N10-009 CompTIA Network+ Certification Exam Free Practice Exam Questions (2026 Updated)

GSM (Global System for Mobile communications) is the international standard that uses SIM cards to authenticate and connect phones to the cellular network. GSM allows users to place and receive calls while traveling globally, provided they have a SIM card. CDMA, on the other hand, does not use SIM cards in the same way and is primarily used in the United States. (Reference: CompTIA Network+ Study Guide, Chapter on Network Fundamentals)

The correct answer is B. Port 25 . In CompTIA Network+ N10-009, candidates are expected to know common networking protocols, their purposes, and their associated port numbers. SMTP, or Simple Mail Transfer Protocol, uses TCP port 25 and is primarily responsible for sending email messages between mail servers. When one organization’s mail server needs to deliver a message to another organization’s mail server, SMTP commonly performs that server-to-server transfer using port 25.

The other options are associated with different services. Port 21 is used by FTP for command/control communication during file transfers. Port 53 is used by DNS for name resolution, translating domain names into IP addresses. Port 69 is used by TFTP, a simplified file transfer protocol often associated with lightweight network device file transfers, such as firmware or configuration files.

For Network+ exam purposes, it is important to distinguish SMTP from email retrieval protocols. POP3 uses port 110 , and IMAP uses port 143 for client mail retrieval, while SMTP is used for sending and relaying email. Therefore, the port used to transfer data between mail exchange servers is TCP 25 .

To confirm a theory in the troubleshooting process, the technician should duplicate (replicate) the problem under controlled conditions. In the Network+ (N10-009) methodology, confirming a theory means validating that the suspected cause actually produces the observed symptoms. Replicating the issue helps ensure the technician is not chasing a coincidence, and it allows changes to be tested safely (for example, reproducing the issue with a specific user account, endpoint, cable, port, SSID, or configuration). If the problem can be duplicated, the technician can then try targeted actions to see whether the symptoms change in predictable ways—strengthening or disproving the hypothesis.

The other choices occur earlier as part of forming the theory. Identify the symptoms is an initial step to define the problem clearly. Gather information is part of the discovery phase—collect logs, error messages, topology details, and user observations. Determine any changes is also an early step used to correlate recent modifications (patches, new devices, config changes) with the onset of the issue. Those steps help create a theory; duplication helps confirm it before implementing a full fix.

===========

In disaster recovery, the first step after an incident is to conduct a thorough damage assessment to understand the extent of the damage and determine the next appropriate steps. This allows for informed decision-making during the recovery process. The document says:

“The first step after a disaster is to conduct a damage assessment. This involves evaluating the extent of damage to equipment, infrastructure, and data, forming the foundation for recovery efforts and prioritizing response actions.”

Understanding the Requirements

Network Address: 192.168.1.0/24

The /24 notation means a subnet mask of 255.255.255.0, providing 256 total addresses (192.168.1.0–192.168.1.255).

Usable hosts: 256 – 2 (network and broadcast) = 254.

Goal: Create 3 subnets, each with 30 hosts.

Each subnet needs enough addresses to accommodate 30 hosts, plus 2 reserved addresses (network and broadcast) per subnet.

Total addresses per subnet = 30 (hosts) + 2 (network/broadcast) = 32 addresses.

Subnetting Basics (Networking Fundamentals)

Subnet Mask: Determines how many bits are borrowed from the host portion to create subnets.

Original Mask: /24 (255.255.255.0) = 24 network bits, 8 host bits.

Formulae:

Number of subnets = 2^(number of borrowed bits).

Number of addresses per subnet = 2^(remaining host bits).

Usable hosts per subnet = 2^(remaining host bits) – 2.

We need:

At least 3 subnets.

At least 32 addresses per subnet (to fit 30 hosts + 2 reserved).

Step-by-Step Analysis

Determine Addresses Needed per Subnet:

32 addresses is a power of 2 (2^5 = 32).

This means each subnet requires 5 host bits (since 2^5 = 32 total addresses, and 32 – 2 = 30 usable hosts).

