VCA-NET-301: Advanced Networking

NET-201 closed at the small-enterprise scale: a student who can architect a 30-employee network, run its routing protocols, sign its DNS zones, and monitor its traffic with Suricata signatures and Zeek scripts. NET-301 takes the same student to carrier scale, datacenter scale, and adversary scale. Carrier and WAN protocols (MPLS, Segment Routing, SRv6) at the depth a transit provider runs them. Datacenter fabrics (Clos topology, VXLAN-EVPN, route-reflector hierarchies) on Containerlab spine-leaf labs. Internet-scale BGP (route reflectors, communities, RPKI, prefix hijacking detection). Network automation (Ansible, Salt, Nornir; Python network-automation as a first-class engineering discipline). Performance engineering at line rate (eBPF, XDP, DPDK; the in-kernel networking layer the modern Linux datacenter runs on). Network security at scale (Suricata clustering, Zeek log-pipeline integration with SIEM, threat-hunting in production NSM corpora). Network forensics (Liska-anchored). Wireless / 802.11 deep-dive (4-way handshake, enterprise WPA3, captive-portal mechanics). Modern protocols (QUIC, HTTP/3, WebTransport, MASQUE). And a capstone that integrates network design with reverse engineering and operational monitoring in a single end-to-end exercise. This is the academy's networking-track terminal course.

Total time: ~165 hours
Lecture: ~25 hr
Practical / lab: ~50 hr
Independent practice: ~90 hr
Position: After NET-201 + CSA-201 (or equivalent intermediate networking + computer-architecture)
Prereq: VCA-NET-201 + VCA-CSA-201
Equipment: Laptop-only; primary tooling delivered in-browser via the academy workbench (Wireshark/tshark Wasm + pcap filter-learning visualizer = TIR-1, in engineering; academy network simulator on GNS3/Containerlab/Mininet/netlab = TIR-2, in engineering); Containerlab + Docker for spine-leaf fabric labs; eBPF/XDP labs require a recent Linux kernel (academy lab Linux env supplied); RTL-SDR (~$25; carryover from vca-wir-101) for the 802.11 capture lab; Liska Network Forensics + Stevens + Kurose-Ross textbooks library-acquired or paperback (see hardware platform · we update this as the kit firms up)
Credential: VCA-NET-301 Certificate of Completion
Register interest. We're not taking enrollments yet. Email interested@virtuscyberacademy.org.

Course Overview

NET-301 is the academy's networking-track capstone. It assumes NET-201's graduates: students who have shipped a small-enterprise operational playbook, built and broken multi-router OSPF / BGP topologies in GNS3 or Containerlab, dissected a TLS 1.3 handshake against Rescorla's annotation, and authored Suricata signatures and Zeek scripts against the academy NSM corpus. The pedagogical contract is that NET-301 is networking at the scales where the abstractions break. Carrier scale (where BGP convergence times matter), datacenter scale (where fabric topology and ECMP determine application latency), line rate (where eBPF/XDP move packet-processing into the kernel because user-space is too slow), and adversary scale (where the NSM corpus is a 24/7 stream and threat-hunting is a discipline).

Closes the NET-201 forward-promises. NET-201's OSPF / BGP / IS-IS module closes against NET-301's Internet-scale BGP module (route reflectors, communities, RPKI, prefix-hijacking detection in production traffic). NET-201's NSM-lite Suricata + Zeek authoring closes against NET-301's NSM-at-scale module (clustering, log-pipeline integration with SIEM, threat-hunting in production corpora). NET-201's SDN fundamentals close against NET-301's eBPF/XDP module (the in-kernel control + data plane that the modern Linux datacenter runs on). NET-201's small-enterprise capstone closes against NET-301's end-to-end design + RE + monitoring capstone.

Position relative to peer offerings. NET-301 is the only formal curriculum at this level that crosses the four scales (carrier, datacenter, line-rate, adversary) in one course. University-level advanced networking courses (CMU 15-744 Computer Networks, MIT 6.829, Stanford CS244) cover overlapping territory but typically pick one or two scales rather than the full set; NET-301's breadth is calibrated against students who have taken the academy's NET-101 + NET-201 + CSA-201 substrate and are heading into RE-201 / ADV-101 capstones where the full breadth is operationally relevant.

