table of content

1 Introduction to the CCNA

1.1 What is the CCNA?

1.1.1 The six domains of the CCNA exam

1.1.2 Format of the CCNA Exam

1.1.3 Scheduling and taking the exam

1.2 Why get CCNA-certified?

1.3 The structure of this book

1.4 How to study for the CCNA

1.4.1 Using a book

1.4.2 Using a video course

1.4.3 Lab exercises

1.4.4 Using multiple resources together

Summary

Part 1. Network fundamentals

2 Network devices

2.1 What is a network?

2.2 Types of network devices

2.2.1 Clients and servers

2.2.2 Switches

2.2.3 Routers

2.2.4 Firewalls

Summary

3 Cables, connectors, and ports

3.1 Network standards

3.2 Binary: Bits and bytes

3.3 Copper UTP connections

3.3.1 IEEE 802.3 standards (copper)

3.3.2 Straight-through and crossover cables

3.4 Fiber-optic connections

3.4.1 The anatomy of a fiber-optic cable

3.4.2 UTP vs. fiber

Summary

4 The TCP/IP networking model

4.1 Conceptual models of networking

4.2 The OSI reference model

4.3 The TCP/IP model

4.3.1 The layers of the TCP/IP model

4.3.2 Data encapsulation and de-encapsulation

Summary

5 The Cisco IOS CLI

5.1 Shells: GUI and CLI

5.1.1 GUI and CLI

5.1.2 Accessing the CLI of a Cisco device

5.2 Navigating the Cisco IOS CLI

5.2.1 The EXEC modes

5.2.2 Global configuration mode

5.2.3 Keyboard shortcuts

5.2.4 Context-sensitive help

5.3 IOS configuration files

5.4 Password-protecting privileged EXEC mode

5.4.1 Configuring the enable password

5.4.2 Configuring the enable secret

Summary

6 Ethernet LAN switching

6.1 Local area networks

6.2 The Ethernet header and trailer

6.2.1 Preamble and SFD

6.2.2 Destination and source

6.2.3 Type/Length

6.2.4 Frame Check Sequence

6.3 Frame switching

6.3.1 MAC address learning

6.3.2 Frame flooding and forwarding

6.3.3 The MAC address table in Cisco IOS

6.4 Address Resolution Protocol

6.5 Ping

Summary

7 IPv4 addressing

7.1 The IPv4 header

7.1.1 The Version field

7.1.2 The IHL field

7.1.3 The DSCP and ECN fields

7.1.4 The Total Length field

7.1.5 The Identification, Flags, and Fragment Offset fields

7.1.6 The TTL field

7.1.7 The Protocol field

7.1.8 The Header Checksum field

7.1.9 The Source Address and Destination Address fields

7.1.10 The Options field

7.2 The binary number system

7.2.1 Decimal

7.2.2 Binary

7.3 IPv4 addressing

7.3.1 The structure of an IPv4 address

7.3.2 Configuring IPv4 addresses on a router

7.3.3 Attributes of an IPv4 network

7.3.4 IPv4 address classes

Summary

8 Router and switch interfaces

8.1 Configuring interfaces

8.1.1 Interface descriptions

8.1.2 Interface speed

8.1.3 Interface duplex

8.2 Autonegotiation

8.3 Interface errors

8.3.1 Speed mismatches

8.3.2 Duplex mismatches

Summary

Part 2. Routing fundamentals and subnetting

9 Routing fundamentals

9.1 How end hosts send packets

9.2 The basics of routing

9.2.1 The routing table

9.2.2 Route selection

9.3 Static routing

9.3.1 Configuring static routes

9.3.2 Configuring a default route

Summary

10 The life of a packet

10.1 The life of a packet from PC1 to PC3

10.1.1 PC1 to R1

10.1.2 R1 to R2

10.1.3 R2 to R3

10.1.4 R3 to PC3

10.2 The life of a packet from PC3 to PC1

Summary

11 Subnetting IPv4 networks

11.1 What is subnetting?

11.2 FLSM subnetting

11.2.1 Subnetting /24 address blocks

11.2.2 Subnetting /16 address blocks

11.2.3 Subnetting /8 address blocks

11.2.4 FLSM scenarios

11.3 VLSM subnetting

11.3.1 Assigning Toronto LAN A’s subnet

11.3.2 Assigning Tokyo LAN A’s subnet

11.3.3 Assigning Toronto LAN B’s subnet

11.3.4 Assigning Tokyo LAN B’s subnet

