Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications200-301Exam Questions

Cisco · Free Practice Questions · Last reviewed May 2026

200-301 Exam Questions and Answers

30real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

100 exam questions
120 min time limit
Pass: Variable
5 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Network Infrastructure and Connectivity2. Switching and Network Access3. IP Routing4. Network Services and Security5. AI and Network Operations
1

Domain 1: Network Infrastructure and Connectivity

25% of exam · 6 sample questions below

All Network Infrastructure and Connectivity questions
Q1
hardFull explanation →

An interface is configured with 10.24.7.158/27. What is the broadcast address of that subnet?

A

10.24.7.159

Correct. It is the last address in the /27 block.

B

10.24.7.191

C

10.24.7.127

D

10.24.7.160

Why: A /27 uses blocks of 32 addresses. The block containing .158 is 10.24.7.128 through 10.24.7.159, so .159 is the broadcast address.
Q2
mediumFull explanation →

Which two statements accurately compare TCP and UDP? (Choose two.)

A

TCP provides connection-oriented transport

Correct. TCP is a connection-oriented transport protocol.

B

UDP guarantees delivery through acknowledgments

C

UDP has lower overhead than TCP

Correct. UDP generally has lower header and session-management overhead.

D

TCP does not use port numbers

E

UDP is always faster because it avoids congestion

Why: TCP is connection-oriented and uses sequencing, acknowledgments, and related controls. UDP is simpler and has lower overhead, but it does not guarantee delivery.
Q3
easyFull explanation →

Which medium is the most common choice for a 10G uplink between wiring closets on different floors of the same building?

A

Rollover cable

B

Fiber optic cable

Correct. Fiber is the standard uplink choice here.

C

Coaxial cable

D

Console cable

Why: Fiber is commonly used for building uplinks because it supports higher bandwidth and longer distances than typical copper for this use case.
Q4
easyFull explanation →

At which OSI layer do routers make forwarding decisions based on logical addressing?

A

Layer 1

B

Layer 2

C

Layer 3

Correct. Layer 3 is the network layer.

D

Layer 4

Why: Routers operate at the network layer when making forwarding decisions based on logical Layer 3 addresses such as IPv4 or IPv6 destination addresses.
Q5
mediumFull explanation →

Which command enables IPv6 routing on a Cisco router?

A

ipv6 unicast-routing

Correct. This is the required global command.

B

ipv6 enable

C

ip routing ipv6

D

ipv6 route enable

Why: The global configuration command 'ipv6 unicast-routing' enables IPv6 forwarding on a Cisco router. 'ipv6 enable' is an interface-level command used to enable IPv6 on a specific interface, not globally. 'ip routing ipv6' and 'ipv6 route enable' are syntactically invalid commands that do not exist in Cisco IOS.
Q6
easyFull explanation →

A host sends traffic to a web server on another subnet. Which address is used as the destination MAC address in the first Ethernet frame sent by the host?

A

The MAC address of the remote web server

B

The MAC address of the local default gateway

Correct. The default gateway is the Layer 2 next hop for remote destinations.

C

The MAC address of the DNS server

D

The broadcast MAC address

Why: When a host wants to communicate with a device on a different subnet, it cannot reach that device directly. The host must send the frame to its default gateway, which is the router that connects to other subnets. Therefore, the destination MAC address in the first Ethernet frame is the MAC address of the local default gateway, not the remote web server (A). The DNS server (C) is used for name resolution, not for forwarding traffic. The broadcast MAC address (D) would send the frame to all devices on the local subnet, which is not appropriate for unicast communication to a remote destination.

Want more Network Infrastructure and Connectivity practice?

Practice this domain
2

Domain 2: Switching and Network Access

25% of exam · 6 sample questions below

All Switching and Network Access questions
Q1
mediumFull explanation →

Which spanning-tree port state listens for BPDUs and participates in STP, but does not learn MAC addresses yet?

A

Blocking

B

Listening

Correct. Listening occurs before learning and forwarding.

C

Learning

D

Forwarding

Why: In the classic 802.1D sequence, the listening state processes BPDUs and prepares for forwarding decisions, but it does not populate the MAC address table yet.
Q2
hardFull explanation →

Switch SW1 sends traffic for VLAN 30 across a trunk to SW2, but hosts in VLAN 30 on SW2 cannot communicate with hosts in VLAN 30 on SW1. Other VLANs work across the trunk. Which trunk issue is most likely?

