths by cost (lower is better, derived from bandwidth). It scales through areas, a hierarchy where every non-backbone area attaches to the backbone, Area 0, keeping each router's database bounded. It converges fast at the cost of more memory and CPU than RIP.

Trap Assuming OSPF uses hop count like RIP; OSPF's metric is bandwidth-based cost, and an area design must connect every area to Area 0.

2 questions test this
EIGRP is Cisco's advanced distance-vector protocol

Enhanced Interior Gateway Routing Protocol blends distance-vector advertising with link-state-style fast reaction, which is why it is often called hybrid. Its DUAL algorithm precomputes a loop-free backup (the feasible successor) so it can switch on a failure without full recomputation, and its metric is a composite weighted on bandwidth and delay. It converges quickly but historically ran only on Cisco equipment.

BGP is the path-vector protocol that runs the Internet

Border Gateway Protocol (RFC 4271) advertises the full AS-path, the ordered list of autonomous systems a route crosses, and uses that path plus policy attributes to pick loop-free routes between organizations. It is the only exterior gateway protocol (EGP) in use and rides TCP port 179 for reliable, ordered delivery, unlike the IGPs which carry their own transport. Because its job is policy between networks, it converges deliberately rather than fast.

Trap Running BGP inside a single campus for fast convergence; BGP is for policy between autonomous systems, and an IGP (OSPF or EIGRP) is the right tool inside one AS.

IGPs route inside one AS; BGP routes between them

An interior gateway protocol (IGP), namely OSPF, RIP, or EIGRP, finds best paths inside a single autonomous system, while an exterior gateway protocol (EGP), in practice only BGP, connects separate autonomous systems. The same BGP runs two ways the exam contrasts: external BGP (eBGP) peers between two different AS numbers, and internal BGP (iBGP) carries those learned routes across routers within one AS. Their trust differs accordingly, eBGP at AD 20 and iBGP at AD 200.

NAT translates non-routable private addresses to public ones

Network Address Translation rewrites a packet's private RFC 1918 source address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to a routable public address on the way out, because private addresses are not globally unique and cannot be routed on the Internet. Static NAT maps one private address to one public address permanently to publish an inside server, while dynamic NAT hands out public addresses from a pool to inside hosts on a first-come basis.

6 questions test this
PAT (NAT overload) lets one public IP serve a whole network

Port Address Translation maps many private hosts to a single public IP by tracking a unique source port per conversation, which is why one residential or office ISP address can serve thousands of devices. It is the everyday default and the answer whenever a stem describes a LAN sharing one public address. Static NAT (one-to-one) and dynamic NAT (a pool) both still need a public IP per simultaneous host, so they do not solve the one-address case.

Trap Choosing static or dynamic NAT when many hosts must share a single public IP; only PAT multiplexes them behind one address by port.

23 questions test this
NAT hides and conserves addresses but is not a firewall

NAT and PAT rewrite addresses to conserve public IPs and obscure the inside topology, but they do not inspect or filter traffic and outbound-initiated sessions still pass freely. Treating NAT as a security control leaves the network unprotected; an actual stateful firewall or ACL is still required alongside the translation.

Trap Relying on NAT or PAT as the network's security boundary; address translation provides no traffic inspection, so a real firewall or ACL is still needed.

An FHRP gives hosts a redundant virtual gateway IP

A first hop redundancy protocol (FHRP) lets two or more routers share one virtual IP (VIP) and virtual MAC that hosts use as their default gateway, so when the active router fails a standby takes over the VIP within seconds and no host setting changes. This is the answer when a stem asks how to remove the default gateway as a single point of failure without reconfiguring clients. Routing protocols reroute transit paths but do not provide end hosts a redundant gateway address.

Trap Reaching for a dynamic routing protocol to make the default gateway redundant; routing protocols reroute transit paths, but only an FHRP hands hosts a failover virtual gateway IP.

4 questions test this
VRRP is the open FHRP; HSRP and GLBP are Cisco

VRRP (RFC 5798) is the vendor-neutral IETF first hop redundancy protocol for a mixed-vendor environment, while HSRP and GLBP are Cisco proprietary. GLBP additionally load-balances traffic across all routers in the group rather than leaving the standbys idle. Pick VRRP when the question specifies multi-vendor or an open standard; pick HSRP or GLBP when it specifies an all-Cisco network.

4 questions test this
Router-on-a-stick uses 802.1Q subinterfaces for inter-VLAN routing

To route between VLANs over a single physical link, a router divides one port into subinterfaces, each tagged for a different VLAN with 802.1Q and assigned that VLAN's gateway IP, so one trunk carries all VLANs to the router and one port routes among them. This pattern is called router-on-a-stick. A Layer 3 switch with switched virtual interfaces does the same job at higher scale and is preferred when port density or throughput matters.

5 questions test this
A floating static route is a backup that activates on failure

A floating static route is a static route configured with a deliberately higher administrative distance than the primary path, so it stays out of the table until the preferred route disappears. It gives static routing a manual failover: when the primary next hop or dynamic route is lost, the higher-AD static floats into the table and keeps traffic moving. It is the simple way to add redundancy without running a full dynamic protocol.

An exhausted dynamic-NAT pool or PAT port range drops new sessions while existing ones survive

Dynamic NAT hands each inside host a public address from a finite pool; once every pool address is in use, further connection attempts fail until a mapping times out or is released. PAT (NAT overload) instead multiplexes many hosts behind one public IP using unique source ports, but each IP offers only about 65,000 ports, so heavy session counts can exhaust the ports and block new outbound sessions even though the WAN link is up. NAT and PAT entries are stateful and are reclaimed automatically after an idle timeout.

Trap Blaming a dead WAN link when an operational interface plus a full translation table points to pool or port exhaustion.

8 questions test this
FHRP elects the highest priority; preemption (default on in VRRP, off in HSRP) lets it take back over

First-hop redundancy protocols elect the gateway with the highest configured priority as master/active. Preemption governs whether a higher-priority router that comes online later seizes the role from a current lower-priority master: VRRP enables preemption by default, while HSRP requires it to be turned on explicitly. In VRRP, the priority value 255 is reserved for the router that actually owns the virtual IP address, and that owner always becomes master.

Trap Assuming a higher-priority router always takes over immediately, which only happens when preemption is enabled (it is off by default in HSRP).

4 questions test this

Switching Technologies

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A VLAN is a broadcast domain defined in software, not by wiring

A VLAN (virtual LAN) carves one physical switch into separate broadcast domains by configuration, so two ports on the same switch in different VLANs are isolated and a broadcast in one VLAN never reaches another. The win is segmentation without rewiring: smaller broadcast domains, traffic isolation, and a security boundary you set per port. Because each VLAN is its own broadcast domain, moving traffic between VLANs always takes a Layer 3 hop.

1 question tests this
Adding a VLAN separates departments; connecting them needs Layer 3

VLANs exist to keep broadcast domains apart, so you cannot 'connect' two departments by giving them VLANs; that is the opposite of what VLANs do. To let two VLANs communicate you need inter-VLAN routing on a router (a tagged subinterface per VLAN, 'router on a stick') or, far more commonly, a Layer 3 switch routing between them in hardware. When a stem says two VLANs cannot reach each other, the fix is a Layer 3 device.

Trap Creating another VLAN to make two VLANs communicate; VLANs separate broadcast domains, only a router or Layer 3 switch joins them.

Access ports carry one VLAN untagged; trunks carry many tagged

An access port belongs to exactly one VLAN and faces an end device that knows nothing of VLANs, so its frames are untagged. A trunk port carries many VLANs over one link between switches (or to a router) and tags each frame so the far end can sort it back. Pick access for a single host, trunk for an inter-switch link that must carry several VLANs.

3 questions test this
802.1Q inserts a 4-byte tag with a 12-bit VLAN ID (1 to 4094)

IEEE 802.1Q is the VLAN tagging standard: a trunk inserts a 4-byte tag into the Ethernet header carrying a 12-bit VLAN ID, giving a usable range of 1 to 4094 (0 and 4095 are reserved). The tag lets one trunk cable carry dozens of VLANs without mixing them, and it is stripped again as a frame exits onto an access port. Memorize that 802.1Q equals VLAN tagging on the exam.

5 questions test this
The native VLAN crosses a trunk untagged and both ends must match

On an 802.1Q trunk, one VLAN, the native VLAN, has its frames sent untagged; everything else is tagged. Both trunk ends must agree on the native VLAN, because a mismatch drops untagged frames into the wrong VLAN, leaking traffic and enabling double-tagging VLAN-hopping attacks. Best practice is to set the native VLAN explicitly to an unused VLAN rather than leaving it as VLAN 1.

Trap Leaving the native VLAN mismatched between trunk ends; untagged frames land in the wrong VLAN and open a VLAN-hopping path.

5 questions test this
VLAN 1 is the default VLAN and should not carry user or management traffic

Every switch port belongs to VLAN 1 out of the box, so VLAN 1 is the default VLAN. Best practice is to move user traffic to other VLANs and never use VLAN 1 for management, because an attacker who reaches an unconfigured port lands in VLAN 1 by default. Assign ports to purpose-built VLANs and keep VLAN 1 unused.

A voice VLAN keeps phone traffic separate on a shared access port

A voice VLAN is a dedicated VLAN for IP phones so voice traffic is separated from the data of a PC sharing the same access port. The separation lets QoS prioritize voice and keeps a compromised PC off the voice segment. It is the standard answer when a stem wants phone traffic isolated and prioritized without a second cable run.

Spanning Tree blocks redundant links so a Layer 2 loop can't form

Ethernet frames have no TTL, so a single frame in a switching loop circulates forever and a broadcast storm saturates every link in seconds. Spanning Tree Protocol (STP, IEEE 802.1D) prevents this by electing a root bridge and putting redundant paths into a blocking state, leaving exactly one active path. The blocked link stays cabled for failover but logically off until needed, so the answer to a storm after adding a redundant link is STP, not removing redundancy.

Trap Removing the redundant link to stop a broadcast storm; the correct fix is to enable Spanning Tree, which keeps the backup link for failover while blocking the loop.

Lowest bridge ID wins the root election; default priority is 32768

STP elects one root bridge by comparing each switch's bridge ID, which is its bridge priority (default 32768) followed by its MAC address; the lowest bridge ID wins. With equal priorities the switch with the lowest MAC becomes root, so to control which switch is root you lower its priority below 32768. Every other switch then selects its lowest-cost root port toward the root.

5 questions test this
Switches elect the root and detect loops using BPDUs

BPDUs (Bridge Protocol Data Units) are the control frames Spanning Tree switches exchange to elect the root bridge, compute path costs, and detect loops. A port that should face only a host but starts receiving BPDUs signals that a switch was plugged in where it should not be. BPDU Guard uses exactly that signal to error-disable a PortFast port.

Classic STP ports walk blocking, listening, learning, forwarding

An 802.1D port passes through four states before carrying data: blocking (BPDUs only), listening (works out the topology, no data, no MAC learning), learning (builds the MAC table, still no data), and forwarding (fully active). Walking listening then learning is why a change takes roughly 30 to 50 seconds to converge and why an access port can sit dark for half a minute after a host boots.

6 questions test this
RSTP (802.1w) converges in about 1 to 2 seconds, not 30 to 50

Rapid Spanning Tree (RSTP, IEEE 802.1w) does the same loop-prevention job as 802.1D but converges in about one to two seconds instead of 30 to 50. It collapses the port states to three (discarding, learning, forwarding) and adds explicit port roles so a standby path is promoted almost instantly. RSTP is the modern default and is backward compatible with 802.1D, so it is the answer when slow STP convergence is the complaint.

7 questions test this
RSTP port roles add an alternate as a pre-computed backup to the root

RSTP defines four port roles: root (best path to the root bridge), designated (forwarding port on a segment), alternate (a pre-computed backup path to the root), and backup (a backup to a designated port on the same segment). The alternate role is what lets RSTP fail over in seconds: the standby path is already chosen, so it activates without re-running a long timer. This is the structural reason RSTP beats 802.1D on convergence.

4 questions test this
MSTP (802.1s) maps VLAN groups to separate spanning-tree instances

Multiple Spanning Tree (MSTP, IEEE 802.1s) runs several spanning-tree instances and maps groups of VLANs to different instances. That lets traffic load-share across redundant links, because one instance can forward on a link that another instance blocks, instead of a single tree blocking the same port for every VLAN. It is the answer for a large multi-VLAN network that wants to use its redundant links rather than park them.

9 questions test this
PortFast skips the STP delay on host ports without disabling STP

On an access port facing a single host there is no switch behind it to form a loop, so the listening/learning wait is pure delay. PortFast moves such an edge port straight to forwarding, eliminating the ~30-second wait, while Spanning Tree keeps protecting the rest of the topology. The right fix for a host port that takes 30 seconds to come up is PortFast, never turning STP off network-wide.

Trap Disabling Spanning Tree to cure a slow-to-link host port; that strips loop protection from the whole topology when PortFast solves it on the one safe port.

BPDU Guard error-disables a PortFast port that receives a BPDU

BPDU Guard is the safety catch for PortFast: if a port set for PortFast ever receives a BPDU, meaning a switch was plugged in where only a host should be, BPDU Guard error-disables the port. That protects the loop-free topology from a shortcut introduced at the edge. PortFast plus BPDU Guard belong only on edge/host ports, never on a switch-to-switch uplink.

