Cisco CCNA 200-301

Every CCNA topic — frames, packets, ports, applications — is referenced by OSI layer number. Mastering the 7-layer model first gives you the vocabulary for the rest of the exam and a systematic way to troubleshoot.

• OSI 7 Layers: Physical (bits on the wire), Data Link (frames & MAC addressing), Network (packets & IP routing), Transport (segments & reliability), Session (connection management), Presentation (data formatting & encryption), Application (user-facing protocols)
• TCP/IP Model: A four-layer practical model — Network Access, Internet, Transport, Application — that maps directly to how the Internet works
• TCP vs UDP: TCP provides reliable, ordered delivery with a three-way handshake (SYN, SYN-ACK, ACK) and flow control; UDP is connectionless, offering lower latency for real-time traffic like VoIP and video streaming
• Protocol Data Units (PDUs): Data is encapsulated at each layer — data at L7-L5, segments/datagrams at L4, packets at L3, frames at L2, bits at L1
• Common Protocols by Layer: L7: HTTP, HTTPS, DNS, DHCP, SMTP, FTP. L4: TCP (port 80, 443, 22), UDP (port 53, 67/68, 161). L3: IP, ICMP, OSPF. L2: Ethernet, 802.11 Wi-Fi

A user reports "the web app won't load". Walk the OSI stack bottom-up: Layer 1 — check link light on the switch port + show interfaces Gi0/1 status for connected. Layer 2 — verify MAC learning with show mac address-table, ARP resolution with show arp. Layer 3 — ping the default gateway, then traceroute the destination. Layer 4 — telnet 10.10.10.5 443 to confirm the port is open. Last: Layer 7 — DNS resolution with nslookup. Each layer eliminated narrows the fault.

CCNA tests your ability to pick the right topology for a given scenario and to identify Cisco's canonical campus designs (two-tier, three-tier, spine-leaf). Topology choice drives everything from cabling to STP behaviour.

• LAN (Local Area Network): Connects devices in a limited geographic area such as an office floor; typically uses Ethernet (802.3) at 1 Gbps or 10 Gbps
• WAN (Wide Area Network): Connects geographically separated LANs; technologies include MPLS, Metro Ethernet, point-to-point leased lines, and Internet VPNs
• Star Topology: All end devices connect to a central switch. Most common in modern LANs because a single link failure only affects one device
• Mesh Topology: Every device connects to every other device. Full mesh provides redundancy but is costly; partial mesh is more practical in WANs
• Two-Tier vs Three-Tier Architecture: Small campuses use a collapsed core/distribution design (two-tier). Large enterprises add a core layer for high-speed backbone switching (three-tier: access, distribution, core)

Design task: a 4-floor office, 600 users, plus a data center with 40 racks. Pick: three-tier campus — access switches per floor (Cisco 9200), distribution switches per IDF closet (Cisco 9300 stacks), core switches in the MDF (Cisco 9500 pair). The data center uses spine-leaf — every leaf connects to every spine, no STP blocking, deterministic 2-hop latency. Validate with show cdp neighbors at each tier to confirm uplinks are wired as designed.

Subnetting is the single most-tested CCNA skill. The exam expects you to subnet under time pressure with no calculator — VLSM, host counts, broadcast addresses, valid host ranges. Memorise the powers of 2 and the magic-number method.

• IPv4 Address Structure: 32-bit address written in dotted decimal (e.g., 192.168.1.1). Divided into a network portion and a host portion by the subnet mask
• Subnet Masks & CIDR: A /24 mask (255.255.255.0) gives 254 usable hosts. CIDR notation replaced classful addressing, enabling Variable Length Subnet Masking (VLSM) for efficient IP allocation
• Private IP Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — defined in RFC 1918, not routable on the public Internet, used with NAT
• Subnetting Practice: Given 192.168.10.0/24, borrowing 3 bits creates 8 subnets (/27), each with 30 usable hosts. The formula: 2^(borrowed bits) = subnets; 2^(remaining host bits) - 2 = usable hosts
• Special Addresses: Network address (all host bits 0), broadcast address (all host bits 1), loopback (127.0.0.0/8), link-local (169.254.0.0/16 for APIPA)

Task: subnet 10.20.30.0/24 for four VLANs needing 50, 25, 10, and 2 hosts. Solution (VLSM, largest first): VLAN A (50 hosts) → 10.20.30.0/26 (62 hosts, mask 255.255.255.192). VLAN B (25) → 10.20.30.64/27 (30 hosts). VLAN C (10) → 10.20.30.96/28 (14 hosts). VLAN D (2, point-to-point) → 10.20.30.112/30 (2 hosts). Verify with show ip route connected after assigning gateway IPs to each L3 SVI.

IPv6 is a significant portion of CCNA 200-301. The exam tests address shortening, prefix classification, SLAAC, and NDP — IPv6 replaces ARP with ICMPv6 Neighbor Discovery and has no broadcast at all.

