Search Pass4Sure

cisco-guides

CCNA 200-301 Complete Study Guide: All Domains Covered

Complete CCNA 200-301 study guide covering all six exam domains including networking fundamentals, routing, security, and automation with an 8-week study plan.

Kalenux Team·February 4, 2026
12 min read·790 views
CCNA 200-301 Complete Study Guide: All Domains Covered

The Cisco Certified Network Associate (CCNA) 200-301 exam is the most recognized networking certification in the world and the foundation for every Cisco career track. Cisco consolidated its previously fragmented CCNA tracks (Routing and Switching, Security, Cloud, Wireless, and others) into this single comprehensive exam in 2020, making it both broader in scope and more demanding than its predecessors. The CCNA 200-301 covers networking fundamentals, IP connectivity, security, automation, and programmability across six domains.

According to the 2024 Global Knowledge IT Skills and Salary Report, CCNA-certified professionals in North America earn a median salary of $87,000, with experienced network engineers holding CCNA as a baseline certification earning significantly more. Cisco reported that over 3 million CCNA certifications have been issued since the program's inception, making it the most widely held professional networking credential globally.

This guide covers all six exam domains, explains the critical concepts for each, and provides a structured study plan to pass the CCNA 200-301 on your first attempt.

Exam Overview

Detail Information
Exam Code 200-301
Full Name Cisco Certified Network Associate
Number of Questions 100-120
Time Limit 120 minutes
Passing Score Approximately 825/1000 (Cisco does not publish the exact score)
Cost $330 USD
Prerequisites None (recommended 1+ years of networking experience)
Validity 3 years
Question Types Multiple choice, drag-and-drop, simulation

The six exam domains and their weights:

  1. Network Fundamentals (20%)
  2. Network Access (20%)
  3. IP Connectivity (25%)
  4. IP Services (10%)
  5. Security Fundamentals (15%)
  6. Automation and Programmability (10%)

"The CCNA exam is unique because it expects you to understand networking at a conceptual level and be able to configure devices at a practical level. You cannot pass by only reading theory. You must build labs, configure routers and switches, and troubleshoot real problems." -- Wendell Odom, author of the official CCNA 200-301 Official Cert Guide

Domain 1: Network Fundamentals (20%)

The OSI and TCP/IP Models

OSI model -- the Open Systems Interconnection reference model, a seven-layer conceptual framework that standardizes how network protocols communicate: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), and Application (7).

The exam tests your ability to map protocols and devices to the correct OSI layer. In practice, the TCP/IP model (four layers: Network Access, Internet, Transport, Application) is more commonly referenced in modern networking, but the OSI model remains the standard framework for understanding where different technologies operate.

OSI Layer Key Protocols/Technologies Devices
Layer 7 - Application HTTP, HTTPS, DNS, DHCP, FTP Application servers
Layer 4 - Transport TCP, UDP Firewalls
Layer 3 - Network IPv4, IPv6, OSPF, EIGRP Routers, L3 switches
Layer 2 - Data Link Ethernet, 802.11 WiFi, ARP Switches, WAPs
Layer 1 - Physical Copper (Cat5e/6/6a), fiber optic, wireless Cables, hubs, NICs

IPv4 Addressing and Subnetting

Subnetting is the single most tested skill on the CCNA. You must be able to:

  1. Calculate the number of hosts and subnets for a given subnet mask
  2. Determine the network address, broadcast address, and valid host range for any IP/mask combination
  3. Perform Variable Length Subnet Masking (VLSM) to efficiently allocate address space
  4. Convert between dotted decimal (255.255.255.0) and CIDR notation (/24)

Subnetting -- the process of dividing a large network into smaller, more manageable sub-networks (subnets), each identified by a unique network address and subnet mask.

For example, the network 192.168.1.0/24 contains 254 usable host addresses (256 minus network and broadcast). Subnetting it to /26 creates four subnets of 62 hosts each: 192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26, and 192.168.1.192/26.