Trap Enabling PortFast on a switch-to-switch uplink; it skips the loop-prevention states on a link where a loop can form, inviting the storm STP exists to stop.

A duplex mismatch leaves the link up but slow with late collisions

If one end of a link is hard-coded full duplex and the other is left on auto-negotiation, the auto side cannot detect the partner and defaults to half duplex, creating a duplex mismatch. The link stays up, but you see late collisions, CRC/FCS errors, and throughput that craters under load, not a loss of carrier. The fix is to set both ends the same way, ideally both back to auto.

Trap Reading a duplex mismatch as a down link or bad cable; the carrier stays up and the tells are late collisions and falling throughput, not loss of link.

Standard Ethernet MTU is 1500 bytes; a jumbo frame raises it to 9000

The maximum transmission unit (MTU) is the largest payload a frame carries; standard Ethernet MTU is 1500 bytes. A jumbo frame raises the payload to as much as 9000 bytes to cut per-frame overhead and CPU interrupts for high-volume traffic like iSCSI/NAS storage and backups. Remember the two numbers: 1500 standard, up to 9000 jumbo.

Jumbo frames must be set to the same MTU on every device in the path

Jumbo frames only work if every switch, NIC, and router along the path is configured for the same larger MTU. A single 1500-byte device in the middle drops the oversized frames, and the symptom looks like intermittent loss or stalled large transfers rather than an obvious error. So enable jumbo frames end to end or not at all.

Trap Setting a 9000-byte MTU on the server but not on the switches between it and the peer; the mismatched middle device silently drops the big frames.

Auto-negotiation on both ends is the recommended speed/duplex default

Auto-negotiation lets the two ports advertise their speed and duplex capabilities and settle on the best common pair, and leaving both ends on auto is the recommended default. Hard-coding only one end is what creates a duplex mismatch, so the safe practice is matching configuration: both auto, or both manually set to the same speed and duplex.

Link aggregation with LACP (802.3ad) bonds links without an STP block

Link aggregation under IEEE 802.3ad uses LACP (Link Aggregation Control Protocol) to bond several parallel physical links into one logical link, adding their bandwidth and surviving the loss of a member link. Crucially, STP treats the bundle as one logical port, so the parallel links are not blocked as a loop, which is what would happen if you cabled them without aggregation. It is the answer for more bandwidth between switches without redundancy being blocked.

Trap Cabling two parallel switch links for bandwidth without aggregating them; STP blocks the second as a loop, so you must bundle them with LACP to use both.

1 question tests this
A switch forwards by its MAC address table (CAM table)

A switch forwards frames using its MAC address table (also called the CAM table, for content-addressable memory): it learns the source MAC of each frame and the port it arrived on, then forwards later frames only out the matching port instead of flooding. Entries age out after a timeout. The table is also the target of a MAC flooding attack, which overflows it so the switch fails open and floods all traffic.

Classic 802.1D STP takes ~50 seconds: 20s max-age plus 15s listening plus 15s learning

With default timers, a blocked port in traditional 802.1D Spanning Tree waits out the 20-second max-age timer after an indirect failure, then transitions through the listening state (15 seconds) and the learning state (15 seconds) before it forwards, totaling about 50 seconds. The listening-plus-learning portion alone (twice the 15-second forward delay) is 30 seconds. This slow convergence is why RSTP (802.1w) was introduced.

Trap Counting only the 30-second forward delay and forgetting the 20-second max-age wait that precedes it after an indirect failure.

5 questions test this
Port-security shutdown mode err-disables the port; restrict and protect just drop frames

Port security caps how many (or which) MAC addresses a switch port accepts, defeating MAC-flooding attacks that try to overflow the CAM table from one port. On a violation, shutdown mode error-disables the port and requires manual re-enablement, while restrict and protect modes keep the port up and simply drop the offending traffic (restrict also logs and counts it).

Trap Expecting the default violation action to merely drop traffic, when the default shutdown mode err-disables the entire port.

2 questions test this
Sticky MAC learning auto-records allowed addresses and saves them to the config

Sticky MAC address learning lets port security dynamically learn the MAC of whatever device connects and write it into the running configuration, so an administrator does not have to type each allowed address by hand. Once the configuration is saved, the learned addresses persist through a reboot.

Trap Confusing sticky learning with statically typed secure MACs; sticky is the hands-off option that learns addresses automatically.

2 questions test this

Wireless Networks

Read full chapter
  • Map each 802.11 standard to its Wi-Fi generation name
  • Memorize the band and top speed of each legacy 802.11 standard
  • 802.11ac (Wi-Fi 5) is 5 GHz only
  • The 6 GHz band is reachable only by Wi-Fi 6E and Wi-Fi 7
  • OFDMA is the defining efficiency feature of Wi-Fi 6
  • 2.4 GHz reaches farther; 5 and 6 GHz go faster with less interference
  • Only channels 1, 6, and 11 are non-overlapping in 2.4 GHz
  • Co-channel and adjacent-channel interference are different problems
  • Keep 2.4 GHz at 20 MHz; save wide channels for 5 and 6 GHz
  • 2.4 GHz shares spectrum with non-Wi-Fi devices
  • SSID is the network name; BSSID is the AP radio's MAC
  • Hiding the SSID is obscurity, not security
  • A BSS is one AP; an ESS is one SSID across many APs
  • Roaming needs overlapping cells and a clean channel plan
  • Infrastructure, ad-hoc, and mesh are the three WLAN topologies
  • WPA2 still uses AES in CCMP; its weakness is the PSK handshake
  • WPA3-Personal uses SAE to defeat offline password cracking
  • Personal uses one shared key; Enterprise authenticates each user via 802.1X
  • Know the 802.1X role triad: supplicant, authenticator, RADIUS server
  • Isolate a guest SSID from internal VLANs
  • Directional antennas focus a beam; omnidirectional cover an area
  • Run a site survey to plan AP placement and find dead zones
  • WEP's RC4 with a 24-bit IV lets attackers recover the key from captured traffic
  • WPA3 makes Protected Management Frames mandatory; WPA2 only made them optional
  • 802.1X enterprise: PEAP-MSCHAPv2 needs only a server cert; the AP needs a RADIUS shared secret

Unlock with Premium — includes all practice exams and the complete study guide.

Physical Installations

Read full chapter
  • The demarc is the provider-vs-customer boundary
  • MDF is the building's main wiring room; IDFs serve the floors
  • Backbone cabling links MDF to IDF; horizontal links IDF to the jack
  • Patch panels make moves/adds/changes a patch-cord swap
  • A cross-connect joins two cabling segments
  • PoE delivers power and data over one Ethernet cable
  • Know the PoE wattages: af 15.4 / at 30 / bt 60 or 90
  • 802.3bt (PoE++) energizes all four pairs
  • A switch's PoE budget is a shared pool, not per-port
  • A UPS rides out short gaps; a generator covers the long haul
  • A PDU distributes rack power; size the circuit in VA
  • Redundant (dual) power supplies survive losing one feed
  • HVAC holds temperature and humidity in the gear's range
  • Humidity cuts both ways: too dry static, too humid corrosion
  • Hot-aisle/cold-aisle keeps supply and exhaust air from mixing
  • Use clean-agent fire suppression over water for live gear
  • Twisted-pair Ethernet is limited to a 100 m channel
  • One rack unit (1U) is 1.75 inches, so device height divided by 1.75 gives U
  • Mount the heaviest gear at the bottom of the rack to lower the center of gravity
  • Verify the rack and floor load rating before mounting any equipment
  • A lockable enclosed rack with locking doors restricts physical access to gear
  • Bond each rack to the grounding system to give fault current a safe path
  • Blanking panels seal empty rack U so hot exhaust can't recirculate to intakes
  • Horizontal and vertical cable managers route patch cables clear of airflow
  • When a clean-agent suppression system discharges, HVAC must shut down
  • Monitor cold-aisle intake temperature against the recommended data-center range

Unlock with Premium — includes all practice exams and the complete study guide.

Network Operations

Network Documentation

Read full chapter
  • Physical documentation answers where; logical answers how
  • Read the diagram whose OSI layer matches the symptom
  • A logical diagram cannot locate a bad cable
  • A rack diagram maps devices by rack-unit (U) position
  • A cable map plus labels is what you trace for a link fault
  • ANSI/TIA-606 standardizes structured-cabling labeling
  • A floor plan places drops and APs on the building layout
  • IPAM is the system of record for IP address space
  • An asset inventory tracks devices, not addresses
  • A baseline is the known-good reference you compare against
  • A wireless survey heat map shows signal coverage on the floor plan
  • An SLA defines measurable service levels plus penalties for missing them
  • SLA, MOU, and MSA carry different weight; only the SLA fixes a metric
  • Higher availability targets translate to tighter downtime budgets
  • Match the stem's keyword to the one artifact that owns the job
  • An accurate CMDB drives dependency mapping and safe decommissioning
  • A rack diagram documents PDU power capacity and airflow blanking

Unlock with Premium — includes all practice exams and the complete study guide.

Life-Cycle Management

Read full chapter
  • End of support, not end of sale, is when security patches stop
  • Past end of support, the fix is to replace the device, not patch it
  • The same date is confusingly labeled EOL by some vendors
  • Extended support delivers security fixes only, as a migration bridge
  • You cannot patch what you have not inventoried, so track versions
  • Firmware is software too, and it gets security fixes
  • Patch management runs assess, test, deploy, verify on a loop
  • Updates flow through change management, with a rollback plan
  • Refresh hardware on a 3 to 5 year cycle, before it ages out
  • The asset inventory drives both patching and refresh planning
  • Decommissioning is a security task, not just unplugging a box
  • Remove config and credentials when decommissioning
  • Reclaim licenses and update inventory before the device leaves
  • NIST SP 800-88 defines three sanitization levels: Clear, Purge, Destroy
  • Match the sanitization method to where the media goes next
  • Degaussing erases magnetic media only, never SSDs
  • Cryptographic erase destroys the key, not the bits
  • Sanitization must be verified and documented with a certificate

Unlock with Premium — includes all practice exams and the complete study guide.

Change Management

Read full chapter
  • Every production change rides one fixed lifecycle: request, assess, approve, schedule, implement, validate, document
  • A change is any add, modify, or remove that could affect production
  • An RFC is the ticket that formally requests and records a change
  • A standard change is low-risk and pre-approved, so it needs no fresh sign-off
  • A normal change is assessed and approved by the CAB before it is scheduled
  • An emergency change fixes an active outage now and is documented afterward
  • The CAB reviews and authorizes changes, it does not implement them
  • The ECAB is the on-call subset of the CAB that approves emergencies fast
  • Higher risk demands heavier approval: standard, normal, emergency
  • Implement approved changes in a scheduled maintenance window
  • Write the back-out plan before you implement, and execute it when a change fails
  • Smaller, reversible changes are safer because rollback is fast
  • Peer-review a complex change before it ships
  • Validate after implementing, then document and close the RFC
  • The RFC and approval record are the audit trail that proves who authorized a change
  • Change management governs the process; configuration management governs the artifacts
  • A change's risk assessment weighs service impact and a rollback plan
  • A standard operating procedure gives repeatable step-by-step instructions

Unlock with Premium — includes all practice exams and the complete study guide.

Configuration Management

Read full chapter
  • A configuration lives in three states: running, backup, and baseline
  • The running config is live in RAM and is lost on reboot unless saved
  • Save running to startup, or the change does not survive a reboot
  • A baseline is the approved known-good reference, changed only through change control
  • A backup is whatever was on the device; a baseline is the approved standard
  • A golden image is a baseline packaged as a full deployable template
  • Configuration drift is any undocumented deviation from the baseline
  • Secure config management runs establish, deploy, maintain
  • Version-control configs to get diffs and rollback to any revision
  • Automate config backups so a recent restore point always exists
  • Run version control and automated backup together, not one or the other
  • Replace failed hardware by loading the backup, not rebuilding by hand
  • When a change breaks production, restore the last known-good config
  • An untested backup is a guess; test restores periodically
  • Configuration management stores artifacts; change management approves changes
  • Infrastructure as Code prevents configuration drift
  • Declarative IaC states the desired end state, not the steps

Unlock with Premium — includes all practice exams and the complete study guide.

Network Monitoring

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Match the monitoring tool to the question: health, conversations, or content

Pick the monitoring data source by what you need to learn. SNMP answers whether a device is up and how loaded it is, flow data answers who talked to whom and how much, and full packet capture answers what exactly was sent. Reaching for a heavier tool than the question needs wastes storage and time, so when a flow record already shows which two hosts saturate a link, you do not stand up a full capture to learn the same thing.

Trap Running full packet capture to measure traffic volume; flow data answers who-and-how-much at a fraction of the storage cost.

SNMP is a manager-agent system addressed through the MIB by OID

Simple Network Management Protocol (SNMP) has a manager (the monitoring station) talk to an agent on each managed device. Every readable or settable value lives in the Management Information Base (MIB), a hierarchical catalog, and each value is named by an object identifier (OID), a dotted-number path. Pointing a monitoring tool at a device walks that OID tree to collect counters like interface byte counts.