Calculate Remaining Bits:

Original network has 8 host bits (/24).

If 5 bits are left for hosts, we borrow: 8 – 5 = 3 bits for subnetting.

New Subnet Mask:

Original mask: /24 (24 network bits).

Borrow 3 bits: 24 + 3 = /27.

/27 = 255.255.255.224 (binary: 11111111.11111111.11111111.11100000).

Verify Requirements:

Number of Subnets: 2^3 = 8 subnets (meets the requirement of at least 3).

Addresses per Subnet: 2^5 = 32 addresses.

Usable Hosts per Subnet: 32 – 2 = 30 hosts (exactly meets the requirement).

Subnet Breakdown:

Increment: 256 – 224 = 32 (each subnet increments by 32 in the fourth octet).

Subnets:

192.168.1.0–192.168.1.31 (Network: .0, Broadcast: .31, Hosts: .1–.30)

192.168.1.32–192.168.1.63 (Network: .32, Broadcast: .63, Hosts: .33–.62)

192.168.1.64–192.168.1.95 (Network: .64, Broadcast: .95, Hosts: .65–.94)

(And 5 more subnets up to 192.168.1.255.)

Three subnets fit perfectly with 30 hosts each.

Evaluating the Options

A. 255.255.255.128 (/25):

Borrow 1 bit: 24 + 1 = /25.

Subnets: 2^1 = 2 (not enough, need 3).

Host bits: 7 (2^7 = 128 addresses, 126 hosts).

Why Not: Only 2 subnets, fails the requirement.

B. 255.255.255.192 (/26):

Borrow 2 bits: 24 + 2 = /26.

Subnets: 2^2 = 4 (meets 3).

Host bits: 6 (2^6 = 64 addresses, 62 hosts).

Why Not: 62 hosts exceeds 30, but it’s overkill; /27 is more efficient and still valid.

C. 255.255.255.224 (/27):

Borrow 3 bits: 24 + 3 = /27.

Subnets: 2^3 = 8 (meets 3).

Host bits: 5 (2^5 = 32 addresses, 30 hosts).

Why Yes: Perfectly fits 3 subnets with exactly 30 hosts each.

D. 255.255.255.240 (/28):

Borrow 4 bits: 24 + 4 = /28.

Subnets: 2^4 = 16 (meets 3).

Host bits: 4 (2^4 = 16 addresses, 14 hosts).

Why Not: Only 14 hosts per subnet, fails the 30-host requirement.

Why /27 (255.255.255.224) is Best

It provides exactly 30 usable hosts per subnet, avoiding waste while meeting the minimum requirement.

It allows 8 subnets, exceeding the need for 3, ensuring flexibility.

The study guide emphasizes efficient subnet design, and /27 balances host count and subnet availability.

CompTIA Network+ Context

Networking Fundamentals: Subnetting is a core skill, requiring understanding of CIDR, binary conversion, and address allocation.

Example from Study Guide: Similar problems calculate subnet masks for specific host counts, reinforcing /27 as a common solution for ~30 hosts.

The loopback address 127.0.0.1 is used to test the TCP/IP stack of the local machine. Pinging this address confirms whether the local system ' s networking stack is functioning correctly.

=================

An SFP (Small Form-factor Pluggable) transceiver is a modular device that provides the interface between fiber-optic or copper cabling and the networking equipment (e.g., switch or router). It operates primarily at Layer 2 (Data Link), converting optical or electrical signals into frames usable by the network device.

A. SC is a fiber connector type, not the transceiver.

B. DAC (Direct Attach Copper) is a passive copper cable assembly with fixed transceivers, not a general-purpose module.

D. Twinaxial cable is a copper medium, not an interface device.

References (CompTIA Network+ N10-009):

Domain: Networking Concepts — Transceivers (SFP, GBIC, QSFP), fiber connectivity, OSI model mapping.

802.1X is a port-based Network Access Control (NAC) method that enforces authentication before allowing access to the network. It uses a RADIUS server for identity verification and policy enforcement, ensuring only authorized users/devices gain access.

