CCNA 200-301 · Cheat Sheet
| Cue | Answer |
|---|---|
| CIA triad | Confidentiality, Integrity, Availability |
| AAA order | Authentication → Authorization → Accounting |
| Malware types | Virus, Worm, Trojan, Ransomware, Botnet, Rootkit |
| DoS vs. DDoS | DoS = single attacker; DDoS = multiple sources |
| Social engineering | Phishing, Vishing, Pretexting, Baiting (non-technical attack) |

| Feature | Standard | Extended |
|---|---|---|
| Number range | 1–99, 1300–1999 | 100–199, 2000–2699 |
| Filter by | Source IP only | Source, destination, protocol, port |
| Placement | Close to destination | Close to source |
| Typical use | Route filtering | Interface access control |

| Aspect | enable password | enable secret |
|---|---|---|
| Encryption | Cisco Type 7 (weak) | Cisco Type 5/9 (strong bcrypt) |
| Override? | enable secret wins if both set | Always used |
| Current best | Deprecated | Use Type 9 (best) |

| Violation Mode | Action | Use Case |
|---|---|---|
| shutdown | Err-disable port (default) | Maximum security; manual recovery |
| restrict | Drop offending frames; log | Monitor without downtime |
| protect | Drop only offending frames (silent) | Least disruptive |

| Feature | Purpose |
|---|---|
| DHCP Snooping | Block rogue DHCP servers; trust upstream only |
| DAI (Dynamic ARP Inspection) | Validate ARP requests against DHCP bindings |
| 802.1X (Port-Based NAC) | EAP authentication before network access |
| Spanning Tree PortFast + BPDU Guard | Prevent VLAN hopping; fast convergence |

| Type | Topology | Authentication | Use Case |
|---|---|---|---|
| Site-to-Site | Network-to-Network | Certificates/Pre-shared key | Branch-to-HQ |
| Remote-Access | Client-to-Network | Username/password or certificate | VPN client to corporate |

| Protocol | Layer | Function |
|---|---|---|
| AH (Authentication Header) | Layer 3 | Integrity only (no encryption) |
| ESP (Encapsulating Security Payload) | Layer 3 | Encryption + integrity |
| IKE (Internet Key Exchange) | Control plane | Negotiate SA parameters |

| Attack | Mechanism | Countermeasure |
|---|---|---|
| MAC Spoofing | Fake Layer 2 address | Port security; DHCP snooping |
| DHCP Starvation | Exhaust IP pool | DHCP snooping; rate limit |
| ARP Spoofing | Fake ARP reply | DAI; static ARP entries |
| VLAN Hopping | Trunk negotiation exploit | Disable DTP; hardcode access ports |
| 802.1X Bypass |
Aligned to the Cisco CCNA 200-301 exam topics.