CCNA Cheatsheet Cheatsheet

🌐

CCNA 200-301 — Exam Overview

FOUNDATION

Exam At A Glance

Exam code200-301

ProviderCisco Systems

Cost$300 USD (+ taxes)

Duration120 minutes

Questions~100 (multiple choice, drag-and-drop, simulations)

Passing score~825 / 1000 (scaled, subject to change)

Validity3 years

RenewalRetake exam OR earn continuing education credits

Recommended experience1+ year implementing & administering Cisco solutions

DeliveryPearson VUE (test center or online proctored)

Exam Domains & Weights

Domain	Weight	Key Topics
1. Network Fundamentals	20%	OSI & TCP/IP models, IPv4/IPv6 addressing, Wi-Fi, Cisco DNA Center, QoS concepts, basic automation
2. Network Access	20%	VLANs, trunking, STP, EtherChannel, wireless (WLC, LWAP, WLAN), DHCP, ARP
3. IP Connectivity	25%	IPv4/IPv6 addressing & subnetting, routing concepts, OSPFv2, static routing, first hop redundancy
4. IP Services	10%	NAT, NTP, DNS, DHCP, SNMP, Syslog, NetFlow, device management (SSH, HTTPS, TFTP, SCP)
5. Security Fundamentals	15%	VPN, port security, ACL, 802.1X, Wi-Fi security (WPA3), device hardening
6. Automation & Programmability	10%	REST APIs, JSON, YANG/NETCONF, SDN, Puppet/Chef/Ansible, network programmability

💡

CCNA 200-301 replaces the old CCNA Routing & Switching (200-125). The new exam is broader — it covers wireless, security, and automation in addition to traditional routing & switching. You no longer need to choose a specialization track. One exam covers everything.

📐

OSI & TCP/IP Models

DOMAIN 1

OSI Model (7 Layers)

Layer	Name	PDU	Key Protocols & Devices
7	Application	Data	HTTP, FTP, SMTP, DNS, SSH, Telnet, SNMP, DHCP
6	Presentation	Data	SSL/TLS, JPEG, ASCII, encryption, compression
5	Session	Data	NetBIOS, RPC, PPTP, session management
4	Transport	Segment (TCP) / Datagram (UDP)	TCP (port 80, 443, 22, 21, 53), UDP (port 53, 67/68, 69, 123)
3	Network	Packet	IP, ICMP, ARP, OSPF, IPv4, IPv6 — Routers
2	Data Link	Frame	Ethernet (802.3), 802.1Q, STP, CDP, PPP — Switches
1	Physical	Bits	Cables (UTP Cat5e/6, fiber), hubs, repeaters, NICs

TCP/IP Model (4 Layers)

Layer	Name	OSI Equivalent	Key Protocols
4	Application	Layers 5-7	HTTP, DNS, SSH, SMTP, FTP, DHCP, SNMP, Telnet
3	Transport	Layer 4	TCP (reliable, 3-way handshake), UDP (fast, no guarantee)
2	Internet	Layer 3	IP, ICMP (ping), ARP, OSPF, IPv4, IPv6
1	Network Access	Layers 1-2	Ethernet, Wi-Fi (802.11), MAC addresses, CSMA/CD

TCP vs UDP Comparison

Feature	TCP	UDP
Connection	Connection-oriented (3-way handshake)	Connectionless
Reliability	Guaranteed delivery (ACKs, retransmission)	Best effort delivery
Ordering	Sequenced delivery	No ordering
Flow control	Sliding window	None
Speed	Slower (overhead)	Faster (minimal overhead)
Header size	20-60 bytes	8 bytes
Use cases	HTTP, SSH, FTP, SMTP, Telnet	DNS queries, DHCP, TFTP, VoIP, streaming
Common ports	80 (HTTP), 443 (HTTPS), 22 (SSH), 21 (FTP)	53 (DNS), 67/68 (DHCP), 69 (TFTP), 123 (NTP)

Common Well-Known Ports

Port	Protocol	Transport	Description
20 / 21	FTP (data / control)	TCP	File Transfer Protocol
22	SSH	TCP	Secure Shell (encrypted remote access)
23	Telnet	TCP	Unencrypted remote access (legacy)
25	SMTP	TCP	Simple Mail Transfer Protocol
53	DNS	TCP/UDP	Domain Name System
67 / 68	DHCP	UDP	Dynamic Host Configuration Protocol (server/client)
69	TFTP	UDP	Trivial File Transfer Protocol
80	HTTP	TCP	Hypertext Transfer Protocol
110	POP3	TCP	Post Office Protocol v3 (email retrieval)
123	NTP	UDP	Network Time Protocol
161 / 162	SNMP	UDP	Simple Network Management Protocol (agent/trap)
443	HTTPS	TCP	HTTP Secure (TLS/SSL)
514	Syslog	UDP	System logging

⚠️

Mnemonic for OSI layers (top to bottom): All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical). Remember: routers operate at Layer 3, switches at Layer 2, hubs at Layer 1, and firewalls can operate at multiple layers (L3-L7).

🔢

IPv4 & IPv6 Addressing

DOMAIN 1 & 3

IPv4 Address Classes

Class	Range	Default Mask	Networks	Hosts per Network	Use
A	1.0.0.0 – 126.255.255.255	/8 (255.0.0.0)	126	16,777,214	Very large networks
B	128.0.0.0 – 191.255.255.255	/16 (255.255.0.0)	16,384	65,534	Medium/large networks
C	192.0.0.0 – 223.255.255.255	/24 (255.255.255.0)	2,097,152	254	Small networks
D	224.0.0.0 – 239.255.255.255	N/A	N/A	N/A	Multicast
E	240.0.0.0 – 255.255.255.255	N/A	N/A	N/A	Reserved / experimental

Special IPv4 Addresses

Address	Description	Use Case
0.0.0.0	Default route / unspecified	Used as default gateway in routing tables
127.0.0.1	Loopback	Localhost testing, "this host"
169.254.0.0/16	Link-local (APIPA)	Auto-assigned when DHCP fails
224.0.0.0 – 239.255.255.255	Multicast	One-to-many delivery
255.255.255.255	Limited broadcast	All hosts on the local network segment
10.0.0.0/8	Private (Class A)	Internal networks (NAT to Internet)
172.16.0.0/12	Private (Class B)	Internal networks (NAT to Internet)
192.168.0.0/16	Private (Class C)	Internal networks / home routers (NAT to Internet)

