IPv4 Subnet Calculator
Enter any IP address with a prefix to get full subnet details
Input Beginner Friendly
💡 Type an IP address like 192.168.1.0 and a prefix like /24 — or use the examples below.
Invalid IP address — enter 4 numbers 0–255 separated by dots
Prefix must be /0 to /32
32-Bit Visual Map
Network bits
Host bits
Step-by-Step Explanation
Enter an IP above to see the working shown step by step...
Results
Network Address
—
Broadcast Address
—
First Usable Host
—
Last Usable Host
—
Usable Hosts
—
Total IPs
—
Subnet Mask
—
Wildcard Mask
—
IP Class
—
CIDR Notation
—
Network (Binary)
—
Mask (Binary)
—
Address Type Checker
VLSM Planner Intermediate
Variable Length Subnet Masking — allocate different-sized subnets from one block
💡 What is VLSM? Instead of splitting a network into equal subnets, VLSM lets you carve out different sizes. Great for real networks where a WAN link needs only 2 hosts but a user VLAN needs 100.
Base Network
Invalid IP address
Invalid prefix
Subnet Requirements
Allocation Result
Fill in requirements and click Plan Subnets...
IPv6 Suite Expert
Complete IPv6 toolkit — address analysis, subnetting, SLAAC, transition, and more
IPv6 Address Analyzer
💡 IPv6 = 128 bits, written as 8 groups of 4 hex digits (e.g.
2001:0db8::1). The :: replaces one or more groups of all zeros.
Invalid IPv6 address
128-Bit Visual Map
Blue = network prefix bits · Pink = interface identifier bits (last 64)
Address Compressor / Expander
💡 RFC 5952 compression rules: leading zeros removed per group, longest run of all-zero groups →
::
PTR Record Builder
💡 Reverse DNS for IPv6 reverses every hex nibble and appends
.ip6.arpa
Address Validator
IPv6 Prefix Calculator
💡 IPv6 prefix hierarchy: RIR → ISP /32 → Customer /48 → Site /56 → LAN /64 → Host /128
Subnet Divider
How many subnets of a given size fit inside a larger prefix?
ISP Allocation Hierarchy
Visual breakdown of how a /32 ISP block gets delegated down to individual /64 LANs.
Prefix Aggregation
Find the summary route for a list of IPv6 prefixes (like BGP aggregation).
Scope Classifier
Every IPv6 address belongs to a specific scope. Enter any address to get a full classification.
Solicited-Node Multicast Builder
💡 NDP uses a special multicast address derived from the last 24 bits of a unicast address. Used for Neighbor Discovery instead of broadcasts.
Multicast Address Explorer
IPv6 multicast addresses start with
ff. The next byte encodes flags and scope.
Address Type Comparison
EUI-64 Generator
💡 EUI-64 creates a 64-bit Interface Identifier from a 48-bit MAC: split MAC in half, insert
FF:FE in the middle, then flip bit 7 (the U/L bit).
Privacy Extension Address (RFC 4941)
💡 Privacy extensions generate a random IID instead of EUI-64 to prevent device tracking across networks.
SLAAC Step-by-Step Simulator
Stateless Address Autoconfiguration — how a device configures its own IPv6 address without DHCP.
DHCPv6 vs SLAAC Comparison
IPv4-Mapped / Dual-Stack Decoder
💡 Dual-stack hosts represent IPv4 addresses as
::ffff:x.x.x.x (IPv4-mapped) or ::x.x.x.x (IPv4-compatible, deprecated).
6to4 Address Decoder
💡 6to4 tunneling embeds an IPv4 address in a /48 prefix starting with
2002::. The next 32 bits ARE the IPv4 address.
NAT64 / DNS64 Explainer
💡 NAT64 allows IPv6-only hosts to reach IPv4 servers. The gateway maps IPv4 addresses into the
64:ff9b::/96 prefix.
Transition Mechanism Comparison
| IPv6 Address Type Reference | ||
|---|---|---|
| Prefix | Type | Scope / Use |
| ::1/128 | Loopback | Same as 127.0.0.1 in IPv4 |
| ::/128 | Unspecified | Source before address assigned |
| 2000::/3 | Global Unicast | Publicly routable (like public IPv4) |
| fc00::/7 | Unique Local (ULA) | Private, not globally routed (RFC 4193) |
| fe80::/10 | Link-Local | Auto-assigned, single link only |
| ff00::/8 | Multicast | One-to-many delivery |
| ::ffff:0:0/96 | IPv4-Mapped | IPv4 addresses in IPv6 apps |
| 2002::/16 | 6to4 | Automatic IPv4 tunnel (deprecated) |
| 64:ff9b::/96 | NAT64 | IPv6→IPv4 translation gateway |
| 100::/64 | Discard | Traffic sink, RFC 6666 |
| Well-Known Multicast Addresses | ||
|---|---|---|
| Address | Name | Use |
| ff02::1 | All Nodes | All link-local nodes |
| ff02::2 | All Routers | All link-local routers |
| ff02::5 | OSPFv3 | All OSPF routers |
| ff02::6 | OSPFv3 DR | Designated routers |
| ff02::9 | RIPng | RIPng routers |
| ff02::a | EIGRP | All EIGRP routers |
| ff02::1:2 | DHCPv6 | All DHCP relay agents |
| ff02::1:ff00::/104 | Solicited-Node | NDP neighbor discovery |
| IPv4 vs IPv6 Header Comparison | ||
|---|---|---|
| Field | IPv4 | IPv6 |
| Address size | 32 bits | 128 bits |
| Header size | 20–60 bytes | Fixed 40 bytes |
| Fragmentation | Routers + hosts | Hosts only |
| Checksum | Header checksum | None (upper layer) |
| Broadcast | Yes | No (Multicast) |
| ARP | Yes | NDP (ICMPv6) |
| NAT required | Usually | Not needed |
| IPsec | Optional | Built-in |
| Config | Manual/DHCP | SLAAC / DHCPv6 |
| Flow label | No | Yes (QoS) |
| Standard Prefix Sizes & Uses | |
|---|---|
| Prefix | Typical Use |
| /23, /24 | Allocated to Regional Internet Registries |
| /32 | Minimum ISP allocation from RIR |
| /48 | Standard customer/site allocation |
| /56 | Small customer (some ISPs) |
| /64 | Standard LAN segment (required for SLAAC) |
| /80 | Uncommon, breaks SLAAC |
| /127 | Point-to-point links (RFC 6164) |
| /128 | Single host / loopback |
IP Overlap Checker Intermediate
Detect conflicting address space — critical for network design
Networks to Check
💡 Enter multiple networks (one per line, CIDR format). We'll check every pair for overlap.
