Cisco CCNA 200-301 v2.0 Practice Test

Cisco Certified Network Associate (CCNA) validates foundational networking knowledge across network infrastructure, switching and access, IP routing, network services, security, operations, and automation-aware troubleshooting.

Start with the free 100-question CCNA diagnostic or the 24 public sample questions. See how the scenarios test switching, routing, services, security, AI-assisted operations, and troubleshooting before you subscribe; IT Mastery then gives you a stable, objective-mapped CCNA 200-301 v2.0 bank with 660 questions, timed mocks, topic drills, progress tracking, and detailed explanations across web and mobile.

Initial release note: This is an initial release. We expand high-demand banks first based on learner usage, feedback, and subscriber demand. Subscribers receive access to future additions automatically.

Free diagnostic: Try the Cisco CCNA 200-301 v2.0 full-length practice exam before subscribing. Use it as one networking baseline, then return to IT Mastery for timed mocks, topic drills, explanations, and the full CCNA question bank.

CCNA snapshot

• Vendor: Cisco
• Official certification name: Cisco Certified Network Associate
• Exam code: 200-301 CCNA
• Route tracked here: CCNA 200-301 v2.0
• Practice reference: 100 questions in 120 minutes in the Mastery catalog
• IT Mastery practice bank: 660 questions
• Current IT Mastery status: live practice available

Before scheduling, verify Cisco’s current exam topics, delivery rules, and version timing. This page is independent practice support and does not claim affiliation with Cisco.

What this CCNA practice page gives you

• a direct route into IT Mastery practice for Cisco CCNA 200-301 v2.0
• 24 on-page sample questions selected from the live CCNA practice bank
• a free 100-question diagnostic across the CCNA topic areas
• topic drills for infrastructure, switching, routing, services, security, AI-assisted operations, and management
• timed mocks, mixed sets, detailed explanations, and progress tracking across web and mobile

Who CCNA is for

• networking candidates building associate-level switching, routing, IP services, security, and troubleshooting judgment
• help desk, network technician, and junior infrastructure candidates moving beyond entry-level networking vocabulary
• cloud, cybersecurity, and DevOps candidates who need stronger IP, VLAN, routing, ACL, and network-operations fundamentals

Topic coverage for CCNA practice

How to use the CCNA simulator efficiently

1. Start with the free diagnostic so you can separate broad networking weaknesses from one-topic mistakes.
2. Drill switching and routing separately if you miss questions because VLAN, STP, longest-prefix, OSPF, or next-hop evidence blurs together.
3. Use network services and security drills when NAT, DHCP, DNS, ACLs, wireless security, device hardening, or management-plane controls drive your misses.
4. Add timed mixed sets near the end so you can move from symptoms to evidence without over-focusing on one familiar domain.

CCNA decision checklist

Use this checklist when a networking question gives you logs, outputs, diagrams, or user symptoms:

• Layer first: confirm whether the evidence points to physical/link, VLAN, IP addressing, routing, services, security policy, or operations.
• Scope next: decide whether the issue affects one host, one VLAN, one route, one service, one site, or the broader control plane.
• Evidence before change: prefer answers that verify interface state, addressing, routes, neighbors, ACL matches, logs, or counters before disruptive changes.
• Specificity matters: choose the route, ACL, VLAN, or service behavior that exactly matches the symptom instead of applying a broad fix.
• Automation support: use AI or controllers as evidence helpers, not as a replacement for verifying commands, topology, and operational impact.

Focused sample questions

Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.

• Free Cisco CCNA 200-301 v2.0 Full-Length Practice Exam
• Network Infrastructure and Connectivity
• Switching and Network Access
• IP Routing
• Network Services and Security
• AI, Network Operations and Management

Free study resources

Need concept review first? Read the Cisco CCNA 200-301 v2.0 cheat sheet for switching, routing, services, security, operations, and troubleshooting cues before starting the free diagnostic or timed practice.

24 CCNA sample questions with detailed explanations

These are original IT Mastery practice questions selected from the live Cisco CCNA 200-301 v2.0 bank. Use them to inspect the scenario style, answer explanations, and topic coverage before starting the free diagnostic or full bank.

Question 1

Topic: AI, and Network Operations and Management

A NOC engineer is creating a prompt template for an AI assistant that reviews Cisco IOS XE show output and syslog excerpts during troubleshooting. The team must be able to verify recommendations before making changes, and the assistant must not perform remediation. Which output-format instruction best meets this goal?

• A. Use sections for Evidence, Assumptions, Recommended next checks, and Confidence.
• B. Use one concise root-cause paragraph with the most likely fix first.
• C. Use a prioritized command checklist without confidence ratings or assumptions.
• D. Use a configuration patch showing commands to apply immediately.

