7 Networking Hands-On Config

Key Concepts

Ping: A network diagnostic tool using ICMP echo request/reply to verify connectivity and measure round-trip time
Traceroute (tracert): A tool that reveals the path packets take through the network by exploiting TTL expiry at each hop
Netstat: A command that displays active network connections, listening ports, and routing table information
Wireshark: A packet capture tool that displays raw network frames with protocol decoding for each layer
Iperf: A network performance measurement tool that measures achievable TCP/UDP throughput between two hosts
Nmap: A network scanner that discovers active hosts and open ports in a subnet
tcpdump: A command-line packet capture tool; lightweight alternative to Wireshark, suitable for remote SSH sessions

7.1 In 60 Seconds

This hands-on chapter walks through configuring ESP32 devices on Wi-Fi networks, understanding port numbers used by IoT protocols (MQTT on 1883, CoAP on 5683, HTTP on 80/443), applying layer-by-layer troubleshooting methodology, and implementing basic network security practices for IoT deployments.

7.2 Learning Objectives

By the end of this chapter, you will be able to:

Configure IoT Networks: Set up ESP32 devices with proper Wi-Fi, IP, and DHCP network configuration
Identify and Classify Port Numbers: Differentiate common IoT protocol ports (MQTT 1883/8883, CoAP 5683/5684, HTTP 80/443) by range and security properties
Troubleshoot Networks: Apply systematic layer-by-layer troubleshooting to diagnose and resolve IoT connectivity failures
Implement Security Controls: Apply TLS encryption, credential management, and network segmentation practices to harden IoT deployments
Calculate Data Budgets: Evaluate bandwidth and latency trade-offs by computing protocol overhead ratios and monthly data consumption for IoT device fleets

For Beginners: Networking Hands-On Practice

This chapter gives you practical experience configuring network settings on real devices. Think of it as learning to drive by actually getting behind the wheel – you will set up IP addresses, test connections, and see firsthand how devices find and talk to each other on a network.

Sensor Squad: Getting Our Hands Dirty!

“Enough theory – let’s actually configure a real device!” said Max the Microcontroller, powering up an ESP32 board. “First, we tell it which Wi-Fi network to join and give it the password. Then it gets an IP address and we are connected!”

Sammy the Sensor watched excitedly. “Once we are on the network, we need to know which PORT to send data to. The MQTT broker listens on port 1883, like an apartment number in a building. If I send to the wrong port, my data goes nowhere!”

“When something goes wrong – and it WILL go wrong – troubleshoot from the bottom up,” advised Lila the LED. “First check Physical: is the device powered on and the antenna working? Then Data Link: can it see the Wi-Fi access point? Then Network: did it get an IP address? And finally Application: is the MQTT connection established?”

“That layered approach saves so much time,” agreed Bella the Battery. “Instead of randomly guessing, you systematically check each layer until you find the problem. And do not forget security – always change default passwords, use encrypted connections, and never send sensitive data over plain HTTP!”

7.3 Prerequisites

Before diving into this chapter, you should be familiar with:

Networking Basics: Introduction: Core networking concepts including layers, IP addressing, and network types
Networking Basics: Protocols and MAC: Understanding protocol layers and MAC classification

7.4 Hands-On: Network Configuration

Time: ~15 min | Intermediate | P07.C14.U04

7.4.1 ESP32 Network Configuration Example

ESP32 Configuration Workflow

Instead of memorizing a sketch, focus on the evidence a correct sketch should print.

Stage	What the ESP32 should do	Evidence to record
Join Wi-Fi	Connect to the intended SSID with the correct password	`WiFi.status()` reports connected
Receive DHCP settings	Get an IP address, subnet mask, gateway, and DNS server	IP is not `0.0.0.0` or `169.254.x.x`
Identify the device	Report the device MAC address and optional hostname	MAC address is unique on the LAN
Check signal quality	Measure RSSI after association	Better than about `-70 dBm` for stable Wi-Fi
Test reachability	Try a simple outbound connection to a known host/port	Gateway or internet test succeeds

Key Configuration Parameters:

Parameter	Purpose	Example
IP Address	Device’s unique network identity	192.168.1.100
Subnet Mask	Defines local network size	255.255.255.0 (/24 = 254 hosts)
Gateway	Router to reach other networks	192.168.1.1
DNS	Converts names to IP addresses	8.8.8.8 (Google DNS)
MAC Address	Hardware identifier	DC:A6:32:AB:CD:EF

Try It: ESP32 Network Configuration Explorer

Objective: Read the network configuration an ESP32 receives from DHCP and understand which fields prove that the device is ready to communicate.

Setup: Use the diagnostic activities in this chapter to understand the fields. If you later run an ESP32 sketch, make it print the evidence below rather than treating the code as the learning goal.

Explorer Output Checklist:

Field	Healthy output	What it proves
Wi-Fi status	Connected	SSID/password and association worked
IP address	Private address such as `192.168.1.45`	DHCP or static IP assignment worked
Subnet mask	Usually `/24` in small LANs	Device knows which IPs are local
Gateway	Router address such as `192.168.1.1`	Device has a path off the subnet
DNS server	Router or resolver address	Hostnames can be resolved
RSSI	Better than about `-70 dBm`	Signal is likely stable enough
Outbound test	Known host/port succeeds	Routing, NAT, and firewall permit traffic

What to Observe:

Watch the Serial Monitor for DHCP-assigned IP, subnet mask, and gateway
The MAC address is a unique hardware identifier – every ESP32 has a different one
RSSI updates show signal strength over time (-30 dBm = excellent, -70 dBm = acceptable)
Try changing WiFi.getHostname() before WiFi.begin() with WiFi.setHostname("my-sensor") to customize the device name on the network

7.4.2 Python Network Scanner

Python Network Scanner: Safe Planning View

A scanner should be used only on networks where you have permission. The learning objective is to understand the investigation logic:

Step	Question	Evidence
Define scope	Which subnet is approved for testing?	Example: `192.168.1.0/24` with owner approval
Choose ports	Which IoT services are you checking?	MQTT `1883/8883`, CoAP `5683/5684`, HTTP `80/443`, SSH `22`
Test one host first	Does a known device respond as expected?	Confirms the tool and firewall behavior
Scan carefully	Are results limited to approved hosts and ports?	Avoids noisy or unauthorized probing
Interpret results	Are any insecure services exposed?	Plain MQTT, HTTP, Telnet, or unexpected open ports need review

Try It: Subnet & IP Address Explorer

Enter a base IP address and subnet mask to see how many hosts fit in the network, the valid IP range, and the broadcast address.

