Executive Summary
Networking in 2026 is defined by three major transitions: HTTP/3 (QUIC) has surpassed HTTP/2 with 55% adoption, IPv6 has reached 50% globally on Google measurements, and Wi-Fi 7 (802.11be) is shipping in mainstream devices with 320 MHz channels and multi-link operation (MLO). DNS over HTTPS is enabled by default in major browsers, zero-trust networking has replaced perimeter-based security in most enterprises, and WireGuard has become the standard VPN protocol. This guide provides a comprehensive reference for every layer of the networking stack.
- HTTP/3 reached 55% adoption in 2026. QUIC eliminates TCP head-of-line blocking, provides 0-RTT connection resumption, and includes mandatory TLS 1.3 encryption. Cloudflare, Google, and Meta serve the majority of HTTP/3 traffic.
- IPv6 adoption hit 50% globally (Google measurements), with the US at 62% and India at 70%. IPv4 exhaustion continues to drive adoption, though NAT and carrier-grade NAT extend IPv4 life.
- Wi-Fi 7 (802.11be) delivers 46 Gbps theoretical speeds with 320 MHz channels, 4096-QAM modulation, and multi-link operation. WPA3 is mandatory for Wi-Fi 6E and Wi-Fi 7 devices.
- WireGuard replaced OpenVPN as the standard VPN protocol with ~4,000 lines of code (vs 100K+ for OpenVPN), built-in Linux kernel support, and faster handshakes.
55%
HTTP/3 adoption
50%
IPv6 (Google)
100+
Ports documented
60+
HTTP status codes
Part 1: OSI Model
The OSI (Open Systems Interconnection) model describes network communication in seven layers, from physical cables (Layer 1) to application protocols (Layer 7). Each layer serves a specific function and communicates with adjacent layers. When data travels down the stack (sending), each layer adds its header (encapsulation). When data travels up (receiving), each layer processes and removes its header (decapsulation). The model is essential for troubleshooting: identifying the layer where a problem occurs narrows the solution space.
OSI Model — 7 Layers
7 rows
| Layer | Name | Function | Protocols | Devices |
|---|---|---|---|---|
| 7 | Application | End-user services and interfaces. Provides network services directly to applications. | HTTP, HTTPS, FTP, SMTP, DNS, DHCP, SSH, SNMP, POP3, IMAP, LDAP, MQTT, WebSocket, gRPC | Proxy, WAF, Load balancer (L7) |
| 6 | Presentation | Data formatting, encryption, and compression. Translates data between application and network formats. | TLS/SSL, MIME, JPEG, PNG, MP4, ASCII, Unicode, gzip, Brotli | N/A (handled in software) |
| 5 | Session | Establishes, manages, and terminates sessions between applications. Controls dialog (simplex, half-duplex, full-duplex). | NetBIOS, RPC, PPTP, L2TP, SIP, SOCKS | N/A (handled in software) |
| 4 | Transport | Reliable (TCP) or unreliable (UDP) data transfer. Segmentation, flow control, error recovery, port addressing. | TCP, UDP, QUIC, SCTP, DCCP | Load balancer (L4), Firewall (stateful) |
| 3 | Network | Logical addressing (IP) and routing. Determines the best path for data across networks. | IPv4, IPv6, ICMP, IGMP, IPsec, OSPF, BGP, RIP, ARP (sometimes L2) | Router, L3 switch, Firewall |
| 2 | Data Link | Physical addressing (MAC), frame creation, error detection (CRC), and media access control. | Ethernet (802.3), Wi-Fi (802.11), PPP, HDLC, ARP, STP, VLAN (802.1Q) | Switch, Bridge, NIC, Access Point |
| 1 | Physical | Physical transmission of raw bits over the medium. Defines cables, connectors, voltages, frequencies. | Ethernet physical (1000BASE-T), Wi-Fi radio (802.11ax), USB, Bluetooth, Fiber optic | Hub, Repeater, Cable, Modem, Antenna |
Part 2: TCP/IP and Transport Protocols
TCP provides reliable, ordered, connection-oriented communication. The three-way handshake (SYN, SYN-ACK, ACK) establishes a connection. TCP uses sequence numbers, acknowledgments, and retransmission for reliability. Flow control (sliding window) prevents overwhelming receivers. Congestion control (slow start, cubic, BBR) prevents overwhelming the network. UDP provides unreliable, connectionless communication with minimal overhead (8-byte header). QUIC combines UDP transport with TCP reliability, built-in TLS, and multiplexed streams.
