This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint): 'Hypervisors, Virtual Machines, and Containers.' Cisco added this topic because modern networks are increasingly virtualized and containerized; network engineers must understand how virtual switches, virtual NICs, and container networking operate. This chapter explains the differences between Type 1 and Type 2 hypervisors, how virtual machines (VMs) and containers provide isolated environments, and how networking is abstracted in each case. You'll learn the key concepts tested on the exam, including the role of the hypervisor in packet forwarding and the security implications of container versus VM isolation.
Jump to a section
Imagine you run a large apartment building (a physical server). Each apartment (a virtual machine) has its own walls, plumbing, electrical system, and front door. Tenants can install any fixtures they want, paint walls, and even run their own small appliances. The building superintendent (the hypervisor) manages access to shared resources like water mains, electrical panels, and the building's internet connection. If one tenant floods their bathroom, the water is contained to that apartment—other tenants are unaffected. This is Type 1 hypervisor isolation: each VM runs its own full operating system (OS) and is completely independent.
Now consider a shipping container terminal (a host running containers). The terminal has a standardized grid of container slots (the host OS kernel). Each shipping container (a container) shares the same underlying structure—the crane, the road, the port infrastructure—but its contents are isolated. Containers are lightweight; they don't have their own engines or drivers; they rely on the terminal's cranes and trucks (the host kernel). If one container leaks toxic fumes, the fumes might seep into adjacent containers unless the container is specially sealed (namespaces and cgroups). Containers share the host OS kernel, so a kernel vulnerability could affect all containers. This analogy highlights the fundamental difference: VMs provide strong isolation via separate OS instances, while containers share the host OS and are more lightweight but less isolated. On the CCNA exam, you need to know when to use each and how virtual switches (vSwitches) connect VMs and containers to the physical network.
What Are Hypervisors, Virtual Machines, and Containers?
Hypervisors, virtual machines (VMs), and containers are technologies that enable virtualization—running multiple isolated computing environments on a single physical host. The CCNA exam focuses on understanding how these technologies affect network design, particularly at the access layer and in data center networks.
A hypervisor is software that creates and runs VMs. It sits between the physical hardware and the VMs, managing access to CPU, memory, storage, and network resources. There are two types: - Type 1 (bare-metal) hypervisor: Runs directly on the physical hardware without a host OS. Examples: VMware ESXi, Microsoft Hyper-V, KVM. Used in data centers. - Type 2 (hosted) hypervisor: Runs on top of an existing operating system. Examples: VMware Workstation, Oracle VirtualBox. Used for testing or desktop virtualization.
A virtual machine (VM) is a software-based computer that runs its own guest operating system. Each VM includes virtual hardware: virtual CPU (vCPU), virtual RAM, virtual disk, and virtual NIC (vNIC). The hypervisor translates guest OS instructions to physical hardware.
A container is a lightweight, standalone executable package that includes everything needed to run a piece of software: code, runtime, system tools, libraries, and settings. Containers share the host OS kernel and do not require a full guest OS. Examples: Docker, containerd.
How Networking Works for VMs and Containers
For VMs, each VM has one or more virtual NICs (vNICs) that connect to a virtual switch (vSwitch). The vSwitch is a software switch running inside the hypervisor. It forwards frames between VMs on the same host and between VMs and the physical network via the host's physical NICs (pNICs). Common vSwitches: VMware vSphere Standard Switch, Cisco Nexus 1000V (though deprecated), Open vSwitch.
Key points about vSwitches:
They operate at Layer 2 (MAC address learning, forwarding, flooding).
They can support VLANs (802.1Q tagging) to segment traffic.
They can be configured with port security, ACLs, and other features.
They may support NIC teaming (multiple pNICs for redundancy/load balancing).
For containers, networking is more varied. Docker uses several networking modes: - Bridge mode (default): Containers connect to a virtual bridge (docker0) on the host. They get private IPs (e.g., 172.17.0.0/16) and communicate via NAT for external access. - Host mode: Container shares the host's network stack (no isolation). - Overlay mode: For multi-host container networking (e.g., Docker Swarm, Kubernetes). Uses VXLAN encapsulation. - Macvlan mode: Assigns a MAC address to each container, making them appear as separate devices on the physical network.
Key States and Defaults
VM states: Powered On, Powered Off, Suspended, Saved.
Hypervisor defaults: VMware ESXi default vSwitch has 120 ports. VLAN ID 0 means no tagging (access port).
