CCNA: IP Services & Security Fundamentals

Topic Overview

IP Services and Security Fundamentals together represent ~25% of the CCNA 200-301 exam — a major combined domain covering NAT, DHCP, DNS, NTP, SNMP, QoS, ACLs, VPN, AAA, and device hardening.

Exam Domain Weights

Domain	Topic	Weight	~Questions
1	Network Fundamentals	20%	~24
2	Network Access	20%	~24
3	IP Connectivity	25%	~30
4	IP Services	10%	~12
5	Security Fundamentals	15%	~18
6	Automation & Programmability	10%	~12

Domains 4 + 5 combine for ~25% (~30 questions). Mastering NAT/PAT, ACLs, and device hardening gives strong returns across both domains.

Core Concept Summary

NAT / PAT

Translates private (RFC 1918) addresses to public IPs. PAT (NAT overload) maps many inside hosts to one public IP using port numbers — the standard for home/office routers.

DHCP DORA

Four-step process: Discover → Offer → Request → Acknowledge. Use ip helper-address to forward DHCP broadcasts across subnets.

ACLs

Standard (src IP only) vs Extended (src + dst + protocol + port). Implicit deny at end. Standard near destination, Extended near source. First match wins.

VPN Types

Site-to-site (IPsec, permanent tunnel) vs Remote-access (AnyConnect/SSL). IPsec uses IKE for key exchange; ESP provides authentication + encryption (preferred over AH).

AAA

Authentication (who?), Authorization (what?), Accounting (history). RADIUS (UDP 1812/1813) for network access. TACACS+ (TCP 49) for device administration — encrypts full payload.

QoS Basics

Prioritizes delay-sensitive traffic (VoIP/video). DSCP EF=VoIP (46). LLQ best for VoIP (strict priority). Policing drops excess; Shaping buffers/delays excess traffic.

IP Services

Key IP services tested on CCNA: NAT, DHCP, DNS, NTP, SNMP, Syslog, and QoS. Know the purpose, ports, config commands, and verification commands for each.

NAT — Network Address Translation

Purpose: Translate private RFC 1918 IPs to public IPs, conserving IPv4 address space.

Static NAT: One-to-one permanent mapping. Used for servers needing a fixed public IP.
Dynamic NAT: Pool of public IPs assigned first-come-first-serve. Pool can be exhausted.
PAT (NAT Overload): Many-to-one using unique port numbers per flow — most common in homes/offices.

NAT terminology: Inside local = private IP of inside device. Inside global = public IP seen by outside. Outside global = destination public IP.

! Mark interfaces
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside

! PAT (NAT overload) — single public IP
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

! Verify
show ip nat translations
show ip nat statistics

DHCP — Dynamic Host Configuration Protocol

DORA Process: Discover (client broadcast, find server) → Offer (server proposes IP) → Request (client accepts offer) → Acknowledge (server confirms lease).

DHCP relay: ip helper-address SERVER-IP on the router interface facing clients — forwards broadcasts to a DHCP server on a different subnet.
Option 3: Default gateway | Option 6: DNS server | Option 15: Domain name

! Verify leases and pools
show ip dhcp binding
show ip dhcp pool
show ip dhcp conflict

DNS — Domain Name System

Port 53, UDP (queries) / TCP (zone transfers, large responses)
Recursive query: Client asks resolver, resolver does all lookups and returns final answer.
Iterative query: Resolver refers client to other servers step-by-step.
ip domain-lookup — enabled by default on Cisco devices
ip name-server 8.8.8.8 — set DNS server for the device

NTP — Network Time Protocol

Port 123, UDP. Synchronizes clocks across network devices. Essential for log correlation, digital certificates, and Kerberos authentication.

Stratum 0: Atomic/GPS reference clock (not networked directly)
Stratum 1: Server directly connected to stratum 0
Stratum 2: Synced from a stratum 1 server
Lower stratum = more accurate. Stratum 16 = unsynchronized.

ntp server 192.0.2.1       ! Configure NTP client
show ntp status             ! Check sync status and stratum
show clock                  ! View current time

SNMP — Simple Network Management Protocol

Port 161 (agent), Port 162 (trap receiver), UDP.

