Cisco CCNA 200-301 Study Guide
The Cisco CCNA 200-301 is a single, associate-level exam that validates your ability to install, configure, operate, and troubleshoot small-to-medium enterprise networks. It covers six domains - network fundamentals, network access, IP connectivity, IP services, security fundamentals, and automation - and is aimed at entry-level network engineers and technicians. The exam runs 120 minutes, requires a scaled score of roughly 825/1000 to pass, and mixes multiple-choice, drag-and-drop, and simulation-style items.
Domain 1: Network Fundamentals
- The OSI model has seven layers; Layer 1 (Physical) moves bits, Layer 2 (Data Link) uses MAC addresses and switches, Layer 3 (Network) uses IP addresses and routers, and Layer 4 (Transport) uses TCP/UDP port numbers.
- TCP is connection-oriented and reliable: it uses a three-way handshake (SYN, SYN-ACK, ACK), sequence/acknowledgment numbers, and a sliding window for flow control. UDP is connectionless, best-effort, low-overhead, and used for DNS, VoIP, and streaming.
- Switches operate at Layer 2, forward frames by MAC address, and create separate collision domains per port but a single broadcast domain (per VLAN). Routers operate at Layer 3 and separate broadcast domains.
- ARP resolves a known IPv4 address to an unknown MAC address on the local segment; the request is a broadcast and the reply is a unicast.
- A /24 yields 254 usable hosts, a /23 (255.255.254.0) yields 510 usable hosts, and a /26 yields 62 usable hosts. Usable hosts = 2^(host bits) - 2.
- RFC 1918 private ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The 169.254.0.0/16 range is APIPA, auto-assigned when a DHCP server cannot be reached.
- IPv4 default classful masks, by first octet: Class A = /8 (1-126), Class B = /16 (128-191), Class C = /24 (192-223). 127.0.0.0/8 is reserved for loopback.
- IPv6 addresses are 128 bits written as eight hextets; leading zeros in a hextet can be dropped and one run of all-zero hextets can be compressed to '::' (used once). Example: 2001:DB8:0:0:0:0:0:1 compresses to 2001:DB8::1.
- IPv6 link-local addresses use the FE80::/10 prefix, are auto-generated on every interface, and are not routable beyond the local link. SLAAC lets a host autoconfigure a global address from a Router Advertisement.
- IPv6 traffic types are unicast (one-to-one), multicast (one-to-many, FF00::/8), and anycast (one-to-nearest). IPv6 has no broadcast; its role is replaced by multicast.
- Common WAN/LAN topologies: star (all devices to a central switch/hub, easy to expand), mesh (redundant paths), and point-to-point leased lines (dedicated, guaranteed bandwidth between two sites).
- Ethernet cabling: straight-through connects unlike devices (PC-to-switch), crossover connects like devices (switch-to-switch) on legacy gear, though Auto-MDIX now negotiates this automatically.
- A collision domain is bounded by switch ports and routers; a broadcast domain is bounded by routers (and by VLAN boundaries on a switch).
- VLSM allows different subnet mask lengths within the same address space to conserve addresses; the most efficient subnet is the smallest one that still meets the host requirement.
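The subnetting facts above (usable hosts = 2^(host bits) - 2, network/broadcast/usable range, and the VLSM rule of picking the smallest subnet that still fits) as an added worked example; this is not code from the study guide, and the /24 carve-up it plans is a constructed requirement set:

```python
# Added example (not part of the study guide): IPv4 subnet math with plain bit
# arithmetic, as done by hand on the exam, plus a VLSM helper (usable = 2^h - 2).

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_info(cidr: str) -> dict:
    """Network, mask, broadcast, usable range and host count for e.g. '192.168.10.77/26'."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    # /31 and /32 have no network/broadcast pair to subtract, so report 0 usable
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }

def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose 2^h - 2 usable addresses still fit `hosts`."""
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def vlsm_plan(base_cidr: str, requirements: dict) -> dict:
    """Carve base_cidr into subnets, largest first, so each starts on its own boundary."""
    base, prefix = base_cidr.split("/")
    cursor = ip_to_int(base)
    end = cursor + 2 ** (32 - int(prefix))
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        p = smallest_prefix_for(hosts)
        size = 2 ** (32 - p)
        if cursor + size > end:
            raise ValueError(f"{name}: not enough space left in {base_cidr}")
        plan[name] = f"{int_to_ip(cursor)}/{p}"
        cursor += size
    return plan

if __name__ == "__main__":
    print(subnet_info("192.168.10.77/26"))
    print(vlsm_plan("10.1.0.0/24", {"sales": 100, "eng": 50, "mgmt": 10, "p2p": 2}))
```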
Domain 2: Network Access
- An access port belongs to a single VLAN; 'switchport mode access' then 'switchport access vlan 20' assigns it. The VLAN is auto-created in the database if it does not already exist.
- A trunk port carries multiple VLANs using IEEE 802.1Q tagging, which inserts a 4-byte tag into each frame. 'switchport trunk allowed vlan 10,20,30' restricts which VLANs cross the trunk.
- The native VLAN (default VLAN 1) is sent untagged across an 802.1Q trunk; the native VLAN must match on both ends or a mismatch is flagged.
- STP (IEEE 802.1D) prevents Layer 2 loops by blocking redundant paths; without it, broadcast storms, MAC table instability, and duplicate frames occur.
- The root bridge is the switch with the lowest bridge ID (bridge priority + MAC address). Default priority is 32768; the lowest bridge ID wins, and ties break on the lowest MAC.
- 802.1D STP port states are blocking, listening, learning, and forwarding (plus disabled). Rapid PVST+ (Cisco's per-VLAN implementation of 802.1w RSTP) port roles include root, designated, alternate (backup path to root), and backup.
- PortFast moves an access (edge) port directly to forwarding, skipping listening/learning - use only on ports connected to end devices, never switch-to-switch links.
- EtherChannel bundles multiple physical links into one logical link. LACP (802.3ad, standard) modes are active/passive; PAgP (Cisco-proprietary) modes are desirable/auto. At least one side must actively negotiate (e.g., active-passive or active-active).
- VTP propagates VLAN definitions across trunks within a domain; modes are server, client, and transparent. Transparent mode forwards VTP messages but does not sync its own database.
- Wi-Fi 2.4 GHz has three non-overlapping channels: 1, 6, and 11. The 5 GHz band offers many more non-overlapping channels and less interference.
- 802.11 standards: 802.11n (Wi-Fi 4, 2.4/5 GHz), 802.11ac (Wi-Fi 5, 5 GHz only, up to ~6.93 Gbps, MU-MIMO downlink), 802.11ax (Wi-Fi 6, both bands, OFDMA).
- A wireless LAN controller (WLC) centrally manages lightweight access points using CAPWAP; APs can run in local or FlexConnect modes.
- Cisco AP management options include the device's console, Telnet/SSH, HTTP/HTTPS, and centralized management through a WLC.
- An SVI (interface vlan X) gives a Layer 3 switch an IP in a VLAN for inter-VLAN routing or management; it stays up only while at least one port in that VLAN is active.
Domain 3: IP Connectivity
- Administrative distance ranks route trustworthiness when multiple sources offer the same prefix: connected = 0, static = 1, eBGP = 20, EIGRP = 90, OSPF = 110, RIP = 120, external EIGRP = 170, iBGP = 200. Lowest AD wins.
- When routes tie on AD, the router compares the metric within that protocol; the longest prefix match always wins over AD when prefixes differ in length.
- OSPF is a link-state protocol that floods LSAs to build an LSDB and runs the Dijkstra SPF algorithm to compute a loop-free shortest-path tree. Default OSPF cost = 100 Mbps / interface bandwidth.
- OSPF neighbors must agree on area ID, subnet/mask on the connecting interface, Hello and Dead timers, authentication, and MTU before they form an adjacency.
- All OSPF areas must connect to the backbone Area 0. An Area Border Router (ABR) has interfaces in Area 0 and at least one other area and generates Type 3 summary LSAs between them.
- OSPF uses Hello packets to discover and maintain neighbors; the default Hello is 10 seconds and the Dead interval is 40 seconds on broadcast/point-to-point links.
- EIGRP is a Cisco advanced distance-vector protocol that uses the DUAL algorithm, supports unequal-cost load balancing (via the variance command), and uses a composite metric based on bandwidth and delay by default.
- A static default route is 'ip route 0.0.0.0 0.0.0.0 <next-hop>'; in the routing table it appears as a gateway of last resort, often shown as S*. A specific static route is 'ip route <network> <mask> <next-hop>'.
- Routing table codes: C = connected, S = static, O = OSPF, D = EIGRP, R = RIP, B = BGP. S* marks a candidate default static route.
- Router-on-a-stick provides inter-VLAN routing over one physical trunk using subinterfaces, e.g., 'interface g0/1.30' then 'encapsulation dot1Q 30' and an IP for that VLAN's gateway.
- First-hop redundancy protocols provide a virtual default gateway: HSRP (Cisco, default priority 100, active/standby), VRRP (standard, master/backup), and GLBP (Cisco, load-balances across gateways).
- An ICMP Redirect tells a host that a better next-hop gateway exists on the same subnet for a given destination.
- BGP path selection begins with the highest Weight (Cisco-local, not advertised), then highest Local Preference, locally originated routes, shortest AS-path, and so on.
- OSPF and EIGRP both support VLSM and CIDR (classless), advertising the subnet mask with each route, unlike classful RIPv1.
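The route-selection rules above (lowest AD installs a prefix, metric breaks ties within a protocol, and longest prefix match wins at forwarding time regardless of AD) as an added example that is not from the study guide; the candidate routes and next hops are constructed:

```python
# Added example (not part of the study guide): how a router picks a route.
# Per prefix, the source with the lowest administrative distance is installed
# (ties broken on metric); at forwarding time the longest matching prefix wins
# regardless of AD. Candidate routes below are constructed for illustration.

AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
      "rip": 120, "eigrp_ext": 170, "ibgp": 200}

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def build_table(candidates: list) -> dict:
    """Install one route per prefix: lowest AD, then lowest metric.
    Each candidate is (prefix, source, metric, next_hop)."""
    table = {}
    for prefix, source, metric, next_hop in candidates:
        key = (AD[source], metric)
        current = table.get(prefix)
        if current is None or key < (AD[current["source"]], current["metric"]):
            table[prefix] = {"source": source, "metric": metric, "next_hop": next_hop}
    return table

def lookup(table: dict, dest: str) -> tuple:
    """Forwarding decision: longest matching prefix in the installed table."""
    best = None
    for prefix, route in table.items():
        net, length = prefix.split("/")
        length = int(length)
        mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
        if ip_to_int(dest) & mask == ip_to_int(net) & mask:
            if best is None or length > best[0]:
                best = (length, prefix, route["next_hop"])
    return (best[1], best[2]) if best else None

CANDIDATES = [
    ("0.0.0.0/0",   "static", 0,    "203.0.113.1"),   # gateway of last resort (S*)
    ("10.0.0.0/8",  "static", 0,    "10.255.0.1"),
    ("10.1.1.0/24", "ospf",   20,   "10.0.12.2"),
    ("10.1.1.0/24", "eigrp",  2816, "10.0.13.3"),     # AD 90 beats OSPF's 110
    ("10.1.2.0/24", "rip",    3,    "10.0.14.4"),     # AD 120, but longer than the /8
]

TABLE = build_table(CANDIDATES)

if __name__ == "__main__":
    for d in ("10.1.1.50", "10.1.2.7", "10.9.9.9", "192.0.2.1"):
        print(d, "->", lookup(TABLE, d))
```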
Domain 4: IP Services
- Static NAT maps one private address to one public address; dynamic NAT maps from a pool; PAT (NAT overload) maps many private addresses to one public IP by tracking unique source port numbers.
- 'show ip nat translations' lists active NAT/PAT entries; 'ip nat inside'/'ip nat outside' mark the interfaces and the direction of translation.
- DHCP uses the DORA sequence: Discover (client broadcast), Offer (server), Request (client broadcast), Acknowledge (server). The client starts with no IP, so initial messages are broadcasts.
- 'ip helper-address <server>' on the client-facing interface relays DHCP (and a few other UDP broadcasts) across subnets as unicast, since routers do not forward broadcasts by default. DHCP uses UDP ports 67 (server) and 68 (client).
- DNS resolves hostnames to IP addresses using UDP port 53 for normal queries; it switches to TCP port 53 for zone transfers or responses larger than 512 bytes.
- NTP synchronizes clocks; stratum 0 is the reference hardware clock, stratum 1 is directly attached to it, and higher numbers are farther away. 'ntp server <ip>' sets a sync source; 'show ntp associations' shows peers.
- Syslog severity levels run 0 (emergency) to 7 (debug); lower is more severe. 'logging host <ip>' (or 'logging <ip>') sends messages to a central syslog server.
- SNMP polls and configures devices and sends traps on events. SNMPv3 adds username-based authentication and encryption (authPriv); v1/v2c rely on plaintext community strings. The MIB is the database of managed objects.
- Use SSH (TCP 22) instead of Telnet (TCP 23) for secure CLI access. Generating RSA keys requires a configured hostname and a domain name ('ip domain-name'), then 'crypto key generate rsa'.
- DHCP Snooping classifies ports as trusted/untrusted, blocks rogue DHCP server replies on untrusted ports, and builds an IP-to-MAC binding table used by Dynamic ARP Inspection.
- QoS classifies and marks traffic: DSCP marks at Layer 3 (6 bits, up to 64 values) and CoS marks at Layer 2 (3 bits). EF (Expedited Forwarding) is the standard marking for voice.
- QoS tools include classification/marking, queuing/scheduling (e.g., LLQ for low-latency voice, WFQ/CBWFQ), congestion avoidance (WRED), policing (drops excess), and shaping (buffers excess).
- FTP uses TCP 20/21, HTTP uses TCP 80, HTTPS uses TCP 443, Telnet uses TCP 23, and TFTP uses UDP 69 - common ports the exam expects you to recognize.
- Verification: when the router is itself the DHCP server, 'show ip dhcp binding' lists the leases it has handed out; when it only relays, the helper address (or the SVI on a Layer 3 switch) must point clients at the real server.
Domain 5: Security Fundamentals
- Standard ACLs (1-99, 1300-1999) match only the source IP and are placed close to the destination to avoid blocking unintended traffic. Extended ACLs (100-199, 2000-2699) match source, destination, protocol, and ports and are placed close to the source.
- ACLs are processed top-down, first match wins, and there is an implicit 'deny any' at the end; wildcard masks are inverse subnet masks (0 = must match, 255 = ignore).
- AAA stands for Authentication (who you are), Authorization (what you can do), and Accounting (what you did). RADIUS and TACACS+ are the centralized AAA servers.
- TACACS+ (Cisco, TCP port 49) encrypts the entire packet and separates the three AAA functions. RADIUS (standard, UDP 1812/1813 or 1645/1646) encrypts only the password and combines authentication with authorization.
- Port security limits MAC addresses per port. Violation modes: protect (silently drops, no log/counter), restrict (drops, logs, increments counter), and shutdown (err-disables the port - the default). 'switchport port-security maximum 3' caps the count.
- Layer 2 attack mitigation: BPDU Guard disables PortFast edge ports that receive a BPDU, DHCP Snooping stops rogue DHCP servers, and Dynamic ARP Inspection (DAI) validates ARP to stop ARP spoofing/poisoning man-in-the-middle attacks.
- ARP spoofing/poisoning sends forged ARP replies to associate the attacker's MAC with another host's IP, redirecting traffic; DAI (which relies on the DHCP snooping binding table) defeats it.
- WPA2 uses AES-CCMP and is the recommended minimum for enterprise wireless; WPA3 is the current strongest standard. WEP and WPA (TKIP) are deprecated and insecure.
- A DoS attack overwhelms a target to deny service to legitimate users; a DDoS uses many distributed sources. A man-in-the-middle attack intercepts traffic between two parties.
- Password protection: 'enable secret' uses hashing (default Type 5 MD5), 'enable algorithm-type scrypt secret' uses Type 9 scrypt, and 'service password-encryption' applies weak Type 7 (reversible) encryption.
- Restrict remote management with 'transport input ssh' on the VTY lines to permit only SSH and disable Telnet; 'ip ssh version 2' enforces the more secure SSHv2.
- Device hardening best practices: disable unused ports and services, use strong unique passwords, apply login banners, enable BPDU Guard and port security, and restrict management via ACLs.
- Security program elements: physical access controls, user awareness training, and password policies are the three pillars of an organizational security posture.
- A next-generation firewall adds application visibility and control (AVC), inspecting and filtering traffic at the application layer beyond simple port/protocol rules.
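The ACL rules above (top-down, first match wins, implicit deny at the end, wildcard masks where 0 bits must match and 255/1 bits are ignored) as an added simulator; it is not code from the study guide, and the extended ACL and packets are constructed:

```python
# Added example (not part of the study guide): a simulator for how IOS evaluates
# an ACL: top-down, first match wins, implicit deny at the end, wildcard masks
# where a 0 bit must match and a 1 bit is ignored. ACL and packets are constructed.

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in addr and base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def parse_ace(line: str) -> dict:
    """Parse an extended ACE like 'permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 443'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    def take_addr(i):
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2
    src, i = take_addr(2)
    dst, i = take_addr(i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def evaluate(acl: list, pkt: dict) -> tuple:
    """Return (verdict, matching line number) for pkt = {proto, src, dst, dport}."""
    for n, ace in enumerate(acl, 1):
        rule = parse_ace(ace)
        if rule["proto"] not in ("ip", pkt["proto"]):   # 'ip' matches any protocol
            continue
        if not wildcard_match(pkt["src"], *rule["src"]):
            continue
        if not wildcard_match(pkt["dst"], *rule["dst"]):
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
            continue
        return rule["action"], n                       # first match wins
    return "deny", "implicit deny any"                 # nothing matched

ACL_110 = [
    "permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 443",
    "deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.10",
    "permit ip 10.1.0.0 0.0.255.255 any",
]

if __name__ == "__main__":
    for pkt in [{"proto": "tcp", "src": "10.1.1.5", "dst": "192.168.1.10", "dport": 443},
                {"proto": "tcp", "src": "10.1.1.5", "dst": "192.168.1.10", "dport": 22},
                {"proto": "udp", "src": "10.1.1.5", "dst": "192.168.1.10", "dport": 53},
                {"proto": "tcp", "src": "172.16.0.9", "dst": "192.168.1.10", "dport": 443}]:
        print(pkt["src"], pkt["proto"], pkt.get("dport"), "->", evaluate(ACL_110, pkt))
```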
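The password and remote-management hardening points above (hashed 'enable secret' rather than 'enable password', reversible Type 7 and plaintext Type 0 passwords, SSH-only VTY lines, 'ip ssh version 2') as an added config audit; this is not code from the study guide, and both configs are constructed with placeholder secrets:

```python
# Added example (not part of the study guide): audit a running-config against the
# hardening points in this domain. The two configs are constructed; the checks
# cover only what the guide lists (enable secret, Type 7/Type 0, SSH-only VTY, SSHv2).
import re

def audit_config(config: str) -> list:
    """Return a list of findings (strings); empty means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("no 'enable secret' configured")
    if any(ln.startswith("enable password") for ln in lines):
        findings.append("'enable password' present: use 'enable secret' (hashed) instead")
    for ln in lines:
        if re.search(r"\bpassword 7 \S+", ln):
            findings.append(f"Type 7 (reversible) password: '{ln.strip()}'")
        elif re.search(r"\bpassword (0 )?\S+", ln) and not ln.startswith("enable"):
            findings.append(f"plaintext (Type 0) password: '{ln.strip()}'")
    if "ip ssh version 2" not in lines:
        findings.append("'ip ssh version 2' missing: SSHv1 may be negotiated")
    # walk each 'line vty' block and inspect its (last) transport input statement
    for i, ln in enumerate(lines):
        if ln.startswith("line vty"):
            block = []
            for sub in lines[i + 1:]:
                if sub and not sub.startswith(" "):
                    break
                block.append(sub.strip())
            transport = [b for b in block if b.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"'{ln}': transport input is not SSH-only")
    return findings

# constructed example configs (secrets are placeholders, not real hashes)
WEAK = """\
enable password cisco123
service password-encryption
username admin password 7 PLACEHOLDER7
line vty 0 4
 password cisco
 transport input telnet ssh
"""

HARDENED = """\
ip domain-name lab.example
enable secret 9 $9$placeholder
username admin secret 9 $9$placeholder
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""
```

Calling audit_config(WEAK) returns six findings; audit_config(HARDENED) returns an empty list.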
Domain 6: Automation and Programmability
- Software-Defined Networking (SDN) separates the control plane from the data (forwarding) plane and centralizes control logic, exposing it through APIs for programmability.
- Controller APIs are described by direction: northbound APIs (typically REST) face applications/automation tools, while southbound APIs (NETCONF, OpenFlow) push configuration to the network devices.
- Cisco DNA Center (Catalyst Center) is Cisco's intent-based networking controller for automation, assurance, and policy; it exposes northbound REST APIs to translate business intent into network policy.
- REST APIs are stateless and use standard HTTP methods: GET (read), POST (create), PUT (replace an entire resource), PATCH (partial update), and DELETE (remove).
- HTTP status codes: 200 OK, 201 Created (successful POST), 400 Bad Request, 401 Unauthorized (authentication required), 403 Forbidden, 404 Not Found, 500 Server Error.
- JSON uses key-value pairs in curly braces {} for objects and square brackets [] for arrays; it is lightweight, human-readable, and the most common REST payload format.
- YAML uses indentation for structure and lists each item with a hyphen and a space ('- item'); it is favored for human-edited configuration and Ansible playbooks.
- XML uses nested tag pairs and is the data encoding used by NETCONF; data is structured according to YANG data models.
- NETCONF (over SSH) uses YANG models and XML to install, manipulate, and delete device configuration; RESTCONF exposes YANG data over REST using JSON or XML.
- Ansible is agentless and connects over SSH (or NETCONF) using YAML playbooks - practical for network gear since no agent is installed on devices. It is push-based.
- Puppet and Chef use agents on managed nodes and a pull-based model; Puppet uses a declarative DSL in manifests describing the desired end state.
- Configuration management tools enforce a desired state, reduce configuration drift, and make changes idempotent (re-running yields the same result).
- Cisco DevNet provides developer resources, learning labs, and always-on/reservable sandboxes for safely testing network APIs and automation.
- Zero-touch provisioning (ZTP) lets a new device automatically download and apply its configuration on first boot, eliminating manual box-by-box setup.
Cisco CCNA 200-301 exam tips
- Memorize the number tables cold: administrative distances, common TCP/UDP port numbers, default timers (OSPF Hello 10 / Dead 40, HSRP priority 100), and subnetting host counts - these appear in many questions and free up time.
- Practice subnetting until you can find network address, broadcast, usable range, and the most efficient mask in under 30 seconds without a calculator; it underpins multiple domains.
- On simulation (sim) and configuration questions, verify your work with show commands (show ip interface brief, show running-config, show vlan brief, show ip route) the way you would on a real device.
- Read every word of ACL, NAT, and STP questions carefully - direction (inbound/outbound, inside/outside), placement (source vs destination), and the implicit deny change the correct answer.
- You cannot move backward in the CCNA exam, so do not leave questions blank; there is no penalty for guessing - eliminate wrong options and commit before moving on.
Study guide FAQ
How long is the CCNA 200-301 exam and what score do I need to pass?
The exam is 120 minutes with roughly 100-120 questions. Cisco does not publish a fixed passing percentage; scores are scaled and the commonly cited threshold is about 825 out of 1000. Plan your pacing so you average well under a minute per question, banking time for simulations.
Do I need to memorize Cisco IOS commands, or is it all multiple choice?
You need working command knowledge. Alongside multiple-choice and drag-and-drop items, the exam includes simulation and testlet questions where you configure or troubleshoot devices and read show-command output. Be fluent with VLAN, trunking, OSPF, ACL, NAT, DHCP, and SSH configuration.
Are there any prerequisites for taking the CCNA?
No formal prerequisites are required. Cisco recommends about one year of hands-on experience with Cisco solutions, a solid grasp of IP addressing and subnetting, and familiarity with network fundamentals. Many candidates prepare with Packet Tracer or GNS3 labs to build the hands-on skills.
How much does the automation and programmability domain matter?
It is about 10 percent of the exam and is conceptual rather than coding-heavy. Focus on SDN and control/data plane separation, REST/HTTP methods and status codes, JSON and YAML formats, NETCONF/YANG, the difference between Ansible (agentless, push) and Puppet/Chef (agent, pull), and Cisco DNA Center. You will not have to write full programs.