The latest CCNA 200-301 exam questions and answers for December 2025 has been released!
The following 15 questions are the most frequently appeared original questions and adapted questions in this month’s exam (with a coverage rate of over 95%), complete with detailed explanations for difficult questions. Come and practice for free now!
New CCNA 200-301 Practice Questions
| Number of exam questions | Publication time |
| 15 (Free) | Dec 12, 2025 |
Q1:What is represented by the word “LB13” within this JSON schema?
A. array
B. value
C. object
D. key
Correct Answer: B
Q2: Which cable type must be used when connecting two like devices together using these criteria?
1.
Pins 1 to 3 and 2 to 6 are required.
2.
Auto detection MDI-X is unavailable.
A. straight-through
B. console
C. crossover
D. rollover
Correct Answer: C
Explanation:
When connecting two like devices together (e.g., two computers or two switches) directly without an intermediate device like a hub or a switch, and auto detection MDI-X (Media Dependent Interface with Crossover) is unavailable, a crossover cable is used. In a crossover cable, the transmit (TX) pins on one end are connected to the receive (RX) pins on the other end, and vice versa.
Q3: Which switch becomes the permanent root bridge for VLAN 5?
Refer to the exhibit. Only four switches are participating in the VLAN spanning-tree process.
Branch-1 priority 614440 Branch-2: priority 39082416 Branch-3: priority 0 Branch-4: root primary
A. Branch-1
B. Branch-2
C. Branch-3
D. Branch-4
Correct Answer: C
Explanation:
Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
Q4: What is the minimum configuration required to permit remote management using the cryptographic protocol?
An engineer is configuring SSH version 2 exclusively on the R1 router.
A. hostname R1 ip domain name cisco crypto key generate rsa general-keys modulus 1024 username cisco privilege 15 password 0 cisco123 ip ssh version 2 line vty 0 15 transport input ssh login local
B. hostname R1 crypto key generate rsa general-keys modulus 1024 username cisco privilege 15 password 0 cisco123 ip ssh version 2 line vty 0 15 transport input all login local
C. hostname R1 service password-encryption crypto key generate rsa general-keys modulus 1024 username cisco privilege 15 password O cisco123 ip ssh version 2 line vty 0 15 transport input ssh login local
D. hostname R1 ip domain name cisco crypto key generate rsa general-keys modulus 1024 username cisco privilege 15 password 0 cisco123 ip ssh version 2 line vty 0 15 transport input all login local
Correct Answer: A
Q5: What is the root port in STP?
A. It is the port with the highest priority toward the root bridge.
B. It is the port on the root switch that leads to the designated port on another switch.
C. It is the port that is elected only when the root bridge has precisely one port on a single LAN segment.
D. It is the port on a switch with the lowest cost to reach the root bridge.
Correct Answer: D
Q6: Which interface condition is causing the performance problem?
Refer to the exhibit.
The link between PC1 and the switch is up, but it is performing poorly.
A. There is an issue with the fiber on the switch interface.
B. There is a duplex mismatch on the interface.
C. There is an interface type mismatch.
D. There is a speed mismatch on the interface.
Correct Answer: B
Explanation:
The PC\’s port runs in full duplex, while the Fa0/1 port on the switch is in auto-negotiate mode.
This results in a duplex mismatch that causes the switchport to operate as half-duplex, which culminates in poor performance on the link.
“A duplex mismatch occurs when two connected devices are configured in different duplex modes.
This may happen, for example, if one is configured for autonegotiation while the other one has a fixed mode of operation that is full duplex (no autonegotiation). In such conditions, the autonegotiation device correctly detects the speed of operation, but is unable to correctly detect the duplex mode.
As a result, it sets the correct speed but assumes half-duplex mode.
When a device is operating in full duplex while the other one operates in half duplex, the connection works reliably only at a very low throughput.”
Reference: https://en.wikipedia.org/wiki/Autonegotiation#Duplex_mismatch
Q7: According to the output, which parameter set is validated using the routing table of R7?
Refer to the exhibit.
A. R7 is missing a gateway of last resort. R7 is receiving routes that were redistributed in EIGRP. R7 will forward traffic destined to 10.90.8.0/24.
B. R7 has a gateway of last resort available. R7 is receiving routes that were redistributed from BGP. R7 will drop traffic destined to 10.90.8.0/24.
C. R7 is missing a gateway of last resort. R7 is receiving routes that were redistributed from BGP. R7 will forward traffic destined to 10.90.8.0/24.
D. R7 has a gateway of last resort available. R7 is receiving routes that were redistributed in EIGRP.
R7 will drop traffic destined to 10.90.8.0/24.
Correct Answer: D
Explanation:
EX = redistributed in EIGRP. We don\’t know for sure from what source these routes were redistributed.
Q8: What is a role of wireless controllers in an enterprise network?
A. centralize the management of access points in an enterprise network
B. support standalone or controller-based architectures
C. serve as the first line of defense in an enterprise network
D. provide secure user logins to devices on the network.
Correct Answer: A
Q9: Which effete does the aaa new-model configuration command have?
