RoleMath Study Track for Cisco Certified Network Associate (200-301)
A free study companion keyed to the officially published exam domains of Cisco Certified Network Associate (200-301): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. Cisco CCNA 200-301 v1.1 exam topics
A free, source-cited study companion built on Cisco's published 200-301 (v1.1) exam topics — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
A free CCNA program blueprint pinned to Cisco's current 200-301 v1.1 topics, combining official-first and vetted community instruction with configuration, verification, troubleshooting, and automation evidence in authorized Cisco lab environments or clearly labeled written alternatives, without claiming instructional completeness or an exam or employment outcome.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
6
Labs
6
Concept checks
13
Resource mix
4 official / 1 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners who have chosen CCNA and need one complete practice sequence across all six current 200-301 v1.1 domains.
Completion emphasis: Complete all six modules and labs, the two-site Cisco capstone, a command-and-objective crosswalk, and a final gap review against Cisco's official topics.
Required phases: Scope, simulator, and baseline, Models, media, addressing, and subnetting, Switching, VLANs, trunks, and access, Routing tables, static paths, and OSPF, Services and device/network protection, Controllers, APIs, JSON, and automation reasoning, Two-site Cisco network capstone
Network engineering skills first
Career changers and support technicians who want reviewable Cisco-style configuration, verification, troubleshooting, and documentation artifacts before scheduling an exam.
Completion emphasis: Retain a redacted topology, address and VLAN plan, configuration evidence, show-command baseline, services/security tests, automation artifact, fault records, rollback plan, and technical handoff.
Required phases: Scope, simulator, and baseline, Models, media, addressing, and subnetting, Switching, VLANs, trunks, and access, Routing tables, static paths, and OSPF, Services and device/network protection, Controllers, APIs, JSON, and automation reasoning, Two-site Cisco network capstone
Career-fit sprint
Learners deciding whether command-line network configuration, packet-flow reasoning, troubleshooting, and automation concepts fit how they like to work.
Completion emphasis: Complete the diagnostic, subnetting, VLAN, routing, and JSON labs; record whether building, verifying, and repairing a simulated network is work you want to pursue further.
Required phases: Scope, simulator, and baseline, Models, media, addressing, and subnetting, Switching, VLANs, trunks, and access, Routing tables, static paths, and OSPF, Controllers, APIs, JSON, and automation reasoning
Start safely
Prerequisite diagnostic
Route learners to foundations and a safe simulator setup before associate-level configuration; this is a practice-readiness diagnostic, not a Cisco prerequisite or pass prediction.
Can you identify an IPv4 address, prefix, subnet, default gateway, and usable host range, or are you prepared to complete the subnetting bridge first?
Ready when: Yes, including a willingness to work subnet boundaries by hand before checking them with a tool.
If not yet: Complete a vendor-neutral addressing and subnetting foundation before routing, VLAN, DHCP, NAT, ACL, or OSPF configuration.
Can you enter hierarchical commands exactly, distinguish user, privileged, global, and interface context, and read command output without applying it to real gear?
Ready when: Yes, inside an authorized Cisco lab environment with the current prompt visible.
If not yet: Use the IOS-mode warm-up and command-transcript alternative before the first switch or router configuration lab.
Can you run Cisco Modeling Labs - Free on a compatible personal computer, access a suitable Cisco DevNet Sandbox, or use the written topology-and-transcript route?
Ready when: Yes, with the Cisco account, installation permission, hardware capacity, or sandbox reservation required by the selected authorized route.
If not yet: Use the topology, configuration-transcript, expected-output, and troubleshooting-table alternatives; label them observation-only until an authorized execution environment is available.
Can you keep every configuration and deliberate fault inside an owned simulator or disposable lab and preserve a known-good file before changes?
Ready when: Yes, with no work, school, public, shared, or third-party network in scope.
If not yet: Do not configure real equipment; use an authorized disposable lab or the written alternative and complete the backup, rollback, and authorization checklist first.
Can you read a small JSON object as keys, values, types, lists, and nested objects even if you have never written automation code?
Ready when: Yes, or you can complete the short JSON parsing warm-up before the automation phase.
If not yet: Practice reading and repairing a neutral JSON interface record; no programming or live API account is required.
Can you reserve short concept blocks plus longer sessions for building, saving, breaking, verifying, and documenting simulator topologies?
Ready when: Yes, with enough time to explain command evidence and recover from mistakes rather than only follow steps.
If not yet: Choose the steady pace, separate topology build from configuration and verification, and defer exam scheduling until the routine is sustainable.
Plan, then adapt
Pace options
Steady
14 weeks 8-10 hours/week
A planning estimate for learners new to networking: reserve several weeks for addressing, switching, and routing foundations, then separate services, security, automation, troubleshooting, and integration.
Standard
10 weeks 10-14 hours/week
A planning estimate that moves through one major configuration phase most weeks and protects the final two weeks for the integrated build, fault recovery, and objective gaps.
Intensive
6 weeks 16-20 hours/week
For learners with prior Network+, support, addressing, or Cisco CLI experience; slow down when a route, VLAN, service, ACL, or JSON result cannot be predicted before verification.
Evidence-gated sequence
Program roadmap
1
Scope, simulator, and baseline
Pin 200-301 v1.1, choose a goal and pace, establish the simulator and evidence workspace, and record the addressing, CLI, safety, and automation baseline.
Exit evidence
Confirm the six current domains and their weights in Cisco's official 200-301 v1.1 topics PDF.
Choose CML-Free, a suitable DevNet Sandbox, or a labeled observation-only route and create a known-good save and rollback convention.
Complete the authorization, addressing, CLI-mode, and structured-data diagnostic.
2
Models, media, addressing, and subnetting
Build the addressing, device-role, protocol, media, and packet-flow foundation that every switching, routing, service, security, and automation task assumes.
Retain topology, interface table, static-route and OSPF configuration, adjacency, route-table, ping, and trace evidence.
Predict the selected route and next hop before running `show ip route`, then explain any mismatch.
Demonstrate one simulated link failure and recovery with the expected OSPF route withdrawal and return.
5
Services and device/network protection
Configure and verify address assignment, translation, access control, and switch-port protection while preserving secure management and reversible change boundaries.
Retain DHCP binding and NAT translation evidence tied to the address and interface plan.
Retain port-security and ACL configuration, expected permit/deny tests, counters, violation state, recovery, and rollback.
Explain how DNS, NTP, logging, management protocols, device hardening, authentication, segmentation, and wireless security support the running network.
6
Controllers, APIs, JSON, and automation reasoning
Read structured network data, distinguish traditional and controller-based management, and explain a safe desired-state workflow without pointing automation at live gear.
Retain valid nested JSON describing at least two interfaces and a deliberate parse error that was diagnosed and fixed.
Explain controller, northbound/southbound interface, API request, authentication, desired state, idempotence, and verification in plain language.
Write pseudocode or a workflow that reads inventory, validates a proposed change, applies it only to a simulator, checks state, and rolls back or escalates on mismatch.
7
Two-site Cisco network capstone
Integrate addressing, access, connectivity, services, security, automation, verification, troubleshooting, rollback, and handoff in one coherent simulator project.
Complete the capstone packet and pass its addressing, configuration, expected-state, safety, security, rollback, and consistency review.
Crosswalk every domain to a configuration, verification, design, or automation artifact and at least one corrected or confidently explained check.
Record remaining objective gaps and choose a continue, practice, defer, or exam-logistics-verification next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A personal computer with permission to install or run a network simulator, or access to the labeled transcript-and-diagram alternative
For executed Cisco IOS configuration and fault evidence: Cisco Modeling Labs - Free on compatible local hardware or a suitable Cisco DevNet Sandbox; otherwise use the labeled transcript-and-diagram alternative
A text, spreadsheet, and diagram workspace for address/VLAN/interface plans, configurations, show output, tests, changes, incidents, and reflections
Optional
A second saved simulator topology for experimentation while preserving the known-good capstone file
A local JSON formatter or Python's built-in `json.tool` for structured-data validation
Free diagramming software such as diagrams.net and a version-control folder for sanitized configuration snapshots
Accounts and accessibility routes
Accounts
CML-Free is a no-cost, single-user Cisco offering that requires a Cisco.com account, local installation, compatible virtualization resources, and acceptance of Cisco's terms; its free tier runs up to five nodes at once.
