CCNA 200-301
Compressed Course
CCNA 200-301 v1.1 Compressed Complete Exam Course
Purpose: A start-to-finish revision course for the active Cisco CCNA 200-301 v1.1 exam.
Use: Learn the decision rules, practise the commands, then return to the rapid-review sections before exam day.
1. Exam Overview
What the exam is testing
Cisco currently describes Implementing and Administering Cisco Solutions (200-301 CCNA) v1.1 as a 120-minute exam associated with the CCNA certification. The official blueprint covers six areas:
- Network Fundamentals
- Network Access
- IP Connectivity
- IP Services
- Security Fundamentals
- Automation and Programmability
The blueprint is a guide to likely content rather than a promise that every delivery will contain only the listed items. Related topics can still appear where they support the tested skills.
Official references:
- Cisco exam page: https://www.cisco.com/site/us/en/learn/training-certifications/exams/ccna.html
- Cisco CCNA v1.1 blueprint: https://learningcontent.cisco.com/documents/marketing/exam-topics/200-301-CCNA-v1.1.pdf
- Cisco CCNA v1.1 release notes: https://learningcontent.cisco.com/documents/marketing/exam-topics/CCNA_1_1_release_notes.pdf
What changed in v1.1
The v1.1 update strengthened areas that are easy to overlook when studying older materials:
- Rapid PVST+ protection features: root guard, loop guard, BPDU filter, and BPDU guard
- Broader network-device management access, including cloud-managed access
- Generative AI, predictive AI, and machine learning in network operations
- REST API authentication types
- Configuration-management mechanisms including Ansible and Terraform
Do not study as though CCNA is only routing and switching. The routing and switching fundamentals remain central, but automation, security, wireless, and management-access decisions matter.
How to think like the exam
Most scenario questions become easier when you separate the task into four steps:
-
Identify the layer or function.
Is the problem physical, Layer 2, Layer 3, a network service, security, wireless, or automation? -
Find the decisive symptom.
Examples: CRC errors, a native VLAN mismatch, a missing route, hostname-only failure, a received BPDU on an edge port, or a rogue DHCP server. -
Apply the narrowest correct rule.
Do not choose a broad technology when a specific mechanism solves the stated problem. -
Reject distractors from the wrong layer.
A DNS failure does not explain duplex errors. OSPF does not solve a switching loop. PortFast does not replace a trunk. NTP does not resolve hostnames.
How to use this course
Use the guide in four passes:
- Pass 1: Learn the domain structure and the major decision rules.
- Pass 2: Practise the command patterns and compare confusing services.
- Pass 3: Work through scenario questions while explaining why the strongest distractor is wrong.
- Pass 4: Use Sections 8–10 for rapid revision.
2. Exam Domains
Official domain list and priorities
| Official domain | Weight | Priority | Main focus |
|---|---|---|---|
| 1.0 Network Fundamentals | 20% | High | Components, architectures, cabling, addressing, wireless principles, virtualization, switching |
| 2.0 Network Access | 20% | High | VLANs, trunks, LACP, Rapid PVST+, wireless infrastructure, management access |
| 3.0 IP Connectivity | 25% | Highest | Routing tables, forwarding decisions, static routes, single-area OSPFv2, first-hop redundancy |
| 4.0 IP Services | 10% | Medium | NAT, NTP, DHCP, DNS, SNMP, syslog, QoS, SSH, FTP/TFTP |
| 5.0 Security Fundamentals | 15% | High | Security concepts, ACLs, Layer 2 security, AAA, VPNs, WLAN security |
| 6.0 Automation and Programmability | 10% | Medium | Controllers, APIs, JSON, AI/ML, Ansible, Terraform |
Priority notes from the supplied practice bank
The source bank correctly emphasized the official weights and repeatedly tested the following high-value reasoning areas:
- IP Connectivity: longest-prefix matching, administrative distance, static routes, floating static routes, OSPF adjacency, router ID, DR/BDR, and first-hop redundancy
- Network Access: VLAN assignment, 802.1Q trunks, native VLAN behavior, LACP, STP roles, and STP protection features
- Security: ACL processing, DHCP snooping, dynamic ARP inspection, port security, AAA, and WLAN security
- Service choices: DNS vs DHCP, NTP vs syslog vs SNMP, shaping vs policing, SSH vs Telnet, TFTP vs FTP
- Automation: northbound vs southbound APIs, REST verbs, JSON, AI/ML, Ansible, and Terraform
What matters most
A good study plan does not treat every topic equally. Spend the most time on:
- Routing-table interpretation and forwarding decisions
- IPv4 subnetting
- VLANs, trunks, and inter-VLAN connectivity
- STP roles, PortFast, and guard features
- Static routing and single-area OSPFv2
- ACL logic and Layer 2 security
- Wireless architecture and WLAN settings
- Service-selection comparisons
- Controller-based networking, REST, JSON, Ansible, and Terraform
3. Start-to-Finish Study Path
Foundation
Study these first:
- Network components and their roles
- OSI-style layer reasoning: physical, Layer 2, Layer 3, and services
- Ethernet switching and MAC learning
- IPv4 addressing, private ranges, and subnetting
- IPv6 address types
- TCP vs UDP
- VLAN access ports and 802.1Q trunks
Foundation milestone: You can look at a simple symptom and identify the correct layer before considering commands.
Intermediate
Continue with:
- Inter-VLAN connectivity
- LACP EtherChannel
- Rapid PVST+ roles, states, and protections
- Routing-table interpretation
- Static IPv4 and IPv6 routes
- OSPFv2 single-area fundamentals
- NAT, DHCP, DNS, NTP, SNMP, syslog, QoS, SSH, FTP, and TFTP
- ACLs, AAA, VPNs, WLAN security, and Layer 2 security
Intermediate milestone: You can explain why one service, route, or switch feature is more appropriate than a plausible distractor.
Advanced
Finish with:
- Multi-step scenarios combining routing and route preference
- OSPF adjacency troubleshooting
- STP guard-feature selection
- Security feature dependencies, especially DHCP snooping and DAI
- Wireless controller, AP, switchport, and WLAN GUI relationships
- Controller-based networking, underlay, overlay, fabric, APIs, JSON, AI/ML, Ansible, and Terraform
- Timed elimination drills
Advanced milestone: You can solve unfamiliar scenarios by applying a short decision framework rather than recalling a memorized sentence.
Final review
In the final days:
- Rebuild the subnet table from memory.
- Practise route-selection order until it is automatic.
- Compare every commonly confused service in Section 5.