Docker defaults: Default bridge network subnet 172.17.0.0/16. Container can only be reached by IP; no DNS by default.
Interaction with Related Protocols
VLANs: vSwitches can trunk VLANs to physical switches. Each VM can be assigned to a specific VLAN for segmentation.
STP: vSwitches typically do not run STP; they rely on the physical network for loop prevention (but some support STP BPDU filtering).
VXLAN: Used in overlay networks for container and VM mobility across data centers. Encapsulates Layer 2 frames in UDP (port 4789).
IOS CLI Verification Commands (for Cisco virtual switches)
On a Cisco Nexus 1000V or similar (if used), you can verify:
show module
show vm
show interface
show vlanExample output for show vm:
VM Name State vNIC VLAN IP Address
WebServer Powered On 1 10 192.168.1.10
DBServer Powered On 1 20 192.168.2.10For Docker networking, use:
docker network ls
docker network inspect bridge
docker inspect <container>Example docker network inspect bridge output:
[
{
"Name": "bridge",
"Id": "...",
"Scope": "local",
"Driver": "bridge",
"IPAM": {
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
}
}
]Exam Tips
Know the difference between Type 1 and Type 2 hypervisors.
Understand that VMs have full OS isolation; containers share the host OS.
Recognize that vSwitches are Layer 2 devices and can support VLANs.
Remember that container networking often uses NAT or overlay networks.
Be aware that the CCNA v2 exam may ask about virtual networking components (vNIC, vSwitch) and their configuration.
Identify the hypervisor type
Determine whether the scenario uses a Type 1 (bare-metal) or Type 2 (hosted) hypervisor. Type 1 runs directly on hardware (e.g., VMware ESXi, Microsoft Hyper-V, KVM). Type 2 runs on an OS (e.g., VMware Workstation, VirtualBox). The exam may ask which type is more suitable for a data center (Type 1) vs. a developer's laptop (Type 2). Type 1 has lower overhead and better performance because it doesn't rely on a host OS. Type 2 is easier to set up but less efficient.
Create a virtual switch (vSwitch)
On a hypervisor, create a vSwitch to connect VMs. In VMware ESXi, you create a vSwitch via the vSphere client. You assign physical NICs (uplinks) to the vSwitch. For example, you might create a vSwitch with two uplinks for redundancy. The vSwitch learns MAC addresses and forwards frames. You can configure VLANs: set VLAN ID 0 for access mode (no tagging) or a specific VLAN ID for trunking. The vSwitch does not run STP by default; loops are prevented at the physical network.
Attach a VM to the vSwitch
Each VM has one or more virtual NICs (vNICs). When you configure a VM, you select a vNIC and connect it to a port group on the vSwitch. A port group defines VLAN membership and other policies (e.g., traffic shaping, security). For example, you might create a port group for VLAN 10 and attach the VM's vNIC to it. The VM then receives an IP address via DHCP or static assignment, and its traffic is tagged with VLAN 10 when sent to the physical switch.
Configure container networking (bridge mode)
In Docker, the default bridge network (docker0) is created automatically. When you run a container without specifying a network, it connects to this bridge. The container gets an IP in the 172.17.0.0/16 range. To expose a container's port to the host, use `-p` flag (e.g., `docker run -p 8080:80 nginx`). This creates a NAT rule mapping host port 8080 to container port 80. For inter-container communication, containers on the same bridge can communicate by IP. Use `docker network create` to create custom bridge networks for isolation.
Verify connectivity and configuration
Use CLI commands to verify. For VMs on a hypervisor, log into the hypervisor management interface (e.g., ESXi shell) and run `esxcli network vswitch list` to see vSwitches. For Docker, run `docker network ls` to list networks, `docker network inspect bridge` to see details, and `docker exec <container> ip addr` to see container IP. On the physical switch, verify that the trunk port connecting to the hypervisor has the correct allowed VLANs. Use `show interfaces trunk` on a Cisco switch to verify.
Troubleshoot common issues
Common issues: VM cannot reach external network – check vSwitch uplink status and VLAN configuration. Container cannot be reached from outside – check port mapping and firewall rules. IP address conflicts – ensure DHCP scopes don't overlap with static IPs. To troubleshoot, use `ping`, `traceroute`, and check ARP tables. On the hypervisor, check vSwitch statistics for dropped packets. For containers, use `docker logs <container>` and `docker network inspect` to see if the container is attached to the correct network.
