CCNA Certification Study Guide Volume 2: Exam 200-301 v1.1
By Todd Lammle and Donald Robb
About this ebook
Your updated guide to success on the CCNA Certification exam
In the newly revised second edition of the CCNA Certification Study Guide – Volume 2: Exam 200-301 v1.1, renowned Cisco educator and network engineer Todd Lammle and Donald Robb deliver a practical and effective test prep and roadmap to the challenging CCNA Certification exam. Volume 2 of the updated Study Guide covers objectives for network fundamentals and access, IP connectivity and services, security fundamentals, automation, programmability, artificial intelligence, and more.
You'll also learn about topics like network device security, IPv6, QoS, wireless technologies, wireless controllers, automation, and REST APIs. The CCNA Certification Study Guide comes with one year of free access after activation to a robust set of online study tools designed to assess and advance your exam readiness.
You'll find:
- Up-to-date information relevant to the latest Cisco technologies and job roles
- An interactive online test bank, including hundreds of practice test questions, flashcards, and a glossary of key terms and definitions
- Discussions of everything from enhanced switching and ACLs to FHRP, SDN, configuration management, and more
Perfect for anyone preparing to pursue the updated CCNA Certification, the CCNA Certification Study Guide – Volume 2 is a must-read for practicing IT professionals looking for a refresher on Cisco networking fundamentals.
CCNA®
Certification
Study Guide
Volume 2
Exam 200-301 v1.1
Second Edition
Todd Lammle
Donald Robb
Copyright © 2025 by John Wiley & Sons, Inc. All rights, including for text and data mining, AI training, and similar technologies, are reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.
ISBNs: 9781394302154 (paperback), 9781394302178 (ePDF), 9781394302161 (ePub)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.
Trademarks: WILEY, the Wiley logo, and Sybex are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2024948041
Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley
Acknowledgments
There were many people who helped us build the new CCNA books in 2024 and 2025. First, Kenyon Brown helped me put together the book direction and managed the internal editing at Wiley, so thank you, Ken, for working diligently for many months to keep these books moving along.
Thanks also to Kim Wimpsett, my most excellent and highly dependable developmental editor at Wiley for well over a decade. She always does an excellent job, and I refuse to work on a book without her now!
We’d also like to thank John Sleeva and Tiffany Tayler for their hard work and edits in books one and two, respectively. They really helped us create fine-tuned books.
In this book, I enjoyed collaborating with Donald Robb from Canada. He played a crucial role in crafting the new table of contents and was instrumental in writing, editing, and thoroughly addressing the latest exam topics across various chapters. His expertise is unparalleled, and he worked tirelessly alongside me daily to bring this book to life. I’m confident you’ll appreciate his contributions as much as I do. You can connect with Donald through his well-known blog at https://the-packet-thrower.com. He also serves as a leading moderator and contributor on Reddit: https://www.reddit.com/r/ccna.
About the Authors
Todd Lammle is widely regarded as one of the foremost authorities on Cisco certification and internetworking, holding certifications across nearly every Cisco certification category. With a career spanning over three decades, Todd has established himself as a globally recognized author, speaker, trainer, and consultant. His expertise extends across a broad range of technologies, including LANs, WANs, and large-scale enterprise wireless networks, both licensed and unlicensed. In recent years, he has specialized in implementing extensive Cisco security networks, particularly utilizing Firepower/FTD and ISE.
What sets Todd apart is his deep, hands-on experience, which is evident in his writing and training materials. He’s not just an author; he’s a seasoned networking engineer with practical knowledge gained from working on some of the largest and most complex networks in the world. His experience includes significant contributions to companies such as Xerox, Hughes Aircraft, Texaco, AAA, Cisco, and Toshiba, among many others. This real-world experience allows Todd to bring a unique, practical perspective to his work, making his books and training sessions invaluable resources for IT professionals at all levels.
Todd has authored more than 120 books, solidifying his reputation as a leading voice in the industry. Some of his most popular titles include the CCNA: Cisco Certified Network Associate Study Guide, CCNA Wireless Study Guide, CCNA Data Center Study Guide, CCNP SNCF (Firepower), and CCNP Security. All of these works are published by Sybex, a respected name in technical publishing.
In addition to his writing and speaking engagements, Todd runs an international consulting and training company based in Idaho. His company provides expert guidance and training to organizations around the world, helping them to navigate the complexities of modern networking technologies. Despite his busy professional life, Todd still finds time to enjoy the natural beauty of Idaho, often spending his free time at the lake in the mountains, where he enjoys the outdoors with his beloved golden retrievers.
For those looking to dive deeper into Todd Lammle’s work, you can find his extensive range of books at https://www.lammle.com/order-our-books. Additionally, Todd is accessible to his readers and clients through his website at www.lammle.com, where you can find more resources, updates, and ways to connect with him directly.
Donald Robb, widely recognized online as the-packet-thrower, brings over two decades of experience in the IT industry. His career has spanned a diverse array of roles, beginning with help desk support and evolving into a position as one of the most respected consultants in the field. Donald has honed expert-level skills across various IT domains, including networking, security, collaboration, data center management, wireless technologies, and service providers. His depth of knowledge and technical expertise have made him a sought-after professional in the industry.
Currently, Donald is a principal network architect for Walt Disney Studios. In this role, he serves as a subject matter expert on various technologies, playing a critical role in shaping the company’s network architecture and ensuring its reliability and performance. His work involves leading the design and implementation of complex networks and guiding teams and stakeholders through the technical intricacies of modern IT infrastructures.
Over the years, Donald has collaborated with major industry vendors and smaller, specialized companies, earning many advanced certifications along the way. His achievements include becoming a double JNCIE and obtaining most of Cisco’s professional-level certifications, demonstrating his deep technical proficiency and commitment to continuous learning. His expertise has also been recognized through his selection as a Cisco Champion for four consecutive years, an honor awarded to top influencers in the networking community.
In addition to his hands-on work in the field, Donald has made significant contributions to IT education. He has had the privilege of working alongside Todd Lammle, a legendary figure in the IT world, co-authoring several books and developing courses that have helped countless professionals advance their careers. Through his extensive experience, certifications, and educational efforts, Donald Robb has solidified his reputation as a leading authority in the IT industry.
Introduction
Welcome to the exciting world of Cisco certification! If you’ve picked up this book because you want to improve yourself and your life with a better, more satisfying, and secure job, you’ve done the right thing. Whether your plan is to enter the thriving, dynamic IT sector or to enhance your skill set and advance your position within it, being Cisco certified can seriously stack the odds in your favor to help you attain your goals.
Cisco certifications are powerful instruments of success that also just happen to improve your grasp of all things internetworking. As you progress through this book, you’ll gain a complete understanding of networking that reaches far beyond Cisco devices. By the end of this book, you’ll comprehensively know how disparate network topologies and technologies work together to form the fully operational networks that are vital to today’s very way of life in the developed world. The knowledge and expertise you’ll gain here are essential for and relevant to every networking job. It’s why Cisco certifications are in such high demand—even at companies with few Cisco devices!
For up-to-the-minute updates covering additions or modifications to the Cisco certification exams, as well as additional study tools, review questions, videos, and bonus materials, be sure to visit the Todd Lammle website and forum at www.lammle.com/ccna.
Cisco’s Network Certifications
Way back in 1998, obtaining the Cisco Certified Network Associate (CCNA) certification was the first pitch in the Cisco certification climb. It was also the official prerequisite to each of the more advanced levels. But that changed in 2007, when Cisco announced the Cisco Certified Entry Network Technician (CCENT) certification. Then again, in May 2016, Cisco announced new updates to the CCENT and CCNA Routing and Switching (R/S) tests. Today, things have changed dramatically again.
In July 2019, Cisco switched up the certification process more than it has in the last 20 years! Cisco announced all new certifications that started in February 2020, and then again, an update and revision in the summer of 2024, which is probably why you’re reading this book!
So what’s changed? For starters, the CCENT course and exam (ICND1 and ICND2) no longer exist, nor do the terms Routing & Switching (rebranded to Enterprise). On top of that, the CCNA is no longer a prerequisite for any of the higher certifications at all, meaning that you’ll be able to jump straight to CCNP without having to take the new CCNA exam if you have already achieved the CCNA or have enough background to skip the CCNA.
The new Cisco certification process will look like Figure I.1.
FIGURE I.1 The Cisco certification path
First, the CCST entry-level certification was added. The Wiley study guide for the CCST Network exam, authored by Todd Lammle and Donald Robb, is available along with this study guide at https://www.lammle.com/order-our-books.
If you have an entry-level network background, you will want to head directly to CCNA, using this book and the abundant resources on www.lammle.com/ccna, of course!
The Todd Lammle CCNA program, starting with this book, is a powerful tool to get you started in your CCNA studies, and it’s vital to understand that material found in this book and at www.lammle.com/ccna before you go on to conquer any other certifications!
What Does This Book Cover?
This second book in the CCNA series covers everything you need to know to pass the new CCNA 200-301 v1.1 exam and starts right where the first book in the series left off.
But regardless of which Cisco Certification path you choose, as I’ve said, taking plenty of time to study and practice with routers or a router simulator is the real key to success.
You will learn the following information in this book:
Chapter 1: Enhanced Switched Technologies This chapter will start off with STP protocols and dive into the fundamentals, covering the modes as well as the various flavors of STP. VLANs, trunks, and troubleshooting are covered as well. Finally, PortFast will also be discussed.
Chapter 2: Security with ACLs This chapter covers security and access lists, which are created on routers to filter the network. IP standard, extended, and named access lists are covered in detail. Written and hands-on labs, along with review questions, will help you study for the security and access-list portion of the Cisco exams.
Chapter 3: Internet Protocol Version 6 (IPv6) This is a fun chapter chock-full of some great information. IPv6 is not the big, bad scary creature that most people think it is, and it’s a really important objective on the latest exam, so study this chapter carefully—don’t just skim it.
Chapter 4: Troubleshooting IP, IPv6, and VLANs This chapter will cover detailed troubleshooting, and because this is such a major focus of the Cisco CCNA objectives, I’d be letting you down if I didn’t make sure you’ve got this important topic down. So to ensure that your skills are solid, we’re going to begin by diving deep into troubleshooting with IP, IPv6, and VLANs. You absolutely must also have the fundamentals of IP and IPv6 routing and knowledge of VLANs and trunking nailed down tight if you’re going to win at this.
Chapter 5: Network Address Translation (NAT) In this chapter, we’re going to dig into Network Address Translation (NAT), Dynamic NAT, and Port Address Translation (PAT), also known as NAT Overload. Of course, I’ll demonstrate all the NAT commands.
Chapter 6: IP Services This chapter covers how to find neighbor device information using the proprietary Cisco Discovery Protocol (CDP) and the industry-standard Link Layer Discovery Protocol (LLDP). I’ll also discuss how to make sure our times are synchronized with our devices using Network Time Protocol (NTP). After that, I’ll show you the Simple Network Management Protocol (SNMP) and the type of alerts sent to the network management station (NMS). You’ll learn about the oh-so-important syslog logging and configuration, and then, finally, I’ll cover how to configure Secure Shell (SSH).
Chapter 7: Security Fundamentals This chapter will help you to define key security concepts (threats, vulnerabilities, exploits, and mitigation techniques) as well as describe security program elements (user awareness, training, and physical access control). We’ll also cover authentication, authorization and accounting, and password policies.
Chapter 8: First Hop Redundancy Protocol (HSRP) This chapter will start off by telling you the reasons why we need a layer 3 redundancy protocol and then move into how to build redundancy and load-balancing features into your network elegantly with routers that you might even have already. You really don’t need to buy some overpriced load-balancing device when you know how to configure and use Hot Standby Router Protocol (HSRP).
Chapter 9: Quality of Service (QoS) Quality of service (QoS) refers to the way resources are controlled so that the quality of services is maintained. In this chapter I’m going to cover how QoS solves problems by using classification and marking tools, policing, shaping and re-marking, providing congestion management and scheduling tools, and finally, link-specific tools.
Chapter 10: Wireless Technologies Because I know you’ve crushed all of the previous chapters, you’re ready to dive into this one! If that’s not exactly you, just know that the two chapters on switching provide a really nice review on switching and VLANs. So, let’s start this chapter by defining a basic wireless network as well as basic wireless principles. We’ll talk about different types of wireless networks, the minimum devices required to create a simple wireless network, and some basic wireless topologies as well. After that, I’ll get into basic security by covering WPA, WPA2, and WPA3.
Chapter 11: Configuring Legacy Wireless Controllers After Chapter 10 you now know how wireless works, so now we’re going to guide you through configuring a wireless network from beginning to end. We’ll start by telling you all about how to get a Cisco Wireless LAN Controller up and running before showing you how to join access points to our new WLC. We’ll also dig deep into how to configure the WLC to support wireless networks. By the end of this chapter, you’ll triumph by having an actual endpoint join your wireless LAN!
Chapter 12: Configuring Modern Wireless Controllers This chapter walks you through setting up a virtual Cisco 9800 controller and using port channels. Then, we will create a simple WPA2 WLAN using PSK, just as we did with the WLC. Then, we will join our new wireless network with my test PC to confirm everything works as advertised! Finally, we will finish up the chapter by exploring how to work with cloud-managed access points.
Chapter 13: Virtualization, Containers, and VRFs In this chapter, we’ll begin to address modern challenges by introducing you to virtualization basics. We’ll then walk you through its common components and features to close the topic by comparing some of the virtualization products on the market as of this writing. After that, we’ll explore important automation concepts and components to provide you with sure footing to jump into the SDN and configuration management chapters following this one.
Chapter 14: Software-Defined Networking (SDN) Automation has gotten popular enough to be included on the CCNA exam—it even has its own DevNet certification track! Even so, most companies still aren’t keen on fully managing their network with a bunch of Python scripts on a shared drive. So a better solution is to go with something called a software-defined networking (SDN) controller to centrally manage and monitor the network instead of doing everything manually, and that is what this chapter is all about!
Chapter 15: Automation and REST APIs When preparing for the CCNA, manually configuring everything while practicing the topics in this book is a great way to gain hands-on experience and become proficient with IOS commands. However, by the time you’re nearing the exam, you might find that repeating basic configurations, like adding VLANs over and over, becomes tedious. This is why automation is gaining traction in the workplace—it helps prevent these errors and saves time by reducing the need for repetitive tasks. In this chapter, we’ll introduce the concept of automation and explore REST APIs, which are the preferred method for automating network devices today.
Chapter 16: Configuration Management In this chapter we’re going to take things to a whole new level, diving deeper into configuration management tools like Ansible, Puppet, and Terraform. These great features make it possible to automate almost everything in your infrastructure!
Appendix A: Answers to the Written Labs This appendix provides the answers to the end-of-chapter written labs.
Appendix B: Answers to the Review Questions This appendix provides the answers to the end-of-chapter review questions.
Interactive Online Learning Environment and Test Bank
The interactive online learning environment that accompanies the CCNA Certification Study Guide: Exam 200-301 v1.1 provides a test bank with study tools to help you prepare for the certification exams and increase your chances of passing them the first time! The test bank includes the following elements:
Sample tests All of the questions in this book are provided, including the assessment test, which you’ll find at the end of this introduction, and the review questions at the end of each chapter. In addition, you’ll find a practice exam for each book in the series. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.
Electronic flashcards The flashcards are included for quick reference and are great tools for learning quick facts. You can even consider these additional simple practice questions, which is essentially what they are.
PDF of glossary of terms There is a glossary included that covers the key terms used in this book.
The Sybex Interactive Online Test Bank, flashcards, and glossary can be accessed at http://www.wiley.com/go/Sybextestprep.
Todd Lammle Bonus Material and Labs Be sure to check www.lammle.com/ccna for directions on how to download all the latest bonus materials created specifically to help you study for your CCNA exam.
Todd Lammle Videos I have created a full CCNA series of videos that can be purchased at www.lammle.com/ccna.
Like all exams, the CCNA certification from Cisco is updated periodically and may eventually be retired or replaced. At some point after Cisco is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.
CCNA Exam Overview
Cisco has designed the new CCNA program to prepare you for today’s associate-level job roles in IT technologies. The CCNA 200-301 v1.1 exam now includes security and automation and programmability, and there is even a new CCNA DevNet certification. The new CCNA program has one certification that covers a broad range of fundamentals for IT careers.
The new CCNA certification covers a wide range of topics, including:
- Network fundamentals
- Network access
- IP connectivity
- IP services
- Security fundamentals
- Wireless
- Automation and programmability
Are There Any Prerequisites for Taking the CCNA Exam?
Not really, but having experience is really helpful. Cisco has no formal prerequisites for CCNA certification, but you should have an understanding of the exam topics before taking the exam.
CCNA candidates often also have:
- One or more years of experience implementing and administering Cisco solutions
- Knowledge of basic IP addressing
- A good understanding of network fundamentals
How to Use This Book
If you want a solid foundation for the serious effort of preparing for the new CCNA exam, then look no further. I’ve spent hundreds of hours putting together this book with the sole intention of helping you to pass the Cisco exams as well as really learning how to correctly configure Cisco routers and switches!
This book is loaded with valuable information, and you will get the most out of your study time if you understand the way in which this book is organized.
So to maximize your benefit from this book, I recommend the following study method:
Take the assessment test that’s provided at the end of this introduction. (The answers are at the end of the test.) It’s okay if you don’t know any of the answers; that’s why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the relevant material is covered. This information should help you plan your study strategy.
Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.
Answer all of the questions related to each chapter. (The answers appear in Appendix A and Appendix B.) Note the questions that confuse you and study the topics they cover again until the concepts are crystal clear. And again—do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember, these will not be the exact questions you will find on the exam, but they’re written to help you understand the chapter material and ultimately pass the exam!
Try your hand at the practice questions that are exclusive to this book. The questions can be found only at http://www.wiley.com/go/sybextestprep. Don’t forget to check out www.lammle.com/ccna for the most up-to-date Cisco exam prep questions, videos, hands-on labs, and Todd Lammle boot camps.
Test yourself using all the flashcards, which are also found on the download link listed in the Sybex downloads. These are brand-new and updated flashcards to help you prepare for the CCNA exam and a wonderful study tool!
To learn every bit of the material covered in this book, you’ll have to apply yourself regularly and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I’m confident that if you work hard, you’ll be surprised at how quickly you learn this material!
If you follow these steps and really study—doing hands-on labs every single day in addition to using the review questions, the practice exams, the Todd Lammle video sections, and the electronic flashcards, as well as all the written labs—it would actually be hard to fail the Cisco exams. But understand that studying for the Cisco exams is a lot like getting in shape—if you do not go to the gym every day, it’s not going to happen!
Where Do You Take the Exam?
You may take the CCNA Composite or any Cisco exam at any of the Pearson VUE authorized testing centers. For information, check www.vue.com or call 877-404-EXAM (3926).
To register for a Cisco exam, follow these steps:
Determine the number of the exam you want to take. (The CCNA exam number is 200-301.)
Register with the nearest Pearson VUE testing center. At this point, you will be asked to pay for the exam in advance. You can schedule exams up to six weeks in advance or as late as the day you want to take them—but if you fail a Cisco exam, you must wait five days before you will be allowed to retake it. If something comes up and you need to cancel or reschedule your exam appointment, contact Pearson VUE at least 24 hours in advance.
When you schedule the exam, you’ll get instructions regarding all appointment and cancellation procedures, the ID requirements, and information about the testing center location.
Tips for Taking Your Cisco Exams
The Cisco exams contain about 50 or more questions and must be completed in about 90 minutes or so. It’s hard to write this information down today because it changes so often. You must get a score of about 85 percent to pass this exam, but again, each exam can be different.
Many questions on the exam have answer choices that at first glance look identical—especially the syntax questions! So remember to read through the choices carefully because close just doesn’t cut it. If you get commands in the wrong order or forget one measly character, you’ll get the question wrong. So, to practice, do the hands-on exercises at the end of this book’s chapters over and over again until they feel natural to you.
Also, never forget that the right answer is the Cisco answer. In many cases, more than one appropriate answer is presented, but the correct answer is the one that Cisco recommends. On the exam, you will always be told to pick one, two, or three options, never to “choose all that apply.”
The Cisco exam may include the following test formats:
Multiple-choice single answer
Multiple-choice multiple answer
Drag-and-drop
Router simulations
Cisco proctored exams will not show the steps to follow in completing a router interface configuration, but they do allow partial command responses. For example, show run, sho running, or sh running-config would be acceptable.
Here are some general tips for exam success:
Arrive early at the exam center so you can relax and review your study materials.
Read the questions carefully. Don’t jump to conclusions. Make sure you’re clear about exactly what each question asks. Read twice, answer once, is what I always tell my students.
When answering multiple-choice questions that you’re not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.
You can no longer move forward and backward through the Cisco exams, so double-check your answer before clicking Next because you can’t change your mind.
After you complete an exam, you’ll get an immediate, online notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.)
Test scores are automatically forwarded to Cisco within five working days after you take the test, so you don’t need to send your score to the company. If you pass the exam, you’ll receive confirmation from Cisco, typically within two to four weeks, sometimes a bit longer.
CCNA Certification Exam 200-301 v1.1 Objectives
The following table shows where each objective is covered in this book series:
How to Contact the Publisher
If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line Possible Book Errata Submission.
Assessment Test
What is the sys-id-ext field in a BPDU used for?
It is a 4-bit field inserted into an Ethernet frame to define trunking information between switches.
It is a 12-bit field inserted into an Ethernet frame to define VLANs in an STP instance.
It is a 4-bit field inserted into a non-Ethernet frame to define EtherChannel options.
It is a 12-bit field inserted into an Ethernet frame to define STP root bridges.
You have four RSTP PVST+ links between switches and want to aggregate the bandwidth. What solution will you use?
EtherChannel
PortFast
BPDU Channel
VLANs
EtherBundle
What configuration parameters must be configured the same between switches for LACP to form a channel? (Choose three.)
Virtual MAC address
Port speeds
Duplex
PortFast enabled
Allowed VLAN information
Which router command allows you to view the entire contents of all access lists?
show all access-lists
show access-lists
show ip interface
show interface
You receive notice that packets on an interface appear to be allowed through an IPv4 ACL. You verify that the ACL is applied to the correct interface. Which misconfigurations cause this behavior? (Choose two.)
The ACL is empty.
A matching permit statement is too broadly defined.
The packets fail to match any permit statement.
A matching deny statement is too high in the access list.
A matching permit statement is too high in the access list.
What are the main types of access control lists (ACLs)? (Choose two.)
Standard
IEEE
Extended
Specialize
You need to connect to a remote IPv6 server in your virtual server farm. You can connect to the IPv4 servers but not the critical IPv6 server you desperately need. Based on the following output, what could your problem be?
C:\>ipconfig
Connection-specific DNS Suffix . : localdomain
IPv6 Address. . . . . . . . . . . : 2001:db8:3c4d:3:ac3b:2ef:1823:8938
Temporary IPv6 Address. . . . . . : 2001:db8:3c4d:3:2f33:44dd:211:1c3d
Link-local IPv6 Address . . . . . : fe80::ac3b:2ef:1823:8938%11
IPv4 Address. . . . . . . . . . . : 10.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
The global address is in the wrong subnet.
The IPv6 default gateway has not been configured or received from the router.
The link-local address has not been resolved, so the host cannot communicate with the router.
There are two IPv6 global addresses configured. One must be removed from the configuration.
What command is used to view the IPv6-to-MAC-address resolution table on a Cisco router?
show ip arp
show ipv6 arp
show ip neighbors
show ipv6 neighbors
show arp
An IPv6 ARP entry is listed with a status of REACH. What can you conclude about the IPv6-to-MAC-address mapping?
The interface has communicated with the neighbor address, and the mapping is current.
The interface has not communicated within the neighbor-reachable time frame.
The ARP entry has timed out.
IPv6 can reach the neighbor address, but the addresses have not yet been resolved.
Which protocol is used to send a destination network unknown message back to originating hosts?
TCP
ARP
ICMP
BootP
Which of the following is considered to be the inside host’s address after translation?
Inside local
Outside local
Inside global
Outside global
You connect to your NGFW, and your inside local addresses are not being translated to the inside global addresses. Which of the following commands will show you if your inside globals are allowed to use the NAT pool?
ip nat pool Corp 198.18.41.129 198.18.41.134 netmask 255.255.255.248
ip nat inside source list 100 int pool Corp overload
debug ip nat
show access-list
show ip nat translation
show ip nat statistics
You want to send a console message to a syslog server, but you only want to send status messages of 3 and lower. Which of the following commands will you use?
logging trap emergencies
logging trap errors
logging trap debugging
logging trap notifications
logging trap critical
logging trap warnings
logging trap alerts
You want to enable SSH on a switch. Which conditions must be met before SSH can operate normally on a Cisco IOS switch? (Choose two.)
IP routing must be enabled on the switch.
A console password must be configured on the switch.
Telnet must be disabled on the switch.
The switch must be running a k9 (crypto) IOS image.
The ip domain-name command must be configured on the switch.
Which of the following defines the differences between AAA authentication and authorization?
Authentication identifies and verifies a user attempting to access a system, and authorization controls the tasks the user can perform.
Authentication controls the system processes a user can access, and authorization logs the activities the user initiates.
Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database.
Authentication identifies a user who is attempting to access a system, and authorization validates the user’s password.
You want to use a password manager application to make administration easier. In which ways does a password manager reduce the chance of a hacker stealing a user’s password? (Choose two.)
It automatically provides a second authentication factor that is unknown to the original user.
It uses an internal firewall to protect the password repository from unauthorized access.
It protects against keystroke logging on a compromised device or website.
It stores the password repository on the local workstation with built-in antivirus and anti-malware functionality.
It encourages users to create stronger passwords.
You want to use HSRP version 2, but you need to know the multicast address and port number for configuration on the NGFW. What’s the multicast and port number?
224.0.0.2, UDP port 1985
224.0.0.2. TCP port 1985
224.0.0.102, UDP port 1985
224.0.0.102, TCP port 1985
Which command displays the status of all HSRP groups on a Cisco router or layer 3 switch?
show ip hsrp
show hsrp
show standby hsrp
show standby
show hsrp groups
Which QoS mechanism will drop traffic if a session uses more than the allotted bandwidth?
Congestion management
Shaping
Policing
Marking
Which QoS per-hop behavior changes the value of the ToS field in the IPv4 packet header?
Shaping
Classification
Policing
Marking
WPA3 replaced the default open authentication with which of the following enhancements?
AES
OWL
OWE
TKIP
What’s the maximum data rate for the 802.11a standard?
6 Mbps
11 Mbps
22 Mbps
54 Mbps
What DNS record do you need to create for APs to automatically discover the WLC?
CISCO-WLC-CONTROLLER
WLC-CONTROLLER
CISCO-AP-CONTROLLER
CISCO-DISCOVER-CONTROLLER
CISCO-CAPWAP-CONTROLLER
What’s the default QoS queue for a WLAN?
Gold
Platinum
Bronze
Silver
Diamond
Your boss read about WPA3 and wants you to explain it to them. WPA3 replaced the default open authentication with which of the following enhancements?
AES
OWL
OWE
TKIP
Which AP modes serve wireless traffic? (Choose two.)
Local
Monitor
FlexConnect
Sniffer
SE-Connect
What is zero-touch provisioning (ZTP) in the context of Meraki devices?
Automatic network diagram generation.
Preconfigured devices automatically download their configurations upon connection.
Manual setup of each device in the network.
Automated backup of device configurations to the cloud.
Why would you install virtualization in your data center over physical server deployment?
Reduced need for power and cooling
Easier physical access to servers
Faster deployment of applications
Improved physical security
Why is configuring a standard hardware switch harder than a distributed virtual switch?
Lack of VLAN support
No trunking capability
Manual configuration on each hypervisor
Inability to connect virtual machines to the network
Which protocol is commonly used as a southbound interface in SDN environments to communicate between the SDN controller and network devices?
SNMP
NETCONF
HTTP
SMTP
Which protocol is commonly used for REST APIs in Catalyst Center?
SSH
SMTP
SNMP
HTTP
Which of the following is a key constraint of a RESTful API?
The server must store the session state.
The client initiates requests to the server.
Only XML data can be used.
All requests must use the GET method.
In REST APIs, which of the following best describes HATEOAS?
It requires clients to manage the server state.
It mandates the use of the JSON data format.
It ensures that the API is self-discoverable.
It is a method for encrypting API requests.
What is a key benefit of using infrastructure as code (IaC) in network management?
It allows network devices to be configured manually.
It ensures that network configurations are consistently applied across environments.
It requires no initial setup for automation.
It replaces the need for monitoring tools in network management.
Which configuration management tool does not require agents to be installed on target systems and uses SSH for applying configurations?
Puppet
Chef
Ansible
Terraform
Answers to Assessment Test
B. To allow for the PVST+ to operate, there’s a field inserted into the BPDU to accommodate the extended system ID so that PVST+ can have a root bridge configured per STP instance. The extended system ID (VLAN ID) is a 12-bit field, and we can even see what this field is carrying via show spanning-tree command output. See Chapter 1 for more information.
A. Cisco’s EtherChannel can bundle up to eight ports between switches to provide resiliency and more bandwidth between switches. See Chapter 1 for more information.
B, C, E. All the ports on both sides of every link must be configured exactly the same between switches or it will not work. Speed, duplex, and allowed VLANs must match. See Chapter 1 for more information.
B. To see the contents of all access lists, use the show access-lists command. See Chapter 2 for more information.
B, E. If all or too much traffic is being allowed, your permit statements are configured too broadly, and/or the statement is too high in the ACL. See Chapter 2 for more information.
A, C. Standard and extended access control lists (ACLs) are used to configure security on a router. See Chapter 2 for more information.
B. There is no IPv6 default gateway listed in the output, which will be the link-local address of the router interface sent to the host as a router advertisement. Until this host receives the router address, the host will communicate with IPv6 only on the local subnet. See Chapter 3 for more information.
D. The command show ipv6 neighbors provides the ARP cache on a router. See Chapter 3 for more information.
A. If the state is STALE when the interface has not communicated within the neighbor-reachable time frame, the next time the neighbor communicates, the state will be REACH. See Chapter 4 for more information.
C. ICMP is the protocol at the Network layer that is used to send messages back to an originating router. See Chapter 4 for more information.
C. An inside global address is considered to be the IP address of the host on the private network after translation. See Chapter 5 for more information.
B. Once you create your pool, the command ip nat inside source must be used to say which inside locals are allowed to use the pool. In this question, we need to see if access list 100 is configured correctly, if at all, so show access-list is the best answer. See Chapter 5 for more information.
B. There are eight different trap levels. If you choose, for example, level 3, level 0 through level 3 messages will be displayed. See Chapter 6 for more information.
D, E. To use SSH on a Cisco router, the IOS image must be a k9 (crypto) image, and you must configure the IP DNS domain for the router. See Chapter 6 for more information.
A. AAA stands for authentication, authorization, and accounting. Authentication: Specify who you are (usually via login username and password). Authorization: Specify what actions you can do and what resources you can access. Accounting: Monitor what you do and how long you do it (can be used for billing and auditing). See Chapter 7 for more information.
C, E. It protects against keystroke logging on a compromised device or website and encourages users to create stronger passwords. See Chapter 7 for more information.
C. In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 and UDP port 1985. See Chapter 8 for more information.
D. Show standby is your friend when dealing with HSRP. See Chapter 8 for more information.
C. When traffic exceeds the allocated rate, the policer can take one of two actions. It can either drop traffic or re-mark it to another class of service. The new class usually has a higher drop probability. See Chapter 9 for more information.
D. QoS marking changes the value of the ToS field in the IPv4 packet header. See Chapter 9 for more information.
A. The IEEE 802.11i standard replaced Wired Equivalent Privacy (WEP) with a specific mode of the Advanced Encryption Standard (AES) known as the Counter Mode Cipher Block Chaining-Message Authentication Code (CBC-MAC) protocol. This allows AES-Counter Mode CBC-MAC Protocol (AES-CCMP) to provide both data confidentiality (encryption) and data integrity. See Chapter 10 for more information.
C. IEEE 802.11b and IEEE 802.11g both run in the 2.4 GHz RF range. See Chapter 10 for more information.
E. For the DNS method, you need to create an A record for CISCO-CAPWAP-CONTROLLER that points to the WLC management IP. See Chapter 11 for more information.
D. WLANs default to the Silver queue, which effectively means no QoS is being utilized. See Chapter 11 for more information.
C. The 802.11 open authentication support has been replaced with the Opportunistic Wireless Encryption (OWE) enhancement, which is an enhancement, not a mandatory certified setting. See Chapter 11 for more information.
A, C. The two AP modes listed that can serve wireless traffic are local and FlexConnect. See Chapter 11 for more information.
B. ZTP allows Meraki devices to automatically download their preconfigured settings from the cloud once connected to the network, simplifying deployment. See Chapter 12 for more information.
C. Virtualization allows us to deploy applications much faster than physical deployments. See Chapter 13 for more information.
C. Standard switches require each hypervisor to be configured manually. See Chapter 13 for more information.
B. NETCONF is a popular protocol used for communication between the SDN controller and network devices. It allows the controller to configure and manage the devices programmatically. See Chapter 14 for more information.
D. REST APIs in Catalyst Center typically use HTTP or HTTPS as the transport protocol for managing and interacting with network devices programmatically. See Chapter 14 for more information.
B. In RESTful APIs, the communication is client-server based, where the client initiates the requests and the server processes and responds to these requests. See Chapter 15 for more information.
C. HATEOAS (Hypermedia as the Engine of Application State) is a constraint of REST APIs that ensures the API can guide the client on how to interact with it by providing links to other related resources dynamically. See Chapter 15 for more information.
B. IaC helps to automate network management by defining configurations in code, ensuring that they are applied consistently across environments, and reducing configuration drift and human errors. See Chapter 16 for more information.
C. Ansible is an agentless configuration management tool that uses SSH to connect to and configure target systems, making it simple to use and widely supported in network management. See Chapter 16 for more information.
Chapter 1
Enhanced Switched Technologies
THE FOLLOWING CCNA EXAM TOPICS ARE COVERED IN THIS CHAPTER:
2.0 Network Access
2.4 Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)
2.5 Interpret basic operations of Rapid PVST+ Spanning Tree Protocol
2.5.a Root port, root bridge (primary/secondary), and other port names
2.5.b Port states and roles
2.5.c PortFast
2.5.d Root guard, loop guard, BPDU filter, and BPDU guard
Long ago, a company called Digital Equipment Corporation (DEC) created the original version of the Spanning Tree Protocol (STP). The IEEE later created its own version of STP called 802.1d. Cisco has moved toward another industry standard in its newer switches, called 802.1w. We’ll explore both the old and new versions of STP in this chapter, but first, I’ll define some important STP basics.
Routing protocols like RIP and OSPF have processes for preventing loops from occurring at the Network layer, but if you have redundant physical links between your switches, these protocols won’t do a thing to stop loops from occurring at the Data Link layer. That’s exactly why STP was developed—to put an end to loop issues in a layer 2 switched network. This is why, in this chapter, we’ll be thoroughly exploring the key features of this vital protocol as well as how it works within a switched network.
After covering STP in detail, we’ll move on to explore EtherChannel at the end of this chapter.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna.
Spanning Tree Protocol (STP)
STP achieves its primary objective of preventing network loops on layer 2 bridges or switches by monitoring the network to track all links and shutting down the redundant ones. STP uses the spanning-tree algorithm (STA) to first create a topology database and then search out and disable redundant links. With STP running, frames are forwarded only on the best, STP-chosen links.
The STP is a great protocol to use in networks like the one shown in Figure 1.1.
FIGURE 1.1 A switched network with switching loops
This is a switched network with a redundant topology that includes switching loops. Without some type of layer 2 mechanism in place to prevent a network loop, this network is vulnerable to nasty issues like broadcast storms, multiple frame copies, and MAC table thrashing! Figure 1.2 shows how this network would work with STP working on the switches.
FIGURE 1.2 A switched network with STP
There are a few types of spanning-tree protocols, but I’ll start with the IEEE version 802.1d, which happens to be the default on all Cisco IOS switches.
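As an added worked example (not code from the book), the following Python models the spanning-tree algorithm just described on a constructed four-switch topology with redundant links: it elects the root bridge by the lowest bridge ID (priority plus the VLAN ID carried in the 12-bit extended system ID, then the base MAC), finds each non-root switch’s lowest-cost path to the root, and lists the redundant links STP would leave blocked. The switch names, MAC addresses and link speeds are constructed sample data; the per-port cost values are the IEEE 802.1D short table, which this page does not list, and an equal-cost tie is broken by the lower upstream bridge ID as STP does.

```python
"""Spanning-tree algorithm (STA) walkthrough: root election, root ports and
blocked links. Added example, not code from the book; all switch names, MACs
and links below are constructed sample data."""
from __future__ import annotations
import heapq

# IEEE 802.1D short path-cost values, keyed by link speed in Mbps (assumed
# table; the page itself does not list cost values).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    """Comparable PVST+ bridge ID for one VLAN: (priority + VLAN ID carried
    in the 12-bit extended system ID, base MAC as an integer). Lowest wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address must be 48 bits")
    return (priority + vlan, mac_int)


def elect_root(switches: dict[str, tuple[int, str]], vlan: int) -> str:
    """The root bridge is the switch with the lowest bridge ID for the VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def spanning_tree(switches, links, vlan):
    """switches: name -> (configured priority, base MAC)
    links: list of (switch_a, switch_b, speed_mbps), possibly redundant
    Returns (root, root path cost per switch, root-port neighbour per non-root
    switch, list of links STP leaves blocked)."""
    ids = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(ids, key=ids.get)
    adj: dict[str, list[tuple[str, int, int]]] = {}
    for idx, (a, b, speed) in enumerate(links):
        adj.setdefault(a, []).append((b, PORT_COST[speed], idx))
        adj.setdefault(b, []).append((a, PORT_COST[speed], idx))
    # best[switch] = (path cost to root, upstream bridge ID, upstream switch, link index)
    # Lowest cumulative port cost wins; an equal-cost tie goes to the path whose
    # upstream neighbour has the lower bridge ID, which is how STP breaks root-port ties.
    best = {root: (0, ids[root], None, None)}
    heap = [(0, ids[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nbr, port_cost, idx in adj.get(node, []):
            cand = (cost + port_cost, ids[node], node, idx)
            if nbr not in best or cand[:2] < best[nbr][:2]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], ids[nbr], nbr))
    # Links carrying a root port form the tree; every other link is redundant
    # and ends up blocked on its non-designated end.
    tree = {entry[3] for entry in best.values() if entry[3] is not None}
    costs = {n: entry[0] for n, entry in best.items()}
    root_ports = {n: entry[2] for n, entry in best.items() if entry[2] is not None}
    blocked = [link for idx, link in enumerate(links) if idx not in tree]
    return root, costs, root_ports, blocked


SWITCHES = {  # constructed: name -> (priority, base MAC)
    "Core1": (4096, "0000.0c11.1111"),   # priority lowered to force it to be root
    "Core2": (32768, "0000.0c00.0002"),  # lowest MAC, but only wins on a priority tie
    "Access1": (32768, "0000.0c22.2222"),
    "Access2": (32768, "0000.0c33.3333"),
}
LINKS = [  # constructed redundant topology: (switch, switch, speed in Mbps)
    ("Core1", "Core2", 10000),
    ("Core1", "Access1", 1000),
    ("Core1", "Access2", 1000),
    ("Core2", "Access1", 1000),
    ("Core2", "Access2", 1000),
    ("Access1", "Access2", 100),
]

if __name__ == "__main__":
    root, costs, root_ports, blocked = spanning_tree(SWITCHES, LINKS, vlan=10)
    print("root bridge:", root)
    for sw in SWITCHES:
        print(f"  {sw}: cost {costs[sw]}, root port -> {root_ports.get(sw, 'n/a (root)')}")
    print("blocked links:", blocked)
```

Running it with all four priorities left at the default 32768 makes Core2 the root purely because it has the lowest base MAC, which is why the chapter recommends lowering the priority on the switch you actually want at the centre of the tree.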
Spanning-Tree Terms
Now, before I get into describing the details of how STP works within a network, it would be good for you to have these basic ideas and terms down first:
Root bridge The root bridge is the bridge with the lowest and, therefore, the best bridge ID. The switches within the STP network elect a root bridge, which becomes the focal point in the network. All other decisions in the network, like which ports on the non-root bridges should be blocked or put in forwarding mode, are made from the perspective of the root bridge, and once it has been elected, all other bridges must create a single path to it. The port with the best path to the root bridge is called the root port.
Non-root bridges These are all bridges that aren’t the root bridge. Non-root bridges exchange BPDUs with all the other bridges and update the STP topology database on all switches. This prevents loops and helps defend against link failures.
BPDU All switches exchange information to use for the subsequent configuration of the network. Each switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that it sends to a neighbor with the parameters in the BPDU that it receives from other neighbors. Inside the BPDU is the bridge ID.
Bridge ID The bridge ID is how STP keeps track of all the switches in the network. It’s determined by a combination of the bridge priority, which is 32,768 by default on all Cisco switches, and the base MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network. Once the root bridge is established, every other switch must make a single path to it. Most networks benefit by forcing a specific bridge or switch to be on the root bridge by setting its bridge priority lower than the default value.
Port cost Port cost determines the best path when multiple links are used between two switches. The cost of a link is determined by the bandwidth of a link, and this path cost is the deciding factor used by every bridge to find the most efficient path to the root bridge.
Path cost A switch may encounter one or more switches on its path