- Memorize STP protection-feature triggers.
- Review ACL top-down processing and implicit deny.
- Read JSON examples without hesitation.
- Revisit all quick memory rules in Section 8.
4. Core Concepts by Domain
Domain 1 — 1.0 Network Fundamentals
1.1 Network components
| Component | Primary role | Common distractor trap |
|---|---|---|
| Router | Forwards packets between IP networks using a routing table | A Layer 2 switch forwards frames inside a LAN; it is not the default inter-network forwarding answer |
| Layer 2 switch | Learns source MAC addresses and forwards Ethernet frames within VLANs | Do not choose it for routing between IP networks unless Layer 3 switching is explicitly involved |
| Layer 3 switch | Performs switching and routing, commonly using SVIs | Do not assume every switch is Layer 3 capable |
| Next-generation firewall | Enforces security policy; can provide deeper inspection | An IPS focuses on detection/prevention of malicious activity; do not confuse it with basic forwarding |
| IPS | Detects and can prevent malicious traffic | Not a default-gateway or VLAN-segmentation solution |
| Access point | Provides wireless client access to the wired LAN | A WLC manages AP behavior but is not the radio endpoint for users |
| Controller | Centralizes management or control functions | It does not replace the data-plane devices that forward traffic |
| Endpoint | Client device consuming network services | Not a routing or switching infrastructure device |
| Server | Provides application or network services | Do not select a server when a forwarding or security device is required |
| PoE switch port | Supplies electrical power and data over supported Ethernet cabling | DNS, DHCP, and routing do not supply power |
1.2 Architecture patterns
| Architecture | Recognize it when you see | Best-fit reasoning |
|---|---|---|
| Two-tier campus | Access and distribution functions are collapsed | Common for smaller or medium campus designs |
| Three-tier campus | Access, distribution, and core are separate | Use when scale and a dedicated high-speed core matter |
| Spine-leaf | Each leaf connects to each spine | Predictable east-west paths; common data-center pattern |
| WAN | Connects geographically separated networks | Think provider or internet transport between sites |
| SOHO | Small office or home office with few devices | Simple broadband router, AP, and endpoints |
| On-premises | Infrastructure hosted in the organization’s facilities | Local physical control |
| Cloud | Resources delivered from provider infrastructure | Elasticity and provider-managed components may matter |
Architecture trap
Do not select spine-leaf merely because multiple switches exist. The defining pattern is that each leaf connects to each spine. Do not select three-tier for a small design that collapses core and distribution.
1.3 Cabling and interface issues
| Medium | Best use | Main advantage | Trap |
|---|---|---|---|
| Single-mode fiber | Long-distance links | Long reach and resistance to electromagnetic interference | Usually unnecessary for a short low-cost in-building connection |
| Multimode fiber | Shorter fiber links, often within a building or data center | Fiber benefits with lower-cost optics for shorter distances | Not the longest-distance answer |
| Copper twisted pair | Endpoint access and PoE | Cost-effective and supports power delivery | More susceptible to distance limits and interference than fiber |
Interface troubleshooting clues
| Symptom | Think first |
|---|---|
| Late collisions after manual configuration changes | Duplex mismatch |
| Rapidly increasing CRC errors | Physical cabling, connector, or interference issue |
| One side forced to 100 Mb/s and the other to 1 Gb/s | Speed mismatch |
| Interface administratively disabled | shutdown state |
| Link physically unavailable | Cable, transceiver, remote port, power, or physical layer |
1.4 TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection-oriented | Yes | No |
| Ordered delivery | Yes | No guarantee |
| Reliability and retransmission | Yes | No built-in guarantee |
| Lower overhead | No | Yes |
| Typical scenario clue | File transfer, SSH, reliable application session | Voice, streaming, DNS query, timely telemetry |
Decision rule: If the question stresses reliable ordered delivery, choose TCP. If it stresses low overhead and timely delivery where retransmission may be less valuable than freshness, choose UDP.
1.5 IPv4 addressing and subnetting
Private IPv4 ranges
| Range | CIDR |
|---|---|
| 10.0.0.0–10.255.255.255 | 10.0.0.0/8 |
| 172.16.0.0–172.31.255.255 | 172.16.0.0/12 |
| 192.168.0.0–192.168.255.255 | 192.168.0.0/16 |
Fast subnet table
| Prefix | Mask | Block size in changing octet | Total addresses | Usable hosts |
|---|---|---|---|---|
| /24 | 255.255.255.0 | 256 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 4 | 2 |
Subnetting method
For a host such as 192.168.10.77/27:
/27gives a block size of32.- Subnet boundaries in the last octet are
0, 32, 64, 96, .... 77falls in64–95.- Network address:
192.168.10.64 - Broadcast address:
192.168.10.95 - Usable range:
192.168.10.65–192.168.10.94
Common subnetting trap
If asked for the network and broadcast, do not answer with the first and last usable host. Read the wording carefully.
1.6 IPv6 essentials
| Address type | Typical prefix or example | Meaning |
|---|---|---|
| Global unicast | 2000::/3 |
Publicly routable unicast space |
| Unique local | FC00::/7, commonly locally assigned from FD00::/8 |
Private-like local use |
| Link-local | FE80::/10 |
Local-link communication; not routed beyond the link |
| Multicast | FF00::/8 |
One-to-many delivery |
| Loopback | ::1 |
Local host |
| Unspecified | :: |
No address assigned |
| Anycast | Same unicast address assigned to multiple interfaces | Traffic reaches a suitable instance, usually nearest by routing |
Modified EUI-64: A method for constructing an interface identifier from a MAC address. Know the concept and recognize the transformation pattern.
1.7 Client IP verification
| Client OS | Useful command |
|---|---|
| Windows | ipconfig /all |
| Linux | ip addr show |
| macOS | ifconfig |
1.8 Wireless principles
- SSID: The WLAN name clients select.
- RF: Radio-frequency behavior, including attenuation and interference.
- 2.4-GHz nonoverlapping-channel memory rule: Commonly use 1, 6, and 11.
- Encryption: Wireless access is not secure merely because an SSID exists.
- Metal, distance, obstacles, and interference sources can reduce signal quality.
1.9 Virtualization
| Technology | What it isolates |
|---|---|
| Server virtualization | Multiple virtual machines on a hypervisor |
| Containers | Isolated application environments sharing the host OS kernel |
| VRFs | Separate routing tables on the same routing device |
Trap: A VRF separates routing contexts. It is not a VLAN, container, or hypervisor.
1.10 Ethernet switching
A switch normally:
- Learns the source MAC address on the ingress port.