Cisco DevNet Sandbox is a free official route when a suitable always-on or reservable environment is available; access and reservation requirements vary by sandbox.
GNS3 is optional only when the learner independently has device images licensed for that use. Cisco images bundled with CML must remain inside CML. An open FRRouting appliance avoids proprietary images, but its syntax and supported behavior differ from Cisco IOS and must be labeled concept-only.
Packet Tracer may be used only within Cisco Networking Academy or another purpose Cisco approves in writing; RoleMath does not require it, create Packet Tracer courseware, or distribute .pkt, .pkz, or .pka files.
No paid Cisco training, cloud account, physical lab, or production-device access is required for the core program.
Equivalent routes
Use a labeled topology, IOS configuration transcript, expected `show` output, and test matrix when installation, motor, visual, device, or account constraints block simulator execution; mark it observation-only.
Use command blocks with the active CLI context and annotate each state change, expected result, verification, and rollback when direct typing is inaccessible.
Split topology, addressing, configuration, verification, fault injection, recovery, and reflection across sessions without reducing exit criteria.
Safety baseline
Keep every configuration, credential example, service, ACL, port-security event, automation request, and deliberate fault inside an owned simulator or disposable authorized lab.
Preserve a known-good file before every fault or major change, use fictional credentials and documentation addresses, and record rollback plus verification.
Never configure, scan, capture, automate, disrupt, or test work, school, public, shared, or third-party networks or devices for this program.
Do not redistribute Cisco courseware, lab files, software images, PDFs, or proprietary questions; link to registered official and community sources. Packet Tracer files are not RoleMath deliverables.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A saved subnet plan, topology, configuration, show-command transcript, test matrix, JSON artifact, fault record, or documented accessibility alternative tied to the module objective map.
A plain-language explanation of intended state, relevant packet or control-plane decision, observed state, mismatch, corrective action, and verification.
All authored checks attempted, with each miss corrected against its cited source and applied to a fresh addressing, configuration, or troubleshooting scenario.
After a missed check
Identify whether the question tests addressing, Layer 2 access, routing, a service, a security control, or automation before reviewing the answer.
Write why the distractor was plausible and which topology fact, IOS state, route-table entry, counter, structured-data field, or official topic distinguishes it.
Change one parameter in a simulator or written scenario, predict the new result, verify it, and explain any mismatch before marking the gap reviewed.
Completing this policy demonstrates 200-301 coverage and simulator practice inside RoleMath; it does not predict a CCNA score, replace Cisco's current guidance, or authorize changes to any real network.
Integrated practice
Two-site Cisco network build, hardening, automation, and fault handoff
Design, configure, verify, secure, document, and troubleshoot a fictional headquarters-and-branch network in a simulator, then produce a sanitized handoff spanning all six current CCNA domains.
Workflow
Write a fictional brief for a small headquarters and branch with staff, operations, guest, management, and server segments, wired and wireless access, internet simulation, centralized services, and an explicit out-of-scope list.
Draw the physical and logical topology with routers, switches, access points or wireless-controller concept, endpoints, trunks, routed links, internet boundary, trust zones, management path, interface names, and redundancy assumptions.
Create IPv4 VLSM and introductory IPv6 plans listing subnet/prefix, gateway, ranges, VLAN, site, purpose, reserved addresses, growth, and routing advertisement; prove there is no overlap.
Create VLAN, access-port, trunk, native-VLAN, inter-VLAN-routing, spanning-tree/root, aggregation, wireless, and interface tables. Implement the simulator-supported subset and label design-only items honestly.
Configure interface addressing and inter-site connectivity. Establish static reachability first, then single-area OSPF where supported; retain `show ip interface brief`, neighbor, route-table, ping, and trace evidence that matches the plan.
Configure DHCP for client segments and NAT/PAT at the simulated internet boundary. Document DNS, NTP, logging, monitoring, QoS, file transfer, and secure management expectations, implementing only the simulator-supported and safe subset.
Apply a security baseline: fictional local identities, secure remote-management design, disabled or assigned unused ports, port security, least-privilege management assumptions, guest separation, and one extended ACL with explicit expected permits and denies.
Build a verification matrix covering VLAN membership, trunks, inter-VLAN paths, OSPF adjacency and routes, DHCP leases, NAT translations, ACL counters, port-security state, expected wireless path, secure management, and negative tests.
Create a nested JSON desired-state and inventory record for at least two interfaces or VLANs. Write a controller/API workflow that validates the proposed state, targets only the simulator, applies or simulates the change, retrieves observed state, compares it, and rolls back or escalates on mismatch.
Preserve the known-good simulator file, then create three reversible faults: one incorrect access VLAN, one missing or incorrect OSPF network statement or route, and one ACL order/direction or service configuration error. Do not combine faults until each is understood.
For each fault, record symptom, scope, baseline comparison, ranked hypotheses, least-destructive show or test commands, root cause, correction, rollback, verification, and the documentation that should change.
Produce a before-and-after change record for one planned network change with purpose, affected devices, dependencies, risk, approval assumption, backup, test plan, rollback trigger, validation, and stakeholder communication.
Write a concise stakeholder update and a detailed technician handoff including topology version, known-good file, current state, evidence locations, unresolved limitations, and next safe action.
Crosswalk every design, configuration, show output, test, automation, fault, and handoff artifact to the six CCNA domain IDs; flag uncovered topic areas and record the next practice decision.
Retained artifacts
Fictional two-site requirements brief and physical/logical topology
IPv4/IPv6, VLAN, port, trunk, interface, routing, service, wireless, and security plan
Known-good simulator file or labeled configuration-and-expected-output transcript
Configuration snapshots and show-command/test validation matrix
JSON desired-state record and controller/API verification workflow
Three troubleshooting records plus one change/rollback record
Stakeholder update, technician handoff, six-domain crosswalk, and gap reflection
Review checklist
Topology, addresses, VLANs, interfaces, routes, services, controls, JSON state, tests, faults, and handoff describe the same fictional network without overlap or contradictions.
Every implemented feature has intended-state, configuration, verification, negative-test, and rollback evidence; unsupported simulator features are labeled design-only.
Every deliberate fault stays inside the saved simulator/disposable lab, is introduced one at a time, and has recovery plus known-good verification.
No real credential, person, employer, domain, public address, device identifier, licensed image, proprietary lab, raw course content, or third-party configuration remains in the packet.
The automation artifact targets only fictional simulator state and distinguishes desired state, request, observed state, mismatch, verification, and rollback or escalation.
All six 200-301 v1.1 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
The packet does not claim exam success, official Cisco training, production network experience, or a RoleMath credential.
Safety boundary: Build, automate, break, and repair only fictional devices inside an owned simulator or explicitly authorized disposable lab. Never apply these configurations, credentials, ACLs, port-security settings, routing changes, captures, scans, or automation requests to work, school, public, shared, or third-party gear, and do not redistribute licensed Cisco images or courseware.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All six current 200-301 v1.1 domain modules have been covered and checked against Cisco's official topics PDF.
Every domain lab has a saved simulator artifact, configuration/output record, or clearly labeled accessibility alternative.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh topology, state, or troubleshooting scenario.
The registered official and community resources have been used within their access and link-only limits; no Cisco courseware or proprietary questions were redistributed.
The two-site capstone passes addressing, access, routing, service, security, automation, verification, troubleshooting, rollback, privacy, consistency, and six-domain coverage review.
