CompTIA A+ Core 1 Domain 2: Networking

TCP is connection-oriented and delivers a reliable, in-order byte stream, detecting loss through sequence numbers and correcting it through retransmission, which exactly satisfies the requirement.

• AThis option chases minimal overhead, but UDP offers no acknowledgments or retransmission, so lost or duplicated datagrams are never recovered, which fails the all-bytes-intact-and-ordered requirement.
• BSMTP is an application-layer protocol used to send and relay email between servers, not a transport-layer protocol, so it cannot itself supply the reliable ordered byte stream the scenario demands.
• DIP is the best-effort network-layer protocol that only addresses and forwards datagrams; on its own it never guarantees delivery, ordering, or retransmission, so it cannot meet the reliability requirement.

SSH listens on TCP 22 and provides secure remote login with strong encryption and server authentication over an insecure network, protecting the CLI session.

• ATelnet on port 23 provides terminal access but lacks the strong encryption SSH offers, so credentials and keystrokes are exposed when carried across an untrusted network.
• CRDP on port 3389 delivers a remote graphical desktop to Windows hosts, not an encrypted command-line session to a switch, so it does not fit the CLI management scenario.
• DHTTPS on port 443 secures web traffic with TLS, but it is a browser/web protocol rather than the interactive encrypted shell needed to manage a switch's command line.

FTP's control channel uses TCP 21 to carry commands and replies between client and server, which is the connection needed for USER, PASS, and LIST.

• BPort 20 is the FTP default data channel that moves the actual file contents, so opening only it would not allow the command-and-reply control dialog described in the scenario.
• CPort 22 belongs to SSH (and SFTP), a separate secure protocol; a plain FTP control session does not negotiate on 22, so this confuses FTP with SSH-based transfer.
• DPort 23 is Telnet for remote terminal sessions and has nothing to do with the FTP control channel, so allowing it would not enable the FTP command dialog.

IMAP listens on TCP 143 and manipulates mailboxes as remote folders, keeping messages on the server so multiple devices stay in sync, matching the requirement.

• ABy default POP3 on port 110 downloads messages to one device and removes them from the server, so it cannot keep multiple devices synchronized with shared server-side folders.
• BSMTP on port 25 is used to send and relay outgoing mail between servers; it is not a mailbox-access protocol and cannot retrieve or synchronize messages into folders.
• CHTTP on port 80 serves web pages and webmail front ends in cleartext, but it is not the dedicated mailbox-access protocol that synchronizes message folders across clients.

DNS uses port 53 to translate domain names into IP addresses, so allowing it restores the hostname-to-address lookups that are currently failing.

• ADHCP on UDP 67 and 68 automatically assigns IP addresses and options to clients; it does not translate hostnames into IP addresses, so unblocking it would not fix name resolution.
• CHTTP on port 80 carries the web page request after the address is already known; because IP access already works, HTTP is not the service responsible for the name-resolution failure.
• DHTTPS on port 443 encrypts web traffic once an address is reached, but it does not perform name lookups, so opening it would not resolve hostnames to IP addresses.

DHCP automatically supplies the IP address, subnet mask, default gateway, and DNS server to clients, with the server on UDP 67 and the client on UDP 68.

• BDNS on port 53 translates hostnames into IP addresses; it does not lease IP configuration to clients, so it cannot perform the automatic addressing the scenario requires.
• CHTTP on port 80 delivers web content to browsers and plays no role in assigning IP addresses or other TCP/IP settings to client computers on the LAN.
• DRDP on port 3389 provides remote graphical control of a Windows host and has nothing to do with automatically issuing IP configuration to clients at startup.

RDP listens on TCP 3389 and delivers an encrypted remote graphical desktop to Windows hosts, letting the technician control the GUI as if local.

• ASMB on port 445 shares files and printers between hosts; it transfers files to a server but does not deliver an interactive remote graphical desktop session.
• BSSH on port 22 gives an encrypted command-line shell, not a graphical desktop, so it does not satisfy the requirement to see and control the Windows GUI.
• DTelnet on port 23 offers only an unencrypted text terminal session, which provides neither a graphical desktop nor the security expected for remote management.

