MODULE 02 — NETWORKING

LAN Basics

Switches, routers, IP addresses, MAC addresses, and ARP — the fundamental building blocks that make every network tick.

What is a LAN?

A LAN (Local Area Network) is a network that connects devices within a limited physical area — like an office, a home, or a school building. When you connect your laptop to your home Wi-Fi, you're joining a LAN. All the devices on your LAN can communicate directly with each other at high speed (typically 1 Gbps over Ethernet).

Real-world analogy: Think of a LAN like an apartment building. Each apartment (device) has a mailbox number (MAC address) and an apartment number (IP address). The building's front desk (switch) routes packages within the building. The building's exit (router/default gateway) connects to the city's mail system (the internet).

Understanding LANs is foundational to all of cybersecurity. Most attacks — ARP spoofing, DHCP starvation, VLAN hopping, Man-in-the-Middle — happen at the LAN level. If you don't understand how devices find and talk to each other locally, you can't understand how those attacks work or how to defend against them.

Key Terms

MAC Address — A 48-bit hardware identifier burned into every network card (NIC).
IP Address — A logical address assigned to a device, used for routing between networks.
ARP — Protocol that maps IP addresses to MAC addresses on local networks.
DHCP — Protocol that automatically assigns IP addresses to devices when they connect.

Key Network Devices

  • Switch: Operates at Layer 2 (Data Link). When a frame arrives, the switch reads the destination MAC address and forwards it only to the correct port. It learns MAC→port mappings by examining source MACs of incoming frames and stores them in its MAC address table (CAM table). This is what makes switches smarter and more secure than hubs.
  • Router: Operates at Layer 3 (Network). Routes packets between different networks using IP addresses and its routing table. Your router connects your LAN to the internet. It also performs NAT — translating your private IPs to its public IP for outbound traffic.
  • Hub (Legacy): A Layer 1 device that broadcasts every frame to every port. If Port 1 sends data, all other ports receive it. This means anyone on the hub can sniff all traffic — a major security risk. Hubs are obsolete; switches replaced them.
  • Wireless Access Point (WAP): Bridges wireless clients (phones, laptops) to the wired LAN. Operates at Layer 2. Think of it as a switch for Wi-Fi devices. WAPs can be targets for rogue AP attacks and deauthentication attacks.

Addressing — How Devices Find Each Other

  • MAC Address: A 48-bit hardware identifier (e.g., AA:BB:CC:11:22:33). The first 3 bytes (OUI) identify the manufacturer (e.g., Apple, Intel). Think of it as the permanent name tag on your network card. Used by switches to forward frames within the local network. MAC addresses can be spoofed in software.
  • IP Address (v4): A 32-bit logical address (e.g., 192.168.1.10) divided into a network portion and a host portion. Unlike MAC addresses, IPs are assigned dynamically by DHCP or manually (static). Used by routers at Layer 3 to route between networks.
  • Subnet Mask: A bitmask that tells the device which part of the IP is the "network address" and which part is the "host address." For example, 255.255.255.0 (or /24) means the first 24 bits are the network, leaving 8 bits for 254 usable hosts. If two devices share the same network portion, they're on the same subnet and can communicate directly.
  • Default Gateway: The router's IP on your subnet (typically .1, like 192.168.1.1). When you want to reach something outside your network (like google.com), your device sends the packet to the default gateway, which forwards it onward. Without a gateway, you're stuck on your local network.

DHCP — How Your Device Gets an IP

When you connect to a network, you need an IP address, a subnet mask, a default gateway, and a DNS server. Instead of configuring all this manually, DHCP automates the process. Here's the 4-step "DORA" process:

D — Discover

Your device broadcasts: "Is there a DHCP server? I need an IP!"

O — Offer

DHCP server replies: "I can offer you 192.168.1.50 for 24 hours."

R — Request

Your device broadcasts: "I'll take 192.168.1.50, please."

A — Acknowledge

Server confirms: "Done! Your IP is 192.168.1.50, gateway is .1, DNS is .1."

Security Risks:

  • Rogue DHCP Server — An attacker sets up their own DHCP server that hands out a malicious gateway (routing all traffic through the attacker).
  • DHCP Starvation — Attacker floods the DHCP server with fake requests, exhausting all available IPs so legitimate users can't connect.
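The DORA exchange above is carried in BOOTP-format packets with a TLV option list. The following parser is an added example written for this page, not code from the original course: it builds a constructed DHCP OFFER (the "O" step, with the 24-hour lease from the walkthrough), decodes the fields a client actually needs (offered IP, mask, gateway, DNS, lease, server identifier), and applies a DHCP-snooping-style trust check. Real switches mark trusted ports rather than server addresses; using the server identifier (option 54) here is a simplification, and all addresses are sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of the DHCP option list
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREPLY = 2


def _ip(raw):
    return str(ipaddress.ip_address(raw))


def build_offer(xid, your_ip, mask, gateway, dns, lease_seconds, server_id):
    """Constructed sample: the OFFER a DHCP server sends in step 'O' of DORA."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,                    # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                             # transaction id, secs, flags
        b"\0" * 4,                             # ciaddr: client has no address yet
        ipaddress.ip_address(your_ip).packed,  # yiaddr: the offered address
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    opts = bytes([53, 1, 2])                   # option 53: message type = OFFER
    for code, value in ((1, mask), (3, gateway), (6, dns), (54, server_id)):
        opts += bytes([code, 4]) + ipaddress.ip_address(value).packed
    opts += bytes([51, 4]) + struct.pack("!I", lease_seconds)   # option 51: lease time
    return header + MAGIC_COOKIE + opts + b"\xff"               # option 255: end


def parse_dhcp(packet):
    """Decode the fixed BOOTP header and the TLV option list of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", packet[4:8])[0]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                        # end of options
            break
        if code == 0:                          # pad byte
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return {
        "xid": xid,
        "type": MSG_TYPES.get(options[53][0], "UNKNOWN") if 53 in options else None,
        "your_ip": _ip(packet[16:20]),         # yiaddr lives at offset 16 of the header
        "subnet_mask": _ip(options[1]) if 1 in options else None,
        "gateway": _ip(options[3]) if 3 in options else None,
        "dns": _ip(options[6]) if 6 in options else None,
        "lease_seconds": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "server_id": _ip(options[54]) if 54 in options else None,
    }


def offer_is_trusted(parsed, trusted_servers):
    """Snooping-style gate (simplified: keyed on server id, not switch port):
    accept server messages only from known servers, and only if the offered
    gateway really sits inside the offered subnet."""
    if parsed["type"] not in ("OFFER", "ACK"):
        return False
    if parsed["server_id"] not in trusted_servers:
        return False
    if parsed["gateway"] and parsed["subnet_mask"]:
        subnet = ipaddress.ip_interface(f"{parsed['your_ip']}/{parsed['subnet_mask']}").network
        if ipaddress.ip_address(parsed["gateway"]) not in subnet:
            return False
    return True


if __name__ == "__main__":
    offer = build_offer(0x1234, "192.168.1.50", "255.255.255.0",
                        "192.168.1.1", "192.168.1.1", 86400, "192.168.1.1")
    print(parse_dhcp(offer))
    print("trusted:", offer_is_trusted(parse_dhcp(offer), {"192.168.1.1"}))
```

A rogue server's offer decodes just as cleanly as a legitimate one; the only thing that separates them is the trust table, which is exactly why DHCP snooping has to be configured on the switch rather than left to clients.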

ARP — Address Resolution Protocol

ARP solves a critical problem: your device knows the IP address it wants to reach, but the frame it puts on the wire must carry a destination MAC address, and the switch forwards on MAC addresses alone. ARP translates between the two. Here's how it works step by step:

  1. Check ARP cache: Host A first checks its local ARP table (a temporary memory of recent IP→MAC mappings). If it already knows Host B's MAC, it skips ARP and sends the frame directly.
  2. ARP Request (broadcast): If the MAC isn't cached, Host A broadcasts a Layer 2 frame to FF:FF:FF:FF:FF:FF (every device on the subnet): "Who has 192.168.1.20? Tell 192.168.1.10."
  3. All hosts receive it: Every device on the subnet processes the ARP request. Only the device with the matching IP (Host B) responds.
  4. ARP Reply (unicast): Host B sends a directed reply back to Host A only: "192.168.1.20 is at AA:BB:CC:22:33:44."
  5. Cache & send: Host A stores the mapping in its ARP cache (with a timeout, usually 60-300 seconds) and now sends the data frame using Host B's MAC address.

Security Risk — ARP Spoofing: ARP has zero authentication. Any device can claim to be any IP. An attacker sends fake ARP replies saying "192.168.1.1 (the gateway) is at MY MAC address". Now all traffic from the victim goes to the attacker first — a classic Man-in-the-Middle attack. The attacker reads the traffic and forwards it to the real gateway, so the victim doesn't notice anything unusual.

Defenses: Dynamic ARP Inspection (DAI) on managed switches validates ARP packets against the DHCP snooping table. Static ARP entries can be set for critical servers. Network segmentation with VLANs limits the broadcast domain an attacker can reach.

Subnet Calculation Walkthrough

Subnetting is the process of dividing a network into smaller sub-networks. It's one of the most tested topics in networking and security certifications. Let's walk through a real example:

Given: 192.168.10.0/26 — How many usable hosts? What are the subnets?
# /26 means 26 network bits, leaving 32-26 = 6 host bits
# 2^6 = 64 total addresses per subnet
# 64 - 2 = 62 usable hosts (subtract network + broadcast)
Subnet 1: 192.168.10.0/26 → Hosts: .1 to .62 (Broadcast: .63)
Subnet 2: 192.168.10.64/26 → Hosts: .65 to .126 (Broadcast: .127)
Subnet 3: 192.168.10.128/26 → Hosts: .129 to .190 (Broadcast: .191)
Subnet 4: 192.168.10.192/26 → Hosts: .193 to .254 (Broadcast: .255)

Why subnetting matters for security: Subnetting creates network boundaries. Devices on different subnets can't communicate without a router, which means you can apply firewall rules at subnet boundaries. A well-subnetted network with proper access controls can contain a breach to a single subnet instead of the entire network.

Quick Reference: /24 = 254 hosts, /25 = 126 hosts, /26 = 62 hosts, /27 = 30 hosts, /28 = 14 hosts, /29 = 6 hosts, /30 = 2 hosts (point-to-point links)
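The walkthrough and the quick-reference line above can be reproduced with Python's standard ipaddress module. This is an added example for this page, not code from the course: usable_hosts() applies the 2^host_bits - 2 rule (and the /31 and /32 exception, which the page does not cover), split_network() carves a parent block into equal subnets and lists each one's host range and broadcast exactly as the 192.168.10.0/26 example does, and same_subnet() performs the "same network portion" comparison a host makes before deciding whether to send to the gateway.

```python
import ipaddress


def usable_hosts(prefix_len):
    """Usable host addresses in an IPv4 subnet of the given prefix length.
    Network and broadcast addresses are subtracted, except for /31 (RFC 3021
    point-to-point links) and /32, which have no such pair."""
    host_bits = 32 - prefix_len
    if host_bits < 2:
        return 2 ** host_bits
    return 2 ** host_bits - 2


def split_network(parent, new_prefix):
    """Carve `parent` (e.g. '192.168.10.0/24') into subnets of `new_prefix`
    and describe each one the way the walkthrough above does."""
    net = ipaddress.ip_network(parent, strict=True)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())            # excludes network and broadcast
        rows.append({
            "subnet": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable": len(hosts),
        })
    return rows


def same_subnet(ip_a, ip_b, mask):
    """True when both hosts share the network portion under `mask`
    (dotted form, e.g. '255.255.255.192'): they can talk without a router."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


if __name__ == "__main__":
    for prefix in (24, 25, 26, 27, 28, 29, 30):
        print(f"/{prefix} = {usable_hosts(prefix)} hosts")
    for row in split_network("192.168.10.0/24", 26):
        print(f"{row['subnet']:<20} hosts {row['first_host']} - {row['last_host']}"
              f"  broadcast {row['broadcast']}")
    # .10 and .70 fall into different /26 blocks, so they need the router
    print(same_subnet("192.168.10.10", "192.168.10.70", "255.255.255.192"))
```

Running it prints the same four /26 blocks as the walkthrough, which is a quick way to check a firewall rule set written "per subnet" actually lines up with the address plan.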

Private IP Ranges (RFC 1918)

RFC 1918 defines three IP ranges reserved for private (internal) use. These addresses are not routable on the internet — your router uses NAT to translate them to your public IP when traffic leaves the network. If you see any of these ranges on the internet, something is misconfigured.

Class  Range                          CIDR            Hosts  Typical Use
A      10.0.0.0 — 10.255.255.255      10.0.0.0/8      16.7M  Enterprise / Cloud
B      172.16.0.0 — 172.31.255.255    172.16.0.0/12   1M     Medium Networks
C      192.168.0.0 — 192.168.255.255  192.168.0.0/16  65K    Home / Small Office

Ethernet Frame Structure

Every piece of data sent on a LAN is wrapped in an Ethernet frame. The frame has a strict structure — the switch reads the destination MAC to decide where to forward it, and the FCS at the end verifies the data wasn't corrupted in transit:

| Preamble | SFD    | Dest MAC | Src MAC | EtherType | Payload       | FCS     |
| 7 bytes  | 1 byte | 6 bytes  | 6 bytes | 2 bytes   | 46-1500 bytes | 4 bytes |

VLANs (Virtual LANs)

VLANs logically segment a physical switch into multiple isolated broadcast domains. Even if devices are plugged into the same physical switch, they can be placed on different VLANs and treated as if they were on completely separate networks.

  • Example — Office Segmentation: VLAN 10 = HR department, VLAN 20 = Finance, VLAN 30 = Guest Wi-Fi. A device on VLAN 10 can't see or communicate with devices on VLAN 20, even though they're on the same switch. This is critical for compliance (HR data must be isolated) and security (compromising a guest laptop doesn't give access to financial systems).
  • 802.1Q Tagging: When a frame travels between switches (on a "trunk" port), a 4-byte VLAN tag is inserted into the Ethernet frame header containing the VLAN ID (1-4094). This tells the receiving switch which VLAN the frame belongs to.
  • Inter-VLAN Routing: Since VLANs are separate networks, a Layer 3 device (router or Layer 3 switch) is required for them to communicate. This gives you a chokepoint where you can apply firewall rules — for example, allowing Finance to reach the printer VLAN but not the server VLAN.

Security Risk — VLAN Hopping: Attackers can exploit switch misconfigurations to jump between VLANs. The two main techniques are switch spoofing (pretending to be a switch to negotiate a trunk port) and double tagging (nesting VLAN tags to escape the native VLAN). Defense: disable unused ports, set access mode explicitly, change the native VLAN from default.
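The frame layout in the Ethernet Frame Structure section and the 4-byte 802.1Q tag described above can be put together in one small codec. This is an added example written for this page, not code from the course: build_frame() constructs a sample frame as the NIC hands it to the driver (preamble and SFD already stripped), padding the payload to the 46-byte minimum and appending a CRC-32 FCS; parse_frame() verifies the FCS, reads the two MACs, walks any 802.1Q tags it finds (so a nested pair, the on-the-wire shape of a double-tagging attempt, is reported as such), and returns the EtherType and payload. The sample MACs and VLAN ids are constructed values.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100            # 802.1Q tag protocol identifier
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def fcs(data):
    """Frame Check Sequence: CRC-32 over everything after the SFD,
    appended least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan_ids=()):
    """Constructed sample frame. Each id in vlan_ids inserts one 4-byte
    802.1Q tag (TPID 0x8100 + TCI) right after the source MAC."""
    header = mac_bytes(dst) + mac_bytes(src)
    for vid in vlan_ids:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)  # PCP/DEI bits left at 0
    header += struct.pack("!H", ethertype)
    body = header + payload.ljust(46, b"\0")   # pad to the 46-byte minimum payload
    return body + fcs(body)


def parse_frame(frame):
    """Split a frame into its fields, verify the FCS and pull out VLAN tags."""
    if len(frame) < 64:                        # 14 header + 46 payload + 4 FCS
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS: frame corrupted in transit")
    vlan_ids = []
    offset = 12                                # just past dst + src MAC
    ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    while ethertype == ETHERTYPE_VLAN:         # walk nested tags, if any
        if offset + 6 > len(body):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", body[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)          # low 12 bits of the TCI = VLAN ID (1-4094)
        offset += 4
        ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    dst = mac_str(body[0:6])
    return {
        "dst": dst,
        "src": mac_str(body[6:12]),
        "vlan_ids": vlan_ids,
        "ethertype": ethertype,
        "payload": body[offset + 2:],
        "broadcast": dst == BROADCAST,
        "double_tagged": len(vlan_ids) > 1,    # more than one tag is worth an alert on an access port
    }


if __name__ == "__main__":
    arp = build_frame(BROADCAST, "AA:BB:CC:11:22:33", ETHERTYPE_ARP, b"who-has 192.168.1.20")
    print(parse_frame(arp))
    tagged = build_frame("AA:BB:CC:22:33:44", "AA:BB:CC:11:22:33", ETHERTYPE_IPV4, b"ip", vlan_ids=(10,))
    print(parse_frame(tagged)["vlan_ids"])
```

The FCS check is what the switch does before it even looks at the destination MAC; a frame that fails it is dropped silently, which is why corrupted data never "leaks" through as a garbled packet higher up the stack.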

Switch Security Features

Managed switches provide several security features that are essential for securing a LAN:

Port Security

Limits the number of MAC addresses allowed on a port. If an attacker tries MAC flooding (sending thousands of fake MACs to overflow the CAM table), port security shuts down the port.
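The MAC learning described in the Switch entry of Key Network Devices and the port-security limit described here fit in one toy switch model. This is an added example written for this page, not code from the course or any vendor: Switch.forward() learns the source MAC on the ingress port, floods broadcasts and unknown destinations to every other port, delivers known destinations to exactly one port, and puts a port into an error-disabled state once more MACs than allowed have appeared on it. Port names and MACs are constructed values; real switches also age entries out of the CAM table, which this model omits.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Switch:
    """Toy Layer 2 switch: source-MAC learning, flood/forward decisions and a
    per-port MAC limit in the spirit of port security."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                  # CAM table: mac -> port
        self.max_macs = max_macs_per_port
        self.err_disabled = set()      # ports shut down by port security
        self.log = []

    def macs_on(self, port):
        return [mac for mac, p in self.cam.items() if p == port]

    def forward(self, ingress, src_mac, dst_mac):
        """Return the list of egress ports for a frame (empty if it is dropped)."""
        if ingress in self.err_disabled:
            return []
        # Learning: record where this source MAC was last seen.
        if self.cam.get(src_mac) != ingress:
            seen_here = self.macs_on(ingress)
            if self.max_macs is not None and len(seen_here) >= self.max_macs:
                # Too many distinct sources on one access port: the signature of
                # MAC flooding. Shut the port rather than let the CAM overflow.
                self.err_disabled.add(ingress)
                self.log.append(f"port-security: {ingress} exceeded {self.max_macs} MACs, shut down")
                return []
            self.cam[src_mac] = ingress
        # Forwarding: unknown or broadcast destinations are flooded.
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return [p for p in self.ports if p != ingress and p not in self.err_disabled]
        out = self.cam[dst_mac]
        return [] if out == ingress else [out]    # never send a frame back out its own port


if __name__ == "__main__":
    sw = Switch(["P1", "P2", "P3"], max_macs_per_port=2)
    print(sw.forward("P1", "AA:00:00:00:00:01", BROADCAST))            # flooded: ['P2', 'P3']
    print(sw.forward("P2", "AA:00:00:00:00:02", "AA:00:00:00:00:01"))  # known: ['P1']
    for i in (3, 4, 5):                                                # third MAC on P3 trips the limit
        print(sw.forward("P3", f"AA:00:00:00:00:0{i}", "AA:00:00:00:00:01"))
    print(sw.log)
```

Without the limit, an overflowed CAM table makes a switch behave like the hub described earlier: every frame gets flooded to every port. The log line is the kind of event a SIEM rule should pick up from the real switch's syslog.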

DHCP Snooping

Builds a trusted table of legitimate DHCP transactions. Prevents rogue DHCP servers from handing out malicious configurations. Only the port connected to the real DHCP server is marked as "trusted."

Dynamic ARP Inspection (DAI)

Uses the DHCP snooping database to validate ARP packets. If an ARP reply doesn't match the known IP→MAC mapping, it's dropped — blocking ARP spoofing attacks.
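The ARP request/reply packets from the ARP section and the DAI check described here can be shown together. This is an added example written for this page, not code from the course or any switch vendor: build_arp() constructs the 28-byte ARP body (RFC 826 layout for Ethernet/IPv4), parse_arp() decodes it, ArpInspector applies the DAI rule (drop any ARP packet whose sender IP->MAC pair disagrees with the snooping bindings or static entries), and ArpCache shows the host-side symptom of spoofing, an existing entry whose MAC changes. The binding table, MACs and port names are constructed sample values.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed binding table, as DHCP snooping would have built it: ip -> mac
BINDINGS = {
    "192.168.1.1": "AA:BB:CC:00:00:01",    # gateway
    "192.168.1.10": "AA:BB:CC:11:22:33",   # Host A
    "192.168.1.20": "AA:BB:CC:22:33:44",   # Host B
}


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed 28-byte ARP packet body (hardware type 1 = Ethernet,
    protocol type 0x0800 = IPv4, address lengths 6 and 4)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac_bytes(sender_mac) + ipaddress.ip_address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.ip_address(target_ip).packed)


def parse_arp(pkt):
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "opcode": opcode,
        "sender_mac": mac_str(pkt[8:14]),
        "sender_ip": str(ipaddress.ip_address(pkt[14:18])),
        "target_mac": mac_str(pkt[18:24]),
        "target_ip": str(ipaddress.ip_address(pkt[24:28])),
    }


class ArpInspector:
    """DAI-style gate: an ARP packet passes only if its sender IP->MAC pair
    matches the snooping bindings or an administrator's static entries."""

    def __init__(self, bindings, static_entries=None):
        self.bindings = {ip: mac.upper() for ip, mac in bindings.items()}
        self.bindings.update({ip: mac.upper() for ip, mac in (static_entries or {}).items()})
        self.alerts = []

    def inspect(self, pkt, ingress_port):
        arp = parse_arp(pkt)
        expected = self.bindings.get(arp["sender_ip"])
        if expected == arp["sender_mac"]:
            return True
        kind = "reply" if arp["opcode"] == ARP_REPLY else "request"
        self.alerts.append(f"{ingress_port}: dropped ARP {kind} claiming "
                           f"{arp['sender_ip']} is at {arp['sender_mac']} (binding: {expected})")
        return False


class ArpCache:
    """Host-side view: an entry whose MAC suddenly changes is the classic
    spoofing symptom that arpwatch-style tools alert on."""

    def __init__(self):
        self.table = {}

    def learn(self, ip, mac):
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:
            return "new"
        return "same" if old == mac else "changed"


if __name__ == "__main__":
    dai = ArpInspector(BINDINGS)
    reply = build_arp(ARP_REPLY, "AA:BB:CC:22:33:44", "192.168.1.20",
                      "AA:BB:CC:11:22:33", "192.168.1.10")
    print(dai.inspect(reply, "Gi0/3"))   # True: matches the binding for .20
    forged = build_arp(ARP_REPLY, "AA:BB:CC:DE:AD:00", "192.168.1.1",
                       "AA:BB:CC:11:22:33", "192.168.1.10")
    print(dai.inspect(forged, "Gi0/7"))  # False: .1 is bound to a different MAC
    print(dai.alerts)
```

Note what the inspector does not check: the target fields. DAI is only about whether the sender is telling the truth about itself, which is enough because that is the field a forged reply has to lie in.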

802.1X (Port-Based NAC)

Requires authentication before a device is granted network access. The device must present valid credentials (usually via RADIUS) before the switch port is activated. This prevents unauthorized devices from connecting to the LAN.

Network Topology Visualizer

(Interactive diagram on the original page, not reproduced here: Router, Switch A, Switch B, PC-1, PC-2, Server, PC-3. Clicking a device showed its configuration; "Send ARP" animated an ARP request/reply flow.)

All certification names are referenced for educational purposes only. This project is not affiliated with any certification body.