Networking Fundamentals
Complete Notes
Based on Practical Networking's course. Covers Modules 1, 2 & 3 — with extra DevOps-relevant topics.
Networking Fundamentals
What is a Host?
A host is any device that sends or receives traffic on a network.
Traditional Hosts
Computers, laptops, phones, printers, servers, smart TVs, speakers, smartwatches, smart thermostats, fridges
Cloud / IoT Hosts
Cloud VMs, cloud storage services, IoT sensors — all follow the same communication rules
Clients vs Servers
These are relative roles, not fixed device types:
| Role | Action | Example |
|---|---|---|
| Client | Initiates a request | Your browser requesting google.com |
| Server | Responds to a request | Google's web server sending the page |
IP Addresses
An IP address is the identity of each host — like a phone number or mailing address. Every host needs one to send and receive data.
- IP address = 32 bits (ones and zeros)
- Split into 4 octets, each converted to decimal (0–255)
- Example: 192.168.1.100
- Every packet is stamped with a source IP and a destination IP
192 . 168 . 1 . 100
┌────────────┐ ┌────────────┐ ┌──────────┐ ┌──────────┐
│ Octet 1 │ │ Octet 2 │ │ Octet 3 │ │ Octet 4 │
│ 00-255 │ │ 00-255 │ │ 00-255 │ │ 00-255 │
└────────────┘ └────────────┘ └──────────┘ └──────────┘
8 bits 8 bits 8 bits 8 bits
══════════════════════════════════════════════════════════
Total: 32 bits
IP Hierarchy (Subnetting Concept)
IP addresses are assigned hierarchically. Example — ACME Corporation:
ACME owns: 10.x.x.x (anything starting with 10)
│
├── New York Office: 10.20.x.x
│   ├── Sales: 10.20.55.x
│   ├── Engineering: 10.20.66.x
│   └── Marketing: 10.20.77.x
│
├── London Office: 10.30.x.x
│   └── Sales: 10.30.55.x   ← 10.30.55.127 = London Sales host
│
└── Tokyo Office: 10.40.x.x
Networks
A network = a logical grouping of hosts that require similar connectivity.
- The simplest network: two hosts connected by a wire
- Networks can contain sub-networks (subnets)
- The Internet = interconnected networks, tied together by ISPs
Why Devices Exist
Data (electrical signal) decays over distance. Also, directly connecting every host to every other host doesn't scale. Network devices solve both problems.
Repeater
Sole purpose: regenerate a signal. Anything entering one side comes out the other, amplified. Allows communication across greater distances.
Host A ──[weak signal]──► REPEATER ──[fresh signal]──► Host B
Hub
A multi-port repeater. Solves the scaling problem by giving all hosts a central point to connect to. But: it duplicates every incoming packet to all ports — every host receives everything.
┌──── Host A
│
[packet from A] HUB ─── Host B ← also gets packet
│
└──── Host C ← also gets packet
Bridge
Sits between two hub-connected segments. Has exactly 2 ports. Learns which hosts are on each side, and only forwards packets across when needed — containing traffic within its segment.
Segment A:                              Segment B:
Host1 ─┐                                      ┌─ Host3
Host2 ─┤ HUB-A ──[Bridge]── HUB-B ├─ Host4
• Host1 ↔ Host2: Bridge does NOT forward (same side)
• Host1 ↔ Host3: Bridge DOES forward (cross-side)
Switch
Combines Hub (multiple ports) + Bridge (learns per-port). A switch learns which host is on which port and sends data only to the correct port.
- Facilitates communication within a network
- All connected hosts share the same IP address space (e.g. 192.168.1.x)
- A Layer 2 device
┌── Port 1: Host A (192.168.1.10)
├── Port 2: Host B (192.168.1.20)
SWITCH ──┤── Port 3: Host C (192.168.1.30)
└── Port 4: Host D (192.168.1.40)
Host A → Host C: Switch sends packet ONLY to Port 3
Router
Facilitates communication between networks. Lives at the boundary of networks and directs traffic using routing tables.
- Has an IP address in each network it connects to
- Acts as the gateway — the exit point for hosts trying to reach other networks
- Stores a routing table: a list of all known networks and which interface leads there
- Security policies can be applied at router boundaries
Routing vs Switching
These are processes, not just device names. Access points, firewalls, load balancers, and Layer 3 switches all perform one or both.
| Device | Layer | Purpose | Addresses used |
|---|---|---|---|
| Repeater | L1 | Regenerate signal | None |
| Hub | L1 | Multi-port repeater (broadcasts) | None |
| Bridge | L2 | Contain traffic between segments | MAC |
| Switch | L2 | Forward within a network | MAC |
| Router | L3 | Forward between networks | IP |
Why the OSI Model?
Networking needs rules, just like languages have grammar. The OSI model divides networking rules into 7 layers. If every layer does its job, the goal — two hosts sharing data — is achieved.
Think of it like the human body: the skeletal, respiratory, and cardiovascular systems each have their own function, and together they achieve "life." The OSI layers each have a function, and together they achieve "data sharing."
Layer 7 │ Application  │ What the app uses (HTTP, DNS, FTP...)
Layer 6 │ Presentation │ Encoding, encryption, compression
Layer 5 │ Session      │ Connection management
─────────────────────────────────────────────────────
Layer 4 │ Transport    │ Service-to-service (ports, TCP/UDP)
Layer 3 │ Network      │ End-to-end delivery (IP addresses)
Layer 2 │ Data Link    │ Hop-to-hop delivery (MAC addresses)
Layer 1 │ Physical     │ Bits on the wire (cables, Wi-Fi)
Layer 1 — Physical
Goal: Transport bits (1s and 0s) between hosts.
- Anything that moves bits from A to B is a Layer 1 technology
- Examples: Ethernet cables, fiber optic cables, Wi-Fi radio signals
- Devices: Repeaters, Hubs
Layer 2 — Data Link
Goal: Hop-to-hop delivery — move data from one NIC to the next NIC.
- A "hop" = one NIC to another NIC
- Addressing scheme: MAC addresses
- Devices: NICs, Wi-Fi cards, Switches
MAC Addresses
- 48 bits, displayed as 12 hex digits
- Every NIC has a globally unique MAC address
- Three common display formats:
Windows: A1-B2-C3-D4-E5-F6 (dashes)
Linux: A1:B2:C3:D4:E5:F6 (colons)
Cisco: A1B2.C3D4.E5F6 (dots, groups of 4)
Layer 3 — Network
Goal: End-to-end delivery — get data from the source host all the way to the destination host, regardless of how many hops are in between.
- Addressing scheme: IP addresses
- Devices: Routers and any host with an IP address
Why both MAC and IP addresses?
They serve different scopes:
IP Address (L3)
Stays constant for the entire journey. Identifies source and destination hosts end-to-end. Like the address on an envelope.
MAC Address (L2)
Changes at every hop. Only relevant for the current single hop (NIC → NIC). Like who's handing the envelope at each step.
ARP — Address Resolution Protocol
ARP is the glue between L3 and L2. When a host knows the IP address of its next hop but needs the MAC address, it uses ARP to find it.
Layer 4 — Transport
Goal: Service-to-service delivery — get data to the right application on the destination host.
A single host runs many programs simultaneously (browser, Slack, a game). All of them share the same IP address. Layer 4 uses port numbers to tell them apart.
Port Numbers
- Range: 0–65535
- Two protocols: TCP and UDP (each has its own 0–65535 space)
- Well-known ports (servers): assigned ahead of time, standardized
- Ephemeral ports (clients): randomly chosen for each connection
TCP vs UDP
TCP — Transmission Control Protocol
Favors reliability. Guarantees delivery, order, and error-checking. Used for web (HTTP/HTTPS), email, file transfers. Slower but trustworthy.
UDP — User Datagram Protocol
Favors efficiency / speed. No delivery guarantee, no ordering. Used for video streaming, VoIP, DNS, online games. Fast but "fire and forget."
Well-Known Port Numbers
| Service | Protocol | Port |
|---|---|---|
| HTTP | TCP | 80 |
| HTTPS | TCP | 443 |
| DNS | UDP (mainly) | 53 |
| DHCP Server | UDP | 67 |
| DHCP Client | UDP | 68 |
| SSH | TCP | 22 |
| FTP | TCP | 20, 21 |
| SMTP | TCP | 25 |
| IRC | UDP | 6667 |
How Client-Server Port Communication Works
Client IP: 1.1.1.1                                                     Servers
┌─────────────────┐
│ Browser tab 1   │──[src:1.1.1.1:9999  dst:2.2.2.2:80  ]──► site.com (HTTP)
│ Browser tab 2   │──[src:1.1.1.1:11000 dst:2.2.2.2:80  ]──► site.com (same site, diff tab)
│ Banking app     │──[src:1.1.1.1:7777  dst:3.3.3.3:443 ]──► bank.com (HTTPS)
│ Chat (IRC)      │──[src:1.1.1.1:4444  dst:4.4.4.4:6667]──► chat server (UDP)
└─────────────────┘
Server responses come back to the CLIENT's random source port.
Each connection tracked by: Src IP + Src Port + Dst IP + Dst Port (4-tuple)
Layers 5, 6, 7 — Session, Presentation, Application
In the original OSI model these had distinct roles, but in practice modern applications blend them together freely:
| Layer | Original Role | Reality today |
|---|---|---|
| Layer 5 – Session | Manage connections between hosts | Apps handle this themselves |
| Layer 6 – Presentation | Data formatting, encryption, compression | Apps handle this themselves |
| Layer 7 – Application | User-facing protocols (HTTP, DNS, FTP...) | This is what developers interact with |
Encapsulation
When a host sends data, it goes down the OSI stack, with each layer wrapping the data with its own header:
Application data: [ DATA ]
↓ Layer 4 adds port header
Segment: [ L4 Header | DATA ]
↓ Layer 3 adds IP header
Packet: [ L3 Header | L4 Header | DATA ]
↓ Layer 2 adds MAC header + trailer
Frame: [ L2 Header | L3 Header | L4 Header | DATA | L2 Trailer ]
↓ Layer 1: converted to bits and transmitted
─────────────────────────────────────────────────────────────
Receiving host De-encapsulates (strips each header going up)
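Encapsulation and de-encapsulation as an added Python example (not code from the course or these notes): it wraps a payload in real UDP, IPv4 and Ethernet headers with `struct`, then strips them back off layer by layer and verifies the IPv4 header checksum on the way up. The MACs, IPs and ports are constructed sample values; the Ethernet FCS trailer is left out because the NIC computes it.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ipv4_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; a header with a valid checksum in place sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Go down the stack: data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    # Layer 4: 8-byte UDP header (checksum 0 = not computed, which UDP over IPv4 permits)
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    # Layer 3: 20-byte IPv4 header; checksum is computed with the field zeroed, then patched in
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5 x 32-bit words
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(segment), 0, 0, 64, IPPROTO_UDP, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Layer 2: 14-byte Ethernet header (dst MAC, src MAC, EtherType); FCS trailer omitted
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame):
    """Go up the stack: strip each header and return the fields that layer reads."""
    dst_mac, src_mac = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                # header length in bytes
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    proto = packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    segment = packet[ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "l2": {"src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype},
        "l3": {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto},
        "l4": {"src_port": src_port, "dst_port": dst_port},
        "data": segment[8:udp_len],
    }


if __name__ == "__main__":
    f = encapsulate(b"hello", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "192.168.1.10", "8.8.8.8", 40000, 53)
    print(len(f), "bytes on the wire")   # 47: 14 (L2) + 20 (L3) + 8 (L4) + 5 (data)
    print(decapsulate(f))
```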
What a Host Does Before Sending a Packet
Before any data leaves your computer, the host must figure out:
- Does the destination IP live on my network or a different network?
- What is the MAC address of the next hop?
Step 1 — Is it local or remote?
The host compares the destination IP to its own subnet. If the destination is in the same subnet → send directly. If it's in a different subnet → send to the default gateway (the router's IP on that network).
Step 2 — ARP (Address Resolution Protocol)
The host knows the IP of the next hop (either the destination or the gateway). But Layer 2 needs a MAC address. ARP resolves this:
Host A wants to reach IP 192.168.1.20 (local)
1. Host A broadcasts: "Who has 192.168.1.20? Tell 192.168.1.10"
[src MAC: A, dst MAC: FF:FF:FF:FF:FF:FF (broadcast)]
2. Host B (192.168.1.20) replies: "I have 192.168.1.20. My MAC is B."
[src MAC: B, dst MAC: A] (unicast reply)
3. Host A caches "192.168.1.20 → MAC B" in its ARP table.
4. Host A sends the actual packet to MAC B.
Default Gateway
Every host has a configured default gateway — the IP of the router interface on its local network. When the destination is on another network, the host sends the packet to the gateway. The gateway (router) then forwards it onward.
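The two steps above as an added Python example (not from the course or these notes): it decides whether the destination is local or behind the gateway, then resolves the next hop's MAC from a constructed ARP cache, broadcasting only on a cache miss. The host address, subnet, gateway, all MAC values and the WIRE table standing in for hosts that would answer an ARP request are constructed.

```python
import ipaddress

# Constructed example host: sits on 192.168.1.0/24 with 192.168.1.1 as its default gateway
HOST_IP = ipaddress.ip_address("192.168.1.10")
HOST_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = "192.168.1.1"
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"

# Constructed ARP cache (IP -> MAC), the table that `arp -a` / `ip neigh` would print
arp_cache = {
    "192.168.1.1": "AA:AA:AA:AA:AA:01",   # the gateway's MAC
    "192.168.1.20": "BB:BB:BB:BB:BB:20",  # Host B, already resolved earlier
}

# Constructed stand-in for "who would answer an ARP request on this wire"
WIRE = {"192.168.1.30": "CC:CC:CC:CC:CC:30"}


def next_hop(dst_ip):
    """Step 1: same subnet -> deliver directly; otherwise -> hand to the default gateway."""
    if ipaddress.ip_address(dst_ip) in HOST_NET:
        return dst_ip
    return GATEWAY_IP


def arp_resolve(ip, cache, wire):
    """Step 2: return (mac, request); request is the ARP broadcast sent, or None on a cache hit."""
    if ip in cache:
        return cache[ip], None
    # Cache miss: broadcast "Who has <ip>? Tell <me>" to FF:FF:FF:FF:FF:FF
    request = {"who_has": ip, "tell": str(HOST_IP), "dst_mac": BROADCAST_MAC}
    if ip not in wire:
        raise LookupError(f"no ARP reply for {ip}")
    cache[ip] = wire[ip]            # the unicast reply arrives; cache it for next time
    return cache[ip], request


def prepare_send(dst_ip, cache=arp_cache, wire=WIRE):
    """What the host works out before the first frame leaves: the L3 destination stays the
    final host, the L2 destination is the MAC of the *next hop* (the gateway for remote targets)."""
    hop = next_hop(dst_ip)
    mac, request = arp_resolve(hop, cache, wire)
    return {
        "l3_dst_ip": dst_ip,
        "next_hop": hop,
        "l2_dst_mac": mac,
        "local": hop == dst_ip,
        "arp_broadcast_sent": request is not None,
    }


if __name__ == "__main__":
    for target in ("192.168.1.20", "8.8.8.8", "192.168.1.30", "192.168.1.30"):
        print(target, prepare_send(target))
```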
DNS — Domain Name System
Before any of the above, if the destination is a hostname (like google.com), the host needs to resolve it to an IP via DNS.
1. User types: https://google.com
2. Host checks DNS cache → not found
3. Host sends DNS query to configured DNS server (UDP, port 53)
4. DNS server returns: google.com → 142.250.x.x
5. Host now has destination IP → proceeds with ARP / routing
6. TCP 3-way handshake (if TCP)
7. HTTP/HTTPS request sent
8. Response received → page rendered
Switch's Core Function
A switch maintains a MAC Address Table (also called CAM table): a mapping of MAC addresses to ports.
How a Switch Learns
Initial state: MAC table is empty.
1. Host A (MAC: AAAA) sends a frame from Port 1.
Switch records: AAAA → Port 1.
Switch doesn't know where BBBB is → FLOODS frame to all other ports.
2. Host B (MAC: BBBB) receives, replies from Port 3.
Switch records: BBBB → Port 3.
Switch now knows AAAA and BBBB.
3. Next frame from A to B:
Switch looks up BBBB → Port 3. Sends ONLY to Port 3. ← UNICAST FORWARDING
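The learning sequence above as an added Python simulation (not the course's or the notes' code): a constructed 4-port switch learns source MACs per port, floods unknown unicast and broadcast frames to every port except the ingress one, and forwards known destinations to a single port. MACs AAAA/BBBB/CCCC and the port numbers are constructed.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class LearningSwitch:
    """Minimal learning switch: the MAC (CAM) table maps a MAC to the port it was last seen on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC -> port
        self.log = []         # (src, dst, action, egress ports) for inspection

    def receive(self, ingress_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is sent out of."""
        # 1. Learn: src_mac lives behind ingress_port (overwrites a stale entry if the host moved)
        self.mac_table[src_mac] = ingress_port
        # 2. Forward
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            action = "FLOOD"
            egress = [p for p in self.ports if p != ingress_port]   # every port but the ingress
        else:
            action = "UNICAST"
            out = self.mac_table[dst_mac]
            egress = [] if out == ingress_port else [out]           # same port: destination already saw it
        self.log.append((src_mac, dst_mac, action, egress))
        return egress


def demo():
    """Replays the three-step sequence from the notes on a constructed 4-port switch."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    sw.receive(1, "AAAA", "BBBB")   # A -> B, BBBB unknown: flood to 2, 3, 4
    sw.receive(3, "BBBB", "AAAA")   # B replies from port 3: AAAA known -> port 1 only
    sw.receive(1, "AAAA", "BBBB")   # both known now: port 3 only
    return sw


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```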
VLANs (Virtual LANs)
A switch can be logically divided into multiple VLANs. Each VLAN acts as its own broadcast domain — hosts in VLAN 10 cannot communicate with VLAN 20 at Layer 2; they need a router (or Layer 3 switch) to cross VLAN boundaries.
Spanning Tree Protocol (STP)
When you connect multiple switches with redundant links for fault tolerance, you create loops. STP automatically blocks redundant paths to prevent frames from circulating forever, and re-enables them if the primary path fails.
Routing Table
A router stores a table of known networks. Each entry (a route) includes:
- Destination network (e.g., 10.20.0.0/16)
- Next hop IP or outgoing interface
- Metric (cost/preference)
Types of Routes
| Type | How added | Example |
|---|---|---|
| Directly connected | Automatic when an interface is configured | The subnet on each interface |
| Static route | Manually configured by admin | ip route 10.30.0.0 255.255.0.0 10.20.1.1 |
| Dynamic route | Learned via routing protocols (OSPF, BGP, EIGRP) | Auto-learned from neighbor routers |
| Default route | Static or dynamic | 0.0.0.0/0 — "send here if no other match" |
Longest Prefix Match
When multiple routes match a destination, the router picks the most specific one (the one with the longest prefix / highest subnet mask).
Routes: 10.0.0.0/8, 10.20.0.0/16, 10.20.55.0/24
Destination: 10.20.55.100
Winner: 10.20.55.0/24 (most specific)
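Longest prefix match as an added Python example (not the course's or the notes' code) over a constructed routing table that includes the three routes above plus a default route: the lookup orders candidates most-specific first and returns the winner. The next-hop values and the interface name eth1 are constructed.

```python
import ipaddress

# Constructed routing table: (destination network, next hop or outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "via 203.0.113.1"),      # default route: matches everything, prefix length 0
    ("10.0.0.0/8", "via 10.0.0.1"),
    ("10.20.0.0/16", "via 10.20.1.1"),
    ("10.20.55.0/24", "dev eth1"),         # directly connected
]


def parse_routes(routes):
    """Parse and sort most-specific first, which is the order a router checks candidates in."""
    parsed = [(ipaddress.ip_network(net), hop) for net, hop in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(dst, routes=ROUTES):
    """Return (network, next_hop) of the longest-prefix match, or raise if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for net, hop in parse_routes(routes):
        if addr in net:
            return str(net), hop
    raise LookupError(f"no route to {dst}")


def matching_routes(dst, routes=ROUTES):
    """Every route that matches dst, most specific first: what the router chose between."""
    addr = ipaddress.ip_address(dst)
    return [str(net) for net, _ in parse_routes(routes) if addr in net]


if __name__ == "__main__":
    print(matching_routes("10.20.55.100"))   # ['10.20.55.0/24', '10.20.0.0/16', '10.0.0.0/8', '0.0.0.0/0']
    print(lookup("10.20.55.100"))            # ('10.20.55.0/24', 'dev eth1')
    print(lookup("8.8.8.8"))                 # ('0.0.0.0/0', 'via 203.0.113.1')
```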
DNS — Domain Name System
Resolves human-readable names to IP addresses. Hierarchical system: Root → TLD (.com, .org) → Authoritative nameserver.
| Record Type | Purpose |
|---|---|
| A | Hostname → IPv4 |
| AAAA | Hostname → IPv6 |
| CNAME | Alias → another hostname |
| MX | Mail exchange server |
| NS | Name server for domain |
| PTR | Reverse DNS: IP → hostname |
| TXT | Arbitrary text (SPF, DKIM...) |
DHCP — Dynamic Host Configuration Protocol
Automatically assigns IP addresses to hosts. The DORA process:
Client DHCP Server
│──── Discover (broadcast) ──────────►│
│◄─── Offer (IP offer) ───────────────│
│──── Request (accept offer) ─────────►│
│◄─── Acknowledge (confirmed) ────────│
Client receives: IP, Subnet Mask, Default Gateway, DNS Server
HTTP / HTTPS
HTTP (port 80): HyperText Transfer Protocol — transfers web content. Plaintext.
HTTPS (port 443): HTTP + TLS encryption. The same protocol, but wrapped in SSL/TLS.
SSL/TLS: Provides encryption, authentication, and integrity. TLS is the modern, more secure version of SSL.
FTP — File Transfer Protocol
Transfers files between hosts. Uses port 21 for control, port 20 for data. Plaintext — use SFTP or FTPS in production.
SMTP — Simple Mail Transfer Protocol
Sends email (port 25). Use SMTPS (port 465) or SMTP with STARTTLS (port 587) for secure mail.
sequenceDiagram
participant H as Your Host
participant SW as Switch (LAN)
participant GW as Default Gateway (Router)
participant ISP as ISP Router
participant DST as Destination Server
H->>H: DNS resolve google.com → 142.250.x.x
H->>H: ARP → get gateway MAC
H->>SW: Frame [Src:HostMAC, Dst:GW-MAC | Src:HostIP, Dst:142.250.x.x]
SW->>GW: Forward to GW port
GW->>GW: Strip L2, check routing table
GW->>ISP: New Frame [Src:GW-MAC, Dst:ISP-MAC | Src:HostIP, Dst:142.250.x.x]
ISP->>ISP: Strip L2, route to next hop
ISP->>DST: Frame [Src:ISP-MAC, Dst:Server-MAC | Src:HostIP, Dst:142.250.x.x]
DST->>DST: Strip all headers, process request
DST->>H: Response (reverse path)
Proving What We Learned & Going Further
Key Network Attributes Every Host Has
| Attribute | Purpose | Example |
|---|---|---|
| IP Address | Host's identity on the network | 192.168.1.50 |
| Subnet Mask | Defines the network portion of IP | 255.255.255.0 = /24 |
| Default Gateway | Router to use for non-local traffic | 192.168.1.1 |
| DNS Server | Name resolution | 8.8.8.8 |
Verification Commands
# Windows
ipconfig /all # Show all network config
ipconfig /flushdns # Clear DNS cache
nslookup google.com # DNS lookup
route print # Routing table
arp -a # ARP table
# Linux / macOS
ip addr # Show IP addresses (modern)
ifconfig # Older alternative
ip route # Routing table
cat /etc/resolv.conf # DNS config
arp -n # ARP table
nmcli # NetworkManager CLI (Linux)
# macOS
networksetup -listallnetworkservices
Ping
Ping uses ICMP (Internet Control Message Protocol) to test connectivity. It sends an Echo Request and waits for an Echo Reply.
ping 8.8.8.8 # Basic ping (ICMP echo)
ping -c 4 google.com # Send 4 packets (Linux/Mac)
ping -n 4 google.com # Send 4 packets (Windows)
traceroute google.com # Linux/Mac: trace route hops
tracert google.com # Windows equivalent
Wireshark — Packet Analysis
Wireshark is a packet capture tool that lets you see every frame going in and out of your NIC. Essential for debugging network issues.
Key Concepts
- Capture filter: Filter at capture time (e.g., only TCP port 80)
- Display filter: Filter what you see after capture
- Each packet shows all layers: Frame → Ethernet → IP → TCP/UDP → Application
# Common Wireshark display filters
tcp.port == 80 # HTTP traffic
ip.addr == 192.168.1.5 # Traffic to/from specific IP
icmp # Only ping traffic
dns # Only DNS
http.request # HTTP requests only
tcp.flags.syn == 1 # TCP SYN packets (new connections)
Why NAT Exists
IPv4 has ~4.3 billion addresses — not enough for every device. NAT allows many devices to share a single public IP by mapping private IPs to public ones.
Private IP Ranges (RFC 1918)
| Range | CIDR | Common use |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | /8 | Corporate networks |
| 172.16.0.0 – 172.31.255.255 | /12 | Corporate / Docker default |
| 192.168.0.0 – 192.168.255.255 | /16 | Home routers |
Types of NAT
Internal                  Router (NAT)                 Internet
192.168.1.10:5000 ──► translate ──► 203.0.113.5:40001 ──► Server
192.168.1.20:6000 ──► translate ──► 203.0.113.5:40002 ──► Server
192.168.1.30:7000 ──► translate ──► 203.0.113.5:40003 ──► Server

Router NAT table:
  40001 → 192.168.1.10:5000
  40002 → 192.168.1.20:6000
  40003 → 192.168.1.30:7000
Replies come back to 203.0.113.5:4000x → router translates back
How Wi-Fi Works
Wi-Fi uses radio waves to transmit data. It's still Layer 1 — just wireless instead of wired. An Access Point (AP) bridges wireless hosts to a wired network.
- 2.4 GHz: Better range, more interference, slower (used by older devices)
- 5 GHz: Less interference, faster, shorter range
- 6 GHz (Wi-Fi 6E): Newest, fastest, shortest range
Wi-Fi Security Standards
| Standard | Security | Status |
|---|---|---|
| WEP | Weak, easily cracked | ❌ Avoid |
| WPA | Improved but still vulnerable | ❌ Avoid |
| WPA2 | AES encryption, widely used | ✅ Acceptable |
| WPA3 | Best, uses SAE instead of PSK | ✅ Recommended |
SSID, BSSID, Association
- SSID: The human-readable Wi-Fi network name
- BSSID: The MAC address of the Access Point
- Devices associate with an AP and get an IP via DHCP
Typical Home Network
Internet
│
[Modem] ──── ISP provides public IP
│
[Router/Gateway] 192.168.1.1
│ \
[Switch] [Wi-Fi AP]
/ \ \
Host A Host B Phone/Laptop
All internal hosts: 192.168.1.x/24
Router does NAT: translates private IPs to public IP
Network Segmentation
Dividing a network into smaller parts for security and performance:
- Isolates broadcast domains
- Limits blast radius of security incidents
- Enables different policies per segment
- Implemented via VLANs or separate physical networks
Scaling Network Capacity
- More switches: Add ports / more hosts
- Link aggregation (LACP): Bundle multiple cables between switches for more bandwidth and redundancy
- Hierarchical design: Access → Distribution → Core switch layers
- Spine-leaf: Modern data-center design for horizontal scale
A protocol is a set of rules that define how two parties communicate. Protocols define: message format, sequence of messages, error handling, and connection establishment/teardown.
TCP 3-Way Handshake
Client Server
│──── SYN ─────────────►│ "I want to connect, my seq=X"
│◄─── SYN-ACK ──────────│ "OK, my seq=Y, your seq+1 acknowledged"
│──── ACK ─────────────►│ "Your seq+1 acknowledged"
│ │
│ [Data exchange] │
│ │
│──── FIN ─────────────►│ "Done sending"
│◄─── FIN-ACK ──────────│
│──── ACK ─────────────►│ Connection closed
Layer 5 — Session
Manages sessions between applications — starting, maintaining, and ending conversations. Examples: NetBIOS, RPC, SQL sessions.
Layer 6 — Presentation
Handles data translation: encoding (ASCII, Unicode), encryption (SSL/TLS operates here conceptually), compression (gzip). Ensures data sent by one app can be understood by another.
Layer 7 — Application
The layer that user-facing applications and protocols operate at: HTTP, FTP, DNS, SMTP, SSH, DHCP. This is where developers spend most of their time.
Layer 3 Focus
Classes of IP Addresses (Classful, historical)
| Class | Range | Default Mask | Use |
|---|---|---|---|
| A | 1–126.x.x.x | /8 | Large orgs |
| B | 128–191.x.x.x | /16 | Medium orgs |
| C | 192–223.x.x.x | /24 | Small orgs |
| D | 224–239.x.x.x | N/A | Multicast |
| E | 240–255.x.x.x | N/A | Reserved / Experimental |
Classful addressing is obsolete. Modern networking uses CIDR (Classless Inter-Domain Routing). But you'll still see the terms "Class A/B/C" in the wild.
Special IP Ranges
| Address | Meaning |
|---|---|
| 127.0.0.1 | Loopback (localhost) — refers to yourself |
| 0.0.0.0 | Default route / unspecified address |
| 255.255.255.255 | Limited broadcast (sent to all on local network) |
| 10.x.x.x, 172.16-31.x.x, 192.168.x.x | Private (RFC 1918) |
| 169.254.x.x | APIPA — self-assigned when DHCP fails |
| Type | Destination | Example | Use Case |
|---|---|---|---|
| Unicast | One specific host | Typical web request | Most network traffic |
| Broadcast | All hosts on local network | ARP requests, DHCP Discover | Discovery protocols |
| Multicast | A subscribed group of hosts | 224.0.0.x range | Streaming, routing protocols (OSPF) |
| Anycast | Nearest host with that IP | 8.8.8.8 (Google DNS) | CDN, DNS at scale |
What is Subnetting?
Subnetting = dividing a large IP block into smaller, manageable sub-blocks. It controls which hosts are in the same network and which need a router to communicate.
Subnet Mask
A 32-bit number that defines the network portion vs host portion of an IP address.
IP: 192.168.1.100 → 11000000.10101000.00000001.01100100
Mask: 255.255.255.0 → 11111111.11111111.11111111.00000000
─────────── Network ─────────── ── Host ──
CIDR: /24 (24 ones in the mask)
CIDR Notation
Instead of writing 255.255.255.0, we write /24 — the number of 1-bits in the subnet mask.
| CIDR | Subnet Mask | Hosts | Usable |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /30 | 255.255.255.252 | 4 | 2 |
| /32 | 255.255.255.255 | 1 | 1 (single host) |
Subnetting Example: Split /24 into /26s
Original: 192.168.1.0/24 (256 IPs, 254 usable)
Subnet 1: 192.168.1.0/26   → .0   to .63  (62 usable)
Subnet 2: 192.168.1.64/26  → .64  to .127 (62 usable)
Subnet 3: 192.168.1.128/26 → .128 to .191 (62 usable)
Subnet 4: 192.168.1.192/26 → .192 to .255 (62 usable)
Each subnet gets: Network addr, 62 hosts, Broadcast addr
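The subnet mask, CIDR table and /24-into-/26 split above as an added Python example (not the course's or the notes' code) using the standard library's `ipaddress` module: it renders the mask bits, computes network/broadcast/usable counts (with the /31 and /32 special case), carves a block into sub-blocks, and answers the "same subnet or router needed?" question. The sample addresses are the ones from the notes.

```python
import ipaddress


def dotted_binary(addr):
    """Render an IPv4 address or mask as 32 bits in four octets, as in the Subnet Mask section."""
    return ".".join(f"{int(o):08b}" for o in str(addr).split("."))


def usable_hosts(net):
    # /31 and /32 have no separate network/broadcast address, so every address is usable
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def subnet_info(cidr):
    """Network, broadcast, mask and host counts for an address written in CIDR form."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address such as .100/24
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "total": net.num_addresses,
        "usable": usable_hosts(net),
        # True for RFC 1918 space (and other non-globally-routable ranges such as loopback)
        "private": net.is_private,
    }


def split(cidr, new_prefix):
    """Carve a block into equal sub-blocks, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [(str(s), str(s.network_address), str(s.broadcast_address), usable_hosts(s))
            for s in net.subnets(new_prefix=new_prefix)]


def same_subnet(a, b, prefix):
    """Step 1 of sending: are two hosts in the same subnet, or is a router needed between them?"""
    net_a = ipaddress.ip_interface(f"{a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{b}/{prefix}").network
    return net_a == net_b


if __name__ == "__main__":
    print("IP:  ", dotted_binary("192.168.1.100"))
    print("Mask:", dotted_binary("255.255.255.0"))
    print(subnet_info("192.168.1.100/24"))
    for row in split("192.168.1.0/24", 26):
        print(row)
    print(same_subnet("192.168.1.10", "192.168.1.200", 24), same_subnet("192.168.1.10", "192.168.1.200", 26))
```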
Static NAT (1-to-1)
One private IP permanently mapped to one public IP. Used for servers that must be reachable from the internet with a consistent public IP (e.g., a web server behind a corporate firewall).
# Example (Cisco-style concept)
ip nat inside source static 10.0.0.10 203.0.113.10
# 10.0.0.10 always appears as 203.0.113.10 externally
Static PAT (Port Forwarding)
A specific external port is mapped to an internal host. Very common in home routers and small office setups.
# Port forward: external 203.0.113.5:8080 → internal 192.168.1.100:80
# Used for: hosting a web server at home, game servers, remote access
Dynamic PAT (NAT Overload / Masquerade)
Multiple internal hosts share one public IP. The NAT device tracks connections using source port numbers.
This is what iptables -t nat -A POSTROUTING -j MASQUERADE does.
Docker, Kubernetes NodePort services, and home routers all use dynamic PAT. The NAT table entry expires after a timeout if no traffic is seen.
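Dynamic PAT as an added Python simulation (not the course's or the notes' code) of the NAT table shown under Types of NAT: outbound flows get a public port, replies to that port are translated back, an unsolicited inbound packet with no entry is dropped, and idle entries expire. The public IP 203.0.113.5, the port range starting at 40001 and the 300-second idle timeout are constructed; the table is keyed by source port only, as in the diagram, whereas Linux conntrack keys on the full 4-tuple plus protocol.

```python
class PatTable:
    """Dynamic PAT (masquerade): many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, first_port=40001, idle_timeout=300):
        self.public_ip = public_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout
        self.out_map = {}    # (priv_ip, priv_port) -> public port
        self.in_map = {}     # public port -> (priv_ip, priv_port)
        self.last_seen = {}  # public port -> time of the last packet in either direction

    def expire(self, now):
        """Drop entries idle longer than the timeout (why long-idle connections go dead behind NAT)."""
        for pub_port, seen in list(self.last_seen.items()):
            if now - seen > self.idle_timeout:
                del self.out_map[self.in_map.pop(pub_port)]
                del self.last_seen[pub_port]

    def translate_out(self, src_ip, src_port, now=0):
        """Rewrite an outbound packet's source to (public_ip, public port); first use creates the entry."""
        self.expire(now)
        key = (src_ip, src_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        pub_port = self.out_map[key]
        self.last_seen[pub_port] = now
        return self.public_ip, pub_port

    def translate_in(self, dst_port, now=0):
        """Rewrite a reply's destination back to the private host, or None if nothing is mapped.
        Unsolicited inbound traffic is dropped: that is why a server behind NAT needs port forwarding."""
        self.expire(now)
        if dst_port not in self.in_map:
            return None
        self.last_seen[dst_port] = now
        return self.in_map[dst_port]


def demo():
    """Replays the three internal hosts from the diagram through a constructed NAT router."""
    nat = PatTable("203.0.113.5")
    flows = [("192.168.1.10", 5000), ("192.168.1.20", 6000), ("192.168.1.30", 7000)]
    return nat, [nat.translate_out(ip, port) for ip, port in flows]


if __name__ == "__main__":
    nat, translated = demo()
    print(translated)                       # [('203.0.113.5', 40001), ('203.0.113.5', 40002), ('203.0.113.5', 40003)]
    print(nat.translate_in(40002))          # ('192.168.1.20', 6000)
    print(nat.translate_in(40999))          # None: no mapping, dropped
    print(nat.translate_in(40003, now=301)) # None: idle since t=0, expired
```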
NAT and DevOps
| Technology | NAT Type Used |
|---|---|
| Docker container networking | Dynamic PAT (masquerade) |
| Kubernetes NodePort | DNAT (destination NAT) via iptables |
| AWS/GCP Load Balancer | DNAT to backend pods/instances |
| VPN gateway | NAT traversal + static mappings |
| Home router | Dynamic PAT |
Topics Critical for Junior DevOps (not in videos)
Cloud Networking Basics
Cloud providers implement software-defined versions of all the same concepts:
| Traditional | AWS | GCP / Azure |
|---|---|---|
| Network | VPC | VPC / VNet |
| Subnet | Subnet (per-AZ) | Subnet (regional) |
| Router | Route Table | Routes |
| Firewall | Security Group / NACL | Firewall Rules / NSG |
| NAT | NAT Gateway | Cloud NAT |
| Load Balancer | ALB / NLB / CLB | Cloud LB / ALB |
| Private DNS | Route 53 Private | Cloud DNS |
Firewall / Security Groups
Control which traffic is allowed in/out of a network or host.
- Stateful firewall (Security Groups in AWS): tracks connection state. If you allow outbound, the reply is automatically allowed inbound.
- Stateless firewall (NACLs in AWS): each packet evaluated independently. You must allow both directions explicitly.
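The stateful/stateless difference as an added Python simulation (not the course's or the notes' code): a single rule allowing outbound 443 is applied to the same three constructed packets by a stateful filter, by a stateless filter, and by the stateless filter with the usual "allow the ephemeral range inbound" workaround, which shows what that workaround also lets in. The hosts, ports and the rule format are constructed.

```python
# Constructed rule format: (direction, destination port range, action); first match wins, default deny
EPHEMERAL = range(1024, 65536)


def pkt(src_ip, src_port, dst_ip, dst_port, direction):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port, "dir": direction}


def first_match(rules, p):
    for direction, ports, action in rules:
        if direction == p["dir"] and p["dst_port"] in ports:
            return action
    return "deny"


class StatelessFirewall:
    """NACL-style: each packet is judged on its own, so replies need their own inbound rule."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, p):
        return first_match(self.rules, p) == "allow"


class StatefulFirewall:
    """Security-group style: an allowed packet opens a tracked connection; replies to it pass automatically."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # 4-tuples of connections that were allowed

    def allow(self, p):
        forward = (p["src_ip"], p["src_port"], p["dst_ip"], p["dst_port"])
        reverse = (p["dst_ip"], p["dst_port"], p["src_ip"], p["src_port"])
        if reverse in self.conns:              # a reply on a tracked connection
            return True
        if first_match(self.rules, p) == "allow":
            self.conns.add(forward)
            return True
        return False


def scenario():
    """Outbound HTTPS from a constructed host, the server's reply, and an unrelated inbound packet."""
    out = pkt("10.0.0.5", 51000, "203.0.113.9", 443, "out")
    reply = pkt("203.0.113.9", 443, "10.0.0.5", 51000, "in")
    stray = pkt("198.51.100.7", 443, "10.0.0.5", 51000, "in")   # nobody asked for this one
    rule = ("out", range(443, 444), "allow")

    stateful = StatefulFirewall([rule])
    stateless = StatelessFirewall([rule])
    # The stateless workaround: open the whole ephemeral range inbound, which also admits the stray packet
    stateless_fixed = StatelessFirewall([rule, ("in", EPHEMERAL, "allow")])

    return {
        "stateful": [stateful.allow(out), stateful.allow(reply), stateful.allow(stray)],
        "stateless": [stateless.allow(out), stateless.allow(reply), stateless.allow(stray)],
        "stateless_fixed": [stateless_fixed.allow(out), stateless_fixed.allow(reply), stateless_fixed.allow(stray)],
    }


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name:16} out/reply/stray -> {verdicts}")
```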
Load Balancers
| Type | Layer | Decision basis | Use case |
|---|---|---|---|
| Layer 4 (NLB) | L4 | IP + Port | TCP/UDP apps, low latency |
| Layer 7 (ALB) | L7 | HTTP headers, path, hostname | Web apps, microservices |
Container & Kubernetes Networking
Pod A ──── (same node, L2) ──────► Pod B
Pod A ──── (diff node, L3 overlay) ► Pod C
│
CNI Plugin (Calico/Flannel/Cilium)
handles pod IP assignment + routing
Service (ClusterIP):
Virtual IP (VIP) → iptables/ipvs DNAT → Pod IPs (load balanced)
NodePort:
Node:30080 → DNAT → ClusterIP → Pod
LoadBalancer:
Cloud LB → NodePort → ClusterIP → Pod
Important Linux Networking Commands
# Interface and IP
ip addr show # All interfaces and IPs
ip link show # Link status
ip addr add 10.0.0.5/24 dev eth0 # Assign IP
# Routing
ip route show # Routing table
ip route add 10.0.0.0/8 via 192.168.1.1 # Add static route
# Connections
ss -tulpn # Open sockets (better than netstat)
netstat -tulpn # Open sockets (older)
curl -v http://example.com # Test HTTP with verbose output
# DNS
dig google.com # DNS lookup (full detail)
nslookup google.com # Simpler DNS lookup
resolvectl status # systemd-resolved status
# Firewall (iptables)
iptables -L -n -v # List all rules
iptables -t nat -L -n -v # List NAT rules
# Traffic capture
tcpdump -i eth0 port 80 # Capture HTTP traffic
tcpdump -i any host 10.0.0.5 # All traffic to/from host
SSL/TLS Certificates
- Certificate: Contains public key + identity info, signed by a CA
- CA (Certificate Authority): Trusted third party that signs certificates (Let's Encrypt, DigiCert)
- TLS handshake: Client and server negotiate cipher suite, exchange keys, establish encrypted channel
- mTLS: Mutual TLS — both client AND server present certificates. Used heavily in service meshes (Istio, Linkerd)
# Check a certificate
openssl s_client -connect google.com:443
openssl x509 -in cert.pem -text -noout
# Common cert formats
.pem / .crt — Base64 encoded certificate
.key — Private key (keep secret!)
.csr — Certificate Signing Request
.p12 / .pfx — PKCS12 bundle (cert + key together)