Results
Enter networks and click Check All...
Supernetting / Route Summarization Expert
Aggregate multiple routes into a single summary advertisement
💡 Why supernet? Instead of advertising 4 routes (192.168.0.0/24, .1.0/24, .2.0/24, .3.0/24), you advertise one: 192.168.0.0/22. This reduces routing table size and convergence time.
Networks to Summarize
Summary Route
Enter networks and click Summarize...
Binary Basics Beginner
Understanding binary is the foundation of all subnetting math
💡 Why binary? IP addresses are actually 32-bit binary numbers. Subnet masks work by using AND operations on these bits. Once you understand binary, subnetting becomes straightforward.
Live Decimal ↔ Binary Converter
⇄
Interactive Bit Builder
Click the bits to toggle them ON/OFF. Watch the decimal value update!
0
Decimal value (0–255)
AND Operation — How Subnetting Works
Finding the network address = IP address AND subnet mask. Each bit pair: 1 AND 1 = 1, anything else = 0.
—
Subnet Masks Beginner
See how prefix length controls the network size
Mask Builder Slider
255.255.255.0
Host Bits
8
Total IPs
256
Usable Hosts
254
What This Means
CIDR Deep Dive Intermediate
Classless Inter-Domain Routing — the modern way to describe networks
💡 CIDR replaced classful addressing in 1993. Instead of Class A/B/C having fixed masks, CIDR lets you use any prefix length. 10.0.0.0/8 means "first 8 bits are the network."
CIDR Block Explorer
Subnet Division Calculator
How many subnets of size /X fit into your network?
IP Address Classes Beginner
Classful addressing — the original scheme before CIDR
⚠️ Classful addressing is largely historical — modern networks use CIDR. But you still need to know classes for CCNA exams and understanding legacy configs.
Class Lookup
| Class | First Octet | Range | Default Mask | Private Range | Use |
|---|---|---|---|---|---|
| A | 0xxx xxxx | 1.0.0.0 – 126.x.x.x | /8 (255.0.0.0) | 10.0.0.0/8 | Large enterprises, ISPs |
| B | 10xx xxxx | 128.0.0.0 – 191.255.x.x | /16 (255.255.0.0) | 172.16.0.0/12 | Medium/large networks |
| C | 110x xxxx | 192.0.0.0 – 223.255.255.x | /24 (255.255.255.0) | 192.168.0.0/16 | Small networks (≤254 hosts) |
| D | 1110 xxxx | 224.0.0.0 – 239.x.x.x | N/A | None | Multicast groups |
| E | 1111 xxxx | 240.0.0.0 – 255.x.x.x | N/A | None | Research / Reserved |
Special Addresses
| Address | Meaning |
|---|---|
| 0.0.0.0 | This network / default route |
| 127.0.0.0/8 | Loopback (127.0.0.1 = localhost) |
| 169.254.0.0/16 | Link-local / APIPA (no DHCP) |
| 255.255.255.255 | Limited broadcast |
| x.x.x.0 | Network address (not usable) |
| x.x.x.255 | Broadcast address (not usable) |
RFC 1918 Private Ranges
| Range | CIDR | Addresses |
|---|---|---|
| 10.x.x.x | 10.0.0.0/8 | 16.7 million |
| 172.16–31.x.x | 172.16.0.0/12 | 1.05 million |
| 192.168.x.x | 192.168.0.0/16 | 65,536 |
Quiz Mode
Test your knowledge from beginner to expert level
0
Score
0
Streak 🔥
0
Answered
—
Accuracy
Question 1
Loading...
Cheat Sheet Reference
Quick-reference tables for subnetting calculations
| IPv4 Subnet Reference | ||||
|---|---|---|---|---|
| CIDR | Subnet Mask | Hosts | Block Size | Subnets/C |
| /32 | 255.255.255.255 | 1 (host) | 1 | 256 |
| /31 | 255.255.255.254 | 2 (P2P) | 2 | 128 |
| /30 | 255.255.255.252 | 2 | 4 | 64 |
| /29 | 255.255.255.248 | 6 | 8 | 32 |
| /28 | 255.255.255.240 | 14 | 16 | 16 |
| /27 | 255.255.255.224 | 30 | 32 | 8 |
| /26 | 255.255.255.192 | 62 | 64 | 4 |
| /25 | 255.255.255.128 | 126 | 128 | 2 |
| /24 | 255.255.255.0 | 254 | 256 | 1 |
| /23 | 255.255.254.0 | 510 | 512 | — |
| /22 | 255.255.252.0 | 1,022 | 1024 | — |
| /21 | 255.255.248.0 | 2,046 | 2048 | — |
| /20 | 255.255.240.0 | 4,094 | 4096 | — |
| /19 | 255.255.224.0 | 8,190 | 8192 | — |
| /18 | 255.255.192.0 | 16,382 | 16384 | — |
| /16 | 255.255.0.0 | 65,534 | 65536 | — |
| /8 | 255.0.0.0 | 16,777,214 | 16M | — |
| Powers of 2 (Host Calculation) | |
|---|---|
| 2^n | Usable Hosts (n>1) |
| 2^1 = 2 | 0 (P2P only) |
| 2^2 = 4 | 2 |
| 2^3 = 8 | 6 |
| 2^4 = 16 | 14 |
| 2^5 = 32 | 30 |
| 2^6 = 64 | 62 |
| 2^7 = 128 | 126 |
| 2^8 = 256 | 254 |
| 2^10 = 1024 | 1,022 |
| 2^16 = 65536 | 65,534 |
| 2^24 = 16,777,216 | 16,777,214 |
| Common Subnet Math Tips | ||
|---|---|---|
| Hosts needed → prefix | Find smallest 2^n ≥ hosts+2, prefix = 32-n | |
| Block size | 256 - last octet of mask | |
| Subnets in /24 | 2^(new prefix - 24) | |
| Network addr | IP AND subnet mask | |
| Broadcast addr | Network OR wildcard mask | |
More Tools
Wildcard masks, host ranges, decimal conversions
Wildcard Mask Calculator Intermediate
Wildcard masks are the inverse of subnet masks. Used in ACLs and OSPF to match address ranges.