5 questions test this
GET polls, SET writes, TRAP and INFORM push events

SNMP uses GET to read a value on a schedule and SET to change one, while the agent uses TRAP to push an unsolicited notification the instant something notable happens, such as an interface going down. A TRAP is fire-and-forget; an INFORM carries the same content but is acknowledged, so the agent resends if the manager does not confirm. The exam tell is direction and trigger: a scheduled status pull is a GET poll, an unsolicited device-down push is a TRAP.

Trap Calling a scheduled, manager-initiated status check a trap; polling is a GET pull, a trap is the agent's unsolicited push.

6 questions test this
Use SNMPv3 because v1 and v2c send the community string in cleartext

SNMPv1 and v2c authenticate only with a community string, a shared secret transmitted in cleartext, so anyone sniffing the segment reads it and can then query or reconfigure the device. SNMPv3 replaces that with the User-based Security Model, adding per-message authentication and encryption (privacy). When a question contrasts the versions or worries about credentials readable on the wire, v3 is the secure answer.

Trap Choosing SNMPv2c for a security-sensitive segment; its community string is sent in cleartext, so only v3 provides authentication and encryption.

7 questions test this
Flow data is conversation metadata, never payload

A flow record summarizes a conversation as source and destination IP, source and destination port, protocol, byte count, packet count, and timestamps, and deliberately omits the payload. That makes it cheap to store over long windows and ideal for capacity planning, finding top talkers, and spotting anomalies like a host beaconing out or a sudden volume spike. Because it carries no payload, it can never show you what was inside a packet.

Trap Expecting flow data to reveal packet contents; flow records carry only metadata, so payload inspection needs full capture or IDS.

NetFlow, sFlow, and IPFIX are one category: flow export

Treat the flow family as one tool for the exam. NetFlow is Cisco's original export protocol (v9 the common version), sFlow is a sampling-based alternative that exports every nth packet's header plus interface counters for very low overhead on fast switches, and IPFIX (IP Flow Information Export) is the IETF-standardized, vendor-neutral form built from NetFlow v9. All three export flow metadata and none capture payload.

IPFIX is the IETF standard version of NetFlow v9

IPFIX (IP Flow Information Export) is the IETF standard for exporting flow data, defined in RFC 7011 and built directly from Cisco's NetFlow v9. It is the vendor-neutral form of the same flow-export idea, so a question asking for the open, standards-based flow protocol points to IPFIX rather than the vendor-specific NetFlow.

Full packet capture saves every byte at high storage cost

A protocol analyzer (a sniffer) performs full packet capture, saving headers and payload so you can read application content and reconstruct an entire session. That power costs heavy storage and slow search, which forces short retention, so capture is for targeted deep troubleshooting and forensics, not always-on volume monitoring. When the goal is to see the actual contents of the traffic, capture is the only source that shows it.

Trap Picking flow data when the question needs the actual packet contents; flow has no payload, so only full capture reads the bytes.

Port mirroring (SPAN) copies traffic to the analyzer

To capture traffic that is not addressed to the analyzer itself, you duplicate it with port mirroring, also called a SPAN (Switched Port Analyzer) session, which copies traffic from one or more source ports to the analyzer port. A hardware tap does the same job inline. Without a mirror or tap, a switch only forwards frames to their destination port, so the analyzer would see nothing.

Syslog centralizes event logs off the originating host

Syslog ships each device's event messages to a central collector, which both protects the records and lets you search every device's events in one place. Centralizing matters for security because a copy already shipped off-host survives an attacker wiping the local logs, and it matters for operations because one query spans the whole network instead of logging into each box.

2 questions test this
Syslog severity runs 0 Emergency to 7 Debug, where lower is worse

Each syslog message carries a severity on a fixed 0-to-7 scale, and the direction is inverted from intuition: 0 is Emergency (system unusable) and 7 is Debug, with Alert, Critical, Error, Warning, Notice, and Informational in between. A filter for severity 3 and below therefore captures Error, Critical, Alert, and Emergency, the messages you actually act on. The separate facility field (values 0 to 23) names which subsystem produced the message.

Trap Treating severity 7 as the most critical; the scale is inverted, so 0 Emergency is most urgent and 7 Debug is least.

2 questions test this
A SIEM aggregates and correlates logs; it is not a sensor

A Security Information and Event Management (SIEM) system provides centralized logging for many log types, ingesting syslog, flow records, and device logs and correlating events across sources into one storyline, for example tying a firewall port scan to a later endpoint alert and a data upload. The SIEM sees the cross-source pattern no single device could, but it does not itself scan for malware or block traffic, which are sensor jobs.

Trap Naming the SIEM as the component that scans for malware or blocks a file; those are sensor jobs, the SIEM only aggregates and correlates.

Establish a performance baseline before setting alert thresholds

A performance baseline is a recorded picture of normal CPU and memory utilization, interface throughput, error and discard counters, and latency, sampled over time. It is the reference an alert is measured against, because a reading like 70% CPU only means something once you know normal is 20%. Establish the baseline first, then alert on deviation from it; without a baseline a threshold is a guess.

Trap Setting alert thresholds from intuition with no baseline; deviation from recorded normal, not an arbitrary number, is what signals a problem.

4 questions test this
Key performance metrics: utilization, errors, discards, and latency

The core health metrics to watch are CPU and memory utilization, interface bandwidth utilization, interface error and discard (drop) counters, and round-trip latency. Rising error or discard counters on an interface point to a physical or congestion problem, and tracking utilization against the baseline shows whether a link needs upgrading. These are the counters SNMP polling typically collects.

Streaming telemetry pushes metrics through device APIs

Modern platforms increasingly collect metrics through device APIs as streaming telemetry, where the device pushes fine-grained data continuously instead of waiting to be polled. This complements or replaces scheduled SNMP polling, giving denser, more timely data, and is the answer when a question describes continuous API-driven metric streaming rather than interval polling.

Flow beats capture for volume; a poll beats a capture for up/down

When two tools could technically work, the exam wants the lighter one that still answers the question. To learn which hosts dominate a link and by how much, flow data answers it without the storage burden of full capture. To confirm a device or interface is up, an SNMP poll or trap answers it without capturing any traffic at all. Capture is reserved for when you genuinely need the payload.

Trap Defaulting to packet capture because it sees everything; its storage and search cost make it the wrong first reach when metadata answers the question.

SNMP polls on UDP 161 and receives traps on UDP 162

The manager polls agents with GET and SET requests over UDP port 161, and agents push asynchronous trap and inform notifications back to the manager on UDP port 162. A firewall must allow inbound UDP 162 at the NMS for traps to arrive, which is the usual cause of polling working while traps silently vanish.

Trap Swapping the two ports, expecting traps on 161; 161 is for polling, 162 is for the unsolicited notifications.

4 questions test this
Syslog forwards log messages on UDP port 514

Standard syslog uses UDP port 514 as its well-known destination port for forwarding event messages to a centralized collector. A firewall rule permitting devices to log centrally must allow UDP 514 inbound to the syslog server.

2 questions test this
SNMPv3 has three security levels: noAuthNoPriv, authNoPriv, authPriv

noAuthNoPriv neither authenticates nor encrypts; authNoPriv verifies the sender's identity but sends the payload in the clear; authPriv both authenticates the sender and encrypts the payload. Match the level to the policy: authentication-only requirements call for authNoPriv, while requirements to also stop eavesdropping call for authPriv.

Trap Choosing authPriv when the policy asks only to verify the sender; encryption is extra overhead the requirement did not ask for, so authNoPriv is the precise answer.

5 questions test this
RSPAN carries mirrored traffic between switches over a dedicated VLAN

Remote SPAN extends port mirroring across separate switches by tagging the copied frames into a dedicated RSPAN VLAN. That VLAN must be allowed on every trunk link between the source switch and the switch hosting the analyzer, so the mirror can reach a destination in another wiring closet or building.

2 questions test this
A capture NIC needs promiscuous mode to see mirrored traffic

By default a network adapter discards frames not addressed to its own MAC. Promiscuous mode makes the adapter accept every frame that arrives on the interface, which is required for a protocol analyzer plugged into a SPAN destination port to display the mirrored traffic rather than only its own.

1 question tests this

Disaster Recovery

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

RPO is the maximum data loss you can tolerate, measured in time

The recovery point objective (RPO) is the point in time to which data must be recovered after an outage, so it expresses the maximum acceptable data loss as a span of time, not a clock duration of downtime. A one-hour RPO means losing at most the last hour of data is acceptable. It is a target you set in advance, typically during a business impact analysis, not a value measured from equipment.

Trap Reading RPO as how long the system can be down; that is RTO. RPO is about data loss, measured backward from the disaster to the last good backup.

1 question tests this
RPO sets backup frequency: the interval can never exceed the RPO

Because RPO is the most data you can afford to lose, your backup or replication interval must be no longer than the RPO. A one-hour RPO requires backups at least hourly; a near-zero RPO requires continuous replication rather than nightly tape. The tighter the RPO, the more often (and more expensively) you must capture data.

Trap Setting backup frequency from the downtime target (RTO); backup cadence is governed by RPO, the data-loss target.

10 questions test this
RTO is the maximum downtime you can tolerate before unacceptable harm

The recovery time objective (RTO) is the overall length of time a system can be in the recovery phase before it negatively impacts the organization's mission. It is the clock that starts when service drops and stops when service is restored, so a four-hour RTO means the business can be down for up to four hours. Like RPO, it is a target you choose, not a measured statistic.

Trap Confusing RTO with how much data can be lost; data loss is RPO. RTO is downtime, measured forward from the disaster to service restored.

RTO drives the recovery method and the recovery-site tier

A long RTO can be met by restoring from backup tape, but a short RTO cannot wait for a restore and forces faster machinery: a standby site, replicated systems, or automated failover. The shorter the RTO, the more you must pre-stage and the more it costs. This is why RTO, not RPO, points you toward a cold, warm, or hot site.

7 questions test this
RPO and RTO are independent: one governs data, the other governs downtime

RPO and RTO are set separately because they protect different things, and a system can have a tight one and a loose other. A bank may tolerate hours of downtime (loose RTO) but almost no transaction loss (near-zero RPO); a marketing site may tolerate losing a day of edits (loose RPO) but need to be back in minutes (tight RTO). Hold the one-line split: RPO is how much data can we lose, RTO is how long can we be down.

Trap Swapping RPO and RTO, the single most common DR distractor; backups and data loss are RPO, downtime and time-to-restore are RTO.

1 question tests this
RPO and RTO are objectives you set; MTTR and MTBF are properties you measure

The cleanest way to keep the four DR acronyms straight is by origin: RPO and RTO are objectives chosen before any failure, while MTTR and MTBF are statistics calculated after observing real failures. You declare an RTO in a plan, but you cannot declare an MTBF; you compute it from failure history.

Trap Treating MTTR or MTBF as a target you assert in a plan the way you set an RTO; only RPO and RTO are chosen objectives.

1 question tests this
MTTR is the average time to repair a failed component (recoverability)

Mean time to repair (MTTR) is the average time it takes to restore a failed component once it breaks, computed by dividing total repair time by the number of failures. It measures recoverability, so it drives spare-parts inventory, on-call staffing, and whether a vendor's support response is fast enough. A lower MTTR is better and directly helps you meet a tight RTO.

3 questions test this
MTBF is the average operating time between failures (reliability)

Mean time between failures (MTBF) is the average operating time between failures of a repairable system, so a high MTBF means failures are rare. It measures reliability, which is why it drives design choices: which component to buy and when to schedule redundancy or proactive replacement before a part is likely to fail. A higher MTBF is better.

Trap Confusing MTBF (time between failures, reliability) with MTTR (time to repair, recoverability); MTBF answers how reliable, MTTR answers how fast to fix.

3 questions test this
A cold site has space, power, and cooling but no IT equipment

A cold site is a backup facility with the necessary electrical and physical components (space, power, cooling) but no computer equipment in place. It is the cheapest tier to keep on standby and the slowest to activate, because after the disaster you must install and configure hardware and then load data, so recovery takes days. It fits a long RTO on a tight budget.

A warm site is partially equipped and needs current data loaded

A warm site is an environmentally conditioned work space partially equipped with information systems and telecommunications gear. Most of the equipment is already there, so you load current data and finish setup before cutting over, which puts recovery in hours. It is the middle of the cost-versus-speed ladder, between a cold and a hot site.

A hot site is fully operational and ready to take over in minutes

A hot site is a fully operational offsite facility equipped with hardware and software and kept continuously updated, so it mirrors production and can take traffic almost immediately, putting recovery in minutes. It delivers the shortest RTO and is the most expensive tier to run because it duplicates production and stays synchronized.

6 questions test this
Pick the cheapest recovery-site tier that still meets your RTO

The three site types are a deliberate trade of ongoing cost against recovery speed: higher cost buys a lower RTO. The selection rule is to choose the least expensive tier that still satisfies the RTO, not always the fastest one. A near-zero RTO with budget points to a hot site; a long RTO on a tight budget tolerates a cold site; a warm site splits the difference.

Trap Choosing a hot site when a loose RTO and a tight budget would be met by a cold or warm site; the correct tier is the cheapest one that meets the RTO.

