Protocols & Reference THEORY
Comprehensive protocol reference
OSI Reference Model
7-layer framework for understanding network communication
| Layer | Name | PDU | Protocols and functions |
|---|---|---|---|
| 7 | Application | Data | HTTP, HTTPS, FTP, DNS, SMTP, SNMP, Telnet, SSH |
| 6 | Presentation | Data | TLS/SSL encryption, JPEG, MPEG, ASCII encoding |
| 5 | Session | Data | NetBIOS, RPC, SQL sessions, dialog control |
| 4 | Transport | Segment | TCP (reliable), UDP (unreliable), port numbers |
| 3 | Network | Packet | IP, ICMP, OSPF, EIGRP, routing between networks |
| 2 | Data Link | Frame | Ethernet, 802.11 Wi-Fi, VLANs, STP, MAC addresses |
| 1 | Physical | Bit | Cables, hubs, RJ45, fiber, radio waves, voltages |
Mnemonic (top→down): "All People Seem To Need Data Processing"
Mnemonic (bottom→up): "Please Do Not Throw Sausage Pizza Away"
TCP/IP Model (4-Layer)
Practical model used in real implementations
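| Layer | Name | PDU | OSI equivalent and protocols |
|---|---|---|---|
| 4 | Application | Data | ≡ OSI Layers 5, 6, 7 — HTTP, DNS, SMTP, FTP |
| 3 | Transport | Segment | ≡ OSI Layer 4 — TCP, UDP |
| 2 | Internet | Packet | ≡ OSI Layer 3 — IP, ICMP, ARP |
| 1 | Network Access | Frame/Bit | ≡ OSI Layers 1 & 2 — Ethernet, Wi-Fi |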
Encapsulation Flow
Application → creates DATA
↓ Transport adds TCP/UDP header
Transport → SEGMENT (TCP header + data)
↓ Network adds IP header
Network → PACKET (IP header + segment)
↓ Data Link adds frame header + trailer
Data Link → FRAME (MAC header + packet + FCS)
Key Layer 2 Concepts
Ethernet frame structure and MAC addressing
Ethernet frame: Dst MAC · Src MAC · EtherType · Payload · FCS
MAC address: 48 bits — OUI (24b) + Device ID (24b)
Unicast MAC: Bit 0 of first byte = 0
Multicast MAC: Bit 0 of first byte = 1
Broadcast MAC: FF:FF:FF:FF:FF:FF
ARP: Resolves IP → MAC (Layer 2↔3 glue)
ARP Request: Broadcast — "Who has 192.168.1.1?"
ARP Reply: Unicast — "I have it, here's my MAC"
ARP cache: arp -a (Windows/Linux) — show mappings
Switch CAM table: MAC → port mappings (show mac address-table)
Layer 3 — IP Packet Header
Key fields in an IPv4 packet header
Version: 4 (IPv4) or 6 (IPv6)
IHL: Header length in 32-bit words (min=5, 20 bytes)
DSCP / ToS: QoS marking — traffic class
Total Length: Entire packet size including header
TTL: Time-to-Live — decremented at each hop, drops at 0
Protocol: 6=TCP · 17=UDP · 1=ICMP · 89=OSPF
Src IP / Dst IP: 32-bit source and destination addresses
ICMP: Type 0=Echo Reply · 8=Echo Req · 3=Dest Unreachable
ICMP Type 11: TTL Exceeded — used by traceroute
ping: Sends ICMP echo request (type 8), expects reply (type 0)
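The fields listed above can be decoded and sanity-checked before a tool trusts them, as in this added Python example (not part of the original reference). The function names and the sample header bytes are constructed for illustration, and the header checksum is not verified.

```python
import ipaddress
import struct

# Protocol numbers taken from the field list above.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header, rejecting malformed input."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_len, _ident, _flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the minimum of 5")
    header_len = ihl * 4                      # IHL counts 32-bit words
    if header_len > len(raw):
        raise ValueError("IHL points past the captured bytes")
    if total_len < header_len:
        raise ValueError("Total Length is smaller than the header")
    return {
        "version": version,
        "header_len": header_len,
        "dscp": tos >> 2,                     # upper 6 bits of the ToS byte
        "total_length": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def build_sample(ihl=5, ttl=64, proto=1, dscp=0) -> bytes:
    """Constructed sample header: 192.168.1.10 -> 192.168.1.1, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, dscp << 2, 84, 0, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address("192.168.1.10").packed,
                       ipaddress.IPv4Address("192.168.1.1").packed)


if __name__ == "__main__":
    print(parse_ipv4_header(build_sample()))
    try:
        parse_ipv4_header(build_sample(ihl=3))    # IHL below the minimum
    except ValueError as err:
        print("rejected:", err)
```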

DNS

Domain Name System · Port 53 (UDP/TCP)

Translates hostnames to IP addresses. UDP for queries ≤512 bytes; TCP for larger responses or zone transfers.

A record: Hostname → IPv4
AAAA record: Hostname → IPv6
MX record: Mail server for domain
PTR record: IP → Hostname (reverse DNS)
CNAME: Alias to another hostname
TTL: How long to cache the record
Root servers → TLD servers (.com, .net) → Authoritative servers → Local resolver → Client

DHCP

Dynamic Host Config Protocol · UDP 67/68

Automatically assigns IP address, subnet mask, default gateway, DNS server, and lease time to clients.

DORA: Discover → Offer → Request → Ack
Discover: Client broadcasts (255.255.255.255)
Offer: Server offers an IP address
Request: Client accepts the offer (broadcast)
Ack: Server confirms the lease
ip helper-address: Relay DHCP across subnets
Lease renewal: At 50% of lease time (T1)

HTTP / HTTPS

Hypertext Transfer Protocol · Port 80 / 443

Application-layer protocol for web traffic. HTTPS adds TLS encryption over TCP.

GET: Retrieve a resource
POST: Submit data to server
200 OK: Request succeeded
301/302: Redirect
404: Not found
500: Server error
TLS handshake: Hello → Cert → Key exchange → Symmetric

FTP / TFTP / SFTP

File Transfer Protocols
FTP control: TCP 21 — commands
FTP data: TCP 20 — file data (active mode)
FTP passive: Client opens data connection (NAT-friendly)
TFTP: UDP 69 — simple, no auth, used for IOS upgrade
SFTP: SSH-based FTP — encrypted, TCP 22
SCP: Secure copy over SSH — TCP 22
Cisco uses TFTP (UDP 69) to copy IOS images and config files to and from a TFTP server.

SSH & Telnet

Remote access protocols
Telnet (port 23) sends data in clear text — never use in production. Always use SSH (port 22) instead.
Telnet: TCP 23 · plaintext · insecure
SSH v2: TCP 22 · encrypted · preferred
# Enable SSH on Cisco IOS
R1(config)# ip domain-name ccna.local
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
# login local authenticates against a local user (username <name> secret <password>)
R1(config-line)# login local

SNMP

Simple Network Management Protocol · UDP 161/162

Framework for monitoring and managing network devices. Agent runs on devices; Manager collects data.

GET: Manager requests value from agent
SET: Manager writes value to agent
TRAP: Agent sends unsolicited alert to manager (UDP 162)
MIB: Management Information Base — object database
OID: Object Identifier — unique ID for each MIB object
SNMPv1/v2c: Community string auth (insecure plaintext)
SNMPv3: Auth + encryption — use this in production

NTP

Network Time Protocol · UDP 123

Synchronizes clocks across network devices. Critical for log correlation, security certificates, and Kerberos.

Stratum 0: Atomic clocks, GPS — reference source
Stratum 1: Directly connected to Stratum 0
Stratum 2+: Each hop adds 1 stratum level
Max stratum: 15 (16 = unsynchronized)
# Configure NTP client
R1(config)# ntp server 216.239.35.0
R1# show ntp status
R1# show ntp associations

Syslog

System Logging · UDP 514

Standard for logging device messages to a central server. Severity levels 0–7.

| Level | Name | Description |
|---|---|---|
| 0 | Emergency | System unusable |
| 1 | Alert | Immediate action needed |
| 2 | Critical | Critical condition |
| 3 | Error | Error condition |
| 4 | Warning | Warning condition |
| 5 | Notice | Normal but significant |
| 6 | Info | Informational |
| 7 | Debug | Debug messages |

CDP & LLDP

Layer 2 Discovery Protocols
Discovery protocols let network devices advertise themselves and learn about directly connected neighbours — without IP.
CDP: Cisco Discovery Protocol — Cisco proprietary
LLDP: Link Layer Discovery Protocol — IEEE 802.1AB open standard
Scope: Layer 2 only — not forwarded by routers
CDP timer: Sends every 60s, holdtime 180s
# CDP commands
R1# show cdp neighbors
R1# show cdp neighbors detail
R1(config)# no cdp run (disable globally)
# LLDP commands
R1(config)# lldp run
R1# show lldp neighbors

QoS

Quality of Service — traffic prioritization

Manages bandwidth, delay, jitter, and loss for different traffic types. Voice and video require priority treatment.

Classification: Identify traffic type (ACL, DSCP, NBAR)
Marking: Tag packets (DSCP in IP header, CoS in 802.1Q)
Queuing: Place traffic in priority queues
Shaping: Delay excess traffic to conform to rate
Policing: Drop excess traffic above rate
DSCP EF: Expedited Forwarding (46) — voice RTP
DSCP AF: Assured Forwarding (video, data tiers)
CoS values: 0–7 in 802.1Q tag — 5=voice, 4=video

Network Automation

Programmability & APIs
REST API: HTTP verbs: GET, POST, PUT, DELETE, PATCH
JSON: Key-value data format used by REST APIs
YANG: Data modelling language for network config
NETCONF: XML-based protocol, SSH transport (port 830)
RESTCONF: REST-based, HTTP/HTTPS, uses YANG models
Ansible: Agentless, YAML playbooks, SSH
Puppet: Agent-based, Ruby DSL, pull model
Chef: Agent-based, Ruby, cookbook/recipe model
SDN: Separates control plane (decisions) from data plane (forwarding). Controller (e.g. Cisco APIC-EM) programs devices via southbound APIs.

Well-Known Port Numbers

Ports 0–1023 are well-known. Memorise these for the CCNA exam — especially for ACL rules.

TCP Ports
Connection-oriented — reliable delivery
| Port | Protocol | Description |
|---|---|---|
| 20 | FTP-data | File Transfer data channel (active) |
| 21 | FTP | File Transfer control channel |
| 22 | SSH / SCP / SFTP | Secure Shell and secure file transfer |
| 23 | Telnet | Remote terminal (insecure — avoid) |
| 25 | SMTP | Simple Mail Transfer Protocol (send) |
| 80 | HTTP | HyperText Transfer Protocol |
| 110 | POP3 | Post Office Protocol v3 (receive mail) |
| 143 | IMAP | Internet Message Access Protocol |
| 443 | HTTPS | HTTP over TLS/SSL |
| 445 | SMB | Server Message Block (file sharing) |
| 3389 | RDP | Remote Desktop Protocol |
UDP Ports
Connectionless — low overhead, best-effort
| Port | Protocol | Description |
|---|---|---|
| 53 | DNS | Domain Name System queries (also TCP for large) |
| 67 | DHCP server | DHCP server receives from clients |
| 68 | DHCP client | DHCP client receives from server |
| 69 | TFTP | Trivial File Transfer Protocol |
| 123 | NTP | Network Time Protocol |
| 161 | SNMP | SNMP agent (receives GET/SET) |
| 162 | SNMP Trap | SNMP manager (receives TRAPs) |
| 514 | Syslog | System logging to remote server |
| 5246 | CAPWAP ctrl | WLC control plane for lightweight APs |
| 5247 | CAPWAP data | WLC data plane tunnel |
DNS uses UDP 53 for normal queries but TCP 53 for responses >512 bytes or zone transfers.
STP — How It Works
IEEE 802.1D — prevents Layer 2 loops

STP builds a loop-free logical topology by electing a Root Bridge and placing redundant links into a Blocking state. BPDUs (Bridge Protocol Data Units) are exchanged to share topology info.

Election Process
1. Elect Root Bridge — lowest Bridge ID wins.
Bridge ID = Priority (default 32768) + VLAN ID + MAC. Lowest wins.
2. Elect Root Ports — on every non-root switch.
Best (lowest cost) path to Root Bridge. One per switch.
3. Elect Designated Ports — one per segment.
Best path for the segment toward Root. Forwards frames.
4. Block remaining ports — all others become Alternate.
Prevents loops. Still receives BPDUs but drops data frames.
| Port Role | State | Action |
|---|---|---|
| Root | Forwarding | Best path to Root Bridge |
| Designated | Forwarding | Forwards on segment |
| Alternate | Blocking | Backup — receives BPDUs only |
| Backup | Blocking | Redundant designated port |
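Step 1 of the election, and the reason BPDU Guard belongs on edge ports, can be modelled as follows. This is an added Python example, not part of the original reference: the switch names and MAC addresses are constructed, and the check that priorities are multiples of 4096 reflects the extended system ID rule on Cisco switches rather than anything stated above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                 # base MAC address (constructed sample value)
    priority: int = 32768    # default priority from the text

    def bridge_id(self, vlan: int) -> tuple:
        """Bridge ID as (priority + VLAN ID, MAC as integer); lower wins."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        return (self.priority + vlan, int(self.mac.replace(":", ""), 16))


def elect_root(switches, vlan):
    """Step 1: the switch with the lowest Bridge ID becomes Root Bridge."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def receive_bpdu_on_edge_port(current_root, sender, vlan, bpdu_guard):
    """Model a BPDU arriving on a PortFast (edge) port.

    With BPDU Guard the port is err-disabled and the BPDU is ignored.
    Without it the sender takes part in the election like any other switch.
    Returns (root after the event, resulting port state).
    """
    if bpdu_guard:
        return current_root, "err-disabled"
    return elect_root([current_root, sender], vlan), "forwarding"


if __name__ == "__main__":
    s1 = Switch("S1", "00:1a:2b:00:00:03")
    s2 = Switch("S2", "00:1a:2b:00:00:01")
    s3 = Switch("S3", "00:1a:2b:00:00:02", priority=24576)
    print("defaults only :", elect_root([s1, s2], 10).name)       # lowest MAC
    print("tuned priority:", elect_root([s1, s2, s3], 10).name)   # lowest priority
    unexpected = Switch("X", "00:1a:2b:00:00:ff", priority=4096)
    for guard in (False, True):
        root, state = receive_bpdu_on_edge_port(s3, unexpected, 10, guard)
        print(f"bpdu_guard={guard}: root={root.name}, port={state}")
```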
STP Port States & Timers
802.1D vs Rapid PVST+
802.1D States (Classic STP)
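| State | Sends BPDUs | Learns MACs | Forwards | Duration |
|---|---|---|---|---|
| Blocking | No | No | No | 20s (Max Age) |
| Listening | Yes | No | No | 15s (Fwd Delay) |
| Learning | Yes | Yes | No | 15s (Fwd Delay) |
| Forwarding | Yes | Yes | Yes | Stable |
| Disabled | No | No | No | Admin down |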
Classic STP convergence: up to 50 seconds (20s max age + 15s listening + 15s learning)
Rapid PVST+ (802.1w) Improvements
Convergence: ~1–2 seconds (vs 30–50s for classic)
Port roles: Adds Alternate + Backup roles
PortFast: Edge ports skip Listening/Learning
BPDU Guard: err-disables if BPDU received on PortFast port
Link types: Point-to-point (full duplex) converges instantly
# Force Rapid PVST+
S1(config)# spanning-tree mode rapid-pvst
S1(config)# spanning-tree vlan 10 root primary
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
TCP — Transmission Control Protocol
Connection-oriented · Reliable · Ordered · Error-checked
TCP establishes a connection before data exchange. Uses a 3-way handshake and acknowledges every segment. If packets are lost, they are retransmitted.
3-Way Handshake
Client → Server: SYN (seq=100)
Server → Client: SYN-ACK (seq=300, ack=101)
Client → Server: ACK (ack=301) — connection established
TCP Header Fields
Src/Dst Port: 16-bit port numbers each
Sequence #: Track byte ordering
Ack #: Next expected byte from sender
Flags: SYN, ACK, FIN, RST, PSH, URG
Window size: Flow control — how much data receiver can buffer
FIN / FIN-ACK: 4-way connection teardown
UDP — User Datagram Protocol
Connectionless · Best-effort · No ordering · Low overhead
UDP sends datagrams without establishing a connection. No ACKs, no retransmission. Application layer handles reliability if needed. Best for real-time traffic where speed matters more than completeness.
UDP Header (only 8 bytes)
Src Port: 16-bit source port
Dst Port: 16-bit destination port
Length: Datagram length including header
Checksum: Error detection (optional in IPv4)
TCP vs UDP Use Cases
| TCP — use when | UDP — use when |
|---|---|
| Data must arrive intact | Speed matters more than completeness |
| HTTP, FTP, SSH, SMTP | VoIP, video streaming, DNS, DHCP |
| File downloads | Online gaming, live streams |
| Database transactions | TFTP, NTP, SNMP |

Essential IOS Command Reference

The most important show and config commands for the CCNA exam and Packet Tracer labs.

Router — Verification
# Interface status
R1# show ip interface brief
R1# show interfaces GigabitEthernet0/0/0
# Routing table
R1# show ip route
R1# show ip route ospf
R1# show ip route static
# OSPF
R1# show ip ospf neighbor
R1# show ip ospf interface brief
R1# show ip ospf database
# NAT
R1# show ip nat translations
R1# show ip nat statistics
# ACLs
R1# show access-lists
R1# show ip interface Gi0/0/0
# General
R1# show version
R1# show running-config
R1# show startup-config
Switch — Verification
# VLANs and trunking
S1# show vlan brief
S1# show interfaces trunk
S1# show interfaces Fa0/1 switchport
# MAC address table
S1# show mac address-table
S1# show mac address-table dynamic
# STP
S1# show spanning-tree
S1# show spanning-tree vlan 10
S1# show spanning-tree summary
# EtherChannel
S1# show etherchannel summary
S1# show etherchannel port-channel
# Port security
S1# show port-security interface Fa0/1
S1# show port-security
# CDP / LLDP
S1# show cdp neighbors detail
IPv6 Verification
# Interface info
R1# show ipv6 interface brief
R1# show ipv6 interface GigabitEthernet0/0/0
# Routing table
R1# show ipv6 route
R1# show ipv6 route ospf
# Neighbors (NDP table = like ARP table)
R1# show ipv6 neighbors
# DHCPv6
R1# show ipv6 dhcp binding
R1# show ipv6 dhcp pool
# OSPFv3
R1# show ipv6 ospf neighbor
R1# show ipv6 ospf database
Troubleshooting Commands
# Connectivity testing
R1# ping 192.168.1.1
R1# ping 192.168.1.1 repeat 100
R1# ping ipv6 2001:DB8::1
R1# traceroute 192.168.2.10
# Debug (use carefully!)
R1# debug ip ospf events
R1# debug ip packet
R1# no debug all ← always turn off
# CDP layer-2 neighbour check
R1# show cdp neighbors
# Interface errors
R1# show interfaces ← check Input/Output errors
R1# clear counters
# Save and reload
R1# copy running-config startup-config
R1# reload
IOS Navigation & Modes
# Mode prompts
Router> ← User EXEC (show only)
Router# ← Privileged EXEC (all show)
Router(config)# ← Global Config
Router(config-if)# ← Interface Config
Router(config-router)# ← Router Config
# Mode transitions
Router> enable → privileged
Router# configure terminal → global config
Router(config)# interface Gi0/0 → if config
Router(config-if)# exit → back one level
Router(config-if)# end → back to privileged
Router# disable → user exec
# Helpful shortcuts
? context-sensitive help
Tab auto-complete
Ctrl+Z return to privileged
Ctrl+C abort command
show history past commands
Password & Security Hardening
# Set hostname
Router(config)# hostname R1
# Console password
R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# login
# Enable secret (encrypted)
R1(config)# enable secret Str0ngP@ss
# Encrypt all plaintext passwords (type 7 is reversible obfuscation; prefer "secret" where available)
R1(config)# service password-encryption
# Banner
R1(config)# banner motd # Authorized access only #
# Local user for SSH
R1(config)# username admin secret Str0ng
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
# Disable unused services
R1(config)# no cdp run (if not needed)
R1(config)# no ip http server
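The hardening settings above, together with the SSH and SNMP guidance earlier on this page, can be checked against a saved configuration. This added Python example is not part of the original reference; the sample running-config is constructed, and the audit function covers only the items this page names.

```python
# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
enable password cisco
ip http server
snmp-server community public RO
line vty 0 4
 login local
 transport input telnet ssh
"""


def audit(config: str) -> list:
    """Return findings for settings this page says to avoid or to require."""
    findings = []
    section = ""             # current top-level block, e.g. "line vty 0 4"
    has_secret = has_ssh_v2 = False
    for line in config.splitlines():
        cmd = line.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not line[0].isspace():    # sub-commands are indented in the config
            section = cmd
        if cmd.startswith("enable secret"):
            has_secret = True
        elif cmd.startswith("enable password"):
            findings.append("enable password set; use enable secret")
        elif cmd == "ip ssh version 2":
            has_ssh_v2 = True
        elif cmd == "ip http server":
            findings.append("HTTP server enabled; use no ip http server")
        elif cmd.startswith("snmp-server community"):
            findings.append("SNMPv1/v2c community string; use SNMPv3")
        elif cmd.startswith("transport input") and section.startswith("line vty"):
            if set(cmd.split()[2:]) & {"telnet", "all"}:
                findings.append(f"{section}: Telnet allowed; use transport input ssh")
    if not has_secret:
        findings.append("no enable secret configured")
    if not has_ssh_v2:
        findings.append("ip ssh version 2 not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```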
SDN Architecture
Exam 6.2 + 6.3 — controller-based networking concepts

Software-Defined Networking separates the control plane (routing decisions) from the data plane (packet forwarding). A centralised controller programs the data plane.

Control plane: Makes routing/forwarding decisions — runs on controller
Data plane: Forwards packets based on control plane instructions
Management plane: Out-of-band management — SSH, SNMP, NETCONF
Overlay / Underlay / Fabric
Underlay: Physical network — routers, switches, links (IP routing)
Overlay: Virtual network tunnelled over underlay (VXLAN, GRE)
Fabric: Combined underlay + overlay + controller — e.g. Cisco SD-Access
Controller APIs
Northbound API: Controller ↔ Applications — REST/JSON (what apps use)
Southbound API: Controller ↔ Network devices — OpenFlow, NETCONF, RESTCONF
East/Westbound: Controller ↔ Controller — multi-domain federation
Cisco DNA Center (now Catalyst Center) is the enterprise SDN controller for SD-Access. Uses RESTCONF/NETCONF southbound and REST API northbound.
Configuration Management Tools
Exam 6.6 — Ansible and Terraform
ANSIBLE — Configuration Management
Agentless · YAML · Push model
No agent on managed devices. Uses SSH/NETCONF to push config. Playbooks written in YAML. Idempotent — safe to run repeatedly. Best for configuring existing devices.
Inventory → Playbook → Tasks → Modules
TERRAFORM — Infrastructure as Code
Declarative · HCL · Provisioning
Provisions infrastructure — VMs, networks, cloud resources. Declarative HCL (HashiCorp Config Language). State file tracks what's deployed. Best for spinning up new infrastructure.
Write HCL → terraform plan → terraform apply
| Aspect | Ansible | Terraform |
|---|---|---|
| Language | YAML | HCL |
| Agent | Agentless | Agentless |
| Model | Procedural / imperative | Declarative |
| Focus | Config management | Infrastructure provisioning |
| State | No state file | terraform.tfstate |
REST API Concepts
Exam 6.5 — CRUD operations and HTTP verbs
| CRUD | HTTP Verb | Action | Idempotent? |
|---|---|---|---|
| Create | POST | Create new resource | No |
| Read | GET | Retrieve resource | Yes |
| Update | PUT | Replace full resource | Yes |
| Update | PATCH | Partial update | No |
| Delete | DELETE | Remove resource | Yes |
JSON — Exam 6.7
{
  "interface": {
    "name": "GigabitEthernet0/0/0",
    "ip-address": "192.168.1.1",
    "prefix-length": 24,
    "enabled": true,
    "description": "LAN interface"
  }
}
// JSON structure rules:
// Objects: { "key": value }
// Arrays: [ value1, value2 ]
// Types: string, number, boolean, null, object, array
// Keys must be strings in double quotes
Traditional vs Controller-Based
Exam 6.2 — key differences
| Aspect | Traditional | Controller-Based |
|---|---|---|
| Config method | Per-device CLI | Centralised controller |
| Control plane | Distributed (each device) | Centralised (controller) |
| Consistency | Manual — error-prone | Automated — uniform |
| Visibility | Per-device show cmds | Single-pane dashboard |
| Scaling | Slow — touch each device | Fast — push to all |
| Vendor | Any | Often vendor-specific |

NETCONF: XML over SSH (port 830) — structured config
RESTCONF: HTTP/S REST API — uses YANG models
YANG: Data modelling language for network config/state
OpenFlow: Early SDN southbound API — flow table programming

AI & Machine Learning in Networking

Exam topic 6.4 — new in CCNA v1.1 (August 2024). Understand the concepts, not the maths.

AI Categories — Generative vs Predictive
Know the distinction for the v1.1 exam
PREDICTIVE AI / ML
Analyses patterns to forecast outcomes
Trained on historical data to predict future events. Used in network operations for anomaly detection, traffic forecasting, and failure prediction. Examples: detecting unusual traffic volumes, predicting link saturation.
Learns from past data → predicts/classifies
GENERATIVE AI
Creates new content from learned patterns
Generates text, code, configurations, or synthetic data. In networking: auto-generating device configs, writing troubleshooting runbooks, translating natural language to CLI commands.
Generates new outputs → config, text, code
ML in Network Operations
Real use cases in modern network management
🔍 Anomaly Detection
ML baselines normal traffic patterns. Alerts when behaviour deviates significantly — potential intrusion, misconfiguration, or DDoS.
📈 Predictive Maintenance
Analyses interface error trends, optical power levels, CPU/memory to predict failures before they happen.
⚡ Network Optimisation
ML-driven traffic engineering, dynamic QoS adjustments, automated path selection based on real-time conditions.
🛡 Security Threat Detection
Identifies malware C2 traffic, zero-day exploits, insider threats by correlating NetFlow, DNS, and endpoint telemetry.
Key ML Concepts for CCNA
You need to recognise these terms — not implement them
Supervised learning: Trained on labelled data — predicts outcomes
Unsupervised learning: Finds patterns in unlabelled data — clustering
Reinforcement learning: Agent learns by reward/penalty — optimisation
Training data: Historical dataset used to build the model
Inference: Using a trained model to make predictions
Neural network: ML model loosely inspired by brain neurons
Cisco DNA Center / Catalyst Center uses ML for: network assurance, client experience scoring, proactive issue detection, and AI-driven root cause analysis.
Exam focus: Know the difference between generative AI (creates content) and predictive AI/ML (forecasts based on data). Know 2–3 use cases for each in a networking context.