Host Range Lister
Decimal ↔ Hex ↔ Binary Converter
Subnet Size Finder
How many hosts do you need? We'll find the right prefix.
Visual Subnet Tree Interactive
Divide any network into subnets — click Divide to split, Join to merge back
💡 Start with any network (e.g. 192.168.0.0/24). Hit Divide to split a subnet into two equal halves. Hit Join to merge two siblings back. Like the davidc.net Visual Subnet Calculator — but built right in.
Starting Network
| Subnet | Mask | Range | Usable IPs | Hosts | Divide | Join |
|---|
Total subnets: 0 ·
Covered: —
Packet Tracer Simulator
Simulate how a packet travels from source to destination across subnets
💡 Add routers and their connected subnets, if required use routing protocols like EIGRP, OSPF, bgp (ASN), then trace a packet from a source IP to a destination IP. See exactly which router forwards it and why.
Network Topology
Packet
Trace Results
Configure routers and click Trace Packet to simulate forwarding...
Network Diagram
ACL Builder Interactive
Build Standard & Extended Access Control Lists — Cisco IOS syntax, top-down evaluation, implicit deny
Standard ACL (1–99)
Extended ACL (100–199)
⚙ Standard ACL — Source IP Filtering
⚙ Extended ACL — 5-Tuple Filtering
▸ Source
▸ Destination
▸ Destination Port
▸ ICMP Type (optional)
📖 Quick Reference
Standard (1–99): Filters on Source IP only — place close to destination
Extended (100–199): Src/Dst IP + Protocol + Port — place close to source
host keyword = /32 mask (0.0.0.0 wildcard)
any keyword = 0.0.0.0 255.255.255.255
⚠ Implicit deny all at end of every ACL
📄 ACL Entries
No entries yet — add a rule using the form on the left
! (implicit) deny any
💻 Generated Config
Vendor
Add entries to generate config...
🔌 Apply to Interface
Cisco IOS
Router(config)# interface GigabitEthernet0/1 Router(config-if)# ip access-group <ACL-ID/NAME> in|out # Verify: Router# show ip access-lists Router# show ip interface Gi0/1
Juniper JunOS
set interfaces ge-0/0/1 unit 0 family inet filter input <FILTER-NAME> set interfaces ge-0/0/1 unit 0 family inet filter output <FILTER-NAME> # Commit and verify: commit check show firewall filter <FILTER-NAME> show interfaces ge-0/0/1 detail | match filter
⚡ ACL Simulator — Packet Walk
Define a test packet below. The simulator walks your ACL entries top-down and highlights the first matching rule.
Evaluation Order ↓ (first match wins)
🚫
IMPLICIT DENY — Packet DROPPED
No rule matched. The implicit deny at the end of every ACL blocked this packet.
Add ACL entries first, then run the simulator.
Chaithanya Kumar Katari
Network Implementation Manager
🌐 Akamai Technologies · Bengaluru, India 🇮🇳
🌐 IPv4 / IPv6
🛡️ CCNA Certified
💻 Network Infra
⚡ 8+ Years Exp
🏢 Akamai · Microland · Synophic
8+
Years Experience
3
Companies
🌍
Global Deployments
CCNA
Certified
3K+
Lines of Code
About Me
Hi! I'm Chaithanya Kumar Katari, a Network Implementation Manager at Akamai Technologies based in Bengaluru, India. With over 8 years in networking, I specialize in server and switch deployments and configurations worldwide — working directly with ISPs, Accelerated Network Partners, and global infrastructure teams.
My day-to-day involves troubleshooting escalated network, hardware, and performance issues; managing new hardware deployments; and designing, configuring, and maintaining Akamai installations globally. I've worked closely with network partners on racking, cabling, and configuration of Akamai hardware at scale.
I built SubnetLab Pro to give networking students, engineers, and CCNA/CCNP candidates a free, offline, fully-featured subnetting and protocol toolkit — no ads, no logins, no server needed. Now at v17.0 with 63+ interactive simulators spanning ARP, NAT, MTU, TLS, ICMP, TCP, DHCP Relay, Password Generator, Interview Prep, BGP Regex, and more. Everything I wish I had when I was learning networking myself.
Work Experience
Manager, Network Implementation
🌐 Akamai Technologies
📅 2023 – Present · Bengaluru, India
Leading global server and switch deployments. Managing network implementation projects,
coordinating with ISPs and partners worldwide to expand and maintain Akamai's global edge network.
Network Infrastructure Engagement Consultant
🌐 Akamai Technologies
📅 2020 – 2023 · Bengaluru, India
Worked with Akamai Accelerated Network Partners and ISPs globally. Troubleshot escalated
network, hardware, and performance issues. Managed new hardware deployments — racking, cabling,
configuration. Analyzed network trends and maintained Akamai installations.
Network Administrator
🏢 Microland Limited
📅 2020 · India
Provided network administration services for enterprise clients, managing custom software
and IT infrastructure deployments.
Network Engineer
🏢 Synophic Systems Pvt. Ltd.
📅 2017 – 2020 · India
Network design, engineering, and NOC services for leading OEMs, ISVs, and enterprises.
