Study Set 4
Client-server
-Administration paradigm where some host machines are designated as providing server and services and other machines are designated as client devices that only consume server services. -one where some nodes, such as PCs, laptops, and smartphones, act mostly as clients. The servers are more powerful computers. Application services and resources are centrally provisioned, managed, and secured.
A network architect is looking at the topology and metrics used to build and update a routing information base. Most routing information bases get classified as which of the following?
-Distance vector is one of the most classed algorithms. Some protocols use a hybrid of different methods to perform path selection more efficiently. -Link state is also one of the most classed algorithms. The algorithms for path selection get built according to the topology and metrics that they use to build and update a routing information base.
On modern networks, hybrid topologies are often used to implement redundancy and fault tolerance or to connect sites in WANs:
-Hierarchical star -Hierarchical star-mesh -Star of stars -Star with ring
Core layer
-Highest tier in a hierarchical network topology providing interconnections between blocks. -Devices such as client and server computers should not be attached directly to the core. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network. Routers or layer 3 switches in the core layer establish a full mesh topology with switches in distribution layer blocks.
A network comprises nodes and links.
-Intermediate system nodes perform a forwarding function, while -end system nodes are those that send and receive data traffic. End system nodes can be classified as either clients or servers
Distribution/Aggregation Layer
-Intermediate tier in a hierarchical network topology providing interconnections between the access layer and the core. -Each access switch has full or partial mesh links to each router or layer 3 switch in its distribution layer block. The distribution layer is often used to implement traffic policies, such as routing boundaries, filtering, or quality of service (QoS).
access or edge layer
-Lowest tier in a hierarchical network topology acting as the attachment point for end systems. -allows end-user devices, such as computers, printers, and smartphones to connect to the network.
port tagging
-On a switch with VLANs configured, a port with an end station host connected operates in untagged mode (access port). A tagged port will normally be part of a trunk link. --If a frame is addressed to a port in the same VLAN on the same switch, no tag needs to be added to the frame. --If the frame needs to be transported over a trunk link, the switch adds the relevant 802.1Q tag to identify the VLAN, and then forwards the frame over the trunk port. --If the switch receives an 802.1Q tagged frame on an access port, it strips the tag before forwarding it.
Three-tiered hierarchy
-Paradigm to simplify network design by separating switch and router functionality and placement into three tiers each with a separate role, performance requirements, and physical topology. -access, distribution, and core.
Spanning Tree Protocol (STP)
-Protocol that prevents layer 2 network loops by dynamically blocking switch ports as needed. -is a means for the bridges or switches to organize themselves into a hierarchy. The switch at the top of the hierarchy is the root. The switch with the lowest ID, comprising a priority value and the MAC address, will be selected as the root.
the following represent some of the main types of scanning that Nmap can perform:
-TCP SYN (-sS)-This is a fast technique (also referred to as half-open scanning) as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state. -TCP connect (-sT)-A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap must use the OS to attempt a full TCP connection. This type of scan is less stealthy. -UDP scans (-sU)-Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan. -Port range (-p)-By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --top-ports n , where n is the number of commonly used ports to scan. The frequency statistics for determining how commonly a port is used are stored in the nmap-services configuration file.
A network architect is researching distance vector protocols to use. Which of the following should the architect look into?
-The Routing Information Protocol (RIP) is a distance vector type that is part of the IGP class and runs over User Datagram Protocol (UDP) ports 520 or 521. -The Enhanced Interior Gateway Routing Protocol (EIGRP) is a distance vector/hybrid type that is part of the Interior Gateway Protocol (IGP) class and runs over native IP (88).
Switching loop
-Troubleshooting issue where layer 2 frames are forwarded between switches or bridges in an endless loop. -Without intervention, this loop will continue indefinitely, causing a broadcast storm
application-specific integrated circuit (ASIC)
-Type of processor designed to perform a specific function, such as switching. -layer 3 switches use this
Port numbers 0 through 1,023
-are preassigned by the Internet Assigned Numbers Authority (IANA) to "well-known" server applications. -Other server applications have been registered in the port range 1,024 through 49,151. -The remaining ports (up to 65,535) are designated for private or dynamic use
TCP connection teardown
1. The client sends a FIN segment to the server and enters the FIN-WAIT1 state. 2. The server responds with an ACK segment and enters the CLOSE-WAIT state. 3. The client receives the ACK segment and enters the FIN-WAIT2 state. The server sends its own FIN segment to the client and goes to the LAST-ACK state. 4. The client responds with an ACK and enters the TIME-WAIT state. After a defined period, the client closes its connection. 5. The server closes the connection when it receives the ACK from the client.
