Free NETWORK Plus Practice Questions
10 free, exam-style CompTIA Network+ (NETWORK Plus) practice questions with answers and
explanations. No signup required. Work through them below, then take the
full free NETWORK Plus practice test to study every exam domain.
Question 1
A network technician is analyzing a packet capture and identifies TCP segments. At which OSI layer is the technician working?
- A. Network
- B. Transport
- C. Session
- D. Data Link
Correct answer: B - Transport
TCP segments are the protocol data unit (PDU) at Layer 4, the Transport layer. Each OSI layer has its own PDU name: Layer 1 uses bits, Layer 2 uses frames, Layer 3 uses packets, and Layer 4 uses segments (TCP) or datagrams (UDP). Memorizing the PDU-to-layer mapping is one of the fastest ways to answer OSI scenario questions on the exam - if you see 'TCP segment,' you're at Layer 4; if you see 'IP packet,' you're at Layer 3; if you see 'Ethernet frame,' you're at Layer 2.
Question 2
An administrator assigns 192.168.1.0/24 and divides it into four equal subnets. What is the new mask?
- A. /26
- B. /25
- C. /27
- D. /28
Correct answer: A - /26
To split a network into 4 equal subnets, you need 2 borrowed bits because 2² = 4. Starting from /24 and adding 2 bits gives you /26. Quick reference: /25 = 2 subnets, /26 = 4 subnets, /27 = 8 subnets, /28 = 16 subnets. Each /26 subnet contains 64 addresses (62 usable hosts). The four resulting subnets would be 192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26, and 192.168.1.192/26. Practice the formula: 2ⁿ = number of subnets, where n is the number of bits borrowed.
Question 3
A 10 Gbps link over Cat 6 fails when the run is 80 meters. What is the most likely cause?
- A. Cat 6 cannot support gigabit
- B. Cat 6 supports only 55m at 10G
- C. The cable must be plenum rated
- D. The cable needs a longer connector
Correct answer: B - Cat 6 supports only 55m at 10G
Standard Cat 6 supports 10GBASE-T only up to 55 meters under typical conditions due to crosstalk; beyond that distance the link becomes unreliable or fails to establish. For 10G runs up to the full 100m, you need Cat 6a (augmented) or higher. Quick reference: Cat 5e supports 1G to 100m, Cat 6 supports 10G to 55m and 1G to 100m, Cat 6a/Cat 7/Cat 8 support 10G to 100m. This is a frequently tested gotcha because Cat 6 looks like a working cable type, but distance silently breaks the link - exactly the kind of detail that separates passing from failing the exam.
Question 4
Which feature shuts down a port if a BPDU arrives on a PortFast-enabled access port?
- A. Loop Guard
- B. Root Guard
- C. BPDU Guard
- D. UDLD
Correct answer: C - BPDU Guard
BPDU Guard is specifically designed to protect PortFast access ports. PortFast skips the listening/learning states and goes straight to forwarding - which is dangerous if a switch is plugged in there, because that switch's BPDUs could change the topology. BPDU Guard immediately err-disables the port the moment any BPDU is received, protecting the network. Don't confuse the four STP defenses: Root Guard prevents a port from becoming a root port (used on designated ports facing potential rogue switches), Loop Guard prevents loops on unidirectional links by putting ports in 'loop-inconsistent' state, and UDLD detects unidirectional fiber failures. All four are real Spanning Tree defenses, which is why this question tests precise differentiation.
Question 5
Which security standard replaces the WPA2 4-way handshake with SAE for stronger key exchange?
- A. WPA3
- B. WPA
- C. WPA2
- D. WEP
Correct answer: A - WPA3
WPA3 introduces Simultaneous Authentication of Equals (SAE), which replaces the WPA2-Personal 4-way handshake with a Dragonfly-based key exchange. SAE provides forward secrecy (an attacker who later learns the passphrase still can't decrypt previously captured traffic) and resists offline dictionary attacks even with weak passphrases - the two biggest weaknesses of WPA2-PSK. WPA3 also mandates Protected Management Frames (PMF) and uses stronger encryption (AES-GCMP-256 in Enterprise mode). The N10-009 exam expects you to know WPA3 features by name: SAE for personal, 192-bit Suite B option for Enterprise, and Wi-Fi Enhanced Open (OWE) for opportunistic encryption on guest networks.
Question 6
Which modern Linux command supersedes netstat for socket information?
