← All Certifications Cisco

Cisco Certification Prep

Domain guides, lab strategies, and practice questions for Cisco certifications — CCNA, CCNP Security, CyberOps Associate, and CCIE. Built for network engineers and security professionals working with Cisco infrastructure.

200-301 · 120 minutes · 100-120 questions

CCNA — Cisco Certified Network Associate

The industry-standard entry-level networking certification. CCNA validates the ability to install, configure, operate, and troubleshoot medium-sized routed and switched networks. It is a prerequisite (recommended or required) for most Cisco professional-level certifications and many network engineer roles.

Exam domains

Domain 1 · 20%

Network Fundamentals

OSI and TCP/IP models, Layer 2 vs Layer 3 operation, common network topologies (star, mesh, hybrid), switching concepts (CAM tables, MAC learning, flooding, forwarding), cabling types, and IPv4 and IPv6 addressing including subnetting from memory (CIDR notation, subnet masks, variable-length subnet masking).

Domain 2 · 20%

Network Access

VLANs (configuration, trunking with 802.1Q, native VLAN), EtherChannel (LACP, PAgP), Rapid PVST+ Spanning Tree Protocol (STP port states, root bridge election, port roles), wireless fundamentals (802.11 standards, SSID, BSS, ESS, WPA2/WPA3), and Cisco Wireless LAN Controller (WLC) basics.

Domain 3 · 25%

IP Connectivity

Static routing, OSPFv2 (single area, neighbour relationships, DR/BDR election, LSA types), IPv4 and IPv6 routing, first-hop redundancy (HSRP), and inter-VLAN routing (Router-on-a-Stick, Layer 3 switches). Key lab: configuring OSPF, verifying neighbour adjacencies with show ip ospf neighbor.

Domain 4 · 10%

IP Services

NAT (static, dynamic, PAT/overload), NTP (client/server configuration), DHCP (server configuration and DHCP relay), QoS concepts (classification, marking, queuing), SNMP, syslog, and FTP/TFTP/SCP for IOS image management.

Domain 5 · 15%

Security Fundamentals

AAA concepts, ACLs (standard, extended, named; numbered; IPv4 and IPv6), port security configuration and violation modes, DHCP snooping, Dynamic ARP Inspection (DAI), 802.1X port-based authentication, VPN types (site-to-site, remote access, SSL VPN), and SSH vs Telnet.

Domain 6 · 10%

Automation & Programmability

Benefits of automation, controller-based vs traditional networking, Cisco DNA Centre overview, REST API concepts (HTTP methods, JSON, YANG), Puppet vs Chef vs Ansible vs Python for network automation, and software-defined networking (SDN) architecture.

Key CCNA CLI commands to memorise

  • show ip interface brief — Check interface status and IP addresses
  • show ip route — Display the routing table
  • show vlan brief — List all VLANs and assigned ports
  • show interfaces trunk — Verify trunking configuration
  • show ip ospf neighbor — Confirm OSPF neighbour adjacencies
  • show spanning-tree — Display STP topology and root bridge
  • show cdp neighbors detail — Discover directly connected Cisco devices
  • show access-lists — View ACL entries and match counters
  • debug ip ospf adj — Troubleshoot OSPF adjacency formation
Core exam + one concentration

CCNP Security — Cisco Certified Network Professional Security

Professional-level security certification covering enterprise security solutions, network access control, and threat defence. CCNP Security requires passing the core exam (350-701 SCOR) plus one concentration exam of your choice. No prerequisites required officially, but CCNA-level knowledge is strongly assumed.

Core Exam 350-701 SCOR

Implementing & Operating Core Security Technologies

Security concepts (20%), network security (25%), cloud security (20%), content security (15%), endpoint protection and detection (10%), secure network access, visibility, and enforcement (10%). Covers Cisco Firepower, Cisco SecureX, Cisco Umbrella, ISE, and Cisco Secure Email.

