A reader recently queried about a sample performance-based question he saw on CompTIA’s website. He was confused by it and wanted to know how he could answer it.
Normally, it’s easy to answer these types of queries. I encourage the reader to read the explanation and point out that questions without explanations may be brain dumps. One of the dangers with brain dumps is that they often have incorrect answers. This, combined with no explanations, encourages people to memorize incorrect answers, causing them to fail the live exam without knowing why.
Unfortunately, CompTIA chose not to give an explanation with the sample.
Similar Sample Performance-Based Question
Here’s a similar sample Performance-Based Question based on the sample posted by CompTIA. It’s not exact, but if you apply the same knowledge learned with this, you can correctly answer the CompTIA sample.
Question. After a recent attack, security administrators configured a DMZ and placed appropriate servers within it.
After completing their work, one of the users on the 2nd floor reported that he could no longer access the getcertifiedgetahead.com site on the Internet. The following graphic shows part of the network:
Instructions.
Check the IP addresses and connectivity for each of the relevant computers to determine which computer has been impacted by this change.
Check the ACL and change the rule causing the problem.
Performance-Based Question Function
When you click on Bart’s computer, you’ll see the command line. What command would you enter to check its connectivity? What command would you enter to determine its IP address?
Similarly, when you click on Homer’s computer, you’ll see the command line. What command would you enter to check its connectivity? What command would you enter to determine its IP address?
Last, when you click on the router, you can see the configuration for each of the interfaces, and the access control list.
Performance-Based Question Answer Which Computer
Click on Homer’s computer and enter:
ping getcertifiedgetahead.com
It fails.
Because you have verified that Homer’s computer is the one having the problem, you may think you don’t need to repeat this step on Bart’s computer. However, if you skip it, you won’t get one of the available points from the question.
Remember, the instructions stated:
“Check the IP addresses and connectivity for each of the relevant computers to determine which computer has been impacted by this change.”
The relevant computers are on Floor 2. Click on Bart’s computer and enter:
ping getcertifiedgetahead.com
It succeeds.
At this point, you have answered one part of the question. You know which computer (Homer’s) was affected by the change.
What about Lisa and Marge’s computers? They are on floor 1 and the question states the problem is limited to one of the computers on floor 2.
Performance-Based Question Answer Check IP Addresses
Return to Homer’s computer and enter:
ipconfig
You see:
IPv4 Address......: 192.168.0.82
Subnet Mask.......: 255.255.255.224
Default Gateway...: 192.168.0.65
Because Homer’s computer is the one having the problem, you may think you don’t need to repeat this step on Bart’s computer. However, if you skip it, you won’t get one of the available points from the question.
Remember, the instructions stated:
“Check the IP addresses and connectivity for each of the relevant computers to determine which computer has been impacted by this change.”
The relevant computers are on Floor 2. Click on Bart’s computer and enter:
ipconfig
You see:
IPv4 Address......: 192.168.0.68
Subnet Mask.......: 255.255.255.224
Default Gateway...: 192.168.0.65
It succeeds.
At this point, you have answered two parts of the question. You know which computer was affected by the change (Homer) and you know the IP addresses of both the computers on floor 2.
Performance-Based Question Answer Check Interfaces
Click on the router. You’ll see the configuration for each of the interfaces.
eth1
- Address: 192.168.0.65
- Netmask: 255.255.255.224
- Network: 192.168.0.64/27
- Broadcast: 192.168.0.95
eth2
- Address: 192.168.0.33
- Netmask: 255.255.255.224
- Network: 192.168.0.32/27
- Broadcast: 192.168.0.63
eth3
- Address: 192.0.2.2
- Netmask: 255.255.255.252
- Network: 192.0.2.0/30
- Broadcast: 192.0.2.3
Everything looks good here. Note that floor 2 connects to the eth1 interface of the router. Its IP address is 192.168.0.65. Each computer on floor 2 should use this as its default gateway, and they do.
Performance-Based Question Answer Subnetting
Have you learned subnetting yet? If not, it’s time. There isn’t enough room in this short blog to teach subnetting, but you should be aware of the range of valid IP addresses in a subnet, especially if you’re planning on taking the Network+ exam.
The eth1 interface is configured for the network 192.168.0.64/27 as shown when you look at the interfaces.
What is the valid range of IP addresses for this network?
The first IP address is 192.168.0.64/27 but you can’t use it because it is the network address. The first valid IP address is found by adding 1. It is 192.168.0.65/27.
The last IP address is 192.168.0.95/27 but you can’t use it because it is the broadcast address. The question doesn’t require you to figure this out because it shows the broadcast address. The last valid IP address is found by subtracting one from the broadcast address. It is 192.168.0.94/27.
In other words, the range of valid IP addresses in the network is
192.168.0.65 to 192.168.0.94
Homer’s computer failed the connectivity test, but it has an assigned address (192.168.0.82) within the range of valid IP addresses. The subnet mask also matches. The CIDR notation of /27 is the same as a subnet mask of 255.255.255.224.
Check out the Subnetting and Security+ blog post for more detailed information on identifying the first and last valid IP addresses in a subnet.
Performance-Based Question Answer Check ACL
Click on the Access Control List for the router. You’ll see the following rules:
Rule | Source | Destination | Protocol | Port | Access |
1 | 192.168.0.64/27 | 192.168.0.32/27 | Any | Any | Accept |
2 | 192.168.0.64/27 | Any | TCP/UDP | 22, 3389 | Deny |
3 | Any | 192.168.0.32/27 | TCP | 80, 443 | Accept |
4 | 192.168.0.80/28 | Any | Any | Any | Deny |
5 | 192.168.0.64/27 | Any | Any | 123 | Allow |
6 | Any | Any | Any | Any | Deny |
Do you see which rule is at fault?
Rule 1 specifies that all traffic from Floor 2 to the DMZ is accepted.
Rule 2 denies all traffic from Floor 2 using port 22 or 3389. Port 22 is used by Secure Shell (SSH) and port 3389 is used by the Remote Desktop Protocol (RDP).
Rule 3 accepts any traffic from anywhere and destined for the DMZ using ports 80 and 443. Port 80 is used by the HyperText Transfer Protocol (HTTP) and port 443 is used by HTTP Secure (HTTPS).
Rule 4 denies all traffic from 192.168.0.80/28.
Rule 5 allows all traffic from the DMZ using port 123. Port 123 is used by the Network Time Protocol (NTP).
Rule 6 is an implicit deny rule. All traffic that isn’t expressly allowed by a previous rule is denied.
If you can identify the rule causing the problem, just click it.
Performance-Based Question Answer Subnetting Pt 2
Can you identify the range of addresses for 192.168.0.80/28?
The first address is 192.168.0.80, which is the network ID. The first usable address is 192.168.0.81.
The last address is 192.168.0.95 which is the broadcast ID. The last usable address is 192.168.0.94.
In other words, this defines a range of addresses from 192.168.0.81 to 192.168.0.94.
Because Homer’s computer is in this range (192.168.0.82), rule 4 blocks all traffic from Homer’s computer.
Deleting rule 4 resolves the problem. If you do so, you will get the remaining two points available for this question.
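The same checks can be scripted. The following is an added example, not part of the original question or CompTIA's sample: it uses Python's standard ipaddress module with the addresses and ACL shown above to recompute the usable ranges, repeat the ipconfig checks, and flag any rule that denies all traffic from only part of the floor 2 subnet. The function names are hypothetical.

```python
import ipaddress

# From the post: the router's eth1 interface (floor 2) and each host's ipconfig output.
ETH1 = ipaddress.ip_interface("192.168.0.65/27")
HOSTS = {  # name: (IPv4 address, subnet mask, default gateway)
    "Homer": ("192.168.0.82", "255.255.255.224", "192.168.0.65"),
    "Bart": ("192.168.0.68", "255.255.255.224", "192.168.0.65"),
}
# The router ACL from the post; rule 1's destination is the DMZ network on eth2.
ACL = [  # (rule, source, destination, protocol, port, access)
    (1, "192.168.0.64/27", "192.168.0.32/27", "Any", "Any", "Accept"),
    (2, "192.168.0.64/27", "Any", "TCP/UDP", "22, 3389", "Deny"),
    (3, "Any", "192.168.0.32/27", "TCP", "80, 443", "Accept"),
    (4, "192.168.0.80/28", "Any", "Any", "Any", "Deny"),
    (5, "192.168.0.64/27", "Any", "Any", "123", "Allow"),
    (6, "Any", "Any", "Any", "Any", "Deny"),
]

def usable_range(network):
    """First and last assignable addresses: network ID + 1 and broadcast - 1."""
    net = ipaddress.ip_network(network)
    return str(net.network_address + 1), str(net.broadcast_address - 1)

def host_config_ok(ip, mask, gateway, iface=ETH1):
    """The ipconfig check: address in the subnet, same mask, gateway is the router."""
    return (ipaddress.ip_address(ip) in iface.network
            and ipaddress.ip_address(mask) == iface.netmask
            and ipaddress.ip_address(gateway) == iface.ip)

def partial_blanket_denies(acl, segment):
    """Rules that deny all traffic from a subnet smaller than the given segment."""
    hits = []
    for num, src, dst, proto, port, access in acl:
        if src == "Any" or (dst, proto, port, access) != ("Any", "Any", "Any", "Deny"):
            continue
        net = ipaddress.ip_network(src)
        if net != segment and net.subnet_of(segment):
            hits.append(num)
    return hits

def hosts_in_rule(acl, rule_num, hosts):
    """Names of the hosts whose address falls inside the rule's source network."""
    src = ipaddress.ip_network(next(r[1] for r in acl if r[0] == rule_num))
    return sorted(n for n, cfg in hosts.items() if ipaddress.ip_address(cfg[0]) in src)

if __name__ == "__main__":
    for rule in partial_blanket_denies(ACL, ETH1.network):
        print(rule, usable_range(ACL[rule - 1][1]), hosts_in_rule(ACL, rule, HOSTS))
```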
CompTIA Sample Performance-Based Question
Try it yourself. See if you can get all four available points from the sample provided by CompTIA.
You may also like to check out this page that discusses the Performance-Based Questions.