Key Networking Concepts and Definitions


95 Terms

1

Layer 7 - Application Layer

The top layer of the OSI model that provides network services directly to end-user applications. It's where protocols like HTTP, FTP, SMTP, and DNS operate to format and exchange data.

2

Physical vs. Virtual Appliances

A physical appliance is a dedicated hardware device (e.g., a hardware firewall). A virtual appliance is a software-based version that runs on a virtual machine (VM).

3

IDS vs. IPS

An Intrusion Detection System (IDS) only detects and alerts on potential threats. An Intrusion Prevention System (IPS) can detect, alert, and actively block or prevent the threat.

4

Proxy Server

An intermediary server that sits between a client and a destination server. It forwards client requests and can be used for filtering, logging, and caching content.

5

Storage Area Network (SAN)

A dedicated, high-speed network that provides network access to consolidated, block-level data storage.

6

Wireless LAN Controller (WLC)

A centralized device that manages, configures, and monitors multiple 'lightweight' access points (APs) within a network.

7

Content Delivery Network (CDN)

A geographically distributed network of proxy servers that caches content close to users to deliver it more quickly and efficiently.

8

Quality of Service (QoS)

A set of technologies used to manage network traffic and ensure the performance of critical applications by prioritizing certain types of data (e.g., voice and video) over less time-sensitive traffic.

9

Network Functions Virtualization (NFV)

The concept of replacing dedicated hardware appliances (like routers and firewalls) with virtualized software equivalents that run on standard commercial off-the-shelf (COTS) servers.

10

Virtual Private Cloud (VPC)

A logically isolated section of a public cloud where you can launch cloud resources in a virtual network that you define.

11

Network Security Group (NSG) / Security List

A virtual firewall for your virtual machines (VMs) and subnets within a cloud environment. It contains a list of security rules (allow/deny) that control inbound and outbound network traffic based on IP address, port, and protocol.

12

Internet Gateway vs. NAT Gateway

An Internet Gateway allows two-way communication between a VPC and the internet. A NAT Gateway allows instances in a private subnet to initiate outbound traffic to the internet but prevents inbound connections.

13

Cloud Connectivity Options

Methods to connect an on-premises network to the cloud, including VPN (over the internet) and Direct Connect/ExpressRoute (a dedicated private connection).

14

Unicast

A one-to-one communication between a single sender and a single receiver.

15

Anycast

A communication method where a message is sent from one source to the topologically nearest node out of a group of potential receivers that all share the same destination address.

16

Internet Control Message Protocol (ICMP)

A network layer protocol used by network devices to send error messages and operational information. It is the protocol behind common utilities like ping and traceroute.

17

Generic Routing Encapsulation (GRE)

A tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

18

Internet Protocol Security (IPSec)

A secure network protocol suite that authenticates and encrypts data packets sent over an IP network. It operates in Tunnel mode (encrypts entire packet) and Transport mode (encrypts only the payload).

19

Authentication Header (AH)

The part of the IPSec suite that provides data integrity and authentication for IP packets but does NOT provide encryption.

20

Encapsulating Security Payload (ESP)

The part of the IPSec suite that provides confidentiality (encryption), data integrity, and authentication.

21

Internet Key Exchange (IKE)

The protocol used to set up a Security Association (SA) in the IPSec protocol suite by negotiating algorithms and generating keys.

22

Direct Attach Copper (DAC) cable

Short, fixed-length twinaxial cables with transceivers already attached on both ends. Used for short-distance, high-speed connections in data centers.

23

Twinaxial cable

A type of cable similar to coaxial cable, but with two inner conductors instead of one.

24

Ethernet transceiver

A module that converts a router's or switch's electrical signals to optical/electrical signals to send and receive data over the network media.

25

Fibre Channel (FC) transceiver

A transceiver specifically designed for use in a Fibre Channel Storage Area Network (SAN).

26

SFP (Small Form-factor Pluggable)

A compact, hot-pluggable transceiver. Standard speed is 1 Gbps (SFP) or 10 Gbps (SFP+).

27

QSFP (Quad Small Form-factor Pluggable)

A transceiver providing 4 channels, allowing for higher speeds like 40 Gbps (QSFP+) or 100 Gbps (QSFP28).

28

Fibre optic connectors

Common types include LC (Lucent Connector), SC (Subscriber Connector), and ST (Straight Tip).

29

Hybrid topology

A network topology that is a combination of two or more different basic topologies (e.g., a star-bus topology).

