Network Fundamentals: Domain 1 (20% of the exam)
Topology · Cabling · Switching · Virtualization

Network Device Roles

Know what each device does, which OSI layer it operates at, and when to use it. Exam topic 1.1.

Routers
Layer 3 — IP packet forwarding between networks

Routers connect different IP networks together. Forwarding decisions are based on the destination IP address and the routing table. Each interface sits on a different subnet.

OSI Layer: Layer 3 (Network)
PDU: Packet
Decision basis: Destination IP → routing table
Breaks: Broadcast domains ✓ and collision domains ✓
Default gateway: Hosts send off-subnet traffic to their router's IP
Inter-VLAN: Router-on-a-stick or Layer 3 switch SVI

Layer 2 vs Layer 3 Switches
LAN switching with optional routing capability

L2 Switch: Forwards frames by MAC address (CAM table)
L2 breaks: Collision domains ✓ — broadcast domains ✗
L3 Switch: Can route between VLANs using SVIs or routed ports
SVI: Switched Virtual Interface — a virtual L3 interface per VLAN
ip routing: Must be enabled on an L3 switch before it routes between VLANs
Use case: L3 switch = faster inter-VLAN routing than router-on-a-stick
Exam tip: Hub = L1 (repeats all). Switch = L2 (forwards by MAC). Router = L3 (routes by IP).
Next-Gen Firewalls & IPS
Security inspection at multiple OSI layers

Traditional firewalls filter by IP/port. NGFWs add deep packet inspection, application awareness, user identity, and integrated IPS.

Stateful FW: Tracks connection state — allows return traffic
NGFW: App-aware, user-aware, SSL inspection
IDS: Intrusion Detection — monitors and alerts, passive
IPS: Intrusion Prevention — inline, actively blocks traffic
Cisco ASA: Traditional stateful firewall platform
Cisco FTD: Firepower Threat Defense — NGFW + IPS combined
PoE — Power over Ethernet
Deliver electrical power via Ethernet cable

PoE eliminates separate power adapters for IP phones, APs, and IP cameras by delivering power through Cat5e/Cat6 cables.

IEEE 802.3af: PoE — up to 15.4 W per port
IEEE 802.3at: PoE+ — up to 30 W per port
IEEE 802.3bt: PoE++ — up to 60 W or 100 W per port
PSE: Power Sourcing Equipment — the switch
PD: Powered Device — phone, AP, camera
show power inline: Check PoE budget and per-port draw

Network Topology Architectures

Exam topic 1.2 — know the purpose and characteristics of each design.

Campus LAN

Two-Tier (Collapsed Core)

Core and Distribution layers are merged into one. Access switches connect directly to this layer. Used in smaller campus networks where cost matters more than scalability.

[Distribution / Core]
↑↑↑↑↑↑
[Access Switches]
↑↑↑↑↑↑
[End Devices]
Pros: Simple, lower cost
Cons: Less scalable, single congestion point
Enterprise

Three-Tier (Hierarchical)

Dedicated Core, Distribution, and Access layers. Core = high-speed backbone with no policy. Distribution = ACLs, routing, QoS. Access = end-user ports.

[Core — Fast backbone]
↑↑↑↑
[Distribution — Policy]
↑↑↑↑
[Access — Users]
Core rule: No ACLs/QoS — just fast forwarding
Dist role: STP boundary, inter-VLAN routing, ACLs
Data Centre

Spine-Leaf

Every Leaf connects to every Spine. No Leaf-to-Leaf or Spine-to-Spine links. Predictable latency — always exactly 2 hops. Scales horizontally by adding Leaf switches.

[Spine 1]———[Spine 2]
↑↑ ↑↑ ↑↑ ↑↑
[Leaf][Leaf][Leaf][Leaf]
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
[Servers / VMs]
Max hops: Always 2 (leaf → spine → leaf)
Scale: Add leaf switches to increase port count
Wide Area

WAN Topologies

Connect geographically separate sites. Design choices balance redundancy, bandwidth, and cost.

Point-to-point: Direct dedicated link between two sites
Hub-and-spoke: Central hub, branches connect only to the hub
Full mesh: Every site connects to every other — most resilient
Partial mesh: Some redundant links — balance of cost and resilience
MPLS: Provider-managed WAN with label-switched paths
SD-WAN: Software-defined overlay on any WAN transport
Home / Branch

SOHO

Small Office/Home Office — one all-in-one device (router + switch + WAP + firewall) connects users to the internet via broadband.

Device: Integrated home router / CPE
WAN: Cable, DSL, fibre ONT, LTE/5G
NAT: Single public IP shared via PAT/overload
DHCP: Router acts as DHCP server for the LAN
Modern

On-Premises vs Cloud

On-prem: company owns all hardware in its own DC. Cloud: resources hosted by a provider (AWS, Azure, GCP).

IaaS: VMs, storage, networking on demand
PaaS: Runtime, DB, middleware as a service
SaaS: Complete app — Office 365, Salesforce
Hybrid cloud: On-prem + cloud resources integrated
Cisco Meraki: Cloud-managed switches, APs, firewalls

Physical Interfaces & Cabling

Exam topics 1.3 and 1.4 — cabling types, distances, speeds, and interface errors.

Copper Ethernet — UTP Categories
Category | Speed | Bandwidth | Max Distance
Cat 5 | 100 Mbps | 100 MHz | 100 m — legacy
Cat 5e | 1 Gbps | 100 MHz | 100 m — most common
Cat 6 | 1 / 10 Gbps* | 250 MHz | 100 m (1G) / 55 m (10G)
Cat 6a | 10 Gbps | 500 MHz | 100 m — augmented
Cat 8 | 25–40 Gbps | 2000 MHz | 30 m — data centre
Exam tip: 100m is the standard max for copper Ethernet. Cat 5e minimum for GigE. Cat 6a required for 10GbE at full 100m.
Fiber Optic
Multimode (MMF)
Core: 50 or 62.5 µm
Light: LED / VCSEL
Jacket: Orange or Aqua
Distance: Up to ~550 m (OM4)
Use: Within buildings / DCs

Single-Mode (SMF)
Core: 8–10 µm (very thin)
Light: Laser
Jacket: Yellow
Distance: Up to 100 km+
Use: WAN / campus backbone
Memory trick: Single-mode = one path of light = thin core = very long distance. Multimode = multiple paths = thicker core = shorter distance.
Copper Cable Types
Straight-through: Unlike devices (PC→Switch, Router→Switch)
Crossover: Like devices (Switch→Switch, PC→PC)
Rollover: Console cable — laptop serial port to device console
Auto-MDIX: Modern switches auto-detect the cable type
Auto-MDIX means crossover cables are rarely needed today — but you still need to know the theory for the CCNA exam.
Interface Errors & Troubleshooting
Error | Cause | Fix
CRC errors | Bad cable, EMI, duplex mismatch | Replace cable / fix duplex
Late collisions | After 512 bits — almost always duplex mismatch | Fix duplex mismatch
Giants | Frames over 1518 bytes | Check MTU settings
Runts | Frames under 64 bytes — collision fragment | Fix duplex / cable
Output drops | TX queue full — congestion | Apply QoS / upgrade link
Duplex mismatch: CRC errors + late collisions + rising input errors = one side full-duplex, other half-duplex. Fix: set both sides to full-duplex manually.
# Check errors
SW1# show interfaces GigabitEthernet0/1
# Fix duplex
SW1(config-if)# duplex full
SW1(config-if)# speed 1000
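The duplex-mismatch signature above turned into a check over a constructed `show interfaces` excerpt (an added example, not part of the original page; the counter names follow the IOS output layout and every number is made up):

```python
import re

# Constructed excerpt modelled on the error counters in a Cisco IOS
# "show interfaces" display; the numbers are made up for this example.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet0/1 is up, line protocol is up
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  MTU 1500 bytes
     1021 input errors, 1021 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 389 late collision, 0 deferred
     0 runts, 0 giants, 0 throttles
     Total output drops: 12
"""

# Counters the Interface Errors table keys on, and the regexes that pull them out.
PATTERNS = {
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "late_collisions": r"(\d+) late collision",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "output_drops": r"Total output drops: (\d+)",
}

def parse_counters(text):
    """Return the error counters (and negotiated duplex) found in the output."""
    counters = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else 0
    m = re.search(r"(Full|Half)-duplex", text)
    counters["duplex"] = m.group(1).lower() if m else "unknown"
    return counters

def diagnose(counters):
    """Map counters to the likely causes and fixes listed in the error table."""
    findings = []
    # CRC errors together with late collisions is the duplex-mismatch signature.
    if counters["crc"] and counters["late_collisions"]:
        findings.append("duplex mismatch: set both sides to full-duplex")
    elif counters["crc"]:
        findings.append("CRC errors: replace cable / check for EMI")
    if counters["runts"]:
        findings.append("runts: collision fragments, fix duplex / cable")
    if counters["giants"]:
        findings.append("giants: frames over 1518 bytes, check MTU")
    if counters["output_drops"]:
        findings.append("output drops: congestion, apply QoS or upgrade link")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_counters(SAMPLE_SHOW_INTERFACES)):
        print("-", finding)
```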

Switching Concepts

Exam topic 1.13 — MAC learning, aging, frame switching modes, and flooding.

MAC Learning & Aging
How a switch builds its CAM table

When a frame arrives, the switch reads the source MAC and records it with the ingress port. This is MAC learning — it builds the Content Addressable Memory (CAM) table.

Learn: Frame arrives on Fa0/1 with src MAC AA:BB → switch adds AA:BB → Fa0/1 to CAM.
Forward: Dst MAC in CAM → send frame only to that port.
Flood: Dst MAC not in CAM → send to all ports except source.
Age: Entries not refreshed for 300 seconds are removed.
Default aging: 300 seconds (5 minutes)
CAM overflow: Table full → all frames flooded (MAC flood attack)

show mac address-table
show mac address-table dynamic
clear mac address-table dynamic
Frame Switching Modes
Store-and-Forward

Receives entire frame, checks FCS, then forwards. Filters corrupt frames. Adds latency. Default on modern Cisco switches.

Cut-Through

Reads only the first 6 bytes (dst MAC) then forwards immediately. Very low latency but forwards corrupt frames — no FCS check.

Fragment-Free

Reads first 64 bytes then forwards. Filters runts (collision fragments). Compromise between the other two modes.

Frame Flooding
Unicast flood: Unknown dst MAC — not in CAM table
Broadcast: Always flooded — dst FF:FF:FF:FF:FF:FF
Multicast: Flooded unless IGMP snooping is enabled
MAC flood attack: Fill CAM table → all traffic flooded → attacker sniffs
Mitigation: Port Security — limit MACs per port
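An added example, not from the original page: a toy switch modelling the learn/forward/flood/age cycle above together with the two items at the end of the Frame Flooding list, a full CAM table and the port-security per-port limit. Port names, MAC addresses and the tiny table size are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Toy Layer 2 switch built around the CAM table behaviour described above.

    cam_size models a finite CAM table (real tables hold thousands of entries);
    max_macs_per_port models the port-security limit listed under Mitigation,
    with the default 'shutdown' violation action.
    """
    def __init__(self, ports, cam_size=4, aging=300, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                    # mac -> (port, last_seen)
        self.cam_size = cam_size
        self.aging = aging               # seconds; 300 is the IOS default
        self.max_macs = max_macs_per_port
        self.err_disabled = set()        # ports shut down by port security
        self.floods = 0

    def _age_out(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[mac]

    def _port_security_ok(self, port, src):
        if self.max_macs is None:
            return True
        on_port = {m for m, (p, _) in self.cam.items() if p == port}
        if src in on_port or len(on_port) < self.max_macs:
            return True
        self.err_disabled.add(port)      # violation -> err-disable the port
        return False

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the egress ports ([] means dropped)."""
        if in_port in self.err_disabled:
            return []
        self._age_out(now)
        if not self._port_security_ok(in_port, src):
            return []
        # Learn: record the source MAC against the ingress port (or refresh it).
        # When the table is full, new MACs are simply not learned.
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, now)
        # Forward to the known port, otherwise flood everywhere except the ingress.
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst][0]]
        self.floods += 1
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]
```

Once more MACs than `cam_size` have been seen, frames to every later-arriving host are flooded, which is the MAC-flood condition above; with `max_macs_per_port` set, the second MAC on a port err-disables it instead.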
Switch vs Hub vs Router Summary
Device | OSI Layer | Broadcast Domain | Collision Domain | Forwarding
Hub | L1 | 1 shared | 1 shared | Repeats all bits
Switch | L2 | 1 per switch | 1 per port ✓ | MAC address
Router | L3 | 1 per interface ✓ | 1 per interface ✓ | IP address

Virtualization Fundamentals

Exam topic 1.12 — server virtualization, containers, and VRFs.

Server Virtualization & Hypervisors

A hypervisor abstracts physical hardware and lets multiple VMs share one server. Each VM has its own OS, virtual CPU, RAM, and virtual NICs.

Type 1 — Bare Metal

Runs directly on hardware. No host OS. Most efficient. Examples: VMware ESXi, Hyper-V, KVM.

Type 2 — Hosted

Runs on top of a host OS. Less efficient. Examples: VirtualBox, VMware Workstation. Labs and dev use.

vNIC: Virtual NIC — each VM has its own MAC
vSwitch: Virtual switch inside the hypervisor that connects VMs
vMotion: Live VM migration between hosts without downtime
Containers vs VMs
Feature | VMs | Containers
OS | Full guest OS each | Share host kernel
Size | GBs | MBs
Startup | Minutes | Seconds / ms
Isolation | Strong (full OS) | Process-level
Use case | Full OS, legacy apps | Microservices, CI/CD

Docker: Most popular container runtime
Kubernetes: Orchestration — manages container clusters
VRF — Virtual Routing and Forwarding

VRF creates multiple completely isolated routing tables on a single router. Traffic in one VRF cannot reach another without explicit inter-VRF routing.

Analogy: Like VLANs — but for routing tables
Use case: Multi-tenant networks, MPLS VPNs, overlapping IPs
VRF-Lite: VRF without MPLS — simpler enterprise use
Default VRF: Global routing table for interfaces not in any VRF

# Create VRF and assign interface
R1(config)# ip vrf CUSTOMER-A
R1(config-vrf)# rd 100:1
# (then, in interface configuration mode)
R1(config-if)# ip vrf forwarding CUSTOMER-A
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1# show ip route vrf CUSTOMER-A
NFV — Network Function Virtualization

NFV moves traditional network appliances (firewalls, routers, load balancers) from dedicated hardware onto VMs or containers running on standard servers.

VNF: Virtual Network Function — software appliance
Examples: Virtual router, virtual firewall, virtual IPS
Benefit: Faster deployment, elastic scaling, lower cost
SDN + NFV: SDN controls the network programmatically; NFV virtualises the network appliances themselves. Often used together in modern DC and WAN designs.

Verifying IP on Client Operating Systems

Exam topic 1.10 — verify IP address, subnet mask, gateway, and DNS on Windows, macOS, and Linux.

🪟 Windows
# Basic IP info
ipconfig
  IPv4: 192.168.1.50   Mask: 255.255.255.0   GW: 192.168.1.1
# Full detail (DNS, DHCP, MAC)
ipconfig /all
# DHCP release / renew
ipconfig /release
ipconfig /renew
# Flush DNS cache
ipconfig /flushdns
# Routing table
route print
netstat -r
# Test connectivity
ping 8.8.8.8
tracert 8.8.8.8
🍎 macOS
# Interface info
ifconfig en0
  inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
# Get IP only
ipconfig getifaddr en0
# Default gateway
netstat -rn | grep default
route -n get default
# DNS servers
scutil --dns
cat /etc/resolv.conf
# Test connectivity
ping -c 4 8.8.8.8
traceroute 8.8.8.8
🐧 Linux
# Modern (iproute2)
ip addr show eth0
  inet 192.168.1.50/24
# Routing table
ip route show
  default via 192.168.1.1
# DNS
cat /etc/resolv.conf
  nameserver 8.8.8.8
# Legacy commands
ifconfig eth0
route -n
# Test connectivity
ping -c 4 8.8.8.8
traceroute 8.8.8.8
Systematic Connectivity Troubleshooting — Bottom-Up OSI
L1 Physical: Cable plugged in? Link light on? No CRC errors?
L2 Data Link: Right VLAN? Trunk configured? STP blocking?
L3 Network: Correct IP/mask/GW? Can ping gateway? Route in table?
L4 Transport: Firewall/ACL blocking the port?
L7 Application: DNS resolving? Service running? Correct credentials?
Key ping sequence: ping 127.0.0.1 (stack OK) → ping own IP (NIC OK) → ping gateway (L3 path OK) → ping remote IP (routing OK) → ping by hostname (DNS OK)
TCP/IP Model vs OSI Model
How the two reference models map to each other

The OSI model is a 7-layer theoretical framework used for understanding and troubleshooting. The TCP/IP model is the 4-layer practical model that modern networks actually implement. Cisco exams expect you to map between both and know which protocols live at each layer.

OSI Layer | Name | TCP/IP Layer | PDU | Key Protocols | Cisco Device
7 | Application | Application | Data | HTTP, HTTPS, FTP, DNS, DHCP, SSH, Telnet, SNMP | -
6 | Presentation | Application | Data | SSL/TLS, JPEG, ASCII | -
5 | Session | Application | Data | NetBIOS, RPC, SIP | -
4 | Transport | Transport | Segment | TCP, UDP | Firewall (port)
3 | Network | Internet | Packet | IP, ICMP, OSPF, EIGRP, BGP | Router, L3 Switch
2 | Data Link | Network Access | Frame | Ethernet, 802.11, PPP, HDLC, ARP | Switch, Bridge
1 | Physical | Network Access | Bits | Cables, RJ-45, SFP, radio waves | Hub, Repeater
Exam tip: "Please Do Not Throw Sausage Pizza Away" = Physical, Data Link, Network, Transport, Session, Presentation, Application (bottom to top).
Ethernet Frame Structure
Layer 2 PDU fields and sizes

Every Ethernet frame wraps a payload with addressing and error-checking fields. Understanding the frame helps with troubleshooting CRC errors, MTU issues, and 802.1Q tagging.

PREAMBLE 7B | SFD 1B | DST MAC 6B | SRC MAC 6B | TYPE/LEN 2B | PAYLOAD (DATA) 46–1500B | FCS/CRC 4B

Min frame size: 64 bytes (incl. FCS)
Max frame size: 1518 bytes (1522 with 802.1Q tag)
Jumbo frames: Up to 9000 bytes (non-standard)
FCS purpose: CRC error detection — frame discarded if mismatch
EtherType 0x0800: IPv4 payload
EtherType 0x86DD: IPv6 payload
EtherType 0x0806: ARP
EtherType 0x8100: 802.1Q VLAN tag
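An added example (not part of the original page) that builds frames with the field layout above, computes the FCS, and parses them back, flagging runts, giants, 802.1Q tags and FCS mismatches the way a store-and-forward switch would; the MAC addresses and payloads are constructed.

```python
import struct
import zlib

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_8021Q = 0x0800, 0x0806, 0x8100
MIN_FRAME = 64          # bytes, including the FCS
MAX_FRAME = 1518        # 1522 when an 802.1Q tag is present

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build DST|SRC|[802.1Q tag]|TYPE|PAYLOAD|FCS. Preamble and SFD are omitted:
    they are line synchronisation, not part of the frame a switch stores or checks."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        # Tag = TPID 0x8100 + TCI (PCP 3 bits, DEI 1 bit, VID 12 bits); PCP/DEI left at 0.
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    header += struct.pack("!H", ethertype)
    body = header + payload.ljust(46, b"\x00")        # pad up to the 46-byte minimum payload
    # FCS = IEEE CRC-32 over DST MAC .. end of payload, sent least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_frame(frame):
    """Decode a frame and record what a store-and-forward switch would count against it:
    runt, giant, or an FCS mismatch (the frame is dropped and the CRC counter increments)."""
    if len(frame) < 18:
        return {"ok": False, "errors": ["runt"]}
    info = {"errors": ["runt"] if len(frame) < MIN_FRAME else []}
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    info["dst"], info["src"], offset = mac_str(dst), mac_str(src), 14
    if tpid == ETHERTYPE_8021Q:                       # tagged: TCI, then the real EtherType
        tci, info["ethertype"] = struct.unpack("!HH", frame[14:18])
        info["vlan"], offset = tci & 0x0FFF, 18
    else:
        info["vlan"], info["ethertype"] = None, tpid
    if len(frame) > MAX_FRAME + (4 if info["vlan"] is not None else 0):
        info["errors"].append("giant")
    info["payload"] = frame[offset:-4]
    if zlib.crc32(frame[:-4]) & 0xFFFFFFFF != struct.unpack("<I", frame[-4:])[0]:
        info["errors"].append("fcs_mismatch")
    info["ok"] = not info["errors"]
    return info
```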
ARP — Address Resolution Protocol
Mapping IPv4 addresses to MAC addresses

Before a device can send a frame, it must know the MAC address of the next-hop destination. ARP resolves an IP address to a MAC address on the local network segment.

ARP Process (4 steps):
1. Sender checks ARP cache — if entry found, use it
2. If not found → sends ARP Request as broadcast (FF:FF:FF:FF:FF:FF)
3. Target with matching IP replies with ARP Reply (unicast) containing its MAC
4. Sender caches the MAC:IP mapping (typically 4-hour TTL)
ARP Request: Broadcast — all devices on the segment receive it
ARP Reply: Unicast — sent only to the requester
Gratuitous ARP: Device ARPs for its own IP — announces presence, detects conflicts
Proxy ARP: Router replies on behalf of a host in another subnet
ARP Spoofing: Attacker poisons ARP cache — mitigated by DAI

View ARP Cache

! Router
R1# show arp
Protocol  Address    Age  Hardware Addr   Type  Interface
Internet  10.0.0.1   —    aabb.cc00.0100  ARPA  Gi0/0
Internet  10.0.0.10  3    0050.7966.6800  ARPA  Gi0/0
! Windows PC
C:\> arp -a
! Linux/Mac
$ arp -n
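The 4-step ARP process simulated on one segment, as an added example that is not part of the original page: hosts, addresses and timestamps are constructed, and the cache keeps the 4-hour TTL quoted above. It also covers two anomaly cases from the table, a gratuitous ARP revealing a duplicate address and a mapping that changes while still cached.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_TTL = 4 * 3600                      # the 4-hour cache lifetime quoted above

class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.cache = {}                 # ip -> (mac, learned_at)
        self.alerts = []                # duplicate addresses and unexpected MAC changes

    def _learn(self, ip, mac, now):
        # Step 4: cache the mapping. A MAC change for a still-valid entry is the
        # symptom of the cache poisoning that DAI is deployed to stop.
        old = self.cache.get(ip)
        if old and old[0] != mac and now - old[1] < ARP_TTL:
            self.alerts.append(f"MAC for {ip} changed {old[0]} -> {mac}")
        self.cache[ip] = (mac, now)

    def handle(self, pkt, now):
        """Process one ARP packet; return a reply packet or None."""
        if pkt["sip"] == self.ip and pkt["smac"] != self.mac:
            # Gratuitous ARP for our own address from another MAC: duplicate IP.
            self.alerts.append(f"IP conflict: {self.ip} also claimed by {pkt['smac']}")
            return None
        if pkt["tip"] != self.ip:
            return None                 # a request for somebody else; ignore it
        self._learn(pkt["sip"], pkt["smac"], now)
        if pkt["op"] == "request":      # Step 3: unicast reply carrying our MAC
            return {"dst": pkt["smac"], "op": "reply", "smac": self.mac, "sip": self.ip,
                    "tmac": pkt["smac"], "tip": pkt["sip"]}
        return None

class Segment:
    """One broadcast domain: a broadcast reaches every other host, a unicast one host."""
    def __init__(self, hosts):
        self.hosts = {h.mac: h for h in hosts}

    def send(self, pkt, now):
        if pkt["dst"] == BROADCAST:
            targets = [h for h in self.hosts.values() if h.mac != pkt["smac"]]
        else:
            targets = [self.hosts[pkt["dst"]]] if pkt["dst"] in self.hosts else []
        return [reply for reply in (h.handle(pkt, now) for h in targets) if reply]

def resolve(host, segment, ip, now):
    """Steps 1-4: cache check, broadcast request, unicast reply, cache update.
    Returns (mac, how) where how is 'cache', 'request' or 'no reply'."""
    cached = host.cache.get(ip)
    if cached and now - cached[1] < ARP_TTL:            # Step 1: fresh cache hit
        return cached[0], "cache"
    request = {"dst": BROADCAST, "op": "request", "smac": host.mac, "sip": host.ip,
               "tmac": "00:00:00:00:00:00", "tip": ip}  # Step 2: broadcast the request
    for reply in segment.send(request, now):
        segment.send(reply, now)                        # delivered unicast to the requester
    cached = host.cache.get(ip)
    if cached and now - cached[1] < ARP_TTL:
        return cached[0], "request"
    return None, "no reply"
```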
DHCP — Dynamic Host Configuration Protocol
DORA: Discover → Offer → Request → Acknowledge

DHCP automates IP configuration. A client broadcasts to find a server, which offers an IP lease. The 4-way DORA handshake must complete before the client can communicate on the network.

D — DISCOVER: Client broadcasts to 255.255.255.255 looking for any DHCP server
O — OFFER: Server offers IP address, mask, gateway, DNS, lease time
R — REQUEST: Client broadcasts acceptance of the offered address
A — ACKNOWLEDGE: Server confirms the lease; client configures its interface

DHCP port: UDP 67 (server), UDP 68 (client)
DHCP relay: ip helper-address — forwards broadcasts to the server across a router
APIPA fallback: 169.254.x.x/16 — client self-assigns when no server is found
Lease renewal: Client attempts renewal at 50% of lease time (T1)

DHCP Server on Router

R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp pool LAN_POOL
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 8.8.8.8
R1(dhcp-config)# lease 7
! Relay on interface closest to clients:
R1(config-if)# ip helper-address 10.0.0.5
! Verify:
R1# show ip dhcp binding
R1# show ip dhcp pool
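The DORA exchange run end to end with real DHCP message encoding, as an added example (not from the original page): the server side mirrors the router pool configured above, while the client MACs, the transaction ID and the server identifier are constructed. Option codes used: 53 message type, 50 requested address, 54 server identifier, 1 subnet mask, 3 router, 6 DNS, 51 lease time.

```python
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie after the 236-byte BOOTP header
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 (message type) values

def a4(dotted):
    return ipaddress.IPv4Address(dotted).packed  # dotted-quad -> 4 network-order bytes

def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", opts=()):
    """Encode one DHCP message: BOOTP fixed header, magic cookie, options, end marker."""
    # BOOTREQUEST from the client with the broadcast flag set; BOOTREPLY from the server.
    op, flags = (1, 0x8000) if msg_type in (DISCOVER, REQUEST) else (2, 0)
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, flags,
                        b"\0" * 4, a4(yiaddr), b"\0" * 4, b"\0" * 4,
                        bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type]) + b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return fixed + MAGIC + options + b"\xff"

def parse(data):
    """Decode xid, client MAC, the 'your address' field and the option map."""
    xid, hlen = struct.unpack("!I", data[4:8])[0], data[2]
    assert data[236:240] == MAGIC
    opts, i = {}, 240
    while data[i] != 255:                       # options are TLV until the 0xff end marker
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return {"xid": xid, "chaddr": ":".join(f"{b:02x}" for b in data[28:28 + hlen]),
            "yiaddr": str(ipaddress.IPv4Address(data[16:20])), "type": opts.pop(53)[0], "opts": opts}

class Server:
    """The router pool configured above: 192.168.1.0/24 with .1-.10 excluded,
    default-router .1, dns-server 8.8.8.8, lease 7 days; server identifier .1 is assumed."""
    def __init__(self):
        net = ipaddress.IPv4Network("192.168.1.0/24")
        excluded = {str(ipaddress.IPv4Address("192.168.1.1") + k) for k in range(10)}
        self.free = [str(h) for h in net.hosts() if str(h) not in excluded]
        self.bindings = {}                      # chaddr -> address offered / leased
        self.params = [(1, net.netmask.packed), (3, a4("192.168.1.1")), (6, a4("8.8.8.8")),
                       (51, struct.pack("!I", 7 * 86400)), (54, a4("192.168.1.1"))]

    def handle(self, data):
        m = parse(data)
        if m["type"] == DISCOVER:               # O: offer the lowest free non-excluded address
            if m["chaddr"] not in self.bindings:
                self.bindings[m["chaddr"]] = self.free.pop(0)
            return build(OFFER, m["xid"], m["chaddr"], self.bindings[m["chaddr"]], self.params)
        ip = self.bindings.get(m["chaddr"])
        if m["type"] == REQUEST and ip and m["opts"].get(50) == a4(ip):
            return build(ACK, m["xid"], m["chaddr"], ip, self.params)   # A: lease confirmed
        return None

def dora(server, mac, xid=0x3903F326):
    """Client side of D -> O -> R -> A; returns (ip, mask, gateway, dns, lease_seconds)."""
    offer = parse(server.handle(build(DISCOVER, xid, mac)))              # D, then O
    request = build(REQUEST, xid, mac, opts=[(50, a4(offer["yiaddr"])), (54, offer["opts"][54])])
    ack = parse(server.handle(request))                                  # R, then A
    o = ack["opts"]
    return (ack["yiaddr"], str(ipaddress.IPv4Address(o[1])), str(ipaddress.IPv4Address(o[3])),
            str(ipaddress.IPv4Address(o[6])), struct.unpack("!I", o[51])[0])
```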
DNS — Domain Name System
Resolving hostnames to IP addresses

DNS translates human-readable names (like cisco.com) to IP addresses. It uses a hierarchical distributed database. Understanding DNS query types is tested in network troubleshooting scenarios.

Port: UDP 53 (queries) / TCP 53 (zone transfers, large responses)
Recursive query: Client asks the resolver to do all the work — the resolver queries other servers on its behalf
Iterative query: Server returns the best answer it has (a referral) — the client does the follow-up
A record: Hostname → IPv4 address
AAAA record: Hostname → IPv6 address
PTR record: Reverse lookup — IP → hostname
MX record: Mail exchange server for a domain
CNAME record: Alias — one name points to another name
TTL: How long resolvers cache the record (seconds)
Troubleshooting: nslookup cisco.com or dig cisco.com to test resolution. If ping by IP works but ping by name fails → DNS issue, not routing.
DNS on Router

R1(config)# ip domain-lookup
R1(config)# ip name-server 8.8.8.8 8.8.4.4
R1(config)# ip domain-name corp.local
R1# show hosts
TCP vs UDP
Transport layer protocol comparison

TCP provides reliable, ordered, connection-oriented delivery. UDP is lightweight and connectionless — used when speed matters more than reliability.

Feature | TCP | UDP
Connection | Connection-oriented (3-way handshake) | Connectionless
Reliability | Guaranteed delivery, retransmission on loss | Best-effort, no retransmission
Ordering | Sequence numbers ensure in-order delivery | No ordering
Flow control | Sliding window, congestion control | None
Header size | 20–60 bytes | 8 bytes
Speed | Slower (overhead) | Faster (low overhead)
Use cases | HTTP/S, FTP, SSH, Telnet, SMTP | DNS, DHCP, TFTP, SNMP, VoIP, video streaming

TCP 3-way handshake: SYN → SYN-ACK → ACK establishes the connection. Termination is a 4-way exchange: each side sends a FIN that the other acknowledges (FIN → ACK, FIN → ACK).

TCP window size: Bytes the sender may transmit before requiring an ACK
Sequence number: Tracks byte position — enables reordering and retransmission
ACK number: Next expected byte — confirms receipt
Well-Known Port Numbers
Layer 4 ports the CCNA exam tests directly

Ports 0–1023 are well-known (IANA assigned). Ports 1024–49151 are registered. Ports 49152–65535 are ephemeral (dynamic client ports). ACL configuration requires knowing port numbers precisely.

Port | Protocol | Transport | Notes
20/21 | FTP | TCP | 20 = data, 21 = control
22 | SSH | TCP | Secure remote management
23 | Telnet | TCP | Cleartext — avoid
25 | SMTP | TCP | Email sending
53 | DNS | UDP/TCP | UDP for queries, TCP for transfers
67/68 | DHCP | UDP | 67 = server, 68 = client
69 | TFTP | UDP | Trivial FTP — no auth
80 | HTTP | TCP | Web cleartext
110 | POP3 | TCP | Email retrieval
143 | IMAP | TCP | Email retrieval (folder sync)
161/162 | SNMP | UDP | 161 = agent polling, 162 = trap
443 | HTTPS | TCP | Web encrypted (TLS)
514 | Syslog | UDP | Log forwarding
1812/1813 | RADIUS | UDP | Auth / Accounting
Collision Domains vs Broadcast Domains
How network devices segment traffic

A collision domain is a network segment where simultaneous transmissions cause collisions. A broadcast domain is the set of all devices that receive a Layer 2 broadcast. Reducing both improves performance and security.

Device | Collision Domains | Broadcast Domains | Notes
Hub | 1 (all ports share) | 1 | Half-duplex, CSMA/CD required
Bridge (2-port) | 2 (one per port) | 1 | Segments collision domains
Switch (24-port) | 24 (one per port) | 1 per VLAN | Full-duplex, no collisions
Router | One per interface | One per interface | Breaks both domains

Key rule: Switches break collision domains (one per port). Routers break broadcast domains. VLANs also break broadcast domains on the same switch.

Full-duplex: Simultaneous send/receive — no collisions possible (switches)
Half-duplex: One direction at a time — CSMA/CD needed (hubs, old wireless)
CSMA/CD: Carrier Sense Multiple Access / Collision Detection — Ethernet collision handling

Packet Tracer Labs

Hands-on fundamentals walkthroughs — open Cisco Packet Tracer alongside these steps.
