Chapter 11

Hot Spare

A duplicate component that is already installed in a device and can assume the original component's functions in case that component fails.

Incident Response Policies

Specifically define the characteristics of an event that qualifies as a formal incident and the steps that should be followed as a result.

Which of the following features of a network connection between a switch and server is not improved by link aggregation?

Speed

What are the two main categories of UPSes?

Standby, Online

Load Balancing

A distribution of traffic over multiple components or links to optimize performance and fault tolerance.

Disaster

An extreme type of incident, involving a network outage that affects more than a single system or limited group of users.

Snapshot

An infrequently saved, incremental backup of the data's state at a specific point in time, even as the data continues to be modified by users; sometimes only contains info about changed made since the last backup, and so could not fully restore lost data.

Managed Object

Any characteristic of a device that is monitored, including components such as processor, memory, hard disk, or NIC.

Cold Site

Computers, devices, and connectivity required to rebuild a network exist, but they are not appropriately configured, updated, or connected; could take a long time.

Fault Management

Detecting and signaling of a device, link or component faults.

What are the physical links involved in creating one logical link called?

LAG (Link Aggregation Group), bundle, or team.

What kind of network is DiffServ well suited to?

Large, heavily trafficked networks.

Once a device has failed, what metric measures the average amount of time to repair?

Mean Time to Repair (MTTR)

Performance Management

Monitoring how well links and devices are keeping up with the demands placed on them

What are two things to account for when gathering data for a Baseline?

Normal network variations throughout the day, week, month, and different seasons; changes to the network that might be unpredictable in the resulting impact.

How does syslog report levels of security for logged events?

Numerically; 0 is an emergency situation, and 7 points to specific information that might help debugging a problem.

Each managed object on a managed device using SNMP is assigned which of the following?

Object Identifier (OID)

Group Master

One device in a CARP protocol that receives requests for an IP address, then parcels the requests to one of several devices in the group.

Which power backup method will continually provide power to a server if the power goes out during a thunderstorm?

Online UPS

What are three advantages of NAS devices?

Optimization, adaptability, and expansion.

LACP (Link aggregation Control Protocol)

Originall defined by the 802.3AD standard, now defined by the 802.1AX standard. LACP dynamically coordinates communications between hosts on aggregated connections.

Packet Loss

Packets lost due to an unknown protocol, unrecognized port, network noise, or some other anomaly.

What port do SNMP agents listen on?

Port 161

What are the six stages of an incident response?

Preparation, detection and identification, containment, remediation, recovery, and review.

What 3-bit field in a 802.1Q tag is modified to set a frame's Class of Service (CoS)?

Priority Code Point (PCP)

What are the most common forms of RAID used on a NAS server pool?

RAID 0, RAID 1, RAID5, and RAID 10

CoS (Class of Service)

Refers only to techniques performed at Layer 2, on ethernet frames, and is one method of implementing QoS.

HA (High Availabilitty)

Refers to a system that functions reliably nearly all the time.

Availability

Refers to how consistently and reliably a connection, system, or other network resource can be accessed by authorized personnel. Often expressed as a percentage.

Interface Resets

Repeated resets of the connection, resulting in lower-quality utilization; caused by an interface misconfiguration.

Jitter

When successive packets experience varying amounts of latency, resulting in their arriving out of order, the user experience is degraded. Can be addressed through traffic management techniques.

Cold Spare

A duplicate component that is not installed, but can be installed in case of a failure; reliance on a cold spare results in an interruption of service.

Dual Power Supplies

A form of power redundancy; provides at least one backup in case a power supply fails.

QoS (Quality of Service)

A group of techniques for adjusting the priority a network assigns to various types of transmissions.

Event Log

A log on which a device monitors information and can communicate it in real time.

Fault

A malfunction of one component of a system; can result in a failure.

Brownout

A momentary decrease in voltage, also known as a sag.

Surge

A momentary increase in voltage due to lightning strikes, solar flares, or electrical problems.

FCoE (Fibre Channel over Ethernet)

A newer technology that allows FC to travel over Ethernet hardware and connections; FC is encapsulated inside an FCoE frame, which is then encapsulated inside an Ethernet frame.

Baseline

A report of the network's normal state of operation and might include a range of acceptable measurements.

Port Mirroring

A setting where all traffic sent to any port on the switch is also sent to the mirrored port.

Syslog (System Log)

A standard for generating, storing, and processing messages about events on a system in Linux or UNIX.

FC (Fibre Channel)

A storage networking architecture that runs separately from Ethernet networks to maximuze speed of data storage and access.

