CompTIA N10-009 - CompTIA Network+ Certification Exam

VLAN hopping occurs when an attacker tricks a switch into believing the host is another switch by generating tagged frames or exploiting trunk negotiation (DTP). This allows the attacker to access traffic from multiple VLANs, potentially stealing sensitive data.

B. Evil twin is a rogue wireless AP attack, unrelated to switch impersonation.

C. DNS poisoning corrupts name resolution, not VLAN access.

D. ARP spoofing is a Layer 2 on-path attack, not masquerading as a switch.

References (CompTIA Network+ N10-009):

Domain: Network Security — VLAN hopping attacks, switch spoofing techniques.

The issue is that more students have arrived on campus, meaning the available IP addresses are exhausted. To fix this, the administrator should increase the DHCP scope size to allow more devices to obtain IP addresses.

Breakdown of Options:

A. Enable IP helper – IP helper is used to forward DHCP requests across different subnets. However, the problem here is that the DHCP scope is full, not that requests are not reaching the server.

B. Change the subnet mask – The subnet mask determines the number of available hosts, but changing it without increasing the IP pool does not help.

C. Increase the scope size – Correct answer. Expanding the DHCP scope provides more IP addresses for assignment.

D. Add address exclusions – Exclusions reserve IP addresses, which would further reduce available addresses instead of solving the issue.

In a mesh topology, every node is directly connected to every other node. This provides high redundancy and reliability, as there are multiple paths for data to travel between nodes. This topology is often used in networks where high availability is crucial.References: CompTIA Network+ study materials.

Site-to-Site VPN: A site-to-site VPN is used to securely connect two networks, such as a company ' s headquarters and a branch location, over the internet. This type of VPN creates a secure tunnel for data transmission, ensuring confidentiality and integrity.

Split-tunnel VPN (A): Allows some traffic to bypass the VPN tunnel, which may not secure all communications.

Clientless VPN (B): Used for individual users to access the network without VPN client software.

Full-tunnel VPN (C): Typically used for individual user traffic rather than connecting two networks.

Broadcast traffic is sent to all nodes on the network. In a broadcast, a single packet is transmitted to all devices in the network segment. This is commonly used for tasks like ARP (Address Resolution Protocol) requests.

Broadcast Domain: All devices within the same broadcast domain will receive broadcast traffic.

Network Types: Ethernet networks commonly use broadcast traffic for certain functions, including network discovery and addressing.

IPv4 Broadcast: An IPv4 broadcast address (e.g., 255.255.255.255) ensures the packet is sent to all devices on the network.

Network References:

CompTIA Network+ N10-007 Official Certification Guide: Explains network traffic types, including broadcast, unicast, and multicast.

Cisco Networking Academy: Provides training on network communication methods and traffic types.

Network+ Certification All-in-One Exam Guide: Discusses different types of network traffic and their uses in various network scenarios.

Broadcast traffic is essential for network operations that require communication with all nodes, such as ARP requests or DHCP discovery messages.

•API (Application Programming Interface) enables secure and granular access control, remote management, and logging, making it ideal for network monitoring.

•SNMP (A) is mainly used for device monitoring but lacks centralized logging and user-based privilege control.

•SIEM (C) is a security monitoring tool focused on log collection, not device management.

•SSO (D) is related to authentication, not monitoring.

📖 Reference: CompTIA Network+ N10-009 Official Documentation – Network Monitoring & Management Technologies.

In a data center that practices hot aisle/cold aisle ventilation, equipment should be installed so that the exhaust faces the rear of the rack. This setup ensures that hot air is expelled into the hot aisle, maintaining proper airflow and cooling efficiency.

Hot Aisle/Cold Aisle Configuration: Equipment intake should face the cold aisle where cool air is supplied, and exhaust should face the hot aisle where hot air is expelled.

Cooling Efficiency: Proper orientation of equipment helps maintain an efficient cooling environment by segregating hot and cold air, preventing overheating and improving energy efficiency.

Network References:

CompTIA Network+ N10-007 Official Certification Guide: Discusses data center design principles, including hot aisle/cold aisle configurations.

Cisco Data Center Design Guide: Provides best practices for data center layout and equipment installation.

Network+ Certification All-in-One Exam Guide: Covers data center environmental controls and ventilation strategies.

The correct answer is Full-tunnel because the policy requires all network traffic from remote corporate laptops to pass through the company’s VPN. In a full-tunnel VPN configuration, once the VPN connection is established, all traffic—including internet-bound traffic—is routed through the corporate network before reaching its destination. This ensures centralized monitoring, content filtering, logging, and enforcement of security controls such as IDS/IPS and firewalls.

