Skip to main content

Architecture Layering Cheatsheet

Debug any infrastructure problem by knowing which layer you’re in — and which tools belong there.

Why Layers Matter

Every infrastructure failure lives at a specific layer. The reason most debugging sessions take hours instead of minutes is layer confusion — using Layer 7 tools to debug a Layer 3 problem, or blaming DNS when it’s actually TCP, or assuming the application is broken when the auth protocol changed underneath it. This cheatsheet gives you the tools, the commands, and the mental model to locate the failure layer in minutes. It was born from a real debugging session where an SSH connection failed silently across five layers, with no error at any single one. The rule: Work bottom-up. Confirm each layer is clean before moving to the next. The bug lives at the first layer that breaks — or between two layers that individually look fine.

The Full Stack: 7 Layers, 4 Languages

Each layer in a network stack can be debugged using tools from different language ecosystems. The layering patterns are consistent across languages, but the tools and failure modes differ. Plain English: This is the full debugging stack. Start at the bottom (is the cable plugged in? is WiFi connected?), move up through IP routing (can packets reach the host?), TCP (can a connection be established?), protocol-specific auth (is the handshake completing?), TLS/session (is encryption negotiating?), and finally the application itself. Each layer has tools in each language ecosystem. The arrow direction shows the debugging order — always start from the bottom.

Layer-by-Layer Reference

Layer 1: Physical

“Is the wire connected?”
CheckCommandExpectedFailure Means
Interface upip link showstate UPCable/WiFi disconnected
WiFi signaliwconfig or nmcliSignal strength > -70 dBmMove closer to AP
DC statusProvider status pageAll greenWait or call support
When to suspect Layer 1: Nothing works. Not even ping to your gateway.
“Can frames reach the next hop?”
CheckCommandExpectedFailure Means
ARP resolutionarp -n or ip neighGateway MAC visibleL2 isolation, VLAN issue
MTUip link show dev eth01500 (or your configured value)Jumbo frame mismatch
Path MTUping -M do -s 1472 <host>Replies receivedMTU blackhole on path
When to suspect Layer 2: Ping works to gateway but not beyond. Or large packets fail while small ones succeed. Trap: MTU issues cause intermittent failures. Small requests work, large payloads die. This looks like an app bug.

Layer 3: Network / IP

“Can packets reach the destination?”
CheckCommandExpectedFailure Means
Reachabilityping <host>Replies receivedRouting or firewall
Route pathtraceroute <host>Complete path, no * * *Hop dropping packets
Route + latencymtr <host>Consistent latency, no lossCongestion or blackhole
DNS resolutiondig <host> +shortIP address returnedDNS misconfiguration
Reverse DNSdig -x <ip>Hostname returnedPTR record missing
Language-specific tools: 
# Python — raw ICMP with scapy
python3 -c "from scapy.all import *; print(sr1(IP(dst='1.1.1.1')/ICMP()))"

# Go
go run -c "net.Dial('ip4:icmp', '1.1.1.1')"
When to suspect Layer 3: Ping fails or traceroute shows hops going dark. DNS returns wrong IP. Route is asymmetric. Real-world example: We created a DNS A record for vps.devarno.cloud pointing to 187.124.113.147. Before this, the hostname didn’t resolve at all — looked like a server problem, was actually a DNS problem.

Layer 4: Transport / TCP

“Can a connection be established?”
CheckCommandExpectedFailure Means
TCP connectnc -zv <host> <port>”Connection succeeded”Port closed or filtered
TCP connect (timeout)nc -zv -w5 <host> <port>Success within 5sFirewall dropping SYN
Open ports (local)ss -tlnpPort listed and LISTENService not running
Open ports (remote)nmap -sT <host> -p <port>”open”Firewall or service down
TCP dumptcpdump -i any port <port>SYN/SYN-ACK/ACK visibleHandshake failing
Language-specific tools: 
# Python — raw socket connect test
import socket
s = socket.create_connection(("host", 22), timeout=5)
print(f"Connected: {s.getpeername()}")
s.close()

// Node.js — TCP connect test
const net = require("net");
const s = net.connect(22, "host", () => {
  console.log("Connected");
  s.end();
});
s.on("error", (e) => console.error(e.message));
s.setTimeout(5000);

// Rust — TCP connect test
use std::net::TcpStream;
use std::time::Duration;
let stream = TcpStream::connect_timeout(
    &"host:22".parse().unwrap(),
    Duration::from_secs(5)
);

// Go — TCP connect test
conn, err := net.DialTimeout("tcp", "host:22", 5*time.Second)
if err != nil { log.Fatal(err) }
defer conn.Close()
When to suspect Layer 4: nc fails but ping works. Or connections establish but reset immediately.

