🏠 home · reset

⟨⟩ sidebar

Aa text size

▾ subnetting

▾ route/switch

▾ wireless

▾ reference

Build your network. One slice at a time.

A toolkit for network engineers, built on the STTP (Straight to the Point) approach—fast, focused tools with no fluff.
Browse by subnetting, routing/switching, wireless, and reference.
Your one-stop hub for essential tools and bookmarks.

subnetting

Subnet Calculator

Enter a CIDR block and get network address, broadcast, host range, wildcard mask, usable hosts, and binary breakdown.

subnetting

VLSM Planner

Variable Length Subnet Masking — allocate multiple subnets of different sizes from a single address block, sorted by host requirement.

subnetting

Subnet List

Divide a network into equal-size subnets. Lists all subnets with their network/broadcast addresses and host ranges.

subnetting

Cloud Subnet Calculator

Cloud-aware subnet planning for AWS, Azure, and GCP. Accounts for provider-reserved addresses and shows usable host counts.

subnetting

Overlap Checker

Paste a list of CIDR ranges and instantly detect overlapping or duplicate subnets — essential for route table audits.

route / switch

route/switch

Route Summarization

Enter a list of subnets and calculate the optimal summary route (supernet) that covers all of them with minimal waste.

🔒 PRO

route/switch

VLAN / Trunk Planner

Build VLAN tables, assign ports, visualize trunk/access port configurations, and parse Aruba AOS-CX running config to detect mismatches.

🔒 PRO

route/switch

PoE Planner

Plan switch PoE budgets. Reference for 802.3af/at/bt standards, per-device power draw for Aruba, Cisco, and Ruckus APs, cameras, and phones.

🔒 PRO

route/switch

Route Preference / AD

Administrative Distance quick reference across Cisco, Aruba, and Juniper. Interactive route conflict resolver — compare two routes, see which wins and why.

🔒 PRO

route/switch

OSPF Planner

Area type reference (stub/NSSA/totally-stub), OSPF cost calculator with reference bandwidth, DR/BDR election rules, and LSA type quick reference.

🔒 PRO

route/switch

BGP Cheatsheet

11-step path selection order with memory aid, well-known communities, FSM states, common techniques (prepending, LOCAL_PREF, MED, route reflectors, RTBH).

🔒 PRO

route/switch

SD-WAN Comparison

Side-by-side comparison of Cisco Viptela, Meraki, Aruba EdgeConnect, Fortinet, VeloCloud, and Versa. NSA vs SA 5G deployment modes and SASE component breakdown.

🔒 PRO

route/switch

WAN Sizing Calculator

Enter branch user count and traffic mix, get recommended per-link circuit size with IPsec overhead, growth buffer, and SD-WAN path split recommendation.

🔒 PRO

route/switch

Path Selection

How SD-WAN picks paths step by step, SLA metric thresholds for voice/video/data, path strategies (active/standby, app-aware, FEC, packet duplication), and BFD reference.

🔒 PRO

route/switch

IPv6 Cheatsheet

Address types (GUA/ULA/link-local/multicast), EUI-64 generation, NDP vs ARP, SLAAC vs DHCPv6, prefix sizing (/48/56/64/127), and well-known multicast addresses.

🔒 PRO

route/switch

VPN Reference

IPsec IKEv2 phases, tunnel vs transport mode, ESP vs AH, DMVPN phases 1/2/3 with NHRP, GRE overhead and gotchas, WireGuard quick reference, and port/protocol table.

🔒 PRO

route/switch

SNMP / Syslog / NTP

SNMPv3 security levels, GET/TRAP/INFORM operations, useful OIDs, syslog severity levels 0–7, facility codes, NTP stratum hierarchy, and NTP best practices.

🔒 PRO

route/switch

Switching Cheatsheet

L2 forwarding, MAC tables, 802.1Q trunking, EtherChannel (LACP/PAgP), STP states and roles, inter-VLAN routing, port security, BPDU guard, storm control, and troubleshooting.

🔒 PRO

route/switch

Routing Cheatsheet

IP routing fundamentals, LPM, CEF/FIB, AD table across Cisco/Aruba/Juniper, static route types, ECMP, OSPF quick reference, redistribution/filtering, PBR, and troubleshooting.

🔒 PRO

route/switch

VoIP Cheatsheet

SIP methods and response codes, call flow, RTP/RTCP/SRTP, codec reference (G.711/G.722/G.729/Opus), DSCP/QoS, voice VLAN design, DHCP provisioning options, and troubleshooting.

wireless

Wi-Fi Channel Visualizer

Visual map of 2.4 GHz, 5 GHz, and 6 GHz channels showing width, overlap, and non-overlapping channel sets.

🔒 PRO

wireless

MCS / RSSI Mapper

Maps RSSI signal levels to MCS index and PHY rates for 802.11n/ac/ax. Shows minimum SNR requirements per MCS.

🔒 PRO

wireless

802.11 Frame Calculator

Calculate frame overhead, payload efficiency, and throughput for 802.11 frames at different MCS rates and frame sizes.

🔒 PRO

wireless

Roam Threshold Advisor

Calculates recommended RSSI roaming thresholds based on environment, AP density, and application type (voice, video, data).

wireless

EIRP Calculator

Calculate Effective Isotropic Radiated Power: Tx power + antenna gain − cable loss. Check against regulatory EIRP limits.

🔒 PRO

wireless

Airtime Utilization

Calculate channel airtime consumed by your client mix. Shows how low-MCS clients starve high-MCS clients and estimates max clients before saturation.

wireless

WPA2 vs WPA3

Side-by-side comparison of WPA2 and WPA3 security modes, authentication methods, encryption, and use-case recommendations.

🔒 PRO

wireless

Power & dB Guide

Reference for dB, dBm, dBi, SNR. Includes dBm-to-mW table, the 3 dB / 10 dB rules, link budget walkthrough, and RF loss values for common building materials.

wireless

802.11 Amendments

Full timeline of 802.11 amendments from original to Wi-Fi 7 (be). Feature comparison table, key non-speed amendments (k/r/v/w), and MLO / 6 GHz notes.

🔒 PRO

wireless

802.11 Frame Cheatsheet

Frame types (management/control/data), MAC header fields, management subtype reference, association process step-by-step, reason codes, and status codes.

🔒 PRO

wireless

EAP / 802.1X Guide

802.1X architecture (supplicant, authenticator, RADIUS), EAP method comparison (PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM), certificate requirements, and step-by-step auth flow per method.

🔒 PRO

wireless

Wi-Fi Troubleshooting

Layer-by-layer troubleshooting flowchart — RF/signal, association, 802.1X authentication, DHCP, and routing/DNS. Expandable checks with pass/fail criteria and quick triage commands.

🔒 PRO

wireless

WLC CLI Comparison

Wireless controller CLI reference for Cisco 9800 (IOS-XE), Aruba Mobility Controller (AOS8), Ruckus SmartZone, and Juniper Mist. Covers clients, APs, SSIDs, RF, auth/AAA, management, and debug.

security

🔒 PRO

security

ACL Builder

Build standard and extended ACLs with wildcard mask generation, permit/deny logic, and exportable CLI output for Cisco and Aruba syntax.

🔒 PRO

security

802.1X / NAC Deep Dive

802.1X architecture (supplicant, authenticator, RADIUS), EAP method comparison (PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM), certificate requirements, and step-by-step auth flow per method.

🔒 PRO

security

Firewall Cheatsheet

Firewall types, zone-based design, NAT types, rule order and implicit deny, common port reference, attack patterns and mitigations, and troubleshooting quick reference.

reference

Ethernet Guide

Cable categories (Cat5e–Cat8), PoE support by cable, Ethernet speeds timeline (10BASE-T → 400GbE), and a quick cable selection guide by scenario.

reference

SFP / Transceiver Guide

Form factor comparison (SFP to QSFP-DD), common module types (SR/LR/ER/DAC/AOC/BiDi) with reach and connector info, plus breakout/fan-out guide.

🔒 PRO

reference

IP Ports & Protocols

IP protocol numbers (TCP/UDP/OSPF/GRE/ESP/VRRP) and common TCP/UDP port reference with network-engineer notes (RADIUS, SNMP, TFTP, Syslog, 802.1X).

🔒 PRO

reference

DSCP / QoS Reference

Full DSCP table with PHB class and drop precedence, WMM access categories (AC_VO/VI/BE/BK) with AIFS/CWmin, and DSCP ↔ 802.1p ↔ WMM mapping.

🔒 PRO

reference

Wireshark Cheatsheet

Display filter cheatsheet, common protocol filters (DHCP, ARP, EAPOL, RADIUS, STP), 802.11 wireless capture & monitor mode tips, built-in statistics tools, and follow stream / export / tshark workflow tips.

🔒 PRO

reference

OS Networking

Networking commands for Linux, macOS, and Windows — tabbed reference covering interface management, routing, DNS, packet capture, port testing, and firewall per OS.

🔒 PRO

reference

4G / 5G Guide

LTE and 5G architecture, radio access technologies (FDD/TDD), frequency bands, NR vs LTE feature comparison, 5G NR sub-6 GHz vs mmWave, network slicing, and carrier aggregation basics.

🔒 PRO

reference

DHCP Cheatsheet

DORA exchange, message types, common options (1/3/6/43/50/51/82/121), lease timers, packet fields, DHCP snooping/DAI/IP Source Guard, and troubleshooting quick reference.

🔒 PRO

reference

VoIP Cheatsheet

SIP methods and response codes, call flow, RTP/RTCP/SRTP, codec reference (G.711/G.722/G.729/Opus), DSCP/QoS, voice VLAN design, DHCP provisioning options, and troubleshooting.

🔒 PRO

reference

Vendor CLI Comparison

Side-by-side CLI reference for Cisco IOS/IOS-XE, Aruba AOS-CX, Juniper JunOS, and Arista EOS. Covers interfaces, switching, routing, OSPF, BGP, show commands, and management. Filter by category or search.

$ calc

10.0.0.0/8 172.16.0.0/12 192.168.1.0/24 10.10.50.0/26 100.64.0.0/10 CGNAT

supernet

$ supernet

subnets needed

parent block

$ block

split into

/ 192.168.0.0/22 → /24 10.0.0.0/20 → /26

cidr blocks to check

routes to summarize

cloud provider

AWS VPC

5 reserved

Azure VNet

5 reserved

GCP VPC

3 reserved

Standard

2 reserved

cidr block

$ cloud

/16 /24 /25 /26 /27 /28

region / country

FCC

frequency band

channel width

channels

spectrum

DFS required

indoor only

overlap zone

summary

overlap analysis

standard

channel width

spatial streams

signal

RSSI dBm noise floor dBm

-45 excellent -60 good -70 fair -75 poor -85 very poor

result

MCS index

—

data rate

—

SNR / signal quality

0 dB1020304050 dB

full MCS table

MCS	modulation	coding	min SNR	min RSSI	rate	vs current

parameters

std ?

MCS ?

width ?

streams ?

payload ? bytes

64B 512B 1500B MTU 9000B jumbo

frame type ?

A-MPDU frames ? subframes

what each parameter means

frame breakdown

results

airtime breakdown

Each 802.11 transmission consumes airtime well beyond the data itself. DIFS (Distributed Inter-Frame Space) is the mandatory idle time before any station may transmit — 802.11ac = 34 µs. Backoff is a random additional wait (0–CWmin slots) to reduce collisions. Preamble (PLCP header) is the sync sequence every receiver must decode before the data — legacy rates make this expensive. MAC header is the 802.11 addressing overhead. Data is your actual payload. SIFS (Short IFS = 16 µs) is the gap before the ACK. ACK is the receiver’s acknowledgement frame. The ratio of Data to Total airtime is your frame efficiency — A-MPDU aggregation improves this dramatically by amortising DIFS + preamble + ACK across many subframes.

component	duration (μs)	% of total

Reading the airtime breakdown DIFS (DCF Interframe Space) — mandatory quiet time before any station may attempt to transmit (~34 µs for 802.11ac). No one can transmit during DIFS.
Backoff — random wait slots added on top of DIFS to avoid collisions when multiple stations are ready. Each failed transmission doubles the contention window (binary exponential backoff).
Preamble — fixed training sequence at the start of every transmission. Lets the receiver synchronize timing, measure channel, and decode the SIGNAL field. 802.11ac HT preamble = 32+ µs depending on configuration.
SIGNAL / Header — PLCP header containing the data rate, length, and other PHY parameters — transmitted at the base rate so all stations can read it.
Data — the actual payload transmission time. This is the only part carrying user data. Notice how small this slice is relative to the total at low MCS or small payloads.
SIFS (Short Interframe Space) — mandatory gap between data frame and its ACK (~16 µs). Shorter than DIFS so the ACK gets priority over other stations.
ACK — the receiver's acknowledgement frame. If this is A-MPDU, a Block ACK bitmap (64-bit) acknowledges multiple subframes at once — this is why A-MPDU efficiency is so much higher than per-frame ACK.

Efficiency % = Data time ÷ Total airtime. At MCS 0 (BPSK 1/2) with 64-byte packets, efficiency can drop below 5% — 95% of the channel is spent on overhead. A-MPDU with 64 subframes at high MCS can push efficiency above 80%.

throughput vs payload size

deployment type

client type

coverage overlap (AP cell edge SNR)

overlap RSSI at edge

-67 dBm

noise floor

-95 dBm

recommended thresholds

roaming timeline

-90 dBm-80-70-60-50 dBm

good coverage

roam candidate zone

sticky / kick zone

no coverage

aruba AOS settings

parameter	value	location in AOS	status

aruba CLI

region

band / channel

frequency band

inputs

TX power (conducted) dBm

antenna gain dBi

cable / connector loss dB

number of TX chains

EIRP result

EIRP

—

effective isotropic radiated power

EIRP vs regulatory limit

regulatory limits —

band / sub-band	max EIRP	max mW	notes	status

PoE budget (W)

port count

quick fill

0 W / 370 W used 370W

0 W

allocated

370 W

remaining

0

ports used

0%

utilization

port #

device type

draw (W)

standard

port map — click to remove ■ af ■ at ■ bt ■ over budget

802.3 PoE standards

standard	class	switch port output	device max	pairs used	min cable	common use
802.3af (PoE)	0–3	15.4W	12.95W	2-pair	Cat3+	Basic APs, VoIP phones, cameras
802.3at (PoE+)	4	30W	25.5W	2-pair	Cat5e+	Wi-Fi 6 APs, PTZ cameras, thin clients
802.3bt Type 3 (PoE++)	5–6	45–60W	40–51W	4-pair	Cat5e+ (Cat6a recommended)	Wi-Fi 6E/7 tri-radio APs, video phones
802.3bt Type 4 (PoE++)	7–8	71.3–90W	62–71.3W	4-pair	Cat6a required	High-end APs, digital displays, pan-tilt cameras
Cisco uPoE / HPE HPoE	vendor	60W	~51W	4-pair	Cat6a recommended	Cisco pre-bt solution, Aruba 655/730 series

⚡ Always plan with ~16% line loss between switch port and device. A 25.5W device requires ~30W switch port allocation. Cable length and quality affect actual delivery.

power requirements by device type — APs · cameras · VoIP phones

model	Wi-Fi gen	radios	PoE standard	switch port W	device W	reduced functionality if underpowered
AP-305	Wi-Fi 5 (ac)	2.4+5	802.3af	15.4W	12.5W	Full functionality on af
AP-315	Wi-Fi 5 (ac)	2.4+5	802.3at	30W	14.4W	Runs on af with IPM
AP-325	Wi-Fi 5 (ac)	2.4+5	802.3at	30W	20W max	On af: 2.4GHz drops to 1x1:1. Dual E0/E1 PoE-in — two af sources can be combined.
AP-375	Wi-Fi 5 (ac)	2.4+5	802.3at	30W	23W max	Outdoor omni. 802.3at required — af insufficient for full operation.
AP-377	Wi-Fi 5 (ac)	2.4+5	802.3at	30W	23W max	Outdoor directional. Same power profile as AP-375. 802.3at required.
AP-387	Wi-Fi 5 (ac)	2.4+5	802.3at	30W	22W max	Outdoor IP67. PoE+ required. Cable run <80m recommended.
AP-505	Wi-Fi 6 (ax)	2.4+5	802.3af	15.4W	12.5W	Full functionality on af
AP-515	Wi-Fi 6 (ax)	2.4+5	802.3bt	~36W	25.5W typ / 30W max	On at: limited to 2x2 on 5GHz, USB disabled. On af: minimal operation.
AP-518	Wi-Fi 6 (ax)	2.4+5	802.3at / 802.3bt	30W (at) / 60W (bt)	26.1W (1 port) / 32W (2 port)	Hardened outdoor. Dual E0/E1 PoE-in. Combine two 802.3at ports for full power. IPM supported.
AP-535	Wi-Fi 6 (ax)	2.4+5	802.3at	30W	26.4W	On af: reduced spatial streams, 1Gbps eth only.
AP-555	Wi-Fi 6 (ax)	2.4+5+5	802.3bt	45W	30W+	On at: operates as 4x4 single 5GHz only.
AP-575	Wi-Fi 6 (ax)	2.4+5	802.3at / 802.3bt	30W (at) / 60W (bt)	26.1W (1 port) / 32W (2 port)	Outdoor omni Wi-Fi 6. Dual E0/E1 PoE-in. Single 802.3at = full operation with IPM.
AP-577	Wi-Fi 6 (ax)	2.4+5	802.3at / 802.3bt	30W (at) / 60W (bt)	26.1W (1 port) / 32W (2 port)	Outdoor directional Wi-Fi 6. Same power profile as AP-575. Dual E0/E1 PoE-in.
AP-635	Wi-Fi 6E (ax)	2.4+5+6	802.3at	30W	23.8W	USB disabled on at. 802.3bt for USB + full power.
AP-655	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	45–60W	~40W	On 802.3at: 6GHz radio disabled — operates as dual-band only.
AP-675	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	60W	45.5W max	Outdoor tri-radio omni. 802.3bt required. Cat6a strongly recommended.
AP-677	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	60W	45.5W max	Outdoor tri-radio directional. Same power profile as AP-675. 802.3bt required. Cat6a required.
AP-730	Wi-Fi 7 (be)	2.4+5+6	802.3bt	60W	~50W	Full 802.3bt required for tri-radio at full capability.

Source: Aruba datasheets and Airheads community PoE quick reference. IPM = Intelligent Power Monitoring — Aruba APs negotiate power via LLDP and reduce functionality gracefully when underpowered.

model	Wi-Fi gen	radios	PoE standard	switch port W	device W	reduced functionality if underpowered
C9105AX	Wi-Fi 6 (ax)	2.4+5	802.3af	15.4W	13.8W	Full functionality on af
C9115AX	Wi-Fi 6 (ax)	2.4+5	802.3at	30W	21.4W	On af: USB disabled, eth 1Gbps, radios 2x2
C9120AX	Wi-Fi 6 (ax)	2.4+5	802.3at	30W	25.5W	On af: USB disabled, eth 1Gbps, radios 1x1
C9130AX	Wi-Fi 6 (ax)	2.4+5	802.3at / uPoE	30–60W	30.5W	On af: eth 1Gbps, radios 1x1. USB requires uPoE/bt
C9162	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	60W	~45W	On at: reduced spatial streams on 6GHz
C9164	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	60W	~50W	On at: 6GHz radio degraded
C9166	Wi-Fi 6E (ax)	2.4+5+6	802.3bt	60W	~55W	Full bt required for beacon protection + GCMP-256

Source: Cisco AP Power Requirements Quick Reference (cisco.com). Note: Most Cisco switches require CDP or LLDP to be enabled to deliver more than 802.3af power — LLDP is disabled by default on many Cisco switches.

model	Wi-Fi gen	radios	min PoE	switch port W (full)	device W	reduced functionality if underpowered
AP24	Wi-Fi 6E (ax)	2.4+5+6 2x2	802.3af	15.4W	13W	Full functionality on af
AP32	Wi-Fi 6 (ax)	2.4+5 2x2	802.3af	15.4W	~15W	On af: 5GHz 2x2, eth0 1Gbps, eth1 off
AP33	Wi-Fi 6 (ax)	2.4+5 4x4	802.3at	30W	19.5W	On af: 5GHz reduces to 2x2, eth1 disabled
AP34	Wi-Fi 6E (ax)	2.4+5+6 2x2	802.3at	30W	20.9W	On af: connects to cloud only to report low power
AP43	Wi-Fi 6 (ax)	2.4+5 4x4	802.3at	30W	25.5W	On af: 5GHz 2x2, eth1 disabled. Always use at.
AP45	Wi-Fi 6E (ax)	2.4+5+6 4x4	802.3bt	45W	29.3W	On at: 2x2 on 2.4+6GHz, 4x4 on 5GHz only
AP63	Wi-Fi 6 (ax)	2.4+5 outdoor	802.3at	30W	25.2W	Always use at. Outdoor — check cable run length.
AP64	Wi-Fi 6E (ax)	2.4+5+6 outdoor	802.3af	15.4W	13W	Full functionality on af

Source: Juniper Mist official PoE requirements documentation (juniper.net). APs use LLDP to negotiate power — ensure LLDP is enabled on the upstream switch. Cisco switches may require manual LLDP enable.

model	Wi-Fi gen	radios	min PoE	switch port W (full)	device W	reduced functionality if underpowered
R350	Wi-Fi 6 (ax)	2.4+5 2x2	802.3af	15.4W	12.5W	Full functionality on af
R550	Wi-Fi 6 (ax)	2.4+5 2x2+4x4	802.3at	30W	22W	On af: reduced 5GHz spatial streams
R650	Wi-Fi 6 (ax)	2.4+5 4x4	802.3at	30W	24W	On af: degraded performance
R750	Wi-Fi 6 (ax)	2.4+5 4x4+4x4	802.3at	30W	26W	On af: IoT radios may be disabled
R850	Wi-Fi 6 (ax)	2.4+5 2x2+8x8	uPoE/PoH	60W	~35W+	On at (Mode 1): 4x4 on 5GHz. On af: minimal
R560	Wi-Fi 6E (ax)	2.4+5+6 2x2	802.3at	30W	25.5W	Tri-radio requires 25.5W minimum. Auto-reboot if insufficient for 10+ min.
R760	Wi-Fi 6E (ax)	2.4+5+6 4x4	802.3at	30W	25.5W	Tri-radio requires 25.5W minimum. Auto-reboot if insufficient for 10+ min.
R770	Wi-Fi 6E (ax)	2.4+5+6 4x4	802.3bt	45–60W	~40W	On at: same 25.5W min restriction as R760
T350 outdoor	Wi-Fi 6 (ax)	2.4+5 2x2	802.3at	30W	25W	Outdoor rated. Keep cable run <80m. Surge protection recommended.
T750 outdoor	Wi-Fi 6 (ax)	2.4+5 4x4	uPoE/bt	60W	~40W	Requires bt or uPoE for full operation. Outdoor rated IP67.
T760 outdoor	Wi-Fi 6E (ax)	2.4+5+6 4x4	802.3bt	60W	~45W	Tri-radio outdoor. bt required. Use Cat6a for runs over 60m.

