CCNA: Network Fundamentals

Network Fundamentals

Domain 1 of the CCNA 200-301 exam (~20% of questions). Covers the building blocks every network engineer needs: the OSI model, TCP/IP protocols, IPv4/IPv6 addressing, and basic switching concepts.

~20% of Exam · ~24 Questions

Exam Domain Breakdown (CCNA 200-301)

Domain	Weight	Key Topics
1. Network Fundamentals	20%	OSI, TCP/IP, IPv4/IPv6, TCP/UDP, switching, cloud
2. Network Access	20%	VLANs, STP, wireless, L2 security
3. IP Connectivity	25%	Routing, OSPF, static routes, FHRP
4. IP Services	10%	NAT, DHCP, DNS, NTP, SNMP, QoS
5. Security Fundamentals	15%	ACLs, VPN, AAA, threats, hardening
6. Automation & Programmability	10%	REST APIs, Python, Ansible, SD-WAN

Core Concepts at a Glance

OSI Model (7 Layers)

Mnemonic: "Please Do Not Throw Sausage Pizza Away"
Physical · Data Link · Network · Transport · Session · Presentation · Application
Devices: Hub (L1), Switch (L2), Router (L3), Firewall/Gateway (L4+)

TCP vs UDP

TCP: Connection-oriented, reliable, ordered, flow control, 3-way handshake (SYN→SYN-ACK→ACK). Used by HTTP, HTTPS, FTP, SSH.
UDP: Connectionless, fast, no guarantee. Used by DNS, DHCP, VoIP, streaming.

IPv4 Subnetting Essentials

Hosts per subnet = 2ⁿ − 2 (n = host bits).
/24 → 254 hosts · /25 → 126 · /26 → 62 · /27 → 30 · /28 → 14 · /29 → 6 · /30 → 2
Private: 10.x.x.x · 172.16–31.x.x · 192.168.x.x

IPv6 Basics

128-bit address, written as 8 groups of 4 hex digits separated by colons.
Abbreviation: drop leading zeros, replace consecutive zero groups with :: (once).
Types: Unicast (GUA, LLA, ULA) · Multicast · Anycast

Switching Fundamentals

Switch builds a CAM table (MAC → port mapping) by learning source MACs from incoming frames. Forwards to known destination, floods unknown unicast/broadcast/multicast to all ports except source.

Cloud Deployment Models

Public: Shared infrastructure, provider-managed (AWS, Azure).
Private: Dedicated to one org, on-prem or hosted.
Hybrid: Mix of public + private.
Community: Shared by orgs with common needs.

Exam Tips

Subnetting Speed

Memorize the "magic number" table: /24=256, /25=128, /26=64, /27=32, /28=16, /29=8, /30=4. Block size − 2 = usable hosts. The network ID is always the first address; broadcast is always the last.

OSI Layer Traps

Exam loves asking which device/protocol operates at which layer. Remember: ARP = L2/L3 boundary (uses both MAC and IP), Switches = L2, Routers = L3, Transport = L4 (TCP/UDP port numbers).

TCP/IP vs OSI

TCP/IP has 4 layers: Application (= OSI App+Pres+Sess), Transport (= L4), Internet (= L3), Network Access (= L1+L2). Don't confuse the two models on the exam — know which model the question is using.

OSI Model & TCP/IP Stack

The OSI model provides a universal framework for understanding how network protocols work. The TCP/IP model is the practical implementation used on the internet.

OSI Model — All 7 Layers

Layer	Name	PDU	Protocols / Devices	Key Function
7	Application	Data	HTTP, HTTPS, FTP, SSH, DNS, SMTP	User-facing services
6	Presentation	Data	TLS/SSL, JPEG, MPEG	Encryption, compression, format translation
5	Session	Data	NetBIOS, RPC, SQL sessions	Establish, manage, terminate sessions
4	Transport	Segment	TCP, UDP	End-to-end delivery, flow control, error recovery
3	Network	Packet	IP, ICMP, OSPF, BGP — Router	Logical addressing, routing
2	Data Link	Frame	Ethernet, Wi-Fi, PPP — Switch, Bridge	MAC addressing, frame delivery within LAN
1	Physical	Bits	RJ-45, fiber, coax — Hub, Repeater	Bit transmission over physical medium

TCP/IP Model vs OSI Mapping

TCP/IP Layer	OSI Equivalent	Protocols
Application	Application, Presentation, Session (5–7)	HTTP, DNS, SMTP, FTP, SSH, SNMP
Transport	Transport (4)	TCP, UDP
Internet	Network (3)	IPv4, IPv6, ICMP, ARP
Network Access	Data Link + Physical (1–2)	Ethernet, Wi-Fi, PPP

