CCNA® 200-301
Cisco's foundational networking certification. Aligned to the official 200-301 exam blueprint. Each topic page: TL;DR · mental model · topology · commands · verification · common mistakes · lab · cheat strip.
Mapped to the official Cisco 200-301 v1.1 blueprint.
Cisco's exam blueprint defines six weighted domains. Our library covers every one — these are the same buckets Cisco grades you on. The table below maps our categories to the official domains.
| Official Cisco 200-301 domain | Our library categories | Topics |
|---|---|---|
| 1.0 Network Fundamentals | Network Fundamentals + Device Operations | 13 + 5 |
| 2.0 Network Access | Network Access + Wireless | 12 + 6 |
| 3.0 IP Connectivity | IP Connectivity | 10 |
| 4.0 IP Services | IP Services | 11 |
| 5.0 Security Fundamentals | Security Fundamentals | 10 |
| 6.0 Automation & Programmability | Automation & Programmability | 7 |
Cisco®, CCNA® and 200-301 are trademarks of Cisco Systems, Inc. PacketMentor is independent and not affiliated with Cisco. Weights are from the official Cisco 200-301 v1.1 blueprint.
Network Fundamentals
OSI Model & TCP/IP
Two networking reference models compared side-by-side. The seven OSI layers, the four TCP/IP layers, and which one the real internet actually runs on (spoiler: not OSI).
IPv4 Addressing
32-bit addresses, dotted decimal, classful vs classless, private ranges, and the special addresses (loopback, broadcast, APIPA) you should never accidentally use for production hosts.
TCP vs UDP
Two flavors of Layer 4 transport. TCP gives reliability and order at the cost of latency; UDP gives speed with no safety net. Covers the 3-way handshake, ports, when to use each, and the protocols that pick the wrong one.
Subnetting
Definitive CCNA-level subnetting guide — magic-number method, VLSM, wildcard masks, enterprise IP plans, 8 worked practice problems, and the subnetting-at-the-speed-of-conversation drill.
IPv6 Basics
128-bit addresses, hex notation, the :: shortcut, address types (global, link-local, multicast), SLAAC, and why IPv6 is finally happening 25 years after it was supposed to.
ARP — Address Resolution Protocol
How a host turns an IP address into the MAC address it needs to actually deliver a frame. Broadcast question, unicast answer, cached for hours. Also covers Gratuitous ARP, Proxy ARP, and the ARP spoofing attack.
ICMP — Internet Control Message Protocol
The network's diagnostic channel. Covers echo / reply (ping), destination unreachable, TTL exceeded (traceroute), and the security trade-offs of blocking ICMP at the firewall.
TCP 3-Way Handshake
The three packets every TCP connection starts with — SYN, SYN-ACK, ACK. Covers sequence numbers, the half-open state, SYN floods, and why HTTPS connections feel slower than they should over high-latency links.
Cabling & Media Standards
What's actually inside the cables and fiber you're plugging in — Cat5e/6/6A/8, single-mode vs multi-mode fiber, transceivers (SFP/SFP+/QSFP), distance and bandwidth limits, when to use what.
MTU & Fragmentation
Why packets get fragmented or dropped on links with smaller MTU than expected. Covers MTU vs MSS, the Don't-Fragment bit, ICMP 'Fragmentation Needed,' Path MTU Discovery, and why blocking ICMP breaks the internet.
WAN Connection Types
The connection types you'll actually meet at branch sites — leased lines, Metro Ethernet, MPLS L3VPN, broadband (cable / DSL / FTTH), wireless (LTE/5G), and how SD-WAN ties them together.
Hierarchical Network Design
Cisco's three-tier model — Access, Distribution, Core — and the design principles that have built every campus network for 25 years. When to collapse the core, where to put redundancy, and why hierarchical design beats flat networks every time.
Network Virtualization & Containers
Hypervisors, virtual machines, virtual switches, containers, container networking — how server virtualization changed networking and what a CCNA candidate must understand.
Device Operations
Cisco IOS Device Management
How you actually log into and configure a Cisco device. Covers console / SSH / Telnet access, command modes (user / privileged / config), saving config, banners, the password types, and modern best practices for line security.
