Cisco CCNA Practice Test (200-301)
Cisco Certified Network Associate
Use the form below to configure your Cisco CCNA Practice Test (200-301). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

Cisco CCNA 200-301 Information
The Cisco Certified Network Associate (CCNA) certification is one of the most recognized credentials in the networking industry. It is designed to validate foundational knowledge and skills in networking, which are essential for IT professionals working with Cisco systems. The CCNA exam, identified as 200-301, covers a wide range of networking topics and prepares individuals for roles such as network administrator, network engineer, and help desk technician.
The CCNA certification focuses on essential networking concepts like IP connectivity, IP services, network fundamentals, security, and automation. Additionally, it introduces key aspects of programmability and automation that reflect the growing importance of these technologies in modern network environments. Candidates for the CCNA exam should ideally have some practical networking experience, although formal prerequisites are not required. Cisco recommends having a year of experience in implementing and administering Cisco solutions, which helps candidates grasp the topics covered in the exam more effectively. You can explore the certification in more detail on the official CCNA page from Cisco.
The exam is available in multiple languages, including English and Japanese, ensuring global accessibility. With a duration of 120 minutes, candidates will face approximately 100-120 questions, covering a range of topics from networking fundamentals to security and automation. The format includes multiple-choice questions, drag-and-drop exercises, and simulations, which test both theoretical understanding and practical skills. The passing score typically falls between 800 and 850 out of a maximum of 1,000 points, although the exact score required to pass may vary depending on the version of the exam and its difficulty level at the time.
Preparation for the CCNA requires comprehensive study due to the breadth of topics covered in the exam. Cisco offers official study materials and practice exams, and there are various online platforms that provide training courses and hands-on labs. Cisco's own training resources and career path guide, available in the Cisco Career Path PDF, provide detailed information on the skills needed and the certification roadmap.
The CCNA certification is part of Cisco's career certifications program, which offers a clear progression for those looking to advance their networking skills. After obtaining the CCNA, professionals can pursue more specialized certifications, such as Cisco Certified Network Professional (CCNP), which delve deeper into specific technologies and job roles.
Maintaining a CCNA certification requires renewal every three years. This can be achieved by retaking the current version of the exam or advancing to a higher-level Cisco certification. As networking technology continues to evolve, staying certified ensures that professionals remain up-to-date with the latest trends and best practices.
The CCNA is an essential stepping stone for anyone looking to build a career in networking. It opens doors to various job opportunities and serves as a foundation for further specialization. Cisco remains a dominant player in the networking field, and its certifications are respected worldwide, making the CCNA a valuable credential for professionals seeking to validate their skills and enhance their career prospects. More information can be found directly on Cisco's official certifications page.
Free Cisco CCNA 200-301 Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 20
- Time: Unlimited
- Included Topics:Network FundamentalsNetwork AccessIP ConnectivityIP ServicesSecurity FundamentalsAutomation and Programmability
A network administrator needs to prevent hosts in the 192.168.10.0/24 network from initiating Telnet sessions to a remote server with IP address 10.1.1.1, while allowing all other traffic. Which access control list configuration achieves this requirement?
An access-list 101 entry matching TCP traffic from 192.168.10.0/24 to host 10.1.1.1 on port 80
An access-list 101 entry matching TCP traffic from host 10.1.1.1 to 192.168.10.0/24 on port 23
An access-list 101 entry matching TCP traffic from 192.168.10.0/24 to host 10.1.1.1 on port 23
An access-list 101 entry matching UDP traffic from 192.168.10.0/24 to host 10.1.1.1 on port 23
Answer Description
The correct configuration is the access-list entry that matches TCP traffic from the 192.168.10.0/24 network to host 10.1.1.1 on port 23. This entry specifically targets Telnet traffic (which uses TCP port 23) from the specified source network to the destination host. By matching this traffic, the administrator can effectively prevent Telnet sessions without affecting other services. The other options either have incorrect source and destination parameters, incorrect protocols, or target the wrong port, and therefore would not achieve the intended restriction.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an access control list (ACL) in networking?
Why does Telnet use TCP port 23, and how does that affect ACL configuration?
What happens if the ACL rule sequence is incorrect?
What command enables port security on an interface?
switchport port-security
Answer Description
Port security restricts the devices that can connect to a port based on their MAC addresses, enhancing network security.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is port security used for?
How does the switch enforce port security using MAC addresses?
Can port security be configured to allow multiple devices on one port?