HTTPS runs HTTP over TLS on the default port 443, encrypting the browser-to-server session so login credentials are protected in transit.

• AHTTP on port 80 carries web traffic in cleartext, so submitted login credentials could be read if intercepted, failing the requirement to encrypt data in transit.
• BFTP on port 21 is a file-transfer control protocol, not the web protocol browsers use to submit form data, so it does not apply to securing website logins.
• CSMTP on port 25 relays email between mail servers and has no role in encrypting a customer's browser session to a web store, so it does not fit the requirement.

10.0.0.0/8 is one of the three IANA-reserved private blocks, so 10.20.30.40 can be used inside an enterprise without coordination with any registry.

• AThis address falls just outside the 172.16.0.0 through 172.31.255.255 private block, so despite resembling the private range it is actually a public, globally routable address.
• CThe 169.254.0.0/16 range is APIPA/IPv4 link-local, self-assigned only when DHCP is unavailable, so it is not a configurable private LAN range and is not routable off-link.
• D8.8.8.8 is a globally routable public address that does not appear in any RFC 1918 private block, so it must not be self-assigned to internal LAN hosts.

A 169.254.x.x address with no gateway is APIPA, which a Windows client self-assigns when it cannot contact a DHCP server, explaining the loss of connectivity.

• BA 169.254 address is link-local and not globally reachable, so it is never a public ISP-assigned address, making this explanation inconsistent with the observed addressing.
• CDNS only resolves names to addresses and does not generate a 169.254 address; the link-local address comes from automatic configuration after DHCP failure, not from DNS settings.
• DLink-local 169.254 addresses are not routable and the standard says they should not be manually configured, so this could not be an intentional Internet-routing setup.

IPv6 addresses are 128-bit identifiers, and every interface is required to have a link-local address in the fe80::/10 range, enabling local communication automatically.

• AIPv6 actually increased the address size from 32 bits to 128 bits, not 64, so describing IPv6 addresses as 64-bit understates the real address length and space.
• BThe IPv6 loopback is ::1; 127.0.0.0/8 is the separate IPv4 loopback block, so equating the two confuses the IPv6 and IPv4 loopback addresses.
• DIPv6 addresses are written as eight colon-separated groups of hexadecimal digits, not four dotted-decimal octets, so this misstates the standard IPv6 text representation.

Wi-Fi 6E offers the features of Wi-Fi 6 (802.11ax) extended to the 6 GHz band, giving the SOHO access to the less congested spectrum it wants.

• AWi-Fi 5, based on 802.11ac, operates in the 2.4 GHz and 5 GHz bands and predates 6 GHz support, so it cannot place clients in the 6 GHz spectrum.
• BWi-Fi 4, based on 802.11n introduced in 2009, is an older generation operating in the 2.4 GHz and 5 GHz bands and provides no 6 GHz capability at all.
• CBase Wi-Fi 6 (802.11ax) delivers its efficiency gains in 2.4 GHz and 5 GHz; it is the 6E extension, not plain Wi-Fi 6, that adds the 6 GHz band.

A router connects multiple networks and forwards packets that are not addressed to itself, letting the LAN reach the ISP and the Internet, which matches the requirement.

• AA switch connects devices within the same local segment and keeps traffic on that link; it does not forward packets between different networks the way the scenario requires.
• CA firewall permits or blocks traffic according to security rules; it filters at the boundary rather than performing the inter-network routing that connects the LAN to the ISP.
• DA wireless access point bridges Wi-Fi clients onto the wired LAN to provide wireless coverage; it does not route traffic between the local network and external networks.

An optical network terminal terminates the fiber line at the premises and converts the optical signal into an Ethernet connection that the home router can use.

• BA router forwards packets between networks and shares the connection to many devices, but it does not terminate the fiber line or convert optical light signals into Ethernet.
• CA switch connects multiple wired devices within the LAN; it does not accept the incoming optical fiber or convert that optical signal for the home network.
• DA wireless access point provides Wi-Fi to client devices on the existing network and performs no optical-to-Ethernet conversion or termination of the ISP's fiber line.

