network+ practice test Advanced Practice Exam: Hard Questions 2025

A network team is migrating a campus core to a routed access design. After the change, users on VLAN 30 (10.30.0.0/16) intermittently lose access to a server subnet (10.80.20.0/24). Packet captures show that traffic from VLAN 30 is being forwarded to an old distribution switch that should no longer be in the path. The team finds that both the old distribution and the new core advertise 10.80.20.0/24 into OSPF, but the old distribution also advertises a summary route 10.80.0.0/16. Which change MOST directly prevents VLAN 30 traffic from preferring the old distribution path while keeping summarization benefits elsewhere?

An enterprise uses dual WAN links with a next-generation firewall (NGFW) providing site-to-site IPsec to a partner. During a failover test from ISP1 to ISP2, the tunnel re-establishes but application traffic fails for 2–3 minutes. The partner reports they continue to send traffic to the enterprise’s old public IP until their timers expire. The enterprise wants sub-minute failover without asking the partner to change their network. Which solution BEST meets the goal?

A data center team is implementing EVPN/VXLAN overlays. A legacy monitoring platform relies on seeing client MAC addresses in the core for security analytics. After the migration, the platform no longer sees end-host MACs in the underlay and reports reduced visibility. The network is operating correctly and must retain the overlay design. What is the MOST accurate explanation for the loss of visibility and the BEST direction for remediation?

A company has multiple SSIDs mapped to different VLANs. Users on the "Corp" SSID authenticate with 802.1X and should be placed into VLAN 20 via RADIUS attributes. A subset of users consistently lands in VLAN 999 (guest quarantine) even though authentication succeeds. The switchport to the AP is a trunk. Which misconfiguration is MOST likely causing the VLAN placement issue?

During peak hours, users report intermittent slow access to SaaS applications. The WAN link shows only 55% utilization. NetFlow indicates many short-lived TCP sessions with high retransmissions, and interface statistics show increasing output drops on the edge router’s WAN interface. QoS is configured with a strict priority queue for voice and a single default queue for everything else. Which change is MOST likely to improve SaaS performance without impacting voice quality?

A NOC receives alerts that multiple access switches are flapping between STP forwarding and blocking on uplinks after a new distribution switch was installed. The uplinks are configured as 802.1Q trunks with LACP. Logs show frequent topology change notifications (TCNs). The distribution switch is confirmed to be the intended root bridge. Which configuration change is the BEST corrective action to stabilize the topology and reduce unnecessary TCN impact on access ports?

A security audit finds that a public-facing web application is protected by a WAF, but attackers can still directly reach the origin servers and bypass the WAF. The origin servers are in a private subnet, and the load balancer has a public listener. The organization wants to ensure ALL inbound HTTP/HTTPS traffic is inspected by the WAF while keeping high availability. Which design change BEST addresses the finding?

A company is implementing 802.1X on wired ports with MAB fallback for printers/IoT. An attacker unplugs a printer and connects a laptop, gaining network access because the switch authorizes the port based on the printer’s MAC address. The company needs to mitigate this specific risk without breaking legitimate printer connectivity. Which configuration is MOST effective?

Users in a branch office report that they can reach internal IP addresses but not internal hostnames. The branch uses a site-to-site VPN to headquarters. A packet capture at the branch firewall shows DNS queries from clients to 10.1.10.53 (HQ DNS) leaving the branch, and responses returning, but clients still time out. The capture also shows DNS responses with a UDP length near the typical Ethernet MTU and the DF bit set on encapsulated packets. Which is the MOST likely root cause?

After enabling IPv6 in a dual-stack environment, a help desk ticket notes that some Windows clients prefer IPv6 and cannot access an internal web app hosted on IPv4-only servers. DNS has both A and AAAA records for the app’s hostname, but the AAAA record points to an old decommissioned address. The team fixes DNS, but some clients still fail for hours until they reboot or flush caches. What is the BEST explanation and corrective action?