Module 5 Flashcards

Question

Firewalls - Stateless Packet Filtering - Stateful Packet Filtering - Application Layer Packet Filtering

Answer 1

A ﬁrewall is a hardware or software system that prevents unauthorized access into or out of a network. Typically, ﬁrewalls are used to prevent unauthorized internet users from accessing internal networks. Therefore, all data leaving or entering the protected internal network must pass through the ﬁrewall to reach its destination, and any unauthorized data is blocked. The role of the ﬁrewall in any network is critical. - Stateless Packet Filtering: The most basic (and the original) type of ﬁrewall is a stateless packet ﬁltering ﬁrewall. You create static rules that permit or deny packets, based on packet header information. The ﬁrewall examines packets as they traverse the ﬁrewall, compares them to static rules, and permits or denies trafﬁc accordingly. This stateless packet ﬁltering can be based on several packet header ﬁelds, including the following: * Source and/or destination IP address * IP protocol ID * Source and/or destination TCP or UDP Port number * ICMP message type * Fragmentation flags * IP option settings This type of ﬁrewall tends to work best for TCP applications that use the same static ports every time, or for ﬁltering that is purely based on Layer 3 information such as source or destination IP address. The static rules are fairly simple, but they do not work well for applications that dynamically use different sets of TCP and/or UDP port numbers. This is because they cannot track the state of TCP or UDP sessions as they transition from initial request, to fulﬁlling that request, and then the closing of the session. Also, these static rules are built using a restrictive approach. In other words, you write explicit rules to permit the specific traffic deemed acceptable, and deny everything else. - Stateful Packet Filtering: The stateful packet ﬁltering ﬁrewall performs the same header inspection as the stateless packet ﬁltering ﬁrewall but also keeps track of the connection state. This is a critical difference. To keep track of the state, these ﬁrewalls maintain a state table. A typical simple conﬁguration works as follows. Any sessions or trafﬁc initiated by devices on trusted, inside networks are permitted through the ﬁrewall. This includes the TCP connection request for destination port 80. The ﬁrewall keeps track of this outbound request in its state table. The ﬁrewall understands that this is an initial request, and so an appropriate response from the server is allowed back in through the ﬁrewall. The ﬁrewall tracks the speciﬁc source port used and other key information about this request. This includes various IP and TCP ﬂags and other header ﬁelds. This adds a certain amount of intelligence to the ﬁrewall. It will allow only valid response packets that come from the speciﬁc server. The response packets must have all the appropriate source and destination IP addresses, ports, and ﬂags set. The stateful packet filtering ﬁrewall understands standard TCP/IP packet ﬂow including the coordinated change of information between inside and outside hosts that occurs during the life of the connection. The ﬁrewall allows untrusted outside servers to respond to inside host requests, but will not allow untrusted servers to initiate requests. - Application Layer Packet Filtering: The most advanced type of ﬁrewall is the application layer ﬁrewall which can perform deep inspection of the packet all the way up to the OSI model’s Layer 7. This gives you more reliable and capable access control for OSI Layers 3–7, with simpler conﬁguration. This additional inspection capability can impact performance. Limited buffering space can hinder deep content analysis. The application layer ﬁrewall can determine a File Transfer Protocol (FTP) session, just like a stateless or stateful ﬁrewall can. However, this ﬁrewall can look deeper, into the application layer to see that this is speciﬁcally an FTP “put” operation, to upload a ﬁle. You could have rules that deny all FTP uploads. Or you can configure a more granular rule such as one that denies all FTP uploads except those from a speciﬁc source IP and only if the ﬁlename is “os.bin”. The deeper packet inspection capability of the application layer ﬁrewall enables it to verify adherence to standard HTTP protocol functionality. It can deny requests that do not conform to these standards, or otherwise meet criteria established by the security team.

