IT2 Networking / TCP-IP Advancement hard
Exam Questions and Answers with Rationale
Latest Versions 2026 Top Rated A+
>> Question 1 (Hard – IPv6 + Routing)
In a dual-stack enterprise network running OSPFv3, a router receives two routes for the same
IPv6 prefix 2001:db8:abcd::/48.
- Route A: Learned via OSPFv3 intra-area with metric 20
- Route B: Learned via BGP with AS-Path length 2 and Local Preference 100
Which route is installed in the RIB, and why? What changes if the BGP route has Local
Preference 90?
Answer: It depends on whether Route B is eBGP or iBGP. With Cisco defaults an eBGP Route B is
installed and an iBGP Route B loses to OSPFv3; Local Preference 90 versus 100 changes nothing.
Rationale: When two protocols offer the same prefix, the RIB compares Administrative Distance
(Juniper: route preference) first; metric, Local Preference and AS-path length are only compared
among routes of the same protocol. Cisco defaults are eBGP 20, OSPF 110, iBGP 200, so an eBGP
route (20 < 110) wins and an iBGP route (200 > 110) loses. Local Preference only affects which
path BGP itself selects before offering it to the RIB; it never competes with the OSPF metric.
Defaults differ by vendor: Juniper prefers OSPF internal (10) over any BGP (170) and Huawei
prefers OSPF (10) over BGP (255), so on those platforms Route A is installed either way. Check
the platform's preference table before reasoning about which route lands in the RIB.
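The two-stage selection the rationale describes (each protocol picks its own best route, then the RIB compares only protocol preference), as an added example that is not part of the original exam text. The preference tables are the documented defaults named above; the scenario values (OSPF metric 20, AS-path length 2, Local Preference 100 or 90) come from the question.

```python
# Default protocol preference tables (lower wins). These are the documented defaults the
# rationale cites for Cisco IOS/IOS-XE, Junos and Huawei VRP; other platforms differ.
AD_TABLES = {
    "cisco":   {"connected": 0, "static": 1,  "ebgp": 20,  "ospf": 110, "ibgp": 200},
    "juniper": {"connected": 0, "static": 5,  "ospf": 10,  "ebgp": 170, "ibgp": 170},
    "huawei":  {"connected": 0, "ospf": 10,   "static": 60, "ebgp": 255, "ibgp": 255},
}

def bgp_best_path(paths):
    """BGP's own selection among its candidate paths, reduced to the two attributes the
    question mentions: higher Local Preference wins, then shorter AS path."""
    return min(paths, key=lambda p: (-p["local_pref"], p["as_path_len"]))

def rib_select(vendor, ospf_routes, bgp_paths):
    """RIB installation for one prefix. Each protocol first picks its own best route using its
    own attributes; the RIB then compares only protocol preference (AD). Metric and Local
    Preference never cross the protocol boundary."""
    ad = AD_TABLES[vendor]
    candidates = []
    if ospf_routes:
        candidates.append(("ospf", ad["ospf"], min(ospf_routes, key=lambda r: r["metric"])))
    if bgp_paths:
        best = bgp_best_path(bgp_paths)
        candidates.append((best["kind"], ad[best["kind"]], best))
    proto, _, route = min(candidates, key=lambda c: c[1])
    return proto, route

def question_scenario(vendor, bgp_kind, local_pref):
    """Route A (OSPFv3 intra-area, metric 20) versus Route B (BGP, AS-path length 2).
    Returns the protocol whose route is installed."""
    route_a = [{"metric": 20, "via": "OSPFv3 intra-area"}]
    route_b = [{"kind": bgp_kind, "local_pref": local_pref, "as_path_len": 2}]
    return rib_select(vendor, route_a, route_b)[0]

if __name__ == "__main__":
    for vendor in AD_TABLES:
        for kind in ("ebgp", "ibgp"):
            for lp in (100, 90):
                print(f"{vendor:8} {kind} LP={lp}: installs {question_scenario(vendor, kind, lp)}")
```

Running it prints that on Cisco only the eBGP variants install Route B, and that the Local Preference column never changes an outcome; on Juniper and Huawei every row installs the OSPF route.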
>> Question 2 (Very Hard – TCP Congestion Control 2025+)
A client whose sending side runs TCP BBRv2 (Bottleneck Bandwidth and RTT) exchanges data with a
server whose sending side runs CUBIC, over a high-latency satellite link (RTT 600 ms, 100 Mbps
bandwidth, 0.5% random packet loss). Congestion control is chosen per sender, so each direction
is governed by its own algorithm.
Explain step-by-step what happens to throughput compared to traditional Reno/Cubic, and
which algorithm is better suited for this link. Mention one recent Linux kernel improvement (as
of 2025–2026).
Answer: The direction sent with BBRv2 (client to server) keeps throughput near link capacity;
the direction sent with CUBIC (server to client) collapses, because loss-based control cannot
tell random loss from congestion and a 600 ms RTT makes every recovery slow. BBRv2 is the
better fit for this link.
Rationale:
- Reno/CUBIC treat every loss as a congestion signal and shrink cwnd (Reno halves it, CUBIC
  multiplies it by about 0.7), then need many RTTs to regrow it; at 600 ms each RTT is expensive.
- The Mathis bound for Reno, MSS/RTT x 1.22/sqrt(p), gives about 0.34 Mbit/s for MSS 1460 bytes,
  RTT 0.6 s and p = 0.005: well under 1% of the 100 Mbit/s link. CUBIC does better but stays far
  below capacity, because the bandwidth-delay product is about 5,100 segments while a loss
  arrives every 200 segments on average, so it never completes a growth cycle.
- BBRv2 drives sending from a model of bottleneck bandwidth and minimum RTT, paces at the
  estimated bandwidth and keeps inflight data near the BDP (100 Mbit/s x 0.6 s = 7.5 MB). It
  treats loss as a signal only once the loss rate exceeds a threshold (on the order of 2% in the
  BBRv2 design), so 0.5% random loss barely moves its estimate.
- The gap on such links is therefore not the "2-5x" often quoted: it is the difference between
  sub-megabit and tens of megabits per second.
- Either way the socket buffers must cover the BDP: a 7.5 MB window needs the net.ipv4.tcp_rmem
  and tcp_wmem maxima above that, or autotuning caps the window long before the link is full.
Linux note: the mainline tcp_bbr module is BBR version 1; BBRv2 and BBRv3 have lived in Google's
out-of-tree kernel branches, with upstreaming work ongoing. BBR depends on pacing, either via the
fq qdisc or the kernel's internal TCP pacing, which smooths the bursts that would otherwise
overflow shallow buffers. Check the changelog of the kernel you run before claiming that BBRv2
features are present in it.
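The numbers in the rationale, worked through as an added example (not part of the original exam text): the Mathis bound for a Reno-style sender, the bandwidth-delay product, and CUBIC's recovery time K from RFC 9438 for the window this link needs. The link parameters are the question's; MSS 1460 is assumed.

```python
import math

def mathis_throughput_bps(mss_bytes, rtt_s, loss_rate, c=1.22):
    """Mathis et al. steady-state bound for a Reno-style sender: BW = MSS/RTT * C/sqrt(p)."""
    return (mss_bytes * 8 / rtt_s) * (c / math.sqrt(loss_rate))

def bdp_bytes(bandwidth_bps, rtt_s):
    """Bandwidth-delay product: the inflight data needed to keep the pipe full."""
    return bandwidth_bps * rtt_s / 8

def cubic_recovery_time_s(wmax_segments, beta=0.7, c=0.4):
    """CUBIC (RFC 9438): after a loss the window drops to beta*Wmax and returns to Wmax after
    K = cbrt(Wmax*(1-beta)/C) seconds. K depends on window size, not on RTT."""
    return (wmax_segments * (1 - beta) / c) ** (1 / 3)

def satellite_analysis(bw_bps=100e6, rtt_s=0.6, loss=0.005, mss=1460):
    """Compare what loss-based control can reach on this link with what the link offers."""
    bdp = bdp_bytes(bw_bps, rtt_s)
    bdp_segments = math.ceil(bdp / mss)
    reno = mathis_throughput_bps(mss, rtt_s, loss)
    return {
        "bdp_bytes": bdp,                              # window required to fill the link
        "bdp_segments": bdp_segments,
        "segments_between_losses": 1 / loss,           # random loss arrives far sooner than that
        "reno_bound_mbps": reno / 1e6,
        "reno_fraction_of_link": reno / bw_bps,
        "cubic_regrow_to_bdp_s": cubic_recovery_time_s(bdp_segments),
    }

if __name__ == "__main__":
    for key, value in satellite_analysis().items():
        print(f"{key:26} {value:,.4f}")
```

The output shows a Reno bound around 0.34 Mbit/s (about 0.3% of the link), a BDP of 7.5 MB or 5,137 segments, and a CUBIC regrowth time near 16 s, while a loss is expected every 200 segments: the CUBIC window is cut long before it could reach the BDP, which is the collapse the rationale describes.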
>> Question 3 (Hard – Security & IPv6)
An attacker on the local link sends RA (Router Advertisement) messages with a malicious prefix
and sets the M-flag (Managed) to 0 and O-flag to 0. What attack is this, and what are two
modern mitigations used in enterprise networks in 2026?
Answer: Rogue Router Advertisement (RFC 6104), a SLAAC-based man-in-the-middle or denial of
service. With M=0 and O=0 hosts form addresses from the attacker's prefix and take the attacker
as default router through stateless autoconfiguration, without any DHCPv6 exchange, so traffic
for the rogue prefix and off-link traffic flows through the attacker.
Rationale & Mitigations:
1. RA Guard (RFC 6105) on access switches, dropping RAs received on host-facing ports. Deploy an
   implementation that follows RFC 7113, since early RA Guard could be evaded by hiding the RA
   behind IPv6 extension headers or fragmentation.
2. IPv6 First-Hop Security features that build and enforce a neighbor binding table (Cisco: IPv6
   Snooping, ND Inspection, IPv6 Source Guard; Juniper: RA Guard on EX/QFX).
3. SEND (Secure Neighbor Discovery, RFC 3971) with CGA (Cryptographically Generated Addresses,
   RFC 3972) signs ND messages, but it remains rarely deployed because of its certificate and
   host-support requirements.
Hosts that do not need SLAAC can ignore RAs outright (Linux: net.ipv6.conf.<interface>.accept_ra=0
with static addressing), and alerting on RAs from unexpected sources is the detective control.
The attack is easier in IPv6 than in IPv4 because a single unauthenticated multicast message lets
every node on the link assign itself an address and a default router, whereas an IPv4 host at
least waits for a DHCP exchange it initiated.
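Detection logic for the rogue RA described above, as an added example that is not part of the original exam text: a parser for the ICMPv6 Router Advertisement format (RFC 4861 sections 4.2 and 4.6) followed by the check a host-based monitor or an RA Guard policy applies, namely that the RA comes from a trusted router and only offers SLAAC prefixes inside the site's allocation. The router MAC allowlist, the allowed prefix 2001:db8:abcd::/48, and both packets are constructed for the example; the parser assumes it is handed a complete ICMPv6 message, so an RA split across fragments (the RFC 7113 evasion) must be reassembled before it is fed in.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3

def build_ra(hop_limit, m_flag, o_flag, router_lifetime, src_mac, prefixes):
    """Build an ICMPv6 Router Advertisement as constructed test input. The checksum is left
    zero: it covers an IPv6 pseudo-header that is not modelled here."""
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)   # M bit, O bit (RFC 4861 4.2)
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0,
                      hop_limit, flags, router_lifetime, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    for prefix, plen in prefixes:
        # Prefix Information option: L (on-link) and A (autonomous) set, so hosts run SLAAC on it
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, 0xC0,
                           2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    return pkt

def parse_ra(pkt):
    """Decode the RA header flags and the options the detection needs."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop_limit, "m": bool(flags & 0x80), "o": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                      # RFC 4861 4.6: zero length is invalid, discard
            raise ValueError("zero-length ND option")
        body = pkt[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[2], body[3]
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "slaac": bool(pflags & 0x40)})
        off += olen * 8
    return ra

def check_ra(ra, trusted_router_macs, allowed_prefixes):
    """Return findings; an empty list means the RA is consistent with policy."""
    findings = []
    if ra["src_mac"] not in trusted_router_macs:
        role = "default router" if ra["router_lifetime"] > 0 else "non-default router"
        findings.append(f"RA from untrusted {role} {ra['src_mac']}")
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    for p in ra["prefixes"]:
        net = ipaddress.IPv6Network(p["prefix"])
        if p["slaac"] and not any(net.subnet_of(a) for a in allowed):
            findings.append(f"SLAAC prefix {net} outside the allocated space")
    return findings

# Constructed policy and sample packets for the scenario in the question.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
ALLOWED_PREFIXES = ["2001:db8:abcd::/48"]
LEGIT_RA = build_ra(64, False, False, 1800, "00:11:22:33:44:55", [("2001:db8:abcd:1::", 64)])
ROGUE_RA = build_ra(64, False, False, 1800, "02:de:ad:be:ef:01", [("2001:db8:bad::", 64)])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        ra = parse_ra(pkt)
        print(name, "M=%d O=%d" % (ra["m"], ra["o"]),
              check_ra(ra, TRUSTED_ROUTER_MACS, ALLOWED_PREFIXES) or "ok")
```

The rogue packet produces two findings (untrusted default router, prefix outside the allocation) while the legitimate one passes; the same M=0/O=0 flags appear in both, which is why flag values alone tell you nothing about whether an RA is hostile.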
>> Question 4 (Hard – Performance & Troubleshooting)
A server reports TCP retransmission rate of 8% and high latency spikes. Packet capture shows
many SACK blocks and duplicate ACKs, but no full retransmission timeouts. The path MTU is
1500 bytes with no fragmentation.
What is the most likely cause, and what single command/config change would you apply on a
Linux server (kernel 6.6+) to mitigate it?
Answer: Bursty tail-drop at a congested, shallow-buffered hop (a middlebox or router queue) that
loses several segments from one window at a time; SACK-driven fast retransmit recovers them, so
no RTO fires.
Mitigation (one change): `sysctl -w net.ipv4.tcp_congestion_control=bbr`, paired with
`net.core.default_qdisc=fq` or BBR's internal pacing, so the server paces segments instead of
dumping line-rate bursts into the shallow queue. Setting `net.ipv4.tcp_ecn=1` only helps if the
bottleneck runs an ECN-capable AQM, and raising `tcp_rmem`/`tcp_wmem` addresses window size, not
loss. The durable fix is an AQM such as FQ-CoDel or CAKE at the bottleneck itself, which is
usually not under the server's control.
Rationale: SACK blocks and duplicate ACKs without RTOs mean each loss is confined to part of a
window and the connection stays in fast recovery; the latency spikes come from the queue filling
before it drops. That pattern points at queue overflow rather than link errors (which show up as
isolated single losses) or MTU trouble (ruled out by the 1500-byte path with no fragmentation).
Confirm before changing anything: compare `RetransSegs` with `OutSegs` in /proc/net/snmp and
`TCPSackRecovery` with `TCPTimeouts` in /proc/net/netstat, or read the `retrans` and `lost`
fields per socket from `ss -ti`.
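The confirmation step from the rationale, as an added example that is not part of the original exam text: parse the header/value line pairs that /proc/net/snmp and /proc/net/netstat use, compute the retransmission rate and the share of recoveries that were timeouts, and classify the loss pattern before touching sysctls. The two counter snapshots below are constructed to match the question (8% retransmissions, SACK recoveries, almost no RTOs) and list only a subset of the columns a real kernel emits.

```python
# Constructed counter snapshots in the /proc/net/snmp and /proc/net/netstat layout:
# one header line and one value line per table. Real files carry many more columns.
SNMP_SAMPLE = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 1234 5678 12 34 56 700000 500000 40000 0 123 0
"""
NETSTAT_SAMPLE = """\
TcpExt: TCPTimeouts TCPLossProbes TCPSackRecovery TCPFastRetrans TCPSlowStartRetrans TCPDSACKRecv
TcpExt: 12 480 3100 38000 900 210
"""

def parse_proc_counters(text):
    """Turn the paired header/value lines into {table: {counter: int}}."""
    tables = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        name, names = header.split(":", 1)
        vname, vals = values.split(":", 1)
        if vname != name:
            raise ValueError(f"header/value mismatch for table {name}")
        tables[name] = dict(zip(names.split(), map(int, vals.split())))
    return tables

def diagnose(snmp_text, netstat_text, high_rate=0.01, rto_share_limit=0.05):
    """Classify the loss pattern: fast-recovery dominated loss points at queue overflow,
    timeout dominated loss at whole-window drops or a broken path."""
    tcp = parse_proc_counters(snmp_text)["Tcp"]
    ext = parse_proc_counters(netstat_text)["TcpExt"]
    rate = tcp["RetransSegs"] / tcp["OutSegs"]
    recoveries = ext["TCPSackRecovery"] + ext["TCPTimeouts"]
    timeout_share = ext["TCPTimeouts"] / recoveries if recoveries else 0.0
    if rate >= high_rate and timeout_share < rto_share_limit:
        verdict = "in-window loss recovered by SACK: suspect queue overflow at a shallow bottleneck"
    elif rate >= high_rate:
        verdict = "RTO-dominated loss: suspect whole-window drops, blackholing or path breakage"
    else:
        verdict = "retransmission rate within normal range"
    return {"retrans_rate": rate, "timeout_share": timeout_share, "verdict": verdict}

def sysctl_commands():
    """The single server-side change from the answer, with the pacing qdisc it pairs with."""
    return ["sysctl -w net.core.default_qdisc=fq",
            "sysctl -w net.ipv4.tcp_congestion_control=bbr"]

if __name__ == "__main__":
    result = diagnose(SNMP_SAMPLE, NETSTAT_SAMPLE)
    print(f"retrans rate {result['retrans_rate']:.1%}, timeout share {result['timeout_share']:.2%}")
    print(result["verdict"])
    if result["verdict"].startswith("in-window"):
        print("\n".join(sysctl_commands()))
```

On a live host, read the two files instead of the constants (`open("/proc/net/snmp").read()`) and take two snapshots a minute apart, because the counters are cumulative since boot and only the delta reflects the current problem.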
>> Question 5 (Hard – Modern TCP/IP Features)
Which of the following statements about QUIC (HTTP/3) vs traditional TCP+TLS is false in 2026?
A. QUIC uses 0-RTT resumption more safely than TLS 1.3 0-RTT
B. QUIC migration to a new IP address is seamless without breaking the connection
C. Head-of-Line blocking is completely eliminated in QUIC
D. QUIC always uses UDP port 443
Answer: D is false. QUIC runs over any UDP port; HTTP/3 uses UDP 443 by convention and advertises
its endpoint through Alt-Svc or the HTTPS DNS record, but the protocol does not require it.
Rationale: The other options are true only in a qualified sense, and a good answer says so. A:
QUIC's 0-RTT is TLS 1.3 0-RTT (RFC 9001), so it carries the same replay risk; the protection comes
from server-side anti-replay and from applications restricting early data to idempotent
requests, not from QUIC itself. B: connection migration works through Connection IDs, but only
the client can migrate, the new path must be validated before it carries bulk data, congestion
state is reset, and a server can forbid it with disable_active_migration. C: QUIC removes
head-of-line blocking between streams (a lost packet stalls only the streams whose data it
carried), not within a stream, and QPACK dynamic-table references can reintroduce blocking across
streams if used aggressively. Of the four, only D is false as an unqualified statement.
>> Question 6 (Scenario – Advanced Subnetting & Anycast)
You are designing an anycast DNS service using IPv6. You have 4 global sites. Each site should
advertise the same /48 prefix. What is the smallest prefix you can use for the service address
while maintaining proper anycast behavior, and which BGP attribute should you manipulate to
influence return traffic?
Answer: Configure the anycast service address as a single /128 on a loopback at every site and
announce the same /48 from all four sites. A /48 is the longest IPv6 prefix that transit providers
generally accept in the global table; a /64 or /128 announcement will be filtered, so the smallest
prefix you can use for the service is the /48 that contains it. To influence return traffic
(client to service, i.e. inbound to your AS), use attributes your neighbours act on: AS-path
prepending, MED (only between multiple links to the same neighbouring AS) or the upstream's BGP
communities. Local Preference is local to your AS and only steers outbound traffic; it cannot
move inbound traffic.
Rationale: Anycast works by announcing identical prefixes from multiple locations, so each remote
AS picks one site by its normal BGP best-path rules (Local Preference within that AS, then
AS-path length, then IGP cost to the nearest exit), not by longest match, since every site
announces the same length. The /128 exists only inside each site's network and is never announced
outside the /48. All sites must answer identically, because a client's queries can land at a
different site whenever routing changes.
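A consistency check for the announcement plan plus the remote-AS view that decides where inbound traffic lands, as an added example that is not part of the original exam text. The site names, the service address 2001:db8:abcd::53/128, and the AS numbers (from the RFC 5398 documentation range) are constructed; the /48 filter limit is the conventional DFZ threshold the answer cites, not a protocol constant.

```python
import ipaddress

DFZ_MAX_PREFIXLEN = 48   # longest IPv6 prefix transit providers generally accept

def validate_anycast_plan(service_addr, announcements):
    """announcements maps site -> list of prefixes it announces externally.
    Returns problems found; an empty list means the plan is consistent."""
    problems = []
    svc = ipaddress.IPv6Network(service_addr)
    if svc.prefixlen != 128:
        problems.append("service address should be a single /128 host route on each loopback")
    sets = {site: frozenset(ipaddress.IPv6Network(p) for p in prefixes)
            for site, prefixes in announcements.items()}
    if len(set(sets.values())) != 1:
        problems.append("sites announce different prefix sets; anycast needs identical announcements")
    for site, nets in sets.items():
        for net in nets:
            if net.prefixlen > DFZ_MAX_PREFIXLEN:
                problems.append(f"{site}: {net} is longer than /{DFZ_MAX_PREFIXLEN} and will be filtered")
            if not svc.subnet_of(net):
                problems.append(f"{site}: {net} does not cover the service address")
    return problems

def remote_as_choice(paths_seen):
    """How a remote AS picks between identical-prefix announcements once its own Local
    Preference is equal: shortest AS path wins (site name breaks exact ties here).
    paths_seen maps site -> AS path as received by the remote AS. Local Preference set at the
    anycast sites never appears in this input, which is why it cannot steer inbound traffic."""
    return min(paths_seen, key=lambda site: (len(paths_seen[site]), site))

def prepend(as_path, asn, count):
    """Lengthen the path a site announces by repeating its own ASN."""
    return [asn] * count + list(as_path)

# Constructed plan: four sites, one /48, one /128 service address.
GOOD_PLAN = {site: ["2001:db8:abcd::/48"] for site in ("fra", "sgp", "iad", "gru")}
BAD_PLAN = dict(GOOD_PLAN, sgp=["2001:db8:abcd::/48", "2001:db8:abcd:53::/64"])

# Constructed view from one remote AS: origin AS 64500, two transit paths.
SEEN = {"fra": [64496, 64500], "sgp": [64497, 64498, 64500]}

if __name__ == "__main__":
    print("good plan:", validate_anycast_plan("2001:db8:abcd::53/128", GOOD_PLAN) or "ok")
    print("bad plan:", validate_anycast_plan("2001:db8:abcd::53/128", BAD_PLAN))
    print("remote AS chooses", remote_as_choice(SEEN))
    shifted = dict(SEEN, fra=prepend(SEEN["fra"], 64500, 2))
    print("after prepending at fra, remote AS chooses", remote_as_choice(shifted))
```

The bad plan fails on two counts (one site differs from the others and announces a /64 that will not propagate), and the prepending run shows the only lever a site has over where return traffic enters: lengthening its own path until the remote AS prefers another site.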
>> Question 7 (Hard – NAT & IPv6 Transition)
In 2026, an ISP is still using MAP-E (Mapping of Address and Port with Encapsulation) for IPv4-
as-a-Service over IPv6. A customer complains about failing connections to certain IPv4 servers.
What is the most common cause related to port mapping, and how does it differ from DS-Lite?
Answer: The customer's CE has run out of ports in its fixed MAP-E port set, or the application
needs a port the set does not contain, so new sessions cannot be translated.
Rationale: In MAP-E (RFC 7597) the Border Relay is stateless: a mapping rule derives each
customer's shared public IPv4 address and Port Set ID (PSID) from its IPv6 prefix, and the CE
performs NAT44 into exactly that port set. With the default port offset (a = 6) the ports 0-1023
are excluded from every set, and a 1:64 sharing ratio leaves each customer 1008 ports spread over
63 non-contiguous blocks of 16. Applications that open many concurrent sessions (peer-to-peer
clients, some CDN or gaming traffic) exhaust the set and new connections fail, and inbound
services can only be offered on a port inside the set. DS-Lite (RFC 6333) instead tunnels
unmodified IPv4 to a stateful CGN (the AFTR), which allocates ports dynamically from a shared
pool: a single customer can burst past its fair share, but the AFTR must keep per-flow state and
carry the scaling and logging burden. MAP-E trades that state for a fixed, predictable and
smaller port budget per customer.
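The port-restricted port field from RFC 7597 section 5.1, implemented as an added example that is not part of the original exam text or any ISP's code: build a customer's port set from its PSID, check whether a port belongs to it, and count how many sessions remain before the CE fails the way the question describes. The PSID (52) and the session counts are constructed; sharing ratio 1:64 (k = 6) and offset a = 6 are the defaults the rationale uses.

```python
def map_port_set(psid, psid_len, offset=6):
    """RFC 7597 port-restricted port field: port = A | PSID | M with a + k + m = 16 bits.
    Returns the customer's port ranges as (first, last) tuples. For a > 0 the value A = 0 is
    excluded, which keeps ports below 2**(16-a) (0-1023 for the default a = 6) out of every set."""
    if offset + psid_len > 16:
        raise ValueError("a + k must not exceed 16 bits")
    m = 16 - offset - psid_len
    ranges = []
    for a_val in range(1 if offset > 0 else 0, 1 << offset):
        first = (a_val << (16 - offset)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges

def port_count(psid_len, offset=6):
    """Ports available to one customer: (2**a - 1) blocks of 2**m ports when a > 0."""
    m = 16 - offset - psid_len
    blocks = (1 << offset) - (1 if offset > 0 else 0)
    return blocks * (1 << m)

def psid_of_port(port, psid_len, offset=6):
    """Recover the PSID from a port: this is what the stateless BR does on inbound packets."""
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)

def port_in_set(port, psid, psid_len, offset=6):
    """True if the CE may use this port as the source port of a translated session."""
    if offset > 0 and port < (1 << (16 - offset)):
        return False
    return psid_of_port(port, psid_len, offset) == psid

def sessions_remaining(active_sessions, psid_len, offset=6):
    """Headroom before NAT44 on the CE starts refusing new sessions. Each session holds one
    source port; a negative result is the exhaustion failure from the question."""
    return port_count(psid_len, offset) - active_sessions

if __name__ == "__main__":
    psid, k = 52, 6                      # 1:64 sharing ratio -> 6 PSID bits
    ranges = map_port_set(psid, k)
    print(f"PSID {psid}: {len(ranges)} blocks, {port_count(k)} ports, first block {ranges[0]}")
    for port in (80, 1860, 1872):
        print(f"port {port}: {'in set' if port_in_set(port, psid, k) else 'not in set'}")
    for active in (300, 1200):
        print(f"{active} active sessions -> {sessions_remaining(active, k)} ports left")
```

Run it and the first block comes out as 1856-1871: port 1860 belongs to PSID 52, port 1872 already belongs to PSID 53, and port 80 is below the excluded range, so a peer-to-peer client holding 1200 sessions is 192 ports over budget while a DS-Lite AFTR would simply allocate from its pool.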
>> Question 8 (Hard – Protocol Evolution)
Explain how TCP Fast Open (TFO) + TLS 1.3 0-RTT works together, and identify one security risk
that remains even in 2026 implementations.
Answer: TFO (RFC 7413) lets a client that holds a server-issued TFO cookie put data in the SYN,
and the server may answer with data before the three-way handshake completes. TLS 1.3 0-RTT
(RFC 8446 section 4.2.10) lets a client that holds a session ticket send encrypted early data in
its first flight. Stacked, the ClientHello plus early data (the HTTP request) ride in the SYN
payload, subject to the one-segment limit on TFO data, and the server's first flight, including
the application response, can start in the SYN-ACK: the request is answered without any
handshake round trips. On Linux the sysctl net.ipv4.tcp_fastopen must enable it (bit 1 for
clients, bit 2 for servers) and the application must ask for it; nginx exposes TFO through the
fastopen listen parameter and early data through ssl_early_data.
Risk: Replay of 0-RTT data. Early data is encrypted under a key derived from the resumption
secret, but it is not bound to a fresh server contribution, so a duplicated or retransmitted SYN
(which TFO delivers to the application twice) or an attacker's replay makes the server process
the same request again. TLS 1.3 does not solve this; RFC 8446 section 8 leaves it to the server:
single-use tickets, recording ClientHellos within a freshness window, or restricting early data,
and RFC 8470 adds the HTTP 425 (Too Early) status so a server can refuse non-idempotent requests
that arrive as early data. Stacks such as nginx and Cloudflare's apply these rules, but the
residual risk remains that anything accepted in early data may run more than once, so it must be
idempotent.
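The server-side acceptance rules the answer lists, modelled as an added example that is not part of the original exam text and not the code of any TLS library: ticket freshness, ClientHello recording within a window (RFC 8446 section 8), and the RFC 8470 rule that only idempotent requests are served from early data. The ticket, the client randoms, the 10-second window and the deterministic clock are constructed; a real implementation keys the recording store on the actual ClientHello bytes and shares it across servers that issue the same tickets.

```python
import hashlib

FRESHNESS_WINDOW_S = 10          # tolerated skew between claimed ticket age and server clock
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS"}

class FakeClock:
    """Deterministic clock so the sequence below is reproducible."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class EarlyDataGate:
    """Decides whether 0-RTT data may be handed to the application. Rejecting early data is not
    an error: the server falls back to a 1-RTT handshake, and a non-idempotent request that
    arrived early is answered with 425 Too Early so the client resends it after the handshake."""
    def __init__(self, clock):
        self.clock = clock
        self.tickets = {}    # ticket_id -> time issued
        self.seen = {}       # sha256(ticket_id || client_random) -> time first seen

    def issue_ticket(self, ticket_id):
        self.tickets[ticket_id] = self.clock.now()

    def _expire_seen(self):
        cutoff = self.clock.now() - FRESHNESS_WINDOW_S
        self.seen = {d: t for d, t in self.seen.items() if t >= cutoff}

    def accept(self, ticket_id, client_random, claimed_ticket_age_s, method):
        """Return (accepted, reason) for one ClientHello carrying early data."""
        issued = self.tickets.get(ticket_id)
        if issued is None:
            return False, "unknown ticket: fall back to 1-RTT"
        # Freshness: the client's claimed ticket age must match the server's view of elapsed
        # time; a replay delayed past the window fails here before any state is consulted.
        if abs((self.clock.now() - issued) - claimed_ticket_age_s) > FRESHNESS_WINDOW_S:
            return False, "ticket age outside freshness window: possible delayed replay"
        # Recording: the same ClientHello inside the window is a replay, whether it came from a
        # duplicated TFO SYN or from an attacker.
        self._expire_seen()
        digest = hashlib.sha256(ticket_id + client_random).digest()
        if digest in self.seen:
            return False, "ClientHello already seen: replay"
        self.seen[digest] = self.clock.now()
        if method not in IDEMPOTENT_METHODS:
            return False, "non-idempotent method in early data: respond 425 Too Early"
        return True, "early data accepted"

def demo():
    """Walk the gate through a first request, a duplicated SYN, a POST and a stale replay."""
    clock = FakeClock()
    gate = EarlyDataGate(clock)
    ticket, rnd = b"ticket-0001", bytes(range(32))          # constructed identifiers
    gate.issue_ticket(ticket)
    clock.advance(5)
    results = [
        gate.accept(ticket, rnd, 5, "GET"),                   # first arrival
        gate.accept(ticket, rnd, 5, "GET"),                   # same SYN delivered again
        gate.accept(ticket, bytes(32), 5, "POST"),            # fresh hello, but not idempotent
    ]
    clock.advance(60)
    results.append(gate.accept(ticket, b"\x01" * 32, 40, "GET"))   # really 65 s old, claims 40
    return [(ok, reason.split(":")[0]) for ok, reason in results]

if __name__ == "__main__":
    for ok, reason in demo():
        print("accept" if ok else "reject", "-", reason)
```

Only the first request is served from early data; the second copy of the same hello is caught by recording, the POST is deferred with 425, and the late replay fails the freshness check, which is the behaviour a server needs before it turns on ssl_early_data or its equivalent.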