009 Flashcards

1
Q

(1.1) OSI layer

A

Please Do Not Throw Sausage Pizza Away

2
Q

(1.2) What is a Content Delivery Network?

A

A network of interconnected servers that speeds up webpage loading for data-heavy applications.

3
Q

(1.2) How does Content Delivery work?

A

When a user visits a website, data from that website’s server has to travel across the internet to reach the user’s computer. If the user is located far from that server, it will take a long time to load a large file, such as a video or website image. Instead, the website content is stored on CDN servers geographically closer to the users and reaches their computers much faster.

4
Q

(1.3) What is a Virtual Private Cloud?

A

A secure, isolated private cloud hosted within a public cloud.

5
Q

(1.3) Network security group vs. network security list

A

A “network security group” (NSG) allows you to define security rules for a specific group of virtual network interface cards (VNICs), providing more granular control over traffic compared to a “network security list”, which applies security rules to all VNICs within an entire subnet, offering a broader security policy across a subnet.

6
Q

(1.3) What is a cloud gateway?

A

A network device or service that acts as an intermediary between a local network (on-premises) and a cloud infrastructure. It facilitates the secure, seamless, and efficient flow of data between the on-premises network and cloud services or between different cloud environments. Cloud gateways typically support various protocols, including VPN (Virtual Private Network), API-based integrations, and direct connections, allowing organizations to extend their on-premises infrastructure to the cloud, integrate cloud services into their existing environment, and securely manage cloud-based resources.

7
Q

(1.3) What is a Cloud Internet gateway?

A

An “internet gateway” specifically allows resources within a cloud network to access the public internet, acting as the connection point between a virtual private cloud (VPC) and the wider internet; essentially, an internet gateway is a type of cloud gateway focused solely on internet access.

8
Q

(1.3) What is a Cloud NAT gateway?

A

A managed service that allows cloud resources, such as virtual machines (VMs) or instances in private subnets, to access the internet or other external resources without exposing their private IP addresses. It only handles outbound traffic.

9
Q

(1.3) VPN as a cloud connectivity option?

A

A cloud VPN connects a user’s device or corporate network to cloud environments (e.g., AWS, Azure, or Google Cloud). Cloud providers often offer managed VPN services to securely connect on-premises infrastructure to their cloud resources.

10
Q

(1.3) Direct Connect as a cloud connectivity option?

A

A dedicated, private network connection established between an organization’s on-premises infrastructure and a cloud provider’s data center, essentially bypassing the public internet to provide a more secure and high-performance connection for accessing cloud resources like AWS, Azure, or Google Cloud; it allows for faster data transfer and lower latency compared to standard internet connections.

11
Q

(1.4) Internet Protocol type: Internet Control Message Protocol

A

A network layer protocol that allows devices to communicate data transmission errors and network information.

12
Q

(1.4) Internet Protocol type: GRE

A

A protocol that encapsulates packets in order to route various routing protocols over Internet Protocol (IP) networks.

13
Q

(1.4) Internet Protocol type: IPSec

A

A set of protocols that encrypts and authenticates data packets to enable secure communication over a network. IPsec is often used in virtual private networks (VPNs) to create encrypted tunnels between devices and transmit data securely over unsecured networks.

14
Q

(1.4) Internet Protocol type: IPSec - Internet Key Exchange

A

IPsec uses the Internet Key Exchange (IKE) protocol to establish secure virtual private network (VPN) tunnels between network devices. IKE is a key management protocol that automates the negotiation and establishment of security associations (SAs) for IPsec. IKE ensures that both parties in a communication use the same encryption and authentication methods.

15
Q

(1.4) Internet Protocol type: IPSec - AH vs. ESP

A

AH protects the data with an authentication algorithm. ESP protects the data with an encryption algorithm.