Subnetting Cheat Sheet

CIDR	Subnet Mask	Binary	Subnets (/24)	Hosts
/8	255.0.0.0	11111111.00000000.00000000.00000000	—	16,777,214
/16	255.255.0.0	11111111.11111111.00000000.00000000	—	65,534
/24	255.255.255.0	11111111.11111111.11111111.00000000	1	254
/25	255.255.255.128	11111111.11111111.11111111.10000000	2	126
/26	255.255.255.192	11111111.11111111.11111111.11000000	4	62
/27	255.255.255.224	11111111.11111111.11111111.11100000	8	30
/28	255.255.255.240	11111111.11111111.11111111.11110000	16	14
/29	255.255.255.248	11111111.11111111.11111111.11111000	32	6
/30	255.255.255.252	11111111.11111111.11111111.11111100	64	2
/31	255.255.255.254	11111111.11111111.11111111.11111110	128	2 (point-to-point)
/32	255.255.255.255	11111111.11111111.11111111.11111111	256	1 (host route)

IPv6 Fundamentals

Feature	Details
Address length	128 bits (vs 32 bits in IPv4)
Notation	8 groups of 4 hex digits, separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Shorthand	Leading zeros per group can be omitted; one consecutive all-zero group can be written as :: (e.g., 2001:db8::1)
Address space	2^128 ≈ 3.4 × 10^38 addresses (effectively unlimited)
Prefix	/64 is standard for a subnet, /128 is a single host
Types	Global unicast (2000::/3), Link-local (fe80::/10), Unique local (fc00::/7), Multicast (ff00::/8)
Loopback	::1 (equivalent to 127.0.0.1)
Auto-configuration	SLAAC ( Stateless Address Autoconfiguration) uses EUI-64 or random IID
No broadcast	IPv6 uses multicast instead of broadcast
No NAT (ideally)	Every device can have a globally routable address
Transition	Dual-stack (run IPv4 + IPv6 simultaneously), tunneling, NAT64/DNS64

subnetting-examples.txt

╔══════════════════════════════════════════════════════════════╗
║            SUBNETTING QUICK CALCULATION METHOD                 ║
╠══════════════════════════════════════════════════════════════╣
║                                                               ║
║  Given: 192.168.1.0/27                                       ║
║                                                               ║
║  Step 1: Find the block size                                  ║
║    256 - 224 = 32 (block size = 2^(8-27%8) = 2^5 = 32)      ║
║                                                               ║
║  Step 2: Find network, first usable, last usable, broadcast   ║
║    Subnet 0: 192.168.1.0    (network)                         ║
║              192.168.1.1    (first usable)                    ║
║              192.168.1.30   (last usable)                     ║
║              192.168.1.31   (broadcast)                       ║
║    Subnet 1: 192.168.1.32   (network)                         ║
║              192.168.1.33   (first usable)                    ║
║              192.168.1.62   (last usable)                     ║
║              192.168.1.63   (broadcast)                       ║
║                                                               ║
║  Step 3: Number of subnets = 2^(borrowed bits) = 2^3 = 8    ║
║  Step 4: Usable hosts per subnet = 2^(host bits) - 2         ║
║           = 2^5 - 2 = 30 hosts                                ║
║                                                               ║
║  ──────────────────────────────────────────────────────────── ║
║  Shortcut for /25 to /30:                                     ║
║    /25 → 128, /26 → 64, /27 → 32, /28 → 16,                ║
║    /29 → 8,  /30 → 4                                         ║
║    Block size = 256 - mask octet value                         ║
╚══════════════════════════════════════════════════════════════╝

🚫

Subnetting is the #1 skill tested on CCNA. You must be able to subnet quickly — no calculator allowed. Practice until you can determine network address, broadcast address, usable host range, and number of subnets/hosts within 30 seconds for any given CIDR.

🔀

VLANs & Trunking

DOMAIN 2

VLAN Concepts

Concept	Details
Definition	Virtual LAN — logically separate broadcast domains on a single physical switch
Default VLAN	VLAN 1 (all switch ports are in VLAN 1 by default)
Native VLAN	Untagged traffic on a trunk port (default VLAN 1, should be changed for security)
Range	Normal: 1-1005 (stored in VLAN.dat), Extended: 1006-4094 (VTP version 3)
VLAN 0	Reserved (priority tagging in 802.1Q)
VLAN 1002-1005	Reserved for Token Ring and FDDI (legacy)
Management VLAN	Separate VLAN for switch management access (SSH, SNMP, etc.)
Voice VLAN	Dedicated VLAN for IP phones, separated from data VLAN
Benefits	Security (isolation), reduced broadcast domain, flexibility, easier management

802.1Q Trunking

Feature	Details
Standard	IEEE 802.1Q (open standard, 4-byte tag inserted in frame)
ISL	Cisco proprietary (Inter-Switch Link) — legacy, no longer on CCNA
Native VLAN	Frames on the native VLAN are sent untagged over a trunk
Allowed VLANs	Restrict which VLANs can traverse a trunk (port security)
DTP	Dynamic Trunking Protocol — auto-negotiates trunking (on, desirable, auto, nonegotiate)

vlan-configuration.txt

# ── VLAN Configuration ──

# Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# vlan 99
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# exit

# Assign access ports to VLANs
Switch(config)# interface range fa0/1 - 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10

Switch(config)# interface range fa0/11 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20

# Configure trunk port
Switch(config)# interface gi0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,99

# Verify VLANs and trunks
Switch# show vlan brief
Switch# show interfaces trunk
Switch# show interfaces gi0/1 switchport

# ── Voice VLAN Configuration ──
Switch(config)# interface fa0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# mls qos trust cos
Switch(config-if)# switchport voice vlan 50

💡

Always change the native VLAN from the default VLAN 1 to an unused VLAN (e.g., VLAN 99 or 999). This prevents VLAN hopping attacks where an attacker sends tagged frames on the native VLAN to gain access to other VLANs. Make sure both ends of the trunk use the same native VLAN.

