N10-009 CompTIA Network+ Certification Exam Free Practice Exam Questions (2026 Updated)

BGP (Border Gateway Protocol) is used for routing data between different ISPs, making it essential for the functioning of the internet. Its primary use is for exchanging routing information between autonomous systems, especially different ISPs. Preventing loops within a LAN ishandled by protocols like Spanning Tree Protocol (STP), while improving reconvergence times and sharing routes with a Layer 3 switch are functions of other protocols or internal mechanisms.

To support about 800 workstations with minimal IP waste, you choose the smallest subnet that provides at least 800 usable host addresses. In IPv4, usable hosts per subnet are calculated as 2^(host bits) − 2 (subtracting network and broadcast addresses). A /22 leaves 10 host bits (32 − 22 = 10), providing 2^10 − 2 = 1024 − 2 = 1022 usable addresses—enough for 800 devices with relatively low waste.

Check the other options: /23 leaves 9 host bits, giving 2^9 − 2 = 512 − 2 = 510 usable addresses, which is not enough. A /21 provides 2^11 − 2 = 2048 − 2 = 2046 usable addresses—enough, but wastes more than /22. A /20 provides 2^12 − 2 = 4096 − 2 = 4094 usable addresses—much more waste.

Therefore, 10.0.100.0/22 is the best choice that meets the workstation requirement while minimizing unused addresses.

For a secure 802.1X design that includes BYOD access to a trusted wireless network, the engineer should implement NAC (Network Access Control). In the Network+ (N10-009) objectives, 802.1X provides authentication (commonly via EAP to a RADIUS server), but NAC expands this by enforcing policy-based access decisions—such as device posture checks, user/device identity validation, and dynamic assignment to the appropriate VLAN/role. With BYOD, the organization often needs to confirm whether devices meet requirements (OS version, encryption, security software) and then grant the correct level of access (full, limited, or quarantine/remediation). NAC is the architecture that ties these controls together in a scalable way for wireless networks.

An ACL can restrict traffic after a device connects, but it doesn’t perform authentication/posture assessment. MAC filtering is weak because MAC addresses can be spoofed and it does not provide strong identity assurance. Port security is mainly a wired switch control (limiting MAC addresses per port) and is not the right control set for secure BYOD wireless access. NAC best matches the requirement of secure, policy-driven 802.1X BYOD access.

===========

Smishing (SMS phishing) occurs when attackers send fraudulent text messages pretending to be a trusted source, tricking the victim into giving up sensitive credentials. Since this came via text message, it qualifies as smishing.

A. DNS poisoning corrupts name resolution.

B. ARP spoofing manipulates MAC-to-IP mappings.

C. Vishing is phishing via voice calls, not text.

References (CompTIA Network+ N10-009):

Domain: Network Security — Social engineering, phishing types (smishing, vishing, spear phishing).

MIBs (Management Information Bases) define the variables and objects that SNMP can query on a device. If the monitoring server authenticates but cannot interpret the data, it likely lacks the correct MIB for that vendor or model. Importing the proper MIB allows the monitoring server to correctly display device status and metrics.

A. Using a public community string is insecure and not related to missing MIBs.

C. Switchport analyzer (SPAN) captures traffic for packet analysis, not SNMP monitoring.

D. SNMPv3 privacy adds encryption but doesn’t fix missing MIB interpretation.

References (CompTIA Network+ N10-009):

Domain: Network Operations — SNMP, MIBs, network monitoring systems.

If a network appliance fails to start, standard remote access methods like SSH won't work. Instead, Out-of-Band (OOB) management provides a dedicated access path (e.g., a console port or iDRAC/iLO), allowing administrators to troubleshoot devices even when the network is down.

Breakdown of Options:

A. Crash cart – A physical monitor/keyboard setup, not a remote solution.

B. Jump box – A hardened system used for secure remote access but requires the device to be operational.

C. Secure Shell (SSH) – Requires the device to be fully booted and network-connected.

D. Out-of-band management – ✅ Correct answer. Provides independent access for troubleshooting failed network devices.

PaaS (Platform as a Service) is best suited for application development because it provides a managed platform that includes the runtime environment, development frameworks, middleware, databases (often), and build/deployment tooling. In a PaaS model, the cloud provider manages the underlying infrastructure (servers, storage, networking, OS patching, and often the application runtime), allowing developers to focus on writing code, testing, and releasing applications quickly. This aligns with Network+ cloud concepts where service models are compared by responsibility: PaaS reduces operational overhead for the customer and accelerates development through standardized environments and automation.