Concentration: 300-715 SISE

Implementing Cisco Identity Services Engine

ISE architecture, 802.1X wired and wireless, MAB (MAC Authentication Bypass), guest access, BYOD and device onboarding, profiling, TrustSec and Security Group Tags (SGT), and ISE troubleshooting using radius and ISE logs.

Concentration: 300-710 SNCF

Securing Networks with Cisco Firepower

Cisco Firepower Management Centre (FMC) administration, Firepower Threat Defence (FTD) policy configuration (access control, intrusion, file, malware, SSL), NAT on FTD, site-to-site and remote access VPN on FTD, and HA configuration.

Concentration: 300-730 SVPN

Implementing Secure Solutions with VPN

Site-to-site VPN (IPsec IKEv2), FlexVPN, DMVPN (hub-and-spoke, spoke-to-spoke), AnyConnect remote access VPN, SSL VPN, and VPN troubleshooting on IOS and FTD platforms.

200-201 CBROPS · 120 minutes

CyberOps Associate

Entry-level SOC analyst certification covering security monitoring, threat detection, incident analysis, and response. Designed for Tier 1 and Tier 2 SOC analyst roles. Highly practical — covers real-world analysis skills like packet capture analysis and log correlation.

Domain 1 · 20%

Security Concepts

CIA triad, security terminology (threat, vulnerability, exploit, risk, countermeasure), cryptography fundamentals, PKI, authentication, authorisation, access control, and the Windows and Linux security models relevant to SOC analysis.

Domain 2 · 25%

Security Monitoring

Data types monitored in a SOC (NetFlow, PCAP, logs, alerts), TCP/IP analysis, common attack signatures, application protocol analysis (HTTP, DNS, SMTP, ICMP), log sources and SIEM integration, and network behaviour analysis (baseline vs anomaly).

Domain 3 · 20%

Host-Based Analysis

Windows and Linux operating system artefacts (registry, file system, processes, network connections), endpoint security tools (AV, EDR), Windows event log analysis (critical event IDs), and Linux syslog and audit log analysis.

Domain 4 · 20%

Network Intrusion Analysis

Snort/Firepower IDS/IPS rule analysis, Wireshark packet analysis, network forensics, identifying attack patterns in traffic captures (port scans, exfiltration, C2 beaconing), and correlating network and host artefacts.

Domain 5 · 15%

Security Policies and Procedures

Incident response procedures, SOC processes and escalation workflows, NIST CSF and Cyber Kill Chain mapping, compliance frameworks relevant to SOC operations, and evidence handling basics.

Expert level

CCIE Security — Cisco Certified Internetwork Expert

The CCIE is one of the most respected and difficult technical certifications in the industry. The CCIE Security track requires passing a qualifying exam (350-701 SCOR) followed by an 8-hour practical lab exam administered at a Cisco authorised lab location. Most candidates have 5–7 years of hands-on Cisco security experience before attempting.

Lab Exam Focus Area 1

Perimeter Security

Cisco ASA and FTD configuration, zone-based firewall (ZBF), NAT policies, Firepower access control policies, IPS and malware defence, and SSL decryption configuration and troubleshooting.

Lab Exam Focus Area 2

Secure Connectivity & Network Access

IPsec IKEv2, FlexVPN, DMVPN Phase 1/2/3, AnyConnect VPN with advanced profiles, 802.1X with ISE, SGT and TrustSec micro-segmentation, and MACsec (802.1AE) for data link layer encryption.

Lab Exam Focus Area 3

Advanced Threat Protection

Cisco Secure Endpoint (AMP), Cisco Umbrella integration, Cisco SecureX orchestration, threat intelligence feeds, Stealthwatch network detection, and integration with SIEM/SOAR platforms.