TCP vs UDP vs QUIC Comparison
12 rows
| Feature | TCP | UDP | QUIC |
|---|---|---|---|
| Connection | Connection-oriented (three-way handshake: SYN, SYN-ACK, ACK) | Connectionless (no handshake, just send) | Connection-oriented (0-RTT or 1-RTT handshake over UDP) |
| Reliability | Reliable (retransmission, acknowledgments, sequence numbers) | Unreliable (no retransmission, packets may be lost) | Reliable (built-in retransmission per stream) |
| Ordering | Ordered (data delivered in sequence) | Unordered (packets may arrive out of order) | Ordered per stream (multiple independent streams) |
| Flow Control | Yes (sliding window) | No | Yes (per stream and connection level) |
| Congestion Control | Yes (slow start, AIMD, cubic/BBR) | No (application must implement) | Yes (pluggable: cubic, BBR, Reno) |
| Head-of-Line Blocking | Yes (one lost packet blocks all data) | No (independent packets) | No (streams are independent, one lost packet blocks only its stream) |
| Encryption | Optional (TLS on top, separate handshake) | Optional (DTLS on top) | Mandatory (TLS 1.3 built-in, single handshake) |
| Multiplexing | No (one stream per connection, HTTP/2 multiplexes but has HOL blocking) | N/A | Yes (multiple independent streams per connection) |
| Header Size | 20-60 bytes | 8 bytes | Variable (encrypted, ~20+ bytes) |
| Speed | Slower (handshake, acks, retransmission) | Fastest (minimal overhead) | Fast (0-RTT resumption, efficient multiplexing) |
| Use Cases | Web (HTTP/1.1, HTTP/2), email, file transfer, SSH, databases | DNS, DHCP, VoIP, video streaming, gaming, IoT, NTP | HTTP/3, web browsing, video streaming, real-time communication |
| Port Range | 0-65535 (well-known: 0-1023) | 0-65535 (well-known: 0-1023) | Uses UDP port 443 typically |
Part 3: DNS
DNS translates domain names to IP addresses through a hierarchical system. Query flow: client resolver => recursive resolver => root servers (13 clusters worldwide) => TLD servers (.com, .org, .net) => authoritative servers (specific domain). Caching at every level (based on TTL) ensures most queries resolve quickly. DNS record types serve different purposes: A/AAAA for IP addresses, CNAME for aliases, MX for mail, TXT for verification and email security (SPF/DKIM/DMARC), NS for delegation, and CAA for certificate authority restrictions.
DNS Record Types (15+)
15 rows
| Type | Name | Description | Priority |
|---|---|---|---|
| A | Address | Maps domain name to IPv4 address (32-bit) | Essential |
| AAAA | IPv6 Address | Maps domain name to IPv6 address (128-bit) | Essential (IPv6) |
| CNAME | Canonical Name | Alias that points one domain to another. Cannot coexist with other records at same name. | Common |
| MX | Mail Exchange | Specifies mail servers for the domain. Priority number determines server preference (lower = higher priority). | Essential (email) |
| TXT | Text | Arbitrary text data. Used for: SPF (email auth), DKIM (email signing), DMARC (email policy), domain verification, ACME challenges. | Essential (email/verify) |
| NS | Name Server | Specifies authoritative DNS servers for the domain. Delegates DNS resolution to these servers. | Essential |
| SOA | Start of Authority | Primary DNS server, admin email, serial number, refresh/retry/expire timers. One per zone. | Essential (auto-created) |
| SRV | Service | Specifies hostname and port for specific services. Format: _service._proto priority weight port target. | Specialized |
| PTR | Pointer | Reverse DNS lookup: maps IP address to domain name. Used for email server verification and network diagnostics. | Important (email) |
| CAA | Certificate Authority Authorization | Specifies which CAs are allowed to issue certificates for the domain. Prevents unauthorized certificate issuance. | Recommended |
| HTTPS/SVCB | Service Binding | Provides connection parameters (alpn, port, ipv4hint, ech) for HTTPS services. Eliminates extra DNS lookups and enables Encrypted Client Hello. | Modern (growing) |
| DNSKEY | DNS Public Key | Contains public key for DNSSEC validation. Used to verify signed DNS responses. | DNSSEC |
| DS | Delegation Signer | Hash of child zone DNSKEY in parent zone. Links DNSSEC trust chain from parent to child zone. | DNSSEC |
| TLSA | TLS Authentication | DANE (DNS-based Authentication of Named Entities). Associates TLS certificate with domain via DNSSEC. | Advanced |
| NAPTR | Naming Authority Pointer | Regular expression-based rewriting rules. Used in VoIP (ENUM), SIP, and URI resolution. | Specialized (VoIP) |
Part 4: DHCP
DHCP automatically assigns IP addresses and network configuration. The DORA process: Discover (client broadcasts), Offer (server proposes), Request (client accepts), Acknowledge (server confirms). DHCP assigns: IP address, subnet mask, default gateway, DNS servers, and lease time. DHCP relay agents forward requests across subnets. DHCP snooping prevents rogue DHCP servers. IPv6 uses DHCPv6 or SLAAC (Stateless Address Autoconfiguration) where devices generate their own addresses from router advertisements and interface identifiers.
