Top 100 Most Asked Questions on Cisco Branch & Campus Networking
Every network engineer has a list of questions they Google at least once a month. Some are “why did this break” questions. Some are certification prep. Some come from a ticket that’s been open too long. This is a curated collection of the 100 questions that appear most often across search engines and AI platforms for Cisco branch and campus networking — organized by category, with direct answers that skip the preamble.
April 2026 | ⏱ 25 min read | IOS-XE • Catalyst • ISR • Meraki • SD-WAN • Wireless | ⚙ All experience levels
10 Categories — 10 Questions Each
|
① Switching & VLANs (Q1–Q10) ② Routing & WAN (Q11–Q20) ③ SD-WAN (Q21–Q30) ④ Wireless & Wi-Fi (Q31–Q40) ⑤ Security & Access Control (Q41–Q50) |
⑥ QoS (Q51–Q60) ⑦ DHCP, DNS & IP Services (Q61–Q70) ⑧ Network Management (Q71–Q80) ⑨ Troubleshooting (Q81–Q90) ⑩ Meraki & Cloud Networking (Q91–Q100) |
|
Category 1 — Q1 to Q10 Switching & VLANs |
|
Q1. What is the difference between an access port and a trunk port on a Cisco switch?
An access port belongs to a single VLAN and carries untagged traffic. Devices connected to access ports — workstations, printers, IP phones — don’t see any VLAN tags. A trunk port carries multiple VLANs simultaneously using 802.1Q tags, and is typically used between switches, between a switch and a router, or between a switch and a wireless AP that needs to serve multiple SSIDs on different VLANs.
! Access port interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 ! Trunk port interface GigabitEthernet1/0/2 switchport mode trunk switchport trunk allowed vlan 10,20,30
Q2. How do I configure inter-VLAN routing on a Cisco Catalyst switch?
Two approaches: Router on a Stick uses a single router interface with sub-interfaces per VLAN (common with ISR routers). Layer 3 switch SVIs (Switch Virtual Interfaces) are the preferred method on Catalyst switches with an IP Services license. Create an SVI for each VLAN, assign it an IP, and enable ip routing globally. The switch itself does the routing without needing an external router hop.
ip routing interface Vlan10 ip address 192.168.10.1 255.255.255.0 no shutdown interface Vlan20 ip address 192.168.20.1 255.255.255.0 no shutdown
Q3. What is VTP and should I use it?
VLAN Trunking Protocol synchronizes VLAN databases across switches in the same VTP domain. In theory it’s convenient. In practice, a new switch with a higher revision number accidentally introduced into a domain has wiped production VLAN databases more than once. Most engineers run VTP transparent mode or disable it entirely and manage VLANs manually or with automation. If you use it, always set new switches to client or transparent mode before connecting them to your trunk.
Q4. How does Spanning Tree Protocol prevent loops in a switched network?
STP (802.1D) uses BPDUs to elect a Root Bridge, then calculates the lowest-cost path to the root from every switch. Ports that would create loops are placed in a blocking state. Traffic flows only on the loop-free topology. Modern Cisco deployments use Rapid PVST+ (per-VLAN Rapid Spanning Tree) which converges in under a second compared to 30–50 seconds for classic STP. Always configure spanning-tree portfast on access ports and spanning-tree bpduguard enable on those same ports to prevent rogue switches from causing issues.
Q5. What is EtherChannel and how do I configure LACP on Catalyst switches?
EtherChannel bundles multiple physical links into a single logical interface for bandwidth aggregation and redundancy. LACP (802.3ad) is the IEEE standard for dynamic negotiation. PAgP is Cisco proprietary. Use LACP in new deployments for interoperability. Configure both ends with channel-group X mode active; the switch with passive mode waits for LACP negotiation from the peer.
interface range GigabitEthernet1/0/1 - 2 channel-group 1 mode active channel-protocol lacp interface Port-channel1 switchport mode trunk switchport trunk allowed vlan 10,20,30
Q6. What is the native VLAN on a trunk and why does it matter for security?
The native VLAN carries untagged traffic on a trunk link. By default it’s VLAN 1. If an attacker on VLAN 1 sends double-tagged frames, the outer tag gets stripped at the first switch and the inner tag delivers the frame to the target VLAN — a VLAN hopping attack. Change the native VLAN to an unused VLAN (e.g., VLAN 999) on all trunk ports and never put user devices in VLAN 1.
Q7. How do I configure a voice VLAN for IP phones on a Cisco Catalyst switch?
The switchport voice vlan command tells the switch to send CDP announcements to the IP phone instructing it to tag voice traffic with the specified VLAN. The phone connects to the switch port, the PC connects to the phone’s PC port. Data traffic stays untagged (access VLAN); voice traffic is tagged with the voice VLAN. The port looks like an access port to the PC but handles both VLANs.
interface GigabitEthernet1/0/5 switchport mode access switchport access vlan 10 switchport voice vlan 100 spanning-tree portfast
Q8. What is the difference between RSTP and MSTP?
Rapid PVST+ (Cisco’s implementation of RSTP) runs a separate STP instance per VLAN. In a large campus with 100 VLANs, that’s 100 spanning tree processes. MSTP (Multiple Spanning Tree, 802.1s) maps multiple VLANs to a smaller number of spanning tree instances. In environments with many VLANs and powerful switches, MSTP reduces control plane overhead. For most branch and small campus deployments, Rapid PVST+ is simpler and perfectly adequate.
Q9. How does DHCP snooping protect a campus network?
DHCP snooping prevents rogue DHCP servers from assigning IP addresses to clients. You designate uplinks toward your legitimate DHCP server as trusted ports. All other ports are untrusted — DHCP offers and replies arriving on untrusted ports are dropped. It also builds a binding table mapping IP-to-MAC-to-port-to-VLAN that Dynamic ARP Inspection and IP Source Guard use for additional protection.
Q10. What Cisco Catalyst models are commonly used in branch vs campus deployments?
Branch access: Catalyst 1000 or 2960-X/XR for simple Layer 2. Branch with routing: Catalyst 9200 series. Campus access: Catalyst 9300 (PoE, stacking, full IOS-XE feature set). Campus distribution/core: Catalyst 9400 (modular) or Catalyst 9500 (high-density fixed). Large campus core: Catalyst 9600. Each step up adds switching capacity, uplink density, PoE budget, and software feature depth.
|
Category 2 — Q11 to Q20 Routing & WAN |
|
Q11. What is the difference between OSPF and EIGRP for branch routing?
