Network+ is the credential that proves you can run any network, regardless of vendor.

CompTIA Network+ has been the benchmark vendor-neutral networking certification for over two decades. Unlike Cisco’s CCNA (which focuses on IOS and Cisco hardware) or Juniper’s JNCIA, Network+ covers core networking concepts that apply across any equipment and any environment: on-premises, cloud, hybrid, and virtualised. This universality is both its strength and its limitation — Network+ is the right starting credential for candidates who want to work as network technicians, support engineers, or junior network administrators before specialising. It is also a DoD 8570/8140 baseline requirement, meaning that federal government contractors and military IT roles often list it explicitly as a minimum qualification.

The N10-009 version of the exam, released by CompTIA in late 2024, significantly updated two areas that had lagged behind industry reality in the N10-008 version. First, network security received a dedicated domain at 20% weighting — up from 19% in N10-008 — and the content now explicitly covers zero-trust architecture, identity-based network access controls, and modern threat vectors that appear on every enterprise network. Second, cloud and virtualisation topics were woven throughout multiple domains rather than appearing as a self-contained section, reflecting how hybrid networking has become the standard rather than the exception. The restructuring means that an N10-009 candidate must understand the same core networking concepts as always, but in the context of AWS VPCs, Azure Virtual Networks, and SD-WAN overlays rather than purely physical infrastructure.

This guide covers the N10-009 exam format, all five domains in detail, how Network+ compares to the CCNA, and the ideal study path for candidates coming from a help-desk or A+ background.

Exam format and logistics

Network+ N10-009 is a maximum-90-question exam with a 90-minute time limit. Questions are a mix of multiple-choice (single and multiple correct answers) and performance-based questions (PBQs): drag-and-drop network diagrams, simulated command-line outputs to interpret, and scenario-based troubleshooting sequences. PBQs appear at the start of the exam; most candidates should budget 15–20 minutes for them and not let them consume the entire time allocation.

Exam quick facts

Exam code: N10-009  ·  Questions: up to 90 (MCQ + PBQs)  ·  Time: 90 minutes  ·  Passing score: 720/900  ·  Cost: ~$369 USD  ·  Delivery: Pearson VUE (in-person or online proctored)  ·  Validity: 3 years (CE program)

The exam is delivered through Pearson VUE at authorised testing centres worldwide, or via online proctored delivery from any quiet location with a webcam. CompTIA periodically offers discount vouchers through training providers and their own store; the list price is $369 but candidates who buy through academic partners or bundle with official study materials often pay $280–$320. The exam has no formal prerequisites, though CompTIA recommends at least 9–12 months of hands-on networking experience or A+ certification before attempting Network+. Candidates with no prior networking background who study only from books rather than labs consistently report higher failure rates.

Maintaining Network+ requires earning 30 Continuing Education (CE) units over the three-year validity period. Units are earned through training, conferences, webinars, or passing higher-level CompTIA exams. Earning a higher-level CompTIA cert (Security+, CASP+, CySA+) automatically renews Network+ without requiring separate CE tracking. The annual fee for the CE program is $25 USD per year, or waived with CertMaster CE completion.

The five N10-009 domains

The five domains in N10-009 are not independent silos. Troubleshooting draws on operational knowledge; security depends on implementation; implementation depends on fundamentals. The exam frequently presents scenarios that require understanding across multiple domains simultaneously — a deliberate design choice that rewards candidates who study concepts rather than memorising domain-by-domain.

Domain 1 — Networking Fundamentals (23%)

The conceptual foundation everything else builds on. This is the heaviest domain by weighting and the one where most exam failures occur for candidates who underestimate it.

  • OSI and TCP/IP models: The seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) and their TCP/IP equivalents. The exam does not ask you to recite the models — it presents a scenario and asks which layer is responsible for a specific function: frame addressing is Layer 2, logical addressing and routing is Layer 3, reliable delivery and port numbers are Layer 4, and so on. Protocol Data Unit (PDU) naming by layer: bits (L1), frames (L2), packets (L3), segments (L4), data (L5–L7).
  • IP addressing and subnetting: IPv4 class-based ranges (Class A: 1–126, Class B: 128–191, Class C: 192–223), private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), CIDR notation, and subnet calculations. Given a /25 subnet, you must derive: the usable host count (128 addresses − 2 = 126 usable), the network address, broadcast address, and valid host range. VLSM (Variable Length Subnet Masking) for efficient address allocation. IPv6 structure: 128-bit address, colon-hexadecimal notation, :: compression for consecutive zero groups, link-local (fe80::/10), unique-local (fc00::/7), and global unicast addresses. Transition mechanisms: dual-stack, tunnelling, NAT64.
  • Common ports and protocols: The N10-009 exam tests approximately 30 port/protocol pairs. Critical ones: FTP (20/21), SSH (22), Telnet (23), SMTP (25), DNS (53), DHCP (67/68), HTTP (80), HTTPS (443), SMB (445), RDP (3389), SNMP (161/162), LDAP (389), LDAPS (636), NTP (123), IMAP (143), POP3 (110). The exam also tests protocol purpose: DHCP assigns addresses dynamically; DNS resolves names to IPs; NTP synchronises clocks; SNMP monitors network devices. Confusing a protocol’s port number with a different protocol’s function is a common distractor pattern.
  • Networking topologies: Physical topologies (bus, ring, star, mesh, hybrid) and logical topologies. Point-to-point, point-to-multipoint, MPLS (Multiprotocol Label Switching) for service-provider WAN. Spine-leaf architecture for modern data centres: every leaf switch connects to every spine switch, providing consistent low-latency paths regardless of which leaf the source and destination are behind. Three-tier (access, distribution, core) vs. two-tier (collapsed core) vs. spine-leaf design decisions.
  • Cloud and virtualisation basics: N10-009 weaves these into Fundamentals rather than isolating them. IaaS, PaaS, SaaS distinctions. Virtual switches, overlay networks (VXLAN for extending VLANs across routed boundaries), SDN (Software-Defined Networking) separating control plane from data plane. VPC (Virtual Private Cloud) as a logically isolated network segment within a public cloud. Direct Connect (AWS) and ExpressRoute (Azure) as dedicated private WAN links bypassing the public internet.
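
The subnet derivation and VLSM allocation from the IP addressing bullet above, worked in Python as an added example (not part of the original guide). The function names, the 10.0.0.0/24 block and the department host counts are constructed for illustration.

```python
import ipaddress

def subnet_facts(cidr):
    """Derive mask, network, broadcast, host range and usable count by bit arithmetic."""
    addr_text, prefix_text = cidr.split("/")
    host_bits = 32 - int(prefix_text)
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF    # prefix bits set to 1
    network = addr & mask                            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)       # host bits all set
    total = 1 << host_bits
    usable = total - 2 if host_bits >= 2 else 0      # network + broadcast reserved
    to_ip = lambda n: str(ipaddress.IPv4Address(n))
    return {
        "mask": to_ip(mask),
        "network": to_ip(network),
        "broadcast": to_ip(broadcast),
        "first_host": to_ip(network + 1) if usable else None,
        "last_host": to_ip(broadcast - 1) if usable else None,
        "total": total,
        "usable": usable,
    }

def vlsm_allocate(block, needs):
    """Carve `block` into right-sized subnets for each {name: host_count}, largest first."""
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address)
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: kv[1], reverse=True):
        # Smallest number of host bits whose usable count (2^h - 2) covers the need.
        host_bits = 2
        while (1 << host_bits) - 2 < hosts:
            host_bits += 1
        size = 1 << host_bits
        # Largest-first ordering keeps the cursor aligned to each subnet boundary.
        if cursor + size - 1 > end:
            raise ValueError(f"{block} exhausted before allocating {name}")
        plan[name] = f"{ipaddress.IPv4Address(cursor)}/{32 - host_bits}"
        cursor += size
    return plan

# Constructed sample requirements for a single site.
SAMPLE_NEEDS = {"engineering": 100, "hr": 50, "voip": 20, "wan-link": 2}

if __name__ == "__main__":
    print(subnet_facts("192.168.10.200/25"))
    for name, subnet in vlsm_allocate("10.0.0.0/24", SAMPLE_NEEDS).items():
        print(f"{name:12} {subnet:16} usable={subnet_facts(subnet)['usable']}")
```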

Domain 2 — Network Implementation (19%)

Deploying and configuring real networking components: routing, switching, wireless, and physical infrastructure.

  • Routing protocols: Static routes vs. dynamic routing. OSPF (Open Shortest Path First): link-state protocol, uses Dijkstra’s SPF algorithm, organises routers into areas with Area 0 as the backbone, elects a Designated Router (DR) and Backup DR (BDR) on broadcast segments. BGP (Border Gateway Protocol): the internet’s routing protocol, path-vector, used between autonomous systems (eBGP) and within them (iBGP). EIGRP (Cisco proprietary hybrid, still tested for awareness). RIP (Routing Information Protocol) distance-vector: limited to 15 hops, slow convergence, largely replaced but still appears in exam scenarios as what-not-to-use. Routing table concepts: longest prefix match determines which route wins when multiple routes match a destination.
  • Switching and VLANs: MAC address table operation: switches learn source MACs and port associations, then forward frames only to the correct port. When a destination MAC is unknown, the switch floods to all ports in the VLAN. VLANs (Virtual LANs) create broadcast domain segmentation on a single physical switch: VLAN 10 for engineering, VLAN 20 for HR, etc. 802.1Q trunk links carry multiple VLANs between switches using tagged frames (4-byte 802.1Q header). Native VLAN frames on a trunk are untagged by default — a misconfigured native VLAN is the source of VLAN hopping attacks. Spanning Tree Protocol (STP) prevents loops in redundant switched networks: elect a root bridge, block redundant paths, 802.1D classic vs. 802.1w RSTP (Rapid STP, faster convergence). Port fast / BPDU guard for access ports that connect directly to end devices.
  • Wireless networking: 802.11 standards and their frequencies, maximum theoretical speeds, and channel plans. 802.11a/g: 5GHz and 2.4GHz respectively, 54 Mbps. 802.11n (Wi-Fi 4): 2.4GHz and 5GHz, MIMO, up to 600 Mbps. 802.11ac (Wi-Fi 5): 5GHz only, MU-MIMO, up to ~6.9 Gbps. 802.11ax (Wi-Fi 6/6E): 2.4/5/6GHz, OFDMA, up to ~9.6 Gbps. Channel overlap in the 2.4GHz band: only channels 1, 6, and 11 are non-overlapping in the US. 5GHz has many more non-overlapping channels. SSID broadcast, BSS vs. ESS (multiple APs with the same SSID = Extended Service Set). Wireless site survey: use a heat map to identify coverage gaps and co-channel interference before placing APs.
  • Physical infrastructure: Cable categories: Cat 5e (1 GbE up to 100m), Cat 6 (1 GbE up to 100m / 10 GbE up to 55m), Cat 6A (10 GbE up to 100m), Cat 8 (25/40 GbE up to 30m). TIA-568A vs. TIA-568B pinout standards and when to use straight-through vs. crossover cables. Fibre: single-mode (OS1/OS2, long-distance, laser) vs. multimode (OM3/OM4/OM5, short-distance, LED or VCSEL). SFP, QSFP form factors. Rack cabling, patch panels, cable management. PoE (Power over Ethernet): 802.3af (15.4W), 802.3at (30W), 802.3bt (60W / 100W) for powering APs, IP cameras, and VoIP phones without separate power supplies.

Domain 3 — Network Operations (17%)

Keeping networks running: documentation, monitoring, high availability, and disaster recovery.

  • Network documentation: Logical topology diagrams (Layer 3 — IP addresses, routing) vs. physical topology diagrams (Layer 1/2 — cable runs, patch panel locations, rack elevation). IP address management (IPAM) tools. Network baseline: a documented “normal state” for bandwidth utilisation, latency, and device CPU that makes anomalies detectable. Change management: formal processes for implementing network changes (RFC — Request for Change, change window, rollback plan, post-change verification) to prevent uncoordinated changes that cause outages.
  • Network monitoring: SNMP v1/v2c/v3: SNMP agents on network devices expose MIBs (Management Information Bases) to a central NMS (Network Management System). SNMP v3 adds authentication (MD5/SHA) and encryption (DES/AES) — v1/v2c use community strings in plaintext and are considered insecure. Syslog: devices send log messages to a centralised syslog server; severity levels 0–7 (0=Emergency through 7=Debug). NetFlow: router-exported flow records (source IP, destination IP, port, protocol, byte count) for traffic analysis and capacity planning. SNMP traps vs. polling: traps are unsolicited alerts from device to NMS; polling is NMS-initiated periodic requests. Bandwidth monitoring tools: MRTG, Cacti, PRTG, LibreNMS.
  • High availability and redundancy: HSRP (Hot Standby Router Protocol) and VRRP (Virtual Router Redundancy Protocol): two or more routers share a virtual IP address; one is active, one is standby — failover is transparent to hosts using the VIP as their default gateway. Link aggregation (802.3ad LACP): bonding multiple physical links into a logical interface for redundancy and increased bandwidth. ECMP (Equal Cost Multi-Path): routing traffic over multiple equal-cost paths simultaneously. N+1 and N+N redundancy models for power supplies and UPS systems. RPO (Recovery Point Objective) and RTO (Recovery Time Objective): RPO defines maximum tolerable data loss; RTO defines maximum tolerable downtime. Backup strategies: full (all data, slow/large), incremental (only changes since last backup, faster/smaller), differential (all changes since last full backup, medium).
  • DHCP and DNS operations: DHCP DORA sequence: Discover (client broadcast), Offer (server unicast), Request (client broadcast for chosen offer), Acknowledgment (server confirms). DHCP scope: the pool of addresses a server hands out. DHCP relay agent (IP helper): forwards DHCP broadcasts across routed boundaries to a centralised DHCP server. DNS record types: A (IPv4 address), AAAA (IPv6 address), CNAME (alias), MX (mail exchanger), NS (nameserver), PTR (reverse lookup), SOA (Start of Authority), TXT (text, used for SPF/DKIM verification). DNS recursive vs. authoritative queries. DNS hierarchy: root → TLD (.com, .org) → authoritative nameserver. TTL and caching.

Domain 4 — Network Security (20%)

The domain with the largest curriculum expansion in N10-009 vs. N10-008, reflecting how security is now inseparable from networking.

  • Security concepts and frameworks: CIA Triad (Confidentiality, Integrity, Availability) as the security objective framework. Zero-trust architecture: “never trust, always verify” — no implicit trust based on network location; every connection must authenticate and authorise regardless of origin (on-prem, VPN, or cloud). Network access control (NAC): 802.1X port-based authentication uses EAP (Extensible Authentication Protocol) to require device and/or user authentication before granting network access. Supplicant (client device), Authenticator (switch or AP), Authentication Server (RADIUS). RADIUS (Remote Authentication Dial-In User Service) as the backend authentication server protocol. TACACS+ (Terminal Access Controller Access-Control System Plus) for device administration authentication — distinguishes authentication, authorisation, and accounting as separate functions.
  • Network hardening: Disable unnecessary services and ports on network devices. Change default credentials on all devices (a failure to do this is the root cause of many IoT and SMB network compromises). SSH instead of Telnet for device management (SSH is encrypted; Telnet is plaintext). Port security on switches: limit the number of MAC addresses allowed per port, shut down the port on violation. BPDU guard: prevent rogue switches from being plugged into access ports and participating in STP. DHCP snooping: build a trusted port table to drop forged DHCP offers from rogue servers. Dynamic ARP Inspection (DAI): validate ARP packets against the DHCP snooping binding table to prevent ARP poisoning attacks.
  • Firewalls and filtering: Stateful vs. stateless firewalls. Stateless (ACL-based): each packet is evaluated independently against rules — fast but cannot distinguish established from new connections. Stateful: tracks connection state table, allowing return traffic for established sessions without explicit return rules. Next-generation firewalls (NGFW): Layer 7 application awareness, user identity, SSL/TLS inspection, and integrated IPS/IDS. ACL rule ordering: rules are evaluated top-to-bottom; first match wins; implicit deny at the bottom means anything not explicitly permitted is dropped. DMZ (Demilitarised Zone): a network segment between two firewall interfaces hosting public-facing servers (web, mail) that need internet access but should not reach the internal network directly.
  • VPNs and remote access: IPsec: suite of protocols (AH for integrity, ESP for encryption and integrity, IKE for key negotiation). Transport mode vs. tunnel mode. IKEv2 as the modern standard. SSL/TLS VPN (e.g., OpenVPN, Cisco AnyConnect): operates over HTTPS (port 443), firewall-friendly. Site-to-site VPN: connects two office networks permanently. Client-to-site (remote access) VPN: individual users connect from home or travel. Split tunnelling: only traffic destined for the corporate network goes through the VPN; all other traffic uses the local internet directly. Full tunnelling: all traffic routes through the VPN (higher security, more bandwidth overhead). WireGuard as a modern, lightweight VPN protocol increasingly replacing IPsec in SMB and self-hosted deployments.
  • Wireless security: WEP is broken (weak IV, RC4). WPA2-Personal uses PSK (Pre-Shared Key) with CCMP/AES — vulnerable to offline dictionary attacks on the 4-way handshake. WPA3-Personal uses SAE (Simultaneous Authentication of Equals / Dragonfly handshake) — resistant to offline dictionary attacks because the handshake does not expose the PSK to capture. WPA2/WPA3-Enterprise uses 802.1X/RADIUS authentication instead of a shared key — each user authenticates individually. Common wireless attacks: evil twin (rogue AP with matching SSID), de-authentication flooding (forged 802.11 management frames), KRACK (Key Reinstallation Attack against WPA2 4-way handshake). Rogue AP detection via wireless intrusion detection/prevention systems (WIDS/WIPS).
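
The firewall behaviour from the firewalls and filtering bullet above (first match wins, implicit deny, and stateful handling of return traffic), modelled in Python as an added example that is not part of the original guide. The rule set, addresses and helper names are constructed; the model matches on addresses and destination port only.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")
Rule = namedtuple("Rule", "action src dst dport")   # dport None means any port

def _matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def acl_decision(rules, pkt):
    """Stateless ACL: evaluate top to bottom, first match wins, implicit deny."""
    for index, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, index
    return "deny", None          # implicit deny: nothing matched

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                hidden.append(i)
                break
    return hidden

class StatefulFirewall:
    """Same rule set plus a connection table that admits replies to permitted flows."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()

    def decide(self, pkt):
        # A reply is the permitted flow with source and destination swapped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"
        action, _ = acl_decision(self.rules, pkt)
        if action == "permit":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

# Constructed rule set: the third rule sits below a broader deny and never fires.
RULES = [
    Rule("permit", "10.0.0.0/24", "0.0.0.0/0", 443),
    Rule("deny",   "10.0.0.0/8",  "0.0.0.0/0", None),
    Rule("permit", "10.0.0.50/32", "0.0.0.0/0", 22),
]
OUTBOUND = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
UNSOLICITED = Packet("203.0.113.10", 443, "10.0.0.5", 51001)
ADMIN_SSH = Packet("10.0.0.50", 40000, "198.51.100.7", 22)

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print("stateless outbound:", acl_decision(RULES, OUTBOUND))
    print("stateless reply:   ", acl_decision(RULES, REPLY))
    print("stateful outbound: ", fw.decide(OUTBOUND))
    print("stateful reply:    ", fw.decide(REPLY))
    print("stateful unsolicited:", fw.decide(UNSOLICITED))
    print("shadowed rule indexes:", shadowed_rules(RULES))
```

Production firewalls also key the state table on protocol and expire entries on timeouts or TCP teardown, which this model omits.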

Domain 5 — Network Troubleshooting (21%)

The highest-stakes domain for real-world job readiness. The exam presents break-fix scenarios; understanding the methodology matters as much as knowing the individual commands.

  • Troubleshooting methodology: CompTIA’s formal 7-step model: (1) Identify the problem — gather information, duplicate if possible, question users; (2) Establish a theory of probable cause — consider the obvious first; (3) Test the theory; (4) Establish a plan of action; (5) Implement the solution; (6) Verify functionality and implement preventive measures; (7) Document findings and lessons learned. The exam regularly presents a troubleshooting scenario and asks which step should come next — knowing the order matters. The methodology is also the basis for change management: always have a rollback plan (step 4) before implementing (step 5).
  • Command-line tools: ping: ICMP echo/reply — confirms basic IP reachability; if ping fails, connectivity, routing, or firewall may be blocking ICMP. traceroute / tracert: discovers the hop-by-hop path and where failures or high latency occur. nslookup / dig: DNS resolution testing. ipconfig (Windows) / ifconfig or ip addr (Linux): shows IP configuration, subnet mask, default gateway. netstat: shows active connections and listening ports. arp -a: shows the ARP cache mapping IP addresses to MAC addresses. route print / ip route: shows the routing table. nmap: port scanning (exam context is diagnostic, not offensive). Wireshark / tcpdump: packet capture for deep protocol analysis.
  • Common connectivity problems and causes: Duplex mismatch (one side auto-negotiates to full-duplex, the other is hard-coded half-duplex): symptoms are high error counts and collisions on the interface, not a complete outage. VLAN mismatch: device on VLAN 10 cannot reach device on VLAN 20 without inter-VLAN routing (Layer 3 switch SVI or router-on-a-stick). MTU mismatch: packets larger than the MTU of a link are fragmented or dropped (if DF bit is set); symptoms are large transfers failing while small ones succeed — common with VPN and PPPoE overhead. Duplicate IP addresses: ARP conflicts cause intermittent connectivity for whichever device last claimed the IP. Incorrect default gateway: the host can reach local subnet devices but cannot reach anything beyond the local subnet. DHCP scope exhaustion: all addresses in the pool are leased; new devices get APIPA addresses (169.254.x.x) and cannot reach the network. DNS resolution failure: the host has a valid IP but cannot resolve hostnames — symptom is that ping 8.8.8.8 works but ping google.com fails.
  • Wireless troubleshooting: Signal strength and RSSI: −50 dBm is excellent, −70 dBm is usable, −80 dBm is marginal. Co-channel interference occurs when overlapping APs use the same channel, degrading throughput for all. Adjacent-channel interference occurs when neighbouring channels partially overlap (e.g., channels 1 and 3). Hidden node problem: two clients can reach the AP but not each other, causing collisions at the AP that neither client detects before transmitting — mitigated by RTS/CTS handshaking. Captive portal issues: clients associate and get an IP but cannot reach the captive portal to authenticate, usually caused by DNS or HTTP redirect misconfiguration. Wrong security type: client configured for WPA2-Personal but AP requires WPA3-Enterprise (802.1X) — the client will associate but fail authentication.

Network+ vs. CCNA: which path is right?

Comparison: Network+ vs. CCNA vs. JNCIA

  • CompTIA Network+ N10-009 — Best for candidates who want a vendor-neutral foundation, DoD 8570 compliance, or a credential that does not require access to specific vendor equipment for lab practice. The 90-minute exam format makes it achievable with 2–3 months of focused study from a networking background. Broadly recognised by employers for support and technician roles. Serves as a stepping stone to Security+, CCNA, or cloud-specific certs. The primary limitation: no vendor-specific hands-on component means the cert proves conceptual knowledge, not operational proficiency with a specific platform.
  • Cisco CCNA (200-301) — Best for candidates who want to work with Cisco equipment specifically, or who aspire to network engineering roles (as opposed to support). The 200-301 is a 120-minute, up-to-120-question exam at ~$330 USD. CCNA covers all of the same fundamentals as Network+ but adds deep Cisco IOS configuration, OSPF and EIGRP configuration, Cisco DNA Centre automation, QoS, and Cisco-specific wireless. Significantly harder than Network+ in terms of hands-on lab requirement: candidates who pass CCNA without real or simulated IOS practice (Packet Tracer, GNS3, CML) rarely pass. Also DoD 8570 approved. Career ceiling is higher than Network+ for pure networking roles.
  • Juniper JNCIA-Junos (JN0-105) — Best for candidates entering networking roles in service-provider or enterprise environments that run Juniper hardware. The JNCIA is more straightforward than CCNA (65 questions, 90 minutes, ~$200 USD) and focuses on Junos OS fundamentals. Less broadly recognised in the job market than either Network+ or CCNA, but highly respected in environments where it matters (ISPs, major financial institutions). Pair with Network+ if DoD compliance is also needed.

Network+ proves you understand how networks work. CCNA proves you can configure Cisco equipment. If you want to become a network engineer, CCNA is the destination — but Network+ is a faster first step if you’re changing careers or need DoD compliance quickly.

Recommended study path for N10-009

The N10-009 exam rewards candidates who study from both a textbook resource and a lab environment. The conceptual content (OSI model, subnetting, protocols) can be learned from books and video courses; the troubleshooting domain specifically rewards candidates who have seen real command-line output and worked through actual break-fix scenarios. A realistic study plan for candidates coming from an A+ or help-desk background is 8–12 weeks at 10–15 hours per week.

  • Weeks 1–3: Cover Domain 1 (Fundamentals) completely, with heavy focus on subnetting. Subnetting is the most consistently tested quantitative skill on the exam; candidates who cannot subnet binary-to-decimal in under 2 minutes struggle with time management on exam day. Use CIDR subnetting drills daily until it is automatic.
  • Weeks 4–6: Domains 2 and 3 (Implementation and Operations). Set up a home lab or use Packet Tracer (free with a Cisco Networking Academy account) to practise VLAN configuration, STP observation, OSPF neighbour formation, and DHCP relay configuration.
  • Weeks 7–9: Domain 4 (Security). Review every protocol/technology pair: what it does, what it replaces, and why.
  • Weeks 10–12: Domain 5 (Troubleshooting) and full practice exams. Time yourself strictly on practice exams — 90 questions in 90 minutes leaves no margin for uncertainty-driven time waste.

Sharpen your networking knowledge with free Network+ practice questions on CertQuests — N10-009 content covering all five domains.
