
CCNA 200-301 Deep-Dive Masterclass: From Network Fundamentals to Automation
A comprehensive, exam-focused CCNA 200-301 course that systematically builds your skills from core networking foundations through switching, routing, IP services, security, and modern automation. Every module is mapped to the official Cisco exam domains and crafted to help you pass with confidence on your first attempt.
Course Content
27 modules · 12h 9m total
CCNA 200-301 Orientation: Exam Blueprint, Strategy, and Lab Mindset
Step into the CCNA journey with a clear roadmap of the 200-301 exam, how Cisco scores you, and how to balance theory with hands-on labs so you do not waste precious study time.
Network Building Blocks: Devices, Roles, and Basic Connectivity
Walk through a modern network from endpoint to cloud, seeing how routers, switches, firewalls, and access points work together to move your first packets.
Models and Media: OSI, TCP/IP, and Ethernet Foundations
Trace a packet through the OSI and TCP/IP models, then ground the theory in real cables, connectors, and Ethernet framing used in every CCNA lab.
IPv4 Addressing and Subnetting Mastery
Turn IPv4 from a source of anxiety into a strength by drilling address classes, subnetting, and host calculations until they feel automatic.
IPv6 Fundamentals: Address Types, Notation, and Basic Configuration
Demystify IPv6 by learning its address structure, common address types, and how to configure and verify IPv6 connectivity alongside IPv4.
Campus Topologies and Switching Basics
See how two-tier, three-tier, and spine-leaf designs shape modern campus networks and where Layer 2 switching fits into the bigger picture.
VLAN Foundations: Segmentation and Access Port Configuration
Transform a flat LAN into multiple isolated segments using VLANs so that you can control broadcast domains and enforce basic policy boundaries.
Inter-Switch Links: 802.1Q Trunks, DTP, and VLAN Propagation
Connect multiple switches into a cohesive campus by carrying many VLANs over shared links using 802.1Q trunking and related mechanisms.
Loop Prevention with Spanning Tree Protocol and Rapid STP
Prevent catastrophic Layer 2 loops by mastering Spanning Tree concepts, port roles, and how Rapid STP accelerates convergence in modern networks.
Wireless LAN Principles and Secure Access
Cut the cord and see how 802.11 wireless networks integrate with your wired campus, including SSIDs, basic RF concepts, and secure client access.
Routing Concepts: From Default Gateway to Path Selection
Move beyond a single LAN and discover how routers use routing tables, metrics, and administrative distance to choose the best path across networks.
Single-Area OSPFv2 Fundamentals: Theory and Operation
Open the hood on OSPFv2 to see how link-state databases, LSAs, and neighbor adjacencies build a consistent view of the network.
Configuring and Verifying Single-Area OSPFv2
Translate OSPFv2 theory into CLI skills by configuring single-area OSPF on Cisco routers and validating neighbor relationships and route installation.
Inter-VLAN Routing and Router-on-a-Stick
Bridge the gap between VLANs by configuring inter-VLAN routing using router-on-a-stick and Layer 3 switching so hosts in different VLANs can communicate.
First-Hop Redundancy and Resilient Default Gateways
Keep user traffic flowing even when a gateway fails by deploying first-hop redundancy protocols that present a virtual default gateway.
NAT and IPv4 Internet Edge Fundamentals
Conserve IPv4 addresses and safely connect private networks to the internet using NAT and related edge design concepts.
Core IP Services: DHCP, DNS, NTP, and Device Management
Automate client configuration, resolve hostnames, and keep device clocks in sync using foundational IP services you will see on every network.
Monitoring and Control: SNMP, syslog, QoS, FTP, TFTP, and SSH
Gain visibility and control over your network using logging, monitoring, secure remote access, and simple file transfer services.
Security Fundamentals: Threats, Principles, and Device Hardening
Build a security mindset by recognizing common network threats and hardening Cisco devices with secure management and basic protections.
Access Control Lists (ACLs) for Traffic Filtering and Device Access
Shape and secure traffic flows using ACLs to permit or deny packets based on IP, protocol, and port criteria at key points in the network.
