Cert-Pass
Log in Sign up
arrow_back Cert

Cisco CCNA 200-301

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

CCNA 200-301

Compressed Course

CCNA 200-301 v1.1 Compressed Complete Exam Course

Purpose: A start-to-finish revision course for the active Cisco CCNA 200-301 v1.1 exam.
Use: Learn the decision rules, practise the commands, then return to the rapid-review sections before exam day.


1. Exam Overview

What the exam is testing

Cisco currently describes Implementing and Administering Cisco Solutions (200-301 CCNA) v1.1 as a 120-minute exam associated with the CCNA certification. The official blueprint covers six areas:

  1. Network Fundamentals
  2. Network Access
  3. IP Connectivity
  4. IP Services
  5. Security Fundamentals
  6. Automation and Programmability

The blueprint is a guide to likely content rather than a promise that every delivery will contain only the listed items. Related topics can still appear where they support the tested skills.

Official references:

What changed in v1.1

The v1.1 update strengthened areas that are easy to overlook when studying older materials:

  • Rapid PVST+ protection features: root guard, loop guard, BPDU filter, and BPDU guard
  • Broader network-device management access, including cloud-managed access
  • Generative AI, predictive AI, and machine learning in network operations
  • REST API authentication types
  • Configuration-management mechanisms including Ansible and Terraform

Do not study as though CCNA is only routing and switching. The routing and switching fundamentals remain central, but automation, security, wireless, and management-access decisions matter.

How to think like the exam

Most scenario questions become easier when you separate the task into four steps:

  1. Identify the layer or function.
    Is the problem physical, Layer 2, Layer 3, a network service, security, wireless, or automation?

  2. Find the decisive symptom.
    Examples: CRC errors, a native VLAN mismatch, a missing route, hostname-only failure, a received BPDU on an edge port, or a rogue DHCP server.

  3. Apply the narrowest correct rule.
    Do not choose a broad technology when a specific mechanism solves the stated problem.

  4. Reject distractors from the wrong layer.
    A DNS failure does not explain duplex errors. OSPF does not solve a switching loop. PortFast does not replace a trunk. NTP does not resolve hostnames.

How to use this course

Use the guide in four passes:

  • Pass 1: Learn the domain structure and the major decision rules.
  • Pass 2: Practise the command patterns and compare confusing services.
  • Pass 3: Work through scenario questions while explaining why the strongest distractor is wrong.
  • Pass 4: Use Sections 8–10 for rapid revision.

2. Exam Domains

Official domain list and priorities

Official domain Weight Priority Main focus
1.0 Network Fundamentals 20% High Components, architectures, cabling, addressing, wireless principles, virtualization, switching
2.0 Network Access 20% High VLANs, trunks, LACP, Rapid PVST+, wireless infrastructure, management access
3.0 IP Connectivity 25% Highest Routing tables, forwarding decisions, static routes, single-area OSPFv2, first-hop redundancy
4.0 IP Services 10% Medium NAT, NTP, DHCP, DNS, SNMP, syslog, QoS, SSH, FTP/TFTP
5.0 Security Fundamentals 15% High Security concepts, ACLs, Layer 2 security, AAA, VPNs, WLAN security
6.0 Automation and Programmability 10% Medium Controllers, APIs, JSON, AI/ML, Ansible, Terraform

Priority notes from the supplied practice bank

The source bank correctly emphasized the official weights and repeatedly tested the following high-value reasoning areas:

  • IP Connectivity: longest-prefix matching, administrative distance, static routes, floating static routes, OSPF adjacency, router ID, DR/BDR, and first-hop redundancy
  • Network Access: VLAN assignment, 802.1Q trunks, native VLAN behavior, LACP, STP roles, and STP protection features
  • Security: ACL processing, DHCP snooping, dynamic ARP inspection, port security, AAA, and WLAN security
  • Service choices: DNS vs DHCP, NTP vs syslog vs SNMP, shaping vs policing, SSH vs Telnet, TFTP vs FTP
  • Automation: northbound vs southbound APIs, REST verbs, JSON, AI/ML, Ansible, and Terraform

What matters most

A good study plan does not treat every topic equally. Spend the most time on:

  1. Routing-table interpretation and forwarding decisions
  2. IPv4 subnetting
  3. VLANs, trunks, and inter-VLAN connectivity
  4. STP roles, PortFast, and guard features
  5. Static routing and single-area OSPFv2
  6. ACL logic and Layer 2 security
  7. Wireless architecture and WLAN settings
  8. Service-selection comparisons
  9. Controller-based networking, REST, JSON, Ansible, and Terraform

3. Start-to-Finish Study Path

Foundation

Study these first:

  1. Network components and their roles
  2. OSI-style layer reasoning: physical, Layer 2, Layer 3, and services
  3. Ethernet switching and MAC learning
  4. IPv4 addressing, private ranges, and subnetting
  5. IPv6 address types
  6. TCP vs UDP
  7. VLAN access ports and 802.1Q trunks

Foundation milestone: You can look at a simple symptom and identify the correct layer before considering commands.

Intermediate

Continue with:

  1. Inter-VLAN connectivity
  2. LACP EtherChannel
  3. Rapid PVST+ roles, states, and protections
  4. Routing-table interpretation
  5. Static IPv4 and IPv6 routes
  6. OSPFv2 single-area fundamentals
  7. NAT, DHCP, DNS, NTP, SNMP, syslog, QoS, SSH, FTP, and TFTP
  8. ACLs, AAA, VPNs, WLAN security, and Layer 2 security

Intermediate milestone: You can explain why one service, route, or switch feature is more appropriate than a plausible distractor.

Advanced

Finish with:

  1. Multi-step scenarios combining routing and route preference
  2. OSPF adjacency troubleshooting
  3. STP guard-feature selection
  4. Security feature dependencies, especially DHCP snooping and DAI
  5. Wireless controller, AP, switchport, and WLAN GUI relationships
  6. Controller-based networking, underlay, overlay, fabric, APIs, JSON, AI/ML, Ansible, and Terraform
  7. Timed elimination drills

Advanced milestone: You can solve unfamiliar scenarios by applying a short decision framework rather than recalling a memorized sentence.

