2.4 CompTIA A+ · Core 1 (220-1201) · Domain 2 — Networking

Explain Common Network
Configuration Concepts

Objective 2.4 Domain weight: 20% DNS · DHCP · VLAN · VPN

OVERVIEWIntroduction to Network Configuration

Every functional network depends on a small set of foundational services that operate silently behind the scenes. When you type a website address into a browser, a chain of automated systems translates that name to a numeric address, assigns your device a valid network configuration, routes your packets through the correct network segment, and — when needed — encrypts your traffic across an untrusted link. These services are DNS, DHCP, VLANs, and VPNs.

For the A+ technician, these concepts appear constantly in the field. A device that "can't connect to the internet" is almost always a DNS, DHCP, or default gateway problem. A user who needs to access corporate resources from home requires a VPN. Segmenting a company's employee traffic from guest Wi-Fi requires VLANs. Understanding how each service works — not just what acronym it stands for — is the difference between guessing and diagnosing.

Core Concept

The four technologies in this objective work as a layered system: DHCP automatically assigns IP addresses, subnet masks, default gateways, and DNS server addresses to devices when they join the network. DNS translates human-readable hostnames into IP addresses so devices can actually reach each other. VLANs logically segment a single physical network into isolated broadcast domains. VPNs create encrypted tunnels across untrusted networks so remote devices can participate in a private network securely.

SECTION 1DNS — Domain Name System

The Domain Name System (DNS) is the internet's distributed phonebook. Every device on a network is identified by a numeric IP address — but humans cannot reasonably memorize millions of IP addresses. DNS solves this by maintaining a globally distributed, hierarchical database that maps human-readable hostnames (like www.example.com) to their corresponding IP addresses.

DNS is a critical dependency for nearly all network activity. When DNS fails, users perceive it as "the internet is down" — even though the underlying network connectivity is intact. Diagnosing DNS failures (using tools like nslookup and ping) is a fundamental A+ skill. A device that can ping 8.8.8.8 but cannot reach www.google.com has a DNS problem, not a connectivity problem.

How DNS Resolution Works

DNS Resolution — Step-by-Step (Iterative Query)
01
Client checks local cache. Before querying any server, the client OS checks its DNS cache (ipconfig /displaydns on Windows) for a recently resolved record. If a valid cached record exists, it is returned immediately — no network query needed.
02
Client queries its configured DNS resolver. If the cache misses, the client sends a recursive query to the DNS server configured by DHCP (or manually set). This is typically the ISP's DNS server, a corporate DNS server, or a public resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1).
03
Resolver queries Root servers. The recursive resolver, if it doesn't have the answer cached, contacts one of the 13 root server clusters. Root servers don't know the final answer — they direct the resolver to the correct Top-Level Domain (TLD) server (e.g., the .com TLD server for example.com).
04
Resolver queries the TLD server. The TLD server (.com, .org, .net, etc.) knows which authoritative name server is responsible for the specific domain (example.com) and directs the resolver there.
05
Resolver queries the authoritative name server. The authoritative name server is the definitive source of truth for the domain's DNS records. It returns the actual requested record (e.g., the A record mapping www.example.com to 93.184.216.34).
06
Resolver returns answer to client and caches it. The resolver sends the final answer back to the client and stores it in cache for the duration of the record's TTL (Time to Live) — typically minutes to hours — so future queries for the same name can be answered from cache without repeating the full lookup chain.

DNS Record Types

A DNS zone is composed of individual resource records (RRs). Each record type stores a different kind of information about a domain. The A+ exam requires familiarity with the five most common record types: A, AAAA, CNAME, MX, and TXT.

DNS Zone File — Example Records for example.com
NameTypeValue / DataPurpose
example.com. A 93.184.216.34 Maps domain to IPv4 address
www A 93.184.216.34 www subdomain → IPv4
example.com. AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c Maps domain to IPv6 address
shop CNAME storefront.shopify.com. Alias → canonical hostname
example.com. MX 10 mail.example.com. Mail server; priority 10
example.com. TXT v=spf1 include:_spf.google.com ~all SPF record for email auth
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com DMARC policy record

A Record — IPv4 Address Mapping

The A record (Address record) is the most fundamental DNS record type. It maps a hostname to a 32-bit IPv4 address. When your browser resolves www.google.com, it is ultimately retrieving an A record that contains a numeric IPv4 address like 142.250.80.36.

Format hostname → IPv4 address (e.g., 93.184.216.34). A single hostname can have multiple A records (for load balancing — clients cycle through them), and a single IP can be pointed to by multiple A records (multiple domains hosted on one server).
TTL (Time to Live) Every A record includes a TTL value in seconds. DNS resolvers cache the record for this duration before re-querying. A low TTL (e.g., 300 seconds) allows rapid DNS changes but increases query load. A high TTL (e.g., 86400 = 24 hours) reduces queries but slows propagation of changes.
Round-Robin DNS A common technique for basic load distribution: the same hostname has multiple A records with different IPs. Each DNS query returns the records in a rotating order, distributing client connections across multiple servers — a simple alternative to dedicated load balancers for lower-traffic scenarios.