16
Q

(1.5) Wireless - Cellular

A

4G LTE:
Converged GSM and CDMA.
Based on GSM and EDGE.
Download 150 Mbps.
LTE-A:
Download 300Mbps.
5G:
100-900 Mbps.
Eventually to 10 Gbps.
Uses higher frequencies, which means more cycles per second, resulting in faster processing.

17
Q

(1.5) Wired - DAC cable

A

A Direct Attach Copper cable, or DAC cable, is a twin-axial copper cable with factory-terminated transmission modules that enable it to connect directly into the ports (or line cards) of active equipment, such as switches, routers, servers or data storage devices, in a data network.

18
Q

(1.6) Collapsed core

A

Core layer and distribution layer combined into a single layer. Ideal for smaller networks due to its simplified design and cost-effectiveness; however, it can have limitations in terms of scalability and resiliency compared to a full three-tier model.

19
Q

(1.8) Software Defined Network

A

Using software to direct traffic on a network.
SDN is a part of Infrastructure as Code.

Control Plane: makes decisions about how traffic is prioritized and secured and where it should be switched to in the network. Decides where data goes.
Data Plane: Moves the data.
Management Plane: provides oversight of the network and allows for config changes.

Open SDN: relies on open source technology.
Hybrid SDN: Network that employs traditional SDN protocols to operate itself.

20
Q

(1.8) Software Defined WAN

A

Virtualized approach to managing and optimizing WAN connections to efficiently route traffic between remote sites, data centers, and cloud environments.

21
Q

(1.8) Application aware

A

A Software-Defined Networking (SDN) architecture where the network controller can identify and understand individual applications running on the network, allowing it to make intelligent decisions about traffic management, resource allocation, and policy enforcement based on the specific application needs, rather than just relying on IP addresses or port numbers alone; essentially, the network can tailor its behavior to optimize performance for different applications.

22
Q

(1.8) Zero-touch provisioning

A

The automated process of configuring and setting up network devices like switches and routers within a Software-Defined Network (SDN) environment without any manual intervention, essentially allowing new devices to “self-configure” when plugged in, significantly reducing the time and effort needed for network deployment and management.

23
Q

(1.8) Transport agnostic

A

A Software Defined Network (SDN) architecture is designed to operate independently of the underlying transport protocol used, like TCP or UDP, allowing it to manage traffic flows across different network layers without being limited by specific transport protocols; essentially, the SDN controller can make routing decisions without needing to know the specific transport mechanism used by the data stream.

24
Q

(1.8) Central policy management

A

The ability to centrally define and enforce network policies across an entire network using a Software-Defined Networking (SDN) controller, allowing administrators to manage access control, security rules, and traffic prioritization from a single point, providing greater flexibility and automation compared to traditional device-based configurations.

25
Q

(1.8) VXLAN

A

Network virtualization technology that addresses the limitations posed by traditional network infrastructures.

A network overlay technology designed to encapsulate Ethernet frames within a UDP packet.

Operates by encapsulating Layer 2 Ethernet frames within Layer 4 UDP packets.

Two parts when setting up VXLAN:
VXLAN Tunnel End Points:
Encapsulation and de-encapsulation of Ethernet frames into VXLAN packets.

VXLAN Segments:
Layer 2 network overlaid onto a Layer 3 network that is then identified by a unique 24-bit VNI.

26
Q

(1.8) Zero trust architecture

A

Demands verification for every device, user, and transaction within the network, regardless of its origin.

27
Q

(1.8) SASE/SSE

A

SASE uses SDN to provide security and networking services from the cloud.

SASE combines networking and security services, while SSE focuses solely on security.

