CompTIA Network+ N10-009 Practice Test

Prepare for CompTIA Network+ (N10-009) with free sample questions, a full-length diagnostic, topic drills, timed practice, networking concepts, implementation, operations, security, troubleshooting, PBQ-style topology reasoning, and detailed explanations in IT Mastery.

CompTIA Network+ (N10-009) validates practical networking judgment across concepts, implementation, operations, security, and troubleshooting. If you are searching for N10-009 sample questions, a practice test, mock exam, or simulator, this is the main IT Mastery page to start on web and continue on iOS or Android with the same IT Mastery account.

Interactive Practice Center

Start a practice session for CompTIA Network+ (N10-009) below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.

A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.

Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.

Free diagnostic: Try the 90-question CompTIA Network+ full-length practice exam before subscribing. Use it to separate misses around networking concepts, implementation, operations, security, troubleshooting, and PBQ-style topology reasoning.

What this N10-009 practice page gives you

  • a direct route into IT Mastery practice for CompTIA Network+
  • topic drills, PBQ-style sets, and mixed sets across the full N10-009 scope
  • detailed explanations that show why the best networking answer is correct
  • a clear free-preview path before you subscribe
  • the same IT Mastery account across web and mobile

N10-009 exam snapshot

  • Vendor: CompTIA
  • Official exam name: CompTIA Network+ (N10-009)
  • Exam code: N10-009
  • Maximum questions: 90
  • Exam time: 90 minutes
  • Passing score: 720 on a 100 to 900 scale
  • Question style: multiple-choice and performance-based networking scenarios

Network+ questions usually reward the option that identifies the right layer, uses the right tool, and resolves the root cause instead of chasing symptoms.

Topic coverage for N10-009 practice

| Domain | Weight |
|---|---|
| Networking Concepts | 23% |
| Network Implementation | 20% |
| Network Operations | 19% |
| Network Security | 14% |
| Network Troubleshooting | 24% |

N10-009 troubleshooting filters

Network+ questions usually reward isolation of the failing layer or service before remediation.

| Symptom signal | First check | Strong answer usually… | Weak answer usually… |
|---|---|---|---|
| One host cannot connect | Local link and IP path | Checks cable/Wi-Fi, NIC, IP, gateway, DNS, and ACL/firewall scope | Reboots core infrastructure first |
| Many users in one area fail | Segment, switch, VLAN, or AP scope | Checks common upstream device, VLAN, trunk, DHCP scope, or RF issue | Troubleshoots each endpoint separately |
| Name resolution fails but IP works | DNS | Tests DNS settings, records, resolver reachability, and cache | Replaces cabling or changes routing |
| Intermittent Wi-Fi occurs | RF and roaming conditions | Checks channel overlap, signal strength, interference, band, and AP placement | Adds random APs without survey logic |
| A cable fault is suspected | Medium and tool | Uses cable tester/TDR/OTDR based on copper or fiber need | Uses the wrong tool for the medium |
| Remote admin is exposed | Management-plane security | Restricts access through VPN/MFA/jump host/PAW and disables public management | Assumes SSH alone makes internet exposure safe |

N10-009 readiness map

| Domain | What the exam tests | What IT Mastery practice should force | Common trap |
|---|---|---|---|
| Networking Concepts | Whether ports, protocols, addressing, routing, switching, and wireless basics are usable | Identify layer and service quickly | Memorizing ports without symptoms |
| Network Implementation | Whether you can choose devices, cabling, wireless, VLANs, and topologies | Match design choice to requirement and constraint | Picking technology by name recognition |
| Network Operations | Whether monitoring, documentation, change, backup, and continuity are understood | Use operational evidence before changing the network | Treating operations as afterthought documentation |
| Network Security | Whether segmentation, access control, remote admin, and hardening are applied correctly | Protect the management plane and reduce exposure | Trusting encryption while ignoring access path |
| Network Troubleshooting | Whether you can isolate root cause from symptoms and command output | Follow layer/service scope before remediation | Chasing symptoms out of order |

How to use the N10-009 simulator efficiently

  1. Start with subnetting, ports, and protocol drills so the basic network logic becomes automatic.
  2. Review every miss until you can explain the correct layer, service, or control behind the best answer.
  3. Move into PBQ-style and mixed sets once you can interpret topology, command output, and troubleshooting symptoms quickly.
  4. Finish with timed runs so the 90-minute pace feels manageable before exam day.

Final 7-day N10-009 practice sequence

| Timing | Practice focus | What to review after the set |
|---|---|---|
| Days 7-5 | One 90-question diagnostic plus drills in weak Network+ domains | Whether misses came from concepts, implementation, operations, security, troubleshooting, subnetting, or topology interpretation |
| Days 4-3 | Mixed command-output, topology, and troubleshooting scenarios | Whether you can identify the failing layer or service before selecting a fix |
| Days 2-1 | Light review of subnetting, ports, Wi-Fi, VLANs, DNS/DHCP, cable tools, and secure admin access | Only recurring traps; avoid cramming exotic protocols late |
| Exam day | Short warm-up if useful | Choose the answer that isolates root cause with the right tool and scope |

When N10-009 practice is enough

If you can score above 75% on several unseen mixed attempts and explain the network layer, service, or tool behind each miss, you are likely ready. Do not keep repeating familiar topology items until memory replaces troubleshooting discipline.

Focused sample questions

Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.

Free study resources

Need concept review first? Read the CompTIA Network+ N10-009 Cheat Sheet on Tech Exam Lexicon, then return here for timed mocks, topic drills, and full IT Mastery practice.

Free preview vs premium

  • Free preview: a smaller web set so you can validate the question style and explanation depth.
  • Premium: the full N10-009 practice bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

24 N10-009 sample questions with detailed explanations

Question 1

Topic: Domain 5: Network Troubleshooting

Which tool is specifically designed to locate a fault on a copper network cable and report the approximate distance to that fault?

Options:

  • A. Basic cable tester
  • B. Tone generator and probe
  • C. Time-domain reflectometer (TDR)
  • D. Optical time-domain reflectometer (OTDR)

Best answer: C

Explanation: The choice describing a time-domain reflectometer is correct because a TDR is designed for copper cabling and can both detect a fault and estimate its distance from the tester, which directly matches the requirement in the question.


Question 2

Topic: Domain 3: Network Operations

A network administrator is creating a business continuity and disaster recovery plan for several switches, routers, and firewalls, as well as critical file shares. The goal is to ensure network configurations and data can be restored quickly after a failure. Which of the following actions should you AVOID including in this plan? (Select TWO.)

Options:

  • A. Configure automated nightly backups of all network device configurations to a central backup server, retaining at least 30 days of versions.
  • B. Encrypt backup files and copy them to an offsite or cloud-based storage location as part of the disaster recovery strategy.
  • C. Perform quarterly test restores of network device configuration backups to lab or spare hardware to verify they can be successfully applied.
  • D. Store each device’s only configuration backup on that same device’s local flash storage, with no additional off-device copy.
  • E. Rely on manual backups that administrators run only when they remember, with no documented schedule or automation.

Correct answers: D and E

Explanation: The option that stores each device’s only configuration backup on its own local flash is unsafe because a device failure, fire, theft, or other site-wide disaster will likely destroy both the device and its local backup. Disaster recovery requires off-device, preferably offsite copies.

The option that relies on manual backups that administrators run only when they remember is also unsafe. Without a documented schedule and automation, backups will be inconsistent, frequently outdated, or entirely missing. This undermines recovery point objectives and makes it likely that you cannot restore the current configuration after a failure.


Question 3

Topic: Domain 4: Network Security

Which of the following statements about secure remote administrative access is NOT correct?

Options:

  • A. In a secure design, administrators can manage network devices directly over the public Internet from any device as long as SSH is used.
  • B. Privileged access workstations are locked-down endpoints dedicated to administrative tasks and should not be used for routine activities such as web browsing and email.
  • C. Jump hosts act as controlled entry points for administrative sessions and should be tightly monitored and kept up to date with security patches.
  • D. A VPN that requires multi-factor authentication provides an encrypted tunnel for administrators connecting from remote locations to reach internal management resources.

Best answer: A

Explanation: The statement claiming that it is acceptable for administrators to manage devices directly over the public Internet from any device as long as SSH is used is incorrect. While SSH provides encryption, it does not address the risk of exposing management ports to the Internet or using unmanaged, potentially compromised devices. Best practice is to restrict management to private addresses behind a firewall, require VPN access (with MFA), and often route sessions through a hardened jump host or PAW.


Question 4

Topic: Domain 2: Network Implementations

A 200-person company runs a latency-sensitive ERP system in its headquarters data room. A remote manufacturing plant must access the ERP reliably 24x7. Management is willing to pay more for a provider-managed service with QoS and an SLA that guarantees uptime and latency. Which of the following WAN proposals is the LEAST appropriate for this requirement and should NOT be selected?

Options:

  • A. Use business-grade DIA at each site, integrated with SD-WAN overlays and 5G failover, selecting plans that include business SLAs for availability.
  • B. Install low-cost consumer broadband connections at both sites with no formal SLA and use them as the sole links for ERP access between sites.
  • C. Purchase a provider-managed MPLS service between the two sites with QoS classes and a business SLA for uptime and latency.
  • D. Lease a point-to-point Ethernet WAN circuit between the sites with committed bandwidth and a carrier SLA, then route ERP traffic over that link.

Best answer: B

Explanation: The option that proposes using low-cost consumer broadband at both sites, with no SLA, as the sole WAN path for ERP is the least appropriate.

Consumer broadband is:

  • Best-effort, without strong uptime or latency guarantees.
  • Typically unmanaged for QoS, so latency-sensitive ERP traffic may compete with all other traffic.
  • Single-homed in this scenario, offering no redundancy.

This directly contradicts the requirements for provider-managed QoS, predictable performance, and a formal SLA. As such, it is the clear anti-pattern and the only option that should not be selected.


Question 5

Topic: Domain 2: Network Implementations

Which statement BEST describes single-mode fiber compared to multimode fiber in typical enterprise networks?

Options:

  • A. Single-mode fiber supports much longer distances and higher potential bandwidth but uses a smaller core and usually requires more expensive optics.
  • B. Single-mode fiber is generally limited to about 100 m, similar to Cat6 copper, and is chosen mainly for cost savings over copper.
  • C. Single-mode fiber has a larger core than multimode fiber, which makes it suitable only for short-distance runs inside a wiring closet.
  • D. Single-mode fiber is primarily a legacy medium used for low-speed links below 100 Mbps and is being replaced by multimode fiber.

Best answer: A

Explanation: The option stating that single-mode fiber “supports much longer distances and higher potential bandwidth but uses a smaller core and usually requires more expensive optics” is correct because it captures the key trade-off: single-mode offers superior distance and bandwidth characteristics due to its small core and laser-based signaling, but this comes with increased optics cost compared to multimode.


Question 6

Topic: Domain 3: Network Operations

A small healthcare clinic is deploying a new electronic health records (EHR) application that will store and transmit patient information across its wired and wireless LAN. Management states that the clinic must comply with data-protection regulations and be able to show auditors where regulated data flows and how it is protected on the network. Which of the following actions should the network technician take to BEST support this requirement?

Options:

  • A. Allow the EHR vendor to manage all network configurations remotely so the vendor can attest to compliance
  • B. Upgrade the internet connection to a higher bandwidth circuit so the new EHR traffic will not be delayed
  • C. Disable network device logging to avoid accidentally capturing patient information in log files
  • D. Create and maintain up-to-date network and data-flow diagrams that identify systems handling patient data and the security controls between them

Best answer: D

Explanation: The choice to create and maintain up-to-date network and data-flow diagrams directly addresses management’s request: it shows where patient data flows on the network and what security controls protect it. This aligns with common compliance expectations that organizations document data locations, flows, and protections, and is a core part of applying network policies and procedures for regulatory compliance.


Question 7

Topic: Domain 4: Network Security

Which statement BEST describes the purpose of a demilitarized zone (DMZ) in an enterprise network?

Options:

  • A. A management network used exclusively for out‑of‑band access to infrastructure devices
  • B. A secure VPN tunnel that remote users connect through to gain full internal network access
  • C. A semi‑trusted network segment that isolates public‑facing services from the internal LAN to limit exposure if those services are compromised
  • D. A dedicated VLAN that carries only VoIP traffic to prioritize voice packets over data traffic

Best answer: C

Explanation: The choice describing a “semi‑trusted network segment that isolates public‑facing services from the internal LAN” correctly defines a DMZ. It captures both the placement (between the internet and the internal network) and the purpose (limiting exposure and containing damage if public‑facing systems are compromised), which directly aligns with segmentation and layered security best practices.


Question 8

Topic: Domain 5: Network Troubleshooting

A network administrator applies a scheduled firewall firmware upgrade during a 1-hour maintenance window. After the reboot, users in the finance VLAN experience intermittent loss of Internet access, and a quick check of the vendor site shows this firmware has a known bug with no immediate fix. There are 10 minutes left in the window, finance relies on continuous Internet access for payment processing, and the change record includes a tested rollback plan. Which action is the BEST next step?

Options:

  • A. Extend the maintenance window and continue troubleshooting the new firmware until a workaround is found.
  • B. Leave the new firmware in place and ask the finance users to use mobile hotspots until the vendor releases a fix.
  • C. Roll back the firewall to the previous firmware version using the documented rollback plan.
  • D. Temporarily bypass the firewall and connect the finance VLAN directly to the ISP modem to restore Internet access.

Best answer: C

Explanation: Rolling back the firewall to the previous firmware version uses the documented rollback plan to return the device to a known-good state within the maintenance window. This minimizes downtime for a critical department, aligns with change-management best practices, and avoids running a version with a known, unfixed bug in production. It is exactly the type of situation where rollback is preferred over continued experimentation or risky workarounds.


Question 9

Topic: Domain 1: Networking Fundamentals

A small office deploys a server that translates human‑readable hostnames (such as files.example.com) into IP addresses for client PCs on the LAN. Which protocol and default port combination should this service use?

Options:

  • A. SMTP over TCP port 25
  • B. DNS over UDP/TCP port 53
  • C. HTTP over TCP port 80
  • D. DHCP over UDP ports 67 and 68

Best answer: B

Explanation: The option that specifies DNS over UDP/TCP port 53 is correct because DNS is explicitly designed for resolving hostnames to IP addresses, exactly as described. Its well-known default port is 53, and it uses both UDP (for most queries) and TCP (for zone transfers and large responses) on that port.


Question 10

Topic: Domain 5: Network Troubleshooting

A branch router (R1) connects a LAN and an ISP. Users can reach local servers but cannot access any Internet sites. The technician runs the following command on R1:

R1# show ip route
Codes: C - connected, S - static

C    10.10.10.0/24 is directly connected, Gig0/0
C    203.0.113.0/30 is directly connected, Gig0/1

The ISP router is connected to R1 on network 203.0.113.0/30. Which of the following actions should the technician AVOID? (Select TWO.)

Options:

  • A. Run a traceroute from a LAN host to an Internet IP address to see where the path fails
  • B. Delete the connected route to 203.0.113.0/30 because it is not needed for LAN access
  • C. Add a default route on R1 that points to interface Gig0/0 (the LAN interface) instead of the ISP next-hop
  • D. Configure a static default route on R1: ip route 0.0.0.0 0.0.0.0 203.0.113.1
  • E. Verify that the ISP router at 203.0.113.1 has a route back to 10.10.10.0/24

Correct answers: B and C

Explanation: Deleting the connected route to 203.0.113.0/30 would remove the WAN interface’s network from the routing table, effectively severing the link to the ISP. This guarantees that no Internet traffic can be forwarded.

Adding a default route that points to the LAN interface (Gig0/0) instead of toward the ISP’s next-hop causes non-local traffic to be sent back into the LAN. This can create routing loops or blackholing of packets and does not provide a valid path to the Internet. Both of these actions are unsafe and do not align with correct routing practices, so they are the actions that must be avoided.
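
The lookup behind this question, as an added example that is not part of the practice test or any router's code: a longest-prefix-match model of R1's table showing why Internet traffic is dropped as shown, why option D fixes it, and why options B and C do not. The helper names, the Internet destination 198.51.100.10, and the rule that a static next hop must sit on a connected network are assumptions made for the illustration.

```python
import ipaddress

# Constructed Internet destination (documentation range), not from the question.
INTERNET_DEST = "198.51.100.10"


def route(code, prefix, iface=None, next_hop=None):
    """Build one routing-table entry. code is 'C' (connected) or 'S' (static)."""
    return {"code": code, "net": ipaddress.ip_network(prefix),
            "iface": iface, "next_hop": next_hop}


def longest_match(table, dest):
    """Return the most specific entry whose prefix contains dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in table if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)


def resolve(table, dest):
    """Return (egress interface, next hop) for dest, or None if the packet is dropped.

    Simplified model (assumption): a static route that names only a next hop
    is usable only when that next hop lies on a connected network.
    """
    entry = longest_match(table, dest)
    if entry is None:
        return None                      # no route at all: drop
    if entry["iface"] is not None:
        # Connected route, or a static route bound to an exit interface:
        # the router tries to reach dest directly on that segment.
        return (entry["iface"], dest)
    connected = [r for r in table if r["code"] == "C"]
    via = longest_match(connected, entry["next_hop"])
    if via is None:
        return None                      # next hop unreachable: drop
    return (via["iface"], entry["next_hop"])


# The two connected routes from the `show ip route` output in the question.
LAN = route("C", "10.10.10.0/24", iface="Gig0/0")
WAN = route("C", "203.0.113.0/30", iface="Gig0/1")

AS_SHOWN = [LAN, WAN]
# Option D: static default route toward the ISP next hop.
OPTION_D = [LAN, WAN, route("S", "0.0.0.0/0", next_hop="203.0.113.1")]
# Option C: default route bound to the LAN interface instead of the ISP.
OPTION_C = [LAN, WAN, route("S", "0.0.0.0/0", iface="Gig0/0")]
# Option B: WAN connected route removed; even with the default route from
# option D configured, its next hop can no longer be resolved.
OPTION_B_THEN_D = [LAN, route("S", "0.0.0.0/0", next_hop="203.0.113.1")]


def describe(table, dest, wan_iface="Gig0/1"):
    """Summarize what R1 does with a packet to dest under the given table."""
    hop = resolve(table, dest)
    if hop is None:
        return "dropped: no usable route"
    iface, next_hop = hop
    if iface == wan_iface:
        return f"forwarded toward the ISP via {next_hop} on {iface}"
    return f"sent out {iface}, not toward the ISP"


if __name__ == "__main__":
    for name, table in [("as shown", AS_SHOWN), ("option D", OPTION_D),
                        ("option C", OPTION_C), ("option B", OPTION_B_THEN_D)]:
        print(f"{name:9s} -> {describe(table, INTERNET_DEST)}")
```
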


Question 11

Topic: Domain 4: Network Security

A company wants to secure its corporate WLAN so that each employee uses individual network credentials, and access can be revoked centrally when someone leaves. Security policy requires that Wi‑Fi authentication be tied to the existing directory service and that shared passphrases are not used. Which solution BEST meets these requirements?

Options:

  • A. Configure the WLAN for WPA2/WPA3‑Enterprise using 802.1X, with access points acting as authenticators and forwarding EAP requests to a centralized RADIUS server tied to the directory service.
  • B. Use WPA2‑Personal with a long, complex pre‑shared key that is given only to employees and changed whenever someone leaves.
  • C. Configure an open WLAN and require users to log in through a captive web portal on a firewall that validates credentials with a RADIUS server.
  • D. Enable MAC address filtering on the access points and store the list of allowed MAC addresses in a RADIUS server connected to the directory service.

Best answer: A

Explanation: Using WPA2/WPA3‑Enterprise with 802.1X and RADIUS makes the APs authenticators that pass EAP conversations from clients to a centralized RADIUS server. The RADIUS server authenticates users against the directory, enabling per‑user access control and straightforward revocation by disabling or changing the user’s account. This matches all stated requirements and implements 802.1X, RADIUS, and EAP in their intended roles for secure WLANs.


Question 12

Topic: Domain 5: Network Troubleshooting

A technician is investigating intermittent Wi‑Fi drops for one user. On the WLAN controller, they pull the following snapshot of current 5 GHz clients:

| Client ID | RSSI (dBm) | SNR (dB) |
|---|---|---|
| LAPTOP-01 | -67 | 28 |
| PHONE-22 | -72 | 24 |
| TABLET-07 | -81 | 19 |
| LAPTOP-19 | -75 | 23 |

Assume that on this WLAN an SNR below 20 dB usually leads to unstable connections, while an SNR of 20 dB or higher is generally acceptable.

Based on the SNR values only, which client is MOST likely experiencing wireless connectivity issues?

Options:

  • A. PHONE-22
  • B. TABLET-07
  • C. LAPTOP-19
  • D. LAPTOP-01

Best answer: B

Explanation: The client TABLET-07 has an SNR of 19 dB, which is the only value below the 20 dB stability threshold specified in the stem. Because the question tells you to make the decision based on SNR values only, TABLET-07 stands out as the only client whose signal quality is likely too low for stable performance, making it the correct choice.


Question 13

Topic: Domain 3: Network Operations

A small company has a single edge firewall, one internet circuit, and a flat LAN. The IT team recently created business continuity and disaster recovery documentation but has never practiced using it. Management wants to validate the plan, identify gaps, and improve team coordination without risking downtime in production. Which activity would BEST meet these goals?

Options:

  • A. Enable automated nightly backups to cloud storage and defer any recovery testing until a real disaster occurs, to avoid extra work.
  • B. Perform an unannounced live failover test by powering down the main data center during business hours to see how users are affected.
  • C. Schedule quarterly document reviews where only the IT manager reads the BC/DR plan and updates it based on technology changes.
  • D. Hold a structured tabletop exercise where stakeholders talk through a scripted outage scenario step by step using the current BC/DR procedures.

Best answer: D

Explanation: The option to hold a structured tabletop exercise where stakeholders talk through a scripted outage scenario directly uses a recognized BC/DR validation method. It:

  • Exercises the existing plan in a realistic scenario.
  • Involves multiple stakeholders, which improves coordination and clarifies roles.
  • Identifies gaps or unclear steps in the documentation.
  • Does all of this without touching production systems, so there is no added risk of downtime.

This aligns exactly with the stated goals: validate the plan, find weaknesses, and improve coordination while avoiding impact to the live network.


Question 14

Topic: Domain 4: Network Security

A small company currently uses a basic edge router that only performs NAT and simple stateful packet filtering based on IP addresses and TCP/UDP ports. Management wants to continue allowing normal web and SaaS access but block social media and peer-to-peer applications that often run over ports 80 and 443. Which solution is the BEST way to meet these requirements without adding unnecessary complexity?

Options:

  • A. Replace the router with a firewall that only uses traditional stateful inspection based on source/destination IP and port numbers, and create rules to allow HTTP/HTTPS while denying all other outbound ports.
  • B. Replace the edge router with a next-generation firewall that performs stateful inspection and application-aware filtering to allow business web apps while blocking social media and peer-to-peer traffic.
  • C. Deploy a standalone intrusion detection system (IDS) sensor on a SPAN/mirror port to alert on social media and peer-to-peer traffic but leave the router configuration unchanged.
  • D. Add outbound ACLs on the existing router to block TCP ports 80 and 443, preventing social media and peer-to-peer traffic from leaving the network.

Best answer: B

Explanation: The choice to replace the edge router with a next-generation firewall that performs stateful inspection and application-aware filtering directly addresses both needs:

  • It retains stateful inspection, maintaining normal security behavior for connections.
  • It adds application awareness, allowing policies such as “allow business web/SaaS” while “blocking social media and P2P,” even when those applications use ports 80 and 443.
  • It provides the requested control without introducing unnecessary complexity like unusual port blocking or separate monitoring-only systems that do not enforce policy.

This is exactly what NGFWs are designed to do: filter traffic by application, user, and category in addition to IP and port.


Question 15

Topic: Domain 5: Network Troubleshooting

Which statement BEST describes asymmetric routing in an IP network?

Options:

  • A. Packets between two networks circulate endlessly because routers continually forward them back and forth.
  • B. A static route on a router points to the wrong next-hop IP address or outgoing interface.
  • C. Traffic from a source to a destination takes a different path than traffic returning from that destination to the source.
  • D. A router has no entry for a destination network in its routing table and therefore drops the traffic.

Best answer: C

Explanation: The choice describing traffic from a source to a destination taking a different path than the return traffic precisely matches the definition of asymmetric routing. It focuses on the fact that the forward and reverse paths between the same endpoints are not symmetric, which is the key concept tested when identifying asymmetric routing issues in routing tables and path traces.


Question 16

Topic: Domain 4: Network Security

Which of the following statements about AAA (authentication, authorization, and accounting) is NOT correct?

Options:

  • A. Authorization is responsible for verifying usernames and passwords during the login process to confirm the user’s identity.
  • B. Authorization defines what a user is allowed to do or which network resources they can access after they are authenticated.
  • C. Authentication verifies a user’s identity, such as checking a username and password before granting access.
  • D. Accounting records details about user activities, such as logon time, duration of sessions, and resources accessed.

Best answer: A

Explanation: The statement claiming that authorization is responsible for verifying usernames and passwords is incorrect because it mis-assigns the roles within AAA. Credential verification during login is the function of authentication. Authorization only applies after a user has been authenticated, to decide which actions and resources are permitted. This confusion between “proving identity” (authentication) and “granting permissions” (authorization) is exactly what the question is testing.


Question 17

Topic: Domain 4: Network Security

A network administrator is deploying a new corporate Wi‑Fi network. Security policy requires each employee to authenticate with their own directory credentials, and the APs must validate users against a central RADIUS server. Which wireless security configuration should the administrator implement to meet this requirement?

Options:

  • A. Configure the SSID with WPA2-Personal using a strong shared passphrase
  • B. Configure the SSID with WPA2-Enterprise using 802.1X and a RADIUS server
  • C. Configure the SSID with WPA3-Personal using SAE passphrases
  • D. Configure an open SSID and use a captive portal for login

Best answer: B

Explanation: Configuring the SSID with WPA2-Enterprise using 802.1X and a RADIUS server is correct because this is the wireless security mode specifically built for enterprise environments. It supports per-user credentials, integrates with centralized AAA systems via RADIUS, and allows policies based on user identity rather than a shared key. It directly satisfies the requirement for authentication against a central RADIUS server using individual directory logins.


Question 18

Topic: Domain 1: Networking Fundamentals

Which TWO statements about Simple Network Management Protocol (SNMP) are correct? (Select TWO.)

Options:

  • A. SNMP normally uses TCP port 23 to securely encrypt management sessions.
  • B. SNMP is a file transfer protocol commonly used to move OS images between servers.
  • C. SNMP traps let network devices send unsolicited alerts to a management station when events occur.
  • D. SNMP is primarily used to synchronize device clocks across the network.
  • E. SNMP allows a central monitoring system to query routers and switches for status information.

Correct answers: C and E

Explanation: The statement that SNMP allows a central monitoring system to query routers and switches for status information is correct because this describes the basic poll/response model of SNMP: a manager reads MIB values from agents to see interface counters, CPU use, and similar metrics.

The statement that SNMP traps let devices send unsolicited alerts to a management station is also correct. Traps (or notifications) are one of SNMP’s key features, enabling near real-time alerts when important events occur without waiting for the next polling cycle.


Question 19

Topic: Domain 3: Network Operations

Which of the following statements about logical diagrams, physical diagrams, and IP address plans is NOT correct?

Options:

  • A. An IP address plan documents subnet ranges, default gateways, and how addresses are allocated (static or DHCP) for each network segment.
  • B. A logical network diagram typically shows subnets, VLANs, and routing relationships between devices.
  • C. An IP address plan is concerned only with static server IPs; DHCP scopes and dynamic addresses are normally excluded to keep the document simple.
  • D. A physical network diagram usually includes device locations, rack positions, and cabling runs between ports.

Best answer: C

Explanation: The statement claiming that an IP address plan is concerned only with static server IPs and normally excludes DHCP scopes is incorrect because a proper IP plan must cover the entire address space for each subnet. That includes dynamic client ranges, DHCP scopes, and any reservations, alongside static server and infrastructure addresses. Without this, technicians cannot easily see how many addresses are available, where conflicts may occur, or how addressing is organized across VLANs and sites.


Question 20

Topic: Domain 1: Networking Fundamentals

A help desk technician is troubleshooting a user’s laptop that cannot send email through the corporate SMTP server. The user can successfully browse internal and external websites, and the technician can ping smtp.example.com by hostname with no packet loss. A senior administrator advises, “Use the TCP/IP model to focus on the right layer first instead of randomly changing settings.” Which next step BEST follows this guidance?

Options:

  • A. Schedule a maintenance window to upgrade the access switch firmware that the laptop is connected to.
  • B. Verify the user’s email client SMTP server name, port, and encryption/authentication settings.
  • C. Change the laptop’s default gateway to the SMTP server’s IP address and reboot the system.
  • D. Replace the laptop’s Ethernet patch cable and retest connectivity.

Best answer: B

Explanation: Verifying the email client’s SMTP server name, port, and encryption/authentication settings focuses directly on the application layer, where SMTP operates in the TCP/IP model. Because the lower-layer tests (web access and ping by hostname) already succeed, the model indicates that the problem is isolated to the application itself or its configuration, making this the best next step.


Question 21

Topic: Domain 1: Networking Fundamentals

Which of the following statements about modern wireless security methods is NOT correct?

Options:

  • A. WPA2-Enterprise typically uses 802.1X with a RADIUS server so each user can authenticate with unique credentials.
  • B. WPA3 networks commonly use TKIP encryption to maintain compatibility with older devices and are therefore recommended over WPA2.
  • C. WPA2-Personal is designed around a single pre-shared key that is shared by all devices on the WLAN.
  • D. WPA3-Personal improves resistance to offline password-guessing attacks by using the SAE handshake instead of the WPA2 PSK handshake.

Best answer: B

Explanation: The statement claiming that “WPA3 networks commonly use TKIP encryption to maintain compatibility with older devices and are therefore recommended over WPA2” is incorrect.

WPA3 requires modern, strong encryption suites based on AES, such as CCMP or GCMP. TKIP is a legacy cipher associated with older WPA/WPA2 configurations and is considered insecure. It is not permitted with WPA3 and should not be recommended for any modern deployment. Compatibility with older devices is sometimes handled through transitional or mixed WPA2/WPA3 modes, but those still must avoid TKIP to remain secure and standards-compliant.


Question 22

Topic: Domain 1: Networking Fundamentals

Which statement BEST describes a clientless VPN solution for remote access?

Options:

  • A. It provides secure remote access through a standard web browser using SSL/TLS without installing a dedicated VPN client.
  • B. It provides command-line access to a remote device over TCP port 23 with clear-text credentials and traffic.
  • C. It allows users to control a remote desktop session over UDP without any encryption or authentication.
  • D. It creates a full tunnel to the internal network by installing a VPN client that routes all traffic through the corporate firewall.

Best answer: A

Explanation: The option that describes secure remote access through a standard web browser using SSL/TLS without installing a dedicated VPN client matches the definition of a clientless VPN. It correctly highlights the browser-based nature and the use of SSL/TLS instead of a separate VPN client application.


Question 23

Topic: Domain 3: Network Operations

A network technician receives a call from a coworker who cannot log in to the corporate VPN from home. The coworker asks the technician to share the technician’s own VPN username and password so they can finish urgent work. According to standard security policies and best practices, which of the following technician responses would be INCORRECT?

Options:

  • A. Explain that sharing accounts is against company policy and that each user must use their own credentials
  • B. Share their VPN credentials this one time so the coworker can finish the urgent task, then ask the coworker to change the password later
  • C. Offer to help the coworker verify they are using the correct VPN client, URL, and username before escalating to the help desk
  • D. Refuse to share credentials and direct the coworker to contact the service desk to reset their VPN password

Best answer: B

Explanation: The choice to share the technician’s VPN credentials “this one time” is incorrect because it violates several core security principles:

  • It breaks accountability: logs will show actions under the technician’s account, not the actual user.
  • It violates least privilege and unique user identification: each person must have their own access rights and credentials.
  • It goes against typical acceptable use and security policies, which explicitly forbid password sharing.

Even under time pressure or business urgency, the technician is required to uphold policy and not share credentials. That makes this response the clearly unsafe and incorrect option.


Question 24

Topic: Domain 3: Network Operations

A small company has a single edge firewall and a few managed switches connecting about 80 users on one LAN. Currently, administrators make configuration changes directly on devices during business hours with no formal review, documentation, or backups. Twice in the last month, a firewall rule change caused an outage that took an hour to diagnose and manually undo.

Management wants to:

  • Reduce the risk of outages from configuration changes.
  • Ensure changes are reviewed and approved.
  • Be able to quickly restore service if a change goes wrong.

Which of the following change approaches would BEST meet these goals?

Options:

  • A. Schedule all configuration changes for after-hours (for example, 10 p.m. to midnight) and send a courtesy email to the IT team after each change is completed.
  • B. Prohibit any firewall configuration changes except during a once-per-year maintenance window, and require administrators to be extremely careful when making those changes.
  • C. Allow only the most experienced administrator to make configuration changes at any time, but require them to keep a personal log of what was changed.
  • D. Implement a formal change management process that requires a change ticket with risk/impact analysis, documented approval, scheduled maintenance windows, and pre-change configuration backups with a defined rollback plan for each change.

Best answer: D

Explanation: The choice that introduces a formal change management process with change tickets, risk/impact analysis, documented approvals, scheduled maintenance windows, and pre-change backups plus a defined rollback plan is best because it incorporates all the core elements of structured change control.

  • Risk reduction: Risk and impact analysis, along with peer or management approval, helps catch bad ideas or poorly planned changes before they reach production.
  • Visibility and accountability: Change tickets and approvals create a record of what was changed, by whom, and why.
  • Quick recovery: Pre-change configuration backups and a defined rollback plan ensure that if a change causes issues, the network can be quickly restored to a known-good state.

This aligns precisely with the scenario’s goals and with common change management best practices for network operations.

Network+ N10-009 network operations map

Use this map after the sample questions to connect individual items to the Network+ design, implementation, security, operations, and troubleshooting decisions these practice samples test.

    flowchart LR
      S1["Connectivity or design requirement"] --> S2
      S2["Identify layer service or topology"] --> S3
      S3["Check addressing switching routing and wireless evidence"] --> S4
      S4["Apply security and segmentation controls"] --> S5
      S5["Monitor performance and availability"] --> S6
      S6["Document fix or design tradeoff"]

Quick Cheat Sheet

| Cue | What to remember |
| --- | --- |
| Layer thinking | Classify whether a symptom is physical, data link, network, transport, DNS, DHCP, routing, or application. |
| Addressing | Know IPv4, IPv6, subnetting, gateways, VLANs, NAT, and common ports. |
| Wireless | Review channels, interference, encryption, roaming, and authentication. |
| Security | Use segmentation, ACLs, firewalls, VPNs, NAC, and monitoring. |
| Troubleshooting | Use evidence from LEDs, cables, ARP, DNS, routes, logs, packet captures, and baselines. |

Mini Glossary

  • ACL: Access control list filtering traffic by defined rules.
  • DHCP: Service that automatically assigns IP configuration to clients.
  • DNS: Service that resolves names to IP addresses.
  • VLAN: Logical network segment on switched infrastructure.
  • NAT: Network address translation between private and public addressing.


Revised on Thursday, May 14, 2026