Pedagogy. The three NET-track teaching habits continue at advanced depth. Foundational readings (~18-22 weaves across NET-301's twelve chapters; Stevens for advanced-TCP and congestion-control passages, Kurose-Ross for the cellular and wireless chapters of the 9th edition, Bejtlich's Practice of Network Security Monitoring as primary anchor for the NSM and threat-hunting modules, Sherri Davidoff and Jonathan Ham's Network Forensics for the forensics module). Tool Journal (~12 new entries: BGP route-reflector, FRR-at-scale, Cilium / Calico, BPFtrace, Tetragon, flowmon-style flow-record tooling, threat-hunting platforms, DPDK testpmd, kismet at advanced register). Architecture comparison sidebars (Snort vs Suricata vs Zeek NSM architectures; QUIC vs HTTP/3 vs WebTransport modern-protocol generations; Clos vs three-tier vs collapsed-core datacenter fabrics; eBPF/XDP vs DPDK vs kernel-bypass packet-processing models).

What Belt-5 Networking Graduates Recognize

NET-301 reads paired anchors at advanced depth: Stevens Volume 1 Chapter 16 onward for advanced TCP and congestion control (Reno, NewReno, CUBIC, BBR), Kurose-Ross 9th edition for the 5G Core decomposition (AMF, SMF, UDM, AUSF, UPF, plus the NRF and NSSF helpers), Bejtlich's Practice of Network Security Monitoring for NSM-at-scale and threat-hunting, and Davidoff and Ham's Network Forensics for the forensics arc. The 5G work pairs with the WPA-AKA wireless module so students compare two AKA instantiations side by side, and the Mobile-IP architectural baseline reads alongside SDN and 5G Core as three architectural answers to the same per-flow-state question. Graduates leave able to discuss carrier-grade routing (BGP, RPKI, MPLS-SR, SRv6), datacenter fabric (Clos topology, VXLAN-EVPN), kernel-bypass forwarding (eBPF, XDP, DPDK), and the cellular-stack security surface that adversarial-RE and pentest tracks cross-cut into.

The teaching method uses paired textbook readings at advanced depth, with the per-chapter reading guide published as a separate handout (handouts/cross-chapter-net-301-anchor-reading-guide.md) so the catalog page stays thin. Twelve hands-on labs anchor each chapter to a measurable artifact, and the capstone is an end-to-end network design plus reverse-engineering plus monitoring deliverable graded on a two-tier rubric. Graduates carry the four-data-types NSM framework, the per-protocol congestion-control fingerprint, and the 5G Core architectural decomposition into pentest, threat-hunting, and forensics work; the cross-architecture comparison sidebar (5G Core vs SDN vs Mobile-IP, shared with vca-rf-301) becomes a reusable lens for future control-plane decompositions they encounter in production environments.

Curriculum Outline

Twelve chapters across ~14 weeks. Each chapter takes a NET-201 module and scales it.

| Ch | Topic | What NET-201 module it scales |
|----|-------|-------------------------------|
| 1 | Carrier and WAN protocols, MPLS, Segment Routing, SRv6 | NET-201 Ch 1-2 routing |
| 2 | Datacenter networking, Clos topology, VXLAN-EVPN, fabric design | NET-201 Ch 3 switching |
| 3 | Internet-scale BGP. Route reflectors, communities, RPKI, prefix-hijacking | NET-201 Ch 2 BGP basics |
| 4 | Network automation, Ansible, Salt, Nornir; Python network-automation | NET-201 manual-config era |
| 5 | Performance engineering. eBPF, XDP, DPDK; in-kernel networking | NET-201 Ch 9 performance tuning |
| 6 | Network security at scale, Suricata clustering, Zeek log-pipeline + SIEM | NET-201 Ch 8 NSM-lite |
| 7 | Network forensics deep-dive, Davidoff & Ham anchor | NET-201 Lab 7 mystery-pcap, scaled |
| 8 | Wireless / 802.11 deep-dive, 4-way handshake, WPA3-Enterprise, captive portals | Cross-cut to vca-wir-101 + rf-201 |
| 9 | Modern protocols, QUIC, HTTP/3, WebTransport, MASQUE | NET-201 Ch 4 TLS |
| 10 | Cross-cut to PT-track advanced lateral-movement | Forward pointer to vca-adv-101 |
| 11 | Cross-cut to RE-track advanced protocol RE | Forward pointer to vca-re-201 |
| 12 | Capstone. End-to-end network design + RE + monitoring exercise | The synthesis deliverable |

Architecture Comparison Sidebars

NET-301 carries five structured comparison sidebars. The full set publishes as handouts/cross-chapter-net-301-architecture-sidebars.md.