Answer 2

Load balancing improves the distribution of workloads across multiple computing resources, such as servers, cluster of servers, network links, and more. Server load balancing helps ensure the availability, scalability, and security of applications and services by distributing the work of a single server across multiple servers. The load balancer decides which server should receive a client request such as a web page or a ﬁle. The load balancer selects a server that can successfully fulﬁll the client request most effectively, without overloading the selected server or the overall network. At the device level, the load balancer provides the following features to support high network availability: * Device redundancy — Redundancy allows you to set up a peer load balancer device in the configuration so that if one load balancer becomes inoperative, the other load balancer can take its place immediately. * Scalability — Virtualization allows running the load balancers as independent virtual devices, each with its own resource allocation. * Security — Access control lists restrict access from certain clients or to certain network resources. At the network service level, a load balancer provides the following advanced services: * High services availability — High-performance server load balancing allows distribution of client requests among physical servers and server farms. In addition, health monitoring occurs at the server and server farm levels through implicit and explicit health probes. * Scalability — Virtualization allows the use of advanced load-balancing algorithms (predictors) to distribute client requests among the virtual devices configured in the load balancer. Each virtual device includes multiple virtual servers. Each server forwards client requests to one of the server farms. Each server farm can contain multiple physical servers. * Services-level security — This allows establishment and maintenance of a Secure Sockets Layer (SSL) session between the load balancer and its peer, which provides secure data transactions between clients and servers. Although the load balancer can distribute client requests among hundreds or even thousands of physical servers, it can also maintain server persistence. With some e-commerce applications, all client requests within a session are directed to the same physical server so that all the items in one shopping cart are contained on one server. You can configure a virtual server to intercept web traffic to a website and allow multiple real servers (physical servers) to appear as a single server for load-balancing purposes. You can distribute incoming client requests among the servers in a server farm by deﬁning load-balancing rules called predictors using IP address and port information.

Answer 3

Network diagrams are part of the documentation that goes with a network deployment and play just as an important role as the documentation steps in programming code. Network diagrams typically display a visual and intuitive representation of the network, depicting how are all the devices are connected, and in which buildings, ﬂoors, closets are they located, as well as what interface connects to each device. As networks get built and conﬁgured and go through their lifecycle of ordering the devices, receiving them on site, bringing them online and conﬁguring them, maintaining and monitoring them, upgrading them, all the way to decommissioning them, and starting the process over again, network diagrams need to be updated and maintained to document all these changes. There are generally two types of network diagrams: * Layer 2 physical connectivity diagrams * Layer 3 logical connectivity diagrams Layer 2, or physical connectivity diagrams are network diagrams representing how devices are physically connected in the network. It is basically a visual representation of which network port on a network device connects to which network port on another network device. Protocols like Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) can be used to display the physical network port connectivity between two or more devices. This network diagram is useful especially when troubleshooting direct network connectivity issues. Layer 3, or logical connectivity diagrams are network diagrams that display the IP connectivity between devices on the network. Switches and Layer 2 devices are usually not even displayed in these diagrams as they do not perform any Layer 3 functions and from a routing perspective, they are the equivalent of a physical wire. This type of network diagram is useful when troubleshooting routing problems. Redundant connections and routing protocols are usually present in networks that require high availability.

Answer 4

Each protocol meets a need and uses standard port values. You should know when to use a particular protocol and know the standard port for connections. Many developers have been puzzled by a mismatched port value; therefore, checking these values can be a ﬁrst line of attack when troubleshooting. - Telnet and Secure Shell (SSH) Telnet and SSH are both used to connect to a remote computer and log in to that system using credentials. Telnet is less prevalent today because SSH uses encryption to protect data going over the network connection. Telnet should only be used in non-production environments. SSH connections can use a public key for authentication, rather than sending a username and password over the network. This authentication method means that SSH is a good choice to connect to network devices, to cloud devices, and to containers. By default, SSH uses port 22 and Telnet uses port 23. - HTTP and HTTPS HTTP and its secure version, HTTPS, are both protocols recognized by web browsers and are used to connect to web sites. HTTPS uses TLS or SSL to make a secure connection. You can see the http: or https: in the address bar on your browser. Many browsers also recognize ssh: and ftp: protocols and allow you to connect to remote servers in that way as well. - NETCONF and RESTCONF NETCONF uses port 830. RESTCONF does not have a reserved port value. You may see various implementations of different values. Commonly the port value is in the 8000s. To have multiple network operations, you want to make sure each protocol has a default port and use standards to try to avoid conﬂicts. TCP and UDP trafﬁc requires a destination port be specified for each packet. The source port is automatically generated by the sending device.

