NetworkingCCNA

CCNA TCP vs UDP: Ports, Reliability, Handshake & Protocol Use Cases

TCP and UDP are the two transport layer protocols that virtually all application traffic uses. The CCNA 200-301 exam tests the differences between them — reliability, ordering, flow control, connection establishment — and which well-known applications use each protocol. You also need to know port numbers for common services. This guide covers both protocols in depth, including the TCP 3-way handshake, windowing, and exactly when each protocol is the right choice.

9 min

5 sections · 6 exam key points

5 practice questions

TCP: reliable, connection-oriented transport

TCP (Transmission Control Protocol) is defined in RFC 793 and operates at Layer 4 of the OSI model. TCP provides reliable, ordered, and error-checked delivery of a byte stream between applications. 'Reliable' means the receiver acknowledges every segment; the sender retransmits anything not acknowledged within a timeout window.

TCP is connection-oriented — a logical connection must be established before data transfer begins, using the 3-way handshake, and explicitly torn down afterward with a 4-way FIN exchange. The connection tracks state on both sides: sequence numbers, acknowledgment numbers, window sizes, and connection state (LISTEN, SYN_SENT, ESTABLISHED, TIME_WAIT, etc.).

TCP features: sequencing (segments are numbered so the receiver can reorder out-of-order delivery), acknowledgment (receiver sends ACKs for received data), retransmission (sender retransmits unacknowledged segments), flow control (sliding window prevents the sender from overwhelming the receiver), and congestion control (TCP backs off when it detects network congestion).

The TCP 3-way handshake

Before any TCP application data is exchanged, both sides establish a connection using the 3-way handshake: SYN → SYN-ACK → ACK.

Step 1 (SYN): the client sends a TCP segment with the SYN flag set and a randomly chosen Initial Sequence Number (ISN). This tells the server: 'I want to start a connection; my sequence numbers start at X.'

Step 2 (SYN-ACK): the server responds with SYN and ACK flags set. It acknowledges the client's ISN (ACK = client ISN + 1) and includes its own ISN. This tells the client: 'I accept the connection; your sequence was received; my sequence numbers start at Y.'

Step 3 (ACK): the client acknowledges the server's ISN (ACK = server ISN + 1). The connection is now ESTABLISHED and data transfer can begin.

Connection teardown uses a 4-way exchange: FIN from one side, ACK, FIN from the other, ACK. The TIME_WAIT state (typically 2 × Maximum Segment Lifetime = 4 minutes) ensures delayed packets from the old connection don't confuse a new one on the same port pair.

UDP: fast, connectionless transport

UDP (User Datagram Protocol, RFC 768) is the minimal transport protocol. It has no connection establishment, no sequencing, no acknowledgment, and no retransmission. A UDP datagram is sent and the sender has no built-in way to know if it arrived.

What UDP does provide: a checksum for basic error detection, source and destination port numbers for multiplexing (identifying which application on each host), and a length field. That's it — the header is only 8 bytes vs TCP's minimum 20 bytes.

UDP is not 'unreliable' in a pejorative sense — it's 'best-effort.' For applications where speed matters more than guaranteed delivery — DNS queries, video streaming, VoIP, online gaming — UDP's lack of overhead is a feature, not a bug. DNS uses UDP because query/response pairs are tiny and a retry is cheap. VoIP uses UDP because a retransmitted voice packet would arrive too late to be useful — silence is better than a stutter.

Applications that need reliability over UDP implement their own mechanisms. QUIC (used by HTTP/3) is a notable example — it provides reliable delivery and TLS encryption but uses UDP to avoid TCP's head-of-line blocking.

TCP windowing and flow control

TCP flow control prevents a fast sender from overwhelming a slow receiver. The receiver advertises a receive window size in every ACK — the maximum number of bytes it can buffer before the sender must stop and wait. As the receiver processes data and frees buffer space, it advertises a larger window. This is the sliding window mechanism.

TCP windowing also affects throughput on high-latency links. The bandwidth-delay product (BDP) = bandwidth × round-trip time. A 1 Gbps link with 100 ms RTT has a BDP of 12.5 MB — the sender needs a window size of at least 12.5 MB to keep the link fully utilized. Old TCP window sizes were limited to 65,535 bytes; the Window Scale option (RFC 7323) extends this to several GB.

TCP congestion control (slow start, congestion avoidance, fast retransmit, fast recovery) dynamically adjusts the send rate based on network conditions. When packets are dropped (detected by timeout or duplicate ACKs), TCP reduces its send rate — this is the mechanism that prevents TCP flows from overwhelming network links.

Well-known port numbers

Ports 0–1023 are well-known ports assigned by IANA. Ports 1024–49151 are registered ports. Ports 49152–65535 are ephemeral (dynamic) ports used as source ports by clients.

Critical TCP ports for CCNA: FTP data = 20, FTP control = 21, SSH = 22, Telnet = 23, SMTP = 25, HTTP = 80, HTTPS = 443, RDP = 3389.

Critical UDP ports: DNS = 53, DHCP server = 67, DHCP client = 68, TFTP = 69, SNMP = 161, SNMP trap = 162, Syslog = 514, NTP = 123.

Some services use both TCP and UDP: DNS uses UDP 53 for normal queries (responses under 512 bytes) and TCP 53 for zone transfers and large responses. NTP uses UDP 123. RADIUS uses UDP 1812/1813. TACACS+ uses TCP 49.