Components: Manager (NMS) — polls devices; Agent (on device) — responds/sends traps; MIB (Management Information Base) — database of managed objects.
Operations: Get, GetNext, Set (manager→agent), Trap (unsolicited agent→manager alert)
SNMPv2c: Community strings (plaintext, insecure). SNMPv3: Authentication (MD5/SHA) + Encryption (AES/3DES) — always prefer v3 in production.
SNMPv3 security modes: noAuthNoPriv, authNoPriv, authPriv (most secure)

Syslog

Port 514, UDP. Sends log messages to a centralized syslog server.

Level	Name	Description
0	Emergencies	System unusable
1	Alerts	Immediate action needed
2	Critical	Critical conditions
3	Errors	Error conditions
4	Warnings	Warning conditions
5	Notifications	Normal but significant
6	Informational	Informational messages
7	Debugging	Debug-level messages

Mnemonic: "Every Awesome Cisco Engineer Will Need Debugging"

logging host 10.0.0.100     ! Send logs to syslog server
logging trap warnings        ! Send levels 0–4
show logging                 ! View log buffer

QoS — Quality of Service

Purpose: Prioritize delay-sensitive traffic (VoIP, video) over bulk data on congested links.

DSCP (Differentiated Services Code Point): 6-bit field in IP header. EF (46) = VoIP. AF41 = video. CS0 = best effort.
Queuing: FIFO (default), WFQ, CBWFQ (class-based), LLQ (Low Latency — strict priority, best for VoIP)
Policing: Drops or re-marks excess traffic (hard limit, no delay)
Shaping: Buffers excess traffic, smooths bursts (introduces delay)
Trust boundary: Mark traffic as close to the source as possible — defines where markings are accepted.

Security Fundamentals

Security Fundamentals accounts for ~15% (~18 questions). Focus on threat recognition, ACL basics, VPN types, AAA protocols, and device hardening techniques.

Common Threats

Malware Types

Virus: Requires a host file to spread
Worm: Self-propagating, no host needed
Trojan: Disguised as legitimate software
Ransomware: Encrypts data, demands payment

Network Attacks

DoS: Single source overwhelms a target
DDoS: Distributed botnet, harder to block
MITM: Intercepts/alters communications
Reconnaissance: Port scanning (nmap), OSINT

Social Engineering

Phishing: Mass email targeting many users
Spear phishing: Targeted, personalized email
Whaling: Targets executives/senior staff
Vishing: Voice/phone-based phishing

Web Application Attacks

SQL Injection: Injects SQL to manipulate DB
XSS (Cross-Site Scripting): Injects malicious scripts into web pages
CSRF: Forces authenticated user actions

VPN Types

Site-to-site VPN: Permanent tunnel between two networks (HQ ↔ Branch). Uses IPsec. Transparent to end users.
Remote-access VPN: Individual user connects to corporate network. Client-based (Cisco AnyConnect) or clientless (SSL/TLS browser-based).

IPsec Components:

IKE (Internet Key Exchange): Negotiates keys and security associations
AH (Authentication Header): Provides authentication + integrity, NO encryption. Incompatible with NAT.
ESP (Encapsulating Security Payload): Authentication + integrity + encryption. Works with NAT-T. Preferred on CCNA.
SA (Security Association): One-directional agreement on algorithms/keys
GRE: Tunnels non-IP traffic — NOT encrypted on its own. Often wrapped in IPsec.

AAA — Authentication, Authorization, Accounting

Authentication: Who are you? (username/password, certificate, MFA)
Authorization: What can you do? (privilege levels, command sets)
Accounting: What did you do? (logs commands, sessions, duration)

Feature	RADIUS	TACACS+
Protocol	UDP	TCP
Ports	1812 (auth), 1813 (acct)	49
Encryption	Password only	Full payload
Standard	Open standard	Cisco proprietary
Best for	802.1X network access	Device administration
AuthN/AuthZ	Combined	Separated

Device Hardening

Disable Telnet — use SSH: transport input ssh
Generate RSA key: crypto key generate rsa modulus 2048
Force SSH v2: ip ssh version 2
Use enable secret (MD5 hash) — never enable password (cleartext)
Encrypt all passwords: service password-encryption
Set minimum password length: security passwords min-length 8
Console/VTY: login local, exec-timeout 5 0, logging synchronous
Legal banner: banner motd — warning message, NOT a welcome message
Disable CDP on untrusted (external) interfaces: no cdp enable
Disable unused HTTP server: no ip http server

! Enable SSH step-by-step
hostname ROUTER1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret Str0ngP@ss

line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0

enable secret Str0ngS3cret
service password-encryption
banner motd # Authorized access only. All sessions are logged. #

ACLs Deep Dive

Access Control Lists (ACLs) filter traffic on Cisco devices. Understanding placement, wildcard masks, and processing order is critical for the exam.