Final review

In the final days:

  • Rebuild the subnet table from memory.
  • Practise route-selection order until it is automatic.
  • Compare every commonly confused service in Section 5.
  • Memorize STP protection-feature triggers.
  • Review ACL top-down processing and implicit deny.
  • Read JSON examples without hesitation.
  • Revisit all quick memory rules in Section 8.

4. Core Concepts by Domain

Domain 1 — 1.0 Network Fundamentals

1.1 Network components

Component Primary role Common distractor trap
Router Forwards packets between IP networks using a routing table A Layer 2 switch forwards frames inside a LAN; it is not the default inter-network forwarding answer
Layer 2 switch Learns source MAC addresses and forwards Ethernet frames within VLANs Do not choose it for routing between IP networks unless Layer 3 switching is explicitly involved
Layer 3 switch Performs switching and routing, commonly using SVIs Do not assume every switch is Layer 3 capable
Next-generation firewall Enforces security policy; can provide deeper inspection An IPS focuses on detection/prevention of malicious activity; do not confuse it with basic forwarding
IPS Detects and can prevent malicious traffic Not a default-gateway or VLAN-segmentation solution
Access point Provides wireless client access to the wired LAN A WLC manages AP behavior but is not the radio endpoint for users
Controller Centralizes management or control functions It does not replace the data-plane devices that forward traffic
Endpoint Client device consuming network services Not a routing or switching infrastructure device
Server Provides application or network services Do not select a server when a forwarding or security device is required
PoE switch port Supplies electrical power and data over supported Ethernet cabling DNS, DHCP, and routing do not supply power

1.2 Architecture patterns

Architecture Recognize it when you see Best-fit reasoning
Two-tier campus Access and distribution functions are collapsed Common for smaller or medium campus designs
Three-tier campus Access, distribution, and core are separate Use when scale and a dedicated high-speed core matter
Spine-leaf Each leaf connects to each spine Predictable east-west paths; common data-center pattern
WAN Connects geographically separated networks Think provider or internet transport between sites
SOHO Small office or home office with few devices Simple broadband router, AP, and endpoints
On-premises Infrastructure hosted in the organization’s facilities Local physical control
Cloud Resources delivered from provider infrastructure Elasticity and provider-managed components may matter

Architecture trap

Do not select spine-leaf merely because multiple switches exist. The defining pattern is that each leaf connects to each spine. Do not select three-tier for a small design that collapses core and distribution.

1.3 Cabling and interface issues

Medium Best use Main advantage Trap
Single-mode fiber Long-distance links Long reach and resistance to electromagnetic interference Usually unnecessary for a short low-cost in-building connection
Multimode fiber Shorter fiber links, often within a building or data center Fiber benefits with lower-cost optics for shorter distances Not the longest-distance answer
Copper twisted pair Endpoint access and PoE Cost-effective and supports power delivery More susceptible to distance limits and interference than fiber

Interface troubleshooting clues

Symptom Think first
Late collisions after manual configuration changes Duplex mismatch
Rapidly increasing CRC errors Physical cabling, connector, or interference issue
One side forced to 100 Mb/s and the other to 1 Gb/s Speed mismatch
Interface administratively disabled shutdown state
Link physically unavailable Cable, transceiver, remote port, power, or physical layer

1.4 TCP vs UDP

Feature TCP UDP
Connection-oriented Yes No
Ordered delivery Yes No guarantee
Reliability and retransmission Yes No built-in guarantee
Lower overhead No Yes
Typical scenario clue File transfer, SSH, reliable application session Voice, streaming, DNS query, timely telemetry

Decision rule: If the question stresses reliable ordered delivery, choose TCP. If it stresses low overhead and timely delivery where retransmission may be less valuable than freshness, choose UDP.

1.5 IPv4 addressing and subnetting

Private IPv4 ranges

Range CIDR
10.0.0.0–10.255.255.255 10.0.0.0/8
172.16.0.0–172.31.255.255 172.16.0.0/12
192.168.0.0–192.168.255.255 192.168.0.0/16

Fast subnet table

Prefix Mask Block size in changing octet Total addresses Usable hosts
/24 255.255.255.0 256 256 254
/25 255.255.255.128 128 128 126
/26 255.255.255.192 64 64 62
/27 255.255.255.224 32 32 30
/28 255.255.255.240 16 16 14
/29 255.255.255.248 8 8 6
/30 255.255.255.252 4 4 2

Subnetting method

For a host such as 192.168.10.77/27:

  1. /27 gives a block size of 32.
  2. Subnet boundaries in the last octet are 0, 32, 64, 96, ....
  3. 77 falls in 64–95.
  4. Network address: 192.168.10.64
  5. Broadcast address: 192.168.10.95
  6. Usable range: 192.168.10.65–192.168.10.94

Common subnetting trap

If asked for the network and broadcast, do not answer with the first and last usable host. Read the wording carefully.

1.6 IPv6 essentials

Address type Typical prefix or example Meaning
Global unicast 2000::/3 Publicly routable unicast space
Unique local FC00::/7, commonly locally assigned from FD00::/8 Private-like local use
Link-local FE80::/10 Local-link communication; not routed beyond the link
Multicast FF00::/8 One-to-many delivery
Loopback ::1 Local host
Unspecified :: No address assigned
Anycast Same unicast address assigned to multiple interfaces Traffic reaches a suitable instance, usually nearest by routing

Modified EUI-64: A method for constructing an interface identifier from a MAC address. Know the concept and recognize the transformation pattern.

1.7 Client IP verification

Client OS Useful command
Windows ipconfig /all
Linux ip addr show
macOS ifconfig

1.8 Wireless principles

  • SSID: The WLAN name clients select.
  • RF: Radio-frequency behavior, including attenuation and interference.
  • 2.4-GHz nonoverlapping-channel memory rule: Commonly use 1, 6, and 11.
  • Encryption: Wireless access is not secure merely because an SSID exists.
  • Metal, distance, obstacles, and interference sources can reduce signal quality.

1.9 Virtualization

Technology What it isolates
Server virtualization Multiple virtual machines on a hypervisor
Containers Isolated application environments sharing the host OS kernel
VRFs Separate routing tables on the same routing device

Trap: A VRF separates routing contexts. It is not a VLAN, container, or hypervisor.

