31 Days Before Your CCNA Security Exam


Author: Patrick Gargano
Publisher: Cisco Press
ISBN: 978-0-13-442406-4
Copyright © 2017 Cisco Systems, Inc.

Contents at a Glance


Day 31. Common Security Principles

Day 30. Common Security Threats

Day 29. Cryptographic Technologies

Day 28. PKI and Network Security Architectures

Day 27. Secure Management Systems

Day 26. AAA Concepts

Day 25. TACACS+ and RADIUS Implementation

Day 24. 802.1X

Day 23. BYOD

Day 22. IPsec Technologies

Day 21. Clientless Remote-Access VPN

Day 20. AnyConnect Remote Access VPN

Day 19. Site-to-Site VPN

Day 18. VPN Advanced Topics

Day 17. Secure Device Access

Day 16. Secure Routing Protocols

Day 15. Control Plane Security

Day 14. Layer 2 Infrastructure Security

Day 13. Layer 2 Protocols Security

Day 12. VLAN Security

Day 11. Firewall Technologies

Day 10. Cisco ASA NAT Implementation

Day 9. Cisco IOS Zone-Based Policy Firewall

Day 8. Cisco ASA Firewall Concepts

Day 7. ASA Firewall Configuration

Day 6. IDS/IPS Concepts

Day 5. IDS/IPS Technologies

Day 4. Email-based Threat Mitigation

Day 3. Web-based Threat Mitigation

Day 2. Endpoint Protection

Day 1. CCNA Security Skills Review and Practice

Exam Day

Post-Exam Information


If you’re reading this Introduction, you’ve probably already spent a considerable amount of time and energy pursuing your CCNA Security certification. Regardless of how you got to this point in your travels through your networking studies, 31 Days Before Your CCNA Security Exam most likely represents the last leg of your journey on your way to the destination: to become CCNA Security certified.

However, if you happen to be reading this book at the beginning of your studies, then this book provides you with an excellent overview of the material you must now spend a great deal of time studying and practicing. But, I must warn you: Unless you are extremely well-versed in network security technologies and have considerable experience as a network technician or administrator, this book will not serve you well as the sole resource for CCNA Security exam preparation. I know this first hand. I recently took the CCNA Security exam and was impressed with both the breadth and depth of knowledge required to pass. I have been teaching, writing about, and implementing networks for almost two decades. And yet, there was a moment during the CCNA Security exam where I thought, “Wow, this is really a tough exam!”

You see, Cisco states that for the CCNA Security exam, you must “demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.” You simply cannot just study this content. You must practice it. Although I have a solid understanding of network security concepts and technologies, I also have extensive experience implementing and troubleshooting network security. That’s why I was able to successfully pass the exam. There really is no other way to correctly answer the many scenario-based questions a candidate will receive during the exam than to have experienced the same or similar scenario in the real world or a lab simulation.

Now that I’ve sufficiently challenged you, let me spend some time discussing my recommendations for study resources.

Study Resources

Cisco Press offers an abundance of network security books and resources to serve you well as you learn how to install, troubleshoot, and monitor network devices to maintain the integrity, confidentiality, and availability of data and devices. Most of the resources can be purchased in book form or as eBooks for your tablet reader or mobile device by visiting www.ciscopress.com.

Safari Books Online

All the resources I reference in the book are available with a subscription to Safari Books Online (https://www.safaribooksonline.com). If you don’t have an account, you can try it free for ten days.

Primary Resources

31 Days Before Your CCNA Security Exam

First on the list is the CCNA Security 210-260 Official Cert Guide, written by Omar Santos and John Stuppi. The authors have done an outstanding job of gathering together and organizing all the material you need to study for the CCNA Security certification exam. It is available in print (ISBN: 9781587205668) and Premium Edition eBook (ISBN: 9780134077895) versions. The print version comes with the Pearson IT Certification Practice Test engine and two practice exams, as well as 90 minutes of video training. The Premium Edition eBook version comes with four practice exams, multiplatform accessibility, and performance tracking.

If you are a Cisco Networking Academy student, you are blessed with access to the online version of the CCNA Security curriculum and the wildly popular Packet Tracer network simulator. The course provides an introduction to the core security concepts and skills needed for the installation, troubleshooting, and monitoring of network devices to maintain the integrity, confidentiality, and availability of data and devices. The course helps students learn how to secure Cisco routers, implement AAA, configure ACLs, mitigate common Layer 2 attacks, implement Cisco IOS firewall features, implement site-to-site VPNs, and implement remote-access VPNs. To learn more about the CCNA Security course and to find an Academy near you, visit http://www.netacad.com. Cisco Press also produces a printed course booklet (ISBN: 9781587133510) and lab manual (ISBN: 9781587133503) to accompany the CCNA Security Networking Academy course.

Supplemental Resources

In addition to the book you hold in your hands and to those mentioned previously, there are three more supplemental resources I would recommend to augment your final 31 days of review and preparation.