• IPv6 Address Format: 128-bit address written as eight groups of four hex digits separated by colons (e.g., 2001:0DB8:ACAD:0001:0000:0000:0000:0001). Leading zeros can be omitted; one group of consecutive all-zero fields can be replaced with ::
• Address Types: Global Unicast (GUA, 2000::/3) is the equivalent of public IPv4. Link-Local (FE80::/10) is auto-configured on every interface and used for neighbor discovery. Unique Local (FC00::/7) is similar to RFC 1918 private addresses
• EUI-64: A method to auto-generate the 64-bit interface ID from the 48-bit MAC address by inserting FFFE in the middle and flipping the 7th bit
• SLAAC & DHCPv6: Stateless Address Autoconfiguration uses Router Advertisements to provide the prefix; DHCPv6 can supply additional information (stateless) or manage full addressing (stateful)
• NDP (Neighbor Discovery Protocol): Replaces ARP in IPv6 using ICMPv6 messages — Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS), and Router Advertisement (RA)

Task: enable IPv6 SLAAC on a router LAN interface. On R1: ipv6 unicast-routing, then on interface Gi0/0 apply ipv6 address 2001:db8:cafe:1::1/64 + no shutdown. The router begins sending Router Advertisements to FF02::1 (all-nodes multicast). A connected host auto-generates its address as 2001:db8:cafe:1: + its EUI-64 interface ID. Verify with show ipv6 interface brief + on the host ipconfig /all (Windows) or ip -6 addr (Linux). Reachability test: ping ipv6 FE80::1%Gi0/0 (note the scope ID).

Switching is Layer 2 — frames, MAC addresses, and forwarding tables. CCNA tests the exact mechanics of how a switch learns, ages, and forwards frames, plus the difference between cut-through and store-and-forward.

• MAC Addresses: 48-bit hardware addresses (e.g., AA:BB:CC:DD:EE:FF) burned into the NIC. The first 24 bits are the OUI (vendor), the last 24 bits are the device identifier
• Switch Forwarding Methods: Store-and-forward (receives full frame, checks CRC, then forwards) vs cut-through (forwards as soon as it reads the destination MAC, lower latency but no error checking)
• MAC Address Table: Switches learn source MACs dynamically and associate them with the ingress port. Unknown unicast frames are flooded out all ports except the source port
• Full Duplex & Speed: Modern switches auto-negotiate speed (10/100/1000 Mbps) and duplex. Duplex mismatches cause collisions and poor performance — a common troubleshooting scenario
• Ethernet Frame: Preamble (7 bytes), SFD (1 byte), Destination MAC (6), Source MAC (6), Type/Length (2), Payload (46-1500), FCS (4). The minimum frame size is 64 bytes

Two PCs on SW1: PC-A (Fa0/1) pings PC-B (Fa0/2) for the first time. Step 1: PC-A sends an ARP request — broadcast frame, dest MAC FFFF.FFFF.FFFF. SW1 learns PC-A's MAC on Fa0/1 and floods the broadcast out every other port. Step 2: PC-B replies — SW1 learns PC-B's MAC on Fa0/2 and forwards the unicast back to Fa0/1 only. Verify with show mac address-table dynamic. Duplex/speed must match on both ends — check with show interfaces Fa0/1 looking for Full-duplex, 1000Mb/s.

VLANs are among the most heavily tested CCNA topics. The exam expects you to configure access ports, 802.1Q trunks, native VLAN, and inter-VLAN routing (router-on-a-stick or L3 switch SVIs) under time pressure.

• VLANs: Logically segment a single physical switch into multiple broadcast domains. Each VLAN acts as a separate LAN — traffic between VLANs requires a Layer 3 device (router or L3 switch)
• Access Ports: Assigned to exactly one VLAN. The switch strips any VLAN tag before delivering the frame to the end device. Configured with switchport mode access and switchport access vlan X
• Trunk Ports (802.1Q): Carry traffic for multiple VLANs between switches. Each frame is tagged with a 4-byte 802.1Q header (TPID + TCI with 12-bit VLAN ID). The native VLAN is sent untagged
• Native VLAN: Frames on the native VLAN (default VLAN 1) cross the trunk untagged. Native VLAN mismatches between switches cause traffic leakage. Best practice: change the native VLAN from VLAN 1 and match it on both ends
• Inter-VLAN Routing: Router-on-a-stick uses subinterfaces on a single router port, each configured with a VLAN encapsulation and gateway IP. SVIs (Switch Virtual Interfaces) on a Layer 3 switch are more efficient

Task: configure router-on-a-stick for VLANs 10 (data) and 20 (voice) between SW1 and R1. On SW1: vlan 10, vlan 20; on interface Fa0/1 (uplink to R1) switchport mode trunk + switchport trunk allowed vlan 10,20. On R1: interface Gi0/0.10, encapsulation dot1Q 10, ip address 10.10.10.1 255.255.255.0; repeat for .20 subinterface with VLAN 20. Verify with show interfaces trunk on SW1 + show ip route connected on R1. Ping cross-VLAN to confirm routing.

STP keeps redundant Layer 2 networks loop-free. CCNA tests root-bridge election, port roles/states, classic STP vs RSTP, and the Cisco-specific Per-VLAN Spanning Tree Plus (PVST+). Tuning STP is one of the design questions on every CCNA attempt.

