CompTIA Network+ N10-008: Network Topologies and Network Types Explained
When I teach Network+ students, this is where I can usually tell who is memorizing terms and who actually understands how networks behave. Topology is about arrangement and traffic flow. Network type is about scope, ownership, or purpose. Access model is something else again. If you lump all of those together, the exam can feel way more confusing than it really is.
Just a quick version note: these ideas line up nicely with older CompTIA Network+ N10-008 coverage, but you’ll still want to check the current objectives since N10-009 is the active exam version now. That said, the fundamentals still absolutely matter.
Topology vs. Network Type vs. Architecture vs. Access Model
This distinction is one of the biggest exam traps.
- Topology: star, bus, ring, mesh, point-to-point, point-to-multipoint
- Architecture/design model: hierarchical campus, spine-and-leaf
- Network type/scope: PAN, LAN, WLAN, CAN, MAN, WAN, SAN
- Access/service model: peer-to-peer, client-server
So if a question says “central switch with many endpoints,” that is a star topology. If it says “multiple buildings under one organization,” that is a CAN. If it says “centralized authentication and file services,” that is client-server. Those are not interchangeable answers.
Physical vs. Logical Topology
Physical topology is the real layout of cables, switches, routers, APs, and circuits. Logical topology is how traffic actually behaves. A modern Ethernet LAN is usually physically star because endpoints connect back to switches, but it may be logically segmented into multiple VLANs and subnets.
Here’s a classic example: old hub-based Ethernet could look like a star on the map, but it behaved more like a bus behind the scenes. Devices all plugged into a central hub, but the hub repeated traffic out all ports, creating one shared collision domain. By contrast, a switch creates a separate collision domain per port, and in full-duplex switched Ethernet, CSMA/CD collisions are effectively eliminated.
Broadcast domains are different from collision domains. A VLAN is really just a Layer 2 broadcast domain, so it keeps a specific group of traffic together on the switching side. Broadcast traffic usually stays inside its VLAN unless something is intentionally set up to move it somewhere else — or, frankly, the config has gone sideways. Routers and Layer 3 interfaces usually don’t pass along Layer 2 broadcasts, and honestly, that’s a really important distinction. That’s why VLANs and inter-VLAN routing matter so much in real networks — they let you separate traffic in a controlled way without isolating every group from everything else.
For example, if a PC on VLAN 10 is talking to another PC on that same VLAN, the traffic usually stays local and gets switched at Layer 2. In that case, the switch is basically just moving frames around within the same Layer 2 segment. If that same PC needs to reach a server on VLAN 20, the traffic has to go to the default gateway — maybe a router, maybe a Layer 3 switch SVI — then get routed over to VLAN 20. Physically, all those devices might be sitting on the same switch stack, but logically they’re still separate networks with a Layer 3 boundary between them.
Segmentation, failure domains, and traffic flow — this is where network design really starts to matter.
Segmentation is where topology becomes operational. Access ports carry one VLAN for endpoints. Trunk ports can carry multiple VLANs by tagging traffic with 802.1Q as it moves between switches, access points, and routers. Voice VLANs are commonly used to keep IP phones separate from regular user PCs, which makes the network a lot easier to organize and support. Inter-VLAN routing can be done with a router-on-a-stick setup, although in most enterprise environments I usually see a Layer 3 switch doing the job.
VLANs definitely help with organization and they shrink the broadcast scope, but by themselves they’re not complete security controls. If you want real security boundaries, you usually need things like ACLs, firewalls, NAC, port security, or 802.1X working together. In other words, segmentation helps a lot, but policy enforcement is what actually decides who gets in and who doesn’t.
Failure domains matter just as much. If one access switch fails in a star design, users on that switch lose service. If a distribution switch or core path fails, the impact is a lot bigger — the blast radius gets much wider. In WLANs, one AP can broadcast multiple SSIDs that map to different VLANs, so one physical device can support separate guest and corporate logical networks.
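The failure-domain reasoning above can be checked mechanically. This added example (not from the original article) models a constructed campus as a list of links and reports which endpoints lose their path to the core when one device fails; all device names and both link lists are assumptions made for illustration.

```python
from collections import deque

# Constructed topology: one distribution switch, single uplinks everywhere.
SINGLE = [
    ("core", "dist1"),
    ("dist1", "acc1"), ("dist1", "acc2"),
    ("acc1", "pc1"), ("acc1", "pc2"),
    ("acc2", "pc3"), ("acc2", "pc4"),
]
# Same campus with a second distribution switch and dual uplinks from access.
REDUNDANT = SINGLE + [("core", "dist2"), ("dist2", "acc1"), ("dist2", "acc2")]
ENDPOINTS = ["pc1", "pc2", "pc3", "pc4"]

def reachable(links, start, failed):
    """Return every node reachable from start once the failed node is removed."""
    adj = {}
    for a, b in links:
        if failed in (a, b):
            continue  # a dead device takes all of its links with it
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(links, failed, core="core", endpoints=ENDPOINTS):
    """Endpoints that lose their path to the core when one device fails."""
    if failed == core:
        return sorted(endpoints)
    alive = reachable(links, core, failed)
    return sorted(e for e in endpoints if e not in alive)

if __name__ == "__main__":
    for name, links in (("single", SINGLE), ("redundant", REDUNDANT)):
        for device in ("acc1", "dist1"):
            print(name, device, "->", blast_radius(links, device))
```

An access switch failure costs the same two endpoints in both designs, while the distribution failure only has a blast radius in the single-uplink design.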
Performance also follows traffic patterns. Traditional campus traffic was often north-south — think client to server, or user to internet. Modern data centers, though, generate a lot of east-west traffic — server to server, hypervisor to hypervisor, application tier to database tier. That is one reason spine-and-leaf exists.
Common Topologies and Design Models
Star is the default modern LAN shape. Endpoints connect to a central switch. It is easy to expand and easy to troubleshoot, but the central device matters. Resilience can be improved with switch stacks, dual uplinks, LACP, redundant power supplies, and redundant upstream paths.
Bus is mostly legacy. Devices share one backbone cable, often associated with older coax Ethernet. Terminators were required at both ends, and a break or bad termination could affect the whole segment. It was cheap, but troubleshooting was painful because many devices shared the same medium.
Ring connects each device to two neighbors. Historical examples include Token Ring and FDDI. Some ring technologies used token passing for controlled access, and some supported dual-ring resilience. Modern Ethernet does not normally operate as a classic ring; instead, switched networks prevent loops with STP or RSTP.
Mesh provides multiple paths. A full mesh of n nodes requires n(n-1)/2 links, which is why full mesh becomes expensive fast. Partial mesh is more common in WANs. Mesh improves availability, no question, but troubleshooting can get trickier because routing may reconverge, ECMP can use multiple valid paths, and asymmetric routing can make the analysis a little messy.
Point-to-point is a direct connection between two nodes, like a leased line or building-to-building fiber. It is simple and predictable, but a single point-to-point link is not inherently redundant unless a second path is added.
Point-to-multipoint means one central node serves many endpoints. A wireless AP is the easiest introductory example, though Wi-Fi is a shared RF medium rather than a dedicated circuit model. This also appears in wireless bridges and provider last-mile distribution.
Hybrid is the real world. A campus may use star at the access layer, redundant distribution, and partial-mesh WAN connectivity. If a design mixes topology styles, hybrid is often the right answer.
Hierarchical campus uses access, distribution, and core layers. Access connects users and edge devices. Distribution aggregates access switches and often applies policy, routing, and summarization. Core provides fast transport across the campus. Smaller environments often use a collapsed core, combining distribution and core. Resiliency commonly includes first-hop redundancy such as HSRP or VRRP.
Spine-and-leaf is a modern data center architecture. Every leaf connects to every spine, and endpoints connect to leaves. Traffic between leaves typically crosses a spine, creating predictable low-hop east-west forwarding. ECMP is commonly used to spread traffic across equal-cost paths. That’s different from older three-tier data center designs because it scales much better for server-to-server traffic and overlay technologies like VXLAN.
Network Types and Common Confusions
PAN is personal, short-range connectivity such as Bluetooth headphones or a smartwatch.
LAN is a local wired network, usually within a room, floor, building, or site.
WLAN is a local wireless network using 802.11 Wi-Fi. It still has local scope, but the medium is shared airtime over RF. Good WLAN design usually includes channel planning, guest isolation, WPA2 or WPA3 security, and often 802.1X for enterprise authentication. And those details really matter if you want the wireless network to actually hold up under real-world load.
CAN is a campus area network: multiple buildings under one organization, often on contiguous property and usually organization-controlled.
MAN is metro-scale, often provider-facilitated, connecting sites across a city.
WAN spans long distances and connects branches, data centers, cloud edges, or remote users.
SAN is a storage area network for block-level storage traffic, commonly using Fibre Channel, iSCSI, or FCoE. This is where students often get tripped up, so be careful: SAN is not NAS. SAN provides block storage over a dedicated storage network or fabric. NAS provides file-level access over standard IP/Ethernet networks, usually as shared folders or file services.
Access Models and Network Reach
Peer-to-peer means devices share resources directly without a central server model. It can work in tiny environments, but once things grow, management and security get messy fast — and honestly, that’s where the wheels usually come off.
Client-server means centralized services such as AD, DNS, DHCP, file shares, databases, or authentication servers provide resources to clients. This is the normal enterprise model.
Intranet is internal-only organizational access. Extranet exposes a controlled portion of resources to outside partners, vendors, or customers. Internet is the public global network. Another exam trap: VPN is not a network type. It is a secure tunnel or overlay across another network, usually the internet.
WAN Options and What They Really Mean
MPLS is a provider-managed forwarding service used in many enterprise WANs. It can offer predictable traffic handling and QoS classes, but it doesn’t come encrypted by default. If confidentiality matters, you’ll want to add VPNs or other encryption controls on top of that.
Leased lines are dedicated point-to-point circuits. They are simple and predictable, but expensive.
Metro Ethernet is a service offering, not a topology. It extends Ethernet handoff across a metro or WAN provider network and is often associated with MAN or WAN connectivity.
Broadband is cost-effective and common. Business fiber, cable, and DSL all differ in speed, symmetry, service guarantees, and availability, so the ‘best’ choice really depends on the site.
Cellular is useful for backup, mobile, or hard-to-wire sites. LTE and 5G are common, but signal quality, carrier-grade NAT, and data limits can absolutely matter.
Satellite is valuable in remote areas. GEO satellite has high latency; newer LEO services reduce latency but still involve coverage and service trade-offs.
SD-WAN is an overlay and policy engine, not a transport by itself. It uses one or more underlay links — like MPLS, broadband, or LTE — and then steers traffic based on policy and link health.
VPN typically provides encrypted connectivity and integrity protection over another network. Common examples are site-to-site IPsec and remote-access SSL/TLS or IPsec VPNs.
Security Boundaries by Design
Topology decisions affect security. Guest WLANs should map to isolated VLANs and be able to reach the internet without ever touching the corporate LAN. Corporate WLANs may use WPA2-Enterprise or WPA3-Enterprise with 802.1X. Extranet services are often placed behind firewalls or reverse proxies in controlled zones. Inter-VLAN traffic should be filtered using least privilege, not just allowed because the VLANs happen to exist.
Storage traffic should stay isolated from user traffic. In SAN environments, that may mean separate fabrics, zoning, multipathing, and dedicated interfaces. In campus networks, it may mean ACLs, firewalls, or VRFs between trust zones.
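An added example, not part of the original article, of auditing inter-VLAN policy for least privilege: it evaluates a constructed first-match ACL with an implicit deny and reports trust-zone pairs that are still permitted when they should not be. The subnets, the rule format, and every function name are assumptions made for illustration, not any vendor's syntax.

```python
import ipaddress

# Constructed addressing: VLAN name -> subnet (assumed values).
VLANS = {
    "corp": ipaddress.ip_network("10.0.10.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
    "storage": ipaddress.ip_network("10.0.40.0/24"),
}
# Constructed first-match rules at the Layer 3 boundary: (action, src, dst).
LOOSE_ACL = [
    ("deny", "guest", "corp"),
    ("deny", "guest", "storage"),
    ("permit", "guest", "any"),
    ("permit", "corp", "any"),  # allowed "because the VLAN exists"
]
TIGHT_ACL = [
    ("permit", "guest", "internet"),
    ("permit", "corp", "internet"),
]  # everything else falls through to the implicit deny
FORBIDDEN = [("guest", "corp"), ("guest", "storage"), ("corp", "storage")]

def vlan_of(ip):
    """Map an address to its VLAN name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def decide(src_ip, dst_ip, acl):
    """Return 'switched', 'permit' or 'deny' for one flow."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst and src != "internet":
        return "switched"  # same VLAN: forwarded at Layer 2, ACL not consulted
    for action, rule_src, rule_dst in acl:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action
    return "deny"  # implicit deny at the end of the list

def audit(acl, forbidden=FORBIDDEN):
    """List forbidden (src, dst) VLAN pairs that the ACL still permits."""
    host = {name: str(net.network_address + 10) for name, net in VLANS.items()}
    return [(s, d) for s, d in forbidden if decide(host[s], host[d], acl) == "permit"]

if __name__ == "__main__":
    print("loose:", audit(LOOSE_ACL))
    print("tight:", audit(TIGHT_ACL))
```

Flows that come back as `switched` never reach the routed ACL at all, so filtering inside a single VLAN has to come from controls other than inter-VLAN rules.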
Media and infrastructure anchors — basically the physical pieces that make the design real.
Ethernet is defined under IEEE 802.3. Wi-Fi is defined under IEEE 802.11. Copper is still common for endpoint connections because it’s affordable, easy to deploy, and supports PoE — which is a big deal for phones, access points, and cameras. Fiber is usually the go-to choice for uplinks, backbones, long distances, and high-speed links because it reaches farther, carries data faster, and isn’t bothered by electromagnetic interference. In practice, Cat5e, Cat6, and Cat6a are common copper options, while multimode and single-mode fiber usually come down to distance and whatever optics the design needs.
Practical troubleshooting by topology — because network design only really proves itself when something breaks.
If one user is down in a star topology, I’d start by checking the cable, NIC, switch port, VLAN assignment, and IP settings first. That’s usually the fastest way to narrow it down. If an entire floor is down, I’d look at the access switch, the uplink, power, and anything upstream from there. When a bigger chunk of the network disappears, you’ve got to think in terms of shared dependencies.
If users connect to Wi-Fi but land on the wrong subnet, I’d start looking at SSID-to-VLAN mapping, the trunk setup to the AP, or the wrong DHCP scope. That’s a classic wireless segmentation issue. If they connect but performance is lousy, I’d think channel overlap, weak RSSI, interference, or airtime contention.
If a branch can reach the internet but can’t get to headquarters, the WAN link itself may be fine while the VPN is the part that’s actually broken. In that case, I’d check tunnel status, routes, ACLs, NAT exemptions, and firewall policy. One weak link in that chain can break the whole path.
If devices in one VLAN can’t reach another, check the default gateway, the SVI or router subinterface status, the allowed VLANs on trunks, and the inter-VLAN routing policy.
Useful first-step tools include ipconfig/ifconfig for addressing, ping for local and remote reachability, tracert/traceroute for path visibility, arp for local Layer 2 resolution, and device commands such as show interface, show vlan, and show ip route.
Exam Strategy and Common Traps — this part can save you points fast.
First, figure out what the question is actually asking for: topology, network type, WAN method, architecture, or access model. That one step alone knocks out a lot of bad answers.
- Central device = star
- Highest redundancy = mesh
- Multiple buildings under one organization = CAN
- City-wide = MAN
- Personal devices = PAN
- Storage traffic = SAN
- Modern data center east-west traffic = spine-and-leaf
- Encrypted remote access = VPN, not “internet”
Also remember the common wrong-answer traps:
- Client-server is not a topology.
- VPN is not a network type.
- WLAN is a network type and access method, not the same thing as point-to-multipoint topology.
- SAN is not NAS.
- Metro Ethernet is a service, not a topology.
Rapid Review
Star is the standard LAN shape. Bus and ring are mostly legacy recognition topics. Mesh gives multiple paths but adds complexity. Hierarchical campus is a structured enterprise model. Spine-and-leaf is a modern data center model optimized for east-west traffic. LAN and WLAN are local. CAN is campus-wide under one organization. MAN is metro-scale. WAN is long-distance. SAN is dedicated storage networking.
If you can separate arrangement from scope, recognize the trade-offs, and identify the likely failure domain, you are in good shape for Network+. That is the real skill the exam is looking for: not just naming a design, but understanding what the design means when traffic grows, a link fails, or security policy has to be enforced.