A

VLAN 30 is pruned or missing from the allowed VLAN list

Native VLAN settings can matter, but they do not best explain why other VLANs still work while VLAN 30 alone fails.

B

The native VLAN is set to 1 on both switches

C

The trunk uses 802.1Q encapsulation

D

SW1 is the STP root bridge

Why: If only one VLAN fails across an otherwise healthy trunk, a missing or filtered VLAN in the allowed list is a common cause. Native VLAN matching and encapsulation would affect broader trunk behavior, not usually just one VLAN in this way.
Q3
mediumFull explanation →

What is a common requirement for interfaces to successfully bundle into an EtherChannel?

A

All member interfaces must use matching speed, duplex, and trunk/access settings

Correct. Mismatched settings commonly prevent bundling.

B

Each interface must belong to a different VLAN

C

Only odd-numbered switch ports can be bundled

D

Each interface must have a different STP path cost

Why: EtherChannel members must have compatible operational and administrative settings, including speed, duplex, and switchport mode.
Q4
mediumFull explanation →

In a router-on-a-stick design, what is configured on the physical router interface connected to the switch?

A

One IP address for every VLAN on the physical interface itself only

B

No subinterfaces; the switch handles all inter-VLAN routing internally

C

Subinterfaces with 802.1Q encapsulation for each routed VLAN

Correct. Subinterfaces with dot1q encapsulation are the key configuration element.

D

A serial encapsulation setting for each VLAN

Why: Router-on-a-stick uses one physical router interface with multiple logical subinterfaces. Each subinterface is associated with a VLAN using 802.1Q encapsulation and gets an IP address for that VLAN. Option A is wrong because IP addresses are configured on subinterfaces, not directly on the physical interface for all VLANs. Option B is wrong because inter-VLAN routing requires a router; the switch alone does not perform inter-VLAN routing in this design. Option D is wrong because serial encapsulation is used for WAN connections, not for VLAN tagging on Ethernet interfaces.
Q5
mediumFull explanation →

Which two functions are commonly handled by a wireless LAN controller in a controller-based deployment? (Choose two.)

A

Centralized management of lightweight APs

Correct. Centralized AP management is a core controller role.

B

Per-host DHCP address assignment on every WLAN

C

Policy enforcement for SSIDs and WLAN settings

Correct. Policy and WLAN settings are commonly centralized on the controller.

D

Providing STP root bridge election for the campus

E

Replacing all Layer 2 switching functions in the access layer

Why: Wireless LAN controllers commonly centralize AP management and apply WLAN policies consistently across access points. They do not replace every switching or DHCP function in the network.
Q6
mediumFull explanation →

A switch receives a unicast frame for a destination MAC address that is not yet in its MAC address table. What does the switch do?

A

Drops the frame immediately

B

Floods the frame out all ports in the same VLAN except the incoming port

Correct. Unknown unicast is flooded within the VLAN.

C

Sends the frame to the default gateway first

D

Converts the frame to a broadcast packet

Why: An unknown unicast frame is flooded within the VLAN because the switch does not yet know which port leads to the destination MAC. The frame is not sent back out the receiving port.

Want more Switching and Network Access practice?

Practice this domain
3

Domain 3: IP Routing

20% of exam · 6 sample questions below

All IP Routing questions
Q1
hardFull explanation →

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

A

The static route, because static routes always win

B

The OSPF route, because 110 is lower than 150

Correct. OSPF is preferred here because AD 110 is lower than 150.

C

Both routes, because administrative distances are different

D

Neither route, because the static route is floating

Why: The route with the lower administrative distance is installed. A static route configured with a higher AD becomes a floating static route and remains as a backup until the preferred route disappears.
Q2
mediumFull explanation →

A router output shows this neighbor state:

Neighbor ID 10.1.1.1   State FULL/DR   Address 192.168.12.1

What does the FULL/DR state indicate?

A

The local router is the DR and adjacency formation has failed

B

The neighbor relationship is complete and the neighbor is the DR on that segment

Correct. The adjacency is complete, and that neighbor is acting as the DR.

C

The routers are exchanging only link-state requests

D

The neighbor has been learned through BGP redistribution

Why: FULL means the OSPF adjacency is fully formed. The /DR suffix indicates that the listed neighbor is the Designated Router for that multiaccess segment.
Q3
mediumFull explanation →

A router learns 10.10.10.0/24 from OSPF and EIGRP at the same time. OSPF reports a metric of 20, and EIGRP reports a metric of 30720. Which route is installed in the routing table by default?