IPv6 Fundamentals

The exam also tests IPv6, which uses 128-bit addresses written in hexadecimal. Key concepts include:

  • Global unicast addresses: The IPv6 equivalent of public IPv4 addresses (prefix 2000::/3)
  • Link-local addresses: Automatically assigned on every interface (prefix FE80::/10), used for local communication
  • SLAAC (Stateless Address Autoconfiguration): Allows devices to configure their own IPv6 addresses without a DHCP server
  • Dual-stack: Running IPv4 and IPv6 simultaneously on the same network, which is the most common transition strategy

Domain 2: Network Access (20%)

Ethernet Switching

Ethernet frame -- the data link layer protocol data unit that contains a destination MAC address, source MAC address, EtherType field, payload data, and Frame Check Sequence (FCS) for error detection.

Switches learn MAC addresses by examining the source MAC of incoming frames and recording them in the MAC address table. They then forward frames based on the destination MAC:

  • Known unicast: Forward to the specific port associated with the destination MAC
  • Unknown unicast: Flood to all ports except the source (the switch does not yet know where the destination is)
  • Broadcast: Flood to all ports except the source (destination MAC is FF:FF:FF:FF:FF:FF)

VLANs and Trunking

VLAN (Virtual Local Area Network) -- a logical segmentation of a physical switch into multiple broadcast domains, allowing devices on the same switch to be isolated as if they were on separate networks.

VLANs are configured on switches to separate traffic for security, performance, and management purposes. Key VLAN concepts for the exam:

  • Access ports carry traffic for a single VLAN
  • Trunk ports carry traffic for multiple VLANs using 802.1Q tagging
  • The native VLAN is the untagged VLAN on a trunk port (default: VLAN 1)
  • Inter-VLAN routing requires a Layer 3 device (router or L3 switch)
  • Router-on-a-stick: A configuration where a single router interface uses sub-interfaces to route between VLANs on a connected switch

Wireless Networking

The CCNA covers 802.11 wireless standards:

  • 802.11n (WiFi 4): 2.4 GHz and 5 GHz, up to 600 Mbps
  • 802.11ac (WiFi 5): 5 GHz only, up to 3.5 Gbps
  • 802.11ax (WiFi 6): 2.4 GHz and 5 GHz, up to 9.6 Gbps, with OFDMA and BSS Coloring for high-density environments

Cisco wireless architectures tested include autonomous APs (standalone), lightweight APs managed by a Wireless LAN Controller (WLC), and Cisco Meraki cloud-managed APs.

Domain 3: IP Connectivity (25%)

This is the highest-weighted domain and focuses on routing.

Static and Dynamic Routing

Routing -- the process of selecting a path across one or more networks for forwarding packets from source to destination, based on the destination IP address in the packet header.

  • Static routes: Manually configured paths. Appropriate for small networks or specific traffic engineering scenarios. Configured with the ip route command.
  • Default route: A catch-all route (0.0.0.0/0) that forwards packets when no more specific route exists.
  • Dynamic routing protocols: Automatically discover and maintain routes. The CCNA tests OSPF in detail and expects conceptual knowledge of EIGRP.

OSPF (Open Shortest Path First)

OSPF -- a link-state routing protocol that uses Dijkstra's Shortest Path First algorithm to calculate the best path to every destination network, standardized in RFC 2328 (OSPFv2) and RFC 5340 (OSPFv3 for IPv6).

Key OSPF concepts for the exam:

  1. OSPF routers form neighbor adjacencies by exchanging Hello packets on shared segments
  2. Each router builds a Link-State Database (LSDB) containing the topology of its area
  3. The SPF algorithm calculates the shortest path tree from the LSDB
  4. OSPF uses cost as its metric, calculated as reference bandwidth divided by interface bandwidth
  5. Multi-area OSPF uses Area 0 (backbone) as the central area, with all other areas connecting to it

First Hop Redundancy

  • HSRP (Hot Standby Router Protocol): Cisco proprietary protocol providing gateway redundancy. An active router handles traffic while a standby router takes over if the active router fails.
  • VRRP (Virtual Router Redundancy Protocol): Open standard equivalent of HSRP.

Domain 4: IP Services (10%)

DHCP and DNS

  • DHCP: Automatically assigns IP addresses, subnet masks, default gateways, and DNS servers to devices. The four-step DORA process: Discover, Offer, Request, Acknowledge.
  • DNS: Resolves hostnames to IP addresses. Understanding A records (IPv4), AAAA records (IPv6), CNAME records (aliases), and MX records (mail) is sufficient for the exam.