Best answer: A

Explanation: For AI-assisted network troubleshooting, the prompt should require a verifiable structure. Evidence should contain facts from the provided outputs, assumptions should identify what the assistant inferred, recommended next checks should tell the engineer how to validate the conclusion, and confidence should show how strongly the evidence supports the recommendation. This keeps the AI from blending facts with guesses or jumping directly to configuration changes. The key is not just getting an answer quickly, but making the reasoning auditable before a network operator acts.

Question 2

Topic: Network Infrastructure and Connectivity

A technician connects a desktop PC to switch SW1 on Gi1/0/12, but the PC reports that the network cable is unplugged. The switch port is enabled and assigned to the correct access VLAN.

Exhibit:

SW1# show interfaces gi1/0/12 status
Port      Name   Status      Vlan  Duplex  Speed  Type
Gi1/0/12  PC-7   notconnect  20    auto    auto   10/100/1000BaseTX

Cable tag: RJ-45 rollover console cable
Tester pin map: 1->8  2->7  3->6  4->5  5->4  6->3  7->2  8->1

What is the best interpretation or next action?

• A. Configure PortFast on the switch port.
• B. Replace it with an Ethernet crossover cable.
• C. Replace it with a straight-through Ethernet patch cable.
• D. Manually set both ends to full duplex.

Best answer: C

Explanation: The exhibit points to a physical cabling problem, not a VLAN, spanning-tree, or duplex problem. The switch shows notconnect, and the cable tag plus tester pin map identify a rollover console cable, where pin 1 maps to pin 8, pin 2 to pin 7, and so on. A rollover cable is used for console connections, not for Ethernet data links. For a typical desktop PC connected to a switch access port, use a normal straight-through Ethernet patch cable. The key clue is the reversed pinout before the link ever establishes.

Question 3

Topic: IP Routing

R1 and R2 run single-area OSPFv2 in area 0 over 10.0.12.0/30. R2 has a user LAN on G0/1, 192.168.20.1/24. R1 must learn the R2 LAN by OSPF. No route filtering is configured.

Exhibit:

R1# show ip ospf neighbor
Neighbor ID     Pri   State     Address       Interface
2.2.2.2           1   FULL/DR   10.0.12.2     Gi0/0

R1# show ip route 192.168.20.0
% Network not in table

R2# show ip route connected
C 10.0.12.0/30 is directly connected, GigabitEthernet0/0
C 192.168.20.0/24 is directly connected, GigabitEthernet0/1

Which configuration decision should meet the goal?

• A. Enable OSPF on R2 G0/1 in area 0.
• B. Change R2’s OSPF router ID and restart OSPF.
• C. Enable OSPF for 192.168.20.0/24 on R1.
• D. Configure a default static route on R1 toward R2.

Best answer: A

Explanation: The neighbor output shows that R1 and R2 already have a working OSPF adjacency, so the transit link is not the problem. R1 has no route for 192.168.20.0/24, while R2 shows that subnet as directly connected. In OSPF, a connected network is advertised only when the matching interface or subnet is enabled for OSPF in the correct area. The correct operational fix is on R2, for the LAN-facing interface or its subnet in area 0. If no OSPF neighbors should form on that LAN, making the interface passive is also common, but it still must be included in OSPF.

Question 4

Topic: Switching and Network Access

A user reports intermittent connectivity from a wired desktop connected to SW1. The VLAN assignment is correct, and the port remains up. Based on the exhibit, what is the best interpretation?

Exhibit:

SW1# show interfaces gigabitEthernet1/0/18
GigabitEthernet1/0/18 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0c9e.6a11.1212
  MTU 1500 bytes, BW 1000000 Kbit/sec
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 81000 bits/sec, 70 packets/sec
  5 minute output rate 76000 bits/sec, 65 packets/sec
     186,240 packets input, 0 giants, 0 throttles
     4,912 input errors, 4,887 CRC, 0 frame, 0 overrun
     0 collisions, 0 late collision

• A. The access VLAN is missing from the switch
• B. Spanning Tree is blocking the desktop port
• C. A physical cabling or connector problem is likely
• D. The port is administratively shut down

Best answer: C

Explanation: CRC errors are received frames that fail the frame check sequence, commonly caused by physical-layer problems such as a damaged patch cable, bad connector, excessive interference, or a failing NIC/transceiver. In the exhibit, the interface is up/up at 1000 Mb/s full duplex, so the port is operational and passing traffic. The large number of input errors that are almost entirely CRC errors makes the physical medium the best place to investigate first. A reasonable next action would be to replace or test the cable and check the desktop NIC and switchport connection. VLAN or STP issues can cause reachability failures, but they do not explain this specific error pattern.