Preparation Strategy

CCIE Lab Preparation

Most candidates dedicate 6–18 months to CCIE lab preparation using: Cisco's official lab preparation programme, INE CCIE Security bootcamps, and a personal Cisco lab (or CML/EVE-NG simulation). Expect to spend 1,000+ hours in hands-on configuration and troubleshooting practice before the lab exam.

CCNA 200-301 sample questions

Practice Questions — CCNA

1. You configure an extended ACL on a router to block HTTP traffic from host 192.168.1.10 to any destination. Where should you apply this ACL?

  • A) Inbound on the destination interface, closest to the destination
  • B) Outbound on the source interface, closest to the source
  • C) Inbound on the source interface, closest to the source
  • D) Outbound on the destination interface, closest to the destination
Answer: C Extended ACLs should be placed as close to the source as possible to prevent unnecessary traffic from traversing the network. The inbound direction on the interface closest to the source (192.168.1.10's network) filters the traffic before it is routed. Standard ACLs should be placed close to the destination.

2. Two routers in the same OSPF area are not forming a neighbour adjacency. Router A shows the neighbour in "INIT" state. What is the most likely cause?

  • A) The routers have mismatched area IDs
  • B) Router A can see Router B's Hello packets but Router B is not receiving Router A's Hellos (unidirectional communication)
  • C) The routers have mismatched OSPF process IDs
  • D) The Hello and Dead timers are mismatched between the routers
Answer: B OSPF "INIT" state means Router A has received a Hello from Router B, but Router A's own Router ID does not appear in Router B's neighbour list — indicating one-way communication. Mismatched area IDs or timers (A, D) would prevent even "INIT" state from forming. Mismatched OSPF process IDs (C) do not prevent adjacency.

3. Which VTP mode allows a switch to create, modify, and delete VLANs and passes VTP advertisements to other switches?

  • A) VTP Transparent
  • B) VTP Server
  • C) VTP Client
  • D) VTP Off
Answer: B VTP Server mode is the default Cisco switch VTP mode. It can create, modify, and delete VLANs, originates and forwards VTP advertisements, and saves VLAN configuration to NVRAM. VTP Client (C) receives updates but cannot create VLANs. VTP Transparent (A) does not participate in the VTP domain but forwards advertisements.

4. A network engineer runs show ip ospf neighbor and sees the neighbour is stuck in "EXSTART" state. What is the MOST likely cause?

  • A) Mismatched Hello and Dead timers
  • B) MTU mismatch between the two routers
  • C) Mismatched OSPF area IDs
  • D) The neighbour is in a different autonomous system
Answer: B EXSTART is the state where routers negotiate the DBD master/slave relationship and exchange Database Description packets. A stuck EXSTART state almost always indicates an MTU mismatch — one router tries to send a DBD packet larger than the other can receive, causing the exchange to fail. Fix with ip ospf mtu-ignore or by aligning interface MTUs. Mismatched timers (A) prevent reaching even INIT state. Mismatched area IDs (C) prevent reaching 2-WAY state.

5. Which command on a Cisco switch verifies that DHCP snooping is enabled and shows the binding table of MAC-to-IP mappings?

  • A) show ip dhcp pool
  • B) show ip dhcp snooping binding
  • C) show mac address-table
  • D) show arp
Answer: B show ip dhcp snooping binding displays the DHCP snooping binding database — the table of MAC address, IP address, VLAN, and interface mappings built from snooped DHCP transactions. This table is also used by Dynamic ARP Inspection (DAI) to validate ARP replies. show ip dhcp snooping (no "binding") shows the feature status and interface trust states. This command pair appears directly on the CCNA 200-301 exam blueprint.

6. A network uses the 10.0.0.0/8 address space. You need 30 subnets with at least 500 hosts each. Which subnet mask meets both requirements?

