200-301 v2.0 — Cisco CCNA Quick Review
Independent Quick Review for Cisco CCNA (200-301 v2.0): subnetting, switching, routing, services, security, automation, common traps, and practice focus.
Cisco CCNA Quick Review for 200-301 v2.0
This independent Quick Review is for candidates preparing for the Cisco CCNA exam (code 200-301 v2.0). Use it to refresh high-yield concepts before moving into topic drills, mock exams, and detailed explanations.
The goal is not to replace hands-on lab work. The goal is to help you quickly reconnect facts, decision rules, and troubleshooting logic so your original practice questions expose gaps instead of becoming your first review pass.
How to Use This Quick Review
- Skim the decision rules first. CCNA questions often test what you would choose next, not just definitions.
- Do subnetting and route-selection practice daily. These are fast to lose and high-impact across multiple topics.
- Review command outputs, not only configuration syntax. Many questions ask you to interpret `show` output.
- Practice wrong-answer recognition. Cisco distractors often use correct terms in the wrong layer, wrong direction, or wrong order.
- After this review, use topic drills. Focus especially on subnetting, VLAN/trunking, STP, OSPF, ACLs, NAT, wireless, security fundamentals, and automation concepts.
High-Yield Exam Map
| Area | You should be able to do | Common traps |
|---|---|---|
| Network fundamentals | Explain OSI/TCP-IP models, cabling, interface states, IPv4/IPv6, subnetting, endpoint communication | Confusing MAC vs IP roles; forgetting ARP/NDP; treating default gateway as optional |
| Switching | Configure/interpret VLANs, trunks, access ports, STP, EtherChannel, CDP/LLDP | Native VLAN mismatch; wrong trunk encapsulation assumptions; STP root confusion |
| Routing | Select best route, configure static/default routes, understand OSPF basics | Ignoring longest-prefix match; mixing AD and metric; missing passive interfaces |
| IP services | DHCP, DNS, NAT/PAT, NTP, syslog, SNMP, QoS concepts | Applying NAT ACL backward; forgetting DHCP relay; confusing SNMP traps and polling |
| Security | ACLs, device hardening, SSH, AAA concepts, Layer 2 protections, wireless security | ACL direction errors; implicit deny; weak port-security assumptions |
| Wireless | AP/WLC roles, SSIDs, channels, authentication, roaming concepts | Confusing autonomous APs with controller-based WLANs; mixing WPA modes |
| Automation | APIs, JSON, controllers, SDN, NETCONF/RESTCONF, AI/ML concepts in operations | Memorizing buzzwords without knowing data flow or use case |
Core Networking Models
OSI and TCP/IP Fast Mapping
| OSI layer | Common examples | CCNA review focus |
|---|---|---|
| 7 Application | HTTP, DNS, DHCP, SNMP, SSH | Service purpose, port numbers, client/server behavior |
| 6 Presentation | Encoding, encryption, compression | Usually conceptual |
| 5 Session | Session establishment/management | Usually conceptual |
| 4 Transport | TCP, UDP, ports | Reliability, sequencing, retransmission, connectionless delivery |
| 3 Network | IPv4, IPv6, ICMP, routing | Addressing, subnetting, routing decisions |
| 2 Data Link | Ethernet, MAC, VLANs, STP | Switching, frames, trunks, Layer 2 loop prevention |
| 1 Physical | Copper, fiber, RF | Cables, speeds, duplex, signal issues |
TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection setup | Uses handshake | No handshake |
| Reliability | Acknowledgments, retransmission, sequencing | Best-effort |
| Overhead | Higher | Lower |
| Typical uses | HTTP/HTTPS, SSH, FTP, SMTP | DNS queries, DHCP, VoIP/RTP, streaming |
| Exam trap | “Reliable” does not mean faster | “Connectionless” does not mean unusable or insecure by itself |
Common Ports to Know
| Protocol | Port/transport | Purpose |
|---|---|---|
| FTP data/control | TCP 20/21 | File transfer |
| SSH | TCP 22 | Secure CLI access |
| Telnet | TCP 23 | Insecure CLI access |
| SMTP | TCP 25 | Mail transfer |
| DNS | UDP/TCP 53 | Name resolution |
| DHCP server/client | UDP 67/68 | Address assignment |
| HTTP | TCP 80 | Web |
| POP3 | TCP 110 | Mail retrieval |
| NTP | UDP 123 | Time sync |
| SNMP | UDP 161/162 | Monitoring/traps |
| HTTPS | TCP 443 | Secure web |
| Syslog | UDP 514 | Logging |
Ethernet, Frames, and Switching
What a Switch Does
A Layer 2 switch:
- Learns source MAC addresses and associates them with ingress ports.
- Forwards known unicast frames out the matching port.
- Floods unknown unicast, broadcast, and many multicast frames within the VLAN.
- Maintains a separate MAC address table per VLAN.
Frame Forwarding Decision
| Frame type | Switch behavior |
|---|---|
| Known unicast | Forward only out the learned destination port |
| Unknown unicast | Flood within the VLAN except ingress port |
| Broadcast | Flood within the VLAN except ingress port |
| Multicast | Flood or constrain depending on multicast features |
MAC Address Table Traps
- A switch learns from the source MAC address, not the destination.
- MAC learning is per VLAN.
- If a MAC moves ports, the table updates.
- Clearing the MAC table may temporarily increase flooding.
- A switch does not need an IP address to switch frames; management IP is for administration.
IPv4 Subnetting Review
Must-Know Private IPv4 Ranges
| Range | Default classful range | Common CIDR |
|---|---|---|
| 10.0.0.0 to 10.255.255.255 | Class A private | 10.0.0.0/8 |
| 172.16.0.0 to 172.31.255.255 | Class B private | 172.16.0.0/12 |
| 192.168.0.0 to 192.168.255.255 | Class C private | 192.168.0.0/16 |
Subnetting Formulas
Usable IPv4 host count for most subnets:
\[ 2^{h} - 2 \]
where \(h\) is the number of host bits.
Number of equal-size subnets created by borrowing bits:
\[ 2^{b} \]
where \(b\) is the number of borrowed bits.
Remember: point-to-point `/31` and host `/32` routes have special uses, but many basic host-count questions still expect the traditional usable-host formula.
CIDR Quick Review
| Prefix | Mask | Block size in interesting octet | Usable hosts |
|---|---|---|---|
| /24 | 255.255.255.0 | 1 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 2 |
| /31 | 255.255.255.254 | 2 | Special point-to-point use |
| /32 | 255.255.255.255 | 1 | Single host route |
Fast Subnetting Method
For an address such as 192.168.10.77/27:
- Convert `/27` to a mask: `255.255.255.224`.
- The interesting octet is the fourth octet.
- Block size: `256 - 224 = 32`.
- Subnets start at `.0`, `.32`, `.64`, `.96`, and so on; `.77` falls in `.64` to `.95`.
- Network: `192.168.10.64`.
- Broadcast: `192.168.10.95`.
- Usable range: `192.168.10.65` to `192.168.10.94`.
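The block-size method above, implemented step by step so each intermediate value (mask, interesting octet, block size, network, broadcast, usable range) can be checked against a hand calculation. This is an added example, not code from the review; it uses only the Python standard library, and the sample addresses are constructed. It also covers two checklist items from later in this review, choosing the smallest subnet for a host requirement and detecting overlapping subnets, and handles the `/31` and `/32` special cases separately from the traditional formula.

```python
# Added example (not from the review): the block-size subnetting method worked
# by hand above, implemented step by step. Standard library only; the sample
# address 192.168.10.77/27 and the other values used below are constructed.
from typing import Dict


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer (validates each octet)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask_int(prefix: int) -> int:
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be 1..32 for this method")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> Dict[str, object]:
    """Return mask, interesting octet, block size, network, broadcast and usable range."""
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip_int = ip_to_int(ip)
    mask_int = prefix_to_mask_int(prefix)
    mask_octets = [(mask_int >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    # The interesting octet is the one holding the last network bit; its block
    # size is 256 minus the mask value in that octet (/27 -> 256 - 224 = 32).
    octet = (prefix - 1) // 8 + 1
    block = 256 - mask_octets[octet - 1]
    network = ip_int & mask_int                      # host bits all 0
    broadcast = network | (~mask_int & 0xFFFFFFFF)   # host bits all 1
    if prefix == 32:        # host route: the single address itself
        first, last, usable = network, network, 1
    elif prefix == 31:      # RFC 3021 point-to-point: both addresses are used
        first, last, usable = network, broadcast, 2
    else:                   # traditional formula 2^h - 2
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {
        "mask": int_to_ip(mask_int),
        "interesting_octet": octet,
        "block_size": block,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "usable_hosts": usable,
    }


def smallest_prefix_for_hosts(required: int) -> int:
    """Longest prefix (smallest subnet) whose 2^h - 2 usable hosts cover the requirement."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= required:
            return prefix
    raise ValueError("no IPv4 subnet fits %d hosts" % required)


def subnets_overlap(cidr_a: str, cidr_b: str) -> bool:
    """Two CIDR blocks overlap exactly when one contains the other, i.e. when
    they agree on every bit covered by the shorter prefix."""
    ip_a, p_a = cidr_a.split("/")
    ip_b, p_b = cidr_b.split("/")
    shorter = prefix_to_mask_int(min(int(p_a), int(p_b)))
    return (ip_to_int(ip_a) & shorter) == (ip_to_int(ip_b) & shorter)


if __name__ == "__main__":
    for key, value in subnet_info("192.168.10.77/27").items():
        print("%-18s %s" % (key, value))
```

Run it on a few of the CIDR table rows and compare the block size and usable-host columns; the `/31` and `/32` rows are the ones where the traditional formula would give 0 and -1, which is why those prefixes are special-cased.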
Subnetting Mistakes to Eliminate
| Mistake | Fix |
|---|---|
| Treating the first usable IP as the network address | Network address has all host bits set to 0 |
| Treating broadcast as usable | Broadcast has all host bits set to 1 |
| Calculating block size from the wrong octet | Find the octet where the mask is not 255 or 0 |
| Forgetting longest-prefix match | A /28 route beats a /24 route for matching traffic |
| Confusing host bits and borrowed bits | Host bits determine host count; borrowed bits determine subnet count |
IPv6 Review
IPv6 Essentials
| Concept | Review point |
|---|---|
| Address size | 128 bits |
| Notation | Hexadecimal, colon-separated |
| Compression | One contiguous run of zero groups can become :: |
| Broadcast | No IPv6 broadcast; multicast and anycast are used |
| Neighbor discovery | Uses ICMPv6 Neighbor Discovery instead of ARP |
| Common LAN prefix | Often /64 for host subnets |
| Link-local | FE80::/10; required for many local functions |
| Global unicast | Publicly routable IPv6 addressing |
| Unique local | FC00::/7; in practice addresses are assigned from FD00::/8 |
| Multicast | FF00::/8 |
IPv6 Address Compression Rules
| Full form | Valid compressed form | Notes |
|---|---|---|
| 2001:0DB8:0000:0000:0000:0000:0000:0001 | 2001:DB8::1 | Leading zeros removed; one zero run compressed |
| FE80:0000:0000:0000:0202:B3FF:FE1E:8329 | FE80::202:B3FF:FE1E:8329 | Link-local example |
| 2001:DB8:0:1:0:0:0:10 | 2001:DB8:0:1::10 | Only one :: allowed |
IPv6 Traps
- `::` can appear only once in an IPv6 address.
- Leading zeros inside a hextet can be removed; internal zeros cannot be randomly removed.
- Link-local addresses are not routed beyond the local link.
- IPv6 does not use ARP.
- SLAAC, DHCPv6, and static configuration are different address assignment methods.
VLANs and Trunking
VLAN Decision Rules
| Requirement | Likely configuration |
|---|---|
| One endpoint in one VLAN | Access port |
| Carry multiple VLANs between switches | Trunk port |
| Carry VLANs between switch and router subinterface | Trunk to router-on-a-stick |
| Isolate Layer 2 broadcast domains | Separate VLANs |
| Allow inter-VLAN communication | Layer 3 routing is required |
Access vs Trunk
| Feature | Access port | Trunk port |
|---|---|---|
| Carries | One data VLAN, optionally a voice VLAN | Multiple VLANs |
| Tagging | Usually untagged for data VLAN | 802.1Q tagging |
| Endpoint use | PCs, printers, many servers | Switches, routers, APs, firewalls |
| Native VLAN | Not normally relevant to endpoint | Sent untagged by default on 802.1Q trunks |
High-Yield Commands
| Task | Common Cisco IOS command |
|---|---|
| Create VLAN | vlan 10 |
| Name VLAN | name SALES |
| Assign access VLAN | switchport mode access and switchport access vlan 10 |
| Configure trunk | switchport mode trunk |
| Limit trunk VLANs | switchport trunk allowed vlan 10,20,30 |
| Configure native VLAN | switchport trunk native vlan 99 |
| Verify VLANs | show vlan brief |
| Verify trunks | show interfaces trunk |
VLAN/Trunk Traps
- VLANs must exist in the VLAN database for normal use.
- A trunk can be up while a needed VLAN is missing from the allowed list.
- Native VLAN mismatch can create confusing connectivity and security issues.
- Inter-VLAN routing does not happen automatically on a Layer 2 switch.
- A host’s default gateway should be in the same subnet/VLAN as the host.
Spanning Tree Protocol Review
Why STP Exists
STP prevents Layer 2 loops. Without loop prevention, redundant switch links can cause:
- Broadcast storms
- MAC address table instability
- Duplicate frame delivery
- Severe network outage
STP Roles and States
| Item | Meaning |
|---|---|
| Root bridge | Central reference point for STP topology |
| Root port | Best path from a non-root switch toward the root bridge |
| Designated port | Forwarding port for a segment |
| Alternate/blocking port | Backup path that does not forward user traffic |
| Forwarding | Sends and receives user traffic |
| Blocking/discarding | Prevents loops |
Root Bridge Election
STP chooses the lowest bridge ID. Bridge ID includes priority and MAC address.
Decision order:
- Lowest bridge priority.
- If tied, lowest MAC address.
Path Selection Toward Root
A switch chooses the best path using, in general:
- Lowest root path cost.
- Lowest sender bridge ID.
- Lowest sender port ID.
- Lowest local port ID.
STP Traps
- The root bridge should usually be intentionally controlled, not left to the lowest MAC address.
- Lower priority is better.
- Blocking is normal in a redundant Layer 2 topology.
- STP is per VLAN in common Cisco environments, so different VLANs may have different forwarding paths.
- PortFast is for edge/access ports, not switch-to-switch links.
EtherChannel Review
EtherChannel Purpose
EtherChannel bundles multiple physical links into one logical link to provide:
- Higher aggregate bandwidth
- Redundancy
- STP simplification, because STP sees one logical link
Modes
| Protocol/mode | Behavior |
|---|---|
| LACP active | Actively negotiates |
| LACP passive | Waits for negotiation |
| PAgP desirable | Actively negotiates Cisco PAgP |
| PAgP auto | Waits for negotiation |
| On | Forces channel without negotiation |
EtherChannel Compatibility
Member links should match important settings:
- Speed
- Duplex
- Access/trunk mode
- Native VLAN
- Allowed VLANs
- STP-related consistency
- Layer 2 vs Layer 3 mode
Common Working Pairings
| Side A | Side B | Result |
|---|---|---|
| LACP active | LACP active | Forms |
| LACP active | LACP passive | Forms |
| LACP passive | LACP passive | Does not form |
| PAgP desirable | PAgP desirable | Forms |
| PAgP desirable | PAgP auto | Forms |
| PAgP auto | PAgP auto | Does not form |
| On | On | Forms, but no negotiation |
Routing Fundamentals
How Routers Forward Packets
A router:
- Receives a frame on an interface.
- Removes the Layer 2 header/trailer.
- Examines the destination IP address.
- Finds the best matching route.
- Decrements TTL/hop limit.
- Rewrites Layer 2 encapsulation for the outgoing interface.
- Forwards the packet.
Route Selection Order
When multiple routes exist, remember:
- Longest prefix match wins first.
- If prefix length ties, use administrative distance.
- If administrative distance ties, use the routing protocol’s metric.
- If equal-cost routes exist, load balancing may occur.
Administrative Distance Quick Reference
| Route source | Typical AD |
|---|---|
| Connected | 0 |
| Static | 1 |
| EIGRP summary | 5 |
| External BGP | 20 |
| Internal EIGRP | 90 |
| OSPF | 110 |
| RIP | 120 |
| External EIGRP | 170 |
| Unknown/untrusted | 255, not installed |
For the Cisco CCNA (200-301 v2.0), the most important practical comparison is usually connected vs static vs dynamic routes such as OSPF.
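The route-selection order and the AD table above as a small routing-table model. This is an added example, not from the review: routes are held as simple records with the routing-table code, an optional explicit AD (for a floating static), and a metric, and `select_routes` applies longest prefix first, then AD, then metric, returning every route that still ties so equal-cost load balancing is visible. On IOS the AD and metric comparison happens when a route is installed and the longest-prefix match at forwarding time, but the outcome for a given destination is the same. The sample table and its next hops are constructed.

```python
# Added example (not from the review): longest prefix, then administrative
# distance, then metric, over a constructed routing table.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from the Quick Reference table above.
DEFAULT_AD = {"C": 0, "S": 1, "B": 20, "D": 90, "O": 110, "R": 120, "EX": 170}


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network in CIDR form
    source: str                 # routing-table code: C, S, O, D, R, B, EX
    next_hop: str
    metric: int = 0
    ad: Optional[int] = None    # explicit AD, e.g. a floating static route


def effective_ad(route: Route) -> int:
    return route.ad if route.ad is not None else DEFAULT_AD[route.source]


def select_routes(table: List[Route], destination: str) -> List[Route]:
    """Return the route(s) used for destination: longest prefix wins, then the
    lowest AD, then the lowest metric; several routes may remain (equal cost)."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    matches = [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best_ad = min(effective_ad(r) for r in matches)
    matches = [r for r in matches if effective_ad(r) == best_ad]
    best_metric = min(r.metric for r in matches)
    return [r for r in matches if r.metric == best_metric]


def next_hops(table: List[Route], destination: str) -> List[str]:
    return sorted(r.next_hop for r in select_routes(table, destination))


# Constructed sample table (documentation-range addresses, not a real network).
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "S", "203.0.113.1"),             # primary default route, AD 1
    Route("0.0.0.0/0", "S", "198.51.100.1", ad=5),      # floating static backup, AD 5
    Route("10.0.0.0/8", "S", "10.9.9.1"),
    Route("10.1.1.0/24", "O", "10.9.9.2", metric=20),   # OSPF, AD 110
    Route("10.1.1.0/24", "S", "10.9.9.3"),              # static for the same prefix wins on AD
    Route("10.1.1.128/25", "O", "10.9.9.4", metric=30), # longer prefix beats the static /24
    Route("10.2.0.0/16", "O", "10.9.9.5", metric=10),   # two equal-cost OSPF paths
    Route("10.2.0.0/16", "O", "10.9.9.6", metric=10),
]


if __name__ == "__main__":
    for dest in ("10.1.1.200", "10.1.1.5", "10.3.3.3", "8.8.8.8", "10.2.5.5"):
        print(dest, "->", next_hops(SAMPLE_TABLE, dest))
```

The interesting case is 10.1.1.200: the static /24 has the better AD, but the OSPF /25 is the longer prefix and wins; AD is only compared once the prefix lengths tie. Removing the primary default route from the table is what lets the AD-5 floating static take over.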
Static and Default Routes
| Route type | Example intent | Common syntax pattern |
|---|---|---|
| Static network route | Reach one remote subnet | ip route destination mask next-hop-or-exit-interface |
| Default route | Send unmatched traffic upstream | ip route 0.0.0.0 0.0.0.0 next-hop |
| Floating static route | Backup route with higher AD | ip route ... administrative-distance |
Static Route Traps
- A default route is used only when no more specific route matches.
- A floating static route must have a higher AD than the primary route.
- Recursive next-hop lookup must still resolve to a reachable exit path.
- A route may be configured but not installed if the next hop is unreachable.
- On Ethernet, specifying only an exit interface can create ARP-related inefficiency in some designs.
OSPF Quick Review
OSPF Concepts
| Concept | Meaning |
|---|---|
| Link-state protocol | Routers exchange topology information and calculate best paths |
| Area | Logical grouping; single-area OSPF is common in CCNA practice |
| Router ID | 32-bit identifier, formatted like IPv4 |
| Neighbor adjacency | Relationship formed with compatible OSPF routers |
| Cost | Metric based on interface bandwidth/reference bandwidth |
| DR/BDR | Designated routers used on multiaccess networks |
| Passive interface | Advertises network but does not form neighbor adjacencies |
OSPF Neighbor Requirements
OSPF neighbors generally need compatible:
- Area ID
- Subnet
- Hello/dead timers
- Authentication settings, if used
- Stub area settings, if used
- MTU compatibility in many real troubleshooting cases
OSPF Router ID Selection
Typical selection order:
- Manually configured router ID.
- Highest IPv4 address on an up loopback interface.
- Highest IPv4 address on an up non-loopback interface.
Changing the router ID may require restarting the OSPF process or adjacency for the new value to take effect.
OSPF Verification
| Need | Command |
|---|---|
| See neighbors | show ip ospf neighbor |
| See OSPF interfaces | show ip ospf interface brief |
| See OSPF routes | show ip route ospf |
| See OSPF process details | show ip ospf |
| See route table | show ip route |
OSPF Traps
- `network` statements enable OSPF on matching interfaces; they do not simply “advertise a network” in isolation.
- Wildcard masks are inverse masks, not subnet masks.
- Passive interfaces do not form neighbors.
- OSPF cost is not the same as administrative distance.
- If no neighbor forms, check Layer 1/2, addressing, area, timers, passive settings, and authentication.
Inter-VLAN Routing
Three Common Patterns
| Method | Description | Review point |
|---|---|---|
| Router-on-a-stick | Router subinterfaces on a trunk | Each subinterface maps to VLAN and gateway IP |
| Layer 3 switch SVIs | Switch virtual interfaces route between VLANs | Requires Layer 3 capability and routing enabled |
| Physical router interfaces | One router interface per VLAN | Simple but inefficient at scale |
Router-on-a-Stick Essentials
Each VLAN subinterface typically needs:
- Encapsulation with VLAN ID
- IP address in that VLAN subnet
- Trunk link to switch
- Host default gateway pointing to subinterface IP
Common trap: configuring host VLANs correctly but forgetting the switch-to-router trunk.
ACLs
ACL Logic
Access control lists evaluate traffic:
- Top to bottom.
- First match wins.
- If no statement matches, implicit deny applies.
Standard vs Extended ACLs
| ACL type | Matches on | Placement rule of thumb |
|---|---|---|
| Standard IPv4 ACL | Source IP only | Place near destination |
| Extended IPv4 ACL | Source, destination, protocol, ports | Place near source |
Wildcard Masks
Wildcard masks are inverse masks:
| Subnet mask | Wildcard mask |
|---|---|
| 255.255.255.255 | 0.0.0.0 |
| 255.255.255.0 | 0.0.0.255 |
| 255.255.255.128 | 0.0.0.127 |
| 255.255.255.192 | 0.0.0.63 |
| 255.255.0.0 | 0.0.255.255 |
ACL Direction
| Direction | Meaning |
|---|---|
| Inbound | Checked as packets enter the interface |
| Outbound | Checked as packets leave the interface |
ACL Traps
- Forgetting the implicit `deny any`.
- Applying the ACL in the wrong direction.
- Applying the ACL to the wrong interface.
- Blocking return traffic unintentionally.
- Using a standard ACL when protocol/port matching is required.
- Using subnet masks instead of wildcard masks.
- Placing a broad deny before a specific permit.
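ACL logic, wildcard masks and the ordering trap, as an added example that is not part of the review. It parses IOS-style entries (`permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443`, or a standard `permit 10.1.1.0 0.0.0.255`), evaluates packets top to bottom with first match wins and implicit deny, and shows the same entries in a good and a bad order. `ACL_GOOD`, `ACL_BAD` and the packets are constructed; the parser covers only the forms shown, not the full IOS ACL syntax.

```python
# Added example (not from the review): a small IOS-style ACL parser and evaluator.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def wildcard_from_mask(mask: str) -> str:
    """Wildcard (inverse) mask: each octet is 255 minus the subnet-mask octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def wildcard_match(addr: str, reference: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(reference)) & care)


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D wildcard' or a bare 'A.B.C.D'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1          # bare address: wildcard 0.0.0.0


def parse_ace(line: str) -> Ace:
    """Extended form: 'permit tcp <src> <dst> [eq port]'; standard form: 'permit <src>'."""
    t = line.split()
    action = t[0]
    if t[1] in PROTOCOLS:
        proto = t[1]
        src, src_wc, i = _addr_spec(t, 2)
        dst, dst_wc, i = _addr_spec(t, i)
    else:                                        # standard ACL: source only
        proto = "ip"
        src, src_wc, i = _addr_spec(t, 1)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, port)


def build_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins. Returns (action, index of the matching
    entry); index None means the implicit deny at the end was reached."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, index
    return "deny", None


# Constructed ACLs: same three entries, the specific permit first vs. after a broad deny.
ACL_GOOD = [
    "permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443",
    "deny ip 10.1.1.0 0.0.0.255 any",
    "permit ip any any",
]
ACL_BAD = [
    "deny ip 10.1.1.0 0.0.0.255 any",
    "permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443",   # never reached
    "permit ip any any",
]

if __name__ == "__main__":
    pkt = Packet("tcp", "10.1.1.5", "10.2.2.10", 443)
    print("good order:", evaluate(build_acl(ACL_GOOD), pkt))
    print("bad order: ", evaluate(build_acl(ACL_BAD), pkt))
```

Direction and interface are not modelled here because they are properties of where the ACL is applied, not of the list itself; the evaluator answers only the question "which entry matches this packet", which is the part candidates most often get wrong on ordering.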
NAT and PAT
NAT Types
| Type | Meaning | Common use |
|---|---|---|
| Static NAT | One inside local maps to one inside global | Publish a specific internal host |
| Dynamic NAT | Pool of public addresses maps internal hosts | Less common than PAT in small networks |
| PAT/overload | Many inside hosts share one/few public IPs using ports | Internet access for many clients |
NAT Terms
| Term | Meaning |
|---|---|
| Inside local | Private/internal address before translation |
| Inside global | Public/translated address representing internal host |
| Outside global | Address of external host as globally routed |
| Outside local | How external host appears to inside network, if translated |
NAT/PAT Troubleshooting Checklist
- Is the inside interface marked `ip nat inside`?
- Is the outside interface marked `ip nat outside`?
- Does the ACL match the internal source addresses to translate?
- Is the NAT rule correct?
- Is routing correct in both directions?
- Does the return path know how to reach the translated address?
- Are translations being created? Check `show ip nat translations`.
NAT Traps
- NAT does not replace routing; both must work.
- NAT ACLs usually match the inside local source addresses.
- Direction matters: inside and outside interfaces must be correct.
- PAT uses transport-layer port numbers to multiplex many sessions.
- Static NAT is not the same as port forwarding, though related configurations can publish internal services.
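A small PAT/overload model that makes the NAT terms and the checklist concrete: the NAT ACL matching inside local sources, port numbers multiplexing many hosts behind one inside global address, and return traffic only succeeding when a translation entry exists. This is an added example, not from the review. The inside network 10.1.1.0/24 and inside global address 203.0.113.2 are constructed; keeping the original source port when it is free and otherwise allocating a new one is this model's behaviour and is only meant to mirror the general idea, not any specific IOS implementation detail.

```python
# Added example (not from the review): a constructed PAT/overload translation table.
import ipaddress
from typing import Dict, List, Optional, Tuple


class PatTable:
    def __init__(self, inside_source_acl: str, inside_global: str) -> None:
        # The NAT ACL names the inside local sources to translate (a single CIDR here).
        self.inside_source = ipaddress.ip_network(inside_source_acl)
        self.inside_global = inside_global
        self.next_port = 1024
        self.translations: Dict[int, Tuple[str, int]] = {}   # global port -> (inside local, port)
        self.reverse: Dict[Tuple[str, int], int] = {}        # (inside local, port) -> global port

    def _alloc_port(self) -> int:
        while self.next_port in self.translations:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, inside_local: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Packet leaving via the 'ip nat outside' interface. Returns the
        (inside global, global port) pair, or None when the NAT ACL does not
        match the source and the packet is forwarded untranslated."""
        if ipaddress.ip_address(inside_local) not in self.inside_source:
            return None
        key = (inside_local, local_port)
        if key not in self.reverse:
            # Model choice: keep the original port if no other host holds it,
            # otherwise allocate a new global port so the two sessions stay distinct.
            port = local_port if local_port not in self.translations else self._alloc_port()
            self.translations[port] = key
            self.reverse[key] = port
        return self.inside_global, self.reverse[key]

    def inbound(self, global_port: int) -> Optional[Tuple[str, int]]:
        """Return traffic arriving on the outside interface addressed to the
        inside global address; None means no entry exists and it is dropped."""
        return self.translations.get(global_port)

    def show(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': inside global / inside local."""
        return ["%s:%d -> %s:%d" % (self.inside_global, gport, local, lport)
                for gport, (local, lport) in sorted(self.translations.items())]


if __name__ == "__main__":
    pat = PatTable("10.1.1.0/24", "203.0.113.2")
    print(pat.outbound("10.1.1.10", 50000))   # original port kept
    print(pat.outbound("10.1.1.11", 50000))   # collision: new global port
    print("\n".join(pat.show()))
```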
DHCP, DNS, NTP, Syslog, and SNMP
IP Services Summary
| Service | Purpose | Common exam angle |
|---|---|---|
| DHCP | Dynamically assigns IP settings | Pools, exclusions, default gateway, DNS, relay |
| DNS | Resolves names to addresses | Client/server lookup behavior |
| NTP | Synchronizes time | Accurate logs, certificates, troubleshooting |
| Syslog | Sends/stores log messages | Severity levels and central logging |
| SNMP | Network monitoring/management | Polling, traps, community/credentials concepts |
| TFTP/FTP/SCP | File transfer | IOS images, configs, backups |
| SSH | Secure management | Preferred over Telnet |
DHCP Process
A basic IPv4 DHCP exchange is often remembered as DORA:
| Step | Message | Direction |
|---|---|---|
| 1 | Discover | Client broadcasts |
| 2 | Offer | Server offers settings |
| 3 | Request | Client requests offered address |
| 4 | Acknowledge | Server confirms lease |
DHCP Relay
If the DHCP server is not in the client VLAN, the router or Layer 3 interface needs relay behavior, commonly configured with ip helper-address.
Common trap: DHCP broadcasts do not cross routers by default.
Syslog Severity
| Severity | Name |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notification |
| 6 | Informational |
| 7 | Debugging |
Lower number means more severe.
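The severity table in use: a parser for the `%FACILITY-SEVERITY-MNEMONIC:` form of IOS log messages and a filter that keeps messages at a given level or more severe, the way a `logging trap <level>` threshold does. This is an added example, not from the review. The log lines are constructed samples written in the style of IOS output, not a real capture, and the mnemonics are used only as illustrative values.

```python
# Added example (not from the review): parse IOS-style syslog lines and filter
# by severity, where a lower number is more severe.
import re
from typing import Dict, List, Optional

SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging",
}

# Constructed sample lines in the style of IOS messages (not a real capture).
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:35.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:13:02.210: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "*Mar  1 00:14:10.442: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.",
    "*Mar  1 00:15:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]",
    "Building configuration...",   # not a syslog message; the parser must skip it
]

_MESSAGE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def parse_ios_log(line: str) -> Optional[Dict[str, object]]:
    """Return facility, severity (int), severity_name, mnemonic and text, or None."""
    match = _MESSAGE.search(line)
    if match is None:
        return None
    event: Dict[str, object] = dict(match.groupdict())
    event["severity"] = int(match.group("severity"))
    event["severity_name"] = SEVERITY_NAMES[int(match.group("severity"))]
    return event


def messages_at_or_above(lines: List[str], trap_level: int) -> List[Dict[str, object]]:
    """Keep messages at trap_level or more severe (numerically lower), like
    'logging trap <level>' on the sending device."""
    events = (parse_ios_log(line) for line in lines)
    return [e for e in events if e is not None and int(e["severity"]) <= trap_level]


def most_severe(lines: List[str]) -> Optional[Dict[str, object]]:
    events = [e for e in (parse_ios_log(line) for line in lines) if e is not None]
    return min(events, key=lambda e: int(e["severity"])) if events else None


if __name__ == "__main__":
    for event in messages_at_or_above(SAMPLE_LOG, 4):
        print(event["severity"], event["severity_name"], event["facility"], event["mnemonic"])
```

Lowering the threshold from 4 to 2 keeps only the port-security violation, which is the point of the "lower number means more severe" rule: a trap level of 4 means warnings and everything worse, not level 4 alone.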
Device Management and Hardening
Secure Management Basics
| Goal | Better choice |
|---|---|
| Remote CLI | SSH instead of Telnet |
| Local account | Username with secret |
| Privileged mode protection | enable secret |
| Password storage | Avoid plain-text where possible |
| Unused ports | Shut down or restrict |
| Management access | Limit with ACLs and secure protocols |
| Time accuracy | NTP |
| Audit trail | Syslog and AAA where appropriate |
Management Plane Traps
- An SVI needs the VLAN to exist and have an active Layer 2 port in that VLAN to come up in many switch scenarios.
- A default gateway is needed on a Layer 2 switch for management traffic outside the local subnet.
- Telnet is insecure because it sends traffic in clear text.
- SSH requires appropriate hostname/domain/key/user configuration depending on platform and configuration style.
Layer 2 Security
Port Security
Port security can restrict MAC addresses on an access port.
| Feature | Review point |
|---|---|
| Static secure MAC | Manually configured |
| Dynamic secure MAC | Learned until aging/reload depending on config |
| Sticky MAC | Dynamically learned and added to running config |
| Violation modes | Protect, restrict, shutdown |
Violation Modes
| Mode | Drops violating traffic | Logs/counts violation | Err-disables port |
|---|---|---|---|
| Protect | Yes | No or limited | No |
| Restrict | Yes | Yes | No |
| Shutdown | Yes | Yes | Yes |
DHCP Snooping and Dynamic ARP Inspection
| Feature | Protects against | Key idea |
|---|---|---|
| DHCP snooping | Rogue DHCP servers | Trust uplinks/server-facing ports; untrust access ports |
| Dynamic ARP Inspection | ARP spoofing/poisoning | Uses trusted bindings, often from DHCP snooping |
| IP Source Guard | IP/MAC spoofing | Uses binding information to filter |
Layer 2 Security Traps
- Do not trust user-facing access ports for DHCP snooping.
- DAI depends on accurate binding information.
- Port security is usually applied to access ports, not trunks.
- Shutdown violation mode may require manual recovery or errdisable recovery.
- Security features can break connectivity if trust boundaries are wrong.
Wireless Review
Wireless Architecture
| Component | Role |
|---|---|
| AP | Provides wireless client access |
| WLC | Centrally manages lightweight APs and WLAN policy |
| SSID | Wireless network name |
| BSSID | MAC address associated with a radio/AP for a WLAN |
| WLAN | Logical wireless network configuration |
| CAPWAP | Common AP-to-controller control/data tunneling concept |
Wireless Bands and Channels
| Band | General traits |
|---|---|
| 2.4 GHz | Longer range, fewer non-overlapping channels, more interference |
| 5 GHz | More channels, less crowded, shorter range than 2.4 GHz in many environments |
| 6 GHz | More spectrum in supported environments and devices |
Wireless Security Concepts
| Term | Review point |
|---|---|
| WPA2/WPA3 | Wireless security standards |
| PSK | Shared passphrase model |
| Enterprise authentication | Uses centralized authentication, commonly 802.1X/EAP concepts |
| Open network | No encryption/authentication by default |
| Guest WLAN | Usually isolated and controlled |
Wireless Traps
- SSID is not the same as BSSID.
- A WLC manages AP policy; it is not simply a wireless router.
- Channel overlap and interference can cause poor performance even when signal is visible.
- Strong authentication and encryption are different from simply hiding an SSID.
- Roaming requires compatible WLAN configuration across AP coverage areas.
QoS Fundamentals
Why QoS Matters
QoS prioritizes or manages traffic when congestion occurs. It cannot create bandwidth that does not exist, but it can decide which traffic is delayed, dropped, shaped, or prioritized.
QoS Terms
| Term | Meaning |
|---|---|
| Classification | Identify traffic type |
| Marking | Set a QoS value such as DSCP or CoS |
| Queuing | Decide order of transmission during congestion |
| Policing | Enforce rate by dropping or remarking excess traffic |
| Shaping | Buffer and delay traffic to smooth rate |
| Trust boundary | Point where markings are accepted or reset |
QoS Traps
- QoS is most visible during congestion.
- Marking alone does not prioritize traffic unless devices act on the marking.
- Policing can drop traffic; shaping delays traffic.
- Voice and video are sensitive to delay, jitter, and loss.
Security Fundamentals
Authentication, Authorization, Accounting
| AAA function | Meaning |
|---|---|
| Authentication | Who are you? |
| Authorization | What are you allowed to do? |
| Accounting | What did you do? |
Common Security Concepts
| Concept | Review point |
|---|---|
| Least privilege | Give only required access |
| Defense in depth | Multiple layers of protection |
| VPN | Encrypted tunnel across untrusted networks |
| Site-to-site VPN | Connects networks |
| Remote-access VPN | Connects individual users |
| Firewall | Enforces security policy between zones/networks |
| IPS | Detects and may block malicious activity |
| Endpoint security | Protects hosts, not just the network |
ACL vs Firewall
| Feature | ACL | Firewall |
|---|---|---|
| State awareness | Often stateless in basic router ACLs | Often stateful |
| Policy depth | Basic matching | Deeper application/session controls |
| Typical CCNA focus | Permit/deny logic, placement, direction | Conceptual role and traffic control |
Automation, Controllers, APIs, and Data Formats
Traditional vs Controller-Based Networking
| Traditional model | Controller-based model |
|---|---|
| Device-by-device configuration | Centralized intent/policy/control |
| Manual CLI focus | APIs, templates, automation |
| Distributed management | Controller provides visibility and orchestration |
| Human-driven changes | Programmatic workflows possible |
SDN Concepts
| Plane | Role |
|---|---|
| Data plane | Forwards user traffic |
| Control plane | Makes forwarding decisions |
| Management plane | Configuration, monitoring, administration |
In software-defined or controller-based designs, control and management functions may be more centralized, while devices still forward traffic in the data plane.
APIs and Data Encoding
| Concept | Review point |
|---|---|
| REST API | Uses HTTP-style operations to interact with resources |
| GET | Retrieve information |
| POST | Create or submit data |
| PUT/PATCH | Replace or modify data depending on API design |
| DELETE | Remove a resource |
| JSON | Common structured data format |
| Key-value pair | Basic JSON structure |
| NETCONF | Network configuration protocol often associated with YANG models |
| RESTCONF | REST-like access to YANG-modeled data |
| YANG | Data modeling language |
JSON Example Recognition
Key features:
- Objects use braces.
- Arrays use brackets.
- Strings use quotes.
- Data is commonly represented as key-value pairs.
Example shape:
{"interface":"GigabitEthernet0/1","status":"up","vlan":10}
AI/ML in Network Operations
For CCNA-level review, focus on practical concepts:
| Concept | Network operations use |
|---|---|
| Analytics | Identify trends, anomalies, and capacity patterns |
| Machine learning | Detect patterns from data rather than fixed manual rules only |
| AI-assisted operations | Help with troubleshooting, recommendations, and event correlation |
| Telemetry | Continuous structured data collection from devices |
| Intent-based networking | Translate business/network intent into automated policy and validation |
Automation Traps
- Automation does not remove the need to understand routing, switching, and security fundamentals.
- JSON is a data format, not a transport protocol.
- An API is an interface for software interaction, not automatically a complete automation system.
- Controllers centralize management and policy, but devices still forward traffic.
- AI/ML outputs should be validated; they support operations rather than magically replacing design and troubleshooting.
Troubleshooting Workflow
Use a layered, evidence-driven approach instead of changing random settings.
flowchart TD
A[Problem reported] --> B[Define scope]
B --> C{One user or many?}
C -->|One user| D[Check host IP, mask, gateway, DNS, cable/Wi-Fi]
C -->|Many users| E[Check VLAN, trunk, gateway, routing, services]
D --> F{Can ping gateway?}
E --> F
F -->|No| G[Focus on Layer 1/2, VLAN, local subnet]
F -->|Yes| H{Can reach remote IP?}
H -->|No| I[Check routing, ACLs, NAT, upstream path]
H -->|Yes| J{Can reach by name?}
J -->|No| K[Check DNS]
J -->|Yes| L[Check application/server policy]
Troubleshooting Commands to Recognize
| Need | Command |
|---|---|
| Interface summary | show ip interface brief |
| Interface details | show interfaces |
| Switchport mode/VLAN | show interfaces switchport |
| VLAN list | show vlan brief |
| Trunks | show interfaces trunk |
| MAC table | show mac address-table |
| ARP table | show ip arp |
| Routing table | show ip route |
| CDP neighbors | show cdp neighbors |
| LLDP neighbors | show lldp neighbors |
| OSPF neighbors | show ip ospf neighbor |
| NAT translations | show ip nat translations |
| ACLs | show access-lists |
| Running config | show running-config |
Common Question Patterns and How to Answer Them
“Host Cannot Reach Remote Network”
Check in this order:
- Host IP address, subnet mask, default gateway.
- VLAN assignment and access port status.
- Trunk status and allowed VLANs.
- Default gateway interface/SVI/subinterface status.
- Routing table on Layer 3 devices.
- ACLs in both directions.
- NAT if crossing to outside networks.
- DNS only if IP connectivity works but names fail.
“Two Switches Connected but VLAN Traffic Fails”
Likely causes:
- Link is access instead of trunk.
- VLAN missing from allowed trunk list.
- VLAN not created.
- Native VLAN mismatch.
- STP blocking expected forwarding path.
- EtherChannel inconsistency.
- Wrong access VLAN on endpoint-facing port.
“OSPF Neighbor Does Not Form”
Check:
- Interfaces up/up.
- Same subnet.
- Same area.
- Matching timers.
- Not passive.
- Correct wildcard/network command or interface OSPF activation.
- Authentication compatibility if configured.
- MTU or network type issues if symptoms suggest adjacency stuck.
“ACL Does Not Work as Expected”
Check:
- Correct ACL type.
- Correct source/destination addresses.
- Correct wildcard masks.
- Correct protocol and port.
- Correct statement order.
- Correct interface.
- Correct direction.
- Implicit deny.
- Return traffic requirements.
“NAT Is Configured but Internet Access Fails”
Check:
- Inside/outside interface markings.
- NAT ACL matches inside local addresses.
- Overload keyword for PAT when needed.
- Default route toward ISP/upstream.
- Return route from upstream.
- ACL/firewall filtering.
- Translation table.
Fast Decision Rules
| If you see… | Think… |
|---|---|
| Same VLAN, same subnet, no gateway needed | Switching/ARP problem likely |
| Different subnet | Default gateway and routing required |
| Can ping IP but not hostname | DNS problem likely |
| Can ping gateway but not remote | Routing, ACL, NAT, or upstream issue |
| Trunk up but one VLAN fails | Allowed VLAN, VLAN existence, STP, or native mismatch |
| OSPF route missing | Neighbor, network statement, passive interface, or route filtering/design issue |
| Static backup route active too early | Administrative distance too low |
| ACL permits still fail | Earlier deny or wrong direction/interface |
| DHCP fails across router | Missing relay/helper or server reachability |
| SSH fails but ping works | VTY, credentials, domain/key, ACL, or transport input issue |
Candidate Mistakes That Cost Easy Points
- Not reading whether the question asks for source or destination.
- Ignoring whether traffic is entering or leaving an interface.
- Choosing a route by AD before checking longest prefix.
- Treating VLANs as if they route automatically.
- Forgetting the default gateway on hosts or Layer 2 switch management.
- Using subnet masks where wildcard masks are required.
- Confusing `show vlan brief` with `show interfaces trunk`.
- Assuming an interface is working without checking `up/up`.
- Forgetting that STP blocking can be correct behavior.
- Memorizing automation terms without knowing which are protocols, data models, formats, or controllers.
Last-Minute Review Checklist
Before you start full mock exams, make sure you can do these without notes:
Subnetting
- Find network, broadcast, and usable range.
- Calculate usable hosts.
- Identify overlapping subnets.
- Choose the smallest subnet that fits a host requirement.
- Compare prefixes for longest-prefix match.
Switching
- Identify access vs trunk port needs.
- Interpret VLAN and trunk outputs.
- Explain native VLAN behavior.
- Predict basic STP root/port roles.
- Recognize EtherChannel mode compatibility.
Routing
- Read a routing table.
- Choose best route using prefix, AD, and metric.
- Configure/recognize static and default routes.
- Explain OSPF neighbor basics.
- Troubleshoot missing routes.
Services and Security
- Apply ACL direction and placement logic.
- Recognize NAT inside/outside and PAT overload behavior.
- Explain DHCP relay.
- Know why NTP, syslog, and SNMP matter.
- Distinguish SSH from Telnet.
- Recognize Layer 2 security features and trust boundaries.
Wireless and Automation
- Distinguish AP, WLC, SSID, BSSID, and WLAN.
- Know basic wireless security modes.
- Explain controller-based networking.
- Recognize JSON structure.
- Match REST methods to basic CRUD-style operations.
- Understand telemetry, analytics, and AI/ML at a network-operations level.
Practice Plan After This Review
Use this Quick Review as a launch point for IT Mastery practice:
- Start with topic drills for subnetting, VLANs/trunks, routing tables, OSPF, ACLs, and NAT.
- Review every missed item with detailed explanations, especially when your error was direction, order, or layer confusion.
- Move to mixed original practice questions once individual topics are stable.
- Use full mock exams to build timing, endurance, and question-reading discipline.
- Revisit this page after each mock exam and mark the sections where mistakes repeat.
Practical next step: begin with a focused question bank session on your weakest two topics, then review the detailed explanations until you can explain why each wrong answer is wrong.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official Cisco questions, copied live-exam content, or exam dumps.