Cisco · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
25% of exam · 6 sample questions below
An interface is configured with 10.24.7.158/27. What is the broadcast address of that subnet?
10.24.7.159
Correct. It is the last address in the /27 block.
10.24.7.191
10.24.7.127
10.24.7.160
Which two statements accurately compare TCP and UDP? (Choose two.)
TCP provides connection-oriented transport
Correct. TCP is a connection-oriented transport protocol.
UDP guarantees delivery through acknowledgments
UDP has lower overhead than TCP
Correct. UDP generally has lower header and session-management overhead.
TCP does not use port numbers
UDP is always faster because it avoids congestion
Which medium is the most common choice for a 10G uplink between wiring closets on different floors of the same building?
Rollover cable
Fiber optic cable
Correct. Fiber is the standard uplink choice here.
Coaxial cable
Console cable
At which OSI layer do routers make forwarding decisions based on logical addressing?
Layer 1
Layer 2
Layer 3
Correct. Layer 3 is the network layer.
Layer 4
Which command enables IPv6 routing on a Cisco router?
ipv6 unicast-routing
Correct. This is the required global command.
ipv6 enable
ip routing ipv6
ipv6 route enable
A host sends traffic to a web server on another subnet. Which address is used as the destination MAC address in the first Ethernet frame sent by the host?
The MAC address of the remote web server
The MAC address of the local default gateway
Correct. The default gateway is the Layer 2 next hop for remote destinations.
The MAC address of the DNS server
The broadcast MAC address
25% of exam · 6 sample questions below
Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?
Blocking
Listening
Correct. Listening occurs before learning and forwarding.
Learning
Forwarding
Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?
VLAN 30 is pruned or missing from the allowed VLAN list
Native VLAN settings can matter, but they do not best explain why other VLANs still work while VLAN 30 alone fails.
The native VLAN is set to 1 on both switches
The trunk uses 802.1Q encapsulation
SW1 is the STP root bridge
What is a common requirement for interfaces to successfully bundle into an EtherChannel?
All member interfaces must use matching speed, duplex, and trunk/access settings
Correct. Mismatched settings commonly prevent bundling.
Each interface must belong to a different VLAN
Only odd-numbered switch ports can be bundled
Each interface must have a different STP path cost
In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?
One IP address for every VLAN on the physical interface itself only
No subinterfaces; the switch handles all inter-VLAN routing internally
Subinterfaces with 802.1Q encapsulation for each routed VLAN
Correct. Subinterfaces with dot1q encapsulation are the key configuration element.
A serial encapsulation setting for each VLAN
Which two functions are commonly handled by a wireless LAN controller in a controller-based deployment? (Choose two.)
Centralized management of lightweight APs
Correct. Centralized AP management is a core controller role.
Per-host DHCP address assignment on every WLAN
Policy enforcement for SSIDs and WLAN settings
Correct. Policy and WLAN settings are commonly centralized on the controller.
Providing STP root bridge election for the campus
Replacing all Layer 2 switching functions in the access layer
A switch receives a unicast frame for a destination MAC address that is not yet in its MAC address table. What does the switch do?
Drops the frame immediately
Floods the frame out all ports in the same VLAN except the incoming port
Correct. Unknown unicast is flooded within the VLAN.
Sends the frame to the default gateway first
Converts the frame to a broadcast packet
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
The static route, because static routes always win
The OSPF route, because 110 is lower than 150
Correct. OSPF is preferred here because AD 110 is lower than 150.
Both routes, because administrative distances are different
Neither route, because the static route is floating
A router output shows this neighbor state:
Neighbor ID 10.1.1.1 State FULL/DR Address 192.168.12.1
What does the FULL/DR state indicate?
The local router is the DR and adjacency formation has failed
The neighbor relationship is complete and the neighbor is the DR on that segment
Correct. The adjacency is complete, and that neighbor is acting as the DR.
The routers are exchanging only link-state requests
The neighbor has been learned through BGP redistribution
A router learns 10.10.10.0/24 from OSPF and EIGRP at the same time. OSPF reports a metric of 20, and EIGRP reports a metric of 30720. Which route is installed in the routing table by default?