  • A) /23 — 2 subnets per octet, 510 usable hosts
  • B) /22 — up to 64 subnets in the 10.x range, 1,022 usable hosts
  • C) /24 — 256 subnets, but only 254 hosts
  • D) /21 — 32 subnets, 2,046 usable hosts
Answer: B /22 mask: 2^(22−8) = 2^14 = 16,384 possible subnets from 10.0.0.0/8 (more than 30 ✓). Hosts per subnet: 2^(32−22) − 2 = 1,022 (more than 500 ✓). /23 gives 510 hosts (✓ for hosts) but only 2^(23−8) = 32,768 subnets — both work mathematically, however /22 is the more efficient allocation for 500+ hosts. /24 (C) only gives 254 hosts — fails the host requirement. Always verify both constraints: subnets needed and hosts needed.

7. Which Cisco IOS command creates a local user account with privilege level 15 (full access) and a securely hashed password?

  • A) username admin password cisco
  • B) username admin privilege 15 secret Str0ngP@ss!
  • C) username admin enable secret Str0ngP@ss!
  • D) username admin level 15 password Str0ngP@ss!
Answer: B The correct syntax is username [name] privilege [0-15] secret [password]. Using secret stores the password as a Cisco Type 5 (MD5) or Type 9 (scrypt) hash — never in cleartext. Using password (option A) stores in reversible Type 7 encoding which is trivially decoded. Privilege 15 is the highest level, equivalent to enable mode access. This is a frequently tested CCNA hardening command — also appears in the CCNA security fundamentals domain.

8. You need to configure a router to use Python scripts for network automation. Which Cisco feature and related standard enables this?

  • A) Telnet with script parsing
  • B) NETCONF/YANG — structured network configuration via SSH using XML data models
  • C) SNMP v2c for configuration push
  • D) CLI scripting with Expect
Answer: B NETCONF (RFC 6241) is a network management protocol that uses SSH as transport and XML as its encoding. YANG (RFC 6020) defines data models describing device configurations. NETCONF + YANG is the modern programmatic interface that Python libraries (ncclient, Netmiko, Ansible cisco.ios collection) use to configure Cisco devices reliably — structured data in, structured data out. SNMP (C) was designed for monitoring, not configuration. CCNA 200-301 Domain 6 (Automation & Programmability, 15%) now tests NETCONF/RESTCONF/YANG awareness. Reference: Cisco DevNet — NETCONF & YANG.
Hands-on learning

Lab Strategy for Cisco Certification

Cisco certifications heavily reward hands-on practice. Questions describe network scenarios and require interpreting CLI output. Build a consistent lab habit from week one.

Simulation options

  • Cisco Packet Tracer (free): Sufficient for CCNA. Covers routing, switching, wireless, and basic security. Download from Cisco NetAcad.
  • GNS3 (free, open source): Runs actual Cisco IOS images. More realistic for CCNP+ labs. Requires IOS images (licence required).
  • Cisco Modelling Labs (CML): Official Cisco simulator with full IOS XE, IOS XR, and NX-OS support. Subscription-based.
  • EVE-NG: Network emulation environment popular for CCNP and CCIE prep. Community edition free.

Daily lab habit (CCNA)

  • 30 minutes minimum per day — consistency beats marathon sessions
  • Build every topology from scratch rather than loading saved configs
  • Practice troubleshooting scenarios: break a working topology, then fix it
  • Learn show commands before configuration commands — verification is the exam skill
  • Build a personal reference document of every lab scenario and outcome

Explore other certification tracks

← All Certifications CompTIA Prep → Cloud Certs →
SCOR 350-701 · CCNP Security core exam

Practice Questions — CCNP Security (SCOR)

The SCOR core exam covers network security, cloud security, content security, endpoint protection, and secure network access. Questions test conceptual understanding and product family selection, not CLI syntax.

1. An enterprise wants to prevent malware-infected endpoints from accessing sensitive network segments while allowing clean devices full access. Which Cisco solution provides this capability through device posture assessment?