🌳

Spanning Tree Protocol (STP)

DOMAIN 2

STP Fundamentals

Concept	Details
Purpose	Prevent Layer 2 loops in redundant switched networks
IEEE Standard	802.1D (original STP), 802.1w (Rapid STP), 802.1s (Multiple STP)
BPDU	Bridge Protocol Data Unit — exchanged between switches every 2 seconds
Root Bridge	Switch with the LOWEST Bridge ID (priority + MAC address)
Port Roles	Root port (closest to root), Designated port (forwarding), Non-designated/Blocked (preventing loops)
Port States	Blocking → Listening → Learning → Forwarding (or Disabled)
Convergence	Original STP: 30-50 seconds; Rapid PVST+: sub-second
Default priority	32768 (lower is better; values must be multiples of 4096)

STP Variants

Protocol	Standard	Features	Convergence
STP (802.1D)	IEEE 802.1D	Single instance, slow convergence	30-50 seconds
PVST+ (Per-VLAN STP+)	Cisco	Separate STP instance per VLAN	30-50 seconds
RSTP (802.1w)	IEEE 802.1w	Rapid transition to forwarding, edge ports	1-10 seconds
Rapid PVST+	Cisco	RSTP per VLAN (default on modern Cisco switches)	Sub-second
MSTP (802.1s)	IEEE 802.1s	Map multiple VLANs to one STP instance	1-10 seconds

stp-configuration.txt

# ── STP Configuration ──

# Set primary root bridge for VLAN 10
Switch(config)# spanning-tree vlan 10 root primary
# (Sets priority to 24576 — automatically lower than current root)

# Set secondary root bridge (backup)
Switch(config)# spanning-tree vlan 10 root secondary
# (Sets priority to 28672)

# Manually set bridge priority
Switch(config)# spanning-tree vlan 10 priority 4096

# Enable Rapid PVST+ (default on most switches)
Switch(config)# spanning-tree mode rapid-pvst

# Configure PortFast (edge port — for end devices only!)
Switch(config)# interface fa0/1
Switch(config-if)# spanning-tree portfast

# Enable BPDU Guard on PortFast edge ports
Switch(config)# interface fa0/1
Switch(config-if)# spanning-tree bpduguard enable

# Verify STP
Switch# show spanning-tree
Switch# show spanning-tree vlan 10
Switch# show spanning-tree root
Switch# show spanning-tree detail

🚫

NEVER enable PortFast on trunk ports or ports connecting to other switches! PortFast skips the Listening and Learning states and goes directly to Forwarding — this creates loops. Only use PortFast on ports connected to end devices (PCs, printers, IP phones). Always pair PortFast with BPDU Guard.

🗺️

IP Routing — Static & OSPF

DOMAIN 3

Static Routing

Command	Description
ip route 192.168.2.0 255.255.255.0 10.0.0.2	Static route via next-hop IP
ip route 192.168.2.0 255.255.255.0 gi0/0	Static route via exit interface (only for point-to-point)
ip route 0.0.0.0 0.0.0.0 10.0.0.1	Default route (gateway of last resort)
ip route 192.168.2.0 255.255.255.0 10.0.0.2 150	Floating static route (AD = 150, backup)

Administrative Distance (AD)

Route Source	AD	Notes
Connected interface	0	Most trusted — directly attached network
Static route	1	Manually configured
EIGRP (summary)	5	Cisco proprietary (not on CCNA 200-301)
EBGP	20	External BGP
EIGRP (internal)	90	Cisco proprietary
OSPF	110	Open standard — most common on CCNA
IS-IS	115	Intermediate System to Intermediate System
RIP	120	Distance vector (legacy)
EIGRP (external)	170	Cisco proprietary
IBGP	200	Internal BGP
Unknown	255	Never used (route is unreachable)

routing-configuration.txt

# ── Static Routing ──
R1(config)# ip route 10.0.1.0 255.255.255.0 10.0.0.2
R1(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1    # Default route
R1(config)# ip route 10.0.1.0 255.255.255.0 gi0/1 210  # Floating (AD=210)

# ── OSPFv2 Single-Area Configuration ──
R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 10.0.0.0 0.0.0.3 area 0    # Wildcard mask!
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# passive-interface gi0/1              # Don't send OSPF hellos out this interface

# ── OSPFv2 with Interface-Level Config (modern method) ──
R1(config)# interface gi0/0
R1(config-if)# ip address 10.0.0.1 255.255.255.252
R1(config-if)# ip ospf 1 area 0
R1(config-if)# ip ospf cost 10                          # Manually set OSPF cost

# ── OSPF Verification ──
R1# show ip ospf neighbor
R1# show ip ospf interface brief
R1# show ip route ospf
R1# show ip ospf database
R1# show ip ospf

OSPF Key Concepts

Concept	Details
Type	Link-state routing protocol (uses Dijkstra SPF algorithm)
Metric	Cost = 10^8 / bandwidth (bps) — e.g., Gigabit = 1, FastEthernet = 10
Areas	Hierarchical design: Backbone Area 0 + non-backbone areas
LSA Types (CCNA)	Type 1 (Router LSA), Type 2 (Network LSA), Type 3 (Summary LSA)
Neighbor Adjacency	Hello packets (10s on broadcast, 30s on P2P), must match: area, subnet, hello/dead timers, MTU
DR/BDR	Designated Router / Backup DR elected on multi-access segments (highest priority, then highest Router ID)
Router ID	Highest loopback IP, then highest active interface IP, or manually set
Wildcard Mask	Inverse of subnet mask: 0.0.0.255 = /24, 0.0.0.3 = /30

Wildcard Mask Quick Reference

Subnet Mask	Wildcard	CIDR
255.0.0.0	0.255.255.255	/8
255.255.0.0	0.0.255.255	/16
255.255.255.0	0.0.0.255	/24
255.255.255.128	0.0.0.127	/25
255.255.255.192	0.0.0.63	/26
255.255.255.224	0.0.0.31	/27
255.255.255.240	0.0.0.15	/28
255.255.255.248	0.0.0.7	/29
255.255.255.252	0.0.0.3	/30
255.255.255.254	0.0.0.1	/31

💡

OSPF wildcard masks = inverse of subnet mask. To calculate: 255 - each octet of the subnet mask. Example: 255.255.255.0 → wildcard = 0.0.0.255. The wildcard specifies which bits the router should "ignore" when matching. network 192.168.1.0 0.0.0.255 area 0 means "match any IP starting with 192.168.1.x".