Part 5: HTTP/HTTPS
HTTP evolved from a simple document retrieval protocol to the backbone of the modern web. HTTP/1.1 (1997): persistent connections, pipelining (rarely used). HTTP/2 (2015): multiplexing multiple requests over one TCP connection, header compression (HPACK), server push. HTTP/3 (2022): QUIC transport (UDP-based), independent stream multiplexing (no HOL blocking), 0-RTT resumption, built-in TLS 1.3. HTTPS wraps HTTP in TLS encryption; 96% of web traffic uses HTTPS in 2026.
HTTP Version Usage (2018-2026)
Source: OnlineTools4Free Research
Part 6: WebSocket and Real-time Communication
WebSocket provides full-duplex communication over a single TCP connection. The initial HTTP handshake upgrades to the WebSocket protocol (101 Switching Protocols). Unlike HTTP request-response, both client and server can send messages at any time. Use cases: real-time chat, live notifications, collaborative editing, stock tickers, gaming, IoT telemetry. Alternatives: Server-Sent Events (SSE) for server-to-client only (simpler, auto-reconnect), HTTP long polling (fallback), WebTransport (HTTP/3-based, experimental).
Part 7: IPv4, IPv6, and Subnetting
IPv4 uses 32-bit addresses (4.3 billion, exhausted). Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. NAT extends IPv4 by sharing public IPs. Subnetting divides networks: /24 = 254 hosts, /25 = 126, /26 = 62, /27 = 30, /28 = 14. IPv6 uses 128-bit addresses (3.4x10^38). Features: no NAT needed, simplified header, auto-configuration (SLAAC), mandatory IPsec, no broadcast (multicast instead), no fragmentation by routers. IPv6 adoption reached 50% globally in 2026.
IPv6 Adoption (2016-2026)
Source: OnlineTools4Free Research
Part 8: Routing
Routing determines the path packets take across networks. Static routing: manually configured, suitable for simple networks. Dynamic routing: protocols automatically discover and adapt to network changes. Interior protocols (within an AS): OSPF (link-state, fast convergence, most common), RIP (distance-vector, legacy), EIGRP (Cisco proprietary). Exterior protocol (between ASes): BGP (the internet routing protocol, path-vector, policy-based). The routing table maps destination networks to next-hop addresses and outgoing interfaces.
Part 9: Firewalls
Firewalls filter traffic based on rules. Types: packet filtering (stateless, L3/L4), stateful inspection (tracks connections), application-level (L7 deep packet inspection), and next-generation (NGFW: combines all + IDS/IPS + malware detection). Rules: typically default-deny (block all, allow specific). Placement: perimeter, between network segments, and host-based. Tools: iptables/nftables (Linux), pf (BSD), Windows Firewall. Enterprise: Palo Alto, Fortinet, Cisco, cloud security groups (AWS SG, Azure NSG).
Part 10: VPN Protocols
VPN protocols create encrypted tunnels between endpoints. WireGuard is the modern standard: ~4,000 lines of code, ChaCha20 encryption, built into the Linux kernel, fast handshakes. OpenVPN is established but complex (~100K lines). IKEv2/IPsec provides fast reconnection (ideal for mobile). IPsec is used for site-to-site corporate VPNs. PPTP is broken and must not be used. All major VPN providers now default to WireGuard.