TCP vs UDP — Deep Dive

Feature	TCP	UDP
Connection type	Connection-oriented (3-way handshake)	Connectionless
Reliability	Guaranteed delivery, ACKs, retransmit	Best-effort, no retransmit
Ordering	Sequenced (sequence numbers)	No ordering
Flow control	Yes (sliding window)	No
Speed	Slower (overhead)	Faster (low overhead)
Use cases	HTTP/S, FTP, SSH, email	DNS, DHCP, VoIP, video streaming, TFTP
Header size	20–60 bytes	8 bytes

TCP 3-Way Handshake

Step 1 — SYN

Client sends SYN (synchronize) to server, proposes initial sequence number (ISN).

Step 2 — SYN-ACK

Server replies with SYN-ACK: acknowledges client ISN+1, provides its own ISN.

Step 3 — ACK

Client sends ACK: acknowledges server ISN+1. Connection established. Data transfer begins.

Key Protocol Port Numbers

Protocol	Port	Transport	Purpose
FTP Data / Control	20 / 21	TCP	File Transfer Protocol
SSH	22	TCP	Secure remote shell
Telnet	23	TCP	Remote shell (insecure)
SMTP	25	TCP	Email sending
DNS	53	TCP/UDP	Name resolution
DHCP Client / Server	67 / 68	UDP	Dynamic IP assignment
TFTP	69	UDP	Simple file transfer
HTTP	80	TCP	Web traffic
HTTPS	443	TCP	Encrypted web traffic
SNMP	161 / 162	UDP	Network monitoring
NTP	123	UDP	Time synchronization
Syslog	514	UDP	Log messages

IPv4 Addressing & Subnetting

IPv4 uses 32-bit addresses written in dotted-decimal notation. Subnetting divides address space into smaller networks. IPv6 uses 128-bit addresses to replace IPv4 exhaustion.

IPv4 Address Classes (Historical)

Class	First Octet	Default Mask	Range	Use
A	1–126	/8	1.0.0.0–126.255.255.255	Large networks
B	128–191	/16	128.0.0.0–191.255.255.255	Medium networks
C	192–223	/24	192.0.0.0–223.255.255.255	Small networks
D	224–239	N/A	224.0.0.0–239.255.255.255	Multicast
E	240–255	N/A	240.0.0.0–255.255.255.255	Reserved/Research

Private IP Address Ranges (RFC 1918)

10.0.0.0/8

Range: 10.0.0.0 – 10.255.255.255
Class A private block — 16,777,216 addresses. Common in large enterprises.

172.16.0.0/12

Range: 172.16.0.0 – 172.31.255.255
Class B private block — 1,048,576 addresses. Common in medium businesses.

192.168.0.0/16

Range: 192.168.0.0 – 192.168.255.255
Class C private block — 65,536 addresses. Common in homes and small offices.

CIDR Subnet Reference Table

CIDR	Subnet Mask	Block Size	Usable Hosts	Example Network ID
/24	255.255.255.0	256	254	192.168.1.0
/25	255.255.255.128	128	126	192.168.1.0 / .128
/26	255.255.255.192	64	62	192.168.1.0 / .64 / .128 / .192
/27	255.255.255.224	32	30	192.168.1.0, .32, .64…
/28	255.255.255.240	16	14	192.168.1.0, .16, .32…
/29	255.255.255.248	8	6	192.168.1.0, .8, .16…
/30	255.255.255.252	4	2	Point-to-point links
/32	255.255.255.255	1	0 (host route)	Loopback, host route

Subnetting Example — 192.168.10.0/26

Step 1: Block Size

/26 → 256 − 192 = 64 addresses per subnet. Four subnets fit in /24: .0, .64, .128, .192

Step 2: Usable Hosts

64 − 2 = 62 usable hosts. Network ID = .0, Broadcast = .63, First host = .1, Last host = .62

Step 3: Identify Subnet

IP 192.168.10.75 → falls in 192.168.10.64/26 (64–127). Network = .64, Broadcast = .127, Host range = .65–.126

Special IPv4 Addresses

Address	Purpose
0.0.0.0	Unspecified / default route (all networks)
127.0.0.1	Loopback — tests local TCP/IP stack
169.254.0.0/16	APIPA — auto-assigned when DHCP fails
255.255.255.255	Limited broadcast (stays on local segment)
x.x.x.255 (in /24)	Directed broadcast for that subnet

IPv6 Essentials

IPv6 Notation

128 bits = 8 groups of 4 hex digits: 2001:0db8:0000:0000:0000:ff00:0042:8329
Compressed: 2001:db8::ff00:42:8329
Rule: drop leading zeros; use :: once for longest consecutive zero group.