Active-active runs all nodes live, sharing load and surviving a node loss

In an active-active design every node carries live traffic at the same time, so the design both spreads load and survives the loss of a node because survivors absorb the failed node's share. This gives the shortest recovery, often with no perceptible outage, but it is the most expensive and complex because every node must be sized for extra load and kept fully synchronized.

3 questions test this
Active-passive keeps a standby idle until a failover promotes it

In an active-passive design the primary handles all traffic while the secondary stands by idle (or warm) until a failover promotes it to active. It is simpler and cheaper than active-active because the standby does not serve users day to day, but recovery includes the failover delay and the standby's capacity is unused until something breaks. A hot site fronted by automated failover is the active-passive design that gets closest to active-active recovery time.

Trap Assuming active-passive recovers as instantly as active-active; active-passive still incurs the failover delay before the standby takes traffic.

A tabletop exercise validates the plan by discussion, touching no systems

A tabletop exercise (walkthrough) is a discussion in which the recovery team talks through the plan against a scenario to surface gaps and ambiguities. No systems are touched, so it is the cheapest and safest test and the natural first step, but it only proves the plan reads correctly, not that it actually works under load.

Trap Believing a passed tabletop proves the recovery site works; a discussion only validates the documented plan, not real recovery.

A simulation models the disaster and response without a real cutover

A simulation exercises procedures and decision-making against a constructed disaster scenario more concretely than a discussion, but without performing a real production cutover. It catches process problems a tabletop misses while still keeping production untouched, so it sits above tabletop and below parallel on the fidelity ladder.

A parallel test runs the recovery site alongside live production

A parallel test stands the recovery systems up for real and runs them alongside live production, with real data flowing into the recovery environment to confirm it produces correct results. Production stays primary the whole time, so users are never at risk, which makes the parallel test the way to prove the recovery site actually functions without betting the business on it.

A full failover test actually shifts production to the recovery site

A full failover test (full-interruption test, or cutover) actually moves production to the recovery site exactly as a real disaster would. It is the only test that proves end-to-end recovery including the failover mechanism and real user load, and it is the most disruptive and risky, so it is run rarely, in a maintenance window, with a tested back-out to the primary.

1 question tests this
DR tests climb a fidelity ladder: tabletop, simulation, parallel, full failover

DR plans are exercised on a ladder of increasing realism and risk: tabletop (discuss), simulation (model), parallel (run beside production), then full failover (shift production over). Each rung proves more but disrupts and endangers more, so you start low and climb only as the plan earns trust. Pick the lowest rung that answers the question being asked.

A documented DR plan is not a tested recovery capability

A written runbook proves nothing about whether recovery actually works; stale documentation, expired credentials, or an undersized replication link surface only when the plan is exercised. Until a parallel or full-failover test runs it end to end, assume the plan has untested gaps, which is why periodic testing is part of disaster recovery rather than an optional extra.

Trap Treating the existence of a polished runbook as proof the plan works; only an end-to-end test (parallel or full failover) demonstrates real recovery.

Recovery metrics come out of the business impact analysis

RPO and RTO are not picked arbitrarily; they are derived during a business impact analysis (BIA), the exercise that identifies an organization's critical processes and the cost of their disruption over time. The BIA quantifies how much downtime and data loss each process can tolerate, and those tolerances become the RTO and RPO that the rest of the DR plan is built around.

Availability equals MTBF divided by the sum of MTBF and MTTR

The standard availability percentage is MTBF / (MTBF + MTTR) x 100, where MTBF is the mean time between failures and MTTR is the mean time to repair. Availability rises when you increase MTBF (failures become rarer) and when you decrease MTTR (repairs become faster).

Trap Computing MTBF / MTTR instead of MTBF / (MTBF + MTTR); the denominator is total time, the uptime plus the repair time, not the repair time alone.

4 questions test this
Tightening RPO and RTO drives up cost and complexity

Lowering the RPO forces more frequent backups or continuous replication, and lowering the RTO forces faster recovery mechanisms such as hot standby infrastructure. Both moves trade money and operational complexity for less data loss and shorter downtime, so aggressive objectives carry a higher price tag.

1 question tests this

Network Services

Read full chapter
  • DHCP leases IPv4 config through the DORA exchange
  • A DHCP scope is the pool plus the options handed out with it
  • A reservation gives a device a fixed address while staying DHCP-managed
  • DHCP lease time controls renew at 50% and rebind at 87.5%
  • A DHCP relay carries the broadcast across subnets to a central server
  • SLAAC autoconfigures IPv6 addresses with no DHCP server
  • EUI-64 builds the IPv6 interface ID from the 48-bit MAC
  • Stateful DHCPv6 tracks IPv6 leases; SLAAC does not
  • The RA's M and O flags decide how an IPv6 host configures
  • DNS maps names to addresses with typed resource records
  • PTR records and reverse lookup map an address back to a name
  • Authoritative servers own zones; caching resolvers just remember answers
  • TTL trades change-propagation speed against query load
  • Recursive query asks for the answer; iterative returns a referral
  • NTP synchronizes clocks because logs, certs, and Kerberos depend on time
  • NTP stratum counts hops from the reference clock
  • PTP gives sub-microsecond time by stamping packets in hardware
  • NTS authenticates NTP so an attacker cannot forge time
  • Split-horizon DNS returns different answers by query source
  • An SRV record advertises a service's host and port
  • IXFR transfers only the changed zone records
  • A secondary compares SOA serial numbers to decide on a transfer
  • DHCP Option 82 carries the client's circuit and port identity
  • DHCP Option 66 hands clients their TFTP server name

Unlock with Premium — includes all practice exams and the complete study guide.

Remote Access and Management

Read full chapter
  • Separate the management path from the protocol that secures it
  • Use out-of-band management to recover an unreachable device
  • Console and serial ports are the local, network-free recovery interface
  • In-band management is cheap and convenient but dies with the data plane
  • SSH replaced Telnet because it encrypts the whole session
  • SSH key authentication sends no reusable password
  • A site-to-site VPN joins two networks gateway-to-gateway
  • A client-to-site VPN connects one remote user's device
  • A clientless VPN reaches internal web apps through the browser
  • IPsec ESP is the encrypting protocol; AH does not encrypt
  • AH breaks across NAT; ESP with NAT-T survives it
  • IPsec tunnel mode encrypts the whole packet; transport mode only the payload
  • IKE negotiates IPsec keys over UDP 500, switching to UDP 4500 for NAT-T
  • TLS/SSL VPNs traverse firewalls better than IPsec because they use TCP 443
  • Full tunnel inspects all traffic; split tunnel sends only corporate traffic through the VPN
  • Use the REST API, not the GUI, for repeatable bulk changes
  • A bastion host is the single hardened entry point for admin sessions
  • Disable plaintext management protocols in favor of their encrypted peers
  • REST APIs use HTTP verbs, JSON bodies, and stateless requests
  • SCP transfers files securely over SSH on TCP port 22

Unlock with Premium — includes all practice exams and the complete study guide.

Network Security

Logical Security

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Encrypt data in both transit and at rest, they are separate layers

Encryption in transit protects data while it crosses the network and encryption at rest protects it while stored on disk, and the two are independent controls. A system can secure one and leave the other open, so TLS on the wire does nothing for a stolen backup tape, and full-disk encryption does nothing for credentials sniffed off the network. Always confirm which state the scenario is actually leaving exposed.

Trap Assuming TLS or HTTPS also protects stored data; it only covers the wire, so at-rest encryption is still needed on disk and backups.

2 questions test this
TLS secures application traffic in transit; require 1.2+ and prefer 1.3

TLS is the dominant in-transit protocol, wrapping HTTP into HTTPS and tunneling TLS/SSL VPNs over TCP 443. NIST SP 800-52 Rev. 2 requires servers to support TLS 1.2 as the minimum and to prefer TLS 1.3, while SSL 2.0/3.0 and TLS 1.0/1.1 are obsolete and must not be used. TLS 1.3 completes its handshake in one round trip and makes forward secrecy mandatory.

Trap Allowing TLS 1.0/1.1 or SSL 3.0 as still acceptable; all are deprecated and fail modern configuration baselines.

1 question tests this
PKI binds an identity to a public key through a CA-signed X.509 certificate

Public key infrastructure issues X.509 certificates that pair a public key with a verified identity, and a certificate authority (CA) signs each one. A verifier trusts the certificate because a chain of signatures runs from it, through any intermediate CAs, up to a root CA already in its trust store. This same chain-of-trust model underpins TLS, EAP-TLS, and code signing.

A keypair splits into a private key you guard and a public key you share

Asymmetric cryptography gives each party a private key kept secret and a public key distributed freely, and an X.509 certificate carries only the public key. Publishing a certificate therefore exposes nothing secret, because the private key never leaves the owner. Anyone can encrypt to or verify a signature from the public key, but only the private-key holder can decrypt or sign.

Trap Believing a published certificate leaks the private key; the certificate contains only the public key, so the private key stays protected.

AAA is three distinct steps: authentication, authorization, accounting

Identity and access management runs on AAA: authentication proves who you are, authorization decides what you may do, and accounting records what you did. These are separate concerns, and exam answers split along the same lines, so passing authentication does not by itself grant any access. A protocol or control usually targets one or two of the three, not all interchangeably.

Trap Treating successful authentication as authorization; proving identity does not decide what the user is permitted to do.

MFA needs factors from different categories, not just multiple prompts

Multi-factor authentication combines two or more factors from distinct categories: something you know (password, PIN), something you have (token, smart card, TOTP app), something you are (biometric), and somewhere you are (location). Two factors from the same category are still single-factor, so a password plus a PIN is single-factor because both are things you know, and a fingerprint plus a face scan is single-factor because both are things you are. Count categories, not the number of prompts.

Trap Counting password plus security question as MFA; both are something you know, so it remains single-factor.

3 questions test this
TOTP gives a something-you-have factor from a rotating code

A time-based one-time password (TOTP) derives a short code from a shared seed and the current time, rotating roughly every 30 seconds. It supplies a something you have factor without dedicated hardware, since the authenticator app holds the seed. On the exam, a code that changes every 30 seconds from an app is TOTP, a possession factor, not a knowledge factor.

Geofencing is the somewhere-you-are factor

Geofencing restricts or conditions access based on physical location, enforcing the somewhere you are factor. It can require that a login originate from inside a building, campus, or country before access is granted. It adds context to authentication rather than replacing the identity-proving step.

Least privilege grants only the access a task requires

Least privilege means giving each user or process only the permissions its job needs and nothing more, which shrinks the blast radius of a compromised account. It is the principle every access-control model rides on, including RBAC, MAC, DAC, and ABAC. Combine it with MFA so a stolen password alone cannot reach much.

RBAC ties permissions to roles, so access follows job function

Role-based access control (RBAC) assigns permissions to roles and assigns users to roles, so access follows job function rather than being granted per individual. It implements least privilege at scale because adding or removing a person is a role change, not a permission audit. The exam tell is access keyed to a job role.

Trap Confusing RBAC with ABAC; RBAC keys access to job roles, while ABAC decides on contextual attributes like device, time, or location.

4 questions test this
Access-control models differ on who controls the policy

MAC is enforced by the system against labels and clearances and cannot be overridden by the owner, DAC lets the resource owner grant access at their discretion (file ACLs), RBAC ties permissions to job roles, and ABAC decides on attributes of the subject, object, action, and environment. The exam tells: system enforces classification and owner cannot override is MAC, owner decides sharing is DAC, access keyed to job function is RBAC, and decision depends on context is ABAC. All four ride on least privilege.

Trap Calling owner-controlled file permissions mandatory access control; owner discretion is DAC, while MAC is system-enforced via labels the owner cannot change.

SSO lets one authentication serve many applications

Single sign-on (SSO) authenticates the user once and grants access to many applications without re-entering credentials, reducing password fatigue. When the apps span organizations, SSO is federated: an identity provider asserts the user's identity to many service providers. SSO is a convenience and consistency layer over authentication, not an authorization model.

1 question tests this
SAML is the XML standard for enterprise web SSO federation

SAML 2.0, an OASIS standard, is the XML browser-redirect protocol for enterprise web single sign-on. An identity provider authenticates the user and issues a digitally signed assertion that a service provider trusts, carrying authentication plus attributes over HTTPS rather than a dedicated AAA port. Choose SAML when the scenario is one login across many web applications in a federation.

Trap Picking LDAP for cross-organization web SSO; LDAP is the directory store the flow resolves against, while SAML is the federation protocol.

3 questions test this
RADIUS does AAA over UDP and encrypts only the password

RADIUS (RFC 2865) runs over UDP using authentication port 1812 and accounting port 1813 (legacy 1645/1646), is cross-vendor, and is the standard authentication server behind 802.1X and wireless access. It encrypts only the User-Password attribute in the packet and combines authentication with authorization in one exchange. That makes it ideal for is this user allowed onto the network but weak for fine-grained per-command control.

Trap Assuming RADIUS encrypts the whole packet; only the User-Password attribute is hidden, leaving the rest in cleartext.

5 questions test this
TACACS+ runs over TCP 49, separates AAA, and obfuscates the whole body

TACACS+ (RFC 8907) runs over TCP port 49, is Cisco-originated, obfuscates the entire packet body, and separates authentication, authorization, and accounting into independent functions. That separation is what lets it authorize and log individual administrator commands, so it is the answer for centralized device-administration control on network gear. Reach for it when per-command authorization or full-payload protection matters.