OSPF is an open standard link-state protocol — it works across any vendor. EIGRP is Cisco proprietary (though an IETF informational RFC exists) and uses a diffused computation algorithm (DUAL) for fast convergence. EIGRP is easier to configure in pure Cisco environments and has lower overhead on small branch networks. OSPF is better when you have non-Cisco routers or need exam-standard knowledge. Both work well for branch deployments; OSPF tends to win in organizations planning for multi-vendor or long-term vendor flexibility.
Q12. How do I configure a default route on a Cisco ISR router?
Static default route pointing to the upstream ISP gateway or next-hop IP. If the interface connecting to the WAN is dynamically addressed (PPPoE or DHCP), use the interface name instead of a next-hop IP. For branch offices sending default toward the WAN edge, distribute the default into OSPF or EIGRP with the default-information originate command.
! Static default via IP next-hop ip route 0.0.0.0 0.0.0.0 203.0.113.1 ! Via dialer interface (PPPoE) ip route 0.0.0.0 0.0.0.0 Dialer0
Q13. What is NAT and how do I configure PAT on a Cisco router?
PAT (Port Address Translation, or NAT overload) maps many private IP addresses to a single public IP by tracking port numbers. Define an access-list matching inside addresses, create a pool or use the interface IP, then bind them with ip nat inside source. Mark the LAN-facing interface as ip nat inside and the WAN-facing as ip nat outside.
access-list 1 permit 192.168.0.0 0.0.255.255 ip nat inside source list 1 interface GigabitEthernet0/0/0 overload interface GigabitEthernet0/0/0 ip nat outside interface GigabitEthernet0/0/1 ip nat inside
Q14. How does HSRP provide gateway redundancy at a branch?
Hot Standby Router Protocol runs between two (or more) routers sharing a virtual IP and MAC. Clients use the virtual IP as their default gateway. One router is Active and handles all traffic; the other is Standby and monitors the Active with hello messages. If Active fails, Standby takes over within seconds. Configure priority to control which router is Active. HSRP version 2 supports IPv6 and more group numbers. GLBP is the Cisco alternative that load-balances across both routers simultaneously.
Q15. What Cisco ISR models are used in branches in 2026?
The ISR 1000 series (1101, 1109, 1111, 1117) covers small branches with integrated LTE or DSL WAN options. The ISR 1100X adds dual SIM 4G/5G. The ISR 4000 series (4221, 4321, 4331, 4351, 4431, 4461) scales for mid-to-large branches with NIM (Network Interface Module) slots for WAN cards, voice modules, and security features. All run IOS-XE and support Cisco SD-WAN (Viptela) deployment modes.
Q16. How do I verify BGP neighbor status on a Cisco router?
The show bgp summary command shows all neighbor IPs, their AS numbers, and their state. An Established state with a non-zero prefix count means healthy. States like Active mean the router is trying to connect but hasn’t succeeded — check ACLs, TCP 179 reachability, and AS number configuration on both sides.
Q17. What is IP SLA and how do I use it to monitor WAN links?
IP SLA generates synthetic test traffic (ICMP echo, UDP jitter, HTTP) to measure latency, jitter, and packet loss between a source and a target. Combined with Tracking objects and Floating static routes, IP SLA can trigger automatic WAN failover: if the primary link’s SLA probe fails, the tracked object goes down, the primary static route is removed from the routing table, and a backup route with higher administrative distance takes over.
Q18. How do I configure dual WAN failover on a Cisco ISR?
The classic approach: IP SLA probe on the primary WAN path, a Track object watching the SLA, and two static default routes where the primary has lower administrative distance (AD 1) and the backup has higher AD (e.g., 5). When IP SLA detects failure, it marks the track as Down. The primary route is removed, the backup route (AD 5) takes over. When the primary recovers, the lower-AD route returns and preempts the backup.
Q19. What is the purpose of route redistribution and what are the risks?
Redistribution imports routes from one routing protocol into another — for example, pulling OSPF routes into EIGRP at a domain boundary. The risk is routing loops when routes cycle between protocols, and suboptimal routing when metrics don’t translate meaningfully. Use route maps and prefix lists to filter what gets redistributed, set explicit metrics, and document the redistribution points carefully. Bidirectional redistribution between two protocols requires extra care to avoid feedback loops.
Q20. How do I configure a site-to-site VPN on a Cisco ISR?
Site-to-site IPsec VPN requires: an ISAKMP policy (Phase 1 — IKEv1 or IKEv2), a transform set (Phase 2 encryption/hash), a crypto ACL matching interesting traffic, and a crypto map applied to the WAN interface. IKEv2 is preferred in new deployments for better security and simpler configuration. FlexVPN (also IKEv2-based) is Cisco’s modern framework for scalable VPN that handles site-to-site and remote access in the same framework.
|
Category 3 — Q21 to Q30 Cisco SD-WAN (Viptela / Catalyst SD-WAN) |
|
Q21. What are the four components of Cisco SD-WAN?
vManage — centralized management, configuration, monitoring, and policy GUI/API. vSmart — the control plane controller that distributes routing and policy information using OMP (Overlay Management Protocol). vBond — the orchestrator that authenticates and connects new vEdge/cEdge routers. vEdge / cEdge — the data plane routers at branch sites (vEdge = Viptela hardware; cEdge = Cisco IOS-XE routers running the SD-WAN software). All control plane communication uses DTLS or TLS; data plane uses IPsec.
Q22. What is OMP in Cisco SD-WAN?
Overlay Management Protocol is the routing protocol used between vEdge/cEdge routers and the vSmart controller. Unlike BGP or OSPF which routers use to talk to each other, OMP uses vSmart as a route reflector — edges send their routes and policies to vSmart, and vSmart distributes them back to other edges. OMP carries routes, TLOC (Transport Location) information, and service routes. There’s no direct OMP peering between edge routers.
Q23. What is a TLOC in Cisco SD-WAN?
Transport Location is a unique identifier for a WAN transport attachment on an edge router. A TLOC is represented as a tuple: System IP + Color + Encapsulation (IPsec or GRE). Color is a label for the transport type (mpls, biz-internet, lte, etc.). A router with two WAN links (MPLS and broadband) has two TLOCs. The SD-WAN control plane uses TLOCs to build IPsec tunnels between sites and to make application-aware routing decisions.
Q24. How does Application-Aware Routing work in Cisco SD-WAN?
AAR continuously measures latency, jitter, and packet loss on all available WAN transports using BFD (Bidirectional Forwarding Detection) probes. Policy rules define SLA thresholds per application (e.g., “voice requires jitter <30ms and loss <1%”). When a path’s measured performance violates the SLA, AAR shifts that application’s traffic to a transport that meets the criteria. The shift happens in seconds without human intervention.
