Courseiva

Cisco · Free Practice Questions · Last reviewed May 2026

200-301 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

1367 exam questions
120 min time limit
Pass at 825 / 1000
6 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1

Domain 1: IP Services

10% of exam · 6 sample questions below

All IP Services questions
Q1
mediumFull explanation →

A network team wants centralized logging and also wants log timestamps from different devices to line up accurately. Which combination best supports that goal?

A

Syslog and NTP

This is correct because Syslog centralizes log collection and NTP aligns timestamps across devices.

B

DHCP and STP

C

PAT and EtherChannel

D

ARP and CDP

Why: The right combination is Syslog plus NTP. In plain language, Syslog gives the team a central place to collect and review device messages, while NTP makes sure the timestamps on those messages are consistent across the network. Centralized logs are useful on their own, but without synchronized clocks, incident timelines can become confusing and misleading. This pairing is a common operational best practice. Syslog handles the collection side, and NTP handles the time-correlation side. Other services such as DHCP, STP, or NAT do not solve this combination of requirements. The best answer is the one that recognizes that centralized logging and time synchronization are complementary, not competing, services.
Q2
mediumFull explanation →

Why is NTP especially valuable when a network uses centralized Syslog servers?

A

Because synchronized clocks make log timestamps easier to correlate across devices

This is correct because NTP improves the usefulness of centralized logs by aligning time.

B

Because NTP converts Syslog into a routing protocol

C

Because NTP automatically creates DHCP pools

D

Because NTP eliminates the need for a Syslog server

Why: NTP is especially valuable because centralized logs are much easier to interpret when device clocks are synchronized. In plain language, if multiple routers and switches send messages to one logging server but each device believes a different time, the event sequence becomes confusing. NTP helps align those clocks so the timestamps in the logs are consistent and the team can reconstruct incidents more accurately. This is a practical operations concept rather than a syntax question. Syslog solves the collection problem, and NTP solves the time-correlation problem. Together they make logs more useful than either one alone. That is why the best answer focuses on timestamp consistency rather than on routing, VLAN, or NAT behavior.
Q3
mediumFull explanation →

Why is NTP especially useful when devices send logs to a centralized Syslog server?

A

It helps align device clocks so centralized log timestamps can be correlated more accurately.

This is correct because consistent time improves the usefulness of centralized logs.

B

It assigns the Syslog server an IP address.

C

It replaces the need for a Syslog server.

D

It encrypts every Syslog message automatically.

Why: NTP is especially useful because synchronized clocks make the log timestamps more meaningful and easier to correlate. In plain language, if each device thinks the current time is different, the sequence of events in the centralized log becomes confusing. NTP helps align time across devices so the logs tell a more accurate story. This is an operational best practice. Syslog collects the messages, and NTP makes their timing consistent. The correct answer is the one focused on timestamp correlation.
Q4
hardFull explanation →

Why is the combination of strong authentication and centralized logging generally better than using either one alone?

A

Authentication helps prevent unauthorized access, while centralized logging improves visibility and investigation.

This is correct because the two controls complement each other.

B

They are redundant because both perform exactly the same function.

C

Centralized logging makes authentication unnecessary.

D

Strong authentication removes the need for device event records.

Why: The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate activity across the environment. In plain language, one control focuses more on prevention, while the other improves visibility and accountability. Together they create a stronger security posture than either one alone. This is an important design mindset. Security is stronger when controls complement each other instead of trying to solve every problem with one mechanism. The correct answer is the one focused on prevention plus visibility.
Q5
mediumFull explanation →

Why is centralized logging especially useful when combined with NTP?

A

Because synchronized clocks make centralized log timelines easier to analyze accurately.

This is correct because NTP improves the usefulness of centralized logs by aligning timestamps.

B

Because NTP assigns the Syslog server its IP address.

C

Because Syslog replaces authentication when NTP is present.

D

Because centralized logging blocks unauthorized traffic automatically.