RADIUS vs TACACS+: network access vs device administration

RADIUS uses UDP (1812/1813), is cross-vendor, encrypts only the password, and combines authn with authz, fitting 802.1X and wireless network access. TACACS+ uses TCP 49, is Cisco-originated, obfuscates the whole body, and separates the three A's, fitting granular administrator command control on network devices. Match the stem: get-onto-the-network is RADIUS, authorize-each-admin-command is TACACS+.

Trap Choosing RADIUS to authorize individual admin commands; it combines authn/authz and encrypts only the password, so TACACS+ with separated AAA is the fit.

LDAP is the directory store, not an AAA protocol

LDAP (Lightweight Directory Access Protocol, RFC 4511) holds user and group objects and answers directory lookups; it is not itself an AAA protocol. Plain LDAP listens on TCP 389, and secured over TLS it becomes LDAPS on TCP 636. RADIUS, SAML, and SSO flows commonly resolve identities against an LDAP directory behind the scenes.

Trap Treating LDAP as the single sign-on protocol; it is the backing directory, while SAML or another federation protocol performs the SSO.

802.1X authenticates a port or SSID before passing general traffic

IEEE 802.1X is port-based network access control that gates a wired switch port or wireless SSID before an IP address is issued, using a supplicant (client), an authenticator (switch or AP), and an authentication server (typically RADIUS). The supplicant and authenticator exchange EAP over the LAN and the authenticator relays credentials to the RADIUS server. EAP-TLS within this flow uses client certificates for the strongest mutual authentication.

3 questions test this
IPsec secures whole IP packets for VPN tunnels

IPsec protects data in transit at the IP layer and is the classic choice for site-to-site and remote-access VPN tunnels, encrypting whole packets with ESP. A TLS/SSL VPN over TCP 443 is the alternative when you need clientless, NAT-friendly access through firewalls. Pick IPsec for gateway-to-gateway tunnels and a TLS VPN when browser-based or firewall-traversal access is the priority.

1 question tests this
Authorization decides access only after authentication succeeds

Authentication and authorization are sequential and distinct: the system first verifies identity, then a separate step decides what that verified identity may do. A user can be correctly authenticated yet authorized for nothing, and a permission change never re-proves identity. Keeping them separate is why TACACS+ can authorize each command independently of the initial login.

Physical Security

Read full chapter
  • Physical access defeats logical controls, so the room is the perimeter
  • Layer controls to deter, detect, delay, and respond
  • A camera is detective and a deterrent, but never preventive
  • An access-control vestibule defeats tailgating
  • Badge and biometric locks add an audit trail keyed locks lack
  • Cipher and keyed locks have no per-user accountability
  • Lock the rack inside the locked room for a second delay layer
  • Asset tags track and deter theft but do not prevent it
  • Tamper seals and chassis intrusion detection reveal covert access
  • Match the stem's verb: prevent entry versus record an event
  • Physical controls are the wrong answer for a remote attack
  • Provider-hosted gear shifts physical security to contracts and audits

Unlock with Premium — includes all practice exams and the complete study guide.

Deception Technologies

Read full chapter
  • A honeypot is a single decoy with no legitimate purpose, so any access is suspect
  • A honeynet is a whole decoy network of honeypots, not a single host
  • More realism and lateral-movement study points to a honeynet over a honeypot
  • Deception detects and diverts, it does not prevent
  • Place a decoy inside a trusted segment to catch post-breach and insider activity
  • Low-interaction decoys are safe but easy to spot; high-interaction are rich but risky
  • Isolate the decoy so a compromised honeypot cannot become a pivot
  • Deception observes your own assets; it is not a license to hack back

Unlock with Premium — includes all practice exams and the complete study guide.

Security Terminology

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A vulnerability is the weakness, not the attacker or the payload

A vulnerability is a weakness in a system, security procedure, internal control, or implementation that a threat could exploit or trigger, an unpatched service, a default password, an open port. It is a state of the system, never the actor and never the code thrown at it. Pin this down first because most labeling questions on this topic hinge on separating the weakness from the thing that abuses it.

Trap Calling the crafted input or malware the vulnerability; that payload is the exploit or attack, while the vulnerability is the underlying flaw it abuses.

A threat is the actor or event with potential to cause harm

A threat is any circumstance, event, or actor with the potential to adversely impact operations, assets, or individuals: a ransomware gang, a malicious insider, a flood, a power failure. It describes the source of possible harm, not the weakness and not the technique. You usually cannot control a threat directly, which is why network controls target the vulnerability side instead.

1 question tests this
An exploit is the technique or code that abuses a vulnerability

An exploit is the actual method, tool, or code a threat uses to take advantage of a vulnerability, a Metasploit module, a crafted SQL string, an oversized buffer-overflow input. It is the action against the system, distinct from both the weakness it targets and the actor running it. If a stem hands you a packet, a script, or a malicious message, that is the exploit, not the vulnerability.

Trap Treating the exploit as the vulnerability; the exploit is the action taken, the vulnerability is the hole it goes through.

4 questions test this
Risk is the likelihood a threat hits a vulnerability times the impact

Risk is a measure of how threatened an asset is, typically a function of the likelihood an event occurs and the adverse impact if it does, so think risk = likelihood x impact. A related shorthand is risk = threat x vulnerability: drive either factor toward zero and realized risk follows. Because it is a product, a single problem often has more than one valid mitigation depending on which factor you attack.

2 questions test this
A threat exploits a vulnerability to realize risk

The four core terms form one causal chain: a threat uses an exploit to abuse a vulnerability, and the outcome is realized risk. Reading a scenario as this chain, rather than four isolated words, tells you exactly which label fits each clause. The same incident can ask you to name the open port, the attacker, the tool, or the business measure.

1 question tests this
Reduce risk by lowering likelihood or impact, not just one

Since risk is likelihood times impact, you can cut it on either axis. Patching, hardening, and segmentation lower the likelihood a threat reaches a vulnerability; redundancy, backups, disaster recovery, and cyber-insurance lower the impact when it does. An exam item offering one defense of each type is testing that you see risk as a two-factor product rather than a single lever.

Trap Assuming only patching reduces risk; adding redundancy or transferring the loss via insurance lowers impact and is equally valid risk reduction.

1 question tests this
The four risk responses are avoid, mitigate, transfer, accept

Once you understand a risk, you choose how to handle it: avoid (stop the risky activity), mitigate or reduce (apply controls, the usual network answer), transfer (shift the financial loss to a third party like an insurer), or accept (formally acknowledge a low or unavoidable risk and proceed). Whatever remains after controls is residual risk. Accepting residual risk is a deliberate, documented decision, not negligence.

Trap Picking an option that promises to eliminate risk entirely; residual risk always remains, so accept or transfer is often the mature, correct answer.

Confidentiality keeps data secret with encryption and access control

Confidentiality preserves authorized restrictions on access and disclosure, the C in the CIA triad. You enforce it with encryption (in transit and at rest) and access control. A packet sniffer reading a cleartext Telnet password is a confidentiality failure, and the fix is to encrypt the channel by using SSH instead of Telnet.

Trap Mapping eavesdropping to integrity; reading data without changing it breaks confidentiality, while integrity is about unauthorized modification.

Integrity guards against improper change with hashing and signatures

Integrity guards data against improper modification or destruction and includes non-repudiation and authenticity, the I in the CIA triad. You enforce it with cryptographic hashes (a checksum that changes if any bit changes) and digital signatures. An on-path attacker silently altering a file in transit is an integrity failure, caught because the recomputed hash no longer matches.

Trap Choosing encryption to ensure integrity; encryption protects confidentiality, while a hash or signature is what detects tampering.

Availability keeps systems reachable with redundancy and DR

Availability ensures timely and reliable access to information and systems, the A in the CIA triad. You enforce it with redundancy, failover, load balancing, backups, and disaster recovery. A DDoS flood that knocks a web server offline is an availability failure, and the answer is capacity, filtering, and redundancy rather than encryption.

Trap Reaching for encryption to fix a DoS outage; encryption protects confidentiality and does nothing for availability, which needs redundancy and filtering.

Map a security incident to the CIA goal it violates

The exam often names an incident and asks which security goal it broke. Eavesdropping or data leakage is a Confidentiality failure, tampering or a failed checksum is an Integrity failure, and an outage, DoS, or hardware failure is an Availability failure. Reverse it for controls: encryption serves confidentiality, hashing and signatures serve integrity, redundancy and backups serve availability.

1 question tests this
CompTIA folds authenticity and non-repudiation into integrity

Some references extend the CIA triad with Authenticity (data genuinely comes from who it claims) and Non-repudiation (the sender cannot deny sending it), but in CompTIA's model these live inside Integrity. Do not reach for a fourth security goal on a CIA mapping question unless the stem explicitly introduces one.

AAA is three stages: authentication, authorization, accounting

AAA stands for Authentication, Authorization, and Accounting, three distinct stages. Authentication proves who you are (password, token, certificate, biometric), authorization decides what that proven identity may do (which VLAN, which files, read versus write), and accounting logs what was actually done for audit, forensics, and billing. RADIUS and TACACS+ are the protocols that centralize AAA for network devices.

Login success but no access is an authorization failure

When a user authenticates fine but cannot reach a resource, they passed authentication and failed authorization. The remediation is a permission, group, or ACL change, not a credential reset. The reverse, being unable to log in at all, is the authentication problem; keep the two stages separate.

Trap Resetting the user's password when they can log in but cannot reach a share; the credentials already worked, so the fix is an authorization change.

Attack surface is the whole boundary; a vector is one route in

The attack surface is the set of all points on a system's boundary where an attacker could try to enter, affect, or extract data, every open port, exposed service, account, and interface. An attack vector (threat vector) is a single route an intrusion actually takes, such as a phishing email or an exposed RDP port. Hardening shrinks the attack surface so fewer vectors exist.

Trap Using attack surface and attack vector interchangeably; the surface is the aggregate of all entry points, while a vector is one specific path through it.

A zero-day exploits an unknown flaw, so no patch exists yet

A zero-day is an attack against a previously unknown vulnerability the vendor and public do not yet know about. Because no patch or signature exists, applying the vendor patch is impossible by definition. The correct mitigations are compensating and behavioral controls: segmentation, least privilege, anomaly detection, and virtual patching at an IPS, until a real fix ships.

Trap Selecting apply the vendor patch for a zero-day; no patch exists for an unknown flaw, so the answer is compensating controls until one is released.

1 question tests this
Hardening reduces risk by shrinking the attack surface

Device and network hardening lowers risk by removing reachable weaknesses: close unused ports, disable unnecessary services, change default credentials, and segment the network. Each removed exposure is one fewer vulnerability for a threat to exploit, which is the likelihood side of risk = likelihood x impact. The goal is fewer entry points, not a single perfect control.

1 question tests this

Audits and Compliance

Read full chapter
  • Compliance turns law and contract into concrete network controls
  • Data sovereignty ties data to the laws of where it physically sits
  • Satisfy a residency law by controlling region and replication, not just access
  • PCI DSS is a card-brand contract, not a government law
  • The CDE is card-data systems plus anything with unrestricted connectivity to them
  • Segmentation is not required by PCI DSS, but it shrinks the audit
  • Reduce PCI audit cost by segmenting, not by hardening the flat network
  • GDPR protects people in the EU and reaches you wherever you host
  • GDPR splits roles into data subject, controller, and processor
  • GDPR requires breach notification within 72 hours of awareness
  • The GDPR right to erasure is not absolute
  • GDPR's higher fine tier reaches EUR 20M or 4% of global turnover
  • Audit logging is the evidence a compliance audit examines
  • An audit tests controls; attestation is the signed result
  • Internal reporting is candid; external reporting is formal and deadline-bound
  • Compliance is a floor on a date, not proof of security
  • Match the regulation to the data type in the stem
  • GDPR can waive data-subject breach notice when encryption left the data unintelligible
  • Without an adequacy decision, Standard Contractual Clauses make a GDPR transfer lawful
  • PCI DSS sets fixed cadences: quarterly ASV scans, six-month rule review, one-year log retention

Unlock with Premium — includes all practice exams and the complete study guide.

Network Segmentation

Read full chapter
  • Segment to limit the blast radius of a breach
  • A VLAN is the boundary; a firewall or ACL is the control
  • Isolate unpatchable OT/ICS/SCADA, do not try to patch it
  • Put IoT/IIoT devices on a dedicated VLAN
  • Place internet-facing servers in a screened subnet (DMZ)
  • Give guests and BYOD internet-only access, no internal reach
  • Microsegmentation stops east-west, same-subnet lateral movement
  • Zero trust grants nothing for being on the internal network
  • North-south crosses the zone edge; east-west moves laterally
  • Segment regulated systems to cut PCI DSS audit scope
  • Segmentation contains a breach; it does not prevent one
  • Use 802.1X to assign a device to the right segment at connect
  • Build inter-zone rules deny-by-default, then allow only what is needed
  • OT, ICS, and SCADA name overlapping operational-technology scopes
  • Segment when device classes or trust levels actually differ

Unlock with Premium — includes all practice exams and the complete study guide.