- Looks up the destination MAC address.
- Forwards a known unicast frame out the matching port.
- Floods an unknown unicast frame within the same VLAN, except out the ingress port.
- Removes stale dynamic MAC entries after aging.
Trap: Switches learn from the source MAC, not the destination MAC.
Domain 2 — 2.0 Network Access
2.1 VLANs, access ports, voice VLANs, and inter-VLAN connectivity
Access port
A workstation in VLAN 20:
interface GigabitEthernet1/0/10
switchport mode access
switchport access vlan 20
Data and voice on an endpoint-facing port
interface GigabitEthernet1/0/10
switchport mode access
switchport access vlan 20
switchport voice vlan 120
The workstation uses the data VLAN; the IP phone uses the voice VLAN.
Inter-VLAN connectivity
Devices in different VLANs need Layer 3 forwarding. Common methods:
- Router-on-a-stick with router subinterfaces and 802.1Q encapsulation
- Layer 3 switch using SVIs and routing
Trap: Assigning VLANs does not automatically create inter-VLAN communication.
2.2 Trunks, 802.1Q, and native VLANs
A trunk carries multiple VLANs over one link.
interface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99
Key rules:
- 802.1Q tags VLAN traffic across the trunk.
- Native VLAN traffic is untagged by default.
- Native VLAN configuration should match on both ends.
- A native VLAN mismatch can create operational and security problems.
- An access port normally carries one data VLAN for an endpoint.
Exam trap: Do not configure an interswitch multi-VLAN link as an access port.
2.3 CDP and LLDP
| Protocol | Vendor scope | Purpose |
|---|---|---|
| CDP | Cisco proprietary | Discover directly connected Cisco neighbors |
| LLDP | Standards-based | Discover directly connected neighbors in mixed-vendor environments |
Common commands:
show cdp neighbors
show lldp neighbors
2.4 EtherChannel and LACP
EtherChannel bundles physical links into one logical channel. LACP is the standards-based negotiation protocol.
| LACP side 1 | LACP side 2 | Forms? |
|---|---|---|
| Active | Active | Yes |
| Active | Passive | Yes |
| Passive | Passive | No |
Rules:
- Member interfaces must be configured consistently.
- For a Layer 2 channel, align trunk/access settings, VLANs, and related parameters.
- For a Layer 3 channel, configure members consistently as routed interfaces before adding them to the channel as appropriate.
Trap: LACP passive does not initiate negotiation. Passive plus passive fails.
2.5 Rapid PVST+
Why spanning tree exists
Redundant Layer 2 paths can cause loops. STP preserves redundancy while preventing uncontrolled forwarding loops.
Core terms
| Term | Meaning |
|---|---|
| Root bridge | The switch with the lowest bridge ID |
| Root port | Best path toward the root bridge on a nonroot switch |
| Designated port | Forwarding port selected for a segment |
| Alternate port | Backup path in a discarding state |
| PortFast | Allows an edge port to transition rapidly for endpoint connectivity |
Rapid STP states
- Discarding
- Learning
- Forwarding
Protection features
| Feature | Trigger or goal | Result | Best-fit scenario |
|---|---|---|---|
| BPDU guard | BPDU received on an edge/PortFast port | Typically error-disables the port | Block an unexpected switch connected to an endpoint port |
| Root guard | Superior BPDU received where a downstream switch must not become root | Places port into root-inconsistent behavior | Prevent an access-layer switch from influencing root election |
| Loop guard | Expected BPDUs stop arriving on a protected non-designated path | Prevents unsafe transition to forwarding | Reduce risk from unidirectional or BPDU-loss conditions |
| BPDU filter | Suppresses BPDU sending/processing depending on configuration | Removes STP visibility | Use with caution; it can create loop risk |
STP decision rules
- Lowest bridge ID becomes root.
- Root port is the best path toward the root bridge.
- PortFast belongs on endpoint-facing edge ports, not arbitrary interswitch trunks.
- BPDU guard and BPDU filter are not interchangeable.
2.6 Wireless architectures and AP modes
| Pattern | Recognize it when |
|---|---|
| Controller-based architecture | Lightweight APs are centrally managed by a WLC |
| Autonomous AP | AP operates with more local configuration and independence |
| Local AP mode | Normal client-serving operation |
| Monitor AP mode | AP observes RF conditions rather than serving normal clients |
| FlexConnect use case | Remote-site AP behavior supports branch use cases when controller connectivity is constrained |
Wireless infrastructure connections
- An AP-facing switchport may be an access port when only one locally switched VLAN is required.
- A trunk may be needed when multiple VLANs must traverse the AP-facing connection.
- WLC uplinks may use link aggregation depending on design.
- WLANs map wireless client traffic into appropriate wired VLANs.
2.7 Management access
| Method | Encrypted? | Best use |
|---|---|---|
| Console | Local, out-of-band style access | Initial setup or recovery |
| Telnet | No | Recognize as insecure legacy remote CLI |
| SSH | Yes | Secure remote CLI |
| HTTP | No | Insecure browser management |
| HTTPS | Yes | Secure browser management |
| TACACS+ | Centralized AAA | Common network-device administration use case |
| RADIUS | Centralized AAA | Common network access and authentication use case |
| Cloud-managed | Provider dashboard or platform | Centralized device management through a cloud service |
2.8 WLAN GUI reasoning
When reviewing WLAN GUI questions, verify:
- WLAN exists and is enabled.
- SSID is correct.
- VLAN mapping is correct.
- Security method matches the requirement.
- Client PSK matches when WPA2 PSK is used.
- QoS profile aligns with the application need.
- Advanced settings do not contradict the design.
Domain 3 — 3.0 IP Connectivity
3.1 Routing-table interpretation
Example:
O 10.20.30.0/24 [110/20] via 192.0.2.2
Interpretation:
| Element | Meaning |
|---|---|
O |
Learned by OSPF |
10.20.30.0/24 |
Destination prefix |
110 |
Administrative distance |
20 |
Protocol metric |
192.0.2.2 |
Next hop |
Useful route codes:
| Code | Meaning |
|---|---|
C |
Connected |
L |
Local host route for an interface address |
S |
Static |
S* |
Candidate default static route |
O |
OSPF |
Gateway of last resort
A default route is used when no more-specific route matches.
IPv4 default prefix:
0.0.0.0/0
IPv6 default prefix:
::/0
3.2 The route-selection order
Use this order:
-
Longest prefix match
Choose the route with the most specific matching prefix. -
Administrative distance
If multiple route sources provide the same prefix length, prefer the more trusted source with the lower AD. -
Metric
Compare the routing protocol’s metric when choosing among comparable routes learned by the same protocol.
