- Course Code: VCA-NET-201
- Track position: Part-II Networking-Track Anchor
- Prerequisites: VCA-NET-101 (Networks and Packet Analysis) + VCA-CSA-101 (or equivalent computing-systems foundation)
- Belt: 4/5 Advanced
- Duration: 14 weeks (~145 hr: ~22 lec / ~45 lab / ~78 indep)
- Credential: VCA-NET-201 Certificate of Completion
Mission
NET-201 pays the forward promises NET-101 made. Every protocol NET-101 introduced at first-encounter depth arrives here at production-grade inspection depth. A student who finishes NET-201 can stand up a multi-router OSPF/BGP topology in GNS3, dissect a TLS 1.3 handshake byte-by-byte against Rescorla's annotation, author a DNSSEC-signed zone, measure bufferbloat and fix it, and write Suricata signatures and Zeek scripts that detect named threat scenarios. The capstone is the structural precursor to the PEN-101 engagement report: the student attacks a network they first learned to build.
Foundational Anchors
Primary pair (continued from NET-101 at intermediate depth):
| Book | Track role | Library path |
|---|---|---|
| Kurose & Ross, Computer Networking: A Top-Down Approach, 9th ed. (Pearson, 2021) | Top-down narrative; control/data plane; wireless + security chapters | /media/laptop/data4t/books-master/Calibre_Library/James F. Kurose/Computer Networking_ A Top-Down Approach, 9th Edition (674)/ |
| W. Richard Stevens & Kevin Fall, TCP/IP Illustrated, Vol. 1: The Protocols, 2nd ed. (Addison-Wesley, 2011) | Byte-level wire-protocol depth; TCP internals; DNS; ARP; DHCP | Not in master library; library-acquire or paperback |
Module-specific anchors (NET-201 introduces):
| Book | Module | Status |
|---|---|---|
| Jeff Doyle & Jennifer Carroll, Routing TCP/IP, Vols 1-2 (Cisco Press) | Ch 1-2 (OSPF, IS-IS, BGP) | Not in master library |
| Eric Rescorla, SSL and TLS: Designing and Building Secure Systems (Addison-Wesley) | Ch 4 (TLS) | Not in master library |
| Richard Bejtlich, The Practice of Network Security Monitoring (No Starch, 2013) | Ch 8 (NSM-lite) | Library id 320 |
| Chris Sanders, Practical Packet Analysis, 3rd ed. (No Starch, 2017) | Continues at advanced depth | Library id 687 |
Petzold CODE is the CSA-track anchor; it does not appear in NET-201.
Course-Wide Architecture Comparison Sidebars
Four structured sidebars cross-reference existing handouts; two are new NET-201 originals:
| Sidebar | Handout | Status |
|---|---|---|
| BGP vs OSPF vs EIGRP vs IS-IS | handouts/net-201-routing-protocol-families.md (new) | Write |
| TLS 1.2 vs TLS 1.3 vs QUIC-TLS | handouts/net-201-tls-generations.md (new) | Write |
| SDN vs traditional vs intent-based networking | handouts/cross-chapter-control-plane-architectures.md | Exists (D10) |
| WPA2-SAE vs WPA3-SAE vs 5G-AKA | handouts/cross-chapter-wireless-aka-progression.md | Exists (D10) |
| DOCSIS link-layer | handouts/cross-chapter-docsis-quad-cross-cut.md | Exists (D10) |
Learning Outcomes (Bloom's Taxonomy)
- Remember. State the four major IGP routing-protocol families (OSPF, IS-IS, EIGRP, RIP) and BGP's role as the inter-AS protocol; the three TLS generations (1.2, 1.3, QUIC-TLS) and their handshake RTT counts; the IPv6 transition mechanisms (dual-stack, 6to4, NAT64) and when each is used.
- Understand. Explain why a centralised SDN control plane buys per-flow visibility and per-flow policy at the cost of controller-availability dependency, and why distributed routing protocols persist in environments where that trade-off is unfavorable.