Wireshark

A type of protocol analyzer that monitors traffic on the interface between a single device and the network.

CARP (Common Address Redundancy Protocol)

Allows a pool of computers or interfaces to share one or more IP addresses; known as a group of redundancy or redundancy group.

Standby UPS

Also called an SPS (Standby Pwer Supply) provides continuous voltage to a device by switching virtually instantaneously to the battery when it detects a loss of power.

What are some factors applicable to a UPS?

Amount of power needed, period of time to keep a device running, line conditioning, and cost.

VIP (virtual IP address)

An IP address that represents the entire cluster; to the client, a cluster looks like a single web server.

How is an MIB designed?

A top-down, hierarchical structure, where the root is unnamed.

Spiceworks

A type of network monitoring software that multiple devices on a network at one time.

Traffic Shaping

Also called packet shaping, involves manipulating certain characteristics of packets, data streams, or connections to manage the type and amount of traffic traversing a network or interface at any moment.

What field in an IPv4 packet is altered to prioritize video streaming traffic over web surfing traffic?

DiffServ

A snapshot is similar to which type of backup scheme?

Incremental Backup

What does the Common Address Redundancy Protocol do?

It allows a pool of computers or interfaces to share the same IP address.

At what point is a packet considered to be a giant?

It becomes a giant when it exceeds the medium's maximum packet size.

How does a line conditioning UPS protect network equipment?

It filters line noise from incoming power.

What protocol is most often used to bond ports between a switch and a busy server?

LACP

Packet Drops

Packets that are damaged beyond use, arrive after their expiration, or are not allowed through an interface.

Discarded Packets

Packets that arrive at their destination, but are then deliberately discarded, or dropped, because issues such as buffer overflow, latency, bottlenecks, or other forms of network congestion.

What must be enabled for a computer to "see" all traffic?

Promiscuous mode; a device driver directs the NIC to pass all wireless frames to the OS and onto the monitoring software.

What are some of the characteristics of traffic prioritization?

Protocol, IP address, user group, DiffServ flag in an IP packet, VLAN tag in a Data Link Layer frame, service or application.

A TAP...

Provides a mirrored port for monitoring traffic between other ports.

If taskkill does not work, what can you try next?

Taking ownership with takedown /f <filename>.

What is SNMP part of?

The TCP/IP Suite of protocols; it typically runs over UDP on ports 161 and 162.

Network Management

The assessment, monitoring, and maintenance of all aspects of a network.

Fault Tolerance

The capacity for a system to continue performing despite an unexpected hardware of software malfunction.

Collector

The computer that gathers event messages from generators.

Generator

The computer that is monitored by a syslog-compatible application and that issues event information.

In planning for disaster recovery, what is the ultimate goal?

The continuation of the business.

MIB (Management Information Base)

The list of objects managed by the NMS, as well as the descriptions of these objects, are kept here. Also contains data about an object's performance in a database format.

SNMPv1

The original version, released in 1988. It is rarely used on modern networks.

Utilization

This metric refers to the actual throughput used as a percentage of available bandwidth

SNMPv2

This version improved on SNMPv1 with increased performance and slightly better security.

SNMPv3

This version is similar to SNMPv2, but adds authentication, validation, and encryption for messages exchanged between managed devices and the network management console; it is the most secure version of the protocol.

Most UNIX and Linux desktop operating systems provide a GUI application for easily viewing and filtering the information in system logs.

True

The SNMP version 3 protocol introduces authentication, validation, and encryption for messages exchanged between devices and the network management console.

True

iSCSI (Internet SCSI)

A Transport layer protocol that runs on top of TCP to allow fast transmissions over LANs, WANs, and the Internet.

UPS (Uninterruptible Power Supply)

A battery-operated power source directly attached to one or more devices and to a power supply that provides undesired fluctuations of the wall outlet's AC power from harming the device or interrupting its services.

Blackout

A complete power loss.

Backup

A copy of data or program files created for archiving or safekeeping.

EF (Expedited Forwarding)

A data stream is assigned a minimum departure rate from a given node; this technique circumvents delays that slow normal data.

Failure

A deviation from a specified level of system performance for a given period of time.

Load Balancer

A device dedicated to the task of distributing traffic intelligently among multiple computers.

Jabber

A device that handles electrical signals improperly, usually affecting the rest of the network.

DiffServ (Differentiated Services)

A simple techniques that addresses QoS issues by prioritizing traffic at Layer 3 (Network); takes into account all types of network traffic, not just time-sensitive services.