Mobile access is a use case for remote access solutions (VPN, zero trust access, MDM), not specifically PaaS. An e-commerce site could be hosted using many models (IaaS, PaaS, SaaS), so it’s not the most specific match. Cloud-native software describes an architectural style (microservices, containers, managed services) and can be built using PaaS components, but it is broader than a single “use case” and is not as directly tied to the PaaS definition as application development is. Therefore, application development is the clearest and most accurate PaaS use case.

===========

Border Gateway Protocol (BGP): BGP is the most commonly used routing protocol for interconnecting WANs, especially across the internet. It is used for exchanging routing information between autonomous systems (AS), making it the backbone protocol for large-scale WANs.

IGP (A): Interior Gateway Protocols like OSPF and EIGRP are typically used within a single AS, not between them.

EIGRP (B): While it is efficient, EIGRP is primarily used for intra-domain routing and not ideal for WAN interconnection.

OSPF (D): While OSPF can be used for WANs, it is not as common as BGP for inter-AS communication.

A load balancer is designed to distribute user requests across multiple servers to ensure high availability and performance.

Breakdown of Options:

A. Router – Directs traffic between networks, not between web servers.

B. Switch – Works at Layer 2, does not distribute web traffic.

C. Firewall – Secures network traffic, but does not distribute load.

D. Load balancer – ✅ Correct answer. Optimizes web traffic distribution across multiple servers.

Configuration monitoring and management tools (often part of network management systems) maintain version-controlled records of device configurations, track changes, and log who made them. This provides accountability and supports compliance audits.

A. Network access control (NAC) manages endpoint access policies but does not track device config changes.

C. Zero Trust is a security framework requiring strict identity verification, not a configuration tracking tool.

D. Syslog collects system logs, but without a config monitoring system, it does not directly compare documentation to device state.

References (CompTIA Network+ N10-009):

Domain: Network Operations — Change management, configuration management, auditing.

Using a /30 subnet mask is the most efficient way to conserve IP space for a point-to-point connection between two routers. A /30 subnet provides four IP addresses, two of which can be assigned to the router interfaces, one for the network address, and one for the broadcast address. This makes it ideal for point-to-point links where only two usable IP addresses are needed.References: CompTIA Network+ study materials and subnetting principles.

A toner and probe tool, also known as a tone generator and probe, is used to trace and identify individual cables within a bundle or to locate the termination points of cables in wiring closets and patch panels. It generates a tone that can be picked up by the probe, helping technicians quickly and accurately identify and label wall plates and wiring. This is the best tool for identifying proper wiring in the Intermediate Distribution Frame (IDF). References: CompTIA Network+ Exam Objectives and official study guides.

Introduction to Security Zones:

Security zones are logical segments within a network designed to enforce security policies and control access. They help in segregating and securing different parts of the network.

Types of Security Zones:

Trusted Zone: This is the most secure zone, typically used for internal corporate networks where only trusted users have access.

Extranet: This zone allows controlled access to external partners, vendors, or customers.

VPN (Virtual Private Network): While VPNs are used to create secure connections over the internet, they are not a security zone themselves.

Public Zone: This zone is the least secure and is typically used for public-facing services accessible by anyone.

Trusted Zone Implementation:

The trusted zone is configured to include internal corporate users and resources. Access controls, firewalls, and other security measures ensure that only authorized personnel can access this zone.

Internal network segments, such as the finance department, HR, and other critical functions, are usually placed in the trusted zone.

Example Configuration:

Firewall Rules: Set up rules to allow traffic only from internal IP addresses.

Access Control Lists (ACLs): Implement ACLs on routers and switches to restrict access based on IP addresses and other criteria.

Segmentation: Use VLANs and subnetting to segment and isolate the trusted zone from other zones.

Explanation of the Options:

A. Extranet: Suitable for external partners, not for internal-only access.

B. Trusted: The correct answer, as it provides controlled access to internal corporate users.

C. VPN: A method for secure remote access, not a security zone itself.

D. Public: Suitable for public access, not for internal corporate users.

Conclusion:

Implementing a trusted zone is the best solution for controlling access within a corporate network. It ensures that only trusted internal users can access sensitive resources, enhancing network security.

When a host fails to obtain an IP address from a DHCP server, it assigns itself an APIPA (Automatic Private IP Addressing) address in the 169.254.x.x range, commonly described as a “self-assigned IP.” This prevents communication outside the local link, including reaching the default gateway.