• Purpose of STP (802.1D): Prevents Layer 2 loops by placing redundant ports in a blocking state. Without STP, broadcast storms would saturate the network, and MAC address tables would become unstable
• Root Bridge Election: The switch with the lowest Bridge ID (priority + MAC address) becomes the root bridge. Default priority is 32768; configure a lower priority to control root bridge placement
• Port Roles: Root port (best path toward the root bridge), Designated port (best port on each segment, forwards traffic), Alternate/Blocked port (redundant path, does not forward)
• Port States: Blocking (receives BPDUs only), Listening (processes BPDUs, no MAC learning), Learning (learns MACs but does not forward), Forwarding (fully operational). Classic STP convergence takes 30-50 seconds
• Rapid STP (802.1w): Reduces convergence to a few seconds using proposal/agreement mechanism. Port roles include Alternate (backup root port) and Backup (backup designated port). Port states simplified to Discarding, Learning, Forwarding

Task: force the core switch (CORE-SW) to be the root for VLAN 10. On CORE-SW: spanning-tree vlan 10 root primary (sets priority to 24576). On the backup core (CORE2): spanning-tree vlan 10 root secondary (priority 28672). Globally on every switch: spanning-tree mode rapid-pvst for fast convergence. Verify with show spanning-tree vlan 10 — confirm CORE-SW is "This bridge is the root". Edge access ports get spanning-tree portfast + spanning-tree bpduguard enable to skip listening/learning and auto-shut on rogue BPDUs.

EtherChannel bundles multiple physical links into one logical link so STP doesn't block any of them. CCNA tests the three modes (LACP, PAgP, static) and the mismatched-config gotchas that keep bundles from forming.

• Purpose: Bundles multiple physical links into a single logical channel, increasing bandwidth and providing redundancy. STP treats the bundle as one link, so no ports are blocked
• LACP (802.3ad): Industry-standard negotiation protocol. Interfaces can be set to Active (initiates) or Passive (responds). At least one side must be Active for the channel to form
• PAgP (Cisco proprietary): Uses Desirable (initiates) and Auto (responds) modes. At least one side must be Desirable. Not compatible with non-Cisco devices
• Static (mode on): Forces the EtherChannel without negotiation. Both sides must be set to on. No protocol messages exchanged, so misconfigurations are harder to detect
• Load Balancing: EtherChannel distributes traffic based on a hash of source/destination MAC, IP, or port. Verify the method with show etherchannel load-balance

Task: bundle Gi0/1 and Gi0/2 between SW1 and SW2 with LACP. On SW1: interface range Gi0/1-2, channel-group 1 mode active. On SW2: same range, channel-group 1 mode active (both sides active is fine; one-active-one-passive also works). The logical port appears as Port-channel1 — configure trunking on the Po1 interface, not the physical members. Verify with show etherchannel summary looking for the (SU) flag (S = Layer 2, U = in use). Mismatched speed, duplex, VLAN, or trunk mode prevents bundling.

Static routes are the foundation: predictable, no overhead, perfect for stub networks and default routes. CCNA tests the route-selection process — longest prefix match, administrative distance, and the floating-static pattern as backup to a dynamic protocol.

• Routing Table Components: Each entry contains the destination network, subnet mask, next-hop IP or exit interface, administrative distance (AD), and metric. The router uses the longest prefix match to select the best route
• Administrative Distance (AD): Determines route trustworthiness when multiple sources advertise the same prefix. Lower AD wins: Connected (0), Static (1), EIGRP (90), OSPF (110), RIP (120)
• Static Routes: Manually configured with ip route [network] [mask] [next-hop | exit-interface]. Useful for stub networks, backup paths (floating static with higher AD), and small networks
• Default Route: A static route to 0.0.0.0/0 that acts as the gateway of last resort. Matches any destination not found in the routing table. Essential for Internet connectivity
• IPv6 Static Routes: Configured with ipv6 route [prefix/length] [next-hop | exit-interface]. Link-local next hops require specifying the exit interface as well

Task: configure a default route to the ISP with an OSPF-learned backup. On the edge router: ip route 0.0.0.0 0.0.0.0 203.0.113.1 — points to the primary ISP. For redundancy with a second ISP learned via OSPF (AD 110), add a floating static: ip route 0.0.0.0 0.0.0.0 198.51.100.1 200 — the AD of 200 means it only installs if both the primary static and OSPF are gone. Verify with show ip route 0.0.0.0 showing the active gateway. Drop the primary link: show ip route reveals OSPF takes over; drop OSPF too and the floating static kicks in.

OSPFv2 is the only dynamic IGP CCNA tests in depth. The exam expects you to bring up adjacencies, identify neighbor states, calculate cost, and tune timers — all in the IOS CLI.