Example routes:
10.0.0.0/8
10.20.0.0/16
10.20.30.0/24
0.0.0.0/0
Destination 10.20.30.55 uses 10.20.30.0/24.
Common administrative distances
| Route source | AD |
|---|---|
| Connected | 0 |
| Static | 1 |
| OSPF | 110 |
Major trap: Do not compare AD before prefix length. A more-specific route wins the prefix match even if another route source has a lower AD for a less-specific prefix.
3.3 Static routing
IPv4 default route
ip route 0.0.0.0 0.0.0.0 203.0.113.1
IPv4 network route
ip route 10.50.0.0 255.255.0.0 192.0.2.2
IPv4 host route
ip route 203.0.113.25 255.255.255.255 192.0.2.2
A host route uses /32.
IPv6 static route
ipv6 route 2001:DB8:50::/64 2001:DB8:FF::2
Floating static route
A floating static route is a backup route with a higher AD than the primary route source.
ip route 10.50.0.0 255.255.0.0 198.51.100.2 200
If OSPF is primary with AD 110, a static route with AD 200 remains less preferred until OSPF disappears.
Trap: A static route with default AD 1 normally beats OSPF. Increase the AD when the static route must float behind OSPF.
3.4 Single-area OSPFv2
Neighbor adjacency checklist
When two OSPF routers fail to become neighbors, investigate:
- OSPF enabled on the correct interfaces
- Matching area IDs
- Compatible hello and dead timers
- Compatible network type
- Correct connected IP addressing and subnet relationship
- Unique router IDs
- Authentication compatibility if configured
- MTU issues where relevant to adjacency progress
Router ID selection
General selection order:
- Explicitly configured router ID
- Highest loopback IPv4 address
- Highest active physical-interface IPv4 address
For deterministic operation, configure the router ID explicitly.
Broadcast and point-to-point links
| Network type | DR/BDR election? | Reason |
|---|---|---|
| Broadcast Ethernet | Yes | Reduces adjacency complexity on a shared segment |
| Point-to-point | No | Only two routers participate |
DR/BDR election
On a broadcast network:
- Higher OSPF interface priority is preferred.
- Router ID is used as a tie-breaker among eligible routers.
- Election timing matters; do not assume preemption behavior that was not stated.
3.5 First-hop redundancy
Hosts often use a default gateway. If that gateway is one physical router with no redundancy, its failure breaks off-subnet connectivity.
A first-hop redundancy protocol provides:
- A virtual IP address used by hosts as the default gateway
- An active forwarding router
- A standby or alternate router able to assume responsibility
Trap: Hosts normally point to the virtual gateway, not the physical router’s individual address.
Domain 4 — 4.0 IP Services
4.1 NAT
Static inside-source NAT
Use when one inside local address should consistently map to one public address.
Conceptual form:
ip nat inside source static 10.10.10.10 198.51.100.10
Pool-based NAT
Use when a defined group of inside local addresses should translate using addresses from a public pool.
Reasoning sequence:
- Identify inside and outside interfaces.
- Define the inside source addresses, commonly with an ACL.
- Define the public NAT pool.
- Apply the inside-source translation rule.
- Verify translations.
Trap: NAT solves address translation. It does not solve DNS, NTP, switching loops, or DHCP trust.
4.2 NTP
NTP synchronizes device clocks.
| Role | Meaning |
|---|---|
| NTP client | Receives time from an upstream source |
| NTP server role | Provides time to downstream clients |
Why it matters:
- Comparable log timestamps
- Easier event correlation
- Consistent troubleshooting records
4.3 DHCP and DNS
| Service | Main role | Scenario clue |
|---|---|---|
| DHCP | Supplies IP parameters such as address, mask, default gateway, and DNS server | New endpoint needs automatic addressing |
| DNS | Resolves names to addresses | IP access works but hostname access fails |
| DHCP relay | Forwards DHCP requests between client subnet and centralized DHCP server | Clients and DHCP server are on different subnets |
Common relay command on the client-facing Layer 3 interface:
ip helper-address 192.0.2.50
Trap: DHCP can provide the DNS-server address, but DHCP does not resolve names.
4.4 SNMP and syslog
| Service | Main role |
|---|---|
| SNMP | Monitoring, polling, and notifications using management information |
| Syslog | Centralized operational event messages with severity levels |
Syslog severity levels
| Level | Name |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notification |
| 6 | Informational |
| 7 | Debugging |
Memory aid: Every Awesome Cisco Engineer Will Need Icecream Daily.
4.5 QoS per-hop behavior
| QoS action | What it does | Key distinction |
|---|---|---|
| Classification | Identifies traffic categories | Decides what traffic is |
| Marking | Writes a value such as DSCP | Labels traffic for downstream treatment |
| Queuing | Holds packets awaiting transmission | Used when the outbound interface is congested |
| Congestion management | Determines treatment under contention | Prioritization and scheduling matter |
| Policing | Drops or remarks traffic above an allowed rate | Immediate enforcement |
| Shaping | Buffers and releases traffic at a controlled rate | Smooths bursts by delaying traffic |
Major trap: Policing drops or remarks excess traffic. Shaping buffers and delays it.
4.6 Secure remote access with SSH
Typical preparation steps:
hostname R1
ip domain-name example.local
username admin secret StrongSecret
crypto key generate rsa
line vty 0 4
login local
transport input ssh
Trap: Telnet is remote CLI but does not encrypt the session.
4.7 TFTP vs FTP
| Protocol | Main characteristic | Best-fit clue |
|---|---|---|
| TFTP | Simple UDP-based file transfer with minimal features | Controlled environment and simplicity |
| FTP | Authenticated file-transfer capability with separate control behavior | Credentials and richer transfer features required |
Domain 5 — 5.0 Security Fundamentals
5.1 Security concepts
| Term | Meaning |
|---|---|
| Threat | Potential actor or event capable of causing harm |
| Vulnerability | Weakness that could be abused |
| Exploit | Technique or code that takes advantage of a vulnerability |
| Mitigation | Control that reduces likelihood or impact |
Trap: A vulnerability is the weakness. An exploit is the method used against the weakness.
5.2 Security program elements
Security is not only configuration:
- User-awareness training
- Phishing recognition and reporting
- Physical access control for equipment rooms
- Operational procedures
- Credential-handling policy
5.3 Local device access control
Common IOS ideas:
enable secret StrongEnableSecret
username admin secret StrongUserSecret
line console 0
login local
line vty 0 4
login local
transport input ssh
enable secret is preferred over relying on weakly protected password storage.