AAAA Record — IPv6 Address Mapping

The AAAA record (pronounced "quad-A") is the IPv6 equivalent of the A record. It maps a hostname to a 128-bit IPv6 address. The name "AAAA" reflects that an IPv6 address is four times the size of an IPv4 address (128 bits vs. 32 bits).

Modern dual-stack networks publish both A and AAAA records for the same hostname. When a client that supports IPv6 queries DNS, it typically requests both record types simultaneously. If an AAAA record is available, the operating system will prefer the IPv6 address for the connection (per RFC 6724 address selection rules). If AAAA is unavailable, it falls back to the A record and uses IPv4.

A vs. AAAA — The Key Difference

A record → 32-bit IPv4 address (e.g., 192.168.1.1). AAAA record → 128-bit IPv6 address (e.g., 2001:db8::1). Both serve the same purpose — hostname-to-IP mapping — but for different protocol versions. On the A+ exam, if a question involves IPv6 name resolution, the answer involves AAAA records.

CNAME Record — Canonical Name (Alias)

A CNAME record (Canonical Name record) creates an alias — it maps one hostname to another hostname rather than directly to an IP address. The alias is resolved by following the chain: the CNAME points to the canonical name, which is then resolved to an IP via its own A or AAAA record.

Example: A company hosts its online store on Shopify's platform. Shopify assigns them a canonical address of storefront-12345.myshopify.com. The company creates a CNAME record mapping shop.example.comstorefront-12345.myshopify.com. Customers can visit shop.example.com and DNS transparently resolves it through Shopify's infrastructure without the company managing Shopify's IP addresses directly.

CNAME Restrictions

A CNAME cannot exist for the zone apex (the root domain itself, e.g., example.com with no subdomain). A CNAME at the apex would conflict with required SOA and NS records. A CNAME also cannot point to an MX or NS record — only to another hostname. Using a CNAME where an A record is required is a common configuration error that causes complete name resolution failure for the aliased resource.

MX Record — Mail Exchanger

The MX record (Mail Exchanger record) specifies which mail server(s) are responsible for accepting inbound email for a domain. When someone sends email to user@example.com, the sending mail server queries DNS for the MX records of example.com to determine where to deliver the message.

MX records include a priority value (a lower number = higher priority). If a domain has multiple MX records, sending servers try the highest-priority (lowest-numbered) server first, falling back to lower-priority servers if the primary is unavailable. This provides built-in mail delivery redundancy.

MX Records — Priority Example
example.com.  MX  10  mail1.example.com.  ← Primary (tried first)
example.com.  MX  20  mail2.example.com.  ← Secondary fallback
example.com.  MX  30  mail3.example.com.  ← Tertiary fallback

TXT Record — Text Data

The TXT record stores arbitrary human-readable or machine-readable text data associated with a domain. Originally intended for annotations, TXT records have become the de facto standard for domain verification and email authentication because they are easy to create and are globally queryable by any mail server or service.

Common uses of TXT records include domain ownership verification (proving to Google or Microsoft that you control a domain), email authentication policies (SPF, DKIM, DMARC — covered in the next subsection), and service configuration metadata.

SECTION 2Spam Management — DKIM, SPF, and DMARC

Email was designed in the 1970s with no sender authentication whatsoever. Anyone can configure a mail server to send email claiming to be from @anybank.com or @yourcompany.com — a practice called email spoofing that enables phishing, business email compromise, and spam campaigns. Three complementary DNS-based standards were developed to address this: SPF, DKIM, and DMARC. Together, they form the modern email authentication framework used by virtually every major organization.

The Problem These Standards Solve

The SMTP protocol that delivers email has no built-in mechanism to verify that a sender is who they claim to be. A spoofed email claiming to be from ceo@company.com is indistinguishable at the protocol level from a legitimate email sent by the actual CEO — unless the receiving server checks SPF, DKIM, and DMARC records in DNS. These three standards allow receiving mail servers to cryptographically verify sender authenticity and take policy-defined action on failures.

SPF — Sender Policy Framework

SPF (Sender Policy Framework) is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email on behalf of a domain. When a receiving mail server gets a message claiming to be from user@example.com, it queries DNS for the SPF record of example.com and checks whether the sending server's IP address is on the authorized list.