Show code

viewof subnetBase = Inputs.text({
  label: "Base IP Address",
  value: "192.168.1.0",
  placeholder: "e.g. 192.168.1.0"
})

viewof subnetBits = Inputs.range([8, 30], {
  label: "Subnet Prefix Length (CIDR)",
  step: 1,
  value: 24
})

Show code

{
  const parts = subnetBase.split(".").map(Number);
  const valid = parts.length === 4 && parts.every(p => !isNaN(p) && p >= 0 && p <= 255);
  if (!valid) {
    return html`<div style="padding:12px;background:#fef3cd;border-radius:6px;color:#856404;">
      Please enter a valid IPv4 address (e.g. 192.168.1.0)
    </div>`;
  }

  const prefix = subnetBits;
  const hostBits = 32 - prefix;
  const totalHosts = Math.pow(2, hostBits);
  const usableHosts = hostBits >= 2 ? totalHosts - 2 : (hostBits === 1 ? 0 : 1);

  // Calculate subnet mask
  const maskNum = (0xFFFFFFFF << hostBits) >>> 0;
  const mask = [(maskNum >>> 24) & 0xFF, (maskNum >>> 16) & 0xFF, (maskNum >>> 8) & 0xFF, maskNum & 0xFF];

  // Calculate network and broadcast
  const ipNum = (parts[0] << 24 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
  const netNum = (ipNum & maskNum) >>> 0;
  const bcastNum = (netNum | (~maskNum >>> 0)) >>> 0;
  const firstHost = hostBits >= 2 ? netNum + 1 : netNum;
  const lastHost = hostBits >= 2 ? bcastNum - 1 : bcastNum;

  const toIP = n => [(n >>> 24) & 0xFF, (n >>> 16) & 0xFF, (n >>> 8) & 0xFF, n & 0xFF].join(".");

  // Visual bar showing used vs available space
  const barWidth = 400;
  const filledRatio = Math.min(usableHosts / 254, 1);

  return html`<div style="font-family:Arial,sans-serif;background:#f8f9fa;padding:20px;border-radius:8px;border-left:4px solid #16A085;">
    <h4 style="margin-top:0;color:#2C3E50;">Subnet Calculation Results</h4>
    <table style="border-collapse:collapse;width:100%;margin-bottom:16px;">
      <tr><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Network Address</td><td style="padding:6px 12px;font-family:monospace;color:#16A085;">${toIP(netNum)}</td></tr>
      <tr style="background:#fff;"><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Subnet Mask</td><td style="padding:6px 12px;font-family:monospace;color:#16A085;">${mask.join(".")} (/${prefix})</td></tr>
      <tr><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Broadcast Address</td><td style="padding:6px 12px;font-family:monospace;color:#16A085;">${toIP(bcastNum)}</td></tr>
      <tr style="background:#fff;"><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">First Usable Host</td><td style="padding:6px 12px;font-family:monospace;color:#16A085;">${hostBits >= 2 ? toIP(firstHost) : "N/A"}</td></tr>
      <tr><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Last Usable Host</td><td style="padding:6px 12px;font-family:monospace;color:#16A085;">${hostBits >= 2 ? toIP(lastHost) : "N/A"}</td></tr>
      <tr style="background:#fff;"><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Total Addresses</td><td style="padding:6px 12px;font-family:monospace;color:#E67E22;">${totalHosts.toLocaleString()}</td></tr>
      <tr><td style="padding:6px 12px;font-weight:bold;color:#2C3E50;">Usable Host IPs</td><td style="padding:6px 12px;font-family:monospace;color:#E67E22;font-weight:bold;">${usableHosts.toLocaleString()}</td></tr>
    </table>
    <div style="margin-top:8px;">
      <div style="font-size:0.85em;color:#7F8C8D;margin-bottom:4px;">Host capacity (relative to /24 = 254 hosts):</div>
      <svg width="${barWidth + 20}" height="30">
        <rect x="0" y="5" width="${barWidth}" height="20" rx="4" fill="#ecf0f1" stroke="#bdc3c7"/>
        <rect x="0" y="5" width="${barWidth * filledRatio}" height="20" rx="4" fill="#16A085"/>
        <text x="${barWidth + 5}" y="20" font-size="12" fill="#2C3E50" font-family="Arial">${usableHosts}</text>
      </svg>
    </div>
    <div style="font-size:0.8em;color:#7F8C8D;margin-top:8px;">
      ${prefix <= 24 ? `This /${prefix} network could hold ${Math.floor(totalHosts / 256)} typical IoT subnets (/24 each).` : `A /${prefix} subnet is suitable for small IoT deployments with up to ${usableHosts} devices.`}
    </div>
  </div>`;
}

7.5 Port Numbers

Time: ~8 min | Foundational | P07.C14.U05

Port numbers identify specific applications or services on a device. They range from 0 to 65535.

7.5.1 Common IoT Protocol Ports

Port	Protocol	Description	Security
80	HTTP	Web servers, REST APIs	Unencrypted
443	HTTPS	Secure web, TLS	Encrypted
1883	MQTT	IoT messaging	Unencrypted
8883	MQTTS	MQTT over TLS	Encrypted
5683	CoAP	Constrained devices	Unencrypted
5684	CoAPS	CoAP over DTLS	Encrypted
22	SSH	Secure shell access	Encrypted
23	Telnet	Remote access	Unencrypted (avoid!)
502	Modbus TCP	Industrial protocols	Unencrypted
5353	mDNS	Local device discovery	N/A
123	NTP	Time synchronization	N/A
53	DNS	Domain name resolution	Usually unencrypted

Security Best Practice

Always use encrypted ports in production:

Use 8883 instead of 1883 for MQTT
Use 5684 instead of 5683 for CoAP
Use 443 instead of 80 for HTTP
Never use Telnet (port 23) - use SSH (port 22) instead

Unencrypted ports are acceptable only for development and testing on isolated networks.

7.5.2 Port Number Ranges

Range	Type	Examples
0-1023	Well-known ports	HTTP (80), HTTPS (443), SSH (22)
1024-49151	Registered ports	MQTT (1883), CoAP (5683)
49152-65535	Dynamic/private	Client-side connections

Try It: IoT Port Number Explorer

Select an IoT protocol to see its port number, security status, and where it falls in the port range. You can also enter any port number to classify it.

Show code

viewof selectedProtocol = Inputs.select(
  ["HTTP (80)", "HTTPS (443)", "MQTT (1883)", "MQTTS (8883)", "CoAP (5683)", "CoAPS (5684)", "SSH (22)", "Telnet (23)", "Modbus TCP (502)", "mDNS (5353)", "NTP (123)", "DNS (53)", "Custom..."],
  { label: "Select Protocol", value: "MQTT (1883)" }
)

viewof customPort = Inputs.range([0, 65535], {
  label: "Or explore any port number",
  step: 1,
  value: 1883
})