Trap: service password-encryption provides limited obfuscation. Do not treat it as a strong modern cryptographic control.
5.4 Password alternatives and stronger authentication
| Control | What it adds |
|---|---|
| MFA | More than one authentication factor |
| Certificates | Signed digital credentials for identity validation |
| Biometrics | Physical or behavioral user characteristic |
| Password policy | Length, complexity, management, and lifecycle expectations |
5.5 VPN types
| VPN type | Scenario |
|---|---|
| Site-to-site IPsec VPN | Encrypted connectivity between networks or branches |
| Remote-access VPN | Encrypted user access from a remote endpoint into the organization |
Trap: A branch-to-branch requirement is not a remote-user-only use case.
5.6 ACLs
ACL logic is sequential:
- Process entries from top to bottom.
- Stop at the first match.
- Apply the implicit deny when no entry matches.
Standard ACL
Standard ACLs filter mainly on source IPv4 address.
access-list 10 deny host 10.10.10.25
access-list 10 permit any
Wildcard masks
| Subnet mask | Wildcard mask |
|---|---|
| 255.255.255.0 | 0.0.0.255 |
| 255.255.255.128 | 0.0.0.127 |
| 255.255.255.192 | 0.0.0.63 |
| 255.255.255.255 | 0.0.0.0 |
Example:
access-list 10 permit 10.20.30.0 0.0.0.255
Extended ACL context
Extended ACLs can filter using more detail, such as protocol, source, destination, and ports. A useful placement rule of thumb:
- Standard ACL: place closer to the destination when practical
- Extended ACL: place closer to the source when practical
Major trap: A subnet mask and a wildcard mask are inverses. Do not use 255.255.255.0 where IOS expects 0.0.0.255.
5.7 Layer 2 security
| Feature | Protects against or controls | Key dependency or trap |
|---|---|---|
| DHCP snooping | Rogue DHCP server behavior; builds trusted bindings | Mark only appropriate uplinks or server-facing ports as trusted |
| Dynamic ARP inspection | ARP spoofing | Commonly validates against trusted DHCP snooping bindings |
| Port security | MAC learning limits and violation handling on access ports | Does not replace DHCP snooping or DAI |
Decision sequence: Rogue DHCP server? Think DHCP snooping. ARP spoofing? Think DAI. Too many unexpected MAC addresses on an access port? Think port security.
5.8 AAA
| AAA function | Question it answers |
|---|---|
| Authentication | Who are you? |
| Authorization | What are you allowed to do? |
| Accounting | What did you do and when? |
5.9 Wireless security
| Protocol | Relative position |
|---|---|
| WPA | Older improvement over obsolete WEP-era security |
| WPA2 | Widely used stronger option; know WPA2 PSK GUI configuration |
| WPA3 | Strongest of WPA, WPA2, and WPA3 when supported and appropriate |
For a WPA2 PSK WLAN:
- Create or select the WLAN.
- Map it to the correct VLAN.
- Select WPA2 PSK security.
- Enter the correct preshared key.
- Verify clients use the same PSK.
- Check QoS and advanced settings when symptoms persist.
Domain 6 — 6.0 Automation and Programmability
6.1 Why automation matters
Automation can improve:
- Consistency
- Repeatability
- Scale
- Speed
- Version-controlled change processes
- Reduction of manual configuration drift
Automation does not eliminate the need for validation, change control, testing, or human judgment.
6.2 Traditional and controller-based networking
| Model | Main idea |
|---|---|
| Traditional | Configuration and control behavior are handled device by device |
| Controller-based | A logically centralized system provides broader policy and control functions while devices still forward traffic |
Planes
| Plane | Role |
|---|---|
| Data plane | Forwards traffic |
| Control plane | Makes forwarding decisions and builds forwarding information |
| Management plane | Supports configuration, monitoring, and administration |
6.3 Underlay, overlay, and fabric
| Term | Meaning |
|---|---|
| Underlay | Physical devices and links carrying traffic |
| Overlay | Virtualized network relationships built across the underlay |
| Fabric | Integrated architecture that provides structured connectivity and policy behavior |
API direction
| API type | Direction |
|---|---|
| Northbound API | Applications communicate with the controller |
| Southbound API | Controller communicates with infrastructure devices |
Trap: Northbound does not mean “toward the internet.” It means toward applications consuming controller services.
6.4 AI and machine learning in network operations
| Term | Best-fit scenario |
|---|---|
| Generative AI | Produces or summarizes content, such as a draft remediation plan |
| Predictive AI | Uses historical data to estimate likely future conditions, such as failure probability |
| Machine learning | Learns patterns from data for classification, detection, or prediction |
Decision rule: AI-generated output can assist operations, but validate recommendations before implementation.
6.5 REST APIs
CRUD and HTTP verbs
| CRUD action | Common HTTP verb |
|---|---|
| Create | POST |
| Read | GET |
| Update or replace | PUT |
| Partial update | PATCH |
| Delete | DELETE |
REST characteristics
Know how to recognize:
- Resources
- URIs
- HTTP methods
- Request and response data
- Status codes at a high level
- Authentication approaches, such as credentials, tokens, or API keys depending on implementation
- JSON encoding
Trap: GET retrieves. POST commonly creates. DELETE removes. Do not choose a verb because it merely “sounds active.”
6.6 Ansible and Terraform
| Tool | Best-fit description |
|---|---|
| Ansible | Automation and configuration management commonly expressed through human-readable playbooks |
| Terraform | Declarative infrastructure-as-code approach for defining and managing infrastructure resources and lifecycle |
Both support repeatable, reviewable workflows. Neither removes the need for testing.
6.7 JSON
Example:
{
"hostname": "R1",
"enabled": true,
"interfaces": ["GigabitEthernet0/1", "GigabitEthernet0/2"],
"metric": 20
}
Recognize:
| JSON element | Example |
|---|---|
| Object | { ... } |
| Key | "hostname" |
| String | "R1" |
| Boolean | true |
| Array | [ ... ] |
| Number | 20 |
| Null | null |
Trap: JSON braces define objects. Brackets define arrays.