🔄

Network Address Translation (NAT)

DOMAIN 4

NAT Types

Type	Description	Use Case
Static NAT	1-to-1 mapping (inside local ↔ inside global)	Web servers, mail servers accessible from the Internet
Dynamic NAT	Pool of public IPs mapped to private IPs (first-come, first-served)	When you have a pool of public IPs but fewer than hosts
PAT (NAT Overload)	Many-to-1 using port numbers (port address translation)	Home/SMB routers — most common, saves public IPs

NAT Terminology

Term	Meaning	Example
Inside local	Private IP of the internal host	192.168.1.10
Inside global	Public IP after NAT translation	203.0.113.5
Outside local	IP of the external host as seen from inside	203.0.113.100
Outside global	Real public IP of the external host	203.0.113.100

nat-configuration.txt

# ── Static NAT (1-to-1) ──
R1(config)# ip nat inside source static 192.168.1.10 203.0.113.10
R1(config)# interface gi0/0
R1(config-if)# ip nat inside
R1(config)# interface gi0/1
R1(config-if)# ip nat outside

# ── Dynamic NAT ──
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat pool MYPOOL 203.0.113.50 203.0.113.60 netmask 255.255.255.0
R1(config)# ip nat inside source list 1 pool MYPOOL

# ── PAT / NAT Overload (most common) ──
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface gi0/1 overload

# ── Verify NAT ──
R1# show ip nat translations
R1# show ip nat statistics
R1# clear ip nat translation *

⚠️

Remember the NAT direction: The ip nat inside command goes on the interface facing your LAN (private network), and ip nat outside goes on the interface facing the ISP (public network). Always verify with show ip nat translations to confirm translations are occurring.

🛡️

Access Control Lists (ACLs)

DOMAIN 5

ACL Types

Type	Range	Features
Standard	1-99, 1300-1999	Filters by source IP only
Extended	100-199, 2000-2699	Filters by source, destination, protocol, port
Named (standard)	N/A	Standard ACL with a name instead of number
Named (extended)	N/A	Extended ACL with a name instead of number

ACL Rules & Best Practices

Rule	Description
Implicit deny	Every ACL has an invisible "deny all" at the end — always add a permit statement
Processing order	Top-down — first match wins (order matters!)
Standard ACL placement	Place close to the destination (cannot filter on destination)
Extended ACL placement	Place close to the source (more specific, saves bandwidth)
One ACL per interface per direction	You can have one inbound and one outbound ACL per interface
No filtering on locally generated traffic	ACLs on an interface do not filter traffic originating from the router itself

acl-configuration.txt

# ── Standard ACL (numbered) ──
R1(config)# access-list 10 deny 192.168.1.50 0.0.0.0   # Block one host
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255 # Allow the rest of the subnet
R1(config)# access-list 10 deny any                       # (implicit — no need to add)
R1(config)# interface gi0/1
R1(config-if)# ip access-group 10 out

# ── Extended ACL (numbered) ──
R1(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 80
R1(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 443
R1(config)# access-list 100 deny tcp any any eq 22       # Block SSH
R1(config)# access-list 100 permit ip any any             # Allow everything else
R1(config)# interface gi0/0
R1(config-if)# ip access-group 100 in

# ── Named Extended ACL (recommended) ──
R1(config)# ip access-list extended WEB-ONLY
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq 53
R1(config-ext-nacl)# deny ip any any log
R1(config)# interface gi0/0
R1(config-if)# ip access-group WEB-ONLY in

# ── Verify ACLs ──
R1# show access-lists
R1# show ip access-lists WEB-ONLY
R1# show ip interface gi0/0 | include access

🔒

Switch Port Security

DOMAIN 5

Port Security Modes

Mode	Description	Violation Action
Protect	Drops new frames silently; does not notify	Traffic from unauthorized MAC is dropped, no SNMP/Syslog trap
Restrict	Drops new frames AND sends SNMP trap / Syslog	Same as protect but with notifications
Shutdown (default)	Puts the port in err-disable state	Port is shut down, must be manually re-enabled or use errdisable recovery

Aging & Sticky MAC

Feature	Description
Static MAC	Manually configure allowed MAC addresses
Sticky MAC	Learn MAC addresses dynamically and add them to running-config
Static + Sticky	Combine both methods for flexibility
Aging (absolute)	MAC addresses expire after a fixed time, regardless of activity
Aging (inactivity)	MAC addresses expire after being inactive for a specified time
Max MAC	Set maximum number of MAC addresses per port (default: 1)

port-security-configuration.txt

# ── Port Security Configuration ──
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security                 # Enable port security
Switch(config-if)# switchport port-security maximum 5       # Max 5 MAC addresses
Switch(config-if)# switchport port-security mac-address sticky # Learn and save MACs
Switch(config-if)# switchport port-security violation restrict # Mode: restrict
Switch(config-if)# switchport port-security aging time 10    # Age out after 10 minutes
Switch(config-if)# switchport port-security aging type inactivity # Inactivity-based aging

# Err-disable recovery
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 60              # Re-enable after 60 seconds

# Verify port security
Switch# show port-security interface fa0/1
Switch# show port-security
Switch# show port-security address

📶

Wireless Networking

DOMAIN 2 & 5

Wi-Fi Standards

Standard	Frequency	Speed (theoretical)	Max Bandwidth	MIMO
802.11a	5 GHz	54 Mbps	20 MHz	No
802.11b	2.4 GHz	11 Mbps	20 MHz	No
802.11g	2.4 GHz	54 Mbps	20 MHz	No
802.11n (Wi-Fi 4)	2.4 / 5 GHz	600 Mbps	40 MHz	Yes (4x4)
802.11ac (Wi-Fi 5)	5 GHz	6.93 Gbps	160 MHz	Yes (8x8)
802.11ax (Wi-Fi 6/6E)	2.4 / 5 / 6 GHz	9.6 Gbps	160 MHz	Yes (8x8, OFDMA)

WLC Architecture

Component	Description
WLC (Wireless LAN Controller)	Centralized management of APs, handles authentication, roaming, RF management
LWAP (Lightweight AP)	Thin AP managed by WLC — handles radio, WLC handles intelligence (CAPWAP tunnel)
CAPWAP	Control And Provisioning of Wireless Access Points — tunnel between LWAP and WLC
Autonomous AP	Standalone AP (no WLC needed) — older deployment model
SSID	Service Set Identifier — the Wi-Fi network name users see
BSSID	Basic Service Set Identifier — MAC address of the AP radio
VLAN mapping	Map SSIDs to VLANs for traffic segmentation