1.10 Ethernet switching

A switch normally:

  1. Learns the source MAC address on the ingress port.
  2. Looks up the destination MAC address.
  3. Forwards a known unicast frame out the matching port.
  4. Floods an unknown unicast frame within the same VLAN, except out the ingress port.
  5. Removes stale dynamic MAC entries after aging.

Trap: Switches learn from the source MAC, not the destination MAC.


Domain 2 — 2.0 Network Access

2.1 VLANs, access ports, voice VLANs, and inter-VLAN connectivity

Access port

A workstation in VLAN 20:

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20

Data and voice on an endpoint-facing port

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120

The workstation uses the data VLAN; the IP phone uses the voice VLAN.

Inter-VLAN connectivity

Devices in different VLANs need Layer 3 forwarding. Common methods:

  • Router-on-a-stick with router subinterfaces and 802.1Q encapsulation
  • Layer 3 switch using SVIs and routing

Trap: Assigning VLANs does not automatically create inter-VLAN communication.

2.2 Trunks, 802.1Q, and native VLANs

A trunk carries multiple VLANs over one link.

interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99

Key rules:

  • 802.1Q tags VLAN traffic across the trunk.
  • Native VLAN traffic is untagged by default.
  • Native VLAN configuration should match on both ends.
  • A native VLAN mismatch can create operational and security problems.
  • An access port normally carries one data VLAN for an endpoint.

Exam trap: Do not configure an interswitch multi-VLAN link as an access port.

2.3 CDP and LLDP

Protocol Vendor scope Purpose
CDP Cisco proprietary Discover directly connected Cisco neighbors
LLDP Standards-based Discover directly connected neighbors in mixed-vendor environments

Common commands:

show cdp neighbors
show lldp neighbors

2.4 EtherChannel and LACP

EtherChannel bundles physical links into one logical channel. LACP is the standards-based negotiation protocol.

LACP side 1 LACP side 2 Forms?
Active Active Yes
Active Passive Yes
Passive Passive No

Rules:

  • Member interfaces must be configured consistently.
  • For a Layer 2 channel, align trunk/access settings, VLANs, and related parameters.
  • For a Layer 3 channel, configure members consistently as routed interfaces before adding them to the channel as appropriate.

Trap: LACP passive does not initiate negotiation. Passive plus passive fails.

2.5 Rapid PVST+

Why spanning tree exists

Redundant Layer 2 paths can cause loops. STP preserves redundancy while preventing uncontrolled forwarding loops.

Core terms

Term Meaning
Root bridge The switch with the lowest bridge ID
Root port Best path toward the root bridge on a nonroot switch
Designated port Forwarding port selected for a segment
Alternate port Backup path in a discarding state
PortFast Allows an edge port to transition rapidly for endpoint connectivity

Rapid STP states

  • Discarding
  • Learning
  • Forwarding

Protection features

Feature Trigger or goal Result Best-fit scenario
BPDU guard BPDU received on an edge/PortFast port Typically error-disables the port Block an unexpected switch connected to an endpoint port
Root guard Superior BPDU received where a downstream switch must not become root Places port into root-inconsistent behavior Prevent an access-layer switch from influencing root election
Loop guard Expected BPDUs stop arriving on a protected non-designated path Prevents unsafe transition to forwarding Reduce risk from unidirectional or BPDU-loss conditions
BPDU filter Suppresses BPDU sending/processing depending on configuration Removes STP visibility Use with caution; it can create loop risk

STP decision rules

  • Lowest bridge ID becomes root.
  • Root port is the best path toward the root bridge.
  • PortFast belongs on endpoint-facing edge ports, not arbitrary interswitch trunks.
  • BPDU guard and BPDU filter are not interchangeable.

2.6 Wireless architectures and AP modes

Pattern Recognize it when
Controller-based architecture Lightweight APs are centrally managed by a WLC
Autonomous AP AP operates with more local configuration and independence
Local AP mode Normal client-serving operation
Monitor AP mode AP observes RF conditions rather than serving normal clients
FlexConnect use case Remote-site AP behavior supports branch use cases when controller connectivity is constrained

Wireless infrastructure connections

  • An AP-facing switchport may be an access port when only one locally switched VLAN is required.
  • A trunk may be needed when multiple VLANs must traverse the AP-facing connection.
  • WLC uplinks may use link aggregation depending on design.
  • WLANs map wireless client traffic into appropriate wired VLANs.

2.7 Management access

Method Encrypted? Best use
Console Local, out-of-band style access Initial setup or recovery
Telnet No Recognize as insecure legacy remote CLI
SSH Yes Secure remote CLI
HTTP No Insecure browser management
HTTPS Yes Secure browser management
TACACS+ Centralized AAA Common network-device administration use case
RADIUS Centralized AAA Common network access and authentication use case
Cloud-managed Provider dashboard or platform Centralized device management through a cloud service

2.8 WLAN GUI reasoning

When reviewing WLAN GUI questions, verify:

  1. WLAN exists and is enabled.
  2. SSID is correct.
  3. VLAN mapping is correct.
  4. Security method matches the requirement.
  5. Client PSK matches when WPA2 PSK is used.
  6. QoS profile aligns with the application need.
  7. Advanced settings do not contradict the design.

Domain 3 — 3.0 IP Connectivity

3.1 Routing-table interpretation

Example:

O 10.20.30.0/24 [110/20] via 192.0.2.2

Interpretation:

Element Meaning
O Learned by OSPF
10.20.30.0/24 Destination prefix
110 Administrative distance
20 Protocol metric
192.0.2.2 Next hop

Useful route codes:

Code Meaning
C Connected
L Local host route for an interface address
S Static
S* Candidate default static route
O OSPF

Gateway of last resort

A default route is used when no more-specific route matches.

IPv4 default prefix:

0.0.0.0/0

IPv6 default prefix:

::/0

3.2 The route-selection order

Use this order:

  1. Longest prefix match
    Choose the route with the most specific matching prefix.

  2. Administrative distance
    If multiple route sources provide the same prefix length, prefer the more trusted source with the lower AD.