Answer 5

DHCP was designed to dynamically configure devices with IP addressing information. DHCP works within a client/server model, where designated DHCP servers allocate IP addresses and deliver conﬁguration information to devices that are configured to dynamically request addressing information. In addition to the IP address for the device itself, a DHCP server can also provide additional information, like the IP address of the DNS server, default router, and other conﬁguration parameters. Some of the beneﬁts of using DHCP instead of manual conﬁgurations are: * Reduced client configuration tasks and costs - By not having to physically walk up to the device and manually configure the network settings, large cost savings are possible. This especially applies in the case of ISPs that can remotely and dynamically assign IP addresses to the cable or Digital Subscriber Line (DSL) modems of their clients without having to dispatch a person each time a network configuration change is necessary. * Centralized management - A DHCP server typically maintains the configuration settings for several subnets. Therefore, an administrator only needs to configure and update a single, central server. DHCP allocates IP addresses in three ways: * Automatic allocation - The DHCP server assigns a permanent IP address to the client. * Dynamic allocation - DHCP assigns an IP address to a client for a limited period of time (lease time). * Manual allocation - The network administrator assigns an IP address to a client and DHCP is used to relay the address to the client.

Answer 6

In cases in which the DHCP client and server are located in different subnets, a DHCP relay agent can be used. A relay agent is any host that forwards DHCP packets between clients and servers. Relay agent forwarding is different from the normal forwarding that an IP router performs, where IP packets are routed between networks transparently. Relay agents receive inbound DHCP messages and then generate new DHCP messages on another interface. Clients use port 67 to send DHCP messages to DHCP servers. DHCP servers use port 68 to send DHCP messages to clients. DHCP operations includes four messages between the client and the server: * DHCPDISCOVER - Server discovery * DHCPPOFFER - IP lease offer * DHCPREQUEST - IP lease request * DHCPACK - IP lease acknowledgment The client broadcasts a DHCPDISCOVER message looking for a DHCP server. The server responds with a unicast DHCPOFFER. If there is more than one DHCP server on the local network, the client may receive multiple DHCPOFFER messages. Therefore, it must choose between them, and broadcast a DHCPREQUEST message that identifies the explicit server and lease offer that the client is accepting. DHCPv6 has a set of messages that is similar to those for DHCPv4. The DHCPv6 messages are SOLICIT, ADVERTISE, INFORMATION REQUEST, and REPLY.

Answer 7

In data networks, devices are labelled with numeric IP addresses to send and receive data over networks. Domain names were created to convert the numeric address into a simple, recognizable name. The DNS protocol defines an automated service that matches domain names to IP addresses. It includes the format for queries, responses, and data. DNS uses a single format called a DNS message. - DNS Message Format The DNS server stores different types of resource records that are used to resolve names. These records contain the name, address, and type of record. Some of these record types are as follows: * A – An end device IPv4 address * NS – An authoritative name server * AAAA – An end device IPv6 address (pronounced quad-A) * MX – A mail exchange record When a client makes a query to its configured DNS server, the DNS server first looks at its own records to resolve the name. If it is unable to resolve the name by using its stored records, it contacts other servers to resolve the name. After a match is found and returned to the original requesting server, the server temporarily stores the numbered address in the event that the same name is requested again. DNS uses the same message format between servers. It consists of a question, answer, authority, and additional information for all types of client queries and server responses, error messages, and transfer of resource record information. - DNS Hierarchy DNS uses a hierarchical system based on domain names to create a database to provide name resolution. The naming structure is broken down into small, manageable zones. Each DNS server maintains a specific database file and is only responsible for managing name-to-IP mappings for that small portion of the entire DNS structure. When a DNS server receives a request for a name translation that is not within its DNS zone, the DNS server forwards the request to another DNS server within the proper zone for translation. DNS is scalable because hostname resolution is spread across multiple servers. The different top-level domains represent either the type of organization or the country of origin.

Answer 8

SNMP was developed to allow administrators to manage devices such as servers, workstations, routers, switches, and security appliances. It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth. SNMP is an application layer protocol that provides a message format for communication between managers and agents. SNMPv3 includes authentication, encryption, and message integrity. The SNMP system consists of three elements: * SNMP manager: network management system (NMS) * SNMP agents (managed device) * Management Information Base (MIB) To configure SNMP on a networking device, it is first necessary to define the relationship between the SNMP manager and the device (the agent). The SNMP manager is part of a network management system (NMS). The SNMP manager runs SNMP management software. The SNMP manager can collect information from an SNMP agent by using the “get” action. It can also change configurations on an agent by using the “set” action. In addition, SNMP agents can forward information directly to the SNMP manager by using “traps”.