31 Days Before Your CCNA Security Exam

Omar Santos, Aaron Woland, and Mason Haris recorded more than 13 hours of video in their CCNA Security 210-260 Complete Video Course (ISBN: 9780134499314), which is available free with your Safari Books Online account. You can also purchase it separately from Cisco Press. The authors talk you through the full range of topics on the CCNA Security exam using a variety of presentation styles, including live instructor whiteboarding, real-world demonstrations, animations of network activity, dynamic KeyNote presentations, and doodle videos. They also demonstrate router, switch, and ASA CLI/ASDM configuration and troubleshooting in real lab environments, enabling you to learn both the concepts and the hands-on application.

31 Days Before Your CCNA Security Exam

Cisco Press has recently published the second edition of the very popular CCNA Security Portable Command Guide (ISBN: 9781587205750), by Bob Vachon. This book summarizes all the relevant Cisco IOS Software security commands, keywords, command arguments, and associated prompts, and offers tips and examples for applying these commands to real-world security challenges. Bob also includes ASDM screenshots to help when configuring the Cisco ASA.

31 Days Before Your CCNA Security Exam

The second book I would suggest is Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition (ISBN: 9781587143076), written by Jazib Frahim, Omar Santos, and Andrew Ossipov. This is an amazingly detailed resource (1248 pages!) on configuring, monitoring, and troubleshooting the entire Cisco ASA firewall family. True, it goes beyond the CCNA Security exam topics, but if you’re a geek like me, you’ll enjoy delving more deeply into the ASA with this book.

I occasionally reference other Cisco Press books for more specific topics. The simplest way to access this extra content is with a Safari Books Online subscription.

So, which resources should you buy? That question is largely up to how deep your pockets are or how much you like books. If you’re like me, you want it all...online access for mobile and tablet reading, as well as hard copies for intensive study sessions with a pencil in hand. I admit it; my bookcase is a testament to my “geekness.” But that’s not practical for most students. So if you are on a budget, then choose one of the primary study resources and one of the supplemental resources, such as the CCNA Security 210-260 Official Cert Guide and the CCNA Security Portable Command Guide. Whatever you choose, you will be in good hands. Any or all of these authors will serve you well.

Goals and Methods

The main goal of this book is to provide you with a clear and succinct review of the CCNA Security exam objectives. Each day’s exam topics are grouped into a common conceptual framework and uses the following format:

  • A title for the day that concisely states the overall topic
  • A list of one or more CCNA Security IINS 210-260 exam topics to be reviewed
  • A Key Topics section to introduce the review material and quickly orient you to the day’s focus
  • An extensive review section consisting of short paragraphs, lists, tables, examples, and graphics
  • A Study Resources section to provide you a quick reference for locating more in-depth treatment of the day’s topics (as introduced in the previous section)

The book counts down starting with Day 31 and continues through exam day to provide post-test information.


Use the calendar to enter each actual date beside the countdown day and the exact day, time, and location of your CCNA Security exam. The calendar provides a visual for the time that you can dedicate to each CCNA Security exam topic.


The checklist highlights important tasks and deadlines leading up to your exam. Use it to help map out your studies.

Who Should Read This Book?

The audience for this book is anyone finishing their preparation for taking the CCNA Security IINS 210-260 exam. A secondary audience is anyone who needs a refresher review of CCNA Security exam topics, perhaps before attempting to recertify.

Getting to Know the CCNA Security IINS 210-260 Exam

Cisco launched the newest version of the CCNA Security exam, numbered 210-260, on September 1, 2015. The exam tests the candidate’s knowledge of secure network infrastructure, core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security. It also validates skills for installation, troubleshooting, and monitoring of a secure network to maintain integrity, confidentiality, and availability of data and devices. As a prerequisite, Cisco states that a candidate must be CCENT or CCNA Routing and Switching certified before attempting the exam.

Currently for the CCNA Security exam, you are allowed 90 minutes to answer 60 to 70 questions. Most recently, a passing score is 860 on a scale of 300 to 1000, but the passing score often rises as the exam matures. If you’ve never taken a certification exam before with Pearson VUE, there is a 2 minute 45 second video titled What to Expect in a Pearson VUE Test Center that nicely summarizes the experience: https://home.pearsonvue.com/test-taker/security.aspx. You can also search for it on YouTube.

When you get to the testing center and check in, the proctor verifies your identity, gives you some general instructions, and then takes you into a quiet room containing a PC. When you’re at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take the tutorial to get accustomed to the PC and the testing engine. Every time I sit for an exam, I go through the tutorial even though I know how the test engine works. It helps me settle my nerves and get focused. Anyone who has user-level skills in getting around a PC should have no problems with the testing environment.

What Topics Are Covered on the CCNA Security

Table I-1 summarizes the seven domains of the CCNA Security exam.


Table I-1 CCNA Security IINS 210-260 Exam Domains and Weightings

Registering for the CCNA Security IINS 210-260 Exam

If you are starting 31 Days Before Your CCNA Security Exam today, register for the exam right now. In my testing experience, there is no better motivator than a scheduled test date staring me in the face. I’m willing to bet it’s the same for you. Don’t worry about unforeseen circumstances. You can cancel your exam registration for a full refund up to 24 hours before taking the exam. So if you’re ready, then you should gather the following information and register right now!