  • Snort vs Suricata vs Zeek. Three NSM tool architectures, the signature-vs-anomaly-vs-protocol-aware distinction, where each is deployed in production. Anchored on Bejtlich's Practice of Network Security Monitoring.
  • QUIC vs HTTP/3 vs WebTransport. Three modern-protocol generations, the transport-layer integration, the connection-migration story, why each matters. Anchored on Kurose-Ross 9th ed.
  • Clos vs three-tier vs collapsed-core fabrics. Three datacenter topology generations, the bisection-bandwidth story, why the leaf-spine Clos won.
  • eBPF/XDP vs DPDK vs kernel-bypass. Three line-rate packet-processing models, the user-space-vs-kernel divide, where each is deployed in production.
  • 5G Core vs SDN vs Mobile-IP control-plane architectures. Three contemporary control-plane decompositions compared on three explicit axes (control-plane decomposition, routing model, state-management strategy). Cross-chapter shared sidebar with vca-rf-301 Ch 5; published as handouts/cross-chapter-control-plane-architectures.md. Anchored on Kurose-Ross 9e §7.4 + §7.5.4 + §5; the central comparison when Ch 8's wireless module pairs 5G against the 802.11 substrate.
  • WPA2-SAE vs WPA3-SAE vs 5G-AKA (wireless AKA progression). Three contemporary wireless Authentication-and-Key-Agreement protocols compared on three explicit axes (trust-anchor model, long-term-identity privacy, forward-secrecy + replay-protection mechanism); the design-evolution arc from 802.11i (2004) through WPA3 / Dragonfly (2018) to 5G-AKA (3GPP Rel-15, 2018), with KRACK / Dragonblood / IMSI-catcher named as the attack classes driving each redesign. Cross-chapter shared sidebar with vca-wir-101 Week 4 + vca-rf-301 Ch 4 + vca-net-201 security module + cross-reference from vca-sec-101; published as handouts/cross-chapter-wireless-aka-progression.md. Anchored on Kurose-Ross 9e §8.8.1 + §8.8.2; the wireless-control-plane lens onto the AKA-progression story. Companion sidebar to the 5G Core control-plane comparison above; 5G-AKA appears in both, and the joint reading in NET-301 is that 5G-AKA's home-network anchoring (CT-A Axis 1) is what enables the 5G Core's UDM/AUSF decomposition (CT-B Axis 1): the two architectural decisions are joint, not independent.

NET-301 also draws on one cross-chapter reference handout. A different artifact class from the comparison sidebars above, published as a single canonical reference rather than a compare-N-implementations sidebar: handouts/cross-chapter-docsis-quad-cross-cut.md. The DOCSIS handout is the carrier / RF-front-end lens onto a four-track shared reference cross-cited by NET-201 (link-layer protocol), NET-301 (carrier / RF-front-end / late-DOCSIS-3.x modulation case study), RF-301 Ch 5 (advanced waveform RE), and RE-201 (SB6141 hardware lab), with chip-by-chip mapping for the MaxLinear MxL261 tuner and Broadcom DOCSIS PHY blocks. Anchored on Kurose-Ross 9e §6.3.4.

