CCDA Certification and training tutorials | Cisco Certified Design Associate

What is CCDA?

Cisco Certified Design Associate (CCDA) certification is about designing the Cisco network in most efficient way. CCDA course is for validating all fundaments related to network designing, its cover void Variety of route and switch design and covers LAN, WAN, broadband, campus, data-center and wireless network design.Cisco recommends before you attempt the CCDA exam you should have CCNA level knowledge especially in basic routing and switching area and multi-layer switching.

CCDA Prerequisite:

Cisco recommendation for CCDA that you should have CCNA level knowledge but still there is not prerequisite for CCDA. But now from October 1, 2013, the CCENT certification will become a prerequisite prior to achieving the CCDA certification.

CCDA Exam Details

For CCDA certification you have to pass only one Cisco exam 640-863, this exam detail is as follows:

  • Types of Questions: Multiple Choice (single and multiple answer), drag-and-drop.
  • Number of Questions: 55
  • Passing score: 790, on a scale of 300 to 1000
  • Time Limit: 75 minutes

For taking CCDA exam Cisco recommends that you should have at least CCNA level knowledge in order to understand the CCDA concepts and for designing a networks. CCDA professionals perform basic functions required to design Cisco converged networks, including basic campus, data center, security, voice, and wireless networks.While designing a network you should familiar with different Cisco Network Devices, like router, Switch, hub ATM etc.

CCDA Course Outline


Network Design Methodology | CCDA

Network design is getting more complex with complexity of our network with different type of multimedia and data traffic, so it is necessity that we have a proper design methodology that support out plan. In this article we will see some network design methodology. Some of the design approaches are as follows:

 Designing topology with Top-Down Approach

After selecting the network design methodology, you need to design you network topology. You can use the top-down design approach for designing the network topology. Top-down design just means starting your design from the top layer of the OSI model and working your way down. Top-down design adapts the network and physical infrastructure to the network application’s needs. With a top-down approach, network devices and technologies are not selected until the applications’ requirements are analyzed. To complete a top-down design, the following is accomplished:

  • Analysis of application and organization requirements (As discussed in Eight steps design )
  • Design from the top of the OSI reference model
  • Define requirements for upper layers (Application, Presentation, Session)
  • Specify infrastructure for lower OSI layers (transport, network, data link, physical)
  • Gather additional data on the network

Network prototype or Pilot test:

Pilot or prototype is the simple implementation or testing network solutions that you have implemented in your network deployment. A pilot site is small live test site before the solution deployed. This is the real world approach for discovering problems before you deploy the network design solution for rest of network. Pilot test can be implemented on sub module, some campus or remote office site. With pilot or prototype you can perform the testing and experiment that you can’t do on the real environment so it is good way for testing things before deployments. Successful test will prove your design and in case of any failure you can go back to previous phase and can modify the plan and design phase.

 Network Design document:

network Design document

The design document describes the business requirements, old network architecture, network requirements; and design, plan, and configuration information for the new network. The network designers, architects and analysts use it to document the new network changes, and it serves as documentation for the enterprise. The design document should include the following sections:

  • Introduction
  • Design requirement
  • Existing network infrastructure
  • Design selection Logical design, routing protocols, IPv6 etc
  • Proof of concepts
  • Implementation plan
  • appendix

Introduction: describes all the information related to project’s purpose and the reasons for the network design.

Design Requirements is an important part of the network design document which includes the lists of organization’s requirements, constraints, and goals.

Existing Network Infrastructure define the current network including Layer 3 topology diagrams, physical topology diagrams, audit results,  routing protocols, a summary of all applications, a list of network routers, switches, and other devices configurations  and a description of issues. Design contains the specific design information, such as logical and physical topology, IP addressing, routing protocols, and security configurations.

Proof of Concept is the results from live pilot or prototype testing.

Implementation Plan includes the detailed steps for the network staff to implement the new installation and changes.

Appendixes contains list of exiting network devices, configurations, and additional information used in the design of the network.

Wireless LAN Design Things that should be consider

Wireless Local Area Network Design

This article is related to the wireless LAN, there are some prerequisite concepts which should be familiar to you and need to understand for better wireless design.  You should be aware with:

When we start to explore our WLAN we have to address the following aspects of wireless network for best wireless network design.

