Networking Protocols Explained in 5 Practical Steps

The internet's phonebook. When you enter a hostname, your device asks a DNS server: "What IP address belongs to this name?" The DNS server looks up the answer and replies with the IP. Without DNS, you would need to memorize the IP address of every website you visit.

DNS gives you the IP. But on a local network, devices communicate by MAC address — the physical hardware ID of each network card. ARP bridges that final gap: it broadcasts to the local network asking "Who has this IP address? Tell me your MAC."

"If ping works to an IP but fails to a hostname, DNS is the problem — not the network. Use dig to verify what your DNS server is returning and whether it matches the expected IP."

A website loads on some servers but not others after a migration. Root cause: DNS TTL caching. One server still holds the old IP. Run dig on both and compare results instantly.

When your device connects to a network, it does not yet have an IP address. DHCP solves this automatically. Your device broadcasts a request: "I just joined — can someone give me an IP?" The DHCP server responds with an IP address, subnet mask, default gateway, and DNS server. All in one exchange.

In enterprise networks, just having the right cable is not enough. 802.1X enforces authentication at the switch port level — before your device is allowed any network access at all. It is the security guard at the door. Common in corporate Wi-Fi and wired office networks.

DHCP issues are one of the most common causes of "server has no IP" tickets. Know the DHCP lease lifecycle — Discover, Offer, Request, Acknowledge (DORA). If a server has a 169.254.x.x address, DHCP failed and it self-assigned. That is your first clue.

New VM spun up but has no network connectivity. Check ip address show — it shows a 169.254.x.x address. DHCP did not respond. Either the DHCP server is down, the VM is on the wrong VLAN, or the DHCP lease pool is exhausted.

ICMP is the protocol behind ping and traceroute. It is how network devices send error messages and operational information. Not for carrying data — purely for diagnostics and control.

HTTP is the application-layer protocol for web communication. HTTPS is the same thing wrapped in TLS encryption. When you test whether a web service is responding, you are working at the HTTP layer — which is why curl is so essential.

"The classic question is TCP vs UDP. The deeper answer is: TCP guarantees delivery and order at the cost of speed. UDP trades reliability for low latency. The real skill is knowing which your application uses — and what breaks when packets are lost."

TLS is the encryption layer that makes HTTPS work. Every modern website uses it. TLS establishes an encrypted tunnel — even if someone intercepts the traffic, they see only scrambled data. Certificates verify identity. When your browser shows the padlock icon, TLS is doing its job.

SSH is how Linux admins access remote servers securely. It provides an encrypted command-line session across an untrusted network. Every Linux admin uses SSH daily. Key-based authentication eliminates passwords entirely — far more secure and convenient.

A VPN creates an encrypted tunnel across an untrusted network. IPSec operates at the network layer — encrypting packets themselves. SSL/TLS VPNs work at the application layer. In enterprise environments, VPNs connect remote workers to internal networks and link office locations securely.

Kerberos handles ticket-based authentication in enterprise environments — Active Directory runs on it. LDAP is the directory service for storing and querying user and group information. Together they form the backbone of enterprise identity management.

"TLS and SSH are both encrypted — but for different things. TLS protects data in transit for web applications. SSH protects your administrative access to the server itself. Both are non-negotiable in production. If SSH is misconfigured, you can lose access to your entire fleet."

An application throws TLS handshake errors. First check: is the certificate expired? Second: is the hostname matching the certificate's CN or SAN field? Third: are the intermediate certificates complete in the chain? curl -v https://yoursite.com shows you the full TLS handshake in real time.

SNMP polls devices and collects metrics — CPU load, bandwidth usage, interface errors, memory. It is how network monitoring tools like Nagios, Zabbix, and Prometheus exporters gather data from routers, switches, and servers. Think of it as a health check broadcast for your infrastructure.

Syslog is the standard for collecting and shipping system and application logs to a central location. Every Linux server generates syslog events. Tools like rsyslog, journald, and Elasticsearch/Kibana stacks are built on this foundation. When an incident happens at 3am, Syslog is where you find the truth.

NetFlow captures metadata about every traffic flow — source, destination, ports, bytes, duration. Not the content of packets, but the pattern of who is talking to whom and how much. Invaluable for capacity planning, anomaly detection, and security investigations. Modern equivalents include IPFIX and sFlow.

NTP synchronizes clocks across all devices in your network. This sounds trivial until it breaks. Distributed systems, log correlation, TLS certificates, Kerberos authentication — all depend on accurate time. A clock drift of just a few minutes can break authentication entirely and make log analysis impossible.

"Observability is the difference between knowing your system is broken versus discovering it from a user tweet. SNMP gives you metrics, Syslog gives you events, NetFlow gives you traffic patterns. Together they give you the full picture. An SRE without observability is flying blind."

A Kerberos authentication failure surfaces at 9am. The root cause: NTP drifted by 8 minutes overnight. Kerberos has a strict 5-minute clock skew tolerance. All authentication breaks silently. The fix: restart the NTP service and force a time sync. Without centralized syslog, this would take hours to diagnose.