Learning Outcomes

  1. Remember. State the Segment Routing label-stack model; the VXLAN-EVPN control plane; RPKI's role in BGP origin validation; the four NSM data types per Bejtlich; the eBPF program-type taxonomy; the WPA3-Enterprise handshake.
  2. Understand. Explain why a Clos fabric scales linearly while a three-tier fabric scales logarithmically with respect to bisection bandwidth, and why this drove every hyperscaler datacenter to spine-leaf in the 2010s.
  3. Understand. Distinguish QUIC's connection migration from TCP's connection-tuple lock-in; explain why this matters on a mobile device transitioning between Wi-Fi and LTE.
  4. Apply. Stand up a Containerlab spine-leaf VXLAN-EVPN fabric with three leaves and two spines; demonstrate VM mobility across leaves.
  5. Apply. Author an eBPF/XDP program that drops malformed packets at line rate; load it against an interface; measure the cost.
  6. Apply. Stand up a clustered Suricata + Zeek + SIEM pipeline against a multi-sensor traffic source; detect three named threat scenarios using Bejtlich's four-data-types framework.
  7. Analyze. Given a captured trace of a sophisticated multi-stage intrusion (with C2, lateral movement, and exfiltration phases), reconstruct the attack timeline and identify the NSM signatures that would have caught each phase.
  8. Synthesize. Ship the end-to-end capstone. Design a multi-site enterprise network, RE an unknown protocol observed on its traffic, deploy NSM coverage detecting it, and report.

Hands-On Labs

Twelve labs, one capstone. Each lab takes a NET-201 substrate to advanced scale.

  • Lab 1. MPLS LSP setup in Containerlab; LDP signaling observed; traffic-engineered tunnel demonstrated.
  • Lab 2. Spine-leaf Clos VXLAN-EVPN fabric in Containerlab; VM mobility across leaves demonstrated.
  • Lab 3. RPKI deployment lab; valid / invalid / unknown ROA states observed; reject-invalid policy demonstrated.
  • Lab 4. Ansible network-automation playbook authoring; multi-device idempotent config push.
  • Lab 5. eBPF/XDP program authoring; line-rate packet drop measured against a non-XDP baseline.
  • Lab 6. Cilium service-mesh deployment on Kubernetes; observe eBPF-driven service-to-service connectivity.
  • Lab 7. Suricata cluster + Zeek log-pipeline + SIEM (Elasticsearch/Kibana or Wazuh); ingest the academy NSM corpus.
  • Lab 8. Threat-hunt against a production-corpus pcap stash using Bejtlich's four-data-types framework; detect three named scenarios.
  • Lab 9. CUBIC vs BBR congestion-control comparison; goodput-over-time curves plotted; divergence explained.
  • Lab 10. 802.11 4-way handshake capture against a lab AP; key derivation walked from Stevens-style byte annotation; WPA3-Enterprise variant observed.
  • Lab 11. QUIC handshake dissection; HTTP/3 over QUIC capture; observe connection migration between two interfaces.
  • Lab 12 (capstone). End-to-end network design + RE + monitoring capstone, the synthesis deliverable. See the Capstone section below.

Capstone: End-to-End Network Design + RE + Monitoring

The student designs a multi-site enterprise network of their own choice (the canonical exemplar: a 200-employee company with three sites, a public cloud presence, and remote-work population), deploys it in Containerlab plus Kubernetes for the cloud presence, identifies an unknown protocol observed on its traffic (the instructor seeds the lab with a deliberately-crafted unknown-protocol stream), reverse-engineers the protocol's structure, and deploys NSM coverage detecting it. The capstone integrates network-architecture, network-protocol-RE, and operational-monitoring in one end-to-end exercise.

Required artifacts

  • Multi-site network architecture diagram with WAN underlay (MPLS or SRv6), datacenter fabric (spine-leaf VXLAN-EVPN), Internet-edge BGP, RPKI deployment, NSM coverage.
  • Live Containerlab + Kubernetes topology that boots the chosen architecture; demonstrates VM mobility, service-mesh connectivity, and a deliberate-failure recovery.
  • Network-protocol-RE write-up of the seeded unknown protocol: hex-level frame dissection, inferred state machine, identified message types, validation against captured traffic.
  • Suricata + Zeek pipeline detecting the unknown protocol (a custom Suricata rule + a custom Zeek script); detection demonstrated against the captured traffic stream end-to-end.
  • A 35-50 page lab-notebook capstone report covering: design decisions and rationale, spine-leaf bring-up procedures, RPKI deployment story, RE methodology and findings, NSM coverage rationale, day-2 operational runbooks, the threat-model the design defends against, and an explicit limit-of-defence statement (what this design does not protect against).

Two-tier grading rubric

First, your project must work. The Containerlab+Kubernetes topology converges; the spine-leaf fabric demonstrates VM mobility; the RPKI deployment rejects an invalid ROA; the RE write-up correctly identifies the protocol's state machine; the Suricata+Zeek pipeline detects the protocol on captured traffic. Reports below this threshold do not pass.

