- (Topic 3)
Which of the following would be the BEST choice to connect branch sites to a main office securely?

1. A. VPN headend
2. B. Proxy server
3. C. Bridge
4. D. Load balancer

Correct Answer: A
Host-to-Site, or Client-to-Site, VPN allows for remote servers, clients, and other hosts to establish tunnels through a VPN gateway (or VPN headend) via a private network. The tunnel between the headend and the client host encapsulates and encrypts data.

- (Topic 3)
A network engineer is designing a secure communication link between two sites The entire data stream needs to remain confidential. Which of the following will achieve this goal?

1. A. GRE
2. B. IKE
3. C. ESP
4. D. AH

Correct Answer: C
ESP stands for Encapsulating Security Payload, and it is a protocol that provides confidentiality, integrity, and authentication for IP packets. ESP encrypts the payload of the IP packet, which contains the data stream, and adds a header and a trailer that contain security information. ESP can be used to create a secure communication link between two sites by using a VPN tunnel that protects the data stream from unauthorized access or modification. GRE stands for Generic Routing Encapsulation, and it is a protocol that encapsulates one network protocol inside another. GRE does not provide encryption or security by itself, but it can be combined with ESP or other protocols to create a secure VPN tunnel. IKE stands for Internet Key Exchange, and it is a protocol that negotiates and establishes security associations for IPsec, which is a suite of protocols that includes ESP and AH. IKE does not encrypt or protect the data stream, but it enables the secure exchange of keys and parameters for IPsec. AH stands for Authentication Header, and it is a protocol that provides integrity and authentication for IP packets. AH does not encrypt the payload of the IP packet, which means the data stream is not confidential. AH adds a header that contains security information and a checksum that verifies the integrity of the packet

- (Topic 2)
There are two managed legacy switches running that cannot be replaced or upgraded. These switches do not support cryptographic functions, but they are password protected. Which of the following should a network administrator configure to BEST prevent unauthorized access?

1. A. Enable a management access list
2. B. Disable access to unnecessary services.
3. C. Configure a stronger password for access
4. D. Disable access to remote management
5. E. Use an out-of-band access method.

Correct Answer: E
Using an out-of-band access method is the best way to prevent unauthorized access to the legacy switches that do not support cryptographic functions. Out-of-band access is a method of accessing a network device through a dedicated channel that is separate from the main network traffic. Out-of-band access can use physical connections such as serial console ports or dial-up modems, or logical connections such as VPNs or firewalls. Out-of-band access provides more security and reliability than in-band access, which uses the same network as the data traffic and may be vulnerable to attacks or failures. References: https://www.cisco.com/c/en/us/td/docs/ios- xml/ios/fundamentals/configuration/15mt/fundamentals-15-mt-book/cf-out-band-mgmt.html

- (Topic 1)
A network administrator is configuring a load balancer for two systems. Which of the following must the administrator configure to ensure connectivity during a failover?

1. A. VIP
2. B. NAT
3. C. APIPA
4. D. IPv6 tunneling
5. E. Broadcast IP

Correct Answer: A
A virtual IP (VIP) address must be configured to ensure connectivity during a failover. A VIP address is a single IP address that is assigned to a group of servers or network devices. When one device fails, traffic is automatically rerouted to the remaining devices, and the VIP address is reassigned to the backup device, allowing clients to continue to access the service without interruption.
References:
✑ CompTIA Network+ Certification Study Guide, Exam N10-007, Fourth Edition, Chapter 6: Network Servers, p. 300

- (Topic 3)
A technician is investigating an issue with connectivity at customer's location. The technician confirms that users can access resources locally but not over the internet The technician theorizes that the local router has failed and investigates further. The technician's testing results show that the route is functional: however, users still are unable to reach resources on the internal. Which of the following describes what the technician should do NEXT?

1. A. Document the lessons learned
2. B. Escalate the issue
3. C. identify the symptoms.
4. D. Question users for additional information

Correct Answer: C
According to the CompTIA Network+ troubleshooting model123, this is the first step in troubleshooting a network problem. The technician should gather information about the current state of the network, such as error messages, device status, network topology, and user feedback. This can help narrow down the scope of the problem and eliminate possible causes.