30

Three-tier hierarchical model

A traditional network design with three layers: Core (high-speed backbone), Distribution (policy enforcement), and Access (end-user connectivity).

31

Collapsed core architecture

A network design where the Core and Distribution layer functions are combined into a single layer, often used in smaller networks.

32

Spine and leaf architecture

A modern data center network topology where every Leaf switch (access layer) connects to every Spine switch (core layer). This provides high bandwidth and low latency.

33

North-south and east-west traffic

North-south traffic flows into and out of the data center. East-west traffic flows between servers within the data center.

34

Private IP address ranges

The ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 used for internal networks.

35

APIPA IP range

The 169.254.0.0/16 range. A host assigns itself an address from this range when it cannot contact a DHCP server.

36

Loopback address

The IPv4 address 127.0.0.1 (or ::1 in IPv6). It refers to the current device and is used for testing the local TCP/IP stack.

37

Variable Length Subnet Mask (VLSM)

A technique that allows network administrators to divide an IP address space into subnets of different sizes, avoiding wasted IP addresses.

38

Classless Inter-domain Routing (CIDR)

A method for allocating IP addresses and IP routing that uses a 'slash notation' (e.g., /24) to represent the network prefix, abandoning traditional A/B/C classes.

39

Class A, B, and C octet ranges

The first octet ranges of 1-126 (Class A), 128-191 (Class B), and 192-223 (Class C) in classful addressing.

40

Software-Defined Networking (SDN)

A network architecture approach that decouples the network control plane (decision-making) from the data plane (forwarding), enabling central management.

41

SD-WAN

An application of SDN principles to Wide Area Networks (WANs) to manage and optimize traffic across multiple WAN connections from a central controller.

42

Virtual Extensible LAN (VXLAN)

A network virtualization technology that creates a logical Layer 2 network on top of a physical Layer 3 network, supporting over 16 million logical networks.

43

Zero Trust Architecture (ZTA)

A security model based on the principle of 'never trust, always verify,' requiring strict identity verification for every person and device.

44

Secure Access Service Edge (SASE)

A cloud-native architecture that combines network security functions with WAN capabilities to securely connect users and systems to applications anywhere.

45

Infrastructure as Code (IaC)

The process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration.

46

Border Gateway Protocol (BGP)

The primary exterior gateway protocol used to make routing decisions on the Internet between different autonomous systems (AS).

47

Enhanced Interior Gateway Routing Protocol (EIGRP)

A Cisco-proprietary, advanced distance-vector routing protocol known for fast convergence.

48

Open Shortest Path First (OSPF)

An open standard, link-state routing protocol. It creates a map of the network and calculates the best path based on cost.

49

Administrative Distance

A value from 0-255 used by routers to select the best path when there are two or more different routes to the same destination from different routing protocols. The lower the value, the more trustworthy the protocol.

50

Metric (routing)

A value used by a routing protocol to determine the best path to a destination. Different protocols use different metrics (e.g., OSPF uses cost, EIGRP uses bandwidth and delay).

51

Network Address Translation (NAT)

Translates private IP addresses to public IP addresses.

52

Port Address Translation (PAT)

A type of NAT that maps multiple private IP addresses to a single public IP address by using different source port numbers.

53

First Hop Redundancy Protocol (FHRP)

A class of protocols (like HSRP, VRRP) that allows two or more routers to share a single virtual IP address and act as a single virtual router, providing redundancy.

54

Virtual IP (VIP)

A shared IP address used by an FHRP that is not tied to a specific physical interface and serves as the default gateway for a subnet.

55

Subinterfaces

Logical divisions of a physical router interface, used to allow a single physical interface to route traffic for multiple VLANs (a 'router on a stick' configuration).

56

VLAN (Virtual LAN)

A logical grouping of devices in the same broadcast domain, configured on switches to segment a network.

57

VLAN database

A file on a switch (vlan.dat) that stores VLAN configuration information.

58

Switch Virtual Interface (SVI)

A virtual Layer 3 interface on a Layer 3 switch that allows the switch to perform inter-VLAN routing.

59

Native VLAN

A special VLAN on an 802.1Q trunk link where traffic is sent and received in its original, untagged format.

60

Trunk link

A link between two switches (or a switch and a router) that is configured to carry traffic for multiple VLANs.

61

Voice VLAN

A separate VLAN configured on a switch port specifically for carrying voice traffic from an IP phone.

62

802.1Q tagging

The IEEE standard for VLAN trunking that works by inserting a 4-byte tag into the Ethernet frame to identify which VLAN the frame belongs to.