ACL Fundamentals

Purpose: Permit or deny traffic based on criteria. Applied to interface in a specific direction (in or out).
Processing: Top-down, first match wins. Put specific entries before general ones.
Implicit deny: Every ACL ends with an invisible deny any — unmatched traffic is always dropped.
Direction: in = filter traffic entering the interface. out = filter traffic leaving the interface.

Standard vs Extended ACLs

Feature	Standard ACL	Extended ACL
Numbers	1–99 and 1300–1999	100–199 and 2000–2699
Matches	Source IP only	Src IP, Dst IP, Protocol, Port
Placement	Closest to destination	Closest to source
Granularity	Low — can over-block	High — precise filtering
Named support	Yes	Yes

Placement rule explained: Standard ACLs match only source IP, so placing them near the source would block all traffic from that host everywhere. Place near destination to minimize collateral blocking. Extended ACLs match both source and destination, so placing near the source stops unwanted traffic immediately, saving bandwidth.

Wildcard Masks

0 bit = must match | 1 bit = ignore (opposite of subnet mask)
0.0.0.0 = exact host match (same as host keyword)
0.0.0.255 = match any host in a /24 subnet
0.0.255.255 = match any host in a /16 subnet
255.255.255.255 = match any host (same as any keyword)
Formula: Wildcard = 255.255.255.255 − subnet mask

ACL Configuration Examples

! Standard numbered ACL
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any

! Apply to interface (standard — near destination)
interface GigabitEthernet0/1
 ip access-group 10 out

! Extended numbered ACL
access-list 110 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 110 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq 443
access-list 110 deny ip any any

! Apply to interface (extended — near source)
interface GigabitEthernet0/0
 ip access-group 110 in

! Named ACL (easier to edit — can delete specific lines)
ip access-list extended FILTER-OUTBOUND
 permit tcp 192.168.0.0 0.0.0.255 any eq 80
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
 deny ip any any log

! Verify
show access-lists
show ip interface GigabitEthernet0/0
show running-config | include access

ACL Troubleshooting Tips

Check match counts: show access-lists — each entry shows hit count
Verify direction and interface: show ip interface Gi0/0
Remember implicit deny — add permit ip any any at end if needed
Edit named ACLs with sequence numbers to insert/delete specific lines
no ip access-group removes ACL from interface without deleting it

Memory Hooks

Six memorable mnemonics and mental models to lock in the most exam-critical IP Services and Security concepts.

🔄

DHCP DORA

"Dogs Often Run Away"

Discover (client broadcast, find server) → Offer (server proposes IP) → Request (client accepts) → Acknowledge (server confirms lease). If DHCP server is on another subnet, ip helper-address on the router interface facing clients forwards the broadcast.

📋

Syslog Severity

"Every Awesome Cisco Engineer Will Need Debugging"

0=Emergencies, 1=Alerts, 2=Critical, 3=Errors, 4=Warnings, 5=Notifications, 6=Informational, 7=Debugging. Lower number = more severe. logging trap 4 sends levels 0–4 to the syslog server.

🎯

ACL Placement Rule

"Standard=Near Dest · Extended=Near Source"

Standard ACLs match only source IP — place near destination so traffic isn't blocked too early. Extended ACLs match source+dest+protocol — place near source to stop unwanted traffic immediately, saving bandwidth across the network.

🔐

AAA: Auth vs AuthZ vs Acct

"Who · What · History"

Authentication=verify identity (who are you?). Authorization=check permissions (what can you do?). Accounting=log actions (what did you do?). RADIUS=network access (encrypts password only). TACACS+=device admin (encrypts everything, TCP 49).

📦

PAT / NAT Overload

"One Public IP, Many Private Hosts"

PAT tracks connections using unique source port numbers per flow. Inside local 192.168.1.10:1025 → Inside global 203.0.113.1:5000. The NAT table maps port numbers back to original hosts. This is how home routers connect hundreds of devices with a single public IP.