Q25. What is the difference between vEdge and cEdge routers?
vEdge routers were the original Viptela hardware platform — the vEdge 100, 1000, 2000, and 5000 series. Cisco acquired Viptela in 2017 and began building SD-WAN capability into standard IOS-XE routers, which became cEdge (ISR 1000, ISR 4000, ASR 1000, Catalyst 8000). vEdge hardware reached end-of-sale; all new deployments use cEdge. The platform names still appear in exam materials and documentation.
Q26. How does Cisco SD-WAN handle Direct Internet Access for SaaS?
DIA (Direct Internet Access) sends SaaS traffic (Office 365, Salesforce, Zoom) directly to the internet from the branch instead of backhauling it to the data center. Combined with Cisco Umbrella integration, the SD-WAN router can tunnel DNS and web traffic through Umbrella’s security PoP as the first hop, providing security without the backhaul penalty. Configure a data policy to match SaaS prefixes and route them to the internet-facing transport rather than the MPLS path.
Q27. What is a Cisco SD-WAN VPN segment and how is it different from a VLAN?
In SD-WAN terminology, a VPN (not to be confused with IPsec VPN) is a virtual routing and forwarding (VRF) instance that segments traffic across the overlay. VPN 0 is reserved for transport (WAN interfaces); VPN 512 is management. VPNs 1–511 are service VPNs (user, voice, guest). Traffic in different service VPNs is kept separate end-to-end across the WAN — the same concept as a VRF in traditional routing, but applied globally across the SD-WAN fabric.
Q28. How do I onboard a new cEdge router to the SD-WAN fabric?
The process: load the bootstrap configuration (or use ZTP via PnP), which includes the vBond address and organization name. The router contacts vBond, authenticates using its certificate, gets introduced to vSmart and vManage. vManage pushes device templates. The device comes up in vManage as reachable. Attach a template; the router builds OMP sessions to vSmart and IPsec tunnels to other sites. Day-0 onboarding with Plug-and-Play requires a Cisco Smart Account and PnP cloud access.
Q29. What is the Catalyst 8000 series and how does it fit in SD-WAN?
The Catalyst 8000 family is Cisco’s current-generation branch and edge router line, purpose-built for SD-WAN deployments. The C8200 handles small to mid-size branches. The C8300 targets mid-size branches with modular NIM slots. The C8500 handles large branch and WAN aggregation. All run IOS-XE with the SD-WAN (Viptela) software stack and support application-aware routing, DIA, and full vManage template management.
Q30. How does SD-WAN compare to traditional MPLS for branch connectivity?
MPLS provides guaranteed SLAs, low latency, and quality-of-service contracts from the provider. It’s predictable but expensive and slow to provision. SD-WAN runs over any transport (MPLS, broadband, LTE) and provides application-aware path selection across all available links. Many organizations use SD-WAN over a mix of cheaper broadband plus a thin MPLS circuit for latency-sensitive traffic. SD-WAN doesn’t eliminate the need for good transports — it makes better use of the transports you have.
|
Category 4 — Q31 to Q40 Wireless & Wi-Fi |
|
Q31. What is the difference between a Cisco WLC and Cisco DNA Center for wireless?
A Wireless LAN Controller (WLC) manages APs in a controller-based (centralized) architecture. It handles roaming, RF management, and client authentication. Cisco DNA Center (now Cisco Catalyst Center) is an overarching network management and automation platform that manages wired and wireless infrastructure, provides intent-based networking, analytics, and integrates with ISE for policy. DNA Center can manage WLCs, or manage APs directly in a cloud-managed or controller-less architecture depending on the deployment model.
Q32. What Cisco AP models are current for branch and campus deployments?
The Catalyst 9100 series is Cisco’s current Wi-Fi 6 (802.11ax) and Wi-Fi 6E AP line for enterprise. The CW9162I and CW9164I target indoor campus deployments. The CW9166I handles high-density environments like auditoriums and stadiums. The CW9163E is an outdoor/ruggedized option. All support 802.11ax, WPA3, and integrate with the Catalyst Wireless management stack.
Q33. How does 802.11ax (Wi-Fi 6) improve performance over 802.11ac?
Wi-Fi 6 introduces OFDMA (Orthogonal Frequency Division Multiple Access) which allows a single AP to serve multiple clients simultaneously in the same transmission. BSS Coloring reduces co-channel interference by marking transmissions from different networks so clients can ignore irrelevant traffic. TWT (Target Wake Time) reduces battery consumption for IoT devices. MU-MIMO expands to 8x8. The combined effect is roughly 4x the throughput in high-density environments compared to 802.11ac Wave 2, even on similar channel widths.
Q34. How do I configure a Guest SSID on a Cisco WLC?
Create a WLAN profile with the guest SSID name, associate it with a separate interface/VLAN (isolated from the corporate network), enable a web authentication policy (built-in Web Auth or ISE redirect), and set client isolation so guests cannot talk to each other. Use P2P Blocking: Drop to prevent guest-to-guest traffic. Map the SSID to a VLAN that routes only to the internet, not to internal subnets.
Q35. What is FlexConnect mode and when should I use it at a branch?
FlexConnect (formerly H-REAP) allows APs at remote sites to switch client traffic locally — directly to the local VLAN — instead of tunneling everything back to the WLC at headquarters. When the WAN link to the WLC goes down, FlexConnect APs continue to service clients using locally cached configuration. This is critical for branch sites where a WAN outage shouldn’t take down the entire wireless network. Local switching mode handles data locally; central switching tunnels data back to the WLC.
Q36. How does 802.1X authentication work for wireless clients?
The client (supplicant) authenticates to the AP (authenticator), which relays the request to a RADIUS server (authentication server — usually Cisco ISE). The RADIUS server validates credentials via AD, certificate, or other methods and returns an Access-Accept with optional VLAN assignment and policy attributes. The client is placed in the appropriate VLAN and network access is granted. WPA3-Enterprise with 802.1X is the current recommended standard for corporate wireless.
Q37. What is RRM in Cisco wireless and should I let it run automatically?
Radio Resource Management automatically adjusts AP transmit power and channel assignments based on RF conditions. It reduces co-channel interference and helps balance load. In most deployments, RRM works well on auto. Situations where manual intervention helps: very dense deployments where power needs fine-tuning, environments with persistent RF interference sources, or deployments where clients have poor roaming behavior due to RRM-driven power changes. Start with automatic and tune manually only when specific problems appear.