Then we score the report on three dimensions.

  • Architecture-decision rationale and integration depth (40%). Are the carrier-scale, datacenter-scale, and adversary-scale decisions defended in terms of the alternatives? Does the capstone read as one coherent design rather than three glued pieces?
  • RE methodology + NSM coverage (30%). Is the unknown-protocol RE work systematic and reproducible? Does the NSM coverage match the threat model the design defends against?
  • Operational realism + limit-of-defence honesty (30%). Do the day-2 runbooks match what a working network architect at this scale actually does? Is the limit-of-defence statement complete and honest about residual risk?

B− minimum on Tier 2 for the certificate. The capstone is the structural precursor to a working architect role at scale; combined with NET-201's playbook capstone and PEN-101's engagement-report capstone, it produces a portfolio object hiring managers at network-equipment vendors, hyperscalers, and security-product vendors specifically look for.

Tool Journal: NET-301 Originating Entries

~12 new tools enter the diary in NET-301; the NET-101 + NET-201 corpus continues at advanced depth.

  • FRR-at-scale + route reflectors. Internet-scale BGP topology authoring.
  • RPKI / Routinator / RTRTR. Origin-validation deployment toolchain.
  • Cilium. The eBPF-native Kubernetes service-mesh; the modern Linux datacenter networking stack.
  • Calico. Alternative Kubernetes networking plugin; BGP-in-the-cluster deployment model.
  • BPFtrace. Dynamic-tracing language for eBPF; the "dtrace for Linux".
  • Tetragon. Cilium's eBPF-based runtime-security observability tool.
  • DPDK testpmd. User-space packet processing reference; line-rate forwarding measurement.
  • Ansible Network / Nornir / Salt-NAPALM. Network-automation orchestrators.
  • Wazuh / Elastic SIEM. NSM log-pipeline integration target.
  • Velociraptor / GRR. Endpoint-side forensic correlation tools (cross-cut).
  • Kismet (advanced users). Wireless network discovery with WPA3 awareness.
  • quiche / quinn / Cloudflare quiche CLI. QUIC / HTTP/3 client and server tools.

Recommended Readings

Primary anchor pair (continued from NET-101 / NET-201 at advanced depth)

  • W. Richard Stevens and Kevin Fall, TCP/IP Illustrated, Volume 1, 2nd ed. Addison-Wesley, 2011. Chapters 16+ (advanced TCP, congestion control, performance).
  • James Kurose and Keith Ross, Computer Networking: A Top-Down Approach, 9th ed. Pearson, 2021 (ISBN 978-0-13-592861-5). Wireless and mobile chapters (9e expands Ch 7 with new §7.2 wireless PHY + §7.4 wireless core network + §7.5 mobility split into WiFi/5G/Internet-mobility, plus Ch 8.8 split into 802.11 AKA + 5G AKA. Direct anchor for the cellular-modernity coverage NET-301 needs); the SDN-evolution and modern-protocol chapters.

Module-specific anchors (NET-301 introduces)

  • Richard Bejtlich, The Practice of Network Security Monitoring. No Starch, 2013 (ISBN 978-1-59327-509-9). Primary anchor for Chapters 6-7 (NSM at scale + threat-hunting).
  • Sherri Davidoff and Jonathan Ham, Network Forensics: Tracking Hackers Through Cyberspace. Prentice Hall, 2012. Primary anchor for Chapter 7 (network-forensics deep-dive).
  • Liz Rice, Learning eBPF. O'Reilly, 2023. Primary anchor for Chapter 5 (eBPF/XDP).
  • Russ White and Ethan Banks, Computer Networking Problems and Solutions. Addison-Wesley. Carrier-and-WAN protocol depth; complement to Doyle and Carroll.
  • Dinesh G. Dutt, Cloud Native Data Center Networking. O'Reilly, 2019. Datacenter-fabric primary anchor.

Practitioner training (parallel credential pathway)

  • Cisco CCNP / CCIE prep. The advanced-Cisco track. Students who complete NET-301 are positioned to sit CCNP-Enterprise or CCNP-Service-Provider.
  • SANS SEC503 Intrusion Detection In-Depth + GIAC GCIA. The high-cost forward-stretch alternative for students with employer training budget; ~$8,000+. Pairs with NET-301's NSM-at-scale modules.
  • SANS FOR572 Advanced Network Forensics + GIAC GNFA. Similar high-cost alternative for the network-forensics specialty.