Show code

{
  const protocols = {
    "HTTP (80)": { port: 80, name: "HTTP", desc: "Web servers, REST APIs", encrypted: false, secure_alt: "HTTPS (443)" },
    "HTTPS (443)": { port: 443, name: "HTTPS", desc: "Secure web, TLS encrypted", encrypted: true, secure_alt: null },
    "MQTT (1883)": { port: 1883, name: "MQTT", desc: "IoT publish-subscribe messaging", encrypted: false, secure_alt: "MQTTS (8883)" },
    "MQTTS (8883)": { port: 8883, name: "MQTTS", desc: "MQTT over TLS encryption", encrypted: true, secure_alt: null },
    "CoAP (5683)": { port: 5683, name: "CoAP", desc: "Constrained Application Protocol (UDP)", encrypted: false, secure_alt: "CoAPS (5684)" },
    "CoAPS (5684)": { port: 5684, name: "CoAPS", desc: "CoAP over DTLS encryption", encrypted: true, secure_alt: null },
    "SSH (22)": { port: 22, name: "SSH", desc: "Secure shell remote access", encrypted: true, secure_alt: null },
    "Telnet (23)": { port: 23, name: "Telnet", desc: "Unencrypted remote access (AVOID!)", encrypted: false, secure_alt: "SSH (22)" },
    "Modbus TCP (502)": { port: 502, name: "Modbus TCP", desc: "Industrial automation protocol", encrypted: false, secure_alt: "Modbus/TCP with TLS" },
    "mDNS (5353)": { port: 5353, name: "mDNS", desc: "Multicast DNS local device discovery", encrypted: false, secure_alt: null },
    "NTP (123)": { port: 123, name: "NTP", desc: "Network Time Protocol", encrypted: false, secure_alt: "NTS (4460)" },
    "DNS (53)": { port: 53, name: "DNS", desc: "Domain name resolution", encrypted: false, secure_alt: "DoH (443) / DoT (853)" }
  };

  const isCustom = selectedProtocol === "Custom...";
  const port = isCustom ? customPort : protocols[selectedProtocol].port;
  const info = isCustom ? null : protocols[selectedProtocol];

  // Port range classification
  let rangeLabel, rangeColor;
  if (port <= 1023) { rangeLabel = "Well-Known"; rangeColor = "#16A085"; }
  else if (port <= 49151) { rangeLabel = "Registered"; rangeColor = "#3498DB"; }
  else { rangeLabel = "Dynamic/Private"; rangeColor = "#9B59B6"; }

  // Visual port range bar
  const barW = 500;
  const portPos = Math.round((port / 65535) * barW);

  const securityBadge = info
    ? (info.encrypted
        ? `<span style="background:#16A085;color:white;padding:3px 10px;border-radius:12px;font-size:0.85em;">Encrypted</span>`
        : `<span style="background:#E74C3C;color:white;padding:3px 10px;border-radius:12px;font-size:0.85em;">Unencrypted</span>`)
    : "";

  const altNote = info && info.secure_alt && !info.encrypted
    ? `<div style="margin-top:10px;padding:8px 12px;background:#fef3cd;border-radius:6px;color:#856404;font-size:0.9em;">
        <strong>Security recommendation:</strong> Use <strong>${info.secure_alt}</strong> instead in production.
       </div>`
    : "";

  return html`<div style="font-family:Arial,sans-serif;background:#f8f9fa;padding:20px;border-radius:8px;border-left:4px solid #3498DB;">
    <h4 style="margin-top:0;color:#2C3E50;">Port ${port} ${info ? `- ${info.name}` : ""}</h4>
    ${info ? `<p style="color:#7F8C8D;margin:4px 0;">${info.desc}</p>` : ""}
    <div style="margin:10px 0;">
      <span style="background:${rangeColor};color:white;padding:3px 10px;border-radius:12px;font-size:0.85em;">${rangeLabel} Port</span>
      ${securityBadge}
    </div>
    <div style="margin-top:16px;">
      <div style="font-size:0.8em;color:#7F8C8D;margin-bottom:4px;">Position in port range (0 - 65535):</div>
      <svg width="${barW + 20}" height="50" style="overflow:visible;">
        <rect x="0" y="15" width="${Math.round(barW * 1023/65535)}" height="20" fill="#16A085" opacity="0.2" rx="2"/>
        <rect x="${Math.round(barW * 1024/65535)}" y="15" width="${Math.round(barW * (49151-1024)/65535)}" height="20" fill="#3498DB" opacity="0.2"/>
        <rect x="${Math.round(barW * 49152/65535)}" y="15" width="${Math.round(barW * (65535-49152)/65535)}" height="20" fill="#9B59B6" opacity="0.2" rx="2"/>
        <line x1="${portPos}" y1="8" x2="${portPos}" y2="42" stroke="${rangeColor}" stroke-width="3"/>
        <circle cx="${portPos}" cy="25" r="5" fill="${rangeColor}"/>
        <text x="${portPos}" y="5" text-anchor="middle" font-size="11" fill="#2C3E50" font-family="Arial" font-weight="bold">${port}</text>
        <text x="0" y="48" font-size="9" fill="#16A085" font-family="Arial">Well-Known (0-1023)</text>
        <text x="${Math.round(barW * 0.35)}" y="48" font-size="9" fill="#3498DB" font-family="Arial">Registered (1024-49151)</text>
        <text x="${Math.round(barW * 0.78)}" y="48" font-size="9" fill="#9B59B6" font-family="Arial">Dynamic (49152+)</text>
      </svg>
    </div>
    ${altNote}
  </div>`;
}

Quick Check: Port Numbers and Security

7.6 Network Troubleshooting

Time: ~12 min | Intermediate | P07.C14.U06

7.6.1 Layer-by-Layer Troubleshooting Approach

When an IoT device won’t connect, work systematically from Physical layer up:

Flowchart showing layer-by-layer IoT troubleshooting: start at Physical (power, signal), then Data Link (SSID, auth), Network (IP/DHCP), and Application (port, firewall), with pass/fail branches at each layer leading to a root-cause fix — Figure 7.1: Layer-by-layer troubleshooting flowchart for IoT connectivity issues

7.6.2 Troubleshooting Checklist by Layer

Layer 1 (Physical):

Is the device powered on?
Is RSSI > -70 dBm? (e.g., -55 dBm is good; -85 dBm is too weak)
Is the antenna connected properly?
Any physical obstacles (metal, concrete)?
Is the device within range?

Layer 2 (Data Link):

Correct SSID? (case-sensitive)
Correct password? (case-sensitive)
MAC address whitelisted? (if MAC filtering enabled)
Correct Wi-Fi channel? (2.4 GHz vs 5 GHz - ESP32 only supports 2.4 GHz)
Channel congestion?

Layer 3 (Network):

Did device get IP address? (check DHCP lease)
IP address conflict? (two devices with same IP)
Correct subnet mask?
Correct gateway configured?

Layer 4 (Transport) / Layer 7 (Application):

Can ping the gateway? (ping 192.168.1.1)
Can ping external IP? (ping 8.8.8.8)
DNS resolution working? (nslookup google.com)
Firewall blocking ports?
Correct protocol port configured?