The OSPF route, because 20 is lower than 30720
The EIGRP route, because its administrative distance is lower
Correct. EIGRP wins because its default administrative distance is lower than OSPF.
Both routes, because they point to the same prefix
Neither route, because the metrics are not comparable
A router shows this output:
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0
Which statement is correct?
R1 has failed to form adjacency with 10.1.1.3
This can be normal on a broadcast segment where DROTHER routers remain in 2-Way
Correct. This is normal DR/DROTHER behavior on many multiaccess networks.
R1 has a duplicate router ID with 10.1.1.3
The interface is passive
Which command correctly configures an IPv6 default route using next-hop address 2001:db8:1::1?
ipv6 route ::/0 2001:db8:1::1
Correct. This is the valid IOS syntax for an IPv6 default route.
ip route :: 2001:db8:1::1
ipv6 default-route 2001:db8:1::1
ip default-gateway 2001:db8:1::1
A routing table entry begins with the code C. What does that code indicate?
A route learned through EIGRP
A connected network
Correct. C means connected.
A candidate default route
A static route to a classful network
20% of exam · 6 sample questions below
A router interface applies this ACL inbound:
10 deny tcp any any eq 80
20 permit ip any any
A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
The ACL blocks all traffic because the first entry is a deny
The ACL blocks HTTP but allows ICMP
Correct. HTTP matches the deny, while ping is permitted by the later broad permit.
The ACL permits HTTP because line 20 overrides line 10
The ACL blocks ping because ICMP is not explicitly permitted
A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?
PortFast
Dynamic ARP Inspection
Correct. DAI directly targets ARP spoofing.
EtherChannel
NetFlow
What is a key difference between SNMPv3 and earlier SNMP versions?
SNMPv3 supports IPv4 only
SNMPv3 adds authentication and encryption features
Correct. Stronger security is the primary differentiator.
SNMPv3 cannot be used for monitoring interface counters
SNMPv3 replaces syslog completely
In AAA, what does the second A stand for?
Application
Accounting
Authorization
Correct. The second A is Authorization.
Auditing
Which ACL type can filter using source and destination IP addresses as well as TCP or UDP port numbers?
Standard IPv4 ACL
Extended IPv4 ACL
Correct. Extended ACLs support the granularity described.
Prefix list
Native VLAN ACL
Which wireless security method is considered strongest among these choices for modern enterprise WLAN deployments?
WEP
WPA
WPA2 with AES
Correct. WPA2 with AES is the strongest listed option.
Open authentication
10% of exam · 6 sample questions below
An API client sends a valid GET request and receives an HTTP 200 response. What does that indicate?
The resource was deleted successfully
The request was successful
Correct. HTTP 200 means the request succeeded.
Authentication permanently failed
The server requires a reboot
Why is version control valuable for network automation files?
It increases interface bandwidth
It tracks changes and allows rollback to earlier versions
Correct. Change tracking and rollback are major benefits.
It replaces the need for device backups
It guarantees that configuration changes are error free
Why is version control useful for network automation scripts?
It automatically fixes coding mistakes
It tracks changes and supports rollback and review
Correct. Tracking and rollback are the key benefits.
It removes the need for API authentication
It replaces the device operating system
What is a main operational benefit of a controller-based networking architecture?
It removes the need for IP addressing
It centralizes policy and can simplify network-wide changes
Correct. Centralized policy is a major benefit.
It eliminates the data plane on switches
It forces all routes to become static
What is a northbound API in a controller-based network architecture?
An interface used by the controller to program forwarding tables on switches
An interface used by applications to communicate with the controller
Correct. Northbound means application-to-controller communication.
A dedicated out-of-band management port on the controller
A wireless uplink between access points and the controller
Which HTTP method is commonly used to retrieve information from a REST API without modifying the resource?
POST
GET
Correct. GET retrieves data.
PUT
DELETE
The 200-301 exam has 100 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco certification exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration scenario questions.
The exam covers 5 domains: Network Infrastructure and Connectivity, Switching and Network Access, IP Routing, Network Services and Security, AI and Network Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 200-301 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.