A security engineer is looking at IPv6 packets and observes packets for a default route. Which of the following represent a default route?
::/0
Star of stars
A WAN might be configured as a hub-and-spoke between a central office and branch offices, with each site implementing a star topology to connect end systems. This is also referred to as a snowflake topology.
A network administrator is looking at a network where network utilization approaches maximum capacity, and the CPU utilization of the switches jumps to 80 percent or more. What is this called?
A broadcast storm will cause network utilization to approach maximum capacity and the CPU utilization of the switches to jump to 80 percent or more.
Bus network topology
A bus network does allow cables to be connected using a device called a repeater.
A technician has identified an undocumented host using an IP address in a range set aside as unallocated. The technician is going to run a fingerprinting scan. What type of information could this yield about the host?
A fingerprinting scan compares specific responses to known information about hardware platforms, OS types and versions, and application/service types and versions.
Nmap security scanner
A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate services and detect vulnerabilities
A network operator is reviewing a network topology where all nodes share the bandwidth of the media. What is this called?
A physical bus topology with more than two nodes is a shared access topology, meaning that all nodes share the bandwidth of the media.
A router must forward traffic received over a single physical interface connected to a switch trunk port to the appropriate virtual LAN (VLAN). What feature must be configured on the router?
A subinterface for each VLAN carried over the trunk. Each subinterface must be configured with an IP address and mask for the subnet mapped to the VLAN.
a tagged port will normally be one that is operating as a trunk; that is, capable of transporting traffic addressed to multiple VLANs using the 802.1Q frame format
A trunk might be used to connect switches or to connect a switch to a router. In some circumstances, a host attached to a port might need to be configured to use multiple VLANs and would need to be attached to a trunk port, rather than an access port
A security analyst wants to reconstruct the packet contents for a Transmission Control Protocol (TCP) session in Wireshark. Which function should the security analyst use?
A useful option is to use the Follow TCP Stream context command to reconstruct the packet contents for a TCP session.
Hierarchical star
corporate networks are often designed in a hierarchy, also known as a tree topology. This can be combined with a star topology to implement each node in the overall tree. The links between nodes in the tree are referred to as backbones or trunks because they aggregate and distribute traffic from multiple different areas of the network.
Border gateway protocol
is a path vector type that is part of the Exterior Gateway Protocol (EGP) class and runs over Transmission Control Protocol (TCP) port 179.
TCP connection
is used to establish a transfer of a single file during a client session, such as a web page (HTTP). It might involve multiple TCP connections being opened with the server. These connections are managed using handshake transactions, which make use of a number of TCP flags.
Asymmetrical routing
refers to a topology where the return path is different to the forward path
When inspecting a routing table, you can use show ip route w.x.y.z
to check for the presence of a route to a specific IP network.
peer-to-peer
Administration paradigm whereby any computer device may be configured to operate as both server and client.
A network technician is looking at the route configurations for the organization's environment. What is it called when the IP network or subnet for each active router interface gets automatically added to the routing table?
Directly connected routes
True or False? User Datagram Protocol (UDP), like TCP, uses flow control in the sending of data packets.
False
True or false? A broadcast storm can only be resolved by investigating interface configurations
False. A broadcast storm could be caused by a physical layer issue, such as improper cabling.
True or false? Layer 3 capable switches are interchangeable with routers.
False. A layer 3 capable switch can perform fast routing and switching between subnets and virtual LANs (VLANs) on a local network. However, a layer 3 switch does not typically support WAN interface cards and so cannot be used as an edge router.
True or false? Any occurrence of an asterisk in traceroute output indicates that there is no connectivity the destination along that path.
False. Some routers along the path might not respond to probes. If there is no route to the destination, an unreachable notification will be displayed.