Controller Redundancy Design:

For good wireless design we need to have the dynamic controller redundancy, it is good for your wireless design that you have a primary wireless controller and a secondary controller. Dynamic redundancy actually uses the LWAPP and load balance the traffic across the redundant wireless controllers.

Radio Frequency Management:

Since the wireless network have no physical boundary and data travel across the wireless medium. This wireless medium is based on different frequency bands. For better wireless design and to avoid the interference between the different access points you need the proper frequency management. You need to manage the radio frequency cannels, for different wireless standard you have different non overlapping cannels, for example in 802.11b you have three non-overlapping cannels 1 6 and 11. Cisco have the RRM (Radio Resource management) in wireless LAN controllers for configuring the automatically configure radio group of wireless LAN controller. In below figure you can see that if you use the cannel “1 & 6” in one cluster or place then it is recommended that you should use this cannel again after in distant area to minimize the interference. Every access point has different frequency cannel you can select these according to your design.

wireless frequency management

Figure Ref:

RF Site Survey:

Radio frequency site survey are very important for frequency management and help you for avoiding the interference between different wireless devices. RF site survey have the five steps :

  • Define your customer requirement
  • Identify the coverage area and user density (how many users you have in coverage area)
  • Which access point need power and which need access to your wired network
  • Find out the interference devices in your wireless network boundary like microwave oven and elevator which may interference the wireless signal.
  • The final step is to document your process, record the location of your APs, record your data rates and record your signal reading at different locations.

Wireless Mess For Outdoor Wireless:

For the outdoor network mess topology is the best option for redundancy. You can use the devices like Cisco WCS, WCC, RAP and MAP for outdoor wireless communication. For good mesh design you have a latency rate from 2-3ms per hop.

Campus Design Considerations:

wireless AP controller

Number of APs: The design should have enough APs to provide full RF coverage for wireless clients for all the expected locations in the enterprise. Cisco recommends 20 data devices per AP and 7 G.711 concurrent or 8 G.729 concurrent VoWLAN calls.

Placement of APs: APs are placed in a centralized location of the expected area for which they are to provide access. APs are placed in conference rooms to accommodate peak requirements.

Power for APs: Traditional wall power can be used, but the preferred solution is to use Power-over Ethernet (PoE) to power APs and provide wired access.

Number WLCs: The number of Wireless LAN controller depends on the selected redundancy model based on theclient’s requirements. The number of controllers is also dependent on the number of required APs and the number of APs supported by the differing WLC models.

Placement of WLCs: WLCs are placed on secured wiring closets or in the data center. Deterministic redundancy is recommended, and intercontroller roaming should be minimized. WLCs can be placed in a central location or distributed in the campus distribution layer.

how do wifi extenders work.

Cisco Unified Wireless network | Cisco Wireless Design

Cisco Unified Wireless network is methodology for designing the wireless network and it have the following components:

  • Wireless Clients
  • Access points
  • Network management
  • Network Unification
  • Network Services

Wireless Clients: Wireless Clients includes the laptops, PC, Mobiles Phone, PDAs and IP phones. These all end devices are the part of access network.

Access points: AP provides the wireless access to network. You need to place the access point at the best place to avoid the interference with other access point and to provide the best access to your wireless clients.

cisco wireless architecture

Network management

Network management related to wireless control system (WCS), WCS is the central management tool for design and monitoring of our wireless network.

Network Unification: According to Network Unification our WLAN should be able to support the wireless application by offering the security policies, unified services, IPS and manage of radio frequency.

Network services are also referring to mobility services and this includes the things like guess access, location services and threat detection services.

LWAPP (light weights access point protocol) Overview

LWAPP is the standard for WLAN controllers and LWAPP operate at layer-2 and at layer-3. Wireless LAN controllers are very important part of Cisco wireless network and wireless LAN controller is used in combination with the Lightweight Access Point Protocol (LWAPP) to manage the multiple light weight APs. The WLAN controller automatically handles the configuration of anywhere from 6 to 6000 wireless access-points, depending on the model. The concept of LWAPP is we are moving the intelligence away from access point and sharing it with some type of WLAN controller. WLAN controller can handle the intelligence and can implement different policies, control messaging, authentication and operations between the access point and WLAN controller.