  • A) Cisco Umbrella
  • B) Cisco Identity Services Engine (ISE) with posture module
  • C) Cisco Secure Email Gateway
  • D) Cisco Firepower Threat Defense (FTD)
Answer: B Cisco ISE with the posture module evaluates endpoint compliance (OS patches, antivirus, disk encryption) during network authentication. Non-compliant devices are placed in a remediation VLAN or denied access to sensitive segments through dynamic policy enforcement via 802.1X, MAB, or web authentication. Umbrella (A) provides DNS security. FTD (D) is a next-generation firewall — it enforces policies but doesn't assess device health.

2. Which technology protects against DNS-based data exfiltration and blocks connections to newly registered domains associated with malware command-and-control?

  • A) Cisco Secure Web Appliance (proxy)
  • B) Cisco Umbrella (DNS-layer security)
  • C) Cisco Email Security Appliance
  • D) Cisco Secure Endpoint (AMP)
Answer: B Cisco Umbrella operates at the DNS layer, inspecting all DNS queries before IP connections are made. It blocks queries to malicious domains (including C2 infrastructure, phishing sites, and newly registered domains) before any traffic reaches the malicious server. This works for all ports and protocols because it intercepts at DNS resolution — before the connection attempt. No on-premises appliance is needed; Umbrella uses cloud DNS resolvers.

3. A security team needs to enforce consistent security policy for users accessing corporate applications from branch offices and home locations. Which framework best addresses this requirement?

  • A) Traditional hub-and-spoke VPN with central firewall
  • B) Secure Access Service Edge (SASE) combining SD-WAN with cloud-delivered security
  • C) Per-user SSL VPN with split tunnelling
  • D) MPLS-based private WAN with perimeter firewalls
Answer: B SASE (Secure Access Service Edge) converges SD-WAN with cloud-delivered security services (SWG, CASB, ZTNA, FWaaS) into a unified architecture. It delivers consistent policy enforcement for users regardless of location without backhauling traffic to a central data centre — addressing both performance and security for distributed workforces. Hub-and-spoke VPN (A) creates latency and bottleneck issues at scale.

4. Which Cisco firewall deployment mode allows the FTD to inspect traffic without requiring changes to the existing network routing?

  • A) Routed mode
  • B) Transparent (bridge) mode
  • C) Inline mode with IP addresses on all interfaces
  • D) Passive monitoring mode
Answer: B Transparent (bridge) mode inserts the FTD into the traffic path as a Layer 2 device — it forwards traffic between connected segments without needing IP addresses on its inspection interfaces, requiring no routing changes. Routed mode (A) acts as a Layer 3 hop and requires IP addresses and routing changes. Passive mode (D) only monitors — it cannot block traffic.
200-201 CBROPS · Cisco CyberOps Associate

Practice Questions — CyberOps Associate (CBROPS)

CBROPS focuses on SOC analyst workflows — security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. Heavy emphasis on log interpretation and event triage rather than configuration syntax.

1. A SOC analyst is reviewing an alert showing an HTTP request to /admin/../../../../etc/passwd from an external IP. What type of attack is this?

  • A) SQL injection
  • B) Path/directory traversal attack
  • C) Cross-Site Scripting (XSS)
  • D) Server-Side Request Forgery (SSRF)
Answer: B The pattern ../ (or %2e%2e%2f URL-encoded) attempting to traverse upward in the directory hierarchy to access files outside the web root is the classic directory traversal signature. The target /etc/passwd is the Unix user account file commonly probed during initial exploitation. Defence: input validation, canonicalisation of paths, chroot jails, and least-privilege filesystem permissions for the web server process.

2. Which type of evidence has the HIGHEST priority for collection during incident response, due to its volatile nature?

  • A) Disk image of the affected system
  • B) Memory (RAM) contents and active network connections
  • C) Firewall logs
  • D) Backup archives
Answer: B RFC 3227's order of volatility: collect most volatile first. Order: 1) CPU registers and cache, 2) RAM and routing tables, 3) network connections and running processes, 4) temporary files, 5) disk, 6) remote logs, 7) physical configuration. Memory captures may contain unencrypted credentials, malware artefacts unpacked at runtime, and active network sockets that disappear at shutdown. Tools: Volatility, Rekall, LiME, FTK Imager (memory mode).