• OSPF Overview: Open Shortest Path First is a link-state protocol using Dijkstra's SPF algorithm. It uses cost (based on bandwidth) as its metric and supports VLSM and CIDR. OSPF operates over IP protocol 89
• OSPF Neighbors: Routers must agree on Hello interval (default 10s on broadcast), Dead interval (default 40s), area ID, subnet, authentication, and stub flags. Neighbors are discovered via Hello packets sent to 224.0.0.5
• Neighbor States: Down, Init, 2-Way, ExStart, Exchange, Loading, Full. A stable adjacency reaches the Full state. On broadcast networks, routers remain at 2-Way with non-DR/BDR neighbors
• DR/BDR Election: On multi-access segments, a Designated Router (DR) and Backup DR reduce OSPF traffic. Elected by highest priority (default 1), then highest Router ID. Priority 0 means the router cannot be DR/BDR
• OSPF Configuration: router ospf [process-id], network [address] [wildcard] area [area-id]. Alternatively, use ip ospf [process-id] area [area-id] directly on the interface

Task: bring up OSPF between R1 and R2 across 10.1.12.0/30. On R1: router ospf 1, router-id 1.1.1.1, network 10.1.12.0 0.0.0.3 area 0. On R2: same with router-id 2.2.2.2. Watch the neighbor progress through states with debug ip ospf adj — DOWN → INIT → 2-WAY → EXSTART → EXCHANGE → LOADING → FULL. Verify with show ip ospf neighbor looking for FULL/DR or FULL/BDR on the broadcast link, or FULL/- on a point-to-point. Tune cost on a slow link: ip ospf cost 100.

Multi-area OSPF reduces LSDB size and SPF churn. CCNA tests the LSA-type cheat-sheet and the route-code letters in show ip route output — that's how you tell an intra-area, inter-area, or external OSPF route apart.

• Why Multi-Area: Dividing a large OSPF domain into multiple areas reduces the size of the link-state database (LSDB), limits SPF recalculations, and summarizes routes at area boundaries
• Area 0 (Backbone): All areas must connect to Area 0, either directly or via a virtual link. ABRs (Area Border Routers) sit between Area 0 and non-backbone areas
• LSA Types: Type 1 (Router LSA) stays within an area. Type 2 (Network LSA) for multi-access segments. Type 3 (Summary LSA) advertised by ABRs between areas. Type 5 (External LSA) redistributed into OSPF by ASBRs
• Route Types: O (intra-area), O IA (inter-area from ABR), O E1/E2 (external routes). E2 routes have a fixed metric regardless of internal cost; E1 adds internal cost to the external metric
• Router Roles: Internal router (all interfaces in one area), ABR (interfaces in multiple areas including Area 0), ASBR (redistributes from another protocol), Backbone router (at least one interface in Area 0)

Task: configure ABR R2 between Area 0 (toward R1) and Area 10 (toward R3, stub area). On R2: router ospf 1, router-id 2.2.2.2, network 10.0.12.0 0.0.0.3 area 0, network 10.0.23.0 0.0.0.3 area 10, area 10 stub. On R3: matching config + area 10 stub (BOTH sides must declare the area type). R3's routing table now shows O IA routes for everything outside area 10 plus a default route from the ABR. Verify with show ip ospf database for the LSA inventory and show ip route ospf for the codes.

Hosts only know one default gateway IP. FHRP — HSRP, VRRP, GLBP — lets two or more routers share that IP so failure of one doesn't black-hole the LAN. CCNA focuses heavily on HSRP configuration.

• Problem Statement: End devices are configured with a single default gateway IP. If that router fails, all hosts lose connectivity. FHRP protocols provide a virtual IP shared between two or more routers for seamless failover
• HSRP (Cisco): Hot Standby Router Protocol uses an Active/Standby model. The router with the highest priority (default 100) becomes Active. Preemption must be explicitly enabled. Timers: Hello 3s, Hold 10s. Uses virtual MAC 0000.0c07.acXX
• VRRP (Open Standard): Virtual Router Redundancy Protocol uses a Master/Backup model. Preemption is enabled by default. The router whose real IP matches the virtual IP is automatically the Master (priority 255)
• GLBP (Cisco): Gateway Load Balancing Protocol provides both redundancy and load balancing by assigning different virtual MACs to different hosts via the AVG (Active Virtual Gateway) and AVF (Active Virtual Forwarder) roles
• HSRP Versions: HSRPv1 uses group numbers 0-255 and multicast 224.0.0.2. HSRPv2 supports groups 0-4095, uses multicast 224.0.0.102, and supports IPv6

Task: configure HSRP group 10 on R1 (primary) and R2 (standby) for VLAN 10 SVI 10.10.10.0/24, virtual IP 10.10.10.1. On R1 (interface Vlan10): standby version 2, standby 10 ip 10.10.10.1, standby 10 priority 110, standby 10 preempt. On R2: same with default priority 100 — R1 wins. Without preempt, after R1 reboots it stays Standby; with it, R1 reclaims Active on recovery. Verify with show standby brief showing Active on R1 and Standby on R2.

NAT translates private addresses to public ones. CCNA tests the four-name terminology (inside local, inside global, outside local, outside global) and the PAT (overload) configuration that's everywhere in real networks.