Power over Ethernet (PoE)
How a switch port also powers a phone, AP, or camera over the same Ethernet cable. PoE standards (802.3af / at / bt), power classes, detection sequence, budgets, and the troubleshooting questions you'll actually ask.
Cisco IOS File System
Where Cisco IOS stores configs, images, and logs — flash:, nvram:, system:, tftp:. Covers copy syntax, image management, boot variables, and the file-system commands you actually use day-to-day.
Password Recovery & Configuration Register
How to recover access to a Cisco router or switch when you've lost the enable password. Covers the configuration register, ROMMON, the standard CCNA recovery procedure, and the security implications of physical access.
Network Troubleshooting Methodology
How seasoned engineers actually approach unknown problems — OSI bottom-up vs top-down vs divide-and-conquer, the questions that come before commands, and the seven-step Cisco methodology.
Network Access
MAC Address Table
How a switch learns where every device is and decides where to forward each frame. Covers source-MAC learning, destination-MAC lookup, unknown-unicast flooding, and the CAM table on Cisco switches.
VLANs
Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.
Trunks & 802.1Q Tagging
How switches carry multiple VLANs over a single link using 802.1Q tags. Includes DTP behavior, native VLAN gotchas, and the allowed-VLAN list.
Spanning Tree Protocol (STP)
Definitive CCNA-level STP guide — why loops are catastrophic, bridge ID + priority election, three port roles, five port states, BPDU anatomy, PortFast + BPDU Guard + Root Guard + Loop Guard, RSTP convergence, MSTP overview, and 8 worked scenarios.
EtherChannel (Link Aggregation)
Bundle multiple physical links between two switches into one logical Port-Channel — more bandwidth, instant failover, and STP sees it as a single link. Covers LACP, PAgP, static, and load-balancing methods.
Switching Operation
How a switch actually decides where to forward each frame. Covers source-MAC learning, destination-MAC lookup, the three outcomes (forward / flood / drop), and store-and-forward vs cut-through.
CDP & LLDP — Neighbor Discovery
How devices learn about their directly-connected neighbors. CDP is Cisco-proprietary; LLDP is the vendor-neutral standard. Both shout the same info: who I am, what model, what IOS, what port — invaluable for troubleshooting.
BPDU Guard & Root Guard
Two Spanning Tree security features that protect your STP topology from misconfiguration and rogue switches. BPDU Guard locks user-facing ports; Root Guard pins the root bridge so a misplaced switch can't hijack it.
Catalyst Boot Process
What happens between powering on a Cisco device and the prompt appearing. Covers POST, ROMMON, IOS image selection, config register, boot variables, and password recovery.
VTP — VLAN Trunking Protocol
Cisco's protocol for sharing VLAN config across switches in the same VTP domain. Powerful, dangerous, and the reason every CCNA engineer learns the value of `vtp mode transparent`.
Rapid STP & MSTP
Why classic 802.1D STP's 50-second convergence is unacceptable in 2026, and how RSTP and MSTP fix it — port roles, port states, sync mechanism, MST regions and instances.
Private VLANs (PVLAN)
How Private VLANs add a second layer of isolation inside one Layer-3 subnet — primary + secondary VLANs, isolated vs community vs promiscuous ports, and real-world use cases (hotels, MDU, hosting).
Wireless
Wireless LAN Basics
Definitive CCNA-level Wi-Fi fundamentals — SSID / BSS / ESS / BSSID terminology, autonomous vs lightweight APs, CAPWAP tunnel anatomy, WLC discovery (DHCP option 43 + DNS), Wi-Fi standards generations, security (WPA / WPA2 / WPA3), roaming, and 7 worked scenarios.
WLAN Architectures — Autonomous, Centralized (WLC), Cloud, Embedded
Definitive CCNA-level WLAN architecture guide — autonomous vs centralized vs cloud-managed vs embedded WLC, split-MAC duty division, CAPWAP tunnel, AP modes (Local / FlexConnect / Bridge), WLC discovery, redundancy / N+1 / SSO, when each architecture fits.
Wi-Fi Security — WEP, WPA, WPA2, WPA3
Twenty-five years of wireless security in one page. Why WEP is broken, why WPA is a stop-gap, why WPA2 ruled for two decades, and what WPA3 actually fixes.