VPN Protocols Comparison
7 rows
| Protocol | Year | Speed | Security | Best For |
|---|---|---|---|---|
| WireGuard | 2018 | Very Fast | Very High | Default choice for new VPN deployments |
| OpenVPN | 2001 | Medium | High (proven) | Legacy compatibility, complex configurations |
| IKEv2/IPsec | 2005 | Fast | High | Mobile (reconnects fast), always-on VPN |
| IPsec | 1995 | Fast | High | Site-to-site VPN between offices/datacenters |
| SSTP | 2008 | Medium | High | Windows environments behind restrictive firewalls |
| L2TP/IPsec | 1999 | Medium | Medium (double encapsulation overhead) | Avoid for new deployments (overhead, NSA concerns) |
| PPTP | 1999 | Fast | Broken (do not use) | Never. Cracked in minutes. Remove from all systems. |
Part 11: Wi-Fi Standards
Wi-Fi Standards Comparison (Wi-Fi 4 to Wi-Fi 7)
5 rows
| Standard | IEEE | Year | Frequency | Max Speed | Security | Key Feature |
|---|---|---|---|---|---|---|
| Wi-Fi 4 | 802.11n | 2009 | 2.4/5 GHz | 600 Mbps | WPA2 | First dual-band, MIMO |
| Wi-Fi 5 | 802.11ac | 2013 | 5 GHz only | 6.9 Gbps | WPA2 | Wide channels, beamforming |
| Wi-Fi 6 | 802.11ax | 2020 | 2.4/5 GHz | 9.6 Gbps | WPA3 | OFDMA, BSS coloring, TWT |
| Wi-Fi 6E | 802.11ax | 2021 | 2.4/5/6 GHz | 9.6 Gbps | WPA3 required | 6 GHz band (1200 MHz spectrum) |
| Wi-Fi 7 | 802.11be | 2024 | 2.4/5/6 GHz | 46 Gbps | WPA3 required | MLO, 320 MHz channels, 4K-QAM |
Part 12: Network Troubleshooting
Systematic approach: (1) ping localhost (verify TCP/IP stack). (2) ping default gateway (verify local network). (3) ping external IP like 8.8.8.8 (verify routing). (4) ping domain like google.com (verify DNS). If step 3 works but 4 fails, the problem is DNS. Tools: ping (connectivity/latency), traceroute/mtr (path mapping), nslookup/dig (DNS queries), curl -v (HTTP debugging), netstat/ss (connections/ports), tcpdump/Wireshark (packet capture), iperf3 (bandwidth), nmap (port scanning).
Part 13: Network Ports Reference (100+)
Common Network Ports Reference (47 Ports)
47 rows
| Port | Protocol | Service | Description |
|---|---|---|---|
| 20 | TCP | FTP Data | FTP data transfer (active mode) |
| 21 | TCP | FTP Control | FTP command/control channel |
| 22 | TCP | SSH | Secure Shell (remote access, SFTP, SCP, port forwarding) |
| 23 | TCP | Telnet | Unencrypted remote access (deprecated, use SSH) |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol (email sending between servers) |
| 53 | TCP/UDP | DNS | Domain Name System queries and zone transfers |
| 67 | UDP | DHCP Server | Dynamic Host Configuration Protocol (server to client) |
| 68 | UDP | DHCP Client | DHCP client responses |
| 69 | UDP | TFTP | Trivial File Transfer Protocol (simple, no auth) |
| 80 | TCP | HTTP | Hypertext Transfer Protocol (unencrypted web) |
| 110 | TCP | POP3 | Post Office Protocol v3 (email retrieval) |
| 123 | UDP | NTP | Network Time Protocol (clock synchronization) |
| 143 | TCP | IMAP | Internet Message Access Protocol (email retrieval, sync) |
| 161 | UDP | SNMP | Simple Network Management Protocol (monitoring) |
| 162 | UDP | SNMP Trap | SNMP notifications from agents to managers |
| 179 | TCP | BGP | Border Gateway Protocol (internet routing between ISPs) |
| 389 | TCP | LDAP | Lightweight Directory Access Protocol (directory services) |
| 443 | TCP | HTTPS | HTTP over TLS (encrypted web traffic, also HTTP/3 over QUIC/UDP) |
| 445 | TCP | SMB | Server Message Block (Windows file sharing, Active Directory) |
| 465 | TCP | SMTPS | SMTP over TLS (implicit TLS, email submission) |
Page 1 of 3
Part 14: HTTP Status Codes (60+)
HTTP Status Codes Reference (36 Codes)
36 rows
| Code | Status | Category | Description |
|---|---|---|---|
| 100 | Continue | 1xx Informational | Server received request headers, client should send body. Used with Expect: 100-continue header. |
| 101 | Switching Protocols | 1xx Informational | Server is switching protocols as requested (e.g., WebSocket upgrade from HTTP). |
| 103 | Early Hints | 1xx Informational | Allows preloading resources while server prepares response. Sends Link headers before final response. |
| 200 | OK | 2xx Success | Request succeeded. Response body contains the requested resource. Most common status code. |
| 201 | Created | 2xx Success | Request succeeded and a new resource was created. Typically returned for POST requests. Location header has the new resource URL. |
| 204 | No Content | 2xx Success | Request succeeded but no response body. Common for DELETE, PUT, and PATCH responses. |
| 206 | Partial Content | 2xx Success | Server is delivering only part of the resource due to Range header. Used for resumable downloads and video streaming. |
| 301 | Moved Permanently | 3xx Redirection | Resource permanently moved to new URL. Browsers cache this redirect. Search engines transfer ranking to new URL. |
| 302 | Found (Temporary Redirect) | 3xx Redirection | Resource temporarily at different URL. Browser does not cache. Method may change to GET (ambiguous). |