The learner has recorded remaining topic gaps and an explicit next decision; completion is not represented as an exam result, credential, authorization, or production experience.
Portfolio candidates
A sanitized two-site logical topology and addressing/VLAN plan
A selected configuration plus show-command and negative-test evidence packet
One routed-connectivity or access-control troubleshooting record
A JSON desired-state and verification workflow
A change/rollback plan and technician handoff
A reflection explaining one route, segmentation, service, or automation tradeoff
Present the artifacts as self-directed CCNA simulator work demonstrating configuration, verification, troubleshooting, and documentation. Do not call them production administration, employment experience, official Cisco labs, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 90 days.
Stop and re-verify when
Cisco changes the active CCNA exam code, v1.1 topic blueprint, domain, published weight, lifecycle, or official experience guidance.
An official or community resource changes ownership, URL, 200-301 coverage, free-access posture, account requirement, or reuse terms.
CML-Free, DevNet Sandbox, Packet Tracer terms, GNS3 image licensing, the open FRRouting route, JSON tooling, or a documented IOS behavior becomes paid, unavailable, unsafe, or materially different.
A lab or capstone configuration no longer produces the stated state/output, lacks a safe rollback, or cannot stay inside the named simulator/accessibility route.
Any module, lab, command, check, resource mapping, phase, or capstone fails technical, source, beginner-walkthrough, safety, licensing, accessibility, or claims review.
Skills measured
The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. Cisco CCNA 200-301 v1.1 exam topics
Our default sequencing advice is heaviest-weight-first, because the published weights tell you where the exam spends its questions. For CCNA that mostly works, with one honest dependency wrinkle worth naming up front. By pure weight the order would be IP Connectivity (25%) first, then the two 20% domains Network Fundamentals and Network Access, then Security Fundamentals (15%), then the two 10% domains IP Services and Automation and Programmability. We keep IP Connectivity first because it is both the heaviest domain and the heart of what CCNA tests — routing between networks. The wrinkle is that Network Fundamentals (20%) is the addressing-and-vocabulary foundation the routing domain assumes you already speak: you cannot reason about routes and next hops until you are fluent in IP addressing and subnetting. So if the routing material feels like a foreign language when you start, drop back to Network Fundamentals first and then return — the two are tightly coupled, and many people find it easier to learn a little addressing, then routing, then more addressing. After those come Network Access (switching, VLANs, wireless), then Security Fundamentals, then the lighter IP Services and Automation domains, which build on everything before them. This is sequencing advice based on the published weights and how the topics depend on each other, not a claim about the science of learning — if a different order fits how you think, use it. CCNA is an associate-level exam; it assumes basic familiarity with computers and networking going in, so give yourself extra time on the fundamentals if you are brand new.
First in our suggested order — the single heaviest domain at 25% and the heart of what CCNA tests. This is routing: how traffic gets from one network to another. It leans hard on the addressing from Network Fundamentals, so if it reads like a foreign language, drop back to the fundamentals and then return.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the routing domain, the single heaviest slice at 25%, and the heart of what CCNA is about: getting traffic from one network to another. Where the access domain moved traffic within a network, this one is about the decisions a router makes at every hop — look at a destination address, consult a table, forward the packet toward the right next hop. It is also the domain that leans hardest on the addressing fluency from Network Fundamentals, which is exactly why, even though it is our recommended starting point by weight, we tell you to fall back to the fundamentals the moment routing stops making sense.
The foundation is the routing table and how a router chooses a path. You are expected to read a routing table and understand how a router decides between competing routes: the longest-prefix match (the most specific route to a destination wins), administrative distance (how much a router trusts one source of a route over another), and metrics (how a protocol ranks paths once trust is equal). The mental model to build is a decision at every hop: given this destination, which entry in the table is the best match, out which interface does the packet go, and why?
The domain distinguishes the two ways routes get into that table. Static routes are typed in by an administrator — simple, predictable, and fully under your control, but they do not adapt when the network changes. Dynamic routing protocols let routers learn and share routes automatically, adapting to failures and growth at the cost of complexity. You are expected to configure static routes (including a default route, the 'if nothing else matches, send it here' entry) for both IPv4 and IPv6, and to understand where each approach fits.
The dynamic-routing centerpiece at the associate level is OSPF — a link-state protocol that routers use to build a shared map of the network and calculate shortest paths. You are expected to configure single-area OSPF for IPv4: enabling it, advertising networks, understanding neighbor relationships and the router ID, and reading the routes it produces. You do not need to master every OSPF nuance, but you should be able to stand up a small OSPF network, watch two routers become neighbors, and see the routes they learn appear in each other's tables — which is exactly what this domain's lab does.
The domain also covers the supporting realities of connectivity: the difference between IPv4 and IPv6 forwarding, first-hop redundancy at a conceptual level (how two routers can share responsibility for being a gateway so one failing does not strand a network), and the everyday verification commands that tell you whether connectivity is actually working. A recurring exam skill is less about typing a command and more about interpreting its output: what does this routing table entry mean, why did the router pick this path, and what would change if a link went down?
Study this domain by building routes, not just reading about them. The simulator lab below has you connect two routers, address the link between them, and get networks on opposite sides to reach each other — first with a static route, then by letting OSPF learn the path automatically — so 'a router forwards between networks' becomes something you made happen and then watched adapt. Keep narrating the destination, the matching table entry, and the next hop as you go. And read the official 200-301 (v1.1) exam-topics list for the exact topics; this explanation paraphrases the domain's scope in our own words rather than reproducing Cisco's.
Learn it free
Official · Official exam objectives
Cisco CCNA 200-301 (v1.1) exam topics (official PDF)The authoritative topic list for the exam's heaviest domain — worth reading in full given its 25% weight, especially its routing and OSPF topics. Current v1.1 blueprint. (captured 2026-07-08)
Official · Free-tier official lab environment (account and local setup required)
Cisco Modeling Labs - Free (CML-Free)Cisco's no-cost single-user environment for running this four-node routing lab with Cisco-provided images inside CML's licensed boundary; review the account, hardware, telemetry, image-use, and five-node limits first. (captured 2026-07-10)
Lab: route between two routers with a static route, then OSPF
Connect two routers, address the link between them, and get a network behind each router to reach the other — first by typing a static route by hand, then by tearing that out and letting single-area OSPF learn the same path automatically. This is the core CCNA skill, routing between networks, built and then made adaptive with your own hands.
Free tools
Cisco Modeling Labs - Free (CML-Free) — Cisco's no-cost single-user simulator; a Cisco.com account, compatible local virtualization resources, download, and setup are required, and this four-node lab fits its five-running-node limit
OR a suitable Cisco DevNet Sandbox — a free official browser-accessible or reservable environment when an appropriate networking sandbox is available; Cisco account and reservation requirements vary
Optional advanced route: GNS3 only with device images you are independently licensed to use. Never move CML-bundled Cisco images into GNS3. An open FRRouting appliance can demonstrate static routing and OSPF concepts, but its CLI and some behavior differ from Cisco IOS and must be labeled concept-only
A labeled topology, IOS configuration transcript, expected show output, route table, and test matrix when authorized execution access is unavailable
Steps
Open your simulator and place two routers (R1 and R2) connected to each other, plus one PC behind each router (PC-A behind R1, PC-B behind R2). Cable them: PC-A to R1's LAN interface, R1 to R2 on a second interface each, PC-B to R2's LAN interface.
Plan three subnets: R1's LAN is 192.168.1.0/24 (R1 = .1, PC-A = .10), R2's LAN is 192.168.2.0/24 (R2 = .1, PC-B = .10), and the router-to-router link is 10.0.0.0/30 (R1 = .1, R2 = .2).
Configure R1's interfaces with 'enable', 'configure terminal', then for each interface 'interface <name>', 'ip address <addr> <mask>', 'no shutdown', 'exit'. Do the same on R2. Set each PC's IP, mask, and default gateway (its local router).