IPv6 Address Types

GUA (2000::/3): Globally routable, public internet.
LLA (FE80::/10): Link-local, auto-configured, not routed.
ULA (FC00::/7): Unique local — like private IPv4.
Multicast (FF00::/8): One-to-many. Replaces broadcast.

IPv6 vs IPv4 Key Differences

No broadcast (replaced by multicast/anycast). No ARP — uses NDP (Neighbor Discovery Protocol). No fragmentation at routers. Built-in IPsec support. EUI-64 auto-configures interface IDs from MAC.

Switching & Ethernet

Switches operate at Layer 2, using MAC addresses to intelligently forward frames within a LAN. Understanding the CAM table, frame structure, and basic switching behavior is foundational for the CCNA exam.

How a Switch Works

Learning

Switch reads the source MAC of every incoming frame and records it in the CAM table (also called MAC address table) with the ingress port. CAM entries age out (default: 300 seconds).

Forwarding

If the destination MAC is in the CAM table, the frame is forwarded only to that port. This reduces unnecessary traffic compared to a hub, which broadcasts everything.

Flooding

If destination MAC is unknown, or the frame is a broadcast (FF:FF:FF:FF:FF:FF) or multicast, the switch floods out all ports except the source port.

Ethernet Frame Structure

Field	Size	Purpose
Preamble + SFD	8 bytes	Synchronization, start-of-frame delimiter
Destination MAC	6 bytes	MAC address of next-hop or destination device
Source MAC	6 bytes	MAC address of sending interface
EtherType / Length	2 bytes	Identifies upper-layer protocol (0x0800=IPv4, 0x86DD=IPv6, 0x0806=ARP)
Data / Payload	46–1500 bytes	IP packet or upper-layer PDU
FCS (CRC)	4 bytes	Error detection (cyclic redundancy check)

ARP — Address Resolution Protocol

Purpose

ARP resolves a known IP address to an unknown MAC address on the local subnet. Required before a device can send a frame to another device on the same LAN.

Process

1. Device broadcasts: "Who has IP 192.168.1.1? Tell 192.168.1.10"
2. Target device unicasts its MAC back.
3. Sender caches the mapping in its ARP table (temporary).

Gratuitous ARP

Device sends ARP reply without a request — used to announce a new IP/MAC binding (e.g., after failover). Can be exploited for ARP spoofing attacks.

Hub vs Switch vs Router

Device	OSI Layer	Forwarding Logic	Collision Domain	Broadcast Domain
Hub	L1	Repeats all bits to all ports	One shared	One shared
Switch	L2	Forwards by MAC address	Per port (full duplex)	One per switch (unless VLANs)
Router	L3	Routes by IP address	Per interface	Per interface (separates BDs)

Duplex & Speed

Half Duplex

Device can either send or receive — not simultaneously. Older technology (hubs). Uses CSMA/CD to detect collisions.

Full Duplex

Device can send and receive simultaneously. Modern switches support full duplex on every port. No collisions — CSMA/CD disabled. Much higher throughput.

Duplex Mismatch

One side set to full, other to half. Results in late collisions, CRC errors, poor performance — a common misconfiguration. Always set speed and duplex explicitly or use autonegotiation consistently.

Cloud Service Models

Model	Full Name	Customer Manages	Provider Manages	Example
IaaS	Infrastructure as a Service	OS, apps, data	Hardware, networking, storage	AWS EC2, Azure VMs
PaaS	Platform as a Service	Applications, data	OS, runtime, middleware	Heroku, Google App Engine
SaaS	Software as a Service	Data, some settings	Everything else	Salesforce, Office 365

Memory Hooks

Six sticky mental anchors for the highest-yield Network Fundamentals concepts.

🍕

OSI Mnemonic

"Please Do Not Throw Sausage Pizza Away"

Physical → Data Link → Network → Transport → Session → Presentation → Application. Remember bottom-up for troubleshooting (start at Physical Layer 1).

📞

TCP vs UDP

TCP = "Telephone Call" · UDP = "USB Drive"

TCP is like a phone call — you must connect first, confirm the other side is there, and hang up properly. UDP is like dropping a USB drive in a mailbox — you send it and hope they get it. DNS uses UDP; SSH uses TCP.