Built a strong foundation in routing, switching, and network infrastructure.
Education
Bachelor of Science — Computer Science
🎓 MTDS College
📅 Graduated 2017
Certifications
CCNA — Routing & Switching
Cisco Systems · Cisco Certified Network Associate
Network Implementation Specialist
Akamai Technologies · Internal Certification
Technical Skills
IPv4 / IPv6 Networking
97%
Subnetting & VLSM
97%
Network Implementation
95%
Routing & Switching (CCNA)
93%
ISP / CDN Infrastructure
90%
Network Troubleshooting
92%
Hardware Deployment & Config
95%
Web Dev / JavaScript / SVG
78%
Get In Touch
💼
LinkedIn
chaithanya-katari-58a4189a
🏢
Current Employer
Akamai Technologies
Email
[email protected]
WhatsApp
Chat directly
📍
Location
Bengaluru, Karnataka, India 🇮🇳
🧰 About SubnetLab Pro
v17.0
100% Offline
SubnetLab Pro is a fully offline, single-file networking toolkit built by Chaithanya Kumar Katari — a Network Implementation Manager at Akamai Technologies with 8+ years of hands-on global network deployments. No ads. No login. No internet needed. Open the HTML file and everything works instantly.
🌐 IP Tools
IPv4 Calculator & VLSM Planner
Visual Subnet Tree Builder
IPv6 Full Suite (EUI-64, SLAAC, NAT64, 6to4)
IP Classes & CIDR Deep Dive
Binary / Hex / Octet Converter
Subnet Masks Reference
Visual Subnet Tree Builder
IPv6 Full Suite (EUI-64, SLAAC, NAT64, 6to4)
IP Classes & CIDR Deep Dive
Binary / Hex / Octet Converter
Subnet Masks Reference
🔀 Switching / Routing
STP / RSTP Topology Simulator
↳ Multi-link & Parallel Cable Support
↳ Step-by-Step Election Walkthrough
VLAN 802.1Q Tag Visualizer
BGP Path Selection Simulator
Prefix-List & Route-Map Builder
↳ Multi-link & Parallel Cable Support
↳ Step-by-Step Election Walkthrough
VLAN 802.1Q Tag Visualizer
BGP Path Selection Simulator
Prefix-List & Route-Map Builder
📡 Protocols & Labs
DHCP DORA & DHCP Relay Agent (Option 82)
DNS Recursive / Iterative Chain Animator
BGP Mastery Suite + Animation Studio (12 topics)
TCP / TLS Handshake Deep Dive (6 scenarios)
ICMP · Traceroute · PMTUD Simulator
CCNA / CCNP / CCIE Course (30+ modules)
DNS Recursive / Iterative Chain Animator
BGP Mastery Suite + Animation Studio (12 topics)
TCP / TLS Handshake Deep Dive (6 scenarios)
ICMP · Traceroute · PMTUD Simulator
CCNA / CCNP / CCIE Course (30+ modules)
🔬 New in v17.0
🌐 BGP Mastery roadmap + guided learning flow
🧭 NEXT_HOP Reachability + Communities lab modules
🎬 Rebuilt BGP Animation Studio (scene timelines + advanced RR/Multihoming)
🧭 NEXT_HOP Reachability + Communities lab modules
🎬 Rebuilt BGP Animation Studio (scene timelines + advanced RR/Multihoming)
63+
Interactive Tools
35K+
Lines of Code
0
Dependencies
Free
Forever · No Ads
📋 Version History
v17.0
BGP Mastery & Animation Studio Rebuild — 🌐 Dedicated BGP Mastery track with roadmap navigation · 🧭 NEXT_HOP Reachability Simulator + Communities/Large Communities lab · 🎬 Rebuilt BGP Animations Hub with scene-driven storytelling, manual scene controls, synced operator/exam panels, richer canvas visuals, and expanded advanced scenarios (Route Reflector visibility/HA + Multihoming provider communities + hot-potato vs cold-potato)
v16.0
Utility & Career Tools Drop — 🔐 Password Generator (network-grade passwords with strength meter & copy) · 🎯 Interview Prep (CCNA/CCNP/CCIE Q&A with difficulty filter) · 🔀 BGP Regex Tester (AS-path & community regex live tester)
v15.0
Protocol Labs Mega-Drop — ARP Simulator (Basic, GARP, ARP Spoofing, Proxy ARP) · NAT/PAT Simulator (Static NAT, Dynamic NAT, PAT/Overload with live translation table) · MTU/Fragmentation Deep Dive (IP Fragmentation, PMTUD, PMTUD Black Hole, GRE Tunnel overhead) · TLS Handshake Animator (TLS 1.3, TLS 1.2, Session Resumption, Certificate Validation, mTLS, Alerts) · ICMP/Traceroute Simulator (Ping, Traceroute TTL walk, PMTUD) · TCP Segment Deep Dive (6 scenarios: Handshake, Data Transfer, Congestion, Teardown, Retransmit, RST) · DHCP Relay Agent (Basic, Option 82, Multi-server, Renewal, Decline/NAK) · ACL Simulator v2 Enhanced (Custom Packet Builder, Rule Editor, Hit Counter Dashboard, Quiz Mode, Packet Log)
v14.0
DHCP & DNS Simulators + BGP Animations Hub — Full DORA process animator with packet fields & DHCP option numbers · Complete DNS recursive/iterative resolution chain (browser cache → root → TLD → authoritative) · 8-animation BGP Hub (FSM, Message Types, Best Path, Route Reflector, Hijack Sim, MPLS Walker, Tunnel Builder, Convergence Calc)
v13.0
STP Multi-Link + Step Walkthrough · Add parallel/redundant links between any switches with custom costs · Full 6-step election walkthrough with BPDU internals, RP/DP/AP/BP logic, STP vs RSTP convergence · Real developer photo · About page overhaul
v12.0
STP/RSTP Topology Simulator · VLAN 802.1Q Visualizer · TCP Handshake · Prefix-List & Route-Map Builder · BGP Path Selection
v10.0
CCNA/CCNP/CCIE Course modules (30+ topics) · OSPF SPF & LSA Explorer · Network Security Reference · Quiz Mode · Flashcard Engine
v6.0
IPv6 full suite · EUI-64 · SLAAC · NAT64 · 6to4 tunnel calculator
v1.0
Initial release — IPv4 Calculator, VLSM Planner, Subnet Tree, Binary Basics
Built with ❤️ by Chaithanya Kumar Katari
Network Implementation Manager · Akamai Technologies · Bengaluru, India 🇮🇳
SubnetLab Pro v17.0
100% offline · No ads · Free forever
BGP Mastery Expert Track
A guided path from BGP foundations to policy, scale, traffic engineering, and security using the interactive labs already in SubnetLab Pro.