  3. Metric
    Compare the routing protocol’s metric when choosing among comparable routes learned by the same protocol.

Example routes:

10.0.0.0/8
10.20.0.0/16
10.20.30.0/24
0.0.0.0/0

Destination 10.20.30.55 uses 10.20.30.0/24.

Common administrative distances

Route source AD
Connected 0
Static 1
OSPF 110

Major trap: Do not compare AD before prefix length. A more-specific route wins the prefix match even if another route source has a lower AD for a less-specific prefix.

3.3 Static routing

IPv4 default route

ip route 0.0.0.0 0.0.0.0 203.0.113.1

IPv4 network route

ip route 10.50.0.0 255.255.0.0 192.0.2.2

IPv4 host route

ip route 203.0.113.25 255.255.255.255 192.0.2.2

A host route uses /32.

IPv6 static route

ipv6 route 2001:DB8:50::/64 2001:DB8:FF::2

Floating static route

A floating static route is a backup route with a higher AD than the primary route source.

ip route 10.50.0.0 255.255.0.0 198.51.100.2 200

If OSPF is primary with AD 110, a static route with AD 200 remains less preferred until OSPF disappears.

Trap: A static route with default AD 1 normally beats OSPF. Increase the AD when the static route must float behind OSPF.

3.4 Single-area OSPFv2

Neighbor adjacency checklist

When two OSPF routers fail to become neighbors, investigate:

  • OSPF enabled on the correct interfaces
  • Matching area IDs
  • Compatible hello and dead timers
  • Compatible network type
  • Correct connected IP addressing and subnet relationship
  • Unique router IDs
  • Authentication compatibility if configured
  • MTU issues where relevant to adjacency progress

Router ID selection

General selection order:

  1. Explicitly configured router ID
  2. Highest loopback IPv4 address
  3. Highest active physical-interface IPv4 address

For deterministic operation, configure the router ID explicitly.

Broadcast and point-to-point links

Network type DR/BDR election? Reason
Broadcast Ethernet Yes Reduces adjacency complexity on a shared segment
Point-to-point No Only two routers participate

DR/BDR election

On a broadcast network:

  1. Higher OSPF interface priority is preferred.
  2. Router ID is used as a tie-breaker among eligible routers.
  3. Election timing matters; do not assume preemption behavior that was not stated.

3.5 First-hop redundancy

Hosts often use a default gateway. If that gateway is one physical router with no redundancy, its failure breaks off-subnet connectivity.

A first-hop redundancy protocol provides:

  • A virtual IP address used by hosts as the default gateway
  • An active forwarding router
  • A standby or alternate router able to assume responsibility

Trap: Hosts normally point to the virtual gateway, not the physical router’s individual address.


Domain 4 — 4.0 IP Services

4.1 NAT

Static inside-source NAT

Use when one inside local address should consistently map to one public address.

Conceptual form:

ip nat inside source static 10.10.10.10 198.51.100.10

Pool-based NAT

Use when a defined group of inside local addresses should translate using addresses from a public pool.

Reasoning sequence:

  1. Identify inside and outside interfaces.
  2. Define the inside source addresses, commonly with an ACL.
  3. Define the public NAT pool.
  4. Apply the inside-source translation rule.
  5. Verify translations.

Trap: NAT solves address translation. It does not solve DNS, NTP, switching loops, or DHCP trust.

4.2 NTP

NTP synchronizes device clocks.

Role Meaning
NTP client Receives time from an upstream source
NTP server role Provides time to downstream clients

Why it matters:

  • Comparable log timestamps
  • Easier event correlation
  • Consistent troubleshooting records

4.3 DHCP and DNS

Service Main role Scenario clue
DHCP Supplies IP parameters such as address, mask, default gateway, and DNS server New endpoint needs automatic addressing
DNS Resolves names to addresses IP access works but hostname access fails
DHCP relay Forwards DHCP requests between client subnet and centralized DHCP server Clients and DHCP server are on different subnets

Common relay command on the client-facing Layer 3 interface:

ip helper-address 192.0.2.50

Trap: DHCP can provide the DNS-server address, but DHCP does not resolve names.

4.4 SNMP and syslog

Service Main role
SNMP Monitoring, polling, and notifications using management information
Syslog Centralized operational event messages with severity levels

Syslog severity levels

Level Name
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notification
6 Informational
7 Debugging

Memory aid: Every Awesome Cisco Engineer Will Need Icecream Daily.

4.5 QoS per-hop behavior

QoS action What it does Key distinction
Classification Identifies traffic categories Decides what traffic is
Marking Writes a value such as DSCP Labels traffic for downstream treatment
Queuing Holds packets awaiting transmission Used when the outbound interface is congested
Congestion management Determines treatment under contention Prioritization and scheduling matter
Policing Drops or remarks traffic above an allowed rate Immediate enforcement
Shaping Buffers and releases traffic at a controlled rate Smooths bursts by delaying traffic

Major trap: Policing drops or remarks excess traffic. Shaping buffers and delays it.

4.6 Secure remote access with SSH

Typical preparation steps:

hostname R1
ip domain-name example.local
username admin secret StrongSecret
crypto key generate rsa
line vty 0 4
 login local
 transport input ssh

Trap: Telnet is remote CLI but does not encrypt the session.

4.7 TFTP vs FTP

Protocol Main characteristic Best-fit clue
TFTP Simple UDP-based file transfer with minimal features Controlled environment and simplicity
FTP Authenticated file-transfer capability with separate control behavior Credentials and richer transfer features required

Domain 5 — 5.0 Security Fundamentals

5.1 Security concepts

Term Meaning
Threat Potential actor or event capable of causing harm
Vulnerability Weakness that could be abused
Exploit Technique or code that takes advantage of a vulnerability
Mitigation Control that reduces likelihood or impact

Trap: A vulnerability is the weakness. An exploit is the method used against the weakness.

5.2 Security program elements

Security is not only configuration:

  • User-awareness training
  • Phishing recognition and reporting
  • Physical access control for equipment rooms
  • Operational procedures
  • Credential-handling policy

5.3 Local device access control

Common IOS ideas:

enable secret StrongEnableSecret
username admin secret StrongUserSecret
line console 0
 login local
line vty 0 4
 login local
 transport input ssh

enable secret is preferred over relying on weakly protected password storage.