Layer 2 Security: Port Security, DHCP Snooping, and Wireless Protections
Lock down the access layer by controlling which devices can connect, protecting against rogue DHCP servers, and securing wireless associations.
Software-Defined Networking and Controller-Based Architectures
Step into modern networking by separating control and data planes and seeing how controllers orchestrate large-scale networks.
APIs, JSON, and REST: Programmatic Access to Network Devices
See how modern tools talk to network devices using structured data and web APIs, laying the groundwork for automation workflows.
Network Automation Tools: Ansible, Terraform, and Model-Driven Management
Survey the automation ecosystem to understand where tools like Ansible and Terraform fit and what CCNA expects you to recognize about them.
Cisco DNA Center and Telemetry-Driven Operations
Bring together SDN and APIs by looking at how Cisco DNA Center monitors, configures, and troubleshoots networks using telemetry and automation.
End-to-End Troubleshooting: Layered Approach Across CCNA Domains
Practice thinking like a network engineer by walking through multi-layer troubleshooting scenarios that tie together switching, routing, and services.
CCNA Exam Readiness: Review, Tactics, and Next Steps
Consolidate what you have learned with a structured review plan, exam-day tactics, and guidance on turning CCNA knowledge into real-world confidence.
Read the Textbook
In this orientation module, you will build a clear mental map of the CCNA 200-301 exam and how to study for it without wasting time. Think of it as your "flight plan" before you start intensive practice.
By the end of this 27‑minute session, you should be able to:
- Name the six CCNA exam domains and their approximate percentage weights.
- Explain how those weights influence your study priorities.
- Describe how Cisco typically mixes question types (multiple choice, drag-and-drop, simulations, and labs).
- Sketch a simple weekly study plan that balances theory, labs, and review.
- Identify which blueprint areas align with what you already know and where your gaps are.
Important context (as of 2026)
CCNA 200-301 has been the core associate-level Cisco exam since early 2020, and it is still the current version today. Cisco has shifted CCNA from being mostly configuration-heavy (older versions) to a more balanced mix: theory, basic configuration, troubleshooting, and modern topics like automation and security. Your Skarp course is already aligned with the current blueprint, so you can treat this module as your primary orientation.
Study Flashcards
Key concepts from this course as flashcard pairs.
CCNA 200-301 Orientation: Exam Blueprint, Strategy, and Lab Mindset
List the six CCNA 200-301 exam domains.
1. Network Fundamentals 2. Network Access 3. IP Connectivity 4. IP Services 5. Security Fundamentals 6. Automation and Programmability
Why do domain percentage weights matter for your study plan?
They indicate how much of the exam will test each area, so you can allocate more study time to high-weight domains like Network Fundamentals and IP Connectivity while still covering lower-weight domains.
Define VLAN (CCNA canonical definition).
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Define default gateway (CCNA canonical definition).
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Define NAT (CCNA canonical definition).
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
Define ACL (CCNA canonical definition).
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
Network Building Blocks: Devices, Roles, and Basic Connectivity
Default gateway (canonical definition)
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Collision domain
A collision domain is the set of network interfaces where Ethernet collisions can occur. Modern switches create one collision domain per port; hubs share a single collision domain across all ports.
Broadcast domain
A broadcast domain is the set of devices that receive a Layer 2 broadcast frame. Switches forward broadcasts within a VLAN, while routers (and Layer 3 switches) separate broadcast domains.
Primary role of a Layer 2 switch
A Layer 2 switch forwards Ethernet frames based on MAC addresses, creating separate collision domains per port while maintaining a single broadcast domain per VLAN.
Primary role of a router
A router forwards packets between different IP networks using a routing table, and it separates broadcast domains at each interface.
Primary role of a firewall
A firewall inspects traffic and enforces security policies, often using ACLs and stateful inspection, and may perform NAT between private and public networks.
Models and Media: OSI, TCP/IP, and Ethernet Foundations
List the OSI model layers from top to bottom.
Application, Presentation, Session, Transport, Network, Data Link, Physical.
List the TCP/IP model layers.
Application, Transport, Internet, Network Access.
Define encapsulation in networking.
Encapsulation is the process of adding protocol-specific headers (and sometimes trailers) to data as it moves down the protocol stack from higher to lower layers.