Network Attacks

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Match an attack to the control at the layer it abuses

Network+ attack items reduce to one move: name the attack, place it on the OSI stack, and the control usually sits at that same layer. A SYN flood is an L3/L4 availability attack answered upstream, ARP poisoning is an L2 on-path attack answered by Dynamic ARP Inspection, and DNS spoofing is a service attack answered by DNSSEC. The distractors are typically real controls for the wrong layer, so the only way to pick wrong is to misplace the attack.

DoS and DDoS attack availability, the A of the CIA triad

A denial-of-service exhausts bandwidth, a connection table, or CPU so legitimate users are turned away, attacking availability rather than confidentiality or integrity. A distributed denial-of-service launches the same assault from a botnet of many sources, which is what makes blocking one source IP useless. Recognize it by symptom: the service is reachable for normal load but collapses under flood, with no data theft involved.

Trap Labeling a DDoS as an integrity or confidentiality attack; it degrades availability, and no data is read or altered.

1 question tests this
Mitigate DDoS upstream, because the firewall is the bottleneck

A volumetric DDoS saturates the link itself, so a stateful firewall or single ACL on the edge box is the very thing being overwhelmed and cannot help. The working controls live closer to the source: rate limiting, anti-spoofing filters at the network edge, and a cloud-based scrubbing service that absorbs and cleans traffic before it reaches your link. The exam tell is scale, a distributed attack is never solved by one rule on one device.

Trap Choosing a stateful firewall to stop a volumetric DDoS; it becomes the chokepoint the flood saturates rather than the cure.

Reflection spoofs the victim's IP; amplification multiplies the reply

In a reflection attack the attacker sends queries to third-party servers with the victim's IP spoofed as the source, so every reply lands on the victim. Amplification is the reflection variant that picks protocols where a small request draws a large response, multiplying the attacker's bandwidth; DNS and NTP are classic amplifiers. The tell that separates these from a plain flood is the spoofed source address and the small-query, large-reply ratio.

Trap Calling reflected/amplified traffic a direct flood from the reflectors; the reflectors are unwitting relays, the spoofed victim IP is what aims the replies.

A SYN flood drains the half-open connection table

A SYN flood opens many TCP handshakes by sending SYNs but never completing them with the final ACK, so the server's table of half-open connections fills and it refuses new sessions. It targets connection-state capacity rather than raw bandwidth, which is why a low-bandwidth attacker can still take a server offline. Defenses include SYN cookies and connection rate limiting that avoid pinning state until the handshake completes.

2 questions test this
MAC flooding overflows the CAM table so the switch fails open

A switch records which MAC lives on which port in its content-addressable memory (CAM) table; MAC flooding sends a storm of frames with bogus source MACs until that table is full. With nowhere to learn new mappings the switch fails open and floods frames out every port like a hub, letting the attacker see traffic meant for others. The control is port security, which limits how many MAC addresses a port may learn and shuts down or restricts the port past that cap.

Trap Reaching for DHCP snooping or DAI against MAC flooding; those defend ARP/DHCP, whereas a flooded CAM table is answered by port security.

3 questions test this
ARP poisoning is a Layer 2 on-path attack, because ARP has no authentication

ARP maps an IP to a MAC and a host believes any reply it hears, so an attacker can send forged replies claiming the gateway's IP belongs to the attacker's MAC. Victims then send their traffic to the attacker first, which puts the attacker on-path (man-in-the-middle) to read or alter traffic in both directions. Symptoms include the wrong MAC for the gateway and duplicate-IP alarms.

4 questions test this
Dynamic ARP Inspection needs DHCP snooping to have a binding table

Dynamic ARP Inspection (DAI) stops ARP poisoning by checking every ARP packet on untrusted ports against a trusted IP-to-MAC binding table and dropping forgeries. DAI builds that table from DHCP snooping, so enabling DAI without DHCP snooping leaves it nothing to validate against. The two switch features are deployed together, which is itself a common exam point.

Trap Assuming DAI works standalone; with no DHCP snooping binding table there is no trusted database for DAI to check ARP packets against.

VLAN double-tagging works only when the access VLAN equals the native VLAN

In a double-tagging VLAN hop the attacker stamps a frame with two 802.1Q tags; the first switch strips the outer tag because it matches the native VLAN and forwards the still-inner-tagged frame onto a trunk, where a second switch delivers it into the target VLAN. The attack is one-way and only succeeds because the attacker's access VLAN is the same as the trunk's native VLAN. The fix is to set the native VLAN to an unused VLAN that no access port belongs to.

Trap Believing double-tagging gives two-way access into the target VLAN; the inner-tagged frame reaches the victim but return traffic has no path back.

1 question tests this
Switch spoofing hops VLANs by negotiating a trunk via DTP

In switch spoofing the attacker's port negotiates a trunk link using the Dynamic Trunking Protocol (DTP), and because a trunk carries every VLAN the attacker then sees them all. The control is to disable DTP and explicitly configure access ports as access mode so they never auto-trunk. Hardening trunking this way, together with moving the native VLAN, closes both VLAN-hopping variants.

Trap Leaving ports on dynamic/auto trunking; an attacker negotiates a trunk via DTP and reaches every VLAN, so disabling DTP is the fix.

3 questions test this
DNS cache poisoning is fixed by DNSSEC validation

DNS cache poisoning injects a forged record into a resolver's cache so it hands clients a malicious IP for a real hostname, steering every client of that resolver until the bad record expires. DNSSEC defends against it by digitally signing DNS records so a validating resolver can verify origin authenticity and integrity and reject forged answers. Note the scope: DNSSEC authenticates the data, it does not encrypt it, so query confidentiality is a separate problem.

Trap Assuming DNSSEC encrypts DNS traffic for privacy; it provides origin authentication and integrity only, while confidentiality needs DNS over TLS.

1 question tests this
A rogue DHCP server wins by answering first, so use DHCP snooping

DHCP clients accept the first lease offer they receive, so a rogue DHCP server that answers faster than the real one can hand victims a malicious default gateway or DNS server and become on-path. DHCP snooping is the switch control: it marks only the port toward the legitimate DHCP server as trusted and drops server-type DHCP messages (offers and acks) arriving on untrusted access ports. That same snooping binding table is what Dynamic ARP Inspection later relies on.

An evil twin clones a legitimate SSID to capture clients

A rogue access point is any unsanctioned AP on the network; an evil twin is the specific wireless on-path attack where the attacker broadcasts a legitimate SSID, often at a stronger signal, so clients associate to it and route traffic through the attacker. Detection and prevention use a wireless intrusion prevention system (WIPS) to spot unauthorized radios plus 802.1X so only authenticated devices and users reach the real network. The defense targets authentication and detection, not the airwaves themselves.

Trap Choosing MAC filtering to stop an evil twin; the attacker spoofs an approved MAC, so only mutual authentication (802.1X/WPA3-Enterprise) and WIPS actually defend.

ARP poisoning, rogue DHCP, and evil twins all lead to one on-path position

On-path (man-in-the-middle) is the position, not a single technique: the attacker sits between two parties and relays traffic while reading or altering it. ARP poisoning, a rogue DHCP gateway, and an evil twin are three different routes to that same position. The control that survives all of them is end-to-end encryption with mutual authentication (TLS, IPsec), because traffic routed through an attacker still cannot be read or silently changed.

1 question tests this
Social engineering attacks the person, so no network device stops it

Social engineering is deception that gets a person to reveal information or grant access by abusing trust, and it never touches the network on the way in, so firewalls, IPS, and ACLs do nothing against it. The defenses are people and process: security awareness training, verification procedures, and physical controls. When a stem describes a human being tricked into giving up access, the answer is a human or physical control.

Trap Offering TLS, a VPN, or a firewall against phishing or tailgating; those protect packets and ports, not the person the attacker is manipulating.

Phishing is the email channel; spear/vishing/smishing change aim or medium

Phishing is fraudulent email, or a cloned web page, that lures a victim into clicking a link, opening an attachment, or entering credentials; NIST calls it a digital form of social engineering. Variants are distinguished by aim and channel: spear phishing targets a named individual, vishing uses voice calls, and smishing uses SMS. Match the stem on channel and targeting rather than treating them as interchangeable.

Trap Labeling a targeted phone-call scam as phishing; voice phishing is vishing, and a scam aimed at one named person is spear phishing.

Dumpster diving, shoulder surfing, and tailgating each have a physical fix

These social-engineering techniques bypass technical controls physically: dumpster diving recovers sensitive data from discarded paper or hardware, shoulder surfing reads a screen or keypad over someone's shoulder, and tailgating (piggybacking) follows an authorized person through a secured door. Each fix is physical or procedural: shredding and secure disposal, privacy screens and shielded PIN entry, and a mantrap (access-control vestibule) with guards. The control never lives in the network stack.

Trap Treating tailgating as a network problem; following someone through a door is defeated by a mantrap and badge discipline, not by any switch or firewall setting.

1 question tests this
Spoofing forges what a machine trusts; social engineering forges what a person trusts

Spoofing fakes an address or identity a system relies on, such as a forged source IP, ARP reply, or SSID, so a machine is fooled. Social engineering fakes a story a person relies on, such as a convincing email or a confident stranger at the door. Use this split to choose the control family: spoofing is countered with technical validation (DAI, DNSSEC, 802.1X), social engineering with training and physical procedure.

Security Hardening and Defense

Read full chapter
  • Hardening means subtracting: change defaults, disable the unused, patch
  • Change default credentials before a device ever goes live
  • Disable unused ports and services so they can't be a way in
  • Patch firmware to close known vulnerabilities
  • Replace Telnet with SSH; the swap, not the toggle, is the answer
  • Use HTTPS for the device GUI, SFTP for file transfer
  • Prefer SNMPv3 because v1/v2c send community strings in cleartext
  • NAC makes an admission decision the moment a device connects
  • A NAC posture check admits only healthy, compliant devices
  • Non-compliant devices are quarantined to a remediation VLAN, not just blocked
  • Agent-based NAC inspects deeply; agentless covers unmanaged devices
  • An ACL is read top-down and stops at the first match
  • Every ACL ends in an implicit deny-all
  • Write ACLs most-specific first and place them near the source
  • Block websites with URL/content filtering, not an IP ACL
  • Trusted and untrusted zones express trust as topology
  • Host public servers in a screened subnet (DMZ) between the zones
  • DHCP snooping blocks rogue DHCP servers and builds the binding table
  • Dynamic ARP inspection stops ARP poisoning using the snooping table
  • Port security limits MACs per port to stop MAC flooding
  • Key management protects the keys the rest of security depends on
  • An IDS only detects and alerts; an IPS sits inline and blocks in real time
  • An inline IPS signature is the compensating control when you cannot patch yet
  • A vulnerability scanner proactively finds known CVE weaknesses, it does not block attacks
  • A firewall enforces access policy by permitting or denying traffic on IP, protocol, and port
  • An inbound ACL on the border router is the fastest way to block a known malicious source range

Unlock with Premium — includes all practice exams and the complete study guide.

Network Troubleshooting

Troubleshooting Methodology

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Know CompTIA's seven troubleshooting steps in exact order

The methodology is a fixed sequence: (1) identify the problem, (2) establish a theory of probable cause, (3) test the theory to determine the cause, (4) establish a plan of action and identify potential effects, (5) implement the solution or escalate, (6) verify full system functionality and implement preventive measures, (7) document findings, actions, outcomes, and lessons learned. The order is the most-tested property, because most questions ask which step comes next or where a described action belongs.

Trap Reordering implement (step 5) before plan of action (step 4); you always plan the change and its effects before applying it.

Investigation finishes before action: steps 1-3 then 4-7

Steps 1 to 3 are the investigation (identify, theory, test) and steps 4 to 7 are the action (plan, implement, verify, document). The dividing line is a confirmed cause: you never plan or implement a change until a test has proven the theory. Treat any stem that has someone changing configuration before testing as out of order.

Trap Acting on a theory before testing it; an unproven theory sends you back to step 2, never forward to a fix.

Step 1 is information gathering, not fixing

Identifying the problem covers six activities: gather information from logs and error messages, question users, identify symptoms, determine if anything has changed, duplicate the problem, and approach multiple problems individually. No change is made at this step; its job is to define what is actually broken and how to reproduce it before any theory is formed.

"Did anything change?" is the highest-yield first question

A network that worked yesterday and fails today almost always broke because of a recent change: a config push, a firmware update, a new device, an expired certificate, or a swapped cable. Determining what changed, by asking users and checking change records, points at the cause faster than any other single activity, which is why CompTIA names it explicitly inside step 1.

Trap Placing "determine if anything changed" under establish a theory (step 2); it is an information-gathering activity inside identify the problem (step 1).

Duplicate the problem before you spend effort on it

Duplicating the problem proves the symptom is real and reproducible, and it hands you a repeatable test you can rerun after a fix to confirm it worked. If you cannot reproduce a reported fault, you have not yet defined the problem and should keep gathering information rather than guessing at a cause.

Treat multiple reported faults as separate problems

When a user lists several complaints, approach each as its own problem with its own cause rather than forcing them into one root cause. Bundling unrelated symptoms invents a single fault that does not exist and sends you chasing it, where solving them individually keeps each diagnosis tractable.

Trap Assuming several simultaneous symptoms must share one root cause; unrelated faults solved as one waste time on a phantom cause.