Scenario 1: Data Center Server Virtualization
A company virtualizes its web servers using VMware ESXi (Type 1 hypervisor) on a blade server. Each VM runs a separate web application. The hypervisor has two 10GbE physical NICs connected to a pair of top-of-rack (ToR) switches. The network engineer creates a vSwitch with both NICs as active uplinks for load balancing and failover. Each VM is assigned to a different VLAN for security (e.g., VLAN 10 for production, VLAN 20 for staging). The ToR switches are configured with trunk ports carrying these VLANs. This setup provides isolation and high availability. If one physical NIC fails, traffic continues over the other. The engineer monitors vSwitch statistics to ensure no packet drops.
Scenario 2: Containerized Microservices
A development team deploys a microservices application using Docker on a single Linux host. Each microservice (e.g., frontend, backend, database) runs in a separate container. They use the default bridge network initially. However, they find that containers need to communicate by service name instead of IP. The engineer creates a custom bridge network (docker network create mynet) and runs all containers on that network. Docker's embedded DNS resolves container names to IPs. For external access, they map ports using -p. They also set up a reverse proxy container (Nginx) that listens on port 80 and routes to the appropriate service. This setup is lightweight and easy to scale by adding more containers.
Scenario 3: Mixed VM and Container Environment
An enterprise runs both VMs and containers on the same hypervisor. They use VMware ESXi with VMs for legacy applications and Docker containers in a VM (Docker-in-VM) for new microservices. The network engineer configures a vSwitch with multiple port groups: one for the Docker host VM, and others for other VMs. The Docker host VM has two vNICs: one for management (VLAN 1) and one for container traffic (VLAN 100). Inside the Docker host, containers use bridge networking. This approach leverages VM isolation for the Docker host while still gaining container efficiency. However, it adds overhead because each container's traffic goes through two virtual switches (vSwitch inside VM and hypervisor vSwitch).
Common Pitfalls:
Forgetting to configure VLANs correctly on both vSwitch and physical switch, causing connectivity issues.
Using default Docker bridge and expecting containers to be reachable by hostname without custom DNS.
Overloading a single vSwitch with too many VMs, causing performance degradation.
Not securing container networking: containers on the same bridge can communicate freely, which may be a security risk.
New in CCNA v2
This objective is entirely new in the 200-301 v2.0 exam (2026). The previous v1.1 blueprint did not include hypervisors, VMs, or containers. Cisco added this to reflect the reality that modern networks are heavily virtualized. Candidates who studied v1.1 materials will miss this topic. The new 5-domain blueprint allocates 'Network Infrastructure and Connectivity' 25% of the exam. This topic falls under that domain. Expect 2-3 questions on basic concepts, hypervisor types, and virtual networking components.
What the Exam Tests
The CCNA v2 exam tests your understanding of:
Hypervisor types (Type 1 vs. Type 2)
Virtual switches and their role
VM networking (vNIC, port groups, VLANs)
Container networking basics (bridge, host, overlay modes)
Differences between VMs and containers (isolation, overhead, use cases)
Basic troubleshooting of virtual networking
Common Wrong Answers and Why
'Containers provide the same isolation as VMs.' Wrong. Containers share the host OS kernel; a kernel exploit can compromise all containers. VMs have separate OS instances, stronger isolation.
'A Type 2 hypervisor is used in data centers.' Wrong. Type 1 is preferred for data centers due to lower overhead and better performance. Type 2 is for desktops/laptops.
'Virtual switches operate at Layer 3.' Wrong. vSwitches are Layer 2 devices (MAC learning, VLAN tagging). They do not perform routing unless integrated with a router.
'Docker containers can communicate across hosts without any configuration.' Wrong. By default, containers on different hosts cannot communicate unless you set up overlay networking or route the traffic.
Specific Values and Commands
Default Docker bridge subnet: 172.17.0.0/16
VMware ESXi default vSwitch port count: 120
VLAN ID 0 on a vSwitch means access port (no tagging)
Command to list Docker networks: docker network ls
Command to inspect Docker network: docker network inspect <name>
Decision Rule for Scenario Questions
If the question asks which technology to use for strong isolation (e.g., multi-tenant environments), choose VMs. If the question emphasizes lightweight, fast deployment, choose containers. If the question involves a hypervisor that runs directly on hardware, it's Type 1. If it runs on an OS, it's Type 2. For virtual networking questions, remember that vSwitches are Layer 2 and support VLANs.
Type 1 hypervisor runs directly on hardware (bare-metal); Type 2 runs on an OS.