LDAPS (LDAP over TLS/SSL) is registered to TCP 636 and encrypts the session from connection start, matching the secure directory-lookup requirement.

• APort 389 carries standard LDAP that begins unencrypted; choosing it would expose directory credentials in cleartext, which is exactly the secure-lookup requirement the scenario rules out.
• BPort 88 is Kerberos authentication used inside Active Directory; it does not transport LDAP directory queries, so opening it would not satisfy the encrypted-lookup requirement described.
• DPort 143 is IMAP for email retrieval and has nothing to do with directory services; selecting it would fail to pass any LDAP directory traffic at all.

Agents are polled on UDP 161 (snmp), and traps/notifications are sent to the manager on UDP 162 (snmptrap), matching the poll-then-notify scenario.

• APort 161 is correct for polling, but 514 is the syslog logging port, not SNMP traps; mixing logging and SNMP notification ports is a common confusion this distractor targets.
• BThis reverses the roles: the agent listens on 161 for polls while traps go to the manager on 162, so swapping the two numbers misassigns both directions of SNMP traffic.
• CPort 443 is HTTPS web traffic and is unrelated to SNMP polling, so pairing it with 161 would block the manager from receiving any trap notifications from agents.

RFC 6409 specifies that client message submission normally uses port 587, separating authenticated submission from server-to-server relay on port 25.

• APort 25 is reserved for SMTP message relay between mail servers; using it for authenticated client submission ignores the separation the submission standard defines and is often blocked by ISPs.
• CPort 110 is POP3, used to retrieve mail from a server to a client, so it cannot be used to submit or send outbound messages as the scenario requires.
• DPort 993 is IMAPS for encrypted mailbox access and retrieval, not for submitting outbound email, so selecting it would not deliver the client's outgoing messages.

NTP synchronizes device clocks to UTC and operates over UDP port 123, the registered well-known port for time synchronization traffic.

• BAlthough the number 123 is right, NTP uses connectionless UDP rather than TCP for time exchange, so specifying TCP misstates the transport the protocol actually relies on.
• CUDP 161 is the SNMP agent polling port used for network management, not clock synchronization, so it would carry monitoring queries rather than NTP time updates.
• DTCP 119 is NNTP for Usenet news transfer and is unrelated to time services, so choosing it would not synchronize any device clocks in the scenario.

Syslog receivers must accept event messages on the well-known UDP port 514 by default, which is where the device sends its logs.

• ATCP 22 is SSH for encrypted remote administration sessions, not event-message forwarding, so it would not deliver syslog records to the logging collector by default.
• BUDP 69 is TFTP used for simple file transfers such as firmware or configs, so it cannot carry the device's logged event messages to a syslog server.
• DTCP 443 is HTTPS for encrypted web traffic and is not the default syslog channel, so relying on it would not match the standard logging behavior described.

The AAAA record type stores a single 128-bit IPv6 address for a host, which is exactly what dual-stack clients query to reach the server over IPv6.

• AAn A record maps a hostname only to a 32-bit IPv4 address, so it cannot publish the server's 128-bit IPv6 address that IPv6 clients need to resolve.
• CAn MX record designates mail exchangers for a domain and carries no host IP address, so it cannot provide the IPv6 address a web client must resolve.
• DA CNAME only aliases one name to another canonical name and does not itself hold any address, so it cannot directly map the host to its IPv6 address.

The MX (mail exchange) record identifies the domain's mail servers and uses a preference value (lower is preferred) to order delivery attempts.

• ATXT records hold arbitrary text such as SPF or verification strings; they do not designate which mail servers accept the domain's email or in what preference order.
• BPTR records perform reverse IP-to-name lookups and are used by spam checks, but they do not tell sending servers which mail exchangers handle the domain's inbound mail.
• CSRV records locate generic services like SIP or XMPP by port and priority, but email routing for a domain is handled specifically by mail exchange records, not SRV.

A CNAME (canonical name) record creates an alias that points one hostname to another name, which the resolver then follows to the canonical host.