Test the directly connected pieces first: from PC-A, ping its gateway 192.168.1.1, and from R1 ping R2 across the link (ping 10.0.0.2). Both should succeed — each router knows its own directly connected networks automatically.
Now ping PC-B from PC-A (ping 192.168.2.10). It FAILS — R1 has no idea how to reach the 192.168.2.0 network on the far side of R2. This is the whole problem routing solves.
Add a static route on R1: 'ip route 192.168.2.0 255.255.255.0 10.0.0.2'. This tells R1 'to reach 192.168.2.0, hand the packet to R2 at 10.0.0.2'. Add the mirror route on R2: 'ip route 192.168.1.0 255.255.255.0 10.0.0.1'.
Ping PC-B from PC-A again. It now succeeds — you taught both routers the far network by hand. Run 'show ip route' on R1 and find your static route (marked with an S) sitting alongside the directly connected networks (marked C).
Now switch to dynamic routing. Remove the static routes ('no ip route ...' on each) and confirm the ping between PCs fails again. Then on each router enable single-area OSPF: 'router ospf 1', then 'network 192.168.1.0 0.0.0.255 area 0' and 'network 10.0.0.0 0.0.0.3 area 0' on R1 (use R2's own networks on R2), then 'exit'.
Watch the routers become OSPF neighbors — the console may print an adjacency message. Run 'show ip route' again: the far LAN now appears marked with an O (OSPF-learned), placed there automatically with no static route from you.
Prove it adapts: ping PC-B from PC-A (it succeeds via the OSPF-learned route). Then shut down the link interface on R1 ('interface <link>', 'shutdown') and watch the OSPF route disappear from the table; bring it back up and watch the route return. That automatic reaction to a change is exactly why dynamic routing exists.
What you should see
A ping between two PCs that fails until a route exists, succeeds once you add a static route (visible as an S in 'show ip route'), fails again when you remove it, and then succeeds once more via an OSPF-learned route (visible as an O) that you never typed by hand — and that disappears and reappears on its own when you disable and re-enable the link. You have built inter-network routing two ways and seen the difference between static and dynamic first-hand.
This lab practices the static-routing, default-route, and single-area OSPF configuration and the routing-table interpretation covered by Domain 3 (IP Connectivity) of the official 200-301 v1.1 exam topics — see the official exam-topics list for the exam's own wording. The IOS commands here are functional configuration, not copied objective prose.
Stay safe & legal: Keep every route and interface change inside CML-Free, a suitable authorized DevNet Sandbox, or an explicitly owned disposable lab. Never configure third-party gear or networks. Do not move CML images into another emulator or distribute images or lab files. Packet Tracer is not required for this RoleMath lab; use it only within Cisco Networking Academy or another purpose Cisco approves in writing.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 6 · domain 1 · 20% of the exam
Network Fundamentals
Second in our suggested order by weight, but the true foundation. This domain is the addressing-and-vocabulary bedrock — IP addressing, subnetting, and how the pieces of a network fit together — that the heavier IP Connectivity domain assumes you already speak. If routing ever reads like a foreign language, the gap is almost always here; drop back to this domain and then return.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the foundation domain, and at 20% it is one of the two largest slices on the outline. Before CCNA asks you to route between networks, secure a switch, or automate a device, it establishes the shared language for describing a network at all: the components a network is built from, how devices are addressed, and how data is modeled as it crosses a wire. Almost every scenario elsewhere on the exam is written in the words this domain teaches, so if a later routing or switching question ever reads like a foreign language, the gap is usually right here — which is exactly why, despite the weight order, we treat this as bedrock.
The first area is the physical and logical components of a network: routers, switches, endpoints, servers, access points, and the cabling and interfaces that connect them. Routers move traffic between different networks; switches move traffic within a network; endpoints are the devices people actually use. You are expected to know what each component is for, where it sits, and the common cabling and connection types — copper versus fiber, the roles of different interface and port types, and the honest reality that a surprising share of real network problems are physical. Respecting the physical layer is part of thinking like a network engineer.
The second big idea is layering. Networking is easier to reason about when you slice it into layers, each responsible for one job and talking only to the layers directly above and below it. The classic teaching model is the seven-layer OSI model — from the physical signals on the wire up through addressing, routing, and the application a person uses — alongside the more practical TCP/IP model that real networks run on. You do not need to worship either model; you need to be able to place a technology, a device, or a problem at the right layer. 'Is this a cabling issue or a routing issue?' is a layering question, and layering is the mental filing cabinet the rest of the exam keeps opening.
The third big idea is addressing, and this is where the domain gets concrete and where CCNA is famously demanding. Every device on an IP network needs an address, and you are expected to be fluent in IPv4 (the familiar four-number dotted format), the reasons IPv6 exists and how its longer addresses are written and compressed, and the difference between public and private ranges. The skill that separates people who 'get' networking from people who have only memorized it is subnetting — carving an address block into smaller networks using a prefix length, and being able to say, for any address, which network it belongs to, what its usable host range is, and where its boundaries fall. CCNA expects you to do this quickly and by hand, which is exactly what this domain's lab drills.
The fourth area is the supporting concepts that everything else depends on: the difference between the reliable, connection-oriented transport and the fast, connectionless one; the well-known protocols and their roles; how switching forwards frames using hardware addresses; and the basics of wireless architecture and the everyday principles of virtualization that modern networks assume. These are introduced here as concepts and then put to work in the access, connectivity, and services domains — so time spent making them solid here pays off repeatedly later.
On the job and on the exam, this domain is the difference between memorizing acronyms and reasoning about them. A good way to study is to stop reading and start locating: take any everyday action — loading a web page, sending a message — and narrate which layer, which addresses, and which components it touches, out loud, until the story is automatic. Pair that with the subnetting lab below, which turns the single most testable concept in the domain into something you have worked by hand and then verified in a free simulator. And read the official 200-301 (v1.1) exam-topics list for the exact topics — the wording there is Cisco's own, and this explanation deliberately paraphrases rather than reproduces it.
Learn it free
Official · Official exam objectives
Cisco CCNA 200-301 (v1.1) exam topics (official PDF)The exam's own topic list for this domain — read its Network Fundamentals section directly rather than relying on any summary, including ours. This is the current v1.1 blueprint (the v2.0 version is not testable until 2027-02-03). (captured 2026-07-08)
Official · Free-tier official lab environment (account and local setup required)
Cisco Modeling Labs - Free (CML-Free)Cisco's no-cost single-user simulation environment for executing this small topology with Cisco-provided images inside their licensed CML boundary; read its five-node, account, hardware, telemetry, and image-use limits before setup. (captured 2026-07-10)
Official · Free-tier official course (account required)
Cisco Networking Academy (NetAcad) — free official coursesCisco's own learning environment. Follow its on-platform activities and terms; Packet Tracer is not required for this independent RoleMath lab, and RoleMath does not distribute Packet Tracer lab files. (captured 2026-06-14)
Lab: subnet by hand, then verify addressing in a free simulator
Carve an address block into subnets with nothing but paper and reasoning — apply a prefix, compute each subnet's network address, broadcast, and usable host range — then assign those addresses to devices in a free network simulator and confirm the boundaries hold. Fast, accurate subnetting by hand is the single most testable hands-on skill in CCNA's fundamentals, and it only sticks once you have done it by hand and then watched it work.
