Scenario-based practice

Hard Difficulty Questions

Practise CCNA 200-301 v2 questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: 200-301 | Vendor: Cisco

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port. What is the most likely operational result?

Question 2 (hard)

You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The current configuration has a wrong subnet mask on G0/0, missing default gateway for IPv4, and R1's IPv6 address is configured using EUI-64 while R2 uses a static IPv6 address. Fix these issues so that R1 can ping both R2's IPv4 and IPv6 addresses.

Exhibit

R1#show running-config
Building configuration...

hostname R1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::/64 eui-64
 no shutdown
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 address 2001:db8:2::1/64
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
end

R2#show running-config
Building configuration...

hostname R2
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ipv6 address 2001:db8:1::2/64
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
end

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.0.2.1       YES manual up                    up
GigabitEthernet0/1     198.51.100.1    YES manual up                    up

R1#ping 192.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 2001:db8:1::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:db8:1::2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Question 3 (hard, multiple choice)

A small office uses PAT for user Internet access. What mechanism does PAT use to allow many users to share one public address while keeping their sessions distinct?

Question 4 (hard, multiple choice)

A switchport is configured for 802.1X authentication. What is the usual role of the RADIUS server in that design?

Question 5 (hard, multiple choice)

A switch shows a clock that is several minutes off from other devices even though an NTP server has been configured. Which issue is the most likely cause?

Exhibit

show ntp associations
 address         ref clock     st when poll reach delay offset disp
*~10.10.50.5     .INIT.        16   -   64    0  0.000  0.000 16000
Configured server: 10.10.50.5

Question 6 (hard, multiple choice)

Why is idempotency valuable in network automation?

Question 7 (hard, multiple choice)

A network engineer is troubleshooting OSPFv3 adjacency between two directly connected Cisco routers, R1 and R2, both running IOS-XE. The engineer configures OSPFv3 on both routers but notices that the adjacency does not form. The engineer runs 'show ospfv3 neighbor' on R1 and sees no neighbors. What is the most likely cause of this issue?

Exhibit

R1# show ospfv3 neighbor

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface

R1# show ipv6 interface brief
GigabitEthernet0/0   [up/up]
    FE80::1
GigabitEthernet0/1   [up/up]
    FE80::2

R1# show running-config | section router ospfv3
router ospfv3 1
 address-family ipv6
  router-id 1.1.1.1
  area 0
  interface GigabitEthernet0/0
  interface GigabitEthernet0/1

R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ipv6 address FE80::1 link-local
 ipv6 ospfv3 1 ipv6 area 0
!

Question 8 (hard, multiple choice)

Exhibit: Users report no internet access after PAT was configured. The inside and outside interfaces are marked correctly. Which missing configuration is the most likely cause?

Exhibit

Configured:
interface G0/0
 ip nat inside
interface G0/1
 ip nat outside
No translations appear in 'show ip nat translations'.

Question 9 (hard, multiple choice)

A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?

Exhibit

interface GigabitEthernet1/0/9
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

Event:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on PortFast enabled port. Disabling interface.

Question 10 (hard, multiple choice)

An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. What is the most likely cause of the failure?

Exhibit

Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: Unknown
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x00000001
Handle: 0x81000001

Current Policy: DEFAULT

Server Policies:
    Vlan Group: Vlan: 10

Method status list:
   Method           State
   dot1x            Authc Success

Question 11 (hard, multiple choice)

Which statement best describes why a token might be used in an API request instead of sending a username and password with every request?

Question 12 (hard)

Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.

Question 13 (hard, scenario)

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

Question 14 (hard, multiple choice)

Two routers are directly connected over IPv6 and should form an OSPFv3 adjacency, but they do not. Link-local addressing is present on both interfaces. Which issue is most likely to prevent the adjacency?

Question 15 (hard, multiple choice)

A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---
--- 203.0.113.11       192.168.1.11       ---                ---
--- 203.0.113.12       192.168.1.12       ---                ---
--- 203.0.113.13       192.168.1.13       ---                ---
--- 203.0.113.14       192.168.1.14       ---                ---
--- 203.0.113.15       192.168.1.15       ---                ---
--- 203.0.113.16       192.168.1.16       ---                ---
--- 203.0.113.17       192.168.1.17       ---                ---
--- 203.0.113.18       192.168.1.18       ---                ---
--- 203.0.113.19       192.168.1.19       ---                ---
--- 203.0.113.20       192.168.1.20       ---                ---
--- 203.0.113.21       192.168.1.21       ---                ---
--- 203.0.113.22       192.168.1.22       ---                ---
--- 203.0.113.23       192.168.1.23       ---                ---
--- 203.0.113.24       192.168.1.24       ---                ---
--- 203.0.113.25       192.168.1.25       ---                ---
--- 203.0.113.26       192.168.1.26       ---                ---
--- 203.0.113.27       192.168.1.27       ---                ---
--- 203.0.113.28       192.168.1.28       ---                ---
--- 203.0.113.29       192.168.1.29       ---                ---
--- 203.0.113.30       192.168.1.30       ---                ---

Question 16 (hard, multiple choice)

A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?

Network Topology
SW1# show etherchannel summary
H - Hot-standby (LACP only)
u - unsuitable for bundling
d - default port
Number of aggregators: 1
Group  Port-channel  Protocol  Ports

Question 17 (hard, multiple choice)

A router has a default route and a specific route to 203.0.113.0/24. Which route is used for traffic to 203.0.113.25?

Question 18 (hard, multiple choice)

A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?

Exhibit

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
--- 192.0.2.11         10.0.0.11          ---                ---
--- 192.0.2.12         10.0.0.12          ---                ---
--- 192.0.2.13         10.0.0.13          ---                ---
--- 192.0.2.14         10.0.0.14          ---                ---
--- 192.0.2.15         10.0.0.15          ---                ---
--- 192.0.2.16         10.0.0.16          ---                ---
--- 192.0.2.17         10.0.0.17          ---                ---
--- 192.0.2.18         10.0.0.18          ---                ---
--- 192.0.2.19         10.0.0.19          ---                ---

R1# show running-config | include ip nat
ip nat pool MYPOOL 192.0.2.10 192.0.2.19 netmask 255.255.255.240
ip nat inside source list 1 pool MYPOOL

Question 19 (hard, multiple choice)

R1 and R2 are directly connected. Both are configured in OSPF area 0, and they can successfully ping each other. However, OSPF neighbor adjacency fails. R1's interface is configured with `ip ospf authentication message-digest` and a valid key, while R2's interface has no OSPF authentication configured. What is the most likely cause?

Exhibit

R1#
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
!
router ospf 10
 network 10.1.12.0 0.0.0.255 area 0

R2#
interface GigabitEthernet0/0
 ip address 10.1.12.2 255.255.255.0
!
router ospf 10
 network 10.1.12.0 0.0.0.255 area 0

Question 20 (hard, multi select)

R1 learns the route 192.0.2.0/24 via OSPF, RIP, and a static route configured with an administrative distance of 130. Based on this information, which two statements are correct?

Exhibit

show ip route 192.0.2.0
Routing entry for 192.0.2.0/24
  Known via "ospf 1", distance 110, metric 20, type intra area
  Last update from 10.1.12.2 on GigabitEthernet0/0

Configured routes:
ip route 192.0.2.0 255.255.255.0 10.1.13.3 130

RIP also advertises 192.0.2.0/24 with distance 120.

These 200-301 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-301 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.