Stage 4 · Summary

Summary, revision, and practice

A short recap stage for fast recall, scenario drilling, and a cleaner next-step plan. Covers 16+ key concepts across 3 stages and 15 assessment domains with 45 practice questions.

Network Models revision poster

A single visual recap of models, identifiers, request flow, transport, security, and evidence.

The whole course on one page: 21 modules, three stages A three-column revision poster. Each column is a course stage with a stage banner at top and module cards below. Foundations (modules 1-8) on the left, Applied (modules 9-16, emphasised) in the middle, Practice-Strategy (modules 17-21) on the right. Each card shows the module number and slug, the title, a one-line takeaway, and the primary source standard. Reading down a column walks the stage in module order. FOUNDATIONS Modules 1 to 8 MOD 1 · F1 OSI vs TCP-IP Two models, one job: name where eviden ce lives. RFC 1122, 1123 MOD 2 · F2 Encapsulation and hop rewr ite L2 frame is rewritten at every hop; L3 packet survives. RFC 791, 9293 MOD 3 · F3 Model mismatch in practice Layers blur in TLS and QUIC; name the responsibility instead. RFC 8446, 9000 MOD 4 · F4 Layer responsibility map Each layer owns one observable test. RFC 1122, 9110 MOD 5 · F5 Identifiers and scope MAC, IP, port, name: each has scope an d rewrite point. IEEE 802.3, RFC 791 MOD 6 · F6 CIDR and subnetting Prefix length defines local vs remote; off-by-one is a real bug. RFC 4632 MOD 7 · F7 URL to first byte DNS, TCP, TLS, HTTP each add measurabl e cost. RFC 9110, W3C RT MOD 8 · F8 Diagnosis note format Symptom, hypothesis, evidence, next sa fe test. NIST SP 800-115 APPLIED Modules 9 to 16 MOD 9 · A1 TCP reliability and flow c ontrol Throughput is bounded by window over R TT. RFC 9293, 5681 MOD 10 · A2 DNS in practice Hierarchy walk on miss; cache on TTL; precise RCODEs. RFC 1034, 1035, 9499 MOD 11 · A3 UDP, QUIC, real-world trad eoffs Each transport draws its own protocol- vs-app line. RFC 768, 9000, 9114 MOD 12 · A4 Routing and forwarding Control plane learns; data plane spend s; longest prefix wins. RFC 4271, 1812 MOD 13 · A5 NAT and state PAT works because the gateway remember s; entries time out. RFC 3022, 5382 MOD 14 · A6 TLS, what it protects Channel only; endpoints and east-west need their own controls. RFC 8446 MOD 15 · A7 Troubleshooting method Diagnose by loop, not by guess. One ch ange, one test. NIST SP 800-115 MOD 16 · A8 Applied capstone Slow page is a measurement problem bef ore it is a config problem. RFC 9110, curl PRACTICE-STRATEGY Modules 17 to 21 MOD 17 · P1 Security controls by layer Place each control at the layer where the threat is visible. NIST SP 800-53, 800-207 MOD 18 · P2 Observability signals Pick the signal that best answers the question you have. OTel, RFC 3954 MOD 19 · P3 Packet captures A capture point sees only what crosses it; capture with discipline. BPF, tcpdump MOD 20 · P4 Segmentation and blast rad ius Default deny, explicit allow. Pre-inci dent geometry caps the spread. IEEE 802.1Q, NIST SP 800-41 MOD 21 · P5 Practice capstone Reconcile green dashboards with red us ers by walking the stack. NIST SP 800-61 R3 Read down any column to walk a stage. Read across to see how the same skill develops from vocabulary to operations. built by ransfordsnotes.com

21 modules, three stages, one method. Foundations name the model. Applied walk every protocol. Practice-Strategy add controls, signals, and segmentation.

Troubleshooting routine poster

A reusable request diagnosis routine for future incidents and practice notes.

Troubleshooting routine + per-layer commands · pin this next to your screen Two regions. Top region THE LOOP shows four phase pills (Step 1 Observe emphasis, Step 2 Pick, Step 3 Test, Step 4 Read) connected by red arrows; a curved dashed loop-back arrow with the label 'pass goes to next function, fail names fault here'. Bottom region is a six-row command shelf with columns LAYER, QUESTION, COMMAND TO RUN, PASS / FAIL interpretation. Rows: DNS (dig +trace), IP path (mtr), TCP (nc), TLS (openssl s_client), HTTP (curl -v), App / capture (tcpdump). THE LOOP One change. One test. Loop until the layer is named. STEP 1 Observe who, where, when STEP 2 Pick first unproven function STEP 3 Test one safe command STEP 4 Read literal output pass → next function, fail → fault here LAYER QUESTION COMMAND TO RUN PASS DNS Does the name resolve? dig +trace example.com PASS · ANSWER section returned FAIL · NXDOMAIN / SERVFAIL / timeout IP path Does the path complete? mtr -rwbc 100 example.com PASS · 0% loss, stable RTT FAIL · loss at hop, asymmetric jump TCP Does the port accept? nc -vz example.com 443 PASS · succeeded FAIL · refused / timed out TLS Does the cert verify? openssl s_client -connect host:443 -servername hos t PASS · Verify return code: 0 (ok) FAIL · alert 42 / 48, chain incomplete HTTP What does the server return? curl -v -o /dev/null https://example.com PASS · 2xx, time_starttransfer < SLO FAIL · 5xx, slow TTFB, redirect loop App / capture What is on the wire? tcpdump -i any -w cap.pcap 'tcp port 443 and host x' PASS · expected SYN, data, FIN sequence FAIL · RST mid-flow, no response built by ransfordsnotes.com