Q38. How many APs can a Cisco 9800 WLC support?
The C9800-L (cloud-ready, small form factor) supports up to 1,000 APs and 10,000 clients. The C9800-40 supports 2,000 APs and 32,000 clients. The C9800-80 supports 6,000 APs and 64,000 clients. The C9800-CL is a virtual WLC that scales based on the VM resource allocation. All 9800 series run IOS-XE, which makes them manageable with the same tools and automation pipelines as Catalyst switches and ISR routers.
Q39. What is the difference between local mode and monitor mode for Cisco APs?
Local mode is the default — the AP serves clients on its assigned channels while periodically scanning other channels for rogue detection and RF measurement. Monitor mode dedicates the AP entirely to scanning all channels for rogue APs, IDS events, and spectrum analysis. A monitor mode AP doesn’t serve any clients. It’s used as a dedicated sensor in high-security environments or for RF troubleshooting. Sniffer mode is a third option that captures 802.11 frames to a remote Wireshark session.
Q40. How do I troubleshoot a client that keeps disconnecting from a Cisco WLAN?
Start with show wireless client detail mac <MAC> on the WLC to see the disconnect reason code. Common causes: DHCP failures (check DHCP pool exhaustion and lease time), 802.1X reauthentication timeouts (check RADIUS server response time), aggressive AP transmit power causing hidden node problems, sticky client issues (client refusing to roam from a distant AP), or driver-related issues on the endpoint. The WLC client event log shows the disconnect reason for the last several events per client.
|
Category 5 — Q41 to Q50 Security & Access Control |
|
Q41. What is Cisco ISE and what does it do?
Identity Services Engine is Cisco’s policy engine for network access control. It authenticates wired and wireless users and devices via 802.1X, MAB (MAC Authentication Bypass), and web auth. Based on identity, device posture, and context, ISE assigns the endpoint to a VLAN, applies a downloadable ACL, or applies a Security Group Tag (SGT). It integrates with Active Directory for user lookup, with MDM systems for device compliance, and with TACACS+ for device administration.
Q42. What is MAB (MAC Authentication Bypass) and when is it used?
MAB authenticates a device by its MAC address when it can’t perform 802.1X. Printers, IP cameras, medical equipment, and IoT devices typically don’t have 802.1X supplicants. MAB allows these devices to authenticate — the switch sends the MAC address to ISE as the username, and ISE looks it up in an internal or external database and applies the appropriate policy. MAB is not secure in isolation (MAC addresses are easy to spoof), but combined with profiling and posture assessment, it provides reasonable control.
Q43. How do I configure port security on a Cisco Catalyst switch?
Port security limits the number of MAC addresses learned on a port. Configure the maximum allowed MACs and the violation action (shutdown, restrict, or protect). Static MAC entries can be pre-defined; sticky learning automatically adds the first MAC learned to the config. However, 802.1X with ISE is the preferred approach for modern deployments. Port security alone doesn’t prevent MAC spoofing and creates operational overhead when devices change.
interface GigabitEthernet1/0/10 switchport mode access switchport port-security maximum 2 switchport port-security violation restrict switchport port-security mac-address sticky
Q44. What is TrustSec and how does SGT work?
TrustSec uses Security Group Tags — numeric labels (1–65535) assigned to traffic when it enters the network (from ISE authentication or static assignment). SGT-based access control (SGACL) then permits or denies traffic based on the source and destination tag pair, rather than IP addresses. This simplifies security policy dramatically: instead of managing hundreds of IP-based ACLs, you define a matrix of which groups can communicate. Policies are centrally defined in ISE and pushed to the network.
Q45. How does Dynamic ARP Inspection protect against ARP spoofing?
DAI validates ARP packets against the DHCP snooping binding table. When an ARP arrives on an untrusted port, DAI checks whether the IP-to-MAC mapping in the ARP matches what’s in the binding table. If it doesn’t match (indicating a spoofed ARP), the packet is dropped. Uplink ports connected to switches or routers are marked as trusted. Enable DHCP snooping first — DAI depends on its binding table.
Q46. What is Cisco Umbrella and how does it work for branch security?
Umbrella is a cloud-delivered DNS security and SWG (Secure Web Gateway) platform. At its simplest level, it intercepts DNS queries and blocks requests to malicious or policy-violating domains before a TCP connection is ever made. At the network level, a Cisco router or SD-WAN device can forward all DNS queries to Umbrella and optionally tunnel web traffic through Umbrella’s PoP for full SWG inspection. This provides security for branch direct internet traffic without a local firewall appliance at every site.
Q47. What is the purpose of ZBFW (Zone-Based Firewall) on Cisco IOS-XE?
Zone-Based Firewall organizes interfaces into security zones and defines stateful traffic policies between zones. Traffic within a zone is permitted by default; traffic between zones is denied by default unless a policy explicitly permits it. ZBFW replaces the older ip inspect (CBAC) and is the preferred stateful inspection method on IOS-XE routers. For branch routers doing direct internet access, ZBFW on the WAN interface prevents unsolicited inbound connections from the internet.
Q48. How do I configure SSH on a Cisco switch or router?
Minimum requirements: a hostname and domain name (for key generation), a local user account or AAA configuration, and SSH version 2 enabled. Generate the RSA keys with crypto key generate rsa modulus 4096. Restrict VTY lines to SSH only with transport input ssh. Disable Telnet everywhere. Apply an ACL to the VTY lines to restrict which source IPs can connect.
Q49. What is 802.1X multi-auth mode and when is it needed?
Multi-auth mode allows multiple authenticated sessions on a single switch port — each device on that port authenticates independently and can receive different VLAN and policy assignments. This is used on IP phone + PC ports (one port, two authenticated devices) and on shared ports where multiple endpoints connect through an unmanaged hub or access-layer device. Compare to single-host mode (one MAC, one session) and multi-domain mode (one data device, one voice device per port).
Q50. How does Cisco MACsec (802.1AE) secure a campus network?
MACsec encrypts traffic at Layer 2 — between a switch and an endpoint, or between two switches. Unlike IPsec (Layer 3) or TLS (Layer 7), MACsec operates on the Ethernet frame itself. Every frame is encrypted and authenticated with a 128-bit or 256-bit key derived from the MACsec Key Agreement (MKA) protocol. On Catalyst 9000 switches, MACsec is supported on access ports (endpoint-to-switch) and uplinks (switch-to-switch). It satisfies compliance requirements for data-in-motion encryption even within the physical data center or campus.
|
Category 6 — Q51 to Q60 Quality of Service (QoS) |
|
Q51. What are the three models of QoS and which does Cisco use?