7.6.3 ESP32 Diagnostic Commands

ESP32 Diagnostic Evidence

When debugging an ESP32, collect these observations in order:

Check	Healthy result	If it fails
Wi-Fi status	Connected	Recheck SSID, password, channel, and MAC filtering
RSSI	Better than about `-70 dBm`	Move closer, change antenna, or reduce obstruction
IP address	Valid LAN address	Check DHCP server or static IP settings
Gateway	Router address in same subnet	Fix DHCP option or static gateway
DNS	Resolver address present	Set a working DNS server
External service	Known host/port reachable	Check firewall, NAT, and upstream internet

7.6.4 Common Issues and Solutions

Problem	Symptoms	Solution
Weak signal	RSSI < -70 dBm, frequent disconnects	Move closer, add antenna, use extender
Wrong credentials	Connection timeout, auth failure	Verify SSID/password case
No IP address	IP shows 0.0.0.0 or 169.254.x.x	Check DHCP server, try static IP
Can’t reach gateway	Ping gateway fails	Check subnet mask, gateway IP
Can’t reach internet	Ping 8.8.8.8 fails	Check ISP, router, NAT
DNS not working	Names fail, IPs work	Check DNS server configuration
Port blocked	Connection refused	Check firewall rules

Try It: Layer-by-Layer Troubleshooting Simulator

Select a failure scenario and step through the OSI layers to diagnose the problem, just as you would with a real IoT device. Each layer check reveals whether the issue is at that layer or if you should continue up the stack.

Show code

viewof scenario = Inputs.select(
  [
    "Scenario 1: Device can't connect to Wi-Fi",
    "Scenario 2: Connected to Wi-Fi but no internet",
    "Scenario 3: Internet works but MQTT broker unreachable",
    "Scenario 4: DNS fails but IP pings succeed",
    "Scenario 5: Weak signal causing intermittent drops"
  ],
  { label: "Choose a failure scenario", value: "Scenario 1: Device can't connect to Wi-Fi" }
)

viewof currentLayer = Inputs.range([0, 4], {
  label: "Step through layers (0 = Start, 1-4 = Layers)",
  step: 1,
  value: 0
})

Show code

{
  const scenarios = {
    "Scenario 1: Device can't connect to Wi-Fi": {
      faultLayer: 2,
      desc: "ESP32 sensor reports WL_CONNECT_FAILED repeatedly.",
      layers: [
        { name: "Start", status: "pending", detail: "Begin troubleshooting from the bottom up." },
        { name: "L1 Physical", status: "pass", detail: "Device powered ON. RSSI = -45 dBm (strong signal detected from nearby AP). Antenna OK.", cmd: "WiFi.RSSI() => -45 dBm" },
        { name: "L2 Data Link", status: "fail", detail: "SSID is 'MyNetwork' but device config has 'mynetwork'. SSIDs are CASE-SENSITIVE! Also check: password may have trailing space.", cmd: 'WiFi.begin("mynetwork", "pass") => WL_CONNECT_FAILED' },
        { name: "L3 Network", status: "skip", detail: "Cannot test -- device never associates with AP.", cmd: "WiFi.localIP() => 0.0.0.0" },
        { name: "L4-7 Application", status: "skip", detail: "Cannot test -- no network connectivity.", cmd: "N/A" }
      ],
      fix: "Correct the SSID to match exactly: 'MyNetwork' (capital M and N). SSIDs are case-sensitive strings."
    },
    "Scenario 2: Connected to Wi-Fi but no internet": {
      faultLayer: 3,
      desc: "ESP32 shows WL_CONNECTED but cannot reach any external server.",
      layers: [
        { name: "Start", status: "pending", detail: "Device reports connected but all outbound connections fail." },
        { name: "L1 Physical", status: "pass", detail: "Device powered ON. RSSI = -52 dBm (good signal). No physical issues.", cmd: "WiFi.RSSI() => -52 dBm" },
        { name: "L2 Data Link", status: "pass", detail: "Wi-Fi associated. MAC authenticated. Got DHCP lease.", cmd: "WiFi.status() => WL_CONNECTED (3)" },
        { name: "L3 Network", status: "fail", detail: "IP address is 169.254.x.x (link-local), meaning DHCP failed to provide a valid gateway. Device has no route to external networks.", cmd: "WiFi.localIP() => 169.254.12.45, Gateway => 0.0.0.0" },
        { name: "L4-7 Application", status: "skip", detail: "Cannot test -- no valid IP route.", cmd: "connect() => timeout" }
      ],
      fix: "DHCP server is not responding. Check router DHCP settings, or assign a static IP: WiFi.config(staticIP, gateway, subnet, dns)."
    },
    "Scenario 3: Internet works but MQTT broker unreachable": {
      faultLayer: 4,
      desc: "ESP32 can ping 8.8.8.8 and resolve DNS, but MQTT connection to broker on port 8883 times out.",
      layers: [
        { name: "Start", status: "pending", detail: "All lower layers seem fine. MQTT specifically fails." },
        { name: "L1 Physical", status: "pass", detail: "Signal strong at -48 dBm. Hardware OK.", cmd: "WiFi.RSSI() => -48 dBm" },
        { name: "L2 Data Link", status: "pass", detail: "Wi-Fi connected, stable association.", cmd: "WiFi.status() => WL_CONNECTED (3)" },
        { name: "L3 Network", status: "pass", detail: "Valid IP 192.168.1.105, can reach 8.8.8.8.", cmd: "ping 8.8.8.8 => OK, WiFi.localIP() => 192.168.1.105" },
        { name: "L4-7 Application", status: "fail", detail: "Port 8883 (MQTT over TLS) is BLOCKED by corporate firewall. ICMP ping passes but TCP to port 8883 is rejected. The firewall allows only ports 80 and 443 outbound.", cmd: "connect(broker, 8883) => TIMEOUT" }
      ],
      fix: "Use MQTT over WebSocket on port 443, or ask network admin to allow port 8883 through the firewall."
    },
    "Scenario 4: DNS fails but IP pings succeed": {
      faultLayer: 4,
      desc: "ESP32 can ping 8.8.8.8 by IP but cannot resolve hostnames like mqtt.example.com.",
      layers: [
        { name: "Start", status: "pending", detail: "IP connectivity works but name resolution fails." },
        { name: "L1 Physical", status: "pass", detail: "Device powered and signal adequate at -60 dBm.", cmd: "WiFi.RSSI() => -60 dBm" },
        { name: "L2 Data Link", status: "pass", detail: "Wi-Fi connected normally.", cmd: "WiFi.status() => WL_CONNECTED (3)" },
        { name: "L3 Network", status: "pass", detail: "Valid IP, gateway reachable, can ping external IPs.", cmd: "WiFi.localIP() => 10.0.1.50, ping 8.8.8.8 => OK" },
        { name: "L4-7 Application", status: "fail", detail: "DNS server configured as 10.0.1.1 (the router), but router DNS forwarding is broken. Queries to port 53 of 10.0.1.1 time out.", cmd: "hostByName('mqtt.example.com') => FAILED" }
      ],
      fix: "Set DNS to a public server: WiFi.config(ip, gateway, subnet, IPAddress(8,8,8,8)); This bypasses the broken local DNS forwarder."
    },
    "Scenario 5: Weak signal causing intermittent drops": {
      faultLayer: 1,
      desc: "ESP32 connects but drops connection every few minutes, causing data loss.",
      layers: [
        { name: "Start", status: "pending", detail: "Intermittent connectivity suggests a physical layer issue." },
        { name: "L1 Physical", status: "fail", detail: "RSSI fluctuates between -75 dBm and -90 dBm. Device is at edge of Wi-Fi range. Metal enclosure attenuates signal further. Connection drops when RSSI falls below -80 dBm.", cmd: "WiFi.RSSI() => -82 dBm (varies)" },
        { name: "L2 Data Link", status: "skip", detail: "Intermittent -- works when signal is strong enough.", cmd: "WiFi.status() => alternates 3 and 6" },
        { name: "L3 Network", status: "skip", detail: "Intermittent -- IP obtained when connected.", cmd: "Fluctuates" },
        { name: "L4-7 Application", status: "skip", detail: "Intermittent -- MQTT reconnects but loses messages.", cmd: "Reconnect loop" }
      ],
      fix: "Move device closer to AP, add external antenna, install a Wi-Fi range extender, or switch to a protocol with better range (LoRa, Zigbee)."
    }
  };

