Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.3. Scenario-Based Practice Questions (60 Questions)

Domain 1: Networking Concepts (Questions 1-14)

Question 1: A network administrator needs to determine which OSI layer is responsible for establishing, maintaining, and terminating connections between applications. Which layer provides this functionality?

  • A. Transport
  • B. Session ✓
  • C. Presentation
  • D. Application

Rationale:

  • A. Transport — Incorrect. Layer 4 handles segmentation, flow control, and reliable delivery (TCP/UDP), but not session management.
  • B. Session — Correct. Layer 5 manages sessions—the dialogues between applications including setup, coordination, and teardown.
  • C. Presentation — Incorrect. Layer 6 handles data formatting, encryption, and compression.
  • D. Application — Incorrect. Layer 7 provides the interface for user applications but relies on lower layers for session management.

Question 2: A switch receives a frame with a destination MAC address that is not in its MAC address table. What action does the switch take?

  • A. Drops the frame
  • B. Sends to the default gateway
  • C. Floods the frame to all ports except the source ✓
  • D. Sends an ARP request

Rationale:

  • A. Drops the frame — Incorrect. Switches don't drop frames for unknown destinations—they flood them.
  • B. Sends to the default gateway — Incorrect. Switches don't route; gateways are Layer 3.
  • C. Floods the frame to all ports except the source — Correct. Unknown unicast flooding ensures the frame reaches the destination (wherever it is), and the switch learns the MAC when the destination replies.
  • D. Sends an ARP request — Incorrect. ARP is for IP-to-MAC resolution; switches don't initiate ARP.

Question 3: A server is running web, email, and FTP services. A client wants to establish a web connection. What identifies the specific service on the server?

  • A. MAC address
  • B. IP address
  • C. Port number ✓
  • D. Protocol type

Rationale:

  • A. MAC address — Incorrect. MACs identify physical devices, not services.
  • B. IP address — Incorrect. IPs identify hosts; all three services share the same server IP.
  • C. Port number — Correct. Ports identify services: 80 for HTTP, 25 for SMTP, 21 for FTP. The client connects to the server IP + destination port.
  • D. Protocol type — Incorrect. Protocol (TCP/UDP) specifies transport, not which application.

Question 4: A small office experiences a brief power flicker lasting 2 seconds. Which device prevents the network equipment from shutting down during this event?

  • A. Surge protector
  • B. PDU
  • C. UPS ✓
  • D. Generator

Rationale:

  • A. Surge protector — Incorrect. Surge protectors handle voltage spikes, not power loss.
  • B. PDU — Incorrect. PDUs distribute power but don't provide backup.
  • C. UPS — Correct. Uninterruptible Power Supply provides battery backup for brief outages, keeping equipment running.
  • D. Generator — Incorrect. Generators handle extended outages but need 10-30 seconds to start—the 2-second flicker would cause a disruption.

Question 5: A security consultant discovers a web server running outdated software with known security flaws. What classification does this finding receive?

  • A. Threat
  • B. Exploit
  • C. Vulnerability ✓
  • D. Risk

Rationale:

  • A. Threat — Incorrect. A threat is a potential source of harm (attacker, disaster), not a weakness.
  • B. Exploit — Incorrect. An exploit is the technique used to take advantage of a vulnerability.
  • C. Vulnerability — Correct. A vulnerability is a weakness that could be exploited. Outdated software with known flaws is the textbook definition.
  • D. Risk — Incorrect. Risk = Threat × Vulnerability × Impact—it's a calculation, not a finding.

Question 6: An employee notices someone positioned behind them watching their screen while they enter credentials. What attack type occurred?

  • A. Vishing
  • B. Shoulder surfing ✓
  • C. Tailgating
  • D. Whaling

Rationale:

  • A. Vishing — Incorrect. Vishing is voice phishing via phone calls.
  • B. Shoulder surfing — Correct. Visual observation of screens or keyboards to capture information.
  • C. Tailgating — Incorrect. Following an authorized person through a secured door.
  • D. Whaling — Incorrect. Phishing targeting executives.