A. It enables AAA services on the device.
B. It configures the device to connect to a RADIUS server for AAA.
C. It associates a RADIUS server to the group.
D. It configures a local user on the device.
Correct Answer: A
Explanation:
To enable AAA, you need to configure the aaa new-model command in global configuration.
Q10: Which characteristic differentiates the concept of authentication from authorization and accounting?
A. user-activity logging
B. service limitations
C. consumption-based billing
D. identity verification
Correct Answer: D
Q11: Which field within the access-request packet is encrypted by RADIUS?
A. authorized services
B. password
C. authenticator
D. username
Correct Answer: B
Explanation:
RADIUS by itself provides no encryption of all traffic. It protects only a small part of the traffic, notably the passwords.
Question 12: (Labs)
Guidelines
This is a lab item in which tasks will be performed on virtual devices
1.
Refer to the Tasks tab to view the tasks for this lab item.
2.
Refer to the Topology tab to access the device console(s) and perform the tasks.
3.
Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
4.
All necessary preconfigurations have been applied.
5.
Do not change the enable password or hostname for any device.
6.
Save your configurations to NVRAM before moving to the next item.
7.
Click Next at the bottom of the screen to submit this lab and move to the next question.
8.
When Next is clicked the lab closes and cannot be reopened.
Three switches must be configured for Layer 2 connectivity. The company requires only the designated VLANs to be configured on their respective switches and permitted across any links between switches for security purposes. Do not modify or delete VTP configurations.
The network needs two user-defined VLANs configured:
1.
VLAN 202: MARKETING
2.
VLAN 303: FINANCE
1.
Configure the VLANs on the designated switches and assign them as access ports to the interfaces connected to the PCs.
2.
Configure the e0/2 interfaces on Sw1 and Sw2 as 802.1q trunks with only the required VLANs permitted.
3.
Configure the e0/3 interfaces on Sw2 and Sw3 as 802.1q trunks with only the required VLANs permitted.
A. Check the below
B. Place Holder
C. Place Holder
D. Place Holder
Correct Answer: A
Explanation:
SW1):
vlan 303 name FINANCE vlan 202 name MARKETING
int e0/1 switchport mode access switchport access vlan 303
int e0/2 switchport mode trunk switchport encapsulation dot1q switchport trunk allowed vlan 303, 202
SW2):
vlan 303 name FINANCE vlan 202 name MARKETING
int e0/1 switchport mode access switchport access vlan 202
int e0/2 switchport mode trunk switchport encapsulation dot1q switchport trunk allowed vlan 303, 202
int e0/3 switchport mode trunk switchport encapsulation dot1q switchport access vlan 303, 202
SW3):
vlan 303 name FINANCE vlan 202 name MARKETING
int e0/0 switchport mode access switchport access vlan 202
int e0/1 switchport mode access switchport access vlan 303
int e0/3 switchport mode trunk switchport encapsulation dot1q switchport trunk allowed vlan 303, 202
Question 13: (Labs)
Guidelines
This is a lab item in which tasks will be performed on virtual devices.
1.
Refer to the Tasks tab to view the tasks for this lab item.
2.
Refer to the Topology tab to access the device console(s) and perform the tasks.
3.
Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
4.
All necessary preconfigurations have been applied.
5.
Do not change the enable password or hostname for any device.
6.
Save your configurations to NVRAM before moving to the next item.
7.
Click Next at the bottom of the screen to submit this lab and move to the next question.
8.
When Next is clicked, the lab doses and cannot be reopened.
Topology
Tasks
All physical cabling is in place. A company plans to deploy 16 new sites. The sites will utilize both IPv4 and IPv6 networks.
1.
Subnet 10.20.0.0/16 to meet the subnet requirements and maximize the number of hosts
Using the second subnet Assign the first usable IP address to e0/0 on Sw101 Assign the last usable IP address to e0/0 on Sw102
2.
Subnet 2001:db8::/52 to meet the subnet requirements and maximize the number of hosts
Using the second subnet Assign an IPv6 GUA using a unique 64-Bit interface identifier on e0/0 on Sw101 Assign an IPv6 GUA using a unique 64-Bit interface identifier on e0/0 on Sw102
A. Check the below
B. Place Holder
C. Place Holder
D. Place Holder
Correct Answer: A
Q14: Which summary address must be advertised in OSPF?
Refer to the exhibit.
Router R1 receives static routing updates from routers A, B, C, and D. The network engineer wants R1 to advertise static routes in OSPF area 1.
A. 10.1.41.0/25
B. 10.1.40.0/24
C. 10.1.40.0/25
D. 10.1.40.0/23
Correct Answer: D
Q15: What does physical access control regulate?
A. access to spec fie networks based on business function
B. access to servers to prevent malicious activity
C. access 😮 computer networks and file systems
D. access to networking equipment and facilities
Correct Answer: D
Whether you’re revisiting networking fundamentals or polishing your skills for the final exam push, incorporating updated practice material keeps your preparation relevant and targeted. The CCNA remains the most respected entry-level networking certification, and staying aligned with the latest question patterns will give you a real advantage.