NAT (Network Address Translation)

NAT -- a technique that translates private IP addresses to public IP addresses (and vice versa) at the network boundary, enabling multiple internal devices to share a single public IP address.

  • Static NAT: One-to-one mapping of a private address to a public address
  • Dynamic NAT: Maps private addresses to a pool of public addresses on a first-come basis
  • PAT (Port Address Translation): Maps multiple private addresses to a single public address using different port numbers. This is the most common form and is sometimes called NAT overload.

NTP, SNMP, and Syslog

  • NTP (Network Time Protocol): Synchronizes clocks across network devices. Accurate timestamps are critical for log correlation and troubleshooting.
  • SNMP (Simple Network Management Protocol): Monitors and manages network devices. SNMPv3 adds authentication and encryption.
  • Syslog: Collects log messages from network devices for centralized monitoring and analysis.

Domain 5: Security Fundamentals (15%)

Access Control Lists (ACLs)

ACLs filter traffic based on source/destination IP addresses, protocols, and port numbers:

  • Standard ACLs (numbered 1-99): Filter based on source IP address only. Place close to the destination.
  • Extended ACLs (numbered 100-199): Filter based on source and destination IP, protocol, and port. Place close to the source.

Each ACL has an implicit deny any at the end, meaning any traffic not explicitly permitted is dropped.

Port Security and 802.1X

  • Port security: Limits the number of MAC addresses allowed on a switch port, preventing unauthorized devices from connecting
  • 802.1X: Network access control that requires authentication before granting network access. Uses a supplicant (client), authenticator (switch), and authentication server (RADIUS)
  • DHCP snooping: Prevents rogue DHCP servers from distributing incorrect IP configurations
  • Dynamic ARP Inspection: Validates ARP packets to prevent ARP spoofing attacks

VPN and Wireless Security

  • Site-to-site VPN: Connects two networks over an encrypted tunnel using IPsec
  • Remote access VPN: Allows individual users to connect to a corporate network securely
  • WPA2: Uses AES encryption with CCMP. Required minimum for enterprise wireless.
  • WPA3: Enhanced security with SAE (Simultaneous Authentication of Equals) replacing PSK

Kevin Wallace, a Cisco trainer and author of multiple Cisco Press titles, recommends that "security is where many CCNA candidates lose points unnecessarily. They focus all their study time on routing and switching and treat security as an afterthought. At 15% of the exam, security fundamentals can make or break your passing score."

Domain 6: Automation and Programmability (10%)

Network Automation Concepts

This domain was added in the 2020 CCNA revision and reflects the industry's shift toward programmable infrastructure.

  • REST APIs: The standard interface for programmatic interaction with network devices and controllers. Uses HTTP methods (GET, POST, PUT, DELETE) and returns data in JSON or XML format.
  • Cisco DNA Center: Cisco's intent-based networking controller for enterprise campus networks. Provides a REST API for automation.
  • Configuration management tools: Ansible, Puppet, and Chef are the three major platforms. Ansible is the most common for network automation because it is agentless and uses SSH to configure devices.

Software-Defined Networking (SDN) -- a network architecture approach that separates the control plane (decision-making about where traffic goes) from the data plane (actual forwarding of packets), enabling centralized, programmable network management.

JSON and Data Formats

The exam tests your ability to read and interpret JSON data structures, which are the standard output format for REST API calls to network devices. You should be able to identify key-value pairs, nested objects, and arrays in JSON output.

Infrastructure as Code and Intent-Based Networking

Intent-Based Networking (IBN) -- a networking approach where administrators define the desired state of the network (the "intent"), and automated systems translate that intent into device configurations, verify the outcome, and remediate any drift from the desired state.

Cisco DNA Center is the primary example of IBN that appears on the exam. Rather than configuring each switch and router individually, an administrator defines policies centrally (for example, "all IoT devices should be isolated in VLAN 100 with restricted internet access") and DNA Center pushes the necessary configurations to all affected devices.