Answer 9

An SNMP agent running on a device collects and stores information about the device and its operation. This information is stored locally by the agent in the MIB. The SNMP manager then uses the SNMP agent to access information within the MIB and make changes to the device configuration. There are two primary SNMP manager requests, get and set. A get request is used by the SNMP manager to query the device for data. A set request is used by the SNMP manager to change configuration variables in the agent device. A set request can also initiate actions within a device. The NMS can be configured to periodically have the SNMP managers poll the SNMP agents that are residing on managed devices using the get request. The SNMP manager queries the device for data. Using this process, a network management application can collect information to monitor traffic loads and to verify the device configurations of managed devices. The information can be displayed via a GUI on the NMS. Periodic SNMP polling does have disadvantages. First, there is a delay between the time that an event occurs and the time that it is noticed (via polling) by the NMS. Second, there is a trade-off between polling frequency and bandwidth usage. To mitigate these disadvantages, it is possible for SNMP agents to generate and send traps to inform the NMS immediately of certain events. Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. Examples of trap conditions include, but are not limited to, improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

Answer 10

For SNMP to operate, the NMS must have access to the MIB. To ensure that access requests are valid, some form of authentication must be in place. SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects. There are two types of community strings: * Read-only (ro) - This type provides access to the MIB variables, but does not allow these variables to be changed. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode. * Read-write (rw) - This type provides read and write access to all objects in the MIB. To get or set MIB variables, the user must specify the appropriate community string for read or write access. The agent captures data from MIBs, which are data structures that describe SNMP network elements as a list of data objects. Think of the MIB as a "map" of all the components of a device that are being managed by SNMP. To monitor devices, the SNMP manager must compile the MIB ﬁle for each equipment type in the network. Given an appropriate MIB, the agent and SNMP manager can use a relatively small number of commands to exchange a wide range of information with one another. The MIB is organized in a tree-like structure with unique variables represented as terminal leaves. An Object IDentiﬁer (OID) is a long numeric tag. It is used to distinguish each variable uniquely in the MIB and in the SNMP messages. Variables that measure things such as CPU temperature, inbound packets on an interface, fan speed, and other metrics, all have associated OID values. The MIB associates each OID with a human-readable label and other parameters, serving as a dictionary or codebook. SNMP traps are used to generate alarms and events that are happening on the device. SNMP community names are used to group SNMP trap destinations. When community names are assigned to SNMP traps, the request from the SNMP manager is considered valid if the community name matches one conﬁgured on the managed device. If so, all agent-managed MIB variables are made accessible. If the community name does not match, however, SNMP drops the request. SNMP uses the following messages to communicate between the manager and the agent: * Get * GetNext * GetResponse * Set * Trap The Get and GetNext messages are used when the manager requests information for a speciﬁc variable. When the agent receives a Get or GetNext message it will issue a GetResponse message back to the manager. The response message will contain either the information requested or an error message indicating why the request cannot be processed. A Set message is used by the manager to request that a change should be made to the value of a speciﬁc variable. Similarly, to the Get and GetNext requests, the agent will respond with a GetResponse message indicating either that the change has been successfully done or an error message indicating why the requested change cannot be implemented. The Trap message is used by the agent to inform the manager when important events take place. An SNMP Trap is a change of state message.

