Networking

Routing, switching, and enterprise network design

Routing vs Switching: The One-Paragraph Mental Model

Networking from Scratch (lesson 5) — the difference between switches and routers in plain English, with the MAC table vs routing table side by side, a packet walked end-to-end through both, and why your home box is secretly two devices crammed into one chassis.

DHCP and ARP: How Your Computer Gets and Uses Its Address

Networking from Scratch (lesson 4) — the DHCP DORA four-packet exchange, lease and renewal mechanics, common DHCP options, the cross-subnet relay agent, and the ARP request/reply that turns an IP into the MAC the wire actually delivers to. Plus the symptoms of common failure modes.

Subnetting Math: The Cheat Sheet That Actually Sticks

Networking from Scratch (lesson 3) — the four-line magic-number method for finding the network ID, broadcast, usable range, and next subnet for any /N. Three worked examples (including the awkward one across an octet boundary), a size cheat sheet, and five practice problems with answers.

IPv4 Addressing Without Panic

Networking from Scratch (lesson 2) — what an IPv4 address actually is, why it has four numbers, what a subnet mask does, what CIDR notation means, and how a computer uses it to decide whether to deliver locally or send to the gateway. Plus the special address ranges every admin should recognise on sight.

What Actually Happens When You Click a Link?

Networking from Scratch (lesson 1) — an end-to-end walkthrough of the eight things that happen between clicking a link and seeing the page on your screen. DNS, ARP, routing, TCP, TLS, HTTP, render, and where to look when each one breaks. No prior experience required.

Cisco IOS IS-IS Configuration: NET, Levels, and Backbone Routing

Working reference for IS-IS on Cisco IOS. What makes IS-IS different (runs on Layer 2 / CLNS not IP, doesn't need IP addresses to form adjacencies, carries multiple address families in one process). The NET address breakdown (AFI, area, system-id, SEL) and convention of deriving System ID from loopback. Levels: L1 intra-area, L2 backbone, L1/L2 ABR-equivalent routers, with circuit-type per-interface control. Basic configuration (net, is-type, ip router isis on interface), loopback inclusion for /32 propagation, default cost of 10 and metric-style wide for headroom, MD5 authentication. Verification (show isis neighbors / topology / database, show clns commands). IS-IS vs OSPF comparison. Pitfalls: wrong NET, circuit-type mismatch, narrow metric overflow, missing ip router isis, discontiguous L2 backbone.

Cisco IOS RIP Configuration: RIPv2, Authentication, Timers

Working reference for RIPv2 on Cisco IOS. The protocol basics (distance-vector, hop-count metric max 15, UDP 520, multicast 224.0.0.9, AD 120, 30s/180s/180s/240s timer model), why RIP is mostly retired (15-hop max, slow convergence, routing-by-rumor) and where it still fits (tiny stub networks, legacy gear). Basic configuration with the essential version 2 + no auto-summary commands, network statement (classful, no wildcard mask), passive-interface default + selective unpassive, default-information originate, MD5 authentication via key-chain, timer tuning. Loop prevention (split horizon, route poisoning, holddown), the no ip split-horizon trick on Frame Relay multipoint, RIPng per-interface enablement for IPv6. Pitfalls: forgetting version 2 or no auto-summary, mismatched timers, MD5 key-id mismatch.

Cisco IOS Route Filtering: Distribution Lists, Prefix Lists, Route-Maps

Working reference for the three Cisco IOS route-filtering tools. Distribution lists with ACL or prefix-list reference for inbound/outbound filtering at the routing process boundary. Prefix lists with ge/le qualifiers for prefix-length range matching, common patterns (default route only, any prefix, host routes, /24-/28 of a /8). Route-maps with sequenced clauses, the implicit final deny and the explicit permit-anything-else fallthrough, the menu of match conditions (ip address, next-hop, route-source, interface, metric, tag, as-path, community) and set actions (next-hop, metric, local-preference, community, as-path prepend, tag, weight). Where route-maps plug in: BGP neighbors, redistribution, PBR. Route tags as the glue between protocols to prevent redistribution loops. Pitfalls: missing fallthrough, prefix-list ge/le defaults, OSPF flooding that can't be filtered, redistribution loops without tags.

Cisco IOS Path Control: PBR, IP SLA, and Offset Lists

Working reference for Cisco IOS path-control. Policy-Based Routing (PBR) with route-maps and ACLs to override the routing table for specific traffic on inbound interfaces, locally-originated PBR via ip local policy. IP SLA active measurement with icmp-echo / tcp-connect / http probes plus the schedule command. Track objects bound to IP SLA reachability or interface line-protocol, with delay debouncing to prevent flapping. Tying a static route to a track for automatic dual-WAN failover. Offset lists to add/subtract from routing protocol metrics. The combined PBR + IP SLA + floating static pattern for resilient dual-WAN. Pitfalls: PBR applied outbound, missing fallthrough, IP SLA without schedule, track delay too short, set ip next-hop without verify-availability.

Cisco IOS Static and Default Routes: AD, Floating, Null0

Working reference for static routing on Cisco IOS. The three forms (recursive next-hop, interface-only for point-to-point, fully-specified for multi-access), default routes (0.0.0.0/0), administrative distance values across sources (Connected 0, Static 1, eBGP 20, EIGRP 90, OSPF 110, IS-IS 115, RIP 120, EIGRP-external 170, iBGP 200, Unknown 255), floating static routes for backup paths (AD set higher than protocol), the permanent keyword and why you usually shouldn't use it, the Null0 trick for black-holing and for keeping summary advertisements alive in BGP, ODR for hub-and-spoke. Pitfalls: ARP pressure from recursive routes on Ethernet, floating AD set too low, wrong default-route gateway, longest-prefix-match surprises.

Cisco IOS Legacy WAN: HDLC, PPP, Frame Relay, and PPPoA

Working reference for legacy Cisco WAN encapsulations. HDLC as the Cisco-only proprietary default with no authentication, PPP as the standards-based alternative with PAP and CHAP authentication (cross-username pattern, challenge-response hash for CHAP), PPP compression and multilink, PPPoA for DSL access. Frame Relay configuration with DLCI / LMI / map statements, the multipoint vs point-to-point sub-interface decision (sub-interfaces sidestep split-horizon issues), Frame Relay verification commands. Pitfalls: HDLC mismatch with non-Cisco peers, CHAP password mismatch, Frame Relay split-horizon on multipoint, missing Inverse ARP, DCE clocking on lab serials, LMI type mismatch.

Cisco IOS Device Hardening: AAA, SSH, RADIUS, NTP, and Privilege

Working reference for Cisco IOS device-access hardening. The bare-minimum local-auth setup (enable secret, login local, transport input ssh, access-class on VTY, service password-encryption, security passwords min-length), SSH config (2048-bit RSA, ip ssh version 2, public-key auth via pubkey-chain), brute-force defense with login block-for, full AAA stack with RADIUS and the critical local fallback, NTP with authentication and Loopback source-interface, privilege levels vs the modern parser-view RBAC alternative, and the 10-item hardening checklist (no Telnet, weak keys, missing fallback, default communities, etc.).