Came from the IG reel? You commented, here are all 20. 👇

These are 20 free Network+ practice questions in the exact format of the N10-009 exam, spread across all five domains. Answer each one honestly — no Googling, no flashcards open — then click Show answer to reveal the explanation and check yourself.

The 20-question practice test

Pick your answer for each question first, then click Show answer to check it. No peeking — the whole point of a practice test is committing to an answer before you see the right one. Keep a tally as you go; there’s a scoring guide at the bottom.

Q1: Networking concepts

Which port number is used by SSH?

A. 21
B. 22
C. 23
D. 25

Show answer
B (22). SSH uses TCP/22. Same port as SFTP and SCP. Telnet (unencrypted) is 23 — the most common trap.

Q2: Networking concepts

A user reports that they can ping their default gateway but cannot reach any website by name. Which service is most likely failing?

A. DHCP
B. DNS
C. ARP
D. SMTP

Show answer
B (DNS). Ping by IP works, ping by hostname fails → DNS resolution is broken. Default gateway reachability rules out network connectivity issues.

Q3: Networking concepts

What is the broadcast address of the subnet 192.168.5.0/29?

A. 192.168.5.6
B. 192.168.5.7
C. 192.168.5.8
D. 192.168.5.15

Show answer
B (192.168.5.7). /29 has block size 8 (256 − 248). Subnets: 0, 8, 16, … The first /29 covers .0–.7, so broadcast is .7.

Q4: Network implementation

Which device operates at OSI Layer 2 and forwards frames based on MAC addresses?

A. Hub
B. Switch
C. Router
D. Firewall

Show answer
B (Switch). Switch operates at Layer 2 (Data Link), forwards frames based on MAC addresses, builds a MAC address table. Hub is Layer 1, router is Layer 3.

Q5: Network implementation

A network administrator needs to connect two VLANs on the same switch. Which technology is required?

A. Inter-VLAN routing (or a Layer-3 switch)
B. Spanning Tree Protocol (STP)
C. Port mirroring
D. Link aggregation

Show answer
A (Inter-VLAN routing). VLANs are Layer-2 isolation. Crossing between VLANs requires Layer-3 forwarding — either a router-on-a-stick or a Layer-3 switch.

Q6: Network operations

A new server needs an IP address that does not change. Which DHCP feature accomplishes this?

A. DHCP relay
B. DHCP reservation
C. DHCP scope
D. APIPA

Show answer
B (DHCP reservation). Reservation binds a specific MAC address to a specific IP within the DHCP scope, so the device always gets the same IP without manual configuration.

Q7: Network security

Which of the following provides authentication, authorization, and accounting for network device administration?

A. RADIUS
B. TACACS+
C. LDAP
D. Kerberos

Show answer
B (TACACS+). RADIUS does authentication + authorization but combines them — not great for granular device admin. TACACS+ separates all three (AAA) and is the Cisco-preferred network device admin protocol.

Q8: Network security

A user can log in to the corporate WiFi but cannot access internal file shares. Other users at the same access point have no issue. What is the most likely cause?

A. WPA2 key mismatch
B. The user is assigned to the wrong VLAN
C. The DNS server is offline
D. The access point is misconfigured

Show answer
B (Wrong VLAN). If WiFi auth worked, WPA2 is fine. If DNS were down, all users would be affected. The single-user, single-symptom pattern points to a VLAN misassignment — the user is on a guest VLAN that can’t reach internal shares.

Q9: Network troubleshooting

Which command is the first step in troubleshooting “I can’t reach a server” from a Windows machine?

A. ipconfig /all
B. ping default-gateway
C. tracert server-address
D. nslookup server-name

Show answer
A (ipconfig /all). Before pinging anything, confirm your machine has a valid IP, default gateway, and DNS server. If ipconfig shows 169.254.x.x (APIPA), the problem is DHCP, not the destination server.

Q10: Network troubleshooting

A switchport is in a “blocking” state. Which protocol is most likely responsible?

A. CDP
B. LACP
C. STP
D. VTP

Show answer
C (STP). Spanning Tree Protocol puts redundant switchports into a blocking state to prevent Layer-2 loops. CDP is discovery, LACP is link aggregation, VTP is VLAN configuration distribution.

Q11: Networking concepts

At which OSI layer does a router make its forwarding decisions?

A. Layer 1 (Physical)
B. Layer 2 (Data Link)
C. Layer 3 (Network)
D. Layer 4 (Transport)

Show answer
C (Layer 3). Routers forward packets based on IP addresses, which live at Layer 3 (Network). Switches forward frames at Layer 2 using MAC addresses; hubs repeat bits at Layer 1.

Q12: Networking concepts

A web server is configured to accept encrypted traffic only. Which port must be open on the firewall?

A. 80
B. 443
C. 8080
D. 21

Show answer
B (443). HTTPS uses TCP/443. Port 80 is unencrypted HTTP, 8080 is an alternate HTTP port, and 21 is FTP control.

