**1. Link.** Cable goes into the switchport. The NIC and switch auto-negotiate speed/duplex, the link light comes up, and the port state moves from down to up.
**2. L2 Port.** If STP is running, the port cycles Blocking → Listening → Learning → Forwarding (~30-50s on classic 802.1D) — unless it's an access/edge port with PortFast enabled, which jumps straight to Forwarding since a single PC can't form a loop. The switch also starts learning the PC's source MAC off the very first frame it transmits, whatever that frame turns out to be.
**3. DHCP.** The PC has no IP yet, so everything here is broadcast: Discover ("any DHCP server out there?") → server replies with an Offer (192.168.10.55) → PC broadcasts a Request to accept it, which also tells any other server on the segment its offer wasn't taken → server sends an Ack confirming the lease. If the DHCP server isn't on this subnet, the gateway relays the broadcast as a unicast (ip helper-address).
**4. Checkpoint.** IP: 192.168.10.55/24; Gateway: 192.168.10.1; DNS: 8.8.8.8; Lease time: e.g. 24h. Every step from here on is built on these four values — nothing else has happened yet.
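To make the checkpoint concrete, here is an added example (editor's code, not part of the original walkthrough) that parses a DHCP Offer/Ack down to exactly those four values. The Offer bytes are constructed inline from the page's addresses; the client MAC, transaction id and the 24h lease in seconds are assumptions. The defender-side check at the end compares the server identifier (option 54) against the servers you expect on the segment, which is the same comparison DHCP snooping automates on a switch.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(packet: bytes) -> dict:
    """Parse a BOOTP/DHCP message (UDP payload) into the values a client keeps."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops = struct.unpack("!BBBB", packet[0:4])
    xid = struct.unpack("!I", packet[4:8])[0]
    yiaddr = IPv4Address(packet[16:20])          # "your" address: the offered lease
    chaddr = packet[28:28 + hlen]                # client hardware address
    # Options are TLV encoded after the magic cookie; 0 is padding, 255 ends the list.
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length

    def ip_opt(code):
        return str(IPv4Address(opts[code][:4])) if code in opts else None

    return {
        "type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None,
        "xid": xid,
        "client_mac": chaddr.hex(":"),
        "ip": str(yiaddr),
        "mask": ip_opt(1),
        "gateway": ip_opt(3),
        "dns": ip_opt(6),
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "server_id": ip_opt(54),
    }


def offer_is_from_trusted_server(parsed: dict, trusted: set) -> bool:
    """A lease from an unexpected server identifier is the first sign of a rogue DHCP server."""
    return parsed["server_id"] in trusted


def build_sample_offer() -> bytes:
    """Constructed DHCP Offer carrying the page's four values (not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op=BOOTREPLY, broadcast flag
    hdr += IPv4Address("0.0.0.0").packed            # ciaddr
    hdr += IPv4Address("192.168.10.55").packed      # yiaddr: the offered address
    hdr += IPv4Address("192.168.10.1").packed       # siaddr (assumed: server is the gateway)
    hdr += IPv4Address("0.0.0.0").packed            # giaddr: no relay involved
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10   # chaddr, padded to 16 bytes
    hdr += b"\x00" * 64 + b"\x00" * 128             # sname, file (unused)
    opts = (b"\x35\x01\x02"                                        # 53 message type = OFFER
            + b"\x36\x04" + IPv4Address("192.168.10.1").packed    # 54 server identifier
            + b"\x33\x04" + struct.pack("!I", 86400)              # 51 lease time: 24h
            + b"\x01\x04" + IPv4Address("255.255.255.0").packed   # 1 subnet mask (/24)
            + b"\x03\x04" + IPv4Address("192.168.10.1").packed    # 3 router
            + b"\x06\x04" + IPv4Address("8.8.8.8").packed         # 6 DNS
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    lease = parse_dhcp(build_sample_offer())
    print(lease)
    print("trusted server:", offer_is_from_trusted_server(lease, {"192.168.10.1"}))
```

The parser deliberately reads the lease from `yiaddr` and the rest from options 1, 3, 6 and 51, because that is all the client needs to populate the checkpoint; everything else in the message (sname, file, vendor options) is ignored rather than trusted.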
**5. ARP.** The PC compares the destination (an internet address) against its own /24 — it's not local, so the frame needs to go to the gateway's MAC, not the destination's. ARP request broadcast: "who has 192.168.10.1?" → gateway replies with its MAC → cached locally (commonly ~4 hours).
**6. DNS.** Before anything meaningful can be requested, the domain name (e.g. example.com) needs an IP. The resolver query to 8.8.8.8 (UDP/53) travels this exact same switch → gateway → NAT → firewall → internet path; DNS traffic isn't special-cased, it's just another flow.
**7. L2 Forward.** The frame is addressed to the gateway's MAC (from step 5). The switch looks that MAC up in its table and sends the frame out one specific port — no flooding, because it's a known unicast destination now.
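Steps 2, 5 and 7 (and the return leg in step 14) are all one mechanism seen from different sides: the switch learns from source MACs and floods only what it can't look up, while the host decides whether to ARP for the destination itself or for the gateway. The following is an added example written for this page, not code from the original; the MAC addresses, port numbers, the 198.51.100.7 "internet" destination (RFC 5737 test range) and the aging timer are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: one CAM entry per source MAC seen, with per-entry aging."""

    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.cam = {}  # mac -> (port, last_seen)

    def receive(self, in_port, src_mac, dst_mac, now=0.0):
        """Return the list of egress ports for a frame arriving on in_port."""
        # Learning keys off the *source* MAC of whatever frame arrives first:
        # an ARP broadcast, a DHCP Discover, anything.
        self.cam[src_mac] = (in_port, now)
        # Age out entries the switch has not heard from recently.
        for mac, (_, seen) in list(self.cam.items()):
            if now - seen > self.aging:
                del self.cam[mac]
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            # Unknown or broadcast destination: flood every port except the ingress one.
            return [p for p in self.ports if p != in_port]
        # Known unicast: exactly one port, no flooding.
        return [self.cam[dst_mac][0]]


class Host:
    """Just enough host stack to pick a next hop and keep an ARP cache."""

    def __init__(self, interface, gateway, mac):
        self.iface = IPv4Interface(interface)
        self.gateway = IPv4Address(gateway)
        self.mac = mac
        self.arp_cache = {}  # IPv4Address -> mac

    def next_hop(self, dst_ip):
        """Local destinations are ARPed for directly; anything else goes via the gateway."""
        dst = IPv4Address(dst_ip)
        return dst if dst in self.iface.network else self.gateway


def walk_through():
    """Replay steps 2, 5, 7 and 14 of the walkthrough on the toy switch."""
    sw = Switch(ports=[1, 2, 3])  # PC on port 1, gateway on port 2, another host on port 3
    pc = Host("192.168.10.55/24", "192.168.10.1", "00:11:22:33:44:55")  # constructed MAC
    gw_mac = "aa:bb:cc:00:00:01"  # constructed MAC
    trace = {}
    # Step 5: the destination is outside the PC's /24, so the gateway is what needs resolving.
    target = pc.next_hop("198.51.100.7")
    trace["arp_target"] = str(target)
    # The ARP request is a broadcast: the switch learns the PC's MAC (step 2) and floods it.
    trace["arp_request"] = sw.receive(1, pc.mac, BROADCAST, now=1.0)
    # The gateway's reply is unicast to a MAC the switch now knows: one port only.
    trace["arp_reply"] = sw.receive(2, gw_mac, pc.mac, now=1.1)
    pc.arp_cache[target] = gw_mac
    # Step 7: the data frame carries the gateway's MAC and follows the CAM entry for it.
    trace["to_gateway"] = sw.receive(1, pc.mac, pc.arp_cache[target], now=2.0)
    # Step 14: the return frame finds the PC's MAC still in the table: no ARP, no flooding.
    trace["return"] = sw.receive(2, gw_mac, pc.mac, now=2.5)
    return trace


if __name__ == "__main__":
    for step, ports in walk_through().items():
        print(f"{step:>12}: {ports}")
```

The aging loop is what turns "no flooding" into a conditional statement: a host that stays quiet longer than the timer is flooded for again on the next frame addressed to it, which is why a long-idle server can briefly see its traffic on every port of the VLAN.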
**8. L3 Route.** The gateway strips the L2 header, reads the destination IP, matches its default route, and forwards the packet toward the firewall/WAN edge.
**9. NAT.** The private source 192.168.10.55:51422 gets rewritten to a public IP:port, e.g. 203.0.113.9:40551. A translation table entry is created — this entry is exactly what makes the return trip possible later.
**10. Firewall.** State table lookup finds no existing session, so the rule base is evaluated top-down. A matching allow rule (LAN→WAN) creates a new session entry, and the packet is forwarded out the WAN interface.
**11. Internet.** From here it's routed between autonomous systems via BGP-learned paths — outside your network's control. In an interview, acknowledging this exists is enough; it's not where the depth is expected.
**12. Response.** The destination server replies, addressed to your public IP:port — 203.0.113.9:40551.
**13. Return.** The firewall matches this against the session created in step 10 — no separate inbound rule is needed — un-NATs the destination back to 192.168.10.55, and routes it back through the gateway.
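Steps 9, 10, 12 and 13 are easiest to see as two tables, the PAT translation table and the firewall session table, consulted in opposite order on the way out and on the way back. The code below is an added example for this page, not the firewall's or any product's logic; the zone names, the single LAN→WAN allow rule, the 198.51.100.7 remote server and the port allocation starting at 40551 are assumptions chosen to match the page's numbers. It also covers the case the page implies but does not spell out: an unsolicited packet to the public IP:port from a different peer matches neither table and is dropped.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTable:
    """Port address translation: many private src IP:ports share one public IP."""

    def __init__(self, public_ip, first_port=40551):
        self.public_ip = public_ip
        self._ports = count(first_port)  # next free public source port (assumed allocator)
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public port, remote_ip, remote_port) -> (src_ip, src_port)

    def translate_out(self, pkt):
        """Step 9: rewrite the private source and record the entry the reply will need."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt):
        """Step 13: map a reply back to the private host, or None if no entry matches."""
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto)


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    from_zone: str
    to_zone: str
    dst_port: Optional[int] = None  # None matches any destination port


class StatefulFirewall:
    """Rules are evaluated top-down for new flows; established sessions bypass the rule base."""

    def __init__(self, rules, zones):
        self.rules = list(rules)
        self.zones = {IPv4Network(n): z for n, z in zones.items()}
        self.sessions = set()  # 5-tuples admitted in the forward direction

    def zone_of(self, ip):
        addr = IPv4Address(ip)
        return next((z for n, z in self.zones.items() if addr in n), "wan")

    def process(self, pkt, ingress_zone):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "allow (existing session)"       # return traffic needs no inbound rule
        egress_zone = self.zone_of(pkt.dst_ip)
        for rule in self.rules:                      # first match wins
            if (rule.from_zone, rule.to_zone) == (ingress_zone, egress_zone) \
                    and rule.dst_port in (None, pkt.dst_port):
                if rule.action == "allow":
                    self.sessions.add(fwd)           # step 10: new session entry
                return f"{rule.action} (rule)"
        return "deny (implicit)"                     # nothing matched: default deny


def walk_through():
    pat = PatTable("203.0.113.9")
    fw = StatefulFirewall(rules=[Rule("allow", "lan", "wan")],
                          zones={"192.168.10.0/24": "lan"})
    out = Packet("192.168.10.55", 51422, "198.51.100.7", 443)      # constructed destination
    nat_out = pat.translate_out(out)                               # step 9
    verdict_out = fw.process(nat_out, ingress_zone="lan")          # step 10
    reply = Packet("198.51.100.7", 443, nat_out.src_ip, nat_out.src_port)  # step 12
    verdict_back = fw.process(reply, ingress_zone="wan")           # step 13: session match
    delivered = pat.translate_in(reply)                            # step 13: un-NAT
    # Unsolicited packet to the same public port from a different peer: no session, no entry.
    stray = Packet("198.51.100.99", 12345, "203.0.113.9", 40551)
    return {
        "public_src": (nat_out.src_ip, nat_out.src_port),
        "outbound": verdict_out,
        "return": verdict_back,
        "delivered_to": (delivered.dst_ip, delivered.dst_port),
        "stray_verdict": fw.process(stray, ingress_zone="wan"),
        "stray_untranslated": pat.translate_in(stray) is None,
    }


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k:>18}: {v}")
```

Keying the inbound PAT entry on the remote IP:port as well as the public port is the detail that matters for security: it is what makes the translation entry unusable by anyone other than the peer the host actually talked to, and the firewall's session check gives the same guarantee one layer up.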
**14. Delivered.** The switch already has 192.168.10.55's MAC in its table from step 2 — no flooding, no ARP needed on this leg. The frame goes straight out the PC's port, and the loop closes.

| Term | Meaning |
|---|---|
| DORA | Discover, Offer, Request, Ack — the four-step DHCP lease process |
| ARP | Address Resolution Protocol — maps a known IP to its Layer 2 MAC address on the local segment |
| MAC / CAM Table | The switch's mapping of learned source MACs to the port they arrived on |
| PortFast / Edge Port | STP setting that skips Listening/Learning delay on ports known to only ever face end hosts |
| RFC 1918 | The private IP ranges (10/8, 172.16/12, 192.168/16) that require NAT to reach the internet |
| NAT vs PAT | NAT translates one IP to another; PAT (overload) shares one public IP across many sessions using different ports |
| State Table | The firewall's live record of established sessions, used to auto-permit return traffic |
| APIPA | 169.254.0.0/16 — the self-assigned range a host falls back to when DHCP fails |
| Gratuitous ARP | An unsolicited ARP reply used to immediately update other hosts' caches, e.g. after a gateway failover |
| BGP | The routing protocol that determines paths between networks (autonomous systems) across the internet |