The Cisco CCNA 200-301 is the gold standard entry-level networking certification. It proves you can configure, troubleshoot, and operate enterprise networks — Cisco’s routers and switches specifically — and it opens doors that no CompTIA cert can match in the Cisco-heavy enterprise world.
The challenge is obvious: Cisco hardware is expensive. A used Cisco 2811 router runs $30–100 on eBay, switches cost more, and you need multiple devices to build anything realistic. That adds up fast.
The good news: you can pass the CCNA without buying a single piece of hardware. Cisco itself provides a free simulation tool, and the open-source community has built professional-grade alternatives that run real IOS images in software.
This guide covers everything you need — the tools, the labs, and the approach — organized around the five CCNA exam domains.
The CCNA 200-301 Exam Domains
| Domain | Weight |
|---|---|
| 1.0 Network Fundamentals | 20% |
| 2.0 Network Access | 20% |
| 3.0 IP Connectivity | 25% |
| 4.0 IP Services | 10% |
| 5.0 Security Fundamentals | 15% |
| 6.0 Automation and Programmability | 10% |
Domain 3 (IP Connectivity) is the biggest at 25% — routing protocols, static routes, and path selection. You cannot learn this from slides alone. You need to configure it, watch it work, and break it.
Setting Up Your Lab Environment
Option 1: Cisco Packet Tracer (Free — Best Starting Point)
Cisco Packet Tracer is Cisco’s own simulator and it’s completely free with a free Cisco NetAcad account. It doesn’t run real IOS — it’s a simulation — but it covers 80–90% of what the CCNA tests.
- Download at netacad.com
- Includes routers, switches, wireless APs, firewalls, PCs, and servers
- Great for VLANs, OSPF, EIGRP, ACLs, NAT, STP, and basic configs
- Cisco’s own CCNA labs are built in Packet Tracer
Start here if you’re new to the CCNA. Get comfortable with the CLI before moving to GNS3.
Option 2: GNS3 (Free — Runs Real IOS)
GNS3 runs actual Cisco IOS images, making your lab behavior identical to real hardware. This is the closest you’ll get to the real exam environment without buying equipment.
- Download at gns3.com
- Download and install the GNS3 VM (VirtualBox or VMware) for best performance
- Requires Cisco IOSv or CSR1000v images (freely available for personal lab use with a Cisco account)
- Integrates with VirtualBox so your simulated routers can talk to real VMs
Option 3: EVE-NG Community Edition (Free — Best for Complex Topologies)
EVE-NG (Emulated Virtual Environment) runs as a VM and supports larger, more complex topologies than GNS3. The community edition is free and extremely powerful.
- Ideal once you’re comfortable with GNS3 basics
- Web-based interface — you manage your lab from a browser
- Supports Cisco IOS, IOS-XE, and many other vendors
Supporting VMs to Run Alongside Your Network
| VM | Purpose |
|---|---|
| Ubuntu Server 22.04 | DHCP, DNS, web server, syslog target |
| Kali Linux | Packet capture, scanning, verification |
| Windows 10/11 | Client machine, RADIUS/AD testing |
Domain 1: Network Fundamentals (20%)
This domain covers the OSI model, TCP/IP stack, Ethernet, IPv4/IPv6 addressing, and basic switching concepts. It’s heavy on theory but you can anchor it with fast, practical labs.
Lab 1 — Subnetting Until It’s Automatic
Subnetting is the CCNA’s biggest stumbling block and it appears in every other domain. The exam doesn’t give you a calculator.
Master the block-size method:
Given: 172.16.0.0/20
Block size: 256 - 240 = 16
Subnets: 172.16.0.0, 172.16.16.0, 172.16.32.0 ...
Hosts per subnet: 4096 - 2 = 4094 usable
Broadcast of first: 172.16.15.255
Practice with these mask values until you can work them instantly: /24, /25, /26, /27, /28, /29, /30. Use network.it-learn.io to drill subnetting flashcards and practice questions.
The exam will give you a network and ask you to identify valid hosts, the broadcast address, or how many subnets fit within a given block. Slowness here costs you points everywhere.
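The block-size method above written out as a small Python function and cross-checked against the standard library's `ipaddress` module. This is an added example, not part of the original guide; the function names are illustrative, and it generalizes the single /20 case to any prefix from /1 to /30.

```python
import ipaddress

def block_size_method(cidr):
    """Solve a subnet with hand arithmetic only (valid for /1 to /30)."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in addr.split(".")]
    idx = (prefix - 1) // 8                    # octet where the mask boundary falls
    mask_octet = 256 - (1 << (8 - (prefix - idx * 8)))
    block = 256 - mask_octet                   # e.g. 256 - 240 = 16 for /20
    # Round the interesting octet down to a multiple of the block size.
    net = octets[:idx] + [octets[idx] // block * block] + [0] * (3 - idx)
    # The broadcast is one address below the next block boundary.
    bcast = net[:idx] + [net[idx] + block - 1] + [255] * (3 - idx)
    first = net[:3] + [net[3] + 1]
    last = bcast[:3] + [bcast[3] - 1]
    dotted = lambda o: ".".join(map(str, o))
    return {
        "mask_octet": mask_octet,
        "block": block,
        "network": dotted(net),
        "broadcast": dotted(bcast),
        "first_host": dotted(first),
        "last_host": dotted(last),
        "usable": (1 << (32 - prefix)) - 2,
    }

def matches_stdlib(cidr):
    """Cross-check the hand method against Python's ipaddress module."""
    hand = block_size_method(cidr)
    ref = ipaddress.ip_network(cidr, strict=False)
    return (hand["network"] == str(ref.network_address)
            and hand["broadcast"] == str(ref.broadcast_address)
            and hand["usable"] == ref.num_addresses - 2)

if __name__ == "__main__":
    # Constructed practice inputs; the first is the worked example from the lab.
    for cidr in ("172.16.0.0/20", "192.168.1.77/27", "10.1.2.3/30"):
        result = block_size_method(cidr)
        print(cidr, result, "ok" if matches_stdlib(cidr) else "MISMATCH")
```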
Lab 2 — Read and Analyze Ethernet Frames with Wireshark
The CCNA expects you to understand what happens at Layer 2. Wireshark lets you see it directly.
Install Wireshark on Kali Linux and capture traffic on your lab network. Filter for ARP:
arp
Watch what happens when a device doesn’t know a MAC address — it broadcasts an ARP request, gets a reply, and caches the result. Run:
```bash
# Clear ARP cache on Linux
sudo ip neigh flush all

# Ping another VM and watch ARP fire
ping 192.168.56.20
```
You’ll see the ARP request (broadcast) and reply (unicast) before the first ICMP packet. This makes Layer 2 addressing and MAC tables completely concrete.
Domain 2: Network Access (20%)
This domain covers VLANs, trunking, Spanning Tree Protocol, EtherChannel, and wireless. It’s the core of campus switching.
Lab 3 — Configure VLANs, Trunks, and Inter-VLAN Routing
This is one of the most common CCNA exam topics. Build this topology in Packet Tracer or GNS3:
```
[PC1 - VLAN 10] ---\
                    [SW1] ---[trunk]--- [R1]
[PC2 - VLAN 20] ---/
```
On the switch:
! Create VLANs
SW1(config)# vlan 10
SW1(config-vlan)# name SALES
SW1(config)# vlan 20
SW1(config-vlan)# name ENGINEERING
! Assign access ports
SW1(config)# interface gi0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config)# interface gi0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 20
! Configure trunk to router
SW1(config)# interface gi0/24
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20
On the router (Router-on-a-Stick):
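! Bring up the physical interface; the subinterfaces depend on it
R1(config)# interface gi0/0
R1(config-if)# no shutdown
! One subinterface per VLAN, tagged with that VLAN ID
R1(config)# interface gi0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config)# interface gi0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0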
Verify connectivity between VLANs:
PC1> ping 192.168.20.10
Then break it: remove the trunk encapsulation and watch it fail. Remove inter-VLAN routing and confirm PCs in different VLANs can’t talk. Understanding why it breaks is what the exam actually tests.
Lab 4 — Spanning Tree Protocol: Watch It Work
STP prevents Layer 2 loops. The exam tests root bridge election, port roles, and port states.
Build a three-switch loop in Packet Tracer:
```
[SW1] --- [SW2]
    \     /
     [SW3]
```
Run this on each switch:
SW1# show spanning-tree vlan 1
SW1# show spanning-tree detail
Identify the root bridge, root ports, designated ports, and blocking ports. Then manually force a different root:
SW2(config)# spanning-tree vlan 1 priority 4096
Watch the topology reconverge. Understand PortFast and when to use it (access ports connecting to end devices):
SW1(config)# interface gi0/1
SW1(config-if)# spanning-tree portfast
Lab 5 — Configure EtherChannel
EtherChannel bundles multiple physical links into one logical link, providing both redundancy and increased bandwidth. The exam tests LACP vs PAgP vs static.
! Configure LACP EtherChannel between SW1 and SW2
SW1(config)# interface range gi0/1-2
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# exit
SW1(config)# interface port-channel 1
SW1(config-if)# switchport mode trunk
! Verify
SW1# show etherchannel summary
SW1# show interfaces port-channel 1
Domain 3: IP Connectivity (25%) — The Biggest Domain
This domain covers static routing, OSPF, and how routers make forwarding decisions. It’s 25% of the exam and the most lab-heavy section.
Lab 6 — Static Routes: Default, Summary, and Floating
Before dynamic routing, you need to understand static routes completely.
Build a simple three-router topology:
```
[PC] --- [R1: 10.0.12.1] --- [R2: 10.0.12.2 / 10.0.23.1] --- [R3: 10.0.23.2] --- [Server]
192.168.1.0/24                                                              192.168.3.0/24
```
Configure static routes:
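! On R1 — reach the far network via R2
R1(config)# ip route 192.168.3.0 255.255.255.0 10.0.12.2
! On R2: it is directly connected to neither LAN, so it needs a route to each
R2(config)# ip route 192.168.1.0 255.255.255.0 10.0.12.1
R2(config)# ip route 192.168.3.0 255.255.255.0 10.0.23.2
! On R3 — return route back to R1's network
R3(config)# ip route 192.168.1.0 255.255.255.0 10.0.23.1
! Default static route (points all unknown traffic toward ISP)
R1(config)# ip route 0.0.0.0 0.0.0.0 10.0.12.2
! Floating static route (backup, higher AD = only used when primary fails).
! It must use a different next hop than the primary; 10.0.13.3 is a hypothetical
! backup link from R1 to R3 that is not drawn in the topology above.
R1(config)# ip route 192.168.3.0 255.255.255.0 10.0.13.3 254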
Verify with show ip route and traceroute. Understanding when to use a default route vs. a specific static route vs. a floating static route is exam-tested directly.
Lab 7 — Configure and Troubleshoot OSPFv2
OSPF is the dynamic routing protocol you must know cold for the CCNA. It’s on the exam in configure, verify, and troubleshoot scenarios.
Using the same three-router topology:
R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.12.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# passive-interface gi0/0 ! No OSPF hellos toward PC
R2(config)# router ospf 1
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 10.0.12.0 0.0.0.255 area 0
R2(config-router)# network 10.0.23.0 0.0.0.255 area 0
R3(config)# router ospf 1
R3(config-router)# router-id 3.3.3.3
R3(config-router)# network 10.0.23.0 0.0.0.255 area 0
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
Essential verification commands — know these cold:
R1# show ip ospf neighbor ! Are adjacencies forming?
R1# show ip ospf interface brief ! Area, cost, state, neighbor count per interface
R1# show ip ospf interface ! Full detail, including hello/dead intervals
R1# show ip route ospf ! What routes has OSPF learned?
R1# show ip protocols ! OSPF process ID, router ID, networks
Now troubleshoot it: change the hello interval on one side and watch the neighbor relationship drop:
! Use the R2-facing interface (assumed to be gi0/1 here; gi0/0 is passive toward the PC)
R1(config)# interface gi0/1
R1(config-if)# ip ospf hello-interval 20
Neighbors won’t form (hello/dead mismatch). Fix it and watch adjacency come back. OSPF neighbor issues are one of the most common exam troubleshooting scenarios.
Domain 4: IP Services (10%)
This domain covers NAT, NTP, DHCP, DNS, SNMP, Syslog, and QoS.
Lab 8 — Configure NAT Overload (PAT)
PAT (Port Address Translation) lets many internal devices share one public IP — it’s how every home router works, and it’s a key CCNA topic.
! Define inside/outside interfaces on R1
R1(config)# interface gi0/0
R1(config-if)# ip nat inside
R1(config)# interface gi0/1
R1(config-if)# ip nat outside
! Create an ACL to match internal traffic
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
! Configure PAT using the outside interface IP
R1(config)# ip nat inside source list 1 interface gi0/1 overload
! Verify
R1# show ip nat translations
R1# show ip nat statistics
Generate traffic from an inside host and watch the NAT translation table fill up. You’ll see internal IPs mapping to the outside interface IP with different port numbers — that’s PAT in action.
Lab 9 — Configure DHCP on a Cisco Router
The exam tests Cisco router DHCP (not just knowing what DHCP does):
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp pool LAN_POOL
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 8.8.8.8
R1(dhcp-config)# lease 1
! Verify
R1# show ip dhcp pool
R1# show ip dhcp binding
R1# show ip dhcp conflict
Configure a client PC to get its IP automatically and verify it receives the right address, gateway, and DNS.
Domain 5: Security Fundamentals (15%)
This domain covers ACLs, port security, VPNs, AAA, and wireless security.
Lab 10 — Configure and Troubleshoot ACLs
Access Control Lists are one of the most tested CCNA topics. The exam tests both standard and extended ACLs, placement, and rule order.
Standard ACL (filters by source IP only — place close to destination):
! Deny PC1 (192.168.10.10) from reaching Server VLAN
R1(config)# access-list 10 deny 192.168.10.10
R1(config)# access-list 10 permit any
R1(config)# interface gi0/1
R1(config-if)# ip access-group 10 out
Extended ACL (filters by source, destination, protocol, port — place close to source):
! Allow only web traffic from SALES to SERVER, deny everything else
R1(config)# ip access-list extended SALES_TO_WEB
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.10 eq 80
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.30.10 eq 443
R1(config-ext-nacl)# deny ip any any
! Apply inbound on the SALES-facing interface
R1(config)# interface gi0/1
R1(config-if)# ip access-group SALES_TO_WEB in
! Verify hits
R1# show ip access-lists
The critical rule to remember: ACLs have an implicit deny all at the end. If you don’t explicitly permit traffic, it gets dropped. This causes more exam mistakes than anything else in this domain.
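A simplified model of how a router walks an ACL, using the two ACLs from this lab, to make first-match evaluation, wildcard masks, and the implicit deny concrete. This is an added example, not Cisco code or part of the original guide; the function names and sample flows are constructed, and it models only protocol, source, destination, and a single destination port.

```python
import ipaddress

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(ip, base, wildcard):
    """IOS wildcard logic: 0 bits must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

SALES = ("192.168.10.0", "0.0.0.255")
WEB = host("192.168.30.10")

# Entries: (action, protocol, source, destination, destination port or None)
SALES_TO_WEB = [
    ("permit", "tcp", SALES, WEB, 80),
    ("permit", "tcp", SALES, WEB, 443),
    ("deny", "ip", ANY, ANY, None),
]
ACL_10 = [
    ("deny", "ip", host("192.168.10.10"), ANY, None),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins. Returns (action, entry number); entry 0 is the implicit deny."""
    for number, (action, acl_proto, source, dest, port) in enumerate(acl, start=1):
        if acl_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *source) or not wildcard_match(dst, *dest):
            continue
        if port is not None and port != dport:
            continue
        return action, number
    return "deny", 0

if __name__ == "__main__":
    # Constructed sample flows: HTTPS to the server, SSH to the server, DNS to 8.8.8.8
    flows = [("tcp", "192.168.10.25", "192.168.30.10", 443),
             ("tcp", "192.168.10.25", "192.168.30.10", 22),
             ("udp", "192.168.10.25", "8.8.8.8", 53)]
    for flow in flows:
        print(flow, evaluate(SALES_TO_WEB, *flow))
    # Drop "permit any" from ACL 10 and every source is denied, not only PC1.
    print(evaluate(ACL_10[:1], "ip", "192.168.10.11", "192.168.30.10"))
```

Reordering the list so that `deny ip any any` comes first makes entry 1 match every flow, which is the rule-order mistake the exam likes to test.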
Lab 11 — Configure Port Security on a Switch
Port security limits which MAC addresses can use a switch port — protecting against rogue devices and MAC flooding attacks.
SW1(config)# interface gi0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security violation restrict
! Verify
SW1# show port-security interface gi0/1
SW1# show port-security address
Test it: connect a third device and watch the violation counter increment. Change the violation mode to shutdown and watch the port go into err-disabled state. Practice recovering it:
SW1(config)# interface gi0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
Domain 6: Automation and Programmability (10%)
This domain covers SDN concepts, the differences between data/control/management planes, REST APIs, JSON, YANG, and basic Python for network automation.
Lab 12 — Query a REST API with Python
The CCNA doesn’t require deep coding skills, but you need to understand how to interact with a REST API.
Install Python and the requests library:
```bash
pip install requests
```
Query Cisco’s DevNet sandbox (free) or your own local device API:
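```python
import json

import requests

# Example: GET request to a RESTCONF API (ietf-interfaces YANG model)
url = "https://sandbox-iosxe-latest-1.cisco.com/restconf/data/ietf-interfaces:interfaces"

headers = {
    "Accept": "application/yang-data+json",
    "Content-Type": "application/yang-data+json",
}

# verify=False turns off TLS certificate validation. Lab devices commonly present
# self-signed certificates, which is why it appears here; against your own devices,
# pass verify="/path/to/ca.pem" so the server's identity is actually checked.
response = requests.get(
    url,
    auth=("developer", "C1sco12345"),
    headers=headers,
    verify=False,
    timeout=10,
)
response.raise_for_status()  # stop on 401/404 instead of parsing an error body

# Parse and print the JSON response
data = response.json()
print(json.dumps(data, indent=2))
```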
This shows you REST (GET method), authentication, JSON format, and YANG data models — all exam topics — in a single working script.
Cisco’s DevNet Sandbox at developer.cisco.com/site/sandbox has always-on free labs with IOS-XE devices you can reach without any setup.
Recommended Study Stack
| Resource | Cost | Best for |
|---|---|---|
| Jeremy’s IT Lab (YouTube) | Free | Best free CCNA video series, covers every topic |
| Cisco Packet Tracer | Free | Switching, routing, and protocol labs |
| GNS3 + IOSv | Free | Real IOS behavior, complex topologies |
| Cisco DevNet Sandbox | Free | Automation and REST API labs |
| network.it-learn.io | Free | Flashcards and practice questions |
| Neil Anderson on Udemy | ~$15 (sale) | Structured video + hands-on labs |
| Wendell Odom OCG | ~$50 | The definitive CCNA book (two volumes) |
| Boson NetSim | ~$109 | Best commercial simulator for CCNA |
Study Tips That Actually Work
1. Learn the CLI by typing, not reading. Every command in this guide should go through your fingers in a real lab. Muscle memory matters when the exam clock is running.
2. Use show commands as much as the config commands. The CCNA exams heavily test your ability to read output from show ip route, show ip ospf neighbor, show interfaces, and show spanning-tree. Know what healthy output looks like and what broken output looks like.
3. Do Jeremy’s IT Lab labs, not just the videos. Jeremy (jeremysitlab.com) provides free Packet Tracer lab files matched to every video. Use them.
4. Break things on purpose. Set up a working topology and then deliberately misconfigure one thing. Figure out what broke and why. This is exactly what the exam’s troubleshooting questions test.
5. Subnetting is non-negotiable. You will see subnetting on the CCNA exam multiple times, embedded in routing, ACL, and design questions. If you’re slow at it, you lose time across the entire exam.
The Difference Between CCNA and Network+
If you already have your CompTIA Network+, here’s how the CCNA compares:
| | Network+ | CCNA |
|---|---|---|
| Vendor | Vendor-neutral | Cisco-specific |
| Depth | Broad concepts | Deep configuration |
| CLI | Minimal | Extensive |
| Routing protocols | Conceptual | Configure and troubleshoot |
| Industry recognition | Strong in IT generalist roles | Required for network engineer roles |
| Difficulty | Moderate | Harder |
The CCNA is harder, more hands-on, and more specific — but it’s also more valuable for networking-focused roles. If you want to be a network engineer, the CCNA is the credential hiring managers look for.
What’s Next After CCNA?
| Path | Next Certification | Focus |
|---|---|---|
| Enterprise networking | CCNP Enterprise | Advanced routing, SD-WAN, wireless |
| Security | CCNA Security / CyberOps Associate | Cisco security fundamentals |
| Cloud | AWS Solutions Architect Associate | Cloud infrastructure |
| Automation | DevNet Associate | Network programmability and APIs |
| Wireless | CCNA Wireless / CWNP | Enterprise wireless design |
Start Today
You don’t need to build all 12 labs at once. Start here:
- Install Cisco Packet Tracer — configure a basic router with an IP address and ping between two hosts (15 minutes)
- Build a VLAN lab — create two VLANs on a switch and configure inter-VLAN routing (45 minutes)
- Configure OSPF between two routers and verify the neighbor relationship forms
That’s one solid study session and you’ll already understand more about how enterprise networks work than most people who just read a book.
The CCNA is a serious exam — but it’s absolutely passable with lab time and the right resources. Good luck. 🌐
