Network+ N10-009: Home Lab Ideas to Study Networking the Right Way

The CompTIA Network+ N10-009 proves you can design, configure, manage, and troubleshoot real networks. It’s one of the most recognized mid-level certifications in IT — and it’s the foundation that everything else (Security+, cloud, DevOps) builds on.

The challenge is that networking is deeply physical by nature. Routers, switches, cables, IP addresses — it’s hard to understand these concepts without actually touching them. That’s exactly where a home lab changes everything.

This post covers the tools, environments, and specific labs you can build — most of them free — organized around all five N10-009 exam domains.

The N10-009 Exam Domains

Domain 5 (Troubleshooting) is the biggest at 25% — and you cannot study your way through it. You have to break things and fix them. Labs are the only way.

Setting Up Your Lab Environment

The good news: you don’t need physical switches and routers to learn networking. Virtualization tools let you simulate entire networks on a single laptop.

Primary Tool: GNS3 (Free)

GNS3 is the industry standard for network simulation. It runs real Cisco IOS images, emulates network topologies, and integrates with VirtualBox/VMware so your virtual servers can connect to your virtual network.

• Download from gns3.com
• Install the GNS3 VM (VirtualBox or VMware) for better performance
• Use Cisco IOSv or Cisco CSR1000v images (freely available for personal lab use)

Alternative: Cisco Packet Tracer (Free)

If GNS3 feels like too much setup, Cisco Packet Tracer is simpler and completely free with a free NetAcad account.

• Not real IOS, but covers 90% of what the exam tests
• Great for beginners, VLANs, routing protocols, and subnetting practice
• Download at netacad.com

Alternative: EVE-NG (Community Edition, Free)

EVE-NG is more powerful than GNS3 for large topologies. The community edition is free and runs as a VM.

Supporting VMs

Spin these up in VirtualBox alongside your network topology:

Domain 1: Networking Concepts (23%)

This domain covers the OSI model, protocols, ports, IP addressing, and network services. It’s theory-heavy but you can anchor it with fast, practical labs.

Lab 1 — Subnetting Practice Until It’s Automatic

Subnetting shows up everywhere on the exam. The fastest way to get good at it is repetition with a tool that gives instant feedback.

Use network.it-learn.io to drill the subnetting flashcards, then practice the math manually:

Given: 192.168.10.0/26
Block size: 256 - 192 = 64
Subnets: 192.168.10.0, .64, .128, .192
Hosts per subnet: 64 - 2 = 62 usable
Broadcast of first subnet: 192.168.10.63

Practice until you can calculate network address, broadcast, usable host range, and subnet mask in under 30 seconds. The exam has timed scenarios where slow subnetting will hurt you.

Lab 2 — Map Every Port and Protocol You Need to Know

Build a reference sheet and then test yourself. The exam will ask you which port a protocol uses or what a packet capture shows.

The lab: open Wireshark and capture real traffic. Filter by protocol and verify the ports match your reference sheet. Seeing it in a packet makes it stick.

Lab 3 — Build and Query Your Own DNS Server

DNS is on every domain of the exam — troubleshooting, security, operations. Build one so you understand it end to end.

 1# Install BIND9 on Ubuntu Server
 2sudo apt install bind9 bind9utils -y
 3
 4# Create a forward lookup zone for "lab.local"
 5# Edit /etc/bind/named.conf.local:
 6zone "lab.local" {
 7    type master;
 8    file "/etc/bind/db.lab.local";
 9};
10
11# Create the zone file /etc/bind/db.lab.local:
12$TTL 604800
13@   IN  SOA ns1.lab.local. admin.lab.local. (
14            2024010101 ; Serial
15            604800     ; Refresh
16            86400      ; Retry
17            2419200    ; Expire
18            604800 )   ; Negative TTL
19
20@   IN  NS   ns1.lab.local.
21ns1 IN  A    192.168.56.10
22www IN  A    192.168.56.20
23mail IN A    192.168.56.30
24
25# Restart and test
26sudo systemctl restart bind9
27nslookup www.lab.local 192.168.56.10
28dig @192.168.56.10 www.lab.local

Now troubleshoot it: remove a record and watch nslookup fail. Add it back. This is exactly what the exam tests.

Domain 2: Network Implementation (19%)

This domain is all about routing, switching, wireless, and cabling. GNS3 is your best friend here.