• BAn A record maps a name straight to an IPv4 address, so it cannot create a name-to-name alias to a canonical hostname as the requirement explicitly describes.
• CA PTR record maps an IP address back to a hostname for reverse lookups, which is the opposite direction of the forward alias the administrator wants to create.
• DA DNAME redirects an entire subtree of names rather than aliasing one specific hostname to a canonical name, so it does not match this single www-to-host alias requirement.

A PTR (pointer) record maps an IP address back to a hostname via the reverse-lookup zone, which is exactly what the receiving server queries.

• AAn A record provides forward resolution from a name to an IPv4 address, which is the opposite direction of the reverse IP-to-name lookup the mail server is performing.
• BAn AAAA record forward-resolves a name to an IPv6 address; it does not map an address back to a hostname, so it cannot satisfy the reverse-lookup check described.
• DA TXT record stores free-form text like SPF policies; it does not perform address-to-name translation, so it cannot answer the reverse lookup the mail server initiates.

A DHCP scope is the administrative grouping of IP addresses, with options like subnet mask, gateway, and lease duration, that the server leases to clients on a subnet.

• AA reservation ties one client's MAC address to a single fixed IP so it always gets the same address; it is not the overall range and options grouping the scenario defines.
• CAn exclusion only carves specific addresses out of a range so they are not handed out; it is a subset, not the whole range-plus-options configuration described.
• DA superscope groups several existing scopes together for multinet subnets; it is a container of scopes, not the single per-subnet range and options being defined here.

Configuring ip helper-address makes the router a DHCP relay agent that converts client broadcasts to unicast, sets giaddr, and forwards them to the remote server.

• AA static route fixes how routed unicast packets reach a network, but DHCP discovers are layer-2 broadcasts a router drops, so routing alone never forwards them to the server.
• BA conditional forwarder steers name-resolution queries to specific DNS servers; it has nothing to do with relaying DHCP broadcasts, so clients still get no address leases.
• CNAT overload translates many private addresses to one public address for internet access; it does not forward broadcast DHCP requests across subnets to the server.

The host compares its subnet mask against its own and the destination IP to determine whether the target is local or must be forwarded to the gateway.

• BA MAC address is a layer-2 hardware identifier used only within a local segment; it does not define network boundaries, so it cannot decide if a destination is local or remote.
• CA DNS server resolves names to IP addresses but plays no role in computing whether a resolved address sits on the local subnet or needs the default gateway.
• DLease time only controls how long a DHCP-assigned address remains valid; it has no bearing on the host's local-versus-remote forwarding decision for a destination.

The default gateway is the router the host forwards traffic to for destinations off the local subnet; a missing or wrong gateway blocks internet access while local traffic still works.

• AThe scenario states the subnet mask is correct and local communication works, so the mask is not the cause; the failure is specifically reaching networks beyond the local subnet.
• BDHCP lease duration only controls how long an assigned address stays valid before renewal; it has no role in routing traffic off the local subnet to the internet.
• DAn MX record only directs email delivery for a domain and has no role in general host routing, so it cannot explain a workstation's inability to reach the internet.

WPA3 is mandatory for Wi-Fi 6E devices in the 6 GHz band and uses SAE for WPA3-Personal, replacing the WPA2 pre-shared-key handshake.

• AWEP is an obsolete, easily cracked legacy cipher that is disallowed on modern certified Wi-Fi and is explicitly not permitted for 6 GHz operation, so it cannot be used here.
• CWPA2-Personal with a pre-shared key is exactly the handshake being replaced, and WPA2 is not permitted for 6 GHz operation, so it cannot secure this 6E SSID.
• DAn open network with MAC filtering provides no encryption and MAC addresses are trivially spoofed, so it neither meets 6 GHz security requirements nor uses SAE.

A switch examines its MAC address table and forwards the frame out only the single port associated with the destination MAC, unlike a hub that floods every port.

• BFlooding out all ports is exactly the hub behavior the switch improves upon; a switch only floods when a destination MAC is unknown, not for a known unicast frame.
• CIP-address and routing-table decisions occur at Layer 3 on a router; a Layer 2 switch makes forwarding decisions on MAC addresses and is unaware of the IP payload.
• DARP is used by hosts to learn a MAC for an IP and is not how a switch forwards each frame; broadcasting every frame would defeat the switch's per-port efficiency.