28
Q

(1.8) IaC

A

Automation: the practice of managing and provisioning network infrastructure, like routers, switches, firewalls, and other devices, using code instead of manual configuration, allowing for automated deployment, scaling, and updates to network components.
Playbooks: outline the tasks needed to configure network devices, including things like creating interfaces, setting IP addresses, defining security policies, and managing routing protocols, all within a structured and organized format.
Templates: contain a series of configuration files that are applied to the different devices being deployed in the environment.
Reusable tasks.
Configuration drift/compliance.
Upgrades.
Dynamic inventories: a system that automatically updates and maintains a list of network devices (like servers, routers, and switches) in real time, pulling information directly from external sources like cloud providers or network management systems, eliminating the need for manual updates whenever infrastructure changes occur; essentially, it’s a live, constantly refreshing view of your network devices, crucial for managing large, fluctuating environments like cloud-based infrastructure.
Source control:
Version control.
Central policy.
Conflict identification.
Branching.

29
Q

(1.8) IPv6 addressing - compatibility requirements

A

Dual stack: IPv4 and IPv6 protocols coexist on the same network infrastructure. Network devices are configured to understand both IPv4 and IPv6.

Tunneling: Enables one network protocol to be carried within another by encapsulating its packets inside the other protocol’s packets.

NAT64: NAT mechanism that allows IPv6-only devices to communicate with IPv4 servers and services.

30
Q

(2.1) Dynamic routing - Border Gateway Protocol

A

Exterior gateway protocol: connects different autonomous systems (AS).
Hybrid.

31
Q

(2.1) Dynamic routing - Enhanced Interior Gateway Routing Protocol

A

Hybrid.
Mostly Cisco-centric.
Easy to set up.
Converges quickly.
Loop-free.
Efficient discovery of neighbor routers.
Sends updates using minimal bandwidth.

32
Q

(2.1) Dynamic routing - Open Shortest Path First

A

A common interior gateway protocol.
Used within a single autonomous system (AS). An AS is the set of systems over which you have complete control.
Available from many different manufacturers.
Link-state protocol.
Each link has a cost that takes into account throughput, reliability, and round-trip time.
Lowest cost and fastest route wins.

33
Q

(2.1) Port Address Translation

A

A network technology that allows multiple devices on a local area network (LAN) to share a single public IP address. It’s a type of network address translation (NAT) that uses port numbers to map private IP addresses to a public IP address.

34
Q

(2.1) First Hop Redundancy Protocol

A

A networking protocol that allows for fail-over when a network’s first hop fails. The first hop is the first router or switch that a device connects to when it enters a network. FHRP ensures that if the first hop fails, another device can take over and keep the network operational.

35
Q

(2.3) Autonomous vs. lightweight access point

A

Autonomous: These APs are standalone devices that work independently and don’t need a WLC. They’re managed individually and are best suited for small networks.

Lightweight: These APs require a WLC to function and are designed for centralized control and management. They’re best suited for large and complex networks.

36
Q

(3.4) Name resolution - DNS

A

Domain Name System Security Extensions (DNSSEC):
It uses digital signatures to verify the origin and integrity of DNS data, allowing users to trust that the IP address they are being directed to is the correct one for the domain they entered.

DNS over HTTPS (DoH):
A protocol that encrypts Domain Name System (DNS) traffic by sending DNS queries through a secure HTTPS connection, essentially hiding the websites a user is trying to access from potential eavesdroppers and improving online privacy and security by preventing the interception of DNS requests.

DNS over TLS (DoT):
A protocol that encrypts Domain Name System (DNS) queries using the Transport Layer Security (TLS) standard, essentially protecting the privacy of your internet activity by preventing eavesdroppers from seeing which websites you are trying to access by obscuring the DNS requests sent from your device to a DNS resolver.

37
Q

(3.4) Time protocols - Precision Time Protocol (PTP)

A

A protocol for clock synchronization throughout a computer network with relatively high precision and therefore potentially high accuracy.

38
Q

(3.5) API - REST and SOAP

A

REST:
An architectural style, meaning it defines principles for designing APIs.
Can use various data formats like JSON, XML, or plain text.
Typically stateless, meaning each request is treated independently.
Considered easier to implement and understand due to its simpler design.

When to use REST:
When you need a flexible and lightweight API.
For public APIs where a wide range of clients might access data.
When you want to leverage standard HTTP methods like GET, POST, PUT, and DELETE.