3. An analyst sees an event in the SIEM showing a Windows process spawning powershell.exe with the parameter -EncodedCommand followed by a long Base64 string. Which MITRE ATT&CK technique does this MOST likely represent?

  • A) T1059.001 PowerShell — Command and Scripting Interpreter (frequently used for execution and obfuscation)
  • B) T1003 OS Credential Dumping
  • C) T1486 Data Encrypted for Impact (ransomware)
  • D) T1078 Valid Accounts
Answer: A Base64-encoded PowerShell (-EncodedCommand or -e flag) is one of the most common adversary execution techniques — it bypasses simple keyword filters and obfuscates the actual command. Decode the Base64 to reveal the payload (often downloading and executing additional malware). This maps directly to MITRE ATT&CK T1059.001. SIEM rules should alert on any encoded PowerShell execution; mitigation includes PowerShell Constrained Language Mode and Script Block Logging.

4. Which document type defines the technical details an analyst should follow when responding to a specific type of incident (e.g., "Ransomware Response Procedure")?

  • A) Policy
  • B) Standard
  • C) Procedure / Playbook
  • D) Guideline
Answer: C Document hierarchy: Policy states intent at the executive level ("we will protect data"). Standard defines mandatory rules ("all data classified Confidential must be encrypted with AES-256"). Procedure (or playbook/runbook) provides step-by-step instructions for executing a task. Guideline offers recommended best practice — not mandatory. SOC runbooks are procedures. Cisco and most SOC frameworks use this exact hierarchy.

5. A NIDS sensor generates an alert for a known SQL injection signature but the targeted server does not run a database. How should this alert be classified?

  • A) True Positive
  • B) False Positive
  • C) True Negative
  • D) False Negative
Answer: B The alert correctly identified malicious activity (the SQL injection attempt is real) but the activity could not cause harm because the target lacks a database. The exam considers this a false positive from a SOC operational perspective — the alert generates analyst work without representing actionable risk. Tune the rule to filter targets where the attack cannot succeed. Distinguish from a false negative (missed real attack) and true negative (correctly not alerting on benign activity).
Interactive · Timed · Fully explained

Interactive Practice Exam — CCNA 200-301

Eighteen scenario-style items covering subnetting, OSPF, VLANs, EtherChannel, port security, NAT, QoS, and the automation/programmability domain that trips up most candidates. Every question carries a written rationale plus links to Cisco documentation and IETF RFCs. Your progress auto-saves between sessions.

Loading the interactive practice exam… If it does not load, ensure JavaScript is enabled.

Interactive · Timed · Fully explained · Exam #2

Practice Exam #2 — CCNA 200-301

A second 20-question practice exam with all-new CCNA scenarios. Covers interface status troubleshooting, PortFast, 802.1Q tagging, longest-prefix match, OSPF cost, PAT, IPv6 link-local, WPA3 SAE, DHCP snooping, NTP, RSTP, EIGRP metrics, ACL placement, QoS marking, YANG/RESTCONF, and network automation.

Loading practice exam… If it does not load, ensure JavaScript is enabled.

Case study · Apply what you study

Real-World Walkthrough: Cisco IOS XE Web UI Zero-Day (CVE-2023-20198)

In October 2023, an unauthenticated remote attacker created privileged accounts on more than 40,000 internet-exposed Cisco IOS XE devices in less than a week. Every failure traces to CCNA-level fundamentals — management-plane exposure, port hardening, and disciplined patching. Map each phase back to the exam blueprint.