Wi-Fi 6, 6E, and 7 Features
What changed in 802.11ax (Wi-Fi 6), 6 GHz extension (6E), and 802.11be (Wi-Fi 7) — OFDMA, MU-MIMO, target wake time, 6 GHz spectrum, MLO, and what each one actually means for users.
Wireless RF Fundamentals
How Wi-Fi actually moves bits through the air — channels, bands, SNR, RSSI, free-space path loss, antenna patterns, and why your laptop disconnects in the conference room corner.
Access Point Operating Modes
Cisco AP modes explained — Local, FlexConnect, Bridge / Mesh, Monitor, Sniffer, SE-Connect, Rogue Detector. When each is the right choice in real enterprise Wi-Fi deployments.
IP Connectivity
Inter-VLAN Routing
How devices in different VLANs talk to each other. Covers router-on-a-stick (with sub-interfaces), Layer-3 switch SVIs, and when to pick each.
Static Routing
Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.
Default Routing
The catch-all route every edge router needs. Covers static defaults, dynamic defaults (originated by OSPF/EIGRP/BGP), gateway of last resort, and the difference between a default and a summary route.
Routing Decision Process
How a router actually decides where to forward a packet. Longest prefix match, administrative distance, and metric — in that order. Covers why a /30 static beats a /16 OSPF even though OSPF is the better protocol.
FHRP — HSRP, VRRP & GLBP
First-hop redundancy protocols. How two routers share one virtual IP so hosts don't notice when their default gateway fails. Covers HSRP states, election, preemption, and the GLBP load-balancing twist.
Layer-3 Switch & SVI Routing
How a Layer-3 switch routes between VLANs at line rate using SVIs (Switched Virtual Interfaces) — the modern replacement for router-on-a-stick in any campus network.
OSPF Single-Area
Definitive CCNA-level OSPF guide — link-state mental model, seven neighbor states, LSA types, DR/BDR election, cost tuning, authentication, route summarization, common debug patterns, and 8 worked scenarios.
Route Summarization
Why aggregating many specific routes into one shorter prefix shrinks route tables, speeds convergence, and limits the blast radius of a flapping link. Covers manual, OSPF, and EIGRP summarization.
IPv6 SLAAC & DHCPv6
Two ways an IPv6 host gets an address. SLAAC has hosts auto-generate from a router-advertised prefix. DHCPv6 mirrors IPv4 DHCP. Covers RA/RS messages, EUI-64, privacy addresses, and stateful vs stateless DHCPv6.
IPv6 Transition Mechanisms
How networks bridge the IPv4 → IPv6 gap — dual-stack, tunneling (6to4, 6in4, GRE), NAT64 / DNS64, and the realistic 2026 migration patterns.
IP Services
HSRP vs VRRP vs GLBP — FHRP Compared
Side-by-side of the three First Hop Redundancy Protocols on Cisco gear. When HSRP wins, why VRRP is the open standard, how GLBP load-balances across multiple actives, and which to pick in 2026.
DHCP — Dynamic Host Configuration Protocol
Definitive CCNA-level DHCP guide — the DORA exchange step-by-step, packet anatomy, DHCP options table, lease renewal timing (T1/T2), Cisco IOS server + relay config, DHCPv6 brief, DHCP Snooping security, 8 worked scenarios, and the DHCP debug workflow.
NAT & PAT
Definitive CCNA-level NAT guide — static NAT, dynamic NAT, PAT/overload, the four inside/outside terms, port forwarding, CGNAT, NAT64 brief, hairpin NAT, translation table limits, 8 worked scenarios, and the NAT debug workflow.
DNS — Domain Name System
How www.example.com becomes an IP address. Covers the recursive query path (root → TLD → authoritative), record types (A, AAAA, CNAME, MX, PTR), TTL caching, and the most common DNS failure modes.
NTP — Network Time Protocol
How every device on the network ends up with the same clock. Covers stratum hierarchy, client and server config, authentication, and why broken NTP makes log correlation a nightmare.