What command enables an interface?
no shutdown
no shut
Answer Description
By default, Cisco interfaces are administratively down. no shutdown
activates the interface for network communication.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why are Cisco interfaces administratively down by default?
Are there any differences between 'no shutdown' and 'no shut'?
How can I verify if an interface is administratively down or up?
In an 802.1D Spanning Tree Protocol (STP) topology, which characteristic is evaluated first to determine which switch becomes the root bridge for a given VLAN?
Highest MAC address
Highest bridge-priority value
Lowest bridge-priority value
Lowest port ID
Answer Description
STP uses each switch's Bridge ID (BID) to elect the root bridge. The BID combines a 16-bit bridge-priority value with the switch's MAC address. The switch with the lowest numerical bridge-priority value wins the election. Only if two or more switches share the same priority does STP compare their MAC addresses, selecting the switch with the lowest MAC as the root. Therefore, the lowest bridge-priority value is the primary deciding factor, while the other attributes serve only as tiebreakers.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Bridge ID (BID) in STP?
Why does STP compare MAC addresses only after the bridge priority?
Can the bridge-priority value in STP be changed, and if so, why?
In the following routing table entry, which value specifies the destination network and subnet mask?
"O 192.168.10.0/24 [110/2] via 10.0.0.2, 00:00:22, Serial0/0/0"
192.168.10.0/24
110/2
Serial0/0/0
10.0.0.2
Answer Description
The value "192.168.10.0/24" represents the destination network and subnet mask in CIDR notation. This specifies the network to which packets are destined, known as the 'Prefix' in the routing table. Identifying the correct prefix is essential for routing decisions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does CIDR notation in '192.168.10.0/24' mean?
Why is '192.168.10.0/24' referred to as the destination network in the routing table?
What is the significance of the 'Prefix' in routing decisions?
In a controller-based networking architecture, which type of API enables the controller to communicate with and manage the underlying network devices?
Southbound APIs
Configuration APIs
Northbound APIs
Management APIs
Answer Description
Southbound APIs enable the controller to communicate with and control the underlying network devices. They are responsible for translating the controller's instructions into configurations and policies that the devices can implement, effectively bridging the control plane and the data plane. Northbound APIs, in contrast, allow applications and services to interact with the controller to program the network, not directly with the devices. Options like 'Management APIs' and 'Configuration APIs' are generic terms and do not specifically describe the standardized interfaces used in controller-based architectures.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Southbound APIs and how do they function?
What is the difference between Southbound and Northbound APIs?
How do Southbound APIs use protocols like OpenFlow and NETCONF?
A network administrator notices that a switch is flooding frames out of all ports except the source port when trying to reach a specific device. What is the most likely cause of this behavior?
The switch is experiencing a broadcast storm due to network loops.
The switch does not have the destination MAC address in its MAC address table.
A hardware failure in the switch is causing improper frame forwarding.
The switch's MAC address table is full and cannot store new addresses.
Answer Description
When a switch receives a frame with a destination MAC address that is not in its MAC address table, it floods the frame out of all other ports to locate the destination device. This is standard behavior for switch learning. Other options like a full MAC address table or hardware failure could cause issues, but they would typically result in dropped frames or system errors rather than frame flooding.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does a switch flood frames when it doesn't recognize the destination MAC address?
How does a switch populate its MAC address table?
What happens if a switch's MAC address table becomes full?
By default, which criterion does a router use first when selecting a route to forward a packet?
It selects the route with the longest matching prefix.
It prefers the route with the lowest metric.
It chooses the route with the lowest administrative distance.
It forwards packets based on the oldest route in the table.
Answer Description
Routers use the longest prefix match when selecting a route to forward a packet. This means the router looks for the most specific route that matches the destination IP address. If multiple routes are available, the one with the longest network prefix (most matching bits) is chosen. Administrative distance and routing protocol metrics are considered only if multiple routes have the same prefix length.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'longest prefix match' mean in routing?
When does administrative distance matter in route selection?
What role does a routing metric play in route selection?
An enterprise network is experiencing difficulties with the manual configuration and management of a large number of network devices, leading to increased operational costs and complexity. The network engineer is considering adopting a controller-based networking model to address these issues. What is a fundamental difference between traditional and controller-based networks that could help solve this problem?
Controller-based networks require manual configuration of each device, increasing operational workload.
In traditional networks, the control plane and data plane are always separated on different devices to simplify management.
Traditional networks use centralized controllers to automate network device management.