A

The OSPF route, because 20 is lower than 30720

B

The EIGRP route, because its administrative distance is lower

Correct. EIGRP wins because its default administrative distance is lower than OSPF.

C

Both routes, because they point to the same prefix

D

Neither route, because the metrics are not comparable

Why: When the same prefix is learned from different routing protocols, the router compares administrative distance first. EIGRP internal routes use AD 90, while OSPF uses AD 110, so the EIGRP route is preferred.
Q4
hardFull explanation →

A router shows this output:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.2          1   FULL/DR         00:00:34    192.168.12.2    GigabitEthernet0/0
10.1.1.3          1   2WAY/DROTHER    00:00:39    192.168.12.3    GigabitEthernet0/0

Which statement is correct?

A

R1 has failed to form adjacency with 10.1.1.3

B

This can be normal on a broadcast segment where DROTHER routers remain in 2-Way

Correct. This is normal DR/DROTHER behavior on many multiaccess networks.

C

R1 has a duplicate router ID with 10.1.1.3

D

The interface is passive

Why: On broadcast OSPF networks, full adjacency is typically formed with the DR and BDR. DROTHER routers can remain in the 2-Way state with one another and still be operating normally.
Q5
mediumFull explanation →

Which command correctly configures an IPv6 default route using next-hop address 2001:db8:1::1?

A

ipv6 route ::/0 2001:db8:1::1

Correct. This is the valid IOS syntax for an IPv6 default route.

B

ip route :: 2001:db8:1::1

C

ipv6 default-route 2001:db8:1::1

D

ip default-gateway 2001:db8:1::1

Why: The correct IPv6 default route uses the prefix ::/0 with the command 'ipv6 route ::/0'. Option B is wrong because 'ip route' is used for IPv4 routes, not IPv6. Option C uses 'ipv6 default-route', which is not a valid Cisco IOS command. Option D sets the management default gateway for IPv4 only and does not insert a route into the IPv6 routing table.
Q6
mediumFull explanation →

A routing table entry begins with the code C. What does that code indicate?

A

A route learned through EIGRP

B

A connected network

Correct. C means connected.

C

A candidate default route

D

A static route to a classful network

Why: In Cisco routing table output, C indicates a directly connected network. These routes are installed when an interface is up and has an address in that subnet.

Want more IP Routing practice?

Practice this domain
4

Domain 4: Network Services and Security

20% of exam · 6 sample questions below

All Network Services and Security questions
Q1
hardFull explanation →

A router interface applies this ACL inbound:

10 deny tcp any any eq 80

20 permit ip any any

A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

A

The ACL blocks all traffic because the first entry is a deny

B

The ACL blocks HTTP but allows ICMP

Correct. HTTP matches the deny, while ping is permitted by the later broad permit.

C

The ACL permits HTTP because line 20 overrides line 10

D

The ACL blocks ping because ICMP is not explicitly permitted

Why: ACLs are processed top down. Line 10 denies TCP destination port 80, which blocks HTTP. Line 20 then permits all remaining IP traffic, including ICMP echo packets used by ping.
Q2
hardFull explanation →

A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?

A

PortFast

B

Dynamic ARP Inspection

Correct. DAI directly targets ARP spoofing.

C

EtherChannel

D

NetFlow

Why: Dynamic ARP Inspection (DAI) validates ARP packets against trusted binding information learned through DHCP snooping, directly preventing IP-to-MAC spoofing. PortFast is used to speed up STP convergence and does not provide ARP security. EtherChannel aggregates multiple links for bandwidth and redundancy but does not inspect ARP traffic. NetFlow is a traffic accounting and monitoring tool, not a security control for ARP spoofing. Therefore, DAI is the correct additional feature to address IP-to-MAC spoofing.
Q3
mediumFull explanation →

What is a key difference between SNMPv3 and earlier SNMP versions?

A

SNMPv3 supports IPv4 only

B

SNMPv3 adds authentication and encryption features

Correct. Stronger security is the primary differentiator.

C

SNMPv3 cannot be used for monitoring interface counters

D

SNMPv3 replaces syslog completely

Why: SNMPv3 improves security by adding authentication, message integrity, and privacy features. Earlier versions, especially SNMPv1 and v2c, rely on community strings and provide much weaker protection.
Q4
mediumFull explanation →

In AAA, what does the second A stand for?