Distributed Switching

A single, distributed vSwitch that services VMs across multiple hosts. It centralizes control of VMs, simplifies network operations, and minimizes the chances for configuration errors.

Network Management Agent

A software routine that collects information about the device's operation and provides it to the NMS. Agents demand minimal processing resources.

NAS (Network Attached Storage)

A specialized storage device or group of storage devices that provides centralized, fault-tolerant data storage for a network; can be though of as a type of server dedicated to data sharing.

Static Configuration

Both hosts are manually configured to handle the division of labor between the redundant links according to particular rules without the ability to compensate for errors.

What are the first 6 bits of the DiffServ field in an IPv4 packet called?

DSCP (Differentiated Services Code Points)

A differential backup covers what kind of data on a system?

Data that has changed since the last full backup.

Ghosts

Frames that are not actually data frames, but aberrations caused by a device misinterpreting stray voltage on the wire. Ghosts have an invalid pattern at the beginning of the frame pattern.

Wireshark or any other monitoring software running on a single computer connected to a switch doesn't see all the traffic on a network, but only the traffic the switch sends to it, which includes broadcast traffic and traffic specifically addressed to the computer.

True

You can find out where various logs are kept on some UNIX and Linux systems by viewing the /etc/syslog.conf or /etc/rsyslog.conf files.

True

Redundancy

Two or more of the same item, service, or connection filling the same role on the network.

Online UPS

Uses the AC power from the wall outlet to continuously charge its battery, while providing power to a network device through its battery. It can handle noise, surges, and sags before the power reaches the attached device.

What are some examples of a distributed switch product?

VMWare's VDS (vSphere Distributed Switch), along with Cisco's Nexus 1000v.

CARP is a free alternative to other redundancy protocols. What are two others?

VRRP (Virtual Router Redundancy Protocol,) or Cisco's proprietary HSRP (Hot Standby Routing Protocol); these two are used solely for routers.

Event Viewer

Views event logs.

What command will resolve process names?

netstat -b

What command displays the PID associated with a network connection?

netstat -o

What command will stop a process that refuses to stop by normal means?

taskkill /f /pid

If you wish to maintain a "four nines" availability rating, what is the maximum amount of downtime you can have per day?

8 Seconds

A highly available server is available what percentage of the time?

99.999%, or Five Nines

SAN (Storage Area Network)

A distinct network of storage devices that communicate directly with each other and with other networks.

Incident

Any event, large or small, that has adverse effects on a network's availability or resources; security breach, a hacker gaining access to a user's account, an infection, or an environmental issue.

Managed Device

Any network node monitored by the NMS.

NMS (Network Management System) Server

At least one network management console that collects data from multiple managed devices at regular intervals in a process called polling.

Differential Backup

Backs up data that has changed since the last full backup

Full Backup

Backs up everything every time a backup is done

Incremental Backup

Backs up only data that has changed since the last backup

When you arrive at work one morning, your inbox is full of messages complaining of a network slowdown. You collect a capture from your network monitor. What can you compare it to in order to determine what has changed?

Baseline

Error Rate

Bits can be damaged in transpit due to EMI or other interference.

How does DiffServ prioritize traffic?

By placing information in the DiffServ field of an IPv4.

Where can you find the location of a log in a UNIX or Linux system?

By viewing the /etc/syslog.conf file

What type of adapters are required on servers in an FCoE storage network?

CNAs (Converged Network Adapters)

Which QoS technique operates at Layer 2 to more efficiently route Ethernet traffic between VLANs?

COS

The grouping of multiple servers so that they appear as a single device to the rest of the network is known as which term?

Clustering

Which type of disaster recovery site contains all the equipment you would need to get up and running again after a disaster, and yet would require several weeks to implement?

Cold Site

Hot Site

Computers, devices, and connectivity necessary to rebuild a network exist, and are all appropriately configured, updated, and connected to match your network's current state.

Warm Site

Computers, devices, and connectivity necessary to rebuild a network exist, with some pieces appropriately configured, updates, or connected; much more expensive, but much quicker.

AF (Assured Forwarding)

Different levels of router resources can be assigned by data streams. Prioritizes data handling, but provides no guarantee that it will arrive on time and in sequence.

What are the two types of forwarding defined by DiffServ?

EF (Expedited Forwarding,) and AF (Assured Forwarding)

Traffic Analysis

Examines the glow of network traffic for patterns and exceptions to those patterns.

Setting a NIC to run in promiscuous mode will allow it to see all network traffic passing through a network switch.