| 303 | See Other | 3xx Redirection | Response to the request is at another URL. Always use GET for the redirect. Used after POST to prevent resubmission. |
| 304 | Not Modified | 3xx Redirection | Resource has not changed since last request. Browser uses cached version. Response has no body. |
| 307 | Temporary Redirect | 3xx Redirection | Same as 302 but guarantees the HTTP method is not changed in the redirect (POST stays POST). |
| 308 | Permanent Redirect | 3xx Redirection | Same as 301 but guarantees the HTTP method is not changed in the redirect. |
| 400 | Bad Request | 4xx Client Error | Server cannot process the request due to malformed syntax, invalid parameters, or missing required fields. |
| 401 | Unauthorized | 4xx Client Error | Authentication required. Client must provide valid credentials. Response includes WWW-Authenticate header. |
| 403 | Forbidden | 4xx Client Error | Server understood request but refuses to authorize it. Different from 401: authentication will not help. |
| 404 | Not Found | 4xx Client Error | Requested resource does not exist. Most recognized error code. Custom 404 pages improve user experience. |
| 405 | Method Not Allowed | 4xx Client Error | HTTP method not supported for this resource. Response includes Allow header listing supported methods. |
| 406 | Not Acceptable | 4xx Client Error | Server cannot produce response matching Accept headers (content negotiation failure). |
| 408 | Request Timeout | 4xx Client Error | Server timed out waiting for the request. Client took too long to send the complete request. |
Page 1 of 2
Glossary (60+ Terms)
IP Address
AddressingA numerical label assigned to each device on a network. IPv4: 32-bit, dotted decimal (192.168.1.1), ~4.3 billion addresses (exhausted). IPv6: 128-bit, hexadecimal (2001:0db8::1), ~3.4x10^38 addresses. Every device needs an IP to communicate on IP networks. Private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are used behind NAT. Public IPs are globally routable.
Subnet Mask
AddressingDetermines which portion of an IP address identifies the network and which identifies the host. Example: 255.255.255.0 (/24 in CIDR) means the first 24 bits are the network portion, leaving 8 bits for hosts (254 usable hosts). Subnetting divides a network into smaller segments for security, performance, and organization.
CIDR (Classless Inter-Domain Routing)
AddressingA method for allocating IP addresses and routing. Notation: IP/prefix-length (192.168.1.0/24). Replaced classful addressing (Class A/B/C). Allows flexible subnet sizes. /32 = single host, /24 = 254 hosts, /16 = 65,534 hosts, /8 = 16 million hosts. CIDR enables efficient IP allocation and route aggregation (supernetting).
NAT (Network Address Translation)
AddressingTranslates private IP addresses to public IP addresses. Allows multiple devices to share one public IP. Types: SNAT (source NAT, outbound), DNAT (destination NAT, port forwarding), PAT (port address translation, most common). NAT extends IPv4 address space but complicates peer-to-peer connections, VoIP, and some protocols.
DNS (Domain Name System)
Name ResolutionThe hierarchical, distributed naming system that translates domain names (example.com) to IP addresses (93.184.216.34). Hierarchy: root servers -> TLD servers (.com, .org) -> authoritative servers. Query types: recursive (resolver does full lookup), iterative (server refers to next server). DNS is critical infrastructure; its compromise (DNS hijacking, poisoning) redirects all traffic.
DHCP (Dynamic Host Configuration Protocol)
Network ServicesAutomatically assigns IP addresses and network configuration to devices. DORA process: Discover (client broadcasts), Offer (server proposes IP), Request (client accepts), Acknowledge (server confirms). Assigns: IP address, subnet mask, default gateway, DNS servers, lease time. Without DHCP, every device would need manual IP configuration.
TCP (Transmission Control Protocol)
TransportA connection-oriented, reliable transport protocol. Three-way handshake (SYN, SYN-ACK, ACK) establishes connection. Features: sequencing, acknowledgments, retransmission, flow control (sliding window), congestion control. Used by: HTTP, HTTPS, SSH, SMTP, FTP, databases. Overhead is higher than UDP but guarantees delivery and ordering.
UDP (User Datagram Protocol)
TransportA connectionless, unreliable transport protocol. No handshake, no acknowledgments, no retransmission. Minimal overhead (8-byte header vs TCP 20+ bytes). Used for: DNS, DHCP, VoIP, video streaming, gaming, NTP, SNMP. Applications handle reliability if needed. QUIC builds reliability on top of UDP for HTTP/3.
HTTP (Hypertext Transfer Protocol)
ApplicationThe application protocol for the web. Request-response model: client sends request (method, URL, headers, body), server sends response (status code, headers, body). Methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS. Versions: HTTP/1.1 (persistent connections), HTTP/2 (multiplexing, header compression), HTTP/3 (QUIC, UDP-based).