Question 5

Topic: Network Services and Security

Users in VLAN 30 report that IPv4 access works, but some Windows clients intermittently lose IPv6 Internet access. The affected clients show a valid IPv4 address from the DHCP server and an IPv6 default gateway learned from an unknown link-local address. The access switch log shows the link-local address arriving on a user-facing port connected to a small unmanaged router. What is the best corrective action?

• A. Enable Dynamic ARP Inspection for VLAN 30
• B. Configure storm control on the user-facing port
• C. Enable DHCP snooping for VLAN 30
• D. Enable RA guard on the user-facing port

Best answer: D

Explanation: The symptom points to a rogue IPv6 Router Advertisement, not an IPv4 DHCP, ARP, or broadcast-rate problem. IPv6 hosts can learn their default gateway from RA messages sent by routers on the local link. Because the unknown link-local gateway is being advertised from a user-facing port connected to an unmanaged router, RA guard is the Layer 2 control that should block those unauthorized RA messages at the access edge. DHCP snooping protects DHCP message trust boundaries, DAI validates ARP, and storm control limits excessive Layer 2 traffic rates. The key is matching the control to the specific Layer 2 threat.

Question 6

Topic: AI, and Network Operations and Management

After a change window, users on VLAN 30 in Building 2 cannot obtain DHCP leases. The approved Ansible task is limited to read-only validation commands on Building 2 access switches only.

Exhibit: Proposed plan

inventory:
  access_bldg2: [ASW21, ASW22]
  distribution: [DSW1, DSW2]

play:
  hosts: all
  tasks:
    - cisco.ios.ios_command:
        commands:
          - show vlan brief
          - show interfaces trunk
          - configure terminal
          - interface Gi1/0/24
          - shutdown

Which action best keeps the Ansible command execution plan within the approved operational scope?

• A. Use ios_config to shut and re-enable Gi1/0/24
• B. Limit hosts to access_bldg2 and remove configuration commands
• C. Keep hosts: all to compare access and distribution trunks
• D. Run the plan because ios_command is read-only by design

Best answer: B

Explanation: The key issue is operational scope control for Ansible command execution. The approval permits read-only validation commands and only on the Building 2 access switches. The proposed plan violates both limits: hosts: all includes distribution switches, and the command list includes configuration-mode commands that would shut an interface. A safe validation plan would target the access_bldg2 inventory group and include only nonchanging commands such as show vlan brief and show interfaces trunk.

The tool module name does not replace scope review; the host pattern and command list must both match the approved task.

Question 7

Topic: Network Infrastructure and Connectivity

A user in VLAN 20 reports that a wired PC cannot ping its IPv6 default gateway. The switchport is up/up in VLAN 20, and other VLAN 20 users can reach the gateway.

Exhibit:

Expected VLAN 20 prefix: 2001:db8:20:10::/64
R1 Gi0/0.20 IPv6:       2001:db8:20:10::1/64
PC IPv6 address:        2001:db8:20:1::25/64
PC default gateway:     2001:db8:20:10::1

Which root cause is best supported by the facts?

• A. The PC address is outside the VLAN 20 prefix.
• B. The switchport is assigned to the wrong VLAN.
• C. The PC default gateway is not reachable by other users.
• D. The router subinterface has the wrong prefix length.

Best answer: A

Explanation: IPv6 prefix membership is determined by comparing the network portion defined by the prefix length. For a /64 unicast prefix, the first four hextets identify the subnet. VLAN 20 expects 2001:db8:20:10::/64, and the router interface is correctly addressed inside that subnet as 2001:db8:20:10::1/64. The PC address 2001:db8:20:1::25/64 belongs to 2001:db8:20:1::/64, not 2001:db8:20:10::/64. Because the PC is configured in a different /64, it will not treat the gateway’s global address as on-link for the expected VLAN 20 subnet. The closest trap is the switchport VLAN, but the stem says the port is up/up in VLAN 20 and other users work.

Question 8

Topic: IP Routing

R1 and R2 provide the default gateway for VLAN 10 using HSRP group 10. R1 uses 10.10.10.2, R2 uses 10.10.10.3, and the virtual gateway is 10.10.10.1.

Exhibit: R1 output

R1# show standby brief
Interface  Grp  Pri  P  State    Active       Standby  Virtual IP
Vl10       10   110  P  Standby  10.10.10.3  local    10.10.10.1

Which device is currently forwarding traffic sent to the virtual gateway?