Why: Centralized logging is much more useful when device clocks are synchronized because the timestamps can be correlated properly. In practical terms, collecting messages in one place is valuable, but if one router thinks it is 9:00 and another thinks it is 9:17, the event sequence becomes confusing. NTP solves that time-alignment problem. This is a common operations best practice. Syslog provides the central visibility, and NTP makes the timeline trustworthy.
Q6
hardFull explanation →

Why is the combination of strong authentication and centralized logging better than either control by itself?

A

Authentication improves prevention, while centralized logging improves visibility and investigation.

This is correct because the two controls complement each other.

B

They are redundant because both perform exactly the same task.

C

Centralized logging makes authentication unnecessary.

D

Strong authentication removes the need for any event records.

Why: The combination is better because strong authentication helps prevent unauthorized access, while centralized logging helps detect, review, and investigate what happened across the environment. In practical terms, one control is stronger on prevention, and the other is stronger on visibility and accountability. Together they provide broader protection than either one alone. This reflects a real security principle: mature security depends on layers of control, not one mechanism trying to do every job.

Want more IP Services practice?

Practice this domain
2

Domain 2: Security Fundamentals

15% of exam · 6 sample questions below

All Security Fundamentals questions
Q1
mediumFull explanation →

Two switches are connected by an 802.1Q trunk. CDP reports a native VLAN mismatch. Which issue is most likely to appear because of this?

A

Untagged traffic may be placed into different VLANs on each switch.

That is the classic symptom of a native VLAN mismatch.

B

All tagged traffic on the trunk is dropped immediately.

C

STP is disabled on the trunk link.

D

The trunk automatically converts to an access port.

Why: A native VLAN mismatch can cause untagged traffic sent on one side to be placed into a different VLAN on the other side. That leads to confusing connectivity issues and can also create security concerns. It does not automatically disable the trunk.
Q2
mediumFull explanation →

Match each REST API method to the action it most closely represents in a typical network automation workflow.

Why: These mappings reflect the common CRUD model used by RESTful APIs. GET retrieves data, POST creates a new resource, PUT replaces or updates a resource in a full-update style, and DELETE removes a resource.
Q3
hardFull explanation →

R1 has the following routes installed:

O    10.10.10.0/24 via 192.0.2.2
S    10.10.10.128/25 via 198.51.100.2

S* 0.0.0.0/0 via 203.0.113.1

A packet destined for 10.10.10.200 arrives at R1. Which route is used?

A

The OSPF route to 10.10.10.0/24 via 192.0.2.2

B

The static route to 10.10.10.128/25 via 198.51.100.2

Longest prefix match makes the /25 win.

C

The default route via 203.0.113.1

D

The packet is dropped because OSPF routes cannot overlap with static routes.

Why: Routers forward using longest prefix match first. Even though the OSPF /24 exists, the static /25 is more specific and covers 10.10.10.200, so the packet is sent via 198.51.100.2. The default route is used only when nothing more specific matches.
Q4
mediumFull explanation →

A branch router has only one WAN link connected to an Ethernet handoff from the provider. Which static default route is generally the better choice?

A

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

B

ip route 0.0.0.0 0.0.0.0 198.51.100.1

A next-hop address is generally preferred on Ethernet provider handoffs.

C

ip route 255.255.255.255 255.255.255.255 198.51.100.1

D

No static default route should ever be used on Ethernet.

Why: On multiaccess Ethernet, pointing the default route to a next-hop IP address is usually cleaner because the router can resolve the next hop with ARP. Using only the exit interface on Ethernet can make the router treat many destinations as directly connected and trigger unnecessary ARP behavior.
Q5
easyFull explanation →

Match each DHCPv4 message in the DORA process to its role.

Why: DORA is basic but important. Discover is the client broadcast looking for servers, Offer is the server proposing an address, Request is the client asking to use one offer, and Acknowledge is the server confirming the lease.
Q6
mediumFull explanation →

An engineer successfully authenticates to a controller and receives a token. What is the usual reason for including that token in later API requests?

A

To identify and authorize the client without resending full login credentials each time

That is the practical purpose of token-based API access.