✂️

Subnet Host Formula

Block Size − 2 = Usable Hosts

/27 → block=32 → 32−2=30 hosts. /26 → 64−2=62. /28 → 16−2=14. Subtract 1 for network ID, 1 for broadcast. Always block size = 2^{(32−prefix)}.

🔒

Private IP Ranges

"10 large · 172 medium · 192 small"

10.0.0.0/8 (Class A — 16M hosts), 172.16–31.x.x/12 (Class B — 1M hosts), 192.168.x.x/16 (Class C — 65K hosts). Not routable on the public internet — require NAT to reach outside.

🗂️

Switch CAM Table

Learn Source → Forward Known → Flood Unknown

A switch ALWAYS learns from source MAC on ingress. It ONLY forwards to a specific port if the destination MAC is known. Unknown unicast, broadcast, and multicast are FLOODED to all ports except source.

🌐

IPv6 Address Types

"2=Global · FE80=Link-Local · FF=Multicast"

GUA starts with 2 or 3 (2000::/3) — publicly routable. LLA starts with FE80 — stays on local link, never routed. FF00::/8 = Multicast. No broadcast in IPv6 — replaced by multicast and anycast.

Flashcards & Study Advisor

Click any card to flip it. 8 high-yield concept cards for rapid review.

👆 Click a card to reveal the answer

OSI Layer 4

What protocol operates here and what does it guarantee?

Transport layer. TCP provides reliable, ordered, error-checked delivery with flow control via sliding window. UDP provides fast, connectionless, best-effort delivery. Both use port numbers to identify applications.

TCP 3-Way Handshake

What are the three steps to establish a TCP connection?

1. Client → SYN (proposes ISN)
2. Server → SYN-ACK (acknowledges ISN+1, sends own ISN)
3. Client → ACK (acknowledges server ISN+1)
Connection is now established. To close: 4-way FIN/ACK exchange.

/27 Subnet Math

Block size, usable hosts, and example host range?

Block size = 32 (256−224). Usable hosts = 30 (32−2).
Example: 192.168.1.0/27
Network: .0 | Broadcast: .31
Hosts: .1–.30
Next subnet: 192.168.1.32/27

ARP vs DNS

What does each resolve, and at which OSI layer?

ARP (L2/L3): Resolves IP address → MAC address. Operates locally within a subnet. Uses broadcast request, unicast reply.
DNS (L7): Resolves hostname → IP address. Uses UDP port 53 (TCP for zone transfers).

IPv6 LLA

What is a Link-Local Address and how is it formed?

Link-Local Address (FE80::/10): Auto-configured on every IPv6 interface. Never routed beyond the local link. Used by NDP (replaces ARP). Interface ID formed via EUI-64 (insert FF:FE into middle of MAC) or randomly.

CAM Table Flooding

When does a switch flood instead of forward?

Switch floods (out all ports except source) when:
1. Destination MAC is unknown (not in CAM table)
2. Frame is a broadcast (FF:FF:FF:FF:FF:FF)
3. Frame is multicast (no specific entry)
CAM entries age out after 300 seconds by default.

Cloud Service Models

What does the customer manage in IaaS, PaaS, and SaaS?

IaaS: Customer manages OS, apps, data. Provider manages hardware.
PaaS: Customer manages apps and data only. Provider manages runtime/OS.
SaaS: Customer manages data (and some settings). Provider manages everything. Think: IaaS=rent hardware, PaaS=rent platform, SaaS=rent software.

APIPA Address

When is 169.254.x.x assigned and why?

Automatic Private IP Addressing (169.254.0.0/16): Auto-assigned by OS when DHCP server is unreachable and no static IP is configured. Allows local communication but no internet access. Seeing 169.254.x.x = DHCP failure diagnostic indicator.

Study Advisor

Select a topic for targeted exam-day guidance.

OSI Model — Exam Strategy

Know the mnemonic both top-down (App→Physical) and bottom-up (Physical→App, used in troubleshooting).
Routers operate at L3. Switches at L2. Hubs at L1. Firewalls typically at L4+. Multilayer switches operate at L2 and L3.
Encapsulation adds headers going down the stack; decapsulation strips them going up. PDU names: Data → Segment → Packet → Frame → Bits.
ARP is technically L2 but uses L3 (IP) info — often described as L2/L3 boundary protocol.
Port numbers (TCP/UDP) live at L4. IP addresses at L3. MAC addresses at L2. Voltage/signals at L1.