63

Link aggregation

The practice of combining multiple network connections into a single logical link to increase throughput and provide redundancy.

64

Maximum Transmission Unit (MTU)

The largest size packet or frame, specified in bytes, that can be sent in a packet- or frame-based network. The standard for Ethernet is 1500 bytes.

65

Jumbo frame

An Ethernet frame with a payload greater than the standard 1500-byte MTU, typically up to 9000 bytes, used to increase throughput.

66

Wi-Fi channel

A specific frequency range within a Wi-Fi band (e.g., 2.4 GHz or 5 GHz) that is used for communication.

67

Channel width

The size of a Wi-Fi channel. Wider channels (e.g., 40, 80, 160 MHz) can carry more data but are more susceptible to interference.

68

802.11h

An IEEE standard that adds Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) to the 802.11a standard.

69

6 GHz Wi-Fi band

The newest Wi-Fi band, opened up by the Wi-Fi 6E standard, offering a large amount of uncongested spectrum.

70

Band steering

A feature on dual-band access points that encourages dual-band capable clients to connect to the less congested 5 GHz band instead of the 2.4 GHz band.

71

Basic Service Set Identifier (BSSID)

The MAC address of a single Access Point (AP).

72

Extended Service Set Identifier (ESSID)

The human-readable name of the Wi-Fi network (the SSID). An ESSID can be shared by multiple APs in the same network to allow for roaming.

73

Ad Hoc Mode

A peer-to-peer mode where wireless clients connect directly to each other without an AP.

74

Infrastructure Mode (Wi-Fi)

The standard Wi-Fi mode where wireless clients connect to a central Access Point (AP), which then connects them to the wired network.

75

Autonomous access point

A self-contained, standalone AP that is managed individually. Also known as a 'fat' AP.

76

Lightweight access point

An AP that requires a Wireless LAN Controller (WLC) for its configuration and management. Also known as a 'thin' AP.

77

MDF (Main Distribution Frame)

The primary wiring point for a building's network where outside lines terminate and where the main network equipment (routers, core switches) is located.

78

IDF (Intermediate Distribution Frame)

A secondary wiring closet used to connect devices in a specific area (like a floor) back to the MDF.

79

Rack Unit

A unit of measure for the height of devices designed for a 19-inch rack. One rack unit (1U) is 1.75 inches.

80

Fiber Distribution Panel

A patch panel that terminates and manages fiber optic cable connections within a network rack.

81

Power Load

A calculation of the total power consumption of all devices in a rack to ensure it does not exceed the circuit's capacity.

82

Asset inventory

The tracking of key information for every network device, typically including its name, location, owner, and lifecycle status.

83

Service-Level Agreement (SLA)

A contract between a service provider and a customer that defines the specific level of service to be provided, including metrics for uptime, performance, and support.

84

Configuration Management

The process of tracking and controlling changes to the configuration of network devices. This includes maintaining a baseline, documenting changes, and performing audits.

85

Flow Data

Summarized network traffic data collected from devices like routers and switches, often used for traffic analysis and monitoring (e.g., NetFlow).

86

Management Information Base (MIB)

A database of objects on a managed device that can be queried or set by a network management system using SNMP.

87

SNMP community string

A password-like string that provides access to a device's MIB data in older versions of SNMP.

88

Security Information and Event Management (SIEM)

A solution that collects and analyzes security alerts, logs, and event data from across the network in real-time to identify and respond to threats.

89

Four main types of monitoring solutions

Common solution types include those for monitoring performance (bandwidth/latency), faults (failures/errors), configuration (changes), and security (threats).

90

DHCP options

Extra information provided by DHCP beyond an IP address, such as the subnet mask, default gateway, and DNS server addresses.

91

Stateless Address Autoconfiguration (SLAAC)

A method used by IPv6 hosts to automatically generate their own IP address without a DHCP server, using their MAC address and the network prefix.

92

Domain Name Security Extensions (DNSSEC)

A suite of security protocols that adds a layer of security to the DNS system by enabling responses to be validated with digital signatures.

93

DNS Records

Different types include 'A' (hostname to IPv4), 'AAAA' (hostname to IPv6), 'CNAME' (alias), 'MX' (mail server), and 'PTR' (IP to hostname).

94

Primary vs Secondary DNS server

A Primary DNS server holds the master read/write copy of a zone's records. A Secondary DNS server holds a read-only copy for redundancy.

95

Recursive DNS Server

A DNS server that accepts requests from clients and does the full work of finding the answer by querying other DNS servers if necessary.