5. Service Selection Guide
Core service map
| Requirement | Choose | Do not confuse it with |
|---|---|---|
| Resolve hostname to IP address | DNS | DHCP |
| Automatically supply client IP parameters | DHCP | DNS |
| Reach a centralized DHCP server from another subnet | DHCP relay | NAT |
| Translate inside addresses to public addresses | NAT | ACL filtering |
| Synchronize device clocks | NTP | Syslog |
| Collect operational events | Syslog | SNMP polling |
| Poll device health and receive management notifications | SNMP | Syslog-only logging |
| Secure remote CLI | SSH | Telnet |
| Secure browser management | HTTPS | HTTP |
| Simple UDP file transfer | TFTP | FTP |
| Authenticated richer file-transfer use case | FTP | TFTP |
| Vendor-neutral neighbor discovery | LLDP | CDP |
| Cisco-focused neighbor discovery | CDP | LLDP |
| Centralized device administration AAA | TACACS+ | Local-only passwords |
| General centralized authentication use cases | RADIUS | DHCP |
| Block rogue DHCP messages on access ports | DHCP snooping | Port security |
| Validate ARP messages against trusted information | DAI | DHCP relay |
| Restrict learned MAC addresses on an access port | Port security | BPDU guard |
| Buffer and smooth excess traffic | Shaping | Policing |
| Drop or remark excess traffic immediately | Policing | Shaping |
Management-access selection
| Scenario phrase | Best answer |
|---|---|
| “Secure remote command line” | SSH |
| “Legacy unencrypted remote command line” | Telnet |
| “Secure browser-based administration” | HTTPS |
| “Initial setup after loss of remote access” | Console |
| “Centralized command authorization and accounting” | TACACS+ |
| “Cloud dashboard for device administration” | Cloud-managed access |
Security-feature selection
| Scenario phrase | Think |
|---|---|
| “Unexpected BPDU on an endpoint port” | BPDU guard |
| “Do not let downstream switch become root” | Root guard |
| “BPDUs stop arriving and a blocked path must not forward unsafely” | Loop guard |
| “Suppress BPDUs” | BPDU filter, with caution |
| “Rogue DHCP server” | DHCP snooping |
| “ARP spoofing” | DAI |
| “Too many MAC addresses on one access port” | Port security |
| “Who are you?” | Authentication |
| “Which commands may you run?” | Authorization |
| “Record what happened” | Accounting |
6. Architecture Patterns
Pattern 1: Small campus with collapsed layers
Scenario: A modest campus needs access switching and policy aggregation but does not justify a separate high-speed core.
Recommended solution: Two-tier campus design.
Why alternatives fail:
- Three-tier adds a separate core when the scenario does not require that scale.
- Spine-leaf is a different topology pattern, common for east-west-heavy environments such as data centers.
- SOHO is too small and simple for a campus design.
Pattern 2: Large campus with separate core
Scenario: Multiple distribution blocks require a dedicated high-speed backbone.
Recommended solution: Three-tier campus design.
Why alternatives fail:
- Two-tier collapses core and distribution and may not fit the stated scale.
- Spine-leaf has a different connectivity pattern.
Pattern 3: Predictable east-west connectivity
Scenario: Each leaf switch connects to each spine switch.
Recommended solution: Spine-leaf.
Why alternatives fail: Merely having redundant uplinks does not make a topology spine-leaf.
Pattern 4: Multi-VLAN interswitch connection
Scenario: VLANs 10, 20, and 30 must cross one link between switches.
Recommended solution: 802.1Q trunk.
Why alternatives fail:
- An access port carries an endpoint VLAN, not multiple interswitch VLANs.
- A routed port changes the design and does not extend Layer 2 VLANs.
- PortFast is not a VLAN-transport mechanism.
Pattern 5: Resilient Layer 2 uplink
Scenario: Two compatible parallel links should behave as one logical connection.
Recommended solution: EtherChannel using LACP.
Why alternatives fail:
- Passive plus passive will not negotiate.
- HSRP is first-hop gateway redundancy, not link bundling.
- STP alone does not combine bandwidth into one logical channel.
Pattern 6: Redundant default gateway
Scenario: Hosts should retain off-subnet connectivity if one router fails.
Recommended solution: First-hop redundancy with a virtual gateway IP.
Why alternatives fail:
- DNS does not provide gateway redundancy.
- Every endpoint should not need manual reconfiguration during a gateway failure.
- LACP bundles links; it does not provide a virtual default gateway.
Pattern 7: Centralized wireless design
Scenario: Lightweight APs require centralized management.
Recommended solution: Controller-based WLAN architecture using a WLC.
Why alternatives fail:
- Autonomous AP design is more locally managed.
- A Layer 3 route does not replace WLAN control.
- A trunk or access port is part of wired integration, not the controller itself.
Pattern 8: Controller-based programmable network
Scenario: Applications request services from a controller, and the controller programs infrastructure.
Recommended mapping:
- Application to controller: northbound API
- Controller to devices: southbound API
- Physical devices and links: underlay
- Virtualized network relationships: overlay
7. Exam Traps
Misleading wording patterns
| Wording | What to notice |
|---|---|
| “Most specific route” | Longest prefix match |
| “Backup static route only if OSPF fails” | Floating static route with AD higher than OSPF |
| “Untagged traffic on the trunk” | Native VLAN |
| “Unexpected switch connected to user port” | BPDU guard |
| “Downstream switch must not become root” | Root guard |
| “IP address works, hostname fails” | DNS |
| “Clients need automatic address parameters” | DHCP |
| “Remote DHCP server on another subnet” | DHCP relay |
| “Excess traffic is buffered” | Shaping |
| “Excess traffic is dropped or remarked” | Policing |
| “Retrieve an API resource” | GET |
| “Create an API resource” | POST |
| “Objects and arrays” | JSON |
| “Branch-to-branch encrypted tunnel” | Site-to-site IPsec VPN |
| “Traveling employee secure access” | Remote-access VPN |
Wrong-but-plausible answers
-
Correct technology, wrong layer
Example: selecting DNS for a duplex mismatch. -
Correct service, wrong symptom
Example: selecting DHCP because DNS settings are delivered through DHCP, even though the actual failure is hostname resolution. -
Correct security feature, wrong attack
Example: selecting port security for ARP spoofing instead of DAI. -
Correct routing concept, wrong order
Example: comparing administrative distance before longest prefix match. -
Correct STP term, wrong trigger
Example: selecting root guard when an edge port receives a BPDU; BPDU guard is the direct match. -
Correct management protocol, insecure variant
Example: Telnet instead of SSH, or HTTP instead of HTTPS. -
Correct file-transfer category, wrong capability
Example: TFTP when authenticated richer transfer behavior is required. -
Correct API family, wrong verb
Example: POST for retrieval instead of GET.