• A. R1, because it has priority 110
• B. Both routers, because HSRP load-balances by default
• C. R1, because it is local
• D. R2, because 10.10.10.3 is Active

Best answer: D

Explanation: HSRP uses one Active router to forward traffic for the virtual IP address and one Standby router to take over if the Active router fails. The show standby brief output is from R1, but R1’s state is Standby. The Active column lists 10.10.10.3, which the stem identifies as R2. Therefore, R2 is the device currently forwarding traffic sent to 10.10.10.1. Priority matters during election, but the current operational state in the output is the deciding evidence.

Question 9

Topic: Switching and Network Access

A workstation on access port Gi1/0/12 in VLAN 30 cannot obtain an IPv4 address by DHCP. The DHCP server is reached through trunk Gi1/0/48 toward the distribution switch. You run simultaneous packet captures for 30 seconds.

Exhibit: Packet-capture summary

What is the best interpretation?

• A. DHCP is failing because the client uses unicast requests.
• B. VLAN 30 traffic is not being forwarded on the trunk.
• C. The DHCP server is rejecting the client MAC address.
• D. The client is not sending DHCP Discover messages.

Best answer: B

Explanation: The capture evidence separates client behavior from forwarding behavior. The client is generating DHCP Discover broadcasts, so the workstation and DHCP protocol start are working. Because those same frames are absent on the trunk that should carry VLAN 30 toward the DHCP server, the likely fault is Layer 2 forwarding or filtering on the access switch path, such as VLAN 30 not being allowed, not active, or not properly carried on the trunk.

The next practical check would be trunk and VLAN state, not DHCP server policy.

Question 10

Topic: Network Services and Security

R1 should provide PAT for LAN subnet 192.168.10.0/24 to the ISP. LAN hosts use 192.168.10.1 as their default gateway. Which interpretation is best based on the exhibit?

R1# show running-config | include interface|description|ip address|ip nat|access-list
interface GigabitEthernet0/0
 description Link to ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
interface GigabitEthernet0/1
 description LAN users
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255

• A. Move PAT overload to G0/1 instead of G0/0.
• B. Swap the NAT roles on G0/0 and G0/1.
• C. Permit 203.0.113.0/30 in ACL 10.
• D. Keep the roles because inside means the ISP-facing source.

Best answer: B

Explanation: In IOS XE NAT, ip nat inside identifies the interface facing the original inside local addresses, usually the LAN. ip nat outside identifies the interface facing the outside network, usually the ISP. Here, G0/1 is the LAN default gateway for 192.168.10.0/24, so it should be inside. G0/0 connects to the ISP and is the interface whose address should be used for PAT overload, so it should be outside. The ACL is already matching the inside local subnet that needs translation. The issue is the reversed interface roles, not the overload interface or ACL source network.

Question 11

Topic: AI, and Network Operations and Management

Users on access switch SW1 report that VLAN 20 clients are receiving APIPA addresses. The DHCP server is reached through distribution switch DSW1 on uplink Gi1/0/48, and the VLAN 20 SVI on DSW1 already has the correct helper address. A digital network assistant recommends automatically disabling DHCP snooping for VLAN 20.

Exhibit:

SW1# show ip dhcp snooping
DHCP snooping is enabled
DHCP snooping VLANs: 20
Trusted interfaces: Gi1/0/48

SW1# show interfaces trunk
Port        Mode   Status    Allowed vlans
Gi1/0/48    on     trunking  10,30

What is the best next action supported by the evidence?

• A. Approve disabling DHCP snooping on VLAN 20
• B. Reload SW1 to clear DHCP snooping bindings
• C. Add VLAN 20 to the trunk after validation
• D. Configure a helper address on the VLAN 20 SVI

Best answer: C

Explanation: Agentic AI can assist troubleshooting, but its proposed configuration changes should be validated against network evidence before being applied. Here, DHCP snooping is enabled for VLAN 20, but the uplink to DSW1 is already trusted, so snooping is not the supported root cause. The trunk output shows Gi1/0/48 allows only VLANs 10 and 30, which prevents VLAN 20 DHCP traffic from reaching the distribution switch and its helper address. The evidence supports correcting the trunk allowed VLAN list through normal change control, not blindly accepting the assistant’s autonomous change.

Question 12

Topic: Network Infrastructure and Connectivity

A portable web service was moved from a VM to a container on a Linux server. Users on VLAN 30 cannot reach the service at 10.30.10.50, but the physical server can ping the VLAN 30 gateway.

Exhibit:

Switch Gi1/0/12: up/up, access VLAN 30
Linux host eth0: 10.30.10.10/24, gateway 10.30.10.1
Container eth0: 172.17.0.2/16, gateway 172.17.0.1
Host route: 172.17.0.0/16 connected via docker0

Which root cause is best supported by the facts?