Layer 5: Auth / Protocol Negotiation

“Is the handshake completing?” This is the layer most people skip — and where the ghosts live.
CheckCommandExpectedFailure Means
SSH verbosessh -vvv user@host”Authentication succeeded”Key/password/method issue
SSH server debugsshd -d -p 2222Full handshake logSee what server receives
SSH auth methodCheck for publickey-hostbound-v00Standard publickeyNew OpenSSH extension
TLS handshakeopenssl s_client -connect host:443Certificate chain shownCert/cipher mismatch
Language-specific tools — and why they matter here: 
# Python paramiko — uses traditional publickey auth
import paramiko
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('host', username='root', key_filename='/path/to/key')
# If this works but `ssh` doesn't → protocol extension issue

// Node ssh2 — also uses traditional publickey
const { Client } = require("ssh2");
const conn = new Client();
conn.on("ready", () => {
  console.log("Connected");
  conn.end();
});
conn.connect({
  host: "host",
  username: "root",
  privateKey: fs.readFileSync("/path/to/key"),
});

// Rust russh — control over auth method
use russh::*;
// Explicit key auth without hostbound extension

// Go x/crypto/ssh — explicit auth method selection
config := &ssh.ClientConfig{
    User: "root",
    Auth: []ssh.AuthMethod{ ssh.PublicKeys(signer) },
}
conn, err := ssh.Dial("tcp", "host:22", config)
When to suspect Layer 5: TCP connects fine, but the session/auth handshake fails or hangs. Server accepts the key but the signed response never arrives. TLS negotiation stalls on cipher selection. Real-world example: OpenSSH 10.2 defaults to publickey-hostbound-v00@openssh.com. The server accepted our key, but the signed auth response packet — larger than the key exchange packets — was silently dropped by a middlebox on the network path. Paramiko (using traditional publickey) connected instantly. The protocol layer was the problem.

Layer 6: Presentation / Session (TLS, Encryption, Encoding)

“Is the encrypted channel working?”
CheckCommandExpectedFailure Means
TLS cert validopenssl s_client -connect host:443 2>/dev/null | openssl x509 -noout -datesValid datesExpired cert
TLS versionopenssl s_client -connect host:443 -tls1_3Handshake succeedsTLS version mismatch
Cipher suitesnmap --script ssl-enum-ciphers -p 443 hostStrong ciphers listedWeak/unsupported ciphers
Certificate chainopenssl s_client -showcerts -connect host:443Full chain to root CAMissing intermediate cert
SSH key exchangeCheck ssh -v for kex linesAlgorithm agreedIncompatible algorithms
When to suspect Layer 6: Connection establishes but data is garbled, or handshake fails specifically at cipher negotiation. Certificate errors in browsers. “SSL routines” errors in logs.

Layer 7: Application

“Is the app doing what it should?”
CheckCommandExpectedFailure Means
HTTP statuscurl -sI <url>200 OK (or expected code)App error
Response bodycurl -s <url> | head -20Expected contentLogic error or empty response
Health endpointcurl -sf <url>/healthz200Service unhealthy
API authcurl -H "Authorization: Bearer $TOKEN" <url>Authenticated responseToken/credential issue
DNS + HTTPcurl -v <url>Full negotiation logMulti-layer visibility
When to suspect Layer 7: Everything below works. TCP connects, TLS negotiates, auth succeeds. But the application returns wrong data, errors, or nothing.