Syslog
Send every device's log messages to a central server. Covers severity levels (0-7), facilities, message format, where to send logs (local buffer / console / monitor / server), and the eternal question of how much logging is too much.
QoS Basics
How routers and switches handle congestion — classifying packets, marking them with DSCP, queueing by priority, and shaping/policing traffic. Why VoIP and video deserve special treatment over file downloads.
SNMP — Simple Network Management Protocol
How monitoring systems pull metrics and receive alerts from network devices. Covers SNMPv1/v2c/v3, community strings, traps vs informs, MIB / OID navigation, and why SNMPv3 is the only one acceptable in 2026.
IGMP & IGMP Snooping
How hosts join multicast groups (IGMP) and how a switch learns which ports actually want multicast traffic (snooping) — so it stops blasting video streams out every port.
NTP Authentication & Security
How to harden NTP — authentication keys, peer/client/server roles done right, ACL restrictions, and why a bad clock breaks Kerberos, TLS, logs, and forensics.
DHCP Relay & IP Helper
How `ip helper-address` forwards DHCP DISCOVER broadcasts across Layer 3 boundaries so one DHCP server can serve many VLANs. Includes Option 82, the GIADDR field, and the relay troubleshooting flow.
Security Fundamentals
Access Control Lists (ACLs)
Definitive CCNA-level ACL guide — first-match-wins, implicit deny, wildcard masks, standard vs extended vs named, direction (in vs out), the established keyword, time-based ACLs, named-ACL editing, 9 worked scenarios, and the ACL debug workflow.
Port Security
Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.
DHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
AAA · RADIUS & TACACS+
Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.
802.1X — Port-Based Network Access Control
Lock every switch port until the connected device proves identity. Covers the supplicant / authenticator / auth server roles, EAPOL on the wire, and how 802.1X plugs into RADIUS for enterprise Wi-Fi and wired auth.
VPN Basics — IPsec & SSL
How two separated networks (or one user and a network) can talk privately over the public internet. Covers site-to-site IPsec, remote-access SSL/TLS VPNs, IKE phases, and what 'tunnel' actually means.
Dynamic ARP Inspection (DAI)
The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.
IP Source Guard (IPSG)
The fourth Layer-2 security feature. Validates the source IP of every IP packet against the DHCP Snooping binding table — blocking IP spoofing attacks at the access port.
Encryption Fundamentals
The cryptography networking engineers must understand — symmetric vs asymmetric, hashing, digital signatures, certificates, and where each is used in IPsec, TLS, SSH, and 802.1X.
Cybersecurity Threats & Mitigation
The threat landscape every network engineer must recognize — phishing, ransomware, MITM, DDoS, supply-chain attacks, insider threats — and the mitigation controls that actually move the needle.
Automation & Programmability
REST APIs for Network Engineers
Modern Cisco devices expose REST APIs so you can configure them with HTTP requests and JSON instead of SSH and screen-scraping. Covers verbs (GET/POST/PUT/DELETE), authentication, data formats, and where REST fits in network automation.
Ansible for Network Engineers
Push configuration to dozens of Cisco devices from one YAML playbook. Covers inventory, modules, idempotency, and why Ansible became the default automation tool for network teams who don't want to write a custom Python script for every change.
JSON, YAML & XML for Network Engineers
The three data formats you'll meet doing network automation. JSON for APIs, YAML for configs/playbooks, XML for legacy and NETCONF. Same data, three syntaxes, different ergonomics.
NETCONF & YANG
The structured-data alternative to SSH-and-screen-scrape. Covers how NETCONF moves XML configs over SSH, what YANG models are, and where they fit alongside REST APIs in modern network automation.
Python for Network Engineers
Why Python is the de-facto language for network automation, plus the four libraries you'll actually use — Netmiko (SSH), NAPALM (vendor-agnostic), Nornir (parallel runner), and requests (REST APIs).
SDN & Controller-Based Networking
Software-Defined Networking explained. Why control plane and data plane were separated, what a network controller actually does, and where Cisco DNA Center, ACI, and Meraki fit in the landscape.
AI & ML in Network Operations
Where machine learning actually shows up in networks today — anomaly detection, predictive maintenance, generative AI assistants, and the difference between marketing AI and the real thing.