CompTIA CNX-001 - CompTIA CloudNetX Exam

Comprehensive and Detailed Explanation From Exact Extract:

STP (Spanning Tree Protocol) is a Layer 2 standard protocol that prevents switching loops in Ethernet networks by creating a loop-free logical topology. It can automatically block and unblock redundant paths based on network changes, ensuring reliability and avoiding broadcast storms.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Ethernet Loop Prevention and Switching Protocols”:

“STP is a standard Layer 2 protocol used to detect and prevent network loops, enhancing network stability in switched topologies.”

Other options:

B. SIP is a signaling protocol used in VoIP.

C. RTSP is for media streaming control.

D. BGP is a routing protocol, not for Layer 2 loop prevention.

Comprehensive and Detailed Explanation From Exact Extract:

A 403 Forbidden error indicates that the request was understood by the server but is refusing to fulfill it due to insufficient authorization. The developer is attempting to call a protected API that requires valid credentials such as an access key and signature (often used in HMAC-based APIs), but the values appear as Postman variables (e.g., {{rapyd_access_key}}), which suggests they were not replaced with actual credentials.

This typically means that the request lacks proper authentication or authorization headers, or the keys/signature are incorrect or missing. The presence of access_key, signature, salt, and timestamp in the request implies the API requires authentication, but the variables were not resolved or valid.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “API Security and Authentication”:

“A 403 error typically results from failed authentication or lack of proper authorization. Developers must ensure that tokens or signatures are valid, not missing, and properly injected.”

Other options:

A. 404 is the code for a missing resource, not 403.

C. A firewall rule would block the request entirely (e.g., no response or a 0 status), not result in a 403 from the server.

D. HTTP redirection issues typically result in 3xx codes, not 403.

 

Comprehensive and Detailed Explanation From Exact Extract:

This scenario describes a classic example of social engineering. An attacker impersonated the help desk and convinced the user to change their password, likely to one the attacker controlled. Social engineering attacks manipulate human behavior to bypass technical security measures.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Social Engineering Threats”:

“Social engineering involves manipulating individuals to perform actions or divulge confidential information, such as passwords, often by impersonating trusted entities like IT support.”

Other options:

A. Initialization vector relates to encryption vulnerabilities.

B. On-path (formerly man-in-the-middle) requires network interception, which is not described here.

C. Evil twin is a rogue Wi-Fi AP attack, not applicable to this VPN login context.

Comprehensive and Detailed Explanation From Exact Extract:

Round-robin DNS is a simplistic form of load balancing that does not perform health checks. If one of the four servers is down, DNS will still resolve its IP to 25% of users, resulting in failed connections. This matches the symptom of 25% failure rate — 1 out of 4.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Load Balancing Techniques and Availability”:

“Round-robin DNS distributes requests without regard for health status. Without external health checks, failed servers will continue to receive traffic, leading to partial service disruptions.”

Other options:

B. The percentages do not align with a 25% failure rate.

C. Least-connection algorithms usually have integrated health checks.

D. If health checks are active, the load balancer would not forward requests to a failed server.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A collapsed core design combines the core and distribution layers into a single tier, making it ideal for small-scale networks such as satellite campuses or branch offices. It reduces complexity, cost, and footprint while still supporting redundancy and scalability where needed.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Network Design Models”:

“For small to medium-sized deployments, a collapsed core topology reduces hardware and configuration complexity while maintaining essential functionality.”

Other options:

A. Hybrid refers to cloud/physical blends, not network topology.

B. Dual-layer isn’t a standard enterprise architecture reference.

C. Three-tier is overkill for small networks and adds unnecessary complexity.

Comprehensive and Detailed Explanation From Exact Extract:

Traffic mirroring allows a copy of network traffic — including headers and payloads — to be sent to an analysis tool or appliance for deep packet inspection. This is essential for security analysis, network troubleshooting, and performance diagnostics in cloud environments.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Packet Capture and Network Flow Monitoring”:

“Traffic mirroring enables the capture of full packet data, including payloads, for forensic or performance analysis within cloud networks.”

Other options:

A. Application monitoring focuses on app-level metrics, not packet inspection.

B. Syslog is log-based, not for inspecting packets.

D. Network flows (e.g., NetFlow, VPC flow logs) provide metadata (source, destination, size) but not full packet content.

Comprehensive and Detailed Explanation From Exact Extract:

A CMDB (Configuration Management Database) is a centralized repository used to store information about IT assets and their relationships, including configuration items such as servers, applications, and databases. It provides visibility into dependencies between infrastructure components, including application and database tiers. This is essential for cloud migration and modernization projects where understanding interdependencies ensures accurate planning and reduces risks.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under the “Infrastructure Documentation and Planning” domain:

“CMDBs are used to track asset relationships, allowing network and systems engineers to visualize and manage dependencies between services, applications, and infrastructure components critical for change management and cloud migration.”

Other options:

A. Internal knowledge base articles may offer general guidance but not structured dependency mapping.

C. WBS (Work Breakdown Structure) outlines tasks and deliverables, not technical dependencies.

D. Physical server diagrams are not relevant in virtualized/cloud environments.

E. SOW (Statement of Work) defines project scope but lacks infrastructure-level detail.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

According to the standard CompTIA troubleshooting methodology, once the issue has been identified and a solution has been implemented (e.g., failing over traffic to the backup link), the next logical step is to verify full system functionality. This ensures that the backup path is working as intended and that services have resumed properly for the users.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting Process”:

“After implementing the solution, it is critical to verify full system functionality to ensure the resolution has addressed the problem without causing unintended consequences.”

Other options:

A. Documenting lessons learned is the final step.

B. The plan of action should have been created before the failover.

C. Identifying the problem already occurred earlier in the scenario.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

RADIUS (Remote Authentication Dial-In User Service) is the best-fit protocol for this requirement. It supports both authentication and authorization and is widely used in Wi-Fi network environments for client device authentication using credentials stored in centralized directories such as Active Directory.

RADIUS integrates seamlessly with enterprise authentication sources and supports EAP (Extensible Authentication Protocol), making it compatible with Wi-Fi-based client devices. It also allows for role-based access control, enabling policy enforcement specific to device types (e.g., inventory scanners).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — “Authentication and Authorization Technologies”:

“RADIUS provides centralized authentication, authorization, and accounting (AAA) services and is commonly used for securing wireless access in conjunction with Active Directory.”

“Organizations use RADIUS to manage Wi-Fi authentication for user devices and enforce security policies during access attempts.”

Using a RADIUS server with 802.1X on the Wi-Fi infrastructure allows the scanners (and their users) to be authenticated against Active Directory and mapped to the correct authorization policies. TACACS+ is geared toward device management, LDAP alone doesn’t handle the Wi-Fi 802.1X handshake, and PKI by itself wouldn’t provide the user-to-device authorization flow needed. RADIUS gives you both authentication and authorization tied into AD.