  const s = scenarios[scenario];
  const step = currentLayer;

  const statusIcon = (st) => {
    if (st === "pass") return `<span style="color:#16A085;font-weight:bold;">PASS</span>`;
    if (st === "fail") return `<span style="color:#E74C3C;font-weight:bold;">FAIL -- Issue Found!</span>`;
    if (st === "skip") return `<span style="color:#7F8C8D;">Skipped (blocked by lower layer)</span>`;
    return `<span style="color:#3498DB;">Ready to test...</span>`;
  };

  const statusColor = (st) => {
    if (st === "pass") return "#16A085";
    if (st === "fail") return "#E74C3C";
    if (st === "skip") return "#7F8C8D";
    return "#3498DB";
  };

  let layerRows = "";
  for (let i = 1; i <= 4; i++) {
    const layer = s.layers[i];
    const revealed = i <= step;
    const bg = revealed ? (layer.status === "fail" ? "#fdedec" : layer.status === "pass" ? "#eafaf1" : "#f8f9fa") : "#f8f9fa";
    layerRows += `<div style="padding:10px 14px;margin:6px 0;border-radius:6px;background:${bg};border-left:4px solid ${revealed ? statusColor(layer.status) : '#bdc3c7'};">
      <strong style="color:#2C3E50;">${layer.name}</strong>: ${revealed ? statusIcon(layer.status) : '<span style="color:#bdc3c7;">Move slider to reveal...</span>'}
      ${revealed ? `<div style="margin-top:6px;color:#2C3E50;font-size:0.92em;">${layer.detail}</div>` : ""}
      ${revealed ? `<div style="margin-top:4px;font-family:monospace;font-size:0.82em;color:#7F8C8D;background:#ecf0f1;padding:4px 8px;border-radius:4px;">${layer.cmd}</div>` : ""}
    </div>`;
  }

  const showFix = step >= s.faultLayer;

  return html`<div style="font-family:Arial,sans-serif;background:#f8f9fa;padding:20px;border-radius:8px;border-left:4px solid #E67E22;">
    <h4 style="margin-top:0;color:#2C3E50;">${scenario}</h4>
    <p style="color:#7F8C8D;font-style:italic;">${s.desc}</p>
    ${layerRows}
    ${showFix ? `<div style="margin-top:12px;padding:12px;background:#d5f5e3;border-radius:6px;border-left:4px solid #16A085;">
      <strong style="color:#16A085;">Root Cause & Fix:</strong>
      <div style="margin-top:4px;color:#2C3E50;">${s.fix}</div>
    </div>` : `<div style="margin-top:12px;padding:10px;background:#fef9e7;border-radius:6px;color:#856404;font-size:0.9em;">
      Move the layer slider to step through each layer and find the fault.
    </div>`}
  </div>`;
}

7.7 Security Basics

Time: ~10 min | Foundational | P07.C14.U07

IoT Security Fundamentals

IoT devices are prime targets for attacks due to:

Often deployed in physical locations with no supervision
Many use default credentials
Limited resources for security features
Long deployment lifetimes with infrequent updates

7.7.1 Essential Security Practices

1. Change Default Credentials

Credential Pattern

Weak pattern	Safer pattern
Shared default username such as `admin`	Unique device identity such as `sensor_temp_001`
Shared default password such as `admin`	Random per-device secret stored outside source code
One credential reused across a fleet	Rotate or revoke one device without breaking the fleet
Credentials committed to a repository	Provision through a secure setup process

2. Use TLS Encryption

TLS Connection Pattern

Insecure choice	Production choice	Why it matters
MQTT on port `1883`	MQTTS on port `8883`	Encrypts credentials and sensor payloads
CoAP on port `5683`	CoAPS on port `5684`	Adds DTLS protection for constrained devices
HTTP on port `80`	HTTPS on port `443`	Prevents plain-text API traffic
No certificate validation	Validate broker/server certificate	Prevents impersonation and man-in-the-middle attacks

3. Network Segmentation

Diagram showing network segmentation with IoT devices on a dedicated VLAN, separated from corporate LAN and internet by a firewall, preventing lateral movement of attacks between zones — Figure 7.2: Network segmentation isolates IoT devices from corporate networks

4. Firmware Updates

Implement secure OTA (Over-The-Air) updates
Sign firmware images cryptographically
Validate signatures before applying updates
Have rollback mechanism for failed updates

5. Minimal Attack Surface

Disable unused services and ports
Remove debugging interfaces in production
Use principle of least privilege
Log security events for monitoring

7.7.2 Security Checklist

Changed all default passwords
Using TLS/DTLS for all network communications
IoT devices on separate VLAN
Firmware signed and update mechanism secure
Unnecessary ports and services disabled
Logging and monitoring enabled
Regular security audits scheduled

Try It: IoT Security Score Calculator

Rate your IoT deployment against the seven security checklist items to get an instant security score and prioritized recommendations.