• A. The hypervisor virtual switch is missing a VLAN trunk.
• B. The container is attached to an isolated bridge network.
• C. The switch access port is in the wrong VLAN.
• D. The VM network adapter is disconnected.

Best answer: B

Explanation: Containers are portable and process-isolated, but their network attachment depends on the container network mode. The physical server is connected correctly to VLAN 30 because its interface is up and it can reach the VLAN gateway. The failed service has an address on the container bridge network, 172.17.0.0/16, so hosts on VLAN 30 cannot reach it directly at 10.30.10.50 unless the service is published/NATed or attached to an appropriate VLAN-aware network. The evidence points to the container networking layer, not the physical switch, hypervisor, or VM layer.

Question 13

Topic: IP Routing

An engineer must apply an outbound policy only on the interface R1 will use to forward packets to destination 10.20.30.90. Use only the routing table excerpt; do not assume any physical topology beyond what is shown.

R1# show ip route | include 10.20|0.0.0.0
O    10.20.0.0/16 [110/20] via 192.0.2.2, GigabitEthernet0/0
S    10.20.30.0/24 [1/0] via 198.51.100.2, GigabitEthernet0/1
O    10.20.30.0/25 [110/30] via 192.0.2.6, GigabitEthernet0/2
S    10.20.30.64/26 [1/0] via 198.51.100.6, GigabitEthernet0/3
S*   0.0.0.0/0 [1/0] via 203.0.113.1, GigabitEthernet0/4

Which interface should be selected?

• A. GigabitEthernet0/4
• B. GigabitEthernet0/0
• C. GigabitEthernet0/1
• D. GigabitEthernet0/3

Best answer: D

Explanation: Routers choose the forwarding route by longest prefix match among routes installed in the routing table. The destination 10.20.30.90 falls within 10.20.30.64/26, which covers addresses 10.20.30.64 through 10.20.30.127. That prefix is more specific than the /25, /24, /16, and default route entries, so R1 forwards the packet toward next hop 198.51.100.6 out GigabitEthernet0/3. Administrative distance does not override a longer matching prefix when both routes are present in the table. The safest conclusion is the one directly supported by the route entry, not by assumed topology.

Question 14

Topic: Switching and Network Access

A network engineer is preparing an IOS XE change to preserve the current Rapid PVST+ root bridge for VLAN 10 after maintenance. Based on the spanning-tree evidence, which configuration target is correct?

Exhibit:

SW-A# show spanning-tree vlan 10
Root ID    Priority 24586
           Address  0050.56aa.bbbb
           Cost     4
           Port     Gi1/0/1
Bridge ID  Priority 32778
           Address  0050.56aa.aaaa

SW-B# show spanning-tree vlan 10
Root ID    Priority 24586
           Address  0050.56aa.bbbb
Bridge ID  Priority 24586
           Address  0050.56aa.bbbb

SW-C# show spanning-tree vlan 10
Root ID    Priority 24586
           Address  0050.56aa.bbbb
           Cost     8
           Port     Gi1/0/2
Bridge ID  Priority 32778
           Address  0050.56aa.cccc

• A. Preserve SW-C as the VLAN 10 root bridge
• B. Preserve any switch with default priority
• C. Preserve SW-A as the VLAN 10 root bridge
• D. Preserve SW-B as the VLAN 10 root bridge

Best answer: D

Explanation: In Rapid PVST+, the root bridge is selected per VLAN by the lowest bridge ID, which combines bridge priority and MAC address. In the exhibit, the Root ID for VLAN 10 is priority 24586 and MAC address 0050.56aa.bbbb. SW-B’s Bridge ID has the same priority and MAC address, so SW-B is the current root bridge for VLAN 10. SW-A and SW-C show a root port and path cost toward that Root ID, which means they are non-root switches forwarding toward the root. The key evidence is the match between the Root ID and a switch’s local Bridge ID.

Question 15

Topic: Network Services and Security

An engineer must back up R1’s running configuration to a file server. The security requirement says the transfer must protect both credentials and file contents in transit. Review the exhibit and choose the best next action.

Exhibit:

R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

R1# ping 192.0.2.50
Success rate is 100 percent (5/5)

R1# copy running-config tftp://192.0.2.50/R1-running.cfg
Destination filename [R1-running.cfg]?
!!!!!
[OK - 4821 bytes]

• A. Keep the completed TFTP backup
• B. Disable SSH and retry the transfer
• C. Repeat the backup using FTP to 192.0.2.50
• D. Repeat the backup using SCP to 192.0.2.50

Best answer: D

Explanation: SCP is the appropriate secure file transfer method when a device configuration or software file must be protected in transit. In the exhibit, the router successfully used TFTP, but TFTP does not encrypt credentials or file data. The same exhibit also shows SSH version 2 is enabled and the target server is reachable, which supports using SCP for the required secure copy behavior. FTP would still expose credentials and data, and disabling SSH would remove the transport SCP depends on. The key distinction is that a successful transfer is not enough when the requirement specifically calls for secure transfer.