- A. ifconfig for legacy use only
- B. ss (socket statistics)
- C. ipconfig for Windows only
- D. arp for local ARP cache only
Correct answer: B - ss (socket statistics)
The ss (socket statistics) command replaces netstat on modern Linux distributions and is significantly faster, especially on busy systems with many connections. It pulls socket info directly from kernel structures rather than parsing /proc files. Common usage: 'ss -tuln' shows TCP/UDP listening sockets numerically, 'ss -tnp' shows TCP with process names. The N10-009 exam emphasizes modern tooling, so know the legacy-to-modern transitions: netstat → ss, ifconfig → ip (e.g., 'ip addr' replaces 'ifconfig', 'ip route' replaces 'route'). Knowing both is important since you'll see netstat/ifconfig on older systems and ss/ip on current ones.
Question 7
An organization can tolerate up to 4 hours of downtime for a critical app. Which DR metric does this represent?
- A. MTBF (Mean Time Between Failures)
- B. RPO (Recovery Point Objective)
- C. RTO (Recovery Time Objective)
- D. MTTR (Mean Time To Repair)
Correct answer: C - RTO (Recovery Time Objective)
RTO (Recovery Time Objective) defines the maximum acceptable downtime - how long a service can be unavailable before causing unacceptable business impact. The 4-hour figure in the scenario maps directly to RTO. Keep the four metrics straight, since they are routinely confused on the exam: RPO is the maximum acceptable data loss measured in time (how far back you'd restore from); MTBF measures component reliability between failures; MTTR is how long it takes to repair once a failure occurs. Memory aid: RTO is about *how long until we're up*, RPO is about *how much data we lose*. Lower RTO/RPO costs more - synchronous replication for near-zero RPO is far more expensive than nightly backups.
Question 8
A phishing email targeted at a specific high-value executive is called:
- A. Vishing over phone calls
- B. Smishing over SMS
- C. Pretexting via mail
- D. Whaling attack
Correct answer: D - Whaling attack
Whaling specifically targets high-value individuals - executives, C-suite, finance leadership - because the payoff (wire transfer fraud, M&A intel, credentials with broad access) justifies the attacker's research effort. Whaling emails are highly customized with information harvested from LinkedIn, press releases, and public filings. Differentiate the social engineering family: spear phishing targets specific individuals or small groups (whaling is a specialized form of spear phishing aimed at the top of the org chart), vishing uses voice/phone, smishing uses SMS text messages, and pretexting builds a fictional scenario to manipulate the target. The exam tests precise terminology - knowing the channel (voice/SMS/email) and the target (broad/specific/executive) lets you eliminate distractors quickly.
Question 9
DHCP clients on a remote VLAN do not receive IPs. The most likely fix is:
- A. Change OSPF area on the LAN
- B. Disable Spanning Tree on uplinks
- C. Reduce DHCP lease times globally
- D. Configure DHCP relay (IP helper)
Correct answer: D - Configure DHCP relay (IP helper)
DHCP discovery uses Layer 2 broadcasts (DHCPDISCOVER), which routers don't forward across subnets by default. When clients are on a different VLAN than the DHCP server, the router/Layer 3 switch needs a DHCP relay agent - configured with the 'ip helper-address <dhcp-server-ip>' command on the client-facing interface. The relay receives the broadcast, repackages it as a unicast to the DHCP server, and forwards the response back. Symptoms of missing DHCP relay: clients on the local VLAN with the DHCP server work fine, but remote-VLAN clients fall back to APIPA (169.254.x.x) addresses. This is one of the most common real-world DHCP failures and a near-certainty on the Network+ exam.
Question 10
A user reports a subtle ACL issue. The traffic is denied near the end of a long ACL. The likely cause is:
- A. Spanning Tree topology change happened on uplinks
- B. DHCP scope size shrank on the VLAN segment
- C. A more general entry above is matching first
- D. OSPF area type changed unexpectedly on uplinks
Correct answer: C - A more general entry above is matching first
ACLs are evaluated top-down with first-match-wins semantics. If a broader rule earlier in the ACL matches the traffic (for example, a 'deny tcp any any' that catches all TCP traffic before the specific 'permit' near the bottom is reached), the traffic is denied - and the more specific rule lower in the ACL is never evaluated. The fix is to reorder the ACL: put more specific rules above general rules. Always remember the implicit deny at the end: any traffic not explicitly permitted is dropped. This top-down logic is also why inserting a new ACL entry requires care - adding a 'permit' below an existing 'deny' that already matches will have no effect. ACL ordering issues are one of the most-tested troubleshooting scenarios on the exam because they look like firewall problems but are actually rule-order problems.