200-301 v2.0 — Cisco CCNA (200-301 v2.0) Exam Blueprint

Independent exam blueprint for Cisco CCNA (200-301 v2.0) candidates preparing for exam code 200-301 v2.0.

How to Use This Exam Blueprint

This independent Exam Blueprint translates the Cisco CCNA (200-301 v2.0) exam scope into practical readiness tasks. Use it to find weak areas, guide final review, and decide whether you can solve networking problems without relying on memorized answers.

For each topic area, ask:

  • Can I explain the concept clearly?
  • Can I choose the right technology in a scenario?
  • Can I recognize correct Cisco IOS-style configuration and verification output?
  • Can I troubleshoot from symptoms, not just from commands?
  • Can I eliminate plausible wrong answers under time pressure?

Do not treat this as an exact scoring guide. Exact exam weights, policies, and delivery details should be checked with Cisco. This page is a study blueprint and readiness checklist for exam code 200-301 v2.0.

High-level readiness map

| Readiness area | What you should be able to do | Ready when you can… |
| --- | --- | --- |
| Network fundamentals | Explain core networking models, devices, media, addresses, and traffic behavior | Trace packet flow across hosts, switches, routers, and WAN/cloud boundaries |
| IPv4 and IPv6 addressing | Subnet, summarize, identify valid hosts, and interpret masks/prefixes | Solve subnetting and route-selection questions quickly without a calculator |
| Switching and Layer 2 | Configure and verify VLANs, trunks, STP behavior, EtherChannel, and MAC learning | Predict where frames go and identify common switching faults |
| Wireless | Understand AP, WLC, SSID, RF, authentication, and roaming concepts | Choose a WLAN design or security option from a scenario |
| Routing and IP connectivity | Interpret routing tables, static routes, default routes, IPv6 routes, and OSPF behavior | Determine best path, next hop, and likely misconfiguration from output |
| IP services | Work with DHCP, NAT, DNS, NTP, SNMP, syslog, QoS concepts, and device management services | Recognize configuration purpose and troubleshoot service symptoms |
| Security fundamentals | Apply device hardening, ACLs, AAA concepts, Layer 2 protections, and secure management | Decide which control reduces a given risk |
| Automation and programmability | Understand controller-based networking, APIs, data formats, and automation workflows | Read basic JSON/YAML and explain how automation changes operations |
| Troubleshooting | Use structured reasoning with show commands, pings, traceroutes, logs, and topology clues | Narrow a fault to Layer 1, Layer 2, Layer 3, service, or policy quickly |

Network fundamentals checklist

Core concepts to review

| Topic | Candidate checklist |
| --- | --- |
| OSI and TCP/IP models | Match protocols, devices, addresses, and troubleshooting symptoms to layers |
| Encapsulation | Describe how data becomes segments, packets, frames, and bits |
| Network devices | Distinguish router, switch, firewall, AP, WLC, server, endpoint, and controller roles |
| Physical media | Compare copper, fiber, duplex, speed, attenuation, interference, and connector considerations |
| Interface behavior | Understand administrative down, line protocol down, errors, speed/duplex mismatch, and MTU symptoms |
| Ethernet | Explain MAC addressing, broadcast domains, collision domains, ARP, frame forwarding, and MAC table learning |
| TCP and UDP | Choose TCP or UDP based on reliability, ordering, handshake, retransmission, and latency needs |
| Common ports | Recognize common management, name resolution, web, file transfer, time, and directory service ports |
| Network topologies | Identify star, hub-and-spoke, mesh, spine-leaf concepts, WAN, LAN, WLAN, and cloud connectivity patterns |
| Cloud and virtualization basics | Understand virtual machines, containers, virtual switches, overlays, and shared responsibility concepts |
| High availability | Explain redundancy, first-hop resilience concepts, link aggregation, failure domains, and single points of failure |

Can you do this?

  • Explain what changes at each hop as a packet moves from one subnet to another.
  • Distinguish a MAC address lookup problem from an IP routing problem.
  • Identify whether a symptom points to Layer 1, Layer 2, Layer 3, DNS, or application failure.
  • Explain why a switch forwards, floods, filters, or drops a frame.
  • Describe how ARP supports IPv4 communication on a local network.
  • Describe the equivalent neighbor discovery role in IPv6 at a high level.
  • Recognize the difference between broadcast, multicast, unicast, and anycast concepts.
  • Explain why default gateways matter for inter-subnet communication.
  • Interpret common interface states and error counters.
  • Identify likely causes of latency, jitter, packet loss, and asymmetric routing.

Addressing, subnetting, and route math

Subnetting is a major readiness divider. You should not merely recognize subnet terms; you should be able to calculate networks, hosts, broadcast addresses, wildcard masks, and summaries quickly.

IPv4 subnetting readiness

| Skill | Ready when you can… |
| --- | --- |
| CIDR notation | Convert between dotted-decimal masks and prefix length |
| Network address | Identify the subnet for any host/prefix pair |
| Broadcast address | Find the last address in a subnet |
| Valid host range | Determine usable host addresses quickly |
| Subnet count | Calculate how many subnets are created by borrowing bits |
| Host count | Calculate approximate usable host capacity per subnet |
| VLSM | Allocate different subnet sizes without overlap |
| Summarization | Combine contiguous networks into an appropriate summary route |
| Wildcard mask | Convert subnet masks into ACL or routing wildcard masks |
| Private addressing | Recognize RFC1918-style private IPv4 ranges and common design uses |
| APIPA/link-local behavior | Recognize symptoms when a host self-assigns a non-routable local address |

Useful formulas:

\[ \text{Number of IPv4 addresses in a subnet} = 2^{\text{host bits}} \]

\[ \text{Typical usable IPv4 host addresses} = 2^{\text{host bits}} - 2 \]

\[ \text{Wildcard mask} = 255.255.255.255 - \text{subnet mask} \]

Subnetting speed checks

| Prompt | You should be able to answer |
| --- | --- |
| 192.168.10.37/27 | Network, broadcast, and valid host range |
| 10.10.12.0/22 | Covered address range and next subnet |
| 172.16.5.128/25 | Valid host range and broadcast address |
| 192.168.1.0/24 split into 4 equal subnets | New prefix and subnet ranges |
| Need at least 50 hosts per subnet | Smallest practical IPv4 prefix |
| ACL needs to match 192.168.20.0/24 | Correct wildcard mask |
| Summarize 10.1.0.0/24 through 10.1.3.0/24 | Best summary prefix |
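
To check hand-worked answers to the speed-check prompts, the following added example (not part of the original blueprint) applies the formulas above with Python's standard `ipaddress` module. The function names are illustrative choices, and /31 and /32 are reported without a usable-host count because their meaning depends on context.

```python
import ipaddress


def wildcard(mask):
    """Wildcard mask = 255.255.255.255 - subnet mask (the formula above)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))


def describe(host_with_prefix):
    """Network, broadcast, host range and masks for a host/prefix pair."""
    net = ipaddress.ip_interface(host_with_prefix).network
    host_bits = net.max_prefixlen - net.prefixlen
    info = {
        "network": f"{net.network_address}/{net.prefixlen}",
        "mask": str(net.netmask),
        "wildcard": wildcard(str(net.netmask)),
        "broadcast": str(net.broadcast_address),
        "addresses": 2 ** host_bits,
    }
    if host_bits >= 2:
        # Typical usable hosts = 2^host_bits - 2 (network and broadcast excluded).
        info["usable_hosts"] = 2 ** host_bits - 2
        info["host_range"] = (str(net.network_address + 1),
                              str(net.broadcast_address - 1))
    else:
        # /31 and /32 are not ordinary host subnets; leave the answer to context.
        info["usable_hosts"] = None
        info["host_range"] = None
    return info


def covered_range(cidr):
    """First and last address covered by a prefix."""
    net = ipaddress.ip_network(cidr)
    return (str(net.network_address), str(net.broadcast_address))


def next_subnet(cidr):
    """The adjacent subnet of the same size that follows this one."""
    net = ipaddress.ip_network(cidr)
    return f"{net.broadcast_address + 1}/{net.prefixlen}"


def split_equal(cidr, count):
    """Borrow just enough bits to create at least `count` equal subnets."""
    borrowed = (count - 1).bit_length()
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(prefixlen_diff=borrowed)]


def smallest_prefix_for_hosts(hosts):
    """Longest IPv4 prefix whose 2^host_bits - 2 is still >= hosts."""
    host_bits = (hosts + 1).bit_length()  # smallest h with 2^h >= hosts + 2
    return 32 - host_bits


def summarize(cidrs):
    """Collapse contiguous networks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # The prompts from the speed-check table, answered in order.
    print(describe("192.168.10.37/27"))
    print(covered_range("10.10.12.0/22"), next_subnet("10.10.12.0/22"))
    print(describe("172.16.5.128/25"))
    print(split_equal("192.168.1.0/24", 4))
    print(smallest_prefix_for_hosts(50))
    print(wildcard("255.255.255.0"))
    print(summarize(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
```
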

IPv6 readiness

| Topic | Candidate checklist |
| --- | --- |
| IPv6 notation | Compress and expand IPv6 addresses correctly |
| Prefix length | Interpret IPv6 prefixes and subnet boundaries |
| Address types | Distinguish global unicast, link-local, multicast, loopback, unspecified, and unique local concepts |
| Link-local use | Explain why link-local addresses matter for neighbor relationships and next-hop behavior |
| SLAAC and DHCPv6 concepts | Understand basic host addressing options |
| Neighbor Discovery | Recognize its role in address resolution and reachability |
| IPv6 routing table | Interpret connected, static, and dynamically learned IPv6 routes |
| Dual stack | Explain coexistence of IPv4 and IPv6 in the same network |

Common traps

  • Confusing host bits with borrowed subnet bits.
  • Forgetting that wildcard masks are inverse masks.
  • Treating all /31 and /32 scenarios like ordinary host subnets without considering context.
  • Assuming the numerically smallest route wins instead of longest-prefix match.
  • Misreading IPv6 compressed zeros.
  • Forgetting that IPv6 link-local addresses are not globally routable.
  • Overlooking the default gateway when hosts in different subnets cannot communicate.

Switching and Layer 2 readiness

VLANs, trunks, and switching behavior

| Topic | What to know | Readiness check |
| --- | --- | --- |
| VLAN purpose | Separate broadcast domains on switches | Explain why two ports on the same switch may not communicate |
| Access ports | Carry traffic for a single VLAN | Identify correct access VLAN configuration |
| Trunk ports | Carry multiple VLANs using tagging | Verify allowed VLANs and native VLAN behavior |
| Native VLAN | Untagged traffic on an 802.1Q trunk | Spot native VLAN mismatch symptoms |
| MAC address table | Maps MAC addresses to switch ports | Predict frame forwarding from MAC table output |
| ARP table vs MAC table | ARP maps IP-to-MAC; MAC table maps MAC-to-port | Choose the right table for a troubleshooting step |
| Inter-VLAN routing | Requires a Layer 3 device or Layer 3 switch function | Compare router-on-a-stick and SVI-based designs |
| Voice VLAN | Separates IP phone traffic from data traffic | Recognize access port plus voice VLAN configuration |
| CDP/LLDP | Neighbor discovery protocols | Use neighbor output to validate topology |

Spanning Tree and EtherChannel

| Topic | Candidate checklist |
| --- | --- |
| STP purpose | Explain loop prevention in Layer 2 networks |
| Root bridge | Identify root bridge selection factors from output |
| Port roles | Recognize root, designated, alternate, and blocked/discarding behavior |
| Port states | Understand forwarding versus non-forwarding states at a practical level |
| PortFast | Know where it is appropriate and where it is dangerous |
| BPDU Guard | Explain how it protects edge ports |
| Root Guard concept | Recognize use case for protecting STP topology |
| EtherChannel | Bundle multiple physical links into one logical link |
| LACP/PAgP/static concepts | Distinguish negotiation methods conceptually |
| EtherChannel consistency | Recognize why mismatched speed, duplex, VLAN, trunk, or mode settings break bundles |

Can you do this?

  • Given a switchport configuration, identify whether the port is access, trunk, routed, or misconfigured.
  • Given show vlan brief, determine whether an endpoint is in the expected VLAN.
  • Given show interfaces trunk, identify whether a VLAN is allowed and active on a trunk.
  • Given show spanning-tree, determine the root bridge and port roles.
  • Explain why a host can reach devices in the same VLAN but not another VLAN.
  • Identify when router-on-a-stick requires subinterfaces and 802.1Q tags.
  • Explain why a native VLAN mismatch can cause unexpected traffic behavior.
  • Recognize an EtherChannel that is configured but not bundled.
  • Distinguish a Layer 2 loop from a routing loop symptom.
  • Explain how broadcast storms affect network performance.

Wireless readiness

Wireless topics often test whether you can map design decisions to symptoms and constraints, not just define acronyms.

| Topic | What to review | Ready when you can… |
| --- | --- | --- |
| AP modes and roles | Autonomous, lightweight/controller-based concepts | Explain why a WLC is used |
| WLC function | Centralized control, policy, RF management, client handling | Identify what is configured on WLC versus AP |
| SSID and WLAN | Logical wireless network mapping | Match SSIDs to VLANs and policies |
| RF basics | Channels, interference, signal strength, coverage, overlap | Diagnose poor signal versus authentication failure |
| 2.4 GHz vs 5 GHz concepts | Coverage, channel availability, interference tendencies | Choose a band tradeoff in a scenario |
| Security modes | Personal/PSK and enterprise authentication concepts | Select stronger authentication for business use |
| 802.1X concepts | Supplicant, authenticator, authentication server | Place RADIUS in the authentication flow |
| Roaming | Client movement between APs | Explain why coverage overlap matters |
| Guest WLAN | Segmentation, captive portal concepts, limited access | Identify security and isolation needs |
| CAPWAP concept | AP-to-controller communication | Recognize controller-based architecture clues |

Wireless scenario checks

| Scenario | What to decide |
| --- | --- |
| Users can associate but cannot get an IP address | Check VLAN mapping, DHCP reachability, relay, scope, or policy |
| Users see SSID but authentication fails | Check credentials, PSK, 802.1X/RADIUS, certificates, or WLAN security profile |
| Users have poor throughput in one area | Consider RF coverage, interference, channel overlap, client density, or AP placement |
| Guest users can access internal servers | Check segmentation, ACLs, firewall policy, guest VLAN design |
| AP joins fail | Consider controller reachability, addressing, discovery, time, or compatibility clues |
| Roaming causes drops | Review coverage overlap, authentication method, and controller policy behavior |

Routing and IP connectivity

Routing fundamentals

| Topic | Candidate checklist |
| --- | --- |
| Routing table structure | Identify connected, local, static, default, and dynamically learned routes |
| Longest-prefix match | Choose the most specific matching route |
| Administrative distance concept | Understand preference between route sources |
| Metric concept | Understand route selection within the same routing source |
| Static routes | Configure and interpret next-hop and exit-interface style routes |
| Default routes | Recognize gateway of last resort behavior |
| Floating static routes | Understand backup route behavior conceptually |
| Recursive lookup | Explain how a router resolves next-hop reachability |
| IPv6 routing | Interpret IPv6 static/default routes and next-hop behavior |
| Equal-cost paths | Recognize load-sharing concepts when multiple equal routes exist |
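
How longest-prefix match, administrative distance, and metric interact is easiest to see in a small model. The following is an added example, not part of the original blueprint: the candidate routes are constructed sample data (only the two default routes come from this page), the AD values are the well-known Cisco defaults for static (1) and OSPF (110), and the 200 on the floating static route is an assumed value.

```python
import ipaddress

# Constructed candidate routes. AD and metric only break ties between
# candidates for the SAME prefix; they never override a longer prefix.
CANDIDATES = [
    {"prefix": "0.0.0.0/0",    "source": "static", "ad": 1,   "metric": 0,  "next_hop": "203.0.113.1"},
    {"prefix": "::/0",         "source": "static", "ad": 1,   "metric": 0,  "next_hop": "2001:db8:1::1"},
    {"prefix": "10.1.0.0/16",  "source": "static", "ad": 1,   "metric": 0,  "next_hop": "10.0.0.2"},
    {"prefix": "10.1.20.0/24", "source": "ospf",   "ad": 110, "metric": 20, "next_hop": "10.0.0.6"},
    {"prefix": "10.1.20.0/24", "source": "ospf",   "ad": 110, "metric": 30, "next_hop": "10.0.0.14"},
    # Floating static: same prefix as the OSPF route, deliberately worse AD.
    {"prefix": "10.1.20.0/24", "source": "static", "ad": 200, "metric": 0,  "next_hop": "10.0.0.10"},
]


def build_table(candidates):
    """Step 1: per prefix, install the candidate with the lowest (AD, metric)."""
    installed = {}
    for route in candidates:
        net = ipaddress.ip_network(route["prefix"])
        current = installed.get(net)
        # Exact ties would be equal-cost paths; this sketch keeps the first one.
        if current is None or (route["ad"], route["metric"]) < (current["ad"], current["metric"]):
            installed[net] = route
    return installed


def lookup(table, destination):
    """Step 2: among installed routes that match, the longest prefix wins."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]  # v4/v6 never cross-match
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]


def without_source(candidates, source):
    """Simulate losing every route learned from one source (e.g. OSPF down)."""
    return [r for r in candidates if r["source"] != source]


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dest in ("10.1.20.7", "10.1.99.1", "8.8.8.8", "2001:db8:2::5"):
        r = lookup(table, dest)
        print(dest, "->", r["prefix"], r["source"], "via", r["next_hop"])
    backup = build_table(without_source(CANDIDATES, "ospf"))
    print("OSPF lost:", lookup(backup, "10.1.20.7")["next_hop"])
```

The OSPF /24 (AD 110) is chosen over the static /16 (AD 1) for 10.1.20.7 because prefix length is compared first; the floating static only appears in the table once the OSPF candidates for that prefix are gone.
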

OSPF readiness

| Topic | What to know | Ready when you can… |
| --- | --- | --- |
| OSPF purpose | Dynamic routing using link-state concepts | Explain why OSPF is used instead of static routes |
| Neighbor formation | Routers must agree on key parameters | Troubleshoot missing adjacency from interface, area, timer, network, or authentication clues |
| Router ID | Unique identifier in OSPF process | Identify how router ID affects neighbor output |
| Areas | Logical OSPF structure | Recognize single-area design expectations |
| Passive interface | Advertise network without forming neighbors | Choose it for user-facing interfaces |
| DR/BDR concept | Election on multiaccess networks | Interpret neighbor state clues |
| OSPF network statements | Enable OSPF on matching interfaces | Spot wildcard or area mismatch errors |
| OSPF costs | Influence path selection | Compare routes when metrics differ |

Inter-VLAN routing choices

| Design | When it appears | What to verify |
| --- | --- | --- |
| Router-on-a-stick | One router interface with subinterfaces and trunk to switch | Encapsulation tag, subinterface IP, trunk status, VLAN allowed |
| Layer 3 switch with SVIs | Switch performs routing between VLAN interfaces | SVI up/up, VLAN exists, access ports assigned, IP routing enabled where applicable |
| Separate physical router interfaces | One router interface per VLAN/subnet | Interface addressing, cabling, switchport VLAN assignment |

Can you do this?

  • Given a routing table, identify the route used for a destination.
  • Explain why a default route is used only when no more specific match exists.
  • Determine whether a static route points to a reachable next hop.
  • Recognize a missing return route symptom.
  • Troubleshoot OSPF neighbors stuck or missing.
  • Distinguish routing failure from ACL denial.
  • Explain why two hosts in the same subnet should not need a router.
  • Identify when VLAN, trunk, or SVI problems masquerade as routing problems.
  • Interpret IPv6 next-hop behavior using link-local addresses.
  • Recognize asymmetric routing as a potential troubleshooting complication.

IP services readiness

Core services

| Service | What to review | Scenario cue |
| --- | --- | --- |
| DHCP | Address leasing, pools, exclusions, default gateway option, DNS option | Client has no valid IP or wrong gateway |
| DHCP relay | Forward DHCP requests across routers | Clients in remote VLAN cannot obtain address |
| DNS | Name-to-address resolution | IP works but hostname fails |
| NAT/PAT | Translate private to public addressing concepts | Inside users cannot access outside resources |
| NTP | Time synchronization | Logs, certificates, or authentication behavior inconsistent |
| Syslog | Centralized logging and severity concepts | Need historical troubleshooting evidence |
| SNMP | Monitoring and polling concepts | NMS can or cannot read device status |
| QoS concepts | Classification, marking, queuing, policing, shaping | Voice/video suffer under congestion |
| TFTP/FTP/SCP/SFTP concepts | File transfer for configs/images | Need backup or restore method |
| SSH | Secure remote management | Telnet should be avoided for management |
| CDP/LLDP | Neighbor discovery | Topology validation or cabling investigation |

NAT/PAT readiness

| Topic | Candidate checklist |
| --- | --- |
| Inside vs outside | Identify NAT inside and outside interfaces correctly |
| Static NAT | One-to-one mapping concept |
| Dynamic NAT | Pool-based translation concept |
| PAT/overload | Many inside addresses share one outside address or pool |
| NAT ACL | Defines which internal traffic is eligible for translation |
| Troubleshooting NAT | Verify interfaces, ACL match, route, and translation table |
| NAT order of operations | Understand that NAT interacts with routing and ACLs in troubleshooting |

DHCP readiness

| Task | Ready when you can… |
| --- | --- |
| Identify scope mismatch | Spot clients receiving addresses from the wrong subnet |
| Recognize missing gateway | Explain why local communication works but remote access fails |
| Use relay concept | Place ip helper-address on the correct interface in a routed design |
| Troubleshoot exhaustion | Recognize when pool capacity or exclusions matter |
| Validate binding | Use binding/output clues to confirm lease assignment |

Security fundamentals checklist

Device and management security

| Topic | Candidate checklist |
| --- | --- |
| Secure management | Prefer SSH over Telnet; understand management plane protection |
| Local users | Configure and recognize local authentication |
| Password handling | Understand enable secret, service password encryption concepts, and avoiding plaintext where possible |
| AAA concepts | Authentication, authorization, accounting roles |
| Role-based access concept | Match least privilege to administrator duties |
| Banners | Recognize legal/administrative login message purpose |
| VTY lines | Understand remote access line configuration |
| Console access | Secure local administrative access |
| Management VLAN | Separate management traffic where appropriate |
| Time and logging | Use NTP and syslog for reliable audit trails |

ACL readiness

| ACL type | What to know | Ready when you can… |
| --- | --- | --- |
| Standard IPv4 ACL | Filters primarily by source address | Place it close to the destination in many classic scenarios |
| Extended IPv4 ACL | Filters by source, destination, protocol, and ports | Place it closer to the source when appropriate |
| Named ACL | Uses names rather than only numbers | Read and edit logically |
| IPv6 ACL concept | Filters IPv6 traffic with IPv6 syntax and behavior | Recognize IPv6-specific application |
| Implicit deny | Unmatched traffic is denied | Add needed permit statements deliberately |
| ACL direction | Inbound or outbound relative to the interface | Predict whether traffic is filtered |
| Wildcard masks | Match address ranges correctly | Avoid subnet-mask/wildcard confusion |
| Sequence logic | Top-down first match | Find shadowed or unreachable rules |
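
Top-down first match, the implicit deny, shadowed entries, and subnet-mask/wildcard confusion can all be checked mechanically. The following is an added example, not part of the original blueprint and not Cisco's implementation: it parses only the numbered extended form `access-list N permit|deny PROTO SRC DST [eq PORT]`, ACL 101 is the one shown in this page's configuration recognition examples, and ACLs 110, 120 and 130 are constructed to reproduce the traps.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, MASK32)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))


def parse_ace(line):
    """Parse one numbered extended ACL entry into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _addr_spec(rest)
    dst = _addr_spec(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "text": line}


def _contains(spec, addr):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must equal base.
    return ((addr ^ base) & ~wild & MASK32) == 0


def _covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    return (iw & ~ow & MASK32) == 0 and ((ob ^ ib) & ~ow & MASK32) == 0


def evaluate(lines, proto, src, dst, dport=None):
    """Top-down first match; anything unmatched hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in map(parse_ace, lines):
        if (ace["proto"] in ("ip", proto) and _contains(ace["src"], s)
                and _contains(ace["dst"], d) and ace["port"] in (None, dport)):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def shadowed(lines):
    """(later, earlier) pairs where the later entry can never be first match."""
    aces = [parse_ace(line) for line in lines]
    found = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])
                    and earlier["port"] in (None, later["port"])):
                found.append((later["text"], earlier["text"]))
                break
    return found


# ACL 101 as shown on this page.
ACL_101 = ["access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443",
           "access-list 101 deny ip any any"]
# Constructed: meant to block only web traffic, but has no permit at all.
ACL_110 = ["access-list 110 deny tcp any any eq 80"]
# Constructed: the Telnet deny sits below a broader permit and never matches.
ACL_120 = ["access-list 120 permit ip 192.168.10.0 0.0.0.255 any",
           "access-list 120 deny tcp 192.168.10.0 0.0.0.255 any eq 23"]
# Constructed: subnet mask typed where a wildcard mask belongs.
ACL_130 = ["access-list 130 permit ip 192.168.10.0 255.255.255.0 any"]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "192.168.10.5", "203.0.113.10", 443))
    print(evaluate(ACL_110, "udp", "192.168.10.5", "203.0.113.10", 53))
    print(shadowed(ACL_120))
    print(evaluate(ACL_130, "tcp", "192.168.10.5", "203.0.113.10", 443))
```

With the mask typed as 255.255.255.0, ACL 130 ignores the first three octets and requires the last octet to be 0, so the intended 192.168.10.5 falls through to the implicit deny while an unrelated address such as 10.9.8.0 is permitted.
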

Layer 2 security readiness

| Control | What it helps prevent | Readiness cue |
| --- | --- | --- |
| Port security | Unauthorized MAC access or excessive MACs | Access port security violation symptoms |
| DHCP snooping concept | Rogue DHCP servers | Trust uplinks, not untrusted edge ports |
| Dynamic ARP Inspection concept | ARP spoofing | Depends on trusted bindings or validation |
| BPDU Guard | Accidental switch connection on edge port | Edge port shuts when BPDU received |
| Storm control concept | Broadcast/multicast/unknown unicast impact | Protects against excessive traffic |
| Unused port shutdown | Reduces attack surface | Disable and place unused ports appropriately |
| Native VLAN hygiene | Reduces trunk misuse risk | Avoid user traffic on native VLAN |
| Wireless security | Protects WLAN access and encryption | Prefer enterprise-grade authentication for business scenarios |

Security threat recognition

  • Identify phishing, malware, credential theft, brute force, and social engineering at a basic level.
  • Match spoofing and man-in-the-middle risks to appropriate controls.
  • Recognize why segmentation limits blast radius.
  • Explain how ACLs differ from stateful firewall inspection.
  • Understand the purpose of VPNs at a conceptual level.
  • Recognize why least privilege matters for administrators and users.
  • Distinguish confidentiality, integrity, and availability impacts.
  • Explain why logging without time synchronization can weaken investigations.

Automation and programmability readiness

The Cisco CCNA (200-301 v2.0) candidate should be comfortable with the operational language of modern networks: controllers, APIs, structured data, and repeatable configuration.

Concepts to review

| Topic | What to know | Ready when you can… |
| --- | --- | --- |
| Traditional networking | Device-by-device CLI model | Explain operational limitations at scale |
| Controller-based networking | Centralized policy/control concepts | Distinguish control plane, data plane, and management plane |
| Northbound APIs | Applications talk to controller | Identify client-to-controller automation flow |
| Southbound APIs | Controller communicates with network devices | Recognize controller-to-device role |
| REST APIs | HTTP methods and resource-oriented interaction | Match GET, POST, PUT/PATCH, DELETE to intent |
| JSON | Common structured data format | Read key-value pairs, arrays, and nested objects |
| YAML/XML concepts | Other structured data formats | Recognize syntax and use cases at a high level |
| Idempotency concept | Same automation run should not create unintended repeated changes | Explain why repeatability matters |
| Configuration management | Templates, variables, desired state | Identify benefits over manual changes |
| Telemetry | Model-driven or streaming operational data concepts | Explain why telemetry improves monitoring |
| Infrastructure as code concept | Network state described in files/workflows | Recognize audit and repeatability benefits |

Data format recognition

You should be able to read small structured examples like this and identify keys, values, lists, and nesting:

{
  "interface": "GigabitEthernet0/1",
  "description": "User access port",
  "enabled": true,
  "vlan": 20
}

Readiness checks:

  • Identify whether data is JSON, YAML, or XML from syntax.
  • Explain why APIs are useful for repeatable network operations.
  • Match REST methods to common actions.
  • Interpret an HTTP status success or failure at a basic level.
  • Distinguish intent-based policy from manual per-device commands.
  • Explain why automation can reduce configuration drift.
  • Recognize that automation errors can scale quickly without validation.
  • Understand why source control, review, and rollback plans matter.

Cisco IOS-style command recognition

You do not need to memorize every possible command variant, but you should recognize common verification and troubleshooting commands and know what problem each command helps isolate.

Verification command checklist

| Task | Useful command family |
| --- | --- |
| Interface status summary | show ip interface brief, show ipv6 interface brief |
| Physical/interface errors | show interfaces |
| Switchport mode and VLAN | show interfaces switchport, show vlan brief |
| Trunk status | show interfaces trunk |
| MAC learning | show mac address-table |
| ARP resolution | show arp or similar ARP table output |
| Routing table | show ip route, show ipv6 route |
| OSPF neighbors | show ip ospf neighbor |
| OSPF interface/process | show ip ospf interface, show ip protocols |
| STP status | show spanning-tree |
| EtherChannel | show etherchannel summary |
| NAT translations | show ip nat translations, show ip nat statistics |
| DHCP bindings | show ip dhcp binding |
| ACL entries and matches | show access-lists |
| Neighbor discovery | show cdp neighbors, show lldp neighbors |
| Logs | show logging |
| Running configuration | show running-config |
| Connectivity | ping, traceroute |

Configuration recognition examples

Use snippets like these as recognition practice. Focus on purpose, required pieces, and likely verification steps.

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable

Readiness cue: access port in VLAN 20 with edge-port behavior and BPDU protection.

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Readiness cue: trunk carrying selected VLANs; verify with trunk and VLAN output.

interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

Readiness cue: router-on-a-stick subinterface for VLAN 20.

ip route 0.0.0.0 0.0.0.0 203.0.113.1
ipv6 route ::/0 2001:db8:1::1

Readiness cue: IPv4 and IPv6 default routes.

router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 passive-interface GigabitEthernet0/2

Readiness cue: OSPF enabled for matching interfaces, with one interface not forming neighbors.

access-list 10 permit 192.168.10.0 0.0.0.255

Readiness cue: standard ACL matching a source subnet using a wildcard mask.

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 101 deny ip any any

Readiness cue: extended ACL allowing HTTPS from a subnet, then explicitly denying other IP traffic.

interface GigabitEthernet0/0
 ip nat inside

interface GigabitEthernet0/1
 ip nat outside

access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Readiness cue: PAT for inside subnet traffic using an outside interface.

interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.100.10

Readiness cue: SVI provides default gateway for VLAN 20 and relays DHCP to a server.

Troubleshooting decision checks

Fast isolation workflow

    flowchart TD
	    A[User reports network failure] --> B{Link lights / interface up?}
	    B -- No --> L1[Check cable, speed, duplex, admin state, errors]
	    B -- Yes --> C{Valid IP, mask, gateway, DNS?}
	    C -- No --> IP[Check DHCP, static config, VLAN, relay]
	    C -- Yes --> D{Can reach local gateway?}
	    D -- No --> L2[Check VLAN, trunk, ARP, MAC table, port security]
	    D -- Yes --> E{Can reach remote IP?}
	    E -- No --> L3[Check routes, ACLs, NAT, return path]
	    E -- Yes --> F{Can reach by hostname?}
	    F -- No --> DNS[Check DNS server and name resolution]
	    F -- Yes --> APP[Check application, firewall, policy, server]

Symptom-to-cause table

| Symptom | Likely areas to check |
| --- | --- |
| Interface administratively down | Interface shutdown state or configuration |
| Interface up/down or down/down | Cable, optics, speed/duplex, remote end, physical fault |
| Host can reach same VLAN but not other VLANs | Default gateway, SVI/router subinterface, routing, ACL |
| Host has wrong IP subnet | DHCP scope, VLAN assignment, relay path |
| Host has no DHCP address | DHCP server, relay, VLAN, trunk, ACL, exhausted scope |
| One VLAN missing across trunk | Allowed VLAN list, VLAN existence, STP, native mismatch |
| OSPF neighbor missing | Interface/network statement, area mismatch, passive interface, timers, authentication, reachability |
| Route present but traffic fails | ACL, NAT, return route, next-hop issue, asymmetric path |
| NAT translations absent | Inside/outside interface, NAT ACL, route, traffic match |
| SSH fails but ping works | VTY, username/password, AAA, ACL, crypto/key settings, management policy |
| DNS fails but IP works | DNS server setting, reachability to DNS, record issue |
| Wireless connects but no access | WLAN-to-VLAN mapping, DHCP, ACL, authentication policy |
| Slow voice/video | QoS, congestion, duplex errors, wireless RF, WAN latency/jitter |

Scenario and decision-point practice

Use these prompts to test judgment. For each, decide the most likely issue and the first verification command or artifact you would inspect.

Layer 2 and VLAN scenarios

| Prompt | Decision focus |
| --- | --- |
| A user moved desks and now cannot reach the department server | Access VLAN, port security, DHCP, cabling |
| VLAN 30 works on one switch but not across the uplink | Trunk allowed VLANs, VLAN database, STP state |
| A new switch caused intermittent outages after being connected | STP loop, BPDU Guard, root bridge change |
| Phones work but PCs behind phones do not | Voice VLAN versus data VLAN, access port config |
| EtherChannel links are connected but only one forwards | Channel mode mismatch or inconsistent member settings |

Routing scenarios

| Prompt | Decision focus |
| --- | --- |
| Router has two matching routes to a destination | Longest prefix, then route source preference/metric concepts |
| Branch office reaches HQ, but HQ cannot reach branch | Missing return route, ACL, NAT, firewall path |
| Static default route exists, but internet access fails | Next-hop reachability, NAT, upstream route, ACL |
| OSPF route missing on one router | Neighbor state, area, network statement, passive interface |
| IPv6 host can reach local link but not remote subnet | Default gateway/router advertisement, IPv6 route, ACL |

Security scenarios

| Prompt | Decision focus |
| --- | --- |
| Unauthorized device plugged into office port | Port security, shutdown unused ports, 802.1X concept |
| Users receive addresses from an unknown gateway | Rogue DHCP, DHCP snooping concept |
| ACL intended to block web traffic blocks everything | ACL order, implicit deny, protocol/port match |
| Admin can ping a switch but cannot SSH | VTY, local user, SSH settings, ACL, management source |
| Guest Wi-Fi users can access internal file servers | Segmentation, ACL/firewall policy, WLAN mapping |

Services scenarios

| Prompt | Decision focus |
| --- | --- |
| Clients can ping 8.8.8.8-style addresses but not names | DNS |
| Logs from devices show inconsistent times | NTP |
| Monitoring system cannot poll device | SNMP settings, ACL, reachability |
| Internal users cannot access outside after ISP change | NAT outside interface, default route, ACL |
| Remote VLAN clients fail DHCP but local VLAN works | DHCP relay/helper, routing to server, ACL |

Common weak areas and traps

| Weak area | Why it causes missed questions | How to fix it |
| --- | --- | --- |
| Subnetting under pressure | Candidates know the method but take too long | Drill mixed prefixes daily until answers are automatic |
| Wildcard masks | Easy to confuse with subnet masks | Practice ACL and OSPF wildcard examples together |
| Routing table selection | Candidates pick route source before longest prefix | Always apply longest-prefix match first |
| VLAN/trunk troubleshooting | Symptoms look like routing failures | Verify Layer 2 before changing routes |
| Native VLAN assumptions | Untagged traffic behavior is easy to overlook | Check trunk configuration and mismatch clues |
| STP root/port roles | Output interpretation requires topology awareness | Practice identifying root bridge and blocked links |
| OSPF adjacency issues | Many possible causes | Use a checklist: interface, area, network type, timers, passive, authentication, reachability |
| ACL direction | Inbound/outbound perspective is reversed | Draw the packet entering or leaving the interface |
| ACL implicit deny | Missing final permit breaks traffic | Read ACLs top-down and account for unmatched traffic |
| NAT troubleshooting | NAT, routing, and ACLs interact | Verify inside/outside, match ACL, route, translation |
| DHCP relay placement | Helper configured on the wrong interface | Place relay where client broadcasts enter the router/L3 interface |
| Wireless symptoms | RF, authentication, VLAN, and DHCP get mixed together | Separate association, authentication, addressing, and reachability |
| Automation syntax | JSON/YAML mistakes look minor but change meaning | Practice reading small structured data snippets |
| Memorized commands without purpose | Output cannot be interpreted | Tie each command to a troubleshooting question |

Final-week review checklist

Technical review

  • Rework subnetting drills covering /24 through smaller and larger subnets.
  • Convert subnet masks to wildcard masks without hesitation.
  • Review IPv6 address types, compression, and default route syntax recognition.
  • Read routing tables until you can choose the selected route quickly.
  • Review static, default, and floating static route scenarios.
  • Review OSPF neighbor formation, passive interfaces, router ID, and route verification.
  • Practice VLAN, trunk, native VLAN, and router-on-a-stick questions.
  • Review STP root bridge, port roles, PortFast, and BPDU Guard.
  • Review EtherChannel negotiation and consistency requirements.
  • Review DHCP, relay, DNS, NAT/PAT, NTP, SNMP, syslog, SSH, and QoS concepts.
  • Review ACL placement, direction, wildcard masks, implicit deny, and top-down matching.
  • Review device hardening and secure management steps.
  • Review wireless authentication, WLC/AP roles, SSID-to-VLAN mapping, and RF symptoms.
  • Review controller-based networking, APIs, JSON, and automation benefits/risks.

Command and output review

  • For each common show command, state what problem it helps confirm or eliminate.
  • Practice interpreting partial outputs rather than full lab walkthroughs.
  • Identify whether an issue is Layer 1, Layer 2, Layer 3, service, security, or application-related.
  • Review configuration snippets for VLANs, trunks, SVIs, subinterfaces, static routes, OSPF, ACLs, NAT, DHCP relay, and SSH.
  • Practice explaining the expected verification command after a configuration change.

Exam-readiness checks

  • You can solve subnetting questions quickly and accurately.
  • You can read a small topology and predict traffic flow.
  • You can choose between similar troubleshooting commands.
  • You can explain why a wrong answer is wrong.
  • You can handle mixed scenarios involving VLANs, routing, ACLs, and NAT together.
  • You are not relying only on memorized definitions.
  • You have reviewed your missed practice questions by topic, not just by score.
  • You have a short list of last-minute weak areas and a plan to revisit them.

Practical next step

Use this checklist as a gap analysis. Mark every item as confident, uncertain, or weak. Then focus practice on the weak and uncertain areas with hands-on labs, command-output interpretation, subnetting drills, and scenario-based questions for Cisco CCNA (200-301 v2.0), exam code 200-301 v2.0.