- Understand. Distinguish DNSSEC (cryptographic origin authentication of DNS records) from DoH/DoT (transport encryption of DNS queries) and explain why a network can have one without the other.
- Apply. Stand up a multi-router OSPF or BGP topology in GNS3 or Containerlab; observe convergence with packet captures; intentionally break a peering and recover it.
- Apply. Capture and dissect a TLS 1.3 handshake byte-by-byte; identify ClientHello, ServerHello, EncryptedExtensions, Certificate, Finished records; correlate with Rescorla's annotation.
- Apply. Author a DNSSEC-signed zone for a lab domain; observe chain-of-trust validation in dig +dnssec; deliberately break the trust chain and observe the validation failure.
- Analyze. Given a captured trace of a misbehaving network (slow pages, intermittent connectivity, partial DNS), identify the layer at which the fault is occurring and propose targeted instrumentation to confirm the diagnosis.
- Synthesize. Author a 25-35 page operational playbook for a small enterprise network: routing-protocol choice and rationale; switching topology; DNS architecture; TLS-everywhere policy; NSM signature and Zeek-script roster; IPv6-transition timeline.
14-Week Course Shape
| Week | Chapter | Topic | Anchor readings |
|---|---|---|---|
| 1 | Ch 1 | Routing I: OSPF principles, link-state fundamentals | Kurose-Ross 9e Ch 5.2-5.3; Doyle-Carroll Vol 1 Ch 4 |
| 2 | Ch 1 | Routing I: IS-IS, OSPF multi-area, convergence measurement | Kurose-Ross 9e Ch 5.4; Stevens Vol 1 Ch 5 (ARP revisited) |
| 3 | Ch 2 | Routing II: BGP path-vector, AS topology, iBGP | Kurose-Ross 9e Ch 5.4; Doyle-Carroll Vol 1 Ch 8 |
| 4 | Ch 2 | Routing II: BGP attributes, prefix hijacking, RIP context | Doyle-Carroll Vol 1 Ch 9; RPKI overview |
| 5 | Ch 3 | Switching: VLAN trunking, STP, RSTP, link aggregation | Kurose-Ross 9e Ch 6.3-6.4 |
| 6 | Ch 4 | TLS: 1.2 vs 1.3 handshake, QUIC-TLS, certificate chains | Rescorla Ch 2-5; Kurose-Ross 9e Ch 8.5 |
| 7 | Ch 5 | DNS: DNSSEC chain of trust, DoH, DoT, zone authoring | Kurose-Ross 9e Ch 2.4; Stevens Vol 1 Ch 11 |
| 8 | Ch 6 | NAT and IPv6 transition: dual-stack, 6to4, NAT64 | Kurose-Ross 9e Ch 4.3.4; Ch 4.4 |
| 9 | Ch 7 | SDN: OpenFlow, P4, intent-based networking | Kurose-Ross 9e Ch 5.5; see CT-B handout |
| 10 | Ch 8 | NSM-lite: Wireshark deep-dive, Suricata, Zeek | Bejtlich Ch 1, 9-11; Sanders Ch 8-10 |
| 11 | Ch 9 | Performance: bufferbloat, TCP variants, QUIC transport | Kurose-Ross 9e Ch 3.7; Stevens Vol 1 Ch 21 |
| 12 | Ch 10 | Cloud networking: VXLAN-EVPN, overlays, Containerlab | Kurose-Ross 9e Ch 6.6; datacenter networking |
| 13 | Ch 11-12 | RE-track cross-cut + PT-track/SB6141 cross-cut | See handouts: docsis-quad-cross-cut.md, cross-chapter-wireless-aka-progression.md |
| 14 | Capstone | Enterprise Operational Playbook workshop | All anchor pairs; topology build + report |
Time Budget
| Week | Lecture (min) | Lab (min) | Indep (min) | Indep (hrs) |
|---|---|---|---|---|
| 1 | 100 | -- | 120 | 2.0 |
| 2 | 50 | 90 | 300 | 5.0 |
| 3 | 100 | -- | 120 | 2.0 |
| 4 | 50 | 90 | 300 | 5.0 |
| 5 | 100 | 90 | 240 | 4.0 |
| 6 | 100 | 90 | 360 | 6.0 |
| 7 | 100 | 90 | 360 | 6.0 |
| 8 | 50 | 90 | 240 | 4.0 |
| 9 | 100 | 90 | 300 | 5.0 |
| 10 | 100 | 90 | 360 | 6.0 |
| 11 | 100 | 90 | 300 | 5.0 |
| 12 | 50 | 90 | 300 | 5.0 |
| 13 | 100 | 90 | 300 | 5.0 |
| 14 | 50 | 270 | 600 | 10.0 |
| TOTAL | ~1250 (21 hr) | ~1350 (22.5 hr) | ~4104 (68 hr) | ~145 hr |
Note: independent practice is largely self-directed Kurose-Ross + Stevens reading + GNS3/Containerlab topology experiments and is counted at a compressed rate relative to the public-page headline figure.
