Course Code: VCA-NET-301 Track position: Part-II Networking-Track Capstone (Belt 5/5) Prerequisites: VCA-NET-201 + VCA-CSA-201 (or equivalent intermediate networking + computer-architecture) Duration: ~14 weeks (~165 hr: ~25 hr lecture / ~50 hr lab / ~90 hr independent) Credential: VCA-NET-301 Certificate of Completion
Mission
NET-301 takes the NET-201 graduate -- a student who can architect a 30-employee network, run its routing protocols, sign its DNS zones, and monitor traffic with Suricata signatures and Zeek scripts -- to carrier scale, datacenter scale, line-rate engineering, and adversary scale. Each of the twelve chapters is NET-201 scaled: the same discipline, the same wire-format reading habits, the same operational mindset, at the level where the abstractions stop hiding the complexity.
Foundational Anchors
Primary pair (continued from NET-101 / NET-201 at advanced depth):
| Book | Track role | Library path |
|---|---|---|
| Kurose & Ross, Computer Networking: A Top-Down Approach, 9th ed. (Pearson, 2021) | 5G Core (§7.4), 5G-AKA (§8.8.2), QUIC/HTTP3 (Ch 3+), wireless (Ch 7-8) | /media/laptop/data4t/books-master/Calibre_Library/James F. Kurose/Computer Networking_ A Top-Down Approach, 9th Edition (674)/ |
| W. Richard Stevens & Kevin Fall, TCP/IP Illustrated, Vol. 1, 2nd ed. | Advanced TCP, congestion control (Ch 16+) | Library-acquire or paperback |
Chapter-specific anchors (NET-301 introduces):
| Book | Chapter(s) | Library path |
|---|---|---|
| Richard Bejtlich, The Practice of Network Security Monitoring (No Starch, 2013) | Ch 6-7 NSM at scale + threat-hunting | Library id 320 |
| Sherri Davidoff & Jonathan Ham, Network Forensics (Prentice Hall, 2012) | Ch 7 forensics deep-dive | Not in master library |
| Liz Rice, Learning eBPF (O'Reilly, 2023) | Ch 5 eBPF/XDP | Not in master library |
| Dinesh G. Dutt, Cloud Native Data Center Networking (O'Reilly, 2019) | Ch 2 datacenter fabrics | Not in master library |
| Russ White & Ethan Banks, Computer Networking Problems and Solutions (Addison-Wesley) | Ch 1+3 carrier/WAN + BGP | Not in master library |
The NET-301 anchor reading guide is published as a separate handout: handouts/cross-chapter-net-301-anchor-reading-guide.md. That guide specifies reading order, suggested depth per pass, and cross-links to capstone artifacts for each of the five primary anchors.
Petzold CODE does not appear in NET-301 (NET/security track; not hardware track). Kurose-Ross 9e is the primary narrative spine.
Course-Wide Architecture Comparison Sidebars
Six structured sidebars. The wireless-AKA and control-plane sidebars reference existing cross-chapter handouts (already landed; build ON them, do not duplicate):
| Sidebar | Handout | Status |
|---|---|---|
| Snort vs Suricata vs Zeek (NSM tool architectures) | handouts/net-301-nsm-architectures.md |
Write in Week 6 |
| QUIC vs HTTP/3 vs WebTransport (modern-protocol generations) | handouts/net-301-modern-protocols.md |
Write in Week 9 (continuation) |
| Clos vs three-tier vs collapsed-core (datacenter fabrics) | handouts/net-301-datacenter-fabrics.md |
Write in Week 2 |
| eBPF/XDP vs DPDK vs kernel-bypass (line-rate packet processing) | handouts/net-301-line-rate-models.md |
Write in Week 5 |
| 5G Core vs SDN vs Mobile-IP (control-plane architectures) | handouts/cross-chapter-control-plane-architectures.md |
Exists (D10); reference in Week 1+8 |
| WPA2-SAE vs WPA3-SAE vs 5G-AKA (wireless AKA progression) | handouts/cross-chapter-wireless-aka-progression.md |
Exists (D10); reference in Week 8 |
12-Chapter Spine + 14-Week Schedule
NET-301 maps 12 chapters to 14 weeks by expanding Chapters 3 (BGP), 6 (NSM), and 8 (wireless) to 2 weeks each.