Source: Ruckus SmartZone release notes, Ruckus One AP power documentation. R560/R760/R770 will auto-reboot after 10 minutes if PoE supply is insufficient. R850 supports uPoE/PoH via 5Gbps Ethernet interface.

model	type	resolution	PoE class	switch port W	typical W	max W	notes
M3106-L Mk II	Indoor fixed dome	4MP	Class 2	8W	4.5W	7.5W	Basic indoor dome. af fully sufficient.
M4216-LV	Indoor varifocal dome	4MP	Class 3	10W	6W	8.5W	IR + varifocal. af fully sufficient.
P3255-V	Indoor fixed dome	2MP	Class 2	8W	4.7W	8.0W	Latest ARTPEC-8 SoC. Deep learning analytics.
P3265-V	Indoor varifocal dome	2MP	Class 3	10W	5.5W	9.5W	ARTPEC-8, Lightfinder 2.0, Forensic WDR.
P3265-LV	Indoor IR varifocal	2MP	Class 3	13W	7.0W	11.0W	IR illumination increases draw. af sufficient.
P3265-LVE	Outdoor IR varifocal	2MP	Class 3	15.4W	8.5W	14.0W	Outdoor IP66/67. Heater in cold weather adds ~3W.
M3158-V	Indoor panoramic	8MP	Class 3	12W	6.5W	9.0W	180° panoramic. af sufficient for most deployments.
Q6135-LE	Outdoor PTZ 32x	1080p	Class 4	30W	18W	30W	High-speed PTZ + OptimizedIR 250m. PoE+ required.
Q6100-E	Outdoor 360° PTZ	4K	Class 4	30W	20W	30W	Multidirectional outdoor. PoE+ required.
P5676-LE	Outdoor PTZ	4K	Class 4	30W	22W	30W	4K outdoor PTZ. PoE+ required.

Source: Axis Communications datasheets and Axis power consumption white paper. Typical values are measured with heaters and IR off at room temperature. Maximum includes heaters at full power, IR at 100%, and all motors running. Plan with maximum values for switch budget. Outdoor cameras with heaters draw significantly more in cold climates — add 3–5W buffer per outdoor camera.

model	lines	PoE class	switch port W	typical W	notes
Cisco 7841	4-line	Class 1	5W	4.5W	Basic af phone. Very low draw.
Cisco 8841	5-line	Class 2	8W	6.5W	Mid-range. af sufficient.
Cisco 8851	5-line + USB	Class 3	12W	9.5W	USB charging port adds draw. af sufficient.
Cisco 8861	5-line + Wi-Fi + BT	Class 4	15.4W	13W	Wi-Fi + Bluetooth + 2 USB. Class 4 required for full feature set.
Cisco 8865	5-line + video + Wi-Fi	Class 4	15.4W	15W	Video phone. Class 4 / PoE+ for KEM expansion modules.
Poly VVX 311	6-line	Class 1	5W	4.5W	Entry level. Very low draw. af more than sufficient.
Poly VVX 411	12-line	Class 2	9W	7.5W	Mid-range color. af sufficient.
Poly VVX 501	12-line color	Class 3	12W	10W	Higher-end color display. af sufficient.
Poly VVX 601	16-line color	Class 3	12W	10W	High-end. Optional USB camera adds ~2W.
Poly Edge E300	6-line	Class 2	8W	6W	Modern replacement for VVX 311. af sufficient.
Poly Edge E500	12-line	Class 3	12W	9W	Modern replacement for VVX 411/501. af sufficient.
Yealink T46U	16-line	Class 1	6W	5.5W	Very efficient. af more than sufficient.
Yealink T58W	16-line + Wi-Fi	Class 3	11W	9W	Wi-Fi + BT. af sufficient.

Source: Cisco IP Phone 8800 series datasheet, Poly/Polycom product datasheets, Yealink datasheets. VoIP phones are generally very PoE-efficient — most run comfortably on 802.3af. Plan 7–12W per phone for budget calculations. Key expansion modules add 2–3W each.

PoE planning tips

tip	detail
16% line loss	IEEE 802.3 allows up to 16% power loss in the cable. A 25.5W device needs ~30.4W allocated at the switch port. Use Cat5e or better — Cat5 degrades efficiency.
LLDP negotiation	Most modern APs negotiate power via LLDP. Cisco switches have LLDP disabled by default — enable it or APs may only get 802.3af. Aruba and Juniper APs also fall back gracefully but with reduced features.
Cable length matters	Maximum PoE cable run is 100m (Cat5e+). Longer runs increase resistance and power loss — keep outdoor cable runs under 80m where possible for reliable PoE delivery.
Plan for 80% utilization	Never plan to use 100% of switch PoE budget. A 740W switch should only be loaded to ~592W. Power supplies degrade over time and emergency load spikes happen.
Tri-radio APs need PoE+/bt	Wi-Fi 6E APs with 3 simultaneous radios (2.4+5+6GHz) typically require 802.3at (30W) minimum and often 802.3bt (45-60W) for full performance. Plan accordingly when upgrading infrastructure.
USB + IoT radio adds ~2–5W	Enabling USB devices or IoT radios (BLE/Zigbee) adds 2–5W to AP power draw. Factor this in when using APs with IoT capabilities in dense deployments.
Outdoor cable runs	Keep outdoor PoE cable runs under 80m (not 100m) to account for increased resistance in outdoor-rated cables and conduit. Always use Cat5e minimum — Cat6a for 802.3bt outdoor deployments. Add surge protection/lightning arrestors at both ends.
Midspan injectors as fallback	If your switch cannot deliver sufficient PoE, midspan injectors (e.g. Aruba H1 or Cisco AIR-PWRINJ6) can deliver full power to individual APs without replacing switch infrastructure.

authentication

setting	WPA2	WPA3	notes
Personal auth	PSK	SAE (Dragonfly)	SAE is resistant to offline dictionary attacks — captured handshake cannot be brute-forced
Enterprise auth	802.1X + EAP	802.1X + EAP	Same EAP methods. WPA3-Ent 192-bit mode adds GCMP-256 + ECDH/ECDSA requirements
Forward secrecy	✗ none	✓ per-session PMK	SAE generates a unique PMK each session — past sessions stay protected if PSK is later compromised
Open / unauthenticated	Open (no encryption)	OWE (encrypted, no auth)	OWE encrypts traffic without a password. OWE-Transition keeps legacy clients working alongside
Transition / mixed mode	—	SAE-Transition	Both WPA3-SAE and WPA2-PSK on same SSID. Same passphrase. Requires controller support (see vendor table)

encryption

setting	WPA2	WPA3	notes
Unicast cipher (Personal)	CCMP-128 (AES)	CCMP-128 or GCMP-128	GCMP is faster on hardware with AES-GCM acceleration
Unicast cipher (Enterprise)	CCMP-128	GCMP-256 (192-bit mode)	WPA3-Ent 192-bit mandates GCMP-256 — not supported on all AP hardware (see vendor notes)
TKIP	allowed (deprecated)	removed entirely	WPA3 removes TKIP. TKIP-only clients cannot connect to WPA3 SSIDs
Management frame cipher	BIP-CMAC-128 (optional)	BIP-CMAC-128 / BIP-GMAC-256	Mgmt frame encryption is optional in WPA2, mandatory in WPA3

protected management frames (802.11w / PMF)

setting	WPA2	WPA3	notes
PMF requirement	optional	required	WPA3 mandates PMF. SAE and OWE will not negotiate without it
Deauth / disassoc attack	✗ vulnerable	✓ protected	PMF encrypts deauth/disassoc — prevents forced roam and evil twin attacks
Legacy client impact	none	may break pre-2018 clients	Some older drivers reject pmf-required. Use transition mode with pmf-optional for mixed environments

vendor version requirements

feature	Aruba AOS	Cisco IOS-XE (C9800)	Juniper Mist	Ruckus SmartZone
WPA3-Personal (SAE)	8.6+	16.12+	FW 0.8.x+	SZ 5.2+ (Wave2 APs)
SAE Transition (WPA2+WPA3)	8.11+ only	16.12+	FW 0.8.x+	SZ 5.2+
WPA3-Enterprise	8.7+	16.12+	FW 0.8.x+	SZ 5.2+
WPA3-Enterprise 192-bit	8.7+	17.1+ (not on 9105/9115/9120)	FW 0.14.29091+	Limited AP support
OWE / OWE-Transition	8.11+ only	16.12+	FW 0.8.x+	SZ 5.2+
WPA3 default on new WLANs	no	no	yes (Nov 2025)	no
Known bugs / caveats	Multicast bug 8.11.0–8.11.1 → min 8.11.2.1	Wave 1 APs not supported. GCMP-256 not on 9105/9110/9115/9120	No major known bugs	R310 Wave1 is exception. WPA3+DPSK limited
Fast roaming (802.11r) + WPA3	FT-SAE supported	FT-Adaptive not supported with SAE	FT-SAE supported	WPA3+DPSK limits 802.11r

client device compatibility

platform	WPA2	WPA3-Personal (SAE)	WPA3-Enterprise / OWE
Windows 11	✓	✓	✓
Windows 10 (1903+)	✓	✓	✓
Windows 10 (pre-1903)	✓	✗	✗
macOS 10.15+ (Catalina+)	✓	✓	✓
iOS 13+	✓	✓	✓
Android 10+	✓	✓	✓
Android 9 and below	✓	✗	✗
Linux (wpa_supplicant 2.9+)	✓	✓	✓
Chromebook (Chrome OS 79+)	✓	✓	✓
IoT / embedded (most)	✓	✗ (rare support)	✗
Legacy / pre-2018 devices	✓	✗	✗

vulnerability / attack surface

attack	WPA2	WPA3	notes
Offline dictionary / brute-force	✗ vulnerable	✓ mitigated (SAE)	SAE requires live exchange per attempt — offline cracking is not possible
KRACK (CVE-2017-13077)	✗ vulnerable (patched)	✓ not applicable	SAE + PMF design prevents the nonce reuse that KRACK exploited
PMKID offline attack	✗ vulnerable	✓ mitigated	WPA2 PMKID can be captured without a client. SAE has no equivalent attack vector
Deauth / disassoc flood	✗ vulnerable	✓ protected (PMF)	Unprotected mgmt frames in WPA2 allow forced disconnection attacks
Evil twin / rogue AP	✗ partial	✓ harder	PMF prevents forced roam; SAE prevents credential capture at rogue AP
Dragonblood (SAE side-channel)	N/A	patched in WPA3-R2 (2019)	Early SAE had timing/cache side-channels. Fixed in Wi-Fi Alliance WPA3 R2 spec revision

vendor cli — wpa3-personal (sae transition mode)

Aruba AOS 8.11.2.1+ · WPA3-SAE Transition mode · Mobility Master CLI

! WPA3-SAE Transition — Aruba AOS 8.11.2.1+
! Minimum safe build: 8.11.2.1 (avoids multicast encryption bug)

wlan ssid-profile "Corp-WPA3-Trans"
  essid "Corp-WiFi"
  opmode wpa3-personal-transition
  wpa-passphrase <your-passphrase>
  pmf-optional
!
wlan virtual-ap "Corp-VAP"
  ssid-profile "Corp-WPA3-Trans"
  vlan <your-vlan>
!
ap-group "<your-ap-group>"
  virtual-ap "Corp-VAP"

⚠ AOS 8.10 and below: use opmode wpa2-personal only — transition mode not supported

Cisco Catalyst 9800 · IOS-XE 16.12+ · WPA3-SAE Transition mode

! WPA3-SAE Transition — Cisco IOS-XE 16.12+
! Note: Fast Transition Adaptive not supported with WPA3 SAE

configure terminal
 wlan Corp-WiFi 1 Corp-WiFi
  security wpa wpa3
  security wpa wpa2
  security wpa akm sae
  security wpa akm psk
  security wpa wpa3 ciphers aes
  security pmf optional
  no shutdown
 exit
!
! Apply to policy profile:
wireless profile policy Corp-Policy
  vlan <your-vlan>
  no shutdown
!
wireless tag policy Corp-Tag
  wlan Corp-WiFi policy Corp-Policy

⚠ WPA3 not supported on Wave 1 APs. GCMP-256 not available on C9105/9110/9115/9120.

Juniper Mist · Cloud GUI config (API equivalent shown) · FW 0.8.x+ required

// Juniper Mist — WPA3-SAE Transition via API (PATCH /api/v1/sites/{site_id}/wlans)
// GUI: Site > WLANs > Add WLAN > Security: WPA3/PSK (+WPA-2)

{
  "ssid": "Corp-WiFi",
  "auth": {
    "type": "psk",
    "psk": "<your-passphrase>",
    "multi_psk_only": false
  },
  "wpa3_enabled": true,          // enables SAE
  "wpa2_enabled": true,          // enables transition mode
  "pmf": "optional",
  "vlan_id": <your-vlan>,
  "enabled": true
}

// Note: As of Nov 2025, WPA3 is the DEFAULT security type for new WLANs in Mist.
// WPA3-Enterprise 192-bit requires FW 0.14.29091+ and EAP-TLS only.

✓ No major known WPA3 bugs in Mist. WPA3 is now default for new WLANs.

Ruckus SmartZone 5.2+ · WPA3-SAE Transition · GUI path shown

! Ruckus SmartZone 5.2+ — WPA3/WPA2 Mixed Mode
! GUI: Wireless LANs > Create > Security Options > WPA3/WPA2 Mixed

! SmartZone CLI equivalent:
no aaa wlan <wlan-id>

! Configure via SmartZone GUI:
! Wireless LANs > Add
!   SSID: Corp-WiFi
!   Authentication: WPA3/WPA2 Mixed (SAE + PSK)
!   Passphrase: <your-passphrase>
!   PMF: Optional
!   VLAN: <your-vlan>

! Ruckus One (R1) / Cloud — same options via cloud portal
! Navigate to: Configure > WLANs > Add WLAN > Security: WPA3+WPA2

! Caveats:
! - WPA3 requires 802.11ac Wave2 or newer APs (R310 Wave1 is the one exception)
! - WPA3 + DPSK combined not supported on SZ 6.1.x and below
! - WPA3 + 802.11r: supported in mixed mode; WPA3-Enterprise 192-bit has no fast roaming

⚠ WPA3+DPSK not supported on SZ 6.1.x and below. Most Wave2+ APs supported from SZ 5.2.

quick decision reference

scenario	WPA2	WPA3	recommendation
Corporate — modern clients + 802.1X	WPA2-Enterprise	WPA3-Enterprise	All vendors support from their respective minimums above
Corporate — mixed clients + 802.1X	WPA2-Enterprise	WPA3-Ent Transition	pmf-optional. Aruba needs 8.11.2.1+
PSK — modern clients only	WPA2-Personal	WPA3-SAE	Pure SAE if all clients are 2019+
PSK — mixed legacy + modern	WPA2-Personal	SAE-Transition	Aruba: needs 8.11.2.1+. Others: 2020+ builds
Guest / captive portal	Open	OWE-Transition	Aruba 8.11+. Cisco 16.12+. Mist FW 0.8.x+
IoT / legacy only	WPA2-Personal	not compatible	Stay WPA2-PSK — isolate on dedicated VLAN
6 GHz / Wi-Fi 6E / Wi-Fi 7	not permitted	WPA3 mandatory	Wi-Fi Alliance mandates WPA3 + OWE for 6 GHz operation

ethernet cable categories

category	max speed	bandwidth	max length	shielding	PoE support	best for
Cat5	100 Mbps	100 MHz	100m	UTP	802.3af only	Legacy — avoid for new installs
Cat5e	1 Gbps	100 MHz	100m	UTP / STP	802.3af / 802.3at	Minimum standard for new deployments. Supports PoE+.
Cat6	1 Gbps (10G up to 55m)	250 MHz	100m (55m at 10G)	UTP / STP	802.3af / 802.3at / 802.3bt	Good general-purpose cable. 10G limited to short runs.
Cat6a	10 Gbps	500 MHz	100m	UTP / STP / SFTP	802.3af / at / bt (Type 3 & 4)	Recommended for Wi-Fi 6E/7 APs, 802.3bt deployments, future-proof installs.
Cat7	10 Gbps	600 MHz	100m	SFTP (shielded required)	bt capable (shielded)	Proprietary connectors (GG45/TERA) — avoid unless required. Not a TIA standard.
Cat8	25 / 40 Gbps	2000 MHz	30m	S/FTP (shielded required)	Not designed for PoE	Data center switch-to-switch and server connections only. Very short runs.

⚡ Cat6a is the recommended minimum for 802.3bt (PoE++) deployments. At high power loads, lower-grade cables generate more heat — bundled cable runs amplify this significantly. TIA-568-C.2 recommends derating PoE budgets for bundled cables.

PoE support by cable type

cable	802.3af (15.4W)	802.3at / PoE+ (30W)	802.3bt Type 3 (60W)	802.3bt Type 4 (90W)	notes
Cat5	✓	⚠ marginal	✗	✗	Higher resistance — voltage drop on long runs. Replace for PoE+.
Cat5e	✓	✓	⚠ possible, not recommended	✗	Adequate for PoE+. For bt, use Cat6a to avoid heat buildup in bundles.
Cat6	✓	✓	✓	⚠ check bundle size	Supports bt Type 3. Type 4 at full 90W requires careful bundle derating.
Cat6a	✓	✓	✓	✓	Recommended for all PoE++ deployments. Lower resistance = less heat.
Cat7 / Cat8	✓	✓	⚠ possible	✗ not designed for PoE	Cat8 is optimized for short high-speed runs, not PoE delivery.

Bundle derating rule: IEEE 802.3bt recommends reducing per-port PoE budget when cables are bundled. A bundle of 24 Cat5e cables at full 802.3bt load should be derated by ~40%. Use Cat6a to minimize this effect.

ethernet speeds timeline

standard	speed	introduced	medium	max copper distance	status
10BASE-T	10 Mbps	1990	Cat3+, UTP	100m	legacy
100BASE-TX (Fast Ethernet)	100 Mbps	1995	Cat5+, UTP	100m	legacy / IoT
1000BASE-T (GbE)	1 Gbps	1999	Cat5e+, 4-pair	100m	ubiquitous
2.5GBASE-T	2.5 Gbps	2016	Cat5e+	100m	common — Wi-Fi 6/6E APs
5GBASE-T	5 Gbps	2016	Cat5e+	100m	growing — high-end APs
10GBASE-T	10 Gbps	2006	Cat6a+ (100m), Cat6 (55m)	100m (Cat6a)	standard for uplinks / servers
25GBASE-T	25 Gbps	2018	Cat8	30m	data center / ToR switches
40GBASE-T	40 Gbps	2016	Cat8	30m	data center
100GbE	100 Gbps	2010	Fiber / DAC	fiber only (copper DAC ~3m)	data center / core
400GbE	400 Gbps	2018	Fiber / DAC	fiber only	data center spine

2.5G and 5G (NBASE-T / IEEE 802.3bz) were introduced specifically to bridge the gap between 1G and 10G over existing Cat5e/Cat6 cabling — crucial for Wi-Fi 6/6E AP deployments where replacing cabling is costly.

quick selection guide

scenario	recommended cable	reason
Wi-Fi 6 AP (802.3at)	Cat5e minimum, Cat6 preferred	1G or 2.5G uplink, PoE+ sufficient
Wi-Fi 6E / 7 AP (802.3bt)	Cat6a required	2.5G–5G uplink, bt PoE++ heat management
IP camera (indoor)	Cat5e	100M–1G, low PoE draw, af sufficient
IP camera (outdoor PTZ)	Cat5e outdoor-rated, Cat6a preferred	PoE+ required, UV/moisture rated jacket
VoIP phone	Cat5e	100M, very low PoE, af more than sufficient
Switch uplink (1–10G)	Cat6a or fiber SFP+	10G over Cat6a up to 100m; fiber for longer runs
Server / NIC (10G)	Cat6a or fiber DAC	10GBASE-T up to 100m, DAC for rack-to-rack
New building install (future-proof)	Cat6a everywhere	Handles 10G, full 802.3bt PoE++, Wi-Fi 7 ready

vlans

quick add

ports

port	mode	native VLAN	tagged VLANs	untagged VLANs

paste aruba AOS-CX config

Supports: vlan X, interface 1/1/X, vlan trunk allowed, vlan access, vlan trunk native

transceiver form factors

form factor	max speed	lanes	hot-swap	typical use
SFP	1 Gbps	1	✓	GbE uplinks, access switches
SFP+	10 Gbps	1	✓	10G uplinks, server connections, distribution
SFP28	25 Gbps	1	✓	25G server NIC uplinks, leaf-spine fabric
SFP56	50 Gbps	1 (PAM4)	✓	50G high-density data center
QSFP+	40 Gbps	4 × 10G	✓	40G uplinks, spine switches, breakout to 4×10G
QSFP28	100 Gbps	4 × 25G	✓	100G spine/core, breakout to 4×25G or 2×50G
QSFP56	200 Gbps	4 × 50G (PAM4)	✓	200G high-density spine
QSFP-DD	400 Gbps	8 × 50G (PAM4)	✓	400G data center core, AI/ML fabric
OSFP	400 / 800 Gbps	8 × 50/100G	✓	800G next-gen data center (competing with QSFP-DD)
CFP / CFP2 / CFP4	100–400 Gbps	varies	✓	Long-haul DWDM, service provider edge

common SFP / SFP+ module types

module	speed	fiber type	wavelength	max reach	connector
SX	1G	MMF OM1/OM2	850nm	550m	LC duplex
LX / LX10	1G	SMF	1310nm	10km	LC duplex
ZX	1G	SMF	1550nm	80km	LC duplex
SR (10G)	10G	MMF OM3/OM4	850nm	300m (OM3) / 400m (OM4)	LC duplex
LR (10G)	10G	SMF	1310nm	10km	LC duplex
ER (10G)	10G	SMF	1550nm	40km	LC duplex
ZR (10G)	10G	SMF	1550nm	80km	LC duplex
DAC (passive)	10 / 25 / 40 / 100G	Copper twinax	—	1–5m	SFP+/QSFP integral
AOC (active)	10 / 25 / 40 / 100G	MMF fiber	850nm	up to 100m	SFP+/QSFP integral
BiDi (WDM)	1G / 10G	SMF single strand	TX 1310 / RX 1490nm	10–20km	LC simplex

⚡ DAC cables are the most cost-effective for rack-to-rack within the same row. AOC for longer inter-rack runs. Use SMF for anything over 550m. BiDi halves fiber strand usage — great for patching efficiency.

breakout / fan-out guide

source port	breakout to	cable / module	notes
QSFP+ (40G)	4 × 10G SFP+	QSFP+ to 4× LC or 4× SFP+ DAC	Most common breakout. Supported on most data center switches.
QSFP28 (100G)	4 × 25G SFP28	QSFP28 to 4× LC or 4× SFP28 DAC	Leaf-spine breakout for 25G server connections.
QSFP28 (100G)	2 × 50G SFP56	QSFP28 to 2× SFP56	Less common. Check switch support.
QSFP-DD (400G)	8 × 50G SFP56	QSFP-DD to 8× SFP56 DAC	High-density 400G breakout for AI/ML GPU fabric.
QSFP-DD (400G)	4 × 100G QSFP28	QSFP-DD breakout cable	Spine to 100G leaf switches.

