CompTIA Network+ (N10-009) Study Guide
CompTIA Network+ (N10-009) validates the core skills needed to design, implement, operate, secure, and troubleshoot wired and wireless networks. It is a vendor-neutral, early-career certification aimed at network technicians, help-desk staff, and junior administrators who need to prove foundational networking competence. The 90-minute exam has up to ~90 questions (multiple-choice plus performance-based), and you must score 720 on a 100-900 scale to pass.
Domain 1: Networking Concepts
- The OSI model has 7 layers: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), and Application (7). Layer 3 (IP) handles logical addressing and routing; Layer 2 (MAC) handles local frame delivery; Layer 6 (Presentation) handles encryption, encoding, and format translation.
- TCP is connection-oriented and reliable, using a three-way handshake (SYN, SYN-ACK, ACK), sequence numbers, acknowledgements, retransmission, and a sliding window for flow control. UDP is connectionless, best-effort, has no flow control, and has lower overhead - preferred for VoIP, streaming, and DNS queries.
- Memorize well-known ports: FTP 20/21 (data/control), SSH/SFTP 22, Telnet 23, SMTP 25, DNS 53, DHCP 67/68, TFTP 69, HTTP 80, NTP 123, HTTPS 443, SNMP 161/162, RDP 3389, and SMB 445.
- DHCP leases addressing via the DORA process: Discover, Offer, Request, Acknowledge. A DHCP scope assigns IP address, subnet mask, default gateway, and DNS servers; DHCP relay (ip helper-address) forwards requests across subnets.
- DNS resolves hostnames to IP addresses. Record types: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), PTR (reverse lookup), TXT (SPF/DKIM), NS (name server), SOA (zone authority). DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt DNS queries.
- NAT lets many internal private hosts share public IPs. PAT (NAT overload) maps many hosts to one public IP using different source ports; static NAT is a fixed one-to-one private-to-public mapping.
- RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. APIPA (169.254.0.0/16) is auto-assigned when DHCP fails; loopback is 127.0.0.0/8.
- A /30 (255.255.255.252) provides exactly 2 usable host addresses, ideal for point-to-point links. A /31 (RFC 3021) provides 2 usable addresses with no separate network/broadcast addresses, also for point-to-point.
- VLSM (Variable Length Subnet Masking) and CIDR let you size each subnet to its host count to minimize wasted addresses. A /26 block is 64 addresses, so .130 falls in the .128/26 subnet while .200 falls in the .192/26 subnet.
- IPv6 uses 128-bit addresses written as 8 hextets; compress with :: once for consecutive zero groups (2001:0db8:0000:0000:0000:0000:0000:0001 becomes 2001:db8::1). Its huge address space removes the need for NAT, favoring end-to-end addressing.
- IPv6 hosts can self-configure via SLAAC using Router Advertisements (no DHCP server required). Link-local addresses use the fe80::/10 prefix and are auto-generated on every IPv6 interface.
- The Transport layer multiplexes sessions using port numbers (0-65535): well-known 0-1023, registered 1024-49151, dynamic/ephemeral 49152-65535. Sockets combine an IP address and port.
- Common topologies: star/hub-and-spoke (central device), mesh (full redundancy), bus, ring, and hybrid. Modern data centers use spine-and-leaf (Clos) fabrics for predictable east-west latency.
- Jumbo frames (MTU up to ~9000 bytes, versus the standard 1500) reduce per-packet header overhead and CPU interrupts for large transfers, but the MTU must be configured consistently on every device along the path: a host sending 9000-byte frames through a 1500-byte hop gets fragmentation at best and silent black-holing when the Don't Fragment bit is set.
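The subnetting points above (the /30 and /31 usable-host rule, locating .130 and .200 inside their /26 blocks, VLSM sizing, IPv6 compression) are the kind of arithmetic the exam asks you to do by hand. The following Python is an added example, not part of the original guide, that does the same work with the standard library so you can check your hand calculations; the block name 192.168.10.0/24 and the host counts are constructed inputs. vlsm_plan goes slightly beyond the text: it carves a parent block into right-sized subnets largest-first, the general procedure of which the /26 example is one instance.

```python
import ipaddress


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask, inverse (wildcard) mask and usable host count.
    /31 (RFC 3021) and /32 have no separate network/broadcast address, so every
    address in them is usable; anything wider loses two."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "usable": usable,
    }


def containing_subnet(host: str, prefixlen: int) -> str:
    """Which /prefixlen block a host falls in, e.g. .130 -> .128/26."""
    return str(ipaddress.ip_network(f"{host}/{prefixlen}", strict=False))


def is_local(host_cidr: str, dest: str) -> bool:
    """True if the host ARPs for dest directly instead of handing it to the default
    gateway. A wrong mask on the host flips this answer, which is the
    subnet-mask-mismatch symptom from the troubleshooting domain."""
    iface = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(dest) in iface.network


def compress_ipv6(addr: str) -> str:
    """Canonical RFC 5952 text: leading zeros dropped, one :: for the longest zero run."""
    return str(ipaddress.IPv6Address(addr))


def vlsm_plan(parent: str, host_counts: dict) -> dict:
    """Carve `parent` into one subnet per name, largest requirement first, each
    sized to the smallest power-of-two block holding hosts + network + broadcast."""
    pool = [ipaddress.ip_network(parent)]
    plan = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        need = hosts + 2
        prefix = 32
        while (1 << (32 - prefix)) < need:
            prefix -= 1
        for i, block in enumerate(pool):
            if block.prefixlen <= prefix:
                # lowest-numbered sub-block of the first free block that is big enough
                chosen = block if block.prefixlen == prefix else next(block.subnets(new_prefix=prefix))
                pool.pop(i)
                pool.extend(block.address_exclude(chosen))  # keep the leftover pieces
                pool.sort(key=lambda n: (int(n.network_address), n.prefixlen))
                plan[name] = str(chosen)
                break
        else:
            raise ValueError(f"{parent} has no free block large enough for {name}")
    return plan


if __name__ == "__main__":
    print(subnet_info("10.0.0.5/30"))
    print(containing_subnet("192.168.1.130", 26), containing_subnet("192.168.1.200", 26))
    print(compress_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001"))
    # constructed requirement: four departments inside one /24
    print(vlsm_plan("192.168.10.0/24", {"sales": 100, "eng": 50, "mgmt": 10, "p2p": 2}))
```

The plan for the constructed input comes out as sales 192.168.10.0/25, eng 192.168.10.128/26, mgmt 192.168.10.192/28 and p2p 192.168.10.208/30, leaving .212/30, .216/29 and .224/27 free for growth; note that a point-to-point link sized at /31 would save two more addresses but only if both ends support RFC 3021.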
Domain 2: Network Implementation
- A Layer 2 switch forwards frames using destination MAC addresses stored in its CAM/MAC address table; an unknown destination is flooded out all ports. A router (Layer 3) forwards packets between different IP networks using the routing table and destination IP.
- VLANs logically segment one physical switch into multiple broadcast domains, improving security/policy separation and containing broadcast traffic. Inter-VLAN traffic requires a router or Layer 3 switch.
- A trunk port carries multiple VLANs with 802.1Q tags; an access port carries a single untagged VLAN. The native VLAN on a trunk is sent untagged - mismatched native VLANs cause connectivity and security issues.
- Example Cisco VLAN/access config: 'interface gi0/1', 'switchport mode access', 'switchport access vlan 20'. Trunk config: 'switchport mode trunk', 'switchport trunk allowed vlan 10,20'. Create a VLAN: 'vlan 50', 'name ENGINEERING'.
- A default static route is 'ip route 0.0.0.0 0.0.0.0 203.0.113.1' (next hop). OSPF example: 'router ospf 1', 'network 10.0.0.0 0.0.0.255 area 0'. Linux IP assignment: 'ip addr add 192.168.1.10/24 dev ens33'.
- PoE delivers electrical power to devices (APs, IP phones, cameras) over the Ethernet cable. 802.3af supplies up to 15.4W at the switch port (about 12.95W reaches the device after cable loss), 802.3at (PoE+) 30W at the port (25.5W at the device), and 802.3bt (PoE++) 60W for Type 3 or 90W for Type 4 at the port.
- Single-mode fiber (SMF) carries one light path over long distances (km); multimode fiber (MMF) carries multiple paths over shorter distances. Fiber is immune to EMI/RFI, unlike copper.
- Copper categories: Cat5e (1 Gbps to 100m), Cat6 (10 Gbps to ~55m, 1 Gbps to 100m), Cat6a (10 Gbps to 100m), Cat7/Cat8 for higher data center speeds. Multigigabit Ethernet (NBASE-T / 802.3bz) runs 2.5/5 Gbps over existing Cat5e/Cat6.
- Link aggregation (LACP, originally 802.3ad, now 802.1AX) bundles multiple physical links into one logical Layer 2 interface for bandwidth and redundancy; all member links must match speed and duplex, and a single flow still uses only one member link. Cisco config: 'channel-group 1 mode active'.
- ECMP (Equal-Cost Multi-Path) load-balances across multiple routed Layer 3 paths without extending a broadcast domain - distinct from LACP which works at Layer 2.
- 802.11 Wi-Fi standards: 802.11n (Wi-Fi 4, 2.4/5 GHz), 802.11ac (Wi-Fi 5, 5 GHz), 802.11ax (Wi-Fi 6 on 2.4/5 GHz; Wi-Fi 6E adds the 6 GHz band). In the 2.4 GHz band use only the non-overlapping channels 1, 6, and 11: neighbouring APs on overlapping channels (1 and 3, say) suffer adjacent-channel interference, while APs that share the same channel contend for airtime (co-channel interference).
- Switch stacking and MLAG (multi-chassis link aggregation) let multiple switches act as one logical device, allowing aggregated links to span chassis and eliminating STP-blocked uplinks.
- Three-tier hierarchical design uses core, distribution, and access layers. A collapsed-core (two-tier) design merges core and distribution to reduce cost for small/medium networks; a separate core improves scalability for large networks.
- Spanning Tree Protocol (STP, 802.1D) and Rapid STP (RSTP, 802.1w) prevent Layer 2 loops by blocking redundant paths; RSTP converges in seconds where classic STP needs 30-50 seconds. PortFast moves an access port straight to forwarding; BPDU Guard shuts a PortFast port down if a BPDU arrives on it, protecting against rogue switches plugged into access ports.
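The access/trunk and native-VLAN behaviour described in this domain is easiest to see in the frame bytes themselves. The following Python is an added example, not part of the original guide or of any vendor's code: it builds Ethernet II frames with and without an 802.1Q tag, decodes the VLAN ID and priority bits, and models what 'switchport trunk allowed vlan 10,20' does to each frame. The MAC addresses and payloads are constructed test data and no FCS is computed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None, pcp: int = 0) -> bytes:
    """Ethernet II frame. With vlan set, a 4-byte 802.1Q tag (TPID 0x8100 + TCI) is
    inserted between the source MAC and the EtherType. Constructed test data, no FCS."""
    frame = _mac(dst) + _mac(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)  # 3-bit priority, 1-bit DEI, 12-bit VID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode addresses, VLAN membership and priority. An untagged frame arriving on a
    trunk is placed in the trunk's native VLAN, which is why a native-VLAN mismatch
    between two switches silently moves traffic from one VLAN into another."""
    if len(frame) < 14:
        raise ValueError("runt: shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, tagged, vlan, pcp = 14, False, native_vlan, 0
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        offset, tagged, vlan, pcp = 18, True, tci & 0x0FFF, tci >> 13
    return {"dst": dst, "src": src, "tagged": tagged, "vlan": vlan, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset:]}


def trunk_accepts(frame: bytes, allowed: set, native_vlan: int = 1) -> bool:
    """Model 'switchport trunk allowed vlan ...': a tagged frame passes only if its VID
    is on the list; an untagged frame counts as native-VLAN traffic and passes only if
    the native VLAN itself is allowed (pruning the native VLAN is a common hardening step)."""
    return parse_frame(frame, native_vlan)["vlan"] in allowed


if __name__ == "__main__":
    voice = build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x45", vlan=20, pcp=5)
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP, b"")
    print(parse_frame(voice))
    print(parse_frame(plain, native_vlan=99))        # untagged -> native VLAN 99
    print(trunk_accepts(voice, {10, 20}), trunk_accepts(plain, {10, 20}))
```

Reading the same untagged frame with native_vlan=1 on one switch and native_vlan=99 on the other is exactly the mismatch the bullet warns about: the bytes on the wire are identical, only the VLAN each switch assigns them differs.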
Domain 3: Network Operations
- The default gateway is the router interface IP on the host's local subnet; the host sends all off-subnet traffic to it. Verify with the host's routing table and a ping to the gateway.
- SNMP monitors and manages devices: the NMS polls agents with GET on UDP 161 to read MIB values (interface utilization, errors, CPU, memory); agents push trap alerts to the manager on UDP 162. SNMPv3 adds authentication, integrity, and encryption.
- QoS classifies and prioritizes traffic to control bandwidth, latency, jitter, and loss. VoIP is marked DSCP EF (Expedited Forwarding, value 46) and placed in a priority/Low-Latency Queue (LLQ) so it meets strict latency needs.
- Traffic shaping buffers and smooths bursts to a defined rate (delays excess); traffic policing drops or remarks traffic exceeding the rate. Shaping flattens peaks; policing enforces hard limits.
- High availability eliminates single points of failure: first-hop redundancy (HSRP/VRRP/GLBP) provides a shared virtual gateway IP for failover, plus redundant links/paths (with STP or link aggregation) and backup power (UPS/generator).
- Dynamic routing protocols (OSPF, EIGRP, BGP, RIP) automatically adapt to topology changes and failures. Path selection uses administrative distance (which protocol to trust) then the protocol metric (cost/hop count).
- Route summarization/aggregation reduces routing-table entries advertised between areas/domains and hides route flapping of a specific subnet, improving overall stability.
- IPAM (IP Address Management) tracks and allocates IP address space along with related DHCP scopes and DNS zones/records, preventing overlap and conflicts.
- Accurate documentation - network diagrams, IP/VLAN schemes, port maps, and cable labels - speeds troubleshooting and change management by showing the real topology and connections.
- A performance baseline captures normal utilization, latency, and error rates so anomalies are recognizable. Capacity planning provisions links to actual measured demand plus headroom rather than over-provisioning blindly.
- Load balancing spreads client requests across multiple servers to improve performance and availability; methods include round-robin, least-connections, and weighted. Health checks remove failed servers from the pool.
- Branch/WAN optimization techniques include WAN optimization with data deduplication, local caching/proxy of frequently accessed content, a CDN to serve content closer to users, compression/caching, and local internet breakout (split tunneling at the branch).
- NFV (Network Functions Virtualization) runs network functions (routers, firewalls, load balancers) as software on standard servers. SDN separates the control plane from the data plane for centralized, programmable management.
- NTP synchronizes device clocks (UDP 123) - critical for accurate logs, certificates, and authentication. Syslog (UDP 514) centralizes log collection; severity levels run 0 (emergency) to 7 (debug).
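The syslog severity scale and the DSCP EF marking above are both small bit-level encodings that are worth seeing decoded once. The following Python is an added example, not part of the original guide: it splits the syslog PRI header into facility and severity (PRI = facility * 8 + severity), triages a batch of messages by severity, and converts a DSCP value to the TOS byte you will see in a packet capture. The sample log lines are constructed in Cisco IOS style (IOS logs to facility local7 by default) and the message texts are illustrative only.

```python
import re

SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
           [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str) -> dict:
    """Split the <PRI> header (RFC 3164/5424): severity is PRI mod 8, facility is PRI // 8."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range 0-191")
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITY[facility], "severity": severity,
            "severity_name": SEVERITY[severity], "message": m.group(2)}


def triage(lines, max_severity: int = 3) -> list:
    """Keep messages at or above the given urgency (0 emergency .. 3 error), most
    urgent first; order among equals is preserved. Debug (7) is rarely worth shipping."""
    kept = [p for p in (parse_pri(l) for l in lines) if p["severity"] <= max_severity]
    return sorted(kept, key=lambda p: p["severity"])


def dscp_to_tos(dscp: int) -> int:
    """DSCP is the top 6 bits of the IPv4 TOS / IPv6 Traffic Class byte; the low 2 bits
    are ECN. EF (46) therefore shows up on the wire as TOS 0xB8."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2


# Constructed sample lines; PRI values: 190 = local7.info, 186 = local7.critical,
# 188 = local7.warning, 187 = local7.error, 34 = auth.critical
SAMPLE_LOGS = [
    "<190>Oct 11 22:14:15 sw1 %LINK-6-UPDOWN: Interface Gi0/1, changed state to up",
    "<186>Oct 11 22:14:16 sw1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation on Gi0/7",
    "<188>Oct 11 22:14:17 sw1 %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Gi0/3",
    "<187>Oct 11 22:14:18 sw1 %SYS-3-CPUHOG: Task ran for 2000 msec",
    "<34>Oct 11 22:14:20 srv1 sshd[812]: Received disconnect from 203.0.113.9",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(entry["facility"], entry["severity_name"], entry["message"])
    print(hex(dscp_to_tos(46)))
```

Because the timestamps in these lines come from each device's own clock, the NTP point above is what makes the triage order meaningful across devices: without synchronised clocks a port-security violation on the switch and the disconnect on the server cannot be correlated.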
Domain 4: Network Security
- A firewall enforces an allow/deny rule set on traffic between zones based on source/destination IP, protocol, port, and connection state. Stateful firewalls track TCP session state and permit return traffic; an implicit deny-all sits at the end of rule lists.
- A next-generation firewall (NGFW) adds application awareness, integrated IPS, and deep packet inspection (DPI). A UTM appliance consolidates firewall, IPS, antivirus, content filtering, and VPN into one device.
- IDS detects and alerts on malicious traffic out-of-band; IPS sits inline and can actively block. Both use signature-based and anomaly/behavior-based detection.
- A VPN creates an encrypted tunnel over an untrusted network. Site-to-site VPNs (typically IPsec) connect whole networks/locations; remote-access VPNs connect individual users. SSL/TLS VPNs can offer clientless access to published applications.
- IPsec provides confidentiality, integrity, and authentication using AH and ESP, operating in transport or tunnel mode; IKE negotiates the security association and keys.
- 802.1X is port-based network access control: a supplicant authenticates to an authenticator (switch/AP) which checks credentials against a RADIUS server before opening the port. EAP carries the authentication.
- NAC (Network Access Control) admits only authenticated, compliant devices (correct patches, AV, configuration), often quarantining noncompliant hosts to a remediation VLAN.
- Network segmentation and microsegmentation limit lateral movement by isolating zones; a DMZ hosts public-facing services between an external and internal firewall.
- Zero Trust assumes no implicit trust based on network location - every request is authenticated and authorized, paired with microsegmentation and least-privilege, per-workload policies.
- Switchport hardening: 'switchport port-security' with 'switchport port-security maximum 1' limits MAC addresses per port. Disable unused ports, use BPDU Guard, and assign unused ports to an unused VLAN.
- Standard ACL example: 'access-list 10 permit 10.1.1.0 0.0.0.255' (note the inverse/wildcard mask: 0.0.0.255 matches a /24, 0.0.0.0 matches one host), applied to an interface with 'ip access-group 10 in'. Standard ACLs (numbers 1-99 and 1300-1999) filter on source address only and are placed closest to the destination; extended ACLs (100-199 and 2000-2699) filter on source, destination, protocol, and port and are placed closest to the source. Entries are evaluated top-down, first match wins, and an implicit deny any ends every list, so ordering mistakes silently permit or drop traffic.
- Harden remote management: on Cisco IOS set a hostname and 'ip domain-name', generate the RSA key pair the SSH server needs ('crypto key generate rsa modulus 2048'), enforce SSHv2 ('ip ssh version 2'), and restrict the VTY lines to SSH only ('transport input ssh'), which disables Telnet. On a Linux host, 'openssl genrsa -out server.key 2048' generates the private key behind a TLS certificate for an HTTPS management interface.
- A DDoS attack floods a target from many compromised hosts (a botnet) and is harder to block than a single-source DoS because there is no one address to filter. Mitigations include rate limiting, upstream scrubbing services, and blackholing the victim prefix (which completes the outage for that address but protects the rest of the network). Separately, TLS offload terminates encryption on a load balancer or dedicated appliance to free back-end servers from that CPU work.
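The ACL rules above (wildcard masks, top-down first-match evaluation, the implicit deny at the end) are exactly the kind of config the performance-based questions ask you to read. The following Python is an added example, not part of the original guide or of Cisco IOS: it parses IOS-style standard ACL lines, evaluates a source address against them with real wildcard-mask semantics, and flags entries that an earlier line shadows completely, which is the usual cause of an ACL that "does nothing". The ACL lines and test addresses are constructed.

```python
import ipaddress


def cidr_to_wildcard(prefixlen: int) -> str:
    """Inverse mask for an ACL entry: /24 -> 0.0.0.255, /32 (a host) -> 0.0.0.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)


def parse_standard_acl(config_lines) -> list:
    """Parse 'access-list N {permit|deny} ...' lines into (action, base, wildcard)
    tuples in configured order; remarks and unrelated config lines are skipped."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        action = parts[2]
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wildcard = parts[4], "0.0.0.0"
        elif len(parts) == 4:             # a bare address is IOS shorthand for a host
            base, wildcard = parts[3], "0.0.0.0"
        else:
            base, wildcard = parts[3], parts[4]
        entries.append((action, int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))))
    return entries


def evaluate(acl: list, src: str) -> str:
    """First match wins, top to bottom; falling off the end hits the implicit deny.
    A wildcard bit of 1 means 'do not care', so only the bits where it is 0 are compared."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in acl:
        care = wildcard ^ 0xFFFFFFFF
        if addr & care == base & care:
            return action
    return "deny"


def shadowed_entries(acl: list) -> list:
    """Indexes of entries that can never match because an earlier entry already covers
    every address they describe (earlier entry cares about a subset of the bits and
    agrees with this entry on all of them)."""
    shadowed = []
    for i, (_, base_i, wc_i) in enumerate(acl):
        for _, base_j, wc_j in acl[:i]:
            care_j = wc_j ^ 0xFFFFFFFF
            if care_j & wc_i == 0 and base_i & care_j == base_j & care_j:
                shadowed.append(i)
                break
    return shadowed


# Constructed config fragment: the last line is unreachable because the /24 permit precedes it
SAMPLE_ACL = [
    "access-list 10 remark Branch hosts allowed toward the management VLAN",
    "access-list 10 deny host 10.1.1.7",
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 deny 10.1.1.64 0.0.0.63",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("10.1.1.7", "10.1.1.50", "10.1.1.100", "10.1.2.5"):
        print(src, evaluate(acl, src))
    print("shadowed entries:", shadowed_entries(acl), "wildcard for /24:", cidr_to_wildcard(24))
```

Running it shows 10.1.1.100 permitted even though the author clearly meant to deny the .64/26 range: shadowed_entries reports index 2, and the fix is to move that deny above the permit. The same first-match logic is why 'deny host 10.1.1.7' must sit before the broader permit to have any effect.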
Domain 5: Network Troubleshooting
- Follow the CompTIA 7-step methodology in order: 1) Identify the problem (gather info), 2) Establish a theory of probable cause, 3) Test the theory, 4) Establish a plan of action, 5) Implement the solution, 6) Verify full functionality and apply preventive measures, 7) Document findings, actions, and outcomes.
- ping uses ICMP Echo Request/Reply to test Layer 3 reachability, loss, and round-trip time. traceroute (Unix, UDP probes by default) and tracert (Windows, ICMP Echo) map each hop by incrementing the TTL and reading the ICMP Time Exceeded reply each router sends back; pathping/mtr combine both to show per-hop loss over time.
- nslookup and dig query DNS - target a specific server and request record types (e.g., 'dig @8.8.8.8 example.com MX') to verify name resolution. ipconfig /all (Windows) and ip addr (Linux) show host addressing.
- Renew DHCP on Linux with 'dhclient -r eth0 && dhclient eth0' (Windows: ipconfig /release then /renew). A host stuck on a 169.254.x.x APIPA address indicates the DHCP server is unreachable.
- A packet analyzer (Wireshark/tcpdump) captures and inspects frames to confirm exactly where traffic is dropped, see retransmissions, and validate protocol behavior. Flow logs and NetFlow show traffic volumes per conversation.
- A duplex/speed mismatch (one side full-duplex, other half-duplex) causes late collisions, CRC/FCS errors, and slow throughput - check interface counters on both ends and prefer matching fixed settings or auto on both.
- Throughput far below link speed despite low loss often indicates a small TCP window relative to the bandwidth-delay product; jitter is variation in packet delay that degrades VoIP/video.
- MTU mismatch (e.g., inconsistent jumbo frames) causes fragmentation, or silent black-holing when the Don't Fragment bit is set and the ICMP Fragmentation Needed reply is filtered - configure MTU consistently end-to-end and test with a ping that sets DF and a chosen payload size (a 1472-byte payload plus 20 bytes of IP header and 8 bytes of ICMP header fills a standard 1500-byte MTU exactly; anything larger that fails with DF set proves a smaller MTU on the path).
- Duplicate IP addresses show up as an ARP table mapping one IP to two different MAC addresses over time, causing intermittent connectivity. A subnet mask mismatch makes a host misjudge what is local versus remote.
- Interface input drops/discards mean the interface is receiving more traffic than it can process or forward, causing buffer overruns; runts, giants, and CRC errors point to physical/cabling or duplex problems.
- Wireless issues: excessive retransmissions from a low signal-to-noise ratio (high noise floor), co-channel/adjacent-channel interference, and overlapping channels degrade performance - survey and reassign channels (1/6/11 on 2.4 GHz).
- Intermittent failures after a failover are commonly caused by asymmetric routing breaking stateful firewall sessions when traffic shifts paths. Missing intermediate hops in traceroute often mean routers are configured not to send ICMP TTL-exceeded replies.
- When an application can't connect, review the firewall/ACL rule set against the app's documented required ports/flows, then use a packet capture or flow logs to confirm where traffic is being dropped.
- A cable run exceeding the 100m copper Ethernet limit, or a damaged cable, causes attenuation and errors - use a cable tester/TDR for length and continuity, and a tone generator to trace runs. If a syslog collector gets no logs, verify UDP/514 is not blocked by a firewall/ACL.
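The duplicate-IP symptom described above (one IP mapping to two different MACs over time) only becomes visible when you compare the neighbour table across several snapshots. The following Python is an added example, not part of the original guide: it parses Linux 'ip neigh show' output captured at different times, merges the snapshots, and reports every IP seen behind more than one MAC. The snapshot text is constructed; on a real host you would feed it the output of 'ip neigh show' collected, for instance, once a minute.

```python
import re
from collections import defaultdict

# 'ip neigh show' line shape: "<ip> dev <if> lladdr <mac> <STATE>"; entries in the
# FAILED/INCOMPLETE state carry no lladdr and are skipped below.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))?.*? ([A-Z]+)$")


def parse_ip_neigh(text: str):
    """Yield (ip, dev, mac, state) for every resolved neighbour entry in one snapshot."""
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3):
            yield m.group(1), m.group(2), m.group(3).lower(), m.group(4)


def find_duplicate_ips(snapshots) -> dict:
    """Merge several snapshots taken over time and return {ip: [macs]} for every IP
    that was seen behind more than one MAC. Two hosts configured with the same
    address look exactly like this; so does the default gateway's entry during an
    ARP-poisoning attack, so check which address flipped before deciding which."""
    seen = defaultdict(set)
    for snapshot in snapshots:
        for ip, _dev, mac, _state in parse_ip_neigh(snapshot):
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed snapshots: .20 changes MAC between the first and second capture
SNAPSHOTS = [
    """192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.9 dev eth0  FAILED""",
    """192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE""",
]

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SNAPSHOTS).items():
        print(f"{ip} answered from {len(macs)} MACs: {', '.join(macs)}")
```

The intermittent connectivity comes from the fact that whichever host answered the most recent ARP request wins until the entry ages out, so the symptom appears and disappears on a timescale of the ARP cache timeout; a single snapshot will usually show only one MAC and look healthy.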
CompTIA Network+ (N10-009) exam tips
- Master subnetting cold - practice converting between CIDR, dotted-decimal masks, host counts, and network/broadcast addresses until you can do it in your head, since the exam includes multiple subnetting and address-range questions plus performance-based items.
- Memorize the well-known ports and protocols table (FTP 20/21, SSH 22, DNS 53, DHCP 67/68, HTTP 80, HTTPS 443, SNMP 161/162, RDP 3389) and the OSI layers in order - these are high-frequency, easy points.
- Learn the 7-step troubleshooting methodology in exact order; questions ask which step comes next, and the first step is always to identify the problem (never to implement a fix or escalate first).
- For performance-based questions, practice reading device configs and topology diagrams - know basic Cisco/Linux commands for VLANs, trunks, access ports, static routes, ACLs, and port security.
- Watch for 'BEST' and 'MOST likely' wording: eliminate clearly wrong answers, then choose the option that directly matches the scenario's symptoms (e.g., duplex mismatch for CRC errors, MTU mismatch for jumbo-frame black-holing).
Study guide FAQ
What is the passing score and format of the N10-009 exam?
You need 720 on a scaled range of 100-900. The exam has up to roughly 90 questions - a mix of multiple-choice (single and multiple response) and performance-based items - and you get 90 minutes to complete it.
How is N10-009 different from the older N10-008 version?
N10-009 refreshes content around modern infrastructure: more emphasis on Zero Trust and SASE/SSE security models, software-defined and cloud networking, infrastructure-as-code automation concepts, and updated wireless (Wi-Fi 6/6E). The five domain areas remain similar, but coverage of legacy topics is reduced in favor of current technologies.
Do I need prior certifications or experience before taking Network+?
There are no mandatory prerequisites. CompTIA recommends having CompTIA A+ (or equivalent knowledge) and about 9-12 months of hands-on networking experience, but anyone can sit the exam. It is commonly taken after A+ and before Security+.
How much subnetting and command-line knowledge do I really need?
Subnetting is essential - expect several questions requiring you to calculate subnets, host ranges, and masks quickly, including with VLSM/CIDR. You also need to recognize and interpret basic switch/router CLI configuration (VLANs, trunks, routes, ACLs, port security) and core troubleshooting commands like ping, traceroute, ipconfig/ip, nslookup/dig, and dhclient.