Lab 4 — Configure VLANs and Inter-VLAN Routing

VLANs are on almost every networking exam. Build this topology in GNS3 or Packet Tracer:

[PC1 - VLAN 10] ---\
                    [Switch] --- [Router] --- [Internet]
[PC2 - VLAN 20] ---/

Configure the switch:

! Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config)# vlan 20
Switch(config-vlan)# name IT

! Assign access ports
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Switch(config)# interface fa0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20

! Configure trunk to router
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk

Configure the router (Router-on-a-Stick):

Router(config)# interface fa0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0

Router(config)# interface fa0/0.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

Verify that PC1 (VLAN 10) can ping PC2 (VLAN 20) through the router. Then verify they can’t reach each other if you remove the routing. This teaches VLANs, trunking, 802.1Q, and inter-VLAN routing in one lab.

Lab 5 — Configure OSPF Between Multiple Routers

Static routes work for small networks but the exam expects you to understand dynamic routing protocols — especially OSPF.

Build a three-router topology in GNS3:

[R1: 10.0.12.1] --- [R2: 10.0.12.2 / 10.0.23.1] --- [R3: 10.0.23.2]
  192.168.1.0/24                                          192.168.3.0/24

Configure OSPF on each router:

R1(config)# router ospf 1
R1(config-router)# network 10.0.12.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0

R2(config)# router ospf 1
R2(config-router)# network 10.0.12.0 0.0.0.255 area 0
R2(config-router)# network 10.0.23.0 0.0.0.255 area 0

R3(config)# router ospf 1
R3(config-router)# network 10.0.23.0 0.0.0.255 area 0
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0

Verify routes with show ip route and show ip ospf neighbor. Then simulate a link failure and watch OSPF reconverge. This makes questions about convergence, neighbor relationships, and routing tables completely clear.

Lab 6 — Spanning Tree Protocol in Action

STP prevents loops in switched networks. It’s on the exam and it’s confusing until you see it work.

In GNS3 or Packet Tracer, build a loop:

[Switch1] --- [Switch2]
     \            /
      [Switch3]

Enable STP (it’s on by default) and run:

Switch1# show spanning-tree
Switch1# show spanning-tree detail

Watch which ports become root, designated, and blocking. Then manually set a different switch as root bridge:

Switch2(config)# spanning-tree vlan 1 priority 4096

Watch the topology reconverge. This turns STP exam questions from memorization into something you’ve actually seen happen.

Domain 3: Network Operations (17%)

This domain covers monitoring, documentation, high availability, and network services like DHCP and NTP.

Lab 7 — Build a DHCP Server and Capture the DORA Process

DHCP’s Discover → Offer → Request → Acknowledge process is a guaranteed exam topic. Build it yourself and capture it with Wireshark.

 1# Install isc-dhcp-server on Ubuntu
 2sudo apt install isc-dhcp-server -y
 3
 4# Configure /etc/dhcp/dhcpd.conf
 5subnet 192.168.56.0 netmask 255.255.255.0 {
 6  range 192.168.56.100 192.168.56.200;
 7  option routers 192.168.56.1;
 8  option domain-name-servers 8.8.8.8, 8.8.4.4;
 9  option domain-name "lab.local";
10  default-lease-time 600;
11  max-lease-time 7200;
12}
13
14sudo systemctl restart isc-dhcp-server

On a client VM, open Wireshark and filter bootp, then run:

1sudo dhclient -r eth0  # release
2sudo dhclient eth0     # renew

Watch all four DORA packets appear in the capture. You’ll never miss a DHCP question again.

Lab 8 — Monitor Your Network with LibreNMS

LibreNMS is a free, open-source network monitoring platform (think SolarWinds but free). It uses SNMP to poll devices and shows you bandwidth, CPU, memory, and uptime.

1# Install on Ubuntu Server (see librenms.org for full guide)
2# Once installed, add your GNS3 router as a device with SNMP
3
4# Enable SNMP on a Cisco router in GNS3:
5Router(config)# snmp-server community public RO
6Router(config)# snmp-server location "Home Lab"
7Router(config)# snmp-server contact "admin@lab.local"

Add the router to LibreNMS and watch it start graphing traffic in real time. This teaches SNMP, MIBs, OIDs, polling intervals, and alerting — all Network+ topics.

Domain 4: Network Security (16%)

This domain covers firewalls, IDS/IPS, VPNs, wireless security, and network hardening.

Lab 9 — Build a Firewall with pfSense

pfSense turns any VM into a fully featured firewall and router. Install it in VirtualBox with three network adapters:

• em0 → WAN (NAT to your real internet)
• em1 → LAN (trusted network, 192.168.1.0/24)
• em2 → DMZ (servers, 192.168.2.0/24)

Configure rules in the pfSense web UI:

• LAN → WAN: allow all outbound
• DMZ → WAN: allow ports 80/443 only
• LAN → DMZ: allow all (so you can manage servers)
• DMZ → LAN: block all (critical — servers shouldn’t reach clients)
• WAN → DMZ: allow ports 80/443 from internet (port forward)

Test each rule and verify traffic is blocked or allowed as expected. This is network segmentation, firewall rule order, and implicit deny all in one lab.

