CCNA 200-301 Complete Course

Understanding the OSI model is foundational to every CCNA topic. When troubleshooting, work from Layer 1 upward: verify the physical cable first, then check the data link (MAC/ARP), then network (IP/routing), and finally transport and application layers. The TCP/IP model is what you will encounter in production, but the OSI model provides the vocabulary used throughout the exam.

The CCNA exam tests your ability to identify the right topology for a given scenario. Star topologies dominate campus LANs because they simplify management and isolate faults. For the exam, know the difference between a WAN, LAN, WLAN, SAN, and SOHO network, and understand how spine-leaf architectures are used in modern data centers as an alternative to three-tier designs.

Subnetting is heavily tested on the CCNA. Practice until you can subnet in your head: know the powers of 2, memorize the key subnet boundaries (/25 = 128, /26 = 64, /27 = 32, /28 = 16, /29 = 8, /30 = 4), and always remember to subtract 2 for the network and broadcast addresses. VLSM lets you assign different-sized subnets to different segments, which is critical for efficient IP space usage.

IPv6 is a significant portion of the CCNA 200-301 exam. Unlike IPv4, IPv6 has no broadcast — it uses multicast and anycast instead. Remember the key multicast addresses: FF02::1 (all nodes), FF02::2 (all routers), FF02::1:FF00::/104 (solicited-node). For the exam, be comfortable shortening IPv6 addresses, identifying address types by their prefix, and explaining how SLAAC works with NDP.

Switches are Layer 2 devices that make forwarding decisions based on MAC addresses. When a frame arrives, the switch looks up the destination MAC in its MAC address table. If found, it forwards out the specific port; if not, it floods the frame. Understanding this process is essential because VLANs, STP, and port security all build on top of basic switch forwarding behavior.

VLANs are one of the most heavily tested CCNA topics. Remember that VLANs are locally significant to each switch; you need a trunk link to extend a VLAN across switches. Always verify trunk status with show interfaces trunk and VLAN assignment with show vlan brief. A common exam trap: DTP (Dynamic Trunking Protocol) can auto-negotiate trunk links, but best practice is to manually configure trunks and disable DTP with switchport nonegotiate.

STP is critical for any switched network with redundant links. For the exam, know how the root bridge is elected (lowest priority wins, then lowest MAC as tiebreaker), how path cost determines root and designated ports (the lower the cost, the better), and the differences between classic STP, RSTP, and PVST+. Cisco uses Per-VLAN Spanning Tree Plus (PVST+) by default, running a separate STP instance per VLAN. Rapid PVST+ is the recommended mode for modern networks.

All member interfaces in an EtherChannel must share identical speed, duplex, VLAN configuration, and trunk settings. A mismatch causes the channel to fail or enter a suspended state. Always prefer LACP over PAgP because it is the open standard and supports up to 16 links (8 active + 8 standby). Verify status with show etherchannel summary and look for the (SU) flag indicating the port-channel is Layer 2, in use, and bundled correctly.

Static routes are the simplest form of routing but do not adapt to topology changes. Use them in small networks, for default routes, and as floating static routes (set AD higher than the dynamic protocol, e.g., ip route 10.0.0.0 255.0.0.0 192.168.1.1 200 as a backup to OSPF). For the exam, practice reading routing table output from show ip route and identifying the source code (C for connected, S for static, O for OSPF, etc.).

OSPF is the only dynamic routing protocol tested in depth on the CCNA 200-301. For single-area OSPF, all interfaces belong to Area 0 (backbone). Understand the cost formula: Reference Bandwidth (default 100 Mbps) / Interface Bandwidth. For modern networks, adjust the reference bandwidth with auto-cost reference-bandwidth 10000 to differentiate between gigabit and 10-gigabit links. Verify OSPF with show ip ospf neighbor and show ip ospf interface.

Multi-area OSPF is tested at an awareness level on the CCNA. You need to understand why areas exist, how ABRs summarize routes between areas, and how to identify route types in the routing table. Remember that all non-backbone areas must attach to Area 0 — a virtual link is the workaround when direct attachment is not possible. For troubleshooting, verify area assignments match on both sides of a link using show ip ospf interface brief.

HSRP is the FHRP most tested on the CCNA. Know how to configure it: standby [group] ip [virtual-ip], standby [group] priority [value], and standby [group] preempt. Without preemption, a recovered higher-priority router will not reclaim the Active role. Verify with show standby. While VRRP and GLBP are tested at an awareness level, understand their key differences from HSRP, especially that VRRP preempts by default and GLBP provides load balancing.