At which OSI layer do MAC addresses operate, and what are they used for?
MAC addresses operate at the Data Link (Layer 2) and are used for local forwarding on the same network segment, allowing switches to deliver frames to the correct device.
What is the typical unit name at each of these layers: Transport, Network, Data Link, Physical?
Transport: segment. Network: packet. Data Link: frame. Physical: bits.
Which TCP/IP layer corresponds to the OSI Network layer?
The TCP/IP Internet layer corresponds to the OSI Network layer.
IPv4 Addressing and Subnetting Mastery
How many bits are in an IPv4 address, and how are they usually written?
IPv4 uses 32 bits. They are usually written in dotted‑decimal notation as four 8‑bit octets, each 0–255, for example 192.168.1.10.
What is the default mask and prefix length for a Class A IPv4 unicast address?
Default mask 255.0.0.0, which is prefix length /8.
What is the default mask and prefix length for a Class B IPv4 unicast address?
Default mask 255.255.0.0, which is prefix length /16.
What is the default mask and prefix length for a Class C IPv4 unicast address?
Default mask 255.255.255.0, which is prefix length /24.
Formula for usable hosts per IPv4 subnet?
Usable hosts per subnet = 2^(number of host bits) − 2.
How do you compute the number of subnets when subnetting a classful network?
Borrowed bits = new prefix − default classful prefix. Number of subnets = 2^(borrowed bits).
IPv6 Fundamentals: Address Types, Notation, and Basic Configuration
Standard IPv6 LAN prefix length
/64 is the standard prefix length for IPv6 LAN segments, with 64 bits for the network and 64 bits for the interface ID.
Prefix identifying link-local IPv6 addresses
Link-local IPv6 addresses use prefix fe80::/10 and are only valid on the local link (not routed).
Prefix range for global unicast IPv6 addresses
Global unicast IPv6 addresses typically fall in 2000::/3, which includes prefixes like 2001:, 2400:, and others.
Prefix identifying unique local IPv6 addresses (ULA)
Unique local addresses use fc00::/7 (commonly seen as fdxx:), providing private, non-internet-routable IPv6 space.
IPv6 unspecified and loopback addresses
The unspecified address is :: (all zeros). The loopback address is ::1, the IPv6 equivalent of IPv4 127.0.0.1.
Two main IPv6 compression rules
1) Remove leading zeros in each hextet. 2) Replace one contiguous run of all-zero hextets with :: (used only once per address).
Campus Topologies and Switching Basics
Two-tier (collapsed core) campus design
A campus architecture with access switches connected directly to a pair of distribution/core switches that provide aggregation and routing, suitable for small to medium sites.
Three-tier campus design
A scalable architecture with distinct access, distribution, and core layers, where access connects to distribution, distribution enforces policies and routing, and core provides a fast backbone.
Spine-leaf architecture
A fabric design where every leaf switch connects to every spine switch, providing predictable latency and high bandwidth; common in data centers and large campus cores.
CAM (MAC address) table
A hardware-based table on a switch that stores MAC address, VLAN, and port mappings, used to decide which port to use when forwarding Ethernet frames.
Forwarding vs flooding
Forwarding sends frames with known unicast destination MACs out a single port; flooding sends unknown unicast, broadcast, or some multicast frames out all ports in the same VLAN except the incoming port.
SOHO network
A Small Office/Home Office network, often built around a single wireless router that performs switching, routing, NAT, and DHCP for a small number of devices.
VLAN Foundations: Segmentation and Access Port Configuration
VLAN (canonical definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Broadcast domain
A set of interfaces that receive a Layer 2 broadcast frame. In a switched network with VLANs, each VLAN is a separate broadcast domain.
Access port
A switch port configured to carry traffic for a single data VLAN (plus optional voice VLAN). Frames are sent to the host untagged; the switch internally associates them with the configured VLAN.
Voice VLAN
A special VLAN configured on an access port (using `switchport voice vlan <id>`) used for IP phone traffic, usually tagged, while PC data on the same port uses the access VLAN.