; SPF TXT record for example.com example.com. IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all" ; Breaking it down: ; v=spf1 = SPF version 1 ; ip4:203.0.113.0/24 = authorize this IPv4 range to send mail ; include:_spf.google = authorize all Google Workspace servers ; -all = FAIL (reject) all other senders ("hard fail")
v=spf1 Required prefix declaring this is an SPF version 1 record. Every SPF TXT record must begin with this tag.
ip4 / ip6 mechanism Explicitly authorizes an IPv4 or IPv6 address or CIDR range. Example: ip4:203.0.113.10 authorizes a single IP; ip4:203.0.113.0/24 authorizes a /24 subnet.
include: mechanism Includes the SPF record of another domain. Used when using a third-party email provider: include:_spf.google.com imports Google's full list of authorized sending IPs for Google Workspace.
-all qualifier Hard fail — instructs receiving servers to reject mail from any IP not authorized by the preceding mechanisms. This is the most restrictive and recommended for production domains. ~all (soft fail) marks unauthorized senders as suspicious but doesn't reject. ?all (neutral) takes no action.
SPF Limitation SPF only validates the envelope sender (the technical MAIL FROM: address used during SMTP), not the From: header that users see in their email client. Sophisticated phishing attacks can pass SPF while still displaying a spoofed From address. This is why DKIM and DMARC are needed in addition to SPF.

DKIM — DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) uses public-key cryptography to digitally sign outgoing emails. The sending mail server adds a DKIM-Signature header to each outgoing message, containing a cryptographic signature of selected message headers and the message body. The corresponding public key is published in a DNS TXT record. Receiving servers retrieve the public key and use it to verify that the signature is valid — proving the message was sent by a server holding the private key and that the signed portions have not been modified in transit.

; DKIM public key published as DNS TXT record ; Selector "mail" + _domainkey + domain = full record name mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ..." ; v=DKIM1 = DKIM version ; k=rsa = key type (RSA) ; p=... = the actual Base64-encoded RSA public key

How DKIM Signing Works

Sending side: The outgoing mail server uses its private key to generate a cryptographic hash of selected message headers (From, Subject, Date) and body content. This hash is encoded and attached to the message as the DKIM-Signature header. Receiving side: The receiving server reads the DKIM-Signature header, fetches the domain's public key from DNS, and attempts to verify the signature. If the signature verifies successfully, the message is authentic and unmodified. If verification fails, the message may have been tampered with or was not sent by an authorized server.

Selector A DKIM selector is a label that allows a domain to publish multiple DKIM keys simultaneously — useful when using multiple email providers or rotating keys. The selector appears in the DKIM-Signature header (s=mail) and in the DNS record name (mail._domainkey.example.com).
What DKIM proves DKIM proves two things: (1) the email was sent by a server holding the private key associated with the domain's published public key, and (2) the signed portions of the message have not been altered since signing. This survives email forwarding — unlike SPF, which breaks when a message is forwarded through another server.
DKIM Limitation DKIM by itself doesn't tell a receiving server what to do when verification fails — it only provides the mechanism to check. DKIM also doesn't prevent header spoofing of the visible From: address if the attacker controls a domain that has valid DKIM configured. DMARC ties DKIM and SPF together and adds the policy enforcement layer.

DMARC — Domain-based Message Authentication, Reporting, and Conformance

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that ties SPF and DKIM together. A DMARC TXT record published by a domain tells receiving mail servers two things: (1) how to handle messages that fail SPF and/or DKIM alignment, and (2) where to send reports about authentication results. DMARC closes the gap that SPF and DKIM leave individually — it enforces that the visible From: address is aligned with an authenticated domain.

; DMARC policy record — always at _dmarc.yourdomain _dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=s" ; v=DMARC1 = DMARC version (required) ; p=quarantine = policy: none | quarantine | reject ; pct=100 = apply policy to 100% of failing messages ; rua= = aggregate report destination (daily XML digest) ; ruf= = forensic report destination (per-failure copy) ; adkim=s = DKIM alignment: strict (s) or relaxed (r) ; aspf=s = SPF alignment: strict or relaxed
p=none Monitor mode. No action taken on failing messages — they are delivered normally. Reports are still sent so domain owners can see who is sending email on their behalf before tightening policy. The recommended starting point for deploying DMARC on an existing domain.
p=quarantine Quarantine mode. Messages that fail DMARC are placed in the recipient's spam/junk folder rather than the inbox. Allows recipients to still access potentially legitimate messages that were misconfigured, while filtering out clearly fraudulent email.
p=reject Reject mode. The receiving mail server outright refuses to accept messages that fail DMARC alignment. The most secure policy — spoofed emails from the protected domain are never delivered. Recommended for domains that have fully deployed SPF and DKIM.
Alignment DMARC requires that the domain in either the SPF MAIL FROM or DKIM signature aligns (matches) with the From: header domain that users see. This is the key feature that prevents sophisticated spoofing — even an attacker with a valid SPF record for a different domain cannot pass DMARC alignment for example.com.
Aggregate Reports (rua) Receiving servers send daily XML reports to the rua address summarizing all mail processed for the domain — how many messages passed/failed SPF and DKIM, what IP addresses sent them, and what policy was applied. These reports are essential for discovering unauthorized senders before moving to p=reject.

