Interview Prep · Published May 2026

Top 10 CCNA 200-301 interview questions and how to answer them in 2026

Published May 20, 2026 · ~6 min read · No Cisco or training-vendor revenue
Exam fee: $300
Exam length: 120 min
Topic domains: 6
Network engineer salary: $70–95k
TL;DR — the 30-second version

The CCNA 200-301 is the resume gate for Network Engineer and NOC roles. The exam costs $300, runs 120 minutes, and spans six topic domains. Holding it gets you the interview. Answering these 10 questions the operational way — including the gotcha each one hides — gets you the offer.

These questions came up most frequently in network-engineering interviews reported by candidates through 2025–2026. They test configuration judgment, not flashcard recall.

The 10 questions

1. What’s the difference between a collision domain and a broadcast domain?

A collision domain is a segment where two frames can collide. Every switch port is its own collision domain — that’s why switches replaced hubs, which shared one. A broadcast domain is every device that receives a given broadcast frame, bounded by a router or by a VLAN. Each VLAN is a separate broadcast domain. Mixing the two terms up is the fastest way to lose a screening call.

2. A host can’t reach a server on another subnet. Walk me through your troubleshooting.

Work the layers bottom-up: interface and cabling up, then a correct IP/mask/default-gateway on the host, then ARP resolving the gateway MAC, then the router holding a route to the destination (show ip route), then no ACL dropping the packet, and finally a valid return path. Candidates who ping once and blame DNS without opening the routing table are the red flag.

3. What is a VLAN, and how does a trunk carry several of them?

A VLAN is a logical broadcast domain on a switch. An access port belongs to exactly one VLAN; a trunk port carries many by adding an 802.1Q tag — a 12-bit VLAN ID — to each frame. The native VLAN is the exception: its frames cross the trunk untagged. A native-VLAN mismatch between the two ends of a trunk is a classic interview gotcha.
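
The tagging rule and the native-VLAN mismatch, as an added example that is not part of the original article. The function names, VLAN numbers and the sample frame are constructed for illustration; only the 802.1Q layout (TPID 0x8100 followed by a 16-bit field whose low 12 bits are the VLAN ID) is standard.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def send_on_trunk(frame, vlan, native_vlan):
    """Egress side of a trunk: tag the frame unless it belongs to the native VLAN."""
    if vlan == native_vlan:
        return frame                                  # native VLAN crosses untagged
    tci = vlan & 0x0FFF                               # PCP=0, DEI=0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def receive_on_trunk(frame, native_vlan):
    """Ingress side: return (vlan, frame_without_tag) as the receiving switch sees it."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, frame                     # untagged: local native VLAN
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def vlan_at_far_end(frame, vlan, native_a, native_b):
    """VLAN the frame lands in after crossing a trunk from switch A to switch B."""
    return receive_on_trunk(send_on_trunk(frame, vlan, native_a), native_b)[0]

# Constructed sample: broadcast destination, locally administered source, IPv4 EtherType.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed-payload"

if __name__ == "__main__":
    print(vlan_at_far_end(FRAME, 20, 1, 1))      # tagged VLAN survives the trunk
    print(vlan_at_far_end(FRAME, 10, 10, 10))    # native VLAN, both ends agree
    print(vlan_at_far_end(FRAME, 10, 10, 99))    # mismatch: VLAN 10 traffic lands in 99
```

With mismatched native VLANs the frame is never dropped; it is silently reclassified into the receiver's native VLAN, which is why the fault shows up as traffic crossing a boundary that was meant to isolate it.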

4. Why does Spanning Tree Protocol exist, and how is the root bridge elected?

Layer 2 frames have no TTL, so a single switching loop floods until the network collapses. STP blocks redundant links to leave one loop-free path. The root bridge wins on lowest bridge ID — priority first (default 32768), then lowest MAC address as the tie-breaker. The real-world answer: set priority deliberately so a core switch is root, never leave it to the MAC address.

5. OSPF or a static route — when do you pick which?

Static routes are deterministic and cheap on CPU but blind to a link failure. OSPF is a link-state IGP: it floods LSAs, builds a topology map, and reconverges on its own. Use static for stub networks and a default route to the ISP; use OSPF where redundancy and scale matter. Bonus point: OSPF elects a DR/BDR on multi-access segments to cut the adjacency count.

6. Given 192.168.10.0/24, you need at least 6 subnets. What mask?

A /27 (255.255.255.224): three borrowed bits give 8 subnets of 30 usable hosts each — the smallest mask that clears 6. The follow-up tests VLSM: use /30s for the point-to-point router links instead of applying one mask everywhere. Showing you’d size each subnet to its host count beats reciting the powers of two.
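
Both halves of the answer worked through in code, as an added example that is not part of the original article: the equal-size split that yields the /27, then a VLSM plan that sizes each subnet to its host count. The subnet names and host counts in NEEDS are constructed assumptions.

```python
import ipaddress

def prefix_for_subnets(network, count):
    """Shortest prefix that splits `network` into at least `count` equal subnets."""
    net = ipaddress.ip_network(network)
    return net.prefixlen + (count - 1).bit_length()   # bits borrowed from the host part

def equal_subnets(network, count):
    """The equal-size subnets produced by that prefix."""
    net = ipaddress.ip_network(network)
    return list(net.subnets(new_prefix=prefix_for_subnets(network, count)))

def vlsm_plan(network, needs):
    """Allocate one subnet per requirement, largest first, each sized to its hosts."""
    net = ipaddress.ip_network(network)
    cursor = int(net.network_address)
    last = int(net.broadcast_address)
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        # Need 2**host_bits >= hosts + 2 (network and broadcast addresses).
        host_bits = max(2, (hosts + 1).bit_length())
        size = 1 << host_bits
        cursor = -(-cursor // size) * size            # round up to a block boundary
        if cursor + size - 1 > last:
            raise ValueError(f"{network} is too small for {name}")
        plan[name] = ipaddress.ip_network((cursor, 32 - host_bits))
        cursor += size
    return plan

# Constructed requirements: usable hosts needed per segment.
NEEDS = {"users": 60, "servers": 28, "mgmt": 12, "wan-a": 2, "wan-b": 2}

if __name__ == "__main__":
    subnets = equal_subnets("192.168.10.0/24", 6)
    print(len(subnets), subnets[0].netmask, subnets[0].num_addresses - 2)
    for name, subnet in vlsm_plan("192.168.10.0/24", NEEDS).items():
        print(f"{name:8} {subnet}  usable={subnet.num_addresses - 2}")
```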

7. What’s the difference between NAT and PAT?

NAT maps inside addresses to outside addresses one-to-one. PAT — NAT overload — maps many inside hosts onto a single public IP by tracking a unique source port per flow. PAT is what virtually every home and branch office runs; it’s the reason one public IP can serve a whole office full of devices.

8. Standard vs. extended ACL — and where do you place each?

A standard ACL matches source IP only, so place it close to the destination to avoid filtering traffic too broadly. An extended ACL matches source, destination, protocol, and port, so place it close to the source to drop unwanted traffic early. And never forget the implicit deny any at the end of every ACL.
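
A small first-match evaluator showing why placement follows from what each ACL type can match, and what the implicit deny does to a list with no permit entry. This is an added example, not part of the original article and not Cisco code; the Ace class, the addresses and port 443 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: str                      # source network in CIDR form
    dst: Optional[str] = None     # extended ACL only
    proto: Optional[str] = None   # extended ACL only, e.g. "tcp"
    port: Optional[int] = None    # extended ACL only, destination port

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny any."""
    for ace in acl:
        if not in_net(pkt["src"], ace.src):
            continue
        if ace.dst is not None and not in_net(pkt["dst"], ace.dst):
            continue
        if ace.proto is not None and pkt["proto"] != ace.proto:
            continue
        if ace.port is not None and pkt["dport"] != ace.port:
            continue
        return ace.action
    return "deny"

def pkt(src, dst, proto="tcp", dport=443):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

ANY = "0.0.0.0/0"
# Constructed goal: keep host 10.1.1.50 off server 10.2.2.10, leave everything else alone.
STANDARD = [Ace("deny", "10.1.1.50/32"), Ace("permit", ANY)]
EXTENDED = [Ace("deny", "10.1.1.50/32", "10.2.2.10/32", "tcp", 443), Ace("permit", ANY)]
NO_PERMIT = [Ace("deny", "10.1.1.50/32", "10.2.2.10/32", "tcp", 443)]

if __name__ == "__main__":
    other = pkt("10.1.1.50", "10.3.3.10")                  # same host, different server
    print(evaluate(STANDARD, other))                       # source-only match cannot spare it
    print(evaluate(EXTENDED, other))                       # destination-aware match can
    print(evaluate(NO_PERMIT, pkt("10.1.1.60", "10.3.3.10")))  # unrelated host, no permit entry
```

The standard list returns the same verdict for every destination, so it only does what was intended on an interface where the protected server is the only thing behind it.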

9. What does DHCP do, step by step, when a host boots?

DORA: Discover (the client broadcasts), Offer (a server proposes a lease), Request (the client accepts that offer), Acknowledge (the server confirms). A host sitting on a 169.254.x.x address pulled an APIPA address — DHCP failed. Across a routed network the gateway needs an ip helper-address so the broadcast reaches a DHCP server on another subnet.

10. CCNA added automation and programmability — why, and what do these roles pay in 2026?

Because network changes increasingly arrive as code: REST APIs, JSON payloads, and tools like Ansible instead of hand-typed CLI. The 2026 blueprint expects you to read JSON and contrast controller-based (SDN) with traditional networking. Network Engineer roles in the US open at $70,000–$95,000 and climb past $110,000 once the CCNA is paired with a cloud associate cert. The official Cisco CCNA 200-301 exam topics are the authoritative list of what’s tested; the BLS Occupational Outlook puts the 2024 median for network and computer systems administrators in the mid-$90,000s.

What these questions test

Every question here has a textbook answer and an operational answer. Interviewers want the operational one — the version that names the gotcha: the native-VLAN mismatch, the implicit deny any, APIPA meaning DHCP failed, STP priority winning over MAC address. Passing the CCNA proves you know the protocols. Answering these the operational way proves you’ve configured and broken a real network — which is what gets the offer.


Frequently asked questions

What’s the difference between a collision domain and a broadcast domain?

A collision domain is a segment where frames can collide — every switch port is its own. A broadcast domain is every device that receives a broadcast frame, bounded by a router or a VLAN. Each VLAN is a separate broadcast domain.

How does a trunk carry more than one VLAN?

A trunk port tags each frame with an 802.1Q header carrying a 12-bit VLAN ID. The native VLAN is the exception — its frames cross untagged. A native-VLAN mismatch between trunk ends is a frequent fault.

How is the STP root bridge elected?

Lowest bridge ID wins: priority first (default 32768), then lowest MAC address as the tie-breaker. Set priority deliberately so a core switch becomes root instead of leaving it to the MAC address.

What’s the difference between NAT and PAT?

NAT maps inside to outside addresses one-to-one. PAT (NAT overload) maps many inside hosts onto one public IP using unique source ports — the reason a single public IP serves a whole office.

How much do network engineer roles pay in 2026?

$70,000–$95,000 entry in the US for CCNA holders, climbing past $110,000 once the CCNA is paired with a cloud associate cert. BLS puts the 2024 median for network and systems administrators in the mid-$90,000s.

How we wrote this

No Cisco or training-vendor revenue. Questions were sourced from candidate reports on Reddit, Discord, and LinkedIn interview threads from 2025–2026, cross-referenced against the official Cisco CCNA 200-301 exam topics. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Indeed as of Q1–Q2 2026.

Last reviewed: May 20, 2026.