CCNA 200-301 · Cheat Sheet

Security Fundamentals (15%)

Quick Cue-Answer Guide

| Cue | Answer |
|-----|--------|
| CIA triad | Confidentiality, Integrity, Availability |
| AAA order | Authentication → Authorization → Accounting |
| Malware types | Virus, Worm, Trojan, Ransomware, Botnet, Rootkit |
| DoS vs. DDoS | DoS = single attacker; DDoS = multiple sources |
| Social engineering | Phishing, Vishing, Pretexting, Baiting (non-technical attack) |

---

Access Control Lists (ACLs)

Standard vs. Extended

| Feature | Standard | Extended |
|---------|----------|----------|
| Number range | 1–99, 1300–1999 | 100–199, 2000–2699 |
| Filter by | Source IP only | Source, destination, protocol, port |
| Placement | Close to destination | Close to source |
| Typical use | Route filtering | Interface access control |

Key Rules

  • Wildcard mask = inverse of subnet mask (e.g., /24 → 0.0.0.255)
  • Implicit deny at end = any traffic not explicitly matched is dropped
  • Order matters = first match wins; more specific rules first
  • host keyword = 0.0.0.0 wildcard (single IP)
  • any keyword = 0.0.0.0 0.0.0.0 (all traffic)

VTY Access (Critical for SSH/Telnet)

```
access-list 100 permit tcp 10.0.0.0 0.0.0.255 any eq 22
line vty 0 4
 access-class 100 in
```

  • in = filter incoming connections
  • out = filter outgoing (rare)
  • SSH = port 22 | Telnet = port 23
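As an added example (not from the cheat sheet), a small Python evaluator for a subset of extended ACL syntax shows the rules above in action: wildcard masks derived from prefix lengths, the host/any keywords, first-match-wins, and the implicit deny. The ACL entries and addresses below are constructed for the demonstration.

```python
import ipaddress

# Added example, not from the cheat sheet: a tiny evaluator for IOS-style
# extended ACL entries (permit/deny <proto> <src> <dst> [eq <port>]).

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def matches(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care (255.255.255.255 = any)."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' into (ref, wildcard)."""
    if tokens[i] == "any":                       # any = 0.0.0.0 255.255.255.255
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":                      # host = wildcard 0.0.0.0
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_entry(line: str) -> dict:
    """'<permit|deny> <proto> <src> <dst> [eq <port>]' (extended ACL subset)."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport):
    """Return (action, matching line number). First match wins; no match
    falls through to the implicit deny at the end of every ACL."""
    for n, line in enumerate(acl, 1):
        e = parse_entry(line)
        if e["proto"] not in ("ip", proto):
            continue
        if not (matches(src, *e["src"]) and matches(dst, *e["dst"])):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], n
    return "deny", None

# Constructed ACLs: the page's VTY entry plus an explicit Telnet deny, and a
# misordered version where a broad permit placed first shadows that deny.
ACL_OK = ["permit tcp 10.0.0.0 0.0.0.255 any eq 22", "deny tcp any any eq 23"]
ACL_MISORDERED = ["permit ip any any", "deny tcp any any eq 23"]
```

`evaluate(ACL_MISORDERED, "tcp", "10.0.0.7", "192.0.2.1", 23)` returns `("permit", 1)`: the Telnet deny on line 2 is never reached, which is exactly why more specific entries go first.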

---

Device Access & Passwords

Enable Secret vs. Password

| Aspect | enable password | enable secret |
|--------|------------------|-----------------|
| Encryption | Cisco Type 7 (weak) | Cisco Type 5/9 (strong bcrypt) |
| Override? | enable secret wins if both set | Always used |
| Current best | Deprecated | Use Type 9 (best) |

SSH Configuration (6-Step Sequence) — SIMULATION CRITICAL

```
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
username admin privilege 15 secret P@ssw0rd
line vty 0 4
 transport input ssh
 login local
ip ssh version 2
```

  • hostname R1 (MUST set hostname first — RSA key needs it)
  • ip domain-name example.com (Required for RSA key generation)
  • crypto key generate rsa (Creates public/private key pair; 2048-bit minimum recommended)
  • username admin privilege 15 secret P@ssw0rd (Local user for authentication)
  • line vty 0 4, then transport input ssh and login local (SSH only on VTY lines 0–4)
  • ip ssh version 2 (Force SSHv2; v1 is deprecated)

Telnet = insecure; SSH = encrypted — always use SSH on exam.

---

Layer 2 Security

Port Security

| Violation Mode | Action | Use Case |
|---|---|---|
| shutdown | Err-disable port (default) | Maximum security; manual recovery |
| restrict | Drop offending frames; log | Monitor without downtime |
| protect | Drop only offending frames (silent) | Least disruptive |

Port Security Config

```
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
```

Interface-level commands: the port must be in access mode and port security must be enabled before the maximum, violation and sticky settings take effect.

Other Layer 2 Defenses

| Feature | Purpose |
|---------|---------|
| DHCP Snooping | Block rogue DHCP servers; trust upstream only |
| DAI (Dynamic ARP Inspection) | Validate ARP requests against DHCP bindings |
| 802.1X (Port-Based NAC) | EAP authentication before network access |
| Spanning Tree PortFast + BPDU Guard | Prevent VLAN hopping; fast convergence |

---

VPN Fundamentals

Site-to-Site vs. Remote-Access

| Type | Topology | Authentication | Use Case |
|------|----------|---|---|
| Site-to-Site | Network-to-Network | Certificates/Pre-shared key | Branch-to-HQ |
| Remote-Access | Client-to-Network | Username/password or certificate | VPN client to corporate |

IPsec Components

| Protocol | Layer | Function |
|----------|-------|----------|
| AH (Authentication Header) | Layer 3 | Integrity only (no encryption) |
| ESP (Encapsulating Security Payload) | Layer 3 | Encryption + integrity |
| IKE (Internet Key Exchange) | Control plane | Negotiate SA parameters |

Common Alternatives

  • GRE = unencrypted tunnel; often combined with IPsec
  • SSL/TLS VPN = web-browser based; port 443
  • WireGuard = modern, lightweight (not on CCNA but trending)

---

Security Concepts (Threat-to-Mitigation Mapping)

Common Attacks & Counters

| Attack | Mechanism | Countermeasure |
|--------|-----------|---|
| MAC Spoofing | Fake Layer 2 address | Port security; DHCP snooping |
| DHCP Starvation | Exhaust IP pool | DHCP snooping; rate limit |
| ARP Spoofing | Fake ARP reply | DAI; static ARP entries |
| VLAN Hopping | Trunk negotiation exploit | Disable DTP; hardcode access ports |
| 802.1X Bypass | | |

Aligned to the Cisco CCNA 200-301 exam topics.