Question 7: A help desk receives a call: "Nothing works." Following CompTIA's methodology, what should the technician do FIRST?

  • A. Check if the network cable is connected
  • B. Gather information and identify the problem ✓
  • C. Establish a theory of probable cause
  • D. Restart the user's computer

Rationale:

  • A. Check cable — Incorrect. Testing a theory before having one.
  • B. Gather information and identify the problem — Correct. Step 1: Question the user, identify symptoms, determine scope.
  • C. Establish theory — Incorrect. Step 2 comes after identifying the problem.
  • D. Restart computer — Incorrect. Implementing a solution without diagnosis.

Question 8: A workstation shows IP address 169.254.47.89. What is the most likely cause?

  • A. Static IP conflict
  • B. DHCP server unavailable ✓
  • C. DNS server not responding
  • D. Default gateway misconfigured

Rationale:

  • A. Static IP conflict — Incorrect. Conflicts show the configured IP, not APIPA.
  • B. DHCP server unavailable — Correct. 169.254.x.x is APIPA—Windows/Mac self-assign this when DHCP fails.
  • C. DNS not responding — Incorrect. DNS issues affect name resolution, not IP assignment.
  • D. Gateway misconfigured — Incorrect. Gateway issues affect routing, not IP assignment.

Question 9: A healthcare organization needs complete control over security with dedicated infrastructure and strict HIPAA compliance. Which deployment model?

  • A. Public cloud
  • B. Private cloud ✓
  • C. Hybrid cloud
  • D. Community cloud

Rationale:

  • A. Public cloud — Incorrect. Multi-tenant, shared resources make complete control harder.
  • B. Private cloud — Correct. Single-tenant, dedicated infrastructure provides maximum control.
  • C. Hybrid cloud — Incorrect. Combines models but doesn't maximize control.
  • D. Community cloud — Incorrect. Shared among organizations with common concerns—not single-tenant.

Question 10: A website receives millions of requests per second from 50,000 different IP addresses. What attack type?

  • A. DoS attack
  • B. DDoS attack ✓
  • C. SQL injection
  • D. DNS poisoning

Rationale:

  • A. DoS — Incorrect. DoS is single-source; this is distributed.
  • B. DDoS — Correct. Distributed Denial of Service uses multiple sources—50,000 IPs indicates a botnet.
  • C. SQL injection — Incorrect. Database attack through input fields, not traffic flooding.
  • D. DNS poisoning — Incorrect. Corrupts DNS cache, doesn't generate traffic.

Question 11: An administrator needs encrypted command-line access to Linux servers. Which protocol?

  • A. Telnet
  • B. SSH ✓
  • C. RDP
  • D. TFTP

Rationale:

  • A. Telnet — Incorrect. Plaintext—credentials visible to sniffers.
  • B. SSH — Correct. Port 22, encrypted CLI access.
  • C. RDP — Incorrect. Graphical remote desktop for Windows.
  • D. TFTP — Incorrect. Simple file transfer, not management.

Question 12: Two locations with different subnets need to communicate. What device is required?

  • A. Switch
  • B. Router ✓
  • C. Access point
  • D. Media converter

Rationale:

  • A. Switch — Incorrect. Layer 2, doesn't route between subnets.
  • B. Router — Correct. Layer 3, forwards packets between networks.
  • C. Access point — Incorrect. Wireless connectivity, not routing.
  • D. Media converter — Incorrect. Changes media types, not routing.

Question 13: A startup wants to deploy a web application without managing servers or OS—just focus on code. Which model?

  • A. IaaS
  • B. PaaS ✓
  • C. SaaS
  • D. On-premises

Rationale:

  • A. IaaS — Incorrect. You still manage OS and runtime.
  • B. PaaS — Correct. Platform provided; you upload code.
  • C. SaaS — Incorrect. Complete application; you don't deploy your own code.
  • D. On-premises — Incorrect. Maximum management responsibility.

