Why the CCNA consolidation matters
Before 2020, Cisco offered separate CCNA-level certifications for Routing & Switching, Security, Cloud, Wireless, Data Centre, and CyberOps Associate. Engineers had to pick a track and accept blind spots in the others. The 200-301 exam replaced all of them with a single syllabus that mirrors how modern infrastructure actually operates: the same engineer who configures a VLAN today may push a Python automation script tomorrow. The consolidation also removed prerequisites — you can sit 200-301 without holding any prior Cisco credential.
The exam costs $330 USD and is delivered through Pearson VUE test centres and online proctoring. Cisco does not publish a fixed passing threshold, but candidate experience consistently places the passing score at approximately 825 out of 1000. The question types that catch candidates off guard are the simulation items: you are dropped into a virtual terminal and must configure or troubleshoot a live device. No multiple-choice options, no partial credit for half-right commands. These items cannot be memorised — they must be practised.
Everything on the CCNA flows from one principle: data moves through layers. Frames carry packets, packets carry segments, segments carry data. If you can trace a communication problem to the exact OSI layer where it is breaking — and name the correct tool, protocol, or command to fix it at that layer — you are thinking like a network engineer, not just recalling definitions.
The six exam domains
Cisco publishes the full 200-301 exam topics at learningnetwork.cisco.com. The six domains and their approximate weights are:
Domain 1 — Network Fundamentals (20%)
The foundation that every other domain builds on. Candidates who rush past this section struggle later with IP connectivity and security.
- OSI and TCP/IP models: Know which protocols live at which layer, and — more importantly — know which layer a given problem is most likely to originate from. Exam scenarios describe a symptom; you must identify the layer.
- Ethernet and switching: How a switch builds its MAC address table, how frames are forwarded versus flooded, and the difference between half-duplex and full-duplex operation. Collision domains vs broadcast domains.
- IPv4 addressing and subnetting: The deepest study investment in this domain. You must subnet quickly under exam time pressure — binary method or the increment shortcut, whichever you can execute reliably in under 30 seconds per question.
- IPv6: Address types (global unicast, link-local, multicast), EUI-64 interface ID generation, and the neighbour discovery protocol (NDP) that replaces ARP in IPv6 networks.
- Wireless basics: 802.11 standards (a/b/g/n/ac/ax), the 2.4 GHz vs 5 GHz band trade-offs, BSS vs ESS topologies, and infrastructure vs ad hoc modes.
Domain 2 — Network Access (20%)
This domain covers how traffic is segmented and controlled at Layer 2 — the switch layer that underpins every campus and data centre network.
- VLANs and trunking: Creating VLANs, assigning access ports, configuring 802.1Q trunks with switchport mode trunk, and native VLAN behaviour. Inter-VLAN routing via a router-on-a-stick or a Layer 3 switch.
- Spanning Tree Protocol: How STP eliminates Layer 2 loops by electing a root bridge and blocking redundant ports. Port states (blocking → listening → learning → forwarding), and why Rapid PVST+ (802.1w) is the default on modern Cisco switches. PortFast and BPDU Guard for access ports connected to end devices.
- EtherChannel: Bundling multiple physical links into one logical interface for bandwidth and redundancy. LACP (open standard) vs PAgP (Cisco-proprietary) negotiation modes.
- Wireless LAN architecture: Autonomous APs vs controller-based deployments (Cisco WLC), SSID-to-VLAN mapping, and the management and data plane split in controller architectures.
Domain 3 — IP Connectivity (25%)
The largest domain by weight. It covers how routers move traffic between networks — the core skill set of a network engineer.
- IP routing fundamentals: How a router uses its routing table, the concept of administrative distance (AD) for resolving conflicts between routing sources, and the longest-prefix match rule.
- Static routes: Next-hop static routes vs exit-interface static routes, floating static routes (backup paths using elevated AD), and the default route (ip route 0.0.0.0 0.0.0.0).
- OSPFv2 (single-area): The CCNA covers only single-area OSPF, but covers it deeply. DR/BDR election on multi-access networks, neighbour adjacency formation, LSA types, and the show ip ospf neighbor / show ip route ospf verification commands. OSPFv3 for IPv6 follows the same mechanics with different syntax.
- First-hop redundancy: HSRP (Hot Standby Router Protocol) provides a virtual IP and virtual MAC that client default gateways point to. Active/standby election, preemption, and how failover works when the active router goes down.
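The route-selection rules in this domain (administrative distance between sources, then longest-prefix match when forwarding, with a floating static route as backup) can be traced in a short model. This is an added example, not part of the original article; the prefixes, next hops and function names are constructed for illustration, and the AD values for connected, static and OSPF routes are the IOS defaults.

```python
import ipaddress

# Constructed candidate routes: (prefix, source, administrative distance, next hop)
ROUTES = [
    ("0.0.0.0/0",    "static",    1,   "203.0.113.1"),
    ("10.0.0.0/8",   "ospf",      110, "10.255.0.2"),
    ("10.1.0.0/16",  "ospf",      110, "10.255.0.6"),
    ("10.1.0.0/16",  "static",    200, "10.255.0.10"),  # floating static (backup)
    ("10.1.20.0/24", "connected", 0,   "GigabitEthernet0/1"),
]

def build_table(candidates):
    """Install one route per prefix: the candidate with the lowest AD wins."""
    table = {}
    for prefix, source, ad, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        best = table.get(net)
        if best is None or ad < best[1]:
            table[net] = (source, ad, next_hop)
    return table

def lookup(table, destination):
    """Forward on the longest matching prefix; AD plays no part at this stage."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in table if dst in net]
    if not matches:
        return None  # no matching route and no default: the packet is dropped
    net = max(matches, key=lambda n: n.prefixlen)
    source, _ad, next_hop = table[net]
    return str(net), source, next_hop

if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("10.1.20.7", "10.1.99.1", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    # Simulate losing the OSPF-learned 10.1.0.0/16: the floating static takes over.
    failover = build_table([r for r in ROUTES
                            if not (r[0] == "10.1.0.0/16" and r[1] == "ospf")])
    print("after OSPF loss:", lookup(failover, "10.1.99.1"))
```

AD is compared only between routes to the same prefix; a more specific prefix always wins the forwarding decision regardless of its AD.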
Domain 4 — IP Services (10%)
The smallest domain by weight but frequently tested in scenario questions, because these are the services that keep networks running day-to-day.
- NAT: Static NAT (one-to-one), dynamic NAT (pool), and PAT/NAT overload (many-to-one using port numbers). Verification with show ip nat translations.
- DHCP: Configuring a Cisco router as a DHCP server, excluding addresses, and the ip helper-address command that forwards DHCP broadcasts across router interfaces to a centralised DHCP server.
- DNS: How name resolution works in a network context, and ip domain-lookup / ip name-server configuration on IOS.
- NTP: Synchronising device clocks with ntp server and ntp master. Stratum levels. Why time synchronisation matters for log correlation during incident response.
- QoS concepts: Differentiated Services Code Point (DSCP) marking, queuing mechanisms (FIFO, weighted fair queuing, LLQ), and policing vs shaping — understand the concepts; the exam does not require deep QoS configuration.
- SSH: Configuring SSH access on an IOS device (crypto key generate, ip ssh version 2, transport input ssh on VTY lines). Why Telnet is insecure and should not appear in a properly configured exam topology.
Domain 5 — Security Fundamentals (15%)
Network security at Layer 2 through Layer 4. This domain has grown in scope since the original CCNA R&S, reflecting the reality that basic security configuration is now expected of every network engineer.
- Access Control Lists (ACLs): Standard ACLs (match source IP only, applied close to destination), extended ACLs (match source, destination, protocol, port — applied close to source), and named ACLs. The implicit deny at the end of every ACL. Verification with show access-lists and hit count monitoring.
- Layer 2 security: DHCP snooping (builds a binding table, drops DHCP offers from untrusted ports), Dynamic ARP Inspection (validates ARP packets against the DHCP snooping table), and port security (limit MAC addresses per port, shutdown on violation).
- AAA concepts: Authentication (who are you?), authorisation (what can you do?), and accounting (what did you do?). RADIUS vs TACACS+ — RADIUS is UDP, encrypts only the password; TACACS+ is TCP, encrypts the entire payload and separates auth/authz/accounting.
- VPN concepts: Site-to-site vs remote-access VPNs, IPsec IKEv1/IKEv2 phases, and SSL/TLS VPNs. The exam tests conceptual understanding, not deep IPsec configuration.
- Wireless security: WPA2 (AES/CCMP) vs WPA3, 802.1X port-based authentication, and the difference between personal (PSK) and enterprise (RADIUS) wireless security modes.
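The ACL behaviour listed above (top-down first match, wildcard masks, the implicit deny, and hit counts) can be modelled in a few lines. This is an added example, not part of the original article; the ACL entries, addresses and function names are constructed, and the model covers only protocol, source, destination and a single destination port.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard logic: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Constructed extended ACL:
# (action, protocol, src, src wildcard, dst, dst wildcard, dst port or None)
ACL = [
    ("deny",   "tcp", "10.1.20.0", "0.0.0.255", "10.1.99.10", "0.0.0.0",   23),
    ("permit", "tcp", "10.1.20.0", "0.0.0.255", "10.1.99.10", "0.0.0.0",   22),
    ("permit", "ip",  "10.1.20.0", "0.0.0.255", "10.1.30.0",  "0.0.0.255", None),
]

def evaluate(acl, hits, proto, src, dst, dport=None):
    """Return the action of the first matching entry and bump its hit count."""
    for index, (action, p, s, sw, d, dw, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue  # "ip" matches every protocol
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        hits[index] = hits.get(index, 0) + 1
        return action  # first match wins; later entries are never consulted
    # Nothing matched: the implicit deny applies. IOS shows no counter for it;
    # it is tracked here only to make those drops visible in the model.
    hits["implicit deny"] = hits.get("implicit deny", 0) + 1
    return "deny"

if __name__ == "__main__":
    hits = {}
    print(evaluate(ACL, hits, "tcp", "10.1.20.5", "10.1.99.10", 23))  # Telnet
    print(evaluate(ACL, hits, "tcp", "10.1.20.5", "10.1.99.10", 22))  # SSH
    print(evaluate(ACL, hits, "udp", "10.1.20.5", "10.1.30.7", 53))
    print(evaluate(ACL, hits, "tcp", "10.1.21.5", "10.1.99.10", 22))  # wrong subnet
    print(hits)
```

Placing a broad permit ahead of the Telnet deny would make that deny unreachable, which is why a zero hit count on an entry is worth investigating.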
Domain 6 — Automation and Programmability (10%)
The domain that distinguishes the 2020 CCNA from every predecessor. It reflects the industry shift toward software-defined networking and infrastructure-as-code.
- Network management evolution: Traditional CLI management vs controller-based vs intent-based networking (IBN). Cisco DNA Center as the on-premises IBN controller for campus networks. Cisco SD-WAN (formerly Viptela) for WAN fabric management through a centralised vManage controller.
- REST APIs: HTTP methods (GET, POST, PUT, DELETE, PATCH), JSON and XML as data formats, authentication via API keys or OAuth tokens. Reading and interpreting a JSON API response from a network controller.
- Configuration management tools: Puppet, Chef, Ansible, and Python — understand the difference between agent-based (Puppet/Chef) and agentless (Ansible) approaches, and which is typically preferred for network device management.
- Python basics: Variables, lists, dictionaries, loops, and conditionals in the context of a simple network automation script. The exam does not require writing Python from scratch but does require reading and interpreting short scripts.
The single most common CCNA failure mode: spending 80% of study time reading and only 20% in a lab. The simulation questions on the real exam require muscle memory with IOS commands — show commands, debug output, and configuration syntax. You cannot build that from a textbook alone.
Lab strategy and study resources
Cisco’s Packet Tracer simulator is free, officially supported, and handles the majority of 200-301 topics including VLANs, OSPF, ACLs, NAT, and basic automation. Download it from the Cisco Skills for All platform at no cost. Candidates who want higher-fidelity IOS simulation for OSPF topology experiments should supplement with GNS3 or EVE-NG using legally obtained IOS images.
The canonical study resource is Wendell Odom’s CCNA 200-301 Official Cert Guide (two volumes, Cisco Press). Work through one volume, lab every configuration example, then move to the second. Many successful candidates spend 3–6 months on preparation if starting from a general IT background, or 6–10 weeks if they already work with networks daily. The target before booking your exam: consistently scoring 80% or above on full-length practice tests under timed conditions.
The CCNA is not only a networking credential — it is a force multiplier for every other IT certification path. Cloud architects who understand VPC routing, Transit Gateway BGP, and SD-WAN are rare; the CCNA gives you the vocabulary to operate at that level. Security engineers pursuing CompTIA CySA+, Cisco CCNP Security, or the CISSP will find that ACLs, AAA, Layer 2 security, and VPN concepts covered in CCNA Domain 5 are revisited at greater depth in every subsequent security exam. And for those aiming at CCNP Enterprise or CCIE, the 200-301 is the foundation on which the entire Cisco advanced certification stack is built — every CCNP concentration exam assumes this knowledge is already solid.
What comes after CCNA
The 200-301 is the prerequisite — formal or informal — for every Cisco Professional-level exam. The two most common paths from CCNA are:
- CCNP Enterprise: Requires passing the core exam (350-401 ENCOR, covering advanced routing, SD-WAN, wireless, and virtualisation) plus one concentration exam. ENCOR is where OSPF, BGP, EIGRP, and MPLS are tested at production depth.
- CCNP Security: Core exam is 350-701 SCOR, covering network security, cloud security, content security, endpoint protection, and secure network access. Heavily overlaps with the CISSP and CompTIA CySA+ in terms of concept coverage.
Candidates who pass CCNA often find that cloud certifications — particularly AWS Solutions Architect and Azure Administrator — become significantly easier, because the underlying networking concepts (subnetting, routing, VPN, ACL-equivalents) are already deeply understood rather than learned as cloud-specific abstractions.