A. Standard ACL filters traffic by IP, not identity.

B. MAC filtering controls devices by hardware address but can be spoofed.

D. SSO (Single Sign-On) provides user convenience across services, not network-level access control.

References (CompTIA Network+ N10-009):

Domain: Network Security — NAC, 802.1X authentication, identity-based access.

Port 587 is used for secure email submission. This port is designated for message submission by mail clients to mail servers using the SMTP protocol, typically with STARTTLS for encryption.

Port 25: Traditionally used for SMTP relay, but not secure and often blocked by ISPs for outgoing mail due to spam concerns.

Port 110: Used for POP3 (Post Office Protocol version 3), not typically secured.

Port 143: Used for IMAP (Internet Message Access Protocol), which can be secured with STARTTLS or SSL/TLS.

Port 587: Specifically used for authenticated email submission (SMTP) with encryption, ensuring secure transmission of email from clients to servers.

Network References:

CompTIA Network+ N10-007 Official Certification Guide: Discusses email protocols and ports, including secure email transmission.

Cisco Networking Academy: Provides training on securing email communications and the use of appropriate ports.

Network+ Certification All-in-One Exam Guide: Explains email protocols, ports, and security considerations for email transmission.

To support about 800 workstations with minimal IP waste, you choose the smallest subnet that provides at least 800 usable host addresses. In IPv4, usable hosts per subnet are calculated as 2^(host bits) − 2 (subtracting network and broadcast addresses). A /22 leaves 10 host bits (32 − 22 = 10), providing 2^10 − 2 = 1024 − 2 = 1022 usable addresses—enough for 800 devices with relatively low waste.

Check the other options: /23 leaves 9 host bits, giving 2^9 − 2 = 512 − 2 = 510 usable addresses, which is not enough. A /21 provides 2^11 − 2 = 2048 − 2 = 2046 usable addresses—enough, but wastes more than /22. A /20 provides 2^12 − 2 = 4096 − 2 = 4094 usable addresses—much more waste.

Therefore, 10.0.100.0/22 is the best choice that meets the workstation requirement while minimizing unused addresses.

The correct answer is Spanning Tree because broadcast storms are typically caused by Layer 2 switching loops in Ethernet networks. According to the CompTIA Network+ (N10-009) objectives under switching concepts, the Spanning Tree Protocol (STP) is specifically designed to prevent loops in networks that have redundant switch connections.

In a Layer 2 environment, switches forward broadcast frames out all ports except the one on which they were received. If redundant paths exist without STP, frames can circulate indefinitely, creating a broadcast storm. This results in excessive traffic, high CPU utilization on switches, MAC address table instability, and significant network performance degradation.

STP prevents this by logically blocking redundant paths while maintaining them as backups. If the active path fails, STP recalculates and activates a previously blocked path, preserving redundancy without loops.

The other options—EIGRP and BGP (routing protocols) and CDP and LLDP (device discovery protocols)—do not prevent Layer 2 loops.

Therefore, configuring Spanning Tree Protocol is the appropriate solution to mitigate broadcast storms.

Multimode fiber optic cables involve the transmission of light signals that bounce off the core ' s cladding as they travel down the fiber. This characteristic differentiates it from single-mode fiber, where the light travels directly down the fiber without reflecting off the cladding.

Here are some detailed points about multimode fiber cables:

Construction: Multimode fibers have a larger core diameter, typically 50 or 62.5 microns, compared to single-mode fibers, which have a core diameter of about 9 microns.

Light Propagation: The larger core of multimode fiber allows multiple light modes to propagate. These modes travel at different angles, leading to reflections off the core-cladding boundary.

Distance and Bandwidth: Due to modal dispersion, where different light modes arrive at the receiver at different times, multimode fibers are suited for shorter distance applications compared to single-mode fibers. Typical distances are up to 550 meters for 10 Gbps Ethernet using OM4 multimode fiber.

Applications: Multimode fibers are commonly used in LANs (Local Area Networks), data centers, and for shorter distance data transmission due to their cost-effectiveness and ease of installation.