Free tools
Paper and pencil — the primary tool; the point is to work the subnetting without software
Your OS calculator in programmer/binary mode (Windows Calculator, macOS Calculator, any Linux calculator) — free, built in — for checking binary conversions
Cisco Modeling Labs - Free (CML-Free) — Cisco's no-cost single-user simulator; a Cisco.com account, compatible local virtualization resources, download, and setup are required, and up to five nodes can run at once
OR a suitable Cisco DevNet Sandbox — a free official browser-accessible or reservable environment when an appropriate networking sandbox is available; Cisco account and reservation requirements vary
Optional advanced route: GNS3 only with device images you are independently licensed to use. Never move CML-bundled Cisco images into GNS3. An open FRRouting appliance avoids proprietary images, but its CLI and supported behavior differ from Cisco IOS and must be labeled concept-only
Optional: any free online subnet calculator, used only to check your paper answers after you have worked them yourself
Steps
Write the scenario: you are given the block 192.168.10.0/24 and must split it into 4 equal-size subnets. The /24 means the first 24 bits are the network and the last 8 identify hosts.
Decide how many bits to borrow. Four subnets need 2 borrowed bits (2 to the power 2 equals 4), so the new prefix is /26 and the subnet mask becomes 255.255.255.192.
Find the block size — how far apart the subnets sit. It is 256 minus the interesting mask octet: 256 minus 192 equals 64. So the fourth octet increments by 64.
List the 4 network (subnet) addresses by counting in 64s: 192.168.10.0, .64, .128, and .192. For each, the broadcast is one less than the next subnet's network (.63, .127, .191, .255), and the usable host range is everything between (for example .1 through .62 in the first subnet).
Check the host count: /26 leaves 6 host bits (32 minus 26), so 2 to the power 6 minus 2 equals 62 usable hosts per subnet. The 'minus 2' removes the network and broadcast addresses.
Prove one boundary to yourself in binary: write 192.168.10.64 as bits and mark where bit 26 falls — everything left of the line is network, everything right is host. Seeing the boundary is the whole trick.
Now open CML-Free or a suitable DevNet Sandbox. Place two host nodes and an unmanaged or Layer 2 switch, then put both hosts in your first subnet: PC-A at 192.168.10.10 /26 and PC-B at 192.168.10.20 /26, gateway 192.168.10.1. If neither environment is accessible, draw the topology and complete the address, expected-output, and failure-analysis transcript instead, labeled observation-only.
From PC-A, ping PC-B (ping 192.168.10.20). Steady replies confirm both addresses really do fall inside the same /26 subnet you calculated — your paper math and the simulator agree.
Now deliberately break the boundary: change PC-B's address to 192.168.10.70 /26 (which your math says is in the SECOND subnet, .64 to .127). Ping again from PC-A. It now fails, because the two hosts are in different subnets with no router between them — you have just watched a subnet boundary enforce itself.
Only now, check one or two of your paper answers with the programmer calculator or a free online subnet calculator. If they disagree, redo the math by hand until you find your slip — that debugging is where the learning happens.
What you should see
On paper: four /26 subnets at .0, .64, .128, and .192, each with 62 usable hosts and a clean broadcast at .63/.127/.191/.255, plus a binary boundary sitting exactly where the prefix says it should. In the simulator: two hosts in the same subnet ping successfully, and the moment you move one host across a subnet boundary the ping fails — the addressing math you did by hand, confirmed by real behavior.
This lab practices the IPv4/IPv6 addressing and subnetting skills that Domain 1 (Network Fundamentals) of the official 200-301 v1.1 exam topics names among its addressing topics — see the official exam-topics list for the exam's own wording.
Stay safe & legal: The subnetting is a paper exercise using example private-range addresses, and every ping must stay inside CML-Free, a suitable authorized DevNet Sandbox, or an explicitly owned disposable lab. Do not move CML images into another emulator or distribute images or lab files. Packet Tracer is not required for this RoleMath lab; use it only within Cisco Networking Academy or another purpose Cisco approves in writing.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 6 · domain 2 · 20% of the exam
Network Access
Third in our suggested order — one of the two 20% domains. This is the switching-and-wireless layer: VLANs, trunks, and how traffic moves within a network. It builds directly on the addressing from Network Fundamentals and pairs naturally with the switch-configuration simulator lab.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the switching domain, and at 20% it is one of the two heaviest slices. Where Network Fundamentals taught you how networks are described and addressed, this domain is about how traffic moves within a network — the switches that forward it, the way one physical switch is carved into separate logical networks, the links that carry many of those networks between switches, and the wireless access that has become part of nearly every network. It rewards a hands-on mindset: these topics finally click when you have configured a switch, even in a simulator, and watched traffic behave.
The core skill is the virtual LAN, or VLAN. A single physical switch can be logically split into several separate networks, so that devices in one VLAN cannot talk directly to devices in another without passing through a router — which is both an organizational convenience and a security boundary at the same time. You are expected to configure VLANs, assign switch ports to them (access ports, which carry a single VLAN to an endpoint), and understand what problem VLANs solve. The mental model to build is that a VLAN turns one switch into many, and that membership is decided by configuration, not by which physical switch a device is plugged into.
Carrying multiple VLANs between switches requires trunk links. Where an access port carries one VLAN to a device, a trunk port carries many VLANs between switches by tagging each frame with the VLAN it belongs to, so the far switch knows where it goes. You are expected to understand trunking and the tagging standard behind it, the idea of a native VLAN, and how switches can discover and negotiate these links. This is the plumbing that lets a VLAN span an entire building rather than a single switch.
Because redundant switch connections can create loops that flood a network into collapse, the domain covers loop prevention — the mechanism that detects redundant paths and logically blocks them until they are needed, so you can have physical redundancy without a broadcast storm. You are expected to recognize the purpose of this mechanism and its basic operation rather than to master every timer. Alongside it sits link aggregation, which bundles several physical links into one logical link for more bandwidth and resilience, and the discovery protocols that let Cisco devices learn about their directly connected neighbors.
The wireless portion introduces how Wi-Fi networks are built and managed at an associate level: the roles of access points and wireless controllers, the architecture that lets many access points be managed centrally, the common connection and management interfaces, and the basics of securing a wireless network with modern encryption and real authentication rather than by hiding its name. Wireless security threads into the Security Fundamentals domain too, but the architecture is introduced here.
The way to study this domain is to configure, not just read. The simulator lab below has you create a VLAN, assign switch ports to it, and prove that two devices in the same VLAN can talk while a device in a different VLAN cannot — which turns 'a VLAN is a logical network' from a sentence into something you have built and then deliberately broken. As you work, keep narrating the layer and the addresses involved, the habit from the fundamentals domain. And read the official 200-301 (v1.1) exam-topics list for the exact topics; this explanation paraphrases the domain's scope in our own words rather than reproducing Cisco's.
Lab: configure a VLAN and switch ports in a free simulator
Build a small switched network with your own hands in a free simulator, create a VLAN, assign switch ports to it, and prove the boundary: two devices in the same VLAN can ping each other, while a device left in a different VLAN cannot reach them. This is switching and VLAN segmentation turned from theory into something you configured with real Cisco IOS commands.
Free tools
Cisco Modeling Labs - Free (CML-Free) — Cisco's no-cost single-user simulator; a Cisco.com account, compatible local virtualization resources, download, and setup are required, and this four-node lab fits its five-running-node limit
OR a suitable Cisco DevNet Sandbox — a free official browser-accessible or reservable environment when an appropriate networking sandbox is available; Cisco account and reservation requirements vary
Optional advanced route: GNS3 only with device images you are independently licensed to use. Never move CML-bundled Cisco images into GNS3. An open FRRouting appliance does not reproduce Cisco switch-port syntax, so it is not an execution substitute for this IOS switching lab
A labeled topology, IOS configuration transcript, expected show output, and test matrix when authorized execution access is unavailable
Steps
Open your simulator and start a new blank project. Place one switch and three PCs (PC-A, PC-B, PC-C) and cable each PC to a switch port with a straight-through copper link.
Give the three PCs addresses in the same subnet so that only VLAN membership — not addressing — will separate them: PC-A 192.168.1.10, PC-B 192.168.1.11, PC-C 192.168.1.12, all with mask 255.255.255.0.
Open the switch node's console in the authorized environment. Enter configuration mode: type 'enable', then 'configure terminal'.