Cisco LWAPP Design

For better understanding of LWAPP please consider the following diagram where we have light weight access points which include indoor or outdoor access points those are handled with the Cisco WLAN controller (Cisco 2100 series and 4400 series WLAN controllers). LWAPP is use for management and control between these lightweight APs and wireless controllers. With split MAC operation data messages are split up in the wireless network, wireless access point communicate with wireless controller using control messages over the wired back bone network and then LWAPP data messages are forwarded to wireless clients. Wireless LAN controller can manage and handle the multiple access points at a time.

LWAPP Discovery of WLC

When LWAPs are placed on the network, they first perform DHCP discovery to obtain anIP address. Then Layer 3 LWAPP discovery is attempted. If there is no WLC response, theAP reboots and repeats this process. The Layer 3 LWAPP discovery algorithm is as follows:

  • The AP sends a Layer 3 LWAPP discovery request.
  • All WLCs that receive the discovery request reply with a unicast LWAPP discoveryresponse message.
  • The AP compiles a list of WLCs.
  • The AP selects a WLC based on certain criteria.
  • The AP validates the selected WLC and sends an LWAPP join response. An encryptionkey is selected, and future messages are encrypted.

At the layer-3 we have the LWAPP tunnels which are used between the wireless controller and access points. Messages from wireless controller are send to access point using the UDP port 12223 for control and port 12222 for data message.

LWAPP Modes:

LWAPP can operate in six different modes, for CCDA exam these modes are very important.

  • Local mode
  • REAP Mode
  • Monitor mode
  • Rogue Detector Mode
  • Sniffer mode
  • Bridge Mode

Local mode:this is the default mode of operation in LWAPP access points. Every 180s the access point spin 60ms on cannel, during this 60ms time period the access point perform the noise measurements, interference and scan for intrusion detection system events.

REAP Mode:Remote edge access point mode allow the LWAPP to reside across the WAN link and still be able to communicate with the wireless LAN controller and provide the functionality of regular LWAPP. REAP mode is only supported on Cisco 1030 light weight access points.

Monitor mode: Monitor mode is the special feature of LWAPP, this allow LWAPP enabled access point to exclude themselves from dealing with data traffic between clients.

Rogue Detector Mode:  This is used to monitor the rogue access point, rogue detector’s goal is find and to see all the VLAN in the network because rogue access point is connected to any of VLAN in the network. The switch sends the entire rogue MAC address list to rogue detector and then forward it to wireless LAN controller to compare the MAC address of the clients and if the MAC is matched then it mean that client is on the wired.

Sniffer mode: With sniffer mode access point can capture and sniff all the packets and then shadow then to a machine running Sniffer application. You can enable the sniffer mode with the help of airopeek(a third party software).

Bridge Mode:  this mode operates on Cisco 1030 and 1500 series access points. You can use the bridge mode for point to point connection and bridge connection between the two access points.

Wireless LAN controller components:

There are the three main components of wireless LAN controllers that are

  • Wireless LANs
  • Interfaces
  • Ports

Wireless LANs is basically your wireless SSID or wireless network name and it is a logical entity. Each wireless LAN interface is assign in the wireless controller and each wireless LAN is configure for RF policies and Qos.

Interfaces are logical connection to each LAN controller and each interface is configured with an IP address, a default gateway, physical ports, VLAN tagging and a DHCP server.

Ports are the physical connection to neighboring switch or router and by default each port is a dot1q trunk port. You may have the multiple ports on wireless LAN controller and these port can also be aggregate with link aggregation.

On the wireless LAN controller you have the five types of the interfaces:

  • Management interface
  • Services port Interface
  • AP manager interface
  • Dynamic interface
  • Virtual interface

Also each wireless LAN controller have different number of AP support, for example Cisco 2100 series support 6 access point, the 4400 series support 100 APs and wireless services module for 6500 series support 300 access points.


Platform Number of Supported Access Points
Cisco 2100 series WLC


Cisco WLC for ISRs 25
Catalyst 3750 Integrated WLC 50
Cisco 4400 series WLC 100
Cisco 6500/7600 series WLC module 300
Cisco 5500 series WLC 500

 Roaming and Mobility IN WLAN:

Roaming happens when your wireless client changes their association from one access point to other access point, as a network designer we have to think that how we can scale our network for supporting roaming process. There are two type of wireless roaming that are

WLAN Security | The Best Practices

Security in wireless network is a very essential and while designing a WLAN you have to focus and consider the following important aspects of security.