11.3.5 Assigning the WAN connection’s subnet

11.4 Additional subnetting practice

Summary

Part 3. Layer 2 concepts

12 VLANs

12.1 Why we need VLANs

12.1.1 Layer 3 segmentation with subnets

12.1.2 Layer 2 segmentation with VLANs

12.2 Configuring VLANs and access ports

12.2.1 Creating and naming VLANs

12.2.2 Assigning ports to VLANs

12.3 Connecting switches with trunk ports

12.3.1 The IEEE 802.1Q tag

12.3.2 Configuring trunk ports

12.4 Inter-VLAN routing

12.4.1 Router on a stick

12.4.2 Multilayer switching

Summary

13 Dynamic Trunking Protocol and VLAN Trunking Protocol

13.1 Dynamic Trunking Protocol

13.1.1 DTP negotiation

13.1.2 Disabling DTP

13.2 VLAN Trunking Protocol

13.2.1 VTP synchronization

13.2.2 VTP modes

13.2.3 VTP versions

13.2.4 Is VTP dangerous?

Summary

14 Spanning Tree Protocol

14.1 The need for STP

14.2 How STP works

14.3 The STP algorithm

14.3.1 Root bridge election

14.3.2 Root port selection

14.3.3 Designated port selection

14.4 STP port states and timers

14.4.1 STP port states

14.4.2 STP timers

14.5 PortFast and BPDU Guard

14.5.1 PortFast

14.5.2 BPDU Guard

Summary

15 Rapid Spanning Tree Protocol

15.1 Spanning Tree Protocol versions

15.2 STP and RSTP comparison

15.2.1 Port costs

15.2.2 Port states

15.2.3 Port roles

15.2.4 RSTP topology changes

15.3 RSTP link types

15.4 Root Guard, Loop Guard, and BPDU Filter

15.4.1 Root Guard

15.4.2 Loop Guard

15.4.3 BPDU Filter

Summary

16 EtherChannel

16.1 How EtherChannel works

16.2 EtherChannel configuration

16.2.1 Dynamic EtherChannel

16.2.2 Static EtherChannel

16.2.3 Physical port configurations

16.3 EtherChannel load balancing

16.4 Layer 3 EtherChannel

Summary

Part 4. Dynamic routing and first hop redundancy protocols

17 Dynamic routing

17.1 Dynamic routing vs. static routing

17.1.1 Adaptability

17.1.2 Scalability

17.2 Types of routing protocols

17.2.1 Interior gateway protocols

17.2.2 Exterior gateway protocols

17.3 Route selection

17.3.1 The metric parameter

17.3.2 The administrative distance parameter

17.3.3 Route selection examples

17.4 The network command

Summary

18 Open Shortest Path First

18.1 OSPF foundations

18.1.1 The link-state database

18.1.2 OSPF areas

18.1.3 OSPF cost

18.2 OSPF configuration

18.2.1 The router ID

18.2.2 Activating OSPF on interfaces

18.2.3 Passive interfaces

18.2.4 Advertising a default route

18.3 Neighbors and adjacencies

18.3.1 Neighbor states

18.3.2 OSPF network types

18.3.3 Neighbor requirements

18.4 LSA types

Summary

19 First hop redundancy protocols

19.1 FHRP concepts

19.1.1 Providing a redundant default gateway

19.1.2 FHRP neighbor relationships

19.1.3 Failover

19.2 Comparing FHRPs

19.2.1 Hot Standby Router Protocol

19.2.2 Virtual Router Redundancy Protocol

19.2.3 Gateway Load Balancing Protocol

19.3 Basic HSRP configuration

Summary

Part 5. IPv6

20 IPv6 addressing

20.1 The need for IPv6

20.2 Hexadecimal

20.3 IPv6 addressing

20.3.1 IPv6 header

20.3.2 IPv6 address structure

20.3.3 Abbreviating IPv6 addresses

20.3.4 Identifying the IPv6 prefix

20.4 IPv6 address configuration

20.4.1 Manually assigning an IPv6 address

20.4.2 Modified EUI-64

20.5 IPv6 address types

20.5.1 Global unicast

20.5.2 Unique local

20.5.3 Link-local

20.5.4 Multicast

20.5.5 Anycast addresses

20.5.6 Other reserved addresses

Summary

21 IPv6 routing

21.1 Neighbor Discovery Protocol

21.1.1 Solicited-node multicast

21.1.2 Address resolution with NDP

21.1.3 Router discovery with NDP

21.1.4 Duplicate Address Detection

21.2 The IPv6 routing table