Question 14: A packet starts with TTL=64 and arrives with TTL=58. How many hops?

  • A. 58
  • B. 64
  • C. 6 ✓
  • D. 122

Rationale:

  • A. 58 — Incorrect. Remaining TTL, not hop count.
  • B. 64 — Incorrect. Initial TTL, not hop count.
  • C. 6 — Correct. 64 - 58 = 6 router hops (each decrements by 1).
  • D. 122 — Incorrect. Meaningless sum.

Domain 2: Network Implementation (Questions 15-26)

Question 15: A router has routes to 10.1.0.0/16 via OSPF and 10.1.0.0/24 via EIGRP. Which route reaches 10.1.0.50?

  • A. OSPF route because /16 is more general
  • B. EIGRP route because /24 is more specific ✓
  • C. OSPF route because it has lower AD
  • D. EIGRP route because it has lower metric

Rationale:

  • B. EIGRP route because /24 is more specific — Correct. Longest prefix match is evaluated FIRST, before AD or metric.

Question 16: Two switches need to carry traffic for VLANs 10, 20, and 30 over a single link. Which technology?

  • A. Link aggregation
  • B. 802.1Q trunking ✓
  • C. Port mirroring
  • D. Spanning tree

Rationale:

  • B. 802.1Q trunking — Correct. Tags frames with VLAN IDs, allowing a single link to carry multiple VLANs.

Question 17: After adding a redundant link, the network experiences severe slowness and high CPU. What would have prevented this?

  • A. Link aggregation
  • B. 802.1Q trunking
  • C. Spanning Tree Protocol ✓
  • D. VLAN segmentation

Rationale:

  • C. STP — Correct. The symptoms describe a broadcast storm from a Layer 2 loop. STP blocks redundant paths.

Question 18: In 2.4 GHz, which channel plan minimizes co-channel interference?

  • A. Channels 1, 4, 8, 11
  • B. Channels 1, 6, 11 ✓
  • C. Channels 2, 6, 10
  • D. Channels 1, 3, 5, 7, 9, 11

Rationale:

  • B. Channels 1, 6, 11 — Correct. These are the only non-overlapping channels in the 2.4 GHz band.

Question 19: 50 devices with private IPs need internet access using one public IP. Which technology?

  • A. DHCP
  • B. PAT/NAT ✓
  • C. DNS
  • D. VLAN

Rationale:

  • B. PAT/NAT — Correct. PAT maps many private IPs to one public IP using port numbers.

Question 20: Which port combination is used by FTP?

  • A. 20 and 21 ✓
  • B. 22 and 23
  • C. 25 and 110
  • D. 80 and 443

Rationale:

  • A. 20 and 21 — Correct. Port 21 for control, port 20 for data.

Question 21: A technician needs to connect a server that requires 10 Gbps over 300 meters. Which solution?

  • A. Cat6a copper
  • B. Multimode fiber ✓
  • C. Cat5e copper
  • D. Coaxial cable

Rationale:

  • B. Multimode fiber — Correct. 10GBASE-SR supports up to 400m on multimode. Cat6a only reaches 100m.

Question 22: What is the purpose of a native VLAN on a trunk port?

  • A. To tag all frames with a VLAN ID
  • B. To carry untagged traffic ✓
  • C. To increase bandwidth
  • D. To enable routing between VLANs

Rationale:

  • B. To carry untagged traffic — Correct. Untagged frames on a trunk are assigned to the native VLAN.

Question 23: A company wants guest wireless users isolated from the corporate network. What technology?

  • A. Port mirroring
  • B. VLAN ✓
  • C. Link aggregation
  • D. Port security

Rationale:

  • B. VLAN — Correct. Separate VLAN for guest traffic isolates it from corporate resources.

