CertGrid
Security Certification

CompTIA Network+ (N10-009) Practice Exam

Validates core networking skills — concepts, implementation, operations, security, and troubleshooting of wired and wireless networks.

Practice 300 exam-style CompTIA Network+ (N10-009) questions with full answer explanations, then take timed mock exams that score like the real thing.

• Practice questions: 300
• On the real exam: 90
• Passing score: 800
• Exam length: 90 min

What the CompTIA Network+ (N10-009) exam covers

Free CompTIA Network+ (N10-009) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1: Networking Concepts

    At which OSI layer do IP addressing and routing operate?

    • A. Layer 3 (Network) [Correct]
    • B. Layer 2 (Data Link)
    • C. Layer 4 (Transport)
    • D. Layer 7 (Application)
    ✓ Correct answer: A

    The Network layer of the OSI model is responsible for logical addressing and path determination. IP (Internet Protocol) defines the IP addressing scheme that uniquely identifies hosts and networks, and routers use this information along with routing tables to make forwarding decisions. Layer 3 devices examine the destination IP address in each packet header to determine the best path to forward traffic across interconnected networks.

    Why the other options are wrong
    • B. Layer 2 (Data Link) is incorrect because Layer 2 uses MAC addresses to forward frames within a single network segment, not IP addresses across different networks.
    • C. Layer 4 (Transport) is incorrect because the Transport layer handles end-to-end communication using port numbers via TCP and UDP, not IP addressing or routing.
    • D. Layer 7 (Application) is incorrect because the Application layer is where user-facing protocols like HTTP, DNS, and SMTP operate, not where IP addressing and routing functions reside.
  2. Question 2: Network Operations (Select all that apply)

    Which TWO improve network availability? (Choose TWO)

    • A. A single switch with no backup
    • B. Redundant links and first-hop redundancy (HSRP/VRRP) [Correct]
    • C. Disabling monitoring
    • D. Backup power (UPS/generator) [Correct]
    ✓ Correct answer: B, D

    Network availability depends on eliminating single points of failure at every layer. Redundant links combined with first-hop redundancy protocols ensure that the loss of a single physical link or gateway router does not cause a network outage — HSRP and VRRP allow a standby router to take over the virtual gateway IP automatically. Backup power via UPS (Uninterruptible Power Supplies) and generators ensures network equipment remains operational during power outages, which are a leading cause of network downtime.

    Why the other options are wrong
    • A. A single switch with no backup is incorrect because a single non-redundant switch is itself a single point of failure; if it fails or loses power, all connected devices lose connectivity with no failover path.
    • C. Disabling monitoring is incorrect because removing network monitoring eliminates the ability to detect failures, degraded performance, and capacity issues proactively; good monitoring is essential to maintaining and quickly restoring availability when problems occur.
  3. Question 3: Network Troubleshooting

    Users report slow large-file transfers across a high-latency WAN even though the link is not saturated. Which TCP characteristic most likely limits throughput?

    • A. A missing DNS PTR record
    • B. An incorrect default gateway
    • C. A small TCP window size relative to the bandwidth-delay product [Correct]
    • D. An expired DHCP lease
    ✓ Correct answer: C

    TCP's sliding window mechanism controls how much unacknowledged data can be in flight at any time. On a high-latency WAN link, the bandwidth-delay product (BDP = bandwidth × round-trip time) may be very large — for example, a 100 Mbps link with 100 ms RTT has a BDP of 1.25 MB. If the TCP receive window size is smaller than the BDP, TCP must wait for acknowledgements before sending more data, creating idle time on the link and capping actual throughput well below the link's physical capacity. Modern TCP window scaling (RFC 1323) addresses this, but small default buffer sizes or MTU issues can still cause this problem.

    Why the other options are wrong
    • A. A missing DNS PTR record is incorrect because a missing PTR (reverse DNS) record affects reverse DNS lookups used by some services for logging or authentication; it does not affect TCP data transfer throughput on high-latency WAN links.
    • B. An incorrect default gateway is incorrect because an incorrect default gateway would prevent traffic from being routed at all; if large file transfers are occurring (just slowly), routing is clearly working and the gateway is not the issue.
    • D. An expired DHCP lease is incorrect because an expired DHCP lease would cause a host to lose its IP address entirely, stopping all communication rather than causing slow but functional large file transfers.
  4. Question 4: Network Troubleshooting

    On Windows, which command clears the local DNS resolver cache?

    • A. `netsh dns reset`
    • B. `ipconfig /clearcache`
    • C. `nslookup /flush`
    • D. `ipconfig /flushdns` [Correct]
    ✓ Correct answer: D

    On Windows, the DNS resolver cache stores recently resolved hostname-to-IP mappings to speed up repeated lookups. When DNS changes are made (new records, updated IP addresses) or when troubleshooting stale cached entries that may be causing connection failures, `ipconfig /flushdns` clears all entries from the local resolver cache, forcing the next lookup for each hostname to query the DNS server for a fresh result. This command is run from the command prompt with administrator privileges.

