Network Architecture Design - 31%
Given a scenario, analyze business requirements to apply core networking concepts to a network design.
- Open Systems Interconnection (OSI) model
- Internet Protocol (IP) addressing
  - IPv4
  - IPv6
  - IP subnetting
  - Classless Inter-domain Routing (CIDR) notation
  - Variable Length Subnet Mask (VLSM)
  - Public vs. private
  - Static vs. dynamic
- Network address translation (NAT)
  - Port forwarding
  - Port address translation (PAT)
  - NAT64
- Networking protocols
  - Transmission Control Protocol (TCP)/User Datagram Protocol (UDP)
  - Authentication protocols
    - Power and cooling
    - 802.1X
    - Remote Authentication Dial-in User Service (RADIUS)
    - Terminal Access Controller Access Control System Plus (TACACS+)
    - Lightweight Directory Access Protocol (LDAP)
  - Routing protocols
    - Dynamic
      1. Open Shortest Path First (OSPF)
      2. Border Gateway Protocol (BGP)
    - Static
      1. Routing tables
  - Dynamic Host Configuration Protocol (DHCP)
  - Network Time Protocol (NTP)
  - Domain Name System (DNS)
    - Domain Name System Security Extensions (DNSSEC)
    - DNS over Transport Layer Security (TLS) (DoT)
    - DNS over Hypertext Transfer Protocol Secure (HTTPS) (DoH)
- Container networking
- Network virtual interfaces
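The IP subnetting, CIDR, VLSM and public vs. private items above are the ones candidates most often have to work by hand. The following is an added example, not part of the exam objectives document: it carves one address block into VLSM subnets (largest requirement first, so each subnet lands on its natural boundary) and checks whether an address falls in an RFC 1918 private range. The segment names, host counts and the 192.168.10.0/24 block are constructed sample requirements.

```python
"""VLSM subnet planning with the standard-library ipaddress module.

Added example for the IP subnetting / CIDR / VLSM / public vs. private
items; not part of the exam objectives document. REQUIREMENTS and the
192.168.10.0/24 block used in __main__ are constructed sample data.
"""
import ipaddress
import math

# Constructed requirements: (segment name, hosts that must fit in it).
REQUIREMENTS = [
    ("users", 100),
    ("servers", 50),
    ("mgmt", 10),
    ("p2p-uplink", 2),
]

# RFC 1918 ranges listed explicitly: ipaddress's is_private also flags
# documentation, link-local and other special-use blocks, which is not
# what "private vs. public" means in a design discussion.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length with room for `hosts` usable addresses
    after reserving the network and broadcast addresses."""
    bits = math.ceil(math.log2(hosts + 2))
    return 32 - bits


def allocate_vlsm(block: str, requirements):
    """Carve `block` into VLSM subnets, largest requirement first, so every
    subnet starts on its own natural boundary and small gaps stay usable.
    Returns [(name, IPv4Network), ...]; raises ValueError if it cannot fit."""
    free = [ipaddress.ip_network(block, strict=True)]   # free blocks, sorted
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        for i, candidate in enumerate(free):
            if candidate.prefixlen > plen:
                continue  # this free block is smaller than what we need
            chosen = (candidate if candidate.prefixlen == plen
                      else next(candidate.subnets(new_prefix=plen)))
            # Hand the unused remainder of the candidate back to the free list.
            free = sorted(free[:i] + list(candidate.address_exclude(chosen)) + free[i + 1:])
            plan.append((name, chosen))
            break
        else:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts)")
    return plan


def fits(block: str, requirements) -> bool:
    """True if every requirement can be placed inside `block`."""
    try:
        allocate_vlsm(block, requirements)
        return True
    except ValueError:
        return False


def is_rfc1918(address: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16; such addresses need NAT
    before they can be reached from or reach the public internet."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    return net.num_addresses - 2


if __name__ == "__main__":
    for name, net in allocate_vlsm("192.168.10.0/24", REQUIREMENTS):
        kind = "private" if is_rfc1918(str(net.network_address)) else "public"
        print(f"{name:12} {str(net):20} usable={usable_hosts(net):3} {kind}")
```

Running it prints users on 192.168.10.0/25, servers on 192.168.10.128/26, mgmt on 192.168.10.192/28 and the point-to-point link on 192.168.10.208/30; requesting the same plan from a /26 raises ValueError because the 100-host segment alone needs a /25.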
Given a scenario, analyze business requirements to select and implement the appropriate network architectures and topologies.
- Topology types
  - Mesh
  - Star
  - Hub-and-spoke
  - Spine-and-leaf
  - Point-to-point
- Zones
  - Trusted
  - Untrusted
  - Screened subnet
- Traffic flows
- Segmentation
  - Virtual local area network (VLAN)
  - Virtual extensible LAN (VXLAN)
  - Generic Network Virtualization Encapsulation (GENEVE)
- Environments
  - Production
  - Non-production
Given a scenario, analyze requirements to select appropriate connectivity solutions in a hybrid environment.
- Multi-protocol Label Switching (MPLS)
- Software-defined wide area network (SD-WAN)
- Cellular
- Satellite
- Dark fiber
- Direct internet access
- Metro network
- Public cloud connectivity
  - ExpressRoute
  - Direct Connect
  - Software-defined cloud interconnect (SDCI)
- Remote access
  - Bastion host
  - Secure Shell (SSH)
  - Remote Desktop Protocol (RDP)
- Application gateways
- Private Platform as a Service (PaaS) connectivity
  - Service endpoints
  - Transit gateways
  - Virtual private cloud (VPC) peering
  - Private link
- Virtual private network (VPN)
  - Site-to-site
  - Point-to-site
  - Remote access
  - Split tunneling
  - WireGuard
Given a scenario, analyze availability requirements to recommend technologies that meet business needs.
- Load balancing
  - Global
  - Local
  - Virtual IP (VIP)
  - Methods
    - Round robin
    - Load-based
    - Least connections
    - Weighted
- High availability
  - Active-active
  - Active-passive
- Link aggregation
- Autoscaling
- Regions and availability zones
- Content delivery network (CDN)
- Fault domains
- Update domains
- Redundancy
Given a scenario, evaluate business requirements to make recommendations for physical campus installations.
- Power considerations
  - Voltage
  - Wattage
  - Amperage
  - Power distribution unit (PDU)
  - Uninterruptible power supply (UPS)
  - Utility power
  - Emergency power off (EPO)
  - Backup power generators
- Power disruption
  - Blackout
  - Brownout
  - Surge
  - Spike
- Environmental factors
  - Temperature
  - Humidity
  - British thermal units (BTUs)
- Fire suppression
- Physical access controls
  - Video surveillance
  - Biometrics
  - Proximity readers
  - Locks and keys
  - Near-field communication (NFC)
  - Door sensors
Given a scenario, analyze business requirements to select the appropriate campus wired network components.
- Layer 2 vs. Layer 3
- Power over Ethernet (PoE)
- Three-tier hierarchy
- Collapsed core
- Intermediate distribution frame (IDF)/Main distribution frame (MDF)
- Spanning Tree Protocol (STP)
- Tagging/trunking
- Bonding
- Voice and video
  - Session Initiation Protocol (SIP)
  - WebRTC
  - Real-time Streaming Protocol (RTSP)
  - H.323
- Customer premises equipment (CPE)
Given a scenario, analyze business requirements to select the appropriate campus wireless network components.
- Wi-Fi
  - Wireless access points
    - Antenna types
      1. Omni-directional
      2. Directional
    - Placement
    - Enclosure
    - Power considerations
    - Controllers
  - Standards and protocols
    1. 802.11
  - Frequencies
    1. 2.4GHz
    2. 5GHz
    3. 6GHz
  - Channels
  - Service set identifier (SSID)
    1. Hidden vs. advertised
  - Wireless roaming
- Bluetooth Low Energy (BLE)
- NFC
- Long-range wide area network (LoRaWAN)
Given a scenario, analyze requirements to select the appropriate artifacts for architecture documentation.
- Requirements analysis
  - Business
  - Technical
  - Regulatory compliance
  - Statement of work (SOW)
- Network diagramming
  - Physical vs. logical
  - High-level vs. low-level designs
  - Flow diagrams
- Verification and validation
- Runbooks
- Work breakdown structure (WBS)
- Knowledge base articles
- Baselines
- Reference architectures
- Configuration management database (CMDB)
Network Security - 28%
Explain common cloud and network threats, vulnerabilities, and mitigations.
- Threats
  - Distributed denial-of-service (DDoS) attack
  - Data exfiltration
  - On-path attack
  - Credential reuse
  - Brute-force attack
  - Out-of-band (OOB) attack
  - IP spoofing
  - Buffer overflow
  - Privilege escalation
  - Insider threat
  - Evil twin
  - Rogue access point
  - Initialization vector attack
  - BGP hijacking
  - Social engineering attack
- Vulnerabilities
  - Zero-day
  - Open Worldwide Application Security Project (OWASP) top 10
  - Overly permissive rules
  - IP reuse
  - Legacy access control lists (ACLs)
  - Insecure protocols
  - Unpatched devices
  - Misconfigurations
- Mitigations
  - Input sanitization
  - Data loss prevention (DLP) controls
  - IP address management (IPAM)
  - MITRE ATT&CK Framework
  - Cyber Kill Chain
  - Cloud Controls Matrix (CCM)
  - Patch management
  - Vulnerability management
  - Center for Internet Security (CIS) benchmarks
  - Configuration reviews
  - Null routing
Given a scenario, analyze requirements to select the appropriate technology to secure a network.
- Firewalls
  - Next-generation firewall (NGFW)
  - Cloud-native firewall
  - Web application firewall (WAF)
- Intrusion prevention system (IPS)/intrusion detection system (IDS)
- Encryption
  - Protocol types
  - Secure sockets layer (SSL)/TLS inspection
  - Cipher suites
  - Algorithms
    - Asymmetric
    - Symmetric
- Application gateway
- Secure web gateway
- Network access control (NAC)
- Dynamic list
Given a scenario, configure the appropriate access controls to secure a network.
- Firewall rules
  - Decryption rules
  - Application aware
  - Source and destination
  - Allow list
  - Block list
- Network access control lists (NACLs)
- Network security groups
  - Inbound rules
  - Outbound rules
- IPS/IDS signature rules
- Geolocation rules
- Content/Uniform Resource Locator (URL) filtering
  - Categories
  - Applications
  - File blocking
- DLP controls
- Port security
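Firewall rules, allow lists, block lists and security-group inbound rules above all share one evaluation model: an ordered list, first match wins, implicit deny at the end. The ordering is exactly where the "overly permissive rules" vulnerability from the threats objective creeps in, because a broad allow placed above a specific deny silently shadows it. The following is an added example, not part of the exam objectives document: it evaluates packets against such a rule list and lints it for any-source allows and for rules that an earlier rule makes unreachable. The rule set, address ranges and sample packets are constructed.

```python
"""First-match firewall rule evaluation plus a lint for overly permissive
and shadowed rules.

Added example for the firewall rules / allow list / block list / inbound
rules items and the "overly permissive rules" vulnerability; not part of
the exam objectives document. RULES and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                 # "inbound" or "outbound"
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                   # (low, high) destination ports, inclusive


def rule(name, direction, action, proto, src, dst, ports):
    """Build a Rule from CIDR strings and a single port or (low, high) range."""
    lo, hi = ports if isinstance(ports, tuple) else (ports, ports)
    return Rule(name, direction, action, proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), (lo, hi))


# Constructed rule set: evaluated top-down, first match wins, implicit deny.
# "legacy-any" is the kind of rule that survives migrations and is never reviewed.
RULES = [
    rule("mgmt-ssh", "inbound", "allow", "tcp", "10.0.100.0/24", "10.0.1.0/24", 22),
    rule("web-https", "inbound", "allow", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),
    rule("legacy-any", "inbound", "allow", "any", "0.0.0.0/0", "0.0.0.0/0", ALL_PORTS),
    rule("deny-telnet", "inbound", "deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),
]


def matches(r, direction, proto, src, dst, port):
    return (r.direction == direction
            and r.proto in ("any", proto)
            and ipaddress.ip_address(src) in r.src
            and ipaddress.ip_address(dst) in r.dst
            and r.ports[0] <= port <= r.ports[1])


def evaluate(rules, direction, proto, src, dst, port):
    """Return (action, rule name) of the first matching rule, or
    ("deny", "implicit") when nothing matches."""
    for r in rules:
        if matches(r, direction, proto, src, dst, port):
            return r.action, r.name
    return "deny", "implicit"


def covers(outer, inner):
    """True if every packet `inner` could match is already matched by `outer`."""
    return (outer.direction == inner.direction
            and outer.proto in ("any", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def lint(rules):
    """Flag allows open to any source that also reach any destination or all
    ports, and rules that can never match because an earlier rule covers them."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == ANY and (r.dst == ANY or r.ports == ALL_PORTS):
            findings.append((r.name, f"overly permissive allow from any source to {r.dst} ports {r.ports[0]}-{r.ports[1]}"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
    return findings


def remove_rule(rules, name):
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    for name, issue in lint(RULES):
        print(f"{name}: {issue}")
    print("telnet before fix:", evaluate(RULES, "inbound", "tcp", "203.0.113.7", "10.0.1.20", 23))
    hardened = remove_rule(RULES, "legacy-any")
    print("telnet after fix: ", evaluate(hardened, "inbound", "tcp", "203.0.113.7", "10.0.1.20", 23))
```

With the constructed set, an inbound telnet attempt from the internet is allowed by "legacy-any" even though "deny-telnet" exists; the lint reports the permissive rule and that the deny is shadowed by it. Removing "legacy-any" makes the deny effective and everything unlisted (for example RDP on 3389) fall through to the implicit deny.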
Given a scenario, analyze requirements to apply the appropriate Zero Trust architecture (ZTA) principles to secure a network.
- Microsegmentation
- Secure Access Service Edge (SASE)
  - Security Service Edge (SSE)
- Cloud Access Security Broker (CASB)
- Identity as the perimeter
- Device trust
- Principle of least privilege
- Zero Trust network access
Given a scenario, apply identity and access management to secure a network environment.
- Single sign-on (SSO)
  - Federation
  - Security Assertion Markup Language (SAML)
  - OAuth 2.0
  - OpenID Connect (OIDC)
- Multifactor authentication (MFA)
- Conditional access
- Geofencing
- Privileged access management (PAM)
- Risk-based authentication
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- Endpoint trust
- User and entity behavior analytics (UEBA)
- Public key infrastructure (PKI)
  - Certificate-based authentication
  - Key management system (KMS)
- Session-based tokens
- Just-in-time (JIT) provisioning
- System for Cross-domain Identity Management (SCIM)
- Cloud Infrastructure Entitlement Management (CIEM)
Given a scenario, use the appropriate wireless security method or configuration.
- Encryption
  - Advanced Encryption Standard (AES)
  - Wi-Fi Protected Access 2 (WPA2)
  - Wi-Fi Protected Access 3 (WPA3)
- Authentication
  - Temporal Key Integrity Protocol (TKIP)
  - Preshared key (PSK)
  - PSK enterprise
- Guest access
- Captive portal
- Layer 2 client isolation
- Media access control (MAC) address filtering
Given a scenario, implement the appropriate appliance-hardening technique.
- Patch management
  - Delivery channels
  - Verification
- Default credential management
- Disabling unneeded services
- Local password management
  - Password complexity
  - Password length
  - Password rotation
- Protocol configuration
  - Disabling insecure protocols
- Restricting access to administrative interfaces
- Disabling unused physical ports
- Log management
  - Log rotation
  - Remote logging
Network Operations, Monitoring, and Performance - 16%
Explain concepts related to operating and maintaining a network environment.
- Risk management
  - Risk acceptance
    - Waivers and exceptions
  - Risk avoidance
  - Risk transference
  - Risk mitigation
  - Risk register
- Business continuity
  - Mean time to recovery (MTTR)
  - Mean time between failures (MTBF)
  - Mean time to detect (MTTD)
  - Mean time to investigate (MTTI)
  - Recovery point objective (RPO)/recovery time objective (RTO)
- Disaster recovery
- Service management
- Auditing
- Failure rate
- Contracts, agreements, and terms
  - Interconnection Security Agreement (ISA)
  - Memorandum of understanding (MOU)
  - Master service agreement (MSA)
  - Service-level indicator (SLI)/key performance indicator (KPI)
  - Service-level objective (SLO)
  - Service-level agreement (SLA)
  - Operational-level agreement (OLA)
  - Non-disclosure agreement (NDA)
  - Licensing agreements
  - End-of-life (EOL)/end-of-support (EOS)
- Network function virtualization (NFV)
  - Firewall as a service
  - Reverse proxy
  - Forward proxy
  - NAT gateways
- OOB management
- Network cost management
  - Operating expenditure (OpEx)
  - Capital expenditure (CapEx)
  - Cost optimization
  - Chargeback model
  - Orphaned resources
- Service delivery
  - Self-service
  - Cross-connect
  - Time to market
Given a scenario, use tools and techniques related to monitoring and performance.
- Traffic analysis
  - Traffic mirroring
  - Throughput
  - Latency
  - Loss
  - Jitter
  - Network flows
  - Reachability
- Log collection
  - Centralized logging
  - Security information and event management (SIEM)
  - Syslog
  - JavaScript Object Notation (JSON)
  - Data lake
- Simple Network Management Protocol (SNMP)
- Quality of service (QoS)
- Alerting
- Telemetry
- Dashboards
- Metrics
- Continuous monitoring
  - Resource utilization
  - Bandwidth utilization
  - Reactive vs. proactive monitoring
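The log collection items above (syslog, JSON, centralized logging and SIEM) and alerting meet in one pipeline: appliances emit BSD-style syslog, a collector normalizes each line into a JSON event, and detection logic runs over the normalized stream. The following is an added example, not part of the exam objectives document, that does exactly that for the brute-force threat listed in the Network Security domain. The syslog lines are constructed; because RFC 3164 timestamps carry no year, the parser assumes the year in ASSUMED_YEAR, which is an assumption of this example rather than anything the page states.

```python
"""Syslog-to-JSON normalization with a sliding-window brute-force detection.

Added example for the log collection / syslog / JSON / SIEM / alerting
items and the brute-force threat; not part of the exam objectives
document. SAMPLE_LINES are constructed, and ASSUMED_YEAR is an assumption
because BSD syslog timestamps have no year field.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2025  # assumption: RFC 3164 timestamps omit the year

# Constructed sample: a password-guessing burst from 203.0.113.9 and ordinary
# activity from 198.51.100.4. PRI 38 = facility 4 (auth), severity 6 (info).
SAMPLE_LINES = [
    "<38>Mar 11 10:15:01 gw01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2",
    "<38>Mar 11 10:15:03 gw01 sshd[2211]: Failed password for root from 203.0.113.9 port 50214 ssh2",
    "<38>Mar 11 10:15:04 gw01 sshd[2213]: Failed password for root from 203.0.113.9 port 50215 ssh2",
    "<38>Mar 11 10:15:06 gw01 sshd[2214]: Failed password for root from 203.0.113.9 port 50217 ssh2",
    "<38>Mar 11 10:15:09 gw01 sshd[2215]: Failed password for root from 203.0.113.9 port 50219 ssh2",
    "<38>Mar 11 10:15:20 gw01 sshd[2216]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "<38>Mar 11 10:15:40 gw01 sshd[2217]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
    "<38>Mar 11 10:20:00 gw01 sshd[2218]: Failed password for bob from 198.51.100.4 port 40003 ssh2",
]

# <PRI>Mmm dd hh:mm:ss host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def parse_syslog(line):
    """Parse one RFC 3164 line into a flat dict, or return None if it does not
    parse. Facility and severity are decoded from PRI; known message shapes
    are enriched with structured fields a SIEM rule can key on."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "timestamp": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"],
        "app": m["app"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
        "event": "other",
    }
    f = FAIL_RE.search(event["msg"])
    if f:
        event.update(event="auth_failure", user=f["user"], src=f["src"], port=int(f["port"]))
    return event


def to_json(events):
    """Serialize events as a collector would before shipping them centrally."""
    return json.dumps(events, default=lambda o: o.isoformat())


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Emit one alert per source that produced `threshold` or more auth
    failures inside any sliding `window`; two failures an hour apart do not
    count, a burst of five in ten seconds does."""
    by_src = defaultdict(list)
    for e in events:
        if e and e["event"] == "auth_failure":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["timestamp"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({
                    "rule": "ssh-bruteforce",
                    "src": src,
                    "count": end - start + 1,
                    "first": evs[start]["timestamp"].isoformat(),
                    "last": evs[end]["timestamp"].isoformat(),
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                })
                break
    return alerts


if __name__ == "__main__":
    parsed = [e for e in map(parse_syslog, SAMPLE_LINES) if e]
    print(to_json(parsed)[:120], "...")
    for alert in detect_bruteforce(parsed):
        print(json.dumps(alert))
```

On the sample, the only alert names 203.0.113.9 with five failures between 10:15:01 and 10:15:09 against the accounts admin and root; 198.51.100.4 never trips the rule because its two failures are minutes apart. Raising the threshold or shrinking the window is how the same rule is tuned per environment.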
Given a scenario, apply automation and scripting to administer a hybrid cloud environment.
- Infrastructure as code (IaC)
  - Resource provisioning
  - Resource configuration
  - YAML Ain't Markup Language (YAML)
  - JSON
  - Linters
- Life cycle management
  - Mutable infrastructure
  - Immutable infrastructure
  - Patch management
- Version control
  - Public vs. private repositories
  - Secrets management
- DevOps
  - Continuous integration and continuous delivery (CI/CD) pipeline management
  - GitOps
- Generative artificial intelligence (AI)
- Application programming interface (API)
- Software development kit (SDK)
- Command-line interface (CLI)
- Desired state
  - Configuration reviews
  - Baselines/benchmarks
  - Configuration backup and restore
- Change management
Network Troubleshooting - 25%
Explain the troubleshooting methodology.
- Identify the problem
  - Gather information
  - Question users
  - Identify symptoms
  - Determine if anything has changed
  - Duplicate the problem, if possible
  - Approach multiple problems individually
- Establish a theory of probable cause
  - Question the obvious
  - Consider multiple approaches
    - Top-to-bottom/bottom-to-top OSI model
    - Divide and conquer
- Test the theory to determine cause
  - If the theory is confirmed, determine the next steps to resolve the problem
  - If the theory is not confirmed, re-establish a new theory or escalate
- Establish a plan of action to resolve the problem and identify potential effects
- Implement the solution or escalate as necessary
- Verify full system functionality and, if applicable, implement preventive measures
- Document findings, actions, outcomes, and lessons learned throughout the process
Given a scenario, use the appropriate tool or command.
- Tools
  - Wireshark
  - Netcat
  - Nmap
  - Iperf
  - radclient
  - OpenSSL
  - Postman
- Commands
  - tcpdump
  - dig
  - mtr
  - arp
  - netstat
  - curl
  - ping
  - nslookup
  - traceroute
  - ip
  - ipconfig
    - flushdns
  - ifconfig
  - route
  - ss
  - dhclient
  - top
  - snmpwalk
  - nfdump
Given a scenario, analyze output from network tools and commands to resolve issues.
- Tools
  - Wireshark
  - Netcat
  - Nmap
  - Iperf
  - radclient
  - OpenSSL
  - Postman
  - Spectrum analyzer
  - Heat map
  - SIEM
- Commands
  - tcpdump
  - dig
  - mtr
  - arp
  - netstat
  - curl
  - ping
  - nslookup
  - traceroute
  - ip
  - ipconfig
  - ifconfig
  - route
  - ss
  - dhclient
  - top
  - snmpwalk
  - nfdump
- Performance issues
- Connectivity issues
- Access and security issues
Given a scenario, troubleshoot connectivity issues.
- Intermittent connectivity
- DNS issues
- Asymmetric routing
- Port exhaustion
- Port misconfiguration
- Duplicated IP addresses
- Duplicated MAC addresses
- IP address exhaustion
- NAT table exhaustion
- DHCP issues
- Request timeouts
- IPv6 router advertisements
- Physical layer disruptions
- Stale cache
- IPSec issues
- BGP issues
- Routing loops
- Single point of failure
Given a scenario, troubleshoot network performance issues.
- Latency issues
- Packet loss
- Maximum transmission unit (MTU) issues
  - Misconfigured jumbo frames
  - Fragmentation
- Hairpinning
- Broadcast storm
- Resource exhaustion
- Bandwidth issues
  - Overutilization
  - Bottleneck
  - Throttling
- Network scanning issues
Given a scenario, troubleshoot Wi-Fi performance issues.
- Signal interference
- Signal loss
- Signal degradation
- Low signal strength
- Band steering issues
- Channel overlap
- Incorrect channel width
- Client disassociation
- Roaming issues
- Transmitter/receiver incompatibility
Given a scenario, troubleshoot access and security issues.
- Rule and policy issues
  - Incorrect security group
  - Missing rules
  - Misconfigured rules
  - Overly permissive rules
  - URL/web content filtering
  - Geo-restriction
  - ACL issues
- DoS issues
- Authentication and authorization failures
  - Password issues
  - Incorrect group membership
  - Mismatched secrets
- Certificate issues
  - Mismatch
  - Expired certificates
  - Revoked certificates
  - Trust issues
  - Hash incompatibility
  - TLS issues
- Blocked or dropped traffic