Lab Index
| Lab | Chapter | Topic | Primary tool |
|---|---|---|---|
| Lab 1 | Ch 1 | OSPF multi-area topology; LSDB convergence; neighbor 3-step handshake | GNS3 + FRRouting |
| Lab 2 | Ch 2 | BGP iBGP/eBGP peering; path-vector advertisement; sandboxed prefix hijack | GNS3 + FRRouting |
| Lab 3 | Ch 3 | VLAN trunk + STP root-bridge election; forced topology change; capture | Containerlab or GNS3 |
| Lab 4 | Ch 4 | TLS 1.3 handshake dissection; reproduce Rescorla annotation; mitmproxy interception | Wireshark + openssl s_client |
| Lab 5 | Ch 5 | DNSSEC zone authoring + chain-of-trust validation; key-rotation error; resolution failure | BIND + dig |
| Lab 6 | Ch 6 | Dual-stack + NAT64; IPv4 and IPv6 paths to same service from NAT64-only client | Containerlab |
| Lab 7 | Ch 7 | OpenFlow Mininet; install flow rule programmatically; observe per-packet path | Mininet + OpenFlow controller |
| Lab 8 | Ch 8 | Suricata signature authoring + Zeek script-as-pipeline; detect named TTP in NSM corpus | Suricata + Zeek |
| Lab 9 | Ch 7+10 | SDN-vs-OSPF convergence comparison; measure and report on same physical substrate | Containerlab |
| Lab 10 | Ch 9 | Bufferbloat measurement with Flent; tune FQ-CoDel; measure latency improvement | Flent + tc qdisc |
| Lab 11 | Ch 10 | VXLAN-EVPN multi-tenant fabric in Containerlab; observe encap/decap | Containerlab + FRRouting |
| Lab 12 | Capstone | Enterprise operational playbook: routing + switching + DNS + TLS + NSM | All tools |
NET-201-Originating Toolchain Diary Entries (~12 new)
First-introduce in NET-201 (added to the toolchain diary initiated in NET-101):
| Tool | First-introduce week |
|---|---|
| FRRouting (FRR) | Week 1 |
| GNS3 advanced topologies | Week 1 |
| BGP looking-glass tools (RIPEstat, HE BGP, Cloudflare Radar) | Week 3 |
| Containerlab | Week 5 |
| EVE-NG community edition | Week 5 |
| OpenSSL s_client / s_server | Week 6 |
| BIND (authoritative DNS + DNSSEC) | Week 7 |
| Knot DNS + Unbound (DoH/DoT) | Week 7 |
| Suricata (advanced rule authoring) | Week 10 |
| Zeek (advanced script-as-pipeline) | Week 10 |
| mitmproxy | Week 6 |
| Flent / iperf3 / netperf | Week 11 |
SB6141 and Cross-Track Threads
The SB6141 cable modem lab target runs as a forward thread across three chapters:
- Ch 3 (Switching): SB6141 bridges Ethernet (LAN-side) to DOCSIS (cable-side) -- see handouts/cross-chapter-docsis-quad-cross-cut.md for chip-by-chip mapping (MaxLinear RF demod, Broadcom DOCSIS PHY, TI PDSP coprocessors, ARM1176JZ-S Linux application layer)
- Ch 6 (NAT): SB6141 runs a NAT instance; its default DHCP/NAT behavior is the first thing an SB6141 owner interacts with from the LAN side
- Ch 13 (PT cross-cut): SB6141 as adversarial target; routes into vca-re-101 + vca-arm-201 + vca-emb-201 pipeline
The wireless-AKA progression thread (WPA2-SAE vs WPA3-SAE vs 5G-AKA) runs through:
- Ch 4 (TLS): TLS handshake as structural companion to key-derivation protocols in wireless AKA
- Ch 13 (RE/PT cross-cuts): Full CT-A AKA-progression sidebar as a synthetic protocol-analysis exercise
Decisions + Pedagogy + Supplement Candidates
Decisions made
- 12 chapters across 14 weeks (not 12+2): Routing (Ch 1-2) gets 2 weeks each; TLS and DNS each get their own full week given the depth of material. Ch 11-12 (cross-cuts) share Week 13 as they are forward-pointer weeks, not new-material weeks.
