Roadmap
Network Administrator
The professional who designs, implements, and maintains an organization's network infrastructure. Manages routers, switches, firewalls, wireless access points, and VPNs while ensuring network availability, performance, and security.
OPTIMISTIC 18–24 months · REALISTIC 2–3 years
Stage 00
Computer & IT Fundamentals
Network administrators work with physical infrastructure. Understanding hardware and systems provides context for everything the network connects.
Hardware & Systems Basics
- Server hardware — rack form factors, NIC types, storage interfaces
- Workstations — desktop, laptop, mobile — the endpoints the network serves
- Operating systems — Windows, Linux, macOS — client network configuration in each
- Network interface cards — physical (RJ-45), wireless (Wi-Fi), fiber (SFP/SFP+)
Network Hardware Components
- Hubs (legacy) — broadcasts to all ports; replaced by switches
- Switches — forward frames based on MAC address table; the foundation of LAN infrastructure
- Routers — forward packets based on IP routing table; connect networks
- Firewalls — filter traffic based on rules; stateful vs stateless
- Access Points (WAP) — wireless network extension; controller-based vs autonomous
- Modems — ISP connectivity; DSL, cable, fiber ONT
- Network printers, IP phones, IoT devices — endpoints on the network
Cabling
- Ethernet categories — Cat5e (1 Gbps at 100 m), Cat6 (1 Gbps at 100 m; 10 Gbps only to about 55 m), Cat6A (10 Gbps at 100 m), Cat8 (25/40 Gbps over a 30 m channel; data-center use only)
- Straight-through vs crossover cables — modern switches handle both via Auto-MDI/MDIX
- Fiber types — single-mode (long distance, yellow), multimode (short distance, orange/aqua)
- Fiber connectors — SC, LC, ST, MPO — small form-factor vs standard
- RJ-45 crimping — 568A vs 568B wiring standard (must be consistent within a run)
- Patch panels — horizontal cable management in wiring closets
- TIA/EIA-568 structured cabling standard — backbone, horizontal, work area wiring
- Cable length limits — copper Ethernet channel maximum is 100 m regardless of category (90 m permanent link plus patch cords); fiber reach depends on fiber type and optic
- Cable certification — Fluke cable tester, certification reporting
Resources
Stage 01
Networking Fundamentals — Deep
This is the intellectual foundation of network administration. Everything in subsequent stages builds on these concepts.
OSI Model — Full Depth
- Layer 1 — Physical: electrical signals, cable types, hubs, repeaters, bit transmission
- Layer 2 — Data Link: MAC addresses, Ethernet frames, switches, ARP, VLANs, spanning tree
- Layer 3 — Network: IP addresses, routing, packets, routers, ICMP, fragmentation
- Layer 4 — Transport: TCP (connection-oriented, reliable), UDP (connectionless, fast), segments, port numbers
- Layer 5 — Session: session establishment, maintenance, termination; NetBIOS
- Layer 6 — Presentation: encoding, compression, encryption; SSL/TLS context
- Layer 7 — Application: HTTP, DNS, SMTP, FTP, SSH, SNMP, DHCP; what users interact with
- Encapsulation — data wraps in headers at each layer going down; unwraps going up
- PDU names — bits (L1), frames (L2), packets (L3), segments (L4), data (L5-7)
- Where attacks operate — per-layer attack surface understanding
IP Addressing — Complete Mastery Required
- IPv4 structure — 32-bit, four octets, dotted decimal notation
- Address classes — Class A (1–126, /8), Class B (128–191, /16), Class C (192–223, /24)
- Private ranges — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Loopback — 127.0.0.0/8, typically 127.0.0.1
- APIPA — 169.254.0.0/16 — assigned when DHCP fails
- Broadcast — directed (subnet broadcast), limited (255.255.255.255)
- Multicast — 224.0.0.0/4 — one-to-many delivery
Subnetting — Must Be Fast and Accurate
- Subnet masks — purpose: separating network from host portion
- CIDR notation — /24, /16, /8, /30, /29, /27, /25
- Subnetting formula — 2^n hosts (minus 2 for network and broadcast), 2^m subnets
- Practice targets:
  - Given 192.168.10.0/26: network 192.168.10.0, broadcast 192.168.10.63, usable .1–.62, 62 hosts
  - Given 10.0.0.0/20: subnet mask 255.255.240.0, 4094 usable hosts
- Variable Length Subnet Masking (VLSM) — allocating different subnet sizes to different segments
- Supernetting / route summarization — combining smaller subnets into one route advertisement
- CIDR (Classless Inter-Domain Routing) — modern addressing, eliminates class boundaries
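A worked subnetting example, added to this roadmap rather than taken from it, using Python's standard-library ipaddress module. It computes the practice targets above, carves a /24 into VLSM segments largest-first, and collapses contiguous prefixes into one summary route. The segment names and host counts are made up for illustration.

```python
from __future__ import annotations

import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask, wildcard and usable host range for an IPv4 prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 (RFC 3021 point-to-point) and /32 have no network/broadcast addresses to subtract.
    minus_two = net.prefixlen < 31
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),  # inverse mask, as used in ACLs and OSPF network statements
        "first_host": str(net.network_address + 1 if minus_two else net.network_address),
        "last_host": str(net.broadcast_address - 1 if minus_two else net.broadcast_address),
        "usable": net.num_addresses - 2 if minus_two else net.num_addresses,
    }


def vlsm_allocate(parent: str, host_counts: dict[str, int]) -> dict[str, str]:
    """Carve `parent` into subnets sized for each segment, largest first (VLSM).

    host_counts maps a segment name (made up here) to the usable hosts it needs.
    Allocating largest-first keeps every subnet aligned and leaves the leftover
    space as a few large blocks instead of many fragments.
    """
    free = [ipaddress.ip_network(parent)]
    plan: dict[str, str] = {}
    for name, need in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        host_bits = 2
        while 2 ** host_bits - 2 < need:  # smallest prefix whose usable count covers the need
            host_bits += 1
        prefix = 32 - host_bits
        free.sort()
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:
                chosen = next(block.subnets(new_prefix=prefix))
                free.pop(i)
                free.extend(block.address_exclude(chosen))  # return the unused remainder
                plan[name] = str(chosen)
                break
        else:
            raise ValueError(f"no free block large enough for {name} (/{prefix})")
    return plan


def summarize(prefixes: list[str]) -> list[str]:
    """Collapse contiguous prefixes into the fewest aggregates (supernetting / route summarization)."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)]


if __name__ == "__main__":
    for cidr in ("192.168.10.0/26", "10.0.0.0/20"):
        print(cidr, subnet_facts(cidr))
    print(vlsm_allocate("192.168.10.0/24",
                        {"users": 100, "servers": 50, "voip": 25, "mgmt": 10, "wan_link": 2}))
    print(summarize(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.5.0/24"]))
```

The wildcard field is the same value an ACL or an OSPF network statement expects, so a mismatch between the mask you computed and the wildcard you typed shows up immediately. Summarizing before advertising (the last call) is what keeps a neighbor's table small, and it only works when the prefixes you hand it are actually contiguous.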
IPv6 — Growing Requirement
- IPv6 address format — 128-bit, eight groups of four hex digits, colon-separated
- Simplification rules — omit leading zeros, collapse consecutive zero groups to ::
- Address types:
  - Global unicast — 2000::/3, globally routable
  - Link-local — FE80::/10, automatically assigned on every IPv6 interface; required for IPv6 operation (NDP, routing protocol adjacencies)
  - Unique local — FC00::/7, private addressing equivalent
  - Multicast — FF00::/8, replaces broadcast
  - Anycast — same address on multiple hosts; nearest responds
- EUI-64 — automatically generating interface ID from MAC address
- DHCPv6 — stateful (assigns address) vs stateless (provides options only)
- SLAAC (Stateless Address Autoconfiguration) — self-configuring IPv6 using router advertisements
- Dual-stack — running IPv4 and IPv6 simultaneously
- Tunneling — 6to4, ISATAP, Teredo — IPv6 over IPv4 infrastructure
- IPv6 in routing — OSPFv3, BGP multiprotocol extensions, IS-IS
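An added example (not part of the roadmap) that works through EUI-64 and SLAAC by hand with Python's ipaddress module: it derives the interface identifier from a MAC, builds the link-local and global addresses, shows the RFC 5952 compressed form against the expanded form, and reverses the process to recover the MAC, which is the privacy reason hosts prefer RFC 4941 temporary addresses. The MAC and prefix are made-up sample values.

```python
from __future__ import annotations

import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface ID from a 48-bit MAC: split the MAC, insert ff:fe
    in the middle, and flip bit 7 (the universal/local bit) of the first octet."""
    octets = [int(x, 16) for x in mac.replace("-", ":").split(":")]
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (learned from a Router Advertisement) with the EUI-64 ID.
    str() on an IPv6Address gives the RFC 5952 compressed form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local(mac: str) -> str:
    """fe80::/64 plus the EUI-64 ID: the address an interface has before any RA arrives."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str) -> str | None:
    """Reverse EUI-64. The MAC is recoverable from the address, which is the tracking
    concern RFC 4941 temporary addresses exist to fix. Returns None when the
    interface ID is not EUI-64 derived (no ff:fe in the middle)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def expand(addr: str) -> str:
    """Full eight-group form with leading zeros, as packet captures show it."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    mac = "00:1c:42:2b:60:5a"  # sample MAC, not a real host
    print("EUI-64 IID  :", eui64_interface_id(mac))
    print("link-local  :", link_local(mac))
    print("global      :", slaac_address("2001:db8:1::/64", mac))
    print("expanded    :", expand(slaac_address("2001:db8:1::/64", mac)))
    print("MAC leaked  :", mac_from_address(link_local(mac)))
```

Note the compression rule the code relies on: a single zero group is written as 0, only a run of two or more groups collapses to ::, so the global address above keeps its lone 0 while the link-local one collapses three zero groups.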
TCP — Deep
- TCP header fields — source port, destination port, sequence number, acknowledgment number, flags, window size, checksum, urgent pointer
- Three-way handshake — SYN → SYN-ACK → ACK; importance for stateful firewall
- Four-way teardown — FIN → ACK → FIN → ACK; each side closes its own direction, and the middle ACK and second FIN are often combined into one FIN/ACK segment
- TCP flags — SYN, ACK, FIN, RST, PSH, URG, ECE, CWR
- Sequence and acknowledgment numbers — tracking data flow, out-of-order detection
- Window size — flow control mechanism, sliding window
- Congestion control — slow start, congestion avoidance, fast retransmit, fast recovery
- Keep-alive — detecting dead connections
- TCP states — LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT_1/2, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSED
UDP — Deep
- Connectionless — no handshake, no reliability guarantee
- Header fields — source port, destination port, length, checksum (only four fields)
- Use cases — DNS queries, DHCP, TFTP, SNMP, NTP, VoIP, video streaming, gaming
- Why UDP — lower overhead, lower latency for time-sensitive or loss-tolerant applications
ICMP
- Type 0 — Echo Reply (ping response)
- Type 3 — Destination Unreachable (codes 0–15 give the reason: 0 net, 1 host, 3 port unreachable, 4 fragmentation needed, 13 administratively prohibited)
- Type 5 — Redirect
- Type 8 — Echo Request (ping)
- Type 11 — Time Exceeded (TTL expired — used by traceroute)
- Type 12 — Parameter Problem
- ICMP flooding — DoS implications
- PMTUD (Path MTU Discovery) — uses Type 3 Code 4 (Fragmentation Needed)
Switching Fundamentals
- MAC address — 48-bit, OUI (first 24 bits, vendor identifier) + device ID (last 24 bits)
- MAC address table (CAM table) — switch learns source MAC on incoming port
- Flooding — unknown unicast, multicast, broadcast all flood out all ports except ingress
- Forwarding — known unicast forwarded to specific port only
- Filtering — frames destined for port they originated on are dropped
- ARP (Address Resolution Protocol):
  - ARP request — broadcast "who has IP X? tell IP Y"
  - ARP reply — unicast "IP X is at MAC AA:BB:CC:DD:EE:FF"
  - ARP cache — local table mapping IP to MAC; entry lifetime is OS-dependent (seconds to minutes on hosts, 4 hours by default on Cisco IOS)
  - Gratuitous ARP — announcing your own IP-to-MAC mapping; used for failover (HSRP/VRRP) and IP conflict detection
  - ARP poisoning — attacker sends unsolicited or false ARP replies and hosts accept them without validation; enables man-in-the-middle; mitigated by Dynamic ARP Inspection
VLANs — Critical Skill
- What VLANs do — logically segment a physical switch into multiple broadcast domains
- VLAN ID — 802.1Q standard, 12-bit VLAN ID, VLANs 1–4094 (1 is default, 1002–1005 reserved)
- Access ports — assigned to one VLAN; connects end devices
- Trunk ports — carries multiple VLANs using 802.1Q tagging; connects switches to switches and routers
- Native VLAN — untagged traffic on trunk; default is VLAN 1; change for security
- Voice VLAN — dedicated VLAN for VoIP traffic; enables QoS and security separation
- VLAN database (vlan.dat) — VLAN configuration file on Cisco switches
- VTP (VLAN Trunking Protocol) — synchronizes VLAN database across switches; VTP modes (server/client/transparent); VTP pruning
- Inter-VLAN routing — Layer 3 switch (SVI — Switched Virtual Interface) or router-on-a-stick (subinterfaces)
- VLAN design — separate VLANs for: users, servers, management, VoIP, IoT, guest Wi-Fi, printers
Spanning Tree Protocol (STP)
- Why STP exists — prevents Layer 2 loops that would crash a switched network
- STP process — elect root bridge → elect root ports → elect designated ports → block others
- Bridge ID — priority (default 32768) + MAC address; lowest wins root bridge election
- Port states — Blocking, Listening, Learning, Forwarding, Disabled
- Port roles — Root, Designated, Non-Designated (Blocking), Disabled
- Timers — Hello (2s), Forward Delay (15s), Max Age (20s)
- RSTP (802.1w) — Rapid Spanning Tree; convergence in seconds instead of ~50 seconds
- PVST+ (Per-VLAN Spanning Tree+) — Cisco proprietary; separate STP instance per VLAN; allows load balancing
- MSTP (802.1s) — Multiple Spanning Tree; maps multiple VLANs to fewer STP instances
- PortFast — immediately puts access port in Forwarding; bypasses Listening/Learning; only on end-device ports
- BPDU Guard — disables PortFast port if STP BPDUs received; prevents rogue switches
- Root Guard — prevents a port from becoming a root port; protects designated root
- Loop Guard — prevents alternate/root ports from becoming designated ports if BPDUs stop arriving
- Topology changes — MAC table flush, reconvergence process
EtherChannel / Link Aggregation
- Purpose — bundle multiple physical links into one logical link; bandwidth and redundancy
- LACP (IEEE 802.3ad, now 802.1AX) — open standard; active/passive negotiation
- PAgP — Cisco proprietary, desirable/auto negotiation
- Static EtherChannel (on/on) — no negotiation; mismatches can cause loops
- Load balancing methods — src-mac, dst-mac, src-dst-mac, src-ip, dst-ip, src-dst-ip
Routing Fundamentals
- What routers do — forward packets between different networks based on routing table
- Routing table — network prefix, subnet mask, next-hop, outgoing interface, metric, admin distance
- Administrative distance — trustworthiness of route source; lower = more trusted:
  - Connected (0), Static (1), EIGRP summary (5), eBGP (20), EIGRP internal (90), OSPF (110), RIP (120), EIGRP external (170), iBGP (200)
- Metric — cost to reach destination; varies by routing protocol (hops, bandwidth, delay, load, reliability)
- Longest prefix match — most specific route wins
- Default route — 0.0.0.0/0 — gateway of last resort
Static Routing
- Configuration — ip route [destination] [mask] [next-hop or interface]
- When to use static routes — small networks, specific traffic steering, stub networks
- Floating static routes — higher AD than dynamic route; backup when primary fails
- Summarization with static routes — reducing routing table size
- Null0 routes — black-holing traffic, preventing routing loops with summarization
OSPF (Open Shortest Path First)
- Link-state routing protocol — routers build complete topology map
- Dijkstra algorithm — Shortest Path First (SPF) — calculates optimal path
- Areas — backbone (area 0) and regular areas; OSPF area types:
  - Standard area — all LSA types
  - Stub area — no external LSAs (Type 5); the ABR injects a default route instead
  - Totally Stubby — no external or inter-area LSAs (Types 3/4/5, apart from the ABR's default); Cisco proprietary extension
  - NSSA (Not-So-Stubby Area) — stub area that still allows redistribution via Type 7 LSAs, which the ABR translates to Type 5
- Router types — backbone (area 0), internal, ABR (Area Border Router), ASBR (Autonomous System Boundary Router)
- LSA types — 1 (Router), 2 (Network), 3 (Summary), 4 (ASBR Summary), 5 (External), 7 (NSSA External)
- DR/BDR election — Designated Router and Backup DR on multi-access networks
- OSPF neighbor states — Down → Init → 2-Way → Exstart → Exchange → Loading → Full
- OSPFv3 — IPv6 support, instance-based configuration per interface
- OSPF metric — cost = reference bandwidth / interface bandwidth; default ref BW = 100 Mbps
- OSPF authentication — null, plain text, MD5, HMAC-SHA via key chains (OSPFv2); OSPFv3 uses IPsec AH/ESP or the authentication trailer (RFC 7166)
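An added example, not taken from the roadmap, that runs SPF (Dijkstra) over a constructed five-link topology with costs derived the way OSPF derives them: reference bandwidth divided by interface bandwidth, rounded down, never below 1. The routers, links and bandwidths are made up. It shows the practical consequence of leaving the reference bandwidth at its 100 Mbps default: a 10 Gbps path and a 100 Mbps path both cost 1 per hop, so OSPF treats them as equal-cost and load-shares across them.

```python
import heapq


def ospf_cost(bandwidth_mbps: float, reference_mbps: float = 100.0) -> int:
    """With the default 100 Mbps reference, any link of 100 Mbps or faster costs 1."""
    return max(1, int(reference_mbps // bandwidth_mbps))


# (router A, router B, bandwidth in Mbps); constructed, not a real network
LINKS = [
    ("R1", "R2", 10000),
    ("R2", "R4", 10000),
    ("R1", "R3", 100),
    ("R3", "R4", 100),
    ("R1", "R4", 10),
]


def build_graph(links, reference_mbps: float = 100.0) -> dict:
    """Adjacency map {router: {neighbor: cost}}; every link is bidirectional and symmetric here."""
    graph: dict = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_mbps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph: dict, root: str) -> dict:
    """Dijkstra from `root`. Returns {router: (total cost, sorted equal-cost first hops)}.
    More than one first hop for a destination means OSPF would install ECMP routes."""
    dist = {root: 0}
    first_hops = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for neigh, link_cost in graph[node].items():
            new_cost = cost + link_cost
            hops = {neigh} if node == root else first_hops[node]
            if new_cost < dist.get(neigh, float("inf")):
                dist[neigh] = new_cost
                first_hops[neigh] = set(hops)
                heapq.heappush(heap, (new_cost, neigh))
            elif new_cost == dist[neigh]:
                first_hops[neigh] |= hops  # equal-cost path through a different first hop
    return {n: (dist[n], sorted(first_hops[n])) for n in dist}


def routes_from(root: str, reference_mbps: float = 100.0) -> dict:
    """SPF result for the constructed topology under a given reference bandwidth."""
    return spf(build_graph(LINKS, reference_mbps), root)


if __name__ == "__main__":
    print("default reference bandwidth (100):", routes_from("R1"))
    print("auto-cost reference-bandwidth 10000:", routes_from("R1", 10000))
```

With the default reference, R1 reaches R4 at cost 2 via both R2 and R3; with a 10 Gbps reference the 100 Mbps path costs 200 and only R2 remains. Whatever reference you pick, set it identically on every router in the domain, or neighbors will disagree about the same link.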
BGP (Border Gateway Protocol)
- EGP — Exterior Gateway Protocol; the routing protocol of the internet
- iBGP vs eBGP — internal (same AS) vs external (different AS)
- Autonomous System (AS) — collection of networks under single administrative control; AS number
- BGP path attributes — AS_PATH (loop prevention), NEXT_HOP, LOCAL_PREF, MED, ORIGIN, WEIGHT (Cisco)
- BGP best path selection — order of attribute evaluation
- BGP peering — manually configured neighbors (no auto-discovery like OSPF)
- BGP route filtering — prefix lists, route maps, AS_PATH ACLs
- Route reflectors — iBGP scalability solution; eliminates full mesh requirement
- BGP communities — tagging routes for policy-based treatment
EIGRP (Enhanced Interior Gateway Routing Protocol)
- Cisco proprietary advanced distance-vector protocol
- DUAL algorithm — Diffusing Update Algorithm; loop-free convergence
- Neighbor discovery via Hello packets on multicast 224.0.0.10
- Feasible distance (FD), reported distance (RD), feasible condition
- Successor and feasible successor routes — active and backup routes
- Partial updates — only changed routes advertised, not full table
- EIGRP for IPv6 — separate process, configured per interface
RIP (Routing Information Protocol)
- Distance-vector, hop count metric, maximum 15 hops (16 = unreachable)
- RIPv1 — classful, no subnet mask in updates, broadcasts
- RIPv2 — classless, subnet mask included, multicasts 224.0.0.9, authentication support
- RIPng — IPv6 support
- Convergence issues — count-to-infinity, split horizon, route poisoning, poison reverse, holddown timers
- Use case — mostly legacy and educational; rarely deployed in modern networks
DNS (Domain Name System) — Deep
- Resolution process — stub resolver → recursive resolver → root servers → TLD servers → authoritative servers
- Record types:
  - A — hostname to IPv4 address
  - AAAA — hostname to IPv6 address
  - CNAME — alias pointing to another hostname
  - MX — mail server for a domain (priority value)
  - NS — nameservers for a domain
  - SOA — Start of Authority; zone serial number, refresh, retry, expire, negative TTL
  - PTR — reverse DNS, IP to hostname
  - TXT — arbitrary text; used for SPF, DKIM, DMARC, domain verification
  - SRV — service location records; used by AD, SIP, XMPP
  - CAA — Certificate Authority Authorization; controls which CAs can issue for a domain
- TTL — Time to Live; how long resolvers cache the record
- Zone transfer — AXFR (full), IXFR (incremental); must be restricted to authorized secondaries
- DNSSEC — signs DNS records so a validating resolver can detect forged or poisoned answers; provides authenticity and integrity, not confidentiality
- DNS over HTTPS (DoH), DNS over TLS (DoT) — encrypted DNS queries
DHCP (Dynamic Host Configuration Protocol)
- DORA process — Discover (client broadcast) → Offer (server to client; unicast to the client's MAC or broadcast, depending on the client's broadcast flag) → Request (broadcast, so every offering server sees which offer was accepted) → Acknowledge
- Lease time — how long client holds the IP; renewal at 50% of lease time
- DHCP scope — range of addresses to assign; exclusions for static-assigned devices
- DHCP reservations — binding MAC address to always receive specific IP
- DHCP relay agent — ip helper-address on router interface; forwards broadcasts to DHCP server on different subnet
- DHCP options — 003 (default gateway), 006 (DNS servers), 015 (domain name), 051 (lease time), 043 (vendor-specific)
- DHCP snooping — switch security feature; only allows DHCP offers from trusted ports; builds binding table for DAI
- Dynamic ARP Inspection (DAI) — uses DHCP snooping binding table to validate ARP packets
- IP Source Guard — uses DHCP snooping binding table to validate IP/MAC mapping
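An added example, not from the roadmap, of the Dynamic ARP Inspection decision as logic: each ARP packet arriving on an untrusted port is checked against a DHCP snooping binding table, with the optional src-mac validation applied first, and the ARP poisoning attempts from the Switching section above are what it drops. The binding table, port names and packets are all constructed; the ingress-port comparison is this example's own extra strictness on top of the IP/MAC/VLAN check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    op: str             # "request" or "reply"
    sender_ip: str
    sender_mac: str     # ARP sender hardware address
    target_ip: str
    vlan: int
    ingress_port: str
    src_mac: str        # Ethernet source; a spoofer often forgets to make this match sender_mac


# What 'show ip dhcp snooping binding' would list for two DHCP clients (constructed)
BINDINGS = [
    Binding("10.10.1.50", "aa:bb:cc:00:00:50", 10, "Gi1/0/5"),
    Binding("10.10.1.51", "aa:bb:cc:00:00:51", 10, "Gi1/0/6"),
]
# Statically addressed hosts never appear in the snooping table; they need an ARP ACL / static entry
STATIC_BINDINGS = [Binding("10.10.1.1", "aa:bb:cc:00:00:01", 10, "Gi1/0/48")]
TRUSTED_PORTS = {"Gi1/0/48"}   # uplink toward the router and DHCP server; DAI does not inspect it


def inspect(pkt: ArpPacket, bindings=BINDINGS, static=STATIC_BINDINGS, trusted=TRUSTED_PORTS) -> tuple:
    """Return ('permit' | 'drop', reason)."""
    if pkt.ingress_port in trusted:
        return "permit", "trusted port, not inspected"
    # Optional additional validation ('ip arp inspection validate src-mac')
    if pkt.src_mac.lower() != pkt.sender_mac.lower():
        return "drop", "src-mac validation failed: Ethernet source differs from ARP sender MAC"
    table = {(b.ip, b.vlan): b for b in list(static) + list(bindings)}
    b = table.get((pkt.sender_ip, pkt.vlan))
    if b is None:
        return "drop", f"no binding for {pkt.sender_ip} in VLAN {pkt.vlan}"
    if b.mac.lower() != pkt.sender_mac.lower():
        return "drop", f"{pkt.sender_ip} is bound to {b.mac}, not {pkt.sender_mac}"
    if b.port != pkt.ingress_port:  # stricter than stock DAI; flags a binding replayed from another port
        return "drop", f"binding for {pkt.sender_ip} is on {b.port}, seen on {pkt.ingress_port}"
    return "permit", "matches snooping binding"


# Constructed packets: legitimate reply, gateway spoof, spoof with mismatched Ethernet source,
# valid binding replayed from the wrong port, request from the trusted uplink, static host with no binding
SAMPLE = [
    ArpPacket("reply", "10.10.1.50", "aa:bb:cc:00:00:50", "10.10.1.1", 10, "Gi1/0/5", "aa:bb:cc:00:00:50"),
    ArpPacket("reply", "10.10.1.1", "dd:ee:ff:00:00:99", "10.10.1.50", 10, "Gi1/0/7", "dd:ee:ff:00:00:99"),
    ArpPacket("reply", "10.10.1.50", "aa:bb:cc:00:00:50", "10.10.1.1", 10, "Gi1/0/7", "dd:ee:ff:00:00:99"),
    ArpPacket("reply", "10.10.1.50", "aa:bb:cc:00:00:50", "10.10.1.1", 10, "Gi1/0/7", "aa:bb:cc:00:00:50"),
    ArpPacket("request", "10.10.1.1", "aa:bb:cc:00:00:01", "10.10.1.51", 10, "Gi1/0/48", "aa:bb:cc:00:00:01"),
    ArpPacket("reply", "10.10.1.77", "aa:bb:cc:00:00:77", "10.10.1.1", 10, "Gi1/0/9", "aa:bb:cc:00:00:77"),
]


def run_sample() -> list:
    """Verdicts for SAMPLE in order."""
    return [inspect(p)[0] for p in SAMPLE]


if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = inspect(p)
        print(f"{verdict:6} {p.ingress_port:8} {p.sender_ip:12} {p.sender_mac}  {why}")
```

The last sample packet is the operational trap: a host with a static IP is dropped not because it is malicious but because it never took a DHCP lease, so DAI has nothing to validate against. Add static bindings or an ARP ACL for those hosts before enabling DAI on a VLAN, or they lose connectivity.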
NTP (Network Time Protocol)
- Why time synchronization matters — logging, authentication (Kerberos), certificates, distributed systems
- Stratum hierarchy — Stratum 0 (atomic clocks/GPS) → Stratum 1 (primary servers) → Stratum 2+ (secondary servers)
- NTP modes — server, client, symmetric peer, broadcast
- NTPv4 improvements — improved security, IPv6 support
- PTP (Precision Time Protocol, IEEE 1588) — sub-microsecond accuracy for financial and industrial
SNMP (Simple Network Management Protocol)
- Architecture — managed devices, agents, management stations
- SNMP versions:
  - SNMPv1 — community strings (public/private) in plaintext; insecure
  - SNMPv2c — community strings, improved error handling and GetBulk; still insecure
  - SNMPv3 — user-based authentication and encryption; the only secure version
- OID (Object Identifier) — hierarchical identifier for managed objects
- MIB (Management Information Base) — database of manageable objects
- Operations — Get, GetNext, GetBulk, Set, Response, Trap, InformRequest
- SNMPv3 security levels — noAuthNoPriv (username only), authNoPriv (MD5/SHA authentication, no encryption), authPriv (authentication plus DES/AES encryption; use SHA with AES)
- Community string security — change from default "public"/"private"; use SNMPv3 for production
Resources
Stage 02
Cisco IOS — Configuration & Troubleshooting
Cisco dominates enterprise networking. CCNA is the baseline credential for network administration. IOS command proficiency is tested in every networking interview.
IOS Navigation
- Console connection — terminal emulator (PuTTY, SecureCRT), COM port, 9600 baud
- SSH access — ip domain-name, crypto key generate rsa modulus 2048 (or larger), ip ssh version 2, line vty: login local plus transport input ssh
- CLI modes — User EXEC (>), Privileged EXEC (#), Global Config ((config)#), Interface Config ((config-if)#); privilege levels 0–15 decide which commands a user may run (15 = full access)
- Context navigation — enable, configure terminal, interface, line, router ospf, exit, end, Ctrl+Z
- Help — ?, tab completion, command syntax review
- IOS families — classic IOS, IOS-XE, IOS-XR, NX-OS — differences in syntax, architecture and platform
Basic Device Configuration
- hostname — sets device name
- enable secret — stores the privileged EXEC password as a salted hash (Type 5 MD5 on older IOS, Type 8/9 PBKDF2/scrypt on current IOS); use it instead of enable password, which stores the password in plaintext or Type 7
- service password-encryption — converts plaintext passwords in the config to Type 7, a trivially reversible encoding; it defeats shoulder-surfing, not an attacker who has a copy of the config
- banner motd — login warning banner
- no ip domain-lookup — prevents IOS from trying to resolve typos as DNS hostnames
- clock timezone, clock set — time configuration; ntp server for NTP sync
- logging — synchronous on console/vty lines, buffered logging, logging to syslog server
- ip domain-name — required for SSH key generation
- username [name] privilege [level] secret [password] — local user account for SSH
Interface Configuration
- interface [type] [number] — enter interface config mode
- ip address [ip] [mask] — assign IP address
- ipv6 address [ipv6prefix/length] — assign IPv6 address
- no shutdown — administratively enable interface (router interfaces default to shutdown; switch ports default to up, so shut down unused switch ports explicitly)
- description — label for documentation
- duplex auto/full/half — duplex negotiation
- speed auto/10/100/1000 — speed negotiation (prefer auto for copper)
- interface range — configuring multiple interfaces simultaneously
- show interface [name] — counters, errors, input/output rates, duplex, speed
- show ip interface brief — quick status summary of all interfaces
- Loopback interfaces — logical, always up; used for management IP, routing protocol source
Switch Configuration — Deep
- Default VLAN (VLAN 1) — all ports start here; move user ports off VLAN 1 and park unused ports in a dedicated, shut-down VLAN
- vlan [id] name [name] — create VLAN
- interface [type/number] switchport mode access — configure access port
- switchport access vlan [id] — assign access port to VLAN
- interface [type/number] switchport mode trunk — configure trunk port
- switchport trunk encapsulation dot1q — 802.1Q tagging
- switchport trunk native vlan [id] — change native VLAN from default 1
- switchport trunk allowed vlan [list] — restrict VLANs on trunk
- show vlan brief — all VLANs and their access ports
- show interfaces trunk — trunk ports and allowed/active VLANs
STP Configuration
- spanning-tree mode rapid-pvst — enable Rapid PVST+ (older Catalyst platforms default to classic PVST+; verify with show spanning-tree summary)
- spanning-tree vlan [id] priority [value] — manipulate root bridge election
- spanning-tree portfast — enable on access ports for faster convergence
- spanning-tree bpduguard enable — enable on PortFast ports
- show spanning-tree vlan [id] — STP topology for specific VLAN
- show spanning-tree detail — full STP state including timers and transitions
Layer 3 Switch Configuration
- ip routing — enable Layer 3 routing on multilayer switch
- interface vlan [id] — create SVI; assign IP address for inter-VLAN routing
- show ip route — verify routing table entries
- no switchport — convert a switch port to Layer 3 routed port
Router Configuration — Deep
- Static routes — ip route [dest] [mask] [next-hop or interface]
- ip route 0.0.0.0 0.0.0.0 [next-hop] — default route
- OSPF configuration:
  - router ospf [process-id]
  - network [address] [wildcard] area [area-id]
  - router-id [ip address] — explicitly set router ID
  - ip ospf cost [value] — set interface cost
  - auto-cost reference-bandwidth [mbps] — adjust for high-bandwidth links (set the same value on every router in the domain)
  - show ip ospf neighbor — verify adjacencies
  - show ip ospf database — LSDB contents
  - show ip route ospf — OSPF-learned routes
- Router-on-a-stick (inter-VLAN routing):
  - interface [type/number].[subint] — create subinterface
  - encapsulation dot1q [vlan-id] — assign VLAN to subinterface
  - ip address [ip] [mask] — IP for that VLAN's gateway
ACLs (Access Control Lists)
- Standard ACL — matches source IP only; applied close to destination
- Extended ACL — matches source, destination, protocol, ports; applied close to source
- Named vs numbered ACLs — named preferred for readability
- Wildcard masks — inverse of subnet mask (0.0.0.255 = /24 match)
- ACL application — ip access-group [acl-name] in/out on interface
- Implicit deny all — unstated rule at end of every ACL; add explicit permit any if needed
- Show ip access-lists — view ACL with match counters
- Common uses — restricting management access, blocking specific traffic, VPN interesting traffic, QoS matching
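An added example, not part of the roadmap, that evaluates packets against an IOS-style extended ACL to make three points concrete: wildcard-mask matching, first-match-wins ordering, and the implicit deny that closes every list. The ACL text and the packets are constructed; the parser covers the common subset (permit/deny, ip/tcp/udp/icmp, any | host A | A WILDCARD, an optional eq PORT on the destination) and nothing more.

```python
import ipaddress


def _addr_spec(tokens: list) -> tuple:
    """Consume one address spec from the front of tokens. Returns (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _wildcard_match(addr: str, base: int, wildcard: int) -> bool:
    """Wildcard semantics: a 0 bit must match the base, a 1 bit is ignored (inverse of a subnet mask)."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_acl(text: str) -> list:
    """Parse lines as typed in config or as printed by 'show ip access-lists' (sequence numbers allowed)."""
    rules = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if toks and toks[0].isdigit():      # sequence number from show output
            toks = toks[1:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue                        # remarks and blank lines
        action, proto, rest = toks[0], toks[1], toks[2:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport, " ".join(toks)))
    return rules


def evaluate(rules: list, proto: str, src: str, dst: str, dport=None) -> tuple:
    """First matching entry decides; if nothing matches, the unstated 'deny ip any any' applies."""
    for action, rproto, (sb, sw), (db, dw), port, text in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_wildcard_match(src, sb, sw) and _wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, text
    return "deny", "implicit deny"


# Constructed management ACL: only the NOC subnet may SSH in, Telnet is refused from anywhere,
# ICMP is allowed for troubleshooting, and one poller may reach the device's SNMP port.
MGMT_IN = """
remark management-plane filter (example)
permit tcp 10.99.0.0 0.0.0.255 any eq 22
deny tcp any any eq 23
permit icmp any any
permit udp host 10.99.0.5 host 10.1.1.1 eq 161
"""
RULES = parse_acl(MGMT_IN)

if __name__ == "__main__":
    for pkt in [("tcp", "10.99.0.7", "10.1.1.1", 22), ("tcp", "10.5.5.5", "10.1.1.1", 22),
                ("tcp", "10.99.0.7", "10.1.1.1", 23), ("udp", "10.99.0.6", "10.1.1.1", 161)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Two things worth trying with it: move the deny line below permit icmp and nothing changes, but move a permit ip any any above the SSH line and every later entry is shadowed without any error from the parser, exactly as on the device. The SSH attempt from 10.5.5.5 is denied by the implicit rule, not by anything written, which is why a final explicit deny ip any any log is common practice when you want those hits counted.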
NAT (Network Address Translation)
- Static NAT — one-to-one mapping of private to public IP
- Dynamic NAT — pool of public IPs dynamically mapped
- PAT (Port Address Translation) / NAT Overload — many-to-one; most common; all users share one public IP
- NAT configuration:
  - ip nat inside on the internal interface
  - ip nat outside on the external interface
  - ip nat inside source list [acl] interface [ext-int] overload — PAT config
- show ip nat translations — active NAT table
- show ip nat statistics — translation counts and hit rates
- NAT troubleshooting — ip nat translation timeout, clearing translations
DHCP on Cisco Routers/Switches
- ip dhcp pool [name] — create DHCP pool
- network [ip] [mask] — address range for pool
- default-router [ip] — default gateway to assign
- dns-server [ip] — DNS server to assign
- lease [days] [hours] [minutes] — lease duration
- ip dhcp excluded-address [start] [end] — exclude from assignment
- show ip dhcp binding — assigned leases
- show ip dhcp pool — pool statistics
- ip helper-address [dhcp-server-ip] — relay DHCP to remote server
Device Management and Security
- Management plane security:
  - access-class [acl] in on vty lines — restrict SSH access to management IPs
  - exec-timeout [minutes] [seconds] — disconnect idle sessions (exec-timeout 0 0 disables the timeout)
  - ip ssh time-out — SSH negotiation timeout
  - ip ssh authentication-retries — limit failed attempts
- Control plane security:
  - Control Plane Policing (CoPP) — rate-limit traffic destined for the router CPU
- Syslog — logging host [server-ip], logging trap [level]
- SNMP — snmp-server community [string] ro/rw is v1/v2c and should be avoided in production; for SNMPv3 use snmp-server group/user with auth and priv, and snmp-server host [ip] version 3 priv [user] for traps
- NetFlow — ip flow ingress/egress on interfaces, ip flow-export destination for traffic analysis
- Configuration management:
  - show running-config — current running configuration
  - show startup-config — configuration saved in NVRAM
  - copy running-config startup-config — save config
  - copy running-config tftp — backup config to TFTP server (unencrypted; prefer SCP or SFTP on a management network)
  - copy tftp running-config — restore configuration (merges into the running config rather than replacing it)
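An added example (not from the roadmap) that audits a Cisco IOS running-config for the weak settings this stage warns about: enable password instead of enable secret, Type 7 credentials, SSHv1, default or read-write SNMP communities, and vty lines that allow Telnet, lack an access-class or never time out. It also decodes Type 7 strings with Cisco's long-published fixed key to show why service password-encryption is obfuscation rather than protection. Both configs are constructed for the example and the $9$ values are placeholders, not real hashes.

```python
from __future__ import annotations

import re

# Cisco's fixed Type 7 XOR key (publicly documented for decades); Type 7 is reversible obfuscation.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """First two characters are a decimal offset into the key; the rest is hex, one byte per character."""
    seed = int(encoded[:2])
    return "".join(chr(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, c in enumerate(bytes.fromhex(encoded[2:])))


def _sections(config: str):
    """Yield (top-level line, [indented child lines]) blocks, e.g. ('line vty 0 4', [...])."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: list[str] = []
    lines = config.splitlines()
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password in use; replace with 'enable secret' (Type 8/9 hash)")
    for m in re.finditer(r"(?m)^(.*?)\b(?:password|key) 7 ([0-9A-Fa-f]+)\s*$", config):
        findings.append(f"Type 7 credential on '{m.group(1).strip()}' decodes to '{type7_decode(m.group(2))}'")
    if "ip ssh version 2" not in lines:
        findings.append("SSHv1 not disabled; set 'ip ssh version 2'")
    for header, children in _sections(config):
        if header.startswith("snmp-server community"):
            parts = header.split()
            if parts[2].lower() in ("public", "private") or "RW" in parts[3:]:
                findings.append(f"SNMP community '{parts[2]}' is a default name or read-write; use SNMPv3 authPriv")
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(f"'{header}': Telnet allowed or 'transport input ssh' missing")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"'{header}': no access-class restricting management sources")
            if "exec-timeout 0 0" in children:
                findings.append(f"'{header}': exec-timeout 0 0, idle sessions never time out")
    return findings


# Constructed weak config, the kind of thing 'show running-config' reveals on a neglected edge router
WEAK = """\
hostname EDGE-RTR1
enable password 7 060506324F41
username admin privilege 15 password 7 082048430017
service password-encryption
ip ssh version 1
snmp-server community public RO
snmp-server community netops RW
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
 login local
"""

# Constructed hardened config; the $9$ values stand in for real scrypt hashes
HARDENED = """\
hostname EDGE-RTR1
enable secret 9 $9$placeholder.hash.not.real
username admin privilege 15 secret 9 $9$placeholder.hash.not.real
ip ssh version 2
snmp-server group NETOPS v3 priv
line vty 0 15
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", audit(HARDENED))
```

The split vty configuration in the weak sample is a real-world pattern: someone hardened line vty 5 15 and forgot 0 4, and the first five sessions land on the lines that still accept Telnet with no source filter. An audit that walks every line block catches that; eyeballing one block does not.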
Cisco Troubleshooting Commands
- show ip interface brief — interface status summary
- show interfaces — detailed interface statistics and errors
- show ip route — routing table
- show arp — ARP cache
- show mac address-table — CAM table
- show vlan brief — VLAN assignments
- show interfaces trunk — trunk status
- show spanning-tree — STP topology
- show ip ospf neighbor — OSPF neighbors
- show ip protocols — routing protocol summary
- debug ip ospf events — OSPF debugging (use cautiously in production)
- ping [ip] — connectivity test
- ping [ip] source [ip] — ping from specific source IP
- traceroute [ip] — path tracing
- traceroute [ip] source [ip] — trace from specific source
- show cdp neighbors — Cisco Discovery Protocol; maps adjacent Cisco devices
Resources
Stage 03
Security Fundamentals
Network administrators increasingly own network security configuration. Firewall management and VPN are core responsibilities.
Security Fundamentals
- CIA Triad, AAA, threat/vulnerability/risk
- Network security concepts — defense in depth, DMZ design, network segmentation
- Common network attacks — ARP spoofing, VLAN hopping, STP manipulation, MAC flooding, DHCP starvation, DNS poisoning, DDoS
- AAA (Authentication, Authorization, Accounting) — RADIUS, TACACS+ for network device management
- Layer 2 security — DHCP snooping, DAI, port security, 802.1X
- PKI — certificates for VPN, 802.1X, HTTPS management
- Firewall concepts — stateful inspection, zone-based, application layer
- VPN types — site-to-site, remote access (SSL VPN)
Resources
Stage 04
Firewalls & Network Security Appliances
Firewall management is a core network admin responsibility. Real-world firewall configuration is tested in interviews.
Firewall Fundamentals
- Packet filtering — stateless, matches individual packets against ACL rules
- Stateful inspection — tracks connection state; allows return traffic automatically
- Application layer inspection (NGFW) — deep packet inspection, application identification, user identity
- Zones — trust, untrust, DMZ — traffic policies between zones
- Implicit deny — all traffic not explicitly permitted is blocked
Cisco ASA
- Interface security levels — inside, outside, DMZ are interface names, each with a security level (inside = 100, outside = 0); the ASA is interface-based rather than zone-based
- Security level — higher security can initiate connections to lower; not vice versa without ACL
- Access control lists — apply to interfaces
- NAT on ASA — auto-NAT, manual NAT, identity NAT
- VPN — site-to-site IKEv2/IPsec, AnyConnect SSL VPN
- High availability — active/standby failover, stateful failover
Cisco Firepower (FTD)
- Next-generation firewall — application visibility and control, IPS, URL filtering, AMP
- FMC (Firepower Management Center) — centralized management for multiple FTDs
- Access Control Policy — rules based on zones, networks, applications, users, URLs
- Intrusion Policy — Snort-based IPS rules, inspection settings
- File Policy — AMP for Networks, file blocking
- SSL Policy — decryption inspection of encrypted traffic
- Prefilter Policy — fast path for high-volume trusted traffic
Palo Alto Networks
- Zone-based security policy — source zone, destination zone, application, user
- App-ID — application identification regardless of port
- User-ID — user identity integration for policy
- Content-ID — threat prevention, URL filtering, file blocking
- Security Profiles — antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, WildFire
- Panorama — centralized management
- PA-VM — virtual firewall for private cloud and hypervisor deployment
- Certificates — CA chain, OCSP, CRL — firewall certificate management
Fortinet FortiGate
- FortiOS — security fabric approach
- NGFW features — application control, web filtering, antivirus, IPS
- FortiManager — centralized management
- FortiAnalyzer — logging and reporting
- SD-WAN features — built-in WAN optimization and application steering
pfSense / OPNsense
- Open-source firewalls — common in home labs, SMB, and as secondary devices
- Interface-based rules — LAN, WAN, DMZ, VLANs
- Packages — Suricata/Snort IDS, pfBlockerNG, Squid proxy, HAProxy
- OpenVPN and IPsec VPN configuration
- Traffic shaping — QoS and bandwidth management
Intrusion Detection/Prevention Systems (IDS/IPS)
- IDS — passive detection; alerts but does not block
- IPS — inline; can block detected attacks in real time
- Signature-based detection — matching known attack patterns
- Anomaly-based detection — deviating from baseline behavior
- Snort — open-source IDS/IPS; rules syntax; community rules
- Suricata — high-performance multi-threaded IDS/IPS; compatible with Snort rules
Resources
- Palo Alto Networks ACE study materials (free)
- Cisco firewall documentation (free)
- pfSense documentation (free)
- home lab pfSense deployment
Stage 05
VPN & Remote Access
VPN is a daily network admin responsibility. Site-to-site and remote access VPN configuration is tested in interviews.
IPsec VPN
- IPsec framework — authentication, integrity, encryption for IP traffic
- IKE (Internet Key Exchange):
  - IKEv1 — two phases; Phase 1 (ISAKMP SA) + Phase 2 (IPsec SA)
  - IKEv2 — single exchange model with built-in NAT traversal, EAP authentication and dead peer detection; preferred for new deployments
- IKEv1 Phase 1 modes — Main mode (6 messages, ID protected) vs Aggressive mode (3 messages, ID unprotected)
- IKE Phase 1 parameters — encryption (AES-256), hash (SHA-256), DH group (14+), lifetime
- IKE Phase 2 parameters — ESP vs AH, encryption, hash, perfect forward secrecy
- ESP vs AH — ESP encrypts the payload and, with an integrity algorithm, authenticates it; AH authenticates the whole packet including the outer IP header but offers no confidentiality and breaks behind NAT; ESP is the standard choice
- IPsec modes — Tunnel mode (entire IP packet encrypted, new IP header) vs Transport mode (payload only)
- NAT traversal (NAT-T) — encapsulates IPsec in UDP 4500 when NAT is present
- Crypto maps vs VTI — legacy crypto maps vs Virtual Tunnel Interfaces (modern, dynamic routing support)
Site-to-Site VPN
- Configuration — IKE policy, pre-shared key or PKI, IPsec transform set, crypto map, interesting traffic ACL
- VTI tunnel configuration — tunnel interface, tunnel mode ipsec ipv4, ip address, routing over tunnel
- Troubleshooting — show crypto isakmp sa, show crypto ipsec sa, debug crypto isakmp, debug crypto ipsec
- Redundancy — dual ISP with BGP or IP SLA tracking failover
SSL/TLS VPN (Remote Access)
- Cisco AnyConnect (now Cisco Secure Client) — the dominant enterprise SSL VPN client
  - WebVPN configuration — connection profiles, group policies, split tunneling
  - User authentication — local, RADIUS, LDAP/AD, certificate
  - Split tunneling vs full tunnel — traffic routing decisions
  - IP address pool assignment for VPN clients
  - Troubleshooting — DAP (Dynamic Access Policies), connection logs
- Pulse Secure / Ivanti — common in enterprise environments
- GlobalProtect (Palo Alto) — integrates with PAN-OS security policy
- Fortinet SSL VPN — FortiClient-based
SD-WAN
- What SD-WAN is — software-defined overlay WAN; application-aware routing over multiple transports
- Use case — replacing or augmenting expensive MPLS with broadband/LTE at branch offices
- Key vendors — Cisco SD-WAN (Viptela), VMware VeloCloud, Fortinet SD-WAN, Meraki
- Concepts — controller-based, overlay tunnels, application performance monitoring, policy-based routing
- Growing relevance — hybrid work and cloud adoption driving SD-WAN adoption
Resources
- Cisco VPN documentation (free)
- IPsec VPN lab guides
- Jeremy's IT Lab VPN content (free YouTube)
Stage 06
Wireless Networking
Wireless is increasingly primary. Wi-Fi 6/6E is the standard enterprise deployment in 2026.
Wireless Standards
- 802.11 standards timeline:
  - 802.11a — 5 GHz, 54 Mbps, OFDM (1999)
  - 802.11b — 2.4 GHz, 11 Mbps, DSSS (1999)
  - 802.11g — 2.4 GHz, 54 Mbps, OFDM (2003)
  - 802.11n (Wi-Fi 4) — 2.4 and 5 GHz, 600 Mbps, MIMO, 40 MHz channels (2009)
  - 802.11ac (Wi-Fi 5) — 5 GHz only, 6.9 Gbps, MU-MIMO, 80/160 MHz channels (2013)
  - 802.11ax (Wi-Fi 6) — 2.4 and 5 GHz, 9.6 Gbps, OFDMA, BSS Coloring, TWT (2019)
  - 802.11ax 6 GHz (Wi-Fi 6E) — extends Wi-Fi 6 to the 6 GHz band; less interference (2021)
  - 802.11be (Wi-Fi 7) — 2.4/5/6 GHz, 46 Gbps, MLO (Multi-Link Operation) (2024)
- MIMO and MU-MIMO — multiple antennas; multiple simultaneous clients
- OFDMA — efficient channel sharing in Wi-Fi 6; subdivides channels
- Channel bonding — 20/40/80/160 MHz channels in 5 GHz
Wireless Security
- WEP — deprecated; broken; never use
- WPA — TKIP; deprecated; vulnerable
- WPA2 — CCMP/AES encryption; enterprise (802.1X) vs personal (PSK)
- WPA3 — SAE (Simultaneous Authentication of Equals) replaces PSK; forward secrecy; mandatory for Wi-Fi 6
- 802.1X — port-based NAC; EAP methods: PEAP, EAP-TLS, EAP-FAST, EAP-TTLS
- RADIUS — centralized authentication for 802.1X; Cisco ISE, FreeRADIUS
- SSID management — separate SSIDs for corporate, guest, IoT
- Rogue AP detection — wireless IDS/IPS, WIPS (Wireless Intrusion Prevention System)
- Evil twin attacks — attacker AP impersonating legitimate SSID
Wireless Architecture
- Autonomous APs — self-contained; each AP configured individually; no controller
- Lightweight APs (LWAP) — forward traffic to the controller; centralized configuration
  - Split MAC — management functions at the controller, real-time functions at the AP
  - CAPWAP (Control And Provisioning of Wireless Access Points) — tunnel protocol between AP and controller
- Cisco Wireless Controller (WLC) — on-premises controller
- Cisco Meraki — cloud-managed wireless; intuitive web dashboard; subscription model
- Cisco Catalyst Center (formerly DNA Center) — enterprise network management and automation
- Aruba (HPE) — major enterprise wireless vendor; Aruba Central cloud management
- Ubiquiti UniFi — popular in SMB and prosumer environments; free controller software
Wireless Troubleshooting
- RF (Radio Frequency) concepts — signal strength (dBm), SNR (signal-to-noise ratio), interference
- Channel selection — non-overlapping 2.4 GHz channels (1, 6, 11); 5 GHz has many non-overlapping channels
- Site survey — heat maps, coverage analysis, AP placement
- Common wireless issues — co-channel interference, hidden node problem, near-far problem, multipath
- Spectrum analyzers — identifying RF interference sources (microwave ovens, Bluetooth, neighboring networks)
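Added example, not part of the roadmap: a small Python model of the 2.4 GHz channel plan described above. It derives channel centre frequencies, checks which channels overlap at 20 MHz width (which is why 1, 6 and 11 are the non-overlapping set), computes SNR from RSSI, and picks the least-congested of 1/6/11 from a constructed neighbour scan. The neighbour list and the -95 dBm noise floor are assumed sample values, not survey data.

```python
import math

# Constructed neighbour-AP scan (SSID, 2.4 GHz channel, RSSI in dBm); not a real site survey.
NEIGHBOURS = [
    {"ssid": "corp-old", "channel": 1, "rssi": -55},
    {"ssid": "guest-x", "channel": 3, "rssi": -70},
    {"ssid": "next-door", "channel": 6, "rssi": -48},
    {"ssid": "cafe", "channel": 9, "rssi": -80},
    {"ssid": "iot-hub", "channel": 11, "rssi": -82},
]
NOISE_FLOOR_DBM = -95          # assumed noise floor for a quiet 2.4 GHz environment
CHANNEL_WIDTH_MHZ = 20         # 802.11g/n/ax OFDM channel width in 2.4 GHz

def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 2407 + 5*n for 1-13; channel 14 sits at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")

def overlaps(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width.
    Channels 1/6/11 are 25 MHz apart, which is what makes them the non-overlapping set."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz

def snr_db(rssi_dbm: int, noise_dbm: int = NOISE_FLOOR_DBM) -> int:
    """SNR is signal minus noise when both are expressed in dBm."""
    return rssi_dbm - noise_dbm

def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)

def interference_mw(channel: int, neighbours: list) -> float:
    """Total received power (mW) from neighbours whose channel overlaps the candidate.
    In this simple model adjacent-channel overlap (e.g. channel 3 vs 1 or 6) counts like co-channel."""
    return sum(dbm_to_mw(n["rssi"]) for n in neighbours if overlaps(channel, n["channel"]))

def best_channel(neighbours: list, candidates: tuple = (1, 6, 11)) -> int:
    """Pick the non-overlapping candidate with the lowest overlapping neighbour power."""
    return min(candidates, key=lambda c: interference_mw(c, neighbours))

def channel_report(neighbours: list, candidates: tuple = (1, 6, 11)) -> dict:
    """Map each candidate channel to the overlapping neighbour power in dBm (None if clear)."""
    report = {}
    for c in candidates:
        mw = interference_mw(c, neighbours)
        report[c] = round(10 * math.log10(mw), 1) if mw else None
    return report
```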
Resources
- Cisco Wireless documentation (free)
- CWNA study guide
- Meraki trial account (free)
- Ubiquiti community resources (free)
Stage 07
Network Monitoring & Troubleshooting
Network administrators need systematic troubleshooting approaches and solid monitoring infrastructure.
Troubleshooting Methodology
- Structured approach — top-down (L7 to L1), bottom-up (L1 to L7), or divide-and-conquer
- OSI model as a troubleshooting framework — identify which layer the problem is at
- Gather information — what is working, what is not, when did it start, what changed
- Establish baseline — know what normal looks like before diagnosing abnormal
- Test connectivity — ping, traceroute, telnet to port, curl
Packet Analysis
- Wireshark — the essential network analysis tool:
  - Capture interfaces — choosing the correct physical or virtual interface
  - Capture filters — BPF syntax (host 1.2.3.4, port 80, tcp, src net 192.168.0.0/24)
  - Display filters — ip.addr==1.2.3.4, tcp.port==443, http, dns, arp
  - Follow TCP/UDP stream — reassemble an entire conversation
  - Statistics — IO graphs, conversations, protocol hierarchy, endpoints
  - Expert Information — automated anomaly detection
  - Dissect protocols — read each protocol header field by field
- tcpdump — CLI packet capture; writing to .pcap, reading .pcap files
- Remote capture — capturing on remote device and analyzing locally
Network Monitoring Platforms
- PRTG Network Monitor — Windows-based; SNMP, WMI, Ping, SNMP Trap sensors; common in SMB enterprise
- SolarWinds NPM — enterprise network monitoring; NetPath, Network Topology Mapper, Orion platform
- Nagios — open-source; plugin-based; alerting; highly customizable
- Zabbix — open-source; SNMP, agent, JMX; scalable to large environments
- LibreNMS — open-source; auto-discovery; real-time graphs; good for network devices
- Grafana + Prometheus — metrics and visualization; increasingly used alongside traditional tools
- NetFlow analysis — SolarWinds NTA, ntopng, Elastiflow — analyzing traffic patterns
Network Documentation
- Network topology diagrams — Visio, draw.io, Lucidchart — physical and logical topologies
- IP address management (IPAM) — tracking IP allocations, subnet utilization, DHCP reservations
- Device inventory — hostname, IP, model, OS version, location, purpose, contacts
- VLAN table — VLAN ID, name, IP range, purpose
- Firewall rule documentation — source, destination, service, purpose, owner, review date
- Change management — documenting network changes, rollback procedures
Performance Monitoring
- Interface utilization — input/output rates, error counts, discards
- CPU and memory on network devices — elevated CPU = potential attack or configuration issue
- Latency and jitter — especially critical for VoIP/video
- QoS (Quality of Service):
  - DSCP marking — Differentiated Services Code Point; 6-bit field in the IP header
  - Class of Service (CoS) — 802.1p tagging in Ethernet frames; 3-bit field
  - QoS queuing mechanisms — CBWFQ, LLQ, WFQ
  - Traffic shaping and policing — limiting bandwidth to/from specific traffic classes
  - VoIP QoS — prioritizing voice traffic, jitter buffers
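Added example serving both the Packet Analysis and QoS bullets above; it is not code from the roadmap or from Wireshark/tcpdump. The Python below reads the classic pcap format that tcpdump -w writes and, for each Ethernet frame, extracts the 3-bit 802.1p CoS from the 802.1Q tag and the 6-bit DSCP from the IPv4 DS byte, i.e. the values Wireshark shows as vlan.priority and ip.dsfield.dscp. The two-frame capture is constructed in memory (MACs, addresses and markings are made-up sample values) so it runs offline.

```python
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
# Common DSCP code points and their per-hop behaviour names (RFC 2474 / 2597 / 3246).
DSCP_NAMES = {0: "BE", 8: "CS1", 10: "AF11", 18: "AF21", 24: "CS3", 26: "AF31",
              34: "AF41", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}

def parse_frame(frame: bytes) -> dict:
    """Extract the 802.1p CoS (3-bit PCP) and the IPv4 DSCP (6-bit) from one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, cos, vlan = 14, None, None
    if ethertype == ETH_P_8021Q:                  # 802.1Q tag: TCI = PCP(3) | DEI(1) | VID(12)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    if ethertype != ETH_P_IP:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[offset:offset + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    dscp, ecn = ip[1] >> 2, ip[1] & 0x03          # DS byte = DSCP (upper 6 bits) + ECN (lower 2)
    return {"vlan": vlan, "cos": cos, "dscp": dscp, "ecn": ecn,
            "phb": DSCP_NAMES.get(dscp, f"DSCP{dscp}"), "proto": ip[9],
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}

def read_pcap(data: bytes):
    """Yield raw frames from a classic pcap file (the format tcpdump -w produces)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24                                      # global header is 24 bytes
    while pos + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def _ipv4(dscp: int, proto: int, src: bytes, dst: bytes) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at zero because this is never transmitted.
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, proto, 0, src, dst)

def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: a tagged VoIP-style frame (VLAN 100, CoS 5, EF) and an untagged BE frame."""
    macs = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    tagged = macs + struct.pack("!HHH", ETH_P_8021Q, (5 << 13) | 100, ETH_P_IP) \
        + _ipv4(46, 17, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    plain = macs + struct.pack("!H", ETH_P_IP) + _ipv4(0, 6, b"\x0a\x00\x00\x03", b"\x0a\x00\x00\x04")
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (tagged, plain))
    return header + records
```

Pointing read_pcap at a file written by tcpdump -w gives the same per-frame view of QoS markings, which is a quick way to verify that voice traffic really arrives tagged CoS 5 / EF at the far end of a trust boundary.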
Resources
- Wireshark documentation (free)
- PRTG free trial
- LibreNMS documentation (free)
- Cisco packet troubleshooting guides (free)
Stage 08
Hands-On Practice & Portfolio
Lab Build
- GNS3 (free) — emulates real Cisco IOS images; full-featured network lab
  - Requires: legitimate Cisco IOS images (from Cisco Learning Network or CCO)
  - Topologies: multi-router OSPF, VLANs, ACLs, NAT, VPN
- Cisco Packet Tracer (free) — simplified Cisco simulation; good for learning, limited for advanced
- EVE-NG (free community edition) — similar to GNS3; web-based interface
- Physical equipment — used Cisco switches (2960, 3560) and routers (2811, 1841) available for $20–50 on eBay
- pfSense home lab — install on old PC or VM; practice firewall rules, VPN, VLAN routing
Lab Projects to Build
- Three-tier architecture — core switch, distribution switches, access switches with VLANs
- OSPF multi-area — two areas with ABR, summarization configured
- Site-to-site VPN — two remote sites connected via IPsec over simulated internet
- VLAN segmentation — corporate, guest, IoT, management VLANs with inter-VLAN routing
- QoS lab — marking and queuing VoIP traffic
- BGP basics — two AS numbers, eBGP peering, prefix advertisement
What to Document on LabList
- Network topology diagrams — Visio or draw.io diagrams of your lab builds
- Configuration files — router/switch configs demonstrating protocols configured
- Troubleshooting write-ups — documented diagnosis and resolution of network problems
- CCNA study progress — noting modules completed, practice exam scores
- Cert progression — A+ → Network+ → CCNA documented with context
FAQ
Common questions
How long does it take to become a Network Administrator?
18–24 months optimistic at 20–25 hours/week, 2–3 years realistic. CCNA preparation alone takes 4–6 months of structured study. The path rewards hands-on lab work — Cisco Packet Tracer, GNS3, EVE-NG — over textbook reading. Career-changers from help desk and sysadmin roles transition fastest because they already have operational instincts. Cloud adoption shifted focus toward hybrid networking but didn't eliminate network administration.
Which certifications matter for network admin?
CCNA is the canonical entry-level network cert, appearing in 6,700–7,200 active job postings per week in early 2026. CCNP for senior roles. CompTIA Network+ as a vendor-neutral alternative. JNCIA for Juniper environments. AWS Advanced Networking Specialty for cloud-heavy organizations. The cert market is dominated by Cisco; CCNA + 2–3 years experience opens most doors.
Do I need a degree?
No. Network administration is one of the more meritocratic IT paths. Self-taught and bootcamp candidates with CCNA + lab portfolio compete effectively. What you do need: subnetting fluency (the screening question at most network interviews), routing protocol depth (OSPF, BGP basics), switching fundamentals (VLANs, STP, port security), and at least basic familiarity with cloud networking (VPCs, security groups). Average salaries around $82,000 entry, $95,000+ senior.
What separates a hired Network Administrator?
A documented home lab. GNS3 or EVE-NG topologies showing OSPF, BGP, VLAN design, with documented configurations and troubleshooting writeups. Generic 'I have CCNA' candidates lose to candidates with portfolio evidence. Other differentiators: at least one cloud networking project (AWS VPC + Transit Gateway, or Azure vNet + ExpressRoute), automation basics (Ansible playbooks for switch configuration), and SD-WAN exposure.