Chapter 1 - The OSI Model
The OSI (Open Systems Interconnection) model provides a conceptual framework for how network communications work. It has 7 layers; memorise them with: "All People Seem To Need Data Processing" (top-down) or "Please Do Not Throw Sausage Pizza Away" (bottom-up).
| Layer | Name | Function | Protocols/Devices | PDU |
|---|---|---|---|---|
| 7 | Application | User interface, application services | HTTP, FTP, SMTP, DNS, SSH | Data |
| 6 | Presentation | Encryption, encoding, compression | SSL/TLS, JPEG, ASCII | Data |
| 5 | Session | Session establishment and management | NetBIOS, RPC | Data |
| 4 | Transport | End-to-end delivery, flow control | TCP, UDP | Segment |
| 3 | Network | Logical addressing, routing | IP, ICMP, OSPF · Routers | Packet |
| 2 | Data Link | Physical addressing, error detection | Ethernet, 802.11 · Switches | Frame |
| 1 | Physical | Bits on the wire/air | Cables, hubs, NICs | Bit |
Chapter 2 - TCP/IP Model & Key Protocols
The TCP/IP model is what actually runs the internet. It collapses OSI layers 5-7 into "Application."
| TCP/IP Layer | OSI Equivalent | Protocols |
|---|---|---|
| Application | 5, 6, 7 | HTTP(S), FTP, SSH, Telnet, SMTP, POP3, IMAP, DNS, DHCP, SNMP |
| Transport | 4 | TCP, UDP |
| Internet | 3 | IPv4, IPv6, ICMP, ARP, OSPF, EIGRP, BGP |
| Network Access | 1, 2 | Ethernet, 802.11 Wi-Fi, PPP |
TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (3-way handshake) | Connectionless |
| Reliability | Guaranteed delivery, ACKs, retransmission | Best-effort, no ACKs |
| Order | Sequenced (sequence numbers) | No ordering |
| Speed | Slower (overhead) | Faster |
| Use cases | HTTP, FTP, SSH, email | DNS, VoIP, video streaming, DHCP |
Common Port Numbers (Must Know)
| Port | Protocol | Port | Protocol |
|---|---|---|---|
| 20/21 | FTP (data/control) | 110 | POP3 |
| 22 | SSH | 143 | IMAP |
| 23 | Telnet | 161/162 | SNMP |
| 25 | SMTP | 389 | LDAP |
| 53 | DNS | 443 | HTTPS |
| 67/68 | DHCP | 445 | SMB |
| 80 | HTTP | 3389 | RDP |
Chapter 3 - Ethernet & Switching
MAC Addresses
MAC (Media Access Control) addresses are 48-bit hardware addresses burned into NICs. Written as AA:BB:CC:DD:EE:FF. First 24 bits = OUI (manufacturer), last 24 bits = unique device ID.
# View MAC address
ip link show eth0
ifconfig eth0
# Cisco switch: show MAC address table
show mac address-table
show mac address-table dynamic
Switch Operation
- Learn: When a frame arrives, the switch learns the source MAC → port mapping
- Forward: If the destination MAC is in the table, forward to that port only
- Flood: If the destination MAC is unknown, flood to all ports except the source
- Filter: If source and destination are on the same port, drop the frame
Chapter 4 - IP Addressing
See the Subnetting Lab for detailed practical exercises. Key concepts here:
Private Address Ranges (RFC 1918)
| Range | Class | CIDR |
|---|---|---|
| 10.0.0.0 - 10.255.255.255 | A | 10.0.0.0/8 |
| 172.16.0.0 - 172.31.255.255 | B | 172.16.0.0/12 |
| 192.168.0.0 - 192.168.255.255 | C | 192.168.0.0/16 |
Special Addresses
- 127.0.0.1: Loopback (localhost)
- 169.254.x.x: APIPA (no DHCP available)
- 0.0.0.0: Default route / all networks
- 255.255.255.255: Limited broadcast
Chapter 5 - Subnetting & VLSM
Covered in depth in the Subnetting Lab. Quick reference:
| Prefix | Usable hosts |
|---|---|
| /24 | 254 |
| /25 | 126 |
| /26 | 62 |
| /27 | 30 |
| /28 | 14 |
| /30 | 2 (point-to-point links) |
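An added Python example (not part of the guide) that turns the Chapter 4 and 5 tables into working checks: it classifies an IPv4 address against the RFC 1918 and special ranges above, and computes usable hosts per prefix including the /31 and /32 edge cases the 2^n - 2 rule does not cover. Only the standard library `ipaddress` module is used.

```python
import ipaddress

# Ranges from the Chapter 4 tables: RFC 1918 private space and the special addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPECIAL = [("loopback", ipaddress.ip_network("127.0.0.0/8")),
           ("APIPA (no DHCP available)", ipaddress.ip_network("169.254.0.0/16"))]

def classify(addr):
    """Name the category an IPv4 address falls into, the first question a
    defender asks about an address seen in a log or an ACL."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "default route / unspecified"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    for name, net in SPECIAL:
        if ip in net:
            return name
    for net in RFC1918:
        if ip in net:
            return f"private RFC 1918 ({net})"
    return "public"

def usable_hosts(prefix):
    """Usable host addresses for an IPv4 prefix length. /31 (RFC 3021
    point-to-point) and /32 are the edge cases: nothing is reserved for a
    network or broadcast address there, so the 2^n - 2 rule does not apply."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    if prefix >= 31:
        return 2 if prefix == 31 else 1
    return 2 ** (32 - prefix) - 2

def subnet_summary(cidr):
    """Network, broadcast, first/last usable host and host count for a CIDR,
    e.g. the 10.0.0.0/30 point-to-point link used in the routing chapters."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
            "usable": usable_hosts(net.prefixlen)}
```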
Chapter 6 - Static Routing
# Cisco IOS static route syntax:
ip route [network] [mask] [next-hop | exit-interface]
# Route to 192.168.2.0/24 via next-hop 10.0.0.2
ip route 192.168.2.0 255.255.255.0 10.0.0.2
# Default route (gateway of last resort)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
# Verify routing table
show ip route
# Route codes in output:
# C = Connected, S = Static, O = OSPF
# R = RIP, D = EIGRP, B = BGP, * = default route
Chapter 7 - OSPF (Open Shortest Path First)
OSPF is a link-state routing protocol. Routers share LSAs (Link State Advertisements) to build a complete topology map, then run Dijkstra's SPF algorithm to find the best paths.
Key OSPF Concepts
- AD (Administrative Distance): OSPF = 110
- Metric: Cost based on bandwidth (reference BW 100 Mbps by default)
- Router ID: Highest loopback IP, or highest active interface IP
- DR/BDR: On multi-access networks, elected to reduce LSA flooding
- Area 0: The backbone area. All other areas must connect to it
# Enable OSPF single-area
router ospf 1
router-id 1.1.1.1
network 192.168.1.0 0.0.0.255 area 0
network 10.0.0.0 0.0.0.3 area 0
# Verify OSPF
show ip ospf neighbor
show ip ospf database
show ip route ospf
# Set OSPF cost on an interface
interface GigabitEthernet0/0
ip ospf cost 10
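To show how the cost bullet and the SPF sentence above fit together, here is an added Python example (not from the guide): it derives IOS interface costs from the default 100 Mbps reference bandwidth and runs Dijkstra over a constructed three-router topology, the way each router does over its link-state database.

```python
import heapq

REFERENCE_BW_MBPS = 100  # the IOS default 'auto-cost reference-bandwidth'

def ospf_cost(bandwidth_mbps):
    """Interface cost = reference bandwidth / interface bandwidth, truncated to
    an integer and never below 1. With the 100 Mbps default, FastEthernet,
    GigabitEthernet and 10G all cost 1, so faster links are not preferred
    unless the reference bandwidth is raised on every router."""
    return max(1, int(REFERENCE_BW_MBPS / bandwidth_mbps))

def build_lsdb(topology):
    """Turn (router_a, router_b, bandwidth_mbps) links into the adjacency list a
    router assembles from received LSAs: {router: [(neighbor, cost), ...]}."""
    links = {}
    for a, b, bw in topology:
        links.setdefault(a, []).append((b, ospf_cost(bw)))
        links.setdefault(b, []).append((a, ospf_cost(bw)))
    return links

def spf(links, source):
    """Dijkstra from 'source' over the LSDB. Returns {router: (cost, path)}."""
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a shorter path was already found
        for nbr, link_cost in links.get(node, []):
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, best[node][1] + [nbr])
                heapq.heappush(heap, (new_cost, nbr))
    return best

# Constructed topology: R1-R2 over a T1 serial link (1.544 Mbps, cost 64),
# R1-R3 and R3-R2 over FastEthernet (cost 1 each). SPF prefers R1 -> R3 -> R2.
SAMPLE_TOPOLOGY = [("R1", "R2", 1.544), ("R1", "R3", 100), ("R3", "R2", 100)]

if __name__ == "__main__":
    for router, (cost, path) in sorted(spf(build_lsdb(SAMPLE_TOPOLOGY), "R1").items()):
        print(f"{router}: cost {cost} via {' -> '.join(path)}")
```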
Chapter 8 - EIGRP
EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco advanced distance-vector protocol. It converges fast and supports unequal-cost load balancing.
# Enable EIGRP (AS number must match on all routers)
router eigrp 100
network 192.168.1.0 0.0.0.255
network 10.0.0.0 0.0.0.3
no auto-summary
# Verify
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
# Key metrics: Bandwidth + Delay (by default)
# AD: internal = 90, external = 170, summary = 5
Chapter 9 - VLANs & Trunking
VLANs (Virtual LANs) logically segment a network at Layer 2 without needing separate physical switches.
# Create a VLAN
vlan 10
name SALES
vlan 20
name IT
# Assign port to VLAN (access port)
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
# Configure trunk port (carries multiple VLANs)
interface GigabitEthernet0/1
# On switches that also support ISL, set the encapsulation before 'mode trunk'
# or the mode command is rejected
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99
# Verify
show vlan brief
show interfaces trunk
# Router-on-a-stick (inter-VLAN routing)
interface GigabitEthernet0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0
Chapter 10 - Spanning Tree Protocol (STP)
STP prevents Layer 2 loops by blocking redundant paths. Without STP, a broadcast loop would bring down a switched network instantly.
STP Port States
| State | Learns MACs? | Forwards? |
|---|---|---|
| Blocking | No | No |
| Listening | No | No |
| Learning | Yes | No |
| Forwarding | Yes | Yes |
| Disabled | No | No |
# Show STP status
show spanning-tree
show spanning-tree vlan 10
# Set bridge priority (lower = more likely to become root)
spanning-tree vlan 10 priority 4096
# PortFast - skip listening/learning for access ports
interface FastEthernet0/1
spanning-tree portfast
# RSTP (802.1w) - much faster convergence than classic STP
spanning-tree mode rapid-pvst
Chapter 11 - Access Control Lists (ACLs)
ACLs filter traffic on routers. An implicit deny all sits at the end of every ACL; if traffic doesn't match any permit statement, it's dropped.
# Standard ACL (filters source IP only, numbers 1-99)
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
# Apply to interface (inbound or outbound)
interface GigabitEthernet0/0
ip access-group 10 in
# Extended ACL (src, dst, protocol, port; numbers 100-199)
access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 80
access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 110 deny ip any any
# Named ACL (preferred: easier to edit)
ip access-list extended BLOCK_TELNET
deny tcp any any eq 23
permit ip any any
interface GigabitEthernet0/1
ip access-group BLOCK_TELNET in
# Verify
show access-lists
show ip interface GigabitEthernet0/0
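An added Python evaluator (not from the guide) for the ACL forms shown in this chapter. It parses standard, extended and named-ACL entries, applies wildcard-mask matching (0 bits must match, 1 bits are ignored), walks the list first-match-wins, and falls through to the implicit deny; it is a way to check what an ACL really permits before applying it to an interface.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i];
    returns (network, wildcard, next index) with addresses as integers."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.ip_address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return net, int(ipaddress.ip_address(tokens[i + 1])), i + 2
    return net, 0, i + 1  # bare address without wildcard = single host

def _matches(ip, net, wildcard):
    # Wildcard bit 0 = must match, bit 1 = don't care (inverse of a subnet mask).
    return (ip & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)

def parse_acl(lines):
    """Parse ACEs ('access-list N ...' or named-ACL body lines), in order, into
    (action, proto, src, src_wc, dst, dst_wc, dst_port) tuples."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]  # drop 'access-list <number>'
        action = t[0]
        if t[1] in PROTOCOLS:  # extended ACE: protocol, source, destination
            proto = t[1]
            src, src_wc, i = _addr(t, 2)
            dst, dst_wc, i = _addr(t, i)
        else:  # standard ACE: source only; any protocol, any destination
            proto, dst, dst_wc = "ip", 0, 0xFFFFFFFF
            src, src_wc, i = _addr(t, 1)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, src_wc, dst, dst_wc, port))
    return entries

def evaluate(entries, src_ip, dst_ip, proto="ip", dst_port=None):
    """First matching ACE wins; the implicit deny at the end catches the rest."""
    s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    for action, p, net_s, wc_s, net_d, wc_d, port in entries:
        if (p == "ip" or p == proto) and _matches(s, net_s, wc_s) \
                and _matches(d, net_d, wc_d) and (port is None or port == dst_port):
            return action
    return "deny (implicit)"
```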
Chapter 12 - NAT & PAT
NAT (Network Address Translation) converts private IPs to public IPs, allowing many devices to share one public IP address.
# PAT (Port Address Translation / NAT Overload)
# Most common: many-to-one translation
# Define inside/outside interfaces
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
# Create ACL for traffic to translate
access-list 1 permit 192.168.0.0 0.0.255.255
# Enable PAT (overload)
ip nat inside source list 1 interface GigabitEthernet0/1 overload
# Verify NAT translations
show ip nat translations
show ip nat statistics
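An added Python model (not from the guide) of the PAT configuration above: inside flows whose source matches the ACL get a unique source port on the one outside address, replies are mapped back through that entry, and an inbound packet with no entry has nowhere to go and is dropped. The outside address 203.0.113.5 and the flows in the test are constructed values.

```python
import ipaddress
import itertools

class PatTable:
    """Many-to-one translation, as 'ip nat inside source list 1 interface
    GigabitEthernet0/1 overload' does: each inside (ip, port, proto) flow gets
    a unique source port on the single outside address. Only inside-initiated
    flows create entries, so an unsolicited packet arriving from outside finds
    no entry and is dropped."""
    def __init__(self, outside_ip, inside_net, first_port=1024):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)  # what 'list 1' permits
        self.ports = itertools.count(first_port)
        self.out_by_inside = {}  # (inside_ip, inside_port, proto) -> outside_port
        self.inside_by_out = {}  # (outside_port, proto) -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port, proto="tcp"):
        """Return the (source ip, source port) the packet leaves with."""
        if ipaddress.ip_address(inside_ip) not in self.inside_net:
            return inside_ip, inside_port  # not permitted by the ACL: left untranslated
        key = (inside_ip, inside_port, proto)
        if key not in self.out_by_inside:
            port = next(self.ports)
            self.out_by_inside[key] = port
            self.inside_by_out[(port, proto)] = (inside_ip, inside_port)
        return self.outside_ip, self.out_by_inside[key]

    def translate_inbound(self, outside_port, proto="tcp"):
        """Return the inside (ip, port) for a reply, or None when there is no
        matching entry and the packet should be dropped."""
        return self.inside_by_out.get((outside_port, proto))

    def translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        return [(proto, f"{self.outside_ip}:{port}", f"{ip}:{iport}")
                for (ip, iport, proto), port in self.out_by_inside.items()]
```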
Chapter 13 - DHCP & DNS
# Configure DHCP server on Cisco router
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
# Verify
show ip dhcp pool
show ip dhcp binding
# DNS resolution process:
# 1. Client checks local cache
# 2. Client asks configured DNS server
# 3. DNS server checks its cache
# 4. DNS server queries root, then TLD, then authoritative server
# 5. Answer returned and cached
# DNS record types
# A = hostname → IPv4
# AAAA = hostname → IPv6
# MX = mail server
# CNAME = alias
# PTR = reverse lookup (IP → hostname)
# NS = authoritative name server
# TXT = arbitrary text (SPF, DKIM)
Chapter 14 - Network Security
Layer 2 Attacks & Mitigations
| Attack | Description | Mitigation |
|---|---|---|
| MAC Flooding | Fill switch CAM table → switch broadcasts all traffic | Port security (limit MAC count per port) |
| VLAN Hopping | Double-tagging or DTP exploit to access other VLANs | Disable DTP, set native VLAN to unused |
| ARP Spoofing | Fake ARP replies → MitM position | Dynamic ARP Inspection (DAI) |
| DHCP Starvation | Exhaust DHCP pool → DoS | DHCP Snooping (trust only uplinks) |
| STP Attack | Send superior BPDUs → become root bridge | BPDU Guard on access ports |
# Port Security - limit MACs per port (the port must be a static access port first)
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
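The following Python model, added here and not part of the guide, ties the Chapter 3 switch operation (learn, forward, flood, filter) to the port-security limit just configured: the CAM table is a dict, and a port that has reached its maximum drops and counts frames from further source MACs instead of learning them. Port names and MACs in the test are constructed.

```python
from collections import defaultdict

class Switch:
    """Model of the Chapter 3 learn/forward/flood/filter behaviour of a CAM
    table, plus the port-security limit configured above: once a port has
    learned 'maximum' MACs, frames from any further source MAC are dropped and
    counted ('violation restrict') instead of learned. Without the limit, a
    stream of random source MACs fills the table and the switch ends up
    flooding everything (the MAC Flooding row in the table above)."""
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = set(ports)
        self.max_macs = max_macs_per_port
        self.cam = {}                       # mac -> port
        self.violations = defaultdict(int)  # port -> dropped frame count

    def receive(self, in_port, src_mac, dst_mac):
        """Return the egress ports for a frame; [] means filtered or dropped."""
        if self.cam.get(src_mac) != in_port:            # new MAC, or one that moved
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if self.max_macs is not None and on_port >= self.max_macs:
                self.violations[in_port] += 1
                return []                               # port-security violation
            self.cam[src_mac] = in_port                 # learn source MAC -> port
        out = self.cam.get(dst_mac)
        if out is None:
            return sorted(self.ports - {in_port})       # unknown destination: flood
        if out == in_port:
            return []                                   # same port: filter
        return [out]                                    # known destination: forward
```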
# DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20
# Trust only the uplink to the real DHCP server; every other port stays untrusted
interface GigabitEthernet0/1
ip dhcp snooping trust
# Dynamic ARP Inspection
ip arp inspection vlan 10
interface GigabitEthernet0/1
ip arp inspection trust
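An added Python model (not switch code, and not from the guide) of how the DHCP snooping and DAI configurations above work together: server replies are accepted only on the trusted uplink, the bindings they create form the snooping table, and DAI validates ARP on untrusted ports against that table. As a modelling choice this check also requires the binding's port to match; real DAI validates the IP-to-MAC pair, and the extra port check is what IP Source Guard adds. All ports, MACs and addresses in the test are constructed.

```python
class L2Guard:
    """Model of the DHCP snooping + Dynamic ARP Inspection configs above.
    DHCP server replies (OFFER/ACK) are accepted only on trusted ports; the
    (IP, MAC, port) bindings they create are what DAI then checks every ARP
    packet on an untrusted port against."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # ip -> (mac, port), the DHCP snooping binding table
        self.dropped = []   # (reason, port, detail): what would go to syslog

    def dhcp_server_reply(self, port, client_mac, offered_ip, client_port):
        """A DHCP OFFER/ACK seen entering 'port', for a client on 'client_port'."""
        if port not in self.trusted:
            self.dropped.append(("server reply on untrusted port", port, offered_ip))
            return False
        self.bindings[offered_ip] = (client_mac, client_port)
        return True

    def arp_packet(self, port, sender_ip, sender_mac):
        """DAI check: on an untrusted port the sender IP/MAC pair must match the
        binding learned on that same port. Trusted ports are not inspected."""
        if port in self.trusted:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.dropped.append(("ARP sender does not match binding", port,
                                 f"{sender_ip} {sender_mac}"))
            return False
        return True
```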
Chapter 15 - IPv6 Basics
IPv4 is exhausted. IPv6 uses 128-bit addresses providing 340 undecillion unique addresses.
# IPv6 address format: 8 groups of 4 hex digits
2001:0db8:85a3:0000:0000:8a2e:0370:7334
# Can compress consecutive zeros with ::
2001:db8:85a3::8a2e:370:7334
# Special addresses:
::1/128 = loopback
fe80::/10 = link-local (always starts with fe80)
ff02::1 = all-nodes multicast
2001:db8::/32 = documentation/examples
# Configure IPv6 on Cisco interface
ipv6 unicast-routing
interface GigabitEthernet0/0
ipv6 address 2001:db8:1::1/64
ipv6 address fe80::1 link-local
# Show IPv6 info
show ipv6 interface brief
show ipv6 route