Default VLAN on Cisco switches
VLAN 1. All switch ports are in VLAN 1 by default until explicitly assigned to another VLAN. Many control-plane protocols historically use VLAN 1.
Command: switchport mode access
Forces a switch interface into access mode, disabling dynamic negotiation and ensuring it carries a single data VLAN (plus optional voice VLAN).
Inter-Switch Links: 802.1Q Trunks, DTP, and VLAN Propagation
802.1Q trunk
A Layer 2 link that uses IEEE 802.1Q tagging to carry traffic for multiple VLANs over a single physical connection between devices such as switches, routers, or firewalls.
Native VLAN (on 802.1Q trunk)
The single VLAN on a trunk whose frames are sent untagged by default. Untagged frames received on the trunk are associated with this VLAN. Both ends of the trunk must agree on the same native VLAN.
Allowed VLAN list
The configured set of VLAN IDs that are permitted to traverse a trunk port. VLANs not in this list are filtered and their frames are not forwarded over the trunk.
Dynamic Trunking Protocol (DTP)
A Cisco-proprietary protocol that negotiates whether a switchport becomes a trunk or access port, based on the configured switchport mode on each side of the link.
switchport mode trunk
Cisco IOS interface command that forces a port to operate as an 802.1Q trunk and actively sends DTP frames unless `switchport nonegotiate` is also configured.
switchport mode access
Cisco IOS interface command that forces a port to operate as an access port in a single VLAN and disables trunk negotiation.
Loop Prevention with Spanning Tree Protocol and Rapid STP
Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops in a bridged network by placing redundant paths into a blocking state while maintaining a loop-free logical topology.
Root Bridge
The switch with the lowest Bridge ID (priority + extended system ID + MAC address). It is the logical center of the spanning tree; all path costs are calculated relative to it.
Root Port (RP)
On a non-root switch, the single port that has the lowest-cost path to the root bridge. It forwards traffic toward the root.
Designated Port (DP)
For each network segment, the port that advertises the best path to the root bridge. It forwards traffic for that segment.
Alternate Port (RSTP)
An RSTP port role representing a loop-free backup path toward the root bridge. It is normally in Discarding state and can quickly move to Forwarding if the Root Port fails.
RSTP Definition
Rapid Spanning Tree Protocol (RSTP, 802.1w) is the modern STP variant that provides faster convergence.
Wireless LAN Principles and Secure Access
Access Point (AP)
A device that provides 802.11 wireless connectivity to clients and bridges their traffic to the wired Ethernet network, often managed by a Wireless LAN Controller in campus designs.
Wireless LAN Controller (WLC)
A centralized device that manages multiple lightweight APs, pushing SSID, security, and RF configurations and often terminating CAPWAP tunnels that carry client traffic.
SSID (Service Set Identifier)
The network name that identifies a WLAN to users; each SSID is associated with specific security settings and is typically mapped to a single VLAN on the wired network.
VLAN (definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Common wireless security standards (full list)
The three common wireless security standards you must know, in order, are: WPA2-PSK, WPA2-Enterprise, WPA3.
WPA2-PSK
A Wi‑Fi security mode (WPA2-Personal) where all clients share a single pre-shared passphrase; simple to deploy but harder to manage securely and not tied to individual identities.
Routing Concepts: From Default Gateway to Path Selection
Routing
A Layer 3 function where a router forwards packets between different IP networks based on destination IP addresses and its routing table.
Switching
A Layer 2 function where a switch forwards frames within the same network based on destination MAC addresses and its MAC address table.
Default gateway (host view)
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Default route (router view)
A routing table entry (0.0.0.0/0 for IPv4, ::/0 for IPv6) that matches all destinations not covered by more specific routes and points to a next-hop or exit interface.
Administrative distance
A Cisco-specific value that ranks the trustworthiness of a route source; lower values are preferred when multiple routes to the same prefix exist.
Metric
A value used within a routing protocol to compare paths; examples include hop count (RIP) and cost based on bandwidth (OSPFv2). Lower metric is preferred.
Single-Area OSPFv2 Fundamentals: Theory and Operation
OSPFv2 (canonical definition)
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
Link-state protocol
A routing protocol in which each router describes the state of its own links in LSAs, floods these LSAs to all routers in the area, builds a link-state database, and independently runs SPF to compute best paths.