Virtual switches (vSwitches) are Layer 2 devices that forward frames between VMs and to the physical network.
Each VM has its own guest OS; containers share the host OS kernel.
Docker default bridge network uses subnet 172.17.0.0/16 and provides NAT for external access.
Containers use namespaces and cgroups for isolation; VMs use hardware virtualization.
vSwitches support VLAN tagging (802.1Q) to segment VM traffic.
[CCNA v2 NEW] This topic is new in the 2026 exam; candidates must understand virtual networking components.
Container networking modes: bridge (default), host, overlay, macvlan.
These come up on the exam all the time. Here's how to tell them apart.
Virtual Machines (VMs)
Each VM runs a full guest OS
Strong isolation via separate OS instances
Higher resource overhead (CPU, RAM, disk)
Slower startup (minutes)
Hypervisor provides hardware abstraction
Containers
Containers share the host OS kernel
Weaker isolation (kernel shared)
Lower resource overhead
Fast startup (seconds)
Container engine provides OS-level virtualization
Mistake
Containers provide the same level of isolation as VMs.
Correct
Containers share the host OS kernel; a kernel exploit can affect all containers. VMs have separate OS instances and stronger isolation.
Because containers are lightweight and share resources, many assume they are equally secure, but the shared kernel is a single point of failure.
Mistake
A Type 2 hypervisor is typically used in enterprise data centers.
Correct
Type 1 hypervisors (bare-metal) are used in data centers for better performance and lower overhead.
Type 2 hypervisors are easier to install on a desktop, so candidates may think they are more common, but enterprises prefer Type 1.
Mistake
Virtual switches operate at Layer 3 and can route between VLANs.
Correct
Virtual switches are Layer 2 devices; they forward frames based on MAC addresses and can tag VLANs, but they do not route.
The term 'switch' may imply Layer 3 capabilities, but vSwitches are purely Layer 2.
Mistake
Docker containers can communicate with each other across different hosts without any additional configuration.
Correct
By default, containers on different hosts cannot communicate unless you configure overlay networking or route traffic.
Docker's default bridge network is host-local; cross-host communication requires additional setup like Docker Swarm or Kubernetes.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Type 1 hypervisors run directly on the physical hardware (bare-metal), without a host OS. Examples: VMware ESXi, Microsoft Hyper-V, KVM. They are used in data centers for performance and efficiency. Type 2 hypervisors run on top of an existing operating system (hosted). Examples: VMware Workstation, Oracle VirtualBox. They are easier to set up but have more overhead and are typically used for testing or desktop virtualization.
A vSwitch is a software switch running inside the hypervisor. It connects virtual NICs (vNICs) of VMs to physical NICs (pNICs) of the host. It learns MAC addresses by inspecting incoming frames and forwards frames based on the destination MAC. It can support VLANs (802.1Q tagging) to segment traffic. Some vSwitches also support features like NIC teaming, traffic shaping, and security policies. The vSwitch does not run STP by default; loop prevention is handled at the physical network.
Docker supports several networking modes: bridge (default), host, overlay, macvlan, and none. Bridge mode creates a virtual bridge (docker0) and assigns private IPs to containers; external access requires port mapping. Host mode shares the host's network stack (no isolation). Overlay mode enables multi-host communication via VXLAN encapsulation. Macvlan assigns a MAC address to each container, making them appear as separate devices on the physical network. None mode disables networking.
Yes, it is common to run containers inside a VM. For example, you might have a VM running Docker, and then run multiple containers inside that VM. This provides the isolation of a VM while still leveraging the lightweight nature of containers. However, it adds overhead because each container's traffic goes through two virtual networking layers.
The default bridge network (docker0) uses the subnet 172.17.0.0/16. The host gets 172.17.0.1, and containers get IPs in that range via DHCP. This subnet can be changed by configuring the Docker daemon.
You can use the esxcli command: `esxcli network vswitch list` to list all vSwitches. To see details of a specific vSwitch, use `esxcli network vswitch standard list -v <vswitch_name>`. For port group details, use `esxcli network vswitch standard portgroup list`. These commands show uplinks, VLAN IDs, and other settings.
A vNIC is a software-emulated NIC assigned to a VM. It appears as a physical NIC to the guest OS but is implemented by the hypervisor. A pNIC is a physical network interface card installed in the host server. The hypervisor uses pNICs to connect vSwitches to the physical network. Multiple vNICs can share a single pNIC through the vSwitch.
You've just covered Hypervisors, Virtual Machines, and Containers — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?