
Packet Path


10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. Which four OSI layers matter most for daily troubleshooting, and what breaks at each?

L2 (Data Link): VLAN misconfig, STP loops, ARP storms. L3 (Network): wrong subnet, missing route, asymmetric routing. L4 (Transport): firewall rules, connection timeouts, port exhaustion. L7 (Application): DNS resolution, certificate errors, proxy misconfig.

Remember: The packet path is "APP → Socket → TCP/UDP → IP → NIC → Wire." Think "A STUN Wire" — App, Socket, Transport, Unstoppable Network, Interface, Wire.

Example: When curl sends a request, it writes to a socket fd; the kernel handles TCP segmentation and IP routing, and the NIC driver puts the resulting frames on the wire.

2. What is a VLAN, and why does traffic between VLANs require a router?

A VLAN (Virtual LAN) segments a physical switch into multiple logical broadcast domains. Because each VLAN is a separate Layer 2 network, a router (or L3 switch doing inter-VLAN routing) is needed to forward traffic between them.

Gotcha: Any host in the same VLAN can redirect traffic by sending forged ARP replies (ARP cache poisoning), which is one reason to keep untrusted hosts out of the VLAN that holds your gateway and servers. Inspect the cache with: arp -a or ip neigh show, and compare the gateway's MAC against a known-good value.

Remember: ARP = "Address Resolution Protocol" — resolves IP to MAC, not the other way around.
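The cache check above can be automated. This is an added example, not part of the deck: it parses the default line format of `ip -4 neigh show` and flags the two symptoms of poisoning that show up in a neighbor cache, a single MAC claimed by several IPs and a gateway whose MAC no longer matches a recorded baseline. The sample output, gateway address and baseline MAC are constructed for the example.

```python
"""Added example (not from the deck): look for ARP-poisoning symptoms in the
output of `ip -4 neigh show`. The sample output and the baseline gateway MAC
below are constructed; on a live host replace them with your own."""
import re
import subprocess
from collections import defaultdict

# Default `ip -4 neigh show` line: "<ip> dev <iface> [lladdr <mac>] <STATE>".
# Entries in FAILED/INCOMPLETE state carry no lladdr field.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$",
    re.IGNORECASE,
)

# Constructed sample: the gateway (.1) and another host (.20) share a MAC,
# and that MAC is not the gateway's known-good one.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.0.2.30 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE
192.0.2.40 dev eth0 FAILED
"""
GATEWAY_IP = "192.0.2.1"
BASELINE_GATEWAY_MAC = "00:0c:29:de:ad:01"  # assumed value, recorded on a known-good day


def parse_neigh(output):
    """Parse neighbor-cache lines into (ip, dev, mac, state); mac is None when absent."""
    entries = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            entries.append((m["ip"], m["dev"], mac, m["state"]))
    return entries


def find_suspicious(entries, gateway_ip, baseline_gateway_mac=None):
    """Return findings as strings. An empty list means nothing looked poisoned."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, _dev, mac, _state in entries:
        if mac:
            ips_by_mac[mac].add(ip)
    # One MAC answering for several IPs is the signature of a host spoofing replies
    # (a router doing proxy ARP is the legitimate exception, so confirm before acting).
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {len(ips)} IPs: {sorted(ips)}")
    gw = [e for e in entries if e[0] == gateway_ip]
    if not gw:
        findings.append(f"gateway {gateway_ip} has no neighbor entry (not resolved yet?)")
    elif baseline_gateway_mac and gw[0][2] != baseline_gateway_mac.lower():
        findings.append(
            f"gateway {gateway_ip} MAC {gw[0][2]} differs from baseline {baseline_gateway_mac}"
        )
    return findings


def check_live(gateway_ip, baseline_gateway_mac=None):
    """Run against the real cache; needs the iproute2 `ip` binary on PATH."""
    out = subprocess.run(
        ["ip", "-4", "neigh", "show"], capture_output=True, text=True, check=True
    ).stdout
    return find_suspicious(parse_neigh(out), gateway_ip, baseline_gateway_mac)


if __name__ == "__main__":
    for finding in find_suspicious(parse_neigh(SAMPLE_NEIGH), GATEWAY_IP, BASELINE_GATEWAY_MAC):
        print("SUSPICIOUS:", finding)
```

Run on the sample it reports both the shared MAC and the gateway mismatch; call `check_live()` for the real cache. Note that this only sees poisoning that has already landed in the host's cache; stopping it at the source is a switch-side job (Dynamic ARP Inspection or equivalent), which is outside this deck.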

3. What modern Linux command replaces ifconfig, route, and arp, and what does it do?

The "ip" command replaces all three. It handles interface configuration (ip addr), routing tables (ip route), and neighbor/ARP entries (ip neigh).

Remember: "NAT = Network Address Translation." Three types: SNAT (rewrite the source address to a fixed address), DNAT (rewrite the destination, e.g. port forwarding), masquerade (SNAT to whatever address the outgoing interface currently has, for dynamic IPs). Example: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.

Fun fact: Your home router does NAT for every device — all share one public IP.

Name origin: The `ip` command is part of the iproute2 package, originally written by Alexey Kuznetsov. It replaced net-tools (ifconfig, route, arp), which most distributions have deprecated in favour of iproute2.

🟡 Medium (4)

1. What does Spanning Tree Protocol (STP) prevent, and how does RSTP improve on classic STP?

STP prevents Layer 2 loops in redundant topologies by blocking redundant paths. Classic STP (802.1D) takes 30-50 seconds to converge after a topology change. RSTP (802.1w, Rapid STP) converges in seconds, significantly reducing downtime during failover.

Remember: "DNS is the phone book of the internet." Query flow: stub resolver → recursive resolver → root → TLD → authoritative.

Gotcha: DNS caching means changes take time to propagate. Check TTL with: dig +noall +answer example.com (the TTL in seconds is the second column of each answer record).

Name origin: STP was invented by Radia Perlman at DEC in 1985. She famously wrote: "I think that I shall never see / A graph more lovely than a tree."

2. What is the correct layer-by-layer troubleshooting order for network connectivity issues?

L1: Check cable/link (ethtool, link LED). L2: Check ARP/MAC (ip neigh, arping). L3: Ping gateway, then destination (ping, ip route). L4: Check port reachability (ss -tlnp on the server for a listener, curl from the client). DNS: Verify name resolution (dig). Always start from the bottom — if L1 is down, nothing above matters.

Remember: "Start from the bottom." If L1 (physical) is down, nothing above it matters. Check cables and link lights first.
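The layer-by-layer procedure above, written out as a script that stops at the first failing layer. This is an added example, not from the deck; it assumes a Linux host with ethtool, iputils arping, ping, nc and dig on PATH, and the interface, addresses, hostname and port in `main` are placeholders. The command runner is injectable so the ordering logic can be exercised without a network.

```python
"""Added example (not from the deck): run the card's bottom-up checks in order
and stop at the first layer that fails. Assumes a Linux host with ethtool,
iputils arping, ping, nc and dig on PATH; interface, addresses and port used
below are placeholders."""
import shutil
import subprocess


def build_plan(iface, gateway, dest_ip, dest_name, port):
    """Ordered checks as (layer, description, argv). Each argv exits 0 on success."""
    return [
        ("L1", f"link detected on {iface}",
         ["sh", "-c", f"ethtool {iface} | grep -q 'Link detected: yes'"]),
        ("L2", f"{gateway} answers ARP on {iface}",
         ["arping", "-c", "2", "-I", iface, gateway]),
        ("L3", f"gateway {gateway} answers ping",
         ["ping", "-c", "2", "-W", "1", gateway]),
        ("L3", f"destination {dest_ip} answers ping",
         ["ping", "-c", "2", "-W", "1", dest_ip]),
        # ss -tlnp shows the listener on the server; from the client the test is a TCP connect.
        ("L4", f"TCP port {port} on {dest_ip} accepts connections",
         ["nc", "-z", "-w", "3", dest_ip, str(port)]),
        # DNS last: it needs L3/L4 to the resolver, so a failure here is not a lower-layer symptom.
        ("DNS", f"{dest_name} resolves",
         ["sh", "-c", f"dig +short {dest_name} | grep -q ."]),
    ]


def exec_runner(argv):
    """Default runner: execute argv and return its exit status."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def run_plan(plan, runner=exec_runner):
    """Run checks bottom-up. Returns (passed, first_failure); first_failure is
    (layer, description, command) or None when every check passed."""
    passed = []
    for layer, desc, argv in plan:
        if runner(argv) == 0:
            passed.append((layer, desc))
        else:
            # Anything above this layer would fail as a symptom, so stop here.
            return passed, (layer, desc, " ".join(argv))
    return passed, None


def missing_tools(plan):
    """Names of binaries the plan needs that are not on PATH."""
    needed = {argv[0] for _, _, argv in plan} | {"ethtool", "dig"}
    return sorted(t for t in needed if shutil.which(t) is None)


if __name__ == "__main__":
    plan = build_plan("eth0", "192.0.2.1", "198.51.100.10", "app.example.com", 443)
    missing = missing_tools(plan)
    if missing:
        raise SystemExit(f"install first: {', '.join(missing)}")
    passed, failure = run_plan(plan)
    for layer, desc in passed:
        print(f"OK   {layer}: {desc}")
    if failure:
        layer, desc, cmd = failure
        print(f"FAIL {layer}: {desc}  ({cmd})")
```

The point of the script is the early return in `run_plan`: once L2 fails, a failing ping or curl tells you nothing new, so the output names exactly one layer to fix.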

3. What is OSPF, and why would a DevOps engineer care about OSPF adjacency status?

OSPF (Open Shortest Path First) is a link-state routing protocol where each router knows the full topology of its area and uses cost (based on bandwidth) to pick the best path. If the server's default gateway is an OSPF router and the OSPF adjacency drops, the route disappears and the server loses connectivity to remote subnets.

Name origin: OSPF = Open Shortest Path First. Uses Dijkstra's algorithm (devised in 1956, published in 1959) to calculate shortest paths.

4. How does BGP differ from OSPF, and when is BGP used?

BGP is a path-vector protocol that is policy-based rather than choosing just the shortest path. eBGP runs between different organizations (autonomous systems) and is the protocol of the internet. iBGP runs within an organization. BGP is used at enterprise network edges and in cloud environments (e.g., AWS Direct Connect and Site-to-Site VPN exchange routes with your on-premises router over BGP).

Number anchor: BGP manages ~900,000+ IPv4 routes in the global internet routing table (2024). It's the glue that holds the internet together.

🔴 Hard (3)

1. What is the native VLAN on a trunk port, and what security risk does the default native VLAN present?

The native VLAN carries untagged frames on an 802.1Q trunk port. The default is VLAN 1, which is also the default access VLAN and is commonly used for management traffic. The risk is double tagging: a host in the native VLAN sends a frame with two 802.1Q tags, the outer one for the native VLAN and the inner one for a victim VLAN. The first switch strips the outer tag (native traffic goes untagged on the trunk), and the next switch reads the inner tag and forwards the frame into a VLAN the host should not reach. Best practice is to change the native VLAN to an unused VLAN with no access ports in it and, where the switch supports it, to tag the native VLAN on trunks so nothing leaves untagged.

Gotcha: VLAN 1 is the default native VLAN on most switches and usually cannot be deleted. Move the native VLAN to an unused VLAN, keep access ports out of it, and disable trunk negotiation (DTP) on access ports so a host cannot talk its port into becoming a trunk.
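To see what the double-tagged frame described above looks like on the wire, here is an added example, not part of the deck: a small 802.1Q parser that walks the tag stack of a raw Ethernet frame and flags frames whose outer tag is the trunk's native VLAN and which carry a second tag underneath. The frames are constructed inline; on a real host the bytes would come from tcpdump or an AF_PACKET socket.

```python
"""Added example (not from the deck): parse 802.1Q tags from a raw Ethernet
frame and flag double-tagged frames whose outer tag is the trunk's native VLAN,
the shape used in a double-tagging VLAN-hopping attack. The frames below are
constructed; a real capture would come from tcpdump or an AF_PACKET socket."""
import struct

TPIDS = {0x8100, 0x88A8}  # C-tag and S-tag (QinQ) tag protocol identifiers


def parse_vlan_tags(frame):
    """Return (dst_mac, src_mac, [vid, ...], inner_ethertype) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    vids = []
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated before EtherType")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in TPIDS:
            return dst, src, vids, ethertype
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4


def double_tag_finding(frame, native_vlan):
    """Describe the hop a double-tagged frame would make, or None if it is benign."""
    _dst, src, vids, _etype = parse_vlan_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return (f"double-tagged frame from {src}: outer VID {vids[0]} is the native VLAN "
                f"and would be stripped on the trunk; inner VID {vids[1]} would be delivered")
    return None


def build_frame(dst, src, vids, ethertype, payload):
    """Constructed test input: Ethernet header, one 802.1Q tag per VID, then payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


# Constructed frames: an ARP broadcast tagged [native 1, victim 20] and a normal single-tagged one.
ATTACK_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], 0x0806, b"\x00" * 28)
NORMAL_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", [20], 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, frame in (("attack", ATTACK_FRAME), ("normal", NORMAL_FRAME)):
        print(name, parse_vlan_tags(frame)[2], double_tag_finding(frame, native_vlan=1))
```

With `native_vlan=1` the attack frame is flagged; with the native VLAN moved to an unused ID the same frame is not, because the outer tag would no longer be stripped and the inner tag would never be read. The attack is one-way (the victim's replies cannot take the same path back), which is why it is used to inject traffic into a VLAN rather than to hold a conversation with it.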

2. When would you use tcpdump vs mtr for network troubleshooting, and what does each tool do?

tcpdump captures raw packets on an interface for protocol-level debugging (handshakes, payload inspection, retransmits). mtr combines continuous traceroute and ping to show per-hop latency and packet loss over time. Use tcpdump when you need to see exactly what is on the wire; use mtr when you need to find where in the path packets are being lost or delayed.

Remember: "tcpdump = what's on the wire (packet-level). mtr = where packets are lost (path-level)." Use both for different questions.

3. What is the difference between static and dynamic routing, and when is each appropriate?

Static routes are manually configured and do not adapt to topology changes — good for simple stub networks with a single exit path. Dynamic routing uses protocols (OSPF, BGP) that exchange route information automatically and adapt to failures. Use static for simplicity where redundancy is not needed; use dynamic for complex topologies where automatic failover and path optimization are required.

Analogy: Static routing is like printing directions from Google Maps. Dynamic routing is like having GPS that reroutes when there's traffic.