💡 Best flow: start with session behavior and attributes, move into policy controls, then finish with scale, multihoming, and security. Each card below jumps directly into the matching tool.
Phase 1 · Foundations CCNA+
Build protocol intuition before touching policy.
1. Neighbor establishment and FSM transitions
2. OPEN, UPDATE, KEEPALIVE, and NOTIFICATION message flow
3. eBGP vs iBGP behavior, TTL, next-hop, and loop prevention
Phase 2 · Decision & Policy CCNP
Understand why one route wins and how engineers intentionally change that outcome.
1. Best-path decision order and attribute comparison
2. NEXT_HOP reachability and recursive lookup behavior
3. Communities, large communities, and policy intent
4. Prefix-lists, route-maps, and AS-path filtering
Phase 3 · Scale & Design CCIE
Move from single decisions to large-scale topology design.
1. Route reflectors vs full mesh
2. Aggregation, summarization, and policy boundaries
3. Multihoming and traffic-engineering tradeoffs
Phase 4 · Security & Operations Ops
Finish with real-world failure modes, abuse cases, and defensive thinking.
1. Hijacks, leaks, and accidental policy blast radius
2. Blackhole communities, export control, and safe signaling
3. Validation mindset: filtering, max-prefix, and sanity checks
4. Troubleshooting: why the session is down, why the path changed, why traffic moved
Recommended Order
1. BGP Animations Hub
2. BGP Best Path Lab
3. NEXT_HOP Reachability Lab
4. Communities Lab
5. Prefix-List / Policy Lab
6. AS-Path Regex Lab
7. BGP Hijack & Security Lab
Next Modules To Build
1. Multihoming Traffic Engineering Sandbox
2. Route Reflector Topology Builder
3. RPKI / Origin Validation Visualizer
4. BGP Troubleshooting CLI Drill
5. Confederations and Scale Lab
BGP NEXT_HOP Reachability Simulator Intermediate
See when a BGP route is usable, when it stays hidden, and how next-hop-self changes the outcome.
💡 Core rule: BGP can prefer a path by attributes, but it still cannot install that path unless the receiving router can resolve the advertised NEXT_HOP recursively in its RIB.
Quick Presets
Advertisement Controls
Operational Meaning
Route Outcome
Topology View
Loading simulator...
Show-Style Output
Loading simulator...
BGP Communities & Large Communities Lab Intermediate
See how tags express policy intent, control export behavior, trigger blackholing, and carry scalable metadata across large networks.
💡 Communities do not change forwarding by themselves. They become useful only when a route-map or policy engine matches them and takes action.
Quick Presets
Tagging Controls
Policy Walk
Outcome
Route View
Loading simulator...
CLI / Config Hint
Loading simulator...
Decision Result
Best path selected
—
Step-by-step decision walkthrough
Attribute comparison
Generated Cisco IOS config
Scenario timeline
Load a scenario or fire events manually
Current state
—
What's happening
Select a protocol and fire an event.
Progress
0/0
State diagram
Packet / message detail
Fire an event to see packet fields.
🃏 Flashcard Engine Study
Timed flip-card study mode — covers CCNA through CCIE topics
0
Correct
0
Wrong
0
Remaining
0%
Score
—
Select a deck above to begin
Click to reveal answer
🔬 Packet Decoder Lab Tool
Paste a hex dump and decode it field-by-field — supports Ethernet, IP, TCP, UDP, ICMP, OSPF Hello, DHCP
Protocol — Select Sample or Paste Hex
Decoded Fields
Select a sample or paste hex bytes to decode...
Byte Map — Click to Highlight
Click canvas to place a router
Selected Element
Nothing selected — click a router or link
RID:
Area:
Type:
Cost:
OSPF cost = 10⁸ / bw
Place routers and links to see OSPF state.
Network topology — animated packet
Label stack at current hop
Hop detail — what this router does
Press play or use step buttons.
Timeline
MPLS operations
PUSH — Ingress LER adds label(s)
SWAP — Transit LSR swaps top label
POP — Penultimate or egress removes label
IP — Egress routes natively
LFIB entry at current hop
—
Encapsulated packet — click any layer to explore
Layer detail
Click a header layer above to see its fields.
Overhead analysis
Configure packet
Tunnel info
Internet topology — watch traffic flow change
Current step explanation
Select a scenario and press play.
Attack timeline
Routing tables
Prevention
Paste "show ip route" output
Route statistics
Paste a routing table to analyze.
Protocol breakdown
AD / metric anomalies
—
Paste any show command output
Paste show output above to see annotated interpretation.
Detected command
—
Field-by-field explanation
Paste output to begin.
Anomalies & flags
—
Suggested next commands
—
Convergence timeline
Phase breakdown
Recommendations
← Select a challenge
Generated configuration
Complete the wizard steps to generate configurations.