• Static NAT: One-to-one mapping between a private (inside local) and public (inside global) IP address. Used for servers that need consistent reachability from the Internet. Configured with ip nat inside source static [local] [global]
• Dynamic NAT: Maps private IPs to a pool of public IPs on a first-come, first-served basis. Uses an ACL to define which inside addresses are translated and a pool to define the available public addresses
• PAT (Port Address Translation): Also called NAT overload. Many private IPs share a single public IP, differentiated by unique source port numbers. This is the most common form of NAT used in home and enterprise networks
• NAT Terminology: Inside Local (private IP on the inside network), Inside Global (translated public IP), Outside Local (destination as seen from inside), Outside Global (actual destination on the Internet)
• Verification: show ip nat translations displays the active translation table. show ip nat statistics shows hit counts, misses, and pool usage. clear ip nat translation * flushes all entries

Task: PAT the entire 10.10.10.0/24 LAN behind the WAN interface Gi0/1. Step 1: access-list 1 permit 10.10.10.0 0.0.0.255 — defines who gets translated. Step 2: ip nat inside source list 1 interface Gi0/1 overload — the overload keyword is what makes it PAT (port-mux). Step 3: on the LAN interface ip nat inside; on the WAN interface ip nat outside. Verify with show ip nat translations — each session shows inside-local:port ↔ inside-global:port. Use debug ip nat if a session fails to translate.

DHCP and DNS are the two services every CCNA candidate must be able to configure on IOS — DHCP server, DHCP relay with ip helper-address, and the standard DNS record types.

• DHCP DORA Process: Discover (client broadcast to find servers), Offer (server proposes an IP), Request (client formally requests the offered IP), Acknowledge (server confirms the lease). All four messages are broadcast in the initial exchange
• DHCP Relay: When the DHCP server is on a different subnet, the router uses ip helper-address [server-ip] on the client-facing interface to forward DHCP broadcasts as unicast to the server
• DHCP Configuration on IOS: ip dhcp pool [name], network [subnet] [mask], default-router [gateway], dns-server [ip]. Exclude addresses with ip dhcp excluded-address [start] [end]
• DNS Record Types: A (hostname to IPv4), AAAA (hostname to IPv6), CNAME (alias to another hostname), MX (mail exchange server), NS (authoritative name server), PTR (reverse lookup, IP to hostname)
• DNS Resolution: Client queries local DNS resolver, which checks its cache, then performs recursive queries to root servers, TLD servers, and authoritative servers. DNS uses UDP port 53 (TCP for zone transfers and large responses)

Task: stand up a DHCP pool for VLAN 10 on R1, plus relay VLAN 20 broadcasts to an external DHCP server. Local pool: ip dhcp excluded-address 10.10.10.1 10.10.10.10, then ip dhcp pool VLAN10, network 10.10.10.0 /24, default-router 10.10.10.1, dns-server 8.8.8.8. Relay: on interface Vlan20 add ip helper-address 172.16.5.10 — DHCP broadcasts now get unicast-forwarded to the external server. Verify with show ip dhcp binding for active leases and show ip dhcp conflict for ping-detected conflicts.

Time sync and remote monitoring underpin every other CCNA topic — without correct timestamps, logs are useless; without SNMP, you have no visibility. The exam asks about NTP stratum levels and the difference between SNMPv2c and SNMPv3.

• NTP (Network Time Protocol): Synchronizes clocks across network devices using a hierarchical stratum model. Stratum 0 is an atomic clock; stratum 1 servers connect directly to it. Each additional hop adds one stratum level. Cisco IOS: ntp server [ip]
• NTP Importance: Accurate timestamps are critical for log correlation, certificate validation, authentication protocols (Kerberos), and troubleshooting. Clock skew can cause syslog events to be misinterpreted
• SNMP (Simple Network Management Protocol): Enables centralized monitoring and management. The NMS (Network Management System) polls agents on devices. Key components: MIB (Management Information Base), OIDs (Object Identifiers), community strings
• SNMP Versions: SNMPv1/v2c use community strings (plaintext, insecure). SNMPv3 provides authentication (AuthNoPriv) and encryption (AuthPriv) and is the recommended version for production networks
• SNMP Operations: Get (retrieve a specific OID), GetNext (walk through the MIB), Set (modify a value), Trap (unsolicited alert from agent to NMS), Inform (trap with acknowledgment)

Task: configure NTP and SNMPv3 on R1. NTP: ntp server 10.0.0.5, ntp server 10.0.0.6 (two for redundancy), clock timezone CET 1. Verify with show ntp associations — look for * on the selected master. SNMPv3: snmp-server group ADMINS v3 priv read READ-VIEW, then snmp-server user netadmin ADMINS v3 auth sha cisco123 priv aes 128 secretkey. snmp-server view READ-VIEW iso included. The NMS now polls R1 with both authentication and AES encryption — no plaintext community strings.

QoS is tested at the conceptual level on CCNA — classification, marking (CoS at L2, DSCP at L3), queuing (LLQ, CBWFQ), and trust boundaries. You don't need to write the policy-maps, but you must recognise the components.