Network References:

CompTIA Network+ N10-007 Official Certification Guide, which covers fiber optic technologies, including the differences between multimode and single-mode fibers.

Cisco Networking Academy: Provides training materials and reference guides on the properties of different fiber optic cables.

Fiber Optic Association (FOA): A professional society dedicated to fiber optics, offering extensive information and certification on fiber optic technologies.

Multimode fibers are specifically designed for short-range communication with higher data rates and are typically used in environments like data centers, where high bandwidth over shorter distances is crucial. The reflections off the cladding, inherent to multimode fiber, facilitate this high-capacity communication.

Unshielded cables (D) are more prone to interference and may not be suitable for certain environments, especially after a fire where interference could be heightened.

Using the wrong transceiver (E) for new terminations can lead to compatibility issues, causing network failures.

=================

Comprehensive and Detailed Explanation (aligned to N10-009):

APIs (Application Programming Interfaces) allow automation tools and scripts to push configurations to network devices programmatically. Modern network automation platforms rely on APIs to ensure consistency and scalability.

A. RDP is remote desktop for Windows systems, not automation.

B. Telnet is insecure and manual.

C. GUI requires manual configuration, not automation.

References (CompTIA Network+ N10-009):

Domain: Network Operations — Automation, orchestration, APIs in network management.

If a switch has port security enabled (such as sticky MAC or a configured allowed MAC), the port will only allow the original NIC’s MAC address. When a new NIC with a different MAC address is installed, the port rejects traffic, preventing network connectivity.

B. BPDU guard protects against rogue switches, not end hosts.

C. Link aggregation applies when bundling multiple uplinks, not a single PC connection.

D. PoE budget applies to powered devices like APs, not PCs.

References (CompTIA Network+ N10-009):

Domain: Network Troubleshooting — Port security, MAC address filtering, switch security features.

A client-to-site VPN (remote-access VPN) is designed to let an individual user securely connect into an organization’s network over an untrusted network (like the internet) and access resources as if the user were locally connected. Network+ objectives emphasize VPNs as encrypted tunnels that provide confidentiality and integrity for traffic, commonly using technologies such as IPsec or SSL/TLS-based VPNs. With a client-to-site VPN, the user’s device establishes a tunnel to the corporate VPN gateway, receives routes (and sometimes DNS settings), and can reach internal subnets and cloud resources according to policy.

A jump box/host is a hardened intermediate system used to access sensitive segments, but it does not make the user’s device behave as if it is directly on the network; it provides controlled administrative access. SSH is a secure remote management protocol for connecting to a host’s command line—useful for administration, not full network access to multiple internal resources. A GRE tunnel provides encapsulation but does not provide encryption by itself, so it is not inherently “securely access” unless combined with additional security (e.g., GRE over IPsec). Therefore, client-to-site VPN is the correct choice.

A Security Information and Event Management (SIEM) system collects, correlates, and analyzes logs from multiple sources in real-time, providing enhanced visibility across multivendor environments.

Breakdown of Options:

A. SNMP – SNMP is used for network device monitoring, but it lacks real-time correlation across multiple vendors.

B. SIEM – Correct answer. SIEM aggregates, analyzes, and correlates logs from multiple sources, providing real-time visibility.

C. Nmap – Nmap is a network scanning tool used for mapping hosts and detecting open ports but does not provide log correlation.

D. Syslog – Syslog collects logs but does not correlate or analyze them in real-time.

A cold site is a backup facility that provides infrastructure (such as power, cooling, and space) but does not have active IT resources installed. When a disaster occurs, IT teams must bring in and configure all necessary hardware and software before services can resume. This process can take weeks or longer—which matches the scenario described.

•Why not the other options?

•Hot site (A) – A hot site is a fully operational backup facility with up-to-date data and pre-configured hardware, allowing almost instant failover (minutes to hours).

•Warm site (B) – A warm site has pre-installed hardware and some software/configurations, but it requires some setup before becoming fully operational (hours to a few days).

•Active-active approach (D) – This means that multiple sites run simultaneously with load balancing, ensuring no downtime in case of a failure.