According to CompTIA Network+ (N10-009) security objectives, full-tunnel VPNs enhance security by preventing users from directly accessing the internet from their local connection, thereby reducing exposure to local network threats (e.g., public Wi-Fi attacks).

A split-tunnel VPN (Option D) allows users to access the internet directly while only sending corporate-bound traffic through the VPN, which does not meet the “all traffic” requirement. A site-to-site tunnel (Option C) connects entire networks rather than individual remote users. A clientless VPN (Option A) typically provides web-based access without a full network tunnel and does not necessarily route all traffic.

Therefore, full-tunnel best matches the policy requirement.

The correct answer is SaaS (Software as a Service). According to the CompTIA Network+ N10-009 objectives, SaaS is the most cost-efficient cloud model for hosting common business applications such as email, collaboration tools, and productivity suites. With SaaS, the cloud provider manages all infrastructure, operating systems, application software, security updates, and maintenance, significantly reducing administrative overhead and operational costs.

Email services are a prime example of workloads that benefit from SaaS solutions such as Microsoft 365 or Google Workspace. Organizations pay a subscription-based fee, typically per user, and avoid expenses related to server hardware, licensing, patching, backups, redundancy, and disaster recovery. This makes SaaS far more economical than deploying and maintaining email servers internally or in lower-level cloud models.

IaaS requires the organization to manage virtual machines, operating systems, email server software, and security configurations, which increases both cost and complexity. PaaS simplifies application development but is not designed for hosting ready-made services like email platforms. A VPC (Virtual Private Cloud) is a networking construct, not a service model, and does not inherently provide email hosting functionality.

The Network+ objectives emphasize selecting cloud service models based on cost, management responsibility, and operational efficiency. For standardized services like email, SaaS offers the lowest total cost of ownership and the least administrative burden, making it the best and most cost-effective choice.

A computer network diagram with many boxes and text AI-generated content may be incorrect.

IPv4 addresses are divided into classes:

Class A: Supports 16,777,214 hosts (large enterprises).

Class B: Supports 65,534 hosts (medium to large networks).

Class C: Supports 254 hosts (small to medium networks).

Class D: Used for multicast, not for assigning IPs to hosts.

Step-by-step Calculation:

The network will have 150 users initially, with a projected growth of 10 users, totaling 160 users.

Each user has two devices, so 160 × 2 = 320 IP addresses needed.

A Class C subnet has 254 usable IPs by default, which is not sufficient.

A Class B subnet can support thousands of hosts, making it the most appropriate option.

Incorrect Options:

A. Class D: Reserved for multicast, not for host assignments.

C. Class A: Overkill for a network of this size.

D. Class C: Cannot support 320 hosts without subnetting, making Class B the best choice.

Comprehensive and Detailed Explanation (aligned to N10-009):

802.1X provides port-based Network Access Control (NAC), requiring authentication (often through RADIUS) before granting access. This is the standard for enterprise authentication on both wired and wireless networks.

A. 802.1Q defines VLAN trunking.

C. 802.3bt defines higher-power PoE.

D. 802.11h deals with spectrum management in wireless.

References (CompTIA Network+ N10-009):

Domain: Network Security — NAC, 802.1X authentication.

DNS poisoning (also commonly called DNS cache poisoning) is characterized by inserting fraudulent DNS data into a resolver’s cache so that subsequent queries return incorrect IP mappings. Option D describes this precisely: false DNS records are injected into a DNS server’s cache, causing users to be redirected to attacker-controlled destinations even when they request a legitimate hostname. This aligns with Network+ security objectives covering common network attacks targeting name resolution and trust relationships. Editing authoritative DNS records on a DNS server (A) implies direct compromise or unauthorized administrative change, which is a different scenario than cache poisoning. Setting up a malicious DNS server in place of a legitimate server (B) is closer to DNS hijacking or rogue DNS configuration rather than cache poisoning. Intercepting client requests and returning false responses (C) describes man-in-the-middle style spoofing on the wire; while related, the defining “poisoning” trait is the persistence created by corrupting the cache so the bad answer continues to be served. For defensive relevance in Network+ scope, cache poisoning highlights the importance of DNS security controls such as source port randomization, transaction ID entropy, and DNSSEC validation where applicable.

After implementing the solution, the immediate next step is to verify full system functionality. This confirms that the problem has been resolved and helps ensure no new issues have been introduced.

From Andrew Ramdayal’s guide:

“After the solution is implemented, test the system to ensure that it is fully operational, and the original problem has been resolved. Also, put in place any measures that could prevent the issue from recurring.”