• Why QoS: Network links have finite bandwidth. Without QoS, all traffic is treated equally (best effort), and latency-sensitive applications like VoIP suffer during congestion. QoS provides prioritization and bandwidth guarantees
• QoS Mechanisms: Classification (identify traffic types), Marking (tag packets with priority values), Queuing (schedule transmission order), Shaping & Policing (control bandwidth), Congestion avoidance (WRED drops before queue fills)
• Marking Values: Layer 2: CoS (Class of Service) in the 802.1Q tag, 3 bits (0-7). Layer 3: DSCP (Differentiated Services Code Point) in the IP header, 6 bits (0-63). Common DSCP values: EF (46) for voice, AF classes for data, CS values for backward compatibility
• Trust Boundaries: Define where in the network QoS markings are trusted. Typically at the access switch closest to the endpoint. Untrusted traffic gets re-marked at the boundary to prevent abuse
• Queuing: Weighted Fair Queuing (WFQ) allocates bandwidth proportionally. Low Latency Queuing (LLQ) adds a strict priority queue for real-time traffic. Class-Based WFQ (CBWFQ) allows custom bandwidth allocation per traffic class

Task: design a QoS plan for a campus VoIP rollout. Classify + mark voice traffic at the access edge: Cisco IP phone CDP-discovered → access switch trusts cos 5 via mls qos trust cos, mapped to DSCP EF (46). Data traffic gets cos 0. Queue at the WAN edge: policy-map WAN-OUT with class VOICE matching DSCP EF, priority percent 30 (LLQ). Everything else falls into class class-default fair-queue. Verify with show policy-map interface Gi0/1 for drops and queue depth.

The security domain is tested at a conceptual level — CIA triad, common threats, IDS vs IPS, firewalls, VPNs. Foundational vocabulary you'll see referenced in every other security question.

• CIA Triad: Confidentiality (data is accessible only to authorized parties — achieved through encryption), Integrity (data is not tampered with — verified through hashing like SHA-256), Availability (services are accessible when needed — protected via redundancy and DDoS mitigation)
• Common Threats: Phishing (social engineering via email), DDoS (flooding a target to deny service), Man-in-the-Middle (intercepting traffic between two parties), Malware (viruses, ransomware, trojans), Password attacks (brute force, dictionary)
• Defense in Depth: Multiple layers of security controls: firewalls, IPS/IDS, endpoint protection, access control, encryption, physical security. No single layer is sufficient alone
• Firewalls: Stateful firewalls track connection state and allow return traffic automatically. Next-Generation Firewalls (NGFW) add application awareness, intrusion prevention, and URL filtering
• VPNs: Site-to-site VPNs connect entire networks over encrypted tunnels (IPsec). Remote access VPNs allow individual users to securely connect to the corporate network (SSL/TLS or IPsec)

Task: design defense-in-depth for a small branch. Perimeter: Cisco ASA stateful firewall + IPS module — deny all inbound except whitelisted ports (HTTPS to the public web server, IPsec to HQ). Internal segmentation: VLANs per department, ACLs between SVIs blocking unnecessary east-west traffic. Endpoint: AnyConnect VPN for remote users (SSL-TLS), Umbrella DNS-layer filter. Site-to-site: IPsec tunnel to HQ using crypto isakmp policy + crypto map. Layered controls — compromise of any one doesn't grant blanket access.

ACLs filter traffic by Layer 3/4 headers. CCNA tests both standard and extended ACLs, the standard-near-destination / extended-near-source rule, and the silent implicit deny any at the end.

• Standard ACLs (1-99, 1300-1999): Filter traffic based on source IP address only. Place as close to the destination as possible to avoid unintentionally blocking traffic to other destinations
• Extended ACLs (100-199, 2000-2699): Filter by source IP, destination IP, protocol (TCP/UDP/ICMP), and port numbers. Place as close to the source as possible to drop unwanted traffic early
• Named ACLs: More readable and maintainable than numbered ACLs. Created with ip access-list standard|extended [name]. Support sequence numbers for inserting and reordering entries
• ACL Processing: Entries are evaluated top-down; the first match wins. Every ACL has an implicit deny any at the end. At least one permit statement is needed or all traffic is blocked
• Applying ACLs: Applied to an interface with ip access-group [name|number] in|out. Inbound ACLs filter traffic entering the interface; outbound ACLs filter traffic leaving. Only one ACL per interface, per direction, per protocol

Task: allow only the management subnet 10.10.99.0/24 to SSH to R1, deny everything else. Named extended ACL: ip access-list extended VTY-FILTER, permit tcp 10.10.99.0 0.0.0.255 any eq 22, deny ip any any log. Apply to the VTY lines: line vty 0 15, access-class VTY-FILTER in (note: access-class, not ip access-group, for VTY). Verify with show access-lists VTY-FILTER for hit counts. The log keyword sends syslog hits to the console — useful for chasing the source of denied attempts.

AAA — authentication, authorization, accounting — centralises identity decisions. CCNA expects you to know RADIUS vs TACACS+ trade-offs and the three roles in an 802.1X port-based auth deployment.