B

To convert HTTP requests into SNMP traps

C

To elect the active controller in the cluster

D

To compress JSON payloads before transport

Why: The token proves the client has already authenticated and is authorized to continue interacting with the API for the lifetime of that token or session. It is commonly sent in an HTTP header such as Authorization. It does not replace the need for IP routing or DNS resolution.

Want more Security Fundamentals practice?

Practice this domain
3

Domain 3: Automation and Programmability

10% of exam · 6 sample questions below

All Automation and Programmability questions
Q1
mediumFull explanation →

A network engineer sends an HTTP GET request to a controller API and receives status code 401. What does that response indicate?

A

The API endpoint does not exist

B

The request was successful but returned an empty body

C

Authentication is required or the token is invalid

Correct choice.

D

The server is overloaded and cannot process the request

Why: HTTP 401 means the request is not authorized because valid authentication credentials were not supplied or were rejected. In practice, this usually means the token is missing, expired, malformed, or otherwise invalid.
Q2
mediumFull explanation →

Match each automation term to the best description.

Why: YANG defines a data model, JSON is a data format, an API is the interface software uses to interact with another system, and a token is commonly used to prove identity or authorization in API workflows.
Q3
easyFull explanation →

Which data format is most commonly used in REST APIs because it is lightweight and easy for applications to parse?

A

YANG

B

JSON

Correct choice.

C

STP

D

TFTP

Why: JSON is widely used with REST because it is compact, human-readable, and easy for software to parse. It is common in controller APIs and automation workflows.
Q4
easyFull explanation →

Which data format uses key-value pairs and is commonly returned by REST APIs?

A

YANG

B

JSON

JSON commonly represents API payloads.

C

Syslog

D

CDP

Why: JSON is lightweight, human-readable, and widely used in modern APIs for structured data exchange.
Q5
mediumFull explanation →

Which statement best describes YANG in a network automation context?

A

It is a transport protocol that replaces HTTPS

B

It is a data modeling language for configuration and operational data

That is the core purpose of YANG.

C

It is a Cisco-only scripting language for switch automation

D

It is a logging format used by telemetry collectors

Why: YANG is a data modeling language used to describe configuration and operational state. It defines the structure of the data; protocols such as NETCONF or RESTCONF transport that data.
Q6
mediumFull explanation →

Match each HTTP method to the action it most commonly performs in a REST API.

Why: GET retrieves data, POST creates a new resource, PUT replaces or updates a resource, and DELETE removes one.

Want more Automation and Programmability practice?

Practice this domain
4

Domain 4: Network Fundamentals

20% of exam · 6 sample questions below

All Network Fundamentals questions
Q1
hardFull explanation →

An interface is configured with 10.24.7.158/27. What is the broadcast address of that subnet?

A

10.24.7.159

Correct. It is the last address in the /27 block.

B

10.24.7.191

C

10.24.7.127

D

10.24.7.160

Why: A /27 uses blocks of 32 addresses. The block containing .158 is 10.24.7.128 through 10.24.7.159, so .159 is the broadcast address.
Q2
mediumFull explanation →

Which two statements accurately compare TCP and UDP? (Choose two.)

A

TCP provides connection-oriented transport

Correct. TCP is a connection-oriented transport protocol.

B

UDP guarantees delivery through acknowledgments

C

UDP has lower overhead than TCP

Correct. UDP generally has lower header and session-management overhead.

D

TCP does not use port numbers

E

UDP is always faster because it avoids congestion

Why: TCP is connection-oriented and uses sequencing, acknowledgments, and related controls. UDP is simpler and has lower overhead, but it does not guarantee delivery.
Q3
easyFull explanation →

Which medium is the most common choice for a 10G uplink between wiring closets on different floors of the same building?

A

Rollover cable

B

Fiber optic cable

Correct. Fiber is the standard uplink choice here.

C

Coaxial cable

D

Console cable

Why: Fiber is commonly used for building uplinks because it supports higher bandwidth and longer distances than typical copper for this use case.
Q4
easyFull explanation →

At which OSI layer do routers make forwarding decisions based on logical addressing?