Exam Focus — SPF, DKIM, DMARC

SPF = TXT record listing authorized sending IPs; validated against the SMTP envelope sender. DKIM = cryptographic signature on outgoing email; public key published as TXT record; survives forwarding. DMARC = policy TXT record at _dmarc.domain; ties SPF and DKIM together; defines what to do with failures (none / quarantine / reject); sends aggregate reports. All three are DNS TXT records. DMARC is the "enforcement" layer — SPF and DKIM are the mechanisms it evaluates.

StandardDNS RecordWhat It ChecksWhat It ProvesLimitation
SPFTXT at domain rootSending server IP vs. authorized listMail came from an authorized serverBreaks on forwarding; only checks envelope, not From: header
DKIMTXT at selector._domainkey.domainCryptographic signature in email headerMessage was signed by a key holder and wasn't modifiedNo policy enforcement; doesn't reject failures on its own
DMARCTXT at _dmarc.domainSPF + DKIM alignment with From: headerPolicy-enforced alignment; reports unauthorized sendersRequires SPF and DKIM to be correctly configured first

SECTION 3DHCP — Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) automates network configuration for client devices. Without DHCP, every device joining a network would require manual configuration of its IP address, subnet mask, default gateway, and DNS server addresses. DHCP eliminates this administrative burden by automatically assigning these parameters to devices when they connect — a process that takes milliseconds and requires no user interaction.

DHCP operates on a client-server model. A DHCP server maintains a pool of available IP addresses and configuration parameters. A DHCP client (any device that needs an IP address) broadcasts a request when it connects to the network. The server selects an available address, assigns it to the client for a defined period (called a lease), and delivers it along with all other network parameters.

The DORA Process — How DHCP Works

DHCP address assignment follows a four-step handshake known by the acronym DORA: Discover, Offer, Request, Acknowledge. This process completes automatically in milliseconds each time a DHCP client connects to a network.

D Discover Client broadcasts to 255.255.255.255 (all networks). "I need an IP address — is there a DHCP server out there?"
O Offer Server responds with an available IP address, lease duration, subnet mask, gateway, and DNS servers — "I offer you this configuration."
R Request Client broadcasts acceptance of the offer. "I am requesting the IP and configuration you offered." (Broadcast so other servers know which offer was accepted.)
A Acknowledge Server confirms the lease, records the assignment, and the client configures its network interface. Lease timer starts.

Why the Discover is a Broadcast

When a client first connects, it has no IP address — therefore it cannot address a unicast packet to a specific server. DHCP Discover messages are sent from source 0.0.0.0 to destination 255.255.255.255 (limited broadcast). All devices on the local network segment receive the broadcast. Only DHCP servers respond with Offers. If the DHCP server is on a different subnet, a DHCP relay agent (often configured on the router) forwards the broadcast as a unicast to the remote server.

DHCP Leases

A DHCP lease is the period of time for which a client is authorized to use an assigned IP address. The DHCP server sets the lease duration; typical values range from 1 hour (for high-turnover environments like hotel Wi-Fi) to 8 days (for stable corporate networks).

Lease Renewal (50%) When 50% of the lease time has elapsed, the client attempts to unicast a DHCP Request directly to the server that issued the lease, asking to renew. If the server responds with an Acknowledge, the lease is reset to full duration. This is a T1 renewal attempt.
Lease Renewal (87.5%) If the T1 renewal at 50% fails (server unreachable), the client tries again at 87.5% of lease time — this time broadcasting to find any available DHCP server (in case the original server is down). This is the T2 rebinding attempt.
Lease Expiration If neither renewal attempt succeeds and the lease expires, the client must immediately stop using the IP address, release its network configuration, and restart the DORA process from the beginning. The client loses network connectivity until a new lease is acquired.
APIPA Fallback If no DHCP server responds to the Discover, Windows clients self-assign an APIPA (Automatic Private IP Addressing) address in the range 169.254.0.0/16. An APIPA address means DHCP has failed — the device can communicate only with other APIPA-addressed devices on the same segment, not with the internet or other network resources. APIPA addresses are the primary symptom of DHCP failure to recognize on the A+ exam.
ipconfig /release Windows command that immediately releases the current DHCP lease, sending a DHCP Release message to the server and clearing the IP configuration from the interface. Used in troubleshooting to force a fresh DHCP exchange.
ipconfig /renew Windows command that initiates a new DHCP lease request after release, or attempts renewal of an existing lease. Combining /release followed by /renew forces a full DORA cycle and is the standard first step for DHCP troubleshooting.

DHCP Scope

A DHCP scope is the full range of IP addresses that a DHCP server is configured to assign for a given subnet. The scope defines the boundaries of address assignment — the server will only issue addresses within the scope to clients.

