CCNA Topics Need a Lab Map, Not Just a Checklist
The official CCNA 200-301 topic list is useful, but it is not a study plan by itself. If you only read the objectives, you can recognize words without being able to configure, verify, or troubleshoot anything. If you only build random Packet Tracer labs, you can spend hours on tasks that do not map cleanly to the exam.
This blueprint turns the current Cisco domains into an action plan: what to know, what to lab, what to drill, and what to review last.
Use Cisco as the source of truth. Cisco's 200-301 CCNA exam page lists Implementing and Administering Cisco Solutions (200-301 CCNA) v1.1 as a 120-minute exam tied to the CCNA certification, priced at U.S. $300 or Cisco Learning Credits. Cisco also publishes the current CCNA v1.1 exam topics PDF, which defines the six domains and weights, and Cisco's v1.1 update article explains the added AI, machine learning, cloud management, and updated automation emphasis.
CCNA 200-301 Exam Facts at a Glance
| Item | Detail |
|---|---|
| Exam code and version | 200-301 CCNA v1.1 (effective August 20, 2024) |
| Length | 120 minutes |
| Questions | About 100 to 120 (Cisco does not publish an exact count) |
| Question types | Multiple choice, multiple response, drag-and-drop, simulations |
| Cost | $300 USD plus tax, or Cisco Learning Credits |
| Delivery | Pearson VUE test center or online proctored |
| Prerequisites | None required |
| Passing score | Not published by Cisco; scaled, commonly cited near 825/1000 (unofficial) |
| Certification validity | 3 years |
| Domains | 6 (see weights below) |
A few things candidates get wrong: you cannot skip a question and come back to it, the scaled score is not a simple percentage, and the 825 figure is a community estimate, not a Cisco number. Build a margin and do not aim to scrape a pass.
The Six Official CCNA Domains
| Domain | Weight | What it means for study |
|---|---|---|
| Network Fundamentals | 20% | Concepts, devices, cabling, topology, IP basics, wireless basics |
| Network Access | 20% | Switching, VLANs, trunks, STP, EtherChannel, wireless architectures |
| IP Connectivity | 25% | Routing, subnetting, IPv4/IPv6, static routes, OSPF, routing tables |
| IP Services | 10% | DHCP, DNS, NAT, NTP, SNMP, syslog, QoS basics |
| Security Fundamentals | 15% | ACLs, device access, Layer 2 security, AAA, wireless security |
| Automation and Programmability | 10% | APIs, JSON, controllers, configuration management, AI/ML awareness |
The immediate lesson is that IP Connectivity cannot be an afterthought. It is the largest domain and also the place where weak subnetting, routing-table reading, OSPF gaps, and IPv6 confusion compound.
The second lesson is that 10% domains still matter. IP Services and Automation are smaller, but they often contain compact topics where a little focused practice produces reliable points.
The third lesson is that the verbs matter. Cisco objectives that say configure and verify deserve hands-on labs. Objectives that say interpret deserve command-output drills. Objectives that say compare or describe deserve quick decision tables. This is where many syllabus pages stop too early: they list the nouns, but they do not tell you what action proves readiness.
Domain 1: Network Fundamentals
Network Fundamentals is not just "OSI model and cables." It is the vocabulary layer for everything else. Your goal is to explain how traffic moves across hosts, switches, routers, wireless infrastructure, cloud-connected networks, and small office networks.
Lab and drill targets:
- Identify routers, Layer 2 switches, Layer 3 switches, firewalls, access points, controllers, endpoints, servers, and PoE devices in diagrams.
- Compare two-tier, three-tier, spine-leaf, WAN, SOHO, on-premises, and cloud topologies.
- Explain TCP vs. UDP with ports, reliability, and use cases.
- Practice IPv4 addressing and subnetting until block sizes are automatic.
- Configure and verify IPv6 addressing and prefixes, and identify address types: global unicast, unique local, link-local, anycast, multicast, and Modified EUI-64.
- Verify IP parameters on client operating systems (Windows, macOS, Linux) using ipconfig and ifconfig/ip equivalents.
- Explain switching concepts: MAC learning and aging, frame switching, frame flooding, and the MAC address table.
- Explain virtualization fundamentals: server virtualization, containers, and VRFs.
- Describe wireless principles: nonoverlapping Wi-Fi channels, SSID, RF, and encryption.
- Recognize interface and cable issues such as speed mismatch, duplex mismatch, errors, and collisions.
- Explain private IPv4 space and why NAT appears later in IP Services.
Best lab: build a small topology with two LANs, a router, one switch per LAN, and a server. Label every device role, IP subnet, gateway, and cable type. Then explain the packet path from host A to server B, and confirm the host's IP parameters with ipconfig or ip addr.
Common mistake: memorizing the OSI layers without connecting each layer to troubleshooting evidence. If a link light is down, that is physical. If MAC learning is wrong, that is Layer 2. If the default gateway is wrong, that is Layer 3.
Domain 2: Network Access
Network Access is where CCNA candidates move from "networks exist" to "I can build the switching edge." The concepts are practical: VLANs, trunks, inter-VLAN routing, EtherChannel, STP, and wireless architecture.
Lab and drill targets:
- Create VLANs and assign access ports.
- Configure 802.1Q trunks and verify allowed VLANs.
- Explain native VLAN risk and mismatch behavior.
- Configure router-on-a-stick or switched virtual interfaces for inter-VLAN routing.
- Build Layer 2/Layer 3 EtherChannel with LACP and verify the bundle state.
- Interpret Rapid PVST+ behavior: root bridge (primary/secondary), port states and roles, PortFast, and BPDU/root/loop guard.
- Use Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP) to map neighbors.
- Compare Cisco wireless architectures and AP modes, and describe WLAN physical connections (AP, WLC, access/trunk ports, and LAG).
- Interpret a wireless LAN controller GUI to create a WLAN, set security, and apply QoS profiles.
Best lab: three switches, three VLANs, two trunks, one EtherChannel, and one routed gateway. Break one trunk allowed VLAN list and use show commands to find the symptom. Add a WLC and build one WLAN through the GUI.
Common mistake: treating VLANs as IP subnets. VLANs are Layer 2 broadcast domains. IP subnets are Layer 3 address boundaries. They often align, but they are not the same thing.
Domain 3: IP Connectivity
This is the CCNA make-or-break domain. It is the largest domain at 25%, and it is where theory and hands-on thinking meet.
Your non-negotiable skills:
- Subnet quickly and accurately.
- Interpret every routing-table component: routing protocol code, prefix, network mask, next hop, administrative distance, metric, and gateway of last resort.
- Predict how a router forwards by default: longest prefix match first, then administrative distance, then metric.
- Configure and verify IPv4 and IPv6 static routes: default, network, host, and floating static.
- Configure and verify single-area OSPFv2: neighbor adjacencies, point-to-point vs. broadcast (DR/BDR selection), and router ID.
- Recognize IPv6 address types and routing basics.
- Describe the purpose, functions, and concepts of first hop redundancy protocols.
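
The forwarding decision in the list above, as an added Python example (not from Cisco or the original article). It installs one route per prefix by lowest administrative distance and then lowest metric, and forwards on the longest installed prefix; the routes, next hops, and metrics are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # destination network in CIDR form
    source: str    # routing-table code: "O" = OSPF, "S" = static
    ad: int        # administrative distance
    metric: int
    next_hop: str

# Constructed candidate routes (documentation ranges, not from a real device).
CANDIDATES = [
    Route("0.0.0.0/0",    "S", 1,   0,  "203.0.113.1"),   # default route
    Route("10.1.0.0/16",  "O", 110, 20, "192.0.2.2"),
    Route("10.1.20.0/24", "O", 110, 30, "192.0.2.6"),
    Route("10.1.20.0/24", "O", 110, 12, "192.0.2.10"),
    Route("10.1.20.0/24", "S", 200, 0,  "192.0.2.14"),    # floating static
]

def build_table(candidates):
    """Per prefix, install the candidate with lowest AD, then lowest metric."""
    table = {}
    for route in candidates:
        net = ipaddress.ip_network(route.prefix)
        best = table.get(net)
        if best is None or (route.ad, route.metric) < (best.ad, best.metric):
            table[net] = route
    return table

def lookup(table, destination):
    """Forward on the longest installed prefix that contains the destination."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in table if dst in net]
    if not matches:
        return None  # no match and no gateway of last resort: packet is dropped
    return table[max(matches, key=lambda net: net.prefixlen)]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("10.1.20.5", "10.1.99.1", "198.51.100.7"):
        r = lookup(table, dst)
        print(dst, "->", r.prefix, r.source, f"[{r.ad}/{r.metric}]", "via", r.next_hop)
```

The static default has the lowest administrative distance in the table, yet it only carries traffic that no longer prefix matches, and the floating static takes over the /24 only when the OSPF candidates disappear.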
Subnetting should be a daily warm-up, not a weekend event. Use 10 minutes per day:
| Task | Target speed |
|---|---|
| Find block size for /25 through /30 | Under 10 seconds |
| Identify network and broadcast address | Under 30 seconds |
| Calculate usable range | Under 45 seconds |
| Choose a mask for required host count | Under 45 seconds |
| VLSM allocation for three LANs | Under 5 minutes |
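
An answer checker for the drills in the table above, added here as a Python example rather than taken from the original article. It picks the mask for a host count, allocates VLSM subnets largest-first, and reports network, broadcast, and usable range; the parent block and LAN sizes in the demo are constructed.

```python
import ipaddress

def mask_for_hosts(hosts):
    """Longest prefix whose usable host count (2^h - 2) covers `hosts`."""
    for prefixlen in range(30, 0, -1):
        if 2 ** (32 - prefixlen) - 2 >= hosts:
            return prefixlen
    raise ValueError("host count too large for IPv4")

def describe(net):
    """Network, broadcast, usable range and block size for a /30 or shorter."""
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "block_size": net.num_addresses,
    }

def vlsm(parent, requirements):
    """Allocate largest-first so every subnet starts on its own block boundary."""
    parent = ipaddress.IPv4Network(parent)
    cursor = int(parent.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefixlen = mask_for_hosts(hosts)
        size = 2 ** (32 - prefixlen)
        cursor = -(-cursor // size) * size   # round up to a multiple of the block size
        net = ipaddress.IPv4Network((cursor, prefixlen))
        if not net.subnet_of(parent):
            raise ValueError(f"{parent} is too small for {name}")
        plan[name] = net
        cursor += size
    return plan

if __name__ == "__main__":
    # Constructed drill: three LANs carved out of one /24.
    for name, net in vlsm("192.168.10.0/24", {"A": 100, "B": 50, "C": 12}).items():
        print(name, net, describe(net))
```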
Best lab: three routers in a triangle, three LANs, one OSPF area, one static default route, and one intentionally wrong wildcard mask. Verify neighbors, routes, and end-to-end reachability.
Common mistake: using ping as the only verification tool. Ping tells you reachability; it does not tell you whether the path is correct, whether OSPF is healthy, or whether a route is learned the way you think.
Domain 4: IP Services
IP Services is only 10%, but it appears everywhere in real networks. It also produces scenario questions because services have clear symptoms.
Lab and drill targets:
- Configure DHCP pools and excluded addresses.
- Explain DHCP relay.
- Configure and verify NAT/PAT.
- Explain DNS lookup flow and common record types.
- Read basic syslog severity and purpose.
- Explain NTP and why time matters for logs and authentication.
- Describe SNMP managers, agents, traps, and versions.
- Explain per-hop behavior (PHB) for QoS: classification, marking, queuing, congestion, policing, and shaping.
- Describe the capabilities and functions of TFTP and FTP in the network.
Note on weights: the official blueprint places inside source NAT (static and pools) and NTP in IP Services, while access control lists and Layer 2 security live in Security Fundamentals. Lab them together, but tag each objective to the correct domain when you review.
Best lab: create an inside LAN that uses DHCP, reaches an outside network through PAT, logs to a syslog server, and uses NTP. Then break NAT and identify whether the symptom is addressing, routing, or translation.
Common mistake: seeing NAT as security. NAT changes address representation; it is not a substitute for firewall policy.
Domain 5: Security Fundamentals
Security on CCNA is practical network security, not a full cybersecurity certification. You need to know how to restrict management access, filter traffic, protect switchports, understand wireless security, and recognize AAA concepts.
Lab and drill targets:
- Define key security concepts: threats, vulnerabilities, exploits, and mitigation techniques.
- Describe security program elements: user awareness, training, and physical access control.
- Configure and verify device access control using local passwords; describe password policy elements and alternatives such as multifactor authentication, certificates, and biometrics.
- Describe IPsec remote-access and site-to-site VPNs at a conceptual level.
- Configure standard and extended ACLs, and place them in the correct direction and interface.
- Secure device management with SSH.
- Disable unused ports and use port security.
- Configure and verify Layer 2 security: DHCP snooping, Dynamic ARP Inspection, and port security; recognize common Layer 2 attacks.
- Compare authentication, authorization, and accounting (AAA), including RADIUS and TACACS+.
- Describe wireless security protocols (WPA, WPA2, WPA3) and configure a WLAN in the GUI using WPA2 PSK.
Best lab: build two VLANs and write an ACL that permits one application while denying another. Verify with source and destination tests. Then explain why the ACL belongs close to the source or destination depending on standard vs. extended behavior.
Common mistake: forgetting implicit deny. If you write an ACL and do not permit required traffic, you have blocked it.
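
A small model of top-down, first-match ACL evaluation with wildcard masks, added here as a Python example (it is not Cisco code or part of the original article). The ACL entries, addresses, and the list of required flows are constructed for the two-VLAN lab; the check reports which required flows the ACL drops and whether the drop came from an explicit entry or from the implicit deny.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Constructed extended ACL. Each entry:
# (action, protocol, source, source wildcard, destination, destination wildcard, dest port or None)
ACL = [
    ("permit", "tcp", "10.10.10.0", "0.0.0.255", "10.10.20.10", "0.0.0.0", 443),
    ("deny",   "tcp", "10.10.10.0", "0.0.0.255", "10.10.20.10", "0.0.0.0", 23),
]

# Constructed flows the lab must keep working: (protocol, source, destination, dest port)
REQUIRED = {
    "https": ("tcp", "10.10.10.5", "10.10.20.10", 443),
    "dns":   ("udp", "10.10.10.5", "10.10.20.53", 53),
}

def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry index); entries are checked top down, first match wins."""
    for i, (action, p, s, sw, d, dw, port) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if not wildcard_match(src, s, sw) or not wildcard_match(dst, d, dw):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None  # implicit deny: nothing matched

def blocked_required(acl, required):
    """Required flows the ACL drops, and whether the drop was explicit or implicit."""
    blocked = []
    for name, flow in required.items():
        action, idx = evaluate(acl, *flow)
        if action == "deny":
            blocked.append((name, "implicit" if idx is None else f"entry {idx}"))
    return blocked

if __name__ == "__main__":
    print(blocked_required(ACL, REQUIRED))
```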
Domain 6: Automation and Programmability
Effective August 20, 2024, CCNA v1.1 expanded this domain with generative and predictive AI, machine learning, and cloud network management, plus heavier automation emphasis. It is still only 10%, but the topics are compact and very testable, so do not skip them.
The official objectives expect you to:
- Explain how automation impacts network management, and compare traditional networks with controller-based networking.
- Describe controller-based, software-defined architecture: overlay, underlay, and fabric, including separation of the control plane and data plane.
- Distinguish northbound and southbound APIs.
- Explain AI (generative and predictive) and machine learning in network operations, such as anomaly detection and predictive analytics.
- Describe REST-based APIs: authentication types, CRUD operations, HTTP verbs (GET, POST, PUT, PATCH, DELETE), and data encoding.
- Recognize configuration management mechanisms such as Ansible and Terraform.
- Recognize the components of JSON-encoded data.
Best drill: read a small JSON response and identify keys, values, arrays, and nested objects. Then match HTTP verbs to CRUD actions: GET reads, POST creates, PUT/PATCH updates, DELETE removes.
Common mistake: trying to become a developer for CCNA. You need network automation literacy, not deep software engineering.
Choosing a Lab Tool: Packet Tracer vs. CML vs. GNS3
You do not need physical Cisco gear to pass CCNA. Pick one environment you can run consistently and map every lab to an objective.
| Tool | Cost | Best for | Limits |
|---|---|---|---|
| Cisco Packet Tracer | Free with a free Cisco Networking Academy account | Switching, routing, VLANs, ACLs, DHCP, NAT, OSPF, and WLC GUI practice | Simulated, not real IOS; some features behave differently than hardware |
| Cisco Modeling Labs (CML) | Paid (CML Personal license) | Real IOS images, realistic troubleshooting, automation and API labs | Higher resource needs and cost |
| GNS3 / EVE-NG | Free software; you supply images | Mixed-vendor and advanced topologies | Steeper setup; you must source legal device images |
For the vast majority of CCNA objectives, Packet Tracer is enough and is the fastest way to start. Move to CML or GNS3 when you want real IOS output for OSPF, NAT, and API troubleshooting. The tool matters less than the discipline of mapping each lab to an objective and saving verification notes.
The Weekly Lab Blueprint
Use this eight-week lab sequence after you have basic video or reading coverage:
| Week | Lab focus | Practice focus |
|---|---|---|
| 1 | Basic topology, addressing, device roles | Network Fundamentals |
| 2 | VLANs, trunks, inter-VLAN routing | Network Access |
| 3 | EtherChannel and STP behavior | Network Access |
| 4 | Subnetting and static routing | IP Connectivity |
| 5 | OSPF and routing-table verification | IP Connectivity |
| 6 | DHCP, NAT, DNS, NTP, syslog | IP Services |
| 7 | ACLs, SSH, port security, Layer 2 security | Security Fundamentals |
| 8 | JSON, REST, controllers, mixed review | Automation and full practice |
Cisco lists Cisco Modeling Labs as a hands-on way to design, build, and troubleshoot real network environments, and Packet Tracer remains a practical starting point for many associate-level labs. Use whichever environment you can run consistently; the non-negotiable requirement is that each lab has a mapped objective and a verification step.
Every lab should end with three artifacts:
- A topology diagram.
- A table of IP addresses and VLANs.
- A verification note listing the show commands or tests that prove it works.
That habit turns labs into exam evidence. You are not just clicking around; you are learning what correct state looks like.
Final Review Priorities
Your final readiness checklist:
- Subnetting is fast enough that it does not steal exam time.
- You can read a routing table and choose the best route.
- You can configure and verify VLANs, trunks, static routes, OSPF, DHCP, NAT, ACLs, and SSH.
- You can explain common failure symptoms by layer.
- You can read simple JSON and match API methods to actions.
- You know Cisco's official six-domain blueprint and your weakest two domains.
CCNA is not passed by reading the blueprint. It is passed by converting the blueprint into repeatable network decisions. Build, break, verify, review, and then test yourself under time pressure.