The Debugging Flowchart

Plain English: Start at the top: can you even reach the machine? If not, it’s a low-level network issue. If you can reach it, can you open a connection on the right port? If not, it’s a firewall or service issue. If you can connect, does the security handshake complete? If not, it’s a protocol/auth issue (this is where our SSH ghost packet lived). If the handshake works, it’s an application problem. Follow the arrows — you’ll find the layer in four questions.

Quick Reference: Tools by Scenario

”I can’t connect to anything"

ip link show                    # Is the interface up?
ping 8.8.8.8                   # Can you reach the internet at all?
ping <gateway-ip>              # Can you reach your router?
dig google.com                 # Is DNS working?
traceroute <target>            # Where do packets die?

"I can ping but can’t connect to the service"

nc -zv <host> <port>           # Is the port open?
ss -tlnp                       # Is the service listening? (on server)
iptables -L -n                 # Is a firewall blocking it? (on server)
ufw status                     # UFW firewall rules (Ubuntu)

"Connection establishes but auth fails"

ssh -vvv user@host             # Client-side auth debug
sshd -d -p 2222               # Server-side auth debug (run on server)
openssl s_client -connect h:443 # TLS handshake debug
ssh -V                         # Check OpenSSH version (10.2+ uses new auth)

"SSH specifically: ‘Connection closed [preauth]‘"

# THE cheatsheet for this exact problem:
sshd -d -p 2222                      # 1. Server debug — see what actually arrives
ssh -v -p 2222 user@host             # 2. Client verbose — see what's sent
ssh -V                                # 3. Check version — 9.8+ uses publickey-hostbound
pip install paramiko && python3 -c "
import paramiko
c = paramiko.SSHClient()
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
c.connect('host', username='root', key_filename='~/.ssh/id_rsa')
print('paramiko connected')
c.close()
"                                     # 4. If paramiko works → protocol extension issue
cat /etc/os-release                   # 5. Ubuntu 24.04? Service is 'ssh' not 'sshd'

"It works locally but not from CI/CD or another server”

# Check what the OTHER machine sees:
curl -s ifconfig.me                   # What's my public IP?
mtr <target>                          # What path do my packets take?
ssh -o PreferredAuthentications=publickey user@host  # Force specific auth method

Language Comparison: Connection Debugging Patterns

The Same Bug, Four Ways

This table shows how you’d diagnose a “connection works, auth fails” problem in each ecosystem:
StepBash/OpenSSHPythonNode.jsGo
TCP testnc -zv host 22socket.create_connection()net.connect()net.DialTimeout()
TLS testopenssl s_clientssl.wrap_socket()tls.connect()tls.Dial()
SSH connectssh -vparamiko.SSHClient()ssh2.Client()ssh.Dial()
Auth methodReads ~/.ssh/configExplicit in .connect()Explicit in .connect()Explicit in ClientConfig
Key formatOpenSSH native + PEMPEM, OpenSSH (paramiko 2.10+)PEM, OpenSSHPEM, OpenSSH
Debug output-v / -vvv flaglogging.basicConfig(level=DEBUG)debug: console.log in configCustom ssh.Logger

Key Insight: Library vs. System Implementation

This is the lesson that burned four hours into my memory:
PropertySystem SSH (OpenSSH)Library SSH (paramiko/ssh2/x-crypto)
Auth defaultpublickey-hostbound-v00 (10.2+)Traditional publickey
Packet sizeLarger (host-key binding included)Standard
Config source~/.ssh/config, system sshd_configProgrammatic only
Middlebox riskHigher (new extension, unfamiliar packets)Lower (well-known packet format)
Best forInteractive use, standard adminAutomation, CI/CD, middlebox-hostile paths
When OpenSSH fails and paramiko succeeds, the network path is the problem, not your keys.

Infra Patterns: Boxes and Arrows

Every architecture diagram has two types of elements: boxes (services, servers, databases) and arrows (connections between them). Most debugging guides focus on the boxes. This cheatsheet focuses on the arrows. Plain English: This is a real architecture. n8n (our orchestration brain) sends a webhook, which eventually needs to SSH into a VPS to run Claude Code CLI. The red and orange boxes are the network path — the middleboxes and transit providers that sit between the two services. These are invisible in most architecture diagrams, but they’re where our ghost packet was dropped. Lesson: When you draw architecture diagrams, the arrows are not free. Each arrow crosses real network infrastructure with real failure modes. The more arrows, the more ghosts.

