TCP is connection-oriented and reliable: a 3-way handshake (SYN → SYN-ACK → ACK) sets up the connection, then sequence numbers, acknowledgements, retransmission, and flow control guarantee ordered, complete delivery. UDP is connectionless: no handshake, no acknowledgements, no ordering — just a datagram, fired and forgotten. TCP for "every byte must arrive" (web, email, file transfer); UDP for "speed beats perfection" (DNS, DHCP, VoIP, video, gaming). A port (0-65535) says which application a segment belongs to; an IP + port is a socket.
Layer 4 — the transport layer — sits between the application that wants to send data and the network that carries it. It has exactly two jobs on the CCNA: identify the application with a port number, and decide how much the network promises about delivery. Two protocols answer that second question in opposite ways: TCP promises everything; UDP promises nothing. The whole topic is understanding that trade-off and knowing which services made which choice.
The fastest way to make this stick is to see it. The Packet Flow Visualizer steps a TCP or UDP message across a real topology so you can watch the handshake happen (or not). Open it in another tab and keep it next to this article.
★ TCP — RELIABLE, CONNECTION-ORIENTED
TCP (Transmission Control Protocol) treats a conversation like a phone call: you establish a connection, talk with confirmation that you're being heard, then hang up. It guarantees that every byte arrives, exactly once, in order. It does this with four mechanisms you must be able to name:
- Connection setup — the 3-way handshake negotiates starting sequence numbers and window sizes before any data flows.
- Sequencing — every byte is numbered, so the receiver can reassemble segments in the right order even if they arrive scrambled.
- Acknowledgement & retransmission — the receiver ACKs what it got; anything not ACK'd within the timer is resent. Nothing is silently lost.
- Flow control — the receiver advertises a window (how much it can buffer) so a fast sender can't overrun a slow receiver.
The cost of all that is overhead: a 20-byte header (minimum), a round trip just to set up, and state kept on both ends. Worth it for a file you can't afford to corrupt; wasteful for a voice packet that's useless by the time it could be retransmitted.
1. SYN — client → server: "I want to talk, my sequence number starts at X."
2. SYN-ACK — server → client: "I acknowledge X+1, and my sequence starts at Y."
3. ACK — client → server: "I acknowledge Y+1." Connection established.
Teardown is a four-way FIN/ACK exchange (each side closes its half independently). The handshake is why a TCP connection costs a full round trip before the first byte of data — exactly the latency UDP avoids.
You can watch all three segments cross the network, hop by hop, in the visualizer — pick TCP → HTTP and step through SYN (1/3), SYN-ACK (2/3), ACK (3/3) before the GET request even appears.
★ UDP — FAST, CONNECTIONLESS
UDP (User Datagram Protocol) treats a message like a postcard: write it, drop it in the mailbox, move on. There's no setup, no acknowledgement, no ordering, and no retransmission. The header is a tiny 8 bytes — source port, destination port, length, checksum — and that's the entire feature set.
That sounds worse until you remember what reliability costs. For a VoIP call, a retransmitted audio packet arrives too late to play — better to drop it and keep going. For a DNS lookup, the whole exchange is two small packets; a handshake would triple the traffic for no benefit. For these, UDP's "send and forget" is exactly right, and any reliability the app truly needs (like TFTP's per-block ACKs) it builds itself on top.
Ask: "If a packet is lost, is it better to resend it late, or skip it and move on?" Resend late → TCP. Skip and move on → UDP. That single question predicts the right protocol for almost every service.
★ TCP vs UDP — SIDE BY SIDE
| PROPERTY | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (handshake) | Connectionless (no setup) |
| Reliability | Acknowledged + retransmitted | Best-effort (none) |
| Ordering | Sequenced, reassembled in order | No ordering guarantee |
| Flow control | Sliding window | None |
| Header size | 20 bytes minimum | 8 bytes |
| Data unit | Segment | Datagram |
| Use when | Every byte must arrive | Speed beats perfection |
★ PORTS & SOCKETS — HOW THE RIGHT APP GETS THE DATA
One host runs dozens of conversations at once — a browser, an email client, an SSH session. IP gets the packet to the host; the port number gets it to the right application on that host. A port is a 16-bit number (0-65535). Servers listen on a fixed well-known port; clients pick a random high-numbered ephemeral port (typically 49152-65535) as their source.
