Course 2

Bits and Bytes of Networking

TCP/IP & OSI models · IP addressing & subnetting · Ethernet · Transport layer · Application services · Troubleshooting

1  ·  TCP/IP & OSI Models

Key Concepts

  • The OSI model (Open Systems Interconnection) is a conceptual 7-layer framework for understanding how network communication works. It's a teaching tool - real protocols don't map perfectly to it.
  • The TCP/IP model (4 layers) is the practical implementation used on the internet today. It merges OSI layers 5-7 into one Application layer.
  • Encapsulation - each layer wraps data with its own header (and sometimes trailer) as it travels down the stack toward the wire.
  • Decapsulation - headers are stripped at each layer as data moves up the stack at the receiving end.
  • A PDU (Protocol Data Unit) is the name for data at each layer, bottom-up: bit → frame → packet → segment (TCP) / datagram (UDP) → data.
  • Mnemonic (top→bottom): "All People Seem To Need Data Processing" → Application, Presentation, Session, Transport, Network, Data Link, Physical.

OSI Model - 7 Layers

#  | Layer        | PDU                | Key Protocols / Devices             | Role
7  | Application  | Data               | HTTP, HTTPS, FTP, DNS, SMTP, SSH    | User-facing network services
6  | Presentation | Data               | TLS/SSL, JPEG, MP3, ASCII           | Encoding, encryption, compression
5  | Session      | Data               | NetBIOS, RPC, SIP                   | Establish, manage & tear down sessions
4  | Transport    | Segment / Datagram | TCP, UDP - ports                    | End-to-end delivery, flow & error control
3  | Network      | Packet             | IP, ICMP, ARP* - Routers            | Logical addressing & routing
2  | Data Link    | Frame              | Ethernet, Wi-Fi (802.11) - Switches | MAC addressing, framing, error detection
1  | Physical     | Bit                | Cables, hubs, repeaters, NICs       | Raw bit transmission over physical media
* ARP sits between layers 2 and 3: it carries IP addresses but is delivered in Ethernet frames (it has no IP header), so many references place it at Layer 2, and the TCP/IP table below puts it in the Link layer.

TCP/IP Model - 4 Layers

TCP/IP Layer          | Maps to OSI | Key Protocols
Application           | 7, 6, 5     | HTTP, HTTPS, DNS, DHCP, FTP, SMTP, SSH, Telnet
Transport             | 4           | TCP, UDP
Internet              | 3           | IP (v4/v6), ICMP, OSPF, BGP
Link (Network Access) | 2, 1        | Ethernet, Wi-Fi, ARP, PPP

Encapsulation Flow

Application data          → HTTP payload
+ TCP/UDP header          = Segment (TCP) / Datagram (UDP)
+ IP header               = Packet
+ Ethernet header/trailer = Frame
Transmitted as bits (0s and 1s)

Key Terms

PDU           | Protocol Data Unit - the name for data at each OSI layer
Encapsulation | Wrapping data with headers as it moves down the stack toward the wire
Decapsulation | Stripping headers as data moves up the stack at the destination
MTU           | Maximum Transmission Unit - the largest packet a link will carry as a frame payload; 1500 bytes for standard Ethernet. Larger packets are fragmented or dropped.
Payload       | The data portion of a PDU (everything after the headers)
Protocol      | A set of rules that govern communication between devices

Review Questions

  1. At which OSI layer does a switch operate?
  2. What is the PDU at the Network layer called?
  3. Which TCP/IP layer combines OSI layers 5, 6, and 7?
  4. What does the Transport layer add to data during encapsulation?
  5. Which OSI layer handles encryption and data formatting (e.g., JPEG, TLS)?
  6. Name two differences between the OSI model and the TCP/IP model.

Answers

  1. Layer 2 - Data Link (switches use MAC addresses to forward frames)
  2. Packet
  3. The Application layer
  4. A TCP or UDP header (creating a segment or datagram), which adds source/destination port numbers; TCP also adds sequence and acknowledgement numbers
  5. Layer 6 - Presentation
  6. OSI has 7 layers; TCP/IP has 4. OSI is conceptual/academic; TCP/IP is the working model used on the real internet. OSI separates Session/Presentation/Application; TCP/IP merges them.

2  ·  Network Layer & IP Addressing

IPv4 Basics

  • 32-bit address written as four octets in dotted-decimal notation (e.g., 192.168.1.100).
  • Each octet ranges from 0–255.
  • Two portions: network part (identifies the subnet) + host part (identifies the device).
  • The subnet mask determines where the network/host boundary falls. Written as dotted-decimal (e.g., 255.255.255.0) or CIDR prefix (/24 = 24 network bits).
  • The logical AND of an IP and its mask gives the network address.

Address Classes (classful - historical context)

Class | First Octet Range | Default Mask        | Notes
A     | 1 – 126           | /8 (255.0.0.0)      | Large networks; 126 networks × ~16M hosts (127 is skipped: loopback)
B     | 128 – 191         | /16 (255.255.0.0)   | Medium networks; 16,384 networks × 65,534 hosts
C     | 192 – 223         | /24 (255.255.255.0) | Small networks; ~2M networks × 254 hosts
D     | 224 – 239         | -                   | Multicast only
E     | 240 – 255         | -                   | Experimental / reserved
Today we use CIDR (Classless Inter-Domain Routing) - subnet masks aren't tied to class boundaries. This dramatically slowed IPv4 exhaustion.

Special / Private Ranges

Range                         | CIDR  | Purpose
10.0.0.0 – 10.255.255.255     | /8    | Private (RFC 1918)
172.16.0.0 – 172.31.255.255   | /12   | Private (RFC 1918)
192.168.0.0 – 192.168.255.255 | /16   | Private (RFC 1918)
127.0.0.0 – 127.255.255.255   | /8    | Loopback - 127.0.0.1 = localhost
169.254.0.0 – 169.254.255.255 | /16   | APIPA / link-local - self-assigned when DHCP fails
0.0.0.0                       | -     | Unspecified address ("no address yet", e.g. the source of a DHCP Discover); 0.0.0.0/0 as a route = default route
255.255.255.255               | -     | Limited broadcast - never forwarded by routers

Subnetting Math

Host bits          = 32 – prefix length
Total addresses    = 2 ^ (host bits)
Usable hosts       = 2 ^ (host bits) – 2   (network and broadcast addresses are not assignable)
Network address    = all host bits 0 (first address)
Broadcast address  = all host bits 1 (last address)
First usable host  = network address + 1
Last usable host   = broadcast address – 1

Worked Example - 192.168.1.0 /26

Prefix          | /26 → subnet mask 255.255.255.192
Host bits       | 32 – 26 = 6
Total addresses | 2⁶ = 64
Usable hosts    | 64 – 2 = 62
Network address | 192.168.1.0
Broadcast       | 192.168.1.63
First host      | 192.168.1.1
Last host       | 192.168.1.62

Common CIDR Prefix Reference

Prefix | Subnet Mask     | Addresses  | Usable Hosts
/8     | 255.0.0.0       | 16,777,216 | 16,777,214
/16    | 255.255.0.0     | 65,536     | 65,534
/24    | 255.255.255.0   | 256        | 254
/25    | 255.255.255.128 | 128        | 126
/26    | 255.255.255.192 | 64         | 62
/27    | 255.255.255.224 | 32         | 30
/28    | 255.255.255.240 | 16         | 14
/29    | 255.255.255.248 | 8          | 6
/30    | 255.255.255.252 | 4          | 2
/31    | 255.255.255.254 | 2          | 2 on point-to-point links (RFC 3021); 0 by the classic formula
/32    | 255.255.255.255 | 1          | 1 (host route)
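The subnetting math above, carried out in code. This is an added example, not part of the original course notes: it ANDs the address with the mask to find the network, ORs with the inverted mask to find the broadcast, handles the /31 and /32 edge cases that break the "minus two" rule, and cross-checks itself against Python's standard ipaddress module. The addresses used are the page's own worked examples; nothing else is assumed.

```python
"""Subnet calculator built on the rules above: AND the address with the mask
to get the network, OR with the inverted mask to get the broadcast. Added
example; the IPv4 ranges used in the calls below are the page's own."""
import ipaddress


def to_int(dotted: str) -> int:
    """'192.168.1.100' -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/26 -> 0xFFFFFFC0 (the top `prefix` bits set)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, first/last usable host and counts for 'addr/prefix'.

    The address may be any host in the block (e.g. 10.0.1.100/27): the AND
    with the mask finds the block it belongs to.
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = to_int(addr_str)
    mask = prefix_to_mask(prefix)
    host_bits = 32 - prefix
    network = addr & mask                        # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    total = 1 << host_bits

    # Edge cases: /32 is a single host route, /31 is a two-address
    # point-to-point link (RFC 3021) with no network/broadcast addresses.
    if host_bits == 0:
        usable, first, last = 1, network, network
    elif host_bits == 1:
        usable, first, last = 2, network, broadcast
    else:
        usable, first, last = total - 2, network + 1, broadcast - 1

    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "total": total,
        "usable": usable,
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
    }


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix whose block still leaves `hosts` usable addresses."""
    for prefix in range(30, -1, -1):
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for IPv4")


def cross_check(cidr: str) -> bool:
    """Compare the hand-rolled math with the standard library."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["mask"] == str(net.netmask))


if __name__ == "__main__":
    for cidr in ("192.168.1.0/26", "10.0.1.100/27", "192.168.10.64/26"):
        print(cidr, subnet_info(cidr), "ok" if cross_check(cidr) else "MISMATCH")
```

Passing a host address such as 10.0.1.100/27 rather than the network address is deliberate: the AND with the mask is exactly the "block size" trick from the review questions, and `strict=False` makes ipaddress do the same for the cross-check.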

IPv6 Basics

  • 128-bit address - written as 8 groups of 4 hex digits separated by colons.
  • Leading zeros within a group can be omitted; consecutive all-zero groups can be replaced with :: (once per address).
  • ::1 - loopback (equivalent to IPv4 127.0.0.1)
  • fe80::/10 - link-local (auto-configured, not routable)
  • 2000::/3 - global unicast (public routable range)
  • No broadcast - replaced by multicast and anycast.
  • IPv6 uses NDP (Neighbor Discovery Protocol) instead of ARP.

IPv6 Address Compression - Rules

Rule 1      Drop leading zeros within each group: 0db8 → db8  ·  0001 → 1  ·  0000 → 0
Rule 2      Replace the longest consecutive run of all-zero groups with :: - only once per address (RFC 5952 adds: do not use :: for a single zero group; write it as 0)
Tiebreaker  When two runs are equal length, :: goes to the leftmost run

Worked Examples

Full Address                            | Step 1 - strip leading zeros  | Step 2 - apply ::
2001:0db8:0000:0000:0000:0000:0000:0001 | 2001:db8:0:0:0:0:0:1          | 2001:db8::1
0000:0000:0000:0000:0000:0000:0000:0001 | 0:0:0:0:0:0:0:1               | ::1
fe80:0000:0000:0000:0200:f8ff:fe21:67cf | fe80:0:0:0:200:f8ff:fe21:67cf | fe80::200:f8ff:fe21:67cf
2001:0db8:0000:0000:0001:0000:0000:0001 | 2001:db8:0:0:1:0:0:1          | 2001:db8::1:0:0:1  (two runs of equal length, groups 3–4 and 6–7 → leftmost wins)
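The two compression rules and the tiebreaker, implemented by hand and then checked against Python's ipaddress module, which follows RFC 5952. This is an added example, not from the original notes; the addresses exercised are the worked examples in the table above. The `min_run` parameter is an assumption of this code: it defaults to 2 (RFC 5952 and the standard library refuse to write :: for a single zero group) and can be set to 1 for the looser textbook rule.

```python
"""IPv6 compression done by hand following the two rules above, then checked
against the standard library. Added example; the addresses in the tests are
the page's own worked examples."""
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Undo compression: return the 8 four-digit (lowercase) groups of `addr`."""
    if "::" in addr:
        if addr.count("::") > 1:
            raise ValueError(":: may appear only once")
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("nothing for :: to stand for")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    return [f"{int(g, 16):04x}" for g in groups]


def compress_ipv6(addr: str, min_run: int = 2) -> str:
    """Rule 1: strip leading zeros per group. Rule 2: replace the longest run
    of all-zero groups with ::, leftmost run on a tie.

    min_run=2 follows RFC 5952 (no :: for a single zero group), which is
    also what ipaddress does. min_run=1 is the looser textbook rule.
    """
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]   # rule 1

    # Find the longest run of "0" groups; '>' (not '>=') keeps the leftmost
    # run when two are the same length.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + ["end"]):      # sentinel flushes the last run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0

    if best_len < min_run:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"                      # rule 2


def matches_stdlib(addr: str) -> bool:
    """Cross-check against ipaddress, which implements RFC 5952."""
    return compress_ipv6(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for full in ("2001:0db8:0000:0000:0000:0000:0000:0001",
                 "0000:0000:0000:0000:0000:0000:0000:0001",
                 "fe80:0000:0000:0000:0200:f8ff:fe21:67cf",
                 "2001:0db8:0000:0000:0001:0000:0000:0001"):
        print(full, "->", compress_ipv6(full), "stdlib-ok" if matches_stdlib(full) else "DIFFERS")
```

The expand step matters in practice as much as the compress step: log correlation and allow-list matching break when one system writes `2001:db8::1` and another writes `2001:0db8:0:0:0:0:0:1`, so normalise to one canonical form before comparing.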


Routing Concepts

  • Default gateway - the router IP your device sends traffic to when the destination is outside the local subnet.
  • Routing table - an ordered list of network prefixes and their next-hop addresses. Routers consult this for every packet.
  • TTL (Time To Live) - decremented by each router. Packet is dropped at 0 to prevent routing loops. Starting value is typically 64 (Linux/Mac) or 128 (Windows).
  • Static routes - manually configured; predictable but don't auto-adjust to failures.
  • Dynamic routing - protocols like OSPF (interior), BGP (exterior), and EIGRP automatically discover routes and adapt to changes.

Review Questions

  1. What is the subnet mask for a /26 prefix?
  2. How many usable hosts does a /28 network provide?
  3. What is the network address for host 10.0.1.100 on a /27 network?
  4. A host shows the address 169.254.1.50. What does this indicate?
  5. You need to subnet a /24 into blocks of exactly 30 usable hosts. What prefix length do you use?
  6. What is the broadcast address of 192.168.10.64/26?

Answers

  1. 255.255.255.192
  2. 14 (2⁴ – 2 = 14)
  3. /27 block size = 32. 100 ÷ 32 = 3 remainder 4 → block starts at 3 × 32 = 96. Network address: 10.0.1.96
  4. DHCP failed or no DHCP server was reachable. The host auto-assigned an APIPA address (169.254.0.0/16).
  5. /27 (2⁵ – 2 = 30 usable hosts)
  6. Block starts at .64, size = 64 addresses. Broadcast = .64 + 63 = 192.168.10.127

3  ·  Data Link Layer & Ethernet

MAC Addresses

  • 48-bit (6-byte) address burned into the NIC by the manufacturer. Written in hex - e.g., AA:BB:CC:DD:EE:FF.
  • First 3 bytes = OUI (Organizationally Unique Identifier) - identifies the manufacturer.
  • Last 3 bytes = device-unique identifier assigned by the manufacturer.
  • Broadcast MAC: FF:FF:FF:FF:FF:FF - received by every device on the segment.
  • MACs operate only within a single network segment (they're not routed).
  • Can be changed in software (MAC spoofing), so anything keyed on the MAC alone - MAC filtering on Wi-Fi, DHCP reservations, switch port security - is a convenience, not an authentication control.

Ethernet Frame Structure

Field                       | Size          | Purpose
Preamble                    | 7 bytes       | Alternating 1/0 bits for clock synchronization
SFD (Start Frame Delimiter) | 1 byte        | Marks end of preamble, start of frame
Destination MAC             | 6 bytes       | Who should receive this frame
Source MAC                  | 6 bytes       | Who sent this frame
EtherType / Length          | 2 bytes       | 0x0800 = IPv4 · 0x0806 = ARP · 0x86DD = IPv6
Payload (data)              | 46–1500 bytes | IP packet or other upper-layer data
FCS (Frame Check Sequence)  | 4 bytes       | CRC-32 checksum for error detection (an integrity check against line noise, not against tampering - a sender just recomputes it)
The minimum Ethernet frame payload is 46 bytes. If data is smaller, padding is added. Maximum payload = MTU = 1500 bytes.

ARP - Address Resolution Protocol

  • Resolves IP addresses to MAC addresses on the local network (Layer 3 → Layer 2).
  • ARP Request: broadcast to FF:FF:FF:FF:FF:FF asking "Who has 192.168.1.1?"
  • ARP Reply: unicast response "I have 192.168.1.1 - my MAC is AA:BB:CC:DD:EE:FF"
  • Mappings are stored in the ARP cache (view with arp -a) to avoid repeated lookups.
  • Gratuitous ARP: a device broadcasts its own IP→MAC mapping. Used in failover/HA and (maliciously) for ARP spoofing: ARP has no authentication, so any host can answer for any IP and hosts overwrite their cache with the latest reply.
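An added example (not from the course notes) that ties the Ethernet frame layout and the ARP exchange together: it builds ARP request and reply frames byte-for-byte with the field sizes from the table above, decapsulates them, and keeps an ARP cache that raises an alert when an IP it already knows suddenly answers from a different MAC. All three frames and every MAC and IP address in them are constructed for the demo; the detection logic is a simplified version of what arpwatch-style tools do.

```python
"""Parse raw Ethernet + ARP frames and keep an ARP cache that flags
IP->MAC changes. Added example; the three frames below are constructed
inline (no capture file) and every MAC/IP in them is made up."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encapsulate an ARP packet in an Ethernet frame. Requests go to the
    broadcast MAC; replies are unicast to the target. No FCS (the NIC adds
    it) and no padding, so the 28-byte ARP payload is below the 46-byte
    minimum and would be padded on the wire."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: Ethernet header first, then ARP if the EtherType says so."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    out = {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        out.update(op=op, sha=fmt_mac(sha), spa=fmt_ip(spa),
                   tha=fmt_mac(tha), tpa=fmt_ip(tpa))
    return out


class ArpWatcher:
    """Learns IP->MAC from the sender fields like a host does, but also
    records when a known IP suddenly answers from a different MAC."""

    def __init__(self):
        self.cache = {}    # ip -> mac
        self.alerts = []   # human-readable findings

    def observe(self, frame: bytes) -> dict:
        p = parse_frame(frame)
        if p["ethertype"] != ETHERTYPE_ARP:
            return p
        if p["eth_src"] != p["sha"]:
            self.alerts.append(f"frame source {p['eth_src']} != ARP sender {p['sha']}")
        if p["spa"] == p["tpa"]:
            self.alerts.append(f"gratuitous ARP for {p['spa']} from {p['sha']}")
        known = self.cache.get(p["spa"])
        if known and known != p["sha"]:
            self.alerts.append(f"{p['spa']} moved from {known} to {p['sha']} "
                               "(possible ARP spoofing)")
        self.cache[p["spa"]] = p["sha"]   # unauthenticated: last answer wins
        return p


# Constructed capture: a normal request/reply pair, then a poisoned reply
# in which a third host claims the gateway's IP with its own MAC.
CAPTURE = [
    build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:10", "192.168.1.10",
              "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1",
              "aa:bb:cc:dd:ee:10", "192.168.1.10"),
    build_arp(ARP_REPLY, "02:00:00:00:00:99", "192.168.1.1",
              "aa:bb:cc:dd:ee:10", "192.168.1.10"),
]


def run(capture=CAPTURE) -> ArpWatcher:
    watcher = ArpWatcher()
    for frame in capture:
        watcher.observe(frame)
    return watcher


if __name__ == "__main__":
    for line in run().alerts:
        print(line)
```

Note what the cache looks like after the third frame: the victim now maps the gateway IP to the attacker's MAC, which is the whole point of ARP poisoning. The watcher can only report it; preventing it needs a switch feature such as dynamic ARP inspection, or static ARP entries for critical hosts.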

Switches vs Hubs

Hub (Layer 1)    | Broadcasts all traffic to all ports. Every device shares one collision domain. No intelligence - just a repeater.
Switch (Layer 2) | Learns MAC addresses and builds a MAC address table. Forwards frames only to the relevant port. Each port = its own collision domain.
Collision domain | Segment where only one device can transmit at a time. Switches isolate collision domains per port.
Broadcast domain | All devices that receive a broadcast frame. A switch creates one broadcast domain (unless VLANs are used).
CSMA/CD          | Carrier Sense Multiple Access / Collision Detection - half-duplex Ethernet mechanism to detect and handle collisions (hubs/legacy). Modern switches are full-duplex and don't use it.

VLANs

  • Virtual LANs logically segment a switch into separate broadcast domains without needing separate physical hardware.
  • IEEE 802.1Q - standard for VLAN tagging; inserts a 4-byte tag into the Ethernet frame.
  • Access port: carries traffic for a single VLAN; used for end devices.
  • Trunk port: carries traffic for multiple VLANs between switches or switch-to-router; tags identify the VLAN.
  • Native VLAN: traffic on a trunk port that arrives untagged is assigned to the native VLAN (default VLAN 1). Set it to an unused VLAN and keep it consistent on both ends of the trunk: a mismatch leaks frames between VLANs, and a native VLAN that hosts also use enables double-tagging VLAN-hopping tricks.

Review Questions

  1. What protocol maps an IP address to a MAC address?
  2. How many bytes is a MAC address, and how is it written?
  3. What is the broadcast MAC address?
  4. What is the maximum payload size of an Ethernet frame, and what is this called?
  5. What does the OUI in a MAC address tell you?
  6. How does a switch differ from a hub in terms of collision domains?

Answers

  1. ARP (Address Resolution Protocol)
  2. 6 bytes (48 bits), written as 6 pairs of hex digits separated by colons or dashes (e.g., AA:BB:CC:DD:EE:FF)
  3. FF:FF:FF:FF:FF:FF
  4. 1500 bytes - this is the MTU (Maximum Transmission Unit) for standard Ethernet
  5. The first 3 bytes (OUI) identify the device manufacturer (e.g., Intel, Cisco)
  6. Each switch port is its own collision domain, and with full-duplex links there are no collisions at all. A hub has a single shared collision domain for all ports, so any two devices transmitting at once collide.

4  ·  Transport Layer - TCP vs UDP

TCP vs UDP

Feature      | TCP                                                           | UDP
Connection   | Connection-oriented (handshake)                               | Connectionless (fire and forget)
Reliability  | Reliable - acknowledgements, retransmits lost segments        | No guarantee - best effort
Ordering     | Sequence numbers ensure in-order delivery                     | No ordering
Flow control | Yes - sliding window (plus congestion control)                | No
Speed        | Slower (overhead)                                             | Faster (minimal overhead)
Use cases    | HTTP, HTTPS, SSH, FTP, email - reliability critical           | DNS, DHCP, VoIP, streaming, gaming - speed critical
Header size  | 20 bytes minimum (up to 60 with options)                      | 8 bytes

TCP Three-Way Handshake

Step 1 - Client → Server | SYN (synchronize - "I want to connect")
Step 2 - Server → Client | SYN-ACK (synchronize-acknowledge - "OK, ready")
Step 3 - Client → Server | ACK (acknowledge - "Connection established")
Connection teardown uses a four-way FIN exchange: FIN → ACK → FIN → ACK. Either side can initiate; each side closes its own direction, so the second FIN may be combined with the first ACK.

TCP Flags

SYN | Synchronize - initiates a connection
ACK | Acknowledge - confirms receipt of data
FIN | Finish - gracefully closes a connection
RST | Reset - abruptly terminates a connection; also the reply to a SYN on a closed port, which is how a port scanner tells "closed" (RST) from "filtered" (no reply)
PSH | Push - send buffered data immediately to the application
URG | Urgent - the urgent pointer field is valid; rarely used in modern protocols

Port Numbers

Well-known        | 0 – 1,023 - reserved for common system services
Registered        | 1,024 – 49,151 - registered by applications (e.g., databases)
Dynamic/ephemeral | 49,152 – 65,535 - assigned temporarily to client-side connections

Common Port Numbers to Memorize

Port(s)     | Protocol           | Transport | Notes
20 / 21     | FTP                | TCP       | 20 = data, 21 = control
22          | SSH / SCP / SFTP   | TCP       | Secure remote shell & file transfer
23          | Telnet             | TCP       | Unencrypted - avoid; use SSH instead
25          | SMTP               | TCP       | Sending email between mail servers
53          | DNS                | TCP+UDP   | UDP for queries; TCP for zone transfers and large responses
67 / 68     | DHCP               | UDP       | 67 = server, 68 = client
80          | HTTP               | TCP       | Unencrypted web traffic
110         | POP3               | TCP       | Receive email (downloads to client)
123         | NTP                | UDP       | Network Time Protocol
143         | IMAP               | TCP       | Receive email (syncs with server)
161 / 162   | SNMP               | UDP       | 161 = queries, 162 = traps
389         | LDAP               | TCP       | Directory lookups (Active Directory)
443         | HTTPS              | TCP       | HTTP over TLS
445         | SMB                | TCP       | Windows file sharing
465 / 587   | SMTPS / Submission | TCP       | Secure/authenticated email sending
636         | LDAPS              | TCP       | LDAP over TLS
993 / 995   | IMAPS / POP3S      | TCP       | Secure email retrieval
1433        | MS SQL Server      | TCP       |
3306        | MySQL              | TCP       |
3389        | RDP                | TCP       | Remote Desktop Protocol (Windows)
5432        | PostgreSQL         | TCP       |
5900        | VNC                | TCP       | Remote desktop (cross-platform)
8080 / 8443 | HTTP / HTTPS alt   | TCP       | Common non-privileged web service ports

Review Questions

  1. Walk through the TCP three-way handshake in order.
  2. What port does HTTPS use, and what does it add over HTTP?
  3. Which protocol would you use for live video streaming, and why?
  4. What port does RDP use?
  5. A firewall blocks all traffic to port 22. What functionality is lost?
  6. What are the three port number ranges and their boundaries?

Answers

  1. Client sends SYN → Server replies SYN-ACK → Client sends ACK. Connection is now established.
  2. Port 443. HTTPS = HTTP wrapped in TLS, which provides encryption, authentication (server certificate), and data integrity.
  3. UDP - because it's faster (no handshake, no retransmission) and a dropped video frame is less noticeable than the stall caused by waiting for a retransmit.
  4. 3389
  5. SSH access is lost, meaning secure remote shell, SCP file transfers, and SFTP would all be blocked.
  6. Well-known: 0–1023 | Registered: 1024–49151 | Dynamic/ephemeral: 49152–65535

5  ·  Application Layer Services - DNS, DHCP, NAT, HTTP

DNS - Domain Name System

  • Translates human-readable hostnames (example.com) into IP addresses. Often called "the phonebook of the internet."
  • Hierarchical structure: root (.) → TLD (.com) → authoritative nameserver → record.
  • DNS queries use UDP port 53 (most common); TCP port 53 for large responses and zone transfers.
  • TTL (Time To Live): how long a record is cached before re-querying.

DNS Record Types

Type  | Maps / Returns                                 | Example
A     | Hostname → IPv4 address                        | example.com → 93.184.216.34
AAAA  | Hostname → IPv6 address                        | example.com → 2606:2800:220:1:248:1893:25c8:1946
CNAME | Alias → canonical name                         | www.example.com → example.com
MX    | Domain → mail server(s)                        | example.com → mail.example.com (priority 10)
PTR   | IP → hostname (reverse lookup)                 | 34.216.184.93.in-addr.arpa → example.com
NS    | Domain → authoritative nameserver(s)           | example.com → ns1.example.com
SOA   | Zone metadata - serial, refresh, retry, expire | Each zone has exactly one
TXT   | Free-form text                                 | SPF, DKIM, domain verification

DNS Resolution Process

1. Check local cache          | Browser / OS cache
2. Check /etc/hosts           | Local override file (Windows: C:\Windows\System32\drivers\etc\hosts)
3. Query recursive resolver   | ISP DNS or 8.8.8.8 (Google)
4. Resolver → root            | Root returns a referral: the TLD nameservers and their addresses
5. Resolver → TLD             | TLD returns a referral to the domain's authoritative NS
6. Resolver → authoritative NS| Returns the actual A/AAAA record
7. Resolver caches + replies  | Client gets the IP, answer cached per TTL
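The seven-step walk above, as an added example (not part of the course notes): a toy recursive resolver that starts at the root, follows referrals to the TLD and authoritative servers, chases a CNAME, and caches both answers and delegations until their TTLs expire, so a second query for the same zone skips the root and TLD. Everything is served from constructed in-memory zone data: the server names, the glue addresses (192.0.2.0/24 is a documentation range) and the MX record are assumptions of this demo; only example.com's A record is the one the page quotes.

```python
"""A toy iterative resolver that walks root -> TLD -> authoritative over
constructed zone data and caches answers by TTL. Added example: the server
names, glue addresses (192.0.2.0/24 is a documentation range) and the MX
record are made up for the demo; example.com's A record is the one the
page quotes. Negative caching and DNSSEC are not modelled."""

# One "server" per zone: owner name -> [(type, value, ttl), ...]
ZONES = {
    "root": {"zone": ".", "records": {
        "com.": [("NS", "a.gtld-servers.net.", 172800)],
        "a.gtld-servers.net.": [("A", "192.0.2.1", 172800)],     # glue
    }},
    "a.gtld-servers.net.": {"zone": "com.", "records": {
        "example.com.": [("NS", "ns1.example.com.", 172800)],
        "ns1.example.com.": [("A", "192.0.2.53", 172800)],      # glue
    }},
    "ns1.example.com.": {"zone": "example.com.", "records": {
        "example.com.": [("A", "93.184.216.34", 3600),
                         ("MX", "10 mail.example.com.", 3600)],
        "www.example.com.": [("CNAME", "example.com.", 300)],
        "mail.example.com.": [("A", "192.0.2.25", 3600)],
    }},
}


def suffixes(name: str) -> list:
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def ask(server: str, qname: str, qtype: str) -> dict:
    """What one authoritative server replies: answer, cname, referral or negative."""
    zone = ZONES[server]
    rrs = zone["records"].get(qname, [])
    cnames = [(v, ttl) for t, v, ttl in rrs if t == "CNAME"]
    if cnames and qtype != "CNAME":
        return {"kind": "cname", "target": cnames[0][0], "ttl": cnames[0][1]}
    hits = [(v, ttl) for t, v, ttl in rrs if t == qtype]
    if hits:
        return {"kind": "answer", "rrs": hits}
    # Not ours to answer: refer to the longest delegation this zone holds.
    for cand in suffixes(qname):
        if cand == zone["zone"]:
            break                       # we are authoritative and it's not here
        ns = [(v, ttl) for t, v, ttl in zone["records"].get(cand, []) if t == "NS"]
        if ns:
            return {"kind": "referral", "delegation": cand, "ns": ns[0][0], "ttl": ns[0][1]}
    return {"kind": "negative"}


class Resolver:
    """Recursive resolver: walks the delegation chain and caches both the
    final answers and the delegations it learned, each until its TTL expires."""

    def __init__(self, now: int = 0):
        self.now = now               # fake clock in seconds
        self.answers = {}            # (name, type) -> (values, expires_at)
        self.delegations = {}        # zone -> (server, expires_at)

    def _fresh(self, table: dict, key):
        hit = table.get(key)
        return hit[0] if hit and hit[1] > self.now else None

    def _start_server(self, name: str) -> str:
        """Closest cached delegation for the name, else the root."""
        for cand in suffixes(name):
            server = self._fresh(self.delegations, cand)
            if server:
                return server
        return "root"

    def resolve(self, name: str, qtype: str, trace=None, depth: int = 0):
        """Return (values, trace); trace lists every server actually queried."""
        trace = [] if trace is None else trace
        if depth > 8:
            raise RuntimeError("CNAME chain too long")
        cached = self._fresh(self.answers, (name, qtype))
        if cached is not None:
            return cached, trace
        server = self._start_server(name)
        while True:
            trace.append(server)
            r = ask(server, name, qtype)
            if r["kind"] == "referral":
                self.delegations[r["delegation"]] = (r["ns"], self.now + r["ttl"])
                server = r["ns"]
            elif r["kind"] == "cname":
                values, _ = self.resolve(r["target"], qtype, trace, depth + 1)
                # cached for the CNAME's own TTL; the target is cached separately
                self.answers[(name, qtype)] = (values, self.now + r["ttl"])
                return values, trace
            elif r["kind"] == "answer":
                values = [v for v, _ in r["rrs"]]
                ttl = min(ttl for _, ttl in r["rrs"])
                self.answers[(name, qtype)] = (values, self.now + ttl)
                return values, trace
            else:
                return [], trace


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com.", "A"))   # full walk, then CNAME target
    print(r.resolve("example.com.", "MX"))      # delegation already cached
    print(r.resolve("www.example.com.", "A"))   # answer cache hit, empty trace
```

Advancing the fake clock past the CNAME's 300-second TTL but not the A record's 3600 shows the operational point from the TTL note: the resolver re-asks only for the expired record, which is why lowering TTLs well before a migration (longer than the old TTL) is what makes the change propagate on schedule.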

DHCP - Dynamic Host Configuration Protocol

  • Automatically assigns IP configuration to devices on a network.
  • Assigns: IP address, subnet mask, default gateway, DNS servers, and a lease time.
  • Uses UDP: client listens on port 68, server on port 67.
  • Initial discovery uses broadcasts (source: 0.0.0.0, dest: 255.255.255.255).

DORA Process

D - Discover    | Client broadcasts "Anyone have an IP for me?"
O - Offer       | Server replies with an available IP lease offer
R - Request     | Client broadcasts "I'll take 192.168.1.50 from Server X"
A - Acknowledge | Server confirms "It's yours until [lease time]"
  • Lease renewal: client tries to renew at 50% of lease time (T1), then again at 87.5% (T2).
  • DHCP reservation: server assigns a fixed IP based on the client's MAC address.
  • DHCP relay agent: forwards DHCP broadcasts across router boundaries so one server can serve multiple subnets.

NAT - Network Address Translation

  • Translates private IP addresses to a public IP (and back) as packets cross the router. Extends IPv4 address space.
  • Static NAT: one-to-one mapping - one private IP always maps to one specific public IP.
  • Dynamic NAT: many-to-many - private IPs share a pool of public IPs.
  • PAT (Port Address Translation) / NAT overload / masquerade: many-to-one - all private devices share a single public IP, differentiated by port numbers. This is what home routers do.
Inside local       | Inside global     | Explanation
192.168.1.10:50001 | 203.0.113.5:10001 | Private IP:port → public IP:port (PAT)
192.168.1.11:50002 | 203.0.113.5:10002 | Different port used on the same public IP

HTTP / HTTPS

  • HTTP methods: GET (retrieve), POST (submit), PUT (replace), PATCH (partial update), DELETE, HEAD (headers only), OPTIONS (capabilities).
  • HTTPS = HTTP + TLS - adds encryption, server authentication via certificates, and data integrity (port 443).

HTTP Status Codes

Range | Category      | Common Codes
1xx   | Informational | 100 Continue, 101 Switching Protocols
2xx   | Success       | 200 OK · 201 Created · 204 No Content
3xx   | Redirection   | 301 Moved Permanently · 302 Found · 304 Not Modified
4xx   | Client Error  | 400 Bad Request · 401 Unauthorized · 403 Forbidden · 404 Not Found · 429 Too Many Requests
5xx   | Server Error  | 500 Internal Server Error · 502 Bad Gateway · 503 Service Unavailable · 504 Gateway Timeout

Review Questions

  1. What DNS record type maps a hostname to an IPv4 address?
  2. Spell out and explain each step of the DHCP DORA process.
  3. An HTTP response returns status 403. What does this mean, and what's the difference from 401?
  4. What type of NAT is used in a typical home router? How does it allow multiple devices to share one IP?
  5. You try to access a site by IP and it works, but using the domain name it fails. What is the likely problem?
  6. What is the DNS TTL and why does it matter for troubleshooting?

Answers

  1. A record
  2. Discover (client broadcasts looking for a DHCP server) → Offer (server offers an IP lease) → Request (client formally requests that specific offer) → Acknowledge (server confirms the lease)
  3. 403 = Forbidden (you are authenticated but not permitted to access the resource). 401 = Unauthorized (authentication is required and was not provided or failed - misleading name).
  4. PAT (Port Address Translation) / NAT overload. The router translates each private IP:port pair to the public IP with a unique port number, tracking each session in the NAT table.
  5. DNS resolution is failing. The IP-based request bypasses DNS entirely. Check the DNS configuration or try nslookup / dig on the domain.
  6. TTL is how long a DNS record is cached. A low TTL means changes propagate quickly but cause more DNS queries. A high TTL reduces queries but means stale entries linger longer after a change - important when troubleshooting after a DNS update.

6  ·  Connectivity, VPNs & Troubleshooting Tools

Systematic Connectivity Troubleshooting

Step 1 | Physical - check cable, NIC link light, Wi-Fi signal
Step 2 | IP config - ipconfig / ip addr - verify IP/mask/GW/DNS
Step 3 | Loopback - ping 127.0.0.1 - tests the local TCP/IP stack itself
Step 4 | Default gateway - ping 192.168.1.1 - tests the local LAN
Step 5 | External IP - ping 8.8.8.8 - tests routing & internet
Step 6 | DNS - ping google.com or nslookup google.com - tests name resolution
Step 7 | Path - traceroute / tracert - identify where packets stop

Windows Troubleshooting Commands

ipconfig                 # Show IP configuration (all adapters)
ipconfig /all            # Detailed - includes MAC, DHCP server, lease times
ipconfig /release        # Release DHCP lease
ipconfig /renew          # Request new DHCP lease
ipconfig /flushdns       # Clear the local DNS cache

ping 8.8.8.8             # Test ICMP connectivity
ping -t 8.8.8.8         # Continuous ping (Ctrl+C to stop)
ping -n 10 8.8.8.8     # Send exactly 10 packets

tracert google.com       # Trace route hop-by-hop
pathping google.com      # Combined ping + tracert with statistics

nslookup google.com     # DNS lookup
nslookup -type=MX gmail.com  # Query specific record type

arp -a                   # Show ARP table (IP ↔ MAC mappings)
route print             # Show routing table
netstat -ano            # Show all connections and listening ports with the owning PID
netstat -b              # Show which executable owns each connection (needs an elevated prompt)

Linux / macOS Commands

ip addr                  # Show IP addresses (modern Linux)
ip route                 # Show routing table
ifconfig                 # Show IP config (legacy, still common on macOS)

ping -c 4 8.8.8.8       # Send 4 ICMP echo requests
traceroute google.com   # Trace route (Linux/macOS)

dig google.com          # Detailed DNS lookup
dig MX gmail.com        # Query MX records
dig +short google.com  # Just the answer
nslookup google.com     # Simpler DNS lookup

ss -tulpn               # Show listening ports and processes (modern)
netstat -tulpn          # Same, legacy command

arp -n                   # Show ARP table (ip neigh on modern Linux)
curl -I https://example.com  # Show HTTP response headers only
tcpdump -i eth0 -n     # Capture packets on interface eth0 (needs root/sudo)

VPNs - Virtual Private Networks

  • Purpose: create an encrypted tunnel over an untrusted network (the internet), allowing secure communication as if on a private network.
  • Site-to-site VPN: connects two entire networks (e.g., HQ ↔ branch office). Always-on tunnel between routers/firewalls.
  • Remote access VPN: individual device connects to a corporate network. The user's device gets a virtual IP on the remote subnet.
  • Split tunneling: only traffic destined for the remote network goes through the VPN; other traffic goes direct. Reduces VPN load, but the direct traffic bypasses whatever inspection and filtering the corporate path applies.

VPN Protocols

IPsec       | Layer 3. Two modes: Tunnel (encrypts the entire original packet and adds a new IP header; used for site-to-site) vs Transport (encrypts only the payload; original IP header kept). IKEv2 negotiates the keys.
SSL/TLS VPN | Runs over TLS, typically TCP/443 (some products add a DTLS/UDP data channel). Works through firewalls that block everything but HTTPS. Common for remote access (e.g., OpenVPN, Cisco AnyConnect).
WireGuard   | Modern, minimal codebase, fast. Uses UDP. Increasingly replacing OpenVPN in new deployments.
L2TP/IPsec  | L2TP provides the tunnel (Layer 2), IPsec provides encryption. Built into most OSes.
PPTP        | Old, insecure (its MS-CHAPv2 authentication is broken) - should not be used. Only included for historical/exam context.

Proxy Servers

Forward proxy | Sits between clients and the internet. Can filter, cache, and log outbound requests. Clients know about it.
Reverse proxy | Sits in front of servers (e.g., Nginx, HAProxy). Handles load balancing, TLS termination, and caching. Clients don't know the backend servers.

Firewalls

Stateless | Filters based on static rules (src/dst IP, port, protocol). Each packet is evaluated independently - no awareness of connection state.
Stateful  | Tracks the state of active connections (connection table). Allows return traffic for established sessions automatically. More secure.
NGFW      | Next-Generation Firewall - adds deep packet inspection, application awareness, IDS/IPS, and user identity into a stateful firewall.
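An added example (not from the course notes) that serves two passages at once: the TCP flags and three-way handshake from section 4, and the stateless-versus-stateful comparison above. It decodes the flag bits from a raw 20-byte TCP header, then runs one packet sequence through a stateless rule set and a stateful connection tracker side by side: both pass a normal outbound HTTPS handshake and an inbound SYN to the web server, but only the stateful tracker drops an inbound probe that merely carries the ACK bit. All addresses and packets are constructed inline (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; 192.168.1.0/24 is the page's own LAN), and the "inbound port 80 is allowed" policy is an assumption of the demo.

```python
"""Decode TCP flags from a raw header and run the same packet sequence
through a stateless rule set and a stateful connection tracker. Added
example; every address and packet is constructed inline."""
import struct

TCP_HDR = struct.Struct("!HHIIBBHHH")   # sport, dport, seq, ack, offset, flags, win, csum, urg
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
INSIDE = "192.168.1."                   # anything with this prefix is "our" side


def tcp_segment(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header: data offset 5 words, checksum left at zero."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(hdr: bytes) -> dict:
    sport, dport, seq, ack, _, flags, _, _, _ = TCP_HDR.unpack_from(hdr)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def flag_str(flags: int) -> str:
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def stateless_allow(src: str, dst: str, hdr: bytes) -> bool:
    """Per-packet rules only: all outbound; inbound bare SYN to port 80; and
    the classic 'ACK set = established' rule, which cannot tell a genuine
    reply from a crafted probe that simply has the ACK bit set."""
    t = parse_tcp(hdr)
    if src.startswith(INSIDE):
        return True
    if t["dport"] == 80 and t["flags"] & SYN and not t["flags"] & ACK:
        return True
    return bool(t["flags"] & ACK)


class StatefulFirewall:
    """Tracks each flow through the handshake; only packets that fit the
    expected next step of a known flow (or a bare SYN opening one) pass."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> entry

    def allow(self, src: str, dst: str, hdr: bytes) -> bool:
        t = parse_tcp(hdr)
        f = t["flags"]
        outbound = src.startswith(INSIDE)
        key = ((src, t["sport"], dst, t["dport"]) if outbound
               else (dst, t["dport"], src, t["sport"]))
        entry = self.table.get(key)
        if f & RST:                                    # reset tears the flow down
            return self.table.pop(key, None) is not None
        if entry is None:                              # unknown flow
            if f & SYN and not f & ACK and (outbound or t["dport"] == 80):
                self.table[key] = {"from_inside": outbound, "step": 0}   # SYN seen
                return True
            return False            # unsolicited SYN-ACK, ACK probe or data: drop
        from_initiator = (outbound == entry["from_inside"])
        if entry["step"] == 0 and not from_initiator and f == SYN | ACK:
            entry["step"] = 1                          # SYN-ACK seen
            return True
        if entry["step"] == 1 and from_initiator and f & ACK and not f & SYN:
            entry["step"] = 2                          # ESTABLISHED
            return True
        if entry["step"] == 2 and f & ACK:
            return True                                # data or FIN/ACK (teardown not modelled)
        return False


# Constructed sequence: an outbound HTTPS handshake, then hostile probes.
SCENARIO = [
    ("client SYN out",     "192.168.1.10", "203.0.113.5",  tcp_segment(50001, 443, SYN, seq=100)),
    ("server SYN-ACK in",  "203.0.113.5",  "192.168.1.10", tcp_segment(443, 50001, SYN | ACK, seq=900, ack=101)),
    ("client ACK out",     "192.168.1.10", "203.0.113.5",  tcp_segment(50001, 443, ACK, seq=101, ack=901)),
    ("server data in",     "203.0.113.5",  "192.168.1.10", tcp_segment(443, 50001, PSH | ACK, seq=901, ack=101)),
    ("ACK probe to RDP",   "198.51.100.7", "192.168.1.10", tcp_segment(40000, 3389, ACK)),
    ("SYN to RDP",         "198.51.100.7", "192.168.1.10", tcp_segment(40001, 3389, SYN)),
    ("SYN to web server",  "198.51.100.7", "192.168.1.20", tcp_segment(40002, 80, SYN)),
    ("spoofed SYN-ACK in", "198.51.100.7", "192.168.1.10", tcp_segment(40003, 50001, SYN | ACK)),
]


def run_scenario(scenario=SCENARIO) -> dict:
    """label -> (stateless decision, stateful decision)"""
    fw = StatefulFirewall()
    return {label: (stateless_allow(src, dst, hdr), fw.allow(src, dst, hdr))
            for label, src, dst, hdr in scenario}


if __name__ == "__main__":
    for label, (sl, sf) in run_scenario().items():
        print(f"{label:20} stateless={'pass' if sl else 'drop'}  stateful={'pass' if sf else 'drop'}")
```

The two rows where the columns disagree ("ACK probe to RDP" and "spoofed SYN-ACK in") are the answer to review question 5 below: without a connection table, the only way to let replies back in is a rule that keys on flag bits, and attackers can set flag bits.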

Wireless Troubleshooting Notes

  • 2.4 GHz non-overlapping channels: 1, 6, 11 (US). Use these to avoid co-channel interference.
  • 5 GHz: more channels, less interference, shorter range.
  • RSSI (Received Signal Strength Indicator): measure of signal strength. More negative = weaker (e.g., -70 dBm is weaker than -50 dBm).
  • Authentication failures: wrong passphrase, expired certificate (WPA2-Enterprise), or mismatch in security standard.
  • Check DHCP exhaustion if new devices can't get an IP - the pool may be full.

Review Questions

  1. What command shows the ARP cache on Windows? On Linux?
  2. You can ping 8.8.8.8 successfully but cannot load google.com in a browser. What is most likely wrong and what command would you run next?
  3. What does ipconfig /flushdns do and when would you use it?
  4. What is the difference between a site-to-site VPN and a remote access VPN?
  5. A stateless firewall rule permits TCP traffic from any source to port 80. Why might a stateful firewall be preferable here?
  6. What are the non-overlapping channels on the 2.4 GHz band (US), and why does this matter?

Answers

  1. Windows: arp -a. Linux: arp -n or ip neigh
  2. DNS resolution is failing - the device can reach the internet but can't translate domain names to IPs. Run nslookup google.com or dig google.com to verify.
  3. It clears the local DNS resolver cache. Useful when DNS records have changed (e.g., server migration) but the old cached entry is still being used.
  4. Site-to-site connects two full networks permanently (e.g., two offices), handled by router/firewall appliances. Remote access VPN connects a single user's device to a network, typically initiated on-demand by the user.
  5. A stateful firewall records each session in its connection table, so it permits the reply traffic (SYN-ACK, ACK, data) that belongs to a session it has seen and drops unsolicited inbound packets that match no entry, including crafted packets that merely have the ACK bit set. A stateless firewall needs a blanket r
rule for return traffic (typically "allow inbound with ACK set"), which lets such crafted packets through.
  6. Channels 1, 6, and 11 are the only three non-overlapping 20 MHz channels in the US 2.4 GHz band. Using the same or adjacent channels as a neighbor causes co-channel or adjacent-channel interference, reducing throughput.

7  ·  What Actually Matters - Key Takeaways

The mental model - OSI layers for troubleshooting

Use a five-layer hybrid (the TCP/IP model with its Link layer split into Physical and Data Link) bottom-up. Every real-world problem maps to one of these layers - it stops you from chasing DNS when the cable is unplugged.

1  Physical    | Is the cable / signal good?
2  Data Link   | Is the MAC address / switch doing its job?
3  Network     | Is IP routing correct?
4  Transport   | Is the right port open? Is the connection establishing?
5  Application | Is the service itself responding?

IP addressing & subnetting - needs to be automatic

  • CIDR notation, what the prefix length means, how to derive the network address, broadcast address, and usable host range from any prefix.
  • Memorize the private RFC 1918 ranges cold: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
  • Understanding why subnetting exists - traffic segmentation, security boundaries, broadcast domain control - matters more long-term than binary math speed. But the math still needs to be solid.

TCP vs UDP - know when each is appropriate

TCP | Connection-oriented. Three-way handshake (SYN → SYN-ACK → ACK), reliable delivery, ordered, flow-controlled. Used where integrity matters - HTTP, SSH, FTP.
UDP | Fire-and-forget. No handshake, low overhead. Used where speed matters more than perfection - DNS queries, streaming, VoIP, gaming.
Knowing which protocol is involved tells you what kind of problem to look for.

DNS - the system everything depends on

  • Resolution chain: recursive resolver → root → TLD → authoritative.
  • Record types in practical priority order: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail routing), PTR (reverse lookup), NS (delegation).
  • TTL as an operational lever - lower it before migrations so changes propagate quickly.
  • The real skill: isolating "is this DNS or connectivity?" quickly with nslookup or dig.

DHCP - understand the lease lifecycle

  • DORA: Discover → Offer → Request → Acknowledge. Discover and Request are broadcasts; Offer and Acknowledge come from the server.
  • Lease renewal behavior: client tries at 50% of lease time (T1), then at 87.5% (T2).
  • Reservations (MAC-to-IP binding) give devices a stable address without full static config.
  • IP helper addresses forward DHCP broadcasts across subnets so one server can serve multiple VLANs.

NAT - the bridge between private and public

  • PAT (the common form) maps many internal hosts to one public IP via port tracking.
  • The NAT table is what makes return traffic work - if the entry times out or the device reboots, return traffic has nowhere to go.
  • Inbound connections to NATted hosts require explicit port forwarding rules.

Routing fundamentals

  • Static routes: manually configured, predictable, fragile at scale.
  • Dynamic routing protocols (OSPF interior, BGP exterior): know the names and use cases even before you configure them.
  • The default gateway is the "if I don't know where else to send it" rule.
  • TTL is both a routing safety mechanism (drops loops) and the engine behind traceroute.

Troubleshooting tools - daily instruments

ping                 | Layer 3 reachability, round-trip time (ICMP is often filtered - no reply is not proof the host is down)
traceroute / tracert | Path mapping - find where packets stop
nslookup / dig       | DNS verification independent of the browser
netstat / ss         | What's listening, what's connected
ipconfig / ip addr   | Local config sanity check

Ping the gateway              | Fails → local problem
Gateway OK, destination fails | Somewhere in the path
IP works, hostname fails      | DNS
That sequence gets you to the answer faster than reaching for any individual tool first.

IPv6 - know it well enough to work with it

  • 128-bit addresses, colon-hex notation. Two compression rules: drop leading zeros per group; replace the longest consecutive all-zero run with :: once (leftmost on ties).
  • Address types that matter: global unicast (2000::/3, publicly routable), link-local (fe80::/10, auto-configured, non-routable, always present on every interface), loopback (::1).
  • No broadcast - replaced by multicast. No NAT needed at scale.
  • Dual-stack is the real-world transition reality - most production networks run both IPv4 and IPv6 simultaneously.

The bigger picture

Networks are layered systems and every problem has a layer. Verify each layer before assuming the problem is higher up. That instinct - checking bottom-up systematically before jumping to conclusions - is worth more than memorizing any individual fact on this list.