Create a VLAN: type 'vlan 10', then 'name SALES', then 'exit'. You have defined a logical network numbered 10 on this switch.
Put PC-A's and PC-B's ports into VLAN 10. Use the interface names shown by your selected environment: for each port enter 'interface <PC-port>', 'switchport mode access', 'switchport access vlan 10', 'exit'. Repeat for the second port and leave PC-C's port in the default VLAN 1.
Confirm your work: run 'do show vlan brief'. You should see VLAN 10 (SALES) listing PC-A's and PC-B's ports, while PC-C's port stays in VLAN 1.
From PC-A's command prompt, ping PC-B (ping 192.168.1.11). Steady replies prove two devices in the same VLAN, on the same subnet, can talk through the switch.
Now ping PC-C from PC-A (ping 192.168.1.12). It fails — even though PC-C is in the same IP subnet, it sits in a different VLAN, and without a router between VLANs the traffic has nowhere to go. That failure is VLAN segmentation doing its job.
Move PC-C into VLAN 10 (repeat the access-port steps for its port), then ping it again from PC-A. It now succeeds. Watching connectivity appear the instant you fix the VLAN membership is how you learn where the boundary really lives.
Save the running configuration if your simulator prompts you, then note in one sentence what changed connectivity: not the addresses, but the VLAN each port belonged to.
What you should see
A 'show vlan brief' output listing your new VLAN 10 with the ports you assigned; successful pings between two devices in the same VLAN; a failed ping to a device in a different VLAN despite identical addressing; and connectivity that appears the moment you move that device into the same VLAN. You have built and enforced Layer 2 segmentation from scratch.
This lab practices the VLAN configuration and switch-port (access) skills covered by Domain 2 (Network Access) of the official 200-301 v1.1 exam topics — see the official exam-topics list for the exam's own wording. The IOS commands here are functional configuration, not copied objective prose.
Stay safe & legal: Keep every change inside CML-Free, a suitable authorized DevNet Sandbox, or an explicitly owned disposable lab. Never configure third-party gear or networks. Do not move CML images into another emulator or distribute images or lab files. Packet Tracer is not required for this RoleMath lab; use it only within Cisco Networking Academy or another purpose Cisco approves in writing.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 6 · domain 5 · 15% of the exam
Security Fundamentals
Fourth in our suggested order at 15%. This domain applies the earlier building blocks to defense — access control, port security, ACLs, and secure device access. It is also the natural on-ramp to a security path like CyberOps Associate or Security+ afterward.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the defense domain, and at 15% it is a middle-weight slice that punches above its size for career direction: it is the natural bridge from CCNA toward a security-focused path afterward. Where the earlier domains taught you to describe, build, connect, and service a network, this one asks how you keep it from being abused — the concepts security rests on, the common threats, and the standard controls a network engineer puts in place. Much of it is the earlier domains applied with an adversary in mind.
The starting point is a small set of security concepts the rest of the domain leans on. The classic statement of what security protects is confidentiality (only the right people can read it), integrity (nobody has silently changed it), and availability (it works when you need it) — and a striking number of scenarios are really asking which of those three is at stake. Around that sit authentication (proving who you are), authorization (what you are allowed to do), accounting (recording what was done), and everyday principles like least privilege and defense in depth. CCNA expects you to reason with these at the network level rather than to master them in depth.
Next comes the threat landscape as it touches networks. The domain expects you to recognize common attacks from a description of their behavior: traffic interception and on-path attacks that sit between two parties, denial-of-service attacks that overwhelm a service, address and name spoofing, and Layer 2 attacks specific to switches — such as flooding a switch's address table or tricking devices onto a rogue VLAN. You are also expected to appreciate the human-facing social-engineering tricks that bypass technology entirely by fooling a person. You are not being asked to launch any of these; you are being asked to name what is happening and know which control addresses it.
The hands-on heart of the domain is the access controls you actually configure. Port security limits which devices can connect to a switch port and can shut the port down if an unexpected device appears — a direct defense against several Layer 2 attacks. Access control lists (ACLs) filter traffic by matching source, destination, and other fields, permitting or denying packets as they cross a router or switch — the everyday tool for deciding what traffic is allowed where. You are expected to configure standard and extended ACLs and to apply them in the right place and direction, which is exactly what this domain's lab practices.
The domain also covers securing device access and the wider defenses. Hardening a device means changing default credentials, using strong and encrypted remote access rather than cleartext, and controlling who can administer it. Broader ideas include the role of VPNs for secure remote connectivity, the basics of wireless security (modern encryption and real authentication, not hiding the network name), and the layered principle that a network is defended in depth — no single control is trusted to be enough. Physical security earns a mention too, because a switch someone can walk up to is a control that has already failed.
A good way to study this domain is to configure the controls and watch them enforce, which is what the lab below does: you set up port security and an ACL in a simulator and then prove they block what they should. As you study, keep asking the defender's questions: which security goal does this protect, what attack does this stop, and what can a compromised device still reach? And read the official 200-301 (v1.1) exam-topics list for the exact topics; this explanation paraphrases the domain's scope in our own words rather than reproducing Cisco's.
RoleMath glossary: firewallA cited definition of the classic chokepoint that enforces policy between network zones — kin to the ACLs this domain configures.
RoleMath glossary: encryptionA cited definition of the mechanism behind secure remote access and wireless security this domain recommends.
Lab: configure port security and an ACL in a free simulator
Configure two foundational Cisco security controls with your own hands and watch them enforce: port security that shuts a switch port down when an unexpected device appears, and an access control list that permits some traffic while denying the rest. Both are done with real IOS commands inside a free simulator so you see the control actually block something.
Free tools
Cisco Modeling Labs - Free (CML-Free) — Cisco's no-cost single-user simulator; a Cisco.com account, compatible local virtualization resources, download, and setup are required, and execute the two lab parts separately to stay within its five-node limit
OR a suitable Cisco DevNet Sandbox — a free official browser-accessible or reservable environment when an appropriate networking sandbox is available; Cisco account and reservation requirements vary
Optional advanced route: GNS3 only with device images you are independently licensed to use. Never move CML-bundled Cisco images into GNS3. An open FRRouting appliance can demonstrate ACL concepts, but it does not reproduce Cisco switch port-security syntax and its CLI differs from Cisco IOS
A labeled topology, IOS configuration transcript, expected counters/state, and positive/negative test matrix when authorized execution access is unavailable
Steps
Open your simulator. Part one is port security. Place a switch with one PC (PC-A, 192.168.1.10/24) cabled to a port, and have a second PC (PC-B) ready but unplugged.
On the switch, enter configuration mode ('enable', 'configure terminal') and secure PC-A's port: 'interface <port>', 'switchport mode access', 'switchport port-security', 'switchport port-security maximum 1', 'switchport port-security violation shutdown', 'switchport port-security mac-address sticky', 'exit'. This says: allow one device, learn its address, and shut the port if a different device appears.
Send a little traffic from PC-A (ping the gateway or another host) so the switch learns and 'sticks' PC-A's MAC address to the port. Confirm with 'do show port-security interface <port>' — you should see the learned address and a secure state.
Now simulate an intruder: unplug PC-A and plug PC-B into the same port, then have PC-B send traffic. Because PC-B's MAC differs from the stuck address, the port detects a violation and shuts down (err-disabled). Run 'show port-security interface <port>' again and read the violation count and the shutdown state — the control just stopped an unexpected device.
Re-enable the port to recover ('interface <port>', 'shutdown', then 'no shutdown') after reconnecting the legitimate device, noting that recovery is a deliberate step — the shutdown is meant to get an administrator's attention.
Part two is an ACL. Build a small routed network: a router (R1) with two LANs — 192.168.1.0/24 (with PC-A) and 192.168.2.0/24 (with a server, 192.168.2.10) — each on its own interface. Confirm PC-A can ping the server before you filter anything.