Trap: service password-encryption provides limited obfuscation. Do not treat it as a strong modern cryptographic control.

5.4 Password alternatives and stronger authentication

Control What it adds
MFA More than one authentication factor
Certificates Signed digital credentials for identity validation
Biometrics Physical or behavioral user characteristic
Password policy Length, complexity, management, and lifecycle expectations

5.5 VPN types

VPN type Scenario
Site-to-site IPsec VPN Encrypted connectivity between networks or branches
Remote-access VPN Encrypted user access from a remote endpoint into the organization

Trap: A branch-to-branch requirement is not a remote-user-only use case.

5.6 ACLs

ACL logic is sequential:

  1. Process entries from top to bottom.
  2. Stop at the first match.
  3. Apply the implicit deny when no entry matches.

Standard ACL

Standard ACLs filter mainly on source IPv4 address.

access-list 10 deny host 10.10.10.25
access-list 10 permit any

Wildcard masks

Subnet mask Wildcard mask
255.255.255.0 0.0.0.255
255.255.255.128 0.0.0.127
255.255.255.192 0.0.0.63
255.255.255.255 0.0.0.0

Example:

access-list 10 permit 10.20.30.0 0.0.0.255

Extended ACL context

Extended ACLs can filter using more detail, such as protocol, source, destination, and ports. A useful placement rule of thumb:

  • Standard ACL: place closer to the destination when practical
  • Extended ACL: place closer to the source when practical

Major trap: A subnet mask and a wildcard mask are inverses. Do not use 255.255.255.0 where IOS expects 0.0.0.255.

5.7 Layer 2 security

Feature Protects against or controls Key dependency or trap
DHCP snooping Rogue DHCP server behavior; builds trusted bindings Mark only appropriate uplinks or server-facing ports as trusted
Dynamic ARP inspection ARP spoofing Commonly validates against trusted DHCP snooping bindings
Port security MAC learning limits and violation handling on access ports Does not replace DHCP snooping or DAI

Decision sequence: Rogue DHCP server? Think DHCP snooping. ARP spoofing? Think DAI. Too many unexpected MAC addresses on an access port? Think port security.

5.8 AAA

AAA function Question it answers
Authentication Who are you?
Authorization What are you allowed to do?
Accounting What did you do and when?

5.9 Wireless security

Protocol Relative position
WPA Older improvement over obsolete WEP-era security
WPA2 Widely used stronger option; know WPA2 PSK GUI configuration
WPA3 Strongest of WPA, WPA2, and WPA3 when supported and appropriate

For a WPA2 PSK WLAN:

  1. Create or select the WLAN.
  2. Map it to the correct VLAN.
  3. Select WPA2 PSK security.
  4. Enter the correct preshared key.
  5. Verify clients use the same PSK.
  6. Check QoS and advanced settings when symptoms persist.

Domain 6 — 6.0 Automation and Programmability

6.1 Why automation matters

Automation can improve:

  • Consistency
  • Repeatability
  • Scale
  • Speed
  • Version-controlled change processes
  • Reduction of manual configuration drift

Automation does not eliminate the need for validation, change control, testing, or human judgment.

6.2 Traditional and controller-based networking

Model Main idea
Traditional Configuration and control behavior are handled device by device
Controller-based A logically centralized system provides broader policy and control functions while devices still forward traffic

Planes

Plane Role
Data plane Forwards traffic
Control plane Makes forwarding decisions and builds forwarding information
Management plane Supports configuration, monitoring, and administration

6.3 Underlay, overlay, and fabric

Term Meaning
Underlay Physical devices and links carrying traffic
Overlay Virtualized network relationships built across the underlay
Fabric Integrated architecture that provides structured connectivity and policy behavior

API direction

API type Direction
Northbound API Applications communicate with the controller
Southbound API Controller communicates with infrastructure devices

Trap: Northbound does not mean “toward the internet.” It means toward applications consuming controller services.

6.4 AI and machine learning in network operations

Term Best-fit scenario
Generative AI Produces or summarizes content, such as a draft remediation plan
Predictive AI Uses historical data to estimate likely future conditions, such as failure probability
Machine learning Learns patterns from data for classification, detection, or prediction

Decision rule: AI-generated output can assist operations, but validate recommendations before implementation.

6.5 REST APIs

CRUD and HTTP verbs

CRUD action Common HTTP verb
Create POST
Read GET
Update or replace PUT
Partial update PATCH
Delete DELETE

REST characteristics

Know how to recognize:

  • Resources
  • URIs
  • HTTP methods
  • Request and response data
  • Status codes at a high level
  • Authentication approaches, such as credentials, tokens, or API keys depending on implementation
  • JSON encoding

Trap: GET retrieves. POST commonly creates. DELETE removes. Do not choose a verb because it merely “sounds active.”

6.6 Ansible and Terraform

Tool Best-fit description
Ansible Automation and configuration management commonly expressed through human-readable playbooks
Terraform Declarative infrastructure-as-code approach for defining and managing infrastructure resources and lifecycle

Both support repeatable, reviewable workflows. Neither removes the need for testing.

6.7 JSON

Example:

{
  "hostname": "R1",
  "enabled": true,
  "interfaces": ["GigabitEthernet0/1", "GigabitEthernet0/2"],
  "metric": 20
}

Recognize:

JSON element Example
Object { ... }
Key "hostname"
String "R1"
Boolean true
Array [ ... ]
Number 20
Null null

Trap: JSON braces define objects. Brackets define arrays.