Wireless Security

Protocol	Encryption	Authentication	Key Management	CCNA Notes
WEP	RC4 (40/104-bit)	Open / Shared key	Static key	CRACKED — never use
WPA	TKIP (RC4)	PSK / 802.1X	TKIP	Legacy — stop using
WPA2	AES-CCMP	PSK / 802.1X	4-way handshake	Still widely used, secure
WPA3	AES-GCMP	SAE / 802.1X	SAE (Dragonfly)	Most secure — replaces WPA2
802.1X	N/A	RADIUS server	EAP (EAP-TLS, PEAP)	Enterprise authentication

Wireless Best Practices

Practice	Reason
Use WPA3 (or WPA2 Enterprise)	Strongest encryption and authentication
Disable WPS	WPS PIN is vulnerable to brute-force attacks
Separate guest and corporate SSIDs	Isolate guest traffic, apply different policies
Map SSIDs to different VLANs	Segment traffic at Layer 2
Use 5 GHz band where possible	Less interference, more channels, higher throughput
Disable SSID broadcasting? (optional)	Minimal security benefit (probe requests still reveal SSID)
Use strong PSK (minimum 16 chars)	Dictionary attacks are common against weak passwords

💡

CCNA Wireless Focus:Know the difference between autonomous APs and lightweight APs (LWAP + WLC), understand CAPWAP, WPA2/WPA3 security modes, SSID-to-VLAN mapping, and the 802.11 standards. You don't need to configure a WLC — but you must understand the architecture.

🔁

First Hop Redundancy (HSRP / VRRP)

DOMAIN 3

HSRP (Cisco) vs VRRP (IEEE)

Feature	HSRP (Hot Standby Router Protocol)	VRRP (Virtual Router Redundancy Protocol)
Standard	Cisco proprietary	IEEE 802.1Q (open standard)
Virtual IP	Separate from real router IP	Can use real IP of active router
Active/Master	"Active" router	"Master" router
Standby/Backup	"Standby" router	"Backup" router
Multicast group	224.0.0.2	224.0.0.18
Default priority	100	100
Preemption	Disabled by default	Enabled by default
Version	HSRPv1 / HSRPv2	VRRPv2 / VRRPv3

GLBP (Gateway Load Balancing Protocol)

Feature	Details
Type	Cisco proprietary — load balances across multiple gateways
AVG	Active Virtual Gateway — answers ARP for the virtual IP
AVF	Active Virtual Forwarder — forwards traffic for a virtual MAC
Load balancing	Round-robin, weighted, or host-dependent
CCNA depth	Know that it exists and what it does — minimal config needed

hsrp-configuration.txt

# ── HSRP Configuration ──
# Active router (R1)
R1(config)# interface gi0/0
R1(config-if)# ip address 10.0.0.2 255.255.255.0
R1(config-if)# standby 1 ip 10.0.0.1          # Virtual IP
R1(config-if)# standby 1 priority 110          # Higher priority = Active
R1(config-if)# standby 1 preempt               # Take back Active role if recovered
R1(config-if)# standby 1 track gi0/1 30        # Decrease priority by 30 if gi0/1 goes down

# Standby router (R2)
R2(config)# interface gi0/0
R2(config-if)# ip address 10.0.0.3 255.255.255.0
R2(config-if)# standby 1 ip 10.0.0.1
R2(config-if)# standby 1 priority 100          # Default (will be Standby)
R2(config-if)# standby 1 preempt

# Verify
R1# show standby brief
R1# show standby

⚙️

Network Services & Device Management

DOMAIN 4 & 5

DHCP

Step	Description	Details
1. Discover	Client broadcasts DHCPDISCOVER	Source: 0.0.0.0, Dest: 255.255.255.255
2. Offer	Server responds with DHCPOFFER	Includes offered IP, subnet mask, lease time
3. Request	Client broadcasts DHCPREQUEST	Client accepts the offer
4. Acknowledge	Server sends DHCPACK	Confirms lease and provides options

DNS

Record Type	Purpose	Example
A	IPv4 address mapping	example.com → 93.184.216.34
AAAA	IPv6 address mapping	example.com → 2606:2800:220:1:...
CNAME	Alias (canonical name)	www.example.com → example.com
MX	Mail exchange	example.com → mail.example.com
NS	Name server	example.com → ns1.example.com
PTR	Reverse DNS (IP → name)	34.216.184.93.in-addr.arpa → example.com
SOA	Start of authority	Zone info, admin email, serial number, refresh
SRV	Service location	_sip._tcp.example.com → sip.example.com

device-management.txt

# ── Router DHCP Server Configuration ──
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp pool MYLAN
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
R1(dhcp-config)# lease 7 0 0    # 7 days

# ── Switch DHCP Relay (ip helper) ──
Switch(config)# interface vlan 10
Switch(config-if)# ip helper-address 192.168.100.1    # Forward DHCP to server

# ── Secure Device Management ──
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048      # Generate SSH keys
R1(config)# username admin privilege 15 secret MyStr0ngP@ss
R1(config)# line vty 0 4
R1(config-line)# transport input ssh                   # Only SSH (no Telnet!)
R1(config-line)# login local
R1(config)# ip ssh version 2                           # Use SSHv2

# ── NTP Configuration ──
R1(config)# ntp server 10.0.0.1
R1(config)# ntp server 10.0.0.2 prefer

# ── Syslog Configuration ──
R1(config)# logging host 192.168.100.10
R1(config)# logging trap informational                  # Severity level 6
R1(config)# logging source-interface gi0/0

# ── SNMP (read-only) ──
R1(config)# snmp-server community public RO
R1(config)# snmp-server host 192.168.100.10 version 2c public

# ── Backup & Restore ──
R1# copy running-config startup-config                  # Save config
R1# copy running-config tftp://192.168.100.10/R1-backup.cfg
R1# copy tftp://192.168.100.10/R1-backup.cfg running-config

🚫

NEVER use Telnet in production! Telnet sends everything in plaintext (including passwords). Always use SSHv2. The CCNA exam will expect you to know how to configure SSH: generate RSA keys, create a local username, and restrict VTY lines to SSH only (transport input ssh).