Write an extended ACL on R1 that denies PC-A from reaching the server but allows everything else: 'access-list 100 deny ip host 192.168.1.10 host 192.168.2.10', then 'access-list 100 permit ip any any'. The final permit matters — ACLs end with an implicit deny, so without it you would block all traffic.
Apply the ACL to the right interface in the right direction: 'interface <R1-LAN1-interface>', 'ip access-group 100 in', 'exit'. Applying it inbound on the interface closest to the source filters the traffic before it is routed.
Test it: from PC-A, ping the server (192.168.2.10) — it now FAILS, blocked by your deny rule. Then ping the server from a different host in the 192.168.1.0 network — it SUCCEEDS, because the permit rule lets everyone else through. You have allowed some traffic and denied specific traffic exactly as written.
Read the enforcement with 'show access-lists' on R1: the counter next to your deny rule increments each time it blocks a packet. Write one sentence stating what each control protected and which attack or misuse it addressed.
What you should see
A switch port that works normally for its learned device but goes into a shutdown/err-disabled state the moment a different device connects (with a rising violation count), and a router ACL that blocks one specific source from one specific destination while letting all other traffic through — with the access-list counters ticking up as the deny rule fires. You have watched two access controls enforce policy rather than just read about them.
This lab practices the port-security and access-control-list (ACL) configuration covered by Domain 5 (Security Fundamentals) of the official 200-301 v1.1 exam topics — see the official exam-topics list for the exam's own wording. The IOS commands here are functional configuration, not copied objective prose.
Stay safe & legal: Keep every security control and deliberate violation inside CML-Free, a suitable authorized DevNet Sandbox, or an explicitly owned disposable lab. Never configure security controls on third-party gear or networks. Do not move CML images into another emulator or distribute images or lab files. Packet Tracer is not required for this RoleMath lab; use it only within Cisco Networking Academy or another purpose Cisco approves in writing.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 5 of 6 · domain 4 · 10% of the exam
IP Services
Fifth in our suggested order — one of the two lightest domains at 10%. These are the network services that keep everything running: DHCP, NAT, NTP, DNS, and remote-management protocols. They build on the addressing and routing you already know, which is why they come near the end.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the services domain, and at 10% it is one of the two lightest slices — but the services it covers are the ones a network quietly depends on every day, and they show up constantly in real work. Where the connectivity domain moved packets between networks, this domain is about the helper services that make a network usable: handing out addresses automatically, letting many private devices share a public address, keeping clocks aligned, resolving names, and managing devices remotely. It builds directly on the addressing and routing you already know, which is why we place it near the end.
The first service is automatic address assignment (DHCP). Rather than typing an address, mask, gateway, and DNS server into every device by hand, a DHCP server hands out that configuration automatically, leasing each address for a fixed time. You are expected to understand the role of DHCP, the difference between a client and a server, and how a Cisco router can act as a DHCP server or relay requests to one elsewhere. When 'the internet is down' turns out to be 'this device never got an address', DHCP is where you look.
The second service is network address translation (NAT), which lets many devices using private addresses share one or a few public addresses to reach the internet. You are expected to understand why NAT exists (the shortage of public IPv4 addresses), the difference between static and dynamic translation, and the very common form where many inside devices share a single public address distinguished by port number. NAT is one of those topics that feels abstract until you watch a private address get rewritten to a public one on the way out.
The third cluster is the smaller-but-important services: time synchronization (NTP), which keeps clocks aligned so that logs, certificates, and security events across many devices can actually be compared; name resolution (DNS) from the client's point of view; and the everyday quality-of-service idea that some traffic (voice, video) is more delay-sensitive than other traffic and can be prioritized. You are expected to recognize what each service does and what its failure looks like, not to become a specialist in any one of them.
The domain also covers how you manage devices remotely and safely: the difference between insecure and secure remote-access protocols (reaching a device over an encrypted session rather than a cleartext one), logging device events to a central place, and the management protocols that let monitoring systems read a device's health. This threads into the security and automation domains, because how you reach and monitor a device is both an operational and a security question.
Study this domain by making its invisible services visible, which is what the lab below does: it has you configure a Cisco router as a DHCP server in a simulator and watch a PC receive its address, gateway, and DNS automatically, then set up basic NAT and see a private address translated. That turns DHCP and NAT from acronyms into things you have configured and observed. And read the official 200-301 (v1.1) exam-topics list for the exact topics; this explanation paraphrases the domain's scope in our own words rather than reproducing Cisco's.
Lab: configure DHCP and NAT on a router in a free simulator
Make two of the network's most important background services visible by configuring them yourself: set up a Cisco router as a DHCP server and watch a PC receive its address automatically, then configure basic address translation (NAT) and see a private address rewritten to a public one. Both are done with real IOS commands inside a free simulator.
Free tools
Cisco Modeling Labs - Free (CML-Free) — Cisco's no-cost single-user simulator; a Cisco.com account, compatible local virtualization resources, download, and setup are required, and keep the running topology within its five-node limit
OR a suitable Cisco DevNet Sandbox — a free official browser-accessible or reservable environment when an appropriate networking sandbox is available; Cisco account and reservation requirements vary
Optional advanced route: GNS3 only with device images you are independently licensed to use. Never move CML-bundled Cisco images into GNS3. An open FRRouting appliance can demonstrate DHCP or NAT concepts, but its syntax and supported behavior differ from Cisco IOS and must be labeled concept-only
A labeled topology, IOS configuration transcript, expected host/router output, and test matrix when authorized execution access is unavailable
Steps
Open your simulator. Place one router (R1), one switch, and two PCs (PC-A, PC-B) cabled to the switch, and connect the switch to R1's LAN interface.
Configure R1's LAN interface as the gateway: 'enable', 'configure terminal', 'interface <lan-interface>', 'ip address 192.168.1.1 255.255.255.0', 'no shutdown', 'exit'.
Create a DHCP pool on R1: 'ip dhcp pool LAN', 'network 192.168.1.0 255.255.255.0', 'default-router 192.168.1.1', 'dns-server 8.8.8.8', 'exit'. Then exclude the router's own address so it is not handed out: 'ip dhcp excluded-address 192.168.1.1'.
On each simulated host, use the selected environment's documented DHCP-client action. Within a moment each host should receive an address in the 192.168.1.0 range plus the gateway and DNS you configured.
Confirm it worked with the host's address and route inspection command (for example 'ip address show' and 'ip route' on a Linux host). Both hosts should have distinct addresses from the pool — that is DHCP in action.
Verify from the router side: run 'show ip dhcp binding' on R1 to see the leases it has handed out, one row per PC. You are watching the server's own record of who got which address.
Now set up basic NAT. Add a second interface on R1 facing an 'outside' network (for example 203.0.113.1/30 to a second router or a simulated ISP device), and mark your interfaces: on the LAN interface 'ip nat inside', on the outside interface 'ip nat outside'.
Configure port-based translation so inside devices share the outside address: define which addresses may be translated with an access list ('access-list 1 permit 192.168.1.0 0.0.0.255'), then 'ip nat inside source list 1 interface <outside-interface> overload'.
Generate traffic from a PC toward the outside (ping the outside device), then run 'show ip nat translations' on R1. You should see the PC's private 192.168.1.x address translated to the outside address — a private address becoming a public one, visible in a table.
Write one sentence describing what each service did: DHCP gave the PC its identity on the network automatically, and NAT let that private identity reach the outside world through a shared public address.
What you should see
PCs that receive their addresses automatically from the router's DHCP pool (confirmed by 'ipconfig' on the PC and 'show ip dhcp binding' on the router), and a 'show ip nat translations' table showing a private inside address translated to the outside address when the PC sends traffic outward. Two invisible services made concrete and watchable.