Routers do not forward Layer 2 broadcasts, so each routed segment becomes its own broadcast domain, which is why broadcasts no longer cross between them.

• AExtending one collision domain describes a hub's effect, not a router's; a router actually bounds both broadcast and collision domains rather than merging segments into one.
• BMerging segments into a single broadcast domain is what a switch with one VLAN does; a router does the opposite by stopping broadcasts at its interfaces.
• CPer-port boundaries describe collision domains on a switch, not broadcast domains; broadcast domains are bounded by routers (or VLANs), so this misstates how segmentation works.

TFTP issues its initial read/write request to the well-known TID 69 over UDP, and its lockstep design needs no login or directory browsing, matching the boot-time config pull described.

• BTCP 21 is the FTP control channel, a full file-transfer protocol with authentication and directory listing, which contradicts the no-login, no-listing lightweight transfer the scenario specifies.
• CThe number 69 is right but the transport is wrong; TFTP runs over connectionless UDP datagrams, not a TCP stream, so a TCP socket on 69 would not match the registered service.
• DUDP 53 carries DNS name-resolution queries, not file transfers, so it cannot deliver a switch configuration image and is unrelated to the boot-time file pull described here.

The Kerberos KDC listens on port 88 for Authentication Service and Ticket-Granting Service requests, so opening 88 lets workstations obtain the tickets that prove their identity.

• APort 636 is LDAPS, encrypted directory lookups to a domain controller; it carries directory queries, not the Kerberos ticket-granting exchange the KDC performs for authentication.
• CPort 445 is SMB for file and printer sharing; while common in domains, it transports file access, not the Kerberos authentication tickets the KDC issues to clients.
• DPort 53 is DNS, which clients use to locate the domain controller, but it does not carry the Kerberos credential exchange itself, so it alone cannot satisfy ticketing.

MySQL's classic client/server protocol listens on TCP 3306 by default, so permitting 3306 between the app server and database restores the blocked connection described.

• BTCP 1433 is the default for Microsoft SQL Server, a different database engine; opening it would not let clients reach a MySQL instance listening on its own port.
• CTCP 3389 is Remote Desktop Protocol for graphical Windows sessions and has nothing to do with database queries, so it cannot carry MySQL client traffic.
• DTCP 5432 is PostgreSQL's default port; although also a SQL database, it is a separate product and will not accept connections destined for the MySQL service.

Remote Desktop Protocol uses TCP/UDP 3389 by default, so the host must accept 3389 for the analyst's client to open the graphical Windows session.

• APort 5900 is VNC's Remote Framebuffer used for cross-platform screen sharing, not the native Windows RDP graphical session this Remote Desktop client establishes.
• BPort 443 is HTTPS and may front an RD Gateway, but the direct host-to-client Remote Desktop session itself uses a different standard port, so 443 alone is not the answer.
• CPort 23 is Telnet, an unencrypted command-line protocol; it offers no graphical desktop and is unrelated to the RDP session the analyst needs to establish.

VNC clients reach the Remote Framebuffer (RFB) server on TCP 5900 by default, and RFB is platform-independent, matching the cross-platform desktop control scenario.

• APort 3389 is Microsoft's RDP, which is Windows-centric; it is not the Remote Framebuffer protocol used by the cross-platform VNC tool described for Linux and macOS.
• CPort 5985 is WinRM/PowerShell Remoting for Windows management, not a graphical screen-sharing protocol, so it cannot provide the VNC desktop control required here.
• DPort 22 is SSH for encrypted command-line access; while it can tunnel VNC, by itself it does not present the remote graphical framebuffer the technician needs.

IEEE 802.3af power-sourcing equipment supplies up to 15.4 W per port (about 12.95 W reaching the powered device after cable loss), which defines the original PoE standard.