802.11 amendment timeline

amendment	wi-fi gen	year	bands	max PHY rate	key tech	status
802.11	—	1997	2.4 GHz	2 Mbps	DSSS / FHSS	obsolete
802.11b	Wi-Fi 1	1999	2.4 GHz	11 Mbps	DSSS, CCK	obsolete
802.11a	Wi-Fi 2	1999	5 GHz	54 Mbps	OFDM, 52 subcarriers	obsolete
802.11g	Wi-Fi 3	2003	2.4 GHz	54 Mbps	OFDM (backward compat b)	legacy
802.11n	Wi-Fi 4	2009	2.4 / 5 GHz	600 Mbps	MIMO (4×4), 40 MHz ch, A-MPDU	legacy / IoT
802.11ac	Wi-Fi 5	2013	5 GHz only	6.9 Gbps	MU-MIMO DL, 160 MHz, 256-QAM, beamforming	widely deployed
802.11ax	Wi-Fi 6 / 6E	2021	2.4 / 5 / 6 GHz	9.6 Gbps	OFDMA, MU-MIMO UL+DL, BSS Color, TWT, 1024-QAM	current standard
802.11be	Wi-Fi 7	2024	2.4 / 5 / 6 GHz	46 Gbps	MLO, 320 MHz ch, 4K-QAM, 16×16 MU-MIMO, Multi-RU	emerging

key feature comparison

feature	Wi-Fi 4 (n)	Wi-Fi 5 (ac)	Wi-Fi 6/6E (ax)	Wi-Fi 7 (be)
Modulation	64-QAM	256-QAM	1024-QAM	4096-QAM
Max channel width	40 MHz	160 MHz	160 MHz	320 MHz
Max spatial streams	4	8	8	16
MU-MIMO (DL)	✗	✓ (4 users)	✓ (8 users)	✓ (16 users)
MU-MIMO (UL)	✗	✗	✓	✓
OFDMA	✗	✗	✓	✓ + Multi-RU
Target Wake Time (TWT)	✗	✗	✓	✓
BSS Coloring	✗	✗	✓	✓
Multi-Link Operation	✗	✗	✗	✓ (MLO)
6 GHz band	✗	✗	✓ (6E only)	✓
Security minimum	WPA2	WPA2	WPA3 (6E mandatory)	WPA3 mandatory

📡 Wi-Fi 6E = 802.11ax extended to 6 GHz. Adds up to 1200 MHz of clean spectrum (channels 1–233) with no legacy device interference. Wi-Fi 7's MLO lets clients bond channels across 2.4/5/6 GHz simultaneously for lower latency and higher throughput.

notable amendments (non-speed)

amendment	year	purpose
802.11e	2005	QoS / WMM — voice and video priority queues (EDCA)
802.11i	2004	Security — basis for WPA2 (CCMP/AES)
802.11r	2008	Fast BSS Transition (FT) — faster roaming handoffs
802.11k	2008	Radio Resource Measurement — neighbor reports for assisted roaming
802.11v	2011	BSS Transition Management — AP can suggest clients roam
802.11w	2009	Management Frame Protection (MFP) — protects deauth/disassoc frames
802.11u	2011	Interworking — basis for Hotspot 2.0 / Passpoint
802.11s	2011	Mesh networking standard
802.11p	2010	WAVE — vehicular / V2X communications (DSRC)
802.11ai	2016	Fast Initial Link Setup (FILS) — sub-100ms association

IP protocol numbers

number	protocol	description	common use
1	ICMP	Internet Control Message Protocol	ping, traceroute, unreachable messages
2	IGMP	Internet Group Management Protocol	multicast group membership
6	TCP	Transmission Control Protocol	reliable, connection-oriented transport
17	UDP	User Datagram Protocol	low-latency, connectionless transport
41	IPv6	IPv6 encapsulation	IPv6-in-IPv4 tunnels (6in4)
47	GRE	Generic Routing Encapsulation	VPN tunnels, PPTP, ERSPAN
50	ESP	Encapsulating Security Payload	IPsec encrypted payload
51	AH	Authentication Header	IPsec integrity / authentication
58	ICMPv6	ICMP for IPv6	NDP, router discovery, ping6
89	OSPF	Open Shortest Path First	link-state routing protocol
112	VRRP	Virtual Router Redundancy Protocol	gateway redundancy
132	SCTP	Stream Control Transmission Protocol	telecom / signaling (SS7, Diameter)

common TCP / UDP ports

port	proto	service	notes
20 / 21	TCP	FTP	Data / control. Unencrypted — avoid on production
22	TCP	SSH	Secure remote shell, SCP, SFTP
23	TCP	Telnet	unencrypted — legacy only
25	TCP	SMTP	Email delivery between servers
53	TCP/UDP	DNS	UDP for queries, TCP for zone transfers / large responses
67 / 68	UDP	DHCP	Server:67, Client:68
69	UDP	TFTP	Firmware upgrades, PXE boot, config backups
80	TCP	HTTP	Web — unencrypted. Redirect to 443 in production.
123	UDP	NTP	Time sync — critical for certificates, logs, Kerberos
161 / 162	UDP	SNMP	Poll:161, Trap:162. Use v3 with auth+priv in production.
389	TCP/UDP	LDAP	Directory services. Use 636 (LDAPS) in production.
443	TCP	HTTPS	TLS web traffic, REST APIs, WebSockets
445	TCP	SMB	Windows file sharing, Active Directory
514	UDP	Syslog	Network device logging. Use 6514 (TLS syslog) for secure.
636	TCP	LDAPS	LDAP over TLS — use instead of 389
1812 / 1813	UDP	RADIUS	Auth:1812, Accounting:1813. Used by 802.1X / WPA2/3-Ent
3389	TCP	RDP	Windows Remote Desktop Protocol
4500	UDP	IKE NAT-T	IPsec NAT traversal (alongside UDP 500)
8080 / 8443	TCP	Alt HTTP/HTTPS	Dev/proxy web traffic. Common on Aruba Central, NMS tools.

DSCP values & per-hop behaviors

DSCP name	decimal	binary (6-bit)	IP Prec	PHB class	traffic type	drop precedence
CS0 / BE	0	000000	0	Default	Best effort — unclassified traffic	—
EF	46	101110	5	Expedited Forwarding	VoIP RTP, real-time video, latency-sensitive	Low (prioritized queue)
CS6	48	110000	6	Network Control	Routing protocols (OSPF, BGP, EIGRP)	—
CS7	56	111000	7	Network Control	Reserved — rarely used in practice	—
AF11	10	001010	1	AF Class 1	Bulk data, low-priority transfers	Low
AF12	12	001100	1	AF Class 1	Bulk data	Medium
AF13	14	001110	1	AF Class 1	Bulk data	High
AF21	18	010010	2	AF Class 2	Transactional / interactive data	Low
AF22	20	010100	2	AF Class 2	Transactional data	Medium
AF23	22	010110	2	AF Class 2	Transactional data	High
AF31	26	011010	3	AF Class 3	Streaming / mission-critical apps	Low
AF32	28	011100	3	AF Class 3	Streaming apps	Medium
AF33	30	011110	3	AF Class 3	Streaming apps	High
AF41	34	100010	4	AF Class 4	Video conferencing, interactive video	Low
AF42	36	100100	4	AF Class 4	Video conferencing	Medium
AF43	38	100110	4	AF Class 4	Video conferencing	High
CS1	8	001000	1	Scavenger	Low-priority / scavenger class (P2P, backup)	—
CS2–CS5	16/24/32/40	varies	2–5	Class Selector	Legacy IP precedence mapping	—

DSCP = 6 most significant bits of the IP ToS byte (DSCP value × 4 = ToS byte value). AF drop precedence: within the same AF class, higher precedence = dropped first under congestion. EF at DSCP 46 is the standard for VoIP — it gets a dedicated low-latency queue.

802.11e / WMM access categories

WMM AC	priority	802.1p	DSCP	traffic type	AIFS	CWmin
AC_VO	Highest	6–7	EF (46), CS6/7	VoIP, voice calls	2	3
AC_VI	High	4–5	AF41 (34)	Video streaming, conferencing	2	7
AC_BE	Normal	0, 3	CS0 (0), AF21	Best effort — web, email, data	3	15
AC_BK	Low	1–2	CS1 (8)	Background — backup, P2P, print	7	15

AIFS = Arbitration InterFrame Space. Lower AIFS = less wait before transmitting = higher priority. CWmin = minimum contention window — smaller window = fewer backoff slots = faster access. WMM maps wired DSCP/802.1p markings to wireless access categories at the AP.

DSCP to 802.1p mapping (common)

traffic class	DSCP	decimal	802.1p (CoS)	WMM AC
VoIP / voice	EF	46	5 or 6	AC_VO
Call signaling (SIP)	CS3	24	3	AC_VI
Video conferencing	AF41	34	4	AC_VI
Streaming video	AF31	26	4	AC_VI
Routing protocols	CS6	48	6	AC_VO
Transactional / ERP	AF21	18	2	AC_BE
Best effort / web	CS0	0	0	AC_BE
Scavenger / P2P	CS1	8	1	AC_BK

dB & dBm — what the numbers actually mean

unit	definition	reference point	used for	example
dB	Decibel — a ratio between two values on a logarithmic scale. Not an absolute value.	Relative — compares two power levels	Gain, loss, difference between two signals	Antenna gain: +6 dB (4× more power than reference)
dBm	Decibels relative to 1 milliwatt. An absolute power measurement.	0 dBm = 1 mW	Tx power, RSSI, received signal strength	AP Tx power: 20 dBm = 100 mW
dBi	Decibels relative to an isotropic antenna (theoretical perfect radiator).	0 dBi = isotropic radiator	Antenna gain specification	Dipole antenna: 2.14 dBi gain over isotropic
dBd	Decibels relative to a dipole antenna. Add 2.14 to convert to dBi.	0 dBd = dipole antenna	Antenna gain (older spec sheets)	3 dBd = 5.14 dBi

Key insight: dB is always a ratio (gain or loss). dBm is an absolute power level. You can add dB to dBm to get dBm — e.g. 20 dBm Tx + 6 dBi antenna = 26 dBm EIRP. You cannot add dBm to dBm.

dBm ↔ milliwatt conversion

dBm	milliwatts (mW)	watts	typical meaning
30 dBm	1000 mW	1 W	Maximum allowed EIRP in many regions (FCC outdoor)
27 dBm	500 mW	0.5 W	High-power outdoor AP Tx power
23 dBm	200 mW	0.2 W	High indoor AP Tx — typically reduced to avoid co-channel
20 dBm	100 mW	0.1 W	Common indoor AP Tx power on 5 GHz
17 dBm	50 mW	0.05 W	Moderate AP Tx power — good for dense deployments
14 dBm	25 mW	0.025 W	Reduced power for high-density / co-channel control
10 dBm	10 mW	0.01 W	Low Tx — short range, IoT devices
0 dBm	1 mW	0.001 W	Reference point — 0 dBm by definition
−10 dBm	0.1 mW	100 µW	Very low power
−30 dBm	0.001 mW	1 µW	Excellent received signal (very close to AP)
−70 dBm	0.0000001 mW	100 pW	Marginal received signal — near edge of coverage

Formula: dBm = 10 × log₁₀(mW). Reverse: mW = 10^(dBm/10). A useful anchor: 0 dBm = 1 mW, 10 dBm = 10 mW, 20 dBm = 100 mW, 30 dBm = 1000 mW (1 W).

the 3 dB & 10 dB rules of thumb

rule	effect on power	direction	real-world example
+3 dB	2× power	increase	20 dBm → 23 dBm doubles radiated power (100 mW → 200 mW)
−3 dB	½ power	decrease	20 dBm → 17 dBm halves power (100 mW → 50 mW). Lossy cable, splitter.
+10 dB	10× power	increase	20 dBm → 30 dBm = 10× more power (100 mW → 1000 mW)
−10 dB	÷10 power	decrease	20 dBm → 10 dBm = 10× less power. Each wall adds ~3–15 dB of loss.
+6 dB	4× power	increase	High-gain directional antenna vs omni. Doubles range in open space.
−6 dB	¼ power	decrease	Doubling distance in free space loses ~6 dB (inverse square law).
+20 dB	100× power	increase	High-gain dish vs dipole. −50 dBm vs −70 dBm RSSI = 100× stronger signal.
−20 dB	÷100 power	decrease	Typical loss through a concrete wall + floor in a multi-story building.

Memory trick: 3 dB = double/half, 10 dB = ×10/÷10. Chain them: +13 dB = +10 dB + +3 dB = ×10 × ×2 = ×20 power. −7 dB = −10 dB + +3 dB = ÷10 × ×2 = ÷5 power.

common dB math — worked examples

scenario	calculation	result	takeaway
AP link budget	20 dBm Tx + 3 dBi antenna − 2 dB cable loss	= 21 dBm EIRP	Just add and subtract — dB math is arithmetic on the log scale
Client receives −65 dBm, noise floor −95 dBm	−65 − (−95) = 30 dB	= 30 dB SNR	Good SNR — supports MCS 9+ (256-QAM)
Doubling Tx power from 100 mW to 200 mW	+3 dB	= +3 dBm	Barely noticeable to a client — human perception threshold ~6 dB
Client moves from −55 dBm to −61 dBm	6 dB drop = ÷4 power	= 4× weaker signal	May trigger MCS rate drop — watch for throughput impact
Wall penetration loss (drywall)	~3 dB loss	= ½ signal power	Concrete: 10–15 dB. Brick: 8–12 dB. Glass: 2–3 dB. Metal: 20–30 dB.
Free space path loss (doubling distance)	~6 dB additional loss	= ¼ signal power	Every time you double the distance, you lose 6 dB (inverse square law)
Co-channel interference threshold	Desired signal − interference > 20 dB	= 100:1 ratio	802.11 needs ~20 dB SIR to decode reliably at higher MCS rates

quick reference — dB multiplier table

dB change	power multiplier	signal stronger/weaker
+1 dB	×1.26	26% more power
+3 dB	×2	double
+6 dB	×4	4× — doubles usable range in free space
+10 dB	×10	10×
+13 dB	×20	20× (10 + 3)
+20 dB	×100	100×
+30 dB	×1000	1000×
−1 dB	×0.79	21% less power
−3 dB	×0.5	half
−6 dB	×0.25	quarter
−10 dB	×0.1	tenth
−20 dB	×0.01	hundredth

dB & dBm — what the numbers actually mean

unit	definition	reference point	used for	example
dB	Decibel — a ratio between two values on a logarithmic scale. Not an absolute value.	Relative — compares two power levels	Gain, loss, difference between two signals	Antenna gain: +6 dB (4× more power than reference)
dBm	Decibels relative to 1 milliwatt. An absolute power measurement.	0 dBm = 1 mW	Tx power, RSSI, received signal strength	AP Tx power: 20 dBm = 100 mW
dBi	Decibels relative to an isotropic antenna (theoretical perfect radiator).	0 dBi = isotropic radiator	Antenna gain specification	Dipole antenna: 2.14 dBi gain over isotropic
dBd	Decibels relative to a dipole antenna. Add 2.14 to convert to dBi.	0 dBd = dipole antenna	Antenna gain (older spec sheets)	3 dBd = 5.14 dBi

Key insight: dB is always a ratio (gain or loss). dBm is an absolute power level. You can add dB to dBm to get dBm — e.g. 20 dBm Tx + 6 dBi antenna = 26 dBm EIRP. You cannot add dBm to dBm.

dBm ↔ milliwatt conversion

dBm	milliwatts (mW)	watts	typical meaning
30 dBm	1000 mW	1 W	Maximum allowed EIRP in many regions (FCC outdoor)
27 dBm	500 mW	0.5 W	High-power outdoor AP Tx power
23 dBm	200 mW	0.2 W	High indoor AP Tx — typically reduced to avoid co-channel
20 dBm	100 mW	0.1 W	Common indoor AP Tx power on 5 GHz
17 dBm	50 mW	0.05 W	Moderate AP Tx power — good for dense deployments
14 dBm	25 mW	0.025 W	Reduced power for high-density / co-channel control
10 dBm	10 mW	0.01 W	Low Tx — short range, IoT devices
0 dBm	1 mW	0.001 W	Reference point — 0 dBm by definition
−10 dBm	0.1 mW	100 µW	Very low power
−30 dBm	0.001 mW	1 µW	Excellent received signal (very close to AP)
−70 dBm	0.0000001 mW	100 pW	Marginal received signal — near edge of coverage

Formula: dBm = 10 × log₁₀(mW). Reverse: mW = 10^(dBm/10). A useful anchor: 0 dBm = 1 mW, 10 dBm = 10 mW, 20 dBm = 100 mW, 30 dBm = 1000 mW (1 W).

the 3 dB & 10 dB rules of thumb

rule	effect on power	direction	real-world example
+3 dB	2× power	increase	20 dBm → 23 dBm doubles radiated power (100 mW → 200 mW)
−3 dB	½ power	decrease	20 dBm → 17 dBm halves power (100 mW → 50 mW). Lossy cable, splitter.
+10 dB	10× power	increase	20 dBm → 30 dBm = 10× more power (100 mW → 1000 mW)
−10 dB	÷10 power	decrease	20 dBm → 10 dBm = 10× less power. Each wall adds ~3–15 dB of loss.
+6 dB	4× power	increase	High-gain directional antenna vs omni. Doubles range in open space.
−6 dB	¼ power	decrease	Doubling distance in free space loses ~6 dB (inverse square law).
+20 dB	100× power	increase	High-gain dish vs dipole. −50 dBm vs −70 dBm RSSI = 100× stronger signal.
−20 dB	÷100 power	decrease	Typical loss through a concrete wall + floor in a multi-story building.

Memory trick: 3 dB = double/half, 10 dB = ×10/÷10. Chain them: +13 dB = +10 dB + +3 dB = ×10 × ×2 = ×20 power. −7 dB = −10 dB + +3 dB = ÷10 × ×2 = ÷5 power.

common dB math — worked examples

scenario	calculation	result	takeaway
AP link budget	20 dBm Tx + 3 dBi antenna − 2 dB cable loss	= 21 dBm EIRP	Just add and subtract — dB math is arithmetic on the log scale
Client receives −65 dBm, noise floor −95 dBm	−65 − (−95) = 30 dB	= 30 dB SNR	Good SNR — supports MCS 9+ (256-QAM)
Doubling Tx power from 100 mW to 200 mW	+3 dB	= +3 dBm	Barely noticeable to a client — human perception threshold ~6 dB
Client moves from −55 dBm to −61 dBm	6 dB drop = ÷4 power	= 4× weaker signal	May trigger MCS rate drop — watch for throughput impact
Wall penetration loss (drywall)	~3 dB loss	= ½ signal power	Concrete: 10–15 dB. Brick: 8–12 dB. Glass: 2–3 dB. Metal: 20–30 dB.
Free space path loss (doubling distance)	~6 dB additional loss	= ¼ signal power	Every time you double the distance, you lose 6 dB (inverse square law)
Co-channel interference threshold	Desired signal − interference > 20 dB	= 100:1 ratio	802.11 needs ~20 dB SIR to decode reliably at higher MCS rates

quick reference — dB multiplier table

dB change	power multiplier	signal stronger/weaker
+1 dB	×1.26	26% more power
+3 dB	×2	double
+6 dB	×4	4× — doubles usable range in free space
+10 dB	×10	10×
+13 dB	×20	20× (10 + 3)
+20 dB	×100	100×
+30 dB	×1000	1000×
−1 dB	×0.79	21% less power
−3 dB	×0.5	half
−6 dB	×0.25	quarter
−10 dB	×0.1	tenth
−20 dB	×0.01	hundredth

dB & dBm — what the numbers mean

term	definition	formula	key point
dB	Decibel — a ratio between two power levels. Not an absolute unit.	dB = 10 × log₁₀(P₂ / P₁)	Always relative. "3 dB gain" means 2× the power of a reference — but what reference?
dBm	Decibels relative to 1 milliwatt. An absolute power level.	dBm = 10 × log₁₀(mW / 1mW)	0 dBm = 1 mW. Every +10 dBm = 10× more power. Every +3 dBm ≈ 2× more power.
dBi	Antenna gain relative to an isotropic (perfect omnidirectional) radiator.	dBi = gain vs theoretical point	An antenna with 6 dBi gain focuses power 4× more than a perfect sphere radiator.
dBd	Antenna gain relative to a dipole antenna.	dBd = dBi − 2.15	Dipole ≈ 2.15 dBi. Always clarify which reference an antenna spec uses.
RSSI	Received Signal Strength Indicator — vendor-specific scale, often maps to dBm.	unitless (0–255 or 0–100)	Not standardized. Most Wi-Fi tools display RSSI as dBm for clarity. Always verify units.
SNR	Signal-to-Noise Ratio — how far signal is above the noise floor.	SNR (dB) = RSSI − noise floor	Noise floor is typically −95 to −100 dBm. SNR >25 dB is needed for high MCS rates.

