Cisco's CCNA is one of the most misunderstood entry-level certifications in IT. People assume it's an exam you pass by memorizing port numbers and protocol names. It's not. The CCNA tests whether you can design, configure, verify, and troubleshoot real networks — and the candidates who fail are almost always the ones who treated it like a multiple-choice knowledge quiz.
Before committing months of study time, here's what the CCNA actually requires and how to approach it correctly.
What the CCNA Actually Tests
The current exam is 200-301, replacing the earlier split between ICND1/ICND2. It's a single exam covering networking fundamentals through enterprise features.
| Domain | Weight |
|---|---|
| Network Fundamentals | 20% |
| Network Access | 20% |
| IP Connectivity | 25% |
| IP Services | 10% |
| Security Fundamentals | 15% |
| Automation and Programmability | 10% |
IP Connectivity at 25% is the largest domain and the one that separates candidates who understand routing from candidates who memorized definitions. This domain tests OSPF configuration, IPv4/IPv6 routing, and static route implementation at a level that requires hands-on practice.
What changed in 200-301 vs the old CCNA R&S: The current exam added automation and programmability (Ansible, Python basics, REST APIs, SD-WAN, SD-Access concepts) that weren't tested in earlier versions. Candidates studying from materials published before 2020 are missing roughly 10% of the exam content.
Prerequisites That Aren't Officially Required but Practically Are
Cisco lists no prerequisites for CCNA 200-301. This is technically true and practically misleading.
Candidates without basic networking concepts — what IP addresses are, what a switch does vs a router, what subnetting means — spend their first month not learning CCNA content but learning foundational networking. This is inefficient and demoralizing.
If you're starting from zero, cover these before starting CCNA study materials:
The OSI model and what happens at each layer
What IP addressing and subnet masks mean (not how to subnet — just what they represent)
The difference between switches (Layer 2) and routers (Layer 3)
What a default gateway is and why it's needed
The CompTIA Network+ covers this ground and is a genuine CCNA prerequisite for candidates with no networking background. Many candidates find the transition from Network+ to CCNA much smoother than starting CCNA cold.
The Subnetting Requirement
No CCNA topic generates more questions than subnetting, and for good reason — it appears throughout the exam, not just in one section.
What subnetting means on the exam: given a network address and a mask, identify the network address, broadcast address, valid host range, and whether two hosts are on the same subnet. You need to calculate this quickly — exam time pressure is real.
The binary method vs the fast method:
Binary method: convert addresses to binary, apply the mask bit by bit. Accurate, slow, not viable under time pressure.
Fast method (magic number / block size): identify the interesting octet, calculate the block size (256 - subnet mask value), find the network boundary. Fast, sufficient for all CCNA subnetting questions.
"Subnetting is a skill, not knowledge. You can read about it in an afternoon and still be unable to do it in 30 seconds under pressure. The only way to develop exam-speed subnetting is drilling — 100 problems, then 100 more. Candidates who reach CCNA exam day unable to subnet quickly have eliminated their chance before they start." — Jeremy's IT Lab, CCNA 200-301 Complete Course
Subnet mask representations tested:
Dotted decimal: 255.255.255.0
CIDR notation: /24
Wildcard masks (for ACL configuration): 0.0.0.255
All three appear on the exam. Practice converting between them.
Routing Protocols: OSPF as the Core
CCNA tests one interior routing protocol in depth: OSPF (Open Shortest Path First). EIGRP appears but is covered more lightly. RIP version 2 is mostly historical context.
Why OSPF dominates: it's the most widely deployed enterprise routing protocol and the one Cisco expects network engineers to configure without reference material.
OSPF concepts tested on 200-301:
| Concept | What the exam tests |
|---|---|
| Router ID | How it's selected (loopback IP > physical interface IP > manual configuration) |
| Neighbor relationships | What must match for OSPF neighbors to form (area, hello/dead timers, subnet mask, authentication) |
| Area 0 (backbone) | Why all OSPF areas must connect to area 0 |
| Link state updates | How LSAs are flooded vs how routing tables are built |
| DR/BDR election | How designated router/backup DR are elected on broadcast networks |
| Cost calculation | How interface cost is determined (reference bandwidth / interface bandwidth) |
Common OSPF configuration on the exam:
router ospf 1
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
Candidates need to write and interpret this configuration, not just recognize it.
VLANs and Switching
The Network Access domain (20%) tests switching at a level that requires understanding, not memorization.
VLAN concepts:
VLANs logically segment a physical network. A switch with ports in VLAN 10 and VLAN 20 treats them as separate networks — a device in VLAN 10 cannot communicate with a device in VLAN 20 without routing.
Access ports: carry traffic for one VLAN. Connect end devices (PCs, servers).
Trunk ports: carry traffic for multiple VLANs using 802.1Q tagging. Connect switches to switches or switches to routers.
Inter-VLAN routing methods tested:
Router on a stick: single physical interface on a router, divided into subinterfaces, each carrying traffic for one VLAN. Configuration involves encapsulation dot1q <vlan-id> on each subinterface.
Layer 3 switch (SVI): switch virtual interfaces (SVIs) are logical interfaces on a multilayer switch, one per VLAN, acting as the default gateway for devices in that VLAN. No physical router required.
The exam scenario: "A company needs devices in VLAN 10 to communicate with devices in VLAN 20. Which two methods could achieve this?" Router on a stick (correct) and Layer 3 SVI (correct). A regular switch (wrong — Layer 2 only).
Spanning Tree Protocol (STP): The exam tests basic STP operation: root bridge election (lowest bridge ID wins), port states (blocking, listening, learning, forwarding), and why STP exists (prevent loops in redundant switched networks).
Rapid STP (RSTP) is also tested — the modern replacement for classic STP with faster convergence.
Security Fundamentals (15%)
The security domain changed significantly in 200-301. The exam now tests:
Access Control Lists (ACLs):
Standard ACLs (numbered 1-99, named): filter based on source IP only. Place close to destination.
Extended ACLs (numbered 100-199, named): filter based on source IP, destination IP, protocol, port. Place close to source.
Port Security: limits which MAC addresses can access a switch port. Violation modes:
Protect: drops violating traffic, no log
Restrict: drops violating traffic, increments violation counter
Shutdown: err-disables the port (most common exam answer for "most secure")
DHCP Snooping: marks switch ports as trusted (connected to DHCP server) or untrusted (connected to end devices). Prevents rogue DHCP servers from providing false default gateway information.
Dynamic ARP Inspection (DAI): validates ARP packets using the DHCP snooping binding table. Prevents ARP poisoning attacks.
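How DHCP snooping and DAI fit together, as an added example that is not part of the original article: a simplified Python model in which snooped DHCP ACKs from a trusted port build the binding table and ARP packets on untrusted ports are checked against it. The class, port names, MAC addresses and IP addresses are constructed for illustration, and the model checks only the sender MAC/IP pair per VLAN.

```python
# Added example: simplified model of DHCP snooping feeding Dynamic ARP Inspection.
# Port names, MAC addresses and IP addresses below are constructed for illustration.

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}          # (vlan, ip) -> client MAC, built by DHCP snooping

    def dhcp(self, port, vlan, msg_type, client_mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message arriving on `port`."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop"       # server replies are only accepted on trusted ports
            if msg_type == "ACK":
                self.bindings[(vlan, ip)] = client_mac   # lease confirmed: record binding
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for an ARP packet arriving on `port`."""
        if port in self.trusted:
            return "forward"        # trusted ports bypass inspection
        if self.bindings.get((vlan, sender_ip)) == sender_mac:
            return "forward"        # sender MAC/IP pair matches a snooped lease
        return "drop"               # unknown or mismatched pair

def run_scenario():
    sw = AccessSwitch(trusted_ports={"Gi0/1"})     # Gi0/1: uplink to the DHCP server
    pc, other = "aaaa.bbbb.0001", "aaaa.bbbb.0002"
    return [
        sw.dhcp("Fa0/5", 10, "REQUEST", pc),                    # client request
        sw.dhcp("Fa0/9", 10, "OFFER", pc, "192.168.10.99"),     # server reply on untrusted port
        sw.dhcp("Gi0/1", 10, "ACK", pc, "192.168.10.20"),       # reply from trusted uplink
        sw.arp("Fa0/5", 10, pc, "192.168.10.20"),               # matches binding
        sw.arp("Fa0/9", 10, other, "192.168.10.20"),            # IP bound to a different MAC
        sw.arp("Fa0/9", 10, other, "192.168.10.1"),             # no binding for this IP
        sw.arp("Gi0/1", 10, "aaaa.bbbb.00fe", "192.168.10.1"),  # trusted port, not inspected
    ]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```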
Automation and Programmability (10%)
This domain caught many candidates unprepared when it was added. It doesn't require writing code, but it requires understanding the concepts:
Network automation tools:
Ansible: agentless configuration management. Uses YAML playbooks. Pushes configuration from a control node.
Puppet/Chef: agent-based, more complex. Less common in network-specific contexts.
REST APIs: the exam tests the concepts — HTTP methods (GET, POST, PUT, DELETE), JSON data format, and what a REST API call returns. Not writing API code.
SD-WAN and SD-Access: conceptual understanding of software-defined networking — centralized control plane, intent-based networking, fabric architecture. No deep configuration detail required.
JSON vs XML: data formats used by network APIs. JSON (key-value, lightweight) is more common in modern network APIs. The exam may show a JSON structure and ask what it represents.
Study Resources That Work
Jeremy's IT Lab (YouTube, free): the most recommended free CCNA resource. Jeremy Cioara has produced a complete CCNA 200-301 course available on YouTube and his own platform. Lab files (Packet Tracer) are included. The explanation quality is exceptional.
Todd Lammle's CCNA Study Guide: the most widely used book for CCNA preparation. Updated for 200-301. Covers all domains with practice questions and Packet Tracer labs.
Packet Tracer: Cisco's free network simulator. Download from the Cisco Networking Academy (NetAcad) after creating a free account. Essential for routing and switching practice — candidates who study without simulation consistently underperform.
Boson ExSim-Max: the gold standard for CCNA practice exams. More detailed explanations than most practice platforms and questions that match the difficulty and style of the real exam.
Target score before booking: 85%+ on Boson ExSim-Max. The CCNA passing score is approximately 825/1000 — one of the highest in the Cisco certification portfolio. 80% on practice frequently isn't enough margin.
CCNA 200-301 Exam Format in Full Detail
Understanding the exam mechanics before you sit it eliminates avoidable surprises:
| Element | Details |
|---|---|
| Exam code | 200-301 CCNA |
| Duration | 120 minutes |
| Number of questions | 100-120 questions |
| Passing score | Approximately 825/1000 (Cisco does not publish the exact cutoff) |
| Question types | Multiple choice (single answer), multiple choice (multiple answer), drag and drop, fill-in-the-blank, testlet (scenario with multiple questions), simlet (simulation with questions) |
| Retake policy | Wait 5 days after first fail; 5 days between subsequent attempts |
| Exam cost | $330 USD |
| Delivery | Pearson VUE test center or online proctored |
| Language | English, Japanese |
The 825/1000 passing threshold is one of the highest in the Cisco certification portfolio. CCNA does not grade on a curve — 825 is 825, and simulations and testlets tend to be higher-stakes questions. Missing a multi-select question completely is worse than getting partial credit on it, so understanding how multi-answer questions work matters.
Testlets vs Simlets: A testlet presents a network scenario description (text) with multiple questions about it. A simlet presents an interactive simulation where you can run show commands, then asks questions based on what the simulation output shows. Simlets are closer to real-world troubleshooting. Many candidates encounter simlets and freeze because they haven't practiced reading and interpreting IOS show command output under time pressure.
Time management: 120 minutes for 100-120 questions leaves 60-72 seconds per question. Simulations and testlets take longer. Experienced candidates budget 3-4 minutes for simlets and move quickly through single-answer multiple choice. Sticking on any single question for more than 5 minutes is a time management failure — mark it and return.
Subnetting From First Principles: What CCNA Actually Tests
The CCNA subnetting requirement is broader than candidates expect. Here is exactly what the exam tests:
Given a host address and prefix length, identify:
Network address (the address with all host bits set to 0)
Broadcast address (the address with all host bits set to 1)
First valid host (network address + 1)
Last valid host (broadcast address - 1)
Subnet mask in dotted decimal
Example — work this in under 30 seconds: Host: 192.168.10.65/26
Block size for /26: 256 - 192 = 64
Network boundaries in the 4th octet: 0, 64, 128, 192
65 falls in the 64-128 block
Network address: 192.168.10.64
Broadcast address: 192.168.10.127
First host: 192.168.10.65
Last host: 192.168.10.126
Subnet mask: 255.255.255.192
VLSM (Variable Length Subnet Masking): the exam presents scenarios where you must allocate subnets efficiently. "A company needs one subnet for 50 hosts, one for 30 hosts, one for 14 hosts, and one for 2 hosts." You need to assign appropriate subnet sizes to avoid wasting address space. Practice allocating from largest to smallest host requirement.
Subnetting in context: subnetting questions don't appear only in the dedicated subnetting section. OSPF network statements require wildcard masks. ACL configuration uses wildcard masks. IP addressing scenarios in any domain may require calculating whether two devices are on the same subnet. This pervasiveness is why subnetting speed matters throughout the exam.
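The block-size method and the largest-first VLSM allocation described above, as an added Python example that is not part of the original article. The function names are illustrative, and the VLSM base network 192.168.10.0 is an assumption (the scenario in the text names no address block); the base is assumed to be aligned to the largest subnet.

```python
# Added example: block-size subnetting and largest-first VLSM allocation.

def mask_octets(prefix):
    """Dotted-decimal mask as four ints, e.g. /26 -> [255, 255, 255, 192]."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(bits >> shift) & 0xFF for shift in (24, 16, 8, 0)]

def dotted(octets):
    return ".".join(str(o) for o in octets)

def subnet_info(cidr):
    """Block-size method for prefixes /1 through /30."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 1 <= prefix <= 30:
        raise ValueError("block-size method shown here covers /1 to /30")
    host = [int(o) for o in ip.split(".")]
    mask = mask_octets(prefix)
    i = (prefix - 1) // 8            # interesting octet: last one holding mask bits
    block = 256 - mask[i]            # the "magic number"
    net = host[:i] + [host[i] // block * block] + [0] * (3 - i)
    bcast = net[:i] + [net[i] + block - 1] + [255] * (3 - i)
    return {
        "block_size": block,
        "network": dotted(net),
        "broadcast": dotted(bcast),
        "first_host": dotted(net[:3] + [net[3] + 1]),
        "last_host": dotted(bcast[:3] + [bcast[3] - 1]),
        "mask": dotted(mask),
        "wildcard": dotted([255 - m for m in mask]),   # 255.255.255.255 minus mask
    }

def same_subnet(ip_a, ip_b, prefix):
    """Two hosts share a subnet when their network addresses are equal."""
    net_a = subnet_info(f"{ip_a}/{prefix}")["network"]
    return net_a == subnet_info(f"{ip_b}/{prefix}")["network"]

def vlsm(base, host_counts):
    """Carve subnets out of `base` largest-first so each block stays aligned."""
    a, b, c, d = (int(o) for o in base.split("."))
    cursor = (a << 24) | (b << 16) | (c << 8) | d
    plan = []
    for hosts in sorted(host_counts, reverse=True):
        host_bits = (hosts + 1).bit_length()   # smallest n with 2**n >= hosts + 2
        net = dotted([(cursor >> s) & 0xFF for s in (24, 16, 8, 0)])
        plan.append((hosts, f"{net}/{32 - host_bits}"))
        cursor += 1 << host_bits
    return plan

if __name__ == "__main__":
    print(subnet_info("192.168.10.65/26"))
    print(same_subnet("192.168.10.65", "192.168.10.130", 26))
    # Assumed base network; host counts are the ones from the VLSM scenario.
    for hosts, subnet in vlsm("192.168.10.0", [30, 2, 50, 14]):
        print(hosts, subnet)
```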
IOS Commands Every CCNA Candidate Must Know
The exam presents show command output and asks candidates to interpret it. Candidates who haven't practiced reading IOS output struggle with simlets regardless of conceptual knowledge.
Verification and Troubleshooting Commands
show ip route — displays the routing table
R1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, D - EIGRP
O 10.0.1.0/24 [110/2] via 192.168.1.2, 00:02:14, GigabitEthernet0/0
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 203.0.113.1
Read this output: O prefix = OSPF learned. [110/2] = administrative distance 110, metric 2. via 192.168.1.2 = next hop. The exam asks: "What is the administrative distance of this OSPF route?" Answer: 110.
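Reading that output programmatically, as an added Python example that is not part of the original article: it parses the sample lines shown above into source, prefix, administrative distance, metric and next hop. It goes one step beyond the text by also selecting the route a destination would use through longest-prefix match; the function names are illustrative.

```python
# Added example: parse the sample "show ip route" lines from the text.
import ipaddress
import re

SHOW_IP_ROUTE = """\
R1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, D - EIGRP
O 10.0.1.0/24 [110/2] via 192.168.1.2, 00:02:14, GigabitEthernet0/0
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 203.0.113.1
"""

SOURCES = {"C": "connected", "S": "static", "R": "RIP", "O": "OSPF", "D": "EIGRP"}

CONNECTED = re.compile(r"^C\s+(?P<prefix>\S+/\d+) is directly connected, (?P<intf>\S+)")
LEARNED = re.compile(
    r"^(?P<code>[A-Z])(?P<star>\*?)\s+(?P<prefix>\S+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<next_hop>[\d.]+)"
    r"(?:,\s*\S+,\s*(?P<intf>\S+))?"
)

def parse_routes(text):
    """Return one dict per route line; prompt and legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = CONNECTED.match(line)
        if m:
            # Connected routes print no [AD/metric]; both are 0.
            routes.append({"source": "connected", "ad": 0, "metric": 0,
                           "prefix": ipaddress.ip_network(m["prefix"]),
                           "next_hop": None, "interface": m["intf"],
                           "candidate_default": False})
            continue
        m = LEARNED.match(line)
        if m:
            routes.append({"source": SOURCES.get(m["code"], m["code"]),
                           "ad": int(m["ad"]), "metric": int(m["metric"]),
                           "prefix": ipaddress.ip_network(m["prefix"]),
                           "next_hop": m["next_hop"], "interface": m["intf"],
                           "candidate_default": m["star"] == "*"})
    return routes

def best_route(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["prefix"]]
    return max(matches, key=lambda r: r["prefix"].prefixlen, default=None)

if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dest in ("10.0.1.50", "192.168.1.7", "198.51.100.9"):
        r = best_route(table, dest)
        print(dest, "->", r["source"], r["prefix"], f"[{r['ad']}/{r['metric']}]")
```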
show interfaces — interface status, counters, and statistics
Key output elements the exam tests:
GigabitEthernet0/0 is up, line protocol is up (fully operational)
GigabitEthernet0/0 is administratively down (shutdown command applied)
input errors, CRC counters — indicate physical layer problems, often cable issues or duplex mismatch
output drops — queue congestion
show ip protocols — routing protocol configuration and learned routes summary
Tells you which routing protocols are running, what networks they're advertising, and OSPF router IDs. Essential for diagnosing OSPF neighbor issues.
show ip ospf neighbor — OSPF neighbor state
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:36 192.168.1.2 Gig0/0
3.3.3.3 1 FULL/BDR 00:00:38 192.168.1.3 Gig0/0
FULL = complete adjacency and database exchange. If you see INIT or EXSTART, the adjacency is not forming. The exam asks what state indicates a working OSPF relationship: FULL.
show ip ospf interface — OSPF configuration on specific interfaces
Reveals hello/dead intervals, DR/BDR status, area assignment. When OSPF neighbors won't form, this command identifies timer mismatches or area mismatches.
debug ip ospf adj — real-time OSPF adjacency debugging
Shows hello packets being sent and received, which lets you see why adjacencies form or fail. In a lab environment, this is invaluable for understanding OSPF. In production, it generates significant output — always use undebug all afterward.
show vlan brief — VLAN assignments on switch ports
Shows which ports belong to which VLANs. A port not showing in any VLAN assignment is still in VLAN 1 (the default). If a device can't communicate across trunk links, verify this output first.
show interfaces trunk — trunk port status and allowed VLANs
Port Mode Encapsulation Status Native VLAN
Gi0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/1 1-4094
Port Vlans allowed and active in management domain
Gi0/1 1,10,20,30
The exam scenario: "VLAN 40 traffic is not crossing a trunk link." Check this output — if VLAN 40 is not in the "Vlans allowed and active" list, it's either not created on the switch or not in the trunk allowed list.
show port-security and show port-security interface — port security status
Shows sticky MAC addresses learned, violations counted, and whether a port is in error-disabled state. Port security questions in the exam often ask what happens after a violation: if the mode is shutdown, the port goes into err-disabled and must be manually recovered with shutdown followed by no shutdown.
Exam Day Tips Specific to CCNA
Arrive knowing your wildcard masks: wildcard mask = 255.255.255.255 minus the subnet mask. /26 = mask 255.255.255.192, wildcard = 0.0.0.63. This calculation appears in OSPF and ACL configuration — having it automatic saves time.
For simulation questions: before answering any questions in a simlet, run show ip route, show ip interface brief, and show interfaces on relevant devices. This gives you the state of the network before the specific question directs your attention. You may answer multiple simlet questions from this single set of show outputs.
Drag-and-drop questions: read every option before placing any. The wrong first placement is hard to correct under pressure. CCNA drag-and-drop questions often test ordered processes (OSI encapsulation order, STP port states, router boot sequence).
Multi-select "choose two" questions: if you're sure about one correct answer but uncertain about the second, eliminate obvious wrong answers rather than guessing randomly. Mark and return if time permits.
Flag confusing questions: the Pearson VUE interface allows flagging. Use it aggressively on questions where your reasoning is uncertain. Spend time on simlets and testlets first (higher time cost), complete all single-answer questions, then return to flagged items.
Don't rush through simulations: simlets in particular are worth more than single multiple-choice questions. A simlet that takes 4 minutes and earns full credit is a better time investment than four 1-minute multiple choice questions where you guess wrong on two.
References
Cisco. CCNA 200-301 Official Exam Topics. Cisco, 2024. https://learningnetwork.cisco.com/s/ccna-exam-topics
Lammle, Todd. CCNA Cisco Certified Network Associate Study Guide: Exam 200-301. Sybex, 2021. ISBN: 978-1119659808. (Most widely used CCNA study guide, updated for current exam objectives)
Jeremy's IT Lab. CCNA 200-301 Complete Course. YouTube/jeremysitlab.com, 2024. (Free complete CCNA course with Packet Tracer labs, widely considered the best free CCNA resource)
Cisco. Cisco Packet Tracer — Download and Documentation. Cisco Networking Academy, 2024. https://www.netacad.com/courses/packet-tracer
Boson Software. ExSim-Max for Cisco 200-301 CCNA Practice Exams. Boson, 2024. https://www.boson.com (Industry standard practice exam platform for Cisco certifications)
Odom, Wendell. CCNA 200-301 Official Cert Guide, Volumes 1 & 2. Cisco Press, 2020. ISBN: 978-0135792735. (Official Cisco Press exam guide from the primary CCNA author)
Frequently Asked Questions
How hard is the CCNA 200-301 exam?
CCNA has an estimated first-attempt pass rate of 40-50%. The passing score is approximately 825/1000 — one of the highest in the Cisco portfolio. It requires hands-on configuration and troubleshooting knowledge that can't be acquired through multiple-choice practice alone.
Do I need to know how to configure routers for CCNA?
Yes. The exam tests actual Cisco IOS configuration — writing and interpreting OSPF configuration, VLAN assignments, ACL syntax, interface configuration. Candidates who only study conceptually without Packet Tracer or real equipment practice consistently underperform.
How long does CCNA preparation take?
Candidates with basic networking knowledge typically need 12-16 weeks of regular study. Complete beginners need 20-24 weeks including time to build foundational networking concepts before CCNA-specific content. Daily Packet Tracer lab practice is required throughout.
What is the best free CCNA study resource?
Jeremy's IT Lab on YouTube is the most recommended free CCNA resource — a complete course with Packet Tracer lab files. Combined with Cisco Packet Tracer (free from NetAcad) for practice, this is sufficient content preparation. Supplement with Boson ExSim-Max for exam-quality practice questions.
Does CCNA cover IPv6?
Yes. IPv6 addressing, prefix notation, link-local vs global unicast addresses, stateless address autoconfiguration (SLAAC), and OSPFv3 basics are all tested. The Network Fundamentals and IP Connectivity domains both include IPv6 content.
