Exam topic 3.5 — HSRP, VRRP, and GLBP provide default gateway redundancy. If one router fails, another takes over transparently.
The Problem: End hosts are configured with a single default gateway IP. If that router fails, all traffic stops — even if a backup router is available. FHRP protocols solve this by creating a virtual IP and virtual MAC shared between multiple routers.
HSRP — Hot Standby Router Protocol
Cisco proprietary · RFC 2281 / 7 (v2)
One Active router handles all traffic. One Standby router monitors the Active and takes over if it fails. All other routers are in Listen state. Hosts point to the Virtual IP.
Virtual IP: Shared IP used as default gateway by hosts
Virtual MAC: 0000.0C07.ACxx (xx = group number in hex)
Election: Highest priority wins (default 100). Tie → highest IP.
Preempt: Higher-priority router reclaims Active role when it recovers
Hello timer: 3 seconds (default)
Hold timer: 10 seconds (default) — 3x hello
HSRPv1: Groups 0–255, multicast 224.0.0.2
HSRPv2: Groups 0–4095, multicast 224.0.0.102
# HSRP configuration
R1(config-if)# standby 1 ip 192.168.1.254
R1(config-if)# standby 1 priority 110
R1(config-if)# standby 1 preempt
R1(config-if)# standby version 2
R1# show standby
R1# show standby brief
HSRP States
Initial → Listen → Speak → Standby → Active
VRRP — Virtual Router Redundancy Protocol
Open standard · IEEE · RFC 5798
Open standard equivalent of HSRP. One Master, multiple Backups. The Master with the virtual IP can also be the real IP owner. Vendor-neutral — works across Cisco, Juniper, etc.
Roles: Master (Active) + Backups (not Standby like HSRP)
Virtual MAC: 0000.5E00.01xx (xx = group number in hex)
Election: Highest priority wins (default 100). Tie → highest IP.
Preempt: Enabled by default (unlike HSRP)
Advertisement: Multicast 224.0.0.18, every 1 second
IP owner: Router whose real IP = virtual IP is always Master
GLBP — Gateway Load Balancing Protocol
Cisco proprietary · Load balances across multiple gateways
Unlike HSRP/VRRP where only one router forwards traffic, GLBP actively load-balances across multiple Active Virtual Forwarders (AVFs). One AVG coordinates virtual MAC assignments.
Load balance: Round-robin, weighted, or host-dependent
Virtual MACs: Up to 4 per group — one per AVF
Multicast: 224.0.0.102
FHRP Comparison Summary
| Feature | HSRP | VRRP | GLBP |
| --- | --- | --- | --- |
| Standard | Cisco proprietary | Open (RFC 5798) | Cisco proprietary |
| Active role | Active | Master | AVG + AVFs |
| Backup role | Standby | Backup | AVF (secondary) |
| Load balance | No (one active) | No (one master) | Yes (multiple AVFs) |
| Default priority | 100 | 100 | 100 |
| Preempt default | Disabled | Enabled | Disabled |
| Multicast addr | 224.0.0.102 (v2) | 224.0.0.18 | 224.0.0.102 |
| Virtual MAC prefix | 0000.0C07.AC | 0000.5E00.01 | 0007.B400.xx |
Exam tip: HSRP is most common on Cisco exams. Know: virtual IP = default gateway for hosts, Active/Standby roles, priority + preempt, and the virtual MAC format.
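An added example, not from the page, that models the election, tie-break and preempt rules above in Python so the HSRP and VRRP defaults from the comparison table can be run against the same failover scenario; the router names and addresses are constructed, and the `virtual_mac` helper covers the HSRPv1 and VRRP prefixes only.

```python
from dataclasses import dataclass
from typing import List, Optional

# Defaults from the comparison table: priority 100 for both protocols,
# HSRP preempt disabled by default, VRRP preempt enabled by default.
PREEMPT_DEFAULT = {"hsrp": False, "vrrp": True}

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: Optional[bool] = None   # None = use the protocol default
    ip_owner: bool = False           # VRRP only: router's real IP is the virtual IP

def ip_key(ip: str) -> tuple:
    """Numeric tuple so 10.0.0.10 ranks above 10.0.0.9 (a string compare would not)."""
    return tuple(int(octet) for octet in ip.split("."))

def rank(r: Router, protocol: str) -> tuple:
    """Election order: VRRP IP owner first, then highest priority, then highest IP."""
    owner = 1 if (protocol == "vrrp" and r.ip_owner) else 0
    return (owner, r.priority, ip_key(r.ip))

def preempts(r: Router, protocol: str) -> bool:
    return PREEMPT_DEFAULT[protocol] if r.preempt is None else r.preempt

def elect(alive: List[Router], current: Optional[Router], protocol: str) -> Router:
    """Pick the forwarding router (HSRP Active / VRRP Master). A better-ranked
    router only displaces a live incumbent if preempt is on for that router."""
    if current is None or current not in alive:
        return max(alive, key=lambda r: rank(r, protocol))
    challengers = [r for r in alive if r is not current and preempts(r, protocol)
                   and rank(r, protocol) > rank(current, protocol)]
    return max(challengers, key=lambda r: rank(r, protocol)) if challengers else current

def virtual_mac(protocol: str, group: int) -> str:
    """HSRPv1 and VRRP virtual MACs: fixed prefix plus the group number in hex."""
    prefix = {"hsrp": "0000.0c07.ac", "vrrp": "0000.5e00.01"}[protocol]
    return f"{prefix}{group:02x}"

def failover_scenario(protocol: str) -> List[str]:
    """R1 (priority 110) fails, R2 takes over, R1 recovers: who forwards at each step?"""
    r1, r2 = Router("R1", "192.168.1.1", priority=110), Router("R2", "192.168.1.2")
    active, names = None, []
    for alive in ([r1, r2], [r2], [r1, r2]):   # initial election, R1 fails, R1 recovers
        active = elect(alive, active, protocol)
        names.append(active.name)
    return names

if __name__ == "__main__":
    print("HSRP:", failover_scenario("hsrp"))   # R1 stays Standby: preempt off by default
    print("VRRP:", failover_scenario("vrrp"))   # R1 reclaims Master: preempt on by default
```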
IPsec VPNs
Exam topic 5.5 — understand the purpose, types, and components of IPsec site-to-site and remote access VPNs.
VPN purpose: Create an encrypted tunnel over an untrusted network (the internet) to connect remote users or sites securely. VPNs provide confidentiality (encryption), integrity (hashing), and authentication.
Site-to-Site VPN
Connects two networks permanently — router to router
A permanent encrypted tunnel between two routers (or firewalls). End users are unaware of the VPN — their traffic is automatically encrypted by the gateway. Replaces expensive MPLS or leased lines.
[Branch PC] → [VPN Router] ═══ Encrypted tunnel over the Internet ═══ [VPN Router] → [HQ Server]
    LAN         encrypts                                                  decrypts        LAN
Endpoints: Two routers or firewalls
Tunnel mode: Entire original IP packet is encrypted + encapsulated
Transport mode: Only the payload is encrypted — L3 header preserved
Use case: Branch-to-HQ, DC interconnect
# Site-to-site VPN verification
R1# show crypto isakmp sa
R1# show crypto ipsec sa
R1# show crypto map
Remote Access VPN
Connects individual users to the corporate network
Remote workers use VPN client software to establish an encrypted tunnel to a VPN concentrator (firewall or dedicated VPN appliance). Once connected, they appear to be on the corporate LAN.
Client: VPN software on laptop/phone (Cisco AnyConnect)
Server: VPN concentrator / Cisco ASA / FTD
SSL VPN: Uses TLS (port 443) — works through most firewalls
IPsec VPN: Uses IKE (UDP 500) and ESP (protocol 50)
Split tunneling: Only corporate traffic through VPN; internet goes direct
Full tunnel: All traffic through VPN — more secure, slower
IPsec Protocol Suite
The building blocks of IPsec tunnels
IKE — Internet Key Exchange
Negotiates and establishes the Security Association (SA). Phase 1: authenticates peers and establishes encrypted channel. Phase 2: negotiates IPsec SA for actual data protection.
IKEv1 Phase 1: ISAKMP SA — authenticate peers (PSK or PKI)
IKEv1 Phase 2: IPsec SA — negotiate ESP/AH, encryption, lifetime
Port: UDP 500 (IKE) / UDP 4500 (NAT-T)
ESP — Encapsulating Security Payload
Provides encryption + authentication + anti-replay. Most commonly used IPsec protocol. Identified as IP Protocol 50.
AH — Authentication Header
Provides authentication and integrity only — NO encryption. Rarely used alone. Identified as IP Protocol 51. Incompatible with NAT because it authenticates the entire packet including the IP header.
Protocol: IP Protocol 51
Provides: Integrity + Authentication (no encryption)
Encryption & Hashing Algorithms
AES-256: Symmetric encryption — strong, preferred
3DES: Symmetric — older, 168-bit, still common
SHA-256: Hashing — integrity check
MD5: Hashing — weak, avoid
DH Group: Diffie-Hellman key exchange — Group 14+ preferred
AAA — Authentication, Authorization, and Accounting
Exam topics 5.4 and 5.8 — AAA framework, TACACS+ vs RADIUS, MFA, certificates, and biometrics.
The AAA Framework
Three functions for controlling access to network devices
Authentication — Who are you?
Verifies the identity of a user or device. Methods: username/password, MFA, certificates, biometrics. "Prove you are who you claim to be."
Authorization — What can you do?
Determines what an authenticated user is permitted to access or do. Example: NOC staff can view but not change config. Admins have full access.
Accounting — What did you do?
Records what authenticated users actually did — commands run, login/logout times, sessions. Used for auditing, compliance, and billing.
TACACS+ vs RADIUS
Two common AAA server protocols
| Feature | TACACS+ | RADIUS |
| --- | --- | --- |
| Developer | Cisco proprietary | Open standard (RFC 2865) |
| Transport | TCP 49 | UDP 1812 (auth) / 1813 (acct) |
| Encryption | Entire packet encrypted | Only password encrypted |
| AAA separation | Authentication, Authorization, and Accounting are separate | Auth + Authz combined |
| Best for | Device administration (CLI access) | Network access (VPN, Wi-Fi, 802.1X) |
| Command authz | Yes — per-command | Limited |
| Multiprotocol | No | Yes (EAP, 802.1X) |
Memory trick: TACACS+ → TCP, Totally encrypted, used for Terminal (device admin). RADIUS → UDP, used for Remote Access and 802.1X wireless.
Password Policy
Password history: Prevent reuse of previous N passwords
Account lockout: Lock after N failed attempts
Password expiry: Force periodic changes (90 days typical)
MFA — Multifactor Authentication
MFA requires two or more independent factors. Even if a password is compromised, access is denied without the second factor.
Something you know: Password, PIN
Something you have: Phone (OTP app), hardware token, smart card
Something you are: Fingerprint, face scan, retina — biometrics
MFA dramatically reduces the risk of credential theft attacks. At minimum, combine password + OTP (Google Authenticator, Cisco Duo).
Digital Certificates & PKI
Certificate-based authentication
Digital certificates bind a public key to an identity, verified by a trusted Certificate Authority (CA). Used in HTTPS (TLS), IPsec, 802.1X EAP-TLS, and SSH.
CA: Certificate Authority — issues and signs certs
Certificate: Contains public key, identity, CA signature, expiry
Public key: Shared openly — encrypt or verify signature
Private key: Never shared — decrypt or sign
PKI: Public Key Infrastructure — system of CAs + certs
Self-signed: Signed by itself — not trusted by others (lab use)
Revocation: CRL (Certificate Revocation List) or OCSP
# AAA with TACACS+ on Cisco IOS
R1(config)# aaa new-model
R1(config)# tacacs server TACACS-SRV
R1(config-server-tacacs)# address ipv4 10.0.0.10
R1(config-server-tacacs)# key MySecretKey
R1(config)# aaa authentication login default group tacacs+ local
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa accounting exec default start-stop group tacacs+
STP Security Features
Exam topic 2.5d — STP guards protect the spanning tree topology from accidental misconfiguration and deliberate attacks.
BPDU Guard
Protect PortFast ports from unexpected BPDUs
PortFast ports should connect to end devices, never to other switches. BPDU Guard immediately err-disables a PortFast port if any BPDU is received — preventing an attacker or misconfigured switch from influencing the STP topology.
Trigger: BPDU received on a PortFast-enabled port
Action: Port goes into err-disabled state immediately
Recovery: Manual — shutdown then no shutdown the port
Use on: All access ports connected to end devices
# Enable per interface
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
# Enable globally on all PortFast ports
S1(config)# spanning-tree portfast bpduguard default
# Check err-disabled ports
S1# show interfaces status err-disabled
BPDU Filter
Stop sending or receiving BPDUs on a port
BPDU Filter stops BPDUs being sent or processed on a port. Unlike BPDU Guard, it does not err-disable the port — it just ignores BPDUs entirely. Use with extreme care — can create loops.
Interface mode: Stops ALL BPDUs in and out — can cause loops!
Global mode: Works on PortFast ports — sends initial BPDUs then stops
Use case: Provider edge ports where STP must not pass to customer
# Per-interface (dangerous — disables STP!)
S1(config-if)# spanning-tree bpdufilter enable
# Global (safer — only on PortFast ports)
S1(config)# spanning-tree portfast bpdufilter default
Warning: Enabling BPDU Filter per-interface effectively disables STP on that port. If two switches are connected this way, a loop will form. Prefer BPDU Guard for end-device ports.
Root Guard
Prevent unauthorised root bridge elections
Root Guard prevents a port from becoming a root port. If a superior BPDU is received (one that would cause this switch to give up its root bridge role), the port is put into root-inconsistent state — blocking traffic without err-disabling.
Trigger: Superior BPDU received — another switch claiming to be root
Action: Port enters root-inconsistent (blocking) state
Recovery: Automatic — when superior BPDUs stop arriving
Use on: Ports toward the network edge (access / distribution)
S1(config-if)# spanning-tree guard root
S1# show spanning-tree inconsistentports
Loop Guard
Prevent loops from missing BPDUs
A non-designated port in Blocking state moves to Forwarding when it stops receiving BPDUs — normally indicating the upstream switch failed. But if BPDUs stop due to a unidirectional link failure, a loop forms. Loop Guard prevents this by placing the port in loop-inconsistent state instead of forwarding.
Trigger: BPDUs stop arriving on a non-designated port
Without Loop Guard: Port transitions to Forwarding → loop possible
With Loop Guard: Port enters loop-inconsistent (blocking) state
Recovery: Automatic — when BPDUs resume
Use on: All non-designated/root ports on trunk links
Root Guard vs Loop Guard: Root Guard protects who is root bridge (superior BPDUs). Loop Guard protects against ports going forwarding when BPDUs go missing.
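An added example, not part of the page, that encodes the Trigger / Action / Recovery rules of the four features above as a small Python decision function, so you can check what a given port does on a given event; the `Port` fields, port names and the sample ports are assumptions of this model (`bpduguard` means the guard is effective on the port, whether enabled per-interface or via the global PortFast default).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

@dataclass
class Port:
    name: str
    bpduguard: bool = False    # effective: per-interface, or global default on a PortFast port
    bpdufilter: bool = False   # interface-mode filter: BPDUs ignored in and out
    rootguard: bool = False
    loopguard: bool = False
    designated: bool = True    # False = non-designated (root/alternate) port that expects BPDUs

# The three events the four features react to
BPDU, SUPERIOR_BPDU, BPDUS_STOPPED = "bpdu", "superior_bpdu", "bpdus_stopped"

def react(port: Port, event: str) -> Tuple[str, str]:
    """Return (resulting port state, recovery) for one event on one port, following
    the Trigger / Action / Recovery rules listed for each STP security feature."""
    if port.bpdufilter:
        # A filtered port never processes a BPDU, so no guard can fire: why the mode is dangerous
        return ("forwarding (BPDU ignored)", "none: STP effectively disabled on this port")
    if event in (BPDU, SUPERIOR_BPDU) and port.bpduguard:
        # Any BPDU at all, superior or not, err-disables the port
        return ("err-disabled", "manual: shutdown then no shutdown")
    if event == SUPERIOR_BPDU and port.rootguard:
        return ("root-inconsistent (blocking)", "automatic: when superior BPDUs stop arriving")
    if event == BPDUS_STOPPED and not port.designated:
        if port.loopguard:
            return ("loop-inconsistent (blocking)", "automatic: when BPDUs resume")
        return ("forwarding (loop possible)", "n/a: port assumes the upstream switch failed")
    return ("unchanged", "n/a")

def audit(ports: Iterable[Port], event: str) -> Dict[str, str]:
    """Apply one event to every port, e.g. which ports would open a loop if BPDUs stopped?"""
    return {p.name: react(p, event)[0] for p in ports}

if __name__ == "__main__":
    # Constructed sample ports: access port, filtered port, uplink, two non-designated ports
    ports = [Port("Gi0/1", bpduguard=True),
             Port("Gi0/2", bpdufilter=True, bpduguard=True),
             Port("Gi0/24", rootguard=True),
             Port("Gi0/23", loopguard=True, designated=False),
             Port("Gi0/22", designated=False)]
    for event in (BPDU, SUPERIOR_BPDU, BPDUS_STOPPED):
        print(event, audit(ports, event))
```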
Security Threats, Concepts & Mitigation
Exam topics 5.1 and 5.2 — key security concepts, attack types, and mitigation strategies.
Core Security Concepts
Vulnerability: A weakness in a system (e.g. unpatched software, weak password)
Threat: Any potential danger that could exploit a vulnerability
Exploit: The actual mechanism used to leverage a vulnerability
Risk: Likelihood × Impact of a threat occurring
Mitigation: Actions taken to reduce vulnerability or impact
CIA Triad: Confidentiality · Integrity · Availability
Confidentiality: Data visible only to authorised parties (encryption)
Integrity: Data not modified in transit (hashing, digital signatures)
Availability: Systems accessible when needed (HA, backups, DDoS mitigation)
Security Program Elements
Exam topic 5.2 — defence requires people, process, and technology
User awareness: Train staff to recognise phishing, social engineering
Security training: Role-based training — admins, devs, general users
Physical access: Badge access, locked server rooms, cable locks, cameras
Policies: Acceptable Use Policy, password policy, incident response
Patch management: Keep software/firmware up to date
Least privilege: Give users only the access they need for their role
Defence in depth: Multiple layers of security — no single point of failure
Common Network Attack Types
Phishing
Fraudulent emails/messages that trick users into revealing credentials or clicking malicious links. Spear phishing targets specific individuals.
DoS / DDoS
Denial of Service — flood a target with traffic to make it unavailable. DDoS uses thousands of compromised hosts (botnet). Mitigation: traffic scrubbing, rate limiting, blackhole routing.
MITM — Man in the Middle
Attacker intercepts and potentially alters traffic between two parties without their knowledge. ARP poisoning is a classic MITM technique. Mitigation: encryption, Dynamic ARP Inspection.
ARP Poisoning / Spoofing
Attacker sends fake ARP replies to map their MAC to a legitimate IP. Other hosts then send traffic to the attacker. Mitigation: Dynamic ARP Inspection (DAI).
MAC Address Spoofing
Attacker changes their MAC to impersonate a legitimate device. Can bypass MAC-based access control. Mitigation: 802.1X port authentication.
Social Engineering
Manipulating people rather than systems — pretexting, baiting, tailgating (following someone through a secured door). Mitigation: security awareness training.
Ransomware / Malware
Malicious software that encrypts files and demands payment, or steals data, creates backdoors, or destroys systems. Mitigation: AV, EDR, backups, patch management.
VLAN Hopping
Switch spoofing: attacker negotiates a trunk with a switch to access all VLANs. Double tagging: send frames with two 802.1Q tags to reach a different VLAN. Mitigation: disable DTP, change native VLAN to unused VLAN, prune allowed VLANs.
DHCP Starvation / Spoofing
Starvation: exhaust DHCP pool with fake MACs. Spoofing: set up rogue DHCP server to give clients wrong gateway (→ MITM). Mitigation: DHCP Snooping.
AI, Machine Learning & Modern Automation
Exam topics 6.4 and 6.6 — new in CCNA v1.1 (August 2024). AI/ML in networking, Ansible, and Terraform.
AI & Machine Learning in Networking
Exam topic 6.4 — new v1.1 addition
AI and ML are increasingly used in network operations to automate analysis, detect anomalies, predict failures, and optimise performance at a scale that humans cannot match manually.
Machine Learning (ML)
Algorithms that learn patterns from data without being explicitly programmed. Two types relevant to networking: supervised (labelled training data) and unsupervised (finds patterns in unlabelled data).
Predictive AI
Uses historical data to predict future outcomes. In networking: predict link failures before they happen, forecast bandwidth demand, anticipate security incidents based on behavioural patterns.
Generative AI
Creates new content — text, code, configurations. In networking: auto-generate device configs, summarise log files, answer natural-language questions about the network. Example: Cisco AI Assistant in Cisco DNA Center.
Ansible
Agentless configuration management and automation tool by Red Hat. Uses SSH (or NETCONF) to connect to devices. Playbooks written in YAML define the desired state.
Agentless: No software needed on managed devices
Transport: SSH / NETCONF / REST APIs
Language: YAML playbooks — human-readable
Push model: Control node pushes config to devices
Idempotent: Running a playbook multiple times = same result
Inventory: List of devices to manage (hosts file)
# Example Ansible playbook snippet
- name: Configure NTP
  hosts: routers
  tasks:
    - name: Set NTP server
      ios_config:
        lines:
          - ntp server 10.0.0.1
Terraform
Infrastructure as Code (IaC) tool by HashiCorp. Provisions and manages cloud and on-prem infrastructure. Declarative — you define what you want, Terraform figures out how to get there.
IaC: Infrastructure as Code — provision via code
Language: HCL (HashiCorp Configuration Language)
Providers: AWS, Azure, GCP, Cisco, VMware plugins
State file: Tracks current infrastructure state
Plan → Apply: Preview changes before applying them
vs Ansible: Terraform = provision infra. Ansible = configure it.
Ansible vs Terraform vs Puppet vs Chef
| Feature | Ansible | Terraform | Puppet | Chef |
| --- | --- | --- | --- | --- |
| Agent | Agentless | Agentless | Agent-based | Agent-based |
| Language | YAML | HCL | Puppet DSL (Ruby) | Ruby (Recipes) |
| Model | Push | Declarative IaC | Pull | Pull |
| Primary use | Config management | Infra provisioning | Config management | Config management |
| Network use | Strong (CCNA) | Cloud/IaC (CCNA v1.1) | Limited | Limited |
CCNA v1.1 key change: Puppet and Chef were removed from the exam. Ansible and Terraform are now the tools to know. Focus on Ansible for device config automation and Terraform for infrastructure provisioning.
Packet Tracer Labs
Hands-on security walkthroughs — open Cisco Packet Tracer alongside these steps.