Lab 10 — Set Up a Site-to-Site VPN with WireGuard

VPNs are on the exam — types, use cases, and protocols. Build one.

 1# Install WireGuard on two Ubuntu VMs (simulating two "sites")
 2sudo apt install wireguard -y
 3
 4# On VM1 (Site A gateway):
 5wg genkey | tee privatekey | wg pubkey > publickey
 6
 7# /etc/wireguard/wg0.conf on Site A:
 8[Interface]
 9Address = 10.10.0.1/24
10PrivateKey = <site_a_private_key>
11ListenPort = 51820
12
13[Peer]
14PublicKey = <site_b_public_key>
15AllowedIPs = 10.10.0.2/32, 192.168.2.0/24
16Endpoint = SITE_B_IP:51820
17
18# Bring up the tunnel
19sudo wg-quick up wg0
20sudo wg show

Once it’s up, ping across the tunnel and capture the traffic with Wireshark — you’ll see encrypted UDP packets on port 51820. This teaches tunneling, encryption in transit, and VPN architecture.

Domain 5: Network Troubleshooting (25%) — The Big One

This is the highest-weighted domain and the most practical. You need to be fast and methodical with troubleshooting tools.

Lab 11 — Wireshark Deep Dive

Wireshark is the single most important tool for the Network+ exam. You should be comfortable reading a capture before exam day.

Install Wireshark on Kali or Ubuntu and practice these essential filters:

# Find all traffic to/from a specific host
ip.addr == 192.168.56.10

# See only DNS queries and responses
dns

# Find HTTP requests
http.request

# Spot TCP connection issues (RST = reset, FIN = close)
tcp.flags.reset == 1
tcp.flags.fin == 1

# Find ICMP (ping) traffic
icmp

# See only DHCP
bootp

# Detect ARP (useful for finding IP conflicts)
arp

Practice scenario: generate an SSH connection from Kali to Ubuntu Server. Capture it. Find the TCP three-way handshake (SYN → SYN-ACK → ACK). Find where the session ends (FIN-ACK). Understand what you’re looking at.

Lab 12 — Troubleshoot a Broken Network Methodically

In GNS3, build a working network, then intentionally break it in one of these ways and practice finding the fault:

Use the OSI model as your troubleshooting framework — start at Layer 1 (is the cable/link up?) and work up:

 1# Layer 1 — Physical
 2ping 127.0.0.1              # Is TCP/IP stack working?
 3ip link show                # Is the NIC up?
 4
 5# Layer 2 — Data Link
 6arp -a                      # ARP table — is MAC resolving?
 7
 8# Layer 3 — Network
 9ping 192.168.1.1            # Can I reach the gateway?
10ip route show               # Do I have a route?
11traceroute 8.8.8.8          # Where does it fail?
12
13# Layer 4-7 — Transport to Application
14curl http://192.168.1.20    # Can I reach the service?
15nslookup google.com         # Is DNS working?

Working through this process systematically is exactly what the exam’s troubleshooting scenarios expect from you.

Recommended Study Stack

Study Tips That Actually Work

1. Subnet until it’s boring. Subnetting is worth the investment. If you can subnet fast and accurately, a big chunk of the exam gets easier. Use the table method and drill it daily for two weeks.

2. Use Wireshark for everything. Every time you set up a new service, capture the traffic. Seeing protocols in packets is worth ten times more than reading about them.

3. Build, break, fix. Set up a working lab, intentionally misconfigure something, and troubleshoot it back to working. This is exactly how the exam’s performance-based questions work.

4. Know your OSI layers cold. Most troubleshooting questions map to a specific OSI layer. If you can quickly identify what layer a problem lives on, you’ll find the answer faster.

5. Take at least 300 practice questions before exam day. Use network.it-learn.io to drill objectives by domain. Focus extra time on Domain 5 (Troubleshooting) — it’s 25% of the exam.

What’s Next After Network+?

Network+ is one of the most versatile certs in IT. It gives you the vocabulary and mental model to understand every other technical domain — security, cloud, DevOps, and beyond.

Start Today

You don’t need to build all 12 labs at once. Start here:

1. Install Packet Tracer and build a basic VLAN topology (30 minutes)
2. Run Wireshark and capture a ping, a DNS query, and an HTTP request (20 minutes)
3. Practice subnetting with the /24, /25, /26, /27, and /28 blocks until they feel natural

That’s a solid evening — and you’ll understand more about how networks actually work than most people who just watch videos.

Good luck on the exam. 🌐