• AAA Framework: Authentication (who are you?), Authorization (what can you do?), Accounting (what did you do?). Can be implemented locally on the device or centrally via an external server
• RADIUS: Open standard (UDP 1812/1813). Combines authentication and authorization in a single response. Encrypts only the password field. Widely used for network access (Wi-Fi, VPN, 802.1X)
• TACACS+ (Cisco): Uses TCP port 49. Separates authentication, authorization, and accounting into independent processes. Encrypts the entire payload. Preferred for device administration (managing routers and switches)
• 802.1X Port-Based Access Control: Three roles — Supplicant (the client device), Authenticator (the switch), Authentication Server (RADIUS). The switch port stays unauthorized until the client successfully authenticates via EAP
• EAP Methods: EAP-TLS (mutual certificate authentication, most secure), PEAP (server certificate + client password), EAP-FAST (Cisco, uses PAC for fast reauthentication)

Task: configure 802.1X with RADIUS-backed authentication on access switch SW1. Global: aaa new-model, radius server ISE-1, address ipv4 10.10.5.10 auth-port 1812 acct-port 1813, key C1sco123, then aaa authentication dot1x default group radius, dot1x system-auth-control. Per port: interface Fa0/1, switchport mode access, authentication port-control auto, dot1x pae authenticator. The supplicant (laptop) sends EAPOL → SW1 relays to ISE → ISE evaluates → port transitions to authorized and applies the dynamic VLAN from the RADIUS Access-Accept attributes.

Wireless and Layer 2 security share a lesson because both prevent unauthorised access at the edge. CCNA tests WPA2 vs WPA3 differences, port security violation modes, and DHCP snooping as the foundation for Dynamic ARP Inspection.

• WPA2 (802.11i): Uses AES-CCMP encryption. WPA2-Personal uses a pre-shared key (PSK) suitable for home networks. WPA2-Enterprise uses 802.1X with a RADIUS server for per-user credentials
• WPA3: Successor to WPA2. WPA3-Personal uses SAE (Simultaneous Authentication of Equals) which protects against offline dictionary attacks. WPA3-Enterprise uses 192-bit cryptographic suite for sensitive environments
• Port Security: Limits the number of MAC addresses on a switch port. Violation modes: Protect (drops, no log), Restrict (drops + syslog), Shutdown (disables port, default). Configure with switchport port-security
• DHCP Snooping: Prevents rogue DHCP servers by classifying ports as trusted (toward legitimate DHCP server) or untrusted (toward clients). Builds a binding table used by Dynamic ARP Inspection (DAI)
• Wireless Architecture: Autonomous APs manage themselves. Lightweight APs (LAPs) are managed centrally by a Wireless LAN Controller (WLC) using CAPWAP (Control and Provisioning of Wireless Access Points) tunnels

Task: harden an access port and enable DHCP snooping. Port security: interface Fa0/5, switchport mode access, switchport port-security, switchport port-security maximum 2 (data + voice), switchport port-security violation restrict, switchport port-security mac-address sticky. DHCP snooping (global): ip dhcp snooping, ip dhcp snooping vlan 10,20. On the uplink toward the legitimate DHCP server: ip dhcp snooping trust. All other ports remain untrusted — DHCP server replies on those ports are dropped. Verify with show ip dhcp snooping binding.

The automation domain rewards conceptual fluency: the three planes (management, control, data), the difference between traditional and controller-based networks, and the value proposition of Infrastructure-as-Code for network operations.

• Why Automate: Manual CLI configuration does not scale. Automation reduces human error, ensures consistency across hundreds of devices, enables faster deployment, and supports version-controlled infrastructure
• Controller-Based Networking: Separates the control plane (decisions about where to send traffic) from the data plane (actual packet forwarding). A centralized controller manages the network programmatically through APIs
• Cisco DNA Center: Cisco's intent-based networking controller for campus networks. Provides automation, assurance (monitoring), policy management, and device provisioning through a GUI and APIs
• Traditional vs Controller-Based: Traditional networks configure each device individually via CLI. Controller-based networks push configurations from a central point, offering single-pane-of-glass management and network-wide visibility
• Infrastructure as Code (IaC): Network configurations stored as code files, versioned in Git, reviewed through pull requests, and deployed automatically. This brings software development practices to network operations

Task: contrast a 50-switch traditional deployment vs a DNA Center-managed fabric. Traditional: a NetOps engineer SSHes to each switch, pastes a VLAN/trunk config — 50 sessions, 50 chances to fat-finger. Controller-based: the engineer creates a network template in DNA Center, assigns it to the site, and DNA Center pushes the rendered config to every switch via NETCONF + telemetry. Drift detection alerts on any local CLI change. Provisioning a new switch: zero-touch — the box phones home via PnP, fetches its day-0 config, and joins the fabric.

REST APIs + JSON are the universal interface for modern network controllers. CCNA tests your ability to read JSON, identify HTTP methods, and map CRUD to REST verbs — no actual coding required.

