Downloadable Official CompTIA Network+ Student Guide
CompTIA
Network+
Student Guide
(Exam N10-008)
Course Edition: 1.0
Acknowledgments
Notices
Disclaimer
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy,
and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity's products, or
another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply
sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links
to sites on the Internet that are owned and operated by third parties (the "External Sites"). CompTIA is not responsible for
the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns
regarding such links or External Sites.
Trademark Notice
CompTIA®, Network+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries.
All other product and service names used may be common law or registered trademarks of their respective proprietors.
Copyright Notice
Copyright © 2021 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit help.comptia.org.
LICENSED FOR USE ONLY BY: MEETSINH PARIHAR · 37243742 · MAR 10 2023
Table of Contents
Topic 4B: Troubleshoot Common Cable Connectivity Issues .......................... 85
Topic 7B: Compare and Contrast Dynamic Routing Concepts ...................... 156
Topic 9B: Use Appropriate Tools to Scan Network Ports .............................. 216
Topic 10A: Explain the Use of Network Addressing Services ........................ 226
Topic 10B: Explain the Use of Name Resolution Services ............................. 233
Topic 11A: Explain the Use of Web, File/Print, and Database Services ........ 248
Topic 11B: Explain the Use of Email and Voice Services ................................ 256
Topic 12A: Explain the Use of Network Management Services .................... 268
Topic 12B: Use Event Management to Ensure Network Availability ........... 274
Topic 12C: Use Performance Metrics to Ensure Network Availability ......... 284
Lesson 16: Comparing WAN Links and Remote Access Methods ........................... 375
Topic 16B: Compare and Contrast Remote Access Methods ........................ 383
Lesson 17: Explaining Organizational and Physical Security Concepts ................. 395
Topic 17C: Compare and Contrast Internet of Things Devices ..................... 416
Lesson 18: Explaining Disaster Recovery and High Availability Concepts ............ 423
Glossary .........................................................................................................................G-1
About This Course
CompTIA is a not-for-profit trade association with the purpose of advancing the interests of IT professionals and IT channel organizations, and its industry-leading IT certifications are an important part of that mission. CompTIA's Network+ Certification is an entry-level certification designed for professionals with nine to twelve months' work experience in roles such as a junior network administrator or network support technician.

The CompTIA Network+ certification exam will verify the successful candidate has the knowledge and skills required to:

• Establish network connectivity by deploying wired and wireless devices.
Course Description

This course can benefit you in two ways. If you intend to pass the CompTIA Network+ (Exam N10-008) certification examination, this course can be a significant part of your preparation. But certification is not the only key to professional success in the field of network support. Today's job market demands individuals have demonstrable skills, and the information and activities in this course can help you build your network administration skill set so that you can confidently perform your duties in any entry-level network support technician role.

Course Objectives

On course completion, you will be able to:

• Deploy and troubleshoot Ethernet networks.
viii | Preface
Target Student
The Official CompTIA Network+ Guide (Exam N10-008) is the primary course you will need to take if your job responsibilities include network administration, installation, and security within your organization. You can take this course to prepare for the CompTIA Network+ (Exam N10-008) certification examination.
Prerequisites
To ensure your success in this course, you should have basic IT skills comprising nine to twelve months' experience. CompTIA A+ certification, or the equivalent knowledge, is strongly recommended.

The prerequisites for this course might differ significantly from the prerequisites for the CompTIA certification exams. For the most up-to-date information about the exam prerequisites, complete the form on this page: www.comptia.org/training/resources/exam-objectives.
As You Learn
At the top level, this course is divided into lessons, each representing an area of competency within the target job roles. Each lesson is composed of a number of topics. A topic contains subjects that are related to a discrete job task, mapped to objectives and content examples in the CompTIA exam objectives document. Rather than follow the exam domains and objectives sequence, lessons and topics are arranged in order of increasing proficiency. Each topic is intended to be studied within a short period. Each topic is concluded by one or more activities, designed to help you to apply your understanding of the study notes to practical scenarios and tasks.

Additional to the study content in the lessons, there is a glossary of the terms and concepts used throughout the course. There is also an index to assist in locating particular terminology, concepts, technologies, and tasks within the lesson and topic content.
In many electronic versions of the book, you can click links on key words in the topic
content to move to the associated glossary definition, and on page references in the
index to move to that term in the content. To return to the previous location in the
document after clicking a link, use the appropriate functionality in your eBook viewing
software.
Watch throughout the material for the following visual cues.
As You Review
Any method of instruction is only as effective as the time and effort you, the student, are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later. For this reason, we encourage you to spend some time reviewing the content of the course after your time in the classroom.

Following the lesson content, you will find a table mapping the lessons and topics to the exam domains, objectives, and content examples. You can use this as a checklist as you prepare to take the exam, and review any content that you are uncertain about.
As A Reference
The organization and layout of this book make it an easy-to-use resource for future reference. Guidelines can be used during class and as after-class references when you're back on the job and need to refresh your understanding. Taking advantage of the glossary, index, and table of contents, you can use this book as a first source of definitions, background information, and summaries.
Lesson 1
Comparing OSI Model Network Functions
LESSON INTRODUCTION
Computer networks are complex systems that incorporate multiple functions,
standards, and proprietary technologies. The Open Systems Interconnection
(OSI) model is used to try to simplify some of this complexity. It divides network
technologies between seven functional layers. This makes it easier to separate and
focus on individual concepts and technologies while retaining an understanding of
relationships to the functions of technologies placed in other layers.
This lesson uses the OSI model to give you an overview of the technologies that
you will be studying in the rest of the course. You will compare the functions of
these layers in the OSI model and apply those concepts to the installation and
configuration of a small office/home office (SOHO) network.
Lesson Objectives
In this lesson, you will:
• Compare and contrast OSI model layers.
• Configure SOHO networks.
2 | The Official CompTIA Network+ Student Guide (Exam N10-008)
Topic 1A
Compare and Contrast OSI Model Layers
Networks are built on common standards and models that describe how devices
and protocols interconnect. In this topic, you will identify how the implementation
and support of these systems refer to an important common reference model:
the Open Systems Interconnection (OSI) model. The OSI model breaks the data
communication process into discrete layers. Being able to identify the OSI layers
and compare the functions of devices and protocols working at each layer will help
you to implement and troubleshoot networks.
Although not all network systems implement layers using this precise structure, they all implement each task in some way. The OSI model is not a standard or a specification; it serves as a functional guideline for designing network protocols, software, and appliances and for troubleshooting networks.

To remember the seven layers, use the following mnemonic: All People Seem To Need Data Processing.

A network will involve the use of many different protocols operating at different layers of the OSI model. At each layer, for two nodes to communicate they must be running the same protocol. The protocol running at each layer communicates with its equivalent or peer layer on the other node. This communication between nodes at the same layer is described as a same-layer interaction. To transmit or receive a communication, on each node, each layer provides services for the layer above and uses the services of the layer below. This is referred to as adjacent-layer interaction.
When a message is sent from one node to another, it travels down the stack of layers on the sending node, reaches the receiving node using the transmission media, and then passes up the stack on that node. At each level (except the physical layer), the sending node adds a header to the data payload, forming a "chunk" of data called a protocol data unit (PDU). This is the process of encapsulation.

For example, on the sending node, data is generated by an application, such as the HyperText Transfer Protocol (HTTP), which will include its own application header. At the transport layer, a Transmission Control Protocol (TCP) header is added to this application data. At the network layer, the TCP segment is wrapped in an Internet Protocol (IP) header. The IP packet is encapsulated in an Ethernet frame at the data link layer, then the stream of bits making up the frame is transmitted over the network at the physical layer as a modulated electrical signal.

The receiving node performs the reverse process, referred to as decapsulation. It receives the stream of bits arriving at the physical layer and decodes an Ethernet frame. It extracts the IP packet from this frame and resolves the information in the IP header, then does the same for the TCP and application headers, eventually extracting the HTTP application data for processing by a software program, such as a web browser or web server.

You might notice that this example seems to omit some OSI layers. This is because real-world protocols do not conform exactly to the OSI model.
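The encapsulation and decapsulation sequence just described, worked through in code. This is an added example and is not part of the CompTIA guide: it packs a constructed HTTP request inside TCP, IPv4 and Ethernet II headers using only Python's standard library, then walks back up the stack, verifying the IPv4 header checksum at layer 3 and using the destination port (80 for HTTP, 25 for SMTP email) to hand the payload to the right application handler, which is the de-multiplexing the transport layer performs. The MAC addresses, IP addresses and HTTP request are constructed sample values; the Ethernet frame check sequence and the TCP checksum are omitted because a real NIC and TCP/IP stack compute them.

```python
"""Encapsulate an HTTP request down the stack (TCP -> IPv4 -> Ethernet II) and
decapsulate it again, checking each header on the way back up.

Added example, not code from the CompTIA guide. Every address and the HTTP
request below are constructed sample values.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Well-known destination ports the receiving host uses to de-multiplex segments.
HANDLERS = {80: "http", 25: "smtp"}

# Constructed sample endpoints (not taken from the page).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([192, 168, 0, 10])
DST_IP = bytes([198, 51, 100, 7])
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header whose
    checksum field is already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 7 payload -> layer 4 segment -> layer 3 packet -> layer 2 frame."""
    # Layer 4: 20-byte TCP header (seq 1, ack 0, data offset 5 words,
    # PSH|ACK flags, window 65535, checksum left 0, urgent pointer 0).
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                             5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + payload
    # Layer 3: 20-byte IPv4 header; the checksum covers only the header.
    total_len = 20 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                            64, PROTO_TCP, 0, SRC_IP, DST_IP)
    checksum = ip_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", checksum) + ip_header[12:]
    packet = ip_header + segment
    # Layer 2: Ethernet II header (dst MAC, src MAC, EtherType). The FCS is
    # appended by the NIC, so it is not built here.
    eth_header = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_header + packet


def decapsulate(frame: bytes) -> dict:
    """Strip headers in reverse order, rejecting frames that fail a basic
    sanity check at any layer (a receiving stack would drop them)."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType {ethertype:#06x}")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    (total_len,) = struct.unpack("!H", packet[2:4])
    protocol = packet[9]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    if protocol != PROTO_TCP:
        raise ValueError(f"unexpected IP protocol {protocol}")
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "src_port": src_port, "dst_port": dst_port,
        # The destination port selects the application handler (de-multiplexing).
        "handler": HANDLERS.get(dst_port, "unknown"),
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate(HTTP_REQUEST, 50000, 80)
    print(len(frame), "byte frame, Ethernet header:", frame[:14].hex())
    print(decapsulate(frame))
```

Note how the port number is invisible to `decapsulate` until the layer 2 and layer 3 headers have been removed: a switch or router forwarding this frame never looks at it. Flipping any byte inside the IPv4 header (for instance the TTL) makes the checksum test fail and the frame is rejected, which is the "basic error check" the lower layers perform.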
Layer 1—Physical
The physical layer (PHY) of the OSI model (layer 1) is responsible for the transmission
and receipt of the signals that represent bits of data from one node to another node.
Different types of transmission media can be classified as cabled or wireless:
• Cabled—A physical signal conductor is provided between two nodes. Examples
include cable types such as copper or fiber optic cable. Cabled media can also be
described as bounded media.
• The process of transmitting and receiving signals over the network medium, including modulation schemes and timing synchronization.
• Hub—A multiport repeater, deployed as the central point of connection for nodes.
• Media converter—A device that converts one media signaling type to another.

Nodes that send and receive information are referred to as end systems or as host nodes. This type of node includes computers, laptops, servers, Voice over IP (VoIP) phones, smartphones, and printers. A node that provides only a forwarding function is referred to as an intermediate system or infrastructure node.
Layer 2—Data Link

The data link layer (layer 2) organizes the stream of bits arriving from the physical layer into structured units called frames. Each frame contains a network layer packet as its payload. The data link layer adds control information to the payload in the form of header fields. These fields include source and destination hardware addresses, plus a basic error check to test if the frame was received intact.
• Switch—An advanced type of bridge with many ports. A switch creates links
between large numbers of nodes more efficiently.
• Wireless access point (AP)—An AP allows nodes with wireless network cards to
communicate and creates a bridge between wireless networks and wired ones.
Layer 3—Network
The network layer (layer 3) is responsible for moving data around a network of
networks, known as an internetwork or the Internet. While the data link layer is
capable of forwarding data by using hardware addresses within a single segment,
the network layer moves information around an internetwork by using logical
network and host IDs. The networks are often heterogeneous; that is, they use a
variety of physical layer media and data link protocols. The main appliance working
at layer 3 is the router.
Layer 4—Transport
The first three layers of the OSI model are primarily concerned with moving frames and datagrams between nodes and networks. At the transport layer, also known as the end-to-end or host-to-host layer, the content of the packets becomes significant. Any given host on a network will be communicating with many other hosts using many different types of networking data. One of the functions of the transport layer is to identify each type of network application by assigning it a port number. For example, data requested from an HTTP web application can be identified as port 80, while data sent to an email server can be identified as port 25 (SMTP).

At the transport layer, on the sending host, data from the upper layers is packaged as a series of layer 4 PDUs, referred to as segments. Each segment is tagged with the application's port number. The segment is then passed to the network layer for delivery. Many different hosts could be transmitting multiple HTTP and email packets at the same time. These are multiplexed using the port numbers along with the source and destination network addresses onto the same link.

At the network and data link layers, the port number is ignored; it becomes part of the data payload and is invisible to the routers and switches that implement the addressing and forwarding functions of these layers. At the receiving host, each segment is decapsulated, identified by its port number, and passed to the relevant handler at the application layer. Put another way, the traffic stream is de-multiplexed.

The transport layer can also implement reliable data delivery mechanisms, should the application require it. Reliable delivery means that any lost or damaged packets are resent.

Devices working at the transport layer include multilayer switches, usually working as load balancers, and many types of security appliances, such as more advanced firewalls and intrusion detection systems (IDSs).
Upper Layers
The upper layers of the OSI model are less clearly associated with distinct real-world protocols. These layers collect various functions that provide useful interfaces between software applications and the transport layer.
Layer 5—Session
Most application protocols require the exchange of multiple messages between the client and server. This exchange of such a sequence of messages is called a session or dialog. The session layer (layer 5) represents functions that administer the process of establishing a dialog, managing data transfer, and then ending (or tearing down) the session.
Layer 6—Presentation
The presentation layer (layer 6) transforms data between the format required for the network and the format required for the application. For example, the presentation layer is used for character set conversion, such as between American Standard Code for Information Interchange (ASCII) and Unicode. The presentation layer can also be conceived as supporting data compression and encryption. However, in practical terms, these functions are often implemented by encryption devices and protocols running at lower layers of the stack or simply within a homogenous application layer.
Layer 7—Application
The application layer (layer 7) is at the top of the OSI stack. An application layer protocol doesn't encapsulate any other protocols or provide services to any protocol. Application layer protocols provide an interface for software programs on network hosts that have established a communications channel through the lower-level protocols to exchange data.
More widely, upper layer protocols provide most of the services that make a
network useful, rather than just functional, including web browsing, email and
communications, directory lookup, remote printing, and database services.
Review Activity:
OSI Model Layers
Answer the following questions:
4. Which OSI layer packages bits of data from the Physical layer into
frames?
5. True or False? The Session layer is responsible for passing data to the
Network layer at the lower bound and the Presentation layer at the
upper bound.
Topic 1B
Configure SOHO Networks
SOHO Routers
Networks of different sizes are classified in different ways. A network in a single location is often described as a local area network (LAN). This definition encompasses many different sizes of networks with widely varying functions and capabilities. It can include both residential networks with a couple of computers, and enterprise networks with hundreds of servers and thousands of workstations. Small office/home office (SOHO) is a category of LAN with a small number of computing hosts that typically rely on a single integrated appliance for local and Internet connectivity.

Networks such as the Internet that are located in different geographic regions but with shared links are called wide area networks (WANs). The intermediate system powering SOHO networks is usually described as a SOHO router because one of its primary functions is to forward traffic between the LAN and the WAN. However, routing is actually just one of its functions. We can use the OSI model to analyze each of these in turn.
At this layer, each host interface is identified by a media access control (MAC) address.
Configuring the WAN (Internet) interface on a wireless router. These parameters are supplied by the ISP. Many ISP services use DHCP to allocate a dynamic WAN address, but some offer static addressing. (Screenshot courtesy of TP-Link Technologies Co., Ltd.)
The Internet
The WAN interface of the router connects the SOHO network to the Internet.
Internet Standards
Although no single organization owns the Internet or its technologies, several organizations are responsible for the development of the Internet and agreeing common standards and protocols.

• Internet Assigned Numbers Authority (IANA) (iana.org)—manages allocation of IP addresses and maintenance of the top-level domain space. IANA is currently run by the Internet Corporation for Assigned Names and Numbers (ICANN). IANA allocates addresses to regional registries who then allocate them to local registries or ISPs. The five regional registries are Africa (AFRINIC), Asia-Pacific (APNIC), North America (ARIN), Latin America and the Caribbean (LACNIC), and Europe, the Middle East, and Central Asia (RIPE NCC).
References to RFCs in this course are for your information should you want to read more. You do not need to learn them for the certification exam.

The OSI model has a stricter definition of the Session, Presentation, and Application layers than is typical of actual protocols used on networks. The Internet model (tools.ietf.org/html/rfc1122) uses a simpler four-layer hierarchy, with a link layer representing OSI layers 1 and 2, layer 3 referred to as the Internet layer, a Transport layer mapping approximately to layers 4 and 5, and an Application layer corresponding to layers 6 and 7.
Hexadecimal Notation
To interpret network addresses, you must understand the concept of base numbering systems. To start with the familiar, decimal numbering is also referred to as base 10. Base 10 means that each digit can have one of ten possible values (0 through 9). A digit positioned to the left of another has 10 times the value of the digit to the right. For example, the number 255 can be written out as follows:

(2x10x10)+(5x10)+5

Binary is base 2, so a digit in any given position can only have one of two values (0 or 1), and each place position is the next power of 2. The binary value 11111111 can be converted to the decimal value 255 by the following sum:

(1x2x2x2x2x2x2x2)+(1x2x2x2x2x2x2)+(1x2x2x2x2x2)+(1x2x2x2x2)+(1x2x2x2)+(1x2x2)+(1x2)+1

As you can see, it takes 8 binary digits to represent a decimal value up to 255. This number of bits is called a byte or an octet. The four decimal numbers in the SOHO router's WAN IP address are octets.
While computers process everything in binary, the values make for very long strings if they have to be written out or entered into configuration dialogs. Hexadecimal notation (or hex) is a convenient way of referring to the long sequences of bytes used in some other types of network addresses. Hex is base 16, with the possible values of each digit represented by the numerals 0 through 9 and the characters A, B, C, D, E, and F.

Use the following table to help to convert between decimal, binary, and hexadecimal values.
Decimal  Binary  Hex
0        0000    0
1        0001    1
2        0010    2
3        0011    3
4        0100    4
5        0101    5
6        0110    6
7        0111    7
8        1000    8
9        1001    9
10       1010    A
11       1011    B
12       1100    C
13       1101    D
14       1110    E
15       1111    F
As you can see from the table, every hex digit lines up neatly with four binary digits (a nibble). Each byte or octet can be expressed as two hex digits. For example, the decimal value 255 is FF in hex. This would sometimes be written as 0xFF for clarity.
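Base conversion and the octet/nibble view of addresses, as an added example that is not part of the CompTIA guide. It generalizes the 255 walkthrough above to any base from 2 to 36 (the page only needs 2, 10 and 16), returns the per-place terms the page writes out by hand, builds the conversion table programmatically, and applies the two-hex-digits-per-octet rule to an IPv4 address and a MAC address. The sample addresses are constructed values.

```python
"""Positional number systems used for network addresses: decimal, binary and
hexadecimal, plus the octet and nibble view of IPv4 and MAC addresses.

Added example, not code from the CompTIA guide. The sample addresses used
below are constructed values.
"""
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_base(value: int, base: int) -> str:
    """Repeated division by the base; works for any base from 2 to 36."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base must be between 2 and 36")
    if value < 0:
        raise ValueError("only non-negative values are handled")
    if value == 0:
        return "0"
    digits = []
    while value:
        value, remainder = divmod(value, base)
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


def expansion(text: str, base: int) -> list:
    """The per-place terms the page writes out, most significant first.
    Each place is the next power of the base: expansion("255", 10) -> [200, 50, 5]."""
    terms = []
    for position, ch in enumerate(reversed(text.upper())):
        digit = DIGITS.index(ch)
        if digit >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        terms.append(digit * base ** position)
    return list(reversed(terms))


def from_base(text: str, base: int) -> int:
    """Sum of the place-value terms gives the decimal value."""
    return sum(expansion(text, base))


def nibble_table() -> list:
    """(decimal, 4-bit binary, hex digit) for 0..15: one hex digit per nibble."""
    return [(n, f"{n:04b}", f"{n:X}") for n in range(16)]


def octet_to_hex(octet: int) -> str:
    """A byte is two nibbles, so it always fits in exactly two hex digits."""
    if not 0 <= octet <= 255:
        raise ValueError("an octet holds 0..255")
    return f"{octet:02X}"


def ipv4_to_hex(dotted: str) -> str:
    """Dotted-decimal IPv4 address -> the same 32 bits as a 0x-prefixed hex string."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4:
        raise ValueError("an IPv4 address needs exactly four octets")
    return "0x" + "".join(octet_to_hex(o) for o in octets)


def mac_to_str(raw: bytes) -> str:
    """Six octets -> the colon-separated hex pairs used to write MAC addresses."""
    if len(raw) != 6:
        raise ValueError("a MAC address is six octets")
    return ":".join(octet_to_hex(b) for b in raw)


if __name__ == "__main__":
    print(to_base(255, 2), to_base(255, 16), expansion("11111111", 2))
    for dec, binary, hex_digit in nibble_table():
        print(f"{dec:>2}  {binary}  {hex_digit}")
    # Constructed sample addresses.
    print(ipv4_to_hex("192.168.0.1"), mac_to_str(bytes.fromhex("001122aabbcc")))
```

`octet_to_hex` refuses values outside 0..255 rather than silently producing a third hex digit, which is the check you want when parsing an address typed into a configuration dialog.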
Review Activity:
SOHO Networks
Answer the following questions:
1. True or false? The WAN port on a SOHO router is connected to the LAN
ports by an internal switch.
3. True or false? The DHCP server in the SOHO router assigns an IP address
to the WAN interface automatically.
Lesson 1
Summary
You should be able to compare and contrast OSI model layers and encapsulation
concepts and apply them to analyzing the function of networks and networking
components.
• Use the data link layer to plan logical segments to isolate groups of hosts for
performance or security reasons.
• At the network layer, map data link segments to logical network IDs and work
out rules for how hosts in one network should be permitted or denied access to
other networks.
Lesson 2
Deploying Ethernet Cabling
LESSON INTRODUCTION
At the physical layer, networks are made from different cabling types and their connectors and transceivers. These establish direct links between nodes in a local segment. At the data link layer, nodes in these segments are given a standard means of exchanging data as frames.

As they are closely related, networking products often define standards for both the physical and data link layers. While plenty of products have been used in the past, many cabled networks are now based on the Ethernet standards. Understanding the options and specifications for Ethernet is essential to building and supporting networks of all sizes.

In this lesson, you will summarize standards for deploying Ethernet over copper and fiber optic media types and identify the tools and techniques required to deploy Ethernet cabling.

Lesson Objectives

In this lesson, you will:

• Summarize Ethernet standards.
Topic 2A
Summarize Ethernet Standards
In this topic, you will identify the components used in an Ethernet network implementation. Ethernet dominates the wired LAN product market. Its popularity is largely based on its ease of installation and upgradability. Large and small networks use Ethernet technology to provide both backbone and end-user services. Due to the wide deployment of Ethernet today, you will undoubtedly be required to manage and troubleshoot Ethernet networks.

The narrow definition of bandwidth is a frequency range measured in cycles per second or hertz (Hz), but the term is very widely used in data networking to mean the amount of data that can be transferred, measured in multiples of bits per second (bps). Encoding methods mean that, for instance, a signal with 100 MHz frequency bandwidth can transfer much more than 100 Mbps.
Copper Cable
Copper cable is used to transmit electrical signals. The cable between two nodes creates a low-voltage electrical circuit between the interfaces on the nodes. There are two main types of copper cable: twisted pair and coaxial (coax). Copper cable suffers from high attenuation, meaning that the signal quickly loses strength over long links. Twisted pair cable is rated to Cat standards.
Consequently, fiber optic cable supports higher bandwidth over longer links than copper cable. Fiber optic cabling is divided into Single Mode (SM) and MultiMode (MM) types, and MM is categorized by Optical Mode designations OM1, OM2, OM3, and OM4.
Ethernet Standards
Over the years, many protocols, standards, and products have been developed to implement the functions of the physical and data link layers of the OSI model. The most important of these are the Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet standards (ieee802.org).

Ethernet standards provide assurance that network cabling will meet the bandwidth requirements of applications. The standards specify the bit rate that should be achieved over different types of media up to the supported distance limitations.

These Ethernet media specifications are named using a three-part convention, which is often referred to as xBASE-y. This describes:

• The bit rate in megabits per second (Mbps) or gigabits per second (Gbps).
• The signal mode (baseband or broadband). All mainstream types of Ethernet use baseband transmissions, so you will only see specifications of the form xBASE-y.
The collision detection mechanism means that only half-duplex transmission is possible. This means that a node can transmit or receive, but it cannot do both at the same time.

In the 10BASE-T wiring topology, each node is cabled to an Ethernet hub. The hub repeats incoming signals to each connected node. Consequently, every host connected to the same hub is within the same collision domain. The 10BASE-T standard dates from 1990. You are very unlikely to find it deployed to any networks.
when it is not transmitting data to confirm the viability of the link. Fast Ethernet codes a 16-bit data packet into this signal advertising its service capabilities. This is called a Fast Link Pulse (FLP). A node that does not support autonegotiation can be detected by one that does and sent ordinary link integrity test signals, or Normal Link Pulses (NLPs).

Fast Ethernet would not be deployed on new networks, but you may need to maintain it in legacy installations.
Review Activity:
Ethernet Standards
Answer the following questions:

1. With CSMA/CD, what will happen if a host has data to transmit and there is already data on the cable?
2. Which Ethernet standard works at 100 Mbps over Cat 5 or better copper
cable?
Topic 2B
Summarize Copper Cabling Types
Copper wire twisted pair cabling is the most popular choice for access networks in
offices. You are likely to work with this network media daily as part of your duties as
a network professional. Understanding the characteristics of twisted pair will enable
you to properly install and service your networks.
Twisted pair cable. Each color-coded pair is twisted at a different rate to reduce interference.
(Image by Thuansak Srilao © 123RF.com.)
The pairs are twisted at different rates to reduce external interference and
crosstalk. Crosstalk is a phenomenon whereby one pair causes interference in
another as a result of their proximity.
Twisted pair can use either solid or stranded conductor wires. Solid cabling uses
a single thick wire per conductor and is used for cables that run behind walls or
through ducts. Stranded cabling uses thin filament wires wrapped around one
another and is used to make flexible patch cords for connecting computers to wall
ports and switch ports to patch panel ports. Copper wire thickness is measured
using American Wire Gauge (AWG). Increasing AWG numbers represent thinner wire.
Solid cable uses thicker 22 to 24 AWG, while the stranded cable used for patch
cords is often 26 AWG. The attenuation of stranded wire is higher than solid wire, so
it cannot be used over extended distances.
Most twisted pair cable used in office networks is unshielded twisted pair (UTP).
Modern buildings are often flood wired using UTP cabling. This involves cables
being laid to every location in the building that may need to support a telephone
or computer.
• Fully shielded cabling has a braided outer screen and foil-shielded pairs and is
referred to as shielded/foiled twisted pair (S/FTP). There are also variants with a
foil outer shield (F/FTP).
Using screened or shielded cable means that you must also use screened/shielded
connectors. Screened/shielded cable elements should not be mixed with unscreened/
unshielded elements.
Cat/Class           Cable Type                    Network Application   Max. Distance     Frequency   Connector
Cat 3               UTP                           10BASE-T              100 m (328 ft)    16 MHz      RJ-45
Cat 5               UTP                           100BASE-TX            100 m (328 ft)    100 MHz     RJ-45
Cat 5e / Class D    UTP or F/UTP                  1000BASE-T            100 m (328 ft)    100 MHz     RJ-45
Cat 6 / Class E     UTP, F/UTP, or U/FTP          1000BASE-T            100 m (328 ft)    250 MHz     RJ-45
                                                  10GBASE-T             55 m (180 ft)
Cat 6A / Class EA   UTP, F/UTP, U/FTP, or S/FTP   10GBASE-T             100 m (328 ft)    500 MHz     RJ-45
Cat 7 / Class F     S/FTP or F/FTP                10GBASE-T             100 m (328 ft)    600 MHz     GG45/TERA
Cat 8.1 / Class I   F/UTP or U/FTP                40GBASE-T             30 m (98 ft)      2000 MHz    RJ-45
Cat 8.2 / Class II  F/FTP or S/FTP                40GBASE-T             30 m (98 ft)      2000 MHz    GG45/TERA
For 1000BASE-T, Cat 5 is also acceptable (if properly installed), but Cat 5 cable is no longer
available commercially. Unlike Ethernet and Fast Ethernet, Gigabit Ethernet uses all four
pairs for transmission and is thus more sensitive to crosstalk between the wire pairs.
Here are some details about the categories used for network media:
• Cat 5 cable is no longer available. Cat 5e is tested at frequencies up to 100 MHz
(like Cat 5 was) but to higher overall specifications for attenuation and crosstalk,
meaning that the cable is rated to handle Gigabit Ethernet throughput. Cat 5e
would still be an acceptable choice for providing network links for workstations.
• Cat 6 can support 10 Gbps but over shorter distances (nominally 55 m, but
often less if cables are closely bundled together).
Cabling is not the only part of the wiring system that must be rated to the appropriate
category. For faster network applications (Gigabit Ethernet and better), the performance
of connectors becomes increasingly critical. For example, if you are installing Cat 6A
wiring, you must also install Cat 6A patch panels, wall plates, and connectors.
• Cat 8 is intended for use in datacenters only for short patch cable runs that
make top-of-rack connections between adjacent appliances. ISO defines two
variants: 8.1/Class I is equivalent to TIA/EIA Cat 8 and uses RJ-45 connectors,
while 8.2/Class II must use outer shielding or screening and GG45 or TERA
connectors.
RJ-45 Connectors
RJ-45 connectors are used with 4-pair (8-wire) cables. The connectors are also
referred to as 8P8C, standing for eight-position/eight-contact. This means that all eight
potential wire positions are supplied with contacts, so that they can all carry
signals if needed. RJ-45 is used for Ethernet twisted pair cabling.
RJ-45 plugs have a plastic retaining clip. This is normally protected by a rubber boot.
This type of cable construction is also referred to as snagless.
RJ-11 Connectors
The smaller RJ-11 connectors are used with 2- or 3-pair UTP. There is room for six
wires, but the four center wires are most commonly used. Typically, the innermost
pair, wired to pins 3 and 4, carries the dial tone and voice circuit. These are also
called the Tip and Ring wires after the way older phone plugs were wired. The other
pair is usually unused but can be deployed for a secondary circuit. RJ-11 connectors
are used for telephone systems (for example, to connect a modem to a phone jack).
An RJ-11 connector has only two contacts (6P2C). To use more pairs, the jack can be
wired as RJ-14 (6P4C) or RJ-25 (6P6C).
In T568A, the green pairs are wired to pins 1 and 2 and the orange pairs are
wired to pins 3 and 6. In T568B, these pairs swap places, so orange is terminated
to pins 1 and 2 and green to 3 and 6. Organizations should try to avoid using a
mixture of the two standards. T568A is mandated by the US government and by
the residential cabling standard TIA 570, but T568B is probably the more widely
deployed of the two.
Cat 7 and Cat 8 are so sensitive to noise that the secondary wire in each pair is solid
white with no stripe, as the coloring process reduces the effectiveness of the insulation.
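As an added example, not from the guide, here is the T568A/T568B pin map in Python with helpers to identify which scheme a terminated plug follows, to list miswired pins, and to check that a crossover cord puts one end's transmit pair onto the other end's receive pair. The pin and color assignments are the standard ones; the function names and the "observed" wiring fed to them are my own constructions.

```python
# Pin-to-color assignments for the two TIA/EIA-568 termination schemes.
# As the text says, only the green and orange pairs swap between them.
T568A = {
    1: "white/green",  2: "green",
    3: "white/orange", 4: "blue",
    5: "white/blue",   6: "orange",
    7: "white/brown",  8: "brown",
}
T568B = {
    1: "white/orange", 2: "orange",
    3: "white/green",  4: "blue",
    5: "white/blue",   6: "green",
    7: "white/brown",  8: "brown",
}
SCHEMES = {"T568A": T568A, "T568B": T568B}

# 10BASE-T/100BASE-TX MDI interfaces transmit on pins 1-2 and receive on 3-6.
TX_PINS = (1, 2)
RX_PINS = (3, 6)


def colors_on_pins(scheme, pins):
    """Wire colors landing on the given pins under a named scheme."""
    return tuple(SCHEMES[scheme][p] for p in pins)


def identify_scheme(observed):
    """Return 'T568A' or 'T568B' if the observed pin->color map matches one
    scheme exactly, otherwise None (miswired plug or unknown scheme)."""
    for name, scheme in SCHEMES.items():
        if all(observed.get(p) == c for p, c in scheme.items()):
            return name
    return None


def verify_termination(scheme, observed):
    """List (pin, expected, observed) mismatches; an empty list means the
    plug is wired correctly for the scheme."""
    expected = SCHEMES[scheme]
    return [(p, expected[p], observed.get(p))
            for p in range(1, 9) if observed.get(p) != expected[p]]


def classify_cable(end_a, end_b):
    """Straight-through when both ends use the same scheme; crossover when
    one end is T568A and the other T568B."""
    return "straight-through" if end_a == end_b else "crossover"


def crossover_check(end_a, end_b):
    """True when the pair on end A's TX pins is the pair on end B's RX pins,
    which is what lets two MDI ports talk without an MDI-X port between them."""
    return colors_on_pins(end_a, TX_PINS) == colors_on_pins(end_b, RX_PINS)
```

A plug that passes `verify_termination()` can still perform badly if the pairs were untwisted too far before crimping; that is a physical check the map cannot make.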
Coax cables are categorized using the Radio Grade (RG) standard, which
represents the thickness of the core conductor and the cable's characteristic
impedance. RG-6 is 18 AWG cable with 75 ohm impedance typically used as
drop cable for Cable Access TV (CATV) and broadband cable modems. For this
application, coax is usually terminated using F-type connectors, which are
secured by screwing into place.
Twinaxial (or twinax) is similar to coax but contains two inner conductors. Twinax
is used for datacenter 10 GbE (unofficially referred to as 10GBASE-CR) and 40 GbE
(40GBASE-CR4) interconnects of up to about 5 meters for passive cable types and
10 meters for active cable types. Twinax for 10 GbE is terminated using SFP+
Direct Attach Copper (DAC) and QSFP+ DAC transceivers.
Direct Attach Copper (DAC) twinax cabling with SFP+ termination. (Image created by absy and
reproduced under the Creative Commons Attribution-ShareAlike license.)
Review Activity:
Copper Cabling Types
5. 100BASE-T transmit pins are 1 and 2. What color code are the wires
terminated to these pins under T568A and T568B?
Topic 2C
Summarize Fiber Optic Cabling Types
Fiber optic media can support higher bandwidths over longer distances than
copper wire. These advantages make it a popular choice for long-distance
telecommunications networks and for reliable, high-speed networking within
datacenters. Understanding the characteristics of fiber optic media will help you to
support existing installations and upgrades.
In basic operation modes, each fiber optic strand can only transfer light in a single
direction at a time. Therefore, multiple fibers are often bundled within a cable to
allow simultaneous transmission and reception of signals or to provide links for
multiple applications.
There are many different outer jacket designs and materials suited for different
installations (indoor plenum, outdoor, underground, undersea, and so on). Kevlar
(aramid) strands and sometimes fiberglass rods (strength members) are often used
to protect the fibers from excessive bending or kinking when pulling the cable to
install it. For exposed outdoor applications, a steel shield (armor) may be added to
deter rodents from gnawing the cable.
Optical transceivers for SMF are now only slightly more expensive than ones for MMF.
Consequently, SMF is often used for short-range applications in datacenters, as well as
for long-distance links. SMF still comes at a slight price premium, but it provides better
support for 40 Gbps and 100 Gbps Ethernet standards.
Straight Tip
Straight Tip (ST) is an early bayonet-style connector that uses a push-and-twist
locking mechanism. ST was used mostly for multimode networks, but it is not widely
used for Ethernet installations anymore.
Subscriber Connector
The Subscriber Connector (SC) is a push-pull design, allowing for simple insertion
and removal. It can be used for single or multimode. It is commonly used for
Gigabit Ethernet.
Local Connector
The Local Connector (LC) is a small form factor connector with a tabbed push-pull
design. LC is similar to SC, but the smaller size allows for higher port density. LC is a
widely adopted form factor for Gigabit Ethernet and 10 GbE.
Patch cord with duplex LC format connectors (left) and SC connectors (right).
(Image by ANA T NTO N I © 123RF.com.)
Specification   Optics     Cable           Maximum Distance     Connectors
100BASE-FX      1300 nm    MMF OM1/OM2     2 km (1.24 miles)    ST, SC, MT-RJ
100BASE-SX      850 nm     MMF OM1/OM2     550 m (1804 feet)    ST, SC, LC
1000BASE-SX     850 nm     MMF OM1         275 m (902 feet)     ST, SC, LC, MT-RJ
                           MMF OM2/OM3     550 m (1804 feet)
1000BASE-LX     1300 nm    MMF OM1/OM2     550 m (1804 feet)    SC, LC
                1310 nm    SMF OS1/OS2     5 km (3.1 miles)
10GBASE-SR      850 nm     MMF OM1         33 m (108 feet)      SC, LC
                           MMF OM2         82 m (269 feet)
                           MMF OM3         300 m (984 feet)
                           MMF OM4         400 m (1312 feet)
10GBASE-LR      1310 nm    SMF OS1/OS2     10 km (6.2 miles)    SC, LC
Fiber is often used for backbone cabling in office networks and for workstations
with high bandwidth requirements, such as video editing. The principal applications
of 10 GbE and better are:
• Increasing bandwidth for server interconnections and network backbones,
especially in datacenters and for storage area networks (SANs).
• Replacing existing switched public data networks based on proprietary
technologies with simpler Ethernet switches (Metro Ethernet).
Most connectors are keyed to prevent incorrect insertion, but if in doubt, an optical
power meter can be used to determine whether an optical signal is being received
from a particular fiber.
Transmitted optical signals are visible as bright white spots when viewed through a
smartphone camera. This can be used to identify which adapter on an optical interface is
transmitting and which fiber patch cord is receiving a signal from the other end of the cable.
Finishing Type
The core of a fiber optic connector is a ceramic or plastic ferrule that holds the glass
strand and ensures continuous reception of the light signals. The tip of the ferrule
can be finished in one of three formats:
• Physical Contact (PC): The faces of the connector and fiber tip are polished so
that they curve slightly and fit together better, reducing return loss (interference
caused by light reflecting back down the fiber).
• Ultra Physical Contact (UPC): This means the cable and connector are
polished to a higher standard than with PC.
• Angled Physical Contact (APC): The faces are angled for an even tighter
connection and better return loss performance. APC cannot be mixed with PC
or UPC. These connectors are usually deployed when the fiber is being used
to carry analog signaling, as in Cable Access TV (CATV) networks. They are
also increasingly used for long-distance transmissions and for Passive Optical
Networks (PON), such as those used to implement Fiber to the x (FTTx) multiple
subscriber networks.
It is important to match the finishing type when you are selecting a connector type.
APC finishing is often not supported by the patch panels, transceivers, and switch
ports designed for Ethernet.
Where there are multiple strands within a single cable, the strands are color
coded (TIA/EIA) to differentiate them. Also, by convention, cable jackets and
connectors use the following color coding:
Review Activity:
Fiber Optic Cabling Types
Answer the following questions:
1. What type of fiber optic cable is suited for long-distance links?
Topic 2D
Deploy Ethernet Cabling
• Horizontal Cabling: Connects user work areas to the nearest horizontal
cross-connect. A cross-connect can also be referred to as a distribution frame.
Horizontal cabling is so called because it typically consists of the cabling for a
single floor and so is made up of cables run horizontally through wall ducts or
ceiling spaces.
• Backbone Cabling: Connects horizontal cross-connects (HCCs) to the main
cross-connect (optionally via intermediate cross-connects). These can also be
described as vertical cross-connects, because backbone cabling is more likely to
run up and down between floors.
Cable Management
Cable management techniques and tools ensure that cabling is reliable and easy
to maintain. Copper wiring is terminated using a distribution frame or punchdown
block. A punchdown block comprises a large number of insulation-displacement
connection (IDC) terminals. The IDC contains contacts that cut the insulation
from a wire and hold it in place. This design allows large numbers of cables to
be terminated within a small space. Several different punchdown block and IDC
formats have been used for telecommunications and data cabling.
66 Block
A 66 block is an older-style distribution frame used to terminate telephone cabling
and legacy data applications (pre-Cat 5). A 66 block comprises 50 rows of IDC
terminals. The 25-pair cable from the access provider is terminated on one side
of the block. On the other side of the block, the terminals terminate the wiring
from the PBX. A jumper (bridging clip) is installed over the middle two terminals to
complete the connection.
A private branch exchange (PBX) is a telephone system serving the local extensions of an
office.
110 Block
The 110 block developed by AT&T is a type of distribution frame supporting
100 MHz operation (Cat 5 and better). A 110 wiring block is arranged horizontally
rather than vertically, offering better density than a 66 block. There is also more
space for labeling the connectors, and each column of connectors is color coded,
making management simpler. The incoming wire pairs are fed into channels on the
wiring block, then a connector block (or wafer) is installed to terminate the incoming
wiring. Outgoing wire pairs are then punched into the terminals on the connector
blocks to complete the circuit.
The structured cabling running from the work area or forming a backbone is
terminated at the back of the patch panel on the IDCs. An RJ-45 patch cord is
used to connect the port to another network port, typically a switch port housed
in the same rack. This greatly simplifies wiring connections and is the most
commonly installed type of wiring distribution where connections need to be
changed often.
Termination Tools
Fixed cable is terminated using a punchdown tool. This tool fixes conductors into
an IDC. There are different IDC formats (66, 110, BIX, and Krone), and these require
different blades. Many punchdown tools have replaceable blades, though. Blades are
double-sided: one side pushes the wire into the terminal while the other side cuts the
excess. Make sure the blade marked "cut" is oriented correctly to cut the excess wire.
Alternatively, a block tool terminates a group of connectors in one action. For a 110
format panel, there are four-position blocks (suitable for terminating 4-pair data
cabling) and five-position blocks (for 5-pair telephony cable).
A patch cord is created using a cable crimper. This tool fixes a plug to a cable.
The tools are specific to the type of connector and cable, though some may have
modular dies to support a range of RJ-type plugs.
You must untwist the ends of the wire pairs and place them into the connector die in
the correct order for the wiring configuration (T568A or T568B) you want to use. You
must not untwist the wires too much, however. Cat 6 is demanding in this respect and
requires no more than 1 cm of untwisting.
Using connectors does reduce the overall performance of the cable. Each connector
will cost a certain amount of insertion loss (typically budgeted as 0.75 dB) and
reflection loss. Consequently, in some circumstances it may be preferable to splice
two cables together, either to repair damage or to extend the cable run. Cables can
be spliced mechanically using an adhesive junction box containing index-matching
fluid that ensures a continuous path between the two fiber strands. A fusion
splicer achieves a more permanent join with lower insertion loss (0.1 dB). The
fusion splicing machine performs a precise alignment between the two strands
and then permanently joins them together using an arc weld. A fusion splicer is a
high-precision instrument and must be kept clean and maintained following the
manufacturer's guidelines.
Splicing may also be used to attach a pigtail (a segment of cable with a factory-fitted
connector at one end only) or to field terminate to a connector (splicing a
factory-prepared SC or LC connector to an incoming cable). A spliced cable or pigtail must
be protected with a special cover and supported by a splice tray. Connectors for
field-terminated splicing do not require a tray, and the protective cover is built into
the connector.
Transceivers
A network might involve the use of multiple types of cabling. When this occurs,
switch and router equipment must be able to terminate different cable and
connector types, and devices must convert from one media type to another.
Enterprise switches and routers are available with modular, hot-swappable
transceivers/media converters for different types of fiber optic patch cord
connections.
SFP/SFP+
SFP uses LC connectors and is also designed for Gigabit Ethernet. Enhanced SFP
(SFP+) is an updated specification to support 10 GbE but still uses the LC form
factor. There are different modules to support the various Ethernet standards and
fiber mode type (1000BASE-SX versus 1000BASE-LX, for instance). Consequently, a
transceiver is designed to support a specific wavelength. The transceivers must be
installed as matched pairs.
You will often see the term MSA in conjunction with modular transceivers. Multi-Source
Agreement (MSA) is intended to ensure that a transceiver from one vendor is compatible
with the switch/router module of another vendor.
QSFP/QSFP+
Quad small form-factor pluggable (QSFP) is a transceiver form factor that
supports 4 x 1 Gbps links, typically aggregated to a single 4 Gbps channel.
Enhanced quad small form-factor pluggable (QSFP+) is designed to support
40 GbE by provisioning 4 x 10 Gbps links. QSFP+ is typically used with parallel fiber
and multi-fiber push-on (MPO) termination. An MPO backbone (ribbon) cable
bundles 12 or more strands with a single compact terminator (the cables are
all manufactured and cannot be field terminated). When used with QSFP+, four
strands transmit a full-duplex 10 Gbps link, four strands receive, and the other
four strands are unused.
QSFP+ can also be used with Wavelength Division Multiplexing (WDM) Ethernet
standards.
Review Activity:
Ethernet Cabling
Answer the following questions:
4. At what layer of the OSI model does a fiber distribution panel work?
Lesson 2
Summary
You should be able to summarize the properties of copper and fiber optic media
and connectors and match them to an appropriate Ethernet standard for a
particular solution.
• Wave division multiplexing to get more bandwidth from existing fiber.
• Consider the factors that can affect the performance of network media, such as
electromagnetic interference and attenuation and whether shielded copper or
fiber optic cable will be required to ensure reliable performance.
Lesson 3
Deploying Ethernet Switching
LESSON INTRODUCTION
Cabling establishes the links between nodes on the network, but each node also
requires a network interface. Not many networks are established by directly
connecting each end system to every other local system. Cabling and support costs
are reduced by using intermediate systems to establish local networks. These
intermediate systems are deployed as network appliances such as hubs, bridges,
and switches. Installing and configuring these devices will be a regular task for you
during your career in network administration.
Lesson Objectives
In this lesson, you will:
• Deploy networking devices.
Topic 3A
Deploy Networking Devices
Most networks use intermediate systems to reduce cabling costs and complexity. In
this topic, you will summarize the functions of various connectivity devices working
at the physical and data link layers.
Hubs
Most Ethernet networks are implemented so that each end system node is wired
to a central intermediate system. In early types of Ethernet, this function was
performed by a hub. While hubs are no longer widely deployed as standalone
appliances, it is important to understand the basic functions they perform.
A hub acts like a multiport repeater so that every port receives transmissions
sent from any other port. As a repeater, the hub works only at the Physical
layer. Electrically, the network segment still looks like a single length of cable.
Consequently, every hub port is part of the same shared media access area and
within the same collision domain. All node interfaces are half-duplex, using the
CSMA/CD protocol, and the media bandwidth (10 Mbps or 100 Mbps) is shared
between all nodes.
When Ethernet is wired with a hub there needs to be a means of distinguishing
the interface on an end system (a computing host) with the interface on an
intermediate system (the hub). The end system interface is referred to as medium
dependent interface (MDI); the interface on the hub is referred to as MDI
crossover (MDI-X). This means that the transmit (Tx) wires on the host connect to
receive (Rx) wires on the hub.
There are no configuration options for a hub. You just connect the device to a
power source and then connect the network cables for the hosts that are going to
be part of the network segment served by the hub.
Bridges
An Ethernet bridge works at the data link layer (layer 2) to establish separate physical
network segments while keeping all nodes in the same logical network. This reduces
the number of collisions caused by having too many nodes contending for access.
This figure shows how a bridge creates separate collision domains. Each hub is a
shared access media area. The nodes connected to the hubs share the available
bandwidth—a 100 Mbps Ethernet for domain A and a 10 Mbps Ethernet for domain
B—because only one node within each collision domain can communicate at any
one time. The bridge isolates these segments from each other, so nodes in domain
B do not slow down or contend with nodes in domain A. The bridge does allow
nodes to communicate with the other collision domain, by forwarding only the
appropriate traffic. This creates a single logical network, referred to as a layer 2
broadcast domain.
An Ethernet bridge builds a MAC address table in memory to track which addresses
are associated with which of its ports. When the bridge is initialized, the bridging
table is empty, but information is constantly added as the bridge listens to the
connected segments. Entries are flushed out of the table after a period to ensure
the information remains current.
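To show how the MAC address table drives the forwarding decision described above, here is a small learning-bridge simulation in Python (an added illustration, not code from the guide or from any bridge or switch product). The port numbers, addresses, and the aging interval are constructed for the example; real bridges age entries on a timer measured in seconds, which the `tick()` method stands in for.

```python
class LearningBridge:
    """Transparent bridge/switch forwarding logic.

    - The source address of every received frame is learned on its ingress port.
    - Unknown unicast destinations and group (multicast/broadcast) destinations
      are flooded out of every other port.
    - A known destination on a different port is forwarded to that port only.
    - A known destination on the ingress port is filtered (not forwarded).
    - Entries older than max_age are flushed so a moved host is re-learned.
    """
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, max_age=300):
        self.ports = list(ports)
        self.max_age = max_age
        self.table = {}          # mac -> (port, last_seen)
        self.now = 0             # simulated clock, in seconds

    def tick(self, seconds=1):
        """Advance the clock and age out stale table entries."""
        self.now += seconds
        stale = [mac for mac, (_, seen) in self.table.items()
                 if self.now - seen > self.max_age]
        for mac in stale:
            del self.table[mac]

    @staticmethod
    def is_group(mac):
        # I/G bit is the least significant bit of the first octet.
        return int(mac.split(":")[0], 16) & 0x01 == 1

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        self.table[src] = (in_port, self.now)           # learn
        if self.is_group(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return []                                    # filter
        return [out_port]                                # forward

    def lookup(self, mac):
        """Port a MAC was last seen on, or None if not (or no longer) known."""
        entry = self.table.get(mac)
        return entry[0] if entry else None
```

The same logic is what makes a switch port a separate collision domain: once a destination is learned, a frame reaches only the port that needs it, and a flooded frame is the only case in which other ports see traffic that is not theirs.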
Layer 2 Switches
The problems created by contention can be more completely resolved by moving
from a shared Ethernet system to switched Ethernet. Hubs and bridges are
replaced with switches. Gigabit Ethernet and 10 Gigabit Ethernet (10 GbE) cannot be
deployed without using switches.
An Ethernet layer 2 switch performs the same sort of function as a bridge, but
in a more granular way and for many more ports than are supported by bridges.
Each switch port is a separate collision domain. In effect, the switch establishes
a point-to-point link between any two network nodes. This is referred to as
microsegmentation.
Because each port is in a separate collision domain, collisions can occur only if
the port is operating in half-duplex mode. This would only be the case if a legacy
network card or a hub is attached to it. Even then, collisions affect only the
microsegment between the port and the connected interface; they do not slow
down the whole network. As with a bridge, though, traffic on all switch ports is in
the same broadcast domain, unless the switch is configured to use virtual LANs
(VLANs).
Review Activity:
Networking Devices
Answer the following questions:
2. True or false? All the nodes shown in the following figure are in the same
collision domain.
Topic 3B
Explain Network Interfaces
A network interface is the means by which a node is connected to the media and
exchanges data with other network hosts. As a network technician, you will frequently
be involved with installing, configuring, and troubleshooting network interfaces. You
must also be able to capture and analyze network traffic, using a packet sniffer.
Each Ethernet network interface port has a unique hardware address known as the
Media Access Control (MAC) address. This may also be referred to as the Ethernet
address (EA) or, in IEEE terminology, as the extended unique identifier (EUI). A
MAC address is also referred to as a local or physical address.
Preamble
The preamble and Start Frame Delimiter (SFD) are used for clock synchronization
and as part of the CSMA/CD protocol to identify collisions early. The preamble
consists of 8 bytes of alternating 1s and 0s with the SFD being two consecutive 1s at
the end. This is not technically considered to be part of the frame.
Error Checking
The error checking field contains a 32-bit (4-byte) checksum called a Cyclic
Redundancy Check (CRC) or Frame Check Sequence (FCS). The CRC is calculated
based on the contents of the frame; the receiving node performs the same
calculation and, if it matches, accepts the frame. There is no mechanism for
retransmission if damage is detected, nor is the CRC completely accurate at
detecting damage; these are functions of error checking in protocols operating at
higher layers.
Burned-in Addresses
The IEEE gives each card manufacturer a range of numbers, and the manufacturer
hard codes every interface produced with a unique number from their range. This is
called the burned-in address or the universal address. The first six hex digits
(3 bytes or octets), also known as the Organizationally Unique Identifier (OUI),
identify the manufacturer of the adapter. The last six digits are a serial number.
An organization can decide to use locally administered addresses in place of
the manufacturer's universal coding systems. This can be used to make MACs
meaningful in terms of location on the network, but it adds a significant amount
Captured Ethernet frame showing the resolved OUI and I/G and U/L bits in the destination
(broadcast) and source addresses. (Screenshot courtesy of Wireshark.)
Broadcast Address
The I/G bit of a MAC address determines whether the frame is addressed to an
individual node (0) or a group (1). The latter is used for broadcast and multicast
transmissions. A MAC address consisting entirely of 1s is the broadcast address
and should be processed by all nodes within the same broadcast
domain.
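Added example (not from the guide) covering both the Error Checking section and the burned-in/broadcast address sections above: Python that assembles an Ethernet frame with a CRC-32 FCS, verifies it on receipt, decodes the OUI and the I/G and U/L bits, and shows that a single flipped bit is rejected. The addresses and payload are constructed sample data; `zlib.crc32` is used because it implements the same CRC-32 polynomial and bit ordering as the Ethernet FCS, so its result can be written out directly as the four trailing bytes.

```python
import struct
import zlib

BROADCAST = bytes([0xFF] * 6)


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def analyze_mac(mac):
    """Decode the OUI and the I/G and U/L flag bits of a 6-byte MAC address.

    Both flags live in the first octet: bit 0 is I/G (0 individual, 1 group),
    bit 1 is U/L (0 universal/burned-in, 1 locally administered).
    """
    first = mac[0]
    return {
        "address": mac_str(mac),
        "oui": mac_str(mac[:3]),                  # first three octets
        "group": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        "broadcast": mac == BROADCAST,
    }


def ethernet_fcs(body):
    """Ethernet FCS: CRC-32 over destination, source, type and payload,
    transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Header + payload padded to the 46-byte minimum + FCS (64 bytes minimum)."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + ethernet_fcs(body)


def check_fcs(frame):
    """Recompute the CRC over the frame body and compare it with the trailing FCS,
    which is exactly what the receiving node does before accepting the frame."""
    return ethernet_fcs(frame[:-4]) == frame[-4:]


def parse_frame(frame):
    if len(frame) < 64:
        raise ValueError("runt frame (shorter than 64 bytes)")
    return {
        "dst": analyze_mac(frame[:6]),
        "src": analyze_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload": frame[14:-4],
        "fcs_ok": check_fcs(frame),
    }


def detect_bit_flip(frame, byte_index, bit):
    """Flip one bit in a copy of the frame and report whether the receiver
    would reject it (True means the damage was caught by the FCS)."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= (1 << bit)
    return not check_fcs(bytes(damaged))


# Constructed sample: an ARP request (EtherType 0x0806) to the broadcast
# address from a made-up universally administered source address.
SAMPLE = build_frame(BROADCAST, bytes.fromhex("001122334455"), 0x0806,
                     b"\x00\x01\x08\x00")
```

Note that the broadcast address reports both the I/G and U/L bits set, since its first octet is 0xFF; that is expected and is why the group bit, not the U/L bit, is what a node checks to decide whether to process a frame addressed to a group. A single flipped bit is always caught by a CRC, but some multi-bit corruption patterns are not, which is the limitation the text refers to.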
Often the terms sniffer and protocol analyzer are used interchangeably, but be aware
that they might be implemented separately.
A basic software-based sniffer installed to a host will simply interrogate the frames
received by the network adapter by installing a special driver. This allows the frames
to be read from the network stack and saved to a file on disk. They also support
filters to reduce the amount of data captured.
There are three main options for connecting a sniffer to the appropriate point in the
network:
• SPAN (switched port analyzer)/mirror port—this means that the sensor
is attached to a specially configured port on the switch that receives copies
of frames addressed to nominated access ports (or all the other ports). This
method is not completely reliable. Frames with errors will not be mirrored and
frames may be dropped under heavy load.
• Passive test access point (TAP)—this is a box with ports for incoming and
outgoing network cabling and an inductor or optical splitter that physically
copies the signal from the cabling to a monitor port. There are types for copper
and fiber optic cabling. Unlike a SPAN, no logic decisions are made, so the
monitor port receives every frame—corrupt or malformed or not—and the
copying is unaffected by load.
A TAP will usually output two streams to monitor a full-duplex link (one channel
for upstream and one for downstream). Alternatively, there are aggregation TAPs,
which rebuild the streams into a single channel, but these can drop frames under
very heavy load.
tcpdump
tcpdump is a command-line packet capture utility for Linux, providing a user
interface to the libpcap library. The basic syntax of the command is:
tcpdump -i eth0
Where eth0 is the interface to listen on (you can substitute with the keyword any to
listen on all interfaces of a multi-homed host). The utility will then display captured
packets until halted manually (by pressing Ctrl+C). The operation of the basic
command can be modified by switches. For example, the -w and -r switches write
output to a file and read the contents of a capture file respectively. The -v, -vv,
and -vvv switches can be used to increase the amount of detail shown about each frame,
while the -e switch shows the Ethernet header.
Refer to tcpdump.org for the full help and usage examples. ngrep (github.com/jpr5/
ngrep) is another useful packet capture and analysis tool. As well as the standard filter
syntax, it supports use of regular expressions (regexr.com) to search and filter capture
output. You can also use the netcat tool (nmap.org/ncat) to copy network traffic from
one host to another for analysis.
Wireshark
Wireshark (wireshark.org) is an open source graphical packet capture and analysis
utility, with installer packages for most operating systems. Having chosen the
interfaces to listen on, the output is displayed in a three-pane view, with the top
pane showing each frame, the middle pane showing the fields from the currently
selected frame, and the bottom pane showing the raw data from the frame in hex
and ASCII.
Review Activity:
Network Interfaces
Answer the following questions:
2. What is an I/G bit?
3. What is an MTU?
Topic 3C
Deploy Common Ethernet
Switching Features
Switches are now used in almost all Ethernet networks, so you are certain to
encounter them in the environments that you support. There are many models
of Ethernet switches, however. Understanding the range of capabilities of these
devices will prepare you to support a wide variety of network environments.
The market is dominated by Ciscoʼs Catalyst and Nexus platforms (over 55% of
sales), but other notable vendors include HP® Enterprise, Huawei, Juniper®, Arista,
Linksys®, D-Link, NETGEAR®, and NEC.
Ethernet switches can be distinguished using the following general categories:
• Unmanaged versus managed—On a SOHO network, switches are more likely
to be unmanaged, standalone units that can be added to the network and run
without any configuration. The switch functionality might also be built into an
Internet router/modem. On a corporate network, switches are most likely to be
managed. This means the switch settings can be configured. If a managed switch
is left unconfigured, it functions the same as an unmanaged switch does.
Lesson 3: Deploying Ethernet Switching | Topic 3C
• Modular versus fixed—A fixed switch comes with a set number of ports that
cannot be changed or upgraded. A modular switch has slots for plug-in cards,
meaning they can be configured with different numbers and types of ports.
• Desktop versus rack-mounted—Simple unmanaged switches with five or
eight ports might be supplied as small freestanding units that can be placed on
a desktop. Most larger switches are designed to be fitted to the standard-size
hierarchies. For example, Cisco IOS has three principal modes:
• User EXEC mode—This is a read-only mode where commands can be used to
report the configuration, show system status, or run basic troubleshooting tools.
• Privileged EXEC mode/enable mode—This allows the user to reboot or shut
down the appliance and to backup and restore the system configuration.
In user mode, a variety of show commands can be used to display the current
configuration. There are usually many show commands, but two of particular
importance are as follows:
• show config displays the switchʼs configuration. The startup configuration
(show startup-config) could be different from the running configuration
(show running-config). If there has been some undocumented change
to the switch, using these commands and comparing the output may reveal the
source of a problem.
• show interface lists the state of all interfaces or the specified interface.
Interfaces are identified by type, slot, and port number. For example,
GigabitEthernet 0/2 (or G0/2) is port #2 on the first 10/100/1000 slot (or only
slot). An interface has a line status (up if a host is connected via a good cable)
and a protocol status (up if an Ethernet link is established). Down indicates a
fault while administratively down indicates that the port has been purposefully
disabled. show interface will also report configuration details and traffic statistics
if the link is up/up.
Stackable switches precede interface identifiers with a module ID. For example,
GigabitEthernet 3/0/2 is the second port on the first slot in the third module in the stack.
Note that this numbering does vary between manufacturers. Also, some start from zero
and some from one.
Viewing interface configuration on a Cisco switch. (Image © and Courtesy of Cisco Systems, Inc.
Unauthorized use not permitted.)
Switches normally support a range of Ethernet standards so that older and newer
network adapters can all be connected to the same network. In most cases, the port
on the switch is set to autonegotiate speed (10/100/1000) and full- or half-duplex
operation. A static configuration can be applied manually if necessary.
Auto MDI/MDI-X
Under 100BASE-T, an end system uses media dependent interface (MDI) to transmit
on pins 1 and 2 and receive on pins 3 and 6. This is also referred to as an uplink
port. As an intermediate system, a switch port uses MDI-X and receives on pins 1
and 2 and transmits on pins 3 and 6. The cable between the host interface port
and switch interface port should be straight through (either T568A on both ends or
T568B on both ends).
When a switch needs to be connected to another switch, communications would
fail if both interfaces used MDI-X. Historically (in the days of hubs and very early
10/100 switches), dedicated uplink ports and/or crossover cables were used to
make these connections. A crossover cable has T568A termination at one end
and T568B termination at the other end. Nowadays, most switch interfaces are
configured to use auto-MDI/MDIX by default. This means that the switch senses
the configuration of the connected device and cable wiring and ensures that an MDI
uplink to an MDIX port gets configured. This will also ensure a link if a crossover
cable is used to connect an end system by mistake.
The same principle applies to Gigabit Ethernet and faster. While all four pairs carry
bidirectional signals, the interfaces still use an MDI to MDI-X link. In practical terms, all
Gigabit Ethernet interfaces must support auto MDI/MDI-X.
Consequently, the MAC address table is often also referred to as the CAM table. Entries
remain in the MAC address table for a period before being flushed. This ensures
problems are not encountered when network cards (MAC addresses) are changed.
If a MAC address cannot be found in the MAC address table, then the switch acts
like a hub and transmits the frame out of all the ports, except for the source port.
This is referred to as flooding.
You can query the MAC address table of a switch to find the MAC address or
addresses associated with a particular port using a command such as:
show mac address-table
Displaying dynamic entries in the MAC address table of a Cisco switch. (Image © and Courtesy of
Cisco Systems, Inc. Unauthorized use not permitted.)
A port security configuration validates the MAC address of end systems that
connect to a switch port. In most scenarios, you would not expect the MAC address
of servers and workstations to change often, except for predictable upgrade cycles.
Unknown or frequently changing host MAC addresses might indicate an intrusion
attempt. A port security configuration has two elements:
• Specify a static MAC address or allow the port to learn and accept a certain
number of sticky addresses.
• Specify an enforcement action when a policy violation is detected (alert only or
shutdown the port, for instance).
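To show how the MAC address table, aging, flooding, and the two elements of a port security policy described above interact, here is an added Python simulation (not vendor code; the port names, MAC addresses, aging timer and the "alert" behaviour are assumed values).

```python
"""Added simulation of a switch's MAC address table with aging, unknown-unicast
flooding, and a port security policy (static/sticky addresses plus a violation
action). Not vendor code: port names, MAC addresses and timings are made up."""
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """I/G bit of the first octet set: multicast, or the all-ones broadcast."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class PortSecurity:
    max_addresses: int = 1                     # MACs the port may accept in total
    static: set = field(default_factory=set)   # addresses configured by hand
    sticky: set = field(default_factory=set)   # addresses learned and retained
    violation: str = "shutdown"                # "shutdown" the port, or "alert" only


class Switch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds
        self.mac_table = {}        # mac -> (port, last_seen)
        self.security = {}         # port -> PortSecurity
        self.err_disabled = set()  # ports shut down by a security violation
        self.alerts = []           # (port, offending mac, action) log

    def enable_port_security(self, port, max_addresses=1, static=(), violation="shutdown"):
        self.security[port] = PortSecurity(max_addresses, set(static), set(), violation)

    def _age_out(self, now):
        """Flush entries that have not been refreshed within the aging period."""
        expired = [m for m, (_, seen) in self.mac_table.items()
                   if now - seen > self.aging_seconds]
        for m in expired:
            del self.mac_table[m]

    def _port_security_allows(self, port, src_mac):
        policy = self.security.get(port)
        if policy is None:
            return True
        allowed = policy.static | policy.sticky
        if src_mac in allowed:
            return True
        if len(allowed) < policy.max_addresses:
            policy.sticky.add(src_mac)      # learn the address and keep it
            return True
        # Policy violation: log it. "shutdown" also disables the port, while
        # "alert" (assumed behaviour) drops the frame and leaves the port up.
        self.alerts.append((port, src_mac, policy.violation))
        if policy.violation == "shutdown":
            self.err_disabled.add(port)
        return False

    def forward(self, in_port, src_mac, dst_mac, now):
        """Return the list of ports a frame arriving on in_port is sent out of."""
        if in_port in self.err_disabled:
            return []
        self._age_out(now)
        if not self._port_security_allows(in_port, src_mac):
            return []
        self.mac_table[src_mac] = (in_port, now)        # learn / refresh the source
        others = [p for p in self.ports
                  if p != in_port and p not in self.err_disabled]
        if is_group_address(dst_mac):
            return others                               # broadcast/multicast
        entry = self.mac_table.get(dst_mac)
        if entry is None:
            return others                               # unknown unicast: flood
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]


if __name__ == "__main__":
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"])
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    print(sw.forward("Gi0/1", a, b, now=0))    # b unknown: flooded to Gi0/2, Gi0/3
    print(sw.forward("Gi0/2", b, a, now=1))    # a already learned: ['Gi0/1']
```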
Port Aggregation
Port aggregation means combining two or more separate cabled links into a single
logical channel. From the host end, this can also be called NIC teaming. The term
bonding is also widely substituted for aggregation. For example, a single network
adapter and cable segment might support 1 Gbps; bonding this with another
adapter and cable segment gives a link of 2 Gbps.
Port aggregation is often implemented by the Link Aggregation Control Protocol
(LACP). LACP can be used to autonegotiate the bonded link between the switch
ports and the end system, detect configuration errors, and recover from the failure
of one of the physical links.
Port Mirroring
Unlike a hub, a switch forwards unicast traffic only to the specific port connected
to the intended destination interface. This prevents sniffing of unicast traffic by
hosts attached to the same switch. There are circumstances in which capturing
and analyzing network traffic is a legitimate activity, however, and port mirroring
provides the facility to do this. Port mirroring copies all packets sent to one or more
source ports to a mirror (or destination) port. On a Cisco switch, this is referred to
as a switched port analyzer (SPAN).
Configuring port mirroring on a switch. (Screenshot courtesy of Nvidia.)
The mirror port would be used by management or monitoring software, such as a
packet sniffer, network analyzer, or intrusion detection system (IDS) sensor. Either
ingress or egress traffic, or both, can be captured. Optionally, in order to avoid
overloading the monitoring system, packets may be filtered based on criteria such
as protocol ID or TCP/UDP port number.
Port mirroring demands a lot of processing and can lead to the switch hardware
becoming overloaded and consequently crashing. If possible, test any security solution
that requires port mirroring under typical loads before deploying it on a production
network.
Jumbo Frames and Flow Control
Some types of hosts, such as those implementing storage area networks (SANs)
have special requirements. Traffic processed by these hosts can be optimized by
configuring port settings for jumbo frames and flow control.
Jumbo Frames
Ordinarily, an Ethernet frame can carry a data payload or maximum transmission
unit (MTU) of up to 1,500 bytes. When you are transferring data around a storage
network with a 10 Gbps switching fabric, a 1500-byte limit means using a lot of
frames. A jumbo frame is one that supports a data payload of up to around 9,000
bytes. This reduces the number of frames that need to be transmitted, which can
reduce the amount of processing that switches and routers need to do. It also
reduces the bandwidth requirement somewhat, as fewer frame headers are being
transmitted. The benefits of jumbo frames are somewhat disputed, however.
When implementing jumbo frames, it is critical that all hosts and appliances
(switches and routers) along the communications path be able and configured to
support them. It is also vital to ensure that each device supports the same MTU.
Also, it can be complex to calculate the MTU if any additional headers are used
(for IPSec, for instance).
The MTU value in the show interface output will indicate whether jumbo
frames are accepted on a particular port.
Flow Control
IEEE 802.3x flow control allows a server to instruct the switch to pause traffic
temporarily to avoid overwhelming its buffer and causing it to drop frames. A
switch port can be configured to enable or disable (ignore) use of PAUSE frames.
The 802.3x global PAUSE mechanism does not distinguish between traffic types,
however, which can pose problems with voice/video traffic and infrastructure-
critical traffic, such as routing protocol updates. Class of service (CoS) and quality
of service (QoS) mechanisms ensure reliable performance for these time-sensitive
applications by marking and policing traffic. The updated priority flow control
(PFC) mechanism (IEEE 802.1Qbb) allows PAUSE frames to apply to certain traffic
classes only.
Power over Ethernet (PoE) is a means of supplying electrical power from a switch
port over ordinary data cabling to a connected powered device (PD), such as a VoIP
handset, IP camera, or wireless access point. PoE is defined in two IEEE standards
(now both rolled into 802.3-2018):
• 802.3af—Powered devices can draw up to about 13 W over the link. Power is
supplied as 350mA@48V and limited to 15.4 W, but the voltage drop over the
maximum 100 feet of cable results in usable power of around 13 W.
PoE switches are referred to as endspan (or endpoint) power sourcing equipment
(PSE). If an existing switch does not support PoE, a device called a power injector (or
midspan) can be used.
When a device is connected to a port on a PoE switch, the switch goes through a
detection phase to determine whether the device is PoE-enabled. If not, it does not
supply power over the port and, therefore, does not damage non-PoE devices. If
so, it determines the deviceʼs power consumption and sets the supply voltage level
appropriately.
Powering these devices through a switch is more efficient than using a wall-socket
AC adapter for each appliance. It also allows network management software to
control the devices and apply schemes, such as making unused devices go into
sleep states and power capping.
Review Activity:
Common Ethernet Switching Features
Answer the following questions:
6. Can you safely connect a server to a PoE+ enabled port or should you
disable PoE first?
Lesson 3
Summary
• Create a management plan for legacy hub and bridge appliances to ensure they
do not impact overall network performance.
• Identify any need for physical layer repeater or media converter functions that
cannot be met by installing a switch.
• Make a plan for capturing network traffic at strategic points in the network,
either through port mirroring or via a network TAP.
• Optionally, use known or locally administered MAC addresses and port security
to mitigate the risk of unknown devices connecting to the network.
Lesson 4
Troubleshooting Ethernet Networks
LESSON INTRODUCTION
Whether you are dealing with support cases or validating an installation or
configuration, problem solving is a critical competency for all network technicians.
Effective problem solving requires a mixture of technical knowledge, soft skills, and
intuition, plus the discipline to apply a structured approach.
In this lesson you will explain the steps in CompTIA's Network+ troubleshooting
methodology and apply these steps to solving common cable and connectivity
issues.
Lesson Objectives
In this lesson, you will:
• Explain network troubleshooting methodology.
Topic 4A
Explain Network Troubleshooting
Methodology
Network problems can arise from a variety of sources outside your control. As
a network professional, your users, your managers, and your colleagues will all
look to you to identify and resolve those problems efficiently. To do that, you will
need a strong fundamental understanding of the tools and processes involved
in troubleshooting a network. Being able to resolve problems in these areas is a
crucial skill for keeping your network running smoothly.
Troubleshooting requires a best practice approach to both problem solving and
customer/client communication. A troubleshooting model provides you with proven
processes on which to base your techniques and approach.
• Gather information.
• Duplicate the problem, if possible.
• Question users.
• Identify symptoms.
• Consider multiple approaches.
4. Establish a plan of action to resolve the problem and identify potential effects.
7. Document findings, actions, and outcomes.
The first step in the troubleshooting process is to identify the problem. There are
several techniques and approaches that can assist with this step.
Gather Information
At the outset, define the scope of the problem (that is, the area affected). This is
helpful in two ways. First, if it's a single user, then it's not as urgent as the other
outstanding call you have. But if it's the whole third floor, then it's more urgent. In
addition, the fact that the problem affects a wider area means that it is unlikely to
be a problem with one user's workstation. Knowing the scope of the problem can
help to identify its source and prioritize the issue in relation to other incidents.
As well as the information-gathering techniques discussed here, consider what
indirect sources of information there may be:
• Check the system documentation, such as installation or maintenance logs, for
useful information.
• Check recent job logs or consult any other technicians who might have worked
on the system recently or might be working on some related issue.
• Duplicate the problem on the user's system or a test system. You will need to
try to follow the same steps as the user. Issues that are transitory or difficult to
reproduce are often the hardest to troubleshoot.
Question Users
The first report of a problem will typically come from a user or another technician,
and they will be one of the best sources of information, if you can ask the right
questions. The basis of getting troubleshooting information from users is asking
good questions. Questions are commonly divided into two types:
• Open questions invite someone to explain in their own words. Examples are:
"What is the problem?" or "What happens when you try to switch the computer
on?" Open questions are good to start with, as they help to avoid making your
own assumptions about what is wrong, and they encourage the user to give you
all the information they can.
• "What has changed since it was last working?" The change that caused the
problem may not be obvious. Maybe the window cleaners were in the building,
and one of them tripped over a cable and now the user can't log in. Maybe
someone has moved the user's workstation from one end of his desk to another
and plugged the cable into a different port. Check for documented changes
using the system inventory, but if this does not reveal anything, look for
undocumented changes in the local area of the incident.
Methodical validation of network components can be approached by testing at each
layer of the OSI model in sequence. There are many components which go to make
up a network.
Some, or several, of these components may be at fault when a problem is reported
to you. It is important that you tackle the problem logically and methodically.
Unless a problem is trivial, break the troubleshooting process into compartments
or categories, using the OSI model as a guide. Start from either the top or bottom
and only move up or down when you have discounted a layer as the source of the
problem. For example, when troubleshooting a client workstation, you might work
as follows:
1. Decide whether the problem is hardware or software related (Hardware).
4. Test your theory (replace the cable with a known good one).
When you have drilled down like this, the problem should become obvious. Of
course, you could have made the wrong choice at any point, so you must be
prepared to go back and follow a different path.
If you are really unlucky, two (or more) components may be faulty. Another difficulty lies
in assessing whether a component itself is faulty or if it is not working because a related
component is broken.
Divide and Conquer Approach
In a divide and conquer approach, rather than starting at the top or bottom,
you start with the layer most likely to be causing the problem and then work
either down or up depending on what your tests reveal. For example, if you
start diagnosis at layer 3 and cannot identify a problem, you would then test at
layer 4. Conversely, if you discovered a problem at layer 3, you would first test
layer 2. If there is no problem at layer 2, you can return to layer 3 and work from
there up.
• The problem falls under a system warranty and would be better dealt with by
the supplier.
• The scope of the problem is very large and/or the solution requires some major
reconfiguration of the network.
When you escalate a problem, you should have established the basic facts, such
as the scope of the problem and its likely cause and be able to communicate these
clearly to the person to whom you are referring the incident.
If you can prove the cause of the problem, you can start to determine the next
steps to resolve the problem.
A basic technique when you are troubleshooting a cable, connector, or device is to have
a known good duplicate on hand (that is, another copy of the same cable or device that
you know works) and to test by substitution.
• Ignore—Not all problems are critical. If neither repair nor replace is cost-
effective, it may be best either to find a workaround or just to document the
issue and move on.
When you consider solutions, you must assess the cost and time required. Another
consideration is potential effects on the rest of the system. A typical example
is applying a software patch, which might fix a given problem but cause other
programs not to work. This is where an effective configuration management system
comes into play, as it should help you to understand how different systems are
interconnected and cause you to seek the proper authorization for your plan.
When you complete a problem log, remember that people other than you
may come to rely on it. Also, logs may be presented to customers as proof of
troubleshooting activity. Write clearly and concisely, checking for spelling and
grammar errors.
Review Activity:
Network Troubleshooting
Methodology
1. Which step has been omitted from the following list of activities related
to identifying the problem? Gather information • Duplicate the problem,
if possible • Question users • Identify symptoms • Determine if anything
has changed
Topic 4B
Troubleshoot Common Cable
Connectivity Issues
Throughput is typically measured at the network or transport layer. Often the term
goodput is used to measure an averaged data transfer rate at the application layer. This
takes account of the effect of packet loss. Throughput is also sometimes measured as
packets per second.
As well as bandwidth or throughput and packet loss, the speed at which packets
are delivered is also an important network performance characteristic. Speed is
measured as a unit of time—typically milliseconds (ms)—and is also referred to as
latency, or delay. Latency can occur at many layers of the OSI model. It is not usually
a critical factor on local Ethernets, however.
The term speed is also used to describe how well or badly a link is performing in terms
of throughput but do be aware of the distinction between bandwidth and latency.
• Noise is anything that gets transmitted within or close to the channel that isn't
the intended signal. This serves to make the signal itself difficult to distinguish,
causing errors in data and forcing retransmissions. This is expressed as the
signal to noise ratio (SNR).
Cable Issues
When troubleshooting cable connectivity, you are focusing on issues at the physical
layer. At layer one, a typical Ethernet link for an office workstation includes the
following components:
• Network transceiver in the host (end system).
• Structured cable between the wall port and a patch panel (the permanent link).
• Patch cable between the patch panel port and a switch port.
The entire cable path (patch cords plus permanent link) is referred to as a channel link.
Assuming you are investigating link failure (complete loss of connectivity), the first
step is to check that the patch cords are properly terminated and connected to
the network ports. If you suspect a fault, substitute the patch cord with a known
good cable.
If you cannot isolate the problem to the patch cords, test the transceivers. You can
use a loopback tool to test for a bad port.
If you don't have a loopback tool available, another approach is to substitute known
working hosts (connect a different computer to the link or swap ports at the switch). This
approach may have adverse impacts on the rest of the network, however, and issues
such as port security may make it an unreliable method.
If you can discount faulty patch cords and bad network ports/NICs, you will need
to use tools to test the structured cabling. The solution may involve installing a
new permanent link, but there could also be a termination or external interference
problem.
• Blinking amber—A fault has been detected (duplex mismatch or spanning tree
blocking, for instance).
If there are no obvious hardware failure issues, you should verify the settings on
the switch port and NIC. Most adapters and switches successfully autonegotiate
port settings. If this process fails, the adapter and port can end up with mismatched
speed or duplex settings. In most cases, this will be because either the adapter
or the switch port has been manually configured. If a host is set to a fixed
configuration and the switch is set to autonegotiate, the switch will default to
10 Mbps/half-duplex because the host will not negotiate with it. So, if the host
is manually configured to 100 Mbps/full duplex, the link will fail. Setting both to
autonegotiate will generally solve the problem. A speed mismatch will cause the link
to fail, while a duplex mismatch will slow the link down (it will cause high packet loss
and late collisions).
Cable Testers
When troubleshooting a permanent link, you should verify that the cable type is
appropriate to the application. For example, you cannot expect 10 GbE Ethernet to
run over an 80 m Cat 5e link. You may also need to verify that unshielded cable has
not been installed where shielded or screened cable would be more suitable. Using
an incorrect cable type might result in lower-than-expected speed and/or numerous
checksum errors and link resets. Check the identifier printed on the cable jacket to
verify the type that has been used.
From a safety point of view, you must also ensure that the cable jacket type is
suitable for the installation location, such as using plenum-rated cable in plenum
spaces and riser-rated cable in riser spaces.
If the cable is not accessible, cable testing tools can also be used to diagnose
intermittent connectivity or poor performance issues. The best time to verify wiring
installation and termination is just after you have made all the connections. This
means you should still have access to the cable runs. Identifying and correcting
errors at this point will be much simpler than when you are trying to set up end
user devices.
A cable tester reports detailed information on the physical and electrical
properties of the cable. For example, it can test and report on cable conditions,
crosstalk, attenuation, noise, resistance, and other characteristics of a cable run.
Devices classed as certifiers can be used to test and certify cable installations to
a performance category—for example, that a network is TIA/EIA 568 Category 6A
compliant. They use defined transport performance specifications to ensure an
installation exceeds the required performance characteristics for parameters such
as attenuation and crosstalk.
• Short—Two conductors are joined at some point, usually because the insulating
wire is damaged, or a connector is poorly wired.
• Crossed pair (TX/RX reverse)—The conductors from one pair have been
connected to pins belonging to a different pair (for example, from pins 3 and
6 to pins 1 and 2). This may be done deliberately to create a crossover cable,
but such a cable would not be used to link a host to a switch.
Another potential cable wiring fault is a split pair. This is where both ends of a single
wire in one pair are wired to terminals belonging to a different pair. This type of fault
can only be detected by a wire map tester that also tests for excessive crosstalk. This is
generally the kind of functionality associated with a cable tester or certifier.
A network tone generator and probe are used to trace a cable from one end to
the other. This may be necessary when the cables are bundled and have not been
labeled properly. This device is also known as a Fox and Hound or tone probe. The
tone generator applies a signal to the cable to be traced; the probe is then used to
follow the cable over ceilings and through ducts.
The maximum value allowed for insertion loss depends on the link category. For
example, Cat 5e at 100 MHz allows up to 24 dB, while Cat 6 allows up to 21.7 dB
at 250 MHz. When you are measuring insertion loss itself, smaller values are
better (20 dB insertion loss is better than 22 dB, for instance). A cable certifier is
likely to report the margin, which is the difference between the actual loss and
the maximum value allowed for the cable standard. Consequently, higher margin
values are better. For example, if the insertion loss measured over a Cat 5e cable
is 22 dB, the margin is 2 dB; if another cable measures 23 dB, the margin is only
1 dB, and you are that much closer to not meeting acceptable link standards. Higher
grade or shielded cable may alleviate the problem; otherwise, you will need to find
a shorter cable run or install a repeater or additional switch.
Careful cable placement is necessary during installation to ensure that the wiring is
not subject to interference from sources such as electrical power cables, fluorescent
lights, motors, electrical fans, radio transmitters, and so on. Electromagnetic
interference (EMI) is something that should be detected when the cable is
installed, so you should suspect either some new source that has been installed
recently or some source that was not taken into account during testing (machinery
or power circuits that weren’t activated when the installation testing took place, for
instance). Interference from nearby data cables is also referred to as alien crosstalk.
Radio frequency interference (RFI) is EMI that occurs in the frequencies used for radio
transmissions.
Crosstalk Issues
Crosstalk usually indicates a problem with bad wiring (poor quality or damaged or
the improper type for the application), a bad connector, or improper termination.
Check the cable for excessive untwisting at the ends and for kinks or crush points
along its run. Crosstalk is also measured in dB, but unlike insertion loss, higher
values represent less noise. Again, the expected measurements vary according to
the cable category and application. There are various types of crosstalk that can be
measured:
• Near End (NEXT)—This measures crosstalk on the receive pairs at the
transmitter end and is usually caused by excessive untwisting of pairs or faulty
bonding of shielded elements.
• Power sum—Gigabit and 10 GbE Ethernet use all four pairs. Power sum
crosstalk calculations (PSNEXT, PSACRN, and PSACRF) confirm that a cable is
suitable for this type of application. They are measured by energizing three of
the four pairs in turn.
Complete loss of connectivity indicates a break in the cable (or a completely faulty
installation), while intermittent loss of connectivity is more likely to be caused by
attenuation, crosstalk, or noise.
• Crossover—The cable is terminated with T568A at one end and T568B at the
other. This type of cable is used to connect an end system (host) to another host
or a hub to a hub.
In fact, crossover cable is no longer required for this type of application, as switches
either have an uplink port for this purpose or can autodetect and select between an
uplink and straight-through connection. This is referred to as auto-MDI/MDI-X. All
Gigabit Ethernet ports support auto-MDI/MDI-X.
RJ-45 console port with cable connected. The Secure Digital slot for firmware updates and the
MGT port next to the console port. (Image by Sorapop Udomsri © 123RF.com.)
Routers typically have console and AUX ports. The AUX port is used to connect to the
router over a dial-up modem. The console port just uses a serial (or null modem) link.
Incorrect Transceivers
The transceivers used in each optical interface (whether SFP, GBIC, or other
media converter) are designed to be used with a specific type of optical fiber. For
example, transceivers designed for single mode fiber use lasers while multimode
fiber transceivers typically use LEDs. Different transceivers are designed to work at
different optical wavelengths (typically 850 nm, 1300 nm, or 1550 nm). This means it
is important to check the manufacturer’s documentation for the interface to ensure
the correct fiber type is used, not only for the fiber optic cable, but also for the fiber
patch cords used to connect to it at each end. Mismatches between cable, patch
cords, and interfaces may lead to significant signal loss.
Review Activity:
Common Cable Connectivity Issues
3. What is the reason for making power sum crosstalk measurements when
testing a link?
4. Your network uses UTP cable throughout the building. There are a few
users who complain of intermittent network connectivity problems. You
cannot determine a pattern for these problems that relates to network
usage. You visit the users’ workstations and find that they are all located
close to an elevator shaft. What is a likely cause of the intermittent
connectivity problems? How might you correct the problem?
5. You have connected a computer to a network port and cannot get a link.
You have tested the adapter and cable and can confirm that there are no
problems. No other users are experiencing problems. The old computer
also experienced no problems. What cause would you suspect, and what
is a possible next step?
Lesson 4
Summary
• Test the connectivity path (ports, patch cords, structured links) methodically.
• Use loopback adapters, status indicators, and CLI tools to verify port status.
• Use multimeters, wire mappers, toner generators, and cable testers to identify
faults in copper cable. Use power meters, OTDRs, and spectrum analyzers for
fiber optic plant.
Lesson 5
Explaining IPv4 Addressing
LESSON INTRODUCTION
The physical and data link layers covered in the previous lessons establish local
links between nodes. At the network layer (layer 3) these individual networks can be
connected together into a network of networks, or internetwork.
In this lesson, you will identify the addressing and data delivery methods of
the Internet Protocol (IP). IP is at the heart of most modern networks, and
consequently one of the most important topic areas for a network professional
to understand and apply.
Lesson Objectives
In this lesson, you will:
• Explain IPv4 addressing schemes.
Topic 5A
Explain IPv4 Addressing Schemes
There are two versions of IP; version 4 is more widely adopted and is the version
discussed in the following few topics. IPv6 introduces a much larger address space and
different means of configuring clients and is discussed later in the next lesson.
IPv4 header.
The Protocol field describes what is contained (encapsulated) in the payload so that
the receiving host knows how to process it. For most packets, the IP protocol type
value in the Protocol field will indicate a Transmission Control Protocol (TCP/6)
segment or a User Datagram Protocol (UDP/17) datagram, which work at the
Transport layer. The values assigned to protocols (such as 6 for TCP and 17 for UDP)
are managed by IANA.
Those are the values in decimal. You are also likely to see them in their hex forms (0x06 and
0x11). Both formats ultimately represent 8-bit binary values (00000110 and 00010001).
Some protocols run directly on IP (rather than at the Transport layer). These IP
protocol types include the following:
• Internet Control Message Protocol (ICMP/1) is used for status messaging and
connectivity testing.
• Enhanced Interior Gateway Routing Protocol (EIGRP/88) and Open Shortest Path
First (OSPF/89) are protocols used by routers to exchange information about
paths to remote networks.
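The following added example (it is not code from the CompTIA guide) builds a minimal IPv4 header, reads the Protocol field back in decimal, hex, and binary, and verifies the header checksum the way a receiving host does before trusting the rest of the header. The source and destination addresses are constructed sample values, and the protocol-number table contains only the values listed above.

```python
# Added example (not from the CompTIA guide): build and parse an IPv4 header so
# the Protocol field can be read in decimal, hex and binary, and the header
# checksum verified. Addresses are constructed sample values.
import socket
import struct

# IP protocol numbers from the IANA registry that the text mentions
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF"}

HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a correct header,
    including its checksum field, the result is zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int,
                      payload_len: int = 0, ttl: int = 64) -> bytes:
    """Assemble a minimal header (IHL=5, DF set, no fragmentation) with a valid checksum."""
    version_ihl = (4 << 4) | 5
    draft = struct.pack(HEADER_FMT, version_ihl, 0, 20 + payload_len, 0x1234, 0x4000,
                        ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = internet_checksum(draft)    # computed with the checksum field zeroed
    return draft[:10] + struct.pack("!H", checksum) + draft[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed header fields and report the protocol in all three notations."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_len, _ident, _flags_frag, ttl, protocol,
     _checksum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4            # header length in bytes
    if version != 4:
        raise ValueError("not an IPv4 header (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "total_length": total_len,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other (not in this table)"),
        "protocol_hex": "0x%02x" % protocol,
        "protocol_bin": format(protocol, "08b"),
        # a receiver drops a header whose checksum does not verify
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,
    }


if __name__ == "__main__":
    hdr = build_ipv4_header("198.51.100.1", "198.51.100.2", 6)   # constructed sample
    print(parse_ipv4_header(hdr))
```

Flipping a single bit in the TTL field is enough to make `checksum_ok` false, which is the failure a corrupted or truncated header produces in practice; the parser refuses headers with a bad version or an IHL shorter than 20 bytes rather than guessing.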
• The host number (host ID)—This number identifies a host within an IP network.
Binary/Decimal Conversion
The following examples demonstrate the process of converting between binary and
decimal notation.
In base 2 (binary), digits can take one of two different values (0 and 1). The place
values are powers of 2 (2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, and so on). You should memorize
these values to be able to perform binary/decimal conversions using the columnar
method. Consider the octet 11101101 represented in base 2. This image shows
the place value of each digit in the octet in the first two rows, with the binary octet
in the third row. Rows four and five show that where there is a 1 in the octet, the
decimal place value is added to the sum:
You can use the same columnar method to convert from decimal to binary. For
example, the number 51 can be converted as follows:
If all the bits in an octet are set to 1, the number obtained is 255 (the maximum
possible value). Similarly, if all the bits are set to 0, the number obtained is 0 (the
minimum possible value). Therefore, theoretically an IPv4 address may be any value
between 0.0.0.0 and 255.255.255.255. However, some addresses are not
permitted or are reserved for special use.
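The columnar method just described, as an added example that is not code from the CompTIA guide: one function adds up the place values under each 1, the reverse walks the columns from 128 down, and a third renders the worksheet rows (exponent, place value, octet, contribution, sum) that the figure shows for 11101101.

```python
# Added example (not from the CompTIA guide): binary/decimal conversion of one
# IPv4 octet using the columnar (place-value) method described above.

PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # 2^7 ... 2^0, left to right


def octet_to_decimal(bits: str) -> int:
    """Add the place value of every column that holds a 1 (11101101 -> 237)."""
    if len(bits) != 8 or any(b not in "01" for b in bits):
        raise ValueError("an octet is exactly eight binary digits")
    total = 0
    for place, bit in zip(PLACE_VALUES, bits):
        if bit == "1":
            total += place
    return total


def decimal_to_octet(value: int) -> str:
    """Walk the columns from 128 down; take a column when it still fits (51 -> 00110011)."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds values 0..255 only")
    remaining = value
    bits = []
    for place in PLACE_VALUES:
        if remaining >= place:
            bits.append("1")
            remaining -= place
        else:
            bits.append("0")
    return "".join(bits)


def columnar_worksheet(bits: str) -> str:
    """Render the worksheet rows the text describes: exponent, place value,
    the octet, the contribution of each column, and the resulting sum."""
    total = octet_to_decimal(bits)
    rows = [
        ["2^%d" % e for e in range(7, -1, -1)],
        [str(p) for p in PLACE_VALUES],
        list(bits),
        [str(p) if b == "1" else "0" for p, b in zip(PLACE_VALUES, bits)],
    ]
    lines = ["".join(cell.rjust(5) for cell in row) for row in rows]
    lines.append("sum = %d" % total)
    return "\n".join(lines)


def dotted_to_binary(addr: str) -> str:
    """Convert a whole dotted-decimal address octet by octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % addr)
    return " ".join(decimal_to_octet(int(o)) for o in octets)


if __name__ == "__main__":
    print(columnar_worksheet("11101101"))
    print(decimal_to_octet(51))
    print(dotted_to_binary("198.51.100.1"))
```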
Network Masks
An IP address represents both a network ID and a host ID. A 32-bit network
mask (or netmask) is used to distinguish these two components within a single
IP address. The mask conceals the host ID portion of the IP address and thereby
reveals the network ID portion.
The mask and the IP address are the same number of bits. Wherever there is a binary
1 in the mask, the corresponding binary digit in the IP address is part of the network
ID. The 1s in the mask are always contiguous. For example, this mask is valid:
11111111 11111111 11111111 00000000
But the following string is not a valid mask:
11111111 00000000 11111111 00000000
The network ID portion of an IP address is revealed by ANDing the mask to the IP
address. When two 1s are ANDed together, the result is a 1. Any other combination
produces a 0.
For example, to determine the network ID of the host IP address 198.51.100.1
with a mask of 255.255.255.0, the dotted decimal notation of the IP address
and mask must first be converted to binary notation. The next step is to AND the
two binary numbers. The result can be converted back to dotted decimal notation
to show the network ID (198.51.100.0). The only difference between the host
IP address and the network ID lies in the last octet, which is not masked.
Instead of the dotted decimal mask, this network can be identified using prefix or
slash notation. The prefix is simply the number of bits set to 1 in the mask. The
network can therefore be referred to as 198.51.100.0/24.
The default masks align with octet boundaries. This means that the values in the
mask will be 255 or zero. For example, the default 24-bit mask is as follows:
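The masking steps above (convert to binary, AND, convert back, count the 1s for the prefix), as an added example rather than code from the CompTIA guide. The contiguity test uses a bit trick: inverting a valid mask gives a value of the form 0...01...1, and such values satisfy x & (x + 1) == 0, so 255.0.255.0 is rejected.

```python
# Added example (not from the CompTIA guide): apply a network mask to an IPv4
# address to reveal the network ID, check that the mask's 1s are contiguous,
# and express the result in prefix (slash) notation.

def dotted_to_int(addr: str) -> int:
    """Pack four dotted-decimal octets into one 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % octet)
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def as_binary(value: int) -> str:
    """32-bit binary string grouped per octet, for showing the AND step."""
    bits = format(value & 0xFFFFFFFF, "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def is_valid_mask(mask: str) -> bool:
    """A mask is valid only if its 1 bits are contiguous from the left."""
    inverted = ~dotted_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def prefix_length(mask: str) -> int:
    """Number of 1 bits in a valid mask (255.255.255.0 -> 24)."""
    if not is_valid_mask(mask):
        raise ValueError("non-contiguous mask: %s" % mask)
    return bin(dotted_to_int(mask)).count("1")


def network_id(addr: str, mask: str) -> str:
    """AND the mask with the address; the host bits fall away."""
    if not is_valid_mask(mask):
        raise ValueError("non-contiguous mask: %s" % mask)
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def prefix_notation(addr: str, mask: str) -> str:
    """198.51.100.1 with 255.255.255.0 -> 198.51.100.0/24"""
    return "%s/%d" % (network_id(addr, mask), prefix_length(mask))


def and_worksheet(addr: str, mask: str) -> str:
    """The three binary rows of the AND operation, as in the figure."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    return "\n".join([
        "address %s" % as_binary(a),
        "mask    %s" % as_binary(m),
        "AND     %s  = %s" % (as_binary(a & m), int_to_dotted(a & m)),
    ])


if __name__ == "__main__":
    print(and_worksheet("198.51.100.1", "255.255.255.0"))
    print(prefix_notation("198.51.100.1", "255.255.255.0"))
    print(is_valid_mask("255.0.255.0"))   # False: the 1s are not contiguous
```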
Subnet Masks
The relative sizes of the network and host portions determine how many networks
and hosts per network an addressing scheme can support. The conventional
addressing technique has IP addresses with two hierarchical levels, namely the
network ID and host ID. This scheme of using whole octet boundaries is inflexible,
so a system of dividing networks into subnetworks or subnets was devised.
Subnet addressing has three hierarchical levels: a network ID, subnet ID, and host
ID. To create logical subnets, bits from the host portion of the IP address must be
allocated as a subnetwork address, rather than part of the host ID.
This means the subnet ID lies within an octet boundary. For example, a binary mask
with 28 bits could use all the octets, with the network prefix boundary lying within
the fourth octet:
Subnet addressing.
8 bits can express 256 possible values (2^8). However, the first address
(198.51.100.0) cannot be assigned to a host because it is the network address.
Similarly, the last address (198.51.100.255) is reserved (for use as a broadcast
address).
Using some of these 8 host bits as a subnet ID creates extra networks, but each of
those subnets has fewer host addresses (14 in this example):
Review Activity:
IPv4 Addressing Schemes
Answer the following questions:
Topic 5B
Explain IPv4 Forwarding
The core function of IP is to facilitate the creation of a group of logically distinct but
interconnected networks, referred to as an internetwork. This means that some
packets addressed to hosts on remote networks must be forwarded via one or
more of the intermediate systems that establish paths between networks.
In this topic, you will identify the basic principles by which IP distinguishes local and
remote hosts and networks, plus the methods by which a packet can be addressed
to more than one host.
the network into three logical subnetworks. These subnets are mapped to layer 2
segments, each implemented using a switch.
Nodes within each subnet can address one another directly (they are in the same
broadcast domain), but they can only communicate with nodes in other subnets via
the router.
Within each subnet or broadcast domain, nodes use MAC addresses to forward
frames to one another, using a mechanism to translate between layer 3 IP
addresses and layer 2 MAC addresses.
The Network layer can also accommodate forwarding between different types
of layer 1/layer 2 networks. The private zone is implemented using Ethernet, but
the link between the router’s public interface and the ISP might use a different
technology, such as digital subscriber line (DSL).
In the figure, the first 28 bits of the source and destination address are the same.
Therefore, IP concludes the destination IPv4 address is on the same IP network and
tries to deliver the packet locally.
If the masked portion does not match, as in the following figure, IP assumes the
packet must be routed to another IP network:
When the destination IPv4 address is on a different IP network or subnet, the host
forwards the packet to its default gateway, rather than trying to deliver it locally.
The default gateway is a router configured with a path to remote networks.
The router determines what to do with the packet by performing the same
comparison between the source and destination address and netmask. The router
then uses its routing table to determine which interface it should use to forward the
packet. If no suitable path is available, the router drops the packet and informs the
host that it could not be delivered.
If the message is destined for yet another network, the process is repeated to take
it to the next stage, and so on.
Paths to other IP networks can be manually configured in the routing table or
learned by a dynamic routing protocol. Dynamic routing protocols allow routers
to share information about known networks and possible paths to them. This
information allows them to choose the best routes to any given destination and
select alternate routes if one of these is unavailable.
If the destination address is on a remote network, then the local host must use
its default gateway to forward the packet. Therefore, it must determine the MAC
address of the default gateway using ARP.
The router also uses ARP messaging for its Ethernet interfaces. ARP messaging is
only used with Ethernet, however. A router’s public interface might use a different
type of framing and local addressing.
For example, if the subnet mask is 255.255.240.0, the last four digits of the
last octet in the IP address are the host ID portion. If these digits are set to all 1s, that
is the last possible address before the next subnet ID, and therefore the network
broadcast address:
All hosts that share the same broadcast address receive the packet. They are said
to be in the same layer 3 broadcast domain. Broadcast domain boundaries are
established at the Network layer by routers. Routers do not forward broadcasts,
except in some specially configured circumstances.
As with unicast traffic, IP packets must be delivered to hosts using layer 2 MAC
addresses. At layer 2, broadcasts are delivered using the group MAC address
(ff:ff:ff:ff:ff:ff). This means that there is also a broadcast domain scope at layer 2.
With legacy devices such as hubs and bridges, every port on all physically connected
nodes is part of the same layer 2 broadcast domain. This is also the case with a
basic or unmanaged switch. By default, a switch floods broadcasts out of every port
except the source port.
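The forwarding logic of this topic, as an added example that is not code from the CompTIA guide: the host compares the masked bits of source and destination to decide whether to ARP for the destination or for the default gateway, a router picks the most specific routing-table entry (longest prefix) or drops the packet when nothing matches, and the broadcast address is the network ID with every host bit set to 1. The addresses, mask, gateway, and routing table are constructed sample values; the /28 mask mirrors the figures.

```python
# Added example (not from the CompTIA guide): the local-versus-remote decision a
# host makes, the longest-prefix lookup a router makes in its routing table, and
# the derivation of a subnet's broadcast address. All values are constructed.
from ipaddress import IPv4Address


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def to_str(value: int) -> str:
    return str(IPv4Address(value & 0xFFFFFFFF))


def same_network(a: str, b: str, mask: str) -> bool:
    """Compare only the masked (network) bits of two addresses."""
    m = to_int(mask)
    return to_int(a) & m == to_int(b) & m


def broadcast_address(addr: str, mask: str) -> str:
    """Network ID with every host bit set to 1."""
    m = to_int(mask)
    return to_str((to_int(addr) & m) | (~m & 0xFFFFFFFF))


def host_next_hop(src: str, dst: str, mask: str, gateway: str) -> tuple:
    """Return (address whose MAC the host must resolve, reason)."""
    if dst == "255.255.255.255" or dst == broadcast_address(src, mask):
        return ("ff:ff:ff:ff:ff:ff", "broadcast: no ARP, frame goes to the group MAC")
    if same_network(src, dst, mask):
        return (dst, "local: ARP for the destination itself")
    return (gateway, "remote: ARP for the default gateway")


def route_lookup(dst: str, routes: list):
    """routes: list of (network, mask, interface). The longest matching prefix
    wins; a 0.0.0.0 / 0.0.0.0 entry is the default route. None means no path:
    the router drops the packet and reports it undeliverable to the sender."""
    best, best_len = None, -1
    for network, mask, iface in routes:
        if same_network(dst, network, mask):
            prefix = bin(to_int(mask)).count("1")
            if prefix > best_len:
                best, best_len = iface, prefix
    return best


if __name__ == "__main__":
    MASK = "255.255.255.240"                     # /28, as in the figures
    GW = "198.51.100.14"                         # constructed gateway address
    print(host_next_hop("198.51.100.1", "198.51.100.5", MASK, GW))    # local
    print(host_next_hop("198.51.100.1", "198.51.100.17", MASK, GW))   # via gateway
    print(broadcast_address("10.1.17.5", "255.255.240.0"))            # 10.1.31.255
    table = [("172.30.16.0", "255.255.240.0", "eth1"),
             ("172.30.0.0", "255.255.0.0", "eth2"),
             ("0.0.0.0", "0.0.0.0", "wan0")]
    print(route_lookup("172.30.20.5", table), route_lookup("8.8.8.8", table))
```

Removing the default route from the table is the quickest way to see the drop case: `route_lookup` returns None, which is the point at which a real router would generate the "could not be delivered" message the text mentions.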
Multicast Addressing
IPv4 multicasting allows one host on the Internet (or private IP network) to send
content to other hosts that have identified themselves as interested in receiving
the originating host’s content. Multicast packets are sent to a destination IP address
from a special range configured for use with that multicast group.
At layer 2, multicasts are delivered using a special range of MAC addresses. The
switch must be multicast capable. If the switch is not multicast-capable, it will treat
multicast like a broadcast and flood the multicast transmissions out of all ports.
The intent to receive multicasts from a particular host is signaled by joining a
multicast group. The Internet Group Management Protocol (IGMP) is typically
used to configure group memberships and IP addresses.
Anycast Addressing
Anycast means that a group of hosts are configured with the same IP address.
When a router forwards a packet to an anycast group, it uses a prioritization
algorithm and metrics to select the host that is “closest” (that will receive the packet
and be able to process it the most quickly). This allows the service behind the IP
address to be provisioned more reliably. It allows for load balancing and failover
between the server hosts sharing the IP address.
Review Activity:
IPv4 Forwarding
Topic 5C
Configure IP Networks and Subnets
Organizations with large networks need to divide those networks up into smaller
segments to improve performance and security. A network segment is represented
at the Network layer by a subnet. Understanding basic principles of segmentation
and subnetting will be critical to progressing a career in networking.
• It is useful to divide a network into logically distinct zones for security and
administrative control.
• Networks that use different physical and data link technologies, such as Token
Ring and Ethernet, should be logically separated as different subnets.
Classful Addressing
So far, we have considered IP network and subnet IDs using masks or network
prefixes. This is referred to as classless addressing. A classful addressing scheme
was employed in the 1980s, before the use of netmasks to identify the network ID
portion of an address was developed. Classful addressing allocates a network ID
based on the first octet of the IP address.
When considering classful addressing, you need to be able to identify the address
class from the first octet of the IP address. This table shows how to identify an
address class from the first octet of the IP address in decimal.
Any organization can use private addresses on its networks without applying to a
registry or ISP, and multiple organizations can use these ranges simultaneously.
Internet access can be facilitated for hosts using a private addressing scheme in
two ways:
• Through a router configured with a single or block of valid public IP addresses;
the router translates between the private and public addresses using a process
called Network Address Translation (NAT).
• Through a proxy server that fulfills requests for Internet resources on behalf of
clients. The proxy server itself must be configured with a public IP address on
the external-facing interface.
These addresses are from one of the address ranges reserved for private addressing
(169.254.0.0/16). The first and last subnets are supposed to be unused.
Loopback Addresses
While nominally part of Class A, the range 127.0.0.0 to 127.255.255.255 (or
127.0.0.0/8) is reserved. This range is used to configure a loopback address, which
is a special address typically used to check that TCP/IP is correctly installed on the
local host. The loopback interface does not require a physical interface to function.
A packet sent to a loopback interface is not processed by a network adapter
but is otherwise processed as normal by the host’s TCP/IP stack. Every IP host is
automatically configured with a default loopback address, typically 127.0.0.1. On
some hosts, such as routers, more than one loopback address might be configured.
Loopback interfaces can also be configured with an address from any suitable IP
range, as long as it is unique on the network. A host will process a packet addressed
to a loopback address regardless of the interface on which it is received.
Other
A few other IPv4 address ranges are reserved for special use and are not publicly
routable:
• 0.0.0.0/8—Used when a specific address is unknown. This is typically used as a
source address by a client seeking a DHCP lease.
• The network ID must be from a valid public or a private range (not from the
loopback, link local reserved range, multicast range, or reserved/experimental
range, for instance).
• The network and/or host IDs cannot be all 1s in binary—this is reserved for
broadcasts.
• The network and/or host ID cannot be all 0s in binary; 0 means “this network.”
• The network ID must be unique on the Internet (if you are using a public
addressing scheme) or on your internal system of internetworks (if you are using
a private addressing scheme).
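An added example, not code from the CompTIA guide, that puts the classful table, the special-use ranges, and the host-address rules above into one checker. The class boundaries (A 1-126, B 128-191, C 192-223, D 224-239, E 240-255) and the RFC 1918 private ranges are standard values supplied here rather than read from a page table; the range labels are assumptions of this example. The host-bit rules are skipped for /31 and /32, which have no separate network or broadcast address.

```python
# Added example (not from the CompTIA guide): identify the classful address class
# from the first octet, recognise special-use ranges, and apply the host-address
# rules to an address/prefix pair. Class boundaries and RFC 1918 ranges are
# standard values; the labels are this example's own.
from ipaddress import IPv4Address, IPv4Network

# (first-octet low, high, class) for classful addressing; 0 and 127 are special
CLASS_RANGES = [(1, 126, "A"), (128, 191, "B"), (192, 223, "C"),
                (224, 239, "D"), (240, 255, "E")]

SPECIAL_RANGES = [
    ("0.0.0.0/8", "unspecified (DHCP client source)"),
    ("10.0.0.0/8", "private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved/experimental"),
]
ASSIGNABLE = {"public", "private"}   # categories a network ID may come from


def address_class(addr: str) -> str:
    first = int(addr.split(".")[0])
    for low, high, cls in CLASS_RANGES:
        if low <= first <= high:
            return cls
    return "special"        # first octet 0 or 127


def address_category(addr: str) -> str:
    """First matching special range, otherwise 'public'."""
    ip = IPv4Address(addr)
    for cidr, label in SPECIAL_RANGES:
        if ip in IPv4Network(cidr):
            return label
    return "public"


def validate_host_address(addr: str, prefix: int) -> tuple:
    """Return (ok, problems) for assigning addr/prefix to a host interface."""
    problems = []
    net = IPv4Network("%s/%d" % (addr, prefix), strict=False)
    category = address_category(str(net.network_address))
    if category not in ASSIGNABLE:
        problems.append("network ID is in a %s range" % category)
    ip = IPv4Address(addr)
    if prefix < 31:          # /31 and /32 have no separate network/broadcast address
        if ip == net.network_address:
            problems.append("host bits all 0: this is the network address")
        if ip == net.broadcast_address:
            problems.append("host bits all 1: this is the broadcast address")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("198.51.100.1", "198.51.100.255", "127.0.0.1", "169.254.3.9"):
        print(candidate, address_class(candidate), address_category(candidate),
              validate_host_address(candidate, 24))
```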
When you are performing subnet calculations, try to think in terms of the number
of mask bits. It helps to remember that each power of 2 is double the previous one:
power  2^2   2^3   2^4   2^5   2^6   2^7   2^8
value  4     8     16    32    64    128   256
Also memorize the decimal values for the number of bits set to 1 in an octet within
a mask:
bits   1     2     3     4     5     6     7     8
value  128   192   224   240   248   252   254   255
In the following example, the network designer is subnetting the network address
172.30.0.0/16. The process of designing the scheme is as follows:
1. Work out how many subnets are required (remembering to allow for future
growth), then round this number up to the nearest power of 2.
For example, if you need 12 subnets, the next nearest power of 2 is 16. The
exponent is the number of bits you will need to add to your default mask.
For example, 16 is 2^4 (2 to the power of 4), so you will need to add 4 bits to
the network prefix. In dotted decimal format, the subnet mask becomes
255.255.240.0.
2. Work out how many hosts each subnet must support and whether there is
enough space left in the scheme to accommodate them.
For example, the network address is in the /16 range, and you are using 4 bits
for subnetting, so you have 32 - 20 = 12 bits for hosts in each subnet. The
number of hosts per subnet can be expressed using the formula 2^n - 2, where
n is the number of bits you have allocated for the host ID. 12 bits is enough
for 4094 hosts in each subnet.
You subtract 2 because each subnet's network address and broadcast address cannot
be assigned to hosts.
Wherever a 1 appears in the binary mask, the corresponding digit in the IP address is
part of the network or subnet address. When you are planning what your mask will be,
remember this rule. Allocate more bits in the mask if you need more subnets. Allocate
fewer bits in the mask if you need more hosts per subnet.
Just for comparison, if you have a /24 (or Class C) network address and try
to allocate 16 subnets, there will be enough space left for only 14 hosts per
subnet (2^4 - 2).
3. Work out the subnets. The easiest way to find the first subnet ID is to deduct
the least significant octet in the mask (240 in this example) from 256. This
gives the first subnet ID, which, in full, is 172.30.16.0/20.
The subsequent subnet IDs are all the lowest subnet ID higher than the one
before—32, 48, 64, and so on.
4. Work out the host ranges for each subnet. Take the subnet address and add
a binary 1 to it for the first host. For the last host, take the next subnet ID
and deduct two binary digits from it. In this case, this is 172.30.16.1 and
172.30.31.254, respectively. Repeat for all subnets.
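The four-step design procedure above, carried through in an added example that is not code from the CompTIA guide. It generalises the steps to any base network and subnet count, and it also reproduces the /28 split of 198.51.100.0/24 from Topic 5A (16 subnets of 14 hosts). The function lists every subnet the new mask creates, so the zero subnet comes first and 172.30.16.0/20 from step 3 is the second entry; the 172.30.0.0/16 and 198.51.100.0/24 inputs are the guide's own example networks.

```python
# Added example (not from the CompTIA guide): the four-step subnet design
# procedure, generalised to any base network and subnet count.
import math
from ipaddress import IPv4Network


def bits_for_subnets(count: int) -> int:
    """Step 1: round the subnet count up to a power of 2; the exponent is the
    number of bits to add to the prefix (12 subnets -> 16 -> 4 bits)."""
    if count < 1:
        raise ValueError("need at least one subnet")
    return math.ceil(math.log2(count))


def hosts_per_subnet(prefix: int) -> int:
    """Step 2: 2^n - 2 usable hosts, n being the host bits left (/20 -> 4094)."""
    n = 32 - prefix
    return 2 ** n - 2 if n >= 2 else 0


def block_size(mask: str) -> tuple:
    """Step 3: 256 minus the last non-zero mask octet is the increment between
    subnet IDs, counted in that octet (255.255.240.0 -> 16 in octet 3)."""
    octets = [int(o) for o in mask.split(".")]
    position = max(i for i, o in enumerate(octets) if o != 0)
    return (256 - octets[position], position + 1)


def design_subnets(base_cidr: str, subnets_needed: int) -> dict:
    base = IPv4Network(base_cidr)
    new_prefix = base.prefixlen + bits_for_subnets(subnets_needed)
    if new_prefix > 30:
        raise ValueError("not enough host bits left for %d subnets" % subnets_needed)
    nets = list(base.subnets(new_prefix=new_prefix))
    mask = str(nets[0].netmask)
    size, octet = block_size(mask)
    return {
        "prefix": new_prefix,
        "mask": mask,
        "subnet_count": len(nets),
        "hosts_per_subnet": hosts_per_subnet(new_prefix),
        "block_size": size,
        "block_octet": octet,
        # Step 4: first host = subnet ID + 1, last host = next subnet ID - 2
        "subnets": [{
            "subnet": str(n.network_address),
            "first_host": str(n.network_address + 1),
            "last_host": str(n.broadcast_address - 1),
            "broadcast": str(n.broadcast_address),
        } for n in nets],
    }


if __name__ == "__main__":
    plan = design_subnets("172.30.0.0/16", 12)
    print(plan["prefix"], plan["mask"], plan["hosts_per_subnet"], plan["block_size"])
    for row in plan["subnets"][:3]:
        print(row)
```

Asking for more subnets than the host bits allow (for example 64 subnets of a /27) raises rather than silently producing /31 or /32 "subnets", which is the mistake the "allocate fewer bits if you need more hosts" rule guards against.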
Review Activity:
IP Networks and Subnets
Configurations
Answer the following questions:
5. If the IP address 10.0.10.22 were used with an /18 mask, how many
subnets and hosts per subnet would be available?
Review Activity:
Design an IP Subnet
At the 515support branch office, you have been asked to implement an IP network.
Your network ID is currently 198.51.100.0/24. You need to divide this in half
(two subnets) to accommodate hosts on two separate floors of the building, each
of which is served by managed switches. The whole network is served by a single
router.
Using the above scenario, answer the following questions:
1. To divide the network in half, what subnet mask do you need to use?
5. Your manager has considered his original plan and realized that it
does not accommodate the need for a WAN link to the head office or a
separate segment for a team that works with sensitive data. What mask
will you need to accommodate this new requirement, and how many
hosts per subnet will it allow?
Lesson 5
Summary
• The use of 32-bit IPv4 addresses and netmasks or network prefixes to identify
networks and subnets within networks.
• The role of the Address Resolution Protocol (ARP) in mapping layer 3 to layer
2 IP:MAC addresses.
• Work out the topology of switches, virtual LANs (VLANs), and routers to create
broadcast domain network segments that meet requirements for performance,
security, and physical/data link network technologies.
• Allocate more bits to the netmask to create more subnets with fewer hosts per
subnet, or fewer bits to the netmask to create fewer subnets with more hosts
per subnet.
Lesson 6
Supporting IPv4 and IPv6 Networks
LESSON INTRODUCTION
IP is implemented on network hosts using a wide variety of configuration interfaces
and tools. You must be confident about selecting an appropriate tool to use to
complete a particular support or troubleshooting task.
This lesson also introduces IPv6 addressing concepts and highlights some key
differences between IPv6 and IPv4.
Lesson Objectives
In this lesson, you will:
• Use appropriate tools to test IP configuration.
• Troubleshoot IP networks.
Topic 6A
Use Appropriate Tools to Test IP
Configuration
TCP/IP command line utilities enable you to gather information about how your
systems are configured and how they communicate over an IP network. When used
for troubleshooting, these utilities can provide information about communication
issues and their causes.
ipconfig
While netsh and PowerShell offer a lot of granular functionality, the ipconfig
command is still widely used for basic configuration reporting and support tasks.
ipconfig can be used as follows:
• ipconfig without any switches will display the IP address, subnet mask, and
default gateway (router) for all network interfaces to which TCP/IP is bound.
Identifying the current IP configuration with ipconfig. (Screenshot used with permission
from Microsoft.)
There are also /release6 and /renew6 switches for use with DHCPv6 (a DHCP
server supporting IPv6).
ifconfig and ip
In Linux, Ethernet interfaces are classically identified as eth0, eth1, eth2, and
so on, although some network packages now use different schemes, such as en
prefixes. In Linux, you need to distinguish between the running configuration and
the persistent configuration. The persistent configuration is the one applied after
a reboot or after a network adapter is reinitialized. The method of applying an IP
configuration to an adapter interface is specific to each distribution. Historically,
the persistent configuration was applied by editing the /etc/network/
interfaces file and bringing interfaces up or down with the ifup and
ifdown scripts. Many distributions now use the NetworkManager package,
which can be operated using a GUI or the nmcli tools. Alternatively, a network
configuration might be managed using the systemd-networkd configuration
manager. Additionally, recent distributions of Ubuntu use netplan to abstract some
of this underlying complexity to configuration files written in YAML Ain't Markup
Language (YAML). The YAML configuration files are rendered by either systemd-networkd
or NetworkManager.
When it comes to managing the running configuration, you also need to distinguish
between legacy and current command packages. ifconfig is part of the legacy
net-tools package. Use of these commands is deprecated on most modern Linux
distributions. ifconfig can still safely be used to report the network interface
configuration, however.
ifconfig output.
net-tools has been replaced by the iproute2 package. These tools can interface
properly with modern network configuration manager packages. As part of the
iproute2 package, the ip command has options for managing routes as well as
the local interface configuration. The basic reporting functionality of ifconfig
(show the current address configuration) is performed by running ip addr; to
report a single interface only, use ip addr show dev eth0. The ip link
command shows the status of interfaces, while ip -s link reports interface
statistics.
ip a command output.
• arp -d * deletes all entries in the ARP cache; it can also be used with
IPAddress to delete a single entry.
Output from the arp command showing network (IP) addresses mapped to physical (MAC)
addresses. Host interfaces are learned (dynamic), while broadcast and multicast interfaces are
configured statically. (Screenshot used with permission from Microsoft.)
In Linux, the ip neigh command shows entries in the local ARP cache (replacing
the old arp command).
The Time to Live (TTL) IP header field is reduced by one every time a packet is
forwarded by a router (referred to as a hop). The TTL output field in the ping
command shows the value of the counter when the packet arrived at its destination.
To work out the number of hops it took, you need to know the initial value. Different
operating systems and OS versions use different default values. For example, if you ping
a remote host from a Windows 10 host and the TTL value in the output is 52, then you
know the packet took 12 hops (64-52) to reach its destination.
• No reply (Request timed out.)—The host is unavailable or cannot route a reply
to your computer. Requests time out when the TTL is reduced to 0 because the
packet is looping (because of a corrupted routing table), when congestion causes
delays, or when a host does not respond.
ping Switches
ping can be used with several switches. You can use a host name or fully qualified
domain name rather than an IP address to test name resolution. When pinging by name,
-4 or -6 force the tool to query the IPv4 host record or IPv6 host record respectively.
Also, -t continues to ping the host until interrupted (by pressing Ctrl+C).
ping has different syntax when used under Linux. By default, the command executes
until manually halted, unless run with the number of packets set by the -c switch.
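The TTL reasoning above, as an added example that is not part of the original guide: the parser recognises the Windows and Linux reply formats, and the hop estimate assumes the common default initial TTLs of 64, 128, and 255 (the text only says that defaults differ by OS). The sample output lines are constructed, not captured.

```python
import re
from typing import Dict, List, Optional, Tuple

# Initial TTL values commonly used as OS defaults (assumed: 64 for Linux/macOS,
# 128 for Windows, 255 for many network devices).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Matches "TTL=52" (Windows) and "ttl=52" (Linux) in a reply line.
TTL_PATTERN = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def estimate_hops(observed_ttl: int) -> Tuple[int, int]:
    """Guess the sender's initial TTL and the hop count from the TTL seen in a reply.

    The smallest common initial value that is not below the observed TTL is assumed,
    so an observed TTL of 52 is read as 64 - 52 = 12 hops.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_ping_line(line: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Classify one line of ping output.

    Returns ("reply", ttl, estimated_hops) for an echo reply,
    ("timeout", None, None) for "Request timed out.", and
    ("other", None, None) for anything else (headers, statistics, ...).
    """
    if "timed out" in line.lower():
        return ("timeout", None, None)
    match = TTL_PATTERN.search(line)
    if match is None:
        return ("other", None, None)
    ttl = int(match.group(1))
    try:
        _, hops = estimate_hops(ttl)
    except ValueError:
        return ("other", None, None)
    return ("reply", ttl, hops)


def summarize(lines: List[str]) -> Dict[str, Optional[int]]:
    """Count replies and timeouts and report the hop estimate from the last reply."""
    replies = timeouts = 0
    hops: Optional[int] = None
    for line in lines:
        kind, _, line_hops = parse_ping_line(line)
        if kind == "reply":
            replies += 1
            hops = line_hops
        elif kind == "timeout":
            timeouts += 1
    return {"replies": replies, "timeouts": timeouts, "hops": hops}


# Constructed sample output (not captured from a real host): a Windows-style reply,
# a Linux-style reply, and a timeout.
SAMPLE_OUTPUT = [
    "Reply from 203.0.113.5: bytes=32 time=24ms TTL=52",
    "64 bytes from 203.0.113.5: icmp_seq=2 ttl=52 time=24.1 ms",
    "Request timed out.",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))  # {'replies': 2, 'timeouts': 1, 'hops': 12}
```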
Review Activity:
Test IP Configuration
Answer the following questions:
1. What output would you expect when running the command ip neigh?
2. True or False? The arp utility will always show another host's MAC
address if that host is on the same subnet.
3. True or False? Receiving an echo reply message indicates that the link
between two hosts is operational.
Topic 6B
Troubleshoot IP Networks
Power Issues
Like any computer system, networks require stable power to operate properly.
Power anomalies, such as surges and spikes, can damage devices, brownouts
(very brief power loss) can cause systems to lock up or reboot, while power failures
(blackouts) will down everything, including the lights. Enterprise sites have systems
to protect against these issues. Uninterruptible power supplies (UPSs) can keep
servers, switches, and routers running for a few minutes. This provides time to
either switch in a secondary power source (a generator) or shut down the system
gracefully, hopefully avoiding data loss. Most power problems will have to be
escalated to an electrician or to the power company, depending on where the
fault lies.
At the data link layer, most wired hosts connect to the network via a switch. If you
suspect a device like a switch, analyze the topology of your network. You should be
able to view those users who are suffering the problem, identify which part of the
network is affected, and identify the problem bridging or switching device.
When you have narrowed the problem to a device, you must determine what
the nature of the problem is. It is always worth resetting the switch to see if that
resolves the problem. Often, restarting network devices can clear any errors.
IP Configuration Issues
If you can rule out a problem at the Physical and Data Link layers, the next thing
to check is basic addressing and protocol configuration. If a host cannot perform
neighbor discovery to contact any other nodes on the local network, first use
ipconfig (Windows) or ip or ifconfig (Linux) to verify the host configuration.
Incorrect IP Address
Each end system host must have the same subnet mask as its neighbors and
an IP address that produces a valid, unique host address within that subnet. A
neighbor in this sense is another host in the same layer 2 broadcast domain. For
example, if the subnet is 192.168.1.0/24, consider the following host address
configurations:
• Host A: IP: 192.168.1.10, Mask: 255.255.255.0
Host A and Host B have valid configurations, but Host C has an address in a
different subnet (192.168.0.0 compared to 192.168.1.0). Hosts A and B
will try to use the default gateway to forward packets to Host C. Host C is unlikely to
be able to communicate on the network at all.
When you encounter nondefault masks, it can be slightly more difficult to identify
valid host ranges. For example, if the subnet address is 198.51.100.16/28,
consider the following host address configurations:
• Host A: IP: 198.51.100.10, Mask: 255.255.255.240
The network prefix boundary lies within the last octet, so you cannot rely on the
first three octets alone. Again, host C is in a different subnet.
Also, remember that the network address and broadcast address cannot be used as
a host address.
Because it is using a longer prefix than it should, Host C will think it needs to route
to a different subnet to communicate with hosts A and B. This will cause packets to
go via the router, placing unnecessary load on it.
The other scenario for an incorrect mask is where the mask is shorter than it
should be:
• Host A: IP: 192.168.1.10, Mask: 255.255.255.0
In this case, the problem will not be obvious if hosts A, B, and C are all on the
same local network, as they will be able to use ARP messaging and receive
replies. However, host C will not be able to contact host D, as it thinks that host
D is on the same local network, whereas in fact it needs to route messages for
192.168.0.0/24 via the default gateway.
In this scenario, the router might send ICMP redirect status messages to host C.
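The three address and mask scenarios above (wrong subnet, mask too long, mask too short), as an added example that is not part of the original guide. It uses Python's standard ipaddress module; only Host A's 192.168.1.10/24 comes from the text, and the other host addresses are constructed for illustration.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple


def host_network(ip: str, mask: str) -> IPv4Network:
    """The subnet a host believes it is on, derived from its own address and mask."""
    return IPv4Network(f"{ip}/{mask}", strict=False)


def is_usable_host(ip: str, mask: str) -> bool:
    """The network address and the broadcast address cannot be used as host addresses."""
    net = host_network(ip, mask)
    addr = IPv4Address(ip)
    return net.network_address < addr < net.broadcast_address


def delivery(local_ip: str, local_mask: str, dest_ip: str) -> str:
    """How the local host will try to reach dest_ip.

    "local" means it treats the destination as a neighbor and ARPs for it directly;
    "gateway" means it hands the packet to its default gateway for routing.
    """
    if IPv4Address(dest_ip) in host_network(local_ip, local_mask):
        return "local"
    return "gateway"


def diagnose(hosts: Dict[str, Tuple[str, str]], intended_subnet: str) -> Dict[str, str]:
    """Compare each host's (ip, mask) with the subnet the administrator intended."""
    intended = IPv4Network(intended_subnet)
    findings: Dict[str, str] = {}
    for name, (ip, mask) in hosts.items():
        believed = host_network(ip, mask)
        if not is_usable_host(ip, mask):
            findings[name] = "unusable: network or broadcast address"
        elif believed == intended:
            findings[name] = "ok"
        elif believed.prefixlen != intended.prefixlen:
            findings[name] = f"wrong mask: host believes it is on {believed}"
        else:
            findings[name] = f"wrong subnet: host is on {believed}"
    return findings


# Constructed hosts (only Host A's address is from the text). Host C has an address in
# 192.168.0.0/24, so A and B will send packets for C to the default gateway instead.
LAN_24 = {
    "A": ("192.168.1.10", "255.255.255.0"),
    "B": ("192.168.1.20", "255.255.255.0"),
    "C": ("192.168.0.20", "255.255.255.0"),
}

if __name__ == "__main__":
    print(diagnose(LAN_24, "192.168.1.0/24"))
    # Mask too long: C uses /25, so it routes traffic for A (in the other half) via the router.
    print(delivery("192.168.1.200", "255.255.255.128", "192.168.1.10"))  # gateway
    # Mask too short: C uses /16, so it ARPs for D in 192.168.0.0/24 instead of routing.
    print(delivery("192.168.1.30", "255.255.0.0", "192.168.0.50"))       # local
    # Nondefault mask inside the last octet: 198.51.100.31 is the broadcast of .16/28.
    print(is_usable_host("198.51.100.31", "255.255.255.240"))           # False
```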
Issues with MAC addressing can be a sign that someone is attempting to perform a
spoofing attack. Spoofing attacks are discussed later in the course.
To diagnose MAC address issues, use the arp utility to verify the MAC addresses
recorded for each host and ipconfig or ip neigh to check the MAC address
assigned to the interface. Also check the MAC address and ARP tables on any
switches and routers involved in the communications path. You can use a protocol
analyzer to examine ARP traffic and identify which IP hosts are attempting to claim
the same MAC address.
Problem Isolation
If the address configuration on the local host seems to be correct, you can complete
a series of connectivity tests using ping to determine the likely location and scope of
a fault.
. Ping the IP address of the local host to verify it was added correctly and to
verify that the network adapter is functioning properly. If you cannot ping your
own address, there might have been a configuration error, or the network
adapter or adapter driver could be faulty.
. Ping the IP address of the default gateway to verify it is up and running and
that you can communicate with another host on the local network.
. Ping the IP address of other hosts on the same subnet to test for local
configuration or link problems.
netmask. If these are correct but pings still time out, suspect either a security
issue (such as a switch port security issue) or a problem at the data link or
physical layer.
. Ping the IP address of a remote host to verify you can communicate through
the router. If a remote IP address cannot be contacted, check the default
gateway parameter on the local host to rule out an incorrect gateway issue.
If the gateway is configured correctly and you can ping the router, you need
to start investigating the routing infrastructure.
When performing tests using ping, always be aware that ICMP could be blocked by a
firewall or other security software, especially when pinging remote hosts.
Incorrect DNS Issues
If you can successfully perform all connectivity tests by IP address but cannot ping
by host name, then this suggests a name resolution problem. Many services use
host names and domain names to make them easier to reconfigure and easier
for people to access. The Domain Name System (DNS) is used to map these
names to IP addresses. When a host receives a client request to access a name
and it does not have the IP mapping cached, it asks a DNS server configured as
a resolver to perform the lookup and return the IP address. As name resolution
is a critical service, most hosts are configured with primary and secondary DNS
servers for redundancy. The server addresses are entered as IP addresses. On most
workstation hosts, these addresses are likely to be autoconfigured via DHCP.
In Windows, you can view the DNS servers using ipconfig /all. In Linux,
the DNS server addresses are recorded in /etc/resolv.conf. Typically, a
package such as NetworkManager or systemd-networkd would add the entries.
Entries added directly will be overwritten at reboot.
If a host cannot resolve names, check that the correct DNS server addresses have
been configured and that you can ping them. If there are configuration errors,
either correct them (if the interface is statically configured) or investigate the
automatic addressing server. If there are connectivity errors, check the network
path between the host and its DNS servers.
Review Activity:
Troubleshoot IP Networks
. You have pinged the router for the local subnet and confirmed that there
is a valid link. The local host cannot access remote hosts however. No
other users are experiencing problems. What do you think is the cause?
Topic 6C
Explain IPv6 Addressing Schemes
The previous topics focused on IP version 4 (IPv4), which is still the mainstream
version of the protocol. In this topic, you will learn to explain IP version 6 (IPv6)
addressing. As a network professional, you should be aware of the limitations
of IPv4 and the increasing adoption of IPv6. You need to understand the
characteristics of IPv6, as well as how it can interoperate with existing IPv4
implementations.
IPv4 versus IPv6
In IPv4, the addressing scheme is based on a 32-bit binary number. 32 bits can
express 2^32 unique addresses (in excess of four billion). However, the way in which
addresses have been allocated has been inefficient, leading to waste of available
addresses. Inefficiencies in the addressing scheme and unceasing demand for more
addresses mean that the available IPv4 address supply is exhausted.
IP version 6 (IPv6) provides a long-term solution to this problem of address space
exhaustion. Its 128-bit addressing scheme has space for 340 undecillion unique
addresses. Even though only a small part of the scheme can currently be allocated
to hosts, there is still enough address space within that allocation for every person
on the planet to own approximately 4,000 addresses. As well as coping with the
growth in ordinary company networks and Internet access subscribers, IPv6 is
designed to meet the demands of billions of personal and embedded devices with
Internet connectivity.
This blog explains why we have jumped from IPv4 to IPv6: colocationamerica.com/blog/ipv4-ipv6-what-happened-to-ipv5.htm.
An IPv6 packet consists of two or three elements: the main header, which is a fixed
length (unlike in IPv4), one or more optional extension headers, and the payload. As
with an IPv4 header, there are fields for the source and destination addresses and
the version (0110 or 0x06 for IPv6). Some of the other header fields are as follows:
Field: Explanation
Traffic Class: Describes the packet's priority.
Flow Label: Used for quality of service (QoS) management, such as for real-time
streams. This is set to 0 for packets not part of any delivery sequence or structure.
Payload Length: Indicates the length of the packet payload, up to a maximum of
64 KB; if the payload is bigger than that, this field is 0 and a special Jumbo
Payload (4 GB) option is established.
Next Header: Used to describe what the next extension header (if any) is, or where
the actual payload begins.
Hop Limit: Replaces the TTL field in IPv4 but performs the same function.
Extension headers replace the Options field in IPv4. There are several predefined
extension headers to cover functions such as fragmentation and reassembly,
security (IPSec), source routing, and so on.
In IPv6, the interface identifier is always the last 64 bits. The first 64 bits are used for network
addressing.
Network addresses are written using classless notation, where /nn is the length of
the network prefix in bits. Within the 64-bit network ID, as with IPv4 netmasks, the
length of any given network prefix is used to determine whether two addresses
belong to the same IP network. For example, if the prefix is /48, then if the first 48
bits of an IPv6 address were the same as another address, the two would belong
to the same IP network. This means that a given organizationʼs network can be
represented by a global routing prefix 48 bits long, and they then have 16 bits left in
the network ID to subnet their network. For example,
2001:db8:3c4d::/48
would represent a network address, while:
2001:db8:3c4d:0001::/64
would represent a subnet within that network address.
Like IPv4, IPv6 can use unicast, multicast, and anycast addressing. Unlike IPv4, there
is no broadcast addressing.
• The next 45 bits are allocated in a hierarchical manner to regional registries and
from them to ISPs and end users.
Interface ID/EUI-64
The 64-bit interface ID can be determined by using two techniques.
One is by using the interfaceʼs MAC address. This is known as a MAC-derived
address or interface identifier. As a MAC address is currently 48 bits (6 bytes), a
(relatively) simple translation mechanism allows driver software to create a 64-bit
interface ID (an EUI-64) from these 48 bits.
Two changes occur to derive the EUI-64 interface ID from an interfaceʼs MAC
address. First, the digits fffe are added in the middle of the MAC address. Second,
the first 8 bits, or 2 hex digits, are converted to binary, and the 7th bit (or U/L bit) is
flipped (from 0 to 1 or 1 to 0). For example, the MAC address 00608c123abc would
become the EUI-64 address 02608cfffe123abc, which (when expressed in double
bytes) becomes 0260:8cff:fe12:3abc, or (without the leading 0) 260:8cff:fe12:3abc.
In the second technique, referred to as privacy extensions, the client device uses a
pseudorandom number for the interface ID. This is known as a temporary interface
ID or token. There is some concern that using interface identifiers would allow a
host to be identified and closely monitored when connecting to the Internet, and
using a token mitigates this to some degree.
The equivalent in IPv4 is Automatic Private IP Addressing (APIPA) and its 169.254.0.0
addresses. However, unlike IPv4, an IPv6 host is always configured with link local
addresses (one for each link), even if it also has a globally unique address.
A link local address is also appended with a zone index (or scope id) of the form
%1 (Windows) or %eth0 (Linux). This is used to define the source of the address
and make it unique to a particular link. For example, a given host may have links
to a loopback address, Ethernet, and a VPN. Each of these links may use the same
link local address, so each is assigned a zone ID to make it unique. Zone indices
are generated by the host system, so where two hosts communicate, they may be
referring to the link using different zone IDs.
While it is relatively uncommon for an interface to have more than one IPv4 address, in
IPv6 it is typical for an interface to have multiple addresses.
• The host listens for a router advertisement (RA) or transmits a router solicitation
(RS) using ND protocol messaging. The router can either provide a network
prefix, direct the host to a DHCPv6 server to perform stateful autoconfiguration,
or perform some combination of stateless and stateful configuration.
ICMPv6
IPv6 uses an updated version of ICMP. The key new features are:
• Error messaging—ICMPv6 supports the same sort of destination unreachable
and time exceeded messaging as ICMPv4. One change is the introduction of a
Packet Too Big class of error. Under IPv6, routers are no longer responsible for
packet fragmentation and reassembly, so the host must ensure that they fit in
the MTUs of the various links used.
• The next 4 bits are used to flag types of multicast if necessary; otherwise, they
are set to 0.
• The next 4 bits determine the scope; for example, 1 is node-local (to all
interfaces on the same node) and 2 is link local.
• The final 112 bits define multicast groups within that scope.
The Multicast Listener Discovery (MLD) protocol allows nodes to join a multicast
group and discover whether members of a group are present on a local subnet.
Broadcast addresses are not implemented in IPv6. Instead, hosts use an
appropriate multicast address for a given situation. The well-known multicast
addresses are ones reserved for these types of broadcast functionality. They allow
an interface to transmit to all interfaces or routers on the same node or local link.
In IPv4, IP address resolution to a specific hardware interface is performed using
ARP. ARP is chatty and requires every node to process its messages, whether they
are relevant to the node or not. IPv6 replaces ARP with the Neighbor Discovery (ND)
protocol.
Each unicast address for an interface is configured with a corresponding solicited-
node multicast address. It has the prefix ff02::1:ff plus the last 24 bits of the unicast
address. The solicited-node address is used by ND to perform address resolution.
It greatly reduces the number of hosts that are likely to receive ND messages
(down to one in most cases) and is therefore much more efficient than the old ARP
broadcast mechanism.
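The EUI-64 derivation, the privacy-extension alternative, the multicast flag/scope nibbles, and the solicited-node address described in the preceding sections, as an added example that is not part of the original guide. It uses the MAC address 00608c123abc from the text; the prefix 2001:db8:3c4d:1::/64 is the subnet shown earlier in the topic, and the scope names beyond node-local and link-local are the standard assignments, added here.

```python
import ipaddress
import secrets
from typing import Tuple

# The 0x02 bit of the first byte of a 64-bit interface ID is the U/L (universal/local) bit.
U_L_BIT = 1 << 57


def iid_to_text(iid: int) -> str:
    """Format a 64-bit interface ID as four 16-bit hex groups."""
    hexstr = f"{iid:016x}"
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def mac_to_eui64(mac: str) -> str:
    """Modified EUI-64 interface ID from a 48-bit MAC: insert fffe in the middle and flip
    the U/L bit, e.g. 00608c123abc -> 0260:8cff:fe12:3abc."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = int(digits[:6] + "fffe" + digits[6:], 16) ^ U_L_BIT
    return iid_to_text(iid)


def temporary_interface_id() -> str:
    """Privacy-extension style temporary ID: 64 random bits with the U/L bit cleared,
    so the host cannot be tracked by a stable MAC-derived identifier."""
    return iid_to_text(secrets.randbits(64) & ~U_L_BIT)


def with_prefix(prefix: str, iid: str) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix (fe80::/64 for link local, or a global /64 subnet)
    with an interface ID to form the full 128-bit address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("the interface ID occupies the low 64 bits, so the prefix must be /64")
    return ipaddress.IPv6Address(int(net.network_address) | int(iid.replace(":", ""), 16))


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast address: ff02::1:ff00:0 plus the last 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


SCOPE_NAMES = {1: "node-local", 2: "link-local", 5: "site-local", 8: "organization-local", 0xE: "global"}


def multicast_scope(addr: str) -> Tuple[int, int, str]:
    """Decode the 4 flag bits and 4 scope bits that follow the ff prefix of a multicast address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not an ff00::/8 multicast address")
    second_byte = (int(a) >> 112) & 0xFF   # bits 8-15 of the address
    flags, scope = second_byte >> 4, second_byte & 0xF
    return flags, scope, SCOPE_NAMES.get(scope, "other")


if __name__ == "__main__":
    iid = mac_to_eui64("00-60-8c-12-3a-bc")
    print(iid)                                          # 0260:8cff:fe12:3abc
    print(with_prefix("fe80::/64", iid))                # fe80::260:8cff:fe12:3abc
    global_addr = with_prefix("2001:db8:3c4d:1::/64", iid)
    print(global_addr)                                  # 2001:db8:3c4d:1:260:8cff:fe12:3abc
    print(solicited_node(str(global_addr)))             # ff02::1:ff12:3abc
    print(multicast_scope("ff02::1"))                   # (0, 2, 'link-local')
    print(temporary_interface_id())                     # random, differs on every run
```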
Dual Stack
Dual stack hosts and routers can run both IPv4 and IPv6 simultaneously and
communicate with devices configured with either type of address. Most modern
desktop and server operating systems implement dual stack IP. Most modern dual
stack systems will try to initiate communications using IPv6 by default.
Most services are addressed using names rather than IP addresses. This means that the
preference for IPv6 over IPv4 or the availability of either addressing method depends on
the Domain Name Server (DNS) records for the network.
Tunneling
As an alternative to dual stack, tunneling can be used to deliver IPv6 packets across
an IPv4 network. Tunneling means that IPv6 packets are inserted into IPv4 packets
and routed over the IPv4 network to their destination. Routing decisions are
based on the IPv4 address until the packets approach their destinations, at which
point the IPv6 packets are stripped from their IPv4 carrier packets and forwarded
according to IPv6 routing rules. This carries a high protocol overhead and is not
nearly as efficient as operating dual stack hosts.
In 6to4 automatic tunneling, no host configuration is necessary to enable the tunnel.
6to4 addresses use the prefix 2002::/16. 6to4 has been widely replaced by an enhanced
protocol called IPv6 Rapid Deployment (6RD). With 6RD, the 2002::/16 prefix is replaced
by an ISP-managed prefix and there are various other performance improvements.
Microsoft provides support for tunneling by Windows hosts using its Teredo
protocol. Teredo tunnels IPv6 packets as IPv4-based UDP messages over port 3544.
Teredo requires compatible clients and servers. The open-source Miredo package
implements Teredo for UNIX/Linux operating systems.
Another option for tunneling is Generic Routing Encapsulation (GRE). GRE allows a
wide variety of Network layer protocols to be encapsulated inside virtual point-to-
point links. This protocol has the advantage that because it was originally designed
for IPv4, it is considered a mature mechanism and can carry both v4 and v6 packets
over an IPv4 network.
Review Activity:
IPv6 Addressing Schemes
4. In IPv6, how can a host obtain a routable IPv6 address without requiring
manual configuration?
Lesson 6
Summary
You should be able to configure and troubleshoot host addressing and use an
appropriate IPv6 addressing scheme.
• Use the arp and ping utilities to troubleshoot issues with local addressing and
connectivity.
• Ping loopback, local, and then remote to determine connectivity and problem
scope.
• The use of 128-bit IPv6 addresses with network prefixes and 64-bit
interface identifiers.
• The use of local and global unicast plus multicast addressing schemes.
Lesson 7
Configuring and Troubleshooting
Routers
LESSON INTRODUCTION
Now that you are aware of the basic concepts of IP addressing and forwarding, you can
start identifying ways that paths between networks are implemented. Routers work
at layer 3 to aggregate information about neighboring networks and forward packets
along an appropriate path to their final destination.
While configuring routing infrastructure is often a senior job role, you should
understand basic concepts and be able to apply them to solve common issues.
Lesson Objectives
In this lesson, you will:
• Compare and contrast routing concepts.
Topic 7A
Compare and Contrast Routing
Concepts
• Gateway/next hop—The IP address of the next router along the path to the
destination.
Routing table on a VyOS router showing connected and static route entries.
• Remote network routes, for subnets and IP networks that are not directly
attached.
• Host routes, for routes to a specific IP address. A host route has a /32 network
prefix.
• Default routes, which are used when an exact match for a network or host route
is not found.
Static Routes
A static route is manually added to the routing table and only changes if edited
by the administrator. Configuring static routing entries can be useful in some
circumstances, but it can be problematic if the routing topology changes often, as
each route on each affected router needs to be updated manually.
Default Route
A default route is a special type of static route that identifies the next hop router
for a destination that cannot be matched by another routing table entry. The
destination address 0.0.0.0/0 (IPv4) or ::/0 (IPv6) is used to represent the default
route. The default route is also described as the gateway of last resort. Most end
systems are configured with a default route (pointing to the default gateway).
This may also be the simplest way for an edge router to forward traffic to an ISP's
routers.
Routing tables for three routers connected in series. (Images © 123RF.com.)
• The router has been configured with static routes to 10.0.3.0/24 and 10.0.4.0/24,
both of which are reachable via interface G1.
Router B has been configured in the same way, but here the networks 10.0.2.0/24
and 10.0.3.0/24 are directly connected and the paths to 10.0.1.0/24 and 10.0.4.0/24
are configured as static entries.
Router C has been configured differently. It is directly connected to 10.0.3.0/24
and 10.0.4.0/24, but the only static route configured is for 0.0.0.0/0. This is a
default route. While the router has no specific knowledge of networks 10.0.1.0/24
and 10.0.2.0/24, it will forward packets for these destinations over its G0
interface.
Packet Forwarding
When a router receives a packet, it reads the destination address in the packet and
looks up a matching destination network IP address and prefix in its routing table.
If there is a match, the router will forward the packet out of one of its interfaces by
encapsulating the packet in a new frame:
• If the packet can be delivered to a directly connected network via an Ethernet
interface, the router uses ARP (IPv4) or Neighbor Discovery (ND in IPv6) to
determine the interface address of the destination host.
• If the packet can be forwarded via a gateway over an Ethernet interface, it inserts
the next hop router's MAC address into the new frame.
• If the packet can be forwarded via a gateway over another type of interface
(leased line or DSL, for instance), the router encapsulates the packet in an
appropriate frame type.
Hop Count
If the packet is forwarded via a gateway, this process is repeated at each router
to deliver the packet through the internetwork. Each router along the path
counts as one hop. For example, in the network shown in the figure, host A takes
1 hop to communicate with LOCAL SRV via a directly connected interface on the
LAN router. Note that the switches do not count as hops. Host B takes multiple
hops (9) to communicate with REMOTE SRV, with traffic routed via two ISP
networks. Also, observe the alternative routes that could be taken. Do any have a
lower hop count?
Time To Live
At each router, the Time to Live (TTL) IP header field is decreased by at least 1.
This could be greater if the router is congested. The TTL is nominally the number
of seconds a packet can stay on the network before being discarded. While TTL is
defined as a unit of time (seconds), in practice, it is interpreted as a maximum hop
count. When the TTL is 0, the packet is discarded. This prevents badly addressed
packets from permanently circulating the network.
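The forwarding decision, longest-prefix match, default route and TTL handling described above, as an added example that is not part of the original guide. The routing table is Router C from the three-router figure; the interface assignment (10.0.3.0/24 on G0, 10.0.4.0/24 on G1) and Router B's address 10.0.3.1 as the default next hop are constructed, since the text does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[ipaddress.IPv4Address]   # None for a directly connected network
    kind: str                                   # "connected", "static", or "default"


def route(destination: str, interface: str, next_hop: Optional[str] = None) -> Route:
    """Build a table entry: a /0 destination is the default route, and a missing next
    hop means the network is directly connected to the interface."""
    net = ipaddress.IPv4Network(destination)
    if net.prefixlen == 0:
        kind = "default"
    elif next_hop is None:
        kind = "connected"
    else:
        kind = "static"
    hop = ipaddress.IPv4Address(next_hop) if next_hop is not None else None
    return Route(net, interface, hop, kind)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching entry wins, so a /32 host route
    beats a /24, and the /0 default route is used only when nothing else matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def forward(table: List[Route], dst: str, ttl: int) -> Dict[str, object]:
    """Decide what a router does with one packet: discard it when the TTL would reach 0
    or no route matches, otherwise choose the egress interface, the address whose MAC
    the new frame needs (ARP target), and the decremented TTL."""
    if ttl <= 1:   # decrementing would reach 0, so the packet is not forwarded
        return {"action": "discard", "reason": "TTL expired"}
    best = lookup(table, dst)
    if best is None:
        return {"action": "discard", "reason": "no route"}
    # Directly connected: resolve the destination host itself; otherwise resolve the next hop.
    arp_target = dst if best.next_hop is None else str(best.next_hop)
    return {"action": "forward", "interface": best.interface, "arp_for": arp_target,
            "ttl": ttl - 1, "via": best.kind}


# Router C: directly connected to 10.0.3.0/24 and 10.0.4.0/24 with only a default route.
# Interface names and the next hop 10.0.3.1 are constructed for this example.
ROUTER_C = [
    route("10.0.3.0/24", "G0"),
    route("10.0.4.0/24", "G1"),
    route("0.0.0.0/0", "G0", next_hop="10.0.3.1"),
]

if __name__ == "__main__":
    print(forward(ROUTER_C, "10.0.1.5", 64))    # default route, ARP for 10.0.3.1, TTL 63
    print(forward(ROUTER_C, "10.0.4.20", 64))   # connected, ARP for 10.0.4.20 itself
    print(forward(ROUTER_C, "10.0.1.5", 1))     # discarded: TTL would expire
```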
Fragmentation
IP provides best-effort delivery that is unreliable and connectionless.
Delivery is not guaranteed, and a packet might be lost, delivered out of sequence,
duplicated, or delayed. It is possible that due to limitations in the underlying
network, IP may fragment the packet into more manageable pieces to fit within the
Maximum Transmission Unit (MTU) of the Data Link protocol frame.
In IPv4, the ID, Flags, and Fragment Offset IP header fields are used to record the
sequence in which the packets were sent and to indicate whether the IP datagram
has been split between multiple frames for transport over the underlying Data Link
protocol. For example, the MTU of an Ethernet frame is usually 1500 bytes. An IP
datagram larger than 1500 bytes would have to be fragmented across more than
one Ethernet frame. A datagram passing over an internetwork might have to be
encapsulated in different Data Link frame types, each with different MTUs.
Most systems try to avoid IP fragmentation. IPv6 does not allow routers to perform
fragmentation. Instead, the host performs path MTU discovery to work out the MTU
supported by each hop and crafts IP datagrams that will fit the smallest MTU.
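To make the IPv4 header mechanics concrete, here is an added example (not from the Student Guide) that fragments a datagram to fit a Data Link MTU using the ID, MF flag, and Fragment Offset fields described above, and then reassembles the pieces even when they arrive out of sequence. The payload size, MTU and identification value are constructed for the illustration.

```python
"""Added example: IPv4-style fragmentation and reassembly. Fragment Offset counts
8-byte blocks, so every fragment except the last carries a multiple of 8 data bytes."""
from __future__ import annotations
from dataclasses import dataclass

IPV4_HEADER_LEN = 20  # header without options, in bytes


@dataclass
class Fragment:
    ident: int            # Identification: the same for every piece of one datagram
    more_fragments: bool  # MF flag: False only on the last piece
    offset: int           # Fragment Offset, in units of 8 bytes
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int) -> list[Fragment]:
    """Split payload so that header + data of each fragment fits within mtu."""
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8   # largest multiple of 8 that fits
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    if len(payload) + IPV4_HEADER_LEN <= mtu:
        return [Fragment(ident, False, 0, payload)]  # fits in one frame, no fragmentation
    pieces = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        is_last = start + max_data >= len(payload)
        pieces.append(Fragment(ident, not is_last, start // 8, chunk))
    return pieces


def reassemble(fragments: list[Fragment]) -> bytes:
    """Rebuild the original payload. Fragments may be delivered out of sequence, so
    they are ordered by offset; a missing or duplicated piece raises an error."""
    if len({f.ident for f in fragments}) != 1:
        raise ValueError("fragments belong to more than one datagram")
    ordered = sorted(fragments, key=lambda f: f.offset)
    if ordered[-1].more_fragments:
        raise ValueError("last fragment (MF=0) has not arrived")
    data = bytearray()
    for f in ordered:
        if f.offset * 8 != len(data):
            raise ValueError(f"gap or duplicate before fragment at offset {f.offset}")
        data += f.payload
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: a 3000-byte payload crossing a 1500-byte Ethernet MTU
    for frag in fragment(0x1234, b"A" * 3000, 1500):
        print(f"offset={frag.offset:4d} (byte {frag.offset * 8:5d})  "
              f"len={len(frag.payload):4d}  MF={int(frag.more_fragments)}")
```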
Review Activity:
Routing Concepts
4. True or False? A router will not forward a packet when the TTL field is 0.
Topic 7B
Compare and Contrast Dynamic Routing Concepts
Convergence
Convergence is the process whereby routers running dynamic routing algorithms
agree on the network topology. Routers must be capable of adapting to changes
such as newly added networks, router or router interface failures, link failures, and
so on. Routers must be able to communicate changes to other routers quickly to
avoid black holes and loops. A black hole means that a packet is discarded without
notification back to the source; a loop causes a packet to be forwarded around the
network until its TTL expires.
A network where all the routers share the same topology is described as steady
state. The time taken to reach steady state is a measure of a routing protocol's
convergence performance.
A flapping interface is one that frequently changes from online to offline and offline to
online. Similarly, route flapping refers to a router changing the properties of a route it is
advertising quickly and often. Flapping can cause serious convergence problems.
RIP sends regular updates (typically every 30 seconds) of its entire routing database
to neighboring routers. It can also send triggered updates whenever changes occur.
When a router receives an update from a neighbor, it adds unknown routes to its
own routing table, increases the hop count by 1, and identifies the originator of the
update as the next hop to the specified networks.
In the following figure, RIP has been used to propagate route information between
three routers connected in a chain. Router A learns about networks 10.0.3.0/24
and 10.0.4.0/24 from Router B. It adds 1 to the hop count metric of these routes.
Router B learns about 10.0.1.0/24 from Router A and about 10.0.4.0/24 from Router
C. Router A and Router C do not exchange any information directly. The distance
vector process by which Router A learns about Router C's networks is often referred
to as “routing by rumor.”
The following example illustrates a mesh topology where there are multiple paths
between networks. Router A has two possible paths to network 10.0.3.0/24, which
it learns from Router B and Router C. It can forward a packet out of its G1 interface
over network 10.0.2.0/24, which will take one hop to reach the destination. It could
also forward the packet out of G2 and reach the destination via Router C and then
Router B. This takes two hops and so is not used as the preferred route.
If Router A's G1 link goes down, those entries will be removed from the routing
table and the alternative routes via 10.0.4.0/24 will be selected:
To help prevent looping, the maximum hop count allowed is 15. Consequently, this
limits the maximum size of a RIP network, since networks that have a hop count of
16 or higher are unreachable.
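The RIP behaviour described above (hop counts incremented at each router, routes learned second-hand, failover when a link goes down, and 16 meaning unreachable) can be simulated in a few dozen lines. The following is an added example, not from the Student Guide; its three-router mesh is constructed for the illustration and only loosely follows the figures. It also applies split horizon and route poisoning, two of the loop-prevention mechanisms the guide covers later.

```python
"""Added example: a RIP-style distance vector simulation."""
from __future__ import annotations

INFINITY = 16  # RIP: a hop count of 16 or more means "unreachable"


class Router:
    def __init__(self, name: str, links: dict[str, str]):
        self.name = name
        self.links = dict(links)  # interface -> directly connected network
        # routing table: network -> (hop count, next-hop router name or None)
        self.table: dict[str, tuple[int, str | None]] = {
            net: (0, None) for net in links.values()}

    def advertisement(self, neighbor: Router) -> dict[str, int]:
        """Routes sent to one neighbor, with split horizon: a route learned
        from that neighbor is never advertised back to it."""
        return {net: m for net, (m, nh) in self.table.items() if nh != neighbor.name}

    def receive(self, frm: str, adv: dict[str, int]) -> bool:
        """Apply a neighbor's update (hop count + 1). Returns True on any change."""
        changed = False
        for net, metric in adv.items():
            new = (min(metric + 1, INFINITY), frm)
            cur = self.table.get(net)
            # install if the network is unknown, the path is better, or our current
            # next hop reports a change (even a worse one, e.g. a poisoned route)
            if (cur is None or new[0] < cur[0] or cur[1] == frm) and cur != new:
                self.table[net] = new
                changed = True
        return changed

    def reachable(self, net: str) -> bool:
        entry = self.table.get(net)
        return entry is not None and entry[0] < INFINITY


class Internetwork:
    def __init__(self, routers: list[Router]):
        self.routers = {r.name: r for r in routers}

    def neighbors(self, r: Router) -> list[Router]:
        """Routers that share a still-working link network with r."""
        mine = set(r.links.values())
        return [o for o in self.routers.values()
                if o is not r and mine & set(o.links.values())]

    def exchange(self) -> bool:
        """One periodic update cycle: every router advertises to every neighbor,
        then all updates are applied together. Returns True if anything changed."""
        pending = [(n, r.name, r.advertisement(n))
                   for r in self.routers.values() for n in self.neighbors(r)]
        results = [dst.receive(src, adv) for dst, src, adv in pending]
        return any(results)

    def converge(self, max_rounds: int = 50) -> int:
        """Run update cycles until one passes with no change; return how many ran."""
        for rounds in range(1, max_rounds + 1):
            if not self.exchange():
                return rounds
        raise RuntimeError("routing did not converge")

    def link_down(self, network: str) -> None:
        """Fail a link: routers on it poison that network (metric 16) and every
        route whose next hop is now out of reach, so the failure is announced
        rather than silently forgotten."""
        for r in self.routers.values():
            for iface, net in list(r.links.items()):
                if net == network:
                    del r.links[iface]
                    r.table[net] = (INFINITY, None)
        for r in self.routers.values():
            still = {n.name for n in self.neighbors(r)}
            for net, (metric, nh) in list(r.table.items()):
                if nh is not None and nh not in still:
                    r.table[net] = (INFINITY, nh)


def build_demo() -> Internetwork:
    """Constructed mesh: A-B over 10.0.2.0/24, A-C over 10.0.4.0/24, B-C over
    10.0.5.0/24; LAN 10.0.1.0/24 behind A and LAN 10.0.3.0/24 behind B."""
    return Internetwork([
        Router("A", {"g0": "10.0.1.0/24", "g1": "10.0.2.0/24", "g2": "10.0.4.0/24"}),
        Router("B", {"g0": "10.0.2.0/24", "g1": "10.0.3.0/24", "g2": "10.0.5.0/24"}),
        Router("C", {"g0": "10.0.4.0/24", "g1": "10.0.5.0/24"}),
    ])


if __name__ == "__main__":
    net = build_demo()
    print("converged after", net.converge(), "update cycles")
    print("A -> 10.0.3.0/24:", net.routers["A"].table["10.0.3.0/24"])  # (1, 'B')
    net.link_down("10.0.2.0/24")  # Router A's G1 link fails
    print("reconverged after", net.converge(), "update cycles")
    print("A -> 10.0.3.0/24:", net.routers["A"].table["10.0.3.0/24"])  # (2, 'C')
```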
RIP Versions
There are three versions of RIP:
• RIPv1 is a classful protocol and uses inefficient broadcasts to communicate
updates over UDP port 520.
• RIPng (next generation) is a version of the protocol designed for IPv6. RIPng uses
UDP port 521.
The simplicity of RIP makes it suited to small networks with limited failover routes.
Distance vector algorithms require that routers periodically propagate their entire
routing table to their immediate neighbors. This is not scalable to environments
with large numbers of networks. Distance vector algorithms provide for slower
convergence than link state algorithms. For more complex networks with redundant
paths, other dynamic routing protocols should be considered.
• Delay—Applies a cost based on the time it takes for a packet to traverse the
link. This metric is most important if the route is used to carry time-sensitive
data, such as voice or video. Delay is calculated as the cumulative value for all
outgoing interfaces in the path.
Where RIP sends periodic updates of its entire routing information base, EIGRP
sends a full update when it first establishes contact with a neighbor and thereafter
only sends updates when there is a topology change. This is more efficient and less
disruptive to large networks, giving it the best convergence performance in many
scenarios. EIGRP does use regular hello messaging to confirm connectivity with
its neighbors. Unlike RIP, EIGRP maintains a topology table alongside its routing
information base. The topology table is used to prevent loops while also supporting
a greater number of maximum hops than RIP (nominally up to 255). In this respect,
EIGRP has some similarities with link state routing protocols.
Unlike RIP, EIGRP is a native IP protocol, which means that it is encapsulated
directly in IP datagrams, rather than using TCP or UDP. It is tagged with the protocol
number 88 in the Protocol field of the IP header. Updates are transmitted using
multicast addressing.
Messages are sent as multicasts using OSPF's own datagram format. This is tagged
as protocol number 89 in the IP datagram's Protocol field. There are various packet
types and mechanisms to ensure sequencing and reliable delivery and to check for
errors. OSPF also supports plaintext or cryptographic authentication.
Administrative Distance
If a router has multiple entries to similar networks in its routing table, it must
determine which route to prefer. The first determining factor is that longer prefixes
are preferred over shorter ones. This is referred to as longest prefix match. For
example, a routing table contains the following two entries:
198.51.100.0/24 g0
198.51.100.0/28 g1
If the router receives a packet for 198.51.100.1, the packet will be routed via
g1, as that has the longer and more specific prefix.
Each routing protocol supported by the router can add a single route for any given
destination prefix to the routing table. This means that there might be more than
one route with an identical length prefix in the routing table. Each routing protocol
uses its metric to determine the least-cost path. However, as routing protocols use
different methods to calculate the metric, it cannot be used to compare routes
from different protocols in the overall IP routing table. Instead, an administrative
distance (AD) value is used to express the relative trustworthiness of the protocol
supplying the route. Default AD values are coded into the router but can be
adjusted by the administrator if necessary.
Source                                AD
Local interface/Directly connected     0
Static route                           1
BGP                                   20
EIGRP                                 90
OSPF                                 110
RIP                                  120
Unknown                              255
This means, for example, that given identical prefix lengths, a static route will be
preferred to anything other than directly connected networks and that a route
discovered by OSPF would be preferred to one reported by RIP. The value of 255 for
unknown routes means that they will not be used.
Conversely, a static route with a high AD could be defined to function as a backup
if a learned route update fails. In normal circumstances, the router will prefer the
learned route because it has a lower AD.
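The selection order described in this section (longest prefix match first, then administrative distance, then the protocol's own metric, with 255 meaning "do not use") is shown below as an added example that is not from the Student Guide. The AD defaults are the guide's; the sample routing table, interface names and metrics are constructed. The same ANDing test used for prefix matching is exposed as same_network(), which also answers the supernet question raised later in the lesson.

```python
"""Added example: route selection by longest prefix, then AD, then metric."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Default administrative distances from the text (lower = more trusted)
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
                  "ospf": 110, "rip": 120, "unknown": 255}


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "198.51.100.0/24"
    interface: str         # egress interface
    source: str            # "connected", "static" or a routing protocol name
    metric: int = 0        # protocol metric; only comparable within one source
    ad: int | None = None  # explicit AD (e.g. a floating static route), else default

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.source] if self.ad is None else self.ad


def same_network(addr: str, prefix: str) -> bool:
    """The ANDing test: mask the address and compare it with the network ID."""
    net = ipaddress.ip_network(prefix, strict=False)
    masked = int(ipaddress.ip_address(addr)) & int(net.netmask)
    return masked == int(net.network_address)


def select_route(table: list[Route], dest: str) -> Route | None:
    """Return the entry the router would forward dest over, or None if nothing
    (not even a default route) matches."""
    candidates = [r for r in table
                  if same_network(dest, r.prefix) and r.admin_distance < 255]
    if not candidates:
        return None
    # longer prefix wins; among equal prefixes lowest AD; then lowest metric
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, r.admin_distance, r.metric))


# Constructed routing table: the guide's /24 vs /28 pair plus one destination
# learned by three different sources, and a static default route.
DEMO_TABLE = [
    Route("198.51.100.0/24", "g0", "ospf", metric=20),
    Route("198.51.100.0/28", "g1", "rip", metric=3),
    Route("10.0.3.0/24", "g2", "rip", metric=2),
    Route("10.0.3.0/24", "g3", "ospf", metric=30),
    Route("10.0.3.0/24", "g4", "static", ad=200),  # floating static backup
    Route("0.0.0.0/0", "g5", "static"),
]

if __name__ == "__main__":
    for dest in ("198.51.100.1", "198.51.100.200", "10.0.3.7", "8.8.8.8"):
        chosen = select_route(DEMO_TABLE, dest)
        print(f"{dest:>15} -> {chosen.prefix} via {chosen.interface} ({chosen.source})")
```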
For example, rather than allocate a Class B (or /16) network address to a
company, several contiguous Class C (or /24) addresses could be assigned. Four
/24 network addresses give 1,016 hosts. However, this would mean complicated
routing with many entries in the routing tables to represent four IP networks
at the same location. Using CIDR collapses these routing entries into one single
entry. If the network addresses assigned to a company were 198.51.101.0 through
to 198.51.103.0 and you wanted to view this as one network, you need to allocate
two bits from the network address to summarize the four networks. This makes
the supernet prefix /22 or the subnet mask 255.255.252.0.
The ANDing process is still used to determine whether to route. If the ANDed
result reveals the same network ID as the destination address, then it is the same
network. In this next example, the first IP addresses belong to the supernet, but the
second is on a different company's network:
Routers external to the network just use this /22 prefix, so the complexity of the
LAN subnets is hidden and doesn't need to clog up their routing tables. The LAN's
internal routers use the /24 prefix or even multiple prefixes to create subnets of
different sizes.
Remember that both subnetting and supernetting require the use of a classless routing
protocol (one that does not determine the network mask based on the first octet in the
IP address). Dynamic routing protocols that support classless addressing include RIPv2,
EIGRP, OSPF, and BGPv4.
Without VLSM, you have to allocate subnetted ranges of addresses that are the
same size and use the same subnet mask throughout the network. This typically
means that some subnets have many wasted IP addresses or additional routing
interfaces must be installed to connect several smaller subnets together within a
single building or department.
VLSM allows different length netmasks to be used within the same IP network,
allowing more flexibility in the design process.
For this example, consider a company with three sites, each with differing network
sizes and IP address requirements. There are also subnets representing point-to-
point WAN links between the routers.
VLSM design usually proceeds by identifying the subnets with the most hosts and
organizing the scheme in descending order. As with any subnet calculations, it helps
to remember that each power of 2 is double the previous one:
2^2  2^3  2^4  2^5  2^6  2^7  2^8
  4    8   16   32   64  128  256
2. The next requirement is technically met by a 5-bit host address space, but as
this allows for exactly 30 addresses, there would be no room for growth. Using
6 bits might be safer, but for this scenario, we will choose the closest match
and adopt the /27 prefix.
3. The next three requirements are for 8, 12, and 12 hosts. These all require 4
bits, which gives up to 14 usable addresses.
4. The routers use point-to-point links, so no more than two addresses will ever
be required. This can be met by selecting a /30 prefix.
VLSM Design
The final VLSM design is summarized in the following table:
Office/Subnet              Required Number   Mask   Actual Number    Prefix
                           of IP Addresses   Bits   of IP Addresses
Main Office 1 (Router A)         80           7          126          /25
Main Office 2 (Router A)         30           5           30          /27
Main Office 3 (Router A)          8           4           14          /28
Branch Office (Router B)         12           4           14          /28
Branch Office (Router C)         12           4           14          /28
Router A – Router B               2           2            2          /30
Router A – Router C               2           2            2          /30
Router B – Router C               2           2            2          /30
All subnets except for Main Office 2 have room for growth.
In fact, if you analyze the final design, you will find that there are 36 unused
addresses at the end of the range. Consequently, there would have been space to
use a /26 prefix for the group of 30 hosts.
The actual IP address ranges generated by the VLSM design are shown in this
table.
Office                     Subnet               Subnet Mask       Usable Host      Broadcast
                                                                  Address Range    Address
Main Office 1 (Router A)   198.51.100.0/25      255.255.255.128   1—126            127
Main Office 2 (Router A)   198.51.100.128/27    255.255.255.224   129—158          159
Main Office 3 (Router A)   198.51.100.160/28    255.255.255.240   161—174          175
Branch Office (Router B)   198.51.100.176/28    255.255.255.240   177—190          191
Branch Office (Router C)   198.51.100.192/28    255.255.255.240   193—206          207
Router A – Router B        198.51.100.208/30    255.255.255.252   209—210          211
Router A – Router C        198.51.100.212/30    255.255.255.252   213—214          215
Router B – Router C        198.51.100.216/30    255.255.255.252   217—218          219
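The VLSM procedure worked through in this topic (sort the requirements by size, pick the smallest host-bit count that still leaves enough usable addresses, and place each subnet on a boundary that is a multiple of its own size) is automated below as an added example, not from the Student Guide. The office names, host counts and 198.51.100.0/24 base are the guide's; the allocator itself and its output format are mine, and it reproduces both tables above and the 36 unused addresses.

```python
"""Added example: a VLSM allocator that carries out the guide's design steps."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Allocation:
    name: str
    required: int
    host_bits: int
    subnet: ipaddress.IPv4Network

    @property
    def usable(self) -> int:
        # network and broadcast addresses are not assignable to hosts
        return max(self.subnet.num_addresses - 2, 0)

    @property
    def usable_range(self) -> tuple[str, str]:
        hosts = list(self.subnet.hosts())
        return str(hosts[0]), str(hosts[-1])


def host_bits_for(required: int) -> int:
    """Smallest host-bit count h with 2**h - 2 >= required. A point-to-point
    link (2 addresses) therefore needs 2 host bits, i.e. a /30."""
    h = 2
    while 2 ** h - 2 < required:
        h += 1
    return h


def vlsm_plan(base: str, requirements: list[tuple[str, int]]) -> list[Allocation]:
    """Carve subnets out of base, largest block first (the guide's step order),
    so every subnet starts on a boundary that is a multiple of its own size.
    Equal-sized requirements keep the order in which they were listed."""
    network = ipaddress.ip_network(base)
    ordered = sorted(requirements, key=lambda r: -host_bits_for(r[1]))  # stable sort
    cursor = int(network.network_address)
    limit = int(network.broadcast_address) + 1
    plan: list[Allocation] = []
    for name, required in ordered:
        h = host_bits_for(required)
        if cursor + 2 ** h > limit:
            raise ValueError(f"{name}: {base} has no room left for a /{32 - h}")
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{32 - h}")
        plan.append(Allocation(name, required, h, subnet))
        cursor += 2 ** h
    return plan


def unused_addresses(base: str, plan: list[Allocation]) -> int:
    """Addresses left at the top of the range after all subnets are placed."""
    return ipaddress.ip_network(base).num_addresses - sum(
        a.subnet.num_addresses for a in plan)


def format_table(plan: list[Allocation]) -> list[str]:
    """One row per subnet: name, prefix, mask, usable range, broadcast."""
    rows = []
    for a in plan:
        lo, hi = a.usable_range
        rows.append(f"{a.name:<26} {str(a.subnet):<20} {str(a.subnet.netmask):<16} "
                    f"{lo} - {hi}  broadcast {a.subnet.broadcast_address}")
    return rows


# Requirements exactly as listed in the guide's design table
GUIDE_REQUIREMENTS = [
    ("Main Office 1 (Router A)", 80),
    ("Main Office 2 (Router A)", 30),
    ("Main Office 3 (Router A)", 8),
    ("Branch Office (Router B)", 12),
    ("Branch Office (Router C)", 12),
    ("Router A - Router B", 2),
    ("Router A - Router C", 2),
    ("Router B - Router C", 2),
]

if __name__ == "__main__":
    plan = vlsm_plan("198.51.100.0/24", GUIDE_REQUIREMENTS)
    print("\n".join(format_table(plan)))
    print("unused addresses:", unused_addresses("198.51.100.0/24", plan))
```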
Review Activity:
Dynamic Routing Concepts
1. Which factors are used by default in EIGRP to identify the least-cost path?
6. True or False? VLSM means using more than one mask to subnet an IP
network.
Review Activity:
Design VLSM Subnets
In this activity, you will be designing an IP subnetting plan for an organization using
VLSM. This division of the company must use the 172.30.0.0/16 network address
range and subnet this down to develop an address scheme for the network displayed
in the topology diagram. You should be as efficient as possible when designing your
VLSM ranges, as additional branch offices may be added in the future.
Using the above scenario, answer the following questions:
1. How large will each of the subnets that join the three routers together
need to be?
3. What is the next largest subnet in the design? How many host bits will be
needed for that subnet? How many IP addresses will that subnet provide
and what is the VLSM?
Topic 7C
Install and Troubleshoot Routers
Edge Routers
Routers serve both to link physically remote networks and subdivide autonomous
IP networks into multiple subnets. Router placement is primarily driven by the IP
networks and subnets that have been created:
• Hosts with addresses in the same subnet or IP network must not be separated
by a router.
An integrated services router. This type of device combines DSL Internet access with Ethernet switch,
Wi-Fi, and VoIP for a one-box solution for remote sites and branch offices. (Image 123RF.com.)
An advanced services router. This type of device provides network edge connectivity over Carrier
Ethernet networks. (Image 123RF.com.)
Internal Routers
An internal router has no public interfaces. Internal routers are positioned to
implement whatever network topology is required. The figure shows a simplified
example of a typical network configuration. An edge router/firewall provides access
to the Internet. Traffic between the local subnets is controlled by a separate internal
router.
A network may also use a more complex topology, such as division into OSPF areas.
Subinterfaces
Many networks are segmented using the virtual LAN (VLAN) feature of managed
switches. Traffic between VLANs must be routed. In this scenario, it is possible
to use a router with a single interface (a one-armed router or router on a stick)
connected to a trunk port on the switch. The trunk port carries all the VLAN-to-
VLAN traffic that must be routed. The router's physical interface is configured with
multiple subinterfaces or virtual interfaces. Each subinterface is configured with
a specific VLAN ID. The subinterface receives traffic from a given VLAN and then
routes it to the subinterface serving the destination VLAN.
Router on a Stick topology with subinterfaces serving each VLAN subnet. (Images 123RF.com.)
Router Configuration
As a router appliance does not have a screen or keyboard, it is configured locally
either via a serial connection known as a console port or (more usually) remotely
over the network by using a protocol such as Secure Shell (SSH). SSH can be used
to communicate with the router via the IP address of any configured interface.
However, as any given physical interface could suffer a hardware fault or be
temporarily unavailable for various reasons, it is considered best practice to create
a virtual interface, known as a loopback interface, in the router's operating system
and assign it an IP address for use in remotely managing the router. This is a way of
giving the router an internal IP address, not connected to any physical network, that
is therefore not reliant on a specific network link being available.
Configuring IP on a VyOS-based software router. The host can be configured at a local terminal or
from a remote computer over Secure Shell (SSH).
Having placed the router at an appropriate point in the network, connected its
cabling, and established a management session, the principal configuration tasks
are as follows:
• Apply an IP configuration to each interface.
• Configure one or more routing protocols and/or static routes so that the router
can serve its function.
route
The route command is used to view and modify the routing table of end system
Windows and Linux hosts.
Apart from loopback addresses and the local subnet, the routing table for an end
system generally contains a single entry for the default route. The default route is
represented as the destination 0.0.0.0/0. Any traffic that is not addressed to the
local subnet is sent over this default route.
In Windows, to show the routing table, run route print.
IPv4 and IPv6 routing tables for a Windows host. For IPv4, the host uses 1 .1. .254 as its default
gateway. The IPv6 configuration has no route from the local network. (Screenshot used with
permission from Microsoft.)
To add a route, the syntax for the Windows version of the tool is:
route [-f -p] add DestinationIP mask Netmask
GatewayIP metric MetricValue if Interface
The variables in the syntax are defined as:
• DestinationIP is a network or host address.
• Interface is the adapter the host should use (used if the host is multihomed).
For example:
route add 192.168.3.0 mask 255.255.255.0 192.168.5.1
metric 2
Routes added in this manner are nonpersistent by default. This means that they
are stored in memory and will be discarded if the machine is restarted. A route can
be permanently configured (stored in the registry) using the -p switch. The tool
also allows for routes to be deleted (route delete) and modified (route
change).
The Linux version of route performs the same function, but the syntax is
different. The routing table is shown by entering route with no parameters. The
change parameter is not supported, and the command cannot be used to add
persistent routes. A nonpersistent route can be added using the following general
syntax:
route add -net 192.168.3.0 netmask 255.255.255.0
metric 2 dev eth0
The iproute2 suite of tools is designed to replace deprecated legacy command-line tools
in Linux. You can use ip route show and ip route add to achieve the
same ends.
traceroute
traceroute is supported on Linux and router OSes (such as Cisco IOS).
traceroute uses UDP probe messages by default. The command issues a UDP
probe for port 32767 with a TTL of 1. The first hop should reduce this to zero and
respond with an ICMP Time Exceeded message. The command then increments the
TTL by one and sends a second probe, which should reach the second hop router.
This process is repeated until the end node is reached, which should reply with an
ICMP Port Unreachable response.
The output shows the number of hops, the IP address of the ingress interface
of the router or host (that is, the interface from which the router receives the
probe), and the time taken to respond to each probe in milliseconds (ms). If no
acknowledgment is received within the timeout period, an asterisk is shown
against the probe. Note that while this could indicate that the router interface is
not responding, it could also be that the router is configured to drop packets with
expired TTLs silently.
traceroute can be configured to send ICMP Echo Request probes rather than
UDP by using traceroute -I. The traceroute -6 or traceroute6
commands are used for IPv6 networks.
tracert
On a Windows system, the same function is performed using the tracert
command. tracert uses ICMP Echo Request probes by default. The command
issues an Echo Request probe with a TTL of 1. The first hop should reduce this to
zero and respond with a Time Exceeded response. tracert then increments the
TTL by one each time to discover the full path.
Using tracert in Windows to plot the path from a host in the to CompTIA's web server.
(Screenshot used with permission from Microsoft.)
tracert can be used with several switches, which must precede the target IP
address or host.
You can use the -d switch to suppress name resolution, -h to specify the
maximum number of hops (the default is 30), and -w to specify a timeout in ms
(the default is 4000). If, after increasing the value, destinations are then reachable,
you probably have a bandwidth issue to resolve. When used with host names
(rather than IP addresses), tracert can be forced to use IPv6 instead of IPv4 by
adding the -6 switch.
tracert -6 www.microsoft.com
of a potential routing loop is for routers to generate ICMP Time Exceeded error
messages.
Routing protocols use various mechanisms to prevent loops. For example, distance
vector protocols use the following mechanisms:
• Maximum hop count—If the cost exceeds a certain value (16 in RIP), the
network is deemed unreachable. A poison route is one advertised with a hop
count of 16. This can provide an explicit failure notice to other routers.
• Split horizon—Prevents a routing update from being copied back to the source.
In the example above, this would prevent router C from sending an update
about a route to router A via router B to router B.
Link state protocols try to ensure that each node has a consistent view of the
network through continual, timely updates flooded to all nodes in the routing
domain. A loop in a link state routing domain typically indicates that updates are
not being propagated correctly.
You can use traceroute to diagnose a routing loop by looking for IP addresses
that appear multiple times in the output.
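The following added example (not from the Student Guide) simulates what traceroute does on the wire, as described in the traceroute section above: a probe is sent with TTL 1, 2, 3, and so on, the router that decrements the TTL to zero answers with ICMP Time Exceeded, and the destination answers the UDP probe with ICMP Port Unreachable. Run against a path with a misconfigured default route, it shows the repeated addresses this paragraph tells you to look for. Router addresses and next-hop tables are constructed (documentation ranges).

```python
"""Added example: traceroute mechanics and routing-loop detection in simulation."""
from __future__ import annotations

TIME_EXCEEDED = "ICMP Time Exceeded"
PORT_UNREACHABLE = "ICMP Port Unreachable"
DEST_UNREACHABLE = "ICMP Destination Unreachable"


class Router:
    def __init__(self, addr: str, routes: dict[str, str]):
        self.addr = addr      # ingress interface address: what traceroute reports
        self.routes = routes  # destination address -> next-hop address; "default" allowed

    def next_hop(self, dest: str) -> str | None:
        return self.routes.get(dest, self.routes.get("default"))


def send_probe(topology: dict[str, Router], first_hop: str, dest: str,
               ttl: int) -> tuple[str, str]:
    """Forward one probe. Every router decrements the TTL; the one that takes it
    to 0 discards the probe and replies Time Exceeded. A probe that reaches dest
    hits a closed UDP port and is answered with Port Unreachable."""
    current = first_hop
    while current != dest:
        router = topology[current]
        ttl -= 1
        if ttl == 0:
            return router.addr, TIME_EXCEEDED
        current = router.next_hop(dest)
        if current is None:
            return router.addr, DEST_UNREACHABLE
    return dest, PORT_UNREACHABLE


def traceroute(topology: dict[str, Router], first_hop: str, dest: str,
               max_hops: int = 30) -> list[tuple[int, str, str]]:
    """Probe with TTL 1, 2, 3, ... until something other than Time Exceeded
    comes back or max_hops (the tool's -h limit) is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, reply = send_probe(topology, first_hop, dest, ttl)
        hops.append((ttl, addr, reply))
        if reply != TIME_EXCEEDED:
            break
    return hops


def repeated_hops(hops: list[tuple[int, str, str]]) -> list[str]:
    """Addresses that answered Time Exceeded more than once, in order of first
    appearance: the signature of a routing loop in traceroute output."""
    seen: dict[str, int] = {}
    for _, addr, reply in hops:
        if reply == TIME_EXCEEDED:
            seen[addr] = seen.get(addr, 0) + 1
    return [addr for addr, count in seen.items() if count > 1]


DEST = "203.0.113.10"  # constructed destination host


def healthy_path() -> dict[str, Router]:
    """Three routers in a chain; the last one has DEST directly attached."""
    return {
        "192.0.2.1": Router("192.0.2.1", {"default": "192.0.2.2"}),
        "192.0.2.2": Router("192.0.2.2", {"default": "192.0.2.3"}),
        "192.0.2.3": Router("192.0.2.3", {DEST: DEST}),
    }


def looping_path() -> dict[str, Router]:
    """Same chain, but the last router's default route points back to the
    previous router, so packets for DEST bounce between .2 and .3."""
    topo = healthy_path()
    topo["192.0.2.3"] = Router("192.0.2.3", {"default": "192.0.2.2"})
    return topo


if __name__ == "__main__":
    for label, topo in (("healthy", healthy_path()), ("looping", looping_path())):
        hops = traceroute(topo, "192.0.2.1", DEST, max_hops=8)
        print(label)
        for ttl, addr, reply in hops:
            print(f"  {ttl:2d}  {addr:<15} {reply}")
        print("  repeated addresses:", repeated_hops(hops) or "none")
```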
the paths causes stateful firewall or network address translation (NAT) devices to
filter or drop communications. These types of devices should not be placed in the
middle of a network where the forward and return paths could diverge. Problematic
asymmetric routing could be caused by incorrectly configured static or dynamic
routes. You should use traceroute from both sender and receiver to compare
the per-hop latency to identify where the routing topology is misconfigured.
Typically, an estimated loss budget is calculated when planning the link. The link is
tested at deployment using an optical time domain reflectometer (OTDR) to derive
an actual value. Differences between these values may reveal an installation fault or
some unexpected source of signal loss.
The FOA has a loss budget calculator at thefoa.org (Tech Ref: Loss Budget).
The loss budget must be less than the power budget. The power budget is
calculated from the transceiver transmit (Tx) power and receiver (Rx) sensitivity,
which are both typically expressed in decibels relative to one milliwatt (dBm). For example, if Tx is
-8 dBm and Rx is -15 dBm, then the power budget is 7 dB.
If the loss budget is 5 dB, the margin between the power budget and loss budget
will be 2 dB. Margin is a safety factor to account for suboptimal installation
conditions (such as bends or stress), aging, repair of accidental damage
(additional splices), and performance under different thermal conditions (extreme
temperatures can cause loss).
If the margin between the transmitter power and link budget is low, the link is less
likely to achieve the expected bandwidth. There may be opportunities to improve
performance with better or fewer splices, or it may be necessary to use an amplifier
to boost the signal. Most outdoor plant would be designed with a margin of at least
5 dB. In a datacenter, where conditions are less variable, a lower margin might be
acceptable.
Review Activity:
Router Installation and Troubleshooting
Answer the following questions:
5. A campus to datacenter fiber optic link has been laid over 15 km of single
mode fiber with one fusion splice along this run. The termination at each
end requires two connectors. You need to evaluate a proposal to use
10GBASE-LR transceiver modules for the router. The module specification
quotes Tx power of –8.2 dBm and Rx sensitivity of –14.4 dBm. Assuming
attenuation of 0.4 dB/km, 0. 5 dB loss per connector, and 0.3 dB loss per
splice, do these modules work within the expected loss budget?
Review Activity:
Design a Branch Office Internetwork
Helpful Help East region branch office internetwork. (Images 123RF.com.)
1. Given the current scenario of the charity, how would the routers at each
local office be configured?
Presently, each local office has several PSTN (landline) telephones. The plan is to
replace these with a unified communications system for VoIP, conferencing, and
messaging/information. This will require devices in each local office to be able to
contact devices in other offices for direct media streaming. It is also anticipated that
additional links may be added between branch offices where larger numbers of
users are situated due to the increased bandwidth required by the new applications
at this site. Here is the revised diagram:
Revised design for Helpful Help East region branch office internetwork. (Image 123RF.com.)
If the new system works well in the East region (the smallest), the plan is to roll out
the system to the three other regions (North, South, and West). This will involve
connecting the main routers for each region together, plus some additional links for
redundancy. The other regions use different IP numbering systems and some use
VLSM.
4. Considering the potential changes a successful pilot in the East region
might bring about in the whole organization, would your router
configuration options change?
Lesson 7
Summary
You should be able to compare and contrast routing technologies and troubleshoot
common general routing issues.
• How the destination prefix length and route source administrative distance
affect forwarding.
Lesson 8
Explaining Network Topologies and Types
LESSON INTRODUCTION
The cabling, switching, and routing functions of the first three layers in the OSI model
can be deployed in many ways to implement networks of varying sizes and with
different purposes. Being able to summarize these network types and topologies
and the different network appliance models that support them will help you to build
networks that meet customer goals for performance and security.
Lesson Objectives
In this lesson, you will:
• Explain network types and characteristics.
Topic 8A
Explain Network Types and Characteristics
Network types and topologies determine the scale and flow of data through a
network at layers 1, 2, and 3. Getting to know the different topologies is essential
to designing or troubleshooting a network. No matter what your specific role
in network implementation and management, you will need to understand the
characteristics of the network topology you are working with and identify how the
topology affects network performance and troubleshooting.
A client-server network is one where some nodes, such as PCs, laptops, and
smartphones, act mostly as clients. The servers are more powerful computers.
Application services and resources are centrally provisioned, managed, and
secured.
A peer-to-peer network is one where each end system acts as both client and
server. This is a decentralized model where provision, management, and security of
services and data is distributed around the network.
Business and enterprise networks are typically client-server, while residential networks
are more often peer-to-peer (or workgroup). However, note that in a client-server
network, often, nodes will function as both clients and servers at the same time. For
example, a computer hosting a web application acts as a server to browser clients
but is itself a client of database services running on other server computers. It is the
centrally administered nature of the network that really defines it as client-server.
Network Types
A network type refers primarily to its size and scope. The size of a network can be
measured as the number of nodes, while the scope refers to the area over which
nodes sharing the same network address are distributed.
• Datacenters—A network that hosts only servers and storage, not end user client
devices.
The term wireless local area network (WLAN) is used for LANs based on Wi-Fi.
Open (public) WLANs are often referred to as hotspots.
Network Topology
Where the type defines the network scope, the topology describes the physical or
logical structure of the network in terms of nodes and links.
The physical network topology describes the placement of nodes and how they are
connected by the network media. For example, in one network, nodes might be
directly connected via a single cable; in another network, each node might connect to
a switch via separate cables. These two networks have different physical topologies.
The logical topology describes the flow of data through the network. For example,
given the different physical network topologies described previously, if in each case
the nodes can send messages to one another, the logical topology is the same. The
different physical implementations (directly connected via a cable versus connected
to the same switch) achieve the same logical layout.
In the simplest type of topology, a single link is established between two nodes. This
is called a point-to-point link. Because only two devices share the connection, they
are guaranteed a level of bandwidth.
Star Topology
In a star topology, each endpoint node is connected to a central forwarding node,
such as a hub, switch, or router. The central node mediates communications
between the endpoints. The star topology is the most widely used physical
topology. For example, a typical SOHO network is based around a single Internet
router appliance that clients can connect to with a cable or wirelessly. The star
topology is easy to reconfigure and easy to troubleshoot because all data goes
through a central point, which can be used to monitor and manage the network.
Faults are automatically isolated to the media, node (network card), or the hub,
switch, or router at the center of the star.
You may also encounter the hub-and-spoke topology. This is the same layout as a
star topology. The hub-and-spoke terminology is used when speaking about WANs
with remote sites.
Mesh Topology
A mesh topology is commonly used in WANs, especially public networks like the
Internet. In theory, a mesh network requires that each device has a point-to-point
link with every other device on the network (fully connected). This approach is
normally impractical, however. The number of links required by a full mesh is
expressed as n(n-1)/2, where n is the number of nodes. For example, a network of
just four nodes would require six links, while a network of 40 nodes would need 780
links. Consequently, a hybrid approach is often used, with only the most important
devices interconnected in the mesh, perhaps with extra links for fault tolerance and
redundancy. In this case, the topology is referred to as a partial mesh.
Ring Topology
In a physical ring topology, each node is wired to its neighbor in a closed loop.
A node receives a transmission from its upstream neighbor and passes it to its
downstream neighbor until the transmission reaches its intended destination.
Each node can regenerate the transmission, improving the potential range of the
network.
Ring topology.
The physical ring topology is no longer used on LANs, but it does remain a feature
of many WANs. Two ring systems (dual counter-rotating rings) can be used to
provide fault tolerance. These dual rings allow the system to continue to operate if
there is a break in one ring.
Bus Topology
A physical bus topology with more than two nodes is a shared access topology,
meaning that all nodes share the bandwidth of the media. Only one node can be
active at any one time, so the nodes must contend to put signals on the media. All
nodes attach directly to a single cable segment via cable taps. A signal travels down
the bus in both directions from the source and is received by all nodes connected
to the segment. The bus is terminated at both ends of the cable to absorb the signal
when it has passed all connected devices.
This type of physical bus topology is the basis of the earliest Ethernet networks
but is no longer in widespread use. Bus networks are comparatively difficult to
reconfigure (adding or removing nodes can disrupt the whole network), impose
limitations on the maximum number of nodes on a segment of cable, and are
difficult to troubleshoot (a cable fault could be anywhere on the segment of cable).
Perhaps most importantly, a fault anywhere in the cable means that all nodes are
unable to communicate.
A bus network does allow cables to be connected using a device called a repeater. Two
lengths of cable joined by a repeater are considered one length of cable for the purpose of
the bus topology. A repeater is a passive device and is not considered a network node in
the way that a switch or router would be.
A logical bus topology is one in which nodes receive the data transmitted all at the
same time, regardless of the physical wiring layout of the network. Because the
transmission medium is shared, only one node can transmit at a time. Nodes within
the same logical bus segment are in the same collision domain. When Ethernet
is deployed with a legacy hub appliance, this can be described as a physical star-
logical bus topology.
Hybrid Topology
A hybrid topology is anything that uses a mixture of point-to-point, star, mesh,
ring, and bus physical and/or logical topologies. As noted, an Ethernet hub
establishes a logical bus topology, but the physical topology is a star. Another
common legacy topology is the star-wired ring, where nodes in the ring are wired
to a central multistation access unit (MAU) rather than to its neighbors. The MAU
implements the logical ring and handles token passing.
On modern networks, hybrid topologies are often used to implement redundancy
and fault tolerance or to connect sites in WANs:
• Hierarchical star—corporate networks are often designed in a hierarchy,
also known as a tree topology. This can be combined with a star topology to
implement each node in the overall tree. The links between nodes in the tree are
referred to as backbones or trunks because they aggregate and distribute traffic
from multiple different areas of the network.
Review Activity:
3. You need operations to continue if one link fails. How many links does it
take to connect three sites?
Topic 8B
Explain Tiered Switching Architecture
Ethernet, switching, and IP routing are the principal technologies used to implement
cabled local networks. There are many types and sizes of network, however, and
many different ways of designing cabling and forwarding to suit the requirements
of large and small organizations and budgets. While you might not be responsible
for network design at this stage of your career, it is important that you be able to
identify the components and advantages of tiered network hierarchies.
Core, distribution, and access layers in three-tiered network architecture. (Images © 123RF.com.)
Access/Edge Layer
The access or edge layer allows end-user devices, such as computers, printers,
and smartphones to connect to the network. The access layer is implemented for
each site using structured cabling and wall ports for wired access and access points
for wireless access. Both are ultimately connected to workgroup switches. Switches
deployed to serve the access layer might also be referred to as LAN switches or
data switches. End systems connect to switches in the access/edge layer in a star
topology. There are no direct links between the access switches.
Distribution/Aggregation Layer
The distribution or aggregation layer provides fault-tolerant interconnections
between different access blocks and either the core or other distribution blocks.
Each access switch has full or partial mesh links to each router or layer 3 switch in
its distribution layer block. The distribution layer is often used to implement traffic
policies, such as routing boundaries, filtering, or quality of service (QoS).
The layer 3 capable switches used to implement the distribution/aggregation layer
have different capabilities from the layer 2-only workgroup switches used in the access
tier. Rather than 1 Gbps access ports and 10 Gbps uplink ports, as would be typical
of a workgroup switch, basic interfaces on an aggregation switch would be 10 Gbps
and uplink/backbone ports would be 40 Gbps (or possibly 40 Gbps/100 Gbps).
Layer 3 switches work on the principle of “route once, switch many,” which means
that once a route is discovered, it is cached with the destination MAC address and
subsequent communications are switched without invoking the routing lookup.
While a router uses a generic processor and firmware to process incoming packets,
a layer 3 switch uses an application-specific integrated circuit (ASIC). This can
have an impact on the relative performance of the two types of devices. Layer 3
switches can be far faster, but they are not always as flexible. Layer 3 switches
cannot usually perform WAN routing and work with interior routing protocols only.
Often layer 3 switches support Ethernet only.
Core Layer
The core layer provides a highly available network backbone. Devices such as
client and server computers should not be attached directly to the core. Its purpose
should be kept simple: provide redundant traffic paths for data to continue
to flow around the access and distribution layers of the network. Routers or
layer 3 switches in the core layer establish a full mesh topology with switches in
distribution layer blocks.
In a two-tier or collapsed core model, the core must be implemented as a full mesh. This
is impractical if there are large numbers of core switches.
The following table shows the different states that a port can be in.
State        Forwards frames?   Learns MACs?   Notes
Blocking     No                 No             Drops all frames other than BPDUs.
Listening    No                 No             Port is listening for BPDUs to detect loops.
Learning     No                 Yes            The port discovers the topology of the network and builds the MAC address table.
Forwarding   Yes                Yes            The port works as normal.
Disabled     No                 No             The port has been disabled by the administrator.
When all ports on all switches are in forwarding or blocking states, the network
is converged. When the network is not converged, no communications can take
place. Under the original 802.1D standard, this made the network unavailable
for extended periods—tens of seconds—during configuration changes. STP is
now more likely to be implemented as 802.1D-2004/802.1w or Rapid STP (RSTP).
The rapid version creates outages of a few seconds or less. In RSTP, the blocking,
listening, and disabled states are aggregated into a discarding state.
• Verify the physical configuration of segments that use legacy equipment, such as
Ethernet hubs.
• Investigate networking devices in the user environment and verify that they are
not connected as part of a loop. Typical sources of problems include unmanaged
desktop switches and VoIP handsets.
Review Activity:
3. In what STP-configured state(s) are all ports when a network running STP
is converged?
Topic 8C
Explain Virtual LANs
Most networks make use of virtual LANs (VLANs), both to improve network security
and network performance, so they are an important concept for you to understand.
In this topic, you will identify the benefits of network segmentation and the
characteristics and functions of VLANs.
Implementing VLANs can reduce broadcast traffic when a network has expanded
beyond a certain number of hosts or users. As well as reducing the impact
of broadcast traffic, from a security point of view, each VLAN can represent a
separate zone. VLANs are also used to separate nodes based on traffic type and
the need for Quality of Service. For example, it is commonplace to put all VoIP
handsets on a voice VLAN to minimize interference coming from nodes that are
sending email or downloading large files on the same network. The switches
and routers can then be configured to give the VoIP VLAN priority over ordinary
data VLANs.
The VLAN with ID 1 is referred to as the default VLAN. Unless configured differently,
all ports on a switch default to being in VLAN 1.
Cumulus VX switch output showing switch ports swp 5-8 configured in VLAN 100
and ports 9-12 in VLAN 200. (Screenshot courtesy of Nvidia.)
When frames designated for different VLANs are transported across a trunk, the
VLAN ID (VID) of each frame must be preserved for the receiving switch to forward
it correctly. VIDs are normally defined by the IEEE 802.1Q standard. Under 802.1Q,
per-VLAN traffic is identified by a tag inserted in the Ethernet frame between the
Source Address and EtherType fields. The tag contains information about the VID
(from 1 to 4,094) and priority (used for QoS functions). The EtherType value is set to
identify the frame as 802.1Q.
• If the frame needs to be transported over a trunk link, the switch adds the
relevant 802.1Q tag to identify the VLAN, and then forwards the frame over the
trunk port.
• If the switch receives an 802.1Q tagged frame on an access port, it strips the tag
before forwarding it.
Conversely, a tagged port will normally be one that is operating as a trunk; that
is, capable of transporting traffic addressed to multiple VLANs using the 802.1Q
frame format. A trunk might be used to connect switches or to connect a switch
to a router. In some circumstances, a host attached to a port might need to be
configured to use multiple VLANs and would need to be attached to a trunk port,
rather than an access port. Consider a virtualization host with multiple guest
operating systems. The virtual servers might need to be configured to use different
VLANs.
Voice VLANs
Voice over IP (VoIP) transmits voice traffic as data packets, rather than over circuit-
based transmission lines. The bandwidth and latency requirements of voice traffic
mean that it is often necessary to prioritize it over other types of data packets. This
can be accomplished using a dedicated VLAN for voice traffic. However, in many
cases, VoIP has been implemented into network infrastructures that were originally
designed for just desktop and laptop computers, with limited numbers of physical
network access ports.
To accommodate the lack of dedicated wall ports for handsets, most VoIP endpoints
incorporate an embedded switch with just two external ports. The handset is
connected via its uplink port to the wall port and via the structured cabling to an
access switch. The PC or laptop is connected to the handset via the other port. The
handset forwards data traffic from the PC to the access switch as untagged frames.
The handset sends voice traffic over the same physical link but uses 802.1Q tagged
frames.
Normally, for a switch interface to process tagged frames, it would have to be
configured as a trunk port. This adds a lot of configuration complexity, so most
switches now support the concept of a voice or auxiliary VLAN to distinguish the
PC and VoIP traffic without having to configure a trunk. In the following example,
the interface configuration assigns traffic from the PC to VLAN 100 and the voice
traffic to VLAN 101:
interface GigabitEthernet0/0
switchport mode access
switchport access vlan 100
switchport voice vlan 101
Sharing a single physical wall port between a PC and VoIP handset. The handset and switch
interface configuration allow VoIP traffic to be assigned to a different VLAN than the PC’s data
traffic. (Images © 123RF.com.)
The switch will only accept tagged frames that match the configured voice VLAN
ID. To avoid having to configure this manually, the voice VLAN ID and other
configuration parameters can be communicated to the handset using a protocol
such as Cisco Discovery Protocol (CDP).
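The 802.1Q tag handling described above (tag inserted between the Source Address and EtherType fields, VID 1 to 4,094, priority bits for QoS) and the access/voice VLAN classification from the interface example, as an added worked example in Python; this is not code from the guide or from any switch vendor. The frame bytes, VLAN IDs 100/101 and the switch behaviour modelled in ingress_vlan are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks a frame as 802.1Q tagged
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0):
    """Build the 4-byte 802.1Q tag: TPID (0x8100) followed by the TCI.
    TCI layout: PCP (3 bits, priority for QoS) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def is_tagged(frame):
    """True if the bytes where EtherType would sit carry the 802.1Q TPID instead."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def parse_tag(frame):
    """Return the tag fields of a tagged frame, or None for an untagged frame."""
    if len(frame) < 18 or not is_tagged(frame):
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "ethertype": ethertype, "payload": frame[18:]}


def add_tag(frame, vid, pcp=0):
    """Insert the tag between the Source Address and EtherType fields, as a switch
    does before forwarding an untagged frame out of a trunk port."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if is_tagged(frame):
        raise ValueError("frame is already tagged")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def strip_tag(frame):
    """Remove the tag, as a switch does before forwarding a frame out of an access port."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def ingress_vlan(frame, access_vid, voice_vid=None):
    """Classify a frame arriving on an access port configured like the example
    (switchport access vlan 100 / switchport voice vlan 101): untagged frames belong
    to the access VLAN; tagged frames are accepted only when their VID matches the
    configured voice VLAN. Returns the VLAN ID, or None if the frame is not accepted."""
    tag = parse_tag(frame)
    if tag is None:
        return access_vid
    if voice_vid is not None and tag["vid"] == voice_vid:
        return voice_vid
    return None


if __name__ == "__main__":
    # Constructed untagged frame: destination MAC, source MAC, EtherType IPv4, dummy payload
    untagged = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + b"payload"
    voice = add_tag(untagged, 101, pcp=5)          # what the handset sends for voice traffic
    print(parse_tag(voice))
    print(ingress_vlan(untagged, 100, 101), ingress_vlan(voice, 100, 101))
```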
Review Activity:
Virtual LANs
Answer the following question:
5. True or false? When configuring a voice VLAN, the voice VLAN ID must be
lower than the access VLAN ID.
Lesson 8
Summary
You should be able to explain network types, scopes, and characteristics and how
topologies such as three-tiered switching and VLANs can make corporate networks
more manageable.
• Provision redundant trunk links within the core and between the core and
distribution layer.
• Determine bandwidth requirements for the access layer (typically 1 Gbps) and
provision appropriate workgroup/LAN switches based on media type.
• Enable spanning tree to prevent loops around redundant circuits and ensure the
selection of a root bridge within the core or distribution layer as appropriate.
• Provision redundant trunk links between distribution layer switch blocks and
access layer switches.
• Connect client devices (PCs, VoIP endpoints, and printers) and non-datacenter
servers to access layer switches.
• Use VLANs for distinct security zones, such as management traffic, guest
network access, and Internet/WAN edge.
• Aim for 250 as the maximum number of hosts in a single VLAN (/24 subnet).
Use VLANs for separate building floors to minimize traffic that must pass over
a trunk.
• Design IP subnets for each VLAN and design a VLAN numbering system.
• Map the logical topology to the physical switch topology and identify trunk links.
Tag the interfaces that will participate in trunk links with the VLANs they are
permitted to carry.
• Ensure that hosts in each VLAN can obtain leases from DHCP servers, route to
other network segments (as permitted), and contact DNS servers.
Lesson 9
Explaining Transport Layer Protocols
LESSON INTRODUCTION
Layers 1 through 3 of the OSI model are concerned with addressing and packet
forwarding and delivery. This basic connectivity is established for the purpose
of transporting application data. In this lesson, you will learn to describe how
protocols at layer 4 provision the transport services that network applications
depend upon.
Lesson Objectives
In this lesson, you will:
• Compare and contrast transport protocols.
Topic 9A
Compare and Contrast Transport Protocols
You have seen how IP provides addressing and delivery at layer 3 of the OSI model.
At layer 4, the TCP/IP protocol suite also defines how different applications on
separate hosts establish connections and track communications. Understanding
how application protocols use ports to establish connections is critical to being able
to configure and support network services.
The port number is used in conjunction with the source IP address to form a
socket. Each socket is bound to a software process. Only one process can operate
a socket at any one time. A connection is formed when a client socket requests
a service from the server socket. A connection is uniquely identified by the
combination of server port and IP address and client port and IP address. A server
socket can therefore support multiple connections from a number of client sockets.
Field              Explanation
Source port        TCP port of sending host.
Destination port   TCP port of destination host.
Sequence number    The ID number of the current segment (the sequence number of the last byte in the segment). This allows the receiver to rebuild the message correctly and deal with out-of-order packets.
Ack number         The sequence number of the next segment expected from the other host (that is, the sequence number of the last segment received +1). Packets might be out-of-order because they are delayed, but they could also be lost completely or arrive in a damaged state. In the first case, the lack of acknowledgement results in the retransmission of data and, in the second case, a Negative Acknowledgement (NAK or NACK) forces retransmission.
Data length        Length of the TCP segment.
Flags              Type of content in the segment (ACK, SYN, FIN, and so on).
Window             The amount of data the host is willing to receive before sending another acknowledgement. TCP's flow control mechanism means that if it is getting overwhelmed with traffic, one side can tell the other to slow the sending rate.
Checksum           Ensures validity of the segment. The checksum is calculated on the value of not only the TCP header and payload but also part of the IP header, notably the source and destination addresses. Consequently, the mechanism for calculating the checksum is different for IPv6 (128-bit addresses) than for IPv4 (32-bit addresses).
Urgent Pointer     If urgent data is being sent, this specifies the end of that data in the segment.
Options            Allows further connection parameters to be configured. The most important of these is the Maximum Segment Size. This allows the host to specify how large the segments it receives should be, minimizing fragmentation as they are transported over data link frames.
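The header fields in the table above, including the checksum that covers the source and destination addresses of the IP header and therefore differs between IPv4 and IPv6, and the Maximum Segment Size option, as an added worked example in Python. This is not code from the guide; it builds and decodes segments using the standard TCP layout and RFC 1071 checksum, and the addresses, ports and sequence numbers used are constructed.

```python
import ipaddress
import struct

# TCP flag bits (byte 13 of the header), lowest bit first
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
SYN, ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2       # option kinds handled here
PROTO_TCP = 6


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; odd-length data gets a zero pad byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, tcp_len):
    """The part of the IP header covered by the TCP checksum; this is where v4 and v6 differ.
    IPv4: src(4) dst(4) zero(1) protocol(1) TCP length(2)
    IPv6: src(16) dst(16) TCP length(4) zeros(3) next header(1)"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)
    return s.packed + d.packed + struct.pack("!I3xB", tcp_len, PROTO_TCP)


def tcp_checksum(src, dst, segment):
    """Checksum over pseudo-header + TCP header + payload, with the Checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo_header(src, dst, len(segment)) + zeroed)


def build_segment(src, dst, sport, dport, seq, ack, flags, window, payload=b"", mss=None):
    """Assemble a TCP segment (optionally carrying an MSS option) and fill in its checksum."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) if mss is not None else b""
    options += b"\x00" * (-len(options) % 4)            # pad header to a 32-bit boundary
    data_offset = (20 + len(options)) // 4               # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    segment = header + options + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def parse_segment(src, dst, segment):
    """Decode the header fields from the table and verify the checksum for the given addresses."""
    (sport, dport, seq, ack, off, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    options, mss, i = segment[20:hdr_len], None, 0
    while i < len(options):                              # walk the kind/length/value option list
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if length < 2:                                   # malformed option; stop rather than loop
            break
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "window": window, "urgent_pointer": urg, "mss": mss,
        "payload": segment[hdr_len:],
        "checksum_ok": tcp_checksum(src, dst, segment) == csum,
    }


if __name__ == "__main__":
    # Constructed SYN from a client ephemeral port to HTTPS, advertising an MSS of 1460
    syn = build_segment("10.0.0.5", "203.0.113.9", 49152, 443, 1000, 0, SYN, 65535, mss=1460)
    print(parse_segment("10.0.0.5", "203.0.113.9", syn))
```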
1. The client sends a segment with the TCP flag SYN set to the server with a
randomly generated sequence number. The client enters the SYN-SENT state.
3. The client responds with an ACK segment. The client assumes the connection
is ESTABLISHED.
4. The server opens a connection with the client and enters the ESTABLISHED
state.
The sending machine expects regular acknowledgments for segments it sends and,
if a period elapses without an acknowledgment, it assumes the information did not
arrive and automatically resends it. This overhead makes the system relatively slow.
Connection-oriented transmission is suitable when reliability and data integrity are
important.
2. The server responds with an ACK segment and enters the CLOSE-WAIT state.
3. The client receives the ACK segment and enters the FIN-WAIT2 state. The
server sends its own FIN segment to the client and goes to the LAST-ACK state.
4. The client responds with an ACK and enters the TIME-WAIT state. After a
defined period, the client closes its connection.
5. The server closes the connection when it receives the ACK from the client.
Some implementations may use one less step by combining the FIN and ACK
responses into a single segment operation.
Observing TCP connections with the netstat tool. (Screenshot used with permission from Microsoft.)
A host can also end a session abruptly using a reset (RST) segment. This would
not be typical behavior and might need to be investigated. A server or security
appliance might refuse connections using RST, a client or server application might
be faulty, or there could be some sort of suspicious scanning activity ongoing.
UDP is suitable for applications that send small amounts of data in each packet
and do not require acknowledgement of receipt. It is used by Application layer
protocols that need to send multicast or broadcast traffic. It may also be used for
applications that transfer time-sensitive data but do not require complete reliability,
such as voice or video. Using small packets means that if a few are lost or arrive
out of order, they only manifest as minor glitches in playback quality. The reduced
overhead means that overall delivery is faster.
This table shows the structure of a UDP datagram.
Field              Explanation
Source port        UDP port of sending host.
Destination port   UDP port of destination host.
Sequence number    The ID number of the current segment (the sequence number of the last byte in the segment). This allows the receiver to rebuild the message correctly and deal with out-of-order packets.
Message length     Size of the UDP packet.
Flags              Type of content in the segment (ACK, SYN, FIN, and so on).
Checksum           Ensures validity of the packet.
The header size is 8 bytes, compared to 20 bytes (or more) for TCP.
Port Number   Transport Protocol   Service or Application   Description
20            TCP                  ftp-data                 File Transfer Protocol—Data
21            TCP                  ftp                      File Transfer Protocol—Control
22            TCP                  ssh/sftp                 Secure Shell/FTP over SSH
23            TCP                  telnet                   Telnet
25            TCP                  smtp                     Simple Mail Transfer Protocol
53            TCP/UDP              domain                   Domain Name System
67            UDP                  bootps                   BOOTP/DHCP Server
68            UDP                  bootpc                   BOOTP/DHCP Client
69            UDP                  tftp                     Trivial File Transfer Protocol
80            TCP                  http                     HTTP
110           TCP                  pop                      Post Office Protocol
123           UDP                  ntp/sntp                 Network Time Protocol/Simple NTP
143           TCP                  imap                     Internet Message Access Protocol
161           UDP                  snmp                     Simple Network Management Protocol
162           UDP                  snmp-trap                Simple Network Management Protocol Trap
389           TCP/UDP              ldap                     Lightweight Directory Access Protocol
443           TCP                  https                    HTTP-Secure (Secure Sockets Layer (SSL)/Transport Layer Security (TLS))
445           TCP                  smb                      Server Message Block over TCP/IP
514           UDP                  syslog                   Syslog
546           UDP                  dhcpv6-client            DHCPv6 Client
547           TCP                  dhcpv6-server            DHCPv6 Server
587           TCP                  smtps                    SMTP-Secure
636           TCP                  ldaps                    LDAP-Secure
993           TCP                  imaps                    IMAP-Secure
995           TCP                  pop3s                    POP3-Secure
1433          TCP                  sql-server               MS Structured Query Language (SQL) Server
1521          TCP                  sqlnet                   Oracle SQL*Net
3306          TCP                  mysql                    MySQL/MariaDB
3389          TCP                  rdp                      Remote Desktop Protocol
5004          UDP                  rtp                      Real-Time Protocol
5005          UDP                  rtcp                     Real-Time Control Protocol
5060          TCP/UDP              sip                      Session Initiation Protocol
5061          TCP/UDP              sips                     SIP-Secure
Review Activity:
Transport Protocols
4. True or False? User Datagram Protocol (UDP), like TCP, uses flow control
in the sending of data packets.
5. What port and protocol does TFTP use at the Transport layer?
Topic 9B
Use Appropriate Tools to Scan Network Ports
One of the critical tasks for network administrators is to identify and analyze the
traffic passing over network links. This information is used to troubleshoot network
services, and to verify the security of the network.
IP Scanners
One of the management tasks facing a network administrator is to verify exactly what
is connected to the network and what is being communicated over it. This is usually
described as network visibility. Visibility is necessary to confirm that servers and
clients are in the correct VLANs or subnets and to try to identify rogue or unauthorized
machines. An IP scanner is a tool that performs host discovery and can establish the
overall logical topology of the network in terms of subnets and routers.
IP scanning can be performed using lightweight standalone open source
or commercial tools, such as Nmap, AngryIP, or PRTG. Enterprise network
management suites will also be able to perform IP scanning and combine that
with asset or inventory information about each host. This functionality is often
referred to as IP Address Management (IPAM). Suites that integrate with DHCP
and DNS servers can be referred to as DHCP, DNS, and IPAM (DDI). Windows
Server is bundled with a DDI product. Other notable vendors and solutions include
ManageEngine, Infoblox, SolarWinds, Bluecat, and Men & Mice.
Angry IP Scanner.
Nmap
The Nmap Security Scanner (nmap.org) is widely used for IP scanning, both as an
auditing and as a penetration testing tool. The tool is open-source software with
packages for most versions of Windows, Linux, and macOS®. It can be operated
with a command line or via a GUI (Zenmap).
The basic syntax of an Nmap command is to give the IP subnet (or IP address) to
scan. When used without switches like this, the default behavior of Nmap is to ping
and send a TCP ACK packet to ports 80 and 443 to determine whether a host is
present. On a local network segment, Nmap will also perform ARP and Neighbor
Discovery (ND) sweeps. If a host is detected, Nmap performs a port scan against
that host to determine which services it is running. This OS fingerprinting can be
time consuming on a large IP scope. If you want to perform only host discovery,
you can use Nmap with the -sn switch to suppress the port scan. The tool can also
work out hop counts by specifying the --traceroute switch.
A variety of options are available for custom scans to try to detect stealthy hosts
(nmap.org/book/host-discovery-techniques.html).
netstat
As well as discovering hosts, one other visibility challenge is to establish what
services a host is running. The netstat command allows you to check the
state of ports on the local host. You can use netstat to check for service
misconfigurations, such as a host running a web or FTP server that a user installed
without authorization. You may also be able to identify suspicious remote
connections to services on the local host or from the host to remote IP addresses.
On Windows®, used without switches, the command outputs active TCP
connections, showing the local and foreign addresses and ports. Using the -a
switch displays all open ports, including both active TCP and UDP connections and
ports in the listening state.
On Linux®, running netstat without switches shows active connections of any type.
If you want to show different connection types, you can use the switches for Internet
connections for TCP (-t) and UDP (-u), raw connections (-w), and UNIX® sockets/local
server ports (-x). Using the -a switch includes ports in the listening state in the output.
-l shows only ports in the listening state, omitting established connections.
For example, the following command shows listening and established Internet
connections (TCP and UDP) only: netstat -tua
Linux netstat output showing active and listening TCP and UDP connections.
On both Windows and Linux, -n displays ports and addresses in numerical format.
Skipping name resolution speeds up each query. On Linux, using -4 or -6 filters
sockets by IPv4 or IPv6 addresses respectively. In Windows, use the -p switch with
the protocol type (TCP, TCPv6, UDP, or UDPv6).
Another common task is to identify which software process is bound to a socket. On
Windows, -o shows the Process ID (PID) number that has opened the port, while
-b shows the process name. In Linux, use -p to show the PID and process name.
netstat -s reports per protocol statistics, such as packets received, errors,
discards, unknown requests, port requests, failed connections, and so on. The tool
will report Ethernet statistics using -e (Windows) or -I (Linux). netstat -r
displays the routing table.
Linux netstat interface statistics showing receive and transmit packets numbers
plus errors and dropped packets.
netstat can also be set to run continuously. In Windows, run netstat nn,
where nn is the refresh interval in seconds (press Ctrl+C to stop); in Linux, run
netstat -c.
The Linux netstat command is part of the deprecated net-tools package. The
preferred package iproute2 contains a number of different commands to replace
netstat functionality. Most of the port scanning functions are performed by ss, while
interface statistics are reported by nstat.
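To make the service-visibility check concrete, the following added example (not code from the guide) parses a constructed `netstat -tuan` listing and reports listening ports that are not on an allow-list, plus the remote peers of established connections; the allow-list and the sample addresses are assumptions for the illustration.

```python
"""Parse netstat socket listings and flag unexpected listening services.

Added example for this section; not code from the guide. The sample output
below is constructed in the layout of Linux `netstat -tuan`, and the
allow-list of expected ports is an assumption for the illustration.
"""
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:49152        203.0.113.9:4444        ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::546                  :::*
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: str      # "*" for sockets with no peer
    state: str            # "" for UDP, which netstat shows without a state

    @property
    def listening(self):
        # TCP reports LISTEN; a bound UDP socket with no peer also accepts datagrams
        return self.state == "LISTEN" or (
            self.proto.startswith("udp") and self.remote_port == "*")


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 endpoints such as :::22 parse."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue   # banner and column-header lines
        laddr, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        state = fields[5] if len(fields) > 5 else ""
        sockets.append(Socket(fields[0], laddr, int(lport), raddr, rport, state))
    return sockets


def unexpected_listeners(sockets, allowed_ports):
    """Listening ports not on the approved list (e.g. a user-installed FTP server)."""
    return sorted({s.local_port for s in sockets
                   if s.listening and s.local_port not in allowed_ports})


def remote_peers(sockets):
    """Remote endpoints of established connections, for review against known-good hosts."""
    return sorted((s.remote_addr, int(s.remote_port))
                  for s in sockets if s.state == "ESTABLISHED")


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listening ports:", unexpected_listeners(socks, {22, 68, 546}))
    print("remote peers:", remote_peers(socks))
```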
• TCP connect (-sT)—A half-open scan requires Nmap to have privileged access
to the network driver so that it can craft packets. If privileged access is not
available, Nmap must use the OS to attempt a full TCP connection. This type of
scan is less stealthy.
• UDP scans (-sU)—Scan UDP ports. As these do not use ACKs, Nmap needs to
wait for a response or timeout to determine the port state, so UDP scanning can
take a long time. A UDP scan can be combined with a TCP scan.
• Port range (-p)—By default, Nmap scans 1,000 commonly used ports. Use
the -p argument to specify a port range. You can also use --top-ports n,
where n is the number of commonly used ports to scan. The frequency statistics
for determining how commonly a port is used are stored in the nmap-services
configuration file.
Half-open scanning with Nmap. (Screenshot used with permission from Nmap.)
When services are discovered, you can use Nmap with the -sV or -A switch
to probe a host more intensively to discover the software or software version
operating each port. The process of identifying an OS or software application from
its responses to probes is called fingerprinting.
The responses to network probes can be used to identify the type and version of the
host operating system. (Screenshot used with permission from Nmap.)
Protocol Analyzers
A protocol analyzer works in conjunction with a packet capture or sniffer tool.
You can either analyze a live capture to analyze frames as they are read by a sniffer
or open a saved capture (.pcap) file. Most protocol analyzer tools bundle a sniffer
component with the analyzer in the same software package.
One function of a protocol analyzer is to parse each frame in a stream of traffic to
reveal its header fields and payload contents in a readable format. This is referred
to as packet analysis. Analyzing protocol data at the frame or packet level will help
to identify protocol or service misconfigurations. As a live stream or capture file
can contain hundreds or thousands of frames, you can use display filters to show
only a particular frame or sequence of frames. Another useful option is to use the
Follow TCP Stream context command to reconstruct the packet contents for a TCP
session.
Another function of a protocol analyzer is to perform traffic analysis. Rather than
reading each frame individually, you use the tool to monitor statistics related to
communications flows, such as bandwidth consumed by each protocol or each
host, identifying the most active network hosts, monitoring link utilization and
reliability, and so on. In Wireshark, you can use the Statistics menu to access traffic
analysis tools.
Using the Protocol Hierarchy tool in Wireshark to view the most active protocols
on a network link. This sort of report can be used to baseline network activity.
(Screenshot courtesy of Wireshark.)
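The two analyzer functions described above, packet analysis (decoding header fields) and traffic analysis (protocol hierarchy and per-host byte counts), are shown in this added example, which is not code from the guide or from Wireshark. It decodes a small capture that is constructed inline; the frame builder writes zero checksums because the parser does not verify them.

```python
"""Decode Ethernet/IPv4 frames and build protocol-hierarchy and per-host statistics
(added example, not from the guide or Wireshark). The capture is constructed inline;
checksums are zero because this parser does not verify them."""
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
L4_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


def _ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP/UDP frame for the sample capture."""
    eth = bytes.fromhex("00112233445500aabbccddee") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:      # 20-byte TCP header, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                         # 8-byte UDP header; length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, proto, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Header fields a protocol analyzer would display for one frame."""
    info = {"length": len(frame), "layers": ["eth"]}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        info["layers"].append("arp" if ethertype == ETHERTYPE_ARP else "other")
        return info
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    info["layers"].append("ip")
    info["src"] = ".".join(str(b) for b in frame[26:30])
    info["dst"] = ".".join(str(b) for b in frame[30:34])
    l4_name = L4_NAMES.get(frame[23], "other")   # IPv4 protocol field
    info["layers"].append(l4_name)
    l4 = frame[14 + ihl:]
    if l4_name != "other" and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def protocol_hierarchy(frames):
    """Frame count per protocol path, as in Wireshark's Protocol Hierarchy report."""
    counts = Counter()
    for frame in frames:
        layers = parse_frame(frame)["layers"]
        for depth in range(1, len(layers) + 1):
            counts["/".join(layers[:depth])] += 1
    return counts


def bytes_per_source(frames):
    """Traffic analysis: bytes on the wire sent by each source IP."""
    totals = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if "src" in info:
            totals[info["src"]] += info["length"]
    return totals


def display_filter(frames, port):
    """Keep frames whose TCP/UDP source or destination port matches, like 'tcp.port == 443'."""
    kept = []
    for frame in frames:
        info = parse_frame(frame)
        if port in (info.get("sport"), info.get("dport")):
            kept.append(frame)
    return kept


# Constructed sample capture: a TLS exchange, a DNS query and one plain HTTP segment.
CAPTURE = [
    build_frame("192.0.2.10", "203.0.113.5", IPPROTO_TCP, 51514, 443, b"\x16\x03\x01"),
    build_frame("203.0.113.5", "192.0.2.10", IPPROTO_TCP, 443, 51514, b"\x16\x03\x03"),
    build_frame("192.0.2.10", "192.0.2.1", IPPROTO_UDP, 53412, 53, b"\x12\x34"),
    build_frame("192.0.2.10", "192.0.2.1", IPPROTO_TCP, 51515, 80),
]
```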
Review Activity:
Port Scanning
Lesson 9
Summary
You should be able to compare and contrast appropriate uses of TCP and UDP and
select appropriate tools to support and troubleshoot Transport layer issues.
• Understand that applications may use UDP for unreliable unicast, multicast, or
broadcast transmissions to minimize protocol overheads.
• Deploy IP and port scanners to gain visibility into hosts attached to the network
and protocol traffic passing over it.
• Deploy packet capture and protocol analyzer software to gain visibility into
individual packets and per-host or per-protocol statistics.
Lesson 10
Explaining Network Services
LESSON INTRODUCTION
You have identified the Physical, Data Link, Network, and Transport layer
technologies and protocols that underpin basic connectivity. The TCP/IP protocol
suite also includes application protocols that implement network services.
This lesson focuses on application protocols that perform low-level network
operations tasks, such as providing dynamic address or name resolution services.
You should understand the functions of the network services protocols and the
ports that they rely upon to operate.
Lesson Objectives
In this lesson, you will:
• Explain the use of network addressing services.
Topic 10A
Explain the Use of Network
Addressing Services
Presuming it has an IP address available, the DHCP server responds to the client
with a DHCPOFFER packet, containing the address and other configuration
information.
While the client doesn't have an IP address yet, the DHCPOFFER is usually delivered
as unicast because the server knows the client's MAC address. Some hosts cannot
receive unicast without an IP address. They should set a broadcast bit in the
DHCPDISCOVER packet.
The client may choose to accept the offer using a DHCPREQUEST packet—also
broadcast onto the network.
Assuming the offer is still available, the server will respond with a DHCPACK packet.
The client broadcasts an ARP message to check that the address is unused. If so, it
will start to use the address and options; if not, it declines the address and requests
a new one.
The IP address is leased by the server for a limited period only. A client can attempt
to renew or rebind the lease before it expires. If the lease cannot be renewed, the
client must release the IP address and start the discovery process again.
Sometimes, the DHCP lease process is called the DORA process: Discover, Offer, Request,
and Ack(nowledge).
DHCP Options
When the DHCP server offers a configuration to a client, at a minimum it must
supply an IP address and subnet mask. Typically, it will also supply other IP-related
settings, known as DHCP options. Each option is identified by a tag byte or decimal
value between 0 and 255 (though neither 0 nor 255 can be used as option values).
Some widely used options include:
• The default gateway (IP address of the router).
• The IP address(es) of DNS servers that can act as resolvers for name queries.
• Other useful server options, such as time synchronization (NTP), file transfer
(TFTP), or VoIP proxy.
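The DORA exchange and the option encoding described in the two passages above, as an added example that is not code from the guide: it builds a broadcast-flagged DHCPDISCOVER, has a constructed server answer with a DHCPOFFER carrying subnet mask, router, DNS, lease-time and server-identifier options in tag-length-value form, and has the client accept it with a DHCPREQUEST. The transaction ID, MAC address, scope addresses and lease time are constructed sample values.

```python
"""DHCPv4 message encoding/decoding for the DORA exchange (added example, not from the guide).
The transaction ID, MAC, scope addresses and lease time are constructed sample values."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes.fromhex("63825363")
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000            # client cannot take unicast before it has an address
OPT_PAD, OPT_END = 0, 255          # reserved tags: single bytes, never carry a value
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP = 1, 3, 6, 50
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header (RFC 2131)
IP4_OPTS = {OPT_SUBNET_MASK: "subnet_mask", OPT_ROUTER: "router",
            OPT_REQUESTED_IP: "requested_ip", OPT_SERVER_ID: "server_id"}


def encode_options(options):
    """options: sequence of (tag, value bytes) in tag-length-value form, then the end marker."""
    out = bytearray()
    for tag, value in options:
        if tag in (OPT_PAD, OPT_END) or not 0 < len(value) < 256:
            raise ValueError(f"invalid option tag {tag}")
        out += bytes((tag, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_message(op, xid, mac, msg_type, options=(), yiaddr="0.0.0.0", broadcast=False):
    zero4 = b"\0" * 4
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, BROADCAST_FLAG if broadcast else 0,
                         zero4, IPv4Address(yiaddr).packed, zero4, zero4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + encode_options([(OPT_MSG_TYPE, bytes([msg_type])), *options])


def parse_message(packet):
    op, _, hlen, _, xid, _, flags, _, yiaddr, _, _, chaddr, _, _ = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(packet[240:])
    msg = {"op": op, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
           "chaddr": chaddr[:hlen].hex(":"), "yiaddr": str(IPv4Address(yiaddr)),
           "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")}
    for tag, key in IP4_OPTS.items():
        if tag in opts:
            msg[key] = str(IPv4Address(opts[tag][:4]))
    if OPT_DNS in opts:   # option 6 lists one or more 4-byte resolver addresses
        raw = opts[OPT_DNS]
        msg["dns"] = [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]
    if OPT_LEASE_TIME in opts:
        msg["lease"] = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    return msg


def make_offer(discover, offered_ip, server_ip="192.0.2.1"):
    """Server side: answer a DISCOVER with an OFFER carrying the scope's options."""
    req = parse_message(discover)
    if req["type"] != "DISCOVER":
        raise ValueError("expected DHCPDISCOVER")
    options = [(OPT_SUBNET_MASK, IPv4Address("255.255.255.0").packed),
               (OPT_ROUTER, IPv4Address(server_ip).packed),
               (OPT_DNS, IPv4Address("192.0.2.53").packed + IPv4Address("192.0.2.54").packed),
               (OPT_LEASE_TIME, struct.pack("!I", 86400)),
               (OPT_SERVER_ID, IPv4Address(server_ip).packed)]
    mac = bytes.fromhex(req["chaddr"].replace(":", ""))
    # honour the client's broadcast bit: it may be unable to receive unicast yet
    return build_message(BOOTREPLY, req["xid"], mac, 2, options, offered_ip, req["broadcast"])


def make_request(offer):
    """Client side: accept the offer. REQUEST is broadcast so every server sees the choice."""
    off = parse_message(offer)
    if off["type"] != "OFFER":
        raise ValueError("expected DHCPOFFER")
    mac = bytes.fromhex(off["chaddr"].replace(":", ""))
    options = [(OPT_REQUESTED_IP, IPv4Address(off["yiaddr"]).packed),
               (OPT_SERVER_ID, IPv4Address(off["server_id"]).packed)]
    return build_message(BOOTREQUEST, off["xid"], mac, 3, options, broadcast=True)


CLIENT_MAC = bytes.fromhex("0a1b2c3d4e5f")         # constructed sample MAC
DISCOVER = build_message(BOOTREQUEST, 0x3903F326, CLIENT_MAC, 1, broadcast=True)
OFFER = make_offer(DISCOVER, "192.0.2.100")
REQUEST = make_request(OFFER)
```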
By contrast, stateful mode means that a host can also obtain a routable IP address
from a DHCPv6 scope, plus any other options (like with DHCP for IPv4).
Configuring the scope requires you to define the network prefix and then any IP
addresses that are to be excluded from being offered. All other addresses that
are not explicitly excluded can be offered. The host must still listen for a router
advertisement to obtain the network prefix and configure a default gateway. There
is no mechanism in DHCPv6 for setting the default route.
Review Activity:
Network Addressing Services
Topic 10B
Explain the Use of Name Resolution
Services
Each host that has an IP address assigned to it can also have a descriptive name.
This makes it easier for human users to identify and access it on the network and
for application services to be configured with an addressing scheme that allows
for changes in the underlying network. Almost all networks depend on this name
resolution functionality to operate smoothly and securely, so it is important to
understand how it works. In this topic, you will identify methods for host name
resolution for TCP/IP networks.
When you are configuring name records, an FQDN must include the trailing period to
represent the root, but this can be omitted in most other use cases.
A domain name must be registered with a registrar to ensure that it is unique within
a top-level domain. Once a domain name has been registered, it cannot be used by
another organization. The same domain name may be registered within different
top-level domains, however—widget.example. and widget.example.uk. are distinct
domains, for instance.
Numerous hosts may exist within a single domain. For example: nut, bolt, and
washer might all be hosts within the widget.example. domain. Given that,
FQDNs must follow certain rules:
• The host name must be unique within the domain.
• The total length of an FQDN cannot exceed 253 characters, with each label (part of
the name defined by a period) no more than 63 characters (excluding the periods).
• A DNS label should use letter, digit, and hyphen characters only. A label should
not start with a hyphen. Punctuation characters such as the period (.) or forward
slash (/) should not be used.
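The name rules listed above, turned into a checker in this added example (not code from the guide): it validates an FQDN against the 253-character total, the 63-character label limit and the allowed characters, and checks that host names are unique within a domain. The domain and host names (widget.example, nut, bolt, washer) follow the guide's illustration; the zone check is an assumption built for this example.

```python
"""Validate FQDNs against the label and length rules above (added example, not from the guide).
Domain and host names (widget.example, nut, bolt, washer) follow the guide's illustration;
the zone uniqueness check is an assumption built for this example."""
import re

MAX_FQDN_LENGTH = 253
MAX_LABEL_LENGTH = 63
# letters, digits and hyphens only; no leading hyphen. Also rejects a trailing
# hyphen, which RFC 1123 forbids although the list above does not mention it.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_fqdn(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if name.endswith("."):          # trailing period stands for the root; not counted
        name = name[:-1]
    if not name:
        return ["name is empty"]
    if len(name) > MAX_FQDN_LENGTH:
        problems.append(f"total length {len(name)} exceeds {MAX_FQDN_LENGTH}")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive periods)")
        elif len(label) > MAX_LABEL_LENGTH:
            problems.append(f"label {label[:12]!r}... exceeds {MAX_LABEL_LENGTH} characters")
        elif label.startswith("-"):
            problems.append(f"label {label!r} starts with a hyphen")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} uses characters other than letters, digits and hyphens")
    return problems


def validate_zone_hosts(domain, hostnames):
    """Check every host in a domain: name rules plus uniqueness within the domain.
    Returns {hostname: [problems]} for the hosts that fail."""
    failures = {}
    seen = set()
    for host in hostnames:
        key = host.lower()              # DNS names are case-insensitive
        problems = validate_fqdn(f"{host}.{domain}")
        if key in seen:
            problems.append(f"host name {host!r} is not unique within {domain}")
        seen.add(key)
        if problems:
            failures.setdefault(host, []).extend(problems)
    return failures


if __name__ == "__main__":
    print(validate_fqdn("nut.widget.example."))
    print(validate_zone_hosts("widget.example.", ["nut", "bolt", "washer", "nut"]))
```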
An FQDN reflects this hierarchy, from most specific on the left (the host’s resource
record with its name:IP address mapping) to least specific on the right (the TLD
followed by the root). For example: pc.corp.515support.com.
Most queries between name servers are performed as iterative lookups. This
means that a name server responds to a query with either the requested record or
the address of a name server at a lower level in the hierarchy that is authoritative
for the namespace. It makes no effort to try to make additional queries to locate
information that it does not have. In the figure, at steps 4 and 5, the root server and
.net name server simply pass the querying server the address of an authoritative
name server. They do not take on the task of resolving the original query for
www.515web.net.
A recursive lookup means that if the queried server is not authoritative, it does
take on the task of querying other name servers until it finds the requested record
or times out. The name servers listed in a client’s TCP/IP configuration accept
recursive queries. This is the type of querying performed by the corp.515support.
com name server.
Name Server (NS) records identify authoritative DNS name servers for the zone. As
well as the primary name server, most zones are configured with secondary name
servers for redundancy and load balancing. Secondary name servers hold read-only
copies of resource records but can still be authoritative for the zone.
Both types of host records (A and AAAA) plus a CNAME record in Windows Server DNS.
(Screenshot courtesy of Microsoft.)
DNS uses the UDP transport protocol over port 53 by default, and UDP has a maximum
packet size of 512 bytes. Due to the much larger address sizes of IPv6, AAAA records
can exceed this size. This can result in UDP packets being fragmented into several
smaller packets. This can result in these packets being blocked by firewalls if they are
not configured to expect them. Network administrators should check that their DNS
servers can accept these transmissions and that intermediary components are not
blocking them.
A Canonical Name (CNAME) (or alias) record is used to configure an alias for an
existing address record (A or AAAA). For example, the IP address of a web server
with the host record lamp could also be resolved by the alias www. CNAME records
are also often used to make DNS administration easier. For example, an alias can be
redirected to a completely different host temporarily during system maintenance.
Multiple different named resource records can refer to the same IP address (and
vice versa in the case of load balancing).
While most DNS records are used to resolve a name into an IP address, a Service
(SRV) record contains the service name and port on which a particular application is
hosted. SRV records are often used to locate VoIP or media servers. SRV records are
also an essential part of the infrastructure supporting Microsoft’s Active Directory;
they are used by clients to locate domain controllers, for instance. As with MX, SRV
records can be configured with a priority value.
A TXT record is used to store any free-form text that may be needed to support
other network services. A single domain name may have many TXT records, but
most commonly they are used as part of Sender Policy Framework (SPF) and
DomainKeys Identified Mail (DKIM). An SPF record is used to list the IP addresses
or names of servers that are permitted to send email from a particular domain
and is used to combat the sending of spam. DKIM records are used to decide
whether you should allow received email from a given source, preventing spam and
mail spoofing. DKIM can use encrypted signatures to prove that a message really
originated from the domain it claims.
Pointer Records
A DNS server may have two types of zones: forward lookup and reverse lookup.
Forward lookup zones contain the resource records listed previously. For example,
given a name record, a forward lookup returns an IP address; an MX record
returns a host record associated with the domain's mail services. Conversely, a
reverse DNS query returns the host name associated with a given IP address. This
information is stored in a reverse lookup zone as a pointer (PTR) record.
Reverse DNS querying uses a special domain named by the first three octets of
IP addresses in the zone in reverse order and appended with in-addr.arpa.
The name server is configured with a reverse lookup zone. This zone contains PTR
records consisting of the final octet of each host record. For example, the reverse
lookup for a host record containing the IP address 198.51.100.1 is:
1.100.51.198.in-addr.arpa
IPv6 uses the ip6.arpa domain; each of the 32 hex characters in the IPv6 address is
expressed in reverse order as a subdomain. For example, the IPv6 address:
2001:0db8:0000:0000:0bcd:abcd:ef12:1234
is represented by the following pointer record:
4.3.2.1.2.1.f.e.d.c.b.a.d.c.b.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
Reverse lookup zones are not mandatory and are often omitted from DNS
servers, as they can be used by hackers to sequentially work through a range of
IP addresses to discover useful or interesting device names, which can then be
targeted by other hacking mechanisms.
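The in-addr.arpa and ip6.arpa naming described above, derived by hand for both address families in this added example (not code from the guide); it also names the reverse zone for a prefix and writes a zone-relative PTR entry. The zone and host values reuse the guide's sample addresses, and the ipaddress module is used only for address parsing.

```python
"""Derive reverse-lookup (PTR) names for IPv4 and IPv6 (added example, not from the guide).
Uses only the standard library; the zone and host names are the guide's sample values."""
import ipaddress


def reverse_pointer_name(address):
    """Owner name of the PTR record for an address, built by hand rather than looked up."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")        # all 32 hex digits, zeros included
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone_name(network):
    """Name of the reverse lookup zone that covers a prefix. IPv4 zones are cut on octet
    boundaries and IPv6 zones on nibble boundaries, so other prefix lengths are rejected."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated per octet (/8, /16, /24)")
        kept = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(kept)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated per nibble (multiples of 4 bits)")
    kept = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def ptr_zone_entry(zone, address, hostname):
    """Zone-file line for a host inside `zone`, with the owner name relative to the zone
    (just the final octet for a /24, as the text describes)."""
    full = reverse_pointer_name(address)
    if not full.endswith("." + zone):
        raise ValueError(f"{address} is not covered by zone {zone}")
    relative = full[: -(len(zone) + 1)]
    return f"{relative} IN PTR {hostname}"


if __name__ == "__main__":
    print(reverse_pointer_name("198.51.100.1"))
    print(reverse_pointer_name("2001:0db8:0000:0000:0bcd:abcd:ef12:1234"))
    print(ptr_zone_entry(reverse_zone_name("198.51.100.0/24"), "198.51.100.1",
                         "nut.widget.example."))
```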
Review Activity:
Name Resolution Services
4. What type of DNS record is used to prove the valid origin of email?
Topic 10C
Configure DNS Services
The name resolution process performed by DNS servers is a critical service for
almost all types of networks. As a network technician, you will often be involved in
configuring name servers.
• Secondary means that the server holds a read-only copy of the zone. This is
maintained through a process of replication known as a zone transfer from a
primary name server. A secondary zone would typically be provided on two or
more separate servers to provide fault tolerance and load balancing. Again, the
serial number is a critical part of the zone transfer process.
The noninclusive terms "master" to mean primary and "slave" to mean secondary are
used in some DNS server versions. This type of terminology is deprecated in the latest
versions.
A name server that holds complete records for a domain can be defined as
authoritative. This means that a record in the zone identifies the server as a
name server for that namespace. Both primary and secondary name servers are
authoritative.
Servers that don’t maintain a zone (primary or secondary) are referred to as cache-
only servers. A non-authoritative answer from a server is one that derives from a
cached record, rather than directly from the zone records.
DNS Caching
Each resource record can be configured with a default time to live (TTL) value,
measured in seconds. This value instructs resolvers how long a query result can
be kept in cache. Setting a low TTL allows records to be updated more quickly but
increases load on the server and latency on client connections to services. Some
common TTL values include 300 (5 minutes), 3,600 (1 hour), 86,400 (1 day), and
604,800 (1 week).
DNS caching is performed by both servers and client computers. In fact, each
application on a client computer might be configured to manage its own DNS cache.
For example, separate web browser applications typically maintain their own caches
rather than relying on a shared OS cache.
If there is a change to a resource record, server and client caching means that the
updated record can be relatively slow to propagate around the Internet. These
changes need to be managed carefully to avoid causing outages. Planning for a
record change involves reducing the TTL in the period before the change, waiting
for this change to propagate before updating the record, and then reverting to the
original TTL value when the update has safely propagated.
It is possible for the same DNS server instance to perform in both name server and
resolver roles, but more typically these functions are separated to different servers for
security reasons.
nslookup
Name resolution troubleshooting typically involves testing multiple clients and
servers. The use of caching and the distributed nature of the system means that
configuration errors can occur in several different places.
You might start investigating a name resolution issue by verifying the name
configured on a host. In Windows, you can use the command ipconfig /all to
display the FQDN of the local host. In Linux, you can use the command
hostname --fqdn.
In a Windows environment, you can troubleshoot DNS name resolution with the
nslookup command:
nslookup -Option Host DNSServer
Host can be either a host name, domain name, FQDN, or IP address. DNSServer
is the IP address of a server used to resolve the query; the default DNS server is
used if this argument is omitted. Option specifies an nslookup subcommand. For
example, the following command queries Google’s public DNS server (8.8.8.8) for
information about 515support.com’s mail records:
nslookup -type=mx 515support.com 8.8.8.8
If nslookup is run without any arguments (or by specifying the server only with
nslookup –DNSServer), the tool is started in interactive mode. You can
perform specific query types and output the result to a text file for analysis.
The first two nslookup commands identify comptia.org's MX and primary name server records
using Google's public DNS resolver (8.8.8.8). Note that the answers are nonauthoritative. The
third command queries CompTIA's name server for the MX record. This answer is authoritative.
(Screenshot courtesy of Microsoft.)
dig
Domain Information Groper (dig) is a command-line tool for querying DNS
servers that ships with the BIND DNS server software published by the Internet
Systems Consortium (ISC) (isc.org/downloads/bind).
dig can be run pointing at a specific DNS server; otherwise, it will use the default
resolver. Without any specific settings, it queries the DNS root zone. A simple query
uses the syntax: dig host. This will search for the address record for the host,
domain, or FQDN or PTR record for an IP address.
The following command example directs the resolve request to the specific DNS
server identified after the @ symbol. This can be an FQDN or IP address.
dig @ns1.isp.example host
Other examples of dig are to display all the resource records about a domain or
just specific ones such as Mail Exchange:
dig @ns1.isp.example host all
dig @ns1.isp.example host MX
dig often generates a lot of information, so it is possible to add parameters to the end
of the command like +nocomments or +nostats, which will reduce the output.
Review Activity:
DNS Services
Answer the following questions:
2. What type of DNS service would you configure on the LAN to use a public
DNS server to resolve queries for external domains?
Lesson 10
Summary
You should be able to explain the uses and purposes of the network services
protocols DHCP and DNS.
• Ensure DHCP servers are configured with accurate IP, default gateway, and DNS
server parameters for the scopes/subnets that they serve.
• If the address pool is limited, use short lease times to prevent address
exhaustion.
• Set up primary and secondary name servers to host records for your LAN. These
name services should be accessible only by authorized clients.
• Configure the appropriate host, MX, and service records for the forward lookup
zone on the primary server.
• For external DNS, consider using a third-party provider, ideally with a cloud
service, to ensure high availability. Without public DNS, your customers will not
be able to browse your websites or send you email.
• Set up a process for checking that your external DNS records are accurate and
working correctly.
Lesson 11
Explaining Network Applications
LESSON INTRODUCTION
Where DHCP and DNS support basic network operations, other application
protocols provide platforms for user-level services, such as websites, databases,
file/printer sharing, email, and voice/video calling.
You must be able to identify the ports used by these services and their performance
and security requirements so that you can assist with product deployments and
upgrades and perform basic troubleshooting.
In this lesson, you will identify common network applications and service platforms.
Lesson Objectives
In this lesson, you will:
• Explain the use of web, file/print, and database services.
Topic 11A
Explain the Use of Web, File/Print,
and Database Services
So far, you have studied lower-layer services that enable basic connectivity between
nodes. Above these are the services that provide useful functions to users, such as
web browsing, file/print sharing, and databases. The services that form part of the
TCP/IP protocol suite are mostly client-server protocols and applications. Client-
server applications are based around a centralized server that stores information
and waits for requests from clients. You need a good understanding of how these
protocols are used so that you can support them on your networks.
Using Firefox's web developer tools to inspect the HTTP requests and response headers involved in
serving a typical modern web page. (Screenshot courtesy of Mozilla Foundation.)
HTTP also features a forms mechanism (POST) that enables a user to submit data
from the client to the server. HTTP is nominally a stateless protocol; this means that
the server is not required to preserve information about the client during a session.
However, the basic functionality of HTTP servers is also often extended by support
for scripting and programmable features (web applications). Servers can also
set text file cookies to preserve session information. These coding features, plus
integration with databases, increase flexibility and interactivity, but also increase
the attack surface and expose more vulnerabilities.
Many argue that HTTP is a stateful protocol. Version 2 of HTTP adds more state-preserving
features (blog.zamicol.com/201 /05/is-http2-stateful-protocol-application.html).
Web Servers
Most organizations have an online presence, represented by a website. In order
to run a website, it must be hosted on an HTTP server connected to the Internet.
Larger organizations or SMEs with the relevant expertise may host websites
themselves, but more typically, an organization will lease a server or space on a
server from an ISP. The following types of hosting packages are common:
• Dedicated server—The ISP allocates your own private server computer. This
type of service is usually unmanaged (or management comes at additional cost).
• Virtual Private Server (VPS)—The ISP allocates you a virtual machine (VM) on a
physical server. This is isolated from other customer instances by the hypervisor.
The main web server platforms are Apache, Microsoft Internet Information Server
(IIS), and nginx.
TLS can also be used with UDP, referred to as Datagram Transport Layer Security (DTLS),
most often in virtual private networking (VPN) solutions.
To implement HTTPS, the web server is installed with a digital certificate issued by
some trusted certificate authority (CA). The certificate uses encrypted data to prove
the identity of the server, assuming that the client also trusts the CA. The certificate
is a wrapper for a public/private encryption key pair. The private key is kept a secret
known only to the server; the public key is given to clients via the digital certificate.
The server and client use the key pair in the digital certificate and a chosen cipher
suite within the SSL/TLS protocol to set up an encrypted tunnel. Even though
someone else might know the public key, they cannot decrypt the contents
of the tunnel without obtaining the server’s private key. This means that the
communications cannot be read or changed by a third party.
Encrypted traffic between the client and server is sent over TCP port 443 (by
default), rather than the open and unencrypted port 80. A web browser will open
a secure session to a server providing this service by using a URL starting with
https:// and it will also show a padlock icon in the address bar to indicate that the
connection is secure. A website can be configured to require a secure session and
reject or redirect plain HTTP requests.
In passive mode, the client opens a data port (again, typically n+1) and sends the
PASV command to the server’s control port. The server then opens a random high
port number and sends it to the client using the PORT command. The client then
initiates the connection between the two ports.
Active FTP poses a configuration problem for some firewalls, as the server is
initiating the inbound connection, but there is no way of predicting which port
number will be utilized. However, not all FTP servers and clients can operate in
passive mode. If this is the case, check that firewalls installed between the client
and server can support active FTP (stateful inspection firewalls).
Another problem is that the control connection can remain idle when the data
connection is in use, meaning that the connection can be timed out by the firewall
(or other routing device).
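The endpoint exchange behind the two FTP modes, as an added example that is not code from the guide: it encodes the PORT argument a client sends in active mode, decodes the address and port a server returns for passive mode, and states which data connection a firewall between the two must permit. It assumes the h1,h2,h3,h4,p1,p2 encoding and the 227 reply format of RFC 959; all addresses are constructed.

```python
"""Encode and decode the endpoint exchange behind active and passive FTP (added example, not
from the guide). The 227 reply format assumed here follows RFC 959; addresses are constructed."""
import re

PASV_REPLY_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_host_port(ip, port):
    """h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply; port = p1*256 + p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address required")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_host_port(fields):
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(client_ip, data_port):
    """Active mode: the client tells the server which client port to connect back to."""
    return f"PORT {encode_host_port(client_ip, data_port)}"


def parse_port_command(line):
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    return decode_host_port(args.split(","))


def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply carries the address and port it listens on."""
    m = PASV_REPLY_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    return decode_host_port(m.groups())


def data_flow_to_permit(mode, client_ip, server_ip, client_port=None, pasv_reply=None):
    """Which data connection a firewall between client and server has to allow."""
    if mode == "active":
        # inbound to the client from the server; the client port is not known in advance
        return {"from": (server_ip, 20), "to": (client_ip, client_port),
                "initiated_by": "server"}
    server_addr, server_port = parse_pasv_reply(pasv_reply)
    # outbound from the client to a random high port the server chose
    return {"from": (client_ip, None), "to": (server_addr, server_port),
            "initiated_by": "client"}


if __name__ == "__main__":
    print(port_command("192.0.2.10", 49153))
    print(parse_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,80)."))
```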
Another means of securing FTP is to use the connection security protocol SSL/TLS.
There are two means of configuring FTP over TLS:
• Explicit TLS (FTPES)—Use the AUTH TLS command to upgrade an unsecure
connection established over port 21 to a secure one. This protects authentication
credentials. The data connection for the actual file transfers can also be
encrypted (using the PROT command).
FTPS is tricky to configure when there are firewalls between the client and server.
Consequently, FTPES is usually the preferred method.
SMB has gone through several updates, with SMB3 as the current version. SMB1 has
very serious security vulnerabilities and is now disabled by default on current Windows
versions (docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/
detect-enable-and-disable-smbv1-v2-v3).
• Printer sharing—This means that a host connects to the printer (using a local or
network connection) and then shares the printer object with other hosts using SMB.
Print jobs and status messaging are sent via the host that shared the printer.
Database Services
A database provisions information in a format that can be read and updated
through some type of query language. There are two main types of databases.
Relational databases store information in tables with rows (records) and columns
(fields). Relationships between data fields in different tables is created using key
fields that uniquely identify each record. Relational databases are operated using
structured query language (SQL). SQL defines commands such as SELECT to
retrieve information or UPDATE to change it.
SQL has been implemented in relational database management system (RDBMS)
platforms by several different vendors. As well as providing an implementation
of SQL, an RDBMS provides management tools and often a GUI to use to operate
the database. A remote access protocol allows a client to connect to the database
server over the network and allows replication traffic to move between database
servers. Replication is a means of synchronizing the data held on each server. Each
RDBMS uses a different TCP port to distinguish it as an application service:
• Oracle’s remote data access protocol SQL Net uses TCP/1521.
• The open-source MySQL platform uses TCP/3306. The MariaDB platform forked
from MySQL uses the same port.
These are the principal ports. An RDBMS is likely to use other TCP or UDP ports for
additional functions.
By default, these ports are unsecure. However, the RDBMS server can be installed
with a certificate and configured to enable TLS transport encryption. The connection
is still made over the same port. Either the server or the client can be configured
to require encryption and drop the connection if a valid security profile is not
available. Optionally, the client can also be installed with a certificate and the server
configured to refuse connections from clients without a valid certificate.
The other type of database is referred to as NoSQL or “not only SQL.” Rather than
highly structured relational tables, NoSQL data can use a variety of formats, such as
key-value pairs or wide columns (where rows do not have to have the same set of
fields). NoSQL databases are typically accessed using an application programming
interface (API) over HTTPS.
All the RDBMS platforms also provide support for NoSQL datastores. There are also
dedicated NoSQL platforms, such as MongoDB, Amazon's DynamoDB, and CouchDB.
Review Activity:
Use of Web, File/Print, and
Database Services
Topic 11B
Explain the Use of Email and
Voice Services
The use of messaging, voice, and video services is now common in homes and
in many workplaces. These real-time applications bring their own challenges for
network architecture, and you need to understand these performance demands to
build networks that can support them.
The Simple Mail Transfer Protocol (SMTP) specifies how email is delivered from
one system to another. The SMTP server of the sender discovers the IP address
of the recipient SMTP server by using the domain name part of the recipient’s
email address. The SMTP servers for the domain are registered in DNS using Mail
Exchange (MX) and host (A/AAAA) records.
The STARTTLS method is generally more widely implemented than SMTPS. Typical
SMTP configurations use the following ports and secure services:
• Port 25—Used for message relay between SMTP servers, or message transfer
agents (MTAs). If security is required and supported by both servers, the
STARTTLS command can be used to set up the secure connection.
Mail clients can use port 25 to submit messages to the server for delivery, but this is not
best practice. Use of port 25 is typically reserved for relay between servers.
Like other TCP application protocols, POP transfers all information as cleartext.
This means anyone able to monitor the session would be able to obtain the user’s
credentials and snoop on messages. POP can be secured by using TLS encryption.
The default TCP port for secure POP (POP3S) is port 995.
VoIP-Enabled PBX
TDM-based PBXes are being replaced by hybrid and fully IP/VoIP PBXes. For internal
calls and conferences, a VoIP PBX establishes connections between local VoIP
endpoints with data transmitted over the local Ethernet network. A VoIP PBX can
also route incoming and outgoing calls from and to external networks. This might
involve calls between internal and external VoIP endpoints, or with voice telephone
network callers and receivers. A VoIP PBX will also support features such as music
on hold and voice mail.
A TDM PBX is supplied as vendor-specific hardware. A VoIP PBX can be
implemented as software running on a Windows or Linux server. Examples
of software-based solutions include 3CX (3cx.com) and Asterisk (asterisk.org).
There are also hardware solutions, where the VoIP PBX runs on a router, such
as Cisco Unified Communications Manager (cisco.com/c/en/us/products/unified-
communications/unified-communications-manager-callmanager/index.html).
A VoIP PBX would normally be placed at the network edge and be protected by
a firewall. Internal clients connect to the PBX over Ethernet data cabling and
switching infrastructure, using Internet Protocol (IP) at the Network layer for
addressing. The VoIP PBX uses the organization’s Internet link to connect to a
VoIP service provider, which facilitates inward and outward dialing to voice-
based telephone networks.
A VoIP PBX facilitates internal IP calls and calls to and from external VoIP networks and the
landline and cellular telephone networks. (Images © 123RF.com)
VoIP Protocols
Voice and video services can be challenging to support because they require
response times measured in milliseconds (ms). Delayed responses will result in
poor call or video quality. This type of data can be one-way, as is the case with
media streaming, or two-way, as is the case with VoIP and VTC.
The protocols designed to support real-time services cover one or more of the
following functions:
• Session control—Used to establish, manage, and disestablish communications
sessions. They handle tasks such as user discovery (locating a user on the
network), availability advertising (whether a user is prepared to receive calls),
negotiating session parameters (such as use of audio/video), and session
management and termination.
sip:[email protected]
sip:[email protected]
sip:jaime@2622136227
meet:sip:[email protected];ms-app=conf;ms-conf-id=subg42
There is also a tel: URI scheme allowing SIP endpoints to dial a landline or cell phone. A
tel: URI can either use the global (E.164) format (such as tel:+1-8 -8358020) or a local
format (for internal extensions).
SIP typically runs over UDP or TCP ports 5060 (unsecured) and 5061 (SIP-TLS). SIP
has its own reliability and retransmission mechanisms and can thus be seen to
benefit most from the lower overhead and reduced latency and jitter of UDP. Some
enterprise SIP products use TCP anyway.
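To make the URI forms above concrete, here is an added example (not code from the student guide) that parses sip: and sips: URIs into user, host, port and parameters, filling in the default port (5060 for sip:, 5061 for sips:) when none is written, and validates tel: numbers in global E.164 form (leading +, at most 15 digits) or local extension form. The sample URIs in the usage section are constructed.

```python
"""Parse the sip:, sips:, and tel: URIs used to locate SIP user agents.

Added example, not from the student guide. Resolves the default port
(5060 for sip:, 5061 for sips:) when none is given and validates tel:
numbers in global (E.164, leading '+') or local form. Sample URIs are
constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

_SIP = re.compile(
    r"^(sips?):"                      # scheme
    r"(?:([^@;:]+)@)?"                # optional user part
    r"([^:;]+)"                       # host (name or IP)
    r"(?::(\d{1,5}))?"                # optional port
    r"((?:;[^;=]+(?:=[^;]*)?)*)$"     # ;param or ;param=value, repeated
)


@dataclass
class SipUri:
    scheme: str                       # "sip" or "sips"
    user: Optional[str]
    host: str
    port: int                         # explicit, or the scheme default
    params: dict = field(default_factory=dict)


def parse_sip(uri: str) -> SipUri:
    m = _SIP.match(uri.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    scheme, user, host, port, raw_params = m.groups()
    params = {}
    for p in raw_params.split(";"):
        if p:
            key, _, value = p.partition("=")
            params[key] = value
    if port is not None:
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError("port out of range")
    else:
        port = 5061 if scheme == "sips" else 5060
    return SipUri(scheme, user, host, port, params)


def parse_tel(uri: str) -> dict:
    """Return {'global': bool, 'digits': str}.

    Global numbers start with '+' and follow E.164 (at most 15 digits);
    anything else is treated as a local number such as an internal extension.
    Visual separators ('-', '.', '(', ')', spaces) are ignored.
    """
    if not uri.startswith("tel:"):
        raise ValueError(f"not a tel URI: {uri!r}")
    number = uri[len("tel:"):].split(";", 1)[0]
    compact = re.sub(r"[-.() ]", "", number)
    is_global = compact.startswith("+")
    digits = compact[1:] if is_global else compact
    if not digits.isdigit():
        raise ValueError(f"non-digit characters in {uri!r}")
    if is_global and len(digits) > 15:
        raise ValueError("E.164 numbers have at most 15 digits")
    return {"global": is_global, "digits": digits}


if __name__ == "__main__":
    # Constructed sample URIs
    print(parse_sip("sips:alice@voip.example.com:5061;transport=tls"))
    print(parse_sip("sip:jaime@2622136227"))
    print(parse_tel("tel:+1-555-0100"), parse_tel("tel:2345"))
```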
VoIP Phones
A VoIP/SIP endpoint can be implemented as software running on a computer or
smartphone or as a dedicated hardware handset. VoIP phones use VLAN tagging
to ensure that the SIP control and RTP media protocols can be segregated from
normal data traffic. In a typical voice VLAN configuration, the LAN port on the
handset is connected to the wall port, while the PC is connected to the PC port
on the handset. The two devices share the same physical link, but data traffic is
distinguished from voice traffic by configuring separate VLAN IDs.
Handsets can use Power over Ethernet (PoE), if available, to avoid the need for
separate power cabling or batteries. There are also wireless handsets that work
over 802.11 Wi-Fi networks.
Connection security for VoIP works in a similar manner to HTTPS. To initiate the
call, the secure version of SIP (SIPS) uses digital certificates to authenticate the
endpoints and establish an SSL/TLS tunnel. The secure connection established by
SIPS can also be used to generate a master key to use with the secure versions of
the transport and control protocols.
When you are installing a new handset, you should also test that the connection
works and that the link provides sufficient call quality. Most service providers have
test numbers to verify basic connectivity and perform an echo test call, which
replays a message you record so that you can confirm voice quality.
Voice Gateways
SIP endpoints can establish communications directly in a peer-to-peer architecture,
but it is more typical to use intermediary servers, directory servers, and VoIP
gateways. There can also be requirements for on-premises integration between
data and voice networks and equipment. A voice gateway is a means of translating
between a VoIP system and legacy voice equipment and networks, such as POTS
lines and handsets. There are many types of VoIP gateways, serving different
functions. For example, a company may use VoIP internally, but connect to the
telephone network via a gateway. To facilitate this, you could use a hybrid or
hardware-based VoIP PBX with a plug-in or integrated VoIP gateway, or you could
use a separate gateway appliance. There are analog and digital types to match the
type of incoming landline. An analog version of this type of gateway is also called a
Foreign Exchange Office (FXO) gateway.
A VoIP gateway can also be deployed to allow a legacy analog or digital internal
phone system to use a VoIP service provider to place calls. In this type of setup, low
rate local and national calls might be placed directly, while international calls that
would attract high charges if placed directly are routed via the VoIP service provider.
Finally, a VoIP gateway or adapter can be used to connect POTS handsets and
fax machines to a VoIP PBX. This type of device is also called a Foreign Exchange
Subscriber (FXS) gateway.
Review Activity:
Use of Email and Voice Services
3. True or False? SIP enables the location of user agents via a specially
formatted URI.
Lesson 11
Summary
You should be able to explain the characteristics of common application ports and
protocols, especially in terms of security/encryption requirements.
• Configure web servers with a valid certificate issued by a locally trusted or public
certificate authority (CA) to enable HTTPS over TCP/443.
• Enable secure FTP on web servers, file servers, and appliances as a means of
transferring files securely. FTP can be secured using SSH (SFTP) or TLS (FTPES
or FTPS).
• Ensure that unencrypted local file and printer sharing services such as SMB are
used only on trusted local networks. Block the SMB ports (TCP/UDP/137-139 and
TCP/445) at the network perimeter. Ensure that legacy versions of the protocol
are disabled.
• Deploy database services for access by application servers, rather than being
directly accessible to client workstations and devices. Use access control lists to
block access to RDBMS ports TCP/1521 (Oracle SQL Net), TCP/1433 (MS SQL),
TCP/3306 (MySQL/MariaDB), or TCP/5432 (PostgreSQL).
• Deploy SMTP servers to the network edge to transfer email messages to and
from external recipients over TCP/25. Use TCP/587 and TLS to allow mail clients
to submit messages for delivery securely. POP3 or IMAP mailbox servers should
be deployed as secure version (TCP/995 and TCP/993 respectively).
Lesson 12
Ensuring Network Availability
LESSON INTRODUCTION
So far in this course, you have learned about all the different network media and
topologies plus the application protocols that go toward building network connectivity
and services. In this lesson, you will investigate some tools and management methods
that will help you determine your network’s baseline and optimize your network’s
performance.
Lesson Objectives
In this lesson, you will:
• Explain the use of network management services.
Topic 12A
Explain the Use of Network
Management Services
A remote management tool allows you to configure servers and devices over the
network. Having to perform configuration and troubleshooting activity at a local
console would be incredibly time-consuming. Efficient network administration
depends upon remote access tools. It is imperative to configure these tools
securely, however.
Confirming the SSH server’s host key using the PuTTY SSH client. (Screenshot courtesy of PuTTY.)
The host key must be changed if any compromise of the host is suspected. If an attacker
has obtained the private key of a server or appliance, they can masquerade as that
server or appliance and perform a spoofing attack, usually with a view to obtaining
other network credentials. You might also change the key to use a longer bit strength.
Managing valid client public keys is a critical security task. Many recent attacks on web
servers have exploited poor key management. If a user’s private key is compromised,
delete the public key from the appliance then regenerate the key pair on the user’s
(remediated) client device and copy the public key to the SSH server. Always delete public
keys if the user’s access permissions have been revoked.
• ssh-keygen—Create a key pair to use to access servers. The private key must
be stored securely on your local computer. The public key must be copied to the
server. You can use the ssh-copy-id command to do this, or you can copy
the file manually.
• ssh Host—Use the SSH client to connect to the server running at Host.
Host can be an FQDN or IP address. You can also create a client configuration
file.
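The key-management steps above (revoke a compromised or no-longer-authorized public key, keep the rest) are easy to get wrong by hand on an appliance with many entries. The following is an added example, not code from the student guide or from OpenSSH, that parses an authorized_keys file, computes the same SHA256 fingerprint that ssh-keygen -lf prints, and removes entries whose fingerprint or owner comment is on a revocation list. The key blobs it builds are constructed (all-zero ed25519 key bytes) so the example runs offline; they are not real keys.

```python
"""Audit and prune an OpenSSH authorized_keys file.

Added example, not from the student guide. It computes the SHA256
fingerprint that `ssh-keygen -lf` reports for each public key and removes
entries whose fingerprint (or owner comment) is on a revocation list, the
'delete the public key from the appliance' step above. The key blobs are
constructed (dummy ed25519 key bytes), not real keys.
"""
import base64
import hashlib
import struct
from typing import Optional

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of the hash, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str) -> Optional[dict]:
    """Parse one authorized_keys line; None for blank and comment lines.

    Limitation: option values containing quoted spaces (command="a b") are
    not handled by the whitespace split used here.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    # Optional leading options (e.g. from="10.0.0.0/8",no-pty) precede the key type.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return {
        "options": " ".join(fields[:idx]),
        "type": fields[idx],
        "blob": fields[idx + 1],
        "comment": " ".join(fields[idx + 2:]),
        "fingerprint": fingerprint(fields[idx + 1]),
    }


def parse_authorized_keys(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def prune(text: str, revoked_fingerprints=(), revoked_comments=()) -> tuple:
    """Return (new file text, list of removed entries); non-key lines are kept."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and (entry["fingerprint"] in revoked_fingerprints
                      or entry["comment"] in revoked_comments):
            removed.append(entry)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_blob(fill: int) -> str:
    """A syntactically valid ed25519 public-key blob with dummy key bytes (not a real key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)).decode()


SAMPLE_FILE = (   # constructed sample file
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {constructed_blob(1)} alice@workstation\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {constructed_blob(2)} bob@laptop\n'
)

if __name__ == "__main__":
    for e in parse_authorized_keys(SAMPLE_FILE):
        print(e["fingerprint"], e["type"], e["comment"])
    new_text, gone = prune(SAMPLE_FILE, revoked_comments={"bob@laptop"})
    print(new_text, [g["comment"] for g in gone])
```

Matching on the fingerprint rather than the comment is the reliable choice: comments are free text that users can reuse, whereas the fingerprint identifies the key material itself, which is what was compromised.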
Telnet
Telnet is both a protocol and a terminal emulation software tool that transmits
shell commands and output between a client and the remote host. In order to
support Telnet access, the remote computer must run a service known as the Telnet
Daemon. The Telnet Daemon listens on TCP port 23 by default.
A Telnet interface can be password protected but the password and other
communications are not encrypted and therefore could be vulnerable to packet
sniffing and replay. Historically, Telnet provided a simple means to configure switch
and router equipment, but only secure access methods should be used for these
tasks now. Ensure that the Telnet service is uninstalled or disabled, and block
access to port 23.
RDP clients are available for other operating systems, including Linux, macOS, iOS,
and Android so you can connect to a Windows desktop remotely using a non-Windows
device. There are also open-source RDP server products, such as xrdp (xrdp.org).
represents a step away from the accurate clock source over a network link. These
lower stratum servers act as clients of the stratum 1 servers and as servers or time
sources to lower stratum NTP servers or client hosts. Most switches and routers
can be configured to act as time servers to local client hosts and this function is
also typically performed by network directory servers. It is best to configure each of
these devices with multiple reference time sources (at least three) and to establish
them as peers to allow the NTP algorithm to detect drifting or obviously incorrect
time values.
Stratum 1 NTP servers are directly connected to an accurate clock source. Each stratum level below
one represents a network hop away from that accurate time source. (Images © 123RF.com.)
Client hosts (application servers and workstations) usually obtain the time by using
a modified form of the protocol called Simple NTP (SNTP). SNTP works over the
same port as NTP. A host that supports only SNTP cannot act as a time source for
other hosts. In Windows, the Time Service can be configured by using the w32tm
command. In Linux, the ntp package can be configured via /etc/ntp.conf.
If a server or host is configured with the incorrect time, it may not be able to access
network services. Authentication, and other security mechanisms will often fail
if the time is not synchronized on both communicating devices. In this situation,
errors are likely to be generic failed or invalid token type messages. Always try to
rule out time synchronization as an issue early in the troubleshooting process.
If a local stratum 1 server cannot be implemented on the local network, the time source
can be configured using one or more public NTP server pools, such as time.google.com,
time.windows.com, time.apple.com, time.nist.gov, or pool.ntp.org.
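The SNTP exchange a client host performs, and why several reference sources are recommended, can be shown in a few lines. This is an added example (not code from the student guide): it builds the 48-byte SNTP request, parses a server reply, computes the clock offset and round-trip delay from the four timestamps, and then takes the median of several sources so that one obviously wrong server is flagged instead of trusted. The server reply is constructed offline rather than received from a real server, and the one-second outlier tolerance is an assumed example value.

```python
"""Build an SNTP request, parse a server reply, and derive the clock offset.

Added example, not from the student guide. Shows the 48-byte NTP/SNTP
packet layout, the 1900-based 64-bit timestamp, and the offset and
round-trip formulas a client applies; select_offset() then picks the
median of several sources and flags outliers, which is why the text
recommends at least three references. The server reply is constructed
offline, not received from a real server.
"""
import statistics
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbIIIQQQQ"              # LI/VN/Mode, stratum, poll, precision,
                                     # root delay, root dispersion, ref id,
                                     # reference/originate/receive/transmit timestamps


def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix) + NTP_UNIX_DELTA
    frac = int((unix - int(unix)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3; only the transmit timestamp matters."""
    first = (0 << 6) | (4 << 3) | 3
    return struct.pack(HEADER, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(transmit_unix))


def build_response(originate: int, recv_unix: float, xmit_unix: float, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4) echoing our originate timestamp."""
    first = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, 0,
                       to_ntp(recv_unix - 64), originate, to_ntp(recv_unix), to_ntp(xmit_unix))


def parse_response(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("short packet")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, orig, recv, xmit) = struct.unpack(HEADER, pkt[:48])
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3 or stratum == 0:
        # LI=3 means the server is unsynchronized; stratum 0 is a kiss-o'-death.
        raise ValueError("server is not a usable time source")
    return {"version": version, "stratum": stratum,
            "originate": from_ntp(orig), "receive": from_ntp(recv), "transmit": from_ntp(xmit)}


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """Client clock error: t1/t4 are client send/receive, t2/t3 server receive/send."""
    return ((t2 - t1) + (t3 - t4)) / 2


def round_trip(t1: float, t2: float, t3: float, t4: float) -> float:
    return (t4 - t1) - (t3 - t2)


def select_offset(offsets, tolerance: float = 1.0) -> dict:
    """Median of several sources; values more than `tolerance` s from it are outliers.

    The tolerance is an assumed example threshold, not an NTP constant.
    """
    median = statistics.median(offsets)
    outliers = [o for o in offsets if abs(o - median) > tolerance]
    return {"offset": median, "outliers": outliers}


def sample_exchange() -> dict:
    """One constructed request/reply pair: the client sends at 1000.0 and receives
    at 1000.2 (its own clock); the server stamps 1000.5 and 1000.6 (its clock,
    0.45 s ahead, with 0.05 s one-way delay each direction)."""
    t1, t4 = 1000.0, 1000.2
    req = build_request(t1)
    originate = struct.unpack("!Q", req[40:48])[0]
    reply = parse_response(build_response(originate, 1000.5, 1000.6))
    if abs(reply["originate"] - t1) > 1e-6:
        raise ValueError("reply does not match our request; discard it")
    return {"offset": clock_offset(t1, reply["receive"], reply["transmit"], t4),
            "rtt": round_trip(t1, reply["receive"], reply["transmit"], t4),
            "stratum": reply["stratum"]}


if __name__ == "__main__":
    print(sample_exchange())
    print(select_offset([0.45, 0.47, 30.0]))
```

The originate-timestamp check is the minimal sanity test a client should keep: a reply that does not echo the request's transmit time is stale or was not sent in response to this client, and a single source that disagrees wildly with its peers is exactly the drifting or incorrect server the text says multiple references are meant to expose.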
Review Activity:
Network Management Services
1. True or false? SSH must be configured with two key pairs to operate one
on the server and one on the client.
4. What is SNTP?
Topic 12B
Use Event Management to Ensure
Network Availability
Performance Metrics
When you are monitoring a network host or intermediate system, several
performance metrics can tell you whether the host is operating normally:
• Bandwidth/throughput—This is the rated speed of all the interfaces available
to the device, measured in Mbps or Gbps. For wired Ethernet links, this will not
usually vary, but the bandwidth of WAN and wireless links can change over time.
Bottlenecks
A bottleneck is a point of poor performance that reduces the productivity of the
whole network. A bottleneck may occur because a device is underpowered or faulty.
It may also occur because of user or application behavior. To identify the cause of a
bottleneck, you need to identify where and when on the network overutilization or
excessive errors occur. If the problem is continual, it is likely to be device-related; if
the problem only occurs at certain times, it is more likely to be user- or application-
related.
Performance Baselines
A performance baseline establishes the resource utilization metrics at a point
in time, such as when the system was first installed. This provides a comparison
to measure system responsiveness later. For example, if a company is expanding
a remote office that is connected to the corporate office with an ISP’s basic tier
package, the baseline can help determine if there is enough reserve bandwidth to
handle the extra user load, or if the basic package needs to be upgraded to support
higher bandwidths.
Reviewing baselines is the process of evaluating whether a baseline is still fit for
purpose or whether a new baseline should be established. Changes to the system
usually require a new baseline to be taken.
Environmental Monitoring
As distinct from performance monitors, an environmental sensor is used to detect
factors that could threaten the integrity or availability of an appliance or its function.
Servers and appliances are fitted with internal sensors to monitor conditions within
the device chassis. These can report problems such as excessive temperatures
within the device chassis, fan speeds, component failure, and chassis intrusion to a
monitoring system.
CPUID’s HWMONITOR app can report temperatures from sensors installed on PC components.
(Screenshot used by permission of CPUID.)
SNMP Agents
The agent is a process (software or firmware) running on a switch, router, server,
or other SNMP-compatible network device. This agent maintains a database called
a Management Information Base (MIB) that holds statistics relating to the activity
of the device, such as the number of frames per second handled by a switch. Each
parameter stored in a MIB is referred to by a numeric Object Identifier (OID). OIDs
are stored within a tree structure. Part of the tree is generic to SNMP, while part can
be defined by the device vendor.
An agent is configured with the community name of the computers allowed
to manage the agent and the IP address or host name of the server running
the management system. The community name acts as a rudimentary type of
password. An agent can pass information only to management systems configured
with the same community name. There are usually two community names; one for
read-only access and one for read-write access (or privileged mode).
SNMP Monitor
An SNMP monitor is management software that provides a location from which
you can oversee network activity. The monitor polls agents at regular intervals for
information from their MIBs and displays the information for review. It also displays
any trap operations as alerts for the network administrator to assess and act upon
as necessary. The monitor can retrieve information from a device in two main ways:
• Get—The software queries the agent for a single OID. This command is used by
the monitor to perform regular polling (obtaining information from devices at
defined intervals).
• Trap—The agent informs the monitor of a notable event (port failure, for
instance). The threshold for triggering traps can be set for each value.
The monitor can be used to change certain variables using the Set command. It can
also walk an MIB subtree by using multiple Get and Get Next commands. This is
used to discover the complete layout of an MIB. Device queries take place over UDP
port 161; traps are communicated over UDP port 162.
SNMP collects information from network devices for diagnostic purposes. (Images © 123RF.com)
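The Get, Get Next, Set, and community-name behaviour described in the SNMP Agents and SNMP Monitor sections can be modelled without a network. The following is an added example, not code from the student guide or from any SNMP implementation: it keeps a constructed MIB in a dictionary keyed by OID, enforces read-only and read-write community names, and walks a subtree by issuing Get Next repeatedly until the returned OID falls outside the requested prefix. The OIDs under 1.3.6.1.2.1.1 (system) and 1.3.6.1.2.1.2.2.1 (ifTable) are standard MIB-2 identifiers; the values and the community strings are made up.

```python
"""Simulate an SNMP agent's MIB and the Get / Get Next / Set operations.

Added example, not from the student guide. The MIB is a constructed
dictionary keyed by OID; the OIDs under 1.3.6.1.2.1.1 (system) and
1.3.6.1.2.1.2.2.1 (ifTable) are standard MIB-2 identifiers, the values and
community names are made up. walk() issues repeated Get Next requests until
the returned OID leaves the requested subtree, which is how a monitor
discovers a subtree it does not know in advance.
"""
from bisect import bisect_right


def parse_oid(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def oid_str(oid: tuple) -> str:
    return "." + ".".join(str(p) for p in oid)


class CommunityError(PermissionError):
    pass


class Agent:
    def __init__(self, mib: dict, read_only: str, read_write: str):
        # OIDs are ordered lexicographically by component; Get Next follows that order.
        self.mib = {parse_oid(k): v for k, v in mib.items()}
        self.sorted_oids = sorted(self.mib)
        self.read_only, self.read_write = read_only, read_write

    def _check(self, community: str, write: bool = False) -> None:
        allowed = (self.read_write,) if write else (self.read_only, self.read_write)
        if community not in allowed:
            raise CommunityError("bad community name")  # a real agent silently drops the request

    def get(self, community: str, oid: str):
        self._check(community)
        key = parse_oid(oid)
        if key not in self.mib:
            raise KeyError(f"noSuchObject {oid}")
        return self.mib[key]

    def get_next(self, community: str, oid: str) -> tuple:
        """Return (next_oid, value) for the first OID lexicographically after `oid`."""
        self._check(community)
        pos = bisect_right(self.sorted_oids, parse_oid(oid))
        if pos == len(self.sorted_oids):
            raise KeyError("endOfMibView")
        nxt = self.sorted_oids[pos]
        return oid_str(nxt), self.mib[nxt]

    def set(self, community: str, oid: str, value) -> None:
        self._check(community, write=True)
        key = parse_oid(oid)
        if key not in self.mib:
            raise KeyError(f"noSuchObject {oid}")
        self.mib[key] = value


def walk(agent: Agent, community: str, subtree: str) -> list:
    """Discover every OID under `subtree` with repeated Get Next calls."""
    prefix = parse_oid(subtree)
    results, current = [], subtree
    while True:
        try:
            nxt, value = agent.get_next(community, current)
        except KeyError:
            break
        if parse_oid(nxt)[:len(prefix)] != prefix:
            break                         # left the subtree
        results.append((nxt, value))
        current = nxt
    return results


SAMPLE_MIB = {   # constructed values; the OIDs are standard MIB-2
    "1.3.6.1.2.1.1.1.0": "Example switch, firmware 1.2.3",   # sysDescr
    "1.3.6.1.2.1.1.3.0": 123456,                             # sysUpTime (hundredths of a second)
    "1.3.6.1.2.1.1.5.0": "sw-core-01",                       # sysName
    "1.3.6.1.2.1.2.2.1.10.1": 987654321,                     # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.16.1": 123456789,                     # ifOutOctets.1
}
# Placeholder community strings; replace the well-known defaults on real devices.
agent = Agent(SAMPLE_MIB, read_only="ro-example", read_write="rw-example")

if __name__ == "__main__":
    for oid, value in walk(agent, "ro-example", "1.3.6.1.2.1.1"):
        print(oid, value)
```

Because the community name travels in cleartext and is the only check in SNMPv1/v2c, the read-write community in particular should be treated as a password: a manager that knows it can change device configuration with Set, which is why the text calls it privileged mode.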
Audit Logs
An audit log records use of authentication and authorization privileges. It will
generally record success/fail type events. An audit log might also be described as an
access log or security log. Audit logging might be performed at an OS level and at a
per-application level.
Audit logs typically associate an action with a particular user. This is one of the reasons
that it is critical that users not share logon details. If a user account is compromised,
there is no means of tying events in the log to the actual attacker.
Performance/Traffic Logs
Performance and traffic logs record statistics for compute, storage, and network
resources over a defined period.
Event Management
Devices can generate thousands of events per hour. A system for prioritizing them
between ones that require immediate or long-term response is vital. Most logging
systems categorize each event. For example, in Windows, system and application
events are defined as Informational, Warning, or Critical, while audit events are
categorized as Success or Fail.
Syslog severity levels are as follows:
There should be some process for acknowledging and dismissing alerts as they are
raised. A serious alert may need to be processed as an incident and assigned a job
ticket for formal investigation. If an alert is a false positive, it can be dismissed. If the
management system or dashboard is allowed to become cluttered with old alerts,
it is much more difficult to identify new alerts and gauge the overall status of the
network.
Log Reviews
Monitoring involves viewing traffic, protocols, and events in real time. Network
and log reviewing, or analysis involves later inspection and interpretation of
captured data to determine what the data shows was happening on the network
during the capture. Monitoring is aligned with incident response; analysis is
aligned with investigating the cause of incidents or preventing incidents in the first
place. It is important to perform performance analysis and log review continually.
Referring to the logs only after a major incident is missing the opportunity to
identify threats and vulnerabilities or performance problems early and to respond
proactively.
Not all performance incidents will be revealed by a single event. One of the features
of log analysis and reporting software should be to identify trends. A trend is
difficult to spot by examining each event in a log file. Instead, you need software to
chart the incidence of types of events and show how the number or frequency of
those events changes over time.
Plotting data as a graph is particularly helpful as it is easier to spot trends or spikes
or troughs in a visualization of events, rather than the raw data. Most performance
monitors can plot metrics in a graph.
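The two ideas in this topic, categorizing each event by severity so that serious ones become tickets, and charting event frequency over time so that a trend shows what no single line does, can be demonstrated on a handful of syslog lines. This is an added example, not code from the student guide: it decodes the syslog PRI value into facility and severity (the RFC 5424 severity names 0 to 7), maps severity to a handling action, and counts matching events per minute to flag a spike. The log lines are constructed, and the spike threshold (three times the median bucket count) is an assumed example value.

```python
"""Categorize syslog events by severity and chart a trend over time.

Added example, not from the student guide. parse_syslog_line() decodes
the <PRI> value (facility * 8 + severity, RFC 3164/5424), triage() maps
severity to an action, and trend() counts matching events per minute so
a spike stands out that no single line reveals. All log lines are
constructed; the spike threshold is an assumed example value.
"""
import re
import statistics
from collections import Counter

SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]   # 0..7 per RFC 5424

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "      # BSD-style timestamp
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "               # program[pid]:
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> dict:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITY[pri % 8],
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"].strip(),
            "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]}


def triage(event: dict) -> str:
    """Map severity to the handling described above: ticket, review, or archive."""
    if event["severity"] <= 2:          # emergency, alert, critical
        return "open incident ticket"
    if event["severity"] <= 4:          # error, warning
        return "review in daily log check"
    return "archive"


def trend(events, pattern: str, factor: float = 3.0) -> dict:
    """Count events matching `pattern` per minute and flag spike buckets.

    A bucket is a spike when its count exceeds `factor` times the median
    bucket count (assumed threshold for illustration).
    """
    counts = Counter(e["timestamp"][:-3] for e in events if re.search(pattern, e["message"]))
    if not counts:
        return {"buckets": {}, "spikes": []}
    median = statistics.median(counts.values())
    spikes = [b for b, n in counts.items() if n > factor * median]
    return {"buckets": dict(sorted(counts.items())), "spikes": spikes}


SAMPLE_LOG = [   # constructed lines; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges
    "<38>Mar 10 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "<38>Mar 10 10:01:15 gw sshd[1209]: Accepted publickey for ops from 192.0.2.20 port 41000 ssh2",
    "<38>Mar 10 10:02:05 gw sshd[1215]: Failed password for root from 203.0.113.5 port 50140 ssh2",
    "<34>Mar 10 10:02:30 gw kernel: CPU temperature above threshold, throttling",
    "<38>Mar 10 10:03:01 gw sshd[1221]: Failed password for root from 203.0.113.5 port 50150 ssh2",
    "<38>Mar 10 10:03:02 gw sshd[1222]: Failed password for root from 203.0.113.5 port 50151 ssh2",
    "<38>Mar 10 10:03:03 gw sshd[1223]: Failed password for root from 203.0.113.5 port 50152 ssh2",
    "<38>Mar 10 10:03:04 gw sshd[1224]: Failed password for root from 203.0.113.5 port 50153 ssh2",
]

if __name__ == "__main__":
    events = [parse_syslog_line(l) for l in SAMPLE_LOG]
    for e in events:
        print(e["severity_name"], triage(e), e["message"][:40])
    print(trend(events, r"Failed password"))
```

Each failed login is only an informational event and would be archived on its own; the per-minute count is what turns four of them in the same minute into something worth reviewing, which is the point of charting frequency rather than reading lines one at a time.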
Review Activity:
Ensure Network Availability with
Event Management
Answer the following questions:
3. What sort of log would you inspect if you wanted to track web server
access attempts?
Topic 12C
Use Performance Metrics to Ensure
Network Availability
Network Metrics
Quality of Service (QoS) protocols and appliances are designed to support real-
time services. Applications such as voice and video that carry real-time data have
different network requirements to the sort of data represented by file transfer. With
“ordinary” data, it might be beneficial to transfer a file as quickly as possible, but
the sequence in which the packets are delivered and the variable intervals between
packets arriving do not materially affect the application. This type of data transfer is
described as bursty.
While streaming video applications can have a high bandwidth requirement in
terms of the sheer amount of data to be transferred, bandwidth on modern
networks is typically less of a problem than packet loss, latency, and jitter.
Bandwidth
Bandwidth is the amount of information that can be transmitted, measured in
bits per second (bps), or some multiple thereof. When monitoring, you need to
distinguish between the nominal data link/Ethernet bit rate, the throughput of a link
at Layer 3, and the goodput available to an application.
Bandwidth for audio depends on the sampling frequency (Hertz) and bit depth
of each sample. For example, telecommunications links are based on 64 Kbps
channels. This was derived through the following calculation:
• The voice frequency range is 4000 Hz. This must be sampled at twice the rate to
ensure an accurate representation of the original analog waveform.
For VoIP, bandwidth requirements for voice calling can vary, but allowing 100 Kbps
per call upstream and downstream should be sufficient in most cases.
Bandwidth required for video is determined by image resolution (number of pixels),
color depth, and the frame rate, measured in frames per second (fps).
Bandwidth Management
Latency and jitter on the Internet are difficult to control because of the number
of different parties that are involved (both caller networks plus any ISP transit
networks). On a local network, delay is typically caused by congestion. This means
that the network infrastructure is not capable of meeting the demands of peak load.
You can either provision higher bandwidth links and/or faster switches and routers,
or you can use some sort of bandwidth management mechanism. For example, if
you are running VoIP over your network and someone decides to copy a 40 GB file
down from a server, the file transfer has the potential to wreak havoc with VoIP
call quality. Without QoS, switches and routers forward traffic based on best effort
or first-in, first-out, meaning that frames or packets are forwarded in the order in
which they arrive. A QoS system identifies the packets or traffic streams belonging
to a specific application, such as VoIP, and prioritizes them over other applications,
such as file transfer.
Differentiated Services
The Differentiated Services (DiffServ) framework classifies each packet
passing through a device. Router policies can then be defined to use the packet
classification to prioritize delivery. DiffServ is an IP (layer 3) service tagging
mechanism. It uses the Type of Service field in the IPv4 header (Traffic Class in IPv6).
The field is populated with a 6-bit DiffServ Code Point (DSCP) by either the sending
host or by the router. Packets with the same DSCP and destination are referred to
as Behavior Aggregates and allocated the same Per Hop Behavior (PHB) at each
DiffServ-compatible router.
DiffServ traffic classes are typically grouped into three types:
• Best Effort.
IEEE 802.1p
While DiffServ works at layer 3, IEEE 802.1p can be used at Layer 2 (independently
or in conjunction with DiffServ) to classify and prioritize traffic passing over a
switch or wireless access point. 802.1p defines a tagging mechanism within the
802.1Q VLAN field (it is also often referred to as 802.1Q/p). The 3-bit priority field is
set to a value between 0 and 7. Most vendors map DSCP values to 802.1p ones.
For example, 7 and 6 can be reserved for network control (such as routing table
updates), 5 and 4 map to expedited forwarding levels for 2-way communications,
3 and 2 map to assured forwarding for streaming multimedia, and 1 and 0 for
“ordinary” best-effort delivery.
As well as invoking the priority tag, VLAN infrastructure is often used for traffic
management on local networks. For example, voice traffic might be allocated to a
different VLAN than data traffic.
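The two markings described above can be seen side by side in a raw frame. The following is an added example, not code from the course guide: it constructs a tagged Ethernet/IPv4 frame, extracts the 3-bit 802.1p priority (PCP) from the 802.1Q tag and the 6-bit DSCP from the IPv4 Type of Service byte, and applies a DSCP-to-PCP mapping. The mapping used (the top three bits of the DSCP become the PCP) is an assumed vendor default that reproduces the grouping in the text; MAC and IP addresses are constructed.

```python
"""QoS markings as described above: the 6-bit DSCP in the IPv4 Type of Service byte and
the 3-bit 802.1p priority (PCP) carried in the 802.1Q tag. Added example, not course
code; the frames are constructed and the DSCP-to-PCP rule is an assumed default."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Standard DSCP code points by RFC name (all are 6-bit values, 0..63).
DSCP_BE, DSCP_AF11, DSCP_AF21, DSCP_AF31 = 0, 10, 18, 26
DSCP_EF, DSCP_CS6, DSCP_CS7 = 46, 48, 56


def build_frame(dscp, pcp=None, vid=0):
    """Construct a minimal Ethernet/IPv4 frame (20-byte header, UDP, no payload) that
    carries the given DSCP; an 802.1Q tag with the given PCP is inserted only when
    a PCP is supplied. MAC and IP addresses are constructed sample values."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        if not (0 <= pcp <= 7 and 0 <= vid <= 4095):
            raise ValueError("PCP is 3 bits, VID is 12 bits")
        tci = (pcp << 13) | vid           # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS (DSCP<<2 | ECN), total length, id, flags/frag, TTL, proto, checksum, src, dst
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return frame


def parse_frame(frame):
    """Return the 802.1p PCP and VLAN ID (None when untagged) and the IPv4 DSCP/ECN
    (None when the payload is not IPv4) found in a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, = struct.unpack("!H", frame[12:14])
    offset, pcp, vid = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    dscp = ecn = None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        tos = frame[offset + 1]           # DSCP occupies the top 6 bits, ECN the low 2
        dscp, ecn = tos >> 2, tos & 0x03
    return {"pcp": pcp, "vid": vid, "dscp": dscp, "ecn": ecn}


def dscp_to_pcp(dscp):
    """Assumed default DSCP-to-802.1p mapping: the top three bits of the DSCP (its class
    selector) become the PCP, which reproduces the grouping in the text:
    CS7/CS6 -> 7/6 (network control), EF -> 5, AF3x -> 3, AF2x -> 2, AF1x -> 1, BE -> 0."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp >> 3


def service_class(pcp):
    """Service class the text associates with each pair of 802.1p values."""
    classes = ("best effort", "best effort", "assured forwarding", "assured forwarding",
               "expedited forwarding", "expedited forwarding",
               "network control", "network control")
    return classes[pcp]


def effective_pcp(frame):
    """Priority a switch would use for a frame: the 802.1p tag when present, otherwise the
    value mapped from the DSCP, otherwise best effort (0)."""
    marks = parse_frame(frame)
    if marks["pcp"] is not None:
        return marks["pcp"]
    return dscp_to_pcp(marks["dscp"]) if marks["dscp"] is not None else 0
```

Feeding `build_frame(DSCP_EF, pcp=5, vid=100)` to `parse_frame` returns PCP 5, VLAN 100 and DSCP 46; an untagged AF31 frame has no PCP, and `effective_pcp` derives 3 for it from the DSCP, which is what a switch applying the vendor mapping described above would do.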
Traffic Shaping
Quality of Service (QoS) is distinct from Class of Service (CoS). CoS mechanisms such
as DiffServ and 802.1p just categorize protocols into groups that require different
service levels and provide a tagging mechanism to identify a frame or packet’s class.
QoS allows fine-grained control over traffic parameters. For example, if a network
link is congested, there is nothing that DiffServ and 802.1p can do about it, but a
protocol such as Multiprotocol Label Switching (MPLS) with QoS functionality can
reserve the required bandwidth and pre-determine statistics such as acceptable
packet loss and maximum latency and jitter when setting up the link.
In terms of QoS, network functions are commonly divided into three planes:
• Control plane—makes decisions about how traffic should be prioritized and
where it should be switched.
Protocols, appliances, and software that can apply these three functions can be
described as traffic shapers or bandwidth shapers. Traffic shapers delay certain
packet types—based on their content—to ensure that other packets have a higher
priority. This can help to ensure that latency is reduced for critical applications.
Simpler devices, performing traffic policing, do not offer the enhanced traffic
management functions of a shaper. For example, typical traffic policing devices will
simply fail to deliver packets once the configured traffic threshold has been reached
(this is often referred to as tail drop). Consequently, there will be times when
packets are being lost, while other times when the network is relatively idle, and the
bandwidth is being under-utilized. A traffic shaper will store packets until there is
free bandwidth available. Hopefully, this leads to consistent usage of the bandwidth
and few lost packets.
It is essential that the selected device is capable of handling high traffic volumes. As
these devices have a limited buffer, there will be situations when the buffer overflows.
Devices can either drop packets and in essence provide traffic policing, or else they
must implement a dropping algorithm. Random Early Detection (RED) is one of several
algorithms that can be implemented to help manage traffic overflow on the shaper.
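The difference between policing and shaping is easiest to see on the same burst of traffic. The following simulation is an added example, not from the course guide: a token bucket admits a fixed number of packets per tick; the policer discards everything over the limit (tail drop), while the shaper queues the excess in a finite buffer and releases it when bandwidth is free, losing packets only when that buffer overflows. The arrival pattern, rate and buffer sizes are constructed values.

```python
"""Traffic policing versus traffic shaping, both driven by a token bucket. Added example,
not course code; the bursty arrival pattern below is constructed. The policer discards
every packet that exceeds the configured rate (tail drop); the shaper holds excess
packets in a finite buffer and releases them when bandwidth is free, losing packets
only when that buffer overflows."""
from collections import deque

# Constructed workload, in packets per tick: an idle link, then a 30-packet burst (a large
# file transfer), then idle again. The link can carry RATE packets per tick.
ARRIVALS = [0, 0, 10, 10, 10, 0, 0, 0, 0, 0]
RATE, BURST = 3, 3


def police(arrivals, rate=RATE, burst=BURST):
    """Return (packets sent per tick, packets dropped). Each tick adds `rate` tokens up to
    `burst`; a packet that finds no token is discarded at once."""
    tokens, sent, dropped = burst, [], 0
    for n in arrivals:
        tokens = min(burst, tokens + rate)
        admitted = min(n, tokens)
        tokens -= admitted
        sent.append(admitted)
        dropped += n - admitted
    return sent, dropped


def shape(arrivals, rate=RATE, burst=BURST, buffer_size=12):
    """Return (packets sent per tick, packets dropped, peak queue length). Excess packets
    wait in a FIFO of `buffer_size` slots; arrivals that find the buffer full are dropped."""
    tokens, queue = burst, deque()
    sent, dropped, peak = [], 0, 0
    for n in arrivals:
        tokens = min(burst, tokens + rate)
        for _ in range(n):
            if len(queue) < buffer_size:
                queue.append(1)
            else:
                dropped += 1            # buffer overflow: the shaper degrades to policing
        peak = max(peak, len(queue))
        released = 0
        while queue and tokens:
            queue.popleft()
            tokens -= 1
            released += 1
        sent.append(released)
    return sent, dropped, peak


def peak_to_mean(sent):
    """Burstiness of the output: 1.0 means perfectly steady use of the link."""
    return max(sent) / (sum(sent) / len(sent))


def compare(arrivals=ARRIVALS, buffer_size=12):
    """Summarise delivered and lost packets for both mechanisms on the same workload."""
    p_sent, p_dropped = police(arrivals)
    s_sent, s_dropped, s_peak = shape(arrivals, buffer_size=buffer_size)
    return {"policer": {"delivered": sum(p_sent), "dropped": p_dropped},
            "shaper": {"delivered": sum(s_sent), "dropped": s_dropped, "peak_queue": s_peak}}
```

On this workload the policer delivers 9 of 30 packets and drops 21, the shaper with a 12-slot buffer delivers 18 and drops 12, and a 30-slot buffer delivers 24 with no loss at the cost of a 24-packet queue (that is, added delay). The trade-off the text describes is exactly this: buffer depth buys fewer drops with more latency, and when the buffer fills the shaper behaves like a policer.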
Throughput Testers
One fairly simple way to measure network throughput is to transfer a large file
between two appropriate hosts. Appropriate in this sense means hosts on a suitable
subnet that are representative of the servers and workstations you want to measure.
It is also important to choose a representative time. There is not much point in
measuring the throughput when the network is carrying no other traffic.
To determine your network throughput using this method, simply divide the file size
by the amount of time taken to copy the file. For example, if you transfer a 1 GB file
in half an hour, the throughput can be calculated as follows:
• 1 gigabyte is 1024³ bytes (1,073,741,824 bytes or 8,589,934,592 bits).
• 8,589,934,592 bits in 1,800 seconds is 4,772,186 bits per second or 4.55 Mbps
(dividing by 1,048,576 bits per binary megabit).
This method derives a value that is different from the nominal data rate. Because
two hosts are transferring the files between one another, it is the Application layers
that handle the file transfer. The intervening layers on both hosts add complexity
(headers) and introduce inaccuracy, such as corrupt frames that have to be
retransmitted.
Several software utilities, such as iperf (iperf.fr), Ttcp (linux.die.net/man/1/ttcp), and
bwping (bwping.sourceforge.io), can be used to measure network throughput. An
instance of the tool is configured on two network hosts and the tools measure the
throughput achieved between the sender and the listener.
Top Talkers/Listeners
Top talkers are interfaces generating the most outgoing traffic (in terms of
bandwidth), while top listeners are the interfaces receiving the most incoming
traffic. Identifying these hosts and the routes they are using is useful in identifying
and eliminating performance bottlenecks. Most network analyzer software comes
with filters or built-in reporting to identify top talkers or top listeners.
The Endpoints report in Wireshark can be used to identify top talkers and top listeners.
(Screenshot courtesy of Wireshark.)
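The same ranking can be produced from flow metadata rather than from a full packet capture. The following is an added example, not course code or a Wireshark feature: it reads constructed per-flow records of the kind a flow exporter reports (source, destination, ports, protocol, byte and packet counts) and ranks top talkers, top listeners and the busiest conversations by bytes. All addresses and counts are constructed sample data.

```python
"""Top talkers and top listeners computed from flow metadata (the per-flow byte and packet
counts a flow exporter would report) rather than from captured payloads. Added example,
not course code or a Wireshark feature; the flow records below are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed flow export: one row per unidirectional flow. 10.0.1.15 is copying a large
# file to the file server 10.0.2.8 (TCP 445) while 10.0.1.22 and 10.0.3.9 hold a VoIP call,
# and 10.0.1.40 is downloading from an Internet web server.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
10.0.1.15,51234,10.0.2.8,445,6,900000000,600000
10.0.1.15,51240,10.0.2.8,445,6,350000000,230000
10.0.2.8,445,10.0.1.15,51234,6,120000,2000
10.0.1.22,5060,10.0.3.9,5060,17,480000,4000
10.0.3.9,5060,10.0.1.22,5060,17,470000,3900
10.0.1.40,49222,203.0.113.10,443,6,2500000,3000
203.0.113.10,443,10.0.1.40,49222,6,48000000,40000
"""


def parse_flows(text):
    """Turn the CSV export into a list of flow dicts with numeric counters."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({"src": row["src_ip"], "sport": int(row["src_port"]),
                      "dst": row["dst_ip"], "dport": int(row["dst_port"]),
                      "proto": int(row["proto"]),
                      "bytes": int(row["bytes"]), "packets": int(row["packets"])})
    return flows


def top_talkers(flows, n=3):
    """Hosts ranked by bytes sent."""
    sent = Counter()
    for f in flows:
        sent[f["src"]] += f["bytes"]
    return sent.most_common(n)


def top_listeners(flows, n=3):
    """Hosts ranked by bytes received."""
    received = Counter()
    for f in flows:
        received[f["dst"]] += f["bytes"]
    return received.most_common(n)


def top_conversations(flows, n=3):
    """Host pairs ranked by bytes in both directions; pairs are order-independent."""
    pairs = Counter()
    for f in flows:
        pairs[tuple(sorted((f["src"], f["dst"])))] += f["bytes"]
    return pairs.most_common(n)


def share_of_total(flows, ip):
    """Fraction of all exported bytes that `ip` sent; a quick bottleneck indicator."""
    total = sum(f["bytes"] for f in flows)
    return sum(f["bytes"] for f in flows if f["src"] == ip) / total
```

Here the file copy dominates: 10.0.1.15 is the top talker and 10.0.2.8 the top listener, and the pair between them accounts for over 90 percent of the bytes, which is the kind of finding that points at the link or host to investigate. The small, symmetric VoIP flows barely register by volume, which is why byte-based rankings should be read alongside the latency and jitter measures discussed earlier.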
NetFlow
A packet analyzer can be used to measure network traffic statistics but trying to
record each frame imposes a heavy processing overhead on the network tap or
mirror port. Collecting just the packet metadata, rather than the whole packet
payload, reduces the bandwidth required by the sniffer. Technologies such as
Cisco’s NetFlow (cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.
html) gather traffic metadata only and report it to a structured database. These
technologies can also use sampling to further reduce processing demands. NetFlow
has been redeveloped as the IP Flow Information Export (IPFIX) IETF standard (tools.
ietf.org/html/rfc7011).
Using NetFlow involves deploying three types of components:
• Error rate—The number of packets per second that cause errors. Errors may
occur as a result of interference or poor link quality causing data corruption
in frames. In general terms, error rates should be under 1 percent; high error
rates may indicate a driver problem, if a network media problem can be
ruled out.
Some vendors may use the term discard for frames that are rejected because of errors
or security policies and drop for frames that are lost due to high load, but often the
terms are used interchangeably.
Encapsulation Errors
Encapsulation is the frame format expected on the interface. Encapsulation errors
will prevent transmission and reception. If you check the interface status, the
physical link will be listed as up, but the line protocol will be listed as down. This
type of error can arise in several circumstances:
• Ethernet frame type—Ethernet can use a variety of frame types. The most
common is Ethernet II, but if a host is configured to use a different type, such as
SNAP, then errors will be reported on the link.
An Ethernet frame that is slightly larger (up to 1600 bytes) is often referred to as a baby
giant.
• Jumbo frames—A host might be configured to use jumbo frames, but the
switch interface is not configured to receive them. This type of issue often occurs
when configuring storage area networks (SANs) or links between SANs and data
networks.
Review Activity:
Ensure Network Availability with Performance Metrics
Answer the following questions:
Lesson 12
Summary
You should use remote management interfaces and appropriate statistics and
sensors to ensure network availability.
• Set up filters to alert and notify administrators when key thresholds are
exceeded or when hosts fail heartbeat tests.
• Set up a process for responding to alerts, making use of secure remote access
tools such as SSH to manage configurations effectively.
• Set up a process for reviewing logs and diagnosing trends. Use this analysis
to plan deployment of traffic marking (DiffServ/802.1p) and traffic shaping/
bandwidth management solutions.
Lesson 13
Explaining Common Security Concepts
LESSON INTRODUCTION
You have identified the basic components and concepts for deploying and monitoring a
network, but a network implementation is not complete without security mechanisms.
In this lesson, you will describe basic concepts related to network security. As
a networking professional, it is part of your responsibility to understand these
fundamental concepts so that you can support network security controls.
Lesson Objectives
In this lesson, you will:
• Explain common security concepts.
Topic 13A
Explain Common Security Concepts
In this topic, you will describe basic concepts related to network security
assessments. It’s important to have a solid foundation and awareness of the
industry terminology used when you are discussing network security.
Security Concepts
Establishing computer and network security means developing processes and
controls that protect data assets and ensure business continuity by making network
systems and hosts resilient to different kinds of attack.
• Integrity means that the data is stored and transferred as intended and that any
modification is authorized.
Posture Assessment
There are many different ways of thinking about how IT services should be
governed to fulfill overall business needs. Some organizations have developed
IT service frameworks to provide best practice guides to implementing IT and
cybersecurity. These frameworks can shape company policies and provide
checklists of procedures, activities, and technologies that should ideally be in place.
Collectively, these procedures, activities, and tools can be referred to as security
controls. A security control is something designed to give a system or data asset the
properties of confidentiality, integrity, availability, and non-repudiation.
In theory, security controls or countermeasures could be introduced to address
every risk factor. The difficulty is that security controls can be expensive, so you
must balance the cost of the control with the cost associated with the risk. It is not
possible to eliminate risk; rather, the aim is to mitigate risk factors to the point
where the organization is exposed only to a level of risk that it can afford. The
overall status of risk management is referred to as risk posture. Risk posture shows
which risk response options can be identified and prioritized. Posture assessment
is often performed with reference to an IT or security framework. The framework
can be used to assess the organization’s maturity level in its use of security policies
and controls.
Process Assessment
Mitigating risk can involve a large amount of expenditure so it is important to
focus efforts. Effective risk management must focus on mission essential functions
that could cause the whole business to fail if they are not performed. Part of this
process involves identifying critical systems and assets that support these functions.
A mission essential function (MEF) is one that cannot be deferred. This means
that the organization must be able to perform the function as close to continually as
possible, and if there is any service disruption, the mission essential functions must
be restored first.
Business impact analysis (BIA) is the process of assessing what losses might
occur for a range of threat scenarios. For instance, if a denial of service (DoS)
attack suspends an e-commerce portal for five hours, the business impact analysis
will be able to quantify the losses from orders not made and customers moving
permanently to other suppliers based on historic data. The likelihood of a DoS attack
can be assessed on an annualized basis to determine annualized impact, in terms of
costs. You then have the information required to assess whether a security control,
such as load balancing or managed attack mitigation, is worth the investment.
Where BIA identifies risks, business continuity planning (BCP) identifies controls and
processes that enable an organization to maintain critical workflows in the face of
some adverse event.
The term zero-day is usually applied to the vulnerability itself but can also refer to an
attack or malware that exploits it.
OS and application patches; a legacy system is one where the software vendor no
longer provides support or fixes for problems.
This issue does not just affect PCs. Network appliances can also be vulnerable to
exploits. The risks to embedded systems have become more obvious over the last few
years, and the risks posed by unpatched mobile devices and the Internet of Things are
likely to grow.
Vulnerability Assessment
A vulnerability assessment is an evaluation of a system’s security and ability to
meet compliance requirements based on the configuration state of the system.
Essentially, the vulnerability assessment determines if the current configuration
matches the ideal configuration (the baseline). Vulnerability assessments might
involve manual inspection of security controls but are more often accomplished
through automated vulnerability scanners.
Example of a CVE.
Threat Research
Threat research is a counterintelligence gathering effort in which security
companies and researchers attempt to discover the tactics, techniques, and
procedures (TTPs) of threat actors.
The outputs from the primary research undertaken by security solutions providers
and academics can take three main forms:
• Behavioral threat research—narrative commentary describing examples of
attacks and TTPs gathered through primary research sources.
OSSIM SIEM dashboard. Configurable dashboards provide the high-level status view of network
security metrics. (Screenshot used with permission from AT&T Cybersecurity.)
Penetration Testing
Where vulnerability testing uses mostly automated scanning tools and is a largely
passive, or non-intrusive assessment activity, penetration testing aims to model
how exposed the organization is to vulnerabilities that could be exploited by threat
actors.
A penetration test—often shortened to pen test—uses authorized hacking
techniques to discover exploitable weaknesses in the target’s security systems.
Pen testing is also referred to as ethical hacking.
The key difference from passive vulnerability scanning is that an attempt is made to
actively test security controls and exploit any vulnerabilities discovered. Pen testing
is an intrusive assessment technique. For example, a vulnerability scan may reveal
that an SQL Server has not been patched to safeguard against a known exploit. A
penetration test would attempt to use the exploit to perform code injection and
compromise the server. This provides active testing of security controls. Even though
the potential for the exploit exists, in practice the permissions on the server might
prevent an attacker from using it. This would not be identified by a vulnerability scan
but should be proven or not proven to be the case by penetration testing.
Some other general principles of PAM include least privilege, role-based access, and
zero trust:
• Least privilege means that a user is granted sufficient rights to perform his or
her job and no more. This mitigates risk if the account should be compromised
and fall under the control of a threat actor. Authorization creep refers to a
situation where a user acquires more and more rights, either directly or by being
added to security groups and roles. Least privilege should be ensured by closely
analyzing business workflows to assess what privileges are required and by
performing regular account audits.
• Role-based access means that a set of organizational roles are defined, and
subjects allocated to those roles. Under this system, the right to modify roles is
reserved to a system owner. Therefore, the system is nondiscretionary, as each
subject account has no right to modify the ACL of a resource, even though they
may be able to change the resource in other ways. Users are said to gain rights
implicitly (through being assigned to a role) rather than explicitly (being assigned
the right directly).
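The two principles above can be expressed directly in code. The following is an added example, not from the course guide: a small nondiscretionary RBAC system in which only the system owner may define roles or change who holds them, subjects gain rights implicitly through role membership, and an audit compares each subject's roles with those its job function requires to surface authorization creep. The roles, subjects and job functions are constructed.

```python
"""Role-based access with least privilege, as described above: roles are defined and
assigned only by the system owner (nondiscretionary), subjects gain rights implicitly
through role membership, and a periodic audit reports authorization creep. Added example,
not course code; the roles, subjects and job functions are constructed."""


class AccessDenied(Exception):
    """Raised when a subject attempts an administrative action it is not entitled to."""


class RBAC:
    def __init__(self, system_owner):
        self.system_owner = system_owner
        self.roles = {}        # role name -> set of (resource, action)
        self.members = {}      # subject -> set of role names

    def _owner_only(self, actor):
        if actor != self.system_owner:
            raise AccessDenied(f"{actor} may not modify roles or role membership")

    def define_role(self, actor, role, permissions):
        self._owner_only(actor)
        self.roles[role] = set(permissions)

    def assign(self, actor, subject, role):
        self._owner_only(actor)
        if role not in self.roles:
            raise KeyError(f"undefined role {role}")
        self.members.setdefault(subject, set()).add(role)

    def revoke(self, actor, subject, role):
        self._owner_only(actor)
        self.members.get(subject, set()).discard(role)

    def permissions(self, subject):
        """Effective rights: the union of every role the subject holds (implicit grant)."""
        return set().union(*(self.roles[r] for r in self.members.get(subject, ())))

    def is_permitted(self, subject, resource, action):
        return (resource, action) in self.permissions(subject)


def audit_authorization_creep(rbac, required_roles):
    """Compare each subject's roles with the roles its job function needs (the result of
    analysing business workflows) and report any surplus, i.e. authorization creep."""
    creep = {}
    for subject, roles in rbac.members.items():
        surplus = roles - required_roles.get(subject, set())
        if surplus:
            creep[subject] = surplus
    return creep


def demo():
    """Constructed scenario: alice keeps a role she only needed for a one-off task."""
    rbac = RBAC(system_owner="secadmin")
    rbac.define_role("secadmin", "helpdesk",
                     {("tickets", "read"), ("tickets", "update"), ("users", "reset-password")})
    rbac.define_role("secadmin", "hr-records", {("personnel", "read"), ("personnel", "update")})
    rbac.define_role("secadmin", "backup-operator", {("fileserver", "read"), ("backup-jobs", "run")})
    rbac.assign("secadmin", "alice", "helpdesk")
    rbac.assign("secadmin", "bob", "hr-records")
    # Months later alice is added to a second role for a one-off task and never removed.
    rbac.assign("secadmin", "alice", "backup-operator")
    required = {"alice": {"helpdesk"}, "bob": {"hr-records"}}
    return rbac, audit_authorization_creep(rbac, required)
```

The audit reports `{"alice": {"backup-operator"}}`; once the system owner revokes that role the report is empty and alice loses read access to the file server. A subject trying to define a role for itself raises `AccessDenied`, which is the nondiscretionary property the text describes.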
Vendor Assessment
High-profile breaches have led to a greater appreciation of the importance of the
supply chain in vulnerability management. A product, or even a service, may have
components created and maintained by a long chain of different companies. Each
company in the chain depends on its suppliers or vendors performing due diligence
on their vendors. A weak link in the chain could cause impacts on service availability
and performance, or in the worst cases lead to data breaches.
Vendor management is a process for selecting supplier companies and evaluating
the risks inherent in relying on a third-party product or service. When it comes
to data and cybersecurity, you must understand that risks cannot be wholly
transferred to the vendor. If a data storage vendor suffers a data breach, you may
be able to claim costs from them, but your company will still be held liable in terms
of legal penalties and damage to reputation. If your webstore suffers frequent
outages because of failures at a hosting provider, it is your company’s reputation
that will suffer and your company that will lose orders because customers look
elsewhere.
A vendor may supply documentation and certification to prove that it has
implemented a security policy robustly. You might be able to see evidence of
security capabilities, such as a history of effective vulnerability management and
product support. Larger companies will usually ask vendors to complete a detailed
audit process to ensure that they meet the required standards.
Review Activity:
Common Security Concepts
Topic 13B
Explain Authentication Methods
Password credentials are stored as cryptographic hashes (such as the Hash.Target value shown
in the screenshot) that cannot normally be converted back to plaintext strings. The hashcat utility
attempts to recover passwords by matching hashes through dictionary or brute force methods.
Windows Authentication
Windows authentication involves a complex architecture of components (docs.
microsoft.com/en-us/windows-server/security/windows-authentication/credentials-
processes-in-windows-authentication), but the following three scenarios are typical:
• Windows local sign-in—the Local Security Authority (LSA) compares the
submitted credential to a hash stored in the Security Accounts Manager (SAM)
database, which is part of the registry. This is also referred to as interactive
logon.
• Windows network sign-in—the LSA can pass the credentials for authentication
to a network service. The preferred system for network authentication is based
on Kerberos, but legacy network applications might use NT LAN Manager (NTLM)
authentication.
• Remote sign-in—if the user’s device is not connected to the local network,
authentication can take place over some type of virtual private network (VPN) or
web portal.
Linux Authentication
In Linux, local user account names are stored in /etc/passwd. When a user logs in
to a local interactive shell, the password is checked against a hash stored in /etc/
shadow. Interactive login over a network is typically accomplished using Secure
Shell (SSH). With SSH, the user can be authenticated using cryptographic keys
instead of a password.
A pluggable authentication module (PAM) is a package for enabling different
authentication providers, such as smart card login (tecmint.com/configure-pam-
in-centos-ubuntu-linux). The PAM framework can also be used to implement
authentication to network servers.
Single Sign-On
A single sign-on (SSO) system allows the user to authenticate once to a local
device and be authorized to access compatible application servers without
having to enter credentials again. In Windows, SSO is provided by the Kerberos
framework.
Kerberos
Kerberos provides SSO authentication to Active Directory®, as well as compatibility
with other, non-Windows operating systems. Kerberos was named after the
three-headed guard dog of Hades (Cerberus) because it consists of three parts.
Clients request services from a server, which both rely on an intermediary—a Key
Distribution Center (KDC)—to vouch for their identity.
There are two services that make up a KDC: the Authentication Service and the
Ticket Granting Service.
The Authentication Service is responsible for authenticating user logon requests.
More generally, users and services can be authenticated; these are collectively
referred to as principals. For example, when you sit at a Windows domain
workstation and log on to the domain (Kerberos documentation refers to realms
rather than domains, which is Microsoft’s terminology), the first step of logon is to
authenticate with a KDC server (implemented as a domain controller).
When authenticated, the KDC server presents the user with a Ticket Granting Ticket.
To access resources within the domain, the client requests a Service Ticket (a token
that grants access to a target application server) by supplying the Ticket Granting
Ticket to the Ticket Granting Service (TGS).
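The three exchanges described above can be followed message by message in a simplified model. The following is an added example, not course code and not an implementation of the real protocol: the KDC runs the Authentication Service and the Ticket Granting Service, the client obtains a Ticket Granting Ticket, exchanges it for a Service Ticket, and presents that ticket with an authenticator to a file service. The `seal`/`unseal` functions are a toy keystream-plus-HMAC construction standing in for the AES encryption types real Kerberos uses; the realm `EXAMPLE.LOCAL`, the principals, the password and the ticket lifetimes are constructed.

```python
"""Model of the Kerberos exchange described above: the Authentication Service issues a
Ticket Granting Ticket, the Ticket Granting Service issues a Service Ticket, and the
client presents that ticket with an authenticator to the application server. Added
example, not course code. seal()/unseal() are a toy keystream-plus-HMAC construction
standing in for the AES encryption types real Kerberos uses; realm, principal names,
passwords and lifetimes are constructed."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-serialisable dict under a symmetric key."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key, blob):
    """Inverse of seal(); a wrong key or an altered ticket fails the integrity check."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password, principal, realm):
    """Long-term key derived from the password, salted with realm and principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)


class KDC:
    """Key Distribution Center: holds every principal's long-term key and runs both the
    Authentication Service (AS) and the Ticket Granting Service (TGS)."""
    def __init__(self, realm, lifetime=300):
        self.realm, self.lifetime = realm, lifetime
        self.principals = {}            # principal name -> long-term key (users and services)
        self.tgs_key = os.urandom(32)   # key of the krbtgt principal, never leaves the KDC

    def register(self, principal, key):
        self.principals[principal] = key

    def authentication_service(self, principal, preauth):
        """AS exchange: a timestamp sealed under the user's key proves the password;
        returns (part sealed for the user, TGT sealed for the TGS)."""
        key = self.principals[principal]
        if abs(time.time() - unseal(key, preauth)["timestamp"]) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "session": session,
                                  "expires": time.time() + self.lifetime})
        return seal(key, {"session": session, "tgs": "krbtgt/" + self.realm}), tgt

    def ticket_granting_service(self, tgt, authenticator, service):
        """TGS exchange: validate the TGT and authenticator, then issue a Service Ticket;
        returns (part sealed under the TGT session key, ticket sealed for the service)."""
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        s1 = bytes.fromhex(t["session"])
        if unseal(s1, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        s2 = os.urandom(32).hex()
        ticket = seal(self.principals[service], {"client": t["client"], "session": s2,
                                                 "expires": time.time() + self.lifetime})
        return seal(s1, {"session": s2, "service": service}), ticket


class Service:
    """Application server; it shares only its own long-term key with the KDC."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if time.time() > t["expires"]:
            raise ValueError("service ticket expired")
        if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return t["client"]              # authenticated principal


def logon_and_access(kdc, principal, password, service):
    """Client side of all three exchanges; returns the name the service authenticated."""
    key = user_key(password, principal, kdc.realm)
    enc, tgt = kdc.authentication_service(principal, seal(key, {"timestamp": time.time()}))
    s1 = bytes.fromhex(unseal(key, enc)["session"])
    enc, ticket = kdc.ticket_granting_service(
        tgt, seal(s1, {"client": principal, "timestamp": time.time()}), service.name)
    s2 = bytes.fromhex(unseal(s1, enc)["session"])
    return service.accept(ticket, seal(s2, {"client": principal, "timestamp": time.time()}))


def demo(password="correct horse"):
    """Constructed realm with one user and one file service; the right password yields
    'alice', a wrong one raises ValueError at the AS pre-authentication step."""
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.register("alice", user_key("correct horse", "alice", kdc.realm))
    svc_key = os.urandom(32)
    kdc.register("cifs/fileserver", svc_key)
    return logon_and_access(kdc, "alice", password, Service("cifs/fileserver", svc_key))
```

Two properties of the design are visible in the code: the password never crosses the network (only a timestamp sealed under the key derived from it), and the file service needs no knowledge of the user's key, because the ticket it receives is sealed under its own key by the KDC and carries the session key it shares with the client.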
As encryption using a public key is relatively slow, rather than encrypting the whole
message using a public key, the public key is more typically used to encrypt a symmetric
encryption key for use in a single session and to exchange it securely. The symmetric
session key is then used to encrypt the actual message. A symmetric key can perform
both encryption and decryption.
• When you want to authenticate yourself to others, you create a signature and
sign it by encrypting the signature with your private key. You give others your
public key to use to decrypt the signature. As only you know the private key,
everyone can be assured that only you could have created the signature.
The basic problem with public key cryptography lies in proving the identity of the
owner of a public key. The system is vulnerable to an on-path attack where a threat
actor substitutes your public key for their own. Public key infrastructure (PKI)
aims to prove that the owners of public keys are who they say they are. Under
PKI, anyone issuing public keys should obtain a digital certificate. The validity of
the certificate is guaranteed by a certificate authority (CA). A digital certificate
is essentially a wrapper for a subject’s (or end entity’s) public key. As well as the
public key, it contains information about the subject and the certificate’s issuer or
guarantor. The certificate is digitally signed to prove that it was issued to the subject
by a particular CA.
• When the user is connecting to the network over a public network via a virtual
private network (VPN).
With AAA, the NAS devices do not have to store any authentication credentials. They
forward this data between the AAA server and the supplicant.
Browsing objects in an Active Directory LDAP schema. (Screenshot used with permission
from Microsoft.)
The types of attributes, what information they contain, and the way object types are
defined through attributes (some of which may be required and some optional) is
described by the directory schema. For example, the distinguished name of a web
server operated by Widget in London might be:
CN=WIDGETWEB, OU=Marketing, O=Widget, L=London,
ST=London, C=UK, DC=widget, DC=example
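Distinguished names such as the one above are what directory-aware tools and access rules have to take apart. The following is an added example, not course code: it splits a DN into its relative DNs while honouring the optional space after each comma and the RFC 4514 backslash escapes, rebuilds a DN with correct escaping, extracts the DNS domain from the DC components and tests whether an entry lies under a base DN (useful for scoping access rules to an OU). Only backslash-character escapes are handled, not the `\XX` hex form; the DNs other than the one in the text are constructed.

```python
"""Distinguished name handling for the LDAP naming shown above: split a DN into its
relative DNs (RDNs), rebuild it with RFC 4514 escaping, extract the DNS domain from the
DC components and test whether an entry lies under a base DN. Added example, not course
code; the sample DNs other than the one in the text are constructed. Only backslash-
character escapes are handled (the hex form is not)."""

SPECIAL = ',+"\\<>;'   # characters that must be escaped inside an RDN value


def parse_dn(dn):
    """Return [(attribute, value), ...] from most specific to least specific, accepting the
    optional space after each comma and honouring backslash escapes inside values."""
    rdns, buf, attr, in_value, escaped = [], "", "", False, False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            attr, buf, in_value = buf.strip(), "", True
        elif ch == "," and in_value:
            rdns.append((attr, buf))
            buf, in_value = "", False
        else:
            buf += ch
    if escaped or not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, buf))
    return rdns


def escape_value(value):
    """Escape special characters, a leading '#' or space, and a trailing space."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def format_dn(rdns):
    """Serialise RDN pairs back into DN syntax with proper escaping."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def domain_from_dn(dn):
    """Join the DC components into a DNS name, e.g. DC=widget,DC=example -> widget.example."""
    return ".".join(value for attr, value in parse_dn(dn) if attr.upper() == "DC")


def is_under(dn, base):
    """True when `dn` is `base` itself or an entry beneath it. Compares attribute types
    and values case-insensitively, a simplification of LDAP matching rules."""
    d = [(a.lower(), v.lower()) for a, v in parse_dn(dn)]
    b = [(a.lower(), v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

Parsing the text's DN yields eight RDNs, with `CN=WIDGETWEB` first and the two `DC` components last, from which `domain_from_dn` recovers `widget.example`. A value containing a comma, such as `CN=Smith\, John`, must be escaped or the parser (like a directory server) would read it as two RDNs.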
LDAP Secure
Like many TCP/IP protocols, LDAP provides no security, and all transmissions are
in plaintext, making it vulnerable to sniffing and spoofing attacks. Also, a server
that does not require clients to authenticate is vulnerable to overloading by denial
of service attacks. Authentication, referred to as binding to the server, can be
implemented in the following ways:
• No authentication—Anonymous access is granted to the directory.
• Simple bind—the client must supply its distinguished name (DN) and password,
but these are passed as plaintext.
Review Activity:
Authentication Methods
Answer the following questions:
1. What element is missing from the following list and what is its purpose?
• Identification
• Authentication
• Accounting
Lesson 13
Summary
• Overall risk and posture assessment for mission essential functions (MEF)
to produce business impact analysis, business continuity plans, and security
policies, such as privileged access management and vendor assessment.
Lesson 14
Supporting and Troubleshooting
Secure Networks
LESSON INTRODUCTION
Each day, the number and complexity of threats against systems integrity and
data security increases. In response, there are more and more security controls
available to automate the detection and prevention of these threats. Because you
are a networking professional, your organization and users will be looking to you
to deploy these security appliances, without compromising network availability and
performance.
Lesson Objectives
In this lesson, you will:
• Compare and contrast security appliances.
Topic 14A
Compare and Contrast Security
Appliances
Screened Subnets
To configure a perimeter network, two different security configurations must be
enabled: one on the external interface and one on the internal interface.
A screened subnet uses two firewalls placed on either side of the perimeter
network zone. The edge firewall restricts traffic on the external/public interface and
allows permitted traffic to the hosts in the perimeter zone subnet. The edge firewall
can be referred to as the screening firewall or router. The internal firewall filters
communications between hosts in the perimeter and hosts on the LAN. This firewall
is often described as the choke firewall. A choke point is a purposefully narrow
gateway that facilitates better access control and easier monitoring.
The screened subnet topology was formerly referred to as a demilitarized zone (DMZ).
The DMZ terminology is now deprecated.
ACLs might be designed to control only inbound traffic or both inbound and
outbound traffic. This is also often referred to as “ingress” and “egress” traffic or
filtering. Controlling outbound traffic is useful because it can block applications
that have not been authorized to run on the network and defeat malware, such as
backdoors. Ingress and egress traffic is filtered using separate ACLs.
A packet filtering firewall is stateless. This means that it does not preserve
information about the connection between two hosts. Each packet is analyzed
independently with no record of previously processed packets. This type of filtering
requires the least processing effort, but it can be vulnerable to attacks that are
spread over a sequence of packets. A stateless firewall can also introduce problems
in traffic flow, especially when some sort of load balancing is being used or when
clients or servers need to make use of dynamically assigned ports.
State table in the OPNsense firewall appliance. (Screenshot used with permission from OPNsense.)
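The weakness of per-packet filtering described above shows up as soon as return traffic has to be allowed. The following is an added example, not course code or an OPNsense feature: both filters use the same ingress and egress ACLs (first match wins, implicit deny), but the stateful filter also records permitted outbound connections in a state table and admits their replies without an ingress rule. The stateless design has to open the return path by hand, and that rule also admits a packet that is not a reply to anything. Addresses, ports and packets are constructed.

```python
"""Stateless versus stateful packet filtering, as described above. Both filters use the
same ingress/egress ACLs (first match wins, implicit deny); the stateful filter also keeps
a state table so replies to permitted outbound connections are admitted without an
ingress rule. Added example, not course code or an OPNsense feature; the addresses,
ports and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = LAN towards the Internet, "in" = the reverse
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None     # None matches any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def evaluate(acl, p):
    """Walk the ACL top down; the first matching rule decides, otherwise deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action == "permit"
    return False


class StatelessFilter:
    """Every packet is judged on its own against the ACL for its direction."""
    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress

    def permit(self, p):
        return evaluate(self.ingress if p.direction == "in" else self.egress, p)


class StatefulFilter:
    """Permitted outbound connections are recorded; inbound packets that reverse a
    recorded 5-tuple are admitted as replies, everything else faces the ingress ACL."""
    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self.state = set()      # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def permit(self, p):
        if p.direction == "out":
            allowed = evaluate(self.egress, p)
            if allowed:
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return allowed
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        return evaluate(self.ingress, p)


LAN = "10.0.0.0/24"
EGRESS = [Rule("permit", "tcp", src=LAN, dport=443)]          # LAN hosts may reach HTTPS servers
# A stateless design must open the return path by hand: anything from TCP port 443 to the LAN.
STATELESS_INGRESS = [Rule("permit", "tcp", sport=443, dst=LAN)]
STATEFUL_INGRESS = []                                           # nothing unsolicited from outside


def run_scenario():
    """Constructed traffic: an HTTPS request, its genuine reply, and an unsolicited inbound
    packet that merely happens to come from port 443."""
    request = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.7", 443)
    reply = Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 51000)
    unsolicited = Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.5", 3389)
    results = {}
    for name, fw in (("stateless", StatelessFilter(STATELESS_INGRESS, EGRESS)),
                     ("stateful", StatefulFilter(STATEFUL_INGRESS, EGRESS))):
        results[name] = {"request": fw.permit(request),
                         "reply": fw.permit(reply),
                         "unsolicited": fw.permit(unsolicited)}
    return results
```

Both filters pass the request and the reply, but only the stateless filter also passes the unsolicited packet, because its return-path rule cannot tell a reply from any other packet sourced from port 443. The stateful filter admits the reply purely from its state table and leaves the ingress ACL empty, which is the behaviour the OPNsense state table shown above provides.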
Cisco ASA (Adaptive Security Appliance) ASDM (Adaptive Security Device Manager) interface.
(Image © and Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.)
A router firewall is similar, except that the functionality is built into the router firmware.
Most SOHO Internet router/modems have this type of firewall functionality, though
they are typically limited to supporting a single subnet within the home network. An
enterprise-class router firewall would be able to support far more sessions than a
SOHO one. Additionally, some Layer 3 switches can perform packet filtering.
Proxy Servers
The basic function of a network firewall is to inspect packets and determine
whether to block them or allow them to pass. By contrast, a proxy server forwards
requests and responses on behalf of its clients. Rather than inspecting traffic as
it passes through, the proxy deconstructs each packet, performs analysis, then
rebuilds the packet and forwards it on, providing it conforms to the rules. This type
of device is placed in a perimeter network.
Forward Proxies
A forwarding proxy server provides for protocol-specific outbound traffic. For
example, you might deploy a web proxy that enables client hosts to connect to
websites and secure websites on the Internet. A proxy server must understand the
application it is servicing. A web proxy must be able to parse and modify HTTP and
HTTPS commands (and potentially HTML, too). Some proxy servers are application-
specific; others are multipurpose. A multipurpose proxy is one configured with
filters for multiple protocol types, such as HTTP, FTP, and SMTP.
The main benefit of a proxy server is that clients connect to a specified point
within the perimeter network for web access. This provides for a degree of traffic
management and security. In addition, most web proxy servers provide caching
engines, whereby frequently requested web pages are retained on the proxy,
negating the need to refetch those pages for subsequent requests.
Configuring transparent proxy settings for the proxy server running on the OPNsense security
appliance. (Screenshot used with permission from OPNsense.)
Reverse Proxies
A reverse proxy server provides for protocol-specific inbound traffic. For security
purposes, it is inadvisable to place application servers, such as messaging and VoIP
servers, in the perimeter network, where they are directly exposed to the Internet.
Instead, you can deploy a reverse proxy and configure it to listen for client requests
from a public network (the Internet) and create the appropriate request to the
internal server on the corporate network.
Reverse proxies can publish applications from the corporate network to the Internet
in this way. In addition, some reverse proxy servers can handle the encryption/
decryption and authentication issues that arise when remote users attempt to
connect to corporate servers, reducing the overhead on those servers. Typical
applications for reverse proxy servers include publishing a web server, publishing
messaging or conferencing applications, and enabling POP/IMAP mail retrieval.
In a basic NAT static configuration, a simple 1:1 mapping is made between the
private (inside local) network address and the public (inside global) address. If
the destination network is using NAT, it is described as having outside global and
outside local addressing schemes.
Basic NAT is useful in scenarios where an inbound connection to a host must be
supported. For example, you might position a web server behind a firewall running
NAT. The firewall performs 1:1 address translation on the web server's IP address.
This means that external hosts do not know the true IP address of the web server,
but they can communicate with it successfully.
A single static mapping is not very useful in most scenarios. Under dynamic NAT,
the NAT device exposes a pool of public IP addresses. To support inbound and
outbound connections between the private network and the Internet, the NAT
service builds a table of public to private address mappings. Each new session
creates a new public-private address binding in the table. When the session is
ended or times out, the binding is released for use by another host.
Defining NAT rules in Cisco Adaptive Security Appliance (ASA). (Screenshot used with
permission from Cisco.)
PAT works by allocating each new connection an ephemeral TCP or UDP port. For
example, say two hosts (10.0.0.101 and 10.0.0.102) initiate a web connection at
the same time. The PAT service creates two new port mappings for these requests
(10.0.0.101:61101 and 10.0.0.102:61102) in its state table. It then substitutes the
private IP for the public IP and forwards the requests to the public Internet. It
performs a reverse mapping on any traffic returned using those ports, inserting the
original IP address and port number, and forwarding the packets to the internal
hosts.
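The binding table that the dynamic NAT and PAT paragraphs above describe can be modelled in a few dozen lines. The following Python class is an added illustration, not code from the CompTIA guide: the public address 203.0.113.5, the starting port 61101 and the 300-second idle timeout are constructed, while the two private hosts are the ones used in the text.

```python
"""Dynamic NAT/PAT binding table with ephemeral port allocation and timeouts.

Added illustration (not from the CompTIA guide). The public address, the
starting port and the idle timeout are constructed values; the private hosts
are the ones used in the text above.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]           # (IP address, TCP/UDP port)


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 61101,
                 last_port: int = 65535, idle_timeout: float = 300.0) -> None:
        self.public_ip = public_ip
        self.last_port = last_port
        self.idle_timeout = idle_timeout
        self._next_port = first_port
        self._released: List[int] = []                 # ports free for reuse
        # public port -> (private ip, private port, last-seen time)
        self.bindings: Dict[int, Tuple[str, int, float]] = {}
        self._port_of: Dict[Endpoint, int] = {}        # private endpoint -> public port

    def _allocate_port(self) -> int:
        if self._released:
            return self._released.pop(0)
        if self._next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def translate_outbound(self, private: Endpoint, now: float) -> Endpoint:
        """Substitute the public address and an ephemeral port for an inside endpoint.

        A new session gets a fresh binding; an existing one refreshes its timer.
        """
        port = self._port_of.get(private)
        if port is None:
            port = self._allocate_port()
            self._port_of[private] = port
        self.bindings[port] = (private[0], private[1], now)
        return (self.public_ip, port)

    def translate_inbound(self, public_port: int, now: float) -> Optional[Endpoint]:
        """Reverse-map returning traffic; None means no binding, so the packet is dropped."""
        entry = self.bindings.get(public_port)
        if entry is None:
            return None
        ip, port, _ = entry
        self.bindings[public_port] = (ip, port, now)
        return (ip, port)

    def expire(self, now: float) -> int:
        """Release bindings idle longer than the timeout so other hosts can reuse them."""
        stale = [p for p, (_, _, seen) in self.bindings.items()
                 if now - seen > self.idle_timeout]
        for p in stale:
            ip, port, _ = self.bindings.pop(p)
            del self._port_of[(ip, port)]
            self._released.append(p)
        return len(stale)


def demo() -> Tuple[Endpoint, Endpoint, Optional[Endpoint], int, Optional[Endpoint]]:
    pat = PatTable("203.0.113.5")                      # constructed public IP
    a = pat.translate_outbound(("10.0.0.101", 50001), now=0.0)
    b = pat.translate_outbound(("10.0.0.102", 50002), now=0.0)
    reply = pat.translate_inbound(a[1], now=1.0)       # server answer for host .101
    released = pat.expire(now=1000.0)                  # both sessions idle > 300 s
    late = pat.translate_inbound(a[1], now=1001.0)     # binding gone: dropped
    return a, b, reply, released, late


if __name__ == "__main__":
    print(demo())
```

The demo produces the two mappings from the text (61101 and 61102 on the public address), reverse-maps a reply for the first host, and then shows both bindings being released once they have been idle longer than the timeout, after which a late inbound packet has no binding and is dropped. A real NAT device also keys bindings on protocol and may have to deal with port collisions; those details are left out here.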
Defense in Depth
Firewalls, screened subnets, and proxy servers try to establish a secure barrier at
the network edge. This is referred to as perimeter security. The proliferation of
mobile devices with wireless or cellular data access and cloud services, plus the
better recognition of insider threat and vulnerabilities to malware, has eroded
confidence in a solely perimeter-based security model. Network security design
must address the concept of defense in depth. This refers to placing security
controls throughout the network, so that all access attempts are authenticated,
authorized, and audited. Some examples of security controls that provide defense
in depth additional to network segmentation and screened subnets include
Network Access Control, honeypots, separation of duties, and intrusion detection.
Honeypots
A honeypot is a computer system set up to attract attackers, with the intention of
analyzing attack strategies and tools, to provide early warning of attack attempts, or
possibly as a decoy to divert attention from actual computer systems. Another use
is to detect internal fraud, snooping, and malpractice. A honeynet is an entire decoy
network. This may be set up as an actual network or simulated using an emulator.
On a production network, a honeypot is more likely to be located in a protected
but untrusted area between the Internet and the private network or on a closely
monitored and filtered segment within the private network itself. This provides
early warning and evidence of whether a threat actor has been able to penetrate to
a given security zone.
Separation of Duties
Separation of duties is a means of establishing checks and balances against the
possibility that critical systems or procedures can be compromised by insider
threats. Duties and responsibilities should be divided among individuals to prevent
ethical conflicts or abuse of powers.
Network IDS/IPS can be combined with host-based IDS/IPS. These run as agents on
end systems to monitor application processes, data files, and log files for suspicious
activity. Advanced IDS/IPS suites analyze information from multiple sensors to identify
suspicious traffic flows and host activity.
Review Activity:
Security Appliances
Topic 14B
Troubleshoot Service and Security Issues
Issues at the application or services layer can be the most complex to diagnose
and troubleshoot. Both complex configuration options and security issues can
be factors in service-related problems. In this topic, you will work through some
common scenarios to identify typical symptoms and causes of problems with
network security and services.
DHCP Issues
The Dynamic Host Configuration Protocol (DHCP) provides IP addressing
autoconfiguration to hosts without static IP parameters. If a Windows client fails
to obtain a DHCP lease, it defaults to using an address in the Automatic Private IP
Addressing (APIPA) range of 169.254.0.0/16. It will be limited to communication
with other APIPA hosts on the same network segment (broadcast domain). Linux
hosts will use the 169.254.0.0/16 range if they have Zeroconf support, leave the
IP address set to 0.0.0.0, or disable IPv4 on the interface.
• The router between the client and DHCP server doesn't support BOOTP
forwarding. Either install RFC 1542-compliant routers or add another type of
DHCP relay agent to each subnet or VLAN.
If you reconfigure your DHCP servers and their scopes, the clients will gradually get
reconfigured. You will need to ensure that you plan for the fact that not all clients
IP configurations will be updated when the server scopes are edited and could be
left with an expired IP, default gateway, or DNS server address. You could do this by
lowering the lease duration in advance of changes, forcing all clients to renew, or
running parallel settings for a period.
3. Query DNS. A host uses the name servers defined in its IP configuration to
resolve queries.
Any text preceded by the # symbol in a HOSTS file is a comment and will not
be processed.
While we are focusing on name resolution via DNS here, note that a host can use
multiple methods, especially on Windows workgroup networks. Link Local Multicast
Name Resolution (LLMNR) and multicastDNS (mDNS) are modified forms of DNS that
allow clients to perform name resolution on a local link without needing a server.
If your hosts are experiencing DNS issues, symptoms will include the inability to
connect to a server by name, despite it being accessible by IP address. To verify a
name resolution problem, edit the HOSTS file and place the correct name and IP
address record in the file for the test host. When you ping, if that is successful, it
suggests a name resolution problem.
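Because the HOSTS file is consulted before DNS, it is worth knowing exactly how a resolver reads it: a # starts a comment (whole-line or inline), one address may carry several names, and the first entry for a name wins. The following Python parser is an added illustration, not code from the CompTIA guide; the file content is constructed to exercise each of those cases.

```python
r"""Parse a HOSTS file the way a resolver reads it: '#' starts a comment,
whole-line or inline, and the first matching entry wins.

Added illustration (not from the CompTIA guide). The file content below is
constructed; real files live at /etc/hosts on Linux and
C:\Windows\System32\drivers\etc\hosts on Windows.
"""
import ipaddress
from typing import Dict, Optional

SAMPLE_HOSTS = """\
# Constructed HOSTS file for the demo.
127.0.0.1       localhost
::1             localhost ip6-localhost
# 192.168.1.50  oldserver.corp.example      # commented out: must be ignored
192.168.1.60    app1.corp.example app1      # inline comment after the entry
not-an-ip       broken.example              # malformed address: skipped
192.168.1.61    app1.corp.example           # duplicate name: first entry wins
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return a lowercase name -> address map built from HOSTS file text."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # everything after '#' is a comment
        if not line:
            continue                            # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            continue                            # an address with no names
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not a valid IPv4/IPv6 address
        for name in fields[1:]:
            table.setdefault(name.lower(), address)   # first entry wins
    return table


def resolve_static(table: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; None means the name falls through to DNS."""
    return table.get(name.lower().rstrip("."))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for query in ("APP1.corp.example", "oldserver.corp.example", "broken.example"):
        print(query, "->", resolve_static(hosts, query))
```

When using the HOSTS file to test for a name resolution problem as described above, the entry you add must be on its own uncommented line and the address must be valid, or the resolver will skip it exactly as this parser does.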
If a single client is unable to resolve names, the issue is likely to lie with the client
configuration.
• The client has been configured either with no DNS server address or the wrong
DNS server address. Reconfigure the DNS server address.
• The client has the incorrect DNS suffix. Verify the DNS domain in which the client
is supposed to be and verify the host's configuration matches.
Bear in mind that in both of these situations, DHCP might be configuring these
settings incorrectly. Therefore, check the server options or scope options
configuration on the DHCP server as well.
If multiple clients are affected, the issue is likely to lie with the server service (or the
way a subnet accesses the server service). Check that the server configured as a
DNS resolver is online and available (that you can ping the server from the client).
If some DNS queries work from the client and others don't, then the problem is
more complex. Use the nslookup or dig utilities to check what records are
returned by the resolver. If trying to connect to an Internet resource, compare
these records to those returned by public resolvers (such as Google's servers at
8.8.8.8). Consider whether clients have cached a record that has been changed
recently. Reconfiguration of DNS records should be planned and implemented
carefully to avoid caching problems.
• The application or OS hosting the service has crashed (or there is a hardware or
power problem).
• There is congestion in the network, either at the client or server end (or both).
Use ping or traceroute to check the latency experienced over the link and
compare to a network performance baseline. Again, throttling connections or
bandwidth may help to ease the congestion until higher bandwidth links can be
provisioned.
• Network congestion may also be a sign that the service is being subject to a
Denial of Service (DoS) attack. Look for unusual access patterns (for example,
use GeoIP to graph source IP addresses by country and compare to baseline
access patterns).
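The GeoIP comparison suggested in the last point above can be automated: classify each request by the country of its source address, compute the share per country, and flag any country whose share is well above its baseline. The following Python program is an added illustration, not code from the CompTIA guide. The access-log lines, the prefix-to-country table and the baseline shares are all constructed; a real deployment would query a GeoIP database instead of the GEOIP_TABLE dictionary.

```python
"""Country-mix check for a web service: compare where the current requests come
from against a baseline, as suggested above for spotting a possible DoS.

Added illustration (not from the CompTIA guide). The log lines, the
prefix-to-country table and the baseline shares are all constructed; a real
deployment would query a GeoIP database instead of GEOIP_TABLE.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a GeoIP lookup: network prefix -> country code.
GEOIP_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "GB",
    "192.0.2.0/24": "ZZ",      # placeholder code for the demo
}

# Constructed baseline: the share of requests normally seen per country.
BASELINE_SHARE: Dict[str, float] = {"US": 0.80, "GB": 0.20}

# Constructed access-log lines (client IP is the first field).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.40 - - [10/Mar/2023:10:00:02 +0000] "GET /login HTTP/1.1" 200 873
203.0.113.9 - - [10/Mar/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 512
192.0.2.17 - - [10/Mar/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512
192.0.2.18 - - [10/Mar/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512
192.0.2.19 - - [10/Mar/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512
192.0.2.20 - - [10/Mar/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512
192.0.2.21 - - [10/Mar/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 512
192.0.2.22 - - [10/Mar/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 512
192.0.2.23 - - [10/Mar/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 512
"""

_NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in GEOIP_TABLE.items()]


def country_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return "??"                                # unknown: still counted


def country_shares(log_text: str) -> Dict[str, float]:
    """Fraction of requests per country in the log excerpt."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[country_for(line.split()[0])] += 1
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()} if total else {}


def flag_anomalies(shares: Dict[str, float], baseline: Dict[str, float],
                   min_share: float = 0.10, factor: float = 3.0) -> List[Tuple[str, float]]:
    """Countries whose share is both material (>= min_share) and more than
    `factor` times their baseline share; a country absent from the baseline
    is flagged as soon as it becomes material."""
    flagged = [(cc, round(s, 2)) for cc, s in shares.items()
               if s >= min_share and s > factor * baseline.get(cc, 0.0)]
    return sorted(flagged)


if __name__ == "__main__":
    shares = country_shares(SAMPLE_LOG)
    print("shares:", {cc: round(s, 2) for cc, s in shares.items()})
    print("flagged:", flag_anomalies(shares, BASELINE_SHARE))
```

On the constructed log the placeholder country ZZ accounts for 70% of requests against a baseline of none, so it is flagged, while the US and GB shares stay within their thresholds. The thresholds are deliberately parameters: a flagged country is a prompt to look closer at the access pattern, not proof of an attack.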
If users on a LAN cannot connect to an external service, such as a cloud application, you
can use a site such as isitdownrightnow.com to test whether the issue is local to your
network or a problem with the service provider site.
Be proactive in monitoring service availability so that you can resolve problems before
they affect large numbers of clients.
Certificate Management console. The Trusted Root CA contains all Microsoft and enterprise trusts,
plus the third-party CA trusts. (Screenshot used with permission from Microsoft.)
One complication here is that different applications may have different stores
of trusted certificates. For example, there is a Windows certificate store, but the
Firefox® browser does not trust it by default and maintains its own certificate
stores. The various Linux distributions store trusted root certificates in several
different locations.
Frequently, certificates are untrusted because they are self-signed (the certificate
holder is both the issuer and the subject of the certificate). This is often the case
with the certificates used to protect the web management interfaces of consumer-
grade appliances and server applications. You might be able to replace the default
certificate with one trusted by the enterprise.
Some other causes of untrusted certificates are:
• The certificate's subject name does not match the URL. This is usually a
configuration error on the part of the web server manager, but it could indicate
malicious activity. You should confirm the certificate's common name and access
the website by using that URL.
This certificate is not trusted because it is self-signed and because it does not match the subject
name (because the host is being accessed via an IP address instead of an FQDN). (Screenshot
courtesy of Mozilla Foundation.)
• The certificate is not being used for its stated purpose. For example, a certificate
issued to sign email is being used on a web server. In this circumstance, you
should not add an exception. The service owner or subject should obtain a
correctly formatted certificate.
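The three causes just described (self-signed, subject name not matching the URL, and wrong purpose) can each be checked programmatically. The following Python program is an added illustration, not code from the CompTIA guide. It represents certificates as constructed dictionaries of the relevant fields rather than parsed X.509 objects, and the host names and the "Corp Issuing CA" are invented. The name-matching rules (an IP-address URL needs an IP subject alternative name, a wildcard matches exactly one label) are the ones browsers apply.

```python
"""Classify why a certificate would be reported as untrusted: self-signed,
subject name not matching the URL host, or used for the wrong purpose.

Added illustration (not from the CompTIA guide). Certificates are represented
as constructed dictionaries of the relevant fields rather than parsed X.509
objects; the hosts, names and issuing CA are invented.
"""
import ipaddress
from typing import Dict, List

SERVER_AUTH = "serverAuth"          # extendedKeyUsage value a TLS server needs


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: a wildcard may only be the whole leftmost
    label and matches exactly one label (*.corp.example matches
    www.corp.example but not corp.example or a.b.corp.example)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    labels = host.split(".")
    return "." in rest and len(labels) >= 3 and ".".join(labels[1:]) == rest


def name_matches(cert: Dict, host: str) -> bool:
    if _is_ip_literal(host):
        # An IP-address URL needs an IP SAN; the common name is not consulted.
        return any(ipaddress.ip_address(host) == ipaddress.ip_address(ip)
                   for ip in cert.get("san_ip", []))
    dns_sans = cert.get("san_dns", [])
    if dns_sans:
        return any(dns_name_matches(n, host) for n in dns_sans)
    # Legacy fallback to the CN when the certificate carries no DNS SAN.
    return dns_name_matches(cert.get("subject_cn", ""), host)


def trust_problems(cert: Dict, host: str) -> List[str]:
    """Reasons a client would refuse this certificate for the given URL host."""
    problems: List[str] = []
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed: issuer equals subject")
    if not name_matches(cert, host):
        problems.append(f"name mismatch: not issued for {host}")
    eku = cert.get("eku", [])
    # An absent EKU extension permits any purpose; a present one must include serverAuth.
    if eku and SERVER_AUTH not in eku:
        problems.append("wrong purpose: extendedKeyUsage lacks serverAuth")
    return problems


# Constructed certificates.
APPLIANCE_CERT = {            # default self-signed cert on a SOHO appliance
    "subject": "CN=router", "issuer": "CN=router", "subject_cn": "router",
    "san_dns": [], "san_ip": [], "eku": [SERVER_AUTH],
}
EMAIL_CERT = {                # S/MIME certificate wrongly installed on a web server
    "subject": "CN=mail.corp.example", "issuer": "CN=Corp Issuing CA",
    "subject_cn": "mail.corp.example", "san_dns": ["mail.corp.example"],
    "san_ip": [], "eku": ["emailProtection"],
}
WEB_CERT = {                  # correctly issued wildcard server certificate
    "subject": "CN=*.corp.example", "issuer": "CN=Corp Issuing CA",
    "subject_cn": "*.corp.example", "san_dns": ["*.corp.example"],
    "san_ip": [], "eku": [SERVER_AUTH],
}

if __name__ == "__main__":
    print(trust_problems(APPLIANCE_CERT, "192.168.1.1"))   # self-signed + name mismatch
    print(trust_problems(EMAIL_CERT, "mail.corp.example")) # wrong purpose
    print(trust_problems(WEB_CERT, "www.corp.example"))    # no problems
```

The appliance certificate accessed by IP address reproduces the screenshot scenario above: it is both self-signed and issued for no name that matches 192.168.1.1. The email certificate passes the name check but fails on purpose, which is the case where an exception should not be added.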
Browsers and email applications usually display informative error messages. In other
contexts, such as EAP authentication, it might not be so obvious that the certificate is the
cause of the failure or why the certificate is being rejected. Inspect the logs recording the
connection for clues.
Other generic issues you may encounter include time synchronization, mobile
devices, and licensing.
NTP Issues
Most network services, and especially authentication and authorization
mechanisms, depend upon each host using a synchronized time source. Inaccurate
time sources also affect the reliability and usability of log data, which can have
implications for regulatory compliance.
Time synchronization is usually accomplished via the Network Time Protocol (NTP).
Clients must be able to access a time source over port UDP 123. In a Windows
environment, the time source for clients will usually be a domain controller. The
domain controller can either use a hardware GPS-based time source or rely on Internet
servers, depending on the level of accuracy required. In Windows, the w32tm /query
/configuration command can be used to check the current configuration.
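What a client actually does over UDP port 123 is small enough to show in full: it sends a 48-byte request, reads the server's timestamps out of the reply, and computes how far its own clock is off. The following Python program is an added illustration, not code from the CompTIA guide. The server reply is constructed in memory by make_reply() rather than received from a real time source, and the timestamps are invented; the packet layout and the offset formula are those of the NTP specification (RFC 5905).

```python
"""NTP client request and reply handling, with the clock-offset calculation
that time synchronization relies on.

Added illustration (not from the CompTIA guide). The reply is constructed
in memory with make_reply() instead of being received on UDP port 123, and
the timestamps are invented.
"""
import struct
from typing import Dict, Tuple

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2_208_988_800      # seconds from 1900-01-01 to 1970-01-01
# Packet layout (48 bytes): header(4) root delay(4) root dispersion(4)
# reference id(4) reference ts(8) originate ts(8) receive ts(8) transmit ts(8).
# Timestamps are 32-bit seconds + 32-bit fraction, big-endian.


def ntp_to_unix(seconds: int, fraction: int) -> float:
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(t: float) -> Tuple[int, int]:
    whole = int(t)
    return whole + NTP_EPOCH_OFFSET, int(round((t - whole) * 2**32))


def build_request() -> bytes:
    pkt = bytearray(48)
    pkt[0] = 0x23          # LI=0, VN=4, Mode=3 (client): 0b00_100_011
    return bytes(pkt)


def parse_reply(data: bytes) -> Dict[str, float]:
    if len(data) < 48:
        raise ValueError("NTP packet too short")
    first = data[0]
    mode = first & 0x7
    if mode != 4:
        raise ValueError(f"expected server reply (mode 4), got mode {mode}")
    fields = struct.unpack("!6I", data[24:48])   # originate, receive, transmit
    return {
        "version": (first >> 3) & 0x7,
        "stratum": data[1],
        "t1": ntp_to_unix(fields[0], fields[1]),   # client send time (echoed back)
        "t2": ntp_to_unix(fields[2], fields[3]),   # server receive time
        "t3": ntp_to_unix(fields[4], fields[5]),   # server transmit time
    }


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """Offset of the local clock relative to the server (RFC 5905):
    theta = ((t2 - t1) + (t3 - t4)) / 2, where t4 is the client receive time."""
    return ((t2 - t1) + (t3 - t4)) / 2


def make_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed mode-4 server reply for the demo."""
    pkt = bytearray(48)
    pkt[0] = 0x24          # LI=0, VN=4, Mode=4 (server)
    pkt[1] = stratum
    pkt[24:48] = struct.pack("!6I", *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))
    return bytes(pkt)


def demo_offset() -> float:
    # Constructed scenario: the client's clock runs 30 s ahead of the server,
    # with 0.1 s of network delay in each direction.
    t1 = 1_700_000_030.0   # client send time, by the client's clock
    t2 = 1_700_000_000.1   # server receive time, by the server's clock
    t3 = 1_700_000_000.1   # server transmit time
    t4 = 1_700_000_030.2   # client receive time, by the client's clock
    reply = parse_reply(make_reply(t1, t2, t3))
    return clock_offset(reply["t1"], reply["t2"], reply["t3"], t4)


if __name__ == "__main__":
    print(f"request first byte: {build_request()[0]:#04x}")
    print(f"clock offset: {demo_offset():+.3f} s")
```

The offset comes out at -30 seconds, which is the kind of skew that makes Kerberos-style authentication fail and log timestamps unreliable, as the text notes. On a real network the request would be sent with a UDP socket to the time source on port 123 and t4 taken from the local clock on receipt.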
BYOD Challenges
Bring Your Own Device (BYOD) is a smartphone/tablet provisioning model that
allows users to select a personal device to use to interact with corporate network
services and cloud apps. Allowing user selection of devices introduces numerous
compatibility, support, and security challenges:
• Compatibility/support—The wide range of devices, mobile OS versions, and
vendor support for patches make the job of ensuring that each device can
connect to corporate network apps and data resources highly complex.
Some of the impact of these issues can be mitigated through the use of enterprise
mobility management (EMM) suites and corporate workspaces. EMM (or mobile
device management) is a type of network access control solution that registers
devices as they connect to the network. It can then enforce security policies while
the device is connected. These might restrict use of device functions or personal
apps. A corporate workspace is an app that is segmented from the rest of the device
and allows more centralized control over corporate data. Users must also agree to
acceptable use policies, which might prohibit installing nonstore apps and rooting/
jailbreaking a device and keeping the device up to date with patches. Users will also
usually have to submit to inspection of the device to protect corporate data.
Review Activity:
Scenarios in Service and Security Issues
You are staffing the network help desk and dealing with support requests as they
arrive. Your network uses four access switches to support four subnets. One subnet
contains network servers (authentication, directory services, DNS, and DHCP) and
another contains Line of Business (LoB) application servers, for sales and order
processing. There are two client subnets, serving different floors in the building.
Using the above scenario and network diagram, answer the following questions:
1. You receive a call from the user of host A who has always been able to
connect to the LoB application servers, but today she is unable to connect.
You verbally check with other users and discover that none of the hosts
on subnet 20 can connect, but that users in subnet 10 report no problems.
What tests should you perform to narrow down the cause of the problem?
Lesson 14
Summary
You should be able to compare and contrast features and placement of security
appliances and to troubleshoot service and security issues.
• Identify suitable types of firewall or proxy appliance based on load and filtering
requirements.
• Consider the impact of segmentation and VLANs on DHCP and DNS servers.
Lesson 15
Deploying and Troubleshooting Wireless Networks
LESSON INTRODUCTION
Unbounded or wireless media technologies have distinct advantages for businesses
over bounded media. They can be easier to install to existing premises and they
support the device mobility that users require from laptop or smartphone-based
access to networks. Wireless technology implementations offer various advantages,
but you need to understand their limitations and security issues to support them
properly in your network environments.
Lesson Objectives
In this lesson, you will:
• Summarize wireless standards.
Topic 15A
Summarize Wireless Standards
• 5 GHz is less effective at penetrating solid surfaces and so does not support the
maximum ranges achieved with 2.4 GHz standards, but the band supports more
individual channels and suffers less from congestion and interference, meaning
it supports higher data rates at shorter ranges.
The IEEE 802.11a standard specifies use of the 5 GHz frequency band and a
multiplexed carrier scheme called Orthogonal Frequency Division Multiplexing
(OFDM). 802.11a has a nominal data rate of 54 Mbps.
The 5 GHz band is subdivided into 23 non-overlapping channels, each of which
is 20 MHz wide. Initially, there were 11 channels, but the subsequent 802.11h
standard added another 12. 802.11h also adds the Dynamic Frequency Selection
(DFS) method to prevent access points (APs) working in the 5 GHz band from
interfering with radar and satellite signals. The exact use of channels can be subject
to different regulation in different countries. Regulatory impacts also include a strict
limit on power output, constraining the range of Wi-Fi devices.
Cheaper client adapters may support only the 2.4 GHz band. An access point (AP) or
adapter that can support both is referred to as dual band. A dual band AP can support
both 2.4 GHz and 5 GHz bands simultaneously. This allows legacy clients to be allocated
to the 2.4 GHz band.
The data rate for 802.11n is 72 Mbps per stream. Assuming the maximum number
of four spatial streams and optimum conditions, the nominal data rate could be
as high as 600 Mbps for a 40 MHz bonded channel. 802.11n can work in High
Throughput (HT)/greenfield mode for maximum performance or HT mixed mode for
compatibility with older standards (802.11a-ht, 802.11b-ht, and 802.11g-ht). Mixed
mode reduces overall WLAN performance, as it involves the transmission of legacy
identification and collision avoidance frames (HT protection) but not to the extent
that 802.11n devices are reduced to, for example, 802.11g data rates. Operating in
greenfield mode is likely to cause substantial interference if there are legacy WLANs
operating nearby on the same channel(s). There is also a legacy (non-HT) mode, in
which 802.11n's HT mechanisms are disabled completely. You might use this mode if
you have an 802.11n-capable access point but don't have any 802.11n client devices.
In recent years, Wi-Fi standards have been renamed with simpler digit numbers.
802.11n is now officially designated as Wi-Fi 4.
Wi-Fi 5 (802.11ac)
Wi-Fi 5 is designed to work only in the 5 GHz band. The 2.4 GHz band can be
used for legacy standards (802.11g/n) in mixed mode. The aim for Wi-Fi 5 is to
get throughput like that of Gigabit Ethernet or better. It supports more channel
bonding (up to 80 or 160 MHz channels), up to 8 spatial streams, rather than 4, and
denser modulation (at close ranges). The way Wi-Fi 5 uses the radio spectrum is
designated as very high throughput (VHT).
As with 802.11n, only enterprise-class equipment is equipped with enough antennas
to make use of three streams or more, and no devices were ever produced with
more than 4x4:4 streams. Wi-Fi 5 access points are marketed using AC values, such
as AC5300. The 5300 value represents 1000 Mbps over a 40 MHz 2.4 GHz band
channel and two 2,167 Mbps streams over 80 MHz 5 GHz band channels.
Wi-Fi 6 (802.11ax)
Wi-Fi 6 uses more complex modulation and signal encoding to improve the amount
of data sent per packet by about 40%. As with Wi-Fi 5, products are branded using
the combined throughput. For example, AX6000 allows 1,148 Mbps on the 2.4 GHz
radio and 4,804 over 5 GHz.
The way Wi-Fi 6 uses the radio spectrum is designated as high efficiency (HE) to
reflect these improvements. The aim for Wi-Fi 6 is to approximate 10G connection
speeds (AX11000). These data rates can only be achieved through use of a new
6 GHz frequency band.
Wi-Fi 6 reinstates operation in the 2.4 GHz band, mostly to support Internet of
Things (IoT) device connectivity. In Wi-Fi 6, the OFDM with multiple access (OFDMA)
modulation scheme allows sub-carriers or tones to be allocated in groups of
different sizes, referred to as resource units (RUs), each of which can communicate
in parallel. Where small RUs are used, this reduces throughput but provides more
opportunities for a larger number of devices to transmit. The effect is to reduce
latency where numerous small data packets are being transmitted. This technology
provides better support for IoT devices. Stations that require more bandwidth
can be assigned larger RUs. RUs can also be assigned based on class of service
parameters, such as prioritizing voice over IP (VoIP) traffic. It also allows an access
point to support legacy (Wi-Fi 4/5 stations) efficiently.
Multiuser MIMO
In basic 802.11 operation modes, bandwidth is shared between all stations because
of the CSMA/CA contention protocol. An AP can communicate with only one station
at a time; multiple station requests go into a queue. Wi-Fi 5 and Wi-Fi 6 products
address this problem using beamforming or Multiuser MIMO (MU-MIMO).
Downlink MU-MIMO (DL MU-MIMO) allows the AP to use its multiple antennas to
process a spatial stream of signals in one direction separately to other streams. This
means that groups of stations on a different alignment can connect simultaneously
and also obtain more bandwidth. For example, if four stations are positioned north,
south, east, and west of a 4x4:4 AP, the AP should be able to allow each of them to
connect at close to the maximum speed. If another station is added to the north,
those two northern stations will share the available bandwidth along that beam
path. Both stations and AP must support MU-MIMO. Where Wi-Fi 5 supports up to
four stations communicating in parallel over 5 GHz only, Wi-Fi 6 can support up to
eight in 2.4 GHz, 5 GHz, and 6 GHz bands, giving it better performance in congested
areas.
With DL MU-MIMO, only the AP can initiate beamforming, so it is only available on the
downlink from AP to station (not station to AP). Wi-Fi 6 supports uplink MU-MIMO (UL
MU-MIMO), allowing stations to initiate beamforming with the access point.
For both Wi-Fi 5 and Wi-Fi 6, improvements are released to market in waves. For
example, UL MU-MIMO was released in wave 2 Wi-Fi 6 products, which also added
support for the 6 GHz frequency band.
MU-MIMO and OFDMA are different but complementary technologies. MU-MIMO makes
use of spatial streams, where OFDMA makes flexible use of subcarriers within a channel.
Both can work together to increase parallelism (supporting communication with more
devices simultaneously).
In both cases, the cell network was built primarily to support voice calls, so 2G data
access was provided on top, using Circuit Switched Data (CSD). CSD is somewhat
similar to a dial-up modem, though no analog transmissions are involved. CSD
requires a data connection to be established to the base station (incurring call
charges) and is only capable of around 14.4 Kbps at best.
The transition from 2G to 3G saw various packet-switched technologies deployed
to mobiles:
• General Packet Radio Services/Enhanced Data Rates for GSM Evolution (GPRS/EDGE)
is a precursor to 3G (2.5G), with GPRS offering up to about 48 Kbps and EDGE about
3-4 times that. Unlike CSD, GPRS and EDGE allow “always on” data connections, with
usage billed by bandwidth consumption rather than connection time.
Note that with HSPA, the TDMA channel access technology has been abandoned and a
type of CDMA used.
LTE uses neither TDMA nor CDMA but Orthogonal Frequency Division Multiple Access
(OFDMA), which is also used by Wi-Fi 6.
LTE Advanced (LTE-A) is intended to provide a 300 Mbps downlink, but again this
aspiration is not matched by real-world performance. Current typical performance
for LTE-A is up to 90 Mbps.
5G
According to the original specification, a 4G service was supposed to deliver 1 Gbps
for stationary or slow-moving users (including pedestrians) and 100 Mbps for
access from a fast-moving vehicle. Those data rates are now the minimum hoped-
for standards for 5G. As with 4G, real-world speeds are nowhere near the hoped-for
minimums, ranging from about 50 Mbps to 300 Mbps at time of writing.
5G uses different spectrum bands from low (sub-6 GHz) to medium/high
(20-60 GHz). Low bands have greater range and penetrating power; high bands,
also referred to as millimeter wave (mmWave) require close range (a few hundred
feet) and cannot penetrate walls or windows. Consequently, design and rollout
of 5G services is relatively complex. Rather than a single large antenna serving a
large wireless cell, 5G involves installing hundreds of smaller antennas to form
an array that can take advantage of multipath and beamforming to overcome the
propagation limitations of the spectrum. This is also referred to as massive MIMO.
As well as faster mobile speeds, 5G is expected to provide fixed-wireless broadband
solutions for homes and businesses, and to support IoT networks.
Review Activity:
Wireless Standards
3. What options may be available for an 802.11n network that are not
supported under 802.11g?
Topic 15B
Install Wireless Networks
Each client station requires a wireless adapter compatible with the standard(s)
supported by the AP.
Even if SSID broadcast is suppressed, it is fairly easy for a network sniffer to detect it as
clients still use it when connecting with the AP.
A switch that supports Power over Ethernet (PoE) can be used to power a PoE-
compatible AP.
The next step is to create a new plan on which you will mark the WLAN cells and
associated APs and booster antennas. The idea here is to place APs close enough
together to avoid “dead zones”—areas where connectivity is difficult or data
transfer rates are below an acceptable tolerance level—but far enough apart that
one AP does not interfere with another or that one AP is overutilized and a nearby
one underutilized.
Position an AP in the first planned location, then use a laptop with a wireless
adapter and a wireless survey tool, such as Cisco Aironet, Metageek inSSIDer, or
Ekahau Site Survey, to record signal strength and supported data rate at various
points in the intended basic service area (BSA). Many tools can show the signal
strength within a particular channel obtained in different locations graphically using
a heat map. The heat map would show areas with a strong signal in greens and
yellows with warning oranges and reds where signal strength drops off. This step
is then repeated for each planned location. Neighboring APs should be configured
with non-overlapping channels to avoid interfering with one another. It may also be
necessary to adjust the transmit power of an AP to size its BSA appropriately.
You can also configure multiple access points to cover areas where it is not possible
to run cabling. This is referred to as a wireless distribution system (WDS). You must
set the APs to use the same channel, SSID, and security parameters. The APs are
configured in WDS/repeater mode. One AP is configured as a base station, while the
others are configured as remote stations. The base station can be connected to a
cabled segment. The remote stations must not be connected to cabled segments.
The remote stations can accept connections from wireless stations and forward all
traffic to the base station.
Another use for WDS is to bridge two separate cabled segments. When WDS is
configured in bridge mode, the APs will not support wireless clients; they simply
forward traffic between the cabled segments.
WDS support and implementation vary between manufacturers. If you are
implementing WDS, it is usually best to use APs from the same vendor.
Rather than configure each device individually, enterprise wireless solutions such as
those manufactured by Cisco, Ruckus, or Ubiquiti allow for centralized management
and monitoring of the APs on the network. This may be achieved through use of a
dedicated hardware device called a wireless LAN controller. Alternatively, some
implementations use a software application to centralize the management function,
which can be run on a server or workstation.
An AP whose firmware contains enough processing logic to be able to function
autonomously and handle clients without the use of a wireless controller is known
as a fat AP, while one that requires a wireless controller in order to function
is known as a thin AP. Cisco wireless controllers originally communicated with the
APs by using the Lightweight Access Point Protocol (LWAPP). LWAPP allows an
AP configured to work in lightweight mode to download an appropriate SSID,
standards mode, channel, and security configuration from the controller. The
Control And Provisioning of Wireless Access Points (CAPWAP) protocol is the IETF
standard derived from LWAPP and has replaced it on current Cisco controllers; it
protects the control channel between AP and controller with DTLS. Other vendors
use CAPWAP or a proprietary protocol.
As well as autoconfiguring the appliances, a wireless controller can aggregate client
traffic and provide a central switching and routing point between the WLAN and
wired LAN. It can also assign clients to separate VLANs. Automated VLAN pooling
ensures that the total number of stations per VLAN is kept within specified limits,
reducing excessive broadcast traffic. Another function is to supply power to wired
access points, using Power over Ethernet (PoE).
Ad Hoc Topology
In an ad hoc topology, the wireless adapter allows connections to and from other
devices. In 802.11 documentation, this is referred to as an Independent Basic
Service Set (IBSS). This topology does not require an access point. All the
stations within an ad hoc network must be within range of one another. An
ad hoc network might suit a small workgroup of devices, or connectivity to a
single device, such as a shared printer, but it is not scalable to large network
implementations.
IBSS is not supported by the updated WDI driver model in the latest versions of Windows
(docs.microsoft.com/en-us/windows-hardware/drivers/network/wdi-features-not-carried-over-in-wdi).
Mesh Topology
The 802.11s standard defines a Wireless Mesh Network (WMN). There are also
various proprietary mesh protocols and products. Unlike an ad hoc network,
nodes in a WMN (called mesh stations) are capable of discovering one another and
peering, forming a Mesh Basic Service Set (MBSS). The mesh stations can perform
path discovery and forwarding between peers using a routing protocol, such as the
Hybrid Wireless Mesh Protocol (HWMP).
These features make a mesh topology more scalable than an ad hoc topology
because the stations do not need to be within direct radio range of one another—a
transmission can be relayed by intermediate stations. Mesh topologies are
becoming increasingly popular and are the foundation of most Internet of Things
(IoT) networks.
Topic 15C
Troubleshoot Wireless Networks
• Throughput is the amount of data that can be transferred at the network layer,
discarding overhead from layers 1 and 2. Often the term goodput is used to
describe data transfer achieved at the application layer (accounting for overhead
from header fields and packet loss/retransmissions).
As with cabling, attenuation refers to the weakening of the signal as the distance
between the devices increases. This can be described more precisely as radio
frequency (RF) attenuation or free space path loss. As the distance from the
antenna increases, the strength of the signal decreases in accordance with the
inverse-square rule. For example, doubling the distance decreases the signal
strength by a factor of four. Meanwhile, interference sources collectively overlay a
competing background signal, referred to as noise. These factors impose distance
limitations on how far a client can be from an access point.
Attenuation and signal strength are measured in decibels. Signal strength is
represented as the ratio of a measurement to 1 milliwatt (mW), where 1 mW is
equal to 0 dBm. dB and dBm units can be combined to analyze losses and gains in
signal strength along a communications path. For example, if you transmit a radio
signal at 1 mW and use an antenna to boost the signal, the effective power is:
0 dBm + 3 dB = 2 mW = ~3 dBm
Signal Strength
The Received Signal Strength Indicator (RSSI) is the strength of the signal from the
transmitter as measured at the client end. When you are measuring RSSI, dBm will be a
negative value (a fraction of a milliwatt), with values closer to zero representing a
stronger signal. A value around -65 dBm represents a good signal, while anything weaker
than -80 dBm (that is, more negative) is likely to suffer packet loss or be dropped. The
RSSI must exceed the minimum receiver sensitivity of the client adapter.
The comparative strength of the data signal to the background noise is called
the Signal-To-Noise Ratio (SNR). Noise is also measured in dBm, but here values
closer to zero are less welcome as they represent higher noise levels. For example,
if signal is -65 dBm and noise is -90 dBm, the SNR is the difference between the
two values, expressed in dB (25 dB). If noise is -80 dBm, the SNR is 15 dB and the
connection will be much, much worse.
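The dB and dBm arithmetic above, carried through as a worked link budget. This is an added example, not code from the CompTIA guide: the free-space path loss formula (Friis), the 2437 MHz center frequency for channel 6, the 20 dBm transmit power, the 2 dBi AP antenna gain, the -90 dBm noise floor and the 5 dB per-wall loss are all assumptions chosen for illustration, and the RSSI quality bands follow the rules of thumb given in the text.

```python
import math


def dbm_to_mw(dbm: float) -> float:
    """Convert a power level in dBm to milliwatts (0 dBm == 1 mW)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    """Convert milliwatts to dBm (2 mW -> ~3 dBm, the example in the text)."""
    return 10 * math.log10(mw)


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB (Friis formula, assumed here).

    Doubling the distance adds 20*log10(2) = ~6 dB of loss, which is the
    inverse-square rule: one quarter of the power.
    """
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz,
                 obstacle_losses_db=()):
    """Expected RSSI at the receiver: gains (dBi) add, path and wall losses (dB) subtract."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - fspl_db(distance_m, freq_mhz) - sum(obstacle_losses_db))


def snr_db(rssi_dbm: float, noise_dbm: float) -> float:
    """SNR is the difference of two dBm values, expressed in dB."""
    return rssi_dbm - noise_dbm


def rssi_quality(rssi_dbm: float) -> str:
    """Rule-of-thumb bands from the text: about -65 dBm good, weaker than -80 dBm poor."""
    if rssi_dbm >= -65:
        return "good"
    if rssi_dbm > -80:
        return "fair"
    return "poor"


def link_report(distance_m, walls, tx_dbm=20.0, tx_gain_dbi=2.0, rx_gain_dbi=0.0,
                freq_mhz=2437.0, wall_loss_db=5.0, noise_dbm=-90.0):
    """Summarize one client position: assumed AP power/gain, channel 6, 5 dB per wall."""
    rssi = received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz,
                        [wall_loss_db] * walls)
    return {"distance_m": distance_m, "walls": walls, "rssi_dbm": round(rssi, 1),
            "snr_db": round(snr_db(rssi, noise_dbm), 1), "quality": rssi_quality(rssi)}


if __name__ == "__main__":
    print(f"0 dBm + 3 dB = {dbm_to_mw(3):.2f} mW = {mw_to_dbm(2):.2f} dBm")
    for distance, walls in ((10, 1), (40, 1), (80, 2)):
        print(link_report(distance, walls))
```

Run as a script, the 10 m position through one wall comes out at about -43 dBm (SNR 47 dB), while 80 m through two walls drops to about -66 dBm, which the site survey heat map would show as a yellow-to-orange transition.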
RSSI and SNR can be measured by using a Wi-Fi analyzer. This type of software can
be installed to a laptop or smartphone. It will record statistics for the AP that the
client is currently associated with and detect any other access points in the vicinity.
Surveying Wi-Fi networks using inSSIDer. The chart shows which channels are active and the signal
strength of different networks in each channel. (Screenshot used with permission from MetaGeek.)
Antenna Types
The antenna type determines the propagation pattern or shape of the radio waves
transmitted. Most wireless devices have simple omnidirectional vertical rod-type
antennas, which receive and send signals in all directions more-or-less equally.
Access points with omnidirectional antennas should ideally be ceiling-mounted for
best coverage, unless the ceiling is particularly high. The propagation pattern is
shaped like a torus (donut), rather than a sphere, and radiates more powerfully in
the horizontal plane than it does in the vertical plane. Locating the antenna above
head height will minimize interference from obstructing furniture by allowing line-
of-sight to most connecting devices but positioning it too high (above around 25 ft)
will reduce signal strength, especially for stations directly below the antenna. You
can obtain APs with downtilt omnidirectional antennas for use on high ceilings.
To extend the signal to a particular area, you can use an antenna focused
in a single direction (unidirectional). Both ends of a point-to-point link normally
use directional antennas aimed at each other: antenna gain applies equally to
sending and receiving, so an omnidirectional antenna at one end limits the range of
the link in both directions.
Unidirectional antenna types include the Yagi (a bar with fins) and parabolic
(dish or grid) form factors. Unidirectional antennas are useful for point-to-point
wireless bridge connections. The increase in signal strength obtained by focusing
the signal is referred to as the gain and is measured in dBi (decibel isotropic). The
amount of directionality, referred to as the beamwidth, is measured in degrees. A
pair of 10-degree antennas are very highly directional and will require more exact
alignment than a pair of 90 degree antennas.
A variety of generic antenna types: from left to right, a vertical rod antenna, a Yagi antenna, a
parabolic dish antenna, and a parabolic grid antenna.
Polarization refers to the orientation of the electric field of the wave propagating
from the antenna. For a rod-type antenna, the polarization follows the rod: when the
rod points straight up relative to the floor, the wave is vertically polarized; if you
orient the rod parallel to the floor, the wave is horizontally polarized. To maximize
signal strength, the transmitting and receiving antennas should normally use the same
polarization; a 90-degree mismatch can cost on the order of 20 dB. This is particularly
important when deploying unidirectional antennas for a point-to-point link.
Some antennas are dual-polarized, meaning that they can be installed in either
orientation. Dual-polarized antennas are also the best way to support mobile
devices, as these can be held by their user in a variety of orientations.
Antenna Placement
Incorrect antenna placement could cause or exacerbate attenuation and
interference problems. Use a site survey and heat map to determine the optimum
position for APs and (if available) the direction in which to point adjustable
antennas. Also, using an incorrect antenna type may adversely affect the signal
strength at any given point. A unidirectional antenna is only suitable for point-to-
point connections, not for general client access. The internal antennas built into APs
may also be optimized to transmit and receive in some directions more than others.
For example, an AP designed for ceiling mounting may produce a stronger signal in
a cone directed downwards from its central axis, whereas the signal from a similar
AP designed for wall installation is more likely to be angled outwards. Consult the
documentation for your specific model of AP or use site survey software to produce
a heat map.
Remember that some client devices might support a standard such as 802.11n, but only
have a single-band 2.4 GHz radio. They will not be able to join a 5 GHz network.
If a device has removable antennas, check that these are screwed in firmly. A loose
or disconnected antenna may reduce the range of the device or prevent connectivity
altogether.
One of the design goals for a multi-AP site is to create clean cells so that clients
can select an AP with the strongest signal easily and the WLAN operates with a
minimum of co-channel interference. At least 25 MHz spacing should be allowed to
avoid channel overlap. In practice, therefore, no more than three nearby APs using
the 2.4 GHz band can have non-overlapping channels. This could be implemented,
for example, by selecting channel 1 for AP1, channel 6 for AP2, and channel 11 for
AP3. When you are using the 5 GHz band for 802.11a or Wi-Fi 4/5/6, more non-
overlapping channels are available.
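A worked channel plan for the rule above (25 MHz spacing, hence channels 1, 6 and 11 in the 2.4 GHz band). This is an added example, not part of the guide: the AP names and the adjacency list describing which APs can hear each other are constructed from an imagined site survey, and the greedy assignment is a simple first-fit coloring, not any vendor's radio resource management algorithm.

```python
def channel_center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz band channel (IEEE 802.11 channels 1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, min_spacing_mhz: int = 25) -> bool:
    """True if APs on these two channels would interfere (centers closer than 25 MHz)."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < min_spacing_mhz


def plan_channels(neighbors, candidates=(1, 6, 11)):
    """Assign each AP a channel that does not overlap with any assigned neighbor.

    neighbors maps an AP name to the set of APs whose cells it can hear. The
    most-constrained AP (most neighbors) is placed first, then each AP takes
    the first candidate channel that clears all already-placed neighbors.
    A ValueError means the layout cannot be solved with three channels, which
    is the cue to lower transmit power, re-site APs, or move cells to 5 GHz.
    """
    plan = {}
    for ap in sorted(neighbors, key=lambda a: -len(neighbors[a])):
        used = [plan[n] for n in neighbors[ap] if n in plan]
        for ch in candidates:
            if not any(channels_overlap(ch, u) for u in used):
                plan[ap] = ch
                break
        else:
            raise ValueError(f"no non-overlapping channel left for {ap}")
    return plan


def cochannel_conflicts(plan, neighbors):
    """Audit an existing plan: pairs of neighboring APs on overlapping channels."""
    pairs = set()
    for ap, heard in neighbors.items():
        for other in heard:
            if channels_overlap(plan[ap], plan[other]):
                pairs.add(tuple(sorted((ap, other))))
    return sorted(pairs)


# Constructed survey result: which APs can hear each other.
SURVEY_NEIGHBORS = {
    "AP1": {"AP2", "AP3"},
    "AP2": {"AP1", "AP3", "AP4"},
    "AP3": {"AP1", "AP2"},
    "AP4": {"AP2"},
}

if __name__ == "__main__":
    # A plan someone typed in by hand: channels 1 and 3 are only 10 MHz apart.
    print(cochannel_conflicts({"AP1": 1, "AP2": 3, "AP3": 11, "AP4": 6}, SURVEY_NEIGHBORS))
    print(plan_channels(SURVEY_NEIGHBORS))
```

AP4 is allowed to reuse channel 6 because the survey says it cannot hear AP1; that reuse is exactly what sizing cells with transmit power is meant to make safe.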
In a complex environment, it may be necessary to adjust the power level used by an
AP on a given channel. Using the maximum available power on an AP can result in
it interfering with other “cells” and to situations where a client can “hear” the AP but
cannot “talk” to it because it lacks sufficient power.
Checking power levels on a wireless station using Intel's PROSet Wi-Fi configuration utility.
(Screenshot courtesy of Intel Corp.)
To support seamless roaming for mobile clients, the cells served by neighboring
APs need to overlap to some extent. This is one of the trickiest elements of site
design to get right, as client behaviors and capabilities for roaming can vary
widely. If there is a bring your own device (BYOD) policy in place, these support
issues are magnified further.
Issues with roaming can be identified by analyzing access point association times
for client devices. A WLAN controller will be able to track client mobility, showing
each access point and the time that the client associated with it. If a large number
of clients flap between two access points repeatedly, the site design might need to
be investigated to solve the roaming issue.
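One way to spot the flapping described above from a controller's association history. This is an added example, not from the guide or from any controller vendor: the log line format, the client MAC addresses, the AP names and the timestamps are constructed, and the threshold of four AP changes within 120 seconds is an arbitrary starting point to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed association log (not a real vendor format): one record per association.
SAMPLE_LOG = """\
2023-03-10T09:00:00 client=aa:bb:cc:dd:ee:01 assoc ap=AP-Lobby
2023-03-10T09:00:12 client=aa:bb:cc:dd:ee:01 assoc ap=AP-Hall
2023-03-10T09:00:05 client=aa:bb:cc:dd:ee:02 assoc ap=AP-Lobby
2023-03-10T09:00:25 client=aa:bb:cc:dd:ee:01 assoc ap=AP-Lobby
2023-03-10T09:00:41 client=aa:bb:cc:dd:ee:01 assoc ap=AP-Hall
2023-03-10T09:00:20 client=aa:bb:cc:dd:ee:03 assoc ap=AP-Hall
2023-03-10T09:00:58 client=aa:bb:cc:dd:ee:01 assoc ap=AP-Lobby
2023-03-10T09:07:30 client=aa:bb:cc:dd:ee:02 assoc ap=AP-Hall
2023-03-10T09:09:20 client=aa:bb:cc:dd:ee:03 assoc ap=AP-Hall
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) assoc ap=(?P<ap>\S+)$"
)


def parse_associations(lines):
    """Group association events per client MAC, each list sorted by time."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an association record; ignore
        events[m["mac"]].append((datetime.fromisoformat(m["ts"]), m["ap"]))
    return {mac: sorted(evs) for mac, evs in events.items()}


def find_flapping(events, window_s=120, min_changes=4):
    """Flag clients that switch AP at least min_changes times within window_s seconds.

    A re-association to the same AP is not a change. For each client the
    list of (time, from_ap, to_ap) changes is scanned with a sliding window;
    the first window that meets the threshold is reported.
    """
    window = timedelta(seconds=window_s)
    flagged = {}
    for mac, evs in events.items():
        changes = [(t, prev, ap) for (_, prev), (t, ap) in zip(evs, evs[1:]) if ap != prev]
        for i in range(len(changes)):
            j = i
            while j < len(changes) and changes[j][0] - changes[i][0] <= window:
                j += 1
            if j - i >= min_changes:
                involved = {p for _, p, _ in changes[i:j]} | {a for _, _, a in changes[i:j]}
                flagged[mac] = {
                    "changes": j - i,
                    "aps": sorted(involved),
                    "start": changes[i][0].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for mac, info in find_flapping(parse_associations(SAMPLE_LOG.splitlines())).items():
        print(mac, info)
```

Client ee:01 ping-pongs between AP-Lobby and AP-Hall four times in under a minute and is flagged; ee:02 roams once and ee:03 only re-associates to the same AP, so neither is. A cluster of flapping clients around one AP pair points at overlapping cells or a power setting, while flapping that involves a BSSID not in your inventory is a rogue AP question, not a site design one.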
Overcapacity Issues
Overcapacity (or device saturation) occurs when too many client devices connect
to the same AP. The maximum number of clients that an AP can support varies,
depending on the Wi-Fi standard used and the type of network traffic generated.
For example, web browsing will typically place a lighter load on the network than
local client-server traffic or is likely at least to move any bottleneck further upstream
to the WAN, rather than the wireless network. While individual circumstances must
be considered, a maximum of 30 clients per AP is generally accepted as a rule of
thumb. In designing the network, enough APs should be provided in appropriate
locations to support the expected client density at this ratio. APs can usually be
configured to enforce a maximum number of connections, so that additional clients
will connect to the next nearest AP. Even with a relatively low number of clients,
the wireless network can suffer from bandwidth saturation. Since wireless is a
broadcast medium, the available bandwidth is shared between all clients. Thus,
if one client is a bandwidth hog, others may find it difficult to maintain a reliable
connection.
In an enterprise Wi-Fi solution, a controller will normally provide reporting tools to
diagnose bandwidth issues and to report on which clients are consuming the most
bandwidth. It could also report on wireless channel utilization and configure APs
and clients to reassign channels dynamically to reduce overutilization. If a traffic
shaper is deployed, it may work automatically to throttle bandwidth to overactive
nodes.
Interference Issues
If a device is within the supported range but the signal is weak or you cannot get
a connection, there is likely to be interference. Apart from channel interference
described earlier, there are several other sources of interference to consider:
• Reflection/bounce (multipath interference)—Mirrors or shiny surfaces
cause signals to reflect, meaning that a variable delay is introduced. This causes
packets to be lost and consequently the data rate to drop.
• Refraction—Glass or water can cause radio waves to bend and take a different
path to the receiver. This can also cause the data rate to drop.
• Absorption—This refers to the degree to which walls and windows will reduce
signal strength (some of the radio wave's energy is lost as heat when passing
through construction materials). An internal wall might “cost” 3 to 15 dB,
depending on the material used (concrete being the most effective absorber).
The 2.4 GHz frequency has better penetration than the 5 GHz one, given the
same power output. To minimize absorption from office furniture (and people),
use ceiling-mounted APs.
Also consider that signal problems could be the result of someone attacking the
network by jamming the legitimate AP, or by sending spoofed deauthentication frames,
so that clients connect to a rogue AP instead.
Review Activity:
Wireless Network Troubleshooting
Answer the following questions:
2. The lobby area of your office building has undergone a renovation the
centerpiece of which is a large aquarium in the middle of the room,
separating a visitor seating and greeting area from the reception desks,
where the AP facilitating guest Internet access is located. Since the
renovation, many guests have been unable to connect to Wi-Fi from the
seating area. Could the aquarium really be the cause, and what solution
could you recommend?
4. Users in the corner of an office building cannot get good Wi-Fi reception.
Your office manager doesn't want to use his budget to purchase a new
AP. He's noticed that the power level control on the AP is set to 3 out of
and wants to know why turning up the power isn't the best solution?
Topic 15D
Configure and Troubleshoot
Wireless Security
Wireless connections are popular with users but also pose considerable risk to
the whole network unless they are properly secured with access controls. In this
topic, you will identify different wireless security methods and their configuration
requirements and troubleshoot common issues with wireless settings.
Configuring a TP-LINK SOHO access point with wireless encryption and authentication settings. In
this example, the 2.4 GHz band allows legacy connections with WPA2-Personal security, while the
5 GHz network is for 802.11ax (Wi-Fi 6) capable devices using WPA3-SAE authentication.
(Screenshot used with permission from TP-Link Technologies.)
Personal Authentication
In order to secure a network, you need to be able to confirm that only valid users
are connecting to it. Wi-Fi authentication comes in three types: personal, open, and
enterprise. Within the personal authentication category, there are two methods: pre-
shared key authentication (PSK) and simultaneous authentication of equals (SAE).
The configuration interfaces for access points can use different labels for these
methods. You might see WPA2-Personal and WPA3-SAE rather than WPA2-PSK and
WPA3-Personal, for example. Additionally, an access point can be configured for WPA3
only or with support for legacy WPA2 (WPA3-Personal Transition mode).
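A check that an AP's personal-authentication settings actually match the WPA3 transition configuration described above, with a weak configuration beside it. This is an added example, not from the guide or from TP-Link or Cisco: it reads hostapd-style key=value settings (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, sae_require_mfp, wpa_passphrase), and the two sample configurations, the 12-character passphrase threshold and the severity labels are assumptions.

```python
# Constructed sample: legacy WPA with TKIP, PSK only, short passphrase.
WEAK_CONF = """\
interface=wlan0
ssid=CorpGuest
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed sample: WPA3-Personal transition mode (WPA2-PSK and SAE, CCMP, MFP on).
WPA3_TRANSITION_CONF = """\
interface=wlan0
ssid=Corp-2G
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
wpa_passphrase=correct-horse-battery-2023
"""


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint_ap_security(conf):
    """Return (severity, code, message) findings for a personal-auth WLAN config."""
    findings = []
    wpa = int(conf.get("wpa", "0"))                      # bitfield: 1=WPA, 2=WPA2/RSN
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    mfp = int(conf.get("ieee80211w", "0"))               # 0=off, 1=optional, 2=required
    if wpa == 0:
        findings.append(("high", "OPEN", "no WPA/WPA2/WPA3: traffic is unencrypted and any host can join"))
        return findings
    if wpa & 1:
        findings.append(("high", "WPA1", "legacy WPA (wpa=1 or wpa=3) still accepted; use wpa=2 (RSN) only"))
    if "TKIP" in ciphers:
        findings.append(("high", "TKIP", "TKIP pairwise cipher permitted; allow CCMP only"))
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append(("medium", "PSK_ONLY",
                         "WPA2-PSK only: a captured 4-way handshake allows offline passphrase guessing; enable SAE"))
    elif {"WPA-PSK", "SAE"} <= key_mgmt:
        findings.append(("info", "TRANSITION", "WPA3 transition mode: WPA2-PSK clients are still accepted"))
    if "SAE" in key_mgmt and mfp == 0:
        findings.append(("high", "SAE_NO_MFP", "SAE requires management frame protection; set ieee80211w=1 or 2"))
    passphrase = conf.get("sae_password") or conf.get("wpa_passphrase", "")
    if passphrase and len(passphrase) < 12:
        findings.append(("medium", "SHORT_PASSPHRASE", f"passphrase is {len(passphrase)} characters; use 12 or more"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("wpa3-transition", WPA3_TRANSITION_CONF)):
        print(name)
        for severity, code, message in lint_ap_security(parse_hostapd(text)):
            print(f"  [{severity}] {code}: {message}")
```

The transition configuration produces only the informational TRANSITION finding, which is the reminder that, until the last WPA2-only client is retired, the passphrase is still exposed to an offline attack through any WPA2 client's handshake.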
Using Cisco's Virtual Wireless LAN Controller to set security policies for a WLAN. This policy
enforces use of WPA2 and the use of 802.1X (Enterprise) authentication. (Image © and Courtesy of
Cisco Systems, Inc. Unauthorized use not permitted.)
It is possible that two APs are operating with the same SSID. If authentication is
required, the connection to the wrong AP will fail. If there is no authentication (open
network), then the host will connect, but take care, as this may be an attempt to snoop
on the host's traffic using a rogue AP (an "evil twin"). Also, if a user is joining a WLAN
for the first time, there may be SSIDs from overlapping WLANs with very similar default
names, and the user may be confused about which name to choose.
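A first-pass screen for the duplicate-SSID and look-alike-SSID cases described above, comparing a Wi-Fi scan against an inventory of authorized BSSIDs. This is an added example, not from the guide: the inventory, the scan results (BSSIDs, channels and security labels) and the normalization rule for look-alike names are constructed. An attacker can clone an authorized BSSID as easily as an SSID, so an unknown BSSID is evidence rather than proof, and a matching one is not proof of legitimacy.

```python
import re

# Constructed inventory: the APs we actually deployed for each SSID.
AUTHORIZED = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
}

# Constructed scan output (what a Wi-Fi analyzer would list for the lobby).
SCAN = [
    {"ssid": "CorpWiFi",    "bssid": "00:11:22:33:44:01", "channel": 1,  "security": "WPA2"},
    {"ssid": "CorpWiFi",    "bssid": "de:ad:be:ef:00:01", "channel": 6,  "security": "OPEN"},
    {"ssid": "CorpWiFi",    "bssid": "de:ad:be:ef:00:02", "channel": 11, "security": "WPA2"},
    {"ssid": "Corp-WiFi",   "bssid": "de:ad:be:ef:00:03", "channel": 6,  "security": "OPEN"},
    {"ssid": "NeighbourNet", "bssid": "aa:bb:cc:00:00:01", "channel": 11, "security": "WPA2"},
]


def normalize_ssid(ssid: str) -> str:
    """Collapse case and punctuation so 'Corp-WiFi' and 'corp wifi' compare equal to 'CorpWiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def detect_rogue_aps(scan, authorized):
    """Return (code, ssid, bssid) findings for each suspicious network in the scan.

    UNKNOWN_BSSID      our SSID advertised by a radio not in the inventory
    SECURITY_MISMATCH  our SSID advertised with different security (e.g. open)
    LOOKALIKE_SSID     a name that differs from ours only in case or punctuation
    """
    by_normalized = {normalize_ssid(name): name for name in authorized}
    findings = []
    for net in scan:
        ssid, bssid = net["ssid"], net["bssid"].lower()
        if ssid in authorized:
            known = authorized[ssid]
            if bssid not in known["bssids"]:
                findings.append(("UNKNOWN_BSSID", ssid, bssid))
            if net["security"] != known["security"]:
                findings.append(("SECURITY_MISMATCH", ssid, bssid))
        elif normalize_ssid(ssid) in by_normalized:
            findings.append(("LOOKALIKE_SSID", ssid, bssid))
        # Unrelated SSIDs (the neighbours' network) are not our problem.
    return findings


if __name__ == "__main__":
    for code, ssid, bssid in detect_rogue_aps(SCAN, AUTHORIZED):
        print(f"{code:18} ssid={ssid!r} bssid={bssid}")
```

The open "CorpWiFi" on channel 6 is the classic evil twin, the WPA2 one on channel 11 could be a rogue or an undocumented AP that belongs in the inventory, and "Corp-WiFi" is the look-alike that confuses first-time users; the next step for each is to locate the radio with a directional antenna and a signal-strength reading, not to act on the scan alone.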
Review Activity:
Wireless Security Configuration and
Troubleshooting
3. Widget Corporation has provided wireless access for its employees using
several APs located in different parts of the building. Employees connect
to the network using 802.11g-compatible network cards. On Thursday
afternoon, several users report that they cannot log on to the network.
What troubleshooting step would you take first?
5. Your company has a lobby area where guest access is provided so that
visitors can get Internet access. The open guest WLAN is currently
connected to the production network. The only protection against
visitors and hackers getting into the organization's data is file and
directory rights. What steps should be taken to provide guest access and
better protect the organization's data?
Lesson 15
Summary
You should be able to install and configure appropriate wireless standards and
technologies.
• Consider the devices you will need and any compatibility requirements they
have, in terms of Wi-Fi standards support, such as 802.11a, b, g or Wi-Fi 4 (n), 5
(ac), 6 (ax).
• Obtain a scale drawing of the building and a Wi-Fi analyzer to use to perform a
site survey and generate heat maps of signal strength and channel utilization.
• Determine the range of the AP for the wireless technology you have chosen.
This will help you to better determine how many APs you will need to ensure
adequate coverage for the space.
• Balance the number of users who will have access to the AP, and ensure that the
AP can cover all employees in the range of the AP. More employees in a given
area means more APs.
• Tour the area in the range of the AP, and check to see if there are any devices
that will interfere with the wireless network. This can include devices such as
microwave ovens, Bluetooth-enabled devices, or an existing wireless network—
whether from a community network, a neighboring building, or another floor of
your company's building. These devices or networks can possibly interfere with
your new implementation.
• Ensure that there are no obstacles in the path of the AP, such as doors, closed
windows, walls, and furniture, that the wireless signal will need to pass through
on its way to a client. If there are too many obstacles in the path, adjust the
placement of your AP accordingly.
• Install the APs. The specific steps for installing the AP will vary by vendor, but the
common steps may include:
• Configuring frequency bands and channel layout within each frequency band.
• Perform periodic site surveys to check RSSI at key locations and compare it to
the performance levels recorded in previous site surveys.
Lesson 16
Comparing WAN Links and Remote
Access Methods
LESSON INTRODUCTION
Most local networks require some sort of external connection, whether to the
global Internet or within an enterprise WAN. These long-distance communications
are typically facilitated by service provider links. Supporting WAN and Internet
access effectively is an essential competency to learn.
In this lesson, you will identify the characteristics of WAN service provider offers
and components of remote access network implementations.
Lesson Objectives
In this lesson, you will:
• Explain WAN provider links.
Topic 16A
Explain WAN Provider Links
Understanding the various WAN connectivity devices and methods will help you
support Internet connectivity and the configuration of enterprise WANs. You will
need to understand the capabilities of and limitations of WAN provider links to
choose the one best suited for your network.
The RJ-48 jack has a shorting bar to provide loopback on the connection if the
equipment on the customer side is unplugged. This allows the service provider to test
the line remotely.
The DSU encodes the signal from Data Terminal Equipment (DTE)—that is, the
company’s private branch exchange (PBX) internal telecoms system and/or an
IP router—to a serial digital signal transmitted over copper wiring. The DSU part
functions as a digital modem, while the CSU is used to perform diagnostic tests
on the line. The devices can be supplied separately, but more typically they are
combined as a single WAN interface card that can be plugged into a compatible
router or PBX.
At the data link layer, T1 leased lines typically use either High-level Data Link Control
(HDLC) or Point-to-Point Protocol (PPP).
DSL Modems
A DSL modem is installed as CPE, typically as a multifunction “wireless router,”
where the RJ-11 WAN port connects to the provider’s phone jack over a short length
of ribbon cable. DSL modems can also be supplied as separate appliances or plug-
in cards for routers. A standalone DSL modem is connected to the phone line via
an RJ-11 port and to the local network’s router (or a single computer on the local
network) via an RJ-45 Ethernet port.
RJ-11 DSL (left) and RJ-45 LAN (right) ports on a DSL modem. (Image © 123RF.com.)
A filter (splitter) must be installed on each phone point to prevent noise from
affecting either voice calls or the DSL link. These can either be installed at the
demarc point by the telco engineer or self-installed on each phone point by the
customer.
The main drawback of DSL is that, as a copper-wire technology, it suffers from
attenuation. The maximum range of a DSL modem is typically about 3 miles (5 km),
but the longer the connection, the greater the deterioration in data rate. Domestic
cabling may also be relatively poor quality and pass through “noisy” environments.
DSL Types
There are various types or flavors of DSL. These are standardized by the ITU in a
series of G. recommendations.
• Symmetrical DSL (SDSL) is so-called because it provides the same downlink
and uplink bandwidth. There are various types of symmetric DSL service. SDSL
services tend to be provided as business packages, rather than to residential
customers.
The modem type must match the service. An ADSL-only modem cannot be used to
access a VDSL service, for instance.
A cable modem. The RJ-45 port connects to the local network, while the coax port connects to the
service provider network. (Image © 123RF.com.)
Installation of a cable modem follows the same general principles as for a DSL
modem. The cable modem is interfaced to a computer or router through an
Ethernet or USB adapter and with the access provider’s network by a short segment
of coax. More coax then links all the premises in a street with a Cable Modem
Termination System (CMTS), which routes data traffic via the fiber backbone to
the ISP’s Point of Presence (PoP) and from there to the Internet. Cable based on
the Data Over Cable Service Interface Specification (DOCSIS) supports downlink
speeds of up to 38 Mbps (North America) or 50 Mbps (Europe) and uplinks of up to
27 Mbps. DOCSIS version 3 allows the use of multiplexed channels to achieve
higher bandwidth.
On top of the physical connectivity method, there are multiple service categories for
Carrier Ethernet. Two of these are E-line and E-LAN:
• E-line—Establishes a point-to-point link between two sites. Multiple E-lines can
be configured on a single Metro Ethernet interface, with each E-line representing
a separate VLAN.
These services can be used by the customer to join multiple sites together or as a
way of connecting their enterprise network to the Internet. From the customer’s
perspective, Carrier Ethernet has many advantages. The fact that Carrier Ethernet
is easily scalable affords businesses the flexibility to match the service to their
changing demands. Also, the fact that the same Ethernet protocol and framing
is used on the LAN and connectivity into the public network space can make the
configuration of routers, Layer 3 switches, and firewalls simpler.
Full fiber connections are also being provisioned to residential and small
business customers, though availability can often be limited to a few
metropolitan areas. Rather than dedicated leased lines, these services are
deployed as a passive optical network (PON). Packages are offered in tiers
from 100 Mbps up to 1 Gbps.
In a PON, a single fiber cable is run from an optical line terminal (OLT) at the
provider's exchange to a passive optical splitter located in the street. This shared
link uses wavelength division multiplexing to separate upstream from downstream
traffic and time division multiplexing to share each direction, supporting a ratio of
backhaul fiber to subscribers of 1:64 or 1:128. From the splitter, a shorter length of
fiber runs to an optical network unit (ONU) or optical network terminal (ONT)
installed at the demarc. The ONU/ONT converts the optical signal to an electrical
one and is connected to the customer's router using a copper wire patch cord.
Because every subscriber on a splitter physically receives the downstream frames
of all the others, the PON standards encrypt downstream traffic and each ONT
forwards only the frames addressed to it; the ONT, not the fiber, is the trust boundary.
Microwave Satellite
Satellite systems provide far bigger areas of coverage than can be achieved by
using other technologies. The microwave dishes are aligned to orbital satellites
that can either relay signals between sites directly or via another satellite. The
widespread use of satellite television receivers allows for domestic Internet
connectivity services over satellite connections. Satellite services for business are
also expanding, especially in rural areas where DSL or cable services are unlikely
to be available.
Satellite connections experience quite severe latency problems as the signal must
travel over thousands of miles more than terrestrial connections, introducing a
delay of four to five times what might be expected over a land link. For example,
if you know that accessing a site in the US from Europe takes 200 ms over a land
(undersea) link, accessing the same site over a satellite link could involve a 900 ms
delay. This is an issue for real-time applications, such as videoconferencing, VoIP,
and multiplayer gaming.
To create a satellite Internet connection, the ISP installs a satellite dish, referred
to as a very small aperture terminal (VSAT), at the customer’s premises and aligns
it with the orbital satellite. The size of a VSAT ranges from 1.2 to 2.4 meters in
diameter. The satellites are in geostationary orbit over the equator, so in the
northern hemisphere the dish will be pointing south. The antenna is connected via
coaxial cabling to a Digital Video Broadcast Satellite (DVB-S) modem.
Review Activity:
Explain WAN Provider Links
Topic 16B
Compare and Contrast Remote
Access Methods
• Restricting privileges on the local network (ideally, remote users would only be
permitted access to a clearly defined part of the network).
In addition to this, a management plan should ensure that RASs and other
hardware are kept up to date with the latest software or firmware updates.
Administrative access to the devices should also be secured, using strong
authentication.
Point-to-Point Protocol
VPNs depend on tunneling protocols. Tunneling is used when the source and
destination hosts are on the same logical network but connected via different
physical networks. The Point-to-Point Protocol (PPP) is an encapsulation protocol
that works at the Data Link layer (layer 2). PPP is used to encapsulate IP packets for
transmission over serial digital lines. PPP has no security mechanisms, so must be
used with other protocols to provision a secure tunnel.
IP Security
Internet Protocol Security (IPSec) also operates at the network layer (layer 3) of the
OSI model to encrypt packets passing over any network. IPSec is often used with
other protocols to provide connection security, but is increasingly used as a native
VPN protocol.
Microsoft’s Point-to-Point Tunneling Protocol (PPTP) was once very widely used but has
too many security flaws to be deployed safely.
When a client connected to a remote access VPN tries to access other sites on the
Internet, there are two ways to manage the connection:
• Split tunnel—the client accesses the Internet directly using its “native”
IP configuration and DNS servers.
Full tunnel offers better security, but the network address translations and DNS
operations required may cause problems with some websites, especially cloud
services. It also means more data is channeled over the link and the connection can
exhibit higher latency.
There are several popular alternatives to Remote Desktop. Most support remote
access to platforms other than Windows (macOS and iOS, Linux, Chrome OS, and
Android for instance). Examples include TeamViewer (teamviewer.com/en) and
Virtual Network Computing (VNC), which is implemented by several different
providers (notably realvnc.com/en).
Clientless VPNs
Traditionally, remote desktop products and client-to-site VPNs require a client
app that implements the protocols and authentication methods supported by the
remote desktop/VPN gateway. The canvas element introduced in HTML5 allows a
browser to draw and update a desktop with relatively little lag. It can also handle
audio. This allows ordinary browser software to connect to a remote desktop
or VPN. This is referred to as an HTML5 VPN or clientless VPN (guacamole.
apache.org). This solution also uses a protocol called WebSockets, which enables
bidirectional messages to be sent between the server and client without requiring
the overhead of separate HTTP requests.
VPNs are not always established over the public Internet. A WAN service provider can
implement VPNs via its network. The provider can use VLAN-like technology to isolate a
customer's data from other traffic. This is a common model for site-to-site VPNs.
While VPNs are being covered here as part of remote access, they can be just as usefully
deployed on local networks as a type of network segmentation. For example, the
department for product development might need to provide secure communications
with the marketing department.
DMVPN topology. Each branch office establishes a permanent VPN with the HQ (hub) but can also
create spoke-to-spoke VPNs dynamically. (Images © 123RF.com.)
To configure a DMVPN, each remote site’s router is still connected to the hub router
using an IPSec tunnel. As a large percentage of a remote site’s traffic is likely to be
with the main HQ, this ensures this normal traffic is dealt with efficiently. If two
remote sites (spokes) wish to communicate with one another, the spoke instigating
the link informs the hub. The hub will provide the connection details for the other
spoke facilitating a dynamic IPSec tunnel to be created directly between the two
spokes. This process invokes the use of the Next Hop Router Protocol (NHRP)
to identify destination addresses and the GRE tunneling. GRE encapsulates the
encrypted IPSec packets. The two remote sites use the physical communications
links between the two locations but all traffic flows over the temporary, encrypted
VPN tunnel set up between them. DMVPN will then decide how long this temporary
VPN remains in place based on timers and traffic flows.
In this way, DMVPN allows remote sites to connect with each other over the public
WAN or Internet, such as when using video conferencing, but doesn’t require a
static VPN connection between sites. This on-demand deployment of IPSec VPNs
is more efficient. Routing policies can be used to select the most reliable path
between the remote sites, which potentially reduces the chance of latency and jitter
affecting any voice/video services running over the VPN.
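The hub-and-spoke exchange described above, as an added example that is not part of the guide or of any vendor's DMVPN implementation: a toy model of the hub acting as the NHRP server (NHRP is expanded as Next Hop Resolution Protocol in RFC 2332), spokes registering their public (NBMA) addresses over the permanent hub tunnel, a spoke asking the hub for another spoke's connection details, a direct tunnel being created on demand, and an idle timer tearing it down. All addresses, the class names, and the idle timeout are constructed for illustration; no packets are sent.

```python
"""Toy model of DMVPN spoke-to-spoke tunnel setup via NHRP (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class Hub:
    """Hub router acting as the NHRP Next Hop Server.

    It keeps the mapping from each spoke's tunnel (overlay) address to its
    NBMA (public, underlay) address, learned when the spoke registers over
    its permanent hub tunnel.
    """

    def __init__(self) -> None:
        self.nhrp_table: Dict[str, str] = {}

    def register(self, tunnel_ip: str, nbma_ip: str) -> None:
        """NHRP registration request sent by a spoke when its hub tunnel comes up."""
        self.nhrp_table[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """NHRP resolution request: return the peer's NBMA address, if registered."""
        return self.nhrp_table.get(tunnel_ip)


@dataclass
class DynamicTunnel:
    peer_nbma: str
    last_used: float


class Spoke:
    """Branch router with a permanent hub tunnel and on-demand spoke tunnels."""

    def __init__(self, tunnel_ip: str, nbma_ip: str, hub: Hub,
                 idle_timeout: float = 600.0) -> None:
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip
        self.hub = hub
        self.idle_timeout = idle_timeout          # constructed value (seconds)
        self.dynamic_tunnels: Dict[str, DynamicTunnel] = {}
        # The permanent hub tunnel comes up first; the spoke then registers.
        hub.register(tunnel_ip, nbma_ip)

    def send(self, dst_tunnel_ip: str, now: float) -> str:
        """Return which path a packet for dst_tunnel_ip takes at time `now`."""
        tun = self.dynamic_tunnels.get(dst_tunnel_ip)
        if tun is not None:
            tun.last_used = now                   # traffic keeps the tunnel alive
            return "direct (existing tunnel)"
        peer_nbma = self.hub.resolve(dst_tunnel_ip)
        if peer_nbma is None:
            # No NHRP mapping: traffic stays on the permanent hub tunnel.
            return "via hub"
        # The hub supplied the other spoke's connection details, so a direct
        # IPSec-protected GRE tunnel is brought up between the two spokes.
        # (Real DMVPN forwards the first packets via the hub while resolving.)
        self.dynamic_tunnels[dst_tunnel_ip] = DynamicTunnel(peer_nbma, now)
        return f"direct (new tunnel to {peer_nbma})"

    def expire_idle(self, now: float) -> List[str]:
        """Tear down spoke-to-spoke tunnels idle for longer than the timeout."""
        expired = [ip for ip, t in self.dynamic_tunnels.items()
                   if now - t.last_used >= self.idle_timeout]
        for ip in expired:
            del self.dynamic_tunnels[ip]
        return expired


def demo() -> List[str]:
    """Walk through registration, resolution, reuse, expiry and rebuild."""
    hub = Hub()
    spoke_a = Spoke("10.0.0.2", "203.0.113.2", hub, idle_timeout=600)
    Spoke("10.0.0.3", "203.0.113.3", hub, idle_timeout=600)   # second branch
    log = [
        spoke_a.send("10.0.0.3", now=0),      # resolved via hub, direct tunnel built
        spoke_a.send("10.0.0.3", now=100),    # dynamic tunnel reused
        spoke_a.send("10.0.0.9", now=100),    # unknown spoke: stays on hub tunnel
    ]
    log.append("expired: " + ",".join(spoke_a.expire_idle(now=800)))  # idle 700 s
    log.append(spoke_a.send("10.0.0.3", now=800))   # rebuilt on demand
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point to take from the model is operational: the hub is the only device that must know every spoke, the spoke-to-spoke tunnel exists only while traffic flows, and an unregistered destination silently falls back to the hub path, which is where monitoring should expect to see it.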
Authentication Header
The Authentication Header (AH) protocol performs a cryptographic hash on
the whole packet, including the IP header, plus a shared secret key (known
only to the communicating hosts), and adds the resulting hash value to its header
as an Integrity Check Value (ICV). The recipient performs the same function on the
packet and key and should derive the same value to confirm that the packet
has not been modified. The payload is not encrypted so this protocol does not
provide confidentiality. Also, the inclusion of IP header fields in the ICV means
that the check will fail across NAT gateways, where the IP address is rewritten.
Consequently, AH is not often used.
IPSec datagram using AH. The integrity of the payload and IP header is ensured by the Integrity
Check Value (ICV), but the payload is not encrypted.
IPSec datagram using ESP. The TCP header and payload from the original packet are encapsulated
within ESP and encrypted to provide confidentiality.
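The AH integrity check described above, as an added example rather than code from the guide or from any IPSec implementation: a keyed hash (HMAC-SHA-256, truncated to 128 bits as RFC 4868 specifies for IPSec) is computed over the IP header and payload with a shared secret, mutable header fields (TTL and header checksum) are zeroed before hashing as AH requires, and the verification is then repeated after a normal router hop, after a NAT gateway rewrites the source address, and after the payload is tampered with. The addresses, the key and the payload bytes are constructed; the datagram is a Python dict, not a real packet on the wire.

```python
"""AH-style Integrity Check Value demonstrated with HMAC (added example)."""
import hashlib
import hmac
import socket
import struct
from typing import Dict

# Constructed shared secret known only to the two IPSec peers (example value).
SHARED_KEY = b"example-shared-secret-for-illustration"
AH_PROTOCOL_NUMBER = 51


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options (checksum left at zero)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(header: bytes) -> bytes:
    """Copy of the header with fields that legitimately change in transit zeroed."""
    h = bytearray(header)
    h[8] = 0                  # TTL is decremented by every router
    h[10:12] = b"\x00\x00"    # header checksum changes whenever TTL does
    return bytes(h)           # source/destination addresses stay covered


def compute_icv(header: bytes, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """ICV = HMAC-SHA-256 over immutable header fields + payload, 128-bit truncation."""
    mac = hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256).digest()
    return mac[:16]


def protect(header: bytes, payload: bytes, key: bytes = SHARED_KEY) -> Dict[str, bytes]:
    """Sender side: attach the ICV to the datagram."""
    return {"header": header, "icv": compute_icv(header, payload, key), "payload": payload}


def verify(datagram: Dict[str, bytes], key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    expected = compute_icv(datagram["header"], datagram["payload"], key)
    return hmac.compare_digest(expected, datagram["icv"])


def decrement_ttl(datagram: Dict[str, bytes]) -> Dict[str, bytes]:
    """What an ordinary router does: TTL goes down by one."""
    h = bytearray(datagram["header"])
    h[8] -= 1
    return {**datagram, "header": bytes(h)}


def nat_rewrite_source(datagram: Dict[str, bytes], new_src: str) -> Dict[str, bytes]:
    """What a NAT gateway does: the source address (bytes 12..15) is rewritten."""
    h = bytearray(datagram["header"])
    h[12:16] = socket.inet_aton(new_src)
    return {**datagram, "header": bytes(h)}


def demo() -> Dict[str, bool]:
    """Run the check across the four situations discussed in the text."""
    payload = b"constructed TCP segment bytes"
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.20", ttl=64,
                            proto=AH_PROTOCOL_NUMBER, total_len=20 + len(payload))
    dg = protect(hdr, payload)
    return {
        "unmodified": verify(dg),
        "after_router_hop": verify(decrement_ttl(dg)),                  # still valid
        "after_nat": verify(nat_rewrite_source(dg, "203.0.113.5")),     # fails
        "payload_tampered": verify({**dg, "payload": payload + b"!"}),  # fails
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} ICV valid: {ok}")
```

The NAT case is the practical reason AH is rarely deployed: the gateway is doing exactly what it is meant to do, yet the receiver cannot distinguish that from an attacker forging the source address, so the datagram is dropped. ESP, which does not cover the outer IP header, survives the same rewrite.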
With ESP, algorithms for both confidentiality (symmetric cipher) and authentication
integrity (hash function) are usually applied together. It is possible to use one or the
other, however.
The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats
are different. IPSec makes use of extension headers in IPv6 while in IPv4, ESP and AH
are allocated new IP protocol numbers (50 and 51), and either modify the original IP
header or encapsulate the original packet, depending on whether transport or tunnel
mode is used.
Lesson 16: Comparing WAN Links and Remote Access Methods | Topic 16B
USB and RJ-45 type console ports plus AUX and other management interfaces on a router.
(Image © 123RF.com.)
Use a secure connection protocol (HTTPS rather than HTTP, or SSH rather than Telnet)
for the management interface. This applies to OOB too, but it is critical for in-band
management.
Review Activity:
Remote Access Methods
1. What step can you take to prevent unauthorized use of a remote access
server?
2. What type of client-to-site VPN ensures that any traffic from the remote
node can be monitored from the corporate network while the machine is
joined to the VPN?
4. What difference does DMVPN make to a hub and spoke VPN topology?
5. What IPSec mode would you use for data confidentiality on a private
network?
Lesson 16
Summary
You should be able to explain WAN provider links and compare and contrast
remote access methods and security implications.
• Develop a remote access policy to ensure only authorized users can connect
and ensure that the network is not compromised by remote clients with weak
security configurations.
• Support site-to-site VPNs in hub and spoke topologies using protocols such as
IPSec and GRE.
Lesson 17
Explaining Organizational and
Physical Security Concepts
LESSON INTRODUCTION
The cabling, switches, routers, security appliances, servers, and clients that make
up a local network must all be located within a site. Managing a site so that the
network is highly available and secure involves creating policies and best practices,
supported by documentation. This might seem less immediately rewarding than
getting a new application or server up-and-running, but these kinds of operational
procedures are just as important to well-managed networks.
Site management can also involve the management of unfamiliar technologies,
such as physical access controls, embedded systems, and Internet of Things (IoT)
devices. As a network technician, you will be expected to be aware of the unique
challenges posed by incorporating these systems within sites and networks.
Lesson Objectives
In this lesson, you will:
• Explain organizational documentation and policies.
Topic 17A
Explain Organizational
Documentation and Policies
Configuration Management
Configuration management means identifying and documenting all the
infrastructure and devices installed at a site. ITIL® is a popular documentation of
good and best practice activities and processes for delivering IT services. Under ITIL,
configuration management is implemented using the following elements:
• Service assets are things, processes, or people that contribute to the delivery of
an IT service. Each asset must be identified by some sort of label.
Change Management
A documented change management process minimizes the risk of unscheduled
downtime by implementing changes in a planned and controlled way. The need
to change is often described either as reactive, where the change is forced on the
organization, or as proactive, where the need for change is initiated internally.
Changes can also be categorized according to their potential impact and level of risk
(major, significant, minor, or normal, for instance).
In a formal change management process, the need or reasons for change and the
procedure for implementing the change is captured in a Request for Change (RFC)
document and submitted for approval. The RFC will then be considered at the
appropriate level and affected stakeholders will be notified. Major or significant
changes might be managed as a separate project and require approval through a
Change Advisory Board (CAB).
Audit Reports
An audit report focuses on identifying and recording assets. There are many
software suites and associated hardware solutions available to assist with
audit tracking and managing inventory. An asset management database can be
configured to store as much or as little information as is deemed necessary, though
typical data would be type, model, serial number, asset ID, location, user(s), value,
and service information. For each asset record, there should also be a copy of or
link to the appropriate vendor documentation. This includes both an invoice and
warranty/support contract and support and troubleshooting guidance.
A product such as Lansweeper assists inventory management by scanning network hosts and compiling
an asset information database automatically. (Screenshot used with permission from Lansweeper.)
Assessment Reports
Where an audit report focuses on identifying and documenting assets, an
assessment report evaluates the configuration and deployment of those assets,
such as deviation from baseline configuration or performance. The report will
make recommendations where the network is not meeting goals for performance
or security. Audit and assessment reports are often contracted to third parties and
might be driven by regulatory or compliance demands.
Floor Plan
A floor plan is a detailed diagram of wiring and port locations. For example, you
might use floor plans to document wall port locations and cable runs in an office.
Physically accurate floor plans are hard to design and are likely to require the help
of an architect or graphics professional.
Wiring Diagram
A wiring diagram (or pin-out) shows detailed information about the termination
of twisted pairs in an RJ-45 or RJ-48C jack or Insulation Displacement Connector
(IDC). You might also use a wiring diagram to document how fiber-optic strands are
terminated.
You should document the wiring diagrams used to terminate twisted pairs. Ethernet
is wired by T568A or T568B, and the same standard should be used consistently
throughout the network.
Distribution Frame
A port location diagram identifies how wall ports located in work areas are
connected back to ports in a distribution frame or patch panel and then from the
patch panel ports to the switch ports. Within a structured cabling system, there are
two types of distribution frame:
• Main Distribution Frame (MDF)—The location for distribution/core level
internal switching. The MDF will terminate trunk links from multiple Intermediate
Distribution Frames (IDFs). The MDF also serves as the location for termination
of external (WAN) circuits. You should ensure that WAN links to the Internet or to
remote offices from the MDF are clearly labeled and that key information such
as IP addresses and bandwidth is documented. The WAN provider will assign a
circuit ID, and you will need to quote this if raising any sort of support issue.
In addition to having a diagram, it can be very useful to take a photo of the current
configuration by using a digital camera or smartphone. This provides an additional
visual reference for troubleshooting and identifying unauthorized changes.
In order for a physical diagram of cabling and assets to make any sense, there must be
a system of labeling in place for identifying these assets. A typical type of port naming
convention is for alphanumeric identifiers for the campus (for multicampus networks),
building (for campus networks), telecommunications space, and port. For example,
CB01-01A-D01 could refer to a cable terminating at Main Campus Building (CB01),
telecommunications space A on floor 1 (01A), data port 1 (D01). Structured cable and
patch cords should be labeled at both ends to fully identify the circuit.
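The labeling convention just described, as an added example that is not part of the guide: a small validator that parses labels of the CB01-01A-D01 form into building, floor, telecommunications space, port type code and port number, rebuilds a label from those parts, and reports which entries in an inventory export do not follow the convention. The exact field widths (two letters plus two digits for the building, two digits for the floor, one letter each for the space and port type, two digits for the port) are assumptions read from the single example in the text; the sample labels are constructed.

```python
"""Validator for CB01-01A-D01 style port labels (added example)."""
import re
from typing import Dict, Iterable, List, Union

# Assumed field widths, taken from the one worked example in the text:
# <building><floor><space>-<port type><port number>, e.g. CB01-01A-D01.
LABEL_RE = re.compile(
    r"^(?P<building>[A-Z]{2}\d{2})-"
    r"(?P<floor>\d{2})(?P<space>[A-Z])-"
    r"(?P<port_type>[A-Z])(?P<port>\d{2})$"
)


def parse_port_label(label: str) -> Dict[str, Union[str, int]]:
    """Split a label into its parts; raise ValueError if it breaks the convention."""
    m = LABEL_RE.match(label.strip())
    if m is None:
        raise ValueError(f"label does not follow the naming convention: {label!r}")
    return {
        "building": m["building"],
        "floor": int(m["floor"]),
        "space": m["space"],
        "port_type": m["port_type"],   # 'D' is the data-port code used in the text
        "port": int(m["port"]),
    }


def format_port_label(building: str, floor: int, space: str,
                      port_type: str, port: int) -> str:
    """Build a label from parts and round-trip it through the parser as a check."""
    label = f"{building}-{floor:02d}{space}-{port_type}{port:02d}"
    parse_port_label(label)
    return label


def check_labels(labels: Iterable[str]) -> Dict[str, List[str]]:
    """Sort an inventory's labels into those that parse and those that do not."""
    report: Dict[str, List[str]] = {"valid": [], "invalid": []}
    for label in labels:
        try:
            parse_port_label(label)
            report["valid"].append(label)
        except ValueError:
            report["invalid"].append(label)
    return report


def demo() -> dict:
    """Constructed inventory lines: two conforming, one with a one-digit floor,
    one free-text label that cannot be tied back to a location at all."""
    sample = ["CB01-01A-D01", "CB01-02B-D15", "CB01-1A-D01", "SwitchPort7"]
    report: dict = check_labels(sample)
    report["parsed"] = parse_port_label("CB01-01A-D01")
    report["rebuilt"] = format_port_label("CB01", 1, "A", "D", 1)
    return report


if __name__ == "__main__":
    print(demo())
```

Running a check like this over a patch-panel export is a cheap way to find the ports whose labels cannot be mapped back to a floor plan, which are exactly the ones that are hardest to audit for unauthorized changes.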
Rack Diagrams
A rack system is a specially configured steel shelving system for patch panels,
switches and routers, and server devices. Racks are standard widths and can fit
appliances using standard height multiples of 1.75" called units (U). For example, a
basic switch might be 1U while a server might be 4U (7") in height.
A rack diagram records the position of each appliance in the rack. You can obtain
stencils that represent vendor equipment from their websites or a collection such
as visiocafe.com. You can record key configuration information for each item
using labels. As well as service tags and port IDs and links, you should identify
which power outlets on the uninterruptible power supply (UPS) connect to which
appliance power supply units (PSUs).
Designing rack layout in Microsoft Visio. (Screenshot used with permission from Microsoft.)
• Logical (IP/Layer 3)—IP addresses of router interfaces (plus any other static
IP assignments) and firewalls, plus links showing the IP network ID and netmask,
VLAN ID (if used), and DHCP scopes.
• Application—Server instances and TCP/UDP ports in use. You might also include
configuration information and performance baselines (CPU, memory, storage,
and network utilization) at this level.
Schematics can either be drawn manually using a tool such as Microsoft® Visio® or
compiled automatically from network mapping software.
Schematics can use either representative icons or pictures or drawings of actual
product models. As far as icons go, the ones created by Cisco are recognized as
standards. These are freely available (without alteration) from Cisco’s website (cisco.
com/c/en/us/about/brand-center/network-topology-icons.html). Some of the more
commonly used devices are shown here:
2. It may also be important to preserve evidence of the incident with the aim of
prosecuting the perpetrators. Forensic evidence collection can interfere with
re-establishing availability, however.
• Train staff in the disaster planning procedures and how to react well to adverse
events.
Onboarding
Onboarding is the process of welcoming a new employee to the organization.
Similar principles apply to taking on new suppliers or contractors. Some of the tasks
that most affect security during the onboarding process are as follows:
• Background check—This process essentially determines that a person is
who they say they are and are not concealing criminal activity, bankruptcy, or
connections that would make them unsuitable or risky. Employees working in
high confidentiality environments or with access to high value transactions will
obviously need to be subjected to a greater degree of scrutiny.
• Identity and access management (IAM)—Create an account for the user to
access the computer system, assign the appropriate privileges, and ensure the
account credentials are known only to the valid user.
Offboarding
Offboarding is the process of ensuring that an employee leaves a company
gracefully. In terms of security, there are several processes that must be
completed:
• IAM—Disable the user account and privileges. Ensure that any information
assets created or managed by the employee but owned by the company are
accessible (in terms of encryption keys or password-protected files).
Usage Policies
Usage policies set out rules for how users should interact with network systems and
data.
Password Policy
A password policy instructs users on best practice in choosing and maintaining
a network access credential. Password protection policies mitigate against the
risk of attackers being able to compromise an account and use it to launch other
attacks on the network. For example, users must be instructed not to write down
passwords, store them in unsecure files, or share them with other users. The
credential management policy also needs to alert users to different types of social
engineering and phishing attacks.
System-enforced policies can help to enforce credential management principles by
stipulating requirements for user-selected passwords. The following rules enforce
password complexity and make them difficult to guess or compromise:
• Length—The longer a password, the stronger it is. A typical strong network
password should be 12 to 16 characters. A longer password or passphrase might
be used for mission critical systems or devices where logon is infrequent.
BYOD Policies
A mobile deployment model describes the way employees are provided with
smartphone or tablet devices and applications. Some companies issue employees
with corporate-owned and controlled devices and insist that only these are used
to process company data. Other companies might operate a bring your own
device (BYOD) policy. BYOD means that the mobile is owned by the employee
and can be used on the corporate network so long as it meets a minimum
specification required by the company (in terms of OS version and functionality).
The employee will have to agree on the installation of corporate apps and to
some level of oversight and auditing. Very often, BYOD devices are registered
with enterprise management software and configured with sandboxed corporate
workspaces and apps.
Enterprise management software can be used to segment corporate data from personal
data on BYOD devices. (Screenshot used with permission from Google.)
Common Agreements
Agreements are used between a company and its employees and between
companies to enforce performance and security objectives.
Non-Disclosure Agreement
A non-disclosure agreement (NDA) is the legal basis for protecting information
assets. It defines what uses of sensitive data are permitted, what storage and
distribution restrictions must be enforced, and what penalties breaches of the
agreement will incur. A contract of employment is highly likely to contain NDA
clauses. NDAs are also used between companies and contractors and between two
companies.
Memorandum of Understanding
A memorandum of understanding (MOU) is a preliminary or exploratory
agreement to express an intent to work together. MOUs are usually intended to be
relatively informal and not to act as binding contracts. MOUs almost always have
clauses stating that the parties shall respect confidentiality, however.
Review Activity:
Organizational Documentation
and Policies
Topic 17B
Explain Physical Security Methods
In this topic, you will examine ways to enhance the physical security of a network
site. For a network to be secure, access to the building and certain areas must
be controlled. An understanding of procedures and hardware that improve the
physical security of site premises will help reduce the risk of intrusion.
Two types of electronic lock with biometric reader (left) and badge/card reader (right).
(Images © 123RF.com.)
Locking Racks
Installing equipment within secure cabinets or enclosures provides mitigation
against insider attack and attacks that have broken through the perimeter security
mechanisms. These can be supplied with key-operated or electronic locks. It is also
possible to provision lockable brackets and drawers to protect or isolate individual
elements within a rack.
Some datacenters may contain racks with equipment owned by different
companies (colocation). These racks can be installed inside cages so that technicians
can only physically access the racks housing their own company’s servers and
appliances.
Colocation cages. (Image © Chris Dag and shared with CC BY 2.0 flickr.com/photos/chrisdag/
865 118 1.)
Locking Cabinets
Lockable cabinets or safes can provide secure storage for individual items, such as
media with cryptographic keys or shared password lists.
Smart Lockers
A smart locker is a cabinet that supports unlocking via a smart card/badge or
biometric. Lockers may also have built-in monitoring and surveillance that can alert
an administrator when an item is added or removed.
Detection-Based Devices
Detection-based controls provide an important additional layer of defense in the
event that prevention-based controls fail to work. For example, surveillance is
another layer of security designed to improve the resilience of perimeter gateways.
Effective surveillance mechanisms ensure that attempts to penetrate a barricade
are detected. Surveillance may be focused on perimeter areas or within security
zones themselves. Surveillance can be performed by security guards or via video.
Camera-based surveillance is a cheaper means of monitoring than maintaining
separate guards at each gateway or zone.
Cameras
A security camera is either fixed or can be operated using Pan-Tilt-Zoom (PTZ)
controls. Different cameras suit different purposes. If you want to record the image
of every person entering through an access control vestibule, a fixed, narrow focal
length camera positioned on the doorway will be perfectly adequate. If you want to
survey a large room and pick out individual faces, a camera with PTZ is required.
Pan-tilt-zoom CCTV installed to monitor a server room. (Image by Dario Lo Presti © 123RF.com.)
Asset Tags
An asset tag shows the ID of a device or component and links it to an inventory
management database. Radio Frequency ID (RFID) asset tracking tags allow
electronic surveillance of managed assets. The tags can be detected at entry/exit
points to prevent theft. A battery-powered component might be in the tag, or the
tag might be passive and read and scanned by a powered device. The tags are
entered into a tracking database, which also usually has a map of the coverage area
so that a particular asset can be located.
As well as protecting building areas, alarms can be installed on rack systems and
appliance chassis. For example, a chassis intrusion alarm can alert an administrator
if a server case is opened.
Another potential threat is that an attacker could splice a tap into network data
cable. A physically secure cabled network is referred to as a Protected Distribution
System (PDS). A hardened PDS is one where all cabling is routed through sealed
metal conduit and subject to periodic visual inspection. Lower grade options are
to use different materials for the conduit (plastic, for instance). Tamper detection
alarm systems can be implemented within the cable conduit.
Asset Disposal
Physical security controls also need to take account of the disposal phase of
the system life cycle. When a server or appliance is disposed of by resale, gift,
or recycling, there is a risk that software licenses could be misused or that
configuration information valuable to an attacker could be leaked. These risks
can be mitigated by ensuring that the built-in factory reset routine is invoked to
wipe any custom configuration settings or modifications when decommissioning a
server, switch, router, firewall, or printer.
A factory reset may leave data remnants, however. Data remnant removal is
critical because an organization’s confidential data or personal/sensitive data held
could be compromised.
Data remnant removal refers to ensuring that no data is recoverable from hard disk
drives (HDDs), flash devices or solid state drives (SSDs), tape media, CD and DVD
ROMs before they are disposed of or put to a different use. Paper documents must
also be disposed of securely. Data remnants can be dealt with either by destroying
the media or by sanitizing it (removing the confidential information but leaving the
media intact for reuse).
Methods of destroying media include incineration, pulverization, and degaussing
(for magnetic media such as hard drives).
Media sanitization refers to erasing data from HDD, SSD, and tape media before
they are disposed of or put to a different use. The standard method of sanitizing an
HDD is called overwriting. This can be performed using the drive’s firmware tools or
a utility program. The basic type of overwriting is called zero filling, which just sets
each bit to zero. Single-pass zero filling can leave patterns that can be read with
specialist tools. A more secure method is to overwrite the content with one pass
of all zeros, then a pass of all ones, and then one or more additional passes in a
pseudorandom pattern.
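The HDD overwriting sequence just described (a pass of zeros, a pass of ones, then a pseudorandom pass), as an added example that is not code from the guide or from any sanitization utility: it writes each pass in chunks over a file-like object, then checks that the original plaintext is no longer present and that the media is not left as a constant pattern. The demo operates on an in-memory buffer standing in for a disk; the "CONFIDENTIAL" record it fills the buffer with is constructed. Per the text, this method applies to HDDs only; on SSDs the controller's wear leveling means overwrites are not reliable.

```python
"""Multi-pass overwrite for HDD sanitization (added example)."""
import io
import os
from typing import BinaryIO, Callable, Dict, List

CHUNK = 64 * 1024   # write size per iteration; constructed value


def _overwrite(fh: BinaryIO, size: int, pattern: Callable[[int], bytes]) -> None:
    """Write `size` bytes produced by `pattern` from the start of the media."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()


def zero_fill(fh: BinaryIO, size: int) -> List[str]:
    """The basic single pass: every bit set to zero."""
    _overwrite(fh, size, lambda n: b"\x00" * n)
    return ["zeros"]


def multi_pass_overwrite(fh: BinaryIO, size: int, random_passes: int = 1) -> List[str]:
    """Zeros, then ones, then one or more pseudorandom passes; returns the pass names."""
    passes = [("zeros", lambda n: b"\x00" * n), ("ones", lambda n: b"\xff" * n)]
    passes += [("random", os.urandom)] * max(1, random_passes)
    done: List[str] = []
    for name, pattern in passes:
        _overwrite(fh, size, pattern)
        done.append(name)
    return done


def contains(fh: BinaryIO, size: int, needle: bytes) -> bool:
    """Scan the media for a byte string, handling matches that straddle chunks."""
    fh.seek(0)
    tail = b""
    remaining = size
    while remaining > 0:
        chunk = fh.read(min(CHUNK, remaining))
        if not chunk:
            break
        remaining -= len(chunk)
        if needle in tail + chunk:
            return True
        tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


def demo() -> Dict[str, object]:
    """Sanitize an in-memory stand-in for a drive and verify the result."""
    original = b"CONFIDENTIAL customer record\n" * 2000    # constructed content
    media = io.BytesIO(bytearray(original))
    size = len(original)
    passes = multi_pass_overwrite(media, size)
    final = media.getvalue()
    return {
        "passes": passes,
        "plaintext_gone": not contains(media, size, b"CONFIDENTIAL"),
        "left_as_constant": final in (b"\x00" * size, b"\xff" * size),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real disk the same functions would be given a file handle opened on the block device in `r+b` mode with its size taken from the device, followed by `os.fsync` so the last pass actually reaches the platters; the verification read is what turns a hopeful overwrite into evidence for the disposal record.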
Secure Erase
Since 2 , the SATA and Serial Attached SCSI (SAS) specifications have included
a Secure Erase (SE) command. This command can be invoked using a drive/
array utility or the hdparm Linux utility. On HDDs, this performs a single pass of
zero-filling.
For SSDs and hybrid drives and some USB thumb drives and flash memory cards,
overwriting methods are not reliable, because the device uses wear-leveling
routines in the drive controller to communicate which locations are available for
use to any software process accessing the device. On SSDs, the SE command marks
all blocks as empty. A block is the smallest unit on flash media that can be given an
erase command. The drive firmware’s automatic garbage collectors then perform
the actual erase of each block over time. If this process is not completed (and there
is no progress indicator), there is a risk of remnant recovery, though this requires
removing the chips from the device to analyze them in specialist hardware.
Employee Training
Employee training is another type of prevention-based security control. Untrained
users represent a serious vulnerability because they are susceptible to social
engineering and malware attacks and may be careless when handling sensitive or
confidential data or allowing access to premises.
• Site security procedures, restrictions, and advice, including safety drills, escorting
guests, use of secure areas, and use of personal devices.
• Secure use of software such as browsers and email clients plus appropriate use
of Internet access, including social networking sites.
Review Activity:
Physical Security Methods
Topic 17C
Compare and Contrast Internet
of Things Devices
Many people and businesses are deploying Internet of Things (IoT) devices in their
homes and offices, and some businesses depend on the underlying embedded
systems technology for manufacturing and inventory control. In this topic, you
will examine how these technologies can be integrated securely with or alongside
corporate data networks.
Internet of Things
The term Internet of Things (IoT) is used to describe the global network of
personal devices, home appliances, home control systems, vehicles, and other
items that have been equipped with sensors, software, and network connectivity.
These features allow these types of objects to communicate and pass data between
themselves and other traditional systems like computer servers. This is often
referred to as Machine to Machine (M2M) communication.
IoT Networks
Each device in an IoT network is identified with some form of unique serial number
or code embedded within its own operating or control system and can interoperate
within the existing Internet infrastructure, either directly or via an intermediary.
As these devices tend to be small and often either unpowered or dependent on
battery power, the standard Ethernet, cellular, and Wi-Fi networking products that
connect computers are not always suitable for use. Other networking standards
and products have been developed to facilitate IoT networks.
Cellular Networks
A cellular network for IoT enables long-distance communication over the same
system that supports mobile and smartphones. This is also called baseband radio,
after the baseband processor that performs the function of a cellular modem.
There are several baseband radio technologies:
• Narrowband-IoT (NB-IoT)—this refers to a low-power version of the Long Term
Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth
than regular cellular. This means that data rates are limited (20-100 kbps), but
most sensors need to send small packets with low latency, rather than making
large data transfers. Narrowband also has greater penetrating power, making
it more suitable for use in inaccessible locations, such as tunnels or deep within
buildings, where ordinary cellular connectivity would be impossible.
Smart Buildings
By contrast with consumer-grade components, there should be less scope for
compromise in the entry mechanisms and climate/lighting control components
of a properly designed smart building system. Management and monitoring of
the system should be performed over isolated network segments. Configuration
management and change control processes should ensure that no weak
configurations are introduced and that vendor advisories are tracked for any known
vulnerabilities or exploits so that these can be patched or mitigated.
ICS/SCADA
While an ICS or SCADA is typically implemented as a dedicated OT or wireless WAN
network, there may be points where these networks are linked to a corporate data
network. Historically, these vulnerable links and bridging hosts have been exploited
by threat actors. There are risks both to embedded systems from the data network
and to corporate data assets and systems from the embedded network. Links
between OT and IT networks must be monitored and subject to access controls.
Review Activity:
Internet of Things Devices
Lesson 17
Summary
• Establish security response plans and procedures for incident response, disaster
recovery, and business continuity.
• Develop an overall security policy and then determine the number and type of
subpolicies and agreement types that must be created, such as onboarding/
offboarding, AUPs, BYOD, password management, remote access, employee
training, SLA, NDA, MoU, and so on.
• Review use of access control hardware and surveillance methods to ensure that
sites and server/equipment rooms are protected by prevention and detection
security controls.
• Enforce policies and procedures for ensuring a configuration wipe and remnant
removal when disposing of assets.
• Enforce policies and procedures for ensuring secure use of IoT devices and
industrial control systems, especially in terms of patch/security management
and connections to data networks.
Lesson 18
Explaining Disaster Recovery and
High Availability Concepts
LESSON INTRODUCTION
Even with effective management procedures and premises security controls,
disasters can overwhelm a site and threaten the core functions that a business
must perform. Planning for disasters and designing systems for high availability is
critical to supporting these mission essential functions. As an entry-level technician
or administrator, you should be able to explain the importance of these concepts
and identify the tools and techniques used to implement them.
Lesson Objectives
In this lesson, you will:
• Explain disaster recovery concepts.
Topic 18A
Explain Disaster Recovery Concepts
While you have considered troubleshooting scenarios in which a single host loses
network connectivity or where a fault in a switch, router, or DHCP/DNS service
creates problems for a network segment, you also need to consider problems with
network availability across an entire site. The plans used to minimize the risk of
site-wide problems are referred to as business continuity, while the plans used
to mitigate these issues if they do occur are called disaster recovery. At this stage
in your career, it is important that you understand the concepts underpinning
these plans, so that you can assist with business continuity and disaster recovery
operations.
High Availability
One of the key properties of a resilient system is availability. Availability is the
percentage of time that the system is online, measured over a certain period,
typically one year. The corollary of availability is downtime; that is, the percentage
or amount of time during which the system is unavailable.
High availability is a characteristic of a system that can guarantee a certain
level of availability. The Maximum Tolerable Downtime (MTD) metric states
the requirement for a business function. Downtime is calculated from the sum of
scheduled service intervals (Agreed Service Time) plus unplanned outages over the
period. High availability might be implemented as 24x7 (24 hours per day, 7 days
per week) or 24x365 (24 hours per day, 365 days per year). For a critical system,
availability will be described as two-nines (99%) up to five- or six-nines (99.9999%).
Lesson 18: Explaining Disaster Recovery and High Availability Concepts | Topic 18A
The MTD metric sets the upper limit on the amount of recovery time that system
and asset owners have to resume operations. Additional metrics can be used to
govern recovery operations:
• Recovery time objective (RTO) is the period following a disaster that an
individual IT system may remain offline. This represents the maximum amount
of time allowed to identify that there is a problem and then perform recovery
(restore from backup or switch in an alternative system, for instance).
• Recovery Point Objective (RPO) is the amount of data loss that a system can
sustain, measured in time units. That is, if a database is destroyed by a virus, an
RPO of 24 hours means that the data can be recovered from a backup copy to a
point not more than 24 hours before the database was infected.
in a RAID array. One had failed after years, but had never been replaced, and
the second failed after 4 years, bringing down the array and the server. The
MTTF of the drives is ( + 4)/2 2 years.
• Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault
so that the system is restored to full operation. This can also be described as
mean time to replace or recover. MTTR is calculated as the total number of
hours of unplanned maintenance divided by the number of failure incidents.
This average value can be used to estimate whether a recovery time objective
(RTO) is achievable.
• Network links—If there are multiple paths between switches and routers, these
devices can automatically failover to a working path if a cable or network port is
damaged.
• Cluster services—A means of ensuring that the total failure of a server does not
disrupt services generally.
Recovery Sites
Within the scope of business continuity planning, disaster recovery plans (DRPs)
describe the specific procedures to follow to recover a system or site to a working
state. A disaster could be anything from a loss of power or failure of a minor
component to manmade or natural disasters, such as fires, earthquakes, or acts
of terrorism.
Providing redundant devices and spares or network links allows the spare devices
to be swapped in if existing systems fail. Enterprise-level networks often also
provide for spare sites. A spare site is another location that can provide the same
(or similar) level of service. A disaster or systems failure at one site will cause
services to failover to the alternate processing site. Disaster recovery planning
must demonstrate how this will happen, what checks need to be made to ensure
that failover has occurred successfully (without loss of transactional data or
service availability), and how to revert to the primary site once functionality is
restored there.
• A warm site could be similar, but with the requirement that the latest data set
will need to be loaded.
• A cold site takes longer to set up. A cold site may be an empty building with a lease
agreement in place to install whatever equipment is required when necessary.
Clearly, providing redundancy on this scale can be very expensive. Sites are often
leased from service providers. However, in the event of a nationwide emergency,
demand for the services is likely to exceed supply. Another option is for businesses
to enter into reciprocal arrangements to provide mutual support. This is cost
effective but complex to plan and set up.
For many companies, the most cost-effective solution is to move processing and
data storage to a cloud site. A cloud operator should be able to maintain hot site
redundancy so that a disaster in one geographic area will not disrupt service,
because the cloud will be supported by a datacenter in a different region.
Fire Suppression
Health and safety legislation dictates what mechanisms an organization must put in
place to detect and suppress fires. Some basic elements of fire safety include:
• Well-marked fire exits and an emergency evacuation procedure that is tested
and practiced regularly.
• Building design that does not allow fire to spread quickly, by separating different
areas with fire-resistant walls and doors.
Fire suppression systems work on the basis of the fire triangle. The fire triangle
works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn.
Removing any one of those elements provides fire suppression (and prevention).
In the United States (and most other countries), fires are divided by class under the
NFPA (National Fire Protection Association) system, according to the combustible
material that fuels the fire. Portable fire extinguishers come in several different
types, with each type being designed for fighting a particular class of fire. Notably,
Class C extinguishers use gas-based extinguishing and can be used where the risk
of electric shock makes other types unsuitable.
Premises may also be fitted with an overhead sprinkler system. Wet-pipe sprinklers
work automatically, are triggered by heat, and discharge water. Wet-pipe systems
constantly hold water at high pressure, so there is some risk of burst pipes and
accidental triggering, as well as the damage that would be caused in the event of
an actual fire. There are several alternatives to wet-pipe systems that can minimize
damage that may be caused by water flooding the room.
Power Management
All types of network nodes require a stable power supply to operate. Electrical
events, such as voltage spikes or surges, can crash computers and network
appliances, while loss of power from brownouts or blackouts will cause equipment
to fail. A brownout is where the voltage drops briefly, while a blackout is a complete
loss of power lasting seconds or more. Power management means deploying
systems to ensure that equipment is protected against these events and that
network operations can either continue uninterrupted or be recovered quickly.
Generators
The runtime allowed by a UPS should be sufficient to failover to an alternative
power source, such as a standby generator. If there is no secondary power
source, a UPS will at least allow the administrator to shut down the server or
appliance properly—users can save files, and the OS can complete the proper
shut down routines.
A backup power generator can provide power to the whole building, often for
several days. Most generators use diesel, propane, or natural gas as a fuel
source. A UPS is always required to protect against any interruption to computer
services. A backup generator cannot be brought online fast enough to respond to
a power failure.
Datacenters are also investing in renewable power sources, such as solar, wind,
geothermal, hydrogen fuel cells, and hydro. The ability to use renewable power is a
strong factor in determining the best site for new datacenters. Large-scale battery
solutions, such as Tesla’s Powerpack (tesla.com/powerpack), may be able to provide
an alternative to backup power generators. There are also emerging technologies
to use all the battery resources of a datacenter as a microgrid for power storage
(scientificamerican.com/article/how-big-batteries-at-data-centers-could-replace-
power-plants).
A network appliance may also hold state information that has not been written to
a log and that will not be captured by a backup of the configuration file only. State
information includes data such as the MAC tables in switches or the NAT table in a
firewall. Advanced firewalls may contain additional data such as malware/intrusion
detection signatures. Some devices might log state data to an internal database
that can be backed up periodically. In other cases, if this information needs to be
preserved, the appliance should be configured to log state data to a remote server,
using a protocol such as syslog.
Review Activity:
Disaster Recovery Concepts
3. web have experienced three web server outages in the last five years.
These outages all occurred in separate years and caused one hour, three
hour, and one hour downtime incidents. Assuming the company uses
the same value for MTD and RTO, did the company meet the RTO of two
hours specified in the SLA agreed annually with its customers?
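The availability, MTTF, MTTR and RTO figures in this topic turn naturally into a small calculator, and writing one makes explicit the distinction that review question 3 turns on: MTTR is an average across incidents, whereas RTO caps each individual recovery. The Python below is an added example written for this guide, not CompTIA's own material; HOURS_PER_YEAR, the Outage class and the SAMPLE_OUTAGES figures are constructed for illustration.

```python
"""Availability and recovery metrics worked through in code. Added example for
this guide, not CompTIA's own material; all outage figures are constructed."""

from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24          # 8760; leap years ignored for simplicity


def allowed_downtime_hours(nines: int) -> float:
    """Annual downtime permitted by an availability target of N nines
    (two-nines = 99%, three-nines = 99.9%, ... six-nines = 99.9999%)."""
    unavailable_fraction = 10 ** (-nines)      # e.g. 1 - 0.99 = 0.01
    return HOURS_PER_YEAR * unavailable_fraction


def availability_percent(unplanned_hours: float, agreed_service_hours: float = 0.0) -> float:
    """Availability over one year. Downtime is the sum of scheduled service
    intervals (Agreed Service Time) and unplanned outages."""
    downtime = unplanned_hours + agreed_service_hours
    return 100.0 * (HOURS_PER_YEAR - downtime) / HOURS_PER_YEAR


def mttf_years(lifetimes: list) -> float:
    """MTTF: mean lifetime of the components that failed."""
    return sum(lifetimes) / len(lifetimes)


def mttr_hours(unplanned_hours: float, incidents: int) -> float:
    """MTTR: total unplanned maintenance hours / number of failure incidents."""
    if incidents == 0:
        raise ValueError("MTTR is undefined when there were no incidents")
    return unplanned_hours / incidents


@dataclass(frozen=True)
class Outage:
    year: int       # service year in which the outage occurred
    hours: float    # time taken to restore service


# Constructed data loosely following review question 3: three outages in
# separate years, lasting one, three and one hours.
SAMPLE_OUTAGES = [Outage(1, 1.0), Outage(3, 3.0), Outage(5, 1.0)]


def rto_breaches(outages: list, rto_hours: float) -> list:
    """RTO caps each individual recovery. A low MTTR therefore does not prove
    the RTO was met: a single incident longer than the RTO is a breach even
    when the average recovery time is below it."""
    return [o for o in outages if o.hours > rto_hours]


if __name__ == "__main__":
    for n in (2, 3, 5):
        print(f"{n}-nines allows {allowed_downtime_hours(n):.4f} h/year")
    total = sum(o.hours for o in SAMPLE_OUTAGES)
    print(f"MTTR over the period: {mttr_hours(total, len(SAMPLE_OUTAGES)):.2f} h")
    for o in rto_breaches(SAMPLE_OUTAGES, rto_hours=2.0):
        print(f"RTO breached in year {o.year}: {o.hours} h outage")
```

Run the module directly to see the permitted downtime for two-, three- and five-nines targets alongside the MTTR and per-incident RTO check for the constructed outage list.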
Topic 18B
Explain High Availability Concepts
A network link is often a critical single point of failure. Routers and switches can
provide multiple paths through a network to prevent overdependence on single
critical nodes. A load balancer can switch client traffic to alternative processing
nodes, reducing bottlenecks and allowing for failover services in the event of a host
or network route going down. In this topic, you will learn to explain the technologies
used to provision highly available networks.
Multipathing
Multipathing means that a network node has more than one physical link
to another node. Multipathing is a default feature of full and partial mesh
internetworks, where routers can select alternative paths through the network if
a link is not available. Multipathing can be used anywhere that link redundancy
is required. Two common additional scenarios are connections to storage area
networks (SANs) and Internet access via an Internet Service Provider (ISP):
• SAN multipathing—In a SAN, a server uses shared storage accessed over a
network link. Multipathing means that the server has at least two SAN controllers
each with a dedicated link to the storage network.
This fault tolerance is reduced if both ISPs' links use the same entrance facility.
A physical disaster event such as an earthquake or construction damage is likely
to affect both sets of cables. Diverse paths refers to provisioning links over
separate cable conduits that are physically distant from one another. Another
option is to provision cellular links as a backup, although even if 5G technologies
are available, this is likely to reduce link bandwidth substantially, and even then,
it could be that the 5G backhaul uses some of the same fiber infrastructure as
the cabled circuit.
Lesson 18: Explaining Disaster Recovery and High Availability Concepts | Topic 18B
A server node uses NIC teaming to create a 4 Gbps channel link from four 1 Gbps ports to a
workgroup switch, while the workgroup switch bonds its uplink transceivers to create a 20 Gbps
channel to a router.
Link aggregation can also provide redundancy: if one link is broken, the
connection is still maintained by the other. It is also often cost-effective: a four-
port Gigabit Ethernet card might not match the bandwidth of a 10GbE port but
will cost less.
This configuration is fully redundant only if the business function does not depend on
the full speed of the bonded link. If one port fails and the link drops to 1 Gbps, but that
bandwidth is insufficient, there is not full redundancy.
Load Balancers
Where NIC teaming allows load balancing at the component level, a load balancer
can be deployed as a hardware appliance or software instance to distribute client
requests across server nodes in a farm or pool. You can use a load balancer
in any situation where you have multiple servers providing the same function.
Examples include web servers, front-end email servers, and web conferencing, A/V
conferencing, or streaming media servers. The load balancer is placed in front of
the server network and distributes requests from the client network or Internet
to the application servers. The service address is advertised to clients as a virtual
server. This is used to provision services that can scale from light to heavy loads,
provision fault tolerant services, and to provide mitigation against distributed denial
of service (DDoS) attacks.
We are used to associating switches with Layer 2 (Ethernet), but appliances can perform
switch-like forwarding at Layer 3, Layer 4, and Layer 7. These are collectively referred to
as multilayer switches.
Redundant Hardware/Clusters
Where a load balancer distributes traffic between independent processing nodes,
clustering allows multiple redundant processing nodes that share data with one
another to accept connections. If one of the nodes in the cluster stops working,
connections can failover to a working node. To clients, the cluster appears to be a
single server.
Virtual IP
For example, you might want to provision two load balancer appliances so that if
one fails, the other can still handle client connections. Unlike load balancing with
a single appliance, the public IP used to access the service is shared between the
two instances in the cluster. This is referred to as a virtual IP or shared or floating
address. The instances are configured with a private connection, on which each is
identified by its real IP address. This connection runs some type of redundancy
protocol, such as Common Address Redundancy Protocol (CARP), that enables the
active node to own the virtual IP and respond to connections. The redundancy
protocol also implements a heartbeat mechanism to allow failover to the passive
node if the active one should suffer a fault.
The same sort of topology can be used to deploy routers and firewalls for high
availability and load sharing.
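To make the heartbeat and failover behaviour concrete, here is a small Python model of two load balancer instances sharing a virtual IP. It is an added example for this guide, not CARP or any vendor's redundancy protocol, and VIRTUAL_IP, the node names, real addresses, priorities and heartbeat timing are all constructed. It shows two things a practitioner should expect from such a design: the virtual IP stays with a failed node until DEAD_AFTER heartbeats have been missed, so clients see a short outage rather than none, and the higher-priority node reclaims the address as soon as it is heard again.

```python
"""Active/passive failover of a virtual IP driven by heartbeats. This is an
added teaching model for the arrangement described above, not an
implementation of CARP, VRRP or any vendor protocol; node names, addresses
and timings are constructed."""

from dataclasses import dataclass

VIRTUAL_IP = "192.0.2.10"      # address clients connect to (constructed)
HEARTBEAT_INTERVAL = 1.0       # seconds between heartbeats on the private link
DEAD_AFTER = 3                 # missed heartbeats before a peer is declared down


@dataclass
class Node:
    name: str
    real_ip: str       # identity on the private redundancy connection
    priority: int      # highest reachable priority owns the virtual IP
    alive: bool = True


class Cluster:
    """Tracks the heartbeats each node would see on the private connection
    and decides which node currently answers for VIRTUAL_IP."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.time = 0.0
        self.last_heard = {n.name: 0.0 for n in nodes}   # all nodes heard at t=0
        self.owner = None
        self.elect()

    def reachable(self, name: str) -> bool:
        """A node is assumed up until DEAD_AFTER intervals pass in silence."""
        return self.time - self.last_heard[name] < DEAD_AFTER * HEARTBEAT_INTERVAL

    def elect(self):
        """Highest-priority node whose heartbeats are still fresh owns the VIP."""
        candidates = [n for n in self.nodes.values() if self.reachable(n.name)]
        self.owner = max(candidates, key=lambda n: n.priority).name if candidates else None

    def tick(self):
        """One heartbeat interval: live nodes advertise, then ownership is
        re-evaluated. A failed node keeps the VIP until its heartbeats are
        missed (the outage window clients experience); a repaired
        higher-priority node pre-empts once it is heard again."""
        self.time += HEARTBEAT_INTERVAL
        for n in self.nodes.values():
            if n.alive:
                self.last_heard[n.name] = self.time
        self.elect()

    def serving_ip(self):
        """Real address currently answering for the virtual IP (None = outage)."""
        return self.nodes[self.owner].real_ip if self.owner else None


def run_scenario():
    """Return the (time, owner) trace for: normal operation, lb1 failing at
    t=2, lb2 taking over once lb1's heartbeats stop, lb1 repaired at t=6."""
    lb1 = Node("lb1", "10.0.0.1", priority=200)
    lb2 = Node("lb2", "10.0.0.2", priority=100)
    cluster = Cluster([lb1, lb2])
    trace = [(cluster.time, cluster.owner)]

    def advance(steps):
        for _ in range(steps):
            cluster.tick()
            trace.append((cluster.time, cluster.owner))

    advance(2)
    lb1.alive = False          # active node suffers a fault
    advance(4)
    lb1.alive = True           # repaired; higher priority pre-empts
    advance(2)
    return trace


if __name__ == "__main__":
    for t, owner in run_scenario():
        print(f"t={t:>4.1f}s  {VIRTUAL_IP} answered by {owner}")
```

Running the scenario prints nine lines: lb1 answers for the virtual IP through t=4 even though it failed at t=2, lb2 takes over at t=5 once three heartbeats have been missed, and lb1 reclaims the address at t=7. Tuning DEAD_AFTER trades a faster takeover against the risk of both nodes claiming the address during a transient loss of the private link.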
Cisco also have the Gateway Load Balancing Protocol (GLBP) which allows for an active/
active load balanced configuration.
Review Activity:
High Availability Concepts
1. Why might contracting with multiple ISPs still fail to provide highly
available Internet access infrastructure?
Lesson 18
Summary
You should be able to explain high availability and disaster recovery concepts and
summarize which is the best solution.
• Use disaster recovery planning to assess risks and develop response procedures
and resources, incorporating backup and restore procedures for both data and
network systems.
• Provision power and data redundancy at component, network link, and system
levels to mitigate single points of failure. Consider the use of load balancers and
clusters to provision highly redundant services.
• Ensure facilities support for climate control, fire suppression, and power
reliability, using PDUs, UPS, and standby generators.
• Provision site redundancy at hot, warm, or cold levels based on risk, MTD, and
cost factors.
Lesson 19
Applying Network Hardening
Techniques
LESSON INTRODUCTION
There are many ways in which networks can be attacked and just as many ways for
making networks more secure. You will need a basic understanding of the security
risks, and security methods and tools, in order to protect your network. In this lesson,
you will learn to compare and contrast common types of attacks and to apply network
hardening techniques.
Lesson Objectives
In this lesson, you will:
• Compare and contrast types of attacks
Topic 19A
Compare and Contrast
Types of Attacks
Spoofing Attacks
The term spoofing covers a wide range of different attacks. Spoofing can include
any type of attack where the attacker disguises his or her identity, or in which the
source of network information is forged to appear legitimate. Social engineering
and techniques such as phishing and pharming, where the attacker sets up a false
website in imitation of a real one, are types of spoofing attacks. It is also possible to
abuse the way a protocol works or how network packets are constructed to inject
false or modified data onto a network. The ARP and DNS protocols are often used
as vectors for this type of attack.
On-path Attacks
An on-path attack is a specific type of spoofing attack where a threat actor
compromises the connection between two hosts and transparently intercepts and
relays all communications between them. The threat actor might also have the
opportunity to modify the traffic before relaying it.
On-path attacks are also known by the term “Man-in-the-Middle (MitM).” Such terms are
non-inclusive and/or use inappropriate or vague metaphors and are deprecated in the
latest CompTIA exam objectives documents.
ARP Spoofing
ARP spoofing, or ARP cache poisoning, is a common means of perpetrating an on-
path attack. It works by broadcasting unsolicited ARP reply packets, also known as
gratuitous ARP replies, with a source address that spoofs a legitimate host or router
interface. Because ARP has no security, all devices in the same broadcast domain
as the rogue host trust this communication and update their MAC:IP address cache
table with the spoofed address. Because the threat actor broadcasts endless ARP
replies, it overwhelms the legitimate interface.
The usual target will be the subnet’s default gateway. If the attack is successful, all
traffic destined for remote networks will be sent to the attacker. The threat actor
can then perform an on-path attack to monitor the communications and continue
to forward them to the router to avoid detection. The attacker could also modify the
packets before forwarding them. ARP poisoning could also perform a DoS attack by
not forwarding the packets.
ARP poisoning can be difficult to detect without closely monitoring network traffic.
However, attempts at ARP poisoning are likely to cause sporadic communications
difficulties, such as an unreachable default gateway. In such cases, performing
network captures and examining ARP packets may reveal the poison packets, as will
examining local ARP caches for multiple IP addresses mapping to the same MAC
address.
While IPv6 does not use ARP, it is also vulnerable to layer 2 spoofing if the unencrypted
Neighbor Discovery (ND) protocol is used.
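The two checks just described, looking for one MAC address claimed by several IP addresses and confirming that the default gateway still resolves to its known MAC, can be scripted against the output of arp -a or ip neigh. The Python below is an added example and not part of the CompTIA guide; the SAMPLE_ARP_A dump, the gateway address and the baseline MAC are constructed. Broadcast and multicast entries are deliberately skipped, since they share MACs legitimately and would otherwise be reported as poisoning.

```python
"""Check a host's ARP cache for the symptom described above: several IP
addresses mapping to one MAC address, or the default gateway resolving to an
unexpected MAC. Added example, not from the CompTIA guide; the cache dump and
addresses below are constructed sample data."""

import re
from collections import defaultdict

# Matches one IPv4 / MAC pair in `arp -a` (Windows, dash-separated) or
# `ip neigh` (Linux, colon-separated) output.
ARP_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

# Constructed `arp -a` output from a Windows client. 192.168.1.37 is a rogue
# host whose MAC now also appears against the gateway address.
SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.50          3c-52-82-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_cache(text: str) -> dict:
    """Return {ip: mac} with MACs normalised to lower-case colon form.
    Broadcast and IPv4 multicast entries are skipped: they legitimately
    share MACs and would otherwise produce false positives."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if not m:
            continue
        mac = m.group("mac").lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        entries[m.group("ip")] = mac
    return entries


def shared_macs(entries: dict) -> dict:
    """MACs claimed by more than one IP, the classic ARP poisoning footprint."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_matches(entries: dict, gateway_ip: str, expected_mac: str) -> bool:
    """Compare the cached gateway MAC with the one recorded at baseline."""
    return entries.get(gateway_ip) == expected_mac.lower().replace("-", ":")


if __name__ == "__main__":
    cache = parse_arp_cache(SAMPLE_ARP_A)
    for mac, ips in shared_macs(cache).items():
        print(f"WARNING: {mac} answers for {', '.join(ips)}")
    # Baseline gateway MAC recorded on a known-good day (constructed value)
    if not gateway_matches(cache, "192.168.1.1", "00:50:56:aa:00:01"):
        print("WARNING: default gateway MAC differs from baseline")
```

In practice, feed parse_arp_cache the real command output and keep the gateway's baseline MAC in your documentation; a shared MAC or a changed gateway MAC is the cue to take the packet captures the text recommends. A single shared MAC is not proof on its own (a router with several interface addresses on one segment, or a host running virtual machines in bridged mode, will also show it), which is why the gateway comparison is kept as a second, independent check.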
Rogue DHCP
An on-path attack can also be launched by running a rogue DHCP server. DHCP
communications cannot be authenticated, so a host will generally trust the first
offer packet that it receives. The threat actor can exploit this to set his or her
machine as the subnet’s default gateway or DNS resolver.
One way to attack DNS is to corrupt the client’s name resolution process. This can
be accomplished by changing the servers used for resolving queries, intercepting
and modifying DNS traffic, or polluting the client’s name cache (by modifying the
HOSTS file, for instance). DNS server cache poisoning (or pollution) is another
redirection attack, but instead of trying to subvert the name service used by the
client, it aims to corrupt the records held by the DNS server itself.
Evil Twins
A rogue AP masquerading as a legitimate one is called an evil twin. An evil twin
might advertise a similar network name (SSID) to the legitimate one. For example,
an evil twin might be configured with the network name compeny where the
legitimate network name is company. Alternatively, the evil twin might spoof the
SSID and BSSID (MAC address) of an authorized access point and then the attacker
might use some DoS technique to overcome the legitimate AP. After a successful
DoS attack, the users will be forced to disconnect from the network and then
manually attempt to reconnect. At that point, with many users busy and trying to
get back to work, some or all may associate with the evil twin AP and submit the
network passphrase or their credentials for authentication.
However it is configured, when a user connects to an evil twin, it might be able to
harvest authentication information and, if it is able to provide wider network or
Internet access, execute an on-path attack to snoop on connections established
with servers or websites.
Surveying Wi-Fi networks using Xirrus Wi-Fi Inspector (xirrus.com)—Note the presence of print
devices configured with open authentication (no security) and a smart TV appliance (requiring
authentication). (Screenshot used with permission from Xirrus.)
One solution to the risk of rogue access points is to use EAP-TLS security so that
the authentication server and clients perform mutual authentication. There are
also various scanners and monitoring systems that can detect rogue APs, referred
to as a wireless intrusion detection system (WIDS) or wireless intrusion prevention
system (WIPS).
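The evil twin patterns above (a lookalike SSID such as compeny, and an unknown radio advertising the corporate SSID) are exactly what a WIDS compares against an inventory of authorised access points. The Python below is an added example, not from the CompTIA guide or any WIDS product; the AUTHORIZED inventory, the SCAN results and the LOOKALIKE_DISTANCE threshold are constructed assumptions.

```python
"""Compare a Wi-Fi survey against the list of authorised access points to
flag the two evil-twin patterns described above: a lookalike SSID and an
unknown radio (BSSID) advertising the corporate SSID. Added example, not
from the CompTIA guide or any WIDS product; all SSIDs and BSSIDs are
constructed."""

# Authorised SSIDs and the BSSIDs of the APs allowed to advertise them.
AUTHORIZED = {
    "company": {"a4:56:30:11:22:33", "a4:56:30:11:22:44"},
}

# Constructed survey results as a scanner would report them.
SCAN = [
    {"ssid": "company",        "bssid": "a4:56:30:11:22:33", "security": "WPA2-Enterprise"},
    {"ssid": "company",        "bssid": "de:ad:be:ef:00:01", "security": "WPA2-Personal"},
    {"ssid": "compeny",        "bssid": "de:ad:be:ef:00:02", "security": "WPA2-Personal"},
    {"ssid": "guest-printer",  "bssid": "00:11:22:33:44:55", "security": "Open"},
    {"ssid": "neighbour-cafe", "bssid": "66:77:88:99:aa:bb", "security": "WPA2-Personal"},
]

LOOKALIKE_DISTANCE = 2   # edit distance at which an SSID counts as an imitation


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_scan(scan, authorized):
    """Return (finding, ssid, bssid) tuples for networks that need a look."""
    findings = []
    for ap in scan:
        ssid, bssid = ap["ssid"].lower(), ap["bssid"].lower()
        if ssid in authorized:
            if bssid not in authorized[ssid]:
                # Our SSID from a radio we do not own: the spoofed SSID pattern
                findings.append(("unknown-bssid", ssid, bssid))
            continue
        for good in authorized:
            if levenshtein(ssid, good) <= LOOKALIKE_DISTANCE:
                # Near-miss of an authorised name, e.g. compeny for company
                findings.append(("lookalike-ssid", ssid, bssid))
                break
    return findings


if __name__ == "__main__":
    for finding, ssid, bssid in audit_scan(SCAN, AUTHORIZED):
        print(f"{finding:15} {ssid!r:18} {bssid}")
```

Two findings come out of the constructed survey: the second company entry, because its BSSID is not in the inventory, and compeny, because it is one edit away from an authorised name. The inventory is the important part: the check is only as good as the list of BSSIDs you know you own, so it needs updating whenever an AP is replaced.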
Deauthentication Attacks
The use of an evil twin may be coupled with a deauthentication attack. This sends
a stream of spoofed management frames to cause a client to deauthenticate from
an AP. This might allow the attacker to interpose the evil twin, sniff information
about the authentication process, or perform a denial of service (DoS) attack
against the wireless infrastructure. These attacks work against both WEP and WPA.
The attacks can be mitigated if the wireless infrastructure supports Management
Frame Protection (MFP/802.11w). Both the AP and clients must be configured to
support MFP.
Aireplay sniffs ARP packets to harvest IVs while Airodump saves them to a capture, which
Aircrack can analyze to identify the correct encryption key.
Botnets
A botnet is a group of compromised hosts that can be used to launch DDoS and
DRDoS attacks. A threat actor will first compromise one or two machines
to use as handlers or herders. The handlers are used to compromise hundreds,
thousands, or even millions of zombie hosts with DoS tools (the bots). To
compromise a host, the attacker must install malware that opens a backdoor
remote connection. The attacker can then use the malware to install bots
and trigger the zombies to launch the attack at the same time. The network
established between the handlers and the bots is called a command and control
(C&C or C2) network.
Other classifications are based on the payload delivered by the malware. The
payload is an action performed by the malware other than simply replicating or
persisting on a host. Examples of payload classifications include spyware, rootkit,
remote access Trojan (RAT) or backdoor, and ransomware.
Ransomware is a type of malware that tries to extort money from the victim.
One class of ransomware will display threatening messages, such as requiring
Windows to be reactivated or suggesting that the computer has been locked
by the police because it was used to view child pornography or for terrorism.
This may block access to the computer by installing a different shell program
or browser window that is difficult to close, but this sort of attack is usually
relatively simple to fix.
The crypto-malware class of ransomware attempts to encrypt data files on any
fixed, removable, and network drives. If the attack is successful, the user will be
unable to access the files without obtaining the decryption key, which is held
by the attacker. If successful, this sort of attack is extremely difficult to mitigate,
unless the user has up-to-date backups of the encrypted files that the malware could
not reach. One example of this is CryptoLocker, a Trojan that searches for files to
encrypt and then prompts the victim to pay a sum of money before a countdown
expires, after which the malware destroys the key that allows the decryption.
Password Attacks
On-path and malware attacks can be difficult to perpetrate. Many network
intrusions occur because a threat actor is able to obtain credentials to access
the network. Also, when a threat actor gains some sort of access via an on-path
or malware attack, they are likely to attempt to escalate privileges to gain access
to other targets on the network by harvesting credentials for administrative
accounts.
Passwords or password hashes can be captured by obtaining a password file or by
sniffing the network. If the protocol uses cleartext credentials, then the threat actor
can simply read the cleartext password from the captured frames.
If authentication credentials are transmitted in cleartext, such as the unencrypted version of the
IMAP mailbox access protocol, it is a simple matter for the credentials to be intercepted via packet
sniffing. (Screenshot courtesy of Wireshark.)
A password might be sent in an encoded form, such as Base64, which is simply an ASCII
representation of binary data. This is not the same as encryption. The password value
can easily be derived from the Base64 string.
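The following added example (not from the CompTIA guide) shows what a sniffer on an unencrypted segment can pull out of reassembled application-layer lines: IMAP LOGIN, POP3 and FTP USER/PASS pairs, and HTTP Basic headers, where the Base64 token is simply decoded back to user:password. The capture lines, hosts and credentials are constructed for the example; the only parsing assumption is the "src -> dst:port payload" line layout used here.

```python
"""Pull cleartext and merely-encoded credentials out of reassembled
application-layer lines, as a sniffer on an unencrypted segment would."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample capture (hypothetical hosts and credentials), one
# reassembled application-layer line per entry: "src -> dst:port  payload".
CAPTURED_LINES = [
    '10.1.0.55 -> 10.1.0.10:143  a001 LOGIN alice "Summer2021!"',
    "10.1.0.56 -> 10.1.0.10:110  USER bob",
    "10.1.0.56 -> 10.1.0.10:110  PASS hunter2",
    "10.1.0.57 -> 10.1.0.20:21  USER carol",
    "10.1.0.57 -> 10.1.0.20:21  PASS s3cret",
    "10.1.0.58 -> 10.1.0.30:80  Authorization: Basic "
    + base64.b64encode(b"dave:letmein").decode(),
    "10.1.0.59 -> 10.1.0.30:80  Authorization: Basic %%%notbase64%%%",
    "10.1.0.59 -> 10.1.0.30:80  GET /index.html HTTP/1.1",
]

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)\s+(?P<payload>.*)$")
IMAP_LOGIN_RE = re.compile(
    r'^\S+\s+LOGIN\s+("?)(?P<user>[^"\s]+)\1\s+("?)(?P<pw>[^"]+)\3\s*$', re.I)
USER_RE = re.compile(r"^USER\s+(?P<user>\S+)\s*$", re.I)
PASS_RE = re.compile(r"^PASS\s+(?P<pw>\S+)\s*$", re.I)
BASIC_RE = re.compile(r"^Authorization:\s+Basic\s+(?P<token>\S+)\s*$", re.I)


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str
    client: str
    server: str


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Base64 is encoding, not encryption: a Basic token is just user:password."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")
    return (user, pw) if sep else None


def harvest_credentials(lines: List[str]) -> List[Credential]:
    found: List[Credential] = []
    # POP3 and FTP send USER and PASS as separate commands: remember USER per flow.
    pending_user: Dict[Tuple[str, str], str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port, payload = m["src"], m["dst"], int(m["port"]), m["payload"]
        flow = (src, f"{dst}:{port}")
        if port == 143 and (lm := IMAP_LOGIN_RE.match(payload)):
            found.append(Credential("IMAP", lm["user"], lm["pw"], src, dst))
        elif port in (21, 110) and (um := USER_RE.match(payload)):
            pending_user[flow] = um["user"]
        elif port in (21, 110) and (pm := PASS_RE.match(payload)) and flow in pending_user:
            proto = "FTP" if port == 21 else "POP3"
            found.append(Credential(proto, pending_user.pop(flow), pm["pw"], src, dst))
        elif port == 80 and (bm := BASIC_RE.match(payload)):
            decoded = decode_basic(bm["token"])
            if decoded:   # malformed tokens are skipped rather than crashing the parser
                found.append(Credential("HTTP-Basic", decoded[0], decoded[1], src, dst))
    return found


if __name__ == "__main__":
    for c in harvest_credentials(CAPTURED_LINES):
        print(f"{c.protocol:10} {c.client} -> {c.server}  {c.username}:{c.password}")
```

Every one of these protocols has a TLS-protected variant (IMAPS, POP3S, FTPS/SFTP, HTTPS); the parser finds nothing on those ports because the payload is ciphertext, which is the whole argument for disabling the cleartext versions.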
• Brute force—The software tries to match the hash against one of every possible
combination it could be. If the password is short (under eight characters) and
non-complex (using only letters, for instance), a password might be cracked in
minutes. Longer and more complex passwords increase the amount of time the
attack takes to run.
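The keyspace arithmetic behind that warning, with a brute-force run against a short digest, as an added example (not from the CompTIA guide). The target is an unsalted SHA-256 hash purely for illustration; the NTLM or NetNTLMv2 material a threat actor harvests from SMB is hashed differently, but the relationship between length, character set and search time is the same. The guess rate used in the demo is an assumed figure.

```python
"""Keyspace arithmetic behind the "short and non-complex" warning, plus a
brute-force run against a short hash to make the difference concrete."""
import hashlib
import itertools
import string
from typing import Optional

CHARSETS = {
    "lower": string.ascii_lowercase,                                    # 26 symbols
    "alnum": string.ascii_letters + string.digits,                      # 62 symbols
    "full": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def keyspace(charset: str, max_len: int) -> int:
    """Number of candidates of length 1..max_len over the charset."""
    n = len(charset)
    return sum(n ** length for length in range(1, max_len + 1))


def seconds_to_exhaust(charset: str, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(charset, max_len) / guesses_per_second


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 stands in for whatever hash the attacker captured.
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hash: str, charset: str, max_len: int) -> Optional[str]:
    """Enumerate every candidate up to max_len, hash it, return the first match."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    rate = 1e10   # assumed: a GPU rig computing unsalted SHA-256
    for name, cs in CHARSETS.items():
        for length in (7, 8, 12):
            days = seconds_to_exhaust(cs, length, rate) / 86400
            print(f"{name:5} len<={length:2}: {keyspace(cs, length):.2e} candidates, "
                  f"{days:.1f} days at {rate:.0e} guesses/s")
    print("cracked:", brute_force(sha256_hex("zeta"), CHARSETS["lower"], 4))
```

Going from seven lowercase letters to twelve mixed characters moves the worst case from seconds to longer than the attacker's lifetime at the same guess rate, which is why length and character set both matter, and why a slow, salted password hash (bcrypt, scrypt, Argon2) rather than a fast digest is the right server-side control.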
A threat actor might obtain password hashes from a protocol such as SMB with no
encryption configured. The risks posed by cracking software mean that it is more
secure to use end-to-end encryption, such as IPsec or Transport Layer Security
(TLS). This means that all payload data is encrypted, and a network sniffer cannot
even recover the password hashes.
Phishing Attacks
Phishing is a combination of social engineering and spoofing. It persuades or tricks
the target into interacting with a malicious resource disguised as a trusted one,
traditionally using email as the vector. A phishing message might try to convince
the user to perform some action, such as installing disguised malware or allowing
a remote access connection by the attacker. Other types of phishing campaign use
a spoof website set up to imitate a bank or e-commerce site or some other web
resource that should be trusted by the target. The attacker then emails users of
the genuine website informing them that their account must be updated or with
some sort of hoax alert or alarm, supplying a disguised link that actually leads to
the spoofed site. When the user authenticates with the spoofed site, their logon
credentials are captured.
Example phishing email—On the right, you can see the message in its true form as the mail client
has stripped out the formatting (shown on the left) designed to disguise the nature of the links.
Shoulder Surfing
A threat actor can learn a password or PIN (or other secure information) by
watching the user type it. This is referred to as a shoulder surfing attack. Despite
the name, the attacker may not have to be in close proximity to the target—they
could use high-powered binoculars or CCTV to directly observe the target remotely.
Review Activity:
Types of Attacks
Answer the following questions:
1. Response time on the website that hosts the online version of your
product catalog is getting slower and slower. Customers are complaining
that they cannot browse the catalog items or search for products. What
type of attack do you suspect?
Topic 19B
Apply Network Hardening Techniques
A malicious host may use a spoofed MAC address to try to perform ARP cache
poisoning against other hosts on the network and perpetrate an on-path attack.
A switch port security feature such as dynamic ARP inspection (DAI) prevents a
host attached to an untrusted port from flooding the segment with gratuitous ARP
replies. ARP inspection maintains a trusted database of IP-to-MAC address
mappings, normally populated from the DHCP snooping binding table, and drops
ARP packets whose sender addresses do not match it. It also ensures that ARP
packets are validly constructed and use valid IP addresses.
Configuring ARP inspection and DHCP snooping on a Cisco switch. (Image © and Courtesy of Cisco
Systems, Inc. Unauthorized use not permitted.)
DHCP Snooping
Configuring D P snooping causes the switch to inspect DHCP traffic arriving on
access ports to ensure that a host is not trying to spoof its MAC address. It can also
be used to prevent rogue DHCP servers from operating on the network. With DHCP
snooping, only DHCP offers from ports configured as trusted are allowed.
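The following added example (not from the CompTIA guide or from any switch vendor's code) models the two features working together: DHCP server replies are accepted only when they arrive on a trusted port and populate a binding table of IP, MAC and client port; ARP packets from untrusted ports are then checked for well-formedness and against that table. Port names, addresses and the traffic sample are constructed for the example.

```python
"""DHCP snooping feeding dynamic ARP inspection (DAI): learn bindings only from
DHCP replies on trusted ports, then validate ARP from untrusted ports."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DhcpAck:
    server_port: str   # port the server's DHCPACK entered the switch on
    client_port: str   # access port the requesting client sits on
    client_mac: str
    client_ip: str


@dataclass(frozen=True)
class ArpPacket:
    port: str
    src_mac: str       # Ethernet source address of the frame
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address


Binding = Tuple[str, str]   # (mac, port)


def build_binding_table(acks: List[DhcpAck], trusted: Set[str]) -> Tuple[Dict[str, Binding], List[DhcpAck]]:
    """Accept server replies from trusted ports only; anything else is a rogue server."""
    bindings: Dict[str, Binding] = {}
    rogue: List[DhcpAck] = []
    for ack in acks:
        if ack.server_port not in trusted:
            rogue.append(ack)          # DHCP offer/ack on an untrusted port is dropped
            continue
        bindings[ack.client_ip] = (ack.client_mac.lower(), ack.client_port)
    return bindings, rogue


def inspect_arp(pkt: ArpPacket, bindings: Dict[str, Binding], trusted: Set[str]) -> Tuple[str, str]:
    """Return ("PERMIT" | "DROP", reason) for one ARP packet."""
    if pkt.port in trusted:
        return "PERMIT", "trusted port, not inspected"
    # Validity checks: well-formed, usable sender IP and a consistent sender MAC.
    try:
        ip = ipaddress.ip_address(pkt.sender_ip)
    except ValueError:
        return "DROP", "malformed sender IP"
    if ip.is_unspecified or ip.is_multicast or ip == ipaddress.ip_address("255.255.255.255"):
        return "DROP", "invalid sender IP"
    if pkt.src_mac.lower() != pkt.sender_mac.lower():
        return "DROP", "sender MAC differs from Ethernet source MAC"
    # Binding check: the IP must be bound to this MAC on this port.
    bound = bindings.get(pkt.sender_ip)
    if bound is None:
        return "DROP", "no DHCP snooping binding for sender IP"
    mac, port = bound
    if mac != pkt.sender_mac.lower() or port != pkt.port:
        return "DROP", "sender does not match binding"
    return "PERMIT", "matches binding"


TRUSTED_PORTS = {"Gi1/0/48"}   # uplink toward the legitimate DHCP server

# Constructed sample traffic (hypothetical addresses and ports).
DHCP_ACKS = [
    DhcpAck("Gi1/0/48", "Gi1/0/5", "00:11:22:33:44:55", "10.1.0.55"),
    DhcpAck("Gi1/0/48", "Gi1/0/6", "00:11:22:33:44:66", "10.1.0.56"),
    DhcpAck("Gi1/0/7", "Gi1/0/9", "de:ad:be:ef:00:01", "10.1.0.99"),   # rogue server on an access port
]
ARP_PACKETS = [
    ArpPacket("Gi1/0/5", "00:11:22:33:44:55", "00:11:22:33:44:55", "10.1.0.55"),   # legitimate
    ArpPacket("Gi1/0/6", "00:11:22:33:44:66", "00:11:22:33:44:66", "10.1.0.1"),    # claims the gateway IP
    ArpPacket("Gi1/0/8", "00:11:22:33:44:55", "00:11:22:33:44:55", "10.1.0.55"),   # right pair, wrong port
    ArpPacket("Gi1/0/9", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "10.1.0.99"),   # lease came from rogue server
    ArpPacket("Gi1/0/10", "aa:aa:aa:aa:aa:aa", "00:11:22:33:44:55", "10.1.0.55"),  # spoofed sender MAC
    ArpPacket("Gi1/0/48", "00:00:5e:00:01:01", "00:00:5e:00:01:01", "10.1.0.1"),   # from the trusted uplink
]


def run(acks=DHCP_ACKS, packets=ARP_PACKETS, trusted=TRUSTED_PORTS) -> List[Tuple[str, str]]:
    bindings, _rogue = build_binding_table(acks, trusted)
    return [inspect_arp(p, bindings, trusted) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(ARP_PACKETS, run()):
        print(f"{pkt.port:9} {pkt.sender_ip:10} {pkt.sender_mac}  {verdict}: {why}")
```

Hosts with static addresses have no DHCP binding and would be dropped by this logic; on a real switch they need a static binding or an ARP ACL, which is the usual operational gotcha when DAI is first enabled.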
Under 802.1X, the device requesting access is the supplicant. The switch, referred
to as the authenticator, enables the Extensible Authentication Protocol over LAN
(EAPoL) protocol only and waits for the device to supply authentication data.
The authenticator passes this data to an authenticating server, typically a
RADIUS server, which checks the credentials and grants or denies access. If access
is granted, the switch will configure the port to use the appropriate VLAN and
enable it for ordinary network traffic. Unauthenticated hosts may be denied any
type of access or be placed in a guest VLAN with only limited access to the rest of
the network.
Private VLANs
A private VLAN (PVLAN) applies an additional layer of segmentation by restricting
the ability of hosts within a VLAN to communicate directly with one another. This
might be used by a hosting company to prevent web servers operated by different
customers being able to communicate. Isolating these server instances using
PVLANs is simpler than creating multiple VLANs and subnets. Similarly, ISPs use
PVLANs to isolate subscriber traffic.
When configuring a PVLAN, the host VLAN is referred to as the primary VLAN. The
following types of PVLAN ports can be configured within the primary VLAN:
• Promiscuous port—Can communicate with all ports in all domains within the
PVLAN. This is normally the port through which routed and/or DHCP traffic is sent.
• Isolated port—Can communicate with the promiscuous port only. This creates a
subdomain of a single host only. The PVLAN can contain multiple isolated ports,
but each is in its own subdomain.
Sample firewall ruleset configured on OPNsense. This ruleset blocks all traffic from bogon
networks and private IP address ranges, but it allows ICMP traffic directed at a firewall
interface, HTTP traffic from any source, and SMTP traffic from known networks, defined
as the MAILHOSTS alias. (Screenshot used with permission from OPNsense.)
Each rule can specify whether to block or allow traffic based on parameters, often
referred to as tuples. If you think of each rule being like a row in a database, the
tuples are the columns. For example, in the screenshot, the tuples include Protocol,
Source (address), (Source) Port, Destination (address), (Destination) Port, and so on.
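The following added example (not OPNsense's code or the guide's) evaluates packets against a ruleset built from the tuples in that caption: a block for bogon and private source ranges, then passes for ICMP to the firewall interface, HTTP from anywhere and SMTP from a MAILHOSTS alias, with an implicit default deny. Rules are tried in order and the first match wins, which is why the private-range block must come first. The alias contents, interface address and test packets are hypothetical.

```python
"""First-match packet filter evaluator over tuple-style firewall rules."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical alias definitions (an alias expands to one or more networks).
ALIASES: Dict[str, List[str]] = {
    "BOGONS_AND_PRIVATE": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                           "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"],
    "WAN_ADDRESS": ["203.0.113.1/32"],                     # the firewall's own interface
    "MAILHOSTS": ["198.51.100.0/24", "203.0.113.25/32"],   # known mail relays
}


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "any", "tcp", "udp", "icmp"
    src: str       # "any", an alias name, or a CIDR
    sport: str     # "any" or a port number
    dst: str
    dport: str
    descr: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


# Ruleset as described in the caption, in evaluation order.
RULESET = [
    Rule("block", "any", "BOGONS_AND_PRIVATE", "any", "any", "any", "Block bogon and private source ranges"),
    Rule("pass", "icmp", "any", "any", "WAN_ADDRESS", "any", "Allow ICMP to the firewall interface"),
    Rule("pass", "tcp", "any", "any", "any", "80", "Allow HTTP from any source"),
    Rule("pass", "tcp", "MAILHOSTS", "any", "any", "25", "Allow SMTP from known mail hosts"),
]


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])     # alias name or a literal CIDR
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    return port is not None and int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every tuple in the rule must match for the rule to apply."""
    return (rule.proto in ("any", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst)
            and port_matches(rule.dport, pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule] = RULESET, default: str = "block") -> Tuple[str, str]:
    """Top-to-bottom, first match decides; otherwise the implicit default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return default, "implicit default"


if __name__ == "__main__":
    for p in [Packet("tcp", "198.51.100.7", "203.0.113.10", 40001, 25),
              Packet("tcp", "10.0.0.5", "203.0.113.10", 40002, 80)]:
        print(p, "->", evaluate(p))
```

The last sample packet is the one to watch: HTTP would be allowed by rule 3, but the spoofed private source address hits rule 1 first, so reordering those two rules would silently open the firewall to traffic it was meant to reject.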
As an example of ACL configuration, iptables is a command line utility provided by
many Linux distributions that allows administrators to edit the rules enforced by
the Linux kernel firewall. Iptables works with the firewall chains, which apply to the
different types of traffic passing through the system. The three main chains are:
• INPUT—Affecting incoming connections. For example, if a user attempts to SSH
into the Linux server, iptables will attempt to match the source IP address and
destination port to a rule in the input chain.
• FORWARD—Used for connections that are passing through the host, rather than
being delivered locally. This chain would be used when configuring the host as a
network firewall.
Rules can be assigned to these chains, or new chains can be created and then
linked to the standard system chains to affect traffic flow. To view the current status
of the iptables and the volume of traffic using the chains, use the command:
iptables -L -v
To change the firewall rules, commands such as those that follow would be used.
These examples allow one IP address from a specific subnet to connect and block
all others from the same subnet. Rule order matters: a chain is evaluated top to
bottom and the first matching rule wins, and -A appends to the end of the chain, so
the ACCEPT for the single host must be added before the DROP for the subnet.
iptables -A INPUT -s 10.1.0.1 -j ACCEPT
iptables -A INPUT -s 10.1.0.0/24 -j DROP
When you set least access rules (if both INPUT and OUTPUT default policy is set to
deny all), you must set both INPUT and OUTPUT rules to allow most types of client/
server traffic. For example, to allow a host to operate as an SSH server, configure
the following rules:
iptables -A INPUT -p tcp --dport 22 -s 10.1.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.1.0.0/24 -m state --state ESTABLISHED -j ACCEPT
These commands use the stateful nature of the firewall to differentiate between
new and established connections. The first rule allows hosts in the 10.1.0.0/24
net to initiate connections with the SSH server on the local host over port 22. The
second rule allows the server to respond to existing connections established by
hosts in the same subnet. In current iptables releases, -m state is kept as an alias
for -m conntrack --ctstate, and the NEW and ESTABLISHED keywords are the same in
both forms.
Wireless Security
The following features can be enabled to provision secure wireless network
access.
• Preshared keys (PSKs)—Group authentication allows stations to connect to the
network using a shared passphrase, which is used to generate a preshared key
(PSK). The passphrase should be sufficient length (14+ characters) to ensure a
strong key.
• Guest network isolation—A guest network can have separate security and
forwarding policies applied to it than the network that permits access to the
corporate LAN. Typically, a guest network is permitted access to the Internet
but not to local servers. Most SOHO routers come with a preconfigured guest
network. Within an enterprise, a guest network would be implemented using a
separate VLAN.
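The PSK bullet above can be made concrete. The following added example (not from the CompTIA guide) derives a WPA/WPA2-Personal PSK from a passphrase exactly as IEEE 802.11 specifies (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output) and shows the attacker's side of the bargain: every offline guess against a captured handshake costs a full derivation, so the number of candidates the passphrase length permits is what decides whether guessing is feasible. The SSID and candidate list in the demo are constructed; the comparison against a known PSK stands in for the handshake MIC check a real cracker performs.

```python
"""WPA/WPA2-Personal PSK derivation and the per-guess cost it imposes."""
import hashlib
from typing import Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE 802.11."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def offline_guess(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side: each candidate costs 4096 HMAC-SHA1 rounds.
    A real attack checks each derived PSK against the captured 4-way handshake;
    comparing to a known PSK stands in for that step here."""
    for guess in candidates:
        if wpa2_psk(guess, ssid) == target_psk:
            return guess
    return None


def guesses_for(length: int, alphabet_size: int) -> int:
    """Candidates an attacker must cover for passphrases of exactly this length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    # Constructed example: a guessable passphrase on a hypothetical SSID.
    ssid = "CorpGuest"
    target = wpa2_psk("letmein1", ssid)
    print("recovered:", offline_guess(target, ssid, ["password", "qwerty12", "letmein1"]))
    print("8 chars, all printable:", f"{guesses_for(8, 94):.2e}")
    print("14 chars, lowercase only:", f"{guesses_for(14, 26):.2e}")
```

Two points follow from the derivation. Because the SSID is the salt, a common SSID such as a router's default lets an attacker precompute tables for that name, and a unique SSID defeats that. And because the PSK is shared by every station, anyone who knows the passphrase and captures another client's 4-way handshake can derive that client's session keys; PSK mode gives no per-user secrecy, which is why enterprises prefer 802.1X/EAP on corporate SSIDs.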
• Ensure that administrative interfaces are secured, and that device configuration
and management is assigned to appropriate organizational roles.
• Audit supplier security policies and procedures regularly, especially where there
are external monitoring or management channels.
Review Activity:
Network Hardening Techniques
Answer the following questions:
3. What switch configuration feature could you use to prevent web servers
in the same subnet from communicating with one another?
5. Network hosts are flooding a switch's SSH port with malicious traffic. The
switch applies a rate-limiting mechanism to drop the traffic. What best
practice network hardening control is being used?
Lesson 19
Summary
You should be able to compare and contrast common types of attacks and apply
network hardening techniques.
• Change default device credentials on installation and ensure that accounts are
secured with strong passwords. Configure fine-grained permissions to support
role-based access and enforcement of least privilege management practices.
• Use only secure channels for administration traffic or any other protocol where
credentials need to be submitted.
• Configure services according to the device’s baseline and disable any services
which are not required. Consider setting up alerting mechanisms to detect
service configuration changes.
• Ensure that only the necessary IP ports (TCP and UDP ports) to run permitted
services are open and that access to a port is controlled by a firewall ACL if
appropriate.
• Use switch port protection, port authentication, wireless security, IoT device
management, and control plane policing to prevent the attachment of rogue
devices and DoS attacks against critical infrastructure.
• Ensure segmentation of security zones using VLANs and PVLANs. Ensure that
trunks carrying inter-VLAN traffic are correctly configured to mitigate against
hopping attacks.
• Use vulnerability and patch assessment and scanning to ensure that all types of
hosts (servers, clients, appliances, and IoT devices) are fully patched.
Lesson 20
Summarizing Cloud and Datacenter
Architecture
LESSON INTRODUCTION
As the Internet becomes more robust and capable of matching the performance of
local networks, many services are being moved from on-premises servers to cloud
providers. Even where services are kept on-site, the different requirements and design
principles of datacenters are essential competencies for network technicians at all
levels.
This lesson completes the Network+ course by summarizing the software-driven
virtualization, automation, and orchestration functionality that underpins cloud
services.
Lesson Objectives
In this lesson, you will:
• Summarize cloud concepts.
Topic 20A
Summarize Cloud Concepts
This type of cloud could be on-premises or offsite relative to the other business
units. An onsite link can obviously deliver better performance and is less likely to
be subject to outages (loss of an Internet link, for instance). On the other hand, a
dedicated offsite facility may provide better shared access for multiple users in
different locations.
Flexibility is a key advantage of cloud computing, but the implications for data risk
must be well understood when you are moving data between private and public
storage environments.
Infrastructure as a Service
Infrastructure as a Service (IaaS) is a means of provisioning IT resources such as
servers, load balancers, and storage area network (SAN) components quickly. Rather
than purchase these components and the Internet links they require, you rent them on
an as-needed basis from the service provider’s datacenter. Examples include Amazon
Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft® Azure® Virtual Machines
(azure.microsoft.com/services/virtual-machines), and OpenStack® (openstack.org).
Software as a Service
Software as a Service (SaaS) is a different model of provisioning software
applications. Rather than purchasing software licenses for a given number of seats, a
business would access software hosted on a supplier’s servers on a pay-as-you-go or
lease arrangement (on-demand). Virtual infrastructure allows developers to provision
on-demand applications much more quickly than previously. The applications
can be developed and tested in the cloud without the need to test and deploy on
client computers. Examples include Microsoft Office 365 (support.office.com),
Salesforce® (salesforce.com), and Google Workspace™ (workspace.google.com).
Platform as a Service
Platform as a Service (PaaS) provides resources somewhere between SaaS
and IaaS. A typical PaaS solution would deploy servers and storage network
infrastructure (as per IaaS) but also provide a multi-tier web application/database
platform on top. This platform could be based on Oracle® or MS SQL or PHP and
MySQL™. Examples include Oracle Database (cloud.oracle.com/paas), Microsoft
Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App
Engine™ (cloud.google.com/appengine).
As distinct from SaaS though, this platform would not be configured to actually
do anything. Your own developers would have to create the software (the CRM or
e-commerce application) that runs using the platform. The service provider would
be responsible for the integrity and availability of the platform components, but you
would be responsible for the security of the application you created on the platform.
Dashboard for Amazon Web Services Elastic Compute Cloud (EC2) IaaS/PaaS.
(Screenshot courtesy of Amazon.)
Desktop as a Service
Desktop as a Service (DaaS) is a means of provisioning virtual desktop
infrastructure (VDI) as a cloud service. VDI allows a client browser to operate an OS
desktop plus software apps. This removes the need for an organization to deploy
and maintain client PCs and software installs.
Private-Direct Connection/Colocation
Colocation within a datacenter offers a higher bandwidth solution by providing a
direct or private link. The customer establishes infrastructure within a datacenter
supported by the cloud provider or provisions a direct link from his or her
enterprise network to the datacenter, possibly using private connections configured
within a service provider’s network. The datacenter installs a cross-connect cable
or VLAN between the customer and the cloud provider, establishing a low latency,
high bandwidth secure link. This solution is preferred for organizations which
have a more centralized operation where the connection to the cloud can be from
the main HQ and the company’s own enterprise network is used to allow branch
locations access.
Infrastructure as Code
The use of cloud technologies encourages the use of scripted approaches to
provisioning, rather than installing operating systems and apps and making
configuration changes or installing patches manually. An approach to infrastructure
management where automation and orchestration fully replace manual
configuration is referred to as infrastructure as code (IaC).
One of the goals of IaC is to eliminate snowflake systems. A snowflake is a
configuration or build that is different from any other. The lack of consistency—or
drift—in the platform environment leads to security issues, such as patches that
have not been installed, and stability issues, such as scripts that fail to run because
of some small configuration difference.
Automation
Automation using scripting means that each configuration or build task is
performed by a block of code. The script will take standard arguments as data, so
there is less scope for uncertainty over configuration choices leading to errors.
There are two principal types of automation tool:
• Imperative tools require the precise steps to follow to achieve the desired
configuration as input. This approach is most similar to automation through
traditional scripting languages such as Bash and PowerShell.
• Declarative tools take the desired configuration as input and leave detail of how
that configuration should be achieved to the implementation platform.
Orchestration
Where automation focuses on making a single, discrete task easily repeatable,
orchestration performs a sequence of automated tasks. For example, you might
orchestrate adding a new VM to a load-balanced cluster. This end-to-end process
might include provisioning the VM, configuring it with an app and network settings,
adding the new VM to the load-balanced cluster, and reconfiguring the load-
balancing weight distribution given the new cluster configuration. In doing this,
the orchestrated steps would have to run numerous automated scripts or API
service calls.
For orchestration to work properly, automated steps must occur in the right
sequence, taking dependencies into account; the orchestrator must provide the
right security credentials at every step along the way; and it must have the rights
and permissions to perform the defined tasks. Orchestration can automate processes
that are complex, requiring dozens or hundreds of manual steps.
Automation and orchestration platforms connect to and provide administration,
management, and orchestration for many popular cloud platforms and services.
One of the advantages of using a third-party orchestration platform is protection
from vendor lock in. If you wish to migrate from one cloud provider to another,
or wish to move to a multicloud environment, automated workflows can often be
adapted for use on new platforms. Industry leaders in this space include Chef (chef.
io), Puppet (puppet.com), Ansible (ansible.com), and Kubernetes (kubernetes.io).
For example, in a SaaS solution, the provider may be responsible for the
confidentiality, integrity, and availability of the software. They would be responsible
for configuring a fault-tolerant, clustered server service; for firewalling the servers
and creating proper authentication, authorization, and accounting procedures; for
scanning for intrusions and monitoring network logs; for applying OS and software
patches; and so on. You may or may not be responsible for some or all of the
software management functions, such as ensuring that administrators and users
practice good password management, configuring system privileges, making backups
of data, and so on. Where critical tasks are the responsibility of the service provider,
you should try to ensure that there is a reporting mechanism to show that these tasks
are being completed, that their disaster recovery plans are effective, and so on.
Another provision is that your company is likely to remain directly liable for serious
security breaches. If customer data is stolen, for instance, or if your hosted website
is hacked and used to distribute malware, the legal and regulatory “buck” still stops
with you. You might be able to sue the service provider for damages, but your
company would still be the point of investigation. You may also need to consider
the legal implications of using a cloud provider if its servers are in a different
country.
You must also consider the risk of insider threat, where the insiders are
administrators working for the service provider. Without effective security
mechanisms, such as separation of duties, it is possible that they would be able
to gain privileged access to your data. Consequently, the service provider must be
able to demonstrate to your satisfaction that they are prevented from doing so.
There is also the risk that your data is in proximity to other, unknown virtual servers
and that some sort of attack could be launched on your data from another virtual
server.
Review Activity:
Cloud Concepts
Answer the following questions:
Topic 20B
Explain Virtualization and Storage
Area Network Technologies
Hypervisor Types
In a virtualization host, the hypervisor—or virtual machine monitor (VMM)—
manages the virtual environment and facilitates interaction with the computer
hardware and network. One basic distinction that can be made between virtual
platforms is between host and bare metal methods of interacting with the host
hardware. In a guest OS (or host-based) system, the hypervisor application (known
as a Type II hypervisor) is itself installed onto a host operating system. Examples of
host-based hypervisors include VMware Workstation™, Oracle® VirtualBox, and
Parallels® Workstation. The hypervisor software must support the host OS.
Guest OS virtualization (Type II hypervisor). The hypervisor is an application running within a
native OS, and guest OSes are installed within the hypervisor.
A bare metal virtual platform means that a Type I hypervisor is installed directly onto
the computer and manages access to the host hardware without going through a host
OS. Examples include VMware ESXi® Server, Microsoft’s Hyper-V®, and Citrix’s
XenServer®. The hardware needs to support only the base system requirements for the
hypervisor plus resources for the type and number of guest OSes that will be installed.
Type I bare metal hypervisor. The hypervisor is installed directly on the host hardware along with a
management application, then VMs are installed within the hypervisor.
• Internal—Creates a bridge that is usable only by VMs on the host and the host
itself. This type of switch does not permit access to the wider physical network.
• Private—Creates a switch that is usable only by the VMs. They cannot use the
switch to communicate with the host.
When the VMs are permitted to interact with a real network, the host must support a
high bandwidth, high availability network link. Any failure of the physical link will affect
multiple VMs.
You must also provision DNS and time synchronization services for the virtual network.
A SAN can integrate different types of storage technology—RAID arrays and tape
libraries, for instance. It can contain a mixture of high-speed and low-cost devices,
allowing for tiered storage to support different types of file access requirements
without having to overprovision high-cost, fast drives.
Fibre Channel
Fibre Channel is defined in the T11 ANSI standard. The British spelling fibre is
deliberately chosen to distinguish the standard from fiber optic cabling, which
it often uses but on which it does not rely. A SAN based on a Fibre Channel (FC)
Switched Fabric (FC-SW) involves three main types of components:
• Initiator—This is a client device of the SAN, such as a file or database server
installed with a fibre channel host bus adapter (HBA).
• Target—The network port for a storage device. Typical devices include single
drives, RAID drive arrays, tape drives, and tape libraries. Space on the storage
devices is divided into logical volumes, each identified by a 64-bit logical unit
number (LUN). The initiator will use SCSI, Serial Attached SCSI (SAS), SATA, or
NVMe commands to operate the storage devices in the network, depending
on which interface they support. Most devices have multiple ports for load
balancing and fault tolerance.
The initiators and targets are identified by 64-bit WorldWide Names (WWN),
similar to network adapter MAC addresses. Collectively, initiators and targets
are referred to as nodes. Nodes can be allocated their own WWN, referred to as
a WWNN (WorldWide Node Name). Also, each port on a node can have its own
WorldWide Port Name (WWPN).
Fibre Channel can use rates from 1GFC (1 Gbps) up to 128GFC. Using fiber optic
cabling, an FC fabric can be up to 10 km (6 miles) in length using single mode cable
or 500 m (1640 ft) using multimode cable.
FCoE does not quite run over standard Ethernet. It requires QoS mechanisms to ensure
flow control and guaranteed delivery. FCoE compliant products are referred to as
lossless Ethernet, Datacenter Ethernet, or Converged Enhanced Ethernet.
iSCSI
Internet Small Computer System Interface (iSCSI) is an IP tunneling protocol
that enables the transfer of SCSI data over an IP-based network. iSCSI works with
ordinary Ethernet network adapters and switches.
iSCSI can be used to link SANs but is also seen as an alternative to Fibre Channel
itself, as it does not require FC-specific switches or adapters. iSCSI initiator and target
functions are supported by both Windows Server and Linux operating systems.
Because iSCSI carries block storage over ordinary IP, it inherits IP's exposure: the
protocol itself provides no encryption, so storage traffic should run on a dedicated,
isolated VLAN or network, targets should require CHAP authentication from initiators,
and IPsec should be used where the traffic cannot be physically isolated.
Review Activity:
Virtualization and Storage Area Network Technologies
Answer the following questions:
4. What role does an initiator play in a SAN and what hardware must be
installed on it?
Topic 20C
Explain Datacenter Network
Architecture
Traffic Flows
Traffic that goes to and from a datacenter is referred to as north-south. This
traffic represents clients outside the datacenter making requests and receiving
responses. Corporate network traffic flows are also typically north-south. A client
device is located on a workgroup switch connected to a router, while the server
is connected to a separate switch or VLAN. Traffic from the client to the server
passes “north” from the client’s switch to the router and then back “south” to the
server’s switch.
In datacenters that support cloud and other Internet services, most traffic is
actually between servers within the datacenter. This is referred to as east-west
traffic. Consider a client uploading a photograph as part of a social media post.
The image file might be checked by an analysis server for policy violations (indecent
or copyright images, for instance), a search/indexing service would be updated
with the image metadata, the image would be replicated to servers that provision
content delivery networks (CDNs), the image would be copied to backup servers,
and so on. A single request to the cloud tends to cascade to multiple requests and
transfers within the cloud.
Overlay Networks
The preponderance of east-west traffic complicates security design. If each of these
cascading transactions were to pass through a firewall or other security appliance,
it would create a severe bottleneck. These requirements are driving the creation of
virtualized security appliances that can monitor traffic as it passes between servers
(blogs.cisco.com/security/trends-in-data-center-security-part- -traffic-trends). At the
same time, security implementations are moving towards zero trust architectures.
Zero trust implies a highly segmented network where each link between two
servers must be authenticated and authorized.
An overlay network is used to implement this type of point-to-point logical link
between two nodes or two networks. The overlay network abstracts the complexity
of the underlying physical topology. An overlay network uses encapsulation
protocols and software defined networking to create a logical tunnel between two
nodes or networks. When used inside the datacenter, overlay networks are typically
implemented using virtual extensible LANs (VXLANs).
SDN Architecture
In the SDN model defined by IETF (datatracker.ietf.org/doc/html/rfc7426), network
functions are divided into three layers. The top and bottom layers are application
and infrastructure:
• Application layer—Applies the business logic to make decisions about how
traffic should be prioritized and secured and where it should be switched. This
layer defines policies such as segmentation, ACLs, and traffic prioritization and
policing/shaping.
The principal innovation of SDN is to insert a control layer between the application
layer and infrastructure layer. The functions of the control plane are implemented
by a virtual device referred to as the SDN controller. Each layer exposes an
application programming interface (API) that can be automated by scripts that call
functions in the layer above or below. The interface between SDN applications and
the SDN controller is described as the service interface or as the “northbound”
API, while that between the SDN controller and infrastructure devices is the
“southbound” API.
Management Plane
In IETF’s SDN model, there are separate forwarding (data) and operational planes
at the infrastructure level. The operational plane implements device state, such
as CPU and memory utilization. A management plane sits at the same level as the
control plane to interface with the operational plane. This is used to implement
monitoring of traffic conditions and network status.
• The leaf layer contains access switches. Each access switch is connected to every
spine switch in a full mesh topology. The access switches never have direct
connections to one another.
• There are multiple redundant paths between a leaf switch and the backbone,
allowing for load balancing and failover.
• Servers are connected to multiple leaf switches for multipath redundancy, using
a first hop gateway protocol to determine the active path.
The leaf layer access switches are implemented as top-of-rack (ToR) switch models.
These are switch models designed to provide high-speed connectivity to a rack
of server appliances and support higher bandwidths than ordinary workgroup
switches. For example, where a workgroup switch might have 1 Gbps access ports
and a 10 Gbps uplink port, top-of-rack switches have 10 Gbps access ports and
40/100 Gbps uplink ports.
limited in terms of low bandwidth, high latency links. This can mean having to install
servers to branch locations and replicate data between them and the head office or
corporate network.
The Generic Routing Encapsulation (GRE) protocol encapsulates data from layer 2
(Ethernet) or layer 3 (IP) for tunneling over any suitable transport network. Multipoint
GRE (mGRE) is a version of the protocol that supports point-to-multipoint links,
such as the hub and spoke dynamic multipoint VPN. This protocol is widely used to
connect branch offices to an on-premises datacenter located at the head office.
Colocation
An on-premises datacenter does not have any site redundancy and is also likely
to suffer from poor performance when accessed by remote offices in different
countries. Establishing on-premises datacenter services for multiple geographic
locations is expensive. One option is to use public cloud services where your
applications and data are installed to third-party servers. This is cost-effective, but
also associated with a number of risks. Colocation means that a company’s private
servers and network appliances are installed to a datacenter that is shared by
multiple tenants. The colocation provider manages the datacenter environment, while the
company’s servers are installed to dedicated rack space on the datacenter floor. The
rack or space within a rack is locked so that only authorized keyholders can gain
physical access to the server equipment.
For example, in this diagram, the CPE router at site 1 wants to communicate with
site 4. The router is attached to the service provider’s MPLS cloud via a Label Edge
Router (LER). This router inserts or “pushes” a label or “shim” header into each
packet sent from CPE1, and then forwards it to an LSR. Each LSR examines the
shim and determines the Label Switched Path (LSP) for the packet, based on the
type of data, network congestion, and any other traffic engineering parameters
determined by the service provider. It uses the label, rather than the Layer 3
header, to forward the packet to its neighbor. In this way, costly routing table
lookups are avoided. The shim is removed (or “popped”) by the egress LER and
delivered to CPE4.
MPLS allows WAN providers to offer various solutions for enterprise networking
requirements. A basic use of MPLS is to create site-to-site VPNs to interconnect
LANs or connect a branch office to a datacenter. The traffic passing over an MPLS
VPN is isolated from any other customer or public traffic. Different sites can use
any access method available (DSL, cellular, leased line, or Ethernet), and the sites
can use point-to-point or multipoint topologies as required. The MPLS provider
can apply traffic shaping policies to communications between enterprise LANs
and the datacenter to guarantee a service level and provide link redundancy,
making the connection much more reliable than one over the open Internet
would be.
Software-defined WAN
The hub and branch office design with on-premises datacenters has a number
of performance and reliability drawbacks. Shifting services to one or more
dedicated datacenters in the cloud or using colocation mitigates some of these
issues. Service availability and integrity are separated from site accessibility
considerations. In this model, access to the datacenter from the corporate
network, branch offices, and remote/teleworker locations can be facilitated
through a software-defined WAN (SD-WAN). SD-WAN replaces hub and spoke
type designs with more efficient, but still secure, connectivity to corporate clouds
with less of the expense associated with provisioning an MPLS service to each
remote location.
In a branch office topology, access to the datacenter or the cloud would be
routed and authorized via the hub office. An SD-WAN is a type of overlay network
that provisions a corporate WAN across multiple locations and can facilitate
secure access to the cloud directly from a branch office or other remote location.
It uses automation and orchestration to provision links dynamically based on
application requirements and network congestion, using IPSec to ensure that
traffic is tunneled through the underlying transport networks securely. An SD-
WAN solution should also apply microsegmentation and zero trust security
policies to ensure that all requests and responses are authenticated and
authorized.
Review Activity:
Datacenter Network Architecture
Answer the following questions:
Lesson 20
Summary
You should be able to summarize cloud concepts and connectivity options and
explain basic datacenter network architecture.
• Consider a spine and leaf topology with aggregation and top-of-rack switch
models to create a network fabric that best supports east-west traffic flows
and use of overlay networks.
• Identify virtualization and SAN products that can support the goals of
elasticity and scalability and benefit from SDN and network function
virtualization.
• When using a public cloud vendor, create a cloud responsibility matrix and
perform regular risk assessments and security audits.
Appendix A
Mapping Course Content to CompTIA Certification
Solutions
Review Activity: OSI Model Layers
1. At which OSI layer is the concept of a port number introduced?
Transport.
Physical.
3. What component performs signal amplification to extend the maximum allowable distance for
a media type?
A repeater.
4. Which OSI layer packages bits of data from the Physical layer into frames?
Data Link.
5. True or False? The Session layer is responsible for passing data to the Network layer at the lower
bound and the Presentation layer at the upper bound.
False. The Session layer is between the Transport and Presentation layers.
False—the LAN ports and access point are connected by a switch. The WAN port is separate. Packets must be
routed between the LAN and WAN segments.
2. What type of address is used by the switch to forward transmissions to the appropriate host?
A media access control (MAC) address. This is a layer 2 address. It is also referred to as a hardware or
physical address.
3. True or false? The DHCP server in the SOHO router assigns an IP address to the WAN interface
automatically.
False—the DHCP server in the SOHO router assigns IP addresses to the hosts on the local network. The WAN
address is likely to be assigned by DHCP, but a DHCP server is managed by the access provider.
4. What function or service prevents an Internet host from accessing servers on the LAN without
authorization?
The firewall.
C (this might be written 0xC for clarity). Values above 9 are expressed as letters (10 = A, 11 = B, 12 = C).
0xAB. To work this out, divide 171 by 16 (144) and write the remainder (11) as the least significant hex digit
(B). Note that the quotient 10 (the integer part of the sum, where 171/16 = 10.6875) is less than 16. Convert
the quotient to hex (10 = A) to derive the second hex digit and complete the conversion.
The host will wait for a random backoff period before attempting to transmit again.
2. Which Ethernet standard works at 100 Mbps over Cat 5 or better copper cable?
100BASE-TX.
3. Which copper Ethernet standard meets the bandwidth requirements for clients in an office
network while minimizing costs?
Gigabit Ethernet. Provisioning 10 GbE would require upgrading the network adapters in most client devices,
as well as potentially requiring upgraded cable installation.
4. A network designer wants to run a 10 gigabit backbone between two switches in buildings
that are 75 m (246 feet) apart. What is the main consideration when selecting an appropriate
copper cable?
At that distance, some type of shielded or screened cat 6A or better cable is required for the installation to
be compliant with Ethernet standard 10GBASE-T.
This is a twisted pair type of copper cable using a braided outer screen and foil shielding for each pair to
reduce interference.
3. Which categories of UTP cable are certified to carry data transmission faster than 1 Gbps?
Cat 5e and Cat 6/6A. Cat 7 and Cat 8 are screened/shielded types.
5. 100BASE-T transmit pins are 1 and 2. What color code are the wires terminated to these pins
under T568A and T568B?
Green/White (pin 1) and Green (pin 2) for T568A, or Orange/White (pin 1) and Orange (pin 2) for T568B.
6. Why is plenum-rated cable used when cable is run in an area where building air is circulated?
Plenum-rated cable produces minimal amounts of smoke if burned, must be self-extinguishing, and must
meet other strict fire safety standards.
7. Which cable type consists of a single core made of solid copper surrounded by insulation, a
braided metal shielding, and an outer cover?
Coax.
OM1.
3. Which fiber Ethernet standard is best suited to implementing backbone cabling that does not
exceed 2 m ( feet) and can achieve at least 4 Gbps throughput?
10GBASE-SR.
550 m (1804 feet). Note that 1000BASE-LX can run over MMF or SMF. SMF has much higher range.
5. You need to provision a fiber patch panel to terminate incoming cabling with green LC
connectors. What type of ports should be provisioned on the patch panel?
Green connector color-coding indicates angled physical contact (APC) finishing. This type of finishing is
incompatible with PC or UPC ports. The patch panel must be provisioned with Lucent Connector ports with
APC finishing type.
2. What type of distribution frame is best suited to cabling wall ports to Ethernet switches in a way
that best supports future changes?
A patch panel allows wall ports to be connected to switches via patch cords. If a switch is replaced or if a wall
port needs to be connected to a different switch port, the change can be made easily by moving a patch cord.
A punchdown tool is used to connect wires via insulation displacement connectors (IDCs). You must use a
suitable blade for the IDC format (110, Krone, or BIX).
4. At what layer of the OSI model does a fiber distribution panel work?
All types of distribution frames work at the physical layer (layer 1).
5. You need to provision modular SFP+ transceivers to support a 10 gigabit link between two
switches using an existing fiber cable. What two characteristics must you check when ordering
the transceivers?
Use an appropriate Ethernet standard and wavelength for the type and grade of fiber and link distance
(10GBASE-SR versus 10GBASE-LR, for instance) and match the connector type of the existing cable (LC or SC,
for instance).
No, you need an SFP+ module with 1490 nm Tx and 1310 nm Rx.
The maximum link length is 100 m (328 feet) so a repeater will be needed.
2. True or false? All the nodes shown in the following figure are in the same collision domain.
True. Hubs work at the physical layer (layer 1) and just repeat the same signal out of each port.
3. True or False? A computer with a 10BASE-T Ethernet adapter cannot be joined to a 100BASE-T
network.
False. Fast Ethernet is backwards-compatible with 10BASE-T (and Gigabit Ethernet is backwards-compatible
with Fast Ethernet).
4. True or False? Devices can only transmit on an Ethernet network when the media is clear,
and the opportunity to transmit becomes less frequent as more devices are added. Also, the
probability of collisions increases. These problems can be overcome by installing a hub.
False. The description of the problem is true, but the solution is not. This issue is resolved by using a bridge
or (more likely these days) a switch.
False. Segments on different bridge ports are in separate collision domains but the same broadcast domain.
2. What is an I/G bit?
Determines whether a frame is addressed to an individual node (0) or group (1). The latter is used for
multicast and broadcast.
3. What is an MTU?
Maximum transmission unit—the maximum amount of data that a frame can carry as payload.
4. On a switched network, what configuration changes must be made to allow a host to sniff
unicast traffic from all hosts connected to a switch?
5. Write the command to use tcpdump to capture traffic from the IP address 1 2.1 .1 .2 4 on the
interface eth and output the results to the file router.pcap.
show interface
2. True or false? A managed switch should have auto-MDI/MDI-X enabled by default.
True.
3. A technician configures a switch port with a list of approved MAC addresses. What type of
feature has been enabled?
Port security.
4. A server has a four-port gigabit Ethernet card. If a switch supports port aggregation, what
bandwidth link can be achieved?
4 x 1 gigabit or 4 gigabit.
5. What port configuration feature allows a server to smooth incoming traffic rates?
6. Can you safely connect a server to a PoE-enabled port, or should you disable PoE first?
You can connect the server. PoE uses a detection mechanism to determine whether to supply power.
2. Which three means of establishing a theory of probable cause refer to the OSI model?
If you cannot solve it yourself (although it won’t be good for your career if you give up too easily). You might
also escalate if you do not have authorization to perform the necessary changes or if the system is under
some sort of warranty.
4. Which step follows “Implement the solution or escalate as necessary” in the troubleshooting
methodology?
5. True or False? Documentation should be created only at the end of the troubleshooting process.
False. The last step of the methodology is to ensure that findings, actions, and outcomes are documented,
but you cannot do this effectively without existing notes. Most troubleshooting takes place within a ticket
system. Ideally, a documented job ticket would be opened at the start of recording the incident.
3. What is the reason for making power sum crosstalk measurements when testing a link?
Power sum crosstalk measures cable performance when all four pairs are used, as Gigabit and 10G
Ethernet do.
4. Your network uses UTP cable throughout the building. There are a few users who complain
of intermittent network connectivity problems. You cannot determine a pattern for these
problems that relates to network usage. You visit the users’ workstations and find that they
are all located close to an elevator shaft. What is a likely cause of the intermittent connectivity
problems? How might you correct the problem?
If the cabling is being run too close to the elevator equipment, when the elevator motor activates, it
produces interference on the network wire. You can replace the UTP cable with screened/shielded copper
wire or reposition the cables away from the elevator shaft.
5. You have connected a computer to a network port and cannot get a link. You have tested the
adapter and cable and can confirm that there are no problems. No other users are experiencing
problems. The old computer also experienced no problems. What cause would you suspect, and
what is a possible next step?
Speed mismatch. Check the autonegotiate settings on the adapter and port.
Work out the value of the binary place positions: 128*1 + 64*1 + 32*1 + 16*1 + 8*0 + 4*0 + 2*1 + 1*0. Sum
the result to derive the answer 242.
Work out the binary place positions that add up to 72: 128*0 + 64*1 + 32*0 + 16*0 + 8*1 + 4*0 + 2*0 + 1*0.
Transcribe the 0s and 1s to form an octet 01001000.
An 8-bit mask means that each digit in the first octet is set to 1. Converted to dotted decimal, this becomes
255.0.0.0.
The first two octets take up 16 bits. In the third octet, the first two bits are set to one. In decimal, this is 192
(128 + 64). Therefore, the full mask is 255.255.192.0.
5. Given an 18-bit netmask, are the IP addresses 1 2.1 .1.1 and 1 2.1 . 4.1 on the same
network?
Yes. Convert the IP addresses to binary, and you will see that the first 18 binary digits in each address are the
same (10101100 00011110 00).
6. If the network ID is 10.1.0.0/22, how many IP addresses are available for allocation to host
interfaces?
1,022. With a 22-bit mask, from the 32-bit IP address, there are 10 bits left for host addressing (32 - 22). 2 to
the power 10 (2^10) is 1,024. You then need to subtract two for the network and broadcast addresses, which
cannot be assigned to host interfaces.
No. Compare the decimal mask and dotted decimal IP addresses and note that the third octet is within the
network portion but is different for each IP address. If you do convert to binary to check, remember that the
subnet mask contains 25 bits. You can see that the 24th bit is different in each address. As that bit occurs
within the netmask, the hosts are on different IP networks.
2. If a packet is addressed to a remote network, what destination MAC address will the sending
node use to encapsulate the IP packet in a frame?
3. Assuming unmanaged switches, how many broadcast domains are present in the following figure?
Four. Each router interface is a separate broadcast domain. One broadcast domain contains Router A and
Router B, another contains the nodes on the legacy segment, and the last two are the client nodes’ Switch A
broadcast domain and the server nodes’ Switch B broadcast domain.
4. If a host is configured with the IP address 10.0.10.22 and mask 255.255.255.192, what is the
broadcast address of the subnet?
10.0.10.63. Convert the IP address to binary (00001010 00000000 00001010 00010110), then work out the
number of bits in the mask (26). Change the remaining host bits (6) to 1s and convert back to dotted decimal.
5. What type of addressing delivers a packet to a single host from a group without using unicast?
Anycast means that a group of hosts are configured with the same IP address. When a router forwards a
packet to an anycast group, it uses a prioritization algorithm and metrics to select the host that is “closest”
(that will receive the packet and be able to process it the most quickly).
This is the default loopback address for most hosts. The loopback address facilitates testing the TCP/IP
implementation on a host.
4. A host is configured with the IP address 10.0.10.22 and subnet mask 255.255.255.192. How many
hosts per subnet would this addressing scheme support?
62. Either subtract the least significant octet from 256 (256 - 192 = 64), then subtract 2 for the network and
broadcast addresses, or having worked out that there are 6 host bits, calculate 2^6 - 2.
5. If the IP address 10.0.10.22 were used with an /18 mask, how many subnets and hosts per subnet
would be available?
1024 subnets each with 16,382 hosts. From the default mask, 10 bits are allocated to the subnet ID and 14
remain as host bits.
currently 198.51.100.0/24. You need to divide this in half (two subnets) to accommodate hosts on
two separate floors of the building, each of which is served by managed switches. The whole network is
served by a single router.
1. To divide the network in half, what subnet mask do you need to use?
Adding a single bit to the mask creates two subnets. The mask and network prefix will be 255.255.255.128
(/25).
198.51.100.0 /25 and 198.51.100.128 /25. An easy way to find the first subnet ID is to deduct the least
significant octet in the mask (128 in the example) from 256, giving the answer 128.
3. What is the broadcast address for each subnet? 1 . 2.1 .12 and 1 . 1.1 .2 .
You can work these out quite simply from the subnet ID that you calculated. The broadcast address for the
first subnet is 1 less than the next subnet ID. The second subnet’s broadcast address is the last possible
address.
198.51.100.1 to 126 and 198.51.100.129 to 254. If you have each subnet ID and the broadcast ID, the host
ranges are simply the values in between.
5. Your manager has considered his original plan and realized that it does not accommodate
the need for a WAN link to the head office or a separate segment for a team that works with
sensitive data. What mask will you need to accommodate this new requirement, and how many
hosts per subnet will it allow?
You now need four subnets: a /28 prefix or 255.255.255.240 mask. There are only 4 bits left to work with for
host addressing, though, so there are just 14 host addresses per subnet.
On Windows, run ipconfig (or netsh interface ip show config or Get-NetIPAddress). On Linux, run ifconfig
or ip a.
2. What output would you expect when running the command ip neigh?
3. True or False? The arp utility will always show another host’s MAC address if that host is on the
same subnet.
False. While that is the function of the Address Resolution Protocol, the arp utility is used to inspect the ARP
table cache, which may or may not contain the other host’s address. Note that a standard means to ensure
the MAC address is cached is to ping the destination address first. This is the basis of a utility called arping.
4. Output from a ping command reports some values in milliseconds. What does this measure?
Round Trip Time (RTT) is a measure of the latency or delay between the host sending the probe and
receiving a reply. ping will report minimum, maximum, and average RTT values.
5. True or False? Receiving an echo reply message indicates that the link between two hosts is
operational.
True.
Check that the switch is powered on and reset it. If that does not work, check for other causes such as a
poorly seated plug-in module.
2. A workstation cannot connect to a server application on a remote network. What is the first test
you could perform to establish whether the workstation’s link is OK?
3. A technician is troubleshooting a network and has asked your advice. He is trying to ping
1 2.1 .1 .1 2. The network has been subnetted with the custom mask 255.255.255.224. Why
might this return a Destination host unreachable message?
The IP address resolves to the subnet network address, not a host address. Windows does not normally
allow pinging the network address. Other OSs treat it as an alternative broadcast address, but most systems
are configured to disallow such directed broadcasts for security reasons.
4. Two client hosts have intermittent connectivity issues when accessing a server service on another
subnet. No other client hosts exhibit this problem. What configuration problem might you suspect?
This is likely to be caused by a duplicate IP or MAC address. Replies from the server will be misdirected
between the two hosts.
5. You have pinged the router for the local subnet and confirmed that there is a valid link. The
local host cannot access remote hosts, however. No other users are experiencing problems.
What do you think is the cause?
The router is not configured as the default gateway for the local host. You can ping it, but the host is not
using it for routing.
6. A Windows client workstation cannot access a help desk application server by its name
support.515support.com. The service can be accessed using its IP address. What two command
line tools should you use to identify possible causes of this issue?
Use ipconfig to report the DNS servers that the client is trying to use and verify they are correct. Use ping to
verify connectivity with the DNS servers.
fe 21 d2ff
ff 2 21 d2ff fea
::/128
Extended unique identifier (EUI) is IEEE’s preferred term for a MAC address. EUI-64 is a 64-bit hardware
interface ID. A 48-bit MAC address can be converted to an EUI-64 by using a simple mechanism. The EUI-64
can be used as the IPv6 interface ID, though a randomly generated token is often preferred.
::1
4. In IPv6, how can a host obtain a routable IPv6 address without requiring manual configuration?
Stateless address autoconfiguration (SLAAC) allows a host to autoconfigure an interface by listening for
Router Advertisements to obtain a network prefix.
5. True or false? 6to4 is a dual stack method of transitioning from IPv4 to IPv6.
False. 6to4 is a method of tunneling IPv6 packets over an IPv4 network. Dual stack means that hosts and
routers process both IPv4 and IPv6 traffic simultaneously.
2. Which of the parameters in the following routing table entry represents the gateway?
4. True or False? A router will not forward a packet when the TTL field is 0.
True.
The lowest bandwidth link along the path and the sum of latency along the path.
An Autonomous System Number (ASN) identifies a group of network prefixes under the administrative
control of a single entity (such as an ISP). The AS can be advertised to other ASs through a single prefix (route
aggregation), hiding the complexity of the internal network from other autonomous systems.
3. Of the routing protocols listed in the CompTIA Network+ syllabus, which has the highest default
value AD and does that make it more or less trusted than other protocols?
Routing Information Protocol (RIP) has a default administrative distance (AD) value of 120. In AD, lower
values are preferred, so RIP is less trusted than other protocols.
The hierarchical design of Open Shortest Path First (OSPF) means that it can divide the network into areas to
represent different sites, reduce the size of routing tables, and ensure fast convergence. That said, Enhanced
Interior Gateway Routing Protocol (EIGRP) can also support large networks and can have better convergence
performance and so could be an equally good choice. Routing Information Protocol (RIP) is too limited to
meet the requirements of a large network. Border Gateway Protocol (BGP) is not typically used on private
networks as it is slower than OSPF or EIGRP and relatively complex to configure.
5. A company has eight networks, using the subnet addresses 192.168.0.0/24, 192.168.1.0/24, and
so on. What network prefix and subnet mask can be used to summarize a supernet
route to these networks?
It takes 3 bits to summarize eight networks (2^3 = 8). Subtracting 3 bits from the existing network mask makes
the supernet network prefix /21. The third octet of the mask will use 5 bits, which is 248 in decimal (25 = 248),
so the full mask is 255.255.248.0.
6. True or false? VLSM means using more than one mask to subnet an IP network.
True. By using different mask sizes, variable length subnet masking (VLSM) allows designers to match subnet
sizes to requirements more precisely.
1. How large will each of the subnets that join the three routers together need to be?
Large enough for just 2 IP addresses. Just 2 host bits, so /30 mask.
2. Which is the largest subnet in the topology? What is the minimum number of bits that will be
needed for that number of hosts? How many IP addresses will that subnet provide? What would
be the VLSM mask and address range for the largest subnet?
Branch A is the largest subnet with 16,000 hosts. 14 bits are needed, providing 16,382 addresses (16384 - 2).
/18 will be the VLSM mask, giving an IP address range of 172.30.0.1—172.30.63.254.
3. What is the next largest subnet in the design? How many host bits will be needed for that
subnet? How many IP addresses will that subnet provide and what is the VLSM mask?
Branch B is the next largest subnet with 8,000 hosts. 13 bits are needed, providing 8,190 addresses
(8,192 - 2). /19 will be the VLSM mask, giving an IP address range of 172.30.64.1—172.30.95.254.
4. Work out the remaining subnets, remembering to ensure that subnet ranges do not overlap, but
equally that you do not waste IP addresses. Complete the table.
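The supernet calculation in the previous set of answers and the VLSM design worked through here, as an added Python example (not the guide's own code; it uses only the standard-library ipaddress module). The eight consecutive /24 networks and the 16,000- and 8,000-host branches come from the questions; the smaller subnets and link names in the demand table are constructed for illustration and are not the guide's table.

```python
"""Supernet summarization and largest-first VLSM allocation.

Added example: the 192.168.x.0/24 networks and the 16,000/8,000-host
branches follow the review questions; everything else in EXAMPLE_DEMANDS
is a constructed value used only to show the allocation mechanics.
"""
import ipaddress
from typing import Iterable

# Constructed demand table (hosts needed per subnet). The three /30 links
# are the router-to-router subnets from question 1 of the VLSM exercise.
EXAMPLE_DEMANDS = {
    "Branch A": 16000,
    "Branch B": 8000,
    "HQ": 2000,
    "Branch C": 500,
    "Link R1-R2": 2,
    "Link R2-R3": 2,
    "Link R1-R3": 2,
}


def summarize(networks: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Collapse contiguous networks into the fewest covering prefixes.

    collapse_addresses only merges aligned sibling pairs, so eight
    consecutive /24s starting on a /21 boundary become one /21, while a
    non-aligned run stays split rather than being over-summarized.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def host_bits_for(hosts: int) -> int:
    """Smallest host-bit count leaving room for `hosts` usable addresses.

    Usable addresses are 2**bits - 2 (network and broadcast are reserved),
    so 2 hosts need 2 bits (a /30), 8,000 need 13 (/19), 16,000 need 14 (/18).
    """
    bits = 1
    while (2 ** bits) - 2 < hosts:
        bits += 1
    return bits


def vlsm_allocate(block: str, demands: dict[str, int]) -> dict[str, ipaddress.IPv4Network]:
    """Carve `block` into subnets sized to each demand, largest first.

    Allocating largest-first keeps every subnet aligned on its own boundary,
    so ranges never overlap and no addresses are wasted between them.
    """
    parent = ipaddress.ip_network(block)
    free = [parent]  # unallocated blocks, kept sorted by address
    plan: dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        prefix = parent.max_prefixlen - host_bits_for(hosts)
        if prefix < parent.prefixlen:
            raise ValueError(f"{name}: {hosts} hosts do not fit in {block}")
        # Take the first free block large enough, split off the lowest piece
        # of the required size, and return the remainder to the free pool.
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= prefix:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"{name}: address space in {block} exhausted")
        subnet = next(chosen.subnets(new_prefix=prefix))
        free.extend(chosen.address_exclude(subnet))
        free.sort()
        plan[name] = subnet
    return plan


def usable_range(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """First and last assignable host address of a subnet (/30 or larger)."""
    return str(net.network_address + 1), str(net.broadcast_address - 1)


if __name__ == "__main__":
    print(summarize(f"192.168.{i}.0/24" for i in range(8)))  # one /21
    for name, net in vlsm_allocate("172.30.0.0/16", EXAMPLE_DEMANDS).items():
        lo, hi = usable_range(net)
        print(f"{name:12} {str(net):18} {lo} - {hi} ({net.num_addresses - 2} usable)")
```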
A subinterface for each VLAN carried over the trunk. Each subinterface must be configured with an IP
address and mask for the subnet mapped to the VLAN.
False. A layer 3 capable switch can perform fast routing and switching between subnets and virtual LANs
(VLANs) on a local network. However, a layer 3 switch does not typically support WAN interface cards and so
cannot be used as an edge router.
3. True or false? Any occurrence of an asterisk in traceroute output indicates that there is no
connectivity to the destination along that path.
False. Some routers along the path might not respond to probes. If there is no route to the destination, an
unreachable notification will be displayed.
4. Your network monitor is recording high numbers of ICMP Time Exceeded notifications. What
type of routing issue does this typically indicate?
This is typical of a routing loop, where packets circulate between two routers until the time to live (TTL) is
exceeded.
5. A campus to datacenter fiber optic link has been laid over 15 km of single mode fiber with
one fusion splice along this run. The termination at each end requires two connectors. You
need to evaluate a proposal to use 10GBASE-LR transceiver modules for the router. The
module specification quotes TX power of –8.2 dBm and sensitivity of –14.4 dBm. Assuming
attenuation of 0.4 dB/km, 0.75 dB loss per connector, and 0.3 dB loss per splice, do these
modules work within the expected loss budget?
The loss budget is (15 * 0.4 = 6) + (2 * 0.75 = 1.5) + (1 * 0.3 = 0.3) = 7.8 dB. The power budget is –8.2 –
(–14.4) = 6.2 dB. Consequently, the power budget is insufficient. Note that 10GBASE-LR is rated for
10 km operation over single mode.
1. Given the current scenario of the charity, how would the routers at each local office be
configured?
As the link is only used for web browsing and online email, the local office routers would just be configured
with a static route/default gateway/gateway of last resort to forward all traffic to the main site, which would
forward the web traffic on.
Presently, each local office has several PSTN (landline) telephones. The plan is to replace these with a unified
communications system for VoIP, conferencing, and messaging/information. This will require devices in each
local office to be able to contact devices in other offices for direct media streaming. It is also anticipated that
additional links may be added between branch offices where larger numbers of users are situated due to the
increased bandwidth required by the new applications at this site. Here is the revised diagram:
2. With this new infrastructure in place, what changes would need to be made to the router’s
configuration?
Due to the need for offices and therefore routers to be able contact each other, additional routing table
entries will be needed. This could be through more static routes, but a dynamic routing protocol would be
better able to cope with any future changes to the topology.
There are several choices. The network is relatively simple with only a few network hops, so RIPv2 could be
used as it is easier to configure.
If the new system works well in the East region (the smallest), the plan is to roll out the system to the
three other regions (North, South, and West). This will involve connecting the main routers for each region
together, plus some additional links for redundancy. The other regions use different IP numbering systems
and some use VLSM.
4. Considering the potential changes a successful pilot in the East region might bring about in the
whole organization, would your router configuration options change?
Due to the potential increase in the number of routers and subnets, OSPF may be the better choice of
dynamic routing protocol. This is especially true due to potential IP subnet numbering differences, including
VLSM.
It may be worth considering different OSPF areas to manage the size of the OSPF topology tables and use
route summarization to reduce the router’s CPU load.
2. What term is used to describe a topology in which two nodes share a single link?
Point-to-point.
3. You need operations to continue if one link fails. How many links does it take to connect three sites?
The number of links is n(n-1)/2, so with three sites, the sum is 3*2/2, which works out to three.
A personal area network (PAN) links devices such as laptops and smartphones and provides connectivity
with peripheral devices (printers, input devices, headsets, and so on) plus wearable technology, such as
fitness trackers and smart watches.
This is a hybrid topology with mesh and star elements. The core layer is a mesh and the links between core
and distribution and distribution and access are also a mesh or partial mesh. The access switches use a star
topology to connect end systems.
2. Spanning tree has been deployed without the administrator setting a priority value. Which of
the following switches will be selected as the root?
Switch A. The switch with the lowest value MAC address is selected if priority values are equal.
3. In what STP-configured state(s) are all ports when a network running STP is converged?
Forwarding or blocking.
4. True or false? A broadcast storm can only be resolved by investigating interface configurations.
False. A broadcast storm could be caused by a physical layer issue, such as improper cabling.
True.
From 2 to 4,094. The all zeros and all ones (0 and 4,095) are reserved and VLAN ID 1 is the default for all
unconfigured ports.
Tagged ports typically operate as trunks to carry frames between VLANs on different switches. Frames are
transported over the trunk link with an 802.1Q header to indicate the VLAN ID.
5. True or false? When configuring a voice VLAN, the voice VLAN ID must be lower than the access
VLAN ID.
False. The IDs only need to be distinct and synchronized with the IDs expected by the switch.
It is used for flow control. The window indicates the amount of data that the host can receive before sending
another acknowledgement.
4. True or false? User Datagram Protocol (UDP), like TCP, uses flow control in the sending of data
packets.
False.
5. What port and protocol does TFTP use at the Transport layer?
UDP/69.
IP scanner. Note that while most IP scanners can also function as port scanners they are distinct types of
scanning activity.
2. You are auditing the service configuration of a Linux server. Which command can you use to
check the PID associated with a TCP port, even if there are no active connections?
Run netstat with the -p switch to show the process ID (PID), the -a switch to show all active and listening sockets,
and optionally -t to filter by TCP and -n to suppress name resolution and display output quicker: netstat
-patn
3. A technician has identified an undocumented host using an IP address in a range set aside as
unallocated. The technician is going to run a fingerprinting scan. What type of information could
this yield about the host?
A fingerprinting scan compares specific responses to known information about hardware platforms, OS
types and versions, and application/service types and versions.
4. You need to analyze the information saved in a .pcap file. What type of command-line tool or
other utility is best suited to this task?
This type of file will contain a network packet capture. You could use a command-line protocol analyzer such
as tcpdump to display the contents, but a graphical tool such as Wireshark will make analysis easier.
True.
2. When configuring multiple DHCP servers for redundancy, what should you take care to do?
True.
IPv6 does not support broadcasts, so clients use the multicast address ff02::1:2 to discover a DHCP server.
In a stateless environment, the host autoconfigures an address using a network prefix provided by the
router (typically). DHCPv6 is then used to provide the IPv6 addresses used to access network services, such
as DNS or SIP gateways.
AAAA.
A pointer maps an IP address to a host name, enabling a reverse lookup. Reverse lookups are used (for
example) in spam filtering to confirm that a host name is associated with a given IP address.
4. What type of DNS record is used to prove the valid origin of email?
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records can be used to validate the
origin of email and reject spam. These are configured in DNS as text (TXT) records.
Recursive queries. These DNS servers are designed to assist clients with queries and are usually separate to
the DNS server infrastructure designed to host authoritative name records.
2. What type of DNS service would you configure on the LAN to use a public DNS server to resolve
queries for external domains?
A forwarder.
nslookup - 8.8.8.8
To start nslookup in interactive mode with the DNS server set to 8.8.8.8 (Google’s public DNS server).
Control what is shown by the tool. You can use these commands to suppress certain kinds of output, such as
sections of the response from the DNS server.
Trivial FTP only supports GET and PUT commands not directory browsing, file deletion, and so on. TFTP
works over UDP while FTP works over TCP.
4. You need to configure clients to be able to communicate with print devices in a remote subnet.
Which port number must you allow on a network firewall to enable the standard TCP/IP port?
TCP/9100.
5. You are configuring a firewall to allow a Linux web server to communicate with a database
server over port TCP/3306. Assuming it has been left configured with the default port, what type
of database is being used?
MySQL.
The server generates a non-delivery report (NDR) with an appropriate error code and discards the
message.
2. What protocol would enable a client to manage mail subfolders on a remote mail server?
Internet Message Access Protocol (IMAP) or IMAP Secure (IMAPS). Post Office Protocol (POP3) allows
download of mail messages but not management of the remote inbox.
3. True or false? SIP enables the location of user agents via a specially formatted URI.
True.
4. Which component in a VoIP network allows calls to be placed to and from the voice telephone or
public switched telephone network (PSTN)?
False. While the server must be configured with a key pair, the client can optionally use a key pair to
authenticate, or can use another mechanism, such as a password.
Telnet.
UDP/123.
4. What is SNTP?
Simple Network Time Protocol—A simpler protocol derived from NTP that enables workstations to obtain
the correct time from time servers.
Processing (CPU and memory) resource. In some circumstances, you might also want to monitor local
storage capacity.
Via a trap.
3. What sort of log would you inspect if you wanted to track web server access attempts?
Audit/security/access log.
4. A technician has recommended changing the syslog logging level from its current value of 3 to 6.
Will this cause more or fewer events to be forwarded?
Raising the level to 6 will capture less severe events (up to informational level) so more events will be
forwarded.
The software could produce an alert if network performance did not meet any given metric.
By buffering packets.
The field is 3-bit, allowing up to 8 values. In a typical schema, 7 and 6 can be reserved for network control
(such as routing table updates), 5 and 4 map to expedited forwarding levels for 2-way communications, 3
and 2 map to assured forwarding for streaming multimedia, and 1 and 0 for “ordinary” best-effort delivery.
A traffic shaper can reserve bandwidth so that QoS parameters, such as maximum latency and jitter, for a
real-time data application can be guaranteed.
5. You suspect that a network application is generating faulty packets. What interface metric(s)
might help you to diagnose the problem?
Monitoring errors and discards/drops would help to prove the cause of the problem.
False. An automated scanner is configured with a list of known vulnerabilities to scan for. By definition,
zero-day vulnerabilities are unknown to the vendor or to security practitioners. A zero-day is detected either
through detailed manual research or because an exploit is discovered.
Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems
and applications software. An automated vulnerability scanner is configured with scripts to scan a host for
known vulnerabilities.
4. 515web IT staff discovered an entry when reviewing their audit logs showing that a junior
employee from the sales department had logged into the network at 3:00 a.m. Further review
of the audit logs shows that he had changed his timecard on the HR server. Which security
factor was breached, and did the attack exploit a software vulnerability or a configuration
vulnerability?
The attack compromised the integrity of data stored in the network. It exploited a configuration weakness.
The employee should not have had permission to alter the timecard.
A penetration test (pen test). A vulnerability assessment is one that uses passive testing techniques.
Identification
Authentication
Accounting
Single Sign-on allows users to authenticate once to gain access to different resources. This reduces the
number of login credential sets a user must remember.
3. True or false? A subject's private key is embedded in the digital certificate that represents its
digital identity.
False—the private key must be kept secure and not revealed to any other party. The public part of the key
pair is embedded in the certificate.
A device or server that accepts user connections. In a RADIUS architecture, the client does not need to be
able to perform authentication itself; it passes the logon request to an AAA server. The client needs to be
configured with the RADIUS server address and shared secret.
On a switch interface/port. A switch that supports 802.1X port-based access control can enable a port but
allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the client
device and/or user to be authenticated before full network access is granted.
A screened subnet. The edge or screening firewall is the public interface while the choke firewall is the LAN
interface. The screened subnet is therefore configured as a perimeter network preventing hosts on the
Internet being directly connected to hosts on the LAN.
To publish a web application without directly exposing the servers on the internal network to the Internet.
A Network Access Control (NAC) server configured to allow connections only to clients that meet a health
policy, such as running an appropriate OS/OS version and being up-to-date with patches and security
scanning definitions.
5. How does placement of an IDS sensor assist with a defense in depth policy?
Placement behind a perimeter firewall can identify suspicious traffic that has been allowed through the
firewall.
Ensure that clients obtain a new DHCP lease, either by shortening the lease period in advance or by using a
script to force clients to renew the lease at startup.
2. If a network adapter is using the address 169.254.1.1 on a host connected to the LAN, what
would you suspect?
That a DHCP server is offline or not contactable. The system is configured to obtain an address automatically
but cannot contact a DHCP server and is using Automatic Private IP Addressing (APIPA).
3. Following maintenance on network switches, users in one department cannot access the
company’s internal web and email servers. You can demonstrate basic connectivity between the
hosts and the servers by IP address. What might the problem be?
It is likely that there is a problem with name resolution. Perhaps the network maintenance left the hosts
unable to access a DNS server, possibly due to some VLAN assignment issue.
4. You are troubleshooting a connectivity problem with a network application server. Certain
clients cannot connect to the service port. How could you rule out a network or remote client
host firewall as the cause of the problem?
Connect to or scan the service port from the same segment with no host firewall running.
1. You receive a call from the user of host A who has always been able to connect to the LoB
application servers, but today she is unable to connect. You verbally check with other users and
discover that none of the hosts on subnet 20 can connect, but that users in subnet 10 report no
problems. What tests should you perform to narrow down the cause of the problem?
You should not assume from the information gathered so far that the user can connect to the servers in
subnet 10. There are two likely causes—either the link to the router from subnet 20 has failed, perhaps
because of a faulty switch, or hosts in subnet 20 are no longer receiving a correct IP configuration from the
network servers. To test methodically, from any host in subnet 20, ping the loopback address and then ping
that host’s IP address. If either of these tests fail or if the host is using APIPA, investigate communications
with the network servers. If the local IP configuration on each host is good, ping the router. If this fails,
suspect a problem with the switch or cabling.
2. You send a junior technician to the equipment room to fix the problem. Sometime later,
another user from subnet 20 calls complaining that he cannot connect to the Internet. What
questions should you ask to begin troubleshooting?
Again, do not assume that Internet connectivity is the only issue. The user might not have any sort of
network link but has only complained about accessing the Internet because that’s the particular application
he was trying to use. Ask if the user can connect to one of the LoB server applications. If this fails, check
whether other users are experiencing the problem and establish the scope—just the one user? All users on
subnet 20? All users on both subnets?
3. You asked a junior technician to step in because your manager had asked you to deploy a
wireless access point on the network to support a sales event due to start the next day. There
will be lots of guests, and your manager wants them all to have Internet access. You did not
have much time, so you simply added the access point to the switch supporting subnet 10. The
next day arrives, and sometime after the sales event starts, multiple employees in subnet 10
report that when they attempt to connect to the network, they get a message that the Windows
network has limited connectivity. What might be the cause and what test should you use to
confirm the issue?
The most likely cause is that guest devices have exhausted the DHCP address pool for that scope. You can
confirm by identifying that the hosts have autoconfigured APIPA addresses, perhaps by using ipconfig.
Carrier sense multiple access with collision avoidance (CSMA/CA). Rather than try to detect collisions, a
wireless station indicates its intent to transmit by broadcasting a Request To Send (RTS) and waits to receive
a Clear To Send (CTS) before proceeding.
3. What options may be available for an 802.11n network that are not supported under 802.11g?
Channel bonding, Multiple-Input-Multiple-Output (MIMO), and use of either 2.4 GHz or 5 GHz frequency
bands.
4. True or false? Stations with 802.11ac capable adapters must be assigned to the 5 GHz frequency
band.
True—802.11ac is designed to work only in the 5 GHz frequency band, with the 2.4 GHz band used for legacy
clients.
5. Which frequency band is less likely to suffer from co-channel interference?
False—the beacon cannot be suppressed completely because clients use it when connecting with the AP.
Increasing the broadcast interval reduces network overhead, but it increases the time required to find and
connect to the network.
Output from a site survey plotting the strength of wireless signals and channel utilization in different parts of
a building.
4. True or false? To support client roaming within an extended service area, each access point
must be configured with the same SSID, security parameters, and Wi-Fi channel.
False. The SSID and security parameters must be the same, but the access points should use different
channels where their coverage overlaps.
6. What are the advantages of deploying a wireless mesh topology over an IBSS?
Stations in a wireless mesh network are capable of discovering one another, forming peering arrangements,
and performing path discovery and forwarding between peers (routing). These factors make a mesh-based
network more scalable than an ad hoc network or independent basic service set (IBSS).
Placing omnidirectional antennas on the ceiling would provide the best coverage with good line-of-sight and
reduced interference between the APs and stations. Depending on the height of the warehouse ceiling, you
may need to obtain APs with downtilt antennas.
2. The lobby area of your office building has undergone a renovation, the centerpiece of which
is a large aquarium in the middle of the room, separating a visitor seating and greeting area
from the reception desks, where the AP facilitating guest Internet access is located. Since the
renovation, many guests have been unable to connect to Wi-Fi from the seating area. Could the
aquarium really be the cause, and what solution could you recommend?
Yes, a dense body of water could cause absorption and refraction of the radio waves, weakening the signal.
You could ceiling mount the AP so that signals are less affected by the body of water. You could also add a
second AP at the front of the lobby area to act as a repeater. For optimum performance, both APs should be
ceiling-mounted, to preserve line of sight.
A Wi-Fi analyzer is a software-based tool that interrogates the wireless adapter to display detailed
information, based on what the Wi-Fi radio can receive. A spectrum analyzer uses dedicated radio hardware
to report on frequency usage outside of Wi-Fi traffic, and so can be used more reliably to detect interference
sources.
4. Users in the corner of an office building cannot get good Wi-Fi reception. Your office manager
doesn’t want to use his budget to purchase a new AP. He’s noticed that the power level control
on the AP is set to 3 out of 5 and wants to know why turning up the power isn’t the best
solution.
This might work, but you should investigate the root cause of the issue and determine whether the solution
will have adverse effects. The most obvious issue is that client stations might then be able to hear the AP but
not be able to speak to it. Depending on the rest of the WLAN infrastructure, increasing power on one AP
may cause more co-channel interference with other cells. A better solution will be to add an access point or
to configure a wireless bridge using directional antennas.
WPA2 supports a stronger encryption algorithm, based on the Advanced Encryption Standard (AES). AES
is deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
(CCMP). WPA uses the same RC4 cipher as WEP. WPA uses a mechanism called the Temporal Key Integrity
Protocol (TKIP) to make it stronger than WEP, but WPA2 offers better security.
2. What configuration information is required on an access point to authenticate users joining the
wireless network against a network authentication server?
The authentication method must be set to enterprise and the access point must be configured with the IP
address and shared secret of the authentication (RADIUS or TACACS+) server.
3. Widget Corporation has provided wireless access for its employees using several APs located
in different parts of the building. Employees connect to the network using 802.11g-compatible
network cards. On Thursday afternoon, several users report that they cannot log on to the
network. What troubleshooting step would you take first?
Following troubleshooting methodology, establish the scope of the problem early in the process. In
this case, check whether the problem machines are trying to use the same AP. If the problem is apparent
across multiple APs, suspect a wireless controller disabling 802.11g compatibility mode.
This could be a simple denial of service (DoS) attack to prevent network access, but the attacker could also
be attempting to use an evil twin/rogue AP to intercept network traffic.
5. Your company has a lobby area where guest access is provided so that visitors can get
Internet access. The open guest WLAN is currently connected to the production network. The
only protection against visitors and hackers getting into the organization’s data is file and
directory rights. What steps should be taken to provide guest access and better protect the
organization’s data?
The guest WLAN should be connected to a separate network segment, isolated from the production
network. Typically, this would be accomplished using a virtual LAN (VLAN) and a router/firewall to inspect
and filter traffic using the Internet link. You could configure a captive portal so that users must register
before accessing the WLAN. You could also change to using PSK authentication, with the passphrase
obtained from the receptionists.
The demarcation point or demarc is the location where the service provider terminates cable within
customer premises. In terms of the internal cable distribution components, it is identified as an entrance
facility. Ideally, this should be enclosed within a secure closet with access restricted to authorized
personnel only.
2. What type of cable can be used to connect a CSU/DSU to a smart jack, assuming a maximum link
distance of 1 m (3 feet)?
3. You are connecting a SOHO network to a VDSL service using a separate VDSL modem. What
cables do you require and how should they be connected?
The WAN/DSL port on the modem is connected to the service provider network via a two-pair cable with
RJ-11 connectors. The LAN/Ethernet port on the modem should be connected to the SOHO router via an
Ethernet cable with RJ-45 connectors.
4. You need to cable a service that terminates at an optical network unit (ONU) to the customer
router. What type of cable is required?
This connection can use an ordinary straight-through RJ-45 patch cord. The ONU converts the fiber optic
signal from the service provider cable to an electrical signal for transmission over copper Ethernet.
5. Assuming that sufficient bandwidth can be provided, what factor limits the usefulness of a
microwave satellite Internet link?
The link will be subject to high latency, which will impact real-time data services.
Define which user accounts have dial-in rights, consider restricting access by time of day, and configure
logging and auditing of remote access logons and attempted logons.
2. What type of client-to-site VPN ensures that any traffic from the remote node can be monitored
from the corporate network while the machine is joined to the VPN?
Full tunnel. This mode contrasts with split tunnel, where only traffic for the private network is tunneled.
A web browser.
A dynamic multipoint VPN (DMVPN) allows the spokes to establish a direct connection, rather than relaying
all communications via the hub.
5. What IPSec mode would you use for data confidentiality on a private network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information,
but this is unnecessary on a private network. Authentication Header only provides authentication and
integrity validation, not confidentiality.
Configuring a management IP address on a switch to connect to its command line interface over the network
(rather than via a serial port).
A configuration baseline records the initial setup of software or appliance. A performance baseline records
the initial throughput or general performance of a network (or part of a network). These baselines allow
changes in the future to be evaluated.
2. What type of security control provisions resources and procedures to cope with incidents that
cause major service outages?
3. How is the person who first receives notification of a potential security incident designated?
First responder.
While they have a good start on physical security, they should consider installing motion detection systems
for after hours; if there are additional doors, to install video monitoring on those doors; to update to using
smart cards or key fobs for entrance.
2. What technology could be used to provision security cameras without having to provide a
separate circuit for electrical power?
IP cameras could be powered over data cabling using Power over Ethernet (PoE).
3. Following a security incident, the lessons learned report recommends upgrading premises entry
control to prevent tailgating. What type of prevention control will provide the most effective
solution?
An access control vestibule, or mantrap, provisions one gateway into a monitored area and a second
gateway out of it. This means that any attempt to pass through behind or with another person can easily be
detected and prevented.
A Protected Distribution System (PDS) is a system for hardened network cable distribution. It can work as both
a preventive and a detective control. The preventive element comes from enclosing the cable in metal conduit.
The detective element can be supplied by alarms that detect if the conduit has been opened or damaged.
5. What technology provides data security assurance during the asset disposal phase of system life
cycle?
Mesh topology.
The host is being used as part of a supervisory control and data acquisition (SCADA) system. The host might
be kept completely separate from the corporate data network (air gapped). If it is connected, it should be
fully segregated from other systems and subject to carefully designed access control policies.
Recovery Point Objective (RPO) is the maximum amount of data loss permitted, measured in units of time
(seconds, minutes, hours, or days).
2. A server group installed with storage devices from Vendor A experiences two failures across 20
devices over a period of 5 years. A server group using storage devices from Vendor B experiences
one failure across 12 devices over the same period. Which metric is being tracked and which
vendor's metric is superior?
The metric is Mean Time to Failure (MTTF). Note that MTTF is used for devices that cannot be repaired.
Repairable system reliability is measured using Mean Time Between Failures (MTBF). Vendor A’s devices
have a MTTF measured at 50 years (20*5/2), while Vendor B’s are 60 years (12*5/1), so Vendor B has the
superior metric.
3. 515web has experienced three web server outages in the last five years. These outages all
occurred in separate years and caused one hour, three hour, and one hour downtime incidents.
Assuming the company uses the same value for MTD and RTO, did the company meet the RTO of
two hours specified in the SLA agreed annually with its customers?
No. Recovery Time Objective (RTO) in this scenario is also equal to the maximum amount of downtime.
As the service level agreement (SLA) is agreed annually, the single incident causing three hours downtime
exceeded it. The mean time to repair (MTTR) is 1.66 hours, so the company is meeting its goal over a 5-year
average, 515web either needs to write off the longer outage as an outlier, improve recovery procedures, or
negotiate new terms for its SLAs.
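The MTTF and RTO reasoning in the two answers above, carried through as a small Python example that is added here and is not part of the CompTIA guide. The function names and the SlaReport record are my own; the inputs are the figures from the questions (20 devices over 5 years with 2 failures, 12 devices with 1 failure, and outages of 1, 3 and 1 hours against a 2-hour RTO). The point the code makes explicit is that an RTO is a per-incident limit, so the SLA is judged on the worst outage, while MTTR describes the average.

```python
"""Availability metrics: MTTF for non-repairable device pools and RTO/SLA checks.

Added example for the CompTIA Network+ solutions; not from the guide itself.
"""
from __future__ import annotations

from dataclasses import dataclass


def mttf_years(devices: int, years: float, failures: int) -> float:
    """Mean Time to Failure for a pool of devices that are replaced, not repaired.

    Total device-years of operation divided by the number of failures
    observed. (For repairable systems the same division over uptime
    gives MTBF, which the answer distinguishes from MTTF.)
    """
    if devices <= 0 or years <= 0:
        raise ValueError("devices and years must be positive")
    if failures == 0:
        return float("inf")  # no failures observed: MTTF is unbounded
    return devices * years / failures


@dataclass(frozen=True)
class SlaReport:
    mttr_hours: float           # mean time to repair across all incidents
    longest_outage_hours: float  # the single worst incident
    rto_hours: float            # per-incident limit agreed in the SLA
    met: bool                   # True only if no incident exceeded the RTO


def evaluate_rto(outage_hours: list[float], rto_hours: float) -> SlaReport:
    """Judge a set of outage incidents against a per-incident RTO.

    The SLA is met only when every outage is within the RTO; the mean
    (MTTR) is reported alongside because a healthy average can hide a
    single incident that breached the agreement.
    """
    if not outage_hours:
        raise ValueError("at least one outage is required")
    longest = max(outage_hours)
    return SlaReport(
        mttr_hours=sum(outage_hours) / len(outage_hours),
        longest_outage_hours=longest,
        rto_hours=rto_hours,
        met=longest <= rto_hours,
    )


if __name__ == "__main__":
    # Figures from the two review questions (constructed scenario data)
    print("Vendor A MTTF:", mttf_years(20, 5, 2), "years")   # 50.0
    print("Vendor B MTTF:", mttf_years(12, 5, 1), "years")   # 60.0
    report = evaluate_rto([1, 3, 1], rto_hours=2)
    print(f"MTTR {report.mttr_hours:.2f} h, worst {report.longest_outage_hours} h, "
          f"RTO met: {report.met}")                           # RTO met: False
```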
4. What type of failover site generally requires only data to be restored before it can resume
processing?
5. What rack-mountable device can provide line filtering and power monitoring features?
The ISPs might share last mile conduit or have the same peering or transit arrangements that share
the same single point of failure. For reliable failover, you need to ensure diverse paths over physically
separate circuits.
2. True or false? Link aggregation can only be configured between intermediate systems, such as
switch-to-switch or switch-to-router.
False. Link aggregation can be used between end systems and intermediate systems, too.
3. You are configuring a load balanced web application. Which IP address should be configured as a
host record in DNS to advertise the application?
These are both first hop redundancy protocols. Hot Standby Router Protocol (HSRP) and Virtual Router
Redundancy Protocol (VRRP) allow multiple physical router appliances to act as the same logical router,
providing failover.
This is some type of Denial of Service (DoS) attack. Specifically, you might suspect a distributed DoS (DDoS)
or distributed reflection DoS (DRDoS).
2. The network administrator at your organization analyzes a network trace capture file and
discovers that packets have been intercepted and retransmitted to both a sender and a receiver
during an active session. What class of attack has been detected?
On-path attack. Note that this was previously referred to as a man-in-the-middle (MitM) attack.
3. True or false? To perpetrate an ARP spoofing attack, the threat actor spoofs the IP address of a
legitimate host, typically the subnet's default gateway.
True. The threat actor sends gratuitous ARP replies claiming to own the IP address of the target.
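What the gratuitous-reply pattern described in the answer above looks like from the defender's side, as an added Python example that is not part of the CompTIA guide. The ArpReply record, the detect_arp_spoofing function and the trusted gateway binding are assumptions of this example, and the capture records are constructed; the logic flags a gateway IP being claimed by an unexpected MAC and, more generally, any IP claimed by more than one MAC within a capture.

```python
"""Detect ARP spoofing in a set of captured ARP replies.

Added example for the CompTIA Network+ solutions; not from the guide itself.
The capture below is constructed, not a real trace.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    time: float       # seconds since start of capture
    sender_ip: str    # IP address the reply claims to own
    sender_mac: str   # MAC address it asks receivers to bind to that IP


# Constructed: the trusted IP-to-MAC binding for the subnet's default gateway,
# as a defender would record it from a known-good baseline.
TRUSTED_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed capture: two legitimate replies, then a second MAC claiming the gateway.
SAMPLE_CAPTURE = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    ArpReply(4.2, "10.0.0.25", "00:11:22:33:44:25"),  # ordinary host
    ArpReply(9.7, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP, unexpected MAC
    ArpReply(9.8, "10.0.0.1", "de:ad:be:ef:00:99"),   # repeated (gratuitous) claim
]


def detect_arp_spoofing(replies: list[ArpReply],
                        trusted: dict[str, str] = TRUSTED_BINDINGS) -> list[str]:
    """Return alert strings for replies that indicate cache poisoning.

    Check 1: a reply claims a trusted IP with a MAC other than the recorded one.
    Check 2: the same IP is claimed by more than one MAC during the capture,
             which catches poisoning of hosts that have no recorded baseline.
    """
    alerts: list[str] = []
    claims: dict[str, set[str]] = defaultdict(set)

    for r in replies:
        mac = r.sender_mac.lower()
        claims[r.sender_ip].add(mac)
        expected = trusted.get(r.sender_ip)
        if expected is not None and mac != expected.lower():
            alerts.append(
                f"t={r.time:.1f}s trusted IP {r.sender_ip} claimed by {mac} "
                f"(expected {expected.lower()})"
            )

    for ip, macs in claims.items():
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by {len(macs)} different MACs: {', '.join(sorted(macs))}")

    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_CAPTURE):
        print("ALERT:", line)
```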
4. A threat actor forces clients to disconnect from a legitimate access point to try to force them
to reconnect to an access point controlled by the attacker using the same network name. What
two attack types are being used?
Disconnections are performed using a deauthentication attack, while using a rogue access point to
masquerade as a legitimate one is referred to as an evil twin attack.
This is command and control (C&C or C2) traffic between a handler and botnet of compromised IP camera
devices, often called an Internet of Things (IoT) botnet.
6. Employees have received emails prompting them to register for a new benefit package. The link
in the mail resolves to a malicious IP address. What type of attack is being performed?
This is a phishing attack that combines social engineering (techniques that convince users that a message is
genuine) with a spoofed resource.
Role-based access, where different administrator and operator groups are assigned least privilege
permissions.
3. What switch configuration feature could you use to prevent web servers in the same subnet
from communicating with one another?
This can be configured using a private VLAN. The servers are all placed in the same host VLAN and
communicate out of the VLAN/subnet via the promiscuous port. Each server port is configured as an isolated
port. The isolated ports are not able to communicate directly.
A system-defined rule that denies anything not permitted by the preceding rules. This is also referred to as
an implicit deny rule. An explicit deny is one configured manually by the administrator.
5. Network hosts are flooding a switch's SSH port with malicious traffic. The switch applies a
rate-limiting mechanism to drop the traffic. What best practice network hardening control is
being used?
Control plane policing. The SSH port carries management traffic. Malicious management or control traffic
can be used to perform a denial of service (DoS) attack against a network appliance by overloading its
general purpose CPU. A control plane policing policy protects both control and management channels
against this type of attack.
6. How would a router appliance be patched to protect against a specific vulnerability described in
a security advisory?
This type of OS does not support patching of individual files, so the whole OS has to be replaced with a new
version. Vendors keep track of which version first addresses a specific security advisory.
Elasticity refers to the system's ability to handle changes on demand in real time.
2. 515accounting uses colocation to host its servers in datacenters across multiple geographic
regions. It configures the servers to run a software as a service (SaaS) app for use by its
employees. What type of deployment model is this?
The cloud service is wholly operated by 515web and so this is a private deployment. The cloud is offsite
relative to the corporate data network.
4. What are the main options for implementing connections to a cloud service provider?
You can use the Internet and the provider's web services (possibly over a VPN) or establish a direct
connection for better security and performance. A direct connection could be established by co-locating
resources in the same datacenter or provisioning a direct link to the datacenter.
5. A technician writes a configuration file that specifies the creation of an Ubuntu Server with
a 2 GHz CPU, 1 GB RAM, and a mass storage disk provisioned from a high-speed resource. What
type of cloud concept or model is being used?
A Type I hypervisor. A Type I (or bare metal) hypervisor is installed directly to the server hardware. A Type II
hypervisor is installed as a software app on a server that is already running a host operating system.
2. If a VM is connected to a bridged virtual switch, what sort of network access does it have?
A bridged switch connects the VM to a physical network via the host's NIC.
3. A technician deploys a standard Linux virtual machine and then installs and configures an open
switching OS to run on it. Which virtual network concept is being deployed?
Running virtual appliances on standard CPU platforms (rather than dedicated switch/router hardware) is
referred to as network function virtualization (NFV). This is also a type of vSwitch. A virtual switch can be
implemented either using NFV or through a built-in function of the hypervisor platform.
4. What role does an initiator play in a SAN and what hardware must be installed on it?
An initiator is a storage area network (SAN) client device, such as a file server or database server. The server
must be installed with a host bus adapter (HBA), such as fiber channel adapter or converged Ethernet
adapter.
5. What protocol can be used to implement a SAN without provisioning dedicated storage
networking adapters and switches?
iSCSI.
The firewall must be able to communicate with the software defined networking (SDN) controller via an
application programming interface (API). This API between the control and infrastructure layers is referred to
as the southbound API.
2. A technician is cabling a top-of-rack switch in a spine and leaf architecture. Each server has been
cabled to the switch. What cabling must the technician add to complete the design?
Cable the top-of-rack (leaf) switch to each spine (distribution) switch. The two tiers are cabled in a full mesh
topology.
3. True or false? An enterprise WAN can be configured using either MPLS or SD-WAN, but the two
cannot work together.
False. It is true that an enterprise WAN can be configured using multiprotocol label switching (MPLS).
However, a software defined WAN can use any type of transport network, including MPLS, so the two can be
deployed together.
Glossary
arp command: Utility to display and modify contents of host's cache of IP to MAC address mappings, as resolved by address resolution protocol (ARP) replies.
asymmetrical routing: Topology where the return path is different to the forward path.
auditing: Detailed and specific evaluation of a process, procedure, organization, job function, or system, in which results are gathered and reported to ensure that the target of the audit is in compliance with the organization's policies, regulations, and legal responsibilities. Also called audit report.
authentication header (AH): IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
authoritative name server: DNS server designated by a name server record for the domain that holds a complete copy of zone records.
auto MDI/MDIX: Interface that can detect a connection type and configure as MDI or MDI-X as appropriate.
automatic private IP addressing (APIPA): Mechanism for Windows hosts configured to obtain an address automatically that cannot contact a DHCP server to revert to using an address from the range 169.254.x.y. This is also called a link-local address.
automation: Using scripts and APIs to provision and deprovision systems without manual intervention.
autonomous system (AS): Group of network prefixes under the administrative control of a single organization used to establish routing boundaries.
badge reader: Authentication mechanism that allows a user to present a smartcard to operate an entry system.
bandwidth: Generally used to refer to the amount of data that can be transferred through a connection over a given period. Bandwidth more properly means the range of frequencies supported by transmission media, measured in Hertz.
bandwidth speed tester: Hosted utility used to measure actual speed obtained by an Internet link to a representative server or to measure the response times of websites from different locations on the Internet.
Basic Service Set ID (BSSID): MAC address of an access point supporting a basic service area.
bidirectional wavelength division multiplexing (BWDM): System that allows bidirectional data transfer over a single fiber strand by using separate wavelengths for transmit and receive streams. Also called wavelength division multiplexing (WDM).
biometric authentication: Authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system. Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition.
border gateway protocol (BGP): Path vector exterior gateway routing protocol used principally by ISPs to establish routing between autonomous systems.
botnet: Group of hosts or devices that have been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks. Also referred to as a zombie.
bottleneck: Troubleshooting issue where performance for a whole network or system is constrained by the performance of a single link, device, or subsystem.
bridge: Intermediate system that isolates collision domains to separate segments while joining segments within the same broadcast domain.
bring your own device (BYOD): Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
broadcast: Packet or frame addressed to all hosts on a local network segment, subnet, or broadcast domain. Routers do not ordinarily forward broadcast traffic. The broadcast address of IP is one where the host bits are all set to 1; at the MAC layer it is the address ff:ff:ff:ff:ff:ff.
broadcast domain: Network segment in which all nodes receive the same broadcast frames at layer 2.
broadcast storm: Traffic that is recirculated and amplified by loops in a switching topology, causing network slowdowns and crashing switches.
brute force attack: Type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
bus topology: A shared access media where all nodes attach directly to a single cable segment.
business continuity: Collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.
business impact analysis (BIA): Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations. Also called process assessment.
cable crimper: Tool to join a network jack to the ends of network patch cable.
cable modem: Cable Internet access digital modem that uses a coaxial connection to the service provider's fiber optic core network. Also called Hybrid Fiber Coax (HFC).
cable stripper: Tool for stripping the cable jacket or wire insulation.
cable tester: Tool that reports physical characteristics of a network link such as signal strength, noise, and crosstalk.
campus area network (CAN): Scope defining a network with direct connections between two or more buildings within the same overall area.
canonical notation: Format for representing IPv6 addresses using hex double-bytes with colon delimitation and zero compression.
captive portal: Web page or website to which a client is redirected before being granted full network access.
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA): Mechanism used by 802.11 Wi-Fi standards to cope with contention over the shared access media.
cat cable standards: ANSI/TIA/EIA cable category designations, with higher numbers representing better support for higher data rates.
cellular radio: Mobile telephony standards divided into 2G (GSM up to about 14 Kbps), 2.5G (GPRS, HSCSD, and EDGE up to about 48 Kbps), and 3G (WCDMA up to about 2 Mbps).
change management: Process for approving, preparing, supporting, and managing new or updated business processes or technologies.
channel: Subdivision of frequency bands used by Wi-Fi products into smaller channels to allow multiple networks to operate at the same location without interfering with one another.
channel bonding: Capability to aggregate one or more adjacent channels to increase bandwidth.
Channel Service Unit/Data Service Unit (CSU/DSU): Appliance or WAN interface card providing connectivity to a digital circuit. The DSU encodes the signal from Data Terminal Equipment (DTE), a PBX or router, to a signal that can be transported over the cable. The CSU is used to perform diagnostic tests on the line.
CIA triad: Three principles of security control and management: confidentiality, integrity, and availability. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
classless interdomain routing (CIDR): Using network prefixes to aggregate routes to multiple network blocks ("supernetting"). This replaced the old method of assigning class-based IP addresses based on the network size.
client-server: Administration paradigm where some host machines are designated as providing server and services and other machines are designated as client devices that only consume server services.
decibel loss (dB loss): Loss of signal strength between a transmitter and receiver due to attenuation and interference measured in decibels. Also called insertion loss.
default gateway: IP configuration parameter that identifies the address of a router on the local subnet that the host can use to contact other networks.
default route: Entry in the routing table to represent the forwarding path that will be used if no other entries are matched.
default VLAN: Default VLAN ID (1) for all unconfigured switch ports.
defense in depth: Security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.
demarcation point: Location that represents the end of the access provider's network (and therefore their responsibility for maintaining it). The demarc point is usually at the Minimum Point of Entry (MPOE). If routing equipment cannot be installed at this location, demarc extension cabling may need to be laid.
denial of service attack (DoS): Any type of physical, application, or network attack that affects the availability of a managed resource.
dense wavelength division multiplexing (DWDM): Technology for multiplexing 40 or 80 signal channels on a single fiber using different wavelengths.
desktop as a service (DaaS): Cloud service model that provisions desktop OS and applications software.
DHCP relay: Configuration of a router to forward DHCP traffic where the client and server are in different subnets.
DHCP snooping: Switchport protection mechanism that blocks DHCP offers from unauthorized sources.
dictionary attack: Type of password attack that compares encrypted passwords against a predetermined list of possible password values.
DiffServ: Header field used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.
dig command: Utility to query a DNS and return information about a particular domain name. Also referred to as domain information groper.
digital certificate: Identification and authentication information presented in the X.509 format and issued by a Certificate Authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host).
Digital Subscriber Line (DSL): Carrier technology to implement broadband Internet access for subscribers by transferring data over voice-grade telephone lines. There are various flavors of DSL, notably S(ymmetric)DSL, A(symmetric)DSL, and V(ery High Bit Rate)DSL.
directly connected route: Entry in the routing table representing a subnet in which the router has an active interface.
disassociation: Management frame handling process by which a station is disconnected from an access point.
disaster recovery plan (DRP): Documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
distance: Attenuation, or degradation of a signal as it travels over media, determines the maximum distance for a particular media type at a given bit rate.
distance vector: Algorithm used by routing protocols that select a forwarding path based on the next hop router with the lowest hop count to the destination network.
Distributed Denial of Service (DDoS): Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
distribution/aggregation layer: Intermediate tier in a hierarchical network topology providing
port scanner: Utility that can probe a host to enumerate the status of TCP and UDP ports.
port security: Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.
port tagging: On a switch with VLANs configured, a port with an end station host connected operates in untagged mode (access port). A tagged port will normally be part of a trunk link.
Post Office Protocol (POP): Application protocol that enables a client to download email messages from a server mailbox to a client over port TCP/110 or secure port TCP/995. Also called POP3.
posture assessment: Process for verifying compliance with a health policy by using host health checks.
power distribution unit (PDU): Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.
Power over Ethernet (PoE): Specification allowing power to be supplied via switch ports and ordinary data cabling to devices such as VoIP handsets and wireless access points. Devices can draw up to about 13W (or 25W for PoE+).
pre-shared key (PSK): Wireless network authentication mode where a passphrase-based mechanism is used to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.
Presentation Layer: OSI model layer that transforms data between the formats used by the network and applications. Also called Layer 6.
printer: Printer is often used to mean print device but also refers to a term used to describe the software components of a printing solution. The printer is the object that Windows sends output to. It consists of a spool directory, a printer driver, and configuration information.
private branch exchange (PBX): Routes incoming calls to direct dial numbers and provides facilities such as voice mail, Automatic Call Distribution (ACD), and Interactive Voice Response (IVR). A PBX can also be implemented as software (virtual PBX). An IP-based PBX or hybrid PBX allows use of VoIP.
private key: In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
private VLAN (PVLAN): Method of isolating hosts to prevent hosts within the same VLAN from communicating directly.
protocol analyzer: Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis. Also called a packet analyzer.
Protocol Data Unit (PDU): Network packet encapsulating a data payload from an upper layer protocol with header fields used at the current layer. Also referred to as Encapsulation.
proxy server: Server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also called a forward proxy.
public key: During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
public key infrastructure (PKI): Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
public switched telephone network (PSTN): Global network connecting national telecommunications systems.
public versus private addressing: Some IP address ranges are designated for use on private networks only.
networks over multiple types of transport network.
spanning tree protocol (STP): Protocol that prevents layer 2 network loops by dynamically blocking switch ports as needed.
spectrum analyzer: Device that can detect the source of interference on a wireless network.
speed: Amount of data that can be transferred over a network connection in a given amount of time, typically measured in bits or bytes per second (or some more suitable multiple thereof). Transfer rate is also described variously as data rate, bit rate, connection speed, transmission speed, or bandwidth. Transfer rates are often quoted as the peak, maximum, theoretical value; sustained, actual throughput is often considerably less.
speed (port configuration): Port setting that determines the speed of the link. The same setting must be used on the connected device and is usually autonegotiated.
spine and leaf topology: Topology commonly used in datacenters comprising a top tier of aggregation switches forming a backbone for a leaf tier of top-of-rack switches.
split tunnel: VPN configuration where only traffic for the private network is routed via the VPN gateway.
spoofing: Attack technique where the threat actor disguises their identity or impersonates another user or resource.
standard operating procedure (SOP): Documentation of best practice and work instructions to use to perform a common administrative task.
star topology: In a star network, each node is connected to a central point, typically a switch or a router. The central point mediates communications between the attached nodes. When a device such as a hub is used, the hub receives signals from a node and repeats the signal to all other connected nodes. Therefore the bandwidth is still shared between all nodes. When a device such as a switch is used, point-to-point links are established between each node as required. The circuit established between the two nodes can use the full bandwidth capacity of the network media.
stateless address autoconfiguration (SLAAC): Mechanism used in IPv6 for hosts to assign addresses to interfaces without requiring manual intervention.
static route: Entry in the routing table added manually by an administrator.
storage area network (SAN): Network dedicated to provisioning storage resources, typically consisting of storage devices and servers connected to switches via host bus adapters.
straight tip connector (ST): Bayonet-style twist-and-lock connector for fiber optic cabling.
straight-through cable: Cable designed to connect an end system MDI to an intermediate system MDI-X, such as a host to a hub.
structured query language (SQL): Programming and query language common to many relational database management systems.
subinterface: Configuring a router's physical interface with multiple virtual interfaces connected to separate virtual LAN (VLAN) IDs over a trunk.
subnet addressing: Division of a single IP network into two or more smaller broadcast domains by using longer netmasks within the boundaries of the network. Also called a subnet mask.
subscriber connector (SC): Push/pull connector used with fiber optic cabling.
Supervisory Control and Data Acquisition (SCADA): Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.
switch: Intermediate system used to establish contention-free network segments at layer 2 (Data Link).
switching loop: Troubleshooting issue where layer 2 frames are forwarded between switches or bridges in an endless loop.
Index
Page numbers with Italics represent charts, graphs, and diagrams.
Angry IP Scanner, 216
anonymous access, 313
ANSI (American National Standards Institute), 26, 29, 41, 475
Ansible orchestration platform, 468
ANSI/TIA/EIA 568 standard, 26, 29, 29–30, 30, 41, 475
antennas
  5G, 348
  booster, 352
  cable attenuation, 361
  MIMO, 344–345
  MU-MIMO, 346
  placement, 361, 459
  polarization, 360
  radio chain, 344–345
  radio frequency (RF) attenuation, 358–359
  removable, loose or disconnected, 361
  types, 360, 360
  Wi-Fi 5, 346
anycast addressing, 111, 112
Apache, 250
APC (Angled Physical Contact), 38, 39
API (application programming interface), 254, 467, 479
APIPA (Automatic Private IP Addressing), 118, 142, 228, 329
APNIC (Asia Pacific Network Information Centre), 15
appliance OS, 460
application layer
  in Internet model, 15
  of OSI model (layer 7), 8, 8, 13, 15, 400, 433
  in SDN, 479, 480
application logs, 278
application programming interface (API), 254, 467, 479
application servers, 440
application-specific integrated circuit (ASIC), 195
AppSocket, 253
APs. see access points (APs)
Area 0 (backbone), 160
ARIN (American Registry for Internet Numbers), 15
ARP. see Address Resolution Protocol (ARP)
arping tool, 135
artifacts, 285
AS (autonomous system), 157, 161
ASCII (American Standard Code for Information Interchange), 7, 62, 351, 449
Asia Pacific Network Information Centre (APNIC), 15
ASIC (application-specific integrated circuit), 195
ASN (autonomous system numbers), 161
assessment reports, 398
asset, 402
asset disposal, 412–413
  data remnant removal, 412
  factory reset, 412
  Instant Secure Erase (ISE), 413
  sanitization, 412
  Secure Erase (SE), 412–413
asset tags, 411
Assured Forwarding traffic class, 285
Asterisk, 259
Asymmetrical DSL (ADSL), 379
asymmetrical routing issues, 179–180
asymmetric encryption, 308, 309
Asynchronous Transfer Mode (ATM), 291
ATM (Asynchronous Transfer Mode), 291
AT&T, 347
attacks, 440–452
  disassociation/deauthentication, 369–370
  distributed DoS (DDoS), 446
  DNS poisoning, 442–443
  general, 440–441
  human and environmental, 450–451
  malware, 447
  on-path, 441–442
  password, 448–449
  ransomware, 447, 448
  VLAN hopping, 443
  wireless network, 444–445
attack surface, 454
attack vector, 296
attenuation, 86, 90–91, 180, 358–359
Attenuation-to-Crosstalk Ratio, Far End (ACRF), 91
Attenuation-to-Crosstalk Ratio, Near End (ACRN), 91
attribute=value pairs, 312
audit logs, 278, 279
audit reports, 397
AUP (acceptable use policy), 403
authentication
  AAA, 310, 326, 368, 385
  client, SSH, 269
  factor, 305
  in IAM, 304
  methods, 304–314
    access control list (ACL), 304
    digital certificates, 308–309, 309
    Extensible Authentication Protocol (EAP), 309–310
    identity and access management (IAM), 304
    IEEE 802.1X Port-based Network Access Control (NAC), 310
    Kerberos, 307, 307–308, 308
    LDAP Secure (LDAPS), 313
    Lightweight Directory Access Protocol (LDAP), 311, 311
    local authentication, 305–307
    multifactor, 305, 310
    Public key infrastructure (PKI), 309
    Remote Authentication Dial-in User Service (RADIUS), 310, 311
    single sign-on (SSO), 307
    Terminal Access Controller Access Control System (TACACS+), 311
    three-factor, 305
    two-factor, 305
  mutual, 390
  open, 370
  personal, 367–368
  plaintext, 305–306, 306, 313
  pluggable authentication module (PAM), 307
  public key, 269
  reauthentication, 311
  remote network access, 383–384
  simple bind, 313
  username/password, in SSH client, 269
  weak, 405
authentication, authorization, and accounting (AAA) architecture, 310, 326, 368, 385
Authentication Header (AH), 99, 389
Authentication Service, in KDC, 307
authenticator, 456
authoritative name server, 236, 241
authorization
  AAA architecture, 310, 326, 368, 385
  creep, 302
  remote network access, 383–384
autoconfiguration
  IPv4, 118
  IPv6, 143–144, 230–231
  stateless address autoconfiguration (SLAAC), 230–231
automatically allocated reservation, 229
automatic garbage collectors, 413
Automatic Private IP Addressing (APIPA), 118, 142, 228, 329
automation, 468
auto-MDI/MDI-X, 68, 92
auto-negotiation of speed, 68
autonomous system (AS), 157, 161
autonomous system numbers (ASN), 161
AUX port, 92, 391, 392
availability, 296, 417, 424
  see also high availability
availability, integrity, confidentiality (AIC) triad, 417
available leases, DHCP, 228
average utilization, 290
AWG (American Wire Gauge), 25–26, 31
AxB:C notation, 345
Azure SQL Database, 466
Azure Virtual Machines, 466

B

baby giant, 292
backbone (Area 0), 160
backbone cabling, 42, 42
backdoor, 44, 446, 447
background check, 402
backoff (random period), 21
backup
  battery, 428
  management, network device, 429
  router, 436
  state/bare metal, 429
  strategies, 426
badge reader, 408, 409
badges, 408–409
bandwidth, 85, 274, 284
  2.4 GHz, 343, 344, 344
  5 GHz, 343
  definition, 20
  EIGRP, 160
  Ethernet standards, 21, 22, 23, 37
  fiber optic cabling, 21, 34, 37
  management, 285–286
  network metrics, 284
  speed testers, 288
bare metal virtual platform, 472, 472
BAS (building automation system), 417
base 10, 15–16, 16
Base64, 449
baseband radio, 418
base numbering systems, 15–16, 16
Bash, 468
basic service area (BSA), 351, 353
Basic Service Set (BSS), 350
Basic Service Set Identifier (BSSID), 350
bastion hosts, 319
battery solutions, 429
baud rate, 85
BCP (business continuity plan), 298, 401
beacon, 351
beamforming, 346–347, 348
beamwidth, 360
Behavior Aggregates, 285
behavioral factor, 305
behavioral threat research, 300
Best Effort traffic class, 285
BGP (Border Gateway Protocol), 157, 161
BIA (business impact analysis), 298, 401
bidirectional (BiDi) transceivers, 48
binary/decimal conversion, 100–101, 101
binary digits, 15–16, 16
BIND DNS server software, 236, 244, 244
binding to the server, 313
  see also authentication
biometric factor, 305
biometric reader, 408, 409
bit depth, 284
bits, 8, 286
bits per second (bps), 284
BIX distribution frame, 43
black holes, 157, 442, 454
blackouts, 133, 276, 426
blinding attack, 44
blocked ports (BP), 197
Block I/O, 474
blocks, 42–43
block tool, 45
Bluecat, 216
bonding, 69, 432
BOOTP forwarding, 329
Border Gateway Protocol (BGP), 157, 161
botnets, 446
bottlenecks, 274, 290
bounce (multipath interference), 363
gateways
  default, 108
  DHCP, 126, 127, 131, 134, 135, 136, 137
  IP configuration, 126, 127, 131, 134, 135, 136, 137
  IPv4, 107, 107–108, 108
  unreachable, 442
  VoIP, 262
  VPN, 385
GBIC (Gigabit Interface Converter) form factor, 47
Gbps (gigabits per second), 21
general attacks, 440–441
General Packet Radio Services/Enhanced Data Rates for GSM Evolution (GPRS/EDGE), 347
general purpose (nonplenum) cabling, 30
Generic Routing Encapsulation (GRE), 99, 146, 384, 389, 482
Generic Security Services Application Program Interface (GSSAPI), 269
geofencing, 459
GeoIP, 332
Get/Get Next commands, SNMP, 277, 277
giant frame errors, 291
Gigabit Ethernet
  auto MDI/MDI-X, 68, 92
  CAT cable standards, 27
  fiber optic connectors, 36
  Gigabit Interface Converter (GBIC), 47
  standards, 23, 23
  switches, 55
Gigabit Interface Converter (GBIC) form factor, 47
gigabits per second (Gbps), 21
GLBP (Gateway Load Balancing Protocol), 435
global addressing, IPv6, 141–142, 142
global configuration mode, 66
Global Positioning System (GPS), 271–272, 272
Global System for Mobile Communication (GSM), 347
goodput, 85, 358
Google
  App Engine, 466
  public DNS server, 243, 243
  time source, 272
  Workspace, 466
GPRS/EDGE (General Packet Radio Services/Enhanced Data Rates for GSM Evolution), 347
GPS (Global Positioning System), 271–272, 272
graphical user interface (GUI)
  database services, 254
  IP configuration, 126, 128
  IP scanning, 217
  remote desktop protocol, 271, 386
grayware, 447
GRE (Generic Routing Encapsulation), 99, 146, 384, 389, 482
greenfield mode, 345
group authentication, 367
GSM (Global System for Mobile Communication), 347
GSSAPI (Generic Security Services Application Program Interface), 269
guest network isolation, 459
guest OS, 471, 471, 472
GUI. see graphical user interface (GUI)

H

hacking the human. see social engineering
half-open scanning, 219, 220
hard disk drives (HDDs), data remnant removal from, 412
hardening, 297, 453–461
  control plane policing, 458
  device and service, 453–454
  endpoint security and switchport protection, 454–456
  firewall rules and ACL configuration, 457–458
  IoT access considerations, 459–460
  patch and firmware management, 460
  secure configuration, 453–454
  security policies, 402
  VLAN and PVLAN best practices, 456
hardware
  access control, 408
  addresses, 5
  control, 408
  failure issues, 133–134
  problems, 80, 87
  redundant, 433–434, 434
  VoIP PBX, 259
hashes, cryptographic, 305–306, 306, 389, 449
hash function, 390
HCCs (horizontal cross-connects), 42
HDDs (hard disk drives), data remnant removal from, 412
HDLC (High-level Data Link Control), 291, 378
headends, VPN, 388–389
headers, 140, 248–249, 249
health policy, 326
heating, ventilation, and air conditioning (HVAC), 30, 417, 427
heat maps, 353, 353
Hertz, 284
heterogeneous networks, 6
hexadecimal notation, 15–16, 16
hex digits, 16
HFC (hybrid fiber coax), 380
hierarchical star-mesh topology, 192
hierarchical star topology, 191
high availability, 431–437
  availability, defined, 424
  described, 424, 424–425
  first hop redundancy protocol (FHRP), 435, 435–436
  link aggregation/NIC teaming, 432, 432
  load balancers, 433, 433
  Maximum Tolerable Downtime (MTD) metric, 424, 424–425
  multipathing, 431
  redundant hardware/clusters, 433–434, 434
High-level Data Link Control (HDLC), 291, 378
IETF (Internet Engineering Task Force), 15, 250, 288, 479, 480
ifconfig, 128, 128–129, 129
I/G bit, 60, 60
IGMP (Internet Group Management Protocol), 99, 112, 137
ignore, in troubleshooting methodology, 81
IGP (Interior Gateway Protocol), 157, 157, 159–160
IKE (Internet Key Exchange), 390, 391
images, policy violations and, 478–479
IMAP (Internet Message Access Protocol), 258, 449
imperative tools, 468
implicit deny, 457
implicit TLS (FTPS), 252
in-band management, 392
incident response plan, 401
incineration, 412
incorrect pin-out, 90
incorrect termination, 90
Independent Basic Service Set (IBSS), 355
indicator of compromise (IOC), 300
industrial control system (ICS), 417, 419
Infoblox, 216
informational messaging, in ICMPv6, 144
information gathering attacks, 440
infrastructure
  as code (IaC), 467–468
  layer, in SDN, 479, 480
  node, 5
  as a service (IaaS), 466
  topology, 350–351, 351
ingress/egress traffic, 70, 321
initiator, 475
input (firewall chain), 457
input/output (I/O), 274
Instant Secure Erase (ISE), 413
Institute of Electrical and Electronics Engineers (IEEE). see IEEE 802 standards
insufficient wireless coverage, 360–361
insulation, 25, 29, 30, 31, 42, 44
insulation-displacement connection (IDC), 42, 43, 43, 45, 398
integrity, in CIA Triad, 296
Integrity Check Value (ICV), 389, 389
Inte s et i i configuration utility, 362
interactive logon, 306
intercepting proxy, 323
interface, 150
  identifier, 67, 141, 142
  ID/EUI-64, 142
  monitoring metrics, 289–290 (see also interface statistics)
  status issues, 134
  testing, IPv6, 143–144
interface configuration
  autoconfiguration, 143–144
  connectivity issues, troubleshooting, 87, 88
  switches, 66–68, 67
interface errors, troubleshooting, 291–292
  cyclic redundancy check (CRC), 291
  encapsulation errors, 291
  frame errors, 291–292
interface statistics, 289–290
  discards/drops, 290
  duplex, 290
  error rate, 290
  link state, 289
  per-protocol utilization, 290
  resets, 289–290
  retransmissions, 290
  speed, 290
  utilization, 290
interference issues, 90–91, 363–364
  absorption, 364
  electromagnetic interference (EMI), 364
  reflection/bounce (multipath interference), 363
  refraction, 363
Interior BGP (IBGP), 161
Interior Gateway Protocol (IGP), 157, 157, 159–160
intermediate cross-connects, 42
Intermediate Distribution Frame (IDF), 398, 399
intermediate system, 5, 6, 10
  connectivity issues in, 86
internal DNS zones, 242–243
internal firewall, 319
internal port, 11
internal routers, 173, 173–174, 174
  layer 3 capable switch, 174
  subinterfaces, 173, 174
internal threats, 300
internal virtual switch, 473
International Electrotechnical Commission (IEC), 26, 27, 35
International Organization for Standardization (ISO)
  11801 standard, 35
  cabling standards, 26, 27, 28
  ID card standard, 408
  Open Systems Interconnection (OSI) reference model, 2
Internet, 6
  cloud connectivity, 467
  SOHO network connected to, 14–15
  standards, 15
Internet Assigned Numbers Authority (IANA), 15, 99, 161, 208
Internet Control Message Protocol (ICMP), 99, 130–131, 131
Internet Corporation for Assigned Names and Numbers (ICANN), 15, 234
Internet Engineering Task Force (IETF), 15, 250, 288, 479, 480
Internet eXchange Points (IXPs), 14
Internet Group Management Protocol (IGMP), 99, 112, 137
Internet Key Exchange (IKE), 390, 391
Internet layer, in Internet model, 15
Internet Message Access Protocol (IMAP), 258, 449
Internet model, 15
Internet of Things (IoT), 416–420
  access considerations, 459–460
  consumer-grade smart devices, 416
  described, 416
  industrial control system (ICS), 417
  mesh topologies, 356
  networks, 418
  physical access control system (PACS), 417
  placement and security, 419
  smart buildings, 417
  supervisory control and data acquisition (SCADA), 417
Internet of Things (IoT) botnet, 446
Internet Printing Protocol (IPP), 253
Internet Protocol (IP)
  addresses, 12–13, 15
    /22 and /24, 104, 163, 163, 164
    autoconfiguration, 143
    base numbering systems in, 15–16, 16
    classful, 116, 116–117, 117
    configuring
      address ranges reserved for special use, 118
      Automatic Private IP Addressing (APIPA), 118
      classful addressing, 116, 116–117, 117
      IPv4 address scheme design, 119–120
      loopback addresses, 118
      private IP addresses, 117
      public IP addresses, 117
    IP Address Management (IPAM), 216, 329
    IPv4 (see IPv4 addressing)
    IPv6 (see IPv6 addressing)
    local, 5, 59, 118, 142, 142–143
    loopback, 118
    multicast, 111, 111–112, 144
    networking address services, 226–232 (see also Dynamic Host Configuration Protocol (DHCP))
    private, 117
    public, 117
    ranges reserved for special use, 118
    troubleshooting
      duplicate IP and MAC address issues, 135–136
      incorrect IP address, 134–135
    unicast, 109–111, 110, 141–142, 142, 146
    universal, 59–60
Internet Protocol (IP) networks, 259
  configuring, 115–121
    ARP cache utility, 129–130, 130
    Automatic Private IP Addressing (APIPA), 118
    ICMP, 130–131, 131
    ipconfig, 127, 127
    ifconfig and ip, 128, 128–129, 129
    issues, 134–135
    ping utility, 130–131, 131
    tools to test, 126–132
    virtual LANs and subnets, 115, 116
    in Windows, 126
  filtering, 320
  header, 98
  helper, 230
  IPFIX IETF standard, 288
  packets, 4
  protocol types, 99
  scanners, 216–217
  spoofing, 441
  troubleshooting, 133–138
    duplicate IP and MAC address issues, 135–136
    hardware failure issues, 133–134
    incorrect DNS issues, 137
    incorrect IP address, 134–135
    incorrect subnet mask, 135
    interface status issues, 134
    IP configuration issues, 134–135
    multicast flooding issues, 137
    power issues, 133
    problem isolation, 136–137
  VoIP PBX, 259
Internet Protocol Security (IPSec), 384, 390, 391, 449
  Authentication Header (AH), 389
  Encapsulating Security Payload (ESP), 389, 389–390
  extension headers, 140
  remote network access, 390, 391
  transport mode, 390
  tunnel mode, 388, 390, 391
Internet Service Provider (ISP), 14, 161
  multipathing, 431
  Point of Presence (PoP), 380
Internet Small Computer System Interface (iSCSI), 476, 476
Internet Systems Consortium (ISC), 244
internetwork, 6, 106, 182, 182–183, 183
intrusion detection system (IDS), 7, 70, 326–327, 327
intrusion prevention system (IPS), 327
inventory management, 397, 397
inverse-square rule, 358
I/O (input/output), 274
IOC (indicator of compromise), 300
iOS
  Remote Desktop Protocol (RDP), 271, 387
  Web Services for Devices (WSD)/AirPrint, 253
IOS Software Checker, 460
IoT. see Internet of Things (IoT)
ip, 128, 128–129, 129
Lansweeper, 397
laser optimized MMF (LOMMF), 35
latency, 85, 285
  problems, 130
Latin America and Caribbean Network Information Centre (LACNIC), 15
layer 2. see data link (layer 2), of OSI model
Layer 2 Tunneling Protocol (L2TP), 385
layer 3. see network (layer 3), of OSI model
layer 4. see transport (layer 4), of OSI model
layer 5. see session layer (layer 5), of OSI model
layer 6. see presentation layer (layer 6), of OSI model
layer 7 (application layer), of OSI model, 8, 8, 13, 15, 400, 433
LC (Local Connector), 36, 36, 37
LDAP (Lightweight Directory Access Protocol), 311, 311
LDAPS (LDAP Secure), 313
leased line provider links, 377–378, 378
lease time, DHCP, 227, 228
least privilege, 302
LED status indicators, 87, 93, 133–134
legacy (non-HT) mode, 345
legacy modems, 376
legacy systems, 298–299
Length field, 98, 99
LER (Label Edge Router), 483
licensed feature issues, 335
Lightweight Access Point Protocol (LWAPP), 355
Lightweight Directory Access Protocol (LDAP), 311, 311
  LDAP Secure (LDAPS), 313
Line of Business (LoB), 337
link aggregation, 69, 432, 432
Link Aggregation Control Protocol (LACP), 69, 432
Link Aggregation Group (LAG), 432
link aggregation/NIC teaming, 432, 432
link layer, in Internet model, 15
link local addressing
  IPv4, 118
  IPv6, 142, 142–143
Link Local Multicast Name Resolution (LLMNR), 330
link state, 156, 157, 289
Link State Advertisement (LSA), 160
link state database (LSDB), 160
Linux
  ARP cache, 130
  arping tool, 135
  authentication, 307
  dhclient to release lease, 228
  DHCP issues, 329
  DNS server addresses recorded in, 137
  DNS service, 241
  duplicate IPs, 135
  FreeRADIUS, 311
  hdparm utility, 412
  host as iSCSI target, 476, 476
  ICMP and ping, 130
  ifconfig and ip, 128, 128–129, 129, 134–135
  incorrect DNS issues, 137
  iproute2 suite of tools, 128, 177, 219
  legacy net-tools package, 128
  link local address, 118, 143
  login, 305
  name resolution, 243
  netstat, 218, 218–219
  net-tools package, 219
  Nmap Security Scanner, 217
  ntp package, 272
  ping, 130–131, 131
  route command, 175, 176–177, 177
  as router for VM network, configuring, 474
  Secure Shell (SSH), 268, 307
  tcpdump, 61–62
  traceroute, 177
  tunneling, 146
  VoIP PBX, 259
LLMNR (Link Local Multicast Name Resolution), 330
LMR/HDF/CFD 200 cable, 361
load balancers/balancing, 236, 237, 241, 433, 433
LoB (Line of Business), 337
local address, 5, 59
  link, 118, 142, 142–143
  resolution, 143
local area network (LAN), 10, 186–187
  configuring, using DHCP on wireless router, 12, 12, 13
  enterprise, 187
  examples, 187
  Extensible Authentication Protocol over (EAPoL), 456
  network types, 186–187
  ports, 10, 261
  SOHO network, 10–16
  switches, 195
  wireless controllers, 354, 354, 354–355, 368
  see also virtual LAN (VLAN)
local authentication, 305–307
  Linux, 307
  single sign-on (SSO), 307
  Windows, 306
Local Connector (LC), 36, 36, 37
local loop, 378
locally administered address, 60
local privileges, 405
Local Security Authority (LSA), 306
local sign-in, Windows, 306
location factor, 305
locking cabinets, 410, 410
locking racks, 409
logging level, 281
Logical (IP/Layer 3), 400
logical bus topology, 191
logical network diagrams, 400, 400
logical topology, 5, 188
logical unit number (LUN), 475
logon/login, 305–307
logs
  application, 278
  audit, 278, 279
  collectors, 279, 279–280
  network device, 278–279
  performance, 279
  reviews, 282, 282
  Syslog, 279–280, 280
  system, 278
  traffic, 279
LOMMF (laser optimized MMF), 35
Long Term Evolution (LTE), 348, 418
loopback adapter (or loopback plug), 87
loopback addresses, 118
loopback tool, 87
loops, 157
loss budget/calculator, 180
lossless Ethernet, 475
low optical link budget issues, 180
LSA (Link State Advertisement), 160
LSA (Local Security Authority), 306
LSDB (link state database), 160
LSP (Label Switched Path), 483
LTE (Long Term Evolution), 348, 418
LTE Advanced (LTE-A), 348
LTE Machine Type Communication (LTE-M), 418
LUN (logical unit number), 475
LWAPP (Lightweight Access Point Protocol), 355

M

M2M (Machine to Machine) communication, 416
MAC. see media access control (MAC)
Machine to Machine (M2M) communication, 416
  see also Internet of Things (IoT)
macOS
  Bonjour, 118
  Nmap Security Scanner, 217
  Remote Desktop Protocol (RDP), 271, 387
  Secure Shell (SSH), 268
  Web Services for Devices (WSD)/AirPrint, 253
MACs (moves, adds, and changes), 43
magnetic media, methods of destroying, 412
mailbox access protocols, 257–258, 449
  configuring, 258
  Internet Message Access Protocol (IMAP), 258
  Post Office Protocol (POP), 257–258, 258
Mail Exchange (MX), 237, 256
Main Distribution Frame (MDF), 398
malware
  attacks, 447
  protection, 405
managed switches, 65
ManageEngine, 216
management and orchestration (MANO), 474
Management Frame Protection (MFP/802.11w), 445
Management Information Base (MIB), 276
management plane, 286, 480
management port, 391–392, 392
Man-in-the-Middle (MitM) attacks, 441–442
MANO (management and orchestration), 474
MariaDB platform, 254
massive MIMO, 348
master, 241
master key (MK), 368
master router, 436
MAU (multistation access unit), 191
maximum hop count, 179
Maximum Tolerable Downtime (MTD) metric, 424, 424–425
maximum transmission unit (MTU), 60, 70, 154
MDF (Main Distribution Frame), 398
MDI. see medium dependent interface (MDI)
mDNS (multicast DNS), 330
Mean Time Between Failures (MTBF), 425
Mean Time to Failure (MTTF), 425–426
Mean Time to Repair (MTTR), 426
Mechanical Transfer Registered Jack (MTRJ), 37, 37
media
  access control and collision domains, 21–22, 22
  bounded, 4
  cabled, 4
  converters, 5, 46, 52, 53
  encryption key (MEK), 413
  magnetic, methods of destroying, 412
  network, cable standards for, 27, 27–28
  sanitization, 412
  unbounded, 4
  wireless, 4
media access control (MAC), 21–22, 22
  48-bit address, 59
  address format, 59–60, 60
  Address Resolution Protocol (ARP), 108–109, 129
  address table, 55, 68–69, 69
  arp utility, 129–130
  broadcast storm, 198
  data link layer functions, 11
  derived addresses, 142
  duplicate address issues, 135–136
  filtering, 454–455
  MAC-derived address or interface identifier, 142
  multicast addressing, 112
  spoofing, 441
  unicast and broadcast addressing, 111
  virtual NIC, hypervisor for configuring, 473
medium dependent interface (MDI), 53, 68
  auto-MDI/MDI-X, 68, 92
  crossover (MDI-X), 53
MEF (mission essential function), 298
megabits per second (Mbps), 21
membership, VLAN, 200–201
memorandum of understanding (MOU), 406
Object Identifier (OID), 276
octets, 12, 15, 100–103, 103, 110, 116–117, 117, 119
OEO (optical-electrical-optical) repeater, 52
OFDM (Orthogonal Frequency Division Multiplexing), 343, 346
OFDMA (Orthogonal Frequency Division Multiple Access), 346, 348
offboarding, 402
OID (Object Identifier), 276
OLT (optical line terminal), 381
OM (Optical Multimode) categories, 21, 35, 37
omnidirectional antenna, 360, 360
onboarding, 402
one-to-many NAT, 325
on-path attack, 330, 441–442
ONT (optical network terminal), 381
ONU (optical network unit), 381
OOB management methods. see out-of-band (OOB) management methods
open authentication issues, 370
OpenLDAP, 312
Open Shortest Path First (OSPF), 99, 157, 160–161, 161
OpenSSH, 268, 270
OpenStack, 466
Open Systems Interconnection (OSI) model, 2, 2–3, 3
  layers, 4–8, 8 (see also individual layers)
    data link (layer 2), 5, 5–6, 11, 11
    mnemonic for remembering, 3
    network (layer 3), 6, 6–7, 12, 12–13
    packets, 4, 5, 6, 7, 13
    physical (layer 1), 4–5, 10, 11
    transport (layer 4), 7, 7, 13
    upper, 7–8, 13
  top-to-bottom/bottom-to-top, 79–80, 80
  wide area network (WAN), 376
open WLANs, 187
operating plans and procedures, 396–397
  change management, 396–397
  configuration management, 396
  standard operating procedure (SOP), 397
operation, full- or half-duplex, 68
operational technology (OT) network, 418
OPNsense security appliance, 277, 279, 280, 311, 321, 323, 390, 391, 457
optical add/drop multiplexers (OADM), 48
optical-electrical-optical (OEO) repeater, 52
optical line terminal (OLT), 381
Optical Multimode (OM) categories, 21, 35, 37
optical network terminal (ONT), 381
optical network unit (ONU), 381
optical power meter, 93
optical source, 93
optical spectrum analyzer (OSA), 93
optical time domain reflectometer (OTDR), 93, 180
options, TCP, 210
options configuration, DHCP, 228–229
Oracle
  Database, 466
  SQL*Net, 254
  VirtualBox, 471
orchestration, 468
organizational documentation and policies, 396–407
  agreements, 405–406
  data loss prevention, 404
  hardening and security policies, 402
  logical vs. physical network diagrams, 400, 400
  operating plans and procedures, 396–397
  physical network diagrams, 398–399
  rack diagrams, 399, 399
  remote access policies, 405
  security response plans and procedures, 401
  system life cycle plans and procedures, 397–398
  usage policies, 403–404
Organizationally Unique Identifier (OUI), 59–60, 60
Orthogonal Frequency Division Multiple Access (OFDMA), 346, 348
Orthogonal Frequency Division Multiplexing (OFDM), 343, 346
OSA (optical spectrum analyzer), 93
OSC Radiator, 311
OSes, 177, 471, 472
OSI model. see Open Systems Interconnection (OSI) model
OSPF (Open Shortest Path First), 99, 157, 160–161, 161
OSSIM SIEM dashboard, 301
OTDR (optical time domain reflectometer), 93, 180
OT (operational technology) network, 418
OUI (Organizationally Unique Identifier), 59–60, 60
outages, 465
out-of-band (OOB) management methods, 391–392, 392
  AUX port, 391, 392
  console port, 391, 392
  management port, 391–392, 392
output (firewall chain), 457
overcapacity issues, 363
overlap issues, 362–363
overlay networks, 479
overloaded service, 332
overwriting, 412, 413
ownership factor, 305

P

PaaS (Platform as a Service), 466
packet
PID (Process ID) number, 218
piggybacking, 451
PIN (personal identification number), 305
ping utility, 130–131, 131
  basic use, 130–131, 131
  ping error messaging, 131
  ping sequence for identifying connectivity issues, 136, 136–137
  ping switches, 131
pin-out, 398
PIR (passive infrared) sensors, 412
pixels, 284
PJL (Printer Job Language), 253
plain old telephone service (POTS), 259, 262, 263
plaintext
  authentication, 305–306, 306, 313
  cryptographic concepts, 161, 449
plan of action to repair/replace/ignore, 81–82
Platform as a Service (PaaS), 466
PLCs (programmable logic controllers), 417
plenum-rated cable, 30
plenum space, 30
plug-and-play, 253
pluggable authentication module (PAM), 307
PMK (pairwise master key), 367, 368
PNAC (Port-Based Network Access Control), 455–456
PoE (Power over Ethernet), 27, 71, 92, 261, 352, 355, 411
pointer (PTR) record, 238, 238–239
point of failure, 52, 61
Point of Presence (PoP), 380
point-to-multipoint links, 482
point-to-point link, 188, 189
Point-to-Point Protocol (PPP), 291, 378, 384
point-to-point wireless bridge connections, 360
poisoning, DNS, 442–443, 443
polarization, 360
policy violations, 478–479
polyvinyl chloride (PVC) jackets and insulation, 30
PON (passive optical network), 38, 381
PoP (Point of Presence), 380
POP (Post Office Protocol), 257–258, 258
POP3S (secure POP), 258
port, 208
  active vs. passive FTP, 251
  aggregation, 69, 432
  assignments, documenting, 208
  disabled, 87
  file and print services, 253
  filtering/security, 320
  mirroring, 69–70, 70
  naming convention, 399
  numbers, 320
  POP3, 257
  Port Address Translation (PAT), 325, 325
  Port-Based Network Access Control (PNAC), 455–456
  range (-p) scan, 219
  root (RP), 197
  scanners, 219–220, 220
  security, 69
  security/IEEE 802.1X PNAC, 455–456
  Session Initiation Protocol (SIP), 261
  standard TCP/IP port (9100), 253
  switch, 86, 454
  tagging, 202
  TCP, 213–214, 248, 250–254, 257, 258, 261, 268, 270, 271
  Telnet Daemon, 270
  transport layer, 208–209, 209
  UDP, 213–214, 252, 254, 261, 277
Port Address Translation (PAT), 325, 325
Port-Based Network Access Control (PNAC), 455–456
port range (-p) scan, 219
port security/IEEE 802.1X PNAC, 455–456
PostgreSQL platform, 254
Post Office Protocol (POP), 257–258, 258
PostScript (PS), 253
posture assessment, 297
potentially unwanted applications (PUAs), 447
potentially unwanted programs (PUPs), 447
POTS (plain old telephone service), 259, 262, 263
power
  capping, 71
  injector (or midspan), 71
  issues, 133
  levels, 362, 362, 459
  management, 428–429
    battery backups, 428
    generators, 428–429
    power distribution units (PDUs), 428
    uninterruptible power supply (UPS), 428
  sourcing equipment (PSE), 71
  sum crosstalk calculations, 91
  supply unit (PSU), 399
  surges and spikes, 133
powered device (PD), 71
Power over Ethernet (PoE), 27, 71, 92, 261, 352, 355, 411
PPP (Point-to-Point Protocol), 291, 378, 384
preamble, 59
precursor to spoofing, 441
prefix
  discovery, 143
  IPv6 address, 146, 146
  network, 141, 141, 230–231
  in routing table, 162
presentation layer (layer 6), of OSI model, 8, 8, 15
preshared keys (PSKs), 367, 368, 459
primary VLAN, 456
primary zone, 241
principals, 307
printer, 253
Printer Command Language (PCL), 253
Printer Job Language (PJL), 253
route processor (RP) attack, 458
router
  advertisement (RA), 143, 144, 230, 231
  backup, 436
  branch office, 388
  configuration, 174–175, 175
  customer edge (CE), 171, 291, 376
  DiffServ-compatible, 285
  edge, 151, 161, 171–172, 172, 173, 173
  implementation, 390
  installation and troubleshooting, 171–183
    asymmetrical routing issues, 179–180
    edge routers, 171–172, 172
    internal routers, 173, 173–174, 174
    low optical link budget issues, 180
    missing route issues, 178
    route, 175–177, 176, 177
    router configuration, 174–175, 175
    routing loop issues, 178–179, 179
    traceroute, 177
    tracert, 177–178, 178
  internal, 173, 173–174, 174
  Label Edge Router (LER), 483
  master, 436
  at network layer (layer 3) of OSI model, 6, 6
  provider edge (PE), 171, 291, 376
  RFC 1542 compliant, 229
  screening firewall, 319
  SOHO, 10–16
  SOHO, firewall in, 13
  solicitation (RS), 143, 144
  at transport layer (layer 4) of OSI model, 7
  Virtual Router Redundancy Protocol (VRRP), 436
  wireless, configuring management interface on, 13, 14
Router Advertisement (RA) Guard, 455
routes, 175–177, 176, 177
  adding, 176
  directly connected, 151
  static and default, 151
routing, 106, 150–155
  branch office internetwork, designing, 182, 182–183, 183
  fragmentation, 154
  loop issues, 178–179, 179
  packet forwarding, 152–153
  path selection, 156
  protocol updates, 71
  routing tables, 150–152, 151
  static and default routes, 151
  see also dynamic routing
Routing Information Protocol (RIP), 157, 157–159, 158, 159
routing table, 108, 150–152, 151
  entries, 150–151, 151
  example, 152, 152
  static and default routes, 151
RP (root ports), 197
RP (route processor) attack, 458
RPO (Recovery Point Objective), 425, 425
RSSI (Received Signal Strength Indicator), 359
RSTP (Rapid STP), 198
RST (reset) segment, 212
RTCP (RTP Control Protocol), 261
RTO (recovery time objective), 425, 425, 426
RTP (Real-time Transport Protocol), 261
RTP Control Protocol (RTCP), 261
RTS (Request to Send), 342
RTT (Round Trip Time), 130, 285
Ruckus, 355
runt frame errors, 291
RUs (resource units), 346
Rx (receive) wires, 38, 53, 87, 90

S

SA (Security Associations), 390
SaaS (Software as a Service), 466, 469
SAE (Simultaneous Authentication of Equals) protocol, 367–368
Salesforce, 466
SAM (Security Accounts Manager), 306
Samba software suite, 253
SAN. see storage area network (SAN)
sanitization, 412
SANITIZE command, 413
SAS (Serial Attached SCSI), 412, 413, 475
SASL (Simple Authentication and Security Layer), 313
SATA, 412, 413, 475
satellite, 381
SAWs (secure administrative workstations), 478
SC (Subscriber Connector), 36, 36, 37
SCADA (supervisory control and data acquisition), 417, 419
scalability, 464
scope, 228
scope exhaustion, 329
scope id, 143
screened subnets, 319
screened twisted pair (ScTP) cable, 26
screening firewall or router, 319
scripting, automation using, 468
scripting languages, 468
SCSI, 475, 476
ScTP (screened twisted pair) cable, 26
SDN. see software defined networking (SDN)
SDSL (Symmetrical DSL), 379
SD-WAN (software-defined WAN), 483–484, 484
SE (Secure Erase), 412–413
SHA (Secure Hash Algorithm), 449
shadow IT, 419
shared hosting, 249
SHDSL (single-pair high-speed DSL), 380
shielded/foiled twisted pair (S/FTP) cable, 23, 26, 27
shielded twisted pair (STP) cable, 26
short, problem of, 89
shortest path first (SPF), 160
shoulder surfing attack, 451
show commands, 67
show config, 67
show interface, 67, 71
shunning, 327
SIEM (Security Information and Event Management), 300
signal strength, 358–359, 359
signal-to-noise ratio (SNR), 86, 91, 359
signing, 313
sign-in/sign-on, 305–307
SIM (subscriber identity module) card, 347, 348
Simple Authentication and Security Layer (SASL), 313
simple bind authentication, 313
Simple Mail Transfer Protocol (SMTP), 13, 256, 256–257
Simple Mail Transfer Protocol Secure (SMTPS), 257
Simple Network Management Protocol (SNMP)
    agents, 276, 278
    IP scanners, 217
    management plane, 458
    monitor, 277, 277, 278
    secure, implementing, 454
Simple Network Time Protocol (SNTP), 272
Simultaneous Authentication of Equals (SAE) protocol, 367–368
Single Mode Fiber (SMF), 21, 35, 37
    to Multimode Fiber (MMF), 53, 53
    to twisted pair, 52, 53
single-pair high-speed DSL (SHDSL), 380
single-pass zero filling, 412
single sign-on (SSO), 270, 307
SIP (Session Initiation Protocol), 260–261
SIPS (Session Initiation Protocol Secure), 261
site resiliency, 427
site secure entry systems, 408–409
    access control hardware, 408
    access control vestibule, 409
site survey, 352–353, 353
    report, 399
site-to-site VPNs, 387
SLA (service level agreement), 405–406, 468
SLAAC (stateless address autoconfiguration), 143–144, 230–231
slave, 241
sleep states, 71
small and medium-sized enterprise (SME) networks, 187
Small Form Factor Pluggable (SFP), 32, 47, 47
small office/home office (SOHO) networks, 187
    configuring, 10–16
    connecting to Internet, 14–15
    switches on, 65
small office/home office (SOHO) routers, 10–16, 171
    application layer functions of, 13
    data link layer functions of, 11, 11
    Dynamic Host Configuration Protocol (DHCP), 226
    firewall functionality, 322
    network layer functions of, 11, 12–13
    physical layer functions of, 10, 11
    security functions of, 13, 14
    transport layer functions of, 13
    WAN interface of, to connect to Internet, 14–15
    WAN IP address, 15–16
smart buildings, 417, 419
smart card login, 305, 307
smart devices, 416
smartjack, 377
smart lockers, 410
SME (small and medium-sized enterprise) networks, 187
SMF. see Single Mode Fiber (SMF)
SMS (text message), 281
SMTP (Simple Mail Transfer Protocol), 13, 256, 256–257
SMTPS (Simple Mail Transfer Protocol Secure), 257
snagless cable, 28
snips, 44
SNMP. see Simple Network Management Protocol (SNMP)
snooping
    DHCP, 455
    IGMP, 137
    Internet Group Management Protocol (IGMP), 137
snowflake topology, 192
SNR (signal-to-noise ratio), 86, 91, 359
SNTP (Simple Network Time Protocol), 272
SOA (Start of Authority) record, 236
social engineering
    authentication, 305
    definition of, 450
    eliciting information, 450
    in external vs. internal threats, 300
    footprinting, 440
    password policy, 403
    phishing, 450
    security awareness training, 402, 413–141
    spoofing, 440
socket, 209
software
    automated vulnerability scanning, 299
    BIND DNS server, 236, 244, 244
    Internet Small Computer System Interface (iSCSI), 476, 476
    jumbo frames, 70, 292
    multipathing, 431
STP (spanning tree protocol), 196–198, 197, 332
STP (shielded twisted pair) cable, 26
straight through patch cord, 91
Straight Tip (ST) connectors, 35, 36, 37
structured cable, 41–42, 42, 86
structured query language (SQL), 254
    Azure SQL Database, 466
    Microsoft SQL Server, 254, 466
    MySQL, 254, 466
    Oracle SQL*Net, 254
    PostgreSQL platform, 254
stub resolvers, 235, 242
subnets
    addressing, 102–103, 103
    configuring
        address ranges reserved for special use, 118
        Automatic Private IP Addressing (APIPA), 118
        classful addressing, 116, 116–117, 117
        IP networks, 115, 116
        IPv4 address scheme design, 119–120
        loopback addresses, 118
        private IP addresses, 117
        public IP addresses, 117
        virtual LANs and subnets, 115, 116
    masks
        incorrect, 135
        IPv4, 102–103, 103
    screened, 319, 319
Subscriber Connector (SC), 36, 36, 37
subscriber identity module (SIM) card, 347, 348
substitute known working hosts, 87
supernetting, 162
supervisory control and data acquisition (SCADA), 417, 419
supplicant, in AAA architecture, 310
switched port analyzer (SPAN), 61, 70
switches, 6
    authenticator, 456
    Cisco, 65, 67, 69, 70
    configuring MAC filtering on, 454–455
    core/distribution, 195, 195
    data, 195
    deploying network devices, 55–56, 56
    desktop, 66
    desktop vs. rack-mounted, 66
    Fiber Channel (FC), 475
    Gigabit Ethernet, 55
    interface configuration, 66–68, 67
    LAN, 195
    layer 2, 55–56, 56
    layer 3, 195
    layer 7, 433
    modular vs. fixed, 66, 66
    ping, 131
    private virtual, 473
    route once, switch many, 195
    stackable, 66
    top-of-rack (ToR), 481
    trunks, 201–202
    unmanaged vs. managed, 65
    virtual, 472–473
switching. see Ethernet switching, deploying
switching loop, 198
switch port
    connectivity issues in, 86
    disabling unneeded, 454
    protection, 454
symbols, 85
Symmetrical DSL (SDSL), 379
symmetric cipher, 390
symmetric session key, 308
SYN/ACK packet, 446
SYN flood attack, 446
SYN segment, 210, 211, 213, 219
Syslog, 279–280
system life cycle, 398
system life cycle roadmap, 398
system logs, 278

T

T1/T2 timer, 228
T11 ANSI standard, 475
T568A/T568B standard, 29, 29–30, 30, 91–92
TACACS+ (Terminal Access Controller Access Control System), 310, 311, 368
tactics, techniques, and procedures (TTPs), 300, 440
tagged VLAN ports, 202–203
tagging mechanism, 286
tail drop, 286
tailgating, 451
tamper detection, 411–412
TAP (test access point), 61
target, 475
TCP. see Transmission Control Protocol (TCP)
TCP connect (-sT) scan, 219
tcpdump, 61–62
TCP/IP (Transmission Control Protocol/Internet Protocol) suite, 98, 248, 250, 253
TCP segment (window), 210
TCP SYN (-sS) scan, 219, 220
TCP/UDP port number, 70
TDM (Time Division Multiplexing), 259, 377
TDMA (Time Division Multiple Access), 347, 348
TDR (time domain reflectometer), 89
teaming, 69, 432, 432
TeamViewer, 387
teardown, 212
telecommunications company (telco), 14, 376
Telecommunications Industry Association (TIA), 26, 27, 28, 29, 30, 38, 39, 41
telecommunications room, 42, 42
telephony features, 259
teletype (TTY) device, 268
Telnet, 270, 271, 391
Telnet Daemon, 270
temperature, monitoring, 276
twinaxial (or twinax) cable, 32, 32
twisted pair connectors, 28–29
twisted pair copper cabling, 20, 22, 25, 28–29
two-factor authentication, 305
TX/RX reverse (crossed pair), 90
TXT (Text) record, 238
type (filter expression), 62
Type II frames, 60
Type I/Type II hypervisor, 471, 471–472, 472
Type of Service field, 285

U

Ubiquiti, 355
UDP. see User Datagram Protocol (UDP)
UDP scans (-sU) scan, 219
U/L bit, 60, 60
Ultra Physical Contact (UPC), 38
UMTS (Universal Mobile Telecommunications System), 348
unbounded media, 4
unicast addresses
    /48s, 146
    IPv4, 109–111, 110
    IPv6, 141–142, 142, 146
Unicode, 7
unidirectional antenna, 360, 360
UniFi Wireless Network management console, 355
Uniform Resource Indicator (URI), 248, 260
    SIP, 260–261
uninterruptible power supply (UPS), 133, 399, 426, 428
universal address, 59–60
Universal Mobile Telecommunications System (UMTS), 348
UNIX, 268
unmanaged switches, 65
unpatched systems, 298–299
unreachable default gateway, 442
unresponsive service issues, 331–332
unshielded twisted pair (UTP) cable, 23, 26, 27, 28
untagged VLAN ports, 202–203
untrusted certificate issues, 333, 333–334, 334
untrusted networks, 405
UPC (Ultra Physical Contact), 38
uplink, 288
    link aggregation, 432
    MU-MIMO (UL MU-MIMO), 347
    port, 68, 91–92, 195, 288, 481
    speeds, 288, 379, 380
upper levels (layers 5-7), of OSI model, 4–5, 10, 11
UPS (uninterruptible power supply), 133, 399, 426, 428
Urgent Pointer, 210
URI. see Uniform Resource Indicator (URI)
URL (web address), 140
usage policies, 403–404
    acceptable use policy (AUP), 403
    BYOD policies, 403, 404
    password policy, 403
user agents, 260
User Datagram Protocol (UDP), 212–214, 213–214
    Domain Name System (DNS), 237
    LDAP messaging, 312, 313
    maximum packet size, 237
    ports, 213–214
    port scanning for enumerating, 440
    in Protocol field, 99
user EXEC mode, 66, 67
username/password, in SSH client authentication, 269
UTC (Coordinated Universal Time), 271
utilization, 290
UTP (unshielded twisted pair) cable, 23, 26, 27, 28

V

variable length subnet masking (VLSM), 164–167, 165, 166, 167
VCSEL (Vertical-Cavity Surface-Emitting L), 35
VDI (virtual desktop infrastructure), 467
VDSL (Very high-speed DSL), 377, 380
vendor assessment, 302
vendor management, 302
Version field, 98, 99
Vertical-Cavity Surface-Emitting L (VCSEL), 35
vertical cross-connects, 42
vertical/scaling up, 464
Very high-speed DSL (VDSL), 377, 380
very high throughput (VHT), 346
very small aperture terminal (VSAT), 381
vestibule control, 409
VHT (very high throughput), 346
video teleconferencing (VTC), 259, 260
virtual appliances, 474
Virtual Carrier Sense flow control mechanism, 342
virtual desktop infrastructure (VDI), 467
virtual extensible LANs (VXLANs), 479
virtual IP, 343, 434
virtualization, 471–474
    hypervisor types, 471, 471–472, 472
    network function (NFV), 473–474
    virtual NICs, 472–473, 473
    virtual switches, 473
virtual LAN (VLAN), 56, 200–204
    assigning nodes, 201
    assignment issues, 331
    automated pooling, 355
    best practices, 456
    black hole, 454
    configuring IP networks, 115, 116
    default, 200, 456
    extensible (VXLANs), 479
    hopping attacks, 443
    ID (VID), 202, 456