- GNS3 + FRRouting as primary routing lab substrate (not Cisco IOSv): Open-source-first per TIR-2. FRRouting runs OSPF/BGP/IS-IS identically to the commercial stack for these exercises. Students on free GNS3 without a Cisco license can complete every routing lab. Cisco Packet Tracer remains an EXTERNAL optional for NetAcad-credential-track students.
- Containerlab joins GNS3 starting Week 5: Containerlab is the modern successor pattern for Docker-container-based topologies (Arista cEOS, SR Linux, FRR). Week 5 (Switching) introduces it for the first time; Labs 6, 9, 11 use it as the primary substrate.
- Rescorla as TLS anchor even though it is not in the master library: The Rescorla book is explicitly named in the public page and is available paperback. The TLS module requires page-number citations, so students must acquire the book or use the TLS 1.3 RFC (RFC 8446) as a free substitute. Lab 4 annotations are anchored on the RFC structure (which is freely available) with Rescorla references bracketed as "see Rescorla Ch N for background."
- NSM corpus: A pre-built academy NSM pcap corpus (20-30 traffic files representing named TTPs) ships as a course artifact with Lab 8. This is the same infrastructure that NET-101 mystery-pcap labs used; extended to include Suricata + Zeek processing.
Pedagogical implications
- Every lab opens a NET-101 first-encounter: Lab 1 opens Week 3's "routing is about finding a path" with OSPF's actual LSDB convergence. Lab 4 opens Week 12's TLS sketch with a byte-by-byte handshake dissection. Students who kept their NET-101 captures can compare the same protocol at two levels of inspection.
- Capstone = operational playbook (not attack): The NET-201 capstone is explicitly constructive: build a network, defend it, document it. The PEN-101 capstone follows and attacks a network matching this profile. The two capstones are designed to be experienced in sequence.
- BGP looking-glass tools anchor real-world context: Reading the global BGP table via RIPEstat or HE.net gives students evidence that the routing protocols they are simulating in a GNS3 sandbox underpin the actual Internet. Lab 2's sandboxed prefix hijack becomes conceptually serious when students can observe real-world BGP hijacking events via Cloudflare Radar.
Supplement candidates
- eBPF/XDP packet processing: High student-interest topic; forward-pointer into NET-301. NET-201 introduces the concept in Ch 7 (SDN) but does not build an eBPF program. A dedicated eBPF lab supplement would bridge NET-201 → NET-301.
- HTTP/3 and QUIC deep-dive: NET-201 covers QUIC as a transport-layer protocol in Ch 9 (Performance). A dedicated QUIC lab (capturing HTTP/3 traffic from a QUIC-enabled server) would complement Lab 4 (TLS) and is a candidate for v0.2.
- RPKI and BGP route origin validation: Lab 2 covers BGP prefix hijacking conceptually but does not implement RPKI validation. RPKI is the production defense; a lab exercising RPKI-enabled FRRouting would be NET-201's contribution to the BGP-security story.