| Week | Ch | Topic | Scales NET-201 | Anchor |
|---|---|---|---|---|
| 1 | 1 | Carrier and WAN: MPLS, Segment Routing, SRv6 | Ch 1-2 routing | White & Banks; Kurose-Ross §5 |
| 2 | 2 | Datacenter networking: Clos, VXLAN-EVPN, spine-leaf | Ch 3 switching | Dutt Cloud Native |
| 3-4 | 3 | Internet-scale BGP: route reflectors, communities, RPKI, hijacking | Ch 2 BGP basics | Kurose-Ross §5.4; RFC 8205 |
| 5 | 4 | Network automation: Ansible, Salt, Nornir, Python netauto | Manual-config era | Docs-primary; no anchor book |
| 6 | 5 | Performance engineering: eBPF, XDP, DPDK | Ch 9 perf tuning | Rice Learning eBPF |
| 7-8 | 6 | NSM at scale: Suricata clustering, Zeek log-pipeline, SIEM, threat-hunting | Ch 8 NSM-lite | Bejtlich Chs 1+5+6 |
| 9 | 7 | Network forensics deep-dive | Lab 7 mystery-pcap | Davidoff & Ham Chs 1-3 |
| 10 | 8 | Wireless deep-dive: 4-way handshake, WPA3-Enterprise, 5G-AKA | Cross-cut wir-101+rf-201 | Kurose-Ross §8.8.1+§8.8.2 |
| 11 | 9 | Modern protocols: QUIC, HTTP/3, WebTransport, MASQUE | Ch 4 TLS | Kurose-Ross §3 (QUIC) |
| 12 | 10 | Cross-cut: PT-track advanced lateral movement | Forward pointer adv-101 | ADV-101 CAPSTONE cross-ref |
| 13 | 11 | Cross-cut: RE-track advanced protocol RE | Forward pointer re-201 | RE-201 cross-ref |
| 14 | 12 | Capstone: end-to-end network design + RE + monitoring | Synthesis | All |
Time Budget
| Week | Lecture (min) | Lab (min) | Indep (min) | Total (hr) |
|---|---|---|---|---|
| 1 | 100 | 90 | 300 | 8.2 |
| 2 | 100 | 90 | 300 | 8.2 |
| 3 | 100 | 90 | 360 | 9.2 |
| 4 | 50 | -- | 360 | 6.8 |
| 5 | 100 | 90 | 300 | 8.2 |
| 6 | 100 | 90 | 360 | 9.2 |
| 7 | 100 | 90 | 360 | 9.2 |
| 8 | 50 | 90 | 360 | 8.3 |
| 9 | 100 | 90 | 300 | 8.2 |
| 10 | 100 | 90 | 360 | 9.2 |
| 11 | 100 | 90 | 300 | 8.2 |
| 12 | 50 | -- | 300 | 5.8 |
| 13 | 50 | -- | 300 | 5.8 |
| 14 | 50 | 360 | 600 | 16.8 |
| TOTAL | ~1250 (21 hr) | ~1260 (21 hr) | ~4860 (81 hr) | ~165 hr |
Lab Index
| Lab | Chapter | Topic | Primary tools | Points |
|---|---|---|---|---|
| Lab 1 | Ch 1 | MPLS LSP setup; LDP signaling; TE tunnel | Containerlab + FRR + MPLS | 20 |
| Lab 2 | Ch 2 | Spine-leaf Clos VXLAN-EVPN fabric; VM mobility | Containerlab + FRR EVPN | 20 |
| Lab 3 | Ch 3 | RPKI deployment; ROA states; reject-invalid policy | Routinator + Containerlab + FRR | 20 |
| Lab 4 | Ch 4 | Ansible + Nornir playbook; multi-device idempotent push | Ansible + Nornir + Containerlab | 20 |
| Lab 5 | Ch 5 | eBPF/XDP packet-drop program; line-rate measurement | libbpf/XDP + iproute2 | 25 |
| Lab 6a | Ch 5 | Cilium service-mesh on Kubernetes; eBPF-driven service connectivity | Cilium + kind | 15 |
| Lab 7 | Ch 6 | Suricata cluster + Zeek pipeline + SIEM; 3 threat scenarios | Suricata + Zeek + Wazuh | 20 |
| Lab 8 | Ch 6 | Threat-hunt against production-corpus pcap stash; 4-data-types framework | Zeek + Wireshark + Elasticsearch | 20 |
| Lab 9 | Ch 7 | Forensics exercise: reconstruct multi-phase intrusion timeline | Wireshark + Zeek + NetworkMiner | 20 |
| Lab 10 | Ch 8 | 802.11 4-way handshake capture; key derivation walk; WPA3-Enterprise | aircrack-ng + Wireshark + hostapd | 20 |
| Lab 11 | Ch 9 | QUIC handshake dissection; HTTP/3 capture; connection migration | quiche CLI + Wireshark + curl | 20 |
| Lab 12 | Ch 9 | CUBIC vs BBR congestion-control comparison; goodput curves | Containerlab + iperf3 + ss | 15 |
| Lab 13 | Capstone | End-to-end network design + RE + monitoring | All | Per CAPSTONE.md |
| Total lab | ~215 pts |
NET-301-Originating Toolchain Diary Entries (~12 new)
| Tool | First-introduce week | What it does |
|---|---|---|
| FRR-at-scale (route-reflector topology) | Week 3 | Internet-scale BGP topology authoring |
| RPKI / Routinator / RTRTR | Week 3 | Origin-validation deployment toolchain |
| Ansible Network / Nornir / Salt-NAPALM | Week 5 | Network-automation orchestrators |
| Cilium | Week 6 | eBPF-native Kubernetes service-mesh |
| Calico | Week 6 | Alternative Kubernetes networking; BGP-in-cluster model |
| BPFtrace | Week 6 | Dynamic-tracing language for eBPF; "dtrace for Linux" |
| Tetragon | Week 6 | Cilium's eBPF-based runtime-security observability |
| DPDK testpmd | Week 6 | User-space packet processing; line-rate forwarding measurement |
| Wazuh / Elastic SIEM | Week 7-8 | NSM log-pipeline integration target |
| NetworkMiner | Week 9 | Forensic packet-capture analysis and reconstruction |
| Kismet (advanced) | Week 10 | Wireless network discovery with WPA3 awareness |
| quiche / quinn CLI | Week 11 | QUIC/HTTP/3 client and server tooling |
Assessment Overview
| Component | Weight |
|---|---|
| Labs 1-12 (individual, weekly) | 215 pts |
| Capstone Lab 13 | Two-tier rubric per CAPSTONE.md |
| Participation / Tool Journal | Ongoing |
Capstone is pass/fail on Tier 1 (topology must converge; RE write-up must identify state machine; NSM must detect protocol). Tier 2 scores 40/30/30 on architecture-rationale + RE-methodology + operational-realism.
B- minimum on Tier 2 for the NET-301 certificate.
Continuation Note
v0.1 shipped Weeks 1-7 (Chapters 1-6) with full lecture content + labs. The remaining weeks (Chapters 7-12) shipped in the v0.2 round and are live in this classroom.