HTTPS (HTTP Secure)
SecurityHTTP encrypted with TLS (Transport Layer Security). The TLS handshake authenticates the server (certificate), negotiates encryption keys, and establishes an encrypted channel. All data is encrypted in transit. TLS 1.3 is the current standard (one round-trip handshake, mandatory forward secrecy). Certificate authorities (CAs) like Let's Encrypt issue free certificates. 96% of web traffic uses HTTPS in 2026.
TLS (Transport Layer Security)
SecurityThe cryptographic protocol that secures HTTPS, email, VPN, and other network communications. TLS 1.3: simplified handshake (1-RTT), removed weak ciphers, mandatory forward secrecy. Key exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). Cipher: AES-256-GCM or ChaCha20-Poly1305. Certificate verification ensures server identity. Replaces SSL (all SSL versions are deprecated and insecure).
WebSocket
ApplicationA protocol providing full-duplex communication over a single TCP connection. Starts as HTTP upgrade (101 Switching Protocols), then switches to binary frame protocol. Used for: real-time chat, live notifications, collaborative editing, live data feeds, gaming. Lower overhead than HTTP polling. Libraries: Socket.IO, ws (Node.js). Alternative: Server-Sent Events (SSE) for server-to-client only.
QUIC
TransportA transport protocol built on UDP that provides reliable, encrypted, multiplexed connections. Developed by Google, standardized as RFC 9000. Features: 0-RTT connection resumption, independent stream multiplexing (no head-of-line blocking), built-in TLS 1.3, connection migration (survives IP changes). Used by HTTP/3. Faster than TCP for lossy networks and mobile connections.
Firewall
SecurityA network security device/software that filters traffic based on rules. Types: packet filtering (L3/L4, stateless), stateful inspection (tracks connections), application-level gateway (L7, deep packet inspection), next-generation (NGFW, combines all with IDS/IPS). Rules: allow/deny based on source/destination IP, port, protocol. Software: iptables/nftables (Linux), pf (BSD), Windows Firewall. Hardware: Palo Alto, Fortinet, Cisco ASA.
Router
DevicesA network device that forwards packets between networks based on IP addresses (Layer 3). Routers maintain routing tables that map destination networks to next-hop addresses. Routing protocols: OSPF (internal), BGP (internet-wide), RIP (legacy). Home routers combine: router + switch + access point + NAT + firewall + DHCP server.
Switch
DevicesA network device that forwards frames within a network based on MAC addresses (Layer 2). Learns MAC-to-port mappings automatically (MAC address table). Provides dedicated bandwidth per port (vs shared on a hub). Types: unmanaged (plug-and-play), managed (VLAN, STP, QoS, SNMP), L3 switch (routing + switching). VLANs create virtual network segments on a single switch.
Load Balancer
InfrastructureDistributes incoming traffic across multiple servers. L4 (transport): routes based on IP/port, fast but basic. L7 (application): routes based on HTTP content (URL, headers, cookies), enables path-based routing, SSL termination, and A/B testing. Algorithms: round-robin, least connections, weighted, IP hash, least response time. Software: Nginx, HAProxy, Envoy, Traefik. Cloud: AWS ALB/NLB, GCP Load Balancing.
CDN (Content Delivery Network)
InfrastructureA geographically distributed network of servers that caches and delivers content from locations closest to the user. Reduces latency (lower round-trip time), offloads origin server traffic, provides DDoS protection, and improves availability. Providers: Cloudflare, Fastly, AWS CloudFront, Akamai, Vercel Edge. CDNs cache: static assets (images, CSS, JS), API responses, video streams, and even server-rendered HTML.
BGP (Border Gateway Protocol)
RoutingThe routing protocol that makes the internet work. BGP is used between ISPs and large networks (autonomous systems) to exchange routing information. Each AS announces its IP prefixes. BGP selects the best path based on: AS path length, local preference, and policy. BGP hijacking (announcing someone else IP prefix) can redirect internet traffic. RPKI (Resource Public Key Infrastructure) validates BGP announcements.
VLAN (Virtual Local Area Network)
LANLogically segments a physical network into isolated broadcast domains. Devices on different VLANs cannot communicate without a router (inter-VLAN routing). Configured on managed switches using VLAN IDs (802.1Q tagging). Use cases: separate departments, guest networks, IoT devices, voice traffic. Trunk ports carry multiple VLANs between switches.
ARP (Address Resolution Protocol)
LANResolves IPv4 addresses to MAC (hardware) addresses on a local network. Process: device broadcasts "Who has 192.168.1.1?", owner responds with its MAC address. Results are cached in the ARP table. ARP spoofing: attacker sends fake ARP replies to redirect traffic (man-in-the-middle). Not used in IPv6 (replaced by NDP, Neighbor Discovery Protocol).
