Quick Reference Scope
Use this independent Quick Reference for fast review before practicing CompTIA Network+ (N10-009) exam questions. Prioritize:
- Ports and protocols: know default ports, TCP/UDP use, and secure alternatives.
- Subnetting: identify network, broadcast, usable range, mask, and block size quickly.
- Layered troubleshooting: map symptoms to OSI layers, then choose the best tool or command.
- Infrastructure decisions: switch vs router vs firewall, VLAN vs subnet, IDS vs IPS, RADIUS vs TACACS+, WPA2 vs WPA3.
- Operations: monitoring, logging, change control, backups, diagrams, baselines, and documentation.
OSI, Encapsulation, and Traffic Scope
OSI Layer Reference
| Layer | Name | PDU | Common devices/functions | High-yield exam cues |
|---|---|---|---|---|
| 7 | Application | Data | DNS, DHCP, HTTP, SMTP, SNMP, SMB | User-facing network services; URLs, names, application errors |
| 6 | Presentation | Data | TLS, encryption, compression, encoding | Certificate, cipher, format, encoding, compression issues |
| 5 | Session | Data | Session setup/teardown, RPC, NetBIOS session | Authentication/session persistence issues |
| 4 | Transport | Segment/datagram | TCP, UDP, ports, flow control | Port numbers, retransmissions, TCP handshake, UDP loss |
| 3 | Network | Packet | IP, ICMP, routers, L3 switches, routing | Subnets, default gateway, routing, TTL, fragmentation |
| 2 | Data Link | Frame | Ethernet, Wi-Fi MAC, VLANs, STP, switches | MAC addresses, frames, VLAN tags, loops, duplex |
| 1 | Physical | Bits | Cabling, optics, RF, connectors, hubs | Link lights, pinouts, attenuation, interference, damaged cable |
Encapsulation and Addressing
| Concept | Address used | Scope | Common trap |
|---|---|---|---|
| MAC address | Layer 2 hardware address | Local broadcast domain/VLAN | MAC changes at each routed hop |
| IP address | Layer 3 logical address | End-to-end across routed networks | IP usually stays same across hops unless NAT occurs |
| TCP/UDP port | Layer 4 service identifier | Host application/process | Port identifies the service, not the host |
| Frame | L2 unit | Local segment/VLAN | Frames do not cross routers unchanged |
| Packet | L3 unit | Routed path | Routers forward packets based on routing table |
Broadcast, Collision, and Failure Domains
| Device/design | Broadcast domain impact | Collision domain impact | Notes |
|---|---|---|---|
| Hub | One shared broadcast domain | One shared collision domain | Legacy; half-duplex behavior; collisions expected |
| Switch | Same VLAN is one broadcast domain | Each switch port is separate collision domain | Full-duplex eliminates normal collisions |
| VLAN | Separates broadcast domains logically | Depends on switch ports | Inter-VLAN traffic requires L3 routing |
| Router/L3 switch | Separates broadcast domains | Separates L2 segments | Default gateway for hosts |
| Firewall | Separates and filters networks | Depends on interfaces/zones | Policy controls allowed traffic |
| Wireless AP | Bridges WLAN to LAN | Shared RF medium per channel | Contention/interference affects all clients |
Ports and Protocols
Default Port Reference
| Protocol/service | Port(s) | Transport | Purpose | Exam traps |
|---|---|---|---|---|
| FTP data/control | 20/21 | TCP | File transfer | Credentials/data not encrypted; active/passive behavior matters |
| SSH | 22 | TCP | Secure remote shell | Also used by SCP/SFTP |
| SFTP | 22 | TCP | File transfer over SSH | Not the same as FTPS |
| Telnet | 23 | TCP | Remote CLI | Insecure plaintext |
| SMTP | 25 | TCP | Mail transfer server-to-server | Submission often uses 587; encrypted variants differ |
| DNS | 53 | UDP/TCP | Name resolution | UDP common; TCP for zone transfers/large responses |
| DHCP server/client | 67/68 | UDP | Dynamic addressing | Client uses 68, server uses 67; needs relay across routers |
| TFTP | 69 | UDP | Simple file transfer | No authentication; often boot/config transfer |
| HTTP | 80 | TCP | Web traffic | Plaintext |
| Kerberos | 88 | TCP/UDP | Authentication tickets | Time synchronization is critical |
| POP3 | 110 | TCP | Mail retrieval | Client downloads mail; secure POP3 uses 995 |
| NTP | 123 | UDP | Time synchronization | Critical for logs, Kerberos, certificates |
| NetBIOS | 137-139 | TCP/UDP | Legacy Windows name/session services | Often replaced by SMB over 445 |
| IMAP | 143 | TCP | Mail access/sync | Secure IMAP uses 993 |
| SNMP | 161 | UDP | Monitoring queries | Use SNMPv3 for authentication/encryption |
| SNMP traps | 162 | UDP | Device-generated alerts | Trap receiver listens here |
| LDAP | 389 | TCP/UDP | Directory queries | LDAPS uses 636 |
| HTTPS | 443 | TCP | HTTP over TLS | Certificate/name/trust errors common |
| SMB/CIFS | 445 | TCP | File/print sharing | Common lateral movement target |
| Syslog | 514 | UDP/TCP | Log forwarding | TLS-secured syslog commonly uses 6514 |
| SMTPS | 465 | TCP | SMTP over TLS | 587 is common for submission with STARTTLS |
| SMTP submission | 587 | TCP | Authenticated mail submission | Preferred over unauthenticated relay |
| LDAPS | 636 | TCP | LDAP over TLS | Certificate trust matters |
| IMAPS | 993 | TCP | IMAP over TLS | Secure mail access |
| POP3S | 995 | TCP | POP3 over TLS | Secure mail retrieval |
| Microsoft SQL Server | 1433 | TCP | Database access | Know as common application service port |
| RADIUS auth/accounting | 1812/1813 | UDP | AAA for network access | Centralized auth; encrypts password, not full packet |
| MySQL/MariaDB | 3306 | TCP | Database access | Common server application port |
| RDP | 3389 | TCP/UDP | Remote desktop | Secure with VPN/MFA/restricted access |
| PostgreSQL | 5432 | TCP | Database access | Common server application port |
| SIP | 5060/5061 | TCP/UDP | VoIP signaling | 5061 is TLS-secured SIP |
| Syslog over TLS | 6514 | TCP | Encrypted log forwarding | Prefer for sensitive logs |

| Technology | Port/protocol | Use | Distinction |
|---|---|---|---|
| IPsec AH | IP protocol 51 | Integrity/authentication | Does not encrypt payload |
| IPsec ESP | IP protocol 50 | Encryption/integrity | Common IPsec payload protection |
| IKE | UDP 500 | IPsec negotiation | Used before tunnel establishment |
| IPsec NAT-T | UDP 4500 | IPsec through NAT | Encapsulates IPsec for NAT traversal |
| L2TP | UDP 1701 | Tunneling | Often paired with IPsec |
| OpenVPN | Often UDP/TCP 1194 | SSL/TLS VPN | Port can vary by configuration |
| HTTPS VPN portal | TCP 443 | SSL/TLS remote access | Often firewall-friendly |
| TACACS+ | TCP 49 | Device administration AAA | Encrypts full payload; separates auth/accounting/authorization |
| RADIUS | UDP 1812/1813 | Network access AAA | Common for 802.1X, VPN, Wi-Fi enterprise |
IPv4, IPv6, and Subnetting
For a subnet with \(h\) host bits:
\[
\text{usable IPv4 hosts} = 2^{h} - 2
\]
For borrowed subnet bits \(b\):
\[
\text{number of subnets} = 2^{b}
\]
For the interesting mask octet:
\[
\text{block size} = 256 - \text{mask octet}
\]
Exceptions: /31 is commonly used for point-to-point links, and /32 identifies a single host route.
Private and Special IPv4 Ranges
| Range | Purpose | Exam cue |
|---|---|---|
| 10.0.0.0/8 | Private RFC 1918 | Large internal networks |
| 172.16.0.0/12 | Private RFC 1918 | 172.16.0.0-172.31.255.255 only |
| 192.168.0.0/16 | Private RFC 1918 | Home/small office common |
| 127.0.0.0/8 | Loopback | Tests local TCP/IP stack |
| 169.254.0.0/16 | APIPA/link-local | DHCP failure clue |
| 224.0.0.0/4 | Multicast | One-to-many group traffic |
| 255.255.255.255 | Limited broadcast | Local segment only |
| 0.0.0.0 | Unspecified/default | Default route or unconfigured source |
Common CIDR Reference
| CIDR | Mask | Total addresses | Usable hosts | Increment |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | 1 in 1st octet |
| /16 | 255.255.0.0 | 65,536 | 65,534 | 1 in 2nd octet |
| /20 | 255.255.240.0 | 4,096 | 4,094 | 16 in 3rd octet |
| /21 | 255.255.248.0 | 2,048 | 2,046 | 8 in 3rd octet |
| /22 | 255.255.252.0 | 1,024 | 1,022 | 4 in 3rd octet |
| /23 | 255.255.254.0 | 512 | 510 | 2 in 3rd octet |
| /24 | 255.255.255.0 | 256 | 254 | 1 in 3rd octet |
| /25 | 255.255.255.128 | 128 | 126 | 128 in 4th octet |
| /26 | 255.255.255.192 | 64 | 62 | 64 in 4th octet |
| /27 | 255.255.255.224 | 32 | 30 | 32 in 4th octet |
| /28 | 255.255.255.240 | 16 | 14 | 16 in 4th octet |
| /29 | 255.255.255.248 | 8 | 6 | 8 in 4th octet |
| /30 | 255.255.255.252 | 4 | 2 | 4 in 4th octet |
| /31 | 255.255.255.254 | 2 | Special | Point-to-point use |
| /32 | 255.255.255.255 | 1 | 1 host route | Single host |
Fast Subnetting Process
- Convert prefix to dotted mask.
- Find the interesting octet: the octet that is not 0 or 255.
- Calculate block size: 256 minus the mask value in that octet.
- Count subnets in block-size increments.
- Network address is the lower boundary; broadcast is one less than next boundary.
- Usable range is network + 1 through broadcast - 1, except special /31 and /32 cases.
Example: 10.10.18.76/27
| Item | Value |
|---|---|
| Mask | 255.255.255.224 |
| Block size | 32 |
| Subnet boundaries | .0, .32, .64, .96, .128, .160, .192, .224 |
| Network | 10.10.18.64 |
| Broadcast | 10.10.18.95 |
| Usable hosts | 10.10.18.65-10.10.18.94 |
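
The six steps above, applied in code to the 10.10.18.76/27 example (an added Python example, not part of the original reference). The function names and the extra sample addresses are chosen here for illustration; a mask with no interesting octet (such as /24) is treated as block size 1 in its last 255 octet, matching the Increment column of the CIDR table.

```python
import ipaddress


def dotted(octets):
    """Render four integers as a dotted-quad string."""
    return ".".join(str(o) for o in octets)


def subnet_by_block_size(cidr):
    """Work out an IPv4 subnet with the block-size method, one step at a time."""
    addr_text, _, prefix_text = cidr.partition("/")
    if not prefix_text.isdigit() or not 0 <= int(prefix_text) <= 32:
        raise ValueError(f"invalid prefix length in {cidr!r}")
    prefix = int(prefix_text)
    parts = addr_text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address in {cidr!r}")
    octets = [int(p) for p in parts]

    # Step 1: prefix -> dotted mask. Each octet takes up to 8 of the prefix bits.
    mask = [256 - (1 << (8 - min(8, max(0, prefix - 8 * i)))) for i in range(4)]

    # Step 2: interesting octet = the octet holding the last network bit.
    # For /8, /16, /24 and /32 that octet is 255, which gives block size 1.
    idx = max(0, (prefix - 1) // 8)

    # Step 3: block size = 256 - mask value in that octet.
    block = 256 - mask[idx]

    # Steps 4-5: the network is the block boundary at or below the address;
    # the broadcast is one less than the next boundary.
    lower = (octets[idx] // block) * block
    network = octets[:idx] + [lower] + [0] * (3 - idx)
    broadcast = octets[:idx] + [lower + block - 1] + [255] * (3 - idx)

    # Step 6: usable range, with the /31 and /32 exceptions.
    if prefix == 32:            # single host route
        first, last, usable = network, network, 1
    elif prefix == 31:          # point-to-point link: both addresses are used
        first, last, usable = network, broadcast, 2
    else:
        first = network[:3] + [network[3] + 1]
        last = broadcast[:3] + [broadcast[3] - 1]
        usable = 2 ** (32 - prefix) - 2

    return {
        "mask": dotted(mask),
        "interesting_octet": idx + 1,   # 1-based, as in "4th octet"
        "block_size": block,
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first),
        "last_host": dotted(last),
        "usable_hosts": usable,
    }


def agrees_with_stdlib(cidr):
    """Cross-check the manual method against Python's ipaddress module."""
    manual = subnet_by_block_size(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (manual["mask"] == str(net.netmask)
            and manual["network"] == str(net.network_address)
            and manual["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    # The first input is the page's example; the others are constructed samples.
    for sample in ("10.10.18.76/27", "172.16.37.200/20",
                   "192.0.2.5/31", "192.0.2.5/32", "10.1.2.3/24"):
        r = subnet_by_block_size(sample)
        print(f"{sample:18} mask={r['mask']:15} block={r['block_size']:<3} "
              f"net={r['network']:13} bcast={r['broadcast']:15} "
              f"usable={r['first_host']}-{r['last_host']} ({r['usable_hosts']}) "
              f"stdlib_ok={agrees_with_stdlib(sample)}")
```
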
IPv6 Quick Reference
| IPv6 concept | Reference | Exam cue |
|---|---|---|
| Address length | 128 bits | Written in hexadecimal hextets |
| Compression | :: replaces one run of zeros | Can be used once per address |
| Loopback | ::1/128 | Local host test |
| Unspecified | ::/128 | No address assigned |
| Link-local | fe80::/10 | Local link only; required for IPv6 operations |
| Unique local | fc00::/7 | Private-like internal addressing |
| Global unicast | 2000::/3 | Routable IPv6 Internet space |
| Multicast | ff00::/8 | IPv6 has multicast, not broadcast |
| SLAAC | Router Advertisements | Host self-configures address |
| DHCPv6 | Stateful or stateless options | Can provide addresses or options |
| NDP | ICMPv6-based neighbor discovery | Replaces ARP functions |
Switching, VLANs, and Ethernet
Layer 2 Feature Reference
| Feature | Purpose | Choose/use when | Common trap |
|---|---|---|---|
| Access port | Carries one VLAN untagged | End-user device, printer, access point management VLAN | Wrong VLAN causes DHCP/gateway failure |
| Trunk port | Carries multiple VLANs with tags | Switch-to-switch, switch-to-router, switch-to-hypervisor | Allowed VLAN list or native VLAN mismatch |
| 802.1Q | VLAN tagging standard | Mark frames across trunks | Native VLAN is typically untagged |
| Native VLAN | Untagged VLAN on trunk | Compatibility/control-plane design | Mismatches can create leakage/security risk |
| Port security | Limits MACs on a switch port | Prevent unauthorized device swaps | Can shut down port after violation |
| STP/RSTP | Prevents L2 loops | Redundant switch paths | Blocking port may look like unused link |
| BPDU Guard | Protects edge ports | Shut down port receiving BPDUs | Use on access/PortFast-style ports |
| LACP | Dynamic link aggregation | Increase bandwidth and redundancy | Both sides must be compatible/configured |
| Port mirroring/SPAN | Copy traffic to analyzer | Packet capture/IDS sensor | Does not normally alter traffic flow |
| LLDP/CDP | Neighbor discovery | Map connected devices | CDP is vendor-specific; LLDP is open standard |
| Jumbo frames | Larger Ethernet frames | Storage/backup/high-throughput networks | MTU mismatch causes drops/fragmentation symptoms |
| QoS | Prioritize traffic | Voice/video/latency-sensitive apps | QoS does not create bandwidth; it schedules traffic |
STP Essentials
| STP item | Meaning |
|---|---|
| Root bridge | Central reference switch selected by lowest bridge ID |
| Bridge ID | Priority plus MAC address |
| Root port | Best path toward root bridge on non-root switch |
| Designated port | Forwarding port for a segment |
| Blocking/discarding | Prevents loops by not forwarding user frames |
| Loop symptom | Broadcast storm, MAC table flapping, high CPU, network-wide outage |

| Medium/component | Use | Exam cues |
|---|---|---|
| UTP | General copper Ethernet | Susceptible to EMI compared with shielded cable |
| STP/FTP | Shielded copper | Industrial/EMI-prone environments; grounding matters |
| Plenum-rated cable | Air-handling spaces | Fire/smoke rating scenario |
| Riser-rated cable | Vertical building runs | Between floors/risers |
| Coaxial | Cable broadband/CCTV/legacy | F-type, BNC depending on use |
| Multimode fiber | Shorter fiber runs | LED/VCSEL, larger core, common in campus/datacenter |
| Single-mode fiber | Longer fiber runs | Laser, smaller core, WAN/long-distance |
| RJ45 | Twisted-pair Ethernet | 8P8C connector |
| LC | Fiber connector | Small form factor, very common |
| SC/ST | Fiber connectors | SC push-pull; ST twist-lock |
| MPO/MTP | Multi-fiber connector | High-density fiber trunks |
| SFP/SFP+/QSFP | Modular transceivers | Match speed, fiber type, wavelength, connector |
| DAC | Direct attach copper | Short datacenter interconnect |
| AOC | Active optical cable | Short optical interconnect with fixed optics |
Ethernet and PoE
| Topic | Key point |
|---|---|
| Auto-negotiation | Speed/duplex negotiation; mismatch can cause errors and poor throughput |
| Full duplex | Send and receive simultaneously; no normal collisions |
| Half duplex | Legacy/shared media; collisions possible |
| Auto-MDI-X | Reduces need for crossover cables |
| PoE | Sends power over Ethernet cabling |
| 802.3af / 802.3at / 802.3bt | PoE standards with increasing power capability |
| Common PoE devices | APs, VoIP phones, cameras, badge readers |
| PoE troubleshooting | Check power budget, cable pairs, switch support, device class, injector/midspan |
Routing, NAT, WAN, and Remote Access
Routing Selection Reference
| Routing type/protocol | Category | Best use | Exam cue |
|---|---|---|---|
| Connected route | Automatic | Directly attached networks | Appears when interface is up/up with IP |
| Static route | Manual | Small/stable paths, specific override | No automatic convergence |
| Default route | Static/dynamic | Unknown destinations | 0.0.0.0/0 or ::/0 |
| OSPF | Link-state IGP | Enterprise internal routing | Areas, cost, fast convergence |
| EIGRP | Advanced distance-vector IGP | Vendor-specific enterprise routing | Feasible successor terminology may appear |
| RIP | Distance-vector IGP | Legacy/simple networks | Hop-count metric; slower convergence |
| BGP | Path-vector EGP | Internet/ISP or large multi-domain routing | Autonomous systems and policy-based routing |
NAT and Address Translation
| NAT type | Mapping | Use | Trap |
|---|---|---|---|
| Static NAT | One private to one public | Publish internal service or fixed mapping | Consumes one public address per host |
| Dynamic NAT | Private to pool of public IPs | Outbound access from pool | Pool can be exhausted |
| PAT/NAT overload | Many private to one/few public IPs using ports | Typical Internet edge NAT | Port translation differentiates sessions |
| Destination NAT/port forwarding | Public IP:port to internal host:port | Publish selected service | Firewall rule must also allow traffic |
WAN and Connectivity Choices
| Technology | Use when | Notes |
|---|---|---|
| Leased line | Dedicated predictable private connectivity | Higher reliability/control than shared broadband |
| MPLS | Provider-managed private WAN | Label switching; often used for enterprise WANs |
| Broadband cable/DSL/fiber | Internet access/backup | Shared service characteristics vary |
| Cellular/5G | Backup, mobile, temporary sites | Consider signal, data plans, antennas |
| Satellite | Remote areas | Higher latency; weather/line-of-sight concerns |
| SD-WAN | Policy-based multi-link WAN | Uses overlays, path selection, centralized control |
| VPN over Internet | Encrypted private connectivity | Depends on Internet path quality |
VPN Decision Table
| VPN type | Best fit | Common technologies | Exam distinction |
|---|---|---|---|
| Site-to-site | Connect offices/networks | IPsec tunnel mode | Usually always-on between gateways |
| Remote-access | Individual users to network | SSL/TLS VPN, IPsec client VPN | User authentication and endpoint posture matter |
| Clientless VPN | Browser-based app access | HTTPS portal | Limited to supported applications |
| Split tunnel | Only corporate traffic via VPN | Remote-access optimization | Internet traffic bypasses VPN; security tradeoff |
| Full tunnel | All traffic via VPN | Stronger central inspection | More bandwidth/latency impact |
Wireless Networking
Wi-Fi Standards
| Standard | Wi-Fi name | Bands | Key exam cue |
|---|---|---|---|
| 802.11a | Legacy | 5 GHz | Older 5 GHz standard |
| 802.11b | Legacy | 2.4 GHz | Slow legacy 2.4 GHz |
| 802.11g | Legacy | 2.4 GHz | Backward compatibility with b |
| 802.11n | Wi-Fi 4 | 2.4/5 GHz | MIMO introduced broadly |
| 802.11ac | Wi-Fi 5 | 5 GHz | Wider channels, higher throughput |
| 802.11ax | Wi-Fi 6/6E | 2.4/5/6 GHz | OFDMA, efficiency, dense environments |
| 802.11be | Wi-Fi 7 | 2.4/5/6 GHz | Newer high-throughput/low-latency generation |
Wireless Security
| Security mode | Status/use | Exam cue |
|---|---|---|
| Open | No encryption | Use only with captive portal/guest isolation if required |
| WEP | Deprecated/insecure | Do not choose except to identify legacy risk |
| WPA | Legacy improvement over WEP | Superseded by WPA2/WPA3 |
| WPA2-Personal | PSK-based | Shared passphrase; use AES/CCMP |
| WPA2-Enterprise | 802.1X/RADIUS | Per-user or certificate-based authentication |
| WPA3-Personal | SAE | Stronger protection against offline PSK attacks |
| WPA3-Enterprise | Enterprise authentication | Stronger enterprise wireless security |
| Captive portal | Web-based access acceptance/login | Not a replacement for encryption |
| MAC filtering | Allows/blocks listed MACs | Weak control; MACs can be spoofed |
Wireless Design and Troubleshooting
| Issue/design point | What to check |
|---|---|
| Channel overlap | Use non-overlapping 2.4 GHz channels where applicable; prefer 5/6 GHz for capacity |
| Interference | Microwaves, Bluetooth, cordless devices, neighboring WLANs, industrial equipment |
| Low RSSI | AP placement, antenna orientation, transmit power, obstacles |
| Poor SNR | Noise floor and interference, not just signal strength |
| Roaming problems | AP density, power levels, controller settings, sticky clients |
| Hidden node | Clients cannot hear each other; causes contention/retransmissions |
| DFS events | 5 GHz radar detection can force channel changes |
| Guest WLAN | Separate VLAN, firewall rules, captive portal, client isolation |
| Voice over Wi-Fi | QoS, roaming, low latency/jitter, adequate coverage |
| Antenna choice | Omnidirectional for broad coverage; directional for focused links |
Core Network Services
DHCP
| DHCP item | Meaning |
|---|---|
| DORA | Discover, Offer, Request, Acknowledge |
| Scope | Pool of assignable addresses |
| Exclusion | Addresses not handed out from a scope |
| Reservation | Specific IP for a client, usually by MAC/client identifier |
| Lease | Time-bound address assignment |
| Options | Gateway, DNS servers, domain name, NTP, PXE boot options |
| Relay/IP helper | Forwards DHCP across routers/VLANs |
| Failure clue | APIPA address, no default gateway, stale lease, wrong VLAN |
DNS Records
| Record | Purpose | Example use |
|---|---|---|
| A | Name to IPv4 | host.example.com to IPv4 |
| AAAA | Name to IPv6 | IPv6 host resolution |
| CNAME | Alias to canonical name | www alias to another name |
| MX | Mail exchanger | Domain mail routing |
| NS | Authoritative name server | Delegation/zone authority |
| SOA | Start of authority | Zone metadata |
| PTR | Reverse lookup | IP to name |
| TXT | Text metadata | SPF, DKIM, DMARC, verification |
| SRV | Service locator | Directory/VoIP/service discovery |
| CAA | Certificate authority authorization | Limits which CAs may issue certs |
| TTL | Cache lifetime | Long TTL slows propagation of changes |
Infrastructure Services and Components
| Service/component | Purpose | Choose/check when |
|---|---|---|
| NTP | Time sync | Authentication, logs, certificates, Kerberos failures |
| PKI/CA | Certificate issuance/trust | TLS, VPN, 802.1X certificate authentication |
| Load balancer | Distribute client requests | High availability, scale-out applications |
| Reverse proxy | Front-end application publishing | TLS offload, filtering, app routing |
| Forward proxy | Client egress mediation | URL filtering, caching, logging |
| DHCP snooping | Validates DHCP servers | Prevent rogue DHCP |
| IPAM | Address management | Avoid overlaps, document allocations |
| Directory service | Identity source | Centralized users/groups/devices |
| RADIUS/TACACS+ | AAA | Network access or device administration |
| CDN | Content distribution | Reduce latency for static/global content |
Security Controls and Threats
Control Selection Matrix
| Control | Primary function | Choose when | Do not confuse with |
|---|---|---|---|
| Stateless firewall | Filters by packet fields | Simple ACL-style filtering | Stateful session tracking |
| Stateful firewall | Tracks sessions | Perimeter/internal segmentation | Application-layer inspection by default |
| NGFW | App/user-aware filtering | Need app visibility, IPS, URL/category controls | Basic port-only firewall |
| WAF | Protects web apps | SQL injection/XSS-style web attacks | Network firewall for all protocols |
| IDS | Detects and alerts | Monitoring without inline blocking | IPS |
| IPS | Detects and blocks inline | Active prevention | Passive IDS |
| NAC | Controls network admission | Posture checks, 802.1X, guest access | Simple switch port security |
| 802.1X | Port-based access control | Enterprise wired/wireless auth | PSK-only Wi-Fi |
| RADIUS | AAA for access | VPN, Wi-Fi, switch authentication | TACACS+ device admin focus |
| TACACS+ | Device administration AAA | Granular command authorization | RADIUS network access focus |
| SIEM | Log correlation/alerting | Central security monitoring | Packet analyzer |
| DLP | Prevent data exfiltration | Sensitive data controls | Firewall allow/deny only |
| VPN | Encrypted tunnel | Remote/site connectivity over untrusted networks | VLAN segmentation |
| Zero trust | Continuous verification/least privilege | Identity-centric access | Single product or simple VPN |
Network Attack and Mitigation Matrix
| Threat | Symptom/goal | Mitigations |
|---|---|---|
| ARP poisoning | MITM on local subnet | Dynamic ARP inspection, static entries for critical systems, segmentation |
| DNS poisoning | Wrong name resolution | DNSSEC where applicable, secure resolvers, monitor changes |
| Rogue DHCP | Wrong gateway/DNS, outages | DHCP snooping, authorized DHCP servers |
| VLAN hopping | Access to unintended VLAN | Disable unused trunks, set native VLAN safely, explicit allowed VLANs |
| MAC spoofing | Bypass MAC-based controls | 802.1X, port security, monitoring |
| Evil twin AP | Users connect to fake AP | WPA2/3-Enterprise, certificate validation, WIDS/WIPS |
| Deauthentication attack | Wireless disconnects | WPA3/management frame protection where supported, monitoring |
| DoS/DDoS | Service/resource exhaustion | Rate limiting, upstream filtering, redundancy, DDoS protection |
| Credential attack | Unauthorized login | MFA, lockout/rate limits, strong auth, monitoring |
| On-path/MITM | Traffic interception | TLS, VPN, certificate validation, secure protocols |
| Malware/ransomware | Lateral movement/data loss | Segmentation, least privilege, backups, EDR, patching |
| Social engineering | User compromise | Training, MFA, verification procedures |
| Misconfiguration | Outage or exposure | Change control, review, backups, least privilege |
Operations, Monitoring, and Resilience
Monitoring and Telemetry
| Tool/protocol | Use | Best for |
|---|---|---|
| SNMP polling | Query device counters/status | Interface utilization, errors, CPU, memory |
| SNMP traps | Device sends alert | Link down, threshold events |
| Syslog | Central log collection | Device events, authentication, config changes |
| NetFlow/sFlow/IPFIX | Traffic flow metadata | Top talkers, protocols, conversations |
| Packet capture | Full packet inspection | Protocol analysis, retransmissions, handshake failures |
| Synthetic monitoring | Simulated transactions | User-experience checks |
| Baselines | Normal performance reference | Identifying abnormal latency/utilization |
| SIEM | Correlation and security alerting | Multi-source security events |
Metrics to Recognize
| Metric | Meaning | Common cause when abnormal |
|---|---|---|
| Latency | Delay | Distance, congestion, queuing, poor path |
| Jitter | Variation in delay | Congestion, unstable wireless/WAN |
| Packet loss | Dropped packets | Congestion, errors, bad cable, RF issues |
| Throughput | Actual achieved data rate | Bottleneck, duplex mismatch, shaping |
| Bandwidth | Theoretical/available capacity | Not the same as throughput |
| Errors/CRC | Frame corruption | Cabling, optics, duplex, EMI |
| Discards | Dropped by device queue/policy | Congestion, QoS, buffer pressure |
| Utilization | Link/device usage | Saturation, backups, malware, top talkers |

| Tool | Use |
|---|---|
| Cable tester | Wiremap, opens, shorts, split pairs |
| Certifier | Validates cable category/performance |
| Toner/probe | Locate cable runs |
| Loopback plug | Test interface transmit/receive |
| TDR | Locate copper cable faults by distance |
| OTDR | Locate fiber faults/loss events |
| Light meter/source | Measure fiber optical power/loss |
| Spectrum analyzer | RF interference analysis |
| Wi-Fi analyzer | SSIDs, channels, signal strength |
| Multimeter | Electrical checks |
| Network tap | Passive traffic capture |
| Console cable | Out-of-band device management |
Documentation and Change Control
| Item | Why it matters |
|---|---|
| Logical diagram | Subnets, VLANs, routing, firewall zones |
| Physical diagram | Cabling, racks, ports, circuits |
| IP address management | Prevent overlaps and stale allocations |
| Rack elevation | Space, power, cabling planning |
| Asset inventory | Lifecycle, support, ownership |
| Configuration backup | Fast rollback/recovery |
| Standard operating procedure | Repeatable operations |
| Change request | Risk, approval, rollback, communication |
| Maintenance window | Limits user impact |
| Post-change validation | Confirms intended result and no regressions |
Resilience Terms
| Term | Meaning |
|---|---|
| High availability | Design to reduce downtime |
| Fault tolerance | Continue operating after component failure |
| Redundancy | Extra components/paths |
| Load balancing | Distribute work across resources |
| Clustering | Multiple systems act together |
| FHRP | First-hop gateway redundancy concept |
| Backup | Copy for recovery |
| RPO | Maximum acceptable data loss window |
| RTO | Maximum acceptable recovery time |
| MTBF | Average time between failures |
| MTTR | Average time to repair/restore |
| UPS | Short-term battery power |
| Generator | Longer-duration backup power |
Troubleshooting Method and Commands
Practical Troubleshooting Flow
| Step | Action | Exam focus |
|---|---|---|
| 1 | Identify the problem | Gather symptoms, question users, identify scope |
| 2 | Establish a theory | Start with likely/simple causes |
| 3 | Test the theory | Confirm or revise; do not randomly change many things |
| 4 | Establish a plan | Consider impact, approval, rollback |
| 5 | Implement the solution | Apply fix during appropriate window if needed |
| 6 | Verify functionality | Confirm service works and preventive controls are in place |
| 7 | Document findings | Record cause, fix, changes, lessons learned |
Command Reference
| Command/tool | Platform | Use |
|---|---|---|
| `ipconfig /all` | Windows | IP, mask, gateway, DNS, DHCP lease, MAC |
| `ipconfig /release` / `ipconfig /renew` | Windows | Renew DHCP lease |
| `ipconfig /flushdns` | Windows | Clear DNS resolver cache |
| `ping` | Windows/Linux/macOS | Basic reachability and latency |
| `tracert` | Windows | Path to destination |
| `traceroute` | Linux/macOS | Path to destination |
| `pathping` | Windows | Path plus packet loss over time |
| `nslookup` | Windows/Linux/macOS | DNS queries |
| `dig` | Linux/macOS | Detailed DNS queries |
| `arp -a` | Windows/Linux | ARP cache |
| `route print` | Windows | Routing table |
| `ip route` | Linux | Routing table |
| `ip addr` | Linux | Interface addresses |
| `ss` / `netstat` | Linux/Windows varies | Listening ports and sessions |
| `tcpdump` | Linux/macOS | Packet capture CLI |
| Wireshark | GUI | Packet analysis |
| `nmap` | Cross-platform | Port scanning/service discovery |
| `netcat` / `nc` | Linux/macOS | Test TCP/UDP connectivity |
| `ethtool` | Linux | Interface speed/duplex/link details |
| `mtr` | Linux/macOS | Continuous traceroute-style diagnostics |
Compact Command Snippets
```bat
ipconfig /all
ipconfig /release
ipconfig /renew
ipconfig /flushdns
nslookup www.example.com
tracert 8.8.8.8
route print
arp -a
```

```bash
ip addr
ip route
dig example.com A
dig example.com MX
ping -c 4 8.8.8.8
traceroute 8.8.8.8
ss -tulpen
sudo tcpdump -i eth0 host 10.0.0.5
```
Symptom-to-Layer Troubleshooting
| Symptom | Likely layer(s) | First checks |
|---|---|---|
| No link light | 1 | Cable, patch panel, transceiver, port disabled, power |
| Link up, no IP | 2/3/7 | VLAN, DHCP scope, DHCP relay, APIPA, switch port |
| Can ping IP, not name | 7 | DNS server, record, suffix, cache, firewall to DNS |
| Can reach local subnet only | 3 | Default gateway, mask, route, ACL |
| One VLAN cannot reach another | 2/3/4 | Trunk allowed VLANs, SVI/router subinterface, ACL/firewall |
| Intermittent slow network | 1/2/3 | Errors, duplex mismatch, congestion, loops, RF interference |
| High latency to remote site | 3/4 | WAN utilization, routing path, QoS, provider issue |
| VoIP choppy | 2/3/4 | Jitter, loss, QoS, VLAN, WAN congestion |
| Web app fails but ping works | 4/7 | TCP port, TLS certificate, proxy, app service |
| Duplicate IP warning | 3 | Static overlap, DHCP reservation/scope issue |
| Users get wrong gateway/DNS | 2/3/7 | Rogue DHCP, wrong VLAN, DHCP options |
| Wireless users disconnect | 1/2 | Signal, interference, roaming, channel, authentication |
| Certificate warning | 6/7 | Expired cert, wrong name, untrusted CA, time skew |
| File share inaccessible | 4/7 | SMB port 445, permissions, name resolution, firewall |
Cloud, Virtualization, and Modern Network Architectures
| Concept | What it does | Exam distinction |
|---|---|---|
| IaaS | Virtual machines, networks, storage | Customer manages OS and above |
| PaaS | Managed runtime/platform | Less OS/network control |
| SaaS | Complete application service | Vendor manages most stack |
| Public cloud | Shared provider infrastructure | Elastic, provider-managed physical layer |
| Private cloud | Dedicated organization-controlled cloud | More control/customization |
| Hybrid cloud | Mix of on-prem and cloud | Connectivity, identity, routing matter |
| VPC/VNet | Isolated virtual network | Cloud equivalent of logical network boundary |
| Security group | Instance/NIC-level filtering concept | Often stateful in cloud platforms |
| Network ACL | Subnet-level filtering concept | Often stateless in cloud platforms |
| Virtual router/gateway | Routes between networks | Cloud/on-prem connectivity |
| Load balancer | Distributes traffic to targets | Layer 4 or Layer 7 behavior |
| SDN | Software-defined control plane | Centralized programmability |
| NFV | Network functions as software | Virtual firewalls/routers/load balancers |
| Overlay network | Logical network over physical underlay | VXLAN/encapsulation concepts |
| Spine-leaf | Datacenter topology | Predictable east-west traffic paths |
| North-south traffic | Client/server into or out of datacenter/cloud | Perimeter/security inspection |
| East-west traffic | Server-to-server internal traffic | Segmentation/microsegmentation |
High-Yield Distinctions and Common Traps
| Distinction | Remember |
|---|---|
| TCP vs UDP | TCP is connection-oriented with acknowledgments; UDP is connectionless and lower overhead |
| DNS over UDP vs TCP | UDP is common; TCP is used for zone transfers and large responses |
| DHCP ports | Server UDP 67, client UDP 68 |
| SFTP vs FTPS | SFTP uses SSH on 22; FTPS is FTP secured with TLS |
| SSH vs Telnet | SSH encrypted; Telnet plaintext |
| HTTPS vs TLS | HTTPS is HTTP over TLS; TLS can protect many protocols |
| IDS vs IPS | IDS alerts; IPS blocks inline |
| Stateful firewall vs ACL | Stateful tracks sessions; ACL filters mainly by defined packet criteria |
| VLAN vs subnet | VLAN is Layer 2 segmentation; subnet is Layer 3 addressing |
| Switch vs router | Switch forwards frames by MAC; router forwards packets by IP |
| Same subnet communication | Does not require default gateway |
| Inter-subnet communication | Requires router/L3 switch/default gateway |
| APIPA vs private IP | APIPA 169.254.0.0/16 implies local auto-addressing, often DHCP failure |
| Loopback vs default route | 127.0.0.1 tests local stack; 0.0.0.0/0 is default route |
| NAT vs firewall | NAT translates addresses; firewall permits/denies traffic |
| Proxy vs firewall | Proxy intermediates application requests; firewall controls traffic flow |
| RADIUS vs TACACS+ | RADIUS common for access; TACACS+ common for device admin and command authorization |
| WPA2-Personal vs Enterprise | Personal uses shared passphrase; Enterprise uses 802.1X/RADIUS |
| Bandwidth vs latency | Bandwidth is capacity; latency is delay |
| Jitter vs packet loss | Jitter is delay variation; loss is missing packets |
| MTU issue vs bandwidth issue | MTU causes fragmentation/black-hole symptoms; bandwidth causes saturation |
| STP blocking vs failed link | STP may intentionally block a redundant path |
| Native VLAN mismatch | Can cause leakage or unexpected untagged traffic behavior |
| Duplex mismatch | Link works but has errors, collisions, and poor throughput |
| DHCP relay | Required when clients and DHCP server are separated by routers |
| DNS failure vs connectivity failure | If IP works but names fail, troubleshoot DNS |
| Certificate failure vs network failure | Network may be fine while TLS trust/name/date validation fails |
Final Review Checklist
- Memorize common ports, especially secure vs insecure protocol pairs.
- Practice subnetting until network/broadcast/usable range can be found without hesitation.
- For any scenario, identify the OSI layer before choosing a tool or fix.
- Know when to segment with VLANs, subnets, ACLs, firewalls, and NAC.
- Review wireless bands, security modes, interference, and roaming symptoms.
- Tie monitoring tools to evidence: SNMP counters, syslog events, flow data, and packet captures.
- Apply the troubleshooting method in order, including verification and documentation.
Next step: use this Quick Reference as a checklist while completing timed CompTIA Network+ (N10-009) practice questions, then revisit any row that explains a missed decision point.