50 CCNA Questions and Answers: Complete Beginner-Friendly Study Guide for CCNA 200-301 (Part 2)

Welcome to Part 2. If Part 1 gave you the foundation, this section helps you sharpen the areas that often separate memorization from real networking skill: secure access, IPv6, wireless design, troubleshooting commands, and automation basics.
These are the topics that usually show whether someone has only watched videos or has actually touched configurations. As I learned through labs, a single wrong ACL line, wrong trunk setting, or missing default gateway can make a network look completely broken.
Questions 26–31: Security Fundamentals
26. Why is SSH preferred over Telnet?
SSH is preferred because it encrypts remote management traffic. Telnet sends usernames, passwords, and commands in clear text, which makes it unsafe on real networks.
In a CCNA lab, Telnet may look simple, but in a production environment, it is a serious weakness. If someone captures Telnet traffic, they may read the login details without needing advanced skills.
hostname SW1
ip domain-name techknowsolution.local
crypto key generate rsa
username admin secret StrongPassword123
line vty 0 4
login local
transport input ssh
27. What is port security on a Cisco switch?
Port security limits which MAC addresses can use a switch port. It helps prevent unauthorized devices from connecting to the network through open wall ports.
You can configure a port to allow a specific MAC address, a limited number of MAC addresses, or sticky learning, where the switch learns and saves the connected device’s MAC address.
interface FastEthernet0/10
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
28. What is DHCP snooping?
DHCP snooping is a switch security feature that helps stop rogue DHCP servers. It classifies ports as trusted or untrusted and blocks DHCP server replies from untrusted ports.
This matters because a rogue DHCP server can give users the wrong gateway or DNS server, redirecting traffic or breaking connectivity.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/24
ip dhcp snooping trust
29. What is Dynamic ARP Inspection?
Dynamic ARP Inspection, often called DAI, helps protect against ARP spoofing attacks. It checks ARP messages against trusted information, commonly the DHCP snooping binding table.
ARP spoofing can trick devices into sending traffic to the wrong MAC address. DAI helps stop that by validating whether ARP replies are believable before allowing them through.
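The validation step described above can be modelled in a few lines. This is an added example, not Cisco's implementation: a simplified model in which the binding table, port names and ARP messages are constructed sample data and the function name inspect is hypothetical.

```python
# Added illustration: a simplified model of Dynamic ARP Inspection (DAI).
# Binding table, port names and ARP messages are constructed sample data.
from typing import NamedTuple

class Binding(NamedTuple):      # one DHCP snooping binding table entry
    mac: str
    ip: str
    vlan: int

class Arp(NamedTuple):          # the fields this model checks in an ARP message
    sender_mac: str
    sender_ip: str
    vlan: int
    port: str

BINDINGS = [
    Binding("aa:bb:cc:00:00:01", "192.168.10.11", 10),
    Binding("aa:bb:cc:00:00:02", "192.168.10.12", 10),
]
TRUSTED_PORTS = {"Gi0/24"}      # e.g. the uplink; ARP arriving here is not inspected

def inspect(arp, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP message."""
    if arp.port in trusted:
        return "permit", "trusted port"
    for b in bindings:
        if b.ip == arp.sender_ip and b.vlan == arp.vlan:
            if b.mac == arp.sender_mac.lower():
                return "permit", "matches binding"
            return "drop", "sender MAC differs from binding"
    return "drop", "no binding for sender IP"

SAMPLES = [
    Arp("aa:bb:cc:00:00:01", "192.168.10.11", 10, "Fa0/1"),  # genuine host
    Arp("aa:bb:cc:00:00:02", "192.168.10.11", 10, "Fa0/2"),  # claims a neighbour's IP
    Arp("aa:bb:cc:00:00:02", "192.168.10.1", 10, "Fa0/2"),   # claims the gateway IP
    Arp("00:11:22:33:44:55", "192.168.10.1", 10, "Gi0/24"),  # gateway via trusted uplink
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a.port, a.sender_ip, a.sender_mac, "->", *inspect(a))
```

The third sample shows why DAI depends on DHCP snooping being in place: a statically addressed device such as the gateway has no binding, so its ARP traffic must arrive on a trusted port or be covered by an ARP ACL.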
30. What is the difference between authentication, authorization, and accounting?
Authentication confirms who a user is. Authorization determines what that user is allowed to do. Accounting records what the user did.
A simple way to remember it: authentication asks “Who are you?”, authorization asks “What are you allowed to access?”, and accounting asks “What did you do?”
| AAA Component | Meaning | Example |
|---|---|---|
| Authentication | Verifies identity | Username and password |
| Authorization | Controls permissions | Admin vs read-only access |
| Accounting | Logs activity | Command history or login records |
31. What is the purpose of an enable secret?
The enable secret protects privileged EXEC mode on a Cisco device. It is stronger than the older enable password because it is stored in a hashed form rather than plain text.
Privileged EXEC mode allows powerful commands, including configuration changes. That is why protecting it is one of the first basic hardening steps on Cisco routers and switches.
enable secret MyStrongEnableSecret
Questions 32–35: IPv6 Essentials
32. Why was IPv6 created?
IPv6 was created mainly because IPv4 has limited address space. IPv4 uses 32-bit addresses, while IPv6 uses 128-bit addresses, giving the internet a much larger pool of addresses.
IPv6 also includes features such as simplified header structure, built-in neighbor discovery, and improved support for modern network growth.
33. What is the difference between link-local and global unicast IPv6 addresses?
A link-local IPv6 address is used only on the local network segment. It usually begins with FE80::/10 and is not routed beyond the local link.
A global unicast IPv6 address is routable on IPv6 networks and can be used for normal communication beyond the local link. These addresses commonly begin with 2000::/3.
34. What is SLAAC?
SLAAC means Stateless Address Autoconfiguration. It allows an IPv6 device to create its own address using information received from router advertisements.
In simple terms, the router announces the network prefix, and the host builds its own IPv6 address. This reduces the need for manual addressing in many IPv6 environments.
35. What command enables IPv6 routing on a Cisco router?
The command is ipv6 unicast-routing. Without it, a Cisco router may have IPv6 addresses on interfaces but still not forward IPv6 traffic between networks.
conf t
ipv6 unicast-routing
This is a common lab mistake. A learner configures IPv6 addresses correctly, then wonders why routing does not work. Always verify that IPv6 forwarding is enabled.
Questions 36–39: Wireless Networking
36. What is an SSID?
An SSID is the visible or configured name of a wireless network. It is what users select when connecting their phones, laptops, tablets, or IoT devices to Wi-Fi.
In enterprise networks, different SSIDs may map to different VLANs. For example, a staff SSID may use an internal VLAN, while a guest SSID may use a separate internet-only VLAN.
37. What is the difference between 2.4 GHz and 5 GHz Wi-Fi?
The 2.4 GHz band usually covers a wider area and penetrates walls better, but it is more crowded and often slower. The 5 GHz band usually provides higher speeds and less congestion, but it has a shorter range.
| Feature | 2.4 GHz | 5 GHz |
|---|---|---|
| Range | Longer | Shorter |
| Speed | Usually lower | Usually higher |
| Congestion | More common | Less common |
| Best use | Coverage | Performance |
38. What is WPA2 or WPA3 used for?
WPA2 and WPA3 are wireless security standards used to protect Wi-Fi networks. They help encrypt wireless traffic and prevent unauthorized access.
For modern networks, open Wi-Fi should be avoided unless it is properly isolated and controlled, such as in a guest portal environment. A weak Wi-Fi password can expose the whole LAN to unnecessary risk.
39. What is a wireless LAN controller?
A wireless LAN controller, or WLC, centrally manages multiple access points. It can handle SSIDs, authentication, roaming, radio settings, and policy enforcement.
In small offices, one standalone access point may be enough. In larger organizations, centralized wireless management makes the network easier to monitor, secure, and scale.
Questions 40–43: Management and IP Services
40. What is NTP and why is it important?
NTP, or Network Time Protocol, synchronizes time across network devices. Accurate time is important for logs, troubleshooting, certificates, authentication, and security investigations.
If router, switch, firewall, and server logs show different times, tracing an incident becomes confusing. NTP keeps events aligned.
ntp server 192.168.1.10
41. What is syslog?
Syslog is used to collect and store log messages from network devices. Routers, switches, firewalls, and servers can send logs to a central syslog server.
This helps administrators see errors, interface changes, login attempts, configuration events, and warnings from one place instead of checking every device manually.
42. What is SNMP?
SNMP, or Simple Network Management Protocol, is used to monitor and manage network devices. It allows monitoring tools to collect information such as interface status, CPU usage, memory usage, uptime, and traffic levels.
In real operations, SNMP helps network teams notice problems before users complain. For example, a monitoring system can alert you when a switch uplink is overloaded.
43. What is QoS?
QoS, or Quality of Service, is used to manage traffic priority. It helps important or delay-sensitive traffic, such as voice and video, receive better treatment during congestion.
Without QoS, a large file download can compete with voice calls. With QoS, the network can prioritize voice traffic so calls remain clearer.
Questions 44–47: Automation and Programmability
44. What is network automation?
Network automation means using scripts, tools, APIs, or platforms to perform network tasks with less manual effort. This can include backups, configuration changes, compliance checks, monitoring, and device onboarding.
For CCNA, you do not need to become a full software developer, but you should understand why automation matters. Manual configuration is slow and can introduce human errors, especially when many devices are involved.
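A compliance check of the kind mentioned above, applied to the hardening settings from Questions 26 to 31. This is an added example, not code from the original guide: the function names parse_blocks and audit are hypothetical, both sample configurations are constructed, and the hash in the hardened sample is a placeholder.

```python
# Added illustration: offline hardening check for IOS-style configuration text.
# WEAK and HARDENED are constructed samples; checks follow Questions 26-31.
def parse_blocks(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(line, [])
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    if not any(l.startswith("enable secret ") for l in blocks):
        findings.append("enable secret missing")
    if any(l.startswith("enable password ") for l in blocks):
        findings.append("enable password present")
    if "ip dhcp snooping" not in blocks:
        findings.append("DHCP snooping disabled")
    for header, subs in blocks.items():
        transport = [s for s in subs if s.startswith("transport input")]
        if header.startswith("line vty") and transport != ["transport input ssh"]:
            findings.append(f"{header}: not restricted to SSH")
        access = header.startswith("interface ") and "switchport mode access" in subs
        if access and "switchport port-security" not in subs:
            findings.append(f"{header}: access port without port security")
    return findings
WEAK = """\
enable password cisco
interface FastEthernet0/10
 switchport mode access
line vty 0 4
 transport input telnet ssh
"""
HARDENED = """\
enable secret 9 <hash-placeholder>
ip dhcp snooping
interface FastEthernet0/10
 switchport mode access
 switchport port-security
line vty 0 4
 transport input ssh
"""
```

Calling audit(WEAK) returns five findings and audit(HARDENED) returns an empty list; the same function can be run over saved configuration backups from many devices.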
45. What is an API?
An API, or Application Programming Interface, allows software systems to communicate. In networking, APIs can let scripts or controllers read information from devices or push configuration changes.
For example, instead of logging into a device manually, a tool may use an API to retrieve interface status or update a policy.
46. What is JSON?
JSON, or JavaScript Object Notation, is a lightweight data format commonly used by APIs. It is easy for humans to read and easy for programs to parse.
{
"hostname": "SW1",
"management_ip": "192.168.10.2",
"status": "online"
}
CCNA learners should recognize basic JSON structure: key-value pairs, braces, strings, numbers, arrays, and nested objects.
47. What is controller-based networking?
Controller-based networking uses a central controller to manage network devices and policies. Instead of configuring every device separately, administrators can define intent or policy from a central platform.
This approach supports automation, visibility, and consistency. It is common in modern enterprise networking, wireless management, SD-WAN, and cloud-managed network platforms.
Questions 48–50: Troubleshooting Scenarios
48. A PC cannot access the internet. What should you check first?
Start with the basics: physical connection, Wi-Fi status, IP address, subnet mask, default gateway, and DNS. Many problems that look complicated are caused by simple configuration or connectivity issues.
A practical troubleshooting order is:
- Check the cable, Wi-Fi signal, or link light.
- Run ipconfig or ifconfig to confirm IP settings.
- Ping the default gateway.
- Ping a public IP such as 8.8.8.8.
- Test DNS using a domain name.
If the PC can ping an IP address but cannot open websites by name, suspect DNS. If it cannot ping the gateway, suspect the local LAN, VLAN, cable, Wi-Fi, or IP settings.
49. Two devices in the same VLAN cannot communicate. What could be wrong?
Possible causes include wrong IP addressing, wrong subnet mask, wrong VLAN assignment, port security violation, shutdown interface, bad cable, firewall rules, or duplicate IP address.
On a Cisco switch, you can check VLAN membership and interface status using commands like:
show vlan brief
show interfaces status
show mac address-table
show port-security interface FastEthernet0/10
In a real lab, I usually start by confirming that both ports are in the expected VLAN. Then I confirm that both devices are in the same IP subnet.
50. A router has a route to the destination, but ping still fails. What should you check?
Routing is only one part of connectivity. If ping fails despite a route existing, check return routing, ACLs, NAT, firewall rules, interface status, wrong gateway, duplicate addresses, and whether ICMP is blocked.
Many learners check only the forward path. But traffic must return too. If Router A knows how to reach Router B’s network, but Router B does not know how to return traffic, communication will still fail.
show ip route
show access-lists
show ip interface brief
traceroute 192.168.20.10
ping 192.168.20.10 source 192.168.10.1
Final Study Advice: Do Not Just Memorize These 50 CCNA Questions
The biggest mistake a CCNA learner can make is treating questions and answers like a shortcut. Questions are useful, but they become powerful only when you use them to expose what you do not understand yet.
Take VLANs, for example. Reading that an access port carries one VLAN is easy. But configuring two PCs, placing them in different VLANs, watching them fail to communicate, then adding routing makes the lesson stick.
That is the real goal of this guide: to help you move from guessing to reasoning. When you can explain why a route is chosen, why an ACL blocks traffic, why DNS fails, or why STP blocks a port, you are no longer just preparing for an exam. You are becoming useful in the field.
About the author
Caleb Muga is the founder of SurgeTechKnow, an ICT professional and software developer with BBIT, CCNA training, cybersecurity awareness and OPSWAT file-security training. Articles are written to simplify practical technology, cybersecurity, networking and ICT support topics for real users.