Best effort — no QoS, everything treated equally (default state of most networks). IntServ (Integrated Services) — per-flow resource reservation using RSVP; does not scale. DiffServ (Differentiated Services) — traffic marked at the edge and treated according to the DSCP marking throughout the network. Cisco uses DiffServ as the primary QoS model. Packets are marked with DSCP values in the IP header and queued accordingly at each hop.
Q52. What is DSCP and how does it relate to CoS?
DSCP (Differentiated Services Code Point) is a 6-bit value in the IP header’s ToS byte that marks traffic priority. Common values: EF (46) for voice, CS6 (48) for routing protocols, AF41 (34) for interactive video. CoS (Class of Service) is a 3-bit marking in the 802.1Q VLAN tag header — valid only on trunk links, not IP packets. At trust boundaries, CoS values are typically mapped to DSCP values and vice versa. CoS 5 maps to DSCP EF for voice.
Q53. What is the Cisco recommended 12-class QoS model for branch WAN?
Cisco’s recommended enterprise QoS model groups traffic into classes: Voice (DSCP EF, 1%), Call Signaling (CS3/AF31, 1%), Interactive Video (AF41, 15%), Streaming Video (CS4, 10%), Mission-Critical Data (AF21–AF23, 20%), Transactional Data (AF11–AF13, 10%), Bulk Data (AF11, 4%), Scavenger (CS1, 1%), and Default/Best Effort (remainder). The exact percentages depend on the WAN link capacity and the mix of traffic at that specific site.
Q54. How does LLQ (Low Latency Queuing) work for voice traffic?
LLQ is essentially CBWFQ (Class-Based Weighted Fair Queuing) with a strict priority queue for voice. The priority queue drains before all other queues, guaranteeing that voice packets never have to wait behind data traffic. The priority command in the policy-map class creates the strict priority queue. The bandwidth assigned is policed — if voice exceeds its allocation, packets are dropped, which is preferable to having voice wait in a data queue and incur high jitter.
Q55. How do I verify QoS policy is working on a Cisco router?
show policy-map interface <interface> shows the packet and byte counts for each class, queuing statistics, and how much traffic has been dropped. Drops in the priority queue usually indicate voice over-subscription. Drops in CBWFQ classes indicate link congestion. Compare the class distribution to what you expected — unexpectedly large counts in the default class suggest traffic is not being classified correctly upstream.
Q56. What is traffic shaping vs policing in Cisco QoS?
Policing enforces a rate limit by dropping or remarking packets that exceed the defined rate. The excess traffic is discarded immediately. Shaping buffers excess traffic and delays it to conform to the defined rate. Shaping introduces latency but doesn’t drop. Use policing on inbound traffic from untrusted sources (ISP handoff) and for traffic you want to meter. Use shaping on outbound WAN traffic to avoid tail drops at the ISP head end and to smooth bursts.
Q57. What is a QoS trust boundary and where should it be set in a campus?
The trust boundary is the point at which QoS markings from endpoints are trusted or reset. Cisco recommends trusting markings at the access switch port for IP phones (CDP negotiates the phone to mark voice at DSCP EF). PC traffic arriving through the phone’s PC port should be untrusted and remarked at the switch, because PCs can set any DSCP value they want. Access switches should be the trust boundary for endpoint traffic; marking should not be deferred to the WAN edge.
Q58. How does DSCP marking work through a Cisco SD-WAN fabric?
Cisco SD-WAN can copy the inner packet’s DSCP marking to the outer IPsec header, preserving QoS across the WAN transport. On the receiving end, the inner DSCP is restored for LAN-side treatment. vManage data policies can also reclassify traffic by DSCP values and map specific applications to specific forwarding classes. MPLS-based transports honor the DSCP-to-MPLS EXP mapping for carrier QoS; broadband transports may not honor DSCP, which is why AAR-based path selection is important for latency-sensitive traffic.
Q59. What is WRED and when is it used?
Weighted Random Early Detection proactively drops packets as a queue fills, before it reaches maximum capacity. By dropping lower-priority TCP flows early, WRED signals congestion and allows TCP’s congestion control to back off — preventing full queue drops that affect all traffic. WRED is applied to data classes in CBWFQ; it should not be applied to the voice priority queue (voice is UDP and doesn’t respond to congestion signals). WRED uses DSCP weights to determine which traffic gets dropped first.
Q60. What is AutoQoS on Cisco Catalyst switches?
AutoQoS generates a QoS policy based on a template appropriate for the connected device. auto qos voip cisco-phone on an access port detects Cisco IP phones via CDP and creates appropriate marking and queuing policies. auto qos trust dscp on an uplink trusts DSCP markings. AutoQoS is a reasonable starting point but should be reviewed — the generated policies are templates, not necessarily optimal for your specific traffic profile. Run show auto qos to see what was generated.
|
Category 7 — Q61 to Q70 DHCP, DNS & IP Services |
|
Q61. How do I configure a DHCP server on a Cisco router?
Define an exclusion range for static addresses, then configure a pool with the network, default router, DNS server, and lease time. The router serves addresses from the defined range minus exclusions. For multiple VLANs, create a separate pool per VLAN subnet and ensure the router interface for that VLAN is the default-router address in the pool.
ip dhcp excluded-address 192.168.10.1 192.168.10.20 ip dhcp pool VLAN10 network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 dns-server 8.8.8.8 8.8.4.4 lease 1
Q62. What is a DHCP relay agent and how do I configure it?
When clients are on a different subnet than the DHCP server, their broadcast DHCP Discover packets won’t cross the router. The ip helper-address command on the SVI or routed interface converts the broadcast to a unicast directed to the DHCP server’s IP. Configure ip helper-address <DHCP-server-IP> on each VLAN interface that needs to reach a remote DHCP server.
Q63. How do I troubleshoot DHCP not working on a Cisco network?
Check in order: Is the DHCP server reachable (ping from the router SVI)? Is ip helper-address configured on the correct SVI? Is the DHCP pool exhausted (show ip dhcp pool)? Is DHCP snooping blocking the offer (show ip dhcp snooping statistics)? Are DHCP packets being blocked by an ACL on the SVI or routed interface? Use debug ip dhcp server events on the server-side router to see what the server is doing with incoming requests.
Q64. What is IPv6 SLAAC and how does it work?