NAT is essential because IPv4 address exhaustion means organizations must translate private addresses to public ones. The exam frequently tests NAT terminology — make sure you can identify the four address types (inside local, inside global, outside local, outside global) in a given scenario. PAT is by far the most widely deployed; configure it with ip nat inside source list [ACL] interface [outside-if] overload. Do not forget to mark interfaces as ip nat inside or ip nat outside.

DHCP is almost guaranteed to appear on the CCNA exam. Memorize the DORA process and know that the client initially uses 0.0.0.0 as the source and 255.255.255.255 as the destination. If a client gets a 169.254.x.x address (APIPA), DHCP has failed. For DNS, understand that it translates human-readable domain names to IP addresses and be able to identify common record types. Both DHCP (67/68) and DNS (53) are UDP-based protocols.

NTP and SNMP are both tested at the foundational level. For NTP, know that lower stratum values are more accurate, and always configure at least two NTP servers for redundancy. For SNMP, the exam focuses on the differences between versions: v2c is widely deployed but insecure; v3 is the only version that provides encryption. Read-only community strings allow monitoring; read-write strings allow configuration changes and must be protected carefully.

QoS is tested at a conceptual level on the CCNA. You do not need to configure complex QoS policies, but you must understand the end-to-end QoS model: classify and mark traffic as close to the source as possible, then honor those markings at every hop. Know that voice traffic requires less than 150ms one-way latency, less than 30ms jitter, and less than 1% packet loss. DSCP is the modern standard for marking; the older IP Precedence field uses only 3 bits.

The CCNA security domain is broad but tested at a conceptual level. Understand the CIA triad as the foundation of all security decisions. Know the difference between IDS (detection, passive, out-of-band) and IPS (prevention, inline, can drop packets). For VPNs, be familiar with IPsec concepts: AH provides authentication only, ESP provides encryption and authentication. GRE tunnels are unencrypted but can be combined with IPsec for encrypted site-to-site connectivity.

ACLs are heavily tested on the CCNA. The most common mistake is placing a standard ACL too close to the source, which blocks traffic to all destinations. Remember the rule of thumb: standard ACLs near the destination, extended ACLs near the source. When writing ACLs, always include a remark (remark [description]) for documentation. Use show access-lists to verify match counts and show ip interface [interface] to confirm ACL application direction.

For the CCNA, understand the differences between RADIUS and TACACS+: RADIUS is best for network access control, TACACS+ is best for device administration. In an 802.1X deployment, the switch acts as a middleman — it does not make the authentication decision itself but relays EAP messages between the supplicant and the RADIUS server. Until authentication succeeds, the port only allows EAPOL (EAP over LAN) frames. Know that ISE (Identity Services Engine) is Cisco's enterprise AAA and policy platform.

Wireless security and Layer 2 security features are both part of this exam domain. For wireless, know that WPA2-Enterprise with 802.1X is the recommended approach for organizations. WPA3-Personal's SAE handshake is a significant improvement over WPA2-Personal's 4-way handshake because it prevents offline brute-force attacks. For port security, the default violation mode is shutdown, which err-disables the port. Recovery requires shutdown then no shutdown on the interface, or configure errdisable recovery.

The automation domain is worth approximately 10% of the CCNA exam. You need to understand concepts rather than write code. Know the three planes: management plane (SSH, SNMP, APIs for accessing the device), control plane (routing protocols, STP, ARP), and data plane (actual forwarding of packets). Controller-based architectures centralize the control plane, making the network programmable and easier to manage at scale.

For the CCNA, you must be able to read and interpret JSON output from a REST API. Know what each HTTP method does and which are idempotent (GET, PUT, DELETE produce the same result when called multiple times; POST does not). Understand that CRUD operations map to HTTP methods: Create = POST, Read = GET, Update = PUT/PATCH, Delete = DELETE. Be able to compare JSON, YAML, and XML data formats and identify their syntax differences.

The CCNA tests your awareness of these tools, not your ability to write playbooks or recipes. The key exam points are: Ansible is agentless and push-based (best for network devices that cannot run agents), Puppet and Chef are agent-based and pull-based. All three tools are idempotent and declarative — you define the desired end state, not the step-by-step commands. Ansible is the most widely used tool for network automation because network devices (routers, switches) typically support SSH but not custom agents.

SDN concepts are tested at a high level. Know the three-layer SDN architecture and the direction of the APIs: northbound (controller to application, typically REST) and southbound (controller to device, e.g., OpenFlow, NETCONF, RESTCONF). For Cisco SD-WAN, understand that vManage provides the GUI, vSmart handles control-plane policy, and vEdge routers form the data plane. NETCONF uses YANG data models to define the structure of configuration and operational data — YANG is to NETCONF what MIB is to SNMP.