How to pass Cisco Certified Network Associate (CCNA 200-301)
The Cisco Certified Network Associate (CCNA 200-301) is the industry's best-known associate networking credential. It tests whether you can build, configure, verify, and troubleshoot a small enterprise network across switching, routing, IP services, security, and the automation that increasingly sits on top. The exam is broad and hands-on in spirit: most questions are short scenarios with fictional devices, real addressing, and plausible show-command output, and they ask for the correct configuration, the resulting behaviour, or the diagnosis of a fault.
It suits early-career network engineers, support and operations staff moving into networking, and developers who need to understand the infrastructure their applications run on. If you can already subnet in your head and read a routing table, much of the exam will feel like confirmation. If subnetting, spanning tree, and OSPF are still fuzzy, the gap is closable in a couple of focused months because the blueprint, while wide, is built on a small number of rules applied over and over.
The exam rewards precision, not vibes. Many options are real Cisco commands or true networking statements that are simply wrong for the scenario as written. The skill being tested is applying the exact rule: the usable-host count for a prefix, which router wins a DR election, which ACL line matches first, what administrative distance beats what. Practise on scenario questions with worked explanations so you learn why each distractor fails, not just which letter is right.
CCNA rewards applying the exact rule - the host count, the election winner, the first-match ACL line - not recalling a definition. The best answer hinges on a precedence rule or a boundary value.
Difficulty: Intermediate
Best for: Early-career network engineers, IT support and operations staff moving into networking, and developers and cloud practitioners who need a working grasp of how enterprise networks are built and run.
Prerequisites: None formally. Comfort with binary and basic IT concepts helps, and the subnetting and routing domains assume you are willing to do arithmetic by hand.
Questions: 100 to 120
Time allowed: 120 min
Exam cost (USD): $300
Practice questions: 306
How this exam thinks
Three habits separate a pass from a fail on the CCNA, and all three are about applying a rule precisely rather than knowing more facts.
First, the exam is decided by boundary values and precedence rules, not by general truths. A subnet question turns on the fact that the network and broadcast addresses are not usable hosts, so a /27 gives 30 hosts and not 32. A routing question turns on the order longest-prefix-match, then administrative distance, then metric, applied in exactly that sequence. An election turns on the tie-break chain: the STP root is the lowest bridge ID, which is priority first and then MAC address, while the OSPF DR is the highest priority and then the highest router ID. When two options both look plausible, the right one is the one that respects the precedence rule or lands on the correct boundary; the distractor is usually off by one host, one election step, or one administrative-distance value.
Second, the exam expects you to know default values cold, because the distractors are built from the wrong ones. Administrative distance is the classic trap: connected 0, static 1, eBGP 20, EIGRP internal 90, OSPF 110, RIP 120, EIGRP external 170, iBGP 200. The same applies to the implicit deny that ends every ACL, the native VLAN that travels untagged on an 802.1Q trunk, the 300-second MAC aging timer, and the standard PoE budgets. If you cannot recall the default, you cannot tell the keyed answer from the distractor that quotes a believable wrong number.
Third, the exam wants the single BEST action for the scenario, and configuration questions reward reading the requirement before the options. A standard ACL belongs near the destination and an extended ACL near the source; a wildcard mask, not a subnet mask, defines the range in an ACL or an OSPF network statement; a floating static route uses a higher administrative distance so it installs only when the preferred route fails. Read the last line of the stem first to find what is actually being asked, then judge each option against that requirement and against the exact rule, not against whether it is a real command.
What each domain tests and how to study it
The 200-301 blueprint is split across 6 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
What you must be able to do. Identify what each network device does, subnet IPv4 and IPv6 correctly by hand, and explain switching and transport behaviour well enough to predict what a frame or segment does next.
In one sentence. The foundation the rest of the exam stands on: device roles and topologies, IPv4 and IPv6 addressing and subnetting, how a switch learns and forwards frames, and TCP versus UDP.
Recall check: answer these from memory first
For 192.168.10.0/27, give the broadcast address, the usable host range, and the number of usable hosts.
Derive the modified EUI-64 interface identifier from MAC 00:1A:2B:3C:4D:5E, in order, including the bit you flip.
State what a switch does with a known-unicast frame, an unknown-unicast frame, and a broadcast frame.
What it tests. The building blocks: the role of routers, Layer 2 and Layer 3 switches, next-generation firewalls and IPS, access points, controllers, and PoE, and two-tier, three-tier, and spine-leaf designs. The heaviest part is IPv4 subnetting and VLSM plus IPv6 addressing, prefixes, address types, and modified EUI-64. It also covers how a switch builds its MAC address table, floods unknown-unicast and broadcast frames, and ages entries, and how connection-oriented TCP differs from connectionless UDP.
How to study it. Make subnetting automatic before anything else, because it underpins routing, ACLs, and OSPF. Drill until you can produce the network address, broadcast address, usable range, and host count for any prefix in seconds, and remember that the network and broadcast addresses are never usable hosts. Practise IPv6 compression and modified EUI-64 by hand (split the MAC, insert FFFE, flip the seventh bit of the first byte). Learn the switch forwarding logic as a decision: known unicast goes out one port, unknown unicast and broadcast flood the VLAN.
Easy to confuse
Usable hosts versus total addresses in a subnet. Total addresses are 2 to the power of the host bits; usable hosts are that minus two, because the network address and the broadcast address cannot be assigned to a device. The exam plants a distractor that forgets to subtract the two, so a /27 shows 32 or 31 instead of 30.
TCP versus UDP. TCP is connection-oriented with a three-way handshake, sequencing, acknowledgements, and retransmission; UDP is connectionless with none of that and lower overhead. Match the requirement: reliable file transfer or web is TCP, low-latency voice, video, and DNS lookups favour UDP.
Link-local versus global unicast IPv6. Link-local addresses start fe80::/10 and are never forwarded off the link; global unicast addresses begin 2000::/3 and are routable on the internet. A packet sourced from an fe80:: address cannot be the answer to a question about routed reachability.
Worked example from the 200-301 bank
Free sample (Network Fundamentals, hard)
A host is automatically configuring a link-local IPv6 address with no router present on the segment. Which prefix identifies the address it generates, and what is the defining property of that address?
A. fe80::/10, valid only on the local link and never forwarded by a router (Correct)
B. fc00::/7, routable within a single organisation but not on the public internet
C. 2000::/3, globally routable and reachable across the public internet
D. ff00::/8, delivered to every interface that has joined the group
Identify the fe80::/10 link-local prefix and recognise that link-local traffic is never forwarded beyond the local link. Every IPv6 interface generates a link-local address from fe80::/10 for on-link functions such as neighbour discovery, and routers are required never to forward packets whose source or destination is link-local, so the address scope is exactly one link.
Why A is correct: Link-local addresses always come from the fe80::/10 range and an IPv6 router never forwards them off the link, so they remain confined to the local segment - this is the defining property the question asks for.
Why B is wrong: fc00::/7 is the unique local address (ULA) range, which is site-scoped and can be routed between internal subnets; it is not the prefix a host self-assigns for link-local communication, so it is the wrong classification here.
Why C is wrong: 2000::/3 is the global unicast range used for internet-reachable addresses; a host cannot mint a globally routable address without a router advertisement supplying the prefix, so this does not describe the no-router self-configured address.
Why D is wrong: ff00::/8 is the multicast range used for one-to-many delivery, not a unicast address a single host assigns to its own interface; it is a tempting confusion because both are auto-derived, but it is not link-local.
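The subnetting, EUI-64 and address-scope rules from the "How to study it" paragraph and the worked example above, implemented as a small Python script so each rule can be checked against any input. This is an added example, not code from the page or from Cisco; the function names, the /31 and /32 special case, and the sample inputs (the 192.168.10.0/27 block and the MAC 00:1A:2B:3C:4D:5E from the recall check) are the author's choices here.

```python
import ipaddress


def subnet_facts(cidr):
    """Network, broadcast, usable range and host count for an IPv4 prefix.

    Applies the exam rule: total addresses are 2**host_bits, and the network
    and broadcast addresses are subtracted for any prefix up to /30.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    total = net.num_addresses
    if net.prefixlen >= 31:
        # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast
        usable, first, last = total, net[0], net[-1]
    else:
        usable, first, last = total - 2, net[1], net[-2]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
        "total_addresses": total,
    }


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC.

    Steps in exam order: split the MAC into two 24-bit halves, insert FF:FE
    between them, then flip the seventh bit of the first byte (the U/L bit).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # the seventh bit from the left is 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """fe80::/10 plus the modified EUI-64 identifier, in compressed form."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)))


def ipv6_scope(addr):
    """Classify an address by the prefixes the exam tests (first match wins)."""
    a = ipaddress.IPv6Address(addr)
    for label, prefix in (("multicast", "ff00::/8"),
                          ("link-local", "fe80::/10"),
                          ("unique-local", "fc00::/7"),
                          ("global-unicast", "2000::/3")):
        if a in ipaddress.IPv6Network(prefix):
            return label
    return "other"


if __name__ == "__main__":
    print(subnet_facts("192.168.10.0/27"))
    print(link_local_from_mac("00:1A:2B:3C:4D:5E"))
    print(ipv6_scope(link_local_from_mac("00:1A:2B:3C:4D:5E")))
```

The ipv6_scope check order matters: ff00::/8 and fe80::/10 are tested before the wide 2000::/3 and fc00::/7 ranges, which mirrors how the distractors in the worked example are built from overlapping-looking prefixes.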
What you must be able to do. Configure VLANs and 802.1Q trunks across switches, bundle links with EtherChannel, predict spanning-tree elections and port states, and read a controller-based wireless setup.
In one sentence. The switched access layer: VLANs and trunking, CDP and LLDP, EtherChannel with LACP, Rapid PVST+ spanning tree, and Cisco wireless architectures.
Recall check: answer these from memory first
Given four switches with stated priorities and MAC addresses, say which becomes the root bridge and why.
State what travels untagged on an 802.1Q trunk and what breaks if the two ends disagree on it.
Name the LACP mode combinations that form an EtherChannel and the one combination that never does.
What it tests. Segmenting a network with VLANs, carrying them between switches over an 802.1Q trunk with a native VLAN, and configuring access ports for data and voice. It covers discovering neighbours with CDP and LLDP, bundling links into an EtherChannel with LACP, and the operation of Rapid PVST+: root-bridge and root-port election, port roles and states, and PortFast. It also covers Cisco wireless architectures, AP modes, WLC connections, and reading a WLAN GUI.
How to study it. Treat spanning tree as an election with a fixed tie-break chain and practise it until it is mechanical: the root bridge is the lowest bridge ID (priority then MAC), each non-root switch picks the root port by lowest cumulative path cost, and the rest become designated or blocking. Memorise the short-mode path costs (100 Mbps is 19, 1 Gbps is 4, 10 Gbps is 2). For VLANs, internalise that the native VLAN crosses an 802.1Q trunk untagged and that a native-VLAN mismatch on the two ends breaks connectivity. For EtherChannel, know which LACP mode combinations form a bundle.
Easy to confuse
Root bridge election versus root port selection. The root bridge is chosen network-wide by the lowest bridge ID (priority, then MAC); the root port is chosen per non-root switch by the lowest cumulative path cost to that root. One is a global election, the other a per-switch decision, and the exam swaps them.
Access port versus trunk port and the native VLAN. An access port carries one VLAN untagged; a trunk carries many VLANs, tagging all except the native VLAN. The trap is forgetting that the native VLAN is the one untagged VLAN on the trunk, so a native-VLAN mismatch silently merges two VLANs.
LACP active or passive, and which pairs form a bundle. Active initiates LACP negotiation; passive only responds. Active-active and active-passive form an EtherChannel, but passive-passive never does because neither side initiates. The exam offers passive-passive as the bundle that quietly fails.
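The spanning-tree election chain and the LACP pairing rule from the "How to study it" and "Easy to confuse" items above, written out as Python so the root-bridge election (priority, then MAC), the per-switch root-port choice (lowest cumulative cost, then lowest neighbour bridge ID) and the short-mode path costs can be exercised on a topology. This is an added example, not code from the page or from Cisco; the four-switch topology, the switch names and MAC addresses, and the link speeds are constructed for the demonstration.

```python
import heapq

# Short-mode STP path costs by link speed in Mbps (the values the exam uses)
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(switch):
    """Lower bridge ID wins: priority first, then MAC as the tie-break."""
    return (switch["priority"], switch["mac"].lower())


def elect_root(switches):
    """Network-wide election: the switch with the lowest bridge ID."""
    return min(switches, key=bridge_id)["name"]


def root_ports(switches, links):
    """Per-switch decision: the root port is the port with the lowest
    cumulative path cost to the root, tie broken by the lowest neighbour
    bridge ID.  links are (switch_a, switch_b, speed_mbps).
    Returns {switch: (cost_to_root, neighbour_on_root_port)}."""
    by_name = {s["name"]: s for s in switches}
    root = elect_root(switches)
    graph = {s["name"]: [] for s in switches}
    for a, b, speed in links:
        graph[a].append((b, STP_COST[speed]))
        graph[b].append((a, STP_COST[speed]))
    # Dijkstra gives the cumulative cost from every switch to the root
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph[node]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    result = {root: (0, None)}
    for name in graph:
        if name == root:
            continue
        # rank each neighbour by the cost via it, then by its bridge ID
        nbr, cost = min(
            graph[name],
            key=lambda nc: (dist.get(nc[0], float("inf")) + nc[1], bridge_id(by_name[nc[0]])),
        )
        result[name] = (dist[nbr] + cost, nbr)
    return result


def lacp_bundle_forms(mode_a, mode_b):
    """LACP needs at least one active end: active-active and active-passive
    bundle; passive-passive never negotiates."""
    modes = {mode_a.lower(), mode_b.lower()}
    return modes <= {"active", "passive"} and "active" in modes


# Constructed topology (not from the page): SW2 has the lowest priority,
# and SW3 has a lower MAC than SW1 at the default priority.
SWITCHES = [
    {"name": "SW1", "priority": 32768, "mac": "00:00:00:00:00:0A"},
    {"name": "SW2", "priority": 4096, "mac": "00:00:00:00:00:0B"},
    {"name": "SW3", "priority": 32768, "mac": "00:00:00:00:00:05"},
    {"name": "SW4", "priority": 32768, "mac": "00:00:00:00:00:0C"},
]
LINKS = [("SW2", "SW1", 1000), ("SW2", "SW3", 100), ("SW1", "SW3", 1000),
         ("SW3", "SW4", 1000), ("SW1", "SW4", 100)]

if __name__ == "__main__":
    print(elect_root(SWITCHES))
    print(root_ports(SWITCHES, LINKS))
```

Note the SW3 result: its direct 100 Mbps link to the root costs 19, so it picks the two-hop 1 Gbps path (4 + 4 = 8) instead. That is the kind of boundary the exam builds a distractor on.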
Worked example from the 200-301 bank
Free sample (Network Access, medium)
Two switches are joined by an 802.1Q trunk. One switch is configured with native VLAN 1 on the trunk, the other with native VLAN 99. Spanning tree and CDP are running. What is the consequence of this configuration?
A. The trunk forms normally and all VLANs pass, because the native VLAN only affects which VLAN carries management traffic and never the forwarding of user data.
B. The trunk is administratively shut down by the switch as soon as the mismatch is detected through CDP, requiring a manual no shutdown to recover.
C. Traffic from the two native VLANs is merged so that frames in VLAN 1 on one side arrive in VLAN 99 on the other, creating a security and reachability problem. (Correct)
D. Only VLAN 99 is permitted across the link, because the higher native VLAN number always takes precedence and prunes the lower-numbered native VLAN.
Understand that an 802.1Q native VLAN mismatch leaks traffic between the two native VLANs rather than disabling the trunk. On an 802.1Q trunk the native VLAN is the one VLAN sent without a tag. A receiving switch assigns any untagged frame to its own configured native VLAN. When the two ends disagree, untagged frames from VLAN 1 on one side are absorbed into VLAN 99 on the other, bridging the two VLANs together; the link stays up while data crosses VLAN boundaries.
Why A is wrong: It is tempting because a native-VLAN mismatch does not bring the physical link down, but the mismatch does affect user data: untagged frames leak between the two different native VLANs.
Why B is wrong: CDP does log a native VLAN mismatch notice, but Cisco switches do not err-disable or shut the trunk for this; the port stays up and continues forwarding, which is what makes the problem subtle.
Why C is correct: Each switch sends its native-VLAN traffic untagged, and the neighbour places received untagged frames into ITS own native VLAN, so VLAN 1 and VLAN 99 traffic is bridged together across the link.
Why D is wrong: There is no rule that a higher native VLAN number wins or prunes another VLAN; native VLAN selection is purely about which VLAN is sent untagged, so this invented precedence is wrong.
What you must be able to do. Read a routing table and predict the chosen route, configure IPv4 and IPv6 static and floating-static routes, bring up single-area OSPFv2, and explain first-hop redundancy.
In one sentence. How routers choose paths: the routing table and the longest-prefix-match, administrative-distance, metric order; static and floating-static routes; single-area OSPFv2; and HSRP.
Recall check: answer these from memory first
List the order a router uses to choose between candidate routes, and say which factor wins when a /24 and a /16 both match.
Give the default administrative distance for connected, static, eBGP, EIGRP internal, OSPF, and RIP.
State when OSPF elects a DR and BDR, when it does not, and the two-step tie-break that decides the DR.
What it tests. Interpreting a routing table and applying the default forwarding logic in order: longest prefix match first, then administrative distance between sources, then metric within a source. It covers IPv4 and IPv6 static routing including default, host, and floating-static routes, single-area OSPFv2 (neighbor adjacencies, point-to-point versus broadcast network types, DR and BDR election, and the router ID), and the purpose and operation of a first-hop redundancy protocol such as HSRP.
How to study it. Drill the forwarding decision as a strict sequence: a more specific prefix always wins regardless of administrative distance, administrative distance only breaks a tie between sources for the same prefix, and metric only breaks a tie within one protocol. Memorise the administrative-distance defaults. For OSPF, learn that a DR and BDR are elected only on broadcast or multi-access segments, never on point-to-point links, by highest priority then highest router ID, and how the router ID is chosen when not set. For HSRP, learn the active/standby roles, priority, and preemption.
Easy to confuse
Administrative distance versus metric. Administrative distance ranks the trustworthiness of different route sources for the same prefix; metric ranks routes within a single protocol. A lower administrative distance wins between OSPF and RIP; a lower metric wins between two OSPF paths. The exam swaps the two.
Longest prefix match versus administrative distance. The most specific matching prefix is selected first, before administrative distance is even considered. A /32 host route via RIP beats a /24 via OSPF for that host, because specificity outranks trust. The trap is letting a lower administrative distance override a longer prefix.
OSPF DR election versus router-ID selection. The DR is elected per broadcast segment by highest OSPF priority then highest router ID; the router ID itself is chosen once per router (manual, then highest loopback IP, then highest active interface IP). The exam blurs the segment-level election with the device-level ID choice.
Floating static route versus a normal static route. A floating static route is a static route given a higher administrative distance so it stays out of the table until the preferred route fails. A normal static (AD 1) would take precedence immediately, so the higher AD is the whole point of making it floating.
Worked example from the 200-301 bank
Free sample (IP Connectivity, medium)
A router holds four routes that all match the destination 10.1.1.5: a connected route to 10.0.0.0/8, an OSPF route to 10.1.0.0/16, an EIGRP route to 10.1.1.0/24, and a static default route 0.0.0.0/0. By default, which route does the router use to forward the packet?
A. The OSPF route to 10.1.0.0/16, because OSPF has a lower administrative distance than EIGRP
B. The connected route to 10.0.0.0/8, because connected routes have the lowest administrative distance of 0
C. The static default route 0.0.0.0/0, because static routes are preferred over dynamic routes
D. The EIGRP route to 10.1.1.0/24, because it is the longest prefix that matches the destination (Correct)
A router selects the most specific matching route by longest prefix match before administrative distance or metric is considered. Forwarding decisions apply longest prefix match first: the router picks the route whose network mask covers the destination with the most bits set. Only when two routes share the identical prefix do administrative distance and then metric act as tie-breakers, so the /24 wins outright here.
Why A is wrong: Administrative distance is tempting here, but it only breaks ties between routes to the SAME prefix; with different prefix lengths the longest match is chosen first, so the /16 is never compared by AD.
Why B is wrong: A connected route does have AD 0, but administrative distance is not consulted until after longest prefix match; the /8 is the least specific of the matches, so it loses on prefix length.
Why C is wrong: Static routes do carry a low AD of 1, but the default route is the least specific match of all; longest prefix match selects a more specific entry whenever one exists.
Why D is correct: Longest prefix match is the first and decisive test: /24 covers 10.1.1.5 and is more specific than /16, /8, or the default, so this route is installed for forwarding regardless of AD or metric.
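The forwarding sequence from "How to study it" and the worked example above, as an added Python example that is not code from the page or from Cisco IOS. It separates the two stages the exam keeps apart: installing one route per prefix (administrative distance between sources, then metric within a source, which is also where a floating static with a raised AD waits) and forwarding by longest prefix match over the installed routes. The route constructor, the table functions and the next-hop address are the author's own; the four candidate routes reproduce the scenario in the question.

```python
import ipaddress

# Default administrative distances (the defaults the distractors are built from)
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
    "ospf": 110, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


def route(prefix, source, metric=0, ad=None, next_hop=None):
    """A candidate route; ad defaults to the source's default administrative distance."""
    return {
        "prefix": ipaddress.ip_network(prefix),
        "source": source,
        "ad": ADMIN_DISTANCE[source] if ad is None else ad,
        "metric": metric,
        "next_hop": next_hop,
    }


def build_table(candidates):
    """Install one route per prefix: lowest AD wins between sources, lowest
    metric wins within a source.  A floating static (AD raised above the
    dynamic protocol's) therefore stays out until the preferred route vanishes."""
    table = {}
    for r in candidates:
        cur = table.get(r["prefix"])
        if cur is None or (r["ad"], r["metric"]) < (cur["ad"], cur["metric"]):
            table[r["prefix"]] = r
    return list(table.values())


def forward(table, destination):
    """Forwarding lookup: longest prefix match among installed routes.  AD and
    metric never enter here; they were settled per prefix in build_table."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r["prefix"]]
    return max(matches, key=lambda r: r["prefix"].prefixlen, default=None)


def chosen_route(candidates, destination):
    """(prefix, source) the router would use, or None if nothing matches."""
    r = forward(build_table(candidates), destination)
    return None if r is None else (str(r["prefix"]), r["source"])


# Constructed candidates reproducing the worked example; metrics and the
# default route's next hop are placeholders.
CANDIDATES = [
    route("10.0.0.0/8", "connected"),
    route("10.1.0.0/16", "ospf", metric=20),
    route("10.1.1.0/24", "eigrp", metric=30720),
    route("0.0.0.0/0", "static", next_hop="203.0.113.1"),
]

if __name__ == "__main__":
    print(chosen_route(CANDIDATES, "10.1.1.5"))   # the EIGRP /24
    print(chosen_route(CANDIDATES, "172.16.0.1"))  # falls through to the default
```

The same two functions also show the /32-via-RIP-beats-/24-via-OSPF case from "Easy to confuse": the RIP route has the worse AD, but it is a different prefix, so AD is never compared.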
What you must be able to do. Configure and verify NAT, NTP, and DHCP, explain SNMP, syslog, and QoS per-hop behaviour, and secure remote management with SSH.
In one sentence. The services that keep a network usable: NAT, NTP, DHCP and DNS, SNMP and syslog, QoS per-hop behaviour, and SSH, TFTP, and FTP for management.
Recall check: answer these from memory first
Define inside local, inside global, outside local, and outside global, with an example address for each.
Order syslog severities from most to least severe, and say which end the smaller number sits at.
List the configuration steps to enable SSH on the VTY lines, in the order they must happen.
What it tests. Configuring inside source NAT with static entries and pools and PAT overload, NTP in client and server mode, and DHCP client and relay, plus the role of DHCP and DNS. It covers SNMP polling and traps, syslog facilities and severity levels (lower number means more severe), and QoS per-hop behaviour: classification, marking, queuing, and the difference between policing and shaping. It also covers securing remote access with SSH and the roles of TFTP and FTP.
How to study it. Keep the NAT terminology straight with a table: inside local is the private address on the host, inside global is the public address it is translated to, and PAT overloads many inside locals onto one inside global using port numbers. Learn syslog severities by the rule that 0 is most severe and 7 is least, and that policing drops or remarks excess traffic while shaping buffers it. For SSH, know the configuration steps in order: hostname, domain name, generate the RSA key, create a local user, and set transport input ssh on the VTY lines.
Easy to confuse
Policing versus shaping. Policing enforces a rate by dropping or remarking traffic that exceeds it, which is harsh but adds no delay; shaping buffers excess traffic and releases it later, smoothing bursts at the cost of latency. The exam matches the requirement (drop now versus delay and smooth) to the tool.
Inside local versus inside global in NAT. Inside local is the private address as seen inside the network; inside global is the public address the same host appears as outside, after translation. The trap mislabels the translated public address as inside local, or vice versa.
SNMP versus syslog. SNMP lets a manager poll device state and receive traps in a structured MIB; syslog is a one-way stream of event messages classified by facility and severity. The exam offers one when the scenario needs the other; structured metrics and polling point to SNMP, event logging points to syslog.
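The policing-versus-shaping distinction above, shown as a token-bucket simulation so the two behaviours can be compared on the same burst: the policer passes what the bucket allows and drops the rest with no delay, while the shaper queues the excess and releases it in later ticks. This is an added example, not code from the page or from any Cisco QoS implementation; the tick-based model, the rate and burst parameters and the arrival pattern are constructed for the demonstration.

```python
def police(arrivals, rate, burst):
    """Token-bucket policer.  Each tick refills `rate` tokens up to `burst`;
    packets beyond the available tokens are dropped (a real policer may
    remark them instead).  Nothing is ever delayed.
    Returns (passed_per_tick, dropped_per_tick)."""
    tokens = burst
    passed, dropped = [], []
    for n in arrivals:
        tokens = min(burst, tokens + rate)
        ok = min(n, tokens)
        tokens -= ok
        passed.append(ok)
        dropped.append(n - ok)
    return passed, dropped


def shape(arrivals, rate, burst):
    """Token-bucket shaper.  Excess packets wait in a queue and go out in
    later ticks, so nothing is dropped but bursts are smoothed at the cost
    of delay.  Keeps running until the queue drains.
    Returns (sent_per_tick, backlog_per_tick)."""
    tokens = burst
    queue = 0
    pending = list(arrivals)
    sent, backlog = [], []
    while pending or queue:
        queue += pending.pop(0) if pending else 0
        tokens = min(burst, tokens + rate)
        out = min(queue, tokens)
        queue -= out
        tokens -= out
        sent.append(out)
        backlog.append(queue)
    return sent, backlog


def compare(arrivals, rate, burst):
    """The summary that matters when matching the requirement to the tool:
    how much got through, and how deep the shaper's queue (delay) became."""
    p_pass, p_drop = police(arrivals, rate, burst)
    s_sent, s_backlog = shape(arrivals, rate, burst)
    return {
        "offered": sum(arrivals),
        "policer_passed": sum(p_pass),
        "policer_dropped": sum(p_drop),
        "shaper_sent": sum(s_sent),
        "shaper_ticks": len(s_sent),
        "shaper_max_backlog": max(s_backlog),
    }


# Constructed traffic: two bursts of 10 packets against a rate of 4 per tick
ARRIVALS = [10, 0, 0, 10, 0]

if __name__ == "__main__":
    print(compare(ARRIVALS, rate=4, burst=4))
```

On this input the policer delivers 8 of 20 packets and drops 12 within the original 5 ticks; the shaper delivers all 20 but needs 6 ticks and holds up to 6 packets in its queue, which is exactly the "drop now versus delay and smooth" trade-off the exam asks you to match to a requirement.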
Worked example from the 200-301 bank
Free sample (IP Services, medium)
A router runs inside source NAT so that a workstation in the private LAN can reach a public web server. The workstation holds a private RFC 1918 address, and the router rewrites the source to a registered public address before the packet leaves the WAN interface. Which NAT term describes that registered public address the workstation is translated to?
A. Inside local address, because it is the address the router assigns to the inside host before the packet is forwarded to the WAN.
B. Outside global address, because it is the public address that the inside host is given when its traffic crosses to the outside.
C. Inside global address, because it is the registered public address that represents the inside host as seen from the outside network. (Correct)
D. Outside local address, because it is the public address the inside host presents while communicating with the outside server.
Distinguish inside global as the translated public address of an inside host from the inside local and outside NAT terms. In Cisco NAT terminology the inside local address is the private address used inside, while the inside global address is the registered public address the router maps it to; outside local and outside global describe the far-end host, so only inside global names the translated public address of the inside host.
Why A is wrong: The inside local address is the private address the host actually uses inside the network, not the registered public address it is translated to, so this term is the wrong end of the mapping.
Why B is wrong: The outside global address is the real public address of the destination on the outside network, not the address assigned to the translated inside host, so the label is applied to the wrong host.
Why C is correct: The inside global address is exactly the routable public address the router substitutes for the inside host's private address, so outside devices see the inside host by this address.
Why D is wrong: The outside local address is how an outside host appears to devices inside the network, so it does not describe the inside host's own translated public address.
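The NAT terminology from "How to study it", the "Easy to confuse" item and the worked example above, as an added Python model of inside source NAT with overload (PAT). It is not code from the page or from Cisco IOS: the class, the sequential port allocation (IOS keeps the original source port when it is free; this model does not) and the addresses, taken from the RFC 1918 and documentation ranges, are the author's assumptions. Each translation entry is labelled with the four exam terms so the inside local / inside global distinction is visible on the data.

```python
import ipaddress


class PatTranslator:
    """Inside source NAT with overload (PAT) on one inside global address.

    Terminology as the exam uses it:
      inside local   - the private address the inside host really has
      inside global  - the registered public address it is translated to
      outside global - the real public address of the far-end host
      outside local  - how that far-end host appears to inside hosts (the
                       same address here, since no outside NAT is configured)
    """

    def __init__(self, inside_global, inside_networks, port_start=1024):
        self.inside_global = inside_global
        self.inside_networks = [ipaddress.ip_network(n) for n in inside_networks]
        self.next_port = port_start          # assumption: sequential allocation
        self.outbound_map = {}               # (inside_local, local_port) -> global_port
        self.inbound_map = {}                # global_port -> (inside_local, local_port)

    def is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.inside_networks)

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the WAN interface.  Returns (rewritten 4-tuple, table entry)."""
        if not self.is_inside(src):
            return (src, sport, dst, dport), None   # not an inside host: untouched
        key = (src, sport)
        if key not in self.outbound_map:
            gport = self.next_port
            self.next_port += 1
            self.outbound_map[key] = gport
            self.inbound_map[gport] = key
        gport = self.outbound_map[key]
        entry = {
            "inside_local": f"{src}:{sport}",
            "inside_global": f"{self.inside_global}:{gport}",
            "outside_local": f"{dst}:{dport}",
            "outside_global": f"{dst}:{dport}",
        }
        return (self.inside_global, gport, dst, dport), entry

    def inbound(self, src, sport, dst, dport):
        """Return traffic arriving on the WAN interface.  The destination port
        selects the inside host; a port with no entry has no translation."""
        if dst != self.inside_global or dport not in self.inbound_map:
            return None
        inside_local, local_port = self.inbound_map[dport]
        return (src, sport, inside_local, local_port)


def demo():
    """Constructed scenario: two LAN hosts using the same source port reach
    the same public web server through one inside global address."""
    nat = PatTranslator("203.0.113.10", ["192.168.1.0/24"])
    out1, entry1 = nat.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    out2, entry2 = nat.outbound("192.168.1.21", 51000, "198.51.100.5", 443)
    reply = nat.inbound("198.51.100.5", 443, "203.0.113.10", out2[1])
    return out1, out2, entry1, reply


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reverse lookup in inbound is the part worth noticing: with overload, only the translated port tells the router which inside local host a returning packet belongs to, which is why PAT lets many inside locals share a single inside global.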
What you must be able to do. Apply core security concepts and VPN types, harden device access with AAA, write standard and extended ACLs that match and are placed correctly, and configure Layer 2 and wireless security.
In one sentence. Securing the network: threats versus vulnerabilities, IPsec VPNs, AAA and device access control, standard and extended ACLs, and Layer 2 and wireless security.
Recall check: answer these from memory first
State where a standard ACL and an extended ACL should each be placed, and why the placement differs.
Convert the subnet mask 255.255.255.0 to its ACL wildcard mask, and explain the relationship.
Distinguish authentication, authorization, and accounting in one line each.
What it tests. Defining threats, vulnerabilities, exploits, and mitigations, security program elements, and IPsec remote-access versus site-to-site VPNs. It covers device access control with local accounts and enable secret, password policy and stronger alternatives, and the AAA split of authentication, authorization, and accounting. The heaviest part is standard and extended IPv4 ACLs: what they match, the implicit deny, wildcard masks, and placement. It also covers DHCP snooping, dynamic ARP inspection, port security, and WPA, WPA2, and WPA3.
How to study it. Make ACLs mechanical: standard ACLs match source only and go near the destination, extended ACLs match source, destination, protocol, and port and go near the source, lists are processed top-down with first-match wins, and an implicit deny any ends every list. Practise converting a subnet mask to its wildcard (invert each octet) because the exam tests it directly. For AAA, fix the three words: authentication proves who you are, authorization controls what you may do, accounting records what you did. For wireless, order the generations WPA, WPA2 (AES/CCMP), WPA3 (SAE).
Easy to confuse
Standard versus extended ACL placement. A standard ACL matches source only, so it is placed near the destination to avoid blocking traffic it should not; an extended ACL matches source and destination, so it is placed near the source to drop unwanted traffic early. The exam reverses the placement as the distractor.
Wildcard mask versus subnet mask. A subnet mask marks the network bits with ones; a wildcard mask is its inverse, where zero means match exactly and one means ignore. 255.255.255.0 becomes 0.0.0.255. The exam offers the subnet mask where a wildcard is required, especially in ACLs and OSPF network statements.
Authentication versus authorization. Authentication verifies identity (who you are); authorization decides what an authenticated identity may do. The trap describes a permissions or privilege-level decision and labels it authentication, or vice versa.
DHCP snooping versus dynamic ARP inspection. DHCP snooping blocks rogue DHCP servers on untrusted ports and builds a binding table; dynamic ARP inspection uses that same binding table to drop spoofed ARP. DAI depends on snooping, so a statically addressed host with no binding entry has its ARP dropped.
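The ACL mechanics from "How to study it" and the wildcard-mask item above, as an added Python example that is not code from the page or from Cisco IOS: wildcard conversion by inverting the mask, wildcard matching where a 0 bit must match and a 1 bit is ignored, and top-down first-match evaluation that ends in the implicit deny. The entry format, the constructed extended and standard lists and the sample packets are the author's own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is base 0.0.0.0 with an all-ones wildcard


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(mask):
    """Wildcard is the bitwise inverse of the subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """A 0 wildcard bit must match the base; a 1 bit is ignored."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def evaluate_acl(entries, packet):
    """Process the list top-down; the first matching line decides, and a
    packet that matches nothing hits the implicit deny any at the end.
    A standard entry carries only src; an extended entry may add proto,
    dst and dport.  Returns (action, line number or 'implicit')."""
    for line_no, e in enumerate(entries, start=1):
        if e.get("proto", "ip") not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if "dst" in e and not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if "dport" in e and e["dport"] != packet.get("dport"):
            continue
        return e["action"], line_no
    return "deny", "implicit"


# Constructed extended ACL: allow HTTPS from the LAN anywhere, block the LAN
# from the server subnet otherwise, then allow the rest.
EXTENDED_ACL = [
    {"action": "permit", "proto": "tcp", "src": ("10.1.1.0", "0.0.0.255"), "dst": ANY, "dport": 443},
    {"action": "deny", "proto": "ip", "src": ("10.1.1.0", "0.0.0.255"), "dst": ("192.168.50.0", "0.0.0.255")},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

# Constructed standard ACL: one permit line, so everything else is implicitly denied
STANDARD_ACL = [
    {"action": "permit", "src": ("10.1.1.0", "0.0.0.255")},
]

if __name__ == "__main__":
    https = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.50.3", "dport": 443}
    ssh = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.50.3", "dport": 22}
    print(evaluate_acl(EXTENDED_ACL, https), evaluate_acl(EXTENDED_ACL, ssh))
    print(evaluate_acl(STANDARD_ACL, {"proto": "ip", "src": "10.9.9.9", "dst": "10.1.1.1"}))
```

The HTTPS packet is permitted by line 1 even though line 2 would deny the same source and destination pair: order decides, which is why reordering two lines changes the result and why a list with only permit lines still drops everything it does not name.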
Worked example from the 200-301 bank
Free sample (Security Fundamentals, medium)
A security analyst is documenting an incident in which an unpatched web server was compromised. The server software contained a known coding flaw, the attacker used a publicly released piece of code that takes advantage of that flaw, and the result was full remote access. Using standard security terminology, what is the coding flaw itself best classified as?
A. A threat, because it represents the external party who has the intent and capability to cause harm to the server.
B. An exploit, because it is the mechanism that takes advantage of the weakness to achieve remote access.
C. A vulnerability, because it is a weakness in the system that could be used to compromise it. (Correct)
D. A mitigation, because identifying the flaw is the control that reduces the overall risk to the server.
Classify a system weakness or flaw as a vulnerability, distinct from the threat that endangers it and the exploit that leverages it. In security terminology a vulnerability is a weakness in a system such as an unpatched software defect, a threat is the potential danger or actor that could act against it, and an exploit is the specific code or technique that takes advantage of the vulnerability; the coding flaw matches the definition of a vulnerability.
Why A is wrong: A threat is the potential danger or the actor that could cause harm, such as the attacker; the coding flaw is the internal weakness being targeted, not the source of danger, so the term is misapplied.
Why B is wrong: The exploit is the piece of code or technique that leverages the weakness; the flaw is what gets leveraged, so calling the flaw itself the exploit confuses the weakness with the tool used against it.
Why C is correct: A vulnerability is a weakness or flaw in a system, such as an unpatched coding defect, that an attacker can leverage; the scenario describes exactly such a flaw, so this classification is correct.
Why D is wrong: A mitigation is a countermeasure such as patching or filtering that reduces risk; the flaw is the problem, not the control, so labelling the weakness a mitigation inverts the relationship between the risk and its remedy.
What you must be able to do. Explain how automation and controller-based architectures change network management, read REST and JSON, and recognise what Ansible and Terraform do.
In one sentence. The modern operations layer: automation and controller-based or software-defined networking, REST APIs and JSON, and configuration management with Ansible and Terraform.
Recall check: answer these from memory first
State which direction northbound and southbound APIs face on a network controller, and what sits at each end.
Map the four CRUD operations to their HTTP verbs.
Name the two configuration management tools in the v1.1 outline and the one-line role of each.
What it tests. How automation reduces manual, error-prone CLI work, and how a controller-based or software-defined architecture separates the control plane from the data plane, with an overlay, underlay, and fabric and northbound and southbound APIs. It covers cloud network management and Cisco Catalyst Center, the characteristics of REST APIs (CRUD mapped to HTTP verbs and status codes), reading JSON, and the capabilities of configuration management tools, which in the v1.1 outline means Ansible and Terraform.
How to study it. Anchor the SDN vocabulary to direction: northbound APIs face the applications above the controller, southbound APIs face the devices below it, and the control plane (decisions) is centralised away from the data plane (forwarding). For REST, map CRUD to verbs (create is POST, read is GET, update is PUT or PATCH, delete is DELETE) and learn to read a small JSON object to pull the value of a key. For configuration management, know that this is the v1.1 outline: it is Ansible (agentless, playbooks over SSH) and Terraform (declarative infrastructure as code), not the retired Puppet and Chef.
Easy to confuse
Northbound versus southbound API. A northbound API faces upward to applications and orchestration tools that consume the controller; a southbound API faces downward to the network devices the controller programs. The exam swaps the two directions.
Control plane versus data plane. The control plane decides how traffic should be forwarded (routing, topology); the data plane actually forwards the packets. Controller-based networking centralises the control plane and leaves forwarding on the devices, so a question about where decisions are made is about the control plane.
Ansible versus Terraform. Ansible is agentless configuration management and orchestration that pushes desired state to devices over SSH using playbooks; Terraform is declarative infrastructure as code that provisions and tracks infrastructure state. The v1.1 outline tests these two, not the retired Puppet or Chef.
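The REST and JSON skills from "How to study it" above, as an added Python example that is not code from the page, from Cisco or from Catalyst Center: it maps the CRUD operations to their HTTP verbs when building a request for a controller's northbound API (no network access is made), and it reads values out of a parsed JSON object by a dotted key path, including indexing into a list. The request builder, the path walker, the controller URL and resource name, and the sample response (a hypothetical schema, not Catalyst Center's real one) are constructed for the demonstration.

```python
import json

# CRUD to HTTP verb as the exam maps it (PATCH is the partial-update form of update)
CRUD_VERBS = {"create": "POST", "read": "GET", "update": "PUT", "delete": "DELETE"}


def rest_request(operation, base_url, resource, body=None):
    """Describe the request an application would send to a controller's
    northbound REST API.  Nothing is sent; this only builds the request."""
    req = {
        "method": CRUD_VERBS[operation],
        "url": f"{base_url}/{resource}",
        "headers": {"Accept": "application/json"},
    }
    if body is not None:
        req["headers"]["Content-Type"] = "application/json"
        req["body"] = json.dumps(body)
    return req


def read_key(document, path):
    """Pull a value out of a parsed JSON object by a dotted path; a numeric
    part indexes into a list, so 'devices.1.hostname' is the second device."""
    node = document
    for part in path.split("."):
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node


def unreachable_hosts(document):
    """Walk the device list and return the hostnames that are not reachable."""
    return [d["hostname"] for d in read_key(document, "response.devices")
            if d["reachability"] != "Reachable"]


# Constructed controller response (hypothetical schema) as it would arrive on the wire
SAMPLE_RESPONSE = json.loads("""
{
  "response": {
    "devices": [
      {"hostname": "dist-sw1", "managementIp": "10.0.0.1", "reachability": "Reachable"},
      {"hostname": "access-sw7", "managementIp": "10.0.0.7", "reachability": "Unreachable"}
    ],
    "count": 2
  },
  "version": "1.0"
}
""")

if __name__ == "__main__":
    print(rest_request("read", "https://controller.example.net", "network-devices"))
    print(read_key(SAMPLE_RESPONSE, "response.devices.1.hostname"))
    print(unreachable_hosts(SAMPLE_RESPONSE))
```

The read_key walk is the exam skill in miniature: keys select within an object (curly braces), integers select within an array (square brackets), and the two nest freely.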
Worked example from the 200-301 bank
Free sample | Automation and Programmability | medium
A network engineer is documenting how a traditional distributed network differs from an SDN architecture that separates the control plane from the data plane. In the SDN model, which function does the centralised controller take over from the individual forwarding devices?
A. Physically rewriting frames and pushing packets out of egress interfaces at line rate
B. Storing the MAC address table and performing per-frame hardware lookups inside the ASIC
C. Generating link-state hello packets on every interface to keep neighbour adjacencies alive
D. Building the forwarding logic and reachability decisions, then programming the resulting state down to the switches (Correct)
In SDN, the centralised controller owns the control plane and programs forwarding state into devices that retain only the data plane. Control and data plane separation means the controller centralises the intelligence that decides how traffic should be forwarded and installs that state into the network elements, while each device still performs the local job of moving packets out of its interfaces.
Why A is wrong: Tempting because the controller manages forwarding, but actually moving frames out of interfaces at line rate is the data plane function that stays on each switch, not the controller.
Why B is wrong: Per-frame ASIC lookups against the MAC table are data plane operations performed locally on the switch hardware, so this is not what the controller centralises.
Why C is wrong: This describes a traditional distributed control protocol running independently on each device, which is exactly the per-device behaviour an SDN controller replaces rather than performs on their behalf.
Why D is correct: Separating the control plane means the controller computes routing and forwarding intelligence centrally and pushes the resulting forwarding state to the devices, which keep only the data plane.
A study plan that works
Map the blueprint and set a date
Day 1
Read the official 200-301 exam topics and the six domains with their weights. Book a provisional exam date now: a fixed date converts open-ended study into a plan and is the single biggest predictor of actually sitting the exam.
Make subnetting automatic
Week 1
Subnetting underpins routing, ACLs, and OSPF, so do not move on until it is fast and reliable. Drill until you can give the network address, broadcast address, usable range, and host count for any prefix in seconds, then add VLSM and IPv6 compression and modified EUI-64. Use the recall prompts: cover the answer, work it out, then reveal.
Lock the switched access layer (Network Access)
Weeks 1-2
Get VLANs, 802.1Q trunking and the native VLAN, EtherChannel, and Rapid PVST+ solid. Practise the spanning-tree election and the LACP bundle rules until they are mechanical, and build comfort reading switch show output.
Go deep on IP Connectivity
Weeks 2-3
This is the heaviest-weighted domain. Drill the routing-decision order, the administrative-distance defaults, static and floating-static routes, and single-area OSPFv2 including DR and BDR election and the router ID. Use scenario questions with real routing-table output, not flashcards alone.
Cover IP Services and Security Fundamentals
Weeks 3-4
Work through NAT, NTP, DHCP, SNMP, syslog, and QoS, then the security domain: AAA, standard and extended ACLs with correct matching and placement, wildcard masks, and Layer 2 and wireless security. ACLs and NAT terminology are high-value, so practise them with scenarios.
Finish with Automation and a scenario pass
Week 5
Cover the automation domain (controller-based and software-defined networking, REST and JSON, Ansible and Terraform), which is conceptual and lower weight. Then move to full practice sets and read the explanation for every question, including the ones you got right, because the marks are in knowing why each distractor is wrong.
Sit a timed mock, then drill weak domains
Week 6
Take at least one full timed mock to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal, drill the two domains dragging you down rather than re-reading what you know, and repeat until every domain clears the line with margin.
Know when you're ready
Readiness for the CCNA is a score on questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading notes and watching videos builds fluency, and fluency feels like knowledge, so confidence rises while the ability to actually subnet under time pressure or pick the first-matching ACL line does not.
The fix is to test yourself on fresh scenarios. If you can take an unseen subnetting, OSPF, or ACL question, work the rule, and explain why the other options are off by one host or one election step, you know it. If you can only follow an explanation after seeing the answer, you do not yet. Be especially wary of the comfortable middle of study where the concepts read as obvious but the arithmetic is still slow: the exam is timed, and a rule you cannot apply quickly is a rule you do not have.
This guide gives you the map and the decision rules. The practice bank is where you find out whether you can apply them, with a worked explanation and a reason every distractor is wrong on every question. Set the bar at clearing every domain comfortably on unseen questions across more than one session, not scraping a target once, and let your measured per-domain accuracy, not your gut, tell you when you are ready.
Read the last line of the question first. It tells you whether you are being asked for a configuration, a resulting behaviour, or a fault, so you can read the scenario looking for that.
On any subnet question, write down the network address, broadcast address, and usable range before looking at the options. Most distractors are off by one because they count the network or broadcast as a usable host.
Know the administrative-distance defaults and the implicit deny cold. The wrong options are built from believable wrong numbers, so recall removes the trap.
For routing questions, apply the order strictly: longest prefix match first, then administrative distance, then metric. A more specific route wins even from a less trusted source.
Watch wildcard masks. Where an ACL or an OSPF network statement needs a wildcard, the subnet mask is the planted distractor.
Flag and move on. Do not lose time on one hard subnetting item when easier marks are waiting; cover every question first, then return to the flagged ones.
On simulation and configuration items, verify as you go (show running-config, show ip interface brief) rather than assuming a command took effect.
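The subnet arithmetic the Week 1 drill and the tips above ask you to write down, together with the routing decision order (longest prefix match, then administrative distance, then metric), as an added example that is not from this guide: the routing table is constructed sample data and the ADs are the standard Cisco defaults.

```python
"""Added example: subnet facts and the strict routing-decision order from the tips above.
ROUTES is a constructed table, not output from any real device."""
import ipaddress

def subnet_facts(cidr):
    """Return what the exam asks for: network, broadcast, first/last usable host, host count."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.prefixlen >= 31:
        # /31 (point-to-point) and /32 have no separate network/broadcast addresses
        addrs = list(net)
        return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
                "first": str(addrs[0]), "last": str(addrs[-1]), "hosts": len(addrs)}
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "hosts": net.num_addresses - 2,   # minus network and broadcast: the classic off-by-one trap
    }

# Constructed routing table: (prefix, administrative distance, metric, description).
# Default ADs: connected 0, static 1, EIGRP 90, OSPF 110, RIP 120.
ROUTES = [
    ("10.1.0.0/16",   110, 20, "OSPF via 10.0.0.2"),
    ("10.1.5.0/24",   120, 3,  "RIP via 10.0.0.3"),     # more specific than the /16, still wins over it
    ("10.1.5.0/24",   1,   0,  "static via 10.0.0.4"),  # same prefix, lower AD: beats the RIP route
    ("10.1.5.128/25", 110, 30, "OSPF via 10.0.0.5"),
    ("10.1.5.128/25", 110, 10, "OSPF via 10.0.0.6"),    # same prefix and AD: lower metric wins
    ("0.0.0.0/0",     1,   0,  "static default"),
]

def best_route(destination, routes=ROUTES):
    """Apply the order strictly: longest match first, then lowest AD, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    # sort key: most specific prefix (negated so min() picks it), then AD, then metric
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[1], r[2]))[3]

if __name__ == "__main__":
    print(subnet_facts("192.168.10.77/26"))   # hosts: 62, usable .65 to .126
    print(best_route("10.1.5.10"))            # static via 10.0.0.4
```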
Frequently asked questions
Is the CCNA 200-301 hard?
It is an associate exam that is broad and applied rather than deep. The difficulty is breadth plus precision under time pressure: you must subnet quickly, recall default values, and apply precedence rules exactly. With steady practice on scenario questions it is very passable, and the worked explanations are where the real learning happens.
How long should I study for the CCNA?
Most candidates need two to four months of consistent study, depending on background. If subnetting, spanning tree, and OSPF are new, lean towards the longer end and spend the early weeks making subnetting automatic before moving to routing.
Do I need to know subnetting by hand?
Yes, and quickly. Subnetting underpins routing, ACLs, and OSPF network statements, and the exam is timed, so a slow method costs you marks across the whole paper. Drill it until network address, broadcast, usable range, and host count are near-instant for any prefix.
What is the pass mark for the CCNA?
Cisco scores the exam on a scaled range and does not publish a fixed percentage; the figure in the facts panel above is the guide value. Because scoring is scaled, aim to clear every domain comfortably on unseen practice questions rather than targeting a single number.
Which domains carry the most weight?
IP Connectivity is the largest single domain, with Network Fundamentals and Network Access close behind. Together those three are the bulk of the exam, so they deserve the most study time; IP Services, Security Fundamentals, and Automation are smaller but still need solid coverage.
Is the 200-301 still current, and what changed in v1.1?
Yes. The v1.1 update kept the six domains and their weights and refreshed the content: generative AI and machine learning in network operations, cloud network management, and configuration management with Ansible and Terraform rather than the retired Puppet and Chef. Study the current tools and framing.
Are there still simulations on the exam, or just multiple choice?
The real exam mixes multiple choice with drag-and-drop and hands-on simulation and configuration items, so command-line fluency matters. This practice bank focuses on single-best and multiple-response questions with full per-option explanations to build the underlying reasoning; pair it with hands-on lab practice for the simulation items.
How many practice questions should I do before booking?
Enough that every domain clears the line with margin on questions you have not seen before, and that a full timed mock feels comfortable on pacing. Quality of review beats raw volume: read the explanation on every question, including the ones you answered correctly.
Examworthy is not affiliated with or endorsed by Cisco. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. 200-301 and related marks belong to their respective owners.