Stateless Address Autoconfiguration allows IPv6 hosts to configure their own addresses without a DHCP server. The router sends Router Advertisements (RA) containing the IPv6 prefix for the network. The host appends its interface identifier (derived from its MAC using EUI-64 or a random privacy address) to the prefix to form a full /128 address. The router’s link-local address becomes the default gateway. DHCPv6 (stateful or stateless) can supplement SLAAC to provide DNS server information.
Q65. How do I configure NTP on Cisco devices?
Point the device at an NTP server with ntp server <IP>. Use ntp server <IP> prefer for the primary source. Configure core infrastructure devices to act as NTP servers for downstream devices. Always configure ntp authenticate with MD5 keys in environments where NTP spoofing is a concern. Verify sync with show ntp status — look for “Clock is synchronized” and stratum ≤3.
Q66. What is SNMP v3 and why is it preferred over v1/v2c?
SNMP v1 and v2c use community strings transmitted in plaintext — anyone who captures the community string can poll or configure your devices. SNMPv3 adds authentication (MD5 or SHA) and privacy (DES or AES encryption). The three security levels are: noAuthNoPriv (still no security, pointless), authNoPriv (authenticated but unencrypted), and authPriv (authenticated and encrypted). Use authPriv in production. Configure unique users with strong passphrases for auth and encryption keys.
Q67. How do I configure syslog on a Cisco device to send logs to a remote server?
Use logging host <syslog-server-IP> to send syslog messages to a remote server. Set the trap level with logging trap informational (or warnings/errors for less verbose output). Add service timestamps log datetime msec to include millisecond-precision timestamps — critical for correlating events across devices. Configure logging source-interface <loopback> so logs always arrive from a consistent, routable address.
Q68. What is CDP and LLDP and should I disable them?
CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) advertise device identity, capabilities, IP address, and native VLAN to neighbors. They’re invaluable for network documentation and troubleshooting. The security concern: they reveal device model, software version, and IP addresses to anyone connected to the network. Disable CDP and LLDP on edge-facing ports (ports connecting to untrusted devices or external networks). Leave them enabled on infrastructure ports (switch-to-switch, switch-to-router, switch-to-AP uplinks).
Q69. What is PoE and how does Cisco implement PoE+ and UPoE?
Power over Ethernet delivers power through the Ethernet cable to IP phones, APs, cameras, and IoT devices. Standard PoE (802.3af) provides up to 15.4W per port. PoE+ (802.3at) provides up to 30W. UPOE (Cisco Universal PoE, 802.3bt Type 3) provides up to 60W — enough for dual-radio Wi-Fi 6 APs, industrial IoT devices, and small switches. UPOE+ (802.3bt Type 4) provides up to 90W. Catalyst 9300 switches support UPoE; verify the switch’s total power budget versus the connected devices’ combined draw before deployment.
Q70. How does Cisco DNA Center (Catalyst Center) differ from traditional SNMP-based management?
Traditional SNMP-based NMS (SolarWinds, PRTG) polls devices periodically for MIB values — a passive, reactive approach. Cisco Catalyst Center uses RESTCONF/NETCONF, gRPC streaming telemetry, and an intent-based model where you describe desired network behavior and the platform translates it to device configuration. It includes path trace for connectivity troubleshooting, AI/ML-driven assurance that baselines normal behavior and flags anomalies, and network automation for provisioning, software management, and compliance checking.
|
Category 8 — Q71 to Q80 Network Management & Automation |
|
Q71. What is Cisco Plug-and-Play (PnP) and how does it automate branch deployment?
Cisco PnP is a zero-touch provisioning mechanism. A new router or switch powers on, has no configuration, and contacts the PnP server (Cisco DNA Center or a cloud PnP server) via DHCP option 43, DNS redirect, or cloud redirect. The server authenticates the device by serial number and pushes a day-0 configuration automatically. The branch technician only needs to rack, cable, and power on the device — no CLI access required. PnP works for Catalyst switches, ISR routers, and Catalyst 8000 series.
Q72. What is NETCONF and how does it differ from CLI-based management?
NETCONF (RFC 6241) is an XML-based protocol for network configuration and retrieval, running over SSH (port 830). Unlike CLI which produces unstructured text that must be screen-scraped, NETCONF returns structured XML that can be programmatically processed. RESTCONF (RFC 8040) provides the same functionality over HTTP using JSON or XML. Both use YANG data models to define the structure of configuration and operational data. Modern Cisco IOS-XE devices support both. For automation, RESTCONF with JSON is often more accessible.
Q73. How do I use Python and Netmiko to automate Cisco switch configuration?
Netmiko is a Python library that handles SSH connections to Cisco (and other vendor) devices. Connect with a device dictionary specifying device_type, host, username, and password. Use send_command() for show commands and send_config_set() for configuration commands. The output is a string you can parse or log. Netmiko handles enable mode, pagination, and connection timeouts. For structured output, use Genie/pyATS which parses Cisco CLI output into Python dictionaries.
Q74. What is Ansible and how is it used for Cisco network automation?
Ansible is an agentless automation platform that uses YAML playbooks to describe desired state. For Cisco IOS-XE, the cisco.ios collection provides modules for running commands, managing configuration, and retrieving facts. Ansible connects over SSH, sends CLI commands or NETCONF RPCs, and validates the results. Because it’s agentless, nothing runs on the Cisco device itself. Playbooks are idempotent — running them multiple times produces the same result, making them safe for automated continuous compliance checking.
Q75. How does Cisco Streaming Telemetry work and why is it better than SNMP polling?
Model-Driven Telemetry (MDT) pushes operational data from the device to a collector at configurable intervals — typically every 10–30 seconds instead of the 5-minute SNMP polling cycle. Data streams over gRPC to collectors like Telegraf, which stores it in InfluxDB for Grafana dashboards, or directly to Cisco Catalyst Center. The result is near-real-time visibility into interface counters, CPU, memory, BGP state, and QoS statistics without the polling overhead. Configure MDT with a telemetry ietf subscription on IOS-XE 16.10+.
Q76. What is Cisco Catalyst Center and what happened to DNA Center?
Cisco renamed DNA Center to Catalyst Center in 2023 as part of a broader branding consolidation. Functionally it’s the same platform — same product, same appliance hardware (DN2-HW-APL), same software features. The platform provides network design and provisioning, AI-driven assurance, network automation, and integration with ISE for policy. The rename is cosmetic; documentation and exam materials may reference either name depending on their age.
Q77. How do I manage Cisco device software upgrades at scale?