Distance-vector protocol
A routing protocol in which routers share routing information (distance and direction) with neighbors, typically by sending periodic routing table updates, without maintaining a full topology map.
OSPF area
A logical grouping of routers and networks within an OSPF domain. All routers in an area share the same link-state database for that area. Every OSPF network includes a backbone Area 0.
Link-State Database (LSDB)
The collection of all LSAs that describe the topology of an OSPF area. All routers in the same area must maintain identical LSDB contents.
Router LSA (Type 1)
An OSPF LSA generated by each router for every area it belongs to. It describes the router’s interfaces, their states, and OSPF costs within that area and is flooded only inside the area.
Configuring and Verifying Single-Area OSPFv2
OSPFv2 (definition)
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
Router ID selection order
1) Manually configured `router-id` under `router ospf`; 2) Highest IP address on any up loopback interface; 3) Highest IP address on any up physical interface.
Purpose of OSPF `network` statements
In OSPF, `network` statements select which interfaces run OSPF based on their IP addresses and wildcard masks; those interfaces then advertise their connected networks.
Effect of `passive-interface` in OSPF
OSPF stops sending and receiving hellos on that interface (no neighbors form), but the connected network is still advertised to other OSPF routers.
Command: show ip ospf neighbor
Displays OSPF neighbors, their router IDs, states (Full, 2-Way, etc.), and the interfaces over which adjacencies are formed.
Command: show ip ospf interface
Shows OSPF settings per interface, including area ID, network type, hello and dead intervals, and whether the interface is passive.
Inter-VLAN Routing and Router-on-a-Stick
VLAN (definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Default gateway (definition)
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Router-on-a-stick
A design where a single physical router interface is configured as an 802.1Q trunk with multiple subinterfaces, each subinterface acting as the Layer 3 gateway for a VLAN to provide inter-VLAN routing.
Subinterface
A logical interface created under a physical router interface (for example, G0/0.10) that can be assigned its own encapsulation type and IP address, often used for router-on-a-stick.
802.1Q trunk
A Layer 2 link that carries traffic for multiple VLANs by tagging frames with a VLAN ID, allowing switches and routers to distinguish which VLAN each frame belongs to.
SVI (Switch Virtual Interface)
A logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for hosts in that VLAN.
First-Hop Redundancy and Resilient Default Gateways
First-hop redundancy protocols (list all 3 in order)
The first-hop redundancy protocols are: HSRP, VRRP, GLBP.
Definition of default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Virtual IP (VIP)
A virtual IP is an IP address shared by a group of routers running an FHRP. Hosts use it as their default gateway, while one router at a time owns and answers for it.
Virtual MAC address
A virtual MAC address is a MAC shared by an FHRP group. The active/master router uses it in ARP replies so frames sent to the gateway can transparently move between routers.
HSRP: Active vs Standby
In HSRP, the Active router forwards traffic for the virtual IP and MAC. The Standby router monitors hellos and takes over the virtual addresses if the Active fails.
VRRP: Master vs Backup
In VRRP, the Master router forwards traffic for the virtual IP and MAC. Backup routers listen and take over if the Master becomes unavailable.
NAT and IPv4 Internet Edge Fundamentals
NAT (Network Address Translation)
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
Inside interface vs Outside interface
Inside interface faces the internal network (usually using private RFC 1918 addresses). Outside interface faces the external network or ISP (using public addresses).
Inside local vs Inside global
Inside local: private IP of an internal host (for example 192.168.10.10). Inside global: public IP that represents that host on the internet (for example 203.0.113.10).
Static NAT
A 1:1, fixed mapping between a single inside local address and a single inside global address. Often used to publish internal servers to the internet.
Dynamic NAT
Uses a pool of public addresses. Inside local addresses are mapped to available inside global addresses from the pool on demand, without overloading ports.
PAT (NAT overload)
Many-to-one NAT that maps multiple inside local addresses to a single inside global address by using different TCP/UDP source ports. Enabled with the `overload` keyword.