Controller-based networks centralize management, enabling automated configuration of multiple devices simultaneously.
Answer Description
Controller-based networks centralize network management by using a central controller that communicates with all network devices. This centralization allows for unified and automated configuration, policy enforcement, and management across the network, significantly reducing the need for manual configuration of individual devices. In contrast, traditional networks typically require network administrators to configure and manage each device separately, which can be time-consuming and error-prone, especially in large networks. By adopting a controller-based model, the enterprise can streamline network operations and reduce complexity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to centralize network management in controller-based networks?
What are the control plane and data plane, and how are they different in traditional and controller-based networks?
What technologies or protocols are commonly used in controller-based networks?
Which Cisco access point mode allows an AP to continue switching client data traffic locally even after it loses connectivity to its wireless LAN controller?
Monitor mode
FlexConnect (H-REAP)
Sniffer mode
Local mode
Answer Description
FlexConnect mode (formerly H-REAP) supports local switching. If the WAN link to the controller fails, a FlexConnect AP enters standalone mode and locally bridges client traffic, so wireless users remain connected. Other modes such as Local, Monitor, and Sniffer shut down client data services when the controller connection is lost.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FlexConnect mode in Cisco access points?
What happens in Local mode when the connection to the WLC is lost?
How does Monitor mode function differently from FlexConnect mode?
What type of secure connection allows individual users to access a private network over the internet as if they were directly connected?
Extranet tunneling
Site-to-site VPN
Remote access VPN
Virtual private LAN service
Answer Description
Remote access VPNs enable individual users to establish secure connections to a private network over the internet. This allows them to access network resources remotely, just like being directly connected to the network. Site-to-site VPNs, on the other hand, link entire networks at different locations, facilitating network-to-network communication.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does a Remote Access VPN work?
What is the difference between a Remote Access VPN and a Site-to-Site VPN?
What are the key security protocols used in Remote Access VPNs?
A company discovers that one of its applications has a security weakness, which could allow an attacker to perform SQL injection attacks. In terms of security concepts, how would this security weakness be classified?
A mitigation
A threat
An exploit
A vulnerability
Answer Description
Answer Description:
A vulnerability is a flaw or weakness in a system's design, implementation, or operation that could be exploited to violate the system's security policy. In this scenario, the security weakness that allows for SQL injection attacks is considered a vulnerability. A threat is anything that has the potential to cause harm to a system. An exploit is the method or technique used to take advantage of a vulnerability. Mitigation refers to the steps taken to reduce the risk associated with vulnerabilities and threats. Understanding these distinctions helps in effectively securing network resources.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SQL injection?
How is a vulnerability different from a threat?
What are common mitigations for SQL injection vulnerabilities?
Which wireless security protocol enhances security by introducing measures to protect against brute-force attacks and ensures forward secrecy?
WPA3
WPA2
WPA
Answer Description
WPA3 is the wireless security protocol that introduces new features to protect against brute-force dictionary attacks and provides forward secrecy. It replaces the Pre-shared Key (PSK) authentication method with Simultaneous Authentication of Equals (SAE), which is more secure. WPA2, although more secure than WPA, still uses PSK and lacks the additional protections introduced in WPA3. WPA is older and has known security vulnerabilities.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is forward secrecy in WPA3?
How does Simultaneous Authentication of Equals (SAE) work in improving security?
What distinguishes WPA3 from WPA2 in terms of brute-force attack prevention?
Which IEEE standard enables the transmission of multiple VLANs across a single Ethernet link between switches?
ISL
802.1X
802.3ad
802.1Q
Answer Description
802.1Q is the IEEE standard that defines the method for frame tagging to support VLANs over trunk links between network devices. It inserts a VLAN tag into the Ethernet frame header, allowing switches to identify which VLAN a frame belongs to, thereby permitting multiple VLANs to share a single physical link.
ISL (Inter-Switch Link) is a Cisco proprietary protocol for VLAN tagging but is no longer widely used. 802.1X is a standard for port-based Network Access Control (NAC) and deals with authentication, not VLAN tagging. 802.3ad refers to link aggregation for combining multiple physical links into one logical link, but it does not handle VLAN tagging.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is VLAN tagging in 802.1Q?
How does 802.1Q differ from ISL?
What is the purpose of the native VLAN in 802.1Q?
In software-defined networking, which component is responsible for providing the actual physical pathways that data packets traverse across network devices?