SOAP:
A specific protocol for data transmission.
Strictly uses XML.
Can maintain state information on the server.
Can be more complex with its strict messaging structure.

When to use SOAP:
When strict security and complex transactional requirements are necessary.
For enterprise-level integrations where robust data validation and standardized communication are crucial.

39
Q

(3.5) Jump box

A

Hardened server that provides access to other hosts within the screened subnet.

40
Q

(4.1) Logical security - Encryption - Data in transit and Data at rest

A

Encryption plays a major role in data protection and is a popular tool for securing data both in transit and at rest. For protecting data in transit, enterprises often choose to encrypt sensitive data prior to moving it and/or use encrypted connections (HTTPS, SSL, TLS, FTPS, etc.) to protect the contents of data in transit. For protecting data at rest, enterprises can simply encrypt sensitive files prior to storing them and/or choose to encrypt the storage drive itself.

41
Q

(4.1) Logical security - Certificates - Public Key Infrastructure

A

The public key is used by the sender and the private key by the receiver. Only the private key can decrypt.

42
Q

(4.1) Logical security - Certificates - Self-signed

A

A self-signed TLS/SSL certificate is not signed by a publicly trusted certificate authority (CA) but instead by the developer or company that is responsible for the website; as they are not signed by a publicly trusted CA, they are usually considered unsafe for public applications and websites.

43
Q

(4.1) Identity and access management

A

A system that controls and manages how users access digital resources, ensuring only authorized individuals have the appropriate level of access to specific information and applications within a network, essentially verifying who a user is and what they are allowed to do within the system.

44
Q

(4.1) Security Assertion Markup Language (SAML)

A

An open standard protocol that enables users to access multiple applications with a single set of credentials. SAML is a key component of single sign-on (SSO) systems, which allow users to log in once and access multiple applications, services, or websites.

45
Q

(4.1) Honeypot vs. Honeynet

A

A honeypot is a single service or computer on a network that is configured to act as a decoy, attracting and trapping would-be attackers. A honeynet, on the other hand, is a network of honeypots that are used to lure in attackers and study their activities across multiple honeypots.

46
Q

(4.1) Data locality

A

The practice of storing and processing data on the same or nearby computing node where it is most likely to be accessed, minimizing the need to transfer large amounts of data across the network and thereby improving performance by reducing latency and network congestion.

47
Q

(4.1) Payment Card Industry Data Security Standards (PCI DSS)

A

Refers to a set of security standards that businesses must follow to protect customer credit card information when storing, processing, or transmitting it, ensuring the safety of cardholder data within computer networks by implementing measures like strong access controls, secure network configurations, regular vulnerability scanning, and data encryption across public networks.

48
Q

(4.1) General Data Protection Regulation (GDPR)

A

Refers to a set of European Union (EU) laws that govern how personal data is collected, stored, and processed within computer systems, requiring organizations to implement robust security measures to protect individuals’ privacy and give them control over their personal information when it is transmitted or stored on a network.

49
Q

(4.2) MAC flooding

A

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.

50
Q

(4.3) 802.1x

A

A port-based network access control (PNAC) protocol that authenticates devices connecting to a LAN or WLAN. It prevents unauthorized clients from connecting to a LAN through publicly accessible ports.

51
Q

(5.5) Link Layer Discovery Protocol vs. Cisco Discovery Protocol

A

LLDP: a vendor-neutral protocol operating at the data link layer (Layer 2) that allows network devices to advertise their identity, capabilities, and neighbor information to other directly connected devices on a local area network (LAN), essentially helping network administrators easily discover and map network topology by gathering details like device type, port information, and IP addresses.

CDP: a proprietary Layer 2 protocol developed by Cisco that allows Cisco devices on a network to automatically discover and share information about each other, including device type, operating system version, and interface details, with neighboring devices directly connected to them, essentially enabling network administrators to map out their Cisco network topology easily.