Question 16

Topic: AI, and Network Operations and Management

A network team uses Ansible to verify port status before a cabling change. The approved scope is read-only command execution on Site-A access switches only. The inventory contains these groups:

[site_a_access]
SW-A1
SW-A2

[site_a_distribution]
DSW-A1
DSW-A2

[all_switches:children]
site_a_access
site_a_distribution

Which Ansible plan best stays within the approved operational scope?

• A. Run ios_command against site_a_access for show interfaces status.
• B. Run ios_command against site_a_distribution for show interfaces status.
• C. Run ios_command against all_switches for show interfaces status.
• D. Run ios_config against site_a_access to set interface descriptions.

Best answer: A

Explanation: An Ansible command execution plan must match both the target scope and the allowed operation type. In this case, the approved scope is limited to Site-A access switches and read-only verification. The site_a_access inventory group contains only SW-A1 and SW-A2, so it matches the device boundary. The ios_command module is appropriate for operational show commands such as show interfaces status; it does not express an intent to change the running configuration. Targeting a broader or different group violates the device scope, and using a configuration module changes the type of operation. The key validation is: correct inventory group plus read-only command module.

Question 17

Topic: Network Infrastructure and Connectivity

A warehouse barcode scanner cannot connect to the Inventory WLAN after the WLAN security profile was updated. Other scanners using the same AP are connected and passing traffic.

Exhibit:

Which root cause is best supported by these facts?

• A. Weak wireless signal
• B. Incorrect AP channel selection
• C. DHCP scope exhaustion
• D. Wireless encryption mismatch

Best answer: D

Explanation: The key distinction is whether the client is failing at the wireless association/security stage or after joining the WLAN. Here, the scanner sees the SSID with strong signal strength, and the AP channel/noise information does not indicate an RF problem. The decisive clue is the security mismatch: the WLAN requires WPA2-Personal with AES/CCMP, but the scanner profile is saved for WPA2-Personal with TKIP. Because the client cannot complete the required wireless security negotiation, it never reaches the point where DHCP can assign an address. A missing DHCP lease is therefore a symptom, not the root cause.

Question 18

Topic: IP Routing

Users in VLAN 10 use 192.0.2.1 as their default gateway. An engineer checks the two routers participating in VRRP group 10.

Exhibit:

R1 Gi0/0 address: 192.0.2.2/24
R2 Gi0/0 address: 192.0.2.3/24

Device  Int    Grp  Pri  State   Master addr  Group addr
R1      Gi0/0  10   110  Master  192.0.2.2    192.0.2.1
R2      Gi0/0  10   100  Backup  192.0.2.2    192.0.2.1

What is the best interpretation of the VRRP status?

• A. R1 is forwarding for the virtual gateway.
• B. Both routers are active because they share the group address.
• C. R2 is forwarding because it has the lower priority.
• D. The group is down because the virtual IP is not physical.

Best answer: A

Explanation: In VRRP, the router in the Master state owns forwarding responsibility for the shared virtual IP address. The exhibit shows both routers agree that 192.0.2.2 is the master address and that the group address is 192.0.2.1, which is the default gateway used by clients. R1 has priority 110 and is listed as Master; R2 has priority 100 and is listed as Backup. The higher-priority router normally becomes master when preemption and normal election behavior allow it. The key takeaway is that clients use the virtual IP, but the current master router performs the forwarding.

Question 19

Topic: Switching and Network Access

After a new access switch is added, users in VLAN 20 still have connectivity, but the expected uplink on SW1 is not the forwarding path. Review the Rapid PVST+ evidence.

SW1# show spanning-tree vlan 20
Root ID    Priority 24596
           Address 001e.7a11.2222
           Cost 4
           Port Gi1/0/1
Bridge ID  Priority 32788
           Address 001e.7a11.1111

SW2# show spanning-tree vlan 20
Root ID    Priority 24596
           Address 001e.7a11.2222
Bridge ID  Priority 24596
           Address 001e.7a11.2222
           This bridge is the root

Which switch is the root bridge for VLAN 20?