Answer 11

Accurate time and making sure all devices in the network have a uniform and correct view of time has always been a critical component to ensuring a smooth operation of the infrastructure. Every second of downtime or unavailability of services over the network can be extremely expensive. Service Level Agreements (SLAs) are contracts between parties that consume infrastructure services and parties that provide these services. Time is fundamental to measuring SLAs and enforcing contracts. Network Time Protocol (NTP) enables a device to update its clock from a trusted network time source, compensating for local clock drift. A device receiving authoritative time can be conﬁgured to serve time to other machines, enabling groups of devices to be closely synchronized. NTP uses UDP port 123 as source and destination. An authoritative time source is usually a radio clock, or an atomic clock attached to a time server. It is the role of NTP to distribute the time across the network. NTP uses the concept of strata (layers) to describe how far away a host is from an authoritative time source. The most authoritative sources are in stratum 1. These are generally servers connected directly to a very accurate time source, like a rubidium atomic clock. A stratum 2 time server receives time from a stratum 1 server, and so on. NTP avoids synchronizing with upstream servers whose time is not accurate. It does this in two ways: * NTP never synchronizes with a NTP server that is not itself synchronized. * NTP compares time reported by several NTP servers, and will not synchronize to a server whose time is an outlier, even if its stratum is lower than the other servers' stratum. The time kept on a device is a critical resource. It is strongly recommended to use the security features that come with NTP to avoid the accidental or malicious conﬁguration of incorrect time. Clients usually synchronize with the lowest stratum server they can access. But NTP incorporates safeguards as well: it prefers to have access to at least three lower-stratum time sources (giving it a quorum), because this helps it determine if any single source is incorrect. When all servers are well synchronized, NTP chooses the best server based on a range of variables: lowest stratum, network distance (latency), and precision claimed. In order to determine if a server is reliable, the client applies many sanity checks. If any one of these checks fail, the device declares the source insane.

Answer 12

* Client/Server Mode Client/server mode is most common. In this mode, a client or dependent server can synch with a group member, but not the reverse, protecting against protocol attacks or malfunctions. Client-to-server requests are made via asynchronous remote procedure calls. On the client side, client/server mode can be turned on with a single command or conﬁg-ﬁle change, followed by a restart of the NTP service on the host. * Symmetric Active/Passive Mode In this mode, a group of low stratum peers work as backups for one another. Each peer derives time from one or more primary reference sources or from reliable secondary servers. Should a peer lose all reference sources or stop working, the other peers automatically reconﬁgure to support one another. This is called a 'push-pull' operation in some contexts: peers either pull or push time, depending on self-conﬁguration. * Broadcast and/or Multicast Mode When only modest requirements for accuracy exist, clients can use NTP broadcast and/or multicast modes, where many clients are conﬁgured the same way, and one broadcast server (on the same subnet) provides time for them all. Broadcast messages are not propagated by routers, meaning that this mode cannot be used beyond a single subnet.

Answer 13

Network Address Translation (NAT) helps with the problem of IPv4 address depletion. NAT works by mapping many private internal IPv4 addresses to a range of public addresses or to one single address (as is done in most home networks). NAT identifies trafﬁc to and from a speciﬁc device, translating between external/public and internal/private IPv4 addresses. NAT can be conﬁgured on hosts and routers requiring it, without requiring any changes to hosts or routers that do not need NAT. By mapping between external and internal IPv4 addresses, NAT allows an organization with non-globally-routable IPv4 addresses to connect to the internet by translating addresses into a globally-routable IPv4 address.

Answer 14

NAT typically runs on a router. Before packets are forwarded between networks, NAT translates the private (inside local) addresses within the internal network into public (inside global) addresses. This functionality gives the option to conﬁgure NAT so that it advertises only a single address to the outside world, for the entire internal network. By so doing, NAT effectively hides the internal network from the world. Types of NAT include: * Static address translation (static NAT) – This is one-to-one mapping between global and local IPv4 addresses. * Dynamic address translation (dynamic NAT) – This maps registered IPv4 addresses from a pool to registered IP addresses. * Overloading (also called Port Address Translation or PAT) – This maps many unregistered IPv4 addresses to a single registered address (many to one) on different ports. Through overloading, thousands of users can be connected to the internet by using only one real global IP address. IPv6 was developed with the intention of making NAT unnecessary. However, IPv6 does include its own IPv6 private address space called unique local addresses (ULAs). NAT includes four types of addresses: * Inside local address * Inside global address * Outside local address * Outside global address When determining which type of address is used, it is important to remember that NAT terminology is always applied from the perspective of the device with the translated address: * Inside address – This is the address of the device which is being translated by NAT. * Outside address – This is the address of the destination device. NAT also uses the concept of local or global with respect to addresses: * Local address – This is any address that appears on the inside portion of the network. * Global address - This is any address that appears on the outside portion of the network. IPv4 addresses can be translated into globally-unique IPv4 addresses when communicating outside the internal network. There are two options to accomplish this: * Static translation - This method sets up a one-to-one mapping between an inside local address and an inside global address. This is useful when a host on the inside must be accessed from a ﬁxed outside address. * Dynamic translation - This method maps between inside local addresses and a global address pool. Using a single global address for multiple local addresses is known as overloading. When overloading is conﬁgured, the NAT device gathers information from higher-level protocols (for example, TCP or UDP port numbers) to translate global addresses back to correct local addresses. To map multiple local addresses to one global address, TCP or UDP port numbers are used to distinguish local addresses. This NAT process is called Port Address Translation (PAT).

