CompTIA Network+ (N10-009) PBQs

30 truly interactive simulations — animated firewall, Wireshark hex pane, working Cisco IOS terminal, VLAN port painter, drag-build topology, subnet visualizer.

30 PBQs: 10 GUI/Sim · 4 Terminal · 4 Diagram/Log · 12 DD/Form
PBQ 1 Firewall Rule Builder & Packet Simulator
15:00 · Domain 4.0 Security
SCENARIO
Acme Corp is launching a new public-facing web server (10.10.1.5) in the DMZ. As the network admin, you have been asked to harden the perimeter firewall before the launch. The compliance team requires a least-privilege ruleset: only the traffic actually needed should reach the DMZ, and management access (SSH) must be restricted to a single bastion host (10.0.0.50). Telnet is forbidden by policy. The firewall implements an implicit deny-all as the final rule. The vendor evaluates the ACL top-down, first match wins.

INSTRUCTIONS:
1. Drag the appropriate rule chips from the pool below into the firewall slots in priority order.
2. Select a test packet scenario from the dropdown and click Send Test Packet — watch it animate through the topology. Green = permitted, red = blocked at the firewall.
3. When all four test packets behave correctly, click Validate ACL.
Requirements:
  • Permit HTTPS (TCP/443) from any source to the web server
  • Permit DNS (UDP/53) outbound queries from web server
  • Permit SSH (TCP/22) only from admin host 10.0.0.50
  • Block Telnet (TCP/23) from anywhere
  • Implicit deny-all at the bottom
[Diagram: Internet (untrusted) → Firewall ACL, top-down evaluation (Rule 1 to Rule 4 slots, then implicit DENY ALL) → DMZ zone (Web 10.10.1.5, DNS 10.10.1.6)]
Available rule chips — drag into firewall slots
PERMIT tcp any → :443
PERMIT udp any → :53
PERMIT tcp 10.0.0.50 → :22
PERMIT tcp any → :80
DENY tcp any → :23
DENY tcp any → :22
PERMIT icmp any
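The top-down, first-match evaluation described in the PBQ 1 scenario, as an added example (not the simulator's own code). The rule chips are parsed as written in the pool above; the test packets, the external source 198.51.100.7 and the names `ORDERED` and `SHADOWED` are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "PERMIT" or "DENY"
    proto: str             # "tcp", "udp" or "icmp"
    src: str               # "any" or an IPv4 address / CIDR
    dport: Optional[int]   # None means any destination port

# Chip syntax as shown in the pool: ACTION proto source [→ :port]
CHIP = re.compile(r"^(PERMIT|DENY) (\w+) (\S+)(?: → :(\d+))?$")

def parse_chip(text: str) -> Rule:
    m = CHIP.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule chip: {text!r}")
    action, proto, src, port = m.groups()
    return Rule(action, proto, src, int(port) if port else None)

def matches(rule: Rule, proto: str, src_ip: str, dport: int) -> bool:
    if rule.proto != proto:
        return False
    if rule.src != "any" and (
        ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src)
    ):
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(acl, proto, src_ip, dport):
    """First match wins; returns (action, slot number), or ("DENY", None)
    when no rule matched and the implicit deny-all applies."""
    for slot, rule in enumerate(acl, start=1):
        if matches(rule, proto, src_ip, dport):
            return rule.action, slot
    return "DENY", None

# A ruleset built from the page's chips that meets the listed requirements.
ORDERED = [parse_chip(c) for c in (
    "PERMIT tcp any → :443", "PERMIT udp any → :53",
    "PERMIT tcp 10.0.0.50 → :22", "DENY tcp any → :23")]
# Here the broad SSH deny sits above the bastion permit and shadows it.
SHADOWED = [parse_chip(c) for c in (
    "PERMIT tcp any → :443", "DENY tcp any → :22",
    "PERMIT tcp 10.0.0.50 → :22", "DENY tcp any → :23")]

if __name__ == "__main__":
    # Constructed test packets: (protocol, source IP, destination port)
    for pkt in [("tcp", "198.51.100.7", 443), ("tcp", "10.0.0.50", 22),
                ("tcp", "198.51.100.7", 22), ("tcp", "198.51.100.7", 23)]:
        print(pkt, evaluate(ORDERED, *pkt), evaluate(SHADOWED, *pkt))
```

In `SHADOWED` the bastion's SSH packet is dropped at slot 2 and the permit below it is never reached, which is the failure mode a first-match ACL review should look for.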
PBQ 2 VLAN Port Assignment Console
12:00 · Domain 2.0 Implementation
TASK
Click each switch port to assign a VLAN. Ports color-code by VLAN. Apply the design from the scenario, then validate.
Design (Catalyst 2960 — SW1):
  • VLAN 10 (DATA) blue: Gi0/1, Gi0/2, Gi0/3, Gi0/4
  • VLAN 20 (VOICE) green: Gi0/5, Gi0/6
  • VLAN 30 (GUEST) orange: Gi0/7, Gi0/8
  • VLAN 99 (MGMT) purple: Gi0/9
  • TRUNK 802.1Q striped: Gi0/11, Gi0/12
  • Gi0/10 — leave unassigned
SW1 — Catalyst 2960-X · 12 Gigabit ports
Legend: VLAN 10 Data · VLAN 20 Voice · VLAN 30 Guest · VLAN 99 Mgmt · Trunk 802.1Q · Unassigned
PBQ 3 Wireshark Packet Analysis
15:00 · Domain 5.0 Troubleshooting
TASK
Click a frame to load it. Click a tree field and the corresponding bytes light up in the hex pane. Then answer the questions.
Capture: web-troubleshoot.pcap · 6 frames
Packet list columns: No. | Time | Source | Destination | Proto | Length | Info
PBQ 4 Cisco IOS Configuration Terminal
20:00 · Domain 2.0 Implementation
TASK
Type real IOS commands to configure router R1: hostname, enable secret, interface G0/0 with IP 192.168.10.1/24, no shutdown, save config. Each command updates real router state.
R1 — Cisco IOS 15.4
Cisco IOS Software, ISR Software (C2900-UNIVERSALK9-M), Version 15.4(3)M5
cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Press RETURN to start.
Router>
Required outcome: hostname=R1, enable secret set, interface g0/0 with IP 192.168.10.1 255.255.255.0, status up/up, config saved with copy run start.
PBQ 5 Network Topology Builder
15:00 · Domain 1.0 Concepts
SCENARIO
Acme Corp is opening a new branch office for 25 employees. You are the network engineer responsible for the physical design. The branch must reach the corporate HQ over the Internet through an ISP-provided link, with a perimeter firewall as the security boundary. Inside the office, two wired desktop workstations and a wireless access point (for laptops/phones) need to share a single Layer-2 switch. Routing between the LAN and the WAN sits on a dedicated SOHO router behind the firewall.

INSTRUCTIONS:
1. Drag each device from the left palette onto the canvas (faded ghost positions show where they belong).
2. Click the yellow 🔗 Connect mode button to enter wiring mode, then click any two devices in succession to draw a Cat6 link between them.
3. Required adjacencies: ISP ↔ Firewall ↔ Router ↔ Switch; the Switch branches out to the AP and both PCs.
4. Do not create direct PC↔PC, AP↔PC, or Firewall↔PC links — those will fail validation.
5. Click Validate when finished.
Required topology:
  • 1 ISP → 1 Firewall → 1 Router → 1 Switch
  • Switch connects to: 1 Wireless AP, 2 PCs
  • No PC↔PC, no AP↔PC, no Firewall↔PC links
Device palette: ISP, Firewall, Router, Switch, Wi-Fi AP, PC
Canvas positions: ISP, Firewall, Router, Switch, AP, PC1, PC2
Drag these 7 devices from the left palette to fill the positions, then click "Connect" and click two devices to link them.
PBQ 6 Cloudflare DNS — acme.com zone editor
20:00 · Domain 1.0 Concepts
SCENARIO
Acme is migrating DNS to Cloudflare. You have console access to the acme.com zone. The marketing team needs the public website reachable; the IT director needs mail flowing; the security team needs sender-policy (SPF + DMARC) records published. The zone currently has only NS/SOA records auto-generated by Cloudflare. You must populate it correctly — using the right record type for each goal — and configure the orange-cloud proxy state appropriately. After saving, a live DNS resolver below will issue dig queries against your records and report PASS / FAIL per requirement.

INSTRUCTIONS:
  • www — web server, IPv4 203.0.113.10, IPv6 2001:db8:42::10. Proxied through Cloudflare (orange cloud) so the origin IP is hidden.
  • shop — alias to www.acme.com. Proxied.
  • @ (apex) — mail handled by mail.acme.com, priority 10; backup MX mail2.acme.com priority 20.
  • @ — SPF policy v=spf1 include:_spf.google.com ~all
  • _dmarc — DMARC policy v=DMARC1; p=quarantine; rua=mailto:dmarc@acme.com
  • @ — CAA record restricting certificate issuance to Let's Encrypt only (0 issue "letsencrypt.org")
Cloudflare DNS · acme.com Active · Free plan
Cloudflare DNS is using these nameservers: ada.ns.cloudflare.com, elliot.ns.cloudflare.com · 2/6 required records present
Type | Name | Content | Proxy | TTL
NS | acme.com | ada.ns.cloudflare.com | DNS only | Auto (read-only)
SOA | acme.com | ada.ns.cloudflare.com hostmaster.acme.com | DNS only | Auto (read-only)
🔍 DNS resolver live test (dig)
Click "Save & Run dig" to test your records against an upstream resolver.
PBQ 7 AWS Management Console — VPC Security Groups
20:00 · Domain 1.0 Cloud
SCENARIO
Acme has launched a three-tier web app in us-east-1 inside vpc-0deadbeef. You are the cloud admin. The web-tier-sg attached to the public-facing EC2 ALB targets currently has no inbound rules — users can't reach the site. Configure the SG so:
  • Inbound — HTTPS (TCP/443) from 0.0.0.0/0 + IPv6 ::/0
  • Inbound — SSH (TCP/22) only from the bastion host 10.0.0.50/32
  • Outbound — MySQL (TCP/3306) to the DB tier 10.0.20.0/24 only
  • Outbound — HTTPS (TCP/443) to 0.0.0.0/0 for package mirrors
The default "allow all outbound" rule must be removed to enforce least privilege.

INSTRUCTIONS: use the AWS console below — navigate to VPC → Security Groups → web-tier-sg, click the Inbound/Outbound tabs, Edit inbound rules or Edit outbound rules, add each row, save. Live-test packets are sent to your SG and the results render below.
sg-0abc123def456 · web-tier-sg
Security group ID: sg-0abc123def456
VPC ID: vpc-0deadbeef
Description: Public web tier
Owner: 123456789012
Inbound rules columns: Type | Protocol | Port range | Source | Description
Outbound rules columns: Type | Protocol | Port range | Destination | Description
Tags: No tags assigned.
🔍 Reachability Analyzer — live
PBQ 8 SDN OpenFlow Controller
12:00 · Domain 3.0 Operations
TASK
Build the OpenFlow flow table on switch sw-edge-1. Add the 3 required entries.
Required flows:
  • Priority 100 — match tcp_dst=443 → output:2
  • Priority 50 — match arp → flood
  • Priority 10 — match any → controller (table-miss)
Flow table columns: Pri | Match | Action | Counters
PBQ 9 Cisco Catalyst — Port-Security & 802.1X (live console)
20:00 · Domain 4.0 Security
SCENARIO
Acme has rolled out a hot-desking policy. Each cubicle drop must accept exactly one corporate-issued laptop authenticated via the corporate RADIUS server. If a user plugs in a personal switch or a foreign device, the port must restrict the traffic but stay up for legitimate frames. Port Gi0/5 is the test port for this rollout. Below the SVG of the switch you see the real Cisco IOS console attached to the device. Type the actual commands — this is not a form. The config preview on the right reflects the running config in real time, and the SVG port-LED changes color as you progress: amber = unconfigured, green = secured, red = violation.

INSTRUCTIONS: get to config-if mode for Gi0/5 and apply: switchport mode access, switchport port-security, switchport port-security maximum 1, switchport port-security mac-address sticky, switchport port-security violation restrict, then enable 802.1X (aaa new-model, aaa authentication dot1x default group radius, dot1x system-auth-control, radius-server host 10.0.0.10 auth-port 1812 key ExamSecret!, then on the interface dot1x port-control auto). Save with copy run start. Use the Test buttons to simulate plug-in events — the LED updates live.
[Switch panel: Cisco Catalyst 2960 — SW1 (FastEthernet panel), ports Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6, Gi0/7, Gi0/8]
SW1 console
SW1 boot complete. Console attached.
SW1>
Test bench:
running-config (live)
! empty — nothing applied
PBQ 10 NetGear Nighthawk — live SOHO router admin
20:00 · Domain 2.0 Implementation
SCENARIO
You're commissioning a NetGear Nighthawk SOHO router at a new branch office. Internet comes from the local ISP via DHCP. The internal LAN needs to live on 192.168.1.0/24 with the router as .1; static device assignments take .2–.99; DHCP clients get .100–.199. The 5 GHz radio broadcasts SSID BranchOffice protected with WPA3-Personal; passphrase WelcomeAcme2026!. Three test clients are waiting in the lobby: a corporate laptop, a guest phone, and a printer at static .50. Apply your changes and they'll attempt to associate live in the right-hand status panel.

INSTRUCTIONS: walk the admin tabs, fill the values, click Apply & Reboot. The reboot animation runs; then each test client attempts DHCP and Wi-Fi association. Validation requires WAN up, DHCP serving 100–199 (laptop + phone get IPs), printer keeps its static lease, and the SSID actually visible. Wrong values cause specific clients to fail.
NetGear Nighthawk R7800 · Admin FW 1.4.2 · logged in as admin
Admin tabs: WAN · LAN / DHCP · Wi-Fi 5 GHz · Status
WAN Connection
LAN / DHCP server
192.168.1.50 → HP_Printer (aa:11:22)
Wi-Fi 5 GHz
Router status
Router state    : Not yet committed
WAN status      : -
LAN IP          : -
SSID broadcast  : -
DHCP leases     : 0
Last reboot     : -
Test clients
  • corp laptop (DHCP): disconnected
  • guest phone (DHCP): disconnected
  • HP printer (static .50): disconnected
SSID: none broadcasting
PBQ 11 Network Diagnostics CLI
10:00 · Domain 5.0 Troubleshooting
TASK
Live CMD — type real commands: ping, tracert, nslookup, ipconfig, arp -a, netstat -an, route print.
Command Prompt — C:\Users\admin
Microsoft Windows [Version 10.0.22631.4317]
(c) Microsoft Corporation. All rights reserved.
C:\Users\admin>
PBQ 12 Linux Network Troubleshooting (bash)
10:00 · Domain 5.0 Troubleshooting
TASK
Live bash — type: ip a, ip route, ss -tlnp, dig, tcpdump, nmap, curl.
admin@ubuntu-srv01: ~
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-92-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage
Last login: Tue May 10 14:22:18 2026 from 192.168.1.50
admin@ubuntu-srv01:~$
PBQ 13 Authentication Log Triage
10:00 · Domain 4.0 Security
TASK
Click the Flag button on each suspicious row. Then identify the attack and outcome.
System | Account | Source IP | Status | Method | Count
Gold | administrator | 10.2.1.2 | Failure | Local | 1
Bronze | andrew | 10.11.12.13 | Success | Local | 1
Silver | paul | 10.2.2.3 | Failure | SSH | 893
Gold | andrew | 10.11.12.13 | Success | Local | 1
Lead | paul | 10.2.2.3 | Failure | SSH | 780
Antimony | paul | 10.2.2.3 | Failure | SSH | 230
Gold | bob | 10.11.12.12 | Success | SSH | 1
Antimony | paul | 10.2.2.3 | Success | SSH | 1
Identify the attack:
Did it succeed?
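One way to automate the triage that PBQ 13 asks for, as an added example (not part of the original page): it aggregates the table's rows by source IP and account, reports any pair whose failure count crosses a threshold, and lists systems where the same pair also logged in successfully. The threshold of 50 and the function names are assumptions; the table carries no timestamps, so ordering is not considered.

```python
from collections import defaultdict

# Rows copied from the PBQ 13 table:
# system, account, source IP, status, method, count
ROWS = """\
Gold,administrator,10.2.1.2,Failure,Local,1
Bronze,andrew,10.11.12.13,Success,Local,1
Silver,paul,10.2.2.3,Failure,SSH,893
Gold,andrew,10.11.12.13,Success,Local,1
Lead,paul,10.2.2.3,Failure,SSH,780
Antimony,paul,10.2.2.3,Failure,SSH,230
Gold,bob,10.11.12.12,Success,SSH,1
Antimony,paul,10.2.2.3,Success,SSH,1
"""

FAIL_THRESHOLD = 50  # assumed tuning value, not taken from the page

def triage(rows_text, threshold=FAIL_THRESHOLD):
    """Group by (source IP, account) and report pairs with many failures."""
    stats = defaultdict(
        lambda: {"failures": 0, "failed_on": set(), "success_on": set()})
    for line in rows_text.strip().splitlines():
        system, account, src, status, _method, count = line.split(",")
        entry = stats[(src, account)]
        if status == "Failure":
            entry["failures"] += int(count)
            entry["failed_on"].add(system)
        else:
            entry["success_on"].add(system)
    findings = []
    for (src, account), s in sorted(stats.items()):
        if s["failures"] >= threshold:
            findings.append({
                "source": src,
                "account": account,
                "failures": s["failures"],
                "systems_targeted": sorted(s["failed_on"]),
                # Systems with both failures and a success from this pair
                "also_succeeded_on": sorted(s["failed_on"] & s["success_on"]),
            })
    return findings

def flagged_rows(rows_text, findings):
    """1-based numbers of the table rows that belong to a reported pair."""
    hot = {(f["source"], f["account"]) for f in findings}
    rows = [line.split(",") for line in rows_text.strip().splitlines()]
    return [n for n, r in enumerate(rows, start=1) if (r[2], r[1]) in hot]

if __name__ == "__main__":
    results = triage(ROWS)
    print(results, flagged_rows(ROWS, results))
```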
PBQ 14 DHCP DORA Capture Analysis
10:00 · Domain 1.0 Concepts
TASK
Identify the four DORA stages and key fields.
# | Time | Src | Dst | Proto | Info
1 | 0.000 | 0.0.0.0:68 | 255.255.255.255:67 | DHCP | Discover - XID 0x3d1f
2 | 0.012 | 192.168.1.1:67 | 255.255.255.255:68 | DHCP | Offer - 192.168.1.150 / lease 86400s
3 | 0.018 | 0.0.0.0:68 | 255.255.255.255:67 | DHCP | Request - Requested IP 192.168.1.150
4 | 0.024 | 192.168.1.1:67 | 255.255.255.255:68 | DHCP | ACK - Bound 192.168.1.150 GW 192.168.1.1 DNS 1.1.1.1
PBQ 15 WAN Topology Identification
8:00 · Domain 1.0 Concepts
TASK
Identify the topology shown.
[Diagram nodes: HQ Hub, Branch-A, Branch-B, Branch-C, Branch-D]
PBQ 16 Network Diagram for Company A — Live Triage
20:00 · Domain 5.0 Troubleshooting
Network Diagram for Company A
TEST QUESTION

After experiencing attacks on its servers, Company A hired a cybersecurity analyst to configure a DMZ and increase security measures.

Shortly after the network was reconfigured, an assistant on the 2nd floor reported that one of the executives could not access the Internet (specifically https://comptia.org).

However, he said they CAN send internal email, use the intranet, and print on the local printer.

INSTRUCTIONS
  1. Click each workstation on the diagram — a CMD terminal pops up showing its ipconfig and a ping 8.8.8.8 attempt. Identify which one is broken.
  2. Click the Router — an ACL editor opens with the live access-list. The router's ACL implements an implicit deny.
  3. Modify the ACL so the affected workstation can reach the Internet without giving up DMZ protection.
  4. Re-click the affected workstation to re-run ping 8.8.8.8 — if your fix works, the ping succeeds.
  5. Click Validate fix at the bottom.

Only make the change needed to fix the connectivity. Do not weaken DMZ protection.

[Diagram: Floor 2 — Executive Offices: Switch, Printer, Workstation 1 (no Internet), Workstation 2 (OK). Floor 1 — Telco Closet: Internet, Router (ACL needs fix; eth1, eth2), Switch, DMZ (DNS, Email, Web, File); trunk to floor 2]
Status: WS1 cannot reach Internet — ACL fix required
PBQ 17 Drag Protocols to OSI Layers
10:00 · Domain 1.0 Concepts
TASK
Drag each protocol chip into the matching OSI layer.
Protocols
HTTP
TCP
UDP
IP
ICMP
Ethernet
ARP
1000BASE-T
Layer 7 Application
Layer 4 Transport (2 chips)
Layer 3 Network (2 chips)
Layer 2 Data Link (2 chips)
Layer 1 Physical
PBQ 18 Cable Type by Scenario
8:00 · Domain 1.0 Concepts
TASK
Drag the right cable into each scenario.
Cables
Single-mode fiber (10 km)
Multi-mode fiber (300 m)
Cat 6A UTP shielded
Cat 5e UTP
SFP+ DAC
RG-6 coax
Branch ↔ HQ over 8 km dark fiber
ToR switch ↔ server, 1 m, 10 GbE
10 GbE workstation drop, 80 m, RJ45
Cable modem coax run from demarc
Server room ↔ MDF 250 m, 10 GbE fiber
Cubicle phones, 1 GbE, 60 m
PBQ 19 Network Attack Identification
10:00 · Domain 4.0 Security
TASK
Drag the attack onto its scenario.
Attacks
ARP Spoofing
DNS Cache Poisoning
Evil Twin AP
Volumetric DDoS
VLAN Hopping (DTP)
Rogue SLAAC RA
Attacker pretends to be the gateway in MAC table
Captive-portal lookalike Wi-Fi steals creds
Malicious resolver returns wrong IP for bank.com
100 Gbps UDP flood saturates ISP uplink
Rogue host negotiates trunking, jumps VLANs
Unauthorized IPv6 router advertisement
PBQ 20 Routing Protocol Selection
8:00 · Domain 2.0 Implementation
TASK
Drag the right routing protocol into each scenario.
Protocols
OSPF
BGP
EIGRP
Static Route
RIPv2
Multi-vendor enterprise IGP, link-state, area design
Internet AS path between two ISPs
All-Cisco shop, fast convergence
Single point-to-point WAN to one branch
Tiny lab with 4 routers, simple distance vector
PBQ 21 Wireless Security Mapping
8:00 · Domain 4.0 Security
TASK
Map security mode to use case.
Security modes
WPA3-Enterprise (192-bit)
WPA3-Personal (SAE)
WPA2-Enterprise + RADIUS
Open / Captive Portal
DoD classified Wi-Fi, suite-B crypto
Modern home Wi-Fi, no AAA infrastructure
Corporate BYOD, per-user identity, RADIUS exists
Coffee-shop guest Wi-Fi with web sign-in
PBQ 22 Transceiver Selection
8:00 · Domain 1.0 Concepts
TASK
Match the transceiver to the link spec.
Transceivers
1G SFP (LX, 10km SMF)
10G SFP+ (SR, 300m MMF)
40G QSFP+ (LR4, 10km)
100G QSFP28 (SR4, 100m)
10 km SMF link, 1 Gbps
300 m MMF, 10 Gbps
10 km SMF, 40 Gbps
ToR 100 GbE spine link
PBQ 23 Cloud Connectivity Type
8:00 · Domain 1.0 Cloud
TASK
Pick the right cloud connectivity model.
Connectivity
AWS Direct Connect / Azure ExpressRoute
Site-to-Site IPsec VPN
Client-to-Site VPN
Transit Gateway / Hub VPC
Predictable 10 Gbps private link to AWS region
Branch encrypted tunnel to cloud over Internet
Remote employee laptop into corporate VPC
Many VPCs need any-to-any routing
PBQ 24 Troubleshooting Methodology Order
8:00 · Domain 5.0 Troubleshooting
TASK
Drag the steps into the correct CompTIA 7-step order.
Steps
Identify the problem
Establish a theory
Test the theory
Plan of action
Implement solution
Verify functionality
Document findings
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
PBQ 25 IPv4 Subnet Calculator (visual binary)
10:00 · Domain 1.0 Concepts
TASK
Type a CIDR — bit map updates live (blue=net, green=host). Then fill in details for 10.50.40.0/22.

PBQ 26 VLSM Subnet Design
12:00 · Domain 1.0 Concepts
TASK
From 192.168.10.0/24, allocate the most efficient prefix per subnet.
Subnet | Network | Prefix
HQ LAN (100 hosts) | 192.168.10.0 | /?
Branch LAN (50 hosts) | 192.168.10.128 | /?
WAN P2P (2 hosts) | 192.168.10.192 | /?
PBQ 27 Spanning Tree Port Roles
10:00 · Domain 2.0 Implementation
TASK
SW1 is the root. Equal cost. SW3 has higher MAC than SW2. Identify each port role.
[Diagram: SW1 (Root), Pri 4096; SW2, MAC 00:0c:aa; SW3, MAC 00:0c:ff; links A, B, C (SW2↔SW3)]
PBQ 28 QoS DSCP Marking
10:00 · Domain 3.0 Operations
TASK
Mark each traffic class with the standard DSCP code-point.
PBQ 29 IPv6 Address Classification
10:00 · Domain 1.0 Concepts
TASK
Classify each IPv6 address.
PBQ 30 Branch Network Hardening Checklist
12:00 · Domain 4.0 Security
TASK
Check every action that must be done before going live.