🔗

EtherChannel (Link Aggregation)

DOMAIN 2

EtherChannel Protocols

Protocol	Standard	Description
PAgP	Cisco proprietary	Port Aggregation Protocol — auto-negotiates EtherChannel
LACP	IEEE 802.3AD	Link Aggregation Control Protocol — open standard (preferred)

EtherChannel Rules

Rule	Details
Same speed and duplex	All physical ports must match (e.g., all Gigabit full-duplex)
Same VLAN configuration	All ports must be in the same VLAN / trunk config
Same native VLAN	If trunking, native VLAN must match on all ports
Same allowed VLANs	Trunk allowed list must be identical
Switch port mode must match	All must be access OR all must be trunk
Max 8 active ports	Up to 8 physical links per EtherChannel (16 total, 8 standby with LACP)

etherchannel-configuration.txt

# ── LACP EtherChannel (recommended — open standard) ──
Switch(config)# interface range gi0/1 - 2
Switch(config-if-range)# channel-group 1 mode active    # Active LACP
Switch(config-if-range)# exit
Switch(config)# interface port-channel 1
Switch(config-if)# switchport mode trunk

# ── PAgP EtherChannel (Cisco only) ──
Switch(config)# interface range gi0/3 - 4
Switch(config-if-range)# channel-group 2 mode desirable  # Auto-negotiate (PAgP)

# ── Static EtherChannel (no protocol) ──
Switch(config)# interface range fa0/1 - 2
Switch(config-if-range)# channel-group 3 mode on         # Forces EtherChannel (risky if misconfigured)

# Modes comparison:
# LACP:   active    (initiates)  | passive   (responds only)
# PAgP:   desirable (initiates)  | auto      (responds only)
# Static: on        (forces)     |           (must match on both sides)

# Verify
Switch# show etherchannel summary
Switch# show interfaces port-channel 1

🔐

Security Fundamentals

DOMAIN 5

VPN Technologies

Technology	Type	Description	CCNA Notes
IPsec	Site-to-Site	Encrypts entire IP packet, uses IKE for key exchange	Transport mode (payload) vs Tunnel mode (entire packet)
SSL VPN	Remote Access	Uses HTTPS/TLS, clientless or with AnyConnect	Common for remote workers
DMVPN	Hub-and-Spoke / Mesh	Dynamic spoke-to-spoke tunnels over mGRE + NHRP	Scalable for branch offices

Device Hardening Checklist

Practice	Command / Action
Disable unused services	no ip http server, no cdp run (globally)
Enable SSH, disable Telnet	transport input ssh on VTY lines
Set strong passwords	enable secret (hashed), service password-encryption
Create local users	username admin privilege 15 secret <password>
Configure banners	banner motd # Authorized Access Only #
Enable logging	logging host <server-ip>, logging trap informational
Disable IP source routing	no ip source-route
Set login failure rate	login block-for 120 attempts 3 within 30
Use SSH key authentication	crypto key generate rsa modulus 2048
Use ACLs on VTY	Restrict who can SSH/Telnet to the device

security-hardening.txt

# ── Device Security Hardening ──
R1(config)# hostname R1
R1(config)# no ip domain-lookup                        # Prevent DNS resolution typos
R1(config)# banner motd #                              # MOTD banner
Authorized access only. All activity is monitored.
#

# Password security
R1(config)# service password-encryption                 # Encrypt plaintext passwords
R1(config)# enable secret MyStr0ngP@ss                 # Privileged EXEC password (hashed)

# User management
R1(config)# username admin privilege 15 secret Admin@123
R1(config)# aaa new-model
R1(config)# aaa authentication login default local

# Login rate limiting
R1(config)# login block-for 120 attempts 3 within 30

# Disable unused services
R1(config)# no ip http server
R1(config)# no ip http secure-server
R1(config)# no cdp run

# SNMP security
R1(config)# snmp-server community Str0ngP@ss RO 10     # ACL 10 limits SNMP access

🤖

Automation & Programmability

DOMAIN 6

SDN & Cisco DNA Center

Concept	Details
SDN	Software-Defined Networking — decouples control plane from data plane
Cisco DNA Center	Centralized management platform for enterprise networks
Cisco ISE	Identity Services Engine — 802.1X, posture assessment, guest access
APIC-EM	Application Policy Infrastructure Controller — SDN controller (legacy)
Network as a Service (NaaS)	Managing the network through software APIs

Data Formats & APIs

Format/Protocol	Type	CCNA Focus
JSON	Data format (key-value pairs)	Lightweight, human-readable, used by REST APIs
XML	Data format (tags/attributes)	Heavier, used by NETCONF/SOAP
YAML	Data format (configuration)	Used by Ansible playbooks, clean syntax
REST API	Architecture (HTTP methods)	GET, POST, PUT, DELETE — CRUD operations over HTTP(S)
NETCONF	Network management protocol	XML-based, programmatic config management (RFC 6241)
YANG	Data modeling language	Models network device config/state (RFC 7950)
RESTCONF	REST-like NETCONF	HTTP + JSON/YANG, modern alternative to NETCONF

REST API Methods

HTTP Method	CRUD Operation	Idempotent	Description
GET	Read	Yes	Retrieve data (never changes state)
POST	Create	No	Create new resource
PUT	Update/Replace	Yes	Replace entire resource (or create)
PATCH	Partial Update	No	Update part of a resource
DELETE	Delete	Yes	Remove a resource

Configuration Management Tools

Tool	Language	Approach	Key Feature
Ansible	YAML	Agentless (SSH/WinRM)	Playbooks, modules, easy to learn — most common on CCNA
Chef	Ruby	Agent-based	Recipes, cookbooks, pull model
Puppet	Ruby DSL	Agent-based	Declarative, manifests, pull model
SaltStack	YAML/Jinja	Agent-based (ZeroMQ)	Fast execution, event-driven
Python (ncclient, Netmiko, NAPALM)	Python	Script-based	Programmatic control via SSH/NETCONF

rest-api-examples.txt

# ── REST API Example (Cisco IOS-XE) ──
# Get interface status
GET https://10.0.0.1/restconf/data/ietf-interfaces:interfaces

# Response (JSON):
{
  "ietf-interfaces:interfaces": {
    "interface": [
      {
        "name": "GigabitEthernet0/0",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": true,
        "ietf-ip:ipv4": {
          "address": [
            { "ip": "10.0.0.1", "netmask": "255.255.255.0" }
          ]
        }
      }
    ]
  }
}