Answer 15

Network troubleshooting usually follows the OSI layers. You can start either top to bottom beginning at the application layer and making your way down to the physical layer. Or you can go from the bottom to the top. First and foremost, from a client perspective, it is very important to determine how the client connects to the network. Is it a wired or wireless connection? If the client connects via an Ethernet cable, make sure the NIC comes online and there are electrical signals being exchanged with the switch port to which the cable is connected. Troubleshooting at the physical layer basically boils down to making sure there are four uninterrupted pairs of twisted copper cables between the network client and the switch port. If the client wirelessly connects to the network, make sure that the wireless network interface is turned on and it can send and receive wireless signals to and from the nearest wireless access point. Moving up to the data link layer, or Layer 2, make sure the client is able to learn destination MAC addresses (using ARP) and also that the switch to which the client is connecting is able to learn the MAC addresses received in its ports. At the network layer, or Layer 3, make sure the client obtains the correct IP address from the DHCP server, or is manually conﬁgured with the correct IP address and the correct default gateway. Make sure the client can access the port on which the application is running. One additional thing to verify is trafﬁc load and network delay. Maybe you are lucky to begin with and are verifying a web server access or a REST API endpoint and the server returns a 500 status code. In that case you can start troubleshooting the web server and skip all of the network troubleshooting steps. If you got this far in your network troubleshooting, there is a good chance that the problem is not with the network and a closer look at the application server is in order.

Answer 16

ifconfig is a software utility for UNIX-based operating systems. There is also a similar utility for Microsoft Windows-based operating systems called ipconfig. The main purpose of this utility is to manage, conﬁgure, and monitor network interfaces and their parameters. ifconfig runs as a command-line interface tool and comes by default installed with most operating systems. Common uses for ifconfig are the following: * Configure IP address and subnet mask for network interfaces. * Query the status of network interfaces. * Enable/disable network interfaces. * Change the MAC address on an Ethernet network interface. Issuing the ifconfig --help command in the command line interface will display all the options that are available with this version of ifconfig. If ifconfig is issued without any parameters, it just returns the status of all the network interfaces on that host. Note: The ifconfig command has been used within Linux for many years. However, some Linux distributions have deprecated the ifconfig command. The ip address command is becoming the new alternative.

Answer 17

Similar to ifconfig, ping is a software utility used to test IP network reachability for hosts and devices connected to a speciﬁc network. It is also available on virtually all operating systems and is extremely useful for troubleshooting connectivity issues. The ping utility uses Internet Control Message Protocol (ICMP) to send packets to the target host and then waits for ICMP echo replies. Based on this exchange of ICMP packets, ping reports errors, packet loss, roundtrip time, time to live (TTL) for received packets, and more. By default, ping (or ping -help in Linux) will display all the options it has available. Some of the options you can specify include: * Count of how many ICMP echo requests you want to send * Source IP address in case there are multiple network interfaces on the host * Timeout to wait for an echo reply packet * Packet size, if you want to send larger packet sizes than the default 64 bytes. This option is very important when determining what is the MTU on an interface. Keep in mind that if you do not receive any replies from the destination you are trying to reach with ping it does not mean that the host is ofﬂine or not reachable. It could simply mean that ICMP echo-request packets are ﬁltered by a ﬁrewall and are not allowed to reach the destination host. It is actually a best practice to expose only the services needed to be available on the hosts in the network. For IPv6 there exists a similar utility on Linux and MacOS that is called ping6 and is also available on most operating systems. Windows and Cisco IOS uses the same ping command for both IPv4 and IPv6.