STP / RSTP Topology Simulator Expert
Add multiple links between switches · Step-by-step election walkthrough · Drag switches · Fail links in real time
Protocol
Switches
➕ Add Custom Link
Connect any two switches with a custom cost (parallel links supported)
↔
Cost:
Switch Config
Simulation
Legend
Root Port (RP)
Designated Port (DP)
Alternate Port (AP)
Backup Port (BP)
Failed Link
💡 Drag switches · Right-click link to remove · Parallel links allowed
Topology Canvas
STP 802.1D
✓ Converged
Idle — press Run Election
⚡ Toggle Link Failure
◉ Event Log
👣 Step-by-Step Election Walkthrough
Step 0 / 6
Press 👣 Step-by-Step Mode to start the guided walkthrough, or ▶ Run Election to auto-animate.
VLAN Trunk & 802.1Q Tag Visualizer Intermediate
Create VLANs, assign access/trunk ports, animate frames and see 4-byte tags inserted and stripped
VLAN Setup
💡 Define up to 6 VLANs. Each VLAN gets a colour-coded frame so you can see tags being added/removed as packets traverse the trunk.
Switch Topology
💡 Two switches connected by a trunk. Assign ports as Access (single VLAN) or Trunk (all VLANs). Select native VLAN on trunk ports — mismatch causes silent forwarding errors!
Frame Simulation
Live Topology & Frame Animation
802.1Q Frame Structure
Select ports and click Send Frame to see the 802.1Q tag detail.
Event Log
TCP State Machine Animator Intermediate
Live sequence numbers, ACK values and state transitions — trigger RST, FIN or packet loss
Connection Parameters
Trigger Events
State Machine
Packet Timeline
CLOSED
LISTEN
Packet Detail
Click any packet arrow on the diagram to inspect its headers.
Prefix-List & Route-Map Builder Expert
Build BGP policy, validate with a test prefix, export IOS & JunOS configs
Prefix-List Entries
💡 Each entry has a sequence number, permit/deny action, a network prefix, and optional ge/le length qualifiers. Lower sequence = evaluated first.
Route-Map Clauses
💡 Route-maps apply to matched prefixes. Each clause can set local-preference, MED, community, next-hop, or AS-path prepend.
Test Prefix Validator
Generated Config
Configure entries above to generate config...
Policy Walk Visualizer
Enter a test prefix above to see the match walk.
BGP Policy Reference
ge (≥) — MINIMUM prefix length · more specific · greater-or-equal
le (≤) — MAXIMUM prefix length · less specific · less-or-equal
exact — no ge/le = matches that prefix length only
0.0.0.0/0 le 32 — matches ALL prefixes
implicit deny — unmatched prefixes denied at end
Configure entries on the left to see the analysis here.
DHCP — Dynamic Host Configuration Protocol
DORA Process Animation · IP Pool Management · RFC 2131 · UDP Ports 67/68
DISCOVER
OFFER
REQUEST
ACK
Network Topology — Watch the packet travel with DHCP options
D — DISCOVER
→
O — OFFER
→
R — REQUEST
→
A — ACK
READY
Press ▶ Play or Next to begin the DORA process
Select scenario mode to view either successful T1 renewal or failed renew/rebind path ending in lease expiry.
📦 Packet Header Fields
Start the animation to see packet details & DHCP option numbers…
🗄️ DHCP Pool — 192.168.1.100 to 192.168.1.110
Waiting for lease negotiation…
📚 DORA Process — How it Works
D — DISCOVER
Client broadcasts to find DHCP servers. Source: 0.0.0.0 → Dest: 255.255.255.255
O — OFFER
Server offers an IP from its pool. Includes subnet, gateway, DNS, lease time.
R — REQUEST
Client broadcasts acceptance. Tells all servers which offer was chosen (server ID).
A — ACKNOWLEDGE
Server confirms the IP assignment. Lease timer starts. Client configures interface.
DNS — Domain Name System
Complete Real-World Resolution Chain · Recursive vs Iterative · RFC 1034/1035 · UDP/TCP Port 53
🔄 Recursive Query
↔️ Iterative Query
❌ NXDOMAIN Scenario
DNS Query
DNS Response
Referral
Final Answer
Cache MISS
DNS Resolution Topology — Full Chain from Browser to Authoritative NS
READY
Select a query mode and press ▶ Play to begin DNS resolution
Watch the complete real-world DNS journey for www.google.com: Browser Cache → OS Cache → Router DNS Cache → Resolver Cache → Root NS → .com TLD NS → Authoritative NS → Final Answer.
📦 Query / Response Details
Start the animation to see query details…
🗃️ DNS Cache (Resolver)
| Domain | Type | Value | TTL |
|---|
Cache is empty — resolution not started
📚 Key DNS Record Types — Hover to flip
A Record
IPv4 address mapping
hover to flip ↺
A — Address Record
Maps a hostname to its 32-bit IPv4 address. Most common DNS record type.
google.com → 142.250.182.100
AAAA Record
IPv6 address mapping
hover to flip ↺
AAAA — IPv6 Address
Maps a hostname to its 128-bit IPv6 address. Four times the size of an A record.
google.com → 2607:f8b0::200e
CNAME
Canonical name alias
hover to flip ↺
CNAME — Alias Record
Points one domain name to another. Cannot coexist with other records at same name.
www → example.com (A record)
MX Record
Mail exchange server
hover to flip ↺
MX — Mail Exchange
Specifies mail servers for a domain. Priority value determines order (lower = higher priority).
Priority 10 → mail.google.com
NS Record
Nameserver delegation
hover to flip ↺
NS — Name Server
Delegates a DNS zone to an authoritative name server. Essential for domain delegation.
google.com → ns1.google.com
PTR Record
Reverse DNS lookup
hover to flip ↺
PTR — Pointer Record
Reverse lookup — maps an IP address back to a hostname. Used in spam filtering & logs.
100.182.250.142.in-addr.arpa
🎬 BGP Animations Hub
A rebuilt BGP animation studio with guided scene timelines, operator context, exam traps, and deeper protocol storytelling across all core topics.
💡 Treat this like a flight deck, not a gallery. Pick one topic, watch the control-plane behavior, then use the learning panels below to connect the animation to real operator decisions and exam-level reasoning.