5. Service Selection Guide

Core service map

Requirement Choose Do not confuse it with
Resolve hostname to IP address DNS DHCP
Automatically supply client IP parameters DHCP DNS
Reach a centralized DHCP server from another subnet DHCP relay NAT
Translate inside addresses to public addresses NAT ACL filtering
Synchronize device clocks NTP Syslog
Collect operational events Syslog SNMP polling
Poll device health and receive management notifications SNMP Syslog-only logging
Secure remote CLI SSH Telnet
Secure browser management HTTPS HTTP
Simple UDP file transfer TFTP FTP
Authenticated richer file-transfer use case FTP TFTP
Vendor-neutral neighbor discovery LLDP CDP
Cisco-focused neighbor discovery CDP LLDP
Centralized device administration AAA TACACS+ Local-only passwords
General centralized authentication use cases RADIUS DHCP
Block rogue DHCP messages on access ports DHCP snooping Port security
Validate ARP messages against trusted information DAI DHCP relay
Restrict learned MAC addresses on an access port Port security BPDU guard
Buffer and smooth excess traffic Shaping Policing
Drop or remark excess traffic immediately Policing Shaping

Management-access selection

Scenario phrase Best answer
“Secure remote command line” SSH
“Legacy unencrypted remote command line” Telnet
“Secure browser-based administration” HTTPS
“Initial setup after loss of remote access” Console
“Centralized command authorization and accounting” TACACS+
“Cloud dashboard for device administration” Cloud-managed access

Security-feature selection

Scenario phrase Think
“Unexpected BPDU on an endpoint port” BPDU guard
“Do not let downstream switch become root” Root guard
“BPDUs stop arriving and a blocked path must not forward unsafely” Loop guard
“Suppress BPDUs” BPDU filter, with caution
“Rogue DHCP server” DHCP snooping
“ARP spoofing” DAI
“Too many MAC addresses on one access port” Port security
“Who are you?” Authentication
“Which commands may you run?” Authorization
“Record what happened” Accounting

6. Architecture Patterns

Pattern 1: Small campus with collapsed layers

Scenario: A modest campus needs access switching and policy aggregation but does not justify a separate high-speed core.

Recommended solution: Two-tier campus design.

Why alternatives fail:

  • Three-tier adds a separate core when the scenario does not require that scale.
  • Spine-leaf is a different topology pattern, common for east-west-heavy environments such as data centers.
  • SOHO is too small and simple for a campus design.

Pattern 2: Large campus with separate core

Scenario: Multiple distribution blocks require a dedicated high-speed backbone.

Recommended solution: Three-tier campus design.

Why alternatives fail:

  • Two-tier collapses core and distribution and may not fit the stated scale.
  • Spine-leaf has a different connectivity pattern.

Pattern 3: Predictable east-west connectivity

Scenario: Each leaf switch connects to each spine switch.

Recommended solution: Spine-leaf.

Why alternatives fail: Merely having redundant uplinks does not make a topology spine-leaf.

Pattern 4: Multi-VLAN interswitch connection

Scenario: VLANs 10, 20, and 30 must cross one link between switches.

Recommended solution: 802.1Q trunk.

Why alternatives fail:

  • An access port carries an endpoint VLAN, not multiple interswitch VLANs.
  • A routed port changes the design and does not extend Layer 2 VLANs.
  • PortFast is not a VLAN-transport mechanism.

Pattern 5: Resilient Layer 2 uplink

Scenario: Two compatible parallel links should behave as one logical connection.

Recommended solution: EtherChannel using LACP.

Why alternatives fail:

  • Passive plus passive will not negotiate.
  • HSRP is first-hop gateway redundancy, not link bundling.
  • STP alone does not combine bandwidth into one logical channel.

Pattern 6: Redundant default gateway

Scenario: Hosts should retain off-subnet connectivity if one router fails.

Recommended solution: First-hop redundancy with a virtual gateway IP.

Why alternatives fail:

  • DNS does not provide gateway redundancy.
  • Every endpoint should not need manual reconfiguration during a gateway failure.
  • LACP bundles links; it does not provide a virtual default gateway.

Pattern 7: Centralized wireless design

Scenario: Lightweight APs require centralized management.

Recommended solution: Controller-based WLAN architecture using a WLC.

Why alternatives fail:

  • Autonomous AP design is more locally managed.
  • A Layer 3 route does not replace WLAN control.
  • A trunk or access port is part of wired integration, not the controller itself.

Pattern 8: Controller-based programmable network

Scenario: Applications request services from a controller, and the controller programs infrastructure.

Recommended mapping:

  • Application to controller: northbound API
  • Controller to devices: southbound API
  • Physical devices and links: underlay
  • Virtualized network relationships: overlay

7. Exam Traps

Misleading wording patterns

Wording What to notice
“Most specific route” Longest prefix match
“Backup static route only if OSPF fails” Floating static route with AD higher than OSPF
“Untagged traffic on the trunk” Native VLAN
“Unexpected switch connected to user port” BPDU guard
“Downstream switch must not become root” Root guard
“IP address works, hostname fails” DNS
“Clients need automatic address parameters” DHCP
“Remote DHCP server on another subnet” DHCP relay
“Excess traffic is buffered” Shaping
“Excess traffic is dropped or remarked” Policing
“Retrieve an API resource” GET
“Create an API resource” POST
“Objects and arrays” JSON
“Branch-to-branch encrypted tunnel” Site-to-site IPsec VPN
“Traveling employee secure access” Remote-access VPN

Wrong-but-plausible answers

  1. Correct technology, wrong layer
    Example: selecting DNS for a duplex mismatch.

  2. Correct service, wrong symptom
    Example: selecting DHCP because DNS settings are delivered through DHCP, even though the actual failure is hostname resolution.

  3. Correct security feature, wrong attack
    Example: selecting port security for ARP spoofing instead of DAI.

  4. Correct routing concept, wrong order
    Example: comparing administrative distance before longest prefix match.

  5. Correct STP term, wrong trigger
    Example: selecting root guard when an edge port receives a BPDU; BPDU guard is the direct match.

  6. Correct management protocol, insecure variant
    Example: Telnet instead of SSH, or HTTP instead of HTTPS.

  7. Correct file-transfer category, wrong capability
    Example: TFTP when authenticated richer transfer behavior is required.

  8. Correct API family, wrong verb
    Example: POST for retrieval instead of GET.

Elimination strategy

For a four-option question:

  1. Remove answers that operate at the wrong layer.
  2. Remove answers that contradict a required security or reliability property.
  3. Remove answers with the wrong scope: endpoint-only, link-only, VLAN-only, or network-wide.
  4. Compare the two remaining choices against the exact symptom.
  5. Prefer the answer that solves the stated issue with the fewest assumptions.