Question 24: What technology allows a single router interface to route between multiple VLANs?

  • A. NAT
  • B. Subinterfaces with 802.1Q ✓
  • C. DHCP relay
  • D. Port security

Rationale:

  • B. Subinterfaces with 802.1Q — Correct. Router-on-a-stick configuration: one physical interface, multiple subinterfaces with VLAN tags.

Question 25: A company needs gateway redundancy so clients don't reconfigure if the router fails. Which technology?

  • A. OSPF
  • B. FHRP (HSRP/VRRP) ✓
  • C. NAT
  • D. EIGRP

Rationale:

  • B. FHRP — Correct. Multiple routers share a virtual IP; failover is transparent to clients.

Question 26: Which cable type is required in air handling spaces (HVAC plenums)?

  • A. UTP
  • B. STP
  • C. Plenum-rated ✓
  • D. Coaxial

Rationale:

  • C. Plenum-rated — Correct. Fire-resistant jacket, produces less toxic smoke. Code requirement for air handling spaces.

Domain 3: Network Operations (Questions 27-38)

Question 27: A backup policy tolerates losing up to 4 hours of data. Which metric?

  • A. RTO
  • B. RPO ✓
  • C. MTTR
  • D. MTBF

Rationale:

  • B. RPO — Correct. Recovery Point Objective = maximum acceptable data loss.

Question 28: A branch office on a different subnet can't get DHCP addresses. What feature is needed on the router?

  • A. DHCP scope
  • B. DHCP relay/IP helper ✓
  • C. DHCP reservation
  • D. DHCP exclusion

Rationale:

  • B. DHCP relay — Correct. Forwards DHCP broadcasts (which don't cross routers) to the server.

Question 29: Email delivery requires which DNS record?

  • A. A record
  • B. CNAME record
  • C. MX record ✓
  • D. PTR record

Rationale:

  • C. MX record — Correct. Mail Exchange record specifies which server handles email for a domain.

Question 30: SNMP community strings are transmitted in plaintext. Which version fixes this?

  • A. SNMPv1
  • B. SNMPv2c
  • C. SNMPv3 ✓
  • D. SNMP with HTTPS

Rationale:

  • C. SNMPv3 — Correct. Adds authentication and encryption.

Question 31: The primary data center fails; operations must resume in 15 minutes with zero data loss. Which site type?

  • A. Cold site
  • B. Warm site
  • C. Hot site ✓
  • D. Mobile site

Rationale:

  • C. Hot site — Correct. Fully operational with real-time replication = fastest recovery, zero data loss.

Question 32: Two offices need secure network-to-network connection without client software. Which VPN?

  • A. Client-to-site VPN
  • B. Site-to-site VPN ✓
  • C. SSL VPN
  • D. Split tunnel VPN

Rationale:

  • B. Site-to-site VPN — Correct. Connects networks through gateways; no client software needed.

Question 33: IPv6 hosts configure addresses without DHCP. What mechanism?

  • A. APIPA
  • B. SLAAC ✓
  • C. DHCPv6
  • D. Manual configuration

Rationale:

  • B. SLAAC — Correct. Stateless Address Autoconfiguration uses router advertisements + interface ID.

Question 34: Management needs a list of all equipment with serial numbers, locations, and warranties. Which documentation?

  • A. Network topology
  • B. Asset inventory ✓
  • C. Baseline configuration
  • D. Change management log

Rationale:

  • B. Asset inventory — Correct. Tracks hardware details, locations, warranty information.

Question 35: What protocol synchronizes time across network devices?

  • A. SNMP
  • B. NTP ✓
  • C. LDAP
  • D. DNS

Rationale:

  • B. NTP — Correct. Network Time Protocol provides clock synchronization.

Question 36: A device receives an SNMP trap. What function is the device performing?

  • A. Agent
  • B. Manager ✓
  • C. MIB
  • D. OID

Rationale:

  • B. Manager — Correct. Receives traps from agents; traps are unsolicited alerts.