💡 The key insight: dB is a ratio (dimensionless), dBm is an absolute level. You add dB gains and subtract dB losses. You cannot add two dBm values together — that would be like adding two temperatures to get a combined temperature.

dBm to milliwatt conversion table

dBm	milliwatts	description	typical context
30 dBm	1000 mW (1W)	Maximum legal EIRP in some bands	Outdoor bridge / high-power AP
27 dBm	500 mW	High-power outdoor AP	Point-to-multipoint deployments
24 dBm	250 mW	High indoor / outdoor AP Tx	Common max for enterprise indoor APs
23 dBm	200 mW	Common enterprise AP Tx power	Aruba, Cisco, Extreme at full power
20 dBm	100 mW	Typical indoor AP, medium power	Most enterprise APs at reduced power
17 dBm	50 mW	Moderate power — high density	Typical in high-density deployments
14 dBm	25 mW	Low power — dense AP placement	Stadium / conference room deployments
10 dBm	10 mW	Very low power	IoT devices, BLE beacons
0 dBm	1 mW	Reference point	Definition of 0 dBm
−10 dBm	0.1 mW	Very weak transmit / strong receive	Near-AP client RSSI
−30 dBm	0.001 mW	Excellent RSSI	Client 1–2m from AP
−67 dBm	0.0000002 mW	Good RSSI threshold	Minimum for voice / video
−70 dBm	0.0000001 mW	Acceptable data RSSI	Typical roaming trigger point
−80 dBm	0.00000001 mW	Weak — low MCS only	Edge of coverage, MCS 0–1
−90 dBm	0.000000001 mW	Near noise floor	Unusable for data

💡 The mW values get tiny fast because the dB scale is logarithmic. A -67 dBm signal is 200 picowatts — your AP is detecting signals 50 billion times weaker than its own transmit power. This is why antenna placement and avoiding interference sources matters so much.

the 3 dB and 10 dB rules

rule	power effect	example	practical meaning
+3 dB	≈ 2× more power	20 dBm → 23 dBm	100 mW → ~200 mW. Doubling Tx power only adds 3 dB — often not worth the interference increase.
−3 dB	≈ half the power	23 dBm → 20 dBm	A 3 dB cable loss cuts your signal in half before it reaches the antenna.
+10 dB	10× more power	20 dBm → 30 dBm	100 mW → 1000 mW. Huge jump. Regulatory EIRP limits exist to prevent this being abused.
−10 dB	1/10th the power	−60 dBm → −70 dBm	RSSI dropping 10 dB is a massive degradation. Client drops 2–3 MCS tiers.
+6 dB	4× more power	Antenna upgrade: 0 → 6 dBi	A 6 dBi directional antenna quadruples effective radiated power vs an isotropic source.
−6 dB	1/4 the power	Distance doubles (free space)	In free space, every time distance doubles, signal drops ~6 dB. Indoors is much worse.

🧮 Quick mental math: memorize +3 dB = ×2 and +10 dB = ×10. Everything else follows. +6 dB = ×4, +7 dB ≈ ×5, +13 dB = ×20, +20 dB = ×100. For negative values, flip it: −20 dB = 1/100th the power.

link budget example — adding dB in practice

element	dB value	running total	notes
AP Tx power	+20 dBm	20 dBm	100 mW transmit power
Cable / connector loss	−1 dB	19 dBm	Short pigtail cable
Antenna gain	+5 dBi	24 dBm EIRP	Directional antenna — EIRP is the number that matters for regulatory limits
Free-space path loss (50m, 5GHz)	−88 dB	−64 dBm	Signal received at the client
Wall penetration loss (×2 walls)	−14 dB	−78 dBm	~7 dB per drywall partition
Client antenna gain	+2 dBi	−76 dBm RSSI	Typical laptop internal antenna

📐 EIRP (Effective Isotropic Radiated Power) = Tx Power (dBm) + Antenna Gain (dBi) − Cable Loss (dB). This is the number regulators care about. In the US, max EIRP on 5 GHz UNII-1 is 23 dBm (200 mW). You can use a high-gain antenna as long as you reduce Tx power to stay within the EIRP limit.

common RF loss values — quick reference

material / obstacle	typical loss (dB)	notes
Free space (distance doubles)	−6 dB	Theoretical. Real-world is worse due to reflections.
Drywall / partition	3–5 dB	Most common office obstacle
Wooden door	3–5 dB	Similar to drywall
Brick / concrete block wall	8–15 dB	Significant loss — one wall can kill coverage
Reinforced concrete	15–25 dB	Parking garages, bunkers — plan extra APs
Metal door / filing cabinet	20–30 dB	Near-complete block. Creates RF dead zones.
Glass window (standard)	2–3 dB	Low loss — but reflections cause multipath
Low-E glass (energy efficient)	20–30 dB	Metallic coating blocks RF almost entirely
Human body	3–5 dB	Crowds absorb RF — factor in for high-density
Floor / ceiling (concrete)	10–15 dB	Between floors in a multi-storey building
LMR-400 coax (per metre)	~0.23 dB/m @ 2.4GHz	Low-loss cable — use the shortest run possible
LMR-400 coax (per metre)	~0.44 dB/m @ 5GHz	Loss doubles at 5 GHz vs 2.4 GHz

⚠ Low-E glass is the most commonly overlooked RF blocker in modern buildings. A floor-to-ceiling energy-efficient window can cause 20–30 dB loss — equivalent to a concrete wall. Always ask about glazing spec during site surveys.

airtime utilization calculator

Calculates channel airtime consumed by clients at different MCS rates. Lower MCS (weaker signal) clients consume more airtime, starving higher-rate clients and reducing overall AP capacity.

presets:

ap configuration

Wi-Fi standard

Channel width

Spatial streams (AP)

Overhead factor

client mix

Enter number of clients per signal quality tier. Each tier maps to a typical MCS index.

Excellent (MCS 9–11, >-65 dBm) clients

Good (MCS 5–8, -65 to -70 dBm) clients

Fair (MCS 2–4, -70 to -75 dBm) clients

Poor (MCS 0–1, <-75 dBm) clients

Avg traffic per client Mbps

Add switches with their bridge priority and MAC address. Add links between them with path cost. The tool calculates root bridge election, port roles, and visualizes the spanning tree topology.

switches

name

bridge priority

MAC address

links

from switch

to switch

path cost

STP / RSTP / MSTP comparison

feature	STP (802.1D)	RSTP (802.1w)	MSTP (802.1s)
Standard	IEEE 802.1D-1998	IEEE 802.1w → merged into 802.1D-2004	IEEE 802.1s → merged into 802.1Q
Convergence time	30–50 seconds	< 1 second	< 1 second per instance
Port states	Blocking, Listening, Learning, Forwarding, Disabled	Discarding, Learning, Forwarding	Discarding, Learning, Forwarding (per instance)
Port roles	Root, Designated, Blocked	Root, Designated, Alternate, Backup	Root, Designated, Alternate, Backup, Master
VLAN support	Single instance (all VLANs)	Single instance (all VLANs)	Multiple instances — per VLAN group
BPDU handling	Relays BPDUs from root	Each switch generates BPDUs	Each switch generates BPDUs per instance
Topology change	TCN floods entire network, 30s+ to reconverge	Rapid transition, port-by-port handshake	Per-instance topology change
Cisco proprietary variants	PVST+ (per-VLAN STP)	Rapid PVST+	—
Use today	Legacy only	Default on most modern switches	Enterprise multi-VLAN environments

STP timers & bridge ID

parameter	default value	range	description
Hello time	2 seconds	1–10s	Interval between BPDUs sent by root bridge
Forward delay	15 seconds	4–30s	Time spent in Listening and Learning states each
Max age	20 seconds	6–40s	Time before a BPDU is considered stale
Convergence (STP)	30–50 seconds	—	Max age + 2× forward delay = 50s worst case
Convergence (RSTP)	< 1 second	—	Proposal/agreement handshake replaces timers
Bridge priority	32768	0–61440 (steps of 4096)	Lower = more likely to become root bridge
Bridge ID	priority + MAC	—	8-byte value: 2 bytes priority + 6 bytes MAC. Lower Bridge ID wins root election.
Path cost (10G)	2	—	IEEE 802.1D-2004 long path cost
Path cost (1G)	4	—	IEEE 802.1D-2004 long path cost
Path cost (100M)	19	—	IEEE 802.1D-1998 short path cost (still widely used)
Path cost (10M)	100	—	IEEE 802.1D-1998 short path cost

Root bridge election: lowest Bridge Priority wins. Tie → lowest MAC address wins. To influence election: set priority to 0 or 4096 on the desired root. Use spanning-tree vlan X priority 0 on Cisco or spanning-tree priority 0 on Aruba AOS-CX.

port roles explained

role	per switch	state	description
Root Port (RP)	One per non-root switch	Forwarding	Port with the lowest root path cost on a non-root switch. Best path toward root bridge.
Designated Port (DP)	One per segment	Forwarding	Forwards frames on a given segment. All root bridge ports are designated. One per link.
Blocked / Alternate (BLK)	Remaining ports	Blocking	Discards frames to prevent loops. In RSTP called Alternate port — takes over if root port fails.
Backup Port	RSTP only	Discarding	RSTP only. Redundant path to a segment where this switch already has a designated port (hub scenario).

CIDR subnet mask reference — /0 to /32

prefix	subnet mask	wildcard	total hosts	usable hosts	binary mask ■ network ■ host	common use
/0	0.0.0.0	255.255.255.255	4295.0M	4295.0M	00000000.00000000.00000000.00000000	entire internet
/1	128.0.0.0	127.255.255.255	2147.5M	2147.5M	10000000.00000000.00000000.00000000
/2	192.0.0.0	63.255.255.255	1073.7M	1073.7M	11000000.00000000.00000000.00000000
/3	224.0.0.0	31.255.255.255	536.9M	536.9M	11100000.00000000.00000000.00000000
/4	240.0.0.0	15.255.255.255	268.4M	268.4M	11110000.00000000.00000000.00000000
/5	248.0.0.0	7.255.255.255	134.2M	134.2M	11111000.00000000.00000000.00000000
/6	252.0.0.0	3.255.255.255	67.1M	67.1M	11111100.00000000.00000000.00000000
/7	254.0.0.0	1.255.255.255	33.6M	33.6M	11111110.00000000.00000000.00000000
/8	255.0.0.0	0.255.255.255	16.8M	16.8M	11111111.00000000.00000000.00000000	class A
/9	255.128.0.0	0.127.255.255	8.4M	8.4M	11111111.10000000.00000000.00000000
/10	255.192.0.0	0.63.255.255	4.2M	4.2M	11111111.11000000.00000000.00000000
/11	255.224.0.0	0.31.255.255	2.1M	2.1M	11111111.11100000.00000000.00000000
/12	255.240.0.0	0.15.255.255	1.0M	1.0M	11111111.11110000.00000000.00000000
/13	255.248.0.0	0.7.255.255	524.3K	524.3K	11111111.11111000.00000000.00000000
/14	255.252.0.0	0.3.255.255	262.1K	262.1K	11111111.11111100.00000000.00000000
/15	255.254.0.0	0.1.255.255	131.1K	131.1K	11111111.11111110.00000000.00000000
/16	255.255.0.0	0.0.255.255	65.5K	65.5K	11111111.11111111.00000000.00000000	class B (65K hosts)
/17	255.255.128.0	0.0.127.255	32.8K	32.8K	11111111.11111111.10000000.00000000
/18	255.255.192.0	0.0.63.255	16.4K	16.4K	11111111.11111111.11000000.00000000
/19	255.255.224.0	0.0.31.255	8.2K	8.2K	11111111.11111111.11100000.00000000
/20	255.255.240.0	0.0.15.255	4.1K	4.1K	11111111.11111111.11110000.00000000	4K hosts
/21	255.255.248.0	0.0.7.255	2.0K	2.0K	11111111.11111111.11111000.00000000	2K hosts
/22	255.255.252.0	0.0.3.255	1.0K	1.0K	11111111.11111111.11111100.00000000	1K hosts
/23	255.255.254.0	0.0.1.255	512	510	11111111.11111111.11111110.00000000	512 hosts (2 x /24)
/24	255.255.255.0	0.0.0.255	256	254	11111111.11111111.11111111.00000000	class C — most common
/25	255.255.255.128	0.0.0.127	128	126	11111111.11111111.11111111.10000000	2 x /25 from /24
/26	255.255.255.192	0.0.0.63	64	62	11111111.11111111.11111111.11000000	4 x /26 from /24
/27	255.255.255.224	0.0.0.31	32	30	11111111.11111111.11111111.11100000	8 x /27 (30 hosts)
/28	255.255.255.240	0.0.0.15	16	14	11111111.11111111.11111111.11110000	16 x /28 (14 hosts)
/29	255.255.255.248	0.0.0.7	8	6	11111111.11111111.11111111.11111000	8 hosts — point-to-point+
/30	255.255.255.252	0.0.0.3	4	2	11111111.11111111.11111111.11111100	4 hosts — p2p links
/31	255.255.255.254	0.0.0.1	2	—	11111111.11111111.11111111.11111110	2 hosts — RFC3021 p2p
/32	255.255.255.255	0.0.0.0	1	—	11111111.11111111.11111111.11111111	single host / loopback

💡 Usable hosts = total − 2 (network address + broadcast). /31 is a special case per RFC 3021 — used for point-to-point links with no network/broadcast waste. /32 is a host route (single IP). /24 = 255.255.255.0 is the most common subnet in enterprise networks.

802.1X architecture — supplicant · authenticator · RADIUS

supplicant

Client Device

The end device requesting network access. Runs an EAP supplicant (built into Windows, macOS, iOS, Android). Presents credentials or certificates to the authenticator.

Examples: Windows native supplicant, Cisco AnyConnect NAM, SecureW2, Jamf Connect

authenticator

AP or Switch

The network access device that enforces 802.1X. It does NOT validate credentials itself — it acts as a relay between supplicant and RADIUS. Controls port access via PAE (Port Access Entity).

Examples: Aruba AP/switch, Cisco WLC/switch, Ruckus AP, Juniper EX

authentication server

RADIUS Server

Validates credentials, certificates, or SIM. Returns Access-Accept or Access-Reject. Can return VLAN, ACL, and role assignments via RADIUS attributes (VSAs).

Examples: Aruba ClearPass, Cisco ISE, Microsoft NPS, FreeRADIUS, Jumpcloud

802.1X AUTHENTICATION FLOW
Supplicant ──────────────────────────────── Authenticator (AP/Switch) ────────────────── RADIUS Server
  ──── EAPOL-Start ────────────────────────────►
                ◄─── EAP-Request/Identity ────────
  ──── EAP-Response/Identity ─────────────────► ─── RADIUS Access-Request ──────────────────────► 
                                                                       ◄─── RADIUS Access-Challenge ─
                ◄─── EAP-Request (method) ────────
  ... EAP method exchange (TLS tunnel / challenge-response) ...
  ──── EAP-Response ───────────────────────────► ─── RADIUS Access-Request ──────────────────────► 
                                                                       ──── RADIUS Access-Accept ────►
                ◄─── EAP-Success ───────────────── (+ optional: VLAN, ACL, role via VSAs)
  ◄─── 802.1X port opens / network access granted ────────────────────

The authenticator uses RADIUS (UDP 1812 for auth, 1813 for accounting) to communicate with the RADIUS server. It never sees the actual credentials — it only relays EAP messages. This separation is what makes 802.1X secure even on untrusted network equipment.

EAP method comparison

method	inner auth	outer tunnel	client cert req?	server cert req?	identity protection	complexity	common use
PEAP Protected EAP	MSCHAPv2 (usually)	TLS tunnel	✗ not required	✓ required	✓ outer identity anonymous	Low	Most common enterprise Wi-Fi. Username/password via AD/LDAP. Windows native.
EAP-TLS TLS mutual auth	Certificate (no inner)	TLS mutual auth	✓ required (client PKI)	✓ required	✓ strongest protection	High	Highest security. Requires PKI for every device. Passwordless. MDM/SCEP typically used.
EAP-TTLS Tunneled TLS	PAP, CHAP, MSCHAPv2, or others	TLS tunnel	✗ not required	✓ required	✓ outer identity anonymous	Medium	More flexible inner auth than PEAP. Common on Linux/Android. Less Windows-native support.
EAP-FAST Flexible Auth via Secure Tunneling	MSCHAPv2, GTC, or TLS	PAC (Protected Access Credential)	✗ not required	✓ optional (PAC provisioning)	✓ PAC-based tunnel	Medium	Cisco proprietary alternative to PEAP. Used where cert infrastructure isn't available. Less common.
EAP-SIM SIM card auth	SIM GSM challenge-response	None (SIM provides security)	✗ uses SIM instead	✗ not required	⚠ limited (IMSI exposed)	Low (for carrier)	Carrier Wi-Fi offload. Hotspot 2.0 / Passpoint. Seamless auth using SIM credentials.
EAP-AKA Auth & Key Agreement	USIM AKA challenge-response (3G/4G)	None	✗ uses USIM	✗ not required	✓ improved vs EAP-SIM	Low (for carrier)	Evolved SIM auth for UMTS/LTE. More secure than EAP-SIM. Used in carrier Wi-Fi offload.

PEAP-MSCHAPv2 is the most deployed enterprise EAP method due to its low client-side complexity (no client cert needed). EAP-TLS is the gold standard for security but requires a full PKI with certificate enrollment for every device — typically via SCEP/ACME through an MDM like Jamf, Intune, or ClearPass Onboard.

certificate requirements by EAP method

EAP method	RADIUS server cert	client cert	CA cert (on client)	deployment complexity	notes
PEAP-MSCHAPv2	✓ required	✗ not needed	⚠ should validate	Low — creds only	Clients MUST validate server cert to prevent MITM. Many deployments skip this — a critical security gap.
EAP-TLS	✓ required	✓ required (per device)	✓ required	High — full PKI needed	Every device needs a unique cert. Use MDM + SCEP/ACME for automated enrollment. Revocation via OCSP/CRL.
EAP-TTLS	✓ required	✗ not needed	⚠ should validate	Medium	Same cert risks as PEAP if server cert not validated. Better inner auth flexibility.
EAP-FAST	⚠ optional	✗ not needed	⚠ depends on provisioning	Medium	Anonymous PAC provisioning (phase 0) can be vulnerable. Use authenticated PAC provisioning where possible.
EAP-SIM / EAP-AKA	✗ not used	✗ not used	✗ not used	Low (carrier managed)	Auth is handled by SIM / USIM cryptography. No certificates involved — carrier PKI handles security.

⚠ PEAP without server cert validation is one of the most common Wi-Fi security misconfigurations. Without it, any rogue AP with a self-signed cert can perform a man-in-the-middle attack and capture MSCHAPv2 hashes (which can be cracked offline). Always configure trusted CA and server name validation on supplicants.

auth flow — how each method works

method	phase 1 (outer)	phase 2 (inner)	what's protected	credential type
PEAP	TLS tunnel established using server cert. Outer identity = anonymous@domain	MSCHAPv2 challenge-response with AD username/password inside the tunnel	Inner identity + credentials hidden	Username + password (AD/LDAP)
EAP-TLS	Mutual TLS handshake — both client and server present certificates	No phase 2 — certificate IS the credential	Full mutual auth, no password ever sent	X.509 client certificate (device or user)
EAP-TTLS	TLS tunnel using server cert. Anonymous outer identity.	Any inner method: PAP, CHAP, MSCHAPv2, or even another EAP	Inner identity + credentials hidden	Username + password (flexible inner methods)
EAP-FAST	Phase 0: PAC (Protected Access Credential) provisioning. Phase 1: PAC establishes tunnel	MSCHAPv2, GTC (token), or EAP-TLS inside tunnel	Depends on PAC provisioning security	PAC file + inner credentials
EAP-SIM	No tunnel. RADIUS sends GSM triplets (RAND, SRES, Kc) from HLR/HSS	No phase 2 — SIM card performs RAND challenge-response	IMSI can be exposed in early exchanges	SIM card (GSM A3/A8 algorithm)

PEAP and EAP-TTLS both use a TLS tunnel to protect inner credentials — the key difference is PEAP is primarily designed for MSCHAPv2 while EAP-TTLS supports any inner method including PAP (plaintext over the encrypted tunnel). EAP-TLS has no inner phase — the mutual certificate exchange is the entire authentication.

AAA — authentication · authorization · accounting

authentication

Who are you?

Verifies the identity of a user or device before granting any access. The supplicant presents credentials — password, certificate, SIM, or token — and the authentication server validates them.

Methods: Password (MSCHAPv2), Certificate (EAP-TLS), SIM (EAP-SIM), Token (OTP/GTC)

Protocols: RADIUS (UDP 1812), TACACS+ (TCP 49), Diameter (SCTP/TCP 3868)

authorization

What can you do?

Determines what network resources and permissions a successfully authenticated identity receives. Applied after auth succeeds, before network access is granted.

Outputs: VLAN assignment, ACL/dACL, downloadable policy, QoS profile, role/group, session timeout, bandwidth limit

Mechanisms: RADIUS attributes (VSAs), ClearPass roles, ISE authorization profiles, CoA (Change of Authorization)

accounting

What did you do?

Records session activity — when a user connected, disconnected, how much data was transferred, which device/port was used. Used for auditing, billing, and troubleshooting.

Records: Session start/stop, bytes in/out, session duration, NAS IP, calling-station-ID (MAC), framed-IP

Protocol: RADIUS Accounting (UDP 1813), TACACS+ accounting (TCP 49)

AAA protocols comparison — RADIUS · TACACS+ · Diameter

feature	RADIUS	TACACS+	Diameter
Transport	UDP 1812 (auth) / 1813 (acct)	TCP 49 (reliable)	TCP / SCTP 3868
Encryption	Password only (MD5)	Full packet body encrypted	TLS / DTLS
AAA separation	Auth + Authz combined	Auth / Authz / Acct fully separate	Fully modular
Protocol origin	Open standard (RFC 2865/2866)	Cisco proprietary (extended)	IETF RFC 6733 (RADIUS successor)
Primary use	Network access (802.1X, VPN, Wi-Fi)	Device administration (CLI, SSH, enable)	Mobile/carrier (LTE, IMS, Hotspot 2.0)
Command authorization	✗ not supported	✓ per-command authorization	✗ not applicable
Attribute extensibility	VSAs (vendor-specific attributes)	Flexible — any attribute	AVPs (attribute-value pairs) — fully extensible
Change of Authorization	✓ RFC 5176 (CoA / Disconnect)	✗ not standard	✓ native re-auth
Failover	Client retries to backup server	Client retries to backup server	Native peer failover
Common servers	ClearPass, ISE, NPS, FreeRADIUS	ClearPass, ISE, ACS (legacy), TACACS Pro	Diameter base on carrier gear

RADIUS vs TACACS+: Use RADIUS for network access control (802.1X, VPN, Wi-Fi auth). Use TACACS+ for device administration — it encrypts the entire packet and supports per-command authorization, making it significantly better for auditing SSH/CLI access to switches and routers. Many enterprises run both: RADIUS for user/device NAC, TACACS+ for admin access.

common RADIUS attributes for network access

attribute	type #	direction	value / example	use
User-Name	1	Request	[email protected]	Identity sent to RADIUS. For 802.1X, outer identity is often anonymous@domain.
Framed-IP-Address	8	Accept	192.168.10.50	Assign specific IP to user (used with some VPN/PPP scenarios).
Framed-MTU	12	Accept	1400	Set MTU for the session.
Session-Timeout	27	Accept	28800 (seconds)	Force re-authentication after N seconds. Common: 8h = 28800.
Idle-Timeout	28	Accept	600	Disconnect idle sessions after N seconds.
Calling-Station-Id	31	Request	AA-BB-CC-DD-EE-FF	Client MAC address. Used by ClearPass/ISE for device profiling and policy lookup.
NAS-IP-Address	4	Request	10.0.0.1	IP of the AP or switch sending the RADIUS request.
NAS-Port-Type	61	Request	19 = Wireless-802.11	Access method. 15 = Ethernet, 19 = Wireless.
Tunnel-Type	64	Accept	13 = VLAN	Used with VLAN assignment. Must be set to 13 (VLAN) for dynamic VLAN.
Tunnel-Medium-Type	65	Accept	6 = 802	Always 6 (IEEE 802) for VLAN assignment.
Tunnel-Private-Group-Id	81	Accept	"100" (VLAN ID)	The VLAN ID to assign. All three Tunnel-* attributes must be present for dynamic VLAN to work.
Reply-Message	18	Reject/Challenge	"Invalid credentials"	Human-readable message returned on failure. Useful in RADIUS logs.