An IP address plus a port is a socket (e.g. 192.168.2.20:80). A connection is uniquely identified by the 4-tuple — source IP, source port, destination IP, destination port — plus the protocol. That's how a server tells your two browser tabs apart even though both target port 80: the source ports differ. You can see exactly this in the visualizer's transport layer row (e.g. TCP src:49152 dst:80).
★ THE WELL-KNOWN PORTS YOU MUST KNOW
Memorise this table — it is free marks on the exam and daily knowledge on the job. The protocol column is the part people forget.
| SERVICE | PORT | PROTOCOL | WHY THAT PROTOCOL |
|---|---|---|---|
| FTP data / control | 20 / 21 | TCP | File integrity matters |
| SSH | 22 | TCP | Encrypted remote CLI |
| Telnet | 23 | TCP | Plaintext remote CLI (avoid) |
| SMTP | 25 | TCP | Mail must not be lost |
| DNS | 53 | UDP (TCP for big) | Tiny query — handshake wasteful |
| DHCP | 67 / 68 | UDP | Broadcast, no IP yet to handshake |
| TFTP | 69 | UDP | Simple; app-layer ACKs |
| HTTP | 80 | TCP | Pages must arrive complete |
| NTP | 123 | UDP | One-shot time sync |
| SNMP | 161 / 162 | UDP | Lightweight polling / traps |
| HTTPS | 443 | TCP | Encrypted web (TLS over TCP) |
| Syslog | 514 | UDP | High-volume, lossy-tolerant logs |
Service → port and port → service, both directions. The Cisco IOS command lookup includes the matching ACL/NAT syntax (e.g. permit tcp any any eq 443), and today's Daily Drill rotates port questions into the mix.
★ HOW IT LOOKS ON THE WIRE
The transport header doesn't ride alone — it's encapsulated inside IP, which is encapsulated inside Ethernet. The application data is wrapped top-to-bottom: data → TCP/UDP → IP → Ethernet, then sent. Each router along the path strips the Ethernet frame, reads the IP header, decrements the TTL, and re-wraps the packet in a fresh frame for the next link — but the TCP/UDP segment never changes in transit. Only the endpoints touch Layer 4.
If "encapsulation" is still abstract, this is the single best thing to go look at: the Packet Flow Visualizer shows the encapsulation stack live, with the transport layer highlighted as it's added at the source and read at the destination. Pair it with the hands-on Packet Flow & Encapsulation lab to trace TCP and UDP yourself.
The TCP header carries an MSS (Maximum Segment Size) option in the SYN, negotiating how big each segment can be. Get it wrong across a tunnel and connections hang on large transfers — the classic VPN black-hole. Full breakdown in MTU, MSS & the VPN Black Hole.
★ CCNA EXAM GOTCHAS
UDP being connectionless doesn't mean apps using it are flaky. TFTP, QUIC, and many others build their own reliability on top of UDP. The protocol is best-effort; the application can add guarantees if it wants them.
Default answer for DNS is UDP 53, but it uses TCP 53 for responses too large for one datagram and for zone transfers. Exam questions love this nuance.
Setup = 3-way (SYN, SYN-ACK, ACK). Graceful close = 4-way (FIN, ACK, FIN, ACK) because each direction closes independently. Don't conflate them.
ICMP (ping, traceroute) lives at Layer 3 alongside IP — it uses no ports and no transport protocol. A favourite trick question. See it isolated in the visualizer's ICMP scenario.
★ VERIFY IT YOURSELF
On any host, watch real sockets and which protocol they use:
Then go step a connection through the visualizer and the abstract becomes concrete: you'll see the SYN leave, get routed, and the SYN-ACK come back before any data moves.
★ THE TAKEAWAY
TCP and UDP are two answers to one question: how much should the network promise about delivery? TCP promises everything and pays for it with a handshake, headers, and state. UDP promises nothing and wins on speed and simplicity. Know the four TCP reliability mechanisms, the 3-way handshake, the well-known ports with their protocol, and the one-line test — "resend late, or skip and move on?" — and the transport layer is a guaranteed-marks topic.
Then prove you've got it: trace a packet end to end and watch the handshake happen._
Wendell Odom's transport-layer and fundamentals chapters are the canonical written reference for everything here. Amazon affiliate.