TCP vs UDP comparison

Feature	TCP	UDP
Connection	Connection-oriented (3-way handshake)	Connectionless (no handshake)
Reliability	Guaranteed delivery with retransmission	Best-effort, no retransmission
Ordering	Segments sequenced and reordered	No sequencing
Flow control	Sliding window	None
Congestion control	Slow start, AIMD	None (app must implement)
Header size	20–60 bytes (minimum 20)	8 bytes
Speed	Slower (overhead of reliability)	Faster (minimal overhead)
Use cases	HTTP, HTTPS, SSH, FTP, SMTP	DNS, DHCP, TFTP, VoIP, video streaming, NTP

Key exam facts — CCNA

TCP: reliable, ordered, connection-oriented, flow control, retransmission
UDP: best-effort, connectionless, no ordering, no retransmission — 8-byte header
3-way handshake: SYN → SYN-ACK → ACK
TCP ports: FTP 20/21, SSH 22, Telnet 23, HTTP 80, HTTPS 443
UDP ports: DNS 53, DHCP 67/68, TFTP 69, NTP 123, SNMP 161/162, Syslog 514
DNS uses UDP 53 for queries; TCP 53 for zone transfers and large responses

Common exam traps

UDP is unreliable and should be avoided

UDP is intentionally best-effort for use cases where speed matters more than guaranteed delivery. VoIP, DNS, and streaming correctly choose UDP — a retransmitted VoIP packet arrives too late to be useful.

The TCP 3-way handshake is SYN → ACK → SYN-ACK

The correct order is SYN (client) → SYN-ACK (server) → ACK (client). The server's SYN and ACK are combined into a single segment in step 2.

Port 53 is always UDP

DNS uses UDP 53 for standard queries but switches to TCP 53 for responses exceeding 512 bytes and for zone transfers between DNS servers.

Practice questions — TCP vs UDP

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1.Which transport layer protocol provides reliable, ordered delivery using acknowledgments and retransmission?

A.UDP

B.IP

C.TCP

D.ICMP

Explanation: TCP provides reliable, ordered, connection-oriented delivery using acknowledgment numbers and retransmission of unacknowledged segments. UDP provides best-effort connectionless delivery with no retransmission.

Q2.A VoIP application needs to minimize latency and can tolerate occasional lost packets. Which transport protocol is most appropriate?

A.TCP, because it guarantees delivery

B.UDP, because its low overhead minimizes delay

C.Both TCP and UDP equally

D.ICMP, because it is faster than both

Explanation: VoIP uses UDP because low latency is critical for voice quality. A retransmitted voice packet would arrive too late to be played — silence is preferable to a stutter. UDP's 8-byte header minimizes overhead.

Q3.During a TCP connection setup, a client sends a SYN segment. What does the server send in response?

A.ACK only

B.SYN only

C.SYN-ACK

D.FIN-ACK

Explanation: In the TCP 3-way handshake, the server responds to the client's SYN with a SYN-ACK — acknowledging the client's sequence number and including its own Initial Sequence Number. The client then completes the handshake with an ACK.

Q4.Which port number does TFTP use?

A.TCP 21

B.TCP 69

C.UDP 69

D.UDP 21

Explanation: TFTP (Trivial File Transfer Protocol) uses UDP port 69. Unlike FTP which uses TCP 20/21, TFTP uses UDP for its simplicity — it implements its own basic reliability (stop-and-wait ACK) over UDP.

Q5.What TCP mechanism prevents the sender from transmitting more data than the receiver can buffer?

A.Congestion control

B.Flow control (sliding window)

C.Slow start

D.3-way handshake

Explanation: TCP flow control uses the sliding window mechanism. The receiver advertises a window size in each ACK — the maximum bytes it can accept. The sender cannot transmit beyond this window until the receiver acknowledges data and advertises a larger window.

Frequently asked questions — TCP vs UDP

What is the TCP 3-way handshake?

The TCP 3-way handshake establishes a connection before data transfer: (1) Client sends SYN with its Initial Sequence Number. (2) Server responds with SYN-ACK, acknowledging the client's ISN and including its own ISN. (3) Client sends ACK, acknowledging the server's ISN. After this exchange, the connection is ESTABLISHED and application data can flow.

Why does DNS use UDP instead of TCP?

DNS queries and responses are typically small (under 512 bytes for standard queries), and a single round-trip is all that's needed. UDP is faster because there's no connection setup overhead. If a UDP DNS response is lost, the resolver simply retries. DNS switches to TCP 53 only for large responses and zone transfers between servers.

What is the difference between flow control and congestion control in TCP?

Flow control (sliding window) prevents the sender from overwhelming the receiver — it's end-to-end. The receiver advertises how much buffer space it has. Congestion control (slow start, AIMD) prevents the sender from overwhelming the network — it infers network congestion from packet loss and adjusts the send rate accordingly.

Which well-known applications use TCP and which use UDP?

TCP: HTTP (80), HTTPS (443), SSH (22), Telnet (23), FTP (20/21), SMTP (25), RDP (3389). UDP: DNS (53), DHCP (67/68), TFTP (69), NTP (123), SNMP (161/162), Syslog (514), VoIP/RTP. Some use both: DNS uses UDP for queries, TCP for zone transfers.

What are ephemeral ports and why are they used?

Ephemeral (dynamic) ports are temporary source ports used by clients — typically in the range 49152–65535 (IANA standard) though OS implementations vary. When a browser opens a connection to a web server on TCP 80, it uses an ephemeral source port like 54321 so the OS can track which application the return traffic belongs to. The server's response goes to port 54321 on the client.

Practice this topic

CCNApractice questions

Test yourself on TCP vs UDP

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice test Start 7-Day Free Trial

No credit card · Cancel anytime