Dynamic VLAN assignment requires three RADIUS attributes returned in Access-Accept: Tunnel-Type = VLAN(13), Tunnel-Medium-Type = IEEE-802(6), and Tunnel-Private-Group-Id = "VLAN_ID". Missing any one of these will cause the AP/switch to ignore the VLAN assignment and fall back to the default VLAN.

change of authorization (CoA) — RFC 5176

CoA type	RADIUS code	direction	what it does	common use case
CoA-Request	43	RADIUS server → NAS	Changes session attributes mid-session without disconnect	Push new VLAN/ACL/role after posture check completes
CoA-ACK	44	NAS → RADIUS server	CoA accepted and applied	Confirms the NAS applied the new policy
CoA-NAK	45	NAS → RADIUS server	CoA rejected	Session not found, attribute unsupported, or NAS error
Disconnect-Request (PoD)	40	RADIUS server → NAS	Forcibly disconnects a session (Packet of Death)	Quarantine a compromised device, force re-auth after password change
Disconnect-ACK	41	NAS → RADIUS server	Session disconnected successfully	Device will need to re-authenticate to regain access
Disconnect-NAK	42	NAS → RADIUS server	Disconnect failed	Session not found or NAS doesn't support PoD

CoA is initiated by the RADIUS server (ClearPass/ISE) toward the NAS (AP/switch) on UDP port 3799. The NAS must have CoA enabled and the RADIUS server IP whitelisted. CoA is used in posture-based NAC workflows — device connects to a quarantine VLAN, passes health check, CoA pushes the production VLAN without disconnecting the session.

display filter cheatsheet

filter	description	example
IP / ADDRESS
`ip.addr == x.x.x.x`	Any packet to or from IP	ip.addr == 192.168.1.10
`ip.src == x.x.x.x`	Source IP only	ip.src == 10.0.0.1
`ip.dst == x.x.x.x`	Destination IP only	ip.dst == 8.8.8.8
`ip.addr == x.x.x.x/24`	Entire subnet	ip.addr == 192.168.1.0/24
`eth.addr == xx:xx:xx:xx:xx:xx`	MAC address (src or dst)	eth.addr == aa:bb:cc:dd:ee:ff
`eth.src == xx:xx:xx:xx:xx:xx`	Source MAC	eth.src == 00:11:22:33:44:55
TCP / UDP / PORTS
`tcp.port == 443`	TCP src or dst port	tcp.port == 443
`tcp.dstport == 80`	TCP destination port only	tcp.dstport == 80
`udp.port == 53`	UDP port	udp.port == 53
`tcp.flags.syn == 1`	TCP SYN packets only	tcp.flags.syn==1 && tcp.flags.ack==0
`tcp.flags.reset == 1`	TCP RST — connection resets	tcp.flags.reset == 1
`tcp.analysis.retransmission`	TCP retransmissions	tcp.analysis.retransmission
`tcp.analysis.zero_window`	Zero window — receiver buffer full	tcp.analysis.zero_window
APPLICATION PROTOCOLS
`dns`	All DNS traffic	dns.qry.name contains "google"
`dns.flags.response == 0`	DNS queries only	dns.flags.response == 0
`http`	All HTTP traffic	http.request.method == "GET"
`tls`	TLS/SSL traffic	tls.handshake.type == 1
`icmp`	Ping / ICMP	icmp.type == 8 (echo request)
OPERATORS & COMBINING
`&&` or `and`	Both conditions must match	ip.src==10.0.0.1 && tcp.port==443
`\|\|` or `or`	Either condition matches	dns \|\| dhcp
`!` or `not`	Exclude matches	!arp && !icmp
`contains`	Field contains string	http.host contains "example"
`matches`	Regex match	dns.qry.name matches "\.local$"
`in {}`	Match any value in set	tcp.port in {80 443 8080}

💡 Display filters use field names (ip.addr, tcp.port) — not BPF syntax. Use Ctrl+Space in the filter bar for autocomplete. Right-click any field in a packet → Apply as Filter to build filters interactively.

common protocol filters — DHCP · ARP · ICMP · STP · EAPOL · RADIUS

protocol	display filter	what to look for	notes
DHCP	`dhcp` or `bootp`	Discover → Offer → Request → ACK sequence. NAK = address conflict.	Filter by MAC: `dhcp.hw.mac_addr == xx:xx:xx:xx:xx:xx`
ARP	`arp`	Gratuitous ARP, duplicate IP (ARP probes with no reply), ARP storms.	`arp.duplicate-address-detected` flags IP conflicts automatically
ICMP	`icmp`	Echo req/reply (ping), unreachable, TTL exceeded, redirect messages.	Type 3 = unreachable, Type 11 = TTL exceeded (traceroute), Type 5 = redirect
ICMPv6	`icmpv6`	NDP (neighbor discovery), router advertisements, DAD (duplicate address detection).	`icmpv6.type == 135` = Neighbor Solicitation, 136 = Neighbor Advertisement
DNS	`dns`	Failed lookups (NXDOMAIN), slow response times, unexpected resolvers.	`dns.flags.rcode != 0` = DNS errors. `dns.time > 0.5` = slow DNS
STP / RSTP	`stp`	BPDUs, topology change notifications (TCN), root bridge changes.	TCN floods cause MAC table flushes — look for `stp.flags.tc == 1`
EAPOL	`eapol`	802.1X auth frames — EAPOL-Start, EAP-Request/Response, EAP-Success/Failure.	`eap` shows inner EAP. Look for EAP-Failure to debug auth issues.
RADIUS	`radius`	Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting.	`radius.code == 3` = Access-Reject. Capture on RADIUS server or authenticator uplink.
LLDP / CDP	`lldp` / `cdp`	Neighbor discovery, VLAN IDs advertised, port descriptions, system capabilities.	Useful for verifying what VLAN an AP or phone is advertising via LLDP-MED
OSPF	`ospf`	Hello packets, LSAs, neighbor state changes, DR/BDR election.	`ospf.msg == 1` = Hello. Watch for neighbor drops and LSA flooding storms.
VRRP	`vrrp`	Virtual router advertisements, master/backup transitions.	Multiple masters on same VRIDs = split-brain. Check advertisement intervals match.

802.11 wireless capture — monitor mode & filters

topic	detail
Monitor mode (Linux)	`sudo ip link set wlan0 down && sudo iw wlan0 set monitor none && sudo ip link set wlan0 up` Or: `sudo airmon-ng start wlan0` → creates wlan0mon
Monitor mode (macOS)	Hold Option → click Wi-Fi icon → Open Wireless Diagnostics → Window menu → Sniffer. Or use `tcpdump -I -i en0`
Lock to channel	`sudo iwconfig wlan0mon channel 6` (2.4GHz) or `sudo iw dev wlan0mon set channel 36 HT40+` (5GHz)
Filter by BSSID	`wlan.bssid == aa:bb:cc:dd:ee:ff`
Filter by SSID	`wlan.ssid == "MyNetwork"` or `wlan.ssid contains "Corp"`
Management frames only	`wlan.fc.type == 0` — beacons, probes, auth, assoc, deauth, disassoc
Beacon frames	`wlan.fc.type_subtype == 8`
Probe requests	`wlan.fc.type_subtype == 4` — shows clients probing for networks
Authentication frames	`wlan.fc.type_subtype == 11`
Deauth / Disassoc frames	`wlan.fc.type_subtype == 12 \|\| wlan.fc.type_subtype == 10` — rogue deauth attacks or roaming events
4-way handshake (WPA)	`eapol && wlan.bssid == xx:xx:xx:xx:xx:xx` — capture all 4 EAPOL frames to crack offline (educational)
Signal strength (RSSI)	`wlan_radio.signal_dbm` — filter weak clients: `wlan_radio.signal_dbm < -75`
Data frames only	`wlan.fc.type == 2`
Retry frames	`wlan.fc.retry == 1` — high retries = RF interference or poor signal

📡 On Wi-Fi 6 (HE) captures, use wlan_radio.phy == he to isolate 802.11ax frames. For encrypted captures you need the PSK or PMK to decrypt — add via Edit → Preferences → Protocols → IEEE 802.11 → Decryption keys.

built-in statistics tools

tool	menu path	what it shows	best for
Protocol Hierarchy	Statistics → Protocol Hierarchy	Breakdown of all protocols in capture by packet count and bytes %	Quickly identify unexpected protocols or traffic composition
Conversations	Statistics → Conversations	All TCP/UDP/IP conversations with bytes transferred, duration	Find top talkers, high-volume flows, unexpected connections
Endpoints	Statistics → Endpoints	All unique IPs/MACs with tx/rx bytes	Identify noisy devices, rogue hosts, broadcast sources
IO Graph	Statistics → IO Graph	Throughput over time graph. Can overlay multiple filters.	Visualize traffic bursts, retransmission spikes, utilization over time
TCP Stream Graph	Statistics → TCP Stream Graphs	Time-sequence, round trip time, window scaling, throughput graphs	TCP performance analysis, identify slow-start, window issues
DNS	Statistics → DNS	DNS query types, response codes, response times	Identify DNS failures, slow lookups, unusual query types
HTTP	Statistics → HTTP	HTTP request/response counters, load distribution	Web traffic analysis, response code distribution
WLAN Traffic	Wireless → WLAN Traffic	Per-SSID/BSSID stats, retry rates, data rates in 802.11 captures	Wi-Fi performance analysis, retry rate per AP/client
Expert Information	Analyze → Expert Information	Auto-detected issues: retransmissions, resets, out-of-order, malformed	Fast triage — start here on any capture to spot anomalies
Capture File Properties	Statistics → Capture File Properties	Duration, packet count, avg packet rate, avg packet size	High-level summary before deep analysis

follow stream · export objects · IO graphs · workflow tips

action	how to	use case
Follow TCP Stream	Right-click packet → Follow → TCP Stream. Or: `Analyze → Follow → TCP Stream`	Reconstruct full conversation (HTTP requests, SMTP, Telnet). Shows client bytes in red, server in blue.
Follow UDP Stream	Right-click → Follow → UDP Stream	DNS, TFTP, SNMP conversations. Less common than TCP but useful for TFTP debugging.
Export HTTP Objects	`File → Export Objects → HTTP`	Save files downloaded over HTTP (images, scripts, configs). Essential for malware analysis.
Export SMB Objects	`File → Export Objects → SMB`	Extract files transferred over SMB file shares.
IO Graph — overlay filters	Statistics → IO Graph → click + to add lines → set display filter per line	Compare retransmissions vs total traffic: line 1 = all, line 2 = `tcp.analysis.retransmission`
Mark / Ignore packets	`Ctrl+M` to mark, `Ctrl+D` to ignore	Highlight key packets for reference or remove noise from analysis.
Time reference	`Ctrl+T` on a packet — sets it as time zero	Measure relative timing from a specific event (e.g., DHCP Discover as T=0).
Coloring rules	`View → Coloring Rules`	Add custom colors for protocols or filters. Default rules already color TCP errors red.
tshark (CLI)	`tshark -i eth0 -Y "dns" -T fields -e dns.qry.name`	Command-line Wireshark. Pipe output to grep/awk. Ideal for remote captures via SSH.
Remote capture (rpcapd)	`File → Capture Options → Manage Interfaces → Remote`	Capture on a remote host and view locally. Or use `ssh user@host tcpdump -w - \| wireshark -k -i -`
Decrypt TLS (with key log)	`Edit → Preferences → Protocols → TLS → Pre-Master-Secret log file`	Set `SSLKEYLOGFILE=~/tls.log` env var in Chrome/Firefox, then load the file in Wireshark to decrypt HTTPS.

🔧 Keyboard shortcuts: Ctrl+F find, Ctrl+G go to packet, Ctrl+E collapse all details, Space scroll, Ctrl+Shift+X expert info. Use Analyze → Expert Information as your first stop on any unknown capture — it surfaces retransmissions, resets, and malformed packets automatically.

interface & address management

command	description	example
`ip addr show`	Show all interfaces and IPs	ip addr show eth0
`ip addr add`	Add IP to interface	ip addr add 192.168.1.10/24 dev eth0
`ip link set eth0 up/down`	Bring interface up or down	ip link set eth0 up
`ip link set mtu`	Change MTU	ip link set eth0 mtu 9000
`ip -s link show`	Interface stats (tx/rx bytes, errors)	ip -s link show eth0
`ethtool eth0`	Link speed, duplex, autoneg status	ethtool eth0 \| grep Speed
`ethtool -S eth0`	NIC driver statistics	ethtool -S eth0 \| grep drop

routing

command	description	example
`ip route show`	Show routing table	ip route show table main
`ip route add`	Add static route	ip route add 10.0.0.0/8 via 192.168.1.1
`ip route get`	Which route used for destination	ip route get 8.8.8.8
`ip neigh show`	ARP / NDP neighbor table	ip neigh show dev eth0
`ip neigh flush`	Clear ARP cache	ip neigh flush dev eth0
`mtr -n`	Live traceroute + packet loss per hop	mtr -n --report 8.8.8.8

DNS

command	description	example
`dig`	DNS lookup with full detail	dig google.com A / dig @8.8.8.8 google.com
`dig +short`	Quick answer only	dig +short google.com MX
`dig -x`	Reverse DNS (PTR)	dig -x 8.8.8.8
`resolvectl status`	systemd-resolved DNS status	resolvectl query google.com

packet capture & connectivity

command	description	example
`tcpdump -i eth0`	Capture on interface	tcpdump -i eth0 host 10.0.0.1 -nn
`tcpdump -w file.pcap`	Write to pcap for Wireshark	tcpdump -i eth0 -w /tmp/cap.pcap
`ss -tulnp`	Show listening sockets + process	ss -tulnp \| grep :443
`nc -zv host port`	Test TCP port reachability	nc -zv 10.0.0.1 443
`iperf3 -s / -c`	Bandwidth test	iperf3 -c 10.0.0.1 -t 30
`nmap -p-`	Port scan all ports	nmap -p- -T4 10.0.0.1

firewall

command	description	example
`iptables -L -n -v`	List rules with counters	iptables -L INPUT -n -v --line-numbers
`iptables -A INPUT`	Append inbound rule	iptables -A INPUT -p tcp --dport 22 -j ACCEPT
`iptables -t nat -L`	Show NAT rules	iptables -t nat -L POSTROUTING -n -v
`nft list ruleset`	Modern nftables rules	nft list ruleset
`ufw status verbose`	UFW firewall status (Ubuntu)	ufw allow 443/tcp

wireless (Linux)

command	description	example
`iw dev`	Show wireless interfaces and mode	iw dev wlan0 info
`iw wlan0 scan`	Scan for nearby networks	sudo iw wlan0 scan \| grep -E "SSID\|signal\|freq"
`iw wlan0 link`	Current connection info (SSID, signal, bitrate)	iw wlan0 link
`iw wlan0 station dump`	Connected client stats (AP mode)	iw wlan0 station dump
`iw wlan0 set channel`	Set channel (monitor mode)	sudo iw wlan0mon set channel 36 HT40+
`iwconfig`	Legacy wireless config (older systems)	iwconfig wlan0
`nmcli dev wifi`	List and connect to Wi-Fi networks	nmcli dev wifi connect "SSID" password "pass"
`nmcli dev wifi list`	Scan results with signal strength	nmcli -f SSID,BSSID,CHAN,SIGNAL dev wifi list
`airmon-ng start wlan0`	Enable monitor mode (aircrack-ng)	sudo airmon-ng start wlan0
`airodump-ng wlan0mon`	Scan all channels in monitor mode	sudo airodump-ng wlan0mon --band a

frequency fundamentals

low band <1 GHz

Coverage: 10-50 km radius, excellent building penetration
Speed: 10-80 Mbps
Bands: 600, 700, 850 MHz
Use: Rural coverage, indoor, IoT

mid band 1-6 GHz

Coverage: 1-5 km, good penetration
Speed: 50-600 Mbps
Bands: 1900, 2100, 2500, 3.5 GHz C-Band
Use: Urban capacity, primary 5G

mmWave >24 GHz

Coverage: <200m LoS only, blocked by walls
Speed: 1-4 Gbps
Bands: 28, 39 GHz
Use: Stadiums, venues, fixed wireless

US carrier band summary

carrier	low band (coverage)	mid band (capacity)	5G NR primary	5G mmWave
AT&T	B5 (850 MHz) B12 (700 MHz) B14 (FirstNet 758 MHz)	B2 (1900 MHz) B30 (2300 MHz) B66 (AWS 1700/2100)	n77 (3.45 GHz C-Band) n14 (FirstNet 5G) n5 (850 MHz)	n257 (28 GHz)
Verizon	B13 (700 MHz upper C) B5 (850 MHz)	B4/B66 (AWS) B2 (1900 MHz)	n77 (3.7 GHz C-Band) n5 (850 MHz)	n257 (28 GHz) n260 (39 GHz) n261 (28 GHz)
T-Mobile	B71 (600 MHz) B12 (700 MHz)	B41 (2500 MHz) B66 (AWS) B2 (1900 MHz)	n41 (2.5 GHz — "Ultra Capacity") n71 (600 MHz) n66 (AWS)	n258/n260

US LTE band reference

band	frequency	carrier(s)	duplex	typical BW	purpose
B2	1900 MHz PCS	AT&T, T-Mobile	FDD	5-20 MHz	Urban capacity
B4 / B66	AWS-1/3 (1700/2100 MHz)	T-Mobile, AT&T, Verizon	FDD	5-20 MHz	Capacity + coverage
B5	850 MHz	AT&T, Verizon	FDD	5-10 MHz	Coverage / rural
B12 / B17	700 MHz lower	T-Mobile, AT&T	FDD	5-10 MHz	Coverage / rural / indoor
B13	700 MHz upper C	Verizon	FDD	10 MHz	Verizon primary coverage
B14	758/788 MHz FirstNet	AT&T (FirstNet)	FDD	10 MHz	Public safety priority
B25	1900 MHz PCS (extended)	T-Mobile (ex-Sprint)	FDD	5-10 MHz	Urban capacity
B30	2300 MHz WCS	AT&T	FDD	10 MHz	Urban capacity
B41	2500 MHz TDD	T-Mobile (ex-Sprint)	TDD	20 MHz	High-capacity urban / 5G anchor
B48 / CBRS	3.5 GHz (3550-3700 MHz)	Private LTE/5G enterprise	TDD	10-100 MHz	Enterprise private LTE/5G
B71	600 MHz	T-Mobile	FDD	5-20 MHz	Rural / wide-area coverage

5G NR bands — US

NR band	frequency	carrier(s)	max BW	mode	notes
n5	850 MHz	AT&T, Verizon	10 MHz	FDD	5G coverage layer — re-farmed LTE spectrum
n14	758 MHz FirstNet	AT&T	10 MHz	FDD	FirstNet 5G for public safety
n41	2.5 GHz (2496-2690 MHz)	T-Mobile	100 MHz	TDD	T-Mobile primary capacity "Ultra Capacity 5G" — best mid-band 5G in US
n66	AWS (1700/2100 MHz)	T-Mobile, AT&T	25 MHz	FDD	5G capacity — widespread coverage
n71	600 MHz	T-Mobile	20 MHz	FDD	5G rural coverage — nationwide extended reach
n77	3.45 GHz (AT&T) / 3.7 GHz (Verizon)	AT&T, Verizon	100 MHz	TDD	C-Band — primary 5G NR capacity for AT&T and Verizon
n257	28 GHz mmWave	AT&T, T-Mobile, Verizon	400 MHz	TDD	mmWave — stadiums, airports, street-level hotspots. LoS only.
n260	39 GHz mmWave	Verizon	400 MHz	TDD	Verizon mmWave — ultra-dense urban venues
n261	28 GHz mmWave (upper)	Verizon	400 MHz	TDD	Verizon secondary mmWave band

expected speeds — US carriers

technology	typical download	typical upload	latency	real-world notes
4G LTE (single band)	20-50 Mbps	5-15 Mbps	20-50ms	Baseline LTE. Typical in rural or lightly loaded suburban areas.
4G LTE-A (carrier agg)	50-200 Mbps	15-50 Mbps	15-40ms	Multi-band aggregation. Most modern smartphones in urban areas.
5G NSA (low band n71/n5)	30-100 Mbps	10-30 Mbps	15-40ms	Extended coverage. Similar to LTE speeds but better latency headroom.
5G NSA mid-band (n41)	100-500 Mbps	30-100 Mbps	10-25ms	T-Mobile Ultra Capacity 5G. Best real-world 5G experience in US suburbs/cities.
5G C-Band (n77 AT&T/Verizon)	150-600 Mbps	30-100 Mbps	10-20ms	Rapidly expanding. Outstanding in coverage zones. Speeds vary by congestion.
5G SA sub-6 (T-Mobile)	200-800 Mbps	50-150 Mbps	5-15ms	Standalone core — lower latency than NSA. T-Mobile leads SA deployment in US.
5G mmWave (n257/n260)	1-4 Gbps	500 Mbps+	<5ms	Extraordinary speeds but near LoS only. Stadiums, airports, Verizon fixed wireless.
5G Fixed Wireless (FWA)	100-500 Mbps	20-75 Mbps	10-30ms	T-Mobile Home Internet / Verizon 5G Home. Highly location dependent.

Speeds are heavily dependent on distance from tower, time of day, number of connected users, and device capabilities. C-Band (n77) is now the defining 5G experience for AT&T and Verizon — areas without C-Band coverage will see speeds closer to LTE. T-Mobile's n41 (2.5 GHz) network from the Sprint merger is their key competitive advantage for 5G capacity.

5G deployment modes

mode	anchor	core	latency	US status	notes
NSA Option 3x	LTE anchor	4G EPC	15-40ms	Majority of US 5G	5G NR data + LTE signaling. Fast to deploy. Limited 5G-specific features.
SA Option 2	5G NR only	5G core	5-15ms	T-Mobile (leader), Verizon/AT&T rolling out	Full 5G features: slicing, URLLC. Lower latency. Requires 5G core investment.