Timeline

  • September 18, 2023: First exploitation evidence — attackers create a local user via the IOS XE web UI (HTTP/HTTPS management service). Cisco TALOS publishes nothing yet; the activity is silent.
  • October 16, 2023: Cisco PSIRT publishes advisory cisco-sa-iosxe-webui-privesc-j22SaA4z. CVE-2023-20198 receives CVSS 10.0 — a maximum-severity unauthenticated privilege escalation in the IOS XE Web Services UI.
  • October 17–19, 2023: Internet scans identify ~41,000 compromised devices. A second vulnerability CVE-2023-20273 is chained to install a custom Lua-based implant for persistence.
  • October 22, 2023: Cisco releases the first fixed builds (17.9.4a, 17.6.6a, 17.3.8a, 16.12.10a). Detection guidance: run curl -k -X POST https://[device]/webui/logoutconfirm.html?logon_hash=1; a hex response indicates implant presence.
  • October 30, 2023: Many implants self-delete or get cleaned, but the unauthorised local admin accounts remain. Organisations that simply rebooted (without account audit) stay compromised.

Map to CCNA 200-301 domains

  • Domain 5 — Security Fundamentals (15%): Management-plane services (HTTP, HTTPS, Telnet, SNMP v1/v2c, SSH v1) MUST be disabled on internet-facing interfaces. The exam explicitly tests ip http server, ip http secure-server, and no forms — these are the exact services that were exploited.
  • Domain 5 — Device Hardening: Restrict management access with VTY ACLs (access-class), out-of-band management, and AAA. None of the compromised devices had a management-VLAN ACL preventing public reach.
  • Domain 4 — IP Services: Logging and syslog (Cisco's logging host) would have surfaced the unauthorised user creation events. Most victims had no centralised syslog.
  • Domain 2 — Network Access: Putting management interfaces in a separate management VLAN that is NOT routed to the public Internet is a CCNA design fundamental. Many compromised devices had the management UI bound to a publicly reachable address.
  • Domain 6 — Automation & Programmability: Programmable patching with Ansible playbooks (cisco.ios collection) lets an operator push fixed builds to 1,000 devices in hours instead of weeks. The campaign succeeded primarily because patch deployment was slow.
  • Domain 1 — Fundamentals: Asset inventory — knowing how many internet-facing IOS XE devices you operate — is the prerequisite to every other control. CISA's BOD 23-02 now requires removal of management interfaces from public Internet exposure within 14 days of discovery.

Five lessons CCNA candidates can take to the lab today

  1. Disable unused management servicesno ip http server / no ip http secure-server unless required. If required, scope with ACLs.
  2. VTY ACLs are mandatoryaccess-class MGMT-ACL in on every VTY line, permitting only operator subnets.
  3. Out-of-band management — segregate management traffic onto a dedicated VLAN/interface that is not reachable from user or Internet networks.
  4. Centralise syslog and authenticationlogging host + AAA via RADIUS/TACACS+ so user creation events are visible and auditable.
  5. Patch within the CVSS-driven window — CVSS 10.0 = patch within 72 hours; CISA KEV (Known Exploited Vulnerabilities) is the operational catalogue to track.

Cisco PSIRT advisory cisco-sa-iosxe-webui-privesc-j22SaA4z → · Cisco TALOS post-incident analysis →

Curated resources · Verified links

Helpful Materials — Cisco CCNA / CCNP / CyberOps

A short, opinionated list. Pick one book, one video series, one lab platform, and one practice-test source — then drill on the official objectives. More resources rarely produce more knowledge.

Free video courses & references

Official free documentation

Community

Additional free practice

Quick reference · Memorise before exam day

CCNA 200-301 Cheatsheet

High-frequency facts that recur on every CCNA exam form. Print, scan the morning of the test, and re-run the subnetting drills until the numbers are muscle memory.