BGP Finite State Machine
SPEED
Scene 1
/
4
FSM
Idle State
The BGP process has just started. No peer connections exist. Waiting for a ManualStart or AutomaticStart event to begin the connection process.
ARP — Address Resolution Protocol
4 Scenarios · Request/Reply · Gratuitous ARP · Spoofing/MITM · Proxy ARP · RFC 826
Basic ARP — The fundamental L2/L3 glue. A client broadcasts "Who has IP X?" and the target replies with its MAC address.
ARP Request
ARP Reply
Cache Miss / Spoof
Cache Updated
Flooding / Proxy
Network Topology — Animated packet with ARP frame fields
READY
Select a scenario and press ▶ Play to begin ARP simulation
Watch the complete ARP flow — packet animation, live ARP cache updates, and Wireshark-style field breakdown for every frame. Four scenarios: Basic Request/Reply, Gratuitous ARP, ARP Spoofing (MITM), and Proxy ARP.
📦 ARP Frame Fields
Start the animation to see ARP frame field details…
🗂️ Live ARP Cache (per device)
| Device | IP Address | MAC Address | Type |
|---|---|---|---|
| ARP caches are empty — start simulation | |||
Windows: arp -a | Linux: ip neigh show | Cisco: show ip arp
📚 ARP Reference — Key Concepts
ARP Request (Opcode 1)
Broadcast. Src MAC = sender, Dst MAC = FF:FF:FF:FF:FF:FF. Target MAC = 00:00. EtherType = 0x0806.
ARP Reply (Opcode 2)
Unicast. Sent directly to requester's MAC. Contains sender's MAC-IP mapping. ARP Reply is always unicast!
Gratuitous ARP
Sender IP = Target IP. Used for IP change announcements, HSRP/VRRP failover, duplicate IP detection.
ARP Spoofing Defense
Dynamic ARP Inspection (DAI) on switches. Validate against DHCP snooping binding table. Static ARP for GW.
TCP — Segment Deep Dive
6 Scenarios · Handshake · Data Transfer · Congestion Control · Teardown · Retransmit · RST · CCIE Level
3-Way Handshake — SYN → SYN-ACK → ACK. Watch the ISN math, option negotiation, and TCP state transitions.
SYN / Request
ACK / OK
Data / PSH
FIN / Close
RST / Lost
SACK / Recovery
Topology + Wireshark Ladder Diagram — past steps dimmed · current step animated · TCP state badges live
READY
Select a scenario and press ▶ Play to begin TCP deep dive
The diagram shows both visual styles: a topology header (Client ↔ Server nodes with live TCP state badges) and a Wireshark-style ladder sequence diagram below it. Every past step stays visible — dimmed — so you can see the full segment history at once.
📦 TCP Segment Fields
Start the animation to see detailed TCP segment field breakdown…
📚 TCP State Machine Quick Reference
SYN_SENT
Client sent SYN, waiting for SYN-ACK. Active open.
SYN_RCVD
Server got SYN, sent SYN-ACK. Waiting for final ACK.
ESTABLISHED
Full duplex open. Data can flow in both directions.
FIN_WAIT_1/2
Active close. Sent FIN, waiting for ACK then peer FIN.
CLOSE_WAIT
Got peer FIN. App still sending. Must call close()!
TIME_WAIT
2×MSL wait. Absorb late segs. Common TAC issue.
Linux: ss -tanp | netstat -anp |
Cisco: show tcp brief |
Wireshark: tcp.flags.syn==1 | tcp.analysis.retransmission
🔒 TLS Handshake Deep Dive
Beginner → TAC → CCIE level — TLS 1.3, TLS 1.2, Resumption, Cert Validation, mTLS, Alerts
TLS 1.3 Handshake — 1 RTT. ClientHello with key share, encrypted certificate, PFS by default, 0-RTT session tickets. The modern standard.
ClientHello / Request
ServerHello / ACK
Encrypted Record
CertVerify / Finished
mTLS Client Auth
Alert / Error
Topology + Wireshark Ladder Diagram — past steps dimmed · current step animated · TLS state badges live
READY
Select a scenario and press ▶ Play to begin TLS deep dive
Each step shows the exact TLS record being exchanged, with live cipher suite negotiation state and certificate chain validation panel updating at every step.
📦 TLS Record Fields
Start the animation to see TLS record field breakdown…
🔐 Cipher Suite (Live)
Cipher suite details appear here during the handshake…
📜 Certificate Chain
Certificate details appear when a certificate is present in this step…
📚 TLS Quick Reference — TAC / CCIE
TLS 1.3 vs 1.2
1.3: 1 RTT, cert encrypted, PFS mandatory, no RSA KEX, no CBC. 1.2: 2 RTT, cert plaintext, optional PFS.
ECDHE / PFS
Ephemeral keys — past sessions safe even if private key stolen. TLS 1.3 mandates PFS. x25519 is fastest.
OCSP Stapling
Server attaches signed OCSP response. Eliminates client round-trip. Must-Staple cert forces it. Best practice.
mTLS / Zero Trust
Both sides authenticate. Istio/Envoy automates via SPIFFE SVID. Short-lived certs (1hr) = no revocation needed.
Common TAC Alerts
certificate_unknown (46): missing intermediate. handshake_failure (40): cipher mismatch. decrypt_error (51): tamper/key mismatch.
Debug Commands
openssl s_client -connect h:443 -showcerts · SSLKEYLOGFILE for Wireshark · Cisco: debug ssl · show ssl
Wireshark: tls.handshake.type==1 | tls.alert_message.desc | tls.record.content_type==23 |
OpenSSL: openssl s_client -tls1_3 -connect host:443 |
Cipher check: nmap --script ssl-enum-ciphers -p 443 host
NAT / PAT — Network Address Translation
4 Scenarios · Static NAT · Dynamic NAT · PAT Overload · Port Forwarding · Live Translation Table
Static NAT — Permanent 1:1 mapping. Learn all four NAT address types.
