// Networking Concepts — Section 1

Network+ Complete Course Module

Everything you need to know about networking concepts for the CompTIA Network+ exam. OSI model, protocols, topologies, IPv4, cloud, and more — all in one place.

9 Major Topics | 7 OSI Layers | 14 Key Protocols | 23% Exam Weight

The OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework that standardizes network communication into seven distinct layers. Each layer has a specific role and communicates with the layers above and below it. Think of it as a recipe — each step depends on the one before it.

📡 Memory Aid
Top-down: "All People Seem To Need Data Processing" (Application → Physical)
Bottom-up: "Please Do Not Throw Sausage Pizza Away" (Physical → Application)
Layer 7 — Application | PDU: Data | Protocols / Examples: HTTP, HTTPS, FTP, DNS, SMTP, SNMP, DHCP, SSH, Telnet, RDP
Layer 6 — Presentation | PDU: Data | Protocols / Examples: TLS/SSL, JPEG, MPEG, ASCII, EBCDIC, encryption, compression
Layer 5 — Session | PDU: Data | Protocols / Examples: NetBIOS, SOCKS, SIP, RPC, NFS — manages sessions/dialogs
Layer 4 — Transport | PDU: Segment | Protocols / Examples: TCP (reliable), UDP (fast) — ports, flow control, segmentation
Layer 3 — Network | PDU: Packet | Protocols / Examples: IP, ICMP, OSPF, BGP, EIGRP — routers, logical addressing
Layer 2 — Data Link | PDU: Frame | Protocols / Examples: Ethernet, 802.11 Wi-Fi, ARP, PPP, STP — switches, MAC addresses
Layer 1 — Physical | PDU: Bit | Protocols / Examples: Ethernet cables, fiber, hubs, repeaters, voltage signals, 1s and 0s

Layer Deep Dives

Layer 1 — Physical

Deals with raw bit transmission over a physical medium. Defines electrical, optical, and radio specifications. Devices: hubs, repeaters, cables. When there's a "bad cable," that's a Layer 1 problem.

KEY EXAM POINT: Hubs operate at Layer 1 — they broadcast all traffic to all ports (collision domain).

Layer 2 — Data Link

Provides node-to-node transfer and error detection using MAC addresses. Split into two sublayers: LLC (Logical Link Control) for flow control, and MAC (Media Access Control) for addressing. Devices: switches, bridges.

MAC addresses = 48-bit hardware address (e.g., AA:BB:CC:DD:EE:FF) — burned into NICs.

Layer 3 — Network

Handles logical addressing and routing. IP addresses live here. Routers inspect Layer 3 headers to make forwarding decisions. Protocols: IP, ICMP (ping), OSPF, BGP. This is where subnetting lives.

Routers break up broadcast domains. Each router interface is a separate network.

Layer 4 — Transport

TCP provides reliable, ordered, error-checked delivery (3-way handshake: SYN, SYN-ACK, ACK). UDP is connectionless and fast — no guarantees. Port numbers live at Layer 4 to multiplex services.

TCP: SYN → SYN-ACK → ACK to open. FIN/RST to close. Window size controls flow.

Layer 5 — Session

Manages sessions between applications — opening, maintaining, and terminating conversations. Enables full-duplex vs half-duplex modes. Examples: NetBIOS for Windows networking, SIP for VoIP, RPC.

Layer 6 — Presentation

Translates, encrypts, and compresses data. Converts from application format to network format and back. TLS/SSL encryption happens here. File formats like JPEG, MP4, and character encoding like ASCII.

For the exam, TLS encryption is mapped to Layer 6, but the TLS handshake itself runs over a Layer 4 TCP connection and protects Layer 7 application data, so in practice it spans the Layer 4-7 interaction.

Encapsulation / Decapsulation

Data travels down the OSI stack on the sending side (encapsulation) and up the stack on the receiving side (decapsulation). Each layer wraps data with its own header (and sometimes trailer).

App (L7):        [ DATA ]
Transport (L4):  [ TCP/UDP Header ][ DATA ]
Network (L3):    [ IP Header ][ TCP Header ][ DATA ]
Data Link (L2):  [ Eth Header ][ IP Hdr ][ TCP Hdr ][ DATA ][ FCS ]
Physical (L1):   1010110100101011 ... (raw bits on wire)

FCS = Frame Check Sequence (CRC error detection at Layer 2)
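To make the layering concrete, here is an added example (not code from the course module) that builds the frame shown above layer by layer and then parses it back. It constructs its own sample MACs, IPs, ports and HTTP request; the Ethernet FCS is computed as a CRC-32 trailer and the IPv4 header checksum is verified on the way back up, so a corrupted frame is rejected at Layer 2 before any upper-layer header is read.

```python
"""Encapsulation and decapsulation of one HTTP request, end to end.

Added example (not from the course module): the MACs, IPs and ports below are
constructed stand-ins. Each function adds one layer's header (and, for Ethernet,
the FCS trailer); decapsulate() walks back up the stack one layer at a time.
"""
import ipaddress
import struct
import zlib

# Constructed sample values for the two endpoints.
SRC_MAC = bytes.fromhex("aabbccddeeff")
DST_MAC = bytes.fromhex("001122334455")
SRC_IP, DST_IP = "192.168.1.100", "192.168.1.1"
SRC_PORT, DST_PORT = 50000, 80
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # L7 application data


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(data: bytes) -> bytes:
    """L4: prepend a 20-byte TCP header (PSH|ACK, window 65535; TCP checksum left 0 for brevity)."""
    hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + data


def ip_packet(segment: bytes) -> bytes:
    """L3: prepend a 20-byte IPv4 header (TTL 64, protocol 6 = TCP) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(SRC_IP).packed, ipaddress.IPv4Address(DST_IP).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + segment


def ethernet_frame(packet: bytes) -> bytes:
    """L2: prepend dst MAC, src MAC, EtherType 0x0800 (IPv4); append the FCS (CRC-32) trailer."""
    body = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def to_bits(frame: bytes) -> str:
    """L1: the frame as the string of 1s and 0s that would be signalled on the wire."""
    return "".join(f"{b:08b}" for b in frame)


def encapsulate(data: bytes = PAYLOAD) -> bytes:
    """Walk down the stack: data -> segment -> packet -> frame."""
    return ethernet_frame(ip_packet(tcp_segment(data)))


def decapsulate(frame: bytes) -> dict:
    """Walk up the stack: verify the FCS, then strip one header per layer, checking the IP checksum."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch: frame was corrupted in transit")
    dst_mac, src_mac, ethertype = body[:6], body[6:12], struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    segment = packet[ihl:]
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4              # TCP header length in bytes
    return {
        "l2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype},
        "l3": {"src": str(ipaddress.IPv4Address(packet[12:16])),
               "dst": str(ipaddress.IPv4Address(packet[16:20])), "protocol": packet[9]},
        "l4": {"sport": sport, "dport": dport},
        "l7": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate()
    print(f"{len(frame)} bytes on the wire, first 32 bits: {to_bits(frame)[:32]} ...")
    print(decapsulate(frame))
```

Note that the FCS is checked before anything above Layer 2 is parsed: a switch or NIC discards a frame with a bad FCS without ever looking at the IP or TCP headers, which is exactly the "each layer only trusts its own header" behaviour the diagram describes.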

Networking Appliances

Physical or virtual devices that perform specific network functions. Knowing which OSI layer each device operates at is crucial — it determines what they can "see" and what decisions they can make.

🔀 Router
OSI LAYER 3 — NETWORK
Connects different networks together and forwards packets based on IP addresses. Uses routing tables (static or dynamic via OSPF, BGP, EIGRP). Separates broadcast domains. Every interface is a separate subnet.
Key: Routers use IP (L3) addresses. They strip and rebuild frames (L2) at each hop.

Switch
OSI LAYER 2 — DATA LINK (L3 for managed)
Connects devices within a LAN using MAC address tables (CAM table). Learns MAC addresses from incoming frames and forwards unicast traffic only to the correct port. Reduces collisions. Layer 3 switches can also route between VLANs.
STP: Spanning Tree Protocol prevents loops. VLANs segment traffic logically.

🛡️ Firewall
OSI LAYER 3–7 (depending on type)
Filters traffic based on rules. Stateless (packet filtering, L3-4), Stateful (tracks connection state, L4-5), or NGFW — Next-Gen (deep packet inspection, L7, app awareness). Can be hardware, software, or cloud-based.
NGFW: Inspects application layer, blocks specific apps (Facebook, BitTorrent), performs SSL inspection.

🔍 IDS / IPS
OSI LAYER 3–7 — PASSIVE / INLINE
IDS (Intrusion Detection System): Monitors and alerts only — does not block. Placed out-of-band (passive/tap mode). IPS (Intrusion Prevention System): Actively blocks malicious traffic — placed inline. Both use signature-based and anomaly-based detection.

⚖️ Load Balancer
OSI LAYER 4–7
Distributes incoming traffic across multiple servers to prevent overload. Algorithms: Round Robin, Least Connections, IP Hash, Weighted. Provides high availability, session persistence (sticky sessions), and health checking.

🔗 Proxy Server
OSI LAYER 7 — APPLICATION
Forward Proxy: Sits between clients and the internet. Provides caching, content filtering, anonymity. Reverse Proxy: Sits in front of servers — hides backend infrastructure, provides SSL termination, caching, load balancing.

💾 NAS
NETWORK ATTACHED STORAGE
File-level storage connected to a network. Uses protocols like NFS, SMB/CIFS. Accessible by multiple clients simultaneously. Acts as a dedicated file server. Common for home/SMB file sharing and backups. Has its own IP address.

🏗️ SAN
STORAGE AREA NETWORK
Block-level storage over a dedicated high-speed network. Uses Fibre Channel (FC) or iSCSI. Appears to servers as a local disk. Extremely fast, low latency. Used in enterprise environments for databases and VMs. More complex and expensive than NAS.
NAS vs SAN: NAS = file-level (smarter, over Ethernet). SAN = block-level (faster, dedicated network).

📡 Wireless Devices
OSI LAYER 1–2
WAP (Wireless Access Point): Extends wired network wirelessly. Wireless Controller (WLC): Centrally manages multiple WAPs (thin APs). LWAPP/CAPWAP: Protocol used between controller and APs. Supports roaming, load balancing, and centralized policy enforcement.

🧠 Exam Quick Reference
Hub (L1) → dumb, broadcasts everywhere | Switch (L2) → MAC table, smart unicast | Router (L3) → IP routing, breaks broadcasts | Firewall (L3–7) → filters by rules | IDS → passive, alerts only | IPS → inline, blocks actively

Network Topologies

A network topology defines how devices are physically and logically connected. Physical topology is the actual cable/hardware layout. Logical topology is how data flows through the network, which may differ from physical.

⭐ Star / Hub-and-Spoke


All devices connect to a central hub/switch. Single point of failure at the center, but individual node failures don't affect others. Most common LAN topology today.

✓ Easy to troubleshoot ✗ Center = SPOF

🕸 Full Mesh


Every device connects directly to every other device. Highly redundant — no SPOF. Used in WANs and critical backbone networks. Formula: n(n-1)/2 connections needed.

✓ High redundancy ✗ Expensive to scale

⭕ Ring (Logical)


Data travels in one direction around a ring. Token Ring uses a token-passing system — only device holding the token can transmit. Single break can break the whole ring. Largely historical (Token Ring, FDDI).

✓ No collisions ✗ One break = failure

🍃 Spine and Leaf

[Diagram: three SPINE switches in the top row, three LEAF switches below, every leaf linked to every spine]

Modern data center topology. Every leaf switch connects to every spine switch. Provides predictable latency (any leaf-to-leaf path is always 2 hops), east-west traffic optimization, and easy horizontal scaling. Replaces the Three-Tier model in modern DCs.

✓ Equal latency ✓ Scales easily

🏢 Three-Tier Hierarchical

[Diagram: one CORE layer at the top, two DISTRIBUTION switches below it, four ACCESS switches at the bottom]

Traditional enterprise topology with Core (fast backbone), Distribution (routing/policies), and Access (endpoint connection) layers. Predictable, well-understood, but more latency for east-west traffic than Spine-Leaf.

↔ Point-to-Point

[Diagram: device A and device B joined by a single dedicated link]

A direct connection between exactly two devices. Used in WAN links (leased lines, T1/T3), serial connections, and PPP. Simple but doesn't scale. Very common in WAN environments and wireless backhaul.

✓ Simple, dedicated bandwidth

🔀 Hybrid


Combines two or more topology types. Most real-world networks are hybrid — e.g., a star LAN connected via a mesh WAN. Provides flexibility to optimize different parts of the network for their specific needs.

🗜 Collapsed Core

[Diagram: CORE + DISTRIBUTION collapsed into one layer, with three ACCESS switches below]

Merges the Core and Distribution layers into one. Used in smaller networks where the cost and complexity of separate layers isn't justified. Reduces hardware cost but may become a bottleneck as the network grows.

✓ Cost effective ✗ Bottleneck risk

Ports & Protocols

Port numbers identify specific services running on a device. Well-known ports are 0–1023, registered ports 1024–49151, dynamic/ephemeral ports 49152–65535. Know these cold for the exam.

🔑 Quick Rule
TCP = connection-oriented, reliable, ordered, error-checked (handshake) — used when data integrity matters.
UDP = connectionless, fast, no guarantees — used for DNS, streaming, gaming, VoIP.
Port | Protocol | Transport | Full Name | Description
20/21 | FTP | TCP | File Transfer Protocol | Port 21 = control (commands). Port 20 = data transfer (active mode). Cleartext — not secure. Use SFTP or FTPS instead.
22 | SSH / SFTP | TCP [SECURE] | Secure Shell / Secure FTP | Encrypted remote access shell. SFTP tunnels file transfers over SSH. Replaced Telnet and FTP for secure management. Uses public key or password auth.
23 | Telnet | TCP | Teletype Network | Remote access — CLEARTEXT. Credentials and data sent in plain text. Never use in production. Replaced by SSH. Still appears on exam — know it's insecure.
25 | SMTP | TCP | Simple Mail Transfer Protocol | Sends outbound email between mail servers. Also used by clients to submit email. Port 587 (STARTTLS) or 465 (SMTPS) for secure submission.
53 | DNS | TCP+UDP | Domain Name System | Resolves hostnames to IP addresses. UDP for queries (fast, small). TCP for zone transfers between DNS servers (large data). Hierarchical: root → TLD → authoritative.
67/68 | DHCP | UDP | Dynamic Host Config Protocol | Port 67 = server, 68 = client. Auto-assigns IP config. Process: DORA — Discover, Offer, Request, Acknowledge. Leases IPs for a time period.
80 | HTTP | TCP | Hypertext Transfer Protocol | Unencrypted web traffic. Request/response model. Methods: GET, POST, PUT, DELETE, HEAD. Stateless — cookies maintain sessions. OSI Layer 7.
443 | HTTPS | TCP [SECURE] | HTTP Secure (over TLS) | HTTP encrypted via TLS. Uses certificates (PKI) for authentication. TLS 1.3 is current standard. HSTS forces HTTPS. Essential for any production web service.
161/162 | SNMP | UDP | Simple Network Mgmt Protocol | 161 = queries to devices (GET). 162 = traps sent FROM devices to NMS (unsolicited alerts). v1/v2c use community strings (insecure). v3 adds encryption and auth.
389 | LDAP | TCP+UDP | Lightweight Directory Access Protocol | Queries/modifies directory services (Active Directory). LDAPS on port 636 adds TLS encryption. Used for authentication, user/group lookup. Think "phone book for the network."
3389 | RDP | TCP | Remote Desktop Protocol | Microsoft's remote GUI access protocol. Full graphical desktop session over the network. Should always be behind VPN or have NLA enabled. Common attack target — keep it off the public internet.
5060/5061 | SIP | TCP+UDP | Session Initiation Protocol | Initiates, modifies, terminates VoIP sessions. Port 5060 = cleartext, 5061 = TLS encrypted. Works with RTP (Real-Time Transport, UDP) for actual voice/video payload.

Protocol Analysis Tips

Secure vs Insecure Pairs

Telnet :23 → SSH :22 ✓
FTP :21 → SFTP :22 ✓
HTTP :80 → HTTPS :443 ✓
LDAP :389 → LDAPS :636 ✓
SIP :5060 → SIPS :5061 ✓

UDP Protocols

These use UDP because speed matters more than reliability:

:53 DNS queries | :67/68 DHCP | :69 TFTP | :123 NTP | :161 SNMP | :5060 SIP (also TCP)

DHCP DORA Process

D – Discover: Client broadcasts, seeking DHCP server
O – Offer: Server responds with IP offer
R – Request: Client accepts the offered IP
A – Acknowledge: Server confirms, lease begins

Traffic Types

Network traffic is classified by how it's addressed and delivered. Understanding these distinctions is key for designing efficient networks and configuring devices correctly.

Unicast (1 → 1)

One-to-one communication. Traffic sent from a single source to a single specific destination. Most normal web browsing, file transfers, and connections are unicast. Every device has a unique IP address for unicast.

Multicast (1 → group)

One-to-many (specific group) communication. A single source sends to a defined multicast group. Efficient for streaming, video conferencing, routing protocol updates. IPv4 multicast range: 224.0.0.0–239.255.255.255 (Class D).

Anycast (1 → nearest)

One-to-nearest communication. Traffic is sent to one address but multiple nodes share it — routing sends traffic to the topologically nearest one. Used in CDNs, DNS (Cloudflare 1.1.1.1, Google 8.8.8.8), and IPv6. Provides redundancy and performance.

Broadcast (1 → all)

One-to-all communication within a broadcast domain. Delivered to all devices on the local subnet. IPv4 broadcast address: 255.255.255.255 (limited) or subnet directed (e.g., 192.168.1.255). Routers do NOT forward broadcasts — they stop at router boundaries. IPv6 has no broadcast (uses multicast instead).

⚠️ Broadcast Domains vs Collision Domains
Collision Domain: Devices that can cause collisions (Layer 1 — hub ports). Each switch port breaks collision domains.
Broadcast Domain: Devices that receive broadcasts. Only routers break broadcast domains. Switches do NOT reduce broadcasts (unless VLANs are configured).

Transmission Media

The physical or wireless medium used to carry network signals. Different media have different bandwidth, range, interference susceptibility, and cost characteristics.

Wireless

📶 Wi-Fi (802.11)
Standards Comparison
802.11a: 5 GHz, 54 Mbps
802.11b: 2.4 GHz, 11 Mbps
802.11g: 2.4 GHz, 54 Mbps
802.11n (Wi-Fi 4): 2.4/5 GHz, 600 Mbps
802.11ac (Wi-Fi 5): 5 GHz, 3.5 Gbps
802.11ax (Wi-Fi 6): 2.4/5/6 GHz, 9.6 Gbps
2.4 GHz = longer range, more interference
5 GHz = shorter range, faster, less congested
📱 Cellular
Generations
2G (GSM/CDMA): Voice + SMS, <0.1 Mbps
3G (UMTS/HSPA): 7.2–21 Mbps
4G LTE: 100+ Mbps, low latency
5G: 10 Gbps, <1 ms latency

Uses licensed spectrum bands. Network divided into cells with base stations (towers). Handoff between cells as device moves. 5G uses millimeter wave (mmWave) for ultra-fast short range and sub-6GHz for broad coverage.

🛰 Satellite
Orbit Types
GEO (35,786 km): 600+ ms latency
MEO: GPS, 50–150 ms
LEO (550–1,200 km): 20–40 ms (Starlink)

GEO: traditional, high latency, good coverage. LEO: Starlink/OneWeb, low latency, better for realtime traffic. Used for remote/rural connectivity where no terrestrial option exists. Weather-sensitive. Line-of-sight required.

Wired

🔆 Fiber Optic
Medium: Light pulses in glass/plastic
Speed: Up to 100 Tbps+
Distance: SMF: 100 km+ / MMF: ~2 km
EMI: Immune — light, not electricity
SMF (Single-Mode): Yellow jacket, long distance, laser
MMF (Multi-Mode): Orange/aqua jacket, shorter range
SMF: Single ray of light, OS2 standard, used in WANs, ISP backbones.
MMF: Multiple light paths, OM1–OM5, used in data centers. OM5 supports SWDM.
📡 Coaxial
Medium: Copper core, metallic shield
Speed: Up to 10 Gbps (DOCSIS 3.1)
Distance: ~500 m (10BASE5)
Connectors: BNC, F-type
Use Cases: Cable TV, broadband internet, RF
RG-6: Cable TV/broadband (better shielding)
RG-59: CCTV, older TV (thinner)
The metallic shield provides noise immunity. "Thicknet" (10BASE5) and "Thinnet" (10BASE2) are historical Ethernet coax implementations.
⚡ Direct Attach Copper (DAC)
Medium: Twinaxial copper cable
Speed: 10G, 25G, 40G, 100G
Distance: Up to ~15 m (passive) / 25 m (active)
Connectors: SFP+, QSFP, QSFP+
Passive DAC: No signal boosting, shorter range
Active DAC: Has signal amplifiers built in
Used to connect switches/servers in data centers. Much cheaper than fiber for short distances. Plugs into SFP+ ports just like optical modules.

Connectors & Transceivers

Physical connectors terminate cables and mate with ports. Transceivers convert between electrical and optical signals. Knowing connector types is critical for real-world work and the exam.

Fiber Connectors

SC
Subscriber/Square Connector. Push-pull mechanism. Popular in older fiber installations. Larger form factor — two SC connectors side by side (SC duplex).
LC
Lucent Connector. Small form factor — half the size of SC. Latch mechanism. Most common modern fiber connector in data centers and enterprise. Preferred in high-density environments.
ST
Straight Tip. Bayonet twist-lock mechanism (like a BNC). Older standard, still found in legacy fiber installations. Round form factor. Being replaced by LC in newer deployments.
MPO/MTP
Multi-fiber Push On. Carries 12 or 24 fibers in a single connector. Used for high-density 40G/100G connections in data centers. MTP is a brand name for high-performance MPO.

Copper Connectors

RJ45
8P8C (8 Position 8 Contact). Standard Ethernet connector for twisted-pair cabling (Cat5e, Cat6, Cat6a). Used in all modern wired networking.
RJ11
6P2C or 6P4C connector. Smaller than RJ45. Used for telephone lines (POTS), DSL modems. Not compatible with Ethernet — different pin count and configuration.
F-Type
Screw-on coaxial connector. Used for cable TV, satellite dishes, and broadband internet (DOCSIS). Thread provides secure connection to prevent RF signal loss.
BNC
Bayonet Neill–Concelman. Twist-lock coaxial connector. Used in CCTV/security cameras, 10BASE2 (Thinnet) legacy Ethernet, test equipment, RF applications. Quick-connect bayonet mechanism.

Transceivers (SFP / QSFP)

SFP / SFP+

Small Form-factor Pluggable. Hot-swappable transceiver module used in switches, routers, and NICs. SFP supports up to 1 Gbps. SFP+ supports 10 Gbps. Can carry fiber or copper (via DAC). Enables flexible, modular port design.

QSFP / QSFP+

Quad Small Form-factor Pluggable. Carries 4 lanes of data. QSFP supports 40G (4×10G). QSFP+ also 40G. QSFP28 supports 100G (4×25G). Used in spine switches, high-bandwidth server links, and data center interconnects.

BiDi (Bidirectional)

Transmits and receives on a single fiber strand using two different wavelengths (WDM — Wavelength Division Multiplexing). Useful when fiber runs are expensive or limited. Must be paired with matching BiDi on other end (TX wavelength A ↔ RX wavelength B).

IPv4 Addressing

IPv4 uses 32-bit addresses written in dotted decimal notation (four octets, each 0–255). Understanding address types, classes, and special ranges is foundational to networking.

Address Classes

Class | First Octet Range | First Bits | Default Subnet Mask | Private Range (RFC 1918) | Networks / Hosts | Purpose
A | 1–126 | 0xxxxxxx | 255.0.0.0 /8 | 10.0.0.0–10.255.255.255 | 128 networks / 16.7M hosts | Large organizations, ISPs
B | 128–191 | 10xxxxxx | 255.255.0.0 /16 | 172.16.0.0–172.31.255.255 | 16,384 networks / 65,534 hosts | Medium-large orgs
C | 192–223 | 110xxxxx | 255.255.255.0 /24 | 192.168.0.0–192.168.255.255 | 2M+ networks / 254 hosts | Small networks, home/office
D | 224–239 | 1110xxxx | N/A | N/A | N/A | Multicast groups only
E | 240–255 | 1111xxxx | N/A | N/A | N/A | Reserved / Experimental

Special Address Ranges

Special Purpose Addresses

127.0.0.1 — Loopback
Refers to the local machine itself. Range: 127.0.0.0/8. Used for testing TCP/IP stack without sending traffic over the network.
169.254.x.x — APIPA
Automatic Private IP Addressing. Assigned when DHCP fails. Range: 169.254.0.0/16. Device can only communicate with other APIPA devices on the same segment. Means DHCP is broken.
0.0.0.0 — Unspecified
Used before IP is assigned (DHCP Discover source), or as default route (0.0.0.0/0 = "route to anywhere").
255.255.255.255 — Limited Broadcast
Sent to all devices on the local subnet. Routers never forward this. DHCP Discover uses this as destination.
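The class table and the special-purpose list above are the kind of thing an analyst applies constantly when reading firewall logs or packet captures. The following is an added example, not code from the course module: it classifies any IPv4 address by the leading bits of its first octet (classes A–E with the default mask), then checks it against the special ranges and the RFC 1918 private ranges listed on this page. The sample addresses at the bottom are constructed.

```python
"""Classify an IPv4 address by class, default mask and special-purpose range.

Added example, not part of the course module. The ranges are the ones the
module lists (classes A-E, RFC 1918, loopback, APIPA, 0.0.0.0, 255.255.255.255);
the sample addresses in SAMPLES are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Special-purpose ranges; checked before the class so 255.255.255.255 is reported
# as "limited broadcast" rather than merely "class E".
SPECIAL = [
    (ipaddress.ip_network("0.0.0.0/32"), "unspecified"),
    (ipaddress.ip_network("255.255.255.255/32"), "limited broadcast"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "APIPA / link-local"),
]


def address_class(addr: ipaddress.IPv4Address) -> tuple:
    """Classful category from the leading bits of the first octet, plus the default mask."""
    o = addr.packed[0]
    if o & 0b10000000 == 0:                 # 0xxxxxxx
        return "A", "255.0.0.0"
    if o & 0b11000000 == 0b10000000:        # 10xxxxxx
        return "B", "255.255.0.0"
    if o & 0b11100000 == 0b11000000:        # 110xxxxx
        return "C", "255.255.255.0"
    if o & 0b11110000 == 0b11100000:        # 1110xxxx
        return "D", None
    return "E", None                        # 1111xxxx


def classify(text: str) -> dict:
    """Class, default mask and what kind of address this is (public, private, special...)."""
    addr = ipaddress.IPv4Address(text)
    cls, mask = address_class(addr)
    special = next((name for net, name in SPECIAL if addr in net), None)
    if special:
        kind = special
    elif cls == "D":
        kind = "multicast group"
    elif cls == "E":
        kind = "reserved / experimental"
    elif any(addr in net for net in RFC1918):
        kind = "private (RFC 1918, needs NAT to reach the internet)"
    else:
        kind = "public"
    return {"address": text, "class": cls, "default_mask": mask, "kind": kind}


def classify_all(addresses) -> list:
    return [classify(a) for a in addresses]


# Constructed sample addresses; 172.32.0.1 is deliberately just outside 172.16.0.0/12.
SAMPLES = ["10.1.2.3", "172.20.0.5", "172.32.0.1", "192.168.1.100", "169.254.10.5",
           "127.0.0.1", "224.0.0.5", "8.8.8.8", "255.255.255.255", "0.0.0.0"]

if __name__ == "__main__":
    for row in classify_all(SAMPLES):
        print(f"{row['address']:>16}  class {row['class']}  mask {row['default_mask']}  {row['kind']}")
```

The 172.32.0.1 sample is the classic mistake: it is a class B address, but it is public, because the RFC 1918 block only covers 172.16.0.0 through 172.31.255.255 (a /12, not the whole class).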

Public vs Private

Private IPs (RFC 1918): Not routable on the public internet. Used internally. Translated to public IPs via NAT (Network Address Translation) at the router/firewall.

10.0.0.0/8 — 16.7 million addresses (Class A private)
172.16.0.0/12 — 1M addresses (Class B private range)
192.168.0.0/16 — 65,536 addresses (most common home/office)

Public IPs are assigned by IANA and RIRs (ARIN, RIPE, APNIC). Every public address is globally unique. NAT allows thousands of internal devices to share a single public IP.

NAT Types: Static NAT (1:1), Dynamic NAT (pool), PAT/NAT overload (many:1 using ports) — PAT is what home routers do.

Subnetting & CIDR

Subnetting divides a large network into smaller sub-networks. CIDR (Classless Inter-Domain Routing) replaces class-based addressing with flexible prefix lengths. VLSM (Variable Length Subnet Masking) allows different subnet sizes within the same address space.

The subnet mask determines which bits are the network portion and which are the host portion.

IP: 192.168.1.100   = 11000000 . 10101000 . 00000001 . 01100100
Mask: /24           = 11111111 . 11111111 . 11111111 . 00000000
                      |--------- network bits (24) ---------| |host (8)|
Network bits (the 1s in the mask): 24    Host bits (the 0s in the mask): 8 = 256 addresses, 254 usable
CIDR | Subnet Mask | Wildcard | Hosts (Usable) | Addresses | Subnets from /24 | Notes
/8 | 255.0.0.0 | 0.255.255.255 | 16,777,214 | 16,777,216 | — | Class A size
/9 | 255.128.0.0 | 0.127.255.255 | 8,388,606 | 8,388,608 | — |
/16 | 255.255.0.0 | 0.0.255.255 | 65,534 | 65,536 | — | Class B size
/17 | 255.255.128.0 | 0.0.127.255 | 32,766 | 32,768 | — |
/20 | 255.255.240.0 | 0.0.15.255 | 4,094 | 4,096 | 16 subnets |
/21 | 255.255.248.0 | 0.0.7.255 | 2,046 | 2,048 | 8 subnets |
/22 | 255.255.252.0 | 0.0.3.255 | 1,022 | 1,024 | 4 subnets |
/23 | 255.255.254.0 | 0.0.1.255 | 510 | 512 | 2 subnets |
/24 | 255.255.255.0 | 0.0.0.255 | 254 | 256 | 1 subnet | Most common LAN
/25 | 255.255.255.128 | 0.0.0.127 | 126 | 128 | 2 subnets |
/26 | 255.255.255.192 | 0.0.0.63 | 62 | 64 | 4 subnets |
/27 | 255.255.255.224 | 0.0.0.31 | 30 | 32 | 8 subnets |
/28 | 255.255.255.240 | 0.0.0.15 | 14 | 16 | 16 subnets |
/29 | 255.255.255.248 | 0.0.0.7 | 6 | 8 | 32 subnets | Small segments
/30 | 255.255.255.252 | 0.0.0.3 | 2 | 4 | 64 subnets | Point-to-point links
/31 | 255.255.255.254 | 0.0.0.1 | 2 (no net/bcast) | 2 | 128 subnets | P2P (RFC 3021)
/32 | 255.255.255.255 | 0.0.0.0 | 1 | 1 | — | Host route (loopback)

How to Subnet — Step by Step

Example: You have 192.168.10.0/26. Find the network, broadcast, host range, and number of subnets from /24.

Step 1: Determine the block size
/26 = 26 network bits, 6 host bits
Host bits: 6 → 2^6 = 64 addresses per subnet
Usable hosts: 64 - 2 = 62 hosts

Step 2: Find subnet mask
256 - 64 = 192 → mask is 255.255.255.192

Step 3: List subnets (block size = 64)
192.168.10.0 → 192.168.10.0 – 192.168.10.63 (subnet 1)
192.168.10.64 → 192.168.10.64 – 192.168.10.127 (subnet 2)
192.168.10.128 → 192.168.10.128 – 192.168.10.191 (subnet 3)
192.168.10.192 → 192.168.10.192 – 192.168.10.255 (subnet 4)

Step 4: For 192.168.10.0/26:
Network address: 192.168.10.0
First host: 192.168.10.1
Last host: 192.168.10.62
Broadcast: 192.168.10.63
Magic Number Trick
Block size = 256 - last octet of subnet mask. Subnets start at multiples of block size.
/25 → block = 128 → subnets: .0, .128
/26 → block = 64 → subnets: .0, .64, .128, .192
/27 → block = 32 → subnets: .0, .32, .64, .96, .128, .160, .192, .224
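The four steps above can be run mechanically for any prefix. Here is an added example (not the course module's own code) that does so with Python's standard ipaddress module: subnet_facts() returns the mask, wildcard, block size, host range and broadcast for a network or host address in CIDR form, including the /31 and /32 edge cases from the CIDR table, and carve() lists the subnets of a parent block the way Step 3 does. It generalizes the magic-number trick slightly: the block size is reported in the octet where the prefix ends (the fourth octet for /25–/30, as on the page, but the third octet for a /23, where subnets step by 2).

```python
"""Subnet calculator following the module's step-by-step method.

Added example, not code from the course module. subnet_facts() reproduces the
four steps for any prefix; carve() lists the subnets of a parent block.
"""
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network, mask, wildcard, block size, host range and broadcast for a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address like 192.168.10.77/26
    prefix = net.prefixlen
    host_bits = 32 - prefix
    addresses = 2 ** host_bits                       # Step 1: 2^host bits
    if prefix <= 30:
        usable = addresses - 2                       # network and broadcast addresses are reserved
        first = int(net.network_address) + 1
        last = int(net.broadcast_address) - 1
    else:                                            # /31 (RFC 3021) and /32: nothing is reserved
        usable = addresses
        first = int(net.network_address)
        last = int(net.broadcast_address)
    # Magic number: 256 minus the mask octet in which the prefix boundary falls.
    octet = (prefix - 1) // 8 if prefix else 0
    block = 256 - net.netmask.packed[octet]
    return {
        "network": str(net.network_address),
        "prefix": prefix,
        "mask": str(net.netmask),                    # Step 2
        "wildcard": str(net.hostmask),
        "addresses": addresses,
        "usable": usable,
        "block_size": block,
        "block_octet": octet + 1,                    # 1-based: which octet the block size steps in
        "first_host": str(ipaddress.IPv4Address(first)),
        "last_host": str(ipaddress.IPv4Address(last)),
        "broadcast": str(net.broadcast_address),     # Step 4
    }


def carve(parent: str, new_prefix: int) -> list:
    """Step 3: every subnet of the given prefix inside the parent block, in address order."""
    return [subnet_facts(str(s)) for s in ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    f = subnet_facts("192.168.10.0/26")
    print(f"{f['network']}/{f['prefix']} mask {f['mask']} block {f['block_size']} "
          f"hosts {f['first_host']} - {f['last_host']} bcast {f['broadcast']} ({f['usable']} usable)")
    for s in carve("192.168.10.0/24", 26):
        print(f"  {s['network']} - {s['broadcast']}")
```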

VLSM — Variable Length Subnet Masking

VLSM allows using different subnet sizes within the same network. Instead of giving every subnet the same size (wasting addresses), you allocate exactly what's needed. Key principle: allocate largest subnets first.

Scenario: Given 172.16.0.0/16, create subnets for:

Dept A: 500 hosts → needs 512 addresses → /23
Dept B: 100 hosts → needs 128 addresses → /25
Dept C: 25 hosts → needs 32 addresses → /27
WAN Link: 2 hosts → needs 4 addresses → /30
Allocate largest first:
Dept A: 172.16.0.0/23 (172.16.0.0 – 172.16.1.255, 510 hosts)
Dept B: 172.16.2.0/25 (172.16.2.0 – 172.16.2.127, 126 hosts)
Dept C: 172.16.2.128/27 (172.16.2.128 – 172.16.2.159, 30 hosts)
WAN: 172.16.2.160/30 (172.16.2.160 – 172.16.2.163, 2 hosts)
Without VLSM, giving everyone /23 would waste 480+ addresses for the WAN link. VLSM lets you be precise.
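The allocation above follows a simple algorithm: pick the smallest prefix whose usable host count covers each requirement, then hand out blocks in descending size from one contiguous pool. The following is an added example, not the course module's code, that implements that largest-first allocator with the ipaddress module and reproduces the 172.16.0.0/16 scenario; the department names and host counts are the module's, and it raises an error when the pool cannot satisfy a request.

```python
"""Largest-first VLSM allocator.

Added example, not the course module's code. Given a parent block and host
counts per subnet, it chooses the smallest prefix that fits each requirement
and carves blocks in descending size from a single free pool.
"""
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable host count (2^n - 2) covers the requirement."""
    needed = hosts + 2                                  # network and broadcast addresses
    host_bits = max(2, (needed - 1).bit_length())       # smallest n with 2^n >= needed
    return 32 - host_bits


def allocate_vlsm(parent: str, requirements: dict) -> list:
    """Allocate one subnet per requirement, largest first, from the parent block."""
    pool = [ipaddress.ip_network(parent)]               # free blocks, kept sorted by address
    allocations = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        pool.sort(key=lambda n: int(n.network_address))
        for i, block in enumerate(pool):
            if block.prefixlen > prefix:
                continue                                # block too small for this subnet
            if block.prefixlen == prefix:
                chosen, remainder = block, []
            else:
                chosen = next(block.subnets(new_prefix=prefix))    # lowest-addressed piece
                remainder = list(block.address_exclude(chosen))    # what is left of the block
            pool[i:i + 1] = remainder
            allocations.append({
                "name": name,
                "hosts_needed": hosts,
                "network": str(chosen),
                "first_host": str(chosen.network_address + 1),
                "last_host": str(chosen.broadcast_address - 1),
                "usable": chosen.num_addresses - 2,
            })
            break
        else:
            raise ValueError(f"no free block large enough for {name} (/{prefix})")
    return allocations


def addresses_consumed(allocations: list) -> int:
    """Total addresses (usable + network + broadcast) taken by a plan."""
    return sum(a["usable"] + 2 for a in allocations)


# The module's scenario.
REQUIREMENTS = {"Dept A": 500, "Dept B": 100, "Dept C": 25, "WAN Link": 2}

if __name__ == "__main__":
    plan = allocate_vlsm("172.16.0.0/16", REQUIREMENTS)
    for a in plan:
        print(f"{a['name']:>9}: {a['network']:<18} {a['first_host']} - {a['last_host']} ({a['usable']} hosts)")
    uniform = len(plan) * 512                           # everyone gets Dept A's /23
    print(f"VLSM uses {addresses_consumed(plan)} addresses vs {uniform} with a uniform /23")
```

Allocating largest-first is what keeps every block aligned to its own size; if the /30 were handed out first at 172.16.0.0, the /23 could no longer start at the bottom of the range and the pool would fragment.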

Cloud Concepts

Cloud networking extends traditional networking concepts into virtualized, on-demand infrastructure. Understanding cloud deployment and service models, virtual networking constructs, and security is increasingly important for modern network professionals.

Deployment Models

☁️ Public Cloud

Infrastructure owned and managed by a third party (AWS, Azure, GCP). Resources shared across multiple customers (multi-tenant). Pay-as-you-go. No upfront hardware cost. Highly scalable. Data leaves your premises — security/compliance concern for some industries.

Examples: AWS EC2, Azure VMs, Google Cloud Compute

🏢 Private Cloud

Infrastructure dedicated exclusively to one organization. Can be on-premises (owned hardware) or hosted by a third party. Full control over security, compliance, and customization. Higher upfront cost. Common in government, healthcare, finance. OpenStack, VMware vSphere.

Examples: On-prem VMware, OpenStack, AWS Outposts

🔀 Hybrid Cloud

Combination of public and private cloud, connected via VPN or dedicated link (AWS Direct Connect, Azure ExpressRoute). Sensitive workloads stay on-prem; scalable burst workloads move to public cloud. Requires consistent network policies and identity across both.

Requires: VPN or dedicated circuits between environments

Service Models

IaaS — Infrastructure as a Service

Provider manages hardware, networking, and storage. You manage: OS, middleware, runtime, applications, and data. Most control, most responsibility. Think AWS EC2, Azure VMs. Good for custom configurations and migrations.

You manage: OS → Runtime → App → Data

PaaS — Platform as a Service

Provider manages infrastructure AND OS and middleware. You only manage applications and data. Faster development — no server patching. Examples: Heroku, Google App Engine, AWS Elastic Beanstalk. Less control over underlying environment.

You manage: App → Data only

SaaS — Software as a Service

Everything managed by the provider. You just use the application. No infrastructure management whatsoever. Examples: Google Workspace, Microsoft 365, Salesforce, Zoom. Least control, least responsibility. Pay per user/subscription.

You manage: Nothing. Just use the app.

Cloud Networking Concepts

VPC — Virtual Private Cloud

An isolated, logically segmented section of a cloud provider's network. You define IP ranges (CIDR), subnets, route tables, and gateways. VPCs are isolated by default — traffic doesn't cross between VPCs unless explicitly peered. Think of it as your own virtual data center in the cloud.

Contains: subnets (public and private), internet gateways, NAT gateways, route tables, security groups, and NACLs.

Network Security Groups (NSGs)

Virtual firewall that controls inbound and outbound traffic at the VM/instance level or subnet level. Rules specify: protocol, port range, source/destination IP. Stateful — if you allow inbound, return traffic is automatically allowed.

NACLs vs Security Groups: NACLs are stateless (must define both in/out), applied at subnet level. SGs are stateful, applied at instance level. NACLs have numbered rules processed in order.
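The stateful-versus-stateless distinction (the same one drawn between stateful and packet-filtering firewalls in the Networking Appliances section) is easiest to see by running both kinds of filter over the same two packets. The following is an added example, not code from the course module or from any cloud provider's SDK: a minimal NACL that evaluates numbered rules in order with an implicit deny, and a security group that records allowed flows and admits their return traffic. The packets, rules and addresses are constructed; the ephemeral port range 49152–65535 used for the outbound rule is the one this page's Ports & Protocols section gives (some providers recommend a wider range, so treat it as an assumption).

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example, not from the course module or any provider's SDK. Rule and packet
values are constructed; the 49152-65535 ephemeral range is the page's and is an
assumption about what a real outbound rule would need to cover.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the instance, "out" = leaving it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for NACLs; ignored by security groups
    direction: str
    proto: str
    port_lo: int
    port_hi: int
    cidr: str        # remote side: source for "in" rules, destination for "out" rules
    action: str      # "allow" or "deny" (security groups only hold "allow")


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on direction, protocol, the packet's destination port and the remote address."""
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.port_lo <= pkt.dst_port <= rule.port_hi
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


class NetworkACL:
    """Stateless: every packet in both directions is checked; lowest-numbered match wins; implicit deny."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful: allow rules only; an allowed packet records a flow, and the reverse direction of that flow is allowed without any rule."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()

    def evaluate(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "allow"                            # return traffic of an established flow
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add(flow)
            return "allow"
        return "deny"


def https_scenario() -> dict:
    """Inbound HTTPS to a web server and its reply, under each kind of filter."""
    request = Packet("in", "tcp", "203.0.113.10", 51000, "10.0.1.5", 443)
    reply = Packet("out", "tcp", "10.0.1.5", 443, "203.0.113.10", 51000)
    allow_https_in = Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow")
    allow_ephemeral_out = Rule(100, "out", "tcp", 49152, 65535, "0.0.0.0/0", "allow")
    sg = SecurityGroup([allow_https_in])
    nacl_no_out = NetworkACL([allow_https_in])
    nacl_with_out = NetworkACL([allow_https_in, allow_ephemeral_out])
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),                                # allowed by state, no outbound rule needed
        "nacl_request": nacl_no_out.evaluate(request),
        "nacl_reply_no_outbound_rule": nacl_no_out.evaluate(reply),   # stateless: the reply is dropped
        "nacl_reply_with_ephemeral_rule": nacl_with_out.evaluate(reply),
    }


def ordering_scenario() -> dict:
    """NACL rule numbers matter: a deny only takes effect if it is numbered below the broad allow."""
    from_blocked = Packet("in", "tcp", "198.51.100.7", 50001, "10.0.1.5", 22)
    from_other = Packet("in", "tcp", "203.0.113.5", 50002, "10.0.1.5", 22)
    deny_block = ("in", "tcp", 22, 22, "198.51.100.0/24", "deny")
    allow_all = ("in", "tcp", 22, 22, "0.0.0.0/0", "allow")
    correct = NetworkACL([Rule(100, *deny_block), Rule(200, *allow_all)])
    swapped = NetworkACL([Rule(100, *allow_all), Rule(200, *deny_block)])
    return {
        "blocked_source": correct.evaluate(from_blocked),
        "other_source": correct.evaluate(from_other),
        "swapped_order_blocked_source": swapped.evaluate(from_blocked),   # the allow matches first; the deny is never reached
    }


if __name__ == "__main__":
    print(https_scenario())
    print(ordering_scenario())
```

The practical consequence shows up in the first scenario: a NACL with only an inbound 443 rule silently breaks the web server, because the reply to an ephemeral client port has no outbound rule to match, whereas the security group admits the reply purely because it belongs to a flow it already allowed.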

NFV — Network Functions Virtualization

Replaces dedicated hardware appliances with software running on standard servers/VMs. Virtual routers, firewalls, load balancers, IDS/IPS, WAN optimization — all virtualized. Benefits: faster deployment, lower cost, flexibility, centralized management. Examples: Cisco CSR, Palo Alto VM-Series, F5 Virtual Edition.

Cloud Gateways

Internet Gateway

Allows VPC resources to connect to the internet. Required for public subnets.

NAT Gateway

Allows private subnet instances to reach the internet without being directly accessible. Outbound only.

VPN Gateway

Connects VPC to on-premises network over encrypted IPsec VPN tunnel.

Transit Gateway / VPC Peering

Connects multiple VPCs. Transit Gateway is a hub; VPC Peering is direct 1:1.

VPC Architecture Visual

[Diagram: VPC architecture]
INTERNET → Internet GW → VPC: 10.0.0.0/16
  Public Subnet 10.0.1.0/24: NAT Gateway, Load Balancer, Web Servers — Security Group (HTTP 80, 443 IN)
  Private Subnet 10.0.2.0/24: App Servers, RDS Database — Security Group (8080 from subnet only)
  VPN Gateway ← On-Premises Data Center

Glossary of Terms

Quick-reference definitions for all key networking concepts covered in this module.

OSI Model

Open Systems Interconnection model — 7-layer framework standardizing how network communication functions are divided and defined.

PDU

Protocol Data Unit — the form data takes at each OSI layer. Bit (L1), Frame (L2), Packet (L3), Segment (L4), Data (L5-7).

MAC Address

48-bit hardware address burned into NIC. Used at Layer 2 for local network communication. Format: AA:BB:CC:DD:EE:FF.

IP Address

32-bit (IPv4) or 128-bit (IPv6) logical address used at Layer 3 to identify devices globally and enable routing across networks.

Subnet Mask

32-bit value that defines the network and host portions of an IP address. Written in dotted decimal (255.255.255.0) or CIDR notation (/24).

CIDR

Classless Inter-Domain Routing — flexible IP address allocation using prefix length notation (/24) replacing fixed class boundaries.

VLSM

Variable Length Subnet Masking — using different prefix lengths within the same network to allocate address space efficiently based on actual needs.

Broadcast Domain

Group of devices that receive each other's broadcast messages. Routers separate broadcast domains; switches do not (without VLANs).

Collision Domain

Network segment where data packets can collide. Each switch port creates its own collision domain. Hubs share one collision domain.

Router

Layer 3 device that forwards packets between different networks based on IP addresses. Maintains routing tables. Breaks broadcast domains.

Switch

Layer 2 device that forwards frames using MAC address CAM table. Creates separate collision domains per port. Supports VLANs.

Firewall

Security device that filters network traffic based on rules. Stateless (packet-by-packet) or stateful (connection-aware). NGFW adds L7 inspection.

IDS

Intrusion Detection System — passive monitoring tool that detects and alerts on suspicious activity. Does not block traffic.

IPS

Intrusion Prevention System — active inline device that detects AND blocks malicious traffic in real time.

Load Balancer

Distributes incoming traffic across multiple servers to optimize performance, availability, and prevent overload.

Proxy Server

Intermediary server between clients and the internet. Forward proxy hides clients; reverse proxy hides servers.

NAS

Network Attached Storage — file-level storage device on a network. Uses NFS/SMB. Has own IP. Multiple clients can access simultaneously.

SAN

Storage Area Network — dedicated high-speed network for block-level storage. Uses Fibre Channel or iSCSI. Appears as local disk to servers.

WAP

Wireless Access Point — device that allows wireless clients to connect to a wired network. Operates at Layer 1-2.

TCP

Transmission Control Protocol — connection-oriented Layer 4 protocol. Provides reliable, ordered delivery via 3-way handshake and acknowledgments.

UDP

User Datagram Protocol — connectionless Layer 4 protocol. Fast but no delivery guarantees. Used for DNS, streaming, gaming, DHCP.

FTP

File Transfer Protocol — TCP port 20 (data) and 21 (control). Transfers files over a network. Cleartext — insecure. Replaced by SFTP/FTPS.

SFTP

SSH File Transfer Protocol — secure file transfer over SSH (port 22). Encrypts all data and credentials. Replacement for FTP.

SSH

Secure Shell — encrypted protocol (TCP 22) for remote command-line access. Replaced Telnet. Uses public/private key or password auth.

Telnet

TCP port 23. Remote access protocol that transmits all data in cleartext. Insecure — should never be used in production. Replaced by SSH.

SMTP

Simple Mail Transfer Protocol — TCP port 25 for server-to-server relay. Port 587 for authenticated client submission (STARTTLS), 465 for implicit TLS (SMTPS).

DNS

Domain Name System — resolves hostnames to IP addresses. UDP port 53 for queries; TCP 53 for zone transfers and for responses too large for a single UDP datagram. Hierarchical distributed database.

DHCP

Dynamic Host Configuration Protocol — UDP 67 (server) and 68 (client). Auto-assigns IP address, mask, gateway, and DNS. Process: DORA (Discover, Offer, Request, Acknowledge).
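The DORA exchange, as an added example that is not part of the course material. Message dicts stand in for real DHCP packets, and the DhcpServer class, its pool layout and the field names are assumptions for illustration, not a real DHCP library. It also covers the two failure modes a practitioner sees most: a REQUEST for an address the server never offered (answered with NAK) and an exhausted pool (no OFFER at all, which is when a client falls back to APIPA).

```python
import ipaddress
from typing import Optional

# Constructed model of a DHCP server and the DORA exchange. Message dicts stand
# in for real DHCP packets (client 68 -> server 67, server 67 -> client 68);
# class and field names are assumptions for illustration, not a real library.

SERVER_PORT, CLIENT_PORT = 67, 68


class DhcpServer:
    def __init__(self, pool_cidr: str, gateway: str, dns: str, lease_seconds: int = 86400):
        net = ipaddress.ip_network(pool_cidr)
        # Hand out every host address in the pool except the gateway's own.
        self.free = [str(ip) for ip in net.hosts() if str(ip) != gateway]
        self.offered = {}   # client MAC -> address offered but not yet acknowledged
        self.leases = {}    # client MAC -> address under lease
        self.options = {"subnet_mask": str(net.netmask), "router": gateway,
                        "dns": dns, "lease_seconds": lease_seconds}

    def handle(self, msg: dict) -> Optional[dict]:
        kind, mac = msg["type"], msg["mac"]
        if kind == "DISCOVER":
            if mac in self.leases:            # returning client: re-offer its old lease
                addr = self.leases[mac]
            elif self.free:
                addr = self.free.pop(0)
            else:
                return None                    # pool exhausted: no OFFER, client ends up on APIPA
            self.offered[mac] = addr
            return {"type": "OFFER", "mac": mac, "yiaddr": addr, **self.options}
        if kind == "REQUEST":
            # The client must request exactly what it was offered; anything else is NAKed.
            if self.offered.get(mac) != msg["requested"]:
                return {"type": "NAK", "mac": mac}
            self.leases[mac] = self.offered.pop(mac)
            return {"type": "ACK", "mac": mac, "yiaddr": self.leases[mac], **self.options}
        return None


def dora(server: DhcpServer, mac: str) -> Optional[dict]:
    """Client side: Discover -> Offer -> Request -> Ack. Returns the final config or None."""
    # Discover is broadcast from 0.0.0.0:68 to 255.255.255.255:67; the client has no address yet.
    offer = server.handle({"type": "DISCOVER", "mac": mac})
    if offer is None:
        return None
    # Request names the offered address so that, with several servers, the others withdraw.
    ack = server.handle({"type": "REQUEST", "mac": mac, "requested": offer["yiaddr"]})
    if ack is None or ack["type"] != "ACK":
        return None
    return {k: ack[k] for k in ("yiaddr", "subnet_mask", "router", "dns", "lease_seconds")}


if __name__ == "__main__":
    srv = DhcpServer("192.168.10.0/29", gateway="192.168.10.1", dns="192.168.10.1")
    print(dora(srv, "aa:bb:cc:00:00:01"))
```

A /29 pool with the gateway excluded has five usable addresses (.2 to .6); the sixth client gets no OFFER and, on a real host, would show a 169.254.x.x address.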

HTTP

Hypertext Transfer Protocol — TCP port 80. Unencrypted web protocol. Stateless request/response model. Layer 7 application protocol.

HTTPS

HTTP Secure — TCP port 443. HTTP over TLS encryption. Uses SSL/TLS certificates for authentication and encryption.

SNMP

Simple Network Management Protocol — UDP 161 (queries) and 162 (traps). Monitors and manages network devices. v1/v2c authenticate with cleartext community strings; v3 adds authentication and encryption. Traps are unsolicited alerts sent by the device.

LDAP

Lightweight Directory Access Protocol — TCP/UDP 389. Queries directory services like Active Directory. LDAPS (636) adds TLS encryption.

RDP

Remote Desktop Protocol — TCP 3389. Microsoft's GUI remote access protocol. Keep behind VPN; common attack target on public internet.

SIP

Session Initiation Protocol — TCP/UDP 5060 (5061 for TLS). Sets up, modifies, terminates VoIP/video sessions. Works with RTP for media.

Unicast

One-to-one network communication. Traffic sent from single source to single specific destination. Most internet traffic is unicast.

Multicast

One-to-many communication to a defined group. Efficient for streaming. IPv4 range: 224.0.0.0–239.255.255.255 (Class D).

Anycast

Traffic sent to one address shared by multiple nodes — delivered to the topologically nearest one. Used in CDNs and DNS.

Broadcast

One-to-all within a broadcast domain. Limited broadcast address 255.255.255.255, or the subnet's directed broadcast address (last address in the subnet, e.g. 192.168.1.255 on a /24). Routers do not forward broadcasts. IPv6 eliminates broadcast in favor of multicast.

Fiber Optic

Transmission medium using light pulses through glass/plastic. Immune to EMI. SMF for long distance, MMF for short range. Extremely high bandwidth.

Coaxial

Cable with copper core surrounded by metallic shield. Used for cable TV (F-type) and legacy Ethernet. RG-6 for broadband, RG-59 for CCTV.

DAC

Direct Attach Copper — twinaxial cable with SFP+/QSFP connectors. Cheaper than fiber for short data center connections. Passive or active variants.

SMF

Single-Mode Fiber — single light path, 9μm core, yellow jacket. Long-distance (100+ km). Used in WAN and ISP infrastructure. OS2 standard.

MMF

Multi-Mode Fiber — multiple light paths, 50/62.5μm core, orange/aqua jacket. Short range (~2km). OM1–OM5 grades. Used in data centers.

802.11

IEEE standard for Wi-Fi wireless networking. Multiple amendments (a/b/g/n/ac/ax) define frequencies, speeds, and features.

SC Connector

Subscriber Connector — square push-pull fiber connector. Older standard, still found in legacy fiber deployments. Larger than LC.

LC Connector

Lucent Connector — small form-factor fiber connector with latch. Most common modern fiber connector. Half the size of SC. Used in high-density environments.

MPO/MTP

Multi-fiber connector carrying 12 or 24 fibers. Used for 40G/100G high-density connections. MTP is a high-performance MPO brand.

RJ45

8P8C connector for Ethernet twisted-pair cabling (Cat5e, Cat6, Cat6a). Standard wired network connector in offices and homes.

RJ11

6P2C or 6P4C connector, smaller than RJ45. Used for telephone lines and DSL modems. Not compatible with Ethernet.

BNC

Bayonet Neill-Concelman — twist-lock coaxial connector. Used in CCTV cameras, legacy 10BASE2 Ethernet, and test equipment.

F-Type

Screw-on coaxial connector used for cable TV, satellite dishes, and broadband internet (DOCSIS modems).

SFP

Small Form-factor Pluggable — hot-swappable transceiver for 1 Gbps (SFP) or 10 Gbps (SFP+). Fiber or copper via DAC cable.

QSFP

Quad SFP — 4-lane transceiver. QSFP28 = 100G. Used in high-bandwidth spine switches and server links.

Star Topology

All devices connect to a central switch/hub. Most common LAN topology. Easy troubleshooting but center is a single point of failure.

Mesh Topology

Every device connects to every other. Highly redundant. n(n-1)/2 connections needed. Used in WAN/critical networks.

Spine and Leaf

Modern data center topology. Every leaf connects to every spine. Equal latency (2 hops), optimized for east-west traffic.

Three-Tier

Core/Distribution/Access layers. Traditional enterprise design. Core for speed, Distribution for routing/policy, Access for endpoints.

Collapsed Core

Core and Distribution layers merged. Cost-effective for smaller networks. Risk of becoming a bottleneck as network grows.

RFC 1918

Defines private IP address ranges not routable on the internet: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

APIPA

Automatic Private IP Addressing — 169.254.0.0/16. Self-assigned when no DHCP server answers. Indicates DHCP is broken or unreachable. Link-local only: no default gateway, so the host cannot reach other subnets.
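An added classifier for the IPv4 address categories defined in the Multicast, Broadcast, RFC 1918 and APIPA entries; it is not part of the course material. The function name, the category labels and the sample addresses are assumptions for illustration, while the ranges are the ones the entries give. The directed-broadcast case needs the local subnet, so it is an optional argument; 172.32.0.1 is included because it is the classic off-by-one (172.16.0.0/12 ends at 172.31.255.255).

```python
import ipaddress
from typing import Optional

# Added classifier for the IPv4 address categories in the glossary. The function
# name and category labels are assumptions for illustration; the ranges are the
# glossary's own (RFC 1918, 169.254/16 APIPA, 224/4 class D, 255.255.255.255).

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")          # 224.0.0.0 - 239.255.255.255
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(addr: str, local_subnet: Optional[str] = None) -> str:
    """Return one of: broadcast, multicast, apipa, loopback, rfc1918, public."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only; IPv6 has no broadcast and uses ff00::/8 for multicast")
    if ip == LIMITED_BROADCAST:
        return "broadcast"
    if local_subnet is not None:
        # Directed broadcast: the last address of the local subnet (192.168.1.255 on a /24).
        net = ipaddress.ip_network(local_subnet, strict=False)
        if ip == net.broadcast_address:
            return "broadcast"
    if ip in MULTICAST:
        return "multicast"
    if ip in APIPA:
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def internet_routable(addr: str) -> bool:
    """Only 'public' addresses can be routed across the internet; everything else
    must be dropped or translated (NAT) at the edge. The same test is what a server
    should apply to user-supplied destinations before connecting to them."""
    return classify(addr) == "public"


if __name__ == "__main__":
    for sample in ("10.200.3.4", "172.31.255.255", "172.32.0.1", "169.254.10.5",
                   "239.255.255.250", "255.255.255.255", "8.8.8.8"):
        print(f"{sample:>16}  {classify(sample)}")
```

Note that the standard library's `is_private` is broader than RFC 1918 (it also covers loopback, link-local, documentation and reserved ranges), so the explicit list above is what you want when the question is specifically "is this one of the three RFC 1918 blocks".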

NAT

Network Address Translation — translates private IPs to public IPs at the router/firewall. PAT (Port Address Translation) shares one public IP among many devices.
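PAT in action, as an added example that is not part of the course material. Packets are plain dicts, the PortAddressTranslator class and its method names are assumptions for illustration, and the addresses come from the documentation ranges. Two LAN hosts happen to pick the same source port toward the same server; the translator keeps the flows apart by assigning each its own public port, and an inbound packet with no mapping is dropped.

```python
import itertools
from typing import Optional

# Constructed model of PAT (NAT overload). Packets are plain dicts; the class
# and method names are assumptions for illustration, not a real NAT engine.


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # next unused public source port
        self.out_map = {}   # (private_ip, private_port, proto) -> public_port
        self.in_map = {}    # (public_port, proto) -> (private_ip, private_port)

    def outbound(self, pkt: dict) -> dict:
        """Rewrite the source of a LAN->internet packet, allocating a mapping on first use."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.out_map:
            public_port = next(self.ports)
            self.out_map[key] = public_port
            self.in_map[(public_port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out_map[key]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite the destination of an internet->LAN packet; drop it if no host opened a mapping."""
        key = (pkt["dport"], pkt["proto"])
        if pkt["dst"] != self.public_ip or key not in self.in_map:
            return None
        private_ip, private_port = self.in_map[key]
        return {**pkt, "dst": private_ip, "dport": private_port}


def scenario() -> dict:
    """Two LAN hosts use the same source port toward the same server; PAT keeps them apart."""
    nat = PortAddressTranslator("203.0.113.7")          # the one public address
    h1 = {"src": "192.168.1.10", "sport": 40000, "dst": "198.51.100.5", "dport": 443, "proto": "tcp"}
    h2 = {"src": "192.168.1.11", "sport": 40000, "dst": "198.51.100.5", "dport": 443, "proto": "tcp"}
    t1, t2 = nat.outbound(h1), nat.outbound(h2)
    reply_to_h2 = {"src": "198.51.100.5", "sport": 443, "dst": "203.0.113.7",
                   "dport": t2["sport"], "proto": "tcp"}
    # Nobody inside opened port 3389, so this inbound packet has no mapping.
    unsolicited = {"src": "198.51.100.9", "sport": 12345, "dst": "203.0.113.7",
                   "dport": 3389, "proto": "tcp"}
    return {"h1_public_port": t1["sport"], "h2_public_port": t2["sport"],
            "reply_dst": nat.inbound(reply_to_h2)["dst"],
            "unsolicited": nat.inbound(unsolicited)}


if __name__ == "__main__":
    print(scenario())
```

This mapping is endpoint-independent (any remote host that learns the public port can reach the mapped private socket), which is the behaviour real NATs vary on and why "NAT is not a firewall" is the standard caveat: the drop of unsolicited traffic is a side effect of having no mapping, not a policy.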

VPC

Virtual Private Cloud — isolated virtual network in a cloud provider. You control subnets, routing, gateways, and security rules.

NFV

Network Functions Virtualization — replacing dedicated hardware appliances (routers, firewalls) with software on commodity servers.

Security Group

Virtual firewall at instance level in cloud environments. Stateful — return traffic automatically permitted. Applied to VMs/instances.

NACL

Network Access Control List — stateless firewall at subnet level in cloud. Rules processed in numbered order. Must define both inbound and outbound rules.
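The stateless-versus-stateful distinction drawn in the Firewall, Security Group and NACL entries, as one added example that is not part of the course material. The Packet and Rule classes, the two filter classes and the rule format are assumptions for illustration, not any vendor's syntax. A host opens an HTTPS connection with only an outbound allow rule in place: the stateful filter lets the reply back because it remembers the flow, the stateless one drops it until an inbound rule for the ephemeral port range is added, and that inbound rule then also admits unsolicited packets to high ports.

```python
from dataclasses import dataclass

# Constructed comparison of a stateless (NACL-style) filter with a stateful
# (security-group-style) one. Class names and the rule format are assumptions
# for illustration, not any vendor's syntax.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out"
    action: str         # "allow" or "deny"
    proto: str
    dst_ports: range    # destination ports the rule covers


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    return rule.direction == direction and rule.proto == pkt.proto and pkt.dport in rule.dst_ports


class StatelessFilter:
    """Every packet is judged on its own: rules in order, first match wins, default deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules:
            if matches(rule, pkt, direction):
                return rule.action == "allow"
        return False


class StatefulFilter:
    """A permitted packet records its flow; a packet travelling the other way on a
    recorded flow is a reply and is permitted without consulting the rules."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()      # 5-tuples as seen in the originating direction

    def permits(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return True
        for rule in self.rules:
            if matches(rule, pkt, direction):
                if rule.action == "allow":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                    return True
                return False
        return False


def scenario() -> dict:
    """Host 10.0.1.5 opens an HTTPS connection; only an outbound allow rule exists."""
    allow_https_out = Rule("out", "allow", "tcp", range(443, 444))
    request = Packet("10.0.1.5", 51000, "198.51.100.20", 443)
    reply = Packet("198.51.100.20", 443, "10.0.1.5", 51000)
    unsolicited = Packet("198.51.100.99", 4444, "10.0.1.5", 50000)

    stateless = StatelessFilter([allow_https_out])
    stateful = StatefulFilter([allow_https_out])
    # The stateless filter needs an explicit inbound rule for the ephemeral port range.
    stateless_fixed = StatelessFilter([allow_https_out, Rule("in", "allow", "tcp", range(1024, 65536))])

    return {
        "stateless": (stateless.permits(request, "out"), stateless.permits(reply, "in")),
        "stateful": (stateful.permits(request, "out"), stateful.permits(reply, "in")),
        "stateless_fixed": (stateless_fixed.permits(request, "out"), stateless_fixed.permits(reply, "in")),
        # Cost of the stateless fix: any inbound packet to a high port is now accepted, reply or not.
        "stateless_fixed_unsolicited": stateless_fixed.permits(unsolicited, "in"),
        "stateful_unsolicited": stateful.permits(unsolicited, "in"),
    }


if __name__ == "__main__":
    print(scenario())
```

This is exactly the difference between a security group (one outbound rule suffices) and a NACL (an inbound ephemeral-port rule is mandatory, and it is wide), and the reason NACLs are used for coarse subnet-level blocking while per-instance policy lives in security groups.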

IaaS

Infrastructure as a Service — cloud model where provider manages hardware; you manage OS, runtime, and applications.

PaaS

Platform as a Service — provider manages infrastructure and OS; you manage applications and data only.

SaaS

Software as a Service — provider manages everything; you just use the application. Examples: Gmail, Microsoft 365, Salesforce.

Internet Gateway

Cloud component that allows VPC resources in public subnets to communicate with the internet.

NAT Gateway

Cloud component that lets private subnet instances reach the internet for outbound traffic without being publicly accessible.

ARP

Address Resolution Protocol — maps IP addresses to MAC addresses on a local network. Broadcasts "who has IP x.x.x.x?" and caches responses.
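The ARP request/reply exchange on the wire, as an added example that is not part of the course material. The helper and class names are assumptions for illustration; the frame layout (Ethernet II header followed by a 28-byte RFC 826 ARP body for Ethernet/IPv4) is real. It builds and parses the "who has" request and the reply, then feeds a small cache that records when a known IP starts answering from a different MAC, which is what ARP spoofing looks like from a host's point of view.

```python
import struct
from typing import Dict, List

# Constructed ARP frames and a small cache that flags remappings. Helper names
# are assumptions for illustration; the layout (Ethernet II + RFC 826 ARP) is real.

ETH_P_ARP = 0x0806
REQUEST, REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP for Ethernet/IPv4 (28 bytes) = 42-byte frame."""
    eth_dst = BROADCAST_MAC if oper == REQUEST else tha     # requests are broadcast, replies unicast
    ethernet = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)     # htype, ptype, hlen, plen, oper
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return ethernet + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    body = frame[22:42]
    return {"oper": oper, "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


class ArpCache:
    """Learns IP->MAC from replies, as a host does, and records when a known IP
    suddenly answers from a different MAC (the signature of ARP spoofing)."""
    def __init__(self):
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def learn(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp["oper"] != REPLY:
            return
        known = self.table.get(arp["spa"])
        if known is not None and known != arp["sha"]:
            self.alerts.append(f"{arp['spa']} moved from {known} to {arp['sha']}")
        self.table[arp["spa"]] = arp["sha"]     # a real host cache is overwritten just the same


def scenario() -> ArpCache:
    """Host .10 asks for the gateway .1; the real gateway answers, then an impostor does."""
    cache = ArpCache()
    who_has = build_arp(REQUEST, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
    cache.learn(who_has)                                    # requests are not learned here
    cache.learn(build_arp(REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"))
    cache.learn(build_arp(REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"))
    return cache


if __name__ == "__main__":
    c = scenario()
    print(c.table, c.alerts)
```

The cache ends up poisoned (the gateway now maps to the impostor's MAC) and the alert is the only trace, because ARP has no authentication; that is why switches offer Dynamic ARP Inspection and why the alert, not the cache, is what a detection engineer should be watching.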

OSPF

Open Shortest Path First — link-state interior routing protocol. Uses Dijkstra algorithm. Fast convergence. Hierarchical with areas.
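The SPF computation behind OSPF, as an added example that is not part of the course material. Router names, link speeds and helper names are assumptions for illustration; the cost formula (reference bandwidth divided by link bandwidth, 100 Mbps reference by default) and the Dijkstra algorithm are the real ones. The example computes R1's routing table from a constructed link-state database, then removes a link and recomputes to show convergence onto the next-best path.

```python
import heapq
from typing import Dict, Tuple

# Added example: SPF (Dijkstra) over a constructed link-state database, the
# computation every OSPF router runs to build its routing table. Router names,
# link costs and helper names are assumptions for illustration.

Graph = Dict[str, Dict[str, int]]


def ospf_cost(bandwidth_mbps: int, reference_mbps: int = 100) -> int:
    """Default OSPF interface cost: reference bandwidth / link bandwidth, minimum 1.
    With the 100 Mbps default reference, 100 Mbps and 10 Gbps links look identical,
    which is why the reference is usually raised on modern networks."""
    return max(1, reference_mbps // bandwidth_mbps)


def add_link(graph: Graph, a: str, b: str, cost: int) -> None:
    graph.setdefault(a, {})[b] = cost
    graph.setdefault(b, {})[a] = cost


def remove_link(graph: Graph, a: str, b: str) -> None:
    graph[a].pop(b, None)
    graph[b].pop(a, None)


def spf(graph: Graph, root: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra from `root`: total cost and next-hop router for every destination."""
    cost = {root: 0}
    next_hop = {}
    heap = [(0, root, None)]            # (cost so far, router, first hop from root)
    done = set()
    while heap:
        c, node, first = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if first is not None:
            next_hop[node] = first
        for neighbour, link_cost in graph[node].items():
            candidate = c + link_cost
            if candidate < cost.get(neighbour, float("inf")):
                cost[neighbour] = candidate
                heapq.heappush(heap, (candidate, neighbour, neighbour if node == root else first))
    return cost, next_hop


def sample_lsdb() -> Graph:
    g: Graph = {}
    add_link(g, "R1", "R2", ospf_cost(1000))   # gigabit: cost 1
    add_link(g, "R1", "R3", ospf_cost(10))     # 10 Mbps: cost 10
    add_link(g, "R2", "R3", ospf_cost(1000))   # cost 1
    add_link(g, "R3", "R4", ospf_cost(1000))   # cost 1
    add_link(g, "R2", "R4", ospf_cost(5))      # 5 Mbps: cost 20
    return g


def convergence_demo() -> dict:
    """Route from R1 to R4 before and after the R2-R3 link fails."""
    g = sample_lsdb()
    before_cost, before_hop = spf(g, "R1")
    remove_link(g, "R2", "R3")                 # link-state update floods, every router re-runs SPF
    after_cost, after_hop = spf(g, "R1")
    return {"before": (before_cost["R4"], before_hop["R4"]),
            "after": (after_cost["R4"], after_hop["R4"])}


if __name__ == "__main__":
    print(convergence_demo())
```

Before the failure R1 reaches R4 at cost 3 via R2 (R1-R2-R3-R4); after it, the cheapest path is the slow direct link to R3 and then R3-R4 at cost 11, and the next hop flips to R3. Because every router holds the same link-state database, they all arrive at consistent, loop-free tables, which is what distinguishes link-state protocols from distance-vector ones.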

BGP

Border Gateway Protocol — the internet's routing protocol. Path-vector. Used between ISPs and for cloud multi-homing. Exterior Gateway Protocol.

VLAN

Virtual LAN — logically segments a switch into separate broadcast domains. Devices on different VLANs cannot communicate without a router or a Layer 3 switch performing inter-VLAN routing.

STP

Spanning Tree Protocol — prevents Layer 2 loops in switched networks by blocking redundant paths and electing a root bridge.

TLS/SSL

Transport Layer Security / Secure Sockets Layer — cryptographic protocol providing encryption, authentication, and integrity. TLS 1.3 is the current standard; SSL (all versions) and TLS 1.0/1.1 are deprecated and should be disabled.

WDM

Wavelength Division Multiplexing — transmitting multiple wavelengths of light simultaneously on a single fiber. DWDM for ultra-dense deployments.

CAPWAP

Control And Provisioning of Wireless Access Points — protocol used between wireless LAN controller and lightweight access points.