DHCP Scope — Example Configuration (192.168.10.0/24)
Scope Range 192.168.10.1 – 192.168.10.254 — the full subnet range eligible for DHCP assignment (excluding network address .0 and broadcast .255)
Subnet Mask 255.255.255.0 — defines the network boundary for all assigned addresses; delivered to every client with its lease
Default Gateway 192.168.10.1 — the router interface address delivered to clients; required for internet and inter-subnet routing
DNS Servers 8.8.8.8, 8.8.4.4 — DNS resolver addresses delivered to clients; can be corporate DNS servers or public resolvers
Lease Duration 8 days (691,200 seconds) — how long each assigned address is reserved for the client; T1 renewal at 4 days, T2 rebind at 7 days

DHCP Exclusions

A DHCP exclusion is a specific address or range of addresses within the scope that the DHCP server will never assign dynamically. Exclusions are used to protect static IP addresses that have been manually configured on devices within the same subnet range — preventing the DHCP server from accidentally assigning those addresses to a different device and causing an IP address conflict.

Common devices requiring static IPs (and therefore DHCP exclusions) include routers, switches, servers, printers, access points, and network-attached storage devices. Best practice is to either use exclusions at the bottom of the scope range for static devices or to place all static devices in an entirely separate range outside the DHCP scope.

IP Address Conflict — What Happens

An IP address conflict occurs when two devices on the same network have the same IP address. Both devices will experience intermittent connectivity failures — whichever device's ARP reply arrives second is rejected. Windows detects conflicts and disables the NIC with an error. This is the consequence of not using exclusions for statically-configured devices. Always exclude all static IP addresses from DHCP scopes.

DHCP Reservations

A DHCP reservation is a permanent lease assignment that always gives the same IP address to a specific device, identified by its MAC address. The DHCP server sees the device's MAC address in its DHCP Discover, matches it to a reservation record, and always offers that device the reserved IP address.

Reservations are the best of both worlds: the device's IP address is stable and predictable (like a static IP), but the address is still managed and distributed by DHCP (no manual interface configuration on the device). This makes reservations ideal for printers, servers, network cameras, and other devices that need a consistent IP but benefit from centralized DHCP management.

DHCP Reservation
Consistent IP — same address every time, tied to MAC address in DHCP server
Centrally managed — IP configuration lives in the DHCP server; easy to update
No device config needed — device still uses "Obtain automatically" in OS
⚠️
Requires MAC address — must know the device's MAC to create the reservation
⚠️
DHCP dependent — if DHCP server is down, device gets no IP until resolved
Static IP (Manual)
Consistent IP — same address every time; no DHCP dependency
DHCP independent — device retains IP even if DHCP server fails
⚠️
Manual configuration — must configure IP, mask, gateway, DNS on device itself
⚠️
Must exclude from DHCP — or risk address conflicts with dynamically assigned clients
⚠️
Decentralized management — tracking is done outside the DHCP server; easy to lose track

Exam Focus — DHCP

DORA = Discover, Offer, Request, Acknowledge — memorize this sequence. APIPA (169.254.x.x) = DHCP failure symptom. Scope = the full IP range a server manages. Exclusion = address(es) within the scope that will never be dynamically assigned (for static devices). Reservation = always assigns the same IP to a specific MAC address. ipconfig /release + ipconfig /renew = DHCP troubleshooting commands. A question about a device always needing the same IP → reservation, not static (on the A+ exam, reservation is the preferred enterprise answer).

DHCP ConceptDefinitionExam Tip
ScopePool of addresses DHCP server manages and assigns for a subnetA scope must exist before DHCP can assign any addresses on that subnet
ExclusionAddress range inside the scope the server will never assign dynamicallyUse for devices with manually-configured static IPs within the scope range
ReservationAlways assigns a specific IP to a device identified by MAC addressDevice still uses "DHCP" mode; IP is consistent without static config on device
LeaseDuration an assigned IP is valid; renewed at 50% and 87.5% elapsed timeExpired lease = no IP; APIPA appears when DHCP is unreachable
APIPA169.254.0.0/16 self-assigned address when DHCP fails169.254.x.x address on a device = DHCP server not found/not responding

SECTION 4VLAN — Virtual Local Area Network

A VLAN (Virtual Local Area Network) is a logical network segmentation technique that divides a single physical network infrastructure into multiple isolated virtual networks. Devices on different VLANs cannot communicate with each other at Layer 2 — they behave as though they are on entirely separate physical networks, even though they may share the same switches, cables, and access points.

VLANs are configured on managed switches and operate at Layer 2 (Data Link Layer) of the OSI model. The switch tags each Ethernet frame with a VLAN ID (VID) — a 12-bit field in the IEEE 802.1Q tag header — allowing the switch to enforce separation between VLAN members. Inter-VLAN routing requires a Layer 3 device (router or Layer 3 switch) and is deliberate and policy-controlled.