Core IP Services: DHCP, DNS, NTP, and Device Management
DHCP (canonical definition)
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
DNS (canonical definition)
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
Default gateway (canonical definition)
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
DORA in DHCP
Discover, Offer, Request, Acknowledge – the four main steps of the DHCP lease process.
Command: Configure DHCP relay on a Cisco interface
`ip helper-address <DHCP-server-IP>` on the client-facing interface or SVI.
Command: View DHCP leases on Cisco IOS
`show ip dhcp binding` – lists current DHCP bindings (IP to MAC).
Monitoring and Control: SNMP, syslog, QoS, FTP, TFTP, and SSH
SNMP Manager
The network management system (NMS) that polls SNMP agents, reads/writes MIB objects, and receives traps or informs from devices.
SNMP Agent
Software running on a network device (router, switch, firewall) that exposes management information via SNMP to an external manager.
SNMPv3 auth+priv
The secure SNMPv3 mode that provides both authentication and encryption of SNMP messages, recommended for production networks.
Syslog Severity 0–7
Numeric levels where 0 is emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, and 7 debugging.
Classification (QoS)
The process of identifying and grouping traffic into classes based on attributes such as IP, ports, protocol, VLAN, or existing DSCP/CoS markings.
Marking (QoS)
Writing QoS values (such as DSCP in the IP header or CoS in the 802.1Q VLAN tag) into packets so that downstream devices know how to treat them.
Security Fundamentals: Threats, Principles, and Device Hardening
Confidentiality
Ensuring that only authorized people or systems can access data. Example: using SSH instead of Telnet to protect router login credentials.
Integrity
Ensuring data is accurate and unaltered except by authorized changes. Example: preventing unauthorized changes to routing tables or configuration files.
Availability
Ensuring systems and data are accessible when needed. Example: protecting against DoS attacks that overwhelm a router or server.
Least privilege
Security principle that users and systems should be given the minimum level of access necessary to perform their tasks, and no more.
Defense in depth
An approach that uses multiple, overlapping security controls so that if one fails, others still provide protection.
Spoofing
A type of attack where an attacker forges information (such as IP, MAC, or ARP data) to appear as another device or user.
Access Control Lists (ACLs) for Traffic Filtering and Device Access
Canonical ACL definition (exact wording)
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
Standard ACL (concept)
A standard ACL matches only on source IPv4 address. It cannot specify destination, protocol, or port, and is often used for simple filtering and device management access control.
Extended ACL (concept)
An extended ACL can match on source and destination IP addresses, protocol (IP, TCP, UDP, ICMP, etc.), and TCP/UDP ports, allowing fine-grained traffic control.
Implicit deny
Every ACL ends with an implicit "deny any" (for IP ACLs) that is not shown in the configuration. Any packet that does not match a permit or deny line is dropped by this implicit rule.
ACL processing rule
ACLs are processed top to bottom, first match wins. As soon as a packet matches a line, the corresponding permit or deny is applied and no further lines are checked.
Best placement: extended ACLs
Place extended ACLs close to the source of the traffic you want to control, to drop unwanted packets as early as possible.
Layer 2 Security: Port Security, DHCP Snooping, and Wireless Protections
Port security (switch feature)
A Layer 2 switch feature that restricts which MAC addresses are allowed on a port by setting limits, defining secure MAC addresses, and specifying what happens when a violation occurs.
Port security violation modes
protect: silently drops violating traffic. restrict: drops violating traffic and increments counters/logs. shutdown: places the port in err-disabled state on violation (default).
DHCP snooping (purpose)
A Layer 2 security feature that classifies ports as trusted or untrusted, blocks DHCP server messages on untrusted ports, and builds a DHCP snooping binding table of legitimate IP–MAC–VLAN–port mappings.
DHCP snooping binding table
A database created by DHCP snooping that records each client's MAC address, IP address, VLAN, interface, and lease time, used to validate traffic and support features like Dynamic ARP Inspection.
Dynamic ARP Inspection (DAI)
A Layer 2 security feature that inspects ARP packets on untrusted ports and drops those that do not match trusted IP–MAC bindings, helping prevent ARP spoofing attacks.