1EEE 802.11i/WPA2:

In WLAN we have different security protocols for security. One of the famous protocol is WEP (Wired Equivalent Privacy) that emerge with 802.11b standard but it is faulty and vulnerable to several attaches. WPA2 is a better option as compare to WEP where you have more security. WPA2 involves 802.1x which work on the top 802.3 and 802.11 and provide you the authentication to individual users and devices using the protocol EAP and with some authentication server like RADIUS. WPA2 also involve RSN (Robust Security Network) which keep track of your the association to each access point. For confidentially and integrity we have AES (Advanced Encryption Standard), which have strong encryption like 128bit or 256 bit or more.

Unauthorized Access:

Another security design issue we have to deal with that is unauthorized access. Remember in WLAN there is no physical boundary of a network, so an attacker can access your network from outside of your physical security with using mobile devices or with laptop having Wi-Fi. We have MAC address filtering using this we can provide access to only authorize users and devices but now a day there are number of software out their which can spoof MAC addresses into your Access point (AP). Also MAC filter is not a scalable way and it is difficult to manage and control with large number of users.  You can use the 802.1x for limiting unauthorized access.


802.1x provide the port base security and it is the best for handling unauthorized access and good alternative for MAC address filtering. 802.1x authenticate the user before providing the access to network.

Authentication Choices for WLAN:

In WLAN you can understand the authentication process with the following figure:

Wireless authentication process

In 802.1x you have a supplicant as a end device like computer or laptop and you have a authenticator which can be a switch or an access point. Also you have an authentication server which may a Radius server. Authenticator has control channels which are used for authentication the supplicant (Laptop) to Radius Server and have uncontrolled cannels which authenticate the supplicant by using different security protocols.  These security protocols are very important for choosing the final security protocol for you wireless design and as follows:

  • PEAP
  • LEAP


EAP-TLS (Extensible Authentication Protocol- Transport layer security):

It is commonly use EAP wireless network, you need to a certificates at supplicant and authentication server end and it is the most secure available method. You need to have the key pair for these certificates which have to sign by some certificate authority.  You can place your CA server with authentication server or in server form. The EAP-TLS use a communication method like the SSL and you have a secure tunnel for sending these user certificates. Although EAL-TLS is most secure method but it is more complex and expensive to deploy as compare to other security protocols.  EAP-TLS is the complete security solution for large organization.

 PEAP (Protected Extensible Authentication Protocol)

PEAP is a wireless security protocol. In PEAP as compare to EAP-TLS you only have the server side certificates and these certificates are used to create the tunnel and real authentication are take place inside that tunnel. PEAP is the mostly used by Cisco and Microsoft, in Microsoft windows-PEAP uses the CHAP and MS-CHAP for authenticating users inside the tunnel.

EAP-TTLS (Extensible Authentication Protocol- Tunneled Transport Layer Security):

EAP-TTLS is a one of the old security protocol which is use for the wireless security and only used where you the old authentication devices or in Windows NT environment. It is like the PEAP and use a TLS tunnel for protection. EAP-TTLS mostly use the CHAP, MS-CHAP and EAP-MD5. Although EAP-TTLS are introduces earlier but Microsoft and Cisco are mostly using the PEAP.

 LEAP (Lightweight Extensible Authentication Protocol)

LEAP is a Cisco Property security protocols for wireless network, it work with the 802.1x standard. It is support by Cisco Aironet products and other wireless devices and also support by most Microsoft and Linux operating systems. LEAP has some vulnerability and can be crack with different software but it is still used by different organization having Cisco devices.


EAP-FAST is security protocol use for wireless network.

This is flexible security via a tunneling and it also develops for overcoming the weakness and vulnerabilities of the LEAP. With EAP-FAST server certificates are optional but it gives you a lower cost solution as compare to PEAP and EAP-TLS. EAP-EAST use the PAC (Protected access credentials) for establishes the TLS tunnel for protection of credentials and transfer. PAC (Protected access credentials) is basically a strong shared secret key and it is unique on every single client. EAP-FAST is the best option for small to medium wireless network.