Why VLANs Matter

🔒
Security and isolation Separating sensitive systems (finance, HR, executive) from general employee traffic and guest Wi-Fi prevents lateral movement by attackers. Even if a guest device is compromised, it cannot reach internal servers on a different VLAN without passing through a firewall and router — attack surface is dramatically reduced.
📡
Broadcast domain reduction Every device in a VLAN shares a broadcast domain. Broadcasts (ARP, DHCP Discover) reach only devices in the same VLAN — not the entire physical network. In a flat network of 500 devices, every ARP broadcast reaches all 500 devices. With VLANs splitting that into five groups of 100, broadcasts reach only 100 devices, significantly reducing unnecessary traffic and improving performance.
🏗️
Simplified administration VLANs allow logical grouping of users by function (Sales VLAN, Engineering VLAN, Servers VLAN) regardless of physical location. Moving an employee to a different department requires changing their VLAN assignment in the switch — no physical recabling needed. QoS (Quality of Service) policies can prioritize VoIP VLAN traffic with a single switch configuration change.
💰
Cost efficiency VLANs enable multiple logically separate networks over shared physical infrastructure — fewer switches, fewer cables, fewer network closets. A single managed switch can host VLANs for every department in a building. A single uplink cable carries all VLAN traffic between floors using 802.1Q trunking, replacing what would otherwise require a separate physical cable per VLAN.

Access Ports vs. Trunk Ports

Access Port
🖥️
One VLAN only — carries traffic for a single VLAN; untagged frames to end devices
🔌
Connects end devices — computers, phones, printers, cameras
🏷️
No 802.1Q tag visible to device — switch strips tag before sending to end device
⚙️
Configured with switchport mode access + switchport access vlan [ID]
Trunk Port
🌐
Multiple VLANs — carries tagged traffic for many VLANs simultaneously on one link
🔌
Connects switches, routers, APs — infrastructure-to-infrastructure links
🏷️
802.1Q tags preserved — each frame carries its VLAN ID tag so receiving device knows which VLAN
⚙️
Configured with switchport mode trunk + switchport trunk allowed vlan [list]

VLAN Example — Office Segmentation

The following diagram shows a typical small-business VLAN deployment. All devices connect to the same physical switch but are logically separated into four VLANs. A router (or Layer 3 switch) handles inter-VLAN routing and enforces firewall rules between segments.

VLAN 10 — Staff
192.168.10.0/24
💻 Workstations
🖨️ Staff Printers
📞 IP Phones
VLAN 20 — Servers
192.168.20.0/24
🖥️ File Server
🗄️ Database Server
🔐 Active Directory
VLAN 30 — Guest
192.168.30.0/24
📱 Guest Phones
💻 Visitor Laptops
☁️ Internet only
VLAN 40 — Cameras
192.168.40.0/24
📷 IP Cameras
🎥 DVR/NVR
🔒 Isolated from staff

Native VLAN

On a trunk port, the native VLAN is the VLAN whose traffic is sent untagged. When a frame arrives on a trunk port with no 802.1Q tag, the switch assigns it to the native VLAN. By default this is VLAN 1 on Cisco equipment. Mismatched native VLANs on trunk ports can cause subtle connectivity issues and are a security concern (VLAN hopping attacks exploit native VLAN mismatches). Best practice: change the native VLAN from VLAN 1 to an unused VLAN and use a dedicated management VLAN.

Exam Focus — VLANs

VLANs operate at Layer 2 and create separate broadcast domains. The IEEE standard for VLAN tagging is 802.1Q. Access ports carry one VLAN for end devices; trunk ports carry multiple VLANs between switches. Inter-VLAN routing requires a Layer 3 device (router or L3 switch). A question about isolating guest Wi-Fi from corporate traffic → VLANs. A question about reducing broadcast traffic on a large flat network → VLANs.

SECTION 5VPN — Virtual Private Network

A VPN (Virtual Private Network) creates a secure, encrypted communications tunnel over an untrusted public network — typically the internet. The VPN allows a remote device to communicate as if it were physically connected to the private network, with all traffic encrypted and unreadable to anyone intercepting it on the path between the client and the VPN server.

From the user's perspective, a VPN makes their device appear to be "inside" the corporate network, on the home network, or in a different geographic location. From the network's perspective, the VPN creates a logical point-to-point connection between two endpoints that routes all traffic through an encrypted tunnel, regardless of the physical path the packets take across the internet.

Why VPNs Are Essential

Public networks — hotel Wi-Fi, airport networks, coffee shop hotspots — are untrusted environments where attackers can potentially intercept unencrypted traffic. A VPN encrypts all traffic leaving the device before it enters the public network, so even if an attacker captures every packet, they see only encrypted ciphertext. VPNs also allow remote workers to access internal corporate resources (file servers, printers, internal web applications) that are not exposed to the public internet.

How a VPN Tunnel Works

VPN Connection — Step-by-Step
01
Client initiates connection. The VPN client software (or built-in OS VPN client) connects to the VPN concentrator / server at the corporate network edge. The connection is made over the public internet using the VPN server's public IP address.
02
Authentication. The client authenticates to the VPN server using credentials: username/password, digital certificate, multi-factor authentication token, or a pre-shared key. This verifies the client's identity before the tunnel is established.
03
Tunnel establishment and key exchange. The client and server negotiate encryption parameters and exchange cryptographic keys (using protocols like IKE for IPsec or TLS for SSL VPNs). This establishes the encrypted tunnel.
04
IP assignment. The VPN server assigns the client a private IP address from the corporate address space (often via an internal DHCP scope). The client now has two IPs — its public internet address and its VPN tunnel address.
05
Encapsulation and encryption. All outbound packets from the client are encapsulated inside the VPN tunnel protocol (encrypted) and sent to the VPN server. The VPN server decrypts them and forwards them to their internal destination. Return traffic is encrypted by the server and sent back through the tunnel.
06
Client appears as internal device. From the perspective of internal servers, the VPN client is just another device on the corporate network — its VPN-assigned IP is on the corporate subnet. Access controls, shared drives, and internal applications work as if the user were on-site.