Q13: Network implementation

What is the maximum supported cable length for a 1000BASE-T (Gigabit Ethernet over copper) run?

A. 55 meters
B. 100 meters
C. 185 meters
D. 500 meters

Show answer
B (100 meters). Twisted-pair Ethernet (10/100/1000BASE-T) is rated to 100 m total, typically 90 m of horizontal cable plus 10 m of patch cords. Beyond that you need fiber or a repeater/switch.

Q14: Network implementation

Which wireless standard is marketed as Wi-Fi 6 and operates in both the 2.4 GHz and 5 GHz bands?

A. 802.11n
B. 802.11ac
C. 802.11ax
D. 802.11g

Show answer
C (802.11ax). 802.11ax = Wi-Fi 6, dual-band (2.4 + 5 GHz), adds OFDMA and improved efficiency. 802.11ac (Wi-Fi 5) is 5 GHz only; 802.11n (Wi-Fi 4) is dual-band but older and slower.

Q15: Network operations

Which protocol synchronizes device clocks across the network so that log timestamps line up during an investigation?

A. SNMP
B. NTP
C. Syslog
D. NetFlow

Show answer
B (NTP). Network Time Protocol (UDP/123) keeps clocks in sync. SNMP polls device health, Syslog forwards log messages, NetFlow exports traffic-flow data. Accurate time is what makes correlated logs trustworthy.

Q16: Network operations

Which technology provides default-gateway redundancy so hosts keep connectivity if one router fails?

A. STP
B. LACP
C. FHRP (HSRP / VRRP)
D. QoS

Show answer
C (FHRP). A First Hop Redundancy Protocol — HSRP, VRRP, or GLBP — lets two or more routers share a virtual gateway IP so failover is transparent to hosts. STP prevents L2 loops, LACP bundles links, QoS prioritizes traffic.

Q17: Network security

An attacker positions themselves between a user and the gateway, silently relaying and reading the traffic that passes through. What type of attack is this?

A. On-path (man-in-the-middle)
B. Denial of service
C. SQL injection
D. Brute force

Show answer
A (On-path / MITM). An on-path attacker intercepts and can read or modify traffic between two parties, often via ARP spoofing or a rogue access point. DoS overwhelms a service, SQLi targets databases, brute force guesses credentials.

Q18: Network security

Which wireless security standard provides the strongest protection and introduces Simultaneous Authentication of Equals (SAE)?

A. WEP
B. WPA
C. WPA2
D. WPA3

Show answer
D (WPA3). WPA3 replaces the WPA2 pre-shared-key handshake with SAE (a.k.a. Dragonfly), which resists offline dictionary attacks. WEP and WPA are both broken and deprecated; WPA2 is still common but weaker than WPA3.

Q19: Network troubleshooting

A gigabit link between two switches negotiates at only 100 Mbps. Both switches and both ports support gigabit. What is the most likely cause?

A. Duplex mismatch
B. A faulty cable with only two working pairs
C. Incorrect VLAN assignment
D. STP is blocking the port

Show answer
B (Faulty cable — only two pairs working). 1000BASE-T needs all four pairs; 10/100 only needs two. A damaged cable, bad termination, or a pulled pair drops the link to 100 Mbps. Re-terminate or replace the cable and test with a cable tester.

Q20: Network troubleshooting

Users report slow performance, and you see “late collisions” incrementing on a switch interface. What is the most likely cause?

A. Duplex mismatch
B. Broadcast storm
C. DNS failure
D. IP address conflict

Show answer
A (Duplex mismatch). Late collisions are the signature of a duplex mismatch — one side set to full duplex, the other to half. Set both ends to auto-negotiate (or hard-set both to the same duplex). A broadcast storm shows as high broadcast traffic, not late collisions.

Score yourself

The real exam passes at 720/900 ≈ 80%. On these 20 questions, that’s 16 correct.

| Score | What it means | Next step |
|---|---|---|
| 18–20 | Exam-ready. You’re consistently above the pass bar. | Schedule the exam — and take one more fresh test to confirm. |
| 15–17 | Right at the line. A focused weak-domain pass gets you clear. | Drill the domains you missed for another week, then retest. |
| 12–14 | Solid foundation, not exam-ready yet. | 2–3 more weeks. Use the final-week plan when you’re close. |
| Below 12 | More foundation work needed before booking the exam. | Work domain-by-domain. Don’t schedule until you’re consistently 16+. |

Spot your weak domain: each question is tagged with its official Network+ domain (Networking concepts, Implementation, Operations, Security, Troubleshooting). If you missed 2+ questions in the same domain, that’s exactly what to drill next.

Want more practice?

The Network+ practice-test bank on network.it-learn.io has 500+ questions across all five domains — including the PBQ-style drag-and-drop scenarios (subnet allocation, OSI-layer mapping) that this multiple-choice set doesn’t cover. All aligned to the N10-009 objectives. Drill 20 a day for two weeks and you’ll be over the 80% bar on every domain.