Show code

viewof sec_passwords = Inputs.checkbox(["Changed all default credentials (no 'admin/admin')"], { value: [] })
viewof sec_tls = Inputs.checkbox(["Using TLS/DTLS for all communications (ports 8883, 5684, 443)"], { value: [] })
viewof sec_vlan = Inputs.checkbox(["IoT devices isolated on a dedicated VLAN"], { value: [] })
viewof sec_firmware = Inputs.checkbox(["Firmware updates are cryptographically signed"], { value: [] })
viewof sec_ports = Inputs.checkbox(["Unused ports and services disabled"], { value: [] })
viewof sec_logging = Inputs.checkbox(["Security event logging and monitoring enabled"], { value: [] })
viewof sec_audits = Inputs.checkbox(["Regular security audits scheduled"], { value: [] })

Show code

{
  const checks = [
    { label: "Changed all default credentials", done: sec_passwords.length > 0, priority: "Critical", detail: "Default credentials are the #1 attack vector. Change immediately on every device." },
    { label: "TLS/DTLS encryption in use", done: sec_tls.length > 0, priority: "Critical", detail: "Unencrypted MQTT (port 1883) sends credentials and data in plain text. Switch to port 8883." },
    { label: "IoT devices on dedicated VLAN", done: sec_vlan.length > 0, priority: "High", detail: "Network segmentation prevents a compromised IoT device from attacking corporate systems." },
    { label: "Firmware updates signed", done: sec_firmware.length > 0, priority: "High", detail: "Unsigned OTA updates can be hijacked to install malware. Always verify cryptographic signatures." },
    { label: "Unused ports disabled", done: sec_ports.length > 0, priority: "Medium", detail: "Every open port is an attack surface. Disable Telnet (23), HTTP (80), and unused services." },
    { label: "Logging and monitoring enabled", done: sec_logging.length > 0, priority: "Medium", detail: "Without logs, breaches go undetected. Log authentication failures, connection attempts, anomalies." },
    { label: "Regular security audits", done: sec_audits.length > 0, priority: "Low", detail: "New vulnerabilities are discovered continuously. Schedule quarterly reviews and CVE monitoring." }
  ];

  const done = checks.filter(c => c.done).length;
  const total = checks.length;
  const score = Math.round((done / total) * 100);

  const scoreColor = score >= 85 ? "#16A085" : score >= 57 ? "#E67E22" : "#E74C3C";
  const scoreLabel = score >= 85 ? "Secure" : score >= 57 ? "Needs Improvement" : "At Risk";

  const barW = 400;
  const fillW = Math.round(barW * score / 100);

  const priorityColor = { "Critical": "#E74C3C", "High": "#E67E22", "Medium": "#3498DB", "Low": "#7F8C8D" };

  const remaining = checks.filter(c => !c.done);
  let recs = "";
  for (const c of remaining) {
    recs += `<div style="margin:6px 0;padding:8px 12px;border-left:4px solid ${priorityColor[c.priority]};background:#fff;border-radius:0 4px 4px 0;">
      <div style="font-weight:bold;color:#2C3E50;">${c.label} <span style="font-size:0.8em;color:${priorityColor[c.priority]};font-weight:normal;">[${c.priority}]</span></div>
      <div style="font-size:0.88em;color:#7F8C8D;margin-top:2px;">${c.detail}</div>
    </div>`;
  }

  return html`<div style="font-family:Arial,sans-serif;background:#f8f9fa;padding:20px;border-radius:8px;border-left:4px solid ${scoreColor};">
    <div style="display:flex;align-items:center;gap:24px;margin-bottom:16px;">
      <div style="text-align:center;">
        <div style="font-size:2.5em;font-weight:bold;color:${scoreColor};line-height:1;">${score}%</div>
        <div style="font-size:0.85em;color:${scoreColor};font-weight:bold;">${scoreLabel}</div>
      </div>
      <div style="flex:1;">
        <div style="font-size:0.85em;color:#7F8C8D;margin-bottom:4px;">${done} of ${total} controls implemented:</div>
        <svg width="${barW}" height="24">
          <rect x="0" y="2" width="${barW}" height="20" rx="4" fill="#ecf0f1" stroke="#bdc3c7"/>
          <rect x="0" y="2" width="${fillW}" height="20" rx="4" fill="${scoreColor}"/>
        </svg>
      </div>
    </div>
    ${remaining.length > 0 ? `<h4 style="color:#2C3E50;margin:0 0 8px 0;">Recommended Actions (prioritized):</h4>${recs}` : `<div style="padding:12px;background:#d5f5e3;border-radius:6px;color:#16A085;font-weight:bold;">All security controls implemented -- excellent posture!</div>`}
  </div>`;
}

7.8 Bandwidth and Latency Considerations

Time: ~8 min | Foundational | P07.C14.U08

7.8.1 IoT vs Traditional IT: Key Differences

Aspect	Traditional IT	IoT
Data Size	MB to GB	Bytes to KB
Traffic Pattern	Continuous	Bursty, periodic
Latency Tolerance	Seconds OK	ms to seconds
Bandwidth Priority	High throughput	Low power
Reliability	High availability	Graceful degradation

7.8.2 Typical IoT Data Sizes

Data Type	Size	Frequency	Daily Data
Temperature reading	4 bytes	Every 5 min	1.2 KB
GPS coordinates	16 bytes	Every 30 sec	46 KB
Accelerometer sample	12 bytes	100 Hz	4.3 MB
Image capture	50 KB	Every hour	1.2 MB
Audio clip (10s)	160 KB	On event	Variable

Putting Numbers to It

Calculate the data budget for a wearable health monitor transmitting heart rate (2 bytes), step count (2 bytes), and GPS position (16 bytes) every 15 seconds over a cellular LTE-M connection:

Total payload per sample:

$\text{Payload} = 2 + 2 + 16 = 20 \text{ bytes}$

Add CoAP/UDP/IP headers (4 + 8 + 20 = 32 bytes overhead):

$\text{Total packet} = 20 + 32 = 52 \text{ bytes}$

Daily transmission count:

$\text{Transmissions per day} = \frac{86400 \text{ s}}{15 \text{ s}} = 5,760$

Daily data volume:

$\text{Daily data} = 5,760 \times 52 = 299,520 \text{ bytes} \approx 293 \text{ KB/day}$

Monthly data (30 days):

$\text{Monthly data} = 293 \times 30 = 8,790 \text{ KB} \approx 8.6 \text{ MB/month}$

For a 10 MB/month cellular plan at $5/month, this device consumes 86% of the data cap just for sensor telemetry, leaving 1.4 MB for firmware updates or emergency alerts. Reducing reporting frequency to 30 seconds would halve the data usage to 4.3 MB/month (43% utilization).

7.8.3 Protocol Overhead Comparison

Protocol	Header Size	Typical Payload	Overhead Ratio
HTTP	~300 bytes	10 bytes	30:1
MQTT	2-5 bytes	10 bytes	0.5:1
CoAP	4 bytes	10 bytes	0.4:1
UDP raw	8 bytes	10 bytes	0.8:1

Putting Numbers to It

For a 10-byte temperature reading sent via HTTP vs CoAP, calculate the total bandwidth consumed and transmission time over a 9600 bps serial link:

HTTP over TCP/IP:

$\text{HTTP packet} = 10 \text{ (data)} + 300 \text{ (HTTP headers)} + 20 \text{ (TCP)} + 20 \text{ (IP)} = 350 \text{ bytes}$

Transmission time:

$\text{Time}_\text{HTTP} = \frac{350 \text{ bytes} \times 8 \text{ bits/byte}}{9600 \text{ bps}} = 0.292 \text{ seconds}$

CoAP over UDP/IP:

$\text{CoAP packet} = 10 \text{ (data)} + 4 \text{ (CoAP)} + 8 \text{ (UDP)} + 20 \text{ (IP)} = 42 \text{ bytes}$

Transmission time:

$\text{Time}_\text{CoAP} = \frac{42 \times 8}{9600} = 0.035 \text{ seconds}$

Efficiency comparison:

$\text{Speedup} = \frac{0.292}{0.035} = 8.3\times \text{ faster}$

For battery-powered sensors transmitting every 60 seconds, HTTP keeps the radio active for ~0.3s per transmission (0.5% duty cycle), while CoAP uses only 0.035s (0.06% duty cycle) – an 8× reduction in radio-on time and proportional battery savings.