Inside (Private)
Outside (Public)
Translated / OK
Port Forwarding
PAT Session
Network Topology — watch packets transform at the NAT boundary (dashed yellow line)
READY
Select a scenario and press ▶ Play to begin NAT simulation
Packets are animated across the NAT boundary. Watch the source/destination IP and port fields change as they cross the router. The live translation table below updates exactly like
show ip nat translations.📦 Packet Fields (Before / After NAT)
Start the animation to see how NAT rewrites packet headers…
🗂️ Live NAT Translation Table
=
show ip nat translations| Inside Local | Inside Global | Outside Local | Outside Global | Type | Status |
|---|---|---|---|---|---|
| Translation table empty — start simulation | |||||
Cisco: show ip nat translations | show ip nat statistics | debug ip nat | clear ip nat translation *
📚 NAT / PAT Quick Reference
Inside Local
Private IP assigned to the inside host. e.g. 10.0.0.10. Real IP, never seen on Internet.
Inside Global
Public IP representing inside host to the Internet. e.g. 203.0.113.10. This is what the server sees.
Outside Global
Real public IP of outside host. e.g. 8.8.8.8. The actual destination on the Internet.
Outside Local
How outside host appears to inside devices. Usually = Outside Global unless double-NAT.
Static: ip nat inside source static 10.0.0.10 203.0.113.10
PAT: ip nat inside source list 1 interface Gi0/1 overload
Dynamic: ip nat pool POOL 203.0.113.10 203.0.113.13 prefix-length 24
Port Fwd: ip nat inside source static tcp 10.0.0.10 8080 203.0.113.10 80
DHCP Relay Agent — ip helper-address
Cross-Subnet DHCP · Option 82 · Multi-Server · Lease Renewal · DECLINE & NAK · RFC 3046
Basic Relay — DORA across subnets. How ip helper-address works, giaddr field, relay unicast to server, server pool selection. The core concept.
DISCOVER
Relay Forward/Back
OFFER / ACK
REQUEST
Option 82
DECLINE / NAK
Network Topology — Two subnets separated by Relay Agent (Router)
READY
Select a scenario above and press ▶ Play
Watch how DHCP Relay Agent (ip helper-address) enables DHCP across subnets, with Option 82 subscriber identity, multi-server redundancy, lease renewal, and error handling.
📦 Packet Header Fields
Start the animation to see packet fields & DHCP options…
🗄️ DHCP Pool — 10.1.1.100 to 10.1.1.110
Waiting for lease negotiation…
📚 DHCP Relay — TAC Quick Reference
Cisco IOS Config
interface Gi0/0
ip helper-address 10.2.2.1
ip helper-address 10.2.2.2
! Multiple = redundancy
ip helper-address 10.2.2.1
ip helper-address 10.2.2.2
! Multiple = redundancy
giaddr (Gateway IP)
Set by relay to its interface IP on client subnet. DHCP server uses this to select the right address pool. Critical field — must match a pool scope.
Option 82 Config
ip dhcp relay info option
ip dhcp relay info policy replace
ip dhcp snooping
ip dhcp snooping vlan 10
interface Gi0/24
ip dhcp snooping trust
ip dhcp relay info policy replace
ip dhcp snooping
ip dhcp snooping vlan 10
interface Gi0/24
ip dhcp snooping trust
T1 / T2 Timers
T1 (50%): Unicast renewal directly to server. No relay needed.
T2 (87.5%): Broadcast rebind — relay invoked again.
Expiry: Client goes to INIT state, loses IP.
T2 (87.5%): Broadcast rebind — relay invoked again.
Expiry: Client goes to INIT state, loses IP.
Common TAC Issues
No ip helper-address → clients get 169.254.x.x
Wrong giaddr pool → server sends NAK
Opt 82 mismatch → requests dropped
IP conflict → DECLINE → restart DORA
Wrong giaddr pool → server sends NAK
Opt 82 mismatch → requests dropped
IP conflict → DECLINE → restart DORA
Debug Commands
debug ip dhcp server events
debug ip dhcp server packet
show ip dhcp binding
show ip dhcp conflict
clear ip dhcp conflict *
debug ip dhcp server packet
show ip dhcp binding
show ip dhcp conflict
clear ip dhcp conflict *
Wireshark: bootp | bootp.option.dhcp == 1 (DISC) | bootp.option.dhcp == 6 (NAK) | bootp.option.dhcp == 4 (DECLINE) |
UDP Ports: Client→67 (Discover/Request) | Relay→67 (forward to server) | Server→68 (Offer/ACK to client)
OSPF Neighbor State Machine CCIE
2-Router P2P · 3-Router Broadcast (DR/BDR) · 4-Router Broadcast · 7 Troubleshoot Scenarios · Wireshark Packet Panel
OSPF DR/BDR Election CCIE
5 Scenarios · Priority Sliders · Non-Preemption · DR Failure · RFC 2328 §9.4
OSPF LSA Flooding CCIE
Types 1–7 · Multi-Area · LSDB per Router · Type 7→5 Translation · RFC 2328/3101
OSPF Area Type Comparator CCIE
Standard · Stub · Totally Stub · NSSA · Totally NSSA — live toggle
OSPF Path Selection CCIE
O · O IA · E1 · E2 · N1 · N2 — interactive cost sliders
OSPF Route Summarization CCIE
ABR Type-3 collapse · ASBR Type-5 aggregate · Discontiguous troubleshoot · Null0 discard route
OSPF Virtual Link + BFD Fast Convergence CCIE
Virtual Link adjacency · BFD 50ms detection · SPF throttle timers · Convergence timeline
OSPF Route Filtering & Policy CCIE
distribute-list · prefix-list · filter-list · route-map · T3/T5 control · loop prevention
OSPF Special Link Types CCIE
Broadcast · Point-to-Point · P2MP · NBMA · Loopback · GRE Tunnel
OSPF Stub Area Variants CCIE
Stub · Totally Stub · NSSA · Totally NSSA · LSA presence · configuration & troubleshoot