VPN Types

Remote Access VPN Connects an individual client device to a remote private network over the internet. This is the most common VPN type for remote workers — a technician or employee installs VPN client software, authenticates, and gains access to internal company resources from home or while traveling. The VPN concentrator at the company's edge terminates the client connections. Also called client-to-site VPN.
Site-to-Site VPN Connects two entire networks (typically two office locations or a branch office to a headquarters) through a permanent encrypted tunnel. Two VPN gateways (routers or firewalls) handle the encryption/decryption; end-user devices on either side are unaware the VPN exists — they see the remote network as if it were a local subnet. More scalable than remote access for fixed locations.
Split Tunneling A VPN configuration where only traffic destined for the corporate network goes through the encrypted VPN tunnel, while internet-bound traffic goes directly out the user's local connection. Split tunneling ON: better performance, less load on corporate bandwidth. Split tunneling OFF (full tunnel): all traffic goes through corporate — better security and content filtering control, but higher bandwidth consumption at the VPN concentrator.
Always-On VPN Automatically establishes the VPN tunnel whenever the device connects to a non-corporate network, without requiring user action. The device is always protected and always has access to corporate resources. Used in enterprise managed devices to ensure consistent security policy enforcement regardless of user location.

VPN Protocols

IPsec Internet Protocol Security. A suite of protocols operating at Layer 3 (Network Layer). Encrypts and authenticates IP packets directly. Supports two modes: Transport mode (encrypts payload only; used for host-to-host) and Tunnel mode (encrypts entire original IP packet inside a new packet; used for VPN gateways). Used by most enterprise VPN solutions. Requires UDP ports 500 (IKE) and 4500 (NAT-T).
SSL/TLS VPN Operates at Layer 4–7. Uses standard TLS (the same encryption behind HTTPS) to create the VPN tunnel. The major advantage: works through firewalls and NAT on TCP port 443 (HTTPS), which is almost never blocked. No special client software needed for clientless deployments (browser-based). OpenVPN is a common open-source SSL VPN. Used heavily for remote access VPNs because of universal firewall traversal.
L2TP/IPsec Layer 2 Tunneling Protocol over IPsec. L2TP creates the tunnel structure; IPsec provides the encryption (L2TP itself has no encryption). Common in Windows built-in VPN client configurations. Uses UDP port 1701 for L2TP and IPsec ports for the security layer. Being largely replaced by IKEv2/IPsec and WireGuard in modern deployments.
WireGuard Modern, lightweight VPN protocol. Significantly simpler codebase than IPsec (~4,000 lines vs. ~400,000), making it easier to audit for security vulnerabilities. Uses state-of-the-art cryptography (ChaCha20, Curve25519). Faster connection establishment and better performance than IPsec in many scenarios. Increasingly adopted by consumer VPN services and enterprise solutions.
PPTP Point-to-Point Tunneling Protocol. An older Microsoft-developed VPN protocol. Considered insecure and deprecated. Uses MS-CHAPv2 for authentication which has known cryptographic weaknesses. Should never be used for production VPNs. Appears on the A+ exam in the context of knowing it is not recommended — prefer IPsec, SSL/TLS, or WireGuard instead.

Exam Focus — VPN

A VPN creates an encrypted tunnel over an untrusted public network. Remote access VPN = one user to one site (client-to-site). Site-to-site VPN = two networks connected permanently. Split tunneling = corporate traffic goes through VPN; internet traffic goes direct. IPsec operates at Layer 3; SSL VPN uses port 443 (TLS/HTTPS). PPTP is insecure — the A+ exam treats it as deprecated. VPN concentrator = the enterprise device that terminates VPN connections at the network edge.