    Why the other options are wrong
    • A. `netsh dns reset` is incorrect because `netsh dns reset` resets the DNS client configuration to defaults but is not the standard command for flushing the DNS resolver cache; the cache flush is performed by `ipconfig /flushdns`.
    • B. `ipconfig /clearcache` is incorrect because `/clearcache` is not a valid ipconfig parameter; the correct parameter for clearing the DNS resolver cache is `/flushdns`.
    • C. `nslookup /flush` is incorrect because nslookup is a DNS query tool for performing forward and reverse lookups; it does not have a `/flush` parameter and cannot clear the Windows DNS resolver cache.
  5. Question 5: Network Implementation (Select all that apply)

    An architect is choosing between Layer 2 link aggregation (LACP) and Layer 3 ECMP for combining multiple uplinks. Which TWO statements are accurate design tradeoffs? (Choose TWO)

    • A. ECMP requires Spanning Tree to block redundant paths to prevent loops
    • B. LACP guarantees per-packet load balancing across all member links for a single flow
    • C. LACP bundles links into one logical Layer 2 interface, useful between a switch and a server or two switches in the same broadcast domain [Correct]
    • D. ECMP load-balances across multiple routed paths at Layer 3 without extending a broadcast domain [Correct]
    ✓ Correct answer: C, D

    LACP (Link Aggregation Control Protocol, IEEE 802.3ad) creates a single logical link from multiple physical links at Layer 2, presenting one MAC address and one broadcast domain to both sides. It is used in scenarios where Layer 2 adjacency is needed, such as between a server and its access switch or between two switches in the same VLAN. ECMP (Equal-Cost Multi-Path) routing distributes traffic across multiple Layer 3 paths with identical metrics, enabling load balancing while keeping each path as a separate routed hop without extending the broadcast domain.

    Why the other options are wrong
    • A. ECMP requires Spanning Tree to block redundant paths to prevent loops is incorrect because ECMP operates at Layer 3 using routing protocols; Layer 3 routed paths do not create broadcast loops, so STP is not needed and not involved — STP only prevents loops at Layer 2.
    • B. LACP guarantees per-packet load balancing across all member links for a single flow is incorrect because LACP uses a hash of source/destination address (MAC, IP, or port) for load balancing, meaning all packets within a single TCP/UDP flow typically traverse the same member link; per-packet round-robin load balancing would cause out-of-order delivery and is not how LACP works.
  6. Question 6: Networking Concepts

    Which IPv4 address range is reserved for APIPA (link-local) when a host fails to obtain a DHCP lease?

    • A. 192.0.2.0/24
    • B. 100.64.0.0/10
    • C. 169.254.0.0/16 [Correct]
    • D. 127.0.0.0/8
    ✓ Correct answer: C

    Automatic Private IP Addressing (APIPA) is a Windows feature defined in RFC 3927 that activates when a host cannot contact a DHCP server within the standard timeout period. The host self-assigns an address in the 169.254.0.0/16 range and uses ARP probing to verify the chosen address is not already in use by another host on the segment. APIPA addresses are link-local and are never routed off the local subnet, meaning hosts with APIPA addresses can communicate only with other APIPA hosts on the same physical segment.

    Why the other options are wrong
    • A. 192.0.2.0/24 is incorrect because that range is reserved for TEST-NET-1 documentation and example purposes in RFCs, not for APIPA self-assignment.
    • B. 100.64.0.0/10 is incorrect because that range is the IANA-reserved Carrier-Grade NAT (CGN) shared address space defined in RFC 6598, used between ISPs and customers.
    • D. 127.0.0.0/8 is incorrect because that range is the loopback address space, used to address the local host itself (most commonly 127.0.0.1), not for APIPA.
  7. Question 7: Network Troubleshooting

    A client can reach internal resources but no internet sites, and tracert to 8.8.8.8 fails at the very first hop. What should you check FIRST?

    • A. The client's monitor cable
    • B. The DNS suffix search order
    • C. The switch port LED color only
    • D. The default gateway configuration and its upstream connectivity [Correct]
    ✓ Correct answer: D

    When tracert fails at the very first hop (hop 1), it means the client cannot reach its default gateway. Since the client can access internal resources, the client's own Layer 1/2/3 configuration is functional within the local subnet. The first hop in traceroute is always the default gateway, so failure at hop 1 to an external IP like 8.8.8.8 means either the default gateway IP is misconfigured on the client, the gateway device is down, or the gateway itself has lost its upstream connection to the internet. Verifying the gateway address and then its WAN interface is the correct first step.

