200-301 v2.0 — Cisco CCNA (200-301 v2.0) Exam Quick Reference

Compact Cisco CCNA 200-301 v2.0 quick reference for subnetting, switching, routing, IP services, security, wireless, automation, and troubleshooting.

Exam identity and how to use this page

This independent Quick Reference supports preparation for Cisco CCNA (200-301 v2.0), exam code 200-301 v2.0. Use it as a fast review sheet for high-yield decisions, command interpretation, subnetting, configuration patterns, and troubleshooting.

Focus your final review on:

  • Reading routing tables and choosing the forwarding path.
  • Subnetting quickly without a calculator.
  • Distinguishing Layer 2, Layer 3, and transport symptoms.
  • Knowing what each Cisco IOS show command proves.
  • Recognizing secure default choices: SSH, least privilege, encrypted management, port protections, ACL placement.
  • Understanding controller-based networking and API terms without overcomplicating them.

Layer model anchors

| Layer / scope | PDU | Common identifiers | Exam cues |
| --- | --- | --- | --- |
| Application | Data | URL, FQDN, HTTP method, DNS name | User-facing protocol behavior |
| Transport | Segment / datagram | TCP/UDP port | Reliability, sessions, retransmission, multiplexing |
| Network | Packet | IPv4/IPv6 address | Routing, subnets, next hop, TTL/hop limit |
| Data link | Frame | MAC address, VLAN ID | Switching, trunks, STP, ARP, wireless association |
| Physical | Bits | Cable, RF, speed/duplex | Link lights, signal, cabling, interference |

| Concept | Key distinction |
| --- | --- |
| Switch | Forwards frames using destination MAC address and VLAN. |
| Router | Forwards packets using destination IP address and routing table. |
| Default gateway | Host’s next hop for off-subnet destinations. |
| ARP | Resolves IPv4 address to MAC address on the local segment. |
| NDP | IPv6 neighbor discovery, router discovery, and address resolution. |
| Encapsulation | Data gains headers/trailers as it moves down the stack. |
| Decapsulation | Headers are removed as data moves up the stack. |

IPv4 addressing and subnetting

High-yield IPv4 ranges

| Range | Purpose | Exam note |
| --- | --- | --- |
| 10.0.0.0/8 | Private | Not routed on the public Internet. |
| 172.16.0.0/12 | Private | Includes 172.16.0.0 through 172.31.255.255. |
| 192.168.0.0/16 | Private | Common small-office and lab range. |
| 169.254.0.0/16 | Link-local / APIPA | Host self-assigns when DHCP fails. |
| 127.0.0.0/8 | Loopback | Local host testing. |
| 224.0.0.0/4 | Multicast | One-to-many delivery. |
| 255.255.255.255 | Local broadcast | Stays on local segment. |
| 0.0.0.0/0 | Default route | “Any destination” route. |
| 0.0.0.0 | Unspecified source | Often before address assignment. |

Subnet math shortcuts

\[ \text{Block size} = 256 - \text{interesting mask octet} \]

\[ \text{Typical usable IPv4 hosts per subnet} = 2^{\text{host bits}} - 2 \]

| Prefix | Mask | Wildcard | Typical usable hosts | Common use / trap |
| --- | --- | --- | --- | --- |
| /8 | 255.0.0.0 | 0.255.255.255 | 16,777,214 | Large classful-style summary. |
| /16 | 255.255.0.0 | 0.0.255.255 | 65,534 | Large private site block. |
| /20 | 255.255.240.0 | 0.0.15.255 | 4,094 | Block size 16 in third octet. |
| /21 | 255.255.248.0 | 0.0.7.255 | 2,046 | Block size 8 in third octet. |
| /22 | 255.255.252.0 | 0.0.3.255 | 1,022 | Block size 4 in third octet. |
| /23 | 255.255.254.0 | 0.0.1.255 | 510 | Block size 2 in third octet. |
| /24 | 255.255.255.0 | 0.0.0.255 | 254 | Common LAN subnet. |
| /25 | 255.255.255.128 | 0.0.0.127 | 126 | Two subnets per /24. |
| /26 | 255.255.255.192 | 0.0.0.63 | 62 | Four subnets per /24. |
| /27 | 255.255.255.224 | 0.0.0.31 | 30 | Block size 32. |
| /28 | 255.255.255.240 | 0.0.0.15 | 14 | Block size 16. |
| /29 | 255.255.255.248 | 0.0.0.7 | 6 | Small infrastructure subnet. |
| /30 | 255.255.255.252 | 0.0.0.3 | 2 | Traditional point-to-point subnet. |
| /31 | 255.255.255.254 | 0.0.0.1 | 2 on point-to-point | No traditional network/broadcast on supported P2P links. |
| /32 | 255.255.255.255 | 0.0.0.0 | 1 address | Host route or loopback. |

Fast subnet workflow

| Step | Action | Example: 192.168.10.77/27 |
| --- | --- | --- |
| 1 | Find interesting octet. | /27 is fourth octet. |
| 2 | Calculate block size. | 256 - 224 = 32. |
| 3 | List subnet starts. | 0, 32, 64, 96, 128… |
| 4 | Choose range containing host. | 77 is in 64-95. |
| 5 | Identify network and broadcast. | Network 192.168.10.64, broadcast 192.168.10.95. |
| 6 | Identify usable range. | 192.168.10.65-192.168.10.94. |
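
The six steps above as code, generalized from the /27 case to any prefix including /31 and /32. This is an added example, not part of the original reference; the function name `subnet_details` and the sample addresses are hypothetical.

```python
# Added example: the block-size workflow, generalized to any IPv4 prefix.

def subnet_details(cidr):
    """Work through the block-size method for an address written as a.b.c.d/n."""
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    octets = [int(part) for part in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= prefix <= 32:
        raise ValueError(f"not an IPv4 prefix: {cidr}")

    # Step 1: the interesting octet is the one where the mask stops being 255.
    idx = min(prefix // 8, 3)
    network_bits = prefix - 8 * idx            # mask bits inside that octet (0 to 8)
    mask_octet = 256 - 2 ** (8 - network_bits)
    mask = [255] * idx + [mask_octet] + [0] * (3 - idx)

    # Step 2: block size = 256 - interesting mask octet.
    block = 256 - mask_octet

    # Steps 3 and 4: subnet starts are multiples of the block size; take the one
    # at or below the host's value in the interesting octet.
    start = octets[idx] // block * block

    # Step 5: network = start followed by zeros; broadcast = last value of the
    # block followed by 255s.
    network = octets[:idx] + [start] + [0] * (3 - idx)
    broadcast = octets[:idx] + [start + block - 1] + [255] * (3 - idx)

    # Step 6: usable range. /31 and /32 have no separate network/broadcast address.
    if prefix >= 31:
        first, last = network, broadcast
        usable = 2 if prefix == 31 else 1
    else:
        first = network[:3] + [network[3] + 1]
        last = broadcast[:3] + [broadcast[3] - 1]
        usable = 2 ** (32 - prefix) - 2

    def dotted(parts):
        return ".".join(str(p) for p in parts)

    return {
        "mask": dotted(mask),
        "wildcard": dotted([255 - m for m in mask]),
        "block_size": block,
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_usable": dotted(first),
        "last_usable": dotted(last),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for example in ("192.168.10.77/27", "172.16.37.5/20", "10.0.0.5/31"):
        print(example, subnet_details(example))
```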

Wildcard masks

| Need | Method | Example |
| --- | --- | --- |
| Convert subnet mask to wildcard | Subtract each octet from 255 | 255.255.255.192 -> 0.0.0.63 |
| Match one host | Wildcard 0.0.0.0 | host 192.0.2.10 equals 192.0.2.10 0.0.0.0 |
| Match any address | Wildcard 255.255.255.255 | any equals 0.0.0.0 255.255.255.255 |
| OSPF network statement | Uses wildcard, not subnet mask | network 10.1.1.0 0.0.0.255 area 0 |
| ACL matching | Uses wildcard after source/destination | Standard ACL filters source only. |

IPv6 essentials

| Type | Common prefix / example | Purpose |
| --- | --- | --- |
| Global unicast | 2000::/3 | Publicly routable IPv6 addressing. |
| Unique local | FC00::/7 | Private-like internal IPv6 space. |
| Link-local | FE80::/10 | Required on IPv6 interfaces; used for neighbor/router discovery. |
| Multicast | FF00::/8 | Replaces many IPv4 broadcast functions. |
| Loopback | ::1/128 | Local host. |
| Unspecified | ::/128 | “No address yet.” |
| Default route | ::/0 | Any IPv6 destination. |
| Solicited-node multicast | FF02::1:FFxx:xxxx pattern | Used by NDP for address resolution. |

| IPv6 concept | Know this |
| --- | --- |
| No broadcast | IPv6 uses multicast and neighbor discovery instead. |
| Link-local next hop | IPv6 static routes often use link-local next-hop plus exit interface. |
| SLAAC | Host builds address using router advertisements. |
| DHCPv6 | Can provide stateful addressing or additional options depending on design. |
| NDP | Provides neighbor solicitation/advertisement and router solicitation/advertisement. |
| Abbreviation | Remove leading zeros and compress one contiguous all-zero sequence with :: once. |

Example IPv6 static routes:

ipv6 route ::/0 2001:db8:1::1
ipv6 route 2001:db8:20::/64 gigabitEthernet0/0 fe80::1

Switching, VLANs, and trunks

MAC learning and forwarding

| Frame condition | Switch action |
| --- | --- |
| Source MAC unknown | Learn source MAC on ingress port and VLAN. |
| Destination MAC known | Forward only out the associated port in that VLAN. |
| Destination MAC unknown | Flood within the VLAN, except ingress port. |
| Broadcast | Flood within the VLAN. |
| Different VLAN | Requires Layer 3 routing. |
| MAC table entry ages out | Switch relearns when traffic appears. |

VLAN and trunk reference

| Feature | Purpose | Exam trap |
| --- | --- | --- |
| Access port | Carries one data VLAN for an endpoint. | Voice VLAN may also be present for IP phone designs. |
| Trunk port | Carries multiple VLANs between switches or to router/firewall/AP. | Both sides must agree on trunking expectations. |
| 802.1Q tag | Identifies VLAN on trunk frames. | Native VLAN frames are not tagged by default behavior. |
| Native VLAN | VLAN used for untagged trunk traffic. | Mismatch can cause connectivity/security issues. |
| Allowed VLAN list | Restricts VLANs carried on trunk. | VLAN may exist but still not pass over trunk. |
| Inter-VLAN routing | Enables communication between VLANs. | A Layer 2 switch alone does not route VLANs. |

Common Cisco IOS VLAN commands:

vlan 10
 name USERS
vlan 20
 name VOICE

interface gigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast

interface gigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999

Verification:

show vlan brief
show interfaces trunk
show mac address-table
show interfaces switchport

Inter-VLAN routing patterns

| Pattern | When used | Key configuration point |
| --- | --- | --- |
| Router-on-a-stick | Router subinterfaces connect to a switch trunk. | Each subinterface has 802.1Q encapsulation and gateway IP. |
| Layer 3 switch SVI | Multilayer switch routes between VLANs. | ip routing and interface VLAN gateways are required. |
| Routed physical port | Point-to-point L3 link. | Use no switchport on capable switches. |

Router-on-a-stick example:

interface gigabitEthernet0/0
 no shutdown

interface gigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0

interface gigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

Layer 3 switch SVI example:

ip routing

interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown

Spanning Tree and EtherChannel

STP/RSTP essentials

| Item | Meaning | Selection / behavior |
| --- | --- | --- |
| Root bridge | Logical center of STP topology. | Lowest bridge ID wins. Bridge ID includes priority and MAC. |
| Root port | Best port toward root bridge. | One per non-root switch. |
| Designated port | Best port for a segment. | Forwards for that segment. |
| Alternate port | Backup path in RSTP. | Discards until needed. |
| PortFast | Speeds endpoint port transition. | Use on access ports, not switch-to-switch links. |
| BPDU Guard | Protects PortFast edge ports. | Err-disables port if BPDU is received. |
| Root Guard | Prevents unexpected root bridge. | Blocks superior BPDUs on protected ports. |

| Decision | Prefer |
| --- | --- |
| Make a specific switch root | Lower its STP priority. |
| Protect user-facing access ports | PortFast plus BPDU Guard. |
| Prevent a downstream switch from becoming root | Root Guard on appropriate upstream ports. |
| Troubleshoot blocked ports | Check root bridge, path cost, port role, VLAN-specific STP state. |

Verification:

show spanning-tree
show spanning-tree vlan 10
show spanning-tree interface gigabitEthernet0/1 detail

EtherChannel

| Protocol / mode | Forms channel with | Notes |
| --- | --- | --- |
| LACP active | active or passive | Standards-based negotiation. |
| LACP passive | active only | Waits for peer. |
| PAgP desirable | desirable or auto | Cisco negotiation. |
| PAgP auto | desirable only | Waits for peer. |
| On | on only | No negotiation; mismatch can cause issues. |

EtherChannel requirements commonly tested:

  • Same speed and duplex.
  • Same trunk/access mode.
  • Same native VLAN on trunks.
  • Same allowed VLAN list on trunks.
  • Same access VLAN on access bundles.
  • Compatible negotiation mode.

Example:

interface range gigabitEthernet0/1 - 2
 channel-group 1 mode active

interface port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Verification:

show etherchannel summary
show interfaces port-channel1
show interfaces trunk

IP routing

Route selection order

| Step | Router considers | Exam meaning |
| --- | --- | --- |
| 1 | Longest prefix match | Most specific route wins first. |
| 2 | Administrative distance | Used only when prefix length is the same from different sources. |
| 3 | Metric | Used by a routing protocol to choose among routes it owns. |
| 4 | Equal-cost paths | May load share if multiple equal best routes exist. |

Common administrative distances:

| Route source | AD |
| --- | --- |
| Connected | 0 |
| Static | 1 |
| eBGP | 20 |
| EIGRP internal | 90 |
| OSPF | 110 |
| RIP | 120 |
| Unknown / unusable | 255 |
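
The four-step selection order applied to a small candidate set, using the administrative distances listed above. This is an added example, not part of the original reference; the routes, next hops, and the function name `select_routes` are constructed for illustration.

```python
import ipaddress

# Administrative distances as listed in the table above.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                  "eigrp": 90, "ospf": 110, "rip": 120}

# Constructed candidate routes (not from a real device):
# (prefix, source, metric, next hop)
CANDIDATES = [
    ("0.0.0.0/0",   "static", 0,  "203.0.113.1"),
    ("10.0.0.0/8",  "static", 0,  "10.0.0.2"),
    ("10.1.0.0/16", "ospf",   20, "10.0.12.2"),
    ("10.1.0.0/16", "rip",    2,  "10.0.13.3"),
    ("10.1.1.0/24", "ospf",   30, "10.0.12.2"),
    ("10.1.1.0/24", "ospf",   30, "10.0.14.4"),
    ("10.1.1.0/24", "ospf",   40, "10.0.15.5"),
]


def select_routes(candidates, destination):
    """Return the winning (prefix, source, next_hop) entries for a destination."""
    dest = ipaddress.ip_address(destination)
    matching = []
    for prefix, source, metric, next_hop in candidates:
        network = ipaddress.ip_network(prefix)
        distance = ADMIN_DISTANCE.get(source, 255)   # unknown source = unusable
        if distance < 255 and dest in network:
            matching.append((network.prefixlen, distance, metric,
                             prefix, source, next_hop))
    if not matching:
        return []

    # Step 1: longest prefix match, regardless of AD.
    longest = max(route[0] for route in matching)
    matching = [route for route in matching if route[0] == longest]

    # Step 2: lowest administrative distance among routes to that same prefix.
    best_ad = min(route[1] for route in matching)
    matching = [route for route in matching if route[1] == best_ad]

    # Step 3: lowest metric. Only routes from the winning source remain here,
    # so the metrics being compared share a scale.
    best_metric = min(route[2] for route in matching)
    matching = [route for route in matching if route[2] == best_metric]

    # Step 4: anything still tied is an equal-cost path.
    return [(prefix, source, next_hop)
            for _, _, _, prefix, source, next_hop in matching]


if __name__ == "__main__":
    for target in ("10.1.1.7", "10.1.2.7", "10.9.9.9", "198.51.100.9"):
        print(target, "->", select_routes(CANDIDATES, target))
```

For 10.1.1.7 the OSPF /24 routes win even though a static route with AD 1 covers the address, and for 10.1.2.7 OSPF beats RIP on AD despite RIP's smaller metric.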

Routing table codes commonly seen:

| Code | Meaning |
| --- | --- |
| C | Connected route |
| L | Local host route for interface IP |
| S | Static route |
| O | OSPF route |
| D | EIGRP route |
| R | RIP route |
| B | BGP route |
| * | Candidate default route |

Example static and default routes:

ip route 192.168.50.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1

ipv6 route 2001:db8:50::/64 2001:db8:1::2
ipv6 route ::/0 2001:db8:ffff::1

OSPFv2 quick reference

| Item | What to remember |
| --- | --- |
| Link-state protocol | Routers build LSDB and run SPF. |
| Area | CCNA-level questions often focus on single-area basics. |
| Router ID | Highest priority: manual router ID, then loopback, then active interface IP. |
| Neighbor requirement | Matching area, subnet, timers, authentication if used, and compatible network type. |
| DR/BDR | Elected on broadcast multiaccess networks. |
| Passive interface | Advertises network but does not form neighbor relationships there. |
| Metric | Based on cost. Lower total cost is better. |

OSPF configuration:

router ospf 1
 router-id 1.1.1.1
 network 10.1.1.0 0.0.0.255 area 0
 passive-interface gigabitEthernet0/1

Interface-based OSPF alternative:

interface gigabitEthernet0/0
 ip ospf 1 area 0

Verification:

show ip ospf neighbor
show ip ospf interface brief
show ip route ospf
show ip protocols

First-hop redundancy

| Concept | Purpose |
| --- | --- |
| HSRP/VRRP/GLBP category | Provides a resilient default gateway for hosts. |
| Virtual IP | Default gateway address configured on hosts. |
| Active/standby or equivalent roles | One device forwards for the virtual gateway depending on protocol/design. |
| Priority | Higher priority is generally preferred. |
| Preemption | Allows a recovered higher-priority device to reclaim active role if configured. |

IP services

DHCP

| Component | Role |
| --- | --- |
| DHCP Discover | Client broadcasts to find server. |
| DHCP Offer | Server offers address options. |
| DHCP Request | Client requests offered address. |
| DHCP Ack | Server confirms lease. |
| Default gateway option | Tells clients their router. |
| DNS option | Tells clients name servers. |
| DHCP relay | Forwards client broadcasts to server on another subnet. |

Router DHCP server example:

ip dhcp excluded-address 192.168.10.1 192.168.10.20

ip dhcp pool USERS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.0.2.53

DHCP relay example:

interface vlan 10
 ip helper-address 192.168.100.10

NAT and PAT

| Type | Use | Key distinction |
| --- | --- | --- |
| Static NAT | One inside local to one inside global. | Fixed mapping. |
| Dynamic NAT | Inside hosts use a pool. | Pool can be exhausted. |
| PAT / overload | Many inside hosts share one or more global addresses. | Uses ports to multiplex sessions. |
| Inside local | Private/internal address before translation. | Seen on inside network. |
| Inside global | Translated address representing inside host. | Seen by outside network. |

PAT example:

access-list 1 permit 192.168.10.0 0.0.0.255

interface gigabitEthernet0/0
 ip nat inside

interface gigabitEthernet0/1
 ip nat outside

ip nat inside source list 1 interface gigabitEthernet0/1 overload

Verification:

show ip nat translations
show ip nat statistics

Other services

| Service | Purpose | Verification / notes |
| --- | --- | --- |
| DNS | Name-to-address resolution. | If IP works but names fail, check DNS. |
| NTP | Time synchronization. | Important for logs, certificates, troubleshooting. |
| Syslog | Centralized logging. | Severity lower number means more critical. |
| SNMP | Monitoring and management. | Know manager, agent, MIB, trap/inform. |
| CDP | Cisco neighbor discovery. | Layer 2 adjacent Cisco devices. |
| LLDP | Standards-based neighbor discovery. | Multi-vendor neighbor discovery. |
| QoS | Classifies, marks, queues, and prioritizes traffic. | Voice/video are common priority examples. |
| TFTP/FTP/SCP | File transfer for images/configs. | Prefer secure options when available. |

Useful commands:

show cdp neighbors detail
show lldp neighbors detail
show ntp status
show logging
show clock

Wireless fundamentals

| Topic | Key points |
| --- | --- |
| AP | Bridges wireless clients into the wired network. |
| WLC | Centralizes AP management, SSIDs, security, roaming, and policies. |
| CAPWAP | Used between lightweight APs and controllers. |
| SSID | Wireless network name. |
| BSSID | AP radio MAC associated with an SSID. |
| WPA2/WPA3-Personal | Pre-shared key authentication. |
| WPA2/WPA3-Enterprise | 802.1X/EAP with centralized authentication. |
| 2.4 GHz | Longer range, fewer non-overlapping channels, more interference. |
| 5 GHz | More channels and capacity, generally shorter range than 2.4 GHz. |
| 6 GHz | Newer spectrum support where available; know conceptually if referenced. |
| Roaming | Client moves between APs while maintaining service. |

| Design decision | Prefer |
| --- | --- |
| Enterprise user authentication | WPA-Enterprise with 802.1X. |
| Guest access separation | Separate SSID/VLAN and policy controls. |
| Voice over Wi-Fi | Strong coverage, low latency, QoS support, careful roaming design. |
| Interference troubleshooting | Check channel overlap, power, neighboring APs, non-Wi-Fi interference. |
| Secure legacy avoidance | Avoid open or weak authentication/encryption designs. |

Security fundamentals

Device hardening

| Control | Why it matters |
| --- | --- |
| enable secret | Stores privileged password using stronger protection than enable password. |
| Local user accounts | Required for local authentication and SSH login. |
| SSH instead of Telnet | Encrypts management traffic. |
| AAA | Centralizes authentication, authorization, and accounting. |
| Login banners | Provide administrative notice; do not leak sensitive information. |
| Exec timeout | Reduces risk from abandoned sessions. |
| Secure management VLAN/path | Limits who can reach device management. |
| NTP | Supports reliable log timestamps. |
| Syslog | Preserves events centrally. |
| Configuration backups | Supports recovery and change comparison. |

Basic SSH management example:

hostname R1
ip domain-name example.local
username admin privilege 15 secret StrongSecretHere
crypto key generate rsa modulus 2048
ip ssh version 2

line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0

ACLs

| ACL type | Filters by | Placement guidance |
| --- | --- | --- |
| Standard IPv4 ACL | Source IPv4 only | Place near destination to avoid overblocking. |
| Extended IPv4 ACL | Source, destination, protocol, ports | Place near source to stop unwanted traffic early. |
| IPv6 ACL | IPv6 source/destination and upper-layer fields | Applied with IPv6 access-group syntax. |

ACL rules to remember:

  • Processed top-down, first match wins.
  • There is an implicit deny at the end.
  • More specific entries should appear before broader entries.
  • Direction matters: inbound before routing decision, outbound after routing decision.
  • Editing named ACLs is usually easier than editing numbered ACLs.
  • Standard ACLs cannot match destination or TCP/UDP port.

Examples:

ip access-list extended BLOCK_TELNET
 deny tcp 192.168.10.0 0.0.0.255 any eq 23
 permit ip any any

interface gigabitEthernet0/0
 ip access-group BLOCK_TELNET in

ip access-list standard MGMT_ONLY
 permit 192.168.100.0 0.0.0.255
 deny any

line vty 0 4
 access-class MGMT_ONLY in

Verification:

show access-lists
show ip interface gigabitEthernet0/0
show running-config | section access-list
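
How the ACL rules above (top-down, first match wins, implicit deny, wildcard matching) play out on the page's BLOCK_TELNET and MGMT_ONLY lists. This is an added example, not part of the original reference and not Cisco code; the data layout, the function names, and the sample packets are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"

# The page's two ACLs as data. A standard ACL matches source only, so its
# entries use protocol "ip", destination ANY and no port.
BLOCK_TELNET = [
    {"action": "deny", "proto": "tcp",
     "src": ("192.168.10.0", "0.0.0.255"), "dst": ANY, "dport": 23},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY, "dport": None},
]
MGMT_ONLY = [
    {"action": "permit", "proto": "ip",
     "src": ("192.168.100.0", "0.0.0.255"), "dst": ANY, "dport": None},
    {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY, "dport": None},
]

# Constructed sample packets.
TELNET_FROM_USERS = {"proto": "tcp", "src": "192.168.10.50",
                     "dst": "203.0.113.10", "dport": 23}
SSH_FROM_USERS = {"proto": "tcp", "src": "192.168.10.50",
                  "dst": "203.0.113.10", "dport": 22}
SSH_FROM_MGMT = {"proto": "tcp", "src": "192.168.100.7",
                 "dst": "192.168.100.1", "dport": 22}
SSH_FROM_OTHER = {"proto": "tcp", "src": "192.168.10.50",
                  "dst": "192.168.100.1", "dport": 22}


def wildcard_match(address, base, wildcard):
    """True when address equals base in every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl, packet):
    """Return (action, entry number); entry number is None for the implicit deny."""
    for number, entry in enumerate(acl, start=1):
        if entry["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"], number      # first match wins, stop here
    return "deny", None                      # implicit deny at the end


if __name__ == "__main__":
    print(evaluate(BLOCK_TELNET, TELNET_FROM_USERS))        # specific deny hits first
    print(evaluate(BLOCK_TELNET[::-1], TELNET_FROM_USERS))  # broad permit placed first
    print(evaluate(MGMT_ONLY[:1], SSH_FROM_OTHER))          # no match: implicit deny
```

Reversing BLOCK_TELNET shows why specific entries go before broad ones: with `permit ip any any` first, the Telnet deny is never reached.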

Layer 2 security

| Feature | Protects against | Key idea |
| --- | --- | --- |
| Port security | Unauthorized MACs on access ports | Limit/learn allowed MAC addresses. |
| DHCP snooping | Rogue DHCP servers | Trust uplinks/server-facing ports only. |
| Dynamic ARP Inspection | ARP spoofing | Uses DHCP snooping binding table. |
| BPDU Guard | Rogue switches on edge ports | Err-disables PortFast port receiving BPDU. |
| Storm control | Excessive broadcast/multicast/unknown unicast | Limits traffic storms. |
| Native VLAN change | VLAN hopping risk reduction | Use unused native VLAN and avoid user traffic on it. |
| Disable unused ports | Physical access risk | Shut down and place in unused VLAN. |

Port security example:

interface gigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

Verification:

show port-security
show port-security interface gigabitEthernet0/10
show interfaces status err-disabled

Automation and programmability

| Term | Practical meaning |
| --- | --- |
| Controller-based networking | Central control/management plane programs network devices. |
| Northbound API | Interface from controller to applications/orchestrators. |
| Southbound API | Interface from controller to network devices. |
| REST API | HTTP-based API style using methods such as GET, POST, PUT/PATCH, DELETE. |
| JSON | Common structured data format used by APIs. |
| XML | Structured markup format used by some network APIs. |
| YANG | Data modeling language for network configuration/state. |
| NETCONF | Model-driven management protocol commonly using XML and YANG models. |
| RESTCONF | REST-style protocol using YANG-modeled data. |
| Ansible | Agentless automation commonly using YAML playbooks. |
| Puppet/Chef | Configuration management tools; often agent/model driven. |
| Idempotence | Reapplying automation should not create unintended repeated changes. |

Data format recognition

JSON:

{
  "interface": {
    "name": "GigabitEthernet0/1",
    "enabled": true,
    "vlan": 10
  }
}

YAML:

interface:
  name: GigabitEthernet0/1
  enabled: true
  vlan: 10

REST method quick map:

| Method | Typical use |
| --- | --- |
| GET | Read data. |
| POST | Create or trigger action. |
| PUT | Replace a resource. |
| PATCH | Partially update a resource. |
| DELETE | Remove a resource. |

Traditional vs controller-based networking

| Area | Traditional device-by-device | Controller-based |
| --- | --- | --- |
| Configuration | CLI per device | Policy/templates/API-driven |
| Visibility | Per-device show commands | Central inventory, telemetry, assurance |
| Consistency | Depends on operator process | Enforced through automation/policy |
| Troubleshooting | Hop-by-hop | Controller view plus device validation |
| Risk | Manual drift | Automation errors can scale quickly if poorly tested |

Command interpretation map

| Need to prove | Cisco IOS commands |
| --- | --- |
| Interface status and IPs | show ip interface brief, show ipv6 interface brief |
| Physical/link errors | show interfaces, show controllers where applicable |
| VLAN membership | show vlan brief |
| Trunk state and allowed VLANs | show interfaces trunk |
| MAC learning | show mac address-table |
| ARP resolution | show ip arp |
| IPv6 neighbors | show ipv6 neighbors |
| Routing table | show ip route, show ipv6 route |
| Default route | show ip route 0.0.0.0, show ipv6 route ::/0 |
| OSPF neighbors | show ip ospf neighbor |
| OSPF-enabled interfaces | show ip ospf interface brief |
| DHCP bindings | show ip dhcp binding |
| NAT translations | show ip nat translations |
| ACL hits | show access-lists |
| Running configuration | show running-config |
| Startup configuration | show startup-config |
| Neighbor devices | show cdp neighbors detail, show lldp neighbors detail |
| EtherChannel | show etherchannel summary |
| STP | show spanning-tree |
| SSH status | show ip ssh |
| Logs | show logging |

Troubleshooting decision tables

Host cannot reach anything

| Check | If failing | Likely issue |
| --- | --- | --- |
| Link status | Interface down/down | Cable, disabled port, physical/RF issue. |
| Host IP/mask/gateway | Missing or APIPA | DHCP failure or static misconfiguration. |
| Same-subnet ping | Cannot reach neighbor | VLAN, switchport, ARP/NDP, host firewall. |
| Default gateway ping | Fails | Wrong gateway, SVI/router down, VLAN/trunk issue. |
| Off-subnet ping by IP | Gateway works, remote fails | Routing, ACL, NAT, upstream path. |
| DNS name ping | IP works, name fails | DNS configuration or resolution issue. |

VLAN user cannot reach gateway

| Symptom | Check first |
| --- | --- |
| Access port in wrong VLAN | show vlan brief, show interfaces switchport |
| VLAN absent on switch | show vlan brief |
| VLAN not allowed on trunk | show interfaces trunk |
| Native VLAN mismatch | Trunk configuration on both sides |
| SVI down | At least one active port in VLAN and no shutdown on SVI |
| Router-on-a-stick failure | Subinterface encapsulation, trunk to router, IP address |

Routing failure

| Symptom | Likely area |
| --- | --- |
| Route missing | Routing protocol not advertising, static route absent, interface down. |
| Wrong next hop selected | Longest prefix, AD, or metric misunderstanding. |
| Default route missing | Internet/unknown destinations fail. |
| OSPF neighbor down | Area/subnet/timer/authentication/network type issue. |
| One direction works only | Return route, ACL, NAT, or asymmetric path. |
| Ping fails but route exists | ACL, firewall, host issue, MTU, wrong source interface. |

NAT/PAT failure

| Check | What to confirm |
| --- | --- |
| Inside/outside labels | Correct interfaces marked ip nat inside and ip nat outside. |
| ACL match | Inside source addresses are permitted by NAT ACL. |
| Route to outside | Router can reach next hop. |
| Return traffic | Outside path returns to translated address. |
| Translations | show ip nat translations increments during test. |
| Overlap | Avoid ambiguous inside/outside addressing. |

Common exam traps

| Trap | Correct thinking |
| --- | --- |
| “Lowest AD always wins.” | Longest prefix match is evaluated before AD. |
| Confusing MAC and IP forwarding | Switches use MAC/VLAN; routers use IP routes. |
| Forgetting implicit ACL deny | Add explicit permits as needed. |
| Applying ACL in wrong direction | Inbound and outbound are from the router interface perspective. |
| Using subnet mask in OSPF network command | OSPF network uses wildcard mask. |
| Assuming VLAN exists because trunk allows it | VLAN must exist and be active where needed. |
| Ignoring native VLAN mismatch | Can break or misdirect untagged traffic. |
| Assuming SVI up just because configured | SVI needs VLAN present and active Layer 2 state. |
| PortFast on switch-to-switch links | PortFast is for edge/access ports. |
| EtherChannel partial mismatch | Member ports must have compatible speed, duplex, VLAN, trunk settings. |
| DHCP relay forgotten | DHCP broadcasts do not cross routers without relay. |
| DNS blamed for IP failure | Test by IP first, then by name. |
| IPv6 default gateway confusion | Link-local next hops are normal in IPv6. |
| Telnet accepted as secure management | Use SSH for encrypted CLI management. |
| service password-encryption overvalued | It obscures some passwords but is not strong password protection. |

Final quick-review checklist

Before exam day, make sure you can do the following without notes:

  • Subnet /24 through /30 quickly, including network, broadcast, usable range, and wildcard.
  • Interpret show ip route and explain why one route wins.
  • Configure and verify VLANs, trunks, router-on-a-stick, and SVIs.
  • Identify STP root, port roles, and common edge protections.
  • Recognize OSPF neighbor requirements and basic verification output.
  • Configure a simple static route, default route, DHCP pool, PAT, SSH, and ACL.
  • Troubleshoot by layer instead of guessing.
  • Explain REST, JSON, YANG, NETCONF, RESTCONF, controller-based networking, and northbound/southbound APIs at a practical level.

Next step: use this Quick Reference as your checklist while working through timed Cisco CCNA (200-301 v2.0) practice questions and hands-on configuration labs, then revisit any command or decision point you cannot explain from memory.