Subnetting magic numbers

  • /24 = 255.255.255.0 — 256 host block
  • /25 = 255.255.255.128 — 128 block
  • /26 = 255.255.255.192 — 64 block
  • /27 = 255.255.255.224 — 32 block
  • /28 = 255.255.255.240 — 16 block
  • /29 = 255.255.255.248 — 8 block
  • /30 = 255.255.255.252 — 4 block (P2P links)
  • Usable hosts = 2^h − 2 (network + broadcast)
  • Magic number = 256 − mask octet

Administrative distance

  • Connected — 0 · Static — 1
  • eBGP — 20 · EIGRP internal — 90
  • OSPF — 110 · IS-IS — 115
  • RIP — 120 · EIGRP external — 170
  • iBGP — 200 · Unreachable — 255

Cabling & signal

  • Cat5e — 1 Gbps · Cat6 — 10 Gbps up to 55 m · Cat6a — 10 Gbps full 100 m
  • Single-mode fibre = long-haul · Multi-mode = inside a building
  • Console = light-blue rollover (RJ-45 to DB-9) or USB-C on modern switches

OSPF essentials

  • Cost = 100 / interface bandwidth (Mbps); set auto-cost reference-bandwidth
  • Areas: 0 (backbone), normal, stub, totally stubby, NSSA
  • DR/BDR elected on broadcast & NBMA only (not P2P)
  • Hello/Dead timers: 10/40 (broadcast), 30/120 (NBMA) — must match
  • States: Down → Init → 2-Way → Exstart → Exchange → Loading → Full

STP & EtherChannel

  • Root = lowest Bridge ID (priority 32768 default, ext. system ID)
  • Port roots: Root → Designated → Non-designated/Alt
  • States (RSTP): Discarding → Learning → Forwarding
  • EtherChannel: LACP active/passive · PAgP desirable/auto · Static on

DHCP & ACL

  • DHCP DORA: Discover → Offer → Request → Ack
  • DHCP relay = ip helper-address on SVI
  • Standard ACL 1–99/1300–1999 — src only — place near destination
  • Extended ACL 100–199/2000–2699 — full 5-tuple — place near source
  • Implicit deny at end of every ACL — always end with permit or allow

Wireless 802.11

  • 2.4 GHz — channels 1, 6, 11 (non-overlapping)
  • 5 GHz — many channels, DFS may be required
  • WPA3 mandatory for new deployments; WPA2-Personal still acceptable
  • WLC modes: Local (centralised) · FlexConnect (local switching) · Mesh
Common questions

Cisco Certification FAQ

How hard is the CCNA 200-301 exam?

CCNA 200-301 is considered intermediate difficulty. The exam covers networking fundamentals, IP addressing/subnetting, routing and switching, wireless, security basics, and automation. Most candidates need 3–6 months of study. Hands-on lab practice using Cisco Packet Tracer (free) is essential — the exam includes simulation questions that cannot be answered from theory alone.

Does CCNP Security require CCNA first?

Cisco removed the CCNA prerequisite for CCNP in 2020. You can pursue CCNP Security directly. However, CCNA-level networking knowledge is practically required — CCNP Security builds extensively on routing, switching, VPN, and network architecture concepts you would learn in CCNA preparation.

What are the CCNP Security exam requirements?

CCNP Security requires passing the SCOR core exam (350-701) plus one concentration exam: SISE (Identity Services Engine), SNCF (Firepower/FTD), SVPN (VPN Solutions), or SASE. Both exams must be active simultaneously for the CCNP to be awarded. Either exam can be taken in any order.

Is Cisco CyberOps Associate worth getting?

The Cisco Certified CyberOps Associate (formerly CCNA CyberOps) is designed for SOC analyst roles. It is vendor-specific and Cisco-ecosystem focused, making it most valuable if your organisation uses Cisco security products (Secure Endpoint, SecureX, Stealthwatch). For vendor-neutral SOC analyst credentials, CompTIA CySA+ is typically more widely recognised across diverse environments.

Study tools · Active recall · Cisco CCNA

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.