21.2.1 Connected and local routes

21.2.2 Route selection

21.3 IPv6 static routing

21.3.1 Configuring IPv6 static routes

21.3.2 Link-local next hops

21.3.3 Configuring a default route

21.3.4 Floating static routes

Summary

Part 6. Layer 4 and IP access control lists

22 Transmission Control Protocol and User Datagram Protocol

22.1 The role of Layer 4

22.1.1 Port numbers

22.1.2 Session multiplexing

22.2 TCP and UDP

22.2.1 Transmission Control Protocol

22.2.2 User Datagram Protocol

22.2.3 Comparing TCP and UDP

Summary

23 Standard access control lists

23.1 How ACLs work

23.1.1 Matching and acting on packets

23.1.2 The implicit deny

23.1.3 Applying ACLs

23.1.4 ACL types

23.2 Configuring standard ACLs

23.2.1 Numbered ACLs

23.2.2 Named ACLs

23.3 Example scenario

Summary

24 Extended access control lists

24.1 Configuring extended ACLs

24.1.1 Matching protocol, source, and destination

24.1.2 Matching TCP/UDP port numbers

24.2 Example security requirements

24.3 Editing ACLs

24.3.1 Deleting ACEs

24.3.2 Resequencing ACEs

Summary

Appendixes

Appendix A: Exam topics reference table

Appendix B: CLI command reference table

Appendix C: Chapter quiz questions

Chapter 2: Network devices

Chapter 3: Cables, connectors, and ports

Chapter 4: The TCP/IP networking model

Chapter 5: The Cisco IOS CLI

Chapter 6: Ethernet LAN switching

Chapter 7: IPv4 addressing

Chapter 8: Router and switch interfaces

Chapter 9: Routing fundamentals

Chapter 10: The life of a packet

Chapter 11: Subnetting IPv4 networks

Chapter 12: VLANs

Chapter 13: Dynamic Trunking Protocol and VLAN Trunking Protocol

Chapter 14: Spanning Tree Protocol

Chapter 15: Rapid Spanning Tree Protocol

Chapter 16: EtherChannel

Chapter 17: Dynamic routing

Chapter 18: Open Shortest Path First

Chapter 19: First hop redundancy protocols

Chapter 20: IPv6 addressing

Chapter 21: IPv6 routing

Chapter 22: Transmission Control Protocol and User Datagram Protocol

Chapter 23: Standard access control lists

Chapter 24: Extended access control lists

Appendix D: Chapter quiz answers

Chapter 2: Network devices

Chapter 3: Cables, connectors, and ports

Chapter 4: The TCP/IP networking model

Chapter 5: The Cisco IOS CLI

Chapter 6: Ethernet LAN switching

Chapter 7: IPv4 addressing

Chapter 8: Router and switch interfaces

Chapter 9: Routing fundamentals

Chapter 10: The life of a packet

Chapter 11: Subnetting IPv4 networks

Chapter 12: VLANs

Chapter 13: Dynamic Trunking Protocol and VLAN Trunking Protocol

Chapter 14: Spanning Tree Protocol

Chapter 15: Rapid Spanning Tree Protocol

Chapter 16: EtherChannel

Chapter 17: Dynamic routing

Chapter 18: Open Shortest Path First

Chapter 19: First hop redundancy protocols

Chapter 20: IPv6 addressing

Chapter 21: IPv6 routing

Chapter 22: Transmission Control Protocol and User Datagram Protocol

Chapter 23: Standard access control lists

Chapter 24: Extended access control lists

Overview

24 Extended ACLs

Extended ACLs build on the fundamentals of standard ACLs to offer far more granular traffic control. Like all ACLs, they evaluate packets top-down and end with an implicit deny, and they only take effect when applied inbound or outbound on an interface. Whereas standard ACLs match solely on source IP, extended ACLs can match on protocol, source and destination addresses, and even transport-layer ports. Because they can precisely target specific flows, extended ACLs are best placed as close to the source as possible, preventing unwanted traffic from traversing the network.

