Practise CCNA 200-301 v2 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.
These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.
Quick answer
Hard-difficulty questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port. What is the most likely operational result?
A
The link will not carry multiple VLANs as intended because an access port handles one VLAN only.
This is correct because access mode is the wrong role for a multi-VLAN inter-switch link.
B
The switch automatically converts the access port into a proper trunk.
Why wrong: This is wrong because the device does not simply self-correct the design requirement.
C
The port becomes a routed Layer 3 interface.
Why wrong: This is wrong because access-port configuration does not create a routed port.
D
The VLANs are summarized into one prefix automatically.
Why wrong: This is wrong because VLAN transport and route summarization are unrelated concepts.
You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The current configuration has a wrong subnet mask on G0/0, missing default gateway for IPv4, and R1's IPv6 address is configured using EUI-64 while R2 uses a static IPv6 address. Fix these issues so that R1 can ping both R2's IPv4 and IPv6 addresses.
Exhibit
R1#show running-config
Building configuration...
hostname R1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::/64 eui-64
 no shutdown
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 address 2001:db8:2::1/64
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
end
R2#show running-config
Building configuration...
hostname R2
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ipv6 address 2001:db8:1::2/64
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
end
R1#show ip interface brief
Interface              IP-Address      OK? Method Status    Protocol
GigabitEthernet0/0     192.0.2.1       YES manual up        up
GigabitEthernet0/1     198.51.100.1    YES manual up        up
R1#ping 192.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 2001:db8:1::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:db8:1::2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
A
Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
This corrects all three issues: the mask matches R2's /30, the default route points to R2's G0/0 IP (192.0.2.2), and the static IPv6 address places R1 on the same subnet as R2's static address 2001:db8:1::2/64.
B
Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.254, and keep the EUI-64 IPv6 address on G0/0.
Why wrong: This is incorrect because the default route points to 192.0.2.254, which is not R2's G0/0 IP (192.0.2.2), so IPv4 traffic will not be forwarded. Also, EUI-64 generates an interface ID from the MAC, which will not match the subnet expected by R2's static address 2001:db8:1::2/64.
C
Change R1 G0/0 subnet mask to /24, add a default route via 192.0.2.2, and configure a static IPv6 address 2001:db8:1::1/64 on G0/0.
Why wrong: This is incorrect because the subnet mask on R1's G0/0 remains /24, which does not match R2's /30. R1 will consider the subnet to be 192.0.2.0/24, while R2 uses 192.0.2.0/30, causing a mismatch that prevents direct communication.
D
Change R1 G0/0 subnet mask to /30, add a default route via 192.0.2.2, and keep the EUI-64 IPv6 address on G0/0.
Why wrong: This is incorrect because while the IPv4 issues are fixed, the IPv6 address generated by EUI-64 will not match the subnet expected by R2's static address 2001:db8:1::2/64. EUI-64 creates an interface ID based on the MAC, which is unpredictable and unlikely to be in the same subnet as R2's static address.
A small office uses PAT for user Internet access. What mechanism does PAT use to allow many users to share one public address while keeping their sessions distinct?
A
Use transport-layer port values to distinguish multiple inside sessions behind one outside address.
This is correct because PAT uses ports to separate many sessions sharing one public IP.
B
Convert all inside hosts to the same private IP address.
Why wrong: This is wrong because PAT does not require all inside hosts to use the same private address.
C
Increase the size of the NAT pool to include multiple public addresses.
Why wrong: This is wrong because disabling the default route would break Internet access rather than improve PAT.
D
Configure static NAT mappings for each inside host.
Why wrong: This is wrong because switchport trunking does not create PAT behavior.
A switch shows a clock that is several minutes off from other devices even though an NTP server has been configured. Which issue is the most likely cause?
Exhibit
show ntp associations
  address       ref clock   st   when   poll   reach   delay   offset   disp
*~10.10.50.5    .INIT.      16   -      64     0       0.000   0.000    16000
Configured server: 10.10.50.5
A
The NTP server is unsynchronized or unreachable
This is correct because NTP requires a reachable, synchronized time source. If the server is unreachable or not synchronized, the switch cannot update its clock, leading to drift.
B
The device must run Syslog before NTP can sync
Why wrong: Syslog is unrelated.
C
NTP requires a trunk port on the management VLAN
Why wrong: NTP needs IP reachability, not a trunk specifically.
D
The clock can sync only if DNS is configured
Why wrong: NTP uses IP connectivity; DNS is optional if using addresses.
A network engineer is troubleshooting OSPFv3 adjacency between two directly connected Cisco routers, R1 and R2, both running IOS-XE. The engineer configures OSPFv3 on both routers but notices that the adjacency does not form. The engineer runs 'show ospfv3 neighbor' on R1 and sees no neighbors. What is the most likely cause of this issue?
Exhibit
R1# show ospfv3 neighbor
OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)
Neighbor ID Pri State Dead Time Interface ID Interface
R1# show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::1
GigabitEthernet0/1 [up/up]
FE80::2
R1# show running-config | section router ospfv3
router ospfv3 1
address-family ipv6
router-id 1.1.1.1
area 0
interface GigabitEthernet0/0
interface GigabitEthernet0/1
R1# show running-config interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ipv6 address FE80::1 link-local
 ipv6 ospfv3 1 ipv6 area 0
!
A
The OSPFv3 process ID must match on both routers.
Why wrong: OSPFv3 process IDs are locally significant and do not need to match for adjacency to form.
B
The interface GigabitEthernet0/0 is missing the 'ospfv3 1 ipv6 area 0' command.
Without this command, OSPFv3 is not enabled on the interface, preventing adjacency formation.
C
The link-local addresses are not in the same subnet.
Why wrong: Link-local addresses are only used for neighbor discovery and do not require subnet matching; they are always on the same link.
D
The router ID 1.1.1.1 is duplicated on R2.
Why wrong: Duplicate router IDs can cause issues, but the 'show ospfv3 neighbor' output would typically show the neighbor in EXSTART or EXCHANGE state, not missing entirely.
Exhibit: Users report no internet access after PAT was configured. The inside and outside interfaces are marked correctly. Which missing configuration is the most likely cause?
Exhibit
Configured:
interface G0/0
 ip nat inside
interface G0/1
 ip nat outside
No translations appear in 'show ip nat translations'.
A
No ACL and nat overload statement identifying inside source addresses
A network administrator notices that a switchport in access mode with PortFast enabled has transitioned to an err-disabled state. What is the most likely cause?
Exhibit
interface GigabitEthernet1/0/9
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
Event:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on PortFast enabled port. Disabling interface.
A
BPDU Guard disabled the PortFast-enabled access port after it received a BPDU.
This is correct because the event message explicitly identifies a BPDU Guard violation.
B
Port security shut down the port because the VLAN was wrong.
Why wrong: This is wrong because the event shown is about BPDUs, not MAC-based port security.
C
DHCP snooping disabled the interface because a host requested an address.
Why wrong: This is wrong because DHCP snooping does not produce this spanning-tree error.
D
EtherChannel suspended the interface because the bundle was incomplete.
Why wrong: This is wrong because the event message points to BPDU Guard, not EtherChannel.
An engineer configures 802.1X port-based authentication on a Cisco IOS-XE switch for a voice VLAN deployment. After applying the configuration, IP phones on interface GigabitEthernet1/0/1 fail to receive a voice VLAN and remain in an unauthenticated state. The switchport is configured as an access port with voice VLAN 10. What is the most likely cause of the failure?
Exhibit
Interface: GigabitEthernet1/0/1
MAC Address: aaaa.bbbb.cccc
IP Address: Unknown
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A1B2C3D4E5F6G7H8I9J
Acct Session ID: 0x00000001
Handle: 0x81000001
Current Policy: DEFAULT
Server Policies:
Vlan Group: Vlan: 10
Method status list:
Method State
dot1x Authc Success
A
Re-authenticate the phone using 'dot1x reauthenticate interface Gi1/0/1'
Why wrong: Re-authentication would not change the domain assignment because the port is still in single-host mode.
B
Configure 'authentication host-mode multi-domain' on the interface
This command allows the switch to authorize both data and voice domains separately on the same port, enabling the phone to receive the voice VLAN.
C
Add 'switchport voice vlan 10' under the interface
Why wrong: The voice VLAN is already configured; the issue is not the VLAN assignment but the authentication domain.
D
Change the port to 'authentication port-control force-authorized'
Why wrong: This would bypass 802.1X entirely, which is not desired for a secure deployment and would not resolve the domain issue.
Drag and drop the following steps into the correct order to configure a Cisco IOS-XE router as a DHCP server for a client VLAN and then enable a DHCP relay agent on a different interface to forward client requests to a remote server.
A
Enter global configuration mode, create the DHCP pool, configure the network and default gateway, exclude addresses, enable DHCP relay on the required interface, and verify.
Why wrong: This is the correct sequence: first enter global configuration mode, then create the DHCP pool with network and default gateway, exclude addresses to prevent conflicts, enable DHCP relay on the interface that needs to forward requests, and finally verify the configuration.
B
Enter global configuration mode, enable DHCP relay on the required interface, create the DHCP pool, configure the network and default gateway, exclude addresses, and verify.
This is incorrect because DHCP relay should be configured after the DHCP pool is created and addresses are excluded, not before. The relay configuration depends on the interface and the DHCP server address, which is independent of the pool, but the logical order is to set up the server first.
C
Enter global configuration mode, create the DHCP pool, enable DHCP relay on the required interface, configure the network and default gateway, exclude addresses, and verify.
This is incorrect because the network and default gateway must be configured within the DHCP pool before excluding addresses. The pool configuration includes the network and default gateway, and excluding addresses is part of the pool configuration.
D
Enter global configuration mode, exclude addresses, create the DHCP pool, configure the network and default gateway, enable DHCP relay on the required interface, and verify.
Correct order: exclusions first to protect reserved addresses, then pool configuration, relay agent, and verification.
You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.
Exhibit
R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
A
Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
This correctly sets the outside interface (G0/0) and inside interface (G0/1), corrects the ACL to match the LAN subnet, and applies PAT using the correct ACL and outside interface. The static NAT is already correctly configured.
B
Configure G0/0 as inside, G0/1 as outside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/1 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
Why wrong: This is incorrect because the interface assignments are swapped: G0/0 (public) should be outside, not inside. PAT must be applied to the outside interface (G0/0), not G0/1.
C
Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.2.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
Why wrong: This is incorrect because ACL 1 still permits the wrong subnet (192.168.2.0/24) instead of the correct inside subnet (192.168.1.0/24). PAT would not translate traffic from the LAN.
D
Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 2 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
Why wrong: This is incorrect because the PAT command references ACL 2, but ACL 2 is not defined or does not match the inside subnet. The correct ACL is ACL 1 after modification.
Two routers are directly connected over IPv6 and should form an OSPFv3 adjacency, but they do not. Link-local addressing is present on both interfaces. Which issue is most likely to prevent the adjacency?
A
The interfaces are assigned to different OSPFv3 areas.
This is correct because OSPF neighbors on the same segment must agree on the area for adjacency formation.
B
The routers need matching hostnames before OSPFv3 can start.
Why wrong: This is wrong because hostnames do not determine OSPFv3 adjacency formation.
C
IPv6 requires a /64 only for routing protocols to function.
Why wrong: This is wrong because the specific adjacency issue here is best explained by a protocol mismatch, not a blanket statement about all IPv6 routing.
D
OSPFv3 cannot run on directly connected interfaces.
Why wrong: This is wrong because OSPFv3 is designed to run on directly connected interfaces.
A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?
A
The NAT pool is exhausted because it contains only 21 addresses, and more than 21 internal hosts are trying to access the Internet simultaneously.
Why wrong: While pool exhaustion is possible, the output shows many translations already, and the symptom is that external hosts cannot initiate connections—a problem that would persist even with a larger pool if overload is not used.
B
The router is configured for dynamic NAT without overload (PAT), so it assigns one public IP per inside host and does not allow inbound connections without a static mapping.
The absence of protocol/port in the translations indicates one-to-one dynamic NAT without overload. This explains why internal hosts can initiate outbound traffic (they get a public IP) but external hosts cannot reach internal hosts (no return path).
C
The inside local addresses are not in the same subnet as the inside interface, causing asymmetric routing.
Why wrong: The inside local addresses (192.168.1.x) are typical private IPs and are assumed to be correctly configured on the inside interface. The translations show them mapping to public IPs, so routing is likely symmetric.
D
The outside global addresses are not routable on the Internet, so external hosts cannot send return traffic.
Why wrong: The public IPs shown (203.0.113.x) are from the TEST-NET-3 range, which is not globally routable. However, this is a common documentation range used in examples; in a real network, these would be replaced with routable IPs. The question assumes they are routable for the scenario.
A network engineer configures an EtherChannel between two Cisco switches SW1 and SW2 using LACP. After configuration, hosts connected to SW1 report intermittent connectivity to hosts on SW2. The engineer checks the EtherChannel status and sees that the trunk is up but only allows VLAN 1, while the hosts communicate across VLANs 10 and 20. Which command should the engineer apply to both switches to resolve the issue?
Network Topology
A
channel-group 1 mode active
Why wrong: The ports are already in LACP active mode (as shown by the protocol being LACP and the ports being bundled). Reapplying this command will not fix the intermittent connectivity.
B
switchport trunk allowed vlan 1,10,20
This command ensures that all member ports of the EtherChannel have the same VLAN list. Inconsistent allowed VLANs across member ports can cause traffic to be dropped intermittently. Applying this to all member interfaces on both switches resolves the issue.
C
lacp rate fast
Why wrong: This command changes the LACP rate to fast, which sends LACP packets every second instead of every 30 seconds. This would not cause intermittent connectivity; it is used for faster failure detection.
D
switchport mode trunk
Why wrong: The ports are already configured as trunk ports (the Po1 is Layer2 and trunking is implied). Reapplying this command will not resolve the intermittent connectivity.
A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?
Exhibit
R1# show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  192.0.2.10      10.0.0.10      ---             ---
---  192.0.2.11      10.0.0.11      ---             ---
---  192.0.2.12      10.0.0.12      ---             ---
---  192.0.2.13      10.0.0.13      ---             ---
---  192.0.2.14      10.0.0.14      ---             ---
---  192.0.2.15      10.0.0.15      ---             ---
---  192.0.2.16      10.0.0.16      ---             ---
---  192.0.2.17      10.0.0.17      ---             ---
---  192.0.2.18      10.0.0.18      ---             ---
---  192.0.2.19      10.0.0.19      ---             ---
R1# show running-config | include ip nat
ip nat pool MYPOOL 192.0.2.10 192.0.2.19 netmask 255.255.255.240
ip nat inside source list 1 pool MYPOOL
A
The inside local addresses are not properly defined in the access list.
Why wrong: The access list is not shown, but the translations are present, indicating that the access list is matching the correct internal hosts.
B
The NAT pool is exhausted; configure PAT to allow multiple hosts to share a single public IP.
The pool has only 10 addresses, and once all are used, new translations fail. PAT allows many internal hosts to share a single public IP by using unique port numbers.
C
The outside interface is not configured with the ip nat outside command.
Why wrong: If the outside interface were missing this command, no translations would be created at all, but translations are present.
D
The inside interface is not configured with the ip nat inside command.
Why wrong: Similar to option C, translations are present, indicating that the inside interface is correctly configured.
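Added example (not part of the original question bank): a simplified Python model of the two NAT behaviours tested above, the PAT question earlier on this page and this pool-exhaustion exhibit. It reuses the exhibit's pool 192.0.2.10 to 192.0.2.19; the class names, the twelve inside hosts and the port-allocation policy are assumptions made for illustration.

```python
"""Simplified model: one-to-one dynamic NAT pool versus PAT (overload)."""
import ipaddress


class DynamicNat:
    """One-to-one dynamic NAT: each inside host consumes a whole pool address."""

    def __init__(self, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.table = {}  # inside local -> inside global (no protocol, no port)

    def translate(self, inside_ip):
        if inside_ip in self.table:
            return self.table[inside_ip]
        if not self.free:
            return None  # pool exhausted: the new host gets no translation
        self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]


class Pat:
    """PAT: many inside (ip, port) pairs share one global IP, told apart by port."""

    def __init__(self, global_ip, first_port=1024, last_port=65535):
        self.global_ip = global_ip
        self.ports = range(first_port, last_port + 1)
        self.out = {}   # (proto, inside ip, inside port) -> global port
        self.back = {}  # (proto, global port) -> (inside ip, inside port)

    def translate(self, proto, inside_ip, inside_port):
        key = (proto, inside_ip, inside_port)
        if key not in self.out:
            # Assumed policy: keep the source port if it is free on the
            # global address, otherwise take the lowest free port.
            port = inside_port
            if (proto, port) in self.back:
                port = next((p for p in self.ports
                             if (proto, p) not in self.back), None)
                if port is None:
                    return None  # every port on the shared address is in use
            self.out[key] = port
            self.back[(proto, port)] = (inside_ip, inside_port)
        return (self.global_ip, self.out[key])

    def reverse(self, proto, global_port):
        """Map return traffic back to the inside host that owns the port."""
        return self.back.get((proto, global_port))


def demo():
    # Constructed input: twelve inside hosts, two more than the pool holds.
    hosts = [f"10.0.0.{n}" for n in range(10, 22)]

    nat = DynamicNat("192.0.2.10", "192.0.2.19")
    dropped = [h for h in hosts if nat.translate(h) is None]

    # Every host deliberately uses the same source port to force a collision.
    pat = Pat("192.0.2.10")
    flows = [pat.translate("tcp", h, 50000) for h in hosts]
    return dropped, flows, pat


if __name__ == "__main__":
    dropped, flows, _ = demo()
    print("dynamic NAT, no translation for:", dropped)
    print("PAT translations:", flows)
```

With the ten-address pool the eleventh and twelfth hosts get no translation, while PAT maps all twelve flows onto one address with distinct ports.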
R1 and R2 are directly connected. Both are configured in OSPF area 0, and they can successfully ping each other. However, OSPF neighbor adjacency fails. R1's interface is configured with `ip ospf authentication message-digest` and a valid key, while R2's interface has no OSPF authentication configured. What is the most likely cause?
Exhibit
R1#
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
!
router ospf 10
 network 10.1.12.0 0.0.0.255 area 0
R2#
interface GigabitEthernet0/0
 ip address 10.1.12.2 255.255.255.0
!
router ospf 10
 network 10.1.12.0 0.0.0.255 area 0
A
The routers are in different OSPF areas.
Why wrong: This is wrong because both routers place the subnet into area 0.
B
The OSPF authentication settings do not match.
This is correct because one side expects MD5 authentication and the other side is not shown with matching authentication.
C
The routers need identical hostnames before adjacency can form.
Why wrong: This is wrong because hostnames do not determine OSPF adjacency.
D
The subnet mask prevents OSPF multicast traffic.
Why wrong: This is wrong because the /24 mask does not block OSPF multicast here.
R1 learns the route 192.0.2.0/24 via OSPF, RIP, and a static route configured with an administrative distance of 130. Based on this information, which two statements are correct?
Exhibit
show ip route 192.0.2.0
Routing entry for 192.0.2.0/24
Known via "ospf 1", distance 110, metric 20, type intra area
Last update from 10.1.12.2 on GigabitEthernet0/0
Configured routes:
ip route 192.0.2.0 255.255.255.0 10.1.13.3 130
RIP also advertises 192.0.2.0/24 with distance 120.
A
The OSPF route is installed because its administrative distance is lower than RIP and the floating static route.
For the same /24 prefix, OSPF AD 110 beats RIP 120 and static 130.
B
The static route will be preferred because static routes always beat dynamic routes.
Why wrong: Only if the static route has a lower AD than the competing routes.
C
The static route acts as a backup and can be installed if the OSPF route disappears.
With AD 130, it is a classic floating static route.
D
RIP wins because its metric is lower than OSPF cost.
Why wrong: Different routing protocols are compared by AD first, not by their internal metrics.
E
All three routes should load-balance because the prefix length is the same.
Why wrong: Equal prefix length alone is not enough; the route source and attributes do not match for ECMP here.
These 200-301 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-301 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.