Optimization Strategies

Reduce Overhead:

Use MQTT or CoAP instead of HTTP for small payloads
Use binary formats (CBOR, MessagePack) instead of JSON
Aggregate multiple readings into single transmission

Manage Bandwidth:

Adjust reporting frequency based on data change rate
Use compression for larger payloads
Implement local filtering/aggregation

Optimize Latency:

Use UDP for non-critical real-time data
Keep persistent connections when possible
Colocate edge processing near devices

Try It: IoT Data Budget Calculator

Configure your IoT device parameters to calculate daily and monthly data usage, compare protocol overhead, and see whether your deployment fits within a cellular data plan.

Show code

viewof payloadSize = Inputs.range([1, 1024], {
  label: "Sensor payload size (bytes)",
  step: 1,
  value: 20
})

viewof sendInterval = Inputs.range([1, 3600], {
  label: "Reporting interval (seconds)",
  step: 1,
  value: 15
})

viewof protocol = Inputs.select(
  ["CoAP/UDP", "MQTT/TCP", "HTTP/TCP"],
  { label: "Protocol", value: "CoAP/UDP" }
)

viewof dataPlanMB = Inputs.range([1, 500], {
  label: "Monthly data plan (MB)",
  step: 1,
  value: 10
})

viewof deviceCount = Inputs.range([1, 100], {
  label: "Number of devices",
  step: 1,
  value: 1
})

Show code

{
  const overheads = {
    "CoAP/UDP": { proto: 4, transport: 8, ip: 20, name: "CoAP + UDP + IP" },
    "MQTT/TCP": { proto: 4, transport: 20, ip: 20, name: "MQTT + TCP + IP" },
    "HTTP/TCP": { proto: 300, transport: 20, ip: 20, name: "HTTP + TCP + IP" }
  };

  const oh = overheads[protocol];
  const headerTotal = oh.proto + oh.transport + oh.ip;
  const packetSize = payloadSize + headerTotal;
  const overheadRatio = (headerTotal / payloadSize).toFixed(1);

  const txPerDay = Math.floor(86400 / sendInterval);
  const dailyBytes = txPerDay * packetSize;
  const dailyKB = (dailyBytes / 1024).toFixed(1);
  const monthlyBytes = dailyBytes * 30;
  const monthlyKB = (monthlyBytes / 1024).toFixed(1);
  const monthlyMB = (monthlyBytes / (1024 * 1024)).toFixed(2);

  const totalMonthlyMB = (monthlyMB * deviceCount).toFixed(2);
  const planBytes = dataPlanMB * 1024 * 1024;
  const usagePercent = ((totalMonthlyMB / dataPlanMB) * 100).toFixed(1);
  const overBudget = totalMonthlyMB > dataPlanMB;

  const barW = 400;
  const fillRatio = Math.min(totalMonthlyMB / dataPlanMB, 1);
  const barColor = overBudget ? "#E74C3C" : (usagePercent > 75 ? "#E67E22" : "#16A085");

  // Protocol comparison
  const allProtos = ["CoAP/UDP", "MQTT/TCP", "HTTP/TCP"];
  let compRows = "";
  for (const p of allProtos) {
    const o = overheads[p];
    const h = o.proto + o.transport + o.ip;
    const pkt = payloadSize + h;
    const mb = ((txPerDay * pkt * 30 * deviceCount) / (1024 * 1024)).toFixed(2);
    const isCurrent = p === protocol;
    compRows += `<tr style="background:${isCurrent ? '#eafaf1' : '#fff'};">
      <td style="padding:6px 10px;font-weight:${isCurrent ? 'bold' : 'normal'};color:#2C3E50;">${p}${isCurrent ? ' (selected)' : ''}</td>
      <td style="padding:6px 10px;font-family:monospace;text-align:right;">${h} B</td>
      <td style="padding:6px 10px;font-family:monospace;text-align:right;">${pkt} B</td>
      <td style="padding:6px 10px;font-family:monospace;text-align:right;">${mb} MB</td>
    </tr>`;
  }

  return html`<div style="font-family:Arial,sans-serif;background:#f8f9fa;padding:20px;border-radius:8px;border-left:4px solid #9B59B6;">
    <h4 style="margin-top:0;color:#2C3E50;">Data Budget Results</h4>

    <div style="display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-bottom:16px;">
      <div style="background:#fff;padding:12px;border-radius:6px;text-align:center;">
        <div style="font-size:0.8em;color:#7F8C8D;">Packet Size</div>
        <div style="font-size:1.5em;font-weight:bold;color:#2C3E50;">${packetSize} B</div>
        <div style="font-size:0.75em;color:#7F8C8D;">${payloadSize}B payload + ${headerTotal}B headers</div>
      </div>
      <div style="background:#fff;padding:12px;border-radius:6px;text-align:center;">
        <div style="font-size:0.8em;color:#7F8C8D;">Overhead Ratio</div>
        <div style="font-size:1.5em;font-weight:bold;color:${overheadRatio > 5 ? '#E74C3C' : '#16A085'};">${overheadRatio}:1</div>
        <div style="font-size:0.75em;color:#7F8C8D;">${oh.name}</div>
      </div>
      <div style="background:#fff;padding:12px;border-radius:6px;text-align:center;">
        <div style="font-size:0.8em;color:#7F8C8D;">Daily (per device)</div>
        <div style="font-size:1.5em;font-weight:bold;color:#3498DB;">${dailyKB} KB</div>
        <div style="font-size:0.75em;color:#7F8C8D;">${txPerDay.toLocaleString()} transmissions</div>
      </div>
      <div style="background:#fff;padding:12px;border-radius:6px;text-align:center;">
        <div style="font-size:0.8em;color:#7F8C8D;">Monthly (${deviceCount} device${deviceCount > 1 ? 's' : ''})</div>
        <div style="font-size:1.5em;font-weight:bold;color:${overBudget ? '#E74C3C' : '#16A085'};">${totalMonthlyMB} MB</div>
        <div style="font-size:0.75em;color:#7F8C8D;">${usagePercent}% of ${dataPlanMB} MB plan</div>
      </div>
    </div>