Elimination strategy
For a four-option question:
- Remove answers that operate at the wrong layer.
- Remove answers that contradict a required security or reliability property.
- Remove answers with the wrong scope: endpoint-only, link-only, VLAN-only, or network-wide.
- Compare the two remaining choices against the exact symptom.
- Prefer the answer that solves the stated issue with the fewest assumptions.
Command-reading strategy
When reading IOS syntax:
- Identify whether the command belongs to interface mode, line mode, or global configuration.
- Check whether the address mask is a subnet mask or a wildcard mask.
- Confirm whether the question asks for a network route, host route, or default route.
- Verify whether the static route must be primary or floating.
- Check whether a switchport should be access or trunk.
- Confirm whether a protocol is secure or legacy.
8. Quick Memory Rules
Rules of thumb
- Switches learn source MAC addresses.
- Unknown unicast Ethernet frames are flooded within the VLAN, except out the ingress port.
- Router forwarding begins with longest prefix match.
- After prefix length, use administrative distance across route sources.
- Compare the routing protocol’s metric within the relevant protocol decision.
/32means one IPv4 host route.0.0.0.0/0is the IPv4 default route.::/0is the IPv6 default route.- OSPF broadcast network: think DR/BDR.
- OSPF point-to-point network: no DR/BDR election.
- LACP passive plus passive: no channel.
- Native VLAN traffic is untagged by default on an 802.1Q trunk.
- PortFast is for endpoint-facing edge ports.
- Shaping buffers; policing drops or remarks.
- DNS resolves names; DHCP distributes addressing parameters.
- DAI protects ARP; DHCP snooping protects DHCP trust; port security limits MAC learning.
- Authentication = identity, authorization = permissions, accounting = records.
- Northbound = application to controller; southbound = controller to devices.
- REST read = GET; create = POST; delete = DELETE.
- JSON braces
{}are objects; brackets[]are arrays.
“If you see X, think Y”
| If you see | Think |
|---|---|
| CRC errors increasing | Physical layer issue |
| Late collisions and manually configured link settings | Duplex mismatch |
| Building-to-building link with interference concern | Fiber |
| Need long-distance fiber | Single-mode fiber |
| Shorter lower-cost fiber link | Multimode fiber |
| Workstation plus IP phone | Data VLAN plus voice VLAN |
| Several VLANs across one switch link | Trunk |
| Untagged frames across trunk | Native VLAN |
| Standards-based neighbor discovery | LLDP |
| Standards-based link bundling | LACP |
| Lowest bridge ID | Root bridge |
| BPDU received on edge port | BPDU guard |
| Superior BPDU must not change root | Root guard |
| Expected BPDUs disappear on protected path | Loop guard |
Address begins with FE80 |
IPv6 link-local |
Address begins with FF |
IPv6 multicast |
| Hostname fails but IP works | DNS |
| Logs disagree on time | NTP |
| Central log messages | Syslog |
| Monitoring polling or traps | SNMP |
| Secure remote CLI | SSH |
| Simple UDP file copy | TFTP |
| Remote user encrypted access | Remote-access VPN |
| Branch-to-branch encrypted access | Site-to-site IPsec VPN |
| Rogue DHCP offers | DHCP snooping |
| ARP spoofing | DAI |
| Retrieve API resource | GET |
| Create API resource | POST |
| Draft remediation summary from an AI system | Generative AI |
| Failure forecast from historical telemetry | Predictive AI |
| Human-readable automation playbook | Ansible |
| Declarative infrastructure lifecycle | Terraform |
Subnet arithmetic memory
- Block size =
256 - mask valuein the changing octet. - Find the boundary immediately below the host.
- Network = lower boundary.
- Broadcast = next boundary minus 1.
- First usable = network plus 1.
- Last usable = broadcast minus 1.
9. Final Revision Notes
Highest-yield review points
Routing
- Read route codes, prefixes, next hops, AD, metrics, and default routes.
- Use route-selection order correctly.
- Recognize default, network, host, IPv6, and floating static routes.
- Troubleshoot OSPF area, timer, network-type, router-ID, and interface participation issues.
- Know why broadcast links elect DR/BDR and point-to-point links do not.
- Explain the purpose of a virtual gateway in first-hop redundancy.
Switching and network access
- Configure access ports, data VLANs, voice VLANs, trunks, allowed VLANs, and native VLANs.
- Distinguish CDP and LLDP.
- Know LACP active/passive behavior.
- Explain STP root, root port, designated port, alternate port, PortFast, and guard features.
- Connect APs and WLCs using access, trunk, or LAG reasoning that matches the WLAN design.
Addressing
- Calculate
/24through/30subnet boundaries quickly. - Recognize private IPv4 ranges.
- Recognize IPv6 global, unique-local, link-local, multicast, anycast, loopback, and unspecified concepts.
- Know client commands for Windows, Linux, and macOS.
Services
- DNS vs DHCP vs DHCP relay
- NAT static vs pool-based translation
- NTP vs SNMP vs syslog
- Classification vs marking vs queuing vs shaping vs policing
- SSH vs Telnet
- FTP vs TFTP
Security
- Threat vs vulnerability vs exploit vs mitigation
- MFA, certificates, biometrics, and password policy
- Site-to-site vs remote-access VPNs
- ACL top-down processing, wildcard masks, and implicit deny
- DHCP snooping, DAI, and port security
- Authentication, authorization, and accounting
- WPA, WPA2, WPA3, and WPA2 PSK GUI settings
Automation
- Traditional vs controller-based networking
- Data plane, control plane, and management plane
- Underlay, overlay, and fabric
- Northbound vs southbound APIs
- Generative AI vs predictive AI vs ML
- CRUD and HTTP verbs
- JSON objects, arrays, keys, strings, numbers, Booleans, and null
- Ansible vs Terraform
Last-day revision list
- Write the subnet table from memory.
- Solve five longest-prefix-match questions.
- Write one default, one host, one IPv6, and one floating static route.
- Review the OSPF adjacency checklist.
- Recite the four STP protection features and their triggers.
- Compare DHCP snooping, DAI, and port security.
- Compare DNS, DHCP, NTP, SNMP, and syslog.
- Compare shaping and policing.
- Recite CRUD-to-HTTP mappings.
- Read one JSON object and identify every data type.
- Explain Ansible and Terraform in one sentence each.
- Revisit the elimination strategy.
10. Exam-Day Checklist
Must-know topics
Network Fundamentals
- I can identify routers, L2 switches, L3 switches, firewalls, IPS, APs, controllers, endpoints, servers, and PoE use cases.