• B12.95 W is the power available at the powered device under 802.3af after cable loss, not the per-port maximum the source equipment actually outputs.
• C60 W corresponds to 802.3bt Type 3 (PoE++) using four pairs; it far exceeds the two-pair 802.3af budget described and applies to a much newer standard.
• D90 W is the 802.3bt Type 4 per-port maximum; it requires all four pairs energized and is unrelated to the original 802.3af specification in question.

IEEE 802.3at (PoE+) source equipment supplies up to 30 W per port over two pairs, enough for higher-draw devices like PTZ cameras that exceed the 802.3af limit.

• A15.4 W is the original 802.3af limit that proved insufficient for this camera; PoE+ was created precisely to exceed that figure, so it understates the PoE+ port budget.
• B12.95 W is the power available at the powered device under 802.3af after cable loss, not the per-port source maximum of the PoE+ standard being asked about.
• CRoughly 100 W is the theoretical ceiling of 802.3bt Type 4 over four pairs; it greatly exceeds the two-pair PoE+ standard the camera is plugged into.

802.3bt Type 4 source equipment supplies up to about 90 W by energizing all four twisted pairs, with roughly 71 W reaching the powered device after cable loss.

• A15.4 W over two pairs describes original 802.3af, which cannot approach the roughly 71 W a Type 4 device needs, so it badly understates the bt delivery method.
• C30 W over two pairs is the 802.3at PoE+ profile; it falls far short of Type 4 levels and does not use the four-pair powering that 802.3bt requires.
• D60 W is the Type 3 ceiling and Type 3/4 both energize all four pairs, so describing 60 W on only two pairs misstates both the wattage and the wiring.

In the US 2.4 GHz band only channels 1, 6, and 11 are spaced far enough apart to not overlap, so reusing this trio lets neighboring APs avoid interfering.

• AChannels 3, 6, and 9 are spaced too closely; their 22 MHz signals overlap, causing adjacent-channel interference rather than the clean separation the plan requires.
• CBecause each channel is about 22 MHz wide, the 4-channel spacing of 1, 5, and 9 still produces a small overlap, so this set is not truly non-overlapping.
• DUsing every channel guarantees heavy mutual overlap among adjacent APs, which is the exact interference the technician is trying to eliminate with a reuse plan.

An omnidirectional antenna radiates a 360-degree doughnut-shaped pattern in the horizontal plane, providing coverage in all directions, which suits a centrally mounted AP serving clients all around it.

• BA Yagi is a high-gain directional antenna that focuses energy into a narrow beam for point-to-point links, leaving clients off to the sides poorly covered in an open office.
• CA parabolic dish concentrates RF into the tightest beam of all WLAN antennas for long-range line-of-sight links, so it would ignore most of the surrounding office area.
• DA patch is a directional antenna that projects an egg-shaped pattern away from a wall or ceiling surface, covering one sector rather than the full surrounding space.

A high-gain directional antenna focuses RF into a narrow beam, increasing coverage distance toward one target, which is exactly what a long line-of-sight building-to-building bridge needs.

• AAn equal-in-all-directions, low-gain pattern wastes most energy on empty space around the building and lacks the reach to bridge an 800-meter point-to-point hop.
• CA 2.14 dBi rubber-duck dipole is a short-range omnidirectional antenna for local client coverage; its low gain and wide pattern cannot reliably span hundreds of meters.
• DAntennas do not add power; they only redirect existing energy. Choosing one for added power misunderstands gain, which comes from focusing the beam, not amplification.

A remote access VPN securely connects an individual endpoint outside the office into the corporate network over an encrypted tunnel, letting the laptop behave as if on the LAN.

• AA site-to-site VPN links two entire networks, such as a headquarters and a branch, using dedicated gateway equipment; it is not the model for a single roaming laptop.
• CPort forwarding exposes one internal service to the public internet on a chosen port; it does not give the laptop broad, encrypted access to internal resources like a VPN does.
• DA DMZ host forwards all inbound traffic to one internal device, increasing exposure; it provides no encrypted client tunnel and does not securely connect a remote laptop inward.

Port forwarding maps a port on the router's public IP to a specific internal IP and port, making the inside web server reachable from the external network as required.