• A. The new access switch
• B. SW1
• C. SW2
• D. Cannot be determined from this output

Best answer: C

Explanation: In Rapid PVST+, each VLAN elects one root bridge based on the lowest bridge ID, which includes bridge priority and MAC address. The decisive evidence is the Root ID. On SW1, the Root ID is 001e.7a11.2222, while SW1’s own Bridge ID is 001e.7a11.1111, so SW1 is not the root and has a root port toward the root. On SW2, the Bridge ID matches the Root ID, and the output explicitly says This bridge is the root. A non-root switch has a root port; the root bridge does not need one for that VLAN.

Question 20

Topic: Network Services and Security

A new branch office can reach Internet sites, but users cannot reach the HQ file server at 10.10.20.50. The branch has printers, VoIP phones, and PCs that all need access to HQ resources.

Clues:

What is the best corrective action?

• A. Configure an IPsec site-to-site VPN between the edge routers.
• B. Configure PAT only on the branch edge router.
• C. Add a CNAME record for the HQ file server.
• D. Install remote-access VPN software on every branch device.

Best answer: A

Explanation: An IPsec site-to-site VPN is appropriate when two locations need secure network-to-network connectivity over an untrusted network such as the Internet. In this case, the branch LAN has working DHCP, an up WAN link, and a default route for Internet access, but many device types need private access to HQ resources. Remote-access VPN works only for endpoints that can run a client, which does not fit printers, phones, and other shared devices. A site-to-site tunnel between the branch and HQ edge devices can protect traffic between the two private subnets transparently to the hosts.

Question 21

Topic: AI, and Network Operations and Management

A network monitoring server polls SW1 every 5 minutes. The NMS graphs interface counters and CPU normally, but it did not alert when uplink Gi1/0/48 went down for 2 minutes.

Exhibit: SW1 clues

show running-config | include snmp-server
snmp-server community MON ro

show logging | include Gi1/0/48
%LINK-3-UPDOWN: Interface Gi1/0/48, changed state to down
%LINK-3-UPDOWN: Interface Gi1/0/48, changed state to up

Which action best addresses the supported root cause?

• A. Increase the NMS polling interval to 30 minutes.
• B. Add a static route from SW1 to the NMS subnet.
• C. Configure SW1 to send SNMP notifications to the NMS.
• D. Change the SNMP community used for polling.

Best answer: C

Explanation: SNMP monitoring uses two complementary behaviors. An SNMP manager polls an agent on a device to read MIB values such as interface counters and CPU usage. SNMP notifications, such as traps or informs, are agent-initiated messages sent to a configured manager when an event occurs. In this case, polling succeeds, so basic SNMP read access and reachability are already working. The syslog proves the link-down and link-up events occurred, but the configuration shown only has a read-only community and no notification destination. To receive immediate event alerts between polling cycles, the switch must be configured to send SNMP notifications to the NMS.

Question 22

Topic: Network Infrastructure and Connectivity

A branch office has one access switch port connected to a lightweight AP. Wired clients in VLAN 20 receive DHCP addresses and reach the default gateway. Wireless clients can associate to SSID Employees, which is configured to tag client traffic for VLAN 20, but they receive 169.254.x.x addresses. The AP management interface must remain untagged in VLAN 10.

Current switch port role for the AP: access port in VLAN 10.

Which configuration action should be taken?

• A. Enable PortFast on all wired client access ports.
• B. Configure the AP switch port as an 802.1Q trunk with native VLAN 10 and allow VLAN 20.
• C. Add a DHCP relay address to the VLAN 20 SVI.
• D. Change the SSID VLAN mapping from VLAN 20 to VLAN 10.

Best answer: B

Explanation: An AP that carries multiple VLANs to a switch normally needs an 802.1Q trunk. In this scenario, AP management must stay untagged in VLAN 10, while the Employees SSID tags client frames for VLAN 20. An access port in VLAN 10 drops or fails to carry the tagged VLAN 20 client traffic correctly, so wireless clients cannot reach DHCP even though wired VLAN 20 clients can. The focused fix is to make the AP-facing switch port a trunk, set VLAN 10 as the native VLAN, and permit VLAN 20. The working wired clients prove that VLAN 20 DHCP and gateway services are already functioning.

Question 23

Topic: IP Routing

R1 has the following routes installed. A packet arrives with destination IP address 10.10.8.77. Which next hop will IOS XE select for this packet?

O    10.10.0.0/16    [110/20] via 172.16.1.1
S    10.10.8.0/24    [1/0]   via 172.16.2.1
O    10.10.8.64/26   [110/30] via 172.16.3.1
S    10.10.8.72/29   [5/0]   via 172.16.4.1

• A. 172.16.1.1
• B. 172.16.2.1
• C. 172.16.4.1
• D. 172.16.3.1

Best answer: C

Explanation: IOS XE selects a route using longest prefix match first. The destination 10.10.8.77 falls within 10.10.8.72/29, whose usable range includes addresses from 10.10.8.73 through 10.10.8.78. Even though other routes also match the destination, the /29 is more specific than the /26, /24, and /16 routes. Administrative distance is used to choose between competing routes to the same prefix length, not to override a longer matching prefix already in the routing table.