802.11 frame types

type	bits	purpose	common subtypes
Management	`00`	Control STA-AP relationships — discovery, auth, association. Never carry user data.	Beacon, Probe Req/Resp, Auth, Deauth, Assoc Req/Resp, Reassoc, Disassoc, Action
Control	`01`	Assist delivery of frames — medium access, ACKs. Sent without encryption.	RTS, CTS, ACK, Block ACK (BA), BAR, PS-Poll, CF-End
Data	`10`	Carry user payload (IP packets). May be encrypted.	Data, Null, QoS Data, QoS Null

MAC header fields

field	size	description
Frame Control	2 B	Protocol ver (2b), Type (2b), Subtype (4b), To/From DS, Retry, Power Mgmt, Protected Frame flags
Duration / ID	2 B	NAV: time in microseconds medium is reserved. PS-Poll uses as AID.
Address 1	6 B	Receiver address (RA) -- immediate next hop
Address 2	6 B	Transmitter address (TA) -- station that placed frame on air
Address 3	6 B	DA or SA depending on To DS / From DS bits
Sequence Control	2 B	Fragment number (4b) + Sequence number (12b) -- detect duplicates and reassemble
Address 4	6 B	Only present in WDS/mesh (To DS=1 AND From DS=1) -- original SA in 4-address mode
QoS Control	2 B	QoS data frames only: TID, ACK policy, A-MSDU flag, TXOP limit
Frame Body	0-7951 B	IEs for management, encrypted MSDU for data
FCS	4 B	CRC-32 over entire frame -- receiver discards on error

To DS / From DS bits: 0/0 IBSS 0/1 AP-to-STA (DA=A1, BSSID=A2, SA=A3) 1/0 STA-to-AP (BSSID=A1, SA=A2, DA=A3) 1/1 WDS 4-addr

management frame subtypes (type=00)

subtype	name	direction	key fields / notes
`0000`	Association Request	STA to AP	Capability info, listen interval, SSID, supported rates, RSN IE, HT/VHT/HE caps
`0001`	Association Response	AP to STA	Status code, AID (1-2007), supported rates, HT/VHT/HE info
`0010`	Reassociation Request	STA to AP	Same as Assoc Req + current AP BSSID -- used during roaming
`0011`	Reassociation Response	AP to STA	New AP responds, may trigger context transfer from old AP
`0100`	Probe Request	STA to broadcast	Active scan -- wildcard or specific SSID, supported rates and capabilities
`0101`	Probe Response	AP to STA	SSID, BSSID, beacon interval, capabilities, rates, RSN IE, country IE
`1000`	Beacon	AP to broadcast	Every 102.4 ms (default). SSID, BSSID, timestamp, TIM, rates, RSN IE, HT/VHT/HE info
`1010`	Disassociation	AP or STA	Reason code. STA returns to authenticated-not-associated state.
`1011`	Authentication	STA and AP	Open: 2 frames (seq 1+2). SAE (WPA3): commit+confirm. Auth algorithm, seq, status code.
`1100`	Deauthentication	AP or STA	Reason code. STA returns to unauthenticated-unassociated state.
`1101`	Action	AP or STA	Block ACK setup, 802.11k measurement, 802.11v BSS transition, 802.11w SA Query

control frame subtypes (type=01)

subtype	name	purpose
`1011`	RTS	Request To Send -- reserves medium. Receiver replies CTS. Mitigates hidden node.
`1100`	CTS	Clear To Send -- grants permission, sets NAV on all overhearing stations.
`1101`	ACK	Acknowledges unicast frame receipt. Sent after each frame unless Block ACK in use.
`1000`	Block ACK Request (BAR)	Requests Block ACK for a range of frames -- used with A-MPDU aggregation.
`1001`	Block ACK (BA)	Acks multiple frames via bitmap -- essential for throughput with aggregation.
`1010`	PS-Poll	Sleeping station wakes, asks AP to deliver buffered frames (legacy power save).

association process -- step by step

Probe Request (STA to broadcast) / Beacon (passive scan)

Client broadcasts Probe Requests advertising its supported rates and capabilities. All APs with a matching supported rate reply with Probe Responses (SSID, rates, encryption, capabilities). Passive scan: client listens for Beacons instead.

Authentication (open) -- Auth seq 1 then Auth seq 2

Client sends Open System Auth (algorithm=0, seq=0x0001). AP replies seq=0x0002, status=success. Always succeeds -- this is a legacy formality from WEP. Real security (WPA2/WPA3) happens AFTER association. State after: authenticated, not associated. A client can pre-auth to multiple APs for faster roaming.

Association Request then Association Response

Client sends Assoc Request: SSID, capability info, supported rates, RSN IE, HT/VHT/HE caps. AP validates, allocates AID (1-2007), replies with Assoc Response (status=0 success). State after: authenticated and associated.

EAPOL 4-Way Handshake (WPA2/WPA3-PSK)

AP sends EAPOL Msg 1 (ANonce). Client computes PTK from PMK + ANonce + SNonce, replies Msg 2 (SNonce + MIC). AP verifies MIC, sends Msg 3 (GTK encrypted). Client installs keys, sends Msg 4. Encryption now active. For 802.1X: EAP exchange with RADIUS completes before this step.

Data Transfer

Encrypted data flows. DHCP begins. For 802.1X networks, data is blocked by the AP until EAP Success is received from RADIUS, even though 802.11 association is already complete.

Three 802.11 connection states: (1) Unauthenticated + Unassociated --Deauth-- (2) Authenticated + Unassociated --Disassoc-- (3) Authenticated + Associated. Deauth returns to state 1; Disassoc returns to state 2.

reason codes -- deauth & disassoc

code	meaning	typical cause
`1`	Unspecified	Check AP logs for detail
`2`	Previous auth no longer valid	Session timeout, AP reboot
`3`	STA leaving BSS (disassoc)	Client-initiated roam or disconnect
`4`	Inactivity timeout	Client left without deauthing
`5`	AP capacity exceeded	Max client limit reached
`6`	Class 2 frame from non-authed STA	Client sent data before auth complete
`7`	Class 3 frame from non-assoc STA	Client sent data before assoc complete
`8`	STA leaving BSS (deauth)	Client roaming or shutting down
`15`	4-Way Handshake timeout	Wrong PSK, client too slow, or rogue AP deauth attack
`16`	Group Key Handshake timeout	GTK renewal failure
`17`	IE in (Re)Assoc differs from auth IE	Security capability mismatch between frames
`23`	802.1X auth failed	RADIUS rejected credentials

Reason code 15 in Wireshark almost always means wrong PSK. Reason code 7 = client tried to send data before completing association -- look for missing Auth or Assoc frames earlier in the capture.

status codes -- assoc & auth responses

code	meaning	notes
`0`	Success	Association or auth succeeded
`1`	Unspecified failure	Generic rejection
`10`	Cannot support all requested capabilities	Client asked for capability AP cannot provide
`12`	Assoc denied -- no common rates	No overlapping supported rates
`13`	Auth algorithm not supported	Client tried SAE on WPA2-only AP
`17`	Assoc denied -- AP too busy	Max client limit reached
`23`	Cipher suite rejected by policy	Client tried TKIP on WPA3 AP

DHCP overview

attribute	detail
Protocol	UDP — client port 68, server port 67
IPv6 equivalent	DHCPv6 — client port 546, server port 547
RFC	RFC 2131 (DHCPv4), RFC 8415 (DHCPv6)
Relay agent	Forwards broadcasts across subnets — runs on L3 switch or router. Adds Option 82 (circuit/remote ID).
Lease	Time-limited IP assignment. Client renews at T1 (50% of lease), rebinds at T2 (87.5%) if no response.

DORA — the four-message exchange

Discover — client to 255.255.255.255 (broadcast)

Client has no IP. Broadcasts DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67. Contains: client MAC (chaddr), hostname (Option 12), requested parameters list (Option 55), optionally a requested IP (Option 50) from a previous lease.

Offer — server to 255.255.255.255 (broadcast)

Server reserves an IP and broadcasts DHCPOFFER. Contains: offered IP (yiaddr), lease time (Option 51), server ID (Option 54), subnet mask (Option 1), gateway (Option 3), DNS servers (Option 6). Multiple servers may reply — client picks the first offer.

Request — client to 255.255.255.255 (broadcast)

Client broadcasts DHCPREQUEST accepting a specific offer (Option 54 = chosen server ID, Option 50 = requested IP). Still a broadcast so all other servers know their offers were declined and can release the reserved addresses.

Acknowledge — server to client (broadcast or unicast)

Server confirms the lease with DHCPACK. Client now owns the IP for the lease duration. If the server finds a problem (IP conflict detected), it sends DHCPNAK instead, forcing the client to restart DORA. Client performs ARP probe before using the IP.

All four DORA messages are broadcast at L2 (destination MAC ff:ff:ff:ff:ff:ff) because the client has no IP yet. After receiving ACK, the client does a gratuitous ARP to check for IP conflicts. If a conflict is found, it sends DHCPDECLINE and restarts.

message types (Option 53)

value	message	direction	purpose
`1`	DHCPDISCOVER	Client to broadcast	Initial request for an IP address
`2`	DHCPOFFER	Server to broadcast	Server proposes an IP and lease parameters
`3`	DHCPREQUEST	Client to broadcast	Accept an offer, or renew/rebind an existing lease
`4`	DHCPDECLINE	Client to server	Client found IP conflict via ARP probe — rejecting offered IP
`5`	DHCPACK	Server to client	Lease confirmed — client may use the IP
`6`	DHCPNAK	Server to client	Lease rejected — client must restart DORA (wrong network, expired lease)
`7`	DHCPRELEASE	Client to server	Client is done — release the IP back to the pool
`8`	DHCPINFORM	Client to server	Client already has an IP (static) but wants config options (DNS, NTP, etc.)

common DHCP options

option	name	type	description
`1`	Subnet Mask	IPv4 addr	e.g. 255.255.255.0
`3`	Router (Default Gateway)	IPv4 addr list	First entry used as default route
`6`	Domain Name Server	IPv4 addr list	Up to 8 DNS servers, tried in order
`12`	Hostname	String	Client's hostname sent in Discover/Request
`15`	Domain Name	String	DNS search domain suffix (e.g. corp.example.com)
`28`	Broadcast Address	IPv4 addr	Subnet broadcast address
`33`	Static Route	Route list	Classful static routes (legacy — use Option 121 instead)
`42`	NTP Servers	IPv4 addr list	Network Time Protocol server addresses
`43`	Vendor-Specific Info	Binary	Used by APs (Cisco, Aruba, Ruckus) for controller discovery, Cisco IP phones for TFTP server
`50`	Requested IP Address	IPv4 addr	Client requests a specific IP (from previous lease)
`51`	Lease Time	uint32 (seconds)	Total lease duration
`53`	DHCP Message Type	uint8	Discover/Offer/Request/ACK etc. (see table above)
`54`	Server Identifier	IPv4 addr	IP of the DHCP server — used by client to select an offer
`55`	Parameter Request List	Option list	Client lists the options it wants the server to return
`58`	Renewal Time (T1)	uint32 (seconds)	When to unicast DHCPREQUEST to server (default 50% of lease)
`59`	Rebinding Time (T2)	uint32 (seconds)	When to broadcast DHCPREQUEST to any server (default 87.5% of lease)
`60`	Vendor Class Identifier	String	Client describes itself — e.g. "MSFT 5.0" (Windows), "udhcp" (Linux). Used for class-based pools.
`61`	Client Identifier	Binary	Usually type 01 + MAC. Overrides chaddr for pool selection.
`66`	TFTP Server Name	String	Used by IP phones and APs for config file retrieval
`67`	Bootfile Name	String	PXE boot filename, or AP/phone config filename
`82`	Relay Agent Information	Sub-options	Added by relay agent: Circuit ID (sub-opt 1) = port/VLAN, Remote ID (sub-opt 2) = relay MAC. Used for tracking and policy.
`119`	Domain Search List	Domain list	Multiple DNS search suffixes (RFC 3397)
`121`	Classless Static Route	Route list	Classless routes with prefix length — supersedes Option 33. Must include default route if used.
`150`	TFTP Server Address	IPv4 addr list	Cisco-proprietary — used by Cisco IP phones and APs for TFTP
`255`	End	—	Marks end of options field

lease lifecycle & timers

timer	default	action	notes
T1 (renewal)	50% of lease	Client unicasts DHCPREQUEST to original server	Option 58. If server responds with DHCPACK, lease is renewed. Clock restarts.
T2 (rebinding)	87.5% of lease	Client broadcasts DHCPREQUEST to any server	Option 59. Original server unreachable — any server may extend the lease.
Expiry	100% of lease	Client must stop using IP, restart DORA	If no ACK received by expiry, client loses IP and returns to INIT state.

Common lease time recommendations: 8h for wired corporate, 4h for Wi-Fi (high turnover), 24h for servers/printers. Very short leases (under 1h) increase DHCP server load significantly and can cause IP exhaustion on busy wireless networks.

DHCP packet fields (RFC 2131)

field	size	description
op	1 B	1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
htype	1 B	Hardware type: 1 = Ethernet
hlen	1 B	Hardware address length: 6 for Ethernet MAC
hops	1 B	Incremented by each relay agent (max 16)
xid	4 B	Transaction ID — random value chosen by client to match replies to requests
secs	2 B	Seconds since client started current attempt (for server priority)
flags	2 B	Bit 0 = broadcast flag. If set, server must broadcast reply (client can't receive unicast yet).
ciaddr	4 B	Client IP — only filled if client has a valid IP (renewal/rebind)
yiaddr	4 B	"Your" IP — the IP being offered or assigned to client
siaddr	4 B	Next server IP for TFTP/PXE bootstrap
giaddr	4 B	Gateway/relay agent IP — server uses this to select the right pool and send reply back
chaddr	16 B	Client hardware (MAC) address — first 6 bytes used
sname	64 B	Optional server hostname
file	128 B	Boot filename for PXE
options	variable	Magic cookie (0x63825363) + TLV-encoded options

DHCP snooping & security

feature	what it does	notes
DHCP Snooping	Switch inspects DHCP traffic — only trusted ports may send DHCPOFFER/DHCPACK. Untrusted ports (access ports) can only send client messages.	Prevents rogue DHCP servers. Builds binding table (MAC, IP, port, VLAN) used by DAI and IP Source Guard.
DAI (Dynamic ARP Inspection)	Validates ARP packets against DHCP snooping binding table. Drops ARP replies where MAC/IP don't match a known binding.	Prevents ARP spoofing/poisoning. Requires DHCP snooping to be enabled first.
IP Source Guard	Blocks IP traffic from a port unless the source IP matches the DHCP snooping binding for that port.	Prevents IP spoofing. Can combine with MAC filtering. Overrides ACLs on data plane.
Rogue DHCP server	Unauthorized server handing out wrong gateway/DNS — all traffic goes through attacker (MITM) or clients get wrong routes.	Detected via DHCP snooping or packet capture. Look for unexpected DHCPOFFER sources in Wireshark.
DHCP starvation	Attacker sends thousands of DHCPDISCOVER with spoofed MACs, exhausting the pool.	Mitigated by port security (limit MACs per port) + DHCP snooping rate limiting.

troubleshooting quick reference

symptom	likely cause	check
APIPA address (169.254.x.x)	No DHCP response received	Is DHCP server reachable? Is relay agent configured on SVI? Is pool exhausted?
DHCPNAK received	Client on wrong subnet or lease expired	Client moved VLANs. Check giaddr vs pool scope. Force DORA restart.
Pool exhausted	All IPs leased, no room for new clients	Check lease time — reduce if clients are transient (Wi-Fi). Check for stale leases. Expand scope.
Client gets wrong gateway/DNS	Rogue DHCP server, wrong pool config	Capture DHCPOFFER — check server ID (Option 54). Enable DHCP snooping.
Slow DHCP (3-5 seconds)	Server slow, relay round-trip, or client retrying	Check secs field in Discover. Capture on server side to see if packets arrive. Check relay agent config.
DHCPDECLINE loop	IP conflict — offered IP already in use	ARP conflict on segment. Find device using the IP. Check for static IP assignments in pool range.
Option 82 drops	Server not configured to accept relayed requests	Enable "trust" for Option 82 on DHCP server, or configure relay to strip it.

Wireshark filter for all DHCP: dhcp or bootp. Filter by specific message type: dhcp.option.dhcp == 1 (Discover), dhcp.option.dhcp == 6 (NAK). Filter by client MAC: dhcp.hw.mac_addr == xx:xx:xx:xx:xx:xx.

Administrative Distance — quick reference

source	Cisco IOS	Aruba AOS-CX	Juniper JunOS	notes
Connected	0	0	0	Always preferred — directly attached interface
Static	1	1	5	Manually configured — very high priority
Static (default route)	1	1	5	0.0.0.0/0
EIGRP (summary)	5	—	—	Cisco-proprietary
eBGP	20	20	170	External BGP (different AS)
EIGRP (internal)	90	—	—	Cisco-proprietary
IGRP	100	—	—	Legacy Cisco — deprecated
OSPF	110	110	10	Most common IGP — Juniper prefers OSPF strongly
IS-IS	115	115	15	Common in large SP/DC networks
RIP	120	120	100	Legacy — max 15 hops, slow convergence
EIGRP (external)	170	—	—	Redistributed into EIGRP from another protocol
iBGP	200	200	170	Internal BGP (same AS) — lowest priority of routing protocols
Unknown / unreachable	255	255	255	Never installed in routing table

Lower AD wins. If two routes to the same destination exist from different protocols, the one with the lower AD is installed. AD only breaks ties between protocols — within a single protocol, metric decides.

route conflict resolver

Enter two competing routes to the same prefix and see which one wins.

Route A

Protocol

Custom AD (if custom)

Metric

Route B

Protocol

Custom AD (if custom)

Metric

Select protocols above to compare.

route selection order (Cisco IOS)

step	criterion	notes
1	Longest prefix match	10.1.1.0/24 beats 10.0.0.0/8 for destination 10.1.1.5 — always checked first regardless of AD or metric
2	Administrative Distance	Lower AD wins between routes from different protocols to same prefix
3	Metric	Within the same protocol, lower metric wins (OSPF cost, BGP path attributes, RIP hop count)
4	ECMP (tie)	If prefix, AD, and metric are all equal — load balance across paths (default 4 paths on Cisco)

BGP fundamentals

attribute	detail
Protocol	Path-vector routing protocol. RFC 4271. Uses TCP port 179.
iBGP	Between routers in the same AS. AD = 200. Requires full mesh or route reflectors. Does NOT increment AS_PATH.
eBGP	Between routers in different ASes. AD = 20. TTL = 1 by default (multihop requires ebgp-multihop). Increments AS_PATH.
ASN	16-bit (1–65535) or 32-bit (1–4294967295). Private range: 64512–65534 (16-bit), 4200000000–4294967294 (32-bit).
NLRI	Network Layer Reachability Information — the prefix being advertised (IP + prefix length).

BGP path selection order (Cisco) — higher wins unless noted

step	attribute	prefer	scope	notes
1	Weight	Higher	Local (Cisco only)	Cisco-proprietary. Set per-neighbor. Not advertised. Default 0 (32768 for locally originated).
2	LOCAL_PREF	Higher	iBGP (same AS)	Influences outbound path from your AS. Shared with all iBGP peers. Default 100.
3	Locally originated	Local wins	Local	network/redistribute command preferred over learned routes.
4	AS_PATH length	Shorter	eBGP	Number of ASes in the path. Commonly manipulated via AS_PATH prepending to influence inbound traffic.
5	ORIGIN	IGP > EGP > Incomplete	Any	i = network statement, e = EGP (legacy), ? = redistributed.
6	MED	Lower	eBGP (same neighbor AS)	Multi-Exit Discriminator. Hints to neighbor AS which entry point to use. Only compared between routes from same AS.
7	eBGP over iBGP	eBGP wins	Any	Externally learned routes preferred over internally learned.
8	IGP metric to next-hop	Lower	iBGP	Shortest interior path to the BGP next-hop address.
9	Oldest eBGP route	Oldest wins	eBGP	Prefers the more stable path (reduces churn).
10	Router ID	Lowest	Any	Tiebreaker — lowest BGP Router ID wins.
11	Neighbor IP	Lowest	Any	Final tiebreaker — lowest neighbor IP address.

Memory aid: W-L-L-A-O-M-E-I-O-R-N — Weight, Local-pref, Locally-originated, AS-path, Origin, Med, External, IGP-metric, Oldest, Router-id, Neighbor-ip. Or: "We Love Oranges AS Oranges Mean Pure Refreshment" (Weight, Local-pref, Originated, AS-path, Origin, MED, Paths-eBGP, Router-id)

well-known BGP communities

community	value	effect
NO_EXPORT	`0xFFFFFF01`	Do not advertise to eBGP peers — stays within the confederation or AS.
NO_ADVERTISE	`0xFFFFFF02`	Do not advertise to ANY BGP peer (iBGP or eBGP). Local use only.
LOCAL_AS	`0xFFFFFF03`	Do not send outside the local AS, even to confederation peers.
BLACKHOLE	`0xFFFF029A`	RFC 7999. Signals upstream to drop traffic to this prefix (used for DDoS mitigation / RTBH).

BGP states (FSM)

state	meaning
Idle	Initial state. BGP waiting to start. May be held here after error (idle hold timer).
Connect	Waiting for TCP connection to complete. If connect timer expires, moves to Active.
Active	TCP failed — trying again. Often seen when neighbor is unreachable or misconfigured.
OpenSent	TCP connected, OPEN message sent. Waiting for OPEN from peer.
OpenConfirm	OPEN received and validated. Exchanging KEEPALIVEs to confirm.
Established	Session up. UPDATEs flowing. This is the only state where routes are exchanged.