Catalyst Center’s Software Image Management (SWIM) feature can push IOS-XE images to hundreds of devices in a maintenance window, with pre-checks (compatibility, disk space, config diff) before upgrade and automatic rollback if the device doesn’t come back online. For smaller environments, the classic approach is: copy image to TFTP or HTTP server, use software install add on IOS-XE packages mode, then software install activate followed by software install commit after verification.
Q78. What is Cisco ThousandEyes and how is it used in campus/branch monitoring?
ThousandEyes is a network intelligence platform (acquired by Cisco in 2020) that runs synthetic tests from endpoints, cloud agents, and Cisco routers to measure internet path performance, SaaS application reachability, and DNS resolution quality. For branch networks, ThousandEyes agents on Catalyst 8000 routers measure the WAN path to SaaS applications from the branch perspective. When users report “Teams is slow,” ThousandEyes can show whether the problem is on your WAN, the ISP, or inside Microsoft’s network.
Q79. How do I use Terraform to manage Cisco network infrastructure?
HashiCorp Terraform manages Cisco ACI, NSO, and IOS-XE via provider plugins. The Cisco ACI Terraform provider manages fabric policy as code. The Cisco IOS-XE Terraform provider uses RESTCONF to configure interfaces, VLANs, routing, and services. Define resources in HCL (HashiCorp Configuration Language), run terraform plan to see what would change, and terraform apply to push changes. State is tracked, so subsequent runs only modify what’s changed from the declared state.
Q80. What is Cisco NSO (Network Services Orchestrator)?
NSO is a network automation platform that maintains a synchronized model of the network’s configuration across all managed devices. It uses NEDs (Network Element Drivers) to communicate with different device types — Cisco IOS, IOS-XE, NX-OS, ASA, and hundreds of third-party devices. Service packages define business-level services (e.g., “provision a VPN”) that NSO translates into device configurations across multiple vendors. NSO tracks all changes, provides rollback capability, and enforces compliance by detecting configuration drift.
|
Category 9 — Q81 to Q90 Troubleshooting |
|
Q81. A user cannot access the internet but can ping their default gateway. Where do I look?
Check in order: Can you ping the ISP gateway from the router? If not, check the WAN interface state and IP assignment. Can you ping 8.8.8.8 from the router? If yes but not from the PC, check NAT (show ip nat translations). Can you resolve DNS? If ping works but names don’t resolve, the DNS server is unreachable or misconfigured. Check the DHCP-assigned DNS server on the client. Check ACLs that might block DNS (UDP/TCP 53) toward the DNS server.
Q82. How do I use traceroute to diagnose a network path problem on Cisco?
traceroute <destination> from the router shows each hop and its round-trip time. Three asterisks (*) mean ICMP TTL-exceeded messages are being blocked at that hop — not necessarily a path failure. A consistently high RTT at a specific hop indicates latency at that device. If traceroute stops at a hop, the next hop is dropping or not responding. Use traceroute source <interface> to source the probe from a specific interface to verify routing from different paths.
Q83. How do I diagnose a duplex mismatch on a Cisco switch port?
A duplex mismatch causes excessive late collisions and CRC errors on the half-duplex end. Run show interfaces <int> and look at “Late collision” and “CRC” counters — incrementing CRC and late collisions on what should be a full-duplex Gigabit link are the classic signature. Also check show interfaces <int> status to see the negotiated duplex. Fix by explicitly setting speed and duplex on both ends, or ensuring both sides use auto-negotiation consistently.
Q84. How do I find which switch port a specific MAC address is on?
show mac address-table address <MAC> shows the port and VLAN the MAC was learned on. If the MAC appears on an uplink port (toward another switch), the device is downstream on that switch — log into the next switch and repeat. show mac address-table dynamic shows all dynamically learned MACs. If you have CDP-enabled switches, Cisco Catalyst Center can trace a MAC end-to-end through the topology automatically.
Q85. How do I diagnose high CPU on a Cisco switch or router?
show processes cpu sorted shows the top CPU consumers. Check if the load is interrupt-driven (hardware path’s overload due to punted packets) or process-driven (software running in CPU). show processes cpu history shows a 72-hour trend. Common causes: STP TCN storms flooding the CPU with MAC flush events, OSPF or BGP reconvergence, a debug command left running, ARP flooding, or a software bug causing a process loop. Never leave debug commands running unattended on production devices.
Q86. What does “err-disabled” mean on a Cisco port and how do I recover?
Err-disabled is a self-protective state that shuts a port when a policy violation is detected. Common triggers: BPDU guard (a switch is connected to a portfast-enabled access port), port security violation (too many MACs), UDLD (UniDirectional Link Detection failure), or a loop detected by LoopGuard. Run show interfaces status err-disabled to see the reason. Fix the underlying cause, then recover with shutdown / no shutdown or configure errdisable recovery for automatic recovery.
Q87. How do I capture and analyze traffic on a Cisco switch using SPAN?
SPAN (Switched Port Analyzer) mirrors traffic from a source port or VLAN to a destination port where a packet capture device (Wireshark laptop, TAP) is connected. Local SPAN mirrors traffic to a destination port on the same switch. RSPAN uses a dedicated VLAN to mirror traffic across switches. ERSPAN (Encapsulated RSPAN) encapsulates mirrored traffic in GRE and sends it to a remote IP — useful for sending captures to a centralized analysis server. SPAN doesn’t affect forwarding on the source port.
Q88. A trunk link is not passing traffic for a specific VLAN. What do I check?
Check in order: Is the VLAN in the allowed list on the trunk? (show interfaces trunk — look at the “VLANs allowed and active in management domain” column). Is the VLAN defined in the VLAN database? (show vlan brief). Is the SVI for that VLAN in UP/UP state? Is the VLAN active on both sides of the trunk? Is it the native VLAN (untagged) when it should be tagged? VLANs that exist on one switch but not the other will show as “VLANs allowed and active” on one side but not pass traffic to the far side.
Q89. How do I use EEM (Embedded Event Manager) for automated troubleshooting responses?
EEM is a framework on IOS-XE that triggers actions when events occur — syslog messages, interface state changes, SNMP threshold crossings, or timers. A practical use: when a specific syslog message appears (e.g., interface going down), EEM runs a TCL script or CLI commands automatically — collecting show outputs, sending email alerts, or attempting a corrective action. EEM applets are simpler than scripts for straightforward actions. Use it carefully in production: automated corrective actions can make things worse if the trigger condition is misinterpreted.
Q90. What commands should I run first when a remote branch site loses connectivity?
