Network Models, Addressing, and Routing Clues

Networking questions on the ISC2 Certified in Cybersecurity exam are usually not asking you to configure a router from memory. They are asking whether you can read a short scenario and identify the layer, address type, protocol behavior, or likely control. The current ISC2 CC exam outline is effective October 1, 2025, and the next outline is effective September 1, 2026. The exam is computer adaptive testing, allows 2 hours, includes 100 to 125 items, and uses a 700 out of 1000 passing grade. The five current domain weights are 26 percent, 10 percent, 22 percent, 24 percent, and 18 percent; Domain 4, Network Security, is the 24 percent domain.

OSI and TCP/IP Models

The OSI model separates network activity into seven layers: physical, data link, network, transport, session, presentation, and application. The TCP/IP model is simpler: link, internet, transport, and application. For CC-level questions, the exact model matters less than recognizing the clue. A broken cable, weak signal, or unplugged port points to physical. A MAC address table, Ethernet frame, or VLAN points to data link. An IP address, subnet, or router points to network. TCP, UDP, ports, and sessions point to transport. DNS, DHCP, HTTP, SSH, SMTP, FTP, SNMP, and RDP point to application.

Think of a help desk ticket: "The workstation has a link light, can ping its gateway, but cannot reach websites by name." The link light suggests physical is up. The gateway ping suggests local Layer 2 and Layer 3 are working. The name failure points toward DNS, an application-layer dependency. Another ticket says, "The system has an address beginning 169.254." That is an automatic private address often seen when DHCP did not provide an IPv4 lease.

IPv4 Essentials

IPv4 uses 32-bit addresses usually written as four decimal octets, such as 192.168.10.25. A host normally needs an IP address, subnet mask, default gateway, and DNS server. The subnet mask tells the host which destinations are local. The default gateway is the router used for destinations outside the local subnet. DNS turns names into IP addresses.

Private IPv4 ranges are common in internal networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are not routed on the public internet and are often translated through NAT at the network edge. Loopback addresses begin with 127, and 127.0.0.1 refers to the local host. An address in 169.254.0.0/16 suggests the device could not get a DHCP lease.

IPv6 Essentials

IPv6 uses 128-bit addresses written in hexadecimal groups, such as 2001:db8:10:20::25. Double colon compression can shorten one run of zeros. IPv6 has a much larger address space and commonly uses prefixes rather than dotted subnet masks. Link-local IPv6 addresses begin with fe80 and are used on the local link. Global unicast addresses are routable. The documentation prefix 2001:db8 is used in examples.

An IPv6 scenario may not require calculations. Look for whether the device has only a link-local address, whether routing is missing, whether DNS has an AAAA record, or whether a firewall rule allows IPv6 as well as IPv4. A security mistake is assuming "we do not use IPv6" while systems still have IPv6 enabled and unmonitored.

Reading Network Clues

Use the symptom to narrow the layer. No link light, no Wi-Fi association, or damaged cable is physical. Duplicate IP warnings, wrong subnet mask, or missing gateway are addressing issues. A host that reaches IP addresses but not names points to DNS. A host that reaches the local subnet but not remote networks points to gateway or routing. A single blocked application may point to a port, protocol, firewall, or service issue.

The security value of this model is triage. If a user cannot reach an internal web application, the first question is not "Which attack happened?" It is whether the path exists, whether name resolution works, whether the right port is open, and whether authentication or encryption is expected. Good analysts separate evidence from assumptions and do not jump to malware when a failed DHCP lease, wrong gateway, or blocked port explains the symptoms.

High-Yield Checkpoints

• The OSI and TCP/IP models help organize where a network problem or security control fits.
• IPv4 addresses, subnet masks, gateways, and private ranges are core clues in connectivity scenarios.
• IPv6 uses 128-bit hexadecimal addressing and depends heavily on correct prefix and gateway behavior.
• Layer 2 clues often involve MAC addresses, switches, VLANs, and local delivery; Layer 3 clues involve IP addressing and routing.
• ISC2 CC currently uses an outline effective October 1, 2025, with a new outline effective September 1, 2026; Domain 4 is weighted 24 percent.