A theory is a guess; a test is what confirms the cause

Step 2 establishes a theory of probable cause and step 3 tests it to determine the actual cause. The two are deliberately separate because describing a likely cause is not the same as proving it. Question the obvious first (unplugged cable, disabled interface, wrong subnet mask) before reaching for exotic explanations.

Trap Treating the step 2 theory as the confirmed cause and skipping step 3; the cause is not established until a test confirms it.

After testing, a confirmed theory advances; a disproven one loops or escalates

If the test confirms the theory, proceed to step 4 and plan the fix. If it does not confirm the theory, either re-establish a new theory (return to step 2) or escalate when the problem exceeds your knowledge, access, or authority. A failed test never licenses you to start making changes.

Trap Beginning to change configuration after a test disproves your theory; a disproven theory returns you to step 2 for a new one.

1 question tests this
For layered problems, work the OSI stack top-to-bottom or bottom-to-top

CompTIA's guidance for layered technologies is to consider multiple approaches, including working the OSI model top-to-bottom or bottom-to-top, so the search is systematic instead of random. This keeps step 2 disciplined: you eliminate layers in order rather than jumping between unrelated guesses.

Bottom-up starts at Layer 1 for suspected physical faults

The bottom-up approach starts at the physical layer (Layer 1) and works upward through the OSI stack. Reach for it when the symptom points at hardware or media: no link light, a dead port, a damaged or wrong cable, or a powered-off device. It wastes time when lower-layer connectivity is already proven good.

1 question tests this
Top-down starts at Layer 7 for application-level complaints

The top-down approach starts at the application layer (Layer 7) and works downward. It fits a complaint about a specific service or app when the host plainly has network connectivity, for example a web app that fails even though the user can ping the server. Choosing it avoids re-checking lower layers that are already known good.

Divide-and-conquer halves the layer search each test

Divide-and-conquer starts in the middle of the OSI stack (often the network or transport layer) and uses each test to eliminate half the remaining layers. A successful ping, for instance, confirms Layers 1 to 3 in one test and lets you focus upward. It is fastest when you have no strong starting hypothesis about which layer holds the fault.

Trap Calling a fixed Layer-1-upward sweep "divide-and-conquer"; that is bottom-up, while divide-and-conquer starts mid-stack and halves the search each test.

Follow-the-path traces traffic hop by hop across devices

The follow-the-path approach traces the traffic from source to destination, checking each switch, router, and firewall along the route to find where the path breaks. Reach for it when connectivity fails across multiple devices or network segments rather than at a single host, because the break is somewhere along the route, not on one endpoint.

Trap Reaching for top-down or bottom-up on a single host when the fault spans the route between hosts; a multi-device path break is what follow-the-path is for.

The four approaches are tactics inside step 2, not extra steps

Top-down, bottom-up, divide-and-conquer, and follow-the-path describe how to form and order theories within step 2 (establish a theory). They are not additional steps in the seven-step method, so a question asking for the methodology's steps never lists them.

Trap Listing a search approach such as top-down or follow-the-path as one of the seven methodology steps; the seven steps are fixed and these are tactics within step 2.

Plan of action also identifies the potential effects of the fix

Step 4 is not just deciding what to change; it explicitly identifies the potential effects of that change, including the blast radius if it goes wrong. This is where change management lives for a non-trivial fix: a change request, a rollback plan, and a maintenance window so resolving one problem does not cause a new outage.

Trap Assuming identifying potential effects happens at verification (step 6); the effects of a change are weighed in the plan (step 4), before it is applied.

Escalate when a fix exceeds your access, authority, or skill

Step 5 is implement the solution or escalate as necessary, and escalation is a legitimate outcome, not a failure. Hand the problem to another team, a vendor, or a carrier when the resolution needs access, approval, or expertise you do not have. Escalation can also occur at step 3 if testing reveals the issue sits outside your control.

Trap Forcing an unauthorized or risky change rather than escalating; when a fix is beyond your access, authority, or skill, escalation is the correct step-5 action.

Verify full system functionality end to end, as the user sees it

Step 6 confirms the problem is gone as the end user experiences it, not merely that the device you touched responds. "Full system functionality" means end to end, so a partial check on one component can let a residual fault ship. This step also implements preventive measures so the same fault does not recur.

Trap Confirming only that the device you changed responds; verification must prove the user's full workflow works, or a residual fault survives.

Implement does not equal verify; they are separate steps

Applying a change (step 5) is not evidence that the change fixed the problem; verification (step 6) is a distinct step that proves it. The exam routinely offers "implement" as a distractor for "verify" and vice versa, so map the action precisely: applying the fix is step 5, confirming it worked is step 6.

Trap Picking implement (step 5) when the stem describes confirming the fix worked; confirming functionality is verify (step 6).

Preventive measures belong to step 6, not a separate step

Implementing preventive measures (replacing a marginal cable instead of reseating it, saving a running config so it survives a reboot, adding monitoring on the failure point) is part of step 6, verify full system functionality. It stops the same fault from recurring rather than just clearing the current symptom.

Documentation is the final graded step, not optional cleanup

Step 7 documents findings, actions, outcomes, and lessons learned. It feeds the knowledge base and change records that make the next similar incident faster to diagnose, and it is a required step in the method. A fix is not complete until it is written down, even when the symptom is already gone.

Trap Treating documentation as optional once the problem is fixed; step 7 is part of the methodology, and skipping it forces the next technician to rediagnose from scratch.

Match an action to its step by the verb in the stem

Many methodology items describe one activity and ask which step it is. Map the verb: gathering information or questioning users is step 1, guessing a cause is step 2, swapping a cable to confirm is step 3, deciding what to change is step 4, applying it is step 5, confirming end-to-end is step 6, and writing it up is step 7.

The next step after a confirmed test is plan, not implement

When a stem says the technician has just tested and confirmed the cause and asks for the next step, the answer is step 4 (establish a plan of action and identify potential effects), not step 5 (implement). Jumping straight to implementing skips the plan, which is exactly the ordering error these questions probe.

Trap Choosing implement the solution as the step right after confirming the cause; the immediate next step is plan of action (step 4).

1 question tests this
No SYN-ACK means blocked; an immediate RST,ACK means no listener

In a capture, a client SYN that gets no SYN-ACK at all means the request never reached a responding service: the host is down, the service is not running, or a firewall is silently dropping the traffic. By contrast, an immediate RST,ACK in reply to the SYN means the host is up and its TCP stack actively refused the connection because nothing is listening on that port. The difference between silence and a reset tells you blocked-or-down versus port-closed.

Trap Treating an immediate RST,ACK the same as no reply, when a reset is an active refusal from a reachable host and silence suggests a drop or a down service.

4 questions test this

Cabling and Physical Issues

Read full chapter
  • Diagnose physical faults symptom to cause to tool
  • Twisted-pair copper stops at 100 meters regardless of category
  • Attenuation is signal loss over distance
  • EMI corrupts copper frames; fiber is immune
  • Crosstalk and NEXT signal a termination problem
  • Keep one T568 standard on both ends of a straight-through run
  • TX/RX transposed kills a like-device link without Auto-MDIX
  • Auto-MDIX removes the need to choose straight vs crossover
  • CRC errors and runts mean a physical-layer fault
  • Giants point at an MTU or tagging misconfiguration
  • Late collisions are the signature of a duplex mismatch
  • A duplex mismatch is one side full, the other half
  • Compare error counts to total traffic before acting
  • PoE fails when the switch power budget is exhausted
  • Match the PoE standard to the device's power draw
  • A transceiver mismatch keeps a fiber link down
  • Single-mode and multimode optics and fiber must match
  • Fiber health is measured as dB loss against a link budget
  • Port status names the next step: down vs err-disabled
  • Passing wiremap but failing insertion loss points to damage or wrong category
  • A split pair passes wiremap but causes crosstalk and CRC errors
  • A reversed pair swaps pin 1 and pin 2 within one pair

Unlock with Premium — includes all practice exams and the complete study guide.

Network Services Issues

Read full chapter
  • Diagnose service faults by the reachability pattern, not by guessing the device
  • A 169.254.x.x address means DHCP failed, so chase the DHCP path
  • DHCP scope exhaustion produces silence, never a DHCPNAK
  • A missing DHCP relay sends a whole remote subnet to APIPA
  • An APIPA host can ping its own subnet but nothing routed
  • A wrong VLAN isolates a host that passes every physical test
  • STP elects the lowest bridge ID as root; a change can leave a port blocking
  • A switching loop with no STP becomes a broadcast storm that saturates the segment
  • An ACL is evaluated top-down, first match wins, with an implicit deny at the end
  • A missing route drops only the destinations it lacks an entry for
  • A missing default route breaks reach to every network not explicitly known
  • A wrong next hop drops packets even though the route exists
  • Asymmetric routing can break stateful firewalls even when both paths work
  • A wrong default gateway loses all off-subnet traffic but keeps the local subnet
  • A wrong subnet mask gives partial, inconsistent reachability
  • A duplicate IP causes intermittent connectivity and conflict warnings
  • Keep static IPs out of the DHCP scope to avoid duplicate-address conflicts
  • STP topology changes flush MAC tables by shortening the aging timer
  • A native VLAN mismatch lands untagged frames in the wrong VLAN
  • An access port drops tagged frames, so multi-VLAN links need a trunk
  • A VLAN missing from the trunk's allowed list is pruned across switches
  • Inter-VLAN routing requires a Layer 3 interface per VLAN
  • PortFast on a switch-to-switch link can create a Layer 2 loop
  • RSTP collapses disabled, blocking, and listening into discarding
  • RSTP root, alternate, and backup ports have distinct redundancy roles
  • Classic STP listening and learning add about 30 seconds before forwarding

Unlock with Premium — includes all practice exams and the complete study guide.

Performance Issues

Read full chapter
  • Bandwidth is the rated capacity; throughput is what you actually measure
  • Congestion is demand exceeding capacity, and it raises delay and loss together
  • Tail drop is what a full interface buffer does to overflow traffic
  • QoS reorders the queue under congestion; it never creates bandwidth
  • QoS marks traffic with DSCP, a 6-bit value in the IP header's DS field
  • Latency is total delay: propagation plus serialization plus queuing
  • Jitter is the variation in latency, and it is what breaks VoIP
  • A jitter buffer smooths arrival timing, not packet loss
  • Packet loss has several causes, so confirm the cause before the fix
  • Measure packet loss with a continuous ping, not a single probe
  • Match the tool to the metric: ping for latency and loss, iperf for throughput
  • Co-channel interference is access points sharing one channel via CSMA/CA backoff
  • Adjacent-channel interference corrupts frames and lowers SNR
  • On 2.4 GHz, only channels 1, 6, and 11 are non-overlapping
  • 5 GHz and 6 GHz offer more non-overlapping channels for crowded areas
  • Non-Wi-Fi sources raise the noise floor in the 2.4 GHz band
  • RSSI measures signal strength; SNR measures signal above noise
  • Mark voice and video with QoS so they survive a saturating bulk flow
  • TCP retransmissions and duplicate ACKs in a capture point to packet loss
  • NetFlow identifies top talkers and bandwidth-hogging applications
  • SNMP polling at intervals builds utilization and error baselines
  • An SNMP trap is an unsolicited push for immediate event alerting
  • ifInDiscards and ifOutDiscards count no-error drops from buffer congestion

Unlock with Premium — includes all practice exams and the complete study guide.

Troubleshooting Tools

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Name the layer before you pick a tool

Decide first whether a symptom is physical (Layer 1) or logical (Layer 3 and above), because that one split eliminates most wrong-tool answers. A dead cable, a port that will not light, or a powered device that will not boot is physical and needs a hardware tool like a cable tester, TDR, or toner probe. Reachability, addressing, name resolution, and routing are logical and need a command-line tool like ping, traceroute, nslookup, or ipconfig.

ping tests reachability, traceroute tests the path

ping sends ICMP echo requests and reports whether a host answers plus the round-trip latency and loss, so it answers "is it alive and how cleanly." traceroute (tracert on Windows) reports every router hop to the destination and where the path breaks or slows, so it answers "which hop is responsible." Confirm the destination is alive with ping first, then switch to traceroute once you know it is unreachable or slow.

Trap Reaching for traceroute to test whether a host is simply up; that wastes time mapping hops when one ping already answers the liveness question.

11 questions test this
A failed ping is not proof a host is down

Many firewalls drop ICMP while still passing real application traffic, so a host that will not answer ping can still be serving on its TCP ports. When ping fails, confirm with a TCP port test, telnet or nc (netcat) to the service port, before declaring the host unreachable. A successful port test with a failed ping means ICMP is filtered, not that the service is down.

Trap Concluding a server is down from a failed ping alone, when the firewall is only dropping ICMP and the service port is still open.

A silent traceroute hop is usually rate-limiting, not a failure

traceroute works by raising the IP TTL one step at a time so each router returns an ICMP Time Exceeded, but routers commonly rate-limit or deprioritize that ICMP. A single middle hop showing asterisks while later hops still answer is that router quietly throttling, not a break. Read the path by the last hop that answers normally and the first that does not, not by one silent hop in the middle.

Trap Treating an asterisk on one middle hop as the point of failure, when later hops still respond and the gap is just ICMP rate-limiting.