Underlay network
Control plane
Orchestration layer
Overlay network
Answer Description
The underlay network is the physical infrastructure consisting of the actual routers, switches, and links that carry data packets. It provides the physical pathways for data transmission. The overlay network, on the other hand, is a virtual network built on top of the underlay network, enabling network virtualization and abstraction. The control plane manages network policies and decisions but does not provide physical pathways. The orchestration layer handles the coordination of network resources, not the physical data transmission.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between the underlay and overlay networks?
What role does the control plane play in networking?
How does the orchestration layer differ from the control plane in SDN?
As a network engineer, you receive the following JSON data from a device:
{ "hostname": "Router1", "enabled": true, "interfaces": null, "mtu": 1500 }
Which JSON data type is associated with the value of "enabled"?
Boolean
String
Null
Number
Answer Description
The value of "enabled" is true, which is a Boolean data type in JSON. Booleans in JSON represent logical true or false values. The other options are incorrect: "true" in quotes would be a String, null represents the absence of a value, and 1500 is a Number.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Boolean data type in JSON?
How is a Boolean data type different from a String in JSON?
What does the 'null' data type represent in JSON?
Which wireless security protocol offers the highest level of security by implementing stronger encryption and authentication methods compared to its predecessors?
WPA3
WPA2
WEP
WPA
Answer Description
WPA3 provides the highest level of security among the listed protocols by introducing stronger encryption algorithms and improved authentication methods, such as Simultaneous Authentication of Equals (SAE). WPA2, while still widely used, does not include these enhancements. WPA and WEP are older protocols with known vulnerabilities.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What makes WPA3 more secure than WPA2?
What is Simultaneous Authentication of Equals (SAE) in WPA3?
Why are WPA and WEP considered vulnerable compared to WPA3?
Which protocol is most suitable for applications that require minimal latency, where occasional packet loss is acceptable, such as live video streaming?
FTP
SMTP
UDP
TCP
Answer Description
UDP (User Datagram Protocol) is the correct choice for applications like live video streaming where speed is critical, and some data loss can be tolerated. UDP does not establish a connection or provide reliable data delivery, which reduces overhead and latency.
In contrast, TCP (Transmission Control Protocol) provides reliable data delivery with error checking and retransmission but introduces more overhead and latency, making it less suitable for live streaming. SMTP (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol) are application layer protocols used for email transmission and file transfers, respectively, and are not suitable for streaming applications.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does UDP not provide reliable data delivery?
How does TCP ensure reliable data delivery?
What are other examples of applications that use UDP?
Which type of cabling is best suited for transmitting data over the longest distances in a network due to its low signal attenuation and high bandwidth capacity?
Copper twisted pair cable
Coaxial cable
Multimode fiber
Single-mode fiber
Answer Description
Single-mode fiber is ideal for long-distance data transmission because it uses a single light path, minimizing signal attenuation and allowing for higher bandwidth over extended distances. Multimode fiber, while also a fiber optic medium, experiences modal dispersion, which limits its effective transmission distance. Copper cables, such as twisted pair and coaxial, are prone to higher attenuation and electromagnetic interference, making them less suitable for long-distance applications.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does single-mode fiber experience less signal attenuation compared to other cabling types?
What is modal dispersion, and why does it affect multimode fiber's transmission distance?
Why are copper cables less suitable for long-distance data transmission compared to fiber optic cables?
An enterprise has been allocated a range of public addresses by its ISP and wants its internal hosts to access the Internet using these addresses. The network administrator prefers not to manually create one-to-one mappings for each internal host but wants the router to assign any available public address from the assigned range when internal hosts initiate connections. Which configuration should the administrator implement on the router?
Set up outside source translation
Implement Port Address Translation (PAT) using a single public address
Configure dynamic inside source translation using an address pool
Configure static inside source translation for each host
Answer Description
Configuring dynamic inside source translation using an address pool allows internal hosts to access external networks by dynamically mapping their private addresses to a pool of public addresses. This way, when an internal host initiates a connection, the router assigns an available public address from the pool without manual configuration for each host. Static inside source translation requires manual one-to-one mapping between private and public addresses, which the administrator wants to avoid. Port Address Translation (PAT) allows multiple internal hosts to share a single public address, which is unnecessary when multiple public addresses are available. Outside source translation is used for translating external addresses to internal addresses, which does not meet the requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is dynamic inside source translation?
How does an address pool work in NAT?
What is the difference between dynamic NAT and Port Address Translation (PAT)?
That's It!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.