N10-009 Exam Dumps - CompTIA Network+ Certification Exam

Link Layer Discovery Protocol (LLDP) is a network protocol used for discovering devices and their capabilities on a local area network, primarily at the data link layer (Layer 2). It helps in identifying the connected switch and the specific port to which a device is connected. When troubleshooting a VoIP handset connection, the technician can use LLDP to determine the exact switch and port where the handset is connected. This protocol is widely used in network management to facilitate the discovery of network topology and simplify troubleshooting.

Other options such as IKE (Internet Key Exchange), VLAN (Virtual LAN), and netstat (network statistics) are not suitable for identifying the switch and port information. IKE is used in setting up secure IPsec connections, VLAN is used for segmenting networks, and netstat provides information about active connections and listening ports on a host but not for discovering switch port details.

When traffic moves laterally between VMs within the same network or subnet, it is known as east-west traffic. This contrasts with north-south traffic, which refers to communication between internal and external networks.

Breakdown of Options:

A. East-west – Correct answer. This refers to traffic between internal servers or VMs, which is a common security concern.

B. Point-to-point – Point-to-point describes a direct connection between two devices, but does not specifically define lateral movement.

C. Horizontal-scaling – This refers to adding more instances or nodes in cloud computing, unrelated to traffic flow.

D. Hub-and-spoke – This network topology describes a centralized design, not lateral traffic.

The correct answer is B. EOL documentation . If a network engineer wants to confirm whether a device is still receiving updates, patches, or vendor support, the first thing to review is the vendor’s End-of-Life (EOL) and often related End-of-Support (EOS) documentation. These documents show whether the device is still actively supported, whether firmware and security updates are still being issued, and when that support is scheduled to stop.

This is important in network operations because devices that are no longer supported can become security risks and operational liabilities. Once a vendor declares a product end-of-life or end-of-support, future bug fixes, feature releases, and security updates may no longer be available. That directly affects patch management, lifecycle planning, and risk assessment.

The other choices do not answer the question as directly. A baseline configuration shows the intended device settings, not the support status. Asset inventory licensing helps track ownership, software entitlements, or subscriptions, but it does not prove that updates are still being released. Software development life cycle refers to the process of building software, not the support state of a deployed network device.

For Network+ exam purposes, when the question asks whether updates are still being released, the best source is the vendor’s EOL documentation .

A DoS (Denial of Service) attack directly targets availability, one of the core security goals (CIA triad) emphasized in Network+ (N10-009) security objectives. A web-based customer portal depends on reachable services (web servers, load balancers, DNS, upstream bandwidth). In a DoS, an attacker attempts to overwhelm the portal or its supporting infrastructure—consuming bandwidth, exhausting server resources, or saturating state tables—so legitimate users cannot connect or experience severe degradation. This is the most direct and common scenario where “availability” is impacted for a public web service.

MAC flooding aims to overflow a switch’s CAM table and can lead to traffic being broadcast out ports, which is more commonly associated with enabling sniffing or disruption within a local switched network segment—not typically the primary attack described for a web portal’s availability. ARP spoofing is a local network man-in-the-middle/redirection technique affecting integrity/confidentiality and potentially availability for local hosts, but it is not the best match for a public portal availability impact. Rogue devices can introduce risk, but the option is broad and indirect; DoS is the clearest availability-focused threat.

===========

The correct answer is A. IaC . Infrastructure as Code is used to define and deploy infrastructure through templates, configuration files, or code rather than building everything manually. During a cloud migration, that approach helps keep deployments consistent across environments and reduces the chance of human error.

This fits the question especially well because it mentions consistency, reliability, and efficiency in both provisioning and management. Those are exactly the kinds of benefits IaC is meant to provide. Instead of configuring servers, networks, and services one by one, administrators can reuse tested deployment definitions and apply the same settings repeatedly. That makes rollouts faster and easier to audit.

The other options do not match the task. A CDN improves content delivery performance. SASE is a networking and security architecture. ZTA focuses on access control and trust decisions. All of those are important in the right context, but none is primarily a provisioning and management automation tool.

In a cloud migration, the organization usually wants repeatable builds, standardization, and faster recovery if something has to be recreated. That is why IaC is the strongest answer here. It directly supports automated, dependable, and scalable infrastructure deployment.

A site-to-site VPN is used to securely connect two networks over an untrusted network, most commonly the public internet. In Network+ (N10-009) objectives, VPNs are described as providing confidentiality and integrity for data in transit by creating an encrypted tunnel between sites (for example, headquarters and a branch office). This allows systems at both locations to communicate as if on the same private WAN, while preventing eavesdropping or tampering by intermediate networks. Typical implementations use IPsec tunneling and rely on negotiated encryption/authentication parameters to protect traffic end-to-end between VPN gateways.

Encrypting data at rest refers to storage encryption (disk/database), not VPN tunneling. Filtering traffic between two internal subnets is usually handled by ACLs, firewalls, or segmentation controls, not a site-to-site VPN. Hosting public-facing applications is a DMZ / reverse proxy / WAF design concern; a VPN is not the primary control for exposing public services (and generally you would not require the public to use a VPN to reach a public website). Therefore, securing site connectivity across an untrusted network is the best match.

===========

EIGRP (Enhanced Interior Gateway Routing Protocol) has a default administrative distance (AD) value of 90 for internal routes. The administrative distance is used to rate the trustworthiness of routing information received from different routing protocols. EIGRP, developed by Cisco, has an AD of 90, which is lower than that of RIP (120) and OSPF (110), making it more preferred if multiple protocols provide a route to the same destination.References: CompTIA Network+ study materials.

When configuring a firewall, the first step is identifying which ports, protocols, and services are required for normal business operations. This ensures only legitimate traffic is allowed. After establishing the required rules, a default deny rule is added for security.

B. Deny all rule is important, but it should come after defining required rules.

C. VPN access is a service to configure, but only after determining baseline needs.

D. Outbound traffic policies are part of refinement, not the first consideration.

References (CompTIA Network+ N10-009):

Domain: Network Security — Firewall configuration, rule order, least privilege.