A

Application

B

Accounting

C

Authorization

Correct. The second A is Authorization.

D

Auditing

Why: AAA stands for Authentication, Authorization, and Accounting. Authorization determines what an authenticated user is allowed to do.
Q5
mediumFull explanation →

Which ACL type can filter using source and destination IP addresses as well as TCP or UDP port numbers?

A

Standard IPv4 ACL

B

Extended IPv4 ACL

Correct. Extended ACLs support the granularity described.

C

Prefix list

D

Native VLAN ACL

Why: Extended ACLs provide more granular matching, including source, destination, protocol, and Layer 4 port information.
Q6
mediumFull explanation →

Which wireless security method is considered strongest among these choices for modern enterprise WLAN deployments?

A

WEP

B

WPA

C

WPA2 with AES

Correct. WPA2 with AES is the strongest listed option.

D

Open authentication

Why: WPA2 with AES provides substantially stronger security than WEP, legacy WPA, or open authentication. In current enterprise environments, WPA2 and WPA3 are the expected baseline approaches depending on platform support.

Want more Network Services and Security practice?

Practice this domain
5

Domain 5: AI and Network Operations

10% of exam · 6 sample questions below

All AI and Network Operations questions
Q1
mediumFull explanation →

An API client sends a valid GET request and receives an HTTP 200 response. What does that indicate?

A

The resource was deleted successfully

B

The request was successful

Correct. HTTP 200 means the request succeeded.

C

Authentication permanently failed

D

The server requires a reboot

Why: HTTP 200 indicates a successful request. For a GET operation, it generally means the server successfully returned the requested resource representation.
Q2
mediumFull explanation →

Why is version control valuable for network automation files?

A

It increases interface bandwidth

B

It tracks changes and allows rollback to earlier versions

Correct. Change tracking and rollback are major benefits.

C

It replaces the need for device backups

D

It guarantees that configuration changes are error free

Why: Version control systems help teams track who changed what, compare revisions, and restore earlier states when needed. That improves operational discipline but does not guarantee correctness by itself.
Q3
mediumFull explanation →

Why is version control useful for network automation scripts?

A

It automatically fixes coding mistakes

B

It tracks changes and supports rollback and review

Correct. Tracking and rollback are the key benefits.

C

It removes the need for API authentication

D

It replaces the device operating system

Why: Version control provides change history, collaboration, and rollback options for scripts and infrastructure-as-code files.
Q4
mediumFull explanation →

What is a main operational benefit of a controller-based networking architecture?

A

It removes the need for IP addressing

B

It centralizes policy and can simplify network-wide changes

Correct. Centralized policy is a major benefit.

C

It eliminates the data plane on switches

D

It forces all routes to become static

Why: Controller-based architectures centralize the control plane, enabling network-wide policy management and simplifying changes. This is the correct answer because it accurately describes the primary operational benefit. Option A is wrong because controller-based architectures still require IP addressing for management and communication. Option C is wrong because the data plane on switches remains operational for local forwarding; only the control plane may be centralized. Option D is wrong because dynamic routing protocols can still be used, and routes are not forced to be static.
Q5
mediumFull explanation →

What is a northbound API in a controller-based network architecture?

A

An interface used by the controller to program forwarding tables on switches

B

An interface used by applications to communicate with the controller

Correct. Northbound means application-to-controller communication.

C

A dedicated out-of-band management port on the controller

D

A wireless uplink between access points and the controller

Why: Northbound APIs allow external applications, dashboards, and automation tools to interact with the controller. Southbound APIs are used by the controller to communicate with the network devices it manages.
Q6
easyFull explanation →

Which HTTP method is commonly used to retrieve information from a REST API without modifying the resource?

A

POST

B

GET

Correct. GET retrieves data.

C

PUT

D

DELETE

Why: GET is the standard HTTP method for retrieving a resource representation without changing the resource.

Want more AI and Network Operations practice?

Practice this domain

Frequently asked questions

How many questions are on the 200-301 exam?

The 200-301 exam has 100 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco certification exam page before booking.

What types of questions appear on the 200-301 exam?

CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration scenario questions.

How are 200-301 questions organised by domain?

The exam covers 5 domains: Network Infrastructure and Connectivity, Switching and Network Access, IP Routing, Network Services and Security, AI and Network Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 200-301 exam questions?

No. These are original exam-style practice questions written against the official Cisco 200-301 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 1367 200-301 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all 200-301 questionsTake a timed practice test