If out-of-band access (console server or 4G management) is available: show ip interface brief (interface states), show ip route (is the default route present?), ping <ISP-gateway>, show log | tail (recent events), show processes cpu sorted, and show version (uptime — check for unexpected reload). If the router is up but routing is missing, check if the WAN interface lost its IP (PPPoE re-auth failure, DHCP lease expiry), or if IP SLA failed over incorrectly.
|
Category 10 — Q91 to Q100 Meraki & Cloud-Managed Networking |
☁️ |
Q91. What is Cisco Meraki and how is it different from traditional Cisco networking?
Meraki is Cisco’s cloud-managed networking platform — acquired in 2012. Every Meraki device (MX security appliance, MS switch, MR wireless AP, MG cellular gateway) is managed entirely through the Meraki Dashboard, a cloud SaaS application. There’s no local controller, no CLI for day-to-day operations, and no complex licensing model for base functionality. The trade-off: the dashboard is the only management interface, and without an active Meraki license, devices go into a limited mode. Traditional Cisco gear requires on-prem management but doesn’t phone home for operation.
Q92. What is the Meraki MX and what features does it provide for branches?
The Meraki MX is a cloud-managed security and SD-WAN appliance. It provides unified threat management (UTM) including stateful firewall, IPS, content filtering, AMP (Advanced Malware Protection), and SSL inspection. For WAN, MX supports Auto VPN — Meraki’s zero-touch mesh VPN that automatically builds IPsec tunnels between MX devices without any manual configuration of peer addresses or IKE settings. MX also supports dual-WAN failover, traffic shaping, and SD-WAN path steering.
Q93. How does Meraki Auto VPN work?
Auto VPN uses the Meraki dashboard as a registry. Each MX registers its WAN IPs with the dashboard. When two MX devices are in the same organization and both have Auto VPN enabled, the dashboard distributes WAN IP information to each device, and they automatically establish an IPsec tunnel between them. No IKE configuration, no crypto maps, no peer addresses to manage. Adding a new branch just requires connecting an MX with internet access and claiming it in the dashboard — it builds VPN tunnels to all other sites automatically.
Q94. What Meraki MS switch models are used in campus and branch deployments?
The MS120 series covers small branch access switching with basic L2 features. The MS250 and MS350 provide L3 routing for medium branches and campus access. The MS390 targets large campus access with Cisco ASIC-based hardware (Catalyst DNA in a Meraki management skin). The MS450 provides high-density 10G uplinks for campus distribution. The MS550 handles core switching. All are managed through the Meraki Dashboard with no CLI required for configuration.
Q95. Can Meraki devices be managed offline or without internet access?
Meraki devices cache their configuration locally and continue operating normally without dashboard connectivity. They pass traffic, enforce firewall rules, and maintain VPN tunnels. What you lose during a dashboard outage: the ability to make configuration changes from the dashboard. You can’t push policy updates, add users, or change VPN settings until connectivity to the Meraki cloud is restored. For disaster recovery, some organizations configure an out-of-band management connection to the MX to enable local SSH access for emergencies.
Q96. How does Meraki Systems Manager (MDM) integrate with network policy?
Meraki Systems Manager is an MDM/EMM platform that manages mobile devices and laptops. It integrates with the Meraki network to enable posture-based access control: only devices enrolled in Systems Manager and meeting compliance criteria (OS version, encryption enabled, no jailbreak) receive full network access. Non-compliant devices are quarantined to a restricted VLAN. This gives Meraki environments a lightweight NAC capability without ISE, useful for smaller organizations that don’t need ISE’s full feature set.
Q97. What is the Cisco Catalyst 9800-CL and how does it relate to Meraki wireless?
The Catalyst 9800-CL is a virtual WLC that runs as a VM and manages Cisco Catalyst APs using the traditional IOS-XE management stack. Meraki MR APs use the Meraki Dashboard exclusively and cannot be managed by a 9800-CL. The two ecosystems are separate: Meraki wireless is cloud-managed; Catalyst wireless (9800+Catalyst APs) is on-prem or cloud-managed via Catalyst Center. Some organizations run both: Meraki for small branches (simpler ops) and Catalyst 9800 for campus (more features, local control).
Q98. How does Meraki licensing work and what happens when it expires?
Meraki uses per-device annual or multi-year licenses tied to the device serial number. Each device needs an active license to receive full dashboard management, security updates, and support. If a license expires, the device enters a 30-day grace period. After that, the dashboard may restrict management access and the device may lose cloud-based features. The hardware still passes traffic, but you lose the ability to make configuration changes. Unlike traditional perpetual licenses, there’s no option to use the hardware without a subscription after the grace period.
Q99. What are the Meraki API capabilities and how do I use them?
The Meraki Dashboard API is a REST API that provides full read and write access to the dashboard configuration programmatically. Authentication uses an API key set in the user profile. Common use cases: bulk SSID configuration across hundreds of sites, automated network inventory exports, client connection analytics, and integrating Meraki data with SIEM or ITSM platforms. The API documentation at developer.cisco.com/meraki includes Postman collections and Python SDK examples. The Meraki API is significantly simpler to use than the APIC or IOS-XE RESTCONF APIs.
Q100. When should an organization choose Meraki over traditional Cisco IOS-XE networking?
Meraki wins on operational simplicity. If you have many branch sites with limited IT staff, the zero-touch deployment and single-pane dashboard management is genuinely faster to operate than managing hundreds of IOS-XE devices. It’s well-suited for retail chains, distributed offices, K–12 schools, and healthcare clinics where the network team manages networking part-time. Traditional IOS-XE wins when you need deep protocol control, complex QoS, advanced SD-WAN features, full TACACS+ device administration, or features that Meraki’s simplified model doesn’t expose. Many large organizations use both: Meraki for small branches and Catalyst/ISR for the campus and data center.
Quick Reference: Essential Cisco Branch & Campus Show Commands
| Command | What It Shows |
| show ip interface brief | All interface IPs and line/protocol state |
| show interfaces status | Port speed, duplex, VLAN, connected/notconnect |
| show ip route | Full routing table with protocol, metric, AD |
| show vlan brief | All VLANs and their member ports |
| show interfaces trunk | Trunk ports, allowed VLANs, native VLAN |
| show spanning-tree | STP topology, root bridge, port states |
| show mac address-table | MAC-to-port mappings for all VLANs |
| show ip bgp summary | BGP neighbor states and prefix counts |
| show ip ospf neighbor | OSPF adjacencies and their states |
| show ip nat translations | Active NAT table entries |
| show policy-map interface | QoS class statistics and drop counters |
| show processes cpu sorted | Top CPU consumers by process |
| show sdwan control connections | SD-WAN control plane session states |