    <div style="margin:16px 0;">
      <div style="font-size:0.85em;color:#7F8C8D;margin-bottom:4px;">Data plan usage (${totalMonthlyMB} MB / ${dataPlanMB} MB):</div>
      <svg width="${barW + 80}" height="30">
        <rect x="0" y="5" width="${barW}" height="20" rx="4" fill="#ecf0f1" stroke="#bdc3c7"/>
        <rect x="0" y="5" width="${barW * fillRatio}" height="20" rx="4" fill="${barColor}"/>
        <text x="${barW + 5}" y="20" font-size="12" fill="${barColor}" font-family="Arial" font-weight="bold">${usagePercent}%</text>
      </svg>
      ${overBudget ? `<div style="color:#E74C3C;font-size:0.85em;margin-top:4px;font-weight:bold;">Over budget! Consider reducing frequency to ${Math.ceil(sendInterval * (totalMonthlyMB / dataPlanMB))}s or switching to a lighter protocol.</div>` : ""}
    </div>

    <h4 style="color:#2C3E50;margin-top:20px;">Protocol Comparison (same payload & frequency)</h4>
    <table style="border-collapse:collapse;width:100%;font-size:0.9em;">
      <tr style="background:#2C3E50;color:white;">
        <th style="padding:6px 10px;text-align:left;">Protocol</th>
        <th style="padding:6px 10px;text-align:right;">Header</th>
        <th style="padding:6px 10px;text-align:right;">Packet</th>
        <th style="padding:6px 10px;text-align:right;">Monthly</th>
      </tr>
      ${compRows}
    </table>
  </div>`;
}

7.9 Best Practices Summary

Time: ~5 min | Intermediate | P07.C14.U09

7.9.1 Network Design

Choose the right protocol for your constraints (power, range, bandwidth)
Design for failure - networks are unreliable, buffer data locally
Plan IP addressing - use static IPs for critical devices, document allocations
Segment networks - isolate IoT from corporate networks

7.9.2 Implementation

Test in realistic conditions - not just on your desk
Monitor signal strength - RSSI should be > -70 dBm for reliability
Implement reconnection logic - networks will drop, handle gracefully
Log network events - aids troubleshooting and security monitoring

7.9.3 Security

Encrypt everything - TLS/DTLS is mandatory in production
Authenticate everything - no anonymous connections
Update regularly - vulnerabilities are discovered continuously
Assume breach - design for detection and containment

7.10 Review: Match Protocols to Ports

7.11 Review: Order Troubleshooting Steps

7.12 Knowledge Check

Quiz: Networking Hands-On Config

Worked Example: Troubleshooting IoT Device Connection Failure

Scenario: An ESP32 temperature sensor successfully connects to Wi-Fi but cannot send MQTT messages to broker at mqtt.example.com:8883.

Given:

Device: ESP32 with correct SSID/password
Wi-Fi: Connected, RSSI = -52 dBm (excellent)
IP address: 10.0.1.45 (obtained via DHCP)
Gateway: 10.0.1.1
MQTT broker: mqtt.example.com port 8883 (TLS)

Systematic Troubleshooting (Layer-by-Layer):

Layer 1 (Physical): ✓ PASS - Signal strength excellent (-52 dBm) - Device powered and antenna functional

Layer 2 (Data Link): ✓ PASS - Wi-Fi connected - Obtained IP via DHCP

Layer 3 (Network): Test connectivity

Test	Result	Meaning
Reach gateway `10.0.1.1`	Pass	Local subnet and default gateway are reachable
Reach external IP `8.8.8.8`	Pass	Routing and NAT are working

✓ PASS - Network layer working

Layer 4-7 (Transport/Application): Test service

Test	Result	Meaning
Resolve `mqtt.example.com`	Pass, returns broker IP	DNS is working
Connect to broker port `8883`	Fail	Firewall or broker policy blocks secure MQTT

Root Cause Identified: Firewall blocks port 8883

Solution Options:

Open firewall port 8883 (requires network admin)
Use MQTT-over-WebSocket on port 443 (works immediately):

Workaround	When to use it	Trade-off
Open port `8883`	You control the network firewall	Cleanest standard MQTTS path
MQTT over WebSocket on `443`	Corporate firewall only allows HTTPS-like outbound traffic	Requires broker and client WebSocket support
HTTP REST fallback	MQTT cannot be permitted	Simpler firewall path, but usually more overhead

Use HTTP REST API (fallback if MQTT unavailable)

Key Insight: Layer-by-layer testing isolated the exact failure point (port 8883 blocked), avoiding guesswork. WebSocket tunneling over port 443 bypasses most firewalls.

Common Pitfalls

1. Interpreting Ping Round-Trip Time as One-Way Latency

Ping RTT measures round-trip time (sender to receiver and back). One-way latency is approximately RTT/2 for symmetric paths. Fix: never quote RTT as “the latency” in system design documents; always specify one-way or round-trip explicitly.

2. Not Filtering Wireshark Captures on Busy Networks

Capturing on a busy network produces millions of packets per minute, making analysis impossible. Fix: always apply a capture filter (e.g., host 192.168.1.100 and port 1883) before starting a capture.

3. Running Iperf Without Matching Protocol Settings on Both Sides

Running Iperf in TCP mode on the client and UDP mode on the server gives nonsensical results. Fix: explicitly specify the same protocol (-u for UDP) on both client and server, and verify the server is in listening mode before starting the client.

7.13 What’s Next

Now that you can configure, troubleshoot, and secure IoT networks, continue with the chapters below:

Topic	Chapter	Description
Labs and Practice	Networking Basics: Labs	Interactive labs, Python implementations, and comprehensive knowledge checks with detailed answers
Network Topologies	Topologies Introduction	Star, mesh, tree, and hybrid topologies — trade-offs for IoT scale and reliability
Transport Protocols	Transport Fundamentals	TCP vs UDP, reliability guarantees, and which to choose for sensor data
Application Protocols	MQTT Deep Dive	Publish-subscribe messaging, QoS levels, and broker configuration for IoT
Security Fundamentals	Threat Modeling Fundamentals	Common attack vectors on IoT networks and systematic threat modelling
Edge Computing	Edge and Fog Computing	Moving computation closer to devices to reduce bandwidth and latency

7 Networking Hands-On Config

7.1 In 60 Seconds

7.2 Learning Objectives

7.3 Prerequisites

7.4 Hands-On: Network Configuration

7.4.1 ESP32 Network Configuration Example

7.4.2 Python Network Scanner

7.5 Port Numbers

7.5.1 Common IoT Protocol Ports

7.5.2 Port Number Ranges

7.6 Network Troubleshooting

7.6.1 Layer-by-Layer Troubleshooting Approach

7.6.2 Troubleshooting Checklist by Layer

7.6.3 ESP32 Diagnostic Commands

7.6.4 Common Issues and Solutions

7.7 Security Basics

7.7.1 Essential Security Practices

7.7.2 Security Checklist

7.8 Bandwidth and Latency Considerations

7.8.1 IoT vs Traditional IT: Key Differences

7.8.2 Typical IoT Data Sizes

7.8.3 Protocol Overhead Comparison

7.9 Best Practices Summary

7.9.1 Network Design

7.9.2 Implementation

7.9.3 Security

7.10 Review: Match Protocols to Ports

7.11 Review: Order Troubleshooting Steps

7.12 Knowledge Check

Common Pitfalls

7.13 What’s Next

7.14 Label the Diagram

7.15 Code Challenge