Configuration options include both numbered (100–199, 2000–2699) and named extended ACLs, with most admins preferring named ACL mode for flexibility. ACEs can match payload protocol (ip, tcp, udp, icmp, and others), source/destination IPs using wildcard masks, the any and host keywords, and TCP/UDP ports using operators such as eq, gt, lt, neq, and range. All specified fields must match for an ACE to apply. Extended ACLs also support well-known port keywords (for example, ntp for UDP/123), and they require using host or a /32 wildcard to match a single IP. The chapter demonstrates assembling practical policies—such as permitting specific HTTPS flows, allowing NTP to a single server while denying it elsewhere, and combining targeted denies with a final permit ip any any—to meet business requirements.

Because ACE order determines behavior, editing is critical. Deleting ACEs from a numbered ACL in global configuration removes the entire ACL, so the recommended method is to use named ACL configuration mode, where you can delete an ACE by its sequence number and insert new ACEs exactly where needed. When space between sequence numbers runs out, the ip access-list resequence command renumbers ACEs with a new starting value and increment, creating room for future edits. Together, these techniques let you safely maintain ACL logic over time while verifying results with show access-lists.

Possible matching parameters. The protocol argument specifies the protocol of the packet’s payload. The source and destination arguments specify the packet’s source and destination IP addresses, respectively.

Extended ACL TEST1 is applied outbound on R1 G0/2. TEST1 permits ICMP traffic from PC1 to 192.168.3.0/24, denies ICMP traffic from 192.168.1.0/24 and 192.168.2.0/24, denies all UDP traffic, and permits all other IPv4 packets.

Configuring an ACE that matches packets based on protocol (TCP/UDP), source/destination IP addresses, and source/destination ports.

ACEs that match packets based on protocol, source IP, source port, destination IP, and destination port. Not all ACEs specify both the source and destination ports.

Extended ACL TEST2 is applied outbound on R1 G0/2. TEST2 permits HTTPS traffic from the Engineering department to Server LAN A, denies all other HTTPS traffic, permits all NTP traffic to SRV2, denies all other NTP traffic, and permits all other IPv4 packets.

Requirements to be fulfilled by configuring extended ACLs.

Four ACLs configured on R1 and R2 fulfill the requirements. ACLs ICMP_1 and ICMP1 fulfill requirement 1, ACL NO_HTTP fulfills requirement 2, and ACL 100 fulfills requirement 3.

The ip access-list resequence command. The starting-seq-num argument specifies the new sequence number of the ACL’s first ACE, and the increment argument specifies the increment for each subsequent ACE.

Summary

Extended ACLs can filter packets based on parameters such as the protocol of the packet’s payload (TCP, UDP, ICMP, OSPF, etc.), source/destination IP addresses, and source/destination ports.
Extended ACL configuration is similar to standard ACL configuration. You can configure extended ACLs in global config mode with the access-list command (numbered only), or in named ACL config mode with ip access-list.
You can configure an extended numbered ACL with access-list number {permit | deny} protocol source destination. Extended numbered ACLs must use a number from ranges 100–199 or 2000–2699.
You can configure an extended ACL in named ACL config mode with ip access-list extended {name | number}. From there, configure each ACE with [seq-num] {permit | deny} protocol source destination.
For the protocol argument, you can specify a keyword like icmp, tcp, udp, or ospf to match packets that carry the specified protocol in its payload. Or, you can specify ip to match all IPv4 packets, regardless of the encapsulated protocol.
The options for the source and destination arguments are: any (to match any IP address), host ip-addr (to match only the specified IP address), and ip-addr wildcard-mask (to match the specified range of IP addresses).
Whereas standard ACLs should be applied as close to the destination as possible, extended ACLs should be applied as close to the source as possible.
When tcp or udp are specified for the protocol argument, you can also specify TCP/UDP port number(s) as matching conditions.
The command syntax to configure an ACE that specifies a port number is {permit|deny} {tcp|udp} src-ip [operator src-port] dst-ip [operator dst-port].
The options for the operator argument are eq (equal to X), gt (greater than X), lt (lower than X), neq (not equal to X), and range (from X to Y). Some examples:

eq 80 = equal to 80
gt 80 = greater than 80 (but not including 80)
lt 80 = less than 80 (but not including 80)
neq 80 = not equal to 80 (anything other than 80)
range 80 100 = from 80 to 100 (including 80 and 100)