Stuck in Active = TCP can't complete (check reachability, ACLs, source IP). Stuck in OpenSent/OpenConfirm = OPEN mismatch (AS number wrong, hold time incompatible, auth mismatch).

common BGP techniques

technique	how	use case
AS_PATH prepend	Append your own ASN multiple times to the AS_PATH on outbound updates	Make a path look longer to influence inbound traffic from a specific peer to prefer your other link
LOCAL_PREF	Set higher value on preferred exit point in route-map	Influence outbound traffic — all iBGP peers prefer the exit with highest LOCAL_PREF
MED	Set lower MED on preferred entry point advertised to upstream AS	Hint to upstream which link they should use to reach your network (only works within same upstream AS)
Route reflector	Designate an RR to redistribute iBGP routes — eliminates full mesh requirement	Scales iBGP in large AS — without RR need n(n-1)/2 sessions
Confederation	Split AS into sub-ASes, use private ASNs internally	Alternative to RR for scaling iBGP — common in large ISPs
RTBH	Advertise attacked prefix with BLACKHOLE community to upstream	Remotely triggered black hole — upstream drops traffic before it hits your network
Soft reconfiguration	bgp soft-reconfig inbound — store received routes before policy	Allows clear ip bgp soft without dropping session — needed for policy changes

SD-WAN overview

concept	detail
What it is	Software-defined overlay that abstracts physical WAN links (MPLS, broadband, LTE) into a unified fabric with centralized policy control.
Key benefit	Application-aware path selection — route voice over low-latency MPLS, bulk data over cheap broadband, failover automatically on degradation.
Underlay	The physical WAN transport (MPLS, internet, LTE/5G). SD-WAN builds IPsec tunnels over the underlay.
Overlay	Virtual topology of IPsec tunnels — hub-spoke, full mesh, or hybrid. Managed by the controller.
vEdge / Edge device	CPE at branch — terminates tunnels, enforces policy, measures SLA metrics per path.
Controller / Orchestrator	Centralised management plane — distributes policy, topology, and certificates to all edge devices.

platform comparison

platform	vendor	controller	underlay support	standout features
Cisco Catalyst SD-WAN (Viptela)	Cisco	vManage (cloud/on-prem)	MPLS, Internet, LTE, DOCSIS	Deep IOS-XE integration, mature enterprise feature set, OMP routing protocol, strong security policy (ZBFW, IDS/IPS, SIG)
Cisco Meraki SD-WAN	Cisco	Meraki Dashboard (cloud-only)	Internet, LTE, MPLS	Zero-touch provisioning, simple UI, auto VPN (hub-spoke), tightly integrated with Meraki switching/wireless — best for SMB/distributed retail
Aruba EdgeConnect	HPE Aruba	Orchestrator (cloud/on-prem)	MPLS, Internet, LTE, DOCSIS	BusinessIntent Overlays, first-packet iQ (no flow learning delay), strong WAN optimisation heritage (Silver Peak), SASE integration
Fortinet Secure SD-WAN	Fortinet	FortiManager / FortiCloud	MPLS, Internet, LTE	NGFW + SD-WAN in single FortiGate device — eliminates separate security appliance, lowest TCO for security-first deployments
VMware VeloCloud (VCG)	Broadcom	VCO (cloud/on-prem)	MPLS, Internet, LTE	Strong carrier/MSP ecosystem, dynamic multipath optimisation (DMPO), widely deployed in telco-managed SD-WAN services
Versa Networks	Versa	Versa Director	MPLS, Internet, LTE	SASE-native, multi-tenancy, strong for MSPs, integrated SSE (SWG, CASB, ZTNA)

NSA vs SA deployment (5G / SD-WAN context)

	NSA (Non-Standalone)	SA (Standalone)
Control plane	Anchored on 4G LTE EPC	Native 5G Core (5GC)
Data plane	5G NR radio, LTE anchor	Full 5G NR + 5GC
Latency	~10–20 ms	~1–5 ms (with edge compute)
Network slicing	Not supported	Supported — critical for SD-WAN SLA guarantees
SD-WAN relevance	Good LTE fallback / augmentation	Enables 5G as primary WAN with SLA-backed slices

SASE components (Secure Access Service Edge)

component	function	replaces
SD-WAN	Underlay abstraction, path selection, WAN optimisation	MPLS + legacy WAN routers
SWG (Secure Web Gateway)	URL filtering, SSL inspection, malware scanning for internet traffic	On-prem web proxy
CASB	Cloud Access Security Broker — visibility and control over SaaS apps	DLP appliances
ZTNA	Zero Trust Network Access — identity-based access, replaces VPN	Remote access VPN
FWaaS	Firewall-as-a-Service — cloud-delivered NGFW inspection	Branch perimeter firewall

SD-WAN path selection — how it works

step	mechanism	detail
1	SLA probe / BFD	Each edge device continuously measures per-path metrics using BFD or ICMP/HTTP probes. Measurement interval typically 100–500 ms. Metrics: latency, jitter, packet loss.
2	Application identification	DPI classifies flows — matches by port, protocol, DPI signature, or IP prefix. First packet may use default path; subsequent packets use classified path (some vendors: first-packet iQ avoids this delay).
3	SLA policy match	Application class mapped to SLA policy (e.g. Voice SLA: latency <150ms, loss <1%, jitter <30ms). Controller pushes policies to all edges.
4	Path scoring	All available paths scored against the SLA policy. Paths that meet SLA thresholds are eligible. Among eligible paths, preference order applied (e.g. MPLS first, then broadband, then LTE).
5	Forwarding decision	Best path selected. If path degrades mid-flow (SLA violation detected), traffic rerouted to next-best path — typically sub-second failover.

SLA metrics reference

metric	what it measures	voice threshold	video threshold	data threshold
Latency (RTT)	Round-trip time in ms	< 150 ms	< 200 ms	< 500 ms
Jitter	Variation in packet delay (ms)	< 30 ms	< 50 ms	Not critical
Packet loss	% of packets dropped	< 1%	< 2%	< 5%
MOS score	Mean Opinion Score (1–5) for voice quality	> 3.6	—	—

ITU-T G.114 recommends one-way delay <150ms for voice. At >400ms one-way, conversations become unnatural. Jitter buffers can absorb 20–50ms of jitter but add latency in exchange.

path preference strategies

strategy	how it works	best for
Active/Standby	All traffic on primary path; secondary only used on failure. Simple but underutilises backup bandwidth.	Sites with limited broadband, MPLS-primary designs
Active/Active (load balance)	Traffic distributed across multiple paths per policy. Maximises utilisation but complicates troubleshooting.	Dual broadband sites, high-throughput branches
App-aware (tiered)	Voice/video on MPLS (low latency, guaranteed), bulk on broadband, LTE as last resort. Each app class has its own SLA.	Mixed-criticality enterprise branches — most common production design
Packet duplication	Send same packet on multiple paths simultaneously, receiver keeps first copy. Eliminates loss at cost of 2× bandwidth.	Ultra-critical real-time apps (trading, 911 dispatch) over lossy paths
FEC (Forward Error Correction)	Add redundant packets so receiver can reconstruct lost packets without retransmission.	Voice/video over high-loss consumer broadband or LTE

BFD (Bidirectional Forwarding Detection) reference

parameter	typical value	notes
Hello interval	100–300 ms	How often BFD probes are sent. Lower = faster detection, higher CPU/bandwidth.
Detection multiplier	3–5	Missed hellos before declaring path down. Detection time = interval × multiplier.
Detection time (example)	300 ms × 3 = 900 ms	Sub-second failover. Aggressive: 100ms × 3 = 300ms detection.
Async mode	Most common	Both sides send probes independently. Session down when multiplier × interval expires without receipt.
Echo mode	Optional	Loopback probes test forwarding plane only — lower CPU on remote end.

WAN / SD-WAN bandwidth sizing calculator

Enter your branch traffic profile to calculate required WAN capacity, with SD-WAN path recommendations.

branch profile

Concurrent users

Avg browsing/emailMbps/user

Video calls (HD)Mbps/user

VoIP callsMbps/user

Cloud / SaaS appsMbps/user

Backup / bulk transferMbps total

SD-WAN factors

Concurrency factor

Overhead + growth

IPsec tunnel overhead

Redundant path (N+1)

Raw demand—

After concurrency—

After IPsec overhead—

With growth buffer—

Recommended per-link circuit—

Total provisioned (with redundancy)—

SD-WAN path recommendation

common circuit types and characteristics

type	typical speed	latency	SLA	best for
MPLS (L3VPN)	10–10,000 Mbps	5–30 ms	Yes — carrier SLA	Voice, video, ERP — mission-critical, predictable performance
Business Broadband (cable/fibre)	100–10,000 Mbps	10–50 ms	Best-effort	Internet, cloud apps — low cost, high bandwidth
DIA (Dedicated Internet Access)	100–10,000 Mbps	5–20 ms	Yes — symmetrical	Hybrid WAN primary — guaranteed symmetrical, SLA-backed internet
4G LTE	10–150 Mbps	20–60 ms	Best-effort	Failover, temporary sites, pop-up branches
5G (sub-6 GHz)	100–1,000 Mbps	10–30 ms	Improving	Primary WAN for branches without fibre, replacing LTE failover
SD-WAN over internet	Aggregated	Varies	App-level SLA	Replacing MPLS for non-latency-sensitive apps — 60–80% cost reduction

circuit types reference

circuit type	speeds	latency	SLA	topology	cost	best for
DIA Dedicated Internet Access	10M–100G	< 5ms local	99.99% typical	Point-to-point to carrier POP	$$–$$$	Primary internet for enterprise, SD-WAN underlay, cloud connectivity. Symmetrical bandwidth.
MPLS Multiprotocol Label Switching	2M–10G	< 10ms site-to-site	99.99%+ with guarantees	Any-to-any private WAN	$$$–$$$$	Private site-to-site WAN, voice/video with QoS guarantees. Legacy but still common in regulated industries.
SD-WAN Software-Defined WAN	Any (overlay)	Depends on underlay	Managed SLA varies	Overlay on DIA/broadband/LTE	$–$$	Multi-site WAN over internet. Application-aware routing, failover, centralised management. Replaces MPLS for many.
Broadband / Cable DOCSIS / HFC	100M–2.5G down / asymmetric	5–30ms typical	Best-effort, no SLA	Shared last mile	$	SD-WAN secondary/backup, small branches, home office. Asymmetric — low upload limits.
Dark Fiber Unlit fiber lease	1G–400G+ (you provide optics)	< 1ms local	Physical only — you manage	Point-to-point or ring	$$$$	Campus/metro inter-site links. You supply the equipment (DWDM, transponders). Maximum control, maximum capex.
DWDM / WDM Dense Wavelength Division Multiplexing	100G–400G per lambda, 80+ lambdas	Speed of light	Carrier-grade 99.999%	Long-haul fiber rings	$$$$+	Data center interconnect, metro rings, carrier backbone. Multiple 100G wavelengths on single fiber pair.
4G/LTE Mobile broadband	10–150 Mbps typical	20–60ms typical	Best-effort, no SLA	Point-to-multipoint (tower)	$	OOB management, SD-WAN failover, temporary sites, pop-up events. Data caps apply.
5G Sub-6 / mmWave	100M–4G (sub-6), up to 10G (mmWave)	< 10ms (sub-6)	Carrier-dependent	Point-to-multipoint	$–$$	Fixed wireless access, SD-WAN primary in areas without fiber, private 5G campus networks.
VPLS / EVPN L2 VPN over carrier	10M–10G	< 10ms metro	Carrier SLA	Any-to-any L2	$$$	Layer 2 extension between sites. Data centre interconnect at L2. Transparent to routing.

DIA vs MPLS: DIA gives you raw internet bandwidth at lower cost; MPLS gives you guaranteed QoS and private routing but at premium pricing. SD-WAN over DIA is now the default choice for most enterprises, with MPLS retained only where strict latency/loss SLAs are contractually required.

bandwidth sizing calculator

user & app inputs

concurrent users

general browsing / email Mbps/user

video calls (HD) Mbps/user

VoIP calls Mbps/user

cloud apps (SaaS/ERP) Mbps/user

backup / file transfer Mbps total

concurrency factor

overhead / growth buffer

sizing results

—

raw demand

—

after concurrency

—

recommended circuit

—

with redundancy (×2)

OSPF area types reference

area type	LSA types allowed	external routes	default route	use case
Backbone (Area 0)	1,2,3,4,5	Yes (Type 5)	Optional	Required hub — all other areas must connect to Area 0 directly or via virtual link
Normal area	1,2,3,4,5	Yes (Type 5)	Optional	Standard non-backbone area — full LSA database
Stub	1,2,3	No — blocked	Injected by ABR	Leaf areas with no ASBR — reduces LSA database size significantly
Totally Stub	1,2	No	Injected by ABR	Most aggressive size reduction — only intra-area routes + default. Cisco-proprietary.
NSSA	1,2,3,7	Type 7 (internal)	Optional	Stub area that also has an ASBR redistributing external routes (e.g. connected to internet)
Totally NSSA	1,2,7	Type 7 (internal)	Injected by ABR	NSSA with default route injection — Cisco-proprietary

OSPF cost calculator

OSPF cost = reference bandwidth / interface bandwidth. Default reference = 100 Mbps (Cisco). Adjust reference to differentiate modern link speeds.

Reference BW

interface type	bandwidth	cost @ selected ref BW

* Cost floors at 1 — IOS cannot represent fractional costs. Set auto-cost reference-bandwidth 10000 (or higher) to differentiate GE from 10GE. Always set the same reference bandwidth on ALL OSPF routers in the domain.

DR / BDR election reference

step	criterion	notes
1	OSPF priority	Highest priority wins (0–255). Default 1. Priority 0 = never elected DR/BDR. Set on interface: `ip ospf priority X`
2	Router ID	Tiebreaker — highest Router ID wins. Router ID = highest loopback IP, else highest interface IP, or manually configured.

DR/BDR election only occurs on multi-access networks (Ethernet broadcast segments). Point-to-point links skip election entirely. DR reduces LSA flooding — instead of n(n-1)/2 adjacencies, all routers form adjacency only with DR and BDR. Election is non-preemptive — changing priority does not force re-election without clearing the OSPF process.

OSPF LSA types quick reference

LSA type	name	generated by	scope	carries
`1`	Router LSA	Every router	Single area	Links and states of the originating router
`2`	Network LSA	DR	Single area	List of routers on a broadcast segment
`3`	Summary LSA	ABR	Other areas	Inter-area routes — blocked in stub/totally-stub areas
`4`	ASBR Summary LSA	ABR	Other areas	Location of ASBR — blocked in stub areas
`5`	External LSA	ASBR	Entire OSPF domain	External routes (E1/E2) — blocked in all stub types
`7`	NSSA External LSA	ASBR in NSSA	NSSA area only	External routes within NSSA — converted to Type 5 by ABR

IPv6 address structure

component	detail
Length	128 bits — written as 8 groups of 4 hex digits separated by colons. Example: `2001:0db8:85a3:0000:0000:8a2e:0370:7334`
Compression rules	Leading zeros in each group may be omitted. One contiguous sequence of all-zero groups may be replaced with `::` (only once per address).
Prefix notation	CIDR-style: `2001:db8::/32`. Prefix length replaces subnet mask.
Interface ID	Typically the lower 64 bits. Can be EUI-64 derived, random (RFC 4941 privacy), or manually assigned.

address types

type	prefix	scope	notes
Global Unicast (GUA)	`2000::/3`	Internet-routable	Equivalent to public IPv4. IANA allocates from 2001::/32 upward. Your ISP gives you a /48 or /56.
Link-Local	`fe80::/10`	Single link	Auto-configured on every IPv6 interface. Never routed. Used for NDP, DHCPv6, routing protocol adjacencies. Required even if no GUA assigned.
Unique Local (ULA)	`fc00::/7`	Organization	Roughly equivalent to RFC 1918. Not routable on internet. `fd00::/8` is locally assigned (randomly generated 40-bit prefix). Use for internal services.
Loopback	`::1/128`	Host	Equivalent to 127.0.0.1. Single address.
Unspecified	`::/128`	—	Source address used before interface has an address (DHCPv6 solicit, DAD). Never destination.
Multicast	`ff00::/8`	Varies	No IPv6 broadcast — multicast replaces it. See table below for well-known groups.
Anycast	From unicast space	Nearest node	Same address assigned to multiple nodes — routed to closest. Used for DNS root servers, CDN, load balancing.
Documentation	`2001:db8::/32`	Examples only	Reserved for documentation and examples (RFC 3849). Never routed.

well-known multicast addresses

address	group	notes
`ff02::1`	All nodes (link-local)	Equivalent to 224.0.0.1. Reaches all IPv6 nodes on the link.
`ff02::2`	All routers (link-local)	Used by hosts to find routers for SLAAC (RS messages).
`ff02::5`	OSPFv3 all routers	OSPFv3 hello messages.
`ff02::6`	OSPFv3 DR/BDR	OSPFv3 designated router.
`ff02::9`	RIPng	RIPng routing updates.
`ff02::a`	EIGRP	EIGRP hellos and updates.
`ff02::1:2`	All DHCPv6 relay/servers	DHCPv6 client sends Solicit to this address.
`ff02::1:ffxx:xxxx`	Solicited-node multicast	Derived from last 24 bits of unicast address. Used for NDP neighbor solicitation (replaces ARP).

EUI-64 interface ID generation

step	detail
1	Take the 48-bit MAC address: `00:1A:2B:3C:4D:5E`
2	Split in half and insert `FF:FE` in the middle: `00:1A:2B:FF:FE:3C:4D:5E`
3	Flip bit 7 of the first byte (Universal/Local bit): `00` → `02`
4	Result: `021a:2bff:fe3c:4d5e` — append to /64 prefix for full address.

Privacy concern: EUI-64 embeds your MAC address in the IPv6 address, making you trackable across networks. RFC 4941 (privacy extensions) generates random Interface IDs instead and is default on most modern OS.

NDP — Neighbor Discovery Protocol (replaces ARP)

message type	ICMPv6 type	purpose	IPv4 equivalent
Router Solicitation (RS)	`133`	Host asks routers to send RA immediately	—
Router Advertisement (RA)	`134`	Router announces prefix, default gateway, M/O flags	DHCP offer (partial)
Neighbor Solicitation (NS)	`135`	Resolve IPv6 address to MAC (like ARP request), also used for DAD	ARP request
Neighbor Advertisement (NA)	`136`	Reply with MAC address	ARP reply
Redirect	`137`	Router tells host of better next-hop	ICMP Redirect

address configuration methods

method	M flag	O flag	how it works	best for
SLAAC	0	0	Host combines /64 prefix from RA with self-generated Interface ID (EUI-64 or random). No server needed.	Simple networks, IoT, home
SLAAC + Stateless DHCPv6	0	1	SLAAC for address, DHCPv6 for other options (DNS, NTP). Server assigns no address.	Enterprise where DNS control needed
Stateful DHCPv6	1	1	DHCPv6 server assigns full address + options. Like DHCPv4. Requires relay on routed segments.	Enterprise requiring address control
Static	—	—	Manually configured. Always needed for router interfaces and servers.	Servers, routers, infrastructure

DAD (Duplicate Address Detection) runs automatically before any unicast address is used — sends NS to the solicited-node multicast address; if NA received, address is a duplicate and not assigned.

common IPv6 prefixes reference

prefix	allocation	notes
`/32`	ISP allocation	Typical block assigned to an ISP from RIR
`/48`	Site / customer	Typical allocation to an end-site. Allows 65,536 subnets of /64.
`/56`	Residential / small site	Common ISP allocation for home/SOHO — 256 subnets of /64.
`/64`	Single subnet	Standard subnet size. Required for SLAAC and EUI-64. 18.4 quintillion host addresses.
`/127`	Point-to-point links	RFC 6164. Use instead of /64 on router-to-router links to prevent subnet-router anycast issues.
`/128`	Host / loopback	Single address — used for loopbacks, anycast, and host routes.

VPN types overview

type	layer	common use	key protocols
IPsec (tunnel mode)	L3	Site-to-site, remote access	IKEv1/v2, ESP, AH
IPsec (transport mode)	L3	Host-to-host encryption	ESP, AH
GRE	L3	Tunnel multicast/routing protocols	GRE (IP proto 47)
GRE over IPsec	L3	Site-to-site with routing protocol support	GRE + ESP
DMVPN	L3	Hub-spoke with dynamic spoke-to-spoke	mGRE, NHRP, IPsec
FlexVPN	L3	Modern Cisco VPN framework	IKEv2, VTI
SSL/TLS VPN	L4-L7	Remote access, clientless	TLS, DTLS
WireGuard	L3	Modern simple VPN	UDP, Curve25519, ChaCha20
L2TP/IPsec	L2 in L3	Legacy remote access (Windows built-in)	L2TP + IPsec ESP
MPLS L3VPN	L2.5	Service provider enterprise VPN	MPLS, MP-BGP, VRF

IPsec — IKEv2 negotiation phases

phase	name	what happens	output
Phase 1	IKE_SA_INIT	Exchange DH public keys, nonces, SA proposals (encryption, integrity, PRF, DH group). Establishes a secure authenticated channel.	IKE SA — encrypted management channel
Phase 2	IKE_AUTH	Authenticate peers (pre-shared key or certificates), negotiate first Child SA (IPsec tunnel parameters).	Child SA — the actual data tunnel (ESP/AH)
Rekey	CREATE_CHILD_SA	Renew Child SAs before lifetime expires without dropping traffic. Can also add new tunnels.	New Child SA, old removed

IKEv2 is faster (2 exchanges vs IKEv1's 6–9), supports MOBIKE (mobility), EAP authentication, and asymmetric authentication. Always prefer IKEv2 for new deployments.

IPsec modes — tunnel vs transport

	Tunnel mode	Transport mode
What's encrypted	Entire original IP packet (header + payload) encapsulated in new IP packet	Only the IP payload (TCP/UDP data); original IP header preserved
New IP header	Added — outer header uses tunnel endpoints (gateway IPs)	None — original header used
Use case	Site-to-site VPN, remote access (gateway encrypts on behalf of hosts)	Host-to-host encryption (both endpoints run IPsec stack)
Overhead	Higher — extra IP header + ESP header (~50–60 bytes)	Lower — no extra IP header (~30–40 bytes)

IPsec — ESP vs AH

	ESP (Encapsulating Security Payload)	AH (Authentication Header)
IP protocol	50	51
Encryption	Yes — AES-GCM, AES-CBC, ChaCha20-Poly1305	No
Authentication	Yes (of payload)	Yes (of entire packet including IP header)
NAT traversal	Yes — ESP-in-UDP (port 4500) for NAT-T	No — AH covers IP header, broken by NAT
Used in practice	Always — ESP is the standard	Rare — AH is mostly legacy

DMVPN — Dynamic Multipoint VPN

component	role	notes
Hub	Central site	Runs mGRE and NHRP server. All spokes register their NBMA (real) address here on boot.
Spoke	Branch site	Registers with hub. Can dynamically build direct spoke-to-spoke tunnels without hub forwarding.
mGRE	Multipoint GRE	Single GRE interface on hub that terminates tunnels from all spokes. Eliminates hub config scaling problem.
NHRP	Next Hop Resolution Protocol	Spoke queries hub for another spoke's real IP. Hub responds so spokes can build direct tunnel. Like ARP for DMVPN.
Phase 1	Hub-and-spoke only	All traffic flows through hub. Simple. No direct spoke-to-spoke.
Phase 2	Spoke-to-spoke (same subnet)	Spokes learn each other's IPs via NHRP and build direct tunnels. Hub in same subnet as spokes.
Phase 3	Spoke-to-spoke (hierarchical)	Uses NHRP redirect/shortcut. Spokes can be in different subnets. Most scalable.

GRE — Generic Routing Encapsulation

attribute	detail
IP protocol	47
Overhead	24 bytes (20 outer IP + 4 GRE header). MTU considerations: reduce inner MTU to 1476 (1500 − 24) or enable PMTUD.
Supports multicast	Yes — can carry OSPF, EIGRP, PIM hellos. IPsec alone cannot carry multicast.
Encryption	None — GRE is an encapsulation protocol only. Combine with IPsec for security.
Keepalives	Supported (Cisco). Send GRE keepalives to detect far-end tunnel failure even if routing still up.
Recursive routing	Common misconfiguration — tunnel destination reachable only via the tunnel itself. Fix: use a static route for the tunnel destination via the physical interface.

