
CCNA 200-301 Study Guide and Roadmap

The CCNA 200-301 is a single exam that certifies you can install, configure, and troubleshoot a small enterprise network, and this study guide breaks down exactly what it tests and the order to learn it in. Cisco organizes the exam into six domains, each carrying a fixed share of your score, so knowing those weights tells you where to spend your study hours. The biggest mistake candidates make is studying in domain-number order and running out of time before the heaviest scoring blocks. This roadmap fixes that: it maps every domain to its weight, sequences the topics by what depends on what, and points you to a hands-on lab and a tutorial for each one. Everything below is mapped to the current 200-301 v1.1 blueprint (effective August 2024) and was checked against Cisco’s official exam topics in June 2026.

Original content from computingforgeeks.com - post 148972

What the CCNA 200-301 exam actually tests

The exam is 120 minutes, delivered at a Pearson VUE test center or via online proctoring, and costs 300 USD plus any local taxes. You answer the questions in a mix of formats: single-answer multiple choice, multiple-answer multiple choice, drag-and-drop, and the two that carry the most weight per item, simulations and simlets (a small live IOS topology you must configure or read). Cisco does not publish the passing score or the exact question count, and the score is scaled, but community data has long put the threshold near 825 out of 1000 and the count in the region of 100 questions. You cannot go back to a question once you submit it, so pace yourself.

Six domains make up the blueprint. Their weights are the single most useful planning number you have, because they tell you the share of marks each area is worth:

Domain | Weight | Most-tested topics | Study priority
1. Network Fundamentals | 20% | Subnetting, switching concepts, IPv6 address types | 1 (foundation, start here)
2. Network Access | 20% | VLANs, 802.1Q trunking, STP, EtherChannel | 2
3. IP Connectivity | 25% | Routing table, static routes, single-area OSPF | 3 (study with Domain 2)
4. IP Services | 10% | NAT, DHCP, NTP, SSH, syslog | 4
5. Security Fundamentals | 15% | ACLs, device access control, Layer 2 security | 5
6. Automation and Programmability | 10% | SDN, REST APIs, JSON, AI/ML in network operations | 6 (study last)

IP Connectivity at 25% is the heaviest single block, and Network Fundamentals plus Network Access together make up 40% of the exam. That means roughly two-thirds of your marks come from fundamentals, switching, and routing. Services, security, and automation share the remaining third. Plan your weeks against those numbers, not against the order the domains are listed in.

How the six domains connect (and why the order matters)

The domains are numbered for the blueprint, not for learning. There is a dependency chain underneath them, and following it saves real study time. Domain 1 fundamentals feed everything: you cannot configure a VLAN interface or a routing protocol without IPv4 addressing and subnetting in your head first. Domain 2 (switching and VLANs) and Domain 3 (routing) are the core configurable skills and overlap heavily: an OSPF simlet often runs across a multi-switch topology where VLAN knowledge is assumed. Domain 4 services like NAT and DHCP sit on top of a working routed network, so they make sense only after routing. Domain 5 security, especially ACLs, requires you to already understand how a router forwards packets. Domain 6 automation is conceptual and slots in last, because its ideas (control plane, APIs, intent-based management) only click once you know what the devices it manages actually do.

The practical consequence: study subnetting before VLANs, VLANs before OSPF, NAT and DHCP after routing, and ACLs after NAT. The roadmap table later in this guide encodes exactly that sequence. For the underlying routing theory that ties Domain 3 together, our IP routing primer is a good warm-up before you touch a router.

Domain 1: Network Fundamentals (20%)

This is the widest domain by topic count, and two areas return the most marks: IPv4 subnetting and switching concepts. Subnetting underpins every addressing and routing question on the exam, so you need to compute subnet, broadcast, and host ranges quickly without a calculator. Switching concepts (MAC learning and aging, frame flooding for unknown unicast, and how the MAC address table is built) are the heaviest tested subcategory here and feed directly into Domain 2.

The domain also covers device roles (routers, Layer 2 and Layer 3 switches, next-generation firewalls, access points, wireless and network controllers, endpoints, servers, and PoE), topology architectures (two-tier, three-tier, spine-leaf, WAN, SOHO, on-premise versus cloud), TCP versus UDP, and IPv6. The IPv6 address types in objective 1.9 come up often: global unicast, unique local, link-local, and how a modified EUI-64 interface ID is built from a MAC address. Objective 1.10 expects you to verify IP settings on Windows, macOS, and Linux, so know ipconfig /all, ip addr, and ifconfig equivalents. Cabling and physical media (single-mode versus multimode fiber, copper, duplex and speed mismatches) are tested at a describe level, so do not over-invest there.

Domain 2: Network Access (20%)

VLANs and trunking are the most heavily tested topics in this domain, and they are pure configure-and-verify, so practice them on a real switch CLI rather than memorizing. You need VLANs spanning multiple switches (access ports for data and voice, the default VLAN), 802.1Q trunk ports, and the native VLAN. The native VLAN mismatch is a classic exam trap: if the native VLAN differs on the two ends of a trunk, CDP logs a mismatch and untagged traffic lands in the wrong VLAN.

Beyond VLANs, cover the Layer 2 discovery protocols CDP and LLDP (mostly describe-level, a quick win), Layer 2 and Layer 3 EtherChannel with LACP, and Rapid PVST+ Spanning Tree. For STP, focus on root bridge election (lowest bridge ID wins), the port roles and states (root, designated, forwarding, blocking), PortFast on access ports, and the protection features the v1.1 blueprint now calls out by name: root guard, loop guard, BPDU guard, and BPDU filter. Wireless objectives 2.6 through 2.9 carry moderate weight: know the AP modes, how a WLC connects to the wired network (access and trunk ports, LAG), the network device management access methods (including cloud-managed), and how to create a WLAN with WPA2 in the WLC GUI. If you want a feel for switch-side labs, our IOS CLI editing shortcuts speed up every configuration task.

Domain 3: IP Connectivity (25%, the heaviest domain)

At 25% this is the single biggest scoring block, so it deserves the most lab time. Three subtopics dominate. First, reading the routing table (objective 3.1): you must interpret the protocol code, prefix, mask, next hop, administrative distance, and metric, and recognize the gateway of last resort. A connected route shows as C, a local route as L, a static route as S, and OSPF as O. Second, static routing (3.3) including default routes, host routes, and floating static routes (a backup route with a higher administrative distance that only installs when the primary fails). Third, single-area OSPFv2 (3.4): neighbor adjacencies, point-to-point versus broadcast networks, DR and BDR election on broadcast segments, and how the router ID is chosen.

Objective 3.2 asks how a router chooses a path by default: longest prefix match first, then administrative distance between sources, then the routing protocol metric. First hop redundancy protocols (3.5, such as HSRP) are describe-level here; you should understand the virtual gateway concept and active/standby roles. IPv6 routing appears in this domain too, and the static route syntax differs slightly from IPv4. To see a redundant-gateway setup end to end, work through our HSRP configuration lab.
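The path-selection order above, together with the floating static route from objective 3.3, can be traced in a few lines of Python. This is an added example, not part of the original guide or any Cisco tooling; the Route class, select_route function, and all prefixes and next hops are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    code: str      # routing table code: C, L, S or O
    prefix: str    # destination network in CIDR form
    ad: int        # administrative distance (static 1, OSPF 110 by default)
    metric: int    # only meaningful between routes from the same source
    next_hop: str

# Constructed candidate routes, not taken from a real device.
CANDIDATES = [
    Route("S", "0.0.0.0/0", 1, 0, "203.0.113.1"),      # gateway of last resort
    Route("O", "10.1.0.0/16", 110, 20, "10.0.12.2"),
    Route("O", "10.1.20.0/24", 110, 30, "10.0.13.3"),
    Route("O", "10.1.20.0/24", 110, 11, "10.0.12.2"),  # same source, lower cost
    Route("S", "10.1.20.0/24", 200, 0, "10.0.14.4"),   # floating static, AD raised to 200
    Route("S", "10.1.30.0/24", 1, 0, "10.0.14.4"),
    Route("O", "10.1.30.0/24", 110, 20, "10.0.12.2"),
]

def select_route(destination, candidates):
    """Pick the route a router would use for one destination address.

    Order of comparison: longest prefix, then lowest administrative
    distance, then lowest metric. Returns None when nothing matches,
    which on a real router means the packet is dropped.
    """
    dest = ipaddress.ip_address(destination)
    matching = [r for r in candidates
                if dest in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad, r.metric),
    )

def without_ospf_for(prefix, candidates):
    """Simulate the primary (OSPF) path to one prefix failing."""
    return [r for r in candidates if not (r.code == "O" and r.prefix == prefix)]

if __name__ == "__main__":
    for dst in ("10.1.20.5", "10.1.30.9", "10.1.99.1", "198.51.100.7"):
        print(dst, "->", select_route(dst, CANDIDATES))
    failed = without_ospf_for("10.1.20.0/24", CANDIDATES)
    print("after OSPF loss:", select_route("10.1.20.5", failed))
```

After the OSPF /24 routes are removed, the floating static (AD 200) wins over the OSPF /16 (AD 110) because prefix length is compared before administrative distance.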

Domain 4: IP Services (10%)

This domain is only 10% of the blueprint, but one topic punches far above its weight: NAT. Inside source NAT with static mappings and with pools (including PAT overload) shows up constantly, and in our analysis of the exam topic surface, NAT appears far more often than its domain weight alone would suggest. That is because NAT rarely stands alone: it turns up inside multi-step simlets where the same scenario also tests routing and ACLs, so a single NAT question can gate several marks. Give it proportional lab time even though the domain is small.

The other configure-and-verify objectives here are NTP in client and server mode, and DHCP client and relay (the ip helper-address command that forwards broadcasts to a DHCP server on another subnet). The describe-level objectives are DNS and DHCP roles, SNMP, syslog (know the eight severity levels, 0 emergency through 7 debugging), QoS per-hop behavior (classification, marking, queuing, policing, shaping), and TFTP/FTP for IOS file management. SSH for remote device access (4.8) is tested here and again in the security domain. Our SSH access lab and DNS server lab both run in GNS3 or Packet Tracer.

Domain 5: Security Fundamentals (15%)

Access control lists and device access control are the most testable items here. For ACLs (5.6) you need standard and extended IPv4 syntax, numbered and named ACLs, the implicit deny at the end of every list, and where to apply each (standard ACLs close to the destination, extended close to the source). For device access (5.3 and 5.4), know the difference between enable secret (a strong hash) and enable password (cleartext), why service password-encryption only provides weak type-7 encoding, and the password policy elements (complexity, multifactor authentication, certificates, biometrics).
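To see why entry order and the implicit deny matter, the following added example (not from the original guide) evaluates packets against a small extended ACL the way a router does: top down, first match wins, deny if nothing matches. It parses only a subset of the IOS entry syntax (any, host, address plus wildcard mask, optional eq port); the ACL lines and addresses are constructed.

```python
import ipaddress

# Constructed extended ACL entries (IOS-style syntax, subset only).
ACL = [
    "permit tcp 10.1.10.0 0.0.0.255 host 10.1.50.10 eq 22",
    "deny ip 10.1.10.0 0.0.0.255 10.1.50.0 0.0.0.255",
    "permit tcp any host 10.1.50.20 eq 443",
]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_entry(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = take_addr(tokens)
    dst = take_addr(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def addr_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, matching_entry). Falls through to the implicit deny."""
    for line in acl_lines:
        action, a_proto, a_src, a_dst, a_port = parse_entry(line)
        if a_proto not in ("ip", proto):
            continue
        if not (addr_match(src, a_src) and addr_match(dst, a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, line          # first match wins, later entries are ignored
    return "deny", "implicit deny"   # the unwritten last line of every ACL

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "10.1.10.7", "10.1.50.10", 22))
    print(evaluate(ACL, "tcp", "10.1.10.7", "10.1.50.20", 443))
    print(evaluate(ACL, "tcp", "192.0.2.9", "10.1.50.20", 443))
    print(evaluate(ACL, "udp", "192.0.2.9", "10.1.50.20", 53))
```

The second call is denied even though a later entry permits HTTPS to that server: the broader deny sits above it and matches first, which is the ordering mistake to look for when verifying an ACL.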

Layer 2 security (5.7) is configure-and-verify: port security (limiting MAC addresses per port and the violation actions), DHCP snooping, and dynamic ARP inspection. The remaining objectives are describe-level: key security concepts (threats, vulnerabilities, exploits, mitigations), security program elements, AAA (the difference between authentication, authorization, and accounting, and RADIUS versus TACACS+), IPsec remote-access and site-to-site VPNs, and the wireless security protocols WPA, WPA2, and WPA3. The hands-on SSH and access-control work overlaps with Domain 4, so study them together.

Domain 6: Automation and Programmability (10%)

This domain is conceptual. There are no IOS configuration simulations on automation, so the questions test understanding rather than syntax, which makes it fast to study and a good finisher. Know the software-defined networking architecture: the separation of the control plane (decides where traffic goes) from the data plane (forwards it), the difference between overlay, underlay, and fabric, and northbound versus southbound APIs. Compare traditional box-by-box device management with controller-based management. The v1.1 blueprint added an objective here that older study guides miss: explain AI (generative and predictive) and machine learning in network operations, so know at a high level how AI-assisted operations and predictive analytics fit into modern network management.

The data-handling objectives are REST API characteristics (authentication types, the CRUD operations and their HTTP verbs GET, POST, PUT, and DELETE, plus data encoding) and recognizing the components of JSON-encoded data (objects, arrays, key-value pairs, data types). For configuration management the current blueprint names Ansible and Terraform: know what each does and that both are agentless (Ansible pushes configuration over SSH, Terraform declares desired infrastructure state). Study this domain last; its concepts settle quickly once the rest of the network makes sense.

CCNA 200-301 study guide roadmap: the order that cuts your study time

This is the sequence we recommend, built from the dependency chain above rather than the blueprint numbering. It assumes roughly 10 to 12 hours a week. Compress it to eight weeks if you study full time, or stretch it to twelve if you are working alongside. The point is the order, not the calendar: each week builds on the one before it.

Week | Focus area | Blueprint objectives | Why here
1 | Networking models, devices, cabling, TCP/UDP | 1.1, 1.2, 1.3, 1.5 | Vocabulary and mental model for everything that follows
2 | IPv4 addressing and subnetting | 1.6, 1.7 | The single most reused skill on the exam
3 | IPv6 addressing and types; client OS verification | 1.8, 1.9, 1.10 | Addressing complete before configuring anything
4 | Switching concepts, VLANs, trunking | 1.13, 2.1, 2.2 | First hands-on config; foundation for routing labs
5 | STP, EtherChannel, CDP/LLDP | 2.3, 2.4, 2.5 | Completes the switching picture
6 | Routing table, static and default routes | 3.1, 3.2, 3.3 | How forwarding works before adding a protocol
7 | Single-area OSPF and FHRP | 3.4, 3.5 | The heaviest scoring topic; needs VLANs from week 4
8 | NAT, DHCP, NTP, SSH | 4.1, 4.2, 4.6, 4.8 | Services layered on a working routed network
9 | ACLs and Layer 2 security | 5.3, 5.6, 5.7 | Builds on routing and NAT from weeks 6 to 8
10 | Security and wireless concepts | 5.1, 5.2, 5.4, 5.5, 5.8, 5.9, 2.6 to 2.9 | Describe-level; lighter load before the finish
11 | Automation and programmability | 6.1 to 6.7 | Conceptual; fastest domain once the rest is known
12 | Full practice exams and weak-area review | all | Timed practice under exam conditions

Notice that OSPF (week 7) comes after VLANs and trunking (weeks 4 and 5), even though routing is a higher-weight domain. That ordering is deliberate: OSPF labs almost always run on top of a switched topology, and trying to learn both at once is where most candidates stall.

Lab strategy: how to practice the configure-and-verify objectives

You cannot pass CCNA by reading alone. More than a dozen objectives are explicitly configure-and-verify (VLANs, trunking, EtherChannel, static and OSPF routing, NAT, NTP, DHCP, SSH, ACLs, port security, and WLAN setup), and the simlets on the exam expect you to type real commands under time pressure. You have three practical ways to get a CLI to practice on.

  • GNS3 with Cisco IOSv images. The closest thing to real gear, running real IOS. We have GNS3 setup guides for Ubuntu, Fedora, Debian, macOS, and Kali, plus a guide to running the GNS3 VM on VirtualBox. IOS images require a Cisco license, which is the one cost to be aware of.
  • Cisco Packet Tracer. Free from Cisco Networking Academy after a free enrollment. It does not run real IOS, but it covers the full CCNA command set and is more than enough for almost every objective. The best no-cost starting point.
  • A physical lab kit. Used Cisco routers and switches on the second-hand market. Realistic, but more expensive and noisier than emulation, and only worth it if you prefer real hardware.

Whichever you pick, build the same small topology you will see in the exam: a couple of routers and switches you can address, trunk, route between, and secure. Several of the labs linked in this guide run unchanged in both GNS3 and Packet Tracer.

CCNA exam tips before you book

Cisco does not publish a pass rate, but community data consistently puts the first-attempt pass rate around 70 to 75% for candidates who completed a full study plan with hands-on labs, and far lower for those who only read. The labs are what move that number. A few things worth knowing before you sit it:

  • You cannot return to a question. Once you submit an answer, it is locked. Read carefully and commit.
  • Simulations and simlets carry the most marks per item. They also take the longest. Budget your time so you are not rushing them at the end, and remember to save your configuration in a sim where it applies.
  • Test center versus online proctored. A Pearson VUE test center removes the risk of a home setup failing the proctor check. Online proctoring is convenient but has strict environment rules; read them in advance.
  • The retake rule. If you fail, you must wait five calendar days before booking again, and the certification is valid for three years.
  • Subnet fast. Drill subnetting until you can find a subnet, broadcast, and host range in seconds. It saves minutes you will need for the simlets. Start with subnetting by network requirements, then VLSM, and keep the subnetting cheat sheet handy.

For deeper reading on top of this guide, see our roundup of the best CCNA 200-301 study books, which pairs well with the hands-on labs above.

Your CCNA learning path on this site

Use this as your navigation map. Each entry is a companion guide on this site that covers an exam area in depth, and we are expanding the set across all six domains. Bookmark this page and work down the list as you move through the roadmap above.

Domain | Topic | Guide
1 | IP routing concepts | IP routing and routing protocols explained
2 | IOS CLI | Cisco IOS CLI editing commands
3 | First hop redundancy | HSRP configuration lab
4 | DNS service | DNS server configuration lab
4 / 5 | Remote access | SSH access configuration lab
Lab setup | Build a lab | Install GNS3 on Ubuntu and recommended CCNA books

Start at the top of the roadmap, follow the weekly order, and run every configure-and-verify objective on a real or emulated device. That combination, the dependency-ordered plan plus hands-on labs, is what gets candidates through the CCNA 200-301 on the first attempt.