VLAN hopping allows an attacker to send traffic into another VLAN without authorization, often by impersonating a switch and negotiating a trunk link. This lets the attacker traverse into normally inaccessible VLANs.

A. MAC flooding disrupts switch operations but does not cross VLANs.

B. DNS poisoning corrupts name resolution.

D. ARP spoofing reroutes local traffic but doesn’t grant VLAN traversal.

References (CompTIA Network+ N10-009):

Domain: Network Security — VLAN attacks, unauthorized lateral movement.

On Core-SW01, the ports are configured with LACP (mode active) for link aggregation. On Core-SW02, the ports are configured as independent trunks, not as part of an LACP group. Because of this mismatch, LACP cannot form the bundle, and the aggregated ports on SW01 will go into a suspended state.

A. CRC errors suggest cabling or signal integrity issues, not config mismatch.

B. Error disabled occurs when a violation (like BPDU guard or port security) disables the port, not LACP mismatch.

C. Administratively down indicates a shutdown command, not the case here.

References (CompTIA Network+ N10-009):

Domain: Network Troubleshooting — Port-channel/LACP configuration issues, interface states.

Routers determine the best route to a destination using longest prefix match. This means the router chooses the route entry with the most specific matching network prefix for the destination IP address. For example, if a routing table contains 10.1.0.0/16 and 10.1.2.0/24, a packet destined to 10.1.2.50 matches both entries, but the router prefers /24 because it is more specific (longer mask). Network+ (N10-009) routing fundamentals emphasize that route selection begins with prefix length specificity before considering other factors within the same prefix length (such as administrative distance and metric, depending on the platform).

“Shortest prefix match” is the opposite of correct behavior. “Routes learned from EIGRP” and “routes learned from OSPF” describe sources of routes, not the general selection rule routers use when multiple matching routes exist. Even if routes come from different protocols, the router still applies selection logic; the universal rule for matching destination networks is longest prefix match. Hence, option C is correct.

The correct answer is Network bandwidth and utilization because latency issues with a SaaS (Software as a Service) application are most commonly related to network performance constraints, not local server hardware or virtualization settings. According to CompTIA Network+ (N10-009) troubleshooting objectives, technicians should evaluate bandwidth capacity, throughput, congestion, packet loss, and overall utilization when diagnosing performance issues affecting cloud-based applications.

Since SaaS applications are hosted externally by a service provider, the organization typically does not control the underlying server hardware or virtual machine configurations (Options A and D). Therefore, adjusting internal server specifications would not resolve user-side latency.

Option B, data-at-rest encryption, applies to stored data security and does not impact real-time application responsiveness.

High network utilization, insufficient bandwidth, QoS misconfiguration, or WAN congestion can significantly increase latency. Technicians should review network monitoring tools, check interface statistics, analyze traffic patterns, and verify Quality of Service (QoS) policies to ensure SaaS traffic is prioritized appropriately.

Thus, optimizing bandwidth and reducing network congestion is the most appropriate corrective action.

The customer can access local resources (a database server), which means local networking is working. However, the inability to reach the internet suggests an issue with the default gateway. If the default gateway is unreachable, packets will not be routed outside the local network.

Breakdown of Options:

A. Incorrect DNS – DNS issues would cause problems resolving domain names, but the user should still be able to access external resources via IP addresses.

B. Unreachable gateway – ✅ Correct answer. If the default gateway is incorrect or unreachable, the device cannot route traffic to the internet.

C. Failed root bridge – STP (Spanning Tree Protocol) failures cause switching issues, but the user can still access local devices, meaning STP is not the problem.

D. Poor upstream routing – Would affect the entire network, not just one user.

A honeypot is specifically designed to attract, isolate, and observe malicious activity so defenders can learn how an attacker is operating and determine attack techniques. In the context of Network+ (N10-009) security objectives, honeypots (and broader deception technologies) are defensive controls used to detect reconnaissance and exploitation attempts by presenting a decoy system or service that appears legitimate. Because a honeypot should not receive normal production traffic, any interaction is suspicious, making it valuable for identifying threat actors, collecting indicators of compromise, and analyzing the attacker’s tools, commands, and behavior patterns. This supports the goal of understanding the type of attack used (for example, credential stuffing, exploitation attempts, lateral movement probes) while keeping the attacker away from real assets.