WPA2-PSK
A wireless security mode where all clients share a pre-shared key (passphrase) with the access point, commonly used in home and small office networks.
Software-Defined Networking and Controller-Based Architectures
Software-defined networking (SDN)
Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
Control plane
The part of a network device or system that builds and maintains forwarding information, using protocols like OSPFv2, STP, and ARP, and makes decisions about where traffic should go.
Data plane
The part of a network device that forwards actual user traffic (frames and packets) based on tables and rules created by the control plane, often implemented in hardware for speed.
Controller-based architecture
A network design where a central controller maintains a global view of the network and programs the forwarding behavior and policies of multiple devices, rather than configuring each device independently.
Cisco DNA Center
Cisco’s enterprise campus controller and management platform that provides design, policy, provisioning, and assurance for wired, wireless, and branch networks, acting as the SDN controller in Cisco SD-Access.
REST API
A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
APIs, JSON, and REST: Programmatic Access to Network Devices
JSON object
A collection of key-value pairs enclosed in `{ }`. Keys are strings, followed by a colon and a value. Used to represent structured data such as a device, interface, or VLAN in API responses.
JSON array
An ordered list of values enclosed in `[ ]`. Often used by APIs to return lists of resources, such as multiple devices or interfaces.
REST API (canonical definition)
A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
HTTP GET vs POST
GET retrieves data without changing it (read-only). POST sends data to create a new resource or trigger an action on the server, often with a JSON body.
HTTP PUT vs PATCH
PUT typically replaces an entire resource with the data provided. PATCH applies a partial update, modifying only specified fields of the resource.
Role of a controller (e.g., Cisco DNA Center)
Centralizes the control plane for many devices and exposes REST APIs so tools and scripts can discover devices, read status, and push configurations programmatically.
Network Automation Tools: Ansible, Terraform, and Model-Driven Management
Ansible (at a high level)
An agentless automation tool that connects to devices over SSH or APIs and uses YAML playbooks and modules to configure many devices consistently and in parallel.
Terraform (at a high level)
An Infrastructure as Code tool that uses declarative HCL configuration, providers, and a state file to provision and manage the lifecycle of infrastructure resources such as networks, subnets, and gateways.
Playbook (Ansible)
A YAML file that defines one or more plays, each containing tasks that call modules to perform configuration or operational actions on groups of devices.
Inventory (Ansible)
A file or data source that lists managed devices (hosts), often grouped by role or location, along with connection parameters used by Ansible.
Provider (Terraform)
A plugin that knows how to communicate with a specific platform or API, such as AWS, Azure, or Cisco SD-WAN, and exposes resources that Terraform can manage.
Resource (Terraform)
A specific infrastructure object managed by Terraform, such as a virtual network, subnet, VPN gateway, or firewall rule, defined in HCL configuration.
Cisco DNA Center and Telemetry-Driven Operations
software-defined networking (SDN)
Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
REST API
A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
Cisco DNA Center: Automation
The Automation function in Cisco DNA Center focuses on centralized provisioning, configuration templates, software image management, and executing changes at scale across many devices.
Cisco DNA Center: Assurance
Assurance in Cisco DNA Center uses telemetry, analytics, and baselines to continuously monitor network, client, and application health, providing insights and suggested remediation for issues.
Cisco DNA Center: Policy
Policy in Cisco DNA Center lets you express business intent (who can talk to whom, segmentation, QoS) and translates it into underlying configurations such as ACLs and segmentation rules.
Northbound API (in controllers)
A northbound API is an interface used by external applications and scripts to communicate with a controller like Cisco DNA Center, typically via REST over HTTPS.
End-to-End Troubleshooting: Layered Approach Across CCNA Domains
VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops in a bridged network by placing redundant paths into a blocking state while maintaining a loop-free logical topology.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
OSPFv2
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
DNS
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
CCNA Exam Readiness: Review, Tactics, and Next Steps
Define VLAN.
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
Define Spanning Tree Protocol.
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops in a bridged network by placing redundant paths into a blocking state while maintaining a loop-free logical topology.
Define default gateway.
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Define OSPFv2.
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
Define NAT.
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
Define DHCP.
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.