False

True or false; a piece of monitoring software can see all devices on the network.

False; it only sees the traffic the switch sends to it.

Noise

Fluctuation in voltage levels caused by other devices on the network or EMI. Power that is free from noise is called clean power.

In-Line Monitoring Devices typically have...

Four ports; two to send and receive all traffic, one to mirror the traffic and send it to a computer running monitoring software, and one for device configuration.

What are the priority classes of traffic?

High, normal, low, and slow. Can also be rated from 0 (lowest priority) to 7 (highest priority)

When shopping for a new router, what does the MTBF tell you?

How long devices like this one will last on average until the next failure.

The Link Aggregation Control Protocol was initially defined by what IEEE standard?

IEEE 802.3ad

Hot-Swappable

Identical components that can be changed (or swapped) while a machine is still running (hot.)

Packet Analysis

Identifies protocols, errors, and misconfigurations within a packet.

Public Relations Specialist

If necessary, this team member learns about the situation and the response and then acts as official spokesperson for the organization to the public or other interested parties.

Automatic Failover

In the event of a component failure, the ability of a redundant component to immediately assume the duties of the failed component.

What advantages does a LAG offer?

Increased total throughput, automatic failover between aggregated NICs, and load balancing.

What are some advantages of iSCSI over Fibre Channel?

It is not as expensive, can run over established Ethernet LAN by installed iSCSI software (called an iSCSI initiator) on network clients and servers, and doesn not require as much training for IT personnel.

IB (InfiniBand)

Requires specialized network hardware. InfiniBand tends to serve a few niche markets rather than being widely available; falls on the difficult end of the installation and configuration of the spectrum, and runs on the expensive size as well.

What is the primary goal of disaster recovery?

Restoring critical functionality and data after an outage affects more than s ingle system or a limited group of users.

Redundant Power Circuits

Runs to data servers so if a circuit breaker trips, the servers can keep running on the other power circuit.

Packets that are smaller than a medium's minimum packet size are known by what term below?

Runts

What command requests the next record in an SNMP log?

SNMP Get Next

Business Continuity

The ability of the company to continue doing business with the least amount of interuption possible.

MTBF (Mean Time Between Failures)

The average amount of time that will pass for devices exactly like this one before the next failure is expected to occur.

MTTR (Mean Time to Repair)

The mean time required to repair a device.

First Responders

The people with training and/or certifications that prepare them to handle evidence in such a way to preserve its admissibility in court.

Dispatcher

The person on call who first notices or is alerted to the problem.

Active Mode

The port is set to automatically and actively negotiate for link aggregation using LACP. This allows for fault tolerance should one or more links fail; LACP will automatically reconfigure active links to compensate.

Passive Mode

The port passively listens for LACP-defined link aggregation requests, but will not initiate the request.

Disaster Recovery

The process of restoring your critical functionality and data after an outage that affects more than a single system or a limited group of users. The main focus is to ensure business continuity.

Link Aggregation

The seamless combination of multiple network interfaces or ports to act as one logical interface. Also known as port aggregation on Cisco devices, NIC teaming on Windows devices, and bonding, bundling, or Cisco's EtherChannel. Causes two or more NICs to work in tandem handling traffic between two or more devices.

Manager

The team member who coordinates the resources necessary to solve the problem.

Technical Support Specialist

The team member who focuses on only one thing: solving the problem as quickly as possible.

Clustering

The technique of grouping multiple devices so they appear as a single device to the rest of the network.

One of your coworkers downloaded several, very large video files for a special project she's working on for a new client. When you run your network monitor later this afternoon, what list will your coworker's computer likely show up on?

Top Listeners

In IPv6, what field does DiffServ use to prioritize traffic?

Traffic Class Field

Which fields are modified in IPv4 and IPv6 packets to help prioritize traffic for QoS?

Traffic Class Fields, DiffServ

Your roommate has been hogging the bandwidth on your router lately. What feature should you configure on the router to limit the amount of bandwidth his computer can utilize at any one time?

Traffic Shaping

Traffic Policing

Traffic Shaping techniques such as limiting the volume of traffic flowing in or out of an interface during a specified time period, or limited the momentary throughput rate of an interface.

Delay-Sensitive Transmissions

Transmissions that are cannot cope with occasional loss of data.

Loss-Tolerant Transmissions

Transmissions that can can cope with occasional loss of data.

While troubleshooting a recurring problem on your network, you will want to examine the TCP messages being exchanged between a server and a client. Which tool should you use?

Wireshark