Roughly one in five candidates fails the CCNA on their first try. Not because the material is impossible. Because they walked in having read about networking instead of having answered questions under a ticking clock.
That’s the gap this 2026 CCNA practice test is built to close. You’ve studied the theory. You can explain OSPF to a friend. But the real exam doesn’t ask you to explain anything; it asks you to pick the right answer in about 70 seconds, again and again, for two hours straight.
Here’s what you’ll get below: a free set of exam-style questions across all six CCNA domains, each with the correct answer and a plain explanation of why the other options are wrong. We pulled these from the kinds of mistakes our live students actually make. Work through them honestly, mark the ones you miss, and you’ll know exactly where your prep is thin.
Let’s start with how the exam works in 2026, then get to the questions.
How the CCNA 200-301 Exam Works in 2026
Quick answer: it’s one exam, 120 minutes, around 100 to 120 questions, and you need 825 out of 1000 to pass.

The current blueprint is CCNA 200-301 version 1.1, which Cisco released on 20 August 2024 and kept live through 2026. It still has six domains, but v1.1 added generative AI, machine learning, and cloud network management topics, and leaned harder into automation. So if your study notes are from 2023, parts of them are stale.
The exam isn’t all multiple choice. You’ll hit drag-and-drop matching, multiple-select questions, and simulation-style items (simlets and testlets) where you read router output and answer based on what you see. Those simulations trip people up the most.
Here’s how the six domains are weighted. Spend your study time accordingly:
| Domain | Exam Weight |
|---|---|
| Network Fundamentals | 20% |
| Network Access | 20% |
| IP Connectivity | 25% |
| IP Services | 10% |
| Security Fundamentals | 15% |
| Automation and Programmability | 10% |
IP Connectivity is the heaviest single domain at 25%, so subnetting and routing pull real weight. You can see the full objective list on the official Cisco CCNA exam topics page.

Now, the questions. Each section matches one exam domain.
Network Fundamentals Practice Questions (20%)
This domain covers OSI and TCP/IP models, cabling, IPv4 and IPv6 addressing, and subnetting basics.

Q1. How many usable host addresses are in a /27 subnet?
A) 32
B) 30
C) 14
D) 62
Answer: B (30). A /27 leaves 5 host bits, so 2^5 = 32 total addresses. Subtract the network and broadcast addresses and you get 30 usable hosts. Option A counts the network and broadcast as usable, which the exam never accepts. C is a /28 (14 hosts), D is a /26 (62 hosts).
Q2. Which IPv6 address type always begins with the prefix FE80::/10?
A) Global unicast
B) Unique local
C) Link-local
D) Multicast
Answer: C (Link-local). Every IPv6 interface auto-generates a link-local address in the FE80::/10 range. Global unicast starts 2000::/3, unique local starts FC00::/7, and multicast starts FF00::/8.
Q3. What is the valid host range for the network 192.168.10.0/26?
A) 192.168.10.0 to 192.168.10.63
B) 192.168.10.1 to 192.168.10.63
C) 192.168.10.1 to 192.168.10.62
D) 192.168.10.1 to 192.168.10.254
Answer: C. A /26 holds 64 addresses (.0 to .63). The network is .0, the broadcast is .63, so usable hosts run .1 to .62. This is the single most common subnetting mistake we see: candidates forget to drop the broadcast address.
Q4. Which OSI layer handles logical addressing and path selection?
A) Data Link (Layer 2)
B) Network (Layer 3)
C) Transport (Layer 4)
D) Session (Layer 5)
Answer: B (Network). Layer 3 manages IP addressing and routing decisions. Layer 2 deals with MAC addresses and switching. Layer 4 handles segmentation and ports (TCP/UDP).
Q5. Which cable do you use to connect a PC directly to a router for initial console access?
A) Straight-through Ethernet
B) Crossover Ethernet
C) Rollover (console) cable
D) Fibre patch cable
Answer: C. The rollover cable (often RJ-45 to USB on modern laptops) connects to the device’s console port for out-of-band setup. Straight-through and crossover cables carry data traffic, not console sessions.
Q6. A host has IP 172.16.5.130/25. What is its network address?
A) 172.16.5.0
B) 172.16.5.128
C) 172.16.5.64
D) 172.16.5.192
Answer: B (172.16.5.128). A /25 splits the last octet into blocks of 128: the 0 subnet (.0 to .127) and the 128 subnet (.128 to .255). Address .130 falls in the second block, so the network is .128.
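The by-hand method behind Q1, Q3 and Q6, written out as an added example (not part of the original question bank). It uses plain bit operations so each step mirrors the mask-and-block reasoning in the answers; the 192.168.10.0/27 input used to check Q1 is a constructed sample, and the /31 and /32 handling goes beyond the questions above.

```python
# Added example: subnet arithmetic with plain bit operations, so every
# step matches the by-hand method used in the Q1, Q3 and Q6 answers.

def to_int(dotted):
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_facts(cidr):
    """Return network, broadcast, usable range and usable host count."""
    addr_text, len_text = cidr.split("/")
    prefix_len = int(len_text)
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length: {prefix_len}")
    host_bits = 32 - prefix_len
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = to_int(addr_text) & mask            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)    # host bits set
    total = 1 << host_bits
    if host_bits >= 2:
        # Normal case: drop the network and broadcast addresses.
        first, last, usable = network + 1, broadcast - 1, total - 2
    else:
        # /31 (RFC 3021 point-to-point) and /32 (host route) have no
        # separate network/broadcast address to subtract.
        first, last, usable = network, broadcast, total
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable_hosts": usable,
    }

if __name__ == "__main__":
    # Q3 and Q6 use the page's addresses; the /27 address is constructed.
    for cidr in ("192.168.10.0/27", "192.168.10.0/26", "172.16.5.130/25"):
        print(cidr, subnet_facts(cidr))
```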
When Priya started our live CCNA program, she could recite subnet masks but froze on questions like Q6. We had her drill 20 subnetting questions a day for two weeks. By her mock exam she was solving them in under 30 seconds. She passed with an 879. The fix wasn’t more theory, it was reps under time pressure.
Network Access Practice Questions (20%)
This domain covers VLANs, trunking, spanning tree, EtherChannel, and wireless access.
Q7. Which switchport mode allows a single interface to carry traffic for multiple VLANs?
A) Access
B) Trunk
C) Dynamic auto
D) Blocking
Answer: B (Trunk). A trunk port tags frames (usually with 802.1Q) so it can carry many VLANs over one link. An access port belongs to a single VLAN. “Dynamic auto” is a DTP negotiation state, not a final mode, and “blocking” is an STP state.
Q8. By default, which switch becomes the spanning tree root bridge?
A) The switch with the highest MAC address
B) The switch with the lowest bridge ID
C) The switch with the most ports
D) The newest switch on the network
Answer: B. The root is the switch with the lowest bridge ID (priority plus MAC). Since default priority is the same (32768) on every switch, the lowest MAC address wins the tie. Want the deeper version of how this plays out per VLAN? Read our guide on per-VLAN spanning tree (PVST) explained.
Q9. What encapsulation protocol does Cisco use for VLAN trunking on modern switches?
A) ISL
B) 802.1Q
C) CDP
D) LACP
Answer: B (802.1Q). The IEEE 802.1Q standard inserts a 4-byte tag into the Ethernet frame to identify the VLAN. ISL is Cisco’s legacy method, now deprecated. CDP is a discovery protocol, and LACP negotiates EtherChannel.
Q10. Port security is configured with a maximum of 1 MAC address and violation mode shutdown. A second MAC appears. What happens?
A) The frame is dropped silently
B) The port enters err-disabled state
C) The port keeps forwarding and logs a message
D) The new MAC replaces the old one
Answer: B (err-disabled). Shutdown mode disables the port and sets it to err-disabled, requiring manual recovery. “Protect” drops frames silently (option A), and “restrict” drops frames and logs while staying up (option C).
Q11. Which protocol bundles multiple physical links into one logical EtherChannel using an open standard?
A) PAgP
B) LACP
C) STP
D) HSRP
Answer: B (LACP). Link Aggregation Control Protocol (802.3ad) is the vendor-neutral standard. PAgP is Cisco proprietary. STP prevents loops, and HSRP provides gateway redundancy.
Q12. In a lightweight wireless setup, what protocol carries traffic between an access point and the WLC?
A) CAPWAP
B) CDP
C) GRE only
D) Telnet
Answer: A (CAPWAP). Control and Provisioning of Wireless Access Points tunnels both control and data traffic between the AP and the wireless LAN controller. The other options don’t manage AP-to-controller communication.
IP Connectivity Practice Questions (25%)
This is the heaviest domain. It covers routing concepts, static routes, OSPF, and how a router picks the best path.
Q13. What is the default administrative distance of OSPF?
A) 90
B) 110
C) 120
D) 1
Answer: B (110). OSPF’s AD is 110. EIGRP internal is 90, RIP is 120, and a directly connected route is 0. A static route is 1. Lower AD wins when two protocols offer the same route.
Q14. A router has routes to 10.1.1.0/24 via OSPF and 10.1.1.0/24 via a static route. Which does it install?
A) The OSPF route
B) The static route
C) Both, load-balanced
D) Neither, it drops them
Answer: B (the static route). With equal prefix length, the router compares administrative distance. Static (1) beats OSPF (110), so the static route goes in the routing table.
Q15. Which command creates a default route pointing to next hop 203.0.113.1?
A) ip route 0.0.0.0 0.0.0.0 203.0.113.1
B) ip route 203.0.113.1 255.255.255.255 0.0.0.0
C) ip default-gateway 203.0.113.1
D) ip route default 203.0.113.1
Answer: A. The quad-zero route (0.0.0.0 0.0.0.0) matches any destination not found elsewhere. ip default-gateway only works when routing is disabled, like on a switch.
Q16. A router has these routes to the same destination IP. Which one is used to forward the packet?
A) 10.0.0.0/8 via OSPF
B) 10.1.0.0/16 via RIP
C) 10.1.1.0/24 via EIGRP
D) 0.0.0.0/0 static default
Answer: C (10.1.1.0/24). Routers use longest prefix match first, before they ever look at administrative distance. The /24 is the most specific match, so it wins regardless of which protocol learned it.
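The two decisions from Q14 and Q16 modelled side by side, as an added example (not part of the original question bank): administrative distance settles which source gets installed for an identical prefix, and longest prefix match settles which installed route forwards a packet. The destination addresses are constructed samples, and metric comparison within one protocol and equal-cost load balancing are not modelled.

```python
import ipaddress

# Default administrative distances quoted in the Q13 answer.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

def build_rib(candidates):
    """Install step: for each identical prefix keep the lowest-AD source."""
    rib = {}
    for prefix, source in candidates:
        net = ipaddress.ip_network(prefix)
        installed = rib.get(net)
        if installed is None or AD[source] < AD[installed]:
            rib[net] = source
    return rib

def lookup(rib, destination):
    """Forwarding step: of the installed routes that contain the
    destination, use the one with the longest prefix. AD plays no part."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in rib if dst in net]
    if not matches:
        return None  # no route and no default: the packet is dropped
    best = max(matches, key=lambda net: net.prefixlen)
    return str(best), rib[best]

# Q14: the same prefix offered by two sources.
Q14_CANDIDATES = [("10.1.1.0/24", "ospf"), ("10.1.1.0/24", "static")]

# Q16: four different prefixes that all cover the destination.
Q16_CANDIDATES = [
    ("10.0.0.0/8", "ospf"),
    ("10.1.0.0/16", "rip"),
    ("10.1.1.0/24", "eigrp"),
    ("0.0.0.0/0", "static"),
]

if __name__ == "__main__":
    print("Q14 installed:", build_rib(Q14_CANDIDATES))
    rib = build_rib(Q16_CANDIDATES)
    # Constructed destinations: one per prefix length in the Q16 table.
    for dst in ("10.1.1.50", "10.1.2.9", "10.200.0.1", "192.0.2.1"):
        print(dst, "->", lookup(rib, dst))
```

Note the 10.1.2.9 lookup: the RIP-learned /16 forwards the packet even though the static default has a far lower administrative distance, because the two routes are different prefixes and never compete on AD.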
Q17. In OSPF, two routers stay stuck in the EXSTART/EXCHANGE state. What is the most likely cause?
A) Mismatched OSPF process IDs
B) An MTU mismatch on the interfaces
C) Different hostnames
D) Different IOS versions
Answer: B (MTU mismatch). OSPF neighbours that disagree on interface MTU get stuck in EXSTART/EXCHANGE. Process IDs are locally significant and don’t need to match. Hostnames and IOS versions don’t block adjacency.
Q18. What does OSPF use to choose the best path to a destination?
A) Hop count
B) Bandwidth-based cost
C) Lowest IP address
D) Administrative distance
Answer: B (cost). OSPF calculates cost from interface bandwidth (reference bandwidth divided by interface bandwidth) and picks the lowest total. Hop count is RIP’s metric. AD is used to compare different routing sources, not paths within OSPF.

Marcus had eight years on the job and assumed IP Connectivity would be his easy domain. On his first mock he scored 61% on it. The reason? He’d never been tested on longest prefix match versus administrative distance order, like Q16. On the job, the router just worked. The exam wants you to know why. He drilled the order, retook the mock, and hit 88%.
IP Services Practice Questions (10%)
This domain covers NAT, NTP, DHCP, DNS, SNMP, QoS, and syslog.
Q19. Which NAT type maps many private addresses to a single public address using port numbers?
A) Static NAT
B) Dynamic NAT
C) PAT (NAT overload)
D) Twice NAT
Answer: C (PAT). Port Address Translation, also called NAT overload, lets many inside hosts share one public IP by tracking unique source ports. Static NAT is one-to-one, dynamic NAT maps from a pool without port reuse.
Q20. What is the role of a DHCP relay agent (ip helper-address)?
A) It assigns IP addresses directly
B) It forwards DHCP broadcasts to a DHCP server on another subnet
C) It blocks rogue DHCP servers
D) It shortens the lease time
Answer: B. Routers don’t forward broadcasts by default, so ip helper-address converts the client’s DHCP broadcast into a unicast aimed at a server on a different subnet. Blocking rogue servers is DHCP snooping’s job.
Q21. In syslog, which severity level is the most critical?
A) Level 7 (Debugging)
B) Level 5 (Notifications)
C) Level 0 (Emergencies)
D) Level 3 (Errors)
Answer: C (Level 0). Syslog severity runs 0 to 7, and lower numbers are more severe. Level 0 (Emergencies) means the system is unusable. Level 7 (Debugging) is the least urgent. Remember the phrase: “Every Awesome Cisco Engineer Will Need Ice cream Daily.”
Q22. Why does an NTP client care about a server’s stratum number?
A) It sets the time zone
B) It shows how close the source is to an authoritative clock
C) It defines the polling interval
D) It encrypts the time updates
Answer: B. Stratum measures distance from a reference clock. Stratum 1 sits directly on an atomic or GPS source, and each hop away adds one. Lower stratum means a more trusted time source.
Security Fundamentals Practice Questions (15%)
This domain covers ACLs, Layer 2 threats, AAA, VPNs, and wireless security.
Q23. Where should you place a standard ACL for best practice?
A) Closest to the source
B) Closest to the destination
C) On every interface
D) Only on the WAN link
Answer: B (closest to the destination). Standard ACLs filter only on source IP, so placing them near the source could block traffic you meant to allow elsewhere. Extended ACLs, which match source and destination, go closest to the source.
Q24. Which feature stops a rogue DHCP server from handing out addresses?
A) Port security
B) DHCP snooping
C) Dynamic ARP inspection
D) BPDU guard
Answer: B (DHCP snooping). DHCP snooping marks ports as trusted or untrusted and drops DHCP server responses arriving on untrusted ports. DAI protects against ARP spoofing, and BPDU guard protects STP.
Q25. Which wireless security standard is the current recommended option in 2026?
A) WEP
B) WPA
C) WPA2-Personal
D) WPA3
Answer: D (WPA3). WPA3 is the latest standard and fixes weaknesses in WPA2’s handshake. WEP is broken and should never be used. WPA2 is still common but is being phased out.
Q26. In AAA, what does the second “A” (Authorization) control?
A) Who the user is
B) What the user is allowed to do
C) What the user did
D) How fast the user connects
Answer: B. Authentication verifies identity, authorization decides which commands or resources a user can access, and accounting logs what they did. Easy to confuse the first two under pressure.
Q27. What does this ACL line do: access-list 10 deny 192.168.1.0 0.0.0.255?
A) Denies a single host
B) Denies the entire 192.168.1.0/24 network
C) Permits the 192.168.1.0/24 network
D) Denies all traffic
Answer: B. The wildcard mask 0.0.0.255 matches the whole /24 range (the 0 bits must match, the 255 bits are “don’t care”). So this line denies every host from 192.168.1.0 to 192.168.1.255.
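How the wildcard match in Q27 is evaluated, as an added example (not part of the original question bank). It also shows the behaviour the single line hides: a standard ACL ends with an implicit deny, so an ACL containing only the Q27 line blocks every source, not just the /24. The `permit any` line and the test source addresses are constructed for illustration.

```python
import ipaddress

def _to_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_entry(line):
    """Parse a standard numbered ACL line into (action, base, wildcard)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" \
            or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, rest = tokens[2], tokens[3:]
    if rest == ["any"]:
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host" and len(rest) == 2:
        base, wildcard = rest[1], "0.0.0.0"
    elif len(rest) == 2:
        base, wildcard = rest
    elif len(rest) == 1:
        base, wildcard = rest[0], "0.0.0.0"   # bare address means one host
    else:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return action, _to_int(base), _to_int(wildcard)

def wildcard_match(source, base, wildcard):
    """0 bits in the wildcard must match the base; 1 bits are don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return (source & care) == (base & care)

def evaluate(acl_lines, source):
    """First matching entry wins; no match falls through to implicit deny."""
    src = _to_int(source)
    for line in acl_lines:
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action, line
    return "deny", "implicit deny any"

# The Q27 line on its own, then with a constructed permit added after it.
ACL_Q27_ONLY = ["access-list 10 deny 192.168.1.0 0.0.0.255"]
ACL_WITH_PERMIT = ACL_Q27_ONLY + ["access-list 10 permit any"]

if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.2.1", "10.0.0.5"):  # constructed
        print(src, evaluate(ACL_Q27_ONLY, src), evaluate(ACL_WITH_PERMIT, src))
```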
Automation and Programmability Practice Questions (10%)
This domain covers REST APIs, data formats, controller-based networking, and config management tools. Cisco grew this section in v1.1, so don’t skip it.
Q28. Which data format uses curly braces, key-value pairs, and is common in REST APIs?
A) YAML
B) XML
C) JSON
D) CSV
Answer: C (JSON). JavaScript Object Notation uses {} for objects and "key": value pairs. YAML uses indentation, XML uses tags like <key>, and CSV is comma-separated rows.
Q29. Which HTTP method does a REST API use to retrieve data without changing it?
A) POST
B) GET
C) DELETE
D) PUT
Answer: B (GET). GET reads data and is safe to repeat. POST creates, PUT updates or replaces, DELETE removes. Mixing these up is a common exam trap.
Q30. What makes Ansible different from Puppet and Chef?
A) It needs an agent on every device
B) It is agentless and uses SSH or APIs
C) It only works on Cisco gear
D) It can’t push configurations
Answer: B (agentless). Ansible pushes changes over SSH or APIs with no software installed on the managed device. Puppet and Chef use an agent-based pull model. This is the single most-tested automation fact on the CCNA.
Q31. In a controller-based (SDN) network, what does the southbound interface connect?
A) The controller to network applications
B) The controller to the physical network devices
C) Two controllers together
D) The user to the GUI
Answer: B. Southbound APIs (like NETCONF or OpenFlow) run between the controller and the switches and routers it manages. Northbound APIs connect the controller up to applications and orchestration tools.
Q32. What is the main benefit of network automation for a growing team?
A) It removes the need for any network knowledge
B) It applies consistent configs at scale and cuts manual errors
C) It makes the network slower but cheaper
D) It only helps with monitoring
Answer: B. Automation lets one engineer push identical, validated configs across hundreds of devices, which kills the typos that cause outages. It doesn’t replace networking knowledge, it multiplies it. If this domain interests you, our CCNA Automation track goes deeper than the exam requires.
How to Use This CCNA Practice Test to Actually Pass
Answering questions is step one. Turning misses into knowledge is what gets you the score.
Here’s the method our instructors give every student. Take each question you got wrong and write one sentence explaining why the right answer is right. Not the option letter, the reason. If you can’t write that sentence, you don’t know it yet; you just recognized it.
Then group your misses by domain. Three wrong in IP Connectivity and zero in IP Services? You know where tomorrow’s study hour goes. Most candidates spread their time evenly, which wastes it. Target your weak domains.
Time yourself too. On the real exam you get roughly 70 to 75 seconds per question. If a subnetting problem takes you three minutes here, it’ll sink you there. Speed comes from reps, not from rereading.
One honest note about cost and timing before you book. The exam isn’t cheap, and a failed attempt means paying again. Our breakdown of the CCNA exam cost in 2026 lays out the full numbers so there are no surprises. And if you’re still deciding whether CCNA is even the right starting point, the CCNA vs CCNP comparison will help you choose.
When Daniel finished our program last spring, he’d worked through more than 600 practice questions, not 200. He told us the exam felt easier than his mocks. That’s the point. You want test day to feel like a Tuesday, not an ambush. He’s now earning the kind of pay our CCNA salary guide describes, and network roles keep growing per the U.S. Bureau of Labor Statistics.
For extra drilling between study sessions, pair these questions with a CCNA 200-301 workbook from our sister company at SMEnode Labs. Workbook plus live class is how most of our students hit their target on the first try.
Bottom Line
The CCNA 200-301 in 2026 is passable. You need 825 out of 1000, you’ve got two hours, and the questions reward people who practiced under time, not people who only read.
Three takeaways before you go:
- Drill the heavy domains first. IP Connectivity (25%), Network Fundamentals (20%), and Network Access (20%) make up nearly two-thirds of your score.
- Explain every miss in one sentence. Recognition isn’t knowledge. If you can’t say why, study it again.
- Practice at exam speed. Around 70 seconds a question, no notes, no pausing.
You’ve seen 32 questions here. The free bank has more than 200, sorted by domain with a clean answer key.
Download all 200+ CCNA practice questions free. Then, when you’re ready to fix your weak domains with live instruction and free mentorship, book a seat in our next CCNA intake. Your first network engineering offer is closer than the exam makes it feel.