Campaign: Cross-Platform Strategy

Twitter/X Thread (4 tweets)

Tweet 1 (Hook):
I made an infrastructure debugging cheatsheet that maps every network layer to its tools — in Bash, Python, Node, Rust, and Go. Born from 4 hours of debugging a ghost packet that vanished between two servers. Bookmark this. :thread:
Tweet 2:
The flowchart: Can you ping it? No → Layer 1-3 Can you TCP connect? No → Layer 4 Does the handshake complete? No → Layer 5-6 Does the app respond? No → Layer 7 Four questions. That’s all you need.
Tweet 3:
The insight that changed my debugging forever: When OpenSSH fails but paramiko succeeds with the same key to the same server — it’s not your key. It’s the PROTOCOL EXTENSION. OpenSSH 10.2+ uses a different (larger) auth packet. Some network paths drop it.
Tweet 4 (CTA):
Full cheatsheet with mermaid diagrams, language comparisons, and copy-paste command blocks: [link] Plus the companion blog post telling the full debugging story: [link]

LinkedIn Post

Every infrastructure failure lives at a specific layer. I just published an Architecture Layering Cheatsheet — a practical guide to debugging any infrastructure problem by working through the network stack layer by layer. It maps each layer to its debugging tools across Bash, Python, Node, Rust, and Go. Includes a four-question flowchart that locates the failure layer in under a minute. Born from a real debugging session where an SSH connection failed silently — no error at any individual layer. The failure existed between layers, in the interaction between a new protocol extension and the network path. Bookmark it, print it, tape it to your monitor. The next time something breaks and “everything looks fine,” this will save you hours. [link] #DevOps #Networking #Debugging #InfraEngineering #Cheatsheet #SSH #Architecture
  1. Cover: “ARCHITECTURE LAYERING CHEATSHEET” — clean, terminal-aesthetic design
  2. The Rule: “Work bottom-up. Confirm each layer before moving up.” — minimal text, bold
  3. Layer 1-3: Physical / Data Link / Network — key commands (ping, traceroute, dig)
  4. Layer 4: Transport — TCP debugging (nc, ss, tcpdump)
  5. Layer 5-6: Auth / TLS — the ghost layer (ssh -v, sshd -d, openssl)
  6. Layer 7: Application — app-level debugging (curl, health checks)
  7. The Flowchart: Simplified 4-question decision tree
  8. CTA: “Full cheatsheet with language comparisons at [link]” — save this post

Short-Form Video (45-60s)

Hook (0-5s): Whiteboard with 7 boxes stacked. “Every infra failure lives at one of these layers.” Body (5-45s): Fast marker-on-whiteboard walkthrough:
  • Cross out Layer 1 (“cable’s plugged in”)
  • Cross out Layer 3 (“ping works”)
  • Cross out Layer 4 (“TCP connects”)
  • Circle Layer 5 in red (“THE HANDSHAKE. This is where the ghosts are.”)
  • Show the four-question flowchart
Close (45-60s): “Four questions. Seven layers. Full cheatsheet linked in bio. Bookmark it before you need it.”

Newsletter Section

New Reference: Architecture Layering Cheatsheet I’ve published the companion piece to this week’s debugging story — a practical cheatsheet that maps every network layer to its debugging tools across five language ecosystems. The core insight: work bottom-up, confirm each layer is clean before moving up, and when “everything looks fine” at every layer individually, look at the interactions between layers. That’s where the ghosts live. This is designed as an evergreen reference — the kind of thing you bookmark and pull up six months from now when something breaks at 3am. [Architecture Layering Cheatsheet →]

SEO Strategy: Making This the Reference

Target SERP Position

This cheatsheet targets informational intent queries where someone is actively debugging and searching for help. These are high-engagement, high-bookmark queries:
Target QueryMonthly Volume (est.)DifficultyOur Angle
”ssh connection closed preauth”~2,400MediumDirect solution + context
”network debugging tools”~1,900HighMulti-language comparison (unique)
“osi model practical guide”~1,300MediumReal debugging examples (not textbook)
“ssh debugging methodology”~800LowStep-by-step with real story
”infrastructure troubleshooting guide”~1,600HighFlowchart + cheatsheet format
”tcp connection debugging linux”~900MediumCopy-paste commands
”paramiko vs openssh”~400LowDirect comparison table
”mtu troubleshooting”~700LowWhen it matters + when it doesn’t
”publickey-hostbound-v00”~100 (growing)Very LowFirst-mover SEO on new OpenSSH feature