Question 37: An administrator needs to verify that all changes follow approved procedures. Which process?

  • A. Asset management
  • B. Change management ✓
  • C. Configuration backup
  • D. License management

Rationale:

  • B. Change management — Correct. Formal process for approving and tracking changes.

Question 38: A firewall denies traffic by default and only allows explicitly permitted traffic. What principle?

  • A. Least privilege
  • B. Defense in depth
  • C. Implicit deny ✓
  • D. Zero trust

Rationale:

  • C. Implicit deny — Correct. If not explicitly permitted, it's denied.

Domain 4: Network Security (Questions 39-46)

Question 39: An attacker floods a switch's MAC table causing it to flood all traffic. What attack?

  • A. ARP poisoning
  • B. VLAN hopping
  • C. MAC flooding ✓
  • D. DNS spoofing

Rationale:

  • C. MAC flooding — Correct. Overflow CAM table → switch floods all traffic like a hub.

Question 40: What defense prevents unauthorized devices from obtaining network access?

  • A. Port mirroring
  • B. 802.1X ✓
  • C. Link aggregation
  • D. STP

Rationale:

  • B. 802.1X — Correct. Port-based authentication requires credentials before network access.

Question 41: An employee receives an email appearing to be from the CEO asking for a wire transfer. What attack?

  • A. Vishing
  • B. Whaling ✓
  • C. Tailgating
  • D. Shoulder surfing

Rationale:

  • B. Whaling — Correct. Phishing targeting executives or impersonating executives for high-value fraud.

Question 42: A company places web servers in a separate network segment accessible from the internet but isolated from the internal network. What is this zone called?

  • A. VLAN
  • B. DMZ/Screened subnet ✓
  • C. VPN
  • D. NAT

Rationale:

  • B. DMZ — Correct. Semi-trusted zone for public-facing services.

Question 43: Which security feature limits the number of MAC addresses on a switch port?

  • A. 802.1X
  • B. Port security ✓
  • C. VLAN tagging
  • D. NAC

Rationale:

  • B. Port security — Correct. Limits MACs per port; violation triggers action (shutdown, restrict).

Question 44: An attacker creates a wireless network with the same name as a legitimate corporate network. What attack?

  • A. Rogue DHCP
  • B. Evil twin ✓
  • C. VLAN hopping
  • D. ARP spoofing

Rationale:

  • B. Evil twin — Correct. Malicious AP with same SSID as legitimate network.

Question 45: What AAA protocol encrypts the entire payload and separates authentication, authorization, and accounting?

  • A. RADIUS
  • B. TACACS+ ✓
  • C. LDAP
  • D. Kerberos

Rationale:

  • B. TACACS+ — Correct. Encrypts the entire payload; separates AAA functions. RADIUS only encrypts the password.

Question 46: A security team needs to detect intrusions without blocking traffic during evaluation. What should they deploy?

  • A. Firewall
  • B. IPS
  • C. IDS ✓
  • D. Proxy

Rationale:

  • C. IDS — Correct. Detects and alerts without blocking—passive monitoring during evaluation.

Domain 5: Network Troubleshooting (Questions 47-60)

Question 47: A user cannot access any network resources. The technician sees the IP address 169.254.10.25. What should be checked first?

  • A. DNS server
  • B. DHCP server ✓
  • C. Default gateway
  • D. Proxy server

Rationale:

  • B. DHCP server — Correct. 169.254.x.x = APIPA = DHCP failure.

Question 48: Network performance degrades every day at 2 PM. What tool identifies the cause?

  • A. Cable tester
  • B. Protocol analyzer
  • C. Baseline comparison/monitoring ✓
  • D. Tone generator

Rationale:

  • C. Baseline comparison — Correct. Compare current performance to baseline; identify what changes at 2 PM (backup jobs, lunch rush, etc.).

Question 49: Pinging an IP address works, but pinging the hostname fails. What should be checked?