Command-reading strategy

When reading IOS syntax:

  • Identify whether the command belongs to interface mode, line mode, or global configuration.
  • Check whether the address mask is a subnet mask or a wildcard mask.
  • Confirm whether the question asks for a network route, host route, or default route.
  • Verify whether the static route must be primary or floating.
  • Check whether a switchport should be access or trunk.
  • Confirm whether a protocol is secure or legacy.

8. Quick Memory Rules

Rules of thumb

  • Switches learn source MAC addresses.
  • Unknown unicast Ethernet frames are flooded within the VLAN, except out the ingress port.
  • Router forwarding begins with longest prefix match.
  • After prefix length, use administrative distance across route sources.
  • Compare the routing protocol’s metric within the relevant protocol decision.
  • /32 means one IPv4 host route.
  • 0.0.0.0/0 is the IPv4 default route.
  • ::/0 is the IPv6 default route.
  • OSPF broadcast network: think DR/BDR.
  • OSPF point-to-point network: no DR/BDR election.
  • LACP passive plus passive: no channel.
  • Native VLAN traffic is untagged by default on an 802.1Q trunk.
  • PortFast is for endpoint-facing edge ports.
  • Shaping buffers; policing drops or remarks.
  • DNS resolves names; DHCP distributes addressing parameters.
  • DAI protects ARP; DHCP snooping protects DHCP trust; port security limits MAC learning.
  • Authentication = identity, authorization = permissions, accounting = records.
  • Northbound = application to controller; southbound = controller to devices.
  • REST read = GET; create = POST; delete = DELETE.
  • JSON braces {} are objects; brackets [] are arrays.

“If you see X, think Y”

If you see Think
CRC errors increasing Physical layer issue
Late collisions and manually configured link settings Duplex mismatch
Building-to-building link with interference concern Fiber
Need long-distance fiber Single-mode fiber
Shorter lower-cost fiber link Multimode fiber
Workstation plus IP phone Data VLAN plus voice VLAN
Several VLANs across one switch link Trunk
Untagged frames across trunk Native VLAN
Standards-based neighbor discovery LLDP
Standards-based link bundling LACP
Lowest bridge ID Root bridge
BPDU received on edge port BPDU guard
Superior BPDU must not change root Root guard
Expected BPDUs disappear on protected path Loop guard
Address begins with FE80 IPv6 link-local
Address begins with FF IPv6 multicast
Hostname fails but IP works DNS
Logs disagree on time NTP
Central log messages Syslog
Monitoring polling or traps SNMP
Secure remote CLI SSH
Simple UDP file copy TFTP
Remote user encrypted access Remote-access VPN
Branch-to-branch encrypted access Site-to-site IPsec VPN
Rogue DHCP offers DHCP snooping
ARP spoofing DAI
Retrieve API resource GET
Create API resource POST
Draft remediation summary from an AI system Generative AI
Failure forecast from historical telemetry Predictive AI
Human-readable automation playbook Ansible
Declarative infrastructure lifecycle Terraform

Subnet arithmetic memory

  • Block size = 256 - mask value in the changing octet.
  • Find the boundary immediately below the host.
  • Network = lower boundary.
  • Broadcast = next boundary minus 1.
  • First usable = network plus 1.
  • Last usable = broadcast minus 1.

9. Final Revision Notes

Highest-yield review points

Routing

  • Read route codes, prefixes, next hops, AD, metrics, and default routes.
  • Use route-selection order correctly.
  • Recognize default, network, host, IPv6, and floating static routes.
  • Troubleshoot OSPF area, timer, network-type, router-ID, and interface participation issues.
  • Know why broadcast links elect DR/BDR and point-to-point links do not.
  • Explain the purpose of a virtual gateway in first-hop redundancy.

Switching and network access

  • Configure access ports, data VLANs, voice VLANs, trunks, allowed VLANs, and native VLANs.
  • Distinguish CDP and LLDP.
  • Know LACP active/passive behavior.
  • Explain STP root, root port, designated port, alternate port, PortFast, and guard features.
  • Connect APs and WLCs using access, trunk, or LAG reasoning that matches the WLAN design.

Addressing

  • Calculate /24 through /30 subnet boundaries quickly.
  • Recognize private IPv4 ranges.
  • Recognize IPv6 global, unique-local, link-local, multicast, anycast, loopback, and unspecified concepts.
  • Know client commands for Windows, Linux, and macOS.

Services

  • DNS vs DHCP vs DHCP relay
  • NAT static vs pool-based translation
  • NTP vs SNMP vs syslog
  • Classification vs marking vs queuing vs shaping vs policing
  • SSH vs Telnet
  • FTP vs TFTP

Security

  • Threat vs vulnerability vs exploit vs mitigation
  • MFA, certificates, biometrics, and password policy
  • Site-to-site vs remote-access VPNs
  • ACL top-down processing, wildcard masks, and implicit deny
  • DHCP snooping, DAI, and port security
  • Authentication, authorization, and accounting
  • WPA, WPA2, WPA3, and WPA2 PSK GUI settings

Automation

  • Traditional vs controller-based networking
  • Data plane, control plane, and management plane
  • Underlay, overlay, and fabric
  • Northbound vs southbound APIs
  • Generative AI vs predictive AI vs ML
  • CRUD and HTTP verbs
  • JSON objects, arrays, keys, strings, numbers, Booleans, and null
  • Ansible vs Terraform

Last-day revision list

  1. Write the subnet table from memory.
  2. Solve five longest-prefix-match questions.
  3. Write one default, one host, one IPv6, and one floating static route.
  4. Review the OSPF adjacency checklist.
  5. Recite the four STP protection features and their triggers.
  6. Compare DHCP snooping, DAI, and port security.
  7. Compare DNS, DHCP, NTP, SNMP, and syslog.
  8. Compare shaping and policing.
  9. Recite CRUD-to-HTTP mappings.
  10. Read one JSON object and identify every data type.
  11. Explain Ansible and Terraform in one sentence each.
  12. Revisit the elimination strategy.