DNS over HTTPS (DoH)
PrivacyEncrypts DNS queries by sending them over HTTPS. Prevents ISPs and network operators from seeing which domains you query. Supported by: Firefox (default with Cloudflare), Chrome, Edge, iOS, Android. DNS providers: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9). Alternative: DNS over TLS (DoT, port 853). Controversy: bypasses corporate/parental DNS filtering.
mDNS (Multicast DNS)
Name ResolutionZero-configuration DNS for local networks. Resolves .local hostnames without a DNS server. Used by: Bonjour (Apple), Avahi (Linux). Enables devices to discover each other on the LAN (e.g., printer.local, server.local). Works by multicasting DNS queries to 224.0.0.251 (IPv4) or ff02::fb (IPv6) on port 5353.
MTU (Maximum Transmission Unit)
Data LinkThe largest packet size that can be transmitted without fragmentation. Ethernet default: 1500 bytes. Jumbo frames: 9000 bytes (data centers, higher throughput). If a packet exceeds MTU, it is either fragmented (IPv4) or dropped with ICMP "Packet Too Big" (IPv6, path MTU discovery). VPN/tunnel overhead reduces effective MTU (WireGuard overhead: ~60 bytes). Incorrect MTU causes mysterious connectivity issues.
SSL/TLS Certificate
SecurityA digital certificate that authenticates a server identity and enables encryption. Contains: subject (domain), issuer (CA), public key, validity period, and digital signature. Types: DV (domain validated, automated), OV (organization validated), EV (extended validation, green bar removed). Let's Encrypt provides free automated DV certificates. Certificates are checked against CA trust stores in browsers/OS.
Proxy Server
InfrastructureAn intermediary server between client and destination. Forward proxy: client-side, used for: privacy (hides client IP), caching, content filtering, access control. Reverse proxy: server-side, used for: load balancing, SSL termination, caching, security (WAF). Software: Nginx, HAProxy, Envoy, Traefik, Caddy, Squid. Transparent proxies intercept traffic without client configuration.
Traceroute
TroubleshootingA network diagnostic tool that maps the path packets take from source to destination. Works by sending packets with incrementing TTL values; each router decrements TTL and responds when it reaches 0. Shows: each hop IP, hostname, and round-trip time. Tools: traceroute (Linux/macOS), tracert (Windows), mtr (combines traceroute + ping). Useful for finding where packet loss or latency occurs.
Ping
TroubleshootingA network diagnostic tool that tests connectivity by sending ICMP Echo Request packets and measuring round-trip time. Usage: ping destination (IP or hostname). Measures: latency (ms), packet loss (%), jitter (variation in latency). Does not guarantee application connectivity (only ICMP). Some hosts block ICMP (firewall). Tools: ping, fping (parallel), hping (TCP/UDP ping).
ICMP (Internet Control Message Protocol)
NetworkA network layer protocol for error reporting and diagnostics. Messages: Echo Request/Reply (ping), Destination Unreachable, Time Exceeded (traceroute), Redirect, Source Quench (deprecated). ICMP is not a transport protocol (no ports). ICMPv6 is more important than ICMPv4: it handles Neighbor Discovery, Router Solicitation, and path MTU discovery. Blocking all ICMP breaks important network functionality.
MAC Address
Data LinkA 48-bit (6-byte) hardware address uniquely identifying a network interface. Format: XX:XX:XX:XX:XX:XX (hexadecimal). First 24 bits: OUI (manufacturer identifier). Used at Layer 2 for frame delivery within a LAN. MAC addresses do not cross router boundaries (only IP addresses do). MAC address randomization (privacy): iOS/Android/Windows randomize MAC for Wi-Fi scanning and connections.
Latency
PerformanceThe time delay between sending a request and receiving a response. Measured in milliseconds (ms). Components: propagation delay (speed of light in medium), transmission delay (data on wire), queuing delay (router buffers), processing delay (router/server processing). Typical values: LAN <1ms, same city 5-20ms, cross-country 30-80ms, intercontinental 100-300ms. CDNs, edge computing, and HTTP/3 reduce latency.
Bandwidth
PerformanceThe maximum data transfer rate of a network connection, measured in bits per second (bps). Not the same as throughput (actual achieved rate). Typical values: 100 Mbps Ethernet, 1 Gbps Ethernet, 10 Gbps data center, 100+ Mbps broadband, 1-10 Gbps fiber. Bandwidth is shared among devices on a network segment. QoS (Quality of Service) prioritizes critical traffic.