MFA strengthens authentication but does not provide a controlled environment to observe attacker techniques. A screened subnet (DMZ) is for segmentation of public-facing services and reducing exposure of internal systems, but it is not primarily used to “bait” and analyze attackers. A captive portal enforces user acknowledgement/authentication for network access; it is not a deception/analysis system. Therefore, honeypot is the best match.

===========

Availability refers to ensuring that data is accessible when needed. If a customer ' s data is accidentally deleted, it impacts availability, as the data can no longer be accessed.

=================

BGP (Border Gateway Protocol) uses attributes like AS path, origin, and MED (multi-exit discriminator) to determine the best path among multiple available routes.

From Andrew Ramdayal’s guide:

“BGP is the protocol underlying the global routing system of the internet. It is used for routing data between autonomous systems (ASes)... BGP uses a path vector mechanism and maintains a list of attributes for route selection.”

Devices in both buildings should be able to access the Internet.

Security insists that all Internet traffic be inspected before entering the network.

Desktops should not see traffic destined for other devices.

Here is the corrected layout with explanation:

Building A:

Switch: Correctly placed to connect all desktops.

Firewall: Correctly placed to inspect all incoming and outgoing traffic.

Building B:

Switch: Not needed. Instead, place a Wireless Access Point (WAP) to provide wireless connectivity for laptops and mobile devices.

Between Buildings:

Wireless Range Extender: Correctly placed to provide connectivity between the buildings wirelessly.

Connection to the Internet:

Router: Correctly placed to connect to the Internet and route traffic between the buildings and the Internet.

Firewall: The firewall should be placed between the router and the internal network to inspect all traffic before it enters the network.

Corrected Setup:

Top-left (Building A): Switch

Bottom-left (Building A): Firewall (inspect traffic before it enters the network)

Top-middle (Internet connection): Router

Bottom-middle (between buildings): Wireless Range Extender

Top-right (Building B): Wireless Access Point (WAP)

In this corrected setup, the WAP in Building B will connect wirelessly to the Wireless Range Extender, which is connected to the Router. The Router is connected to the Firewall to ensure all traffic is inspected before it enters the network.

Configuration for Wireless Range Extender:

SSID: CORP

Security Settings: WPA2 or WPA2 - Enterprise

Key or Passphrase: [Enter a strong passphrase]

Mode: [Set based on your network plan]

Channel: [Set based on your network plan]

Speed: Auto

Duplex: Auto

With these settings, both buildings will have secure access to the Internet, and all traffic will be inspected by the firewall before entering the network. Desktops and other devices will not see traffic intended for others, maintaining the required security and privacy.

To configure the wireless range extender for security, follow these steps:

SSID (Service Set Identifier):

Ensure the SSID is set to " CORP " as shown in the exhibit.

Security Settings:

WPA2 or WPA2 - Enterprise: Choose one of these options for stronger security. WPA2-Enterprise provides more robust security with centralized authentication, which is ideal for a corporate environment.

Key or Passphrase:

If you select WPA2, enter a strong passphrase in the " Key or Passphrase " field.

If you select WPA2 - Enterprise, you will need to configure additional settings for authentication servers, such as RADIUS, which is not shown in the exhibit.

Wireless Mode and Channel:

Set the appropriate mode and channel based on your network design and the environment to avoid interference. These settings are not specified in the exhibit, so set them according to your network plan.

Wired Speed and Duplex:

Set the speed to " Auto " unless you have specific requirements for 100 or 1000 Mbps.

Set the duplex to " Auto " unless you need to specify half or full duplex based on your network equipment.

Save Configuration:

After making the necessary changes, click the " Save " button to apply the settings.