Diagnose by loop: OBSERVE, PICK, TEST, READ. At each layer run the canonical command and read its output literally. Never change two things at once.

Scenario decision map

Common symptoms map to different first tests and different owners.

First three minutes by symptom · the on-call cheatsheet A six-row, four-column decision matrix. Columns: SYMPTOM (what users report) plus detail, WHO TO CALL (primary plus secondary), CHECK FIRST (specific safe test), REVISIT MODULE. Rows cover the most common symptoms (domain does not load, browser cert warning, slow only for one region (emphasis), 503 spikes, long-idle SSH drops, dashboards green users red). Each row names a single concrete first action. SYMPTOM (what users report) WHO TO CALL CHECK FIRST REVISIT MODULE Domain does not load anywhere users see 'this site can't be reached' DNS owner + platform dig +trace from a clean resolver ; verify NS records MODULE 10 Browser warns 'not secure' cert error red bar in chrome TLS owner + security openssl s_client to see full cha in; check SAN, expiry MODULE 14 Slow only for one region EU OK, US slow today network + edge / CDN real-user metrics sliced by regi on; mtr from affected MODULE 21 503 service unavailable spikes 30% of checkouts failing app on-call + platform app logs for upstream errors; se curity-group recent changes MODULE 16 + 20 Long-idle SSH or TCP drops session 'hangs' after 30 min yourself + network NAT mapping expiry; enable TCP k eepalives MODULE 13 Dashboards green, users red internal checks pass, external probes fail comms + network external synthetic + BGP monitor s (Module 18 lesson) MODULE 18 + 21 If the symptom does not match a row, write it on this poster after the incident. Future-you will thank present-you. built by ransfordsnotes.com

Each symptom has a first three minutes. Look it up; do not guess. The first action determines whether the next hour is investigation or recovery.

Next-action checklist

A concise checklist for applying the course to real systems.

Incident runbook · what to do, in order, at each phase A four-column kanban runbook. Columns: DETECT (first 5 minutes), TRIAGE (first 15 minutes, emphasis), INVESTIGATE (next 30 minutes), RECOVER + LEARN (after restoration). Each column has a header (phase, time budget, why) and a stack of checkbox items. Emphasis items mark the steps most often skipped: confirm impact size in DETECT, roll back the most recent deploy in TRIAGE, write the diagnosis note before the standup in RECOVER + LEARN. DETECT FIRST 5 MINUTES Confirm a real impact exists Open the external probe dash board, not the internal one Confirm impact size: request s/min, regions, tenants Open the incident channel an d post the first sentence Page the on-call for the mos t likely owning team TRIAGE FIRST 15 MINUTES Stabilise users before chasing root cause Roll back the most recent de ploy in the affected path Re-route traffic away from b roken region or instance Publish the status-page note with a one-sentence claim Decide if this is a sev1 / s ev2 / sev3 (impact + duratio n) INVESTIGATE NEXT 30 MINUTES Find the layer, not the line o f code Walk the layers (DNS, IP, TC P, TLS, HTTP, app) One change, one test. Record each test verbatim Pull a focused tcpdump only if the layer is identified Slice every metric by the af fected segment RECOVER + LEARN AFTER RESTORATION Capture the lesson before memo ry fades Verify the fix with the same observable that proved the fault Write the diagnosis note bef ore the standup File the postmortem with tim eline + ticked decisions Add the alert that would hav e caught this 10 min earlier Treat this as a runbook, not a recommendation. Print it; tick the checkboxes as you go. The emphasised items are the ones that get skipped most often. built by ransfordsnotes.com

Each phase has a small number of explicit actions. Tick them in order. Skipping ahead is how incidents become outages.


Test what you remember

Each card shows a concept prompt. Click to reveal the answer. If you can recall the answer before flipping, move on. If not, that topic needs revision.

Foundations
Applied
Practice

Practice by domain

Expand any domain to run 3 quick scenario questions with instant feedback. Domains you struggle with are the ones to revisit in the course modules.


Assess and certify

When you feel confident, take the practice assessment (untimed, with feedback) or the stage test (timed, pass/fail). Both contribute to your CPD evidence record.

LearnReviseCertify