Throughput
PerformanceThe actual data transfer rate achieved, which is always less than bandwidth due to protocol overhead, congestion, and errors. Measured in bits per second or bytes per second. Factors reducing throughput: TCP overhead (~3%), encryption overhead, packet loss, congestion, router processing. Tools to measure: iperf3, speedtest-cli, fast.com. Throughput is the practical measure of network performance.
Zero Trust Network
SecurityA security architecture that assumes no implicit trust for any user, device, or network segment. Every access request is verified: user identity (MFA), device health (patched, compliant), network context, and requested resource. Microsegmentation limits lateral movement. BeyondCorp (Google) and Azure AD Conditional Access are zero trust implementations. Replaces the traditional trusted perimeter model.
SDN (Software-Defined Networking)
ArchitectureAn approach that separates the control plane (routing decisions) from the data plane (packet forwarding). A centralized controller manages network behavior programmatically. Benefits: dynamic configuration, automated provisioning, network virtualization, and centralized policy management. Used in data centers and cloud environments. Technologies: OpenFlow, VXLAN, NSX (VMware), Calico/Cilium (K8s).
SSH (Secure Shell)
ApplicationA cryptographic network protocol for secure remote access, file transfer, and port forwarding. Uses public-key or password authentication. SSH replaces insecure protocols: Telnet (plaintext), rsh, rlogin. Features: remote shell (ssh user@host), file transfer (scp, sftp), port forwarding (local, remote, dynamic/SOCKS), X11 forwarding, agent forwarding. Default port: 22. Key types: Ed25519 (recommended), RSA (legacy).
SNMP (Simple Network Management Protocol)
ManagementA protocol for monitoring and managing network devices (routers, switches, servers, printers). Components: manager (NMS), agent (on device), MIB (Management Information Base, defines metrics). Versions: SNMPv1 (plaintext, insecure), SNMPv2c (community strings), SNMPv3 (authentication, encryption, recommended). Used for: bandwidth monitoring, uptime tracking, error detection, and configuration management.
QoS (Quality of Service)
PerformanceNetwork mechanisms that prioritize certain traffic types over others. Methods: classification (identify traffic type), marking (DSCP/CoS tags), queuing (weighted fair, priority), shaping (limit bandwidth), policing (enforce limits). Use cases: prioritize voice/video over bulk downloads, guarantee bandwidth for critical applications, prevent single user from consuming all bandwidth. Technologies: DiffServ, IntServ, MPLS.
Anycast
RoutingA network addressing method where the same IP address is assigned to multiple servers in different locations. The network routes traffic to the nearest (topologically closest) instance. Used by: CDNs, DNS root servers, Cloudflare (1.1.1.1), Google Public DNS (8.8.8.8). Benefits: reduced latency, automatic failover, DDoS mitigation (distributes attack across locations).
DNSSEC
SecurityDomain Name System Security Extensions. Adds authentication to DNS responses using digital signatures. Prevents DNS spoofing/poisoning. Chain of trust: root zone (signed) -> TLD (signed) -> authoritative zone (signed). Records: DNSKEY (public key), RRSIG (signature), DS (delegation signer), NSEC/NSEC3 (authenticated denial). Does not provide privacy (queries still visible); use DoH/DoT for that.
FAQ (20 Questions)
Try It Yourself
Use these embedded networking tools for IP lookup, subnet calculation, and DNS record reference.
Try it yourself
Ip Lookup
Tool preview unavailable.
Open Ip Lookup in a new pageTry it yourself
Subnet Mask Reference
Tool preview unavailable.
Open Subnet Mask Reference in a new pageTry it yourself
Dns Record Types
Tool preview unavailable.
Open Dns Record Types in a new pageRaw Data Downloads
Citations and Sources
Try These Tools for Free
Put this knowledge into practice with our browser-based tools. No signup needed.
Related Research Reports
The Complete DNS & Networking Guide 2026: DNS Records, Propagation, Cloudflare, Route53 & DNSSEC
The definitive DNS and networking reference for 2026. Covers DNS records, propagation, Cloudflare, Route53, DNSSEC, CDN architecture, and troubleshooting. 30,000+ words.
The Complete SSL/TLS Certificates Guide 2026: Certificate Types, ACME, Let's Encrypt, TLS 1.3 & HSTS
The definitive SSL/TLS reference for 2026. Covers certificate types, ACME protocol, Let's Encrypt, Certificate Transparency, TLS 1.3, HSTS, and cipher suites. 30,000+ words.
The Complete HTTP Protocol Guide 2026: HTTP/1.1, HTTP/2, HTTP/3, QUIC, Headers, Caching & Cookies
The definitive HTTP protocol reference for 2026. Covers HTTP/1.1, HTTP/2 multiplexing, HTTP/3 QUIC, request/response headers, caching strategies, cookies, CORS, and security headers. 28,000+ words.