  • Legal name
  • Social Security or passport number
  • Company name
  • Valid email address
  • Method of payment

You can schedule your exam at any time by visiting www.pearsonvue.com/cisco/. I recommend you schedule it now for 31 days from now. The process and available test times will vary based on the local testing center you choose.

Packet Tracer

To get your copy of Packet Tracer software please go to the companion website for instructions. To access this companion website, follow these steps:

1. Go to www.ciscopress.com/register and log in or create a new account.

2. Enter the ISBN: 9781587205781.

3. Answer the challenge question as proof of purchase.

4. Click on the Access Bonus Content link in the Registered Products section of your account page, to be taken to the page where your downloadable content is available.

About the Author

Patrick Gargano has been an educator since 1996 and a Cisco Networking Academy Instructor since 2000. He currently heads the Networking Academy program at Collège La Cité in Ottawa, Canada, where he teaches CCNA/CCNP-level courses. Patrick has twice led the Cisco Networking Academy student Dream Team deploying the wired and wireless networks supporting the U.S. Cisco Live conferences. In 2014 he co-authored CCNP Routing and Switching Portable Command Guide. Recognitions of his teaching include prizes from Collège La Cité for innovation and excellence and from the Ontario Association of Certified Engineering Technicians and Technologists for excellence in technology education. Previously, Patrick was a Cisco Networking Academy instructor at Cégep de l’Outaouais (Gatineau, Canada) and Louis-Riel High School (Ottawa, Canada) and a Cisco instructor (CCSI) for Fast Lane UK (London). His certifications include CCNA (R&S), CCNA Wireless, CCNA Security, and CCNP (R&S). He holds Bachelor of Education and Bachelor of Arts degrees from the University of Ottawa. Find him on Twitter @PatrickGargano.

About the Technical Reviewer

John Stuppi, CCIE No. 11154 (Security), is a technical leader in the Cisco Security Solutions (CSS) organization at Cisco, where he consults Cisco customers on protecting their network against existing and emerging cybersecurity threats. In this role, John is responsible for providing effective techniques using Cisco product capabilities to provide identification and mitigation solutions for Cisco customers who are concerned with current or expected security threats to their network environments. Current projects include helping customers leverage DNS and NetFlow data to identify and subsequently mitigate network-based threats. John has presented multiple times on various network security topics at Cisco Live, Black Hat, and other customer-facing cybersecurity conferences. In addition, John contributes to the Cisco Security Portal through the publication of white papers, security blog posts, and cyber risk report articles. He is also the co-author of CCNA Security 210-260 Official Cert Guide with Omar Santos. Before joining Cisco, John worked as a network engineer for JPMorgan and then as a network security engineer at Time, Inc. John is also a CISSP (No. 25525) and holds an Information Systems Security (INFOSEC) professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey (a.k.a. the “Jersey Shore”) with his wife, two kids, and dog.


To my wife Kathryn, who is always happy to explain that when in doubt, “that” is always better than “which,” and to our son Samuel who, at age 7, already knows that (not which) Mummy is usually right but Daddy is usually more fun.

To my father, who can’t read this.

To my mother, who has devoted everything to our family.

To Albert, who has endured with courage.


My first thank-you’s have to go to Mary Beth Ray for suggesting that I write this book, and to Scott Empson and Hans Roth for making my first Cisco Press project such a thoroughly enjoyable collaboration that I was happy to accept her offer. Mary Beth is a remarkable executive editor, but then everyone at Cisco Press has been fantastic to work with: Ellie Bru, the development editor, has kept the SS Gargano on an even keel, and Tonya Simpson, the project editor, has ensured that everything is shipshape, while Bill McManus, the copy editor, has kept the good ship from sinking under an avalanche of mixed metaphors and grammatical missteps. I confess that I was a bit intimidated when I found out John Stuppi would be the technical editor, because he co-wrote one of my primary sources, the Cisco Press CCNA Security 210-260 Official Cert Guide, but in addition to being a true authority, he was a pleasure to work with. Allan Johnson, who initiated the 31 Days series, was my trusty guide on this, and Troy McMillan, who produced the fantastic material used in the Digital Study Guide version of the book, deserves sincere thanks as well.

Alongside the Cisco Press team, I want to offer my sincere gratitude to my colleagues at La Cité, especially Georges Absi, who has been generous with advice, moral support, and his wife’s authentic tabbouleh.

My past, present, and future students at La Cité are the inspiration for this book. I had them in mind with every word that I wrote, and if I’ve produced something that they’ll find useful and easy to understand, then I’ve met my loftiest goal.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

  • Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
  • Italic indicates arguments for which you supply actual values.
  • Vertical bars (|) separate alternative, mutually exclusive elements.
  • Square brackets ([ ]) indicate an optional element.
  • Braces ({ }) indicate a required choice.
  • Braces within brackets ([{ }]) indicate a required choice within an optional element.