
CCNA Exam v1.1 (200-301) Ultimate Cheat Sheet

6 Domains • 106 Concepts • Approx. 14 pages

Your Quick Reference Study Guide

This cheat sheet covers the core concepts, terms, and definitions you need to know for the CCNA Exam v1.1 (200-301). We've distilled the most important domains, topics, and critical details to help your exam preparation.

💡 Note: While this study guide highlights essential concepts, it's designed to complement, not replace, comprehensive learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.


About This Cheat Sheet: This study guide covers core concepts for CCNA Exam v1.1 (200-301). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.

Use this as a quick reference alongside comprehensive study materials.

CCNA Exam v1.1 (200-301) Cheat Sheet

Provided by GetMocka.com

Network Fundamentals

20%

Router — Inter‑Network Forwarder

Forwards IP packets between networks using routing tables/protocols; enables segmentation and WAN connectivity.

Key Insight

Operates at Layer 3 (IP) — forwards by network prefix; not a MAC switch and not automatically a firewall/NAT.

Often Confused With

Layer 3 switch, Layer 2 switch

Common Mistakes

  • Assuming routers forward using MAC addresses (they route by IP prefixes).
  • Believing routers always provide firewalling or NAT out of the box.

L3 Switch — Inter‑VLAN Engine

High‑speed multilayer switch that performs wire‑speed switching plus inter‑VLAN routing via SVIs and routing protocols.

Key Insight

Built for campus LANs: SVIs give fast inter‑VLAN routing and it can run routing protocols, but it lacks many router WAN/NAT features.

Often Confused With

Router, Layer 2 switch

Common Mistakes

  • Assuming L3 switches can't run routing protocols like OSPF/EIGRP.
  • Thinking L3 switches always replace routers — they miss some WAN and NAT capabilities.

Spine‑Leaf Fabric (ECMP East‑West)

Data‑center fabric: leaf switches attach servers, spines provide equal‑cost L3 paths for low‑latency east‑west traffic.

Key Insight

Built for east‑west traffic: uses L3 routing + ECMP across spines — leaves don’t need a full mesh and routing remains required.

Often Confused With

Three-tier architecture, Two-tier architecture

Common Mistakes

  • Believing spine‑leaf removes routing — it still uses L3 at leaves/spines.
  • Thinking leaves require a full mesh — spines provide the fabric; leaves connect to spines only.
  • Assuming ECMP = proprietary feature — ECMP is a standard path distribution pattern, not vendor magic.

Two‑Tier / Collapsed Core

Collapsed core: merges the core and distribution (aggregation) layers into one tier above the access layer for small/medium sites, cutting cost and complexity at the expense of long-term scalability.

Key Insight

Merges core and distribution into one tier to simplify wiring and equipment; the tradeoff is fewer policy enforcement points and reduced scalability.

Often Confused With

Three-tier architecture, Spine-leaf architecture

Common Mistakes

  • Assuming it’s as scalable as three‑tier — collapsed core limits growth and traffic segmentation.
  • Thinking redundancy is impossible — you can use link aggregation, dual devices, HSRP/VRRP for resiliency.
  • Believing collapsed core removes routing — inter‑VLAN and uplink routing still required.

Fiber Core: SMF (single‑mode) vs MMF (multi‑mode)

SMF ≈9 µm core for long‑reach, low‑loss links; MMF (50/62.5 µm) for short reach but higher modal dispersion.

Key Insight

Core diameter affects modal behavior and bandwidth; attenuation is set by wavelength and fiber type, not core size alone.

Often Confused With

Connector types (LC/SC/ST), Modal dispersion

Common Mistakes

  • Don't assume larger core = lower attenuation.
  • Connector choice is independent of core diameter.
  • Ignoring wavelength: 1310 nm vs 1550 nm have different attenuation profiles.

Link Length Limits: Copper (~100 m) vs Fiber (m→km)

Copper twisted-pair Ethernet is limited to 100 m per segment (shorter for 10GBASE-T on lower cable categories); fiber reach spans tens of meters to tens of kilometers depending on SMF/MMF and the transceiver.

Key Insight

Distance = media + Ethernet standard + PHY + transceiver/link budget—always check spec'd distance for the exact combo.

Often Confused With

Throughput vs distance, Link budget / attenuation

Common Mistakes

  • Believing 'fiber has no practical distance limits.'
  • Thinking copper >100 m only reduces speed; it causes CRC errors and link failure.
  • Skipping transceiver/link‑budget checks when planning longer links.

Duplex Mismatch (Half vs Full)

Link endpoints using different duplex modes, producing collisions, CRCs, and severe throughput loss.

Key Insight

Mixing auto and forced settings usually causes it — one side shows collisions/late collisions, the other shows CRC/input errors.

Often Confused With

Autonegotiation, Speed mismatch

Common Mistakes

  • Thinking duplex mismatch only occurs on switches
  • Treating CRC/input errors as definitive proof of duplex mismatch

Autonegotiation (Auto-Neg, 802.3u)

Ethernet process where endpoints advertise and agree speed/duplex to avoid manual mismatches.

Key Insight

If one side autonegotiates and the peer is forced (10/100), parallel detection lets the autoneg side match the speed but it falls back to half duplex, a classic cause of duplex mismatch; 1000BASE-T requires autonegotiation to come up at all.

Often Confused With

Duplex mismatch, Manual speed/duplex

Common Mistakes

  • Assuming autoneg always picks identical/optimal settings
  • Thinking disabling autoneg solves all link faults
  • Forgetting Gigabit (1000BASE-T) requires autoneg to negotiate properly
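The counter pattern described in the duplex-mismatch and autonegotiation entries above, turned into triage logic. This is an added example, not part of the cheat sheet: it parses the counter lines of Cisco-style `show interfaces` output (the two excerpts are constructed samples, not captured from a real device) and reports which side of a mismatch a port looks like, then correlates both ends, which is the check that actually confirms the fault.

```python
"""Duplex-mismatch triage (added example, not from the cheat sheet). Parses the
counter lines of Cisco-style 'show interfaces' output and reports which side of a
mismatch each port looks like. Both excerpts below are constructed samples."""
import re

# Constructed: the autonegotiating side that fell back to 100/half (parallel detection).
SHOW_INT_A = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     3 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 1240 collisions, 2 interface resets
     0 babbles, 317 late collision, 88 deferred
"""

# Constructed: the peer that was forced to 100/full.
SHOW_INT_B = """\
GigabitEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     14 runts, 0 giants, 0 throttles
     412 input errors, 398 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTER_RE = re.compile(r"(\d+) (late collision|collisions|input errors|CRC|runts)\b")
DUPLEX_RE = re.compile(r"(Full|Half|Auto)-duplex, ([^,]+)")


def parse_show_interfaces(text: str) -> dict:
    """Pull interface name, duplex, speed and the counters that matter for this fault."""
    name = text.split(maxsplit=1)[0]
    m = DUPLEX_RE.search(text)
    if not m:
        raise ValueError(f"{name}: no duplex line found")
    stats = {"interface": name, "duplex": m.group(1).lower(), "speed": m.group(2).strip()}
    for value, key in COUNTER_RE.findall(text):
        stats[key] = int(value)
    return stats


def diagnose(stats: dict) -> str:
    """One-sided view: what this port's own counters suggest."""
    late = stats.get("late collision", 0)
    crc, runts = stats.get("CRC", 0), stats.get("runts", 0)
    collisions = stats.get("collisions", 0)
    if stats["duplex"] == "half" and late:
        return "half side: late collisions only happen when the peer transmits full-duplex"
    if stats["duplex"] == "full" and (crc or runts) and not collisions:
        return ("full side (suggestive only): CRC/runts with zero collisions; confirm late "
                "collisions on the peer, a bad cable or optic produces the same counters")
    if stats["duplex"] == "half":
        return "half-duplex but no late collisions: mismatch unlikely, though half-duplex itself deserves a look"
    return "no mismatch signature"


def correlate(side_a: dict, side_b: dict) -> str:
    """The confirming check: opposite duplex settings plus each side's characteristic counters."""
    pair = {side_a["duplex"], side_b["duplex"]}
    half = side_a if side_a["duplex"] == "half" else side_b
    full = side_b if half is side_a else side_a
    if pair == {"half", "full"} and half.get("late collision", 0) and (full.get("CRC", 0) or full.get("runts", 0)):
        return f"duplex mismatch confirmed: {half['interface']} half / {full['interface']} full"
    if pair == {"half", "full"}:
        return "duplex settings differ but counters do not show the mismatch pattern yet; recheck after traffic"
    return "both ends agree on duplex; look elsewhere (cabling, optics, speed)"


if __name__ == "__main__":
    a, b = parse_show_interfaces(SHOW_INT_A), parse_show_interfaces(SHOW_INT_B)
    print(a["interface"], "->", diagnose(a))
    print(b["interface"], "->", diagnose(b))
    print(correlate(a, b))
```

The single-port verdict for the full-duplex side is deliberately labelled suggestive: CRC errors without collisions are consistent with a mismatch but also with a damaged cable or optic, which is the second "common mistake" above. Only the pairing of late collisions on one end with CRC/runts on the other confirms it.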

UDP — User Datagram Protocol (low-overhead, message-based)

Connectionless, minimal-overhead transport for latency-sensitive or multicast apps (DNS, VoIP, streaming).

Key Insight

No built-in retransmit, ordering, or flow control — pick UDP when latency or multicast matters and apps handle reliability.

Often Confused With

TCP (Transmission Control Protocol), SCTP (Stream Control Transmission Protocol)

Common Mistakes

  • Believing UDP has no integrity checks — it uses a checksum (required in IPv6; apps may add more).
  • Assuming UDP is always faster than TCP — real performance depends on loss, retransmits, and app logic.

Reliability Mechanisms — ACKs, Seq#s, Timers, Retransmit

ACKs, sequence numbers, timers and retransmits used by transport protocols to detect loss and ensure correct delivery.

Key Insight

Recovery depends on timers and ACK behavior (cumulative vs SACK); retransmission isn't instantaneous and affects latency.

Often Confused With

Flow Control, Congestion Control

Common Mistakes

  • Expecting retransmission to recover losses instantly — it waits for timeouts or duplicate-ACK thresholds.
  • Thinking ACKs are only sent by the receiver — ACKs can be piggybacked and occur both directions.

Subnet Zero & All‑Ones

Old first/last-subnet rules vs modern practice: routers usually allow both, but check device defaults.

Key Insight

Historically forbidden because the first subnet's network address and the last subnet's broadcast address coincide with those of the unsubnetted classful network; today most vendors permit both (IOS has 'ip subnet-zero' on by default), but legacy devices may require it to be enabled explicitly.

Often Confused With

Network address, Broadcast address

Common Mistakes

  • Assuming subnet-zero is always forbidden
  • Believing all-ones subnets are never usable
  • Not checking vendor default (some legacy routers need 'ip subnet-zero')

Network ID (IP & Mask)

Compute the network ID by bitwise AND of IP and mask — it's the subnet's identifier used in routing.

Key Insight

Network ID = IP AND mask (binary). It's the subnet's address (not a usable host) and stays fixed for that mask/IP range.

Often Confused With

Broadcast address, First host address

Common Mistakes

  • Using the first host as the network address
  • Assuming network ID changes with different host assignments in same subnet
  • Skipping binary conversion for non‑/8,/16,/24 masks (e.g., /25, /27)

NAT (Network Address Translation)

Rewrites private RFC 1918 IPv4 addresses to public (or other) addresses so internal hosts can reach external networks; PAT lets many inside hosts share one public IP by rewriting source ports as well.

Key Insight

NAT changes IP (and sometimes port) mappings: static = 1:1, PAT/overload = many-to-1. It is translation, not a firewall: unsolicited inbound traffic is dropped only because no translation entry matches it, and a static 1:1 entry forwards every port to the inside host.

Often Confused With

PAT (Port Address Translation), Static NAT, Firewall

Common Mistakes

  • Treating NAT as a security solution — it doesn't block or filter traffic by default
  • Expecting end-to-end transparency for protocols that embed IP/port (they break without ALG)
  • Counting public IPs wrong — PAT lets many hosts share one public address
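The translation behaviour described in the NAT entry, modelled as a table. This is an added example, not the cheat sheet's material and not vendor code: a `NatBox` class (hypothetical name) holds one PAT overload address plus optional static 1:1 entries, and its `inbound` method returns `None` when no entry matches, which is the point about NAT not being a firewall. Addresses are constructed (RFC 1918 inside, documentation ranges outside); port allocation is simplified to a single protocol with no timeouts.

```python
"""NAT/PAT as a translation table (added example, not from the cheat sheet and not
vendor code). Models static 1:1 NAT and PAT overload on one public address to show
what NAT does and does not do for security. All addresses are constructed."""


class NatBox:
    def __init__(self, inside_global: str, static=None):
        self.inside_global = inside_global          # the one public address PAT overloads
        self.static = dict(static or {})            # inside_local -> inside_global, 1:1
        self.by_local = {}                          # (inside_local, local_port) -> global_port
        self.by_global = {}                         # global_port -> (inside_local, local_port)

    def _allocate_port(self, wanted: int) -> int:
        """Keep the original source port when it is free (as IOS PAT does); otherwise take
        the next free port >= 1024. Simplified: one protocol, no entry timeouts."""
        if wanted not in self.by_global:
            return wanted
        port = 1024
        while port in self.by_global:
            port += 1
        return port

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> tuple:
        """Inside -> outside: rewrite the source. PAT creates state; static NAT needs none."""
        if src in self.static:
            return (self.static[src], sport, dst, dport)
        key = (src, sport)
        if key not in self.by_local:
            gport = self._allocate_port(sport)
            self.by_local[key] = gport
            self.by_global[gport] = key
        return (self.inside_global, self.by_local[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int):
        """Outside -> inside. Returns the translated packet, or None when no entry matches.
        None is the absence of state, not a policy decision: that is the whole difference
        between NAT and a firewall, and a static entry has no such protection at all."""
        for local, public in self.static.items():
            if dst == public:                       # static NAT: every port forwarded, solicited or not
                return (src, sport, local, dport)
        if dst == self.inside_global and dport in self.by_global:
            local, lport = self.by_global[dport]
            return (src, sport, local, lport)
        return None

    def public_addresses_in_use(self) -> int:
        """How many public IPs the design consumes: one for PAT plus one per static entry."""
        return 1 + len(set(self.static.values()))


if __name__ == "__main__":
    nat = NatBox("203.0.113.10", static={"10.0.0.5": "203.0.113.11"})
    # Two inside hosts picked the same ephemeral port: PAT keeps the first, rewrites the second.
    print(nat.outbound("10.0.0.2", 50000, "198.51.100.7", 443))     # 203.0.113.10:50000
    print(nat.outbound("10.0.0.3", 50000, "198.51.100.7", 443))     # 203.0.113.10:1024
    print(nat.inbound("198.51.100.7", 443, "203.0.113.10", 1024))   # reply reaches 10.0.0.3:50000
    print(nat.inbound("198.51.100.99", 40000, "203.0.113.10", 22))  # None: no entry, dropped
    print(nat.inbound("198.51.100.99", 40000, "203.0.113.11", 22))  # static: straight to 10.0.0.5:22
    print("public IPs in use:", nat.public_addresses_in_use())
```

The last two calls are the security lesson: the scan against the PAT address fails only because nobody inside has opened that mapping, while the same probe against the statically translated host goes straight through. Filtering either one requires an ACL or firewall policy, not NAT.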

VLSM (Variable-Length Subnet Mask) Subnetting

Right-size subnets by using a different mask per segment, minimizing waste and keeping blocks aligned for route summarization.

Key Insight

Allocate largest host blocks first, work down to smallest; align boundaries to enable contiguous summarization.

Often Confused With

CIDR, Classful addressing, Route summarization

Common Mistakes

  • Designing all subnets the same size — wastes addresses and hinders scaling
  • Subnetting small-to-large instead of largest-first, causing overlapping/inefficient allocations
  • Ignoring summarization when choosing masks, bloating routing tables
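The subnet arithmetic from the Subnet Zero, Network ID and VLSM entries above, carried through in code. This is an added example, not part of the cheat sheet: the network ID, broadcast, host range and subnet-zero/all-ones classification are computed with explicit bit operations and cross-checked against Python's standard `ipaddress` module, then a largest-first VLSM allocator carves a constructed 172.16.0.0/24 pool for made-up host counts, verifies nothing overlaps and derives the summary route. The pool, the department names and the host counts are constructed inputs.

```python
"""Subnet math from the cheat sheet, worked in Python (added example, not the
cheat sheet's own material). Hand-rolled bitwise versions are cross-checked
against the standard-library ipaddress module."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'192.168.10.130' -> 32-bit integer, done by hand to show the bit layout."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def subnet_facts(ip: str, prefix: int) -> dict:
    """Network ID = IP AND mask; broadcast = network OR (NOT mask)."""
    mask = prefix_mask(prefix)
    network = to_int(ip) & mask
    broadcast = network | (~mask & ALL_ONES)
    hosts = max(0, (1 << (32 - prefix)) - 2)      # /31 and /32 have no classic host range
    facts = {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if hosts else None,
        "last_host": to_dotted(broadcast - 1) if hosts else None,
        "usable_hosts": hosts,
    }
    check = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)   # library cross-check
    assert str(check.network_address) == facts["network"]
    assert str(check.broadcast_address) == facts["broadcast"]
    return facts


def classful_prefix(ip: str) -> int:
    first = to_int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")


def subnet_zero_status(ip: str, prefix: int) -> str:
    """Which subnet of the classful network this is: 'subnet zero', 'all-ones subnet',
    'ordinary subnet', or 'not subnetted' when no bits are borrowed."""
    cls = classful_prefix(ip)
    if prefix <= cls:
        return "not subnetted"
    borrowed = prefix - cls
    network = to_int(ip) & prefix_mask(prefix)
    subnet_number = (network >> (32 - prefix)) & ((1 << borrowed) - 1)
    if subnet_number == 0:
        return "subnet zero"
    if subnet_number == (1 << borrowed) - 1:
        return "all-ones subnet"
    return "ordinary subnet"


def vlsm_allocate(pool: str, demands: dict) -> dict:
    """Largest-first VLSM: sort by host count descending and carve each subnet from the
    next free address. Because sizes are descending powers of two, every subnet starts on
    its own boundary, so nothing overlaps and the pool summarises cleanly."""
    block = ipaddress.ip_network(pool)
    cursor, end = int(block.network_address), int(block.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        host_bits = 2                               # smallest useful subnet is a /30 (2 hosts)
        while (1 << host_bits) - 2 < hosts:
            host_bits += 1
        size = 1 << host_bits
        if cursor + size > end:
            raise ValueError(f"pool {pool} exhausted before '{name}' ({hosts} hosts)")
        assert cursor % size == 0, "allocation lost alignment (demands not largest-first?)"
        plan[name] = ipaddress.ip_network((cursor, 32 - host_bits))
        cursor += size
    return plan


def summary_route(plan: dict) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every subnet in the plan, after checking for overlaps."""
    nets = list(plan.values())
    for a in nets:
        assert not any(a.overlaps(b) for b in nets if b is not a), f"{a} overlaps another subnet"
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo & prefix_mask(prefix)) != (hi & prefix_mask(prefix)):
        prefix -= 1
    return ipaddress.ip_network((lo & prefix_mask(prefix), prefix))


if __name__ == "__main__":
    print(subnet_facts("192.168.10.130", 25), subnet_zero_status("192.168.10.130", 25))
    plan = vlsm_allocate("172.16.0.0/24", {"users": 100, "servers": 50, "voice": 20, "wan-p2p": 2})
    for name, net in plan.items():
        print(f"{name:8} {net}  ({net.num_addresses - 2} usable hosts)")
    print("summary:", summary_route(plan))
```

Feed `vlsm_allocate` the same demands in small-to-large order and the alignment assertion still holds, because the function sorts them itself; remove that sort and carve in arrival order to see the misaligned, overlapping plan the third "common mistake" warns about.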

IPv6 Interface Setup — Static, SLAAC, DHCPv6

Assign IPv6 on interfaces: static with 'ipv6 address <address>/<prefix-length>', SLAAC with 'ipv6 address autoconfig'; enable forwarding globally with 'ipv6 unicast-routing'.

Key Insight

Routers don't auto-route IPv6 — you must enable 'ipv6 unicast-routing'; link‑local (fe80::) and NDP handle neighbor reachability.

Often Confused With

IPv4 interface addressing, SLAAC (Stateless Address Autoconfiguration), DHCPv6

Common Mistakes

  • Thinking assigning a global address auto‑enables IPv6 routing
  • Using IPv4 'ip address' commands instead of 'ipv6 address' on IOS
  • Shutting down the interface to change IPv6 config (not required)

IPv6 Ping & Traceroute — Reachability Checks

Use 'ping ipv6 <addr>' and 'traceroute ipv6 <addr>' (current IOS also accepts a bare IPv6 address) to verify ICMPv6 reachability and map the path; read the response type to tell routing, ACL and NDP problems apart.

Key Insight

ICMPv6 success confirms L3 reachability only; compare 'unreachable' vs 'time‑exceeded' vs no‑reply to pinpoint routing, ACL, or NDP issues.

Often Confused With

IPv4 ping behavior, Application-level connectivity tests (TCP/HTTP)

Common Mistakes

  • Using the wrong syntax ('ping' vs 'ping ipv6' on older IOS) or assuming IPv4 defaults apply
  • Treating ICMPv6 reply as proof the application/service works
  • Skipping traceroute because you think it doesn't support IPv6

IPv6 Prefixing — the /64 Rule

IPv6 addresses are 128 bits: a network prefix plus an interface ID. Use /64 for every LAN so that SLAAC, which needs a 64-bit interface ID, works.

Key Insight

/64 is the de facto LAN subnet — SLAAC and many IPv6 features expect /64; other sizes break auto-config.

Often Confused With

IPv4 subnetting, /128 host addresses

Common Mistakes

  • Treating IPv6 like IPv4 and picking arbitrary subnet sizes instead of defaulting to /64
  • Using /128 for regular LAN hosts: /128 is a single-host address, not a subnet
  • Assuming SLAAC works on non-/64 prefixes: it will fail or be unsupported

IPv6 Link-Local — fe80::/10

fe80::/10 addresses valid only on the local link; used for neighbor discovery and local router comms.

Key Insight

Link-local is mandatory for ND/ICMPv6 and is never routed — used for immediate-link control and troubleshooting.

Often Confused With

Global Unicast Address (GUA), Unique Local Address (ULA)

Common Mistakes

  • Assuming link-local addresses can be routed between subnets: they cannot
  • Expecting link-local to be globally unique: uniqueness is only per link
  • Pinging a link-local address without naming the interface (a zone ID such as fe80::1%eth0 on hosts, or the source interface IOS prompts for): the address alone is ambiguous across links

IPv6 Address Types & Router Advertisements (RAs)

Global, link-local, unique-local addresses; RAs advertise prefixes and the default gateway info.

Key Insight

RA flags decide how hosts configure themselves: the prefix option's A flag permits SLAAC, M says use stateful DHCPv6 for addresses, O says use DHCPv6 for other information such as DNS; the RA itself supplies the prefix and the default router (its link-local source address).

Often Confused With

SLAAC, DHCPv6, Link-local address

Common Mistakes

  • Assuming SLAAC always supplies DNS: resolver info comes from the RA's RDNSS option (RFC 8106) or from DHCPv6 (O flag); without one of them hosts get addresses but no DNS.
  • Believing DHCPv6 is required for a default gateway — RAs can advertise the gateway/prefix.
  • Using link-local to test remote reachability — link-local only works on the local link.
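The mechanics behind the three IPv6 entries above (the /64 rule, link-local scope, and address types), as an added example that is not part of the cheat sheet: it derives the modified EUI-64 interface ID from a MAC, forms the fe80:: link-local address, builds the SLAAC address only when the advertised prefix is a /64, classifies addresses by prefix, and flags link-local targets that lack a zone ID. The MAC and the 2001:db8::/32 prefixes are constructed sample values.

```python
"""IPv6 address mechanics (added example, not from the cheat sheet): modified
EUI-64 interface IDs, fe80:: link-local derivation, the /64 requirement for
SLAAC, address-type classification and the zone-ID rule for link-local targets."""
import ipaddress


def modified_eui64(mac: str) -> int:
    """48-bit MAC -> 64-bit interface ID: split in halves, insert FF:FE, and flip the
    universal/local bit (0x02 of the first octet). Accepts 00:11:.., 00-11-.. and 0011.2233.4455."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 IID: the address every IPv6 interface has before any config."""
    return ipaddress.IPv6Address((0xFE80 << 112) | modified_eui64(mac))


def slaac_eligible(advertised_prefix: str) -> bool:
    """SLAAC concatenates the RA prefix with a 64-bit IID, so only a /64 qualifies."""
    return ipaddress.ip_network(advertised_prefix).prefixlen == 64


def slaac_address(advertised_prefix: str, mac: str) -> ipaddress.IPv6Address:
    if not slaac_eligible(advertised_prefix):
        raise ValueError(f"SLAAC needs a /64 prefix, got {advertised_prefix}")
    net = ipaddress.ip_network(advertised_prefix)
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def address_type(addr: str) -> str:
    """Classify by prefix; a '%zone' suffix is stripped first."""
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if a.is_link_local:                                   # fe80::/10, never routed
        return "link-local"
    if a in ipaddress.ip_network("fc00::/7"):             # ULA, routable inside the site only
        return "unique-local"
    if a.is_multicast:                                    # ff00::/8
        return "multicast"
    if a in ipaddress.ip_network("2000::/3"):
        return "global-unicast"
    return "other"


def needs_zone_id(target: str) -> bool:
    """True when a ping/traceroute target is link-local but names no interface, e.g.
    'fe80::1' rather than 'fe80::1%eth0'; the bare address is ambiguous across links."""
    addr, _, zone = target.partition("%")
    return ipaddress.IPv6Address(addr).is_link_local and zone == ""


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                       # constructed sample MAC
    print("link-local:", link_local_from_mac(mac))
    print("SLAAC     :", slaac_address("2001:db8:1:2::/64", mac))
    print("/80 SLAAC-eligible?", slaac_eligible("2001:db8:1:2::/80"))
    for target in ("fe80::1", "fe80::1%eth0", "fd00::1", "2001:db8::1"):
        print(f"{target:16} {address_type(target):14} needs zone id: {needs_zone_id(target)}")
```

EUI-64 is used here because it makes the derivation visible; most hosts now generate random or stable-privacy interface IDs instead, which changes the low 64 bits but not the /64 requirement or the scope rules.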

Default Gateway (Next‑Hop Router)

The router IP used when no specific route matches; host must reach that gateway on-link to exit network.

Key Insight

Gateway must be reachable (on-link/ARP or proxy); a listed gateway alone doesn't guarantee Internet access.

Often Confused With

Default route (0.0.0.0/0), Static route, NAT gateway

Common Mistakes

  • Thinking the gateway can be in a different subnet — it must be reachable on the same link or via proxy/ARP.
  • Assuming a gateway entry = Internet access — routing, NAT, DNS, and firewall matter too.
  • Relying on a successful ping to gateway as proof of full Internet reachability.

WLAN Encryption (WEP / WPA / WPA2 / WPA3)

Wi‑Fi encryption evolution: WEP broken; WPA (TKIP), WPA2 (AES/CCMP), WPA3 (SAE/GCMP) — affects auth and confidentiality.

Key Insight

WEP is fundamentally broken; WPA2-PSK ≠ WPA2-Enterprise (802.1X); WPA3-Personal's SAE handshake resists the offline dictionary attacks that a captured WPA2-PSK four-way handshake allows; pick by authentication needs.

Often Confused With

WPA2 Personal, WPA2 Enterprise

Common Mistakes

  • Assuming WEP is secure with a strong key — WEP is cryptographically broken.
  • Treating WPA2-Personal (PSK) as equal to WPA2-Enterprise (802.1X) for strong authentication.
  • Assuming WPA3 is universally usable — many clients and devices lack support.

Nonoverlapping Channels — 2.4 GHz: 1, 6, 11

Use truly nonoverlapping channels to cut interference: on 2.4 GHz pick 1, 6, 11 for 20 MHz channels; 5 GHz offers many more nonoverlapping channels.

Key Insight

20 MHz channels on 2.4 GHz overlap unless you use 1,6,11; adjacent‑channel interference (overlap) often hurts more than co‑channel contention.

Often Confused With

Adjacent-channel interference, Co-channel interference

Common Mistakes

  • Assuming any two different channels are nonoverlapping — adjacent channels still overlap and interfere.
  • Believing more channels automatically raise capacity — client density and reuse determine real throughput.
  • Ignoring channel width: 40/80 MHz links reduce available nonoverlap slots and increase overlap risk.
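The channel-overlap reasoning above, worked out rather than memorised. This is an added example, not part of the cheat sheet: it models each 2.4 GHz channel as a frequency span (centre 2407 + 5n MHz, channel 14 at 2484 MHz) and uses interval scheduling to find a maximum set of nonoverlapping channels. The 22 MHz default width is the legacy DSSS mask that 1/6/11 planning assumes; passing 20 MHz shows the OFDM-only argument for 1/5/9/13, and `bonded_above=True` shows what 40 MHz does to the count.

```python
"""2.4 GHz channel overlap (added example, not from the cheat sheet). Channels are
modelled as frequency spans; two spans overlap when they share any spectrum. The
greedy pick (earliest upper edge first) yields a maximum nonoverlapping set."""


def center_mhz(channel: int) -> int:
    """802.11 2.4 GHz channel centre: 2407 + 5*n for channels 1-13; channel 14 is 2484."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def span(channel: int, width_mhz: int = 22, bonded_above: bool = False) -> tuple:
    """(low, high) MHz edges. 22 MHz is the legacy DSSS mask behind the 1/6/11 rule.
    bonded_above=True models a 40 MHz 802.11n channel: the primary plus the channel 4 above."""
    centre = center_mhz(channel)
    if bonded_above:
        centre = (centre + center_mhz(channel + 4)) // 2
        width_mhz = 40
    return (centre - width_mhz // 2, centre + width_mhz // 2)


def overlaps(a: tuple, b: tuple) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def classify_pair(ch_a: int, ch_b: int, width_mhz: int = 22) -> str:
    if ch_a == ch_b:
        return "co-channel"        # shared airtime: CSMA/CA hears the other cell and defers
    if overlaps(span(ch_a, width_mhz), span(ch_b, width_mhz)):
        return "adjacent-channel"  # partial overlap: preambles are not decodable, so no deferral, just corruption
    return "non-overlapping"


def max_nonoverlapping(channels, width_mhz: int = 22, bonded_above: bool = False) -> list:
    """Interval scheduling: visit channels by upper edge, keep each one whose lower edge
    is at or above the last accepted upper edge."""
    spans = [(span(ch, width_mhz, bonded_above), ch) for ch in channels]
    spans.sort(key=lambda item: item[0][1])
    chosen, last_high = [], -1
    for (low, high), ch in spans:
        if low >= last_high:
            chosen.append(ch)
            last_high = high
    return chosen


if __name__ == "__main__":
    us, etsi = range(1, 12), range(1, 14)                     # channels 1-11 vs 1-13
    print("US 20 MHz (22 MHz mask):", max_nonoverlapping(us))        # [1, 6, 11]
    print("ETSI OFDM-only 20 MHz  :", max_nonoverlapping(etsi, 20))  # [1, 5, 9, 13]
    print("US 40 MHz bonded       :", max_nonoverlapping(range(1, 8), bonded_above=True))   # [1]
    print("ETSI 40 MHz bonded     :", max_nonoverlapping(range(1, 10), bonded_above=True))  # [1, 9]
    for pair in ((1, 2), (1, 5), (1, 6), (6, 6)):
        print(pair, classify_pair(*pair))
```

The 40 MHz results are the practical argument against channel bonding on 2.4 GHz: in the 11-channel regulatory domain a single bonded channel is all the band can hold without overlap, so any second access point in range is forced into adjacent-channel interference.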

Hypervisors — Type 1 vs Type 2

Two hypervisor models: Type‑1 runs on hardware, Type‑2 on a host OS; impacts performance, security, and networking.

Key Insight

Type‑1 (bare‑metal) gives lower latency, stronger isolation and direct NIC/driver access; Type‑2 adds host OS overhead and dependencies.

Often Confused With

Containerization, Virtual Machines

Common Mistakes

  • Assuming Type‑2 is always slower — performance depends on workload and host
  • Treating all hypervisors as having identical security boundaries

Containers — namespaces & cgroups

Process-level isolation using kernel namespaces and cgroups; containers share the host kernel, so they start fast and pack densely but have a different security and networking model from VMs.

Key Insight

Containers share the host kernel: higher density and fast boot, but isolation and networking are host-mediated, not hypervisor-enforced.

Often Confused With

Virtual Machines, Hypervisor types

Common Mistakes

  • Assuming containers provide VM-level kernel isolation
  • Calling containers 'lightweight VMs' — different architecture and isolation model

MAC-Based Switching (VLAN-aware)

Switch forwards, drops, or floods frames using destination MAC + VLAN-scoped MAC-table lookup.

Key Insight

Lookup is per‑VLAN: known MAC->forward to port, same-port->drop, unknown->flood to that VLAN.

Often Confused With

Layer 3 routing, Hub behavior

Common Mistakes

  • Thinking a Layer 2 switch reads the IP header: plain switching decides on the frame's MAC addresses only.
  • Assuming unknown destination is dropped—switch floods unknown MACs to the VLAN.
  • Believing MAC table is global—MAC entries are VLAN-scoped unless bridged.

MAC Aging Timer

Dynamic MAC entries expire after an inactivity timer so the switch can relearn and free CAM space.

Key Insight

Only dynamic entries age out (Cisco default: 300 s of inactivity); static entries persist. A port going down flushes the dynamic entries learned on it immediately, and an STP topology change shortens aging for the whole VLAN, so stale entries rarely survive a change in the physical path.

Often Confused With

Static MAC entries, Port security (sticky MAC)

Common Mistakes

  • Thinking a link flap leaves the port's entries in place until the timer expires: a link-down event removes the dynamic entries learned on that port at once, so the next frames to those MACs flood until they are relearned.
  • Expecting static MACs to age out: static entries remain until removed from the configuration.
  • Treating the aging timer as one countdown: the configured aging time is global (or per VLAN), but each dynamic entry tracks its own last-seen time and resets whenever a frame from that MAC arrives.
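The MAC-table behaviour from the two switching entries above (per-VLAN lookup, forward/filter/flood, aging, link-down flush) in a small simulator. This is an added example, not part of the cheat sheet and not vendor code: the `Switch` class, its port names and MAC addresses are constructed, and the `capacity` parameter is there to show why unknown-unicast flooding matters for security: once the table is full, new MACs stay unlearned and frames to them flood the VLAN, which is what port security's MAC limit exists to prevent.

```python
"""VLAN-scoped MAC learning, forwarding, aging and flushing (added example, not from
the cheat sheet or any vendor). Models the behaviour the switching sections describe,
including what happens when the table fills up."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports: dict, aging: int = 300, capacity: int = 8192):
        self.ports = dict(ports)        # port -> access VLAN (constructed topology)
        self.aging = aging              # seconds of inactivity before a dynamic entry goes
        self.capacity = capacity        # CAM size: real switches have a hard limit too
        self.table = {}                 # (vlan, mac) -> {"port", "last_seen", "static"}

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.table[(vlan, mac)] = {"port": port, "last_seen": None, "static": True}

    def lookup(self, vlan: int, mac: str):
        entry = self.table.get((vlan, mac))
        return entry["port"] if entry else None

    def _age_out(self, now: int) -> None:
        expired = [k for k, e in self.table.items()
                   if not e["static"] and now - e["last_seen"] >= self.aging]
        for k in expired:
            del self.table[k]

    def _learn(self, vlan: int, mac: str, port: str, now: int) -> None:
        key = (vlan, mac)
        entry = self.table.get(key)
        if entry is not None:
            if not entry["static"]:          # dynamic entries follow the MAC and reset their timer
                entry["port"], entry["last_seen"] = port, now
        elif len(self.table) < self.capacity:
            self.table[key] = {"port": port, "last_seen": now, "static": False}
        # else: table full, the MAC stays unlearned and traffic to it keeps flooding

    def receive(self, port: str, src: str, dst: str, now: int) -> list:
        """Return the egress port list for one frame: forward, filter (drop) or flood."""
        vlan = self.ports[port]
        self._age_out(now)
        self._learn(vlan, src, port, now)
        same_vlan = sorted(p for p, v in self.ports.items() if v == vlan and p != port)
        if dst == BROADCAST:
            return same_vlan
        entry = self.table.get((vlan, dst))    # the lookup is scoped to the ingress VLAN
        if entry is None:
            return same_vlan                    # unknown unicast: flood within the VLAN
        if entry["port"] == port:
            return []                           # destination sits behind the ingress port: filter
        return [entry["port"]]

    def link_down(self, port: str) -> None:
        """Dynamic entries learned on a port are flushed as soon as it goes down."""
        for k in [k for k, e in self.table.items() if e["port"] == port and not e["static"]]:
            del self.table[k]


if __name__ == "__main__":
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20}, aging=300)
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    print(sw.receive("Fa0/1", A, B, now=0))      # ['Fa0/2']  B unknown: flood VLAN 10 only
    print(sw.receive("Fa0/2", B, A, now=1))      # ['Fa0/1']  A known on Fa0/1
    print(sw.receive("Fa0/3", C, A, now=2))      # ['Fa0/4']  A is not known in VLAN 20
    print(sw.receive("Fa0/1", A, B, now=400))    # ['Fa0/2']  B aged out after 300 s idle
    sw.link_down("Fa0/1")
    print(sw.lookup(10, A))                      # None: flushed on link-down, not by the timer
```

Run the same frames through `Switch({...}, capacity=2)` and a third source MAC is never learned; every frame addressed to it floods the VLAN, reaching any host that cares to listen. That is the mechanism behind CAM-overflow attacks, and it is the reason port security caps the number of MACs a port may learn.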

Network Access

20%

Inter-VLAN Routing (SVI vs Router-on-a-Stick)

Route traffic between VLANs via L3 switch SVIs or router subinterfaces (router‑on‑a‑stick); required for cross‑VLAN comm

Key Insight

You must provide an L3 gateway per VLAN: SVIs scale and distribute forwarding; router‑on‑a‑stick uses subinterfaces on a trunk and can be a single‑hop

Often Confused With

  • Layer 2 switching
  • SVI
  • Router-on-a-stick

Common Mistakes

  • Expecting a pure L2 switch to route between VLANs
  • Believing multiple IPs on a host replace the need for an SVI/router
  • Configuring router‑on‑a‑stick without matching 802.1Q trunk encapsulation

Voice VLAN (Tagged Voice, Untagged Data)

Dedicated VLAN on access ports: IP phones tag voice frames while attached PCs use the untagged access VLAN to separate &

Key Insight

Voice VLAN isolates voice traffic and signaling but does NOT provide QoS — still configure DSCP/COS trust and bandwidth/priority on ports

Often Confused With

  • Access VLAN
  • Native VLAN
  • QoS

Common Mistakes

  • Assuming voice VLAN removes the need to configure QoS
  • Using the same VLAN ID for voice and data on phone ports
  • Forgetting to enable phone tagging (CDP/LLDP or manual switch config) on the access port

Trunk Verification — show commands

Run show interfaces trunk, show interface switchport, and show vlan together to confirm trunk state, native and allowed‑

Key Insight

No single command shows everything — correlate switchport (mode), interfaces trunk (tagged/allowed/native) and show vlan (membership).

Often Confused With

  • show vlan
  • show running-config

Common Mistakes

  • Using show vlan to determine trunk status — it shows VLAN membership only.
  • Relying on one show command; failing to correlate switchport + interfaces trunk + vlan outputs.

Trunk vs Access Ports — single vs multi-VLAN

Access ports carry one untagged VLAN for hosts; trunks carry multiple VLANs and tag frames (native VLAN untagged).

Key Insight

Native VLAN is untagged — native or allowed‑VLAN mismatches break interswitch traffic even if the trunk shows up.

Often Confused With

  • Dynamic Trunking Protocol (DTP)
  • Voice VLAN

Common Mistakes

  • Configuring multiple VLANs on an access port and expecting trunk behavior.
  • Assuming trunks tag every VLAN — native VLAN is untagged; mismatch causes silent failures.
  • Leaving DTP enabled and accidentally forming trunks with neighbors.

CDP Neighbor Table

Cisco Layer‑2 neighbor DB: device ID, local/remote interfaces, holdtime, platform, capabilities — use for topology checks

Key Insight

Shows only Layer‑2 neighbors and transient entries that expire by holdtime — not routing adjacencies or permanent records

Often Confused With

  • LLDP neighbor table
  • MAC address table

Common Mistakes

  • Treating CDP entries as routing adjacencies
  • Assuming entries are permanent; they expire per holdtime
  • Expecting discovery from non‑Cisco devices (CDP is Cisco‑proprietary)

LLDP Configuration & TLVs

Enable/tune LLDP globally or per‑interface: set tx/recv behavior, timers and TLVs for multi‑vendor Layer‑2 discovery

Key Insight

Vendor‑neutral but vendor CLIs/features differ; enabling LLDP does NOT auto‑enable LLDP‑MED — match tx/hold and TLVs with peers

Often Confused With

  • CDP
  • LLDP‑MED

Common Mistakes

  • Assuming LLDP commands/settings are identical across vendors
  • Thinking 'enable LLDP' automatically enables LLDP‑MED features
  • Changing timers globally but forgetting interface‑level enable/disable

L2 vs L3 Port-Channel — Switchport vs Routed

Port-channel runs as Layer‑2 (switchport/trunk carrying VLANs) or Layer‑3 (routed with IP); members must match.

Key Insight

Members must share type — all switchport for L2 OR all no‑switchport for L3; IPs belong on the port‑channel, not on members.

Often Confused With

  • SVI (Switch Virtual Interface)
  • Individual routed physical ports

Common Mistakes

  • Mixing L2 and L3 member ports — prevents port-channel formation.
  • Putting an IP on physical members instead of the port-channel.
  • Assuming member configs (like trunk mode) are automatically consistent.

EtherChannel Bundle Failures — Quick Troubleshoot

Links remain suspended when protocol, speed/duplex, trunk/native/allowed VLANs, or L2/L3 mismatches exist.

Key Insight

A single mismatch on a candidate port blocks bundling; 'suspended' indicates trouble — use show etherchannel summary/detail and interface runs to find

Often Confused With

  • PAgP (Port Aggregation Protocol)
  • Spanning Tree (STP)

Common Mistakes

  • Assuming one mismatch is ignored — any mismatch can stop bundling.
  • Configuring both ends LACP passive — passive+passive won't form a session.
  • Ignoring STP — STP can place member ports into blocking after bundle events.

RPVST+ show — Root, Roles & Port States

Use 'show spanning-tree vlan <id>' to read Root ID, Bridge ID, per‑VLAN root port, port roles, priority and path cost.

Key Insight

STP output is per‑VLAN in RPVST+: root/port roles can differ VLAN‑by‑VLAN — always read the VLAN header and Root ID lines first.

Often Confused With

  • Root bridge election
  • Port roles/states

Common Mistakes

  • Assuming bridge ID == Root ID means the switch is root for all VLANs — must check each VLAN section.
  • Treating any 'blocked' port as a protection event — it may be normal designated blocking.
  • Reading global summary only and missing per‑VLAN root and port entries.

Root Bridge Election (RPVST+ — per VLAN)

Lowest bridge priority wins; lowest MAC breaks ties — election runs independently for each VLAN in Rapid PVST+.

Key Insight

Priority decides the root; MAC is only a tiebreaker — interface path cost or port settings do NOT influence root selection.

Often Confused With

  • Interface path cost
  • Port priority

Common Mistakes

  • Believing lowest MAC always wins — bridge priority is evaluated first.
  • Thinking changing interface costs affects root selection — it does not.
  • Assuming a priority change is global for all VLANs without verifying per‑VLAN configuration.

Lightweight AP (CAPWAP‑managed)

AP that offloads control to a WLC over CAPWAP; data forwarding behavior depends on AP mode.

Key Insight

Control plane lives on the WLC; data plane may be tunneled to WLC or locally switched (FlexConnect exception).

Often Confused With

  • Autonomous AP
  • FlexConnect mode

Common Mistakes

  • Calling LWAP 'dumb' — it still handles local functions and client traffic in some modes.
  • Assuming all client traffic is always CAPWAP‑tunneled — FlexConnect/local switching can avoid tunneling.
  • Forgetting CAPWAP/DTLS requirements (WLC certs and time) when troubleshooting joins.

AP Join Process: Discover → DTLS → Config

Sequence an AP follows to find, authenticate to, and download config from a WLC (discovery, CAPWAP/DTLS, config).

Key Insight

Discovery uses multiple methods (broadcast, DHCP option 43, DNS, static); DTLS/auth and cert validation are common failure points.

Often Confused With

  • CAPWAP discovery
  • DTLS authentication

Common Mistakes

  • Thinking discovery is broadcast‑only — DHCP option 43, DNS and static IP are valid paths.
  • Assuming WLC reachability guarantees a join — auth, cert or NTP/time issues can block it.
  • Skipping DNS/controller name resolution checks when using DNS discovery.

WLC (Wireless LAN Controller) — Central WLAN Control

Manages APs and policies; can locally switch or tunnel client traffic and needs management/data VLANs on trunks.

Key Insight

Local vs central switching changes where client VLANs terminate—ensure switch trunks carry management + SSID VLANs.

Often Confused With

  • Access Point (AP)
  • Cloud-managed WLAN

Common Mistakes

  • Assuming WLC always forwards client traffic locally.
  • Skipping VLAN/trunk config for management and SSID traffic on upstream switches.
  • Putting WLC and APs in different subnets without correct gateway/routing.

PoE Standards (802.3af/at/bt) & Budgeting

Power APs over Ethernet—match AP watt draw and power class to switch per-port type and total power budget.

Key Insight

Per-port wattage, device power class, and the switch's total budget limit how many APs can run; negotiation method (LLDP/Cisco) affects delivery.

Often Confused With

  • Passive PoE
  • 802.3at (PoE+) vs 802.3bt (PoE++)

Common Mistakes

  • Assuming any PoE port can supply required watts—ignore per-port and total switch budget at your peril.
  • Relying on auto-negotiation to always succeed—legacy APs or bad cables can prevent power.
  • Overlooking PoE mode (LLDP vs Cisco) and per-port limits when mixing vendor gear.

AAA — Authentication, Authorization, Accounting

Centralized control of who logs in, what they can do, and audit trails — essential for secure, auditable admin access.

Key Insight

Authentication = who; Authorization = what they can do; Accounting = what they did — all three must be enforced to maintain security and auditability.

Often Confused With

  • RADIUS
  • TACACS+
  • local user database

Common Mistakes

  • Treating AAA as only authentication and skipping authorization/accounting.
  • Assuming AAA automatically encrypts credentials; pick/configure secure protocol (TACACS+, RADIUS with TLS).
  • Using local fallbacks without accounting — you lose centralized audit trails.

Console Port — OOB Serial Management

Local out-of-band serial interface used for first-time setup, recovery, and emergency access — physical access required.

Key Insight

Console is local OOB access (serial) — not reachable over the network unless routed through a console server; use for initial config and password-recv

Often Confused With

  • SSH
  • Telnet
  • AUX port

Common Mistakes

  • Assuming console is reachable remotely by default; it's local-only unless a console server is used.
  • Believing console traffic is encrypted; serial is not encrypted — use SSH/VPN for secure remote access.

SSID → VLAN Mapping (WLAN → VLAN / RADIUS)

Bind a WLAN/SSID to a VLAN tag or RADIUS-assigned VLAN so wireless traffic is segmented and policed.

Key Insight

SSID points traffic to a VLAN/tag only; VLAN subnet, SVI and DHCP must exist upstream—SSID won't auto-create a subnet.

Often Confused With

  • RADIUS dynamic VLAN
  • Native VLAN
  • VLAN trunking

Common Mistakes

  • Assuming an SSID auto-creates a unique IP subnet—SVI/DHCP needed on switch/router
  • Believing every client on an SSID will always land in the same VLAN—RADIUS can assign per-user VLANs
  • Mixing up SSID name and VLAN tag—ensure AP switch port trunk/native settings match the tag

WMM & DSCP Mapping (Wireless QoS)

Map DSCP to 802.11 user priorities and WMM Access Categories; use airtime policies to favor voice/video.

Key Insight

WMM is a local Wi‑Fi priority mechanism; true end‑to‑end QoS needs DSCP↔802.1p mapping across AP → switch → router.

Often Confused With

  • Airtime policies
  • Wired QoS (DSCP/802.1p)

Common Mistakes

  • Thinking WMM alone guarantees end-to-end QoS—wired QoS markings and trust must be aligned
  • Expecting DSCP values to always be preserved across wireless bridges—mapping or rewrites can change them
  • Treating airtime fairness as the same as WMM—they prioritize different layers and traffic metrics

IP Connectivity

25%

Network Prefix (CIDR /n)

Destination network in CIDR form (e.g., 192.168.1.0/24); used for route matching and longest‑prefix decisions.

Key Insight

Prefix length = number of network bits; when multiple routes match, the largest /n (most bits) wins.

Often Confused With

  • prefix-length notation
  • dotted-decimal subnet mask

Common Mistakes

  • Reading /24 as 24 hosts — it denotes 24 network bits, not host count.
  • Assuming a shorter prefix (smaller /n) is more specific; longest /n is chosen.

Prefix-Length Notation (/n — CIDR)

/n is the count of leading 1 bits in the mask (network bits); essential for subnet math and route specificity.

Key Insight

Higher /n = more network bits = smaller subnet and more specific route; convert to dotted mask for calculations.

Often Confused With

  • network prefix and prefix length
  • dotted-decimal subnet mask

Common Mistakes

  • /n is mask length (network bits), not the number of hosts.
  • Thinking larger /n gives a larger network — larger /n means smaller subnet.

Next‑Hop Reachability (ARP / ND)

Confirm next-hop has an L2 mapping (ARP for IPv4, ND for IPv6) and outgoing interface is up — otherwise packets drop.

Key Insight

A RIB entry alone doesn't forward traffic — FIB + adjacency (ARP/ND) + interface/up state are required for egress.

Often Confused With

  • RIB vs FIB
  • ARP cache
  • Neighbor Discovery (ND)

Common Mistakes

  • Treating a RIB route as proof traffic can be forwarded; skipping ARP/ND checks
  • Ignoring ARP/ND failures — route stays installed but packets are dropped

Routing Metric (cost / hop / bandwidth)

Protocol-specific cost (hop count, bandwidth, delay, etc.) used to pick the best path among routes from the same routing

Key Insight

Metrics are only comparable inside the same protocol; Administrative Distance decides which protocol's route wins first.

Often Confused With

  • Administrative Distance (AD)
  • Inter-protocol metric comparison
  • Metric vs route preference

Common Mistakes

  • Comparing OSPF cost to EIGRP metric as if they're equivalent
  • Choosing lower metric without checking Administrative Distance
  • Assuming metric units are uniform (hop count ≠ bandwidth cost)

Default Route — Gateway of Last Resort

Catch‑all static route (IPv4 0.0.0.0/0, IPv6 ::/0) used when no more specific route exists.

Key Insight

Only used if no longer match exists; must resolve to a reachable next‑hop or exit interface; specific routes beat it.

Often Confused With

  • specific static route
  • floating static route

Common Mistakes

  • Thinking default is IPv4‑only — IPv6 default is ::/0 too.
  • Expecting default to override specific routes — longest‑prefix wins.
  • Configuring a next‑hop that isn't resolvable; router ignores the default.

Longest‑Prefix Match (Most Specific Wins)

Routers forward using the routing table entry with the most specific matching prefix (most mask bits).

Key Insight

Most specific prefix (largest prefix length) is chosen first; AD/metrics only break ties among equal prefixes.

Often Confused With

  • administrative distance
  • default route

Common Mistakes

  • Thinking administrative distance beats prefix length when prefixes differ.
  • Believing 0.0.0.0/0 overrides /24 — /24 (longer prefix) wins.

OSPF Network Types & DR Behavior

Interface types (broadcast, P2P, P2M, NBMA) determine adjacency model and DR/BDR behavior.

Key Insight

Broadcast and point-to-multipoint elect DR/BDR; point-to-point never elects a DR; NBMA may need manual neighbor or emulate broadcast.

Often Confused With

  • OSPF adjacency states
  • DR/BDR election

Common Mistakes

  • Assuming point-to-point links elect a DR — they do not; adjacencies form directly.
  • Treating all multiaccess links the same — NBMA and broadcast differ in neighbor discovery and DR rules.
  • Forgetting NBMA needs static neighbors or proper network type to form adjacencies.

OSPF Show/Debug — Read Outputs Fast

Key show/debug commands to verify neighbors, interfaces, LSDB (LSAs), and which OSPF routes are installed.

Key Insight

'show ip route' shows installed OSPF routes (RIB); 'show ip ospf database' shows LSAs; 'show ip ospf neighbor' shows all neighbor states (NOT only FULL

Often Confused With

  • RIB vs LSDB
  • OSPF neighbor states

Common Mistakes

  • Relying on 'show ip route' to view LSDB details — use 'show ip ospf database' for LSAs.
  • Expecting 'show ip ospf neighbor' to list only FULL adjacencies — it shows all neighbor states.
  • Ignoring 'show ip ospf interface' output (timers/MTU) that often explains adjacency failures.

First-Hop Redundancy (Virtual Gateway)

Virtual default gateway (IP+MAC) so hosts keep a next-hop when the physical router fails.

Key Insight

Hosts rely on the virtual IP/MAC — FHRP ensures gateway availability, not route selection.

Often Confused With

  • Routing protocols
  • VRRP
  • GLBP

Common Mistakes

  • Expecting hosts to switch to a physical router IP without a virtual gateway
  • Confusing FHRP with routing protocols; FHRP doesn't exchange or choose routes
  • Assuming instant failover — timers and preemption determine switchover behavior

HSRP — Cisco Active/Standby FHRP

Cisco proprietary FHRP that elects an active and standby router using a shared virtual IP/MAC.

Key Insight

HSRP is active/standby by default; true load‑sharing requires extra steps (GLBP or multiple groups).

Often Confused With

  • VRRP
  • GLBP
  • First-Hop Redundancy

Common Mistakes

  • Expecting HSRP to load-balance traffic by default; it's active/standby unless you use other techniques
  • Applying v1 commands to v2 (and vice versa) — HSRP versions differ in behavior and config
  • Forgetting to enable preemption on the preferred router so it can reclaim active status

IP Services

10%

NAT Translations — show ip nat translations

Displays active NAT translation entries: inside/outside local & global IPs and ports for verification.

Key Insight

Shows only active (live) translations; a blank table usually means no matching traffic, not misconfig.

Often Confused With

  • show ip nat statistics
  • clear ip nat translation
  • debug ip nat translation

Common Mistakes

  • Assuming output shows historical translations — it lists only active mappings.
  • Treating an empty table as misconfiguration — there may be no matching traffic yet.
  • Expecting immediate entries right after config — translations require matching traffic.

Inside-source Static NAT (one-to-one)

One-to-one mapping that translates an inside-local IP to a fixed inside-global IP so the host is reachable externally.

Key Insight

Static inside-source fixes only the source IP (one-to-one); it won't rewrite destinations or ports unless explicitly configured.

Often Confused With

  • dynamic NAT
  • PAT (overload)

Common Mistakes

  • Believing static inside-source rewrites destination traffic — it's source-only.
  • Expecting port translation by default — static maps keep ports unless you configure port mapping.
  • Omitting a route to the global IP on the outside network; static NAT doesn't create routes.

NTP Server Selection & Redundancy

Choose multiple geographically and stratum-diverse NTP servers (odd count) for reliable UTC sync.

Key Insight

Use ≥3 diverse servers (odd number); mix stratum 1/2; time zones don't matter—NTP uses UTC.

Often Confused With

  • Time zones
  • NTP authentication

Common Mistakes

  • Choosing servers by time zone (irrelevant — NTP uses UTC)
  • Assuming more servers always improves accuracy; conflicts can cause instability
  • Using only same-stratum servers; include mixed stratum for hierarchy/redundancy

Interpreting 'show ntp status'

Check 'Clock is synchronized', stratum, reference, offset and root delay to assess NTP health and accuracy.

Key Insight

'Clock is synchronized' means linked to a source; offset/rootdelay show real accuracy; stratum shows distance.

Often Confused With

  • show clock
  • ntp associations

Common Mistakes

  • Treating 'Clock is synchronized' as perfect accuracy — it only means synced to a source
  • Misreading stratum: larger number = further from authoritative source
  • Ignoring offset/root delay; small offset (<1ms) indicates good sync

DNS Record Types — A/AAAA/CNAME/PTR/MX/SRV

Maps names to IPs and services: A/AAAA IPs, CNAME alias, PTR reverse, MX mail host, SRV service locators.

Key Insight

CNAME is a pure alias and must be the only record for that name; MX points to a mail server hostname, not an email address.

Often Confused With

  • CNAME
  • A/AAAA
  • PTR

Common Mistakes

  • Thinking CNAME can coexist with other records for the same name.
  • Putting an email address in an MX record instead of the mail server hostname.
  • Expecting PTR records in forward zones instead of reverse (in-addr.arpa / ip6.arpa).

DNS Transport & Port — UDP 53 / TCP 53

DNS uses UDP/53 for normal lookups; TCP/53 is used for zone transfers and responses too large/truncated for UDP.

Key Insight

UDP is the default for speed; TCP is required for AXFR/zone transfers or when responses exceed UDP/EDNS0 limits—firewalls must allow both.

Often Confused With

  • UDP
  • TCP
  • EDNS0

Common Mistakes

  • Believing DNS uses only UDP and blocking TCP/53.
  • Assuming different DNS record types use different port numbers.
  • Ignoring EDNS0: large UDP responses may change behavior but can still fall back to TCP or hit MTU/firewall limits.

SNMP Agent vs Manager (Collector)

Agents on devices expose MIB data; managers poll, receive notifications (traps/informs), and store/visualize it.

Key Insight

Managers initiate GET/GETNEXT polls; agents only respond or send agent-initiated traps/informs.

Often Confused With

  • Syslog
  • NetFlow

Common Mistakes

  • Thinking agents poll the manager — managers send GETs; agents reply or send traps.
  • Assuming a single central manager is required — distributed collectors/hierarchies are valid.
  • Believing traps are always reliable — use INFORM for acknowledgements.

SNMP Versions: v1, v2c, v3

v1/v2c use community strings (no real auth/enc); v3 adds user-based auth and optional encryption — config required.

Key Insight

v1/v2c lack strong security; SNMPv3 provides auth/privacy only after you configure users, auth, and priv.

Often Confused With

  • SNMP v2c
  • SNMP v3

Common Mistakes

  • Assuming v2c is 'secure' compared to v1 — both use community strings and lack strong security.
  • Believing v3 is secure by default — you must enable/configure users, auth algorithms, and privacy.
  • Confusing 'v2' vs 'v2c' naming — use 'v2c' when referencing community-string based v2.

Syslog Severity (0–7) — Urgency Scale

Numeric urgency scale 0 (emergency) → 7 (debug); use to prioritize alerts and filters.

Key Insight

Lower number = higher urgency (0 is top). Use severity for alert priority, not as a root-cause label.

Often Confused With

  • facility code
  • priority value (PRI)

Common Mistakes

  • Reading higher number as higher priority (0 is most urgent)
  • Using severity to identify exact cause instead of urgency
  • Ignoring 'debug' messages that can show config/runtime issues

PRI — Facility*8 + Severity (Syslog Header)

Compact header number encoding facility and severity; PRI = facility×8 + severity.

Key Insight

Decode PRI: facility = floor(PRI/8); severity = PRI mod 8 — decode before filtering/alerting.

Often Confused With

  • syslog severity level
  • facility code

Common Mistakes

  • Treating PRI as an arbitrary tag instead of encoded facility+severity
  • Assuming PRI identifies the device or app
  • Filtering on PRI value without decoding => wrong facility/severity matches

DHCP Relay Agent — GIADDR & Option 82

Forwards DHCP broadcasts across subnets by inserting GIADDR; may add Option 82 for circuit info.

Key Insight

Relay sets GIADDR to the client-facing interface IP (server uses it to pick the subnet) and may append Option 82; it does NOT change the client's IP.

Often Confused With

  • DHCP Server
  • DHCP Snooping

Common Mistakes

  • Thinking relay changes the client's source IP — it sets GIADDR but leaves client source IP intact.
  • Assuming relay forwards DHCP unchanged — it inserts GIADDR and can add Option 82 (circuit info).

DHCP Message Flow — DISCOVER→OFFER→REQUEST→ACK

Core DHCP packets and roles: DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE — know who sends and why.

Key Insight

Client broadcasts DISCOVER; server replies with OFFER; client sends REQUEST to accept; server's ACK finalizes the lease — OFFER is a proposal, ACK is

Often Confused With

  • BOOTP
  • ARP

Common Mistakes

  • Assuming client always sends DISCOVER directly to server — initial DISCOVER is broadcast or sent via relay (uses GIADDR).
  • Mixing OFFER and ACK — OFFER proposes a lease; ACK commits it (NAK denies).

PHB Types — EF / AF / BE

Standardized per‑hop behaviors: Expedited Forwarding, Assured Forwarding, Best Effort; dictates queuing/drop treatment.

Key Insight

EF gives low-latency/loss only with bandwidth+policing; AF = classes + 3 drop‑precedences; BE = no guarantees.

Often Confused With

  • IntServ
  • Queuing/Scheduling

Common Mistakes

  • Treating EF as a magic pipe — it helps only if bandwidth and policing support it.
  • Assuming AF is single‑priority — AF has classes and 3 drop‑precedence levels.
  • Expecting BE to provide any delivery guarantees.

Packet Marking — DSCP / IP Precedence / 802.1p

Tag packets with DSCP, IP Precedence or 802.1p CoS to signal desired PHB; marks must be trusted and mapped to matter.

Key Insight

Marking is intent signaling — devices must be configured to trust/translate marks (L2 CoS ↔ L3 DSCP) for end‑to‑end effect.

Often Confused With

  • Traffic classification
  • 802.1p CoS

Common Mistakes

  • Assuming marking alone guarantees treatment — nodes may ignore or remark packets.
  • Interchanging DSCP and CoS without mapping — L2/L3 translations are required.

SSH (Secure Shell) — Remote Mgmt & Tunneling

Encrypted remote administration, SFTP and port forwarding; preferred over Telnet for device management.

Key Insight

SSH secures the transport (interactive shell, SFTP, tunnels) but does NOT protect compromised endpoints.

Often Confused With

  • Telnet
  • SCP
  • SSL/TLS

Common Mistakes

  • Thinking SSH is only for file transfers — it also provides interactive shells and port forwarding.
  • Assuming SSH protects endpoints — it only encrypts the transport channel.

SSH Verification & Troubleshooting

Verify with operational commands, a real client attempt, and logs on both client and device to find failures.

Key Insight

Config presence ≠ working: always confirm with show ip ssh/show sessions, an actual SSH client test, and both-side logs.

Often Confused With

  • show running-config
  • operational show commands
  • client-side logs

Common Mistakes

  • Relying only on show running-config to assume SSH is operational.
  • Checking only device-side logs and ignoring client-side error messages.
  • Skipping an actual SSH client test and using ping/config checks alone.

Image & Config Transfer (TFTP/FTP/SCP/HTTP)

Transfer OS images and configs via TFTP/FTP/HTTP/SCP; stage images, verify checksums, then set boot and reload.

Key Insight

Boot order + checksum matter: correct boot system filename/location and MD5 verification prevent ROMMON fallbacks.

Often Confused With

  • Bootloader/ROMMON recovery
  • SCP/SFTP

Common Mistakes

  • Assuming any protocol can bootstrap — ROMMON or boot commands may require specific access methods
  • Skipping MD5/checksum after transfer — corrupted images lead to boot failure
  • Forgetting to write running-config to startup-config before backing up or restoring

FTP/TFTP Firewall & NAT Gotchas

FTP uses TCP/21 plus dynamic data channels (active/passive); TFTP uses UDP/69 then ephemeral UDP ports — NAT/firewalls/

Key Insight

FTP needs ALG or pinholes for the data channel; TFTP uses ephemeral UDP ports so permitting UDP/69 alone will still fail transfers.

Often Confused With

  • FTP active vs passive
  • SFTP (SSH File Transfer)

Common Mistakes

  • Opening only TCP/21 and expecting FTP data connections to succeed
  • Assuming TFTP uses only UDP/69 — ignores ephemeral transfer ports
  • Relying on NAT without FTP/TFTP ALG or explicit dynamic port handling

Security Fundamentals

15%

Vulnerability — The Weak Link

A flaw in systems, configs, or processes attackers can exploit to compromise assets.

Key Insight

It's the weakness (not the attack) — map vulnerability → exploit → impact to prioritize fixes.

Often Confused With

  • exploit
  • threat

Common Mistakes

  • Calling an exploit a vulnerability (weakness ≠ attack mechanism)
  • Assuming vulnerabilities are only software bugs; configs and processes count
  • Fixing code only while ignoring misconfigurations and process gaps

Threat — Potential Source of Harm

An actor, event, or condition that can potentially cause harm; it's about possibility, not a breach.

Key Insight

Threat = potential cause; risk = likelihood of threat × presence of vulnerability × impact.

Often Confused With

  • attack
  • vulnerability

Common Mistakes

  • Treating a threat as an actual breach or incident
  • Assuming threats are only external — overlooking insiders and supply-chain risks
  • Focusing on motive alone and ignoring capability/likelihood

Physical Access Control (Locks, Badges, Biometrics)

Hardware and procedures (locks, badges, biometrics) that limit facility/asset entry; choose by risk and auditability.

Key Insight

Balance deterrence, detection and audit: badges give logs, biometrics verify ID; pick fail‑secure vs fail‑safe per asset.

Often Confused With

  • Logical access control
  • Network Access Control (NAC)

Common Mistakes

  • Treating physical security as separate from IT
  • Relying solely on biometrics as a foolproof factor
  • Selecting controls by cost alone, ignoring failure mode and logging

Security Awareness Training (Continuous & Measured)

Ongoing, role-based user education (phishing sims, microlearning) to reduce human-driven incidents and provide metrics.

Key Insight

Make training continuous, role-specific and measurable — use simulated phishing and tracking metrics to prove impact.

Often Confused With

  • Security policies
  • Technical controls

Common Mistakes

  • Relying on one annual training session to change behavior
  • Assuming technical controls remove the need for user training
  • Using generic content instead of role-based, scenario-driven exercises

Local User Account (username + secret, priv level)

Device-local admin accounts (username + secret) used to authenticate admins and assign privilege levels.

Key Insight

User exists but has no admin rights unless given privilege (e.g., 15) or mapped to an admin role.

Often Confused With

  • enable secret
  • AAA server (RADIUS/TACACS+)

Common Mistakes

  • Assuming creating a user auto-grants full admin — must set privilege or role
  • Using 'password' (clear) instead of 'secret' (hashed) for admin accounts
  • Expecting local users to sync across devices — they're local only

Line Passwords & login local (console / vty binding)

Bind console/VTY login to the local user DB with 'login local'; line passwords alone don't secure SSH access.

Key Insight

'login local' forces username/password auth from local DB; plain 'login' uses the line password instead.

Often Confused With

  • enable password
  • SSH configuration

Common Mistakes

  • Thinking a line password alone secures SSH — SSH requires users, 'login local' and SSH enabled
  • 'login local' authenticates with usernames, not the enable password
  • Forgetting 'transport input ssh' and crypto keys when enabling SSH access

Password Complexity Rules

Composition rules (length, char classes, banned patterns) — tradeoff: strength vs usability on devices/systems.

Key Insight

Length and unpredictability matter more than forced character tricks; prefer long passphrases, breached-password checks, or MFA.

Often Confused With

  • Password expiration policy
  • Account lockout policy
  • Password hashing and salt

Common Mistakes

  • Believing more required character classes always equals stronger passwords
  • Relying on complexity alone; ignores reuse, breaches, and credential stuffing
  • Forcing short complex passwords instead of encouraging long passphrases

Password Hashing + Salt

Store passwords as one-way hashes with a unique per-user salt and an adaptive KDF to prevent cracking.

Key Insight

Salt makes identical passwords produce different hashes; use slow/adaptive algorithms (bcrypt/scrypt/Argon2), not fast hashes.

Often Confused With

  • Encryption
  • Pepper
  • Password complexity requirement

Common Mistakes

  • Storing unsalted hashes — vulnerable to rainbow-table attacks
  • Using fast hashes (MD5/SHA1) instead of adaptive KDFs like bcrypt/Argon2
  • Assuming hashing alone stops credential stuffing or reuse across breached sites

IPsec VPN: Secure Remote & Site-to-Site Links

Encrypts/authenticates IP traffic to protect confidentiality, integrity, and endpoints for remote-access or site-to-site

Key Insight

Remote-access = client↔gateway (user); site-to-site = gateway↔gateway (networks); IPsec protects payloads but not all packet metadata

Often Confused With

  • SSL VPN
  • GRE tunnel
  • MPLS VPN

Common Mistakes

  • Assuming IPsec hides all packet metadata (it encrypts payload, not all headers)
  • Believing IPsec is only for corporate on‑prem links — it's also used for cloud and branch connectivity
  • Mixing up remote‑access (user/client) with site‑to‑site (gateway/gateway) roles

AH vs ESP (Authentication Header vs Encapsulating Security Payload)

AH = integrity/authentication only; ESP = confidentiality plus optional integrity/authentication; ESP tolerates NAT

Key Insight

AH authenticates headers/payload but provides no encryption and breaks NAT; ESP provides encryption (and can add integrity/auth) and is NAT‑friendly

Often Confused With

  • IPsec Transport Mode
  • IPsec Tunnel Mode
  • TLS/SSL

Common Mistakes

  • Thinking AH encrypts packets (it does not)
  • Assuming ESP always encrypts and authenticates — ESP can be configured without encryption
  • Trying to use AH through NAT — NAT changes headers AH protects, so it will fail

ACL Verify: global vs per-interface

Exact IOS show commands to list ACL entries, hit counters, and which interfaces/directions use them.

Key Insight

show access-lists / show ip access-lists shows ACL entries and aggregate hit counts; use show ip interface <iface> to see which ACL/direction is bound

Often Confused With

  • show running-config
  • show ip interface

Common Mistakes

  • Expecting show access-lists to give per-interface hit counts — counts are aggregated across bindings.
  • Relying only on show ip access-list NAME and missing which interface/direction it’s applied to.
  • Forgetting to use show ip interface <iface> to confirm the ACL and per-interface stats.

Extended ACL — protocol & port filters

IPv4 ACL that matches source, destination, protocol and ports for service-level control; placement and order matter.

Key Insight

Extended ACLs inspect L3/L4 (protocol + ports); matching is first-match—place them near the traffic source to block unwanted flows early.

Often Confused With

  • standard access control list
  • named ACLs

Common Mistakes

  • Assuming extended ACLs only match IP addresses — they also match protocol and TCP/UDP ports.
  • Trying to use port operators on ICMP — ICMP uses types/codes, not TCP/UDP ports.
  • Placing extended ACLs at the destination by default — usually place near the source to filter early.

DHCP Snooping — DHCP Binding Guard

Switch feature that filters DHCP messages and builds MAC–IP–VLAN–port bindings to block rogue servers.

Key Insight

Must enable globally and per-VLAN; mark DHCP server/uplink ports as trusted; bindings enable DAI/IPSG.

Often Confused With

  • Port Security
  • IP Source Guard (IPSG)
  • Dynamic ARP Inspection (DAI)

Common Mistakes

  • Thinking it blocks all DHCP on untrusted ports — it still allows legitimate client requests.
  • Assuming it's enabled by default — you must enable it on the switch and per VLAN.
  • Forgetting to mark the DHCP server/uplink as trusted — valid server replies get blocked.

DHCP Snooping → DAI: Binding Dependency

DAI uses DHCP snooping's MAC–IP bindings to validate ARP; absent bindings can cause valid ARP to be dropped.

Key Insight

DAI will drop ARP when no snooping bindings exist — populate bindings (DHCP or static) before enabling DAI.

Often Confused With

  • Dynamic ARP Inspection (DAI)
  • IP Source Guard (IPSG)
  • Port Security

Common Mistakes

  • Assuming DAI works independently of DHCP snooping — it often relies on the binding DB.
  • Believing enabling DAI auto-creates snooping bindings — it does not.
  • Turning on DAI without populated bindings — you will block legitimate ARP traffic.

RADIUS — Remote Authentication Dial‑In User Service (UDP)

UDP AAA protocol (auth + accounting) for network access (802.1X, VPN); encrypts only passwords, uses shared secret.

Key Insight

Runs over UDP (ports 1812/1813); only the password in Access‑Request is encrypted — other attributes are cleartext. Use TACACS+ for per‑command device

Often Confused With

  • TACACS+
  • Diameter

Common Mistakes

  • Thinking RADIUS encrypts the entire payload — it only encrypts the user password.
  • Assuming RADIUS uses TCP by default — RADIUS typically uses UDP (1812 auth, 1813 acct).
  • Expecting TACACS+‑style per‑command authorization from RADIUS (it combines auth/authz).

Multi‑Factor Authentication (MFA)

Access control requiring two or more independent factor types (knowledge, possession, inherence) to reduce credential‑dr

Key Insight

True MFA = factors from different categories; two‑step on same factor/device isn't MFA. SMS OTP is weaker than hardware/app tokens.

Often Confused With

  • Two‑step verification
  • Single‑factor authentication

Common Mistakes

  • Equating two‑step (same factor or same device) with true multi‑factor authentication.
  • Assuming SMS OTP has equal security to hardware tokens or authenticator apps.
  • Counting password + PIN as MFA (both are knowledge factors).

PMF (802.11w) — Protect Management Frames

Shields management frames (deauth/disassoc) from spoofing/injection to stop common denial/hijack attacks.

Key Insight

PMF only protects management frames (e.g., deauth/disassoc); it negotiates as 'optional' or 'required' — required in WPA3, optional in WPA2.

Often Confused With

  • WPA2
  • WPA3

Common Mistakes

  • Thinking PMF eliminates all Wi‑Fi attacks (it doesn't protect data-frame crypto or other layers).
  • Assuming PMF breaks all legacy clients—it can be 'optional' or 'required'; choose based on client support.
  • Enabling PMF as 'optional' then expecting full protection — use 'required' to block deauth spoofing when supported.

RADIUS + EAP — Enterprise Wi‑Fi Auth

Centralized RADIUS + EAP methods provide mutual auth and dynamic per-session keys; EAP‑TLS is strongest.

Key Insight

EAP‑TLS = mutual, cert-based auth (best); PEAP/EAP‑TTLS = server cert + tunneled inner auth (passwords or inner certs possible); RADIUS issues dynamic

Often Confused With

  • 802.1X
  • PSK (Pre‑Shared Key)

Common Mistakes

  • Assuming all EAP methods offer equal security—EAP‑TLS (certs) > PEAP/EAP‑TTLS (tunneled password) in exam answers.
  • Believing RADIUS removes the need for certificates—EAP‑TLS needs client certs; PEAP needs at least a server cert.
  • Thinking RADIUS encrypts wireless payloads end‑to‑end—RADIUS handles auth and key derivation; Wi‑Fi uses session keys (CCMP/GCMP).

WPA2-PSK (Personal) — Passphrase & 4‑Way Handshake

WPA2 Personal: single shared passphrase that derives AES keys via the 4‑way handshake; used for small networks.

Key Insight

PSK is never sent over the air — the passphrase derives PTK/GTK in the 4‑way handshake; weak passphrases break security.

Often Confused With

  • WPA2-Enterprise (802.1X)
  • WPA3-SAE

Common Mistakes

  • Treating PSK as equally secure as 802.1X in large deployments
  • Thinking the passphrase is transmitted during association
  • Using short/common passphrases or the same PSK across many sites

AES‑CCMP vs TKIP — Force AES (CCMP)

AES‑CCMP is the modern WPA2 cipher (strong); TKIP is legacy, weaker, and should only appear for legacy compatibility.

Key Insight

Allowing TKIP or mixed WPA/WPA2 enables downgrade attacks—set GUI to AES‑CCMP only for WPA2.

Often Confused With

  • TKIP
  • WEP

Common Mistakes

  • Leaving the AP in mixed WPA/WPA2 mode (TKIP fallback enabled)
  • Assuming WPA2 always uses AES regardless of GUI encryption setting
  • Choosing TKIP for compatibility without noting the security downgrade

Automation and Programmability

10%

Automation: Consistency, Scale & Audit Trail

Automates repeatable network tasks for faster, scalable ops with fewer errors and built-in audit trails.

Key Insight

Upfront templates/tests pay off: automation cuts per-task time/errors, enables scale and auditable changes — justify with task frequency and error‑re/

Often Confused With

  • Orchestration
  • Manual scripting

Common Mistakes

  • Thinking automation removes all human oversight
  • Expecting immediate cost savings without upfront investment
  • Assuming automation fixes flawed network design

Orchestration vs Automation: Tasks vs Workflows

Automation executes single tasks; orchestration sequences and manages multiple tasks into end-to-end network workflows.

Key Insight

Automation = single-task execution (push config); orchestration = sequencing, error-handling and conditional logic across systems. On exams, pick orch

Often Confused With

  • Automation
  • Configuration management

Common Mistakes

  • Treating orchestration as identical to automation
  • Believing orchestration only applies to cloud or virtual environments
  • Using orchestration when a simple script suffices

Scaling & Resiliency Tradeoffs

Weigh controller clustering vs distributed device control for scale and uptime; identify single-point risks.

Key Insight

Centralized controllers simplify consistent policy at scale but require clustering/geo-placement or local agents to avoid control‑plane outages; data‑

Often Confused With

  • Distributed control plane
  • Single centralized controller
  • Hybrid control model

Common Mistakes

  • Treating one controller as an unavoidable bottleneck
  • Assuming controller failure equals total network outage
  • Scaling only by adding hardware, not clustering or placement

Automation & Programmability Toolbox

APIs/protocols and tools (REST/RESTCONF/NETCONF, Ansible, SDKs) to automate telemetry, config, and orchestration; pickBy

Key Insight

Match tool to intent: REST/RESTCONF for API/telemetry, NETCONF+YANG for model-driven config, Ansible for idempotent push playbooks, SDKs for custom/complex

Often Confused With

  • CLI scripting
  • SDN controller APIs
  • DevOps CI/CD tools

Common Mistakes

  • Expecting one tool to solve every automation need
  • Believing deep programming is required for simple playbooks
  • Using imperative scripts instead of idempotent automation

Controller Architecture — Centralized • Distributed • Hybrid

Where controllers run; model choice drives latency, scale, resilience and failure-domain behavior.

Key Insight

Centralized eases logic but creates latency/SPOF; distributed lowers latency but forces state sync and partition handling.

Often Confused With

  • NFV (Network Function Virtualization)
  • Overlay vs Underlay

Common Mistakes

  • Assuming centralized is always simpler — overlooks latency and single-point-of-failure risk
  • Believing distributed removes consistency issues — ignores synchronization and partition tradeoffs
  • Placing controllers by geography only — forgets failure domains and control-plane load balancing

Southbound APIs — OpenFlow, NETCONF, gNMI

Controller-to-device protocols for programming forwarding, config, and telemetry; pick by capability and device support.

Key Insight

Not interchangeable: OpenFlow targets flow/forwarding control; NETCONF/gNMI handle config, state, and telemetry with different data models.

Often Confused With

  • Northbound APIs
  • Device CLI/SSH

Common Mistakes

  • Thinking southbound only programs flows — it also configures devices and reads state/telemetry
  • Assuming all devices support the same southbound protocol — always verify device compatibility
  • Expecting OpenFlow commands to map to NETCONF/gNMI — protocols use different schemas and models

APIs & Data Formats — REST/gRPC; JSON, YAML, YANG, Protobuf

Transports and schemas to move telemetry, model I/O, and config — choose for latency, size, and validation.

Key Insight

Mapping layer is mandatory: use gRPC/HTTP2 for streaming, REST for request/response; schema (YANG/Proto) drives validation and payload size.

Often Confused With

  • REST vs gRPC
  • JSON vs YAML
  • YANG vs Protobuf

Common Mistakes

  • Assuming formats are interchangeable — skipping schema mapping/transform
  • Treating gRPC and REST as identical for streaming telemetry
  • Using verbose JSON for high-throughput telemetry instead of compact Protobuf

RCA — Correlate Alarms, KPIs, Logs & Topology

Combine signal correlation, topology context and causal reasoning (ML/LLM as assist) to surface likely causes and fixes.

Key Insight

RCA yields probabilistic, often multi-causal hypotheses — validate with timelines, topology paths and targeted tests, not just scores.

Often Confused With

  • Anomaly Detection
  • Event Correlation
  • Postmortem Analysis

Common Mistakes

  • Expecting a single definitive cause from RCA results
  • Equating correlation with causation — skip hypothesis validation at your peril
  • Blindly trusting ML/LLM outputs without explainability or sanity checks

HTTP Verbs ↔ CRUD Mapping

Map methods to CRUD quickly: GET=read, POST=create, PUT/PATCH=update, DELETE=delete, OPTIONS=metadata.

Key Insight

Idempotency is the exam pivot: GET/PUT/DELETE/OPTIONS are retriable; POST usually isn't; PATCH = partial update (semantics may vary).

Often Confused With

  • PUT vs PATCH
  • POST vs PUT

Common Mistakes

  • Assuming POST is always non-idempotent and PUT always creates resources.
  • Mixing PATCH and PUT — PATCH is partial; PUT typically replaces the whole resource.
  • Retrying POST without idempotency keys → duplicate resource creation.

TLS — Secure API Transport (HTTPS)

Use TLS/HTTPS to encrypt API traffic and protect tokens; always validate certificates and prefer modern ciphers.

Key Insight

TLS protects data in transit and prevents MITM/eavesdropping — it does NOT replace auth, scopes, token lifecycle, or input validation.

Often Confused With

  • HTTPS vs HTTP
  • TLS vs SSL

Common Mistakes

  • Using plain HTTP for credentialed APIs — tokens and passwords can be intercepted.
  • Relying on TLS alone — it doesn't fix broken auth, excessive privileges, or missing input validation.
  • Skipping certificate validation (e.g., 'trust-all') to simplify clients — creates MITM risk.

Declarative (Desired‑State) vs Imperative (Procedural)

Declarative: state-first, idempotent; Imperative: step-by-step commands — impacts ordering, idempotence, and rollback.

Key Insight

Declarative guarantees reconciliation/idempotence; imperative requires explicit sequencing and can fail partially.

Often Confused With

  • Idempotence
  • Orchestration

Common Mistakes

  • Assuming declarative tools never execute actions — they compute diffs then apply changes.
  • Believing imperative is always simpler — it breaks at scale without state tracking.
  • Expecting built-in transactional rollback from declarative systems — many apply partial changes.

Config Drift: Detection & Remediation

Continuously compare running config to desired state; alert, schedule, or auto-fix to maintain uptime and compliance.

Key Insight

Tune detection cadence and remediation policy: fast alerts + human approval for risky changes; auto-fix only for safe, idempotent ops.

Often Confused With

  • Change Management
  • Monitoring

Common Mistakes

  • Thinking drift only matters in cloud — routers, switches, and on‑prem systems drift too.
  • Defaulting to automatic remediation for every drift — high‑risk changes need manual review.
  • Running infrequent or overly broad checks — causes missed drift or alert fatigue without scoped baselines.

JSON SerDes (serialize ↔ parse)

Convert in-memory structures to JSON text and back — essential for API payloads, logging, and automation.

Key Insight

JSON keeps basic types (number/string/boolean/null/arrays/objects); language-specific types (Date, functions, undefined) are lost or altered.

Often Confused With

  • Data encoding
  • Schema validation

Common Mistakes

  • Assuming serialization preserves Date objects or functions
  • Relying on deserializer to coerce incompatible types ("123" → 123)
  • Skipping parse errors and schema validation (no try/catch or JSON schema check)

JSON Array — Ordered list [ ]

Bracketed ordered collection ([...]) used for sequences; indexable, zero-based, and can nest objects/arrays.

Key Insight

Order is preserved in arrays — use indices for position; arrays are not key→value maps and don't enforce uniqueness.

Often Confused With

  • JSON object
  • Sets/Maps

Common Mistakes

  • Treating arrays as unordered (indexing as if position doesn't matter)
  • Using arrays to represent key→value pairs instead of objects
  • Expecting arrays to enforce uniqueness or provide set semantics

© 2026 Mocka.ai - Your Exam Preparation Partner


Certification Overview

  • Duration: 120 min
  • Questions: 60
  • Passing: 70%
  • Level: Intermediate