B. RFC1918 addresses are private ranges (10.x.x.x, 172.16–31.x.x, 192.168.x.x), but these are not self-assigned.

C. If the TCP/IP stack were disabled, the host wouldn’t have any IP at all.

D. If a static IP were assigned, it would show a configured value, not self-assigned.

References (CompTIA Network+ N10-009):

Domain: Network Troubleshooting — IP addressing issues, DHCP failures, APIPA behavior.

The correct answer is Full-tunnel because the policy requires all network traffic from remote corporate laptops to pass through the company’s VPN. In a full-tunnel VPN configuration, once the VPN connection is established, all traffic—including internet-bound traffic—is routed through the corporate network before reaching its destination. This ensures centralized monitoring, content filtering, logging, and enforcement of security controls such as IDS/IPS and firewalls.

According to CompTIA Network+ (N10-009) security objectives, full-tunnel VPNs enhance security by preventing users from directly accessing the internet from their local connection, thereby reducing exposure to local network threats (e.g., public Wi-Fi attacks).

A split-tunnel VPN (Option D) allows users to access the internet directly while only sending corporate-bound traffic through the VPN, which does not meet the “all traffic” requirement. A site-to-site tunnel (Option C) connects entire networks rather than individual remote users. A clientless VPN (Option A) typically provides web-based access without a full network tunnel and does not necessarily route all traffic.

Therefore, full-tunnel best matches the policy requirement.

This is an example of Multi-Factor Authentication (MFA) because it requires:

Something you know (username/password)

Something you have (a phone-generated passcode)

Breakdown of Options:

A. SSO (Single Sign-On) – Allows one login for multiple services, but does not add a second authentication factor.

B. LDAP (Lightweight Directory Access Protocol) – Used for directory authentication, not MFA.

C. MFA (Multi-Factor Authentication) – ✅ Correct answer. Uses multiple authentication factors for better security.

D. SAML (Security Assertion Markup Language) – Used for federated identity management, not multi-factor authentication.

Role of NTP (Network Time Protocol):

NTP is used to synchronize the clocks of network devices to a reference time source. Accurate time synchronization is critical for correlating events and logs from different systems.

Importance for SIEM Systems:

Event Correlation: SIEM (Security Information and Event Management) systems collect and analyze log data from various sources. Accurate timestamps are essential for correlating events across multiple systems.

Time Consistency: Without synchronized time, it is challenging to piece together the sequence of events during an incident, making forensic analysis difficult.

Comparison with Other Protocols:

DNS (Domain Name System): Translates domain names to IP addresses but is not related to time synchronization.

LDAP (Lightweight Directory Access Protocol): Used for directory services, such as user authentication and authorization.

DHCP (Dynamic Host Configuration Protocol): Assigns IP addresses to devices on a network but does not handle time synchronization.

Implementation:

Ensure that all network devices, servers, and endpoints are synchronized using NTP. This can be achieved by configuring devices to use an NTP server, which could be a local server or an external time source.

DHCP Options: DHCP options allow additional configuration parameters, such as the address of a TFTP server, to be provided to clients during the DHCP lease process. This is essential for VoIP phones to locate the server for configuration files.

Exclusions (A): Prevents certain IP addresses from being assigned by DHCP but does not direct devices to servers.

Lease time (B): Determines how long an IP address is assigned but does not impact TFTP settings.

Scope (D): Defines a range of IP addresses but does not include additional server information.

Comprehensive and Detailed Explanation (paraphrased, aligned to N10-009):

In a spine–leaf architecture, endpoints (including servers, firewalls, and WAN/edge routers) connect to leaf switches. Leaf switches then uplink to spine switches; spine switches do not have endpoints connected directly to them. Therefore, a WAN router (an external/edge device) should connect to the leaf layer—often specifically to a “border leaf” that handles external connectivity.

Why not B. Core or D. Spine? In spine–leaf, “core” isn’t a formal layer, and spines are designed only to interconnect leafs, not to terminate endpoints.

Why not A. Access? “Access” is a term from the traditional three-tier model (access–distribution–core). In modern spine–leaf language, the analogous layer for endpoint attachment is the leaf.

References (CompTIA Network+ N10-009):

Domain: Network Infrastructure — Data center and campus architectures (spine–leaf vs. three-tier), roles of leaf/spine, WAN/edge connectivity points.

===========