
New CCNA Exam 200-301

Should You Certify Now or Later?

It depends on your timeline. With little hands-on experience, expect to spend 3–6 months studying for the CCNA; with experience you could be ready in about two months.

The new CCNA 200-301 exam is not available for registration until Feb. 24, 2020, and study guides typically appear no earlier than two months before a new exam launches. Another consideration is that little is known about a new exam at launch, and it usually takes at least six months for an abundance of training courses, videos, books and so on to appear online. Also, there will be a single exam instead of two, which makes the exam itself harder to prepare for.

Exam Description

CCNA 200-301 is a 120-minute exam associated with CCNA certification that replaces all current CCNA exams with only a single exam effective Feb. 24, 2020.

Current CCNA Exams

CCNA 200-125, ICND1 100-105, and ICND2 200-105 are available for registration until Feb. 23, 2020. Study for the current CCNA exam now before it expires.

CCNA 200-301 Knowledge Domains

     20%      Network Fundamentals

     20%      Network Access

     25%      IP Connectivity

     10%      IP Services

     15%      Security Fundamentals

     10%      Automation and Programmability

Curriculum Alert!

The CCNA 200-301 exam includes a significant amount of wireless and network programmability content, reflecting the popularity of mobile devices, cloud computing and SDN architectures. Cisco is aligning the exam with an internet-based connectivity model, and OSPFv2 is the only IP routing protocol covered. EIGRP was originally created for multiprotocol routing, and RIP does not scale to mobile and cloud connections, so neither receives the coverage it had on the previous exams.

SD-WAN has significantly changed how WAN services are delivered and how the network infrastructure behind them is managed. Newer WAN services are often built on broadband DSL and cable circuits instead of older leased lines and Frame Relay, and Metro Ethernet is increasingly replacing MPLS for data center connectivity.

SDN and open-source tooling are radically changing how network infrastructure is managed and troubleshot. Cisco has added programmable interfaces to its devices and moved functions from physical equipment into virtual appliances, so CCNA-level engineers now support connections to both private and public cloud data centers. It also helps to understand AWS routing, since a VPC's route tables behave like VRFs (multiple routing tables) within a customer's private network.

CCNA Exam Whiteboard

Access Control Lists (ACL)

Standard ACL

The number range is 1-99 and 1300-1999. A standard ACL consists of permit or deny entries that match on source address only, written as host <address>, any, or <address> <wildcard mask>. Every ACL ends with an implicit deny any, so an ACL containing only a deny entry drops traffic from all sources; add permit any as the last entry to let everything else through.

            access-list 99 deny host 172.33.1.1

            access-list 99 permit any

Standard Named ACL

They are defined with a name instead of a number and follow the same rules as a numbered standard ACL. The following ACL is named internet and denies all traffic sourced from hosts on the 192.168.1.0/24 subnet while permitting every other source; the log keyword on the deny entry logs each packet it drops. Note that in IOS the log keyword belongs on the individual entry, not on the ip access-list line, and the standard keyword selects the standard-ACL syntax.

            ip access-list standard internet

            deny 192.168.1.0 0.0.0.255 log

            permit any

Extended Named ACL

They are defined with a name and support the full extended ACL syntax. Entries can be added to or deleted from a named ACL individually, without deleting and re-entering the whole list, and descriptive names make them easier to manage and troubleshoot. The following named ACL explicitly permits HTTP (TCP port 80) from any host in 192.168.0.0/16 (wildcard 0.0.255.255) to the web server at 192.168.3.1. Because it ends with permit ip any any, it does not actually block anything: the first entry only separates that HTTP traffic for counters and logging. To restrict access to the server, a deny ip any host 192.168.3.1 entry would have to precede the final permit.

            ip access-list extended http-filter

            remark permit http to web server  

            permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80

            permit ip any any

Extended ACL

The number range is 100-199 and 2000-2699. An extended ACL supports multiple permit/deny entries that match on source and destination address (host, subnet with wildcard mask, or any), on protocol (ip, tcp, udp, icmp and others) and on source or destination port for TCP and UDP. Every ACL ends with an implicit deny any, so traffic that should continue to flow must be permitted explicitly; a final permit ip any any is the usual way to do that when the ACL is meant to block only specific traffic, but it is not mandatory.

Cisco best practices for creating and applying ACLs

  • apply extended ACLs as close to the source as possible, so unwanted traffic is dropped before it crosses the network
  • apply standard ACLs as close to the destination as possible, because they match only on source address and would otherwise block traffic to destinations that should stay reachable
  • order entries from most specific to least specific, so a broad entry does not shadow a narrower one placed after it
  • only one ACL can be applied per interface, per direction (inbound or outbound), per Layer 3 protocol
  • an ACL is applied to an interface with the ip access-group <number | name> in | out command

The following are primary differences between IPv4 and IPv6 for ACLs

  • IPv6 supports only named ACLs, configured with ipv6 access-list and applied to an interface with ipv6 traffic-filter
  • an IPv6 ACL implicitly permits ICMPv6 Neighbor Discovery (neighbor solicitation and advertisement), which replaces ARP, ahead of the implicit deny; an explicit deny ipv6 any any overrides those implicit permits, so Neighbor Discovery must then be permitted explicitly
  • like IPv4, an IPv6 ACL ends with an implicit deny ipv6 any any

Extended ACL Example 1

The following entry permits HTTP traffic from the single host 10.1.1.1 to the single host 10.1.2.1 (host is shorthand for a 0.0.0.0 wildcard mask, so no /24 subnet is involved)

            access-list 100 permit tcp host 10.1.1.1 host 10.1.2.1 eq 80

The access control list (ACL) entry reads from left to right as: permit TCP traffic from the source host 10.1.1.1 to the destination host 10.1.2.1 with destination port 80 (HTTP). The tcp keyword matches the TCP protocol, so it is used for TCP-based applications such as HTTP; the udp keyword is used for UDP-based applications such as SNMP. Any other packet between those hosts (HTTPS on port 443, for example) falls through to the implicit deny.


Extended ACL Example 2

What is the purpose or effect of applying the following ACL?

            access-list 100 deny ip host 192.168.1.1 host 192.168.3.1

            access-list 100 permit ip any any

The first entry denies all traffic from host-1 (192.168.1.1) to the web server (192.168.3.1). The ip keyword matches at Layer 3, so it covers every protocol and application carried in IP. The last entry is needed because of the implicit deny; without it the ACL would drop all other traffic too.


Extended ACL Example 3

What is the purpose or effect of applying the following ACL?

            access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet

            access-list 100 permit ip any any

The first entry permits Telnet (TCP port 23) from all hosts on the 192.168.1.0/24 subnet to any destination. The tcp keyword matches the TCP protocol, and eq telnet narrows the match to destination port 23. Because the ACL ends with permit ip any any, all other traffic is permitted as well, so as written the ACL blocks nothing; the first entry only counts (or, with log, logs) Telnet separately. The final permit is not mandatory, but without it the implicit deny would drop everything except Telnet. Note also that Telnet is cleartext; SSH is the preferred management protocol.


Extended ACL Example 4

What is the purpose or effect of applying the following ACL?

            access-list 100 permit ip 172.16.1.0 0.0.0.255 host 192.168.3.1

            access-list 100 deny ip 172.16.2.0 0.0.0.255 any

            access-list 100 permit ip any any

  • The first entry permits hosts on subnet 172.16.1.0/24 access to all applications on server-1 (192.168.3.1).
  • The second entry denies hosts on subnet 172.16.2.0/24 access to any destination, including hosts later added to that subnet and any servers added later.
  • The last entry permits all other traffic not matched by the previous entries; without it the implicit deny would drop that traffic. It also permits hosts outside both subnets to reach the server, so the first entry only documents and counts the 172.16.1.0/24 traffic rather than restricting anyone else.
  • The ACL is applied to an interface with the ip access-group command. Most routers have multiple interfaces (subnets) with hosts assigned; an ACL applied outbound to a WAN interface shared by several subnets, for example, filters traffic from the hosts on every one of those subnets.
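To make the matching rules above concrete, here is an added example written for this page (Python; it is not Cisco code and not part of the original post). It covers the Standard ACL and Extended ACL sections, the best-practices list and Examples 1 through 4: it parses the page's own entries, applies first-match evaluation with wildcard masks and the implicit deny, and runs constructed packets through them. The HTTP_FILTER_TIGHT list, the Packet, Entry, parse_acl, evaluate, verdict and demo names, and the sample addresses 10.9.9.9 and 172.16.2.7 are my own constructions for the demonstration; only the keywords that appear on this page are parsed.

```python
"""Offline evaluator for the Cisco IOS IPv4 ACL syntax used on this page (added
example, not Cisco code): first-match evaluation, wildcard masks, the implicit
'deny any' that ends every ACL, and the host/any/eq/remark/log keywords."""
import ipaddress
from collections import namedtuple

ANY = (0, 0xFFFFFFFF)          # address 0.0.0.0 with wildcard 255.255.255.255
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21, "smtp": 25,
              "domain": 53, "snmp": 161}   # port names IOS accepts after 'eq'

# Packet: proto is "tcp"/"udp"/"icmp" (or "ip"); dport is the destination port or None.
Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))
# Entry: src/dst are (address, wildcard) pairs of 32-bit ints; dst is ANY for standard
# ACLs, which match on source only; dport comes from 'eq' (None when absent).
Entry = namedtuple("Entry", "action proto src dst dport text")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; a bare address gets wildcard 0.0.0.0."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    if tokens and tokens[0][0].isdigit():   # next token is a wildcard, not a keyword like 'log'
        return (_ip(t), _ip(tokens.pop(0)))
    return (_ip(t), 0)


def parse_acl(lines):
    """Parse numbered ('access-list N ...') or named ACL lines into ordered entries."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                          # drop 'access-list <number>'
        if not tokens or tokens[0] in ("ip", "remark"):  # 'ip access-list' header or comment
            continue
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):    # extended: proto src dst [eq port]
            proto = tokens.pop(0)
            src, dst = _addr(tokens), _addr(tokens)
        else:                                            # standard: source address only
            proto, src, dst = "ip", _addr(tokens), ANY
        dport = None
        if tokens and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        entries.append(Entry(action, proto, src, dst, dport, raw.strip()))
    return entries


def _match(spec, ip):
    """Wildcard semantics: a 1 bit means 'don't care', so only the 0 bits are compared."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def evaluate(entries, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if _match(e.src, pkt.src) and _match(e.dst, pkt.dst):
            return e.action, e.text
    return "deny", "<implicit deny any>"


# ACLs from the page, plus a tightened http-filter constructed here for comparison.
STANDARD_99 = ["access-list 99 deny host 172.33.1.1", "access-list 99 permit any"]
HTTP_FILTER = ["ip access-list extended http-filter",
               "remark permit http to web server",
               "permit tcp 192.168.0.0 0.0.255.255 host 192.168.3.1 eq 80",
               "permit ip any any"]
HTTP_FILTER_TIGHT = HTTP_FILTER[:3] + ["deny ip any host 192.168.3.1 log",
                                       "permit ip any any"]
EXAMPLE_4 = ["access-list 100 permit ip 172.16.1.0 0.0.0.255 host 192.168.3.1",
             "access-list 100 deny ip 172.16.2.0 0.0.0.255 any",
             "access-list 100 permit ip any any"]


def verdict(acl_lines, pkt):
    return evaluate(parse_acl(acl_lines), pkt)[0]


def demo():
    """Constructed packets run through the page's ACLs; returns name -> permit/deny."""
    ssh_to_server = Packet("10.9.9.9", "192.168.3.1", "tcp", 22)
    from_172_16_2 = Packet("172.16.2.7", "192.168.3.1", "tcp", 80)
    return {
        "standard_denied_host": verdict(STANDARD_99, Packet("172.33.1.1", "10.0.0.1")),
        "standard_without_permit_any": verdict(STANDARD_99[:1], Packet("10.0.0.5", "10.0.0.1")),
        "http_filter_ssh_to_server": verdict(HTTP_FILTER, ssh_to_server),
        "http_filter_tight_ssh_to_server": verdict(HTTP_FILTER_TIGHT, ssh_to_server),
        "example4_in_order": verdict(EXAMPLE_4, from_172_16_2),
        "example4_permit_any_first": verdict(EXAMPLE_4[::-1], from_172_16_2),
    }
```

Calling demo() shows the points made in the sections above: the page's http-filter permits an SSH packet to the web server because of its trailing permit ip any any, while the tightened variant denies it; a standard ACL consisting only of a deny entry drops a packet from an unlisted host through the implicit deny; and reversing Example 4 so that permit ip any any comes first lets the 172.16.2.0/24 packet through that the correctly ordered list denies, which is why entries go from most specific to least specific.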