The exam also tests the concept of controller-based versus traditional networking architectures. In traditional networking, each device makes independent forwarding decisions using its local control plane. In controller-based architectures like Cisco SD-WAN and Cisco ACI, a centralized controller manages the control plane for multiple devices, enabling consistent policy enforcement and simplified management at scale. Companies like Netflix and LinkedIn have adopted SDN architectures for their data center networks, using programmable infrastructure to manage the massive scale of their operations. Understanding this architectural shift from distributed to centralized control is essential for the automation domain and increasingly relevant in real-world network engineering roles.

Study Plan and Resources

Recommended Eight-Week Plan

  1. Weeks 1-2: Network Fundamentals. Master subnetting (practice until you can subnet in your head). Study the OSI model and TCP/IP protocols.
  2. Weeks 3-4: Network Access. Build labs with VLANs, trunking, and STP. Use Cisco Packet Tracer (free) or GNS3.
  3. Weeks 5-6: IP Connectivity and Services. Configure OSPF, static routes, DHCP, NAT. This is the highest-weighted domain.
  4. Weeks 7-8: Security and Automation. Study ACLs, port security, VPN concepts, REST APIs, and SDN. Take practice exams and review weak areas.

Essential Resources

  • CCNA 200-301 Official Cert Guide (Volumes 1 and 2) by Wendell Odom -- the definitive study reference published by Cisco Press
  • Cisco Packet Tracer: Free network simulation tool from Cisco. Essential for hands-on practice without physical hardware.
  • David Bombal's CCNA course on Udemy: Highly rated practical course with extensive lab exercises
  • Boson ExSim practice exams: Widely considered the closest simulation of the actual exam experience
  • Subnetting.net: Free subnetting practice drills that build speed and accuracy

Jeremy Cioara, a Cisco instructor whose training videos have been viewed millions of times, advises that "the CCNA requires about 200-300 hours of study for someone with basic IT knowledge. The biggest mistake candidates make is reading without labbing. You must configure devices, break things, and troubleshoot your way out. That is how networking knowledge becomes permanent."

Exam Registration and Logistics

Register for the CCNA exam through Pearson VUE, Cisco's authorized testing partner. You can take the exam at a physical testing center or through Pearson VUE's OnVUE online proctoring service from your home. If you choose online proctoring, ensure your workspace meets their requirements: a clean desk, no secondary monitors, a working webcam and microphone, and a stable internet connection. The exam costs $330 USD, and Cisco does not offer retake vouchers, so thorough preparation before scheduling is essential.

See also: CCNP Enterprise certification path, Network engineering career roadmap, CompTIA Network+ vs CCNA comparison

References

  1. Cisco. "CCNA Exam Topics: 200-301." Cisco Learning Network, 2025.
  2. Odom, Wendell. CCNA 200-301 Official Cert Guide, Volumes 1 and 2. Cisco Press, 2024.
  3. Global Knowledge. "IT Skills and Salary Report 2024." Global Knowledge Training, 2024.
  4. Cisco. "Cisco Certifications Program Overview." Cisco Certifications, 2025.
  5. Wallace, Kevin. CCNA 200-301 Portable Command Guide. Cisco Press, 2020.
  6. Lammle, Todd. CCNA Certification Study Guide. Sybex/Wiley, 2024.

Tags

CCNA Cisco networking certification study guide

Frequently Asked Questions

How long does it take to study for the CCNA 200-301?

Most candidates need 200-300 hours of study over 8-12 weeks. This includes reading the official cert guide, hands-on lab practice with Cisco Packet Tracer or GNS3, and practice exams. Prior networking experience can reduce this timeline.

What is the passing score for CCNA 200-301?

Cisco does not publish the exact passing score, but it is approximately 825 out of 1000. The exam contains 100-120 questions and has a 120-minute time limit. Questions include multiple choice, drag-and-drop, and simulation-based items.

Is CCNA still worth it in 2025?

Yes, CCNA remains the most recognized networking certification globally. It validates skills in networking, security, and automation that are essential for network engineer, systems administrator, and cloud infrastructure roles. Certified professionals earn a median salary premium over non-certified peers.

Share this article

Continue Reading