# Configure interface via RESTCONF PUT
PUT https://10.0.0.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet0%2F0
Content-Type: application/yang-data+json

{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet0/0",
    "type": "iana-if-type:ethernetCsmacd",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [{ "ip": "10.0.0.1", "netmask": "255.255.255.0" }]
    }
  }
}

# ── Ansible Example (yaml) ──
# playbook.yml
---
- name: Configure VLANs on Cisco switches
  hosts: switches
  gather_facts: no
  tasks:
    - name: Create VLAN 10
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 10
            name: SALES
        state: merged

💡

Domain 6 is worth 10% but growing in importance.Focus on: understanding REST API methods (CRUD mapping), JSON/YAML/XML data formats, YANG/NETCONF concepts, and knowing that Ansible is the most commonly tested configuration management tool on CCNA. You don't need to write production code — just understand the concepts.

💻

Cisco IOS Essential Commands

QUICK REF

Navigation & Configuration Modes

Command	Mode	Description
enable	User EXEC → Privileged EXEC	Enter privileged mode
configure terminal	Privileged EXEC → Global Config	Enter global config mode
interface gi0/0	Global Config → Interface Config	Configure a specific interface
router ospf 1	Global Config → Router Config	Enter OSPF routing config
end	Any config mode → Privileged EXEC	Exit to privileged EXEC
exit	Any mode	Go back one level
disable	Privileged EXEC → User EXEC	Return to user mode
write memory / copy run start	Privileged EXEC	Save running-config to NVRAM
reload	Privileged EXEC	Reboot the device

Show & Verification Commands

Command	Description
show running-config	Display current active config (RAM)
show startup-config	Display saved config (NVRAM)
show ip interface brief	Quick interface status & IP summary
show interfaces gi0/0	Detailed interface info (MAC, speed, errors)
show ip route	Routing table
show ip route ospf	OSPF-learned routes only
show ip ospf neighbor	OSPF neighbors and adjacency status
show vlan brief	VLAN assignment summary
show interfaces trunk	Trunk ports and allowed VLANs
show spanning-tree	STP status, root bridge, port roles
show mac address-table	MAC address table (CAM table)
show port-security	Port security status
show access-lists	All ACLs and hit counts
show cdp neighbors	Cisco Discovery Protocol neighbors
show ntp status	NTP synchronization status

ios-configuration-checklist.txt

╔══════════════════════════════════════════════════════════════╗
║          CCNA NEW SWITCH/ROUTER CONFIGURATION CHECKLIST         ║
╠══════════════════════════════════════════════════════════════╣
║                                                               ║
║  1. INITIAL SETUP                                             ║
║     hostname SW1                                              ║
║     no ip domain-lookup                                       ║
║     enable secret <strong-password>                           ║
║     username admin privilege 15 secret <strong-password>      ║
║     service password-encryption                               ║
║     banner motd # Authorized Access Only #                    ║
║                                                               ║
║  2. SSH ACCESS                                                ║
║     ip domain-name example.com                                ║
║     crypto key generate rsa modulus 2048                      ║
║     line vty 0 15                                            ║
║       transport input ssh                                     ║
║       login local                                             ║
║     ip ssh version 2                                          ║
║                                                               ║
║  3. INTERFACES                                                ║
║     interface gi0/0                                           ║
║       description Uplink-to-R1                                ║
║       ip address 10.0.0.2 255.255.255.0                      ║
║       no shutdown                                             ║
║                                                               ║
║  4. VLANS (if switch)                                        ║
║     vlan 10 / name SALES                                      ║
║     vlan 20 / name ENGINEERING                                ║
║     interface range fa0/1-10                                   ║
║       switchport mode access                                  ║
║       switchport access vlan 10                               ║
║                                                               ║
║  5. TRUNKING (if switch)                                     ║
║     interface gi0/1                                           ║
║       switchport trunk encapsulation dot1q                    ║
║       switchport mode trunk                                   ║
║       switchport trunk native vlan 99                         ║
║       switchport trunk allowed vlan 10,20,99                 ║
║                                                               ║
║  6. STP (if switch)                                          ║
║     spanning-tree mode rapid-pvst                             ║
║     spanning-tree vlan 10 root primary                        ║
║     interface fa0/1                                           ║
║       spanning-tree portfast                                  ║
║       spanning-tree bpduguard enable                          ║
║                                                               ║
║  7. ROUTING (if router)                                      ║
║     ip routing                                               ║
║     router ospf 1                                            ║
║       router-id 1.1.1.1                                      ║
║       network 10.0.0.0 0.0.0.3 area 0                        ║
║     ip route 0.0.0.0 0.0.0.0 10.0.0.1                        ║
║                                                               ║
║  8. SECURITY                                                  ║
║     access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22║
║     access-list 101 deny ip any any log                       ║
║     interface gi0/0                                           ║
║       ip access-group 101 in                                  ║
║                                                               ║
║  9. SAVE                                                      ║
║     copy running-config startup-config                        ║
║                                                               ║
╚══════════════════════════════════════════════════════════════╝

🎯

CCNA Interview Questions & Scenarios

EXAM PREP

Common CCNA Exam Questions

Q#	Question	Key Points
Q1	What is the difference between a switch and a router?	Switch: L2 (MAC addresses), separates collision domains. Router: L3 (IP addresses), separates broadcast domains.
Q2	How does STP prevent loops?	Elects root bridge, blocks redundant paths, only allows one active path between any two points.
Q3	What is the difference between TCP and UDP?	TCP: connection-oriented, reliable, ordered (HTTP, SSH). UDP: connectionless, fast, no guarantees (DNS, DHCP, VoIP).
Q4	What is NAT and why is it used?	Translates private IPs to public IPs to conserve IPv4 addresses and hide internal addressing. PAT allows many-to-one mapping.
Q5	What is the difference between standard and extended ACLs?	Standard: filters by source IP only. Extended: filters by source, destination, protocol, and port.
Q6	What is the purpose of VLAN 1?	Default VLAN for all switch ports. Cannot be deleted. Should not carry user traffic (security).
Q7	What is OSPF and what is its administrative distance?	Link-state protocol, AD = 110, uses Dijkstra SPF algorithm, hierarchical (areas).
Q8	What is a wildcard mask and how is it different from a subnet mask?	Inverse of subnet mask. Used in OSPF/network commands. 0.0.0.255 means "match first 24 bits".