True or false? When configuring a voice VLAN, the voice VLAN ID must be lower than the access VLAN ID.
False. The IDs only need to be distinct and synchronized with the IDs expected by the switch.
voice or auxiliary VLAN
Feature of VoIP handsets and switches to segregate data and voice traffic while using a single network wall port to attach the handset and the computer.
TCP Flags
Field in the header of a TCP segment designating the connection state, such as SYN, ACK, or FIN.
In what STP-configured state(s) are all ports when a network running STP is converged?
Forwarding or blocking.
Which values can be used to assign a port to a specific VLAN?
From 2 to 4,094. The all zeros and all ones (0 and 4,095) are reserved and VLAN ID 1 is the default for all unconfigured ports.
A network architect is comparing RIP vs. EIGRP. What is a key difference between the two?
Full vs incremental routing updates
A network technician is looking at various protocols which support subnetting and supernetting. Which of the following protocols does NOT support subnetting and supernetting?
IGRP
What type of scanning tool outputs a "Host is up" status report.
IP scanner. Note that while most IP scanners can also function as port scanners they are distinct types of scanning activity.
A systems administrator needs network visibility to establish the logical topology of routers and subnets. Which of the following is a lightweight standalone tool which will allow the administrator to easily scan for IPs?
IP scanning uses lightweight standalone open source or commercial tools, such as Nmap, AngryIP, or PRTG. An IP scanner is a tool that performs host discovery.
A network administrator is configuring the handling of frames addressed to ports within the same VLAN on the same switch. In this context, what happens to the frame when it reaches its destination port?
If the frame gets addressed to a port in the same VLAN on the same switch, then the administrator does not need to add a tag to the frame.
What is the purpose of the window field in a TCP segment?
It is used for flow control. The window indicates the amount of data that the host can receive before sending another acknowledgement.
A network operator is calculating the amount of loss suffered by all components along a fiber transmission path. What is this called?
Loss budget
A network administrator is setting up Virtual Local Area Networks (VLANs) for various segments, such as voice and data. Which of the following IDs is the default VLAN?
The VLAN with ID 1 is known as the default VLAN. Unless configured differently, all ports on a switch default to being in VLAN 1.
A server administrator is analyzing a normal Transmission Control Protocol (TCP) Teardown connection to their servers. How many FIN-WAIT states does the client go through during this process?
The client goes through two FIN-WAIT states. In the first step, the client sends a FIN segment to the server and then enters the FIN-WAIT1 state.
A network technician does not have enough ports on a single switch and has to connect multiple switches. What should the technician research for interconnections between switches?
The interconnections between switches are known as trunks. The network technician should configure one of the ports on each switch as a trunk port for this purpose.
A network administrator wants to set up a switch with a voice or auxiliary Virtual Local Area Network (VLAN) to distinguish the PC and VoIP traffic without having to set up a trunk port. Which of the following commands should the administrator perform first?
The interface GigabitEthernet0/0 is the first command. Normally, for a switch interface to process tagged frames, it would have to be configured as a trunk port. This adds a lot of configuration complexity.
You need operations to continue if one link fails. How many links does it take to connect three sites?
The number of links is n(n-1)/2, so with three sites, the sum is 3*2/2, which works out to three.
A security engineer is looking at Transmission Control Protocol (TCP) traffic headers. Which of the following allows the receiver to rebuild the message correctly?
The sequence number allows the receiver to rebuild the message correctly and deal with out-of-order packets.
A network analyst is looking at traffic from switches to other switches, which determines the shortest path. What is this called?
The spanning tree protocol (STP) information gets packaged as bridge protocol data unit (BPDU) multicast frames. Each switch then determines the shortest path to the root bridge by exchanging information with other switches.
Sharing a single physical wall port between a PC and VoIP handset. The handset and switch interface configuration allow VoIP traffic to be assigned to a different VLAN than the PC's data traffic.
The switch will only accept tagged frames that match the configured voice VLAN ID. To avoid having to configure this manually, the voice VLAN ID and other configuration parameters can be communicated to the handset using a protocol such as Cisco Discovery Protocol (CDP).
