Security Fundamentals is 15% of the Cisco CCNA (200-301) exam. This module covers how you protect devices, traffic, and access. Security questions blend with configuration tasks, so know both the theory and the commands.

This domain mixes concepts with hands-on configuration. You define the threats, then lock down devices, filter traffic, and secure both wired and wireless access.

Core Security Concepts

Keep four related terms distinct.

Term            Meaning
Threat          A potential cause of harm
Vulnerability   A weakness that can be exploited
Exploit         The method used against a vulnerability
Mitigation      A control that reduces the risk

Security program elements include user awareness, training, and physical access control. People are the most common entry point, so training matters as much as technology.

Device Access Control

You protect device access with strong local credentials and a clear password policy. The exam covers password management and complexity requirements, plus alternatives such as MFA, certificates, and biometrics.

! Secure privileged access and console
Router(config)# enable secret StrongSecret123
Router(config)# username admin secret AdminPass456
! service password-encryption only obscures type 7 strings; the secrets above are hashed
Router(config)# service password-encryption
Router(config)# line console 0
Router(config-line)# login local

To build credentials that resist cracking, read how to create strong passwords.
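As an added example, not code from the page or from Cisco, the following Python script scans a constructed running-config excerpt for the weak credential settings the commands above are meant to avoid: enable password instead of enable secret, username ... password instead of secret, and type 7 strings, which service password-encryption only obscures rather than hashes. The config text, the hash placeholder, and the function name audit_credentials are all constructed for this illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device)
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
username backup password 0 Summer2024
username admin secret 9 $9$constructed-placeholder-hash-not-real
line con 0
 login local
"""


def audit_credentials(config_text):
    """Return (line, finding) pairs for weak credential settings in an IOS config.

    Checks (standard IOS syntax assumed):
      - 'enable password' (cleartext or type 7) instead of a hashed 'enable secret'
      - 'username ... password' (cleartext or type 7) instead of 'username ... secret'
      - type 5 (MD5) secrets, which newer IOS can replace with type 8 or 9
      - no 'enable secret' at all
    """
    findings = []
    has_enable_secret = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("enable secret "):
            has_enable_secret = True
        elif line.startswith("enable password "):
            findings.append((line, "enable password is not hashed; use enable secret"))
        # 'username NAME password [TYPE] STRING' -- type 0 (cleartext) or 7 (reversible)
        m = re.match(r"^username (\S+) password(?: (\d+))? \S+$", line)
        if m:
            ptype = m.group(2) or "0"
            why = "type 7 is reversible" if ptype == "7" else "stored in cleartext"
            findings.append((line, f"user {m.group(1)}: {why}; use 'username ... secret'"))
        # 'username NAME secret 5 HASH' -- MD5, weaker than type 8/9
        m = re.match(r"^username (\S+) secret 5 \S+$", line)
        if m:
            findings.append((line, f"user {m.group(1)}: type 5 (MD5) secret; prefer type 8 or 9"))
    if not has_enable_secret:
        findings.append(("(global)", "no enable secret configured"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_credentials(SAMPLE_CONFIG):
        print(f"{finding}\n    {line}")
```

Run it against the output of show running-config saved to a file; the three findings on the sample are the two non-hashed credentials and the missing enable secret. The line-based matching is deliberately simple so it can be extended with further checks, such as login local missing from a console or vty line.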

AAA and VPNs

AAA separates three functions:

  • Authentication confirms who you are.
  • Authorization decides what you can do.
  • Accounting records what you did.

A RADIUS or TACACS+ server centralizes AAA across many devices. VPNs protect traffic across untrusted networks. IPsec secures both remote access and site-to-site tunnels with encryption and integrity.

Access Control Lists

ACLs filter traffic by source, destination, protocol, and port. Standard ACLs match source only, while extended ACLs match much more.

! Extended ACL allowing web traffic, denying the rest
Router(config)# access-list 110 permit tcp any host 10.1.1.10 eq 80
Router(config)# interface g0/0
Router(config-if)# ip access-group 110 in

Order matters, because the router reads top to bottom and stops at the first match. An implicit deny any sits at the end of every ACL.
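To make the top-to-bottom, first-match behaviour concrete, here is an added Python model of extended ACL evaluation; it is not code from the page or from Cisco IOS. It parses the page's own ACE, evaluates constructed packets against it, and shows what happens when a deny ip any any is placed before the permit. The parse_ace and evaluate functions, the packet dictionaries, and the address values are constructed for this illustration; only contiguous wildcard masks are modelled.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, index_of_next_token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":            # same as 'host'
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":    # same as 'any'
        return ANY, i + 2
    # ipaddress accepts a hostmask (wildcard) in the mask position for contiguous masks
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_ace(text):
    """Parse a simplified extended ACE: permit|deny PROTO SRC DST [eq PORT]."""
    t = text.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl, packet):
    """Return (decision, matching_index). The index is None when the implicit deny fires."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != packet.get("dport"):
            continue
        return ace["action"], idx        # first match wins; the router stops here
    return "deny", None                  # implicit deny any at the end of every ACL


# The ACE from the page, alone: everything but web traffic to 10.1.1.10 hits the implicit deny
WEB_ACL = [parse_ace("permit tcp any host 10.1.1.10 eq 80")]

# Same permit, but placed after an explicit deny: the permit is never reached
MISORDERED_ACL = [parse_ace("deny ip any any"),
                  parse_ace("permit tcp any host 10.1.1.10 eq 80")]

# Constructed packets
PKT_WEB = {"proto": "tcp", "src": "192.168.5.7", "dst": "10.1.1.10", "dport": 80}
PKT_SSH = {"proto": "tcp", "src": "192.168.5.7", "dst": "10.1.1.10", "dport": 22}

if __name__ == "__main__":
    print("web, correct order  ->", evaluate(WEB_ACL, PKT_WEB))
    print("ssh, correct order  ->", evaluate(WEB_ACL, PKT_SSH))
    print("web, misordered ACL ->", evaluate(MISORDERED_ACL, PKT_WEB))
```

The misordered list is the classic mistake: the permit is syntactically valid but shadowed, and IOS gives no warning. Returning the matching index alongside the decision is the same information show access-lists exposes through per-ACE hit counters, which is how you confirm on a real router that the entry you expect is the one matching.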

Layer 2 Security

Switches need their own protections against local attacks.

Feature                  Protects against
Port security            MAC flooding and rogue devices
DHCP snooping            Rogue DHCP servers
Dynamic ARP inspection   ARP poisoning

! Limit a port to one learned MAC (port security requires a static access port)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
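As an added example that is not code from the page or from Cisco, the following Python class models how a port configured as above reacts when frames arrive from more source MAC addresses than the maximum allows. It goes slightly beyond the page by modelling all three IOS violation modes (protect, restrict, shutdown), not only shutdown. The SecuredPort class, the receive_frame method, and the MAC addresses are constructed for this illustration.

```python
class SecuredPort:
    """Model of 'switchport port-security' on one access port (constructed, not IOS code).

    violation modes, as IOS documents them:
      protect  - frames from unknown MACs beyond the maximum are dropped silently
      restrict - dropped, and the violation counter/syslog is incremented
      shutdown - the port goes err-disabled and forwards nothing until recovered
    """

    def __init__(self, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = []       # dynamically learned secure addresses
        self.violation_count = 0
        self.err_disabled = False

    def receive_frame(self, src_mac):
        """Return 'forward', 'drop', or 'err-disabled' for a frame from src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"           # nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return "forward"                # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)
            return "forward"                # learned as a new secure address
        # Violation: an unknown source MAC once the maximum is already reached
        if self.violation == "protect":
            return "drop"
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True            # shutdown mode
        return "err-disabled"


def run_frames(mode, frames, maximum=1):
    """Feed a constructed sequence of source MACs through one port; return the decisions and the port."""
    port = SecuredPort(maximum=maximum, violation=mode)
    return [port.receive_frame(m) for m in frames], port


# Constructed traffic: the legitimate host, then one frame from an unexpected second MAC,
# then the legitimate host again
FRAMES = ["aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        decisions, port = run_frames(mode, FRAMES)
        print(f"{mode:9} {decisions}  violations={port.violation_count} err-disabled={port.err_disabled}")
```

The run shows the trade-off behind violation shutdown: it is the only mode that also cuts off the legitimate host, because the whole port is err-disabled until an administrator bounces it (or errdisable recovery is configured). Restrict keeps the legitimate host working while still producing the counter and syslog evidence you need to detect the event.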

Wireless Security

Wireless protocols improved over time. WPA is legacy, WPA2 uses AES with CCMP, and WPA3 adds stronger key exchange with SAE. In the WLC GUI you create a WLAN and apply WPA2 PSK for a pre-shared key network.

Next Steps

Finish the blueprint with Automation and Programmability, built on the services from IP Services. Strengthen your fundamentals with the CompTIA Security+ Course and return to the Cisco CCNA Course.