WireGuard quick reference

attribute	detail
Transport	UDP — port 51820 default (configurable)
Crypto	Curve25519 (key exchange), ChaCha20-Poly1305 (encryption + auth), BLAKE2s (hash), SipHash24 (hashtable)
Authentication	Public/private key pairs — no certificates, no PKI, no CA needed
Handshake	1-RTT — much faster than IKEv2's 2-RTT. Initiator sends first packet, responder replies, tunnel up.
Roaming	Built-in — IP address changes handled transparently. Endpoint updates on valid packet receipt.
Stealth	No response to unauthenticated packets — appears as closed port to scanners.
vs IPsec	Far simpler config, smaller attack surface (~4K LoC vs ~400K), faster, but fewer enterprise features (no IKEv2 EAP, no RADIUS integration).

common IPsec port / protocol reference

protocol/port	purpose	notes
`UDP 500`	IKE (Internet Key Exchange)	Phase 1 and Phase 2 negotiation. Used when no NAT detected.
`UDP 4500`	IKE NAT-Traversal + ESP-in-UDP	Used when NAT detected between peers. ESP packets wrapped in UDP for NAT compatibility.
`IP proto 50`	ESP	The actual encrypted data. Used directly when no NAT. Becomes UDP 4500 with NAT-T.
`IP proto 51`	AH	Authentication only. Rarely used. Incompatible with NAT.
`IP proto 47`	GRE	GRE tunnel encapsulation. Often combined with IPsec.

SNMP versions comparison

	SNMPv1	SNMPv2c	SNMPv3
Authentication	Community string (cleartext)	Community string (cleartext)	Username + MD5/SHA hash
Encryption	None	None	DES / AES-128/256
Bulk operations	No	Yes — GetBulk	Yes — GetBulk
64-bit counters	No	Yes (Counter64)	Yes
Use today	Legacy only	Common (monitoring)	Required for security

Use SNMPv3 with authPriv security level for any device accessible beyond your management VLAN. Community strings in v1/v2c are transmitted in cleartext and visible in packet captures.

SNMPv3 security levels

level	authentication	encryption	use case
noAuthNoPriv	Username only	None	Avoid — no real security
authNoPriv	MD5 or SHA	None	Verifies source but data is cleartext
authPriv	MD5 or SHA	DES or AES	Recommended — full security

SNMP operations

operation	direction	port	purpose
GET	Manager → Agent	UDP 161	Retrieve a specific OID value
GET-NEXT	Manager → Agent	UDP 161	Walk the MIB tree — get next OID in sequence
GET-BULK	Manager → Agent	UDP 161	v2c/v3 — retrieve multiple OIDs in one request. Efficient for tables.
SET	Manager → Agent	UDP 161	Write a value to the agent. Requires read-write community / access.
TRAP	Agent → Manager	UDP 162	Unsolicited alert from agent (link down, threshold exceeded). No acknowledgement.
INFORM	Agent → Manager	UDP 162	Like TRAP but manager acknowledges. Reliable delivery. v2c/v3 only.

useful OIDs — quick reference

OID	name	description
`1.3.6.1.2.1.1.1.0`	sysDescr	Device description string (OS version, model)
`1.3.6.1.2.1.1.3.0`	sysUpTime	Time since last reboot (in hundredths of a second)
`1.3.6.1.2.1.1.5.0`	sysName	Configured hostname
`1.3.6.1.2.1.2.2.1.8`	ifOperStatus	Interface operational status (1=up, 2=down)
`1.3.6.1.2.1.2.2.1.10`	ifInOctets	Inbound octets on interface (32-bit, wraps on high-speed links)
`1.3.6.1.2.1.2.2.1.16`	ifOutOctets	Outbound octets on interface
`1.3.6.1.2.1.31.1.1.1.6`	ifHCInOctets	64-bit inbound octet counter — use this for interfaces above 100 Mbps
`1.3.6.1.2.1.4.21`	ipRouteTable	IP routing table
`1.3.6.1.4.1.9`	Cisco enterprise MIB	Cisco-specific OIDs (CPU, memory, temperature)

Syslog severity levels

level	name	meaning	examples
0	Emergency	System unusable	Kernel panic, total hardware failure
1	Alert	Immediate action required	Database corruption, all redundancy lost
2	Critical	Critical conditions	Dual PSU failure, hardware error
3	Error	Error conditions	Interface error, BGP session down, config apply fail
4	Warning	Warning conditions	High CPU, link flap, interface error rate
5	Notice	Normal but significant	Config change, user login, interface up/down
6	Informational	Informational messages	STP topology change, OSPF adjacency up
7	Debug	Debug-level messages	Per-packet detail — never send to syslog server in production

Cisco IOS default logging: severity 6 (informational) to console and buffer. Recommended syslog server level: 5 (notice) or 6 (informational) to capture events without flooding. logging trap <level> on Cisco sets the threshold sent to the syslog server.

Syslog — facility codes (common)

facility	code	typical source
kern	0	Kernel messages
user	1	User-level messages
mail	2	Mail system
daemon	3	System daemons
auth	4	Security/authentication (login, sudo)
syslog	5	Syslog daemon itself
local0–local7	16–23	Custom use — network devices commonly use local6 or local7

NTP — Network Time Protocol

concept	detail
Port	UDP 123
Stratum 0	Reference clock (atomic, GPS, radio). Not directly accessible on network.
Stratum 1	Directly connected to stratum 0. Public NTP servers (time.cloudflare.com, pool.ntp.org). Most accurate on internet.
Stratum 2	Syncs from stratum 1. Your internal NTP server should be stratum 2.
Stratum 3–15	Each level adds ~1ms jitter. Avoid deep chains.
Stratum 16	Unsynchronized — device does not have a valid time source.
NTPv4	Current version. Supports IPv6, improved security, up to nanosecond precision.
PTP (IEEE 1588)	Precision Time Protocol — sub-microsecond accuracy for financial, telecom, 5G. Hardware timestamping required.

Why NTP matters for networks: syslog timestamps across devices must match to correlate events during incidents. Certificate validation requires accurate time. Kerberos authentication fails if clocks are skewed >5 minutes. OSPF/BGP can be affected by timestamp issues in some implementations.

NTP best practices

practice	detail
Minimum sources	Configure at least 3 NTP servers so NTP can use majority voting to detect a bad time source. 4+ preferred.
Internal hierarchy	Point all network devices to 2–3 internal NTP servers (your core routers or dedicated appliances). Internal servers sync to 2+ public stratum 1/2 sources.
Authentication	Use NTP MD5 authentication between internal servers and clients to prevent rogue NTP server attacks.
Restrict access	NTP ACL — only allow queries from your management network. Prevents NTP amplification DDoS abuse.
Cisco quick config	`ntp server <IP> prefer` / `ntp source <interface>` / `show ntp status` / `show ntp associations`

Work through each layer in order. Click a layer to expand its checks. Most Wi-Fi issues resolve at L1 or L2 — don't skip to DHCP before verifying association.

Physical / RF — Can the client see the AP?

L1 RF ▶

→Client RSSI at AP — use AP CLI or controller dashboard. Minimum for reliable data: −70 dBm. Below −75 dBm: expect degraded performance. Below −80 dBm: likely disconnects.

→SNR — Signal-to-Noise Ratio. Below 20 dB is marginal, below 10 dB will cause heavy retransmissions. Check noise floor too: a −70 dBm signal with −65 dBm noise floor (5 dB SNR) is worse than −80 dBm with −95 dBm noise (15 dB SNR).

→Channel utilization — above 70% causes contention delays. Check on controller or AP CLI. If high, check for non-Wi-Fi interference (microwave, Bluetooth, radar, baby monitors on 2.4 GHz).

→Client is on wrong band — if client capable of 5 GHz but stuck on 2.4 GHz, check band steering config. 2.4 GHz is more congested and limited to HT40 max (300 Mbps theoretical).

→AP seeing the client — run show wireless client detail mac <MAC> (Cisco) or equivalent. If AP doesn't see client at all, the client can't hear the AP's beacon — move closer or check AP operational status.

✓ Pass if: client RSSI ≥ −70 dBm, SNR ≥ 20 dB, channel utilization < 70%, client on appropriate band.

✗ Fail symptoms: client can't see SSID, sees SSID but can't connect, very slow speeds, high retry rate.

Association — Is the client joining the BSSID?

L2 802.11 ▶

→Association state — check client state on controller: should be "Associated" before authentication begins. States: Idle → Authenticating → Associated → (8021X) → DHCP → Connected.

→SSID mismatch — confirm the client is connecting to the right SSID and BSSID. A client may associate to the correct SSID name on a neighboring AP in a different VLAN.

→Deauthentication / disassociation storms — look for reason codes in association logs. Common: Reason 1 (unspecified), Reason 2 (prev auth no longer valid), Reason 3 (left BSS), Reason 4/5 (AP deauth/disassoc). Frequent deauths = signal issue or client driver bug.

→Client exclusion / blacklist — many controllers auto-exclude clients after repeated failed auths. Check exclusion list. Common trigger: wrong PSK entered 3–5 times.

→Max client limit — APs have a max concurrent client limit (typically 100–200 per radio). Check current client count on the AP radio.

✓ Pass if: client state = Associated, no deauth loops, not excluded, AP below client limit.

✗ Fail symptoms: client associates then immediately disconnects, stuck in "authenticating" state, not visible on controller.

Authentication — Is 802.1X / PSK passing?

L2 Auth ▶

→PSK networks — if client associates but doesn't get IP, check the PSK. A wrong PSK causes a 4-way handshake failure — client associates at L2 but EAPOL MIC check fails, AP deauths client. On Wireshark: look for EAPOL frame 2 followed by deauth.

→802.1X — RADIUS reachability — AP/WLC must reach the RADIUS server. Check show aaa servers (Cisco). Confirm UDP 1812 is open between WLC and RADIUS. A RADIUS timeout causes client auth failure with no useful error to the client.

→RADIUS reject vs timeout — reject means credentials wrong or policy failure (check NPS/ISE logs). Timeout means RADIUS unreachable or shared secret mismatch (packet sent but no reply, or RADIUS gets packet but MAC mismatch on shared secret).

→Certificate errors (EAP-TLS / PEAP) — client not trusting server cert: ensure root CA is installed on client. Server not trusting client cert (EAP-TLS): check cert expiry, CRL reachability, RADIUS auth store. Most common EAP-TLS failure: expired cert or CRL server unreachable.

→VLAN assignment — RADIUS can return a VLAN attribute (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=VLAN-ID). If VLAN doesn't exist on AP/WLC trunk, client may be dropped or placed in default VLAN.

✓ Pass if: RADIUS Access-Accept received, VLAN assigned, client moves to DHCP state.

✗ Fail symptoms: "Authentication failed" on client, repeated deauths after association, stuck at "Getting network address" (skipped to DHCP but then re-auth loop).

DHCP — Is the client getting an IP?

L3 DHCP ▶

→Client IP address — does the client have a valid IP (not 169.254.x.x APIPA, not 0.0.0.0)? APIPA = DHCP failed. Check client DHCP logs.

→DHCP relay — the AP/WLC converts client DHCP broadcasts to unicast DHCP relay (giaddr = WLC SVI IP or AP management IP). Check the relay agent config on the SVI: ip helper-address <DHCP server IP>. If missing, DHCP broadcasts never reach the server.

→Correct VLAN / pool — DHCP server pool must match the client VLAN subnet. A client in VLAN 20 (10.20.0.0/24) won't get an IP if only a VLAN 10 pool exists. Check DHCP server binding table and scope.

→Pool exhaustion — check remaining DHCP leases. On Cisco: show ip dhcp binding / show ip dhcp pool. Common in high-density venues — shorten lease times or expand scope.

→DHCP snooping — if enabled on the switch/WLC VLAN, check that the DHCP server port is trusted. If the WLC uplink is not trusted, DHCP offers will be dropped.

✓ Pass if: client has valid IP in correct subnet with gateway and DNS populated.

✗ Fail symptoms: 169.254.x.x address, "Limited connectivity", stuck at "Getting IP address".

Routing / DNS — Can the client reach its destination?

L3 Routing ▶

→Default gateway reachable? — ping <default gateway> from client. If this fails: check the SVI is up, ACL not blocking ICMP, client ARP table has gateway MAC (run arp -a).

→DNS resolution — nslookup google.com <DNS IP>. If DNS fails but gateway pings: check firewall rules allowing UDP/TCP 53 to the DNS server. Also verify DHCP Option 6 (DNS) is populated correctly.

→Internet reachable but internal resources not? — likely a routing or firewall issue between the wireless VLAN and internal subnets. Check inter-VLAN routing on the core switch/router and firewall policies.

→Client isolation / peer blocking — many SSIDs enable AP client isolation (blocks client-to-client traffic on same SSID). If clients can't reach each other or local printers, check client isolation setting. Normal for guest networks, problematic for corporate.

→Captive portal loop — if client gets IP and gateway pings but HTTP redirects to captive portal indefinitely: check portal reachability, DNS pre-auth whitelist, and whether the client already has a valid session. HTTPS-only sites will show cert error instead of portal — ensure HTTP redirect is in place.

✓ Pass if: gateway pings, DNS resolves, target resources reachable. Issue is resolved.

✗ If all 5 layers pass but user still complains: check application-layer issues, proxy config, or client firewall/VPN software.

quick triage commands

platform	command	purpose
Cisco WLC (IOS-XE)	`show wireless client detail mac <MAC>`	Full client state, AP, RSSI, VLAN, auth method
Cisco WLC	`show wireless client summary`	All connected clients — count, SSID, AP
Cisco AP (local)	`show dot11 associations`	Clients associated to this AP
Aruba Controller	`show user-table mac <MAC>`	Client table — IP, VLAN, role, AP
Aruba Controller	`show ap association`	AP association table
Wireshark (client side)	`wlan.fc.type_subtype == 12`	Filter deauthentication frames — shows reason code
Wireshark	`eapol`	Show 4-way handshake — useful for PSK failure diagnosis
Windows client	`netsh wlan show interfaces`	Current SSID, BSSID, signal, channel, Rx/Tx rate
macOS client	`⌥-click Wi-Fi menu`	Shows RSSI, noise, channel, PHY mode, rate

task	🟦 Cisco IOS / IOS-XE	🟩 Aruba AOS-CX	🟧 Juniper JunOS	🟥 Arista EOS

task	🟦 Cisco 9800 (IOS-XE)	🟩 Aruba MC (AOS8)	🟧 Ruckus SmartZone	🟣 Juniper Mist

command	description	example
`ifconfig`	Show all interfaces and IPs	ifconfig en0
`networksetup -listallhardwareports`	List hardware interfaces with BSD names	networksetup -listallhardwareports
`networksetup -setmanual`	Set static IP	networksetup -setmanual "Wi-Fi" 192.168.1.10 255.255.255.0 192.168.1.1
`networksetup -setdhcp`	Set interface to DHCP	networksetup -setdhcp "Wi-Fi"
`ifconfig en0 up/down`	Bring interface up/down	sudo ifconfig en0 down && sudo ifconfig en0 up
`ifconfig en0 mtu 9000`	Set MTU	sudo ifconfig en0 mtu 9000
`system_profiler SPNetworkDataType`	Full network config details	system_profiler SPNetworkDataType \| grep -A5 "Wi-Fi"

command	description	example
`netstat -rn`	Show routing table	netstat -rn -f inet
`route add`	Add static route	sudo route add -net 10.0.0.0/8 192.168.1.1
`route delete`	Remove route	sudo route delete 10.0.0.0/8
`route get`	Which route used for destination	route get 8.8.8.8
`arp -a`	Show ARP cache	arp -a
`arp -d`	Delete ARP entry	sudo arp -d 192.168.1.1
`traceroute`	Trace hops to destination	traceroute -n 8.8.8.8

command	description	example
`dig`	DNS lookup (installed with Xcode CLT)	dig google.com A / dig @1.1.1.1 google.com
`nslookup`	DNS lookup (built-in)	nslookup google.com 8.8.8.8
`host`	Simple DNS query	host -t AAAA google.com
`dscacheutil -flushcache`	Flush DNS cache (macOS 10.10.4+)	sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
`networksetup -getdnsservers`	Show DNS servers for interface	networksetup -getdnsservers "Wi-Fi"
`networksetup -setdnsservers`	Set DNS servers	networksetup -setdnsservers "Wi-Fi" 1.1.1.1 8.8.8.8

command	description	example
`tcpdump -i en0`	Capture on interface	sudo tcpdump -i en0 host 10.0.0.1 -nn
`tcpdump -D`	List capture interfaces	tcpdump -D
`nc -zv host port`	Test TCP port	nc -zv 10.0.0.1 443
`lsof -i :port`	What process is using port	lsof -i :443
`netstat -an`	All connections	netstat -an \| grep ESTABLISHED
`curl -v`	HTTP/HTTPS connectivity test	curl -v --max-time 5 https://example.com
`ping -c 4`	ICMP echo test	ping -c 4 8.8.8.8

command	description	example
`pfctl -s all`	Show all pf rules and state	sudo pfctl -s all
`pfctl -e / -d`	Enable / disable pf firewall	sudo pfctl -e
`pfctl -f /etc/pf.conf`	Load pf rules from file	sudo pfctl -f /etc/pf.conf
`socketfilterfw`	Application firewall (GUI layer)	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command	description	example
`airport -s`	Scan nearby Wi-Fi networks with signal	/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
`airport -I`	Current connection info (SSID, BSSID, RSSI, channel, MCS)	airport -I
`airport --channel=`	Set channel (requires monitor mode)	airport --channel=6
`networksetup -listpreferredwirelessnetworks`	Show saved Wi-Fi profiles	networksetup -listpreferredwirelessnetworks en0
`networksetup -addpreferredwirelessnetworkatindex`	Add Wi-Fi profile	networksetup -addpreferredwirelessnetworkatindex en0 "SSID" 0 WPA2 "password"
`networksetup -removepreferredwirelessnetwork`	Remove saved Wi-Fi network	networksetup -removepreferredwirelessnetwork en0 "SSID"
`networksetup -setairportpower en0 on/off`	Toggle Wi-Fi on/off	networksetup -setairportpower en0 off
`Option + Wi-Fi icon`	Show detailed Wi-Fi info (RSSI, noise, channel, PHY mode)	Hold Option key then click Wi-Fi icon in menu bar
`Wireless Diagnostics sniffer`	Monitor mode packet capture	Option + Wi-Fi icon > Open Wireless Diagnostics > Window > Sniffer

command	description	example
`ipconfig /all`	Show all adapters, IPs, MACs, DHCP info	ipconfig /all
`ipconfig /release`	Release DHCP lease	ipconfig /release "Ethernet"
`ipconfig /renew`	Renew DHCP lease	ipconfig /renew "Wi-Fi"
`netsh interface show interface`	List interfaces and state	netsh interface show interface
`netsh interface ip set address`	Set static IP	netsh interface ip set address "Ethernet" static 192.168.1.10 255.255.255.0 192.168.1.1
`Get-NetAdapter`	List adapters (PowerShell)	Get-NetAdapter \| Select Name, Status, LinkSpeed
`Get-NetIPAddress`	Show IP addresses (PowerShell)	Get-NetIPAddress -AddressFamily IPv4
`Disable-NetAdapter / Enable-NetAdapter`	Disable/enable adapter (PowerShell, admin)	Disable-NetAdapter -Name "Ethernet" -Confirm:$false

command	description	example
`route print`	Show routing table	route print -4
`route add`	Add persistent static route	route -p add 10.0.0.0 mask 255.0.0.0 192.168.1.1
`route delete`	Remove route	route delete 10.0.0.0
`arp -a`	Show ARP cache	arp -a
`arp -d *`	Flush ARP cache (admin)	arp -d *
`tracert`	Trace hops (ICMP)	tracert -d 8.8.8.8
`Get-NetRoute`	Routing table (PowerShell)	Get-NetRoute -AddressFamily IPv4

command	description	example
`ping`	ICMP echo test	ping -n 4 8.8.8.8
`ping -6`	IPv6 ping	ping -6 -n 4 2001:4860:4860::8888
`Test-NetConnection`	Test TCP port (PowerShell)	Test-NetConnection -ComputerName 10.0.0.1 -Port 443
`netstat -ano`	All connections with PID	netstat -ano \| findstr :443
`Get-NetTCPConnection`	TCP connections (PowerShell)	Get-NetTCPConnection -State Established
`pktmon start`	Built-in packet capture (Win 10+)	pktmon start --capture -f c:\cap.etl
`pktmon etl2pcap`	Convert pktmon capture to pcap	pktmon etl2pcap c:\cap.etl -o c:\cap.pcap
`netsh trace start`	Network trace (ETL format)	netsh trace start capture=yes tracefile=c:\trace.etl

command	description	example
`netsh advfirewall show allprofiles`	Show firewall state for all profiles	netsh advfirewall show allprofiles state
`netsh advfirewall set allprofiles state off`	Disable firewall (admin, troubleshoot only)	netsh advfirewall set allprofiles state off
`netsh advfirewall firewall add rule`	Add inbound allow rule	netsh advfirewall firewall add rule name="Allow 443" protocol=TCP dir=in localport=443 action=allow
`Get-NetFirewallRule`	List firewall rules (PowerShell)	Get-NetFirewallRule \| Where {$_.Enabled -eq "True"}
`New-NetFirewallRule`	Create rule (PowerShell)	New-NetFirewallRule -DisplayName "Block 23" -Direction Inbound -LocalPort 23 -Protocol TCP -Action Block

command	description	example
`netsh wlan show all`	All WLAN interfaces, profiles, and nearby networks	netsh wlan show all
`netsh wlan show networks mode=bssid`	Scan with BSSID, signal, channel	netsh wlan show networks mode=bssid
`netsh wlan show interfaces`	Current connection (SSID, BSSID, channel, signal, Rx/Tx rate)	netsh wlan show interfaces
`netsh wlan show profiles`	List saved Wi-Fi profiles	netsh wlan show profiles
`netsh wlan show profile key=clear`	Show saved password for a profile	netsh wlan show profile name="SSID" key=clear
`netsh wlan connect`	Connect to a saved profile	netsh wlan connect name="SSID"
`netsh wlan disconnect`	Disconnect from Wi-Fi	netsh wlan disconnect interface="Wi-Fi"
`netsh wlan delete profile`	Remove saved Wi-Fi profile	netsh wlan delete profile name="SSID"
`netsh wlan export profile`	Export Wi-Fi profile to XML	netsh wlan export profile name="SSID" folder=C:\profiles
`Get-NetAdapter \| where {$_.Name -like "Wi-Fi"}`	Wi-Fi adapter info (PowerShell)	Get-NetAdapter \| where {$_.Name -like "Wi-Fi"} \| fl *

Pro Feature

VLAN / Trunk Planner