Troubleshooting Scenarios

Scenario	Likely Cause	Verification Command
Host cannot ping gateway	Wrong IP/subnet, VLAN mismatch, port shut down	show ip interface brief, show vlan brief
VLANs cannot communicate	Missing router-on-a-stick (sub-interfaces) or L3 switch SVI	show ip route, show running-config
OSPF neighbor stuck in INIT	Mismatched hello/dead timers, area mismatch, ACL blocking	show ip ospf neighbor, show running-config
Trunk not forming	Mismatched native VLAN, DTP mode mismatch, encapsulation missing	show interfaces trunk, show interfaces switchport
STP loop (broadcast storm)	BPDU Guard not enabled, PortFast on trunk, miswired	show spanning-tree, check CPU utilization
NAT translations not working	Missing ip nat inside/outside, ACL not matching	show ip nat translations, debug ip nat
SSH connection refused	RSA keys not generated, VTY not configured, ACL blocking	show ip ssh, show running-config \| section vty

💡

CCNA troubleshooting methodology: Always use the OSI model bottom-up approach: L1 (cables, link lights) → L2 (MAC, VLAN, trunk, STP) → L3 (IP, routing, ACL) → L4+ (TCP/UDP, application). Most exam troubleshooting questions can be solved by checking the basics first — is the interface up? Is the cable connected? Is the VLAN correct?

📚

Study Plan & Resources

PREPARATION

Recommended Resources

Resource	Type	Cost	Best For
Jeremy's IT Lab (YouTube)	Video course	Free	Full CCNA 200-301 walkthrough — best free resource
Wendell Odom Official Cert Guide	Book (2 volumes)	~$50-60	Comprehensive study guide with practice questions
Cisco Networking Academy	Online course	Free (academic)	Official curriculum, hands-on Packet Tracer labs
Packet Tracer	Network simulator	Free	Practice Cisco IOS commands and build topologies
GNS3 / EVE-NG	Network emulator	Free	Run real Cisco IOS images (closer to real equipment)
Boson Practice Exams	Practice tests	~$80	Closest to real exam difficulty — highly recommended
CBT Nuggets	Video course	$99/mo	Engaging video content with hands-on labs
Udemy (Neil Anderson, etc.)	Video course	~$15 (sale)	Affordable alternative video courses

8-Week Study Plan

Week	Focus	Activities
1-2	Network Fundamentals	OSI/TCP-IP models, IPv4/IPv6 addressing, subnetting (practice daily!), cables, Wi-Fi basics
3	Network Access	VLANs, trunking, STP, EtherChannel, wireless (WLC, CAPWAP, SSID-VLAN mapping)
4	IP Connectivity	IPv4/IPv6 subnetting, static routing, OSPFv2 (single area), FHRP (HSRP/VRRP)
5	IP Services	NAT (static, dynamic, PAT), DHCP, DNS, NTP, SNMP, Syslog, device management
6	Security	ACLs, port security, VPN concepts, device hardening, 802.1X, WPA2/WPA3
7	Automation	REST APIs, JSON/YAML/XML, YANG/NETCONF, SDN, Ansible, Cisco DNA Center
8	Review & Practice	Take 3-5 practice exams (Boson), review weak areas, lab on Packet Tracer daily

ccna-lab-topologies.txt

╔══════════════════════════════════════════════════════════════╗
║           CCNA LAB TOPOLOGIES TO PRACTICE                       ║
╠══════════════════════════════════════════════════════════════╣
║                                                               ║
║  Lab 1: Basic Switching (2 switches + 4 PCs)                  ║
║    - Configure VLANs, access ports, trunk link                ║
║    - Verify inter-VLAN routing via router-on-a-stick           ║
║    - Enable STP and observe root bridge election               ║
║                                                               ║
║  Lab 2: OSPF Single-Area (3 routers, triangle topology)       ║
║    - Configure OSPF on all routers                             ║
║    - Verify neighbor adjacencies and routing table             ║
║    - Change router priorities and observe DR/BDR election      ║
║                                                               ║
║  Lab 3: NAT + ACL (1 router, LAN + WAN)                      ║
║    - Configure PAT for Internet access                         ║
║    - Configure ACLs to restrict traffic                        ║
║    - Verify with show ip nat translations                      ║
║                                                               ║
║  Lab 4: Redundancy (2 routers + 1 switch + PCs)              ║
║    - Configure HSRP between two routers                        ║
║    - Verify failover by shutting down the active router        ║
║    - Configure tracking on an interface                        ║
║                                                               ║
║  Lab 5: EtherChannel + STP (2 switches, 3 links)              ║
║    - Bundle 3 links into an EtherChannel                      ║
║    - Verify load balancing and failover                        ║
║    - Configure PortFast + BPDU Guard on edge ports             ║
║                                                               ║
║  Lab 6: Wireless (WLC + 2 LWAPs + clients)                   ║
║    - Configure SSIDs and map to VLANs                          ║
║    - Configure WPA2 security                                    ║
║    - Verify CAPWAP tunnel and client association               ║
║                                                               ║
║  Lab 7: Device Management                                     ║
║    - Configure SSH, NTP, Syslog, SNMP                          ║
║    - Backup running-config to TFTP                             ║
║    - Apply security hardening checklist                        ║
║                                                               ║
║  Lab 8: Automation (optional)                                 ║
║    - Explore RESTCONF API on IOS-XE device                    ║
║    - Write simple Ansible playbook for VLAN config            ║
║    - Understand JSON/YANG data models                          ║
║                                                               ║
╚══════════════════════════════════════════════════════════════╝

💡

Packet Tracer is your best friend. Download it free from Cisco Networking Academy. Build every lab topology above. You cannot pass the CCNA without hands-on practice — memorizing commands is not enough. You need to understand the output of show commands and troubleshoot broken configurations.

⚠️

Subnetting is the single most tested skill.Practice with online subnetting calculators, apps, or flashcards. You should be able to answer questions like: "What is the network address for 192.168.5.100/26?" in under 10 seconds. The answer: 192.168.5.64 (network), 192.168.5.65-126 (usable), 192.168.5.127 (broadcast).

⏳

Loading cheatsheet...