• AA DHCP reservation only guarantees the PC always receives the same internal IP; it does not direct any inbound internet traffic to that host through the router.
• BContent filtering blocks or allows outbound access to categories of websites; it governs what internal users may reach, not how external users connect inward to a server.
• DMAC filtering permits or denies devices based on hardware address for LAN/Wi-Fi access control; it has no role in routing inbound internet connections to an internal server.

A cable tester runs a wiremap that checks end-to-end continuity on each pair and flags single-wire faults, shorts, miswires, and split pairs, exactly the verification needed.

• AA toner and probe trace and locate a specific cable within a bundle by sound; they identify which cable is which but do not validate the eight-pin wiremap for faults.
• BA loopback plug redirects a port's transmit pins back to receive to test a single NIC or interface, not to verify continuity and pin mapping across an installed cable run.
• CA Wi-Fi analyzer surveys wireless channels and signal strength; it has no function on a copper Ethernet run and cannot detect opens, shorts, or crossed pairs.

The tone generator injects a signal onto the target cable and the probe detects that tone at the block, letting the technician audibly pinpoint the one cable among many.

• BA crimper attaches connectors to cable ends by compressing the contacts; it builds or repairs cables but provides no way to trace or identify an existing run.
• CA punch-down tool seats conductors into IDC terminals on a block or jack; it terminates wires but cannot send or detect a tracing signal to find a cable.
• DAn OTDR characterizes faults and distance on fiber-optic links; it is the wrong medium and the wrong function for tracing a specific copper patch cable in a bundle.

The LC is a small-form-factor connector roughly half the size of the SC, so its higher density lets nearly twice as many ports fit on the same panel.

• AST is an older bayonet twist-lock connector; it is larger and lower density than LC, so preferring ST would reduce, not maximize, the panel port density sought.
• BSC is the larger square push-pull connector; choosing it over LC lowers port density, the opposite of the high-density goal stated in the scenario.
• DMPO is a multi-fiber array connector for trunk cabling, not the duplex small-form-factor connector described; it solves a different problem than dense duplex patching.

RG-6 is the modern 75-ohm coax for cable TV, satellite, and broadband internet, terminated with F-connectors, making it the standard drop cable for this DOCSIS run.

• ARG-58 is a 50-ohm coax used for older thin Ethernet and radio, not 75-ohm video/broadband; its impedance mismatch makes it unsuitable for CATV and cable-modem service.
• CCat 6 is twisted-pair copper with RJ45 connectors for Ethernet, not coaxial cable; it cannot carry the 75-ohm RF cable signal or accept an F-connector.
• DRG-59 is thinner 75-ohm coax once used for analog CCTV and short baseband video; its higher loss at broadband frequencies makes RG-6 the preferred choice for modern cable internet.

802.3bt Type 3 (PoE++) sources up to 60 W over four pairs, delivering roughly 51 W to the device, which covers a multi-radio AP that PoE+ cannot power.

• BPoE+ tops out near 30 W per port, the very limit the 51 W access point exceeds, so it cannot supply enough power for this device.
• COriginal 802.3af supplies only 15.4 W, far below the access point's 51 W demand, so an af port would fail to bring the device online at all.
• DUSB Power Delivery is a USB-cable charging standard, not Power over Ethernet; it cannot power a network access point through its RJ45 data port.

POP3 listens on TCP port 110 and, by default, downloads messages to the client and removes them from the server, matching the single-machine, server-cleared mailbox described.

• AIMAP on TCP 143 keeps messages synchronized on the server for access from many devices, which is the opposite of the download-and-remove single-machine behavior the user described.
• CSMTP on TCP 25 is the protocol that sends and relays outgoing mail between servers; it does not retrieve a user's incoming messages from a mailbox at all.
• DTCP 995 is the implicit-TLS secure POP3 (POP3S) port negotiated immediately at connection; it is not the default cleartext port on which the classic protocol listens.

Direct-hosted SMB runs over TCP 445, so opening that port lets Windows clients reach the server's shared folders and printers without relying on legacy NetBIOS.