🛡️

Device Hardening Checklist

"SSH, Secret, Shutdown, Banner"

Use SSH (not Telnet): crypto key generate rsa. Use enable secret (not enable password). Encrypt passwords: service password-encryption. Set exec-timeout. Add legal banner motd. Disable unused ports and CDP on external interfaces.

Flashcards & Study Advisor

Click any card to flip it and reveal the full explanation. Use the Study Advisor below for targeted exam tips.

Click a card to flip it ↓

Static vs Dynamic NAT vs PAT

Three types of NAT — when to use each?

Static: Permanent 1-to-1 (servers needing fixed public IP). Dynamic: Pool, first-come-first-serve, 1-to-1 from pool (can run out). PAT: M-to-1, uses unique ports — most scalable. All require ip nat inside/ip nat outside on interfaces.

SNMP Traps vs Polling

Two ways NMS learns about device state

Polling: NMS sends Get to agent on demand — proactive. Trap: Agent sends unsolicited alert to NMS (port 162) when threshold crossed — reactive. Use both: poll for metrics, rely on traps for alerts. SNMPv3 authPriv = most secure mode.

ACL Wildcard Masks

How to read and calculate wildcard masks

0.0.0.255 = any host in /24. 0.0.0.0 = exact host (= host keyword). 255.255.255.255 = any host (= any). 0.0.255.255 = any host in /16. Formula: wildcard = 255.255.255.255 − subnet mask.

IPsec AH vs ESP

Two IPsec encapsulation protocols

AH: Authentication + integrity, NO encryption. Incompatible with NAT (signs entire IP header). ESP: Authentication + integrity + encryption. Works with NAT-T. Always use ESP in CCNA exam scenarios — preferred in real deployments.

QoS DSCP Values

Key DSCP markings for voice and video

EF (46): VoIP — strict priority, lowest latency. AF41/42/43: Video, drop preference 41<42<43. CS0: Best effort (default). CS6/CS7: Network control (OSPF/BGP). Mark at trust boundary — as close to source as possible.

NTP Stratum

How NTP hierarchy works

Stratum 0: Atomic/GPS reference (not networked directly). Stratum 1: Directly connected to stratum 0. Stratum 2: Synced from stratum 1. Lower = more accurate. Stratum 16 = unsynchronized. show ntp status reveals current stratum.

SSH Hardening Steps

Step-by-step SSH configuration on Cisco IOS

1. hostname ROUTER-NAME 2. ip domain-name domain.com 3. crypto key generate rsa modulus 2048 4. ip ssh version 2 5. VTY: transport input ssh 6. login local 7. username admin secret PASSWORD

RADIUS vs TACACS+

Which AAA protocol for which use case?

RADIUS: UDP 1812/1813, open standard, encrypts only password, combines AuthN+AuthZ. Best for 802.1X wireless/wired access. TACACS+: TCP 49, Cisco proprietary, encrypts full payload, separates AuthN/AuthZ/Acct. Best for Cisco device administration.

Study Advisor

NAT & DHCP — Exam Tips

PAT = NAT overload = the same thing — all three terms appear on the exam
Inside local is always the private IP; inside global is always the public IP
Static NAT is used for servers — they need consistent inbound access
show ip nat translations — memorize this verification command
DHCP DORA: client uses broadcast for Discover and Request; server uses unicast for Offer and Acknowledge
ip helper-address is configured on the router interface closest to DHCP clients, not the server
DHCP option 3 = default gateway, option 6 = DNS — these are common exam facts
If two DHCP servers exist, the client accepts the first Offer it receives

IP Services & Security Fundamentals

Topic Overview

Core Concept Summary

NAT / PAT

DHCP DORA

ACLs

VPN Types

AAA

QoS Basics

IP Services

NAT — Network Address Translation

DHCP — Dynamic Host Configuration Protocol

DNS — Domain Name System

NTP — Network Time Protocol

SNMP — Simple Network Management Protocol

Syslog

QoS — Quality of Service

Security Fundamentals

Common Threats

Malware Types

Network Attacks

Social Engineering

Web Application Attacks

VPN Types

AAA — Authentication, Authorization, Accounting

Device Hardening

ACLs Deep Dive

ACL Fundamentals

Standard vs Extended ACLs

Wildcard Masks

ACL Configuration Examples

ACL Troubleshooting Tips

Practice Quiz

Memory Hooks

Flashcards & Study Advisor

Study Advisor

NAT & DHCP — Exam Tips

Ready to Ace CCNA IP Services & Security?