This lab practices the DHCP and NAT configuration and verification covered by Domain 4 (IP Services) of the official 200-301 v1.1 exam topics — see the official exam-topics list for the exam's own wording. The IOS commands here are functional configuration, not copied objective prose.
Stay safe & legal: Keep every service and interface change inside CML-Free, a suitable authorized DevNet Sandbox, or an explicitly owned disposable lab; the outside range is documentation-only and must not reach the public internet. Never configure third-party gear or networks. Do not move CML images into another emulator or distribute images or lab files. Packet Tracer is not required for this RoleMath lab; use it only within Cisco Networking Academy or another purpose Cisco approves in writing.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 6 of 6 · domain 6 · 10% of the exam
Automation and Programmability
Last in our suggested order — one of the two lightest domains at 10%, and the most conceptual. It is about how networks are increasingly managed by software rather than by typing on each device. It builds on everything before it, which is why it comes last, and it points toward where networking careers are heading.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Cisco CCNA 200-301 v1.1 exam topics
This is the automation domain, and at 10% it is one of the two lightest slices — but it is the one that most clearly signals where networking is heading, and it is why Cisco added it to an associate exam that was once purely hands-on-the-command-line. Where the rest of CCNA is about configuring a network device by device, this domain is about managing networks with software: describing what you want in code, letting controllers push configuration at scale, and letting systems talk to each other through interfaces rather than a human typing on each box. For a career changer, this is the most forward-looking material on the exam.
The first idea is the shift from traditional to controller-based and software-defined networking. In the traditional model, each device makes its own forwarding decisions and you configure each one individually. In a controller-based model, a central controller holds the intelligence and pushes configuration and policy out to many devices, so you manage the network as one system rather than as a pile of individual boxes. You are expected to understand this separation — the idea that the 'control plane' (deciding where traffic goes) can be centralized while the 'data plane' (actually forwarding it) stays on the devices — and the benefits and trade-offs it brings.
The second idea is APIs — the interfaces through which software talks to network systems. Rather than a person typing commands, a program can send a structured request to a controller or device and get a structured answer back. You are expected to recognize the common style of web API used in networking (the kind that uses standard web methods to create, read, update, and delete things), the difference between an interface meant for machines and one meant for humans, and roughly how authentication and requests work at a conceptual level. You are not being asked to write production software — you are being asked to understand what an API is and why network automation depends on it.
The third idea is data formats and how automated systems exchange information. Automation tools pass structured data back and forth, and the common formats for that (a lightweight, widely used data-interchange format chief among them) are readable once you know the shape: names paired with values, nested to describe complex things. You are expected to interpret a small block of this structured data — to look at it and say what it describes — rather than to write it from scratch. Being able to read the shape of the data is most of the skill at this level.
The fourth idea is configuration-management and automation tooling at a conceptual level: the category of tools that apply a described configuration consistently across many devices, the principle of describing infrastructure as code so the same setup can be recreated and reviewed, and the general benefits — consistency, speed, and fewer human errors — that automation brings, alongside the honest trade-off that it adds a layer of tooling to learn and maintain. CCNA keeps this conceptual; you are recognizing what these tools do and why teams adopt them, not mastering any one of them.
Because this domain is conceptual and does not require configuring live gear, the lab below is a read-and-explain exercise: you examine a small block of structured data (the kind an API returns) and a simple description of an automated workflow, and you narrate what each part does — building the interpret-the-data skill the exam actually tests without touching any device or network. And read the official 200-301 (v1.1) exam-topics list for the exact topics; this explanation paraphrases the domain's scope in our own words rather than reproducing Cisco's.
Learn it free
Official · Official exam objectives
Cisco CCNA 200-301 (v1.1) exam topics (official PDF)The authoritative topic list for this domain's automation, controller-based networking, API, and JSON coverage — current v1.1 blueprint. (captured 2026-07-08)
RoleMath glossary: cloud computingContext for the software-defined and controller-based models this domain introduces, which grew up alongside cloud computing.
Lab: read structured API data and explain an automation workflow (no live gear)
Build the one hands-on skill this conceptual domain actually tests — interpreting the structured data an automation system exchanges — without touching any network device. You will read a small block of JSON like an API might return, name what each field describes, and then narrate how a simple automation workflow uses it, using only free tools and your own reasoning.
Free tools
Any plain-text editor already on your computer (Notepad, TextEdit, VS Code, or any free editor) — no install needed
Optional: a free online JSON viewer/formatter (used only to pretty-print and check the sample below), or Python's built-in json.tool if you happen to have Python
No network device, account, or live gear of any kind — this lab is entirely read-and-explain
Steps
In your text editor, type out (do not copy from any exam material — this is a neutral example) a small block of structured data representing one network interface, such as: { "interface": "GigabitEthernet0/1", "ip_address": "192.168.1.1", "prefix_length": 24, "enabled": true, "description": "link to core switch" }.
Read it as an API response would arrive: each name in quotes is a key, each value after the colon describes that key. Say out loud what each field means — this interface's name, its address, its subnet size, whether it is up, and a human note about its purpose.
Notice the value types: text is quoted, the prefix length is a plain number, and 'enabled' is a true/false boolean. Recognizing types is part of reading structured data — a number is not the same as the text of a number.
Now nest it, the way a real response describing several interfaces would: wrap two such objects inside a list under a key like 'interfaces'. Read the shape aloud: a device object, containing a list, containing interface objects. Being able to describe that nesting is the skill the exam checks.
Deliberately break the format to feel the rules: remove one closing brace or one comma and run the text through a free JSON viewer or json.tool. The parser reports an error and points near the problem — structured data is strict, which is exactly what lets machines rely on it.
Fix it back to valid data and confirm the viewer accepts it. That parse-fail-then-fix loop is how you learn where the format's rules actually bite.
Now the workflow half. Write, in plain English, the steps an automation script would take to configure this interface on many devices: authenticate to a central controller through its API, send a structured request (data shaped like your sample) describing the desired interface, and let the controller push that configuration to every target device at once.
Contrast that with the traditional approach from the rest of CCNA: logging into each device by hand and typing the interface commands one box at a time. Name the trade-off out loud — automation is faster and more consistent across many devices, but it adds a controller and tooling you must learn and maintain.
Map the pieces back to the domain's concepts: the JSON is the data format, the controller-plus-API is controller-based networking and the API concept, and 'describe it once, apply it everywhere' is infrastructure as code. If you can point at each concept in your own example, the domain is no longer abstract.
Write two or three sentences summarizing what the data described and how an automated workflow would use it. That written explanation is the deliverable — this domain rewards being able to read and reason about automation, not to operate any single tool.
What you should see
A small block of structured data you can read field by field and describe in plain English, a deliberate format error that a free JSON viewer flags and you then fix, and a clear written contrast between configuring one device by hand and pushing configuration to many devices through a controller and an API. You have practiced the interpret-the-data-and-explain-the-workflow skill this domain tests — with no device, account, or live gear involved.
This lab practices interpreting structured data (JSON) and understanding controller-based networking, APIs, and automation concepts covered by Domain 6 (Automation and Programmability) of the official 200-301 v1.1 exam topics — see the official exam-topics list for the exam's own wording.
Stay safe & legal: This lab touches no network device, account, or live gear at all — it is a pure read-and-explain exercise on a neutral example you typed yourself. There is nothing to configure and nothing that could affect any real system; never point automation tooling at gear or networks you do not own.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying Cisco Certified Network Associatebuilds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam registration fee: About $300 USD for the 200-301 CCNA exam — verify the current price on Cisco's official exam and pricing pages before you register, as Cisco's fees change and taxes are not included Official Cisco CCNA exam page
Certification validity: 3 years — CCNA is valid for three years and is renewed through Cisco's Continuing Education program or by re-examination; verify the current renewal rules on Cisco's official recertification page before relying on them Official Cisco CCNA exam page
A free, source-cited study companion built on Cisco's published 200-301 (v1.1) exam topics — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Cisco.