Exam identity and how to use this page
This independent Quick Reference supports preparation for Cisco CCNA (200-301 v2.0), exam code 200-301 v2.0. Use it as a fast review sheet for high-yield decisions, command interpretation, subnetting, configuration patterns, and troubleshooting.
Focus your final review on:
- Reading routing tables and choosing the forwarding path.
- Subnetting quickly without a calculator.
- Distinguishing Layer 2, Layer 3, and transport symptoms.
- Knowing what each Cisco IOS show command proves.
- Recognizing secure default choices: SSH, least privilege, encrypted management, port protections, ACL placement.
- Understanding controller-based networking and API terms without overcomplicating them.
Layer model anchors
| Layer / scope | PDU | Common identifiers | Exam cues |
|---|---|---|---|
| Application | Data | URL, FQDN, HTTP method, DNS name | User-facing protocol behavior |
| Transport | Segment / datagram | TCP/UDP port | Reliability, sessions, retransmission, multiplexing |
| Network | Packet | IPv4/IPv6 address | Routing, subnets, next hop, TTL/hop limit |
| Data link | Frame | MAC address, VLAN ID | Switching, trunks, STP, ARP, wireless association |
| Physical | Bits | Cable, RF, speed/duplex | Link lights, signal, cabling, interference |

| Concept | Key distinction |
|---|---|
| Switch | Forwards frames using destination MAC address and VLAN. |
| Router | Forwards packets using destination IP address and routing table. |
| Default gateway | Host’s next hop for off-subnet destinations. |
| ARP | Resolves IPv4 address to MAC address on the local segment. |
| NDP | IPv6 neighbor discovery, router discovery, and address resolution. |
| Encapsulation | Data gains headers/trailers as it moves down the stack. |
| Decapsulation | Headers are removed as data moves up the stack. |
IPv4 addressing and subnetting
High-yield IPv4 ranges
| Range | Purpose | Exam note |
|---|---|---|
| 10.0.0.0/8 | Private | Not routed on the public Internet. |
| 172.16.0.0/12 | Private | Includes 172.16.0.0 through 172.31.255.255. |
| 192.168.0.0/16 | Private | Common small-office and lab range. |
| 169.254.0.0/16 | Link-local / APIPA | Host self-assigns when DHCP fails. |
| 127.0.0.0/8 | Loopback | Local host testing. |
| 224.0.0.0/4 | Multicast | One-to-many delivery. |
| 255.255.255.255 | Local broadcast | Stays on local segment. |
| 0.0.0.0/0 | Default route | “Any destination” route. |
| 0.0.0.0 | Unspecified source | Often before address assignment. |
Subnet math shortcuts
\[
\text{Block size} = 256 - \text{interesting mask octet}
\]
\[
\text{Typical usable IPv4 hosts per subnet} = 2^{\text{host bits}} - 2
\]
| Prefix | Mask | Wildcard | Typical usable hosts | Common use / trap |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 0.255.255.255 | 16,777,214 | Large classful-style summary. |
| /16 | 255.255.0.0 | 0.0.255.255 | 65,534 | Large private site block. |
| /20 | 255.255.240.0 | 0.0.15.255 | 4,094 | Block size 16 in third octet. |
| /21 | 255.255.248.0 | 0.0.7.255 | 2,046 | Block size 8 in third octet. |
| /22 | 255.255.252.0 | 0.0.3.255 | 1,022 | Block size 4 in third octet. |
| /23 | 255.255.254.0 | 0.0.1.255 | 510 | Block size 2 in third octet. |
| /24 | 255.255.255.0 | 0.0.0.255 | 254 | Common LAN subnet. |
| /25 | 255.255.255.128 | 0.0.0.127 | 126 | Two subnets per /24. |
| /26 | 255.255.255.192 | 0.0.0.63 | 62 | Four subnets per /24. |
| /27 | 255.255.255.224 | 0.0.0.31 | 30 | Block size 32. |
| /28 | 255.255.255.240 | 0.0.0.15 | 14 | Block size 16. |
| /29 | 255.255.255.248 | 0.0.0.7 | 6 | Small infrastructure subnet. |
| /30 | 255.255.255.252 | 0.0.0.3 | 2 | Traditional point-to-point subnet. |
| /31 | 255.255.255.254 | 0.0.0.1 | 2 on point-to-point | No traditional network/broadcast on supported P2P links. |
| /32 | 255.255.255.255 | 0.0.0.0 | 1 address | Host route or loopback. |
Fast subnet workflow
| Step | Action | Example: 192.168.10.77/27 |
|---|---|---|
| 1 | Find interesting octet. | /27 is fourth octet. |
| 2 | Calculate block size. | 256 - 224 = 32. |
| 3 | List subnet starts. | 0, 32, 64, 96, 128… |
| 4 | Choose range containing host. | 77 is in 64-95. |
| 5 | Identify network and broadcast. | Network 192.168.10.64, broadcast 192.168.10.95. |
| 6 | Identify usable range. | 192.168.10.65-192.168.10.94. |
Wildcard masks
| Need | Method | Example |
|---|---|---|
| Convert subnet mask to wildcard | Subtract each octet from 255 | 255.255.255.192 -> 0.0.0.63 |
| Match one host | Wildcard 0.0.0.0 | host 192.0.2.10 equals 192.0.2.10 0.0.0.0 |
| Match any address | Wildcard 255.255.255.255 | any equals 0.0.0.0 255.255.255.255 |
| OSPF network statement | Uses wildcard, not subnet mask | network 10.1.1.0 0.0.0.255 area 0 |
| ACL matching | Uses wildcard after source/destination | Standard ACL filters source only. |
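The fast subnet workflow and the wildcard-mask conversion above, carried out in code. This is an added example, not part of the original reference: it applies the block-size method step by step (interesting octet, block size, subnet start, network, broadcast, usable range), derives the wildcard by subtracting each mask octet from 255, and cross-checks the hand method against Python's standard `ipaddress` module so a wrong step is caught immediately. The /31 and /32 edge cases from the prefix table are handled explicitly.

```python
import ipaddress


def mask_octets(prefix: int) -> list:
    """Dotted-decimal subnet mask for a prefix length, as four octets."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def dotted(octets) -> str:
    return ".".join(str(o) for o in octets)


def wildcard_from_mask(mask: str) -> str:
    """Subtract each octet from 255: 255.255.255.192 -> 0.0.0.63."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def subnet_details(host_with_prefix: str) -> dict:
    """Block-size workflow for an address written as a.b.c.d/prefix."""
    host, prefix = host_with_prefix.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in host.split(".")]
    mask = mask_octets(prefix)

    # Step 1: the interesting octet is the first mask octet that is not 255
    interesting = next((i for i, o in enumerate(mask) if o != 255), None)
    if interesting is None:
        # /32: a host route; the address is its own network and broadcast
        block, network, broadcast = 1, octets[:], octets[:]
    else:
        # Step 2: block size = 256 - interesting mask octet
        block = 256 - mask[interesting]
        # Steps 3-4: subnet starts are multiples of the block size;
        # pick the start that contains the host's value in that octet
        start = (octets[interesting] // block) * block
        # Step 5: network (octets after the interesting one are 0)
        # and broadcast (octets after the interesting one are 255)
        network = octets[:interesting] + [start] + [0] * (3 - interesting)
        broadcast = octets[:interesting] + [start + block - 1] + [255] * (3 - interesting)

    # Step 6: usable range; /31 point-to-point links use both addresses
    if prefix >= 31:
        first, last, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first = network[:3] + [network[3] + 1]
        last = broadcast[:3] + [broadcast[3] - 1]
        usable = 2 ** (32 - prefix) - 2

    result = {
        "mask": dotted(mask),
        "wildcard": wildcard_from_mask(dotted(mask)),
        "block_size": block,
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_usable": dotted(first),
        "last_usable": dotted(last),
        "usable_hosts": usable,
    }

    # Cross-check the hand method against the standard library
    net = ipaddress.ip_network(host_with_prefix, strict=False)
    if str(net.network_address) != result["network"] or str(net.broadcast_address) != result["broadcast"]:
        raise ValueError("block-size method disagrees with ipaddress for " + host_with_prefix)
    return result


if __name__ == "__main__":
    for key, value in subnet_details("192.168.10.77/27").items():
        print(f"{key:13} {value}")
```

Running it on 192.168.10.77/27 reproduces the workflow table: block size 32, network 192.168.10.64, broadcast 192.168.10.95, usable 192.168.10.65 to 192.168.10.94, wildcard 0.0.0.31.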
IPv6 essentials
| Type | Common prefix / example | Purpose |
|---|---|---|
| Global unicast | 2000::/3 | Publicly routable IPv6 addressing. |
| Unique local | FC00::/7 | Private-like internal IPv6 space. |
| Link-local | FE80::/10 | Required on IPv6 interfaces; used for neighbor/router discovery. |
| Multicast | FF00::/8 | Replaces many IPv4 broadcast functions. |
| Loopback | ::1/128 | Local host. |
| Unspecified | ::/128 | “No address yet.” |
| Default route | ::/0 | Any IPv6 destination. |
| Solicited-node multicast | FF02::1:FFxx:xxxx pattern | Used by NDP for address resolution. |

| IPv6 concept | Know this |
|---|---|
| No broadcast | IPv6 uses multicast and neighbor discovery instead. |
| Link-local next hop | IPv6 static routes often use link-local next-hop plus exit interface. |
| SLAAC | Host builds address using router advertisements. |
| DHCPv6 | Can provide stateful addressing or additional options depending on design. |
| NDP | Provides neighbor solicitation/advertisement and router solicitation/advertisement. |
| Abbreviation | Remove leading zeros and compress one contiguous all-zero sequence with :: once. |
Example IPv6 static routes:
ipv6 route ::/0 2001:db8:1::1
ipv6 route 2001:db8:20::/64 gigabitEthernet0/0 fe80::1
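The two IPv6 rules that are easy to get wrong in a hurry, the abbreviation rule and the solicited-node multicast pattern, implemented as an added example (not part of the original reference). `abbreviate_ipv6` applies the rule from the table literally: drop leading zeros in each group, then replace the single longest run of all-zero groups with `::` (the first run wins a tie, and a lone zero group is never compressed). `solicited_node_multicast` builds the FF02::1:FFxx:xxxx address that NDP uses for address resolution from the low 24 bits of a unicast address. Python's `ipaddress` module is used only to expand input to eight groups and to cross-check the result.

```python
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Eight four-hex-digit groups for any textual IPv6 address."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def abbreviate_ipv6(addr: str) -> str:
    groups = expand_ipv6(addr)
    # Rule 1: remove leading zeros in each group, keeping a single 0
    short = [g.lstrip("0") or "0" for g in groups]

    # Rule 2: locate the longest run of consecutive all-zero groups.
    # A ">" comparison keeps the first run when two runs are equally long.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(short + ["end"]):  # sentinel flushes a trailing run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0

    # Only a run of two or more groups is compressed with ::, and only once
    if best_len < 2:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FFxx:xxxx built from the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    full = f"ff02::1:ff{low24 >> 16:02x}:{low24 & 0xFFFF:04x}"
    return abbreviate_ipv6(full)


if __name__ == "__main__":
    for a in ("2001:0db8:0000:0000:0000:0000:0000:0001", "fe80:0:0:0:1:0:0:0", "0:0:0:0:0:0:0:1"):
        print(f"{a:40} -> {abbreviate_ipv6(a)}")
    print("solicited-node for 2001:db8:1::1 ->", solicited_node_multicast("2001:db8:1::1"))
```

Because `fe80:0:0:0:1:0:0:0` has two equally long zero runs, only the first is compressed (`fe80::1:0:0:0`); writing `fe80:0:0:0:1::` is also valid input but is not the canonical form.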
Switching, VLANs, and trunks
MAC learning and forwarding
| Frame condition | Switch action |
|---|---|
| Source MAC unknown | Learn source MAC on ingress port and VLAN. |
| Destination MAC known | Forward only out the associated port in that VLAN. |
| Destination MAC unknown | Flood within the VLAN, except ingress port. |
| Broadcast | Flood within the VLAN. |
| Different VLAN | Requires Layer 3 routing. |
| MAC table entry ages out | Switch relearns when traffic appears. |
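The MAC learning and forwarding table above as a small simulation. This is an added example, not code from the original reference: a `Switch` object keys its MAC table on (VLAN, MAC), learns the source address on every ingress frame, forwards known unicast out one port, floods unknown unicast and broadcast within the VLAN only, and never forwards between VLANs. It also filters a frame whose destination is learned on the ingress port, which is standard switch behavior even though the table does not list it. Port names and MAC addresses are constructed for the demo.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Transparent bridge: learn on ingress, forward or flood per VLAN."""

    def __init__(self, port_vlans: dict):
        # access port name -> VLAN id (constructed topology for the demo)
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port on which that MAC was last seen
        self.mac_table = {}

    def receive(self, ingress: str, src: str, dst: str) -> list:
        """Return the list of egress ports for a frame arriving on ingress."""
        vlan = self.port_vlans[ingress]
        # Learn: source MAC is associated with the ingress port in this VLAN
        self.mac_table[(vlan, src)] = ingress
        flood_ports = [p for p, v in self.port_vlans.items() if v == vlan and p != ingress]
        if dst == BROADCAST:
            return flood_ports                  # broadcast: flood within the VLAN
        learned = self.mac_table.get((vlan, dst))
        if learned is None:
            return flood_ports                  # unknown unicast: flood, except ingress
        if learned == ingress:
            return []                           # destination is behind the ingress port: filter
        return [learned]                        # known unicast: one port only

    def age_out(self, vlan: int, mac: str) -> None:
        """Simulate the aging timer expiring for one entry."""
        self.mac_table.pop((vlan, mac), None)


if __name__ == "__main__":
    sw = Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20, "Gi0/4": 10})
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print("A->B before learning B:", sw.receive("Gi0/1", a, b))   # flooded in VLAN 10
    print("B->A after learning A: ", sw.receive("Gi0/2", b, a))   # one port
    print("A->B after learning B: ", sw.receive("Gi0/1", a, b))   # one port
    print("MAC table:", sw.mac_table)
```

A host in VLAN 20 that addresses a VLAN 10 MAC never reaches it: the lookup is scoped by VLAN, so the frame is flooded only within VLAN 20, and only a router (or Layer 3 switch) can carry the traffic across.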
VLAN and trunk reference
| Feature | Purpose | Exam trap |
|---|---|---|
| Access port | Carries one data VLAN for an endpoint. | Voice VLAN may also be present for IP phone designs. |
| Trunk port | Carries multiple VLANs between switches or to router/firewall/AP. | Both sides must agree on trunking expectations. |
| 802.1Q tag | Identifies VLAN on trunk frames. | Native VLAN frames are not tagged by default behavior. |
| Native VLAN | VLAN used for untagged trunk traffic. | Mismatch can cause connectivity/security issues. |
| Allowed VLAN list | Restricts VLANs carried on trunk. | VLAN may exist but still not pass over trunk. |
| Inter-VLAN routing | Enables communication between VLANs. | A Layer 2 switch alone does not route VLANs. |
Common Cisco IOS VLAN commands:
vlan 10
name USERS
vlan 20
name VOICE
interface gigabitEthernet0/1
switchport mode access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
interface gigabitEthernet0/24
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,999
Verification:
show vlan brief
show interfaces trunk
show mac address-table
show interfaces switchport
Inter-VLAN routing patterns
| Pattern | When used | Key configuration point |
|---|---|---|
| Router-on-a-stick | Router subinterfaces connect to a switch trunk. | Each subinterface has 802.1Q encapsulation and gateway IP. |
| Layer 3 switch SVI | Multilayer switch routes between VLANs. | ip routing and interface VLAN gateways are required. |
| Routed physical port | Point-to-point L3 link. | Use no switchport on capable switches. |
Router-on-a-stick example:
interface gigabitEthernet0/0
no shutdown
interface gigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface gigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
Layer 3 switch SVI example:
ip routing
interface vlan 10
ip address 192.168.10.1 255.255.255.0
no shutdown
interface vlan 20
ip address 192.168.20.1 255.255.255.0
no shutdown
Spanning Tree and EtherChannel
STP/RSTP essentials
| Item | Meaning | Selection / behavior |
|---|---|---|
| Root bridge | Logical center of STP topology. | Lowest bridge ID wins. Bridge ID includes priority and MAC. |
| Root port | Best port toward root bridge. | One per non-root switch. |
| Designated port | Best port for a segment. | Forwards for that segment. |
| Alternate port | Backup path in RSTP. | Discards until needed. |
| PortFast | Speeds endpoint port transition. | Use on access ports, not switch-to-switch links. |
| BPDU Guard | Protects PortFast edge ports. | Err-disables port if BPDU is received. |
| Root Guard | Prevents unexpected root bridge. | Blocks superior BPDUs on protected ports. |

| Decision | Prefer |
|---|---|
| Make a specific switch root | Lower its STP priority. |
| Protect user-facing access ports | PortFast plus BPDU Guard. |
| Prevent a downstream switch from becoming root | Root Guard on appropriate upstream ports. |
| Troubleshoot blocked ports | Check root bridge, path cost, port role, VLAN-specific STP state. |
Verification:
show spanning-tree
show spanning-tree vlan 10
show spanning-tree interface gigabitEthernet0/1 detail
EtherChannel
| Protocol / mode | Forms channel with | Notes |
|---|---|---|
| LACP active | active or passive | Standards-based negotiation. |
| LACP passive | active only | Waits for peer. |
| PAgP desirable | desirable or auto | Cisco negotiation. |
| PAgP auto | desirable only | Waits for peer. |
| On | on only | No negotiation; mismatch can cause issues. |
EtherChannel requirements commonly tested:
- Same speed and duplex.
- Same trunk/access mode.
- Same native VLAN on trunks.
- Same allowed VLAN list on trunks.
- Same access VLAN on access bundles.
- Compatible negotiation mode.
Example:
interface range gigabitEthernet0/1 - 2
channel-group 1 mode active
interface port-channel1
switchport mode trunk
switchport trunk allowed vlan 10,20,30
Verification:
show etherchannel summary
show interfaces port-channel1
show interfaces trunk
IP routing
Route selection order
| Step | Router considers | Exam meaning |
|---|---|---|
| 1 | Longest prefix match | Most specific route wins first. |
| 2 | Administrative distance | Used only when prefix length is the same from different sources. |
| 3 | Metric | Used by a routing protocol to choose among routes it owns. |
| 4 | Equal-cost paths | May load share if multiple equal best routes exist. |
Common administrative distances:
| Route source | AD |
|---|---|
| Connected | 0 |
| Static | 1 |
| eBGP | 20 |
| EIGRP internal | 90 |
| OSPF | 110 |
| RIP | 120 |
| Unknown / unusable | 255 |
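The route selection order and the administrative distance table, as an added example that is not part of the original reference. `install` models what happens when several sources offer the same prefix: the lowest AD wins, then the lowest metric within that source, and equal metrics stay in the table as equal-cost paths. `lookup` models the forwarding decision: longest prefix match among installed routes, with AD and metric playing no part. The sample routes and next hops are constructed; the AD values are the defaults from the table above.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances from the table above
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.5.0/24"
    source: str      # key into AD
    metric: int      # meaningful only within one source
    next_hop: str


def install(candidates: list) -> list:
    """Steps 2-4: per prefix keep the lowest-AD source, then the lowest metric
    within that source; equal metrics are kept as equal-cost paths."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = []
    for routes in by_prefix.values():
        best_ad = min(AD[r.source] for r in routes)
        winners = [r for r in routes if AD[r.source] == best_ad]
        best_metric = min(r.metric for r in winners)
        table.extend(r for r in winners if r.metric == best_metric)
    return table


def lookup(table: list, destination: str) -> list:
    """Step 1: longest prefix match. Returns every installed route that ties
    on prefix length (equal-cost paths), or [] when nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    return [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]


# Constructed candidate routes: the same /24 is offered by OSPF (twice, equal cost)
# and by RIP, a covering /16 is static, and a default route is static.
CANDIDATES = [
    Route("10.0.0.0/16", "static", 0, "192.0.2.1"),
    Route("10.0.5.0/24", "ospf", 20, "192.0.2.2"),
    Route("10.0.5.0/24", "ospf", 20, "192.0.2.4"),
    Route("10.0.5.0/24", "rip", 1, "192.0.2.3"),
    Route("0.0.0.0/0", "static", 0, "203.0.113.1"),
]


def next_hops(destination: str) -> list:
    return sorted(r.next_hop for r in lookup(install(CANDIDATES), destination))


if __name__ == "__main__":
    for d in ("10.0.5.9", "10.0.7.1", "8.8.8.8"):
        print(d, "->", next_hops(d))
```

The trap in the "Common exam traps" table is visible in the first lookup: 10.0.5.9 is forwarded via the OSPF /24 (AD 110) rather than the static /16 (AD 1), because prefix length is compared before AD. RIP's lower metric for the same /24 is irrelevant because RIP loses on AD.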
Routing table codes commonly seen:
| Code | Meaning |
|---|---|
| C | Connected route |
| L | Local host route for interface IP |
| S | Static route |
| O | OSPF route |
| D | EIGRP route |
| R | RIP route |
| B | BGP route |
| * | Candidate default route |
Example static and default routes:
ip route 192.168.50.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ipv6 route 2001:db8:50::/64 2001:db8:1::2
ipv6 route ::/0 2001:db8:ffff::1
OSPFv2 quick reference
| Item | What to remember |
|---|---|
| Link-state protocol | Routers build LSDB and run SPF. |
| Area | CCNA-level questions often focus on single-area basics. |
| Router ID | Highest priority: manual router ID, then loopback, then active interface IP. |
| Neighbor requirement | Matching area, subnet, timers, authentication if used, and compatible network type. |
| DR/BDR | Elected on broadcast multiaccess networks. |
| Passive interface | Advertises network but does not form neighbor relationships there. |
| Metric | Based on cost. Lower total cost is better. |
OSPF configuration:
router ospf 1
router-id 1.1.1.1
network 10.1.1.0 0.0.0.255 area 0
passive-interface gigabitEthernet0/1
Interface-based OSPF alternative:
interface gigabitEthernet0/0
ip ospf 1 area 0
Verification:
show ip ospf neighbor
show ip ospf interface brief
show ip route ospf
show ip protocols
First-hop redundancy
| Concept | Purpose |
|---|---|
| HSRP/VRRP/GLBP category | Provides a resilient default gateway for hosts. |
| Virtual IP | Default gateway address configured on hosts. |
| Active/standby or equivalent roles | One device forwards for the virtual gateway depending on protocol/design. |
| Priority | Higher priority is generally preferred. |
| Preemption | Allows a recovered higher-priority device to reclaim active role if configured. |
IP services
DHCP
| Component | Role |
|---|---|
| DHCP Discover | Client broadcasts to find server. |
| DHCP Offer | Server offers address options. |
| DHCP Request | Client requests offered address. |
| DHCP Ack | Server confirms lease. |
| Default gateway option | Tells clients their router. |
| DNS option | Tells clients name servers. |
| DHCP relay | Forwards client broadcasts to server on another subnet. |
Router DHCP server example:
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp pool USERS
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.0.2.53
DHCP relay example:
interface vlan 10
ip helper-address 192.168.100.10
NAT and PAT
| Type | Use | Key distinction |
|---|---|---|
| Static NAT | One inside local to one inside global. | Fixed mapping. |
| Dynamic NAT | Inside hosts use a pool. | Pool can be exhausted. |
| PAT / overload | Many inside hosts share one or more global addresses. | Uses ports to multiplex sessions. |
| Inside local | Private/internal address before translation. | Seen on inside network. |
| Inside global | Translated address representing inside host. | Seen by outside network. |
PAT example:
access-list 1 permit 192.168.10.0 0.0.0.255
interface gigabitEthernet0/0
ip nat inside
interface gigabitEthernet0/1
ip nat outside
ip nat inside source list 1 interface gigabitEthernet0/1 overload
Verification:
show ip nat translations
show ip nat statistics
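How PAT multiplexes many inside local addresses onto one inside global address, as an added simulation (not part of the original reference and not Cisco's implementation). The inside subnet plays the role of the NAT ACL (`access-list 1` in the example above), the translated source port keeps sessions apart, and inbound packets are only translated when a matching entry already exists, so unsolicited inbound traffic is dropped. Address values are constructed from documentation ranges.

```python
import ipaddress
from itertools import count


class PatTranslator:
    """Port Address Translation: many inside hosts share one global address."""

    def __init__(self, inside_global: str, inside_subnet: str, first_port: int = 1024):
        self.inside_global = inside_global
        self.inside_net = ipaddress.ip_network(inside_subnet)   # stands in for the NAT ACL
        self.next_port = count(first_port)
        self.table = {}      # (inside_local, local_port) -> global_port
        self.reverse = {}    # global_port -> (inside_local, local_port)

    def outbound(self, src_ip: str, src_port: int):
        """Translate an inside->outside packet; None means the ACL did not match."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None
        key = (src_ip, src_port)
        if key not in self.table:
            # Keep the original source port when it is still free; otherwise
            # allocate the next unused port so two hosts never collide.
            gport = src_port
            while gport in self.reverse:
                gport = next(self.next_port)
            self.table[key] = gport
            self.reverse[gport] = key
        return (self.inside_global, self.table[key])

    def inbound(self, dst_port: int):
        """Translate an outside->inside packet; None means no entry, so it is dropped."""
        return self.reverse.get(dst_port)

    def translations(self) -> list:
        """Rows in the spirit of 'show ip nat translations': global -> local."""
        return [f"{self.inside_global}:{gp} -> {ip}:{lp}" for gp, (ip, lp) in sorted(self.reverse.items())]


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.5", "192.168.10.0/24")
    pat.outbound("192.168.10.11", 50000)
    pat.outbound("192.168.10.12", 50000)   # same source port, second host
    for row in pat.translations():
        print(row)
    print("unsolicited inbound to port 40000:", pat.inbound(40000))
```

The two hosts that both chose source port 50000 end up on different global ports, which is the "uses ports to multiplex sessions" row of the table. The `None` on an unsolicited inbound packet is why a PAT router without port forwarding does not expose inside hosts to new connections from outside.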
Other services
| Service | Purpose | Verification / notes |
|---|---|---|
| DNS | Name-to-address resolution. | If IP works but names fail, check DNS. |
| NTP | Time synchronization. | Important for logs, certificates, troubleshooting. |
| Syslog | Centralized logging. | Severity lower number means more critical. |
| SNMP | Monitoring and management. | Know manager, agent, MIB, trap/inform. |
| CDP | Cisco neighbor discovery. | Layer 2 adjacent Cisco devices. |
| LLDP | Standards-based neighbor discovery. | Multi-vendor neighbor discovery. |
| QoS | Classifies, marks, queues, and prioritizes traffic. | Voice/video are common priority examples. |
| TFTP/FTP/SCP | File transfer for images/configs. | Prefer secure options when available. |
Useful commands:
show cdp neighbors detail
show lldp neighbors detail
show ntp status
show logging
show clock
Wireless fundamentals
| Topic | Key points |
|---|---|
| AP | Bridges wireless clients into the wired network. |
| WLC | Centralizes AP management, SSIDs, security, roaming, and policies. |
| CAPWAP | Used between lightweight APs and controllers. |
| SSID | Wireless network name. |
| BSSID | AP radio MAC associated with an SSID. |
| WPA2/WPA3-Personal | Pre-shared key authentication. |
| WPA2/WPA3-Enterprise | 802.1X/EAP with centralized authentication. |
| 2.4 GHz | Longer range, fewer non-overlapping channels, more interference. |
| 5 GHz | More channels and capacity, generally shorter range than 2.4 GHz. |
| 6 GHz | Newer spectrum support where available; know conceptually if referenced. |
| Roaming | Client moves between APs while maintaining service. |

| Design decision | Prefer |
|---|---|
| Enterprise user authentication | WPA-Enterprise with 802.1X. |
| Guest access separation | Separate SSID/VLAN and policy controls. |
| Voice over Wi-Fi | Strong coverage, low latency, QoS support, careful roaming design. |
| Interference troubleshooting | Check channel overlap, power, neighboring APs, non-Wi-Fi interference. |
| Secure legacy avoidance | Avoid open or weak authentication/encryption designs. |
Security fundamentals
Device hardening
| Control | Why it matters |
|---|---|
| enable secret | Stores privileged password using stronger protection than enable password. |
| Local user accounts | Required for local authentication and SSH login. |
| SSH instead of Telnet | Encrypts management traffic. |
| AAA | Centralizes authentication, authorization, and accounting. |
| Login banners | Provide administrative notice; do not leak sensitive information. |
| Exec timeout | Reduces risk from abandoned sessions. |
| Secure management VLAN/path | Limits who can reach device management. |
| NTP | Supports reliable log timestamps. |
| Syslog | Preserves events centrally. |
| Configuration backups | Supports recovery and change comparison. |
Basic SSH management example:
hostname R1
ip domain-name example.local
username admin privilege 15 secret StrongSecretHere
crypto key generate rsa
ip ssh version 2
line vty 0 4
login local
transport input ssh
exec-timeout 10 0
ACLs
| ACL type | Filters by | Placement guidance |
|---|---|---|
| Standard IPv4 ACL | Source IPv4 only | Place near destination to avoid overblocking. |
| Extended IPv4 ACL | Source, destination, protocol, ports | Place near source to stop unwanted traffic early. |
| IPv6 ACL | IPv6 source/destination and upper-layer fields | Applied with IPv6 access-group syntax. |
ACL rules to remember:
- Processed top-down, first match wins.
- There is an implicit deny at the end.
- More specific entries should appear before broader entries.
- Direction matters: inbound before routing decision, outbound after routing decision.
- Editing named ACLs is usually easier than editing numbered ACLs.
- Standard ACLs cannot match destination or TCP/UDP port.
Examples:
ip access-list extended BLOCK_TELNET
deny tcp 192.168.10.0 0.0.0.255 any eq 23
permit ip any any
interface gigabitEthernet0/0
ip access-group BLOCK_TELNET in
ip access-list standard MGMT_ONLY
permit 192.168.100.0 0.0.0.255
deny any
line vty 0 4
access-class MGMT_ONLY in
Verification:
show access-lists
show ip interface gigabitEthernet0/0
show running-config | section access-list
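The ACL rules listed above (top-down, first match wins, implicit deny, wildcard semantics, standard ACLs matching source only) as an added evaluator that is not part of the original reference and does not reproduce Cisco's data structures. The two ACLs from the configuration example, BLOCK_TELNET and MGMT_ONLY, are re-expressed as entry lists, and `evaluate` returns both the decision and the line that made it, which is what you would compare against the hit counters in `show access-lists`. The packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every protocol (standard ACLs use this)
    src: str = "any"              # "any", "host a.b.c.d", or "a.b.c.d w.w.w.w" (wildcard)
    dst: str = "any"              # a standard ACL leaves this as "any"
    dst_port: Optional[int] = None


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        base, wild = spec.split()[1], "0.0.0.0"
    else:
        base, wild = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def evaluate(acl: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Falling off the end is the implicit deny,
    reported with line None because no configured entry matched."""
    for line, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(e.src, pkt.src) or not wildcard_match(e.dst, pkt.dst):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, line
    return "deny", None


# The two ACLs from the configuration example, as entry lists
BLOCK_TELNET = [
    Entry("deny", "tcp", "192.168.10.0 0.0.0.255", "any", 23),
    Entry("permit", "ip", "any", "any"),
]
MGMT_ONLY = [
    Entry("permit", src="192.168.100.0 0.0.0.255"),
    Entry("deny", src="any"),
]


if __name__ == "__main__":
    telnet = Packet("192.168.10.5", "10.0.0.1", "tcp", 23)
    ssh = Packet("192.168.10.5", "10.0.0.1", "tcp", 22)
    print("telnet from VLAN 10:", evaluate(BLOCK_TELNET, telnet))
    print("ssh from VLAN 10:   ", evaluate(BLOCK_TELNET, ssh))
    print("vty from non-mgmt:  ", evaluate(MGMT_ONLY, Packet("192.168.10.5", "10.0.0.1", "tcp", 22)))
```

Reversing the two BLOCK_TELNET entries shows the ordering rule: with `permit ip any any` first, the deny line is never reached and Telnet is permitted at line 1. Dropping the explicit `deny any` from MGMT_ONLY changes nothing for the decision but the reason moves from line 2 to the implicit deny, which is why explicit denies are useful for logging and hit counts.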
Layer 2 security
| Feature | Protects against | Key idea |
|---|---|---|
| Port security | Unauthorized MACs on access ports | Limit/learn allowed MAC addresses. |
| DHCP snooping | Rogue DHCP servers | Trust uplinks/server-facing ports only. |
| Dynamic ARP Inspection | ARP spoofing | Uses DHCP snooping binding table. |
| BPDU Guard | Rogue switches on edge ports | Err-disables PortFast port receiving BPDU. |
| Storm control | Excessive broadcast/multicast/unknown unicast | Limits traffic storms. |
| Native VLAN change | VLAN hopping risk reduction | Use unused native VLAN and avoid user traffic on it. |
| Disable unused ports | Physical access risk | Shut down and place in unused VLAN. |
Port security example:
interface gigabitEthernet0/10
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
Verification:
show port-security
show port-security interface gigabitEthernet0/10
show interfaces status err-disabled
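The port security behavior configured in the example above (maximum 2, sticky learning, violation restrict), modelled as an added example that is not part of the original reference and is not Cisco's implementation. Sticky addresses are learned until the maximum is reached; a further unknown source address is a violation, and the configured violation mode decides whether the frame is dropped silently (protect), dropped and counted (restrict), or the port is err-disabled (shutdown). The MAC addresses are constructed.

```python
class PortSecurity:
    """Per-port state for switchport port-security with sticky learning."""

    def __init__(self, maximum: int = 2, violation: str = "restrict", sticky: bool = True):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = []        # allowed addresses, in learning order
        self.violation_count = 0     # the counter shown by show port-security
        self.err_disabled = False

    def frame_from(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is accepted on the port."""
        if self.err_disabled:
            return False                         # nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)     # learned (sticky) address
            return True
        # Limit reached and the address is not allowed: a violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1            # drop, count, and notify on a real switch
        # "protect": drop silently, no count
        return False

    def sticky_config_lines(self) -> list:
        """What sticky learning would write into the running configuration."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]

    def recover(self) -> None:
        """Operator clears the err-disabled state (shutdown / no shutdown)."""
        self.err_disabled = False


if __name__ == "__main__":
    ps = PortSecurity(maximum=2, violation="restrict")
    for mac in ("0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc", "0000.1111.aaaa"):
        print(mac, "accepted" if ps.frame_from(mac) else "dropped")
    print("violations:", ps.violation_count)
    print("\n".join(ps.sticky_config_lines()))
```

The third address is dropped and counted while the first two keep working, which is the practical difference between restrict and shutdown: restrict keeps the legitimate devices online, shutdown takes the whole port down until an operator intervenes, and only the counter (or the err-disabled list) tells you it happened.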
Automation and programmability
| Term | Practical meaning |
|---|---|
| Controller-based networking | Central control/management plane programs network devices. |
| Northbound API | Interface from controller to applications/orchestrators. |
| Southbound API | Interface from controller to network devices. |
| REST API | HTTP-based API style using methods such as GET, POST, PUT/PATCH, DELETE. |
| JSON | Common structured data format used by APIs. |
| XML | Structured markup format used by some network APIs. |
| YANG | Data modeling language for network configuration/state. |
| NETCONF | Model-driven management protocol commonly using XML and YANG models. |
| RESTCONF | REST-style protocol using YANG-modeled data. |
| Ansible | Agentless automation commonly using YAML playbooks. |
| Puppet/Chef | Configuration management tools; often agent/model driven. |
| Idempotence | Reapplying automation should not create unintended repeated changes. |
JSON:
{
"interface": {
"name": "GigabitEthernet0/1",
"enabled": true,
"vlan": 10
}
}
YAML:
interface:
name: GigabitEthernet0/1
enabled: true
vlan: 10
REST method quick map:
| Method | Typical use |
|---|---|
| GET | Read data. |
| POST | Create or trigger action. |
| PUT | Replace a resource. |
| PATCH | Partially update a resource. |
| DELETE | Remove a resource. |
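The REST method table and the idempotence row from the terms table, as an added example that is not part of the original reference. The JSON document shown above is the desired state; `put` replaces a whole resource, `patch` merges only the supplied fields, and each returns whether anything actually changed, which is the contract an idempotent automation task reports. The in-memory `store` dictionary stands in for a device or controller resource collection; no real API is called.

```python
import json

# The JSON document from the reference, as the desired state of one interface
DESIRED_JSON = """{
  "interface": {
    "name": "GigabitEthernet0/1",
    "enabled": true,
    "vlan": 10
  }
}"""


def put(store: dict, key: str, resource: dict) -> bool:
    """PUT: replace the whole resource. Returns True if stored state changed."""
    changed = store.get(key) != resource
    store[key] = dict(resource)
    return changed


def patch(store: dict, key: str, fields: dict) -> bool:
    """PATCH: merge only the supplied fields into the existing resource."""
    current = store.setdefault(key, {})
    changed = any(current.get(k) != v for k, v in fields.items())
    current.update(fields)
    return changed


def ensure_interface(store: dict, desired_json: str) -> bool:
    """An idempotent 'ensure this interface looks like X' task: the first run
    reports a change, every later run with the same input reports none."""
    desired = json.loads(desired_json)["interface"]
    return put(store, desired["name"], desired)


if __name__ == "__main__":
    store = {}
    print("first run changed:", ensure_interface(store, DESIRED_JSON))
    print("second run changed:", ensure_interface(store, DESIRED_JSON))
    print("patch description:", patch(store, "GigabitEthernet0/1", {"description": "uplink"}))
    print("put again changed:", ensure_interface(store, DESIRED_JSON))
    print(json.dumps(store, indent=2))
```

The last step is the PUT versus PATCH distinction in practice: after a PATCH added a description, re-applying the full desired state with PUT counts as a change because it removes the description. An automation job that always reports "changed" is the first sign that a task is not idempotent and is rewriting configuration on every run.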
Traditional vs controller-based networking
| Area | Traditional device-by-device | Controller-based |
|---|---|---|
| Configuration | CLI per device | Policy/templates/API-driven |
| Visibility | Per-device show commands | Central inventory, telemetry, assurance |
| Consistency | Depends on operator process | Enforced through automation/policy |
| Troubleshooting | Hop-by-hop | Controller view plus device validation |
| Risk | Manual drift | Automation errors can scale quickly if poorly tested |
Command interpretation map
| Need to prove | Cisco IOS commands |
|---|---|
| Interface status and IPs | show ip interface brief, show ipv6 interface brief |
| Physical/link errors | show interfaces, show controllers where applicable |
| VLAN membership | show vlan brief |
| Trunk state and allowed VLANs | show interfaces trunk |
| MAC learning | show mac address-table |
| ARP resolution | show ip arp |
| IPv6 neighbors | show ipv6 neighbors |
| Routing table | show ip route, show ipv6 route |
| Default route | show ip route 0.0.0.0, show ipv6 route ::/0 |
| OSPF neighbors | show ip ospf neighbor |
| OSPF-enabled interfaces | show ip ospf interface brief |
| DHCP bindings | show ip dhcp binding |
| NAT translations | show ip nat translations |
| ACL hits | show access-lists |
| Running configuration | show running-config |
| Startup configuration | show startup-config |
| Neighbor devices | show cdp neighbors detail, show lldp neighbors detail |
| EtherChannel | show etherchannel summary |
| STP | show spanning-tree |
| SSH status | show ip ssh |
| Logs | show logging |
Troubleshooting decision tables
Host cannot reach anything
| Check | If failing | Likely issue |
|---|---|---|
| Link status | Interface down/down | Cable, disabled port, physical/RF issue. |
| Host IP/mask/gateway | Missing or APIPA | DHCP failure or static misconfiguration. |
| Same-subnet ping | Cannot reach neighbor | VLAN, switchport, ARP/NDP, host firewall. |
| Default gateway ping | Fails | Wrong gateway, SVI/router down, VLAN/trunk issue. |
| Off-subnet ping by IP | Gateway works, remote fails | Routing, ACL, NAT, upstream path. |
| DNS name ping | IP works, name fails | DNS configuration or resolution issue. |
VLAN user cannot reach gateway
| Symptom | Check first |
|---|---|
| Access port in wrong VLAN | show vlan brief, show interfaces switchport |
| VLAN absent on switch | show vlan brief |
| VLAN not allowed on trunk | show interfaces trunk |
| Native VLAN mismatch | Trunk configuration on both sides |
| SVI down | At least one active port in VLAN and no shutdown on SVI |
| Router-on-a-stick failure | Subinterface encapsulation, trunk to router, IP address |
Routing failure
| Symptom | Likely area |
|---|---|
| Route missing | Routing protocol not advertising, static route absent, interface down. |
| Wrong next hop selected | Longest prefix, AD, or metric misunderstanding. |
| Default route missing | Internet/unknown destinations fail. |
| OSPF neighbor down | Area/subnet/timer/authentication/network type issue. |
| One direction works only | Return route, ACL, NAT, or asymmetric path. |
| Ping fails but route exists | ACL, firewall, host issue, MTU, wrong source interface. |
NAT/PAT failure
| Check | What to confirm |
|---|---|
| Inside/outside labels | Correct interfaces marked ip nat inside and ip nat outside. |
| ACL match | Inside source addresses are permitted by NAT ACL. |
| Route to outside | Router can reach next hop. |
| Return traffic | Outside path returns to translated address. |
| Translations | show ip nat translations increments during test. |
| Overlap | Avoid ambiguous inside/outside addressing. |
Common exam traps
| Trap | Correct thinking |
|---|---|
| “Lowest AD always wins.” | Longest prefix match is evaluated before AD. |
| Confusing MAC and IP forwarding | Switches use MAC/VLAN; routers use IP routes. |
| Forgetting implicit ACL deny | Add explicit permits as needed. |
| Applying ACL in wrong direction | Inbound and outbound are from the router interface perspective. |
| Using subnet mask in OSPF network command | OSPF network uses wildcard mask. |
| Assuming VLAN exists because trunk allows it | VLAN must exist and be active where needed. |
| Ignoring native VLAN mismatch | Can break or misdirect untagged traffic. |
| Assuming SVI up just because configured | SVI needs VLAN present and active Layer 2 state. |
| PortFast on switch-to-switch links | PortFast is for edge/access ports. |
| EtherChannel partial mismatch | Member ports must have compatible speed, duplex, VLAN, trunk settings. |
| DHCP relay forgotten | DHCP broadcasts do not cross routers without relay. |
| DNS blamed for IP failure | Test by IP first, then by name. |
| IPv6 default gateway confusion | Link-local next hops are normal in IPv6. |
| Telnet accepted as secure management | Use SSH for encrypted CLI management. |
| service password-encryption overvalued | It obscures some passwords but is not strong password protection. |
Final quick-review checklist
Before exam day, make sure you can do the following without notes:
- Subnet /24 through /30 quickly, including network, broadcast, usable range, and wildcard.
- Interpret show ip route and explain why one route wins.
- Configure and verify VLANs, trunks, router-on-a-stick, and SVIs.
- Identify STP root, port roles, and common edge protections.
- Recognize OSPF neighbor requirements and basic verification output.
- Configure a simple static route, default route, DHCP pool, PAT, SSH, and ACL.
- Troubleshoot by layer instead of guessing.
- Explain REST, JSON, YANG, NETCONF, RESTCONF, controller-based networking, and northbound/southbound APIs at a practical level.
Next step: use this Quick Reference as your checklist while working through timed Cisco CCNA (200-301 v2.0) practice questions and hands-on configuration labs, then revisit any command or decision point you cannot explain from memory.