Network Models, Addressing, and Routing Clues

What Domain 4 Actually Tests

Networking questions on the ISC2 Certified in Cybersecurity (CC) exam rarely ask you to subnet by hand or configure a router. They ask whether you can read a short scenario and name the layer, the address type, the protocol behavior, or the likely control. Know the logistics so you pace yourself: the current outline is effective October 1, 2025, the next outline takes effect September 1, 2026, the exam is Computerized Adaptive Testing (CAT), you get 2 hours for 100 to 125 items, and you need 700 out of 1000 to pass. The five domain weights are 26, 10, 22, 24, and 18 percent.

Domain 4, Network Security, is the 24 percent domain — second-largest, so these clues earn real points.

OSI and TCP/IP Models

The Open Systems Interconnection (OSI) model splits network activity into seven layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) model collapses them into four. Match the clue to the layer rather than memorizing definitions.

A memory hook for OSI top-to-bottom is All People Seem To Need Data Processing. Read a help-desk ticket like a layer detective: "The workstation has a link light, can ping its gateway, but cannot reach websites by name." The link light means Layer 1 is up; the gateway ping means Layers 2 and 3 work locally; the name failure points to DNS, an application-layer dependency.

IPv4 Essentials

IPv4 uses 32-bit addresses written as four decimal octets such as 192.168.10.25. A host normally needs four settings: an IP address, a subnet mask (which destinations are local), a default gateway (the router for everything non-local), and a DNS server (names to addresses).

Memorize these ranges — they appear as scenario clues:

• 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — private (RFC 1918), not routed on the public internet, usually translated by Network Address Translation (NAT) at the edge.
• 127.0.0.0/8, especially 127.0.0.1 — loopback, meaning "this same host."
• 169.254.0.0/16 — Automatic Private IP Addressing (APIPA), a self-assigned address that signals DHCP failed to deliver a lease.

IPv6 Essentials

IPv6 uses 128-bit addresses in eight hexadecimal groups, such as 2001:db8:10:20::25, where the double colon (::) compresses one run of zeros. IPv6 uses prefixes (for example /64) instead of dotted masks. fe80::/10 is link-local (valid only on the local link); a global unicast address is internet-routable; and 2001:db8::/32 is reserved for documentation only — never live traffic.

Most IPv6 exam items need no math. Look for whether a device has only a link-local address (no routing), whether DNS has an AAAA record, or whether a firewall rule covers IPv6 as well as IPv4. A classic trap: assuming "we don't use IPv6" while hosts still have it enabled and unmonitored — an attacker can ride that ignored stack.

Reading Network Clues (Triage)

Use the symptom to narrow the layer, then act:

• No link light, no Wi-Fi association, damaged cable — physical.
• Duplicate-IP warning, wrong mask, missing gateway — addressing.
• Reaches IPs but not names — DNS.
• Reaches the local subnet but not remote networks — gateway or routing.
• One application fails only — port, protocol, firewall, or service.

The security value is disciplined triage. When a user cannot reach an internal web app, the first question is not "Which attack happened?" but "Does the path exist, does name resolution work, is the right port open, and is encryption expected?" Strong CC reasoning separates evidence from assumption and resists jumping to malware when a failed DHCP lease, wrong gateway, or blocked port already explains the symptom.

Switches, Routers, and How Delivery Works

Two devices anchor most addressing questions. A switch operates at Layer 2 (data link), forwarding Ethernet frames using a Media Access Control (MAC) address table; it keeps traffic local and can divide a physical network into logical Virtual Local Area Networks (VLANs). A router operates at Layer 3 (network), forwarding packets between subnets based on IP destination. The mental model: a host compares the destination IP against its own address and subnet mask.

If the destination is on the same subnet, the host delivers the frame directly using the destination MAC (resolved by the Address Resolution Protocol, ARP). If the destination is on a different subnet, the host hands the packet to its default gateway (the router) for forwarding. This is why a missing or wrong gateway breaks remote access while local communication still works — a frequent exam scenario.

Subnet Mask Quick Reference

You will not subnet by hand, but recognize what a mask signals about network size:

A host with the wrong mask may think a remote host is local (and never use the gateway) or think a local host is remote (and waste a hop through the router) — both surface as partial connectivity failures, another classic distractor pattern on Domain 4 items.