TCP/IP Model (4 Layers)

TCP vs UDP

3-Way Handshake: SYN → SYN-ACK → ACK. Connection teardown: FIN → FIN-ACK → FIN → ACK.

Encapsulation (Top-Down)

• L7-5 (Application data) → just Data
• L4 (Transport) → adds TCP/UDP header → Segment
• L3 (Network) → adds IP header (src/dst IP) → Packet
• L2 (Data Link) → adds MAC header + trailer → Frame
• L1 (Physical) → converts to bits → Bits

Decapsulation = reverse (bottom-up) at the receiving end.

Network Device Layers

• Hub — Layer 1. Dumb repeater. Broadcasts to all ports. NEVER use.
• Switch — Layer 2. Forwards by MAC address. Builds MAC table.
• Router — Layer 3. Forwards by IP address. Separates broadcast domains.
• Multilayer Switch — Layer 3. Switches + routes. Inter-VLAN routing via SVI.
• Firewall — Layer 3–7. Inspects packets/sessions/applications.
• WAP — Layer 2. Wireless access point. Connects wireless to wired.
• IDS/IPS — Layer 3–7. Detects/prevents intrusions inline or passively.

Private IP Ranges (RFC 1918)

APIPA: 169.254.0.0/16 — auto-assigned when DHCP fails. Not routable.

Loopback: 127.0.0.0/8 — 127.0.0.1 = localhost.

Subnetting Formula

• Hosts per subnet = 2^{host bits} − 2
• Subnets = 2^{borrowed bits}
• Block size = 256 − last octet of mask
• Network address = first address (host bits all 0)
• Broadcast = last address (host bits all 1)
• Usable hosts = Network+1 to Broadcast−1

Example /26: Block=64. Subnets: .0, .64, .128, .192. Each has 62 hosts.

IPv6 Basics

• 128-bit address, written as 8 groups of 4 hex digits
• Consecutive zero groups → compressed with :: (once only)
• Leading zeros in each group can be omitted
• Global Unicast — 2000::/3 — routable on internet
• Link-local — FE80::/10 — auto-configured, non-routable
• Loopback — ::1/128 — equivalent to 127.0.0.1
• Multicast — FF00::/8 — replaces IPv4 broadcast
• EUI-64 — generates host portion from 48-bit MAC address
• No NAT needed — every device gets a global address

VLSM — Variable Length Subnet Masking

• Allocate subnet sizes based on need — no wasted addresses
• Start with the largest subnet requirement first
• Work from the highest address block down
• P2P links typically use /30 (2 hosts) or /31
• Loopbacks use /32 (host routes)
• Required by all classless routing protocols (OSPF, EIGRP, BGP)

OSPF Key Concepts

• Link-state — each router has full topology map
• Cost = 10⁸ / bandwidth (lower = better path)
• Area 0 — backbone; all non-backbone areas connect to it
• DR/BDR — elected on multi-access networks to reduce LSA flooding
• Hello packets — discover neighbors (default: 10s Ethernet, 30s NBMA)
• Dead interval — 4× hello interval; neighbor declared down if missed
• Router ID — highest IP on loopback; or highest active interface IP
• States: Down → Init → 2-Way → ExStart → Exchange → Loading → Full
• Packet types: Hello, DBD, LSR, LSU, LSAck

Static Routing

• Default route: ip route 0.0.0.0 0.0.0.0 [next-hop]
• Floating static: higher AD than dynamic route — acts as backup
• Next-hop: IP of the next router's interface
• Exit interface: specify outgoing interface instead of next-hop
• Static routes AD = 1 (more trusted than any IGP)

Longest Prefix Match

• Router always picks the most specific route (longest prefix/highest mask)
• /30 beats /24 beats /16 beats /8 beats 0.0.0.0/0
• If no match → uses default route (0.0.0.0/0)

Inter-VLAN Routing

• Router-on-a-Stick — single router port + subinterfaces per VLAN + trunk to switch
• Multilayer Switch SVI — Switch Virtual Interface per VLAN; ip routing enabled
• Layer 3 EtherChannel — SVI + port-channel interface for redundant links

Router-on-a-Stick config: int G0/0.10 → encapsulation dot1Q 10 → ip address

show ip route Legend

• C — Connected (directly connected network)
• L — Local (host route for router's own interface)
• S — Static route
• O — OSPF
• D — EIGRP
• R — RIP
• B — BGP
• * — Candidate default route

VLANs & Trunking

• VLAN — logical broadcast domain; Layer 2 segmentation
• Access port — carries ONE VLAN; switchport mode access
• Trunk port — carries MULTIPLE VLANs; 802.1Q tags frames
• Native VLAN — untagged on trunk (default VLAN 1; change it!)
• VTP — Cisco proprietary VLAN sync (be careful — can wipe VLANs)
• 802.1Q tag — 4-byte tag inserted in Ethernet frame (12-bit VLAN ID)
• VLAN range: 1-4094 (1 = default; 1002-1005 = legacy; 2-1001 = normal)
• Extended VLANs: 1006-4094 (require VTP transparent or off)

EtherChannel

• Bundles multiple physical links into ONE logical link
• STP sees it as single interface — no blocking
• LACP (802.3ad) — IEEE standard; mode active/passive
• PAgP — Cisco proprietary; mode desirable/auto
• Static (On) — no negotiation; both sides must be mode on
• All ports must match: speed, duplex, VLAN config, trunk mode
• Load balancing by: src-mac, dst-mac, src-dst-mac, src-ip, dst-ip

Switch MAC Table

• Switch learns MACs from source address of incoming frames
• Forwards to known MAC; floods unknown unicast to all ports
• MAC table ages out (default 300s)
• MAC flooding attack — fill MAC table → switch acts like hub
• Port security — limit MACs per port; violation: protect/restrict/shutdown
• show mac address-table — view MAC table

FHRP — First Hop Redundancy

HSRP priority: default 100. Higher wins active role. preempt allows higher-priority router to take over.

ACL Types

• Standard ACL (1-99, 1300-1999) — match src IP only; place close to destination
• Extended ACL (100-199, 2000-2699) — match src/dst IP, port, protocol; place close to source
• Named ACLs — more flexible; can delete individual entries
• ACL processed top-down; first match wins
• Implicit deny any at end of every ACL
• Apply per interface per direction (in or out)
• Wildcard mask = inverse of subnet mask (0=match, 1=any)

Layer 2 Security

• Port Security — limits MACs per port; violation: protect/restrict/shutdown
• DHCP Snooping — filters DHCP messages; allows offers only from trusted ports
• DAI (Dynamic ARP Inspection) — validates ARP against DHCP snooping binding table; prevents ARP spoofing
• 802.1X — port-based NAC; requires authentication before network access
• BPDU Guard — shuts port if STP BPDU received on Portfast port
• Root Guard — prevents unauthorized root bridge election on a port

VPN & Remote Access

• IPsec — Layer 3 encryption framework; uses AH + ESP protocols
• IKE Phase 1 — establishes ISAKMP SA; negotiates encryption/auth
• IKE Phase 2 — establishes IPsec SA; encrypts data traffic
• GRE over IPsec — tunnel IP multicast + routing protocols over IPsec
• DMVPN — dynamic multipoint VPN; spoke-to-spoke tunnels
• SSL/TLS VPN — clientless; web browser-based; easier for remote users
• Site-to-Site VPN — connects two networks permanently
• Remote Access VPN — individual user connects to corporate network

Wireless Security

SAE (Simultaneous Authentication of Equals) replaces PSK in WPA3 — prevents offline dictionary attacks.