A network administrator is trying to figure out which switch will be rooted in a spanning tree protocol set up. Which of the following would determine the root?
The switch with the lowest ID, comprising a priority value and the MAC address, will be selected as the root.
To add a route, the syntax for the Windows version of the routing table tool is: route [-f -p] add DestinationIP mask Netmask GatewayIP metric MetricValue if Interface
The variables in the syntax are defined as: DestinationIP is a network or host address. Netmask is the subnet mask for DestinationIP. GatewayIP is the router to use to contact the network or host. MetricValue is the cost of the route. Interface is the adapter the host should use (used if the host is multihomed).
Which two topologies are used in the three-tier hierarchical model?
This is a hybrid topology with mesh and star elements. The core layer is a mesh and the links between core and distribution and distribution and access are also a mesh or partial mesh. The access switches use a star topology to connect end systems.
If a switch port will only ever participate in a single VLAN, that port can be configured as untagged
This is also referred to as an access port or host port.
hub and spoke topology
This is the same layout as a star topology. The hub-and-spoke terminology is used when speaking about WANs with remote sites.
Your network monitor is recording high numbers of ICMP Time Exceeded notifications. What type of routing issue does this typically indicate?
This is typical of a routing loop, where packets circulate between two routers until the time to live (TTL) is exceeded.
You need to analyze the information saved in a .pcap file. What type of command-line tool or other utility is best suited to this task?
This type of file will contain a network packet capture. You could use a command-line protocol analyzer such as tcpdump to display the contents, but a graphical tool such as Wireshark will make analysis easier.
Broadcast storm
Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
missing route
Troubleshooting issue where a routing table does not contain a required entry due either to manual misconfiguration or failure of a dynamic routing protocol update.
True or false? A VLAN is a single broadcast domain
True
IEEE 802.1Q
Trunking protocols enable switches to exchange data about VLAN configurations. The 802.1Q protocol is often used to tag frames destined for different VLANs across trunk links.
How many port numbers are required to establish a connection at the Transport layer?
Two-a server port and a client port.
What port and protocol does TFTP use at the Transport layer?
UDP 69
Protocol analyzer
Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis. -parse each frame in a stream of traffic to reveal its header fields and payload contents in a readable format. This is referred to as packet analysis. -perform traffic analysis
IP scanner
Utility that can probe a network to detect which IP addresses are in use by hosts.
A penetration tester has performed a quick service enumeration with Nmap and now wants to further enumerate the findings. Which parameter should the pen tester use in the command?
When services get discovered, the pen tester can use Nmap with the -sV switch to probe a host more intensively to discover the software or software version operating each port.
A network administrator is looking at a switch where the network is not converged. What does this mean?
When the network is not converged, no communications can take place. Under the original 802.1D standard, this made the network unavailable for extended periods (tens of seconds) during configuration changes.
tracert can be used with several switches, which must precede the target IP address or host.
You can use the -d switch to suppress name resolution, -h to specify the maximum number of hops (the default is 30), and -w to specify a timeout in ms (the default is 4000).
point-to-point link
-A point-to-point topology is one where two nodes have a dedicated connection to one another. -Because only two devices share the connection, they are guaranteed a level of bandwidth.
Star with ring
Alternatively, a ring topology might be used to connect geographically separate sites, with each site implementing a star topology to connect end systems.
Hierarchical star-mesh
Alternatively, nodes at the top of the hierarchy can be configured in a partial or full mesh for redundancy. Switches lower in the hierarchy establish star topologies that connect end systems to the network.
Helpful Help is a charitable organization that operates out of numerous small offices spread all over the country. Each office has a team of 10-20 people who currently use a network of PCs and Apple Macs running various applications. Each office is connected back to a main site, which has a connection to the Internet via an ISP. Staff at each local office uses the link for web access and to access an online email service. Each office has a 192.168.x.0/24 subnet allocated to it. The East region is shown in the graphic.
As the link is only used for web browsing and online email, the local office routers would just be configured with a static route/default gateway/gateway of last resort to forward all traffic to the main site, which would forward the web traffic on.
The show route, show ip route , show ipv6 route , or similar command will output the active routing table.