An ACE can specify only the source port, only the destination port, both, or neither. If you don’t specify the source/destination ports as matching conditions, all source/destination ports will match.
A packet must match all of an ACE’s conditions to be considered a match. If the ACE specifies the protocol, source IP, source port, destination IP, and destination port, all five parameters must match.
When specifying port numbers in an ACE, some common protocols have keywords that can be used instead of numbers. Some examples:

TCP 20 (FTP data) = ftp-data
TCP 21 (FTP control) = ftp
TCP 23 (Telnet) = telnet
TCP/UDP 53 (DNS) = domain
UDP 69 (TFTP) = tftp
TCP 80 (HTTP) = www

When a host uses a protocol to access resources on another host (a server), it uses the protocol’s port number as the destination port, not the source port. To filter that traffic, make sure to filter based on the destination port, not the source port.
When editing a numbered ACL from global config mode, you can’t delete individual ACEs; you can only delete the entire ACL.
Deleting an ACE in named ACL config mode is easy: use no followed by the sequence number, such as no 30 to delete the ACE with sequence number 30.
Named ACL config mode also allows you to insert new ACEs in between existing ones by specifying a sequence number at the beginning of the command.
You can renumber an ACL’s ACEs with the ip access-list resequence {name | number} starting-seq-num increment command. starting-seq-num specifies the sequence number of the first ACE, and increment specifies the increment for each additional ACE. For example, ip access-list 1 resequence 5 5 will set ACL 1’s first ACE to sequence number 5, the second to 10, the third to 15, etc.

FAQ

What additional matching options do extended ACLs provide compared to standard ACLs?

Extended ACLs can match on protocol (IP, TCP, UDP, ICMP, etc.), source and/or destination IP addresses, and source and/or destination TCP/UDP port numbers. Like standard ACLs, they process entries top-down and end with an implicit deny.

Which number ranges are valid for extended numbered ACLs?

Use 100–199 or 2000–2699 for extended numbered ACLs.

What is the basic syntax for an extended ACE that matches protocol, source, and destination?

Numbered mode: access-list {permit|deny} . Named mode: ip access-list extended then [seq] {permit|deny} .

How do I match a single host IP in an extended ACL?

Use host or 0.0.0.0. Unlike standard ACLs, you cannot specify just the IP without host or a /32 wildcard.

Where should extended ACLs be placed and in which direction should they be applied?

Place extended ACLs as close to the source as practical to stop unwanted traffic early. Apply them inbound or outbound on an interface based on where you want the filtering to occur along the packet’s path.

How do I match TCP/UDP ports in extended ACLs and what do eq, gt, lt, neq, and range mean?

After the source/destination IPs, specify ports using operators: eq X (equal), gt X (greater than), lt X (less than), neq X (not equal), range X Y (inclusive range). Example: permit tcp any any eq 443.

Should I match the source or destination port to block client access to a server (e.g., HTTP or TFTP)?

Match the destination port used by the server (e.g., HTTP tcp/80, TFTP udp/69) when filtering client-to-server traffic.

How are ACL entries evaluated and what is the effect of the implicit deny?

ACEs are evaluated top to bottom; the first match wins. Any packet that doesn’t match an explicit permit will be dropped by the implicit deny at the end.

How do I delete or insert specific ACEs without removing the whole ACL?

Use named ACL configuration mode (ip access-list extended|standard ) so you can reference sequence numbers. Delete with no , and insert by specifying a new sequence number (for example, 30 permit ...).

How do I resequence ACEs to create spacing for new entries?

Use ip access-list resequence {name|number} . This renumbers ACEs so you have room between sequence numbers to insert new entries.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$49.99 $34.99

you save $15.00 (30%)

include audio $24.99 $17.49

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$49.99 $34.99

you save $15.00 (30%)

include audio $24.99 $17.49

eBook

pdf, ePub, online

$49.99 $34.99

you save $15.00 (30%)

include audio $24.99 $17.49

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more