RED HAT ENTERPRISE LINUX

TCP/IP Networking Basics

Network Concepts and Configuration Investigation

CIS126RH | RHEL System Administration 1
Mesa Community College

Learning Objectives

1. Understand TCP/IP layers
   Describe the network model and how data flows between layers

2. Work with IP addressing
   Understand IPv4/IPv6 addresses, subnet masks, and CIDR notation

3. Investigate network configuration
   Use ip, ss, and other tools to examine network settings

4. Test and diagnose connectivity
   Use ping, traceroute, and DNS tools to verify and troubleshoot

The TCP/IP Model

Application Layer   HTTP, HTTPS, SSH, DNS, FTP, SMTP
Transport Layer     TCP, UDP
Internet Layer      IP, ICMP, ARP
Data Encapsulation: Data flows down through layers when sending (each layer adds a header) and up through layers when receiving (each layer strips its header).

TCP vs UDP

TCP — Transmission Control Protocol

  • Connection-oriented — establishes session first
  • Reliable delivery — acknowledges every packet
  • Ordered — data arrives in sequence
  • Error checking — retransmits lost packets
  • Flow control — prevents overwhelming receiver

Used by: HTTP, SSH, FTP, SMTP, databases

UDP — User Datagram Protocol

  • Connectionless — no session setup overhead
  • Fast — no acknowledgment or retransmit
  • Unordered — packets may arrive out of order
  • No guaranteed delivery — fire and forget
  • Low overhead — minimal header size

Used by: DNS, NTP, streaming, VoIP, gaming

Ports and Services

A port is a 16-bit number (0–65535) that identifies a specific service or application on a host. Combined with an IP address, it forms a socket.

22     SSH — Secure Shell
80     HTTP — Web (unencrypted)
443    HTTPS — Web (encrypted)
53     DNS — Domain Name System
25     SMTP — Email delivery
3306   MySQL — Database

# View well-known port assignments (DNS is listed under the service name "domain")
[student@server ~]$ cat /etc/services | grep -E "^ssh|^http|^domain|^ftp"

# Check what is listening on a port
[root@server ~]# ss -tlnp | grep :22

IPv4 Addresses

An IPv4 address is a 32-bit number, written as four decimal octets separated by dots. Each octet ranges from 0–255.

192.168.1.100

Network portion    Host portion

Network Portion

Identifies which network the host belongs to. All hosts on the same network share this prefix.

Host Portion

Identifies the specific host within that network. Must be unique on the local network.

Subnet Masks and CIDR

A subnet mask defines which bits of an IP address are the network portion (1s) and which are the host portion (0s). CIDR notation expresses this as a prefix length: /24 means 24 network bits.

CIDR   Subnet Mask        Network Bits   Host Bits   Max Hosts
/8     255.0.0.0          8              24          16,777,214
/16    255.255.0.0        16             16          65,534
/24    255.255.255.0      24             8           254
/28    255.255.255.240    28             4           14
/30    255.255.255.252    30             2           2
Example: 192.168.1.100/24 → network 192.168.1.0, broadcast 192.168.1.255, hosts .1–.254

Private vs Public Addresses

Private Address Ranges

Reserved for internal networks — not routed on the Internet:

10.0.0.0/8        ~16M addresses
172.16.0.0/12     ~1M addresses
192.168.0.0/16    ~65K addresses

Require NAT to reach the Internet

Special Addresses

127.0.0.1          Loopback (localhost)
169.254.0.0/16     APIPA (no DHCP)
0.0.0.0            All interfaces (bind)
255.255.255.255    Broadcast
169.254.x.x address? Your host couldn't reach a DHCP server and self-assigned an address — network connectivity will fail.
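
The arithmetic behind the CIDR table and the private and special ranges above, as an added example that is not part of the course slides: the mask is the prefix length's worth of 1 bits, and the network, broadcast and host range follow from AND/OR against it. The function names are this example's own, and 127.0.0.0/8 is used as the full loopback block.

```bash
#!/bin/sh
# Added example (not from the course material): subnet arithmetic in POSIX sh.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted decimal
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask P -> netmask for prefix length P as an integer (P leading 1 bits)
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_info ADDR/PREFIX -> "netmask network broadcast first_host last_host max_hosts"
# Valid for /1 to /30; /31 and /32 have no separate network/broadcast addresses.
cidr_info() {
    mask=$(prefix_mask "${1#*/}")
    net=$(( $(ip_to_int "${1%/*}") & $mask ))
    bcast=$(( $net | (~$mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$mask") $(int_to_ip "$net") $(int_to_ip "$bcast")" \
         "$(int_to_ip $(($net + 1))) $(int_to_ip $(($bcast - 1))) $(($bcast - $net - 1))"
}

# in_cidr ADDR NET/PREFIX -> exit status 0 when ADDR lies inside the network
in_cidr() {
    m=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & $m )) -eq $(( $(ip_to_int "${2%/*}") & $m )) ]
}

# addr_class ADDR -> loopback | link-local | private | public
addr_class() {
    if   in_cidr "$1" 127.0.0.0/8;    then echo loopback
    elif in_cidr "$1" 169.254.0.0/16; then echo link-local
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 ||
         in_cidr "$1" 192.168.0.0/16; then echo private
    else echo public
    fi
}

cidr_info 192.168.1.100/24   # the example address from the CIDR slide
```

The /12 case is the one worth checking by hand: 172.31.255.254 is private, 172.32.0.1 is not.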

IPv6 Addresses

IPv6 uses 128-bit addresses written as eight groups of four hex digits separated by colons. One run of two or more consecutive all-zero groups can be replaced with :: (once per address).

# Full IPv6 address
2001:0db8:0000:0000:0000:0000:0000:0001

# Simplified (leading zeros removed, :: for consecutive zero groups)
2001:db8::1

# Link-local address (auto-configured, always starts with fe80)
fe80::a00:27ff:fe4e:66a1

# Loopback (equivalent to 127.0.0.1)
::1

IPv6 Benefits

  • Vastly larger address space (2^128)
  • Built-in IPsec support
  • Auto-configuration (SLAAC)
  • No need for NAT

Common Prefixes

  • fe80::/10 — Link-local
  • fc00::/7 — Unique local (private)
  • 2001:db8::/32 — Documentation
  • ::1/128 — Loopback

DNS — Domain Name System

DNS translates human-readable hostnames into IP addresses. Without DNS, you would need to know the IP address of every server you want to reach.

# DNS resolver configuration
[student@server ~]$ cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com

# Local static hostname resolution (/etc/hosts takes priority)
[student@server ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.168.1.10 webserver.example.com webserver

DNS — Resolution Order

# Name Service Switch — controls resolution order
[student@server ~]$ grep hosts /etc/nsswitch.conf
hosts:      files dns myhostname
# files = /etc/hosts first, then dns (nameservers), then hostname

Common DNS Record Types

A       IPv4 address for a hostname
AAAA    IPv6 address for a hostname
CNAME   Alias to another hostname
MX      Mail server for domain
NS      Authoritative nameservers
PTR     Reverse lookup (IP → name)

Key Files

/etc/resolv.conf      DNS servers to query
/etc/hosts            Static name mappings
/etc/nsswitch.conf    Resolution order

Network Interfaces

A network interface represents a network connection — physical (Ethernet, Wi-Fi) or virtual (loopback, bridge, VLAN). Modern RHEL uses predictable network interface names.

Name Pattern   Type                           Example
lo             Loopback (localhost)           lo
eno*           Onboard Ethernet               eno1, eno2
ens*           PCI Express hotplug slot       ens33, ens192
enp*s*         PCI bus location               enp0s3, enp3s0
enx*           MAC-based stable name          enx001122334455
wl*            Wireless LAN                   wlp2s0
Predictable names: Replace eth0/eth1 from older Linux. Names encode the hardware location so they are stable across reboots and hardware changes.

The ip Command — Addresses

# Show all interfaces and addresses
[student@server ~]$ ip addr show
[student@server ~]$ ip a                    # Short form

# Show specific interface
[student@server ~]$ ip addr show ens33

# Show only IPv4 or IPv6
[student@server ~]$ ip -4 addr
[student@server ~]$ ip -6 addr

# Brief one-line-per-interface output
[student@server ~]$ ip -br addr
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.1.100/24 fe80::a00:27ff:fe4e:66a1/64
ip -br addr is the quickest way to see all interface addresses at a glance — one line per interface.

The ip Command — Link Layer

# Show link layer info (MAC addresses, state)
[student@server ~]$ ip link show
[student@server ~]$ ip l                    # Short form

# Brief link status
[student@server ~]$ ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
ens33            UP             00:0c:29:4e:66:a1 <BROADCAST,MULTICAST,UP,LOWER_UP>

Interface Flags

UP           Interface is enabled
LOWER_UP     Physical link detected (cable connected)
BROADCAST    Supports broadcast (Ethernet)
MULTICAST    Supports multicast

Useful ip Subcommands

ip addr     Layer 3 addresses
ip link     Layer 2 (MAC, state)
ip route    Routing table
ip neigh    ARP/neighbor table

Understanding ip addr Output

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:4e:66:a1 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic noprefixroute ens33
       valid_lft 86400sec preferred_lft 86400sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link noprefixroute

Interface name: ens33

Flags: UP (enabled), LOWER_UP (link detected)

MTU: 1500 bytes (standard Ethernet)

MAC address: 00:0c:29:4e:66:a1

IPv4: 192.168.1.100/24 (dynamic = DHCP)

IPv6: fe80:: (link-local, auto-config)

scope global: address is routable

valid_lft: DHCP lease time remaining

Viewing Routes

# Show routing table (two equivalent forms)
[student@server ~]$ ip route show
[student@server ~]$ ip r                    # Short form
default via 192.168.1.1 dev ens33 proto dhcp metric 100
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.100 metric 100

# Show IPv6 routes
[student@server ~]$ ip -6 route

# Show which route a specific destination would use
[student@server ~]$ ip route get 8.8.8.8
8.8.8.8 via 192.168.1.1 dev ens33 src 192.168.1.100 uid 1000
Key routes explained:
default via 192.168.1.1 — all traffic not matching a specific route goes to gateway 192.168.1.1
192.168.1.0/24 dev ens33 — this network is directly connected on ens33

Viewing Connections: ss

# Show all sockets
[student@server ~]$ ss

# Show TCP connections
[student@server ~]$ ss -t

# Show listening TCP sockets
[student@server ~]$ ss -lt

# Show listening UDP sockets
[student@server ~]$ ss -lu

# Show numeric (don't resolve names/ports)
[student@server ~]$ ss -n
ss flag reference: t=TCP, u=UDP, l=listening, n=numeric, p=process name, a=all states
Combine freely: ss -tlnp = listening TCP, numeric, with process names

Reading ss -tlnp Output

# Show listening TCP sockets with process names (requires root)
[root@server ~]# ss -tlnp
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=5678,fd=4))
LISTEN 0      128       [::]:22            [::]:*         users:(("sshd",pid=1234,fd=4))

# Show all connections with details
[student@server ~]$ ss -tulna

Column Meanings

State     Socket state (LISTEN, ESTAB)
Recv-Q    Bytes in receive queue
Send-Q    Bytes in send queue

Common Uses

ss -tlnp    What services are listening?
ss -tn      Active TCP connections
ss -unlp    Listening UDP services
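
One way to turn `ss -tlnp` output into an exposure check (added example, not from the slides): a listener on 0.0.0.0, [::] or * accepts connections on every interface, while one on 127.0.0.1 is reachable only from the host itself. The sample input is constructed in the format shown above; the mysqld line and the function name audit_listeners are assumptions of this example.

```bash
#!/bin/sh
# Added example: classify listening sockets by the address they are bound to.

# Constructed sample in the column layout of `ss -tlnp`.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=5678,fd=4))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=2222,fd=21))
LISTEN 0      128       [::]:22            [::]:*         users:(("sshd",pid=1234,fd=4))'

# audit_listeners: `ss -tlnp` output on stdin -> unique "scope port process" lines
#   exposed = bound to all interfaces (reachable from the network unless the
#             firewall blocks the port)
#   local   = loopback only
#   bound   = one specific interface address
audit_listeners() {
    awk '
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
        proc = "unknown"                         # Process column is empty without root
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "exposed"
        else if (addr ~ /^127\./ || addr == "[::1]")            scope = "local"
        else                                                    scope = "bound"
        print scope, port, proc
    }' | sort -u
}

# On a live host: ss -tlnp | audit_listeners   (run as root to see process names)
printf '%s\n' "$SS_SAMPLE" | audit_listeners
```

Every "exposed" line should correspond to a service that is meant to be reachable and to a port deliberately opened in the firewall.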

Testing Connectivity: ping

# Ping a host (Ctrl+C to stop)
[student@server ~]$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.543 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.412 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.412/0.477/0.543/0.065 ms
# Send exactly 4 packets
[student@server ~]$ ping -c 4 google.com

# Quick check: one packet, 2-second timeout
[student@server ~]$ ping -c 1 -W 2 192.168.1.1 && echo "Host is up"

# Ping IPv6
[student@server ~]$ ping -6 ::1
[student@server ~]$ ping6 fe80::1%ens33    # Link-local needs %interface

Tracing Routes

# Trace the path to a destination (hop by hop)
[student@server ~]$ traceroute google.com
traceroute to google.com (142.250.80.46), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.543 ms  0.412 ms  0.389 ms
 2  10.0.0.1 (10.0.0.1)  5.234 ms  5.112 ms  5.089 ms
 3  isp-router.example.net (203.0.113.1)  12.456 ms
 4  * * *
 5  google-peer.example.net (198.51.100.1)  15.678 ms
 6  142.250.80.46 (142.250.80.46)  16.789 ms
# Use ICMP (often passes firewalls better than default UDP)
[student@server ~]$ traceroute -I google.com

# Test TCP to specific port
[student@server ~]$ traceroute -T -p 443 google.com

# mtr — combines ping and traceroute (real-time updating)
[student@server ~]$ mtr google.com
* * * means a router at that hop did not respond — this is normal for many ISP routers. The route continues past them.

DNS Diagnostic Tools — host and dig

# Simple lookup with host
[student@server ~]$ host google.com
google.com has address 142.250.80.46
google.com has IPv6 address 2607:f8b0:4004:800::200e
google.com mail is handled by 10 smtp.google.com.

# Detailed query with dig
[student@server ~]$ dig google.com
;; ANSWER SECTION:
google.com.             300     IN      A       142.250.80.46

# Query specific record types
[student@server ~]$ dig google.com MX          # Mail servers
[student@server ~]$ dig google.com NS          # Nameservers
[student@server ~]$ dig google.com AAAA        # IPv6 address

DNS Tools — dig Advanced Usage

# Query a specific DNS server (bypass resolv.conf)
[student@server ~]$ dig @8.8.8.8 google.com

# Reverse lookup: IP address to hostname
[student@server ~]$ dig -x 8.8.8.8
[student@server ~]$ host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

# Short output only (just the answer)
[student@server ~]$ dig +short google.com
142.250.80.46

# Trace the DNS delegation from root
[student@server ~]$ dig +trace google.com
Exam tip: Use dig @8.8.8.8 hostname to bypass local DNS and test against a known-good resolver — isolates local DNS configuration problems.

NetworkManager Overview

# Check NetworkManager status
[student@server ~]$ systemctl status NetworkManager

# List all connections
[student@server ~]$ nmcli connection show
NAME     UUID                                  TYPE      DEVICE
ens33    a1b2c3d4-e5f6-7890-abcd-ef1234567890  ethernet  ens33

# Show device status
[student@server ~]$ nmcli device status
DEVICE  TYPE      STATE      CONNECTION
ens33   ethernet  connected  ens33
lo      loopback  unmanaged  --
# Show detailed connection info
[student@server ~]$ nmcli connection show ens33

# Show general network status
[student@server ~]$ nmcli general status
NetworkManager manages network configuration persistently. Changes made with nmcli survive reboots. Changes made directly with ip commands do not.

Troubleshooting Workflow

1. Check interface: ip addr — Is the interface UP? Does it have an IP? (169.254.x.x = DHCP failed)
2. Check gateway: ip route — Is there a default route? ping <gateway IP>
3. Check DNS: cat /etc/resolv.conf — Are nameservers configured? dig @8.8.8.8 <hostname> to bypass local DNS
4. Check service: ss -tlnp — Is the service listening on the expected port?
5. Check firewall: firewall-cmd --list-all — Is the port allowed through the firewall?
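
The first three steps of the workflow as an added example (not from the slides): each check is a filter over the output of the command named in that step, so it works on saved output as well as on a live host. The function names are this example's own.

```bash
#!/bin/sh
# Added example: workflow steps 1-3 as filters over command output.

# check_iface: `ip -br addr` output on stdin -> one finding per non-loopback interface
check_iface() {
    awk '$1 != "lo" {
        v4 = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+\./) { v4 = $i; break }
        if ($2 != "UP")              print $1 ": link is " $2
        else if (v4 == "")           print $1 ": no IPv4 address"
        else if (v4 ~ /^169\.254\./) print $1 ": " v4 " is self-assigned (DHCP failed)"
        else                         print $1 ": ok " v4
    }'
}

# check_route: `ip route` output on stdin -> default gateway; non-zero status if none
check_route() {
    awk '$1 == "default" && $2 == "via" { print $3; found = 1; exit }
         END { exit !found }'
}

# check_dns: resolv.conf content on stdin -> nameserver count; non-zero status if 0
check_dns() {
    awk '$1 == "nameserver" { n++ } END { print n + 0; exit (n == 0) }'
}

# diagnose: run the checks against the live host, stopping at the first broken layer
diagnose() {
    ip -br addr | check_iface
    gw=$(ip route | check_route) || { echo "no default route"; return 1; }
    ping -c 1 -W 2 "$gw" >/dev/null || { echo "gateway $gw unreachable"; return 1; }
    check_dns < /etc/resolv.conf >/dev/null || { echo "no nameservers in resolv.conf"; return 1; }
    echo "steps 1-3 pass; continue with ss -tlnp and firewall-cmd --list-all"
}

# Constructed sample: ens33 fell back to a 169.254.x.x address
printf 'lo UNKNOWN 127.0.0.1/8 ::1/128\nens33 UP 169.254.12.7/16\n' | check_iface
```

Source the file and call diagnose on the host being checked; the individual filters can also be fed output collected earlier.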

Key Takeaways

1. TCP/IP Model: Four layers — Application, Transport, Internet, Link. TCP for reliability, UDP for speed.

2. IP Addressing: IPv4 (32-bit, dotted decimal), IPv6 (128-bit, hex). CIDR /24 = 254 hosts. Private ranges need NAT.

3. Investigation: ip addr for interfaces, ip route for routing, ss -tlnp for listening services.

4. Testing: ping for connectivity, traceroute for path, dig for DNS queries.

Next: Managing Network Configuration