As well as destination, gateway, AD/metric, and interface, the output will show the source of the route, identified as a letter code (C = connected, S = static, R = RIP, B = BGP, D = EIGRP, O = OSPF, and so on).
Optical link budget
Assessment of allowable signal loss over a fiber optic link.
At which layer of the OSI model do VLANs establish network segments?
At the data link layer or layer 2.
Optical link budget is calculated using the following parameters:
Attenuation-This is the loss over the length of the cable, based on fiber type and the wavelength used. Single mode has a loss of up to 0.4 dB/km, while multimode can be from 0.8 dB/km to 3 dB/km. Connectors-Each connector in the path incurs a loss, usually assumed to be 0.75 dB. Splices-Additional splices in the cable are budgeted at around 1 dB for mechanical and 0.3 dB for fusion. -The loss budget must be less than the power budget
A network administrator is setting up an Exterior Gateway Protocol (EGP). Which of the following protocols is part of the EGP class?
BGP
trunks
Backbone link established between switches and routers to transport frames for multiple virtual LANs (VLANs).
A network architect is reviewing a network where application services and resources are centrally provisioned, managed, and secured. What is this called?
Client server
socket
Combination of a TCP/UDP port number and IP address. A client socket can form a connection with a server socket to exchange data.
What type of frames are carried over tagged ports?
Tagged ports typically operate as trunks to carry frames between VLANs on different switches. Frames are transported over the trunk link with an 802.1Q header to indicate the VLAN ID.
netstat command
Cross-platform command tool to show network information on a machine running TCP/IP, notably active connections and the routing table. -you can use the switches for Internet connections for TCP ( -t ) and UDP ( -u ), raw connections ( -w ), and UNIX® sockets/local server ports ( -x ). Using the -a switch includes ports in the listening state in the output. -l shows only ports in the listening state, omitting established connections. -On both Windows and Linux, -n displays ports and addresses in numerical format. -Using the -a switch includes ports in the listening state in the output. The netstat command allows the administrator to check the state of ports on the local host.
route command
Cross-platform command tools used display and manage the routing table on a Windows or Linux host.
Routing protocols use various mechanisms to prevent loops. For example, distance vector protocols use the following mechanisms:
Maximum hop count-If the cost exceeds a certain value (16 in RIP), the network is deemed unreachable. A poison route is one advertised with a hop count of 16. This can provide an explicit failure notice to other routers. Holddown timer-If a node declares a network unreachable, its neighbors start a holddown timer. Any updates about that route received from other nodes are discarded for the duration of the timer. This is designed to ensure that all nodes have converged information about an unreachable network. Split horizon-Prevents a routing update from being copied back to the source. In the example above, this would prevent router C from sending an update about a route to router A via router B to router B. -You can use traceroute to diagnose a routing loop by looking for IP addresses that appear multiple times in the output.
A security analyst is looking at traffic from older devices between ports 2,000 - 3,000. What is this traffic most likely?
OS implementations of Transmission Control Protocol/Internet Protocol (TCP/IP) have not always conformed to recommendations. For example, earlier versions of Windows and UNIX/Linux used 1,024—5,000 for client ports.
You are auditing the service configuration of a Linux server. Which command can you use to check the PID associated with a TCP port, even if there are no active connections?
Run netstat with the -p switch to show the process ID (PID), -a switch to show all active and listening sockets, and optionally -t to filter by TCP and -n to suppress name resolution and display output quicker: netstat -patn
A network engineer is looking at a local area network (LAN) which uses structured cabling, two 24-port switches and a router to provide connectivity. What type of LAN is this most likely?
Small and medium-sized enterprise (SME) networks are networks supporting dozens of users. Such networks would use structured cabling and multiple switches and routers to provide connectivity.
Spanning tree has been deployed without the administrator setting a priority value. Which of the following switches will be selected as the root? Switch A with base MAC f062.81ff.0001 and a 10 Gbps uplink Switch B with base MAC f062.81ff.0002 and a 40 Gbps uplink Switch C with base MAC f062.81ff.0003 and a 40 Gbps uplink
Switch A. The switch with the lowest value MAC address is selected if priority values are equal.
What are the sizes of TCP and UDP headers?
TCP is 20 bytes (or more) while UDP is 8 bytes.