A

Layer 1

B

Layer 2

C

Layer 3

Correct. Layer 3 is the network layer.

D

Layer 4

Why: Routers operate at the network layer when making forwarding decisions based on logical Layer 3 addresses such as IPv4 or IPv6 destination addresses.
Q5
mediumFull explanation →

Which command enables IPv6 routing on a Cisco router?

A

ipv6 unicast-routing

Correct. This is the required global command.

B

ipv6 enable

C

ip routing ipv6

D

ipv6 route enable

Why: The global configuration command ipv6 unicast-routing enables IPv6 forwarding on Cisco routers.
Q6
easyFull explanation →

A host sends traffic to a web server on another subnet. Which address is used as the destination MAC address in the first Ethernet frame sent by the host?

A

The MAC address of the remote web server

B

The MAC address of the local default gateway

Correct. The default gateway is the Layer 2 next hop for remote destinations.

C

The MAC address of the DNS server

D

The broadcast MAC address

Why: When the destination is remote, the host sends the frame to its default gateway. The next-hop MAC is the gateway's MAC, not the remote host's MAC.

Want more Network Fundamentals practice?

Practice this domain
5

Domain 5: Network Access

20% of exam · 6 sample questions below

All Network Access questions
Q1
mediumFull explanation →

Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?

A

Blocking

B

Listening

Correct. Listening occurs before learning and forwarding.

C

Learning

D

Forwarding

Why: In the classic 802.1D sequence, the listening state processes BPDUs and prepares for forwarding decisions, but it does not populate the MAC address table yet.
Q2
easyFull explanation →

What is the main purpose of a VLAN on a switch?

A

To create a separate Layer 2 broadcast domain

Correct. VLANs create separate broadcast domains.

B

To encrypt user traffic on the switch

C

To increase the physical speed of switch ports

D

To replace the need for a default gateway

Why: A VLAN separates switch ports into distinct Layer 2 broadcast domains, improving segmentation and reducing unnecessary broadcast scope.
Q3
hardFull explanation →

Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?

A

VLAN 30 is pruned or missing from the allowed VLAN list

Native VLAN settings can matter, but they do not best explain why other VLANs still work while VLAN 30 alone fails.

B

The native VLAN is set to 1 on both switches

C

The trunk uses 802.1Q encapsulation

D

SW1 is the STP root bridge

Why: If only one VLAN fails across an otherwise healthy trunk, a missing or filtered VLAN in the allowed list is a common cause. Native VLAN matching and encapsulation would affect broader trunk behavior, not usually just one VLAN in this way.
Q4
mediumFull explanation →

What is a common requirement for interfaces to successfully bundle into an EtherChannel?

A

All member interfaces must use matching speed, duplex, and trunk/access settings

Correct. Mismatched settings commonly prevent bundling.

B

Each interface must belong to a different VLAN

C

Only odd-numbered switch ports can be bundled

D

Each interface must have a different STP path cost

Why: EtherChannel members must have compatible operational and administrative settings, including speed, duplex, and switchport mode.
Q5
mediumFull explanation →

In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?

A

One IP address for every VLAN on the physical interface itself only

B

No subinterfaces; the switch handles all inter-VLAN routing internally

C

Subinterfaces with 802.1Q encapsulation for each routed VLAN

Correct. Subinterfaces with dot1q encapsulation are the key configuration element.

D

A serial encapsulation setting for each VLAN

Why: Router-on-a-stick uses one physical router interface with multiple logical subinterfaces. Each subinterface is associated with a VLAN using 802.1Q encapsulation and gets an IP address for that VLAN.
Q6
mediumFull explanation →

Which two functions are commonly handled by a wireless LAN controller in a controller-based deployment? (Choose two.)

A

Centralized management of lightweight APs

Correct. Centralized AP management is a core controller role.

B

Per-host DHCP address assignment on every WLAN

C

Policy enforcement for SSIDs and WLAN settings

Correct. Policy and WLAN settings are commonly centralized on the controller.