10 questions test this
Use nslookup or dig when a name fails but the IP works

When a site loads by IP address but not by name, the fault is name resolution, and nslookup (cross-platform) or dig (more detailed, on Linux and macOS) query a DNS server directly to prove it. They show which server answered and what record came back, separating a DNS problem from a connectivity problem in one command. You can also aim them at a specific resolver to test whether one server is stale while another is correct.

Trap Pinging the hostname to diagnose a name failure; ping by name blends DNS and connectivity, so it confirms something is wrong but never that DNS specifically is the cause.

11 questions test this
ipconfig reads the local IP config; 169.254 means DHCP failed

ipconfig (Windows) and ifconfig or ip (Linux and macOS) print the interface's address, subnet mask, default gateway, and DNS servers, the first stop for a "my machine cannot get anywhere" report. An address in the 169.254.0.0/16 range is an APIPA (Automatic Private IP Addressing) link-local address, which a host assigns itself only after asking for a DHCP lease and getting no reply. So an APIPA address means the DHCP server is unreachable or its pool is exhausted, not that DNS or routing is broken.

Trap Reading a 169.254.x.x address as a DNS or gateway problem; it is the specific signature of a failed DHCP lease.

netstat shows a host's own ports and connections

netstat lists the local host's active TCP and UDP connections and the ports it is listening on, a view only the host itself can give. Use it to confirm a service is actually bound and listening (for example a web server on port 443) and to see which remote hosts a machine is talking to. It is the local counterpart to nmap, which scans ports from across the network.

6 questions test this
arp shows the IP-to-MAC cache for the local segment

arp displays and edits the host's Address Resolution Protocol cache, the table mapping IPv4 addresses to MAC addresses on the local broadcast domain. It is the tool for a suspected duplicate IP or a stale or poisoned mapping: if two hosts claim one address, or an entry points at the wrong MAC, arp shows it. ARP only works within the local segment, so an entry for an off-subnet host shows the default gateway's MAC, not the remote host's.

Trap Expecting an arp entry to show a remote off-subnet host's MAC; ARP is local-only, so it returns the gateway's MAC for anything off the segment.

6 questions test this
nmap maps which ports a remote host exposes

nmap scans a remote target or a whole subnet to report which hosts are up and which ports they expose, answering "what services does this host offer" from across the network. For a single quick check you do not need a full scan: a telnet or nc connection to one host and port simply succeeds or refuses. Reach for nmap when you must discover the service footprint, and for the one-port test when you just need to confirm a single port is reachable.

A protocol analyzer is the last resort, not the first

A protocol analyzer (packet sniffer) such as Wireshark or the command-line tcpdump captures frames and decodes them field by field, so it can answer almost any question about what a host sent or received. That power costs time and expertise, so it belongs at the end of the workflow, after cheaper tools have narrowed the problem. Reach for it only when you must read the protocol exchange itself, such as a TLS handshake that fails partway, a DHCP request that gets no offer, or a retransmission storm.

Trap Capturing packets to answer a question ping or traceroute already settles; the analyzer is for protocol-level mysteries, not basic reachability.

2 questions test this
Capturing on a switch needs port mirroring

A switch forwards unicast frames only to the destination port, so a protocol analyzer plugged into one port sees only its own traffic plus broadcasts. To capture another port's traffic you configure port mirroring (a SPAN port), which copies frames from one or more ports to the monitoring port. Capturing also normally requires the analyzer's NIC in promiscuous mode so it accepts frames addressed to other hosts.

Trap Expecting a packet capture on a switched network to see every host's traffic by default; without a mirror or SPAN port the switch never forwards it to the analyzer.

8 questions test this
A wiremap cable tester proves continuity and pinout

A wiremap cable tester lights each conductor in turn to prove opens (a broken conductor), shorts (two conductors touching), reversed pairs, transposed pairs, and split pairs on a copper run. It is the right tool the instant you suspect a bad termination or a miswired patch. It only proves the copper is good, though, and says nothing about VLANs, routing, or any logical fault, so once continuity passes, move up to the command-line tools.

2 questions test this
TDR locates copper faults; OTDR locates fiber faults

When a cable tests bad or intermittent and you need to know where along a long run the fault is, a reflectometer reports the distance to it. A time-domain reflectometer (TDR) pulses copper and times the reflection from a break or short; an optical time-domain reflectometer (OTDR) does the same for fiber, reporting distance to a break, splice, or high-loss bend. The pairing to memorize is TDR for copper, OTDR for fiber.

Trap Using a copper TDR on a fiber run (or an OTDR on copper); the medium decides the instrument, TDR for copper and OTDR for fiber.

11 questions test this
A toner probe locates an unlabeled cable

A toner probe is a two-piece tool: a tone generator clipped to one end injects an audible signal, and an inductive probe waved over a bundle at the far end finds the cable carrying that tone. It is the tool for the specific job of locating or labeling an unmarked cable in a crowded patch panel or wiring closet. No tester or analyzer does this job; only the toner probe traces one physical cable through a bundle.

A light meter verifies fiber is within its dB loss budget

Fiber health is measured as optical loss in decibels, and a light meter (optical power meter) reads the power arriving at the far end of a run. A reading outside the link's loss budget means the run is too long for the optic, a connector is dirty, or the fiber is bent past its minimum radius. Use the light meter to confirm a fiber link carries enough signal; use an OTDR when you also need the distance to the fault.

2 questions test this
A loopback plug proves a port works but never locates a break

A loopback plug folds a port's transmit pins back into its receive pins so the port talks to itself, proving a NIC or switch port can send and receive. It confirms the port hardware is functional, which is useful to rule the port in or out. It never locates a cable fault or measures distance, so reaching for it to find where a cable is broken is the classic loopback distractor.

Trap Choosing a loopback plug to locate a cable break; it only tests that a port can transmit and receive, not where the wire is faulted.

4 questions test this
A Wi-Fi analyzer reads 802.11 channels and signal

A Wi-Fi analyzer scans the wireless bands and reports the access points in range, the channel each uses, and the signal strength a client sees, so it is the tool for wireless that is slow or dropping. It exposes co-channel and adjacent-channel interference (too many APs sharing or overlapping a channel) and weak signal, pointing to a fix of non-overlapping channels or moving the AP. The 2.4 GHz band has only three non-overlapping channels (1, 6, 11), which is why crowded 2.4 GHz cells interfere so easily.

A spectrum analyzer finds non-Wi-Fi RF interference

A Wi-Fi analyzer only sees 802.11 traffic, so when the interference comes from a microwave oven, cordless phone, or Bluetooth device rather than another access point, it shows nothing. A spectrum analyzer reads raw radio energy across a band and reveals those non-Wi-Fi sources. The distinction the exam draws is that a Wi-Fi analyzer reads the 802.11 network while a spectrum analyzer reads the RF spectrum itself.

Trap Using a Wi-Fi analyzer to chase interference from a microwave or cordless phone; it only sees 802.11, so non-Wi-Fi RF needs a spectrum analyzer.

1 question tests this
Run reachability tools in order: ping, then traceroute, then nslookup/dig

The fast triage for a "the internet is down" report is to run three command-line tools in sequence, each answering one question. ping asks whether the destination is alive and how cleanly; traceroute asks which hop breaks once ping says it is unreachable or slow; nslookup or dig asks whether the name resolves when a site works by IP but not by name. Running them host-outward narrows the fault quickly without jumping to a packet capture.

1 question tests this
tcpdump -w writes raw packets to a pcap file for Wireshark

The tcpdump -w flag saves captured packets in raw pcap binary form to a file instead of printing them, and the file opens directly in Wireshark or reads back with tcpdump -r. Combine it with -i to pick the interface and a trailing BPF expression to limit what is captured, for example tcpdump -i eth0 -w capture.pcap port 80 to save only HTTP traffic.

Trap Using -r or a display option to save a capture, when -w is the flag that writes the pcap file.

4 questions test this
Capture filters limit what is recorded; display filters limit what is shown

A Wireshark capture filter uses BPF syntax and decides which packets get written at capture time, so it is the way to shrink the file on a busy network, written like host 10.1.1.50 or port 53. A display filter uses Wireshark's own syntax and only changes what is shown from an already-saved capture, written like ip.src == 192.168.1.100, ip.addr == 10.1.1.50 and tcp.port == 443, or dns.flags.response == 1. The two syntaxes are different and serve different stages.

Trap Expecting a display filter to reduce the capture file size, when only a capture filter limits what is recorded and a display filter just hides already-captured packets.

6 questions test this
Follow TCP Stream isolates a conversation; Protocol Hierarchy summarizes the capture

Follow TCP Stream pulls every packet of a single TCP conversation together by applying a stream-index filter and reconstructs the application-layer exchange between the two endpoints. Statistics, Protocol Hierarchy instead gives a tree of every protocol seen with packet counts and percentages, which is the fast way to spot an unexpected or unauthorized protocol across a large capture.

Trap Reaching for Follow TCP Stream to survey which protocols appeared, when Protocol Hierarchy is the capture-wide breakdown and Follow Stream drills into one conversation.

3 questions test this
On a TDR an open reflects positive, a short reflects negative

A time-domain reflectometer sends a pulse and reads reflections from impedance changes, with the delay giving the distance to the fault. An open circuit, a break or disconnection, is high impedance and returns an in-phase positive upward spike. A short between conductors is low impedance and returns an inverted negative reflection. A localized impedance change without a full open or short, such as a kink, crush, or crimp, shows as a sharp anomaly at that distance even when a basic wiremap still passes.

Trap Reading a positive TDR spike as a short, when the in-phase upward reflection is an open and the inverted reflection is the short.

7 questions test this
pathping computes per-hop loss to find which router drops packets

Pathping first traces the route, then sends repeated probes to every hop over a sustained period and reports per-hop and per-link latency and packet-loss percentages. That makes it the right tool for intermittent slowness where connectivity is never fully lost: it pinpoints which specific router or link along the path is dropping the most packets, which a single traceroute or ping cannot do.

Trap Using a one-shot traceroute to find an intermittent packet-dropping hop, when pathping is what accumulates per-hop loss statistics over time.

4 questions test this
Read a traceroute by where replies stop, repeat, or jump in time

Traceroute output is diagnostic by pattern. Hops that reply normally then turn into all-timeouts mark the failure at or just beyond the last responding hop. The same two addresses alternating across many hops until the max hop count is a routing loop, where packets bounce until the TTL expires. A sudden large latency jump between two hops, with later hops staying near that level, locates the added delay on the link between those two hops.

Trap Blaming the hop that times out, when the fault is at or just past the last hop that actually replied.

13 questions test this
netstat -ano maps listening ports to owning process IDs and shows socket states

On Windows, netstat -ano lists all connections and listening ports (-a) numerically (-n) with the owning process ID (-o), so it ties a port like 443 to the exact process serving it. The connection state column is itself diagnostic: many SYN_SENT entries to one host mean the remote end is not answering, and many CLOSE_WAIT entries mean the local application received the client's FIN but never closed its sockets, an application-level socket leak.

Trap Reading CLOSE_WAIT pileups as the remote side hanging, when CLOSE_WAIT means the local application failed to close its half of the connection.

5 questions test this
A centralized syslog server correlates timestamped events across devices

A centralized syslog server aggregates timestamped log messages from every network device into one place, which is what lets you correlate the timing of events, an interface flapping, a device rebooting, a spanning tree reconverging, across multiple switches and routers at once. It is the right approach for intermittent, multi-device problems where you need to line up when things happened. Syslog severity runs 0 Emergency to 7 Debug, with level 4 meaning Warning.

Trap Logging into each device one at a time to chase an intermittent multi-device fault, when centralized syslog lines the events up on a single timeline.

7 questions test this
An RJ45 loopback plug wires pin 1 to 3 and pin 2 to 6

An RJ45 Ethernet loopback plug connects the transmit pair, pins 1 and 2, to the receive pair, pins 3 and 6, so data the port sends loops straight back into its own receive circuit to confirm the port transmits and receives. It proves a port works but, having no run of cable, it can never locate a break or a distance fault.

Trap Expecting a loopback plug to find where a cable is broken, when it only validates the local port and cannot locate a fault along a run.

2 questions test this
A visual fault locator pinpoints a fiber bend or break by escaping red light

A visual fault locator injects bright visible red light, typically around 650 nm, into a fiber, and at a sharp bend, crack, or break the light escapes through the jacket and is visible to the eye, so the technician can walk the run and pin down the exact fault location. It is the quick visual tool for locating a physical fiber fault, distinct from an OTDR's distance trace or a light meter's loss measurement.

Trap Reaching for a light meter to locate a fiber bend, when a light meter only measures end-to-end loss and the VFL shows the physical fault point.

2 questions test this
Read nslookup output to separate a wrong server from a dead resolver

nslookup's first lines name the DNS server it queried, so when only one workstation cannot resolve internal names and that server is an external public resolver, the host is simply pointed at the wrong DNS server. A reply of DNS request timed out means the configured server did not answer, and the next isolating step is to ping that server's IP to test reachability. A Non-authoritative answer is normal: the response came from a caching resolver rather than the zone's authoritative server.

Trap Treating a Non-authoritative answer as an error, when it just means the answer came from a cache and is the expected result of recursive resolution.

5 questions test this