• REST API Fundamentals: Representational State Transfer uses HTTP methods to interact with resources. Stateless: each request contains all the information needed. Resources are identified by URIs (e.g., /api/v1/devices)
• HTTP Methods: GET (retrieve data, safe/idempotent), POST (create a new resource), PUT (replace an entire resource), PATCH (partial update), DELETE (remove a resource). Response codes: 200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 404 Not Found
• JSON (JavaScript Object Notation): Lightweight data format using key-value pairs. Objects use curly braces {}, arrays use square brackets []. Values can be strings, numbers, booleans, null, objects, or arrays. Example: {"hostname": "R1", "interfaces": [{"name": "Gi0/0", "ip": "10.1.1.1"}]}
• YAML: Human-readable data serialization using indentation instead of braces. Often used in Ansible playbooks and configuration files. YAML is a superset of JSON
• XML: Uses opening and closing tags (like HTML). More verbose than JSON but still used in NETCONF and some legacy APIs. Example: <hostname>R1</hostname>

Task: query DNA Center's REST API for all switches. Step 1 (auth): POST /dna/system/api/v1/auth/token with basic-auth header returns a JSON { "Token": "eyJ..." }. Step 2 (query): GET /dna/intent/api/v1/network-device with header X-Auth-Token: eyJ.... Response is JSON: { "response": [{ "hostname": "SW1", "managementIpAddress": "10.10.5.11", ... }, ... ] }. Step 3 (create): POST a new device payload to the same endpoint to onboard a switch. CRUD ↔ HTTP: Create = POST, Read = GET, Update = PUT/PATCH, Delete = DELETE.

CCNA tests awareness of Ansible, Puppet, and Chef — not how to write playbooks. The exam asks which tool is agentless, which uses YAML, and what idempotency means for network state.

• Ansible: Agentless (uses SSH), written in Python, configurations defined in YAML playbooks. Push model: the control node connects to managed devices and applies changes. Most popular for network automation due to its simplicity and agentless nature
• Puppet: Agent-based (requires a Puppet agent on managed nodes), uses its own declarative language (Puppet DSL). Pull model: agents check in with the Puppet master for configuration updates. Strong in large-scale server environments
• Chef: Agent-based, configurations written in Ruby (called recipes and cookbooks). Pull model: the Chef client on each node pulls configurations from the Chef server. Common in DevOps environments
• Key Differences: Ansible is agentless (biggest advantage for networking); Puppet and Chef require agents. Ansible uses YAML; Puppet uses its own DSL; Chef uses Ruby. All three enforce desired state — they make the device match the defined configuration
• Idempotency: Running the same automation task multiple times produces the same result. If the device already matches the desired configuration, no changes are made. This prevents configuration drift

Task: push a standard SNMP config to 200 IOS switches via Ansible. Inventory file (YAML): lists every device hostname + IP + group. Playbook: uses the cisco.ios.ios_config module — applies the canonical snmp-server lines, only if missing. Run: ansible-playbook -i inventory.yml snmp.yml from the control host over SSH — no agent on the switches. The task is idempotent: rerun it tomorrow and nothing changes because the desired state already matches. Ansible Tower / AWX adds RBAC + scheduling on top.

SDN principles — separation of control and data planes, programmable APIs, centralised policy — underpin Cisco's SD-WAN and SD-Access products. CCNA tests the three-layer architecture, northbound vs southbound APIs, and the role of NETCONF/RESTCONF + YANG.

• SDN Architecture: Application layer (business apps), Control layer (SDN controller), Infrastructure layer (network devices). Northbound APIs connect apps to the controller; Southbound APIs/protocols connect the controller to devices
• Southbound Interfaces: OpenFlow (original SDN protocol, directly programs forwarding tables), NETCONF (uses XML over SSH, port 830, supports get-config and edit-config operations), RESTCONF (RESTful interface to NETCONF datastores, uses JSON or XML over HTTPS)
• Cisco SD-WAN: Extends SDN principles to the WAN. Components: vManage (management), vSmart (control plane), vBond (orchestration), vEdge/cEdge (data plane routers). Provides centralized policy, transport independence, and application-aware routing
• Cisco SD-Access: SDN solution for campus networks built on DNA Center. Uses VXLAN fabric for overlay networking and LISP for endpoint location. Automates microsegmentation through Scalable Group Tags (SGTs)
• Benefits of SDN: Centralized management, programmability via APIs, consistent policy enforcement, faster provisioning, network-wide visibility, and the ability to integrate with DevOps toolchains and CI/CD pipelines

Task: enable NETCONF on R1 and pull running config via RESTCONF. On R1: netconf-yang, restconf, plus an IOS user with privilege 15. From the controller / curl: GET https://10.0.0.1/restconf/data/Cisco-IOS-XE-native:native with header Accept: application/yang-data+json + basic auth. R1 returns the full running-config as JSON keyed by the Cisco IOS-XE YANG model. SD-WAN does the same conceptually but at scale — vManage pushes templates via NETCONF to every cEdge router; vSmart handles policy distribution; vBond brings new edges into the overlay.