10. Exam-Day Checklist

Must-know topics

Network Fundamentals

  • I can identify routers, L2 switches, L3 switches, firewalls, IPS, APs, controllers, endpoints, servers, and PoE use cases.
  • I can distinguish two-tier, three-tier, spine-leaf, WAN, SOHO, on-premises, and cloud patterns.
  • I can select single-mode fiber, multimode fiber, or copper for a scenario.
  • I can recognize CRC errors, collisions, duplex mismatches, and speed mismatches.
  • I can compare TCP and UDP.
  • I can subnet IPv4 quickly and recognize private IPv4 ranges.
  • I can classify common IPv6 address types.
  • I can verify client IP settings on Windows, Linux, and macOS.
  • I understand SSID, RF, nonoverlapping channels, and encryption.
  • I understand virtualization, containers, VRFs, and basic switching behavior.

Network Access

  • I can configure VLAN access and voice ports.
  • I can explain inter-VLAN connectivity.
  • I can configure and verify 802.1Q trunks and native VLANs.
  • I can compare CDP and LLDP.
  • I can reason about LACP active and passive modes.
  • I can identify root bridge, root port, designated port, alternate port, and PortFast.
  • I can select BPDU guard, root guard, loop guard, or BPDU filter from a scenario.
  • I understand controller-based wireless architecture, AP modes, AP/WLC physical connections, and WLAN GUI settings.
  • I can choose console, Telnet, SSH, HTTP, HTTPS, TACACS+, RADIUS, or cloud-managed access appropriately.

IP Connectivity

  • I can interpret routing-table components.
  • I apply longest prefix match before AD and metric.
  • I can configure default, network, host, IPv6, and floating static routes.
  • I can troubleshoot single-area OSPFv2 adjacencies.
  • I know OSPF router-ID selection.
  • I know where DR/BDR election occurs.
  • I understand first-hop redundancy and virtual gateways.

IP Services

  • I understand static and pool-based inside-source NAT.
  • I can choose NTP client and server roles.
  • I can distinguish DHCP, DNS, and DHCP relay.
  • I can distinguish SNMP and syslog.
  • I know syslog severity levels.
  • I can compare classification, marking, queuing, congestion, policing, and shaping.
  • I can configure SSH access conceptually.
  • I can distinguish FTP and TFTP.

Security Fundamentals

  • I can distinguish threats, vulnerabilities, exploits, and mitigations.
  • I understand security awareness and physical access controls.
  • I can configure local passwords and secure remote login conceptually.
  • I understand password policy, MFA, certificates, and biometrics.
  • I can choose site-to-site or remote-access IPsec VPNs.
  • I can process ACLs top-down and calculate wildcard masks.
  • I can choose DHCP snooping, DAI, or port security.
  • I can distinguish authentication, authorization, and accounting.
  • I can compare WPA, WPA2, and WPA3 and recognize WPA2 PSK GUI tasks.

Automation and Programmability

  • I understand why automation improves consistency and scale.
  • I can compare traditional and controller-based networks.
  • I can distinguish underlay, overlay, and fabric.
  • I can distinguish control plane, data plane, and management plane.
  • I can distinguish northbound and southbound APIs.
  • I can distinguish generative AI, predictive AI, and ML.
  • I know REST authentication at a high level and can map CRUD to HTTP verbs.
  • I can distinguish Ansible and Terraform.
  • I can read basic JSON.

Final confidence checklist

  • I answer the exact symptom, not a nearby concept.
  • I eliminate options from the wrong layer first.
  • I do not compare administrative distance before prefix length.
  • I check whether IOS expects a subnet mask or wildcard mask.
  • I distinguish secure and insecure management protocols.
  • I select the narrowest feature that directly solves the scenario.
  • I can explain why the strongest wrong answer fails.
  • I have completed timed practice and reviewed my error patterns.

Appendix A — Compact IOS Command Patterns

VLAN access and voice port

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120

Trunk

interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99

Default route

ip route 0.0.0.0 0.0.0.0 203.0.113.1

Host route

ip route 203.0.113.25 255.255.255.255 192.0.2.2

Floating static route

ip route 10.50.0.0 255.255.0.0 198.51.100.2 200

IPv6 route

ipv6 route 2001:DB8:50::/64 2001:DB8:FF::2

DHCP relay

interface GigabitEthernet0/1
 ip helper-address 192.0.2.50

SSH preparation

hostname R1
ip domain-name example.local
username admin secret StrongSecret
crypto key generate rsa
line vty 0 4
 login local
 transport input ssh

Standard ACL

access-list 10 deny host 10.10.10.25
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 permit any

Appendix B — One-Page Mental Model

When a scenario appears, ask:

  1. Is it physical?
    Cable, fiber type, CRC, collisions, speed, duplex.

  2. Is it Layer 2?
    MAC learning, VLAN, trunk, native VLAN, LACP, STP, BPDU guard, root guard, loop guard, port security, DHCP snooping, DAI.

  3. Is it Layer 3?
    IPv4, IPv6, subnet, route table, longest prefix, AD, metric, static route, OSPF, virtual gateway.

  4. Is it a network service?
    NAT, DHCP, DNS, NTP, SNMP, syslog, QoS, SSH, FTP, TFTP.

  5. Is it security?
    ACL, AAA, VPN, WLAN security, credential policy, physical access.

  6. Is it automation?
    Controller, plane separation, underlay, overlay, API direction, REST verb, JSON structure, AI/ML, Ansible, Terraform.

Then choose the smallest answer that directly satisfies the requirement.


Appendix C — Source-Bank Synthesis Notes

The supplied practice bank contained:

  • 1,100 questions
  • 275 IP Connectivity questions
  • 220 Network Fundamentals questions
  • 220 Network Access questions
  • 165 Security Fundamentals questions
  • 110 IP Services questions
  • 110 Automation and Programmability questions

This matches the official blueprint weighting. Repeated question patterns were consolidated into the decision rules, comparison tables, architecture patterns, and trap lists in this course rather than repeated question-by-question.

lock_open

Unlock the full course

All 59 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1065 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 16 72 questions/day Finish by Jul 28, 2026
Question 1 of 1100
1.0 Network Fundamentals · 20%

How should the address 10.44.7.9 be classified?

0 correct
0 wrong
1100 left
0% done