The key takeaway is that the most specific matching route determines the forwarding next hop.

Question 24

Topic: Switching and Network Access

A user in VLAN 10 reports that a server in another building is unreachable. The PC has a valid DHCP address, can ping its default gateway, and the access switch trunk shows VLAN 10 allowed. OSPF between R1 and R2 is FULL.

Exhibit: Traceroute from the PC to 10.30.30.20

Tracing route to 10.30.30.20
 1  10.10.10.1       2 ms   1 ms   1 ms
 2  192.0.2.2        4 ms   4 ms   5 ms
 3  *                *      *
 4  *                *      *

Which routed segment is the most likely place to investigate first?

• A. R1-to-R2 routed segment
• B. R2-to-next-hop routed segment
• C. PC-to-access-switch segment
• D. Access switch-to-R1 VLAN 10 path

Best answer: B

Explanation: Traceroute identifies each Layer 3 hop that returns a TTL-expired message. Because hop 1, the default gateway, replies, the local VLAN and gateway path are working. Because hop 2 replies, traffic is reaching R2 across the R1-to-R2 routed path. The first missing hop is hop 3, so the investigation should begin after R2: the R2 outbound interface, the next-hop router, or the routed segment between them.

A timeout after a hop does not prove the last responding router is faulty, but it narrows the likely failure point to the path beyond that router.

CCNA troubleshooting map

    flowchart LR
	    A["User or network symptom"] --> B["Confirm Layer 1 and addressing"]
	    B --> C["Check VLAN and switching path"]
	    C --> D["Validate routing and default gateway"]
	    D --> E["Review services and security filters"]
	    E --> F["Verify and document the fix"]

Use this map when a CCNA question describes broken connectivity. Strong answers usually move from physical/link and addressing evidence through switching, routing, services, and security filters rather than guessing from one symptom.

Quick Cheat Sheet

Mini Glossary

• Default gateway: Router address a host uses to reach destinations outside its local subnet.
• Trunk port: Switch port that carries traffic for multiple VLANs.
• STP: Spanning Tree Protocol, used to prevent Layer 2 loops.
• ACL: Access control list that permits or denies traffic based on defined conditions.
• Administrative distance: Router preference value used when multiple route sources exist.

Free preview vs premium

• Free preview: 24 public sample questions, the 100-question diagnostic, and the web app entry so you can inspect the question style and explanation depth.
• Premium: the full 660-question CCNA 200-301 v2.0 bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

Good related pages

• Cisco CCST Networking 100-150 if CCNA feels too broad and you want the entry-level Cisco networking route first
• CompTIA Network+ if you need a live vendor-neutral networking practice page first
• Cisco CCNA Automation / DevNet 200-901 if your next target is network automation
• Cisco CCNA Cybersecurity / CyberOps 200-201 if your next target is security operations

Official sources

• Cisco CCNA 200-301 exam page

In this section

• Cisco CCNA 200-301 v2.0: Network Infrastructure and Connectivity
  Try 10 focused Cisco CCNA 200-301 v2.0 questions on Network Infrastructure and Connectivity, with explanations, then continue with IT Mastery.
• Cisco CCNA 200-301 v2.0: Switching and Network Access
  Try 10 focused Cisco CCNA 200-301 v2.0 questions on Switching and Network Access, with explanations, then continue with IT Mastery.
• Cisco CCNA 200-301 v2.0: IP Routing
  Try 10 focused Cisco CCNA 200-301 v2.0 questions on IP Routing, with explanations, then continue with IT Mastery.
• Cisco CCNA 200-301 v2.0: Network Services and Security
  Try 10 focused Cisco CCNA 200-301 v2.0 questions on Network Services and Security, with explanations, then continue with IT Mastery.
• Cisco CCNA 200-301 v2.0: AI, Network Operations and Management
  Try 10 focused Cisco CCNA 200-301 v2.0 questions on AI, Network Operations and Management, with explanations, then continue with IT Mastery.
• Free Cisco CCNA 200-301 v2.0 Full-Length Practice Exam: 100 Questions
  Try 100 free Cisco CCNA 200-301 v2.0 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
• Cisco CCNA 200-301 v2.0 Cheat Sheet
  Review a compact Cisco Certified Network Associate (CCNA) 200-301 v2.0 cheat sheet for switching, routing, IP services, security, operations, AI-assisted network management, and troubleshooting before IT Mastery practice.