Content Structure for SEO

  1. H1: Architecture Layering Cheatsheet (matches “cheatsheet” queries)
  2. H2s: Each layer name (matches “Layer N debugging” queries)
  3. Tables: Scannable, featured-snippet friendly
  4. Code blocks: Copy-paste commands (matches “how to debug X” queries)
  5. Flowchart: Visual, shareable, linkable anchor
  6. Language comparison: Unique differentiator vs. existing cheatsheets (most are Bash-only)
  7. Real-world examples: Not textbook OSI — real failures from a real session

Backlinking Strategy

SourceActionExpected
Companion blog postLinks to cheatsheet as “the reference”Internal link equity
GitHub README (atlas)Link from docs indexDirect traffic
Dev.to cross-postRepublish with canonical URLCommunity backlinks
Hacker NewsSubmit companion blog (story-first)Discussion + organic links
Reddit r/sysadmin, r/devopsPost cheatsheet directly (value-first)Community traffic
OpenSSH mailing listBug report referencing the publickey-hostbound findingAuthority backlink
Stack Overflow answersAnswer “connection closed preauth” questions, link to cheatsheetHigh-intent referrals

Schema Markup Recommendations

{
  "@type": "TechArticle",
  "name": "Architecture Layering Cheatsheet",
  "description": "Debug any infrastructure problem layer by layer",
  "proficiencyLevel": "Expert",
  "dependencies": "Linux, SSH, TCP/IP networking",
  "about": ["Network debugging", "SSH troubleshooting", "Infrastructure"]
}

Virality Boosters

Emojis

  • :mag: for debugging steps
  • :ghost: for the ghost packet reference
  • :bookmark: for “save this” CTAs
  • :white_check_mark:/:x: for pass/fail in checklists
  • :brain: for the mental model / flowchart

GIF Ideas

  • “It’s a series of tubes” (Senator Stevens) — for the “arrows matter” section
  • “Enhance” CSI zoom — for going layer by layer
  • “I’m in” hacker movie trope — for when the flowchart finally locates the layer

Content Cadence Placement

Position: Evergreen reference (publish same week as companion blog post)
PieceTypeLifespan
The Packet That Never Arrived (blog)Narrative/topical2-4 weeks of peak traffic, then long tail
This cheatsheetEvergreen referenceMonths to years — becomes the bookmarked resource
The blog post drives initial traffic and social engagement. The cheatsheet captures the long-tail SEO traffic from people actively debugging. They reinforce each other: the blog links to the cheatsheet (“here’s the systematic version”), the cheatsheet links to the blog (“here’s the real story that produced this”).

Extra Opportunities

Spin-Off Content

  1. “Architecture Layering Cheatsheet: Cloud Edition” — AWS/GCP/Azure-specific tools per layer (VPC flow logs, Cloud Armor, etc.)
  2. “Architecture Layering Cheatsheet: Kubernetes Edition” — Pod networking, service mesh, CNI plugin debugging
  3. Printable PDF version — gated download for email list building
  4. Interactive web version — click a layer, see the tools + examples expand (Mintlify interactive blocks)

Interactive Audience Prompts

  • “Which layer do YOU get stuck on most? (Poll: DNS / Firewall / Auth / App)”
  • “What’s your go-to first debugging command when something breaks? Drop it below.”
  • “Has anyone else hit the publickey-hostbound-v00 issue? I want to map which ISP/hosting combos trigger it.”

Collaboration Angles

  • Julia Evans (b0rk) — her zine format + this content = perfect match. She’s done networking zines before.
  • Cloudflare blog — they write about middlebox/protocol issues regularly. Pitch a guest post.
  • Hostinger blog — “Debugging SSH on Hostinger VPS” version targeted at their customer base.