  • A. Default gateway
  • B. DNS ✓
  • C. DHCP
  • D. Firewall

Rationale:

  • B. DNS — Correct. IP connectivity works (ping by IP); name resolution fails (ping by hostname) = DNS issue.

Question 50: A switch port shows many CRC errors. What is the likely cause?

  • A. Duplicate IP address
  • B. Bad cable or interference ✓
  • C. Incorrect VLAN
  • D. STP loop

Rationale:

  • B. Bad cable — Correct. CRC errors indicate frame corruption—typically physical layer issue.

Question 51: Users report slow internet, but internal resources are fast. Where is the bottleneck?

  • A. Access switch
  • B. Core switch
  • C. WAN connection ✓
  • D. DHCP server

Rationale:

  • C. WAN connection — Correct. Internal fast, external slow = WAN/internet link is the bottleneck.

Question 52: A workstation can reach servers on its VLAN but not other VLANs. What should be checked?

  • A. Switch port configuration
  • B. Default gateway ✓
  • C. DNS server
  • D. DHCP scope

Rationale:

  • B. Default gateway — Correct. Local connectivity works; inter-VLAN (Layer 3) fails = gateway/routing issue.

Question 53: traceroute shows requests timing out at hop 5. What does this indicate?

  • A. Destination is 5 hops away
  • B. Router at hop 5 is blocking or down ✓
  • C. DNS server is unreachable
  • D. TTL is too low

Rationale:

  • B. Router at hop 5 — Correct. Timeouts at a specific hop indicate that the router is blocking ICMP or experiencing issues.

Question 54: A switch port immediately goes to "error disabled" when a device connects. What caused this?

  • A. VLAN mismatch
  • B. Port security violation ✓
  • C. STP loop
  • D. Duplex mismatch

Rationale:

  • B. Port security — Correct. Going err-disabled immediately on connect suggests a MAC address violation.

Question 55: VoIP calls have choppy audio. What metric should be checked?

  • A. Bandwidth
  • B. Latency
  • C. Jitter ✓
  • D. Packet size

Rationale:

  • C. Jitter — Correct. Variation in latency causes choppy real-time audio. VoIP is sensitive to jitter.

Question 56: nslookup returns correct IP, but browser cannot load website. What should be checked next?

  • A. DNS server
  • B. Firewall or proxy ✓
  • C. DHCP server
  • D. Default gateway

Rationale:

  • B. Firewall/proxy — Correct. DNS works; HTTP blocked = firewall filtering port 80/443 or proxy misconfiguration.

Question 57: What command displays the path packets take to reach a destination?

  • A. ping
  • B. traceroute ✓
  • C. netstat
  • D. arp

Rationale:

  • B. traceroute — Correct. Shows each hop between source and destination.

Question 58: A cable tester shows "open" on pairs 1 and 2. What does this mean?

  • A. Cable is working correctly
  • B. Cable has a break in those pairs ✓
  • C. Cable has a short
  • D. Cable is too long

Rationale:

  • B. Break — Correct. "Open" means no continuity—wire is broken.

Question 59: Users in one department cannot print. Other departments print normally. Where should troubleshooting focus?

  • A. Print server
  • B. Switch or VLAN for that department ✓
  • C. Default gateway
  • D. DNS server

Rationale:

  • B. Department switch/VLAN — Correct. Problem isolated to one department = that segment's connectivity issue.

Question 60: After replacing a switch, devices connect but experience intermittent connectivity and slow performance. Interface shows "duplex mismatch." What is the issue?

  • A. Wrong VLAN configuration
  • B. Speed and duplex mismatch ✓
  • C. STP blocking port
  • D. Port security violation

Rationale:

  • B. Duplex mismatch — Correct. One side auto-negotiating and the other side hardcoded = a mismatch that causes late collisions and poor performance.

Written by Alvin Varughese
Founder, 15 professional certifications