Answer 18

You have seen how ping can display host reachability on the network. traceroute builds on top of that functionality and displays the route that the packets take on their way to the destination. The Microsoft Windows alternative is also a command-line utility and is called tracert. Observing the path the network trafﬁc takes from its source to the destination is extremely important from a troubleshooting perspective, as routing loops and non-optimal paths can be detected and then remedied. traceroute uses ICMP packets to determine the path to the destination. The Time to Live (TTL) ﬁeld in the IP packet header is used primarily to avoid inﬁnite loops in the network. For each hop or router that an IP packet goes through, the TTL ﬁeld is decremented by one. When the TTL ﬁeld value reaches 0, the packet is discarded, avoiding the dreaded inﬁnite loops. Use traceroute --help to see the available options. Several options are available with traceroute including: * Specifying the TTL value of the first packet sent. By default this is 1. * Specifying the maximum TTL value. By default, it will increase the TTL value up to 64 or until the destination is reached. * Specifying the source address in case there are multiple interfaces on the host. * Specifying QoS value in the IP header. * Specifying the packet length.

Answer 19

nslookup is another command-line utility used for querying DNS to obtain domain name to IP address mapping. Like other tools mentioned in this section, nslookup is widely available on most all operating systems. This tool is useful to determine if the DNS server conﬁgured on a speciﬁc host is working as expected and actually resolving hostnames to IP addresses. It could be that maybe a DNS server is not conﬁgured at all on the host, so make sure you check /etc/resolv.conf on UNIX-like operating systems and that you have at least a nameserver deﬁned. You can enter man nslookup to learn more about the available options.