Subnetting — Exam Strategy

Memorize the block size powers of 2: /24=256, /25=128, /26=64, /27=32, /28=16, /29=8, /30=4.
Usable hosts = block size − 2. Network ID (first) and broadcast (last) are not assignable.
To find which subnet an IP belongs to: divide the host octet by block size, floor it, multiply back. E.g., .75 ÷ 64 = 1 → subnet .64, broadcast .127.
Practice identifying: network ID, broadcast, first host, last host, and next subnet for any given CIDR prefix.
VLSM (Variable Length Subnet Masking) allows different subnet sizes within the same major network — allocate largest subnets first.

TCP & UDP — Exam Strategy

Memorize which common protocols use TCP vs UDP. DNS=UDP (53), DHCP=UDP (67/68), TFTP=UDP (69), HTTP=TCP (80), HTTPS=TCP (443), SSH=TCP (22).
TCP well-known traps: "reliable" = acknowledgments + retransmission, not just error detection. UDP = no retransmit.
TCP flow control uses a sliding window. If receiver buffer fills, it sends a window size of 0 (pause).
TCP connection teardown: 4-way FIN/ACK (not the same as 3-way handshake). FIN→ACK→FIN→ACK.
Wireshark tip: SYN=connection start, RST=abrupt reset/refused, FIN=graceful close.

Switching Basics — Exam Strategy

Always remember: switch learns from SOURCE MAC, forwards to DESTINATION MAC. It never learns from the destination.
Unknown unicast = flood. Broadcast = flood. Known unicast = forward to single port. Multicast = flood (unless IGMP snooping configured).
A CAM table is per-VLAN. If VLANs are configured, the switch maintains separate MAC tables per VLAN.
Full duplex eliminates collisions — CSMA/CD is disabled. Duplex mismatch causes late collisions and poor throughput.
show mac address-table — Cisco command to view the CAM table. Useful for troubleshooting unknown device locations.

IPv6 — Exam Strategy

Key prefix ranges to memorize: 2000::/3 = GUA (global), FE80::/10 = LLA (link-local), FF00::/8 = multicast, FC00::/7 = ULA (private).
IPv6 has NO broadcast. Replaced by all-nodes multicast (FF02::1), all-routers multicast (FF02::2).
NDP (Neighbor Discovery Protocol) replaces ARP in IPv6. Uses ICMPv6 messages: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement.
EUI-64: Take 48-bit MAC, split in half, insert FF:FE in the middle, then flip bit 7 (universal/local bit) to form a 64-bit interface ID.
Dual-stack: device runs both IPv4 and IPv6 simultaneously — most common transition mechanism on CCNA exam.

Network Fundamentals

Network Fundamentals

Exam Domain Breakdown (CCNA 200-301)

Core Concepts at a Glance

OSI Model (7 Layers)

TCP vs UDP

IPv4 Subnetting Essentials

IPv6 Basics

Switching Fundamentals

Cloud Deployment Models

Exam Tips

Subnetting Speed

OSI Layer Traps

TCP/IP vs OSI

OSI Model & TCP/IP Stack

OSI Model — All 7 Layers

TCP/IP Model vs OSI Mapping

TCP vs UDP — Deep Dive

TCP 3-Way Handshake

Step 1 — SYN

Step 2 — SYN-ACK

Step 3 — ACK

Key Protocol Port Numbers

IPv4 Addressing & Subnetting

IPv4 Address Classes (Historical)

Private IP Address Ranges (RFC 1918)

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

CIDR Subnet Reference Table

Subnetting Example — 192.168.10.0/26

Step 1: Block Size

Step 2: Usable Hosts

Step 3: Identify Subnet

Special IPv4 Addresses

IPv6 Essentials

IPv6 Notation

IPv6 Address Types

IPv6 vs IPv4 Key Differences

Switching & Ethernet

How a Switch Works

Learning

Forwarding

Flooding

Ethernet Frame Structure

ARP — Address Resolution Protocol

Purpose

Process

Gratuitous ARP

Hub vs Switch vs Router

Duplex & Speed

Half Duplex

Full Duplex

Duplex Mismatch

Cloud Service Models

Practice Quiz — Network Fundamentals

Memory Hooks

Flashcards & Study Advisor

Study Advisor

OSI Model — Exam Strategy

Subnetting — Exam Strategy

TCP & UDP — Exam Strategy

Switching Basics — Exam Strategy

IPv6 — Exam Strategy

Ready to pass the CCNA?