• BTCP 21 is the FTP control channel for file transfer sessions with login and directory commands; it does not carry Windows SMB file and printer sharing traffic.
• CTCP 389 is LDAP for directory queries to a domain controller; while common in Windows domains, it does not transport the SMB file-sharing sessions described here.
• DTCP 3389 is Remote Desktop Protocol for graphical remote sessions to a host; it provides a desktop, not access to shared folders and printers over SMB.

The DHCP server listens on UDP 67 (BootP server) for the broadcast discover, and the client receives the offer on UDP 68 (BootP client), so this pair is correct.

• AUDP 53 is DNS name resolution and 953 is unrelated to address leasing; neither carries the DHCP discover and offer messages that assign a client its IP configuration.
• BThe port numbers are right but the transport is wrong, because DHCP relies on connectionless UDP broadcasts at bootup rather than establishing a TCP connection first.
• DUDP 69 is the TFTP service used for trivial file transfers, not the DHCP server port, so mixing it in misidentifies the address-leasing conversation captured here.

Single-mode fiber's small core limits modal dispersion, letting transceivers such as 1000BASE-LX reach 10 km, comfortably covering the 8-kilometer building-to-building backbone.

• AThis reverses reality; multimode's larger core suffers modal dispersion that limits typical reach to hundreds of meters, so it cannot span the 8-kilometer link reliably.
• COM1 is the oldest, lowest-bandwidth multimode grade for short legacy links; its reach is measured in hundreds of meters, far short of the multi-kilometer span needed here.
• DBalanced twisted-pair copper is limited to a 100-meter channel regardless of category, so Cat 6A cannot bridge an 8-kilometer run and is the wrong medium entirely.

Category 6A was engineered to control alien crosstalk and support 10GBASE-T across the full 100-meter channel, so it covers the 95-meter run at 10 Gbps.

• ACategory 5e is specified for 1 Gigabit Ethernet to 100 meters and lacks the bandwidth and alien-crosstalk control needed to carry 10GBASE-T over this run at all.
• BCategory 6 can carry 10GBASE-T only over a sharply reduced length of roughly 37 to 55 meters, so it cannot reliably reach the 95-meter workstation drops required.
• DCategory 3 is legacy voice-grade cabling rated for only 10 Mbps Ethernet, so it is orders of magnitude short of the 10 Gbps performance the installer needs.

Keeping the 2.4 GHz radio at 20 MHz preserves the three non-overlapping channels in the limited band, which is the recommended width and minimizes interference in dense environments.

• ABonding to 40 MHz consumes most of the narrow 2.4 GHz band, leaving no room for non-overlapping reuse and increasing interference with neighboring access points rather than reducing it.
• BAn 80 MHz width is wider than the entire usable 2.4 GHz spectrum allows and is not supported there, so selecting it cannot fix and would aggravate the congestion.
• DA 160 MHz channel is a very wide bonding option intended for spacious 5 and 6 GHz spectrum; it cannot fit in the small 2.4 GHz band and only invites more overlap.

QoS classifies and places voice into a priority queue so real-time packets are served ahead of bulk transfers, reducing the jitter and loss that cause choppy call audio.

• BPort forwarding maps an inbound external port to an internal host so outside users can reach a service; it does nothing to prioritize voice packets during link congestion.
• CMAC filtering permits or denies devices by hardware address for access control; it cannot give voice traffic priority over competing data flows on a saturated link.
• DContent filtering blocks or allows categories of websites for users; it governs which sites are reachable and does not influence queuing or prioritization of voice packets.

The 5 GHz band offers many more non-overlapping channels and avoids common 2.4 GHz emitters like microwave ovens, so steering capable clients there relieves the congestion and interference.

• BForcing all radios onto a single channel maximizes co-channel contention, so every device shares one crowded medium and interference rises rather than falls in the dense area.
• CCranking up transmit power makes this router louder but also extends its interference footprint and does not silence the microwave or the neighboring 2.4 GHz networks causing the drops.
• DTurning off WPA3 only weakens security and has no effect on radio-frequency interference, since encryption operates above the physical layer where the microwave and channel overlap occur.