Answer 20

- Introduction to Network Fundamentals A protocol suite is a set of protocols that work together to provide comprehensive network communication services. Both the OSI and the TCP/IP reference models use layers to describe the functions and services that can occur at that layer. The form that a piece of data takes at any layer is called a protocol data unit (PDU). At each stage of the encapsulation process, a PDU has a different name to reflect its new functions: data, segment, packet, frame, and bits. The OSI reference model layers are described here from bottom to top: 1. The physical layer is responsible with the transmission and reception of raw bit streams. 2. The data link layer provides NIC-to-NIC communications on the same network. 3. The network layer provides services to allow end devices to exchange data across networks. 4. The transport layer provides the possibility of reliability and flow control. 5. The session layer allows hosts to establish sessions between them. 6. The presentation layer speciﬁes context between application-layer entities. 7. The application layer is the OSI layer that is closest to the end user and contains a variety of protocols usually needed by users. - Network Interface Layer Ethernet is a set of guidelines and rules that enable various network components to work together. In Ethernet terminology, the container into which data is placed for transmission is called a frame. The frame contains header information, trailer information, and the actual data that is being transmitted. Important fields of a MAC address frame include preamble, SFD, destination MAC Address, source MAC address, type, data, and FCS. Each NIC card has a unique Media Access Control (MAC) address that identiﬁes the physical device, also known as a physical address. The MAC address identifies the location of a specific end device or router on a LAN. The three major types of network communications are: unicast, broadcast, and multicast. The switch builds and maintains a table (called the MAC address table) that matches the destination MAC address with the port that is used to connect to a node. The switch forwards frames by searching for a match between the destination MAC address in the frame and an entry in the MAC address table. Depending on the result, the switch will decide whether to ﬁlter or ﬂood the frame. If the destination MAC address is in the MAC address table, it will send it out the specified port. Otherwise, it will flood it out all ports except the incoming port. A VLAN groups devices on one or more LANs that are conﬁgured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. VLANs deﬁne Layer 2 broadcast domains. VLANs are often associated with IP networks or subnets. A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN trunk extends VLANs across an entire network. VLANs are organized into three ranges: reserved, normal, and extended. - Internetwork Layer An IPv4 address is 32 bits, with each octet (8 bits) represented as a decimal value separated by a dot. This representation is called dotted decimal notation. There are three types of IPv4 addresses: network address, host addresses, and broadcast address. The IPv4 subnet mask (or prefix length) is used to differentiate the network portion from the host portion of an IPv4 address. IPv6 is designed to be the successor to IPv4. IPv6 has a larger 128-bit address space, providing 340 undecillion possible addresses. IPv6 preﬁx aggregation, simpliﬁed network renumbering, and IPv6 site multihoming capabilities provide an IPv6 addressing hierarchy that allows for more efﬁcient routing. IPv6 addresses are represented as a series of 16-bit hexadecimal ﬁelds (hextet) separated by colons (:) in the format: x:x:x:x:x:x:x:x. A router is a networking device that functions at the internet layer of the TCP/IP model or Layer 3 network layer of the OSI model. Routing involves the forwarding packets between different networks. Routers use a routing table to route between networks. A router generally has two main functions: Path determination, and Packet routing or forwarding. A routing table may contain the following types of entries: directly connected networks, static routes, default routes, and dynamic routes. - Network Devices A key concept in Ethernet switching is the broadcast domain. A broadcast domain is a logical division in which all devices in a network can reach each other by broadcast at the data link layer. Switches can now simultaneously transmit and receive data. Switches have the following functions: * Operate at the network access layer of the TCP/IP model and the Layer 2 data link layer of the OSI model * Filter or flood frames based on entries in the MAC address table * Have a large number of high speed and full-duplex ports The switch operates in either of the following switching modes: cut-through, and store-and-forward. Routers are needed to reach devices that are not on the same local LAN. Routers use routing tables to route trafﬁc between different networks. Routers have the following functions: * They operate at the internet layer of TCP/IP model and Layer 3 network layer of the OSI model. * The route packets between networks based on entries in the routing table. * They have support for a large variety of network ports, including various LAN and WAN media ports which may be copper or fiber. The number of interfaces on routers is usually much smaller than switches but the variety of interfaces supported is greater. IP addresses are configured on the interfaces. There are three packet-forwarding mechanisms supported by routers: process switching, fast switching, and CEF. A ﬁrewall is a hardware or software system that prevents unauthorized access into or out of a network. The most advanced type of ﬁrewall is the application layer ﬁrewall. With this type, deep inspection of the packet occurs all the way up to the OSI model’s Layer 7. Server load balancing helps ensure the availability, scalability, and security of applications and services by distributing the work of a single server across multiple servers. Network diagrams display a visual and intuitive representation of the network. There are generally two types of network diagrams: Layer 2 physical connectivity diagrams, and Layer 3 logical connectivity diagrams. - Networking Protocols Telnet and SSH, or Secure SHell, are both used to connect to a remote computer and log in to that system using credentials. Telnet is less prevalent today because SSH uses encryption to protect data going over the network connection and data security is a top priority. NETCONF does have a standardized port value, 830. RESTCONF does not have a reserved port value. Dynamic Host Conﬁguration Protocol (DHCP) is used to pass conﬁguration information to hosts on a TCP/IP network. DHCP allocates IP addresses in three ways: automatic, dynamic, and manual. DHCP operations includes four messages between the client and the server: server discovery, IP lease offer, IP lease request, and IP lease acknowledgment. The DNS protocol defines an automated service that matches resource names with the required numeric network address. The SNMP system consists of three elements: * SNMP manager: network management system (NMS) * SNMP agents (managed node) * Management Information Base (MIB) There are two primary SNMP manager requests, get and set. A get request is used by the NMS to query the device for data. A set request is used by the NMS to change configuration variables in the agent device. Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. NTP is used to distribute and synchronize time among distributed time servers and clients Network Address Translation (NAT) helps with the problem of IPv4 address depletion. NAT works by mapping thousands of private internal addresses to a range of public addresses. NAT includes four types of addresses: * Inside local address * Inside global address * Outside local address * Outside global address Types of NAT include: static NAT, dynamic NAT, and port address translation (PAT). - Troubleshooting Application Connectivity Issues Network troubleshooting usually follows the OSI layers. If you cannot find any network connectivity issues at any of the OSI model layers, it might be time to look at the application server. Common uses for ifconfig are the following: * Configure IP address and subnet mask for network interfaces. * Query the status of network interfaces. * Enable/disable network interfaces. * Change the MAC address on an Ethernet network interface. ping is a software utility used to test IP network reachability for hosts and devices connected to a speciﬁc network. traceroute uses ICMP packets to determine the path to the destination. nslookup is another command-line utility used for querying DNS to obtain domain name to IP address mapping.

Module 5 Flashcards

(44 cards)