Career Outcomes & Cross-Course Bridges

  • → VCA-RE-201 (network-protocol reverse engineering). The capstone's unknown-protocol RE module is the structural precursor to RE-201's burst-radio-signal RE work; the same byte-level discipline applies above and below the modulation layer.
  • → VCA-ADV-101 (adversarial techniques). NET-301's NSM-at-scale + threat-hunting + lateral-movement primitives feed adv-101's engagement work; CVE reproduction at scale becomes operationally tractable.
  • → VCA-AI-301 (agentic-security capstone). The eBPF/XDP module is the substrate for the agent-on-the-wire research projects AI-301's capstone draws on.
  • Industry. Senior network engineers; network architects at hyperscalers (AWS, GCP, Azure, Meta, Cloudflare); senior NSM analysts and threat-hunters; security-engineering leads at security-product vendors; field engineers at network-equipment vendors (Cisco, Arista, Juniper, Nokia); SRE / DevOps with deep networking; senior security researchers focused on network-protocol attacks.
  • Credential paths. Cisco CCNP-Enterprise / CCNP-Service-Provider / CCIE; (ISC)² CISSP for the broader security-architect track; SANS GIAC GCIA / GNFA for the NSM and forensics specialties; Offensive Security OSCE for the cross-cut into ADV-101's adversary track.

Certification Alignment

Cisco CCNP · SANS GCIA · SANS GNFA · CCIE (forward-pointer)

Primary: Cisco CCNP-Enterprise or CCNP-Service-Provider. NET-301 covers the substantive carrier-and-datacenter and security territory at greater depth on operational realism than the CCNP exams require, and at comparable depth on the protocol catalogue. Students who complete NET-101 + NET-201 + NET-301 are positioned to sit CCNP within four months of completion. Exam fee ~$300 per concentration exam.

Alternative (security specialty): SANS GIAC GCIA (Intrusion Analyst) or GNFA (Network Forensic Analyst). High-cost SANS-track credentials with substantial employer-funded adoption; pair with NET-301's NSM-at-scale and forensics modules.

Forward-pointer: NET-301 is the prerequisite-skill base for CCIE (expert Cisco; ~600 hr study), the highest-prestige networking credential. Students who continue into the future vca-re-201 elective will be positioned for both technical-architect and security-research career paths.

Before You Start

  1. Have you completed NET-201 and shipped its small-enterprise playbook capstone? (If no → NET-201's capstone is a central prereq.)
  2. Have you completed CSA-201 (or equivalent intermediate computer-architecture)? (If no → the eBPF/XDP and DPDK modules assume you can read kernel-fast-path descriptions; CSA-201's MMU and CSR work is the prereq mental model.)
  3. Are you comfortable with Docker + Containerlab + Kubernetes concepts? (If no → first-week prereq install discipline; Containerlab tutorial walked in Module 1.)
  4. Can you read modern Wireshark TLS 1.3 and QUIC dissections? (If no → NET-201 Ch 4 + Lab 4 review.)
  5. Do you have access to Bejtlich PNSM and Davidoff & Ham Network Forensics? (If no → library-acquire pathway; the academy library carries institutional copies.)

Format Prescriptions

Hour budget: ~25 lec hr + ~50 lab hr + ~90 indep hr (= ~165 hr total).

Live (standard cadence)

2 sessions/wk × 90 min over 14 weeks. Best for advanced-elective post-NET-201.

Night class

1-2 sessions/wk evenings; ~30 weeks. The eBPF/XDP and capstone modules need extended-evening blocks.

Bootcamp

40 hr/wk × ~4 weeks intensive. Compressed but feasible; capstone may extend an extra week.

Async self-paced

Recorded video; per-student academy network simulator (TIR-2) access; AI-assistant tier add-on; 1:1 tutoring premium for the eBPF/XDP and capstone modules.

High school / homeschool co-op

Year-long cadence at HS scheduling. Recommended for the most advanced students; pairing with CSA-201 in the prior year is central.

Interested in VCA-NET-301?

Email interested@virtuscyberacademy.org.