    Why the other options are wrong
    • A. The client's monitor cable is incorrect because the monitor cable carries video signals and has absolutely no effect on network connectivity or traceroute behavior.
    • B. The DNS suffix search order is incorrect because DNS suffix configuration affects name resolution for unqualified hostnames; the traceroute is targeting an IP address (8.8.8.8), so DNS is not involved.
    • C. The switch port LED color only is incorrect because while an LED check is a quick physical-layer verification, the symptom points to a Layer 3 routing issue at the gateway, making LED color alone an insufficient and misleading first diagnostic step.
  8. Question 8: Network Security (Select all that apply)

    Which TWO monitoring practices best support detecting a security breach early? (Choose TWO)

    • A. Disabling logging to reduce noise
    • B. Flow analysis to spot unusual data exfiltration volumes or destinations [Correct]
    • C. Allowing device clocks to drift freely
    • D. Centralized logging with alerting on anomalous authentication and access patterns [Correct]
    ✓ Correct answer: B, D

    Early breach detection requires visibility into two key dimensions: what is leaving the network and who is accessing what. NetFlow/IPFIX analysis reveals abnormal traffic volumes, unexpected large outbound flows, or connections to unusual external destinations that could indicate data exfiltration or command-and-control communications. Centralized log aggregation with correlation rules detects anomalous authentication patterns such as credential stuffing, lateral movement via multiple failed logins, or access to sensitive resources outside normal working hours.

    Why the other options are wrong
    • A. Disabling logging to reduce noise is incorrect because disabling logging eliminates the data source that detection depends on; reducing log volume should be achieved through severity filtering, not disabling logging entirely.
    • C. Allowing device clocks to drift freely is incorrect because unsynchronized clocks make cross-device log correlation unreliable; events from different systems that occurred simultaneously may appear to have occurred minutes apart, obscuring the attack timeline.
  9. Question 9: Network Troubleshooting

    A user reports their PC gets a 169.254.x.x address and cannot reach anything. Other PCs on the same VLAN work fine. What should you investigate first?

    • A. The internet WAN circuit being down
    • B. The DNS server's forwarders
    • C. The firewall's outbound rules
    • D. DHCP reachability for that client (bad port/cable/VLAN preventing it from getting a lease) [Correct]
    ✓ Correct answer: D

    The 169.254.x.x address range is assigned by APIPA when a Windows host fails to receive a DHCP response within the timeout period (typically after approximately 60 seconds of attempting). Since other hosts on the same VLAN are receiving valid DHCP-assigned addresses, the DHCP server is functioning correctly; the problem is specific to this one client. The most likely causes are a physical connectivity issue (bad cable, faulty NIC, or unplugged cable), the port being in the wrong VLAN preventing DHCP broadcasts from reaching the server, or a switch port that is down or in an error state.

    Why the other options are wrong
    • A. The internet WAN circuit being down is incorrect because if the WAN circuit were down, the entire organization would lose internet connectivity, not just one client; additionally, APIPA is assigned before any routing to the internet is involved.
    • B. The DNS server's forwarders is incorrect because DNS forwarders affect external name resolution; the 169.254.x.x address is assigned before DNS is involved at all—the client cannot even complete Layer 3 initialization.
    • C. The firewall's outbound rules is incorrect because firewall rules operate on routed traffic; DHCP uses broadcasts within the local subnet that do not traverse the firewall, so outbound firewall rules would not prevent DHCP lease acquisition.
  10. Question 10: Network Security

    Which AAA protocol encrypts the entire packet payload and separates authentication, authorization, and accounting, making it preferred for device administration?

    • A. TACACS+ [Correct]
    • B. RADIUS
    • C. LDAP
    • D. Kerberos
    ✓ Correct answer: A

    TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-developed AAA protocol that encrypts the entire packet payload—not just the password field—providing comprehensive confidentiality for authentication, authorization, and accounting data. It separates the three AAA functions into distinct protocol exchanges, allowing fine-grained command authorization (specifying exactly which CLI commands a user is permitted to execute). TACACS+ uses TCP port 49 for reliable delivery. These characteristics make it the preferred protocol for device administration in environments requiring detailed per-command authorization and full session encryption.

    Why the other options are wrong
    • B. RADIUS is incorrect because RADIUS encrypts only the password field within the authentication packet, leaving other attributes such as username, attributes, and accounting records in cleartext; it also combines authentication and authorization into a single exchange rather than separating them, limiting per-command authorization granularity.
    • C. LDAP is incorrect because LDAP (Lightweight Directory Access Protocol) is a directory service protocol for querying user accounts and group memberships; while often used as an authentication backend, it does not provide the combined AAA functions, device administration command authorization, or full-packet encryption of TACACS+.
    • D. Kerberos is incorrect because Kerberos is a ticket-based authentication protocol used for network identity verification in environments such as Active Directory; it does not provide the command authorization and full packet encryption architecture of TACACS+ for device administration.

CompTIA Network+ (N10-009) practice exam FAQ

How many questions are in the CompTIA Network+ (N10-009) practice exam on CertGrid?

CertGrid has 300 practice questions for CompTIA Network+ (N10-009), covering 5 exam domains. The real CompTIA Network+ (N10-009) exam has about 90 questions.

What is the passing score for CompTIA Network+ (N10-009)?

The CompTIA Network+ (N10-009) exam passing score is 800, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official CompTIA Network+ (N10-009) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of CompTIA Network+ (N10-009), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice CompTIA Network+ (N10-009) for free?

Yes. You can start practicing CompTIA Network+ (N10-009) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.