Here is how the configuration should look after adjustments:

SSID: CORP

Security Settings: WPA2 or WPA2 - Enterprise

Key or Passphrase: [Enter a strong passphrase]

Mode: [Set based on your network plan]

Channel: [Set based on your network plan]

Speed: Auto

Duplex: Auto

Once these settings are configured, your wireless range extender will provide secure connectivity for devices in both buildings.

Firewall setting to to ensure complete compliance with the requirements and best security practices, consider the following adjustments and additions:

DNS Rule: This rule allows DNS traffic from the internal network to any destination, which is fine.

HTTPS Outbound: This rule allows HTTPS traffic from the internal network (assuming 192.169.0.1/24 is a typo and should be 192.168.0.1/24) to any destination, which is also good for secure web browsing.

Management: This rule allows SSH access to the firewall for management purposes, which is necessary for administrative tasks.

HTTPS Inbound: This rule denies inbound HTTPS traffic to the internal network, which is good unless you have a web server that needs to be accessible from the internet.

HTTP Inbound: This rule denies inbound HTTP traffic to the internal network, which is correct for security purposes.

Suggested Additional Settings:

Permit General Outbound Traffic: Allow general outbound traffic for web access, email, etc.

Block All Other Traffic: Ensure that all other traffic is blocked to prevent unauthorized access.

Firewall Configuration Adjustments:

Correct the Network Typo:

Ensure that the subnet 192.169.0.1/24 is corrected to 192.168.0.1/24.

Permit General Outbound Traffic:

Rule Name: General Outbound

Source: 192.168.0.1/24

Destination: ANY

Service: ANY

Action: PERMIT

Deny All Other Traffic:

Rule Name: Block All

Source: ANY

Destination: ANY

Service: ANY

Action: DENY

Here is how your updated firewall settings should look:

Rule Name

Source

Destination

Service

Action

DNS Rule

192.168.0.1/24

ANY

DNS

PERMIT

HTTPS Outbound

192.168.0.1/24

ANY

HTTPS

PERMIT

Management

ANY

192.168.0.1/24

SSH

PERMIT

HTTPS Inbound

ANY

192.168.0.1/24

HTTPS

DENY

HTTP Inbound

ANY

192.168.0.1/24

HTTP

DENY

General Outbound

192.168.0.1/24

ANY

ANY

PERMIT

Block All

ANY

ANY

ANY

DENY

These settings ensure that:

Internal devices can access DNS and HTTPS services externally.

Management access via SSH is permitted.

Inbound HTTP and HTTPS traffic is denied unless otherwise specified.

General outbound traffic is allowed.

All other traffic is blocked by default, ensuring a secure environment.

Make sure to save the settings after making these adjustments.

IPv4 addresses are divided into classes:

Class A: Supports 16,777,214 hosts (large enterprises).

Class B: Supports 65,534 hosts (medium to large networks).

Class C: Supports 254 hosts (small to medium networks).

Class D: Used for multicast, not for assigning IPs to hosts.

Step-by-step Calculation:

The network will have 150 users initially, with a projected growth of 10 users, totaling 160 users.

Each user has two devices, so 160 × 2 = 320 IP addresses needed.

A Class C subnet has 254 usable IPs by default, which is not sufficient.

A Class B subnet can support thousands of hosts, making it the most appropriate option.

Incorrect Options:

A. Class D: Reserved for multicast, not for host assignments.

C. Class A: Overkill for a network of this size.

D. Class C: Cannot support 320 hosts without subnetting, making Class B the best choice.

If the business shares or duplicates the ISP-assigned public IP address, routing instability and conflicts will occur. Pinging a public IP like 8.8.8.8 may work (since ICMP can bypass certain conflicts), but browsing websites (which requires stable sessions and return traffic) will fail intermittently.

A. If the default gateway were incorrect, no external connectivity would work at all.

B. VLAN mismatch is an internal issue, not affecting ISP routing.

C. Subnet mask misconfiguration would prevent consistent routing but usually blocks ping too.

References (CompTIA Network+ N10-009):

Domain: Network Troubleshooting — Internet connectivity issues, ISP IP conflicts.