ProtocolLayerPort(s)EncryptionStatus
PPTPLayer 2TCP 1723Weak (MS-CHAPv2)⛔ Deprecated / insecure
L2TP/IPsecLayer 2 + 3UDP 1701, 500, 4500IPsec (AES)✅ Acceptable; being replaced
IPsec (IKEv2)Layer 3UDP 500, 4500AES (configurable)✅ Standard enterprise choice
SSL/TLS (OpenVPN)Layer 4–7TCP/UDP 443 or 1194TLS (AES)✅ Best firewall traversal
WireGuardLayer 3UDP 51820ChaCha20 / AES✅ Modern; fast; simple

Master Reference — Objective 2.4 Key Concepts

DNS — A recordMaps hostname → IPv4 address; most common record type
DNS — AAAA recordMaps hostname → IPv6 address; "quad-A"; 128-bit address
DNS — CNAMEAlias → canonical hostname; cannot be at zone apex; no IP directly
DNS — MX recordSpecifies mail servers for domain; lower priority number = higher priority
DNS — TXT recordArbitrary text; used for SPF, DKIM, DMARC, domain verification
DNS — TTLTime to Live; how long resolvers cache a record before re-querying
SPFTXT record listing authorized sending IPs; -all = reject unauthorized
DKIMCryptographic signature on email; public key in TXT record; survives forwarding
DMARCPolicy layer at _dmarc.domain; p=none/quarantine/reject; aggregate reports
DHCP DORADiscover → Offer → Request → Acknowledge; automatic IP assignment
DHCP ScopeFull range of IP addresses DHCP server manages for a subnet
DHCP ExclusionAddresses inside the scope that will never be dynamically assigned
DHCP ReservationAlways assigns same IP to a device by MAC address; device uses DHCP mode
DHCP LeaseDuration IP is valid; renews at 50% (T1) and 87.5% (T2) of lease time
APIPA169.254.x.x = DHCP failure; self-assigned; no internet connectivity
VLANLayer 2 logical segmentation; separate broadcast domains; 802.1Q tagging
VLAN — Access PortOne VLAN per port; for end devices; frames untagged to device
VLAN — Trunk PortMultiple VLANs on one link; 802.1Q tags preserved; connects switches/routers
VPN — Remote AccessClient-to-site; individual user to corporate network; VPN client software
VPN — Site-to-SiteTwo networks connected via permanent tunnel; transparent to end users
Split TunnelingOnly corporate traffic through VPN; internet traffic goes direct; performance tradeoff
IPsecLayer 3; UDP 500/4500; AES encryption; enterprise standard; Tunnel + Transport modes
SSL VPNLayer 4–7; TCP 443; traverses firewalls easily; OpenVPN; browser-based option
PPTPDeprecated; insecure; do not use; MS-CHAPv2 weakness

REFERENCEQuick Reference Cards

DNS Record Types

  • A — hostname → IPv4 (32-bit)
  • AAAA — hostname → IPv6 (128-bit)
  • CNAME — alias → canonical hostname
  • MX — mail servers; lower # = higher priority
  • TXT — text data; SPF / DKIM / DMARC / verification
  • PTR — reverse DNS; IP → hostname (not on exam list but common)

Email Authentication Stack

  • SPF — authorized sending IPs in TXT at domain root
  • DKIM — crypto signature; public key in TXT at selector._domainkey
  • DMARC — policy enforcement; TXT at _dmarc.domain
  • p=none — monitor only; no enforcement
  • p=quarantine — failing mail → spam folder
  • p=reject — failing mail → refused entirely

DHCP Key Values

  • DORA — Discover, Offer, Request, Acknowledge
  • Scope — address pool for a subnet
  • Exclusion — never assigned; protects static IPs
  • Reservation — consistent IP tied to MAC address
  • APIPA range — 169.254.0.0/16 (DHCP failure)
  • T1 renewal — at 50% lease elapsed (unicast to server)

VPN Protocols — At a Glance

  • IPsec / IKEv2 — Layer 3; UDP 500 & 4500; enterprise
  • SSL/TLS (OpenVPN) — Layer 4–7; TCP 443; best traversal
  • L2TP/IPsec — Layer 2+3; UDP 1701; Windows built-in
  • WireGuard — modern; fast; UDP 51820
  • PPTP — ⛔ insecure; deprecated; avoid

Final Exam Reminders

A record = IPv4; AAAA record = IPv6; CNAME = alias to another hostname (never an IP directly); MX = mail server (lower priority number = tried first).

SPF, DKIM, DMARC are all DNS TXT records used for email authentication. SPF = authorized IPs. DKIM = cryptographic signature. DMARC = policy enforcement (none / quarantine / reject) + reporting.

DHCP DORA = Discover (broadcast) → Offer → Request (broadcast) → Acknowledge. The client discovers and requests via broadcast because it has no IP address yet.

APIPA = 169.254.x.x — always means DHCP failed. Follow up with ipconfig /release then ipconfig /renew.

Exclusion = never assign this address to anyone. Reservation = always assign this address to this specific MAC address.

VLANs work at Layer 2, use 802.1Q tagging, reduce broadcast domains, and require Layer 3 routing (router or L3 switch) for inter-VLAN communication. Access port = one VLAN. Trunk port = many VLANs.

VPN = encrypted tunnel over untrusted network. Remote access = user to site. Site-to-site = network to network. Split tunneling = only corporate traffic in VPN. PPTP = insecure and deprecated.

SSL VPN advantage: runs on TCP 443 (HTTPS) and traverses virtually all firewalls without special configuration — ideal when corporate VPN must work from restrictive networks.