- I can distinguish two-tier, three-tier, spine-leaf, WAN, SOHO, on-premises, and cloud patterns.
- I can select single-mode fiber, multimode fiber, or copper for a scenario.
- I can recognize CRC errors, collisions, duplex mismatches, and speed mismatches.
- I can compare TCP and UDP.
- I can subnet IPv4 quickly and recognize private IPv4 ranges.
- I can classify common IPv6 address types.
- I can verify client IP settings on Windows, Linux, and macOS.
- I understand SSID, RF, nonoverlapping channels, and encryption.
- I understand virtualization, containers, VRFs, and basic switching behavior.
Network Access
- I can configure VLAN access and voice ports.
- I can explain inter-VLAN connectivity.
- I can configure and verify 802.1Q trunks and native VLANs.
- I can compare CDP and LLDP.
- I can reason about LACP active and passive modes.
- I can identify root bridge, root port, designated port, alternate port, and PortFast.
- I can select BPDU guard, root guard, loop guard, or BPDU filter from a scenario.
- I understand controller-based wireless architecture, AP modes, AP/WLC physical connections, and WLAN GUI settings.
- I can choose console, Telnet, SSH, HTTP, HTTPS, TACACS+, RADIUS, or cloud-managed access appropriately.
IP Connectivity
- I can interpret routing-table components.
- I apply longest prefix match before AD and metric.
- I can configure default, network, host, IPv6, and floating static routes.
- I can troubleshoot single-area OSPFv2 adjacencies.
- I know OSPF router-ID selection.
- I know where DR/BDR election occurs.
- I understand first-hop redundancy and virtual gateways.
IP Services
- I understand static and pool-based inside-source NAT.
- I can choose NTP client and server roles.
- I can distinguish DHCP, DNS, and DHCP relay.
- I can distinguish SNMP and syslog.
- I know syslog severity levels.
- I can compare classification, marking, queuing, congestion, policing, and shaping.
- I can configure SSH access conceptually.
- I can distinguish FTP and TFTP.
Security Fundamentals
- I can distinguish threats, vulnerabilities, exploits, and mitigations.
- I understand security awareness and physical access controls.
- I can configure local passwords and secure remote login conceptually.
- I understand password policy, MFA, certificates, and biometrics.
- I can choose site-to-site or remote-access IPsec VPNs.
- I can process ACLs top-down and calculate wildcard masks.
- I can choose DHCP snooping, DAI, or port security.
- I can distinguish authentication, authorization, and accounting.
- I can compare WPA, WPA2, and WPA3 and recognize WPA2 PSK GUI tasks.
Automation and Programmability
- I understand why automation improves consistency and scale.
- I can compare traditional and controller-based networks.
- I can distinguish underlay, overlay, and fabric.
- I can distinguish control plane, data plane, and management plane.
- I can distinguish northbound and southbound APIs.
- I can distinguish generative AI, predictive AI, and ML.
- I know REST authentication at a high level and can map CRUD to HTTP verbs.
- I can distinguish Ansible and Terraform.
- I can read basic JSON.
Final confidence checklist
- I answer the exact symptom, not a nearby concept.
- I eliminate options from the wrong layer first.
- I do not compare administrative distance before prefix length.
- I check whether IOS expects a subnet mask or wildcard mask.
- I distinguish secure and insecure management protocols.
- I select the narrowest feature that directly solves the scenario.
- I can explain why the strongest wrong answer fails.
- I have completed timed practice and reviewed my error patterns.
Appendix A — Compact IOS Command Patterns
VLAN access and voice port
interface GigabitEthernet1/0/10
switchport mode access
switchport access vlan 20
switchport voice vlan 120
Trunk
interface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99
Default route
ip route 0.0.0.0 0.0.0.0 203.0.113.1
Host route
ip route 203.0.113.25 255.255.255.255 192.0.2.2
Floating static route
ip route 10.50.0.0 255.255.0.0 198.51.100.2 200
IPv6 route
ipv6 route 2001:DB8:50::/64 2001:DB8:FF::2
DHCP relay
interface GigabitEthernet0/1
ip helper-address 192.0.2.50
SSH preparation
hostname R1
ip domain-name example.local
username admin secret StrongSecret
crypto key generate rsa
line vty 0 4
login local
transport input ssh
Standard ACL
access-list 10 deny host 10.10.10.25
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 permit any
Appendix B — One-Page Mental Model
When a scenario appears, ask:
-
Is it physical?
Cable, fiber type, CRC, collisions, speed, duplex. -
Is it Layer 2?
MAC learning, VLAN, trunk, native VLAN, LACP, STP, BPDU guard, root guard, loop guard, port security, DHCP snooping, DAI. -
Is it Layer 3?
IPv4, IPv6, subnet, route table, longest prefix, AD, metric, static route, OSPF, virtual gateway. -
Is it a network service?
NAT, DHCP, DNS, NTP, SNMP, syslog, QoS, SSH, FTP, TFTP. -
Is it security?
ACL, AAA, VPN, WLAN security, credential policy, physical access. -
Is it automation?
Controller, plane separation, underlay, overlay, API direction, REST verb, JSON structure, AI/ML, Ansible, Terraform.
Then choose the smallest answer that directly satisfies the requirement.
Appendix C — Source-Bank Synthesis Notes
The supplied practice bank contained:
- 1,100 questions
- 275 IP Connectivity questions
- 220 Network Fundamentals questions
- 220 Network Access questions
- 165 Security Fundamentals questions
- 110 IP Services questions
- 110 Automation and Programmability questions
This matches the official blueprint weighting. Repeated question patterns were consolidated into the decision rules, comparison tables, architecture patterns, and trap lists in this course rather than repeated question-by-question.
Unlock the full course
All 59 modules with detailed explanations, code examples, and exam tips.
How should the address 10.44.7.9 be classified?
Get Your Personalized Results
Enter your email to receive your score, weak-topic analysis, and a personalized revision plan.
Results sent! Check your inbox.
This Question is Locked
You're viewing 35 of 1100 free questions.
trending_up Certified pros earn 20-30% more
Higher salary: IT certifications add $12,000-$25,000/year on average to your paycheck
Job security: 87% of hiring managers prefer candidates with certifications : you become irreplaceable
More opportunities: Freelance gigs, remote roles, and promotions open up instantly
Practice all questions: Comprehensive practice is the #1 predictor of passing
Mock Exam : Upgrade to Unlock
Available in Q&A + Course + Mock Exam package
You've already started : one exam away from a career upgrade.