
CompTIA Network+ N10-009 Practice Questions: 20 Free Questions with Answers (2026)
How to Use These Practice Questions
Each question includes a domain label matching the five N10-009 exam domains and a difficulty marker. Read the question, choose your answer, then check the explanation. The questions below are weighted to reflect the real exam: Troubleshooting (24%) and Networking Concepts (23%) are the heaviest, followed by Implementation (20%), Operations (19%), and Security (14%).
Network+ rewards specifics. Port numbers, OSI layers, protocol behaviours, and troubleshooting steps are tested directly. When a question lists multiple plausible answers, the right one is usually the most precise rather than the most general. Practice with the actual port numbers, the actual subnet math, the actual OSI layer for each protocol - guessing-from-context is the fastest way to fail this exam.
These 20 questions are a small sample from the ReadRoost N10-009 pack. The complete pack includes 500+ scenario-based questions, full performance-based question (PBQ) simulations including drag-and-drop topology tasks, and Roost AI explanations. Start your free preview at readroo.st/marketplace/comptia-network-plus-n10-009.
Questions 1-5: Networking Concepts
Domain: Networking Concepts | Difficulty: Foundation
1. An administrator captures network traffic on port 443 between a client browser and a web server. At which layer of the OSI model does the encryption protecting this traffic operate?
A) Layer 3 (Network)
B) Layer 4 (Transport)
C) Layer 5 (Session)
D) Layer 6 (Presentation)
Correct Answer: D
TLS (which secures HTTPS on port 443) operates at the Presentation layer (Layer 6) in the OSI model, handling encryption, decryption, and data formatting between application and session layers. CompTIA's official mapping treats TLS as Layer 6. Note that some textbooks place TLS at Layer 5 (Session) due to handshake state - on the Network+ exam, Layer 6 is the expected answer.
Domain: Networking Concepts | Difficulty: Foundation
2. A user reports that they cannot resolve hostnames to IP addresses but can connect when given an IP address directly. Which protocol and port is most likely failing?
A) DHCP, UDP 67/68
B) DNS, UDP/TCP 53
C) HTTP, TCP 80
D) NTP, UDP 123
Correct Answer: B
Name resolution failure points to DNS (port 53). UDP 53 handles standard queries; TCP 53 is used for zone transfers and large responses. DHCP (67/68) is for IP address assignment. HTTP (80) and NTP (123) are unrelated to name resolution.
Domain: Networking Concepts | Difficulty: Moderate
3. An administrator configures a server with the IPv6 address 2001:db8::1/64. Which IPv6 address class does this represent, and what is the host portion of the address?
A) Link-local; host portion is the last 16 bits
B) Global unicast; host portion is the last 64 bits
C) Multicast; host portion is the last 32 bits
D) Unique local; host portion is the last 48 bits
Correct Answer: B
2001::/3 is the global unicast range (similar to public IPv4 addresses, routable on the public IPv6 internet). With a /64 prefix, the network portion is the first 64 bits and the host portion is the last 64 bits. Link-local is fe80::/10. Unique local is fc00::/7. Multicast is ff00::/8.
Domain: Networking Concepts | Difficulty: Moderate
4. A technician needs to allocate subnets from the 192.168.10.0/24 network. Each subnet must support at least 30 hosts. What is the most efficient subnet mask?
A) /25 (255.255.255.128)
B) /26 (255.255.255.192)
C) /27 (255.255.255.224)
D) /28 (255.255.255.240)
Correct Answer: C
A /27 has 32 addresses per subnet (2^5 = 32), with 30 usable hosts after subtracting the network and broadcast addresses. /28 only supports 14 hosts. /26 supports 62 hosts (more than needed - less efficient). /25 supports 126 hosts (much more than needed). /27 is the tightest fit.
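The sizing rule from question 4, as an added example that is not part of the original question set. It goes one step further than the question and carves several differently sized subnets out of the same /24 (VLSM). The function names and the host requirements are constructed for illustration.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest IPv4 prefix (smallest subnet) with at least `hosts` usable addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    # Smallest b with 2**b >= hosts + 2: the network and broadcast
    # addresses of each subnet cannot be assigned to hosts.
    host_bits = (hosts + 1).bit_length()
    if host_bits > 30:
        raise ValueError("too many hosts for one IPv4 subnet")
    return 32 - host_bits


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable host addresses in a subnet of /30 or larger."""
    return net.num_addresses - 2


def vlsm_allocate(parent: str, needs: dict) -> dict:
    """Allocate one subnet per requirement, largest first, from `parent`.

    Allocating in descending size order keeps every subnet aligned on its
    own boundary, so no address space is lost between allocations.
    """
    block = ipaddress.IPv4Network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if prefix < block.prefixlen or cursor + size > end:
            raise ValueError(f"{parent} cannot fit {name} ({hosts} hosts)")
        plan[name] = ipaddress.IPv4Network((cursor, prefix))
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed requirements: segment name -> hosts needed.
    needs = {"staff": 30, "voice": 30, "servers": 14, "wan-link": 2}
    for name, net in vlsm_allocate("192.168.10.0/24", needs).items():
        print(f"{name:9} {str(net):18} mask {net.netmask}  "
              f"usable {usable_hosts(net)}")
```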
Domain: Networking Concepts | Difficulty: Challenging
5. A company is connecting two data centres via a service provider's MPLS network. The provider gives them a Layer 3 VPN service. From the customer's perspective, how do their routers interact with the provider's network?
A) Customer routers form a Layer 2 broadcast domain across the WAN
B) Customer routers exchange routes with the provider's PE routers via BGP or OSPF
C) Customer routers use static routes only; dynamic routing is not supported
D) Customer routers tunnel traffic through GRE without provider awareness
Correct Answer: B
In an MPLS Layer 3 VPN, customer-edge (CE) routers exchange routes with provider-edge (PE) routers via a routing protocol (typically eBGP, sometimes OSPF). The provider distributes the customer's routes across the MPLS core using MP-BGP and VPN labels. Layer 2 services (VPLS) are different. GRE is for site-to-site tunnels without provider routing awareness.
Questions 6-10: Network Implementation + Operations
Domain: Network Implementation | Difficulty: Foundation
6. A network administrator is configuring a switch port that will connect to a desktop PC. The PC requires access only to the data VLAN, not the voice VLAN. Which switch port mode is appropriate?
A) Access mode
B) Trunk mode
C) Hybrid mode
D) Routed mode
Correct Answer: A
Access mode assigns the port to a single VLAN, exactly the requirement for an end-user device. Trunk mode carries multiple VLANs (used for switch-to-switch links and IP phones with PCs daisy-chained). Hybrid mode is vendor-specific. Routed mode (no switchport) makes the port behave like a Layer 3 interface.
Domain: Network Implementation | Difficulty: Moderate
7. A network engineer is configuring redundant uplinks between two switches. Both links are active, and the engineer wants traffic to load-balance across them as a single logical link. Which technology achieves this?
A) Spanning Tree Protocol (STP)
B) Link Aggregation Control Protocol (LACP) / EtherChannel
C) Hot Standby Router Protocol (HSRP)
D) Virtual Router Redundancy Protocol (VRRP)
Correct Answer: B
LACP (IEEE 802.3ad) bundles multiple physical links into a single logical link with load balancing across the members and automatic failover if one link fails. STP would block one of the redundant links to prevent loops, the opposite of what is wanted here. HSRP and VRRP are first-hop redundancy protocols for default gateways, not link aggregation.
Domain: Network Implementation | Difficulty: Moderate
8. A wireless administrator is deploying Wi-Fi 6 (802.11ax) access points in a high-density office. To ensure simultaneous client communication on the same channel, which technology should be enabled?
A) MU-MIMO
B) OFDMA
C) Beamforming
D) Channel bonding
Correct Answer: B
Orthogonal Frequency-Division Multiple Access (OFDMA) is a key Wi-Fi 6 feature that subdivides each channel into Resource Units (RUs), allowing multiple clients to transmit simultaneously on the same channel. MU-MIMO supports parallel streams to multiple clients but doesn't subdivide the channel. Beamforming directs the signal toward specific clients. Channel bonding combines channels for higher throughput but reduces channel availability.
Domain: Network Implementation | Difficulty: Challenging
9. A network engineer is configuring OSPF on a router. The router connects to two other OSPF neighbours: one in area 0 and one in area 5. To exchange routes between the two areas, the router must function as which type of OSPF router?
A) Internal Router
B) Area Border Router (ABR)
C) Autonomous System Boundary Router (ASBR)
D) Designated Router (DR)
Correct Answer: B
An ABR sits between OSPF areas (one interface in area 0, another in a non-zero area) and exchanges Type 3 summary LSAs between them. Internal routers have all interfaces in the same area. ASBR redistributes routes from other routing protocols into OSPF. DR is elected on multiaccess networks to reduce LSA flooding.
Domain: Network Operations | Difficulty: Foundation
10. A network administrator wants to monitor real-time bandwidth utilisation on key interfaces. Which protocol allows the administrator to poll devices and receive interface counter values periodically?
A) SNMP
B) Syslog
C) NetFlow
D) ICMP
Correct Answer: A
SNMP (typically v2c or v3) is the standard protocol for polling devices to read MIB values, including interface counters used for bandwidth monitoring. Syslog is for event logging, not polling. NetFlow exports flow records (source, destination, bytes per flow) - useful for traffic analysis but not interface counter polling. ICMP is for connectivity/diagnostics.
Questions 11-15: Network Operations + Security
Domain: Network Operations | Difficulty: Moderate
11. A network administrator notices that the syslog server is receiving a high volume of informational messages from switches, making it difficult to spot critical events. Which configuration change should be made?
A) Disable syslog on the switches
B) Configure the switches to log only severity level 4 (warning) and above
C) Send all logs to email instead of syslog
D) Reduce the syslog server's storage capacity
Correct Answer: B
Syslog uses severity levels 0-7 (0 = Emergency, 7 = Debug). Configuring switches to log severity 4 (warning) and lower-numbered (more critical) means informational and notice messages are filtered out, leaving warnings, errors, and emergencies for the operator's attention. Disabling syslog or reducing storage are not solutions. Email is unsuitable for high-volume logs.
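The same severity cut-off applied on the collector side, as an added example that is not part of the original question set. It decodes the leading <PRI> value of each syslog message (PRI = facility * 8 + severity) and keeps severity 4 and lower-numbered. The log lines and host names are constructed sample data, and messages without a valid PRI are set aside for review instead of being silently discarded.

```python
import re

SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from a leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:            # highest valid value: facility 23, severity 7
        return None
    return divmod(pri, 8)    # PRI = facility * 8 + severity


def triage(lines, max_level=4):
    """Split messages into kept (severity <= max_level), dropped, and unparsed."""
    kept, dropped, unparsed = [], [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            unparsed.append(line)
            continue
        _facility, sev = decoded
        bucket = kept if sev <= max_level else dropped
        bucket.append((SEVERITY_NAMES[sev], line))
    return kept, dropped, unparsed


# Constructed sample messages (facility local7 = 23, so PRI = 184 + severity).
SAMPLE = [
    "<190>Jan 12 09:14:02 sw-access-01 configuration saved by admin",
    "<189>Jan 12 09:14:05 sw-access-01 interface Gi0/3 changed state to up",
    "<188>Jan 12 09:14:09 sw-access-02 temperature above warning threshold",
    "<187>Jan 12 09:14:11 sw-core-01 interface Te1/1 link down",
    "<185>Jan 12 09:14:12 sw-core-01 power supply 2 failed",
    "<191>Jan 12 09:14:13 sw-access-01 stp debug: bpdu received",
    "Jan 12 09:14:15 sw-access-03 message with no priority header",
    "<999>Jan 12 09:14:16 sw-access-03 out-of-range priority value",
]

if __name__ == "__main__":
    kept, dropped, unparsed = triage(SAMPLE)
    for name, line in kept:
        print(f"KEEP   {name:8} {line}")
    print(f"dropped {len(dropped)} low-severity, {len(unparsed)} need review")
```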
Domain: Network Operations | Difficulty: Moderate
12. An organisation is implementing a Configuration Management process for network devices. After a configuration change is made, which step is most important to ensure the change is documented and recoverable?
A) Update the change ticket and back up the running configuration to a central repository
B) Reboot the device to confirm the change persists
C) Email the change details to the network team
D) Save the running configuration to startup-config only
Correct Answer: A
Proper change management requires both documentation (the change ticket) AND a configuration backup to a central repository (rancid, oxidized, vendor NMS, or similar). This provides traceability for audits and rollback capability if the change causes problems. Saving to startup-config preserves the change locally but doesn't provide central recoverability. Reboots and emails don't satisfy the documentation requirement.
Domain: Network Security | Difficulty: Foundation
13. A network administrator wants to secure remote management access to switches and routers. Which protocol should replace Telnet for command-line access?
A) FTP
B) HTTP
C) SSH
D) SNMPv1
Correct Answer: C
SSH (port 22) provides encrypted command-line access, replacing Telnet (port 23) which transmits credentials and commands in cleartext. FTP and HTTP are file/web protocols, not management. SNMPv1 is for monitoring, not management CLI, and is itself insecure (community strings in cleartext).
Domain: Network Security | Difficulty: Moderate
14. An organisation is implementing 802.1X port-based authentication on the corporate LAN. Which three components are required to make 802.1X work?
A) Supplicant, authenticator, authentication server (typically RADIUS)
B) Supplicant, certificate authority, syslog server
C) Switch, router, firewall
D) Client, DHCP server, DNS server
Correct Answer: A
802.1X uses three roles: the supplicant (client device requesting access), the authenticator (the switch port that gates network access), and the authentication server (typically a RADIUS server such as Microsoft NPS or FreeRADIUS). The supplicant sends credentials via EAP, the authenticator relays them to RADIUS, and RADIUS approves or denies port access.
Domain: Network Security | Difficulty: Challenging
15. A security team detects ARP spoofing on the corporate LAN, where attackers are intercepting traffic by associating their MAC address with the gateway's IP. Which switch feature provides direct mitigation?
A) Storm Control
B) BPDU Guard
C) Dynamic ARP Inspection (DAI)
D) Port Security
Correct Answer: C
Dynamic ARP Inspection (DAI) inspects ARP packets against a trusted DHCP snooping binding table and drops ARP messages that do not match a valid IP-to-MAC binding. This directly mitigates ARP spoofing. Storm Control prevents broadcast/multicast floods. BPDU Guard protects against rogue switches. Port Security limits MAC addresses per port (related but not as targeted as DAI for ARP spoofing).
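The DAI decision described above, as an added example that is not part of the original question set and not any vendor's implementation. It is a simplified model: the class and field names are hypothetical, the addresses are constructed, and the port comparison and the trusted-port bypass are assumptions of this model. It also shows the case operators trip over: a statically addressed gateway has no DHCP snooping binding, so its ARP traffic is only accepted because it arrives on a trusted uplink.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:          # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:        # the fields the inspection looks at
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str


def norm(mac: str) -> str:
    return mac.lower().replace("-", ":")


class ArpInspector:
    def __init__(self, bindings, trusted_ports):
        self.trusted = set(trusted_ports)
        self.table = {(b.vlan, b.ip): b for b in bindings}

    def inspect(self, pkt: ArpPacket):
        """Return (action, reason) for one ARP packet."""
        if pkt.port in self.trusted:
            return ("forward", "trusted port")
        binding = self.table.get((pkt.vlan, pkt.sender_ip))
        if binding is None:
            return ("drop", "no binding for sender IP")
        if norm(binding.mac) != norm(pkt.sender_mac):
            return ("drop", "MAC does not match binding")
        if binding.port != pkt.port:
            return ("drop", "binding learned on another port")
        return ("forward", "matches binding")


# Constructed lab data: two DHCP clients on VLAN 20, gateway 10.0.20.1
# reachable through the trusted uplink Te1/1 (no binding of its own).
BINDINGS = [
    Binding("02:00:00:00:00:0a", "10.0.20.10", 20, "Gi0/5"),
    Binding("02:00:00:00:00:0b", "10.0.20.11", 20, "Gi0/7"),
]
INSPECTOR = ArpInspector(BINDINGS, trusted_ports={"Te1/1"})

LEGIT = ArpPacket("Gi0/5", 20, "02-00-00-00-00-0A", "10.0.20.10")
GATEWAY = ArpPacket("Te1/1", 20, "02:00:00:00:00:01", "10.0.20.1")
# Host on Gi0/7 claiming the gateway's IP with its own MAC.
SPOOF_GW = ArpPacket("Gi0/7", 20, "02:00:00:00:00:0b", "10.0.20.1")
# Host on Gi0/7 claiming a neighbour's IP with its own MAC.
SPOOF_HOST = ArpPacket("Gi0/7", 20, "02:00:00:00:00:0b", "10.0.20.10")

if __name__ == "__main__":
    for pkt in (LEGIT, GATEWAY, SPOOF_GW, SPOOF_HOST):
        print(pkt.port, pkt.sender_ip, pkt.sender_mac, INSPECTOR.inspect(pkt))
```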
Questions 16-20: Network Troubleshooting
Domain: Network Troubleshooting | Difficulty: Foundation
16. A user reports they cannot reach any websites. The technician runs `ping 8.8.8.8` (Google's public DNS) and receives replies. Which layer of the OSI model is most likely the problem source?
A) Layer 1 (Physical)
B) Layer 3 (Network)
C) Layer 7 (Application) - specifically DNS resolution
D) Layer 4 (Transport)
Correct Answer: C
If ping by IP works (Layer 3 connectivity is fine) but websites fail (which require name resolution), the issue is at the application layer with DNS. The technician should check the user's DNS configuration and try resolving a hostname (`nslookup google.com` or `dig google.com`). Layer 1 and Layer 4 are working since ICMP echo replies are returning.
Domain: Network Troubleshooting | Difficulty: Moderate
17. A technician is troubleshooting intermittent connectivity on a copper Ethernet link. They run a cable tester and see the cable passes wiremap but fails the NEXT (Near-End Crosstalk) test. What is the likely cause?
A) The cable is too long for the cable category
B) The connector pinout is incorrect
C) Excessive untwisting at the termination, or damage to the twisted pairs
D) The cable is the wrong category for the speed
Correct Answer: C
NEXT failures typically indicate that twisted pairs have been untwisted too far at the termination (more than ~13mm for Cat6/6A) or that the cable jacket has been damaged, allowing signal from one pair to interfere with adjacent pairs. Wiremap passes because the connections are correct - it's the signal-quality test that fails. Length issues show as Insertion Loss; wrong-category issues fail multiple tests.
Domain: Network Troubleshooting | Difficulty: Moderate
18. A wireless user reports slow performance and frequent disconnects in a particular conference room. The site survey shows good signal strength (-55 dBm) but high channel utilisation (~80%). What is the most likely cause?
A) Weak signal strength
B) Channel interference from co-channel APs or non-Wi-Fi devices on the same channel
C) Authentication server failure
D) Insufficient bandwidth on the wired uplink
Correct Answer: B
Good signal but high channel utilisation is the textbook indication of co-channel interference (other APs broadcasting on the same channel) or non-Wi-Fi sources (microwaves, Bluetooth, baby monitors on 2.4 GHz). Solutions: re-channel the AP to a less-used frequency, reduce transmit power on neighbouring APs to shrink overlap, or move to 5 GHz/6 GHz where more channels are available. Auth and uplink issues would cause different symptom patterns.
Domain: Network Troubleshooting | Difficulty: Challenging
19. A technician runs `traceroute` to a destination and sees that hops 1-5 respond normally, hops 6-8 show timeouts (* * *), and hops 9-12 respond again, with the destination reached at hop 12. What is the most likely explanation?
A) The connection is broken between hops 5 and 9
B) Hops 6-8 are configured to drop ICMP traceroute responses but still forward traffic
C) The destination is unreachable
D) The local DNS server is failing
Correct Answer: B
If the destination at hop 12 was reached, traffic IS passing through hops 6-8 - they just aren't replying to traceroute (typically ICMP TTL Exceeded responses). Many ISPs and security-conscious networks rate-limit or drop traceroute responses without affecting forwarding. This is the expected pattern when traceroute crosses such networks. A real connectivity break would prevent the destination from responding.
Domain: Network Troubleshooting | Difficulty: Moderate
20. An application owner reports that a web application is slow only when accessed from the corporate WAN, while local users have no issue. The network team confirms the WAN link has spare bandwidth and low latency. Which troubleshooting step is most likely to identify the cause?
A) Increase the WAN bandwidth
B) Capture packets at both ends of the WAN and check for retransmissions, MTU issues, or QoS misclassification
C) Reset the WAN router
D) Migrate the application to the cloud
Correct Answer: B
Spare bandwidth and low average latency don't rule out micro-bursts, packet loss causing TCP retransmissions, MTU mismatches causing fragmentation, or QoS policies deprioritising the application's traffic class. Packet captures at both ends are the diagnostic step that surfaces these. The other options (more bandwidth, reset, migrate) are guesses that may not address the actual bottleneck.
Score Yourself, Then Drill the Gaps
18-20 correct: You're exam-ready on multiple-choice. The remaining gap is the PBQs - performance-based questions like dragging cable types onto a topology, configuring a router via simulated CLI, or matching ports to protocols. Practise those before booking.
14-17 correct: Solid foundation. The 3-6 gaps are diagnostic. Pay particular attention to the OSI layer mapping (TLS at L6, ARP straddling L2/L3) and the subnet math - these trip up the largest number of candidates.
10-13 correct: Two likely gaps. Either the protocol/port memorisation isn't there yet (drill the common ports list), or the troubleshooting reasoning isn't structured. Both are fixable with focused practice.
Under 10 correct: Step back to a structured study cycle. The Network+ N10-009 study guide walks the five domains. Then return to question banks once the foundations are in.
ReadRoost's N10-009 pack carries 500+ scenario questions across the five domains plus simulated PBQs (drag-and-drop topology builds, configuration simulators), all weighted to the real exam. Free preview at readroo.st/marketplace/comptia-network-plus-n10-009.
Frequently Asked Questions
Should I take N10-008 or N10-009?
Take N10-009. CompTIA retired N10-008 in 2024, so N10-009 is the only version offered now. If you started studying with N10-008 materials, the bulk of the content (OSI, TCP/IP, routing, switching, troubleshooting) carries over - the differences are added cloud connectivity content, refreshed wireless coverage (Wi-Fi 6/6E), and modernised security (zero trust, SASE). Update to N10-009 study materials before booking.
How is Network+ different from CCNA?
Network+ is vendor-neutral and tests fundamentals across the entire networking discipline. CCNA is Cisco-specific and goes deeper into Cisco IOS configuration. Network+ is the right cert for help-desk-to-network career paths, IT support roles, and as a foundation before Cisco/Juniper specialisation. Many candidates do Network+ first, then CCNA once they're on a Cisco-heavy team. ReadRoost covers Network+; CCNA is on the future roadmap.
How long should I study for Network+?
Most candidates with prior IT exposure (A+ or help desk experience) need 4-8 weeks of focused study. Career-changers with no IT background usually need 8-12 weeks. Plan for at least 1,000 practice questions across multiple providers in the final two to three weeks.
How hard are the Performance-Based Questions (PBQs) on N10-009?
PBQs are the highest-anxiety part of the exam. They're typically front-loaded (first 4-6 questions are PBQs) and include topology drag-and-drop, configuration simulators, and matching exercises. The biggest mistake candidates make is spending too long on PBQs - if you're stuck after 5-6 minutes, mark and skip, return at the end. The multiple-choice questions are worth more cumulatively if you let PBQs eat your time.
Do I need to memorise every port number?
Not every one - but the common ones are non-negotiable: 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3), 143 (IMAP), 161 (SNMP), 443 (HTTPS), 3389 (RDP), 67/68 (DHCP). Plus the secure variants (993 IMAPS, 995 POP3S, 465/587 SMTP-secure). Knowing these cold is what separates a 750+ score from a borderline pass.
Is the subnet math harder on N10-009 than older exams?
Subnet math is consistent with previous versions but more frequent. Expect 3-5 questions that require you to calculate subnet masks, host counts, network/broadcast addresses, or VLSM allocations. The N10-009 also tests IPv6 subnetting (typically /64 host allocation, which is simpler) alongside IPv4. Quick CIDR conversion and subnet host counts should be automatic, not calculated each time.
Should I do A+ before Network+?
If you're early-career (no IT experience, no help desk role), yes - A+ Core 1 + Core 2 builds the hardware/OS foundation that makes Network+ much easier to absorb. If you've been working in IT for 1+ year and you understand what an IP address and a switch are, you can skip A+ and go straight to Network+. The help desk to security engineer career path post covers the typical sequencing.