D

Providing STP root bridge election for the campus

E

Replacing all Layer 2 switching functions in the access layer

Why: Wireless LAN controllers commonly centralize AP management and apply WLAN policies consistently across access points. They do not replace every switching or DHCP function in the network.

Want more Network Access practice?

Practice this domain
6

Domain 6: IP Connectivity

25% of exam · 6 sample questions below

All IP Connectivity questions
Q1
hardFull explanation →

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

A

The static route, because static routes always win

B

The OSPF route, because 110 is lower than 150

Correct. OSPF is preferred here because AD 110 is lower than 150.

C

Both routes, because administrative distances are different

D

Neither route, because the static route is floating

Why: The route with the lower administrative distance is installed. A static route configured with a higher AD becomes a floating static route and remains as a backup until the preferred route disappears.
Q2
mediumFull explanation →

A router output shows this neighbor state:

Neighbor ID 10.1.1.1   State FULL/DR   Address 192.168.12.1

What does the FULL/DR state indicate?

A

The local router is the DR and adjacency formation has failed

B

The neighbor relationship is complete and the neighbor is the DR on that segment

Correct. The adjacency is complete, and that neighbor is acting as the DR.

C

The routers are exchanging only link-state requests

D

The neighbor has been learned through BGP redistribution

Why: FULL means the OSPF adjacency is fully formed. The /DR suffix indicates that the listed neighbor is the Designated Router for that multiaccess segment.
Q3
mediumFull explanation →

A router learns 10.10.10.0/24 from OSPF and EIGRP at the same time. OSPF reports a metric of 20, and EIGRP reports a metric of 30720. Which route is installed in the routing table by default?

A

The OSPF route, because 20 is lower than 30720

B

The EIGRP route, because its administrative distance is lower

Correct. EIGRP wins because its default administrative distance is lower than OSPF.

C

Both routes, because they point to the same prefix

D

Neither route, because the metrics are not comparable

Why: When the same prefix is learned from different routing protocols, the router compares administrative distance first. EIGRP internal routes use AD 90, while OSPF uses AD 110, so the EIGRP route is preferred.
Q4
hardFull explanation →

A router shows this output:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0

Which statement is correct?

A

R1 has failed to form adjacency with 10.1.1.3

B

This can be normal on a broadcast segment where DROTHER routers remain in 2-Way

Correct. This is normal DR/DROTHER behavior on many multiaccess networks.

C

R1 has a duplicate router ID with 10.1.1.3

D

The interface is passive

Why: On broadcast OSPF networks, full adjacency is typically formed with the DR and BDR. DROTHER routers can remain in the 2-Way state with one another and still be operating normally.
Q5
mediumFull explanation →

Which command correctly configures an IPv6 default route using next-hop address 2001:db8:1::1?

A

ipv6 route ::/0 2001:db8:1::1

Correct. This is the valid IOS syntax for an IPv6 default route.

B

ip route :: 2001:db8:1::1

C

ipv6 default-route 2001:db8:1::1

D

ip default-gateway 2001:db8:1::1

Why: The IPv6 default route uses the prefix ::/0. On Cisco IOS, the correct syntax is ipv6 route ::/0 followed by the next-hop address or exit interface.
Q6
mediumFull explanation →

A routing table entry begins with the code C. What does that code indicate?

A

A route learned through EIGRP

B

A connected network

Correct. C means connected.

C

A candidate default route

D

A static route to a classful network

Why: In Cisco routing table output, C indicates a directly connected network. These routes are installed when an interface is up and has an address in that subnet.

Want more IP Connectivity practice?

Practice this domain

Frequently asked questions

How many questions are on the 200-301 exam?

The 200-301 exam has up to 1367 questions and must be completed in 120 minutes. The passing score is 825/1000.

What types of questions appear on the 200-301 exam?

The 200-301 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are 200-301 questions organised by domain?

The exam covers 6 domains: IP Services, Security Fundamentals, Automation and Programmability, Network Fundamentals, Network Access, IP Connectivity. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 200-301 exam questions?

No. These are original exam-style practice questions written against the official Cisco 200-301 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 1367 200-301 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all 200-301 questionsTake a timed practice test